rpms-fedora-extras/strongswan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: rpms-fedora-extras:strongswan-5.9.14-5.fc42
Branches Tags
rpms-fedora-extras:master rpms-fedora-extras:strongswan-6.0.2-4.fc42 rpms-fedora-extras:strongswan-5.9.14-5.fc42 rpms-fedora-extras:strongswan-6.0.1-1.fc41 rpms-fedora-extras:strongswan-5.9.14-5.fc41 rpms-fedora-extras:strongswan-5.9.14-1.fc40 rpms-fedora-extras:strongswan-5.9.11-3.fc40 rpms-fedora-extras:strongswan-5.9.11-2.fc39 rpms-fedora-extras:strongswan-5.9.11-1.fc38 rpms-fedora-extras:strongswan-5.9.10-1.fc38 rpms-fedora-extras:strongswan-5.9.9-2.fc37 rpms-fedora-extras:strongswan-5.9.8-1.fc36 rpms-fedora-extras:strongswan-5.9.6-1.fc36 rpms-fedora-extras:strongswan-5.9.5-3.fc35 rpms-fedora-extras:strongswan-5.9.5-3.fc36 rpms-fedora-extras:f35 rpms-fedora-extras:strongswan-5.9.5-2.fc35 rpms-fedora-extras:strongswan-5.9.4-4.fc35 rpms-fedora-extras:strongswan-5.9.4-2.fc35 rpms-fedora-extras:strongswan-5.9.4-1.fc34 rpms-fedora-extras:strongswan-5.9.3-1.fc34 rpms-fedora-extras:strongswan-5.9.1-1.fc32 rpms-fedora-extras:strongswan-5.9.1-1.fc33 rpms-fedora-extras:strongswan-5.9.1-1.fc34 rpms-fedora-extras:strongswan-5.9.0-2.fc32 rpms-fedora-extras:5.9.2-test rpms-fedora-extras:strongswan-5.9.0-2.fc33 rpms-fedora-extras:5.9.0-1.fc32 rpms-fedora-extras:strongswan-5.8.4-2.fc32 rpms-fedora-extras:strongswan-5.8.2-2.fc31 rpms-fedora-extras:f32 rpms-fedora-extras:strongswan-5.7.2-3.fc31-vici rpms-fedora-extras:strongswan-5.7.2-2.fc31-vici rpms-fedora-extras:strongswan-5.6.3-2.fc31-vici rpms-fedora-extras:f31
..
compare: rpms-fedora-extras:strongswan-5.9.4-1.fc34
Branches Tags
rpms-fedora-extras:strongswan-6.0.2-4.fc42 rpms-fedora-extras:strongswan-5.9.14-5.fc42 rpms-fedora-extras:strongswan-6.0.1-1.fc41 rpms-fedora-extras:strongswan-5.9.14-5.fc41 rpms-fedora-extras:strongswan-5.9.14-1.fc40 rpms-fedora-extras:strongswan-5.9.11-3.fc40 rpms-fedora-extras:strongswan-5.9.11-2.fc39 rpms-fedora-extras:strongswan-5.9.11-1.fc38 rpms-fedora-extras:strongswan-5.9.10-1.fc38 rpms-fedora-extras:strongswan-5.9.9-2.fc37 rpms-fedora-extras:strongswan-5.9.8-1.fc36 rpms-fedora-extras:strongswan-5.9.6-1.fc36 rpms-fedora-extras:strongswan-5.9.5-3.fc35 rpms-fedora-extras:strongswan-5.9.5-3.fc36 rpms-fedora-extras:f35 rpms-fedora-extras:strongswan-5.9.5-2.fc35 rpms-fedora-extras:strongswan-5.9.4-4.fc35 rpms-fedora-extras:strongswan-5.9.4-2.fc35 rpms-fedora-extras:strongswan-5.9.4-1.fc34 rpms-fedora-extras:strongswan-5.9.3-1.fc34 rpms-fedora-extras:strongswan-5.9.1-1.fc32 rpms-fedora-extras:strongswan-5.9.1-1.fc33 rpms-fedora-extras:strongswan-5.9.1-1.fc34 rpms-fedora-extras:strongswan-5.9.0-2.fc32 rpms-fedora-extras:5.9.2-test rpms-fedora-extras:strongswan-5.9.0-2.fc33 rpms-fedora-extras:master rpms-fedora-extras:5.9.0-1.fc32 rpms-fedora-extras:strongswan-5.8.4-2.fc32 rpms-fedora-extras:strongswan-5.8.2-2.fc31 rpms-fedora-extras:f32 rpms-fedora-extras:strongswan-5.7.2-3.fc31-vici rpms-fedora-extras:strongswan-5.7.2-2.fc31-vici rpms-fedora-extras:strongswan-5.6.3-2.fc31-vici rpms-fedora-extras:f31

1 Commits
strongswan ... strongswan

Author SHA1 Message Date
Zoran Peričić
12a24a66d2 Patch vici for NHRP 2021-11-01 16:34:10 +01:00
15 changed files with 619 additions and 1522 deletions
Expand all files Collapse all files

15
.gitignore vendored
View File

@@ -4,18 +4,3 @@
/strongswan-5.9.2.tar.bz2
/strongswan-5.9.3.tar.bz2
/strongswan-5.9.4.tar.bz2
/948F158A4E76A27BF3D07532DF42C170B34DBA77
/strongswan-5.9.5.tar.bz2
/strongswan-5.9.5.tar.bz2.sig
/strongswan-5.9.6.tar.bz2
/strongswan-5.9.6.tar.bz2.sig
/strongswan-5.9.8.tar.bz2
/strongswan-5.9.8.tar.bz2.sig
/strongswan-5.9.9.tar.bz2
/strongswan-5.9.9.tar.bz2.sig
/strongswan-5.9.10.tar.bz2
/strongswan-5.9.10.tar.bz2.sig
/strongswan-5.9.11.tar.bz2
/strongswan-5.9.11.tar.bz2.sig
/strongswan-5.9.14.tar.bz2
/strongswan-5.9.14.tar.bz2.sig

