[PATCH 08/12] ipsec-tools: Apply patches from FreeBSD ports.

Christian Mauderer christian.mauderer at embedded-brains.de
Wed Aug 1 08:04:50 UTC 2018


Source: https://svnweb.freebsd.org/ports/head/security/ipsec-tools/files/ revision 468617.
---
 ipsec-tools/src/libipsec/libpfkey.h   |   2 +-
 ipsec-tools/src/libipsec/pfkey.c      |  33 ++++++++---
 ipsec-tools/src/racoon/gssapi.c       |   5 ++
 ipsec-tools/src/racoon/handler.h      |   3 +-
 ipsec-tools/src/racoon/isakmp.c       |   2 +
 ipsec-tools/src/racoon/isakmp_cfg.c   |   4 ++
 ipsec-tools/src/racoon/isakmp_frag.c  | 102 +++++++++++++++++++++++-----------
 ipsec-tools/src/racoon/isakmp_inf.c   |   1 +
 ipsec-tools/src/racoon/isakmp_quick.c |  26 +++++++++
 ipsec-tools/src/racoon/localconf.c    |   3 +-
 ipsec-tools/src/racoon/nattraversal.c |   5 +-
 ipsec-tools/src/racoon/pfkey.c        |   6 +-
 12 files changed, 141 insertions(+), 51 deletions(-)

diff --git a/ipsec-tools/src/libipsec/libpfkey.h b/ipsec-tools/src/libipsec/libpfkey.h
index a213aac7..c05285a2 100644
--- a/ipsec-tools/src/libipsec/libpfkey.h
+++ b/ipsec-tools/src/libipsec/libpfkey.h
@@ -85,7 +85,7 @@ struct pfkey_send_sa_args {
 	u_int32_t	seq;
 	u_int8_t	l_natt_type;
 	u_int16_t	l_natt_sport, l_natt_dport;
-	struct sockaddr *l_natt_oa;
+	struct sockaddr *l_natt_oai, *l_natt_oar;
 	u_int16_t	l_natt_frag;
 	u_int8_t ctxdoi, ctxalg;	/* Security context DOI and algorithm */
 	caddr_t ctxstr;			/* Security context string */
diff --git a/ipsec-tools/src/libipsec/pfkey.c b/ipsec-tools/src/libipsec/pfkey.c
index 3114229e..554952d7 100644
--- a/ipsec-tools/src/libipsec/pfkey.c
+++ b/ipsec-tools/src/libipsec/pfkey.c
@@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
 		len += sizeof(struct sadb_x_nat_t_type);
 		len += sizeof(struct sadb_x_nat_t_port);
 		len += sizeof(struct sadb_x_nat_t_port);
-		if (sa_parms->l_natt_oa)
+		if (sa_parms->l_natt_oai)
 			len += sizeof(struct sadb_address) +
-			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa));
+			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai));
+		if (sa_parms->l_natt_oar)
+			len += sizeof(struct sadb_address) +
+			  PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar));
 #ifdef SADB_X_EXT_NAT_T_FRAG
 		if (sa_parms->l_natt_frag)
 			len += sizeof(struct sadb_x_nat_t_frag);
@@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
 			return -1;
 		}
 
-		if (sa_parms->l_natt_oa) {
-			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
-					      sa_parms->l_natt_oa,
-					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)),
+		if (sa_parms->l_natt_oai) {
+			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI,
+					      sa_parms->l_natt_oai,
+					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)),
+					      IPSEC_ULPROTO_ANY);
+			if (!p) {
+				free(newmsg);
+				return -1;
+			}
+		}
+
+		if (sa_parms->l_natt_oar) {
+			p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR,
+					      sa_parms->l_natt_oar,
+					      (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)),
 					      IPSEC_ULPROTO_ANY);
 			if (!p) {
 				free(newmsg);
@@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_t *mhp)
 		case SADB_X_EXT_NAT_T_TYPE:
 		case SADB_X_EXT_NAT_T_SPORT:
 		case SADB_X_EXT_NAT_T_DPORT:
-		case SADB_X_EXT_NAT_T_OA:
+		case SADB_X_EXT_NAT_T_OAI:
+		case SADB_X_EXT_NAT_T_OAR:
 #endif
 #ifdef SADB_X_EXT_TAG
 		case SADB_X_EXT_TAG:
@@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int satype, u_int mode, struct sockaddr *src,
 	psaa.l_natt_type = l_natt_type;
 	psaa.l_natt_sport = l_natt_sport;
 	psaa.l_natt_dport = l_natt_dport;
-	psaa.l_natt_oa = l_natt_oa;
+	psaa.l_natt_oar = l_natt_oa;
 	psaa.l_natt_frag = l_natt_frag;
 
 	return pfkey_send_update2(&psaa);
@@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype, u_int mode, struct sockaddr *src,
 	psaa.l_natt_type = l_natt_type;
 	psaa.l_natt_sport = l_natt_sport;
 	psaa.l_natt_dport = l_natt_dport;
-	psaa.l_natt_oa = l_natt_oa;
+	psaa.l_natt_oai = l_natt_oa;
 	psaa.l_natt_frag = l_natt_frag;
 
 	return pfkey_send_add2(&psaa);
diff --git a/ipsec-tools/src/racoon/gssapi.c b/ipsec-tools/src/racoon/gssapi.c
index e64b2015..7edcf4f6 100644
--- a/ipsec-tools/src/racoon/gssapi.c
+++ b/ipsec-tools/src/racoon/gssapi.c
@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
 	gss_name_t princ, canon_princ;
 	OM_uint32 maj_stat, min_stat;
 
+	if (iph1->rmconf == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+		return -1;
+	}
+
 	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
 	if (gps == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
diff --git a/ipsec-tools/src/racoon/handler.h b/ipsec-tools/src/racoon/handler.h
index 45d596e2..f4e6afd0 100644
--- a/ipsec-tools/src/racoon/handler.h
+++ b/ipsec-tools/src/racoon/handler.h
@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
+/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/
 
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
 
@@ -141,6 +141,7 @@ struct ph1handle {
 #endif
 #ifdef ENABLE_FRAG
 	int frag;			/* IKE phase 1 fragmentation */
+	int frag_last_index;
 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
 #endif
 
diff --git a/ipsec-tools/src/racoon/isakmp.c b/ipsec-tools/src/racoon/isakmp.c
index 2672f7ae..f9291c86 100644
--- a/ipsec-tools/src/racoon/isakmp.c
+++ b/ipsec-tools/src/racoon/isakmp.c
@@ -1069,6 +1069,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
 		iph1->frag = 1;
 	else
 		iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;
@@ -1173,6 +1174,7 @@ isakmp_ph1begin_r(msg, remote, local, etype)
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;
diff --git a/ipsec-tools/src/racoon/isakmp_cfg.c b/ipsec-tools/src/racoon/isakmp_cfg.c
index 67464590..660a32fe 100644
--- a/ipsec-tools/src/racoon/isakmp_cfg.c
+++ b/ipsec-tools/src/racoon/isakmp_cfg.c
@@ -38,7 +38,9 @@
 #include <sys/socket.h>
 #include <sys/queue.h>
 
+#if __FreeBSD_version >= 900007
 #include <utmpx.h>
+#endif
 #if defined(__APPLE__) && defined(__MACH__)
 #include <util.h>
 #endif
@@ -1663,6 +1665,7 @@ isakmp_cfg_accounting_system(port, raddr, usr, inout)
 	char *usr;
 	int inout;
 {
+#if __FreeBSD_version >= 900007
 	int error = 0;
 	struct utmpx ut;
 	char addr[NI_MAXHOST];
@@ -1706,6 +1709,7 @@ isakmp_cfg_accounting_system(port, raddr, usr, inout)
 		plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
 		break;
 	}
+#endif
 
 	return 0;
 }
diff --git a/ipsec-tools/src/racoon/isakmp_frag.c b/ipsec-tools/src/racoon/isakmp_frag.c
index ebba34b4..868ac943 100644
--- a/ipsec-tools/src/racoon/isakmp_frag.c
+++ b/ipsec-tools/src/racoon/isakmp_frag.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
+/*	$NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $	*/
 
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
 
@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
 }
 
+static int 
+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
+{
+	struct isakmp_frag_item *pitem = NULL;
+	struct isakmp_frag_item *citem = iph1->frag_chain;
+
+	/* no frag yet, just insert at beginning of list */
+	if (iph1->frag_chain == NULL) {
+		iph1->frag_chain = item;
+		return 0;
+	}
+
+	do {
+		/* duplicate fragment number, abort (CVE-2016-10396) */
+		if (citem->frag_num == item->frag_num)
+			return -1;
+
+		/* need to insert before current item */
+		if (citem->frag_num > item->frag_num) {
+			if (pitem != NULL)
+				pitem->frag_next = item;
+			else
+				/* insert at the beginning of the list  */
+				iph1->frag_chain = item;
+			item->frag_next = citem;
+			return 0;
+		}
+
+		pitem = citem;
+		citem = citem->frag_next;
+	} while (citem != NULL);
+
+	/* we reached the end of the list, insert */
+	pitem->frag_next = item;
+	return 0;
+}
+
 int 
 isakmp_frag_extract(iph1, msg)
 	struct ph1handle *iph1;
@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
 	item->frag_next = NULL;
 	item->frag_packet = buf;
 
-	/* Look for the last frag while inserting the new item in the chain */
-	if (item->frag_last)
-		last_frag = item->frag_num;
-
-	if (iph1->frag_chain == NULL) {
-		iph1->frag_chain = item;
-	} else {
-		struct isakmp_frag_item *current;
-
-		current = iph1->frag_chain;
-		while (current->frag_next) {
-			if (current->frag_last)
-				last_frag = item->frag_num;
-			current = current->frag_next;
+	/* Check for the last frag before inserting the new item in the chain */
+	if (item->frag_last) {
+		/* if we have the last fragment, indices must match */
+		if (iph1->frag_last_index != 0 &&
+		    item->frag_last != iph1->frag_last_index) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "Repeated last fragment index mismatch\n");
+			racoon_free(item);
+			vfree(buf);
+			return -1;
 		}
-		current->frag_next = item;
+
+		last_frag = iph1->frag_last_index = item->frag_num;
 	}
 
-	/* If we saw the last frag, check if the chain is complete */
+	/* insert fragment into chain */
+	if (isakmp_frag_insert(iph1, item) == -1) {
+		plog(LLV_ERROR, LOCATION, NULL,
+		    "Repeated fragment index mismatch\n");
+		racoon_free(item);
+		vfree(buf);
+		return -1;
+	}
+
+	/* If we saw the last frag, check if the chain is complete
+	 * we have a sorted list now, so just walk through */
 	if (last_frag != 0) {
+		item = iph1->frag_chain;
 		for (i = 1; i <= last_frag; i++) {
-			item = iph1->frag_chain;
-			do {
-				if (item->frag_num == i)
-					break;
-				item = item->frag_next;
-			} while (item != NULL);
-
+			if (item->frag_num != i)
+				break;
+			item = item->frag_next;
 			if (item == NULL) /* Not found */
 				break;
 		}
 
-		if (item != NULL) /* It is complete */
+		if (i > last_frag) /* It is complete */
 			return 1;
 	}
 		
@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
 	}
 	data = buf->v;
 
+	item = iph1->frag_chain;
 	for (i = 1; i <= frag_count; i++) {
-		item = iph1->frag_chain;
-		do {
-			if (item->frag_num == i)
-				break;
-			item = item->frag_next;
-		} while (item != NULL);
-
-		if (item == NULL) {
+		if (item->frag_num != i) {
 			plog(LLV_ERROR, LOCATION, NULL, 
 			    "Missing fragment #%d\n", i);
 			vfree(buf);
@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
 		}
 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
 		data += item->frag_packet->l;
+		item = item->frag_next;
 	}
 
 out:
diff --git a/ipsec-tools/src/racoon/isakmp_inf.c b/ipsec-tools/src/racoon/isakmp_inf.c
index 99daffb3..b81d460a 100644
--- a/ipsec-tools/src/racoon/isakmp_inf.c
+++ b/ipsec-tools/src/racoon/isakmp_inf.c
@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, local, type, data)
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
+	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 
diff --git a/ipsec-tools/src/racoon/isakmp_quick.c b/ipsec-tools/src/racoon/isakmp_quick.c
index fa957ebc..77d126dd 100644
--- a/ipsec-tools/src/racoon/isakmp_quick.c
+++ b/ipsec-tools/src/racoon/isakmp_quick.c
@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
 			     spidx.src.ss_family, spidx.dst.ss_family,
 			     _XIDT(iph2->id_p),idi2type);
 		}
+#ifdef ENABLE_NATT
+		if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
+			u_int16_t port;
+
+			port = extract_port(&spidx.src);
+			memcpy(&spidx.src, iph2->ph1->remote,
+			    sysdep_sa_len(iph2->ph1->remote));
+			set_port(&spidx.src, port);
+			switch (spidx.src.ss_family) {
+			case AF_INET:
+				spidx.prefs = sizeof(struct in_addr) << 3;
+				break;
+#ifdef INET6
+			case AF_INET6:
+				spidx.prefs = sizeof(struct in6_addr) << 3;
+				break;
+#endif
+			default:
+				spidx.prefs = 0;
+				break;
+			}
+			plog(LLV_DEBUG, LOCATION,
+				NULL, "use NAT address %s as src\n",
+				saddr2str((struct sockaddr *)&spidx.src));
+		}
+#endif
 	} else {
 		plog(LLV_DEBUG, LOCATION, NULL,
 		     "get a source address of SP index from Phase 1"
diff --git a/ipsec-tools/src/racoon/localconf.c b/ipsec-tools/src/racoon/localconf.c
index a512953b..f38ee285 100644
--- a/ipsec-tools/src/racoon/localconf.c
+++ b/ipsec-tools/src/racoon/localconf.c
@@ -207,7 +207,8 @@ getpsk(str, len)
 		if (*p == '\0')
 			continue;	/* no 2nd parameter */
 		p--;
-		if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+		if (strcmp(buf, "*") == 0
+		 || (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
 			p++;
 			keylen = 0;
 			for (q = p; *q != '\0' && *q != '\n'; q++)
diff --git a/ipsec-tools/src/racoon/nattraversal.c b/ipsec-tools/src/racoon/nattraversal.c
index b04cc1b5..c36d26f8 100644
--- a/ipsec-tools/src/racoon/nattraversal.c
+++ b/ipsec-tools/src/racoon/nattraversal.c
@@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle *iph1)
 {
   int ret = 0;
   
-  /* Should only the NATed host send keepalives?
-     If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
-     to the following condition. */
-  if (iph1->natt_flags & NAT_DETECTED &&
+  if (iph1->natt_flags & NAT_DETECTED_ME &&
       ! (iph1->natt_flags & NAT_KA_QUEUED)) {
     ret = natt_keepalive_add (iph1->local, iph1->remote);
     if (ret == 0)
diff --git a/ipsec-tools/src/racoon/pfkey.c b/ipsec-tools/src/racoon/pfkey.c
index d00b166d..68879992 100644
--- a/ipsec-tools/src/racoon/pfkey.c
+++ b/ipsec-tools/src/racoon/pfkey.c
@@ -1190,7 +1190,10 @@ pk_sendupdate(iph2)
 			sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
 			sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
 			sa_args.l_natt_dport = extract_port(iph2->ph1->local);
-			sa_args.l_natt_oa = iph2->natoa_src;
+			/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */
+				sa_args.l_natt_oai = iph2->natoa_dst;
+			/* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */
+				sa_args.l_natt_oar = iph2->natoa_src;
 #ifdef SADB_X_EXT_NAT_T_FRAG
 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
 #endif
@@ -1477,7 +1480,6 @@ pk_sendadd(iph2)
 			sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
 			sa_args.l_natt_sport = extract_port(iph2->ph1->local);
 			sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
-			sa_args.l_natt_oa = iph2->natoa_dst;
 #ifdef SADB_X_EXT_NAT_T_FRAG
 			sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
 #endif
-- 
2.13.7




More information about the devel mailing list