mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-21 08:22:59 +02:00
ee80a12db0
- Update from version 5.9.9 to 5.9.10 - Update of rootfile not required - Changelog strongswan-5.9.10 - Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service and possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. - Added support for full packet hardware offload for IPsec SAs and policies with Linux 6.2 kernels to the kernel-netlink plugin. - TLS-based EAP methods now use the standardized key derivation when used with TLS 1.3. - The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication". - With the `prefer` value for the `childless` setting, initiators will create a childless IKE_SA if the responder supports the extension. - Routes via XFRM interfaces can optionally be installed automatically by enabling the `install_routes_xfrmi` option of the kernel-netlink plugin. - charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel. - The `pki --req` command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request. - The `pki --issue` command adopts EKU flags from CSRs but allows modifying them (replace them completely, or adding/removing specific flags). - On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the IPsec SAs instead of the policies. - For libcurl with MultiSSL support, the curl plugin provides an option to select the SSL/TLS backend. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
122 lines
4.3 KiB
Plaintext
122 lines
4.3 KiB
Plaintext
###############################################################################
|
|
# #
|
|
# IPFire.org - A linux based firewall #
|
|
# Copyright (C) 2007-2023 IPFire Team <info@ipfire.org> #
|
|
# #
|
|
# This program is free software: you can redistribute it and/or modify #
|
|
# it under the terms of the GNU General Public License as published by #
|
|
# the Free Software Foundation, either version 3 of the License, or #
|
|
# (at your option) any later version. #
|
|
# #
|
|
# This program is distributed in the hope that it will be useful, #
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
|
|
# GNU General Public License for more details. #
|
|
# #
|
|
# You should have received a copy of the GNU General Public License #
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
|
|
# #
|
|
###############################################################################
|
|
|
|
###############################################################################
|
|
# Definitions
|
|
###############################################################################
|
|
|
|
include Config
|
|
|
|
VER = 5.9.10
|
|
|
|
THISAPP = strongswan-$(VER)
|
|
DL_FILE = $(THISAPP).tar.bz2
|
|
DL_FROM = $(URL_IPFIRE)
|
|
DIR_APP = $(DIR_SRC)/strongswan-$(VER)
|
|
TARGET = $(DIR_INFO)/$(THISAPP)
|
|
|
|
###############################################################################
|
|
# Top-level Rules
|
|
###############################################################################
|
|
|
|
objects = $(DL_FILE)
|
|
|
|
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
|
|
|
|
$(DL_FILE)_BLAKE2 = 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9
|
|
|
|
install : $(TARGET)
|
|
|
|
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
|
|
|
|
download :$(patsubst %,$(DIR_DL)/%,$(objects))
|
|
|
|
b2 : $(subst %,%_BLAKE2,$(objects))
|
|
|
|
###############################################################################
|
|
# Downloading, checking, b2sum
|
|
###############################################################################
|
|
|
|
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
|
|
@$(CHECK)
|
|
|
|
$(patsubst %,$(DIR_DL)/%,$(objects)) :
|
|
@$(LOAD)
|
|
|
|
$(subst %,%_BLAKE2,$(objects)) :
|
|
@$(B2SUM)
|
|
|
|
###############################################################################
|
|
# Installation Details
|
|
###############################################################################
|
|
|
|
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
|
|
@$(PREBUILD)
|
|
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
|
|
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
|
|
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
|
|
|
|
$(UPDATE_AUTOMAKE)
|
|
cd $(DIR_APP) && ./configure \
|
|
--prefix="/usr" \
|
|
--sysconfdir="/etc" \
|
|
--enable-curl \
|
|
--enable-dhcp \
|
|
--enable-farp \
|
|
--enable-openssl \
|
|
--enable-gcrypt \
|
|
--enable-ccm \
|
|
--enable-ctr \
|
|
--enable-gcm \
|
|
--enable-xauth-eap \
|
|
--enable-xauth-noauth \
|
|
--enable-eap-radius \
|
|
--enable-eap-tls \
|
|
--enable-eap-ttls \
|
|
--enable-eap-peap \
|
|
--enable-eap-mschapv2 \
|
|
--enable-eap-identity \
|
|
--enable-chapoly \
|
|
--enable-sha3 \
|
|
--disable-padlock \
|
|
--disable-rc2 \
|
|
$(CONFIGURE_OPTIONS)
|
|
|
|
cd $(DIR_APP) && make $(MAKETUNING)
|
|
cd $(DIR_APP) && make install
|
|
|
|
# Remove all library files we don't want or need.
|
|
rm -vf /usr/lib/ipsec/plugins/*.{,l}a
|
|
|
|
rm -f /etc/ipsec.conf /etc/ipsec.secrets
|
|
ln -sf $(CONFIG_ROOT)/vpn/ipsec.conf /etc/ipsec.conf
|
|
ln -sf $(CONFIG_ROOT)/vpn/ipsec.secrets /etc/ipsec.secrets
|
|
|
|
rm -rf /etc/ipsec.d/{cacerts,certs,crls}
|
|
ln -sf $(CONFIG_ROOT)/ca /etc/ipsec.d/cacerts
|
|
ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
|
|
ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls
|
|
|
|
install -v -m 644 $(DIR_SRC)/config/strongswan/charon.conf \
|
|
/etc/strongswan.d/charon.conf
|
|
|
|
@rm -rf $(DIR_APP)
|
|
@$(POSTBUILD)
|