From: Michael Tremer Date: Mon, 30 Mar 2015 22:55:21 +0000 (+0200) Subject: strongswan: Update to 5.3.0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df5fbff5319a798146ecf1365a4638b5c1a1c888;p=people%2Fms%2Fipfire-2.x.git strongswan: Update to 5.3.0 Enable support for CCM and CTR
---
diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan
index a26a86c3e2..2abb58e5d7 100644
--- a/config/rootfiles/common/strongswan
+++ b/config/rootfiles/common/strongswan
@@ -16,8 +16,10 @@ etc/strongswan.d/charon-logging.conf
 etc/strongswan.d/charon.conf
 etc/strongswan.d/charon/aes.conf
 etc/strongswan.d/charon/attr.conf
+etc/strongswan.d/charon/ccm.conf
 etc/strongswan.d/charon/cmac.conf
 etc/strongswan.d/charon/constraints.conf
+etc/strongswan.d/charon/ctr.conf
 etc/strongswan.d/charon/curl.conf
 etc/strongswan.d/charon/des.conf
 etc/strongswan.d/charon/dhcp.conf
@@ -94,8 +96,10 @@ usr/lib/ipsec/libtls.so.0.0.0
 #usr/lib/ipsec/plugins
 usr/lib/ipsec/plugins/libstrongswan-aes.so
 usr/lib/ipsec/plugins/libstrongswan-attr.so
+usr/lib/ipsec/plugins/libstrongswan-ccm.so
 usr/lib/ipsec/plugins/libstrongswan-cmac.so
 usr/lib/ipsec/plugins/libstrongswan-constraints.so
+usr/lib/ipsec/plugins/libstrongswan-ctr.so
 usr/lib/ipsec/plugins/libstrongswan-curl.so
 usr/lib/ipsec/plugins/libstrongswan-dhcp.so
 usr/lib/ipsec/plugins/libstrongswan-des.so
@@ -175,8 +179,10 @@ usr/sbin/ipsec
 #usr/share/strongswan/templates/config/plugins
 #usr/share/strongswan/templates/config/plugins/aes.conf
 #usr/share/strongswan/templates/config/plugins/attr.conf
+#usr/share/strongswan/templates/config/plugins/ccm.conf
 #usr/share/strongswan/templates/config/plugins/cmac.conf
 #usr/share/strongswan/templates/config/plugins/constraints.conf
+#usr/share/strongswan/templates/config/plugins/ctr.conf
 #usr/share/strongswan/templates/config/plugins/curl.conf
 #usr/share/strongswan/templates/config/plugins/des.conf
 #usr/share/strongswan/templates/config/plugins/dhcp.conf
diff --git a/lfs/strongswan b/lfs/strongswan
index 77c287a09a..1de4320051 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@ include Config
-VER = 5.2.2
+VER = 5.3.0
 THISAPP = strongswan-$(VER)
 DL_FILE = $(THISAPP).tar.bz2
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 7ee1a33060b2bde35be0f6d78a1d26d0
+$(DL_FILE)_MD5 = c52d4228231c2025d9c320d0e9990327
 install : $(TARGET)
@@ -78,11 +78,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-eb25190.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
 	cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh
 	cd $(DIR_APP) && ./configure \
@@ -93,6 +89,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--enable-farp \
 		--enable-openssl \
 		--enable-gcrypt \
+		--enable-ccm \
+		--enable-ctr \
 		--enable-gcm \
 		--enable-xauth-eap \
 		--enable-xauth-noauth \
diff --git a/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch b/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
deleted file mode 100644
index 44b247e6d8..0000000000
--- a/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
+++ /dev/null
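Review bot: The `$(TARGET)` recipe drops the four 5.2.2 backports for upstream issues 816 and 819 (the removed `patch -Np1` lines), yet neither the commit message nor the recipe records that 5.3.0 carries those fixes, which the deleted patch headers describe as preventing an attacker from tearing down an established IKE_SA and from slipping an IKE_SA_INIT into the IKE_AUTH phase; presumably the 5.3.0 release includes them, but a commit-message line such as `Drop the issue #816/#819 backports, which are part of upstream 5.3.0` would make the security regression check explicit for the next reviewer. Separately, `$(DL_FILE)_MD5 = c52d4228231c2025d9c320d0e9990327` remains the only integrity check on the downloaded tarball, and MD5 is no longer collision-resistant, so the refreshed checksum should be taken from a tarball whose upstream release signature was verified, even though the lfs framework itself only consumes the MD5. The `$(TARGET)` recipe continues outside the hunk.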
@@ -1,35 +0,0 @@ -commit 650a3ad5151958b99a95836fb8b84b8aa18da1be -Author: Tobias Brunner -Date: Wed Feb 25 08:09:11 2015 +0100 - - ike-sa-manager: Make sure the message ID of initial messages is 0 - - It is mandated by the RFCs and it is expected by the task managers. - - Initial messages with invalid MID will be treated like regular messages, - so no IKE_SA will be created for them. Instead, if the responder SPI is 0 - no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI. - If an SPI is set and we do find an SA, then we either ignore the message - because the MID is unexpected, or because we don't allow initial messages - on established connections. - - There is one exception, though, if an attacker can slip in an IKE_SA_INIT - with both SPIs set before the client's IKE_AUTH is handled by the server, - it does get processed (see next commit). - - References #816. - -diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index d0cbd47..5e2b925 100644 ---- a/src/libcharon/sa/ike_sa_manager.c -+++ b/src/libcharon/sa/ike_sa_manager.c -@@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, - - DBG2(DBG_MGR, "checkout IKE_SA by message"); - -- if (id->get_responder_spi(id) == 0) -+ if (id->get_responder_spi(id) == 0 && -+ message->get_message_id(message) == 0) - { - if (message->get_major_version(message) == IKEV2_MAJOR_VERSION) - { diff --git a/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch b/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch deleted file mode 100644 index 4d76e7c240..0000000000 --- a/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -commit dd0ebb54837298c869389d36a0b42eefdb893dd6 -Author: Tobias Brunner -Date: Wed Feb 25 08:30:33 2015 +0100 - - ikev2: Only accept initial messages in specific states - - The previous code allowed an attacker to slip in an IKE_SA_INIT with - both SPIs and MID 1 set when an IKE_AUTH would be expected instead. - - References #816. - -diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c -index be84e71..540d4dc 100644 ---- a/src/libcharon/sa/ikev2/task_manager_v2.c -+++ b/src/libcharon/sa/ikev2/task_manager_v2.c -@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t, - { - if (mid == this->responding.mid) - { -- /* reject initial messages once established */ -- if (msg->get_exchange_type(msg) == IKE_SA_INIT || -- msg->get_exchange_type(msg) == IKE_AUTH) -+ /* reject initial messages if not received in specific states */ -+ if ((msg->get_exchange_type(msg) == IKE_SA_INIT && -+ this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) || -+ (msg->get_exchange_type(msg) == IKE_AUTH && -+ this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)) - { -- if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED && -- this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING) -- { -- DBG1(DBG_IKE, "ignoring %N in established IKE_SA state", -- exchange_type_names, msg->get_exchange_type(msg)); -- return FAILED; -- } -+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", -+ exchange_type_names, msg->get_exchange_type(msg), -+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa)); -+ return FAILED; - } - if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) - { /* with MOBIKE, we do no implicit updates */ diff --git a/src/patches/strongswan-5.2.2-issue-816-eb25190.patch b/src/patches/strongswan-5.2.2-issue-816-eb25190.patch deleted file mode 100644 index 8dcb32b0b4..0000000000 --- a/src/patches/strongswan-5.2.2-issue-816-eb25190.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -commit eb251906298b529fa53b8a99746a9a7a9f318dd5 -Author: Tobias Brunner -Date: Wed Feb 25 08:18:58 2015 +0100 - - ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received - - This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request - does not have message ID 0") because it allowed to close any IKE_SA by - sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those - of that SA. - - The next commit will prevent SAs from getting created for IKE_SA_INIT messages - with invalid MID. - - Fixes #816. - -diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c -index 48266aa..be84e71 100644 ---- a/src/libcharon/sa/ikev2/task_manager_v2.c -+++ b/src/libcharon/sa/ikev2/task_manager_v2.c -@@ -1355,10 +1355,6 @@ METHOD(task_manager_t, process_message, status_t, - { - DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored", - mid, this->responding.mid); -- if (msg->get_exchange_type(msg) == IKE_SA_INIT) -- { /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */ -- return DESTROY_ME; -- } - } - } - else diff --git a/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch b/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch deleted file mode 100644 index 0c54812fe3..0000000000 --- a/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From cd2c30a56ec9bdab8b3923851509f27a4fd6f537 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Tue, 10 Feb 2015 19:03:44 +0100 -Subject: [PATCH] ikev1: Set protocol ID and SPIs in INITIAL-CONTACT - notification payloads - -The payload we sent before is not compliant with RFC 2407 and thus some -peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error). - - #819 ---- - src/libcharon/sa/ikev1/tasks/main_mode.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c -index 5065e70..3ea4a2a 100644 ---- a/src/libcharon/sa/ikev1/tasks/main_mode.c -+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c -@@ -213,6 +213,10 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message, - { - identification_t *idr; - host_t *host; -+ notify_payload_t *notify; -+ ike_sa_id_t *ike_sa_id; -+ u_int64_t spi_i, spi_r; -+ chunk_t spi; - - idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE); - if (idr && !idr->contains_wildcards(idr)) -@@ -224,8 +228,15 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message, - if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager, - idi, idr, host->get_family(host))) - { -- message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1, -- chunk_empty); -+ notify = notify_payload_create_from_protocol_and_type( -+ PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1); -+ ike_sa_id = this->ike_sa->get_id(this->ike_sa); -+ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id); -+ spi_r = ike_sa_id->get_responder_spi(ike_sa_id); -+ spi = chunk_cata("cc", chunk_from_thing(spi_i), -+ chunk_from_thing(spi_r)); -+ notify->set_spi_data(notify, spi); -+ message->add_payload(message, (payload_t*)notify); - } - } - } --- -1.7.9.5 - 
diff --git a/src/patches/strongswan-5.0.2_ipfire.patch b/src/patches/strongswan-ipfire.patch similarity index 95% rename from src/patches/strongswan-5.0.2_ipfire.patch rename to src/patches/strongswan-ipfire.patch index 71eb24e481..79bee04690 100644 --- a/src/patches/strongswan-5.0.2_ipfire.patch +++ b/src/patches/strongswan-ipfire.patch @@ -1,8 +1,8 @@ ---- a/src/_updown/_updown.in -+++ b/src/_updown/_updown.in -@@ -178,6 +178,29 @@ - ;; - esac +--- strongswan-5.3.0/src/_updown/_updown.in.old 2015-03-17 18:17:43.000000000 +0000 ++++ strongswan-5.3.0/src/_updown/_updown.in 2015-03-30 22:48:27.084030719 +0000 +@@ -122,6 +122,29 @@ + # address family. + # +function ip_encode() { + local IFS=. @@ -27,10 +27,10 @@ + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) +} + - # utility functions for route manipulation - # Meddling with this stuff should not be necessary and requires great care. - uproute() { -@@ -407,12 +430,12 @@ + # define a minimum PATH environment in case it is not set + PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@" + export PATH +@@ -232,12 +255,12 @@ # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -46,7 +46,7 @@ # # allow IPIP traffic because of the implicit SA created by the kernel if # IPComp is used (for small inbound packets that are not compressed) -@@ -428,10 +451,10 @@ +@@ -253,10 +276,10 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -59,7 +59,7 @@ fi fi ;; -@@ -439,12 +462,12 @@ +@@ -264,12 +287,12 @@ # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. 
@@ -75,7 +75,7 @@ # # IPIP exception teardown if [ -n "$PLUTO_IPCOMP" ] -@@ -459,10 +482,10 @@ +@@ -284,10 +307,10 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -88,7 +88,7 @@ fi fi ;; -@@ -472,24 +495,24 @@ +@@ -297,24 +320,24 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then @@ -121,7 +121,7 @@ fi # # allow IPIP traffic because of the implicit SA created by the kernel if -@@ -497,7 +520,7 @@ +@@ -322,7 +345,7 @@ # INPUT is correct here even for forwarded traffic. if [ -n "$PLUTO_IPCOMP" ] then @@ -130,7 +130,7 @@ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -507,12 +530,51 @@ +@@ -332,12 +355,51 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -184,7 +184,7 @@ ;; down-client:iptables) # connection to client subnet, with (left/right)firewall=yes, going down -@@ -520,34 +582,34 @@ +@@ -345,34 +407,34 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then @@ -228,7 +228,7 @@ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -557,12 +619,51 @@ +@@ -382,12 +444,51 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -282,7 +282,7 @@ ;; # # IPv6 -@@ -597,10 +698,10 @@ +@@ -412,10 +513,10 @@ # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -295,7 +295,7 @@ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -621,10 +722,10 @@ +@@ -436,10 +537,10 @@ # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. 
@@ -308,7 +308,7 @@ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -647,10 +748,10 @@ +@@ -462,10 +563,10 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -321,7 +321,7 @@ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -659,10 +760,10 @@ +@@ -474,10 +575,10 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -334,7 +334,7 @@ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -686,11 +787,11 @@ +@@ -501,11 +602,11 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -348,7 +348,7 @@ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -700,11 +801,11 @@ +@@ -515,11 +616,11 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then