[prev in list] [next in list] [prev in thread] [next in thread]
List: ipcop-svn
Subject: [Ipcop-svn] SF.net SVN: ipcop:[7084] ipcop/trunk
From: dotzball () users ! sourceforge ! net
Date: 2013-07-19 21:16:47
Message-ID: E1V0I2l-00074k-D4 () sfs-ml-3 ! v29 ! ch3 ! sourceforge ! com
[Download RAW message or body]
Revision: 7084
http://sourceforge.net/p/ipcop/svn/7084
Author: dotzball
Date: 2013-07-19 21:16:44 +0000 (Fri, 19 Jul 2013)
Log Message:
-----------
Upgrade openswan to 2.6.39.
Modified Paths:
--------------
ipcop/trunk/lfs/openswan
ipcop/trunk/updates/2.1.0/ROOTFILES.i486-2.1.0
ipcop/trunk/updates/2.1.0/information.xml
Added Paths:
-----------
ipcop/trunk/src/patches/openswan-2.6.39_remove_CFLAGS_no-error_cpp.patch
ipcop/trunk/src/patches/openswan-2.6.39_verify-python.patch
Modified: ipcop/trunk/lfs/openswan
===================================================================
--- ipcop/trunk/lfs/openswan 2013-07-17 01:06:16 UTC (rev 7083)
+++ ipcop/trunk/lfs/openswan 2013-07-19 21:16:44 UTC (rev 7084)
@@ -33,7 +33,7 @@
include Config
PKG_NAME = openswan
-VER = 2.6.38
+VER = 2.6.39
HOST_ARCH = all
OTHER_SRC = yes
KERNEL_MOD = yes
@@ -44,12 +44,10 @@
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(STAGE_ORDER)_$(STAGE)/$(THISAPP)
-PATCH1 := ${PKG_NAME}_${VER}-1.debian.tar.gz
-
# Used to include same timestamp for all
# This is the release date
-DATESTAMP = "Mar 24 2012"
-TIMESTAMP = "00:22:00"
+DATESTAMP = "Jun 3 2013"
+TIMESTAMP = "19:33:00"
###############################################################################
# Top-level Rules
@@ -58,10 +56,8 @@
objects = $(DL_FILE) $(PATCH1)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(PATCH1) := $(URL_DEBIAN)/o/$(PKG_NAME)/$(PATCH1)
-$(DL_FILE)_MD5 = 13073eb5314b83a31be88e4117e8bbcd
-$(PATCH1)_MD5 := 559f9d8ba2270b3377111941ffa67bac
+$(DL_FILE)_MD5 = 199757597f9f776d85752bb0c713b5ed
install : $(TARGET)
@@ -91,9 +87,10 @@
$(TARGET) : $(firstword $(MAKEFILE_LIST)) $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && tar zxf $(DIR_DL)/$(PATCH1)
- cd $(DIR_APP) && for patch in `cat debian/patches/series` ; do patch -p1 -i \
debian/patches/$$patch; done
+ cd $(DIR_APP) && patch -Np1 -i \
$(DIR_PATCHES)/$(THISAPP)_remove_CFLAGS_no-error_cpp.patch + cd $(DIR_APP) && patch \
-RNp1 -i $(DIR_PATCHES)/$(THISAPP)_verify-python.patch +
cd $(DIR_APP) && sed -i \
-e 's%^INC_USRLOCAL.*$$%INC_USRLOCAL=/usr%' \
-e 's%^USERCOMPILE.*$$%USERCOMPILE=$(CFLAGS)%' \
Added: ipcop/trunk/src/patches/openswan-2.6.39_remove_CFLAGS_no-error_cpp.patch
===================================================================
--- ipcop/trunk/src/patches/openswan-2.6.39_remove_CFLAGS_no-error_cpp.patch \
(rev 0)
+++ ipcop/trunk/src/patches/openswan-2.6.39_remove_CFLAGS_no-error_cpp.patch 2013-07-19 \
21:16:44 UTC (rev 7084) @@ -0,0 +1,24 @@
+diff -Nur openswan-2.6.39.orig/lib/libopenswan/Makefile \
openswan-2.6.39/lib/libopenswan/Makefile +--- \
openswan-2.6.39.orig/lib/libopenswan/Makefile 2013-05-31 19:12:15.000000000 +0200 \
++++ openswan-2.6.39/lib/libopenswan/Makefile 2013-07-19 11:09:17.000000000 +0200 +@@ \
-85,9 +85,6 @@ + # must turn this off due to initsubnet.c
+ CFLAGS+= -Wno-error=cast-qual
+
+-# some junk left in alg_info.c
+-CFLAGS+= -Wno-error=cpp
+-
+ #CFLAGS+= -Wmissing-declarations
+ CFLAGS+= -Wstrict-prototypes
+ #CFLAGS+= -pedantic
+diff -Nur openswan-2.6.39.orig/programs/pluto/Makefile \
openswan-2.6.39/programs/pluto/Makefile +--- \
openswan-2.6.39.orig/programs/pluto/Makefile 2013-05-31 19:12:15.000000000 +0200 ++++ \
openswan-2.6.39/programs/pluto/Makefile 2013-07-19 11:08:28.000000000 +0200 +@@ -47,7 \
+47,6 @@ +
+ # must turn this off due to myid.c
+ CFLAGS+= -Wno-error=cast-qual
+-CFLAGS+= -Wno-error=cpp
+
+ ifeq ($(HAVE_BROKEN_POPEN),true)
+ CFLAGS+=-DHAVE_BROKEN_POPEN
Added: ipcop/trunk/src/patches/openswan-2.6.39_verify-python.patch
===================================================================
--- ipcop/trunk/src/patches/openswan-2.6.39_verify-python.patch \
(rev 0)
+++ ipcop/trunk/src/patches/openswan-2.6.39_verify-python.patch 2013-07-19 21:16:44 \
UTC (rev 7084) @@ -0,0 +1,1146 @@
+From 42a64529a904697972a914a250d65a329cc037eb Mon Sep 17 00:00:00 2001
+From: Paul Wouters <paul@nohats.ca>
+Date: Mon, 10 Sep 2012 00:00:00 -0400
+Subject: [PATCH] Fixed ipsec verify to avoid perl and use python instead. It
+ helps during minimum install so that openswan does not have to pull perl
+ packages, and it keeps minimal install really minimum. Also Removed
+ compilation of ipsec policy subprogram as it is not needed with NETKEY.
