path: root/net/strongswan
Commit message (Author, Age)
...
* treewide: Change .*GPL.*+ licenses to SPDX compatible identifier (Sven Eckelmann, 2019-09-10)
|   The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL licenses. But a lot of packages did use a different, non-SPDX style with a "+" at the end instead of "-or-later".
|   Signed-off-by: Sven Eckelmann <sven@narfation.org>
* strongswan: update to 5.8.0 (Lucian Cristian, 2019-05-23)
|   Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
* strongswan: collapse menu items (Moritz Warning, 2019-03-27)
|   Signed-off-by: Moritz Warning <moritzwarning@web.de>
* strongswan: bump to 5.7.2 (Stijn Tintel, 2019-01-02)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.7.1 (Stijn Tintel, 2018-10-19)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.7.0 (Stijn Tintel, 2018-10-07)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: backport upstream fixes for CVEs in gmp plugin (Magnus Kroken, 2018-10-06)
|   This fixes:
|   * CVE-2018-16151
|   * CVE-2018-16152
|   * CVE-2018-17540
|   Details:
|   https://strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
|   https://strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html
|   Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* strongswan: refresh patches (Hans Dedecker, 2018-09-13)
|   Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* strongswan: fix OpenWrt hotplug script handling (Hans Dedecker, 2018-09-13)
|   Commit 6cd8fcabe added ipsec hotplug script support by calling "exec /sbin/hotplug-call ipsec". Using the exec call breaks the insertion of iptables rules by the _updown.in script as hotplug-call just replaces the current shell meaning the commands following exec do not run since the shell is replaced and as a result lead to connectivity issues.
|   Fix this by removing the exec command in front of /sbin/hotplug-call.
|   Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Merge pull request #6423 from micmac1/strongswan-uclibc-iconv (Stijn Tintel, 2018-08-02)
|\
| |   strongswan: fix uclibc build issue
| * strongswan: include nls.mk for mysql plugin (Sebastian Kemper, 2018-07-13)
| |   libmariadb 10.2 needs to be linked in together with iconv.
| |   Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
* | strongswan: add openwrt hotplug script handling (Florian Eckert, 2018-07-16)
|/
|   Ipsec user script (/etc/ipsec.user) now gets called indirectly by openwrt "/sbin/hotplug-call". So other packages could also install their scripts in "/etc/hotplug.d/ipsec".
|   Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* strongswan: bump to 5.6.3 (Stijn Tintel, 2018-05-28)
|   Fixes the following CVEs:
|   - CVE-2018-5388
|   - CVE-2018-10811
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.6.2 (Stijn Tintel, 2018-02-27)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add interface uci list (Hans Dedecker, 2017-12-13)
|   The interface config option allows users to configure logical OpenWRT interface names in the ipsec section; it allows StrongSwan to listen and send traffic on specified interface(s). It translates to interfaces_use StrongSwan option which is a comma separated list of network devices that should be used by charon.
|   Since StrongSwan can only be started when one of the specified logical OpenWRT interface is up procd interface triggers are installed to trigger the reload script.
|   Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* strongswan: fix reload service (Hans Dedecker, 2017-12-13)
|   Based on the ipsec running state reload_service is either reloading ipsec or starting ipsec. However in the latter case it calls ipsec start which bypasses the procd start_service function which means the running ipsec instance is not managed by procd.
|   Fix this by calling start in case ipsec is not running; at the same time add service_running function which is used by procd provided running function.
|   Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* strongswan: bump to 5.6.1 (Stijn Tintel, 2017-11-30)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.6.0 (Stijn Tintel, 2017-08-28)
|   Fixes CVE-2017-11185.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: use -eq when testing booleans (Stijn Tintel, 2017-08-07)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: convert init script to procd (Stijn Tintel, 2017-08-07)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: check return value instead of output (Stijn Tintel, 2017-08-07)
|   When the strongswan service is running, `ipsec status` returns 0. Check the return value instead of checking its output.
|   While at it, remove the [[ ]] bashism, use rereadall instead of (reread)secrets, and move it inside the if statement.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: remove checks for UCI config (Stijn Tintel, 2017-08-07)
|   In commit 36e073d8201fe7cf133ef3eea41f8855c3344c71, some checks were added to see if the UCI config file exists and if there are any peers configured in it. Due to these checks, if /etc/config/ipsec exists, but contains no enabled peers, strongswan will not be started. This is not ideal, as a user might want to experiment with the UCI config while keeping existing connections in /etc/ipsec.conf operational.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add charon-cmd utility (Stijn Tintel, 2017-08-07)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add missing charon config files (Stijn Tintel, 2017-08-07)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add swanctl utility (Stijn Tintel, 2017-08-07)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add vici plugin (Stijn Tintel, 2017-08-07)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: rename -utils to -ipsec (Stijn Tintel, 2017-08-07)
|   Since the strongswan-utils package now only contains the aging ipsec utility, rename it to strongswan-ipsec.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: split scepclient into separate package (Stijn Tintel, 2017-08-07)
|   We currently include the SCEP client in strongswan-utils, which is a dependency of the strongswan-default meta-package. As it's generally not recommended to generate keys on embedded devices due to lack of entropy, move the SCEP client to a separate package, and only depend on it in the strongswan-full meta-package.
|   While at it, add scepclient.conf to the package.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: split PKI tool into separate package (Stijn Tintel, 2017-08-07)
|   We currently include the PKI tool in strongswan-utils, which is a dependency of the strongswan-default meta-package. As it's generally not recommended to generate keys on embedded devices due to lack of entropy, move the PKI tool to a separate package, and only depend on it in the strongswan-full meta-package.
|   While at it, add pki.conf to the package.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: fix typo (Stijn Tintel, 2017-05-30)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add curve25519 plugin (Stijn Tintel, 2017-05-30)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.5.3 (Stijn Tintel, 2017-05-30)
|   Fixes CVE-2017-9022, CVE-2017-9023.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.5.2 (Stijn Tintel, 2017-04-26)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* Merge pull request #3585 from dedeckeh/strongswan_uci (Stijn Tintel, 2017-03-09)
|\
| |   strongswan: UCI support
| * strongswan: uci config support (Hans Dedecker, 2017-01-06)
| |   Add support to configure strongswan via uci.
| |   uci support is based on the following sections
| |   -ipsec : Global config items belonging in the strongswan.conf file
| |   -remote : Defines the remote peer(s)
| |   -tunnel : Defines the IPSec connections in tunnel mode
| |   -transport : Defines the IPSec connections in transport mode
| |   -crypto_proposal : Defines the different crypto proposals
| |   Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
| |   Signed-off-by: Gino Peeters <peeters.gino@gmail.com>
| |   Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* | strongswan: enable IKEv2 Mediation Extension (Stijn Tintel, 2017-01-30)
|/
|   Closes #3905.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: Fix compile error due to __kernel_nlink_t being re-defined (Hans Dedecker, 2016-11-09)
|   Patch 101-musl-fixes defines __kernel_nlink_t as void; but using a pre-3.6.11 kernel on an arm cortex defines __kernel_nlink_t as unsigned short using uclibc
|   Fix the compile issue by not redefining __kernel_nlink_t
|   Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Merge pull request #3039 from dedeckeh/strongswan-musl (Stijn Tintel, 2016-11-02)
|\
| |   strongswan: Include musl.h after _GNU_SOURCE define
| * strongswan: Include musl.h after _GNU_SOURCE define (Hans Dedecker, 2016-11-02)
| |   musl.h was included before _GNU_SOURCE in 101-musl-fixes patch leading to compilation issue on gcc (RTLD_DEFAULT not being defined in dlfcn.h due to __USE_GNU not being set).
| |   As described in the feature test macro man page feature macro can be defined in the source code but need to be defined before including any headers.
| |   Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* | strongswan: take over maintainership (Stijn Tintel, 2016-10-31)
| |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | strongswan: bump to 5.5.1 (Stijn Tintel, 2016-10-31)
| |   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* | strongswan: preserve /etc/strongswan.d during upgrade (Stijn Tintel, 2016-10-31)
|/
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.5.0 (#2976) (Stijn Tintel, 2016-07-18)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: bump to 5.4.0 (Stijn Tintel, 2016-07-06)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: add forecast plugin (Stijn Tintel, 2016-07-06)
|   Closes #1868.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: fix alignment in connmark plugin (Stijn Tintel, 2016-07-06)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* strongswan: run sleep with integer argument (Stijn Tintel, 2016-07-06)
|   The default busybox config used by OpenWrt does not enable floating point number support for the sleep applet. This can cause an error when stopping or restarting strongswan:
|   sleep: invalid number '0.1'
|   Replace the float with an integer to fix this.
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* net: Fix typos (found by codespell) (Stefan Weil, 2016-04-10)
|   Signed-off-by: Stefan Weil <sw@weilnetz.de>
* strongswan: bump to 5.3.5 (Steven Barth, 2016-01-20)
|   Signed-off-by: Steven Barth <steven@midlink.org>
* strongswan: preserve /etc/ipsec.d during upgrade (Stijn Tintel, 2016-01-19)
|   Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>