4 files changed, 128 insertions, 70 deletions
diff --git a/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch b/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
new file mode 100644
index 0000000000..2c9a1db4fd
--- /dev/null
+++ b/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
@@ -0,0 +1,95 @@
+From 7c7f85a0fd7e6f90c19d797304410da3925a9f96 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 3 Aug 2015 13:55:36 +0200
+Subject: [PATCH] auth-cfg: Similar to certificates matching one CA should be
+ enough
+
+Not sure if defining multiple CA constraints and enforcing _all_ of them,
+that is, the previous behavior, makes even sense. To ensure a very specific
+chain it should be enough to define the last intermediate CA. On the
+other hand, the ability to define multiple CAs could simplify configuration.
+
+This can currently only be used with swanctl/VICI based configs as `rightca`
+only takes a single DN.
+---
+ src/libstrongswan/credentials/auth_cfg.c | 35 ++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
+index 0ca45a1..9b57631 100644
+--- a/src/libstrongswan/credentials/auth_cfg.c
++++ b/src/libstrongswan/credentials/auth_cfg.c
+@@ -514,9 +514,10 @@ METHOD(auth_cfg_t, complies, bool,
+ private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
+ {
+ enumerator_t *e1, *e2;
+- bool success = TRUE, group_match = FALSE, cert_match = FALSE;
++ bool success = TRUE, group_match = FALSE;
++ bool ca_match = FALSE, cert_match = FALSE;
+ identification_t *require_group = NULL;
+- certificate_t *require_cert = NULL;
++ certificate_t *require_ca = NULL, *require_cert = NULL;
+ signature_scheme_t scheme = SIGN_UNKNOWN;
+ u_int strength = 0;
+ auth_rule_t t1, t2;
+@@ -531,26 +532,21 @@ METHOD(auth_cfg_t, complies, bool,
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ {
+- certificate_t *c1, *c2;
++ certificate_t *cert;
+
+- c1 = (certificate_t*)value;
++ /* for CA certs, a match of a single cert is sufficient */
++ require_ca = (certificate_t*)value;
+
+- success = FALSE;
+ e2 = create_enumerator(this);
+- while (e2->enumerate(e2, &t2, &c2))
++ while (e2->enumerate(e2, &t2, &cert))
+ {
+ if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
+- c1->equals(c1, c2))
++ cert->equals(cert, require_ca))
+ {
+- success = TRUE;
++ ca_match = TRUE;
+ }
+ }
+ e2->destroy(e2);
+- if (!success && log_error)
+- {
+- DBG1(DBG_CFG, "constraint check failed: peer not "
+- "authenticated by CA '%Y'.", c1->get_subject(c1));
+- }
+ break;
+ }
+ case AUTH_RULE_SUBJECT_CERT:
+@@ -853,13 +849,22 @@ METHOD(auth_cfg_t, complies, bool,
+ }
+ return FALSE;
+ }
+-
++ if (require_ca && !ca_match)
++ {
++ if (log_error)
++ {
++ DBG1(DBG_CFG, "constraint check failed: peer not "
++ "authenticated by CA '%Y'",
++ require_ca->get_subject(require_ca));
++ }
++ return FALSE;
++ }
+ if (require_cert && !cert_match)
+ {
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: peer not "
+- "authenticated with peer cert '%Y'.",
++ "authenticated with peer cert '%Y'",
+ require_cert->get_subject(require_cert));
+ }
+ return FALSE;
+--
+2.5.0
+
diff --git a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
index a52450306c..c42b40d2d3 100644
--- a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+++ b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
@@ -1,4 +1,4 @@
-From b8b84525b8c8c9e5cc1d1409a89347bb8869f893 Mon Sep 17 00:00:00 2001
+From 728f1a0afc45264715ee7a77d5ce6614cec42863 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Thu, 30 Apr 2015 10:58:15 +0300
 Subject: [PATCH] vici: add support rekeying events, and individual sa state
@@ -11,14 +11,14 @@ Useful for monitoring and tracking full SA.
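Review bot: `require_ca` is overwritten on every AUTH_RULE_CA_CERT/AUTH_RULE_IM_CERT constraint in the enumeration, so when several CA constraints are configured and none is met, the DBG1 in the new `if (require_ca && !ca_match)` block names only the last one, which can send an operator looking at the wrong certificate. A comment at the assignment, `/* last CA constraint seen; the failure log below names only this one */`, would make that explicit, or the failing subject could be logged inside the loop where each constraint is still in hand. This also turns several CA constraints from all-must-match into any-may-match, as the patch subject says; a configuration that lists several CAs is now satisfied by any one of them appearing in the peer's chain, which is worth stating next to the `/* for CA certs, a match of a single cert is sufficient */` comment so nobody reads the list as a conjunction. The complies() body begins and ends outside the hunk.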
 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 160 ++++++++++++++++++++++++++++++++
- 1 file changed, 160 insertions(+)
+ src/libcharon/plugins/vici/vici_query.c | 176 ++++++++++++++++++++++++++++++++
+ 1 file changed, 176 insertions(+)
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 3d461f7..ade181c 100644
+index 3d461f7..316c698 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1065,7 +1065,13 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1065,7 +1065,17 @@ static void manage_commands(private_vici_query_t *this, bool reg)
  this->dispatcher->manage_event(this->dispatcher, "list-conn", reg);
  this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
  this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
@@ -27,12 +27,16 @@ index 3d461f7..ade181c 100644
 + this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
  this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
 + this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
++ this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg);
 + this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg);
++ this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg);
++ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg);
++ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg);
 + this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg);
  manage_command(this, "list-sas", list_sas, reg);
  manage_command(this, "list-policies", list_policies, reg);
  manage_command(this, "list-conns", list_conns, reg);
-@@ -1100,6 +1106,77 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1100,6 +1110,77 @@ METHOD(listener_t, ike_updown, bool,
  return TRUE;
  }
@@ -110,7 +114,7 @@ index 3d461f7..ade181c 100644
  METHOD(listener_t, child_updown, bool,
  private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
  {
-@@ -1131,6 +1208,85 @@ METHOD(listener_t, child_updown, bool,
+@@ -1131,6 +1212,97 @@ METHOD(listener_t, child_updown, bool,
  return TRUE;
  }
@@ -158,9 +162,21 @@ index 3d461f7..ade181c 100644
 +
 + switch (state)
 + {
++ case CHILD_INSTALLING:
++ event = "child-state-installing";
++ break;
 + case CHILD_INSTALLED:
 + event = "child-state-installed";
 + break;
++ case CHILD_UPDATING:
++ event = "child-state-updating";
++ break;
++ case CHILD_REKEYING:
++ event = "child-state-rekeying";
++ break;
++ case CHILD_REKEYED:
++ event = "child-state-rekeyed";
++ break;
 + case CHILD_DESTROYING:
 + event = "child-state-destroying";
 + break;
@@ -196,7 +212,7 @@ index 3d461f7..ade181c 100644
  METHOD(vici_query_t, destroy, void,
  private_vici_query_t *this)
  {
-@@ -1149,7 +1305,11 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -1149,7 +1321,11 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
  .public = {
  .listener = {
  .ike_updown = _ike_updown,
@@ -209,5 +225,5 @@ index 3d461f7..ade181c 100644
  .destroy = _destroy,
  },
 --
-2.4.6
+2.5.0
diff --git a/main/strongswan/2002-fix-multiple-cacerts.patch b/main/strongswan/2002-fix-multiple-cacerts.patch
deleted file mode 100644
index 07a6de929e..0000000000
--- a/main/strongswan/2002-fix-multiple-cacerts.patch
+++ /dev/null
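Review bot: The four new `child-state-*` names are written out twice in the patched vici_query.c, once in the manage_event() registrations in manage_commands() and once in the `switch (state)` that picks `event`, and nothing ties the two lists together, so a state added to one list and not the other would compile cleanly and either raise an event that was never registered or silently drop one. A comment on the switch, `/* keep in sync with the child-state-* events registered in manage_commands() */`, is the minimum; a single static table of (state, name) pairs read by both places would remove the duplication. The function holding the switch starts and ends outside the hunk, so whether the remaining child states fall into a default that skips the event is not visible here.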
@@ -1,53 +0,0 @@
-diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
-index 0ca45a1..64155a0 100644
---- a/src/libstrongswan/credentials/auth_cfg.c
-+++ b/src/libstrongswan/credentials/auth_cfg.c
-@@ -515,6 +515,7 @@ METHOD(auth_cfg_t, complies, bool,
- {
- enumerator_t *e1, *e2;
- bool success = TRUE, group_match = FALSE, cert_match = FALSE;
-+ bool require_ca = FALSE, ca_match = FALSE;
- identification_t *require_group = NULL;
- certificate_t *require_cert = NULL;
- signature_scheme_t scheme = SIGN_UNKNOWN;
-@@ -535,22 +536,17 @@ METHOD(auth_cfg_t, complies, bool,
-
- c1 = (certificate_t*)value;
-
-- success = FALSE;
-+ require_ca = TRUE;
- e2 = create_enumerator(this);
- while (e2->enumerate(e2, &t2, &c2))
- {
- if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
- c1->equals(c1, c2))
- {
-- success = TRUE;
-+ ca_match = TRUE;
- }
- }
- e2->destroy(e2);
-- if (!success && log_error)
-- {
-- DBG1(DBG_CFG, "constraint check failed: peer not "
-- "authenticated by CA '%Y'.", c1->get_subject(c1));
-- }
- break;
- }
- case AUTH_RULE_SUBJECT_CERT:
-@@ -844,6 +840,15 @@ METHOD(auth_cfg_t, complies, bool,
- e2->destroy(e2);
- }
-
-+ if (require_ca && !ca_match)
-+ {
-+ if (log_error)
-+ {
-+ DBG1(DBG_CFG, "constraint check failed: no matching CA found");
-+ }
-+ return FALSE;
-+ }
-+
- if (require_group && !group_match)
- {
- if (log_error)
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index aa066af470..fe92b4b7b3 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -3,7 +3,7 @@ pkgname=strongswan
 pkgver=5.3.2
 _pkgver=${pkgver//_rc/rc}
-pkgrel=9
+pkgrel=10
 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
 url="http://www.strongswan.org/"
 arch="all"
@@ -46,12 +46,12 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+ 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
 1001-charon-add-optional-source-and-remote-overrides-for-.patch
 1002-vici-send-certificates-for-ike-sa-events.patch
 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 1004-vici-support-asynchronous-initiation.patch
 2001-support-gre-key-in-ikev1.patch
- 2002-fix-multiple-cacerts.patch
 strongswan.initd
 charon.initd"
@@ -165,12 +165,12 @@ c46165934687326a26ec9153a34e2227 0205-ike-Adhere-to-IKE_SA-limit-when-checking-
 c7c0338de6dc4993cb8cb71238fd13dc 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 2d191d850683a6ed34f171ed64b643f0 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
 b361ef4d3ed853620febc2117b4aa6cf 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+d4f9141b0e63a1af35df04d970e27af7 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
 06607758b690f2db961d84e26ee7d6ea 1001-charon-add-optional-source-and-remote-overrides-for-.patch
 1aae491acf4739d871a64cd4481551f6 1002-vici-send-certificates-for-ike-sa-events.patch
-b0f2d10bc3dc89f3bba28fead6687311 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+41a343863ffc1259c8a64771cd85c724 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 ca53b3df714aa588af99d4f720c4318b 1004-vici-support-asynchronous-initiation.patch
 b9f874287c35cce075b761087c28ab50 2001-support-gre-key-in-ikev1.patch
-0aecbf5f7b900f272151363db1a00846 2002-fix-multiple-cacerts.patch
 85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
 7962a720ebef6892d80a3cbdab72c204 charon.initd"
 sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2
@@ -204,12 +204,12 @@ d5e0fa9012e5d4f35b5fe903fe555019c639000f75cd269acd73126f2105149b 0301-ikev1-Ass
 74a12c42d63d6e9e920afc976b287144118c79740743beec769e5a9f239acac6 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 6eec00bdb7778a51d04157ec640394959d599f3b8cef6bad0d875658cace99ea 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
 a558247c9b6eeabfa2a677440a3e25a0841171347484d624c6c4668f9064b67d 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+b591c93065a018cf79f8f39041a196b2142c5de0bda6b8eed2590be993329266 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
 d2f05dc1d3e921358ca2ba8c7c68cbfa3eca3fdc108fd2b89311d8b25ff6f4bc 1001-charon-add-optional-source-and-remote-overrides-for-.patch
 b2a6f23ede01b2d24ff973dc6c1466dc5600df259eb35d3ea6efa9a4e322ae34 1002-vici-send-certificates-for-ike-sa-events.patch
-c0b39aaaf97f3797ef327a465e1468aa166044875b194e899999dc7c0723fc4c 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+811a0b67311546ec5371ce4322b1f69886be7754875c2522ebaeff08713bd26e 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 cd0de223af1f831232b2339de4ec6f902bf8fbd826aed85aa70aedfb961b1ea1 1004-vici-support-asynchronous-initiation.patch
 ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18 2001-support-gre-key-in-ikev1.patch
-fe0f3503c3b42af23a98cec4d0eeb9ab7aae0dc35c70ce9c533307a89fb3ee79 2002-fix-multiple-cacerts.patch
 ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
 97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
 sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2
@@ -243,11 +243,11 @@ b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88a
 86f244b3d8b35e8b9e25692554b7e8711bc663843e316e8895b340b3bd567c38543d24367250c93910b5d9462a2901bfc7717b5e3824f4682b4c736d33450834 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 f0dfb8aee6fd456d5d330d9a1212842ecd7f88b9b76bb1667dacdbbb2c38369fa089df6ce13c6363735012f653df91b4bbb082a970a11ec63e6a2d14ca2b0ec2 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
 dad393b5d8b5152d7544a42818c446098b748cf4114b544d0bcf6a039c5f9f266ac850f6725b58d653186dcd23cae8a9db627f245412ad1cd3b5a4ccadc90825 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+bc31b3fa089e594e7989e6cb095eb144cfdad55f991729235fda98e010bf715f5efb4b65f2ef2fd12bbc2d5c48e40f6010554bff43b30c7978402247114263e0 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
 2522571163b1d6de0aae2e2c1c2db69c52c3ff76e27a383e8a01e0933a0c0a06212168b1356308d6fd548aa7416d88ecd2bcfc79d3391ff17e6c799e83c5f88d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
 ccf60c52d75b3f2eff719fbac1403eb141029651fccf2a1927ec4dffc0ccdc49c061a4971c38a0f37a32b2a53aa79422e17f3f993c48ebbcd07840a867c15881 1002-vici-send-certificates-for-ike-sa-events.patch
-1ea845551c7da2a7817e34508b0da3f3f0bba879f3b95d08c8db0a6b32adaf50363556daa6ee2e0f11c1ee6c41077d39ba54dbd40e457a02a991add19fe115ef 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+98b46369adcbe86635a83779ed54b192c67ef34310a42f0c131f3ce50f2d46e3135caefeece6993a9ac92abba1a38854b128f4687dec0eb30b108788386688ea 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 e65579093692ca58314245d1dd3e5b4bdbff0603e5dc7baf3f80d7d9f415f62ae1656ef67da8a36efdec58235b6b1862d63c13991f1e5fefc02d8ee39d6dc9b6 1004-vici-support-asynchronous-initiation.patch
 723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771 2001-support-gre-key-in-ikev1.patch
-845f414f84984a044f493fd2b4e0deea5e0244938500b5d61f34b7c4ab7896792abf3685d6bf04f28c68261ce8103d1dd14aee82bd9f303ddac8aae24c7ab33a 2002-fix-multiple-cacerts.patch b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd 6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd" |