diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index 85f733e312..b91f5e1b55 100644
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=strongswan
-PKG_VERSION:=5.3.5
-PKG_RELEASE:=3
+PKG_VERSION:=5.4.0
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/
-PKG_MD5SUM:=a2f9ea185f27e7f8413d4cd2ee61efe4
+PKG_MD5SUM:=9d7c77b0da9b69f859624897e5e9ebbf
 PKG_LICENSE:=GPL-2.0+
 PKG_MAINTAINER:=Steven Barth
@@ -399,7 +399,7 @@ define Package/strongswan/install
 $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
 $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
 $(INSTALL_DIR) $(1)/usr/lib/ipsec
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
 $(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
 $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
 $(INSTALL_DIR) $(1)/etc/init.d
@@ -562,7 +562,7 @@ $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charo
 $(eval $(call BuildPlugin,sql,SQL database interface,))
 $(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3))
 $(eval $(call BuildPlugin,sshkey,SSH key decoding,))
-$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils))
+$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-charon +strongswan-utils))
 $(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
 $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
 $(eval $(call BuildPlugin,unity,Cisco Unity extension,))
diff --git a/net/strongswan/patches/101-musl-fixes.patch b/net/strongswan/patches/101-musl-fixes.patch
index 3b90e6cf2e..a360d1cab9 100644
--- a/net/strongswan/patches/101-musl-fixes.patch
+++ b/net/strongswan/patches/101-musl-fixes.patch @@ -50,8 +50,8 @@ +#undef blkcnt_t +#undef crypt +#undef encrypt ---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c -+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -18,6 +18,8 @@ * for more details. */ @@ -61,8 +61,8 @@ #include #include #include ---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c -+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c @@ -37,6 +37,8 @@ * THE SOFTWARE. */ @@ -72,8 +72,8 @@ #include #include #include ---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c -+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c @@ -15,6 +15,8 @@ * for more details. */ diff --git a/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch b/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch deleted file mode 100644 index 4e743f5f12..0000000000 --- a/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch +++ /dev/null 
@@ -1,324 +0,0 @@ -From 1f642f872abe39cb5a67a87c4e9b63c9d78657d7 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Mon, 30 Nov 2015 16:30:22 +0100 -Subject: [PATCH 2/2] forecast: Fix alignment when adding rules - -Basically the same issue as with the connmark plugin. - - #1212 ---- - src/libcharon/plugins/forecast/forecast_listener.c | 247 +++++++++++---------- - 1 file changed, 133 insertions(+), 114 deletions(-) - -diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c -index 63a8cb1..7e93617 100644 ---- a/src/libcharon/plugins/forecast/forecast_listener.c -+++ b/src/libcharon/plugins/forecast/forecast_listener.c -@@ -1,4 +1,7 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner -+ * Hochschule fuer Technik Rapperswil -+ * - * Copyright (C) 2010-2014 Martin Willi - * Copyright (C) 2010-2014 revosec AG - * -@@ -25,6 +28,15 @@ - #include - #include - -+/** -+ * Add a struct at the current position in the buffer -+ */ -+#define ADD_STRUCT(pos, st, ...) 
({\ -+ typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\ -+ *(st*)_cur = (st){ __VA_ARGS__ };\ -+ (st*)_cur;\ -+}) -+ - typedef struct private_forecast_listener_t private_forecast_listener_t; - - /** -@@ -164,60 +176,60 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain, - static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, - entry_t *entry, bool add) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_udp udp; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 tm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.udp)), -- .next_offset = sizeof(ipt), -- .ip = { -- .proto = IPPROTO_UDP, -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_udp)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ .ip = { -+ .proto = IPPROTO_UDP, - }, -- .m = { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)), -- .name = "udp", -- }, -+ ); -+ if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) || -+ !host2in(entry->rhost, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = match_size, -+ .name = "udp", - }, - }, -- .udp = { -- .spts = { -- entry->rhost->get_port(entry->rhost), -- entry->rhost->get_port(entry->lhost) -- }, -- .dpts = { -- entry->lhost->get_port(entry->lhost), -- entry->lhost->get_port(entry->lhost) -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_udp, -+ .spts = { -+ 
entry->rhost->get_port(entry->rhost), -+ entry->rhost->get_port(entry->lhost) - }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), -- .name = "MARK", -- .revision = 2, -- }, -- }, -+ .dpts = { -+ entry->lhost->get_port(entry->lhost), -+ entry->lhost->get_port(entry->lhost) - }, -- .tm = { -- .mark = entry->mark, -- .mask = ~0, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, -+ }, - }, -- }; -- -- if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "PREROUTING", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = entry->mark, -+ .mask = ~0, -+ ); -+ return manage_rule(ipth, "PREROUTING", add, e); - } - - /** -@@ -225,53 +237,53 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, - */ - static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_esp esp; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 tm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.esp)), -- .next_offset = sizeof(ipt), -- .ip = { -- .proto = IPPROTO_ESP, -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_esp)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ .ip = { -+ .proto = IPPROTO_ESP, - }, -- .m 
= { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)), -- .name = "esp", -- }, -+ ); -+ if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) || -+ !host2in(entry->rhost, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = match_size, -+ .name = "esp", - }, - }, -- .esp = { -- .spis = { htonl(entry->spi), htonl(entry->spi) }, -- }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), -- .name = "MARK", -- .revision = 2, -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_esp, -+ .spis = { htonl(entry->spi), htonl(entry->spi) }, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, - }, - }, -- .tm = { -- .mark = entry->mark, -- .mask = ~0, -- }, -- }; -- -- if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "PREROUTING", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = entry->mark, -+ .mask = ~0, -+ ); -+ return manage_rule(ipth, "PREROUTING", add, e); - } - - /** -@@ -291,45 +303,52 @@ static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add) - */ - static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 m; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e)), -- .next_offset = sizeof(ipt), -- }, -- .t = { -- .u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)), -- .u.user.name = "MARK", -- .u.user.revision = 2, -- }, -- .m = { -- .mark = entry->mark, -- .mask = ~0, -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)); -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct 
xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, -+ }, - }, -- }; -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = entry->mark, -+ .mask = ~0, -+ ); -+ - enumerator_t *enumerator; - traffic_selector_t *ts; - - enumerator = array_create_enumerator(entry->rts); - while (enumerator->enumerate(enumerator, &ts)) - { -- if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk)) -+ if (!ts2in(ts, &e->ip.dst, &e->ip.dmsk)) - { - continue; - } -- if (ipt.e.ip.dst.s_addr == 0xffffffff || -- ipt.e.ip.dst.s_addr == entry->broadcast || -- memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1)) -+ if (e->ip.dst.s_addr == 0xffffffff || -+ e->ip.dst.s_addr == entry->broadcast || -+ memeq(&e->ip.dst.s_addr, "\xe0", 1)) - { - /* skip broadcast/multicast selectors, they are shared and the mark - * is set by the socket we use for reinjection */ - continue; - } -- if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) || -- !manage_rule(ipth, "OUTPUT", add, &ipt.e)) -+ if (!manage_rule(ipth, "PREROUTING", add, e) || -+ !manage_rule(ipth, "OUTPUT", add, e)) - { - enumerator->destroy(enumerator); - return FALSE; --- -2.4.10 diff --git a/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch b/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch deleted file mode 100644 index 963bd1bfc5..0000000000 --- a/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch +++ /dev/null 
@@ -1,411 +0,0 @@ -From a4d7f5ee6f36decdcd18d70078e1f0a847fe9b24 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Mon, 30 Nov 2015 16:04:35 +0100 -Subject: [PATCH 1/2] connmark: Fix alignment when adding rules - -The structs that make up a message sent to the kernel have all to be -aligned with XT_ALIGN. That was not necessarily the case when -initializing the complete message as struct. - - #1212 ---- - src/libcharon/plugins/connmark/connmark_listener.c | 332 +++++++++++---------- - 1 file changed, 172 insertions(+), 160 deletions(-) - -diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c -index 23df690..cd53701 100644 ---- a/src/libcharon/plugins/connmark/connmark_listener.c -+++ b/src/libcharon/plugins/connmark/connmark_listener.c -@@ -1,4 +1,7 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner -+ * Hochschule fuer Technik Rapperswil -+ * - * Copyright (C) 2014 Martin Willi - * Copyright (C) 2014 revosec AG - * -@@ -25,6 +28,14 @@ - #include - #include - -+/** -+ * Add a struct at the current position in the buffer -+ */ -+#define ADD_STRUCT(pos, st, ...) 
({\ -+ typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\ -+ *(st*)_cur = (st){ __VA_ARGS__ };\ -+ (st*)_cur;\ -+}) - - typedef struct private_connmark_listener_t private_connmark_listener_t; - -@@ -108,54 +119,54 @@ static bool manage_pre_esp_in_udp(private_connmark_listener_t *this, - u_int mark, u_int32_t spi, - host_t *dst, host_t *src) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_udp udp; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 tm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.udp)), -- .next_offset = sizeof(ipt), -- .ip = { -- .proto = IPPROTO_UDP, -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_udp)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ .ip = { -+ .proto = IPPROTO_UDP, - }, -- .m = { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)), -- .name = "udp", -- }, -+ ); -+ if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) || -+ !host2in(src, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = match_size, -+ .name = "udp", - }, - }, -- .udp = { -- .spts = { src->get_port(src), src->get_port(src) }, -- .dpts = { dst->get_port(dst), dst->get_port(dst) }, -- }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), -- .name = "MARK", -- .revision = 2, -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_udp, -+ .spts = { src->get_port(src), src->get_port(src) }, -+ 
.dpts = { dst->get_port(dst), dst->get_port(dst) }, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, - }, - }, -- .tm = { -- .mark = mark, -- .mask = ~0, -- }, -- }; -- -- if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "PREROUTING", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = mark, -+ .mask = ~0, -+ ); -+ return manage_rule(ipth, "PREROUTING", add, e); - } - - /** -@@ -166,53 +177,53 @@ static bool manage_pre_esp(private_connmark_listener_t *this, - u_int mark, u_int32_t spi, - host_t *dst, host_t *src) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_esp esp; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 tm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.esp)), -- .next_offset = sizeof(ipt), -- .ip = { -- .proto = IPPROTO_ESP, -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_esp)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ .ip = { -+ .proto = IPPROTO_ESP, - }, -- .m = { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)), -- .name = "esp", -- }, -+ ); -+ if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) || -+ !host2in(src, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = 
match_size, -+ .name = "esp", - }, - }, -- .esp = { -- .spis = { htonl(spi), htonl(spi) }, -- }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), -- .name = "MARK", -- .revision = 2, -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_esp, -+ .spis = { htonl(spi), htonl(spi) }, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, - }, - }, -- .tm = { -- .mark = mark, -- .mask = ~0, -- }, -- }; -- -- if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "PREROUTING", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = mark, -+ .mask = ~0, -+ ); -+ return manage_rule(ipth, "PREROUTING", add, e); - } - - /** -@@ -238,59 +249,59 @@ static bool manage_in(private_connmark_listener_t *this, - u_int mark, u_int32_t spi, - traffic_selector_t *dst, traffic_selector_t *src) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_policy_info p; -- struct ipt_entry_target t; -- struct xt_connmark_tginfo1 cm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.p)), -- .next_offset = sizeof(ipt), -- }, -- .m = { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)), -- .name = "policy", -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_policy_info)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_connmark_tginfo1)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = 
entry_size, -+ ); -+ if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) || -+ !ts2in(src, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = match_size, -+ .name = "policy", - }, - }, -- .p = { -- .pol = { -- { -- .spi = spi, -- .match.spi = 1, -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_policy_info, -+ .pol = { -+ { -+ .spi = spi, -+ .match.spi = 1, - }, -- .len = 1, -- .flags = XT_POLICY_MATCH_IN, - }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)), -- .name = "CONNMARK", -- .revision = 1, -- }, -+ .len = 1, -+ .flags = XT_POLICY_MATCH_IN, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "CONNMARK", -+ .revision = 1, - }, - }, -- .cm = { -- .ctmark = mark, -- .ctmask = ~0, -- .nfmask = ~0, -- .mode = XT_CONNMARK_SET, -- }, -- }; -- -- if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "INPUT", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_connmark_tginfo1, -+ .ctmark = mark, -+ .ctmask = ~0, -+ .nfmask = ~0, -+ .mode = XT_CONNMARK_SET, -+ ); -+ return manage_rule(ipth, "INPUT", add, e); - } - - /** -@@ -300,37 +311,38 @@ static bool manage_out(private_connmark_listener_t *this, - struct iptc_handle *ipth, bool add, - traffic_selector_t *dst, traffic_selector_t *src) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_target t; -- struct xt_connmark_tginfo1 cm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e)), -- .next_offset = sizeof(ipt), -- }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)), -- .name = "CONNMARK", -- .revision = 1, -- }, -- }, -- }, -- .cm = { -- .ctmask = ~0, -- .nfmask = ~0, -- .mode = XT_CONNMARK_RESTORE, -- }, -- }; -- -- if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !ts2in(src, 
&ipt.e.ip.src, &ipt.e.ip.smsk)) -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)); -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_connmark_tginfo1)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ ); -+ if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) || -+ !ts2in(src, &e->ip.src, &e->ip.smsk)) - { - return FALSE; - } -- return manage_rule(ipth, "OUTPUT", add, &ipt.e); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "CONNMARK", -+ .revision = 1, -+ }, -+ }, -+ ); -+ ADD_STRUCT(pos, struct xt_connmark_tginfo1, -+ .ctmask = ~0, -+ .nfmask = ~0, -+ .mode = XT_CONNMARK_RESTORE, -+ ); -+ return manage_rule(ipth, "OUTPUT", add, e); - } - - /** --- -2.4.10 diff --git a/net/strongswan/patches/201-kmodloader.patch b/net/strongswan/patches/201-kmodloader.patch index 7d46156384..cd74f27119 100644 --- a/net/strongswan/patches/201-kmodloader.patch +++ b/net/strongswan/patches/201-kmodloader.patch @@ -1,6 +1,6 @@ --- a/src/starter/netkey.c +++ b/src/starter/netkey.c -@@ -31,7 +31,7 @@ bool starter_netkey_init(void) +@@ -30,7 +30,7 @@ bool starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { @@ -9,7 +9,7 @@ } /* now test again */ -@@ -45,11 +45,11 @@ bool starter_netkey_init(void) +@@ -44,11 +44,11 @@ bool starter_netkey_init(void) /* make sure that all required IPsec modules are loaded */ if (stat(PROC_MODULES, &stb) == 0) { diff --git a/net/strongswan/patches/210-sleep.patch b/net/strongswan/patches/210-sleep.patch index ea799671eb..54b0efca5d 100644 --- a/net/strongswan/patches/210-sleep.patch +++ b/net/strongswan/patches/210-sleep.patch 
@@ -4,8 +4,8 @@ loop=110 while [ $loop -gt 0 ] ; do kill -0 $spid 2>/dev/null || break -- sleep 0.1 -+ sleep 1 - loop=$(($loop - 1)) - done - if [ $loop -eq 0 ] +- sleep 0.1 2>/dev/null ++ sleep 1 2>/dev/null + if [ $? -ne 0 ] + then + sleep 1 diff --git a/net/strongswan/patches/305-minimal_dh_plugin.patch b/net/strongswan/patches/305-minimal_dh_plugin.patch index e060ec36cf..adf5fd8e79 100644 --- a/net/strongswan/patches/305-minimal_dh_plugin.patch +++ b/net/strongswan/patches/305-minimal_dh_plugin.patch @@ -8,7 +8,7 @@ ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.]) ARG_DISBL_SET([md5], [disable MD5 software implementation plugin.]) -@@ -1312,6 +1313,7 @@ ADD_PLUGIN([gcrypt], [s ch +@@ -1325,6 +1326,7 @@ ADD_PLUGIN([gcrypt], [s ch ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) ADD_PLUGIN([fips-prf], [s charon nm cmd]) ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) @@ -16,7 +16,7 @@ ADD_PLUGIN([agent], [s charon nm cmd]) ADD_PLUGIN([keychain], [s charon cmd]) ADD_PLUGIN([chapoly], [s charon scripts nm cmd]) -@@ -1444,6 +1446,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x +@@ -1458,6 +1460,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue) AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) @@ -24,7 +24,7 @@ AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue) AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue) -@@ -1692,6 +1695,7 @@ AC_CONFIG_FILES([ +@@ -1707,6 +1710,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile @@ -34,7 +34,7 @@ src/libstrongswan/plugins/random/Makefile --- a/src/libstrongswan/Makefile.am 
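Review bot: After this refresh the patched script reads `sleep 1 2>/dev/null` immediately followed by the upstream fallback `if [ $? -ne 0 ]; then sleep 1`, so the fallback can only ever repeat the same one-second sleep and the patch appears to duplicate what upstream now does on its own (falling back to a whole-second sleep when fractional `sleep 0.1` is not supported). If working around a missing fractional sleep was the patch's only purpose, it can probably be dropped; if a fixed one-second poll is still wanted, the patch header should say why. Note that with `loop=110` the wait loop now gives up after roughly 110 s instead of 11 s, which is worth stating in that header as well. The surrounding wait loop starts before and ends after this hunk.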
+++ b/src/libstrongswan/Makefile.am -@@ -303,6 +303,13 @@ if MONOLITHIC +@@ -305,6 +305,13 @@ if MONOLITHIC endif endif