+
+---
+For IPCop verify needs to be reverted to perl as we don't have python available in \
IPCop. +Reverse patch this patch.
+
+
+diff --git a/programs/verify/verify.in b/programs/verify/verify.in
+index a63cd2c..61724f0 100755
+--- a/programs/verify/verify.in
++++ b/programs/verify/verify.in
+@@ -1,5 +1,8 @@
+-#!/usr/bin/perl
++#!/usr/bin/python
+ #
++# Copyright (C) 2012 Paul Wouters <pwouters@redhat.com>
++#
++# Based on old perl and shell code:
+ # Copyright (C) 2003 Sam Sgro <sam@freeswan.org>
+ # Copyright (C) 2005-2008 Michael Richardson <mcr@xelerance.com>
+ # Copyright (C) 2005-2009 Paul Wouters <paul@xelerance.com>
+@@ -17,548 +20,584 @@
+ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ # for more details.
+
+-$reterr = 0;
+-$me="ipsec verify";
+-$ENV{'PATH'}="/sbin:/usr/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$ENV{'PATH'}";
+-if($ENV{'IPSEC_CONFS'}) { $conf=$ENV{'IPSEC_CONFS'} } else { $conf= `ipsec \
--confdir`; chomp($conf); } ++import os, sys, subprocess, glob
++
++
++retcode = 0
++
++confdir = os.getenv("IPSEC_CONFS")
++if not confdir:
++ # should get substituted by 'make programs'
++ confdir = "@IPSEC_DIR@"
++
++ipsecbin = "@IPSEC_SBINDIR@/ipsec"
+
+-$print_deprecated = 1;
++if not os.path.isfile(ipsecbin):
++ # hopefully somewhere in our path then
++ ipsecbin = "ipsec"
++
++if not os.path.isfile("%s/ipsec.conf"%confdir):
++ try:
++ p = subprocess.Popen("%s --config"%ipsecbin, stdout=subprocess.PIPE, \
stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ output = output.strip()
++ if os.path.isfile("%s/ipsec.conf"%output):
++ confdir = output
++ except:
++ sys.exit("Failed to find ipsec.conf")
+
+ # Should we print in colour by default?
+-if ( -e "/sbin/consoletype" )
+-{
+- $ctype=`/sbin/consoletype`;
+- if ( $ctype && !($ctype eq "serial"))
+- {
+- $colour="1";
+- }
+-}
+-else
+-{
+- if ( -e "/usr/bin/tput" )
+- {
+- $ctype=`/usr/bin/tput colors`;
+- if ( $ctype && ($ctype gt "0"))
+- {
+- $colour="1";
+- }
+- }
+-}
+-
+-sub printfun {
+- print sprintf("%-60s",@_);
+-}
+-
+-# capture STDOUT as @out, STDERR as @err with no temp files.
+-sub run {
+- $command=shift;
+-
+- pipe child_read, parent_write;
+- pipe parent_read, child_write;
+- pipe err_read, err_write;
+-
+- $mypid=fork;
+- if($mypid)
+- {
+- close child_write; close err_write;
+- @out=<parent_read>;
+- @err=<err_read>;
+- }
+- else
+- {
+- close parent_read; close parent_write;
+- open STDOUT,">&child_write";
+- open STDERR,">&err_write";
+- exec $command; $reterr = 1 ; print STDERR "Cannot execute command \
\"$command\": $!\n"; +- }
+-}
+-
+-# Code to print out [OK], [FAILED].
+-sub errchk {
+- if (!shift(@_))
+- {
+- print "\t[";
+- if($colour) { print "\e[1;31m"; }
+- if(@_)
+- {
+- print "@_";
+- }
+- else
+- {
+- print "FAILED";
+- $reterr = 1;
+- }
+- if($colour) { print "\e[0;39m"; }
+- print "]\n";
+- if(@err)
+- {
+- print " @err";
+- $reterr = 1;
+- }
+- }
+- else
+- {
+- print "\t[";
+- if($colour) { print "\e[1;32m"; }
+- print "OK";
+- if($colour) { print "\e[0;39m"; }
+- print "]\n";
+- }
+-}
+-
+-# Code to print out [OK], [FAILED] in warning colours
+-sub warnchk {
+- if (!shift(@_))
+- {
+- print "\t[";
+- if($colour) { print "\e[1;33m"; }
+- if(@_)
+- {
+- print "@_";
+- }
+- else
+- {
+- print "FAILED";
+- $reterr = 1;
+- }
+- if($colour) { print "\e[0;39m"; }
+- print "]\n";
+- if(@err)
+- {
+- print " @err";
+- $reterr = 1;
+- }
+- }
+- else
+- {
+- print "\t[";
+- if($colour) { print "\e[1;32m"; }
+- print "OK";
+- if($colour) { print "\e[0;39m"; }
+- print "]\n";
+- }
+-}
+-
+-
+-# Code to print out [DEPRECATED] and key restrict message
+-sub deprecated {
+-
+- print "\t[";
+- if($colour) { print "\e[1;33m"; }
+- print "DEPRECATED";
+- if($colour) { print "\e[0;39m"; }
+- print "]\n";
+-}
++colour = 0
++try:
++ p = subprocess.Popen("consoletype", stdout=subprocess.PIPE, \
stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ output = output.strip()
++ if output in ("vc","tty","pty"):
++ colour = 1
++except:
++ try:
++ p = subprocess.Popen("tput colors", stdout=subprocess.PIPE, \
stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if int(output) > 0:
++ colour = 1
++ except:
++ pass
++
++
++def printfun(text):
++ # suppress newline
++ sys.stdout.write("%-50s"%text)
++
++def print_result(rcode, rtext):
++ global colour
++ global retcode
++ OK = '\033[92m'
++ WARN = '\033[93m'
++ FAIL = '\033[91m'
++ ENDC = '\033[0m'
++
++ if rcode == "FAIL":
++ retcode = 1
++ if not rtext:
++ rtext = "FAILED"
++ if colour:
++ print "\t[%s%s%s]"%(FAIL,rtext,ENDC)
++ else:
++ print "\t[%s]"%rtext
++ elif rcode == "WARN":
++ # don't log warnings until we implemented IKE over TCP
++ # retcode = 1
++ if not rtext:
++ rtext = "WARNING"
++ if colour:
++ print "\t[%s%s%s]"%(WARN,rtext,ENDC)
++ else:
++ print "\t[%s]"%rtext
++ elif rcode == "OK":
++ if not rtext:
++ rtext = "OK"
++ if colour:
++ print "\t[%s%s%s]"%(OK,rtext,ENDC)
++ else:
++ print "\t[%s]"%rtext
++ else:
++ print "INTERNAL ERROR - unknown rcode:%s"%rcode
++
++
++
+
+ # Verification routines begin here...
+ #
+ # Check DNS Configuration based on a hostname
+ # $1 = Hostname (string)
+ # eg: checkdnshost oetest.freeswan.org
+-sub checkdnshost {
+- run "host -t key $_[0]";
+- ($keypresent)=grep /(0x4200|16896)/, @out;
+- if($keypresent)
+- {
+- printfun " Looking for KEY in forward dns zone: $_[0]";
+- deprecated;
+- }
+-
+-
+- printfun " Looking for TXT in forward dns zone: $_[0]";
+- run "host -t txt $_[0]";
+- ($txtpresent)=grep /X-IPsec-Server/,@out;
+- errchk "$txtpresent", "MISSING";
+-}
++#sub checkdnshost {
++# run "host -t key $_[0]";
++# ($keypresent)=grep /(0x4200|16896)/, @out;
++# if($keypresent)
++# {
++# printfun " Looking for KEY in forward dns zone: $_[0]";
++# deprecated;
++# }
++#
++#
++# printfun " Looking for TXT in forward dns zone: $_[0]";
++# run "host -t txt $_[0]";
++# ($txtpresent)=grep /X-IPsec-Server/,@out;
++# errchk "$txtpresent", "MISSING";
++#}
+
+ # Check DNS Configuration based on IP address
+ # $1 = IP Address (string)
+ # eg: checkdnsip 127.0.0.2
+-sub checkdnsip {
+- $fortxt=$_[0];
+- $revtxt=join('.',reverse(split(/\./, $fortxt))).".in-addr.arpa.";
+- printfun " Looking for TXT in reverse dns zone: $revtxt";
+- run "host -t txt $revtxt";
+- ($txtpresent)=grep /X-IPsec-Server/,@out;
+- errchk "$txtpresent", "MISSING";
+-
+- if($txtpresent) {
+- $txtpresent=~ s/.*X-IPsec-Server\([0-9].*\)=//; $txtpresent=~ s/[\"\ ].*//;
+- $gwip=$txtpresent;
+- chomp($gwip);
+- $gwrev=join('.',reverse(split(/\./, $gwip))).".in-addr.arpa.";
+- # Check for a KEY record for the indicated IPSec GW.
+- run "host -t key $gwrev";
+- ($keypresent)=grep /(0x4200|16896)/, @out;
+- if($keypresent)
+- {
+- printfun " Looking for KEY in reverse dns zone: $gwrev";
+- deprecated;
+- $print_deprecated = 1;
+-
+- }
+- # If the host is its own gateway, then we know we've got a TXT record.
+- if($gwip ne $fortxt) {
+- printfun "Looking for TXT in reverse dns zone: $gwrev";
+- run "host -t txt $gwrev";
+- ($txtpresent)=grep /X-IPsec-Server/,@out;
+- errchk "$txtpresent", "MISSING";
+- }
+-
+- }
+-}
+-
+-sub udp500check {
+- printfun " Pluto listening for IKE on udp 500";
+- run "lsof -i UDP:500";
+- #run "netstat -an";
+- ($listen)=grep /pluto/, @out;
+- if(!$listen)
+- {
+- errchk "", "FAILED";
+- $reterr = 1;
+- }
+- else
+- {
+- errchk "1";
+- }
+-}
+-
+-sub udp4500check {
+- printfun " Pluto listening for NAT-T on udp 4500";
+- run "lsof -i UDP:4500";
+- #run "netstat -an";
+- ($listen)=grep /pluto/, @out;
+- if(!$listen)
+- {
+- errchk "", "FAILED";
+- $reterr = 1;
+- }
+- else
+- {
+- errchk "1";
+- }
+-}
+-
+-sub checktunnel {
+- $csource=$_[0]; $cdest=$_[1]; $ctun=$_[2]; $all="0.0.0.0/0";
+-
+- printfun "Checking $ctun from $csource to $cdest";
+- run "iptables -t nat -L POSTROUTING -n";
+- @out=grep !/(Chain POSTROUTING|target)/, @out;
+- foreach (@out) {
+- ( $target, $prot, $opt, $source, $dest ) = split(' ',$_);
+- if(((($source eq $csource) || ($source eq $all)) && (($dest eq $cdest) || ($dest = \
$all))) && $target eq "ACCEPT") +- {
+- errchk "@out";
+- $reterr = 1;
+- }
+- else
+- {
+- @err="$target from $source to $dest kills tunnel $source -> $cdest\n";
+- errchk "","FAILED";
+- $reterr = 1;
+- }
+- }
+-}
+-
+-sub installstartcheck {
+- print "Checking your system to see if IPsec got installed and started \
correctly:\n"; +-
+- printfun "Version check and ipsec on-path";
+- run "ipsec --version";
+- errchk "@out";
+- print grep /Linux/, @out;
+-
+- printfun "Checking for IPsec support in kernel";
+- if ( -e "/proc/net/ipsec_eroute" || -e "/proc/net/pfkey" ) { $test="1" }
+- errchk "$test";
+-
+-# This requires KLIPS NAT-T patch > 2.4.x
+- if ( -e "/proc/net/ipsec_eroute") {
+-
+- printfun " KLIPS: checking for NAT Traversal support";
+- if ( -e "/sys/module/ipsec/parameters/natt_available") {
+- run "cat /sys/module/ipsec/parameters/natt_available";
+- if("@out" =="1\n")
+- { warnchk "", "OLD STYLE"; }
+- else {
+- if("@out" == "2\n")
+- { errchk "OK"; }
+- else
+- { warnchk "", "UNKNOWN"; }
+- }
+- } else { warnchk "","UNKNOWN"; }
+-
+- printfun " KLIPS: checking for OCF crypto offload support ";
+- if ( -e "/sys/module/ipsec/parameters/ocf_available") {
+- run "cat /sys/module/ipsec/parameters/ocf_available";
+- if("@out" =="1\n")
+- { errchk "OK"; }
+- else {
+- { warnchk "", "N/A"; }
+- }
+- } else { warnchk "","UNKNOWN"; }
+-
+- }
+-
+-# Check for SAref kernel
+- if ( -e "/proc/net/ipsec/saref") {
+- printfun " Kernel: IPsec SAref kernel support";
+- run "grep 'refinfo patch applied' /proc/net/ipsec/saref";
+- if("@out" eq "refinfo patch applied\n")
+- { errchk "OK"; }
+- else
+- { warnchk "", "N/A"; }
+-
+- printfun " Kernel: IPsec SAref Bind kernel support";
+- run "grep 'bindref patch applied' /proc/net/ipsec/saref";
+- if("@out" eq "bindref patch applied\n")
+- { errchk "OK"; }
+- else
+- { warnchk "", "N/A"; }
+- } else {
+- printfun " SAref kernel support";
+- { warnchk "", "N/A"; }
+- }
+-
+- if ( -e "/proc/net/pfkey") {
+- printfun " NETKEY: Testing XFRM related proc values";
+- open("cat", "/proc/sys/net/ipv4/conf/default/send_redirects");
+- if(<cat> == "1")
+- {
+- errchk "";
+- $reterr = 1;
+- print "\n Please disable /proc/sys/net/ipv4/conf/*/send_redirects\n or NETKEY \
will cause the sending of bogus ICMP redirects!\n\n"; +- }
+- else { errchk "1"; }
+-
+- open("cat", "/proc/sys/net/ipv4/conf/default/accept_redirects");
+- if(<cat> == "1")
+- {
+- $reterr = 1;
+- errchk "";
+- print "\n Please disable /proc/sys/net/ipv4/conf/*/accept_redirects\n or NETKEY \
will accept bogus ICMP redirects!\n\n"; +- }
+- else { errchk "1"; }
+-
+- open("cat", "/proc/sys/net/core/xfrm_larval_drop");
+- if(<cat> == "0")
+- {
+- $reterr = 1;
+- errchk "";
+- print "\n Please enable /proc/sys/net/core/xfrm_larval_drop\n or NETKEY will \
cause non-POSIX compliant long time-outs\n\n"; +- }
+- else { errchk "1"; }
+- }
+-
+- if ( -c "/dev/hw_random" || -c "/dev/hwrng" ) {
+- printfun "Hardware RNG detected, testing if used properly";
+- run "pidof rngd";
+- ($processid) = @out;
+- chomp($processid);
+- if( $processid eq "" ) {
+- run "pidof clrngd";
+- ($processid2) = @out;
+- if( $processid2 eq "" ) {
+- errchk "";
+- print "\n Hardware RNG is present but 'rngd' or 'clrngd' is not running.\n No \
harware random used!\n\n"; +- $reterr = 1;
+- }
+- else { errchk "1"; }
+- }
+- else { errchk "1"; }
+- }
+-
+-
+- # Wouldn't this test fail if your mucked up your interface definition?
+- printfun "Checking that pluto is running";
+- run "ipsec whack --status";
+- errchk "@out";
+- if (grep /interface/, @out)
+- {
+- udp500check;
+- udp4500check;
+- }
+-}
+-
+-sub tunnelchecks {
+- open("dev", "/proc/net/dev");
+- if((grep !/(ipsec|lo:|Inter|packets)/, <dev>) > 1)
+- {
+- printfun "Two or more interfaces found, checking IP forwarding";
+- my ($data, $n);
+- open FILE, "/proc/sys/net/ipv4/ip_forward" or die $!;
+- $n = read FILE, $data, 1;
+- if($data == 1)
+- {
+- $reterr = 1;
+- errchk "0";
+- }
+-
+- printfun "Checking NAT and MASQUERADEing";
+- # This assumes KLIPS eroute information, we should add support
+- # for NETKEY, but ip xfrm is very annoying to parse
+- if(( -e "/proc/net/nf_conntrack" || -e "/proc/net/ip_conntrack")
+-&& -e "/proc/net/ipsec_eroute" )
+- {
+- run "iptables -t nat -L -n";
+- if(grep /(NAT|MASQ)/, @out)
+- {
+- printf "\n";
+- open("cat", "/proc/net/ipsec_eroute");
+- foreach(grep /tun0x/, <cat>)
+- {
+- @eroute=split(' ',$_);
+- checktunnel $eroute[1], $eroute[3], $eroute[5];
+- }
+- }
+- else
+- {
+- errchk "1";
+- }
+- }
+- else
+- {
+- errchk "OK";
+- }
+- }
+-}
+-
+-sub cmdchecks {
+- # check for vital commands
+- printfun "Checking for 'ip' command";
+- run "which ip";
+- errchk "@out";
+-
+- printfun "Checking /bin/sh is not /bin/dash";
+- if (-e "/bin/dash") {
+- run "cmp /bin/sh /bin/dash";
+- ($dash)=grep(/differ/, @out);
+- if(!$dash) {
+- warnchk "", "WARNING";
+- } else {
+- errchk "OK";
+- }
+- } else {
+- errchk "OK";
+- }
+-
+- printfun "Checking for 'iptables' command";
+- run "which iptables";
+- errchk "@out";
+-
+-
+- open("cat","$conf/ipsec.conf");
+- foreach(grep /crlcheckinterval/,<cat>)
+- {
+- if(!$curlcheckdone) {
+- $curlcheckdone=1;
+- printfun "Checking for 'curl' command for CRL fetching";
+- run "which curl";
+- errchk "@out";
+- }
+- }
+-# perhaps check for ip xfrm support, but forget about setkey.
