authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2020-02-15 19:45:09 +0200
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2020-02-18 11:47:46 +0200
commit074beecf7285de64a13a7805b6f3bf0b548ec648 (patch)
tree05d76de538575619a2867d4bc57039bf1c59f707
parent5600c80ab97b0bed725ec1c24f981a765e54593b (diff)
main/dmvpn: various fixes
define ciphers for better security and performance; close inactive SAs; fix race conditions
-rw-r--r--main/dmvpn/0001-use-static-config-file-for-charon.patch53
-rw-r--r--main/dmvpn/0002-enable-make_before_break-for-charon.patch25
-rw-r--r--main/dmvpn/0003-close-IKE-SA-on-inactivity.patch24
-rw-r--r--main/dmvpn/0004-define-cipher-proposals.patch37
-rw-r--r--main/dmvpn/0005-nhrp-events-wait-for-socket-creation-on-startup.patch43
-rw-r--r--main/dmvpn/APKBUILD17
6 files changed, 196 insertions, 3 deletions
diff --git a/main/dmvpn/0001-use-static-config-file-for-charon.patch b/main/dmvpn/0001-use-static-config-file-for-charon.patch
new file mode 100644
index 0000000000..45ceb57db8
--- /dev/null
+++ b/main/dmvpn/0001-use-static-config-file-for-charon.patch
@@ -0,0 +1,53 @@
+From 2bb2a86ee33c51b22b497b869ce22f4530704e77 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Sat, 15 Feb 2020 18:44:04 +0200
+Subject: [PATCH 1/5] use static config file for charon
+
+---
+ dmvpn.charon | 8 ++++++++
+ setup-dmvpn | 7 ++-----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+ create mode 100644 dmvpn.charon
+
+diff --git a/dmvpn.charon b/dmvpn.charon
+new file mode 100644
+index 0000000..dd93b8a
+--- /dev/null
++++ b/dmvpn.charon
+@@ -0,0 +1,8 @@
++# Copyright (c) 2017-2020 Kaarle Ritvanen
++# See LICENSE file for license details
++
++charon {
++ x509 {
++ enforce_critical = no
++ }
++}
+diff --git a/setup-dmvpn b/setup-dmvpn
+index 3c1b461..0e7d9a2 100755
+--- a/setup-dmvpn
++++ b/setup-dmvpn
+@@ -1,7 +1,7 @@
+ #!/bin/sh -e
+
+ # Dynamic Multipoint VPN setup script for Alpine Linux
+-# Copyright (c) 2017-2019 Kaarle Ritvanen
++# Copyright (c) 2017-2020 Kaarle Ritvanen
+ # See LICENSE file for license details
+
+
+@@ -237,10 +237,7 @@ EOF
+ fi
+
+
+-augtool -s <<EOF
+-set /files/etc/conf.d/nhrpd/rc_need '"charon nhrp-events"'
+-set /files/etc/strongswan.d/charon.conf/charon/x509/enforce_critical no
+-EOF
++augtool -s "set /files/etc/conf.d/nhrpd/rc_need '\"charon nhrp-events\"'"
+
+ for serv in charon zebra; do
+ is_active $serv && rc-service $serv stop
+--
+2.24.1
+
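Review bot: `enforce_critical = no` in the new dmvpn.charon file relaxes X.509 validation so that certificates carrying critical extensions charon does not recognise are still accepted, and nothing in the file says which extension in the DMVPN certificates makes that necessary. A one-line comment above the setting would keep a later maintainer from either tightening it and breaking peer authentication or keeping it long after it is needed, e.g. `# accept DMVPN certificates whose critical extensions charon does not know (TODO: name the extension that requires this)`. Moving the setting out of the strongswan-owned charon.conf into a package-owned file is otherwise the right direction, since setup-dmvpn no longer edits another package's configuration.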
diff --git a/main/dmvpn/0002-enable-make_before_break-for-charon.patch b/main/dmvpn/0002-enable-make_before_break-for-charon.patch
new file mode 100644
index 0000000000..a079c5029b
--- /dev/null
+++ b/main/dmvpn/0002-enable-make_before_break-for-charon.patch
@@ -0,0 +1,25 @@
+From 9a493fd2107ff1af08a976278ee48f3b0edba032 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Sat, 15 Feb 2020 18:46:19 +0200
+Subject: [PATCH 2/5] enable make_before_break for charon
+
+avoid race condition with nhrpd during IKE SA reauthentication
+---
+ dmvpn.charon | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dmvpn.charon b/dmvpn.charon
+index dd93b8a..909c0e8 100644
+--- a/dmvpn.charon
++++ b/dmvpn.charon
+@@ -2,6 +2,7 @@
+ # See LICENSE file for license details
+
+ charon {
++ make_before_break = yes
+ x509 {
+ enforce_critical = no
+ }
+--
+2.24.1
+
diff --git a/main/dmvpn/0003-close-IKE-SA-on-inactivity.patch b/main/dmvpn/0003-close-IKE-SA-on-inactivity.patch
new file mode 100644
index 0000000000..dba6151e8b
--- /dev/null
+++ b/main/dmvpn/0003-close-IKE-SA-on-inactivity.patch
@@ -0,0 +1,24 @@
+From fe4aeacf10b8866c15eab3dea9b9118b738d1f59 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Mon, 17 Feb 2020 13:13:11 +0200
+Subject: [PATCH 3/5] close IKE SA on inactivity
+
+---
+ dmvpn.charon | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dmvpn.charon b/dmvpn.charon
+index 909c0e8..191be15 100644
+--- a/dmvpn.charon
++++ b/dmvpn.charon
+@@ -2,6 +2,7 @@
+ # See LICENSE file for license details
+
+ charon {
++ inactivity_close_ike = yes
+ make_before_break = yes
+ x509 {
+ enforce_critical = no
+--
+2.24.1
+
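Review bot: `inactivity_close_ike = yes` only takes effect when a CHILD_SA is actually closed by an `inactivity` timeout, and no `inactivity` setting for the child is visible anywhere in this series (the dmvpn.swanctl hunks in patch 0004 show proposals, rekey_time and traffic selectors only); if the child config does not set one, this line is a no-op and the subject "close IKE SA on inactivity" is not achieved. Please confirm that children.dmvpn in dmvpn.swanctl sets `inactivity = <timeout>` (placeholder), or add it in patch 0004 where that section is already touched. The patch also has an empty commit body; a sentence like the one in 0002 explaining why idle IKE SAs should be torn down (presumably shortcut SAs that are no longer carrying traffic) would help the next reader.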
diff --git a/main/dmvpn/0004-define-cipher-proposals.patch b/main/dmvpn/0004-define-cipher-proposals.patch
new file mode 100644
index 0000000000..483ecfac93
--- /dev/null
+++ b/main/dmvpn/0004-define-cipher-proposals.patch
@@ -0,0 +1,37 @@
+From e4bf525fead9ab5f768b189ae913c78bcf8716ba Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Mon, 17 Feb 2020 19:13:50 +0200
+Subject: [PATCH 4/5] define cipher proposals
+
+primary proposals for improved security and performance
+fallback proposals for compatibility with charon defaults
+---
+ dmvpn.swanctl | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/dmvpn.swanctl b/dmvpn.swanctl
+index 39b63bd..ec6e0c8 100644
+--- a/dmvpn.swanctl
++++ b/dmvpn.swanctl
+@@ -1,8 +1,9 @@
+-# Copyright (c) 2017-2019 Kaarle Ritvanen
++# Copyright (c) 2017-2020 Kaarle Ritvanen
+ # See LICENSE file for license details
+
+ connections {
+ dmvpn {
++ proposals = aes256gcm12-prfsha512-ecp384,aes128-sha256-prfaesxcbc-ecp256
+ mobike = no
+ dpd_delay = 15s
+ unique = replace
+@@ -16,6 +17,7 @@ connections {
+ }
+ children {
+ dmvpn {
++ esp_proposals = aes256gcm12-ecp384,aes128-sha256
+ local_ts = dynamic[gre]
+ remote_ts = dynamic[gre]
+ rekey_time = 100m
+--
+2.24.1
+
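Review bot: The ESP fallback proposal `aes128-sha256` carries no DH group, so a peer that settles on it rekeys its CHILD_SAs without perfect forward secrecy, whereas the primary `aes256gcm12-ecp384` does; the two proposals therefore differ in more than cipher strength. Matching charon's default ESP proposal is the stated intent, but the swanctl file should say so with a comment above `esp_proposals`, e.g. `# fallback matches the charon default and negotiates no PFS (no DH group)`, and if PFS is wanted for every peer the fallback would be `aes128-sha256-ecp256` instead. The IKE line looks right: the AEAD proposal names an explicit PRF (`prfsha512`), which charon requires when the cipher provides no integrity algorithm to derive one from.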
diff --git a/main/dmvpn/0005-nhrp-events-wait-for-socket-creation-on-startup.patch b/main/dmvpn/0005-nhrp-events-wait-for-socket-creation-on-startup.patch
new file mode 100644
index 0000000000..021c410a60
--- /dev/null
+++ b/main/dmvpn/0005-nhrp-events-wait-for-socket-creation-on-startup.patch
@@ -0,0 +1,43 @@
+From ae96f310077191b50c5bb52d39c3ef4f0c2fa552 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Mon, 17 Feb 2020 19:26:27 +0200
+Subject: [PATCH 5/5] nhrp-events: wait for socket creation on startup
+
+avoid race condition where an nhs-up message arrives before socket is ready
+---
+ nhrp-events.initd | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/nhrp-events.initd b/nhrp-events.initd
+index c42124f..0b40ead 100644
+--- a/nhrp-events.initd
++++ b/nhrp-events.initd
+@@ -1,13 +1,22 @@
+ #!/sbin/openrc-run
+
+ # init.d file for nhrp-events
+-# Copyright (c) 2017-2018 Kaarle Ritvanen
++# Copyright (c) 2017-2020 Kaarle Ritvanen
+
+ name=nhrp-events
+-command=/usr/sbin/$name
+ pidfile=/var/run/$name.pid
+-command_background=1
+
+ depend() {
+ need bgpd
+ }
++
++start() {
++ local rc
++ local socket=/var/run/$name.sock
++ ebegin "Starting $name"
++ rm -f $socket
++ start-stop-daemon -bmS -p $pidfile /usr/sbin/$name
++ rc=$?
++ ewaitfile 5 $socket
++ eend $rc
++}
+--
+2.24.1
+
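Review bot: In the new start() the result of `ewaitfile 5 $socket` is discarded — `eend $rc` reports only start-stop-daemon's status — so when the daemon starts but never creates /var/run/$name.sock within five seconds the service is still marked as started, which is the race this patch sets out to close. Chaining the two makes the timeout fail the start: `start-stop-daemon -bmS -p "$pidfile" /usr/sbin/$name && ewaitfile 5 "$socket"` followed by `eend $?`, which also lets the `local rc` and `rc=$?` lines go. With `command` and `command_background` removed, the default stop() has only `pidfile` to work from; I believe OpenRC stops by pidfile alone in that case, but it is worth confirming on a real restart since no stop() is added here.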
diff --git a/main/dmvpn/APKBUILD b/main/dmvpn/APKBUILD
index 1f3ada620b..2b7d2a4d70 100644
--- a/main/dmvpn/APKBUILD
+++ b/main/dmvpn/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
pkgname=dmvpn
pkgver=1.2.1
-pkgrel=0
+pkgrel=1
pkgdesc="Dynamic Multipoint VPN"
url="https://git.alpinelinux.org/cgit/dmvpn-tools/"
arch="noarch"
@@ -11,7 +11,12 @@ depends="augeas bind-tools lua5.2 lua5.2-cqueues lua5.2-lyaml lua5.2-ossl
lua5.2-posix lua5.2-struct lua-dmvpn quagga strongswan tunnel"
subpackages="dmvpn-ca dmvpn-crl-dp lua-dmvpn"
options="!check"
-source="$url/snapshot/dmvpn-tools-$pkgver.tar.bz2"
+source="$url/snapshot/dmvpn-tools-$pkgver.tar.bz2
+ 0001-use-static-config-file-for-charon.patch
+ 0002-enable-make_before_break-for-charon.patch
+ 0003-close-IKE-SA-on-inactivity.patch
+ 0004-define-cipher-proposals.patch
+ 0005-nhrp-events-wait-for-socket-creation-on-startup.patch"
builddir="$srcdir/dmvpn-tools-$pkgver"
build() {
@@ -24,6 +29,7 @@ package() {
install -D -m 644 dmvpn.awall "$pkgdir"/usr/share/awall/optional/dmvpn.json
install -D -m 644 dmvpn-hub.awall "$pkgdir"/usr/share/awall/optional/dmvpn-hub.json
install -D dmvpn-pfx-decode "$pkgdir"/usr/libexec/dmvpn-pfx-decode
+ install -D -m 644 dmvpn.charon "$pkgdir"/etc/strongswan.d/dmvpn.conf
install -D -m 644 dmvpn.swanctl "$pkgdir"/etc/swanctl/conf.d/dmvpn.conf
install -D nhrp-events "$pkgdir"/usr/sbin/nhrp-events
install -D nhrp-events.initd "$pkgdir"/etc/init.d/nhrp-events
@@ -58,4 +64,9 @@ dmvpn() {
install -D -m 644 dmvpn.lua "$subpkgdir"/usr/share/lua/5.2/dmvpn.lua
}
-sha512sums="f39ad5b65a39d22a635a5f82f6024e21a6f899119718b5775eba965b903f007f611f6ea2c3456766f6f1e48d00fa43ddc5a8b3e8c9a732785c3db5ddf057c7b8 dmvpn-tools-1.2.1.tar.bz2"
+sha512sums="f39ad5b65a39d22a635a5f82f6024e21a6f899119718b5775eba965b903f007f611f6ea2c3456766f6f1e48d00fa43ddc5a8b3e8c9a732785c3db5ddf057c7b8 dmvpn-tools-1.2.1.tar.bz2
+1f80f10e90599780292be58ddad449bd3cf468458c5cd2dc9f7f7422b531f3507645017e404673fe4afc00679bf8fd24596964d070e8fd2e17e0297060954c98 0001-use-static-config-file-for-charon.patch
+eaffb04e5ae8f8c5796aca463d632fe62ed5b72a3606280a243bd7c978a9bd1095a15a06fb6eda86e22a9f15bd7fdd1ec27cf6ad1c7729f8b9f7dc3085bbbdf4 0002-enable-make_before_break-for-charon.patch
+5610a410a2267d1309d64515ed0f4d920b9ab6424db038ebeb47debf5ba46c1642b803ac67a125a371ac70dfaf4be9ac3bf9a1b546f78a1d2e268a22320a804d 0003-close-IKE-SA-on-inactivity.patch
+1828da98ab9fb1060ebed08f510d1c91eee795bb410cbc54a31c3bfe7d1c349461025e63d968575851f2772d2160c83682415f79ce3fe860336b1bd6adfbc22c 0004-define-cipher-proposals.patch
+2358c5873d431b211a51ac60100f93e5880ecdc649a6d00bef38a14464dae3f7c200590298075247dee21353c7d7c1f1e646dd9f1faf77e4e606cbc7b89de574 0005-nhrp-events-wait-for-socket-creation-on-startup.patch"