Fixed a denial-of-service and potential remote code execution vulnerability triggered by IKEv1/IKEv2 messages that contain payloads for the respective other IKE version. Such payloads have been treated specially since 5.2.2, but because they were still identified by their original payload type they were used as such in some places, causing invalid function pointer dereferences. The vulnerability has been registered as CVE-2015-3991. https://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-%28cve-2015-3991%29.html The increased buffer size has been fixed in bug #943 upstream https://wiki.strongswan.org/issues/943
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2013 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################

include Config

# Upstream release being packaged. The commit message attributes the fix for
# CVE-2015-3991 (IKEv1/IKEv2 payload-type confusion -> DoS / possible RCE) to
# this update; bumping VER also requires a new $(DL_FILE)_MD5 entry below.
VER = 5.3.1

THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
# The archive is fetched from the IPFire mirror, not from strongswan.org, so
# the checksum recorded further down is what ties this build to the release.
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)

# VIA PadLock hardware crypto is only offered on the i586 build; everywhere
# else the plugin is explicitly switched off.
ifeq ($(MACHINE),i586)
CONFIGURE_OPTIONS = --enable-padlock
else
CONFIGURE_OPTIONS = --disable-padlock
endif
###############################################################################
# Top-level Rules
###############################################################################

# Files to fetch and verify. Each entry needs a URL variable and an _MD5
# variable named after the file itself; presumably the framework macros in
# Config resolve them through $@ (not visible from here).
objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

# Expected digest of the mirror tarball. NOTE(review): MD5 is collision-broken,
# so this catches corruption or an accidental file swap, not a deliberately
# substituted archive; the hash type is a build-framework convention, not
# something this file can change on its own.
$(DL_FILE)_MD5 = 66f258901a3d6c271da1a0c7fb3e5013

install : $(TARGET)

check : $(patsubst %,$(DIR_CHK)/%,$(objects))

download :$(patsubst %,$(DIR_DL)/%,$(objects))

# $(subst %,%_MD5,...) is effectively the identity here (the file name holds
# no '%'), so the md5 goal depends on a target literally named after the
# tarball; keep it that way, the matching rule below relies on it.
md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################

# These rules are driven entirely by the CHECK / LOAD / MD5 macros that come
# from Config (outside this file). Their targets are keyed on the plain file
# name so that, presumably, the macros can derive $(<file>) and $(<file>)_MD5
# from $@. Recipe lines must stay tab-indented.
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
	@$(CHECK)

$(patsubst %,$(DIR_DL)/%,$(objects)) :
	@$(LOAD)

$(subst %,%_MD5,$(objects)) :
	@$(MD5)
###############################################################################
# Installation Details
###############################################################################

# Build and install strongSwan, then wire its config, secret and PKI locations
# into the IPFire config tree. Runs as root on the build host. Every recipe
# line is its own shell, hence the repeated "cd $(DIR_APP) &&".
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
	@$(PREBUILD)
# Fresh unpack on every run. NOTE(review): the archive is presumably already
# checked against $(DL_FILE)_MD5 by the download prerequisite; nothing in this
# recipe re-verifies it before extraction.
	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.3.1-build-timeattack.patch
	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch

	cd $(DIR_APP) && autoreconf -vfi
# Plugin selection. Security-relevant picks, inferred from the option names
# (confirm against the strongSwan plugin docs for this release):
#  - xauth-noauth: builds the XAuth plugin that skips credential checking.
#    Enabling it here only makes it available; whether a connection actually
#    uses it is decided by the generated ipsec.conf, which must never select it
#    for a peer that is not authenticated by other means.
#  - eap-radius + eap-tls/ttls/peap/mschapv2/identity: EAP methods for
#    roadwarrior auth; the RADIUS leg carries credentials to an external
#    server, so that channel needs its own protection.
#  - openssl + gcrypt with ccm/ctr/gcm: two crypto backends plus AEAD modes.
#  - $(CONFIGURE_OPTIONS): --enable-padlock on i586, --disable-padlock elsewhere.
	cd $(DIR_APP) && ./configure \
		--prefix="/usr" \
		--sysconfdir="/etc" \
		--enable-curl \
		--enable-dhcp \
		--enable-farp \
		--enable-openssl \
		--enable-gcrypt \
		--enable-ccm \
		--enable-ctr \
		--enable-gcm \
		--enable-xauth-eap \
		--enable-xauth-noauth \
		--enable-eap-radius \
		--enable-eap-tls \
		--enable-eap-ttls \
		--enable-eap-peap \
		--enable-eap-mschapv2 \
		--enable-eap-identity \
		$(CONFIGURE_OPTIONS)

	cd $(DIR_APP) && make $(MAKETUNING)
	cd $(DIR_APP) && make install

# Remove all library files we don't want or need.
# Brace expansion ({,l}a here and {cacerts,certs,crls} below) is a bash-ism;
# this relies on the framework's SHELL being bash rather than a POSIX sh.
	rm -vf /usr/lib/ipsec/plugins/*.{,l}a

# Drop whatever rc symlinks 'make install' left behind (leading '-': a miss is
# not an error) and ship IPFire's own init script instead.
	-rm -rfv /etc/rc*.d/*ipsec
	cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec
# Point charon at the IPFire-managed config. NOTE(review): ipsec.secrets is
# where PSKs / key passphrases live; its ownership and mode are set wherever
# $(CONFIG_ROOT)/vpn/ipsec.secrets is created, not here — confirm it ends up
# root-owned and not world-readable.
	rm -f /etc/ipsec.conf /etc/ipsec.secrets
	ln -sf $(CONFIG_ROOT)/vpn/ipsec.conf /etc/ipsec.conf
	ln -sf $(CONFIG_ROOT)/vpn/ipsec.secrets /etc/ipsec.secrets

# Replace the default PKI directories with symlinks into the config tree, so
# the CA / certificate / CRL store managed there is what charon actually loads.
	rm -rf /etc/ipsec.d/{cacerts,certs,crls}
	ln -sf $(CONFIG_ROOT)/ca /etc/ipsec.d/cacerts
	ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
	ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls

# Daemon configuration shipped with the tree, installed world-readable
# (presumably it carries no secrets — verify before adding any).
	install -v -m 644 $(DIR_SRC)/config/strongswan/charon.conf \
		/etc/strongswan.d/charon.conf

	@rm -rf $(DIR_APP)
	@$(POSTBUILD)