+-# if ( -e "/proc/net/pfkey") {
+-# printfun "Checking for 'setkey' command for NETKEY IPsec stack support";
+-# run "which setkey";
+-# errchk "@out";
++#sub checkdnsip {
++# $fortxt=$_[0];
++# $revtxt=join('.',reverse(split(/\./, $fortxt))).".in-addr.arpa.";
++# printfun " Looking for TXT in reverse dns zone: $revtxt";
++# run "host -t txt $revtxt";
++# ($txtpresent)=grep /X-IPsec-Server/,@out;
++# errchk "$txtpresent", "MISSING";
++#
++# if($txtpresent) {
++# $txtpresent=~ s/.*X-IPsec-Server\([0-9].*\)=//; $txtpresent=~ s/[\"\ ].*//;
++# $gwip=$txtpresent;
++# chomp($gwip);
++# $gwrev=join('.',reverse(split(/\./, $gwip))).".in-addr.arpa.";
++# # Check for a KEY record for the indicated IPSec GW.
++# run "host -t key $gwrev";
++# ($keypresent)=grep /(0x4200|16896)/, @out;
++# if($keypresent)
++# {
++# printfun " Looking for KEY in reverse dns zone: $gwrev";
++# deprecated;
++# $print_deprecated = 1;
++#
++# }
++# # If the host is its own gateway, then we know we've got a TXT record.
++# if($gwip ne $fortxt) {
++# printfun "Looking for TXT in reverse dns zone: $gwrev";
++# run "host -t txt $gwrev";
++# ($txtpresent)=grep /X-IPsec-Server/,@out;
++# errchk "$txtpresent", "MISSING";
++# }
++#
+ # }
+-}
+-
+-sub dnschecks {
+- # Check the running hostname.
+- printf "\nOpportunistic Encryption DNS checks:\n";
+- run "hostname";
+- ($hostname)=@out; chomp $hostname;
+- checkdnshost $hostname;
+-
+- # Check all the public IP addresses...
+- run "ip -4 -o addr show";
+- for (@out)
+- {
+- @temp=split(/[\/\ ]+/, $_);
+- push(@address,$temp[3]);
+- }
+- # Purge all non-routeable IPs...
+- @address=grep !/^(127.*|10.*|172.1[6789]+.*.*|172.2+.*.*|172.3[01]+.*.*|192.168.*.*|169.254.*.*)/,@address;
+- printfun " Does the machine have at least one non-private address?";
+- errchk @address;
+- foreach(@address=grep !$check{$_}++,@address)
+- {
+- checkdnsip $_;
+- }
+-}
+-
+-# Main function begins here!
+-# Harvest options, ensure they're valid.
+-use Getopt::Long;
+-%optctl = ("host" => \$hostname,"ip" => \$ip, "colour" => \$colour);
+-GetOptions(\%optctl, "host=s" ,"ip=s", "colour!");
+-
+-# Exit if we get passed an option we don't recognize.
+-if($Getopt::Long::error) { exit 1; }
+-
+-
+-# If you've passed --host or --ip, do only those checks.
+-if($hostname || $ip)
+-{
+-# Check this --host for OE.
+- if($hostname)
+- {
+- printf "Checking $hostname for Opportunistic Encryption:\n";
+- checkdnshost $hostname;
+- run "host -t A $hostname";
+- if(($ipaddr) = grep (/address/i, @out))
+- {
+- $ipaddr=~ s/.*address\ //;
+- chomp $ipaddr;
+- checkdnsip $ipaddr;
+- }
+- else
+- {
+- printf "$hostname does not resolve to an IP, no reverse lookup tests \
possible.\n"; +- }
+- }
+-# Check this IP for OE.
+- if($ip)
+- {
+- printf "Checking IP $ip for Opportunistic Encryption:\n";
+- checkdnsip $ip;
+- }
+-}
+-else
+-{
+- # Call the default routines...
+- # Root check...
+- if($> != "0")
+- {
+- print "To check this machine, you need to run \"$me\" as root.\n"; exit;
+- }
+- else
+- {
+- installstartcheck;
+- tunnelchecks;
+- cmdchecks;
+- run "ipsec addconn --configsetup";
+- ($oe)=grep(/oe=\'yes\'/, @out);
+- if( $oe) {
+- dnschecks;
+- if($print_deprecated)
+- {
+- print "
+-
+- RFC 3445 restricts the use of the KEY RR to DNSSEC applications. The use of
+- a KEY record sub-type for Opporunistic Encryption (OE) has been deprecated.
