author | Eugene Grosbein <eugen@FreeBSD.org> | 2019-07-01 04:49:33 +0000 |
---|---|---|
committer | Eugene Grosbein <eugen@FreeBSD.org> | 2019-07-01 04:49:33 +0000 |
commit | bea4f8a142ae79bd8709d52e10462a3031a4a2b8 (patch) | |
tree | 67ebcf718adb33c575b07fd46dc4918ccaf317da | |
parent | devel/py-adb: update to 1.3.0.7 (snapshot) (diff) |
security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config
Wildcard patch exposes an existing bug where aggressive-mode tunnels using IP addresses
for identification were not matching the entry in the PSK file,
because the identifier was not being converted to 'xxx.xxx.xxx.xxx' notation.
PR: 203308
Submitted by: andywhite@gmail.com (based on)
Notes
Notes:
svn path=/head/; revision=505537
-rw-r--r-- | security/ipsec-tools/Makefile | 4 | ||||
-rw-r--r-- | security/ipsec-tools/files/wildcard-psk-oakley.c.diff | 22 |
2 files changed, 24 insertions, 2 deletions
diff --git a/security/ipsec-tools/Makefile b/security/ipsec-tools/Makefile
index 9a55c71079f7..716d2b0df335 100644
--- a/security/ipsec-tools/Makefile
+++ b/security/ipsec-tools/Makefile
@@ -8,7 +8,7 @@ PORTNAME= ipsec-tools
 PORTVERSION= 0.8.2
-PORTREVISION= 9
+PORTREVISION= 10
 CATEGORIES= security
 MASTER_SITES= SF
@@ -77,8 +77,8 @@ LDAP_CONFIGURE_OFF= --without-libldap
 SAUNSPEC_CONFIGURE_ENABLE= samode-unspec
 RC5_CONFIGURE_ENABLE= rc5
 IDEA_CONFIGURE_ENABLE= idea
-WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff
 NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff
+WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff ${FILESDIR}/wildcard-psk-oakley.c.diff
 .include <bsd.port.pre.mk>
diff --git a/security/ipsec-tools/files/wildcard-psk-oakley.c.diff b/security/ipsec-tools/files/wildcard-psk-oakley.c.diff
new file mode 100644
index 000000000000..ca32e5dc4e02
--- /dev/null
+++ b/security/ipsec-tools/files/wildcard-psk-oakley.c.diff
@@ -0,0 +1,22 @@
+--- src/racoon/oakley.c.orig 2012-08-29 18:35:09.000000000 +0700
++++ src/racoon/oakley.c 2019-07-01 11:03:18.864245000 +0700
+@@ -2400,7 +2400,19 @@ oakley_skeyid(iph1)
+ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+ #endif
+ if (iph1->etype != ISAKMP_ETYPE_IDENT) {
++ struct ipsecdoi_id_b *id_b;
++
++ id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
++ if (id_b->type != IPSECDOI_ID_IPV4_ADDR &&
++ id_b->type != IPSECDOI_ID_IPV6_ADDR)
+ iph1->authstr = getpskbyname(iph1->id_p);
++ else {
++ struct sockaddr addr;
++ u_int16_t ul_proto;
++ u_int8_t prefix;
++ if (!ipsecdoi_id2sockaddr(iph1->id_p, &addr, &prefix, &ul_proto))
++ iph1->authstr = getpskbyaddr(&addr);
++ }
+ if (iph1->authstr == NULL) {
+ if (iph1->rmconf->verify_identifier) {
+ plog(LLV_ERROR, LOCATION, iph1->remote, |
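Review bot: `struct sockaddr addr;` in the new else branch of the oakley.c patch is too small for an IPv6 identity: the branch is entered for IPSECDOI_ID_IPV6_ADDR as well, and ipsecdoi_id2sockaddr() (not visible here, but in racoon it fills a sockaddr_in6 for IPv6 identities, 28 bytes against the 16 of a plain struct sockaddr) would then write past the end of the stack variable. The ID payload is supplied by the peer and, in aggressive mode, is processed before the peer has authenticated, so this is a memory-safety issue rather than a cosmetic one. Elsewhere racoon sizes this buffer as struct sockaddr_storage; change the three lines to `struct sockaddr_storage addr;`, `if (!ipsecdoi_id2sockaddr(iph1->id_p, (struct sockaddr *)&addr, &prefix, &ul_proto))` and `iph1->authstr = getpskbyaddr((struct sockaddr *)&addr);`. The enclosing oakley_skeyid() starts and ends outside the hunk.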