547
0001-charon-add-optional-source-and-remote-overrides-for-.patch
View File

@@ -1,37 +1,117 @@
From d917774f73954cc6367e73b775ff9ea115d6fd28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
Date: Tue, 9 Jul 2024 19:07:57 +0200
From c2e02e7aa1aead5f5c9c6ceef7f3569d90deb20f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Mon, 21 Sep 2015 13:41:58 +0300
Subject: [PATCH 1/4] charon: add optional source and remote overrides for
initiate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This introduces support for specifying optional IKE SA specific
source and remote address for child sa initiation. This allows
to initiate wildcard connection for known address via vici.
In addition this allows simpler implementation of trap-any patches
In addition this allows impler implementation of trap-any patches
and is a prerequisite for dmvpn support.
---
src/libcharon/control/controller.c | 34 ++++++++++++++++--
src/libcharon/control/controller.h | 28 +++++++++++++++
src/libcharon/plugins/vici/vici_control.c | 41 +++++++++++++++++----
src/libcharon/sa/ike_sa_manager.c | 34 +++++++++++++++++-
src/libcharon/sa/ike_sa_manager.h | 25 ++++++++++++-
src/libcharon/sa/trap_manager.c | 44 +++++++++--------------
src/swanctl/commands/initiate.c | 19 +++++++++-
7 files changed, 186 insertions(+), 39 deletions(-)
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
src/charon-cmd/cmd/cmd_connection.c | 2 +-
src/charon-nm/nm/nm_service.c | 2 +-
src/conftest/actions.c | 2 +-
.../backend/android_service.c | 2 +-
src/frontends/osx/charon-xpc/xpc_dispatch.c | 1 +
src/libcharon/control/controller.c | 44 ++++++++++++-
src/libcharon/control/controller.h | 3 +
.../plugins/load_tester/load_tester_control.c | 1 +
.../plugins/load_tester/load_tester_plugin.c | 1 +
src/libcharon/plugins/medcli/medcli_config.c | 3 +-
src/libcharon/plugins/smp/smp.c | 3 +-
src/libcharon/plugins/stroke/stroke_control.c | 5 +-
src/libcharon/plugins/uci/uci_control.c | 1 +
src/libcharon/plugins/vici/vici_config.c | 2 +-
src/libcharon/plugins/vici/vici_control.c | 61 ++++++++++++++++---
.../processing/jobs/initiate_mediation_job.c | 1 +
.../processing/jobs/start_action_job.c | 2 +-
src/libcharon/sa/ike_sa_manager.c | 49 ++++++++++++++-
src/libcharon/sa/ike_sa_manager.h | 8 ++-
src/libcharon/sa/trap_manager.c | 44 ++++++-------
src/swanctl/commands/initiate.c | 40 +++++++++++-
21 files changed, 227 insertions(+), 50 deletions(-)
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 0481d78d4..805d6f198 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -438,7 +438,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
child_cfg = create_child_cfg(this, peer_cfg);
if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
+ NULL, NULL, controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
{
terminate(pid);
}
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 2d93b2fae..482170d76 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -883,7 +883,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
* Prepare IKE_SA
*/
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
- peer_cfg);
+ peer_cfg, NULL, NULL);
peer_cfg->destroy(peer_cfg);
if (!ike_sa)
{
diff --git a/src/conftest/actions.c b/src/conftest/actions.c
index 66e41f743..64ef8e9ee 100644
--- a/src/conftest/actions.c
+++ b/src/conftest/actions.c
@@ -65,7 +65,7 @@ static job_requeue_t initiate(char *config)
{
DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- NULL, NULL, 0, FALSE);
+ NULL, NULL, NULL, NULL, 0, FALSE);
}
else
{
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 027f48e937..ac4661a323 100644
index 46b065e3f..fbaff8730 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -1,4 +1,6 @@
/*
+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
@@ -15,6 +15,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
* Copyright (C) 2011-2023 Tobias Brunner
* Copyright (C) 2007-2011 Martin Willi
*
@@ -107,6 +109,16 @@ struct interface_listener_t {
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#include "controller.h"
#include <sys/types.h>
@@ -102,6 +124,16 @@ struct interface_listener_t {
*/
ike_sa_t *ike_sa;
@@ -48,16 +128,15 @@ index 027f48e937..ac4661a323 100644
/**
* unique ID, used for various methods
*/
@@ -417,10 +429,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
@@ -414,10 +446,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
ike_sa_t *ike_sa;
interface_listener_t *listener = &job->listener;
peer_cfg_t *peer_cfg = listener->peer_cfg;
+ host_t *my_host = listener->my_host;
+ host_t *other_host = listener->other_host;
- ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
- peer_cfg);
+ ike_sa = charon->ike_sa_manager->checkout_by_config2(charon->ike_sa_manager,
+ peer_cfg, my_host, other_host);
peer_cfg->destroy(peer_cfg);
+
@@ -67,23 +146,23 @@ index 027f48e937..ac4661a323 100644
if (!ike_sa)
{
DESTROY_IF(listener->child_cfg);
@@ -501,6 +519,15 @@ METHOD(controller_t, initiate, status_t,
private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
controller_cb_t callback, void *param, level_t max_level, u_int timeout,
bool limits)
+{
+ return this->public.initiate2(&this->public, peer_cfg, child_cfg, NULL, NULL, callback, param, max_level, timeout, limits);
+}
@@ -425,6 +463,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
listener_done(listener);
return JOB_REQUEUE_NONE;
}
+
+METHOD(controller_t, initiate2, status_t,
+ private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
listener->lock->lock(listener->lock);
listener->ike_sa = ike_sa;
listener->lock->unlock(listener->lock);
@@ -492,6 +531,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
METHOD(controller_t, initiate, status_t,
private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ host_t *my_host, host_t *other_host,
+ controller_cb_t callback, void *param, level_t max_level, u_int timeout,
+ bool limits)
controller_cb_t callback, void *param, u_int timeout, bool limits)
{
interface_job_t *job;
status_t status;
@@ -523,6 +550,8 @@ METHOD(controller_t, initiate, status_t,
@@ -514,6 +554,8 @@ METHOD(controller_t, initiate, status_t,
.status = FAILED,
.child_cfg = child_cfg,
.peer_cfg = peer_cfg,
@@ -92,65 +171,161 @@ index 027f48e937..ac4661a323 100644
.lock = spinlock_create(),
.options.limits = limits,
},
@@ -770,6 +799,7 @@ controller_t *controller_create(void)
.public = {
.create_ike_sa_enumerator = _create_ike_sa_enumerator,
.initiate = _initiate,
+ .initiate2 = _initiate2,
.terminate_ike = _terminate_ike,
.terminate_child = _terminate_child,
.destroy = _destroy,
diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
index 36a1d46317..f5c60e2e72 100644
index b4ccfced2..7a088b122 100644
--- a/src/libcharon/control/controller.h
+++ b/src/libcharon/control/controller.h
@@ -98,6 +98,34 @@ struct controller_t {
controller_cb_t callback, void *param,
level_t max_level, u_int timeout, bool limits);
+ /**
+ * Initiate a CHILD_SA, and if required, an IKE_SA.
+ *
+ * If a callback is provided the function is synchronous and thus blocks
+ * until the IKE_SA is established or failed.
+ *
+ * @param peer_cfg peer_cfg to use for IKE_SA setup
+ * @param child_cfg optional child_cfg to set up CHILD_SA from
@@ -79,6 +79,8 @@ struct controller_t {
*
* @param peer_cfg peer_cfg to use for IKE_SA setup
* @param child_cfg optional child_cfg to set up CHILD_SA from
+ * @param my_host optional address hint for source
+ * @param other_host optional address hint for destination
+ * @param cb logging callback
+ * @param param parameter to include in each call of cb
+ * @param max_level maximum log level for which cb is invoked
+ * @param timeout timeout in ms to wait for callbacks, 0 to disable
+ * @param limits whether to check limits regarding IKE_SA initiation
+ * @return
+ * - SUCCESS, if CHILD_SA established
+ * - FAILED, if setup failed
+ * - NEED_MORE, if callback returned FALSE
+ * - OUT_OF_RES if timed out
+ * - INVALID_STATE if limits prevented initiation
+ */
+ status_t (*initiate2)(controller_t *this,
+ peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
* @param cb logging callback
* @param param parameter to include in each call of cb
* @param timeout timeout in ms to wait for callbacks, 0 to disable
@@ -92,6 +94,7 @@ struct controller_t {
*/
status_t (*initiate)(controller_t *this,
peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ host_t *my_host, host_t *other_host,
+ controller_cb_t callback, void *param,
+ level_t max_level, u_int timeout, bool limits);
+
/**
* Terminate an IKE_SA and all of its CHILD_SAs.
*
controller_cb_t callback, void *param, u_int timeout,
bool limits);
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
index 8e89ab435..9dfd415ca 100644
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -239,6 +239,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io)
switch (charon->controller->initiate(charon->controller,
peer_cfg, child_cfg->get_ref(child_cfg),
+ NULL, NULL,
(void*)initiate_cb, listener, 0, FALSE))
{
case NEED_MORE:
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 961c10406..f59294d88 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -151,6 +151,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
charon->controller->initiate(charon->controller,
peer_cfg, child_cfg->get_ref(child_cfg),
+ NULL, NULL,
NULL, NULL, 0, FALSE);
if (s)
{
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index e88c11d3a..d4ce4f203 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -349,7 +349,8 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
peer_cfg->get_ref(peer_cfg);
enumerator->destroy(enumerator);
charon->controller->initiate(charon->controller,
- peer_cfg, child_cfg, NULL, NULL, 0, FALSE);
+ peer_cfg, child_cfg, NULL, NULL,
+ NULL, NULL, 0, FALSE);
}
else
{
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 2953a603b..f028406fb 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -493,7 +493,8 @@ static void request_control_initiate(xmlTextReaderPtr reader,
if (child)
{
status = charon->controller->initiate(charon->controller,
- peer, child, (controller_cb_t)xml_callback,
+ peer, child, NULL, NULL,
+ (controller_cb_t)xml_callback,
writer, 0, FALSE);
}
else
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 8d84b934e..b00d0e62d 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -108,7 +108,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
if (msg->output_verbosity < 0)
{
charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- NULL, NULL, 0, FALSE);
+ NULL, NULL, NULL, NULL, 0, FALSE);
}
else
{
@@ -116,7 +116,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
status_t status;
status = charon->controller->initiate(charon->controller,
- peer_cfg, child_cfg, (controller_cb_t)stroke_log,
+ peer_cfg, child_cfg, NULL, NULL,
+ (controller_cb_t)stroke_log,
&info, this->timeout, FALSE);
switch (status)
{
diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
index b6cfda082..115e0a82e 100644
--- a/src/libcharon/plugins/uci/uci_control.c
+++ b/src/libcharon/plugins/uci/uci_control.c
@@ -147,6 +147,7 @@ static void initiate(private_uci_control_t *this, char *name)
if (enumerator->enumerate(enumerator, &child_cfg) &&
charon->controller->initiate(charon->controller, peer_cfg,
child_cfg->get_ref(child_cfg),
+ NULL, NULL,
controller_cb_empty, NULL, 0, FALSE) == SUCCESS)
{
write_fifo(this, "connection '%s' established\n", name);
