PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access

outdated pointers and pass ESP data to UDP sockets.
While here, simplify the code and remove the IPSEC_NAT_T option; always
compile nat-traversal in so that it does not bitrot.
christos 2013-06-04 22:47:37 +00:00
parent 1ca75828fb
commit 213e873fd6
13 changed files with 80 additions and 172 deletions


@ -1,4 +1,4 @@
/* $NetBSD: ip_output.c,v 1.218 2013/02/02 07:00:40 kefren Exp $ */
/* $NetBSD: ip_output.c,v 1.219 2013/06/04 22:47:37 christos Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.218 2013/02/02 07:00:40 kefren Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.219 2013/06/04 22:47:37 christos Exp $");
#include "opt_pfil_hooks.h"
#include "opt_inet.h"
@ -126,6 +126,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.218 2013/02/02 07:00:40 kefren Exp $
#include <netinet/ip_private.h>
#include <netinet/in_offload.h>
#include <netinet/portalgo.h>
#include <netinet/udp.h>
#ifdef MROUTING
#include <netinet/ip_mroute.h>
@ -137,9 +138,6 @@ __KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.218 2013/02/02 07:00:40 kefren Exp $
#include <netipsec/xform.h>
#endif /* FAST_IPSEC*/
#ifdef IPSEC_NAT_T
#include <netinet/udp.h>
#endif
static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
static struct ifnet *ip_multicast_if(struct in_addr *, int *);
@ -179,9 +177,7 @@ ip_output(struct mbuf *m0, ...)
struct ip_moptions *imo;
struct socket *so;
va_list ap;
#ifdef IPSEC_NAT_T
int natt_frag = 0;
#endif
#ifdef FAST_IPSEC
struct inpcb *inp;
struct secpolicy *sp = NULL;
@ -518,22 +514,20 @@ sendit:
* sp == NULL, error != 0 discard packet, report error
*/
if (sp != NULL) {
#ifdef IPSEC_NAT_T
/*
* NAT-T ESP fragmentation: don't do IPSec processing now,
* we'll do it on each fragmented packet.
* NAT-T ESP fragmentation: don't do IPSec processing
* now, we'll do it on each fragmented packet.
*/
if (sp->req->sav &&
((sp->req->sav->natt_type & UDP_ENCAP_ESPINUDP) ||
(sp->req->sav->natt_type & UDP_ENCAP_ESPINUDP_NON_IKE))) {
if (ntohs(ip->ip_len) > sp->req->sav->esp_frag) {
if (sp->req->sav && (sp->req->sav->natt_type &
(UDP_ENCAP_ESPINUDP|UDP_ENCAP_ESPINUDP_NON_IKE))) {
if (ntohs(ip->ip_len) > sp->req->sav->esp_frag)
{
natt_frag = 1;
mtu = sp->req->sav->esp_frag;
splx(s);
goto spd_done;
}
}
#endif /* IPSEC_NAT_T */
/*
* Do delayed checksums now because we send before
@ -711,19 +705,17 @@ spd_done:
ia->ia_ifa.ifa_data.ifad_outbytes +=
ntohs(ip->ip_len);
#endif
#ifdef IPSEC_NAT_T
/*
* If we get there, the packet has not been handeld by
* If we get there, the packet has not been handled by
* IPSec whereas it should have. Now that it has been
* fragmented, re-inject it in ip_output so that IPsec
* processing can occur.
*/
if (natt_frag) {
error = ip_output(m, opt,
ro, flags | IP_RAWOUTPUT | IP_NOIPNEWID, imo, so, mtu_p);
} else
#endif /* IPSEC_NAT_T */
{
error = ip_output(m, opt, ro,
flags | IP_RAWOUTPUT | IP_NOIPNEWID,
imo, so, mtu_p);
} else {
KASSERT((m->m_pkthdr.csum_flags &
(M_CSUM_UDPv4 | M_CSUM_TCPv4)) == 0);
KERNEL_LOCK(1, NULL);
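Review bot: In the rewritten NAT-T fragmentation test the opening brace of `if (ntohs(ip->ip_len) > sp->req->sav->esp_frag)` sits on a line of its own, which departs from the KNF brace placement used by the surrounding code (`if (sp != NULL) {`); fold it back to `if (ntohs(ip->ip_len) > sp->req->sav->esp_frag) {`. The same condition dereferences `sp->req` without a NULL check; whether every policy that reaches this block carries a request chain is established outside the hunk, so a `KASSERT(sp->req != NULL);` above it, or a comment stating that invariant, would document what the code relies on. The ip_output body continues outside the hunk in both directions.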


@ -1,4 +1,4 @@
/* $NetBSD: udp_usrreq.c,v 1.187 2012/06/22 14:54:35 christos Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.188 2013/06/04 22:47:37 christos Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.187 2012/06/22 14:54:35 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.188 2013/06/04 22:47:37 christos Exp $");
#include "opt_inet.h"
#include "opt_compat_netbsd.h"
@ -148,10 +148,8 @@ struct inpcbtable udbtable;
percpu_t *udpstat_percpu;
#ifdef INET
#ifdef IPSEC_NAT_T
static int udp4_espinudp (struct mbuf **, int, struct sockaddr *,
struct socket *);
#endif
static void udp4_sendup (struct mbuf *, int, struct sockaddr *,
struct socket *);
static int udp4_realinput (struct sockaddr_in *, struct sockaddr_in *,
@ -404,6 +402,14 @@ udp_input(struct mbuf *m, ...)
UDP_STATINC(UDP_STAT_HDROPS);
return;
}
if (m == NULL) {
/*
* packet has been processed by ESP stuff -
* e.g. dropped NAT-T-keep-alive-packet ...
*/
return;
}
ip = mtod(m, struct ip *);
#ifdef INET6
if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) {
struct sockaddr_in6 src6, dst6;
@ -804,7 +810,6 @@ udp4_realinput(struct sockaddr_in *src, struct sockaddr_in *dst,
return rcvcnt;
}
#ifdef IPSEC_NAT_T
/* Handle ESP over UDP */
if (inp->inp_flags & INP_ESPINUDP_ALL) {
struct sockaddr *sa = (struct sockaddr *)src;
@ -830,7 +835,6 @@ udp4_realinput(struct sockaddr_in *src, struct sockaddr_in *dst,
break;
}
}
#endif
/*
* Check the minimum TTL for socket.
@ -1058,7 +1062,6 @@ udp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
break;
switch(optval) {
#ifdef IPSEC_NAT_T
case 0:
inp->inp_flags &= ~INP_ESPINUDP_ALL;
break;
@ -1072,7 +1075,6 @@ udp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
inp->inp_flags &= ~INP_ESPINUDP_ALL;
inp->inp_flags |= INP_ESPINUDP_NON_IKE;
break;
#endif
default:
error = EINVAL;
break;
@ -1437,7 +1439,7 @@ udp_statinc(u_int stat)
UDP_STATINC(stat);
}
#if (defined INET && defined IPSEC_NAT_T)
#if defined(INET)
/*
* Returns:
* 1 if the packet was processed
@ -1455,7 +1457,6 @@ udp4_espinudp(struct mbuf **mp, int off, struct sockaddr *src,
size_t minlen;
size_t iphdrlen;
struct ip *ip;
struct mbuf *n;
struct m_tag *tag;
struct udphdr *udphdr;
u_int16_t sport, dport;
@ -1483,6 +1484,8 @@ udp4_espinudp(struct mbuf **mp, int off, struct sockaddr *src,
/* Ignore keepalive packets */
if ((len == 1) && (*(unsigned char *)data == 0xff)) {
m_free(m);
*mp = NULL; /* avoid any further processiong by caller ... */
return 1;
}
@ -1542,16 +1545,9 @@ udp4_espinudp(struct mbuf **mp, int off, struct sockaddr *src,
ip->ip_p = IPPROTO_ESP;
/*
* Copy the mbuf to avoid multiple free, as both
* esp4_input (which we call) and udp_input (which
* called us) free the mbuf.
*/
if ((n = m_dup(m, 0, M_COPYALL, M_DONTWAIT)) == NULL) {
printf("udp4_espinudp: m_dup failed\n");
return 0;
}
/*
* We have modified the packet - it is now ESP, so we should not
* return to UDP processing ...
*
* Add a PACKET_TAG_IPSEC_NAT_T_PORT tag to remember
* the source UDP port. This is required if we want
* to select the right SPD for multiple hosts behind
@ -1560,20 +1556,21 @@ udp4_espinudp(struct mbuf **mp, int off, struct sockaddr *src,
if ((tag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS,
sizeof(sport) + sizeof(dport), M_DONTWAIT)) == NULL) {
printf("udp4_espinudp: m_tag_get failed\n");
m_freem(n);
return 0;
m_freem(m);
return -1;
}
((u_int16_t *)(tag + 1))[0] = sport;
((u_int16_t *)(tag + 1))[1] = dport;
m_tag_prepend(n, tag);
m_tag_prepend(m, tag);
#ifdef FAST_IPSEC
ipsec4_common_input(n, iphdrlen, IPPROTO_ESP);
ipsec4_common_input(m, iphdrlen, IPPROTO_ESP);
#else
esp4_input(n, iphdrlen);
esp4_input(m, iphdrlen);
#endif
/* We handled it, it shouldn't be handled by UDP */
*mp = NULL; /* avoid free by caller ... */
return 1;
}
#endif
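Review bot: The m_tag_get failure path in udp4_espinudp frees the packet (`m_freem(m); return -1;`) but leaves `*mp` pointing at the freed mbuf, whereas the success path clears `*mp` before returning. How udp4_realinput treats the -1 return is outside the hunk (only its trailing `break; } }` is visible), so if that path hands the stale pointer back to udp_input, the new `if (m == NULL)` guard there cannot catch it and the freed mbuf would be touched again, the class of bug this commit sets out to fix. Clearing the pointer on that path as well, `m_freem(m); *mp = NULL; return -1;`, makes the contract uniform: any non-zero return means the caller must not touch the mbuf. The keepalive branch just above uses `m_free(m)` rather than `m_freem(m)`, which releases only the first mbuf of a chain; whether a one-byte keepalive can ever arrive as a chain is not visible here. The new comment `*mp = NULL; /* avoid any further processiong by caller ... */` has a typo, "processing".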


@ -1,9 +1,8 @@
# $Id: files.netipsec,v 1.10 2012/03/22 20:34:42 drochner Exp $
# $Id: files.netipsec,v 1.11 2013/06/04 22:47:37 christos Exp $
#
#
defflag opt_ipsec.h FAST_IPSEC: opencrypto
defflag opt_ipsec.h IPSEC: FAST_IPSEC
defflag opt_ipsec.h IPSEC_NAT_T
defflag opt_ipsec.h IPSEC_DEBUG
file netipsec/ipsec.c fast_ipsec needs-flag


@ -1,4 +1,4 @@
/* $NetBSD: ipsec.c,v 1.57 2012/12/07 15:29:38 christos Exp $ */
/* $NetBSD: ipsec.c,v 1.58 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.57 2012/12/07 15:29:38 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.58 2013/06/04 22:47:37 christos Exp $");
/*
* IPsec controller part.
@ -2274,6 +2274,17 @@ xform_init(struct secasvar *sav, int xftype)
return EINVAL;
}
void
nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport) {
struct m_tag *tag;
if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
*sport = ((u_int16_t *)(tag + 1))[0];
*dport = ((u_int16_t *)(tag + 1))[1];
} else
*sport = *dport = 0;
}
#ifdef __NetBSD__
/*
* XXXJRT This should be done as a protosw init call.
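Review bot: `nat_t_ports_get` is added without a header comment and with its opening brace on the signature line, which departs from the KNF layout of the surrounding functions (`{` on its own line), and its unbraced `else` is paired with a braced `if`, which KNF also avoids; write it as `nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport)` / `{` and `} else {` … `}`. A comment such as `/* Fetch the UDP ports that udp4_espinudp recorded on m in a PACKET_TAG_IPSEC_NAT_T_PORTS tag; both are set to 0 when no tag is present. */` documents that both outputs are always written, which the callers that drop their `= 0` initializers in this commit now depend on. The tag stores sport at index 0 and dport at index 1 while the parameter order is (dport, sport); noting that in the comment guards against a transposition in future callers.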


@ -1,4 +1,4 @@
/* $NetBSD: ipsec.h,v 1.31 2012/01/06 14:17:11 drochner Exp $ */
/* $NetBSD: ipsec.h,v 1.32 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@ -349,6 +349,8 @@ int ipsec_clear_socket_cache(struct mbuf *m)
return 0;
}
void nat_t_ports_get(struct mbuf *, u_int16_t *, u_int16_t *);
#endif /* _KERNEL */


@ -1,4 +1,4 @@
/* $NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $ */
/* $NetBSD: ipsec_input.c,v 1.30 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $");
__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.30 2013/06/04 22:47:37 christos Exp $");
/*
* IPsec input processing.
@ -129,12 +129,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
union sockaddr_union dst_address;
struct secasvar *sav;
u_int32_t spi;
u_int16_t sport = 0;
u_int16_t dport = 0;
u_int16_t sport;
u_int16_t dport;
int s, error;
#ifdef IPSEC_NAT_T
struct m_tag * tag = NULL;
#endif
IPSEC_ISTAT(sproto, ESP_STAT_INPUT, AH_STAT_INPUT,
IPCOMP_STAT_INPUT);
@ -173,13 +170,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
}
#ifdef IPSEC_NAT_T
/* find the source port for NAT-T */
if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
sport = ((u_int16_t *)(tag + 1))[0];
dport = ((u_int16_t *)(tag + 1))[1];
}
#endif
nat_t_ports_get(m, &dport, &sport);
/*
* Find the SA and (indirectly) call the appropriate
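Review bot: The `= 0` initializers on `sport` and `dport` are dropped here (and in the same way in xform_ah.c, xform_esp.c and xform_ipcomp.c), so the variables are now defined only by nat_t_ports_get writing both outputs on every path. That holds for the helper as added in this commit, but nothing at the call sites records the dependency; a one-line comment beside the call, `/* nat_t_ports_get() always sets both ports (0 when untagged) */`, or keeping the initializers, would keep the code safe against a future early return in that helper. ipsec_common_input's body continues outside the hunk.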


@ -1,4 +1,4 @@
/* $NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $ */
/* $NetBSD: ipsec_output.c,v 1.39 2013/06/04 22:47:37 christos Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $");
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.39 2013/06/04 22:47:37 christos Exp $");
/*
* IPsec output processing.
@ -72,9 +72,7 @@ __KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner E
#ifdef INET6
#include <netinet/icmp6.h>
#endif
#ifdef IPSEC_NAT_T
#include <netinet/udp.h>
#endif
#include <netipsec/ipsec.h>
#include <netipsec/ipsec_var.h>
@ -172,12 +170,10 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
#ifdef INET6
struct ip6_hdr * ip6;
#endif /* INET6 */
#ifdef IPSEC_NAT_T
struct mbuf * mo;
struct udphdr *udp = NULL;
uint64_t * data = NULL;
int hlen, roff;
#endif /* IPSEC_NAT_T */
IPSEC_SPLASSERT_SOFTNET("ipsec_process_done");
@ -189,7 +185,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
saidx = &sav->sah->saidx;
#ifdef IPSEC_NAT_T
if(sav->natt_type != 0) {
ip = mtod(m, struct ip *);
@ -222,7 +217,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
udp->uh_sum = 0;
udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2));
}
#endif /* IPSEC_NAT_T */
switch (saidx->dst.sa.sa_family) {
#ifdef INET
@ -230,10 +224,8 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
/* Fix the header length, for AH processing. */
ip = mtod(m, struct ip *);
ip->ip_len = htons(m->m_pkthdr.len);
#ifdef IPSEC_NAT_T
if (sav->natt_type != 0)
ip->ip_p = IPPROTO_UDP;
#endif /* IPSEC_NAT_T */
break;
#endif /* INET */
#ifdef INET6
@ -250,10 +242,8 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
#ifdef IPSEC_NAT_T
if (sav->natt_type != 0)
ip6->ip6_nxt = IPPROTO_UDP;
#endif /* IPSEC_NAT_T */
break;
#endif /* INET6 */
default:


@ -1,4 +1,4 @@
/* $NetBSD: key.c,v 1.79 2012/09/20 23:50:05 gdt Exp $ */
/* $NetBSD: key.c,v 1.80 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.79 2012/09/20 23:50:05 gdt Exp $");
__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.80 2013/06/04 22:47:37 christos Exp $");
/*
* This code is referd to RFC 2367
@ -400,10 +400,8 @@ static int key_spddump (struct socket *, struct mbuf *,
const struct sadb_msghdr *);
static struct mbuf * key_setspddump (int *errorp, pid_t);
static struct mbuf * key_setspddump_chain (int *errorp, int *lenp, pid_t pid);
#ifdef IPSEC_NAT_T
static int key_nat_map (struct socket *, struct mbuf *,
const struct sadb_msghdr *);
#endif
static struct mbuf *key_setdumpsp (struct secpolicy *,
u_int8_t, u_int32_t, pid_t);
static u_int key_getspreqmsglen (const struct secpolicy *);
@ -424,11 +422,9 @@ static int key_setsaval (struct secasvar *, struct mbuf *,
static int key_mature (struct secasvar *);
static struct mbuf *key_setdumpsa (struct secasvar *, u_int8_t,
u_int8_t, u_int32_t, u_int32_t);
#ifdef IPSEC_NAT_T
static struct mbuf *key_setsadbxport (u_int16_t, u_int16_t);
static struct mbuf *key_setsadbxtype (u_int16_t);
static struct mbuf *key_setsadbxfrag (u_int16_t);
#endif
static void key_porttosaddr (union sockaddr_union *, u_int16_t);
static int key_checksalen (const union sockaddr_union *);
static struct mbuf *key_setsadbmsg (u_int8_t, u_int16_t, u_int8_t,
@ -465,13 +461,11 @@ static int key_getspi (struct socket *, struct mbuf *,
const struct sadb_msghdr *);
static u_int32_t key_do_getnewspi (const struct sadb_spirange *,
const struct secasindex *);
#ifdef IPSEC_NAT_T
static int key_handle_natt_info (struct secasvar *,
const struct sadb_msghdr *);
static int key_set_natt_ports (union sockaddr_union *,
union sockaddr_union *,
const struct sadb_msghdr *);
#endif
static int key_update (struct socket *, struct mbuf *,
const struct sadb_msghdr *);
#ifdef IPSEC_DOSEQCHECK
@ -1102,10 +1096,8 @@ key_allocsa(
u_int16_t cpi = 0;
u_int8_t algo = 0;
#ifdef IPSEC_NAT_T
if ((sport != 0) && (dport != 0))
chkport = 1;
#endif
IPSEC_ASSERT(dst != NULL, ("key_allocsa: null dst address"));
@ -2574,7 +2566,6 @@ key_spddump(struct socket *so, struct mbuf *m0,
return error;
}
#ifdef IPSEC_NAT_T
/*
* SADB_X_NAT_T_NEW_MAPPING. Unused by racoon as of 2005/04/23
*/
@ -2639,7 +2630,6 @@ key_nat_map(struct socket *so, struct mbuf *m,
return 0;
}
#endif /* IPSEC_NAT_T */
static struct mbuf *
key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, pid_t pid)
@ -3191,10 +3181,8 @@ key_setsaval(struct secasvar *sav, struct mbuf *m,
sav->tdb_encalgxform = NULL; /* encoding algorithm */
sav->tdb_authalgxform = NULL; /* authentication algorithm */
sav->tdb_compalgxform = NULL; /* compression algorithm */
#ifdef IPSEC_NAT_T
sav->natt_type = 0;
sav->esp_frag = 0;
#endif
/* SA */
if (mhp->ext[SADB_EXT_SA] != NULL) {
@ -3520,12 +3508,10 @@ key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype,
SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH,
SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC,
SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY,
#ifdef IPSEC_NAT_T
SADB_X_EXT_NAT_T_TYPE,
SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT,
SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR,
SADB_X_EXT_NAT_T_FRAG,
#endif
};
@ -3598,7 +3584,6 @@ key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype,
p = sav->lft_s;
break;
#ifdef IPSEC_NAT_T
case SADB_X_EXT_NAT_T_TYPE:
m = key_setsadbxtype(sav->natt_type);
break;
@ -3629,7 +3614,6 @@ key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype,
case SADB_X_EXT_NAT_T_OAI:
case SADB_X_EXT_NAT_T_OAR:
continue;
#endif
case SADB_EXT_ADDRESS_PROXY:
case SADB_EXT_IDENTITY_SRC:
@ -3687,7 +3671,6 @@ fail:
}
#ifdef IPSEC_NAT_T
/*
* set a type in sadb_x_nat_t_type
*/
@ -3802,7 +3785,6 @@ key_portfromsaddr(const union sockaddr_union *saddr)
return port;
}
#endif /* IPSEC_NAT_T */
/*
* Set port is struct sockaddr. port is in network order
@ -4250,7 +4232,6 @@ key_cmpsaidx(
* in the SPD: This means we have a non-generated
* SPD which can't know UDP ports.
*/
#ifdef IPSEC_NAT_T
if (saidx1->mode == IPSEC_MODE_TUNNEL &&
((((const struct sockaddr *)(&saidx1->src))->sa_family == AF_INET &&
((const struct sockaddr *)(&saidx1->dst))->sa_family == AF_INET &&
@ -4261,7 +4242,6 @@ key_cmpsaidx(
((const struct sockaddr_in6 *)(&saidx1->src))->sin6_port &&
((const struct sockaddr_in6 *)(&saidx1->dst))->sin6_port)))
chkport = 1;
#endif
if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, chkport) != 0) {
return 0;
@ -4846,10 +4826,8 @@ key_setsecasidx(int proto, int mode, int reqid,
memcpy(&saidx->src, src_u, src_u->sa.sa_len);
memcpy(&saidx->dst, dst_u, dst_u->sa.sa_len);
#ifndef IPSEC_NAT_T
key_porttosaddr(&((saidx)->src),0);
key_porttosaddr(&((saidx)->dst),0);
#endif
return 0;
}
@ -4916,10 +4894,8 @@ key_getspi(struct socket *so, struct mbuf *m,
dst0 + 1, &saidx)) != 0)
return key_senderror(so, m, EINVAL);
#ifdef IPSEC_NAT_T
if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif
/* SPI allocation */
spi = key_do_getnewspi((struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE],
@ -5098,8 +5074,6 @@ key_do_getnewspi(const struct sadb_spirange *spirange,
return newspi;
}
#ifdef IPSEC_NAT_T
/* Handle IPSEC_NAT_T info if present */
static int
key_handle_natt_info(struct secasvar *sav,
const struct sadb_msghdr *mhp)
@ -5222,7 +5196,6 @@ key_set_natt_ports(union sockaddr_union *src, union sockaddr_union *dst,
return 0;
}
#endif
/*
@ -5298,10 +5271,8 @@ key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
dst0 + 1, &saidx)) != 0)
return key_senderror(so, m, EINVAL);
#ifdef IPSEC_NAT_T
if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif
/* get a SA header */
if ((sah = key_getsah(&saidx)) == NULL) {
@ -5363,10 +5334,8 @@ key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
return key_senderror(so, m, error);
}
#ifdef IPSEC_NAT_T
if ((error = key_handle_natt_info(sav,mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif /* IPSEC_NAT_T */
/* check SA values to be mature. */
if ((mhp->msg->sadb_msg_errno = key_mature(sav)) != 0) {
@ -5500,10 +5469,8 @@ key_add(struct socket *so, struct mbuf *m,
dst0 + 1, &saidx)) != 0)
return key_senderror(so, m, EINVAL);
#ifdef IPSEC_NAT_T
if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif
/* get a SA header */
if ((newsah = key_getsah(&saidx)) == NULL) {
@ -5532,10 +5499,8 @@ key_add(struct socket *so, struct mbuf *m,
return key_senderror(so, m, error);
}
#ifdef IPSEC_NAT_T
if ((error = key_handle_natt_info(newsav, mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif /* IPSEC_NAT_T */
/* check SA values to be mature. */
if ((error = key_mature(newsav)) != 0) {
@ -5733,10 +5698,8 @@ key_delete(struct socket *so, struct mbuf *m,
dst0 + 1, &saidx)) != 0)
return key_senderror(so, m, EINVAL);
#ifdef IPSEC_NAT_T
if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif
/* get a SA header */
LIST_FOREACH(sah, &sahtree, chain) {
@ -5803,10 +5766,8 @@ key_delete_all(struct socket *so, struct mbuf *m,
dst0 + 1, &saidx)) != 0)
return key_senderror(so, m, EINVAL);
#ifdef IPSEC_NAT_T
if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif
LIST_FOREACH(sah, &sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
@ -5917,10 +5878,8 @@ key_get(struct socket *so, struct mbuf *m,
dst0 + 1, &saidx)) != 0)
return key_senderror(so, m, EINVAL);
#ifdef IPSEC_NAT_T
if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif
/* get a SA header */
LIST_FOREACH(sah, &sahtree, chain) {
@ -6601,10 +6560,8 @@ key_acquire2(struct socket *so, struct mbuf *m,
dst0 + 1, &saidx)) != 0)
return key_senderror(so, m, EINVAL);
#ifdef IPSEC_NAT_T
if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
return key_senderror(so, m, EINVAL);
#endif
/* get a SA index */
LIST_FOREACH(sah, &sahtree, chain) {
@ -7287,9 +7244,7 @@ static int (*key_typesw[]) (struct socket *, struct mbuf *,
key_spdadd, /* SADB_X_SPDSETIDX */
NULL, /* SADB_X_SPDEXPIRE */
key_spddelete2, /* SADB_X_SPDDELETE2 */
#ifdef IPSEC_NAT_T
key_nat_map, /* SADB_X_NAT_T_NEW_MAPPING */
#endif
key_nat_map, /* SADB_X_NAT_T_NEW_MAPPING */
};
/*
@ -7624,14 +7579,12 @@ key_align(struct mbuf *m, struct sadb_msghdr *mhp)
case SADB_EXT_SPIRANGE:
case SADB_X_EXT_POLICY:
case SADB_X_EXT_SA2:
#ifdef IPSEC_NAT_T
case SADB_X_EXT_NAT_T_TYPE:
case SADB_X_EXT_NAT_T_SPORT:
case SADB_X_EXT_NAT_T_DPORT:
case SADB_X_EXT_NAT_T_OAI:
case SADB_X_EXT_NAT_T_OAR:
case SADB_X_EXT_NAT_T_FRAG:
#endif
/* duplicate check */
/*
* XXX Are there duplication payloads of either
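Review bot: key_setsecasidx no longer zeroes the port fields of the new saidx (the `#ifndef IPSEC_NAT_T` calls to key_porttosaddr are gone), so the index keeps whatever port bytes the caller's sockaddrs carry until key_set_natt_ports overwrites them; every visible caller (key_getspi, key_update, key_add, key_delete, key_delete_all, key_get, key_acquire2) does call it, but the requirement is now implicit. A comment before the `return 0;` at the end of key_setsecasidx, `/* ports are left as supplied; callers must run key_set_natt_ports() */`, records it for the next caller that is added. The function definitions involved all begin outside their hunks.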


@ -1,4 +1,4 @@
/* $NetBSD: key.h,v 1.11 2011/06/09 19:54:18 drochner Exp $ */
/* $NetBSD: key.h,v 1.12 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
@ -107,9 +107,7 @@ void key_init (void);
void key_sa_recordxfer (struct secasvar *, struct mbuf *);
void key_sa_routechange (struct sockaddr *);
#ifdef IPSEC_NAT_T
u_int16_t key_portfromsaddr (const union sockaddr_union *);
#endif


@ -1,4 +1,4 @@
/* $NetBSD: keydb.h,v 1.12 2012/08/29 20:37:51 drochner Exp $ */
/* $NetBSD: keydb.h,v 1.13 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: src/sys/netipsec/keydb.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $ */
@ -128,10 +128,8 @@ struct secasvar {
const struct comp_algo *tdb_compalgxform; /* compression algorithm */
u_int64_t tdb_cryptoid; /* crypto session id */
#ifdef IPSEC_NAT_T
u_int16_t natt_type;
u_int16_t esp_frag;
#endif
};
/* replay prevention */


@ -1,4 +1,4 @@
/* $NetBSD: xform_ah.c,v 1.38 2012/08/30 12:16:49 drochner Exp $ */
/* $NetBSD: xform_ah.c,v 1.39 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.38 2012/08/30 12:16:49 drochner Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.39 2013/06/04 22:47:37 christos Exp $");
#include "opt_inet.h"
#ifdef __FreeBSD__
@ -827,11 +827,8 @@ ah_input_cb(struct cryptop *crp)
u_int8_t nxt;
char *ptr;
int s, authsize;
u_int16_t dport = 0;
u_int16_t sport = 0;
#ifdef IPSEC_NAT_T
struct m_tag * tag = NULL;
#endif
u_int16_t dport;
u_int16_t sport;
crd = crp->crp_desc;
@ -844,13 +841,8 @@ ah_input_cb(struct cryptop *crp)
m = (struct mbuf *) crp->crp_buf;
#ifdef IPSEC_NAT_T
/* find the source port for NAT-T */
if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
sport = ((u_int16_t *)(tag + 1))[0];
dport = ((u_int16_t *)(tag + 1))[1];
}
#endif
nat_t_ports_get(m, &dport, &sport);
s = splsoftnet();
mutex_enter(softnet_lock);


@ -1,4 +1,4 @@
/* $NetBSD: xform_esp.c,v 1.41 2012/08/30 12:16:49 drochner Exp $ */
/* $NetBSD: xform_esp.c,v 1.42 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.41 2012/08/30 12:16:49 drochner Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.42 2013/06/04 22:47:37 christos Exp $");
#include "opt_inet.h"
#ifdef __FreeBSD__
@ -511,11 +511,8 @@ esp_input_cb(struct cryptop *crp)
struct secasvar *sav;
struct secasindex *saidx;
void *ptr;
u_int16_t dport = 0;
u_int16_t sport = 0;
#ifdef IPSEC_NAT_T
struct m_tag * tag = NULL;
#endif
u_int16_t dport;
u_int16_t sport;
crd = crp->crp_desc;
IPSEC_ASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!"));
@ -527,13 +524,8 @@ esp_input_cb(struct cryptop *crp)
mtag = (struct m_tag *) tc->tc_ptr;
m = (struct mbuf *) crp->crp_buf;
#ifdef IPSEC_NAT_T
/* find the source port for NAT-T */
if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
sport = ((u_int16_t *)(tag + 1))[0];
dport = ((u_int16_t *)(tag + 1))[1];
}
#endif
nat_t_ports_get(m, &dport, &sport);
s = splsoftnet();
mutex_enter(softnet_lock);


@ -1,4 +1,4 @@
/* $NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $ */
/* $NetBSD: xform_ipcomp.c,v 1.30 2013/06/04 22:47:37 christos Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.30 2013/06/04 22:47:37 christos Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#include "opt_inet.h"
@ -243,11 +243,8 @@ ipcomp_input_cb(struct cryptop *crp)
int s, hlen = IPCOMP_HLENGTH, error, clen;
u_int8_t nproto;
void *addr;
u_int16_t dport = 0;
u_int16_t sport = 0;
#ifdef IPSEC_NAT_T
struct m_tag * tag = NULL;
#endif
u_int16_t dport;
u_int16_t sport;
crd = crp->crp_desc;
@ -258,13 +255,8 @@ ipcomp_input_cb(struct cryptop *crp)
mtag = (struct mtag *) tc->tc_ptr;
m = (struct mbuf *) crp->crp_buf;
#ifdef IPSEC_NAT_T
/* find the source port for NAT-T */
if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
sport = ((u_int16_t *)(tag + 1))[0];
dport = ((u_int16_t *)(tag + 1))[1];
}
#endif
nat_t_ports_get(m, &dport, &sport);
s = splsoftnet();
mutex_enter(softnet_lock);