[openswan] rhbz #771612: ipsec barf should not grep sparse file. The
avesh
avesh at fedoraproject.org
Tue Aug 21 18:36:19 UTC 2012
commit 6a0dce5720feb3f103c7c383e2046b613fc3d0f0
Author: Avesh Agarwal <avagarwa at redhat.com>
Date: Tue Aug 21 14:35:51 2012 -0400
rhbz #771612: ipsec barf should not grep sparse file. The
patch has been provided by pwouters at redhat.com.
- rhbz #785180: openswan uses ifconfig which is deprecated.
- rhbz #796683: Compile time no-strict-aliasing issue.
- rhbz #834396: Coverity scan fixes, warnings, dead code.
- rhbz #834400: NAT-OA reserved field issue.
openswan-771612.patch | 22 ++++
openswan-785180.patch | 34 ++++++
openswan-834396.patch | 312 +++++++++++++++++++++++++++++++++++++++++++++++++
openswan-834400.patch | 18 +++
openswan.spec | 22 +++-
5 files changed, 405 insertions(+), 3 deletions(-)
---
diff --git a/openswan-771612.patch b/openswan-771612.patch
new file mode 100644
index 0000000..b350ab4
--- /dev/null
+++ b/openswan-771612.patch
@@ -0,0 +1,22 @@
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index 502a107..83d7465 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -72,7 +72,7 @@ findlog() { # findlog string fallbackstring possiblefile ...
+ fi
+ done
+ # nope, resort to a search, newest first, of uncompressed logs
+- for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
++ for f in `ls -t $LOGS | egrep -v lastlog | egrep -v tmp | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
+ do
+ if test -f $LOGS/$f -a ! -d $LOGS/$f && egrep -q "$s" $LOGS/$f
+ then
+@@ -83,7 +83,7 @@ findlog() { # findlog string fallbackstring possiblefile ...
+ return 0
+ fi
+ done
+- for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
++ for f in `ls -t $LOGS | egrep -v lastlog | egrep -v tmp | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
+ do
+ if test -s $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
+ then
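Review bot: The new `egrep -v lastlog | egrep -v tmp` stages match anywhere in the file name, so every log whose name merely contains `tmp` is dropped from the search as well; if the intent is the sparse `lastlog` plus the binary login records (`wtmp`, `btmp`), anchoring the patterns, e.g. `egrep -v '^lastlog$' | egrep -v '^[wbu]?tmp'`, keeps the exclusion explicit and stops it widening to unrelated text logs. The identical pipeline is repeated in the second nested hunk of this patch; a single shell variable holding the exclusion pattern would keep the two loops in sync. Both loops still word-split `ls -t $LOGS` output, which is pre-existing but means names containing spaces are mishandled.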
diff --git a/openswan-785180.patch b/openswan-785180.patch
new file mode 100644
index 0000000..409302a
--- /dev/null
+++ b/openswan-785180.patch
@@ -0,0 +1,34 @@
+diff --git a/programs/_startklips/_startklips.in b/programs/_startklips/_startklips.in
+index 4147418..27d6e23 100755
+--- a/programs/_startklips/_startklips.in
++++ b/programs/_startklips/_startklips.in
+@@ -183,7 +183,7 @@ getinterfaceinfo() {
+
+ # get default route info
+ getdefaultrouteinfo() {
+- netstat -nr | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print "phys=" $NF; print "next=" $2; exit 0 }'
++ ip route list | awk '$1 == "default" { print "phys=" $NF; print "next=" $3; exit 0 }'
+ }
+
+ # set up a Klips interface
+diff --git a/programs/verify/verify.in b/programs/verify/verify.in
+index 4f9fc74..a63cd2c 100755
+--- a/programs/verify/verify.in
++++ b/programs/verify/verify.in
+@@ -475,12 +475,11 @@ sub dnschecks {
+ checkdnshost $hostname;
+
+ # Check all the public IP addresses...
+- run "/sbin/ifconfig -a";
+- foreach (grep /inet addr/, at out)
++ run "ip -4 -o addr show";
++ for (@out)
+ {
+- $_=~ s/^\s*//;
+- @temp=split(/[:\ ]+/, $_);
+- push(@address,$temp[2]);
++ @temp=split(/[\/\ ]+/, $_);
++ push(@address,$temp[3]);
+ }
+ # Purge all non-routeable IPs...
+ @address=grep !/^(127.*|10.*|172.1[6789]+.*.*|172.2+.*.*|172.3[01]+.*.*|192.168.*.*|169.254.*.*)/, at address;
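Review bot: In getdefaultrouteinfo the rewritten awk prints `$NF` as `phys=`, but in `ip route list` output the device is not necessarily the last field (lines such as `default via GW dev eth0 proto dhcp metric 100` end with the metric), and `$3` is the gateway only when a `via` clause is present; the old netstat columns were fixed, the iproute2 ones are keyword-positioned. Walking the fields for the `dev` and `via` keywords is more robust and preserves the phys/next output order: `ip route list | awk '$1 == "default" { for (i = 2; i < NF; i++) { if ($i == "dev") d = $(i+1); if ($i == "via") g = $(i+1) } print "phys=" d; print "next=" g; exit 0 }'`. The verify.in change makes a similar positional assumption (`$temp[3]`) on `ip -4 -o addr show` lines, which holds for the usual `N: IFACE inet A.B.C.D/P …` layout but deserves a comment saying so.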
diff --git a/openswan-834396.patch b/openswan-834396.patch
new file mode 100644
index 0000000..b848d27
--- /dev/null
+++ b/openswan-834396.patch
@@ -0,0 +1,312 @@
+diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
+index 4fc6096..43152b6 100644
+--- a/lib/libipsecconf/confread.c
++++ b/lib/libipsecconf/confread.c
+@@ -876,8 +876,8 @@ static int load_conn (struct starter_config *cfg
+ for(alsosize=0; alsos[alsosize]!=NULL; alsosize++);
+
+ alsoplace = 0;
+- while(alsos != NULL
+- && alsoplace < alsosize && alsos[alsoplace] != NULL
++ /*alsos is equal to conn->alsos that has been already veirfied for NULL*/
++ while(alsoplace < alsosize && alsos[alsoplace] != NULL
+ && alsoplace < ALSO_LIMIT)
+ {
+ /*
+diff --git a/lib/libopenswan/alg_info.c b/lib/libopenswan/alg_info.c
+index b5af2ce..e855261 100644
+--- a/lib/libopenswan/alg_info.c
++++ b/lib/libopenswan/alg_info.c
+@@ -723,18 +723,6 @@ alg_info_parse_str (struct alg_info *alg_info
+
+ case ST_END:
+ case ST_EOF:
+- /*
+- * If we detect sha2_256 with key size 96, we know they really meant
+- * to configure sha2_256_trunc 256 bit with a hash truncation of 96
+- */
+-#warning paul check and redo me
+-#if 0
+- if( !strncmp( ctx.aalg_buf, sha2_256, 8) && (ctx.eklen==0) && (ctx.aklen==96)) {
+- DBG(DBG_CRYPT,DBG_log(" converting sha2_256-96 to sha2_256_trunc-256"));
+- strncpy(ctx.aalg_buf, "sha2_256_trunc", sizeof("sha2_256_trunc"));
+- ctx.aklen = 256;
+- }
+-#endif
+
+ DBG(DBG_CRYPT, DBG_log("alg_info_parse_str() "
+ "ealg_buf=%s aalg_buf=%s "
+diff --git a/lib/libopenswan/pem.c b/lib/libopenswan/pem.c
+index 396725c..27da8cd 100644
+--- a/lib/libopenswan/pem.c
++++ b/lib/libopenswan/pem.c
+@@ -277,6 +277,8 @@ pem_decrypt(chunk_t *blob, chunk_t *iv
+
+ pass->prompt(RC_ENTERSECRET, "need passphrase for '%s'", label);
+
++ clonetochunk(blob_copy, blob->ptr, blob->len, "blob copy");
++
+ for (i = 0; i < MAX_PROMPT_PASS_TRIALS; i++)
+ {
+ int n;
+@@ -302,8 +304,6 @@ pem_decrypt(chunk_t *blob, chunk_t *iv
+ return ugh;
+ }
+
+- clonetochunk(blob_copy, blob->ptr, blob->len, "blob copy");
+-
+ if (pem_decrypt_3des(blob, iv, pass->secret))
+ {
+ pass->prompt(RC_SUCCESS, "valid passphrase, private key loaded successfully");
+@@ -313,9 +313,10 @@ pem_decrypt(chunk_t *blob, chunk_t *iv
+
+ /* blob is useless after wrong decryption, restore the original */
+ pfree(blob->ptr);
+- *blob = blob_copy;
++ clonetochunk(*blob, blob_copy.ptr, blob_copy.len, "blob copy");
+ }
+ pass->prompt(RC_LOG_SERIOUS, "%s", ugh);
++ pfree(blob_copy.ptr);
+ return ugh;
+ }
+ else
+diff --git a/lib/libopenswan/secrets.c b/lib/libopenswan/secrets.c
+index 8cb69dd..1f7398b 100644
+--- a/lib/libopenswan/secrets.c
++++ b/lib/libopenswan/secrets.c
+@@ -1258,6 +1258,7 @@ osw_process_secret_records(struct secret **psecrets, int verbose,
+ /* expecting a list of indices and then the key info */
+ s = alloc_thing(struct secret, "secret");
+
++ if (s != NULL) {
+ s->ids = NULL;
+ s->pks.kind = PPK_PSK; /* default */
+ setchunk(s->pks.u.preshared_secret, NULL, 0);
+@@ -1268,7 +1269,8 @@ osw_process_secret_records(struct secret **psecrets, int verbose,
+ s->pks.u.RSA_private_key.pub.nssCert = NULL;
+ #endif
+
+- while(s != NULL)
++ //while(s != NULL)
++ while(1)
+ {
+ struct id id;
+ err_t ugh;
+@@ -1278,7 +1280,7 @@ osw_process_secret_records(struct secret **psecrets, int verbose,
+ /* found key part */
+ shift(); /* discard explicit separator */
+ process_secret(psecrets, verbose, s, pass);
+- s = NULL;
++ //s = NULL;
+ break;
+ }
+
+@@ -1331,9 +1333,11 @@ osw_process_secret_records(struct secret **psecrets, int verbose,
+ /* unexpected Record Boundary or EOF */
+ loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list"
+ , flp->filename, flp->lino);
++ pfree(s);
+ break;
+ }
+ }
++ }
+ }
+ }
+ }
+diff --git a/lib/libopenswan/x509dn.c b/lib/libopenswan/x509dn.c
+index fdc1c9f..f746107 100644
+--- a/lib/libopenswan/x509dn.c
++++ b/lib/libopenswan/x509dn.c
+@@ -1300,7 +1300,7 @@ decrypt_sig(chunk_t sig, int alg, const x509cert_t *issuer_cert,
+ PRArenaPool *arena;
+ SECStatus retVal = SECSuccess;
+ SECItem nss_n, nss_e, dsig;
+- SECItem signature, data;
++ SECItem signature;
+ mpz_t e;
+ mpz_t n;
+ mpz_t s;
+@@ -1379,10 +1379,6 @@ decrypt_sig(chunk_t sig, int alg, const x509cert_t *issuer_cert,
+ signature.data = sc.ptr;
+ signature.len = (unsigned int)sc.len;
+
+- data.type = siBuffer;
+- data.data = digest->ptr;
+- data.len = (unsigned int)digest->len;
+-
+ dsigc.len = (unsigned int)sc.len;
+ dsigc.ptr = alloc_bytes(dsigc.len, "NSS decrypted signature");
+ dsig.type = siBuffer;
+diff --git a/lib/libpluto/readwhackmsg.c b/lib/libpluto/readwhackmsg.c
+index e043c77..ffbaed2 100644
+--- a/lib/libpluto/readwhackmsg.c
++++ b/lib/libpluto/readwhackmsg.c
+@@ -82,6 +82,7 @@ void readwhackmsg(char *infile)
+ fclose(record);
+ perror(infile);
+ }
++ //fclose(record);
+ }
+
+ /*
+diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
+index 6086840..3905ace 100644
+--- a/programs/pluto/connections.c
++++ b/programs/pluto/connections.c
+@@ -1686,7 +1686,7 @@ struct connection *
+ ikev2_narrow_instantiate(struct connection *c)
+ {
+ struct connection *d;
+- int wildcards;
++ //int wildcards;
+
+ /*if(!(c->policy & POLICY_IKEV2_ALLOW) && !(c->policy & POLICY_IKEV2_PROPOSE)) {
+ passert(c->kind == CK_TEMPLATE);
+@@ -3566,6 +3566,10 @@ eclipsed(struct connection *c, struct spd_route **esrp)
+
+ ue = NULL;
+
++ /* This while is never true as ue is NULL.
++ * The flow will never go inside while.
++ * This function will return NULL.
++ */
+ while (sr1 != NULL && ue != NULL)
+ {
+ for (ue = connections; ue != NULL; ue = ue->ac_next)
+diff --git a/programs/pluto/crypt_dh.c b/programs/pluto/crypt_dh.c
+index e6f6f2e..d33fd19 100644
+--- a/programs/pluto/crypt_dh.c
++++ b/programs/pluto/crypt_dh.c
+@@ -294,7 +294,7 @@ skeyid_preshared(const chunk_t pss
+
+ #ifdef HAVE_LIBNSS
+ chunk_t nir;
+- int k;
++ unsigned int k;
+ CK_MECHANISM_TYPE mechanism;
+ u_char buf1[HMAC_BUFSIZE*2], buf2[HMAC_BUFSIZE*2];
+ chunk_t buf1_chunk, buf2_chunk;
+@@ -403,7 +403,7 @@ skeyid_digisig(const chunk_t ni
+ struct hmac_ctx ctx;
+ chunk_t nir;
+ #ifdef HAVE_LIBNSS
+- int k;
++ unsigned int k;
+ CK_MECHANISM_TYPE mechanism;
+ u_char buf1[HMAC_BUFSIZE*2], buf2[HMAC_BUFSIZE*2];
+ chunk_t buf1_chunk, buf2_chunk;
+diff --git a/programs/pluto/crypt_ke.c b/programs/pluto/crypt_ke.c
+index e7620a3..97356a3 100644
+--- a/programs/pluto/crypt_ke.c
++++ b/programs/pluto/crypt_ke.c
+@@ -55,6 +55,7 @@
+
+ #ifdef HAVE_LIBNSS
+ # include <nss.h>
++#include <nspr.h>
+ # include <pk11pub.h>
+ # include <keyhi.h>
+ # include "oswconf.h"
+diff --git a/programs/pluto/crypto.c b/programs/pluto/crypto.c
+index 1e568c9..baec5f7 100644
+--- a/programs/pluto/crypto.c
++++ b/programs/pluto/crypto.c
+@@ -358,14 +358,14 @@ static void
+ do_3des(u_int8_t *buf, size_t buf_len
+ , u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
+ {
+- des_key_schedule ks[3];
+-
+ passert(key != NULL);
+
+ #ifdef HAVE_LIBNSS
+ do_3des_nss(buf, buf_len, key, key_size, iv, enc);
+ #else
+
++ des_key_schedule ks[3];
++
+ passert(key_size==(DES_CBC_BLOCK_SIZE * 3));
+
+ (void) oswcrypto.des_set_key((des_cblock *)key + 0, ks[0]);
+diff --git a/programs/pluto/pluto_crypt.c b/programs/pluto/pluto_crypt.c
+index 46e4737..917515c 100644
+--- a/programs/pluto/pluto_crypt.c
++++ b/programs/pluto/pluto_crypt.c
+@@ -184,6 +184,7 @@ static void catchusr1(int signo UNUSED)
+ }
+ #endif
+
++#ifdef DEBUG
+ static void
+ helper_passert_fail(const char *pred_str
+ , const char *file_str
+@@ -204,7 +205,7 @@ helper_passert_fail(const char *pred_str
+ }
+ osw_abort();
+ }
+-
++#endif
+
+ void pluto_crypto_helper(int fd, int helpernum)
+ {
+diff --git a/programs/pluto/spdb_print.c b/programs/pluto/spdb_print.c
+index 28567e8..85c7d0d 100644
+--- a/programs/pluto/spdb_print.c
++++ b/programs/pluto/spdb_print.c
+@@ -141,16 +141,16 @@ sa_print(struct db_sa *f)
+ static void
+ print_sa_v2_attr(struct db_attr *at)
+ {
+- const struct enum_names *en = NULL;
++ //const struct enum_names *en = NULL;
+
+ if(at->type.ikev2 == 0) {
+ return;
+ }
+
+- en = NULL; /* XXX */
++ //en = NULL; /* XXX */
+ printf(" type: %u(%s) val: %u(%s)\n"
+ , at->type.ikev2, "" /*enum_name(&oakley_attr_names, at->type+ISAKMP_ATTR_AF_TV)*/
+- , at->val, en ? enum_name(en, at->val) : "unknown");
++ , at->val, "unknown");
+ }
+
+ void
+diff --git a/programs/pluto/spdb_v2_struct.c b/programs/pluto/spdb_v2_struct.c
+index a723130..852a628 100644
+--- a/programs/pluto/spdb_v2_struct.c
++++ b/programs/pluto/spdb_v2_struct.c
+@@ -1053,11 +1053,11 @@ ikev2_parse_parent_sa_body(
+
+ winning_prop = proposal;
+ gotmatch = TRUE;
+-
+- if(selection && !gotmatch && np == ISAKMP_NEXT_P) {
+- openswan_log("More than 1 proposal received from responder, ignoring rest. First one did not match");
+- return NO_PROPOSAL_CHOSEN;
+- }
++ /* gotmatch is true, so will never go inside if*/
++ //if(selection && !gotmatch && np == ISAKMP_NEXT_P) {
++ //openswan_log("More than 1 proposal received from responder, ignoring rest. First one did not match");
++ //return NO_PROPOSAL_CHOSEN;
++ //}
+ }
+ }
+
+@@ -1357,10 +1357,11 @@ ikev2_parse_child_sa_body(
+ gotmatch = TRUE;
+ winning_prop = proposal;
+
+- if(selection && !gotmatch && np == ISAKMP_NEXT_P) {
+- openswan_log("More than 1 proposal received from responder, ignoring rest. First one did not match");
+- return NO_PROPOSAL_CHOSEN;
+- }
++ /* gotmatch is true, so will never go inside if*/
++ //if(selection && !gotmatch && np == ISAKMP_NEXT_P) {
++ //openswan_log("More than 1 proposal received from responder, ignoring rest. First one did not match");
++ //return NO_PROPOSAL_CHOSEN;
++ //}
+ }
+ }
+
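Review bot: In pem.c the `clonetochunk(blob_copy, …)` now runs before the retry loop, but the `return ugh;` inside the loop and the `pem_decrypt_3des` success branch both leave the function without the `pfree(blob_copy.ptr)` that only the wrong-passphrase exit performs, so the copy of the key blob leaks on those paths; add `pfree(blob_copy.ptr);` before that `return ugh;` and in the success branch (whose body continues outside the hunk). In secrets.c the new `pfree(s);` on the "unexpected end of id list" path releases the struct itself, but if ids have already been linked into `s->ids` earlier in the loop (outside the hunk) they are not released with it — worth confirming whether the id list needs freeing there too. Several hunks (secrets.c, readwhackmsg.c, connections.c, spdb_print.c, spdb_v2_struct.c) comment code out rather than deleting it; version control already keeps the history, so `//while(s != NULL)`, `//s = NULL;`, `//fclose(record);` and the commented-out proposal check should be removed, and the confread.c comment has a typo (`veirfied`).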
diff --git a/openswan-834400.patch b/openswan-834400.patch
new file mode 100644
index 0000000..e833b68
--- /dev/null
+++ b/openswan-834400.patch
@@ -0,0 +1,18 @@
+diff --git a/lib/libpluto/packet.c b/lib/libpluto/packet.c
+index bac754a..24c9397 100644
+--- a/lib/libpluto/packet.c
++++ b/lib/libpluto/packet.c
+@@ -597,10 +597,11 @@ struct_desc isakmp_nat_d = { "ISAKMP NAT-D Payload", isag_fields, sizeof(struct
+ */
+ static field_desc isanat_oa_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+- { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
++ { ft_nat, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
+- { ft_mbz, 24/BITS_PER_BYTE, NULL, NULL },
++ { ft_nat, 8/BITS_PER_BYTE, NULL, NULL },
++ { ft_nat, 16/BITS_PER_BYTE, NULL, NULL },
+ { ft_end, 0, NULL, NULL }
+ };
+
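Review bot: Switching the NAT-OA reserved octets from `ft_mbz` to `ft_nat` makes the parser accept non-zero values there, but nothing in the hunk records why, so a comment on the field table, e.g. `/* rhbz #834400: reserved octets are parsed as plain values rather than enforced to be zero, for peers that do not clear them */`, would keep the next reader from "fixing" it back to `ft_mbz`. Whether the split of the 24-bit reserved field into 8- and 16-bit `ft_nat` entries is required by the widths ft_nat supports is not visible here; worth stating in the same comment.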
diff --git a/openswan.spec b/openswan.spec
index 8a95e9a..0dc51e4 100644
--- a/openswan.spec
+++ b/openswan.spec
@@ -10,7 +10,7 @@ Summary: IPSEC implementation with IKEv1 and IKEv2 keying protocols
Name: openswan
Version: 2.6.38
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Url: http://www.openswan.org/
Source: openswan-%{version}.tar.gz
@@ -32,6 +32,10 @@ Patch11: rhbz-831676.patch
Patch12: rhbz-841325.patch
Patch13: openswan-updown-netkey.patch
Patch14: openswan-xauth-modecfg-issues.patch
+Patch15: openswan-771612.patch
+Patch16: openswan-785180.patch
+Patch17: openswan-834396.patch
+Patch18: openswan-834400.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -107,12 +111,16 @@ install -m 644 %{SOURCE3} docs/README.x509
%patch12 -p1
%patch13 -p1
%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
%build
-
+#796683: -fno-strict-aliasing
%{__make} \
- USERCOMPILE="-g %{optflags} -fPIE -pie" \
+ USERCOMPILE="-g %{optflags} -fno-strict-aliasing -fPIE -pie" \
USERLINK="-g -pie" \
INC_USRLOCAL=%{_prefix} \
FINALLIBDIR=%{_libexecdir}/ipsec \
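Review bot: Adding `-fno-strict-aliasing` to USERCOMPILE turns off the optimizer's aliasing assumption for the whole user-space build rather than fixing the type punning rhbz #796683 is about, and the one-line comment does not say that; something like `# rhbz #796683: workaround for strict-aliasing violations in the sources; drop once they are fixed upstream` would stop the flag being silently removed later. Because the flag is passed only through USERCOMPILE, any objects built outside that variable keep the default aliasing rules — worth confirming the affected code is all compiled with it.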
@@ -231,6 +239,14 @@ fi
chkconfig --add ipsec || :
%changelog
+* Tue Aug 21 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-5
+- rhbz #771612: ipsec barf should not grep sparse file. The
+patch has been provided by pwouters at redhat.com.
+- rhbz #785180: openswan uses ifconfig which is deprecated.
+- rhbz #796683: Compile time no-strict-aliasing issue.
+- rhbz #834396: Coverity scan fixes, warnings, dead code.
+- rhbz #834400: NAT-OA reserved field issue.
+
* Fri Aug 17 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-4
- Phase15 as xauth and modecfg is called in openswan is not
handled properly when only xauth (without modecfg) is used.