Index: branches/2018Q2/security/ipsec-tools/Makefile =================================================================== --- branches/2018Q2/security/ipsec-tools/Makefile (revision 467374) +++ branches/2018Q2/security/ipsec-tools/Makefile (revision 467375) @@ -1,102 +1,104 @@ # Created by: vanhu # $FreeBSD$ # TODO: - libipsec issue ? # - cleanup... # - SYSCONFDIR # - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey PORTNAME= ipsec-tools PORTVERSION= 0.8.2 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MASTER_SITES= SF MAINTAINER= vanhu@FreeBSD.org COMMENT= KAME racoon IKE daemon, ipsec-tools version + +LICENSE= BSD3CLAUSE CONFLICTS= racoon-[0-9]* USE_RC_SUBR= racoon INSTALL_TARGET= install-strip USES= libtool tar:bzip2 ssl GNU_CONFIGURE= yes USE_LDCONFIG= yes CONFIGURE_ARGS= --enable-shared --sysconfdir=${PREFIX}/etc/racoon \ --localstatedir=${STATEDIR:S/\/racoon//} \ --with-pkgversion=freebsd-${PORTVERSION} STATEDIR= /var/db/racoon SUB_LIST+= STATEDIR=${STATEDIR} PLIST_SUB+= STATEDIR=${STATEDIR} OPTIONS_DEFINE= DEBUG IPV6 ADMINPORT STATS DPD NATT NATTF FRAG HYBRID PAM \ RADIUS LDAP GSSAPI SAUNSPEC RC5 IDEA DOCS EXAMPLES WCPSKEY OPTIONS_DEFAULT= DEBUG DPD NATT FRAG HYBRID ADMINPORT_DESC= Enable Admin port STATS_DESC= Statistics logging function DPD_DESC= Dead Peer Detection NATT_DESC= NAT-Traversal (kernel-patch required before 11.0-STABLE) NATTF_DESC= require NAT-Traversal (fail without kernel-patch) FRAG_DESC= IKE fragmentation payload support HYBRID_DESC= Hybrid, Xauth and Mode-cfg support SAUNSPEC_DESC= Unspecified SA mode RC5_DESC= RC5 encryption (patented) IDEA_DESC= IDEA encryption (patented) PAM_DESC= PAM authentication (Xauth server) RADIUS_DESC= Radius authentication (Xauth server) LDAP_DESC= LDAP authentication (Xauth server) WCPSKEY_DESC= Allow wildcard matching for pre-shared keys PORTDOCS= * PORTEXAMPLES= * DEBUG_CONFIGURE_ENABLE= debug IPV6_CONFIGURE_ENABLE= ipv6 ADMINPORT_CONFIGURE_ENABLE=adminport STATS_CONFIGURE_ENABLE= stats DPD_CONFIGURE_ENABLE= dpd NATTF_VARS= NATT=yes NATTF_VARS_OFF= NATT=kernel NATT_CONFIGURE_ON= --enable-natt=${NATT} --enable-natt-versions=rfc NATT_CONFIGURE_OFF= --disable-natt FRAG_CONFIGURE_ENABLE= frag HYBRID_CONFIGURE_ENABLE=hybrid PAM_CONFIGURE_WITH= libpam GSSAPI_USES= iconv GSSAPI_CFLAGS= -I${LOCALBASE}/include GSSAPI_LDFLAGS= -L${LOCALBASE}/lib GSSAPI_CONFIGURE_ENABLE=gssapi RADIUS_CONFIGURE_WITH= libradius LDAP_USE= OPENLDAP=yes LDAP_CONFIGURE_ON= --with-libldap=${LOCALBASE} LDAP_CONFIGURE_OFF= --without-libldap SAUNSPEC_CONFIGURE_ENABLE= samode-unspec RC5_CONFIGURE_ENABLE= rc5 IDEA_CONFIGURE_ENABLE= idea WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff post-patch: @${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure post-install: @${MKDIR} ${STAGEDIR}/${PREFIX}/etc/racoon @if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \ ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \ ${ECHO_MSG} " You must build the kernel if you want to run racoon on the host"; \ fi ; post-install-EXAMPLES-on: @${MKDIR} ${STAGEDIR}/${EXAMPLESDIR} @${RM} ${WRKSRC}/src/racoon/samples/*.in @${CP} -r ${WRKSRC}/src/racoon/samples/* ${STAGEDIR}/${EXAMPLESDIR} post-install-DOCS-on: @${MKDIR} ${STAGEDIR}/${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${STAGEDIR}/${DOCSDIR} .include Index: branches/2018Q2/security/ipsec-tools/files/patch-handler.c =================================================================== --- branches/2018Q2/security/ipsec-tools/files/patch-handler.c (nonexistent) +++ branches/2018Q2/security/ipsec-tools/files/patch-handler.c (revision 467375) @@ -0,0 +1,22 @@ +Index: src/racoon/handler.h +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v +retrieving revision 1.25 +retrieving revision 1.26 +diff -p -u -r1.25 -r1.26 +--- src/racoon/handler.h 17 Nov 2010 10:40:41 -0000 1.25 ++++ src/racoon/handler.h 24 Jan 2017 19:23:56 -0000 1.26 +@@ -1,4 +1,4 @@ +-/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */ ++/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */ + + /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */ + +@@ -141,6 +141,7 @@ struct ph1handle { + #endif + #ifdef ENABLE_FRAG + int frag; /* IKE phase 1 fragmentation */ ++ int frag_last_index; + struct isakmp_frag_item *frag_chain; /* Received fragments */ + #endif + Property changes on: branches/2018Q2/security/ipsec-tools/files/patch-handler.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2018Q2/security/ipsec-tools/files/patch-isakmp.c =================================================================== --- branches/2018Q2/security/ipsec-tools/files/patch-isakmp.c (nonexistent) +++ branches/2018Q2/security/ipsec-tools/files/patch-isakmp.c (revision 467375) @@ -0,0 +1,30 @@ +Index: src/racoon/isakmp.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v +retrieving revision 1.75 +retrieving revision 1.76 +diff -p -u -r1.75 -r1.76 +--- src/racoon/isakmp.c 9 Mar 2016 22:27:17 -0000 1.75 ++++ src/racoon/isakmp.c 24 Jan 2017 19:23:56 -0000 1.76 +@@ -1,4 +1,4 @@ +-/* $NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $ */ ++/* $NetBSD: isakmp.c,v 1.76 2017/01/24 19:23:56 christos Exp $ */ + + /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ + +@@ -1077,6 +1077,7 @@ isakmp_ph1begin_i(rmconf, remote, local) + iph1->frag = 1; + else + iph1->frag = 0; ++ iph1->frag_last_index = 0; + iph1->frag_chain = NULL; + #endif + iph1->approval = NULL; +@@ -1181,6 +1182,7 @@ isakmp_ph1begin_r(msg, remote, local, et + #endif + #ifdef ENABLE_FRAG + iph1->frag = 0; ++ iph1->frag_last_index = 0; + iph1->frag_chain = NULL; + #endif + iph1->approval = NULL; Property changes on: branches/2018Q2/security/ipsec-tools/files/patch-isakmp.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2018Q2/security/ipsec-tools/files/patch-isakmp_frag.c =================================================================== --- branches/2018Q2/security/ipsec-tools/files/patch-isakmp_frag.c (nonexistent) +++ branches/2018Q2/security/ipsec-tools/files/patch-isakmp_frag.c (revision 467375) @@ -0,0 +1,151 @@ +Index: src/racoon/isakmp_frag.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c,v +retrieving revision 1.5 +retrieving revision 1.7 +diff -p -u -r1.5 -r1.7 +--- src/racoon/isakmp_frag.c 22 Apr 2009 11:24:20 -0000 1.5 ++++ src/racoon/isakmp_frag.c 23 Jul 2017 05:40:27 -0000 1.7 +@@ -1,4 +1,4 @@ +-/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ ++/* $NetBSD: isakmp_frag.c,v 1.7 2017/07/23 05:40:27 christos Exp $ */ + + /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ + +@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) + return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); + } + ++static int ++isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) ++{ ++ struct isakmp_frag_item *pitem = NULL; ++ struct isakmp_frag_item *citem = iph1->frag_chain; ++ ++ /* no frag yet, just insert at beginning of list */ ++ if (iph1->frag_chain == NULL) { ++ iph1->frag_chain = item; ++ return 0; ++ } ++ ++ do { ++ /* duplicate fragment number, abort (CVE-2016-10396) */ ++ if (citem->frag_num == item->frag_num) ++ return -1; ++ ++ /* need to insert before current item */ ++ if (citem->frag_num > item->frag_num) { ++ if (pitem != NULL) ++ pitem->frag_next = item; ++ else ++ /* insert at the beginning of the list */ ++ iph1->frag_chain = item; ++ item->frag_next = citem; ++ return 0; ++ } ++ ++ pitem = citem; ++ citem = citem->frag_next; ++ } while (citem != NULL); ++ ++ /* we reached the end of the list, insert */ ++ pitem->frag_next = item; ++ return 0; ++} ++ + int + isakmp_frag_extract(iph1, msg) + struct ph1handle *iph1; +@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) + item->frag_next = NULL; + item->frag_packet = buf; + +- /* Look for the last frag while inserting the new item in the chain */ +- if (item->frag_last) +- last_frag = item->frag_num; ++ /* Check for the last frag before inserting the new item in the chain */ ++ if (item->frag_last) { ++ /* if we have the last fragment, indices must match */ ++ if (iph1->frag_last_index != 0 && ++ item->frag_last != iph1->frag_last_index) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "Repeated last fragment index mismatch\n"); ++ racoon_free(item); ++ vfree(buf); ++ return -1; ++ } + +- if (iph1->frag_chain == NULL) { +- iph1->frag_chain = item; +- } else { +- struct isakmp_frag_item *current; ++ last_frag = iph1->frag_last_index = item->frag_num; ++ } + +- current = iph1->frag_chain; +- while (current->frag_next) { +- if (current->frag_last) +- last_frag = item->frag_num; +- current = current->frag_next; +- } +- current->frag_next = item; ++ /* insert fragment into chain */ ++ if (isakmp_frag_insert(iph1, item) == -1) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "Repeated fragment index mismatch\n"); ++ racoon_free(item); ++ vfree(buf); ++ return -1; + } + +- /* If we saw the last frag, check if the chain is complete */ ++ /* If we saw the last frag, check if the chain is complete ++ * we have a sorted list now, so just walk through */ + if (last_frag != 0) { ++ item = iph1->frag_chain; + for (i = 1; i <= last_frag; i++) { +- item = iph1->frag_chain; +- do { +- if (item->frag_num == i) +- break; +- item = item->frag_next; +- } while (item != NULL); +- ++ if (item->frag_num != i) ++ break; ++ item = item->frag_next; + if (item == NULL) /* Not found */ + break; + } + +- if (item != NULL) /* It is complete */ ++ if (i > last_frag) /* It is complete */ + return 1; + } + +@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) + } + data = buf->v; + ++ item = iph1->frag_chain; + for (i = 1; i <= frag_count; i++) { +- item = iph1->frag_chain; +- do { +- if (item->frag_num == i) +- break; +- item = item->frag_next; +- } while (item != NULL); +- +- if (item == NULL) { ++ if (item->frag_num != i) { + plog(LLV_ERROR, LOCATION, NULL, + "Missing fragment #%d\n", i); + vfree(buf); +@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) + } + memcpy(data, item->frag_packet->v, item->frag_packet->l); + data += item->frag_packet->l; ++ item = item->frag_next; + } + + out: Property changes on: branches/2018Q2/security/ipsec-tools/files/patch-isakmp_frag.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2018Q2/security/ipsec-tools/files/patch-isakmp_inf.c =================================================================== --- branches/2018Q2/security/ipsec-tools/files/patch-isakmp_inf.c (nonexistent) +++ branches/2018Q2/security/ipsec-tools/files/patch-isakmp_inf.c (revision 467375) @@ -0,0 +1,22 @@ +Index: src/racoon/isakmp_inf.c +=================================================================== +RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v +retrieving revision 1.50 +retrieving revision 1.51 +diff -p -u -r1.50 -r1.51 +--- src/racoon/isakmp_inf.c 12 Apr 2013 09:53:10 -0000 1.50 ++++ src/racoon/isakmp_inf.c 24 Jan 2017 19:23:56 -0000 1.51 +@@ -1,4 +1,4 @@ +-/* $NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $ */ ++/* $NetBSD: isakmp_inf.c,v 1.51 2017/01/24 19:23:56 christos Exp $ */ + + /* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */ + +@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca + #endif + #ifdef ENABLE_FRAG + iph1->frag = 0; ++ iph1->frag_last_index = 0; + iph1->frag_chain = NULL; + #endif + Property changes on: branches/2018Q2/security/ipsec-tools/files/patch-isakmp_inf.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2018Q2 =================================================================== --- branches/2018Q2 (revision 467374) +++ branches/2018Q2 (revision 467375) Property changes on: branches/2018Q2 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r467313