security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config
Wildcard patch exposes an existing bug where aggressive-mode tunnels using IP addresses for identification were not matching the entry in the PSK file, due to the identifier not being cast to 'xxx.xxx.xxx.xxx' notation. PR: 203308 Submitted by: andywhite@gmail.com (based on)
This commit is contained in:
parent
ad6f96367a
commit
bea4f8a142
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=505537
2 changed files with 24 additions and 2 deletions
@ -8,7 +8,7 @@
PORTNAME= ipsec-tools
PORTNAME= ipsec-tools
PORTVERSION= 0.8.2
PORTVERSION= 0.8.2
PORTREVISION= 9
PORTREVISION= 10
CATEGORIES= security
CATEGORIES= security
MASTER_SITES= SF
MASTER_SITES= SF
@ -77,8 +77,8 @@ LDAP_CONFIGURE_OFF= --without-libldap
SAUNSPEC_CONFIGURE_ENABLE= samode-unspec
SAUNSPEC_CONFIGURE_ENABLE= samode-unspec
RC5_CONFIGURE_ENABLE= rc5
RC5_CONFIGURE_ENABLE= rc5
IDEA_CONFIGURE_ENABLE= idea
IDEA_CONFIGURE_ENABLE= idea
WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff
NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff
NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff
WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff ${FILESDIR}/wildcard-psk-oakley.c.diff
.include <bsd.port.pre.mk>
.include <bsd.port.pre.mk>
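--- a/security/ipsec-tools/files/wildcard-psk-oakley.c.diff
+++ b/security/ipsec-tools/files/wildcard-psk-oakley.c.diff
@@ -0,0 +1,22 @@
+--- src/racoon/oakley.c.orig 2012-08-29 18:35:09.000000000 +0700
++++ src/racoon/oakley.c 2019-07-01 11:03:18.864245000 +0700
+@@ -2400,7 +2400,19 @@ oakley_skeyid(iph1)
+case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
+#endif
+if (iph1->etype != ISAKMP_ETYPE_IDENT) {
++ struct ipsecdoi_id_b *id_b;
++
++ id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
++ if (id_b->type != IPSECDOI_ID_IPV4_ADDR &&
++ id_b->type != IPSECDOI_ID_IPV6_ADDR)
+iph1->authstr = getpskbyname(iph1->id_p);
++ else {
++ struct sockaddr addr;
++ u_int16_t ul_proto;
++ u_int8_t prefix;
++ if (!ipsecdoi_id2sockaddr(iph1->id_p, &addr, &prefix, &ul_proto))
++ iph1->authstr = getpskbyaddr(&addr);
++ }
+if (iph1->authstr == NULL) {
+if (iph1->rmconf->verify_identifier) {
+plog(LLV_ERROR, LOCATION, iph1->remote,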
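Review bot: The new `else` branch declares only a 16-byte `struct sockaddr addr;` yet is entered for `IPSECDOI_ID_IPV6_ADDR` as well as IPv4; if `ipsecdoi_id2sockaddr()` fills in a `struct sockaddr_in6` for that type, as routing IPv6 identifiers through it implies, the call writes past the end of `addr` on the stack, and the bytes come from the peer's identity payload before authentication has completed. Size the buffer for the largest family and pass it cast: `struct sockaddr_storage ss;` / `if (!ipsecdoi_id2sockaddr(iph1->id_p, (struct sockaddr *)&ss, &prefix, &ul_proto))` / `iph1->authstr = getpskbyaddr((struct sockaddr *)&ss);`. The cast `id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;` also reads `id_b->type` without confirming `iph1->id_p` is non-NULL and at least `sizeof(*id_b)` long; the pre-existing `getpskbyname(iph1->id_p)` call already relied on the former, but a length check here is cheap and keeps a short ID payload from being read past its end. The enclosing `oakley_skeyid()` starts and ends outside the hunk.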