ipsecTools: drop

2024-11-22 23:13:19 +00:00 · 2021-12-15 17:52:58 +00:00 · 2021-12-15 17:52:58 +00:00 · b5f5cc6d44
commit b5f5cc6d44
parent be3e6db322
6 changed files with 1 additions and 276 deletions
--- a/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch
+++ b/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch
@ -1,16 +0,0 @@
-Index: pkg-ipsec-tools/src/racoon/gssapi.c
-===================================================================
--- pkg-ipsec-tools.orig/src/racoon/gssapi.c
-+++ pkg-ipsec-tools/src/racoon/gssapi.c
-@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
-	gss_name_t princ, canon_princ;
-	OM_uint32 maj_stat, min_stat;
-
-+	if (iph1->rmconf == NULL) {
-+		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+		return -1;
-+	}
-+
-	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
-	if (gps == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
--- a/pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch
+++ b/pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch
@ -1,193 +0,0 @@
-From: Antoine_Beaupre <anarcat@orangeseeds.org>
-Acked-by: Jiri Bohac <jbohac@suse.cz>
-Subject: PR/51682: Avoid DoS with fragment out of order insertion; keep fragments sorted in the list.
-References: bsc#1047443, CVE-2016-10396
-
-
-
-Index: a/src/racoon/handler.h
-===================================================================
--- a/src/racoon/handler.h.orig	2018-01-26 18:05:21.114764376 +0100
-+++ a/src/racoon/handler.h	2018-01-26 18:05:33.986741103 +0100
-@@ -141,6 +141,7 @@ struct ph1handle {
- #endif
- #ifdef ENABLE_FRAG
- 	int frag;			/* IKE phase 1 fragmentation */
-+	int frag_last_index;
- 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
- #endif
- 
-Index: a/src/racoon/isakmp.c
-===================================================================
--- a/src/racoon/isakmp.c.orig	2018-01-26 18:05:21.118764369 +0100
-+++ a/src/racoon/isakmp.c	2018-01-26 18:05:33.986741103 +0100
-@@ -1069,6 +1069,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
- 		iph1->frag = 1;
- 	else
- 		iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 	iph1->approval = NULL;
-@@ -1173,6 +1174,7 @@ isakmp_ph1begin_r(msg, remote, local, et
- #endif
- #ifdef ENABLE_FRAG
- 	iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 	iph1->approval = NULL;
-Index: a/src/racoon/isakmp_frag.c
-===================================================================
--- a/src/racoon/isakmp_frag.c.orig	2018-01-26 18:05:21.118764369 +0100
-+++ a/src/racoon/isakmp_frag.c	2018-01-26 18:05:33.986741103 +0100
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
- 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
- }
- 
-+static int 
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
-+{
-+	struct isakmp_frag_item *pitem = NULL;
-+	struct isakmp_frag_item *citem = iph1->frag_chain;
-+
-+	/* no frag yet, just insert at beginning of list */
-+	if (iph1->frag_chain == NULL) {
-+		iph1->frag_chain = item;
-+		return 0;
-+	}
-+
-+	do {
-+		/* duplicate fragment number, abort (CVE-2016-10396) */
-+		if (citem->frag_num == item->frag_num)
-+			return -1;
-+
-+		/* need to insert before current item */
-+		if (citem->frag_num > item->frag_num) {
-+			if (pitem != NULL)
-+				pitem->frag_next = item;
-+			else
-+				/* insert at the beginning of the list  */
-+				iph1->frag_chain = item;
-+			item->frag_next = citem;
-+			return 0;
-+		}
-+
-+		pitem = citem;
-+		citem = citem->frag_next;
-+	} while (citem != NULL);
-+
-+	/* we reached the end of the list, insert */
-+	pitem->frag_next = item;
-+	return 0;
-+}
-+
- int 
- isakmp_frag_extract(iph1, msg)
- 	struct ph1handle *iph1;
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
- 	item->frag_next = NULL;
- 	item->frag_packet = buf;
- 
-	/* Look for the last frag while inserting the new item in the chain */
-	if (item->frag_last)
-		last_frag = item->frag_num;
-+	/* Check for the last frag before inserting the new item in the chain */
-+	if (item->frag_last) {
-+		/* if we have the last fragment, indices must match */
-+		if (iph1->frag_last_index != 0 &&
-+		    item->frag_last != iph1->frag_last_index) {
-+			plog(LLV_ERROR, LOCATION, NULL,
-+			     "Repeated last fragment index mismatch\n");
-+			racoon_free(item);
-+			vfree(buf);
-+			return -1;
-+		}
- 
-	if (iph1->frag_chain == NULL) {
-		iph1->frag_chain = item;
-	} else {
-		struct isakmp_frag_item *current;
-+		last_frag = iph1->frag_last_index = item->frag_num;
-+	}
- 
-		current = iph1->frag_chain;
-		while (current->frag_next) {
-			if (current->frag_last)
-				last_frag = item->frag_num;
-			current = current->frag_next;
-		}
-		current->frag_next = item;
-+	/* insert fragment into chain */
-+	if (isakmp_frag_insert(iph1, item) == -1) {
-+		plog(LLV_ERROR, LOCATION, NULL,
-+		    "Repeated fragment index mismatch\n");
-+		racoon_free(item);
-+		vfree(buf);
-+		return -1;
- 	}
- 
-	/* If we saw the last frag, check if the chain is complete */
-+	/* If we saw the last frag, check if the chain is complete
-+	 * we have a sorted list now, so just walk through */
- 	if (last_frag != 0) {
-+		item = iph1->frag_chain;
- 		for (i = 1; i <= last_frag; i++) {
-			item = iph1->frag_chain;
-			do {
-				if (item->frag_num == i)
-					break;
-				item = item->frag_next;
-			} while (item != NULL);
-
-+			if (item->frag_num != i)
-+				break;
-+			item = item->frag_next;
- 			if (item == NULL) /* Not found */
- 				break;
- 		}
- 
-		if (item != NULL) /* It is complete */
-+		if (i > last_frag) /* It is complete */
- 			return 1;
- 	}
- 		
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
- 	}
- 	data = buf->v;
- 
-+	item = iph1->frag_chain;
- 	for (i = 1; i <= frag_count; i++) {
-		item = iph1->frag_chain;
-		do {
-			if (item->frag_num == i)
-				break;
-			item = item->frag_next;
-		} while (item != NULL);
-
-		if (item == NULL) {
-+		if (item->frag_num != i) {
- 			plog(LLV_ERROR, LOCATION, NULL, 
- 			    "Missing fragment #%d\n", i);
- 			vfree(buf);
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
- 		}
- 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
- 		data += item->frag_packet->l;
-+		item = item->frag_next;
- 	}
- 
- out:
-
-
-diff -u -p -r1.50 -r1.51
--- a/src/racoon/isakmp_inf.c	2013/04/12 09:53:10	1.50
-+++ a/src/racoon/isakmp_inf.c	2017/01/24 19:23:56	1.51
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
- #endif
- #ifdef ENABLE_FRAG
- 	iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 
--- a/pkgs/os-specific/linux/ipsec-tools/default.nix
+++ b/pkgs/os-specific/linux/ipsec-tools/default.nix
@ -1,49 +0,0 @@
-{ lib, stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, libkrb5, pam }:
-
-# TODO: These tools are supposed to work under NetBSD and FreeBSD as
-# well, so I guess it's not appropriate to place this expression in
-# "os-specific/linux/ipsec-tools". Since I cannot verify that the
-# expression actually builds on those platforms, I'll leave it here for
-# the time being.
-
-stdenv.mkDerivation rec {
-  pname = "ipsec-tools";
-  version = "0.8.2";
-
-  src = fetchurl {
-    url = "mirror://sourceforge/ipsec-tools/ipsec-tools-${version}.tar.bz2";
-    sha256 = "0b9gfbz78k2nj0k7jdlm5kajig628ja9qm0z5yksiwz22s3v7dlf";
-  };
-
-  buildInputs = [ readline openssl flex libkrb5 pam ];
-
-  patches = [
-    ./dont-create-localstatedir-during-install.patch
-    ./CVE-2015-4047.patch
-    ./CVE-2016-10396.patch
-  ];
-
-  # fix build with newer gcc versions
-  preConfigure = ''substituteInPlace configure --replace "-Werror" "" '';
-
-  configureFlags = [
-    "--sysconfdir=/etc --localstatedir=/var"
-    "--with-kernel-headers=${linuxHeaders}/include"
-    "--disable-security-context"
-    "--enable-adminport"
-    "--enable-dpd"
-    "--enable-frag"
-    "--enable-gssapi"
-    "--enable-hybrid"
-    "--enable-natt"
-    "--enable-shared"
-    "--enable-stats"
-  ];
-
-  meta = with lib; {
-    homepage = "http://ipsec-tools.sourceforge.net/";
-    description = "Port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation";
-    license = licenses.bsd3;
-    platforms = platforms.linux;
-  };
-}
--- a/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch
+++ b/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch
@ -1,13 +0,0 @@
-diff -ubr ipsec-tools-0.8.0-orig/src/racoon/Makefile.in ipsec-tools-0.8.0/src/racoon/Makefile.in
--- ipsec-tools-0.8.0-orig/src/racoon/Makefile.in	2012-10-20 13:01:07.700903316 +0200
-+++ ipsec-tools-0.8.0/src/racoon/Makefile.in	2012-10-20 13:01:13.177832616 +0200
-@@ -1085,9 +1085,6 @@
- 	uninstall-sbinPROGRAMS
- 
- 
-install-exec-local:
-	${mkinstalldirs} $(DESTDIR)${adminsockdir}
-
- # special object rules
- crypto_openssl_test.o: crypto_openssl.c
- 	$(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@ -412,6 +412,7 @@ mapAliases ({
  inotifyTools = inotify-tools;
  inter-ui = inter; # added 2021-03-27
  iproute = iproute2; # moved from top-level 2021-03-14
+  ipsecTools = throw "ipsecTools has benn removed, because it was no longer maintained upstream"; # added 2021-12-15
  i-score = throw "i-score has been removed: abandoned upstream."; # added 2020-11-21
  jack2Full = jack2; # moved from top-level 2021-03-14
  jamomacore = throw "jamomacore has been removed: abandoned upstream."; # added 2020-11-21
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -8641,11 +8641,6 @@ with pkgs;

  pngout = callPackage ../tools/graphics/pngout { };

-  ipsecTools = callPackage ../os-specific/linux/ipsec-tools {
-    flex = flex_2_5_35;
-    openssl = openssl_1_0_2;
-  };
-
  patch = gnupatch;

  patchage = callPackage ../applications/audio/patchage { };