Tue Jan 24 19:23:56 2017 UTC ()
PR/51682: Avoid a DoS caused by out-of-order fragment insertion; keep the
received fragments sorted in the list.


(christos)
diff -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/handler.h
diff -r1.75 -r1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -r1.50 -r1.51 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c

cvs diff -r1.25 -r1.26 src/crypto/dist/ipsec-tools/src/racoon/handler.h (expand / switch to unified diff)

--- src/crypto/dist/ipsec-tools/src/racoon/handler.h 2010/11/17 10:40:41 1.25
+++ src/crypto/dist/ipsec-tools/src/racoon/handler.h 2017/01/24 19:23:56 1.26
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */ 1/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
2 2
3/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */ 3/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
4 4
5/* 5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved. 7 * All rights reserved.
8 * 8 *
9 * Redistribution and use in source and binary forms, with or without 9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions 10 * modification, are permitted provided that the following conditions
11 * are met: 11 * are met:
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
@@ -131,26 +131,27 @@ struct ph1handle { @@ -131,26 +131,27 @@ struct ph1handle {
131 131
132 u_int8_t version; /* ISAKMP version */ 132 u_int8_t version; /* ISAKMP version */
133 u_int8_t etype; /* Exchange type actually for use */ 133 u_int8_t etype; /* Exchange type actually for use */
134 u_int8_t flags; /* Flags */ 134 u_int8_t flags; /* Flags */
135 u_int32_t msgid; /* message id */ 135 u_int32_t msgid; /* message id */
136 136
137 u_int32_t vendorid_mask; /* bitmask of received supported vendor ids*/ 137 u_int32_t vendorid_mask; /* bitmask of received supported vendor ids*/
138#ifdef ENABLE_NATT 138#ifdef ENABLE_NATT
139 struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */ 139 struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
140 u_int32_t natt_flags; /* NAT-T related flags */ 140 u_int32_t natt_flags; /* NAT-T related flags */
141#endif 141#endif
142#ifdef ENABLE_FRAG 142#ifdef ENABLE_FRAG
143 int frag; /* IKE phase 1 fragmentation */ 143 int frag; /* IKE phase 1 fragmentation */
 144 int frag_last_index;
144 struct isakmp_frag_item *frag_chain; /* Received fragments */ 145 struct isakmp_frag_item *frag_chain; /* Received fragments */
145#endif 146#endif
146 147
147 struct sched sce; /* schedule for expire */ 148 struct sched sce; /* schedule for expire */
148 149
149 struct sched scr; /* schedule for resend */ 150 struct sched scr; /* schedule for resend */
150 int retry_counter; /* for resend. */ 151 int retry_counter; /* for resend. */
151 vchar_t *sendbuf; /* buffer for re-sending */ 152 vchar_t *sendbuf; /* buffer for re-sending */
152 153
153 vchar_t *dhpriv; /* DH; private value */ 154 vchar_t *dhpriv; /* DH; private value */
154 vchar_t *dhpub; /* DH; public value */ 155 vchar_t *dhpub; /* DH; public value */
155 vchar_t *dhpub_p; /* DH; partner's public value */ 156 vchar_t *dhpub_p; /* DH; partner's public value */
156 vchar_t *dhgxy; /* DH; shared secret */ 157 vchar_t *dhgxy; /* DH; shared secret */
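Review bot: The new `frag_last_index` member at new line 144 is the only field in the ENABLE_FRAG group without a trailing comment, so its meaning and sentinel value are left to the reader; suggest `int frag_last_index; /* index of last fragment accepted; 0 = none yet */` if that matches how the insertion code uses it (presumably it holds the index taken from the fragment payload — confirm). The field is declared `int` while the fragment index it mirrors is, as far as I recall, a small unsigned field in the payload; if so, a comment stating the valid range would help anyone adding comparisons later. Also worth noting: the diffstat lists only handler.h, isakmp.c and isakmp_inf.c, so the code that actually reads and updates this field to enforce ordering is not part of the changeset shown here, and the DoS named in the message is only closed once that companion change is in. `struct ph1handle` begins before this hunk.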

cvs diff -r1.75 -r1.76 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c (expand / switch to unified diff)

--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c 2016/03/09 22:27:17 1.75
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c 2017/01/24 19:23:56 1.76
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: isakmp.c,v 1.75 2016/03/09 22:27:17 christos Exp $ */ 1/* $NetBSD: isakmp.c,v 1.76 2017/01/24 19:23:56 christos Exp $ */
2 2
3/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ 3/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
4 4
5/* 5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved. 7 * All rights reserved.
8 * 8 *
9 * Redistribution and use in source and binary forms, with or without 9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions 10 * modification, are permitted provided that the following conditions
11 * are met: 11 * are met:
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
@@ -1067,26 +1067,27 @@ isakmp_ph1begin_i(rmconf, remote, local) @@ -1067,26 +1067,27 @@ isakmp_ph1begin_i(rmconf, remote, local)
1067#endif 1067#endif
1068#ifdef ENABLE_HYBRID 1068#ifdef ENABLE_HYBRID
1069 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { 1069 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1070 delph1(iph1); 1070 delph1(iph1);
1071 return NULL; 1071 return NULL;
1072 } 1072 }
1073#endif 1073#endif
1074#ifdef ENABLE_FRAG 1074#ifdef ENABLE_FRAG
1075 1075
1076 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE) 1076 if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
1077 iph1->frag = 1; 1077 iph1->frag = 1;
1078 else 1078 else
1079 iph1->frag = 0; 1079 iph1->frag = 0;
 1080 iph1->frag_last_index = 0;
1080 iph1->frag_chain = NULL; 1081 iph1->frag_chain = NULL;
1081#endif 1082#endif
1082 iph1->approval = NULL; 1083 iph1->approval = NULL;
1083 1084
1084 /* XXX copy remote address */ 1085 /* XXX copy remote address */
1085 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) { 1086 if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
1086 delph1(iph1); 1087 delph1(iph1);
1087 return NULL; 1088 return NULL;
1088 } 1089 }
1089 1090
1090 (void)insph1(iph1); 1091 (void)insph1(iph1);
1091 1092
1092 /* start phase 1 exchange */ 1093 /* start phase 1 exchange */
@@ -1171,26 +1172,27 @@ isakmp_ph1begin_r(msg, remote, local, et @@ -1171,26 +1172,27 @@ isakmp_ph1begin_r(msg, remote, local, et
1171 iph1->version = isakmp->v; 1172 iph1->version = isakmp->v;
1172 iph1->msgid = 0; 1173 iph1->msgid = 0;
1173#ifdef HAVE_GSSAPI 1174#ifdef HAVE_GSSAPI
1174 iph1->gssapi_state = NULL; 1175 iph1->gssapi_state = NULL;
1175#endif 1176#endif
1176#ifdef ENABLE_HYBRID 1177#ifdef ENABLE_HYBRID
1177 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) { 1178 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
1178 delph1(iph1); 1179 delph1(iph1);
1179 return -1; 1180 return -1;
1180 } 1181 }
1181#endif 1182#endif
1182#ifdef ENABLE_FRAG 1183#ifdef ENABLE_FRAG
1183 iph1->frag = 0; 1184 iph1->frag = 0;
 1185 iph1->frag_last_index = 0;
1184 iph1->frag_chain = NULL; 1186 iph1->frag_chain = NULL;
1185#endif 1187#endif
1186 iph1->approval = NULL; 1188 iph1->approval = NULL;
1187 1189
1188#ifdef ENABLE_NATT 1190#ifdef ENABLE_NATT
1189 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port. 1191 /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
1190 * We have to setup this flag now to correctly generate the first reply. 1192 * We have to setup this flag now to correctly generate the first reply.
1191 * Don't know if a better check could be done for that ? 1193 * Don't know if a better check could be done for that ?
1192 */ 1194 */
1193 if(extract_port(local) == lcconf->port_isakmp_natt) 1195 if(extract_port(local) == lcconf->port_isakmp_natt)
1194 iph1->natt_flags |= (NAT_PORTS_CHANGED); 1196 iph1->natt_flags |= (NAT_PORTS_CHANGED);
1195#endif 1197#endif
1196 1198
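Review bot: `iph1->frag_last_index = 0;` is now repeated verbatim at each ph1handle construction site (new lines 1080 and 1185 here, plus the notify-only handle in isakmp_inf.c), each inside its own `#ifdef ENABLE_FRAG`, so any other site that builds a ph1handle — now or later — silently leaves the counter uninitialized unless the allocator already zeroes the struct (not visible in these hunks). Folding the three fragment fields into one small helper would make the invariant live in one place and let the reassembly teardown path reuse it. The choice of 0 as "nothing received yet" is only a safe sentinel if fragment numbering starts at 1 and the insertion code compares strictly, which this commit does not show — a one-line comment at the helper stating that assumption would be useful. Both enclosing functions, isakmp_ph1begin_i and isakmp_ph1begin_r, continue outside the hunks.
```c
#ifdef ENABLE_FRAG
/* Reset per-handle fragment reassembly state; 0 means no fragment seen yet. */
static inline void
ph1_frag_init(struct ph1handle *iph1, int frag)
{
	iph1->frag = frag;
	iph1->frag_last_index = 0;
	iph1->frag_chain = NULL;
}
#endif
/* … unchanged: the callers then become ph1_frag_init(iph1, rmconf->ike_frag == ISAKMP_FRAG_FORCE) and ph1_frag_init(iph1, 0) … */
```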

cvs diff -r1.50 -r1.51 src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c (expand / switch to unified diff)

--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c 2013/04/12 09:53:10 1.50
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c 2017/01/24 19:23:56 1.51
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: isakmp_inf.c,v 1.50 2013/04/12 09:53:10 tteras Exp $ */ 1/* $NetBSD: isakmp_inf.c,v 1.51 2017/01/24 19:23:56 christos Exp $ */
2 2
3/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */ 3/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
4 4
5/* 5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved. 7 * All rights reserved.
8 *  8 *
9 * Redistribution and use in source and binary forms, with or without 9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions 10 * modification, are permitted provided that the following conditions
11 * are met: 11 * are met:
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright 14 * 2. Redistributions in binary form must reproduce the above copyright
@@ -710,26 +710,27 @@ isakmp_info_send_nx(isakmp, remote, loca @@ -710,26 +710,27 @@ isakmp_info_send_nx(isakmp, remote, loca
710 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t)); 710 memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t));
711 isakmp_newcookie((char *)&iph1->index.r_ck, remote, local); 711 isakmp_newcookie((char *)&iph1->index.r_ck, remote, local);
712 iph1->status = PHASE1ST_START; 712 iph1->status = PHASE1ST_START;
713 iph1->side = INITIATOR; 713 iph1->side = INITIATOR;
714 iph1->version = isakmp->v; 714 iph1->version = isakmp->v;
715 iph1->flags = 0; 715 iph1->flags = 0;
716 iph1->msgid = 0; /* XXX */ 716 iph1->msgid = 0; /* XXX */
717#ifdef ENABLE_HYBRID 717#ifdef ENABLE_HYBRID
718 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) 718 if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
719 goto end; 719 goto end;
720#endif 720#endif
721#ifdef ENABLE_FRAG 721#ifdef ENABLE_FRAG
722 iph1->frag = 0; 722 iph1->frag = 0;
 723 iph1->frag_last_index = 0;
723 iph1->frag_chain = NULL; 724 iph1->frag_chain = NULL;
724#endif 725#endif
725 726
726 /* copy remote address */ 727 /* copy remote address */
727 if (copy_ph1addresses(iph1, NULL, remote, local) < 0) 728 if (copy_ph1addresses(iph1, NULL, remote, local) < 0)
728 goto end; 729 goto end;
729 730
730 tlen = sizeof(*n) + spisiz; 731 tlen = sizeof(*n) + spisiz;
731 if (data) 732 if (data)
732 tlen += data->l; 733 tlen += data->l;
733 payload = vmalloc(tlen); 734 payload = vmalloc(tlen);
734 if (payload == NULL) {  735 if (payload == NULL) {
735 plog(LLV_ERROR, LOCATION, NULL, 736 plog(LLV_ERROR, LOCATION, NULL,
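Review bot: In isakmp_info_send_nx the fragment fields, including the new `frag_last_index` at new line 723, are still assigned after the `#ifdef ENABLE_HYBRID` block, so the `goto end` at line 719 leaves the handle with `frag`, `frag_last_index` and `frag_chain` unset; whether that matters depends on what the `end:` label does with the handle and on whether the allocator zeroes it, neither of which is visible here. Moving the whole `#ifdef ENABLE_FRAG … #endif` group above the ENABLE_HYBRID check would make the handle consistent on every exit path at no cost. This handle appears to be a throwaway used only to send a notification (the visible lines only set cookies, status, side, version and build the payload), so a comment such as `/* frag state initialised for delph1()'s sake; no fragments are ever received on this handle */` would record why the field is set at all — confirm against the teardown code. isakmp_info_send_nx continues past the hunk.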