developer | 773a9c2 | 2023-10-13 12:08:31 +0800 | [diff] [blame] | 1 | --- a/feeds/packages/net/strongswan/Makefile |
| 2 | +++ b/feeds/packages/net/strongswan/Makefile |
| 3 | @@ -8,12 +8,12 @@ |
| 4 | include $(TOPDIR)/rules.mk |
| 5 | |
| 6 | PKG_NAME:=strongswan |
| 7 | -PKG_VERSION:=5.9.2 |
| 8 | -PKG_RELEASE:=3 |
| 9 | +PKG_VERSION:=5.9.11 |
| 10 | +PKG_RELEASE:=1 |
| 11 | |
| 12 | PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 |
| 13 | PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/ |
| 14 | -PKG_HASH:=61c72f741edb2c1295a7b7ccce0317a104b3f9d39efd04c52cd05b01b55ab063 |
| 15 | +PKG_HASH:=ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d |
| 16 | PKG_LICENSE:=GPL-2.0-or-later |
| 17 | PKG_MAINTAINER:=Philip Prindeville <philipp@redfish-solutions.com>, Noel Kuntze <noel.kuntze@thermi.consulting> |
| 18 | PKG_CPE_ID:=cpe:/a:strongswan:strongswan |
| 19 | @@ -25,8 +25,10 @@ PKG_MOD_AVAILABLE:= \ |
| 20 | agent \ |
| 21 | attr \ |
| 22 | attr-sql \ |
| 23 | + bliss \ |
| 24 | blowfish \ |
| 25 | ccm \ |
| 26 | + chapoly \ |
| 27 | cmac \ |
| 28 | constraints \ |
| 29 | connmark \ |
| 30 | @@ -37,6 +39,7 @@ PKG_MOD_AVAILABLE:= \ |
| 31 | des \ |
| 32 | dhcp \ |
| 33 | dnskey \ |
| 34 | + drbg \ |
| 35 | duplicheck \ |
| 36 | eap-identity \ |
| 37 | eap-md5 \ |
| 38 | @@ -52,15 +55,18 @@ PKG_MOD_AVAILABLE:= \ |
| 39 | gmpdh \ |
| 40 | ha \ |
| 41 | hmac \ |
| 42 | + kdf \ |
| 43 | kernel-libipsec \ |
| 44 | kernel-netlink \ |
| 45 | ldap \ |
| 46 | led \ |
| 47 | load-tester \ |
| 48 | - nonce \ |
| 49 | md4 \ |
| 50 | md5 \ |
| 51 | + mgf1 \ |
| 52 | mysql \ |
| 53 | + newhope \ |
| 54 | + ntru \ |
| 55 | openssl \ |
| 56 | pem \ |
| 57 | pgp \ |
| 58 | @@ -76,6 +82,7 @@ PKG_MOD_AVAILABLE:= \ |
| 59 | revocation \ |
| 60 | sha1 \ |
| 61 | sha2 \ |
| 62 | + sha3 \ |
| 63 | smp \ |
| 64 | socket-default \ |
| 65 | socket-dynamic \ |
| 66 | @@ -89,6 +96,7 @@ PKG_MOD_AVAILABLE:= \ |
| 67 | updown \ |
| 68 | vici \ |
| 69 | whitelist \ |
| 70 | + wolfssl \ |
| 71 | x509 \ |
| 72 | xauth-eap \ |
| 73 | xauth-generic \ |
| 74 | @@ -123,9 +131,17 @@ define Package/strongswan |
| 75 | $(call Package/strongswan/Default) |
| 76 | MENU:=1 |
| 77 | DEPENDS:= +libpthread +ip \ |
| 78 | + +kmod-crypto-aead \ |
| 79 | +kmod-crypto-authenc \ |
| 80 | - +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6 \ |
| 81 | - +kmod-ipt-ipsec +iptables-mod-ipsec |
| 82 | + +kmod-crypto-cbc \ |
| 83 | + +kmod-lib-zlib-inflate \ |
| 84 | + +kmod-lib-zlib-deflate \ |
| 85 | + +kmod-crypto-des \ |
| 86 | + +kmod-crypto-echainiv \ |
| 87 | + +kmod-crypto-hmac \ |
| 88 | + +kmod-crypto-md5 \ |
| 89 | + +kmod-crypto-sha1 \ |
| 90 | + +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6 |
| 91 | endef |
| 92 | |
| 93 | define Package/strongswan/config |
| 94 | @@ -144,14 +160,17 @@ $(call Package/strongswan/Default) |
| 95 | +strongswan-charon \ |
| 96 | +strongswan-charon-cmd \ |
| 97 | +strongswan-ipsec \ |
| 98 | + +strongswan-libnttfft \ |
| 99 | +strongswan-mod-addrblock \ |
| 100 | +strongswan-mod-aes \ |
| 101 | +strongswan-mod-af-alg \ |
| 102 | +strongswan-mod-agent \ |
| 103 | +strongswan-mod-attr \ |
| 104 | +strongswan-mod-attr-sql \ |
| 105 | + +strongswan-mod-bliss \ |
| 106 | +strongswan-mod-blowfish \ |
| 107 | +strongswan-mod-ccm \ |
| 108 | + +strongswan-mod-chapoly \ |
| 109 | +strongswan-mod-cmac \ |
| 110 | +strongswan-mod-constraints \ |
| 111 | +strongswan-mod-connmark \ |
| 112 | @@ -162,6 +181,7 @@ $(call Package/strongswan/Default) |
| 113 | +strongswan-mod-des \ |
| 114 | +strongswan-mod-dhcp \ |
| 115 | +strongswan-mod-dnskey \ |
| 116 | + +strongswan-mod-drbg \ |
| 117 | +strongswan-mod-duplicheck \ |
| 118 | +strongswan-mod-eap-identity \ |
| 119 | +strongswan-mod-eap-md5 \ |
| 120 | @@ -176,14 +196,17 @@ $(call Package/strongswan/Default) |
| 121 | +strongswan-mod-gmp \ |
| 122 | +strongswan-mod-ha \ |
| 123 | +strongswan-mod-hmac \ |
| 124 | + +strongswan-mod-kdf \ |
| 125 | +strongswan-mod-kernel-netlink \ |
| 126 | +strongswan-mod-ldap \ |
| 127 | +strongswan-mod-led \ |
| 128 | +strongswan-mod-load-tester \ |
| 129 | - +strongswan-mod-nonce \ |
| 130 | +strongswan-mod-md4 \ |
| 131 | +strongswan-mod-md5 \ |
| 132 | + +strongswan-mod-mgf1 \ |
| 133 | +strongswan-mod-mysql \ |
| 134 | + +strongswan-mod-newhope \ |
| 135 | + +strongswan-mod-ntru \ |
| 136 | +strongswan-mod-openssl \ |
| 137 | +strongswan-mod-pem \ |
| 138 | +strongswan-mod-pgp \ |
| 139 | @@ -199,6 +222,7 @@ $(call Package/strongswan/Default) |
| 140 | +strongswan-mod-revocation \ |
| 141 | +strongswan-mod-sha1 \ |
| 142 | +strongswan-mod-sha2 \ |
| 143 | + +strongswan-mod-sha3 \ |
| 144 | +strongswan-mod-smp \ |
| 145 | +strongswan-mod-socket-default \ |
| 146 | +strongswan-mod-sql \ |
| 147 | @@ -211,12 +235,12 @@ $(call Package/strongswan/Default) |
| 148 | +strongswan-mod-updown \ |
| 149 | +strongswan-mod-vici \ |
| 150 | +strongswan-mod-whitelist \ |
| 151 | + +strongswan-mod-wolfssl \ |
| 152 | +strongswan-mod-x509 \ |
| 153 | +strongswan-mod-xauth-eap \ |
| 154 | +strongswan-mod-xauth-generic \ |
| 155 | +strongswan-mod-xcbc \ |
| 156 | +strongswan-pki \ |
| 157 | - +strongswan-scepclient \ |
| 158 | +strongswan-swanctl \ |
| 159 | @DEVEL |
| 160 | endef |
| 161 | @@ -235,7 +259,6 @@ $(call Package/strongswan/Default) |
| 162 | TITLE+= (default) |
| 163 | DEPENDS:= strongswan \ |
| 164 | +strongswan-charon \ |
| 165 | - +strongswan-ipsec \ |
| 166 | +strongswan-mod-aes \ |
| 167 | +strongswan-mod-attr \ |
| 168 | +strongswan-mod-connmark \ |
| 169 | @@ -245,9 +268,10 @@ $(call Package/strongswan/Default) |
| 170 | +strongswan-mod-fips-prf \ |
| 171 | +strongswan-mod-gmp \ |
| 172 | +strongswan-mod-hmac \ |
developer | 69d8e02 | 2023-11-15 13:24:33 +0800 | [diff] [blame] | 173 | + +strongswan-mod-kdf \ |
developer | 773a9c2 | 2023-10-13 12:08:31 +0800 | [diff] [blame] | 174 | +strongswan-mod-kernel-netlink \ |
| 175 | +strongswan-mod-md5 \ |
| 176 | - +strongswan-mod-nonce \ |
| 177 | + +strongswan-mod-mgf1 \ |
| 178 | +strongswan-mod-pem \ |
| 179 | +strongswan-mod-pgp \ |
| 180 | +strongswan-mod-pkcs1 \ |
| 181 | @@ -260,11 +284,11 @@ $(call Package/strongswan/Default) |
| 182 | +strongswan-mod-sha2 \ |
| 183 | +strongswan-mod-socket-default \ |
| 184 | +strongswan-mod-sshkey \ |
| 185 | - +strongswan-mod-stroke \ |
| 186 | +strongswan-mod-updown \ |
| 187 | +strongswan-mod-x509 \ |
| 188 | +strongswan-mod-xauth-generic \ |
| 189 | - +strongswan-mod-xcbc |
| 190 | + +strongswan-mod-xcbc \ |
| 191 | + +strongswan-swanctl |
| 192 | endef |
| 193 | |
| 194 | define Package/strongswan-default/description |
| 195 | @@ -283,9 +307,10 @@ $(call Package/strongswan/Default) |
| 196 | +strongswan-mod-des \ |
| 197 | +strongswan-mod-gmpdh \ |
| 198 | +strongswan-mod-hmac \ |
| 199 | + @(PACKAGE_strongswan-mod-kdf||PACKAGE_strongswan-mod-openssl||PACKAGE_strongswan-mod-wolfssl) \ |
| 200 | +strongswan-mod-kernel-netlink \ |
| 201 | +strongswan-mod-md5 \ |
| 202 | - +strongswan-mod-nonce \ |
| 203 | + +strongswan-mod-mgf1 \ |
| 204 | +strongswan-mod-pubkey \ |
| 205 | +strongswan-mod-random \ |
| 206 | +strongswan-mod-sha1 \ |
| 207 | @@ -311,8 +336,9 @@ $(call Package/strongswan/Default) |
| 208 | +strongswan-mod-aes \ |
| 209 | +strongswan-mod-gmp \ |
| 210 | +strongswan-mod-hmac \ |
| 211 | + @(PACKAGE_strongswan-mod-kdf||PACKAGE_strongswan-mod-openssl||PACKAGE_strongswan-mod-wolfssl) \ |
| 212 | +strongswan-mod-kernel-netlink \ |
| 213 | - +strongswan-mod-nonce \ |
| 214 | + +strongswan-mod-mgf1 \ |
| 215 | +strongswan-mod-pubkey \ |
| 216 | +strongswan-mod-random \ |
| 217 | +strongswan-mod-sha1 \ |
| 218 | @@ -361,26 +387,26 @@ $(call Package/strongswan/description/De |
| 219 | This package contains the ipsec utility. |
| 220 | endef |
| 221 | |
| 222 | -define Package/strongswan-pki |
| 223 | +define Package/strongswan-libnttfft |
| 224 | $(call Package/strongswan/Default) |
| 225 | - TITLE+= PKI tool |
| 226 | + TITLE+= nttfft library |
| 227 | DEPENDS:= strongswan |
| 228 | endef |
| 229 | |
| 230 | -define Package/strongswan-pki/description |
| 231 | +define Package/strongswan-libnttfft/description |
| 232 | $(call Package/strongswan/description/Default) |
| 233 | - This package contains the pki tool. |
| 234 | + This package contains the Number Theoretic Transforms library. |
| 235 | endef |
| 236 | |
| 237 | -define Package/strongswan-scepclient |
| 238 | +define Package/strongswan-pki |
| 239 | $(call Package/strongswan/Default) |
| 240 | - TITLE+= SCEP client |
| 241 | - DEPENDS:= strongswan |
| 242 | + TITLE+= PKI tool |
| 243 | + DEPENDS:= strongswan strongswan-libtls |
| 244 | endef |
| 245 | |
| 246 | -define Package/strongswan-scepclient/description |
| 247 | +define Package/strongswan-pki/description |
| 248 | $(call Package/strongswan/description/Default) |
| 249 | - This package contains the SCEP client. |
| 250 | + This package contains the pki tool. |
| 251 | endef |
| 252 | |
| 253 | define Package/strongswan-swanctl |
| 254 | @@ -394,6 +420,17 @@ $(call Package/strongswan/description/De |
| 255 | This package contains the swanctl utility. |
| 256 | endef |
| 257 | |
| 258 | +define Package/strongswan-gencerts |
| 259 | +$(call Package/strongswan/Default) |
| 260 | + TITLE+= X.509 certificate generation utility |
| 261 | + DEPENDS:= strongswan +strongswan-pki bash |
| 262 | +endef |
| 263 | + |
| 264 | +define Package/strongswan-gencerts/description |
| 265 | +$(call Package/strongswan/description/Default) |
| 266 | + This package contains the X.509 certificate generation utility. |
| 267 | +endef |
| 268 | + |
| 269 | define Package/strongswan-libtls |
| 270 | $(call Package/strongswan/Default) |
| 271 | TITLE+= libtls |
| 272 | @@ -430,11 +467,12 @@ CONFIGURE_ARGS+= \ |
| 273 | --disable-scripts \ |
| 274 | --disable-static \ |
| 275 | --disable-fast \ |
| 276 | + --enable-nonce \ |
| 277 | + --enable-mgf1 \ |
| 278 | --enable-mediation \ |
| 279 | --with-systemdsystemunitdir=no \ |
| 280 | $(if $(CONFIG_PACKAGE_strongswan-charon-cmd),--enable-cmd,--disable-cmd) \ |
| 281 | $(if $(CONFIG_PACKAGE_strongswan-pki),--enable-pki,--disable-pki) \ |
| 282 | - $(if $(CONFIG_PACKAGE_strongswan-scepclient),--enable-scepclient,--disable-scepclient) \ |
| 283 | --with-random-device=/dev/random \ |
| 284 | --with-urandom-device=/dev/urandom \ |
| 285 | --with-routing-table="$(call qstrip,$(CONFIG_STRONGSWAN_ROUTING_TABLE))" \ |
| 286 | @@ -444,8 +482,6 @@ CONFIGURE_ARGS+= \ |
| 287 | ) \ |
| 288 | ac_cv_search___atomic_load=no |
| 289 | |
| 290 | -EXTRA_LDFLAGS+= -Wl,-rpath-link,$(STAGING_DIR)/usr/lib |
| 291 | - |
| 292 | define Package/strongswan/conffiles |
| 293 | /etc/strongswan.conf |
| 294 | /etc/strongswan.d/ |
| 295 | @@ -455,8 +491,11 @@ define Package/strongswan/install |
| 296 | $(INSTALL_DIR) $(1)/etc |
| 297 | $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/ |
| 298 | echo -e "\ninclude /var/ipsec/strongswan.conf" >> $(1)/etc/strongswan.conf |
| 299 | - $(INSTALL_DIR) $(1)/usr/lib/ipsec |
| 300 | + $(INSTALL_DIR) $(1)/etc/strongswan.d/charon |
| 301 | + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/strongswan.d/charon/nonce.conf $(1)/etc/strongswan.d/charon/ |
| 302 | + $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins |
| 303 | $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/ |
| 304 | + $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-nonce.so $(1)/usr/lib/ipsec/plugins/ |
| 305 | endef |
| 306 | |
| 307 | define Package/strongswan-default/install |
| 308 | @@ -518,6 +557,11 @@ opkg list-changed-conffiles | grep -qx / |
| 309 | } |
| 310 | endef |
| 311 | |
| 312 | +define Package/strongswan-libnttfft/install |
| 313 | + $(INSTALL_DIR) $(1)/usr/lib/ipsec |
| 314 | + $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libnttfft.so.* $(1)/usr/lib/ipsec/ |
| 315 | +endef |
| 316 | + |
| 317 | define Package/strongswan-pki/install |
| 318 | $(INSTALL_DIR) $(1)/etc/strongswan.d |
| 319 | $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/pki.conf $(1)/etc/strongswan.d/ |
| 320 | @@ -525,14 +569,8 @@ define Package/strongswan-pki/install |
| 321 | $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pki $(1)/usr/bin/ |
| 322 | endef |
| 323 | |
| 324 | -define Package/strongswan-scepclient/install |
| 325 | - $(INSTALL_DIR) $(1)/etc/strongswan.d |
| 326 | - $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/scepclient.conf $(1)/etc/strongswan.d/ |
| 327 | - $(INSTALL_DIR) $(1)/usr/lib/ipsec |
| 328 | - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/scepclient $(1)/usr/lib/ipsec/ |
| 329 | -endef |
| 330 | - |
| 331 | define Package/strongswan-swanctl/conffiles |
| 332 | +/etc/config/ipsec |
| 333 | /etc/swanctl/ |
| 334 | endef |
| 335 | |
| 336 | @@ -547,6 +585,11 @@ define Package/strongswan-swanctl/instal |
| 337 | $(INSTALL_BIN) ./files/swanctl.init $(1)/etc/init.d/swanctl |
| 338 | endef |
| 339 | |
| 340 | +define Package/strongswan-gencerts/install |
| 341 | + $(INSTALL_DIR) $(1)/usr/bin |
| 342 | + $(INSTALL_BIN) ./files/gencerts.sh $(1)/usr/bin/gencerts |
| 343 | +endef |
| 344 | + |
| 345 | define Package/strongswan-libtls/install |
| 346 | $(INSTALL_DIR) $(1)/usr/lib/ipsec |
| 347 | $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libtls.so.* $(1)/usr/lib/ipsec/ |
| 348 | @@ -570,14 +613,7 @@ define Plugin/attr-sql/install |
| 349 | endef |
| 350 | |
| 351 | define Plugin/stroke/install |
| 352 | - $(INSTALL_DIR) $(1)/etc/ipsec.d/aacerts |
| 353 | - $(INSTALL_DIR) $(1)/etc/ipsec.d/acerts |
| 354 | - $(INSTALL_DIR) $(1)/etc/ipsec.d/cacerts |
| 355 | - $(INSTALL_DIR) $(1)/etc/ipsec.d/certs |
| 356 | - $(INSTALL_DIR) $(1)/etc/ipsec.d/crls |
| 357 | - $(INSTALL_DIR) $(1)/etc/ipsec.d/ocspcerts |
| 358 | - $(INSTALL_DIR) $(1)/etc/ipsec.d/private |
| 359 | - $(INSTALL_DIR) $(1)/etc/ipsec.d/reqs |
| 360 | + $(INSTALL_DIR) $(1)/etc/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private,reqs} |
| 361 | |
| 362 | $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins |
| 363 | $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{starter,stroke} $(1)/usr/lib/ipsec/ |
| 364 | @@ -618,9 +654,10 @@ $(eval $(call BuildPackage,strongswan-is |
| 365 | $(eval $(call BuildPackage,strongswan-charon)) |
| 366 | $(eval $(call BuildPackage,strongswan-charon-cmd)) |
| 367 | $(eval $(call BuildPackage,strongswan-ipsec)) |
| 368 | +$(eval $(call BuildPackage,strongswan-libnttfft)) |
| 369 | $(eval $(call BuildPackage,strongswan-pki)) |
| 370 | -$(eval $(call BuildPackage,strongswan-scepclient)) |
| 371 | $(eval $(call BuildPackage,strongswan-swanctl)) |
| 372 | +$(eval $(call BuildPackage,strongswan-gencerts)) |
| 373 | $(eval $(call BuildPackage,strongswan-libtls)) |
| 374 | $(eval $(call BuildPlugin,addrblock,RFC 3779 address block constraint support,)) |
| 375 | $(eval $(call BuildPlugin,aes,AES crypto,)) |
| 376 | @@ -628,10 +665,12 @@ $(eval $(call BuildPlugin,af-alg,AF_ALG |
| 377 | $(eval $(call BuildPlugin,agent,SSH agent signing,)) |
| 378 | $(eval $(call BuildPlugin,attr,file based config,)) |
| 379 | $(eval $(call BuildPlugin,attr-sql,SQL based config,+strongswan-charon)) |
| 380 | +$(eval $(call BuildPlugin,bliss,BLISS crypto,+strongswan-libnttfft +strongswan-mod-mgf1 +strongswan-mod-hmac)) |
| 381 | $(eval $(call BuildPlugin,blowfish,Blowfish crypto,)) |
| 382 | $(eval $(call BuildPlugin,ccm,CCM AEAD wrapper crypto,)) |
| 383 | +$(eval $(call BuildPlugin,chapoly,ChaCha20-Poly1305 AEAD crypto,+kmod-crypto-chacha20poly1305)) |
| 384 | $(eval $(call BuildPlugin,cmac,CMAC crypto,)) |
| 385 | -$(eval $(call BuildPlugin,connmark,netfilter connection marking,)) |
| 386 | +$(eval $(call BuildPlugin,connmark,netfilter connection marking,+libip4tc)) |
| 387 | $(eval $(call BuildPlugin,constraints,advanced X509 constraint checking,)) |
| 388 | $(eval $(call BuildPlugin,coupling,IKEv2 plugin to couple peer certificates permanently to authentication,)) |
| 389 | $(eval $(call BuildPlugin,ctr,Counter Mode wrapper crypto,)) |
| 390 | @@ -640,6 +679,7 @@ $(eval $(call BuildPlugin,curve25519,Cur |
| 391 | $(eval $(call BuildPlugin,des,DES crypto,)) |
| 392 | $(eval $(call BuildPlugin,dhcp,DHCP based attribute provider,)) |
| 393 | $(eval $(call BuildPlugin,dnskey,DNS RR key decoding,)) |
| 394 | +$(eval $(call BuildPlugin,drbg,Deterministic random bit generator,,)) |
| 395 | $(eval $(call BuildPlugin,duplicheck,advanced duplicate checking,)) |
| 396 | $(eval $(call BuildPlugin,eap-identity,EAP identity helper,)) |
| 397 | $(eval $(call BuildPlugin,eap-md5,EAP MD5 (CHAP) EAP auth,)) |
| 398 | @@ -648,22 +688,25 @@ $(eval $(call BuildPlugin,eap-radius,EAP |
| 399 | $(eval $(call BuildPlugin,eap-tls,EAP TLS auth,+strongswan-libtls)) |
| 400 | $(eval $(call BuildPlugin,farp,fake arp respsonses,)) |
| 401 | $(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1)) |
| 402 | -$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+kmod-ipt-conntrack-extra)) |
| 403 | +$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+libip4tc +kmod-ipt-conntrack-extra)) |
| 404 | $(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,)) |
| 405 | $(eval $(call BuildPlugin,gcrypt,libgcrypt,+PACKAGE_strongswan-mod-gcrypt:libgcrypt)) |
| 406 | $(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp)) |
| 407 | $(eval $(call BuildPlugin,gmpdh,DH-Groups; no libgmp dep,)) |
| 408 | $(eval $(call BuildPlugin,ha,high availability cluster,)) |
| 409 | $(eval $(call BuildPlugin,hmac,HMAC crypto,)) |
| 410 | +$(eval $(call BuildPlugin,kdf,KDF/PRF+,)) |
| 411 | $(eval $(call BuildPlugin,kernel-libipsec,libipsec kernel interface,)) |
| 412 | $(eval $(call BuildPlugin,kernel-netlink,netlink kernel interface,)) |
| 413 | $(eval $(call BuildPlugin,ldap,LDAP,+PACKAGE_strongswan-mod-ldap:libopenldap)) |
| 414 | $(eval $(call BuildPlugin,led,LED blink on IKE activity,)) |
| 415 | $(eval $(call BuildPlugin,load-tester,load testing,)) |
| 416 | -$(eval $(call BuildPlugin,nonce,nonce genereation,)) |
| 417 | $(eval $(call BuildPlugin,md4,MD4 crypto,)) |
| 418 | $(eval $(call BuildPlugin,md5,MD5 crypto,)) |
| 419 | +$(eval $(call BuildPlugin,mgf1,MGF1 crypto,)) |
| 420 | $(eval $(call BuildPlugin,mysql,MySQL database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-mysql:libmysqlclient-r)) |
| 421 | +$(eval $(call BuildPlugin,newhope,New Hope crypto,+strongswan-libnttfft +strongswan-mod-chapoly +strongswan-mod-sha3)) |
| 422 | +$(eval $(call BuildPlugin,ntru,NTRU crypto,+strongswan-mod-mgf1)) |
| 423 | $(eval $(call BuildPlugin,openssl,OpenSSL crypto,+PACKAGE_strongswan-mod-openssl:libopenssl)) |
| 424 | $(eval $(call BuildPlugin,pem,PEM decoding,)) |
| 425 | $(eval $(call BuildPlugin,pgp,PGP key decoding,)) |
| 426 | @@ -679,6 +722,7 @@ $(eval $(call BuildPlugin,resolve,DNS re |
| 427 | $(eval $(call BuildPlugin,revocation,X509 CRL/OCSP revocation,)) |
| 428 | $(eval $(call BuildPlugin,sha1,SHA1 crypto,)) |
| 429 | $(eval $(call BuildPlugin,sha2,SHA2 crypto,)) |
| 430 | +$(eval $(call BuildPlugin,sha3,SHA3 and SHAKE crypto,)) |
| 431 | $(eval $(call BuildPlugin,smp,SMP configuration and control interface,+PACKAGE_strongswan-mod-smp:libxml2)) |
| 432 | $(eval $(call BuildPlugin,socket-default,default socket implementation for charon,)) |
| 433 | $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charon,)) |
| 434 | @@ -689,9 +733,10 @@ $(eval $(call BuildPlugin,stroke,Stroke, |
| 435 | $(eval $(call BuildPlugin,test-vectors,crypto test vectors,)) |
| 436 | $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci)) |
| 437 | $(eval $(call BuildPlugin,unity,Cisco Unity extension,)) |
| 438 | -$(eval $(call BuildPlugin,updown,updown firewall,)) |
| 439 | +$(eval $(call BuildPlugin,updown,updown firewall,+iptables +IPV6:ip6tables +iptables-mod-ipsec +kmod-ipt-ipsec)) |
| 440 | $(eval $(call BuildPlugin,vici,Versatile IKE Configuration Interface,)) |
| 441 | $(eval $(call BuildPlugin,whitelist,peer identity whitelisting,)) |
| 442 | +$(eval $(call BuildPlugin,wolfssl,WolfSSL crypto,+PACKAGE_strongswan-mod-wolfssl:libwolfssl)) |
| 443 | $(eval $(call BuildPlugin,x509,x509 certificate,)) |
| 444 | $(eval $(call BuildPlugin,xauth-eap,EAP XAuth backend,)) |
| 445 | $(eval $(call BuildPlugin,xauth-generic,generic XAuth backend,)) |
| 446 | --- /dev/null |
| 447 | +++ b/feeds/packages/net/strongswan/files/gencerts.sh |
| 448 | @@ -0,0 +1,155 @@ |
| 449 | +#!/bin/sh |
| 450 | + |
| 451 | +# |
| 452 | +# see: |
| 453 | +# https://www.howtoforge.com/tutorial/strongswan-based-ipsec-vpn-using-certificates-and-pre-shared-key-on-ubuntu-16-04/ |
| 454 | +# |
| 455 | + |
| 456 | +PROG=$(basename "$0") |
| 457 | + |
| 458 | +[ -z "$EUID" ] && EUID=$(id -u) |
| 459 | + |
| 460 | +if [ $# -lt 5 ]; then |
| 461 | + echo "Usage: $PROG { -s | -c | -u } country domain organization identities [ ... ]" >&2 |
| 462 | + exit 1 |
| 463 | +fi |
| 464 | + |
| 465 | +case "$1" in |
| 466 | +-s) |
| 467 | + S_OPT=1 ;; |
| 468 | +-c) |
| 469 | + C_OPT=1 ;; |
| 470 | +-u) |
| 471 | + U_OPT=1 ;; |
| 472 | +*) |
| 473 | + echo "$PROG: require an option specifying server/client/user credential type" >&2 |
| 474 | + exit 1 |
| 475 | + ;; |
| 476 | +esac |
| 477 | +shift |
| 478 | + |
| 479 | +C="$1"; shift |
| 480 | +DOMAIN="$1"; shift |
| 481 | +SHORT_DOMAIN="${DOMAIN%%.*}" |
| 482 | +ORG="$1"; shift |
| 483 | + |
| 484 | +# invariants... |
| 485 | +SYSCONFDIR=/etc |
| 486 | +SWANCTL_DIR="$SYSCONFDIR/swanctl" |
| 487 | +: ${KEYINFO:="rsa:4096"} |
| 488 | +: ${CADAYS:=3650} |
| 489 | +: ${CRTDAYS:=730} |
| 490 | + |
| 491 | +makeDN() |
| 492 | +{ |
| 493 | + printf "C=%s, O=%s, CN=%s" "$1" "$2" "$3" |
| 494 | +} |
| 495 | + |
| 496 | +field() |
| 497 | +{ |
| 498 | + local arg="$1" |
| 499 | + local nth="$2" |
| 500 | + |
| 501 | + echo "$arg" | cut -d ':' -f "$nth" |
| 502 | +} |
| 503 | + |
| 504 | +genmasterkey() |
| 505 | +{ |
| 506 | + local keytype keybits |
| 507 | + |
| 508 | + keytype=$(field "$KEYINFO" 1) |
| 509 | + keybits=$(field "$KEYINFO" 2) |
| 510 | + |
| 511 | + pki --gen --type "$keytype" --size "$keybits" --outform pem > "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" |
| 512 | + chmod 0400 "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" |
| 513 | +} |
| 514 | + |
| 515 | +genca() |
| 516 | +{ |
| 517 | + local keytype |
| 518 | + |
| 519 | + keytype=$(field "$KEYINFO" 1) |
| 520 | + |
| 521 | + pki --self --ca --lifetime "$CADAYS" --in "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" --type "$keytype" \ |
| 522 | + --dn "$ROOTDN" --outform pem > "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" |
| 523 | + chmod 0444 "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" |
| 524 | +} |
| 525 | + |
| 526 | +genclientkey() |
| 527 | +{ |
| 528 | + local name="$1" keytype keybits |
| 529 | + |
| 530 | + keytype=$(field "$KEYINFO" 1) |
| 531 | + keybits=$(field "$KEYINFO" 2) |
| 532 | + |
| 533 | + pki --gen --type "$keytype" --size "$keybits" --outform pem > "$SWANCTL_DIR/private/$name.key" |
| 534 | + chmod 0400 "$SWANCTL_DIR/private/$name.key" |
| 535 | +} |
| 536 | + |
| 537 | +gendevcert() |
| 538 | +{ |
| 539 | + local dn="$1" |
| 540 | + local san="$2" |
| 541 | + local name="$3" |
| 542 | + |
| 543 | + # reads key from input |
| 544 | + pki --issue --lifetime "$CRTDAYS" \ |
| 545 | + --cacert "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" \ |
| 546 | + --cakey "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" \ |
| 547 | + --dn "$dn" --san "$san" \ |
| 548 | + ${S_OPT:+--flag serverAuth} \ |
| 549 | + ${S_OPT:---flag clientAuth} \ |
| 550 | + --flag ikeIntermediate \ |
| 551 | + --outform pem > "$SWANCTL_DIR/x509/$name.crt" |
| 552 | + chmod 0444 "$SWANCTL_DIR/x509/$name.crt" |
| 553 | +} |
| 554 | + |
| 555 | +gendev() |
| 556 | +{ |
| 557 | + local keytype |
| 558 | + |
| 559 | + keytype=$(field "$KEYINFO" 1) |
| 560 | + |
| 561 | + [ -f "$SWANCTL_DIR/private/$NAME.key" ] || genclientkey "$NAME" |
| 562 | + |
| 563 | + [ -f "$SWANCTL_DIR/x509/$NAME.crt" ] || \ |
| 564 | + pki --pub --in "$SWANCTL_DIR/private/$NAME.key" --type "$keytype" \ |
| 565 | + | gendevcert "$DEVDN" "$DEVSAN" "$NAME" |
| 566 | +} |
| 567 | + |
| 568 | +setparams() |
| 569 | +{ |
| 570 | + NAME="$1" |
| 571 | + |
| 572 | + if [ -n "$U_OPT" ]; then |
| 573 | + DEVSAN="$NAME@$DOMAIN" |
| 574 | + DEVDN="$(makeDN "$C" "$ORG" "$DEVSAN")" |
| 575 | + else |
| 576 | + DEVSAN="$NAME.$DOMAIN" |
| 577 | + DEVDN="$(makeDN "$C" "$ORG" "$NAME")" |
| 578 | + fi |
| 579 | +} |
| 580 | + |
| 581 | +umask 077 |
| 582 | + |
| 583 | +[ "$EUID" -eq 0 ] || { echo "Must run as root!" >&2 ; exit 1; } |
| 584 | + |
| 585 | +ROOTDN="$(makeDN "$C" "$ORG" "Root CA")" |
| 586 | + |
| 587 | +[ -f "$SWANCTL_DIR/private/$SHORT_DOMAIN.key" ] || genmasterkey |
| 588 | + |
| 589 | +[ -f "$SWANCTL_DIR/x509ca/$SHORT_DOMAIN.crt" ] || genca |
| 590 | + |
| 591 | +PARENT="$SYSCONFDIR" |
| 592 | +BASEDIR="${SWANCTL_DIR##$PARENT/}" |
| 593 | + |
| 594 | +for name in "$@"; do |
| 595 | + setparams "$name" |
| 596 | + gendev |
| 597 | + |
| 598 | + tar -zcf "$name-certs.tar.gz" -C "$PARENT" "$BASEDIR/x509ca/$SHORT_DOMAIN.crt" "$BASEDIR/x509/$name.crt" "$BASEDIR/private/$name.key" |
| 599 | + chmod 600 "$name-certs.tar.gz" |
| 600 | + echo "Generated as $name-certs.tar.gz" |
| 601 | +done |
| 602 | + |
| 603 | +exit 0 |
| 604 | --- a/feeds/packages/net/strongswan/files/ipsec.init |
| 605 | +++ b/feeds/packages/net/strongswan/files/ipsec.init |
| 606 | @@ -354,6 +354,8 @@ service_triggers() { |
| 607 | start_service() { |
| 608 | prepare_env |
| 609 | |
| 610 | + warning "Strongswan is deprecating the ipsec CLI; please migrate to swanctl." |
| 611 | + |
| 612 | [ $WAIT_FOR_INTF -eq 1 ] && return |
| 613 | |
| 614 | procd_open_instance |
| 615 | --- a/feeds/packages/net/strongswan/files/swanctl.init |
| 616 | +++ b/feeds/packages/net/strongswan/files/swanctl.init |
| 617 | @@ -4,7 +4,7 @@ START=90 |
| 618 | STOP=10 |
| 619 | |
| 620 | USE_PROCD=1 |
| 621 | -PROG=/usr/lib/ipsec/starter |
| 622 | +PROG=/usr/lib/ipsec/charon |
| 623 | |
| 624 | . $IPKG_INSTROOT/lib/functions.sh |
| 625 | . $IPKG_INSTROOT/lib/functions/network.sh |
| 626 | @@ -17,8 +17,9 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanc |
| 627 | |
| 628 | WAIT_FOR_INTF=0 |
| 629 | |
| 630 | -time2seconds() |
| 631 | -{ |
| 632 | +CONFIG_FAIL=0 |
| 633 | + |
| 634 | +time2seconds() { |
| 635 | local timestring="$1" |
| 636 | local multiplier number suffix |
| 637 | |
| 638 | @@ -40,8 +41,7 @@ time2seconds() |
| 639 | echo $(( number * multiplier )) |
| 640 | } |
| 641 | |
| 642 | -seconds2time() |
| 643 | -{ |
| 644 | +seconds2time() { |
| 645 | local seconds="$1" |
| 646 | |
| 647 | if [ $seconds -eq 0 ]; then |
| 648 | @@ -63,9 +63,12 @@ file_reset() { |
| 649 | |
| 650 | xappend() { |
| 651 | local file="$1" |
| 652 | - shift |
| 653 | + local indent="$2" |
| 654 | + shift 2 |
| 655 | |
| 656 | - echo "$@" >> "$file" |