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 2a4d58eab..0e9d24d11 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2149,7 +2149,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
charon->controller->initiate(charon->controller,
peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
- NULL, NULL, 0, FALSE);
+ NULL, NULL, NULL, NULL, 0, FALSE);
break;
case ACTION_ROUTE:
DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 1c236d2491..932d0cb5a8 100644
index 4c09b578d..4c00c2be5 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -1,4 +1,6 @@
/*
+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
@@ -16,6 +16,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
* Copyright (C) 2015-2017 Tobias Brunner
* Copyright (C) 2014 Martin Willi
*
@@ -173,9 +175,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#include "vici_control.h"
#include "vici_builder.h"
@@ -174,9 +196,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
CALLBACK(initiate, vici_message_t*,
private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
{
@@ -163,7 +338,7 @@ index 1c236d2491..932d0cb5a8 100644
int timeout;
bool limits;
controller_cb_t log_cb = NULL;
@@ -189,6 +194,8 @@ CALLBACK(initiate, vici_message_t*,
@@ -190,6 +215,8 @@ CALLBACK(initiate, vici_message_t*,
timeout = request->get_int(request, 0, "timeout");
limits = request->get_bool(request, FALSE, "init-limits");
log.level = request->get_int(request, 1, "loglevel");
@@ -172,7 +347,7 @@ index 1c236d2491..932d0cb5a8 100644
if (!child && !ike)
{
@@ -202,28 +209,48 @@ CALLBACK(initiate, vici_message_t*,
@@ -203,28 +230,48 @@ CALLBACK(initiate, vici_message_t*,
type = child ? "CHILD_SA" : "IKE_SA";
sa = child ?: ike;
@@ -196,10 +371,10 @@ index 1c236d2491..932d0cb5a8 100644
+ msg = send_reply(this, "%s config '%s' not found", type, sa);
+ goto ret;
}
- switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+ switch (charon->controller->initiate2(charon->controller, peer_cfg, child_cfg,
+ my_host, other_host,
log_cb, &log, log.level, timeout, limits))
switch (charon->controller->initiate(charon->controller, peer_cfg,
- child_cfg, log_cb, &log, timeout, limits))
+ child_cfg, my_host, other_host,
+ log_cb, &log, timeout, limits))
{
case SUCCESS:
- return send_reply(this, NULL);
@@ -227,34 +402,76 @@ index 1c236d2491..932d0cb5a8 100644
+ return msg;
}
/**
CALLBACK(terminate, vici_message_t*,
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
index 6a72499d3..eb0ad3846 100644
--- a/src/libcharon/processing/jobs/initiate_mediation_job.c
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
@@ -137,6 +137,7 @@ METHOD(job_t, initiate, job_requeue_t,
mediation_cfg->get_ref(mediation_cfg);
if (charon->controller->initiate(charon->controller, mediation_cfg, NULL,
+ NULL, NULL,
(controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS)
{
mediation_cfg->destroy(mediation_cfg);
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
index 3a0ed879f..e3399007b 100644
--- a/src/libcharon/processing/jobs/start_action_job.c
+++ b/src/libcharon/processing/jobs/start_action_job.c
@@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t,
charon->controller->initiate(charon->controller,
peer_cfg->get_ref(peer_cfg),
child_cfg->get_ref(child_cfg),
- NULL, NULL, 0, FALSE);
+ NULL, NULL, NULL, NULL, 0, FALSE);
break;
case ACTION_ROUTE:
DBG1(DBG_JOB, "start action: route '%s'", name);
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 7763ae844e..cf53e9ae00 100644
index b6321cf16..a889b90ab 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1,5 +1,7 @@
/*
* Copyright (C) 2008-2022 Tobias Brunner
+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
@@ -17,6 +17,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
* Copyright (C) 2005-2011 Martin Willi
* Copyright (C) 2005 Jan Hutter
*
@@ -1499,6 +1501,13 @@ typedef struct {
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#include <string.h>
#include <inttypes.h>
@@ -1485,7 +1507,8 @@ typedef struct {
} config_entry_t;
METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
+{
+ return this->public.checkout_by_config2(&this->public, peer_cfg, NULL, NULL);
+}
+
+METHOD(ike_sa_manager_t, checkout_by_config2, ike_sa_t*,
- private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
+ private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg,
+ host_t *my_host, host_t *other_host)
{
enumerator_t *enumerator;
entry_t *entry;
@@ -1509,7 +1518,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -1496,7 +1519,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
u_int segment;
int i;
@@ -272,7 +489,7 @@ index 7763ae844e..cf53e9ae00 100644
if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
{ /* IKE_SA reuse disabled by config (not possible for IKEv1) */
@@ -1567,6 +1585,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -1554,6 +1586,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
continue;
}
@@ -288,7 +505,7 @@ index 7763ae844e..cf53e9ae00 100644
current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
if (current_peer && current_peer->equals(current_peer, peer_cfg))
{
@@ -1593,6 +1620,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -1580,6 +1621,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
{
ike_sa->set_peer_cfg(ike_sa, peer_cfg);
checkout_new(this, ike_sa);
@@ -299,19 +516,11 @@ index 7763ae844e..cf53e9ae00 100644
}
}
charon->bus->set_sa(charon->bus, ike_sa);
@@ -2558,6 +2589,7 @@ ike_sa_manager_t *ike_sa_manager_create()
.checkout = _checkout,
.checkout_by_message = _checkout_by_message,
.checkout_by_config = _checkout_by_config,
+ .checkout_by_config2 = _checkout_by_config2,
.checkout_by_id = _checkout_by_id,
.checkout_by_name = _checkout_by_name,
.new_initiator_spi = _new_initiator_spi,
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
index 004cc22168..d001f5a802 100644
index 318620be0..f40eeb74e 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -123,7 +123,8 @@ struct ike_sa_manager_t {
@@ -109,7 +109,8 @@ struct ike_sa_manager_t {
ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
/**
@@ -321,49 +530,34 @@ index 004cc22168..d001f5a802 100644
*
* To initiate, a CHILD_SA may be established within an existing IKE_SA.
* This call checks for an existing IKE_SA by comparing the configuration.
@@ -140,6 +141,28 @@ struct ike_sa_manager_t {
*/
ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
+ /**
+ * Checkout an IKE_SA for initiation by a peer_config and optional
+ * source and remote host addresses.
+ *
+ * To initiate, a CHILD_SA may be established within an existing IKE_SA.
+ * This call checks for an existing IKE_SA by comparing the configuration.
+ * If the CHILD_SA can be created in an existing IKE_SA, the matching SA
+ * is returned.
+ * If no IKE_SA is found, a new one is created and registered in the
+ * manager. This is also the case when the found IKE_SA is in an unusable
+ * state (e.g. DELETING).
+ *
+ * @note The peer_config is always set on the returned IKE_SA.
+ *
+ * @param peer_cfg configuration used to find an existing IKE_SA
@@ -122,9 +123,12 @@ struct ike_sa_manager_t {
* @note The peer_config is always set on the returned IKE_SA.
*
* @param peer_cfg configuration used to find an existing IKE_SA
+ * @param my_host source host address for wildcard peer_cfg
+ * @param other_host remote host address for wildcard peer_cfg
+ * @return checked out/created IKE_SA
+ */
+ ike_sa_t *(*checkout_by_config2)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
* @return checked out/created IKE_SA
*/
- ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
+ ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
+ host_t *my_host, host_t *other_host);
+
/**
* Reset initiator SPI.
*
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 1b85c66a5b..bbc480c0cd 100644
index f9f78acab..555e28ab6 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
@@ -432,7 +432,7 @@ METHOD(trap_manager_t, acquire, void,
peer_cfg_t *peer;
child_cfg_t *child;
ike_sa_t *ike_sa;
- host_t *host;
+ host_t *host, *my_host = NULL, *other_host = NULL;
uint32_t allocated_reqid;
bool wildcard, ignore = FALSE;
@@ -603,36 +603,26 @@ METHOD(trap_manager_t, acquire, void,
this->lock->read_lock(this->lock);
@@ -508,36 +508,26 @@ METHOD(trap_manager_t, acquire, void,
this->lock->unlock(this->lock);
if (wildcard)
@@ -384,17 +578,17 @@ index 1b85c66a5b..bbc480c0cd 100644
+ uint8_t mask;
- port = ike_cfg->get_other_port(ike_cfg);
- data->dst->to_subnet(data->dst, &host, &mask);
- dst->to_subnet(dst, &host, &mask);
- host->set_port(host, port);
- ike_sa->set_other_host(ike_sa, host);
+ ike_cfg = peer->get_ike_cfg(peer);
- port = ike_cfg->get_my_port(ike_cfg);
- data->src->to_subnet(data->src, &host, &mask);
- src->to_subnet(src, &host, &mask);
- host->set_port(host, port);
- ike_sa->set_my_host(ike_sa, host);
+ port = ike_cfg->get_other_port(ike_cfg);
+ data->dst->to_subnet(data->dst, &other_host, &mask);
+ dst->to_subnet(dst, &other_host, &mask);
+ other_host->set_port(other_host, port);
- charon->bus->set_sa(charon->bus, ike_sa);
@@ -405,10 +599,10 @@ index 1b85c66a5b..bbc480c0cd 100644
- ike_sa = charon->ike_sa_manager->checkout_by_config(
- charon->ike_sa_manager, peer);
+ port = ike_cfg->get_my_port(ike_cfg);
+ data->src->to_subnet(data->src, &my_host, &mask);
+ src->to_subnet(src, &my_host, &mask);
+ my_host->set_port(my_host, port);
}
+ ike_sa = charon->ike_sa_manager->checkout_by_config2(
+ ike_sa = charon->ike_sa_manager->checkout_by_config(
+ charon->ike_sa_manager, peer,
+ my_host, other_host);
+ if (my_host) my_host->destroy(my_host);
@@ -417,16 +611,39 @@ index 1b85c66a5b..bbc480c0cd 100644
if (ike_sa)
diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
index e0fffb907d..c0fc8c5952 100644
index 8ade8bf41..03b2cb0f4 100644
--- a/src/swanctl/commands/initiate.c
+++ b/src/swanctl/commands/initiate.c
@@ -1,4 +1,5 @@
/*
@@ -13,6 +13,28 @@
* for more details.
*/
+/*
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
* Copyright (C) 2014 Martin Willi
*
* Copyright (C) secunet Security Networks AG
@@ -38,7 +39,7 @@ static int initiate(vici_conn_t *conn)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
#include "command.h"
#include <errno.h>
@@ -37,7 +59,7 @@ static int initiate(vici_conn_t *conn)
vici_req_t *req;
vici_res_t *res;
command_format_options_t format = COMMAND_FORMAT_NONE;
@@ -435,7 +652,7 @@ index e0fffb907d..c0fc8c5952 100644
int ret = 0, timeout = 0, level = 1;
while (TRUE)
@@ -65,6 +66,12 @@ static int initiate(vici_conn_t *conn)
@@ -64,6 +86,12 @@ static int initiate(vici_conn_t *conn)
case 'l':
level = atoi(arg);
continue;
@@ -448,7 +665,7 @@ index e0fffb907d..c0fc8c5952 100644
case EOF:
break;
default:
@@ -88,6 +95,14 @@ static int initiate(vici_conn_t *conn)
@@ -87,6 +115,14 @@ static int initiate(vici_conn_t *conn)
{
vici_add_key_valuef(req, "ike", "%s", ike);
}
@@ -463,7 +680,7 @@ index e0fffb907d..c0fc8c5952 100644
if (timeout)
{
vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
@@ -134,6 +149,8 @@ static void __attribute__ ((constructor))reg()
@@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"child", 'c', 1, "initiate a CHILD_SA configuration"},
{"ike", 'i', 1, "initiate an IKE_SA, or name of child's parent"},
@@ -473,5 +690,5 @@ index e0fffb907d..c0fc8c5952 100644
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
--
2.49.0
2.31.1

24
0002-vici-send-certificates-for-ike-sa-events.patch
View File

@@ -1,4 +1,4 @@
From f6210f6ab72ead26a24a8f231eee67948d3ca543 Mon Sep 17 00:00:00 2001
From e5589f7a7ddeac0de425783275d38327279eff4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Mon, 21 Sep 2015 13:42:05 +0300
Subject: [PATCH 2/4] vici: send certificates for ike-sa events
@@ -12,10 +12,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
1 file changed, 42 insertions(+), 8 deletions(-)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index bacb7b101e..19acc0789b 100644
index fb65b1447..9a0dc1c8b 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
@@ -379,7 +379,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
* List details of an IKE_SA
*/
static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,7 +24,7 @@ index bacb7b101e..19acc0789b 100644
{
time_t t;
ike_sa_id_t *id;
@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -388,6 +388,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
uint32_t if_id;
uint16_t alg, ks;
host_t *host;
@@ -33,7 +33,7 @@ index bacb7b101e..19acc0789b 100644
b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -397,11 +399,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
b->add_kv(b, "local-host", "%H", host);
b->add_kv(b, "local-port", "%d", host->get_port(host));
b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index bacb7b101e..19acc0789b 100644
eap = ike_sa->get_other_eap_id(ike_sa);
@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
@@ -532,7 +566,7 @@ CALLBACK(list_sas, vici_message_t*,
b = vici_builder_create();
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -86,7 +86,7 @@ index bacb7b101e..19acc0789b 100644
b->begin_section(b, "child-sas");
csas = ike_sa->create_child_sa_enumerator(ike_sa);
@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
@@ -1719,7 +1753,7 @@ METHOD(listener_t, ike_updown, bool,
}
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index bacb7b101e..19acc0789b 100644
b->end_section(b);
this->dispatcher->raise_event(this->dispatcher,
@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
@@ -1744,10 +1778,10 @@ METHOD(listener_t, ike_rekey, bool,
b = vici_builder_create();
b->begin_section(b, old->get_name(old));
b->begin_section(b, "old");
@@ -108,7 +108,7 @@ index bacb7b101e..19acc0789b 100644
b->end_section(b);
b->end_section(b);
@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
@@ -1778,7 +1812,7 @@ METHOD(listener_t, ike_update, bool,
b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -117,7 +117,7 @@ index bacb7b101e..19acc0789b 100644
b->end_section(b);
this->dispatcher->raise_event(this->dispatcher,
@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
@@ -1808,7 +1842,7 @@ METHOD(listener_t, child_updown, bool,
}
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -126,7 +126,7 @@ index bacb7b101e..19acc0789b 100644
b->begin_section(b, "child-sas");
snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
@@ -1843,7 +1877,7 @@ METHOD(listener_t, child_rekey, bool,
b = vici_builder_create();
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -136,5 +136,5 @@ index bacb7b101e..19acc0789b 100644
b->begin_section(b, old->get_name(old));
--
2.49.0
2.31.1

14
0003-vici-add-support-for-individual-sa-state-changes.patch
View File

@@ -1,4 +1,4 @@
From effc140ed0ed5c7f1897c8abb6364d2d4789a4ee Mon Sep 17 00:00:00 2001
From faa75e58ec73dc70ba296a2ec534f2f87550c960 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Mon, 21 Sep 2015 13:42:11 +0300
Subject: [PATCH 3/4] vici: add support for individual sa state changes
@@ -14,10 +14,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
1 file changed, 106 insertions(+)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 19acc0789b..fa1aca9536 100644
index 9a0dc1c8b..b213ba432 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
@@ -1719,8 +1719,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
@@ -34,7 +34,7 @@ index 19acc0789b..fa1aca9536 100644
manage_command(this, "list-sas", list_sas, reg);
manage_command(this, "list-policies", list_policies, reg);
manage_command(this, "list-conns", list_conns, reg);
@@ -1876,6 +1884,46 @@ METHOD(listener_t, ike_update, bool,
@@ -1821,6 +1829,46 @@ METHOD(listener_t, ike_update, bool,
return TRUE;
}
@@ -81,7 +81,7 @@ index 19acc0789b..fa1aca9536 100644
METHOD(listener_t, child_updown, bool,
private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
{
@@ -1955,6 +2003,62 @@ METHOD(listener_t, child_rekey, bool,
@@ -1900,6 +1948,62 @@ METHOD(listener_t, child_rekey, bool,
return TRUE;
}
@@ -144,7 +144,7 @@ index 19acc0789b..fa1aca9536 100644
METHOD(vici_query_t, destroy, void,
private_vici_query_t *this)
{
@@ -1975,8 +2079,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
@@ -1920,8 +2024,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
.ike_updown = _ike_updown,
.ike_rekey = _ike_rekey,
.ike_update = _ike_update,
@@ -156,5 +156,5 @@ index 19acc0789b..fa1aca9536 100644
.destroy = _destroy,
},
--
2.49.0
2.31.1

286
0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch
View File

@@ -1,286 +0,0 @@
From 7f32aed540533e50fa05486df471ef3c19879324 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
Date: Sun, 21 Jan 2024 03:11:32 +0100
Subject: [PATCH 4/4] Support GRE key in selectors with kernel-netlink.
Implementation use two 2-byte port fields (from/to range) to store key
similar to ICMP.
---
.../kernel_netlink/kernel_netlink_ipsec.c | 19 +++++++++++++
.../plugins/load_tester/load_tester_config.c | 22 ++++++++++++++-
src/libcharon/plugins/stroke/stroke_config.c | 22 ++++++++++++++-
src/libcharon/plugins/vici/vici_config.c | 27 ++++++++++++++++++-
.../selectors/traffic_selector.c | 20 ++++++++++++++
.../selectors/traffic_selector.h | 12 +++++++++
src/starter/confread.c | 24 ++++++++++++++++-
src/swanctl/swanctl.opt | 3 +++
8 files changed, 145 insertions(+), 4 deletions(-)
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index db0b2ac37a..d4f9571817 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -864,6 +864,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
{
struct xfrm_selector sel;
uint16_t port;
+ uint32_t gre_key;
memset(&sel, 0, sizeof(sel));
sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
@@ -884,6 +885,24 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
sel.dport = htons(traffic_selector_icmp_code(port));
sel.dport_mask = sel.dport ? ~0 : 0;
}
+ if (sel.proto == IPPROTO_GRE)
+ {
+ /* the kernel expects the GRE key in the source and destination
+ * port fields, respectively. */
+ gre_key = htons(traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
+ if ( gre_key != 0 )
+ {
+ sel.sport = gre_key >> 16;
+ sel.sport_mask = ~0;
+ sel.dport = gre_key & 0xffff;
+ sel.dport_mask = ~0;
+ } else {
+ sel.sport = 0;
+ sel.sport_mask = 0;
+ sel.dport = 0;
+ sel.dport_mask = 0;
+ }
+ }
sel.ifindex = interface ? if_nametoindex(interface) : 0;
sel.user = 0;
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 58e1cd98a0..f20fdae522 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -498,7 +498,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
*protocol = (uint8_t)p;
}
}
- if (streq(port, "%any"))
+ if (*protocol == IPPROTO_GRE)
+ {
+ if (*port && !streq(port, "%any"))
+ {
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ return FALSE;
+ }
+ *from_port = (p >> 16) & 0xffff;
+ *to_port = p & 0xffff;
+ if (*endptr)
+ {
+ return FALSE;
+ }
+ } else {
+ *from_port = 0;
+ *to_port = 0;
+ }
+ }
+ else if (streq(port, "%any"))
{
*from_port = 0;
*to_port = 0xffff;
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 55db379ffe..b4340b8d1b 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -927,7 +927,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
*protocol = (uint8_t)p;
}
}
- if (streq(port, "%any"))
+ if (*protocol == IPPROTO_GRE)
+ {
+ if (*port && !streq(port, "%any"))
+ {
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ return FALSE;
+ }
+ *from_port = (p >> 16) & 0xffff;
+ *to_port = p & 0xffff;
+ if (*endptr)
+ return FALSE;
+ }
+ else
+ {
+ *from_port = 0;
+ *to_port = 0;
+ }
+ }
+ else if (streq(port, "%any"))
{
*from_port = 0;
*to_port = 0xffff;
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index c858e9945c..24a254689b 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -715,7 +715,27 @@ CALLBACK(parse_ts, bool,
proto = (uint8_t)p;
}
}
- if (streq(port, "opaque"))
+ if (proto == IPPROTO_GRE)
+ {
+ if (*port && !streq(port, "any"))
+ {
+ p = strtol(port, &end, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ return FALSE;
+ }
+ from = (p >> 16) & 0xffff;
+ to = p & 0xffff;
+ if (*end)
+ {
+ return FALSE;
+ }
+ } else {
+ from = 0;
+ to = 0;
+ }
+ }
+ else if (streq(port, "opaque"))
{
from = 0xffff;
to = 0;
@@ -752,6 +772,11 @@ CALLBACK(parse_ts, bool,
}
}
}
+ else if (proto == IPPROTO_GRE)
+ {
+ from = 0;
+ to = 0;
+ }
if (streq(buf, "dynamic"))
{
ts = traffic_selector_create_dynamic(proto, from, to);
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index fe61e3768b..09757ec36f 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
return print_in_hook(data, "%d", type);
}
+/**
+ * Print GRE key
+ */
+static int print_gre(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
+{
+ uint32_t gre_key;
+
+ gre_key = traffic_selector_gre_key(from_port, to_port);
+
+ return print_in_hook(data, "%d", gre_key);
+}
+
/**
* Described in header.
*/
@@ -319,6 +331,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
{
written += print_icmp(data, this->from_port);
}
+ else if (this->protocol == IPPROTO_GRE)
+ {
+ written += print_gre(data, this->from_port, this->to_port);
+ }
else
{
serv = getservbyport(htons(this->from_port), serv_proto);
@@ -332,6 +348,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
}
}
}
+ else if (this->protocol == IPPROTO_GRE)
+ {
+ written += print_gre(data, this->from_port, this->to_port);
+ }
else if (is_opaque(this))
{
written += print_in_hook(data, "OPAQUE");
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index 367b4fff94..b7010e4a73 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -272,6 +272,18 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
return port & 0xff;
}
+/**
+ * Extract the GRE key from a source and destination port in host order
+ *
+ * @param from_port port number in host order
+ * @param to_port port number in host order
+ * @return GRE key
+ */
+static inline uint8_t traffic_selector_gre_key(uint16_t from_port, uint16_t to_port)
+{
+ return (from_port & 0xffff) << 16 | (to_port & 0xffff);
+}
+
/**
* Compare two traffic selectors, usable as sort function
*
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 5065bc369f..039b6f402b 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -325,7 +325,29 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
end->protocol = (uint8_t)p;
}
}
- if (streq(port, "%any"))
+ if (end->protocol == IPPROTO_GRE)
+ {
+ if (*port && !streq(port, "%any"))
+ {
+ p = strtol(port, &endptr, 0);
+ if (p < 0 || p > 0xffffffff)
+ {
+ DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
+ goto err;
+ }
+ end->from_port = (p >> 16) & 0xffff;
+ end->to_port = p & 0xffff;
+ if (*endptr)
+ {
+ DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
+ goto err;
+ }
+ } else {
+ end->from_port = 0;
+ end->to_port = 0;
+ }
+ }
+ else if (streq(port, "%any"))
{
end->from_port = 0;
end->to_port = 0xffff;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index d9fd949ed1..1d63dadb89 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -765,6 +765,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
as well, none of the kernel backends currently support port ranges, though.
+ If protocol is restricted to GRE, port restriction specifies GRE key
+ in 32 bit numeric form eg. dynamic[gre/100].
+
When IKEv1 is used only the first selector is interpreted, except if
the Cisco Unity extension plugin is used. This is due to a limitation of the
IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
--
2.49.0

124
0004-vyos-terminate-connections-source-dest.patch Normal file
View File

@@ -0,0 +1,124 @@
From 1057ecaa416c81b0e3fd4b26e1c8c301d1749ecb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
Date: Wed, 22 Jan 2020 13:12:39 +0100
Subject: [PATCH 4/4] vyos-terminate-connections-source-dest
---
src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
src/swanctl/commands/terminate.c | 18 ++++++++++++++-
2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 4c00c2be5..8936e93ae 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -278,12 +278,13 @@ CALLBACK(terminate, vici_message_t*,
private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
{
enumerator_t *enumerator, *isas, *csas;
- char *child, *ike, *errmsg = NULL;
+ char *child, *ike, *errmsg = NULL, *my_host_str, *other_host_str;
u_int child_id, ike_id, current, *del, done = 0;
bool force;
int timeout;
ike_sa_t *ike_sa;
child_sa_t *child_sa;
+ host_t *my_host = NULL, *other_host = NULL;
array_t *ids;
vici_builder_t *builder;
controller_cb_t log_cb = NULL;
@@ -299,12 +300,23 @@ CALLBACK(terminate, vici_message_t*,
force = request->get_bool(request, FALSE, "force");
timeout = request->get_int(request, 0, "timeout");
log.level = request->get_int(request, 1, "loglevel");
+ my_host_str = request->get_str(request, NULL, "my-host");
+ other_host_str = request->get_str(request, NULL, "other-host");
- if (!child && !ike && !ike_id && !child_id)
+ if (!child && !ike && !ike_id && !child_id && !my_host_str &&!other_host_str)
{
return send_reply(this, "missing terminate selector");
}
-
+ if (my_host_str && !other_host_str || other_host_str && !my_host_str)
+ {
+ return send_reply(this, "missing source or remote");
+ }
+ else
+ {
+ my_host = host_create_from_string(my_host_str, 0);
+ other_host = host_create_from_string(other_host_str, 0);
+ DBG1(DBG_CFG, "vici terminate with source me %H and other %H", my_host, other_host);
+ }
if (ike_id)
{
DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
@@ -367,6 +379,15 @@ CALLBACK(terminate, vici_message_t*,
{
array_insert(ids, ARRAY_TAIL, &ike_id);
}
+ else if (my_host && other_host)
+ {
+ if (!my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa)) || !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa)))
+ {
+ continue;
+ }
+ current = ike_sa->get_unique_id(ike_sa);
+ array_insert(ids, ARRAY_TAIL, &current);
+ }
}
isas->destroy(isas);
diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
index 2309843b2..37d0bde3f 100644
--- a/src/swanctl/commands/terminate.c
+++ b/src/swanctl/commands/terminate.c
@@ -37,7 +37,7 @@ static int terminate(vici_conn_t *conn)
vici_req_t *req;
vici_res_t *res;
command_format_options_t format = COMMAND_FORMAT_NONE;
- char *arg, *child = NULL, *ike = NULL;
+ char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
int ret = 0, timeout = 0, level = 1, child_id = 0, ike_id = 0;
bool force = FALSE;
@@ -74,6 +74,12 @@ static int terminate(vici_conn_t *conn)
case 'l':
level = atoi(arg);
continue;
+ case 'S':
+ my_host = arg;
+ continue;
+ case 'R':
+ other_host = arg;
+ continue;
case EOF:
break;
default:
@@ -109,6 +115,14 @@ static int terminate(vici_conn_t *conn)
{
vici_add_key_valuef(req, "force", "yes");
}
+ if (my_host)
+ {
+ vici_add_key_valuef(req, "my-host", "%s", my_host);
+ }
+ if (other_host)
+ {
+ vici_add_key_valuef(req, "other-host", "%s", other_host);
+ }
if (timeout)
{
vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
@@ -155,6 +169,8 @@ static void __attribute__ ((constructor))reg()
{
{"help", 'h', 0, "show usage information"},
{"child", 'c', 1, "terminate by CHILD_SA name"},
+ {"source", 'S', 1, "override source address"},
+ {"remote", 'R', 1, "override remote address"},
{"ike", 'i', 1, "terminate by IKE_SA name"},
{"child-id", 'C', 1, "terminate by CHILD_SA reqid"},
{"ike-id", 'I', 1, "terminate by IKE_SA unique identifier"},
--
2.31.1

48
STRONGSWAN-RELEASE-PGP-KEY
View File

@@ -1,48 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
+M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
=ze82
-----END PGP PUBLIC KEY BLOCK-----

3
sources
View File

@@ -1,2 +1 @@
SHA512 (strongswan-5.9.14.tar.bz2) = e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
SHA512 (strongswan-5.9.14.tar.bz2.sig) = 1b3d57448caab91060fe3d209d90708c57dbf35ae62c97574107b32677cff73f13f7545dc91682ef84400bb8a2f105a1761aba8334763dc8c35d97be7921c242
SHA512 (strongswan-5.9.4.tar.bz2) = 796356c1d5c1ad410f0ed944ab4a131076d26f120ec6fa57796fe4060b0741201199625883ddc9ebd8a7ad299495f073cec76a6780ebd8f375605aae16750cf3

15
strongswan-5.6.2-CVE-2018-5388.patch Normal file
View File

@@ -0,0 +1,15 @@
diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
--- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c 2017-11-09 10:57:30.000000000 -0500
+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c 2018-05-24 00:00:32.382953618 -0400
@@ -628,6 +628,11 @@
return FALSE;
}
+ if (len < offsetof(stroke_msg_t, buffer))
+ {
+ DBG1(DBG_CFG, "invalid stroke message length %d", len);
+ return FALSE;
+ }
/* read message (we need an additional byte to terminate the buffer) */
msg = malloc(len + 1);
msg->length = len;

24
strongswan-5.8.4-runtime-dir.patch Normal file
View File

@@ -0,0 +1,24 @@
diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
--- strongswan-5.8.4.orig/init/systemd/strongswan.service.in 2019-08-27 16:26:53.000000000 +0300
+++ strongswan-5.8.4/init/systemd/strongswan.service.in 2020-04-12 12:05:57.383596844 +0300
@@ -9,6 +9,8 @@
ExecReload=@SBINDIR@/swanctl --reload
ExecReload=@SBINDIR@/swanctl --load-all --noprompt
Restart=on-abnormal
+RuntimeDirectory=strongswan
+RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
--- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in 2019-08-27 16:26:53.000000000 +0300
+++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in 2020-04-12 12:05:51.810559482 +0300
@@ -6,6 +6,8 @@
ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
StandardOutput=syslog
Restart=on-abnormal
+RuntimeDirectory=strongswan
+RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target

12
strongswan-5.9.1-runtime-dir.patch Normal file
View File

@@ -0,0 +1,12 @@
diff -Naur strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in
--- strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in 2020-10-16 08:36:37.000000000 -0400
+++ strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in 2021-02-12 14:06:09.985042362 -0500
@@ -5,6 +5,8 @@
[Service]
ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
Restart=on-abnormal
+RuntimeDirectory=strongswan
+RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target

12
strongswan-5.9.7-error-no-format.patch
View File

@@ -1,12 +0,0 @@
diff --git a/configure.ac b/configure.ac
index f9e6e55c2..247d055d8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1480,7 +1480,6 @@ else
fi
# disable some warnings, whether explicitly enabled above or by default
# these are not compatible with our custom printf specifiers
-WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
# we generally use comments, but GCC doesn't seem to recognize many of them
WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"

