upgrade isakmpd, add security fix
SVN-Revision: 4768
parent
550bdc5f80
commit
ebea7120f4
@ -9,14 +9,14 @@
|
|||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=isakmpd
|
PKG_NAME:=isakmpd
|
||||||
PKG_VERSION:=20040115cvs
|
PKG_VERSION:=20041012
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=1
|
||||||
|
|
||||||
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
|
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION).orig
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.gz
|
||||||
PKG_SOURCE_URL:=http://downloads.openwrt.org/sources/
|
PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/i/isakmpd/
|
||||||
PKG_MD5SUM:=9f59b10d57cfed5e95743255f1c1620d
|
PKG_MD5SUM:=e6d25a9e232fb186e1a48dc06453bd57
|
||||||
PKG_CAT:=bzcat
|
PKG_CAT:=zcat
|
||||||
|
|
||||||
PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
|
PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
|
||||||
|
|
||||||
@ -35,8 +35,10 @@ endef
|
|||||||
define Build/Compile
|
define Build/Compile
|
||||||
$(call Build/Compile/Default,LINUX_DIR="$(LINUX_DIR)" \
|
$(call Build/Compile/Default,LINUX_DIR="$(LINUX_DIR)" \
|
||||||
STAGING_DIR="$(STAGING_DIR)" \
|
STAGING_DIR="$(STAGING_DIR)" \
|
||||||
DESTDIR="$(PKG_INSTALL_DIR)")
|
DESTDIR="$(PKG_INSTALL_DIR)" \
|
||||||
|
)
|
||||||
$(MAKE) -C $(PKG_BUILD_DIR) \
|
$(MAKE) -C $(PKG_BUILD_DIR) \
|
||||||
|
STAGING_DIR="$(STAGING_DIR)" \
|
||||||
DESTDIR="$(PKG_INSTALL_DIR)" \
|
DESTDIR="$(PKG_INSTALL_DIR)" \
|
||||||
INSTALL="install -c" \
|
INSTALL="install -c" \
|
||||||
install-bin
|
install-bin
|
||||||
|
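Review bot: The new `PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/i/isakmpd/` in the first hunk fetches the tarball over plain HTTP, so `PKG_MD5SUM` is the only thing tying the build to the intended source, and MD5 is not collision-resistant. If this tree's download step accepts only an MD5 field, a comment such as `# tarball integrity rests on PKG_MD5SUM alone; check it against the Debian .dsc before bumping` would record that; where a stronger digest field is available it should be used instead. Debian pool directories also drop superseded files, so this URL may stop resolving; keeping a copy on the project's own source mirror (the URL this line replaces) would avoid that.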
@ -1,133 +0,0 @@
|
|||||||
diff -urN isakmpd/GNUmakefile isakmpd.new/GNUmakefile
|
|
||||||
--- isakmpd/GNUmakefile 2004-01-16 13:36:32.000000000 +0100
|
|
||||||
+++ isakmpd.new/GNUmakefile 2006-09-03 17:33:03.000000000 +0200
|
|
||||||
@@ -40,12 +40,12 @@
|
|
||||||
# integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec.
|
|
||||||
# darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5
|
|
||||||
# and later with native IPSec support.
|
|
||||||
-OS= openbsd
|
|
||||||
+#OS= openbsd
|
|
||||||
#OS= netbsd
|
|
||||||
#OS= freebsd
|
|
||||||
#OS= freeswan
|
|
||||||
#OS= darwin
|
|
||||||
-#OS= linux
|
|
||||||
+OS= linux
|
|
||||||
|
|
||||||
.CURDIR:= $(shell pwd)
|
|
||||||
VPATH= ${.CURDIR}/sysdep/${OS}
|
|
||||||
@@ -53,11 +53,11 @@
|
|
||||||
PROG= isakmpd
|
|
||||||
|
|
||||||
ifndef BINDIR
|
|
||||||
-BINDIR= /sbin
|
|
||||||
-endif
|
|
||||||
-ifndef LDSTATIC
|
|
||||||
-LDSTATIC= -static
|
|
||||||
+BINDIR= /usr/sbin
|
|
||||||
endif
|
|
||||||
+#ifndef LDSTATIC
|
|
||||||
+#LDSTATIC= -static
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
SRCS= app.c attribute.c cert.c connection.c \
|
|
||||||
constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \
|
|
||||||
@@ -154,7 +154,7 @@
|
|
||||||
|
|
||||||
ifdef USE_KEYNOTE
|
|
||||||
USE_LIBCRYPTO= yes
|
|
||||||
-LDADD+= -lkeynote -lm
|
|
||||||
+LDADD+= -L${LIBKEYNOTEDIR} -lkeynote -lm
|
|
||||||
DPADD+= ${LIBKEYNOTE} ${LIBM}
|
|
||||||
POLICY= policy.c
|
|
||||||
CFLAGS+= -DUSE_KEYNOTE
|
|
||||||
@@ -238,3 +238,16 @@
|
|
||||||
|
|
||||||
realcleandepend:
|
|
||||||
rm -f .depend tags
|
|
||||||
+
|
|
||||||
+# Install rules
|
|
||||||
+install: install-bin install-man
|
|
||||||
+
|
|
||||||
+install-bin: isakmpd
|
|
||||||
+ -mkdir -p $(DESTDIR)$(BINDIR)
|
|
||||||
+ $(INSTALL) $(INSTALL_OPTS) -m 755 isakmpd $(DESTDIR)$(BINDIR)
|
|
||||||
+
|
|
||||||
+install-man:
|
|
||||||
+ -mkdir -p $(DESTDIR)$(MANDIR)/man8
|
|
||||||
+ $(INSTALL) $(INSTALL_OPTS) -m 444 isakmpd.8 $(DESTDIR)$(MANDIR)/man8
|
|
||||||
+ -mkdir -p $(DESTDIR)$(MANDIR)/man5
|
|
||||||
+ $(INSTALL) $(INSTALL_OPTS) -m 444 isakmpd.conf.5 isakmpd.policy.5 $(DESTDIR)$(MANDIR)/man5
|
|
||||||
diff -urN isakmpd/samples/Makefile isakmpd.new/samples/Makefile
|
|
||||||
--- isakmpd/samples/Makefile 2003-06-03 16:39:50.000000000 +0200
|
|
||||||
+++ isakmpd.new/samples/Makefile 2006-09-03 17:07:24.000000000 +0200
|
|
||||||
@@ -26,7 +26,7 @@
|
|
||||||
#
|
|
||||||
|
|
||||||
FILES= VPN-* policy singlehost-*
|
|
||||||
-TARGETDIR= /usr/share/ipsec/isakmpd
|
|
||||||
+TARGETDIR= /usr/share/isakmpd/samples
|
|
||||||
|
|
||||||
# The mkdir below is for installation on OpenBSD pre 2.7
|
|
||||||
install:
|
|
||||||
diff -urN isakmpd/sysdep/linux/GNUmakefile.sysdep isakmpd.new/sysdep/linux/GNUmakefile.sysdep
|
|
||||||
--- isakmpd/sysdep/linux/GNUmakefile.sysdep 2004-01-16 13:36:42.000000000 +0100
|
|
||||||
+++ isakmpd.new/sysdep/linux/GNUmakefile.sysdep 2006-09-03 17:16:48.000000000 +0200
|
|
||||||
@@ -25,18 +25,20 @@
|
|
||||||
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
#
|
|
||||||
|
|
||||||
-LIBGMP:= /usr/lib/libgmp.a
|
|
||||||
-LIBCRYPTO:= /usr/lib/libcrypto.a
|
|
||||||
+LIBGMP:= -lgmp
|
|
||||||
+LIBCRYPTO:= -lcrypto
|
|
||||||
LIBSYSDEPDIR:= ${.CURDIR}/sysdep/common/libsysdep
|
|
||||||
LIBSYSDEP:= ${LIBSYSDEPDIR}/libsysdep.a
|
|
||||||
|
|
||||||
-LDADD+= -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
|
|
||||||
+LIBKEYNOTEDIR:= $(STAGING_DIR)/usr/include
|
|
||||||
+
|
|
||||||
+LDADD+= -L$(STAGING_DIR)/usr/lib ${LIBGMP} ${LIBSYSDEP} ${LIBCRYPTO}
|
|
||||||
-DPADD+= ${LIBGMP} ${LIBSYSDEP}
|
|
||||||
+DPADD+= ${LIBSYSDEP}
|
|
||||||
|
|
||||||
CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
|
|
||||||
-DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP \
|
|
||||||
- -I/usr/src/linux/include -I${.CURDIR}/sysdep/common \
|
|
||||||
- -I/usr/include/openssl
|
|
||||||
+ -I$(LINUX_DIR)/include -I${.CURDIR}/sysdep/common \
|
|
||||||
+ -I$(STAGING_DIR)/usr/include/openssl -I${LIBKEYNOTEDIR}
|
|
||||||
|
|
||||||
FEATURES= debug tripledes blowfish cast ec aggressive x509 policy
|
|
||||||
|
|
||||||
@@ -50,7 +52,7 @@
|
|
||||||
# hack libsysdep.a dependenc
|
|
||||||
${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
|
|
||||||
cd ${LIBSYSDEPDIR} && \
|
|
||||||
- ${MAKE} --no-print-directory ${MAKEFLAGS} \
|
|
||||||
+ ${MAKE} --no-print-directory \
|
|
||||||
CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
|
|
||||||
|
|
||||||
ifeq ($(findstring clean,$(MAKECMDGOALS)),clean)
|
|
||||||
diff -urN isakmpd/x509.c isakmpd.new/x509.c
|
|
||||||
--- isakmpd/x509.c 2004-01-06 01:09:19.000000000 +0100
|
|
||||||
+++ isakmpd.new/x509.c 2006-09-03 17:07:24.000000000 +0200
|
|
||||||
@@ -969,14 +969,14 @@
|
|
||||||
* trust.
|
|
||||||
*/
|
|
||||||
X509_STORE_CTX_init (&csc, x509_cas, cert, NULL);
|
|
||||||
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
|
||||||
- /* XXX See comment in x509_read_crls_from_dir. */
|
|
||||||
- if (x509_cas->flags & X509_V_FLAG_CRL_CHECK)
|
|
||||||
+//#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
|
||||||
+ /* XXX See comment in x509_read_crls_from_dir. */
|
|
||||||
+ /*if (x509_cas->flags & X509_V_FLAG_CRL_CHECK)
|
|
||||||
{
|
|
||||||
X509_STORE_CTX_set_flags (&csc, X509_V_FLAG_CRL_CHECK);
|
|
||||||
X509_STORE_CTX_set_flags (&csc, X509_V_FLAG_CRL_CHECK_ALL);
|
|
||||||
}
|
|
||||||
-#endif
|
|
||||||
+#endif */
|
|
||||||
res = X509_verify_cert (&csc);
|
|
||||||
err = csc.error;
|
|
||||||
X509_STORE_CTX_cleanup (&csc);
|
|
1706
openwrt/package/isakmpd/patches/010-debian_3.patch
Normal file
1706
openwrt/package/isakmpd/patches/010-debian_3.patch
Normal file
File diff suppressed because it is too large
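--- a/openwrt/package/isakmpd/patches/020-standardize.patch
+++ b/openwrt/package/isakmpd/patches/020-standardize.patch
@@ -0,0 +1,59 @@
+diff -urN isakmpd/GNUmakefile isakmpd.new/GNUmakefile
+--- isakmpd/GNUmakefile 2004-01-16 13:36:32.000000000 +0100
++++ isakmpd.new/GNUmakefile 2006-09-03 17:33:03.000000000 +0200
+@@ -238,3 +238,16 @@
+
+realcleandepend:
+rm -f .depend tags
++
++# Install rules
++install: install-bin install-man
++
++install-bin: isakmpd
++ -mkdir -p $(DESTDIR)$(BINDIR)
++ $(INSTALL) $(INSTALL_OPTS) -m 755 isakmpd $(DESTDIR)$(BINDIR)
++
++install-man:
++ -mkdir -p $(DESTDIR)$(MANDIR)/man8
++ $(INSTALL) $(INSTALL_OPTS) -m 444 isakmpd.8 $(DESTDIR)$(MANDIR)/man8
++ -mkdir -p $(DESTDIR)$(MANDIR)/man5
++ $(INSTALL) $(INSTALL_OPTS) -m 444 isakmpd.conf.5 isakmpd.policy.5 $(DESTDIR)$(MANDIR)/man5
+diff -urN isakmpd/samples/Makefile isakmpd.new/samples/Makefile
+--- isakmpd/samples/Makefile 2003-06-03 16:39:50.000000000 +0200
++++ isakmpd.new/samples/Makefile 2006-09-03 17:07:24.000000000 +0200
+@@ -26,7 +26,7 @@
+#
+
+FILES= VPN-* policy singlehost-*
+-TARGETDIR= /usr/share/ipsec/isakmpd
++TARGETDIR= /usr/share/isakmpd/samples
+
+# The mkdir below is for installation on OpenBSD pre 2.7
+install:
+
+diff -urN isakmp.old/sysdep/linux/GNUmakefile.sysdep isakmp.dev/sysdep/linux/GNUmakefile.sysdep
+--- isakmp.old/sysdep/linux/GNUmakefile.sysdep 2006-09-07 13:49:20.000000000 +0200
++++ isakmp.dev/sysdep/linux/GNUmakefile.sysdep 2006-09-07 13:51:41.000000000 +0200
+@@ -25,18 +25,18 @@
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+-LIBGMP:= /usr/lib/libgmp.a
+-LIBCRYPTO:= /usr/lib/libcrypto.a
++LIBGMP:=
++LIBCRYPTO:= -lcrypto
+LIBSYSDEPDIR:= ${.CURDIR}/sysdep/common/libsysdep
+LIBSYSDEP:= ${LIBSYSDEPDIR}/libsysdep.a
+
+-LDADD+= -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
++LDADD+= -L$(STAGING_DIR)/usr/lib -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
+DPADD+= ${LIBGMP} ${LIBSYSDEP}
+
+CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
+-DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \
+-I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \
+- -I/usr/include/openssl
++ -I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/usr/include/openssl -I$(LINUX_DIR)/include
+
+FEATURES= debug tripledes blowfish cast ec aggressive x509 policy
+FEATURES+= dpd nat_traversal isakmp_cfg des aes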
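Review bot: In the sysdep/linux/GNUmakefile.sysdep hunk, `LIBGMP:=` is emptied while `-lgmp` stays hard-coded in `LDADD` and `${LIBGMP}` is still listed in `DPADD`, so the variable no longer controls anything. It would read more consistently as `LIBGMP:= -lgmp`, `LDADD+= -L$(STAGING_DIR)/usr/lib ${LIBGMP} ${LIBSYSDEP} ${LIBCRYPTO}` and `DPADD+= ${LIBSYSDEP}`. The context lines of the same hunk show `FEATURES` with `aggressive` and `des` enabled; that is set outside this patch, but it is worth confirming that single DES and aggressive mode are meant to be compiled into the packaged daemon.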
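--- a/openwrt/package/isakmpd/patches/040-security_fix.patch
+++ b/openwrt/package/isakmpd/patches/040-security_fix.patch
@@ -0,0 +1,22 @@
+Index: sbin/isakmpd/ipsec.c
+===================================================================
+RCS file: /cvs/src/sbin/isakmpd/ipsec.c,v
+retrieving revision 1.122
+retrieving revision 1.122.2.1
+diff -u -p -r1.122 -r1.122.2.1
+--- isakmpd/ipsec.c 23 Sep 2005 14:44:03 -0000 1.122
++++ isakmpd/ipsec.c 19 Aug 2006 20:23:28 -0000 1.122.2.1
+@@ -2076,9 +2076,10 @@ ipsec_proto_init(struct proto *proto, ch
+{
+struct ipsec_proto *iproto = proto->data;
+
+- if (proto->sa->phase == 2 && section)
+- iproto->replay_window = conf_get_num(section, "ReplayWindow",
+- DEFAULT_REPLAY_WINDOW);
++ if (proto->sa->phase == 2)
++ iproto->replay_window = section ? conf_get_num(section,
++ "ReplayWindow", DEFAULT_REPLAY_WINDOW) :
++ DEFAULT_REPLAY_WINDOW;
+}
+
+/*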
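Review bot: The patch file carries only the CVS revision header (1.122 to 1.122.2.1) and nothing that says what the fix is for, so a later source upgrade cannot tell whether it is still needed. From the hunk, `iproto->replay_window` was previously assigned only when `section` was non-NULL, and the new code falls back to `DEFAULT_REPLAY_WINDOW`; presumably the unset value left phase-2 SAs created without a config section with no anti-replay window. A short header above `Index:` such as `# Set the default replay window for phase-2 SAs created without a config section (upstream ipsec.c r1.122.2.1)` would record that. The hunk is taken from a 2005 revision while PKG_VERSION is 20041012, so it is also worth checking that it applies without fuzz.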