Remove unnecessary addresses in PF_KEY message. MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says ==================== 5. SPD Update // snip SADB_X_SPDADD: // snip sadb_x_ipsecrequest_reqid: An ID for that SA can be passed to the kernel in the sadb_x_ipsecrequest_reqid field. If tunnel mode is specified, the sadb_x_ipsecrequest structure is followed by two sockaddr structures that define the tunnel endpoint addresses. In the case that transport mode is used, no additional addresses are specified. ==================== see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01 ipsecif(4) uses transport mode, so it should not add addresses.diff -r1.19 -r1.20 src/sys/net/if_ipsec.c
(knakahara)
--- src/sys/net/if_ipsec.c 2018/12/07 05:09:39 1.19
+++ src/sys/net/if_ipsec.c 2018/12/26 08:55:14 1.20
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | /* $NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $ */ | 1 | /* $NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $ */ | |
2 | 2 | |||
3 | /* | 3 | /* | |
4 | * Copyright (c) 2017 Internet Initiative Japan Inc. | 4 | * Copyright (c) 2017 Internet Initiative Japan Inc. | |
5 | * All rights reserved. | 5 | * All rights reserved. | |
6 | * | 6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | 7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | 8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | 9 | * are met: | |
10 | * 1. Redistributions of source code must retain the above copyright | 10 | * 1. Redistributions of source code must retain the above copyright | |
11 | * notice, this list of conditions and the following disclaimer. | 11 | * notice, this list of conditions and the following disclaimer. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | 12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | 13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | 14 | * documentation and/or other materials provided with the distribution. | |
@@ -17,27 +17,27 @@ | @@ -17,27 +17,27 @@ | |||
17 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | 17 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | |
18 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | 18 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
19 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | 19 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | |
20 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | 20 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | 23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | 24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | 25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
26 | * POSSIBILITY OF SUCH DAMAGE. | 26 | * POSSIBILITY OF SUCH DAMAGE. | |
27 | */ | 27 | */ | |
28 | 28 | |||
29 | #include <sys/cdefs.h> | 29 | #include <sys/cdefs.h> | |
30 | __KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $"); | 30 | __KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $"); | |
31 | 31 | |||
32 | #ifdef _KERNEL_OPT | 32 | #ifdef _KERNEL_OPT | |
33 | #include "opt_inet.h" | 33 | #include "opt_inet.h" | |
34 | #endif | 34 | #endif | |
35 | 35 | |||
36 | #include <sys/param.h> | 36 | #include <sys/param.h> | |
37 | #include <sys/systm.h> | 37 | #include <sys/systm.h> | |
38 | #include <sys/kernel.h> | 38 | #include <sys/kernel.h> | |
39 | #include <sys/mbuf.h> | 39 | #include <sys/mbuf.h> | |
40 | #include <sys/socket.h> | 40 | #include <sys/socket.h> | |
41 | #include <sys/sockio.h> | 41 | #include <sys/sockio.h> | |
42 | #include <sys/errno.h> | 42 | #include <sys/errno.h> | |
43 | #include <sys/ioctl.h> | 43 | #include <sys/ioctl.h> | |
@@ -1585,34 +1585,27 @@ if_ipsec_add_sp0(struct sockaddr *src, i | @@ -1585,34 +1585,27 @@ if_ipsec_add_sp0(struct sockaddr *src, i | |||
1585 | if_ipsec_add_pad(m, padlen); | 1585 | if_ipsec_add_pad(m, padlen); | |
1586 | 1586 | |||
1587 | if_ipsec_add_mbuf(m, &xdst, sizeof(xdst)); | 1587 | if_ipsec_add_mbuf(m, &xdst, sizeof(xdst)); | |
1588 | /* ditto */ | 1588 | /* ditto */ | |
1589 | if_ipsec_add_mbuf_addr_port(m, dst, 0, true); | 1589 | if_ipsec_add_mbuf_addr_port(m, dst, 0, true); | |
1590 | padlen = PFKEY_UNUNIT64(xdst.sadb_address_len) | 1590 | padlen = PFKEY_UNUNIT64(xdst.sadb_address_len) | |
1591 | - (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len)); | 1591 | - (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len)); | |
1592 | if_ipsec_add_pad(m, padlen); | 1592 | if_ipsec_add_pad(m, padlen); | |
1593 | 1593 | |||
1594 | if_ipsec_add_mbuf(m, &xpl, sizeof(xpl)); | 1594 | if_ipsec_add_mbuf(m, &xpl, sizeof(xpl)); | |
1595 | padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl); | 1595 | padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl); | |
1596 | if (policy == IPSEC_POLICY_IPSEC) { | 1596 | if (policy == IPSEC_POLICY_IPSEC) { | |
1597 | if_ipsec_add_mbuf(m, &xisr, sizeof(xisr)); | 1597 | if_ipsec_add_mbuf(m, &xisr, sizeof(xisr)); | |
1598 | /* | |||
1599 | * secpolicy.req->saidx.{src, dst} must be set port number, | |||
1600 | * when it is used for NAT-T. | |||
1601 | */ | |||
1602 | if_ipsec_add_mbuf_addr_port(m, src, sport, false); | |||
1603 | if_ipsec_add_mbuf_addr_port(m, dst, dport, false); | |||
1604 | padlen -= PFKEY_ALIGN8(sizeof(xisr)); | 1598 | padlen -= PFKEY_ALIGN8(sizeof(xisr)); | |
1605 | padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len); | |||
1606 | } | 1599 | } | |
1607 | if_ipsec_add_pad(m, padlen); | 1600 | if_ipsec_add_pad(m, padlen); | |
1608 | 1601 | |||
1609 | /* key_kpi_spdadd() has already done KEY_SP_REF(). */ | 1602 | /* key_kpi_spdadd() has already done KEY_SP_REF(). */ | |
1610 | return key_kpi_spdadd(m); | 1603 | return key_kpi_spdadd(m); | |
1611 | } | 1604 | } | |
1612 | 1605 | |||
1613 | static int | 1606 | static int | |
1614 | if_ipsec_add_sp(struct ipsec_variant *var, | 1607 | if_ipsec_add_sp(struct ipsec_variant *var, | |
1615 | struct sockaddr *src, in_port_t sport, | 1608 | struct sockaddr *src, in_port_t sport, | |
1616 | struct sockaddr *dst, in_port_t dport) | 1609 | struct sockaddr *dst, in_port_t dport) | |
1617 | { | 1610 | { | |
1618 | struct ipsec_softc *sc = var->iv_softc; | 1611 | struct ipsec_softc *sc = var->iv_softc; |
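Review bot: The two trailing sockaddrs are dropped from the SADB_X_SPDADD body, but nothing in this hunk shows the matching correction of xisr.sadb_x_ipsecrequest_len and xpl.sadb_x_policy_len, which are filled in before line 1585; if those still count `src->sa_len + dst->sa_len`, the padding computed at lines 1595-1598 grows by that amount and the receiving parser in key.c, seeing sadb_x_ipsecrequest_len > sizeof(*xisr), will consume zero padding as a sockaddr instead of leaving saidx to be filled from the packet. Please confirm the length setup was adjusted, or pin the invariant next to it with `KASSERT(xisr.sadb_x_ipsecrequest_len == PFKEY_ALIGN8(sizeof(xisr)));` so a future change to either side cannot silently desynchronise them. The removed comment was the only place recording that the NAT-T ports end up in saidx.{src,dst}; since sport and dport have no remaining use inside the hunk, a replacement comment such as `/* No addresses in transport mode: the kernel fills saidx (including NAT-T ports) from each packet via ipsec_fill_saidx_bymbuf(). */` would keep that contract visible and explain why the parameters are still passed. if_ipsec_add_sp0 begins before this hunk, so the length computation itself is not visible here.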
--- src/sys/netipsec/key.c 2018/12/22 14:28:57 1.258
+++ src/sys/netipsec/key.c 2018/12/26 08:55:14 1.259
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | /* $NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $ */ | 1 | /* $NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $ */ | |
2 | /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ | 2 | /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ | |
3 | /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ | 3 | /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ | |
4 | 4 | |||
5 | /* | 5 | /* | |
6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | 6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | |
7 | * All rights reserved. | 7 | * All rights reserved. | |
8 | * | 8 | * | |
9 | * Redistribution and use in source and binary forms, with or without | 9 | * Redistribution and use in source and binary forms, with or without | |
10 | * modification, are permitted provided that the following conditions | 10 | * modification, are permitted provided that the following conditions | |
11 | * are met: | 11 | * are met: | |
12 | * 1. Redistributions of source code must retain the above copyright | 12 | * 1. Redistributions of source code must retain the above copyright | |
13 | * notice, this list of conditions and the following disclaimer. | 13 | * notice, this list of conditions and the following disclaimer. | |
14 | * 2. Redistributions in binary form must reproduce the above copyright | 14 | * 2. Redistributions in binary form must reproduce the above copyright | |
@@ -22,27 +22,27 @@ | @@ -22,27 +22,27 @@ | |||
22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | 24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
31 | * SUCH DAMAGE. | 31 | * SUCH DAMAGE. | |
32 | */ | 32 | */ | |
33 | 33 | |||
34 | #include <sys/cdefs.h> | 34 | #include <sys/cdefs.h> | |
35 | __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $"); | 35 | __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $"); | |
36 | 36 | |||
37 | /* | 37 | /* | |
38 | * This code is referred to RFC 2367 | 38 | * This code is referred to RFC 2367 | |
39 | */ | 39 | */ | |
40 | 40 | |||
41 | #if defined(_KERNEL_OPT) | 41 | #if defined(_KERNEL_OPT) | |
42 | #include "opt_inet.h" | 42 | #include "opt_inet.h" | |
43 | #include "opt_ipsec.h" | 43 | #include "opt_ipsec.h" | |
44 | #include "opt_gateway.h" | 44 | #include "opt_gateway.h" | |
45 | #include "opt_net_mpsafe.h" | 45 | #include "opt_net_mpsafe.h" | |
46 | #endif | 46 | #endif | |
47 | 47 | |||
48 | #include <sys/types.h> | 48 | #include <sys/types.h> | |
@@ -1962,26 +1962,40 @@ _key_msg2sp(const struct sadb_x_policy * | @@ -1962,26 +1962,40 @@ _key_msg2sp(const struct sadb_x_policy * | |||
1962 | (*p_isr)->saidx.reqid = xisr_reqid; | 1962 | (*p_isr)->saidx.reqid = xisr_reqid; | |
1963 | } | 1963 | } | |
1964 | break; | 1964 | break; | |
1965 | 1965 | |||
1966 | default: | 1966 | default: | |
1967 | IPSECLOG(LOG_DEBUG, "invalid level=%u\n", | 1967 | IPSECLOG(LOG_DEBUG, "invalid level=%u\n", | |
1968 | xisr->sadb_x_ipsecrequest_level); | 1968 | xisr->sadb_x_ipsecrequest_level); | |
1969 | *error = EINVAL; | 1969 | *error = EINVAL; | |
1970 | goto free_exit; | 1970 | goto free_exit; | |
1971 | } | 1971 | } | |
1972 | (*p_isr)->level = xisr->sadb_x_ipsecrequest_level; | 1972 | (*p_isr)->level = xisr->sadb_x_ipsecrequest_level; | |
1973 | 1973 | |||
1974 | /* set IP addresses if there */ | 1974 | /* set IP addresses if there */ | |
1975 | /* | |||
1976 | * NOTE: | |||
1977 | * MOBIKE Extensions for PF_KEY draft says: | |||
1978 | * If tunnel mode is specified, the sadb_x_ipsecrequest | |||
1979 | * structure is followed by two sockaddr structures that | |||
1980 | * define the tunnel endpoint addresses. In the case that | |||
1981 | * transport mode is used, no additional addresses are | |||
1982 | * specified. | |||
1983 | * see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01 | |||
1984 | * | |||
1985 | * And then, the IP addresses will be set by | |||
1986 | * ipsec_fill_saidx_bymbuf() from packet in transport mode. | |||
1987 | * This behavior is used by NAT-T enabled ipsecif(4). | |||
1988 | */ | |||
1975 | if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { | 1989 | if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { | |
1976 | const struct sockaddr *paddr; | 1990 | const struct sockaddr *paddr; | |
1977 | 1991 | |||
1978 | paddr = (const struct sockaddr *)(xisr + 1); | 1992 | paddr = (const struct sockaddr *)(xisr + 1); | |
1979 | 1993 | |||
1980 | /* validity check */ | 1994 | /* validity check */ | |
1981 | if (paddr->sa_len > sizeof((*p_isr)->saidx.src)) { | 1995 | if (paddr->sa_len > sizeof((*p_isr)->saidx.src)) { | |
1982 | IPSECLOG(LOG_DEBUG, "invalid request " | 1996 | IPSECLOG(LOG_DEBUG, "invalid request " | |
1983 | "address length.\n"); | 1997 | "address length.\n"); | |
1984 | *error = EINVAL; | 1998 | *error = EINVAL; | |
1985 | goto free_exit; | 1999 | goto free_exit; | |
1986 | } | 2000 | } | |
1987 | memcpy(&(*p_isr)->saidx.src, paddr, paddr->sa_len); | 2001 | memcpy(&(*p_isr)->saidx.src, paddr, paddr->sa_len); |
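Review bot: The new comment states the draft's rule (addresses follow sadb_x_ipsecrequest only in tunnel mode), but the parser beneath it stays mode-agnostic: any request with sadb_x_ipsecrequest_len > sizeof(*xisr) has its trailing bytes copied into saidx regardless of sadb_x_ipsecrequest_mode, so a transport-mode policy that does carry addresses is installed with them rather than being filled per packet as the comment promises. Either enforce the rule (rejecting addresses when the mode is transport, after confirming no existing userland relies on passing them) or reword the comment to describe what the code does, e.g. `* If no addresses follow the request (the transport-mode case in the draft), saidx.{src,dst} stay zero and are filled per packet by ipsec_fill_saidx_bymbuf().` Separately, the validity check at line 1995 bounds sa_len only by sizeof(saidx.src); unless an earlier part of _key_msg2sp (outside this hunk) already verifies that sa_len fits within sadb_x_ipsecrequest_len, the memcpy on the last line can read past the request into the rest of the user-supplied policy buffer, and a `sa_len` of 0 would silently leave saidx.src unset while still taking the address branch. _key_msg2sp begins and ends outside this hunk.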