Date: Tue, 10 Apr 2007 00:45:57 +0200 (CEST)
From: Dan Lukes <dan@obluda.cz>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/111430: [ PATCH ] security/isakmpd with OpenSSL 0.9.8b and newer
Message-ID: <200704092245.l39Mjvjd059463@kulesh.obluda.cz>
Resent-Message-ID: <200704092250.l39Mo35Z093063@freefall.freebsd.org>
>Number:         111430
>Category:       ports
>Synopsis:       [ PATCH ] security/isakmpd with OpenSSL 0.9.8b and newer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 09 22:50:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Dan Lukes
>Release:        FreeBSD 6.2-STABLE i386
>Organization:   Obludarium
>Environment:
System: FreeBSD 6.2-STABLE
isakmpd-20041207_2
>Description:
From the Makefile:

.if ${OSVERSION} >= 700019
BROKEN= is not buildable with OpenSSL 0.9.8b
.endif

By the way, ${OSVERSION} >= 700019 is not a sufficient test for OpenSSL 0.9.8b - we can have OpenSSL from PORTS also.

So:

Problem 1: not compilable on a recent OS
Problem 2: not compilable against OpenSSL from ports (regardless of version) in advance
Problem 3: due to a missing #define, isakmpd doesn't push the upper protocol specification and port number (for both src and dst addresses) into the SPD/SADB kernel database. "Any protocol"/"any src port"/"any dst port" is submitted instead.
>How-To-Repeat:
N/A
>Fix:
1. The x509.c patch makes the port compilable against the new OpenSSL.
2. The Makefile.sysdep patch makes the port compilable against OpenSSL from ports.
3. The pf_key_v2 patch unlocks the appropriate code for __FREEBSD__.

Patches [1] & [3] are brand new.
[2] is a replacement for the current patch-Makefile.sysdep - the only change is the use of ${OPENSSLINC} instead of hard-coded paths.

--- x509.c~ Mon Apr 9 23:38:38 2007 +++ x509.c Mon Apr 9 23:38:38 2007 
@@ -910,7 +910,13 @@ X509_STORE_CTX_init(&csc, x509_cas, cert, NULL); #if OPENSSL_VERSION_NUMBER >= 0x00907000L /* XXX See comment in x509_read_crls_from_dir. */ - if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) { + if ( +#if OPENSSL_VERSION_NUMBER >= 0x00908020L + x509_cas->param->flags +#else + x509_cas->flags +#endif + & X509_V_FLAG_CRL_CHECK) { X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK); X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL); } --- sysdep/freebsd/Makefile.sysdep.orig Sat Jun 26 05:40:57 2004 +++ sysdep/freebsd/Makefile.sysdep Mon Apr 9 23:21:10 2007 @@ -40,12 +40,12 @@ LIBSYSDEPDIR= ${.CURDIR}/sysdep/common/libsysdep .endif -LDADD+= -lgmp ${LIBSYSDEPDIR}/libsysdep.a -lipsec -L/usr/local/lib +LDADD+= ${LIBSYSDEPDIR}/libsysdep.a -lipsec -L/usr/local/lib DPADD+= ${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a -CFLAGS+= -DHAVE_GETIFADDRS \ - -I${.CURDIR}/sysdep/common -I/usr/include \ - -I/usr/local/include -I/usr/local/include/openssl +CFLAGS+= -DHAVE_GETIFADDRS -DHAVE_PCAP \ + -I${.CURDIR}/sysdep/common -I/usr/include -I${OPENSSLINC}/openssl \ + -I/usr/local/include IPSEC_SRCS= pf_key_v2.c IPSEC_CFLAGS= -DUSE_PF_KEY_V2 @@ -58,9 +58,6 @@ GENERATED+= sysdep-target sysdep-target: cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS} - -# Kludge around much strange behaviour in /usr/share/mk/bsd.*/mk, don't build certpatch -SUBDIR= .if make(clean) SUBDIR+= sysdep/common/libsysdep --- pf_key_v2.c~ Mon Apr 9 23:10:51 2007 +++ pf_key_v2.c Mon Apr 9 23:10:51 2007 
@@ -2204,13 +2204,13 @@ goto cleanup; addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifdef LINUX_IPSEC +#if defined(LINUX_IPSEC) || defined (__FreeBSD__) addr->sadb_address_proto = tproto; #else addr->sadb_address_proto = IPSEC_ULPROTO_ANY; #endif addr->sadb_address_reserved = 0; -#ifdef LINUX_IPSEC +#if defined(LINUX_IPSEC) || defined (__FreeBSD__) pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, sport, 0); #else pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, IPSEC_PORT_ANY, 0); @@ -2238,13 +2238,13 @@ goto cleanup; addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifdef LINUX_IPSEC +#if defined(LINUX_IPSEC) || defined (__FreeBSD__) addr->sadb_address_proto = tproto; #else addr->sadb_address_proto = IPSEC_ULPROTO_ANY; #endif addr->sadb_address_reserved = 0; -#ifdef LINUX_IPSEC +#if defined(LINUX_IPSEC) || defined (__FreeBSD__) pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, dport, 0); #else pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, IPSEC_PORT_ANY, 0); >Release-Note: >Audit-Trail: >Unformatted:
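Review bot: the version cutoff in the x509.c hunk, `#if OPENSSL_VERSION_NUMBER >= 0x00908020L`, corresponds to 0.9.8b-dev, but the `X509_VERIFY_PARAM *param` member that replaced `X509_STORE.flags` came in with 0.9.8 itself rather than with 0.9.8b; please verify against the 0.9.8 and 0.9.8a headers, because with this cutoff builds against those releases would still dereference the removed `flags` field. Independently of the threshold, an `#if` spliced into the middle of an `if (` condition is hard to read and reaches into struct internals; evaluating the flags into a local first, with `X509_VERIFY_PARAM_get_flags(x509_cas->param)` on the new branch, keeps the condition on one line and does not depend on the struct layout.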
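Review bot: in the CFLAGS change of the Makefile.sysdep hunk, `-I/usr/include` still precedes `-I${OPENSSLINC}/openssl`, so when OPENSSLINC points at the ports OpenSSL (/usr/local/include) any `#include <openssl/...>` is still resolved from the base system headers first, which is the very mismatch the PR sets out to fix; `-I${OPENSSLINC}` should come before `-I/usr/include` (or the explicit `-I/usr/include` be dropped), and note that the `/openssl` suffix only helps includes written without the `openssl/` prefix. The same hunk leaves `-L/usr/local/lib` hard-coded in LDADD while the header path was parameterised; `-L${OPENSSLLIB}` is the matching variable from bsd.openssl.mk. Minor: `-lgmp` is removed from LDADD but `${LIBGMP}` stays in DPADD, so the dependency list no longer matches what is linked.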
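Review bot: the pf_key_v2.c hunks repeat `#if defined(LINUX_IPSEC) || defined (__FreeBSD__)` four times (twice each for the SRC and DST address extensions), with inconsistent spacing in `defined (__FreeBSD__)`; defining one feature macro in the FreeBSD sysdep (say a hypothetical `HAVE_PFKEY_PROTO_PORT`, name assumed here) and testing that instead keeps the four sites from drifting apart and lets other KAME-derived stacks enable the same behaviour without touching this file. Because the change turns the installed SPD/SADB entries from any-protocol/any-port into protocol- and port-specific ones, the commit log or pkg-message should tell administrators to compare `setkey -DP` output before and after upgrading, so that existing policies which relied on the wildcard entries are noticed rather than silently stop matching.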