Mageia Bugzilla – Attachment 2654 Details for
Bug 7095
openswan missing update for several security issues
[patch]
openswan-cve-2011-4073.patch
openswan-cve-2011-4073.patch (text/plain), 4.00 KB, created by
David Walser
on 2012-08-17 19:52:52 CEST
Description:
openswan-cve-2011-4073.patch
Filename:
MIME Type:
Creator:
David Walser
Created:
2012-08-17 19:52:52 CEST
Size:
4.00 KB
diff -urNp openswan-2.6.32-cvs-patched/programs/pluto/ikev1_continuations.h openswan-2.6.32-current/programs/pluto/ikev1_continuations.h
--- openswan-2.6.32-cvs-patched/programs/pluto/ikev1_continuations.h 2011-10-27 14:45:17.229069635 -0400
+++ openswan-2.6.32-current/programs/pluto/ikev1_continuations.h 2011-10-27 15:32:30.130607359 -0400
@@ -7,8 +7,6 @@
 
 struct qke_continuation {
 struct pluto_crypto_req_cont qke_pcrc;
- struct state *st; /* need to use abstract # */
- struct state *isakmp_sa; /* used in initiator */
 so_serial_t replacing;
 struct msg_digest *md; /* used in responder */
 };
diff -urNp openswan-2.6.32-cvs-patched/programs/pluto/ikev1_quick.c openswan-2.6.32-current/programs/pluto/ikev1_quick.c
--- openswan-2.6.32-cvs-patched/programs/pluto/ikev1_quick.c 2011-10-27 14:47:05.651990914 -0400
+++ openswan-2.6.32-current/programs/pluto/ikev1_quick.c 2011-10-27 15:32:30.131607358 -0400
@@ -701,7 +701,8 @@ init_phase2_iv(struct state *st, const m
 
 static stf_status
 quick_outI1_tail(struct pluto_crypto_req_cont *pcrc
- , struct pluto_crypto_req *r);
+ , struct pluto_crypto_req *r
+ , struct state *st);
 
 static void
 quick_outI1_continue(struct pluto_crypto_req_cont *pcrc
@@ -709,7 +710,7 @@ quick_outI1_continue(struct pluto_crypto
 , err_t ugh)
 {
 struct qke_continuation *qke = (struct qke_continuation *)pcrc;
- struct state *const st = qke->st;
+ struct state *const st = state_with_serialno(qke->qke_pcrc.pcrc_serialno);
 stf_status e;
 
 DBG(DBG_CONTROLMORE
@@ -732,7 +733,9 @@ quick_outI1_continue(struct pluto_crypto
 
 set_cur_state(st); /* we must reset before exit */
 set_suspended(st, NULL);
- e = quick_outI1_tail(pcrc, r);
+ e = quick_outI1_tail(pcrc, r, st);
+ if (e == STF_INTERNAL_ERROR)
+ loglog(RC_LOG_SERIOUS, "%s: quick_outI1_tail() failed with STF_INTERNAL_ERROR", __FUNCTION__);
 
 reset_globals();
 }
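Review bot: `struct msg_digest *md` stays in `struct qke_continuation` as a raw pointer, while the two `struct state *` members are dropped so that state is re-resolved by serial number once the crypto helper answers. If the digest can be released, or itself caches a state pointer, while the request is outstanding (not visible on this page), the same lifetime question applies to it. A comment on the member saying who owns `md` for the duration of the helper round-trip would settle this, for instance `/* used in responder; kept alive by the continuation until the helper replies */` if that is the actual contract.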
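Review bot: The `st` returned by `state_with_serialno(qke->qke_pcrc.pcrc_serialno)` in `quick_outI1_continue` (hunk `@@ -709`) is not checked for NULL in the visible lines, although the patch itself treats a NULL result of the same lookup as "state got deleted while cryptohelper was working" inside `quick_outI1_tail`. The following hunk hands `st` to `set_cur_state()`, `set_suspended()` and `quick_outI1_tail()`, and the tail reads `st->st_clonedfrom` and `st->st_connection` in its initializers. Unless the lines between the two hunks, which are outside this view, already bail out, a guard directly after the lookup is needed, e.g. `if (st == NULL) { loglog(RC_LOG_SERIOUS, "%s: state is gone", __FUNCTION__); return; }`. The same lookup without a visible check appears in `quick_inI1_outR1_cryptocontinue1` in the `@@ -2007` hunk.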
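Review bot: The `STF_FATAL` that `quick_outI1_tail` now returns when the parent ISAKMP SA is gone is dropped in the `@@ -732` hunk, where `quick_outI1_continue` only logs on `e == STF_INTERNAL_ERROR` and then falls through to `reset_globals()`. As far as this hunk shows, nothing deletes or reschedules the phase 2 state on that path, so it would presumably linger until some other timer removes it. Either act on `STF_FATAL` next to the new check or add a comment stating where the orphaned state is cleaned up. The new `if` is also unbraced; `if (e == STF_INTERNAL_ERROR) { loglog(...); }` keeps a later added statement from slipping outside the condition.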
@@ -827,8 +830,6 @@ quick_outI1(int whack_sock
 , isakmp_sa->st_serialno, st->st_msgid, p2alg, pfsgroupname);
 }
 
- qke->st = st;
- qke->isakmp_sa = isakmp_sa;
 qke->replacing = replacing;
 pcrc_init(&qke->qke_pcrc);
 qke->qke_pcrc.pcrc_func = quick_outI1_continue;
@@ -846,12 +847,12 @@ quick_outI1(int whack_sock
 
 static stf_status
 quick_outI1_tail(struct pluto_crypto_req_cont *pcrc
- , struct pluto_crypto_req *r)
+ , struct pluto_crypto_req *r
+ , struct state *st)
 {
 struct qke_continuation *qke = (struct qke_continuation *)pcrc;
- struct state *st = qke->st;
+ struct state *isakmp_sa = state_with_serialno(st->st_clonedfrom);
 struct connection *c = st->st_connection;
- struct state *isakmp_sa = qke->isakmp_sa;
 pb_stream rbody;
 u_char /* set by START_HASH_PAYLOAD: */
 *r_hashval, /* where in reply to jam hash value */
@@ -860,7 +861,11 @@ quick_outI1_tail(struct pluto_crypto_req
 c->spd.this.protocol || c->spd.that.protocol ||
 c->spd.this.port || c->spd.that.port;
 
- st->st_connection = c;
+ if(isakmp_sa == NULL) {
+ /* phase1 state got deleted while cryptohelper was working */
+ loglog(RC_LOG_SERIOUS,"phase2 initiation failed because parent ISAKMP #%lu is gone", st->st_clonedfrom);
+ return STF_FATAL;
+ }
 
 #ifdef NAT_TRAVERSAL
 if (isakmp_sa->hidden_variables.st_nat_traversal & NAT_T_DETECTED) {
@@ -1981,8 +1986,6 @@ quick_inI1_outR1_authtail(struct verify_
 ci = pcim_ongoing_crypto;
 if(ci < st->st_import) ci = st->st_import;
 
- qke->st = st;
- qke->isakmp_sa = p1st;
 qke->md = md;
 pcrc_init(&qke->qke_pcrc);
 qke->qke_pcrc.pcrc_func = quick_inI1_outR1_cryptocontinue1;
@@ -2007,7 +2010,7 @@ quick_inI1_outR1_cryptocontinue1(struct
 {
 struct qke_continuation *qke = (struct qke_continuation *)pcrc;
 struct msg_digest *md = qke->md;
- struct state *const st = qke->st;
+ struct state *const st = state_with_serialno(qke->qke_pcrc.pcrc_serialno);
 stf_status e;
 
 DBG(DBG_CONTROLMORE
Attachments on
bug 7095
:
2653
| 2654