From 87f0d6ae984c52cde9d97861c92e619aa22c7e8a Mon Sep 17 00:00:00 2001
From: John Klug
Date: Wed, 5 Jul 2017 09:39:28 -0500
Subject: Use openembedded strongswan, which is newer.
---
.../strongswan/files/fix-funtion-parameter.patch | 98 ----------------------
.../files/install-strongswan-swanctl-service.patch | 22 -----
.../strongswan-5.0.0-5.1.2_reject_child_sa.patch | 36 --------
.../strongswan/files/support-newer-systemd.patch | 69 ---------------
recipes-support/strongswan/strongswan_5.3.2.bb | 57 -------------
5 files changed, 282 deletions(-)
delete mode 100644 recipes-support/strongswan/files/fix-funtion-parameter.patch
delete mode 100644 recipes-support/strongswan/files/install-strongswan-swanctl-service.patch
delete mode 100644 recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch
delete mode 100644 recipes-support/strongswan/files/support-newer-systemd.patch
delete mode 100644 recipes-support/strongswan/strongswan_5.3.2.bb
(limited to 'recipes-support')
diff --git a/recipes-support/strongswan/files/fix-funtion-parameter.patch b/recipes-support/strongswan/files/fix-funtion-parameter.patch
deleted file mode 100644
index da96983..0000000
--- a/recipes-support/strongswan/files/fix-funtion-parameter.patch
+++ /dev/null
@@ -1,98 +0,0 @@ -fix the function parameter - -Upstream-Status: pending - -Original openssl_diffie_hellman_create has three parameters, but -it is reassigned a function pointer which has one parameter, and -is called with one parameter, which will lead to segment fault -on PPC, Now we simply correct the number of parameters. - - #0 0x484d4aa0 in __GI_raise (sig=6) - at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 - #1 0x484d9930 in __GI_abort () at abort.c:91 - #2 0x10002064 in segv_handler (signal=11) at charon.c:224 - #3 - #4 0x48d89630 in openssl_diffie_hellman_create (group=MODP_1024_BIT, g=..., - p=) - at openssl_diffie_hellman.c:143 - #5 0x482c54f8 in create_dh (this=0x11ac6e68, group=MODP_1024_BIT) - at crypto/crypto_factory.c:358 - #6 0x48375884 in create_dh (this=, group=) - at sa/keymat.c:132 - #7 0x483843b8 in process_payloads (this=0x51400a78, message=) - at sa/tasks/ike_init.c:200 - #8 0x483844d0 in process_r (this=0x51400a78, message=0x51500778) - at sa/tasks/ike_init.c:319 - #9 0x48374c9c in process_request (message=0x51500778, this=0x51400d20) - at sa/task_manager.c:870 - #10 process_message (this=0x51400d20, msg=0x51500778) at - sa/task_manager.c:925 - #11 0x4836c378 in process_message (this=0x514005f0, message=0x51500778) - at sa/ike_sa.c:1317 - #12 0x48362270 in execute (this=0x515008d0) - at processing/jobs/process_message_job.c:74 - -Signed-off-by: Roy.Li ---- - src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 8 +++++++- - src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h | 4 +++- - src/libstrongswan/plugins/openssl/openssl_plugin.c | 1 + - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c -index ff33824..bd21446 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c -+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c -@@ -142,7 +142,7 @@ 
METHOD(diffie_hellman_t, destroy, void, - /* - * Described in header. - */ --openssl_diffie_hellman_t *openssl_diffie_hellman_create( -+openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom( - diffie_hellman_group_t group, chunk_t g, chunk_t p) - { - private_openssl_diffie_hellman_t *this; -@@ -197,5 +197,11 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create( - - return &this->public; - } -+openssl_diffie_hellman_t *openssl_diffie_hellman_create( diffie_hellman_group_t group) -+{ -+ chunk_t g; -+ chunk_t p; -+ openssl_diffie_hellman_create_custom(group, g, p); -+} - - #endif /* OPENSSL_NO_DH */ -diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h -index 53dc59c..eb69eaa 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h -+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h -@@ -44,8 +44,10 @@ struct openssl_diffie_hellman_t { - * @param p custom prime, if MODP_CUSTOM - * @return openssl_diffie_hellman_t object, NULL if not supported - */ --openssl_diffie_hellman_t *openssl_diffie_hellman_create( -+openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom( - diffie_hellman_group_t group, chunk_t g, chunk_t p); -+openssl_diffie_hellman_t *openssl_diffie_hellman_create( -+ diffie_hellman_group_t group); - - #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/ - -diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c -index ff25086..c76873d 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_plugin.c -+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c -@@ -388,6 +388,7 @@ METHOD(plugin_t, get_features, int, - PLUGIN_PROVIDE(DH, MODP_1024_BIT), - PLUGIN_PROVIDE(DH, MODP_1024_160), - PLUGIN_PROVIDE(DH, MODP_768_BIT), -+ PLUGIN_REGISTER(DH, openssl_diffie_hellman_create_custom), - PLUGIN_PROVIDE(DH, MODP_CUSTOM), - #endif - #ifndef OPENSSL_NO_RSA --- -1.8.3 - 
diff --git a/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch b/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch
deleted file mode 100644
index 86baccf..0000000
--- a/recipes-support/strongswan/files/install-strongswan-swanctl-service.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-commit 44cbabd8a42bc2a436562ed33fb8c89fa6b75b6e
-Author: Chris Patterson
-Date: Fri Dec 18 08:31:48 2015 -0500
-
- strongswan-swanctl.service.in: match install used by strongswan.service
-
- Signed-off-by: Chris Patterson
-
-Upstream-Status: Submitted
-https://github.com/strongswan/strongswan/pull/25
-
-diff --git a/init/systemd-swanctl/strongswan-swanctl.service.in b/init/systemd-swanctl/strongswan-swanctl.service.in
-index 818d352..944101f 100644
---- a/init/systemd-swanctl/strongswan-swanctl.service.in
-+++ b/init/systemd-swanctl/strongswan-swanctl.service.in
-@@ -7,3 +7,6 @@ Type=notify
- ExecStart=@SBINDIR@/charon-systemd
- ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
- ExecReload=@SBINDIR@/swanctl --reload
-+
-+[Install]
-+WantedBy=multi-user.target
diff --git a/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch b/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch
deleted file mode 100644
index ad3459e..0000000
--- a/recipes-support/strongswan/files/strongswan-5.0.0-5.1.2_reject_child_sa.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From b980ba7757dcfedd756aa055b3271ea58cf85aa6 Mon Sep 17 00:00:00 2001
-From: Martin Willi
-Date: Thu, 20 Feb 2014 16:08:43 +0100
-Subject: [PATCH] ikev2: Reject CREATE_CHILD_SA exchange on unestablished
- IKE_SAs
-
-Prevents a responder peer to trick us into established state by starting
-IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.
-
-Fixes CVE-2014-2338 for 5.x versions of strongSwan.
----
- src/libcharon/sa/ikev2/task_manager_v2.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
-index ac3be90..a5252ab 100644
---- a/src/libcharon/sa/ikev2/task_manager_v2.c
-+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
-@@ -780,6 +780,15 @@ static status_t process_request(private_
- case CREATE_CHILD_SA:
- { /* FIXME: we should prevent this on mediation connections */
- bool notify_found = FALSE, ts_found = FALSE;
-+
-+ if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
-+ this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
-+ {
-+ DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
-+ "unestablished IKE_SA, rejected");
-+ return FAILED;
-+ }
-+
- enumerator = message->create_payload_enumerator(message);
- while (enumerator->enumerate(enumerator, &payload))
- {
---
-1.8.1.2
diff --git a/recipes-support/strongswan/files/support-newer-systemd.patch b/recipes-support/strongswan/files/support-newer-systemd.patch
deleted file mode 100644
index 550cf67..0000000
--- a/recipes-support/strongswan/files/support-newer-systemd.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-commit 82498129e0a91dfc3ed2c4ec3b2252f44655b83c
-Author: Chris Patterson
-Date: Fri Dec 18 08:27:57 2015 -0500
-
- configure: support systemd >= 209
-
- libsystemd-journal and libsystemd-daemon are now just
- part of libsystemd.
-
- Keep original systemd checks as a fallback.
-
- Updates charon-systemd/Makefile.am accordingly.
-
- Tested on:
- - debian wheezy (systemd v44)
- - ubuntu 15.10 (systemd v255).
