author | Tudor Florea <tudor.florea@enea.com> | 2015-10-08 22:51:41 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-10-08 22:51:41 +0200 |
commit | 1219bf8a90a7bf8cd3a5363551ef635d51e8fc8e (patch) | |
tree | a21a5fc103bb3bd65ecd85ed22be5228fc54e447 /meta-networking/recipes-support/ipsec-tools/ipsec-tools | |
download | meta-openembedded-1219bf8a90a7bf8cd3a5363551ef635d51e8fc8e.tar.gz |
initial commit for Enea Linux 5.0 arm
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta-networking/recipes-support/ipsec-tools/ipsec-tools')
9 files changed, 526 insertions, 0 deletions
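--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0001-racoon-pfkey-avoid-potential-null-pointer-dereferenc.patch
@@ -0,0 +1,33 @@
+From 738a9857be9c92ad2f70be88ccee238e3154a936 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Wed, 2 Oct 2013 14:20:37 -0400
+Subject: [PATCH] racoon/pfkey: avoid potential null-pointer dereference
+
+Building with -Werror=maybe-uninitialized revealed that 'remote' from
+pk_recvmigrate() could be used with uninitialized data in
+migrate_sp_ike_addresses(). Ensure it is always at a minimum assigned
+NULL.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+src/racoon/pfkey.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
+index d00b166..e0dc1db 100644
+--- a/src/racoon/pfkey.c
++++ b/src/racoon/pfkey.c
+@@ -3352,7 +3352,7 @@ pk_recvmigrate(mhp)
+struct sockaddr *old_saddr, *new_saddr;
+struct sockaddr *old_daddr, *new_daddr;
+struct sockaddr *old_local, *old_remote;
+- struct sockaddr *local, *remote;
++ struct sockaddr *local, *remote = NULL;
+struct sadb_x_kmaddress *kmaddr;
+struct sadb_x_policy *xpl;
+struct sadb_x_ipsecrequest *xisr_list;
+--
+1.7.9.5
+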
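Review bot: Initialising `remote` to NULL (patch line 27) turns an uninitialised read into a deterministic NULL value, but whether the "null-pointer dereference" named in the subject is actually avoided depends on migrate_sp_ike_addresses() rejecting NULL, which this patch neither shows nor changes; pk_recvmigrate()'s body lies outside the hunk. `local` on the same declaration line stays uninitialised, so if it is assigned on the same conditional path the warning-driven fix is incomplete — worth confirming against the surrounding function. The commit message would be clearer if it stated the downstream handling explicitly, e.g. `migrate_sp_ike_addresses() treats a NULL remote as "no address", so a failed lookup is now rejected instead of read uninitialised.` (to be verified before wording it that way).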
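--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
@@ -0,0 +1,87 @@
+From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Wed, 5 Mar 2014 13:39:14 +0000
+Subject: [PATCH] Don't link against libfl
+
+We can remove all references to yywrap by adding "%option noyywrap" statements
+to each flex source file that doesn't override yywrap. After this, we no longer
+need to link against libfl and so no longer get errors about undefined
+references to yylex.
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Upstream-status: Submitted 2014-03-11
+see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
+---
+src/libipsec/Makefile.am | 1 -
+src/racoon/Makefile.am | 2 +-
+src/racoon/cftoken.l | 2 ++
+src/setkey/Makefile.am | 1 -
+src/setkey/token.l | 2 ++
+5 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
+index 6a4e3b3..df1e106 100644
+--- a/src/libipsec/Makefile.am
++++ b/src/libipsec/Makefile.am
+@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
+# version is current:revision:age.
+# See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
+libipsec_la_LDFLAGS = -version-info 0:1:0
+-libipsec_la_LIBADD = $(LEXLIB)
+
+noinst_HEADERS = ipsec_strerror.h
+
+diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
+index dbaded9..0662957 100644
+--- a/src/racoon/Makefile.am
++++ b/src/racoon/Makefile.am
+@@ -38,7 +38,7 @@ racoon_SOURCES = \
+cftoken.l cfparse.y prsa_tok.l prsa_par.y
+EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
+isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
+-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
++racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
+$(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
+racoon_DEPENDENCIES = \
+$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
+diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
+index 490242c..1701922 100644
+--- a/src/racoon/cftoken.l
++++ b/src/racoon/cftoken.l
+@@ -106,6 +106,8 @@ static int incstackp = 0;
+static int yy_first_time = 1;
+%}
+
++%option noyywrap
++
+/* common seciton */
+nl \n
+ws [ \t]+
+diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
+index 746c1f1..389e6cf 100644
+--- a/src/setkey/Makefile.am
++++ b/src/setkey/Makefile.am
+@@ -13,7 +13,6 @@ setkey_SOURCES = \
+
+setkey_LDFLAGS = ../libipsec/libipsec.la
+setkey_DEPENDENCIES = ../libipsec/libipsec.la
+-setkey_LDADD = $(LEXLIB)
+
+noinst_HEADERS = vchar.h extern.h
+man8_MANS = setkey.8
+diff --git a/src/setkey/token.l b/src/setkey/token.l
+index ad3d843..eb23b76 100644
+--- a/src/setkey/token.l
++++ b/src/setkey/token.l
+@@ -88,6 +88,8 @@
+#endif
+%}
+
++%option noyywrap
++
+/* common section */
+nl \n
+ws [ \t]+
+--
+1.9.0
+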
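Review bot: The status tag at patch line 12 is spelled `Upstream-status:` with a lowercase "s"; OpenEmbedded's patch checks look for the capitalised `Upstream-Status:` form, so this patch will be reported as having no status even though one was written. The accepted layer convention also carries the submission reference on the tag line itself rather than on a separate "see" line, e.g. `Upstream-Status: Submitted [http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797]`. The build change itself (dropping `$(LEXLIB)` once every scanner declares `%option noyywrap`) is self-consistent across the five files.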
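--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/configure.patch
@@ -0,0 +1,13 @@
+Index: ipsec-tools-0.8.1/configure.ac
+===================================================================
+--- ipsec-tools-0.8.1.orig/configure.ac 2013-01-08 12:43:29.000000000 +0000
++++ ipsec-tools-0.8.1/configure.ac 2014-07-18 07:51:30.045555880 +0000
+@@ -6,7 +6,7 @@
+AC_CONFIG_SRCDIR([configure.ac])
+AC_CONFIG_HEADERS(config.h)
+
+-AM_INIT_AUTOMAKE(dist-bzip2)
++AM_INIT_AUTOMAKE([foreign dist-bzip2])
+
+AC_ENABLE_SHARED(no)
+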
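Review bot: configure.patch carries no description, no `Upstream-Status:` tag and no Signed-off-by, so a reader cannot tell why `foreign` is being passed to AM_INIT_AUTOMAKE or whether the change was ever sent upstream; with-flexdir.patch in this same commit has the same gap. Presumably `foreign` is there to stop automake insisting on the GNU-standard files (NEWS, README, AUTHORS, ChangeLog) being present, but that should be stated rather than guessed. Suggest prepending a header along the lines of `Pass 'foreign' to AM_INIT_AUTOMAKE so the GNU-standard files are not required at autoreconf time.` followed by `Upstream-Status: Pending` and a `Signed-off-by:` line.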
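--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/glibc-2.20.patch
@@ -0,0 +1,23 @@
+squahes below warning
+warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
+
+Seen with glibc 2.20
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Pending
+Index: ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h
+===================================================================
+--- ipsec-tools-0.8.2.orig/src/include-glibc/glibc-bugs.h 2006-09-09 09:22:08.000000000 -0700
++++ ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h 2014-09-03 22:27:22.551563888 -0700
+@@ -4,7 +4,11 @@
+#define __GLIBC_BUGS_H__ 1
+
+#define _XOPEN_SOURCE 500
++/* Legacy feature macro.*/
+#define _BSD_SOURCE
++/* New feature macro that provides everything _BSD_SOURCE and
++ * _SVID_SOURCE provided and possibly more. */
++#define _DEFAULT_SOURCE
+
+#include <features.h>
+#include <sys/types.h>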
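Review bot: The description at patch line 1 reads `squahes below warning`; `Squashes the warning below` is meant, and a reader should not have to guess. The added comments (lines 16-19) explain what the macros are but not why `_BSD_SOURCE` is kept alongside `_DEFAULT_SOURCE` — presumably to keep older glibc builds working, since `_DEFAULT_SOURCE` is unknown there; a comment stating that, e.g. `/* _BSD_SOURCE is kept for glibc < 2.20, which does not know _DEFAULT_SOURCE. */`, would make the pairing deliberate rather than look like a leftover.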
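--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-Resend-UPDATE-message-when-received-EINTR-message.patch
@@ -0,0 +1,220 @@
+racoon: Resend UPDATE message when received EINTR message
+
+Upstream-Status: Pending
+
+While kernel is processing the UPDATE message which is sent from racoon,
+it maybe interrupted by system signal and if this case happens,
+kernel responds with an EINTR message to racoon and kernel fails to
+establish the corresponding SA.
+Fix this problem by resend the UPDATE message when EINTR(Interrupted
+system call) error happens.
+
+Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+---
+--- a/src/libipsec/libpfkey.h
++++ b/src/libipsec/libpfkey.h
+@@ -92,6 +92,12 @@
+u_int16_t ctxstrlen; /* length of security context string */
+};
+
++struct update_msg_info {
++ struct sadb_msg *update_msg;
++ int so;
++ int len;
++};
++
+/* The options built into libipsec */
+extern int libipsec_opt;
+#define LIBIPSEC_OPT_NATT 0x01
+--- a/src/libipsec/pfkey.c
++++ b/src/libipsec/pfkey.c
+@@ -1219,7 +1219,8 @@
+}
+#endif
+
+-
++struct update_msg_info update_msg_send = {NULL, 0, 0};
++
+/* sending SADB_ADD or SADB_UPDATE message to the kernel */
+static int
+pfkey_send_x1(struct pfkey_send_sa_args *sa_parms)
+@@ -1483,10 +1484,24 @@
+
+/* send message */
+len = pfkey_send(sa_parms->so, newmsg, len);
+- free(newmsg);
+
+- if (len < 0)
+- return -1;
++ if (newmsg->sadb_msg_type == SADB_UPDATE) {
++ if (update_msg_send.update_msg)
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = newmsg;
++ update_msg_send.so = sa_parms->so;
++ update_msg_send.len = len;
++
++ if (len < 0) {
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = NULL;
++ return -1;
++ }
++ } else {
++ free(newmsg);
++ if (len < 0)
++ return -1;
++ }
+
+__ipsec_errcode = EIPSEC_NO_ERROR;
+return len;
+--- a/src/racoon/session.c
++++ b/src/racoon/session.c
+@@ -100,6 +100,8 @@
+
+#include "sainfo.h"
+
++extern struct update_msg_info update_msg_send;
++
+struct fd_monitor {
+int (*callback)(void *ctx, int fd);
+void *ctx;
+@@ -348,6 +350,11 @@
+close_sockets();
+backupsa_clean();
+
++ if (update_msg_send.update_msg) {
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = NULL;
++ }
++
+plog(LLV_INFO, LOCATION, NULL, "racoon process %d shutdown\n", getpid());
+
+exit(0);
+--- a/src/racoon/pfkey.c
++++ b/src/racoon/pfkey.c
+@@ -103,10 +103,12 @@
+#include "crypto_openssl.h"
+#include "grabmyaddr.h"
++#include "../libipsec/libpfkey.h"
+
+#if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
+#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
+#endif
+
++extern struct update_msg_info update_msg_send;
+/* prototype */
+static u_int ipsecdoi2pfkey_aalg __P((u_int));
+static u_int ipsecdoi2pfkey_ealg __P((u_int));
+@@ -253,6 +255,13 @@
+s_pfkey_type(msg->sadb_msg_type),
+strerror(msg->sadb_msg_errno));
+
++ if (msg->sadb_msg_errno == EINTR &&
++ update_msg_send.update_msg) {
++ plog(LLV_DEBUG, LOCATION, NULL,
++ "pfkey update resend\n");
++ send(update_msg_send.so, (void *)update_msg_send.update_msg, (socklen_t)update_msg_send.len, 0);
++ }
++
+goto end;
+}
+
+@@ -498,6 +507,11 @@
+{
+flushsp();
+
++ if (update_msg_send.update_msg) {
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = NULL;
++ }
++
+if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
+plog(LLV_ERROR, LOCATION, NULL,
+"libipsec sending spddump failed: %s\n",
+@@ -1295,6 +1309,8 @@
+return 0;
+}
+
++int update_received = 0;
++
+static int
+pk_recvupdate(mhp)
+caddr_t *mhp;
+@@ -1307,6 +1323,13 @@
+int incomplete = 0;
+struct saproto *pr;
+
++ update_received = 1;
++
++ if (update_msg_send.update_msg) {
++ free(update_msg_send.update_msg);
++ update_msg_send.update_msg = NULL;
++ }
++
+/* ignore this message because of local test mode. */
+if (f_local)
+return 0;
+@@ -4163,3 +4186,8 @@
+
+return buf;
+}
++
++int receive_from_isakmp()
++{
++ return pfkey_handler(NULL, lcconf->sock_pfkey);
++}
+--- a/src/racoon/pfkey.h
++++ b/src/racoon/pfkey.h
+@@ -71,5 +71,6 @@
+extern u_int32_t pk_getseq __P((void));
+extern const char *sadbsecas2str
+__P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int));
++extern int receive_from_isakmp __P((void));
+
+#endif /* _PFKEY_H */
+--- a/src/racoon/isakmp_quick.c
++++ b/src/racoon/isakmp_quick.c
+@@ -774,6 +774,8 @@
+return error;
+}
+
++extern int update_received;
++
+/*
+* send to responder
+* HDR*, HASH(3)
+@@ -892,6 +894,11 @@
+}
+plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+
++ while (!update_received)
++ receive_from_isakmp();
++
++ update_received = 0;
++
+/* Do ADD for responder */
+if (pk_sendadd(iph2) < 0) {
+plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
+@@ -1035,6 +1042,11 @@
+}
+plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+
++ while (!update_received)
++ receive_from_isakmp();
++
++ update_received = 0;
++
+/* Do ADD for responder */
+if (pk_sendadd(iph2) < 0) {
+plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
+@@ -1989,6 +2001,11 @@
+}
+plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
+
++ while (!update_received)
++ receive_from_isakmp();
++
++ update_received = 0;
++
+/* Do ADD for responder */
+if (pk_sendadd(iph2) < 0) {
+plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");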
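Review bot: The wait loop `while (!update_received) receive_from_isakmp();` added to isakmp_quick.c (patch lines 189-190, and again at 201-202 and 213-214) has no exit other than a successful UPDATE reply: `update_received` is set only in pk_recvupdate(), while a kernel reply carrying any errno other than EINTR takes the `goto end` path in pfkey_handler() (line 118) without touching it, so as far as the hunk shows the phase-2 handler then spins re-reading the PF_KEY socket until some unrelated UPDATE arrives — a peer whose SA parameters the kernel rejects can stall the daemon. Both `update_received` and `update_msg_send` are single globals, so with several negotiations in flight an UPDATE reply for a different SA satisfies the wait, and re-entering pfkey_handler() from inside the quick-mode code dispatches ACQUIRE/EXPIRE and other messages recursively from a context that was not written for it. The resend itself (line 115) discards the return value of `send()` and is unbounded, so a kernel that keeps answering EINTR is retried forever. At minimum the error path should release the waiter, e.g. signalling failure through the flag (`update_received = -1;` next to the EINTR block) and having the three callers treat a negative value as "pfkey update failed" and bail out the way the existing `pk_sendadd()` failure does; a retry counter around the resend would bound the EINTR case. The enclosing functions in isakmp_quick.c start and end outside these hunks.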
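--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-ivm.patch
@@ -0,0 +1,26 @@
+Subject: [PATCH] ipsec-tools: racoon: check several invalid ivm
+
+Upstream-Status: Pending
+
+Add checking for invalid ivm, or it will crash racoon.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+isakmp_cfg.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
+--- a/src/racoon/isakmp_cfg.c
++++ b/src/racoon/isakmp_cfg.c
+@@ -171,6 +171,11 @@ isakmp_cfg_r(iph1, msg)
+iph1->mode_cfg->last_msgid != packet->msgid )
+iph1->mode_cfg->ivm =
+isakmp_cfg_newiv(iph1, packet->msgid);
++ if(iph1->mode_cfg->ivm == NULL) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "failed to create new IV\n");
++ return;
++ }
+ivm = iph1->mode_cfg->ivm;
+
+dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);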
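Review bot: `if(iph1->mode_cfg->ivm == NULL) {` at patch line 19 drops the space after `if` that the surrounding racoon code uses; suggest `if (iph1->mode_cfg->ivm == NULL) {`. Placing the check after the conditional `isakmp_cfg_newiv()` call rather than inside it is the right choice, since it also catches an `ivm` that was already NULL from an earlier failure before it reaches `oakley_do_decrypt()`. Because this path is driven by a peer's mode-config packet, the log line would be more useful for correlating a rejected message if it included the message id alongside `failed to create new IV`. The enclosing `if` and the rest of isakmp_cfg_r() lie outside the hunk.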
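--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoon-check-invalid-pointers.patch
@@ -0,0 +1,61 @@
+Subject: [PATCH] ipsec-tools: racoon: check several invalid pointers
+
+Upstream-Status: Pending
+
+Add checking for invalid pointers, or it will crash racoon.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ipsec_doi.c | 5 +++--
+isakmp_cfg.c | 7 +++++++
+isakmp_quick.c | 6 ++++--
+3 files changed, 14 insertions(+), 4 deletions(-)
+
+diff -urpN a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
+--- a/src/racoon/ipsec_doi.c
++++ b/src/racoon/ipsec_doi.c
+@@ -3374,8 +3374,9 @@ ipsecdoi_chkcmpids( idt, ids, exact )
+
+/* handle wildcard IDs */
+
+- if (idt == NULL || ids == NULL)
+- {
++ if (idt == NULL || ids == NULL ||
++ idt->v == NULL || idt->l == 0 ||
++ ids->v == NULL || ids->l == 0) {
+if( !exact )
+{
+plog(LLV_DEBUG, LOCATION, NULL,
+diff -urpN a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
+--- a/src/racoon/isakmp_cfg.c
++++ b/src/racoon/isakmp_cfg.c
+@@ -1138,6 +1138,13 @@ isakmp_cfg_newiv(iph1, msgid)
+return NULL;
+}
+
++ if (iph1->ivm == NULL || iph1->ivm->iv == NULL ||
++ iph1->ivm->iv->v == NULL || iph1->ivm->iv->l == 0) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "isakmp_cfg_newiv called with invalid IV management\n");
++ return NULL;
++ }
++
+if (ics->ivm != NULL)
+oakley_delivm(ics->ivm);
+
+diff -urpN a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
+--- a/src/racoon/isakmp_quick.c
++++ b/src/racoon/isakmp_quick.c
+@@ -2243,8 +2243,10 @@ get_proposal_r(iph2)
+int error = ISAKMP_INTERNAL_ERROR;
+
+/* check the existence of ID payload */
+- if ((iph2->id_p != NULL && iph2->id == NULL)
+- || (iph2->id_p == NULL && iph2->id != NULL)) {
++ if ((iph2->id_p != NULL &&
++ (iph2->id == NULL || iph2->id->v == NULL || iph2->id->l == 0)) ||
++ (iph2->id != NULL &&
++ (iph2->id_p == NULL || iph2->id_p->v == NULL || iph2->id_p->l == 0))) {
+plog(LLV_ERROR, LOCATION, NULL,
+"Both IDs wasn't found in payload.\n");
+return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
</gr_edits_placeholder_never_emitted>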
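Review bot: In ipsecdoi_chkcmpids() (patch lines 23-25) an ID whose buffer is NULL or whose length is zero is now folded into the existing "wildcard IDs" branch instead of being rejected, and in the `!exact` case that branch logs at debug level and, as far as the hunk shows, treats the comparison as a wildcard match. If `idt` or `ids` can originate from a peer's ID payload, an empty ID would then satisfy the comparison rather than fail it, which is the opposite of what a crash-avoidance check should do; worth confirming that callers already reject zero-length ID payloads, or else handling the empty case as a mismatch in its own branch separate from the genuine NULL wildcard. In get_proposal_r() (lines 55-58) the message `Both IDs wasn't found in payload.` no longer describes the extended condition, which also fires when one ID is present but empty; `"ID payload missing or empty.\n"` would cover both. The bodies of both functions continue outside the hunks.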
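--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/racoonctl-build-fix.patch
@@ -0,0 +1,49 @@
+Subject: [PATCH] ipsec-tools: racoonctl buildfix
+
+Upstream-Status: Pending
+
+building ipsec-tools failed building/linking racoonctl with some errors:
+- missing "yylex" error
+- some linking errors for variables defined in racoon but not racoonctl
+- some symbols from nattraversal.c where not found as it wasn't linked
+when building with NAT support.
+
+Signed-off-by: Liviu Gheorghisan <liviu.gheorghisan@enea.com>
+Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
+---
+diff -rupN a/src/racoon/Makefile.am b/src/racoon/Makefile.am
+--- a/src/racoon/Makefile.am 2014-03-05 12:16:52.907101044 +0100
++++ b/src/racoon/Makefile.am 2014-03-05 12:17:10.946320064 +0100
+@@ -44,7 +44,17 @@ racoon_DEPENDENCIES = \
+$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
+vmbuf.o sockmisc.o misc.o
+
+-racoonctl_SOURCES = racoonctl.c str2val.c
++racoonctl_SOURCES = \
++ session.c isakmp.c handler.c \
++ isakmp_ident.c isakmp_agg.c isakmp_base.c \
++ isakmp_quick.c isakmp_inf.c isakmp_newg.c \
++ gssapi.c dnssec.c getcertsbyname.c privsep.c \
++ pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
++ policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
++ proposal.c sainfo.c strnames.c nattraversal.c \
++ plog.c logger.c schedule.c str2val.c \
++ safefile.c backupsa.c genlist.c rsalist.c \
++ cftoken.l cfparse.y prsa_tok.l prsa_par.y racoonctl.c
+racoonctl_LDADD = libracoon.la ../libipsec/libipsec.la
+
+libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
+
+diff -rupN a/src/racoon/racoonctl.c b/src/racoon/racoonctl.c
+--- a/src/racoon/racoonctl.c 2014-03-05 12:16:52.915100698 +0100
++++ b/src/racoon/racoonctl.c 2014-03-05 12:17:17.906018754 +0100
+@@ -247,6 +247,9 @@ usage()
+#error "Incompatible racoonctl interface"
+#endif
+
++int f_local = 0; /* local test mode. behave like a wall. */
++int dump_config =0;
++
+int
+main(ac, av)
+int ac;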
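Review bot: Compiling essentially the whole daemon — session.c, the isakmp_*.c state machines, privsep.c, pfkey.c, the config scanner and parser — into racoonctl (patch lines 22-32) resolves the link errors by pulling the entire IKE implementation into the admin client, so racoonctl now carries code paths it never exercises and has to redefine daemon globals such as `f_local` and `dump_config` (lines 44-45) just to link. A narrower fix would add only the objects that define the symbols racoonctl actually references, or move those symbols into libracoon.la, which is already what racoonctl links against. The `yylex` error named in the description is also what 0002-Don-t-link-against-libfl.patch in this same commit addresses, so if that patch is applied first the description's first bullet is probably stale and should be dropped or re-verified. If the full source list is kept on purpose, the description should say why, and `int dump_config =0;` should read `int dump_config = 0;` to match the declaration above it.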
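--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/with-flexdir.patch
@@ -0,0 +1,14 @@
+--- ipsec-tools-0.8.1.old/configure.ac 2014-03-04 16:24:57.431207664 +0100
++++ ipsec-tools-0.8.1/configure.ac 2014-03-04 16:26:00.372461304 +0100
+@@ -171,9 +171,9 @@ if test $with_readline != "no"; then
+fi
+
+
+-AC_MSG_CHECKING(if --with-flex option is specified)
++AC_MSG_CHECKING(if --with-flexdir option is specified)
+AC_ARG_WITH(flexdir,
+- [AC_HELP_STRING([--with-flex], [use directiory (default: no)])],
++ [AC_HELP_STRING([--with-flexdir], [use directory (default: no)])],
+[flexdir="$withval"])
+AC_MSG_RESULT(${flexdir-dirdefault})
+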