
[PATCH] isakmpd issues.



Old 02-18-2008, 07:32 AM
Jean-Francois Dive
 

Hello Akan, all,

Here are 2 patches for isakmpd, both made on the latest CVS as of today.

In constants.c, constant_lookup() returns 0 if it does not find
any value-to-string conversion in the constants. The problem is that the
result is not checked in some places around the code. Even worse, this
happens in notification parsing (isakmp_responder and ipsec_responder),
which means that even an unauthenticated packet could trigger the problem
(assuming potential middle traffic sniffing to know the cookies if
needed; I had no time to check it out). The proposed solution is somewhat
ugly: use a safe_constant_lookup which returns "unknown %d" in a static
buffer (this is the ugly part); it depends on how you see these functions
should be used.

The second patch add support for fine grained selectors for linux native
ipsec (add proto, sport and dport).

Cheers,

JeF


<----- constant pactch ------->
Index: constants.c
================================================== =================
RCS file: /mnt/u/cvs/isakmpd/constants.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 constants.c
--- constants.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ constants.c 27 Jul 2003 14:44:39 -0000
@@ -36,6 +36,8 @@

#include "constants.h"

+static char tmp_buf[30];
+
int
constant_value (struct constant_map *map, char *name)
{
@@ -58,6 +60,18 @@
return 0;
}

+char *
+safe_constant_lookup (struct constant_map *map, int value)
+{
+ struct constant_map *entry = map;
+
+ for (entry = map; entry->name; entry++)
+ if (entry->value == value)
+ return entry->name;
+ snprintf(tmp_buf, 30, "unknown %d", value);
+ return tmp_buf;
+}
+
struct constant_map *
constant_link_lookup (struct constant_map *map, int value)
{
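Review bot: safe_constant_lookup returns a pointer into the single file-scope `tmp_buf` on every miss, so a caller that performs two lookups in one log statement, or keeps the pointer across a later call, only sees the most recent "unknown %d" text. None of the call sites converted in this patch does that, but the contract should be written down above the function, e.g. `/* Never returns NULL; on a miss the result points to a static buffer that the next miss overwrites. */`. The buffer size is spelled twice (`tmp_buf[30]` and the literal 30), and `snprintf (tmp_buf, sizeof tmp_buf, "unknown %d", value);` keeps the two in step. `entry` is also initialised twice, once in its declaration and again in the `for` header.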
Index: constants.h
================================================== =================
RCS file: /mnt/u/cvs/isakmpd/constants.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 constants.h
--- constants.h 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ constants.h 27 Jul 2003 14:44:57 -0000
@@ -40,6 +40,7 @@

struct constant_map *constant_link_lookup (struct constant_map *, int);
extern char *constant_lookup (struct constant_map *, int);
+extern char *safe_constant_lookup (struct constant_map *, int);
extern char *constant_name (struct constant_map *, int);
extern char *constant_name_maps (struct constant_map **, int);
extern int constant_value (struct constant_map *, char *);
Index: exchange.c
================================================== =================
RCS file: /mnt/u/cvs/isakmpd/exchange.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 exchange.c
--- exchange.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ exchange.c 27 Jul 2003 14:45:22 -0000
@@ -1100,7 +1100,7 @@
{
log_print ("exchange_setup_p1: expected exchange type %s got %s",
str,
- constant_lookup (isakmp_exch_cst,
+ safe_constant_lookup (isakmp_exch_cst,
GET_ISAKMP_HDR_EXCH_TYPE (msg->iov[0]
.iov_base)));
return 0;
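Review bot: `str` is passed to a `%s` in the same format string as the converted lookup, and its assignment is outside the hunk, so if it can be NULL (for example from another unchecked `constant_lookup`) the NULL-to-`%s` problem the patch targets remains on this line. The same applies to `str` in the ike_phase_1.c hunk (`attribute_unacceptable`). Both should be confirmed non-NULL at the point of logging or given the same fallback. Since the description says the unchecked result occurs "in some places", it is also worth checking the remaining `constant_lookup (` callers whose result feeds a format string, to see whether the five sites converted here are the full set.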
Index: ike_auth.c
================================================== =================
RCS file: /mnt/u/cvs/isakmpd/ike_auth.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 ike_auth.c
--- ike_auth.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ ike_auth.c 27 Jul 2003 14:45:37 -0000
@@ -682,7 +682,7 @@
{
LOG_DBG ((LOG_MISC, 30,
"rsa_sig_decode_hash: no handler for %s CERT encoding",
- constant_lookup (isakmp_certenc_cst,
+ safe_constant_lookup (isakmp_certenc_cst,
GET_ISAKMP_CERT_ENCODING (p->p))));
continue;
}
Index: ike_phase_1.c
================================================== =================
RCS file: /mnt/u/cvs/isakmpd/ike_phase_1.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 ike_phase_1.c
--- ike_phase_1.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ ike_phase_1.c 27 Jul 2003 14:45:50 -0000
@@ -1258,7 +1258,7 @@
}
LOG_DBG ((LOG_NEGOTIATION, 70,
"attribute_unacceptable: %s: got %s, expected %s", tag,
- constant_lookup (map, decode_16 (value)), str));
+ safe_constant_lookup (map, decode_16 (value)), str));
return 1;

case IKE_ATTR_GROUP_PRIME:
Index: ipsec.c
================================================== =================
RCS file: /mnt/u/cvs/isakmpd/ipsec.c,v
retrieving revision 1.3
diff -u -r1.3 ipsec.c
--- ipsec.c 22 Jul 2003 14:53:29 -0000 1.3
+++ ipsec.c 27 Jul 2003 14:46:10 -0000
@@ -1097,7 +1097,7 @@
type = GET_ISAKMP_NOTIFY_MSG_TYPE (p->p);
LOG_DBG ((LOG_EXCHANGE, 10,
"ipsec_responder: got NOTIFY of type %s",
- constant_lookup (isakmp_notify_cst, type)));
+ safe_constant_lookup (isakmp_notify_cst, type)));

if (type == ISAKMP_NOTIFY_INVALID_SPI)
ipsec_invalid_spi (msg, p);
Index: isakmp_doi.c
================================================== =================
RCS file: /mnt/u/cvs/isakmpd/isakmp_doi.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 isakmp_doi.c
--- isakmp_doi.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ isakmp_doi.c 27 Jul 2003 14:46:29 -0000
@@ -237,7 +237,7 @@
{
LOG_DBG ((LOG_EXCHANGE, 10,
"isakmp_responder: got NOTIFY of type %s, ignoring",
- constant_lookup (isakmp_notify_cst,
+ safe_constant_lookup (isakmp_notify_cst,
GET_ISAKMP_NOTIFY_MSG_TYPE (p->p))));
p->flags |= PL_MARK;
}




<------ linux-fine-grained ----->
--- ../isakmpd.upstream.cvs/pf_key_v2.c 2003-07-27 16:47:46.000000000
+0200
+++ ./pf_key_v2.c 2003-07-27 16:55:51.000000000 +0200
@@ -2042,9 +2042,17 @@
goto cleanup;
addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifdef LINUX_IPSEC
+ addr->sadb_address_proto = tproto;
+#else
addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
+#endif
addr->sadb_address_reserved = 0;
+#ifdef LINUX_IPSEC
+ pf_key_v2_setup_sockaddr (addr + 1, laddr, 0, sport, 0);
+#else
pf_key_v2_setup_sockaddr (addr + 1, laddr, 0, IPSEC_PORT_ANY, 0);
+#endif
switch (laddr->sa_family)
{
case AF_INET:
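Review bot: The declarations and default values of `tproto` and `sport` (and `dport` in the DST hunk below) are outside both hunks, yet under LINUX_IPSEC they now replace `IPSEC_ULPROTO_ANY` / `IPSEC_PORT_ANY` unconditionally. If a connection has no protocol or port configured, these variables must still evaluate to the ANY constants, otherwise the installed flow could be narrower than intended and traffic might not match it. The byte order that `pf_key_v2_setup_sockaddr` expects for its port argument should be confirmed as well. A comment above the first `#ifdef`, e.g. `/* Linux native IPsec: per-flow proto/port selectors; unset must mean ANY. */`, would record the assumption. The two adjacent `#ifdef LINUX_IPSEC` pairs per address could also be merged into one block to reduce preprocessor noise.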
@@ -2069,9 +2077,17 @@
goto cleanup;
addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifdef LINUX_IPSEC
+ addr->sadb_address_proto = tproto;
+#else
addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
+#endif
addr->sadb_address_reserved = 0;
+#ifdef LINUX_IPSEC
+ pf_key_v2_setup_sockaddr (addr + 1, raddr, 0, dport, 0);
+#else
pf_key_v2_setup_sockaddr (addr + 1, raddr, 0, IPSEC_PORT_ANY, 0);
+#endif
switch (raddr->sa_family)
{
case AF_INET:
