author | Christian Breunig <christian@breunig.cc> | 2023-11-24 20:54:26 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-24 20:54:26 +0100 |
commit | 360f7e2e0d29368c5fea462755b3915e1f539cd5 (patch) | |
tree | a1287a9ccfc952944c0c647e35044cc0825ab190 | |
parent | 884b3c9a9c7458f8ce2e9d67d9bedf1bf736d185 (diff) | |
parent | 68744626ea2650259a4d8daad528542556bb6188 (diff) | |
Merge pull request #457 from GurliGebis/T5754-strongswan-upgrade
T5754 strongswan upgrade
5 files changed, 87 insertions, 155 deletions
diff --git a/packages/strongswan/Jenkinsfile b/packages/strongswan/Jenkinsfile
index 13d6dd6c..d79941d7 100644
--- a/packages/strongswan/Jenkinsfile
+++ b/packages/strongswan/Jenkinsfile
@@ -21,9 +21,9 @@ def pkgList = [
 ['name': 'strongswan',
- 'scmCommit': 'debian/5.9.8-5',
+ 'scmCommit': 'debian/5.9.11-2',
 'scmUrl': 'https://salsa.debian.org/debian/strongswan.git',
- 'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; cd ..; ./build.sh'],
+ 'buildCmd': 'cd ..; ./build.sh'],
 ]
 // Start package build using library function from https://github.com/vyos/vyos-build
diff --git a/packages/strongswan/build.sh b/packages/strongswan/build.sh
index e5ffbffa..c0dab4d5 100755
--- a/packages/strongswan/build.sh
+++ b/packages/strongswan/build.sh
@@ -2,6 +2,35 @@ CWD=$(pwd)
 set -e
+# extracted build dependencies, as autogenerationg and installing them will fail :/
+sudo apt-get install -y bison \
+ bzip2 \
+ debhelper-compat \
+ dh-apparmor \
+ dpkg-dev \
+ flex \
+ gperf \
+ libiptc-dev \
+ libcap-dev \
+ libcurl3-dev \
+ libgcrypt20-dev \
+ libgmp3-dev \
+ libkrb5-dev \
+ libldap2-dev \
+ libnm-dev \
+ libpam0g-dev \
+ libsqlite3-dev \
+ libssl-dev \
+ libsystemd-dev \
+ libtool \
+ libtss2-dev \
+ libxml2-dev \
+ pkg-config \
+ po-debconf \
+ systemd \
+ libsystemd-dev \
+ tzdata
 SRC=strongswan
 if [ ! -d ${SRC} ]; then
 echo "Source directory does not exists, please 'git clone'"
@@ -21,7 +50,7 @@ fi
 cd ${SRC}
 echo "I: bump version"
-dch -v "5.9.8-5+vyos0" "Patchset for DMVPN support" -b
+dch -v "5.9.11-2+vyos0" "Patchset for DMVPN support" -b
 echo "I: Build Debian Package"
-dpkg-buildpackage -uc -us -tc -b
+dpkg-buildpackage -uc -us -tc -b -d
diff --git a/packages/strongswan/patches/0001-charon-add-optional-source-and-remote-overrides-for-.patch b/packages/strongswan/patches/0001-charon-add-optional-source-and-remote-overrides-for-.patch
index b791166a..ceb47350 100644
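Review bot: The hard-coded package list in the first build.sh hunk installs `libsystemd-dev` twice (once after `libssl-dev`, again after `systemd`), and unlike the `apt-get --yes --no-install-recommends` that the removed Jenkinsfile buildCmd passed to mk-build-deps, this call has no `--no-install-recommends`, so with apt's default behaviour the Recommends of every listed package are pulled into the build environment as well. Dropping the duplicate and changing the call to `sudo apt-get install -y --no-install-recommends bison \` keeps the build environment as narrow as it was before. The comment also has a typo, `autogenerationg` → `autogenerating`. Since this list is now maintained by hand it can drift from the upstream `debian/control` Build-Depends without anyone noticing; a comment recording where it came from, e.g. `# build dependencies copied from debian/control of the debian/5.9.11-2 tag`, makes it easier to re-check on the next upgrade.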
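Review bot: The `-d` added to the `dpkg-buildpackage` line in the second build.sh hunk disables dpkg's Build-Depends/Build-Conflicts check, so a missing or wrong entry in the hand-maintained apt-get list earlier in the file is no longer caught before the build starts; it would surface later as a configure or link failure, or not at all if a feature is silently configured out. The comment in the earlier hunk says only that generating and installing the dependencies "will fail", not which check fails, so it is unclear whether skipping the whole check is needed or only a single unresolvable entry is the problem. At minimum the flag deserves a comment next to it, e.g. `# -d: skip dpkg's Build-Depends check, dependencies are installed explicitly above`, so the next upgrade re-evaluates whether it is still required.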
--- a/packages/strongswan/patches/0001-charon-add-optional-source-and-remote-overrides-for-.patch +++ b/packages/strongswan/patches/0001-charon-add-optional-source-and-remote-overrides-for-.patch @@ -30,20 +30,20 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi> 11 files changed, 215 insertions(+), 47 deletions(-) diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c -index 8c09cac89..8582798d2 100644 +index 2e2cb3c..b9369a8 100644 --- a/src/charon-cmd/cmd/cmd_connection.c +++ b/src/charon-cmd/cmd/cmd_connection.c @@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this) child_cfg = create_child_cfg(this, peer_cfg); if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- controller_cb_empty, NULL, 0, FALSE) != SUCCESS) -+ NULL, NULL, controller_cb_empty, NULL, 0, FALSE) != SUCCESS) +- controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS) ++ NULL, NULL, controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS) { terminate(pid); } diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c -index cff504966..9c5afe833 100644 +index 027f48e..4ce8616 100644 --- a/src/libcharon/control/controller.c +++ b/src/libcharon/control/controller.c @@ -15,6 +15,28 @@ @@ -75,7 +75,7 @@ index cff504966..9c5afe833 100644 #include "controller.h" #include <sys/types.h> -@@ -102,6 +124,16 @@ struct interface_listener_t { +@@ -107,6 +129,16 @@ struct interface_listener_t { */ ike_sa_t *ike_sa; @@ -92,7 +92,7 @@ index cff504966..9c5afe833 100644 /** * unique ID, used for various methods */ -@@ -414,10 +446,15 @@ METHOD(job_t, initiate_execute, job_requeue_t, +@@ -417,10 +449,15 @@ METHOD(job_t, initiate_execute, job_requeue_t, ike_sa_t *ike_sa; interface_listener_t *listener = &job->listener; peer_cfg_t *peer_cfg = listener->peer_cfg; 
@@ -109,15 +109,15 @@ index cff504966..9c5afe833 100644 if (!ike_sa) { DESTROY_IF(listener->child_cfg); -@@ -492,6 +529,7 @@ METHOD(job_t, initiate_execute, job_requeue_t, +@@ -499,6 +536,7 @@ METHOD(job_t, initiate_execute, job_requeue_t, METHOD(controller_t, initiate, status_t, private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + host_t *my_host, host_t *other_host, - controller_cb_t callback, void *param, u_int timeout, bool limits) + controller_cb_t callback, void *param, level_t max_level, u_int timeout, + bool limits) { - interface_job_t *job; -@@ -514,6 +552,8 @@ METHOD(controller_t, initiate, status_t, +@@ -523,6 +561,8 @@ METHOD(controller_t, initiate, status_t, .status = FAILED, .child_cfg = child_cfg, .peer_cfg = peer_cfg, @@ -127,10 +127,10 @@ index cff504966..9c5afe833 100644 .options.limits = limits, }, diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h -index cdd3a5d43..507c19fb3 100644 +index 36a1d46..a130fbb 100644 --- a/src/libcharon/control/controller.h +++ b/src/libcharon/control/controller.h -@@ -80,6 +80,8 @@ struct controller_t { +@@ -81,6 +81,8 @@ struct controller_t { * * @param peer_cfg peer_cfg to use for IKE_SA setup * @param child_cfg optional child_cfg to set up CHILD_SA from @@ -138,25 +138,25 @@ index cdd3a5d43..507c19fb3 100644 + * @param other_host optional address hint for destination * @param cb logging callback * @param param parameter to include in each call of cb - * @param timeout timeout in ms to wait for callbacks, 0 to disable -@@ -93,6 +95,7 @@ struct controller_t { + * @param max_level maximum log level for which cb is invoked +@@ -95,6 +97,7 @@ struct controller_t { */ status_t (*initiate)(controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + host_t *my_host, host_t *other_host, - controller_cb_t callback, void *param, u_int timeout, - bool limits); + controller_cb_t callback, void *param, + level_t max_level, u_int timeout, bool limits); 
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c -index ba4e5bf9e..db2c6f00b 100644 +index 2824c93..21ff6b3 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg if (msg->output_verbosity < 0) { charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- NULL, NULL, 0, FALSE); -+ NULL, NULL, NULL, NULL, 0, FALSE); +- NULL, NULL, 0, 0, FALSE); ++ NULL, NULL, NULL, NULL, 0, 0, FALSE); } else { @@ -167,24 +167,24 @@ index ba4e5bf9e..db2c6f00b 100644 - peer_cfg, child_cfg, (controller_cb_t)stroke_log, + peer_cfg, child_cfg, NULL, NULL, + (controller_cb_t)stroke_log, - &info, this->timeout, FALSE); + &info, msg->output_verbosity, this->timeout, FALSE); switch (status) { diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index 0c061d4b2..2da616700 100644 +index 5221225..b1486e3 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c -@@ -2215,7 +2215,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, +@@ -2252,7 +2252,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), -- NULL, NULL, 0, FALSE); -+ NULL, NULL, NULL, NULL, 0, FALSE); +- NULL, NULL, 0, 0, FALSE); ++ NULL, NULL, NULL, NULL, 0, 0, FALSE); } } diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index 7b8ff1215..8d996c044 100644 +index 1c236d2..811d8db 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c @@ -15,6 +15,28 @@ 
@@ -238,7 +238,7 @@ index 7b8ff1215..8d996c044 100644 if (!child && !ike) { -@@ -199,31 +225,51 @@ CALLBACK(initiate, vici_message_t*, +@@ -199,31 +225,52 @@ CALLBACK(initiate, vici_message_t*, log_cb = (controller_cb_t)log_vici; } @@ -265,11 +265,12 @@ index 7b8ff1215..8d996c044 100644 + msg = send_reply(this, "%s config '%s' not found", type, sa); + goto ret; } -- switch (charon->controller->initiate(charon->controller, peer_cfg, -- child_cfg, log_cb, &log, timeout, limits)) +- switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, +- log_cb, &log, log.level, timeout, limits)) + switch (charon->controller->initiate(charon->controller, -+ peer_cfg, child_cfg, my_host, other_host, -+ log_cb, &log, timeout, limits)) ++ peer_cfg, child_cfg, ++ my_host, other_host, ++ log_cb, &log, log.level, timeout, limits)) { case SUCCESS: - return send_reply(this, NULL); @@ -297,22 +298,22 @@ index 7b8ff1215..8d996c044 100644 + return msg; } - CALLBACK(terminate, vici_message_t*, + /** diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c -index b966cd132..23ed1e01f 100644 +index 122e5ce..dec458c 100644 --- a/src/libcharon/processing/jobs/start_action_job.c +++ b/src/libcharon/processing/jobs/start_action_job.c @@ -84,7 +84,7 @@ METHOD(job_t, execute, job_requeue_t, charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), -- NULL, NULL, 0, FALSE); -+ NULL, NULL, NULL, NULL, 0, FALSE); +- NULL, NULL, 0, 0, FALSE); ++ NULL, NULL, NULL, NULL, 0, 0, FALSE); } } children->destroy(children); diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index c8d439630..d9c32d8cc 100644 +index fc31c2a..51e28bc 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -16,6 +16,28 @@ @@ -401,7 +402,7 @@ index c8d439630..d9c32d8cc 100644 } charon->bus->set_sa(charon->bus, ike_sa); 
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h -index 004cc2216..50f8246f8 100644 +index 004cc22..50f8246 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -123,7 +123,8 @@ struct ike_sa_manager_t { @@ -429,7 +430,7 @@ index 004cc2216..50f8246f8 100644 /** * Reset initiator SPI. diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c -index d8d8a421a..e7c906eb7 100644 +index d8d8a42..e7c906e 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void, @@ -456,32 +457,34 @@ index d8d8a421a..e7c906eb7 100644 - - ike_sa->set_peer_cfg(ike_sa, peer); - ike_cfg = ike_sa->get_ike_cfg(ike_sa); -+ { -+ ike_cfg_t *ike_cfg; -+ uint16_t port; -+ uint8_t mask; - +- - port = ike_cfg->get_other_port(ike_cfg); - data->dst->to_subnet(data->dst, &host, &mask); - host->set_port(host, port); - ike_sa->set_other_host(ike_sa, host); -+ ike_cfg = peer->get_ike_cfg(peer); - +- - port = ike_cfg->get_my_port(ike_cfg); - data->src->to_subnet(data->src, &host, &mask); - host->set_port(host, port); - ike_sa->set_my_host(ike_sa, host); -+ port = ike_cfg->get_other_port(ike_cfg); -+ data->dst->to_subnet(data->dst, &other_host, &mask); -+ other_host->set_port(other_host, port); - +- - charon->bus->set_sa(charon->bus, ike_sa); - } - } - else -- { + { - ike_sa = charon->ike_sa_manager->checkout_by_config( - charon->ike_sa_manager, peer); ++ ike_cfg_t *ike_cfg; ++ uint16_t port; ++ uint8_t mask; ++ ++ ike_cfg = peer->get_ike_cfg(peer); ++ ++ port = ike_cfg->get_other_port(ike_cfg); ++ data->dst->to_subnet(data->dst, &other_host, &mask); ++ other_host->set_port(other_host, port); ++ + port = ike_cfg->get_my_port(ike_cfg); + data->src->to_subnet(data->src, &my_host, &mask); + my_host->set_port(my_host, port); @@ -496,7 +499,7 @@ index d8d8a421a..e7c906eb7 100644 if (ike_sa) { 
diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c -index e0fffb907..dcaded59d 100644 +index e0fffb9..dcaded5 100644 --- a/src/swanctl/commands/initiate.c +++ b/src/swanctl/commands/initiate.c @@ -14,6 +14,28 @@ @@ -574,6 +577,3 @@ index e0fffb907..dcaded59d 100644 {"timeout", 't', 1, "timeout in seconds before detaching"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, --- -2.38.1 - diff --git a/packages/strongswan/patches/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch b/packages/strongswan/patches/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch index 085d1303..57a622e8 100644 --- a/packages/strongswan/patches/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch +++ b/packages/strongswan/patches/0004-VyOS-disable-options-enabled-by-Debian-that-are-unus.patch @@ -95,7 +95,7 @@ index 2fed1f10f..fa0d21a0c 100755 --enable-addrblock \ --enable-agent \ @@ -88,7 +97,7 @@ ifeq ($(DEB_HOST_ARCH_OS),kfreebsd) - endif + deb_systemdsystemunitdir = $(shell pkg-config --variable=systemdsystemunitdir systemd | sed s,^/,,) override_dh_auto_configure: - dh_auto_configure -- $(CONFIGUREARGS) diff --git a/packages/strongswan/patches/0005-vici-add-soft-lifetime-calculation-if-hard-lifetime-configured.patch b/packages/strongswan/patches/0005-vici-add-soft-lifetime-calculation-if-hard-lifetime-configured.patch deleted file mode 100644 index dc21a96d..00000000 --- a/packages/strongswan/patches/0005-vici-add-soft-lifetime-calculation-if-hard-lifetime-configured.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From a2b1e06f07569e8d3f08a37b68a206164b67fbe3 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner <tobias@strongswan.org> -Date: Tue, 6 Dec 2022 17:33:20 +0100 -Subject: [PATCH] vici: Base default soft lifetime on hard lifetime if - configured - -Depending on the configured hard lifetime the default soft lifetime -might not make sense and could even cause rekeying to get disabled. -To avoid that, derive the soft lifetime from the hard lifetime so it's -10% higher than the soft lifetime. - -References strongswan/strongswan#1414 ---- - src/libcharon/plugins/vici/vici_config.c | 46 ++++++++++++++++++++---- - 1 file changed, 40 insertions(+), 6 deletions(-) - -diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index 0c061d4b2d7..a59d799caf6 100644 ---- a/src/libcharon/plugins/vici/vici_config.c -+++ b/src/libcharon/plugins/vici/vici_config.c -@@ -1981,18 +1981,52 @@ CALLBACK(auth_sn, bool, - */ - static void check_lifetimes(lifetime_cfg_t *lft) - { -+ /* if no soft lifetime specified, set a default or base it on the hard lifetime */ -+ if (lft->time.rekey == LFT_UNDEFINED) -+ { -+ if (lft->time.life != LFT_UNDEFINED) -+ { -+ lft->time.rekey = lft->time.life / 1.1; -+ } -+ else -+ { -+ lft->time.rekey = LFT_DEFAULT_CHILD_REKEY_TIME; -+ } -+ } -+ if (lft->bytes.rekey == LFT_UNDEFINED) -+ { -+ if (lft->bytes.life != LFT_UNDEFINED) -+ { -+ lft->bytes.rekey = lft->bytes.life / 1.1; -+ } -+ else -+ { -+ lft->bytes.rekey = LFT_DEFAULT_CHILD_REKEY_BYTES; -+ } -+ } -+ if (lft->packets.rekey == LFT_UNDEFINED) -+ { -+ if (lft->packets.life != LFT_UNDEFINED) -+ { -+ lft->packets.rekey = lft->packets.life / 1.1; -+ } -+ else -+ { -+ lft->packets.rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS; -+ } -+ } - /* if no hard lifetime specified, add one at soft lifetime + 10% */ - if (lft->time.life == LFT_UNDEFINED) - { -- lft->time.life = lft->time.rekey * 110 / 100; -+ lft->time.life = lft->time.rekey * 1.1; - } - if (lft->bytes.life 
== LFT_UNDEFINED) - { -- lft->bytes.life = lft->bytes.rekey * 110 / 100; -+ lft->bytes.life = lft->bytes.rekey * 1.1; - } - if (lft->packets.life == LFT_UNDEFINED) - { -- lft->packets.life = lft->packets.rekey * 110 / 100; -+ lft->packets.life = lft->packets.rekey * 1.1; - } - /* if no rand time defined, use difference of hard and soft */ - if (lft->time.jitter == LFT_UNDEFINED) -@@ -2026,17 +2060,17 @@ CALLBACK(children_sn, bool, - .mode = MODE_TUNNEL, - .lifetime = { - .time = { -- .rekey = LFT_DEFAULT_CHILD_REKEY_TIME, -+ .rekey = LFT_UNDEFINED, - .life = LFT_UNDEFINED, - .jitter = LFT_UNDEFINED, - }, - .bytes = { -- .rekey = LFT_DEFAULT_CHILD_REKEY_BYTES, -+ .rekey = LFT_UNDEFINED, - .life = LFT_UNDEFINED, - .jitter = LFT_UNDEFINED, - }, - .packets = { -- .rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS, -+ .rekey = LFT_UNDEFINED, - .life = LFT_UNDEFINED, - .jitter = LFT_UNDEFINED, - }, |