
ipsec-tools: remove

As discussed on GitHub[0] the package should be removed.

[0]: https://github.com/openwrt/packages/issues/7832

> The package is effectively orphaned upstream and has been for some
  time. Given the security-sensitive nature of the package, an active
  maintainer community is essential for safe usage. Racoon's lack of
  support for IKEv2, despite it being stable for a long time, and the
  availability of next-generation tunneling systems such as wireguard,
  also would seem to limit its future value. Setkey's functionality
  has been subsumed by 'ip xfrm'.

> If you disagree that ipsec-tools should be removed from OpenWRT,
  please say so now. If there are still use cases for it that are
  not met by other IKE implementations that would be good to
  know. But more importantly, I think you'll need to convince us
  that ipsec-tools is actually safe to operate on today's Internet
  given its current state of development.

Signed-off-by: Paul Spooren <mail@aparcar.org>
lilik-openwrt-22.03
Paul Spooren 5 years ago
parent
commit
96be603258
20 changed files with 0 additions and 2704 deletions
  1. +0
    -103
      net/ipsec-tools/Makefile
  2. +0
    -172
      net/ipsec-tools/files/functions.sh
  3. +0
    -41
      net/ipsec-tools/files/p1client-down
  4. +0
    -41
      net/ipsec-tools/files/p1client-up
  5. +0
    -113
      net/ipsec-tools/files/racoon
  6. +0
    -479
      net/ipsec-tools/files/racoon.init
  7. +0
    -19
      net/ipsec-tools/files/vpnctl
  8. +0
    -24
      net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
  9. +0
    -22
      net/ipsec-tools/patches/001-no_libfl.patch
  10. +0
    -72
      net/ipsec-tools/patches/002-patch8-utmp.patch
  11. +0
    -13
      net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
  12. +0
    -11
      net/ipsec-tools/patches/005-isakmp-fix.patch
  13. +0
    -50
      net/ipsec-tools/patches/006-linux-3.7-compat.patch
  14. +0
    -12
      net/ipsec-tools/patches/007-force_have_policy_fwd.patch
  15. +0
    -16
      net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch
  16. +0
    -187
      net/ipsec-tools/patches/009-musl-compat.patch
  17. +0
    -201
      net/ipsec-tools/patches/010-CVE-2016-10396.patch
  18. +0
    -11
      net/ipsec-tools/patches/012-fix-implicit-int.patch
  19. +0
    -1096
      net/ipsec-tools/patches/015-openssl-1.1.patch
  20. +0
    -21
      net/ipsec-tools/patches/020-openssl-deprecated.patch

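--- a/net/ipsec-tools/Makefile
+++ b/net/ipsec-tools/Makefile
@@ -1,103 +0,0 @@
-#
-# Copyright (C) 2006-2015 OpenWrt.org
-# 2014 Noah Meyerhans <frodo@morgul.net>
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-PKG_NAME:=ipsec-tools
-PKG_VERSION:=0.8.2
-PKG_RELEASE:=9
-PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
-Vitaly Protsko <villy@sft.ru>
-PKG_LICENSE := BSD-3-Clause
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=@SF/ipsec-tools
-PKG_HASH:=8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d
-PKG_BUILD_PARALLEL:=1
-PKG_INSTALL:=1
-PKG_FIXUP:=autoreconf
-include $(INCLUDE_DIR)/package.mk
-define Package/ipsec-tools
-SECTION:=net
-CATEGORY:=Network
-SUBMENU:=VPN
-DEPENDS:=+libopenssl +kmod-ipsec
-TITLE:=IPsec management tools
-URL:=http://ipsec-tools.sourceforge.net/
-MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
-endef
-CONFIGURE_ARGS += \
---enable-shared \
---enable-static \
---with-kernel-headers="$(LINUX_DIR)/include" \
---without-readline \
---with-openssl="$(STAGING_DIR)/usr" \
---without-libradius \
---without-libpam \
---enable-dpd \
---enable-hybrid \
---enable-security-context=no \
---enable-natt \
---enable-adminport \
---enable-frag \
-$(call autoconf_bool,CONFIG_IPV6,ipv6)
-# override CFLAGS holding "-Werror" that break builds on compile warnings
-MAKE_FLAGS+=\
-CFLAGS="$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)"
-define Build/Prepare
-$(call Build/Prepare/Default)
-chmod -R u+w $(PKG_BUILD_DIR)
-endef
-define Build/Configure
-(cd $(PKG_BUILD_DIR); touch \
-configure.ac \
-aclocal.m4 \
-Makefile.in \
-config.h.in \
-configure \
-);
-$(call Build/Configure/Default)
-ifndef CONFIG_SHADOW_PASSWORDS
-echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h
-endif
-endef
-define Package/ipsec-tools/install
-$(INSTALL_DIR) $(1)/etc/racoon
-$(INSTALL_CONF) ./files/functions.sh $(1)/etc/racoon/
-$(INSTALL_BIN) ./files/p1client-up $(1)/etc/racoon/
-$(INSTALL_BIN) ./files/p1client-down $(1)/etc/racoon/
-$(INSTALL_BIN) ./files/vpnctl $(1)/etc/racoon/
-$(INSTALL_DIR) $(1)/etc/init.d
-$(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon
-$(INSTALL_DIR) $(1)/etc/config
-$(INSTALL_CONF) ./files/racoon $(1)/etc/config/
-$(INSTALL_DIR) $(1)/usr/lib
-$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/
-$(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/
-$(INSTALL_DIR) $(1)/usr/sbin
-$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/
-$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/
-$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/
-$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/
-endef
-define Package/ipsec-tools/conffiles
-/etc/config/racoon
-endef
-$(eval $(call BuildPackage,ipsec-tools))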

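--- a/net/ipsec-tools/files/functions.sh
+++ b/net/ipsec-tools/files/functions.sh
@@ -1,172 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
-errno=0
-get_fieldval() {
-local __data="$3"
-local __rest
-test -z "$1" && return
-while true ; do
-__rest=${__data#* }
-test "$__rest" = "$__data" && break
-if [ "${__data/ *}" = "$2" ]; then
-eval "$1=${__rest/ *}"
-break
-fi
-__data="$__rest"
-done
-}
-manage_fw() {
-local cmd=/usr/sbin/iptables
-local mode
-local item
-if [ -z "$4" ]; then
-$log "Bad usage of manage_fw"
-errno=3; return 3
-fi
-case "$1" in
-add|up|1) mode=A ;;
-del|down|0) mode=D ;;
-*) return 3 ;;
-esac
-for item in $4 ; do
-$cmd -$mode forwarding_$2_rule -s $item -j ACCEPT
-$cmd -$mode output_$3_rule -d $item -j ACCEPT
-$cmd -$mode forwarding_$3_rule -d $item -j ACCEPT
-$cmd -t nat -$mode postrouting_$3_rule -d $item -j ACCEPT
-done
-}
-manage_sa() {
-local spdcmd
-local rtcmd
-local gate
-local litem
-local ritem
-if [ -z "$4" ]; then
-$log "Bad usage of manage_sa"
-errno=3; return 3
-fi
-case "$1" in
-add|up|1) spdcmd=add; rtcmd=add ;;
-del|down|0) spdcmd=delete; rtcmd=del ;;
-*) errno=3; return 3 ;;
-esac
-get_fieldval gate src "$(/usr/sbin/ip route get $4)"
-if [ -z "$gate" ]; then
-$log "Can not find outbound IP for $4"
-errno=3; return 3
-fi
-for litem in $2 ; do
-for ritem in $3 ; do
-echo "
-spd$spdcmd $litem $ritem any -P out ipsec esp/tunnel/$gate-$4/require;
-spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
-" | /usr/sbin/setkey -c 1>&2
-done
-done
-test -n "$5" && gate=$5
-for ritem in $3 ; do
-(sleep 3; /usr/sbin/ip route $rtcmd $ritem via $gate) &
-done
-}
-manage_nonesa() {
-local spdcmd
-local item
-local cout cin
-if [ -z "$4" ]; then
-$log "Bad usage of manage_nonesa"
-errno=3; return 3
-fi
-case "$1" in
-add|up|1) spdcmd=add ;;
-del|down|0) spdcmd=delete ;;
-*) errno=3; return 3 ;;
-esac
-case "$2" in
-local|remote) ;;
-*) errno=3; return 3 ;;
-esac
-for item in $3 ; do
-if [ "$2" = "local" ]; then
-cout="$4 $item"
-cin="$item $4"
-else
-cout="$item $4"
-cin="$4 $item"
-fi
-echo "
-spd$spdcmd $cout any -P out none;
-spd$spdcmd $cin any -P in none;
-" | /usr/sbin/setkey -c 1>&2
-done
-}
-. /lib/functions/network.sh
-get_zoneiflist() {
-local item
-local data
-local addr
-item=0
-data=$(uci get firewall.@zone[0].name)
-while [ -n "$data" ]; do
-test "$data" = "$1" && break
-let "item=$item+1"
-data=$(uci get firewall.@zone[$item].name)
-done
-if [ -z "$data" ]; then
-errno=1
-return $errno
-fi
-data=$(uci get firewall.@zone[$item].network)
-echo "$data"
-}
-get_zoneiplist() {
-local item
-local addr
-local data
-local result
-data=$(get_zoneiflist $1)
-test $? -gt 0 -o $errno -gt 0 -o -z "$data" && return $errno
-for item in $data ; do
-if network_is_up $item ; then
-network_get_ipaddrs addr $item
-test $? -eq 0 && result="$result $addr"
-fi
-done
-result=$(echo $result)
-echo "$result"
-}
-# EOF /etc/racoon/functions.sh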

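--- a/net/ipsec-tools/files/p1client-down
+++ b/net/ipsec-tools/files/p1client-down
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-log="logger -t p1client-down[$$]"
-. /lib/functions.sh
-. /etc/racoon/functions.sh
-if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
-$log "Connection without server-pushed routing is not supported"
-exit 1
-fi
-$log "Shutting down tunnel to server $REMOTE_ADDR"
-$log "Closing tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
-config_load racoon
-config_get confIntZone racoon int_zone lan
-config_get confExtZone racoon ext_zone wan
-manage_fw del $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
-data=$(get_zoneiflist $confIntZone)
-if [ -n "$data" ]; then
-for item in $data ; do
-network_get_subnet locnet $item
-if [ -n "$locnet" ]; then
-manage_sa del "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
-else
-$log "Can not find subnet on interface $item"
-fi
-done
-else
-$log "Can not find subnets in zone $confIntZone"
-fi
-get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
-ip address del $INTERNAL_ADDR4/32 dev $data
-# EOF /etc/racoon/p1client-down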

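--- a/net/ipsec-tools/files/p1client-up
+++ b/net/ipsec-tools/files/p1client-up
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-log="logger -t p1client-up[$$]"
-. /lib/functions.sh
-. /etc/racoon/functions.sh
-if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
-$log "Connection without server-pushed routing is not supported"
-exit 1
-fi
-$log "Setting up tunnel to server $REMOTE_ADDR"
-$log "Making tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
-get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
-ip address add $INTERNAL_ADDR4/32 dev $data
-config_load racoon
-config_get confIntZone racoon int_zone lan
-config_get confExtZone racoon ext_zone wan
-data=$(get_zoneiflist $confIntZone)
-if [ -n "$data" ]; then
-for item in $data ; do
-network_get_subnet locnet $item
-if [ -n "$locnet" ]; then
-manage_sa add "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
-else
-$log "Can not find subnet on interface $item"
-fi
-done
-else
-$log "Can not find interfaces in zone $confIntZone"
-fi
-manage_fw add $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
-# EOF /etc/racoon/p1client-up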

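--- a/net/ipsec-tools/files/racoon
+++ b/net/ipsec-tools/files/racoon
@@ -1,113 +0,0 @@
-#/etc/config/racoon
-#
-# Copyright 2015 Vitaly Protsko <villy@sft.ru>
-# * WARNING: this is "not working" example
-# * Defaults are commented out
-# * Resuting config will appear in /var/racoon/
-config racoon
-# option debug 0
-# option ext_zone 'wan'
-# option int_zone 'lan'
-# option port 500
-# option natt_port 4500
-# following 4 or 6, no default
-# option ipversion 4
-config p1_proposal 'example_prop1'
-# option lifetime 28800
-option enc_alg 'aes'
-option hash_alg 'sha1'
-option auth_method 'rsasig'
-option dh_group 2
-config p1_proposal 'example_anon'
-# option lifetime 28800
-option enc_alg 'aes'
-option hash_alg 'sha1'
-option auth_method 'xauth_rsa_server'
-option dh_group 2
-config p1_proposal 'example_xauth'
-# option lifetime 28800
-option enc_alg 'aes'
-option hash_alg 'sha1'
-option auth_method 'xauth_rsa_client'
-option dh_group 2
-config p2_proposal 'example_prop2'
-option pfs_group 2
-option enc_alg 'aes'
-option auth_alg 'hmac_sha1'
-config p2_proposal 'example_in2'
-option pfs_group 2
-# option lifetime 14400
-option enc_alg 'aes'
-option auth_alg 'hmac_sha1'
-config sainfo 'office'
-option p2_proposal 'example_prop2'
-option local_net '192.168.8.0/24'
-option remote_net '192.168.1.0/24'
-# you can exclude some local or remote
-# addresses from SA rules
-list local_exclude '192.168.8.0/30'
-list remote_exclude '192.168.1.128/29'
-config sainfo 'welcome'
-option p2_proposal 'example_in2'
-option local_net '192.168.8.0/24'
-option remote_net '192.168.10.0/24'
-option dns4 '192.168.8.1'
-option defdomain 'myhome.local'
-config sainfo 'client'
-option p2_proposal 'std_p2'
-config tunnel 'Office'
-option enabled 1
-# initial_contact
-# option init 1
-option remote 'vpn.example.tld'
-option exchange_mode 'main'
-option certificate 'example_cert'
-# option peer_id_type 'asn1dn'
-# option prop_check 'obey'
-# option verify_id 1
-# option weak_p1check 1
-# option dpd_delay ''
-list p1_proposal 'example_prop1'
-list sainfo 'office'
-# WARNING: Only ONE tunnel with remote anonymous
-# can be configured and it can have only
-# ONE sainfo. Otherwise resulting racoon
-# configuration will be unusable
-config tunnel 'Incoming'
-option enabled 1
-option remote 'anonymous'
-option pre_shared_key 'testitnow'
-option exchange_mode 'aggressive,main'
-option my_id_type 'fqdn'
-option my_id 'myserver.homeip.net'
-list p1_proposal 'example_anon'
-list sainfo 'welcome'
-config tunnel 'Client'
-option enabled 1
-option remote 'vpn.example.tld'
-option username 'testuser'
-option password 'testW0rD'
-# option mode_cfg 1
-list p1_proposal 'example_xauth'
-list sainfo 'client'
-# Insert corresponding data in PEM format as one line
-config 'certificate' 'example_cert'
-option 'key' '-----BEGIN PRIVATE KEY----- ~ -----END PRIVATE KEY-----'
-option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'
-config 'certificate' 'example_ca_cert'
-option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'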

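--- a/net/ipsec-tools/files/racoon.init
+++ b/net/ipsec-tools/files/racoon.init
@@ -1,479 +0,0 @@
-#!/bin/sh /etc/rc.common
-#
-# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
-#set -vx
-USE_PROCD=1
-START=60
-STOP=40
-let connWait=2/2
-confDir=/var/racoon
-confExtZone=
-confIntZone=
-confPort=
-confNATPort=
-confIPMode=
-confPh1ID=0
-log="logger -t init.d/racoon[$$] "
-. /etc/racoon/functions.sh
-setup_load() {
-config_get confExtZone "$1" ext_zone wan
-config_get confIntZone "$1" int_zone lan
-config_get confPort "$1" port 500
-config_get confNATPort "$1" natt_port 4500
-config_get confIPMode "$1" ipversion ""
-case X$confIPMode in
-X4|X6) ;;
-*) unset confIPMode ;;
-esac
-}
-write_header() {
-echo "
-# autogenerated, don't edit, look at /etc/config/racoon
-#
-path certificate \"$confDir/cert\";
-path script \"/etc/racoon\";
-path pre_shared_key \"$confDir/psk.txt\";
-path pidfile \"$confDir/racoon.pid\";
-padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; }
-timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; }
-"
-}
-setup_conf() {
-local conf=$confDir/racoon.conf
-local peerconf=$confDir/peers.txt
-local pskconf=$confDir/psk.txt
-local item
-local data
-data="$(get_zoneiplist $confExtZone)"
-if [ "X$data" = X ]; then
-$log "No IP addresses found for zone $confExtZone, exitng"
-errno=2; return 2
-fi
-write_header > $conf
-echo -n > $peerconf
-echo -n > $pskconf
-chmod 0600 $conf $peerconf $pskconf
-echo "listen {" >> $conf
-for item in $data ; do
-echo " isakmp $item [$confPort]; isakmp_natt $item [$confNATPort];" >> $conf
-done
-echo "}" >> $conf
-config_get_bool item "$1" debug 0
-data=warning
-test $item -ne 0 && data=debug
-echo "log $data;" >> $conf
-setup_fw add
-}
-setup_p1() {
-local conf=$confDir/racoon.conf
-local data
-echo " proposal {" >> $conf
-config_get data "$1" lifetime 28800
-echo " lifetime time $data sec;" >> $conf
-config_get data "$1" enc_alg
-test -n "$data" && echo " encryption_algorithm $data;" >> $conf
-config_get data "$1" hash_alg
-test -n "$data" && echo " hash_algorithm $data;" >> $conf
-config_get data "$1" auth_method
-test -n "$data" && echo " authentication_method $data;" >> $conf
-config_get data "$1" dh_group 2
-echo -e " dh_group $data;\n }" >> $conf
-}
-setup_fw() {
-local cmd=/usr/sbin/iptables
-local mode
-case "$1" in
-add|up|1) mode=A ;;
-del|down|0) mode=D ;;
-*) return 3 ;;
-esac
-$cmd -$mode input_${confExtZone}_rule -p AH -j ACCEPT
-$cmd -$mode input_${confExtZone}_rule -p ESP -j ACCEPT
-$cmd -$mode input_${confExtZone}_rule -p UDP --dport $confPort -j ACCEPT
-$cmd -$mode input_${confExtZone}_rule -p UDP --dport $confNATPort -j ACCEPT
-}
-setup_sa() {
-local conf=$confDir/racoon.conf
-local remote="${2/ *}"
-local client="${2#* }"
-local locnet
-local remnet
-local p2
-local data
-test "$2" = "$client" && unset client
-if [ -z "$client" ]; then
-config_get locnet "$1" local_net
-config_get remnet "$1" remote_net
-if [ -z "$locnet" ] || [ -z "$remnet" ]; then
-$log "Remote and local networks for $1 must be configured ($2)"
-errno=4; return 4
-fi
-if [ "$remote" = "anonymous" ]; then
-echo "sainfo anonymous {" >> $conf
-else
-echo "sainfo address $locnet any address $remnet any {" >> $conf
-fi
-else
-echo "sainfo anonymous {" >> $conf
-fi
-config_get p2 "$1" p2_proposal
-if [ -z "$p2" ]; then
-$log "Phase2 proposal must be configured in $1 sainfo"
-errno=5; return 5
-fi
-echo " remoteid $confPh1ID;" >> $conf
-config_get data "$p2" pfs_group
-test -n "$data" && echo " pfs_group $data;" >> $conf
-config_get data "$p2" lifetime 14400
-test -n "$data" && echo " lifetime time $data sec;" >> $conf
-config_get data "$p2" enc_alg
-test -n "$data" && echo " encryption_algorithm $data;" >> $conf
-config_get data "$p2" auth_alg
-test -n "$data" && echo " authentication_algorithm $data;" >> $conf
-echo -e " compression_algorithm deflate;\n}" >> $conf
-if [ "$remote" = "anonymous" ]; then
-echo -e "mode_cfg {\n auth_source system;\n conf_source local;" >> $conf
-config_get data "$1" dns4
-test -n "$data" && echo " dns4 $data;" >> $conf
-config_get data "$1" defdomain
-test -n "$data" && echo " default_domain \"$data\";" >> $conf
-data=${remnet%/*}
-let "data=${data##*.}+1"
-echo " network4 ${remnet%.*}.$data;" >> $conf
-let "data=255<<(24-${remnet#*/}+8)&255"
-echo " netmask4 255.255.255.$data;" >> $conf
-echo -e " split_network include $locnet;\n}" >> $conf
-elif [ -z "$client" ]; then
-config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
-config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
-manage_sa add "$locnet" "$remnet" $remote
-test $? -gt 0 -o $errno -gt 0 && return $errno
-manage_fw add $confIntZone $confExtZone "$remnet"
-fi
-}
-setup_tunnel() {
-local conf=$confDir/racoon.conf
-local peerconf=$confDir/peers.txt
-local data
-local remote
-local xauth
-config_get_bool data "$1" enabled 0
-test "$data" = "0" && return 0
-config_get remote "$1" remote
-if [ "$remote" = "anonymous" ]; then
-echo -e "remote anonymous {\n generate_policy on;" >> $conf
-else
-data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
-test -n "$data" && remote="$data"
-echo -e "remote \"$1\" {\n remote_address $remote;" >> $conf
-echo "$data" >> $peerconf
-fi
-config_get data "$1" pre_shared_key ""
-if [ -n "$data" ]; then
-if [ "$remote" != "anonymous" ]; then
-echo "$remote $data" >> $confDir/psk.txt
-else
-echo "* $data" >> $confDir/psk.txt
-fi
-fi
-let confPh1ID=$confPh1ID+1
-echo " ph1id $confPh1ID;" >> $conf
-config_get xauth "$1" username ""
-config_get data "$1" certificate ""
-if [ -n "$data" ]; then
-echo -en " verify_cert on;\n my_identifier asn1dn;\n certificate_type x509 " >> $conf
-echo -en "\"$data.crt\" \"$data.key\";\n send_cr off;\n peers_identifier " >> $conf
-else
-config_get data "$1" my_id_type ""
-if [ -n "$data" ]; then
-echo -n " my_identifier $data" >> $conf
-config_get data "$1" my_id ""
-if [ -n "$data" ]; then
-echo " \"$data\";" >> $conf
-elif [ -n "$xauth" ]; then
-echo " \"$xauth\";" >> $conf
-else
-echo ";" >> $conf
-fi
-elif [ -n "$xauth" ]; then
-echo " my_identifier user_fqdn \"$xauth\";" >> $conf
-fi
-echo -n " peers_identifier " >> $conf
-fi
-if [ "$remote" = "anonymous" ]; then
-echo "user_fqdn;" >> $conf
-else
-config_get data "$1" peer_id_type "asn1dn"
-echo -n "$data" >> $conf
-config_get data "$1" peer_id ""
-test -n "$data" && echo -n " \"$data\"" >> $conf
-echo ";" >> $conf
-fi
-if [ -n "$xauth" ]; then
-config_get data "$1" password
-if [ -z "$data" ]; then
-$log "Password must be given in $1 tunnel"
-errno=7; return 7
-fi
-echo "$xauth $data" >> $confDir/psk.txt
-echo " xauth_login \"$xauth\";" >> $conf
-echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf
-fi
-config_get data "$1" exchange_mode
-if [ -z "$data" ]; then
-data=main
-test -n "$xauth" && data="${data},aggressive"
-fi
-echo -e " exchange_mode $data;\n nat_traversal on;\n support_proxy on;" >> $conf
-config_get data "$1" prop_check "obey"
-test -n "$data" && echo " proposal_check $data;" >> $conf
-config_get_bool data "$1" weak_p1check 1
-if [ $data -eq 0 ]; then data=off; else data=on; fi
-echo " weak_phase1_check $data;" >> $conf
-config_get_bool data "$1" verify_id 1
-if [ $data -eq 0 ]; then data=off; else data=on; fi
-echo " verify_identifier $data;" >> $conf
-config_get data "$1" dpd_delay ""
-test -n "$data" && echo " dpd_delay $data;" >> $conf
-unset data
-test -n "$xauth" && data="on"
-config_get data "$1" mode_cfg "$data"
-test -n "$data" && echo " mode_cfg $data;" >> $conf
-config_get_bool data "$1" init 0
-if [ $data -eq 0 ]; then data=off; else data=on; fi
-echo " initial_contact $data;" >> $conf
-config_list_foreach "$1" p1_proposal setup_p1
-echo "}" >> $conf
-config_list_foreach "$1" sainfo setup_sa "$remote $xauth"
-}
-setup_cert() {
-local item
-local data
-for item in key crt ; do
-config_get data "$1" $item ""
-test -z "$data" && continue
-echo "$data" |\
-sed 's/-\+[A-Z ]\+-\+/\n&\n/g' | sed 's/.\{50,50\}/&\n/g' | sed '/^$/d'\
-> $confDir/cert/$1.$item
-chmod 600 $confDir/cert/$1.$item
-done
-if [ -s $confDir/cert/$1.crt ]; then
-data=$(openssl x509 -noout -hash -in $confDir/cert/$1.crt)
-ln -sf $confDir/cert/$1.crt $confDir/cert/$data.0
-fi
-}
-destroy_sa() {
-local locnet
-local remnet
-config_get locnet "$1" local_net
-config_get remnet "$1" remote_net
-if [ -z "$locnet" ] || [ -z "$remnet" ]; then
-$log "Remote and local networks for $1 must be configured"
-errno=4; return 4
-fi
-config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
-config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
-manage_sa del "$locnet" "$remnet" $2
-manage_fw del $confIntZone $confExtZone "$remnet"
-}
-destroy_tunnel() {
-local data
-config_get_bool data "$1" enabled 0
-test "$data" = "0" && return 0
-config_get remote "$1" remote
-data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
-test -n "$data" && remote="$data"
-config_get data "$1" username ""
-if [ -z "$data" ]; then
-config_list_foreach "$1" sainfo destroy_sa $remote
-fi
-}
-destroy_conf() {
-setup_fw del
-}
-check_software() {
-local item
-for item in /usr/sbin/setkey /usr/bin/openssl /usr/sbin/ip ; do
-if [ ! -x $item ]; then
-$log "Needed program $item not found, exiting"
-errno=9; return 9
-fi
-done
-}
-cleanup_conf() {
-config_load racoon
-config_foreach setup_load racoon
-config_foreach destroy_conf racoon
-config_foreach destroy_tunnel tunnel
-/usr/sbin/setkey -P -F
-/usr/sbin/setkey -F
-}
-check_dir() {
-local item
-for item in $confDir $confDir/cert ; do
-if [ ! -d $item ]; then
-mkdir -m 0700 -p $item
-fi
-done
-}
-wait4wanzone() {
-local item=$connWait
-local data
-data="$(get_zoneiplist $confExtZone)"
-while [ $item -gt 0 ]; do
-test -n "$data" && break
-sleep 2
-let "item=$item-1"
-data="$(get_zoneiplist $confExtZone)"
-done
-test -z "$data" && return 10
-}
-start_service() {
-check_software
-test $? -gt 0 -o $errno -gt 0 && exit $errno
-check_dir
-config_load racoon
-config_foreach setup_load racoon
-config_foreach wait4wanzone racoon
-if [ $? -gt 0 ] || [ $errno -gt 0 ]; then
-$log "No active interfaces in $confExtZone zone found, exiting"
-exit $errno
-fi
-config_foreach setup_conf racoon
-test $? -gt 0 -o $errno -gt 0 && exit $errno
-config_foreach setup_tunnel tunnel
-test $? -gt 0 -o $errno -gt 0 && exit $errno
-config_foreach setup_cert certificate
-procd_open_instance
-procd_set_param command /usr/sbin/racoon
-test -n "$confIPMode" && procd_append_param command -$confIPMode
-procd_append_param command -F -f $confDir/racoon.conf
-procd_set_param file $confDir/racoon.conf
-procd_close_instance
-if [ -x /etc/racoon/vpnctl ]; then
-let connWait=$connWait*2+2
-( sleep $connWait; /etc/racoon/vpnctl up ) &
-fi
-}
-service_triggers() {
-local item
-local data
-procd_add_reload_trigger "racoon" "network"
-config_load racoon
-config_foreach setup_load racoon
-data=$(get_zoneiflist $confExtZone)
-if [ $? -gt 0 ] || [ $errno -gt 0 ] || [ -z "$data" ]; then
-$log "Can not find interfaces for $confExtZone zone"
-else
-for item in $data ; do
-procd_add_reload_interface_trigger $item
-done
-fi
-}
-stop_service() {
-cleanup_conf
-procd_kill racoon
-}
-trap "cleanup_conf" 1 2 3 4 5 6 7 8 9 10
-# EOF /etc/init.d/racoon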

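--- a/net/ipsec-tools/files/vpnctl
+++ b/net/ipsec-tools/files/vpnctl
@@ -1,19 +0,0 @@
-#!/bin/sh
-#
-case X$1 in
-Xup|X1|Xstart) connMode=vpn-connect ;;
-Xdown|X0|Xstop) connMode=vpn-disconnect ;;
-*)
-echo "Usage: $0: up|1|start || down|0|stop"
-exit 1 ;;
-esac
-if [ -s /var/racoon/peers.txt ]; then
-(while read ipa ; do
-racoonctl $connMode $ipa
-done) < /var/racoon/peers.txt
-fi
-# EOF /usr/bin/vpnctl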

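--- a/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
+++ b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
@@ -1,24 +0,0 @@
---- a/src/racoon/oakley.c
-+++ b/src/racoon/oakley.c
-@@ -2424,8 +2424,21 @@ oakley_skeyid(iph1)
-plog(LLV_ERROR, LOCATION, iph1->remote,
-"couldn't find the pskey for %s.\n",
-saddrwop2str(iph1->remote));
-+ }
-+ }
-+ if (iph1->authstr == NULL) {
-+ /*
-+ * If we could not locate a psk above try and locate
-+ * the default psk, ie, "*".
-+ */
-+ iph1->authstr = privsep_getpsk("*", 1);
-+ if (iph1->authstr == NULL) {
-+ plog(LLV_ERROR, LOCATION, iph1->remote,
-+ "couldn't find the the default pskey either.\n");
-goto end;
-}
-+ plog(LLV_NOTIFY, LOCATION, iph1->remote,
-+ "Using default PSK.\n");
-}
-plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
-/* should be secret PSK */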

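--- a/net/ipsec-tools/patches/001-no_libfl.patch
+++ b/net/ipsec-tools/patches/001-no_libfl.patch
@@ -1,22 +0,0 @@
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -104,6 +104,8 @@ static struct include_stack {
-static int incstackp = 0;
-static int yy_first_time = 1;
-+
-+int yywrap(void) { return 1; }
-%}
-/* common seciton */
---- a/src/setkey/token.l
-+++ b/src/setkey/token.l
-@@ -86,6 +86,8 @@
-#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
-#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
-#endif
-+
-+int yywrap(void) { return 1; }
-%}
-/* common section */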

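--- a/net/ipsec-tools/patches/002-patch8-utmp.patch
+++ b/net/ipsec-tools/patches/002-patch8-utmp.patch
@@ -1,72 +0,0 @@
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -38,7 +38,7 @@
-#include <sys/socket.h>
-#include <sys/queue.h>
--#include <utmpx.h>
-+#include <utmp.h>
-#if defined(__APPLE__) && defined(__MACH__)
-#include <util.h>
-#endif
-@@ -1664,7 +1664,8 @@ isakmp_cfg_accounting_system(port, raddr
-int inout;
-{
-int error = 0;
-- struct utmpx ut;
-+ struct utmp ut;
-+ char term[UT_LINESIZE];
-char addr[NI_MAXHOST];
-if (usr == NULL || usr[0]=='\0') {
-@@ -1673,34 +1674,37 @@ isakmp_cfg_accounting_system(port, raddr
-return -1;
-}
-- memset(&ut, 0, sizeof ut);
-- gettimeofday((struct timeval *)&ut.ut_tv, NULL);
-- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
-+ sprintf(term, TERMSPEC, port);
-switch (inout) {
-case ISAKMP_CFG_LOGIN:
-- ut.ut_type = USER_PROCESS;
-- strncpy(ut.ut_user, usr, sizeof ut.ut_user);
-+ strncpy(ut.ut_name, usr, UT_NAMESIZE);
-+ ut.ut_name[UT_NAMESIZE - 1] = '\0';
-+
-+ strncpy(ut.ut_line, term, UT_LINESIZE);
-+ ut.ut_line[UT_LINESIZE - 1] = '\0';
-GETNAMEINFO_NULL(raddr, addr);
-- strncpy(ut.ut_host, addr, sizeof ut.ut_host);
-+ strncpy(ut.ut_host, addr, UT_HOSTSIZE);
-+ ut.ut_host[UT_HOSTSIZE - 1] = '\0';
-+
-+ ut.ut_time = time(NULL);
-plog(LLV_INFO, LOCATION, NULL,
-"Accounting : '%s' logging on '%s' from %s.\n",
-- ut.ut_user, ut.ut_id, addr);
--
-- pututxline(&ut);
-+ ut.ut_name, ut.ut_line, ut.ut_host);
-+ login(&ut);
-+
-break;
-case ISAKMP_CFG_LOGOUT:
-- ut.ut_type = DEAD_PROCESS;
-plog(LLV_INFO, LOCATION, NULL,
-"Accounting : '%s' unlogging from '%s'.\n",
-- usr, ut.ut_id);
--
-- pututxline(&ut);
-+ usr, term);
-+ logout(term);
-+
-break;
-default:
-plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");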

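--- a/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
+++ b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
@@ -1,13 +0,0 @@
---- a/src/racoon/ipsec_doi.c
-+++ b/src/racoon/ipsec_doi.c
-@@ -3581,8 +3581,8 @@ ipsecdoi_checkid1(iph1)
-iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
-if (id_b->type != IPSECDOI_ID_IPV4_ADDR
-&& id_b->type != IPSECDOI_ID_IPV6_ADDR) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "Expecting IP address type in main mode, "
-+ plog(LLV_WARNING, LOCATION, NULL,
-+ "Expecting IP address type in main mode (RFC2409) , "
-"but %s.\n", s_ipsecdoi_ident(id_b->type));
-return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-}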

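--- a/net/ipsec-tools/patches/005-isakmp-fix.patch
+++ b/net/ipsec-tools/patches/005-isakmp-fix.patch
@@ -1,11 +0,0 @@
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -31,6 +31,8 @@
-* SUCH DAMAGE.
-*/
-+#define __packed __attribute__((__packed__))
-+
-#include "config.h"
-#include <sys/types.h>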

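--- a/net/ipsec-tools/patches/006-linux-3.7-compat.patch
+++ b/net/ipsec-tools/patches/006-linux-3.7-compat.patch
@@ -1,50 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -74,9 +74,10 @@ case "$host_os" in
-[ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
-AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
-- [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-- KERNEL_INCLUDE=/usr/src/linux/include ,
-- [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
-+ [ AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, ,
-+ [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-+ KERNEL_INCLUDE=/usr/src/linux/include ,
-+ [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ] )
-AC_SUBST(KERNEL_INCLUDE)
-# We need the configure script to run with correct kernel headers.
-# However we don't want to point to kernel source tree in compile time,
-@@ -643,7 +644,14 @@ AC_EGREP_CPP(yes,
-#ifdef SADB_X_EXT_NAT_T_TYPE
-yes
-#endif
--], [kernel_natt="yes"])
-+], [kernel_natt="yes"], [
-+ AC_EGREP_CPP(yes,
-+ [#include <uapi/linux/pfkeyv2.h>
-+ #ifdef SADB_X_EXT_NAT_T_TYPE
-+ yes
-+ #endif
-+ ], [kernel_natt="yes"])
-+])
-;;
-freebsd*|netbsd*)
-# NetBSD case
---- a/src/include-glibc/Makefile.am
-+++ b/src/include-glibc/Makefile.am
-@@ -1,14 +1,7 @@
--
--.includes: ${top_builddir}/config.status
-- ln -snf $(KERNEL_INCLUDE)/linux
-- touch .includes
--
--all: .includes
--
-EXTRA_DIST = \
-glibc-bugs.h \
-net/pfkeyv2.h \
-netinet/ipsec.h \
-sys/queue.h
--DISTCLEANFILES = .includes linux
-+DISTCLEANFILES = linux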

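--- a/net/ipsec-tools/patches/007-force_have_policy_fwd.patch
+++ b/net/ipsec-tools/patches/007-force_have_policy_fwd.patch
@@ -1,12 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -732,7 +732,8 @@ case $host in
-],
-[AC_MSG_RESULT(yes)
-AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
-- [AC_MSG_RESULT(no)])
-+ [AC_MSG_RESULT(forced)
-+ AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])])
-;;
-*)
-AC_MSG_RESULT(no)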

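--- a/net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch
+++ b/net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch
@@ -1,16 +0,0 @@
-Fix null dereference in racoon/gssapi.c (CVE-2015-4047)
---- a/src/racoon/gssapi.c
-+++ b/src/racoon/gssapi.c
-@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
-gss_name_t princ, canon_princ;
-OM_uint32 maj_stat, min_stat;
-+ if (iph1->rmconf == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+ return -1;
-+ }
-+
-gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
-if (gps == NULL) {
-plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");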

+ 0
- 187
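--- a/net/ipsec-tools/patches/009-musl-compat.patch
+++ /dev/null
@@ -1,187 +0,0 @@
---- a/src/racoon/grabmyaddr.c
-+++ b/src/racoon/grabmyaddr.c
-@@ -47,7 +47,6 @@
-#include <net/route.h>
-#include <net/if.h>
-#include <net/if_dl.h>
--#include <sys/sysctl.h>
-#define USE_ROUTE
-#endif
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -59,7 +59,6 @@
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
--#include <sys/sysctl.h>
-#include <net/route.h>
-#include <net/pfkeyv2.h>
---- a/src/setkey/setkey.c
-+++ b/src/setkey/setkey.c
-@@ -40,7 +40,6 @@
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <sys/stat.h>
--#include <sys/sysctl.h>
-#include <err.h>
-#include <netinet/in.h>
-#include <net/pfkeyv2.h>
---- a/src/libipsec/ipsec_strerror.h
-+++ b/src/libipsec/ipsec_strerror.h
-@@ -34,6 +34,8 @@
-#ifndef _IPSEC_STRERROR_H
-#define _IPSEC_STRERROR_H
-+#include <sys/cdefs.h>
-+
-extern int __ipsec_errcode;
-extern void __ipsec_set_strerror __P((const char *));
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -34,6 +34,8 @@
-#ifndef _LIBPFKEY_H
-#define _LIBPFKEY_H
-+#include <sys/cdefs.h>
-+
-#ifndef KAME_LIBPFKEY_H
-#define KAME_LIBPFKEY_H
---- a/src/racoon/backupsa.c
-+++ b/src/racoon/backupsa.c
-@@ -276,9 +276,9 @@ do { \
-GETNEXTNUM(sa_args.a_keylen, strtoul);
-GETNEXTNUM(sa_args.flags, strtoul);
-GETNEXTNUM(sa_args.l_alloc, strtoul);
-- GETNEXTNUM(sa_args.l_bytes, strtouq);
-- GETNEXTNUM(sa_args.l_addtime, strtouq);
-- GETNEXTNUM(sa_args.l_usetime, strtouq);
-+ GETNEXTNUM(sa_args.l_bytes, strtoull);
-+ GETNEXTNUM(sa_args.l_addtime, strtoull);
-+ GETNEXTNUM(sa_args.l_usetime, strtoull);
-GETNEXTNUM(sa_args.seq, strtoul);
-#undef GETNEXTNUM
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -77,6 +77,10 @@
-#include "cfparse.h"
-+#ifndef GLOB_TILDE
-+#define GLOB_TILDE 0
-+#endif
-+
-int yyerrorcount = 0;
-#if defined(YIPS_DEBUG)
---- a/src/racoon/logger.h
-+++ b/src/racoon/logger.h
-@@ -34,6 +34,8 @@
-#ifndef _LOGGER_H
-#define _LOGGER_H
-+#include <sys/cdefs.h>
-+
-struct log {
-int head;
-int siz;
---- a/src/racoon/misc.h
-+++ b/src/racoon/misc.h
-@@ -34,6 +34,8 @@
-#ifndef _MISC_H
-#define _MISC_H
-+#include <sys/cdefs.h>
-+
-#define BIT2STR(b) bit2str(b, sizeof(b)<<3)
-#ifdef HAVE_FUNC_MACRO
---- a/src/racoon/missing/crypto/sha2/sha2.h
-+++ b/src/racoon/missing/crypto/sha2/sha2.h
-@@ -40,6 +40,8 @@
-#ifndef __SHA2_H__
-#define __SHA2_H__
-+#include <sys/cdefs.h>
-+
-#ifdef __cplusplus
-extern "C" {
-#endif
---- a/src/racoon/netdb_dnssec.h
-+++ b/src/racoon/netdb_dnssec.h
-@@ -34,6 +34,8 @@
-#ifndef _NETDB_DNSSEC_H
-#define _NETDB_DNSSEC_H
-+#include <sys/cdefs.h>
-+
-#ifndef T_CERT
-#define T_CERT 37 /* defined by RFC2538 section 2 */
-#endif
---- a/src/racoon/plog.h
-+++ b/src/racoon/plog.h
-@@ -34,6 +34,8 @@
-#ifndef _PLOG_H
-#define _PLOG_H
-+#include <sys/cdefs.h>
-+
-#ifdef HAVE_STDARG_H
-#include <stdarg.h>
-#else
---- a/src/racoon/str2val.h
-+++ b/src/racoon/str2val.h
-@@ -34,6 +34,8 @@
-#ifndef _STR2VAL_H
-#define _STR2VAL_H
-+#include <sys/cdefs.h>
-+
-extern caddr_t val2str __P((const char *, size_t));
-extern char *str2val __P((const char *, int, size_t *));
---- a/src/racoon/vmbuf.h
-+++ b/src/racoon/vmbuf.h
-@@ -34,6 +34,8 @@
-#ifndef _VMBUF_H
-#define _VMBUF_H
-+#include <sys/cdefs.h>
-+
-/*
-* bp v
-* v v
---- a/src/setkey/extern.h
-+++ b/src/setkey/extern.h
-@@ -1,6 +1,6 @@
-/* $NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $ */
--
-+#include <sys/cdefs.h>
-void parse_init __P((void));
-int parse __P((FILE **));
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -1694,8 +1694,6 @@ isakmp_cfg_accounting_system(port, raddr
-"Accounting : '%s' logging on '%s' from %s.\n",
-ut.ut_name, ut.ut_line, ut.ut_host);
-- login(&ut);
--
-break;
-case ISAKMP_CFG_LOGOUT:
-@@ -1703,8 +1701,6 @@ isakmp_cfg_accounting_system(port, raddr
-"Accounting : '%s' unlogging from '%s'.\n",
-usr, term);
-- logout(term);
--
-break;
-default:
-plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");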

+ 0
- 201
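--- a/net/ipsec-tools/patches/010-CVE-2016-10396.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
-Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
-Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-@@ -1,4 +1,4 @@
--/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
-+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */
-/* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
-return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
-}
-+static int
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
-+{
-+ struct isakmp_frag_item *pitem = NULL;
-+ struct isakmp_frag_item *citem = iph1->frag_chain;
-+
-+ /* no frag yet, just insert at beginning of list */
-+ if (iph1->frag_chain == NULL) {
-+ iph1->frag_chain = item;
-+ return 0;
-+ }
-+
-+ do {
-+ /* duplicate fragment number, abort (CVE-2016-10396) */
-+ if (citem->frag_num == item->frag_num)
-+ return -1;
-+
-+ /* need to insert before current item */
-+ if (citem->frag_num > item->frag_num) {
-+ if (pitem != NULL)
-+ pitem->frag_next = item;
-+ else
-+ /* insert at the beginning of the list */
-+ iph1->frag_chain = item;
-+ item->frag_next = citem;
-+ return 0;
-+ }
-+
-+ pitem = citem;
-+ citem = citem->frag_next;
-+ } while (citem != NULL);
-+
-+ /* we reached the end of the list, insert */
-+ pitem->frag_next = item;
-+ return 0;
-+}
-+
-int
-isakmp_frag_extract(iph1, msg)
-struct ph1handle *iph1;
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
-item->frag_next = NULL;
-item->frag_packet = buf;
-- /* Look for the last frag while inserting the new item in the chain */
-- if (item->frag_last)
-- last_frag = item->frag_num;
-+ /* Check for the last frag before inserting the new item in the chain */
-+ if (item->frag_last) {
-+ /* if we have the last fragment, indices must match */
-+ if (iph1->frag_last_index != 0 &&
-+ item->frag_last != iph1->frag_last_index) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "Repeated last fragment index mismatch\n");
-+ racoon_free(item);
-+ vfree(buf);
-+ return -1;
-+ }
-- if (iph1->frag_chain == NULL) {
-- iph1->frag_chain = item;
-- } else {
-- struct isakmp_frag_item *current;
-+ last_frag = iph1->frag_last_index = item->frag_num;
-+ }
-- current = iph1->frag_chain;
-- while (current->frag_next) {
-- if (current->frag_last)
-- last_frag = item->frag_num;
-- current = current->frag_next;
-- }
-- current->frag_next = item;
-+ /* insert fragment into chain */
-+ if (isakmp_frag_insert(iph1, item) == -1) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "Repeated fragment index mismatch\n");
-+ racoon_free(item);
-+ vfree(buf);
-+ return -1;
-}
-- /* If we saw the last frag, check if the chain is complete */
-+ /* If we saw the last frag, check if the chain is complete
-+ * we have a sorted list now, so just walk through */
-if (last_frag != 0) {
-+ item = iph1->frag_chain;
-for (i = 1; i <= last_frag; i++) {
-- item = iph1->frag_chain;
-- do {
-- if (item->frag_num == i)
-- break;
-- item = item->frag_next;
-- } while (item != NULL);
--
-+ if (item->frag_num != i)
-+ break;
-+ item = item->frag_next;
-if (item == NULL) /* Not found */
-break;
-}
-- if (item != NULL) /* It is complete */
-+ if (i > last_frag) /* It is complete */
-return 1;
-}
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
-}
-data = buf->v;
-+ item = iph1->frag_chain;
-for (i = 1; i <= frag_count; i++) {
-- item = iph1->frag_chain;
-- do {
-- if (item->frag_num == i)
-- break;
-- item = item->frag_next;
-- } while (item != NULL);
--
-- if (item == NULL) {
-+ if (item->frag_num != i) {
-plog(LLV_ERROR, LOCATION, NULL,
-"Missing fragment #%d\n", i);
-vfree(buf);
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
-}
-memcpy(data, item->frag_packet->v, item->frag_packet->l);
-data += item->frag_packet->l;
-+ item = item->frag_next;
-}
-out:
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
-#endif
-#ifdef ENABLE_FRAG
-iph1->frag = 0;
-+ iph1->frag_last_index = 0;
-iph1->frag_chain = NULL;
-#endif
-Index: ipsec-tools-0.8.2/src/racoon/isakmp.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp.c
-@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
-iph1->frag = 1;
-else
-iph1->frag = 0;
-+ iph1->frag_last_index = 0;
-iph1->frag_chain = NULL;
-#endif
-iph1->approval = NULL;
-@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et
-#endif
-#ifdef ENABLE_FRAG
-iph1->frag = 0;
-+ iph1->frag_last_index = 0;
-iph1->frag_chain = NULL;
-#endif
-iph1->approval = NULL;
-Index: ipsec-tools-0.8.2/src/racoon/handler.h
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/handler.h
-+++ ipsec-tools-0.8.2/src/racoon/handler.h
-@@ -1,4 +1,4 @@
--/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
-+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
-/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
-@@ -141,6 +141,7 @@ struct ph1handle {
-#endif
-#ifdef ENABLE_FRAG
-int frag; /* IKE phase 1 fragmentation */
-+ int frag_last_index;
-struct isakmp_frag_item *frag_chain; /* Received fragments */
-#endif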

+ 0
- 11
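--- a/net/ipsec-tools/patches/012-fix-implicit-int.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/racoon/isakmp_xauth.c
-+++ b/src/racoon/isakmp_xauth.c
-@@ -376,6 +376,7 @@ xauth_reply(iph1, port, id, res)
-struct ph1handle *iph1;
-int port;
-int id;
-+ int res;
-{
-struct xauth_state *xst = &iph1->mode_cfg->xauth;
-char *usr = xst->authdata.generic.usr;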

+ 0
- 1096
net/ipsec-tools/patches/015-openssl-1.1.patch


+ 0
- 21
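--- a/net/ipsec-tools/patches/020-openssl-deprecated.patch
+++ /dev/null
@@ -1,21 +0,0 @@
---- a/src/racoon/crypto_openssl.c
-+++ b/src/racoon/crypto_openssl.c
-@@ -1087,7 +1087,7 @@ eay_strerror()
-int line, flags;
-unsigned long es;
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
-#else
-es = CRYPTO_thread_id();
---- a/src/racoon/openssl_compat.h
-+++ b/src/racoon/openssl_compat.h
-@@ -5,6 +5,7 @@
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#include <openssl/rsa.h>
-+#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/evp.h>
-#include <openssl/hmac.h>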
