Bug 196930 - [Patch] security/ipsec-tools: Upgrade to 0.8.2 and add wildcard-PSK-option
Summary: [Patch] security/ipsec-tools: Upgrade to 0.8.2 and add wildcard-PSK-option
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Kurt Jaeger
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-20 13:35 UTC by Harald Schmalzbauer
Modified: 2015-09-23 14:30 UTC (History)
CC: 5 users

See Also:
bugzilla: maintainer-feedback? (vanhu)


Attachments
Upgrade to 0.8.2 and add wildcard-PSK-matching-option (3.05 KB, patch)
2015-01-20 13:35 UTC, Harald Schmalzbauer
patch to disable utmpx on 8.x (521 bytes, patch)
2015-02-06 20:23 UTC, Kurt Jaeger

Description Harald Schmalzbauer 2015-01-20 13:35:54 UTC
Created attachment 151900 [details]
Upgrade to 0.8.2 and add wildcard-PSK-matching-option

Please find attached the diff for ipsec-tools 0.8.2 upgrade.
I also simplified pkg-plist by replacing %%EXAMPLESDIR%% with PORTEXAMPLES=, but I'm not familiar with this new method – monkey see monkey do.

Additionally I added an option which applies a well known patch allowing wildcard matching in psk.txt.
It's off by default, but there are common scenarios where people can accept the security relaxation to be able to provide special kinds of road-warrior access, so they can simply use that knob.

Thanks,

-Harry
Comment 1 Bugzilla Automation freebsd_committer 2015-01-20 13:35:54 UTC
Auto-assigned to maintainer vanhu@FreeBSD.org
Comment 2 ncrogers 2015-01-26 17:46:57 UTC
+1 for including the wildcard-PSK patch as an option. I've been using this patch for years with success on hundreds of systems, always manually hacking it into the port.
Comment 3 ncrogers 2015-01-26 18:29:15 UTC
FYI there is a minor typo in WCPSKEY_DESC. Should read "Allow wildcard" not "Allow wildard".
Comment 4 VANHULLEBUS Yvan freebsd_committer 2015-01-30 11:23:36 UTC
Ok for me, as wildcard patch is disabled by default.
Comment 5 ncrogers 2015-02-05 23:09:09 UTC
Can I expect this to get committed sometime soon and include the wildcard option?
Comment 6 Harald Schmalzbauer 2015-02-06 08:48:29 UTC
(In reply to ncrogers from comment #5)

I guess vanhu@ (maintainer) has replied in comment 4, but according to svn log it seems he doesn't have a commit bit. I don't have one either... Who/how can we find somebody?

CCing ports@
Comment 7 Kurt Jaeger freebsd_committer 2015-02-06 09:04:51 UTC
I'll test it.
Comment 8 Kurt Jaeger freebsd_committer 2015-02-06 19:40:45 UTC
builds fine on 10.1a, 9.3a, but breaks on 8.4i ?

http://people.freebsd.org/~pi/logs/security__ipsec-tools-84i-1423248840.txt

Any ideas ?
Comment 9 Kurt Jaeger freebsd_committer 2015-02-06 19:50:40 UTC
ipsec-tools is expecting utmpx which is missing on 8.x.

So this version is only for newer versions of FreeBSD.

Can someone provide a patch to still work with utmp ?
Comment 10 Olli Hauer freebsd_committer 2015-02-06 19:58:40 UTC
Perhaps Ed can take a look.
http://lists.freebsd.org/pipermail/freebsd-current/2010-January/014893.html
Comment 11 Kurt Jaeger freebsd_committer 2015-02-06 20:04:29 UTC
Thanks, I poked ed@
Comment 12 John Marino freebsd_committer 2015-02-06 20:20:04 UTC
*Never* CC the ports mailing list, thanks.
I am removing it from the list.
Comment 13 Kurt Jaeger freebsd_committer 2015-02-06 20:23:48 UTC
Created attachment 152636 [details]
patch to disable utmpx on 8.x
Comment 14 Kurt Jaeger freebsd_committer 2015-02-06 20:24:22 UTC
ed provided the patch to disable utmpx. Building fine on 8.4x
Comment 15 commit-hook freebsd_committer 2015-02-06 20:32:12 UTC
A commit references this bug:

Author: pi
Date: Fri Feb  6 20:31:56 UTC 2015
New revision: 378554
URL: https://svnweb.freebsd.org/changeset/ports/378554

Log:
  security/ipsec-tools: 0.8.1 -> 0.8.2

  From ChangeLog:
  - Fix admin port establish-sa for tunnel mode SAs (Alexander Sbitnev)
  - Fix source port selection regression from version 0.8.1
  - Various logging improvements
  - Additional compliance and build fixes

  From submitter:
  - extra patch adding wildcard psk option

  PR:		196930
  Submitted by:	Harald Schmalzbauer <bugzilla.freebsd@omnilan.de>,
  		Ed Schouten <ed@80368.nl>
  Approved by:	vanhu (maintainer)

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/distinfo
  head/security/ipsec-tools/files/patch-src-racoon-isakmp_cfg.c
  head/security/ipsec-tools/files/wildcard-psk.diff
  head/security/ipsec-tools/pkg-plist
Comment 16 Kurt Jaeger freebsd_committer 2015-02-06 20:35:36 UTC
Committed with further fixes from Ed Schouten.

Thanks to all who got involved!
Comment 17 Andrew Daugherity 2015-03-04 18:30:44 UTC
Port fails to build for me on 8.4 -- the newly added patch-src-racoon-isakmp_cfg.c conflicts with the existing patch8-utmp.diff.  If I rm files/patch-src-racoon-isakmp_cfg.c it builds fine, so I think this duplicate patch can just be dropped.  (The old patch replaced utmpx with utmp, while the new one removes utmpx entirely, so unless it's incorrect, patch8-utmp.diff appears better.)

Not sure why the person in comment #8 had their build fail -- apparently they weren't triggering this section of the Makefile and thus not having patch8-utmp applied:
.if ${OSVERSION} < 900007
EXTRA_PATCHES=  ${FILESDIR}/patch8-utmp.diff
.endif
Comment 18 andywhite 2015-09-23 14:30:02 UTC
Wildcard patch appears to break tunnels in Aggressive mode that use PSK, once there is a wildcard key in the PSK file.

with patch applied but no wildcard in the psk file

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: [X.X.255.179] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: ISAKMP-SA established X.X.255.182[500]-X.X.255.179[500] spi:78e9f4efeaccc1a8:949caf456c915321
racoon: INFO: initiate new phase 2 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=43872531(0x29d7113)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=19415386(0x128415a)


adding a wildcard to the psk, no other configuration change

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: ERROR: HASH mismatched
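As an added illustration of the failure mode reported in this comment (example code, not from the reporter or from the ipsec-tools project): a small Python parser that splits a racoon log into phase-1 negotiations, records the exchange mode and whether racoon fell back to looking up the PSK by peer address, classifies each negotiation as established, HASH mismatched or incomplete, and flags Aggressive-mode negotiations that ended in a HASH mismatch, which is the symptom seen once a wildcard entry is present. The embedded log lines are the two excerpts above with the syslog prefix assumed already stripped; the function names and the outcome labels are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the two excerpts from this comment, trimmed to the lines
# the analysis needs. Left: wildcard patch applied, no wildcard in psk.txt.
LOG_NO_WILDCARD = """\
racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: NAT not detected
racoon: [X.X.255.179] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
racoon: INFO: ISAKMP-SA established X.X.255.182[500]-X.X.255.179[500] spi:78e9f4efeaccc1a8:949caf456c915321
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=43872531(0x29d7113)
"""

# Same peer, after adding a wildcard entry to psk.txt and nothing else.
LOG_WITH_WILDCARD = """\
racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: NAT not detected
racoon: ERROR: HASH mismatched
"""

# Patterns matching the racoon messages that delimit and classify a phase 1.
PH1_START = re.compile(r"initiate new phase 1 negotiation: (.+?)\[\d+\]<=>(.+?)\[\d+\]")
MODE = re.compile(r"begin (\w+) mode\.")
PSK_FALLBACK = re.compile(r"couldn't find the proper pskey")
SA_ESTABLISHED = re.compile(r"ISAKMP-SA established")
HASH_MISMATCH = re.compile(r"ERROR: HASH mismatched")


def parse_phase1(log_text: str) -> List[Dict[str, object]]:
    """Split a racoon log into phase-1 negotiations and classify each outcome.

    Each entry records local/peer address, exchange mode, whether racoon had to
    fall back to a PSK lookup by peer address, and the final outcome:
    'established', 'hash_mismatch' or 'incomplete' (no terminal message seen).
    """
    negotiations: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in log_text.splitlines():
        start = PH1_START.search(line)
        if start:
            current = {
                "local": start.group(1),
                "peer": start.group(2),
                "mode": None,
                "psk_by_address": False,
                "outcome": "incomplete",
            }
            negotiations.append(current)
            continue
        if current is None:
            continue  # messages before the first negotiation are ignored
        mode = MODE.search(line)
        if mode:
            current["mode"] = mode.group(1)
        elif PSK_FALLBACK.search(line):
            current["psk_by_address"] = True
        elif SA_ESTABLISHED.search(line):
            current["outcome"] = "established"
        elif HASH_MISMATCH.search(line):
            current["outcome"] = "hash_mismatch"
    return negotiations


def flag_aggressive_psk_failures(negotiations: List[Dict[str, object]]) -> List[str]:
    """Return peer addresses whose Aggressive-mode phase 1 died on a HASH mismatch."""
    return [
        str(n["peer"])
        for n in negotiations
        if n["mode"] == "Aggressive" and n["outcome"] == "hash_mismatch"
    ]


if __name__ == "__main__":
    for label, text in (("no wildcard", LOG_NO_WILDCARD), ("with wildcard", LOG_WITH_WILDCARD)):
        negs = parse_phase1(text)
        print(label, negs)
        print("  aggressive PSK failures:", flag_aggressive_psk_failures(negs))
```

Run against a live racoon log (with the syslog timestamp and hostname stripped), the flagged peers are the ones worth checking first when a tunnel stops coming up after a psk.txt change.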