| 657 | + for cmd in "$@"; do |
| 658 | + echo "$indent$cmd" >> "$file" |
| 659 | + done |
| 660 | } |
| 661 | |
| 662 | swan_reset() { |
| 663 | @@ -77,23 +80,23 @@ swan_xappend() { |
| 664 | } |
| 665 | |
| 666 | swan_xappend0() { |
| 667 | - swan_xappend "$@" |
| 668 | + swan_xappend "" "$@" |
| 669 | } |
| 670 | |
| 671 | swan_xappend1() { |
| 672 | - swan_xappend " ""$@" |
| 673 | + swan_xappend " " "$@" |
| 674 | } |
| 675 | |
| 676 | swan_xappend2() { |
| 677 | - swan_xappend " ""$@" |
| 678 | + swan_xappend " " "$@" |
| 679 | } |
| 680 | |
| 681 | swan_xappend3() { |
| 682 | - swan_xappend " ""$@" |
| 683 | + swan_xappend " " "$@" |
| 684 | } |
| 685 | |
| 686 | swan_xappend4() { |
| 687 | - swan_xappend " ""$@" |
| 688 | + swan_xappend " " "$@" |
| 689 | } |
| 690 | |
| 691 | swanctl_reset() { |
| 692 | @@ -105,52 +108,66 @@ swanctl_xappend() { |
| 693 | } |
| 694 | |
| 695 | swanctl_xappend0() { |
| 696 | - swanctl_xappend "$@" |
| 697 | + swanctl_xappend "" "$@" |
| 698 | } |
| 699 | |
| 700 | swanctl_xappend1() { |
| 701 | - swanctl_xappend " ""$@" |
| 702 | + swanctl_xappend " " "$@" |
| 703 | } |
| 704 | |
| 705 | swanctl_xappend2() { |
| 706 | - swanctl_xappend " ""$@" |
| 707 | + swanctl_xappend " " "$@" |
| 708 | } |
| 709 | |
| 710 | swanctl_xappend3() { |
| 711 | - swanctl_xappend " ""$@" |
| 712 | + swanctl_xappend " " "$@" |
| 713 | } |
| 714 | |
| 715 | swanctl_xappend4() { |
| 716 | - swanctl_xappend " ""$@" |
| 717 | + swanctl_xappend " " "$@" |
| 718 | } |
| 719 | |
| 720 | warning() { |
| 721 | echo "WARNING: $@" >&2 |
| 722 | } |
| 723 | |
| 724 | +fatal() { |
| 725 | + echo "ERROR: $@" >&2 |
| 726 | + CONFIG_FAIL=1 |
| 727 | +} |
| 728 | + |
| 729 | +append_var() { |
| 730 | + local var="$2" value="$1" delim="${3:- }" |
| 731 | + append "$var" "$value" "$delim" |
| 732 | +} |
| 733 | + |
| 734 | is_aead() { |
| 735 | local cipher="$1" |
| 736 | |
| 737 | case "$cipher" in |
| 738 | aes*gcm*|aes*ccm*|aes*gmac*) |
| 739 | return 0 ;; |
| 740 | + chacha20poly1305) |
| 741 | + return 0 ;; |
| 742 | esac |
| 743 | |
| 744 | return 1 |
| 745 | } |
| 746 | |
| 747 | -add_esp_proposal() { |
| 748 | +config_esp_proposal() { |
| 749 | + local conf="$1" |
| 750 | + |
| 751 | local encryption_algorithm |
| 752 | local hash_algorithm |
| 753 | local dh_group |
| 754 | |
| 755 | - config_get encryption_algorithm "$1" encryption_algorithm |
| 756 | - config_get hash_algorithm "$1" hash_algorithm |
| 757 | - config_get dh_group "$1" dh_group |
| 758 | + config_get encryption_algorithm "$conf" encryption_algorithm |
| 759 | + config_get hash_algorithm "$conf" hash_algorithm |
| 760 | + config_get dh_group "$conf" dh_group |
| 761 | |
| 762 | # check for AEAD and clobber hash_algorithm if set |
| 763 | if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then |
| 764 | - warning "Can't have $hash_algorithm with $encryption_algorithm" |
| 765 | + fatal "Can't have $hash_algorithm with $encryption_algorithm" |
| 766 | hash_algorithm= |
| 767 | fi |
| 768 | |
| 769 | @@ -158,29 +175,33 @@ add_esp_proposal() { |
| 770 | crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}" |
| 771 | } |
| 772 | |
| 773 | -parse_esp_proposal() { |
| 774 | +iter_esp_proposal() { |
| 775 | local conf="$1" |
| 776 | + local var="$2" |
| 777 | + |
| 778 | local crypto="" |
| 779 | |
| 780 | - config_list_foreach "$conf" crypto_proposal add_esp_proposal |
| 781 | + config_list_foreach "$conf" crypto_proposal config_esp_proposal |
| 782 | |
| 783 | - echo "$crypto" |
| 784 | + export -n "$var=$crypto" |
| 785 | } |
| 786 | |
| 787 | -add_ike_proposal() { |
| 788 | +config_ike_proposal() { |
| 789 | + local conf="$1" |
| 790 | + |
| 791 | local encryption_algorithm |
| 792 | local hash_algorithm |
| 793 | local dh_group |
| 794 | local prf_algorithm |
| 795 | |
| 796 | - config_get encryption_algorithm "$1" encryption_algorithm |
| 797 | - config_get hash_algorithm "$1" hash_algorithm |
| 798 | - config_get dh_group "$1" dh_group |
| 799 | - config_get prf_algorithm "$1" prf_algorithm |
| 800 | + config_get encryption_algorithm "$conf" encryption_algorithm |
| 801 | + config_get hash_algorithm "$conf" hash_algorithm |
| 802 | + config_get dh_group "$conf" dh_group |
| 803 | + config_get prf_algorithm "$conf" prf_algorithm |
| 804 | |
| 805 | # check for AEAD and clobber hash_algorithm if set |
| 806 | if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then |
| 807 | - warning "Can't have $hash_algorithm with $encryption_algorithm" |
| 808 | + fatal "Can't have $hash_algorithm with $encryption_algorithm" |
| 809 | hash_algorithm= |
| 810 | fi |
| 811 | |
| 812 | @@ -188,47 +209,65 @@ add_ike_proposal() { |
| 813 | crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${prf_algorithm:+-${prf_algorithm}}${dh_group:+-${dh_group}}" |
| 814 | } |
| 815 | |
| 816 | -parse_ike_proposal() { |
| 817 | +iter_ike_proposal() { |
| 818 | local conf="$1" |
| 819 | + local var="$2" |
| 820 | + |
| 821 | local crypto="" |
| 822 | |
| 823 | - config_list_foreach "$conf" crypto_proposal add_ike_proposal |
| 824 | + config_list_foreach "$conf" crypto_proposal config_ike_proposal |
| 825 | |
| 826 | - echo "$crypto" |
| 827 | + export -n "$var=$crypto" |
| 828 | } |
| 829 | |
| 830 | -config_conn() { |
| 831 | +config_child() { |
| 832 | # Generic ipsec conn section shared by tunnel and transport |
| 833 | - local config_name="$1" |
| 834 | + local conf="$1" |
| 835 | local mode="$2" |
| 836 | |
| 837 | + local hw_offload |
| 838 | + local interface |
| 839 | + local ipcomp |
| 840 | + local priority |
| 841 | local local_subnet |
| 842 | local local_nat |
| 843 | local updown |
| 844 | local firewall |
| 845 | local remote_subnet |
| 846 | - local remote_sourceip |
| 847 | local lifetime |
| 848 | local dpdaction |
| 849 | local closeaction |
| 850 | local startaction |
| 851 | local if_id |
| 852 | local rekeytime |
| 853 | + local rekeybytes |
| 854 | + local lifebytes |
| 855 | + local rekeypackets |
| 856 | + local lifepackets |
| 857 | + |
| 858 | + config_get startaction "$conf" startaction "route" |
| 859 | + config_get local_nat "$conf" local_nat "" |
| 860 | + config_get updown "$conf" updown "" |
| 861 | + config_get firewall "$conf" firewall "" |
| 862 | + config_get lifetime "$conf" lifetime "" |
| 863 | + config_get dpdaction "$conf" dpdaction "none" |
| 864 | + config_get closeaction "$conf" closeaction "none" |
| 865 | + config_get if_id "$conf" if_id "" |
| 866 | + config_get rekeytime "$conf" rekeytime "" |
| 867 | + config_get_bool ipcomp "$conf" ipcomp 0 |
| 868 | + config_get interface "$conf" interface "" |
| 869 | + config_get hw_offload "$conf" hw_offload "" |
| 870 | + config_get priority "$conf" priority "" |
| 871 | + config_get rekeybytes "$conf" rekeybytes "" |
| 872 | + config_get lifebytes "$conf" lifebytes "" |
| 873 | + config_get rekeypackets "$conf" rekeypackets "" |
| 874 | + config_get lifepackets "$conf" lifepackets "" |
| 875 | |
| 876 | - config_get startaction "$1" startaction "route" |
| 877 | - config_get local_subnet "$1" local_subnet "" |
| 878 | - config_get local_nat "$1" local_nat "" |
| 879 | - config_get updown "$1" updown "" |
| 880 | - config_get firewall "$1" firewall "" |
| 881 | - config_get remote_subnet "$1" remote_subnet "" |
| 882 | - config_get remote_sourceip "$1" remote_sourceip "" |
| 883 | - config_get lifetime "$1" lifetime "" |
| 884 | - config_get dpdaction "$1" dpdaction "none" |
| 885 | - config_get closeaction "$1" closeaction "none" |
| 886 | - config_get if_id "$1" if_id "" |
| 887 | - config_get rekeytime "$1" rekeytime "" |
| 888 | + config_list_foreach "$conf" local_subnet append_var local_subnet "," |
| 889 | + config_list_foreach "$conf" remote_subnet append_var remote_subnet "," |
| 890 | |
| 891 | - local esp_proposal="$(parse_esp_proposal "$1")" |
| 892 | + local esp_proposal |
| 893 | + iter_esp_proposal "$conf" esp_proposal |
| 894 | |
| 895 | # translate from ipsec to swanctl |
| 896 | case "$startaction" in |
| 897 | @@ -240,7 +279,7 @@ config_conn() { |
| 898 | # already using new syntax |
| 899 | ;; |
| 900 | *) |
| 901 | - warning "Startaction $startaction unknown" |
| 902 | + fatal "Startaction $startaction unknown" |
| 903 | startaction= |
| 904 | ;; |
| 905 | esac |
| 906 | @@ -256,7 +295,7 @@ config_conn() { |
| 907 | # already using new syntax |
| 908 | ;; |
| 909 | *) |
| 910 | - warning "Closeaction $closeaction unknown" |
| 911 | + fatal "Closeaction $closeaction unknown" |
| 912 | closeaction= |
| 913 | ;; |
| 914 | esac |
| 915 | @@ -278,18 +317,32 @@ config_conn() { |
| 916 | # already using new syntax |
| 917 | ;; |
| 918 | *) |
| 919 | - warning "Dpdaction $dpdaction unknown" |
| 920 | + fatal "Dpdaction $dpdaction unknown" |
| 921 | dpdaction= |
| 922 | ;; |
| 923 | esac |
| 924 | |
| 925 | + case "$hw_offload" in |
| 926 | + yes|no|auto|"") |
| 927 | + ;; |
| 928 | + *) |
| 929 | + fatal "hw_offload value $hw_offload invalid" |
| 930 | + hw_offload="" |
| 931 | + ;; |
| 932 | + esac |
| 933 | + |
| 934 | [ -n "$local_nat" ] && local_subnet="$local_nat" |
| 935 | |
| 936 | - swanctl_xappend3 "$config_name {" |
| 937 | + swanctl_xappend3 "$conf {" |
| 938 | |
| 939 | [ -n "$local_subnet" ] && swanctl_xappend4 "local_ts = $local_subnet" |
| 940 | [ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet" |
| 941 | - [ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; } |
| 942 | + |
| 943 | + [ -n "$hw_offload" ] && swanctl_xappend4 "hw_offload = $hw_offload" |
| 944 | + [ $ipcomp -eq 1 ] && swanctl_xappend4 "ipcomp = 1" |
| 945 | + [ -n "$interface" ] && swanctl_xappend4 "interface = $interface" |
| 946 | + [ -n "$priority" ] && swanctl_xappend4 "priority = $priority" |
| 947 | + [ -n "$if_id" ] && swanctl_xappend4 "if_id_in = $if_id" "if_id_out = $if_id" |
| 948 | [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction" |
| 949 | [ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4 "close_action = $closeaction" |
| 950 | swanctl_xappend4 "esp_proposals = $esp_proposal" |
| 951 | @@ -301,6 +354,19 @@ config_conn() { |
| 952 | swanctl_xappend4 "life_time = $(seconds2time $(((110 * $(time2seconds $rekeytime)) / 100)))" |
| 953 | fi |
| 954 | [ -n "$rekeytime" ] && swanctl_xappend4 "rekey_time = $rekeytime" |
| 955 | + if [ -n "$lifebytes" ]; then |
| 956 | + swanctl_xappend4 "life_bytes = $lifebytes" |
| 957 | + elif [ -n "$rekeybytes" ]; then |
| 958 | + swanctl_xappend4 "life_bytes = $(((110 * rekeybytes) / 100))" |
| 959 | + fi |
| 960 | + [ -n "$rekeybytes" ] && swanctl_xappend4 "rekey_bytes = $rekeybytes" |
| 961 | + if [ -n "$lifepackets" ]; then |
| 962 | + swanctl_xappend4 "life_packets = $lifepackets" |
| 963 | + elif [ -n "$rekeypackets" ]; then |
| 964 | + swanctl_xappend4 "life_packets = $(((110 * rekeypackets) / 100))" |
| 965 | + fi |
| 966 | + [ -n "$rekeypackets" ] && swanctl_xappend4 "rekey_packets = $rekeypackets" |
| 967 | + [ -n "$inactivity" ] && swanctl_xappend4 "inactivity = $inactivity" |
| 968 | |
| 969 | [ -n "$updown" ] && swanctl_xappend4 "updown = $updown" |
| 970 | [ -n "$dpdaction" ] && swanctl_xappend4 "dpd_action = $dpdaction" |
| 971 | @@ -309,21 +375,56 @@ config_conn() { |
| 972 | } |
| 973 | |
| 974 | config_tunnel() { |
| 975 | - config_conn "$1" "tunnel" |
| 976 | + config_child "$1" "tunnel" |
| 977 | } |
| 978 | |
| 979 | config_transport() { |
| 980 | - config_conn "$1" "transport" |
| 981 | + config_child "$1" "transport" |
| 982 | +} |
| 983 | + |
| 984 | +config_pool() { |
| 985 | + local conf="$1" |
| 986 | + |
| 987 | + local addrs |
| 988 | + local dns |
| 989 | + local nbns |
| 990 | + local dhcp |
| 991 | + local netmask |
| 992 | + local server |
| 993 | + local subnet |
| 994 | + local split_include |
| 995 | + local split_exclude |
| 996 | + |
| 997 | + config_get addrs "$conf" addrs |
| 998 | + config_list_foreach "$conf" dns append_var dns "," |
| 999 | + config_list_foreach "$conf" nbns append_var nbns "," |
| 1000 | + config_list_foreach "$conf" dhcp append_var dhcp "," |
| 1001 | + config_list_foreach "$conf" netmask append_var netmask "," |
| 1002 | + config_list_foreach "$conf" server append_var server "," |
| 1003 | + config_list_foreach "$conf" subnet append_var subnet "," |
| 1004 | + config_list_foreach "$conf" split_include append_var split_include "," |
| 1005 | + config_list_foreach "$conf" split_exclude append_var split_exclude "," |
| 1006 | + |
| 1007 | + swanctl_xappend1 "$conf {" |
| 1008 | + [ -n "$addrs" ] && swanctl_xappend2 "addrs = $addrs" |
| 1009 | + [ -n "$dns" ] && swanctl_xappend2 "dns = $dns" |
| 1010 | + [ -n "$nbns" ] && swanctl_xappend2 "nbns = $nbns" |
| 1011 | + [ -n "$dhcp" ] && swanctl_xappend2 "dhcp = $dhcp" |
| 1012 | + [ -n "$netmask" ] && swanctl_xappend2 "netmask = $netmask" |
| 1013 | + [ -n "$server" ] && swanctl_xappend2 "server = $server" |
| 1014 | + [ -n "$subnet" ] && swanctl_xappend2 "subnet = $subnet" |
| 1015 | + [ -n "$split_include" ] && swanctl_xappend2 "split_include = $split_include" |
| 1016 | + [ -n "$split_exclude" ] && swanctl_xappend2 "split_exclude = $split_exclude" |
| 1017 | + swanctl_xappend1 "}" |
| 1018 | } |
| 1019 | |
| 1020 | config_remote() { |
| 1021 | - local config_name="$1" |
| 1022 | + local conf="$1" |
| 1023 | |
| 1024 | local enabled |
| 1025 | local gateway |
| 1026 | - local local_gateway |
| 1027 | local local_sourceip |
| 1028 | - local local_leftip |
