Date:      Tue, 10 Apr 2007 00:45:57 +0200 (CEST)
From:      Dan Lukes <dan@obluda.cz>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/111430: [ PATCH ] security/isakmpd with OpenSSL 0.9.8b and newer
Message-ID:  <200704092245.l39Mjvjd059463@kulesh.obluda.cz>
Resent-Message-ID: <200704092250.l39Mo35Z093063@freefall.freebsd.org>


>Number:         111430
>Category:       ports
>Synopsis:       [ PATCH ] security/isakmpd with OpenSSL 0.9.8b and newer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 09 22:50:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Dan Lukes
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 6.2-STABLE
isakmpd-20041207_2

>Description:
	From the Makefile:
.if ${OSVERSION} >= 700019
BROKEN=         is not buildable with OpenSSL 0.9.8b
.endif

By the way, ${OSVERSION} >= 700019 is not a sufficient test for OpenSSL 0.9.8b;
we can have OpenSSL from ports as well.

So:

Problem 1: not compilable on a recent OS
Problem 2: not compilable against OpenSSL from ports (regardless of OS version)

In addition:

Problem 3: due to a missing #define, isakmpd doesn't push the upper-layer protocol
and port number (for both src and dst addresses) into the kernel SPD/SADB
database. "Any protocol"/"any src port"/"any dst port" is submitted instead.

>How-To-Repeat:
	N/A
>Fix:

1. The x509.c patch makes the port compilable against the new OpenSSL.
2. The Makefile.sysdep patch makes the port compilable against OpenSSL from ports.
3. The pf_key_v2 patch unlocks the appropriate code for __FreeBSD__.

Patches [1] & [3] are brand new.
[2] is a replacement for the current patch-Makefile.sysdep; the only change
   is the use of ${OPENSSLINC} instead of hard-coded paths.



--- x509.c~	Mon Apr  9 23:38:38 2007
+++ x509.c	Mon Apr  9 23:38:38 2007
@@ -910,7 +910,13 @@
 	X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 	/* XXX See comment in x509_read_crls_from_dir.  */
-	if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
+	if (
+#if OPENSSL_VERSION_NUMBER >= 0x00908020L
+	    x509_cas->param->flags
+#else
+	    x509_cas->flags
+#endif
+	                    & X509_V_FLAG_CRL_CHECK) {
 		X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
 		X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
 	}
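Review bot: the nested `#if` inside the `if (` expression is hard to read and hard-codes X509_STORE's internal layout in both branches; a small macro near the top of x509.c, e.g. `#define X509_STORE_FLAGS(s) ((s)->param->flags)` under the new-version branch and `((s)->flags)` otherwise, would let this read `if (X509_STORE_FLAGS(x509_cas) & X509_V_FLAG_CRL_CHECK) {`. Also worth double-checking the 0x00908020L threshold: if the `param` member already exists in 0.9.8 releases earlier than 0.9.8b, those would still take the `x509_cas->flags` branch and fail to build.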
--- sysdep/freebsd/Makefile.sysdep.orig	Sat Jun 26 05:40:57 2004
+++ sysdep/freebsd/Makefile.sysdep	Mon Apr  9 23:21:10 2007
@@ -40,12 +40,12 @@
 LIBSYSDEPDIR=	${.CURDIR}/sysdep/common/libsysdep
 .endif
 
-LDADD+=		-lgmp ${LIBSYSDEPDIR}/libsysdep.a -lipsec -L/usr/local/lib
+LDADD+=		${LIBSYSDEPDIR}/libsysdep.a -lipsec -L/usr/local/lib
 DPADD+=		${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a
 
-CFLAGS+=	-DHAVE_GETIFADDRS \
-		-I${.CURDIR}/sysdep/common -I/usr/include \
-		-I/usr/local/include -I/usr/local/include/openssl
+CFLAGS+=	-DHAVE_GETIFADDRS -DHAVE_PCAP \
+		-I${.CURDIR}/sysdep/common -I/usr/include -I${OPENSSLINC}/openssl \
+		-I/usr/local/include
 
 IPSEC_SRCS=	pf_key_v2.c
 IPSEC_CFLAGS=	-DUSE_PF_KEY_V2
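Review bot: LDADD drops `-lgmp` while DPADD on the next line still lists `${LIBGMP}`, so the two should agree (either drop `${LIBGMP}` as well or keep `-lgmp`); the hunk also adds `-DHAVE_PCAP`, which the description's "the only change is use of ${OPENSSLINC}" does not cover. Since the diff is taken against the pristine Makefile.sysdep rather than the port's current patch-Makefile.sysdep, please state which of these lines are carried over unchanged from the existing patch and which are new.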
@@ -58,9 +58,6 @@
 GENERATED+=	sysdep-target
 sysdep-target:
 		cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS}
-
-# Kludge around much strange behaviour in /usr/share/mk/bsd.*/mk, don't build certpatch
-SUBDIR=		
 
 .if make(clean)
 SUBDIR+=	sysdep/common/libsysdep
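Review bot: removing the `SUBDIR=` reset together with its comment about not building certpatch is not mentioned in the description; with the `.if make(clean)` block below now doing `SUBDIR+=` onto whatever SUBDIR already holds, confirm that certpatch is still excluded from the build, or say so if building it is intended.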
--- pf_key_v2.c~	Mon Apr  9 23:10:51 2007
+++ pf_key_v2.c	Mon Apr  9 23:10:51 2007
@@ -2204,13 +2204,13 @@
 		goto cleanup;
 	addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
 	addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
-#ifdef LINUX_IPSEC
+#if defined(LINUX_IPSEC) || defined (__FreeBSD__) 
 	addr->sadb_address_proto = tproto;
 #else
 	addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
 #endif
 	addr->sadb_address_reserved = 0;
-#ifdef LINUX_IPSEC
+#if defined(LINUX_IPSEC) || defined (__FreeBSD__) 
 	pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, sport, 0);
 #else
 	pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, IPSEC_PORT_ANY, 0);
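Review bot: the new condition carries a trailing space and the `defined (__FreeBSD__)` spacing differs from `defined(LINUX_IPSEC)` on the same line; `#if defined(LINUX_IPSEC) || defined(__FreeBSD__)` is cleaner. Functionally this is the SRC side of the Problem 3 fix: `tproto` and `sport` now replace IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY, so the SPD entries isakmpd installs become narrower than before. Setups that relied on the old any-proto/any-port entries to cover other traffic between the same hosts will see that traffic fall outside the policy; that behaviour change deserves a line in the commit log or pkg-message.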
@@ -2238,13 +2238,13 @@
 		goto cleanup;
 	addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
 	addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
-#ifdef LINUX_IPSEC
+#if defined(LINUX_IPSEC) || defined (__FreeBSD__) 
 	addr->sadb_address_proto = tproto;
 #else
 	addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
 #endif
 	addr->sadb_address_reserved = 0;
-#ifdef LINUX_IPSEC
+#if defined(LINUX_IPSEC) || defined (__FreeBSD__) 
 	pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, dport, 0);
 #else
 	pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, IPSEC_PORT_ANY, 0);
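Review bot: the same condition is now repeated at four sites in pf_key_v2.c (proto and port for SRC, proto and port for DST); defining it once near the top of the file, e.g. `#if defined(LINUX_IPSEC) || defined(__FreeBSD__)` followed by `#define PF_KEY_V2_USE_SELECTORS`, and testing that single macro at each site would keep them in sync when another platform is added. This hunk mirrors the SRC hunk for the DST address with `raddr`/`dport`, which is the expected pairing.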

>Release-Note:
>Audit-Trail:
>Unformatted:


