rpms/ipsec-tools/devel racoon-lspp-ipsec.patch, NONE, 1.1 ipsec-tools.spec, 1.32, 1.33

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Sep 25 14:46:13 UTC 2006


Author: harald

Update of /cvs/dist/rpms/ipsec-tools/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv23568

Modified Files:
	ipsec-tools.spec 
Added Files:
	racoon-lspp-ipsec.patch 
Log Message:
- added patch for selinux integration (bug #207159)


racoon-lspp-ipsec.patch:
 configure.ac              |    1 
 src/racoon/cftoken.c      |    1 
 src/racoon/isakmp_quick.c |    6 ++
 src/racoon/pfkey.c        |   42 ++++++++++++++--
 src/racoon/policy.c       |    8 ---
 src/racoon/policy.h       |    6 ++
 src/racoon/proposal.c     |   13 +----
 src/racoon/security.c     |  117 ++++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 175 insertions(+), 19 deletions(-)

--- NEW FILE racoon-lspp-ipsec.patch ---
This is the latest in a series of racoon patches. 
Upon testing racoon, it appeared racoon was still trying
to look up policy with a security context, although
security contexts were not being used.
This patch includes fix for this problem.

Please replace any previous racoon patches, with this one. 
This patch is against ipsec-tools-0.6.5-3.1 in rawhide. 

Let me know if there are any problems. 

Regards,
Joy Latten

----------------------------------------------------------------------------


diff -urpN ipsec-tools-0.6.5.orig/configure.ac ipsec-tools-0.6.5.0918/configure.ac
--- ipsec-tools-0.6.5.orig/configure.ac	2006-08-22 00:49:52.000000000 -0500
+++ ipsec-tools-0.6.5.0918/configure.ac	2006-09-18 03:29:40.000000000 -0500
@@ -620,6 +620,7 @@ if test "$enable_security_context" = "ye
 		AC_DEFINE([HAVE_SECCTX], [], [Enable Security Context])
 		SECCTX_OBJS="security.o"
 		AC_SUBST(SECCTX_OBJS)
+		LIBS="$LIBS -lselinux"
 	fi
 fi
 
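Review bot: `LIBS="$LIBS -lselinux"` is appended without any probe, so a build host lacking libselinux fails at link time rather than at configure time, and because it goes into the global LIBS every program produced by this configure script is linked against libselinux, not just the object that needs it. Prefer a check that fails early and only adds the library when found, e.g. `AC_CHECK_LIB([selinux], [avc_init], [LIBS="$LIBS -lselinux"], [AC_MSG_ERROR([libselinux is required for --enable-security-context])])`. The enclosing `if` block starts outside the hunk.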
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/cftoken.c ipsec-tools-0.6.5.0918/src/racoon/cftoken.c
--- ipsec-tools-0.6.5.orig/src/racoon/cftoken.c	2006-08-22 00:49:52.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/cftoken.c	2006-09-18 02:57:23.000000000 -0500
@@ -1363,6 +1363,7 @@ char *yytext;
 #include "isakmp_var.h"
 #include "isakmp.h"
 #include "ipsec_doi.h"
+#include "policy.h"
 #include "proposal.h"
 #include "nattraversal.h"
 #ifdef GC
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c ipsec-tools-0.6.5.0918/src/racoon/isakmp_quick.c
--- ipsec-tools-0.6.5.orig/src/racoon/isakmp_quick.c	2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/isakmp_quick.c	2006-09-18 02:47:16.000000000 -0500
@@ -2128,5 +2128,11 @@ get_proposal_r(iph2)
 		return ISAKMP_INTERNAL_ERROR;
 	}
 
+#ifdef HAVE_SECCTX
+	if (spidx.sec_ctx.ctx_str) {
+		set_secctx_in_proposal(iph2, spidx);
+	}
+#endif /* HAVE_SECCTX */
+
 	return 0;
 }
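Review bot: `if (spidx.sec_ctx.ctx_str)` tests the address of the field, not its contents; if `ctx_str` is the inline array sized by `MAX_CTXSTR_SIZE` in policy.h (the code this patch removes from proposal.c and pfkey.c tests it with `*...ctx_str`, which suggests it is), the condition is always true and `set_secctx_in_proposal()` runs even when no context was found. Use the idiom the rest of the code uses, `if (*spidx.sec_ctx.ctx_str)`, or better `if (spidx.sec_ctx.ctx_strlen)`. `spidx` is also passed by value here; it carries src/dst addresses plus the context buffer, so a pointer would avoid the copy. `get_proposal_r` starts outside the hunk.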
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/pfkey.c ipsec-tools-0.6.5.0918/src/racoon/pfkey.c
--- ipsec-tools-0.6.5.orig/src/racoon/pfkey.c	2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/pfkey.c	2006-09-21 01:35:43.000000000 -0500
@@ -1672,6 +1672,10 @@ pk_recvacquire(mhp)
 	struct ph2handle *iph2[MAXNESTEDSA];
 	struct sockaddr *src, *dst;
 	int n;	/* # of phase 2 handler */
+#ifdef HAVE_SECCTX
+	struct sadb_x_sec_ctx *m_sec_ctx;
+#endif /* HAVE_SECCTX */
+	struct policyindex spidx;
 
 	/* ignore this message because of local test mode. */
 	if (f_local)
@@ -1691,6 +1695,24 @@ pk_recvacquire(mhp)
 	src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
 	dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
 
+#ifdef HAVE_SECCTX 
+	m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
+
+	if (m_sec_ctx != NULL) {
+		plog(LLV_INFO, LOCATION, NULL, 
+			"security context doi: %u\n",
+			m_sec_ctx->sadb_x_ctx_doi);
+		plog(LLV_INFO, LOCATION, NULL, 
+			"security context algorithm: %u\n",
+			m_sec_ctx->sadb_x_ctx_alg);
+		plog(LLV_INFO, LOCATION, NULL, 
+			"security context length: %u\n",
+			m_sec_ctx->sadb_x_ctx_len);
+		plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
+			((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
+	}
+#endif /* HAVE_SECCTX */
+
 	/* ignore if type is not IPSEC_POLICY_IPSEC */
 	if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
 		plog(LLV_DEBUG, LOCATION, NULL,
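Review bot: `m_sec_ctx->sadb_x_ctx_len` is taken from the PF_KEY message and never bounded, yet the inbound-policy hunk below (`memcpy(spidx.sec_ctx.ctx_str, ..., spidx.sec_ctx.ctx_strlen)`) copies that many bytes into `ctx_str`, which policy.h sizes at `MAX_CTXSTR_SIZE` (50); a longer context overruns `spidx` on the stack. The `%s` on the bytes following the extension header likewise assumes the kernel placed a NUL inside the extension. Reject oversized lengths once, where `m_sec_ctx` is obtained, and print with a bounded `%.*s`; whether `sadb_x_ctx_len` counts the terminator is not visible here, so pick `>` or `>=` accordingly. The early `return -1` below follows the later error exits in this function; confirm nothing allocated before this point needs releasing. `pk_recvacquire` starts and ends outside the hunk.
```c
	m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];

	if (m_sec_ctx != NULL) {
		/* ctx_str is MAX_CTXSTR_SIZE bytes; refuse what would not fit
		 * before the inbound-policy code memcpy()s ctx_len bytes into it. */
		if (m_sec_ctx->sadb_x_ctx_len > MAX_CTXSTR_SIZE) {
			plog(LLV_ERROR, LOCATION, NULL,
				"security context too long (%u bytes), ignoring acquire.\n",
				m_sec_ctx->sadb_x_ctx_len);
			return -1;
		}
		/* … unchanged: doi / algorithm / length plog() calls … */
		plog(LLV_INFO, LOCATION, NULL, "security context: %.*s\n",
			(int)m_sec_ctx->sadb_x_ctx_len,
			((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
	}
```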
@@ -1778,18 +1800,24 @@ pk_recvacquire(mhp)
 
 	/* get inbound policy */
     {
-	struct policyindex spidx;
 
+	memset(&spidx, 0, sizeof(spidx));
 	spidx.dir = IPSEC_DIR_INBOUND;
 	memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
 	memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
 	spidx.prefs = sp_out->spidx.prefd;
 	spidx.prefd = sp_out->spidx.prefs;
 	spidx.ul_proto = sp_out->spidx.ul_proto;
+
 #ifdef HAVE_SECCTX
-	if (*sp_out->spidx.sec_ctx.ctx_str)
-		memcpy(&spidx.sec_ctx, &sp_out->spidx.sec_ctx, 
-			sizeof(spidx.sec_ctx));
+	if (m_sec_ctx) {
+		spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
+		spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
+		spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
+		memcpy(spidx.sec_ctx.ctx_str,
+  			((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
+			spidx.sec_ctx.ctx_strlen);
+	}
 #endif
 
 	sp_in = getsp(&spidx);
@@ -1877,6 +1905,12 @@ pk_recvacquire(mhp)
 		delph2(iph2[n]);
 		return -1;
 	}
+#ifdef HAVE_SECCTX
+	if (m_sec_ctx) {
+		set_secctx_in_proposal(iph2[n], spidx);
+	}
+#endif /* HAVE_SECCTX */
+
 	insph2(iph2[n]);
 
 	/* start isakmp initiation by using ident exchange */
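Review bot: `set_secctx_in_proposal(iph2[n], spidx)` dereferences `iph2[n]->proposal` without a NULL check (see the security.c hunk), so this call relies on the proposal having been attached earlier in `pk_recvacquire`; a comment making that explicit, `/* NOTE: assumes iph2[n]->proposal is already built; sctx is attached here because the copy was removed from set_proposal_from_policy() */`, would help the next reader. Since the patch deletes the sctx copy from `set_proposal_from_policy()` and re-adds it only here and in `get_proposal_r()`, any other caller of that function (not visible in this diff) silently loses the context. `pk_recvacquire` continues outside the hunk.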
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.c ipsec-tools-0.6.5.0918/src/racoon/policy.c
--- ipsec-tools-0.6.5.orig/src/racoon/policy.c	2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/policy.c	2006-09-21 02:04:10.000000000 -0500
@@ -206,9 +206,7 @@ cmpspidxstrict(a, b)
 #ifdef HAVE_SECCTX
 	if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg 
 	 || a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
-	 || a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
-	 || (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str, 
-	     a->sec_ctx.ctx_strlen) != 0))
+	 || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
 		return 1;
 #endif
 	return 0;
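Review bot: Replacing the byte comparison with `within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str)` makes `cmpspidxstrict` asymmetric — the first argument is treated as the SL and the second as the range, so the result now depends on which spidx the caller passes as `a`; the same applies to the `cmpspidxwild` hunk below. The `ctx_strlen` equality test is dropped, and `within_range()` expects both `ctx_str` buffers to be NUL-terminated C strings, which holds only if every writer of `ctx_str` guarantees a terminator. Each comparison now also performs an AVC query (with `init_avc()` re-run on every call in this patch), which is costly on a policy-lookup path; at minimum a comment above the `#ifdef`, `/* a: SL of the lookup key, b: range of the stored policy */`, should record the argument contract. Both comparators start outside their hunks.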
@@ -284,9 +282,7 @@ cmpspidxwild(a, b)
 #ifdef HAVE_SECCTX
 	if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg 
 	 || a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
-	 || a->sec_ctx.ctx_strlen != b->sec_ctx.ctx_strlen
-	 || (memcmp(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str, 
-	     a->sec_ctx.ctx_strlen) != 0))
+	 || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
 		return 1;
 #endif
 
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/policy.h ipsec-tools-0.6.5.0918/src/racoon/policy.h
--- ipsec-tools-0.6.5.orig/src/racoon/policy.h	2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/policy.h	2006-09-18 03:05:08.000000000 -0500
@@ -35,6 +35,7 @@
 #include <sys/queue.h>
 
 #ifdef HAVE_SECCTX
+
 #define MAX_CTXSTR_SIZE 50
 struct security_ctx {
 	u_int8_t ctx_doi;	/* Security Context DOI */
@@ -146,6 +147,11 @@ extern void initsp __P((void));
 extern struct ipsecrequest *newipsecreq __P((void));
 
 extern const char *spidx2str __P((const struct policyindex *));
+#ifdef HAVE_SECCTX
+#include <selinux/selinux.h>
 extern int get_security_context __P((vchar_t *, struct policyindex *));
+extern int within_range __P((security_context_t, security_context_t));
+extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
+#endif
 
 #endif /* _POLICY_H */
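Review bot: `set_secctx_in_proposal` takes `struct policyindex` by value, copying the whole index (addresses plus the context buffer) on every call; declare it `extern void set_secctx_in_proposal __P((struct ph2handle *, const struct policyindex *));` and adjust the three callers this patch adds. The prototype also names `struct ph2handle`, which policy.h does not declare; unless handler.h precedes policy.h in every includer (the cftoken.c hunk adds policy.h, and whether handler.h comes first there is not visible), this produces a prototype-scope struct tag and an incompatible-type warning, which a forward `struct ph2handle;` before the prototype avoids. Pulling `<selinux/selinux.h>` into this shared header also forces libselinux headers on every file that includes policy.h.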
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/proposal.c ipsec-tools-0.6.5.0918/src/racoon/proposal.c
--- ipsec-tools-0.6.5.orig/src/racoon/proposal.c	2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/proposal.c	2006-09-18 02:47:16.000000000 -0500
@@ -1025,15 +1025,6 @@ set_proposal_from_policy(iph2, sp_main, 
 	newpp->lifetime = iph2->sainfo->lifetime;
 	newpp->lifebyte = iph2->sainfo->lifebyte;
 	newpp->pfs_group = iph2->sainfo->pfs_group;
-#ifdef HAVE_SECCTX
-	if (*sp_main->spidx.sec_ctx.ctx_str) {
-		newpp->sctx.ctx_doi = sp_main->spidx.sec_ctx.ctx_doi;
-		newpp->sctx.ctx_alg = sp_main->spidx.sec_ctx.ctx_alg;
-		newpp->sctx.ctx_strlen = sp_main->spidx.sec_ctx.ctx_strlen;
-		memcpy(newpp->sctx.ctx_str, sp_main->spidx.sec_ctx.ctx_str, 
-			sp_main->spidx.sec_ctx.ctx_strlen);
-	}
-#endif /* HAVE_SECCTX */
 
 	if (lcconf->complex_bundle)
 		goto skip1;
@@ -1196,7 +1187,11 @@ set_proposal_from_proposal(iph2)
 			pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen;
 			memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str,
 				pp_peer->sctx.ctx_strlen);
+
+			plog(LLV_INFO, LOCATION, NULL,
+        		     "RESPONDING with (%s).\n", pp_peer->sctx.ctx_str);
 		}
+		
 #endif /* HAVE_SECCTX */
 		
 		if (pp_peer->next != NULL) {
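Review bot: The new `plog(... "RESPONDING with (%s).\n", pp_peer->sctx.ctx_str)` prints a peer-supplied buffer that was just filled by a `memcpy` of `ctx_strlen` bytes; unless that length includes the terminator (not visible here), `%s` reads past the copied bytes. A bounded format is safer: `"RESPONDING with (%.*s).\n", (int)pp_peer->sctx.ctx_strlen, pp_peer->sctx.ctx_str`. The added line after the closing brace contains only tabs; drop the trailing whitespace. `set_proposal_from_proposal` starts and ends outside the hunk.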
diff -urpN ipsec-tools-0.6.5.orig/src/racoon/security.c ipsec-tools-0.6.5.0918/src/racoon/security.c
--- ipsec-tools-0.6.5.orig/src/racoon/security.c	2006-08-22 00:49:53.000000000 -0500
+++ ipsec-tools-0.6.5.0918/src/racoon/security.c	2006-09-18 10:58:37.000000000 -0500
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2005 International Business Machines Corporation
+ * Copyright (c) 2005 by Trusted Computer Solutions, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -36,6 +37,12 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#include <selinux/avc.h>
+#include <selinux/context.h>
+
 #include "var.h"
 #include "vmbuf.h"
 #include "misc.h"
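Review bot: `<selinux/context.h>` is included but none of the code added in this file's later hunks uses the `context_*` API, as far as the diff shows; drop it unless something outside the visible hunks needs it. `SECCLASS_ASSOCIATION` and `ASSOCIATION__POLMATCH` from flask.h and av_permissions.h are compile-time class and permission numbers, so the binary assumes the loaded policy numbers the association class identically; a comment at their use site in `within_range()` should record that assumption.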
@@ -45,6 +52,7 @@
 #include "isakmp.h"
 #include "ipsec_doi.h"
 #include "policy.h"
+#include "proposal.h"
 #include "strnames.h"
 #include "handler.h"
 
@@ -150,3 +158,112 @@ get_security_context(sa, p)
 	}
 	return 0;
 }
+
+void
+set_secctx_in_proposal(iph2, spidx)
+	struct ph2handle *iph2;
+	struct policyindex spidx;
+{
+	iph2->proposal->sctx.ctx_doi = spidx.sec_ctx.ctx_doi;
+	iph2->proposal->sctx.ctx_alg = spidx.sec_ctx.ctx_alg;
+	iph2->proposal->sctx.ctx_strlen = spidx.sec_ctx.ctx_strlen;
+		memcpy(iph2->proposal->sctx.ctx_str, spidx.sec_ctx.ctx_str,
+			spidx.sec_ctx.ctx_strlen);
+}
+
+
+/*
+ * function: 	init_avc
+ * description:	function performs the steps necessary to initialize the
+ *		userspace avc.
+ * input:	void
+ * return:	0	if avc was successfully initialized
+ * 		1	if the avc could not be initialized
+ */
+
+static int
+init_avc(void)
+{
+	int rtn = 0;
+
+	if (!is_selinux_mls_enabled()) {
+		plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
+				" enabled.\n");
+		return 1;
+	}
+
+	rtn = avc_init("racoon", NULL, NULL, NULL, NULL);
+	if (rtn != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize avc.\n");
+		rtn = 1;
+	}
+	return rtn;
+}
+
+/*
+ * function: 	within_range
+ * description:	function determines if the specified sl is within the
+ * 		configured range for a policy rule.
+ * input:	security_context *sl		SL
+ * 		char *range		Range
+ * return:	1	if the sl is within the range
+ * 		0	if the sl is not within the range or an error
+ * 			occurred which prevented the determination
+ */
+
+int
+within_range(security_context_t sl, security_context_t range)
+{
+	int rtn = 1;
+	security_id_t slsid;
+	security_id_t rangesid;
+	struct av_decision avd;
+	security_class_t tclass;
+	access_vector_t av;
+
+	if (!*range)	/* This policy doesn't have security context */
+		return 1;
+
+	rtn = init_avc();
+	if (rtn != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+			"within_range: couldn't initialize the AVC\n");
+		return 0;
+	}
+
+	/*
+	 * Get the sids for the sl and range contexts
+	 */
+	rtn = avc_context_to_sid(sl, &slsid);
+	if (rtn != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+				"within_range: Unable to retrieve "
+				"sid for sl context (%s).\n", sl);
+		return 0;
+	}
+	rtn = avc_context_to_sid(range, &rangesid);
+	if (rtn != 0) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+				"within_range: Unable to retrieve "
+				"sid for range context (%s).\n", range);
+		sidput(slsid);
+		return 0;
+	}
+
+	/* 
+	 * Straight up test between sl and range
+	 */
+	tclass = SECCLASS_ASSOCIATION;
+	av = ASSOCIATION__POLMATCH;
+	rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
+	if (rtn != 0) {
+		plog(LLV_INFO, LOCATION, NULL, 
+			"within_range: The sl is not within range\n");
+		sidput(slsid);
+		sidput(rangesid);
+		return 0;
+	}
+	plog(LLV_DEBUG, LOCATION, NULL, 
+		"within_range: The sl (%s) is within range (%s)\n", sl, range);
+		return 1;
+}
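Review bot: `within_range()` leaks both SID references on its success path — `sidput(slsid)` and `sidput(rangesid)` are called only before the error returns, never before the final `return 1`. `init_avc()` is also invoked on every call, so `avc_init()` runs once per policy comparison and the AVC is never torn down (no `avc_destroy()` anywhere in the patch); guard it with a static flag so it initializes once. In `set_secctx_in_proposal()` the `memcpy` copies `ctx_strlen` bytes into a `MAX_CTXSTR_SIZE` buffer with no bound and dereferences `iph2->proposal` unchecked; the extra indentation of that `memcpy` line also looks like a copy-paste remnant. The `rtn = 1` initializer in `within_range()` is dead since every path reassigns it before use.
```c
static int
init_avc(void)
{
	static int avc_ready;	/* avc_init() must run once per process, not per comparison */

	if (avc_ready)
		return 0;

	/* … unchanged: is_selinux_mls_enabled() check … */

	if (avc_init("racoon", NULL, NULL, NULL, NULL) != 0) {
		plog(LLV_ERROR, LOCATION, NULL, "racoon: could not initialize avc.\n");
		return 1;
	}
	avc_ready = 1;
	return 0;
}

/* … unchanged: within_range() up to and including the avc_has_perm() failure branch … */
	sidput(slsid);
	sidput(rangesid);
	plog(LLV_DEBUG, LOCATION, NULL,
		"within_range: The sl (%s) is within range (%s)\n", sl, range);
	return 1;
}
```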



Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/dist/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- ipsec-tools.spec	4 Aug 2006 09:19:17 -0000	1.32
+++ ipsec-tools.spec	25 Sep 2006 14:46:11 -0000	1.33
@@ -1,6 +1,6 @@
 Name: ipsec-tools
 Version: 0.6.5
-Release: 4
+Release: 5
 Summary: Tools for configuring and using IPSEC
 License: BSD
 Group: System Environment/Base
@@ -18,8 +18,10 @@
 #Patch6: ipsec-tools-0.6.1-openssl-098.patch
 Patch7: ipsec-tools-0.6.5-mls.patch
 Patch8: ipsec-tools-0.6.5-pre6.patch
+Patch9: racoon-lspp-ipsec.patch
 
 BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
+BuildRequires: libselinux-devel >= 1.30.28-2
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: initscripts >= 7.31.11.EL-1
 	
@@ -39,6 +41,7 @@
 #%patch6 -p1 -b .openssl-098
 %patch7 -p1 -b .mls
 %patch8 -p1 -b .pre6
+%patch9 -p1 -b .sctx
 
 mkdir -p kernel-headers/linux
 cp %{SOURCE1} %{SOURCE2} %{SOURCE5} %{SOURCE6} kernel-headers/linux
@@ -97,6 +100,9 @@
 %config(noreplace) /etc/racoon/racoon.conf
 
 %changelog
+* Mon Sep 25 2006 Harald Hoyer <harald at redhat.com> - 0.6.5-5
+- added patch for selinux integration (bug #207159)
+
 * Fri Aug  4 2006 Harald Hoyer <harald at redhat.com> - 0.6.5-4
 - backport of important 0.6.6 fixes:
   - sets NAT-T ports to 0 if no NAT encapsulation