109
strongswan-6.0.0-gcc15.patch
View File

@@ -1,109 +0,0 @@
From cf7fb47788dfb83bb5d8bd0bffdb582e381a2f0a Mon Sep 17 00:00:00 2001
From: Thomas Egerer <thomas.egerer@secunet.com>
Date: Fri, 6 Sep 2024 13:29:40 +0200
Subject: [PATCH] array: Don't use realloc() with zero size in array_compress()
The behavior of realloc(3) with zero size was apparently implementation
defined. While glibc documents the behavior as equivalent to free(3),
that might not apply to other C libraries. With C17, this behavior has
been deprecated, and with C23, the behavior is now undefined. It's also
why valgrind warns about this use.
Hence, when array_compress() would call realloc() with a zero size, we
now call free() explicitly and set the pointer to NULL.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
---
src/libstrongswan/collections/array.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
index 8acc8051d53..8b6c6d7397e 100644
--- a/src/libstrongswan/collections/array.c
+++ b/src/libstrongswan/collections/array.c
@@ -197,7 +197,17 @@ void array_compress(array_t *array)
}
if (tail)
{
- array->data = realloc(array->data, get_size(array, array->count));
+ size_t size = get_size(array, array->count);
+
+ if (size)
+ {
+ array->data = realloc(array->data, size);
+ }
+ else
+ {
+ free(array->data);
+ array->data = NULL;
+ }
array->tail = 0;
}
}
---
From f1f0bd9de60e2697a712e72b7ae9f79763a0901d Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 9 Jan 2025 16:05:39 +0100
Subject: [PATCH] ctr: Remove parameter-less constructor prototype
Useless and causes a compiler warning/error:
error: a function declaration without a prototype is deprecated in all versions of C and is treated as a zero-parameter prototype in C23, conflicting with a subsequent declaration [-Werror,-Wdeprecated-non-prototype]
---
src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
index e9421a1be9f..3814465e48b 100644
--- a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
@@ -37,11 +37,6 @@ struct ctr_ipsec_crypter_t {
crypter_t crypter;
};
-/**
- * Create a ctr_ipsec_crypter instance.
- */
-ctr_ipsec_crypter_t *ctr_ipsec_crypter_create();
-
/**
* Create a ctr_ipsec_crypter instance.
*
---
From 227d7ef9a24b8c62d6965c1c1690252bde7c698d Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 10 Jan 2025 15:43:11 +0100
Subject: [PATCH] tnc-imv: Add missing argument to IMV recommendations
constructor
This avoids the following warning/error:
tnc_imv_manager.c:244:39: error: passing arguments to 'tnc_imv_recommendations_create' without a prototype is deprecated in all versions of C and is not supported in C23 [-Werror,-Wdeprecated-non-prototype]
244 | return tnc_imv_recommendations_create(this->imvs);
| ^
---
src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
index f7178876cfd..60272978ad3 100644
--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
@@ -27,8 +27,11 @@
#include <collections/linked_list.h>
/**
- * Create an IMV empty recommendations instance
+ * Create an empty IMV recommendations instance
+ *
+ * @param imv_list list of IMVs that could provide recommendations
+ * @return created instance
*/
-recommendations_t *tnc_imv_recommendations_create();
+recommendations_t *tnc_imv_recommendations_create(linked_list_t *imv_list);
#endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/
---

597
strongswan-6.0.1-gcc15.patch
View File

@@ -1,597 +0,0 @@
From a7b5de569082398a14b7e571498e55d005903aaf Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 21 Feb 2025 17:18:35 +0100
Subject: [PATCH] pki: Fix signature of help() to match that of a callback in
command_t
---
src/pki/command.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pki/command.c b/src/pki/command.c
index accec5fe51b..6e6bf041e18 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -265,7 +265,7 @@ int command_usage(char *error)
/**
* Show usage information
*/
-static int help(int c, char *v[])
+static int help()
{
return command_usage(NULL);
}
---
From 38d89f57f0771d3cc7b2ab70849584685ada2bc0 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 21 Feb 2025 16:47:34 +0100
Subject: [PATCH] charon-nm: Use CALLBACK macro for callback job's cancel
implementation
Casting to this specific function type doesn't work anymore if C23 is
used as the types mismatch.
---
src/charon-nm/nm/nm_backend.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index aefd3f95688..8ee1785212e 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -78,7 +78,8 @@ static job_requeue_t run(nm_backend_t *this)
/**
* Cancel the GLib Main Event Loop
*/
-static bool cancel(nm_backend_t *this)
+CALLBACK(cancel, bool,
+ nm_backend_t *this)
{
if (this->loop)
{
@@ -152,7 +153,7 @@ static bool nm_backend_init()
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
- NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
+ NULL, cancel, JOB_PRIO_CRITICAL));
return TRUE;
}
---
From d5d2568ff0e88d364dadf50b67bf17050763cf98 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 21 Feb 2025 16:45:57 +0100
Subject: [PATCH] callback-job: Replace return_false() in constructors with
dedicated function
Besides being clearer, this fixes issues with GCC 15. The latter uses
C23 by default, which changes the meaning of function declarations
without parameters such as
bool return false();
Instead of "this function takes an unknown number of arguments", this
now equals (void), that is, "this function takes no arguments". So we
run into incompatible pointer type warnings all over when using such
functions. They could be cast to (void*) but this seems the cleaner
solution for this use case.
---
src/charon-cmd/cmd/cmd_connection.c | 2 +-
.../jni/libandroidbridge/backend/android_dns_proxy.c | 2 +-
.../jni/libandroidbridge/backend/android_service.c | 6 +++---
src/libcharon/network/receiver.c | 2 +-
src/libcharon/network/sender.c | 2 +-
.../plugins/bypass_lan/bypass_lan_listener.c | 4 ++--
.../plugins/eap_radius/eap_radius_accounting.c | 2 +-
src/libcharon/plugins/eap_radius/eap_radius_plugin.c | 2 +-
src/libcharon/plugins/ha/ha_ctl.c | 2 +-
src/libcharon/plugins/ha/ha_dispatcher.c | 2 +-
src/libcharon/plugins/ha/ha_segments.c | 6 +++---
.../kernel_libipsec/kernel_libipsec_esp_handler.c | 2 +-
.../plugins/kernel_libipsec/kernel_libipsec_router.c | 2 +-
src/libcharon/plugins/smp/smp.c | 4 ++--
src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c | 2 +-
src/libcharon/plugins/uci/uci_control.c | 2 +-
src/libipsec/ipsec_event_relay.c | 2 +-
src/libipsec/ipsec_processor.c | 4 ++--
src/libpttls/pt_tls_dispatcher.c | 2 +-
src/libstrongswan/networking/streams/stream_service.c | 2 +-
src/libstrongswan/processing/jobs/callback_job.c | 10 +++++++++-
src/libstrongswan/processing/jobs/callback_job.h | 11 ++++++++++-
src/libstrongswan/processing/scheduler.c | 3 ++-
src/libstrongswan/processing/watcher.c | 4 ++--
src/libtls/tests/suites/test_socket.c | 2 +-
25 files changed, 51 insertions(+), 33 deletions(-)
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 8e8d8236e52..e220e33a62a 100644
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@@ -585,7 +585,7 @@ cmd_connection_t *cmd_connection_create()
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio(
(callback_job_cb_t)initiate, this, NULL,
- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ callback_job_cancel_thread, JOB_PRIO_CRITICAL));
return &this->public;
}
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index e79d5974409..480d1d622d5 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -737,7 +737,7 @@ receiver_t *receiver_create()
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
return &this->public;
}
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index 4543766d62e..3fcd17f1b63 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -216,7 +216,7 @@ sender_t * sender_create()
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets,
- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
return &this->public;
}
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
index db7abd8146b..c9aed3666fc 100644
--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
@@ -227,7 +227,7 @@ METHOD(kernel_listener_t, roam, bool,
{
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
- NULL, (callback_job_cancel_t)return_false));
+ NULL, callback_job_cancel_thread));
return TRUE;
}
@@ -269,7 +269,7 @@ METHOD(bypass_lan_listener_t, reload_interfaces, void,
this->mutex->unlock(this->mutex);
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
- NULL, (callback_job_cancel_t)return_false));
+ NULL, callback_job_cancel_thread));
}
METHOD(bypass_lan_listener_t, destroy, void,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index f833dc3c0b4..2f29d080764 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -706,7 +706,7 @@ static void schedule_interim(private_eap_radius_accounting_t *this,
(job_t*)callback_job_create_with_prio(
(callback_job_cb_t)send_interim,
data, (void*)destroy_interim_data,
- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
+ callback_job_cancel_thread, JOB_PRIO_CRITICAL), tv);
}
}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 5051542615a..55d5e032cea 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -445,7 +445,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id)
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio(
(callback_job_cb_t)delete_all_async, NULL, NULL,
- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ callback_job_cancel_thread, JOB_PRIO_CRITICAL));
}
else if (id)
{
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index 8859bae166b..3d2ac7de84d 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -199,6 +199,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo,
- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
return &this->public;
}
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 5de26a65a27..83be91ab159 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -1184,7 +1184,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
);
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
return &this->public;
}
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index afb76b39ea2..32d9ee40717 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -316,7 +316,7 @@ static void start_watchdog(private_ha_segments_t *this)
this->heartbeat_active = TRUE;
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)watchdog, this,
- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
}
METHOD(ha_segments_t, handle_status, void,
@@ -404,7 +404,7 @@ static void start_heartbeat(private_ha_segments_t *this)
{
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status,
- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
}
/**
@@ -451,7 +451,7 @@ static void start_autobalance(private_ha_segments_t *this)
DBG1(DBG_CFG, "scheduling HA autobalance every %ds", this->autobalance);
lib->scheduler->schedule_job(lib->scheduler,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance,
- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL),
+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL),
this->autobalance);
}
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
index 095ad67b4b0..c18e266e4d1 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
@@ -337,7 +337,7 @@ kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create()
}
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create(send_esp, this, NULL,
- (callback_job_cancel_t)return_false));
+ callback_job_cancel_thread));
return &this->public;
}
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
index 74746e251de..07adc70be3e 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
@@ -364,7 +364,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create()
charon->receiver->add_esp_cb(charon->receiver, receiver_esp_cb, NULL);
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
- NULL, (callback_job_cancel_t)return_false));
+ NULL, callback_job_cancel_thread));
router = &this->public;
return &this->public;
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 6ca9f13997e..85ff5830bc5 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -710,7 +710,7 @@ static job_requeue_t dispatch(private_smp_t *this)
fdp = malloc_thing(int);
*fdp = fd;
job = callback_job_create((callback_job_cb_t)process, fdp, free,
- (callback_job_cancel_t)return_false);
+ callback_job_cancel_thread);
lib->processor->queue_job(lib->processor, (job_t*)job);
return JOB_REQUEUE_DIRECT;
@@ -800,7 +800,7 @@ plugin_t *smp_plugin_create()
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
return &this->public.plugin;
}
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
index 30aeb116dec..da317a894d9 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
@@ -210,7 +210,7 @@ METHOD(tnc_pdp_connections_t, add, void,
/* schedule timeout checking */
lib->scheduler->schedule_job_ms(lib->scheduler,
(job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
- this, NULL, (callback_job_cancel_t)return_false),
+ this, NULL, callback_job_cancel_thread),
this->timeout * 1000);
dbg_nas_user(nas_id, user_name, FALSE, "created");
diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
index b033c832c8c..8074005ee57 100644
--- a/src/libcharon/plugins/uci/uci_control.c
+++ b/src/libcharon/plugins/uci/uci_control.c
@@ -296,7 +296,7 @@ uci_control_t *uci_control_create()
{
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive,
- this, NULL, (callback_job_cancel_t)return_false,
+ this, NULL, callback_job_cancel_thread,
JOB_PRIO_CRITICAL));
}
return &this->public;
diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
index 0f10795d168..802146eef21 100644
--- a/src/libipsec/ipsec_event_relay.c
+++ b/src/libipsec/ipsec_event_relay.c
@@ -230,7 +230,7 @@ ipsec_event_relay_t *ipsec_event_relay_create()
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create((callback_job_cb_t)handle_events, this,
- NULL, (callback_job_cancel_t)return_false));
+ NULL, callback_job_cancel_thread));
return &this->public;
}
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index 2572b088089..8549fefe261 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -336,9 +336,9 @@ ipsec_processor_t *ipsec_processor_create()
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create((callback_job_cb_t)process_inbound, this,
- NULL, (callback_job_cancel_t)return_false));
+ NULL, callback_job_cancel_thread));
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create((callback_job_cb_t)process_outbound, this,
- NULL, (callback_job_cancel_t)return_false));
+ NULL, callback_job_cancel_thread));
return &this->public;
}
diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
index a134bee238f..c7e42b277e1 100644
--- a/src/libpttls/pt_tls_dispatcher.c
+++ b/src/libpttls/pt_tls_dispatcher.c
@@ -156,7 +156,7 @@ METHOD(pt_tls_dispatcher_t, dispatch, void,
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
connection, (void*)cleanup,
- (callback_job_cancel_t)return_false,
+ callback_job_cancel_thread,
JOB_PRIO_CRITICAL));
}
}
diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c
index 5b709a2247d..c85a0664351 100644
--- a/src/libstrongswan/networking/streams/stream_service.c
+++ b/src/libstrongswan/networking/streams/stream_service.c
@@ -221,7 +221,7 @@ static bool watch(private_stream_service_t *this, int fd, watcher_event_t event)
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((void*)accept_async, data,
- (void*)destroy_async_data, (callback_job_cancel_t)return_false,
+ (void*)destroy_async_data, callback_job_cancel_thread,
this->prio));
}
else
diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
index cb2a0aba5b9..3ab40b947c9 100644
--- a/src/libstrongswan/processing/jobs/callback_job.c
+++ b/src/libstrongswan/processing/jobs/callback_job.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2012 Tobias Brunner
+ * Copyright (C) 2009-2025 Tobias Brunner
* Copyright (C) 2007-2011 Martin Willi
*
* Copyright (C) secunet Security Networks AG
@@ -131,3 +131,11 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
return callback_job_create_with_prio(cb, data, cleanup, cancel,
JOB_PRIO_MEDIUM);
}
+
+/*
+ * Described in header
+ */
+bool callback_job_cancel_thread(void *data)
+{
+ return FALSE;
+}
diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
index 0f1ae212d87..fda86887944 100644
--- a/src/libstrongswan/processing/jobs/callback_job.h
+++ b/src/libstrongswan/processing/jobs/callback_job.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2025 Tobias Brunner
* Copyright (C) 2007-2011 Martin Willi
*
* Copyright (C) secunet Security Networks AG
@@ -62,6 +62,15 @@ typedef void (*callback_job_cleanup_t)(void *data);
*/
typedef bool (*callback_job_cancel_t)(void *data);
+/**
+ * Default implementation of callback_job_cancel_t that simply returns FALSE
+ * to force cancellation of the thread by the processor.
+ *
+ * @param data ignored argument
+ * @return always returns FALSE
+ */
+bool callback_job_cancel_thread(void *data);
+
/**
* Class representing an callback Job.
*
diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
index c5e5dd83e70..76d98ddff51 100644
--- a/src/libstrongswan/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
@@ -329,7 +329,8 @@ scheduler_t * scheduler_create()
this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
job = callback_job_create_with_prio((callback_job_cb_t)schedule, this,
- NULL, return_false, JOB_PRIO_CRITICAL);
+ NULL, callback_job_cancel_thread,
+ JOB_PRIO_CRITICAL);
lib->processor->queue_job(lib->processor, (job_t*)job);
return &this->public;
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
index 1200d670959..a86ec0910d1 100644
--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
@@ -291,7 +291,7 @@ static void notify(private_watcher_t *this, entry_t *entry,
this->jobs->insert_last(this->jobs,
callback_job_create_with_prio((void*)notify_async, data,
- (void*)notify_end, (callback_job_cancel_t)return_false,
+ (void*)notify_end, callback_job_cancel_thread,
JOB_PRIO_CRITICAL));
}
@@ -559,7 +559,7 @@ METHOD(watcher_t, add, void,
lib->processor->queue_job(lib->processor,
(job_t*)callback_job_create_with_prio((void*)watch, this,
- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
}
else
{
diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
index 91ee58b975f..c17d0a8873e 100644
--- a/src/libtls/tests/suites/test_socket.c
+++ b/src/libtls/tests/suites/test_socket.c
@@ -587,7 +587,7 @@ static void start_echo_server(echo_server_config_t *config)
lib->processor->queue_job(lib->processor, (job_t*)
callback_job_create((void*)serve_echo, config, NULL,
- (callback_job_cancel_t)return_false));
+ callback_job_cancel_thread));
}
/**
---
From 11978ddd39e800b5f35f721d726e8a4cb7e4ec0f Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 21 Feb 2025 17:00:44 +0100
Subject: [PATCH] Cast uses of return_*(), nop() and enumerator_create_empty()
As described in the previous commit, GCC 15 uses C23 by default and that
changes the meaning of such argument-less function declarations. So
whenever we assign such a function to a pointer that expects a function
with arguments it causes an incompatible pointer type warning. We
could define dedicated functions/callbacks whenever necessary, but this
seems like the simpler approach for now (especially since most uses of
these functions have already been cast).
---
src/charon-nm/nm/nm_handler.c | 2 +-
src/libcharon/encoding/payloads/encrypted_payload.c | 2 +-
src/libcharon/plugins/android_dns/android_dns_handler.c | 2 +-
src/libcharon/plugins/ha/ha_attribute.c | 2 +-
src/libcharon/plugins/updown/updown_handler.c | 2 +-
src/libstrongswan/utils/identification.c | 6 +++---
6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
index d7331ad72f6..39d0190ac9e 100644
--- a/src/charon-nm/nm/nm_handler.c
+++ b/src/charon-nm/nm/nm_handler.c
@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create()
.public = {
.handler = {
.handle = _handle,
- .release = nop,
+ .release = (void*)nop,
.create_attribute_enumerator = _create_attribute_enumerator,
},
.create_enumerator = _create_enumerator,
diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
index 676d00b7a29..4821c6108ed 100644
--- a/src/libcharon/encoding/payloads/encrypted_payload.c
+++ b/src/libcharon/encoding/payloads/encrypted_payload.c
@@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create()
.get_length = _frag_get_length,
.add_payload = _frag_add_payload,
.remove_payload = (void*)return_null,
- .generate_payloads = nop,
+ .generate_payloads = (void*)nop,
.set_transform = _frag_set_transform,
.get_transform = _frag_get_transform,
.encrypt = _frag_encrypt,
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
index 78f4f702aec..14d2ff99aa3 100644
--- a/src/libcharon/plugins/android_dns/android_dns_handler.c
+++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
@@ -191,7 +191,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
VA_ARGS_VGET(args, type, data);
*type = INTERNAL_IP4_DNS;
*data = chunk_empty;
- this->venumerate = return_false;
+ this->venumerate = (void*)return_false;
return TRUE;
}
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index b865a4b829b..103d1a93784 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -381,7 +381,7 @@ ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments
.provider = {
.acquire_address = _acquire_address,
.release_address = _release_address,
- .create_attribute_enumerator = enumerator_create_empty,
+ .create_attribute_enumerator = (void*)enumerator_create_empty,
},
.reserve = _reserve,
.destroy = _destroy,
diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
index 36eb15615a4..3707e1e658c 100644
--- a/src/libcharon/plugins/updown/updown_handler.c
+++ b/src/libcharon/plugins/updown/updown_handler.c
@@ -220,7 +220,7 @@ updown_handler_t *updown_handler_create()
.handler = {
.handle = _handle,
.release = _release,
- .create_attribute_enumerator = enumerator_create_empty,
+ .create_attribute_enumerator = (void*)enumerator_create_empty,
},
.create_dns_enumerator = _create_dns_enumerator,
.destroy = _destroy,
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identifi
100 5229 100 5229 0 0 26091 0 --:--:-- --:--:-- --:--:-- 26145
cation.c
index d31955b3806..58a05052dc1 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -1625,7 +1625,7 @@ static private_identification_t *identification_create(id_type_t type)
this->public.hash = _hash_binary;
this->public.equals = _equals_binary;
this->public.matches = _matches_any;
- this->public.contains_wildcards = return_true;
+ this->public.contains_wildcards = (void*)return_true;
break;
case ID_FQDN:
case ID_RFC822_ADDR:
@@ -1660,13 +1660,13 @@ static private_identification_t *identification_create(id_type_t type)
this->public.hash = _hash_binary;
this->public.equals = _equals_binary;
this->public.matches = _matches_range;
- this->public.contains_wildcards = return_false;
+ this->public.contains_wildcards = (void*)return_false;
break;
default:
this->public.hash = _hash_binary;
this->public.equals = _equals_binary;
this->public.matches = _matches_binary;
- this->public.contains_wildcards = return_false;
+ this->public.contains_wildcards = (void*)return_false;
break;
}
return this;

311
strongswan.spec
View File

@@ -1,85 +1,47 @@
%global _hardened_build 1
#%%define prerelease dr1
%global dist .nhrp.11%{?dist}
%bcond_without python3
%bcond_without perl
%bcond_with check
%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
# trousers was retired for F36+ and no longer available in RHEL with 9+
%bcond_without tss_trousers
%else
%bcond_with tss_trousers
%endif
%global forgeurl0 https://github.com/strongswan/strongswan
%global dist .nhrp.9%{?dist}
Name: strongswan
Version: 5.9.14
Release: 5%{?dist}
Version: 5.9.4
Release: 1%{?dist}
Summary: An OpenSource IPsec-based VPN and TNC solution
# Automatically converted from old format: GPLv2+ - review is highly recommended.
License: GPL-2.0-or-later
URL: https://www.strongswan.org/
VCS: git:%{forgeurl0}
Source0: https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
Source1: https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
Source2: https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
Source3: tmpfiles-strongswan.conf
Patch0: strongswan-5.6.0-uintptr_t.patch
# https://github.com/strongswan/strongswan/issues/1198
Patch1: strongswan-5.9.7-error-no-format.patch
Patch2: strongswan-6.0.0-gcc15.patch
Patch3: strongswan-6.0.1-gcc15.patch
License: GPLv2+
URL: http://www.strongswan.org/
Source0: http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
Source1: tmpfiles-strongswan.conf
Patch0: strongswan-5.9.1-runtime-dir.patch
Patch1: strongswan-5.6.0-uintptr_t.patch
Patch3: strongswan-5.6.2-CVE-2018-5388.patch
Patch10: 0001-charon-add-optional-source-and-remote-overrides-for-.patch
Patch11: 0002-vici-send-certificates-for-ike-sa-events.patch
Patch12: 0003-vici-add-support-for-individual-sa-state-changes.patch
Patch13: 0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch
Patch13: 0004-vyos-terminate-connections-source-dest.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gnupg2
BuildRequires: make
# only needed for pre-release versions
#BuildRequires: autoconf automake
BuildRequires: make
BuildRequires: gcc
BuildRequires: systemd
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
BuildRequires: gmp-devel
BuildRequires: libcurl-devel
BuildRequires: openldap-devel
BuildRequires: openssl-devel
%if 0%{?fedora} >= 41
# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
BuildRequires: openssl-devel-engine
%endif
BuildRequires: sqlite-devel
BuildRequires: gettext-devel
BuildRequires: trousers-devel
BuildRequires: libxml2-devel
BuildRequires: pam-devel
BuildRequires: json-c-devel
BuildRequires: libgcrypt-devel
BuildRequires: systemd-devel
BuildRequires: iptables-devel
BuildRequires: libcap-devel
BuildRequires: tpm2-tss-devel
Recommends: tpm2-tools
%if %{with python3}
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-pytest
%endif
%if %{with perl}
BuildRequires: perl-devel perl-generators
BuildRequires: perl(ExtUtils::MakeMaker)
%endif
%if %{with tss_trousers}
BuildRequires: trousers-devel
%endif
BuildRequires: NetworkManager-libnm-devel
Requires(post): systemd
Requires(preun): systemd
@@ -99,8 +61,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
%package charon-nm
Summary: NetworkManager plugin for Strongswan
Requires: dbus
Obsoletes: strongswan-NetworkManager < 0:5.0.4-5
Conflicts: strongswan-NetworkManager < 0:5.0.4-5
Obsoletes: %{name}-NetworkManager < 0:5.0.4-5
Conflicts: %{name}-NetworkManager < 0:5.0.4-5
Conflicts: NetworkManager-strongswan < 1.4.2-1
%description charon-nm
NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -108,14 +70,14 @@ to NetworkManager.
%package sqlite
Summary: SQLite support for strongSwan
Requires: strongswan = %{version}-%{release}
Requires: %{name} = %{version}-%{release}
%description sqlite
The sqlite plugin adds an SQLite database backend to strongSwan.
%package tnc-imcvs
Summary: Trusted network connect (TNC)'s IMC/IMV functionality
Requires: strongswan = %{version}-%{release}
Requires: strongswan-sqlite = %{version}-%{release}
Requires: %{name} = %{version}-%{release}
Requires: %{name}-sqlite = %{version}-%{release}
%description tnc-imcvs
This package provides Trusted Network Connect's (TNC) architecture support.
It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -126,43 +88,20 @@ modules can be used by any third party TNC Client/Server implementation
possessing a standard IF-IMC/IMV interface. In addition, it implements
PT-TLS to support TNC over TLS.
%if %{with python3}
%package -n python3-vici
Summary: Strongswan Versatile IKE Configuration Interface python bindings
BuildArch: noarch
%description -n python3-vici
VICI is an attempt to improve the situation for system integrators by providing
a stable IPC interface, allowing external tools to query, configure
and control the IKE daemon.
The Versatile IKE Configuration Interface (VICI) python bindings provides module
for Strongswan runtime configuration from python applications.
%endif
%if %{with perl}
%package -n perl-vici
Summary: Strongswan Versatile IKE Configuration Interface perl bindings
BuildArch: noarch
%description -n perl-vici
VICI is an attempt to improve the situation for system integrators by providing
a stable IPC interface, allowing external tools to query, configure
and control the IKE daemon.
The Versatile IKE Configuration Interface (VICI) perl bindings provides module
for Strongswan runtime configuration from perl applications.
%endif
# TODO: make also ruby-vici
%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -n %{name}-%{version}%{?prerelease} -p1
%setup -q -n %{name}-%{version}%{?prerelease}
%patch0 -p1
%patch1 -p1
%patch3 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%build
# only for snapshots
autoreconf
#autoreconf
# --with-ipsecdir moves internal commands to /usr/libexec/strongswan
# --bindir moves 'pki' command to /usr/libexec/strongswan
@@ -177,7 +116,7 @@ autoreconf
--with-piddir=%{_rundir}/strongswan \
--with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
--enable-bypass-lan \
--enable-tss-tss2 \
--enable-tss-trousers \
--enable-nm \
--enable-systemd \
--enable-openssl \
@@ -232,6 +171,8 @@ autoreconf
--enable-imv-attestation \
--enable-imv-os \
--enable-imc-os \
--enable-imc-swid \
--enable-imv-swid \
--enable-imc-swima \
--enable-imv-swima \
--enable-imc-hcd \
@@ -239,77 +180,26 @@ autoreconf
--enable-curl \
--enable-cmd \
--enable-acert \
--enable-aikgen \
--enable-vici \
--enable-swanctl \
--enable-duplicheck \
%ifarch x86_64 %{ix86}
--enable-aesni \
%endif
%if %{with python3}
PYTHON=%{python3} --enable-python-eggs \
%endif
%if %{with perl}
--enable-perl-cpan \
%endif
%if %{with check}
--enable-test-vectors \
%endif
%if %{with tss_trousers}
--enable-tss-trousers \
--enable-aikgen \
%endif
--enable-kernel-libipsec \
--with-capabilities=libcap \
CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
# TODO: --enable-python-eggs-install not python3 ready
# disable certain plugins in the daemon configuration by default
for p in bypass-lan; do
echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
done
# ensure manual page is regenerated with local configuration
rm -f src/ipsec/_ipsec.8
%make_build
pushd src/libcharon/plugins/vici
%if %{with python3}
pushd python
%make_build
sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
#py3_build
popd
%endif
%if %{with perl}
pushd perl/Vici-Session/
perl Makefile.PL INSTALLDIRS=vendor
%make_build
popd
%endif
popd
make %{?_smp_mflags}
%install
%make_install
pushd src/libcharon/plugins/vici
%if %{with python3}
pushd python
# TODO: --enable-python-eggs breaks our previous build. Do it now
# propose better way to upstream
%py3_build
%py3_install
popd
%endif
%if %{with perl}
%make_install -C perl/Vici-Session
rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
%endif
popd
make install DESTDIR=%{buildroot}
# prefix man pages
for i in %{buildroot}%{_mandir}/*/*; do
if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -328,31 +218,16 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
done
install -d -m 0700 %{buildroot}%{_rundir}/strongswan
install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
%check
%if %{with check}
# Seen some tests hang. Ensure we do not block builder forever
export TESTS_VERBOSITY=1
timeout 600 %make_build check
%endif
%if %{with python}
pushd src/libcharon/plugins/vici
%pytest
popd
%endif
:
install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
%post
%systemd_post strongswan.service strongswan-starter.service
%systemd_post %{name}.service
%preun
%systemd_preun strongswan.service strongswan-starter.service
%systemd_preun %{name}.service
%postun
%systemd_postun_with_restart strongswan.service strongswan-starter.service
%systemd_postun_with_restart %{name}.service
%files
%doc README NEWS TODO ChangeLog
@@ -387,7 +262,6 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
%{_datadir}/strongswan/templates/database/
%attr(0755,root,root) %dir %{_rundir}/strongswan
%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
%files sqlite
%{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -414,108 +288,7 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
%{_libexecdir}/strongswan/charon-nm
%if %{with python3}
%files -n python3-vici
%license COPYING
%doc src/libcharon/plugins/vici/python/README.rst
%{python3_sitelib}/vici
%{python3_sitelib}/vici-%{version}-py*.egg-info
%endif
%if %{with perl}
%license COPYING
%files -n perl-vici
%{perl_vendorlib}/Vici
%endif
%changelog
* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
- convert license to SPDX
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
- Rebuilt for Python 3.13
* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
- Resolves: rhbz#2214186 strongswan-5.9.11 is available
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
- Rebuilt for Python 3.12
* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
- Update to 5.9.10
* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
- Use configure paths in manual pages (#2106120)
* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
- Update to 5.9.9 (#2157850)
* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
- Add BR perl-generators to automatically generates run-time dependencies
for installed Perl files
* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
- Resolves rhbz#2112274 strongswan-5.9.8 is available
- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
- Add BuildRequire for autoconf and automake, now required for release
- Remove obsolete patches
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
- Resolves rhbz#2080070 strongswan-5.9.6 is available
- Fixed missing format string in enum_flags_to_string()
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
- Rebuilt for Python 3.11
* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
- Use newly published/cleaned strongswan gpg key
* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
- Resolves rhbz#1419441 Add python and perl vici bindings
- Adds optional tests run
* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
- Return to using tmpfiles, but extend to cover strongswan-starter service too
- Cleanup old patches
* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
- Resolves: rhbz#2015165 strongswan-5.9.4 is available
- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature