rpms/ipsec-tools/F-9 ipsec-tools-0.7.1-dpd-fixes.patch, NONE, 1.1 ipsec-tools-0.7.1-leaks.patch, NONE, 1.1 ipsec-tools-0.7.1-loopback.patch, NONE, 1.1 ipsec-tools-0.7.1-natt-linux.patch, NONE, 1.1 ipsec-tools-0.7.1-pie.patch, NONE, 1.1 .cvsignore, 1.12, 1.13 ipsec-tools.spec, 1.55, 1.56 sources, 1.12, 1.13 ipsec-tools-0.7-contextsize.patch, 1.1, NONE ipsec-tools-0.7-libs.patch, 1.1, NONE ipsec-tools-0.7-loopback.patch, 1.2, NONE ipsec-tools-0.7-newcookie-alen.patch, 1.1, NONE ipsec.h, 1.1, NONE isakmp.c.diff, 1.1, NONE pfkeyv2.h, 1.4, NONE udp.h, 1.1, NONE xfrm.h, 1.2, NONE
Tomáš Mráz
tmraz at fedoraproject.org
Sat Oct 18 11:52:01 UTC 2008
- Previous message: rpms/gdesklets-calendar/F-9 dead.package,NONE,1.1
- Next message: rpms/ipsec-tools/F-8 ipsec-tools-0.7.1-dpd-fixes.patch, NONE, 1.1 ipsec-tools-0.7.1-leaks.patch, NONE, 1.1 ipsec-tools-0.7.1-loopback.patch, NONE, 1.1 ipsec-tools-0.7.1-natt-linux.patch, NONE, 1.1 ipsec-tools-0.7.1-pie.patch, NONE, 1.1 .cvsignore, 1.12, 1.13 ipsec-tools.spec, 1.50, 1.51 sources, 1.12, 1.13 ipsec-tools-0.7-contextsize.patch, 1.1, NONE ipsec-tools-0.7-libs.patch, 1.1, NONE ipsec-tools-0.7-loopback.patch, 1.2, NONE ipsec-tools-0.7-newcookie-alen.patch, 1.1, NONE ipsec.h, 1.1, NONE isakmp.c.diff, 1.1, NONE pfkeyv2.h, 1.4, NONE udp.h, 1.1, NONE xfrm.h, 1.2, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: tmraz
Update of /cvs/pkgs/rpms/ipsec-tools/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16104
Modified Files:
.cvsignore ipsec-tools.spec sources
Added Files:
ipsec-tools-0.7.1-dpd-fixes.patch
ipsec-tools-0.7.1-leaks.patch ipsec-tools-0.7.1-loopback.patch
ipsec-tools-0.7.1-natt-linux.patch ipsec-tools-0.7.1-pie.patch
Removed Files:
ipsec-tools-0.7-contextsize.patch ipsec-tools-0.7-libs.patch
ipsec-tools-0.7-loopback.patch
ipsec-tools-0.7-newcookie-alen.patch ipsec.h isakmp.c.diff
pfkeyv2.h udp.h xfrm.h
Log Message:
* Fri Oct 17 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-5
- fix CVE-2008-3652 (memory leak DoS)
- compile racoon as PIE
- another fix for teardown of the IPSEC SAs on DPD in some circumstances
ipsec-tools-0.7.1-dpd-fixes.patch:
--- NEW FILE ipsec-tools-0.7.1-dpd-fixes.patch ---
diff -up ipsec-tools-0.7.1/src/racoon/isakmp_inf.c.dpd-fixes ipsec-tools-0.7.1/src/racoon/isakmp_inf.c
--- ipsec-tools-0.7.1/src/racoon/isakmp_inf.c.dpd-fixes 2008-10-17 14:18:44.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/isakmp_inf.c 2008-10-17 18:04:07.000000000 +0200
@@ -1202,7 +1202,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
/* don't delete inbound SAs at the moment */
/* XXX should we remove SAs with opposite direction as well? */
- if (CMPSADDR(dst0, dst)) {
+ if (cmpsaddrwop(dst0, dst)) {
msg = next;
continue;
}
diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.dpd-fixes ipsec-tools-0.7.1/src/racoon/pfkey.c
--- ipsec-tools-0.7.1/src/racoon/pfkey.c.dpd-fixes 2008-10-17 14:18:44.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/pfkey.c 2008-10-17 18:17:16.000000000 +0200
@@ -902,13 +902,19 @@ pk_sendgetspi(iph2)
/* for mobile IPv6 */
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(pp)) {
- src = iph2->src_id;
- dst = iph2->dst_id;
+ src = dupsaddr(iph2->src_id);
+ dst = dupsaddr(iph2->dst_id);
} else {
- src = iph2->src;
- dst = iph2->dst;
+ src = dupsaddr(iph2->src);
+ dst = dupsaddr(iph2->dst);
}
-
+
+ if (src == NULL || dst == NULL) {
+ racoon_free(src);
+ racoon_free(dst);
+ return -1;
+ }
+
for (pr = pp->head; pr != NULL; pr = pr->next) {
/* validity check */
@@ -916,6 +922,8 @@ pk_sendgetspi(iph2)
if (satype == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid proto_id %d\n", pr->proto_id);
+ racoon_free(src);
+ racoon_free(dst);
return -1;
}
/* this works around a bug in Linux kernel where it allocates 4 byte
@@ -932,12 +940,12 @@ pk_sendgetspi(iph2)
if (mode == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid encmode %d\n", pr->encmode);
+ racoon_free(src);
+ racoon_free(dst);
return -1;
}
#ifdef ENABLE_NATT
- /* XXX should we do a copy of src/dst for each pr ?
- */
if (! pr->udp_encap) {
/* Remove port information, that SA doesn't use it */
set_port(src, 0);
@@ -956,6 +964,8 @@ pk_sendgetspi(iph2)
plog(LLV_ERROR, LOCATION, NULL,
"ipseclib failed send getspi (%s)\n",
ipsec_strerror());
+ racoon_free(src);
+ racoon_free(dst);
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
@@ -963,6 +973,8 @@ pk_sendgetspi(iph2)
sadbsecas2str(dst, src, satype, 0, mode));
}
+ racoon_free(src);
+ racoon_free(dst);
return 0;
}
@@ -1146,11 +1158,17 @@ pk_sendupdate(iph2)
/* for mobile IPv6 */
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(iph2->approval)) {
- sa_args.dst = iph2->src_id;
- sa_args.src = iph2->dst_id;
+ sa_args.dst = dupsaddr(iph2->src_id);
+ sa_args.src = dupsaddr(iph2->dst_id);
} else {
- sa_args.dst = iph2->src;
- sa_args.src = iph2->dst;
+ sa_args.dst = dupsaddr(iph2->src);
+ sa_args.src = dupsaddr(iph2->dst);
+ }
+
+ if (sa_args.src == NULL || sa_args.dst == NULL) {
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+ return -1;
}
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
@@ -1159,6 +1177,8 @@ pk_sendupdate(iph2)
if (sa_args.satype == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid proto_id %d\n", pr->proto_id);
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
@@ -1172,6 +1192,8 @@ pk_sendupdate(iph2)
if (sa_args.mode == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid encmode %d\n", pr->encmode);
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
#endif
@@ -1183,8 +1205,11 @@ pk_sendupdate(iph2)
pr->head->authtype,
&sa_args.e_type, &sa_args.e_keylen,
&sa_args.a_type, &sa_args.a_keylen,
- &sa_args.flags) < 0)
+ &sa_args.flags) < 0) {
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
+ }
#if 0
sa_args.l_bytes = iph2->approval->lifebyte * 1024,
@@ -1227,6 +1252,8 @@ pk_sendupdate(iph2)
plog(LLV_ERROR, LOCATION, NULL,
"libipsec failed send update (%s)\n",
ipsec_strerror());
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
@@ -1256,6 +1283,8 @@ pk_sendupdate(iph2)
sa_args.satype, sa_args.spi, sa_args.mode));
}
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return 0;
}
@@ -1449,11 +1478,17 @@ pk_sendadd(iph2)
/* for mobile IPv6 */
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(iph2->approval)) {
- sa_args.src = iph2->src_id;
- sa_args.dst = iph2->dst_id;
+ sa_args.src = dupsaddr(iph2->src_id);
+ sa_args.dst = dupsaddr(iph2->dst_id);
} else {
- sa_args.src = iph2->src;
- sa_args.dst = iph2->dst;
+ sa_args.src = dupsaddr(iph2->src);
+ sa_args.dst = dupsaddr(iph2->dst);
+ }
+
+ if (sa_args.src == NULL || sa_args.dst == NULL) {
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+ return -1;
}
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
@@ -1462,6 +1497,8 @@ pk_sendadd(iph2)
if (sa_args.satype == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid proto_id %d\n", pr->proto_id);
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
@@ -1475,6 +1512,8 @@ pk_sendadd(iph2)
if (sa_args.mode == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid encmode %d\n", pr->encmode);
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
#endif
@@ -1488,6 +1527,8 @@ pk_sendadd(iph2)
&sa_args.e_type, &sa_args.e_keylen,
&sa_args.a_type, &sa_args.a_keylen,
&sa_args.flags) < 0)
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
#if 0
@@ -1539,6 +1580,8 @@ pk_sendadd(iph2)
plog(LLV_ERROR, LOCATION, NULL,
"libipsec failed send add (%s)\n",
ipsec_strerror());
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
@@ -1566,6 +1609,8 @@ pk_sendadd(iph2)
sa_args.satype, sa_args.spi, sa_args.mode));
}
iph2->sa_count = sa_sent;
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return 0;
}
diff -up ipsec-tools-0.7.1/src/racoon/isakmp.c.dpd-fixes ipsec-tools-0.7.1/src/racoon/isakmp.c
--- ipsec-tools-0.7.1/src/racoon/isakmp.c.dpd-fixes 2008-10-17 14:34:15.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/isakmp.c 2008-10-17 17:58:44.000000000 +0200
@@ -3255,6 +3255,14 @@ purge_remote(iph1)
continue;
}
+#ifdef ENABLE_NATT
+ if (extract_port(src) == 0 && extract_port(dst) == 0 &&
+ extract_port(iph1->local) == PORT_ISAKMP && extract_port(iph1->remote) == PORT_ISAKMP) {
+ set_port(src, PORT_ISAKMP);
+ set_port(dst, PORT_ISAKMP);
+ }
+#endif
+
/*
* check in/outbound SAs.
* Select only SAs where src == local and dst == remote (outgoing)
ipsec-tools-0.7.1-leaks.patch:
--- NEW FILE ipsec-tools-0.7.1-leaks.patch ---
diff -up ipsec-tools-0.7.1/src/racoon/isakmp.c.leaks ipsec-tools-0.7.1/src/racoon/isakmp.c
--- ipsec-tools-0.7.1/src/racoon/isakmp.c.leaks 2008-10-17 14:18:44.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/isakmp.c 2008-10-17 14:34:15.000000000 +0200
@@ -798,20 +798,23 @@ ph1_main(iph1, msg)
[iph1->side]
[iph1->status])(iph1, msg);
if (error != 0) {
-#if 0
/* XXX
* When an invalid packet is received on phase1, it should
* be selected to process this packet. That is to respond
* with a notify and delete phase 1 handler, OR not to respond
- * and keep phase 1 handler.
+ * and keep phase 1 handler. However, in PHASE1ST_START when
+ * acting as RESPONDER we must not keep phase 1 handler or else
+ * it will stay forever.
*/
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
- return -1;
-#else
- /* ignore the error and keep phase 1 handler */
- return 0;
-#endif
+
+ if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "failed to pre-process packet.\n");
+ return -1;
+ } else {
+ /* ignore the error and keep phase 1 handler */
+ return 0;
+ }
}
#ifndef ENABLE_FRAG
ipsec-tools-0.7.1-loopback.patch:
--- NEW FILE ipsec-tools-0.7.1-loopback.patch ---
diff -up ipsec-tools-0.7.1/configure.ac.loopback ipsec-tools-0.7.1/configure.ac
--- ipsec-tools-0.7.1/configure.ac.loopback 2008-07-22 15:53:46.000000000 +0200
+++ ipsec-tools-0.7.1/configure.ac 2008-07-30 21:14:30.000000000 +0200
@@ -794,6 +794,27 @@ if test "$enable_security_context" = "ye
fi
fi
+AC_MSG_CHECKING(whether to support Auditing)
+AC_ARG_ENABLE(audit,
+ [ --enable-audit build audit daemon support for SELinux],
+ enable_audit=$enableval,enable_audit=auto)
+
+AC_MSG_RESULT($enable_audit)
+
+# libaudit detection
+if test x$enable_audit = xno ; then
+ have_libaudit=no;
+else
+ AC_CHECK_LIB(audit, audit_log_user_avc_message,
+ have_libaudit=yes, have_libaudit=no)
+fi
+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
+if test x$have_libaudit = xyes ; then
+ AUDIT_LIBS="-laudit"
+ AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support])
+fi
+AC_SUBST(AUDIT_LIBS)
+
CFLAGS="$CFLAGS $CFLAGS_ADD"
CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/racoon/pfkey.c
--- ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback 2008-07-30 21:14:30.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/pfkey.c 2008-07-30 21:33:20.000000000 +0200
@@ -99,6 +99,7 @@
#include "nattraversal.h"
#include "crypto_openssl.h"
#include "grabmyaddr.h"
+#include "sockmisc.h"
#if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
@@ -972,6 +973,56 @@ pk_recvgetspi(mhp)
return -1;
}
+#ifdef HAVE_SECCTX
+ if (iph2->loopback == 1) {
+ u_int satype, reqid;
+ struct sockaddr *src;
+
+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ if (cmpsaddrstrict(src, dst) == 0) {
+ struct pfkey_send_sa_args sa_args;
+ /* yep, this is loopback. install SA */
+ satype = ipsecdoi2pfkey_proto(iph2->proposal->head->proto_id);
+ if (satype == ~0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid proto_id %d\n",
+ iph2->proposal->head->proto_id);
+ return -1;
+ }
+
+ reqid = iph2->proposal->head->reqid_in;
+
+ iph2->status = PHASE2ST_ADDSA;
+
+ memset (&sa_args, 0, sizeof (sa_args));
+ sa_args.so = lcconf->sock_pfkey;
+ sa_args.satype = satype;
+ sa_args.mode = IPSEC_MODE_TRANSPORT;
+ sa_args.src = src;
+ sa_args.dst = dst;
+ sa_args.spi = sa->sadb_sa_spi;
+ sa_args.reqid = reqid;
+ sa_args.e_type = SADB_EALG_NULL;
+ sa_args.a_type = SADB_AALG_NONE;
+ sa_args.l_addtime = iph2->proposal->lifetime;
+ sa_args.seq = iph2->seq;
+ sa_args.ctxdoi = iph2->proposal->sctx.ctx_doi;
+ sa_args.ctxalg = iph2->proposal->sctx.ctx_alg;
+ sa_args.ctxstr = iph2->proposal->sctx.ctx_str;
+ sa_args.ctxstrlen = iph2->proposal->sctx.ctx_strlen;
+ if (pfkey_send_update2(&sa_args) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to update loopback SA: %s\n",
+ ipsec_strerror());
+ remph2(iph2);
+ delph2(iph2);
+ return -1;
+ }
+ }
+ return 0;
+ }
+#endif /* HAVE SECCTX */
+
/* set SPI, and check to get all spi whether or not */
allspiok = 1;
notfound = 1;
@@ -1222,6 +1273,26 @@ pk_recvupdate(mhp)
return -1;
}
+#ifdef HAVE_SECCTX
+ /* get update for loopback here */
+ if (iph2->loopback == 1 && (cmpsaddrstrict(src, dst) == 0)) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "IPsec-SA established without ISAKMP: %s\n",
+ sadbsecas2str(iph2->dst, iph2->src,
+ msg->sadb_msg_satype, sa->sadb_sa_spi,
+ IPSEC_MODE_TRANSPORT));
+
+ /* turn off the timer for calling pfkey_timeover() */
+ SCHED_KILL(iph2->sce);
+
+ iph2->sce = sched_new(iph2->proposal->lifetime,
+ isakmp_ph2expire_stub, iph2);
+
+ iph2->status = PHASE2ST_ESTABLISHED;
+ return 0;
+ }
+#endif
+
/* check to complete all keys ? */
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
@@ -1264,11 +1335,6 @@ pk_recvupdate(mhp)
/* turn off the timer for calling pfkey_timeover() */
SCHED_KILL(iph2->sce);
- /* update status */
- /* Do this in pk_recvadd
- * iph2->status = PHASE2ST_ESTABLISHED;
- */
-
#ifdef ENABLE_STATS
gettimeofday(&iph2->end, NULL);
syslog(LOG_NOTICE, "%s(%s): %8.6f",
@@ -1657,6 +1723,7 @@ pk_recvacquire(mhp)
struct sadb_x_sec_ctx *m_sec_ctx;
#endif /* HAVE_SECCTX */
struct policyindex spidx;
+ int do_listen = 0;
/* ignore this message because of local test mode. */
@@ -1681,6 +1748,12 @@ pk_recvacquire(mhp)
m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
if (m_sec_ctx != NULL) {
+ if (m_sec_ctx->sadb_x_ctx_len > MAX_CTXSTR_SIZE) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignoring ACQUIRE: security context is greater than MAX, %d.\n",
+ MAX_CTXSTR_SIZE);
+ return -1;
+ }
plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
m_sec_ctx->sadb_x_ctx_doi);
plog(LLV_INFO, LOCATION, NULL,
@@ -1730,7 +1803,6 @@ pk_recvacquire(mhp)
*/
struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
struct myaddrs *p;
- int do_listen = 0;
for (p = lcconf->myaddrs; p; p = p->next) {
if (!cmpsaddrwop(p->addr, sa)) {
do_listen = 1;
@@ -1853,6 +1925,73 @@ pk_recvacquire(mhp)
plog(LLV_DEBUG, LOCATION, NULL,
"new acquire %s\n", spidx2str(&sp_out->spidx));
+#ifdef HAVE_SECCTX
+ /*
+ * If the src address in the ACQUIRE is one we listen on and
+ * the src and dst addresses are the same, then assume this
+ * packet arrived over loopback and just get an SPI and
+ * install the SA.
+ */
+ if (do_listen && m_sec_ctx && (cmpsaddrstrict(src, dst) == 0)) {
+ struct saprop *newpp;
+ struct saproto *newpr;
+ iph2[n]->loopback = 1;
+ newpp = newsaprop();
+ if (newpp == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate saprop.\n");
+ delph2(iph2[n]);
+ return -1;
+ }
+ /* allocate to hold reqid */
+ newpr = newsaproto();
+ if (newpr == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate saproto.\n");
+ delph2(iph2[n]);
+ return -1;
+ }
+
+ newpr->reqid_out = sp_out->req->saidx.reqid;
+ newpr->reqid_in = sp_in->req->saidx.reqid;
+ newpr->proto_id = ipproto2doi(sp_out->req->saidx.proto);
+
+ inssaprotorev(newpp, newpr);
+ iph2[n]->proposal = newpp;
+ printsaprop0(LLV_DEBUG, newpp);
+
+ set_secctx_in_proposal(iph2[n], spidx);
+ iph2[n]->proposal->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
+
+ insph2(iph2[n]);
+
+ iph2[n]->status = PHASE2ST_GETSPISENT;
+ plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
+ if (pfkey_send_getspi(
+ lcconf->sock_pfkey,
+ iph2[n]->satype,
+ IPSEC_MODE_TRANSPORT,
+ dst, /* src of SA */
+ src, /* dst of SA */
+ 0, 0,
+ newpr->reqid_in, iph2[n]->seq) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ipseclib failed send getspi (%s)\n",
+ ipsec_strerror());
+ delph2(iph2[n]);
+ return -1;
+ }
+ iph2[n]->sce = sched_new(lcconf->wait_ph2complete,
+ pfkey_timeover_stub, iph2[n]);
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "pfkey GETSPI sent: %s\n",
+ sadbsecas2str(dst, src, iph2[n]->satype, 0,
+ IPSEC_MODE_TRANSPORT));
+ return 0;
+ }
+#endif /* HAVE_SECCTX */
+
/* get sainfo */
{
vchar_t *idsrc, *iddst;
diff -up ipsec-tools-0.7.1/src/racoon/Makefile.am.loopback ipsec-tools-0.7.1/src/racoon/Makefile.am
--- ipsec-tools-0.7.1/src/racoon/Makefile.am.loopback 2008-07-23 15:54:16.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/Makefile.am 2008-07-30 21:14:30.000000000 +0200
@@ -39,7 +39,7 @@ racoon_SOURCES = \
EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
+ $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
racoon_DEPENDENCIES = \
$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
vmbuf.o sockmisc.o misc.o
diff -up ipsec-tools-0.7.1/src/racoon/policy.h.loopback ipsec-tools-0.7.1/src/racoon/policy.h
--- ipsec-tools-0.7.1/src/racoon/policy.h.loopback 2007-06-07 22:34:19.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/policy.h 2008-07-30 21:14:30.000000000 +0200
@@ -38,7 +38,12 @@
#ifdef HAVE_SECCTX
-#define MAX_CTXSTR_SIZE 50
+
+/* Current LSPP policy is 1024 compartments, 5 chars each 'c1024'. SE Linux
+ * will attempt to combine so, worst case is all odd or even numbers. The
+ * context size of SE Linux types is max'ed around 256. We allow 16 for
+ * sensitivity */
+#define MAX_CTXSTR_SIZE 3344 /* (6 * 512) + 256 + 16 */
struct security_ctx {
u_int8_t ctx_doi; /* Security Context DOI */
u_int8_t ctx_alg; /* Security Context Algorithm */
@@ -152,6 +157,9 @@ extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));
extern const char *spidx2str __P((const struct policyindex *));
+#ifdef HAVE_LIBAUDIT
+extern void audit_init __P((void));
+#endif
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
extern int get_security_context __P((vchar_t *, struct policyindex *));
diff -up ipsec-tools-0.7.1/src/racoon/main.c.loopback ipsec-tools-0.7.1/src/racoon/main.c
--- ipsec-tools-0.7.1/src/racoon/main.c.loopback 2007-06-07 22:34:18.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/main.c 2008-07-30 21:14:30.000000000 +0200
@@ -169,6 +169,9 @@ main(ac, av)
#ifdef HAVE_SECCTX
init_avc();
#endif
+#ifdef HAVE_LIBAUDIT
+ audit_init();
+#endif
eay_init();
initlcconf();
initrmconf();
diff -up ipsec-tools-0.7.1/src/racoon/handler.h.loopback ipsec-tools-0.7.1/src/racoon/handler.h
--- ipsec-tools-0.7.1/src/racoon/handler.h.loopback 2008-07-30 21:14:30.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/handler.h 2008-07-30 21:14:30.000000000 +0200
@@ -286,6 +286,7 @@ struct ph2handle {
u_int32_t msgid; /* msgid for phase 2 */
u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
+ u_int8_t loopback;
struct sainfo *sainfo; /* place holder of sainfo */
struct saprop *proposal; /* SA(s) proposal. */
diff -up ipsec-tools-0.7.1/src/racoon/security.c.loopback ipsec-tools-0.7.1/src/racoon/security.c
--- ipsec-tools-0.7.1/src/racoon/security.c.loopback 2007-06-07 22:34:19.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/security.c 2008-07-30 21:14:30.000000000 +0200
@@ -55,6 +55,61 @@
#include "proposal.h"
#include "strnames.h"
#include "handler.h"
+#ifdef HAVE_LIBAUDIT
+#include <unistd.h>
+#include <sys/param.h>
+#include "libaudit.h"
+#endif
+
+static void log_callback (const char *fmt, ...);
+
+static const struct avc_log_callback log_cb =
+{
+ .func_log = log_callback,
+ .func_audit = NULL
+};
+
+#ifdef HAVE_LIBAUDIT
+static int audit_fd = -1;
+void
+audit_init(void)
+{
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* If kernel doesn't support audit, bail out */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return;
+ /* If unprivileged, bail out */
+ if (errno == EPERM && getuid() != 0)
+ return;
+ plog (LLV_ERROR, LOCATION, NULL,
+ "Failed opening connection to the audit subsystem");
+ }
+}
+#endif /* HAVE_LIBAUDIT */
+
+static void
+log_callback (const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+#ifdef HAVE_LIBAUDIT
+ if (audit_fd >= 0) {
+ char buf[PATH_MAX*2];
+
+ /* FIXME: need to change this to show real user */
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC,
+ buf, NULL, NULL, NULL, -1);
+ return;
+ } else
+#endif /* HAVE_LIBAUDIT */
+ {
+ vsyslog (LOG_INFO, fmt, ap);
+ va_end(ap);
+ }
+}
/*
* Get the security context information from SA.
ipsec-tools-0.7.1-natt-linux.patch:
--- NEW FILE ipsec-tools-0.7.1-natt-linux.patch ---
diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.natt-linux ipsec-tools-0.7.1/src/racoon/pfkey.c
--- ipsec-tools-0.7.1/src/racoon/pfkey.c.natt-linux 2008-07-30 21:34:33.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/pfkey.c 2008-08-10 17:28:47.000000000 +0200
@@ -290,6 +290,13 @@ pfkey_dump_sadb(satype)
struct sadb_msg *msg = NULL;
size_t bl, ml;
int len;
+#if defined(__linux__) && defined(ENABLE_NATT)
+ caddr_t mhp[SADB_EXT_MAX + 1];
+ struct sadb_sa *sa;
+ struct sockaddr *src, *dst;
+ struct sadb_x_nat_t_type *natt_type;
+ struct sadb_x_nat_t_port *natt_port;
+#endif
if ((s = privsep_pfkey_open()) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
@@ -325,6 +332,45 @@ pfkey_dump_sadb(satype)
continue;
}
+#if defined(__linux__) && defined(ENABLE_NATT)
+ /*
+ * NetBSD returns the NAT-T ports in the src and dst sockaddrs
+ * in addition to the SADB_X_EXT_NAT_T_*PORT structs.
+ *
+ * Linux only returns them in the SADB_X_EXT_NAT_T_*PORT
+ * structs. The racoon codebase is making the assumption that
+ * the NAT-T ports are reflected by the ports in the src and
+ * dst sockaddrs. We stick that information into those structs
+ * here to meet the assumptions elsewhere.
+ */
+ if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "pfkey_check (%s)\n", ipsec_strerror());
+ goto no_fixup;
+ }
+
+ sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
+ if (!sa || !mhp[SADB_EXT_ADDRESS_SRC] || !mhp[SADB_EXT_ADDRESS_DST]) {
+ goto no_fixup;
+ }
+
+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+
+ natt_type = (struct sadb_x_nat_t_type *)(mhp[SADB_X_EXT_NAT_T_TYPE]);
+
+ if (natt_type && natt_type->sadb_x_nat_t_type_type) {
+ /* set the src and dst ports */
+ natt_port = (struct sadb_x_nat_t_port *)(mhp[SADB_X_EXT_NAT_T_SPORT]);
+ if (natt_port != NULL && extract_port(src) == 0)
+ set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
+
+ natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
+ if (natt_port != NULL && extract_port(dst) == 0)
+ set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
+ }
+no_fixup:
+#endif /* __linux__ && ENABLE_NATT */
ml = msg->sadb_msg_len << 3;
bl = buf ? buf->l : 0;
diff -up ipsec-tools-0.7.1/src/racoon/isakmp_inf.c.natt-linux ipsec-tools-0.7.1/src/racoon/isakmp_inf.c
--- ipsec-tools-0.7.1/src/racoon/isakmp_inf.c.natt-linux 2008-07-11 10:08:42.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/isakmp_inf.c 2008-08-10 17:22:24.000000000 +0200
@@ -1143,10 +1143,6 @@ purge_ipsec_spi(dst0, proto, spi, n)
u_int64_t created;
size_t i;
caddr_t mhp[SADB_EXT_MAX + 1];
-#ifdef ENABLE_NATT
- struct sadb_x_nat_t_type *natt_type;
- struct sadb_x_nat_t_port *natt_port;
-#endif
plog(LLV_DEBUG2, LOCATION, NULL,
"purge_ipsec_spi:\n");
@@ -1199,20 +1195,6 @@ purge_ipsec_spi(dst0, proto, spi, n)
msg = next;
continue;
}
-#ifdef ENABLE_NATT
- natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
- if (natt_type && natt_type->sadb_x_nat_t_type_type) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
- if (extract_port(src) == 0 && natt_port != NULL)
- set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
-
- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
- if (extract_port(dst) == 0 && natt_port != NULL)
- set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
- }
-#endif
plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
ipsec-tools-0.7.1-pie.patch:
--- NEW FILE ipsec-tools-0.7.1-pie.patch ---
diff -up ipsec-tools-0.7.1/src/racoon/Makefile.am.pie ipsec-tools-0.7.1/src/racoon/Makefile.am
--- ipsec-tools-0.7.1/src/racoon/Makefile.am.pie 2008-10-17 14:13:24.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/Makefile.am 2008-10-17 14:16:53.000000000 +0200
@@ -12,7 +12,7 @@ adminsockdir=${localstatedir}/racoon
BUILT_SOURCES = cfparse.h prsa_par.h
INCLUDES = -I${srcdir}/../libipsec
AM_CFLAGS = -D_GNU_SOURCE @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \
- -DADMINPORTDIR=\"${adminsockdir}\"
+ -DADMINPORTDIR=\"${adminsockdir}\" -fPIE
AM_LDFLAGS = @EXTRA_CRYPTO@ -lcrypto
AM_YFLAGS = -d ${$*_YFLAGS}
AM_LFLAGS = ${$*_LFLAGS}
@@ -38,6 +38,7 @@ racoon_SOURCES = \
cftoken.l cfparse.y prsa_tok.l prsa_par.y
EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
+racoon_LDFLAGS = -pie -Wl,-z,relro
racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
$(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
racoon_DEPENDENCIES = \
diff -up ipsec-tools-0.7.1/src/libipsec/Makefile.am.pie ipsec-tools-0.7.1/src/libipsec/Makefile.am
--- ipsec-tools-0.7.1/src/libipsec/Makefile.am.pie 2008-07-23 11:07:03.000000000 +0200
+++ ipsec-tools-0.7.1/src/libipsec/Makefile.am 2008-10-17 14:13:24.000000000 +0200
@@ -7,7 +7,7 @@ libipsec_HEADERS = libpfkey.h
man3_MANS = ipsec_set_policy.3 ipsec_strerror.3
-AM_CFLAGS = @GLIBC_BUGS@
+AM_CFLAGS = @GLIBC_BUGS@ -fPIE
AM_YFLAGS = -d -p __libipsec
AM_LFLAGS = -P__libipsec -olex.yy.c
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/F-9/.cvsignore,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- .cvsignore 29 Aug 2007 04:04:57 -0000 1.12
+++ .cvsignore 18 Oct 2008 11:51:31 -0000 1.13
@@ -1,2 +1 @@
-ipsec-tools-0.6.6.tar.bz2
-ipsec-tools-0.7.tar.bz2
+ipsec-tools-0.7.1.tar.bz2
Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/F-9/ipsec-tools.spec,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -r1.55 -r1.56
--- ipsec-tools.spec 28 Feb 2008 16:07:33 -0000 1.55
+++ ipsec-tools.spec 18 Oct 2008 11:51:31 -0000 1.56
@@ -1,25 +1,25 @@
Name: ipsec-tools
-Version: 0.7
-Release: 13%{?dist}
+Version: 0.7.1
+Release: 5%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
URL: http://ipsec-tools.sourceforge.net/
-Source: http://prdownload.sourceforge.net/ipsec-tools/ipsec-tools-%{version}.tar.bz2
+Source: ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/ipsec-tools-%{version}.tar.bz2
Source1: racoon.conf
Source2: psk.txt
Source3: p1_up_down
Source4: racoon.init
-Patch: ipsec-tools-0.7-libs.patch
-Patch2: isakmp.c.diff
Patch3: ipsec-tools-0.7-acquires.patch
-Patch4: ipsec-tools-0.7-loopback.patch
+Patch4: ipsec-tools-0.7.1-loopback.patch
# the following patches were also submitted upstream:
Patch5: ipsec-tools-0.7-iface.patch
Patch6: ipsec-tools-0.7-dupsplit.patch
-Patch7: ipsec-tools-0.7-contextsize.patch
-Patch8: ipsec-tools-0.7-newcookie-alen.patch
Patch9: ipsec-tools-0.7-splitcidr.patch
+Patch10: ipsec-tools-0.7.1-natt-linux.patch
+Patch11: ipsec-tools-0.7.1-pie.patch
+Patch12: ipsec-tools-0.7.1-leaks.patch
+Patch13: ipsec-tools-0.7.1-dpd-fixes.patch
BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
BuildRequires: libselinux-devel >= 1.30.28-2
@@ -37,22 +37,24 @@
%prep
%setup -q
-%patch -p1
-%patch2 -p1
%patch3 -p1 -b .acquires
%patch4 -p1 -b .loopback
%patch5 -p1 -b .iface
%patch6 -p1 -b .dupsplit
-%patch7 -p1 -b .ctxsize
-%patch8 -p1 -b .cookie
%patch9 -p1 -b .splitcidr
+%patch10 -p1 -b .natt-linux
+%patch11 -p1 -b .pie
+%patch12 -p1 -b .leaks
+%patch13 -p1 -b .dpd-fixes
./bootstrap
%build
source /etc/profile.d/krb5-devel.sh
sed -i 's|-Werror||g' configure
-CFLAGS="$RPM_OPT_FLAGS" %configure \
+LDFLAGS="-Wl,--as-needed"
+export LDFLAGS
+%configure \
--with-kernel-headers=/usr/include \
--sysconfdir=/etc/racoon \
--without-readline \
@@ -63,7 +65,6 @@
--enable-gssapi \
--enable-natt \
--enable-security-context \
- --enable-racoon-over-loopback \
--enable-audit
make
@@ -123,6 +124,25 @@
%config(noreplace) /etc/racoon/racoon.conf
%changelog
+* Fri Oct 17 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-5
+- fix CVE-2008-3652 (memory leak DoS)
+- compile racoon as PIE
+- another fix for teardown of the IPSEC SAs on DPD in some circumstances
+
+* Sun Aug 10 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-4
+- Even better fix for IPSEC SA purging avoiding code duplication
+ (original idea by Darrel Goeddel)
+
+* Fri Aug 8 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-3
+- Fix IPSEC SA purge with NAT_T enabled
+
+* Wed Jul 30 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-2
+- Different approach to allow racoon to add loopback SAs for
+ labeled IPSec (without ISAKMP)
+
+* Tue Jul 29 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-1
+- Update to a new upstream version
+
* Thu Feb 28 2008 Steve Conklin <sconklin at redhat.com> - 0.7-13
- Resolves bz#273261 remote-access client connection to Cisco ASA
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/F-9/sources,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- sources 29 Aug 2007 04:04:57 -0000 1.12
+++ sources 18 Oct 2008 11:51:31 -0000 1.13
@@ -1 +1 @@
-c0a586924edde35264ecfe94ad1c261f ipsec-tools-0.7.tar.bz2
+30b196a2829556182c39aed9f83c0bbf ipsec-tools-0.7.1.tar.bz2
--- ipsec-tools-0.7-contextsize.patch DELETED ---
--- ipsec-tools-0.7-libs.patch DELETED ---
--- ipsec-tools-0.7-loopback.patch DELETED ---
--- ipsec-tools-0.7-newcookie-alen.patch DELETED ---
--- ipsec.h DELETED ---
--- isakmp.c.diff DELETED ---
--- pfkeyv2.h DELETED ---
--- udp.h DELETED ---
--- xfrm.h DELETED ---
- Previous message: rpms/gdesklets-calendar/F-9 dead.package,NONE,1.1
- Next message: rpms/ipsec-tools/F-8 ipsec-tools-0.7.1-dpd-fixes.patch, NONE, 1.1 ipsec-tools-0.7.1-leaks.patch, NONE, 1.1 ipsec-tools-0.7.1-loopback.patch, NONE, 1.1 ipsec-tools-0.7.1-natt-linux.patch, NONE, 1.1 ipsec-tools-0.7.1-pie.patch, NONE, 1.1 .cvsignore, 1.12, 1.13 ipsec-tools.spec, 1.50, 1.51 sources, 1.12, 1.13 ipsec-tools-0.7-contextsize.patch, 1.1, NONE ipsec-tools-0.7-libs.patch, 1.1, NONE ipsec-tools-0.7-loopback.patch, 1.2, NONE ipsec-tools-0.7-newcookie-alen.patch, 1.1, NONE ipsec.h, 1.1, NONE isakmp.c.diff, 1.1, NONE pfkeyv2.h, 1.4, NONE udp.h, 1.1, NONE xfrm.h, 1.2, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list