diff options
author | Patrick Williams <patrick@stwcx.xyz> | 2016-08-17 15:04:38 -0500 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2016-08-22 16:43:32 +0000 |
commit | b48b7b4109868a8c0ddda090992e936e821c7ea6 (patch) | |
tree | 696be8ea782f2548c0f63bb0188f4c8d3eeed681 /import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools | |
parent | d849ec78de728ef9a2d383b92ccfeabf40f8f1d0 (diff) | |
download | talos-openbmc-b48b7b4109868a8c0ddda090992e936e821c7ea6.tar.gz talos-openbmc-b48b7b4109868a8c0ddda090992e936e821c7ea6.zip |
Squashed 'import-layers/meta-openembedded/' content from commit 247b126
Change-Id: I40827e9ce5fba63f1cca2a0be44976ae8383b4c0
git-subtree-dir: import-layers/meta-openembedded
git-subtree-split: 247b1267bbe95719cd4877d2d3cfbaf2a2f4865a
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Diffstat (limited to 'import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools')
12 files changed, 650 insertions, 0 deletions
diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch new file mode 100644 index 000000000..d5602c03d --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch @@ -0,0 +1,33 @@ +From 738a9857be9c92ad2f70be88ccee238e3154a936 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe.macdonald@windriver.com> +Date: Wed, 2 Oct 2013 14:20:37 -0400 +Subject: [PATCH] racoon/pfkey: avoid potential null-pointer dereference + +Building with -Werror=maybe-uninitialized revealed that 'remote' from +pk_recvmigrate() could be used with uninitialized data in +migrate_sp_ike_addresses(). Ensure it is always at a minimum assigned +NULL. + +Upstream-Status: Pending + +Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> +--- + src/racoon/pfkey.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c +index d00b166..e0dc1db 100644 +--- a/src/racoon/pfkey.c ++++ b/src/racoon/pfkey.c +@@ -3352,7 +3352,7 @@ pk_recvmigrate(mhp) + struct sockaddr *old_saddr, *new_saddr; + struct sockaddr *old_daddr, *new_daddr; + struct sockaddr *old_local, *old_remote; +- struct sockaddr *local, *remote; ++ struct sockaddr *local, *remote = NULL; + struct sadb_x_kmaddress *kmaddr; + struct sadb_x_policy *xpl; + struct sadb_x_ipsecrequest *xisr_list; +-- +1.7.9.5 + diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch new file mode 100644 index 000000000..13e9d73fc --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch @@ -0,0 +1,87 @@ +From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001 +From: Paul Barker <paul@paulbarker.me.uk> +Date: Wed, 5 Mar 2014 13:39:14 +0000 +Subject: [PATCH] Don't link against libfl + +We can remove all references to yywrap by adding "%option noyywrap" statements +to each flex source file that doesn't override yywrap. After this, we no longer +need to link against libfl and so no longer get errors about undefined +references to yylex. + +Signed-off-by: Paul Barker <paul@paulbarker.me.uk> +Upstream-status: Submitted 2014-03-11 + see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797 +--- + src/libipsec/Makefile.am | 1 - + src/racoon/Makefile.am | 2 +- + src/racoon/cftoken.l | 2 ++ + src/setkey/Makefile.am | 1 - + src/setkey/token.l | 2 ++ + 5 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am +index 6a4e3b3..df1e106 100644 +--- a/src/libipsec/Makefile.am ++++ b/src/libipsec/Makefile.am +@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \ + # version is current:revision:age. + # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32 + libipsec_la_LDFLAGS = -version-info 0:1:0 +-libipsec_la_LIBADD = $(LEXLIB) + + noinst_HEADERS = ipsec_strerror.h + +diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am +index dbaded9..0662957 100644 +--- a/src/racoon/Makefile.am ++++ b/src/racoon/Makefile.am +@@ -38,7 +38,7 @@ racoon_SOURCES = \ + cftoken.l cfparse.y prsa_tok.l prsa_par.y + EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \ + isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS) +-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \ ++racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \ + $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la + racoon_DEPENDENCIES = \ + $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \ +diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l +index 490242c..1701922 100644 +--- a/src/racoon/cftoken.l ++++ b/src/racoon/cftoken.l +@@ -106,6 +106,8 @@ static int incstackp = 0; + static int yy_first_time = 1; + %} + ++%option noyywrap ++ + /* common seciton */ + nl \n + ws [ \t]+ +diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am +index 746c1f1..389e6cf 100644 +--- a/src/setkey/Makefile.am ++++ b/src/setkey/Makefile.am +@@ -13,7 +13,6 @@ setkey_SOURCES = \ + + setkey_LDFLAGS = ../libipsec/libipsec.la + setkey_DEPENDENCIES = ../libipsec/libipsec.la +-setkey_LDADD = $(LEXLIB) + + noinst_HEADERS = vchar.h extern.h + man8_MANS = setkey.8 +diff --git a/src/setkey/token.l b/src/setkey/token.l +index ad3d843..eb23b76 100644 +--- a/src/setkey/token.l ++++ b/src/setkey/token.l +@@ -88,6 +88,8 @@ + #endif + %} + ++%option noyywrap ++ + /* common section */ + nl \n + ws [ \t]+ +-- +1.9.0 + diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch new file mode 100644 index 000000000..8d270a62b --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch @@ -0,0 +1,13 @@ +Index: ipsec-tools-0.8.1/configure.ac +=================================================================== +--- ipsec-tools-0.8.1.orig/configure.ac 2013-01-08 12:43:29.000000000 +0000 ++++ ipsec-tools-0.8.1/configure.ac 2014-07-18 07:51:30.045555880 +0000 +@@ -6,7 +6,7 @@ + AC_CONFIG_SRCDIR([configure.ac]) + AC_CONFIG_HEADERS(config.h) + +-AM_INIT_AUTOMAKE(dist-bzip2) ++AM_INIT_AUTOMAKE([foreign dist-bzip2]) + + AC_ENABLE_SHARED(no) + diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch new file mode 100644 index 000000000..5286376ac --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2015-4047.patch @@ -0,0 +1,36 @@ +[PATCH] fix CVE-2015-4047 + +Upstream-Status: Backport + +http://www.openwall.com/lists/oss-security/2015/05/20/1 + +racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause +a denial of service (NULL pointer dereference and IKE daemon crash) via +a series of crafted UDP requests. + +https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4047 + +Signed-off-by: Roy Li <rongqing.li@windriver.com> +--- + src/racoon/gssapi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/racoon/gssapi.c b/src/racoon/gssapi.c +index e64b201..1ad3b42 100644 +--- a/src/racoon/gssapi.c ++++ b/src/racoon/gssapi.c +@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1) + gss_name_t princ, canon_princ; + OM_uint32 maj_stat, min_stat; + ++ if (iph1->rmconf == NULL) { ++ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n"); ++ return -1; ++ } ++ + gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state)); + if (gps == NULL) { + plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n"); +-- +1.9.1 + diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch new file mode 100644 index 000000000..36efc4917 --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch @@ -0,0 +1,23 @@ +squahes below warning + warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" + +Seen with glibc 2.20 + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Upstream-Status: Pending +Index: ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h +=================================================================== +--- ipsec-tools-0.8.2.orig/src/include-glibc/glibc-bugs.h 2006-09-09 09:22:08.000000000 -0700 ++++ ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h 2014-09-03 22:27:22.551563888 -0700 +@@ -4,7 +4,11 @@ + #define __GLIBC_BUGS_H__ 1 + + #define _XOPEN_SOURCE 500 ++/* Legacy feature macro.