aboutsummaryrefslogtreecommitdiffstats
path: root/main/strongswan
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2015-08-06 16:42:20 +0300
committerTimo Teräs <timo.teras@iki.fi>2015-08-06 16:44:08 +0300
commitae3ab41b772ff36a0091d472f81c503ffbe93294 (patch)
tree241e3058c628cdd1ad1b1ca3978d21bfb65cbd26 /main/strongswan
parent8be40b15b63d279a0f1ce78e612e1f407dffcbe6 (diff)
downloadaports-ae3ab41b772ff36a0091d472f81c503ffbe93294.tar.bz2
aports-ae3ab41b772ff36a0091d472f81c503ffbe93294.tar.xz
main/strongswan: minor update to patches
- take the multiple CA fixes from upstream git branch - add more child_sa states that can be monitored
Diffstat (limited to 'main/strongswan')
-rw-r--r--main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch95
-rw-r--r--main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch34
-rw-r--r--main/strongswan/2002-fix-multiple-cacerts.patch53
-rw-r--r--main/strongswan/APKBUILD16
4 files changed, 128 insertions, 70 deletions
diff --git a/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch b/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
new file mode 100644
index 0000000000..2c9a1db4fd
--- /dev/null
+++ b/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
@@ -0,0 +1,95 @@
+From 7c7f85a0fd7e6f90c19d797304410da3925a9f96 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 3 Aug 2015 13:55:36 +0200
+Subject: [PATCH] auth-cfg: Similar to certificates matching one CA should be
+ enough
+
+Not sure if defining multiple CA constraints and enforcing _all_ of them,
+that is, the previous behavior, makes even sense. To ensure a very specific
+chain it should be enough to define the last intermediate CA. On the
+other hand, the ability to define multiple CAs could simplify configuration.
+
+This can currently only be used with swanctl/VICI based configs as `rightca`
+only takes a single DN.
+---
+ src/libstrongswan/credentials/auth_cfg.c | 35 ++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
+index 0ca45a1..9b57631 100644
+--- a/src/libstrongswan/credentials/auth_cfg.c
++++ b/src/libstrongswan/credentials/auth_cfg.c
+@@ -514,9 +514,10 @@ METHOD(auth_cfg_t, complies, bool,
+ private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
+ {
+ enumerator_t *e1, *e2;
+- bool success = TRUE, group_match = FALSE, cert_match = FALSE;
++ bool success = TRUE, group_match = FALSE;
++ bool ca_match = FALSE, cert_match = FALSE;
+ identification_t *require_group = NULL;
+- certificate_t *require_cert = NULL;
++ certificate_t *require_ca = NULL, *require_cert = NULL;
+ signature_scheme_t scheme = SIGN_UNKNOWN;
+ u_int strength = 0;
+ auth_rule_t t1, t2;
+@@ -531,26 +532,21 @@ METHOD(auth_cfg_t, complies, bool,
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ {
+- certificate_t *c1, *c2;
++ certificate_t *cert;
+
+- c1 = (certificate_t*)value;
++ /* for CA certs, a match of a single cert is sufficient */
++ require_ca = (certificate_t*)value;
+
+- success = FALSE;
+ e2 = create_enumerator(this);
+- while (e2->enumerate(e2, &t2, &c2))
++ while (e2->enumerate(e2, &t2, &cert))
+ {
+ if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
+- c1->equals(c1, c2))
++ cert->equals(cert, require_ca))
+ {
+- success = TRUE;
++ ca_match = TRUE;
+ }
+ }
+ e2->destroy(e2);
+- if (!success && log_error)
+- {
+- DBG1(DBG_CFG, "constraint check failed: peer not "
+- "authenticated by CA '%Y'.", c1->get_subject(c1));
+- }
+ break;
+ }
+ case AUTH_RULE_SUBJECT_CERT:
+@@ -853,13 +849,22 @@ METHOD(auth_cfg_t, complies, bool,
+ }
+ return FALSE;
+ }
+-
++ if (require_ca && !ca_match)
++ {
++ if (log_error)
++ {
