Group :: Security/Networking
RPM: ipsec-tools
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
Patch: racoon-lspp-ipsec.patch
Download
Download
This is the latest in a series of racoon patches.
Upon testing racoon, it appeared racoon was still trying
to lookup policy with a security context, although
security contexts were not being used.
This patch includes fix for this problem.
Please replace any previous racoon patches, with this one.
This patch is against ipsec-tools-0.6.5-3.1 in rawhide.
Let me know if there are any problems.
Regards,
Joy Latten
----------------------------------------------------------------------------
diff -urpN ipsec-tools-0.6.5.orig/configure.ac ipsec-tools-0.6.5.0918/configure.ac
--- ipsec-tools-0.6.5.orig/configure.ac 2006-08-22 00:49:52.000000000 -0500
+++ ipsec-tools-0.6.5.0918/configure.ac 2006-09-18 03:29:40.000000000 -0500
@@ -620,6 +620,7 @@ if test "$enable_security_context" = "ye
AC_DEFINE([HAVE_SECCTX], [], [Enable Security Context])
SECCTX_OBJS="security.o"
AC_SUBST(SECCTX_OBJS)
+ LIBS="$LIBS -lselinux"
fi
fi
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/cftoken.c ipsec-tools-0.6.5.0918/src/racoon/cftoken.c
--- ipsec-tools-0.6.5.orig/src/racoon/cftoken.c 2006-08-22 00:49:52.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/cftoken.c 2006-09-18 02:57:23.000000000 -0500
@@ -1363,6 +1363,7 @@ char *yytext;
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
+#include "policy.h"
#include "proposal.h"
#include "nattraversal.h"
#ifdef GC
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c ipsec-tools-0.6.5.0918/src/racoon/isakmp_quick.c
--- ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/isakmp_quick.c 2006-09-18 02:47:16.000000000 -0500
@@ -2128,5 +2128,11 @@ get_proposal_r(iph2)
return ISAKMP_INTERNAL_ERROR;
}
+#ifdef HAVE_SECCTX
+ if (spidx.sec_ctx.ctx_str) {
+ set_secctx_in_proposal(iph2, spidx);
+ }
+#endif /* HAVE_SECCTX */
+
return 0;
}
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/pfkey.c ipsec-tools-0.6.5.0918/src/racoon/pfkey.c
--- ipsec-tools-0.6.5.orig/src/racoon/pfkey.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/pfkey.c 2006-09-21 01:35:43.000000000 -0500
@@ -1672,6 +1672,10 @@ pk_recvacquire(mhp)
struct ph2handle *iph2[MAXNESTEDSA];
struct sockaddr *src, *dst;
int n; /* # of phase 2 handler */
+#ifdef HAVE_SECCTX
+ struct sadb_x_sec_ctx *m_sec_ctx;
+#endif /* HAVE_SECCTX */
+ struct policyindex spidx;
/* ignore this message because of local test mode. */
if (f_local)
@@ -1691,6 +1695,24 @@ pk_recvacquire(mhp)
src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+#ifdef HAVE_SECCTX
+ m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+
+ if (m_sec_ctx != NULL) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context doi: %u\n",
+ m_sec_ctx->sadb_x_ctx_doi);
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context algorithm: %u\n",
+ m_sec_ctx->sadb_x_ctx_alg);
+ plog(LLV_INFO, LOCATION, NULL,
+ "security context length: %u\n",
+ m_sec_ctx->sadb_x_ctx_len);
+ plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
+ ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
+ }
+#endif /* HAVE_SECCTX */
+
/* ignore if type is not IPSEC_POLICY_IPSEC */
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
plog(LLV_DEBUG, LOCATION, NULL,
@@ -1778,18 +1800,24 @@ pk_recvacquire(mhp)
/* get inbound policy */
{
- struct policyindex spidx;
+ memset(&spidx, 0, sizeof(spidx));
spidx.dir = IPSEC_DIR_INBOUND;
memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
spidx.prefs = sp_out->spidx.prefd;
spidx.prefd = sp_out->spidx.prefs;
spidx.ul_proto = sp_out->spidx.ul_proto;
+
#ifdef HAVE_SECCTX
