ports/111430: [ PATCH ] security/isakmpd with OpenSSL 0.9.8b and newer
Dan Lukes
dan at obluda.cz
Mon Apr 9 22:50:04 UTC 2007
>Number: 111430
>Category: ports
>Synopsis: [ PATCH ] security/isakmpd with OpenSSL 0.9.8b and newer
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 09 22:50:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 6.2-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 6.2-STABLE
isakmpd-20041207_2
>Description:
From the Makefile:
.if ${OSVERSION} >= 700019
BROKEN= is not buildable with OpenSSL 0.9.8b
.endif
By the way, ${OSVERSION} >= 700019 is not a sufficient test for OpenSSL 0.9.8b
- we can have OpenSSL from ports also.
So:
Problem 1: not compilable on a recent OS
Problem 2: not compilable against OpenSSL from ports (regardless of version)
in advance
Problem 3: due to a missing #define, isakmpd doesn't push the upper-layer protocol
specification and port number (for both src and dst addresses) into the SPD/SADB
kernel database. "Any protocol"/"any src port"/"any dst port" is submitted instead.
>How-To-Repeat:
N/A
>Fix:
1. The x509.c patch makes the port compilable against new OpenSSL.
2. The Makefile.sysdep patch makes the port compilable against OpenSSL from ports.
3. The pf_key_v2 patch unlocks the appropriate code for __FreeBSD__.
Patches [1] & [3] are brand new.
Patch [2] is a replacement for the current patch-Makefile.sysdep; the only change
is the use of ${OPENSSLINC} instead of hard-coded paths.
--- x509.c~ Mon Apr 9 23:38:38 2007
+++ x509.c Mon Apr 9 23:38:38 2007
@@ -910,7 +910,13 @@
X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
/* XXX See comment in x509_read_crls_from_dir. */
- if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
+ if (
+#if OPENSSL_VERSION_NUMBER >= 0x00908020L
+ x509_cas->param->flags
+#else
+ x509_cas->flags
+#endif
+ & X509_V_FLAG_CRL_CHECK) {
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
}
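Review bot: the nested #if inside the if (...) condition is hard to read and easy to break on the next merge; hoist the field access into a local, e.g. `#if OPENSSL_VERSION_NUMBER >= 0x00908020L` / `unsigned long flags = x509_cas->param->flags;` / `#else` with the old `x509_cas->flags`, then `if (flags & X509_V_FLAG_CRL_CHECK)`. Please also confirm the 0x00908020L boundary: if the X509_VERIFY_PARAM `param` member replaced `flags` with OpenSSL 0.9.8 itself rather than 0.9.8b, a 0.9.8 or 0.9.8a build will still fail and the threshold should be 0x00908000L.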
--- sysdep/freebsd/Makefile.sysdep.orig Sat Jun 26 05:40:57 2004
+++ sysdep/freebsd/Makefile.sysdep Mon Apr 9 23:21:10 2007
@@ -40,12 +40,12 @@
LIBSYSDEPDIR= ${.CURDIR}/sysdep/common/libsysdep
.endif
-LDADD+= -lgmp ${LIBSYSDEPDIR}/libsysdep.a -lipsec -L/usr/local/lib
+LDADD+= ${LIBSYSDEPDIR}/libsysdep.a -lipsec -L/usr/local/lib
DPADD+= ${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a
-CFLAGS+= -DHAVE_GETIFADDRS \
- -I${.CURDIR}/sysdep/common -I/usr/include \
- -I/usr/local/include -I/usr/local/include/openssl
+CFLAGS+= -DHAVE_GETIFADDRS -DHAVE_PCAP \
+ -I${.CURDIR}/sysdep/common -I/usr/include -I${OPENSSLINC}/openssl \
+ -I/usr/local/include
IPSEC_SRCS= pf_key_v2.c
IPSEC_CFLAGS= -DUSE_PF_KEY_V2
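Review bot: CFLAGS now take the OpenSSL headers from ${OPENSSLINC}, but LDADD still hard-codes `-L/usr/local/lib` with no `-L${OPENSSLLIB}`, so a base-OpenSSL build on a host that also has the port installed can compile against one OpenSSL and link against the other; add `-L${OPENSSLLIB}` next to the include change. Two things in the hunk are not covered by the "only change is ${OPENSSLINC}" description: `-lgmp` is dropped from LDADD while DPADD keeps ${LIBGMP}, and `-DHAVE_PCAP` is added. Also note that `-I${OPENSSLINC}/openssl` only serves `#include <x509.h>`-style includes; `<openssl/x509.h>` needs `-I${OPENSSLINC}`.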
@@ -58,9 +58,6 @@
GENERATED+= sysdep-target
sysdep-target:
cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS}
-
-# Kludge around much strange behaviour in /usr/share/mk/bsd.*/mk, don't build certpatch
-SUBDIR=
.if make(clean)
SUBDIR+= sysdep/common/libsysdep
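Review bot: dropping the `SUBDIR=` reset means the `SUBDIR+= sysdep/common/libsysdep` under make(clean) now appends to whatever SUBDIR bsd.*.mk already carries, and the removed comment says the reset was there precisely to keep certpatch out of the build; please verify that certpatch is still not built and that `make clean` still descends into sysdep/common/libsysdep, or keep the reset and explain in the commit why it is no longer needed.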
--- pf_key_v2.c~ Mon Apr 9 23:10:51 2007
+++ pf_key_v2.c Mon Apr 9 23:10:51 2007
@@ -2204,13 +2204,13 @@
goto cleanup;
addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
-#ifdef LINUX_IPSEC
+#if defined(LINUX_IPSEC) || defined (__FreeBSD__)
addr->sadb_address_proto = tproto;
#else
addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
#endif
addr->sadb_address_reserved = 0;
-#ifdef LINUX_IPSEC
+#if defined(LINUX_IPSEC) || defined (__FreeBSD__)
pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, sport, 0);
#else
pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, IPSEC_PORT_ANY, 0);
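Review bot: the `defined(LINUX_IPSEC) || defined (__FreeBSD__)` condition is repeated for proto and for port here and again for the DST address below; define a single feature macro in the sysdep layer (for example one that says the kernel's sadb_address honours proto and port) and test that in all four places, so the next platform needs one line rather than four. Minor: `defined (__FreeBSD__)` has a space the adjacent `defined(LINUX_IPSEC)` does not.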
@@ -2238,13 +2238,13 @@
goto cleanup;
addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
-#ifdef LINUX_IPSEC
+#if defined(LINUX_IPSEC) || defined (__FreeBSD__)
addr->sadb_address_proto = tproto;
#else
addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
#endif
addr->sadb_address_reserved = 0;
-#ifdef LINUX_IPSEC
+#if defined(LINUX_IPSEC) || defined (__FreeBSD__)
pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, dport, 0);
#else
pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, IPSEC_PORT_ANY, 0);
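Review bot: with SRC and DST now carrying tproto/sport/dport on FreeBSD, check whether any other `#ifdef LINUX_IPSEC` block in pf_key_v2.c (flow deletion in particular) still sends IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY; a flow installed with a specific protocol and ports will not be found again by a delete that wildcards them, so every path that names the same flow must use the same guard.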
>Release-Note:
>Audit-Trail:
>Unformatted:
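To make Problem 3 concrete, here is an added example (not isakmpd code and not part of the PR) that encodes a PF_KEY v2 SADB_EXT_ADDRESS extension the way RFC 2367 lays it out: the extension header, then a sockaddr carrying the port, with the length counted in 8-byte chunks. A `selectors` switch reproduces the two behaviours the report contrasts: the FreeBSD build before the patch, which wildcards protocol and port, and the build after it, which sends the negotiated values. The struct, the constants and the value 255 for IPSEC_ULPROTO_ANY are declared locally as assumptions so the example builds without the platform's pfkeyv2.h.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define PF_KEY_V2_CHUNK 8        /* RFC 2367: *_len fields count 64-bit units */
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define IPSEC_ULPROTO_ANY 255    /* assumed: KAME "any upper-layer protocol" */
#define IPSEC_PORT_ANY 0

/* RFC 2367 section 2.3.3 layout, declared here (assumption) so the example
 * builds without the platform's pfkeyv2.h. */
struct sadb_address {
    uint16_t sadb_address_len;
    uint16_t sadb_address_exttype;
    uint8_t  sadb_address_proto;
    uint8_t  sadb_address_prefixlen;
    uint16_t sadb_address_reserved;
};

/* Extension header followed by the IPv4 sockaddr that carries the port.
 * 8 + 16 bytes, already a multiple of PF_KEY_V2_CHUNK. */
struct addr_ext {
    struct sadb_address hdr;
    struct sockaddr_in  sa;
};

/* Fill one SADB_EXT_ADDRESS_{SRC,DST} extension for a flow endpoint.
 * selectors == 0 mimics the pre-patch FreeBSD build: protocol and port
 * are replaced by the "any" values, widening the SPD entry.
 * Returns 0 on success, -1 if the address does not parse. */
int build_addr_ext(struct addr_ext *ext, uint16_t exttype, const char *ip,
                   uint8_t prefixlen, uint8_t proto, uint16_t port, int selectors)
{
    memset(ext, 0, sizeof *ext);
    ext->hdr.sadb_address_len = sizeof *ext / PF_KEY_V2_CHUNK;
    ext->hdr.sadb_address_exttype = exttype;
    ext->hdr.sadb_address_proto = selectors ? proto : IPSEC_ULPROTO_ANY;
    ext->hdr.sadb_address_prefixlen = prefixlen;
    ext->hdr.sadb_address_reserved = 0;
    ext->sa.sin_family = AF_INET;
    ext->sa.sin_port = htons(selectors ? port : IPSEC_PORT_ANY);
    if (inet_pton(AF_INET, ip, &ext->sa.sin_addr) != 1)
        return -1;
    return 0;
}

/* Decoders: what the kernel would see in the extension. */
uint8_t ext_proto(const struct addr_ext *ext) { return ext->hdr.sadb_address_proto; }
uint16_t ext_port(const struct addr_ext *ext) { return ntohs(ext->sa.sin_port); }
unsigned ext_bytes(const struct addr_ext *ext)
{
    return ext->hdr.sadb_address_len * PF_KEY_V2_CHUNK;
}

/* A selector matches every upper protocol and port only when both are "any". */
int ext_is_wildcard(const struct addr_ext *ext)
{
    return ext_proto(ext) == IPSEC_ULPROTO_ANY && ext_port(ext) == IPSEC_PORT_ANY;
}

int main(void)
{
    struct addr_ext patched, unpatched;   /* constructed sample: TCP/22 from 192.0.2.10 */
    build_addr_ext(&patched, SADB_EXT_ADDRESS_SRC, "192.0.2.10", 32, IPPROTO_TCP, 22, 1);
    build_addr_ext(&unpatched, SADB_EXT_ADDRESS_SRC, "192.0.2.10", 32, IPPROTO_TCP, 22, 0);
    printf("patched:   proto=%u port=%u wildcard=%d len=%u bytes\n",
           ext_proto(&patched), ext_port(&patched), ext_is_wildcard(&patched), ext_bytes(&patched));
    printf("unpatched: proto=%u port=%u wildcard=%d len=%u bytes\n",
           ext_proto(&unpatched), ext_port(&unpatched), ext_is_wildcard(&unpatched), ext_bytes(&unpatched));
    return 0;
}
```

The point of the wildcard check is the security consequence the report describes: an SPD entry whose src and dst extensions both carry "any" protocol and port applies the negotiated SA to all traffic between the two hosts, not only to the flow the peers actually agreed on.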