[PATCH] isakmpd issues.
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: [PATCH] isakmpd issues.
- From: Jean-Francois Dive <jef_(_at_)_linuxbe_(_dot_)_org>
- Date: 06 Aug 2003 09:40:24 +0200
- Reply-to: jef_(_at_)_linuxbe_(_dot_)_org
Hello Akan, all,
Here are 2 patches for isakmpd, both made on the latest CVS as of today.
In constants.c, constant_lookup() returns 0 if it does not find
any value-to-string conversion in the constants. The problem is that the
result is not checked in some places around the code. Even worse, this
happens in notification parsing (isakmp_responder and ipsec_responder),
which means that even an unauthenticated packet could trigger the problem
(assuming potential middle traffic sniffing to know the cookies if
needed; I had no time to check it out). The proposed solution is somewhat
ugly: use a safe_constant_lookup which returns "unknown %d" in a static
buffer (this is the ugly part); it depends on how you think these functions
should be used.
The second patch adds support for fine-grained selectors for Linux native
IPsec (adds proto, sport and dport).
Cheers,
JeF
<----- constant pactch ------->
Index: constants.c
===================================================================
RCS file: /mnt/u/cvs/isakmpd/constants.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 constants.c
--- constants.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ constants.c 27 Jul 2003 14:44:39 -0000
@@ -36,6 +36,8 @@
#include "constants.h"
+static char tmp_buf[30];
+
int
constant_value (struct constant_map *map, char *name)
{
@@ -58,6 +60,18 @@
return 0;
}
+char *
+safe_constant_lookup (struct constant_map *map, int value)
+{
+ struct constant_map *entry = map;
+
+ for (entry = map; entry->name; entry++)
+ if (entry->value == value)
+ return entry->name;
+ snprintf(tmp_buf, 30, "unknown %d", value);
+ return tmp_buf;
+}
+
struct constant_map *
constant_link_lookup (struct constant_map *map, int value)
{
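Review bot: safe_constant_lookup returns a pointer to the file-scope `tmp_buf` (added in the first hunk) for unknown values, so the string is only valid until the next call. A log statement that passes two such lookups as arguments would print the same text for both, and nothing on the function says so; a short header comment stating that the result is never NULL and that the fallback lives in a shared static buffer would cover it. The size literal duplicates the array declaration; `snprintf (tmp_buf, sizeof tmp_buf, "unknown %d", value);` keeps the two in sync. `entry` is also initialised twice, once in its declaration and again in the `for`.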
Index: constants.h
===================================================================
RCS file: /mnt/u/cvs/isakmpd/constants.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 constants.h
--- constants.h 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ constants.h 27 Jul 2003 14:44:57 -0000
@@ -40,6 +40,7 @@
struct constant_map *constant_link_lookup (struct constant_map *, int);
extern char *constant_lookup (struct constant_map *, int);
+extern char *safe_constant_lookup (struct constant_map *, int);
extern char *constant_name (struct constant_map *, int);
extern char *constant_name_maps (struct constant_map **, int);
extern int constant_value (struct constant_map *, char *);
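Review bot: `safe_constant_lookup` has the same signature as `constant_name`, which is already declared on the next line. If `constant_name` already substitutes a printable string for values missing from the map (its body is not visible here), the call sites could use it instead of adding a second lookup with its own static buffer. If the new function stays, a one-line comment on the prototype such as `/* Never returns NULL; unknown values yield a pointer to a static buffer. */` would state the contract the callers rely on.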
Index: exchange.c
===================================================================
RCS file: /mnt/u/cvs/isakmpd/exchange.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 exchange.c
--- exchange.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ exchange.c 27 Jul 2003 14:45:22 -0000
@@ -1100,7 +1100,7 @@
{
log_print ("exchange_setup_p1: expected exchange type %s got %s",
str,
- constant_lookup (isakmp_exch_cst,
+ safe_constant_lookup (isakmp_exch_cst,
GET_ISAKMP_HDR_EXCH_TYPE (msg->iov[0]
.iov_base)));
return 0;
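Review bot: Any `constant_lookup` result still passed straight to a `%s` remains a NULL-pointer case when a peer sends a value that is not in the map; the patch converts only five call sites (this one plus ike_auth.c, ike_phase_1.c, ipsec.c and isakmp_doi.c below). Whether other such callers exist is not visible here, so an audit of the remaining `constant_lookup (` uses inside `log_print`/`LOG_DBG` arguments would confirm the fix is complete. The enclosing function starts and ends outside the hunk.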
Index: ike_auth.c
===================================================================
RCS file: /mnt/u/cvs/isakmpd/ike_auth.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 ike_auth.c
--- ike_auth.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ ike_auth.c 27 Jul 2003 14:45:37 -0000
@@ -682,7 +682,7 @@
{
LOG_DBG ((LOG_MISC, 30,
"rsa_sig_decode_hash: no handler for %s CERT encoding",
- constant_lookup (isakmp_certenc_cst,
+ safe_constant_lookup (isakmp_certenc_cst,
GET_ISAKMP_CERT_ENCODING (p->p))));
continue;
}
Index: ike_phase_1.c
===================================================================
RCS file: /mnt/u/cvs/isakmpd/ike_phase_1.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 ike_phase_1.c
--- ike_phase_1.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ ike_phase_1.c 27 Jul 2003 14:45:50 -0000
@@ -1258,7 +1258,7 @@
}
LOG_DBG ((LOG_NEGOTIATION, 70,
"attribute_unacceptable: %s: got %s, expected %s", tag,
- constant_lookup (map, decode_16 (value)), str));
+ safe_constant_lookup (map, decode_16 (value)), str));
return 1;
case IKE_ATTR_GROUP_PRIME:
Index: ipsec.c
===================================================================
RCS file: /mnt/u/cvs/isakmpd/ipsec.c,v
retrieving revision 1.3
diff -u -r1.3 ipsec.c
--- ipsec.c 22 Jul 2003 14:53:29 -0000 1.3
+++ ipsec.c 27 Jul 2003 14:46:10 -0000
@@ -1097,7 +1097,7 @@
type = GET_ISAKMP_NOTIFY_MSG_TYPE (p->p);
LOG_DBG ((LOG_EXCHANGE, 10,
"ipsec_responder: got NOTIFY of type %s",
- constant_lookup (isakmp_notify_cst, type)));
+ safe_constant_lookup (isakmp_notify_cst, type)));
if (type == ISAKMP_NOTIFY_INVALID_SPI)
ipsec_invalid_spi (msg, p);
Index: isakmp_doi.c
===================================================================
RCS file: /mnt/u/cvs/isakmpd/isakmp_doi.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 isakmp_doi.c
--- isakmp_doi.c 18 Jul 2003 13:31:01 -0000 1.1.1.2
+++ isakmp_doi.c 27 Jul 2003 14:46:29 -0000
@@ -237,7 +237,7 @@
{
LOG_DBG ((LOG_EXCHANGE, 10,
"isakmp_responder: got NOTIFY of type %s, ignoring",
- constant_lookup (isakmp_notify_cst,
+ safe_constant_lookup (isakmp_notify_cst,
GET_ISAKMP_NOTIFY_MSG_TYPE (p->p))));
p->flags |= PL_MARK;
}
<------ linux-fine-grained ----->
--- ../isakmpd.upstream.cvs/pf_key_v2.c 2003-07-27 16:47:46.000000000
+0200
+++ ./pf_key_v2.c 2003-07-27 16:55:51.000000000 +0200
@@ -2042,9 +2042,17 @@
goto cleanup;
addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifdef LINUX_IPSEC
+ addr->sadb_address_proto = tproto;
+#else
addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
+#endif
addr->sadb_address_reserved = 0;
+#ifdef LINUX_IPSEC
+ pf_key_v2_setup_sockaddr (addr + 1, laddr, 0, sport, 0);
+#else
pf_key_v2_setup_sockaddr (addr + 1, laddr, 0, IPSEC_PORT_ANY, 0);
+#endif
switch (laddr->sa_family)
{
case AF_INET:
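Review bot: `tproto`, `sport` and `dport` are used under LINUX_IPSEC in this hunk and in the next one (the DST address) but are declared outside both, so it is not visible what they hold when the flow carries no protocol or port selector, or whether the ports are in the byte order `pf_key_v2_setup_sockaddr` expects. If an unset selector arrives as 0, confirm that this equals `IPSEC_ULPROTO_ANY` / `IPSEC_PORT_ANY`; otherwise the Linux build may install a policy with different selectors than the negotiated ones. The four `#ifdef` pairs could be reduced by choosing the proto and port values once near the top of the function and using them in both address blocks.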
@@ -2069,9 +2077,17 @@
goto cleanup;
addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifdef LINUX_IPSEC
+ addr->sadb_address_proto = tproto;
+#else
addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
+#endif
addr->sadb_address_reserved = 0;
+#ifdef LINUX_IPSEC
+ pf_key_v2_setup_sockaddr (addr + 1, raddr, 0, dport, 0);
+#else
pf_key_v2_setup_sockaddr (addr + 1, raddr, 0, IPSEC_PORT_ANY, 0);
+#endif
switch (raddr->sa_family)
{
case AF_INET: