

Merge tag '3004.388.7'
3004.388.7
gnuton committed May 5, 2024
2 parents a0eb958 + 90bd9a5 commit 57c9427
Showing 933 changed files with 28,434 additions and 62,547 deletions.
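--- a/Changelog-NG.txt
+++ b/Changelog-NG.txt
@@ -7,7 +7,7 @@ Asuswrt-Merlin Changelog
 - ADDED: Support for TUF-AX3000 V2
 - ADDED: Support for RT-AX58U V2
 
-3004.388.7 (xx-xxx-2024)
+3004.388.7 (26-Apr-2024)
 - NOTE: RT-AX56U is exceptionally included in this release.
 
 - NEW: IGD2 support for UPNP/PCP. This will allow IPv6 pinhole
@@ -24,6 +24,7 @@ Asuswrt-Merlin Changelog
 - UPDATED: wireguard kernel to v1.0.20220627.
 - UPDATED: wireguard tools to 2023-08-04 snapshot.
 - UPDATED: dropbear to 2024.84.
+- UPDATED: strongswan to 5.9.13 (fixes CVE-2023-41913)
 - CHANGED: Hardcoded location of the CA bundle in inadyn, so it
 no longer needs to be manually defined in custom
 configurations.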
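--- a/release/src-rt/version.conf
+++ b/release/src-rt/version.conf
@@ -4,7 +4,7 @@ KERNEL_VER_AM=$(subst .,,$(KERNEL_VER))
 FS_VER_AM=$(subst .,,$(FS_VER))
 
 SERIALNO=388.7
-EXTENDNO=beta1
+EXTENDNO=0
 
 ifeq ($(ROG_UI),y)
 EXTENDNO:=$(EXTENDNO)_rog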
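--- a/release/src/router/httpd/sysinfo.c
+++ b/release/src/router/httpd/sysinfo.c
@@ -185,7 +185,7 @@ int ej_show_sysinfo(int eid, webs_t wp, int argc, char_t ** argv)
 int count = 0;
 char model[64];
 #if defined(BCM4912)
-strcpy(model, "BCM4912 - Cortex B53 ARMv8");
+strcpy(model, "BCM4912 - B53 ARMv8");
 #else
 
 char impl[8], arch[8], variant[8], part[10], revision[4];
@@ -207,7 +207,7 @@ int ej_show_sysinfo(int eid, webs_t wp, int argc, char_t ** argv)
 && !strcmp(variant, "0x0")
 && !strcmp(part, "0x100")
 && !strcmp(arch, "8"))
-sprintf(model, "BCM490x - Cortex B53 ARMv8 revision %s", revision);
+sprintf(model, "BCM490x - B53 ARMv8 revision %s", revision);
 else if (!strcmp(impl, "0x41")
 && !strcmp(variant, "0x0")
 && !strcmp(part, "0xc07")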
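Review bot: The rewritten `sprintf(model, "BCM490x - B53 ARMv8 revision %s", revision);` in the second hunk still writes into `model[64]` with no bound; since `revision` is declared `char[4]` the longest output is 33 bytes and fits today, but the bounded form `snprintf(model, sizeof(model), "BCM490x - B53 ARMv8 revision %s", revision);` costs nothing and keeps a later edit of the label or of `revision`'s size from turning this httpd handler into an overflow. The `strcpy` in the first hunk copies a fixed literal well under 64 bytes, so it is safe as written, though `snprintf(model, sizeof(model), "%s", "BCM4912 - B53 ARMv8");` would keep both branches on the same bounded idiom. Whether `revision` is always NUL-terminated is decided where it is filled in, which is outside the hunk. ej_show_sysinfo begins before the first hunk and continues past the second.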
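--- a/release/src/router/strongswan/.tarball-git-version
+++ b/release/src/router/strongswan/.tarball-git-version
@@ -1 +1 @@
-5.9.8
+5.9.13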
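--- a/release/src/router/strongswan/Android.mk
+++ b/release/src/router/strongswan/Android.mk
@@ -17,11 +17,8 @@ strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
 pkcs1 pkcs8 pem xcbc hmac kdf kernel-netlink socket-default android-dns \
 stroke eap-identity eap-mschapv2 eap-md5 eap-gtc
 
-strongswan_STARTER_PLUGINS := kernel-netlink
-
 # list of all plugins - used to enable them with the function below
-strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS) \
-$(strongswan_STARTER_PLUGINS))
+strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS))
 
 include $(LOCAL_PATH)/Android.common.mk
 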
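--- a/release/src/router/strongswan/Doxyfile.in
+++ b/release/src/router/strongswan/Doxyfile.in
@@ -222,12 +222,6 @@ TAB_SIZE = 4
 
 ALIASES =
 
-# This tag can be used to specify a number of word-keyword mappings (TCL only).
-# A mapping has the form "name=value". For example adding "class=itcl::class"
-# will allow you to use the command class in the itcl::class meaning.
-
-TCL_SUBST =
-
 # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
 # only. Doxygen will then generate output that is more tailored for C. For
 # instance, some of the names that are used will be different. The list of all
@@ -978,13 +972,6 @@ VERBATIM_HEADERS = YES
 
 ALPHABETICAL_INDEX = YES
 
-# The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in
-# which the alphabetical index list will be split.
-# Minimum value: 1, maximum value: 20, default value: 5.
-# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
-
-COLS_IN_ALPHA_INDEX = 5
-
 # In case all classes in a project start with a common prefix, all classes will
 # be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
 # can be used to specify a prefix (or a list of prefixes) that should be ignored
@@ -1466,7 +1453,7 @@ MATHJAX_CODEFILE =
 # The default value is: YES.
 # This tag requires that the tag GENERATE_HTML is set to YES.
 
-SEARCHENGINE = NO
+SEARCHENGINE = YES
 
 # When the SERVER_BASED_SEARCH tag is enabled the search engine will be
 # implemented using a web server instead of a web client using Javascript. There
@@ -1583,7 +1570,7 @@ COMPACT_LATEX = NO
 # The default value is: a4.
 # This tag requires that the tag GENERATE_LATEX is set to YES.
 
-PAPER_TYPE = a4wide
+PAPER_TYPE = a4
 
 # The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
 # that should be included in the LaTeX output. To get the times font for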
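--- a/release/src/router/strongswan/NEWS
+++ b/release/src/router/strongswan/NEWS
@@ -1,3 +1,179 @@
+strongswan-5.9.13
+-----------------
+
+- Fixes a regression with handling OCSP error responses and adds a new
+option to specify the length of nonces in OCSP requests. Also adds some
+other improvements for OCSP handling and fuzzers for OCSP
+requests/responses.
+
+
+strongswan-5.9.12
+-----------------
+
+- Fixed a vulnerability in charon-tkm related to processing DH public values
+that can lead to a buffer overflow and potentially remote code execution.
+This vulnerability has been registered as CVE-2023-41913.
+
+- The new `pki --ocsp` command produces OCSP responses based on certificate
+status information provided by plugins.
+
+Two sources are currently available, the openxpki plugin that directly
+accesses the OpenXPKI database and the `--index` argument, which reads
+certificate status information from OpenSSL-style index.txt files.
+
+- The cert-enroll script handles the initial enrollment of an X.509 host
+certificate with a PKI server via the EST or SCEP protocols.
+
+Run as a systemd timer or via a crontab entry the script daily checks the
+expiration date of the host certificate. When a given deadline is reached,
+the host certificate is automatically renewed via EST or SCEP re-enrollment
+based on the possession of the old private key and the matching certificate.
+
+- The --priv argument for charon-cmd allows using any type of private key.
+
+- Support for nameConstraints of type iPAddress has been added (the openssl
+plugin previously didn't support nameConstraints at all).
+
+- SANs of type uniformResourceIdentifier can now be encoded in certificates.
+
+- Password-less PKCS#12 and PKCS#8 files are supported.
+
+- A new global option allows preventing peers from authenticating with trusted
+end-entity certificates (i.e. local certificates).
+
+- ECDSA public keys that encode curve parameters explicitly are now rejected by
+all plugins that support ECDSA.
+
+- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
+also use the name in connection.interface-name.
+
+- The resolve plugin tries to maintain the order of installed DNS servers.
+
+- The kernel-libipsec plugin always installs routes even if no address is found
+in the local traffic selectors.
+
+- Increased the default receive buffer size for Netlink sockets to 8 MiB and
+simplified its configuration.
+
+- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
+always generating a hash of the subjectPublicKey.
+
+- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
+timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
+unrelated traffic selectors.
+
+- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
+instead callbacks are always invoked even if only errors are signaled.
+
+- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
+handling invalid messages.
+
+- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
+
+- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
+CHILD_SA is not found during rekeying.
+
+- The testing environment is now based on Debian 12 (bookworm), by default.
+
+
+strongswan-5.9.11
+-----------------
+
+- A deadlock in the vici plugin has been fixed that could get triggered when
+multiple connections were initiated/terminated concurrently and control-log
+events were raised by the watcher_t component.
+
+- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit
+encoded (even if it's a CA), or a CA certificate without keyUsage extension.
+
+- Optional CA labels in EST server URIs are supported by `pki --est/estca`.
+
+- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and
+openssl plugins, which allows verifying RSA-PSS and ECDSA signatures.
+
+- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or
+earlier that was introduced with 5.9.10.
+
+- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2.
+
+- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and
+gained support for trap policies.
+
+- The dhcp plugin uses an alternate method to determine the source address
+for unicast DHCP requests that's not affected by interface filtering.
+
+- Certificate and trust chain selection as initiator has been improved in case
+the local trust chain is incomplete and an unrelated certreq is received.
+
+- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin.
+
+- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass
+policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer.
+
+- Stale OCSP responses are now replace in-place in the certificate cache.
+
+- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`.
+
+
+strongswan-5.9.10
+-----------------
+
+- Fixed a vulnerability related to certificate verification in TLS-based EAP
+methods that leads to an authentication bypass followed by an expired pointer
+dereference that results in a denial of service and possibly even remote code
+execution.
+This vulnerability has been registered as CVE-2023-26463.
+
+- Added support for full packet hardware offload for IPsec SAs and policies with
+Linux 6.2 kernels to the kernel-netlink plugin.
+
+- TLS-based EAP methods now use the standardized key derivation when used
+with TLS 1.3.
+
+- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
+implementing the "protected success indication".
+
+- With the `prefer` value for the `childless` setting, initiators will create
+a childless IKE_SA if the responder supports the extension.
+
+- Routes via XFRM interfaces can optionally be installed automatically by
+enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
+
+- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
+issues with name resolution if they are supported by the kernel.
+
+- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
+PKCS#10 certificate signing request.
+
+- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
+(replace them completely, or adding/removing specific flags).
+
+- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
+IPsec SAs instead of the policies.
+
+- For libcurl with MultiSSL support, the curl plugin provides an option to
+select the SSL/TLS backend.
+
+
+strongswan-5.9.9
+----------------
+
+- The charon.reqid_base setting allows specifying the first reqid that's
+automatically assigned to a CHILD_SA.
+
+- The path/command for resolvconf(8) used by the resolve plugin is now
+configurable.
+
+- The resolve plugin doesn't generate unique interface names for name servers
+anymore. Instead, all available name servers are associated with a single,
+configurable interface name.
+
+- Serial numbers of certificates and CRLs are now always returned in canonical
+form (i.e. without leading zeros).
+
+- The kernel-netlink plugin now logs extended ACK error/warning messages.
+
+
 strongswan-5.9.8
 ----------------
 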
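--- a/release/src/router/strongswan/conf/Makefile.am
+++ b/release/src/router/strongswan/conf/Makefile.am
@@ -79,6 +79,7 @@ plugins = \
 plugins/lookip.opt \
 plugins/ntru.opt \
 plugins/openssl.opt \
+plugins/openxpki.opt \
 plugins/osx-attr.opt \
 plugins/p-cscf.opt \
 plugins/pkcs11.opt \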
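--- a/release/src/router/strongswan/conf/options/charon-nm.opt
+++ b/release/src/router/strongswan/conf/options/charon-nm.opt
@@ -1,3 +1,6 @@
+charon-nm.ca_dir = <default>
+Directory from which to load CA certificates if no certificate is
+configured.
 
 charon-nm.mtu = 1400
 MTU for XFRM interfaces created by the NM plugin.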
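--- a/release/src/router/strongswan/conf/options/charon.opt
+++ b/release/src/router/strongswan/conf/options/charon.opt
@@ -38,8 +38,8 @@ charon.cert_cache = yes
 charon.cache_crls = no
 Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
 be saved under a unique file name derived from the public key of the
-Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
-**/etc/swanctl/x509crl** (vici), respectively.
+Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
+**${sysconfdir}/swanctl/x509crl** (vici), respectively.
 
 charon.check_current_path = no
 Whether to use DPD to check if the current path still works after any
@@ -302,6 +302,13 @@ charon.nbns1
 charon.nbns2
 WINS servers assigned to peer via configuration payload (CP).
 
+charon.ocsp_nonce_len = 32
+Length of nonces in OCSP requests (1-32).
+
+Length of nonces in OCSP requests. According to RFC 8954, valid values are
+between 1 and 32, with new clients required to use 32. Some servers might
+not support that so lowering the value to e.g. 16 might be necessary.
+
 charon.port = 500
 UDP port used locally. If set to 0 a random port will be allocated.
 
@@ -372,9 +379,16 @@ charon.receive_delay_request = yes
 charon.receive_delay_type = 0
 Specific IKEv2 message type to delay, 0 for any.
 
+charon.reject_trusted_end_entity = no
+Reject peers that use trusted end-entity certificates (i.e. local
+certificates).
+
 charon.replay_window = 32
 Size of the AH/ESP replay window, in packets.
 
+charon.reqid_base = 1
+Value of the first reqid to be automatically assigned to a CHILD_SA.
+
 charon.retransmit_base = 1.8
 Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
 in **strongswan.conf**(5).
@@ -392,7 +406,7 @@ charon.retransmit_jitter = 0
 charon.retransmit_limit = 0
 Upper limit in seconds for calculated retransmission timeout (0 to disable).
 
-charon.retry_initiate_interval = 0
+charon.retry_initiate_interval = 0s
 Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
 resolution failed), 0 to disable retries.
 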
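--- a/release/src/router/strongswan/conf/plugins/curl.opt
+++ b/release/src/router/strongswan/conf/plugins/curl.opt
@@ -1,3 +1,11 @@
+charon.plugins.curl.redir = -1
+Maximum number of redirects followed by the plugin, set to 0 to disable
+following redirects, set to -1 for no limit.
+
 charon.plugins.curl.tls_backend =
 The SSL/TLS backend to configure in curl if multiple are available.
 
+The SSL/TLS backend to configure in curl if multiple are available (requires
+libcurl 7.56 or newer). A list of available options is logged on level 2 if
+nothing is configured. Similar but on level 1 if the selected backend isn't
+available.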
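--- a/release/src/router/strongswan/conf/plugins/eap-peap.opt
+++ b/release/src/router/strongswan/conf/plugins/eap-peap.opt
@@ -11,7 +11,8 @@ charon.plugins.eap-peap.phase2_method = mschapv2
 Phase2 EAP client authentication method.
 
 charon.plugins.eap-peap.phase2_piggyback = no
-Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message,
+relevant only if TLS 1.2 or earlier is negotiated.
 
 charon.plugins.eap-peap.phase2_tnc = no
 Start phase2 EAP TNC protocol after successful client authentication.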
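--- a/release/src/router/strongswan/conf/plugins/eap-radius.opt
+++ b/release/src/router/strongswan/conf/plugins/eap-radius.opt
@@ -5,7 +5,7 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes
 Close the IKE_SA if there is a timeout during interim RADIUS accounting
 updates.
 
-charon.plugins.eap-radius.accounting_interval = 0
+charon.plugins.eap-radius.accounting_interval = 0s
 Interval in seconds for interim RADIUS accounting updates, if not specified
 by the RADIUS server in the Access-Accept message.
 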
@@ -5,3 +5,10 @@ charon.plugins.kernel-libipsec.allow_peer_ts = no
installed for such traffic (via TUN device) usually prevents further IKE
traffic. The fwmark options for the _kernel-netlink_ and _socket-default_
plugins can be used to circumvent that problem.

charon.plugins.kernel-libipsec.fwmark = charon.plugins.socket-default.fwmark
Firewall mark to set on outbound raw ESP packets.

charon.plugins.kernel-libipsec.raw_esp = no
Whether to send and receive ESP packets without UDP encapsulation if
supported on this platform and no NAT is detected.