| 1029 | + local local_ip |
| 1030 | local remote_gateway |
| 1031 | local pre_shared_key |
| 1032 | local auth_method |
| 1033 | @@ -331,38 +432,39 @@ config_remote() { |
| 1034 | local dpddelay |
| 1035 | local inactivity |
| 1036 | local keyexchange |
| 1037 | - local reqid |
| 1038 | - local packet_marker |
| 1039 | local fragmentation |
| 1040 | local mobike |
| 1041 | local local_cert |
| 1042 | local local_key |
| 1043 | local ca_cert |
| 1044 | local rekeytime |
| 1045 | + local remote_ca_certs |
| 1046 | + local pools |
| 1047 | |
| 1048 | - config_get_bool enabled "$1" enabled 0 |
| 1049 | + config_get_bool enabled "$conf" enabled 0 |
| 1050 | [ $enabled -eq 0 ] && return |
| 1051 | |
| 1052 | - config_get gateway "$1" gateway |
| 1053 | - config_get pre_shared_key "$1" pre_shared_key |
| 1054 | - config_get auth_method "$1" authentication_method |
| 1055 | - config_get local_identifier "$1" local_identifier "" |
| 1056 | - config_get remote_identifier "$1" remote_identifier "" |
| 1057 | - config_get local_sourceip "$1" local_sourceip "" |
| 1058 | - config_get local_leftip "$1" local_leftip "%any" |
| 1059 | - config_get keyingtries "$1" keyingtries "3" |
| 1060 | - config_get dpddelay "$1" dpddelay "30s" |
| 1061 | - config_get inactivity "$1" inactivity |
| 1062 | - config_get keyexchange "$1" keyexchange "ikev2" |
| 1063 | - config_get reqid "$1" reqid |
| 1064 | - config_get packet_marker "$1" packet_marker |
| 1065 | - config_get fragmentation "$1" fragmentation "yes" |
| 1066 | - config_get_bool mobike "$1" mobike 1 |
| 1067 | - config_get local_cert "$1" local_cert "" |
| 1068 | - config_get local_key "$1" local_key "" |
| 1069 | - config_get ca_cert "$1" ca_cert "" |
| 1070 | - config_get rekeytime "$1" rekeytime |
| 1071 | - config_get overtime "$1" overtime |
| 1072 | + config_get gateway "$conf" gateway |
| 1073 | + config_get pre_shared_key "$conf" pre_shared_key |
| 1074 | + config_get auth_method "$conf" authentication_method |
| 1075 | + config_get local_identifier "$conf" local_identifier "" |
| 1076 | + config_get remote_identifier "$conf" remote_identifier "" |
| 1077 | + config_get local_ip "$conf" local_ip "%any" |
| 1078 | + config_get keyingtries "$conf" keyingtries "3" |
| 1079 | + config_get dpddelay "$conf" dpddelay "30s" |
| 1080 | + config_get inactivity "$conf" inactivity |
| 1081 | + config_get keyexchange "$conf" keyexchange "ikev2" |
| 1082 | + config_get fragmentation "$conf" fragmentation "yes" |
| 1083 | + config_get_bool mobike "$conf" mobike 1 |
| 1084 | + config_get local_cert "$conf" local_cert "" |
| 1085 | + config_get local_key "$conf" local_key "" |
| 1086 | + config_get ca_cert "$conf" ca_cert "" |
| 1087 | + config_get rekeytime "$conf" rekeytime |
| 1088 | + config_get overtime "$conf" overtime |
| 1089 | + |
| 1090 | + config_list_foreach "$conf" local_sourceip append_var local_sourceip "," |
| 1091 | + config_list_foreach "$conf" remote_ca_certs append_var remote_ca_certs "," |
| 1092 | + config_list_foreach "$conf" pools append_var pools "," |
| 1093 | |
| 1094 | case "$fragmentation" in |
| 1095 | 0) |
| 1096 | @@ -373,50 +475,70 @@ config_remote() { |
| 1097 | # already using new syntax |
| 1098 | ;; |
| 1099 | *) |
| 1100 | - warning "Fragmentation $fragmentation not supported" |
| 1101 | + fatal "Fragmentation $fragmentation not supported" |
| 1102 | fragmentation= |
| 1103 | ;; |
| 1104 | esac |
| 1105 | |
| 1106 | [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway" |
| 1107 | |
| 1108 | - [ -z "$local_gateway" ] && { |
| 1109 | - local ipdest |
| 1110 | + if [ -n "$local_key" ]; then |
| 1111 | + [ "$(dirname "$local_key")" != "." ] && \ |
| 1112 | + fatal "local_key $local_key can't be pathname" |
| 1113 | + [ -f "/etc/swanctl/private/$local_key" ] || \ |
| 1114 | + fatal "local_key $local_key not found" |
| 1115 | + fi |
| 1116 | + |
| 1117 | + local ike_proposal |
| 1118 | + iter_ike_proposal "$conf" ike_proposal |
| 1119 | |
| 1120 | - [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway" |
| 1121 | - local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'` |
| 1122 | - } |
| 1123 | + [ -n "$firewall" ] && fatal "Firewall not supported" |
| 1124 | |
| 1125 | - local ike_proposal="$(parse_ike_proposal "$1")" |
| 1126 | + if [ "$auth_method" = pubkey ]; then |
| 1127 | + if [ -n "$ca_cert" ]; then |
| 1128 | + [ "$(dirname "$ca_cert")" != "." ] && \ |
| 1129 | + fatal "ca_cert $ca_cert can't be pathname" |
| 1130 | + [ -f "/etc/swanctl/x509ca/$ca_cert" ] || \ |
| 1131 | + fatal "ca_cert $ca_cert not found" |
| 1132 | + fi |
| 1133 | |
| 1134 | - [ -n "$firewall" ] && warning "Firewall not supported" |
| 1135 | + if [ -n "$local_cert" ]; then |
| 1136 | + [ "$(dirname "$local_cert")" != "." ] && \ |
| 1137 | + fatal "local_cert $local_cert can't be pathname" |
| 1138 | + [ -f "/etc/swanctl/x509/$local_cert" ] || \ |
| 1139 | + fatal "local_cert $local_cert not found" |
| 1140 | + fi |
| 1141 | + fi |
| 1142 | |
| 1143 | - swanctl_xappend0 "# config for $config_name" |
| 1144 | + swanctl_xappend0 "# config for $conf" |
| 1145 | swanctl_xappend0 "connections {" |
| 1146 | - swanctl_xappend1 "$config_name {" |
| 1147 | - swanctl_xappend2 "local_addrs = $local_leftip" |
| 1148 | + swanctl_xappend1 "$conf {" |
| 1149 | + swanctl_xappend2 "local_addrs = $local_ip" |
| 1150 | swanctl_xappend2 "remote_addrs = $remote_gateway" |
| 1151 | |
| 1152 | [ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip" |
| 1153 | [ -n "$fragmentation" ] && swanctl_xappend2 "fragmentation = $fragmentation" |
| 1154 | + [ -n "$pools" ] && swanctl_xappend2 "pools = $pools" |
| 1155 | |
| 1156 | swanctl_xappend2 "local {" |
| 1157 | swanctl_xappend3 "auth = $auth_method" |
| 1158 | |
| 1159 | [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\"" |
| 1160 | - [ "$auth_method" = pubkey ] && swanctl_xappend3 "certs = $local_cert" |
| 1161 | + [ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \ |
| 1162 | + swanctl_xappend3 "certs = $local_cert" |
| 1163 | swanctl_xappend2 "}" |
| 1164 | |
| 1165 | swanctl_xappend2 "remote {" |
| 1166 | swanctl_xappend3 "auth = $auth_method" |
| 1167 | [ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\"" |
| 1168 | + [ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\"" |
| 1169 | swanctl_xappend2 "}" |
| 1170 | |
| 1171 | swanctl_xappend2 "children {" |
| 1172 | |
| 1173 | - config_list_foreach "$1" tunnel config_tunnel |
| 1174 | + config_list_foreach "$conf" tunnel config_tunnel |
| 1175 | |
| 1176 | - config_list_foreach "$1" transport config_transport |
| 1177 | + config_list_foreach "$conf" transport config_transport |
| 1178 | |
| 1179 | swanctl_xappend2 "}" |
| 1180 | |
| 1181 | @@ -428,7 +550,7 @@ config_remote() { |
| 1182 | ikev2) |
| 1183 | swanctl_xappend2 "version = 2" ;; |
| 1184 | *) |
| 1185 | - warning "Keyexchange $keyexchange not supported" |
| 1186 | + fatal "Keyexchange $keyexchange not supported" |
| 1187 | keyexchange= |
| 1188 | ;; |
| 1189 | esac |
| 1190 | @@ -454,17 +576,9 @@ config_remote() { |
| 1191 | if [ "$auth_method" = pubkey ]; then |
| 1192 | swanctl_xappend0 "" |
| 1193 | |
| 1194 | - swanctl_xappend0 "secrets {" |
| 1195 | - swanctl_xappend1 "rsa {" |
| 1196 | - swanctl_xappend2 "filename = $local_key" |
| 1197 | - swanctl_xappend1 "}" |
| 1198 | - swanctl_xappend0 "}" |
| 1199 | - |
| 1200 | - swanctl_xappend0 "" |
| 1201 | - |
| 1202 | if [ -n "$ca_cert" ]; then |
| 1203 | swanctl_xappend0 "authorities {" |
| 1204 | - swanctl_xappend1 "$config_name {" |
| 1205 | + swanctl_xappend1 "$conf {" |
| 1206 | swanctl_xappend2 "cacert = $ca_cert" |
| 1207 | swanctl_xappend1 "}" |
| 1208 | swanctl_xappend0 "}" |
| 1209 | @@ -474,18 +588,24 @@ config_remote() { |
| 1210 | swanctl_xappend0 "" |
| 1211 | |
| 1212 | swanctl_xappend0 "secrets {" |
| 1213 | - swanctl_xappend1 "ike {" |
| 1214 | + swanctl_xappend1 "ike-$conf {" |
| 1215 | swanctl_xappend2 "secret = $pre_shared_key" |
| 1216 | - if [ -z "$local_id" ]; then |
| 1217 | - swanctl_xappend2 "id1 = $local_id" |
| 1218 | - if [ -z "$remote_id" ]; then |
| 1219 | - swanctl_xappend2 "id2 = $remote_id" |
| 1220 | + if [ -n "$local_identifier" ]; then |
| 1221 | + swanctl_xappend2 "id1 = $local_identifier" |
| 1222 | + if [ -n "$remote_identifier" ]; then |
| 1223 | + swanctl_xappend2 "id2 = $remote_identifier" |
| 1224 | fi |
| 1225 | fi |
| 1226 | + swanctl_xappend1 "}" |
| 1227 | + swanctl_xappend0 "}" |
| 1228 | else |
| 1229 | - warning "AuthenticationMode $auth_mode not supported" |
| 1230 | + fatal "AuthenticationMode $auth_mode not supported" |
| 1231 | fi |
| 1232 | |
| 1233 | + swanctl_xappend0 "pools {" |
| 1234 | + config_list_foreach "$conf" pools config_pool |
| 1235 | + swanctl_xappend0 "}" |
| 1236 | + |
| 1237 | swanctl_xappend0 "" |
| 1238 | } |
| 1239 | |
| 1240 | @@ -494,24 +614,20 @@ do_preamble() { |
| 1241 | } |
| 1242 | |
| 1243 | config_ipsec() { |
| 1244 | - local debug |
| 1245 | + local conf="$1" |
| 1246 | + |
| 1247 | local rtinstall_enabled |
| 1248 | - local routing_tables_ignored |
| 1249 | local routing_table |
| 1250 | local routing_table_id |
| 1251 | local interface |
| 1252 | - local device_list |
| 1253 | - |
| 1254 | - swan_reset |
| 1255 | - swanctl_reset |
| 1256 | - do_preamble |
| 1257 | + local interface_list |
| 1258 | |
| 1259 | - config_get debug "$1" debug 0 |
| 1260 | - config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1 |
| 1261 | + config_get debug "$conf" debug 0 |
| 1262 | + config_get_bool rtinstall_enabled "$conf" rtinstall_enabled 1 |
| 1263 | [ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no |
| 1264 | |
| 1265 | # prepare extra charon config option ignore_routing_tables |
| 1266 | - for routing_table in $(config_get "$1" "ignore_routing_tables"); do |
| 1267 | + for routing_table in $(config_get "$conf" "ignore_routing_tables"); do |
| 1268 | if [ "$routing_table" -ge 0 ] 2>/dev/null; then |
| 1269 | routing_table_id=$routing_table |
| 1270 | else |
| 1271 | @@ -521,7 +637,8 @@ config_ipsec() { |
| 1272 | [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id" |
| 1273 | done |
| 1274 | |
| 1275 | - local interface_list=$(config_get "$1" "interface") |
| 1276 | + config_list_foreach "$conf" interface append_var interface_list |
| 1277 | + |
| 1278 | if [ -z "$interface_list" ]; then |
| 1279 | WAIT_FOR_INTF=0 |
| 1280 | else |
| 1281 | @@ -531,7 +648,9 @@ config_ipsec() { |
| 1282 | done |
| 1283 | [ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1 |
| 1284 | fi |
| 1285 | +} |
| 1286 | |
| 1287 | +do_postamble() { |
| 1288 | swan_xappend0 "# generated by /etc/init.d/swanctl" |
| 1289 | swan_xappend0 "charon {" |
| 1290 | swan_xappend1 "install_routes = $install_routes" |
| 1291 | @@ -551,9 +670,19 @@ config_ipsec() { |
| 1292 | |
| 1293 | prepare_env() { |
| 1294 | mkdir -p /var/ipsec /var/swanctl |
| 1295 | + |
| 1296 | + swan_reset |
| 1297 | + swanctl_reset |
| 1298 | + do_preamble |
| 1299 | + |
| 1300 | + # needed by do_postamble |
| 1301 | + local debug install_routes routing_tables_ignored device_list |
| 1302 | + |
| 1303 | config_load ipsec |
| 1304 | config_foreach config_ipsec ipsec |
| 1305 | config_foreach config_remote remote |
| 1306 | + |
| 1307 | + do_postamble |
| 1308 | } |
| 1309 | |
| 1310 | service_running() { |
| 1311 | @@ -587,9 +716,14 @@ start_service() { |
| 1312 | |
| 1313 | [ $WAIT_FOR_INTF -eq 1 ] && return |
| 1314 | |
| 1315 | + if [ $CONFIG_FAIL -ne 0 ]; then |
| 1316 | + procd_set_param error "Invalid configuration" |
| 1317 | + return |
| 1318 | + fi |
| 1319 | + |
| 1320 | procd_open_instance |
| 1321 | |
| 1322 | - procd_set_param command $PROG --daemon charon --nofork |
| 1323 | + procd_set_param command $PROG |
| 1324 | |
| 1325 | procd_set_param file $SWANCTL_CONF_FILE |
| 1326 | procd_append_param file /etc/swanctl/conf.d/*.conf |
| 1327 | --- /dev/null |
| 1328 | +++ b/feeds/packages/net/strongswan/patches/0900-src-Patch-for-building-with-musl-on-openwrt-taken-ve.patch |
| 1329 | @@ -0,0 +1,110 @@ |
| 1330 | +From 27a54379cf3c48ff63c02a4a9f023297bba60d45 Mon Sep 17 00:00:00 2001 |
| 1331 | +From: Noel Kuntze <noel.kuntze@thermi.consulting> |
| 1332 | +Date: Mon, 12 Jul 2021 01:29:43 +0200 |
| 1333 | +Subject: [PATCH 900/904] src: Patch for building with musl on openwrt (taken |
| 1334 | + verbatim from openwrt package sources) |
| 1335 | + |
| 1336 | +--- |
| 1337 | + .../kernel_netlink/kernel_netlink_ipsec.c | 1 + |
| 1338 | + .../kernel_netlink/kernel_netlink_net.c | 2 + |
| 1339 | + .../kernel_netlink/kernel_netlink_shared.c | 2 + |
| 1340 | + src/libstrongswan/library.h | 1 + |
| 1341 | + src/libstrongswan/musl.h | 38 +++++++++++++++++++ |
| 1342 | + .../plugins/bliss/bliss_huffman.c | 2 + |
| 1343 | + 6 files changed, 46 insertions(+) |
| 1344 | + create mode 100644 src/libstrongswan/musl.h |
| 1345 | + |
| 1346 | +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c |
| 1347 | ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c |
| 1348 | +@@ -41,6 +41,7 @@ |
| 1349 | + */ |
| 1350 | + |
| 1351 | + #define _GNU_SOURCE |
| 1352 | ++#include <musl.h> |
| 1353 | + #include <sys/types.h> |
| 1354 | + #include <sys/socket.h> |
| 1355 | + #include <sys/ioctl.h> |
| 1356 | +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c |
| 1357 | ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c |
| 1358 | +@@ -37,6 +37,8 @@ |
| 1359 | + * THE SOFTWARE. |
| 1360 | + */ |
| 1361 | + |
| 1362 | ++#include "musl.h" |
| 1363 | ++ |
| 1364 | + #include <sys/socket.h> |
| 1365 | + #include <sys/utsname.h> |
| 1366 | + #include <linux/netlink.h> |
| 1367 | +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c |
| 1368 | ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c |
| 1369 | +@@ -37,6 +37,8 @@ |
| 1370 | + * THE SOFTWARE. |
| 1371 | + */ |
| 1372 | + |
| 1373 | ++#include "musl.h" |
| 1374 | ++ |
| 1375 | + #include <sys/socket.h> |
| 1376 | + #include <linux/netlink.h> |
| 1377 | + #include <linux/rtnetlink.h> |
| 1378 | +--- a/src/libstrongswan/library.h |
| 1379 | ++++ b/src/libstrongswan/library.h |
| 1380 | +@@ -120,6 +120,7 @@ |
| 1381 | + #include "utils/leak_detective.h" |
| 1382 | + #include "plugins/plugin_loader.h" |
| 1383 | + #include "settings/settings.h" |
| 1384 | ++#include "musl.h" |
| 1385 | + |
| 1386 | + typedef struct library_t library_t; |
| 1387 | + |
| 1388 | +--- /dev/null |
| 1389 | ++++ b/src/libstrongswan/musl.h |
| 1390 | +@@ -0,0 +1,38 @@ |
| 1391 | ++#include <sys/types.h> |
| 1392 | ++ |
| 1393 | ++#define crypt x_crypt |
| 1394 | ++#define encrypt x_encrypt |
| 1395 | ++#include <unistd.h> |
| 1396 | ++ |
| 1397 | ++#define fd_set x_fd_set |
| 1398 | ++#define ino_t x_ino_t |
| 1399 | ++#define off_t x_off_t |
| 1400 | ++#define loff_t x_loff_t |
| 1401 | ++#define dev_t x_dev_t |
| 1402 | ++#define mode_t x_mode_t |
| 1403 | ++#define uid_t x_uid_t |
| 1404 | ++#define gid_t x_gid_t |
| 1405 | ++#define uint64_t x_uint64_t |
| 1406 | ++#define u_int64_t x_u_int64_t |
| 1407 | ++#define int64_t x_int64_t |
| 1408 | ++#define nlink_t x_nlink_t |
| 1409 | ++#define timer_t x_timer_t |
| 1410 | ++#define blkcnt_t x_blkcnt_t |
| 1411 | ++ |
| 1412 | ++#include <linux/types.h> |
| 1413 | ++ |
| 1414 | ++#undef fd_set |
| 1415 | ++#undef ino_t |
| 1416 | ++#undef off_t |
| 1417 | ++#undef dev_t |
| 1418 | ++#undef mode_t |
| 1419 | ++#undef uid_t |
| 1420 | ++#undef gid_t |
| 1421 | ++#undef uint64_t |
| 1422 | ++#undef u_int64_t |
| 1423 | ++#undef int64_t |
| 1424 | ++#undef nlink_t |
| 1425 | ++#undef timer_t |
| 1426 | ++#undef blkcnt_t |
| 1427 | ++#undef crypt |
| 1428 | ++#undef encrypt |
| 1429 | +--- a/src/libstrongswan/plugins/bliss/bliss_huffman.c |
| 1430 | ++++ b/src/libstrongswan/plugins/bliss/bliss_huffman.c |
| 1431 | +@@ -18,6 +18,8 @@ |
| 1432 | + #include "bliss_param_set.h" |
| 1433 | + |
| 1434 | + #include <library.h> |
| 1435 | ++#undef fprintf |
| 1436 | ++#undef printf |
| 1437 | + |
| 1438 | + #include <stdio.h> |
| 1439 | + #include <math.h> |
| 1440 | --- /dev/null |
| 1441 | +++ b/feeds/packages/net/strongswan/patches/0901-uci-verbatim-patch-from-openwrt-package-sources.patch |
| 1442 | @@ -0,0 +1,29 @@ |
| 1443 | +From 81be4fa54760aa4fed53c6d93da443f57a66f262 Mon Sep 17 00:00:00 2001 |
| 1444 | +From: Noel Kuntze <noel.kuntze@thermi.consulting> |
| 1445 | +Date: Mon, 12 Jul 2021 01:30:32 +0200 |
| 1446 | +Subject: [PATCH 901/904] uci: verbatim patch from openwrt package sources |
| 1447 | + |
| 1448 | +--- |
| 1449 | + src/libcharon/plugins/uci/uci_parser.c | 4 ++-- |
| 1450 | + 1 file changed, 2 insertions(+), 2 deletions(-) |
| 1451 | + |
| 1452 | +--- a/src/libcharon/plugins/uci/uci_parser.c |
| 1453 | ++++ b/src/libcharon/plugins/uci/uci_parser.c |
| 1454 | +@@ -76,7 +76,7 @@ METHOD(enumerator_t, section_enumerator_ |
| 1455 | + if (uci_lookup(this->ctx, &element, this->package, |
| 1456 | + this->current->name, "name") == UCI_OK) |
| 1457 | + { /* use "name" attribute as config name if available ... */ |
| 1458 | +- *value = uci_to_option(element)->value; |
| 1459 | ++ *value = uci_to_option(element)->v.string; |
| 1460 | + } |
| 1461 | + else |
| 1462 | + { /* ... or the section name becomes config name */ |
| 1463 | +@@ -91,7 +91,7 @@ METHOD(enumerator_t, section_enumerator_ |
| 1464 | + if (value && uci_lookup(this->ctx, &element, this->package, |
| 1465 | + this->current->name, this->keywords[i]) == UCI_OK) |
| 1466 | + { |
| 1467 | +- *value = uci_to_option(element)->value; |
| 1468 | ++ *value = uci_to_option(element)->v.string; |
| 1469 | + } |
| 1470 | + } |
| 1471 | + |
| 1472 | --- /dev/null |
| 1473 | +++ b/feeds/packages/net/strongswan/patches/0902-ipsec-Patch-ipsec-script-to-work-with-musl-sleep-.-P.patch |
| 1474 | @@ -0,0 +1,21 @@ |
| 1475 | +From d71ec4f26a1334e78a38fa44a1271c52a029e3b4 Mon Sep 17 00:00:00 2001 |
| 1476 | +From: Noel Kuntze <noel.kuntze@thermi.consulting> |
| 1477 | +Date: Mon, 12 Jul 2021 01:31:36 +0200 |
| 1478 | +Subject: [PATCH 902/904] ipsec: Patch `ipsec` script to work with musl |
| 1479 | + `sleep`. Patch taken verbatim from openwrt package sources. |
| 1480 | + |
| 1481 | +--- |
| 1482 | + src/ipsec/_ipsec.in | 2 +- |
| 1483 | + 1 file changed, 1 insertion(+), 1 deletion(-) |
| 1484 | + |
| 1485 | +--- a/src/ipsec/_ipsec.in |
| 1486 | ++++ b/src/ipsec/_ipsec.in |
| 1487 | +@@ -257,7 +257,7 @@ stop) |
| 1488 | + loop=110 |
| 1489 | + while [ $loop -gt 0 ] ; do |
| 1490 | + kill -0 $spid 2>/dev/null || break |
| 1491 | +- sleep 0.1 2>/dev/null |
| 1492 | ++ sleep 1 2>/dev/null |
| 1493 | + if [ $? -ne 0 ] |
| 1494 | + then |
| 1495 | + sleep 1 |
| 1496 | --- /dev/null |
| 1497 | +++ b/feeds/packages/net/strongswan/patches/0903-updown-Call-sbin-hotplug-call-ipsec-1-in-updown-scri.patch |
| 1498 | @@ -0,0 +1,26 @@ |
| 1499 | +From c779da992bdd440e336383da0eb75ef3a2ea6cde Mon Sep 17 00:00:00 2001 |
| 1500 | +From: Noel Kuntze <noel.kuntze@thermi.consulting> |
| 1501 | +Date: Mon, 12 Jul 2021 01:32:20 +0200 |
| 1502 | +Subject: [PATCH 903/904] updown: Call /sbin/hotplug-call ipsec "$1" in updown |
| 1503 | + script. Patch taken verbatim from openwrt package sources. |
| 1504 | + |
| 1505 | +--- |
| 1506 | + src/_updown/_updown.in | 7 +++++++ |
| 1507 | + 1 file changed, 7 insertions(+) |
| 1508 | + |
| 1509 | +--- a/src/_updown/_updown.in |
| 1510 | ++++ b/src/_updown/_updown.in |
| 1511 | +@@ -22,6 +22,13 @@ |
| 1512 | + # that, and use the (left/right)updown parameters in ipsec.conf to make |
| 1513 | + # strongSwan use yours instead of this default one. |
| 1514 | + |
| 1515 | ++# Add your custom commands to the file "/etc/ipsec.user". Other packages could |
| 1516 | ++# also install their scripts in the directory "/etc/hotplug.d/ipsec". |
| 1517 | ++# This files/scripts are executed by the openwrt hotplug functionality on |
| 1518 | ++# ipsec events. |
| 1519 | ++ |
| 1520 | ++/sbin/hotplug-call ipsec "$1" |
| 1521 | ++ |
| 1522 | + # PLUTO_VERSION |
| 1523 | + # indicates what version of this interface is being |
| 1524 | + # used. This document describes version 1.1. This |
| 1525 | --- /dev/null |
| 1526 | +++ b/feeds/packages/net/strongswan/patches/0904-gmpdh-Plugin-that-implements-gmp-DH-functions-in-an-.patch |
| 1527 | @@ -0,0 +1,239 @@ |
| 1528 | +From 9f60c2ea6394facac55b90ef66466e1b9edef2a9 Mon Sep 17 00:00:00 2001 |
| 1529 | +From: Noel Kuntze <noel.kuntze@thermi.consulting> |
| 1530 | +Date: Mon, 12 Jul 2021 01:34:23 +0200 |
| 1531 | +Subject: [PATCH 904/904] gmpdh: Plugin that implements gmp DH functions in an |
| 1532 | + extra plugin. Links and uses gmp plugin source and header files. Patch taken |
| 1533 | + verbatim from openwrt package sources. |
| 1534 | + |
| 1535 | +--- |
| 1536 | + configure.ac | 4 + |
| 1537 | + src/libstrongswan/Makefile.am | 7 ++ |
| 1538 | + src/libstrongswan/plugins/gmpdh/Makefile.am | 19 ++++ |
| 1539 | + .../plugins/gmpdh/gmpdh_plugin.c | 101 ++++++++++++++++++ |
| 1540 | + .../plugins/gmpdh/gmpdh_plugin.h | 42 ++++++++ |
| 1541 | + 5 files changed, 173 insertions(+) |
| 1542 | + create mode 100644 src/libstrongswan/plugins/gmpdh/Makefile.am |
| 1543 | + create mode 100644 src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c |
| 1544 | + create mode 100644 src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h |
| 1545 | + |
| 1546 | +--- a/configure.ac |
| 1547 | ++++ b/configure.ac |
| 1548 | +@@ -147,6 +147,7 @@ ARG_DISBL_SET([fips-prf], [disable |
| 1549 | + ARG_DISBL_SET([gcm], [disable the GCM AEAD wrapper crypto plugin.]) |
| 1550 | + ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.]) |
| 1551 | + ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.]) |
| 1552 | ++ARG_DISBL_SET([gmpdh], [disable GNU MP (libgmp) based static-linked crypto DH minimal implementation plugin.]) |
| 1553 | + ARG_DISBL_SET([curve25519], [disable Curve25519 Diffie-Hellman plugin.]) |
| 1554 | + ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) |
| 1555 | + ARG_DISBL_SET([kdf], [disable KDF (prf+) implementation plugin.]) |
| 1556 | +@@ -1565,6 +1566,7 @@ ADD_PLUGIN([pkcs8], [s ch |
| 1557 | + ADD_PLUGIN([af-alg], [s charon pki scripts medsrv attest nm cmd aikgen]) |
| 1558 | + ADD_PLUGIN([fips-prf], [s charon nm cmd]) |
| 1559 | + ADD_PLUGIN([gmp], [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz]) |
| 1560 | ++ADD_PLUGIN([gmpdh], [s charon pki scripts manager medsrv attest nm cmd aikgen]) |
| 1561 | + ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd]) |
| 1562 | + ADD_PLUGIN([agent], [s charon nm cmd]) |
| 1563 | + ADD_PLUGIN([keychain], [s charon cmd]) |
| 1564 | +@@ -1706,6 +1708,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x |
| 1565 | + AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue) |
| 1566 | + AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) |
| 1567 | + AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) |
| 1568 | ++AM_CONDITIONAL(USE_GMPDH, test x$gmpdh = xtrue) |
| 1569 | + AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue) |
| 1570 | + AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) |
| 1571 | + AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue) |
| 1572 | +@@ -1983,6 +1986,7 @@ AC_CONFIG_FILES([ |
| 1573 | + src/libstrongswan/plugins/mgf1/Makefile |
| 1574 | + src/libstrongswan/plugins/fips_prf/Makefile |
| 1575 | + src/libstrongswan/plugins/gmp/Makefile |
| 1576 | ++ src/libstrongswan/plugins/gmpdh/Makefile |
| 1577 | + src/libstrongswan/plugins/curve25519/Makefile |
| 1578 | + src/libstrongswan/plugins/rdrand/Makefile |
| 1579 | + src/libstrongswan/plugins/aesni/Makefile |
| 1580 | +--- a/src/libstrongswan/Makefile.am |
| 1581 | ++++ b/src/libstrongswan/Makefile.am |
| 1582 | +@@ -353,6 +353,13 @@ if MONOLITHIC |
| 1583 | + endif |
| 1584 | + endif |
| 1585 | + |
| 1586 | ++if USE_GMPDH |
| 1587 | ++ SUBDIRS += plugins/gmpdh |
| 1588 | ++if MONOLITHIC |
| 1589 | ++ libstrongswan_la_LIBADD += plugins/gmpdh/libstrongswan-gmpdh.la |
| 1590 | ++endif |
| 1591 | ++endif |
| 1592 | ++ |
| 1593 | + if USE_CURVE25519 |
| 1594 | + SUBDIRS += plugins/curve25519 |
| 1595 | + if MONOLITHIC |
| 1596 | +--- /dev/null |
| 1597 | ++++ b/src/libstrongswan/plugins/gmpdh/Makefile.am |
| 1598 | +@@ -0,0 +1,19 @@ |
| 1599 | ++AM_CPPFLAGS = \ |
| 1600 | ++ -I$(top_srcdir)/src/libstrongswan |
| 1601 | ++ |
| 1602 | ++AM_CFLAGS = \ |
| 1603 | ++ $(PLUGIN_CFLAGS) |
| 1604 | ++ |
| 1605 | ++if MONOLITHIC |
| 1606 | ++noinst_LTLIBRARIES = libstrongswan-gmpdh.la |
| 1607 | ++else |
| 1608 | ++plugin_LTLIBRARIES = libstrongswan-gmpdh.la |
| 1609 | ++endif |
| 1610 | ++ |
| 1611 | ++libstrongswan_gmpdh_la_SOURCES = \ |
| 1612 | ++ gmpdh_plugin.h gmpdh_plugin.c \ |
| 1613 | ++ ../gmp/gmp_diffie_hellman.c ../gmp/gmp_diffie_hellman.h |
| 1614 | ++ |
| 1615 | ++ |
| 1616 | ++libstrongswan_gmpdh_la_LDFLAGS = -module -avoid-version -Wl,-Bstatic -Wl,-lgmp -Wl,-Bdynamic -Wl,--as-needed $(FPIC) |
| 1617 | ++libstrongswan_gmpdh_la_LIBADD = |
| 1618 | +--- /dev/null |
| 1619 | ++++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c |
| 1620 | +@@ -0,0 +1,101 @@ |
| 1621 | ++/* |
| 1622 | ++ * Copyright (C) 2008-2009 Martin Willi |
| 1623 | ++ * Hochschule fuer Technik Rapperswil |
| 1624 | ++ * |
| 1625 | ++ * This program is free software; you can redistribute it and/or modify it |
| 1626 | ++ * under the terms of the GNU General Public License as published by the |
| 1627 | ++ * Free Software Foundation; either version 2 of the License, or (at your |
| 1628 | ++ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
| 1629 | ++ * |
| 1630 | ++ * This program is distributed in the hope that it will be useful, but |
| 1631 | ++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
| 1632 | ++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 1633 | ++ * for more details. |
| 1634 | ++ */ |
| 1635 | ++ |
| 1636 | ++#include "gmpdh_plugin.h" |
| 1637 | ++ |
| 1638 | ++#include <library.h> |
| 1639 | ++#include "../gmp/gmp_diffie_hellman.h" |
| 1640 | ++ |
| 1641 | ++typedef struct private_gmpdh_plugin_t private_gmpdh_plugin_t; |
| 1642 | ++ |
| 1643 | ++/** |
| 1644 | ++ * private data of gmp_plugin |
| 1645 | ++ */ |
| 1646 | ++struct private_gmpdh_plugin_t { |
| 1647 | ++ |
| 1648 | ++ /** |
| 1649 | ++ * public functions |
| 1650 | ++ */ |
| 1651 | ++ gmpdh_plugin_t public; |
| 1652 | ++}; |
| 1653 | ++ |
| 1654 | ++METHOD(plugin_t, get_name, char*, |
| 1655 | ++ private_gmpdh_plugin_t *this) |
| 1656 | ++{ |
| 1657 | ++ return "gmpdh"; |
| 1658 | ++} |
| 1659 | ++ |
| 1660 | ++METHOD(plugin_t, get_features, int, |
| 1661 | ++ private_gmpdh_plugin_t *this, plugin_feature_t *features[]) |
| 1662 | ++{ |
| 1663 | ++ static plugin_feature_t f[] = { |
| 1664 | ++ /* DH groups */ |
| 1665 | ++ PLUGIN_REGISTER(KE, gmp_diffie_hellman_create), |
| 1666 | ++ PLUGIN_PROVIDE(KE, MODP_2048_BIT), |
| 1667 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1668 | ++ PLUGIN_PROVIDE(KE, MODP_2048_224), |
| 1669 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1670 | ++ PLUGIN_PROVIDE(KE, MODP_2048_256), |
| 1671 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1672 | ++ PLUGIN_PROVIDE(KE, MODP_1536_BIT), |
| 1673 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1674 | ++ PLUGIN_PROVIDE(KE, MODP_3072_BIT), |
| 1675 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1676 | ++ PLUGIN_PROVIDE(KE, MODP_4096_BIT), |
| 1677 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1678 | ++ PLUGIN_PROVIDE(KE, MODP_6144_BIT), |
| 1679 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1680 | ++ PLUGIN_PROVIDE(KE, MODP_8192_BIT), |
| 1681 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1682 | ++ PLUGIN_PROVIDE(KE, MODP_1024_BIT), |
| 1683 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1684 | ++ PLUGIN_PROVIDE(KE, MODP_1024_160), |
| 1685 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1686 | ++ PLUGIN_PROVIDE(KE, MODP_768_BIT), |
| 1687 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1688 | ++ PLUGIN_REGISTER(KE, gmp_diffie_hellman_create_custom), |
| 1689 | ++ PLUGIN_PROVIDE(KE, MODP_CUSTOM), |
| 1690 | ++ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 1691 | ++ }; |
| 1692 | ++ *features = f; |
| 1693 | ++ return countof(f); |
| 1694 | ++} |
| 1695 | ++ |
| 1696 | ++METHOD(plugin_t, destroy, void, |
| 1697 | ++ private_gmpdh_plugin_t *this) |
| 1698 | ++{ |
| 1699 | ++ free(this); |
| 1700 | ++} |
| 1701 | ++ |
| 1702 | ++/* |
| 1703 | ++ * see header file |
| 1704 | ++ */ |
| 1705 | ++plugin_t *gmpdh_plugin_create() |
| 1706 | ++{ |
| 1707 | ++ private_gmpdh_plugin_t *this; |
| 1708 | ++ |
| 1709 | ++ INIT(this, |
| 1710 | ++ .public = { |
| 1711 | ++ .plugin = { |
| 1712 | ++ .get_name = _get_name, |
| 1713 | ++ .get_features = _get_features, |
| 1714 | ++ .destroy = _destroy, |
| 1715 | ++ }, |
| 1716 | ++ }, |
| 1717 | ++ ); |
| 1718 | ++ |
| 1719 | ++ return &this->public.plugin; |
| 1720 | ++} |
| 1721 | ++ |
| 1722 | +--- /dev/null |
| 1723 | ++++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h |
| 1724 | +@@ -0,0 +1,42 @@ |
| 1725 | ++/* |
| 1726 | ++ * Copyright (C) 2008 Martin Willi |
| 1727 | ++ * Hochschule fuer Technik Rapperswil |
| 1728 | ++ * |
| 1729 | ++ * This program is free software; you can redistribute it and/or modify it |
| 1730 | ++ * under the terms of the GNU General Public License as published by the |
| 1731 | ++ * Free Software Foundation; either version 2 of the License, or (at your |
| 1732 | ++ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
| 1733 | ++ * |
| 1734 | ++ * This program is distributed in the hope that it will be useful, but |
| 1735 | ++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
| 1736 | ++ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 1737 | ++ * for more details. |
| 1738 | ++ */ |
| 1739 | ++ |
| 1740 | ++/** |
| 1741 | ++ * @defgroup gmpdh_p gmpdh |
| 1742 | ++ * @ingroup plugins |
| 1743 | ++ * |
| 1744 | ++ * @defgroup gmpdh_plugin gmpdh_plugin |
| 1745 | ++ * @{ @ingroup gmpdh_p |
| 1746 | ++ */ |
| 1747 | ++ |
| 1748 | ++#ifndef GMPDH_PLUGIN_H_ |
| 1749 | ++#define GMPDH_PLUGIN_H_ |
| 1750 | ++ |
| 1751 | ++#include <plugins/plugin.h> |
| 1752 | ++ |
| 1753 | ++typedef struct gmpdh_plugin_t gmpdh_plugin_t; |
| 1754 | ++ |
| 1755 | ++/** |
| 1756 | ++ * Plugin implementing asymmetric crypto algorithms using the GNU MP library. |
| 1757 | ++ */ |
| 1758 | ++struct gmpdh_plugin_t { |
| 1759 | ++ |
| 1760 | ++ /** |
| 1761 | ++ * implements plugin interface |
| 1762 | ++ */ |
| 1763 | ++ plugin_t plugin; |
| 1764 | ++}; |
| 1765 | ++ |
| 1766 | ++#endif /** GMPDH_PLUGIN_H_ @}*/ |
| 1767 | --- /dev/null |
| 1768 | +++ b/feeds/packages/net/strongswan/patches/0905-undef-wolfssl-RNG.patch |
| 1769 | @@ -0,0 +1,12 @@ |
| 1770 | +--- a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c |
| 1771 | ++++ b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c |
| 1772 | +@@ -50,6 +50,9 @@ |
| 1773 | + #ifndef FIPS_MODE |
| 1774 | + #define FIPS_MODE 0 |
| 1775 | + #endif |
| 1776 | ++#ifdef RNG |
| 1777 | ++#undef RNG |
| 1778 | ++#endif |
| 1779 | + |
| 1780 | + typedef struct private_wolfssl_plugin_t private_wolfssl_plugin_t; |
| 1781 | + |
| 1782 | --- a/feeds/packages/net/strongswan/patches/101-musl-fixes.patch |
| 1783 | +++ /dev/null |
| 1784 | @@ -1,83 +0,0 @@ |
| 1785 | ---- a/src/libstrongswan/library.h |
| 1786 | -+++ b/src/libstrongswan/library.h |
| 1787 | -@@ -118,6 +118,7 @@ |
| 1788 | - #include "utils/leak_detective.h" |
| 1789 | - #include "plugins/plugin_loader.h" |
| 1790 | - #include "settings/settings.h" |
| 1791 | -+#include "musl.h" |
| 1792 | - |
| 1793 | - typedef struct library_t library_t; |
| 1794 | - |
| 1795 | ---- /dev/null |
| 1796 | -+++ b/src/libstrongswan/musl.h |
| 1797 | -@@ -0,0 +1,38 @@ |
| 1798 | -+#include <sys/types.h> |
| 1799 | -+ |
| 1800 | -+#define crypt x_crypt |
| 1801 | -+#define encrypt x_encrypt |
| 1802 | -+#include <unistd.h> |
| 1803 | -+ |
| 1804 | -+#define fd_set x_fd_set |
| 1805 | -+#define ino_t x_ino_t |
| 1806 | -+#define off_t x_off_t |
| 1807 | -+#define loff_t x_loff_t |
| 1808 | -+#define dev_t x_dev_t |
| 1809 | -+#define mode_t x_mode_t |
| 1810 | -+#define uid_t x_uid_t |
| 1811 | -+#define gid_t x_gid_t |
| 1812 | -+#define uint64_t x_uint64_t |
| 1813 | -+#define u_int64_t x_u_int64_t |
| 1814 | -+#define int64_t x_int64_t |
| 1815 | -+#define nlink_t x_nlink_t |
| 1816 | -+#define timer_t x_timer_t |
| 1817 | -+#define blkcnt_t x_blkcnt_t |
| 1818 | -+ |
| 1819 | -+#include <linux/types.h> |
| 1820 | -+ |
| 1821 | -+#undef fd_set |
| 1822 | -+#undef ino_t |
| 1823 | -+#undef off_t |
| 1824 | -+#undef dev_t |
| 1825 | -+#undef mode_t |
| 1826 | -+#undef uid_t |
| 1827 | -+#undef gid_t |
| 1828 | -+#undef uint64_t |
| 1829 | -+#undef u_int64_t |
| 1830 | -+#undef int64_t |
| 1831 | -+#undef nlink_t |
| 1832 | -+#undef timer_t |
| 1833 | -+#undef blkcnt_t |
| 1834 | -+#undef crypt |
| 1835 | -+#undef encrypt |
| 1836 | ---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c |
| 1837 | -+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c |
| 1838 | -@@ -40,6 +40,7 @@ |
| 1839 | - */ |
| 1840 | - |
| 1841 | - #define _GNU_SOURCE |
| 1842 | -+#include <musl.h> |
| 1843 | - #include <sys/types.h> |
| 1844 | - #include <sys/socket.h> |
| 1845 | - #include <sys/ioctl.h> |
| 1846 | ---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c |
| 1847 | -+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c |
| 1848 | -@@ -37,6 +37,8 @@ |
| 1849 | - * THE SOFTWARE. |
| 1850 | - */ |
| 1851 | - |
| 1852 | -+#include "musl.h" |
| 1853 | -+ |
| 1854 | - #include <sys/socket.h> |
| 1855 | - #include <sys/utsname.h> |
| 1856 | - #include <linux/netlink.h> |
| 1857 | ---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c |
| 1858 | -+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c |
| 1859 | -@@ -39,6 +39,8 @@ |
| 1860 | - * THE SOFTWARE. |
| 1861 | - */ |
| 1862 | - |
| 1863 | -+#include "musl.h" |
| 1864 | -+ |
| 1865 | - #include <sys/socket.h> |
| 1866 | - #include <linux/netlink.h> |
| 1867 | - #include <linux/rtnetlink.h> |
| 1868 | --- a/feeds/packages/net/strongswan/patches/203-uci.patch |
| 1869 | +++ /dev/null |
| 1870 | @@ -1,20 +0,0 @@ |
| 1871 | ---- a/src/libcharon/plugins/uci/uci_parser.c |
| 1872 | -+++ b/src/libcharon/plugins/uci/uci_parser.c |
| 1873 | -@@ -75,7 +75,7 @@ METHOD(enumerator_t, section_enumerator_ |
| 1874 | - if (uci_lookup(this->ctx, &element, this->package, |
| 1875 | - this->current->name, "name") == UCI_OK) |
| 1876 | - { /* use "name" attribute as config name if available ... */ |
| 1877 | -- *value = uci_to_option(element)->value; |
| 1878 | -+ *value = uci_to_option(element)->v.string; |
| 1879 | - } |
| 1880 | - else |
| 1881 | - { /* ... or the section name becomes config name */ |
| 1882 | -@@ -90,7 +90,7 @@ METHOD(enumerator_t, section_enumerator_ |
| 1883 | - if (value && uci_lookup(this->ctx, &element, this->package, |
| 1884 | - this->current->name, this->keywords[i]) == UCI_OK) |
| 1885 | - { |
| 1886 | -- *value = uci_to_option(element)->value; |
| 1887 | -+ *value = uci_to_option(element)->v.string; |
| 1888 | - } |
| 1889 | - } |
| 1890 | - |
| 1891 | --- a/feeds/packages/net/strongswan/patches/210-sleep.patch |
| 1892 | +++ /dev/null |
| 1893 | @@ -1,11 +0,0 @@ |
| 1894 | ---- a/src/ipsec/_ipsec.in |
| 1895 | -+++ b/src/ipsec/_ipsec.in |
| 1896 | -@@ -257,7 +257,7 @@ stop) |
| 1897 | - loop=110 |
| 1898 | - while [ $loop -gt 0 ] ; do |
| 1899 | - kill -0 $spid 2>/dev/null || break |
| 1900 | -- sleep 0.1 2>/dev/null |
| 1901 | -+ sleep 1 2>/dev/null |
| 1902 | - if [ $? -ne 0 ] |
| 1903 | - then |
| 1904 | - sleep 1 |
| 1905 | --- a/feeds/packages/net/strongswan/patches/300-include-ipsec-hotplug.patch |
| 1906 | +++ /dev/null |
| 1907 | @@ -1,16 +0,0 @@ |
| 1908 | ---- a/src/_updown/_updown.in |
| 1909 | -+++ b/src/_updown/_updown.in |
| 1910 | -@@ -22,6 +22,13 @@ |
| 1911 | - # that, and use the (left/right)updown parameters in ipsec.conf to make |
| 1912 | - # strongSwan use yours instead of this default one. |
| 1913 | - |
| 1914 | -+# Add your custom commands to the file "/etc/ipsec.user". Other packages could |
| 1915 | -+# also install their scripts in the directory "/etc/hotplug.d/ipsec". |
| 1916 | -+# This files/scripts are executed by the openwrt hotplug functionality on |
| 1917 | -+# ipsec events. |
| 1918 | -+ |
| 1919 | -+/sbin/hotplug-call ipsec "$1" |
| 1920 | -+ |
| 1921 | - # PLUTO_VERSION |
| 1922 | - # indicates what version of this interface is being |
| 1923 | - # used. This document describes version 1.1. This |
| 1924 | --- a/feeds/packages/net/strongswan/patches/305-minimal_dh_plugin.patch |
| 1925 | +++ /dev/null |
| 1926 | @@ -1,221 +0,0 @@ |
| 1927 | ---- a/configure.ac |
| 1928 | -+++ b/configure.ac |
| 1929 | -@@ -146,6 +146,7 @@ ARG_DISBL_SET([fips-prf], [disable |
| 1930 | - ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.]) |
| 1931 | - ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.]) |
| 1932 | - ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.]) |
| 1933 | -+ARG_DISBL_SET([gmpdh], [disable GNU MP (libgmp) based static-linked crypto DH minimal implementation plugin.]) |
| 1934 | - ARG_DISBL_SET([curve25519], [disable Curve25519 Diffie-Hellman plugin.]) |
| 1935 | - ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) |
| 1936 | - ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.]) |
| 1937 | -@@ -1478,6 +1479,7 @@ ADD_PLUGIN([botan], [s ch |
| 1938 | - ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) |
| 1939 | - ADD_PLUGIN([fips-prf], [s charon nm cmd]) |
| 1940 | - ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz]) |
| 1941 | -+ADD_PLUGIN([gmpdh], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) |
| 1942 | - ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd]) |
| 1943 | - ADD_PLUGIN([agent], [s charon nm cmd]) |
| 1944 | - ADD_PLUGIN([keychain], [s charon cmd]) |
| 1945 | -@@ -1619,6 +1621,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x |
| 1946 | - AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue) |
| 1947 | - AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) |
| 1948 | - AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) |
| 1949 | -+AM_CONDITIONAL(USE_GMPDH, test x$gmpdh = xtrue) |
| 1950 | - AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue) |
| 1951 | - AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) |
| 1952 | - AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue) |
| 1953 | -@@ -1896,6 +1899,7 @@ AC_CONFIG_FILES([ |
| 1954 | - src/libstrongswan/plugins/mgf1/Makefile |
| 1955 | - src/libstrongswan/plugins/fips_prf/Makefile |
| 1956 | - src/libstrongswan/plugins/gmp/Makefile |
| 1957 | -+ src/libstrongswan/plugins/gmpdh/Makefile |
| 1958 | - src/libstrongswan/plugins/curve25519/Makefile |
| 1959 | - src/libstrongswan/plugins/rdrand/Makefile |
| 1960 | - src/libstrongswan/plugins/aesni/Makefile |
| 1961 | ---- a/src/libstrongswan/Makefile.am |
| 1962 | -+++ b/src/libstrongswan/Makefile.am |
| 1963 | -@@ -345,6 +345,13 @@ if MONOLITHIC |
| 1964 | - endif |
| 1965 | - endif |
| 1966 | - |
| 1967 | -+if USE_GMPDH |
| 1968 | -+ SUBDIRS += plugins/gmpdh |
| 1969 | -+if MONOLITHIC |
| 1970 | -+ libstrongswan_la_LIBADD += plugins/gmpdh/libstrongswan-gmpdh.la |
| 1971 | -+endif |
| 1972 | -+endif |
| 1973 | -+ |
| 1974 | - if USE_CURVE25519 |
| 1975 | - SUBDIRS += plugins/curve25519 |
| 1976 | - if MONOLITHIC |
| 1977 | ---- /dev/null |
| 1978 | -+++ b/src/libstrongswan/plugins/gmpdh/Makefile.am |
| 1979 | -@@ -0,0 +1,19 @@ |
| 1980 | -+AM_CPPFLAGS = \ |
| 1981 | -+ -I$(top_srcdir)/src/libstrongswan |
| 1982 | -+ |
| 1983 | -+AM_CFLAGS = \ |
| 1984 | -+ $(PLUGIN_CFLAGS) |
| 1985 | -+ |
| 1986 | -+if MONOLITHIC |
| 1987 | -+noinst_LTLIBRARIES = libstrongswan-gmpdh.la |
| 1988 | -+else |
| 1989 | -+plugin_LTLIBRARIES = libstrongswan-gmpdh.la |
| 1990 | -+endif |
| 1991 | -+ |
| 1992 | -+libstrongswan_gmpdh_la_SOURCES = \ |
| 1993 | -+ gmpdh_plugin.h gmpdh_plugin.c \ |
| 1994 | -+ ../gmp/gmp_diffie_hellman.c ../gmp/gmp_diffie_hellman.h |
| 1995 | -+ |
| 1996 | -+ |
| 1997 | -+libstrongswan_gmpdh_la_LDFLAGS = -module -avoid-version -Wl,-Bstatic -Wl,-lgmp -Wl,-Bdynamic -Wl,--as-needed $(FPIC) |
| 1998 | -+libstrongswan_gmpdh_la_LIBADD = |
| 1999 | ---- /dev/null |
| 2000 | -+++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.c |
| 2001 | -@@ -0,0 +1,101 @@ |
| 2002 | -+/* |
| 2003 | -+ * Copyright (C) 2008-2009 Martin Willi |
| 2004 | -+ * Hochschule fuer Technik Rapperswil |
| 2005 | -+ * |
| 2006 | -+ * This program is free software; you can redistribute it and/or modify it |
| 2007 | -+ * under the terms of the GNU General Public License as published by the |
| 2008 | -+ * Free Software Foundation; either version 2 of the License, or (at your |
| 2009 | -+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
| 2010 | -+ * |
| 2011 | -+ * This program is distributed in the hope that it will be useful, but |
| 2012 | -+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
| 2013 | -+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 2014 | -+ * for more details. |
| 2015 | -+ */ |
| 2016 | -+ |
| 2017 | -+#include "gmpdh_plugin.h" |
| 2018 | -+ |
| 2019 | -+#include <library.h> |
| 2020 | -+#include "../gmp/gmp_diffie_hellman.h" |
| 2021 | -+ |
| 2022 | -+typedef struct private_gmpdh_plugin_t private_gmpdh_plugin_t; |
| 2023 | -+ |
| 2024 | -+/** |
| 2025 | -+ * private data of gmp_plugin |
| 2026 | -+ */ |
| 2027 | -+struct private_gmpdh_plugin_t { |
| 2028 | -+ |
| 2029 | -+ /** |
| 2030 | -+ * public functions |
| 2031 | -+ */ |
| 2032 | -+ gmpdh_plugin_t public; |
| 2033 | -+}; |
| 2034 | -+ |
| 2035 | -+METHOD(plugin_t, get_name, char*, |
| 2036 | -+ private_gmpdh_plugin_t *this) |
| 2037 | -+{ |
| 2038 | -+ return "gmpdh"; |
| 2039 | -+} |
| 2040 | -+ |
| 2041 | -+METHOD(plugin_t, get_features, int, |
| 2042 | -+ private_gmpdh_plugin_t *this, plugin_feature_t *features[]) |
| 2043 | -+{ |
| 2044 | -+ static plugin_feature_t f[] = { |
| 2045 | -+ /* DH groups */ |
| 2046 | -+ PLUGIN_REGISTER(DH, gmp_diffie_hellman_create), |
| 2047 | -+ PLUGIN_PROVIDE(DH, MODP_2048_BIT), |
| 2048 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2049 | -+ PLUGIN_PROVIDE(DH, MODP_2048_224), |
| 2050 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2051 | -+ PLUGIN_PROVIDE(DH, MODP_2048_256), |
| 2052 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2053 | -+ PLUGIN_PROVIDE(DH, MODP_1536_BIT), |
| 2054 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2055 | -+ PLUGIN_PROVIDE(DH, MODP_3072_BIT), |
| 2056 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2057 | -+ PLUGIN_PROVIDE(DH, MODP_4096_BIT), |
| 2058 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2059 | -+ PLUGIN_PROVIDE(DH, MODP_6144_BIT), |
| 2060 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2061 | -+ PLUGIN_PROVIDE(DH, MODP_8192_BIT), |
| 2062 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2063 | -+ PLUGIN_PROVIDE(DH, MODP_1024_BIT), |
| 2064 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2065 | -+ PLUGIN_PROVIDE(DH, MODP_1024_160), |
| 2066 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2067 | -+ PLUGIN_PROVIDE(DH, MODP_768_BIT), |
| 2068 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2069 | -+ PLUGIN_REGISTER(DH, gmp_diffie_hellman_create_custom), |
| 2070 | -+ PLUGIN_PROVIDE(DH, MODP_CUSTOM), |
| 2071 | -+ PLUGIN_DEPENDS(RNG, RNG_STRONG), |
| 2072 | -+ }; |
| 2073 | -+ *features = f; |
| 2074 | -+ return countof(f); |
| 2075 | -+} |
| 2076 | -+ |
| 2077 | -+METHOD(plugin_t, destroy, void, |
| 2078 | -+ private_gmpdh_plugin_t *this) |
| 2079 | -+{ |
| 2080 | -+ free(this); |
| 2081 | -+} |
| 2082 | -+ |
| 2083 | -+/* |
| 2084 | -+ * see header file |
| 2085 | -+ */ |
| 2086 | -+plugin_t *gmpdh_plugin_create() |
| 2087 | -+{ |
| 2088 | -+ private_gmpdh_plugin_t *this; |
| 2089 | -+ |
| 2090 | -+ INIT(this, |
| 2091 | -+ .public = { |
| 2092 | -+ .plugin = { |
| 2093 | -+ .get_name = _get_name, |
| 2094 | -+ .get_features = _get_features, |
| 2095 | -+ .destroy = _destroy, |
| 2096 | -+ }, |
| 2097 | -+ }, |
| 2098 | -+ ); |
| 2099 | -+ |
| 2100 | -+ return &this->public.plugin; |
| 2101 | -+} |
| 2102 | -+ |
| 2103 | ---- /dev/null |
| 2104 | -+++ b/src/libstrongswan/plugins/gmpdh/gmpdh_plugin.h |
| 2105 | -@@ -0,0 +1,42 @@ |
| 2106 | -+/* |
| 2107 | -+ * Copyright (C) 2008 Martin Willi |
| 2108 | -+ * Hochschule fuer Technik Rapperswil |
| 2109 | -+ * |
| 2110 | -+ * This program is free software; you can redistribute it and/or modify it |
| 2111 | -+ * under the terms of the GNU General Public License as published by the |
| 2112 | -+ * Free Software Foundation; either version 2 of the License, or (at your |
| 2113 | -+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
| 2114 | -+ * |
| 2115 | -+ * This program is distributed in the hope that it will be useful, but |
| 2116 | -+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
| 2117 | -+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 2118 | -+ * for more details. |
| 2119 | -+ */ |
| 2120 | -+ |
| 2121 | -+/** |
| 2122 | -+ * @defgroup gmpdh_p gmpdh |
| 2123 | -+ * @ingroup plugins |
| 2124 | -+ * |
| 2125 | -+ * @defgroup gmpdh_plugin gmpdh_plugin |
| 2126 | -+ * @{ @ingroup gmpdh_p |
| 2127 | -+ */ |
| 2128 | -+ |
| 2129 | -+#ifndef GMPDH_PLUGIN_H_ |
| 2130 | -+#define GMPDH_PLUGIN_H_ |
| 2131 | -+ |
| 2132 | -+#include <plugins/plugin.h> |
| 2133 | -+ |
| 2134 | -+typedef struct gmpdh_plugin_t gmpdh_plugin_t; |
| 2135 | -+ |
| 2136 | -+/** |
| 2137 | -+ * Plugin implementing asymmetric crypto algorithms using the GNU MP library. |
| 2138 | -+ */ |
| 2139 | -+struct gmpdh_plugin_t { |
| 2140 | -+ |
| 2141 | -+ /** |
| 2142 | -+ * implements plugin interface |
| 2143 | -+ */ |
| 2144 | -+ plugin_t plugin; |
| 2145 | -+}; |
| 2146 | -+ |
| 2147 | -+#endif /** GMPDH_PLUGIN_H_ @}*/ |
| 2148 | --- a/feeds/packages/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch |
| 2149 | +++ /dev/null |
| 2150 | @@ -1,30 +0,0 @@ |
| 2151 | -From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001 |
| 2152 | -From: Tobias Brunner <tobias@strongswan.org> |
| 2153 | -Date: Tue, 28 Sep 2021 19:38:22 +0200 |
| 2154 | -Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change |
| 2155 | - |
| 2156 | -random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually |
| 2157 | -equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added |
| 2158 | -directly to that offset before applying`% CACHE_SIZE` to get an index into |
| 2159 | -the cache array. If the random value was very high, this resulted in an |
| 2160 | -integer overflow and a negative index value and, therefore, an out-of-bounds |
| 2161 | -access of the array and in turn dereferencing invalid pointers when trying |
| 2162 | -to acquire the read lock. This most likely results in a segmentation fault. |
| 2163 | - |
| 2164 | -Fixes: 764e8b2211ce ("reimplemented certificate cache") |
| 2165 | -Fixes: CVE-2021-41991 |
| 2166 | ---- |
| 2167 | - src/libstrongswan/credentials/sets/cert_cache.c | 2 +- |
| 2168 | - 1 file changed, 1 insertion(+), 1 deletion(-) |
| 2169 | - |
| 2170 | ---- a/src/libstrongswan/credentials/sets/cert_cache.c |
| 2171 | -+++ b/src/libstrongswan/credentials/sets/cert_cache.c |
| 2172 | -@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t * |
| 2173 | - for (try = 0; try < REPLACE_TRIES; try++) |
| 2174 | - { |
| 2175 | - /* replace a random relation */ |
| 2176 | -- offset = random(); |
| 2177 | -+ offset = random() % CACHE_SIZE; |
| 2178 | - for (i = 0; i < CACHE_SIZE; i++) |
| 2179 | - { |
| 2180 | - rel = &this->relations[(i + offset) % CACHE_SIZE]; |
| 2181 | --- a/feeds/packages/net/strongswan/patches/710-strongswan-5.5.0-5.9.4_eap_success.patch |
| 2182 | +++ /dev/null |
| 2183 | @@ -1,138 +0,0 @@ |
| 2184 | -From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001 |
| 2185 | -From: Tobias Brunner <tobias@strongswan.org> |
| 2186 | -Date: Tue, 14 Dec 2021 10:51:35 +0100 |
| 2187 | -Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails |
| 2188 | - |
| 2189 | -Without this, the authentication succeeded if the server sent an early |
| 2190 | -EAP-Success message for mutual, key-generating EAP methods like EAP-TLS, |
| 2191 | -which may be used in EAP-only scenarios but would complete without server |
| 2192 | -or client authentication. For clients configured for such EAP-only |
| 2193 | -scenarios, a rogue server could capture traffic after the tunnel is |
| 2194 | -established or even access hosts behind the client. For non-mutual EAP |
| 2195 | -methods, public key server authentication has been enforced for a while. |
| 2196 | - |
| 2197 | -A server previously could also crash a client by sending an EAP-Success |
| 2198 | -immediately without initiating an actual EAP method. |
| 2199 | - |
| 2200 | -Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") |
| 2201 | -Fixes: CVE-2021-45079 |
| 2202 | ---- |
| 2203 | - src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +- |
| 2204 | - src/libcharon/plugins/eap_md5/eap_md5.c | 2 +- |
| 2205 | - src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++- |
| 2206 | - src/libcharon/sa/eap/eap_method.h | 8 ++++- |
| 2207 | - .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++--- |
| 2208 | - 5 files changed, 40 insertions(+), 8 deletions(-) |
| 2209 | - |
| 2210 | ---- a/src/libcharon/plugins/eap_gtc/eap_gtc.c |
| 2211 | -+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c |
| 2212 | -@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_ |
| 2213 | - METHOD(eap_method_t, get_msk, status_t, |
| 2214 | - private_eap_gtc_t *this, chunk_t *msk) |
| 2215 | - { |
| 2216 | -- return FAILED; |
| 2217 | -+ return NOT_SUPPORTED; |
| 2218 | - } |
| 2219 | - |
| 2220 | - METHOD(eap_method_t, get_identifier, uint8_t, |
| 2221 | ---- a/src/libcharon/plugins/eap_md5/eap_md5.c |
| 2222 | -+++ b/src/libcharon/plugins/eap_md5/eap_md5.c |
| 2223 | -@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_ |
| 2224 | - METHOD(eap_method_t, get_msk, status_t, |
| 2225 | - private_eap_md5_t *this, chunk_t *msk) |
| 2226 | - { |
| 2227 | -- return FAILED; |
| 2228 | -+ return NOT_SUPPORTED; |
| 2229 | - } |
| 2230 | - |
| 2231 | - METHOD(eap_method_t, is_mutual, bool, |
| 2232 | ---- a/src/libcharon/plugins/eap_radius/eap_radius.c |
| 2233 | -+++ b/src/libcharon/plugins/eap_radius/eap_radius.c |
| 2234 | -@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t, |
| 2235 | - *out = msk; |
| 2236 | - return SUCCESS; |
| 2237 | - } |
| 2238 | -- return FAILED; |
| 2239 | -+ /* we assume the selected method did not establish an MSK, if it failed |
| 2240 | -+ * to establish one, process() would have failed */ |
| 2241 | -+ return NOT_SUPPORTED; |
| 2242 | - } |
| 2243 | - |
| 2244 | - METHOD(eap_method_t, get_identifier, uint8_t, |
| 2245 | ---- a/src/libcharon/sa/eap/eap_method.h |
| 2246 | -+++ b/src/libcharon/sa/eap/eap_method.h |
| 2247 | -@@ -114,10 +114,16 @@ struct eap_method_t { |
| 2248 | - * Not all EAP methods establish a shared secret. For implementations of |
| 2249 | - * the EAP-Identity method, get_msk() returns the received identity. |
| 2250 | - * |
| 2251 | -+ * @note Returning NOT_SUPPORTED is important for implementations of EAP |
| 2252 | -+ * methods that don't establish an MSK. In particular as client because |
| 2253 | -+ * key-generating EAP methods MUST fail to process EAP-Success messages if |
| 2254 | -+ * no MSK is established. |
| 2255 | -+ * |
| 2256 | - * @param msk chunk receiving internal stored MSK |
| 2257 | - * @return |
| 2258 | -- * - SUCCESS, or |
| 2259 | -+ * - SUCCESS, if MSK is established |
| 2260 | - * - FAILED, if MSK not established (yet) |
| 2261 | -+ * - NOT_SUPPORTED, for non-MSK-establishing methods |
| 2262 | - */ |
| 2263 | - status_t (*get_msk) (eap_method_t *this, chunk_t *msk); |
| 2264 | - |
| 2265 | ---- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c |
| 2266 | -+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c |
| 2267 | -@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap |
| 2268 | - this->method->destroy(this->method); |
| 2269 | - return server_initiate_eap(this, FALSE); |
| 2270 | - } |
| 2271 | -- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) |
| 2272 | -+ switch (this->method->get_msk(this->method, &this->msk)) |
| 2273 | - { |
| 2274 | -- this->msk = chunk_clone(this->msk); |
| 2275 | -+ case SUCCESS: |
| 2276 | -+ this->msk = chunk_clone(this->msk); |
| 2277 | -+ break; |
| 2278 | -+ case NOT_SUPPORTED: |
| 2279 | -+ break; |
| 2280 | -+ case FAILED: |
| 2281 | -+ default: |
| 2282 | -+ DBG1(DBG_IKE, "failed to establish MSK"); |
| 2283 | -+ goto failure; |
| 2284 | - } |
| 2285 | - if (vendor) |
| 2286 | - { |
| 2287 | -@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap |
| 2288 | - return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); |
| 2289 | - case FAILED: |
| 2290 | - default: |
| 2291 | -+failure: |
| 2292 | - /* type might have changed for virtual methods */ |
| 2293 | - type = this->method->get_type(this->method, &vendor); |
| 2294 | - if (vendor) |
| 2295 | -@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, |
| 2296 | - uint32_t vendor; |
| 2297 | - auth_cfg_t *cfg; |
| 2298 | - |
| 2299 | -- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) |
| 2300 | -+ if (!this->method) |
| 2301 | - { |
| 2302 | -- this->msk = chunk_clone(this->msk); |
| 2303 | -+ DBG1(DBG_IKE, "received unexpected %N", |
| 2304 | -+ eap_code_names, eap_payload->get_code(eap_payload)); |
| 2305 | -+ return FAILED; |
| 2306 | -+ } |
| 2307 | -+ switch (this->method->get_msk(this->method, &this->msk)) |
| 2308 | -+ { |
| 2309 | -+ case SUCCESS: |
| 2310 | -+ this->msk = chunk_clone(this->msk); |
| 2311 | -+ break; |
| 2312 | -+ case NOT_SUPPORTED: |
| 2313 | -+ break; |
| 2314 | -+ case FAILED: |
| 2315 | -+ default: |
| 2316 | -+ DBG1(DBG_IKE, "received %N but failed to establish MSK", |
| 2317 | -+ eap_code_names, eap_payload->get_code(eap_payload)); |
| 2318 | -+ return FAILED; |
| 2319 | - } |
| 2320 | - type = this->method->get_type(this->method, &vendor); |
| 2321 | - if (vendor) |
| 2322 | --- a/feeds/packages/net/strongswan/patches/720-strongswan-5.6.1-5.9.3_gmp-rsa-ssa-salt-len.patch |
| 2323 | +++ /dev/null |
| 2324 | @@ -1,49 +0,0 @@ |
| 2325 | -From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001 |
| 2326 | -From: Tobias Brunner <tobias@strongswan.org> |
| 2327 | -Date: Tue, 28 Sep 2021 17:52:08 +0200 |
| 2328 | -Subject: [PATCH] Reject RSASSA-PSS params with negative salt length |
| 2329 | - |
| 2330 | -The `salt_len` member in the struct is of type `ssize_t` because we use |
| 2331 | -negative values for special automatic salt lengths when generating |
| 2332 | -signatures. |
| 2333 | - |
| 2334 | -Not checking this could lead to an integer overflow. The value is assigned |
| 2335 | -to the `len` field of a chunk (`size_t`), which is further used in |
| 2336 | -calculations to check the padding structure and (if that is passed by a |
| 2337 | -matching crafted signature value) eventually a memcpy() that will result |
| 2338 | -in a segmentation fault. |
| 2339 | - |
| 2340 | -Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") |
| 2341 | -Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") |
| 2342 | -Fixes: CVE-2021-41990 |
| 2343 | ---- |
| 2344 | - src/libstrongswan/credentials/keys/signature_params.c | 6 +++++- |
| 2345 | - src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +- |
| 2346 | - 2 files changed, 6 insertions(+), 2 deletions(-) |
| 2347 | - |
| 2348 | ---- a/src/libstrongswan/credentials/keys/signature_params.c |
| 2349 | -+++ b/src/libstrongswan/credentials/keys/signature_params.c |
| 2350 | -@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, |
| 2351 | - case RSASSA_PSS_PARAMS_SALT_LEN: |
| 2352 | - if (object.len) |
| 2353 | - { |
| 2354 | -- params->salt_len = (size_t)asn1_parse_integer_uint64(object); |
| 2355 | -+ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object); |
| 2356 | -+ if (params->salt_len < 0) |
| 2357 | -+ { |
| 2358 | -+ goto end; |
| 2359 | -+ } |
| 2360 | - } |
| 2361 | - break; |
| 2362 | - case RSASSA_PSS_PARAMS_TRAILER: |
| 2363 | ---- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |
| 2364 | -+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c |
| 2365 | -@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(pr |
| 2366 | - int i; |
| 2367 | - bool success = FALSE; |
| 2368 | - |
| 2369 | -- if (!params) |
| 2370 | -+ if (!params || params->salt_len < 0) |
| 2371 | - { |
| 2372 | - return FALSE; |
| 2373 | - } |
| 2374 | --- a/feeds/packages/net/strongswan/patches/730-strongswan-5.1.0-5.9.7_cert_online_validate.patch |
| 2375 | +++ /dev/null |
| 2376 | @@ -1,200 +0,0 @@ |
| 2377 | -From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001 |
| 2378 | -From: Tobias Brunner <tobias@strongswan.org> |
| 2379 | -Date: Fri, 22 Jul 2022 15:37:43 +0200 |
| 2380 | -Subject: [PATCH] credential-manager: Do online revocation checks only after |
| 2381 | - basic trust chain validation |
| 2382 | - |
| 2383 | -This avoids querying URLs of potentially untrusted certificates, e.g. if |
| 2384 | -an attacker sends a specially crafted end-entity and intermediate CA |
| 2385 | -certificate with a CDP that points to a server that completes the |
| 2386 | -TCP handshake but then does not send any further data, which will block |
| 2387 | -the fetcher thread (depending on the plugin) for as long as the default |
| 2388 | -timeout for TCP. Doing that multiple times will block all worker threads, |
| 2389 | -leading to a DoS attack. |
| 2390 | - |
| 2391 | -The logging during the certificate verification obviously changes. The |
| 2392 | -following example shows the output of `pki --verify` for the current |
| 2393 | -strongswan.org certificate: |
| 2394 | - |
| 2395 | -new: |
| 2396 | - |
| 2397 | - using certificate "CN=www.strongswan.org" |
| 2398 | - using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" |
| 2399 | - using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" |
| 2400 | - reached self-signed root ca with a path length of 1 |
| 2401 | -checking certificate status of "CN=www.strongswan.org" |
| 2402 | - requesting ocsp status from 'http://r3.o.lencr.org' ... |
| 2403 | - ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" |
| 2404 | - ocsp response is valid: until Jul 27 12:59:58 2022 |
| 2405 | -certificate status is good |
| 2406 | -checking certificate status of "C=US, O=Let's Encrypt, CN=R3" |
| 2407 | -ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found |
| 2408 | - fetching crl from 'http://x1.c.lencr.org/' ... |
| 2409 | - using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" |
| 2410 | - crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" |
| 2411 | - crl is valid: until Apr 18 01:59:59 2023 |
| 2412 | -certificate status is good |
| 2413 | -certificate trusted, lifetimes valid, certificate not revoked |
| 2414 | - |
| 2415 | -old: |
| 2416 | - |
| 2417 | - using certificate "CN=www.strongswan.org" |
| 2418 | - using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" |
| 2419 | -checking certificate status of "CN=www.strongswan.org" |
| 2420 | - requesting ocsp status from 'http://r3.o.lencr.org' ... |
| 2421 | - ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" |
| 2422 | - ocsp response is valid: until Jul 27 12:59:58 2022 |
| 2423 | -certificate status is good |
| 2424 | - using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" |
| 2425 | -checking certificate status of "C=US, O=Let's Encrypt, CN=R3" |
| 2426 | -ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found |
| 2427 | - fetching crl from 'http://x1.c.lencr.org/' ... |
| 2428 | - using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" |
| 2429 | - crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" |
| 2430 | - crl is valid: until Apr 18 01:59:59 2023 |
| 2431 | -certificate status is good |
| 2432 | - reached self-signed root ca with a path length of 1 |
| 2433 | -certificate trusted, lifetimes valid, certificate not revoked |
| 2434 | - |
| 2435 | -Note that this also fixes an issue with the previous dual-use of the |
| 2436 | -`trusted` flag. It not only indicated whether the chain is trusted but |
| 2437 | -also whether the current issuer is the root anchor (the corresponding |
| 2438 | -flag in the `cert_validator_t` interface is called `anchor`). This was |
| 2439 | -a problem when building multi-level trust chains for pre-trusted |
| 2440 | -end-entity certificates (i.e. where `trusted` is TRUE from the start). |
| 2441 | -This caused the main loop to get aborted after the first intermediate CA |
| 2442 | -certificate and the mentioned `anchor` flag wasn't correct in any calls |
| 2443 | -to `cert_validator_t` implementations. |
| 2444 | - |
| 2445 | -Fixes: CVE-2022-40617 |
| 2446 | ---- |
| 2447 | - .../credentials/credential_manager.c | 54 +++++++++++++++---- |
| 2448 | - 1 file changed, 45 insertions(+), 9 deletions(-) |
| 2449 | - |
| 2450 | ---- a/src/libstrongswan/credentials/credential_manager.c |
| 2451 | -+++ b/src/libstrongswan/credentials/credential_manager.c |
| 2452 | -@@ -555,7 +555,7 @@ static void cache_queue(private_credenti |
| 2453 | - */ |
| 2454 | - static bool check_lifetime(private_credential_manager_t *this, |
| 2455 | - certificate_t *cert, char *label, |
| 2456 | -- int pathlen, bool trusted, auth_cfg_t *auth) |
| 2457 | -+ int pathlen, bool anchor, auth_cfg_t *auth) |
| 2458 | - { |
| 2459 | - time_t not_before, not_after; |
| 2460 | - cert_validator_t *validator; |
| 2461 | -@@ -570,7 +570,7 @@ static bool check_lifetime(private_crede |
| 2462 | - continue; |
| 2463 | - } |
| 2464 | - status = validator->check_lifetime(validator, cert, |
| 2465 | -- pathlen, trusted, auth); |
| 2466 | -+ pathlen, anchor, auth); |
| 2467 | - if (status != NEED_MORE) |
| 2468 | - { |
| 2469 | - break; |
| 2470 | -@@ -603,13 +603,13 @@ static bool check_lifetime(private_crede |
| 2471 | - */ |
| 2472 | - static bool check_certificate(private_credential_manager_t *this, |
| 2473 | - certificate_t *subject, certificate_t *issuer, bool online, |
| 2474 | -- int pathlen, bool trusted, auth_cfg_t *auth) |
| 2475 | -+ int pathlen, bool anchor, auth_cfg_t *auth) |
| 2476 | - { |
| 2477 | - cert_validator_t *validator; |
| 2478 | - enumerator_t *enumerator; |
| 2479 | - |
| 2480 | - if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || |
| 2481 | -- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) |
| 2482 | -+ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth)) |
| 2483 | - { |
| 2484 | - return FALSE; |
| 2485 | - } |
| 2486 | -@@ -622,7 +622,7 @@ static bool check_certificate(private_cr |
| 2487 | - continue; |
| 2488 | - } |
| 2489 | - if (!validator->validate(validator, subject, issuer, |
| 2490 | -- online, pathlen, trusted, auth)) |
| 2491 | -+ online, pathlen, anchor, auth)) |
| 2492 | - { |
| 2493 | - enumerator->destroy(enumerator); |
| 2494 | - return FALSE; |
| 2495 | -@@ -725,6 +725,7 @@ static bool verify_trust_chain(private_c |
| 2496 | - auth_cfg_t *auth; |
| 2497 | - signature_params_t *scheme; |
| 2498 | - int pathlen; |
| 2499 | -+ bool is_anchor = FALSE; |
| 2500 | - |
| 2501 | - auth = auth_cfg_create(); |
| 2502 | - get_key_strength(subject, auth); |
| 2503 | -@@ -742,7 +743,7 @@ static bool verify_trust_chain(private_c |
| 2504 | - auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); |
| 2505 | - DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", |
| 2506 | - issuer->get_subject(issuer)); |
| 2507 | -- trusted = TRUE; |
| 2508 | -+ trusted = is_anchor = TRUE; |
| 2509 | - } |
| 2510 | - else |
| 2511 | - { |
| 2512 | -@@ -777,11 +778,18 @@ static bool verify_trust_chain(private_c |
| 2513 | - DBG1(DBG_CFG, " issuer is \"%Y\"", |
| 2514 | - current->get_issuer(current)); |
| 2515 | - call_hook(this, CRED_HOOK_NO_ISSUER, current); |
| 2516 | -+ if (trusted) |
| 2517 | -+ { |
| 2518 | -+ DBG1(DBG_CFG, " reached end of incomplete trust chain for " |
| 2519 | -+ "trusted certificate \"%Y\"", |
| 2520 | -+ subject->get_subject(subject)); |
| 2521 | -+ } |
| 2522 | - break; |
| 2523 | - } |
| 2524 | - } |
| 2525 | -- if (!check_certificate(this, current, issuer, online, |
| 2526 | -- pathlen, trusted, auth)) |
| 2527 | -+ /* don't do online verification here */ |
| 2528 | -+ if (!check_certificate(this, current, issuer, FALSE, |
| 2529 | -+ pathlen, is_anchor, auth)) |
| 2530 | - { |
| 2531 | - trusted = FALSE; |
| 2532 | - issuer->destroy(issuer); |
| 2533 | -@@ -793,7 +801,7 @@ static bool verify_trust_chain(private_c |
| 2534 | - } |
| 2535 | - current->destroy(current); |
| 2536 | - current = issuer; |
| 2537 | -- if (trusted) |
| 2538 | -+ if (is_anchor) |
| 2539 | - { |
| 2540 | - DBG1(DBG_CFG, " reached self-signed root ca with a " |
| 2541 | - "path length of %d", pathlen); |
| 2542 | -@@ -806,6 +814,34 @@ static bool verify_trust_chain(private_c |
| 2543 | - DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); |
| 2544 | - call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject); |
| 2545 | - } |
| 2546 | -+ else if (trusted && online) |
| 2547 | -+ { |
| 2548 | -+ enumerator_t *enumerator; |
| 2549 | -+ auth_rule_t rule; |
| 2550 | -+ |
| 2551 | -+ /* do online revocation checks after basic validation of the chain */ |
| 2552 | -+ pathlen = 0; |
| 2553 | -+ current = subject; |
| 2554 | -+ enumerator = auth->create_enumerator(auth); |
| 2555 | -+ while (enumerator->enumerate(enumerator, &rule, &issuer)) |
| 2556 | -+ { |
| 2557 | -+ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT) |
| 2558 | -+ { |
| 2559 | -+ if (!check_certificate(this, current, issuer, TRUE, pathlen++, |
| 2560 | -+ rule == AUTH_RULE_CA_CERT, auth)) |
| 2561 | -+ { |
| 2562 | -+ trusted = FALSE; |
| 2563 | -+ break; |
| 2564 | -+ } |
| 2565 | -+ else if (rule == AUTH_RULE_CA_CERT) |
| 2566 | -+ { |
| 2567 | -+ break; |
| 2568 | -+ } |
| 2569 | -+ current = issuer; |
| 2570 | -+ } |
| 2571 | -+ } |
| 2572 | -+ enumerator->destroy(enumerator); |
| 2573 | -+ } |
| 2574 | - if (trusted) |
| 2575 | - { |
| 2576 | - result->merge(result, auth, FALSE); |
developer | 320744b | 2023-11-23 17:16:30 +0800 | [diff] [blame] | 2577 | --- a/package/kernel/linux/modules/crypto.mk |
| 2578 | +++ b/package/kernel/linux/modules/crypto.mk |
| 2579 | @@ -95,6 +95,18 @@ endef |
| 2580 | $(eval $(call KernelPackage,crypto-ccm)) |
| 2581 | |
| 2582 | |
| 2583 | +define KernelPackage/crypto-chacha20poly1305 |
| 2584 | + TITLE:=ChaCha20-Poly1305 AEAD support, RFC7539 (used by strongSwan IPsec VPN) |
| 2585 | + DEPENDS:=+kmod-crypto-aead +kmod-crypto-manager |
| 2586 | + KCONFIG:=CONFIG_CRYPTO_CHACHA20POLY1305 |
| 2587 | + FILES:=$(LINUX_DIR)/crypto/chacha20poly1305.ko |
| 2588 | + AUTOLOAD:=$(call AutoLoad,09,chacha20poly1305) |
| 2589 | + $(call AddDepends/crypto) |
| 2590 | +endef |
| 2591 | + |
| 2592 | +$(eval $(call KernelPackage,crypto-chacha20poly1305)) |
| 2593 | + |
| 2594 | + |
| 2595 | define KernelPackage/crypto-cmac |
| 2596 | TITLE:=Support for Cipher-based Message Authentication Code (CMAC) |
| 2597 | DEPENDS:=+kmod-crypto-hash |