- if (*sp_out->spidx.sec_ctx.ctx_str)
- memcpy(&spidx.sec_ctx, &sp_out->spidx.sec_ctx,
- sizeof(spidx.sec_ctx));
+ if (m_sec_ctx) {
+ spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
+ spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
+ spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
+ memcpy(spidx.sec_ctx.ctx_str,
+ ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
+ spidx.sec_ctx.ctx_strlen);
+ }
#endif
sp_in = getsp(&spidx);
@@ -1877,6 +1905,12 @@ pk_recvacquire(mhp)
delph2(iph2[n]);
return -1;
}
+#ifdef HAVE_SECCTX
+ if (m_sec_ctx) {
+ set_secctx_in_proposal(iph2[n], spidx);
+ }
+#endif /* HAVE_SECCTX */
+
insph2(iph2[n]);
/* start isakmp initiation by using ident exchange */
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.c ipsec-tools-0.6.5.0918/src/racoon/policy.c
--- ipsec-tools-0.6.5.orig/src/racoon/policy.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/policy.c 2006-09-21 02:04:10.000000000 -0500
@@ -206,9 +206,7 @@ cmpspidxstrict(a, b)
#ifdef HAVE_SECCTX
if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
|| a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
- || a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
- || (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str,
- a->sec_ctx.ctx_strlen) != 0))
+ || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
return 1;
#endif
return 0;
@@ -284,9 +282,7 @@ cmpspidxwild(a, b)
#ifdef HAVE_SECCTX
if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
|| a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
- || a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
- || (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str,
- a->sec_ctx.ctx_strlen) != 0))
+ || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
return 1;
#endif
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.h ipsec-tools-0.6.5.0918/src/racoon/policy.h
--- ipsec-tools-0.6.5.orig/src/racoon/policy.h 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/policy.h 2006-09-18 03:05:08.000000000 -0500
@@ -35,6 +35,7 @@
#include <sys/queue.h>
#ifdef HAVE_SECCTX
+
#define MAX_CTXSTR_SIZE 50
struct security_ctx {
u_int8_t ctx_doi; /* Security Context DOI */
@@ -146,6 +147,11 @@ extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));
extern const char *spidx2str __P((const struct policyindex *));
+#ifdef HAVE_SECCTX
+#include <selinux/selinux.h>
extern int get_security_context __P((vchar_t *, struct policyindex *));
+extern int within_range __P((security_context_t, security_context_t));
+extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
+#endif
#endif /* _POLICY_H */
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/proposal.c ipsec-tools-0.6.5.0918/src/racoon/proposal.c
--- ipsec-tools-0.6.5.orig/src/racoon/proposal.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/proposal.c 2006-09-18 02:47:16.000000000 -0500
@@ -1025,15 +1025,6 @@ set_proposal_from_policy(iph2, sp_main,
newpp->lifetime = iph2->sainfo->lifetime;
newpp->lifebyte = iph2->sainfo->lifebyte;
newpp->pfs_group = iph2->sainfo->pfs_group;
-#ifdef HAVE_SECCTX
- if (*sp_main->spidx.sec_ctx.ctx_str) {
- newpp->sctx.ctx_doi = sp_main->spidx.sec_ctx.ctx_doi;
- newpp->sctx.ctx_alg = sp_main->spidx.sec_ctx.ctx_alg;
- newpp->sctx.ctx_strlen = sp_main->spidx.sec_ctx.ctx_strlen;
- memcpy(newpp->sctx.ctx_str, sp_main->spidx.sec_ctx.ctx_str,
- sp_main->spidx.sec_ctx.ctx_strlen);
- }
-#endif /* HAVE_SECCTX */
if (lcconf->complex_bundle)
goto skip1;
@@ -1196,7 +1187,11 @@ set_proposal_from_proposal(iph2)
pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen;
memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str,
pp_peer->sctx.ctx_strlen);
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "RESPONDING with (%s).\n", pp_peer->sctx.ctx_str);
}
+
#endif /* HAVE_SECCTX */
if (pp_peer->next != NULL) {
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/security.c ipsec-tools-0.6.5.0918/src/racoon/security.c
--- ipsec-tools-0.6.5.orig/src/racoon/security.c 2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/security.c 2006-09-18 10:58:37.000000000 -0500
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2005 International Business Machines Corporation
+ * Copyright (c) 2005 by Trusted Computer Solutions, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -36,6 +37,12 @@
#include <stdio.h>
#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#include <selinux/avc.h>
+#include <selinux/context.h>
+
#include "var.h"
#include "vmbuf.h"
#include "misc.h"
@@ -45,6 +52,7 @@
#include "isakmp.h"
#include "ipsec_doi.h"
#include "policy.h"
+#include "proposal.h"
#include "strnames.h"
#include "handler.h"
@@ -150,3 +158,112 @@ get_security_context(sa, p)
}
return 0;
}
+
+void
+set_secctx_in_proposal(iph2, spidx)
+ struct ph2handle *iph2;
+ struct policyindex spidx;
+{
+ iph2->proposal->sctx.ctx_doi = spidx.sec_ctx.ctx_doi;
+ iph2->proposal->sctx.ctx_alg = spidx.sec_ctx.ctx_alg;
+ iph2->proposal->sctx.ctx_strlen = spidx.sec_ctx.ctx_strlen;
+ memcpy(iph2->proposal->sctx.ctx_str, spidx.sec_ctx.ctx_str,
+ spidx.sec_ctx.ctx_strlen);
+}
+
+
+/*
+ * function: init_avc
+ * description: function performs the steps necessary to initialize the
+ * userspace avc.
+ * input: void
+ * return: 0 if avc was successfully initialized
+ * 1 if the avc could not be initialized
+ */
+
+static int
+init_avc(void)
+{
+ int rtn = 0;
+
+ if (!is_selinux_mls_enabled()) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
+ " enabled.\n");
+ return 1;
+ }
+
+ rtn = avc_init("racoon", NULL, NULL, NULL, NULL);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize avc.\n");
+ rtn = 1;
+ }
+ return rtn;
+}
+
+/*
+ * function: within_range
+ * description: function determines if the specified sl is within the
+ * configured range for a policy rule.
+ * input: security_context *sl SL
+ * char *range Range
+ * return: 1 if the sl is within the range
+ * 0 if the sl is not within the range or an error
+ * occurred which prevented the determination
+ */
+
+int
+within_range(security_context_t sl, security_context_t range)
+{
+ int rtn = 1;
+ security_id_t slsid;
+ security_id_t rangesid;
+ struct av_decision avd;
+ security_class_t tclass;
+ access_vector_t av;
+
+ if (!*range) /* This policy doesn't have security context */
+ return 1;
+
+ rtn = init_avc();
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: couldn't initialize the AVC\n");
+ return 0;
+ }
+
+ /*
+ * Get the sids for the sl and range contexts
+ */
+ rtn = avc_context_to_sid(sl, &slsid);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: Unable to retrieve "
+ "sid for sl context (%s).\n", sl);
+ return 0;
+ }
+ rtn = avc_context_to_sid(range, &rangesid);
+ if (rtn != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "within_range: Unable to retrieve "
+ "sid for range context (%s).\n", range);
+ sidput(slsid);
+ return 0;
+ }
+
+ /*
+ * Straight up test between sl and range
+ */
+ tclass = SECCLASS_ASSOCIATION;
+ av = ASSOCIATION__POLMATCH;
+ rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
+ if (rtn != 0) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "within_range: The sl is not within range\n");
+ sidput(slsid);
+ sidput(rangesid);
+ return 0;
+ }
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "within_range: The sl (%s) is within range (%s)\n", sl, range);
+ return 1;
+}