*/ + #define _BSD_SOURCE ++/* New feature macro that provides everything _BSD_SOURCE and ++ * _SVID_SOURCE provided and possibly more. */ ++#define _DEFAULT_SOURCE + + #include <features.h> + #include <sys/types.h> diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch new file mode 100644 index 000000000..e82db087c --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch @@ -0,0 +1,220 @@ +racoon: Resend UPDATE message when received EINTR message + +Upstream-Status: Pending + +While kernel is processing the UPDATE message which is sent from racoon, +it maybe interrupted by system signal and if this case happens, +kernel responds with an EINTR message to racoon and kernel fails to +establish the corresponding SA. +Fix this problem by resend the UPDATE message when EINTR(Interrupted +system call) error happens. + +Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com> +--- +--- a/src/libipsec/libpfkey.h ++++ b/src/libipsec/libpfkey.h +@@ -92,6 +92,12 @@ + u_int16_t ctxstrlen; /* length of security context string */ + }; + ++struct update_msg_info { ++ struct sadb_msg *update_msg; ++ int so; ++ int len; ++}; ++ + /* The options built into libipsec */ + extern int libipsec_opt; + #define LIBIPSEC_OPT_NATT 0x01 +--- a/src/libipsec/pfkey.c ++++ b/src/libipsec/pfkey.c +@@ -1219,7 +1219,8 @@ + } + #endif + +- ++struct update_msg_info update_msg_send = {NULL, 0, 0}; ++ + /* sending SADB_ADD or SADB_UPDATE message to the kernel */ + static int + pfkey_send_x1(struct pfkey_send_sa_args *sa_parms) +@@ -1483,10 +1484,24 @@ + + /* send message */ + len = pfkey_send(sa_parms->so, newmsg, len); +- free(newmsg); + +- if (len < 0) +- return -1; ++ if (newmsg->sadb_msg_type == SADB_UPDATE) { ++ if (update_msg_send.update_msg) ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = newmsg; ++ update_msg_send.so = sa_parms->so; ++ update_msg_send.len = len; ++ ++ if (len < 0) { ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = NULL; ++ return -1; ++ } ++ } else { ++ free(newmsg); ++ if (len < 0) ++ return -1; ++ } + + __ipsec_errcode = EIPSEC_NO_ERROR; + return len; +--- a/src/racoon/session.c ++++ b/src/racoon/session.c +@@ -100,6 +100,8 @@ + + #include "sainfo.h" + ++extern struct update_msg_info update_msg_send; ++ + struct fd_monitor { + int (*callback)(void *ctx, int fd); + void *ctx; +@@ -348,6 +350,11 @@ + close_sockets(); + backupsa_clean(); + ++ if (update_msg_send.update_msg) { ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = NULL; ++ } ++ + plog(LLV_INFO, LOCATION, NULL, "racoon process %d shutdown\n", getpid()); + + exit(0); +--- a/src/racoon/pfkey.c ++++ b/src/racoon/pfkey.c +@@ -103,10 +103,12 @@ + #include "crypto_openssl.h" + #include "grabmyaddr.h" ++#include "../libipsec/libpfkey.h" + + #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) + #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC + #endif + ++extern struct update_msg_info update_msg_send; + /* prototype */ + static u_int ipsecdoi2pfkey_aalg __P((u_int)); + static u_int ipsecdoi2pfkey_ealg __P((u_int)); +@@ -253,6 +255,13 @@ + s_pfkey_type(msg->sadb_msg_type), + strerror(msg->sadb_msg_errno)); + ++ if (msg->sadb_msg_errno == EINTR && ++ update_msg_send.update_msg) { ++ plog(LLV_DEBUG, LOCATION, NULL, ++ "pfkey update resend\n"); ++ send(update_msg_send.so, (void *)update_msg_send.update_msg, (socklen_t)update_msg_send.len, 