| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
| 1 | /* $NetBSD: if_ipsec.c,v 1.3.2.7 2018/05/17 14:07:03 martin Exp $ */ | | 1 | /* $NetBSD: if_ipsec.c,v 1.3.2.8 2018/06/07 16:19:47 martin Exp $ */ |
| 2 | | | 2 | |
| 3 | /* | | 3 | /* |
| 4 | * Copyright (c) 2017 Internet Initiative Japan Inc. | | 4 | * Copyright (c) 2017 Internet Initiative Japan Inc. |
| 5 | * All rights reserved. | | 5 | * All rights reserved. |
| 6 | * | | 6 | * |
| 7 | * Redistribution and use in source and binary forms, with or without | | 7 | * Redistribution and use in source and binary forms, with or without |
| 8 | * modification, are permitted provided that the following conditions | | 8 | * modification, are permitted provided that the following conditions |
| 9 | * are met: | | 9 | * are met: |
| 10 | * 1. Redistributions of source code must retain the above copyright | | 10 | * 1. Redistributions of source code must retain the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer. | | 11 | * notice, this list of conditions and the following disclaimer. |
| 12 | * 2. Redistributions in binary form must reproduce the above copyright | | 12 | * 2. Redistributions in binary form must reproduce the above copyright |
| 13 | * notice, this list of conditions and the following disclaimer in the | | 13 | * notice, this list of conditions and the following disclaimer in the |
| 14 | * documentation and/or other materials provided with the distribution. | | 14 | * documentation and/or other materials provided with the distribution. |
| @@ -17,27 +17,27 @@ | | | @@ -17,27 +17,27 @@ |
| 17 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 17 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
| 18 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 18 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 19 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 19 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
| 20 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 20 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
| 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
| 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| 26 | * POSSIBILITY OF SUCH DAMAGE. | | 26 | * POSSIBILITY OF SUCH DAMAGE. |
| 27 | */ | | 27 | */ |
| 28 | | | 28 | |
| 29 | #include <sys/cdefs.h> | | 29 | #include <sys/cdefs.h> |
| 30 | __KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3.2.7 2018/05/17 14:07:03 martin Exp $"); | | 30 | __KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3.2.8 2018/06/07 16:19:47 martin Exp $"); |
| 31 | | | 31 | |
| 32 | #ifdef _KERNEL_OPT | | 32 | #ifdef _KERNEL_OPT |
| 33 | #include "opt_inet.h" | | 33 | #include "opt_inet.h" |
| 34 | #endif | | 34 | #endif |
| 35 | | | 35 | |
| 36 | #include <sys/param.h> | | 36 | #include <sys/param.h> |
| 37 | #include <sys/systm.h> | | 37 | #include <sys/systm.h> |
| 38 | #include <sys/kernel.h> | | 38 | #include <sys/kernel.h> |
| 39 | #include <sys/mbuf.h> | | 39 | #include <sys/mbuf.h> |
| 40 | #include <sys/socket.h> | | 40 | #include <sys/socket.h> |
| 41 | #include <sys/sockio.h> | | 41 | #include <sys/sockio.h> |
| 42 | #include <sys/errno.h> | | 42 | #include <sys/errno.h> |
| 43 | #include <sys/ioctl.h> | | 43 | #include <sys/ioctl.h> |
| @@ -1564,40 +1564,49 @@ if_ipsec_add_sp0(struct sockaddr *src, i | | | @@ -1564,40 +1564,49 @@ if_ipsec_add_sp0(struct sockaddr *src, i |
| 1564 | ext_msg_len += PFKEY_UNIT64(size); | | 1564 | ext_msg_len += PFKEY_UNIT64(size); |
| 1565 | size = if_ipsec_set_sadb_dst(&xdst, dst, proto); | | 1565 | size = if_ipsec_set_sadb_dst(&xdst, dst, proto); |
