Diffstat (limited to 'meta-openembedded/meta-networking/recipes-support/ipsec-tools')
16 files changed, 1255 insertions, 0 deletions
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-build-with-clang.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-build-with-clang.patch new file mode 100644 index 000000000..5c0914745 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-build-with-clang.patch 
@@ -0,0 +1,115 @@ +From 9135ca401186fb14e5e5110bbb04d1ccc480360a Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 15 Nov 2016 04:15:44 +0000 +Subject: [PATCH] Fix build with clang + +Fixes for following errors found by clang + +src/racoon/eaytest.c:316:6: error: comparison of array 'dnstr_w1' not equal to a null pointer is always true + [-Werror,-Wtautological-pointer-compare] + if (dnstr_w1 != NULL) { + ^~~~~~~~ ~~~~ +src/racoon/eaytest.c:326:6: error: comparison of array 'dnstr_w1' not equal to a null pointer is always true + [-Werror,-Wtautological-pointer-compare] + if (dnstr_w1 != NULL) { + ^~~~~~~~ ~~~~ + +src/racoon/isakmp.c:1134:11: error: promoted type 'int' of K&R function parameter is not compatible with the + parameter type 'u_int8_t' (aka 'unsigned char') declared in a previous prototype [-Werror,-Wknr-promoted-parameter] + u_int8_t etype; + ^ +src/racoon/isakmp.c:184:48: note: previous declaration is here + struct sockaddr *, struct sockaddr *, u_int8_t)); + ^ + 1 error generated. 
+ +src/racoon/racoonctl.c:1457:15: error: incompatible pointer types passing 'struct evt_async *' to parameter of type + 'caddr_t' (aka 'char *') [-Werror,-Wincompatible-pointer-types] + print_cfg(ec, len); + ^~ + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/racoon/eaytest.c | 4 ++-- + src/racoon/isakmp.c | 10 +++++----- + src/racoon/racoonctl.c | 7 +++---- + 3 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c +index 1474bdc..d609e4f 100644 +--- a/src/racoon/eaytest.c ++++ b/src/racoon/eaytest.c +@@ -313,7 +313,7 @@ certtest(ac, av) + + printf("exact match: succeed.\n"); + +- if (dnstr_w1 != NULL) { ++ if (dnstr_w1[0] != '\0') { + asn1dn = eay_str2asn1dn(dnstr_w1, strlen(dnstr_w1)); + if (asn1dn == NULL || asn1dn->l == asn1dn0.l) + errx(1, "asn1dn length wrong for wildcard 1\n"); +@@ -323,7 +323,7 @@ certtest(ac, av) + printf("wildcard 1 match: succeed.\n"); + } + +- if (dnstr_w1 != NULL) { ++ if (dnstr_w1[0] != '\0') { + asn1dn = eay_str2asn1dn(dnstr_w2, strlen(dnstr_w2)); + if (asn1dn == NULL || asn1dn->l == asn1dn0.l) + errx(1, "asn1dn length wrong for wildcard 2\n"); +diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c +index 2672f7a..da7ebe8 100644 +--- a/src/racoon/isakmp.c ++++ b/src/racoon/isakmp.c +@@ -567,7 +567,7 @@ isakmp_main(msg, remote, local) + + /* it must be responder's 1st exchange. 
*/ + if (isakmp_ph1begin_r(msg, remote, local, +- isakmp->etype) < 0) ++ (u_int8_t)isakmp->etype) < 0) + return -1; + break; + +@@ -1128,10 +1128,10 @@ isakmp_ph1begin_i(rmconf, remote, local) + + /* new negotiation of phase 1 for responder */ + static int +-isakmp_ph1begin_r(msg, remote, local, etype) +- vchar_t *msg; +- struct sockaddr *remote, *local; +- u_int8_t etype; ++isakmp_ph1begin_r(vchar_t *msg, ++ struct sockaddr *remote, ++ struct sockaddr *local, ++ u_int8_t etype) + { + struct isakmp *isakmp = (struct isakmp *)msg->v; + struct ph1handle *iph1; +diff --git a/src/racoon/racoonctl.c b/src/racoon/racoonctl.c +index da28ecd..bbf068e 100644 +--- a/src/racoon/racoonctl.c ++++ b/src/racoon/racoonctl.c +@@ -1299,9 +1299,8 @@ print_evt(evtdump) + * Print ISAKMP mode config info (IP and banner) + */ + void +-print_cfg(buf, len) +- caddr_t buf; +- int len; ++print_cfg(caddr_t buf, ++ int len) + { + struct evt_async *evtdump = (struct evt_async *)buf; + struct isakmp_data *attr; +@@ -1454,7 +1453,7 @@ handle_recv(combuf) + else if (evt_quit_event == ec->ec_type) { + switch (ec->ec_type) { + case EVT_PHASE1_MODE_CFG: +- print_cfg(ec, len); ++ print_cfg((caddr_t)ec, len); + break; + default: + print_evt(ec); +-- +1.9.1 + diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-header-issues-found-with-musl-libc.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-header-issues-found-with-musl-libc.patch new file mode 100644 index 000000000..630ecdb5f --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-Fix-header-issues-found-with-musl-libc.patch 
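Review bot: The second guard rewritten at `@@ -323` in eaytest.c still tests `dnstr_w1` while its body passes `dnstr_w2` to eay_str2asn1dn() and reports on "wildcard 2", so the clang fix carries a copy-paste mismatch forward; the new line should read `if (dnstr_w2[0] != '\0') {`. certtest() begins and ends outside the nested hunk. This patch, the musl header patch and the cfparse patch in this commit also carry no `Upstream-Status:` line, unlike the other patches here; adding one (e.g. `Upstream-Status: Pending`) keeps the layer's patches consistent.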
@@ -0,0 +1,249 @@ +From 7d9585be093c9cb2428b373c0b0088bb778942d0 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 20 Mar 2017 21:37:47 -0700 +Subject: [PATCH] Fix header issues found with musl libc + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/libipsec/ipsec_strerror.h | 3 +++ + src/libipsec/libpfkey.h | 4 +++- + src/racoon/admin.c | 2 +- + src/racoon/backupsa.c | 6 +++--- + src/racoon/cftoken.l | 4 ++++ + src/racoon/logger.h | 3 +++ + src/racoon/misc.h | 3 +++ + src/racoon/missing/crypto/sha2/sha2.h | 3 +++ + src/racoon/netdb_dnssec.h | 3 +++ + src/racoon/pfkey.c | 1 - + src/racoon/plog.h | 2 ++ + src/racoon/str2val.h | 3 +++ + src/racoon/vmbuf.h | 3 +++ + src/setkey/extern.h | 3 ++- + src/setkey/setkey.c | 1 - + 15 files changed, 36 insertions(+), 8 deletions(-) + +diff --git a/src/libipsec/ipsec_strerror.h b/src/libipsec/ipsec_strerror.h +index 2b4264f..dac66a1 100644 +--- a/src/libipsec/ipsec_strerror.h ++++ b/src/libipsec/ipsec_strerror.h +@@ -34,6 +34,9 @@ + #ifndef _IPSEC_STRERROR_H + #define _IPSEC_STRERROR_H + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ ++ + extern int __ipsec_errcode; + extern void __ipsec_set_strerror __P((const char *)); + +diff --git a/src/libipsec/libpfkey.h b/src/libipsec/libpfkey.h +index 61d2f2a..f7991b7 100644 +--- a/src/libipsec/libpfkey.h ++++ b/src/libipsec/libpfkey.h +@@ -34,6 +34,9 @@ + #ifndef _LIBPFKEY_H + #define _LIBPFKEY_H + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ ++ + #ifndef KAME_LIBPFKEY_H + #define KAME_LIBPFKEY_H + +@@ -43,7 +46,6 @@ + + #define PRIORITY_OFFSET_POSITIVE_MAX 0x3fffffff + #define PRIORITY_OFFSET_NEGATIVE_MAX 0x40000000 +- + struct sadb_msg; + extern void pfkey_sadump __P((struct sadb_msg *)); + extern void pfkey_sadump_withports __P((struct sadb_msg *)); +diff --git a/src/racoon/admin.c b/src/racoon/admin.c +index 4b1875b..03ea3f8 100644 +--- a/src/racoon/admin.c ++++ b/src/racoon/admin.c +@@ -36,7 +36,6 @@ + 
#include <sys/types.h> + #include <sys/param.h> + #include <sys/socket.h> +-#include <sys/signal.h> + #include <sys/stat.h> + #include <sys/un.h> + +@@ -46,6 +45,7 @@ + #include PATH_IPSEC_H + + ++#include <signal.h> + #include <stdlib.h> + #include <stdio.h> + #include <string.h> +diff --git a/src/racoon/backupsa.c b/src/racoon/backupsa.c +index 82d74ca..95307ca 100644 +--- a/src/racoon/backupsa.c ++++ b/src/racoon/backupsa.c +@@ -276,9 +276,9 @@ do { \ + GETNEXTNUM(sa_args.a_keylen, strtoul); + GETNEXTNUM(sa_args.flags, strtoul); + GETNEXTNUM(sa_args.l_alloc, strtoul); +- GETNEXTNUM(sa_args.l_bytes, strtouq); +- GETNEXTNUM(sa_args.l_addtime, strtouq); +- GETNEXTNUM(sa_args.l_usetime, strtouq); ++ GETNEXTNUM(sa_args.l_bytes, strtoull); ++ GETNEXTNUM(sa_args.l_addtime, strtoull); ++ GETNEXTNUM(sa_args.l_usetime, strtoull); + GETNEXTNUM(sa_args.seq, strtoul); + + #undef GETNEXTNUM +diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l +index 1701922..787f4a9 100644 +--- a/src/racoon/cftoken.l ++++ b/src/racoon/cftoken.l +@@ -77,6 +77,10 @@ + + #include "cfparse.h" + ++#ifndef GLOB_TILDE ++#define GLOB_TILDE 0 ++#endif ++ + int yyerrorcount = 0; + + #if defined(YIPS_DEBUG) +diff --git a/src/racoon/logger.h b/src/racoon/logger.h +index 3fd3e94..67af5f0 100644 +--- a/src/racoon/logger.h ++++ b/src/racoon/logger.h +@@ -34,6 +34,9 @@ + #ifndef _LOGGER_H + #define _LOGGER_H + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ ++ + struct log { + int head; + int siz; +diff --git a/src/racoon/misc.h b/src/racoon/misc.h +index 3e758d9..30d9825 100644 +--- a/src/racoon/misc.h ++++ b/src/racoon/misc.h +@@ -34,6 +34,9 @@ + #ifndef _MISC_H + #define _MISC_H + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ ++ + #define BIT2STR(b) bit2str(b, sizeof(b)<<3) + + #ifdef HAVE_FUNC_MACRO +diff --git a/src/racoon/missing/crypto/sha2/sha2.h b/src/racoon/missing/crypto/sha2/sha2.h +index 42bcc2a..c043dfe 100644 +--- 
a/src/racoon/missing/crypto/sha2/sha2.h ++++ b/src/racoon/missing/crypto/sha2/sha2.h +@@ -40,6 +40,9 @@ + #ifndef __SHA2_H__ + #define __SHA2_H__ + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/src/racoon/netdb_dnssec.h b/src/racoon/netdb_dnssec.h +index a11209d..98fd813 100644 +--- a/src/racoon/netdb_dnssec.h ++++ b/src/racoon/netdb_dnssec.h +@@ -34,6 +34,9 @@ + #ifndef _NETDB_DNSSEC_H + #define _NETDB_DNSSEC_H + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ ++ + #ifndef T_CERT + #define T_CERT 37 /* defined by RFC2538 section 2 */ + #endif +diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c +index 8f26c19..a06c30e 100644 +--- a/src/racoon/pfkey.c ++++ b/src/racoon/pfkey.c +@@ -59,7 +59,6 @@ + #include <sys/param.h> + #include <sys/socket.h> + #include <sys/queue.h> +-#include <sys/sysctl.h> + + #include <net/route.h> + #include <net/pfkeyv2.h> +diff --git a/src/racoon/plog.h b/src/racoon/plog.h +index ed43c8b..920c850 100644 +--- a/src/racoon/plog.h ++++ b/src/racoon/plog.h +@@ -34,6 +34,8 @@ + #ifndef _PLOG_H + #define _PLOG_H + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ + #ifdef HAVE_STDARG_H + #include <stdarg.h> + #else +diff --git a/src/racoon/str2val.h b/src/racoon/str2val.h +index 4a7cec1..d3d698e 100644 +--- a/src/racoon/str2val.h ++++ b/src/racoon/str2val.h +@@ -34,6 +34,9 @@ + #ifndef _STR2VAL_H + #define _STR2VAL_H + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ ++ + extern caddr_t val2str __P((const char *, size_t)); + extern char *str2val __P((const char *, int, size_t *)); + +diff --git a/src/racoon/vmbuf.h b/src/racoon/vmbuf.h +index 3f2f4ea..8287a00 100644 +--- a/src/racoon/vmbuf.h ++++ b/src/racoon/vmbuf.h +@@ -34,6 +34,9 @@ + #ifndef _VMBUF_H + #define _VMBUF_H + ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ ++ + /* + * bp v + * v v +diff --git a/src/setkey/extern.h 
b/src/setkey/extern.h +index 6f439fa..a1d9d14 100644 +--- a/src/setkey/extern.h ++++ b/src/setkey/extern.h +@@ -1,6 +1,7 @@ + /* $NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $ */ + +- ++#undef __P ++#define __P(protos) protos /* ANSI C prototypes */ + + void parse_init __P((void)); + int parse __P((FILE **)); +diff --git a/src/setkey/setkey.c b/src/setkey/setkey.c +index c400faa..51f8b75 100644 +--- a/src/setkey/setkey.c ++++ b/src/setkey/setkey.c +@@ -40,7 +40,6 @@ + #include <sys/socket.h> + #include <sys/time.h> + #include <sys/stat.h> +-#include <sys/sysctl.h> + #include <err.h> + #include <netinet/in.h> + #include <net/pfkeyv2.h> +-- +2.12.0 + diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch new file mode 100644 index 000000000..d5602c03d --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch 
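Review bot: The pair `#undef __P` / `#define __P(protos) protos /* ANSI C prototypes */` is duplicated verbatim into ten headers; defining it once in a header they all include (misc.h and libpfkey.h are both touched here) would avoid drift when the next header needs it. The `#undef` also discards whatever the libc's <sys/cdefs.h> provides, and `__P` is an implementation-reserved name, so a one-line why-comment such as `/* musl has no __P(); provide the ANSI form */` would tell the next reader why the override exists. Dropping `<sys/sysctl.h>` from pfkey.c and setkey.c is only safe if nothing in those files still calls sysctl(); the hunks do not show the bodies, so confirm.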
@@ -0,0 +1,33 @@
+From 738a9857be9c92ad2f70be88ccee238e3154a936 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Wed, 2 Oct 2013 14:20:37 -0400
+Subject: [PATCH] racoon/pfkey: avoid potential null-pointer dereference
+
+Building with -Werror=maybe-uninitialized revealed that 'remote' from
+pk_recvmigrate() could be used with uninitialized data in
+migrate_sp_ike_addresses(). Ensure it is always at a minimum assigned
+NULL.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ src/racoon/pfkey.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
+index d00b166..e0dc1db 100644
+--- a/src/racoon/pfkey.c
++++ b/src/racoon/pfkey.c
+@@ -3352,7 +3352,7 @@ pk_recvmigrate(mhp)
+ struct sockaddr *old_saddr, *new_saddr;
+ struct sockaddr *old_daddr, *new_daddr;
+ struct sockaddr *old_local, *old_remote;
+- struct sockaddr *local, *remote;
++ struct sockaddr *local, *remote = NULL;
+ struct sadb_x_kmaddress *kmaddr;
+ struct sadb_x_policy *xpl;
+ struct sadb_x_ipsecrequest *xisr_list;
+--
+1.7.9.5
+
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
new file mode 100644
index 000000000..13e9d73fc
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
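Review bot: Initializing `remote = NULL` at `@@ -3352` makes the read defined, but it only avoids the dereference the title promises if migrate_sp_ike_addresses() checks its argument for NULL, which is outside this hunk; worth confirming or adding that check there. `local` in the same declaration is left uninitialized; unless it is provably assigned on every path, `struct sockaddr *local = NULL, *remote = NULL;` is the safer form. pk_recvmigrate() continues past the nested hunk.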
@@ -0,0 +1,87 @@ +From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001 +From: Paul Barker <paul@paulbarker.me.uk> +Date: Wed, 5 Mar 2014 13:39:14 +0000 +Subject: [PATCH] Don't link against libfl + +We can remove all references to yywrap by adding "%option noyywrap" statements +to each flex source file that doesn't override yywrap. After this, we no longer +need to link against libfl and so no longer get errors about undefined +references to yylex. + +Signed-off-by: Paul Barker <paul@paulbarker.me.uk> +Upstream-status: Submitted 2014-03-11 + see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797 +--- + src/libipsec/Makefile.am | 1 - + src/racoon/Makefile.am | 2 +- + src/racoon/cftoken.l | 2 ++ + src/setkey/Makefile.am | 1 - + src/setkey/token.l | 2 ++ + 5 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am +index 6a4e3b3..df1e106 100644 +--- a/src/libipsec/Makefile.am ++++ b/src/libipsec/Makefile.am +@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \ + # version is current:revision:age. 
+ # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32 + libipsec_la_LDFLAGS = -version-info 0:1:0 +-libipsec_la_LIBADD = $(LEXLIB) + + noinst_HEADERS = ipsec_strerror.h + +diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am +index dbaded9..0662957 100644 +--- a/src/racoon/Makefile.am ++++ b/src/racoon/Makefile.am +@@ -38,7 +38,7 @@ racoon_SOURCES = \ + cftoken.l cfparse.y prsa_tok.l prsa_par.y + EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \ + isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS) +-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \ ++racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \ + $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la + racoon_DEPENDENCIES = \ + $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \ +diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l +index 490242c..1701922 100644 +--- a/src/racoon/cftoken.l ++++ b/src/racoon/cftoken.l +@@ -106,6 +106,8 @@ static int incstackp = 0; + static int yy_first_time = 1; + %} + ++%option noyywrap ++ + /* common seciton */ + nl \n + ws [ \t]+ +diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am +index 746c1f1..389e6cf 100644 +--- a/src/setkey/Makefile.am ++++ b/src/setkey/Makefile.am +@@ -13,7 +13,6 @@ setkey_SOURCES = \ + + setkey_LDFLAGS = ../libipsec/libipsec.la + setkey_DEPENDENCIES = ../libipsec/libipsec.la +-setkey_LDADD = $(LEXLIB) + + noinst_HEADERS = vchar.h extern.h + man8_MANS = setkey.8 +diff --git a/src/setkey/token.l b/src/setkey/token.l +index ad3d843..eb23b76 100644 +--- a/src/setkey/token.l ++++ b/src/setkey/token.l +@@ -88,6 +88,8 @@ + #endif + %} + ++%option noyywrap ++ + /* common section */ + nl \n + ws [ \t]+ +-- +1.9.0 + 
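Review bot: The header reads `Upstream-status: Submitted 2014-03-11` with a lowercase `s`; the rest of this commit uses `Upstream-Status:` and tooling that checks patch status expects that exact spelling, so it should be `Upstream-Status: Submitted [link]`. racoon_SOURCES still lists `prsa_tok.l`, which receives no `%option noyywrap` while `$(LEXLIB)` is dropped from racoon_LDADD; the description says files that already override yywrap were skipped, which presumably covers it, but it is worth confirming since the link would otherwise fail on an undefined yywrap.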
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-cfparse-clear-memory-equal-to-size-of-array.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-cfparse-clear-memory-equal-to-size-of-array.patch
new file mode 100644
index 000000000..e9dd84aaa
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-cfparse-clear-memory-equal-to-size-of-array.patch
@@ -0,0 +1,30 @@
+From a5c59f6a1479947d33dba5191724cc5fc88a614b Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 22 Apr 2017 10:39:57 -0700
+Subject: [PATCH 2/2] cfparse: clear memory equal to size of array
+
+Fixes compiler error
+cfparse.y: In function 'set_isakmp_proposal':
+cfparse.y:2567:3: error: 'memset' used with length equal to number of elements without multiplication by element size [-Werror=memset-elt-size]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/racoon/cfparse.y | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y
+index 0d9bd67..5d9c67b 100644
+--- a/src/racoon/cfparse.y
++++ b/src/racoon/cfparse.y
+@@ -2564,7 +2564,7 @@ set_isakmp_proposal(rmconf)
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "encklen=%d\n", s->encklen);
+
+- memset(types, 0, ARRAYLEN(types));
++ memset(types, 0, sizeof(types));
+ types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
+ types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
+ types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
+--
+2.12.2
+
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
new file mode 100644
index 000000000..8d270a62b
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
@@ -0,0 +1,13 @@
+Index: ipsec-tools-0.8.1/configure.ac
+===================================================================
+--- ipsec-tools-0.8.1.orig/configure.ac 2013-01-08 12:43:29.000000000 +0000
++++ ipsec-tools-0.8.1/configure.ac 2014-07-18 07:51:30.045555880 +0000
+@@ -6,7 +6,7 @@
+ AC_CONFIG_SRCDIR([configure.ac])
+ AC_CONFIG_HEADERS(config.h)
+
+-AM_INIT_AUTOMAKE(dist-bzip2)
++AM_INIT_AUTOMAKE([foreign dist-bzip2])
+
+ AC_ENABLE_SHARED(no)
+
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch
new file mode 100644
index 000000000..5286376ac
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch
@@ -0,0 +1,36 @@
+[PATCH] fix CVE-2015-4047
+
+Upstream-Status: Backport
+
+http://www.openwall.com/lists/oss-security/2015/05/20/1
+
+racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause
+a denial of service (NULL pointer dereference and IKE daemon crash) via
+a series of crafted UDP requests.
+
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4047
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ src/racoon/gssapi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/racoon/gssapi.c b/src/racoon/gssapi.c
+index e64b201..1ad3b42 100644
+--- a/src/racoon/gssapi.c
++++ b/src/racoon/gssapi.c
+@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
+ gss_name_t princ, canon_princ;
+ OM_uint32 maj_stat, min_stat;
+
++ if (iph1->rmconf == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
++ return -1;
++ }
++
+ gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
+ if (gps == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
+--
+1.9.1
+
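Review bot: configure.patch carries no description, `Upstream-Status:` or Signed-off-by, only the Index: header, so nothing records why `foreign` is being added to AM_INIT_AUTOMAKE; a short preamble stating the reason (presumably to stop automake demanding the GNU standard files) plus an `Upstream-Status:` line with the applicable value, e.g. `Upstream-Status: Inappropriate [reason]`, would make it reviewable alongside the other patches in this commit. The other hunk in this file, the CVE-2015-4047 backport, documents itself adequately.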
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch new file mode 100644 index 000000000..bd0796554 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch 
@@ -0,0 +1,207 @@ +Upstream-Status: Backport [https://anonscm.debian.org/cgit/pkg-ipsec-tools/pkg-ipsec-tools.git/plain/debian/patches/CVE-2016-10396.patch?id=62ac12648a4eb7c5ba5dba0f81998d1acf310d8b] + +Fix CVE-2016-10396. + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- +Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 +Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 +Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 + +Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c +=================================================================== +--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c ++++ pkg-ipsec-tools/src/racoon/isakmp_frag.c +@@ -1,4 +1,4 @@ +-/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ ++/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */ + + /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ + +@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) + return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); + } + ++static int ++isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) ++{ ++ struct isakmp_frag_item *pitem = NULL; ++ struct isakmp_frag_item *citem = iph1->frag_chain; ++ ++ /* no frag yet, just insert at beginning of list */ ++ if (iph1->frag_chain == NULL) { ++ iph1->frag_chain = item; ++ return 0; ++ } ++ ++ do { ++ /* duplicate fragment number, abort (CVE-2016-10396) */ ++ if (citem->frag_num == item->frag_num) ++ return -1; ++ ++ /* need to insert before current item */ ++ if (citem->frag_num > item->frag_num) { ++ if (pitem != NULL) ++ pitem->frag_next = item; ++ else ++ /* insert at the beginning of the list */ ++ iph1->frag_chain = item; ++ item->frag_next = citem; ++ return 0; ++ } ++ ++ pitem = citem; ++ citem = citem->frag_next; ++ } while (citem != NULL); ++ ++ /* we reached the end of the list, insert */ ++ pitem->frag_next = item; ++ return 0; ++} ++ + int + 
isakmp_frag_extract(iph1, msg) + struct ph1handle *iph1; +@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) + item->frag_next = NULL; + item->frag_packet = buf; + +- /* Look for the last frag while inserting the new item in the chain */ +- if (item->frag_last) +- last_frag = item->frag_num; ++ /* Check for the last frag before inserting the new item in the chain */ ++ if (item->frag_last) { ++ /* if we have the last fragment, indices must match */ ++ if (iph1->frag_last_index != 0 && ++ item->frag_last != iph1->frag_last_index) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "Repeated last fragment index mismatch\n"); ++ racoon_free(item); ++ vfree(buf); ++ return -1; ++ } + +- if (iph1->frag_chain == NULL) { +- iph1->frag_chain = item; +- } else { +- struct isakmp_frag_item *current; ++ last_frag = iph1->frag_last_index = item->frag_num; ++ } + +- current = iph1->frag_chain; +- while (current->frag_next) { +- if (current->frag_last) +- last_frag = item->frag_num; +- current = current->frag_next; +- } +- current->frag_next = item; ++ /* insert fragment into chain */ ++ if (isakmp_frag_insert(iph1, item) == -1) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "Repeated fragment index mismatch\n"); ++ racoon_free(item); ++ vfree(buf); ++ return -1; + } + +- /* If we saw the last frag, check if the chain is complete */ ++ /* If we saw the last frag, check if the chain is complete ++ * we have a sorted list now, so just walk through */ + if (last_frag != 0) { ++ item = iph1->frag_chain; + for (i = 1; i <= last_frag; i++) { +- item = iph1->frag_chain; +- do { +- if (item->frag_num == i) +- break; +- item = item->frag_next; +- } while (item != NULL); +- ++ if (item->frag_num != i) ++ break; ++ item = item->frag_next; + if (item == NULL) /* Not found */ + break; + } + +- if (item != NULL) /* It is complete */ ++ if (i > last_frag) /* It is complete */ + return 1; + } + +@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) + } + data = buf->v; + ++ item = iph1->frag_chain; + for (i = 1; i 
<= frag_count; i++) { +- item = iph1->frag_chain; +- do { +- if (item->frag_num == i) +- break; +- item = item->frag_next; +- } while (item != NULL); +- +- if (item == NULL) { ++ if (item->frag_num != i) { + plog(LLV_ERROR, LOCATION, NULL, + "Missing fragment #%d\n", i); + vfree(buf); +@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) + } + memcpy(data, item->frag_packet->v, item->frag_packet->l); + data += item->frag_packet->l; ++ item = item->frag_next; + } + + out: +Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c +=================================================================== +--- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c ++++ pkg-ipsec-tools/src/racoon/isakmp_inf.c +@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca + #endif + #ifdef ENABLE_FRAG + iph1->frag = 0; ++ iph1->frag_last_index = 0; + iph1->frag_chain = NULL; + #endif + +Index: pkg-ipsec-tools/src/racoon/isakmp.c +=================================================================== +--- pkg-ipsec-tools.orig/src/racoon/isakmp.c ++++ pkg-ipsec-tools/src/racoon/isakmp.c +@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local) + iph1->frag = 1; + else + iph1->frag = 0; ++ iph1->frag_last_index = 0; + iph1->frag_chain = NULL; + #endif + iph1->approval = NULL; +@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et + #endif + #ifdef ENABLE_FRAG + iph1->frag = 0; ++ iph1->frag_last_index = 0; + iph1->frag_chain = NULL; + #endif + iph1->approval = NULL; +Index: pkg-ipsec-tools/src/racoon/handler.h +=================================================================== +--- pkg-ipsec-tools.orig/src/racoon/handler.h ++++ pkg-ipsec-tools/src/racoon/handler.h +@@ -1,4 +1,4 @@ +-/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */ ++/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */ + + /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */ + +@@ -141,6 +141,7 @@ struct ph1handle { + #endif + #ifdef ENABLE_FRAG + int frag; /* IKE phase 1 fragmentation */ 
++ int frag_last_index; + struct isakmp_frag_item *frag_chain; /* Received fragments */ + #endif + diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch new file mode 100644 index 000000000..36efc4917 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch @@ -0,0 +1,23 @@ +squahes below warning + warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" + +Seen with glibc 2.20 + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Upstream-Status: Pending +Index: ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h +=================================================================== +--- ipsec-tools-0.8.2.orig/src/include-glibc/glibc-bugs.h 2006-09-09 09:22:08.000000000 -0700 ++++ ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h 2014-09-03 22:27:22.551563888 -0700 +@@ -4,7 +4,11 @@ + #define __GLIBC_BUGS_H__ 1 + + #define _XOPEN_SOURCE 500 ++/* Legacy feature macro.*/ + #define _BSD_SOURCE ++/* New feature macro that provides everything _BSD_SOURCE and ++ * _SVID_SOURCE provided and possibly more. */ ++#define _DEFAULT_SOURCE + + #include <features.h> + #include <sys/types.h> diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch new file mode 100644 index 000000000..e82db087c --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch 
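Review bot: The rewritten completeness check in isakmp_frag_extract() cannot report a complete chain: with fragments 1..last_frag present, at `i == last_frag` the loop advances `item` to NULL and the retained `if (item == NULL) break;` exits before `i++`, so `if (i > last_frag)` is false and reassembly is never triggered for a well-formed chain (it could only pass if an extra fragment numbered above last_frag were in the list). Fold the NULL test into the number test before the dereference and drop the trailing check: `if (item == NULL || item->frag_num != i) break;` followed by `item = item->frag_next;`. The same pattern in isakmp_frag_reassembly() dereferences `item` before testing it, so a chain shorter than frag_count would fault; `if (item == NULL || item->frag_num != i)` belongs there too. The comparison `item->frag_last != iph1->frag_last_index` appears to compare the last-fragment flag with a fragment number, since `frag_last_index` is assigned from `item->frag_num`; if frag_last is a flag rather than an index, `item->frag_num != iph1->frag_last_index` is probably what was meant, but the struct is not in this hunk, so confirm. Both functions begin outside the nested hunks.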
@@ -0,0 +1,220 @@ +racoon: Resend UPDATE message when received EINTR message + +Upstream-Status: Pending + +While kernel is processing the UPDATE message which is sent from racoon, +it maybe interrupted by system signal and if this case happens, +kernel responds with an EINTR message to racoon and kernel fails to +establish the corresponding SA. +Fix this problem by resend the UPDATE message when EINTR(Interrupted +system call) error happens. + +Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com> +--- +--- a/src/libipsec/libpfkey.h ++++ b/src/libipsec/libpfkey.h +@@ -92,6 +92,12 @@ + u_int16_t ctxstrlen; /* length of security context string */ + }; + ++struct update_msg_info { ++ struct sadb_msg *update_msg; ++ int so; ++ int len; ++}; ++ + /* The options built into libipsec */ + extern int libipsec_opt; + #define LIBIPSEC_OPT_NATT 0x01 +--- a/src/libipsec/pfkey.c ++++ b/src/libipsec/pfkey.c +@@ -1219,7 +1219,8 @@ + } + #endif + +- ++struct update_msg_info update_msg_send = {NULL, 0, 0}; ++ + /* sending SADB_ADD or SADB_UPDATE message to the kernel */ + static int + pfkey_send_x1(struct pfkey_send_sa_args *sa_parms) +@@ -1483,10 +1484,24 @@ + + /* send message */ + len = pfkey_send(sa_parms->so, newmsg, len); +- free(newmsg); + +- if (len < 0) +- return -1; ++ if (newmsg->sadb_msg_type == SADB_UPDATE) { ++ if (update_msg_send.update_msg) ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = newmsg; ++ update_msg_send.so = sa_parms->so; ++ update_msg_send.len = len; ++ ++ if (len < 0) { ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = NULL; ++ return -1; ++ } ++ } else { ++ free(newmsg); ++ if (len < 0) ++ return -1; ++ } + + __ipsec_errcode = EIPSEC_NO_ERROR; + return len; +--- a/src/racoon/session.c ++++ b/src/racoon/session.c +@@ -100,6 +100,8 @@ + + #include "sainfo.h" + ++extern struct update_msg_info update_msg_send; ++ + struct fd_monitor { + int (*callback)(void *ctx, int fd); + void *ctx; +@@ -348,6 +350,11 @@ + 
close_sockets(); + backupsa_clean(); + ++ if (update_msg_send.update_msg) { ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = NULL; ++ } ++ + plog(LLV_INFO, LOCATION, NULL, "racoon process %d shutdown\n", getpid()); + + exit(0); +--- a/src/racoon/pfkey.c ++++ b/src/racoon/pfkey.c +@@ -103,10 +103,12 @@ + #include "crypto_openssl.h" + #include "grabmyaddr.h" ++#include "../libipsec/libpfkey.h" + + #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) + #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC + #endif + ++extern struct update_msg_info update_msg_send; + /* prototype */ + static u_int ipsecdoi2pfkey_aalg __P((u_int)); + static u_int ipsecdoi2pfkey_ealg __P((u_int)); +@@ -253,6 +255,13 @@ + s_pfkey_type(msg->sadb_msg_type), + strerror(msg->sadb_msg_errno)); + ++ if (msg->sadb_msg_errno == EINTR && ++ update_msg_send.update_msg) { ++ plog(LLV_DEBUG, LOCATION, NULL, ++ "pfkey update resend\n"); ++ send(update_msg_send.so, (void *)update_msg_send.update_msg, (socklen_t)update_msg_send.len, 0); ++ } ++ + goto end; + } + +@@ -498,6 +507,11 @@ + { + flushsp(); + ++ if (update_msg_send.update_msg) { ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = NULL; ++ } ++ + if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) { + plog(LLV_ERROR, LOCATION, NULL, + "libipsec sending spddump failed: %s\n", +@@ -1295,6 +1309,8 @@ + return 0; + } + ++int update_received = 0; ++ + static int + pk_recvupdate(mhp) + caddr_t *mhp; +@@ -1307,6 +1323,13 @@ + int incomplete = 0; + struct saproto *pr; + ++ update_received = 1; ++ ++ if (update_msg_send.update_msg) { ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = NULL; ++ } ++ + /* ignore this message because of local test mode. 
*/ + if (f_local) + return 0; +@@ -4163,3 +4186,8 @@ + + return buf; + } ++ ++int receive_from_isakmp() ++{ ++ return pfkey_handler(NULL, lcconf->sock_pfkey); ++} +--- a/src/racoon/pfkey.h ++++ b/src/racoon/pfkey.h +@@ -71,5 +71,6 @@ + extern u_int32_t pk_getseq __P((void)); + extern const char *sadbsecas2str + __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int)); ++extern int receive_from_isakmp __P((void)); + + #endif /* _PFKEY_H */ +--- a/src/racoon/isakmp_quick.c ++++ b/src/racoon/isakmp_quick.c +@@ -774,6 +774,8 @@ + return error; + } + ++extern int update_received; ++ + /* + * send to responder + * HDR*, HASH(3) +@@ -892,6 +894,11 @@ + } + plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); + ++ while (!update_received) ++ receive_from_isakmp(); ++ ++ update_received = 0; ++ + /* Do ADD for responder */ + if (pk_sendadd(iph2) < 0) { + plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); +@@ -1035,6 +1042,11 @@ + } + plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); + ++ while (!update_received) ++ receive_from_isakmp(); ++ ++ update_received = 0; ++ + /* Do ADD for responder */ + if (pk_sendadd(iph2) < 0) { + plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); +@@ -1989,6 +2001,11 @@ + } + plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); + ++ while (!update_received) ++ receive_from_isakmp(); ++ ++ update_received = 0; ++ + /* Do ADD for responder */ + if (pk_sendadd(iph2) < 0) { + plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch new file mode 100644 index 000000000..e272bc20f --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch 
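Review bot: The three `while (!update_received) receive_from_isakmp();` loops added in isakmp_quick.c have no bound or timeout and discard the return of receive_from_isakmp() (i.e. pfkey_handler()), so if the kernel never answers the UPDATE or the PF_KEY socket errors, racoon spins forever inside the IKE state machine; at minimum break out when the call returns a negative value and cap the iterations, and note that `update_received` is one global set by any pk_recvupdate(), so a reply for a different SA also satisfies the wait. The resend in racoon/pfkey.c calls `send(...)` and ignores its result, so a second EINTR or any other failure is silently lost; check and log it. `int receive_from_isakmp()` in pfkey.c is an old-style definition with no prototype while pfkey.h declares it `__P((void))`; write `int receive_from_isakmp(void)`. `update_msg_send` is a mutable global exported from libipsec and freed from several places in racoon, which makes ownership hard to follow; a comment on the struct in libpfkey.h stating who owns `update_msg` and when it is released would help. The enclosing functions (pfkey_send_x1, pk_recvupdate and the isakmp_quick senders) all extend outside the nested hunks.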
@@ -0,0 +1,26 @@
+Subject: [PATCH] ipsec-tools: racoon: check several invalid ivm
+
+Upstream-Status: Pending
+
+Add checking for invalid ivm, or it will crash racoon.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ isakmp_cfg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
+--- a/src/racoon/isakmp_cfg.c
++++ b/src/racoon/isakmp_cfg.c
+@@ -171,6 +171,11 @@ isakmp_cfg_r(iph1, msg)
+ iph1->mode_cfg->last_msgid != packet->msgid )
+ iph1->mode_cfg->ivm =
+ isakmp_cfg_newiv(iph1, packet->msgid);
++ if(iph1->mode_cfg->ivm == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "failed to create new IV\n");
++ return;
++ }
+ ivm = iph1->mode_cfg->ivm;
+
+ dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
new file mode 100644
index 000000000..de1bdb407
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
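Review bot: The new NULL check in isakmp_cfg_r sits after the unbraced `if` that assigns `iph1->mode_cfg->ivm`, so it guards both a freshly created and a reused ivm before `ivm->iv` is dereferenced in the `oakley_do_decrypt` call; that placement is right, but a reader can easily take the check as belonging to the preceding `if`, and the old code crashed the daemon on a remotely supplied packet when ivm was NULL. A comment such as `/* ivm may be NULL whether new or reused and is dereferenced below; drop the packet instead of crashing */` above the check would make both points explicit. Style: `if(iph1->mode_cfg->ivm == NULL)` lacks the space after `if` that the surrounding racoon code uses. isakmp_cfg_r starts and ends outside the hunk, so what the early `return` leaves behind in state set earlier in the function cannot be judged here.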
@@ -0,0 +1,61 @@
+Subject: [PATCH] ipsec-tools: racoon: check several invalid pointers
+
+Upstream-Status: Pending
+
+Add checking for invalid pointers, or it will crash racoon.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ ipsec_doi.c | 5 +++--
+ isakmp_cfg.c | 7 +++++++
+ isakmp_quick.c | 6 ++++--
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+
+diff -urpN a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
+--- a/src/racoon/ipsec_doi.c
++++ b/src/racoon/ipsec_doi.c
+@@ -3374,8 +3374,9 @@ ipsecdoi_chkcmpids( idt, ids, exact )
+
+ /* handle wildcard IDs */
+
+- if (idt == NULL || ids == NULL)
+- {
++ if (idt == NULL || ids == NULL ||
++ idt->v == NULL || idt->l == 0 ||
++ ids->v == NULL || ids->l == 0) {
+ if( !exact )
+ {
+ plog(LLV_DEBUG, LOCATION, NULL,
+diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
+--- a/src/racoon/isakmp_cfg.c
++++ b/src/racoon/isakmp_cfg.c
+@@ -1138,6 +1138,13 @@ isakmp_cfg_newiv(iph1, msgid)
+ return NULL;
+ }
+
++ if (iph1->ivm == NULL || iph1->ivm->iv == NULL ||
++ iph1->ivm->iv->v == NULL || iph1->ivm->iv->l == 0) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "isakmp_cfg_newiv called with invalid IV management\n");
++ return NULL;
++ }
++
+ if (ics->ivm != NULL)
+ oakley_delivm(ics->ivm);
+
+diff -urpN a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
+--- a/src/racoon/isakmp_quick.c
++++ b/src/racoon/isakmp_quick.c
+@@ -2243,8 +2243,10 @@ get_proposal_r(iph2)
+ int error = ISAKMP_INTERNAL_ERROR;
+
+ /* check the existence of ID payload */
+- if ((iph2->id_p != NULL && iph2->id == NULL)
+- || (iph2->id_p == NULL && iph2->id != NULL)) {
++ if ((iph2->id_p != NULL &&
++ (iph2->id == NULL || iph2->id->v == NULL || iph2->id->l == 0)) ||
++ (iph2->id != NULL &&
++ (iph2->id_p == NULL || iph2->id_p->v == NULL || iph2->id_p->l == 0))) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Both IDs wasn't found in payload.\n");
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
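Review bot: In the ipsecdoi_chkcmpids hunk the widened condition sends an ID whose `v` is NULL or whose `l` is 0 into the "handle wildcard IDs" branch instead of rejecting it; with `exact` false that branch, judging from the debug log it opens with, appears to treat the pair as matched, so a present-but-empty ID would compare as a wildcard rather than be refused (the rest of the branch is outside the hunk, so please confirm before merging). A safer shape keeps the original `idt == NULL || ids == NULL` test for the genuine wildcard case and handles the degenerate case separately, e.g. `if (idt->v == NULL || idt->l == 0 || ids->v == NULL || ids->l == 0)` returning whatever value the function uses for a failed comparison — or rejects such payloads where they are parsed. In the isakmp_quick.c hunk the message `"Both IDs wasn't found in payload.\n"` now also fires for an ID that is present but empty, so it no longer describes the condition; `"ID payload missing or empty.\n"` would. The isakmp_cfg_newiv check reads correctly as written.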
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf
new file mode 100644
index 000000000..6b507508b
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf
@@ -0,0 +1,8 @@
+# Defaults for racoon service
+# sourced by racoon.service
+# installed at /etc/default/racoon by the maintainer scripts
+#
+# This is a POSIX shell fragment
+#
+# Arguments to pass to racoon
+RACOON_ARGS=""
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample
new file mode 100644
index 000000000..2948a4a35
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample
@@ -0,0 +1,40 @@
+#
+# NOTE: This file will not be used if you use racoon-tool(8) to manage your
+# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
+# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
+# of this file.
+#
+# Simple racoon.conf
+#
+#
+# Please look in /usr/share/doc/racoon/examples for
+# examples that come with the source.
+#
+# Please read racoon.conf(5) for details, and alsoread setkey(8).
+#
+#
+# Also read the Linux IPSEC Howto up at
+# http://www.ipsec-howto.org/t1.html
+#
+log notify;
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+
+#remote 172.31.1.1 {
+# exchange_mode main,aggressive;
+# proposal {
+# encryption_algorithm 3des;
+# hash_algorithm sha1;
+# authentication_method pre_shared_key;
+# dh_group modp1024;
+# }
+# generate_policy off;
+#}
+#
+#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any {
+# pfs_group modp768;
+# encryption_algorithm 3des;
+# authentication_algorithm hmac_md5;
+# compression_algorithm deflate;
+#}
+
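Review bot: The commented example in racoon.conf.sample is built on `3des`, `hmac_md5`, `pfs_group modp768` and `dh_group modp1024`, and the recipe installs this sample verbatim as the live `${sysconfdir}/racoon/racoon.conf`, so an administrator who simply uncomments it ends up with parameters that are weak by current standards. A one-line comment above the `#remote` block, e.g. `# Illustrative only: use AES, SHA-2 and modp2048 or stronger groups in real configurations`, would steer readers without altering the shipped defaults. The `exchange_mode main,aggressive;` line also deserves a note that aggressive mode with pre-shared keys exposes the PSK hash to offline guessing, since the example pairs the two. Typo: `alsoread` in the "Please read racoon.conf(5)" line should be `also read`.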
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service
new file mode 100644
index 000000000..a10e77027
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Racoon IKEv1 key management daemon for IPSEC
+After=syslog.target network.target
+
+[Service]
+Type=forking
+EnvironmentFile=-@SYSCONFDIR@/default/racoon
+ExecStart=@SBINDIR@/racoon $RACOON_ARGS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
new file mode 100644
index 000000000..5cbeb15ad
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
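Review bot: `Type=forking` is used without a `PIDFile=`, so systemd has to guess which of racoon's processes is the main one and service supervision (restart, stop, failure detection) becomes unreliable; racoon accepts `-F` to stay in the foreground, which would allow `ExecStart=@SBINDIR@/racoon -F $RACOON_ARGS` with `Type=simple`, or alternatively keep forking and add `PIDFile=<path racoon writes its pid to on this distro>`. `After=syslog.target` names a target that current systemd releases no longer provide; `network.target` alone (or `network-online.target` when the daemon must bind concrete addresses at start) is the usual ordering. A short comment in the unit noting that `@SYSCONFDIR@` and `@SBINDIR@` are substituted by the recipe at install time would save the next reader a trip to the .bb file.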
@@ -0,0 +1,96 @@
+DESCRIPTION = "IPsec-Tools is a port of KAME's IPsec utilities to the \
+Linux-2.6 IPsec implementation."
+HOMEPAGE = "http://ipsec-tools.sourceforge.net/"
+SECTION = "net"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://src/libipsec/pfkey.c;beginline=6;endline=31;md5=bc9b7ff40beff19fe6bc6aef26bd2b24"
+
+DEPENDS = "virtual/kernel openssl readline flex-native bison-native"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+SRC_URI = "http://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-${PV}.tar.bz2 \
+ file://0002-Don-t-link-against-libfl.patch \
+ file://configure.patch \
+ file://0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch \
+ file://racoon-check-invalid-pointers.patch \
+ file://racoon-check-invalid-ivm.patch \
+ file://glibc-2.20.patch \
+ file://racoon-Resend-UPDATE-message-when-received-EINTR-message.patch \
+ file://racoon.conf.sample \
+ file://racoon.conf \
+ file://racoon.service \
+ file://fix-CVE-2015-4047.patch \
+ file://0001-Fix-build-with-clang.patch \
+ file://0001-Fix-header-issues-found-with-musl-libc.patch \
+ file://0002-cfparse-clear-memory-equal-to-size-of-array.patch \
+ file://fix-CVE-2016-10396.patch \
+ "
+SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41"
+SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d"
+
+inherit autotools systemd
+
+# Options:
+# --enable-adminport enable admin port
+# --enable-rc5 enable RC5 encryption (patented)
+# --enable-idea enable IDEA encryption (patented)
+# --enable-gssapi enable GSS-API authentication
+# --enable-hybrid enable hybrid, both mode-cfg and xauth support
+# --enable-frag enable IKE fragmentation payload support
+# --enable-stats enable statistics logging function
+# --enable-dpd enable dead peer detection
+# --enable-samode-unspec enable to use unspecified a mode of SA
+# --disable-ipv6 disable ipv6 support
+# --enable-natt enable NAT-Traversal (yes/no/kernel)
+# --enable-natt-versions=list list of supported NAT-T versions delimited by coma.
+# --with-kernel-headers=/lib/modules/<uname>/build/include
+# where your Linux Kernel headers are installed
+# --with-readline support readline input (yes by default)
+# --with-flex use directiory (default: no)
+# --with-flexlib=<LIB> specify flex library.
+# --with-openssl=DIR specify OpenSSL directory
+# --with-libradius=DIR specify libradius path (like/usr/pkg)
+# --with-libpam=DIR specify libpam path (like/usr/pkg)
+#
+# Note: if you give it the actual kernel headers it won't build, it actually
+# needs to point at the linux-libc-headers version of the kernel headers.
+#
+EXTRA_OECONF = "--with-kernel-headers=${STAGING_INCDIR} \
+ --with-readline \
+ --with-openssl=${STAGING_LIBDIR}/.. \
+ --without-libradius \
+ --disable-security-context \
+ --enable-shared \
+ --enable-dpd \
+ --enable-natt=yes \
+ --sysconfdir=${sysconfdir}/racoon \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '--enable-ipv6=yes', '', d)}"
+
+# See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530527
+CFLAGS += "-fno-strict-aliasing"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,"
+PACKAGECONFIG[selinux] = "--enable-security-context,--disable-security-context,libselinux,"
+
+SYSTEMD_SERVICE_${PN} = "racoon.service"
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/racoon
+ install -m 0644 ${WORKDIR}/racoon.conf.sample ${D}${sysconfdir}/racoon/racoon.conf
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/racoon.service ${D}${systemd_unitdir}/system
+
+ sed -i -e 's#@SYSCONFDIR@#${sysconfdir}#g' ${D}${systemd_unitdir}/system/racoon.service
+ sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/racoon.service
+
+ install -d ${D}${sysconfdir}/default/
+ install -m 0644 ${WORKDIR}/racoon.conf ${D}${sysconfdir}/default/racoon
+ fi
+}
+
+FILES_${PN} += "${sysconfdir}/racoon/racoon.conf \
+ ${sysconfdir}/default/racoon" |
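Review bot: `DEPENDS` pulls in `virtual/kernel` and `PACKAGE_ARCH` is pinned to `${MACHINE_ARCH}`, yet `--with-kernel-headers` is pointed at `${STAGING_INCDIR}` and the recipe's own comment states the build must use the linux-libc-headers copy rather than the kernel tree; if nothing else consumes the kernel build, both settings look unnecessary and make the package machine-specific (and rebuild on every kernel change) for no gain — please confirm against an actual build before dropping them. Either way a comment such as `# Built against linux-libc-headers, not the kernel tree; see --with-kernel-headers below` next to `DEPENDS` would record the decision. The two `fix-CVE-*.patch` entries are only credited by cve-check if their headers carry `CVE:` tags, which this hunk cannot show; worth verifying in the patch files. Note also that `SRC_URI` fetches over plain `http://`, which is acceptable only because the `sha256sum` pins the tarball.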