
net: remove ipsec-tools

As discussed in #7832, ipsec-tools is no longer suitable for inclusion in the
distribution.

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
lilik-openwrt-22.03
Noah Meyerhans 5 years ago
parent
commit
a8fd5cb7ab
20 changed files with 0 additions and 2704 deletions
  1. +0
    -103
      net/ipsec-tools/Makefile
  2. +0
    -172
      net/ipsec-tools/files/functions.sh
  3. +0
    -41
      net/ipsec-tools/files/p1client-down
  4. +0
    -41
      net/ipsec-tools/files/p1client-up
  5. +0
    -113
      net/ipsec-tools/files/racoon
  6. +0
    -479
      net/ipsec-tools/files/racoon.init
  7. +0
    -19
      net/ipsec-tools/files/vpnctl
  8. +0
    -24
      net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
  9. +0
    -22
      net/ipsec-tools/patches/001-no_libfl.patch
  10. +0
    -72
      net/ipsec-tools/patches/002-patch8-utmp.patch
  11. +0
    -13
      net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
  12. +0
    -11
      net/ipsec-tools/patches/005-isakmp-fix.patch
  13. +0
    -50
      net/ipsec-tools/patches/006-linux-3.7-compat.patch
  14. +0
    -12
      net/ipsec-tools/patches/007-force_have_policy_fwd.patch
  15. +0
    -16
      net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch
  16. +0
    -187
      net/ipsec-tools/patches/009-musl-compat.patch
  17. +0
    -201
      net/ipsec-tools/patches/010-CVE-2016-10396.patch
  18. +0
    -11
      net/ipsec-tools/patches/012-fix-implicit-int.patch
  19. +0
    -1096
      net/ipsec-tools/patches/015-openssl-1.1.patch
  20. +0
    -21
      net/ipsec-tools/patches/020-openssl-deprecated.patch

+ 0
- 103
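--- a/net/ipsec-tools/Makefile
+++ b/net/ipsec-tools/Makefile
@@ -1,103 +0,0 @@
-#
-# Copyright (C) 2006-2015 OpenWrt.org
-# 2014 Noah Meyerhans <frodo@morgul.net>
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-PKG_NAME:=ipsec-tools
-PKG_VERSION:=0.8.2
-PKG_RELEASE:=9
-PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
-Vitaly Protsko <villy@sft.ru>
-PKG_LICENSE := BSD-3-Clause
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=@SF/ipsec-tools
-PKG_HASH:=8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d
-PKG_BUILD_PARALLEL:=1
-PKG_INSTALL:=1
-PKG_FIXUP:=autoreconf
-include $(INCLUDE_DIR)/package.mk
-define Package/ipsec-tools
-SECTION:=net
-CATEGORY:=Network
-SUBMENU:=VPN
-DEPENDS:=+libopenssl +kmod-ipsec
-TITLE:=IPsec management tools
-URL:=http://ipsec-tools.sourceforge.net/
-MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
-endef
-CONFIGURE_ARGS += \
---enable-shared \
---enable-static \
---with-kernel-headers="$(LINUX_DIR)/include" \
---without-readline \
---with-openssl="$(STAGING_DIR)/usr" \
---without-libradius \
---without-libpam \
---enable-dpd \
---enable-hybrid \
---enable-security-context=no \
---enable-natt \
---enable-adminport \
---enable-frag \
-$(call autoconf_bool,CONFIG_IPV6,ipv6)
-# override CFLAGS holding "-Werror" that break builds on compile warnings
-MAKE_FLAGS+=\
-CFLAGS="$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)"
-define Build/Prepare
-$(call Build/Prepare/Default)
-chmod -R u+w $(PKG_BUILD_DIR)
-endef
-define Build/Configure
-(cd $(PKG_BUILD_DIR); touch \
-configure.ac \
-aclocal.m4 \
-Makefile.in \
-config.h.in \
-configure \
-);
-$(call Build/Configure/Default)
-ifndef CONFIG_SHADOW_PASSWORDS
-echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h
-endif
-endef
-define Package/ipsec-tools/install
-$(INSTALL_DIR) $(1)/etc/racoon
-$(INSTALL_CONF) ./files/functions.sh $(1)/etc/racoon/
-$(INSTALL_BIN) ./files/p1client-up $(1)/etc/racoon/
-$(INSTALL_BIN) ./files/p1client-down $(1)/etc/racoon/
-$(INSTALL_BIN) ./files/vpnctl $(1)/etc/racoon/
-$(INSTALL_DIR) $(1)/etc/init.d
-$(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon
-$(INSTALL_DIR) $(1)/etc/config
-$(INSTALL_CONF) ./files/racoon $(1)/etc/config/
-$(INSTALL_DIR) $(1)/usr/lib
-$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/
-$(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/
-$(INSTALL_DIR) $(1)/usr/sbin
-$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/
-$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/
-$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/
-$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/
-endef
-define Package/ipsec-tools/conffiles
-/etc/config/racoon
-endef
-$(eval $(call BuildPackage,ipsec-tools))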

+ 0
- 172
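--- a/net/ipsec-tools/files/functions.sh
+++ b/net/ipsec-tools/files/functions.sh
@@ -1,172 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
-errno=0
-get_fieldval() {
-local __data="$3"
-local __rest
-test -z "$1" && return
-while true ; do
-__rest=${__data#* }
-test "$__rest" = "$__data" && break
-if [ "${__data/ *}" = "$2" ]; then
-eval "$1=${__rest/ *}"
-break
-fi
-__data="$__rest"
-done
-}
-manage_fw() {
-local cmd=/usr/sbin/iptables
-local mode
-local item
-if [ -z "$4" ]; then
-$log "Bad usage of manage_fw"
-errno=3; return 3
-fi
-case "$1" in
-add|up|1) mode=A ;;
-del|down|0) mode=D ;;
-*) return 3 ;;
-esac
-for item in $4 ; do
-$cmd -$mode forwarding_$2_rule -s $item -j ACCEPT
-$cmd -$mode output_$3_rule -d $item -j ACCEPT
-$cmd -$mode forwarding_$3_rule -d $item -j ACCEPT
-$cmd -t nat -$mode postrouting_$3_rule -d $item -j ACCEPT
-done
-}
-manage_sa() {
-local spdcmd
-local rtcmd
-local gate
-local litem
-local ritem
-if [ -z "$4" ]; then
-$log "Bad usage of manage_sa"
-errno=3; return 3
-fi
-case "$1" in
-add|up|1) spdcmd=add; rtcmd=add ;;
-del|down|0) spdcmd=delete; rtcmd=del ;;
-*) errno=3; return 3 ;;
-esac
-get_fieldval gate src "$(/usr/sbin/ip route get $4)"
-if [ -z "$gate" ]; then
-$log "Can not find outbound IP for $4"
-errno=3; return 3
-fi
-for litem in $2 ; do
-for ritem in $3 ; do
-echo "
-spd$spdcmd $litem $ritem any -P out ipsec esp/tunnel/$gate-$4/require;
-spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
-" | /usr/sbin/setkey -c 1>&2
-done
-done
-test -n "$5" && gate=$5
-for ritem in $3 ; do
-(sleep 3; /usr/sbin/ip route $rtcmd $ritem via $gate) &
-done
-}
-manage_nonesa() {
-local spdcmd
-local item
-local cout cin
-if [ -z "$4" ]; then
-$log "Bad usage of manage_nonesa"
-errno=3; return 3
-fi
-case "$1" in
-add|up|1) spdcmd=add ;;
-del|down|0) spdcmd=delete ;;
-*) errno=3; return 3 ;;
-esac
-case "$2" in
-local|remote) ;;
-*) errno=3; return 3 ;;
-esac
-for item in $3 ; do
-if [ "$2" = "local" ]; then
-cout="$4 $item"
-cin="$item $4"
-else
-cout="$item $4"
-cin="$4 $item"
-fi
-echo "
-spd$spdcmd $cout any -P out none;
-spd$spdcmd $cin any -P in none;
-" | /usr/sbin/setkey -c 1>&2
-done
-}
-. /lib/functions/network.sh
-get_zoneiflist() {
-local item
-local data
-local addr
-item=0
-data=$(uci get firewall.@zone[0].name)
-while [ -n "$data" ]; do
-test "$data" = "$1" && break
-let "item=$item+1"
-data=$(uci get firewall.@zone[$item].name)
-done
-if [ -z "$data" ]; then
-errno=1
-return $errno
-fi
-data=$(uci get firewall.@zone[$item].network)
-echo "$data"
-}
-get_zoneiplist() {
-local item
-local addr
-local data
-local result
-data=$(get_zoneiflist $1)
-test $? -gt 0 -o $errno -gt 0 -o -z "$data" && return $errno
-for item in $data ; do
-if network_is_up $item ; then
-network_get_ipaddrs addr $item
-test $? -eq 0 && result="$result $addr"
-fi
-done
-result=$(echo $result)
-echo "$result"
-}
-# EOF /etc/racoon/functions.sh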

+ 0
- 41
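--- a/net/ipsec-tools/files/p1client-down
+++ b/net/ipsec-tools/files/p1client-down
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-log="logger -t p1client-down[$$]"
-. /lib/functions.sh
-. /etc/racoon/functions.sh
-if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
-$log "Connection without server-pushed routing is not supported"
-exit 1
-fi
-$log "Shutting down tunnel to server $REMOTE_ADDR"
-$log "Closing tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
-config_load racoon
-config_get confIntZone racoon int_zone lan
-config_get confExtZone racoon ext_zone wan
-manage_fw del $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
-data=$(get_zoneiflist $confIntZone)
-if [ -n "$data" ]; then
-for item in $data ; do
-network_get_subnet locnet $item
-if [ -n "$locnet" ]; then
-manage_sa del "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
-else
-$log "Can not find subnet on interface $item"
-fi
-done
-else
-$log "Can not find subnets in zone $confIntZone"
-fi
-get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
-ip address del $INTERNAL_ADDR4/32 dev $data
-# EOF /etc/racoon/p1client-down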

+ 0
- 41
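--- a/net/ipsec-tools/files/p1client-up
+++ b/net/ipsec-tools/files/p1client-up
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-log="logger -t p1client-up[$$]"
-. /lib/functions.sh
-. /etc/racoon/functions.sh
-if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
-$log "Connection without server-pushed routing is not supported"
-exit 1
-fi
-$log "Setting up tunnel to server $REMOTE_ADDR"
-$log "Making tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
-get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
-ip address add $INTERNAL_ADDR4/32 dev $data
-config_load racoon
-config_get confIntZone racoon int_zone lan
-config_get confExtZone racoon ext_zone wan
-data=$(get_zoneiflist $confIntZone)
-if [ -n "$data" ]; then
-for item in $data ; do
-network_get_subnet locnet $item
-if [ -n "$locnet" ]; then
-manage_sa add "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
-else
-$log "Can not find subnet on interface $item"
-fi
-done
-else
-$log "Can not find interfaces in zone $confIntZone"
-fi
-manage_fw add $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
-# EOF /etc/racoon/p1client-up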

+ 0
- 113
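--- a/net/ipsec-tools/files/racoon
+++ b/net/ipsec-tools/files/racoon
@@ -1,113 +0,0 @@
-#/etc/config/racoon
-#
-# Copyright 2015 Vitaly Protsko <villy@sft.ru>
-# * WARNING: this is "not working" example
-# * Defaults are commented out
-# * Resuting config will appear in /var/racoon/
-config racoon
-# option debug 0
-# option ext_zone 'wan'
-# option int_zone 'lan'
-# option port 500
-# option natt_port 4500
-# following 4 or 6, no default
-# option ipversion 4
-config p1_proposal 'example_prop1'
-# option lifetime 28800
-option enc_alg 'aes'
-option hash_alg 'sha1'
-option auth_method 'rsasig'
-option dh_group 2
-config p1_proposal 'example_anon'
-# option lifetime 28800
-option enc_alg 'aes'
-option hash_alg 'sha1'
-option auth_method 'xauth_rsa_server'
-option dh_group 2
-config p1_proposal 'example_xauth'
-# option lifetime 28800
-option enc_alg 'aes'
-option hash_alg 'sha1'
-option auth_method 'xauth_rsa_client'
-option dh_group 2
-config p2_proposal 'example_prop2'
-option pfs_group 2
-option enc_alg 'aes'
-option auth_alg 'hmac_sha1'
-config p2_proposal 'example_in2'
-option pfs_group 2
-# option lifetime 14400
-option enc_alg 'aes'
-option auth_alg 'hmac_sha1'
-config sainfo 'office'
-option p2_proposal 'example_prop2'
-option local_net '192.168.8.0/24'
-option remote_net '192.168.1.0/24'
-# you can exclude some local or remote
-# addresses from SA rules
-list local_exclude '192.168.8.0/30'
-list remote_exclude '192.168.1.128/29'
-config sainfo 'welcome'
-option p2_proposal 'example_in2'
-option local_net '192.168.8.0/24'
-option remote_net '192.168.10.0/24'
-option dns4 '192.168.8.1'
-option defdomain 'myhome.local'
-config sainfo 'client'
-option p2_proposal 'std_p2'
-config tunnel 'Office'
-option enabled 1
-# initial_contact
-# option init 1
-option remote 'vpn.example.tld'
-option exchange_mode 'main'
-option certificate 'example_cert'
-# option peer_id_type 'asn1dn'
-# option prop_check 'obey'
-# option verify_id 1
-# option weak_p1check 1
-# option dpd_delay ''
-list p1_proposal 'example_prop1'
-list sainfo 'office'
-# WARNING: Only ONE tunnel with remote anonymous
-# can be configured and it can have only
-# ONE sainfo. Otherwise resulting racoon
-# configuration will be unusable
-config tunnel 'Incoming'
-option enabled 1
-option remote 'anonymous'
-option pre_shared_key 'testitnow'
-option exchange_mode 'aggressive,main'
-option my_id_type 'fqdn'
-option my_id 'myserver.homeip.net'
-list p1_proposal 'example_anon'
-list sainfo 'welcome'
-config tunnel 'Client'
-option enabled 1
-option remote 'vpn.example.tld'
-option username 'testuser'
-option password 'testW0rD'
-# option mode_cfg 1
-list p1_proposal 'example_xauth'
-list sainfo 'client'
-# Insert corresponding data in PEM format as one line
-config 'certificate' 'example_cert'
-option 'key' '-----BEGIN PRIVATE KEY----- ~ -----END PRIVATE KEY-----'
-option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'
-config 'certificate' 'example_ca_cert'
-option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'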

+ 0
- 479
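--- a/net/ipsec-tools/files/racoon.init
+++ b/net/ipsec-tools/files/racoon.init
@@ -1,479 +0,0 @@
-#!/bin/sh /etc/rc.common
-#
-# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
-#set -vx
-USE_PROCD=1
-START=60
-STOP=40
-let connWait=2/2
-confDir=/var/racoon
-confExtZone=
-confIntZone=
-confPort=
-confNATPort=
-confIPMode=
-confPh1ID=0
-log="logger -t init.d/racoon[$$] "
-. /etc/racoon/functions.sh
-setup_load() {
-config_get confExtZone "$1" ext_zone wan
-config_get confIntZone "$1" int_zone lan
-config_get confPort "$1" port 500
-config_get confNATPort "$1" natt_port 4500
-config_get confIPMode "$1" ipversion ""
-case X$confIPMode in
-X4|X6) ;;
-*) unset confIPMode ;;
-esac
-}
-write_header() {
-echo "
-# autogenerated, don't edit, look at /etc/config/racoon
-#
-path certificate \"$confDir/cert\";
-path script \"/etc/racoon\";
-path pre_shared_key \"$confDir/psk.txt\";
-path pidfile \"$confDir/racoon.pid\";
-padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; }
-timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; }
-"
-}
-setup_conf() {
-local conf=$confDir/racoon.conf
-local peerconf=$confDir/peers.txt
-local pskconf=$confDir/psk.txt
-local item
-local data
-data="$(get_zoneiplist $confExtZone)"
-if [ "X$data" = X ]; then
-$log "No IP addresses found for zone $confExtZone, exitng"
-errno=2; return 2
-fi
-write_header > $conf
-echo -n > $peerconf
-echo -n > $pskconf
-chmod 0600 $conf $peerconf $pskconf
-echo "listen {" >> $conf
-for item in $data ; do
-echo " isakmp $item [$confPort]; isakmp_natt $item [$confNATPort];" >> $conf
-done
-echo "}" >> $conf
-config_get_bool item "$1" debug 0
-data=warning
-test $item -ne 0 && data=debug
-echo "log $data;" >> $conf
-setup_fw add
-}
-setup_p1() {
-local conf=$confDir/racoon.conf
-local data
-echo " proposal {" >> $conf
-config_get data "$1" lifetime 28800
-echo " lifetime time $data sec;" >> $conf
-config_get data "$1" enc_alg
-test -n "$data" && echo " encryption_algorithm $data;" >> $conf
-config_get data "$1" hash_alg
-test -n "$data" && echo " hash_algorithm $data;" >> $conf
-config_get data "$1" auth_method
-test -n "$data" && echo " authentication_method $data;" >> $conf
-config_get data "$1" dh_group 2
-echo -e " dh_group $data;\n }" >> $conf
-}
-setup_fw() {
-local cmd=/usr/sbin/iptables
-local mode
-case "$1" in
-add|up|1) mode=A ;;
-del|down|0) mode=D ;;
-*) return 3 ;;
-esac
-$cmd -$mode input_${confExtZone}_rule -p AH -j ACCEPT
-$cmd -$mode input_${confExtZone}_rule -p ESP -j ACCEPT
-$cmd -$mode input_${confExtZone}_rule -p UDP --dport $confPort -j ACCEPT
-$cmd -$mode input_${confExtZone}_rule -p UDP --dport $confNATPort -j ACCEPT
-}
-setup_sa() {
-local conf=$confDir/racoon.conf
-local remote="${2/ *}"
-local client="${2#* }"
-local locnet
-local remnet
-local p2
-local data
-test "$2" = "$client" && unset client
-if [ -z "$client" ]; then
-config_get locnet "$1" local_net
-config_get remnet "$1" remote_net
-if [ -z "$locnet" ] || [ -z "$remnet" ]; then
-$log "Remote and local networks for $1 must be configured ($2)"
-errno=4; return 4
-fi
-if [ "$remote" = "anonymous" ]; then
-echo "sainfo anonymous {" >> $conf
-else
-echo "sainfo address $locnet any address $remnet any {" >> $conf
-fi
-else
-echo "sainfo anonymous {" >> $conf
-fi
-config_get p2 "$1" p2_proposal
-if [ -z "$p2" ]; then
-$log "Phase2 proposal must be configured in $1 sainfo"
-errno=5; return 5
-fi
-echo " remoteid $confPh1ID;" >> $conf
-config_get data "$p2" pfs_group
-test -n "$data" && echo " pfs_group $data;" >> $conf
-config_get data "$p2" lifetime 14400
-test -n "$data" && echo " lifetime time $data sec;" >> $conf
-config_get data "$p2" enc_alg
-test -n "$data" && echo " encryption_algorithm $data;" >> $conf
-config_get data "$p2" auth_alg
-test -n "$data" && echo " authentication_algorithm $data;" >> $conf
-echo -e " compression_algorithm deflate;\n}" >> $conf
-if [ "$remote" = "anonymous" ]; then
-echo -e "mode_cfg {\n auth_source system;\n conf_source local;" >> $conf
-config_get data "$1" dns4
-test -n "$data" && echo " dns4 $data;" >> $conf
-config_get data "$1" defdomain
-test -n "$data" && echo " default_domain \"$data\";" >> $conf
-data=${remnet%/*}
-let "data=${data##*.}+1"
-echo " network4 ${remnet%.*}.$data;" >> $conf
-let "data=255<<(24-${remnet#*/}+8)&255"
-echo " netmask4 255.255.255.$data;" >> $conf
-echo -e " split_network include $locnet;\n}" >> $conf
-elif [ -z "$client" ]; then
-config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
-config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
-manage_sa add "$locnet" "$remnet" $remote
-test $? -gt 0 -o $errno -gt 0 && return $errno
-manage_fw add $confIntZone $confExtZone "$remnet"
-fi
-}
-setup_tunnel() {
-local conf=$confDir/racoon.conf
-local peerconf=$confDir/peers.txt
-local data
-local remote
-local xauth
-config_get_bool data "$1" enabled 0
-test "$data" = "0" && return 0
-config_get remote "$1" remote
-if [ "$remote" = "anonymous" ]; then
-echo -e "remote anonymous {\n generate_policy on;" >> $conf
-else
-data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
-test -n "$data" && remote="$data"
-echo -e "remote \"$1\" {\n remote_address $remote;" >> $conf
-echo "$data" >> $peerconf
-fi
-config_get data "$1" pre_shared_key ""
-if [ -n "$data" ]; then
-if [ "$remote" != "anonymous" ]; then
-echo "$remote $data" >> $confDir/psk.txt
-else
-echo "* $data" >> $confDir/psk.txt
-fi
-fi
-let confPh1ID=$confPh1ID+1
-echo " ph1id $confPh1ID;" >> $conf
-config_get xauth "$1" username ""
-config_get data "$1" certificate ""
-if [ -n "$data" ]; then
-echo -en " verify_cert on;\n my_identifier asn1dn;\n certificate_type x509 " >> $conf
-echo -en "\"$data.crt\" \"$data.key\";\n send_cr off;\n peers_identifier " >> $conf
-else
-config_get data "$1" my_id_type ""
-if [ -n "$data" ]; then
-echo -n " my_identifier $data" >> $conf
-config_get data "$1" my_id ""
-if [ -n "$data" ]; then
-echo " \"$data\";" >> $conf
-elif [ -n "$xauth" ]; then
-echo " \"$xauth\";" >> $conf
-else
-echo ";" >> $conf
-fi
-elif [ -n "$xauth" ]; then
-echo " my_identifier user_fqdn \"$xauth\";" >> $conf
-fi
-echo -n " peers_identifier " >> $conf
-fi
-if [ "$remote" = "anonymous" ]; then
-echo "user_fqdn;" >> $conf
-else
-config_get data "$1" peer_id_type "asn1dn"
-echo -n "$data" >> $conf
-config_get data "$1" peer_id ""
-test -n "$data" && echo -n " \"$data\"" >> $conf
-echo ";" >> $conf
-fi
-if [ -n "$xauth" ]; then
-config_get data "$1" password
-if [ -z "$data" ]; then
-$log "Password must be given in $1 tunnel"
-errno=7; return 7
-fi
-echo "$xauth $data" >> $confDir/psk.txt
-echo " xauth_login \"$xauth\";" >> $conf
-echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf
-fi
-config_get data "$1" exchange_mode
-if [ -z "$data" ]; then
-data=main
-test -n "$xauth" && data="${data},aggressive"
-fi
-echo -e " exchange_mode $data;\n nat_traversal on;\n support_proxy on;" >> $conf
-config_get data "$1" prop_check "obey"
-test -n "$data" && echo " proposal_check $data;" >> $conf
-config_get_bool data "$1" weak_p1check 1
-if [ $data -eq 0 ]; then data=off; else data=on; fi
-echo " weak_phase1_check $data;" >> $conf
-config_get_bool data "$1" verify_id 1
-if [ $data -eq 0 ]; then data=off; else data=on; fi
-echo " verify_identifier $data;" >> $conf
-config_get data "$1" dpd_delay ""
-test -n "$data" && echo " dpd_delay $data;" >> $conf
-unset data
-test -n "$xauth" && data="on"
-config_get data "$1" mode_cfg "$data"
-test -n "$data" && echo " mode_cfg $data;" >> $conf
-config_get_bool data "$1" init 0
-if [ $data -eq 0 ]; then data=off; else data=on; fi
-echo " initial_contact $data;" >> $conf
-config_list_foreach "$1" p1_proposal setup_p1
-echo "}" >> $conf
-config_list_foreach "$1" sainfo setup_sa "$remote $xauth"
-}
-setup_cert() {
-local item
-local data
-for item in key crt ; do
-config_get data "$1" $item ""
-test -z "$data" && continue
-echo "$data" |\
-sed 's/-\+[A-Z ]\+-\+/\n&\n/g' | sed 's/.\{50,50\}/&\n/g' | sed '/^$/d'\
-> $confDir/cert/$1.$item
-chmod 600 $confDir/cert/$1.$item
-done
-if [ -s $confDir/cert/$1.crt ]; then
-data=$(openssl x509 -noout -hash -in $confDir/cert/$1.crt)
-ln -sf $confDir/cert/$1.crt $confDir/cert/$data.0
-fi
-}
-destroy_sa() {
-local locnet
-local remnet
-config_get locnet "$1" local_net
-config_get remnet "$1" remote_net
-if [ -z "$locnet" ] || [ -z "$remnet" ]; then
-$log "Remote and local networks for $1 must be configured"
-errno=4; return 4
-fi
-config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
-config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
-manage_sa del "$locnet" "$remnet" $2
-manage_fw del $confIntZone $confExtZone "$remnet"
-}
-destroy_tunnel() {
-local data
-config_get_bool data "$1" enabled 0
-test "$data" = "0" && return 0
-config_get remote "$1" remote
-data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
-test -n "$data" && remote="$data"
-config_get data "$1" username ""
-if [ -z "$data" ]; then
-config_list_foreach "$1" sainfo destroy_sa $remote
-fi
-}
-destroy_conf() {
-setup_fw del
-}
-check_software() {
-local item
-for item in /usr/sbin/setkey /usr/bin/openssl /usr/sbin/ip ; do
-if [ ! -x $item ]; then
-$log "Needed program $item not found, exiting"
-errno=9; return 9
-fi
-done
-}
-cleanup_conf() {
-config_load racoon
-config_foreach setup_load racoon
-config_foreach destroy_conf racoon
-config_foreach destroy_tunnel tunnel
-/usr/sbin/setkey -P -F
-/usr/sbin/setkey -F
-}
-check_dir() {
-local item
-for item in $confDir $confDir/cert ; do
-if [ ! -d $item ]; then
-mkdir -m 0700 -p $item
-fi
-done
-}
-wait4wanzone() {
-local item=$connWait
-local data
-data="$(get_zoneiplist $confExtZone)"
-while [ $item -gt 0 ]; do
-test -n "$data" && break
-sleep 2
-let "item=$item-1"
-data="$(get_zoneiplist $confExtZone)"
-done
-test -z "$data" && return 10
-}
-start_service() {
-check_software
-test $? -gt 0 -o $errno -gt 0 && exit $errno
-check_dir
-config_load racoon
-config_foreach setup_load racoon
-config_foreach wait4wanzone racoon
-if [ $? -gt 0 ] || [ $errno -gt 0 ]; then
-$log "No active interfaces in $confExtZone zone found, exiting"
-exit $errno
-fi
-config_foreach setup_conf racoon
-test $? -gt 0 -o $errno -gt 0 && exit $errno
-config_foreach setup_tunnel tunnel
-test $? -gt 0 -o $errno -gt 0 && exit $errno
-config_foreach setup_cert certificate
-procd_open_instance
-procd_set_param command /usr/sbin/racoon
-test -n "$confIPMode" && procd_append_param command -$confIPMode
-procd_append_param command -F -f $confDir/racoon.conf
-procd_set_param file $confDir/racoon.conf
-procd_close_instance
-if [ -x /etc/racoon/vpnctl ]; then
-let connWait=$connWait*2+2
-( sleep $connWait; /etc/racoon/vpnctl up ) &
-fi
-}
-service_triggers() {
-local item
-local data
-procd_add_reload_trigger "racoon" "network"
-config_load racoon
-config_foreach setup_load racoon
-data=$(get_zoneiflist $confExtZone)
-if [ $? -gt 0 ] || [ $errno -gt 0 ] || [ -z "$data" ]; then
-$log "Can not find interfaces for $confExtZone zone"
-else
-for item in $data ; do
-procd_add_reload_interface_trigger $item
-done
-fi
-}
-stop_service() {
-cleanup_conf
-procd_kill racoon
-}
-trap "cleanup_conf" 1 2 3 4 5 6 7 8 9 10
-# EOF /etc/init.d/racoon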

+ 0
- 19
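--- a/net/ipsec-tools/files/vpnctl
+++ b/net/ipsec-tools/files/vpnctl
@@ -1,19 +0,0 @@
-#!/bin/sh
-#
-case X$1 in
-Xup|X1|Xstart) connMode=vpn-connect ;;
-Xdown|X0|Xstop) connMode=vpn-disconnect ;;
-*)
-echo "Usage: $0: up|1|start || down|0|stop"
-exit 1 ;;
-esac
-if [ -s /var/racoon/peers.txt ]; then
-(while read ipa ; do
-racoonctl $connMode $ipa
-done) < /var/racoon/peers.txt
-fi
-# EOF /usr/bin/vpnctl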

+ 0
- 24
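--- a/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
+++ b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
@@ -1,24 +0,0 @@
---- a/src/racoon/oakley.c
-+++ b/src/racoon/oakley.c
-@@ -2424,8 +2424,21 @@ oakley_skeyid(iph1)
-plog(LLV_ERROR, LOCATION, iph1->remote,
-"couldn't find the pskey for %s.\n",
-saddrwop2str(iph1->remote));
-+ }
-+ }
-+ if (iph1->authstr == NULL) {
-+ /*
-+ * If we could not locate a psk above try and locate
-+ * the default psk, ie, "*".
-+ */
-+ iph1->authstr = privsep_getpsk("*", 1);
-+ if (iph1->authstr == NULL) {
-+ plog(LLV_ERROR, LOCATION, iph1->remote,
-+ "couldn't find the the default pskey either.\n");
-goto end;
-}
-+ plog(LLV_NOTIFY, LOCATION, iph1->remote,
-+ "Using default PSK.\n");
-}
-plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
-/* should be secret PSK */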

+ 0
- 22
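--- a/net/ipsec-tools/patches/001-no_libfl.patch
+++ b/net/ipsec-tools/patches/001-no_libfl.patch
@@ -1,22 +0,0 @@
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -104,6 +104,8 @@ static struct include_stack {
-static int incstackp = 0;
-static int yy_first_time = 1;
-+
-+int yywrap(void) { return 1; }
-%}
-/* common seciton */
---- a/src/setkey/token.l
-+++ b/src/setkey/token.l
-@@ -86,6 +86,8 @@
-#if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
-#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
-#endif
-+
-+int yywrap(void) { return 1; }
-%}
-/* common section */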

+ 0
- 72
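--- a/net/ipsec-tools/patches/002-patch8-utmp.patch
+++ b/net/ipsec-tools/patches/002-patch8-utmp.patch
@@ -1,72 +0,0 @@
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -38,7 +38,7 @@
-#include <sys/socket.h>
-#include <sys/queue.h>
--#include <utmpx.h>
-+#include <utmp.h>
-#if defined(__APPLE__) && defined(__MACH__)
-#include <util.h>
-#endif
-@@ -1664,7 +1664,8 @@ isakmp_cfg_accounting_system(port, raddr
-int inout;
-{
-int error = 0;
-- struct utmpx ut;
-+ struct utmp ut;
-+ char term[UT_LINESIZE];
-char addr[NI_MAXHOST];
-if (usr == NULL || usr[0]=='\0') {
-@@ -1673,34 +1674,37 @@ isakmp_cfg_accounting_system(port, raddr
-return -1;
-}
-- memset(&ut, 0, sizeof ut);
-- gettimeofday((struct timeval *)&ut.ut_tv, NULL);
-- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
-+ sprintf(term, TERMSPEC, port);
-switch (inout) {
-case ISAKMP_CFG_LOGIN:
-- ut.ut_type = USER_PROCESS;
-- strncpy(ut.ut_user, usr, sizeof ut.ut_user);
-+ strncpy(ut.ut_name, usr, UT_NAMESIZE);
-+ ut.ut_name[UT_NAMESIZE - 1] = '\0';
-+
-+ strncpy(ut.ut_line, term, UT_LINESIZE);
-+ ut.ut_line[UT_LINESIZE - 1] = '\0';
-GETNAMEINFO_NULL(raddr, addr);
-- strncpy(ut.ut_host, addr, sizeof ut.ut_host);
-+ strncpy(ut.ut_host, addr, UT_HOSTSIZE);
-+ ut.ut_host[UT_HOSTSIZE - 1] = '\0';
-+
-+ ut.ut_time = time(NULL);
-plog(LLV_INFO, LOCATION, NULL,
-"Accounting : '%s' logging on '%s' from %s.\n",
-- ut.ut_user, ut.ut_id, addr);
--
-- pututxline(&ut);
-+ ut.ut_name, ut.ut_line, ut.ut_host);
-+ login(&ut);
-+
-break;
-case ISAKMP_CFG_LOGOUT:
-- ut.ut_type = DEAD_PROCESS;
-plog(LLV_INFO, LOCATION, NULL,
-"Accounting : '%s' unlogging from '%s'.\n",
-- usr, ut.ut_id);
--
-- pututxline(&ut);
-+ usr, term);
-+ logout(term);
-+
-break;
-default:
-plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");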

+ 0
- 13
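--- a/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
+++ b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
@@ -1,13 +0,0 @@
---- a/src/racoon/ipsec_doi.c
-+++ b/src/racoon/ipsec_doi.c
-@@ -3581,8 +3581,8 @@ ipsecdoi_checkid1(iph1)
-iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
-if (id_b->type != IPSECDOI_ID_IPV4_ADDR
-&& id_b->type != IPSECDOI_ID_IPV6_ADDR) {
-- plog(LLV_ERROR, LOCATION, NULL,
-- "Expecting IP address type in main mode, "
-+ plog(LLV_WARNING, LOCATION, NULL,
-+ "Expecting IP address type in main mode (RFC2409) , "
-"but %s.\n", s_ipsecdoi_ident(id_b->type));
-return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-}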

+ 0
- 11
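--- a/net/ipsec-tools/patches/005-isakmp-fix.patch
+++ b/net/ipsec-tools/patches/005-isakmp-fix.patch
@@ -1,11 +0,0 @@
---- a/src/racoon/isakmp.c
-+++ b/src/racoon/isakmp.c
-@@ -31,6 +31,8 @@
-* SUCH DAMAGE.
-*/
-+#define __packed __attribute__((__packed__))
-+
-#include "config.h"
-#include <sys/types.h>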

+ 0
- 50
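--- a/net/ipsec-tools/patches/006-linux-3.7-compat.patch
+++ b/net/ipsec-tools/patches/006-linux-3.7-compat.patch
@@ -1,50 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -74,9 +74,10 @@ case "$host_os" in
-[ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
-AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
-- [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-- KERNEL_INCLUDE=/usr/src/linux/include ,
-- [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
-+ [ AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, ,
-+ [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
-+ KERNEL_INCLUDE=/usr/src/linux/include ,
-+ [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ] )
-AC_SUBST(KERNEL_INCLUDE)
-# We need the configure script to run with correct kernel headers.
-# However we don't want to point to kernel source tree in compile time,
-@@ -643,7 +644,14 @@ AC_EGREP_CPP(yes,
-#ifdef SADB_X_EXT_NAT_T_TYPE
-yes
-#endif
--], [kernel_natt="yes"])
-+], [kernel_natt="yes"], [
-+ AC_EGREP_CPP(yes,
-+ [#include <uapi/linux/pfkeyv2.h>
-+ #ifdef SADB_X_EXT_NAT_T_TYPE
-+ yes
-+ #endif
-+ ], [kernel_natt="yes"])
-+])
-;;
-freebsd*|netbsd*)
-# NetBSD case
---- a/src/include-glibc/Makefile.am
-+++ b/src/include-glibc/Makefile.am
-@@ -1,14 +1,7 @@
--
--.includes: ${top_builddir}/config.status
-- ln -snf $(KERNEL_INCLUDE)/linux
-- touch .includes
--
--all: .includes
--
-EXTRA_DIST = \
-glibc-bugs.h \
-net/pfkeyv2.h \
-netinet/ipsec.h \
-sys/queue.h
--DISTCLEANFILES = .includes linux
-+DISTCLEANFILES = linux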

+ 0
- 12
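--- a/net/ipsec-tools/patches/007-force_have_policy_fwd.patch
+++ b/net/ipsec-tools/patches/007-force_have_policy_fwd.patch
@@ -1,12 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -732,7 +732,8 @@ case $host in
-],
-[AC_MSG_RESULT(yes)
-AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
-- [AC_MSG_RESULT(no)])
-+ [AC_MSG_RESULT(forced)
-+ AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])])
-;;
-*)
-AC_MSG_RESULT(no)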

+ 0
- 16
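--- a/net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch
+++ b/net/ipsec-tools/patches/008-racoon-fix_dereference_crash.patch
@@ -1,16 +0,0 @@
-Fix null dereference in racoon/gssapi.c (CVE-2015-4047)
---- a/src/racoon/gssapi.c
-+++ b/src/racoon/gssapi.c
-@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
-gss_name_t princ, canon_princ;
-OM_uint32 maj_stat, min_stat;
-+ if (iph1->rmconf == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+ return -1;
-+ }
-+
-gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
-if (gps == NULL) {
-plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");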

+ 0
- 187
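--- a/net/ipsec-tools/patches/009-musl-compat.patch
+++ b/net/ipsec-tools/patches/009-musl-compat.patch
@@ -1,187 +0,0 @@
---- a/src/racoon/grabmyaddr.c
-+++ b/src/racoon/grabmyaddr.c
-@@ -47,7 +47,6 @@
-#include <net/route.h>
-#include <net/if.h>
-#include <net/if_dl.h>
--#include <sys/sysctl.h>
-#define USE_ROUTE
-#endif
---- a/src/racoon/pfkey.c
-+++ b/src/racoon/pfkey.c
-@@ -59,7 +59,6 @@
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
--#include <sys/sysctl.h>
-#include <net/route.h>
-#include <net/pfkeyv2.h>
---- a/src/setkey/setkey.c
-+++ b/src/setkey/setkey.c
-@@ -40,7 +40,6 @@
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <sys/stat.h>
--#include <sys/sysctl.h>
-#include <err.h>
-#include <netinet/in.h>
-#include <net/pfkeyv2.h>
---- a/src/libipsec/ipsec_strerror.h
-+++ b/src/libipsec/ipsec_strerror.h
-@@ -34,6 +34,8 @@
-#ifndef _IPSEC_STRERROR_H
-#define _IPSEC_STRERROR_H
-+#include <sys/cdefs.h>
-+
-extern int __ipsec_errcode;
-extern void __ipsec_set_strerror __P((const char *));
---- a/src/libipsec/libpfkey.h
-+++ b/src/libipsec/libpfkey.h
-@@ -34,6 +34,8 @@
-#ifndef _LIBPFKEY_H
-#define _LIBPFKEY_H
-+#include <sys/cdefs.h>
-+
-#ifndef KAME_LIBPFKEY_H
-#define KAME_LIBPFKEY_H
---- a/src/racoon/backupsa.c
-+++ b/src/racoon/backupsa.c
-@@ -276,9 +276,9 @@ do { \
-GETNEXTNUM(sa_args.a_keylen, strtoul);
-GETNEXTNUM(sa_args.flags, strtoul);
-GETNEXTNUM(sa_args.l_alloc, strtoul);
-- GETNEXTNUM(sa_args.l_bytes, strtouq);
-- GETNEXTNUM(sa_args.l_addtime, strtouq);
-- GETNEXTNUM(sa_args.l_usetime, strtouq);
-+ GETNEXTNUM(sa_args.l_bytes, strtoull);
-+ GETNEXTNUM(sa_args.l_addtime, strtoull);
-+ GETNEXTNUM(sa_args.l_usetime, strtoull);
-GETNEXTNUM(sa_args.seq, strtoul);
-#undef GETNEXTNUM
---- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -77,6 +77,10 @@
-#include "cfparse.h"
-+#ifndef GLOB_TILDE
-+#define GLOB_TILDE 0
-+#endif
-+
-int yyerrorcount = 0;
-#if defined(YIPS_DEBUG)
---- a/src/racoon/logger.h
-+++ b/src/racoon/logger.h
-@@ -34,6 +34,8 @@
-#ifndef _LOGGER_H
-#define _LOGGER_H
-+#include <sys/cdefs.h>
-+
-struct log {
-int head;
-int siz;
---- a/src/racoon/misc.h
-+++ b/src/racoon/misc.h
-@@ -34,6 +34,8 @@
-#ifndef _MISC_H
-#define _MISC_H
-+#include <sys/cdefs.h>
-+
-#define BIT2STR(b) bit2str(b, sizeof(b)<<3)
-#ifdef HAVE_FUNC_MACRO
---- a/src/racoon/missing/crypto/sha2/sha2.h
-+++ b/src/racoon/missing/crypto/sha2/sha2.h
-@@ -40,6 +40,8 @@
-#ifndef __SHA2_H__
-#define __SHA2_H__
-+#include <sys/cdefs.h>
-+
-#ifdef __cplusplus
-extern "C" {
-#endif
---- a/src/racoon/netdb_dnssec.h
-+++ b/src/racoon/netdb_dnssec.h
-@@ -34,6 +34,8 @@
-#ifndef _NETDB_DNSSEC_H
-#define _NETDB_DNSSEC_H
-+#include <sys/cdefs.h>
-+
-#ifndef T_CERT
-#define T_CERT 37 /* defined by RFC2538 section 2 */
-#endif
---- a/src/racoon/plog.h
-+++ b/src/racoon/plog.h
-@@ -34,6 +34,8 @@
-#ifndef _PLOG_H
-#define _PLOG_H
-+#include <sys/cdefs.h>
-+
-#ifdef HAVE_STDARG_H
-#include <stdarg.h>
-#else
---- a/src/racoon/str2val.h
-+++ b/src/racoon/str2val.h
-@@ -34,6 +34,8 @@
-#ifndef _STR2VAL_H
-#define _STR2VAL_H
-+#include <sys/cdefs.h>
-+
-extern caddr_t val2str __P((const char *, size_t));
-extern char *str2val __P((const char *, int, size_t *));
---- a/src/racoon/vmbuf.h
-+++ b/src/racoon/vmbuf.h
-@@ -34,6 +34,8 @@
-#ifndef _VMBUF_H
-#define _VMBUF_H
-+#include <sys/cdefs.h>
-+
-/*
-* bp v
-* v v
---- a/src/setkey/extern.h
-+++ b/src/setkey/extern.h
-@@ -1,6 +1,6 @@
-/* $NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $ */
--
-+#include <sys/cdefs.h>
-void parse_init __P((void));
-int parse __P((FILE **));
---- a/src/racoon/isakmp_cfg.c
-+++ b/src/racoon/isakmp_cfg.c
-@@ -1694,8 +1694,6 @@ isakmp_cfg_accounting_system(port, raddr
-"Accounting : '%s' logging on '%s' from %s.\n",
-ut.ut_name, ut.ut_line, ut.ut_host);
-- login(&ut);
--
-break;
-case ISAKMP_CFG_LOGOUT:
-@@ -1703,8 +1701,6 @@ isakmp_cfg_accounting_system(port, raddr
-"Accounting : '%s' unlogging from '%s'.\n",
-usr, term);
-- logout(term);
--
-break;
-default:
-plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");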

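--- a/net/ipsec-tools/patches/010-CVE-2016-10396.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
-Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
-Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-@@ -1,4 +1,4 @@
--/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
-+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */
-/* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
-return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
-}
-+static int
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
-+{
-+ struct isakmp_frag_item *pitem = NULL;
-+ struct isakmp_frag_item *citem = iph1->frag_chain;
-+
-+ /* no frag yet, just insert at beginning of list */
-+ if (iph1->frag_chain == NULL) {
-+ iph1->frag_chain = item;
-+ return 0;
-+ }
-+
-+ do {
-+ /* duplicate fragment number, abort (CVE-2016-10396) */
-+ if (citem->frag_num == item->frag_num)
-+ return -1;
-+
-+ /* need to insert before current item */
-+ if (citem->frag_num > item->frag_num) {
-+ if (pitem != NULL)
-+ pitem->frag_next = item;
-+ else
-+ /* insert at the beginning of the list */
-+ iph1->frag_chain = item;
-+ item->frag_next = citem;
-+ return 0;
-+ }
-+
-+ pitem = citem;
-+ citem = citem->frag_next;
-+ } while (citem != NULL);
-+
-+ /* we reached the end of the list, insert */
-+ pitem->frag_next = item;
-+ return 0;
-+}
-+
-int
-isakmp_frag_extract(iph1, msg)
-struct ph1handle *iph1;
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
-item->frag_next = NULL;
-item->frag_packet = buf;
-- /* Look for the last frag while inserting the new item in the chain */
-- if (item->frag_last)
-- last_frag = item->frag_num;
-+ /* Check for the last frag before inserting the new item in the chain */
-+ if (item->frag_last) {
-+ /* if we have the last fragment, indices must match */
-+ if (iph1->frag_last_index != 0 &&
-+ item->frag_last != iph1->frag_last_index) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "Repeated last fragment index mismatch\n");
-+ racoon_free(item);
-+ vfree(buf);
-+ return -1;
-+ }
-- if (iph1->frag_chain == NULL) {
-- iph1->frag_chain = item;
-- } else {
-- struct isakmp_frag_item *current;
-+ last_frag = iph1->frag_last_index = item->frag_num;
-+ }
-- current = iph1->frag_chain;
-- while (current->frag_next) {
-- if (current->frag_last)
-- last_frag = item->frag_num;
-- current = current->frag_next;
-- }
-- current->frag_next = item;
-+ /* insert fragment into chain */
-+ if (isakmp_frag_insert(iph1, item) == -1) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "Repeated fragment index mismatch\n");
-+ racoon_free(item);
-+ vfree(buf);
-+ return -1;
-}
-- /* If we saw the last frag, check if the chain is complete */
-+ /* If we saw the last frag, check if the chain is complete
-+ * we have a sorted list now, so just walk through */
-if (last_frag != 0) {
-+ item = iph1->frag_chain;
-for (i = 1; i <= last_frag; i++) {
-- item = iph1->frag_chain;
-- do {
-- if (item->frag_num == i)
-- break;
-- item = item->frag_next;
-- } while (item != NULL);
--
-+ if (item->frag_num != i)
-+ break;
-+ item = item->frag_next;
-if (item == NULL) /* Not found */
-break;
-}
-- if (item != NULL) /* It is complete */
-+ if (i > last_frag) /* It is complete */
-return 1;
-}
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
-}
-data = buf->v;
-+ item = iph1->frag_chain;
-for (i = 1; i <= frag_count; i++) {
-- item = iph1->frag_chain;
-- do {
-- if (item->frag_num == i)
-- break;
-- item = item->frag_next;
-- } while (item != NULL);
--
-- if (item == NULL) {
-+ if (item->frag_num != i) {
-plog(LLV_ERROR, LOCATION, NULL,
-"Missing fragment #%d\n", i);
-vfree(buf);
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
-}
-memcpy(data, item->frag_packet->v, item->frag_packet->l);
-data += item->frag_packet->l;
-+ item = item->frag_next;
-}
-out:
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
-#endif
-#ifdef ENABLE_FRAG
-iph1->frag = 0;
-+ iph1->frag_last_index = 0;
-iph1->frag_chain = NULL;
-#endif
-Index: ipsec-tools-0.8.2/src/racoon/isakmp.c
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp.c
-@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
-iph1->frag = 1;
-else
-iph1->frag = 0;
-+ iph1->frag_last_index = 0;
-iph1->frag_chain = NULL;
-#endif
-iph1->approval = NULL;
-@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et
-#endif
-#ifdef ENABLE_FRAG
-iph1->frag = 0;
-+ iph1->frag_last_index = 0;
-iph1->frag_chain = NULL;
-#endif
-iph1->approval = NULL;
-Index: ipsec-tools-0.8.2/src/racoon/handler.h
-===================================================================
---- ipsec-tools-0.8.2.orig/src/racoon/handler.h
-+++ ipsec-tools-0.8.2/src/racoon/handler.h
-@@ -1,4 +1,4 @@
--/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
-+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
-/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
-@@ -141,6 +141,7 @@ struct ph1handle {
-#endif
-#ifdef ENABLE_FRAG
-int frag; /* IKE phase 1 fragmentation */
-+ int frag_last_index;
-struct isakmp_frag_item *frag_chain; /* Received fragments */
-#endif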
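--- a/net/ipsec-tools/patches/012-fix-implicit-int.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/racoon/isakmp_xauth.c
-+++ b/src/racoon/isakmp_xauth.c
-@@ -376,6 +376,7 @@ xauth_reply(iph1, port, id, res)
-struct ph1handle *iph1;
-int port;
-int id;
-+ int res;
-{
-struct xauth_state *xst = &iph1->mode_cfg->xauth;
-char *usr = xst->authdata.generic.usr;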
+ 0
- 1096
net/ipsec-tools/patches/015-openssl-1.1.patch
File diff suppressed because it is too large


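--- a/net/ipsec-tools/patches/020-openssl-deprecated.patch
+++ /dev/null
@@ -1,21 +0,0 @@
---- a/src/racoon/crypto_openssl.c
-+++ b/src/racoon/crypto_openssl.c
-@@ -1087,7 +1087,7 @@ eay_strerror()
-int line, flags;
-unsigned long es;
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */
-#else
-es = CRYPTO_thread_id();
---- a/src/racoon/openssl_compat.h
-+++ b/src/racoon/openssl_compat.h
-@@ -5,6 +5,7 @@
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#include <openssl/rsa.h>
-+#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/evp.h>
-#include <openssl/hmac.h>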