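--- a/configure.ac
+++ b/configure.ac
@@ -794,6 +794,27 @@ AC_TRY_COMPILE(
 AC_MSG_RESULT(yes)],
 [AC_MSG_RESULT(no)])
 
+AC_MSG_CHECKING(whether to support Auditing)
+AC_ARG_ENABLE(audit,
+ [ --enable-audit build audit daemon support for SELinux],
+ enable_audit=$enableval,enable_audit=auto)
+
+AC_MSG_RESULT($enable_audit)
+
+# libaudit detection
+if test x$enable_audit = xno ; then
+ have_libaudit=no;
+else
+ AC_CHECK_LIB(audit, audit_log_user_avc_message,
+ have_libaudit=yes, have_libaudit=no)
+fi
+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
+if test x$have_libaudit = xyes ; then
+ AUDIT_LIBS="-laudit"
+ AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support])
+fi
+AC_SUBST(AUDIT_LIBS)
+
 CFLAGS="$CFLAGS $CFLAGS_ADD"
 CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
 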
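Review bot: An explicit `--enable-audit` whose libaudit probe fails degrades to `have_libaudit=no` with nothing but a "checking" line, because the `yes` and `auto` cases are handled identically in the else branch; after AC_CHECK_LIB, add `if test x$enable_audit = xyes -a x$have_libaudit != xyes; then AC_MSG_ERROR([libaudit requested but not found]); fi` so a build that was meant to emit audit records cannot silently emit none. This detection is also independent of the security-context check, yet audit_init() is implemented in security.c, which the Makefile.am hunk links only through $(SECCTX_OBJS), so a tree configured with libaudit but without security-context support would presumably fail to link the audit_init() call added in main.c; gating this block on the secctx result (or making HAVE_LIBAUDIT imply HAVE_SECCTX) closes that. Whether the secctx test runs before this point in configure.ac is not visible in the hunk.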
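--- a/src/racoon/handler.h
+++ b/src/racoon/handler.h
@@ -318,6 +318,7 @@ struct ph2handle {
 u_int32_t msgid; /* msgid for phase 2 */
 
 u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
+ u_int8_t loopback;
 
 struct sainfo *sainfo; /* place holder of sainfo */
 struct saprop *proposal; /* SA(s) proposal. */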
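Review bot: `loopback` is the only member in this part of struct ph2handle without a trailing comment; given how the pfkey.c hunks use it, `u_int8_t loopback; /* 1: SA to ourselves, installed via GETSPI/UPDATE without ISAKMP */` documents it in the style of its neighbours. The pfkey.c checks compare it to 1 and nothing in the diff ever clears it, so they presumably rely on the handle being zero-filled at allocation; newph2() is outside the diff, so confirm that. The struct ph2handle definition begins before the hunk.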
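--- a/src/racoon/isakmp_quick.c
+++ b/src/racoon/isakmp_quick.c
@@ -99,11 +99,10 @@ static vchar_t *quick_ir1mx __P((struct
 static int get_sainfo_r __P((struct ph2handle *));
 static int get_proposal_r __P((struct ph2handle *));
 static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *));
-static void quick_timeover_stub __P((struct sched *));
 static void quick_timeover __P((struct ph2handle *));
 
 /* called from scheduler */
-static void
+void
 quick_timeover_stub(p)
 struct sched *p;
 {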
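--- a/src/racoon/isakmp_quick.h
+++ b/src/racoon/isakmp_quick.h
@@ -47,4 +47,5 @@ extern int quick_r3recv __P((struct ph2h
 extern int quick_r3send __P((struct ph2handle *, vchar_t *));
 extern int quick_r3prep __P((struct ph2handle *, vchar_t *));
 
+extern void quick_timeover_stub __P((struct sched *));
 #endif /* _ISAKMP_QUICK_H */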
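--- a/src/racoon/main.c
+++ b/src/racoon/main.c
@@ -297,6 +297,9 @@ main(ac, av)
 #ifdef HAVE_SECCTX
 init_avc();
 #endif
+#ifdef HAVE_LIBAUDIT
+ audit_init();
+#endif
 eay_init();
 initrmconf();
 oakley_dhinit();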
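--- a/src/racoon/Makefile.am
+++ b/src/racoon/Makefile.am
@@ -39,7 +39,7 @@ racoon_SOURCES = \
 EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
 isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
 racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
+ $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
 racoon_DEPENDENCIES = \
 $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
 vmbuf.o sockmisc.o misc.o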
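--- a/src/racoon/pfkey.c
+++ b/src/racoon/pfkey.c
@@ -87,6 +87,7 @@
 #include "isakmp_var.h"
 #include "isakmp.h"
 #include "isakmp_inf.h"
+#include "isakmp_quick.h"
 #include "ipsec_doi.h"
 #include "oakley.h"
 #include "pfkey.h"
@@ -101,6 +102,7 @@
 #include "nattraversal.h"
 #include "crypto_openssl.h"
 #include "grabmyaddr.h"
+#include "sockmisc.h"
 
 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
 #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
@@ -1043,6 +1045,56 @@ pk_recvgetspi(mhp)
 return -1;
 }
 
+#ifdef HAVE_SECCTX
+ if (iph2->loopback == 1) {
+ u_int satype, reqid;
+ struct sockaddr *src;
+
+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ if (cmpsaddr(src, dst) != CMPSADDR_MISMATCH) {
+ struct pfkey_send_sa_args sa_args;
+ /* yep, this is loopback. install SA */
+ satype = ipsecdoi2pfkey_proto(iph2->proposal->head->proto_id);
+ if (satype == ~0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid proto_id %d\n",
+ iph2->proposal->head->proto_id);
+ return -1;
+ }
+
+ reqid = iph2->proposal->head->reqid_in;
+
+ iph2->status = PHASE2ST_ADDSA;
+
+ memset (&sa_args, 0, sizeof (sa_args));
+ sa_args.so = lcconf->sock_pfkey;
+ sa_args.satype = satype;
+ sa_args.mode = IPSEC_MODE_TRANSPORT;
+ sa_args.src = src;
+ sa_args.dst = dst;
+ sa_args.spi = sa->sadb_sa_spi;
+ sa_args.reqid = reqid;
+ sa_args.e_type = SADB_EALG_NULL;
+ sa_args.a_type = SADB_AALG_NONE;
+ sa_args.l_addtime = iph2->proposal->lifetime;
+ sa_args.seq = iph2->seq;
+ sa_args.ctxdoi = iph2->proposal->sctx.ctx_doi;
+ sa_args.ctxalg = iph2->proposal->sctx.ctx_alg;
+ sa_args.ctxstr = iph2->proposal->sctx.ctx_str;
+ sa_args.ctxstrlen = iph2->proposal->sctx.ctx_strlen;
+ if (pfkey_send_update2(&sa_args) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to update loopback SA: %s\n",
+ ipsec_strerror());
+ remph2(iph2);
+ delph2(iph2);
+ return -1;
+ }
+ }
+ return 0;
+ }
+#endif /* HAVE SECCTX */
+
 /* set SPI, and check to get all spi whether or not */
 allspiok = 1;
 notfound = 1;
@@ -1304,6 +1356,26 @@ pk_recvupdate(mhp)
 return -1;
 }
 
+#ifdef HAVE_SECCTX
+ /* get update for loopback here */
+ if (iph2->loopback == 1 && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "IPsec-SA established without ISAKMP: %s\n",
+ sadbsecas2str(iph2->dst, iph2->src,
+ msg->sadb_msg_satype, sa->sadb_sa_spi,
+ IPSEC_MODE_TRANSPORT));
+
+ /* turn off the timer for calling quick_timeover() */
+ sched_cancel(&iph2->sce);
+
+ sched_schedule(&iph2->sce, iph2->proposal->lifetime,
+ isakmp_ph2expire_stub);
+
+ iph2->status = PHASE2ST_ESTABLISHED;
+ return 0;
+ }
+#endif
+
 /* check to complete all keys ? */
 for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
 proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
@@ -1343,7 +1415,7 @@ pk_recvupdate(mhp)
 if (incomplete)
 return 0;
 
- /* turn off the timer for calling pfkey_timeover() */
+ /* turn off the timer for calling quick_timeover() */
 sched_cancel(&iph2->sce);
 
 /* update status */
@@ -1768,6 +1840,12 @@ pk_recvacquire(mhp)
 m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
 
 if (m_sec_ctx != NULL) {
+ if (m_sec_ctx->sadb_x_ctx_len > MAX_CTXSTR_SIZE) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignoring ACQUIRE: security context is greater than MAX, %d.\n",
+ MAX_CTXSTR_SIZE);
+ return -1;
+ }
 plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
 m_sec_ctx->sadb_x_ctx_doi);
 plog(LLV_INFO, LOCATION, NULL,
@@ -1974,6 +2052,73 @@ pk_recvacquire(mhp)
 iph2->sa_dst = dupsaddr(sa_dst);
 }
 
+#ifdef HAVE_SECCTX
+ /*
+ * If the src address in the ACQUIRE is one we listen on and
+ * the src and dst addresses are the same, then assume this
+ * packet arrived over loopback and just get an SPI and
+ * install the SA.
+ */
+ if (m_sec_ctx && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {
+ struct saprop *newpp;
+ struct saproto *newpr;
+ iph2->loopback = 1;
+ newpp = newsaprop();
+ if (newpp == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate saprop.\n");
+ delph2(iph2);
+ return -1;
+ }
+ /* allocate to hold reqid */
+ newpr = newsaproto();
+ if (newpr == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate saproto.\n");
+ delph2(iph2);
+ return -1;
+ }
+
+ newpr->reqid_out = sp_out->req->saidx.reqid;
+ newpr->reqid_in = sp_in->req->saidx.reqid;
+ newpr->proto_id = ipproto2doi(sp_out->req->saidx.proto);
+
+ inssaprotorev(newpp, newpr);
+ iph2->proposal = newpp;
+ printsaprop0(LLV_DEBUG, newpp);
+
+ set_secctx_in_proposal(iph2, spidx);
+ iph2->proposal->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
+
+ insph2(iph2);
+
+ iph2->status = PHASE2ST_GETSPISENT;
+ plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
+ if (pfkey_send_getspi(
+ lcconf->sock_pfkey,
+ iph2->satype,
+ IPSEC_MODE_TRANSPORT,
+ dst, /* src of SA */
+ src, /* dst of SA */
+ 0, 0,
+ newpr->reqid_in, iph2->seq) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ipseclib failed send getspi (%s)\n",
+ ipsec_strerror());
+ delph2(iph2);
+ return -1;
+ }
+ sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
+ quick_timeover_stub);
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "pfkey GETSPI sent: %s\n",
+ sadbsecas2str(dst, src, iph2->satype, 0,
+ IPSEC_MODE_TRANSPORT));
+ return 0;
+ }
+#endif /* HAVE_SECCTX */
+
 if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
 delph2(iph2);
 return -1;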
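Review bot: In the pk_recvacquire loopback branch, the pfkey_send_getspi() failure path calls `delph2(iph2)` after `insph2(iph2)` has already linked the handle, so a freed handle is left in the phase-2 list; it should be `remph2(iph2); delph2(iph2);` exactly as the pk_recvgetspi hunk does on its own failure path (the earlier newsaprop/newsaproto failures run before insph2 and are fine, though a newsaproto() failure leaks newpp). The comment above that branch says the src address must be "one we listen on", but the visible gate is only `m_sec_ctx && cmpsaddr(src, dst) != CMPSADDR_MISMATCH`, and the SA this leads to is installed in pk_recvgetspi with SADB_EALG_NULL/SADB_AALG_NONE, so either add the local-address check the comment describes or reword the comment to state the actual condition. In the sadb_x_ctx_len check, log the rejected length alongside the limit so the event is diagnosable, e.g. `"ignoring ACQUIRE: security context length %u exceeds MAX_CTXSTR_SIZE %d.\n", m_sec_ctx->sadb_x_ctx_len, MAX_CTXSTR_SIZE`; whether `>` or `>=` is right depends on how ctx_str is stored, which is outside the hunk. pk_recvgetspi, pk_recvupdate and pk_recvacquire all begin before their hunks.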
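--- a/src/racoon/policy.h
+++ b/src/racoon/policy.h
@@ -38,7 +38,12 @@
 
 
 #ifdef HAVE_SECCTX
-#define MAX_CTXSTR_SIZE 50
+
+/* Current LSPP policy is 1024 compartments, 5 chars each 'c1024'. SE Linux
+ * will attempt to combine so, worst case is all odd or even numbers. The
+ * context size of SE Linux types is max'ed around 256. We allow 16 for
+ * sensitivity */
+#define MAX_CTXSTR_SIZE 3344 /* (6 * 512) + 256 + 16 */
 struct security_ctx {
 u_int8_t ctx_doi; /* Security Context DOI */
 u_int8_t ctx_alg; /* Security Context Algorithm */
@@ -158,6 +163,9 @@ extern void initsp __P((void));
 extern struct ipsecrequest *newipsecreq __P((void));
 
 extern const char *spidx2str __P((const struct policyindex *));
+#ifdef HAVE_LIBAUDIT
+extern void audit_init __P((void));
+#endif
 #ifdef HAVE_SECCTX
 #include <selinux/selinux.h>
 extern int get_security_context __P((vchar_t *, struct policyindex *));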
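Review bot: The new comment says compartments are "5 chars each" while the formula in the trailing comment charges 6 per compartment, so the separator that accounts for the extra byte should be spelled out, e.g. `/* 512 x ("c1024" + ',') + 256 type + 16 sensitivity = 3344 */`. Raising MAX_CTXSTR_SIZE from 50 to 3344 also grows anything sized from it; the string member of struct security_ctx is not in the hunk, so check that no fixed-size stack copy or length field elsewhere still assumes the old bound. audit_init() is implemented in security.c but its prototype is added here next to the policy declarations; if security.c has its own header the declaration belongs there, and it is only meaningful when security.c is compiled in.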
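--- a/src/racoon/security.c
+++ b/src/racoon/security.c
@@ -55,6 +55,61 @@
 #include "proposal.h"
 #include "strnames.h"
 #include "handler.h"
+#ifdef HAVE_LIBAUDIT
+#include <unistd.h>
+#include <sys/param.h>
+#include "libaudit.h"
+#endif
+
+static void log_callback (const char *fmt, ...);
+
+static const struct avc_log_callback log_cb =
+{
+ .func_log = log_callback,
+ .func_audit = NULL
+};
+
+#ifdef HAVE_LIBAUDIT
+static int audit_fd = -1;
+void
+audit_init(void)
+{
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* If kernel doesn't support audit, bail out */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return;
+ /* If unprivileged, bail out */
+ if (errno == EPERM && getuid() != 0)
+ return;
+ plog (LLV_ERROR, LOCATION, NULL,
+ "Failed opening connection to the audit subsystem");
+ }
+}
+#endif /* HAVE_LIBAUDIT */
+
+static void
+log_callback (const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+#ifdef HAVE_LIBAUDIT
+ if (audit_fd >= 0) {
+ char buf[PATH_MAX*2];
+
+ /* FIXME: need to change this to show real user */
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC,
+ buf, NULL, NULL, NULL, -1);
+ return;
+ } else
+#endif /* HAVE_LIBAUDIT */
+ {
+ vsyslog (LOG_INFO, fmt, ap);
+ va_end(ap);
+ }
+}
 
 /*
 * Get the security context information from SA.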
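Review bot: log_callback() returns from the HAVE_LIBAUDIT branch without `va_end(ap)`, which the C standard requires after every va_start, and it discards the return value of audit_log_user_avc_message(), so an AVC denial vanishes silently whenever the audit write fails (auditd gone, backlog full). Restructuring the function so va_end runs on both paths and falling back to syslog with the already-formatted buffer on a negative return keeps the record somewhere, and also removes the `} else` / `#endif` / `{` splice that is easy to misread. audit_init()'s error plog lacks the trailing `\n` used by the other plog calls and gives no reason; `"Failed opening connection to the audit subsystem: %s\n", strerror(errno)` makes it actionable. `log_cb` is defined but never referenced within this hunk; if init_avc() hands it to avc_init() elsewhere that is fine, otherwise it is an unused static.
```c
	/* … unchanged: va_list ap; va_start(ap, fmt); … */
#ifdef HAVE_LIBAUDIT
	if (audit_fd >= 0) {
		char buf[PATH_MAX*2];

		/* FIXME: need to change this to show real user */
		vsnprintf(buf, sizeof(buf), fmt, ap);
		/* a denial must not vanish if the audit write fails */
		if (audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC,
		    buf, NULL, NULL, NULL, -1) < 0)
			syslog(LOG_INFO, "%s", buf);
		va_end(ap);
		return;
	}
#endif /* HAVE_LIBAUDIT */
	vsyslog (LOG_INFO, fmt, ap);
	va_end(ap);
}
```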