author | Timo Teräs <timo.teras@iki.fi> | 2015-07-13 14:16:04 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2015-07-14 05:08:35 +0000 |
commit | 7ce589bdb789cd6f3dd6f18a522ef660a74e134b (patch) | |
tree | cc154a3740f5df5a4868fdabe203dbeec24f449a | |
parent | 084c3ad2d7e5817e4ef3b034f9d1e8d5727023af (diff) | |
main/strongswan: ikev1 grekey
interoperability fix to work with Alpine patched ipsec-tools
(will probably be removed after a migration period)
(cherry picked from commit 2a4023dfee4f68916ac96d02fc41874d7286d625)
-rw-r--r-- | main/strongswan/1000-support-gre-key-in-ikev1.patch | 507 | ||||
-rw-r--r-- | main/strongswan/APKBUILD | 6 |
2 files changed, 512 insertions, 1 deletions
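--- /dev/null
+++ b/main/strongswan/1000-support-gre-key-in-ikev1.patch
@@ -0,0 +1,507 @@
+From f69e2daf4c4ccc57c14fd73d6b7320c5359758c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 13 Jul 2015 14:03:49 +0300
+Subject: [PATCH] support gre key in ikev1
+
+this implements gre key negotiation in ikev1 similarly to the
+ipsec-tools patch in alpine.
+
+the from/to port pair is internally used as gre key for gre
+protocol traffic selectors. since from/to pairs 0/0xffff and
+0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
+will not work.
+
+this is not standard compliant, and should probably not be upstreamed
+or used widely, but it is applied for interoperability with alpine
+racoon for the time being.
+---
+src/libcharon/encoding/payloads/id_payload.c | 68 +++++++++++++++++-----
+src/libcharon/encoding/payloads/id_payload.h | 6 +-
+src/libcharon/plugins/stroke/stroke_config.c | 5 ++
+src/libcharon/plugins/unity/unity_narrow.c | 2 +-
+src/libcharon/plugins/vici/vici_config.c | 9 ++-
+src/libcharon/sa/ikev1/tasks/quick_mode.c | 16 ++---
+.../plugins/kernel_netlink/kernel_netlink_ipsec.c | 40 ++++++++++---
+src/libstrongswan/selectors/traffic_selector.c | 33 ++++++++++-
+src/libstrongswan/selectors/traffic_selector.h | 31 ++++++++++
+9 files changed, 171 insertions(+), 39 deletions(-)
+
+diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
+index bb8aab7..2cf08e9 100644
+--- a/src/libcharon/encoding/payloads/id_payload.c
++++ b/src/libcharon/encoding/payloads/id_payload.c
+@@ -245,18 +245,20 @@ METHOD(id_payload_t, get_identification, identification_t*,
+* Create a traffic selector from an range ID
+*/
+static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
+- ts_type_t type)
++ ts_type_t type,
++ u_int16_t from_port, u_int16_t to_port)
+{
+return traffic_selector_create_from_bytes(this->protocol_id, type,
+- chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
+- chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
++ chunk_create(this->id_data.ptr, this->id_data.len / 2), from_port,
++ chunk_skip(this->id_data, this->id_data.len / 2), to_port);
+}
+
+/**
+* Create a traffic selector from an subnet ID
+*/
+static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+- ts_type_t type)
++ ts_type_t type,
++ u_int16_t from_port, u_int16_t to_port)
+{
+traffic_selector_t *ts;
+chunk_t net, netmask;
+@@ -269,7 +271,7 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
+}
+ts = traffic_selector_create_from_bytes(this->protocol_id, type,
+- net, this->port, netmask, this->port ?: 65535);
++ net, from_port, netmask, to_port);
+chunk_free(&netmask);
+return ts;
+}
+@@ -278,51 +280,76 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+* Create a traffic selector from an IP ID
+*/
+static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
+- ts_type_t type)
++ ts_type_t type,
++ u_int16_t from_port, u_int16_t to_port)
+{
+return traffic_selector_create_from_bytes(this->protocol_id, type,
+- this->id_data, this->port, this->id_data, this->port ?: 65535);
++ this->id_data, from_port, this->id_data, to_port);
+}
+
+METHOD(id_payload_t, get_ts, traffic_selector_t*,
+- private_id_payload_t *this)
++ private_id_payload_t *this, id_payload_t *other_, bool initiator)
+{
++ private_id_payload_t *other = (private_id_payload_t *) other_;
++ u_int16_t from_port, to_port;
++
++ if (other && this->protocol_id == IPPROTO_GRE && other->protocol_id == IPPROTO_GRE)
++ {
++ if (initiator)
++ {
++ from_port = this->port;
++ to_port = other->port;
++ }
++ else
++ {
++ from_port = other->port;
++ to_port = this->port;
++ }
++ if (from_port == 0 && to_port == 0)
++ to_port = 0xffff;
++ }
++ else
++ {
++ from_port = this->port;
++ to_port = this->port ?: 0xffff;
++ }
++
+switch (this->id_type)
+{
+case ID_IPV4_ADDR_SUBNET:
+if (this->id_data.len == 8)
+{
+- return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
++ return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+}
+break;
+case ID_IPV6_ADDR_SUBNET:
+if (this->id_data.len == 32)
+{
+- return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
++ return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+}
+break;
+case ID_IPV4_ADDR_RANGE:
+if (this->id_data.len == 8)
+{
+- return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
++ return get_ts_from_range(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+}
+break;
+case ID_IPV6_ADDR_RANGE:
+if (this->id_data.len == 32)
+{
+- return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
++ return get_ts_from_range(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+}
+break;
+case ID_IPV4_ADDR:
+if (this->id_data.len == 4)
+{
+- return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
++ return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+}
+break;
+case ID_IPV6_ADDR:
+if (this->id_data.len == 16)
+{
+- return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
++ return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+}
+break;
+default:
+@@ -397,7 +424,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
+/*
+* Described in header.
+*/
+-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
++id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator)
+{
+private_id_payload_t *this;
+u_int8_t mask;
+@@ -460,8 +487,17 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
+ts->get_from_address(ts), ts->get_to_address(ts));
+net->destroy(net);
+}
+- this->port = ts->get_from_port(ts);
+this->protocol_id = ts->get_protocol(ts);
++ if (initiator || this->protocol_id != IPPROTO_GRE)
++ {
++ this->port = ts->get_from_port(ts);
++ }
++ else
++ {
++ this->port = ts->get_to_port(ts);
++ if (this->port == 0xffff && ts->get_from_port(ts) == 0)
++ this->port = 0;
++ }
+this->payload_length += this->id_data.len;
+
+return &this->public;
+diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
+index df1d075..7558e91 100644
+--- a/src/libcharon/encoding/payloads/id_payload.h
++++ b/src/libcharon/encoding/payloads/id_payload.h
+@@ -48,11 +48,11 @@ struct id_payload_t {
+identification_t *(*get_identification) (id_payload_t *this);
+
+/**
+- * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
++ * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity pair.
+*
+* @return traffic selector, NULL on failure
+*/
+- traffic_selector_t* (*get_ts)(id_payload_t *this);
++ traffic_selector_t* (*get_ts)(id_payload_t *this, id_payload_t *other, bool initiator);
+
+/**
+* Get encoded payload without fixed payload header (used for IKEv1).
+@@ -91,6 +91,6 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
+* @param ts traffic selector
+* @return PLV1_ID id_paylad_t object.
+*/
+-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
++id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator);
+
+#endif /** ID_PAYLOAD_H_ @}*/
+diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
+index 55ec7cd..87a1d08 100644
+--- a/src/libcharon/plugins/stroke/stroke_config.c
++++ b/src/libcharon/plugins/stroke/stroke_config.c
+@@ -1032,6 +1032,11 @@ static bool parse_protoport(char *token, u_int16_t *from_port,
+*from_port = 0xffff;
+*to_port = 0;
+}
++ else if (*port && *protocol == IPPROTO_GRE)
++ {
++ p = strtol(port, &endptr, 0);
++ traffic_selector_split_grekey(p, from_port, to_port);
++ }
+else if (*port)
+{
+svc = getservbyname(port, NULL);
+diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
+index 227d24b..7749d8c 100644
+--- a/src/libcharon/plugins/unity/unity_narrow.c
++++ b/src/libcharon/plugins/unity/unity_narrow.c
+@@ -247,7 +247,7 @@ METHOD(listener_t, message, bool,
+if (!first)
+{
+id_payload = (id_payload_t*)payload;
+- tsr = id_payload->get_ts(id_payload);
++ tsr = id_payload->get_ts(id_payload, NULL, FALSE);
+break;
+}
+first = FALSE;
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index 3c4e3ec..9495d4d 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
++++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -586,8 +586,13 @@ CALLBACK(parse_ts, bool,
+}
+else if (*port && !streq(port, "any"))
+{
+- svc = getservbyname(port, NULL);
+- if (svc)
++ if (proto == IPPROTO_GRE)
++ {
++ p = strtol(port, &end, 0);
++ if (*end) return FALSE;
++ traffic_selector_split_grekey(p, &from, &to);
++ }
++ else if ((svc = getservbyname(port, NULL)) != NULL)
+{
+from = to = ntohs(svc->s_port);
+}
+diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
+index 96edfd8..c0830dd 100644
+--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
++++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
+@@ -536,9 +536,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
+{
+id_payload_t *id_payload;
+
+- id_payload = id_payload_create_from_ts(this->tsi);
++ id_payload = id_payload_create_from_ts(this->tsi, TRUE);
+message->add_payload(message, &id_payload->payload_interface);
+- id_payload = id_payload_create_from_ts(this->tsr);
++ id_payload = id_payload_create_from_ts(this->tsr, FALSE);
+message->add_payload(message, &id_payload->payload_interface);
+}
+
+@@ -549,7 +549,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+{
+traffic_selector_t *tsi = NULL, *tsr = NULL;
+enumerator_t *enumerator;
+- id_payload_t *id_payload;
++ id_payload_t *idi = NULL, *idr = NULL;
+payload_t *payload;
+host_t *hsi, *hsr;
+bool first = TRUE;
+@@ -559,20 +559,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+{
+if (payload->get_type(payload) == PLV1_ID)
+{
+- id_payload = (id_payload_t*)payload;
+-
+if (first)
+{
+- tsi = id_payload->get_ts(id_payload);
++ idi = (id_payload_t*)payload;
+first = FALSE;
+}
+else
+{
+- tsr = id_payload->get_ts(id_payload);
++ idr = (id_payload_t*)payload;
+break;
+}
+}
+}
++ if (idi && idr) {
++ tsi = idi->get_ts(idi, idr, TRUE);
++ tsr = idr->get_ts(idr, idi, FALSE);
++ }
+enumerator->destroy(enumerator);
+
+/* create host2host selectors if ID payloads missing */
+diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index f22e07d..e43df3f 100644
+--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -743,7 +743,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
+ts2ports(dst, &sel.dport, &sel.dport_mask);
+ts2ports(src, &sel.sport, &sel.sport_mask);
+- if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
++ if (sel.proto == IPPROTO_GRE)
++ {
++ sel.sport = htons(src->get_from_port(src));
++ sel.dport = htons(src->get_to_port(src));
++ sel.sport_mask = ~0;
++ sel.dport_mask = ~0;
++ if (sel.sport == htons(0) && sel.dport == htons(0xffff))
++ {
++ sel.sport = sel.dport = sel.sport_mask = sel.dport_mask = 0;
++ }
++ }
++ else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
+(sel.dport || sel.sport))
+{
+/* the ICMP type is encoded in the most significant 8 bits and the ICMP
+@@ -767,7 +778,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+{
+u_char *addr;
+u_int8_t prefixlen;
+- u_int16_t port = 0;
++ u_int16_t from_port = 0, to_port = 65535;
+host_t *host = NULL;
+
+if (src)
+@@ -776,7 +787,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+prefixlen = sel->prefixlen_s;
+if (sel->sport_mask)
+{
+- port = ntohs(sel->sport);
++ from_port = to_port = ntohs(sel->sport);
+}
+}
+else
+@@ -785,14 +796,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+prefixlen = sel->prefixlen_d;
+if (sel->dport_mask)
+{
+- port = ntohs(sel->dport);
++ from_port = to_port = ntohs(sel->dport);
++ }
++ }
++ if (sel->proto == IPPROTO_GRE)
++ {
++ if (sel->sport_mask)
++ {
++ from_port = ntohs(sel->sport);
++ to_port = ntohs(sel->dport);
++ }
++ else
++ {
++ from_port = 0;
++ to_port = 0xffff;
+}
+}
+- if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
++ else if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
+{ /* convert ICMP[v6] message type and code as supplied by the kernel in
+* source and destination ports (both in network order) */
+- port = (sel->sport >> 8) | (sel->dport & 0xff00);
+- port = ntohs(port);
++ from_port = (sel->sport >> 8) | (sel->dport & 0xff00);
++ from_port = to_port = ntohs(from_port);
+}
+/* The Linux 2.6 kernel does not set the selector's family field,
+* so as a kludge we additionally test the prefix length.
+@@ -809,7 +833,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+if (host)
+{
+return traffic_selector_create_from_subnet(host, prefixlen,
+- sel->proto, port, port ?: 65535);
++ sel->proto, from_port, to_port);
+}
+return NULL;
+}
+diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
+index 3b7f8c5..c593a3f 100644
+--- a/src/libstrongswan/selectors/traffic_selector.c
++++ b/src/libstrongswan/selectors/traffic_selector.c
+@@ -209,6 +209,14 @@ static int print_icmp(printf_hook_data_t *data, u_int16_t port)
+}
+
+/**
++ * Print GRE key
++ */
++static int print_grekey(printf_hook_data_t *data, u_int16_t from_port, u_int16_t to_port)
++{
++ return print_in_hook(data, "%d", traffic_selector_grekey(from_port, to_port));
++}
++
++/**
+* Described in header.
+*/
+int traffic_selector_printf_hook(printf_hook_data_t *data,
+@@ -313,7 +321,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+/* build port string */
+if (has_ports)
+{
+- if (this->from_port == this->to_port)
++ if (this->protocol == IPPROTO_GRE)
++ {
++ written += print_grekey(data, this->from_port, this->to_port);
++ }
++ else if (this->from_port == this->to_port)
+{
+struct servent *serv;
+
+@@ -398,7 +410,24 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
+/* select protocol, which is not zero */
+protocol = max(this->protocol, other->protocol);
+
+- if ((is_opaque(this) && is_opaque(other)) ||
++ if (this->protocol == IPPROTO_GRE)
++ {
++ if (is_any(this))
++ {
++ from_port = other->from_port;
++ to_port = other->to_port;
++ }
++ else if (is_any(other) ||
++ (this->from_port == other->from_port &&
++ this->to_port == other->to_port))
++ {
++ from_port = this->from_port;
++ to_port = this->to_port;
++ }
++ else
++ return NULL;
++ }
++ else if ((is_opaque(this) && is_opaque(other)) ||
+(is_opaque(this) && is_any(other)) ||
+(is_opaque(other) && is_any(this)))
+{
+diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
+index cf9a286..d458c68 100644
+--- a/src/libstrongswan/selectors/traffic_selector.h
++++ b/src/libstrongswan/selectors/traffic_selector.h
+@@ -120,6 +120,9 @@ struct traffic_selector_t {
+* 8 bits and the code in the least significant 8 bits. Use the utility
+* functions to extract them.
+*
++ * If the protocol is GRE, the high 16-bits of the 32-bit GRE key is stored
++ * in the from port. Use the utility function to merge and split them.
++ *
+* @return port
+*/
+u_int16_t (*get_from_port) (traffic_selector_t *this);
+@@ -134,6 +137,9 @@ struct traffic_selector_t {
+* 8 bits and the code in the least significant 8 bits. Use the utility
+* functions to extract them.
+*
++ * If the protocol is GRE, the low 16-bits of the 32-bit GRE key is stored
++ * in the to port. Use the utility function to merge and split them.
++ *
+* @return port
+*/
+u_int16_t (*get_to_port) (traffic_selector_t *this);
+@@ -268,6 +274,31 @@ int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
+void *opts);
+
+/**
++ * Reconstruct the 32-bit GRE KEY in host order from a from/to ports.
++ *
++ * @param from_port port number in host order
++ * @param to_port port number in host order
++ * @return GRE KEY in host order
++ */
++static inline u_int32_t traffic_selector_grekey(u_int16_t from_port, u_int16_t to_port)
++{
++ return (from_port << 16) | to_port;
++}
++
++/**
++ * Split 32-bit GRE KEY in host order to from/to ports.
++ *
++ * @param grekey grekey in host order
++ * @param from_port from port in host order
++ * @param to_port to port in host order
++ */
++static inline void traffic_selector_split_grekey(u_int32_t grekey, u_int16_t *from_port, u_int16_t *to_port)
++{
++ *from_port = grekey >> 16;
++ *to_port = grekey & 0xffff;
++}
++
++/**
+* Create a new traffic selector using human readable params.
+*
+* If protocol is ICMP or ICMPv6 the ports are interpreted as follows: If they
+--
+2.4.5
+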
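Review bot: The stroke_config.c hunk parses the GRE key with `p = strtol(port, &endptr, 0);` and hands it to `traffic_selector_split_grekey` without ever checking `endptr` or `errno`, so a port string with trailing non-digits or an out-of-range key is silently accepted with whatever prefix parsed, while the vici_config.c hunk for the same input rejects trailing characters with `if (*end) return FALSE;`. The two config parsers should agree, and because the key is an unsigned 32-bit value `strtoul` with an `errno == ERANGE` check fits better than `strtol`, whose `long` cannot represent keys of 0x80000000 and above where `long` is 32 bits. In traffic_selector.h, `return (from_port << 16) | to_port;` promotes the 16-bit `from_port` to `int` before shifting, so a from-port with bit 15 set lands in the sign bit, which C11 leaves undefined; `return ((u_int32_t)from_port << 16) | to_port;` avoids that, and `print_grekey` should then format the result with `"%u"` instead of `"%d"` so such keys are not logged as negative numbers. parse_protoport's body starts and ends outside its hunk, as do the functions touched in the kernel_netlink_ipsec.c and quick_mode.c hunks.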
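--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=strongswan
 pkgver=5.3.2
 _pkgver=${pkgver//_rc/rc}
-pkgrel=1
+pkgrel=2
 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
 url="http://www.strongswan.org/"
 arch="all"
@@ -20,6 +20,7 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
 0002-vici-send-certificates-for-ike-sa-events.patch
 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 0004-vici-support-asynchronous-initiation.patch
+1000-support-gre-key-in-ikev1.patch
 
 strongswan.initd
 charon.initd"
@@ -107,6 +108,7 @@ e553c5e9a895a2d95b1cbc33407d64a0 0001-charon-add-optional-source-and-remote-ove
 8bea05feac6f4e90c4973b2459864437 0002-vici-send-certificates-for-ike-sa-events.patch
 125c4e648f73b0dbdaa741ac13ed6d87 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 f65811bd1ae6e7f98cf9d76928a0aa03 0004-vici-support-asynchronous-initiation.patch
+b9f874287c35cce075b761087c28ab50 1000-support-gre-key-in-ikev1.patch
 85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
 7962a720ebef6892d80a3cbdab72c204 charon.initd"
 sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2
@@ -114,6 +116,7 @@ a472df28677d4f43a063926a65b52b317dfca0b74f8c6a2e3bf852b94fbf5f0f 0001-charon-ad
 c1cfe3d1e3345238e125a46a492f8dc0800aa3dc75aea060d54cdbab35fd60cb 0002-vici-send-certificates-for-ike-sa-events.patch
 4e08d4fe01717de0601411b4756141394ced2d3107adc47f2c2beac2f92a967e 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 42171ee35e7679fe3d4efb80fdb121b0a7ea8df5cf3395bbcccb97d56327027c 0004-vici-support-asynchronous-initiation.patch
+ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18 1000-support-gre-key-in-ikev1.patch
 ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
 97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
 sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2
@@ -121,5 +124,6 @@ sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b
 ca6eec72f75f243234baa1b361ab6dba82a810d1efb01dbcfd16cd7ce104c3f18fb932c1f6f280a566bfcbe16bc67d7d55e024f72c9eef82a62fe78505293c5c 0002-vici-send-certificates-for-ike-sa-events.patch
 2e28af9043cab41f16c57f41ccb65b6591ec32d50a811bd393c4dcf7f0ffe81fac67679c41b716dfc74fca9ebedd178fe0b572b1c2cda3ccc685a0ad0d02f65a 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 39e4a9839b2f6f42f662620b20697c684b90949622f8cc21c393ca55ab40e669befd1d2055e0f0c799cf37733a37bbf4df2b9cebc984a45bb66ecba6fa0ef116 0004-vici-support-asynchronous-initiation.patch
+723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771 1000-support-gre-key-in-ikev1.patch
 b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
 6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd"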