++ DBG1(DBG_CFG, "constraint check failed: peer not "
++ "authenticated by CA '%Y'",
++ require_ca->get_subject(require_ca));
++ }
++ return FALSE;
++ }
+ if (require_cert && !cert_match)
+ {
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: peer not "
+- "authenticated with peer cert '%Y'.",
++ "authenticated with peer cert '%Y'",
+ require_cert->get_subject(require_cert));
+ }
+ return FALSE;
+--
+2.5.0
+
diff --git a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
index a52450306c..c42b40d2d3 100644
--- a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+++ b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
@@ -1,4 +1,4 @@
-From b8b84525b8c8c9e5cc1d1409a89347bb8869f893 Mon Sep 17 00:00:00 2001
+From 728f1a0afc45264715ee7a77d5ce6614cec42863 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 30 Apr 2015 10:58:15 +0300
Subject: [PATCH] vici: add support rekeying events, and individual sa state
@@ -11,14 +11,14 @@ Useful for monitoring and tracking full SA.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
- src/libcharon/plugins/vici/vici_query.c | 160 ++++++++++++++++++++++++++++++++
- 1 file changed, 160 insertions(+)
+ src/libcharon/plugins/vici/vici_query.c | 176 ++++++++++++++++++++++++++++++++
+ 1 file changed, 176 insertions(+)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 3d461f7..ade181c 100644
+index 3d461f7..316c698 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1065,7 +1065,13 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1065,7 +1065,17 @@ static void manage_commands(private_vici_query_t *this, bool reg)
this->dispatcher->manage_event(this->dispatcher, "list-conn", reg);
this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
@@ -27,12 +27,16 @@ index 3d461f7..ade181c 100644
+ this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
+ this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
++ this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg);
+ this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg);
++ this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg);
++ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg);
++ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg);
+ this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg);
manage_command(this, "list-sas", list_sas, reg);
manage_command(this, "list-policies", list_policies, reg);
manage_command(this, "list-conns", list_conns, reg);
-@@ -1100,6 +1106,77 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1100,6 +1110,77 @@ METHOD(listener_t, ike_updown, bool,
return TRUE;
}
@@ -110,7 +114,7 @@ index 3d461f7..ade181c 100644
METHOD(listener_t, child_updown, bool,
private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
{
-@@ -1131,6 +1208,85 @@ METHOD(listener_t, child_updown, bool,
+@@ -1131,6 +1212,97 @@ METHOD(listener_t, child_updown, bool,
return TRUE;
}
@@ -158,9 +162,21 @@ index 3d461f7..ade181c 100644
+
+ switch (state)
+ {
++ case CHILD_INSTALLING:
++ event = "child-state-installing";
++ break;
+ case CHILD_INSTALLED:
+ event = "child-state-installed";
+ break;
++ case CHILD_UPDATING:
++ event = "child-state-updating";
++ break;
++ case CHILD_REKEYING:
++ event = "child-state-rekeying";
++ break;
++ case CHILD_REKEYED:
++ event = "child-state-rekeyed";
++ break;
+ case CHILD_DESTROYING:
+ event = "child-state-destroying";
+ break;
@@ -196,7 +212,7 @@ index 3d461f7..ade181c 100644
METHOD(vici_query_t, destroy, void,
private_vici_query_t *this)
{
-@@ -1149,7 +1305,11 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -1149,7 +1321,11 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
.public = {
.listener = {
.ike_updown = _ike_updown,
@@ -209,5 +225,5 @@ index 3d461f7..ade181c 100644
.destroy = _destroy,
},
--
-2.4.6
+2.5.0
diff --git a/main/strongswan/2002-fix-multiple-cacerts.patch b/main/strongswan/2002-fix-multiple-cacerts.patch
deleted file mode 100644
index 07a6de929e..0000000000
--- a/main/strongswan/2002-fix-multiple-cacerts.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
-index 0ca45a1..64155a0 100644
---- a/src/libstrongswan/credentials/auth_cfg.c
-+++ b/src/libstrongswan/credentials/auth_cfg.c
-@@ -515,6 +515,7 @@ METHOD(auth_cfg_t, complies, bool,
- {
- enumerator_t *e1, *e2;
- bool success = TRUE, group_match = FALSE, cert_match = FALSE;
-+ bool require_ca = FALSE, ca_match = FALSE;
- identification_t *require_group = NULL;
- certificate_t *require_cert = NULL;
- signature_scheme_t scheme = SIGN_UNKNOWN;
-@@ -535,22 +536,17 @@ METHOD(auth_cfg_t, complies, bool,
-
- c1 = (certificate_t*)value;
-
-- success = FALSE;
-+ require_ca = TRUE;
- e2 = create_enumerator(this);
- while (e2->enumerate(e2, &t2, &c2))
- {
- if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
- c1->equals(c1, c2))
- {
-- success = TRUE;
-+ ca_match = TRUE;
- }
- }
- e2->destroy(e2);
-- if (!success && log_error)
-- {
-- DBG1(DBG_CFG, "constraint check failed: peer not "
-- "authenticated by CA '%Y'.", c1->get_subject(c1));
-- }
- break;
- }
- case AUTH_RULE_SUBJECT_CERT:
-@@ -844,6 +840,15 @@ METHOD(auth_cfg_t, complies, bool,
- e2->destroy(e2);
- }
-
-+ if (require_ca && !ca_match)
-+ {
-+ if (log_error)
-+ {
-+ DBG1(DBG_CFG, "constraint check failed: no matching CA found");
-+ }
-+ return FALSE;
-+ }
-+
- if (require_group && !group_match)
- {
- if (log_error)
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index aa066af470..fe92b4b7b3 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -3,7 +3,7 @@
pkgname=strongswan
pkgver=5.3.2
_pkgver=${pkgver//_rc/rc}
-pkgrel=9
+pkgrel=10
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="http://www.strongswan.org/"
arch="all"
@@ -46,12 +46,12 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
0401-printf-hook-builtin-Fix-invalid-memory-access.patch
0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+ 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
1001-charon-add-optional-source-and-remote-overrides-for-.patch
1002-vici-send-certificates-for-ike-sa-events.patch
1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
1004-vici-support-asynchronous-initiation.patch
2001-support-gre-key-in-ikev1.patch
- 2002-fix-multiple-cacerts.patch
strongswan.initd
charon.initd"
@@ -165,12 +165,12 @@ c46165934687326a26ec9153a34e2227 0205-ike-Adhere-to-IKE_SA-limit-when-checking-
c7c0338de6dc4993cb8cb71238fd13dc 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
2d191d850683a6ed34f171ed64b643f0 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
b361ef4d3ed853620febc2117b4aa6cf 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+d4f9141b0e63a1af35df04d970e27af7 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
06607758b690f2db961d84e26ee7d6ea 1001-charon-add-optional-source-and-remote-overrides-for-.patch
1aae491acf4739d871a64cd4481551f6 1002-vici-send-certificates-for-ike-sa-events.patch
-b0f2d10bc3dc89f3bba28fead6687311 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+41a343863ffc1259c8a64771cd85c724 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
ca53b3df714aa588af99d4f720c4318b 1004-vici-support-asynchronous-initiation.patch
b9f874287c35cce075b761087c28ab50 2001-support-gre-key-in-ikev1.patch
-0aecbf5f7b900f272151363db1a00846 2002-fix-multiple-cacerts.patch
