summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeff Hatch <jhatch@multitech.com>2016-08-04 10:00:34 -0500
committerJeff Hatch <jhatch@multitech.com>2016-08-04 10:00:34 -0500
commita2cb5255dba1e2be506e592e207a77cec2cdc37d (patch)
treedf9122e548e9f4f50fc9dfa596a574e5a1b21352
parent03c987617ac2419730e454101f263ccb8016e63c (diff)
downloadmeta-mlinux-a2cb5255dba1e2be506e592e207a77cec2cdc37d.tar.gz
meta-mlinux-a2cb5255dba1e2be506e592e207a77cec2cdc37d.tar.bz2
meta-mlinux-a2cb5255dba1e2be506e592e207a77cec2cdc37d.zip
Add strongswan 5.3.2 bitbake recipe to upgrade from 5.1.1 and override the openembedded recipe
-rw-r--r--recipes-support/strongswan/files/fix-funtion-parameter.patch98
-rw-r--r--recipes-support/strongswan/files/install-strongswan-swanctl-service.patch22
-rw-r--r--recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch36
-rw-r--r--recipes-support/strongswan/files/support-newer-systemd.patch69
-rw-r--r--recipes-support/strongswan/strongswan_5.3.2.bb57
5 files changed, 282 insertions, 0 deletions
diff --git a/recipes-support/strongswan/files/fix-funtion-parameter.patch b/recipes-support/strongswan/files/fix-funtion-parameter.patch
new file mode 100644
index 0000000..da96983
--- /dev/null
+++ b/recipes-support/strongswan/files/fix-funtion-parameter.patch
@@ -0,0 +1,98 @@
+fix the function parameter
+
+Upstream-Status: pending
+
+Original openssl_diffie_hellman_create has three parameters, but
+it is reassigned a function pointer which has one parameter, and
+is called with one parameter, which will lead to segment fault
+on PPC, Now we simply correct the number of parameters.
+
+ #0 0x484d4aa0 in __GI_raise (sig=6)
+ at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
+ #1 0x484d9930 in __GI_abort () at abort.c:91
+ #2 0x10002064 in segv_handler (signal=11) at charon.c:224
+ #3 <signal handler called>
+ #4 0x48d89630 in openssl_diffie_hellman_create (group=MODP_1024_BIT, g=...,
+ p=<error reading variable: Cannot access memory at address 0x0>)
+ at openssl_diffie_hellman.c:143
+ #5 0x482c54f8 in create_dh (this=0x11ac6e68, group=MODP_1024_BIT)
+ at crypto/crypto_factory.c:358
+ #6 0x48375884 in create_dh (this=<optimized out>, group=<optimized out>)
+ at sa/keymat.c:132
+ #7 0x483843b8 in process_payloads (this=0x51400a78, message=<optimized
+ out>)
+ at sa/tasks/ike_init.c:200
+ #8 0x483844d0 in process_r (this=0x51400a78, message=0x51500778)
+ at sa/tasks/ike_init.c:319
+ #9 0x48374c9c in process_request (message=0x51500778, this=0x51400d20)
+ at sa/task_manager.c:870
+ #10 process_message (this=0x51400d20, msg=0x51500778) at
+ sa/task_manager.c:925
+ #11 0x4836c378 in process_message (this=0x514005f0, message=0x51500778)
+ at sa/ike_sa.c:1317
+ #12 0x48362270 in execute (this=0x515008d0)
+ at processing/jobs/process_message_job.c:74
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+---
+ src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 8 +++++++-
+ src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h | 4 +++-
+ src/libstrongswan/plugins/openssl/openssl_plugin.c | 1 +
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+index ff33824..bd21446 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
++++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+@@ -142,7 +142,7 @@ METHOD(diffie_hellman_t, destroy, void,
+ /*
+ * Described in header.
+ */
+-openssl_diffie_hellman_t *openssl_diffie_hellman_create(
++openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom(
+ diffie_hellman_group_t group, chunk_t g, chunk_t p)
+ {
+ private_openssl_diffie_hellman_t *this;
+@@ -197,5 +197,11 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(
+
+ return &this->public;
+ }
++openssl_diffie_hellman_t *openssl_diffie_hellman_create( diffie_hellman_group_t group)
++{
++ chunk_t g;
++ chunk_t p;
++ openssl_diffie_hellman_create_custom(group, g, p);
++}
+
+ #endif /* OPENSSL_NO_DH */
+diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+index 53dc59c..eb69eaa 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
++++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+@@ -44,8 +44,10 @@ struct openssl_diffie_hellman_t {
+ * @param p custom prime, if MODP_CUSTOM
+ * @return openssl_diffie_hellman_t object, NULL if not supported
+ */
+-openssl_diffie_hellman_t *openssl_diffie_hellman_create(
++openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom(
+ diffie_hellman_group_t group, chunk_t g, chunk_t p);
++openssl_diffie_hellman_t *openssl_diffie_hellman_create(
++ diffie_hellman_group_t group);
+
+ #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index ff25086..c76873d 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -388,6 +388,7 @@ METHOD(plugin_t, get_features, int,
+ PLUGIN_PROVIDE(DH, MODP_1024_BIT),
+ PLUGIN_PROVIDE(DH, MODP_1024_160),
+ PLUGIN_PROVIDE(DH, MODP_768_BIT),
++ PLUGIN_REGISTER(DH, openssl_diffie_hellman_create_custom),
+ PLUGIN_PROVIDE(DH, MODP_CUSTOM),
+ #endif
+ #ifndef OPENSSL_NO_RSA
+--
+1.8.3
+
diff --git a/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch b/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch
new file mode 100644
index 0000000..86baccf
--- /dev/null
+++ b/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch
@@ -0,0 +1,22 @@
+commit 44cbabd8a42bc2a436562ed33fb8c89fa6b75b6e
+Author: Chris Patterson <pattersonc@ainfosec.com>
+Date: Fri Dec 18 08:31:48 2015 -0500
+
+ strongswan-swanctl.service.in: match install used by strongswan.service
+
+ Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
+
+Upstream-Status: Submitted
+https://github.com/strongswan/strongswan/pull/25
+
+diff --git a/init/systemd-swanctl/strongswan-swanctl.service.in b/init/systemd-swanctl/strongswan-swanctl.service.in
+index 818d352..944101f 100644
+--- a/init/systemd-swanctl/strongswan-swanctl.service.in
++++ b/init/systemd-swanctl/strongswan-swanctl.service.in
+@@ -7,3 +7,6 @@ Type=notify
+ ExecStart=@SBINDIR@/charon-systemd
+ ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
+ ExecReload=@SBINDIR@/swanctl --reload
++
++[Install]
++WantedBy=multi-user.target
diff --git a/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch b/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch
new file mode 100644
index 0000000..ad3459e
--- /dev/null
+++ b/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch
@@ -0,0 +1,36 @@
+From b980ba7757dcfedd756aa055b3271ea58cf85aa6 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Thu, 20 Feb 2014 16:08:43 +0100
+Subject: [PATCH] ikev2: Reject CREATE_CHILD_SA exchange on unestablished
+ IKE_SAs
+
+Prevents a responder peer to trick us into established state by starting
+IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.
+
+Fixes CVE-2014-2338 for 5.x versions of strongSwan.
+---
+ src/libcharon/sa/ikev2/task_manager_v2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
+index ac3be90..a5252ab 100644
+--- a/src/libcharon/sa/ikev2/task_manager_v2.c
++++ b/src/libcharon/sa/ikev2/task_manager_v2.c
+@@ -780,6 +780,15 @@ static status_t process_request(private_
+ case CREATE_CHILD_SA:
+ { /* FIXME: we should prevent this on mediation connections */
+ bool notify_found = FALSE, ts_found = FALSE;
++
++ if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
++ this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
++ {
++ DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
++ "unestablished IKE_SA, rejected");
++ return FAILED;
++ }
++
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+--
+1.8.1.2
diff --git a/recipes-support/strongswan/files/support-newer-systemd.patch b/recipes-support/strongswan/files/support-newer-systemd.patch
new file mode 100644
index 0000000..550cf67
--- /dev/null
+++ b/recipes-support/strongswan/files/support-newer-systemd.patch
@@ -0,0 +1,69 @@
+commit 82498129e0a91dfc3ed2c4ec3b2252f44655b83c
+Author: Chris Patterson <pattersonc@ainfosec.com>
+Date: Fri Dec 18 08:27:57 2015 -0500
+
+ configure: support systemd >= 209
+
+ libsystemd-journal and libsystemd-daemon are now just
+ part of libsystemd.
+
+ Keep original systemd checks as a fallback.
+
+ Updates charon-systemd/Makefile.am accordingly.
+
+ Tested on:
+ - debian wheezy (systemd v44)
+ - ubuntu 15.10 (systemd v255).
