From: Felix Fietkau Date: Tue, 15 Apr 2014 17:28:55 +0000 (+0000) Subject: AA: strongswan: update to the latest version to fix various security issues, includin... X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=a1698a4d7696fd80325291ccf918788d568abd2c;p=openwrt%2Fsvn-archive%2Farchive.git AA: strongswan: update to the latest version to fix various security issues, including CVE-2014-2338 Signed-off-by: Felix Fietkau SVN-Revision: 40518 --- diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile index cb8f95fd64..a0a8a6c5a9 100644 --- a/net/strongswan/Makefile +++ b/net/strongswan/Makefile @@ -1,5 +1,5 @@ -# -# Copyright (C) 2012 OpenWrt.org +# +# Copyright (C) 2012-2014 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=strongswan -PKG_VERSION:=5.0.0 +PKG_VERSION:=5.1.3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_SOURCE_URL:=http://download.strongswan.org/ -PKG_MD5SUM:=c8b861305def7c0abae04f7bbefec212 +PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/ +PKG_MD5SUM:=1d1c108775242743cd8699215b2918c3 PKG_MOD_AVAILABLE:= \ addrblock \ @@ -36,6 +36,7 @@ PKG_MOD_AVAILABLE:= \ eap-identity \ eap-md5 \ eap-mschapv2 \ + eap-radius \ farp \ fips-prf \ gcm \ @@ -44,6 +45,7 @@ PKG_MOD_AVAILABLE:= \ ha \ hmac \ kernel-klips \ + kernel-libipsec \ kernel-netlink \ kernel-pfkey \ ldap \ @@ -69,18 +71,18 @@ PKG_MOD_AVAILABLE:= \ smp \ socket-default \ socket-dynamic \ - socket-raw \ sql \ sqlite \ stroke \ test-vectors \ + unity \ uci \ updown \ whitelist \ x509 \ xauth-eap \ xauth-generic \ - xcbc \ + xcbc PKG_CONFIG_DEPENDS:= \ CONFIG_STRONGSWAN_DEVICE_RANDOM \ 
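Review bot: The new PKG_MD5SUM is the only integrity check on the fetched tarball, because both PKG_SOURCE_URL entries (including the newly added download2 mirror) are plain HTTP. For a security update that explicitly targets CVE-2014-2338 it would be worth recording in the commit message that the checksum was taken from upstream's published value or verified against upstream's signature rather than computed from a mirror download, and, if this buildsystem already supports a SHA-based hash variable (I cannot tell from the hunk), switching to it instead of MD5.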
@@ -150,6 +152,7 @@ $(call Package/strongswan/Default) +strongswan-mod-eap-identity \ +strongswan-mod-eap-md5 \ +strongswan-mod-eap-mschapv2 \ + +strongswan-mod-eap-radius \ +strongswan-mod-farp \ +strongswan-mod-fips-prf \ +strongswan-mod-gcm \ @@ -185,6 +188,7 @@ $(call Package/strongswan/Default) +strongswan-mod-stroke \ +strongswan-mod-test-vectors \ +strongswan-mod-uci \ + +strongswan-mod-unity \ +strongswan-mod-updown \ +strongswan-mod-whitelist \ +strongswan-mod-x509 \ @@ -198,8 +202,9 @@ endef define Package/strongswan-full/description $(call Package/strongswan/description/Default) This meta-package contains dependencies for all of the strongswan plugins - except kernel-klips, kernel-pfkey, socket-dynamic and socket-raw which are - ommitted in favor of the kernel-netlink and socket-default plugins. + except kernel-klips, kernel-libipsec, kernel-pfkey, + socket-dynamic and which are ommitted in favor of the kernel-netlink and + socket-default plugins. endef @@ -301,7 +306,7 @@ endef define Package/strongswan-utils/description $(call Package/strongswan/description/Default) - This package contains the openac, pki & scepclient utilities. + This package contains the pki & scepclient utilities. endef define BuildPlugin @@ -343,6 +348,7 @@ EXTRA_LDFLAGS+= -Wl,-rpath-link,$(STAGING_DIR)/usr/lib define Package/strongswan/conffiles /etc/ipsec.conf /etc/ipsec.secrets +/etc/ipsec.user /etc/strongswan.conf endef @@ -352,6 +358,8 @@ define Package/strongswan/install $(INSTALL_DIR) $(1)/usr/lib/ipsec $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/ $(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec endef define Package/strongswan-default/install 
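Review bot: The rewritten strongswan-full description reads `socket-dynamic and which are ommitted`, leaving a dangling "and" where socket-raw was deleted from the list, plus the pre-existing misspelling. Suggest `except kernel-klips, kernel-libipsec, kernel-pfkey and socket-dynamic, which are omitted in favor of the kernel-netlink and socket-default plugins.`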
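Review bot: `/etc/ipsec.user` is added to Package/strongswan/conffiles, but Package/strongswan/install does not ship that file; later in this diff it is installed by Plugin/updown/install, i.e. by strongswan-mod-updown. As far as I can tell a conffiles entry only protects files owned by the same package, so upgrading strongswan-mod-updown would still overwrite an operator's customized ipsec.user, which is exactly the problem the upstream CAUTION comment removed in patch 300 warned about. Either install ipsec.user from Package/strongswan/install next to ipsec.init, or give the updown plugin its own conffiles entry if the BuildPlugin template allows one.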
@@ -380,8 +388,10 @@ endef define Package/strongswan-utils/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pki $(1)/usr/bin/ $(INSTALL_DIR) $(1)/usr/lib/ipsec - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{openac,pki,scepclient} $(1)/usr/lib/ipsec/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/scepclient $(1)/usr/lib/ipsec/ endef define Plugin/duplicheck/install @@ -390,6 +400,12 @@ define Plugin/duplicheck/install $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-duplicheck.so $(1)/usr/lib/ipsec/plugins/ endef +define Plugin/eap-radius/install + $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins + $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libradius.so.* $(1)/usr/lib/ipsec/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so $(1)/usr/lib/ipsec/plugins/ +endef + define Plugin/attr-sql/install $(INSTALL_DIR) $(1)/usr/lib/ipsec $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/pool $(1)/usr/lib/ipsec/ @@ -416,6 +432,8 @@ define Plugin/updown/install $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{_updown,_updown_espmark} $(1)/usr/lib/ipsec/ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-updown.so $(1)/usr/lib/ipsec/plugins/ + $(INSTALL_DIR) $(1)/etc + $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/ endef define Plugin/whitelist/install @@ -424,6 +442,11 @@ define Plugin/whitelist/install $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-whitelist.so $(1)/usr/lib/ipsec/plugins/ endef +define Plugin/kernel-libipsec/install + $(INSTALL_DIR) $(1)/usr/lib/ipsec + $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libipsec.so.* $(1)/usr/lib/ipsec/ +endef + $(eval $(call BuildPackage,strongswan)) $(eval $(call BuildPackage,strongswan-default)) $(eval $(call BuildPackage,strongswan-full)) 
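Review bot: Plugin/kernel-libipsec/install copies only `libipsec.so.*` and not the plugin itself, unlike the sibling Plugin/eap-radius/install, Plugin/updown/install and Plugin/whitelist/install in this same file, which each also copy their `libstrongswan-<name>.so` into /usr/lib/ipsec/plugins. If BuildPlugin uses this define as the complete install step for the package (which those siblings suggest), strongswan-mod-kernel-libipsec ships the helper library but not the plugin charon actually loads. Add `$(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins` and `$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so $(1)/usr/lib/ipsec/plugins/` to the define.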
@@ -450,7 +473,8 @@ $(eval $(call BuildPlugin,dnskey,DNS RR key decoding,)) $(eval $(call BuildPlugin,duplicheck,advanced duplicate checking,)) $(eval $(call BuildPlugin,eap-identity,EAP identity helper,)) $(eval $(call BuildPlugin,eap-md5,EAP MD5 (CHAP) EAP auth,)) -$(eval $(call BuildPlugin,eap-mschapv2,EAP MS-CHAPv2 EAP auth,)) +$(eval $(call BuildPlugin,eap-mschapv2,EAP MS-CHAPv2 EAP auth,+strongswan-mod-md4 +strongswan-mod-des)) +$(eval $(call BuildPlugin,eap-radius,EAP RADIUS auth,)) $(eval $(call BuildPlugin,farp,fake arp respsonses,)) $(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1)) $(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,)) @@ -459,6 +483,7 @@ $(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp)) $(eval $(call BuildPlugin,ha,high availability cluster,)) $(eval $(call BuildPlugin,hmac,HMAC crypto,)) $(eval $(call BuildPlugin,kernel-klips,KLIPS kernel interface,)) +$(eval $(call BuildPlugin,kernel-libipsec,libipsec kernel interface,)) $(eval $(call BuildPlugin,kernel-netlink,netlink kernel interface,)) $(eval $(call BuildPlugin,kernel-pfkey,PK_KEY kernel interface,)) $(eval $(call BuildPlugin,ldap,LDAP,+PACKAGE_strongswan-mod-ldap:libopenldap)) 
@@ -484,12 +509,12 @@ $(eval $(call BuildPlugin,sha2,SHA2 crypto,)) $(eval $(call BuildPlugin,smp,SMP configuration and control interface,+PACKAGE_strongswan-mod-smp:libxml2)) $(eval $(call BuildPlugin,socket-default,default socket implementation for charon,)) $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charon,)) -$(eval $(call BuildPlugin,socket-raw,raw socket implementation for charon,)) $(eval $(call BuildPlugin,sql,SQL database interface,)) $(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3)) $(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils)) $(eval $(call BuildPlugin,test-vectors,crypto test vectors,)) $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci)) +$(eval $(call BuildPlugin,unity,Cisco Unity extension,)) $(eval $(call BuildPlugin,updown,updown firewall,)) $(eval $(call BuildPlugin,whitelist,peer identity whitelisting,)) $(eval $(call BuildPlugin,x509,x509 certificate,)) diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init new file mode 100644 index 0000000000..391a2ae8c7 --- /dev/null +++ b/net/strongswan/files/ipsec.init @@ -0,0 +1,20 @@ +#!/bin/sh /etc/rc.common + +START=90 +STOP=10 + +start() { + ipsec start +} + +stop() { + ipsec stop +} + +restart() { + ipsec restart +} + +reload() { + ipsec update +} diff --git a/net/strongswan/files/ipsec.user b/net/strongswan/files/ipsec.user new file mode 100644 index 0000000000..4351ace397 --- /dev/null +++ b/net/strongswan/files/ipsec.user @@ -0,0 +1,6 @@ +# This file is interpreted as shell script. +# Put your custom ip rules here, they will +# be executed with each call to the script +# /usr/lib/ipsec/_updown which by default +# strongswan executes. + diff --git a/net/strongswan/patches/100-method_name_fix.patch b/net/strongswan/patches/100-method_name_fix.patch new file mode 100644 index 0000000000..477f399c65 --- /dev/null 
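Review bot: `reload()` in files/ipsec.init maps to `ipsec update`, which, per my understanding of ipsec(8) (please verify), signals starter to re-read ipsec.conf but does not re-read ipsec.secrets; an operator who rotates a PSK or private key and runs `/etc/init.d/ipsec reload` keeps authenticating with the old material until a restart. Consider `reload() { ipsec update; ipsec rereadsecrets; }`, or at least a comment above the function stating that reload covers ipsec.conf only.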
+++ b/net/strongswan/patches/100-method_name_fix.patch @@ -0,0 +1,40 @@ +--- a/src/libipsec/ip_packet.c ++++ b/src/libipsec/ip_packet.c +@@ -95,7 +95,7 @@ METHOD(ip_packet_t, get_next_header, u_i + return this->next_header; + } + +-METHOD(ip_packet_t, clone, ip_packet_t*, ++METHOD(ip_packet_t, clone_, ip_packet_t*, + private_ip_packet_t *this) + { + return ip_packet_create(chunk_clone(this->packet)); +@@ -183,7 +183,7 @@ ip_packet_t *ip_packet_create(chunk_t pa + .get_destination = _get_destination, + .get_next_header = _get_next_header, + .get_encoding = _get_encoding, +- .clone = _clone, ++ .clone = _clone_, + .destroy = _destroy, + }, + .src = src, +--- a/src/libipsec/esp_packet.c ++++ b/src/libipsec/esp_packet.c +@@ -115,7 +115,7 @@ METHOD(packet_t, skip_bytes, void, + return this->packet->skip_bytes(this->packet, bytes); + } + +-METHOD(packet_t, clone, packet_t*, ++METHOD(packet_t, clone_, packet_t*, + private_esp_packet_t *this) + { + private_esp_packet_t *pkt; +@@ -414,7 +414,7 @@ static private_esp_packet_t *esp_packet_ + .get_dscp = _get_dscp, + .set_dscp = _set_dscp, + .skip_bytes = _skip_bytes, +- .clone = _clone, ++ .clone = _clone_, + .destroy = _destroy, + }, + .get_source = _get_source, diff --git a/net/strongswan/patches/201-kmodloader.patch b/net/strongswan/patches/201-kmodloader.patch new file mode 100644 index 0000000000..7d46156384 --- /dev/null +++ b/net/strongswan/patches/201-kmodloader.patch 
@@ -0,0 +1,28 @@
+--- a/src/starter/netkey.c
++++ b/src/starter/netkey.c
+@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
+ /* af_key module makes the netkey proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- ignore_result(system("modprobe -qv af_key"));
++ ignore_result(system("modprobe af_key 2>&1 >/dev/null"));
+ }
+ 
+ /* now test again */
+@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
+ /* make sure that all required IPsec modules are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- ignore_result(system("modprobe -qv ah4"));
+- ignore_result(system("modprobe -qv esp4"));
+- ignore_result(system("modprobe -qv ipcomp"));
+- ignore_result(system("modprobe -qv xfrm4_tunnel"));
+- ignore_result(system("modprobe -qv xfrm_user"));
++ ignore_result(system("modprobe ah4 2>&1 >/dev/null"));
++ ignore_result(system("modprobe esp4 2>&1 >/dev/null"));
++ ignore_result(system("modprobe ipcomp 2>&1 >/dev/null"));
++ ignore_result(system("modprobe xfrm4_tunnel 2>&1 >/dev/null"));
++ ignore_result(system("modprobe xfrm_user 2>&1 >/dev/null"));
+ }
+ 
+ DBG2(DBG_APP, "found netkey IPsec stack");
diff --git a/net/strongswan/patches/201-no-modprobe.patch b/net/strongswan/patches/201-no-modprobe.patch
deleted file mode 100644
index 5dee45e97f..0000000000
--- a/net/strongswan/patches/201-no-modprobe.patch
+++ /dev/null
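Review bot: The redirections in the six new `modprobe ... 2>&1 >/dev/null` strings are in the wrong order: `2>&1` first duplicates stderr onto the current stdout, and only afterwards is stdout sent to /dev/null, so modprobe's error output still reaches the starter's stdout, which is what dropping the unsupported `-qv` was meant to silence. Use `>/dev/null 2>&1` in each system() call, e.g. `ignore_result(system("modprobe af_key >/dev/null 2>&1"));`. Both inner hunks sit inside starter_netkey_init(), which begins before and ends after the patch context.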
@@ -1,28 +0,0 @@ ---- a/src/starter/netkey.c -+++ b/src/starter/netkey.c -@@ -31,7 +31,7 @@ bool starter_netkey_init(void) - /* af_key module makes the netkey proc interface visible */ - if (stat(PROC_MODULES, &stb) == 0) - { -- ignore_result(system("modprobe -qv af_key")); -+ ignore_result(system("insmod -qv af_key")); - } - - /* now test again */ -@@ -45,11 +45,11 @@ bool starter_netkey_init(void) - /* make sure that all required IPsec modules are loaded */ - if (stat(PROC_MODULES, &stb) == 0) - { -- ignore_result(system("modprobe -qv ah4")); -- ignore_result(system("modprobe -qv esp4")); -- ignore_result(system("modprobe -qv ipcomp")); -- ignore_result(system("modprobe -qv xfrm4_tunnel")); -- ignore_result(system("modprobe -qv xfrm_user")); -+ ignore_result(system("insmod -qv ah4")); -+ ignore_result(system("insmod -qv esp4")); -+ ignore_result(system("insmod -qv ipcomp")); -+ ignore_result(system("insmod -qv xfrm4_tunnel")); -+ ignore_result(system("insmod -qv xfrm_user")); - } - - DBG2(DBG_APP, "found netkey IPsec stack"); diff --git a/net/strongswan/patches/300-include-ipsec-user-script.patch b/net/strongswan/patches/300-include-ipsec-user-script.patch new file mode 100644 index 0000000000..d96e84492e --- /dev/null +++ b/net/strongswan/patches/300-include-ipsec-user-script.patch 
@@ -0,0 +1,17 @@
+--- a/src/_updown/_updown.in
++++ b/src/_updown/_updown.in
+@@ -16,11 +16,9 @@
+ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ # for more details.
+ 
+-# CAUTION: Installing a new version of strongSwan will install a new
+-# copy of this script, wiping out any custom changes you make. If
+-# you need changes, make a copy of this under another name, and customize
+-# that, and use the (left/right)updown parameters in ipsec.conf to make
+-# strongSwan use yours instead of this default one.
++# Add your custom ip rules to the /etc/ipsec.user file if you need that functionality.
++
++[ -e /etc/ipsec.user ] && . /etc/ipsec.user "$1"
+ 
+ # things that this script gets (from ipsec_pluto(8) man page)
+ #
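Review bot: The new `[ -e /etc/ipsec.user ] && . /etc/ipsec.user "$1"` sources an operator-edited file into _updown, which charon runs as root on every SA up/down with an environment describing the peer, yet the one-line replacement comment says nothing about that and the deleted upstream CAUTION text was the file's only warning. Suggest expanding the comment to: `# /etc/ipsec.user is sourced (as root) into this script on every up/down event, so it must be root-owned and not world-writable; quote any of the environment variables listed below that you use, as some are supplied by the peer.` Passing an argument to `.` is unspecified in POSIX sh; it works in busybox ash as far as I know, but `$1` is already visible inside the sourced file without it, so the `"$1"` could be dropped for portability.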