CVS commit: src/crypto/dist/ipsec-tools/src/racoon

["Christos Zoulas" <christos%netbsd.org@localhost>]

Module Name:    src
Committed By:   christos
Date:           Fri Oct  5 20:12:37 UTC 2018

Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon: isakmp_frag.c

Log Message:
>From Thomas Reim:

Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.

The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.

The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after succesful reassembly of the IKE phase 1 message.

In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.

This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis VPN client blackballing.

XXX: pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
    src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.