+
+ Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
+
+Upstream-Status: Submitted
+https://github.com/strongswan/strongswan/pull/24
+
+diff --git a/configure.ac b/configure.ac
+index 3d71ce0..f6c0426 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -941,13 +941,17 @@ if test x$systemd = xtrue; then
+ AC_MSG_ERROR([not found (try --with-systemdsystemunitdir)])
+ fi
+
+- PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
+- AC_SUBST(systemd_daemon_CFLAGS)
+- AC_SUBST(systemd_daemon_LIBS)
+-
+- PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
+- AC_SUBST(systemd_journal_CFLAGS)
+- AC_SUBST(systemd_journal_LIBS)
++ PKG_CHECK_MODULES(systemd, [libsystemd >= 209],
++ [AC_SUBST(systemd_CFLAGS)
++ AC_SUBST(systemd_LIBS)],
++ [PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
++ AC_SUBST(systemd_daemon_CFLAGS)
++ AC_SUBST(systemd_daemon_LIBS)
++
++ PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
++ AC_SUBST(systemd_journal_CFLAGS)
++ AC_SUBST(systemd_journal_LIBS)
++ ])
+ fi
+
+ if test x$tss = xtrousers; then
+diff --git a/src/charon-systemd/Makefile.am b/src/charon-systemd/Makefile.am
+index 1b9ac15..ee85d43 100644
+--- a/src/charon-systemd/Makefile.am
++++ b/src/charon-systemd/Makefile.am
+@@ -9,11 +9,11 @@ charon_systemd_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon \
+- $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
++ $(systemd_CFLAGS) $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
+ -DPLUGINS=\""${charon_plugins}\""
+
+ charon_systemd_LDADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libcharon/libcharon.la \
+- $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
++ $(systemd_LIBS) $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
diff --git a/recipes-support/strongswan/strongswan_5.3.2.bb b/recipes-support/strongswan/strongswan_5.3.2.bb
new file mode 100644
index 0000000..9dc4878
--- /dev/null
+++ b/recipes-support/strongswan/strongswan_5.3.2.bb
@@ -0,0 +1,57 @@
+DESCRIPTION = "strongSwan is an OpenSource IPsec implementation for the \
+Linux operating system."
+SUMMARY = "strongSwan is an OpenSource IPsec implementation"
+HOMEPAGE = "http://www.strongswan.org"
+SECTION = "net"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+DEPENDS = "gmp openssl flex-native flex bison-native"
+
+SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
+ file://fix-funtion-parameter.patch \
+ file://support-newer-systemd.patch \
+ file://install-strongswan-swanctl-service.patch \
+"
+
+SRC_URI[md5sum] = "fab014be1477ef4ebf9a765e10f8802c"
+SRC_URI[sha256sum] = "a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225"
+
+EXTRA_OECONF = " \
+ --without-lib-prefix \
+"
+
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}"
+
+
+PACKAGECONFIG ??= "charon curl gmp openssl stroke sqlite3 \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'ldap', 'ldap', '', d)} \
+"
+PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,"
+PACKAGECONFIG[charon] = "--enable-charon,--disable-charon,"
+PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,"
+PACKAGECONFIG[gmp] = "--enable-gmp,--disable-gmp,gmp,"
+PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap,"
+PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,"
+PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,"
+PACKAGECONFIG[scep] = "--enable-scepclient,--disable-scepclient,"
+PACKAGECONFIG[soup] = "--enable-soup,--disable-soup,libsoup-2.4,"
+PACKAGECONFIG[sqlite3] = "--enable-sqlite,--disable-sqlite,sqlite3,"
+PACKAGECONFIG[stroke] = "--enable-stroke,--disable-stroke,"
+PACKAGECONFIG[swanctl] = "--enable-swanctl,--disable-swanctl,,libgcc"
+
+# requires swanctl
+PACKAGECONFIG[systemd-charon] = "--enable-systemd,--disable-systemd,systemd,"
+
+inherit autotools systemd pkgconfig
+
+RRECOMMENDS_${PN} = "kernel-module-ipsec"
+
+FILES_${PN} += "${libdir}/ipsec/lib*${SOLIBS} ${libdir}/ipsec/plugins/*.so"
+FILES_${PN}-dbg += "${libdir}/ipsec/.debug ${libdir}/ipsec/plugins/.debug ${libexecdir}/ipsec/.debug"
+FILES_${PN}-dev += "${libdir}/ipsec/lib*${SOLIBSDEV} ${libdir}/ipsec/*.la ${libdir}/ipsec/plugins/*.la"
+FILES_${PN}-staticdev += "${libdir}/ipsec/*.a ${libdir}/ipsec/plugins/*.a"
+
+RPROVIDES_${PN} += "${PN}-systemd"
+RREPLACES_${PN} += "${PN}-systemd"
+RCONFLICTS_${PN} += "${PN}-systemd"
+SYSTEMD_SERVICE_${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'swanctl', '${BPN}-swanctl.service', '${BPN}.service', d)}"