mirror of
https://git.rtems.org/rtems-libbsd/
synced 2025-07-24 01:19:44 +08:00
ipsec-tools: Apply patches from FreeBSD ports.
Source: https://svnweb.freebsd.org/ports/head/security/ipsec-tools/files/ revision 468617.
This commit is contained in:
parent
ff36f5e409
commit
8645c9d720
@ -85,7 +85,7 @@ struct pfkey_send_sa_args {
|
||||
u_int32_t seq;
|
||||
u_int8_t l_natt_type;
|
||||
u_int16_t l_natt_sport, l_natt_dport;
|
||||
struct sockaddr *l_natt_oa;
|
||||
struct sockaddr *l_natt_oai, *l_natt_oar;
|
||||
u_int16_t l_natt_frag;
|
||||
u_int8_t ctxdoi, ctxalg; /* Security context DOI and algorithm */
|
||||
caddr_t ctxstr; /* Security context string */
|
||||
|
@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
|
||||
len += sizeof(struct sadb_x_nat_t_type);
|
||||
len += sizeof(struct sadb_x_nat_t_port);
|
||||
len += sizeof(struct sadb_x_nat_t_port);
|
||||
if (sa_parms->l_natt_oa)
|
||||
if (sa_parms->l_natt_oai)
|
||||
len += sizeof(struct sadb_address) +
|
||||
PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa));
|
||||
PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai));
|
||||
if (sa_parms->l_natt_oar)
|
||||
len += sizeof(struct sadb_address) +
|
||||
PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar));
|
||||
#ifdef SADB_X_EXT_NAT_T_FRAG
|
||||
if (sa_parms->l_natt_frag)
|
||||
len += sizeof(struct sadb_x_nat_t_frag);
|
||||
@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (sa_parms->l_natt_oa) {
|
||||
p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
|
||||
sa_parms->l_natt_oa,
|
||||
(u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)),
|
||||
if (sa_parms->l_natt_oai) {
|
||||
p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI,
|
||||
sa_parms->l_natt_oai,
|
||||
(u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)),
|
||||
IPSEC_ULPROTO_ANY);
|
||||
if (!p) {
|
||||
free(newmsg);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (sa_parms->l_natt_oar) {
|
||||
p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR,
|
||||
sa_parms->l_natt_oar,
|
||||
(u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)),
|
||||
IPSEC_ULPROTO_ANY);
|
||||
if (!p) {
|
||||
free(newmsg);
|
||||
@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_t *mhp)
|
||||
case SADB_X_EXT_NAT_T_TYPE:
|
||||
case SADB_X_EXT_NAT_T_SPORT:
|
||||
case SADB_X_EXT_NAT_T_DPORT:
|
||||
case SADB_X_EXT_NAT_T_OA:
|
||||
case SADB_X_EXT_NAT_T_OAI:
|
||||
case SADB_X_EXT_NAT_T_OAR:
|
||||
#endif
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
case SADB_X_EXT_TAG:
|
||||
@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int satype, u_int mode, struct sockaddr *src,
|
||||
psaa.l_natt_type = l_natt_type;
|
||||
psaa.l_natt_sport = l_natt_sport;
|
||||
psaa.l_natt_dport = l_natt_dport;
|
||||
psaa.l_natt_oa = l_natt_oa;
|
||||
psaa.l_natt_oar = l_natt_oa;
|
||||
psaa.l_natt_frag = l_natt_frag;
|
||||
|
||||
return pfkey_send_update2(&psaa);
|
||||
@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype, u_int mode, struct sockaddr *src,
|
||||
psaa.l_natt_type = l_natt_type;
|
||||
psaa.l_natt_sport = l_natt_sport;
|
||||
psaa.l_natt_dport = l_natt_dport;
|
||||
psaa.l_natt_oa = l_natt_oa;
|
||||
psaa.l_natt_oai = l_natt_oa;
|
||||
psaa.l_natt_frag = l_natt_frag;
|
||||
|
||||
return pfkey_send_add2(&psaa);
|
||||
|
@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
|
||||
gss_name_t princ, canon_princ;
|
||||
OM_uint32 maj_stat, min_stat;
|
||||
|
||||
if (iph1->rmconf == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
|
||||
if (gps == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
|
||||
/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
|
||||
|
||||
/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
|
||||
|
||||
@ -141,6 +141,7 @@ struct ph1handle {
|
||||
#endif
|
||||
#ifdef ENABLE_FRAG
|
||||
int frag; /* IKE phase 1 fragmentation */
|
||||
int frag_last_index;
|
||||
struct isakmp_frag_item *frag_chain; /* Received fragments */
|
||||
#endif
|
||||
|
||||
|
@ -1069,6 +1069,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
|
||||
iph1->frag = 1;
|
||||
else
|
||||
iph1->frag = 0;
|
||||
iph1->frag_last_index = 0;
|
||||
iph1->frag_chain = NULL;
|
||||
#endif
|
||||
iph1->approval = NULL;
|
||||
@ -1173,6 +1174,7 @@ isakmp_ph1begin_r(msg, remote, local, etype)
|
||||
#endif
|
||||
#ifdef ENABLE_FRAG
|
||||
iph1->frag = 0;
|
||||
iph1->frag_last_index = 0;
|
||||
iph1->frag_chain = NULL;
|
||||
#endif
|
||||
iph1->approval = NULL;
|
||||
|
@ -38,7 +38,9 @@
|
||||
#include <sys/socket.h>
|
||||
#include <sys/queue.h>
|
||||
|
||||
#if __FreeBSD_version >= 900007
|
||||
#include <utmpx.h>
|
||||
#endif
|
||||
#if defined(__APPLE__) && defined(__MACH__)
|
||||
#include <util.h>
|
||||
#endif
|
||||
@ -1663,6 +1665,7 @@ isakmp_cfg_accounting_system(port, raddr, usr, inout)
|
||||
char *usr;
|
||||
int inout;
|
||||
{
|
||||
#if __FreeBSD_version >= 900007
|
||||
int error = 0;
|
||||
struct utmpx ut;
|
||||
char addr[NI_MAXHOST];
|
||||
@ -1706,6 +1709,7 @@ isakmp_cfg_accounting_system(port, raddr, usr, inout)
|
||||
plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
|
||||
/* $NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $ */
|
||||
|
||||
/* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
|
||||
|
||||
@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
|
||||
return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
|
||||
}
|
||||
|
||||
static int
|
||||
isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
|
||||
{
|
||||
struct isakmp_frag_item *pitem = NULL;
|
||||
struct isakmp_frag_item *citem = iph1->frag_chain;
|
||||
|
||||
/* no frag yet, just insert at beginning of list */
|
||||
if (iph1->frag_chain == NULL) {
|
||||
iph1->frag_chain = item;
|
||||
return 0;
|
||||
}
|
||||
|
||||
do {
|
||||
/* duplicate fragment number, abort (CVE-2016-10396) */
|
||||
if (citem->frag_num == item->frag_num)
|
||||
return -1;
|
||||
|
||||
/* need to insert before current item */
|
||||
if (citem->frag_num > item->frag_num) {
|
||||
if (pitem != NULL)
|
||||
pitem->frag_next = item;
|
||||
else
|
||||
/* insert at the beginning of the list */
|
||||
iph1->frag_chain = item;
|
||||
item->frag_next = citem;
|
||||
return 0;
|
||||
}
|
||||
|
||||
pitem = citem;
|
||||
citem = citem->frag_next;
|
||||
} while (citem != NULL);
|
||||
|
||||
/* we reached the end of the list, insert */
|
||||
pitem->frag_next = item;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
isakmp_frag_extract(iph1, msg)
|
||||
struct ph1handle *iph1;
|
||||
@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
|
||||
item->frag_next = NULL;
|
||||
item->frag_packet = buf;
|
||||
|
||||
/* Look for the last frag while inserting the new item in the chain */
|
||||
if (item->frag_last)
|
||||
last_frag = item->frag_num;
|
||||
|
||||
if (iph1->frag_chain == NULL) {
|
||||
iph1->frag_chain = item;
|
||||
} else {
|
||||
struct isakmp_frag_item *current;
|
||||
|
||||
current = iph1->frag_chain;
|
||||
while (current->frag_next) {
|
||||
if (current->frag_last)
|
||||
last_frag = item->frag_num;
|
||||
current = current->frag_next;
|
||||
/* Check for the last frag before inserting the new item in the chain */
|
||||
if (item->frag_last) {
|
||||
/* if we have the last fragment, indices must match */
|
||||
if (iph1->frag_last_index != 0 &&
|
||||
item->frag_last != iph1->frag_last_index) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"Repeated last fragment index mismatch\n");
|
||||
racoon_free(item);
|
||||
vfree(buf);
|
||||
return -1;
|
||||
}
|
||||
current->frag_next = item;
|
||||
|
||||
last_frag = iph1->frag_last_index = item->frag_num;
|
||||
}
|
||||
|
||||
/* If we saw the last frag, check if the chain is complete */
|
||||
if (last_frag != 0) {
|
||||
for (i = 1; i <= last_frag; i++) {
|
||||
item = iph1->frag_chain;
|
||||
do {
|
||||
if (item->frag_num == i)
|
||||
break;
|
||||
item = item->frag_next;
|
||||
} while (item != NULL);
|
||||
/* insert fragment into chain */
|
||||
if (isakmp_frag_insert(iph1, item) == -1) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"Repeated fragment index mismatch\n");
|
||||
racoon_free(item);
|
||||
vfree(buf);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* If we saw the last frag, check if the chain is complete
|
||||
* we have a sorted list now, so just walk through */
|
||||
if (last_frag != 0) {
|
||||
item = iph1->frag_chain;
|
||||
for (i = 1; i <= last_frag; i++) {
|
||||
if (item->frag_num != i)
|
||||
break;
|
||||
item = item->frag_next;
|
||||
if (item == NULL) /* Not found */
|
||||
break;
|
||||
}
|
||||
|
||||
if (item != NULL) /* It is complete */
|
||||
if (i > last_frag) /* It is complete */
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
|
||||
}
|
||||
data = buf->v;
|
||||
|
||||
item = iph1->frag_chain;
|
||||
for (i = 1; i <= frag_count; i++) {
|
||||
item = iph1->frag_chain;
|
||||
do {
|
||||
if (item->frag_num == i)
|
||||
break;
|
||||
item = item->frag_next;
|
||||
} while (item != NULL);
|
||||
|
||||
if (item == NULL) {
|
||||
if (item->frag_num != i) {
|
||||
plog(LLV_ERROR, LOCATION, NULL,
|
||||
"Missing fragment #%d\n", i);
|
||||
vfree(buf);
|
||||
@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
|
||||
}
|
||||
memcpy(data, item->frag_packet->v, item->frag_packet->l);
|
||||
data += item->frag_packet->l;
|
||||
item = item->frag_next;
|
||||
}
|
||||
|
||||
out:
|
||||
|
@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, local, type, data)
|
||||
#endif
|
||||
#ifdef ENABLE_FRAG
|
||||
iph1->frag = 0;
|
||||
iph1->frag_last_index = 0;
|
||||
iph1->frag_chain = NULL;
|
||||
#endif
|
||||
|
||||
|
@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
|
||||
spidx.src.ss_family, spidx.dst.ss_family,
|
||||
_XIDT(iph2->id_p),idi2type);
|
||||
}
|
||||
#ifdef ENABLE_NATT
|
||||
if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
|
||||
u_int16_t port;
|
||||
|
||||
port = extract_port(&spidx.src);
|
||||
memcpy(&spidx.src, iph2->ph1->remote,
|
||||
sysdep_sa_len(iph2->ph1->remote));
|
||||
set_port(&spidx.src, port);
|
||||
switch (spidx.src.ss_family) {
|
||||
case AF_INET:
|
||||
spidx.prefs = sizeof(struct in_addr) << 3;
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
spidx.prefs = sizeof(struct in6_addr) << 3;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
spidx.prefs = 0;
|
||||
break;
|
||||
}
|
||||
plog(LLV_DEBUG, LOCATION,
|
||||
NULL, "use NAT address %s as src\n",
|
||||
saddr2str((struct sockaddr *)&spidx.src));
|
||||
}
|
||||
#endif
|
||||
} else {
|
||||
plog(LLV_DEBUG, LOCATION, NULL,
|
||||
"get a source address of SP index from Phase 1"
|
||||
|
@ -207,7 +207,8 @@ getpsk(str, len)
|
||||
if (*p == '\0')
|
||||
continue; /* no 2nd parameter */
|
||||
p--;
|
||||
if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
|
||||
if (strcmp(buf, "*") == 0
|
||||
|| (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
|
||||
p++;
|
||||
keylen = 0;
|
||||
for (q = p; *q != '\0' && *q != '\n'; q++)
|
||||
|
@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle *iph1)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
/* Should only the NATed host send keepalives?
|
||||
If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
|
||||
to the following condition. */
|
||||
if (iph1->natt_flags & NAT_DETECTED &&
|
||||
if (iph1->natt_flags & NAT_DETECTED_ME &&
|
||||
! (iph1->natt_flags & NAT_KA_QUEUED)) {
|
||||
ret = natt_keepalive_add (iph1->local, iph1->remote);
|
||||
if (ret == 0)
|
||||
|
@ -1190,7 +1190,10 @@ pk_sendupdate(iph2)
|
||||
sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
|
||||
sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
|
||||
sa_args.l_natt_dport = extract_port(iph2->ph1->local);
|
||||
sa_args.l_natt_oa = iph2->natoa_src;
|
||||
/* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */
|
||||
sa_args.l_natt_oai = iph2->natoa_dst;
|
||||
/* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */
|
||||
sa_args.l_natt_oar = iph2->natoa_src;
|
||||
#ifdef SADB_X_EXT_NAT_T_FRAG
|
||||
sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
|
||||
#endif
|
||||
@ -1477,7 +1480,6 @@ pk_sendadd(iph2)
|
||||
sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
|
||||
sa_args.l_natt_sport = extract_port(iph2->ph1->local);
|
||||
sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
|
||||
sa_args.l_natt_oa = iph2->natoa_dst;
|
||||
#ifdef SADB_X_EXT_NAT_T_FRAG
|
||||
sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
|
||||
#endif
|
||||
|
Loading…
x
Reference in New Issue
Block a user