From 064d166efd1860e52f186b5584fe236da88505e9 Mon Sep 17 00:00:00 2001 From: Stijn Tintel Date: Mon, 29 Feb 2016 05:21:16 +0100 Subject: [PATCH 1/4] strongswan: run sleep with integer argument The default busybox config used by OpenWrt does not enable floating point number support for the sleep applet. This can cause an error when stopping or restarting strongswan: sleep: invalid number '0.1' Replace the float with an integer to fix this. Signed-off-by: Stijn Tintel --- net/strongswan/Makefile | 2 +- net/strongswan/patches/210-sleep.patch | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 net/strongswan/patches/210-sleep.patch diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile index 84cdaf1d2f..88ed0a50e4 100644 --- a/net/strongswan/Makefile +++ b/net/strongswan/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=strongswan PKG_VERSION:=5.3.5 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/ diff --git a/net/strongswan/patches/210-sleep.patch b/net/strongswan/patches/210-sleep.patch new file mode 100644 index 0000000000..ea799671eb --- /dev/null +++ b/net/strongswan/patches/210-sleep.patch @@ -0,0 +1,11 @@ +--- a/src/ipsec/_ipsec.in ++++ b/src/ipsec/_ipsec.in +@@ -259,7 +259,7 @@ stop) + loop=110 + while [ $loop -gt 0 ] ; do + kill -0 $spid 2>/dev/null || break +- sleep 0.1 ++ sleep 1 + loop=$(($loop - 1)) + done + if [ $loop -eq 0 ] From 06cf48b15e0e0fa0a6287ba0fe7c594fb8377c27 Mon Sep 17 00:00:00 2001 From: Stijn Tintel Date: Mon, 29 Feb 2016 07:00:13 +0100 Subject: [PATCH 2/4] strongswan: fix alignment in connmark plugin Signed-off-by: Stijn Tintel --- net/strongswan/Makefile | 2 +- ...mark-Fix-alignment-when-adding-rules.patch | 411 ++++++++++++++++++ 2 files changed, 412 insertions(+), 1 deletion(-) create mode 100644 net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch 
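Review bot: Swapping `sleep 0.1` for `sleep 1` in the `stop)` branch of `_ipsec.in` without also lowering `loop=110` stretches the worst-case wait for a daemon that ignores the signal from roughly 11 seconds to 110 seconds, because the carried patch leaves the counter untouched. The `kill -0 $spid` check still breaks out as soon as the process is gone, so only the timeout changes, but a tenfold longer stop could collide with whatever timeout the caller applies around `ipsec stop`. The counter should shrink to match the new granularity, e.g. an additional inner hunk line `-loop=110` / `+loop=11`, keeping the original ~11 second bound.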
diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile index 88ed0a50e4..5d31c564af 100644 --- a/net/strongswan/Makefile +++ b/net/strongswan/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=strongswan PKG_VERSION:=5.3.5 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/ diff --git a/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch b/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch new file mode 100644 index 0000000000..963bd1bfc5 --- /dev/null +++ b/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch 
@@ -0,0 +1,411 @@ +From a4d7f5ee6f36decdcd18d70078e1f0a847fe9b24 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Mon, 30 Nov 2015 16:04:35 +0100 +Subject: [PATCH 1/2] connmark: Fix alignment when adding rules + +The structs that make up a message sent to the kernel have all to be +aligned with XT_ALIGN. That was not necessarily the case when +initializing the complete message as struct. + + #1212 +--- + src/libcharon/plugins/connmark/connmark_listener.c | 332 +++++++++++---------- + 1 file changed, 172 insertions(+), 160 deletions(-) + +diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c +index 23df690..cd53701 100644 +--- a/src/libcharon/plugins/connmark/connmark_listener.c ++++ b/src/libcharon/plugins/connmark/connmark_listener.c +@@ -1,4 +1,7 @@ + /* ++ * Copyright (C) 2015 Tobias Brunner ++ * Hochschule fuer Technik Rapperswil ++ * + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * +@@ -25,6 +28,14 @@ + #include + #include + ++/** ++ * Add a struct at the current position in the buffer ++ */ ++#define ADD_STRUCT(pos, st, ...) 
({\ ++ typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\ ++ *(st*)_cur = (st){ __VA_ARGS__ };\ ++ (st*)_cur;\ ++}) + + typedef struct private_connmark_listener_t private_connmark_listener_t; + +@@ -108,54 +119,54 @@ static bool manage_pre_esp_in_udp(private_connmark_listener_t *this, + u_int mark, u_int32_t spi, + host_t *dst, host_t *src) + { +- struct { +- struct ipt_entry e; +- struct ipt_entry_match m; +- struct xt_udp udp; +- struct ipt_entry_target t; +- struct xt_mark_tginfo2 tm; +- } ipt = { +- .e = { +- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + +- sizeof(ipt.udp)), +- .next_offset = sizeof(ipt), +- .ip = { +- .proto = IPPROTO_UDP, +- }, ++ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + ++ XT_ALIGN(sizeof(struct xt_udp)); ++ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; ++ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + ++ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); ++ u_int16_t entry_size = target_offset + target_size; ++ u_char ipt[entry_size], *pos = ipt; ++ struct ipt_entry *e; ++ ++ memset(ipt, 0, sizeof(ipt)); ++ e = ADD_STRUCT(pos, struct ipt_entry, ++ .target_offset = target_offset, ++ .next_offset = entry_size, ++ .ip = { ++ .proto = IPPROTO_UDP, + }, +- .m = { +- .u = { +- .user = { +- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)), +- .name = "udp", +- }, ++ ); ++ if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) || ++ !host2in(src, &e->ip.src, &e->ip.smsk)) ++ { ++ return FALSE; ++ } ++ ADD_STRUCT(pos, struct ipt_entry_match, ++ .u = { ++ .user = { ++ .match_size = match_size, ++ .name = "udp", + }, + }, +- .udp = { +- .spts = { src->get_port(src), src->get_port(src) }, +- .dpts = { dst->get_port(dst), dst->get_port(dst) }, +- }, +- .t = { +- .u = { +- .user = { +- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), +- .name = "MARK", +- .revision = 2, +- }, ++ ); ++ ADD_STRUCT(pos, struct xt_udp, ++ .spts = { src->get_port(src), src->get_port(src) }, ++ 
.dpts = { dst->get_port(dst), dst->get_port(dst) }, ++ ); ++ ADD_STRUCT(pos, struct ipt_entry_target, ++ .u = { ++ .user = { ++ .target_size = target_size, ++ .name = "MARK", ++ .revision = 2, + }, + }, +- .tm = { +- .mark = mark, +- .mask = ~0, +- }, +- }; +- +- if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || +- !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) +- { +- return FALSE; +- } +- return manage_rule(ipth, "PREROUTING", add, &ipt.e); ++ ); ++ ADD_STRUCT(pos, struct xt_mark_tginfo2, ++ .mark = mark, ++ .mask = ~0, ++ ); ++ return manage_rule(ipth, "PREROUTING", add, e); + } + + /** +@@ -166,53 +177,53 @@ static bool manage_pre_esp(private_connmark_listener_t *this, + u_int mark, u_int32_t spi, + host_t *dst, host_t *src) + { +- struct { +- struct ipt_entry e; +- struct ipt_entry_match m; +- struct xt_esp esp; +- struct ipt_entry_target t; +- struct xt_mark_tginfo2 tm; +- } ipt = { +- .e = { +- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + +- sizeof(ipt.esp)), +- .next_offset = sizeof(ipt), +- .ip = { +- .proto = IPPROTO_ESP, +- }, ++ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + ++ XT_ALIGN(sizeof(struct xt_esp)); ++ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; ++ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + ++ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); ++ u_int16_t entry_size = target_offset + target_size; ++ u_char ipt[entry_size], *pos = ipt; ++ struct ipt_entry *e; ++ ++ memset(ipt, 0, sizeof(ipt)); ++ e = ADD_STRUCT(pos, struct ipt_entry, ++ .target_offset = target_offset, ++ .next_offset = entry_size, ++ .ip = { ++ .proto = IPPROTO_ESP, + }, +- .m = { +- .u = { +- .user = { +- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)), +- .name = "esp", +- }, ++ ); ++ if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) || ++ !host2in(src, &e->ip.src, &e->ip.smsk)) ++ { ++ return FALSE; ++ } ++ ADD_STRUCT(pos, struct ipt_entry_match, ++ .u = { ++ .user = { ++ .match_size = 
match_size, ++ .name = "esp", + }, + }, +- .esp = { +- .spis = { htonl(spi), htonl(spi) }, +- }, +- .t = { +- .u = { +- .user = { +- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), +- .name = "MARK", +- .revision = 2, +- }, ++ ); ++ ADD_STRUCT(pos, struct xt_esp, ++ .spis = { htonl(spi), htonl(spi) }, ++ ); ++ ADD_STRUCT(pos, struct ipt_entry_target, ++ .u = { ++ .user = { ++ .target_size = target_size, ++ .name = "MARK", ++ .revision = 2, + }, + }, +- .tm = { +- .mark = mark, +- .mask = ~0, +- }, +- }; +- +- if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || +- !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) +- { +- return FALSE; +- } +- return manage_rule(ipth, "PREROUTING", add, &ipt.e); ++ ); ++ ADD_STRUCT(pos, struct xt_mark_tginfo2, ++ .mark = mark, ++ .mask = ~0, ++ ); ++ return manage_rule(ipth, "PREROUTING", add, e); + } + + /** +@@ -238,59 +249,59 @@ static bool manage_in(private_connmark_listener_t *this, + u_int mark, u_int32_t spi, + traffic_selector_t *dst, traffic_selector_t *src) + { +- struct { +- struct ipt_entry e; +- struct ipt_entry_match m; +- struct xt_policy_info p; +- struct ipt_entry_target t; +- struct xt_connmark_tginfo1 cm; +- } ipt = { +- .e = { +- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + +- sizeof(ipt.p)), +- .next_offset = sizeof(ipt), +- }, +- .m = { +- .u = { +- .user = { +- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)), +- .name = "policy", +- }, ++ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + ++ XT_ALIGN(sizeof(struct xt_policy_info)); ++ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; ++ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + ++ XT_ALIGN(sizeof(struct xt_connmark_tginfo1)); ++ u_int16_t entry_size = target_offset + target_size; ++ u_char ipt[entry_size], *pos = ipt; ++ struct ipt_entry *e; ++ ++ memset(ipt, 0, sizeof(ipt)); ++ e = ADD_STRUCT(pos, struct ipt_entry, ++ .target_offset = target_offset, ++ .next_offset = 
entry_size, ++ ); ++ if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) || ++ !ts2in(src, &e->ip.src, &e->ip.smsk)) ++ { ++ return FALSE; ++ } ++ ADD_STRUCT(pos, struct ipt_entry_match, ++ .u = { ++ .user = { ++ .match_size = match_size, ++ .name = "policy", + }, + }, +- .p = { +- .pol = { +- { +- .spi = spi, +- .match.spi = 1, +- }, ++ ); ++ ADD_STRUCT(pos, struct xt_policy_info, ++ .pol = { ++ { ++ .spi = spi, ++ .match.spi = 1, + }, +- .len = 1, +- .flags = XT_POLICY_MATCH_IN, + }, +- .t = { +- .u = { +- .user = { +- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)), +- .name = "CONNMARK", +- .revision = 1, +- }, ++ .len = 1, ++ .flags = XT_POLICY_MATCH_IN, ++ ); ++ ADD_STRUCT(pos, struct ipt_entry_target, ++ .u = { ++ .user = { ++ .target_size = target_size, ++ .name = "CONNMARK", ++ .revision = 1, + }, + }, +- .cm = { +- .ctmark = mark, +- .ctmask = ~0, +- .nfmask = ~0, +- .mode = XT_CONNMARK_SET, +- }, +- }; +- +- if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || +- !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) +- { +- return FALSE; +- } +- return manage_rule(ipth, "INPUT", add, &ipt.e); ++ ); ++ ADD_STRUCT(pos, struct xt_connmark_tginfo1, ++ .ctmark = mark, ++ .ctmask = ~0, ++ .nfmask = ~0, ++ .mode = XT_CONNMARK_SET, ++ ); ++ return manage_rule(ipth, "INPUT", add, e); + } + + /** +@@ -300,37 +311,38 @@ static bool manage_out(private_connmark_listener_t *this, + struct iptc_handle *ipth, bool add, + traffic_selector_t *dst, traffic_selector_t *src) + { +- struct { +- struct ipt_entry e; +- struct ipt_entry_target t; +- struct xt_connmark_tginfo1 cm; +- } ipt = { +- .e = { +- .target_offset = XT_ALIGN(sizeof(ipt.e)), +- .next_offset = sizeof(ipt), +- }, +- .t = { +- .u = { +- .user = { +- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)), +- .name = "CONNMARK", +- .revision = 1, +- }, +- }, +- }, +- .cm = { +- .ctmask = ~0, +- .nfmask = ~0, +- .mode = XT_CONNMARK_RESTORE, +- }, +- }; +- +- if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || +- !ts2in(src, 
&ipt.e.ip.src, &ipt.e.ip.smsk)) ++ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)); ++ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + ++ XT_ALIGN(sizeof(struct xt_connmark_tginfo1)); ++ u_int16_t entry_size = target_offset + target_size; ++ u_char ipt[entry_size], *pos = ipt; ++ struct ipt_entry *e; ++ ++ memset(ipt, 0, sizeof(ipt)); ++ e = ADD_STRUCT(pos, struct ipt_entry, ++ .target_offset = target_offset, ++ .next_offset = entry_size, ++ ); ++ if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) || ++ !ts2in(src, &e->ip.src, &e->ip.smsk)) + { + return FALSE; + } +- return manage_rule(ipth, "OUTPUT", add, &ipt.e); ++ ADD_STRUCT(pos, struct ipt_entry_target, ++ .u = { ++ .user = { ++ .target_size = target_size, ++ .name = "CONNMARK", ++ .revision = 1, ++ }, ++ }, ++ ); ++ ADD_STRUCT(pos, struct xt_connmark_tginfo1, ++ .ctmask = ~0, ++ .nfmask = ~0, ++ .mode = XT_CONNMARK_RESTORE, ++ ); ++ return manage_rule(ipth, "OUTPUT", add, e); + } + + /** +-- +2.4.10 From 475be1df93f10386d1da357710627ff01a4930a4 Mon Sep 17 00:00:00 2001 From: Stijn Tintel Date: Tue, 13 Oct 2015 04:15:16 +0200 Subject: [PATCH 3/4] strongswan: add forecast plugin Closes #1868. Signed-off-by: Stijn Tintel --- net/strongswan/Makefile | 3 + ...cast-Fix-alignment-when-adding-rules.patch | 324 ++++++++++++++++++ 2 files changed, 327 insertions(+) create mode 100644 net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile index 5d31c564af..85f733e312 100644 --- a/net/strongswan/Makefile +++ b/net/strongswan/Makefile @@ -43,6 +43,7 @@ PKG_MOD_AVAILABLE:= \ eap-tls \ farp \ fips-prf \ + forecast \ gcm \ gcrypt \ gmp \ @@ -160,6 +161,7 @@ $(call Package/strongswan/Default) +strongswan-mod-eap-tls \ +strongswan-mod-farp \ +strongswan-mod-fips-prf \ + +strongswan-mod-forecast \ +strongswan-mod-gcm \ +strongswan-mod-gcrypt \ +strongswan-mod-gmp \ 
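Review bot: `ADD_STRUCT` in the new 110-connmark patch stores every struct through a cast of a byte pointer (`*(st*)_cur = (st){ __VA_ARGS__ }`) into `u_char ipt[entry_size]`, a VLA whose declared alignment is only 1, so the code relies on the stack allocator happening to place the buffer on an XT_ALIGN boundary, which nothing in the declaration guarantees, and the cast also sidesteps strict aliasing. Declaring the buffer with an explicit alignment, e.g. `u_char ipt[entry_size] __attribute__((aligned(8)));` (or whatever `XT_ALIGN` rounds to on the target), or filling it with `memcpy` from a local struct, would make the layout this patch is fixing hold by construction. The identical macro and buffer declaration appear again in 102-forecast-Fix-alignment-when-adding-rules.patch added by patch 3/4. Both files are backports of upstream commits (a4d7f5ee… and 1f642f87…) and patch 4/4 drops them again with the 5.4.0 bump, so the change belongs upstream rather than in these carried patches.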
@@ -523,6 +525,7 @@ $(eval $(call BuildPlugin,eap-radius,EAP RADIUS auth,)) $(eval $(call BuildPlugin,eap-tls,EAP TLS auth,+strongswan-libtls)) $(eval $(call BuildPlugin,farp,fake arp respsonses,)) $(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1)) +$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+kmod-ipt-conntrack-extra)) $(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,)) $(eval $(call BuildPlugin,gcrypt,libgcrypt,+PACKAGE_strongswan-mod-gcrypt:libgcrypt)) $(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp)) diff --git a/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch b/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch new file mode 100644 index 0000000000..4e743f5f12 --- /dev/null +++ b/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch 
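Review bot: The new `BuildPlugin` line for `forecast` declares only `+kmod-ipt-conntrack-extra`, yet the plugin's listener carried in the 102 patch of this same commit drives iptables through `struct iptc_handle` and `manage_rule`, i.e. it links against libiptc; unless libiptc is pulled in by a shared dependency not visible here, `strongswan-mod-forecast` would install without the library it needs at load time. If the connmark plugin entry (outside this hunk) carries `+libiptc`, the forecast line should mirror it, e.g. `$(eval $(call BuildPlugin,forecast,forward multi/broadcast traffic,+kmod-ipt-conntrack-extra +libiptc))`. The two earlier hunks of this file that add `forecast` to PKG_MOD_AVAILABLE and to the strongswan-full dependency list are consistent with each other.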
@@ -0,0 +1,324 @@ +From 1f642f872abe39cb5a67a87c4e9b63c9d78657d7 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Mon, 30 Nov 2015 16:30:22 +0100 +Subject: [PATCH 2/2] forecast: Fix alignment when adding rules + +Basically the same issue as with the connmark plugin. + + #1212 +--- + src/libcharon/plugins/forecast/forecast_listener.c | 247 +++++++++++---------- + 1 file changed, 133 insertions(+), 114 deletions(-) + +diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c +index 63a8cb1..7e93617 100644 +--- a/src/libcharon/plugins/forecast/forecast_listener.c ++++ b/src/libcharon/plugins/forecast/forecast_listener.c +@@ -1,4 +1,7 @@ + /* ++ * Copyright (C) 2015 Tobias Brunner ++ * Hochschule fuer Technik Rapperswil ++ * + * Copyright (C) 2010-2014 Martin Willi + * Copyright (C) 2010-2014 revosec AG + * +@@ -25,6 +28,15 @@ + #include + #include + ++/** ++ * Add a struct at the current position in the buffer ++ */ ++#define ADD_STRUCT(pos, st, ...) 
({\ ++ typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\ ++ *(st*)_cur = (st){ __VA_ARGS__ };\ ++ (st*)_cur;\ ++}) ++ + typedef struct private_forecast_listener_t private_forecast_listener_t; + + /** +@@ -164,60 +176,60 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain, + static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, + entry_t *entry, bool add) + { +- struct { +- struct ipt_entry e; +- struct ipt_entry_match m; +- struct xt_udp udp; +- struct ipt_entry_target t; +- struct xt_mark_tginfo2 tm; +- } ipt = { +- .e = { +- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + +- sizeof(ipt.udp)), +- .next_offset = sizeof(ipt), +- .ip = { +- .proto = IPPROTO_UDP, +- }, ++ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + ++ XT_ALIGN(sizeof(struct xt_udp)); ++ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; ++ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + ++ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); ++ u_int16_t entry_size = target_offset + target_size; ++ u_char ipt[entry_size], *pos = ipt; ++ struct ipt_entry *e; ++ ++ memset(ipt, 0, sizeof(ipt)); ++ e = ADD_STRUCT(pos, struct ipt_entry, ++ .target_offset = target_offset, ++ .next_offset = entry_size, ++ .ip = { ++ .proto = IPPROTO_UDP, + }, +- .m = { +- .u = { +- .user = { +- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)), +- .name = "udp", +- }, ++ ); ++ if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) || ++ !host2in(entry->rhost, &e->ip.src, &e->ip.smsk)) ++ { ++ return FALSE; ++ } ++ ADD_STRUCT(pos, struct ipt_entry_match, ++ .u = { ++ .user = { ++ .match_size = match_size, ++ .name = "udp", + }, + }, +- .udp = { +- .spts = { +- entry->rhost->get_port(entry->rhost), +- entry->rhost->get_port(entry->lhost) +- }, +- .dpts = { +- entry->lhost->get_port(entry->lhost), +- entry->lhost->get_port(entry->lhost) +- }, ++ ); ++ ADD_STRUCT(pos, struct xt_udp, ++ .spts = { ++ 
entry->rhost->get_port(entry->rhost), ++ entry->rhost->get_port(entry->lhost) + }, +- .t = { +- .u = { +- .user = { +- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), +- .name = "MARK", +- .revision = 2, +- }, +- }, ++ .dpts = { ++ entry->lhost->get_port(entry->lhost), ++ entry->lhost->get_port(entry->lhost) + }, +- .tm = { +- .mark = entry->mark, +- .mask = ~0, ++ ); ++ ADD_STRUCT(pos, struct ipt_entry_target, ++ .u = { ++ .user = { ++ .target_size = target_size, ++ .name = "MARK", ++ .revision = 2, ++ }, + }, +- }; +- +- if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || +- !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk)) +- { +- return FALSE; +- } +- return manage_rule(ipth, "PREROUTING", add, &ipt.e); ++ ); ++ ADD_STRUCT(pos, struct xt_mark_tginfo2, ++ .mark = entry->mark, ++ .mask = ~0, ++ ); ++ return manage_rule(ipth, "PREROUTING", add, e); + } + + /** +@@ -225,53 +237,53 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, + */ + static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add) + { +- struct { +- struct ipt_entry e; +- struct ipt_entry_match m; +- struct xt_esp esp; +- struct ipt_entry_target t; +- struct xt_mark_tginfo2 tm; +- } ipt = { +- .e = { +- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + +- sizeof(ipt.esp)), +- .next_offset = sizeof(ipt), +- .ip = { +- .proto = IPPROTO_ESP, +- }, ++ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + ++ XT_ALIGN(sizeof(struct xt_esp)); ++ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; ++ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + ++ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); ++ u_int16_t entry_size = target_offset + target_size; ++ u_char ipt[entry_size], *pos = ipt; ++ struct ipt_entry *e; ++ ++ memset(ipt, 0, sizeof(ipt)); ++ e = ADD_STRUCT(pos, struct ipt_entry, ++ .target_offset = target_offset, ++ .next_offset = entry_size, ++ .ip = { ++ .proto = IPPROTO_ESP, + }, +- .m 
= { +- .u = { +- .user = { +- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)), +- .name = "esp", +- }, ++ ); ++ if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) || ++ !host2in(entry->rhost, &e->ip.src, &e->ip.smsk)) ++ { ++ return FALSE; ++ } ++ ADD_STRUCT(pos, struct ipt_entry_match, ++ .u = { ++ .user = { ++ .match_size = match_size, ++ .name = "esp", + }, + }, +- .esp = { +- .spis = { htonl(entry->spi), htonl(entry->spi) }, +- }, +- .t = { +- .u = { +- .user = { +- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), +- .name = "MARK", +- .revision = 2, +- }, ++ ); ++ ADD_STRUCT(pos, struct xt_esp, ++ .spis = { htonl(entry->spi), htonl(entry->spi) }, ++ ); ++ ADD_STRUCT(pos, struct ipt_entry_target, ++ .u = { ++ .user = { ++ .target_size = target_size, ++ .name = "MARK", ++ .revision = 2, + }, + }, +- .tm = { +- .mark = entry->mark, +- .mask = ~0, +- }, +- }; +- +- if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || +- !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk)) +- { +- return FALSE; +- } +- return manage_rule(ipth, "PREROUTING", add, &ipt.e); ++ ); ++ ADD_STRUCT(pos, struct xt_mark_tginfo2, ++ .mark = entry->mark, ++ .mask = ~0, ++ ); ++ return manage_rule(ipth, "PREROUTING", add, e); + } + + /** +@@ -291,45 +303,52 @@ static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add) + */ + static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add) + { +- struct { +- struct ipt_entry e; +- struct ipt_entry_target t; +- struct xt_mark_tginfo2 m; +- } ipt = { +- .e = { +- .target_offset = XT_ALIGN(sizeof(ipt.e)), +- .next_offset = sizeof(ipt), +- }, +- .t = { +- .u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)), +- .u.user.name = "MARK", +- .u.user.revision = 2, +- }, +- .m = { +- .mark = entry->mark, +- .mask = ~0, ++ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)); ++ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + ++ XT_ALIGN(sizeof(struct 
xt_mark_tginfo2)); ++ u_int16_t entry_size = target_offset + target_size; ++ u_char ipt[entry_size], *pos = ipt; ++ struct ipt_entry *e; ++ ++ memset(ipt, 0, sizeof(ipt)); ++ e = ADD_STRUCT(pos, struct ipt_entry, ++ .target_offset = target_offset, ++ .next_offset = entry_size, ++ ); ++ ADD_STRUCT(pos, struct ipt_entry_target, ++ .u = { ++ .user = { ++ .target_size = target_size, ++ .name = "MARK", ++ .revision = 2, ++ }, + }, +- }; ++ ); ++ ADD_STRUCT(pos, struct xt_mark_tginfo2, ++ .mark = entry->mark, ++ .mask = ~0, ++ ); ++ + enumerator_t *enumerator; + traffic_selector_t *ts; + + enumerator = array_create_enumerator(entry->rts); + while (enumerator->enumerate(enumerator, &ts)) + { +- if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk)) ++ if (!ts2in(ts, &e->ip.dst, &e->ip.dmsk)) + { + continue; + } +- if (ipt.e.ip.dst.s_addr == 0xffffffff || +- ipt.e.ip.dst.s_addr == entry->broadcast || +- memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1)) ++ if (e->ip.dst.s_addr == 0xffffffff || ++ e->ip.dst.s_addr == entry->broadcast || ++ memeq(&e->ip.dst.s_addr, "\xe0", 1)) + { + /* skip broadcast/multicast selectors, they are shared and the mark + * is set by the socket we use for reinjection */ + continue; + } +- if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) || +- !manage_rule(ipth, "OUTPUT", add, &ipt.e)) ++ if (!manage_rule(ipth, "PREROUTING", add, e) || ++ !manage_rule(ipth, "OUTPUT", add, e)) + { + enumerator->destroy(enumerator); + return FALSE; +-- +2.4.10 From 108197ddcf284d65e2b10baa735970ed1382bf75 Mon Sep 17 00:00:00 2001 From: Stijn Tintel Date: Mon, 28 Mar 2016 20:42:19 +0200 Subject: [PATCH 4/4] strongswan: bump to 5.4.0 
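Review bot: In `manage_pre_esp_in_udp` of the carried forecast patch, the new-side `.spts` initializer reads `entry->rhost->get_port(entry->rhost), entry->rhost->get_port(entry->lhost)`; strongswan's method pointers take the receiver as their argument, so the second call returns lhost's port and the source-port match becomes the range [rhost port, lhost port] rather than a single port, and when rhost's port is the higher one the inverted range would match nothing. The connmark patch in patch 2/4 writes the same field as `src->get_port(src), src->get_port(src)`, which looks like the intended form, so the second element should presumably be `entry->rhost->get_port(entry->rhost)`. The line is carried over unchanged from the old side, so this is an upstream issue to report rather than one introduced here, and patch 4/4 removes the file again with the 5.4.0 bump.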
Signed-off-by: Stijn Tintel --- net/strongswan/Makefile | 10 +- net/strongswan/patches/101-musl-fixes.patch | 12 +- ...cast-Fix-alignment-when-adding-rules.patch | 324 -------------- ...mark-Fix-alignment-when-adding-rules.patch | 411 ------------------ net/strongswan/patches/201-kmodloader.patch | 4 +- net/strongswan/patches/210-sleep.patch | 10 +- .../patches/305-minimal_dh_plugin.patch | 8 +- 7 files changed, 22 insertions(+), 757 deletions(-) delete mode 100644 net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch delete mode 100644 net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile index 85f733e312..b91f5e1b55 100644 --- a/net/strongswan/Makefile +++ b/net/strongswan/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=strongswan -PKG_VERSION:=5.3.5 -PKG_RELEASE:=3 +PKG_VERSION:=5.4.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/ -PKG_MD5SUM:=a2f9ea185f27e7f8413d4cd2ee61efe4 +PKG_MD5SUM:=9d7c77b0da9b69f859624897e5e9ebbf PKG_LICENSE:=GPL-2.0+ PKG_MAINTAINER:=Steven Barth @@ -399,7 +399,7 @@ define Package/strongswan/install $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/ $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/ $(INSTALL_DIR) $(1)/usr/lib/ipsec - $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/ $(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/ $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/ $(INSTALL_DIR) $(1)/etc/init.d 
@@ -562,7 +562,7 @@ $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charo $(eval $(call BuildPlugin,sql,SQL database interface,)) $(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3)) $(eval $(call BuildPlugin,sshkey,SSH key decoding,)) -$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils)) +$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-charon +strongswan-utils)) $(eval $(call BuildPlugin,test-vectors,crypto test vectors,)) $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci)) $(eval $(call BuildPlugin,unity,Cisco Unity extension,)) diff --git a/net/strongswan/patches/101-musl-fixes.patch b/net/strongswan/patches/101-musl-fixes.patch index 3b90e6cf2e..a360d1cab9 100644 --- a/net/strongswan/patches/101-musl-fixes.patch +++ b/net/strongswan/patches/101-musl-fixes.patch @@ -50,8 +50,8 @@ +#undef blkcnt_t +#undef crypt +#undef encrypt ---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c -+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -18,6 +18,8 @@ * for more details. */ @@ -61,8 +61,8 @@ #include #include #include ---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c -+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c @@ -37,6 +37,8 @@ * THE SOFTWARE. */ @@ -72,8 +72,8 @@ #include #include #include ---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c -+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c +--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c ++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c @@ -15,6 +15,8 @@ * for more details. */ 
diff --git a/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch b/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch deleted file mode 100644 index 4e743f5f12..0000000000 --- a/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch +++ /dev/null 
@@ -1,324 +0,0 @@ -From 1f642f872abe39cb5a67a87c4e9b63c9d78657d7 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Mon, 30 Nov 2015 16:30:22 +0100 -Subject: [PATCH 2/2] forecast: Fix alignment when adding rules - -Basically the same issue as with the connmark plugin. - - #1212 ---- - src/libcharon/plugins/forecast/forecast_listener.c | 247 +++++++++++---------- - 1 file changed, 133 insertions(+), 114 deletions(-) - -diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c -index 63a8cb1..7e93617 100644 ---- a/src/libcharon/plugins/forecast/forecast_listener.c -+++ b/src/libcharon/plugins/forecast/forecast_listener.c -@@ -1,4 +1,7 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner -+ * Hochschule fuer Technik Rapperswil -+ * - * Copyright (C) 2010-2014 Martin Willi - * Copyright (C) 2010-2014 revosec AG - * -@@ -25,6 +28,15 @@ - #include - #include - -+/** -+ * Add a struct at the current position in the buffer -+ */ -+#define ADD_STRUCT(pos, st, ...) 
({\ -+ typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\ -+ *(st*)_cur = (st){ __VA_ARGS__ };\ -+ (st*)_cur;\ -+}) -+ - typedef struct private_forecast_listener_t private_forecast_listener_t; - - /** -@@ -164,60 +176,60 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain, - static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, - entry_t *entry, bool add) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_udp udp; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 tm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.udp)), -- .next_offset = sizeof(ipt), -- .ip = { -- .proto = IPPROTO_UDP, -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_udp)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ .ip = { -+ .proto = IPPROTO_UDP, - }, -- .m = { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)), -- .name = "udp", -- }, -+ ); -+ if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) || -+ !host2in(entry->rhost, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = match_size, -+ .name = "udp", - }, - }, -- .udp = { -- .spts = { -- entry->rhost->get_port(entry->rhost), -- entry->rhost->get_port(entry->lhost) -- }, -- .dpts = { -- entry->lhost->get_port(entry->lhost), -- entry->lhost->get_port(entry->lhost) -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_udp, -+ .spts = { -+ 
entry->rhost->get_port(entry->rhost), -+ entry->rhost->get_port(entry->lhost) - }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), -- .name = "MARK", -- .revision = 2, -- }, -- }, -+ .dpts = { -+ entry->lhost->get_port(entry->lhost), -+ entry->lhost->get_port(entry->lhost) - }, -- .tm = { -- .mark = entry->mark, -- .mask = ~0, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, -+ }, - }, -- }; -- -- if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "PREROUTING", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = entry->mark, -+ .mask = ~0, -+ ); -+ return manage_rule(ipth, "PREROUTING", add, e); - } - - /** -@@ -225,53 +237,53 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth, - */ - static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_esp esp; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 tm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.esp)), -- .next_offset = sizeof(ipt), -- .ip = { -- .proto = IPPROTO_ESP, -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_esp)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ .ip = { -+ .proto = IPPROTO_ESP, - }, -- .m 
= { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)), -- .name = "esp", -- }, -+ ); -+ if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) || -+ !host2in(entry->rhost, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = match_size, -+ .name = "esp", - }, - }, -- .esp = { -- .spis = { htonl(entry->spi), htonl(entry->spi) }, -- }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), -- .name = "MARK", -- .revision = 2, -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_esp, -+ .spis = { htonl(entry->spi), htonl(entry->spi) }, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, - }, - }, -- .tm = { -- .mark = entry->mark, -- .mask = ~0, -- }, -- }; -- -- if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "PREROUTING", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = entry->mark, -+ .mask = ~0, -+ ); -+ return manage_rule(ipth, "PREROUTING", add, e); - } - - /** -@@ -291,45 +303,52 @@ static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add) - */ - static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 m; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e)), -- .next_offset = sizeof(ipt), -- }, -- .t = { -- .u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)), -- .u.user.name = "MARK", -- .u.user.revision = 2, -- }, -- .m = { -- .mark = entry->mark, -- .mask = ~0, -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)); -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct 
xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, -+ }, - }, -- }; -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = entry->mark, -+ .mask = ~0, -+ ); -+ - enumerator_t *enumerator; - traffic_selector_t *ts; - - enumerator = array_create_enumerator(entry->rts); - while (enumerator->enumerate(enumerator, &ts)) - { -- if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk)) -+ if (!ts2in(ts, &e->ip.dst, &e->ip.dmsk)) - { - continue; - } -- if (ipt.e.ip.dst.s_addr == 0xffffffff || -- ipt.e.ip.dst.s_addr == entry->broadcast || -- memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1)) -+ if (e->ip.dst.s_addr == 0xffffffff || -+ e->ip.dst.s_addr == entry->broadcast || -+ memeq(&e->ip.dst.s_addr, "\xe0", 1)) - { - /* skip broadcast/multicast selectors, they are shared and the mark - * is set by the socket we use for reinjection */ - continue; - } -- if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) || -- !manage_rule(ipth, "OUTPUT", add, &ipt.e)) -+ if (!manage_rule(ipth, "PREROUTING", add, e) || -+ !manage_rule(ipth, "OUTPUT", add, e)) - { - enumerator->destroy(enumerator); - return FALSE; --- -2.4.10 diff --git a/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch b/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch deleted file mode 100644 index 963bd1bfc5..0000000000 --- a/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch +++ /dev/null 
@@ -1,411 +0,0 @@ -From a4d7f5ee6f36decdcd18d70078e1f0a847fe9b24 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Mon, 30 Nov 2015 16:04:35 +0100 -Subject: [PATCH 1/2] connmark: Fix alignment when adding rules - -The structs that make up a message sent to the kernel have all to be -aligned with XT_ALIGN. That was not necessarily the case when -initializing the complete message as struct. - - #1212 ---- - src/libcharon/plugins/connmark/connmark_listener.c | 332 +++++++++++---------- - 1 file changed, 172 insertions(+), 160 deletions(-) - -diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c -index 23df690..cd53701 100644 ---- a/src/libcharon/plugins/connmark/connmark_listener.c -+++ b/src/libcharon/plugins/connmark/connmark_listener.c -@@ -1,4 +1,7 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner -+ * Hochschule fuer Technik Rapperswil -+ * - * Copyright (C) 2014 Martin Willi - * Copyright (C) 2014 revosec AG - * -@@ -25,6 +28,14 @@ - #include - #include - -+/** -+ * Add a struct at the current position in the buffer -+ */ -+#define ADD_STRUCT(pos, st, ...) 
({\ -+ typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\ -+ *(st*)_cur = (st){ __VA_ARGS__ };\ -+ (st*)_cur;\ -+}) - - typedef struct private_connmark_listener_t private_connmark_listener_t; - -@@ -108,54 +119,54 @@ static bool manage_pre_esp_in_udp(private_connmark_listener_t *this, - u_int mark, u_int32_t spi, - host_t *dst, host_t *src) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_udp udp; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 tm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.udp)), -- .next_offset = sizeof(ipt), -- .ip = { -- .proto = IPPROTO_UDP, -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_udp)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ .ip = { -+ .proto = IPPROTO_UDP, - }, -- .m = { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)), -- .name = "udp", -- }, -+ ); -+ if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) || -+ !host2in(src, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = match_size, -+ .name = "udp", - }, - }, -- .udp = { -- .spts = { src->get_port(src), src->get_port(src) }, -- .dpts = { dst->get_port(dst), dst->get_port(dst) }, -- }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), -- .name = "MARK", -- .revision = 2, -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_udp, -+ .spts = { src->get_port(src), src->get_port(src) }, -+ 
.dpts = { dst->get_port(dst), dst->get_port(dst) }, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, - }, - }, -- .tm = { -- .mark = mark, -- .mask = ~0, -- }, -- }; -- -- if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "PREROUTING", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = mark, -+ .mask = ~0, -+ ); -+ return manage_rule(ipth, "PREROUTING", add, e); - } - - /** -@@ -166,53 +177,53 @@ static bool manage_pre_esp(private_connmark_listener_t *this, - u_int mark, u_int32_t spi, - host_t *dst, host_t *src) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_esp esp; -- struct ipt_entry_target t; -- struct xt_mark_tginfo2 tm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.esp)), -- .next_offset = sizeof(ipt), -- .ip = { -- .proto = IPPROTO_ESP, -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_esp)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_mark_tginfo2)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ .ip = { -+ .proto = IPPROTO_ESP, - }, -- .m = { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)), -- .name = "esp", -- }, -+ ); -+ if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) || -+ !host2in(src, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = 
match_size, -+ .name = "esp", - }, - }, -- .esp = { -- .spis = { htonl(spi), htonl(spi) }, -- }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)), -- .name = "MARK", -- .revision = 2, -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_esp, -+ .spis = { htonl(spi), htonl(spi) }, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "MARK", -+ .revision = 2, - }, - }, -- .tm = { -- .mark = mark, -- .mask = ~0, -- }, -- }; -- -- if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "PREROUTING", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_mark_tginfo2, -+ .mark = mark, -+ .mask = ~0, -+ ); -+ return manage_rule(ipth, "PREROUTING", add, e); - } - - /** -@@ -238,59 +249,59 @@ static bool manage_in(private_connmark_listener_t *this, - u_int mark, u_int32_t spi, - traffic_selector_t *dst, traffic_selector_t *src) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_match m; -- struct xt_policy_info p; -- struct ipt_entry_target t; -- struct xt_connmark_tginfo1 cm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) + -- sizeof(ipt.p)), -- .next_offset = sizeof(ipt), -- }, -- .m = { -- .u = { -- .user = { -- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)), -- .name = "policy", -- }, -+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) + -+ XT_ALIGN(sizeof(struct xt_policy_info)); -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size; -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_connmark_tginfo1)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = 
entry_size, -+ ); -+ if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) || -+ !ts2in(src, &e->ip.src, &e->ip.smsk)) -+ { -+ return FALSE; -+ } -+ ADD_STRUCT(pos, struct ipt_entry_match, -+ .u = { -+ .user = { -+ .match_size = match_size, -+ .name = "policy", - }, - }, -- .p = { -- .pol = { -- { -- .spi = spi, -- .match.spi = 1, -- }, -+ ); -+ ADD_STRUCT(pos, struct xt_policy_info, -+ .pol = { -+ { -+ .spi = spi, -+ .match.spi = 1, - }, -- .len = 1, -- .flags = XT_POLICY_MATCH_IN, - }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)), -- .name = "CONNMARK", -- .revision = 1, -- }, -+ .len = 1, -+ .flags = XT_POLICY_MATCH_IN, -+ ); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "CONNMARK", -+ .revision = 1, - }, - }, -- .cm = { -- .ctmark = mark, -- .ctmask = ~0, -- .nfmask = ~0, -- .mode = XT_CONNMARK_SET, -- }, -- }; -- -- if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk)) -- { -- return FALSE; -- } -- return manage_rule(ipth, "INPUT", add, &ipt.e); -+ ); -+ ADD_STRUCT(pos, struct xt_connmark_tginfo1, -+ .ctmark = mark, -+ .ctmask = ~0, -+ .nfmask = ~0, -+ .mode = XT_CONNMARK_SET, -+ ); -+ return manage_rule(ipth, "INPUT", add, e); - } - - /** -@@ -300,37 +311,38 @@ static bool manage_out(private_connmark_listener_t *this, - struct iptc_handle *ipth, bool add, - traffic_selector_t *dst, traffic_selector_t *src) - { -- struct { -- struct ipt_entry e; -- struct ipt_entry_target t; -- struct xt_connmark_tginfo1 cm; -- } ipt = { -- .e = { -- .target_offset = XT_ALIGN(sizeof(ipt.e)), -- .next_offset = sizeof(ipt), -- }, -- .t = { -- .u = { -- .user = { -- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)), -- .name = "CONNMARK", -- .revision = 1, -- }, -- }, -- }, -- .cm = { -- .ctmask = ~0, -- .nfmask = ~0, -- .mode = XT_CONNMARK_RESTORE, -- }, -- }; -- -- if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) || -- !ts2in(src, 
&ipt.e.ip.src, &ipt.e.ip.smsk)) -+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)); -+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) + -+ XT_ALIGN(sizeof(struct xt_connmark_tginfo1)); -+ u_int16_t entry_size = target_offset + target_size; -+ u_char ipt[entry_size], *pos = ipt; -+ struct ipt_entry *e; -+ -+ memset(ipt, 0, sizeof(ipt)); -+ e = ADD_STRUCT(pos, struct ipt_entry, -+ .target_offset = target_offset, -+ .next_offset = entry_size, -+ ); -+ if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) || -+ !ts2in(src, &e->ip.src, &e->ip.smsk)) - { - return FALSE; - } -- return manage_rule(ipth, "OUTPUT", add, &ipt.e); -+ ADD_STRUCT(pos, struct ipt_entry_target, -+ .u = { -+ .user = { -+ .target_size = target_size, -+ .name = "CONNMARK", -+ .revision = 1, -+ }, -+ }, -+ ); -+ ADD_STRUCT(pos, struct xt_connmark_tginfo1, -+ .ctmask = ~0, -+ .nfmask = ~0, -+ .mode = XT_CONNMARK_RESTORE, -+ ); -+ return manage_rule(ipth, "OUTPUT", add, e); - } - - /** --- -2.4.10 diff --git a/net/strongswan/patches/201-kmodloader.patch b/net/strongswan/patches/201-kmodloader.patch index 7d46156384..cd74f27119 100644 --- a/net/strongswan/patches/201-kmodloader.patch +++ b/net/strongswan/patches/201-kmodloader.patch @@ -1,6 +1,6 @@ --- a/src/starter/netkey.c +++ b/src/starter/netkey.c -@@ -31,7 +31,7 @@ bool starter_netkey_init(void) +@@ -30,7 +30,7 @@ bool starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { @@ -9,7 +9,7 @@ } /* now test again */ -@@ -45,11 +45,11 @@ bool starter_netkey_init(void) +@@ -44,11 +44,11 @@ bool starter_netkey_init(void) /* make sure that all required IPsec modules are loaded */ if (stat(PROC_MODULES, &stb) == 0) { diff --git a/net/strongswan/patches/210-sleep.patch b/net/strongswan/patches/210-sleep.patch index ea799671eb..54b0efca5d 100644 --- a/net/strongswan/patches/210-sleep.patch +++ b/net/strongswan/patches/210-sleep.patch 
@@ -4,8 +4,8 @@ loop=110 while [ $loop -gt 0 ] ; do kill -0 $spid 2>/dev/null || break -- sleep 0.1 -+ sleep 1 - loop=$(($loop - 1)) - done - if [ $loop -eq 0 ] +- sleep 0.1 2>/dev/null ++ sleep 1 2>/dev/null + if [ $? -ne 0 ] + then + sleep 1 diff --git a/net/strongswan/patches/305-minimal_dh_plugin.patch b/net/strongswan/patches/305-minimal_dh_plugin.patch index e060ec36cf..adf5fd8e79 100644 --- a/net/strongswan/patches/305-minimal_dh_plugin.patch +++ b/net/strongswan/patches/305-minimal_dh_plugin.patch @@ -8,7 +8,7 @@ ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.]) ARG_DISBL_SET([md5], [disable MD5 software implementation plugin.]) -@@ -1312,6 +1313,7 @@ ADD_PLUGIN([gcrypt], [s ch +@@ -1325,6 +1326,7 @@ ADD_PLUGIN([gcrypt], [s ch ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) ADD_PLUGIN([fips-prf], [s charon nm cmd]) ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen]) @@ -16,7 +16,7 @@ ADD_PLUGIN([agent], [s charon nm cmd]) ADD_PLUGIN([keychain], [s charon cmd]) ADD_PLUGIN([chapoly], [s charon scripts nm cmd]) -@@ -1444,6 +1446,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x +@@ -1458,6 +1460,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue) AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) @@ -24,7 +24,7 @@ AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue) AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue) -@@ -1692,6 +1695,7 @@ AC_CONFIG_FILES([ +@@ -1707,6 +1710,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile @@ -34,7 +34,7 @@ src/libstrongswan/plugins/random/Makefile --- a/src/libstrongswan/Makefile.am 
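Review bot: The refreshed hunk still swaps `sleep 0.1 2>/dev/null` for `sleep 1 2>/dev/null`, but the upstream context it now sits in already handles a rejected sub-second sleep with `if [ $? -ne 0 ]` / `then` / `sleep 1`, so the substitution makes that fallback unreachable and only lengthens the poll interval tenfold. Because `loop=110` is unchanged in the context, the worst-case wait on the stop path grows from roughly 11 s to roughly 110 s; the loop decrement and the closing `fi` are outside the hunk, so the iteration count is inferred from the visible lines. Unless a busybox build exists where `sleep 0.1` fails without a non-zero exit status, consider dropping 210-sleep.patch for this version instead of refreshing it, or keep upstream's line and lower `loop` so the timeout stays the same.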
+++ b/src/libstrongswan/Makefile.am -@@ -303,6 +303,13 @@ if MONOLITHIC +@@ -305,6 +305,13 @@ if MONOLITHIC endif endif