svn commit: r505537 - in head/security/ipsec-tools: . files
Eugene Grosbein
eugen at FreeBSD.org
Mon Jul 1 04:49:34 UTC 2019
Author: eugen
Date: Mon Jul 1 04:49:33 2019
New Revision: 505537
URL: https://svnweb.freebsd.org/changeset/ports/505537
Log:
security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config
The wildcard patch exposes an existing bug where aggressive-mode tunnels using IP addresses
for identification did not match their entry in the PSK file,
because the identifier was not being converted to 'xxx.xxx.xxx.xxx' notation before the lookup.
PR: 203308
Submitted by: andywhite at gmail.com (based on)
Added:
head/security/ipsec-tools/files/wildcard-psk-oakley.c.diff (contents, props changed)
Modified:
head/security/ipsec-tools/Makefile
Modified: head/security/ipsec-tools/Makefile
==============================================================================
--- head/security/ipsec-tools/Makefile Mon Jul 1 03:32:39 2019 (r505536)
+++ head/security/ipsec-tools/Makefile Mon Jul 1 04:49:33 2019 (r505537)
@@ -8,7 +8,7 @@
PORTNAME= ipsec-tools
PORTVERSION= 0.8.2
-PORTREVISION= 9
+PORTREVISION= 10
CATEGORIES= security
MASTER_SITES= SF
@@ -77,8 +77,8 @@ LDAP_CONFIGURE_OFF= --without-libldap
SAUNSPEC_CONFIGURE_ENABLE= samode-unspec
RC5_CONFIGURE_ENABLE= rc5
IDEA_CONFIGURE_ENABLE= idea
-WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff
NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff
+WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff ${FILESDIR}/wildcard-psk-oakley.c.diff
.include <bsd.port.pre.mk>
Added: head/security/ipsec-tools/files/wildcard-psk-oakley.c.diff
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/ipsec-tools/files/wildcard-psk-oakley.c.diff Mon Jul 1 04:49:33 2019 (r505537)
@@ -0,0 +1,22 @@
+--- src/racoon/oakley.c.orig 2012-08-29 18:35:09.000000000 +0700
++++ src/racoon/oakley.c 2019-07-01 11:03:18.864245000 +0700
+@@ -2400,7 +2400,19 @@ oakley_skeyid(iph1)
+ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+ #endif
+ if (iph1->etype != ISAKMP_ETYPE_IDENT) {
++ struct ipsecdoi_id_b *id_b;
++
++ id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
++ if (id_b->type != IPSECDOI_ID_IPV4_ADDR &&
++ id_b->type != IPSECDOI_ID_IPV6_ADDR)
+ iph1->authstr = getpskbyname(iph1->id_p);
++ else {
++ struct sockaddr addr;
++ u_int16_t ul_proto;
++ u_int8_t prefix;
++ if (!ipsecdoi_id2sockaddr(iph1->id_p, &addr, &prefix, &ul_proto))
++ iph1->authstr = getpskbyaddr(&addr);
++ }
+ if (iph1->authstr == NULL) {
+ if (iph1->rmconf->verify_identifier) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
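Review bot: The new `struct sockaddr addr;` in the else branch is too small for the IPv6 case the same block explicitly admits two lines earlier (`id_b->type != IPSECDOI_ID_IPV6_ADDR`): a generic `struct sockaddr` is 16 bytes while a `sockaddr_in6` is 28, so if `ipsecdoi_id2sockaddr` fills in a full IPv6 socket address for that ID type, as its sockaddr output parameter suggests, the write overruns the stack, and the ID payload that drives it is peer-supplied and arrives before any authentication has happened. Declare `struct sockaddr_storage addr;` instead and pass `(struct sockaddr *)&addr` to both `ipsecdoi_id2sockaddr` and `getpskbyaddr`; I believe that is the shape other callers in racoon already use. A short comment above the new branch would also help the next reader, e.g. `/* aggressive mode with an address ID: look the PSK up by the address, not by the ID's raw bytes */`. oakley_skeyid's body continues outside the hunk, so what happens when authstr is still NULL after this branch is not visible here.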