Remove support for non-IKE markers in the kernel. Discussed on tech-net@,
and now in PR/53334. Basically non-IKE markers come from a deprecated draft, and our kernel code for them has never worked. Setsockopt will now reject UDP_ENCAP_ESPINUDP_NON_IKE. Perhaps we should also add a check in key_handle_natt_info(), to make sure we also reject UDP_ENCAP_ESPINUDP_NON_IKE in the SADB.
This commit is contained in:
parent
ec343e4518
commit
f645db7adb
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: udp.4,v 1.14 2012/11/12 05:13:28 christos Exp $
|
||||
.\" $NetBSD: udp.4,v 1.15 2018/05/31 07:03:57 maxv Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 1983, 1991, 1993
|
||||
.\" The Regents of the University of California. All rights reserved.
|
||||
|
@ -29,7 +29,7 @@
|
|||
.\"
|
||||
.\" @(#)udp.4 8.1 (Berkeley) 6/5/93
|
||||
.\"
|
||||
.Dd June 20, 2012
|
||||
.Dd May 31, 2018
|
||||
.Dt UDP 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -111,11 +111,9 @@ option can be used to encapsulate
|
|||
.Tn ESP
|
||||
packets in
|
||||
.Tn UDP .
|
||||
There are two valid encapsulation options:
|
||||
.Tn UDP_ENCAP_ESPINUDP_NON_IKE
|
||||
from draft-ietf-ipsec-nat-t-ike-00/01 and
|
||||
There is one valid encapsulation option:
|
||||
.Tn UDP_ENCAP_ESPINUDP
|
||||
from draft-ietf-ipsec-udp-encaps-06
|
||||
from RFC3948
|
||||
defined in
|
||||
.In netinet/udp.h .
|
||||
.Pp
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: in_pcb.h,v 1.65 2018/01/01 00:51:36 christos Exp $ */
|
||||
/* $NetBSD: in_pcb.h,v 1.66 2018/05/31 07:03:57 maxv Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
|
@ -113,7 +113,6 @@ struct inpcb {
|
|||
/* XXX should move to an UDP control block */
|
||||
#define INP_ESPINUDP 0x0100 /* ESP over UDP for NAT-T */
|
||||
#define INP_ESPINUDP_NON_IKE 0x0200 /* ESP over UDP for NAT-T */
|
||||
#define INP_ESPINUDP_ALL (INP_ESPINUDP|INP_ESPINUDP_NON_IKE)
|
||||
#define INP_NOHEADER 0x0400 /* Kernel removes IP header
|
||||
* before feeding a packet
|
||||
* to the raw socket user.
|
||||
|
|
|
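Review bot: The 0x0200 bit freed by dropping INP_ESPINUDP_NON_IKE now sits as an unmarked gap between INP_ESPINUDP (0x0100) and INP_NOHEADER (0x0400); a placeholder such as `/* 0x0200 formerly INP_ESPINUDP_NON_IKE, left unused */` would stop a later flag from quietly reusing the value. From this rendering I also cannot tell whether INP_ESPINUDP_ALL is removed or kept: the hunk counts (-113,7 +113,6) admit only one departing line, yet its expansion still names INP_ESPINUDP_NON_IKE, so if it survives, any remaining user of it fails to compile. Either dropping INP_ESPINUDP_ALL or redefining it as `#define INP_ESPINUDP_ALL (INP_ESPINUDP)` keeps the header self-consistent with the udp_usrreq.c changes, which replace every INP_ESPINUDP_ALL use with INP_ESPINUDP. The struct inpcb definition continues outside the hunk.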
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: udp_usrreq.c,v 1.252 2018/05/18 18:58:51 maxv Exp $ */
|
||||
/* $NetBSD: udp_usrreq.c,v 1.253 2018/05/31 07:03:57 maxv Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
|
@ -66,7 +66,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.252 2018/05/18 18:58:51 maxv Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.253 2018/05/31 07:03:57 maxv Exp $");
|
||||
|
||||
#ifdef _KERNEL_OPT
|
||||
#include "opt_inet.h"
|
||||
|
@ -598,7 +598,7 @@ udp4_realinput(struct sockaddr_in *src, struct sockaddr_in *dst,
|
|||
|
||||
#ifdef IPSEC
|
||||
/* Handle ESP over UDP */
|
||||
if (inp->inp_flags & INP_ESPINUDP_ALL) {
|
||||
if (inp->inp_flags & INP_ESPINUDP) {
|
||||
switch (udp4_espinudp(mp, off, inp->inp_socket)) {
|
||||
case -1: /* Error, m was freed */
|
||||
rcvcnt = -1;
|
||||
|
@ -732,18 +732,13 @@ udp_ctloutput(int op, struct socket *so, struct sockopt *sopt)
|
|||
|
||||
switch(optval) {
|
||||
case 0:
|
||||
inp->inp_flags &= ~INP_ESPINUDP_ALL;
|
||||
inp->inp_flags &= ~INP_ESPINUDP;
|
||||
break;
|
||||
|
||||
case UDP_ENCAP_ESPINUDP:
|
||||
inp->inp_flags &= ~INP_ESPINUDP_ALL;
|
||||
inp->inp_flags |= INP_ESPINUDP;
|
||||
break;
|
||||
|
||||
case UDP_ENCAP_ESPINUDP_NON_IKE:
|
||||
inp->inp_flags &= ~INP_ESPINUDP_ALL;
|
||||
inp->inp_flags |= INP_ESPINUDP_NON_IKE;
|
||||
break;
|
||||
default:
|
||||
error = EINVAL;
|
||||
break;
|
||||
|
@ -1241,10 +1236,8 @@ udp_statinc(u_int stat)
|
|||
* Handle ESP-in-UDP packets (RFC3948).
|
||||
*
|
||||
* We need to distinguish between ESP packets and IKE packets. We do so by
|
||||
* looking at the Non-ESP and Non-IKE markers.
|
||||
*
|
||||
* If IKE, we process the UDP packet as usual. Otherwise, ESP, we invoke
|
||||
* IPsec.
|
||||
* looking at the Non-ESP marker. If IKE, we process the UDP packet as usual.
|
||||
* Otherwise, ESP, we invoke IPsec.
|
||||
*
|
||||
* Returns:
|
||||
* 1 if the packet was processed
|
||||
|
@ -1254,10 +1247,9 @@ udp_statinc(u_int stat)
|
|||
static int
|
||||
udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
|
||||
{
|
||||
const size_t skip = sizeof(struct udphdr);
|
||||
size_t len;
|
||||
uint8_t *data;
|
||||
struct inpcb *inp;
|
||||
size_t skip = 0;
|
||||
size_t minlen;
|
||||
size_t iphdrlen;
|
||||
struct ip *ip;
|
||||
|
@ -1265,6 +1257,7 @@ udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
|
|||
struct udphdr *udphdr;
|
||||
u_int16_t sport, dport;
|
||||
struct mbuf *m = *mp;
|
||||
uint32_t *marker;
|
||||
|
||||
/*
|
||||
* Collapse the mbuf chain if the first mbuf is too short.
|
||||
|
@ -1283,7 +1276,6 @@ udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
|
|||
|
||||
len = m->m_len - off;
|
||||
data = mtod(m, uint8_t *) + off;
|
||||
inp = sotoinpcb(so);
|
||||
|
||||
/* Ignore keepalive packets. */
|
||||
if ((len == 1) && (*data == 0xff)) {
|
||||
|
@ -1293,29 +1285,12 @@ udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
|
|||
}
|
||||
|
||||
/* Handle Non-ESP marker (32bit). If zero, then IKE. */
|
||||
if (inp->inp_flags & INP_ESPINUDP) {
|
||||
uint32_t *marker = (uint32_t *)data;
|
||||
|
||||
marker = (uint32_t *)data;
|
||||
if (len <= sizeof(uint32_t))
|
||||
return 0;
|
||||
if (marker[0] == 0)
|
||||
return 0;
|
||||
|
||||
skip = sizeof(struct udphdr);
|
||||
}
|
||||
|
||||
/* Handle Non-IKE marker (64bit). If non-zero, then IKE. */
|
||||
if (inp->inp_flags & INP_ESPINUDP_NON_IKE) {
|
||||
uint32_t *marker = (uint32_t *)data;
|
||||
|
||||
if (len <= 2 * sizeof(uint32_t) + sizeof(struct esp))
|
||||
return 0;
|
||||
if (marker[0] != 0 || marker[1] != 0)
|
||||
return 0;
|
||||
|
||||
skip = sizeof(struct udphdr) + 2 * sizeof(uint32_t);
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the UDP ports. They are handled in network order
|
||||
* everywhere in the IPSEC_NAT_T code.
|
||||
|
|
|
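Review bot: udp4_espinudp no longer checks inp_flags itself, so its result is only meaningful when the caller has already verified INP_ESPINUDP, which udp4_realinput does in the -598 hunk; that precondition belongs in the function's header comment, e.g. ` * Must only be called for sockets with INP_ESPINUDP set; udp4_realinput` ` * performs that check before dispatching here.` The `if (len <= sizeof(uint32_t)) return 0;` guard correctly precedes the `marker[0]` read and keeps the pre-existing behaviour that a payload of exactly four bytes is handed to the normal UDP path rather than to IPsec. Since `marker` is only read, declaring it `const uint32_t *marker;` would document that. The body of udp4_espinudp continues past the last hunk, and udp_ctloutput's switch starts and ends outside its hunk.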
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ipsec_output.c,v 1.78 2018/05/07 09:33:51 maxv Exp $ */
|
||||
/* $NetBSD: ipsec_output.c,v 1.79 2018/05/31 07:03:57 maxv Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
|
||||
|
@ -29,7 +29,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.78 2018/05/07 09:33:51 maxv Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.79 2018/05/31 07:03:57 maxv Exp $");
|
||||
|
||||
#if defined(_KERNEL_OPT)
|
||||
#include "opt_inet.h"
|
||||
|
@ -151,7 +151,6 @@ ipsec_process_done(struct mbuf *m, const struct ipsecrequest *isr,
|
|||
#endif
|
||||
struct mbuf *mo;
|
||||
struct udphdr *udp = NULL;
|
||||
uint64_t *data = NULL;
|
||||
int hlen, roff;
|
||||
|
||||
KASSERT(m != NULL);
|
||||
|
@ -164,8 +163,6 @@ ipsec_process_done(struct mbuf *m, const struct ipsecrequest *isr,
|
|||
ip = mtod(m, struct ip *);
|
||||
|
||||
hlen = sizeof(struct udphdr);
|
||||
if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
|
||||
hlen += sizeof(uint64_t);
|
||||
|
||||
mo = m_makespace(m, sizeof(struct ip), hlen, &roff);
|
||||
if (mo == NULL) {
|
||||
|
@ -179,16 +176,7 @@ ipsec_process_done(struct mbuf *m, const struct ipsecrequest *isr,
|
|||
}
|
||||
|
||||
udp = (struct udphdr *)(mtod(mo, char *) + roff);
|
||||
data = (uint64_t *)(udp + 1);
|
||||
|
||||
if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
|
||||
*data = 0; /* NON-IKE Marker */
|
||||
|
||||
if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
|
||||
udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT);
|
||||
else
|
||||
udp->uh_sport = key_portfromsaddr(&saidx->src);
|
||||
|
||||
udp->uh_dport = key_portfromsaddr(&saidx->dst);
|
||||
udp->uh_sum = 0;
|
||||
udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2));
|
||||
|
@ -495,8 +483,7 @@ ipsec4_process_packet(struct mbuf *m, const struct ipsecrequest *isr,
|
|||
if (isr == isr->sp->req) { /* Check only if called from ipsec4_output */
|
||||
KASSERT(mtu != NULL);
|
||||
ip = mtod(m, struct ip *);
|
||||
if (!(sav->natt_type &
|
||||
(UDP_ENCAP_ESPINUDP|UDP_ENCAP_ESPINUDP_NON_IKE))) {
|
||||
if (!(sav->natt_type & UDP_ENCAP_ESPINUDP)) {
|
||||
goto noneed;
|
||||
}
|
||||
if (ntohs(ip->ip_len) <= sav->esp_frag)
|
||||
|
|
|
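Review bot: ipsec4_process_packet now tests `sav->natt_type & UDP_ENCAP_ESPINUDP`, while ipsec_process_done appears to add the UDP header for any non-zero natt_type (that gate is above the -164 hunk, so I am inferring it); the old mask treated UDP_ENCAP_ESPINUDP and UDP_ENCAP_ESPINUDP_NON_IKE as distinct bits, so until key_handle_natt_info() rejects NON_IKE as the commit message proposes, an SA installed with that value would be encapsulated on output yet skipped by the fragmentation check here, leaving the two sites disagreeing on the same SA. Writing the test as `if (sav->natt_type != UDP_ENCAP_ESPINUDP)` (and likewise in ipsecif4_needfrag, the last hunk on this page) matches the header's new "one valid option" contract; the SADB-side rejection remains the real fix. In the -179 hunk `udp->uh_sport = key_portfromsaddr(&saidx->src);` is now unconditional, so a one-line comment that both ports come from the SA's NAT-T addresses is worth adding where the old fixed-port branch was. Both enclosing functions start outside their hunks.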
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ipsecif.c,v 1.9 2018/05/09 07:33:31 maxv Exp $ */
|
||||
/* $NetBSD: ipsecif.c,v 1.10 2018/05/31 07:03:57 maxv Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2017 Internet Initiative Japan Inc.
|
||||
|
@ -27,7 +27,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.9 2018/05/09 07:33:31 maxv Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.10 2018/05/31 07:03:57 maxv Exp $");
|
||||
|
||||
#ifdef _KERNEL_OPT
|
||||
#include "opt_inet.h"
|
||||
|
@ -173,8 +173,7 @@ ipsecif4_needfrag(struct mbuf *m, struct ipsecrequest *isr)
|
|||
if (sav == NULL)
|
||||
return 0;
|
||||
|
||||
if (!(sav->natt_type & UDP_ENCAP_ESPINUDP) &&
|
||||
!(sav->natt_type & UDP_ENCAP_ESPINUDP_NON_IKE)) {
|
||||
if (!(sav->natt_type & UDP_ENCAP_ESPINUDP)) {
|
||||
mtu = 0;
|
||||
goto out;
|
||||
}
|
||||
|
|