Merge branch 'openiked:master' into master

.clusterfuzzlite/Dockerfile

@@ -1,7 +1,7 @@
 FROM gcr.io/oss-fuzz-base/base-builder:v1
 
 ENV CLUSTERFUZZLITE=TRUE
-RUN apt-get update && apt-get install -y bison libssl-dev libevent-dev libsystemd-dev
+RUN apt-get update && apt-get install -y bison libssl-dev libevent-dev
 COPY . $SRC/openiked-portable
 WORKDIR openiked-portable
 COPY .clusterfuzzlite/build.sh $SRC/

.clusterfuzzlite/build.sh

@@ -1,7 +1,7 @@
 #!/bin/bash -eu
 
 # build project
-cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DCLUSTERFUZZ=ON
+cmake -S . -B build -DCMAKE_BUILD_TYPE=DEBUG -DCLUSTERFUZZ=ON
 cmake --build build
 
 # copy binary and dict to $OUT

CMakeLists.txt

@@ -36,11 +36,11 @@ if (CMAKE_SYSTEM_NAME MATCHES "Darwin")
 	if (HOMEBREW AND CMAKE_HOST_SYSTEM_PROCESSOR MATCHES "arm64")
 		include_directories("/opt/homebrew/include")
 		link_directories("/opt/homebrew/lib")
-		include_directories("/opt/homebrew/opt/openssl@1.1/include")
-        	link_directories("/opt/homebrew/opt/openssl@1.1/lib")
+		include_directories("/opt/homebrew/opt/openssl/include")
+        	link_directories("/opt/homebrew/opt/openssl/lib")
 	else()
-		include_directories("/usr/local/opt/openssl@1.1/include")
-		link_directories("/usr/local/opt/openssl@1.1/lib")
+		include_directories("/usr/local/opt/openssl/include")
+		link_directories("/usr/local/opt/openssl/lib")
 	endif()
 	set(HAVE_VROUTE ON)
 elseif(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
@@ -82,6 +82,9 @@ endif()
 if (NOT DEFINED CMAKE_INSTALL_MANDIR)
 	set (CMAKE_INSTALL_MANDIR ${CMAKE_INSTALL_PREFIX}/man)
 endif()
+if (NOT DEFINED CMAKE_INSTALL_SBINDIR)
+	set (CMAKE_INSTALL_SBINDIR ${CMAKE_INSTALL_PREFIX}/sbin)
+endif()
 
 check_linker_flag(C "LINKER:-z,now,-z,relro" HAVE_LD_Z)
 
@@ -406,7 +409,7 @@ if(CLUSTERFUZZ)
 	add_subdirectory(regress/parser-libfuzzer)
 	if (NOT DEFINED ENV{CLUSTERFUZZLITE})
 		set(CMAKE_C_COMPILER clang)
-		string(APPEND CMAKE_C_FLAGS " -g -O1 -fsanitize=fuzzer-no-link")
+		string(APPEND CMAKE_C_FLAGS " -g -O0 -fsanitize=fuzzer-no-link")
 	endif()
 endif()
 add_subdirectory(compat)

ikectl/CMakeLists.txt

@@ -57,7 +57,7 @@ target_link_libraries(ikectl
 	PRIVATE util event crypto ssl compat
 )
 
-install(TARGETS ikectl RUNTIME DESTINATION sbin)
+install(TARGETS ikectl RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikectl.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8/)
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikeca.cnf DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/ssl)
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikex509v3.cnf DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/ssl)

iked/CMakeLists.txt

@@ -161,15 +161,15 @@ add_custom_command(
 	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/genmap.sh
 )
 
-install(TARGETS iked RUNTIME DESTINATION sbin)
+install(TARGETS iked RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
 install(FILES ${CMAKE_SOURCE_DIR}/iked.conf
 	PERMISSIONS OWNER_READ OWNER_WRITE 
 	DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}
 )
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/iked.conf.5 DESTINATION ${CMAKE_INSTALL_MANDIR}/man5/)
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/iked.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8/)
 if(WITH_APPARMOR)
-	install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/../contrib/iked.apparmor
+	install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/../linux/iked.apparmor
 		DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/apparmor.d/
 		RENAME usr.sbin.iked)
 endif()

iked/ikev2.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.379 2023/11/10 08:03:02 tobhe Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.380 2023/11/24 14:43:00 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <[email protected]>
@@ -4059,10 +4059,10 @@ ikev2_send_ike_e(struct iked *env, struct iked_sa *sa, struct ibuf *buf,
 	if ((e = ibuf_static()) == NULL)
 		goto done;
 
-	if ((pld = ikev2_add_payload(e)) == NULL)
-		goto done;
-
 	if (buf) {
+		if ((pld = ikev2_add_payload(e)) == NULL)
+			goto done;
+
 		if (ibuf_add_buf(e, buf) != 0)
 			goto done;
 

iked/vroute-netlink.c

@@ -109,15 +109,6 @@ vroute_init(struct iked *env)
 	    NETLINK_ROUTE)) == -1)
 		fatal("%s: failed to create netlink socket", __func__);
 