+- TXT records are used to provide all OE functionality.\n";
+- }
+- } else {
+- printfun "Opportunistic Encryption Support";
+- warnchk "", "DISABLED";
+- }
+- }
+- # finally, run the config file through the parser checks
+- run "ipsec auto addconn --checkconfig";
+-}
+-exit $reterr
++#}
++
++def plutocheck():
++ printfun("Checking that pluto is running")
++ p = subprocess.Popen(["pidof", "pluto"], stdout=subprocess.PIPE, \
stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if not output:
++ print_result("FAIL","FAILED")
++ return
++ else:
++ print_result("OK","OK")
++
++ # only if pluto is running, do the listen tests
++ udp500check()
++ tcp500check()
++ udp4500check()
++ tcp4500check()
++ tcp10000check()
++
++# This is pretty broken, as you can enable forwarding specificaly via iptables as \
well ++# It also won't find/exclude all kinds of interfaces. Also, lots of people \
have one ++# ethernet and one wifi interface, but don't want to bridge these.
++# So, mostly left here for historic reasons - candidate to be changed/removed
++def forwardcheck():
++ try:
++ output = open("/proc/net/dev","r").read().strip()
++ except:
++ printfun("Checking for multiple interfaces")
++ print_result("FAIL","UNEXPECTED KERNEL DEV LIST")
++ count = 0
++ for line in output.split("\n"):
++ if ":" in line:
++ if not "lo:" in line and not "ipsec" in line and not "mast" in line and not \
"virbr:" in line: ++ # let's count this as a real physical interface
++ count += 1
++ if count > 1:
++ printfun("Two or more interfaces found, checking IP forwarding")
++ try:
++ output = open("/proc/sys/net/ipv4/ip_forward","r").read().strip()
++ except:
++ print_result("FAIL","MISSING ip_forward proc file")
++ return
++ if output == "1":
++ print_result("OK","OK")
++ else:
++ print_result("FAIL","FAILED")
++
++def rpfiltercheck():
++ fail = 0
++ printfun("Checking rp_filter")
++ for dirname in glob.glob("/proc/sys/net/ipv4/conf/*"):
++ val = open("%s/rp_filter"%dirname,"r").read().strip()
++ if val == "1":
++ if fail == 0:
++ print_result("FAIL","ENABLED")
++ fail = 1
++ printfun(" %s/rp_filter"%dirname)
++ print_result("FAIL","ENABLED")
++ if fail == 0:
++ print_result("OK","OK")
++
++# Check if any NAT or MASQUERADE would accidentally mess up our packets
++def natcheck():
++ printfun("Checking NAT and MASQUERADEing")
++ print_result("WARN","TEST INCOMPLETE")
++
++ # run iptables -t nat -L -n
++ # grep for NAT or MASQ
++ # for KLIPS
++ # grep over /proc/net/ipsec_eroute check for 'tun0x' then find overlap
++ # for NETKEY
++ # grep over ip xfrm state/policy and find overlap
++
++def cmdchecks():
++ printfun("Checking 'ip' command")
++ if not os.path.isfile("/sbin/ip") and not os.path.isfile("/usr/sbin/ip"):
++ print_result("FAIL","FAILED")
++ p = subprocess.Popen(["ip", "xfrm"], stdout=subprocess.PIPE, \
stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if not "XFRM-OBJECT" in err:
++ print_result("FAIL","IP XFRM BROKEN")
++ else:
++ print_result("OK","OK")
++
++ printfun("Checking 'iptables' command")
++ if not os.path.isfile("/sbin/iptables") and not \
os.path.isfile("/usr/sbin/iptables"): ++ print_result("WARN","MISSING")
++ else:
++ print_result("OK","OK")
++
++def udp500check():
++ printfun(" Pluto listening for IKE on udp 500")
++ if 1==1:
++ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-u", "sport = :500"], \
stdout=subprocess.PIPE, stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if ":500" in output:
++ print_result("OK","OK")
++ else:
++ print "fail in else:%s"%output
++ print_result("FAIL","FAILED")
++ else:
++ print "except hit?"
++ print_result("FAIL","FAILED")
++
++# not yet implemented in *swan
++def tcp500check():
++ printfun(" Pluto listening for IKE on tcp 500")
++ try:
++ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-t", "sport = :500"], \
stdout=subprocess.PIPE, stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if ":500" in output:
++ print_result("OK","OK")
++ else:
++ print_result("WARN","NOT IMPLEMENTED")
++ except:
++ print_result("WARN","NOT IMPLEMENTED")
++
++def udp4500check():
++ printfun(" Pluto listening for IKE/NAT-T on udp 4500")
++ try:
++ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-u", "sport = :4500"], \
stdout=subprocess.PIPE, stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if ":4500" in output:
++ print_result("OK","OK")
++ else:
++ print_result("FAIL","DISABLED")
++ except:
++ print_result("FAIL","DISABLED")
++
++# not yet implemented in *swan
++def tcp4500check():
++ printfun(" Pluto listening for IKE/NAT-T on tcp 4500")
++ try:
++ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-t", "sport = :4500"], \
stdout=subprocess.PIPE, stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if ":4500" in output:
++ print_result("OK","OK")
++ else:
++ print_result("WARN","NOT IMPLEMENTED")
++ except:
++ print_result("WARN","NOT IMPLEMENTED")
++
++# not yet implemented in *swan
++def tcp10000check():
++ printfun(" Pluto listening for IKE on tcp 10000 (cisco)")
++ try:
++ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-t", "sport = :10000"], \
stdout=subprocess.PIPE, stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if ":10000" in output:
++ print_result("OK","OK")
++ else:
++ print_result("WARN","NOT IMPLEMENTED")
++ except:
++ print_result("WARN","NOT IMPLEMENTED")
++
++def installstartcheck():
