Source-Changes-HG archive
[src/trunk]: src/crypto/dist/ipsec-tools Add an option --enable-wildcard-matc...
details: https://anonhg.NetBSD.org/src/rev/9775a55fef1d
branches: trunk
changeset: 787491:9775a55fef1d
user: christos <christos%NetBSD.org@localhost>
date: Thu Jun 20 15:41:18 2013 +0000
description:
Add an option --enable-wildcard-match to enable wildcard matching and explain
why we might want it and why it is a bad idea in general; that's why it is
not enabled by default. ok tteras@, manu@
diffstat:
crypto/dist/ipsec-tools/configure.ac | 8 ++++++
crypto/dist/ipsec-tools/src/racoon/localconf.c | 8 ++++-
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 | 30 ++++++++++++++++++++++-
3 files changed, 42 insertions(+), 4 deletions(-)
diffs (91 lines):
diff -r 2eb1e8403db4 -r 9775a55fef1d crypto/dist/ipsec-tools/configure.ac
--- a/crypto/dist/ipsec-tools/configure.ac Thu Jun 20 15:30:00 2013 +0000
+++ b/crypto/dist/ipsec-tools/configure.ac Thu Jun 20 15:41:18 2013 +0000
@@ -105,6 +105,14 @@
;;
esac
+AH_TEMPLATE(ENABLE_WILDCARD_MATCH, [Enable wildcard matching in pre-shared-key file])
+AC_ARG_ENABLE([wildcard-match],
+[--enable-wildcard-match Enable wildcard matching in pre-shared-key file],
+[case "${enableval}" in
+(yes) AC_DEFINE(ENABLE_WILDCARD_MATCH);;
+(no) ;;
+(*) AC_MSG_ERROR(bad value ${enableval} for --enable-wildcard-match);;
+esac],[])
### Some basic toolchain checks
# Checks for header files.
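Review bot: the help text on the `AC_ARG_ENABLE` line gives the reader no hint that this option is insecure or that it is off by default, and it is a hand-padded literal rather than an `AS_HELP_STRING` call, so its column will not line up with the other entries in `./configure --help`. Suggest `AS_HELP_STRING([--enable-wildcard-match], [Enable wildcard matching in pre-shared-key file (insecure, see racoon.conf(5); default: no)])`. Rejecting anything other than yes/no in the `(*)` arm is good.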
diff -r 2eb1e8403db4 -r 9775a55fef1d crypto/dist/ipsec-tools/src/racoon/localconf.c
--- a/crypto/dist/ipsec-tools/src/racoon/localconf.c Thu Jun 20 15:30:00 2013 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/localconf.c Thu Jun 20 15:41:18 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: localconf.c,v 1.8 2012/01/01 15:29:28 tteras Exp $ */
+/* $NetBSD: localconf.c,v 1.9 2013/06/20 15:41:18 christos Exp $ */
/* $KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $ */
@@ -247,7 +247,11 @@
if (*p == '\0')
continue; /* no 2nd parameter */
p--;
- if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
+ if (
+#ifdef ENABLE_WILDCARD_MATCH
+ strncmp(buf, "*", 2) == 0 ||
+#endif
+ (strncmp(buf, str, len) == 0 && buf[len] == '\0')) {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
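Review bot: the wildcard test is ORed in ahead of the exact comparison, and the loop (judging from the `continue` for lines without a second parameter) takes the first matching line, so a `*` line placed above a host-specific entry in the pre-shared-key file silently shadows every entry below it; either remember the wildcard key and keep scanning so an exact match still wins, or have racoon.conf(5) state that the `*` line must come last. `strncmp(buf, "*", 2) == 0` is `strcmp(buf, "*") == 0` written obscurely; the plain form reads better and makes it obvious that this is an exact `*`, not a glob. Because the check is selected with `#ifdef`, an operator running a binary built with `--enable-wildcard-match` has no way to turn it off; a racoon.conf directive would be a safer switch than a build-time define.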
diff -r 2eb1e8403db4 -r 9775a55fef1d crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Thu Jun 20 15:30:00 2013 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Thu Jun 20 15:41:18 2013 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.66 2012/11/30 08:19:01 wiz Exp $
+.\" $NetBSD: racoon.conf.5,v 1.67 2013/06/20 15:41:18 christos Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd November 29, 2012
+.Dd June 17, 2013
.Dt RACOON.CONF 5
.Os
.\"
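Review bot: `.Dd June 17, 2013` predates the commit date of this changeset (Thu Jun 20 2013); set it to the date the change is committed.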
@@ -1468,6 +1468,32 @@
.Xr racoon 8
.Pq usually the privileged user ,
and must not be accessible by others.
+.Pp
+If configured with
+.Dv ENABLE_WILDCARD_MATCH ,
+this implementation allows a wildcard key
+.Dq * .
+This is allowed for the special case of a single user connecting to
+a gateway using an iPhone.
+On an iPhone, L2TP over IPSEC only supports
+main mode with pre-shared keys (no certificates).
+Unfortunately racoon
+only supports pre-shared-key lookup by address when identity protection
+is used, and since the iPhone does not have a specific IP address, we
+don't know what key to put in the pre-shared key file.
+.Pp
+Sharing the connection with more than one user is strongly discouraged
+because any user can pretend to be the server since they know the pre-shared
+key.
+This means that any user can steal the traffic of any other user, by
+spoofing DNS which is not trivial but easy.
+Even worse, the malicious user will be able to then steal any other
+authentication data (CHAP/XAUTH etc.) that another user will supply
+to the compromised server, because it assumes that phase 1 is secured
+by the pre-shared key.
+.Pp
+In summary, never use wildcard keys if your gateway is hosting more than
+one user.
.\"
.Sh EXAMPLES
The following shows how the remote directive should be configured.
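Review bot: the new text explains why the wildcard exists but not how it is matched; state that the key is a single `*` as the first field of a line in the pre-shared-key file (an exact token, not a glob) and whether it takes precedence over an address-specific entry that also matches, since the operator cannot tell from this paragraph. Wording: `IPSEC` should be `IPsec`; "does not have a specific IP address" means "does not have a fixed IP address"; "which is not trivial but easy" contradicts itself, so drop the clause or say what is meant (for example "which takes some setup but is well understood"). The threat paragraph would be sharper if it named the root cause directly: with one shared key, phase 1 proves only that the peer knows the group secret, so no client can be distinguished from the gateway.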