Module Name:    src
Committed By:   martin
Date:           Fri Mar 13 08:35:26 UTC 2020

Modified Files:
        src/sys/net [netbsd-8]: if_ipsec.c
        src/sys/netipsec [netbsd-8]: key.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1520):

        sys/netipsec/key.c: revision 1.271
        sys/net/if_ipsec.c: revision 1.28
        sys/net/if_ipsec.c: revision 1.29

Fix ipsecif(4) SPDADD pfkey message containing garbage (stale sockaddr entries).  Pointed out by ohishi@IIJ.

"setkey -x" output is the following.
========== before ==========
sadb_msg{ version=2 type=14 errno=0 satype=0
  len=15 reserved=0 seq=0 pid=0
sadb_ext{ len=56 type=18 }
sadb_x_policy{ type=2 dir=1 id=9 }
 { len=40 proto=50 mode=1 level=3 reqid=16393
sockaddr{ len=0 family=0  }
sockaddr{ len=0 family=0  }
 }
========== before ==========

========== after ==========
sadb_msg{ version=2 type=14 errno=0 satype=0
  len=11 reserved=0 seq=0 pid=0
sadb_ext{ len=24 type=18 }
sadb_x_policy{ type=2 dir=1 id=9 }
 { len=8 proto=50 mode=1 level=3 reqid=16393
 }
========== after ==========

reduce unnecessary reqid of NAT-T ipsecif(4), suggested by ohishi@IIJ.

Fix kern/55066.  Pointed out and fixed by Chuck Zmudzinski, thanks.
ok'ed by ozaki-r@n.o


To generate a diff of this commit:
cvs rdiff -u -r1.3.2.12 -r1.3.2.13 src/sys/net/if_ipsec.c
cvs rdiff -u -r1.163.2.14 -r1.163.2.15 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_ipsec.c
diff -u src/sys/net/if_ipsec.c:1.3.2.12 src/sys/net/if_ipsec.c:1.3.2.13
--- src/sys/net/if_ipsec.c:1.3.2.12	Tue Sep 24 18:27:09 2019
+++ src/sys/net/if_ipsec.c	Fri Mar 13 08:35:26 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipsec.c,v 1.3.2.12 2019/09/24 18:27:09 martin Exp $  */
+/*	$NetBSD: if_ipsec.c,v 1.3.2.13 2020/03/13 08:35:26 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3.2.12 2019/09/24 18:27:09 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3.2.13 2020/03/13 08:35:26 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1450,7 +1450,10 @@ if_ipsec_set_sadb_x_policy(struct sadb_x
 		xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
 		xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
 		xisr->sadb_x_ipsecrequest_level = level;
-		xisr->sadb_x_ipsecrequest_reqid = key_newreqid();
+		if (level == IPSEC_LEVEL_UNIQUE)
+			xisr->sadb_x_ipsecrequest_reqid = key_newreqid();
+		else
+			xisr->sadb_x_ipsecrequest_reqid = 0;
 	}
 
 	return size;
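Review bot: The new branch at L78-L81 zeroes the reqid for every level other than IPSEC_LEVEL_UNIQUE but gives no reason, and the distinction is not obvious to a reader of this function; a one-line comment would help, e.g. `/* A reqid is only meaningful for a unique-level policy (setkey(8) "unique:<id>"); other levels must carry 0. */`. Whether a non-zero reqid on a require/use-level policy actually restricted SA selection before this change cannot be seen from the hunk, so the comment should stay descriptive rather than claim the old behaviour was wrong. if_ipsec_set_sadb_x_policy starts before this hunk and its closing brace lies after it.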
@@ -1545,7 +1548,7 @@ if_ipsec_add_sp0(struct sockaddr *src, i
 	ext_msg_len += PFKEY_UNIT64(size);
 	size = if_ipsec_set_sadb_dst(&xdst, dst, proto);
 	ext_msg_len += PFKEY_UNIT64(size);
-	size = if_ipsec_set_sadb_x_policy(&xpl, &xisr, policy, dir, 0, level, src, dst);
+	size = if_ipsec_set_sadb_x_policy(&xpl, &xisr, policy, dir, 0, level, NULL, NULL);
 	ext_msg_len += PFKEY_UNIT64(size);
 	if_ipsec_set_sadb_msg_add(&msg, ext_msg_len);
 

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.14 src/sys/netipsec/key.c:1.163.2.15
--- src/sys/netipsec/key.c:1.163.2.14	Tue Sep 24 18:27:09 2019
+++ src/sys/netipsec/key.c	Fri Mar 13 08:35:26 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.14 2019/09/24 18:27:09 martin Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.15 2020/03/13 08:35:26 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.14 2019/09/24 18:27:09 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.15 2020/03/13 08:35:26 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -4741,7 +4741,7 @@ key_portcomp(in_port_t port1, in_port_t 
 	case PORT_STRICT:
 		if (port1 != port2) {
 			KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
-			    "port fail %d != %d\n", port1, port2);
+			    "port fail %d != %d\n", ntohs(port1), ntohs(port2));
 			return 1;
 		}
 		return 0;
@@ -4793,9 +4793,9 @@ key_sockaddr_match(
 		KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
 		    "addr success %s[%d] == %s[%d]\n",
 		    (in_print(s1, sizeof(s1), &sin1->sin_addr), s1),
-		    sin1->sin_port,
+		    ntohs(sin1->sin_port),
 		    (in_print(s2, sizeof(s2), &sin2->sin_addr), s2),
-		    sin2->sin_port);
+		    ntohs(sin2->sin_port));
 		break;
 	case AF_INET6:
 		sin61 = (const struct sockaddr_in6 *)sa1;
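Review bot: The AF_INET6 case that begins at L133 runs past the end of the hunk; if its KEYDEBUG_PRINTF prints sin6_port the same way the AF_INET case printed sin_port, it has the same byte-order bug this hunk fixes for AF_INET at L128 and L131 and should get the matching `ntohs(sin61->sin6_port)` / `ntohs(sin62->sin6_port)` conversion. That is inferred from symmetry only; the IPv6 print statement is not visible here. The `%d` conversions are fine since ntohs() yields a uint16_t that promotes to int, though `%u` would state the intent more precisely. key_sockaddr_match starts before this hunk and continues past it.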
