From: Robert Wolf <r.wolf.debian@atlas.cz>
Date: Mon, 11 Jan 2016 14:21:40 +0100
Subject: Server should not bind control port if there is no shared secret
And add two additional checks of the shared secret
- checks validity of the read shared secret and set ctlkey structure
pointer not NULL only if there is really any shared secret.
- check if ctlkey is NULL or if shared secret is NULL or empty
(pointer is not NULL, but there are no data - length is 0).
This resolved upstream issue #36:
- https://sourceforge.net/p/wide-dhcpv6/bugs/36
Closes: #799080
---
dhcp6_ctl.c | 16 +++++++++++++---
dhcp6s.c | 2 +-
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/dhcp6_ctl.c b/dhcp6_ctl.c
index dc6c323..056b550 100644
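--- a/dhcp6_ctl.c
+++ b/dhcp6_ctl.c
@@ -166,9 +166,14 @@ dhcp6_ctl_authinit(keyfile, keyinfop, digestlenp)
 strerror(errno));
 return (-1);
 }
- if (fgets(line, sizeof(line), fp) == NULL && ferror(fp)) {
- debug_printf(LOG_ERR, FNAME, "failed to read key file: %s",
- strerror(errno));
+ if (fgets(line, sizeof(line), fp) == NULL) {
+ if (ferror(fp)) {
+ debug_printf(LOG_ERR, FNAME, "failed to read key file: %s",
+ strerror(errno));
+ } else {
+ debug_printf(LOG_INFO, FNAME, "no shared key. shared key file "
+ "is empty. dhcp6s will not listen on a control port.");
+ }
 goto fail;
 }
 if ((secretlen = base64_decodestring(line, secret, sizeof(secret)))
@@ -176,6 +181,11 @@ dhcp6_ctl_authinit(keyfile, keyinfop, digestlenp)
 debug_printf(LOG_ERR, FNAME, "failed to decode base64 string");
 goto fail;
 }
+ if (secretlen == 0) {
+ debug_printf(LOG_INFO, FNAME, "no shared key found. dhcp6s will "
+ "not listen on a control port.");
+ goto fail;
+ }
 if ((ctlkey = malloc(sizeof(*ctlkey))) == NULL) {
 debug_printf(LOG_WARNING, FNAME, "failed to allocate control key");
 goto fail;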
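Review bot: The new `secretlen == 0` check in the second hunk rejects only an empty key, so a key file that decodes to one or two bytes would still leave ctlkey set and the control port protected by a trivially guessable secret. Consider rejecting anything below a minimum length, e.g. `if (secretlen < MIN_CTL_SECRETLEN) {`, where `MIN_CTL_SECRETLEN` is a new constant (the name is constructed here and is not in the tree as shown). A key rejected for being too short deserves a louder level than the LOG_INFO used for the empty case, so that an operator notices it. dhcp6_ctl_authinit starts and ends outside both hunks, so what the `fail` label does with `fp` and the decoded `secret` buffer is not visible here.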
diff --git a/dhcp6s.c b/dhcp6s.c
index a230d75..1942d8d 100644
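--- a/dhcp6s.c
+++ b/dhcp6s.c
@@ -573,7 +573,7 @@ server6_init()
 freeaddrinfo(res);
 
 /* set up control socket */
- if (ctlkey == NULL)
+ if (ctlkey == NULL || ctlkey->secret == NULL || ctlkey->secretlen == 0)
 debug_printf(LOG_NOTICE, FNAME, "skip opening control port");
 else if (dhcp6_ctl_init(ctladdr, ctlport,
 DHCP6CTL_DEF_COMMANDQUEUELEN, &ctlsock)) {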
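Review bot: The widened test `if (ctlkey == NULL || ctlkey->secret == NULL || ctlkey->secretlen == 0)` is the last guard keeping the control port closed if some path ever leaves ctlkey populated with an empty secret, but nothing on the line records that intent and the notice logged is the same for all three cases. A short comment above it would help, e.g. `/* never open the control port without a usable shared secret */`. The diffstat lists only dhcp6_ctl.c and dhcp6s.c; if another daemon in the tree guards dhcp6_ctl_init with the bare `ctlkey == NULL` test, it may warrant the same condition, though that cannot be confirmed from this page. server6_init continues outside the hunk.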