| 1566 | ext_msg_len += PFKEY_UNIT64(size); | | 1566 | ext_msg_len += PFKEY_UNIT64(size); |
| 1567 | size = if_ipsec_set_sadb_x_policy(&xpl, &xisr, policy, dir, 0, level, src, dst); | | 1567 | size = if_ipsec_set_sadb_x_policy(&xpl, &xisr, policy, dir, 0, level, src, dst); |
| 1568 | ext_msg_len += PFKEY_UNIT64(size); | | 1568 | ext_msg_len += PFKEY_UNIT64(size); |
| 1569 | if_ipsec_set_sadb_msg_add(&msg, ext_msg_len); | | 1569 | if_ipsec_set_sadb_msg_add(&msg, ext_msg_len); |
| 1570 | | | 1570 | |
| 1571 | /* build PF_KEY message */ | | 1571 | /* build PF_KEY message */ |
| 1572 | | | 1572 | |
| 1573 | m->m_len = sizeof(msg); | | 1573 | m->m_len = sizeof(msg); |
| 1574 | m_copyback(m, 0, sizeof(msg), &msg); | | 1574 | m_copyback(m, 0, sizeof(msg), &msg); |
| 1575 | | | 1575 | |
| 1576 | if_ipsec_add_mbuf(m, &xsrc, sizeof(xsrc)); | | 1576 | if_ipsec_add_mbuf(m, &xsrc, sizeof(xsrc)); |
| 1577 | if_ipsec_add_mbuf_addr_port(m, src, sport, true); | | 1577 | /* |
| | | 1578 | * secpolicy.spidx.{src, dst} must not be set port number, |
| | | 1579 | * even if it is used for NAT-T. |
| | | 1580 | */ |
| | | 1581 | if_ipsec_add_mbuf_addr_port(m, src, 0, true); |
| 1578 | padlen = PFKEY_UNUNIT64(xsrc.sadb_address_len) | | 1582 | padlen = PFKEY_UNUNIT64(xsrc.sadb_address_len) |
| 1579 | - (sizeof(xsrc) + PFKEY_ALIGN8(src->sa_len)); | | 1583 | - (sizeof(xsrc) + PFKEY_ALIGN8(src->sa_len)); |
| 1580 | if_ipsec_add_pad(m, padlen); | | 1584 | if_ipsec_add_pad(m, padlen); |
| 1581 | | | 1585 | |
| 1582 | if_ipsec_add_mbuf(m, &xdst, sizeof(xdst)); | | 1586 | if_ipsec_add_mbuf(m, &xdst, sizeof(xdst)); |
| 1583 | if_ipsec_add_mbuf_addr_port(m, dst, dport, true); | | 1587 | /* ditto */ |
| | | 1588 | if_ipsec_add_mbuf_addr_port(m, dst, 0, true); |
| 1584 | padlen = PFKEY_UNUNIT64(xdst.sadb_address_len) | | 1589 | padlen = PFKEY_UNUNIT64(xdst.sadb_address_len) |
| 1585 | - (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len)); | | 1590 | - (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len)); |
| 1586 | if_ipsec_add_pad(m, padlen); | | 1591 | if_ipsec_add_pad(m, padlen); |
| 1587 | | | 1592 | |
| 1588 | if_ipsec_add_mbuf(m, &xpl, sizeof(xpl)); | | 1593 | if_ipsec_add_mbuf(m, &xpl, sizeof(xpl)); |
| 1589 | if (policy == IPSEC_POLICY_IPSEC) { | | 1594 | if (policy == IPSEC_POLICY_IPSEC) { |
| 1590 | if_ipsec_add_mbuf(m, &xisr, sizeof(xisr)); | | 1595 | if_ipsec_add_mbuf(m, &xisr, sizeof(xisr)); |
| | | 1596 | /* |
| | | 1597 | * secpolicy.req->saidx.{src, dst} must be set port number, |
| | | 1598 | * when it is used for NAT-T. |
| | | 1599 | */ |
| 1591 | if_ipsec_add_mbuf_addr_port(m, src, sport, false); | | 1600 | if_ipsec_add_mbuf_addr_port(m, src, sport, false); |
| 1592 | if_ipsec_add_mbuf_addr_port(m, dst, dport, false); | | 1601 | if_ipsec_add_mbuf_addr_port(m, dst, dport, false); |
| 1593 | } | | 1602 | } |
| 1594 | padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl); | | 1603 | padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl); |
| 1595 | if (src != NULL && dst != NULL) | | 1604 | if (src != NULL && dst != NULL) |
| 1596 | padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len); | | 1605 | padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len); |
| 1597 | if_ipsec_add_pad(m, padlen); | | 1606 | if_ipsec_add_pad(m, padlen); |
| 1598 | | | 1607 | |
| 1599 | /* key_kpi_spdadd() has already done KEY_SP_REF(). */ | | 1608 | /* key_kpi_spdadd() has already done KEY_SP_REF(). */ |
| 1600 | return key_kpi_spdadd(m); | | 1609 | return key_kpi_spdadd(m); |
| 1601 | } | | 1610 | } |
| 1602 | | | 1611 | |
| 1603 | static int | | 1612 | static int |