From b5f5cc6d4417391394c7b513bf45a171a1b99c9b Mon Sep 17 00:00:00 2001
From: ajs124
Date: Wed, 15 Dec 2021 17:52:58 +0000
Subject: [PATCH 1/3] ipsecTools: drop
---
 .../linux/ipsec-tools/CVE-2015-4047.patch | 16 --
 .../linux/ipsec-tools/CVE-2016-10396.patch | 193 ------------------
 .../os-specific/linux/ipsec-tools/default.nix | 49 -----
 ...-create-localstatedir-during-install.patch | 13 --
 pkgs/top-level/aliases.nix | 1 +
 pkgs/top-level/all-packages.nix | 5 -
 6 files changed, 1 insertion(+), 276 deletions(-)
 delete mode 100644 pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch
 delete mode 100644 pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch
 delete mode 100644 pkgs/os-specific/linux/ipsec-tools/default.nix
 delete mode 100644 pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch
diff --git a/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch b/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch
deleted file mode 100644
index 00c23c6cac14..000000000000
--- a/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: pkg-ipsec-tools/src/racoon/gssapi.c
-===================================================================
---- pkg-ipsec-tools.orig/src/racoon/gssapi.c
-+++ pkg-ipsec-tools/src/racoon/gssapi.c
-@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
- gss_name_t princ, canon_princ;
- OM_uint32 maj_stat, min_stat;
- 
-+ if (iph1->rmconf == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+ return -1;
-+ }
-+
- gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
diff --git a/pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch b/pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch
deleted file mode 100644
index b644d46f8c9d..000000000000
--- a/pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch
+++ /dev/null
@@ -1,193 +0,0 @@ -From: Antoine_Beaupre -Acked-by: Jiri Bohac -Subject: PR/51682: Avoid DoS with fragment out of order insertion; keep fragments sorted in the list. -References: bsc#1047443, CVE-2016-10396 - - - -Index: a/src/racoon/handler.h -=================================================================== ---- a/src/racoon/handler.h.orig 2018-01-26 18:05:21.114764376 +0100 -+++ a/src/racoon/handler.h 2018-01-26 18:05:33.986741103 +0100 -@@ -141,6 +141,7 @@ struct ph1handle { - #endif - #ifdef ENABLE_FRAG - int frag; /* IKE phase 1 fragmentation */ -+ int frag_last_index; - struct isakmp_frag_item *frag_chain; /* Received fragments */ - #endif - -Index: a/src/racoon/isakmp.c -=================================================================== ---- a/src/racoon/isakmp.c.orig 2018-01-26 18:05:21.118764369 +0100 -+++ a/src/racoon/isakmp.c 2018-01-26 18:05:33.986741103 +0100 -@@ -1069,6 +1069,7 @@ isakmp_ph1begin_i(rmconf, remote, local) - iph1->frag = 1; - else - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - iph1->approval = NULL; -@@ -1173,6 +1174,7 @@ isakmp_ph1begin_r(msg, remote, local, et - #endif - #ifdef ENABLE_FRAG - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - iph1->approval = NULL; -Index: a/src/racoon/isakmp_frag.c -=================================================================== ---- a/src/racoon/isakmp_frag.c.orig 2018-01-26 18:05:21.118764369 +0100 -+++ a/src/racoon/isakmp_frag.c 2018-01-26 18:05:33.986741103 +0100 -@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) - return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); - } - -+static int -+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) -+{ -+ struct isakmp_frag_item *pitem = NULL; -+ struct isakmp_frag_item *citem = iph1->frag_chain; -+ -+ /* no frag yet, just insert at beginning of list */ -+ if (iph1->frag_chain == NULL) { -+ iph1->frag_chain = item; -+ return 0; -+ } -+ -+ do { -+ /* duplicate 
fragment number, abort (CVE-2016-10396) */ -+ if (citem->frag_num == item->frag_num) -+ return -1; -+ -+ /* need to insert before current item */ -+ if (citem->frag_num > item->frag_num) { -+ if (pitem != NULL) -+ pitem->frag_next = item; -+ else -+ /* insert at the beginning of the list */ -+ iph1->frag_chain = item; -+ item->frag_next = citem; -+ return 0; -+ } -+ -+ pitem = citem; -+ citem = citem->frag_next; -+ } while (citem != NULL); -+ -+ /* we reached the end of the list, insert */ -+ pitem->frag_next = item; -+ return 0; -+} -+ - int - isakmp_frag_extract(iph1, msg) - struct ph1handle *iph1; -@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) - item->frag_next = NULL; - item->frag_packet = buf; - -- /* Look for the last frag while inserting the new item in the chain */ -- if (item->frag_last) -- last_frag = item->frag_num; -+ /* Check for the last frag before inserting the new item in the chain */ -+ if (item->frag_last) { -+ /* if we have the last fragment, indices must match */ -+ if (iph1->frag_last_index != 0 && -+ item->frag_last != iph1->frag_last_index) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Repeated last fragment index mismatch\n"); -+ racoon_free(item); -+ vfree(buf); -+ return -1; -+ } - -- if (iph1->frag_chain == NULL) { -- iph1->frag_chain = item; -- } else { -- struct isakmp_frag_item *current; -+ last_frag = iph1->frag_last_index = item->frag_num; -+ } - -- current = iph1->frag_chain; -- while (current->frag_next) { -- if (current->frag_last) -- last_frag = item->frag_num; -- current = current->frag_next; -- } -- current->frag_next = item; -+ /* insert fragment into chain */ -+ if (isakmp_frag_insert(iph1, item) == -1) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Repeated fragment index mismatch\n"); -+ racoon_free(item); -+ vfree(buf); -+ return -1; - } - -- /* If we saw the last frag, check if the chain is complete */ -+ /* If we saw the last frag, check if the chain is complete -+ * we have a sorted list now, so just walk through */ - if 
(last_frag != 0) { -+ item = iph1->frag_chain; - for (i = 1; i <= last_frag; i++) { -- item = iph1->frag_chain; -- do { -- if (item->frag_num == i) -- break; -- item = item->frag_next; -- } while (item != NULL); -- -+ if (item->frag_num != i) -+ break; -+ item = item->frag_next; - if (item == NULL) /* Not found */ - break; - } - -- if (item != NULL) /* It is complete */ -+ if (i > last_frag) /* It is complete */ - return 1; - } - -@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) - } - data = buf->v; - -+ item = iph1->frag_chain; - for (i = 1; i <= frag_count; i++) { -- item = iph1->frag_chain; -- do { -- if (item->frag_num == i) -- break; -- item = item->frag_next; -- } while (item != NULL); -- -- if (item == NULL) { -+ if (item->frag_num != i) { - plog(LLV_ERROR, LOCATION, NULL, - "Missing fragment #%d\n", i); - vfree(buf); -@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) - } - memcpy(data, item->frag_packet->v, item->frag_packet->l); - data += item->frag_packet->l; -+ item = item->frag_next; - } - - out: - - -diff -u -p -r1.50 -r1.51 ---- a/src/racoon/isakmp_inf.c 2013/04/12 09:53:10 1.50 -+++ a/src/racoon/isakmp_inf.c 2017/01/24 19:23:56 1.51 -@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca - #endif - #ifdef ENABLE_FRAG - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - diff --git a/pkgs/os-specific/linux/ipsec-tools/default.nix b/pkgs/os-specific/linux/ipsec-tools/default.nix deleted file mode 100644 index f10364121a46..000000000000 --- a/pkgs/os-specific/linux/ipsec-tools/default.nix +++ /dev/null 
@@ -1,49 +0,0 @@
-{ lib, stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, libkrb5, pam }:
-
-# TODO: These tools are supposed to work under NetBSD and FreeBSD as
-# well, so I guess it's not appropriate to place this expression in
-# "os-specific/linux/ipsec-tools". Since I cannot verify that the
-# expression actually builds on those platforms, I'll leave it here for
-# the time being.
-
-stdenv.mkDerivation rec {
- pname = "ipsec-tools";
- version = "0.8.2";
-
- src = fetchurl {
- url = "mirror://sourceforge/ipsec-tools/ipsec-tools-${version}.tar.bz2";
- sha256 = "0b9gfbz78k2nj0k7jdlm5kajig628ja9qm0z5yksiwz22s3v7dlf";
- };
-
- buildInputs = [ readline openssl flex libkrb5 pam ];
-
- patches = [
- ./dont-create-localstatedir-during-install.patch
- ./CVE-2015-4047.patch
- ./CVE-2016-10396.patch
- ];
-
- # fix build with newer gcc versions
- preConfigure = ''substituteInPlace configure --replace "-Werror" "" '';
-
- configureFlags = [
- "--sysconfdir=/etc --localstatedir=/var"
- "--with-kernel-headers=${linuxHeaders}/include"
- "--disable-security-context"
- "--enable-adminport"
- "--enable-dpd"
- "--enable-frag"
- "--enable-gssapi"
- "--enable-hybrid"
- "--enable-natt"
- "--enable-shared"
- "--enable-stats"
- ];
-
- meta = with lib; {
- homepage = "http://ipsec-tools.sourceforge.net/";
- description = "Port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation";
- license = licenses.bsd3;
- platforms = platforms.linux;
- };
-}
diff --git a/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch b/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch
deleted file mode 100644
index 16b80c36d6a5..000000000000
--- a/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -ubr ipsec-tools-0.8.0-orig/src/racoon/Makefile.in ipsec-tools-0.8.0/src/racoon/Makefile.in
---- ipsec-tools-0.8.0-orig/src/racoon/Makefile.in 2012-10-20 13:01:07.700903316 +0200
-+++ ipsec-tools-0.8.0/src/racoon/Makefile.in 2012-10-20 13:01:13.177832616 +0200
-@@ -1085,9 +1085,6 @@
- uninstall-sbinPROGRAMS
- 
- 
--install-exec-local:
-- ${mkinstalldirs} $(DESTDIR)${adminsockdir}
--
- # special object rules
- crypto_openssl_test.o: crypto_openssl.c
- $(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 060f2c068750..e899b3c67b27 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -412,6 +412,7 @@ mapAliases ({
 inotifyTools = inotify-tools;
 inter-ui = inter; # added 2021-03-27
 iproute = iproute2; # moved from top-level 2021-03-14
+ ipsecTools = throw "ipsecTools has benn removed, because it was no longer maintained upstream"; # added 2021-12-15
 i-score = throw "i-score has been removed: abandoned upstream."; # added 2020-11-21
 jack2Full = jack2; # moved from top-level 2021-03-14
 jamomacore = throw "jamomacore has been removed: abandoned upstream."; # added 2020-11-21
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 759870ec571a..264e1cede9e2 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -8641,11 +8641,6 @@ with pkgs; pngout = callPackage ../tools/graphics/pngout { }; - ipsecTools = callPackage ../os-specific/linux/ipsec-tools { - flex = flex_2_5_35; - openssl = openssl_1_0_2; - }; - patch = gnupatch; patchage = callPackage ../applications/audio/patchage { };
From 737de29e11d8fcf329e46879d4d0d0c33cdc6ac8 Mon Sep 17 00:00:00 2001
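Review bot: The new alias message in the aliases.nix hunk misspells `been` as `benn`, and its wording departs from the `has been removed: reason` form used by the neighbouring `i-score` and `jamomacore` aliases; suggested line: `ipsecTools = throw "ipsecTools has been removed: it was no longer maintained upstream"; # added 2021-12-15`. The same kind of typo recurs in the third patch of this series, where the `mkRemovedOptionModule` text for `virtualisation.vswitch.ipsec` in openvswitch.nix reads `abanoded` instead of `abandoned`. Since the dropped derivation (all-packages.nix hunk in this patch) overrode `openssl` with `openssl_1_0_2` and nixpkgs was carrying the CVE-2015-4047 and CVE-2016-10396 fixes itself, the throw message could also mention that the package was removed because its security fixes were no longer maintained upstream, which gives users a clearer reason to migrate than "no longer maintained" alone.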
From: ajs124
Date: Wed, 15 Dec 2021 17:56:08 +0000
Subject: [PATCH 2/3] nixos/racoon: drop
---
 nixos/modules/module-list.nix | 1 -
 nixos/modules/rename.nix | 3 ++
 nixos/modules/services/networking/racoon.nix | 45 --------------------
 3 files changed, 3 insertions(+), 46 deletions(-)
 delete mode 100644 nixos/modules/services/networking/racoon.nix
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 4b2cb803e20e..c2b1e8866863 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -852,7 +852,6 @@
 ./services/networking/quassel.nix
 ./services/networking/quorum.nix
 ./services/networking/quicktun.nix
- ./services/networking/racoon.nix
 ./services/networking/radicale.nix
 ./services/networking/radvd.nix
 ./services/networking/rdnssd.nix
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index b9a2f47f3f5a..81843dc0f90a 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -80,6 +80,9 @@ with lib; libinput and synaptics. '') (mkRemovedOptionModule [ "virtualisation" "rkt" ] "The rkt module has been removed, it was archived by upstream") + (mkRemovedOptionModule [ "services" "racoon" ] '' + The racoon module has been removed, because the software project was abandoned upstream. + '') # Do NOT add any option renames here, see top of the file ];
diff --git a/nixos/modules/services/networking/racoon.nix b/nixos/modules/services/networking/racoon.nix
deleted file mode 100644
index 328f4cb1497f..000000000000
--- a/nixos/modules/services/networking/racoon.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.racoon;
-in {
- options.services.racoon = {
- enable = mkEnableOption "racoon";
-
- config = mkOption {
- description = "Contents of racoon configuration file.";
- default = "";
- type = types.str;
- };
-
- configPath = mkOption {
- description = "Location of racoon config if config is not provided.";
- default = "/etc/racoon/racoon.conf";
- type = types.path;
- };
- };
-
- config = mkIf cfg.enable {
- systemd.services.racoon = {
- description = "Racoon Daemon";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- serviceConfig = {
- ExecStart = "${pkgs.ipsecTools}/bin/racoon -f ${
- if (cfg.config != "") then pkgs.writeText "racoon.conf" cfg.config
- else cfg.configPath
- }";
- ExecReload = "${pkgs.ipsecTools}/bin/racoonctl reload-config";
- PIDFile = "/run/racoon.pid";
- Type = "forking";
- Restart = "always";
- };
- preStart = ''
- rm /run/racoon.pid || true
- mkdir -p /var/racoon
- '';
- };
- };
-}
From ef8280914f6e2ce5d5760d287abd7baee9baba20 Mon Sep 17 00:00:00 2001
From: ajs124
Date: Wed, 15 Dec 2021 18:00:30 +0000
Subject: [PATCH 3/3] nixos/openvswitch: remove ipsec
---
 nixos/modules/virtualisation/openvswitch.nix | 61 +++----------------
 1 file changed, 8 insertions(+), 53 deletions(-)
diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix
index 325f6f5b43f4..436a375fb5eb 100644
--- a/nixos/modules/virtualisation/openvswitch.nix
+++ b/nixos/modules/virtualisation/openvswitch.nix
@@ -36,17 +36,6 @@ in { Open vSwitch package to use. ''; }; - - ipsec = mkOption { - type = types.bool; - default = false; - description = '' - Whether to start racoon service for openvswitch. - Supported only if openvswitch version is less than 2.6.0. - Use virtualisation.vswitch.package = pkgs.openvswitch-lts - for a version that supports ipsec over GRE. - ''; - }; }; config = mkIf cfg.enable (let
@@ -65,7 +54,7 @@ in { installPhase = "mkdir -p $out"; }; - in (mkMerge [{ + in { environment.systemPackages = [ cfg.package ]; boot.kernelModules = [ "tun" "openvswitch" ]; @@ -142,48 +131,14 @@ in { }; }; - } - (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) { - environment.systemPackages = [ pkgs.ipsecTools ]; + }); - services.racoon.enable = true; - services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf"; - - networking.firewall.extraCommands = '' - iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1 - iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1 - ''; - - systemd.services.ovs-monitor-ipsec = { - description = "Open_vSwitch Ipsec Daemon"; - wantedBy = [ "multi-user.target" ]; - requires = [ "ovsdb.service" ]; - before = [ "vswitchd.service" "racoon.service" ]; - environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock"; - serviceConfig = { - ExecStart = '' - ${cfg.package}/bin/ovs-monitor-ipsec \ - --root-prefix ${runDir}/ipsec \ - --pidfile /run/openvswitch/ovs-monitor-ipsec.pid \ - --monitor --detach \ - unix:/run/openvswitch/db.sock - ''; - PIDFile = "/run/openvswitch/ovs-monitor-ipsec.pid"; - # Use service type 'forking' to correctly determine when ovs-monitor-ipsec is ready. - Type = "forking"; - }; - - preStart = '' - rm -r ${runDir}/ipsec/etc/racoon/certs || true - mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/} - ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey - ln -fs ${pkgs.writeScript "racoon-restart" '' - #!${pkgs.runtimeShell} - /run/current-system/sw/bin/systemctl $1 racoon - ''} ${runDir}/ipsec/etc/init.d/racoon - ''; - }; - })])); + imports = [ + (mkRemovedOptionModule [ "virtualisation" "vswitch" "ipsec" ] '' + OpenVSwitch IPSec functionality has been removed, because it depended on racoon, + which was removed from nixpkgs, because it was abanoded upstream. + '') + ]; meta.maintainers = with maintainers; [ netixx ];