85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
7962a720ebef6892d80a3cbdab72c204 charon.initd"
sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2
@@ -204,12 +204,12 @@ d5e0fa9012e5d4f35b5fe903fe555019c639000f75cd269acd73126f2105149b 0301-ikev1-Ass
74a12c42d63d6e9e920afc976b287144118c79740743beec769e5a9f239acac6 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
6eec00bdb7778a51d04157ec640394959d599f3b8cef6bad0d875658cace99ea 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
a558247c9b6eeabfa2a677440a3e25a0841171347484d624c6c4668f9064b67d 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+b591c93065a018cf79f8f39041a196b2142c5de0bda6b8eed2590be993329266 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
d2f05dc1d3e921358ca2ba8c7c68cbfa3eca3fdc108fd2b89311d8b25ff6f4bc 1001-charon-add-optional-source-and-remote-overrides-for-.patch
b2a6f23ede01b2d24ff973dc6c1466dc5600df259eb35d3ea6efa9a4e322ae34 1002-vici-send-certificates-for-ike-sa-events.patch
-c0b39aaaf97f3797ef327a465e1468aa166044875b194e899999dc7c0723fc4c 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+811a0b67311546ec5371ce4322b1f69886be7754875c2522ebaeff08713bd26e 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
cd0de223af1f831232b2339de4ec6f902bf8fbd826aed85aa70aedfb961b1ea1 1004-vici-support-asynchronous-initiation.patch
ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18 2001-support-gre-key-in-ikev1.patch
-fe0f3503c3b42af23a98cec4d0eeb9ab7aae0dc35c70ce9c533307a89fb3ee79 2002-fix-multiple-cacerts.patch
ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2
@@ -243,11 +243,11 @@ b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88a
86f244b3d8b35e8b9e25692554b7e8711bc663843e316e8895b340b3bd567c38543d24367250c93910b5d9462a2901bfc7717b5e3824f4682b4c736d33450834 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
f0dfb8aee6fd456d5d330d9a1212842ecd7f88b9b76bb1667dacdbbb2c38369fa089df6ce13c6363735012f653df91b4bbb082a970a11ec63e6a2d14ca2b0ec2 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
dad393b5d8b5152d7544a42818c446098b748cf4114b544d0bcf6a039c5f9f266ac850f6725b58d653186dcd23cae8a9db627f245412ad1cd3b5a4ccadc90825 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+bc31b3fa089e594e7989e6cb095eb144cfdad55f991729235fda98e010bf715f5efb4b65f2ef2fd12bbc2d5c48e40f6010554bff43b30c7978402247114263e0 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
2522571163b1d6de0aae2e2c1c2db69c52c3ff76e27a383e8a01e0933a0c0a06212168b1356308d6fd548aa7416d88ecd2bcfc79d3391ff17e6c799e83c5f88d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
ccf60c52d75b3f2eff719fbac1403eb141029651fccf2a1927ec4dffc0ccdc49c061a4971c38a0f37a32b2a53aa79422e17f3f993c48ebbcd07840a867c15881 1002-vici-send-certificates-for-ike-sa-events.patch
-1ea845551c7da2a7817e34508b0da3f3f0bba879f3b95d08c8db0a6b32adaf50363556daa6ee2e0f11c1ee6c41077d39ba54dbd40e457a02a991add19fe115ef 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+98b46369adcbe86635a83779ed54b192c67ef34310a42f0c131f3ce50f2d46e3135caefeece6993a9ac92abba1a38854b128f4687dec0eb30b108788386688ea 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
e65579093692ca58314245d1dd3e5b4bdbff0603e5dc7baf3f80d7d9f415f62ae1656ef67da8a36efdec58235b6b1862d63c13991f1e5fefc02d8ee39d6dc9b6 1004-vici-support-asynchronous-initiation.patch
723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771 2001-support-gre-key-in-ikev1.patch
-845f414f84984a044f493fd2b4e0deea5e0244938500b5d61f34b7c4ab7896792abf3685d6bf04f28c68261ce8103d1dd14aee82bd9f303ddac8aae24c7ab33a 2002-fix-multiple-cacerts.patch
b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd"