
[PATCH] isakmpd issues.

From: Jean-Francois Dive <jef(at)linuxbe.org>
Date: Wed Aug 06 2003 - 03:40:24 EDT


Hello Akan, all,

Here are 2 patches for isakmpd, both made on the latest CVS as of today.

In constants.c, constant_lookup() returns 0 if it does not find a value-to-string conversion in the constants. The problem is that the result is not checked in some places in the code. Even worse, this happens in notification parsing (isakmp_responder and ipsec_responder), which means that even an unauthenticated packet could trigger the problem (assuming potential middle traffic sniffing to learn the cookies if needed; I had no time to check this). The proposed solution is somewhat ugly: use a safe_constant_lookup which returns "unknown %d" in a static buffer (this is the ugly part); it depends on how you think these functions should be used.

The second patch add support for fine grained selectors for linux native ipsec (add proto, sport and dport).

Cheers,

JeF

<----- constant pactch ------->
Index: constants.c



RCS file: /mnt/u/cvs/isakmpd/constants.c,v retrieving revision 1.1.1.2
diff -u -r1.1.1.2 constants.c
--- constants.c	18 Jul 2003 13:31:01 -0000	1.1.1.2
+++ constants.c	27 Jul 2003 14:44:39 -0000

@@ -36,6 +36,8 @@
 

 #include "constants.h"  


+static char tmp_buf[30];
+
 int
 constant_value (struct constant_map *map, char *name)
 {
@@ -58,6 +60,18 @@

   return 0;
 }  

+char *
+safe_constant_lookup (struct constant_map *map, int value)
+{
+  struct constant_map *entry = map;
+
+  for (entry = map; entry->name; entry++)
+    if (entry->value == value)
+      return entry->name;
+  snprintf(tmp_buf, 30, "unknown %d", value);
+  return tmp_buf;
+}
+

 struct constant_map *
 constant_link_lookup (struct constant_map *map, int value)
 {
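Review bot: `safe_constant_lookup` returns a pointer to the single file-scope `tmp_buf` on a miss, so two misses feeding one format call (for example a log line that prints both a received and an expected value) would print the same text twice, and the function is not reentrant. A comment above it should say that the result may point to static storage which the next call overwrites, and that callers must not keep or free it. The buffer size is repeated as a literal; `snprintf (tmp_buf, sizeof tmp_buf, "unknown %d", value);` ties it to the declaration added in the first constants.c hunk, and `entry` is initialised twice (declaration and `for`). `constant_link_lookup`'s body continues outside the hunk.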
Index: constants.h

RCS file: /mnt/u/cvs/isakmpd/constants.h,v retrieving revision 1.1.1.2
diff -u -r1.1.1.2 constants.h
--- constants.h	18 Jul 2003 13:31:01 -0000	1.1.1.2
+++ constants.h	27 Jul 2003 14:44:57 -0000

@@ -40,6 +40,7 @@
 

 struct constant_map *constant_link_lookup (struct constant_map *, int);

 extern char *constant_lookup (struct constant_map *, int);
+extern char *safe_constant_lookup (struct constant_map *, int);
 extern char *constant_name (struct constant_map *, int);
 extern char *constant_name_maps (struct constant_map **, int);
 extern int constant_value (struct constant_map *, char *);
Index: exchange.c

RCS file: /mnt/u/cvs/isakmpd/exchange.c,v retrieving revision 1.1.1.2
diff -u -r1.1.1.2 exchange.c
--- exchange.c	18 Jul 2003 13:31:01 -0000	1.1.1.2
+++ exchange.c	27 Jul 2003 14:45:22 -0000

@@ -1100,7 +1100,7 @@
{ log_print ("exchange_setup_p1: expected exchange type %s got %s", str,
- constant_lookup (isakmp_exch_cst,
+ safe_constant_lookup (isakmp_exch_cst,
 GET_ISAKMP_HDR_EXCH_TYPE (msg->iov[0] .iov_base))); return 0;

Index: ike_auth.c

RCS file: /mnt/u/cvs/isakmpd/ike_auth.c,v retrieving revision 1.1.1.2
diff -u -r1.1.1.2 ike_auth.c
--- ike_auth.c	18 Jul 2003 13:31:01 -0000	1.1.1.2
+++ ike_auth.c	27 Jul 2003 14:45:37 -0000

@@ -682,7 +682,7 @@
{ LOG_DBG ((LOG_MISC, 30, "rsa_sig_decode_hash: no handler for %s CERT encoding",
- constant_lookup (isakmp_certenc_cst,
+ safe_constant_lookup (isakmp_certenc_cst,
 GET_ISAKMP_CERT_ENCODING (p->p)))); continue; }

Index: ike_phase_1.c

RCS file: /mnt/u/cvs/isakmpd/ike_phase_1.c,v retrieving revision 1.1.1.2
diff -u -r1.1.1.2 ike_phase_1.c
--- ike_phase_1.c	18 Jul 2003 13:31:01 -0000	1.1.1.2
+++ ike_phase_1.c	27 Jul 2003 14:45:50 -0000

@@ -1258,7 +1258,7 @@
} LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: %s: got %s, expected %s", tag,
- constant_lookup (map, decode_16 (value)), str));
+ safe_constant_lookup (map, decode_16 (value)), str));
 return 1; case IKE_ATTR_GROUP_PRIME:

Index: ipsec.c

RCS file: /mnt/u/cvs/isakmpd/ipsec.c,v
retrieving revision 1.3
diff -u -r1.3 ipsec.c
--- ipsec.c	22 Jul 2003 14:53:29 -0000	1.3
+++ ipsec.c	27 Jul 2003 14:46:10 -0000

@@ -1097,7 +1097,7 @@
type = GET_ISAKMP_NOTIFY_MSG_TYPE (p->p); LOG_DBG ((LOG_EXCHANGE, 10, "ipsec_responder: got NOTIFY of type %s",
- constant_lookup (isakmp_notify_cst, type)));
+ safe_constant_lookup (isakmp_notify_cst, type)));
 if (type == ISAKMP_NOTIFY_INVALID_SPI) ipsec_invalid_spi (msg, p);
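Review bot: Only the call sites in this patch are switched, so any other `constant_lookup` result that reaches a `%s` argument would keep the unchecked-NULL behaviour; the rest of the tree is not visible here, so this needs a search rather than an assumption. This hunk and the isakmp_doi.c one matter most, because the notify type is read from the received payload immediately before the log call. A comment on the `constant_lookup` prototype in constants.h, such as `/* Returns NULL if VALUE is not in MAP; do not pass the result to %s unchecked. */`, would keep new callers from repeating the mistake. The enclosing function starts and ends outside the hunk.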
Index: isakmp_doi.c

RCS file: /mnt/u/cvs/isakmpd/isakmp_doi.c,v retrieving revision 1.1.1.2
diff -u -r1.1.1.2 isakmp_doi.c
--- isakmp_doi.c	18 Jul 2003 13:31:01 -0000	1.1.1.2
+++ isakmp_doi.c	27 Jul 2003 14:46:29 -0000

@@ -237,7 +237,7 @@
{ LOG_DBG ((LOG_EXCHANGE, 10, "isakmp_responder: got NOTIFY of type %s, ignoring",
- constant_lookup (isakmp_notify_cst,
+ safe_constant_lookup (isakmp_notify_cst,
 GET_ISAKMP_NOTIFY_MSG_TYPE (p->p)))); p->flags |= PL_MARK; }
<------ linux-fine-grained ----->
--- ../isakmpd.upstream.cvs/pf_key_v2.c 2003-07-27 16:47:46.000000000 +0200
+++ ./pf_key_v2.c 2003-07-27 16:55:51.000000000 +0200
@@ -2042,9 +2042,17 @@
goto cleanup;
 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
 addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifdef LINUX_IPSEC

+ addr->sadb_address_proto = tproto;
+#else

   addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
+#endif

   addr->sadb_address_reserved = 0;

+#ifdef LINUX_IPSEC
+  pf_key_v2_setup_sockaddr (addr + 1, laddr, 0, sport, 0);
+#else

   pf_key_v2_setup_sockaddr (addr + 1, laddr, 0, IPSEC_PORT_ANY, 0);
+#endif

   switch (laddr->sa_family)

     {
     case AF_INET:
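Review bot: `tproto`, `sport` and `dport` are used in the LINUX_IPSEC branches of both pf_key_v2.c hunks but are neither declared nor assigned in the visible lines, so the patch as posted does not show where they come from, what they hold when a flow names no protocol or port, or which byte order `pf_key_v2_setup_sockaddr` expects for the port. Those three facts decide whether the installed selector matches the intended traffic, so they belong in a comment above the block, e.g. `/* tproto, sport, dport: <source>; <value meaning "any">; ports in <byte order> */` with the real values filled in. The four `#ifdef LINUX_IPSEC` / `#else` pairs could also be reduced by choosing the protocol and port once per address and leaving the existing assignments unconditional. The enclosing function starts and ends outside the hunks.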

@@ -2069,9 +2077,17 @@
goto cleanup;
 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
 addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifdef LINUX_IPSEC

+ addr->sadb_address_proto = tproto;
+#else

   addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
+#endif


   addr->sadb_address_reserved = 0;

+#ifdef LINUX_IPSEC
+  pf_key_v2_setup_sockaddr (addr + 1, raddr, 0, dport, 0);
+#else

   pf_key_v2_setup_sockaddr (addr + 1, raddr, 0, IPSEC_PORT_ANY, 0);
+#endif

   switch (raddr->sa_family)

     {
     case AF_INET:
Received on Wed Aug 6 03:45:26 2003
