security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config

Wilcard patch exposures existing bug where agressive tunnels using ip addresses
for identification were not matching the entry in the PSK file,
due to the identifier not being cast to a 'xxx.xxx.xxx.xxx' notation.

PR:		203308
Submitted by:	andywhite@gmail.com (based on)
This commit is contained in:
Eugene Grosbein 2019-07-01 04:49:33 +00:00
parent ad6f96367a
commit bea4f8a142
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=505537
2 changed files with 24 additions and 2 deletions

View file

@ -8,7 +8,7 @@
PORTNAME= ipsec-tools
PORTVERSION= 0.8.2
PORTREVISION= 9
PORTREVISION= 10
CATEGORIES= security
MASTER_SITES= SF
@ -77,8 +77,8 @@ LDAP_CONFIGURE_OFF= --without-libldap
SAUNSPEC_CONFIGURE_ENABLE= samode-unspec
RC5_CONFIGURE_ENABLE= rc5
IDEA_CONFIGURE_ENABLE= idea
WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff
NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff
WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff ${FILESDIR}/wildcard-psk-oakley.c.diff
.include <bsd.port.pre.mk>

View file

@ -0,0 +1,22 @@
--- src/racoon/oakley.c.orig 2012-08-29 18:35:09.000000000 +0700
+++ src/racoon/oakley.c 2019-07-01 11:03:18.864245000 +0700
@@ -2400,7 +2400,19 @@ oakley_skeyid(iph1)
case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
#endif
if (iph1->etype != ISAKMP_ETYPE_IDENT) {
+ struct ipsecdoi_id_b *id_b;
+
+ id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
+ if (id_b->type != IPSECDOI_ID_IPV4_ADDR &&
+ id_b->type != IPSECDOI_ID_IPV6_ADDR)
iph1->authstr = getpskbyname(iph1->id_p);
+ else {
+ struct sockaddr addr;
+ u_int16_t ul_proto;
+ u_int8_t prefix;
+ if (!ipsecdoi_id2sockaddr(iph1->id_p, &addr, &prefix, &ul_proto))
+ iph1->authstr = getpskbyaddr(&addr);
+ }
if (iph1->authstr == NULL) {
if (iph1->rmconf->verify_identifier) {
plog(LLV_ERROR, LOCATION, iph1->remote,