-#ifdef WITH_SYSTEMD
-	int r;
-	r = sd_bus_open_system(&ivr->ivr_bus);
-	if (r < 0) {
-		log_warn("%s: sd_bus_open_system", __func__);
-		ivr->ivr_bus = NULL;
-	}
-#endif
-
 	TAILQ_INIT(&ivr->ivr_addrs);
 	TAILQ_INIT(&ivr->ivr_dnss);
 	TAILQ_INIT(&ivr->ivr_routes);
@@ -328,12 +319,13 @@ void
 vroute_removeroute(struct iked *env, struct sockaddr *dest)
 {
 	struct iked_vroute_sc	*ivr = env->sc_vroute;
-	struct vroute_route	*route;
+	struct vroute_route	*route, *troute;
 
-	TAILQ_FOREACH(route, &ivr->ivr_routes, vr_entry) {
+	TAILQ_FOREACH_SAFE(route, &ivr->ivr_routes, vr_entry, troute) {
 		if (sockaddr_cmp(dest, (struct sockaddr *)&route->vr_dest, -1))
 			continue;
 		TAILQ_REMOVE(&ivr->ivr_routes, route, vr_entry);
+		free(route);
 	}
 }
 
@@ -393,16 +385,17 @@ vroute_removeaddr(struct iked *env, int ifidx, struct sockaddr *addr,
     struct sockaddr *mask)
 {
 	struct iked_vroute_sc	*ivr = env->sc_vroute;
-	struct vroute_addr	*vaddr;
+	struct vroute_addr	*vaddr, *tvaddr;
 
-	TAILQ_FOREACH(vaddr, &ivr->ivr_addrs, va_entry) {
+	TAILQ_FOREACH_SAFE(vaddr, &ivr->ivr_addrs, va_entry, tvaddr) {
 		if (sockaddr_cmp(addr, (struct sockaddr *)&vaddr->va_addr, -1))
 			continue;
 		if (sockaddr_cmp(mask, (struct sockaddr *)&vaddr->va_mask, -1))
 			continue;
 		if (ifidx != vaddr->va_ifidx)
 			continue;
 		TAILQ_REMOVE(&ivr->ivr_addrs, vaddr, va_entry);
+		free(vaddr);
 	}
 }
 
@@ -743,12 +736,23 @@ int
 vroute_dodns(struct iked *env, int add, unsigned int ifindex)
 {
 #ifdef WITH_SYSTEMD
+	struct iked_vroute_sc *ivr = env->sc_vroute;
 	const char *destination = "org.freedesktop.resolve1";
 	const char *path = "/org/freedesktop/resolve1";
 	const char *interface = "org.freedesktop.resolve1.Manager";
 	sd_bus_error error = SD_BUS_ERROR_NULL;
 	int ret;
 
+	if (ivr->ivr_bus != NULL) {
+		log_warnx("%s: vr_bus already set, internal error", __func__);
+		return (0);
+	}
+	if (sd_bus_open_system(&ivr->ivr_bus) < 0) {
+		log_warn("%s: sd_bus_open_system failed", __func__);
+		ivr->ivr_bus = NULL;
+		return (0);
+	}
+
 	ret = vroute_dbus_dns(env, ifindex, &error, add,
 	    destination, path, interface);
 	if (ret < 0 && sd_bus_error_has_name(&error,
@@ -778,6 +782,9 @@ vroute_dodns(struct iked *env, int add, unsigned int ifindex)
 		    error.name, error.message);
 		sd_bus_error_free(&error);
 	}
+
+	sd_bus_flush_close_unref(ivr->ivr_bus);
+	ivr->ivr_bus = NULL;
 #endif
 	return (0);
 }

linux/openiked.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenIKED IKEv2 daemon
+Documentation=man:iked(8)
+Requires=network-online.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/iked
+ExecReload=/usr/sbin/ikectl reload
+
+[Install]
+WantedBy=multi-user.target

regress/parser-libfuzzer/common.c

@@ -12,6 +12,7 @@
 
 #include <event.h>
 #include <limits.h>
+#include <string.h>
 
 #include "iked.h"
 #include "types.h"
@@ -162,6 +163,7 @@ ssize_t
 ikev2_nat_detection(struct iked *env, struct iked_message *msg,
     void *ptr, size_t len, u_int type, int frompeer)
 {
+	bzero(ptr, len);
 	return (0);
 }
 

regress/parser-libfuzzer/run_test.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 
 # script to run the parser-fuzzer for 5 minutes with the right options
+# use repo github.com/openiked/openiked-fuzzing/corpus/test_libfuzzer as corpus for faster results
 
 # ASAN-option to help finding the source of memory leaks
 export ASAN_OPTIONS=fast_unwind_on_malloc=0