rpms/libreswan
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Backport removal gethostbyname2 uses from the upstream

Browse Source 
Also fix issues spotted by covscan

Related: rhbz#1975812
Resolves: rhbz#1938784
Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
Daiki Ueno 2021-07-21 12:22:09 +02:00
parent 10cb60dea1
commit e60042d1e1
3 changed files with 279 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
libreswan-4.4-covscan.patch Normal file
View File

@ -0,0 +1,101 @@
From 835f711502fa07825b27201cb772e911c59d54b0 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 21 Jul 2021 10:10:43 +0200
Subject: [PATCH] ipsec barf: fix shell test expression
Spotted by shellcheck:
/usr/libexec/ipsec/barf:55:5: error[SC1073]: Couldn't parse this test expression. Fix to allow more checks.
# 53| for f
# 54| do
# 55|-> if [ -s ${LOGS}/${f} -a \
# 56| -f ${LOGS}/${f} -a \
# 57| grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
programs/barf/barf.in | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/programs/barf/barf.in b/programs/barf/barf.in
index e76c62f338..499916da4b 100755
--- a/programs/barf/barf.in
+++ b/programs/barf/barf.in
@@ -53,8 +53,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
for f
do
if [ -s ${LOGS}/${f} -a \
- -f ${LOGS}/${f} -a \
- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
+ -f ${LOGS}/${f} ] && \
+ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
then
# aha, this one has it
findlog_file=${LOGS}/${f}
@@ -66,8 +66,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
for f
do
if [ -s ${LOGS}/${f} -a \
- -f ${LOGS}/${f} -a \
- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
+ -f ${LOGS}/${f} ] && \
+ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
then
# aha, this one has it
findlog_file=${LOGS}/${f}
@@ -80,8 +80,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
do
if [ -f ${LOGS}/${f} -a \
- ! -d ${LOGS}/${f} -a \
- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
+ ! -d ${LOGS}/${f} ] && \
+ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
then
# found it
findlog_file=${LOGS}/${f}
@@ -93,8 +93,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
do
if [ -s ${LOGS}/${f} -a \
- -f ${LOGS}/${f} -a \
- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
+ -f ${LOGS}/${f} ] && \
+ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
then
# found it
findlog_file=${LOGS}/${f}
--
2.31.1
From 00ee1189626db8dcce084cb481ad0c49b435f4ff Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 21 Jul 2021 10:54:58 +0200
Subject: [PATCH] testing jambufcheck: add missing va_end calls in error path
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
testing/programs/jambufcheck/jambufcheck.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/testing/programs/jambufcheck/jambufcheck.c b/testing/programs/jambufcheck/jambufcheck.c
index 72baaa5a1d..23a47b15f6 100644
--- a/testing/programs/jambufcheck/jambufcheck.c
+++ b/testing/programs/jambufcheck/jambufcheck.c
@@ -104,11 +104,13 @@ static void check_jambuf(bool ok, const char *expect, ...)
}
break;
default:
+ va_end(ap);
FAIL("bad case");
return;
}
}
if (ok && !jambuf_ok(&buf)) {
+ va_end(ap);
FAIL("unexpectedly failed writing '%s'",
str == NULL ? "(null)" : str);
return;
--
2.31.1

168
libreswan-4.4-getaddrinfo.patch Normal file
View File

@ -0,0 +1,168 @@
diff -up ./lib/libswan/ttoaddress.c.getaddrinfo ./lib/libswan/ttoaddress.c
--- ./lib/libswan/ttoaddress.c.getaddrinfo 2021-04-22 17:24:33.000000000 +0200
+++ ./lib/libswan/ttoaddress.c 2021-07-22 13:16:19.073745043 +0200
@@ -20,6 +20,7 @@
#include <netdb.h> /* for gethostbyname2() */
#include "ip_address.h"
+#include "ip_sockaddr.h"
#include "ip_info.h"
#include "lswalloc.h" /* for alloc_things(), pfree() */
#include "lswlog.h" /* for pexpect() */
@@ -75,56 +76,6 @@ static err_t ttoaddr_base(shunk_t src,
}
/*
- * tryname - try it as a name
- *
- * Error return is intricate because we cannot compose a static string.
- */
-static err_t tryname(const char *p,
- int af,
- int suggested_af, /* kind(s) of numeric addressing tried */
- ip_address *dst)
-{
- struct hostent *h = gethostbyname2(p, af);
- if (h != NULL) {
- if (h->h_addrtype != af) {
- return "address-type mismatch from gethostbyname2!!!";
- }
-
- return data_to_address(h->h_addr, h->h_length, aftoinfo(af), dst);
- }
-
- if (af == AF_INET6) {
- if (suggested_af == AF_INET6) {
- return "not a numeric IPv6 address and name lookup failed (no validation performed)";
- } else /* AF_UNSPEC */ {
- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
- }
- }
-
- pexpect(af == AF_INET);
-
- /* like, windows even has an /etc/networks? */
- struct netent *ne = getnetbyname(p);
- if (ne == NULL) {
- /* intricate because we cannot compose a static string */
- if (suggested_af == AF_INET) {
- return "not a numeric IPv4 address and name lookup failed (no validation performed)";
- } else {
- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
- }
- }
-
- if (ne->n_addrtype != af) {
- return "address-type mismatch from getnetbyname!!!";
- }
-
- /* apparently .n_net is in host order */
- struct in_addr in = { htonl(ne->n_net), };
- *dst = address_from_in_addr(&in);
- return NULL;
-}
-
-/*
* tryhex - try conversion as an eight-digit hex number (AF_INET only)
*/
@@ -401,57 +352,56 @@ err_t getpiece(const char **srcp, /* *sr
err_t ttoaddress_dns(shunk_t src, const struct ip_info *afi, ip_address *dst)
{
+ char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
+ struct addrinfo *res = NULL;
+ const struct addrinfo hints = (struct addrinfo) {
+ .ai_family = afi == NULL ? AF_UNSPEC : afi->af,
+ };
*dst = unset_address;
- if (src.len == 0) {
- return "empty string";
- }
-
- bool was_numeric = true;
- err_t err = ttoaddr_base(src, afi, &was_numeric, dst);
- if (was_numeric) {
- /* no-point in continuing */
- return err;
- }
- /* err == non-numeric */
+ int eai = getaddrinfo(name, NULL, &hints, &res);
+ err_t err = NULL;
- for (const char *cp = src.ptr, *end = cp + src.len; cp < end; cp++) {
+ if (eai != 0) {
/*
- * Legal ASCII characters in a domain name.
- * Underscore technically is not, but is a common
- * misunderstanding. Non-ASCII characters are simply
- * exempted from checking at the moment, to allow for
- * UTF-8 encoded stuff; the purpose of this check is
- * merely to catch blatant errors.
- *
- * XXX: Suspect the ISASCII() check can be dropped -
- * utf-8 isn't allowed in DNS names and without a
- * utf-8 parser the check is flawed.
+ * return system-supplied diagnostic
+ * except where it is particularly confusing.
+ * "Name or service not unknown." is terrible.
*/
- static const char namechars[] =
- "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
-#define ISASCII(c) (((c) & 0x80) == 0)
- if (ISASCII(*cp) && strchr(namechars, *cp) == NULL) {
- return "illegal (non-DNS-name) character in name";
+ err = eai == EAI_NONAME ? "NAME is unknown" : gai_strerror(eai);
+ } else if (res == NULL) {
+ err = "not a numeric IP address and name lookup failed (no validation performed)";
+ } else {
+ /* always choose IPv4 result if there is one */
+ struct addrinfo *winner = res;
+
+ for (struct addrinfo *r = res; r!= NULL; r = r->ai_next) {
+ if (r->ai_family == AF_INET) {
+ winner = r;
+ break;
+ }
+ }
+
+ ip_port mbz = { .hport = 0 };
+ ip_sockaddr sa = {
+ .len = winner->ai_addrlen,
+ };
+ passert(sizeof(sa.sa) >= winner->ai_addrlen);
+ memcpy(&sa.sa, winner->ai_addr, winner->ai_addrlen);
+ passert(sa.sa.sa.sa_family == winner->ai_family);
+ /* boneheaded getaddrinfo(3) leaves port field uninitialized */
+ if (winner->ai_family == AF_INET) {
+ sa.sa.sin.sin_port = 0;
+ } else if (winner->ai_family == AF_INET6) {
+ sa.sa.sin6.sin6_port = 0;
+ } else {
+ bad_case(winner->ai_family);
}
+ err = sockaddr_to_address_port(sa, dst, &mbz);
+ passert(hport(mbz) == 0);
}
- /*
- * need a guarenteed null terminated string
- */
- char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
- int suggested_af = afi == NULL ? AF_UNSPEC : afi->af;
- err_t v4err = NULL, v6err = NULL;
- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET)) {
- err = v4err = tryname(name, AF_INET, suggested_af, dst);
- }
- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET6)) {
- err = v6err = tryname(name, AF_INET6, suggested_af, dst);
- }
- /* prefer the IPv4 error */
- if (err != NULL && v4err != NULL) {
- err = v4err;
- }
+ freeaddrinfo(res);
pfree(name);
return err;
}

11
libreswan.spec
View File

@ -31,7 +31,7 @@ Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script # version is generated in the release script
Version: 4.4 Version: 4.4
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
License: GPLv2 License: GPLv2
Url: https://libreswan.org/ Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@ -42,6 +42,9 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif %endif
Patch0: libreswan-4.2-openssl3.patch Patch0: libreswan-4.2-openssl3.patch
Patch1: libreswan-4.4-ipcheck.patch Patch1: libreswan-4.4-ipcheck.patch
# Partially backported https://github.com/libreswan/libreswan/commit/4af9072e62237daad9fea9bb769f6dfbdf2e4ea1
Patch2: libreswan-4.4-getaddrinfo.patch
Patch3: libreswan-4.4-covscan.patch
BuildRequires: audit-libs-devel BuildRequires: audit-libs-devel
BuildRequires: bison BuildRequires: bison
@ -101,6 +104,8 @@ sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:in
# disable some testing tools that throw warnings on arm # disable some testing tools that throw warnings on arm
%patch1 -p1 %patch1 -p1
sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile
%patch2 -p1 -b .getaddrinfo
%patch3 -p1 -b .covscan
%build %build
make %{?_smp_mflags} \ make %{?_smp_mflags} \
@ -200,6 +205,10 @@ certutil -N -d sql:$tmpdir --empty-password
%doc %{_mandir}/*/* %doc %{_mandir}/*/*
%changelog %changelog
* Wed Jul 21 2021 Daiki Ueno <dueno@redhat.com> - 4.4-3
- Backport removal gethostbyname2 uses from the upstream
- Fix issues spotted by covscan (rhbz#1938784)
* Tue Jul 13 2021 Daiki Ueno <dueno@redhat.com> - 4.4-2 * Tue Jul 13 2021 Daiki Ueno <dueno@redhat.com> - 4.4-2
- Rebuild with newer GCC to fix annocheck failures - Rebuild with newer GCC to fix annocheck failures