update buildroot to 2017.02.11

2018-05-22 15:35:47 +02:00
parent 4bf1f5e091
commit a3c10bd762
9257 changed files with 433426 additions and 1701 deletions
--- a/bsp/buildroot-2017.02.11/package/ipsec-tools/0001-susv3-legacy.patch
+++ b/bsp/buildroot-2017.02.11/package/ipsec-tools/0001-susv3-legacy.patch
@@ -0,0 +1,35 @@
+Replaces sysv3 legacy functions with modern equivalents.
+
+Signed-off-by: Julien Boibessot <julien.boibessot@armadeus.com>
+Index: ipsec-tools-0.7.3/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-0.7.3.orig/src/racoon/pfkey.c	2010-07-12 14:46:52.000000000 +0200
+++ ipsec-tools-0.7.3/src/racoon/pfkey.c	2010-07-12 15:01:39.000000000 +0200
+@@ -3008,12 +3008,12 @@
+ 				struct sockaddr *paddr;
+ 
+ 				paddr = (struct sockaddr *)(xisr + 1);
+-				bcopy(paddr, &(*p_isr)->saidx.src,
+				memmove(&(*p_isr)->saidx.src, paddr,
+ 					sysdep_sa_len(paddr));
+ 
+ 				paddr = (struct sockaddr *)((caddr_t)paddr
+ 							+ sysdep_sa_len(paddr));
+-				bcopy(paddr, &(*p_isr)->saidx.dst,
+				memmove(&(*p_isr)->saidx.dst, paddr,
+ 					sysdep_sa_len(paddr));
+ 			}
+ 
+Index: ipsec-tools-0.7.3/src/racoon/racoonctl.c
+===================================================================
+--- ipsec-tools-0.7.3.orig/src/racoon/racoonctl.c	2010-07-12 14:49:51.000000000 +0200
+++ ipsec-tools-0.7.3/src/racoon/racoonctl.c	2010-07-12 15:00:52.000000000 +0200
+@@ -785,7 +785,7 @@
+ 		errx(1, "cannot read source address");
+ 
+ 	/* We get "ip[port]" strip the port */
+-	if ((idx = index(srcaddr, '[')) == NULL) 
+	if ((idx = strchr(srcaddr, '[')) == NULL)
+ 		errx(1, "unexpected source address format");
+ 	*idx = '\0';
+ 
--- a/bsp/buildroot-2017.02.11/package/ipsec-tools/0002-CVE-2015-4047.patch
+++ b/bsp/buildroot-2017.02.11/package/ipsec-tools/0002-CVE-2015-4047.patch
@@ -0,0 +1,26 @@
+ipsec-tools: CVE-2015-4047: null pointer dereference crash in racoon
+
+See: https://bugs.gentoo.org/show_bug.cgi?id=550118
+
+Downloaded from
+https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch
+
+See also
+https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/bug785778-null-pointer-deref.patch/
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+--- ./src/racoon/gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
+++ ./src/racoon/gssapi.c    19 May 2015 15:16:00 -0000      1.6
+@@ -192,6 +192,11 @@
+	gss_name_t princ, canon_princ;
+	OM_uint32 maj_stat, min_stat;
+ 
+	if (iph1->rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+		return -1;
+	}
+
+	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
+	if (gps == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
--- a/bsp/buildroot-2017.02.11/package/ipsec-tools/Config.in
+++ b/bsp/buildroot-2017.02.11/package/ipsec-tools/Config.in
@@ -0,0 +1,75 @@
+config BR2_PACKAGE_IPSEC_TOOLS
+	bool "ipsec-tools"
+	depends on BR2_USE_MMU # fork()
+	depends on !BR2_TOOLCHAIN_USES_MUSL # Use __P() macro all over the tree
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_FLEX
+	help
+	  This package is required to support IPSec for Linux 2.6+
+
+	  http://ipsec-tools.sourceforge.net/
+
+if BR2_PACKAGE_IPSEC_TOOLS
+
+config BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT
+	default y
+	bool "Enable racoonctl(8)"
+	help
+	  Lets racoon to listen to racoon admin port, which is to
+	  be contacted by racoonctl(8).
+
+config BR2_PACKAGE_IPSEC_TOOLS_NATT
+	bool "Enable NAT-Traversal"
+	help
+	  This needs kernel support, which is available on Linux. On
+	  NetBSD, NAT-Traversal kernel support has not been integrated
+	  yet, you can get it from here:
+
+	  http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff If you
+
+	  live in a country where software patents are legal, using
+	  NAT-Traversal might infringe a patent.
+
+config BR2_PACKAGE_IPSEC_TOOLS_FRAG
+	bool "Enable IKE fragmentation"
+	help
+	  Enable IKE fragmentation, which is a workaround for
+	  broken routers that drop fragmented packets
+
+config BR2_PACKAGE_IPSEC_TOOLS_DPD
+	bool "Enable DPD (Dead Peer Detection)"
+	help
+	  Enable dead peer detection support
+
+config BR2_PACKAGE_IPSEC_TOOLS_STATS
+	default y
+	bool "Enable statistics logging function"
+
+config BR2_PACKAGE_IPSEC_TOOLS_READLINE
+	select BR2_PACKAGE_READLINE
+	bool "Enable readline input support"
+
+config BR2_PACKAGE_IPSEC_TOOLS_HYBRID
+	bool "Enable hybrid, both mode-cfg and xauth support"
+	help
+	  Hybrid mode is required for successful interoperability
+	  (e.g. Cisco VPN Client).
+
+choice
+	prompt "Security context"
+	default BR2_PACKAGE_IPSEC_SECCTX_DISABLE
+	help
+	  Selects whether or not to enable security context support.
+
+config BR2_PACKAGE_IPSEC_SECCTX_DISABLE
+	bool "Disable security context support"
+
+config BR2_PACKAGE_IPSEC_SECCTX_ENABLE
+	bool "Enable SELinux security context support"
+
+config BR2_PACKAGE_IPSEC_SECCTX_KERNEL
+	bool "Enable kernel security context"
+
+endchoice
+
+endif
--- a/bsp/buildroot-2017.02.11/package/ipsec-tools/ipsec-tools.hash
+++ b/bsp/buildroot-2017.02.11/package/ipsec-tools/ipsec-tools.hash
@@ -0,0 +1,3 @@
+# From http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.2/
+md5	d53ec14a0a3ece64e09e5e34b3350b41	ipsec-tools-0.8.2.tar.bz2
+sha1	7d92cae9fde59fb4f125636698c43b0a3df3d0f0	ipsec-tools-0.8.2.tar.bz2
--- a/bsp/buildroot-2017.02.11/package/ipsec-tools/ipsec-tools.mk
+++ b/bsp/buildroot-2017.02.11/package/ipsec-tools/ipsec-tools.mk
@@ -0,0 +1,79 @@
+################################################################################
+#
+# ipsec-tools
+#
+################################################################################
+
+IPSEC_TOOLS_VERSION = 0.8.2
+IPSEC_TOOLS_SOURCE = ipsec-tools-$(IPSEC_TOOLS_VERSION).tar.bz2
+IPSEC_TOOLS_SITE = http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/$(IPSEC_TOOLS_VERSION)
+IPSEC_TOOLS_INSTALL_STAGING = YES
+IPSEC_TOOLS_MAKE = $(MAKE1)
+IPSEC_TOOLS_DEPENDENCIES = openssl flex host-flex
+
+# configure hardcodes -Werror, so override CFLAGS on make invocation
+IPSEC_TOOLS_MAKE_OPTS = CFLAGS='$(TARGET_CFLAGS)'
+
+# openssl uses zlib, so we need to explicitly link with it when static
+ifeq ($(BR2_STATIC_LIBS),y)
+IPSEC_TOOLS_CONF_ENV += LIBS=-lz
+endif
+
+IPSEC_TOOLS_CONF_OPTS = \
+	  --without-libpam \
+	  --disable-gssapi \
+	  --with-kernel-headers=$(STAGING_DIR)/usr/include
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-adminport
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-adminport
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_NATT),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-natt
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-natt
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_FRAG),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-frag
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-frag
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_DPD),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-dpd
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-dpd
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_STATS),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-stats
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-stats
+endif
+
+ifneq ($(BR2_PACKAGE_IPSEC_TOOLS_READLINE),y)
+IPSEC_TOOLS_CONF_OPTS += --without-readline
+else
+IPSEC_TOOLS_DEPENDENCIES += readline
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_HYBRID),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-hybrid
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-hybrid
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_SECCTX_DISABLE),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-security-context=no
+endif
+ifeq ($(BR2_PACKAGE_IPSEC_SECCTX_ENABLE),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-security-context=yes
+endif
+ifeq ($(BR2_PACKAGE_IPSEC_SECCTX_KERNEL),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-security-context=kernel
+endif
+
+$(eval $(autotools-package))