From ddec278512b285d0786666208b7c75c86d1b2216 Mon Sep 17 00:00:00 2001 From: Vladislav Grishenko Date: Thu, 25 Oct 2018 03:36:20 +0500 Subject: sstp: improve openssl 1.1.x compatibility --- accel-pppd/ctrl/sstp/sstp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c index e60d2cb0..6f660d9d 100644 --- a/accel-pppd/ctrl/sstp/sstp.c +++ b/accel-pppd/ctrl/sstp/sstp.c @@ -2358,7 +2358,11 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) opt = conf_get_opt("sstp", "accept"); if (opt && strhas(opt, "ssl", ',')) { legacy_ssl: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ssl_ctx = SSL_CTX_new(TLS_server_method()); +#else ssl_ctx = SSL_CTX_new(SSLv23_server_method()); +#endif if (!ssl_ctx) { log_error("sstp: SSL_CTX error: %s\n", ERR_error_string(ERR_get_error(), NULL)); goto error; @@ -2372,7 +2376,7 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) SSL_OP_SINGLE_DH_USE | #endif #ifndef OPENSSL_NO_ECDH - SSL_OP_SINGLE_ECDH_USE | + SSL_OP_SINGLE_ECDH_USE | #endif SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | -- cgit v1.2.3 From aa96b94f6726d35c8966bb4ce55636696f8db431 Mon Sep 17 00:00:00 2001 From: Vladislav Grishenko Date: Thu, 25 Oct 2018 03:38:45 +0500 Subject: sstp: disable ciphers renegotiation (CVE-2009-3555) --- accel-pppd/ctrl/sstp/sstp.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c index 6f660d9d..af6bc77e 100644 --- a/accel-pppd/ctrl/sstp/sstp.c +++ b/accel-pppd/ctrl/sstp/sstp.c @@ -2328,6 +2328,16 @@ static int ssl_servername(SSL *ssl, int *al, void *arg) } #endif +#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) +static void ssl_info_cb(const SSL *ssl, int where, int ret) +{ + if ((where & SSL_CB_HANDSHAKE_DONE) != 0) { + /* disable renegotiation (CVE-2009-3555) */ + ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } +} +#endif + static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) { SSL_CTX *old_ctx, *ssl_ctx = NULL; @@ -2372,6 +2382,9 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS | #endif +#ifdef SSL_OP_NO_RENGOTIATION + SSL_OP_NO_RENGOTIATION | +#endif #ifndef OPENSSL_NO_DH SSL_OP_SINGLE_DH_USE | #endif @@ -2473,6 +2486,10 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) if (servername && SSL_CTX_set_tlsext_servername_callback(ssl_ctx, ssl_servername) != 1) log_warn("sstp: SSL server name check error: %s\n", ERR_error_string(ERR_get_error(), NULL)); #endif + +#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) + SSL_CTX_set_info_callback(ssl_ctx, ssl_info_cb); +#endif } else { /* legacy option, to be removed */ opt = conf_get_opt("sstp", "ssl"); -- cgit v1.2.3 From 603800151415c69ceb3c9d986ef0c3487817cb67 Mon Sep 17 00:00:00 2001 From: Vladislav Grishenko Date: Thu, 25 Oct 2018 05:11:32 +0500 Subject: fix gateway address setup fail due memory corruption log: libnetlink: RTNETLINK answers: Invalid argument ppp0: f7bb00a79ef667d2: failed to set IPv4 address: Invalid argument ipaddr_add_peer() called only with mask equeal 0 or 32, but w/o zero-allocated structs it contans garbage in some cases. so, instead ipaddr_add() was called with wrong mask value. also, init chap-secrets mask for the same reason. --- accel-pppd/extra/chap-secrets.c | 3 ++- accel-pppd/extra/ippool.c | 3 +++ accel-pppd/extra/ipv6pool.c | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/accel-pppd/extra/chap-secrets.c b/accel-pppd/extra/chap-secrets.c index becb687c..92cfb42f 100644 --- a/accel-pppd/extra/chap-secrets.c +++ b/accel-pppd/extra/chap-secrets.c @@ -24,7 +24,7 @@ static char *def_chap_secrets = "/etc/ppp/chap-secrets"; static char *conf_chap_secrets; static int conf_encrypted; static in_addr_t conf_gw_ip_address = 0; -static int conf_netmask; +static int conf_netmask = 0; static void *pd_key; static struct ipdb_t ipdb; @@ -762,6 +762,7 @@ static void load_config(void) parse_gw_ip_address(opt); else { conf_gw_ip_address = 0; + conf_netmask = 0; } opt = conf_get_opt("chap-secrets", "encrypted"); diff --git a/accel-pppd/extra/ippool.c b/accel-pppd/extra/ippool.c index 0c0831c2..73ad3987 100644 --- a/accel-pppd/extra/ippool.c +++ b/accel-pppd/extra/ippool.c @@ -264,6 +264,7 @@ static void generate_pool_p2p(struct ippool_t *p) break; } + memset(it, 0, sizeof(*it)); it->pool = p; it->it.owner = &ipdb; if (conf_gw_ip_address) @@ -304,6 +305,7 @@ static void generate_pool_net30(struct ippool_t *p) break; } + memset(it, 0, sizeof(*it)); it->pool = p; it->it.owner = &ipdb; it->it.addr = addr[1]->addr; @@ -443,6 +445,7 @@ static int session_restore(struct ap_session *ses, struct backup_mod *m) ses->ipv4 = &it0->it; else { ses->ipv4 = _malloc(sizeof(*ses->ipv4)); + memset(ses->ipv4, 0, sizeof(*ses->ipv4)); ses->ipv4->addr = addr; ses->ipv4->peer_addr = peer_addr; ses->ipv4->owner = &ipdb_b; diff --git a/accel-pppd/extra/ipv6pool.c b/accel-pppd/extra/ipv6pool.c index 6fa5cc53..4f29a280 100644 --- a/accel-pppd/extra/ipv6pool.c +++ b/accel-pppd/extra/ipv6pool.c @@ -83,6 +83,7 @@ static void generate_ippool(struct in6_addr *addr, int mask, int prefix_len) while (in6_addr_cmp(&ip, &end) <= 0) { it = malloc(sizeof(*it)); + memset(it, 0, sizeof(*it)); it->it.owner = &ipdb; INIT_LIST_HEAD(&it->it.addr_list); a = malloc(sizeof(*a)); @@ -119,6 +120,7 @@ static void generate_dppool(struct in6_addr *addr, int mask, int prefix_len) while (in6_addr_cmp(&ip, &end) <= 0) { it = malloc(sizeof(*it)); + memset(it, 0, sizeof(*it)); it->it.owner = &ipdb; INIT_LIST_HEAD(&it->it.prefix_list); a = malloc(sizeof(*a)); -- cgit v1.2.3