* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2

- Added interop patch for (some?) Cisco VPN clients sending 16 zero bytes of extraneous IKE data - Removed fipscheck_version
2013-07-15 14:41:11 -04:00 · 2013-07-15 14:41:11 -04:00 · 04df865e49
commit 04df865e49
parent d3a863c1aa
2 changed files with 54 additions and 3 deletions
--- a/libreswan-3.5-cisco-interop.patch
+++ b/libreswan-3.5-cisco-interop.patch
@ -0,0 +1,44 @@
+commit 08f735e881d314f5b38b55cbc8a9d7abdb9b18f8
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Sun Jul 14 13:27:39 2013 -0400
+
+    pluto: work around for Cisco VPN clients sending extraneous bytes
+
+diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c
+index cc4be99..1ae2f40 100644
+--- a/programs/pluto/demux.c
+++ b/programs/pluto/demux.c
+@@ -146,12 +146,29 @@ void process_packet(struct msg_digest **mdp)
+ 		}
+ 	}
+ 
+-	if (md->packet_pbs.roof != md->message_pbs.roof) {
+	if (md->packet_pbs.roof < md->message_pbs.roof) {
+ 		libreswan_log(
+-			"size (%u) differs from size specified in ISAKMP HDR (%u)",
+-			(unsigned) pbs_room(
+-				&md->packet_pbs), md->hdr.isa_length);
+			"received packet size (%u) is smaller than from "
+			"size specified in ISAKMP HDR (%u) - packet dropped",
+			(unsigned) pbs_room(&md->packet_pbs),
+			md->hdr.isa_length);
+		/* abort processing corrupt packet */
+ 		return;
+	} else if (md->packet_pbs.roof > md->message_pbs.roof) {
+		/*
+		 * Some (old?) versions of the Cisco VPN client send an additional
+		 * 16 bytes of zero bytes - Complain but accept it
+		 */
+		DBG(DBG_CONTROL, {
+			DBG_log(
+			"size (%u) in received packet is larger than the size "
+			"specified in ISAKMP HDR (%u) - ignoring extraneous bytes",
+			(unsigned) pbs_room(&md->packet_pbs),
+			md->hdr.isa_length);
+			DBG_dump("extraneous bytes:", md->message_pbs.roof,
+				md->packet_pbs.roof - md->message_pbs.roof);
+		/* continue */
+		});
+ 	}
+ 
+ 	maj = (md->hdr.isa_version >> ISA_MAJ_SHIFT);
--- a/libreswan.spec
+++ b/libreswan.spec
@ -8,7 +8,6 @@

 %global _hardened_build 1

-%global fipscheck_version 1.3.0
 %global buildefence 0
 %global development 0

@ -32,6 +31,8 @@ Conflicts: openswan < %{version}-%{release}
 Obsoletes: openswan < %{version}-%{release}
 Provides: openswan = %{version}-%{release}

+Patch1: libreswan-3.5-cisco-interop.patch
+
 BuildRequires: pkgconfig hostname
 BuildRequires: nss-devel >= 3.12.6-2, nspr-devel
 BuildRequires: pam-devel
@ -39,9 +40,9 @@ BuildRequires: pam-devel
 BuildRequires: unbound-devel
 %endif
 %if %{USE_FIPSCHECK}
-BuildRequires: fipscheck-devel >= %{fipscheck_version}
+BuildRequires: fipscheck-devel
 # we need fipshmac
-Requires: fipscheck%{_isa} >= %{fipscheck_version}
+Requires: fipscheck%{_isa}
 %endif
 %if %{USE_LINUX_AUDIT}
 Buildrequires: audit-libs-devel
@ -79,6 +80,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

 %prep
 %setup -q -n libreswan-%{version}%{?prever}
+%patch1 -p1 -b .ciscovpn

 %build
 %if %{buildefence}
@ -184,6 +186,11 @@ rm -fr %{buildroot}/etc/rc.d/rc*
 %systemd_post ipsec.service

 %changelog
+* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
+- Added interop patch for (some?) Cisco VPN clients sending 16 zero
+  bytes of extraneous IKE data
+- Removed fipscheck_version
+
 * Sat Jul 13 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
 - Updated to 3.5