0); ++ } ++ + goto end; + } + +@@ -498,6 +507,11 @@ + { + flushsp(); + ++ if (update_msg_send.update_msg) { ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = NULL; ++ } ++ + if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) { + plog(LLV_ERROR, LOCATION, NULL, + "libipsec sending spddump failed: %s\n", +@@ -1295,6 +1309,8 @@ + return 0; + } + ++int update_received = 0; ++ + static int + pk_recvupdate(mhp) + caddr_t *mhp; +@@ -1307,6 +1323,13 @@ + int incomplete = 0; + struct saproto *pr; + ++ update_received = 1; ++ ++ if (update_msg_send.update_msg) { ++ free(update_msg_send.update_msg); ++ update_msg_send.update_msg = NULL; ++ } ++ + /* ignore this message because of local test mode. */ + if (f_local) + return 0; +@@ -4163,3 +4186,8 @@ + + return buf; + } ++ ++int receive_from_isakmp() ++{ ++ return pfkey_handler(NULL, lcconf->sock_pfkey); ++} +--- a/src/racoon/pfkey.h ++++ b/src/racoon/pfkey.h +@@ -71,5 +71,6 @@ + extern u_int32_t pk_getseq __P((void)); + extern const char *sadbsecas2str + __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int)); ++extern int receive_from_isakmp __P((void)); + + #endif /* _PFKEY_H */ +--- a/src/racoon/isakmp_quick.c ++++ b/src/racoon/isakmp_quick.c +@@ -774,6 +774,8 @@ + return error; + } + ++extern int update_received; ++ + /* + * send to responder + * HDR*, HASH(3) +@@ -892,6 +894,11 @@ + } + plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); + ++ while (!update_received) ++ receive_from_isakmp(); ++ ++ update_received = 0; ++ + /* Do ADD for responder */ + if (pk_sendadd(iph2) < 0) { + plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); +@@ -1035,6 +1042,11 @@ + } + plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); + ++ while (!update_received) ++ receive_from_isakmp(); ++ ++ update_received = 0; ++ + /* Do ADD for responder */ + if (pk_sendadd(iph2) < 0) { + plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); +@@ -1989,6 +2001,11 @@ + } + plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); + ++ while (!update_received) ++ receive_from_isakmp(); ++ ++ update_received = 0; ++ + /* Do ADD for responder */ + if (pk_sendadd(iph2) < 0) { + plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch new file mode 100644 index 000000000..e272bc20f --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch @@ -0,0 +1,26 @@ +Subject: [PATCH] ipsec-tools: racoon: check several invalid ivm + +Upstream-Status: Pending + +Add checking for invalid ivm, or it will crash racoon. + +Signed-off-by: Ming Liu <ming.liu@windriver.com> +--- + isakmp_cfg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c +--- a/src/racoon/isakmp_cfg.c ++++ b/src/racoon/isakmp_cfg.c +@@ -171,6 +171,11 @@ isakmp_cfg_r(iph1, msg) + iph1->mode_cfg->last_msgid != packet->msgid ) + iph1->mode_cfg->ivm = + isakmp_cfg_newiv(iph1, packet->msgid); ++ if(iph1->mode_cfg->ivm == NULL) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "failed to create new IV\n"); ++ return; ++ } + ivm = iph1->mode_cfg->ivm; + + dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive); diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch new file mode 100644 index 000000000..de1bdb407 --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch @@ -0,0 +1,61 @@ +Subject: [PATCH] ipsec-tools: racoon: check several invalid pointers + +Upstream-Status: Pending + +Add checking for invalid pointers, or it will crash racoon. + +Signed-off-by: Ming Liu <ming.liu@windriver.com> +--- + ipsec_doi.c | 5 +++-- + isakmp_cfg.c | 7 +++++++ + isakmp_quick.c | 6 ++++-- + 3 files changed, 14 insertions(+), 4 deletions(-) + +diff -urpN a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c +--- a/src/racoon/ipsec_doi.c ++++ b/src/racoon/ipsec_doi.c +@@ -3374,8 +3374,9 @@ ipsecdoi_chkcmpids( idt, ids, exact ) + + /* handle wildcard IDs */ + +- if (idt == NULL || ids == NULL) +- { ++ if (idt == NULL || ids == NULL || ++ idt->v == NULL || idt->l == 0 || ++ ids->v == NULL || ids->l == 0) { + if( !exact ) + { + plog(LLV_DEBUG, LOCATION, NULL, +diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c +--- a/src/racoon/isakmp_cfg.c ++++ b/src/racoon/isakmp_cfg.c +@@ -1138,6 +1138,13 @@ isakmp_cfg_newiv(iph1, msgid) + return NULL; + } + ++ if (iph1->ivm == NULL || iph1->ivm->iv == NULL || ++ iph1->ivm->iv->v == NULL || iph1->ivm->iv->l == 0) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "isakmp_cfg_newiv called with invalid IV management\n"); ++ return NULL; ++ } ++ + if (ics->ivm != NULL) + oakley_delivm(ics->ivm); + +diff -urpN a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c +--- a/src/racoon/isakmp_quick.c ++++ b/src/racoon/isakmp_quick.c +@@ -2243,8 +2243,10 @@ get_proposal_r(iph2) + int error = ISAKMP_INTERNAL_ERROR; + + /* check the existence of ID payload */ +- if ((iph2->id_p != NULL && iph2->id == NULL) +- || (iph2->id_p == NULL && iph2->id != NULL)) { ++ if ((iph2->id_p != NULL && ++ (iph2->id == NULL || iph2->id->v == NULL || iph2->id->l == 0)) || ++ (iph2->id != NULL && ++ (iph2->id_p == NULL || iph2->id_p->v == NULL || iph2->id_p->l == 0))) { + plog(LLV_ERROR, LOCATION, NULL, + "Both IDs wasn't found in payload.\n"); + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf new file mode 100644 index 000000000..6b507508b --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf @@ -0,0 +1,8 @@ +# Defaults for racoon service +# sourced by racoon.service +# installed at /etc/default/racoon by the maintainer scripts +# +# This is a POSIX shell fragment +# +# Arguments to pass to racoon +RACOON_ARGS="" diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample new file mode 100644 index 000000000..2948a4a35 --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.conf.sample @@ -0,0 +1,40 @@ +# +# NOTE: This file will not be used if you use racoon-tool(8) to manage your +# IPsec connections. racoon-tool will process racoon-tool.conf(5) and +# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead +# of this file. +# +# Simple racoon.conf +# +# +# Please look in /usr/share/doc/racoon/examples for +# examples that come with the source. +# +# Please read racoon.conf(5) for details, and alsoread setkey(8). +# +# +# Also read the Linux IPSEC Howto up at +# http://www.ipsec-howto.org/t1.html +# +log notify; +path pre_shared_key "/etc/racoon/psk.txt"; +path certificate "/etc/racoon/certs"; + +#remote 172.31.1.1 { +# exchange_mode main,aggressive; +# proposal { +# encryption_algorithm 3des; +# hash_algorithm sha1; +# authentication_method pre_shared_key; +# dh_group modp1024; +# } +# generate_policy off; +#} +# +#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any { +# pfs_group modp768; +# encryption_algorithm 3des; +# authentication_algorithm hmac_md5; +# compression_algorithm deflate; +#} + diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service new file mode 100644 index 000000000..a10e77027 --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon.service @@ -0,0 +1,11 @@ +[Unit] +Description=Racoon IKEv1 key management daemon for IPSEC +After=syslog.target network.target + +[Service] +Type=forking +EnvironmentFile=-@SYSCONFDIR@/default/racoon +ExecStart=@SBINDIR@/racoon $RACOON_ARGS + +[Install] +WantedBy=multi-user.target diff --git a/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb new file mode 100644 index 000000000..d9f121273 --- /dev/null +++ b/import-layers/meta-openembedded/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb @@ -0,0 +1,92 @@ +DESCRIPTION = "IPsec-Tools is a port of KAME's IPsec utilities to the \ +Linux-2.6 IPsec implementation." +HOMEPAGE = "http://ipsec-tools.sourceforge.net/" +SECTION = "net" +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://src/libipsec/pfkey.c;beginline=6;endline=31;md5=bc9b7ff40beff19fe6bc6aef26bd2b24" + +DEPENDS = "virtual/kernel openssl readline flex-native bison-native" + +PACKAGE_ARCH = "${MACHINE_ARCH}" + +SRC_URI = "ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-${PV}.tar.bz2 \ + file://0002-Don-t-link-against-libfl.patch \ + file://configure.patch \ + file://0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch \ + file://racoon-check-invalid-pointers.patch \ + file://racoon-check-invalid-ivm.patch \ + file://glibc-2.20.patch \ + file://racoon-Resend-UPDATE-message-when-received-EINTR-message.patch \ + file://racoon.conf.sample \ + file://racoon.conf \ + file://racoon.service \ + file://fix-CVE-2015-4047.patch \ + " +SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41" +SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d" + +inherit autotools systemd + +# Options: +# --enable-adminport enable admin port +# --enable-rc5 enable RC5 encryption (patented) +# --enable-idea enable IDEA encryption (patented) +# --enable-gssapi enable GSS-API authentication +# --enable-hybrid enable hybrid, both mode-cfg and xauth support +# --enable-frag enable IKE fragmentation payload support +# --enable-stats enable statistics logging function +# --enable-dpd enable dead peer detection +# --enable-samode-unspec enable to use unspecified a mode of SA +# --disable-ipv6 disable ipv6 support +# --enable-natt enable NAT-Traversal (yes/no/kernel) +# --enable-natt-versions=list list of supported NAT-T versions delimited by coma. +# --with-kernel-headers=/lib/modules/<uname>/build/include +# where your Linux Kernel headers are installed +# --with-readline support readline input (yes by default) +# --with-flex use directiory (default: no) +# --with-flexlib=<LIB> specify flex library. +# --with-openssl=DIR specify OpenSSL directory +# --with-libradius=DIR specify libradius path (like/usr/pkg) +# --with-libpam=DIR specify libpam path (like/usr/pkg) +# +# Note: if you give it the actual kernel headers it won't build, it actually +# needs to point at the linux-libc-headers version of the kernel headers. +# +EXTRA_OECONF = "--with-kernel-headers=${STAGING_INCDIR} \ + --with-readline \ + --with-openssl=${STAGING_LIBDIR}/.. \ + --without-libradius \ + --disable-security-context \ + --enable-shared \ + --enable-dpd \ + --enable-natt=yes \ + --sysconfdir=${sysconfdir}/racoon \ + ${@base_contains('DISTRO_FEATURES', 'ipv6', '--enable-ipv6=yes', '', d)}" + +# See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530527 +CFLAGS += "-fno-strict-aliasing" + +PACKAGECONFIG ??= "" +PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam," +PACKAGECONFIG[selinux] = "--enable-security-context,--disable-security-context,libselinux," + +SYSTEMD_SERVICE_${PN} = "racoon.service" + +do_install_append() { + install -d ${D}${sysconfdir}/racoon + install -m 0644 ${WORKDIR}/racoon.conf.sample ${D}${sysconfdir}/racoon/racoon.conf + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/racoon.service ${D}${systemd_unitdir}/system + + sed -i -e 's#@SYSCONFDIR@#${sysconfdir}#g' ${D}${systemd_unitdir}/system/racoon.service + sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/racoon.service + + install -d ${D}${sysconfdir}/default/ + install -m 0644 ${WORKDIR}/racoon.conf ${D}${sysconfdir}/default/racoon + fi +} + +FILES_${PN} += "${sysconfdir}/racoon/racoon.conf \ + ${sysconfdir}/default/racoon" |