Remove support for non-IKE markers in the kernel. Discussed on tech-net@,

and now in PR/53334. Basically non-IKE markers come from a deprecated
draft, and our kernel code for them has never worked.

Setsockopt will now reject UDP_ENCAP_ESPINUDP_NON_IKE.

Perhaps we should also add a check in key_handle_natt_info(), to make
sure we also reject UDP_ENCAP_ESPINUDP_NON_IKE in the SADB.
maxv 2018-05-31 07:03:57 +00:00
parent ec343e4518
commit f645db7adb
5 changed files with 25 additions and 67 deletions


@ -1,4 +1,4 @@
.\" $NetBSD: udp.4,v 1.14 2012/11/12 05:13:28 christos Exp $
.\" $NetBSD: udp.4,v 1.15 2018/05/31 07:03:57 maxv Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@ -29,7 +29,7 @@
.\"
.\" @(#)udp.4 8.1 (Berkeley) 6/5/93
.\"
.Dd June 20, 2012
.Dd May 31, 2018
.Dt UDP 4
.Os
.Sh NAME
@ -111,11 +111,9 @@ option can be used to encapsulate
.Tn ESP
packets in
.Tn UDP .
There are two valid encapsulation options:
.Tn UDP_ENCAP_ESPINUDP_NON_IKE
from draft-ietf-ipsec-nat-t-ike-00/01 and
There is one valid encapsulation option:
.Tn UDP_ENCAP_ESPINUDP
from draft-ietf-ipsec-udp-encaps-06
from RFC3948
defined in
.In netinet/udp.h .
.Pp


@ -1,4 +1,4 @@
/* $NetBSD: in_pcb.h,v 1.65 2018/01/01 00:51:36 christos Exp $ */
/* $NetBSD: in_pcb.h,v 1.66 2018/05/31 07:03:57 maxv Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -113,7 +113,6 @@ struct inpcb {
/* XXX should move to an UDP control block */
#define INP_ESPINUDP 0x0100 /* ESP over UDP for NAT-T */
#define INP_ESPINUDP_NON_IKE 0x0200 /* ESP over UDP for NAT-T */
#define INP_ESPINUDP_ALL (INP_ESPINUDP|INP_ESPINUDP_NON_IKE)
#define INP_NOHEADER 0x0400 /* Kernel removes IP header
* before feeding a packet
* to the raw socket user.


@ -1,4 +1,4 @@
/* $NetBSD: udp_usrreq.c,v 1.252 2018/05/18 18:58:51 maxv Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.253 2018/05/31 07:03:57 maxv Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -66,7 +66,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.252 2018/05/18 18:58:51 maxv Exp $");
__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.253 2018/05/31 07:03:57 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@ -598,7 +598,7 @@ udp4_realinput(struct sockaddr_in *src, struct sockaddr_in *dst,
#ifdef IPSEC
/* Handle ESP over UDP */
if (inp->inp_flags & INP_ESPINUDP_ALL) {
if (inp->inp_flags & INP_ESPINUDP) {
switch (udp4_espinudp(mp, off, inp->inp_socket)) {
case -1: /* Error, m was freed */
rcvcnt = -1;
@ -732,18 +732,13 @@ udp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
switch(optval) {
case 0:
inp->inp_flags &= ~INP_ESPINUDP_ALL;
inp->inp_flags &= ~INP_ESPINUDP;
break;
case UDP_ENCAP_ESPINUDP:
inp->inp_flags &= ~INP_ESPINUDP_ALL;
inp->inp_flags |= INP_ESPINUDP;
break;
case UDP_ENCAP_ESPINUDP_NON_IKE:
inp->inp_flags &= ~INP_ESPINUDP_ALL;
inp->inp_flags |= INP_ESPINUDP_NON_IKE;
break;
default:
error = EINVAL;
break;
@ -1241,10 +1236,8 @@ udp_statinc(u_int stat)
* Handle ESP-in-UDP packets (RFC3948).
*
* We need to distinguish between ESP packets and IKE packets. We do so by
* looking at the Non-ESP and Non-IKE markers.
*
* If IKE, we process the UDP packet as usual. Otherwise, ESP, we invoke
* IPsec.
* looking at the Non-ESP marker. If IKE, we process the UDP packet as usual.
* Otherwise, ESP, we invoke IPsec.
*
* Returns:
* 1 if the packet was processed
@ -1254,10 +1247,9 @@ udp_statinc(u_int stat)
static int
udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
{
const size_t skip = sizeof(struct udphdr);
size_t len;
uint8_t *data;
struct inpcb *inp;
size_t skip = 0;
size_t minlen;
size_t iphdrlen;
struct ip *ip;
@ -1265,6 +1257,7 @@ udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
struct udphdr *udphdr;
u_int16_t sport, dport;
struct mbuf *m = *mp;
uint32_t *marker;
/*
* Collapse the mbuf chain if the first mbuf is too short.
@ -1283,7 +1276,6 @@ udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
len = m->m_len - off;
data = mtod(m, uint8_t *) + off;
inp = sotoinpcb(so);
/* Ignore keepalive packets. */
if ((len == 1) && (*data == 0xff)) {
@ -1293,29 +1285,12 @@ udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
}
/* Handle Non-ESP marker (32bit). If zero, then IKE. */
if (inp->inp_flags & INP_ESPINUDP) {
uint32_t *marker = (uint32_t *)data;
marker = (uint32_t *)data;
if (len <= sizeof(uint32_t))
return 0;
if (marker[0] == 0)
return 0;
skip = sizeof(struct udphdr);
}
/* Handle Non-IKE marker (64bit). If non-zero, then IKE. */
if (inp->inp_flags & INP_ESPINUDP_NON_IKE) {
uint32_t *marker = (uint32_t *)data;
if (len <= 2 * sizeof(uint32_t) + sizeof(struct esp))
return 0;
if (marker[0] != 0 || marker[1] != 0)
return 0;
skip = sizeof(struct udphdr) + 2 * sizeof(uint32_t);
}
/*
* Get the UDP ports. They are handled in network order
* everywhere in the IPSEC_NAT_T code.
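Review bot: `marker = (uint32_t *)data;` on the new side of udp4_espinudp keeps a `uint32_t *` alias onto the mbuf payload only to test four bytes for zero, and `uint32_t *marker;` is now hoisted to function scope for that single use. With the 64-bit Non-IKE read gone, a local copy avoids the type-punning cast and keeps the variable where it is used: `uint32_t marker;` / `memcpy(&marker, data, sizeof(marker));` / `if (marker == 0) return 0;` — the existing `len <= sizeof(uint32_t)` guard must stay ahead of the copy, since `data` is received packet bytes. udp4_espinudp continues past the hunk, so if `marker` is referenced further down this does not apply. The cast itself predates the commit; the removal just exposes it as a cleanup opportunity rather than a regression.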


@ -1,4 +1,4 @@
/* $NetBSD: ipsec_output.c,v 1.78 2018/05/07 09:33:51 maxv Exp $ */
/* $NetBSD: ipsec_output.c,v 1.79 2018/05/31 07:03:57 maxv Exp $ */
/*
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.78 2018/05/07 09:33:51 maxv Exp $");
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.79 2018/05/31 07:03:57 maxv Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@ -151,7 +151,6 @@ ipsec_process_done(struct mbuf *m, const struct ipsecrequest *isr,
#endif
struct mbuf *mo;
struct udphdr *udp = NULL;
uint64_t *data = NULL;
int hlen, roff;
KASSERT(m != NULL);
@ -164,8 +163,6 @@ ipsec_process_done(struct mbuf *m, const struct ipsecrequest *isr,
ip = mtod(m, struct ip *);
hlen = sizeof(struct udphdr);
if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
hlen += sizeof(uint64_t);
mo = m_makespace(m, sizeof(struct ip), hlen, &roff);
if (mo == NULL) {
@ -179,16 +176,7 @@ ipsec_process_done(struct mbuf *m, const struct ipsecrequest *isr,
}
udp = (struct udphdr *)(mtod(mo, char *) + roff);
data = (uint64_t *)(udp + 1);
if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
*data = 0; /* NON-IKE Marker */
if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT);
else
udp->uh_sport = key_portfromsaddr(&saidx->src);
udp->uh_dport = key_portfromsaddr(&saidx->dst);
udp->uh_sum = 0;
udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2));
@ -495,8 +483,7 @@ ipsec4_process_packet(struct mbuf *m, const struct ipsecrequest *isr,
if (isr == isr->sp->req) { /* Check only if called from ipsec4_output */
KASSERT(mtu != NULL);
ip = mtod(m, struct ip *);
if (!(sav->natt_type &
(UDP_ENCAP_ESPINUDP|UDP_ENCAP_ESPINUDP_NON_IKE))) {
if (!(sav->natt_type & UDP_ENCAP_ESPINUDP)) {
goto noneed;
}
if (ntohs(ip->ip_len) <= sav->esp_frag)
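Review bot: `if (!(sav->natt_type & UDP_ENCAP_ESPINUDP)) {` in the ipsec4_process_packet hunk tests an enumerated encapsulation type as if it were a bit flag; `UDP_ENCAP_ESPINUDP` and `UDP_ENCAP_ESPINUDP_NON_IKE` are distinct small integer values in netinet/udp.h, so the `&` only works because the surviving value happens to set a bit the other does not. Now that a single type is accepted, `if (sav->natt_type != UDP_ENCAP_ESPINUDP) {` states the intent directly and stays correct should another type value ever be defined. The same pattern appears in the ipsecif4_needfrag hunk of ipsecif.c. ipsec4_process_packet continues beyond the hunk.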


@ -1,4 +1,4 @@
/* $NetBSD: ipsecif.c,v 1.9 2018/05/09 07:33:31 maxv Exp $ */
/* $NetBSD: ipsecif.c,v 1.10 2018/05/31 07:03:57 maxv Exp $ */
/*
* Copyright (c) 2017 Internet Initiative Japan Inc.
@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.9 2018/05/09 07:33:31 maxv Exp $");
__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.10 2018/05/31 07:03:57 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@ -173,8 +173,7 @@ ipsecif4_needfrag(struct mbuf *m, struct ipsecrequest *isr)
if (sav == NULL)
return 0;
if (!(sav->natt_type & UDP_ENCAP_ESPINUDP) &&
!(sav->natt_type & UDP_ENCAP_ESPINUDP_NON_IKE)) {
if (!(sav->natt_type & UDP_ENCAP_ESPINUDP)) {
mtu = 0;
goto out;
}