-
- Signed-off-by: Chris Patterson
-
-Upstream-Status: Submitted
-https://github.com/strongswan/strongswan/pull/24
-
-diff --git a/configure.ac b/configure.ac
-index 3d71ce0..f6c0426 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -941,13 +941,17 @@ if test x$systemd = xtrue; then
- AC_MSG_ERROR([not found (try --with-systemdsystemunitdir)])
- fi
-
-- PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
-- AC_SUBST(systemd_daemon_CFLAGS)
-- AC_SUBST(systemd_daemon_LIBS)
--
-- PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
-- AC_SUBST(systemd_journal_CFLAGS)
-- AC_SUBST(systemd_journal_LIBS)
-+ PKG_CHECK_MODULES(systemd, [libsystemd >= 209],
-+ [AC_SUBST(systemd_CFLAGS)
-+ AC_SUBST(systemd_LIBS)],
-+ [PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
-+ AC_SUBST(systemd_daemon_CFLAGS)
-+ AC_SUBST(systemd_daemon_LIBS)
-+
-+ PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
-+ AC_SUBST(systemd_journal_CFLAGS)
-+ AC_SUBST(systemd_journal_LIBS)
-+ ])
- fi
-
- if test x$tss = xtrousers; then
-diff --git a/src/charon-systemd/Makefile.am b/src/charon-systemd/Makefile.am
-index 1b9ac15..ee85d43 100644
---- a/src/charon-systemd/Makefile.am
-+++ b/src/charon-systemd/Makefile.am
-@@ -9,11 +9,11 @@ charon_systemd_CPPFLAGS = \
- -I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra \
- -I$(top_srcdir)/src/libcharon \
-- $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
-+ $(systemd_CFLAGS) $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
- -DPLUGINS=\""${charon_plugins}\""
-
- charon_systemd_LDADD = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(top_builddir)/src/libhydra/libhydra.la \
- $(top_builddir)/src/libcharon/libcharon.la \
-- $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
-+ $(systemd_LIBS) $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
diff --git a/recipes-support/strongswan/strongswan_5.3.2.bb b/recipes-support/strongswan/strongswan_5.3.2.bb
deleted file mode 100644
index 9dc4878..0000000
--- a/recipes-support/strongswan/strongswan_5.3.2.bb
+++ /dev/null
@@ -1,57 +0,0 @@
-DESCRIPTION = "strongSwan is an OpenSource IPsec implementation for the \
-Linux operating system."
-SUMMARY = "strongSwan is an OpenSource IPsec implementation"
-HOMEPAGE = "http://www.strongswan.org"
-SECTION = "net"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-DEPENDS = "gmp openssl flex-native flex bison-native"
-
-SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
- file://fix-funtion-parameter.patch \
- file://support-newer-systemd.patch \
- file://install-strongswan-swanctl-service.patch \
-"
-
-SRC_URI[md5sum] = "fab014be1477ef4ebf9a765e10f8802c"
-SRC_URI[sha256sum] = "a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225"
-
-EXTRA_OECONF = " \
- --without-lib-prefix \
-"
-
-EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}"
-
-
-PACKAGECONFIG ??= "charon curl gmp openssl stroke sqlite3 \
- ${@bb.utils.contains('DISTRO_FEATURES', 'ldap', 'ldap', '', d)} \
-"
-PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,"
-PACKAGECONFIG[charon] = "--enable-charon,--disable-charon,"
-PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,"
-PACKAGECONFIG[gmp] = "--enable-gmp,--disable-gmp,gmp,"
-PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap,"
-PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,"
-PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,"
-PACKAGECONFIG[scep] = "--enable-scepclient,--disable-scepclient,"
-PACKAGECONFIG[soup] = "--enable-soup,--disable-soup,libsoup-2.4,"
-PACKAGECONFIG[sqlite3] = "--enable-sqlite,--disable-sqlite,sqlite3,"
-PACKAGECONFIG[stroke] = "--enable-stroke,--disable-stroke,"
-PACKAGECONFIG[swanctl] = "--enable-swanctl,--disable-swanctl,,libgcc"
-
-# requires swanctl
-PACKAGECONFIG[systemd-charon] = "--enable-systemd,--disable-systemd,systemd,"
-
-inherit autotools systemd pkgconfig
-
-RRECOMMENDS_${PN} = "kernel-module-ipsec"
-
-FILES_${PN} += "${libdir}/ipsec/lib*${SOLIBS} ${libdir}/ipsec/plugins/*.so"
-FILES_${PN}-dbg += "${libdir}/ipsec/.debug ${libdir}/ipsec/plugins/.debug ${libexecdir}/ipsec/.debug"
-FILES_${PN}-dev += "${libdir}/ipsec/lib*${SOLIBSDEV} ${libdir}/ipsec/*.la ${libdir}/ipsec/plugins/*.la"
-FILES_${PN}-staticdev += "${libdir}/ipsec/*.a ${libdir}/ipsec/plugins/*.a"
-
-RPROVIDES_${PN} += "${PN}-systemd"
-RREPLACES_${PN} += "${PN}-systemd"
-RCONFLICTS_${PN} += "${PN}-systemd"
-SYSTEMD_SERVICE_${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'swanctl', '${BPN}-swanctl.service', '${BPN}.service', d)}"
-- cgit v1.2.3