++ print "Checking if IPsec got installed and started correctly:\n"
++ printfun("Version check and ipsec on-path")
++ try:
++ p = subprocess.Popen(["ipsec", "--version"], stdout=subprocess.PIPE, \
stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if "swan" in output:
++ print_result("OK","OK")
++ print output.replace("Linux","").strip()
++ else:
++ print_result("FAIL","FAILED")
++ except:
++ print_result("FAIL","FAILED")
++
++ printfun("Checking for IPsec support in kernel")
++ if not os.path.isfile("/proc/net/ipsec_eroute") and not \
os.path.isfile("/proc/net/pfkey"): ++ print_result("FAIL","FAILED")
++ if "no kernel code presently loaded" in output:
++ print("\n The ipsec service should be started before running 'ipsec verify'\n")
++ return
++ else:
++ print_result("OK","OK")
++
++ # we know we have some stack, so continue
++ if os.path.isfile("/proc/net/ipsec_eroute"):
++ installcheckklips()
++ else:
++ installchecknetkey()
++
++def installcheckklips():
++ # NAT-T patch check
++ printfun(" KLIPS: checking for NAT Traversal support")
++ try:
++ natt = open("/sys/module/ipsec/parameters/natt_available","r").read().strip()
++ if natt == "1":
++ print_result("WARN","OLD STYLE")
++ elif natt == "2":
++ print_result("OK","OK")
++ else:
++ print_result("FAIL","UNKNOWN CODE")
++ except:
++ print_result("WARN","OLD/MISSING")
++
++ # OCF patch check
++ printfun(" KLIPS: checking for OCF crypto offload support ")
++ try:
++ ocf = open("/sys/module/ipsec/parameters/ocf_available","r").read().strip()
++ if ocf == "1":
++ print_result("OK","OK")
++ else:
++ print_result("FAIL","UNKNOWN CODE")
++ except:
++ print_result("WARN","N/A")
++
++ # SAref patch check
++ saref = ""
++ printfun(" KLIPS: IPsec SAref kernel support")
++ try:
++ saref = open("/proc/net/ipsec/saref","r").read().strip()
++ if "refinfo patch applied" in saref:
++ print_result("OK","OK")
++ else:
++ print_result("WARN","N/A")
++
++ except:
++ print_result("WARN","N/A")
++
++ # SAref bind patch check
++ printfun(" KLIPS: IPsec SAref Bind kernel support")
++ if "bindref patch applied" in saref:
++ print_result("OK","OK")
++ else:
++ print_result("WARN","N/A")
++
++
++def installchecknetkey():
++ print (" NETKEY: Testing XFRM related proc values")
++ for option in ( "send_redirects", "accept_redirects"):
++ printfun(" ICMP default/%s"%option)
++ try:
++ redir = open("/proc/sys/net/ipv4/conf/default/%s"%option,"r").read().strip()
++ except:
++ print_result("FAIL","VERY BROKEN KERNEL")
++ return
++ if redir == "0":
++ print_result("OK","OK")
++ else:
++ print_result("FAIL","NOT DISABLED")
++ print("\n Disable /proc/sys/net/ipv4/conf/*/%s or NETKEY will cause act on or \
cause sending of bogus ICMP redirects!\n"%option) ++
++ printfun(" XFRM larval drop")
++ try:
++ larval = open("/proc/sys/net/core/xfrm_larval_drop","r").read().strip()
++ except:
++ print_result("FAIL","OLD OR BROKEN KERNEL")
++ return
++ if larval == "1":
++ print_result("OK","OK")
++ else:
++ print_result("FAIL","NOT ENABLED")
++
++
++def randomdevcheck():
++ printfun("Hardware random device check")
++ if os.path.isfile("/dev/hw_random") or os.path.isfile("/dev/hwrng"):
++ p = subprocess.Popen(["pidof", "rngd"], stdout=subprocess.PIPE, \
stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if not output:
++ p = subprocess.Popen(["pidof", "clrngd"], stdout=subprocess.PIPE, \
stderr=subprocess.PIPE) ++ output, err = p.communicate()
++ if not output:
++ print_result("FAIL","NO RUNNING (cl)rngd DAEMON FOR HW")
++ else:
++ print_result("OK","CLRNGD")
++ else:
++ print_result("OK","RNGD")
++ else:
++ print_result("OK","N/A")
++
++
++
++
++
++
++
++
++
++def main():
++ installstartcheck()
++ randomdevcheck()
++ forwardcheck()
++ rpfiltercheck()
++ plutocheck()
++ natcheck()
++ cmdchecks()
++ if retcode:
++ sys.exit("\nipsec verify: encountered errors")
++
++
++
++if __name__ == "__main__":
++ main()
++
++## old perl code not yet ported
++##
++## sub checktunnel {
++## $csource=$_[0]; $cdest=$_[1]; $ctun=$_[2]; $all="0.0.0.0/0";
++##
++## printfun "Checking $ctun from $csource to $cdest";
++## run "iptables -t nat -L POSTROUTING -n";
++## @out=grep !/(Chain POSTROUTING|target)/, @out;
++## foreach (@out) {
++## ( $target, $prot, $opt, $source, $dest ) = split(' ',$_);
++## if(((($source eq $csource) || ($source eq $all)) && (($dest eq $cdest) || \
($dest = $all))) && $target eq "ACCEPT") ++## {
++## errchk "@out";
++## $reterr = 1;
++## }
++## else
++## {
++## @err="$target from $source to $dest kills tunnel $source -> $cdest\n";
++## errchk "","FAILED";
++## $reterr = 1;
++## }
++## }
++## }
++##
++## printfun "Checking NAT and MASQUERADEing";
++## # This assumes KLIPS eroute information, we should add support
++## # for NETKEY, but ip xfrm is very annoying to parse
++## if(( -e "/proc/net/nf_conntrack" || -e "/proc/net/ip_conntrack")
++## && -e "/proc/net/ipsec_eroute" )
++## {
++## run "iptables -t nat -L -n";
++## if(grep /(NAT|MASQ)/, @out)
++## {
++## printf "\n";
++## open("cat", "/proc/net/ipsec_eroute");
++## foreach(grep /tun0x/, <cat>)
++## {
++## @eroute=split(' ',$_);
++## checktunnel $eroute[1], $eroute[3], $eroute[5];
++## }
++## }
++## else
++## {
++## errchk "1";
++## }
++## }
++## else
++## {
++## errchk "OK";
++## }
++## }
++## }
++##
++##
++## sub dnschecks {
++## # Check the running hostname.
++## printf "\nOpportunistic Encryption DNS checks:\n";
++## run "hostname";
++## ($hostname)=@out; chomp $hostname;
++## checkdnshost $hostname;
++##
++## # Check all the public IP addresses...
++## run "/sbin/ifconfig -a";
++## foreach (grep /inet addr/,@out)
++## {
++## $_=~ s/^\s*//;
++## @temp=split(/[:\ ]+/, $_);
++## push(@address,$temp[2]);
++## }
++## # Purge all non-routeable IPs...
++## @address=grep \
!/^(127.*|10.*|172.1[6789]+.*.*|172.2+.*.*|172.3[01]+.*.*|192.168.*.*|169.254.*.*)/,@address;
++## printfun " Does the machine have at least one non-private address?";
++## errchk @address;
++## foreach(@address=grep !$check{$_}++,@address)
++## {
++## checkdnsip $_;
++## }
++## }
++##
++##
++## # If you've passed --host or --ip, do only those checks.
++## if($hostname || $ip)
++## {
++## # Check this --host for OE.
++## if($hostname)
++## {
++## printf "Checking $hostname for Opportunistic Encryption:\n";
++## checkdnshost $hostname;
++## run "host -t A $hostname";
++## if(($ipaddr) = grep (/address/i, @out))
++## {
++## $ipaddr=~ s/.*address\ //;
++## chomp $ipaddr;
++## checkdnsip $ipaddr;
++## }
++## else
++## {
++## printf "$hostname does not resolve to an IP, no reverse lookup tests \
possible.\n"; ++## }
++## }
++## # Check this IP for OE.
++## if($ip)
++## {
++## printf "Checking IP $ip for Opportunistic Encryption:\n";
++## checkdnsip $ip;
++## }
++## }
++## else
++## {
++## # Call the default routines...
++## # Root check...
++## if($> != "0")
++## {
++## print "To check this machine, you need to run \"$me\" as root.\n"; exit;
++## }
++## else
++## {
++## installstartcheck;
++## tunnelchecks;
++## cmdchecks;
++## run "ipsec addconn --configsetup";
++## ($oe)=grep(/oe=\'yes\'/, @out);
++## if( $oe) {
++## dnschecks;
++## if($print_deprecated)
++## {
++## print "
++##
++## RFC 3445 restricts the use of the KEY RR to DNSSEC applications. The use of
++## a KEY record sub-type for Opporunistic Encryption (OE) has been deprecated.
++## TXT records are used to provide all OE functionality.\n";
++## }
++## } else {
++## printfun "Opportunistic Encryption Support";
++## warnchk "", "DISABLED";
++## }
++## }
++## # finally, run the config file through the parser checks
++## run "ipsec auto addconn --checkconfig";
++## }
++## exit $reterr
+--
+1.8.1.6
+
Modified: ipcop/trunk/updates/2.1.0/ROOTFILES.i486-2.1.0
===================================================================
--- ipcop/trunk/updates/2.1.0/ROOTFILES.i486-2.1.0 2013-07-17 01:06:16 UTC (rev 7083)
+++ ipcop/trunk/updates/2.1.0/ROOTFILES.i486-2.1.0 2013-07-19 21:16:44 UTC (rev 7084)
@@ -528,7 +528,7 @@
/usr/lib/libssl.so
/usr/lib/libssl.so.1.0.0
##
-## openswan-2.6.38
+## openswan-2.6.39
/usr/lib/ipsec/_copyright
/usr/lib/ipsec/_include
/usr/lib/ipsec/_keycensor
Modified: ipcop/trunk/updates/2.1.0/information.xml
===================================================================
--- ipcop/trunk/updates/2.1.0/information.xml 2013-07-17 01:06:16 UTC (rev 7083)
+++ ipcop/trunk/updates/2.1.0/information.xml 2013-07-19 21:16:44 UTC (rev 7084)
@@ -17,7 +17,7 @@
less to 451, libffi to 3.0.13, libgd to 2.0.36~rc1, libgcrypt to 1.5.2, \
libnet to 1.1.6,
libnfnetlink to 1.0.1, libnetfiltercontrack to 1.0.2, libnl to 3.2.16, \
libpcap to 1.3.0, libpng to 1.5.16,
libusb to 1.0.9, libusb-compat to 0.1.4, libtool to 2.4.2, libxml2 to \
2.9.1, logrotate to 3.8.1, lsof to 4.87,
- mdadm to 3.2.6, net-tools to 1.60-p20120127084908, openldap to 2.4.35, \
openssh to 6.2p2, openssl to 1.0.1e, openswan to 2.6.38, + mdadm to 3.2.6, \
net-tools to 1.60-p20120127084908, openldap to 2.4.35, openssh to 6.2p2, openssl to \
1.0.1e, openswan to 2.6.39,
parted to 3.1, patch to 2.7.1, pciutils to 3.1.10, pcre to 8.32, perl to \
5.14.2-21, pixman to 0.24.4, procps to 3.3.8, psmisc to 22.20,
rp-pppoe to 3.11, rsyslog to 5.8.13, sed to 4.2.2, shadow to 4.1.5.1, \
smartmontools to 6.1, sqlite to 3.7.13 tcpdump to 4.3.0, traceroute to 2.0.19,
This was sent by the SourceForge.net collaborative development platform, the world's \
largest Open Source development site.
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Ipcop-svn mailing list
Ipcop-svn@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipcop-svn
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic