author | Jeff Hatch <jhatch@multitech.com> | 2016-08-04 10:00:34 -0500 |
---|---|---|
committer | Jeff Hatch <jhatch@multitech.com> | 2016-08-04 10:00:34 -0500 |
commit | a2cb5255dba1e2be506e592e207a77cec2cdc37d (patch) | |
tree | df9122e548e9f4f50fc9dfa596a574e5a1b21352 | |
parent | 03c987617ac2419730e454101f263ccb8016e63c (diff) | |
download | meta-mlinux-a2cb5255dba1e2be506e592e207a77cec2cdc37d.tar.gz meta-mlinux-a2cb5255dba1e2be506e592e207a77cec2cdc37d.tar.bz2 meta-mlinux-a2cb5255dba1e2be506e592e207a77cec2cdc37d.zip |
Add strongswan 5.3.2 bitbake recipe to upgrade from 5.1.1 and override the openembedded recipe
5 files changed, 282 insertions, 0 deletions
diff --git a/recipes-support/strongswan/files/fix-funtion-parameter.patch b/recipes-support/strongswan/files/fix-funtion-parameter.patch
new file mode 100644
index 0000000..da96983
--- /dev/null
+++ b/recipes-support/strongswan/files/fix-funtion-parameter.patch
@@ -0,0 +1,98 @@
+fix the function parameter
+
+Upstream-Status: pending
+
+Original openssl_diffie_hellman_create has three parameters, but
+it is reassigned a function pointer which has one parameter, and
+is called with one parameter, which will lead to segment fault
+on PPC, Now we simply correct the number of parameters.
+
+ #0 0x484d4aa0 in __GI_raise (sig=6)
+ at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
+ #1 0x484d9930 in __GI_abort () at abort.c:91
+ #2 0x10002064 in segv_handler (signal=11) at charon.c:224
+ #3 <signal handler called>
+ #4 0x48d89630 in openssl_diffie_hellman_create (group=MODP_1024_BIT, g=...,
+ p=<error reading variable: Cannot access memory at address 0x0>)
+ at openssl_diffie_hellman.c:143
+ #5 0x482c54f8 in create_dh (this=0x11ac6e68, group=MODP_1024_BIT)
+ at crypto/crypto_factory.c:358
+ #6 0x48375884 in create_dh (this=<optimized out>, group=<optimized out>)
+ at sa/keymat.c:132
+ #7 0x483843b8 in process_payloads (this=0x51400a78, message=<optimized
+ out>)
+ at sa/tasks/ike_init.c:200
+ #8 0x483844d0 in process_r (this=0x51400a78, message=0x51500778)
+ at sa/tasks/ike_init.c:319
+ #9 0x48374c9c in process_request (message=0x51500778, this=0x51400d20)
+ at sa/task_manager.c:870
+ #10 process_message (this=0x51400d20, msg=0x51500778) at
+ sa/task_manager.c:925
+ #11 0x4836c378 in process_message (this=0x514005f0, message=0x51500778)
+ at sa/ike_sa.c:1317
+ #12 0x48362270 in execute (this=0x515008d0)
+ at processing/jobs/process_message_job.c:74
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+---
+ src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 8 +++++++-
+ src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h | 4 +++-
+ src/libstrongswan/plugins/openssl/openssl_plugin.c | 1 +
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+index ff33824..bd21446 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
++++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+@@ -142,7 +142,7 @@ METHOD(diffie_hellman_t, destroy, void,
+ /*
+ * Described in header.
+ */
+-openssl_diffie_hellman_t *openssl_diffie_hellman_create(
++openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom(
+ diffie_hellman_group_t group, chunk_t g, chunk_t p)
+ {
+ private_openssl_diffie_hellman_t *this;
+@@ -197,5 +197,11 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(
+
+ return &this->public;
+ }
++openssl_diffie_hellman_t *openssl_diffie_hellman_create( diffie_hellman_group_t group)
++{
++ chunk_t g;
++ chunk_t p;
++ openssl_diffie_hellman_create_custom(group, g, p);
++}
+
+ #endif /* OPENSSL_NO_DH */
+diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+index 53dc59c..eb69eaa 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
++++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+@@ -44,8 +44,10 @@ struct openssl_diffie_hellman_t {
+ * @param p custom prime, if MODP_CUSTOM
+ * @return openssl_diffie_hellman_t object, NULL if not supported
+ */
+-openssl_diffie_hellman_t *openssl_diffie_hellman_create(
++openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom(
+ diffie_hellman_group_t group, chunk_t g, chunk_t p);
++openssl_diffie_hellman_t *openssl_diffie_hellman_create(
++ diffie_hellman_group_t group);
+
+ #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index ff25086..c76873d 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -388,6 +388,7 @@ METHOD(plugin_t, get_features, int,
+ PLUGIN_PROVIDE(DH, MODP_1024_BIT),
+ PLUGIN_PROVIDE(DH, MODP_1024_160),
+ PLUGIN_PROVIDE(DH, MODP_768_BIT),
++ PLUGIN_REGISTER(DH, openssl_diffie_hellman_create_custom),
+ PLUGIN_PROVIDE(DH, MODP_CUSTOM),
+ #endif
+ #ifndef OPENSSL_NO_RSA
+--
+1.8.3
+
diff --git a/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch b/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch
new file mode 100644
index 0000000..86baccf
--- /dev/null
+++ b/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch
@@ -0,0 +1,22 @@
+commit 44cbabd8a42bc2a436562ed33fb8c89fa6b75b6e
+Author: Chris Patterson <pattersonc@ainfosec.com>
+Date: Fri Dec 18 08:31:48 2015 -0500
+
+ strongswan-swanctl.service.in: match install used by strongswan.service
+
+ Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
+
+Upstream-Status: Submitted
+https://github.com/strongswan/strongswan/pull/25
+
+diff --git a/init/systemd-swanctl/strongswan-swanctl.service.in b/init/systemd-swanctl/strongswan-swanctl.service.in
+index 818d352..944101f 100644
+--- a/init/systemd-swanctl/strongswan-swanctl.service.in
++++ b/init/systemd-swanctl/strongswan-swanctl.service.in
+@@ -7,3 +7,6 @@ Type=notify
+ ExecStart=@SBINDIR@/charon-systemd
+ ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
+ ExecReload=@SBINDIR@/swanctl --reload
++
++[Install]
++WantedBy=multi-user.target
diff --git a/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch b/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch
new file mode 100644
index 0000000..ad3459e
--- /dev/null
+++ b/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch
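Review bot: The one-argument `openssl_diffie_hellman_create` wrapper this patch appends to openssl_diffie_hellman.c never returns a value, so with the function's result being used by the caller the program has undefined behaviour and whatever DH object charon ends up holding is indeterminate; it also forwards two uninitialised `chunk_t` locals. This sits on the unauthenticated IKE_SA_INIT path (the backtrace in the patch shows it reached from ike_init.c), so a single peer proposal selecting a MODP group exercises it; that it appears to work is an accident of the ABI, not of the code. The body should read `chunk_t g = {0}, p = {0};` followed by `return openssl_diffie_hellman_create_custom(group, g, p);` (or pass strongSwan's `chunk_empty` if it is in scope in this file). Upstream-Status is "pending" and the backtrace cites sa/tasks/ike_init.c, so the patch predates the 5.3.2 tree it is now applied to; it is worth confirming it still applies cleanly and that the earlier PLUGIN_REGISTER for the named MODP groups (outside this hunk) is really meant to route through this wrapper.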
@@ -0,0 +1,36 @@
+From b980ba7757dcfedd756aa055b3271ea58cf85aa6 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Thu, 20 Feb 2014 16:08:43 +0100
+Subject: [PATCH] ikev2: Reject CREATE_CHILD_SA exchange on unestablished
+ IKE_SAs
+
+Prevents a responder peer to trick us into established state by starting
+IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.
+
+Fixes CVE-2014-2338 for 5.x versions of strongSwan.
+---
+ src/libcharon/sa/ikev2/task_manager_v2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
+index ac3be90..a5252ab 100644
+--- a/src/libcharon/sa/ikev2/task_manager_v2.c
++++ b/src/libcharon/sa/ikev2/task_manager_v2.c
+@@ -780,6 +780,15 @@ static status_t process_request(private_
+ case CREATE_CHILD_SA:
+ { /* FIXME: we should prevent this on mediation connections */
+ bool notify_found = FALSE, ts_found = FALSE;
++
++ if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
++ this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
++ {
++ DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
++ "unestablished IKE_SA, rejected");
++ return FAILED;
++ }
++
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+--
+1.8.1.2
diff --git a/recipes-support/strongswan/files/support-newer-systemd.patch b/recipes-support/strongswan/files/support-newer-systemd.patch
new file mode 100644
index 0000000..550cf67
--- /dev/null
+++ b/recipes-support/strongswan/files/support-newer-systemd.patch
@@ -0,0 +1,69 @@
+commit 82498129e0a91dfc3ed2c4ec3b2252f44655b83c
+Author: Chris Patterson <pattersonc@ainfosec.com>
+Date: Fri Dec 18 08:27:57 2015 -0500
+
+ configure: support systemd >= 209
+
+ libsystemd-journal and libsystemd-daemon are now just
+ part of libsystemd.
+
+ Keep original systemd checks as a fallback.
+
+ Updates charon-systemd/Makefile.am accordingly.
+
+ Tested on:
+ - debian wheezy (systemd v44)
+ - ubuntu 15.10 (systemd v255).
+
+ Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
+
+Upstream-Status: Submitted
+https://github.com/strongswan/strongswan/pull/24
+
+diff --git a/configure.ac b/configure.ac
+index 3d71ce0..f6c0426 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -941,13 +941,17 @@ if test x$systemd = xtrue; then
+ AC_MSG_ERROR([not found (try --with-systemdsystemunitdir)])
+ fi
+
+- PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
+- AC_SUBST(systemd_daemon_CFLAGS)
+- AC_SUBST(systemd_daemon_LIBS)
+-
+- PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
+- AC_SUBST(systemd_journal_CFLAGS)
+- AC_SUBST(systemd_journal_LIBS)
++ PKG_CHECK_MODULES(systemd, [libsystemd >= 209],
++ [AC_SUBST(systemd_CFLAGS)
++ AC_SUBST(systemd_LIBS)],
++ [PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
++ AC_SUBST(systemd_daemon_CFLAGS)
++ AC_SUBST(systemd_daemon_LIBS)
++
++ PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
++ AC_SUBST(systemd_journal_CFLAGS)
++ AC_SUBST(systemd_journal_LIBS)
++ ])
+ fi
+
+ if test x$tss = xtrousers; then
+diff --git a/src/charon-systemd/Makefile.am b/src/charon-systemd/Makefile.am
+index 1b9ac15..ee85d43 100644
+--- a/src/charon-systemd/Makefile.am
++++ b/src/charon-systemd/Makefile.am
+@@ -9,11 +9,11 @@ charon_systemd_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon \
+- $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
++ $(systemd_CFLAGS) $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
+ -DPLUGINS=\""${charon_plugins}\""
+
+ charon_systemd_LDADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libcharon/libcharon.la \
+- $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
++ $(systemd_LIBS) $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
diff --git a/recipes-support/strongswan/strongswan_5.3.2.bb b/recipes-support/strongswan/strongswan_5.3.2.bb
new file mode 100644
index 0000000..9dc4878
--- /dev/null
+++ b/recipes-support/strongswan/strongswan_5.3.2.bb
@@ -0,0 +1,57 @@
+DESCRIPTION = "strongSwan is an OpenSource IPsec implementation for the \
+Linux operating system."
+SUMMARY = "strongSwan is an OpenSource IPsec implementation"
+HOMEPAGE = "http://www.strongswan.org"
+SECTION = "net"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+DEPENDS = "gmp openssl flex-native flex bison-native"
+
+SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
+ file://fix-funtion-parameter.patch \
+ file://support-newer-systemd.patch \
+ file://install-strongswan-swanctl-service.patch \
+"
+
+SRC_URI[md5sum] = "fab014be1477ef4ebf9a765e10f8802c"
+SRC_URI[sha256sum] = "a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225"
+
+EXTRA_OECONF = " \
+ --without-lib-prefix \
+"
+
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}"
+
+
+PACKAGECONFIG ??= "charon curl gmp openssl stroke sqlite3 \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'ldap', 'ldap', '', d)} \
+"
+PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,"
+PACKAGECONFIG[charon] = "--enable-charon,--disable-charon,"
+PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,"
+PACKAGECONFIG[gmp] = "--enable-gmp,--disable-gmp,gmp,"
+PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap,"
+PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,"
+PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,"
+PACKAGECONFIG[scep] = "--enable-scepclient,--disable-scepclient,"
+PACKAGECONFIG[soup] = "--enable-soup,--disable-soup,libsoup-2.4,"
+PACKAGECONFIG[sqlite3] = "--enable-sqlite,--disable-sqlite,sqlite3,"
+PACKAGECONFIG[stroke] = "--enable-stroke,--disable-stroke,"
+PACKAGECONFIG[swanctl] = "--enable-swanctl,--disable-swanctl,,libgcc"
+
+# requires swanctl
+PACKAGECONFIG[systemd-charon] = "--enable-systemd,--disable-systemd,systemd,"
+
+inherit autotools systemd pkgconfig
+
+RRECOMMENDS_${PN} = "kernel-module-ipsec"
+
+FILES_${PN} += "${libdir}/ipsec/lib*${SOLIBS} ${libdir}/ipsec/plugins/*.so"
+FILES_${PN}-dbg += "${libdir}/ipsec/.debug ${libdir}/ipsec/plugins/.debug ${libexecdir}/ipsec/.debug"
+FILES_${PN}-dev += "${libdir}/ipsec/lib*${SOLIBSDEV} ${libdir}/ipsec/*.la ${libdir}/ipsec/plugins/*.la"
+FILES_${PN}-staticdev += "${libdir}/ipsec/*.a ${libdir}/ipsec/plugins/*.a"
+
+RPROVIDES_${PN} += "${PN}-systemd"
+RREPLACES_${PN} += "${PN}-systemd"
+RCONFLICTS_${PN} += "${PN}-systemd"
+SYSTEMD_SERVICE_${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'swanctl', '${BPN}-swanctl.service', '${BPN}.service', d)}" |
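Review bot: `strongswan-5.0.0-5.1.2_reject_child_sa.patch` is added under files/ by this same commit but is not listed in `SRC_URI`, so the recipe never applies it; a patch that sits beside the recipe yet is not applied invites a reader to believe the CVE-2014-2338 fix is carried here when nothing in this recipe does so. Its filename targets 5.0.0-5.1.2 and the upstream commit is from February 2014, so 5.3.2 presumably already contains the state check; confirm that in the tarball's task_manager_v2.c and then drop the file, or, if the check is genuinely missing, add `file://strongswan-5.0.0-5.1.2_reject_child_sa.patch \` to SRC_URI. Separately, the tarball is fetched over plain `http://`; the sha256 pin protects integrity only to the extent that checksum was itself taken from a trusted source, so prefer `https://download.strongswan.org/strongswan-${PV}.tar.bz2` and verify the checksum against upstream's signed release before trusting it.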