From: "Christos Zoulas"
Subject: CVS commit: src/crypto/dist/ipsec-tools/src/racoon
To: source-changes@NetBSD.org
Date: Fri, 5 Oct 2018 16:12:37 -0400
Message-Id: <20181005201237.79D9DFBEE@cvs.NetBSD.org>

Module Name:    src
Committed By:   christos
Date:           Fri Oct  5 20:12:37 UTC 2018

Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses the fragment flag instead of the fragment number. The code does not consider that the IKE payload fragments might not be received in the correct order. In this case, packet complete detection will again fail and VPN clients are abandoned from VPN service. Nevertheless, clients still can add fragments to the fragment queue and fill it up to the possible 255 fragments.
Only duplicates are detected, but not the fragments with a number greater than the last fragment number. The last fragment number is kept in the Phase 1 handler after fragment queue deletion, which may lead to error notifications after successful reassembly of the IKE phase 1 message. In general, the 2017 CVE fix added laconic and difficult to understand failure notifications, which do not help much with the analysis of why a VPN client was blocked by the racoon server.

This patch fixes the code and aligns it to the Microsoft/Cisco IKE fragmentation specification. It provides error logging which is in line with the above specification and adds some debug info to the logs to better support analysis of VPN client blackballing.

XXX: pullup-8

To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
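As an added illustration, not racoon's code and not the committed patch: a constructed C model of the fragment-queue checks the log message describes, with duplicates detected by fragment number rather than by the LAST flag, fragments numbered above the LAST fragment rejected, completion independent of arrival order, and the last-fragment number dropped together with the queue. The names frag_queue_add, FRAG_FLAG_LAST and demo_queue are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model, not racoon's code: fragment numbers run 1..255, the
 * last fragment carries a LAST flag, and completion must not depend on
 * the order in which fragments arrive. */
#define MAX_FRAGS 255
#define FRAG_FLAG_LAST 0x01
enum frag_result {
    FRAG_ACCEPTED,    /* queued, message not yet complete */
    FRAG_COMPLETE,    /* queued and every number 1..last is now present */
    FRAG_DUPLICATE,   /* this fragment number is already queued */
    FRAG_BEYOND_LAST, /* number contradicts the fragment flagged LAST */
    FRAG_BAD_NUMBER   /* number outside 1..255 */
};
struct frag_queue {
    bool seen[MAX_FRAGS + 1]; /* indexed by fragment number; slot 0 unused */
    unsigned count;           /* fragments queued so far */
    unsigned last_frag;       /* number of the LAST fragment, 0 if unseen */
};
struct frag_queue demo_queue; /* one Phase 1 handler's queue, for the tests */

void frag_queue_reset(struct frag_queue *q) { memset(q, 0, sizeof *q); }

enum frag_result frag_queue_add(struct frag_queue *q, unsigned num, uint8_t flags)
{
    if (num < 1 || num > MAX_FRAGS)
        return FRAG_BAD_NUMBER;
    if (q->seen[num]) /* keyed by number, so a repeated LAST fragment is caught */
        return FRAG_DUPLICATE;
    if (flags & FRAG_FLAG_LAST) {
        if (q->last_frag != 0) /* a second, differently numbered LAST fragment */
            return FRAG_BEYOND_LAST;
        for (unsigned i = num + 1; i <= MAX_FRAGS; i++)
            if (q->seen[i]) /* an earlier fragment numbered above the last one */
                return FRAG_BEYOND_LAST;
        q->last_frag = num;
    } else if (q->last_frag != 0 && num > q->last_frag) {
        return FRAG_BEYOND_LAST;
    }
    q->seen[num] = true;
    q->count++;
    /* queued numbers are distinct and <= last_frag, so count == last_frag
     * means 1..last are all present whatever the arrival order */
    if (q->last_frag != 0 && q->count == q->last_frag) {
        frag_queue_reset(q); /* forget last_frag together with the queue */
        return FRAG_COMPLETE;
    }
    return FRAG_ACCEPTED;
}
```

Feeding a constructed out-of-order trace (2, then 3 flagged LAST, then a repeated 3, then 4, then 1) returns accepted, accepted, duplicate, beyond-last and finally complete, after which the queue no longer remembers a last-fragment number.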