Remove unnecessary addresses in PF_KEY message.
MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says
====================
5. SPD Update
// snip
SADB_X_SPDADD:
// snip
sadb_x_ipsecrequest_reqid:
An ID for that SA can be passed to the kernel in the
sadb_x_ipsecrequest_reqid field.
If tunnel mode is specified, the sadb_x_ipsecrequest structure is
followed by two sockaddr structures that define the tunnel
endpoint addresses. In the case that transport mode is used, no
additional addresses are specified.
====================
see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01
ipsecif(4) uses transport mode, so it should not add addresses.
(knakahara)
diff -r1.19 -r1.20 src/sys/net/if_ipsec.c--- src/sys/net/if_ipsec.c 2018/12/07 05:09:39 1.19
+++ src/sys/net/if_ipsec.c 2018/12/26 08:55:14 1.20
| @@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
| 1 | /* $NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $ */ | 1 | /* $NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $ */ | |
| 2 | 2 | |||
| 3 | /* | 3 | /* | |
| 4 | * Copyright (c) 2017 Internet Initiative Japan Inc. | 4 | * Copyright (c) 2017 Internet Initiative Japan Inc. | |
| 5 | * All rights reserved. | 5 | * All rights reserved. | |
| 6 | * | 6 | * | |
| 7 | * Redistribution and use in source and binary forms, with or without | 7 | * Redistribution and use in source and binary forms, with or without | |
| 8 | * modification, are permitted provided that the following conditions | 8 | * modification, are permitted provided that the following conditions | |
| 9 | * are met: | 9 | * are met: | |
| 10 | * 1. Redistributions of source code must retain the above copyright | 10 | * 1. Redistributions of source code must retain the above copyright | |
| 11 | * notice, this list of conditions and the following disclaimer. | 11 | * notice, this list of conditions and the following disclaimer. | |
| 12 | * 2. Redistributions in binary form must reproduce the above copyright | 12 | * 2. Redistributions in binary form must reproduce the above copyright | |
| 13 | * notice, this list of conditions and the following disclaimer in the | 13 | * notice, this list of conditions and the following disclaimer in the | |
| 14 | * documentation and/or other materials provided with the distribution. | 14 | * documentation and/or other materials provided with the distribution. | |
| @@ -17,27 +17,27 @@ | @@ -17,27 +17,27 @@ | |||
| 17 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | 17 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | |
| 18 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | 18 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
| 19 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | 19 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | |
| 20 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | 20 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
| 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
| 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
| 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
| 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
| 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
| 26 | * POSSIBILITY OF SUCH DAMAGE. | 26 | * POSSIBILITY OF SUCH DAMAGE. | |
| 27 | */ | 27 | */ | |
| 28 | 28 | |||
| 29 | #include <sys/cdefs.h> | 29 | #include <sys/cdefs.h> | |
| 30 | __KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $"); | 30 | __KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $"); | |
| 31 | 31 | |||
| 32 | #ifdef _KERNEL_OPT | 32 | #ifdef _KERNEL_OPT | |
| 33 | #include "opt_inet.h" | 33 | #include "opt_inet.h" | |
| 34 | #endif | 34 | #endif | |
| 35 | 35 | |||
| 36 | #include <sys/param.h> | 36 | #include <sys/param.h> | |
| 37 | #include <sys/systm.h> | 37 | #include <sys/systm.h> | |
| 38 | #include <sys/kernel.h> | 38 | #include <sys/kernel.h> | |
| 39 | #include <sys/mbuf.h> | 39 | #include <sys/mbuf.h> | |
| 40 | #include <sys/socket.h> | 40 | #include <sys/socket.h> | |
| 41 | #include <sys/sockio.h> | 41 | #include <sys/sockio.h> | |
| 42 | #include <sys/errno.h> | 42 | #include <sys/errno.h> | |
| 43 | #include <sys/ioctl.h> | 43 | #include <sys/ioctl.h> | |
| @@ -1585,34 +1585,27 @@ if_ipsec_add_sp0(struct sockaddr *src, i | @@ -1585,34 +1585,27 @@ if_ipsec_add_sp0(struct sockaddr *src, i | |||
| 1585 | if_ipsec_add_pad(m, padlen); | 1585 | if_ipsec_add_pad(m, padlen); | |
| 1586 | 1586 | |||
| 1587 | if_ipsec_add_mbuf(m, &xdst, sizeof(xdst)); | 1587 | if_ipsec_add_mbuf(m, &xdst, sizeof(xdst)); | |
| 1588 | /* ditto */ | 1588 | /* ditto */ | |
| 1589 | if_ipsec_add_mbuf_addr_port(m, dst, 0, true); | 1589 | if_ipsec_add_mbuf_addr_port(m, dst, 0, true); | |
| 1590 | padlen = PFKEY_UNUNIT64(xdst.sadb_address_len) | 1590 | padlen = PFKEY_UNUNIT64(xdst.sadb_address_len) | |
| 1591 | - (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len)); | 1591 | - (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len)); | |
| 1592 | if_ipsec_add_pad(m, padlen); | 1592 | if_ipsec_add_pad(m, padlen); | |
| 1593 | 1593 | |||
| 1594 | if_ipsec_add_mbuf(m, &xpl, sizeof(xpl)); | 1594 | if_ipsec_add_mbuf(m, &xpl, sizeof(xpl)); | |
| 1595 | padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl); | 1595 | padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl); | |
| 1596 | if (policy == IPSEC_POLICY_IPSEC) { | 1596 | if (policy == IPSEC_POLICY_IPSEC) { | |
| 1597 | if_ipsec_add_mbuf(m, &xisr, sizeof(xisr)); | 1597 | if_ipsec_add_mbuf(m, &xisr, sizeof(xisr)); | |
| 1598 | /* | |||
| 1599 | * secpolicy.req->saidx.{src, dst} must be set port number, | |||
| 1600 | * when it is used for NAT-T. | |||
| 1601 | */ | |||
| 1602 | if_ipsec_add_mbuf_addr_port(m, src, sport, false); | |||
| 1603 | if_ipsec_add_mbuf_addr_port(m, dst, dport, false); | |||
| 1604 | padlen -= PFKEY_ALIGN8(sizeof(xisr)); | 1598 | padlen -= PFKEY_ALIGN8(sizeof(xisr)); | |
| 1605 | padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len); | |||
| 1606 | } | 1599 | } | |
| 1607 | if_ipsec_add_pad(m, padlen); | 1600 | if_ipsec_add_pad(m, padlen); | |
| 1608 | 1601 | |||
| 1609 | /* key_kpi_spdadd() has already done KEY_SP_REF(). */ | 1602 | /* key_kpi_spdadd() has already done KEY_SP_REF(). */ | |
| 1610 | return key_kpi_spdadd(m); | 1603 | return key_kpi_spdadd(m); | |
| 1611 | } | 1604 | } | |
| 1612 | 1605 | |||
| 1613 | static int | 1606 | static int | |
| 1614 | if_ipsec_add_sp(struct ipsec_variant *var, | 1607 | if_ipsec_add_sp(struct ipsec_variant *var, | |
| 1615 | struct sockaddr *src, in_port_t sport, | 1608 | struct sockaddr *src, in_port_t sport, | |
| 1616 | struct sockaddr *dst, in_port_t dport) | 1609 | struct sockaddr *dst, in_port_t dport) | |
| 1617 | { | 1610 | { | |
| 1618 | struct ipsec_softc *sc = var->iv_softc; | 1611 | struct ipsec_softc *sc = var->iv_softc; |
--- src/sys/netipsec/key.c 2018/12/22 14:28:57 1.258
+++ src/sys/netipsec/key.c 2018/12/26 08:55:14 1.259
| @@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
| 1 | /* $NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $ */ | 1 | /* $NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $ */ | |
| 2 | /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ | 2 | /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ | |
| 3 | /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ | 3 | /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ | |
| 4 | 4 | |||
| 5 | /* | 5 | /* | |
| 6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | 6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | |
| 7 | * All rights reserved. | 7 | * All rights reserved. | |
| 8 | * | 8 | * | |
| 9 | * Redistribution and use in source and binary forms, with or without | 9 | * Redistribution and use in source and binary forms, with or without | |
| 10 | * modification, are permitted provided that the following conditions | 10 | * modification, are permitted provided that the following conditions | |
| 11 | * are met: | 11 | * are met: | |
| 12 | * 1. Redistributions of source code must retain the above copyright | 12 | * 1. Redistributions of source code must retain the above copyright | |
| 13 | * notice, this list of conditions and the following disclaimer. | 13 | * notice, this list of conditions and the following disclaimer. | |
| 14 | * 2. Redistributions in binary form must reproduce the above copyright | 14 | * 2. Redistributions in binary form must reproduce the above copyright | |
| @@ -22,27 +22,27 @@ | @@ -22,27 +22,27 @@ | |||
| 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
| 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
| 24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | 24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
| 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
| 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
| 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
| 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
| 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
| 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
| 31 | * SUCH DAMAGE. | 31 | * SUCH DAMAGE. | |
| 32 | */ | 32 | */ | |
| 33 | 33 | |||
| 34 | #include <sys/cdefs.h> | 34 | #include <sys/cdefs.h> | |
| 35 | __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $"); | 35 | __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $"); | |
| 36 | 36 | |||
| 37 | /* | 37 | /* | |
| 38 | * This code is referred to RFC 2367 | 38 | * This code is referred to RFC 2367 | |
| 39 | */ | 39 | */ | |
| 40 | 40 | |||
| 41 | #if defined(_KERNEL_OPT) | 41 | #if defined(_KERNEL_OPT) | |
| 42 | #include "opt_inet.h" | 42 | #include "opt_inet.h" | |
| 43 | #include "opt_ipsec.h" | 43 | #include "opt_ipsec.h" | |
| 44 | #include "opt_gateway.h" | 44 | #include "opt_gateway.h" | |
| 45 | #include "opt_net_mpsafe.h" | 45 | #include "opt_net_mpsafe.h" | |
| 46 | #endif | 46 | #endif | |
| 47 | 47 | |||
| 48 | #include <sys/types.h> | 48 | #include <sys/types.h> | |
| @@ -1962,26 +1962,40 @@ _key_msg2sp(const struct sadb_x_policy * | @@ -1962,26 +1962,40 @@ _key_msg2sp(const struct sadb_x_policy * | |||
| 1962 | (*p_isr)->saidx.reqid = xisr_reqid; | 1962 | (*p_isr)->saidx.reqid = xisr_reqid; | |
| 1963 | } | 1963 | } | |
| 1964 | break; | 1964 | break; | |
| 1965 | 1965 | |||
| 1966 | default: | 1966 | default: | |
| 1967 | IPSECLOG(LOG_DEBUG, "invalid level=%u\n", | 1967 | IPSECLOG(LOG_DEBUG, "invalid level=%u\n", | |
| 1968 | xisr->sadb_x_ipsecrequest_level); | 1968 | xisr->sadb_x_ipsecrequest_level); | |
| 1969 | *error = EINVAL; | 1969 | *error = EINVAL; | |
| 1970 | goto free_exit; | 1970 | goto free_exit; | |
| 1971 | } | 1971 | } | |
| 1972 | (*p_isr)->level = xisr->sadb_x_ipsecrequest_level; | 1972 | (*p_isr)->level = xisr->sadb_x_ipsecrequest_level; | |
| 1973 | 1973 | |||
| 1974 | /* set IP addresses if there */ | 1974 | /* set IP addresses if there */ | |
| 1975 | /* | |||
| 1976 | * NOTE: | |||
| 1977 | * MOBIKE Extensions for PF_KEY draft says: | |||
| 1978 | * If tunnel mode is specified, the sadb_x_ipsecrequest | |||
| 1979 | * structure is followed by two sockaddr structures that | |||
| 1980 | * define the tunnel endpoint addresses. In the case that | |||
| 1981 | * transport mode is used, no additional addresses are | |||
| 1982 | * specified. | |||
| 1983 | * see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01 | |||
| 1984 | * | |||
| 1985 | * And then, the IP addresses will be set by | |||
| 1986 | * ipsec_fill_saidx_bymbuf() from packet in transport mode. | |||
| 1987 | * This behavior is used by NAT-T enabled ipsecif(4). | |||
| 1988 | */ | |||
| 1975 | if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { | 1989 | if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { | |
| 1976 | const struct sockaddr *paddr; | 1990 | const struct sockaddr *paddr; | |
| 1977 | 1991 | |||
| 1978 | paddr = (const struct sockaddr *)(xisr + 1); | 1992 | paddr = (const struct sockaddr *)(xisr + 1); | |
| 1979 | 1993 | |||
| 1980 | /* validity check */ | 1994 | /* validity check */ | |
| 1981 | if (paddr->sa_len > sizeof((*p_isr)->saidx.src)) { | 1995 | if (paddr->sa_len > sizeof((*p_isr)->saidx.src)) { | |
| 1982 | IPSECLOG(LOG_DEBUG, "invalid request " | 1996 | IPSECLOG(LOG_DEBUG, "invalid request " | |
| 1983 | "address length.\n"); | 1997 | "address length.\n"); | |
| 1984 | *error = EINVAL; | 1998 | *error = EINVAL; | |
| 1985 | goto free_exit; | 1999 | goto free_exit; | |
| 1986 | } | 2000 | } | |
| 1987 | memcpy(&(*p_isr)->saidx.src, paddr, paddr->sa_len); | 2001 | memcpy(&(*p_isr)->saidx.src, paddr, paddr->sa_len); |