Module Name:    src
Committed By:   christos
Date:           Tue Jun  4 22:47:37 UTC 2013

Modified Files:
        src/sys/netinet: ip_output.c udp_usrreq.c
        src/sys/netipsec: files.netipsec ipsec.c ipsec.h ipsec_input.c
            ipsec_output.c key.c key.h keydb.h xform_ah.c xform_esp.c
            xform_ipcomp.c

Log Message:
PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access
outdated pointers and pass ESP data to UDP sockets.
While here, simplify the code and remove the IPSEC_NAT_T option; always
compile nat-traversal in so that it does not bitrot.


To generate a diff of this commit:
cvs rdiff -u -r1.218 -r1.219 src/sys/netinet/ip_output.c
cvs rdiff -u -r1.187 -r1.188 src/sys/netinet/udp_usrreq.c
cvs rdiff -u -r1.10 -r1.11 src/sys/netipsec/files.netipsec
cvs rdiff -u -r1.57 -r1.58 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.31 -r1.32 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.29 -r1.30 src/sys/netipsec/ipsec_input.c \
    src/sys/netipsec/xform_ipcomp.c
cvs rdiff -u -r1.38 -r1.39 src/sys/netipsec/ipsec_output.c \
    src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.79 -r1.80 src/sys/netipsec/key.c
cvs rdiff -u -r1.11 -r1.12 src/sys/netipsec/key.h
cvs rdiff -u -r1.12 -r1.13 src/sys/netipsec/keydb.h
cvs rdiff -u -r1.41 -r1.42 src/sys/netipsec/xform_esp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.218 src/sys/netinet/ip_output.c:1.219
--- src/sys/netinet/ip_output.c:1.218	Sat Feb  2 02:00:40 2013
+++ src/sys/netinet/ip_output.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.218 2013/02/02 07:00:40 kefren Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.219 2013/06/04 22:47:37 christos Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.218 2013/02/02 07:00:40 kefren Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.219 2013/06/04 22:47:37 christos Exp $");
 
 #include "opt_pfil_hooks.h"
 #include "opt_inet.h"
@@ -126,6 +126,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_output.c,
 #include <netinet/ip_private.h>
 #include <netinet/in_offload.h>
 #include <netinet/portalgo.h>
+#include <netinet/udp.h>
 
 #ifdef MROUTING
 #include <netinet/ip_mroute.h>
@@ -137,9 +138,6 @@ __KERNEL_RCSID(0, "$NetBSD: ip_output.c,
 #include <netipsec/xform.h>
 #endif	/* FAST_IPSEC*/
 
-#ifdef IPSEC_NAT_T
-#include <netinet/udp.h>
-#endif
 
 static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
 static struct ifnet *ip_multicast_if(struct in_addr *, int *);
@@ -179,9 +177,7 @@ ip_output(struct mbuf *m0, ...)
 	struct ip_moptions *imo;
 	struct socket *so;
 	va_list ap;
-#ifdef IPSEC_NAT_T
 	int natt_frag = 0;
-#endif
 #ifdef FAST_IPSEC
 	struct inpcb *inp;
 	struct secpolicy *sp = NULL;
@@ -518,22 +514,20 @@ sendit:
 		 *    sp == NULL, error != 0	    discard packet, report error
 		 */
 		if (sp != NULL) {
-#ifdef IPSEC_NAT_T
 			/*
-			 * NAT-T ESP fragmentation: don't do IPSec processing now,
-			 * we'll do it on each fragmented packet.
+			 * NAT-T ESP fragmentation: don't do IPSec processing
+			 * now, we'll do it on each fragmented packet.
 			 */
-			if (sp->req->sav &&
-					((sp->req->sav->natt_type & UDP_ENCAP_ESPINUDP) ||
-					 (sp->req->sav->natt_type & UDP_ENCAP_ESPINUDP_NON_IKE))) {
-				if (ntohs(ip->ip_len) > sp->req->sav->esp_frag) {
+			if (sp->req->sav && (sp->req->sav->natt_type &
+			    (UDP_ENCAP_ESPINUDP|UDP_ENCAP_ESPINUDP_NON_IKE))) {
+				if (ntohs(ip->ip_len) > sp->req->sav->esp_frag)
+				{
 					natt_frag = 1;
 					mtu = sp->req->sav->esp_frag;
 					splx(s);
 					goto spd_done;
 				}
 			}
-#endif /* IPSEC_NAT_T */
 
 			/*
 			 * Do delayed checksums now because we send before
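Review bot: The fragmentation shortcut still reads `sp->req->sav->natt_type` and `sp->req->sav->esp_frag` straight from the cached request pointer, which is the kind of SA pointer PR/47886 describes as going stale; this hunk only reflows the condition. If `sp->req->sav` can outlive the SA it points to (after expiry or rekeying), these reads land on freed memory and the SA should be resolved through the key database (key_allocsa_policy or equivalent) or its state checked first — that is inferred from the PR title, not from these lines, so confirm against the SA lifecycle code. The brace pushed onto its own line after `if (ntohs(ip->ip_len) > sp->req->sav->esp_frag)` departs from the KNF layout used elsewhere in this file; keep it on the `if` line by breaking the condition instead: `if (ntohs(ip->ip_len) >` / `    sp->req->sav->esp_frag) {`. ip_output begins and ends outside this hunk.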
@@ -711,19 +705,17 @@ spd_done:
 				ia->ia_ifa.ifa_data.ifad_outbytes +=
 				    ntohs(ip->ip_len);
 #endif
-#ifdef IPSEC_NAT_T
 			/*
-			 * If we get there, the packet has not been handeld by
+			 * If we get there, the packet has not been handled by
 			 * IPSec whereas it should have. Now that it has been
 			 * fragmented, re-inject it in ip_output so that IPsec
 			 * processing can occur.
 			 */
 			if (natt_frag) {
-				error = ip_output(m, opt,
-				    ro, flags | IP_RAWOUTPUT | IP_NOIPNEWID, imo, so, mtu_p);
-			} else
-#endif /* IPSEC_NAT_T */
-			{
+				error = ip_output(m, opt, ro,
+				    flags | IP_RAWOUTPUT | IP_NOIPNEWID,
+				    imo, so, mtu_p);
+			} else {
 				KASSERT((m->m_pkthdr.csum_flags &
 				    (M_CSUM_UDPv4 | M_CSUM_TCPv4)) == 0);
 				KERNEL_LOCK(1, NULL);
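Review bot: The re-injection comment should state why the recursive `ip_output()` call cannot loop: the fragments were cut at `mtu = esp_frag`, so on re-entry `ntohs(ip->ip_len) > esp_frag` is false and the NAT-T shortcut is not taken a second time — that is my reading of the earlier hunk, worth confirming against the fragmentation loop that sits between the two hunks. Propose rewording the first line to `* If we get here, the packet has not been handled by` and appending `* Each fragment is at most esp_frag bytes, so the NAT-T check` / `* above will not defer it again.`. The fragment loop and ip_output itself continue outside this hunk.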

Index: src/sys/netinet/udp_usrreq.c
diff -u src/sys/netinet/udp_usrreq.c:1.187 src/sys/netinet/udp_usrreq.c:1.188
--- src/sys/netinet/udp_usrreq.c:1.187	Fri Jun 22 10:54:35 2012
+++ src/sys/netinet/udp_usrreq.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.187 2012/06/22 14:54:35 christos Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.188 2013/06/04 22:47:37 christos Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.187 2012/06/22 14:54:35 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.188 2013/06/04 22:47:37 christos Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -148,10 +148,8 @@ struct	inpcbtable udbtable;
 percpu_t *udpstat_percpu;
 
 #ifdef INET
-#ifdef IPSEC_NAT_T
 static int udp4_espinudp (struct mbuf **, int, struct sockaddr *,
 	struct socket *);
-#endif
 static void udp4_sendup (struct mbuf *, int, struct sockaddr *,
 	struct socket *);
 static int udp4_realinput (struct sockaddr_in *, struct sockaddr_in *,
@@ -404,6 +402,14 @@ udp_input(struct mbuf *m, ...)
 		UDP_STATINC(UDP_STAT_HDROPS);
 		return;
 	}
+	if (m == NULL) {
+		/*
+		 * packet has been processed by ESP stuff -
+		 * e.g. dropped NAT-T-keep-alive-packet ...
+		 */
+		return;
+	}
+	ip = mtod(m, struct ip *);
 #ifdef INET6
 	if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) {
 		struct sockaddr_in6 src6, dst6;
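Review bot: `ip` is re-derived from `m` because `udp4_realinput()` may now hand back a different chain, but any other pointer taken from the old chain before the call — `uh`, if it is still read past this point — is equally stale and is not refreshed here. If `udp4_espinudp()` can pull up or otherwise replace the chain and still return 0 (packet turned out not to be ESP), re-derive such pointers too, e.g. `uh = (struct udphdr *)((char *)ip + iphlen);`, or document why nothing derived from the old chain survives past this point. A comment on the new check would also help the next reader: `/* udp4_realinput() may have consumed (ESP, keepalive) or replaced m */`. udp_input's body continues outside the hunk.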
@@ -804,7 +810,6 @@ udp4_realinput(struct sockaddr_in *src, 
 				return rcvcnt;
 		}
 
-#ifdef IPSEC_NAT_T
 		/* Handle ESP over UDP */
 		if (inp->inp_flags & INP_ESPINUDP_ALL) {
 			struct sockaddr *sa = (struct sockaddr *)src;
@@ -830,7 +835,6 @@ udp4_realinput(struct sockaddr_in *src, 
 				break;
 			}
 		}
-#endif
 
 		/*
 		 * Check the minimum TTL for socket.
@@ -1058,7 +1062,6 @@ udp_ctloutput(int op, struct socket *so,
 				break;
 
 			switch(optval) {
-#ifdef IPSEC_NAT_T
 			case 0:
 				inp->inp_flags &= ~INP_ESPINUDP_ALL;
 				break;
@@ -1072,7 +1075,6 @@ udp_ctloutput(int op, struct socket *so,
 				inp->inp_flags &= ~INP_ESPINUDP_ALL;
 				inp->inp_flags |= INP_ESPINUDP_NON_IKE;
 				break;
-#endif
 			default:
 				error = EINVAL;
 				break;
@@ -1437,7 +1439,7 @@ udp_statinc(u_int stat)
 	UDP_STATINC(stat);
 }
 
-#if (defined INET && defined IPSEC_NAT_T)
+#if defined(INET)
 /*
  * Returns:
  * 1 if the packet was processed
@@ -1455,7 +1457,6 @@ udp4_espinudp(struct mbuf **mp, int off,
 	size_t minlen;
 	size_t iphdrlen;
 	struct ip *ip;
-	struct mbuf *n;
 	struct m_tag *tag;
 	struct udphdr *udphdr;
 	u_int16_t sport, dport;
@@ -1483,6 +1484,8 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	/* Ignore keepalive packets */
 	if ((len == 1) && (*(unsigned char *)data == 0xff)) {
+		m_free(m);
+		*mp = NULL; /* avoid any further processiong by caller ... */
 		return 1;
 	}
 
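Review bot: `m_free(m)` on the keepalive path releases only the first mbuf of the chain, whereas the error path later in this function uses `m_freem(m)`; a keepalive whose single payload byte sits in a second mbuf would leak the rest of the chain. Use `m_freem(m);` here for consistency and to free the whole chain. The comment also carries a typo — `*mp = NULL; /* avoid any further processing by caller */`. udp4_espinudp begins and ends outside this hunk.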
@@ -1542,16 +1545,9 @@ udp4_espinudp(struct mbuf **mp, int off,
 	ip->ip_p = IPPROTO_ESP;
 
 	/*
-	 * Copy the mbuf to avoid multiple free, as both
-	 * esp4_input (which we call) and udp_input (which
-	 * called us) free the mbuf.
-	 */
-	if ((n = m_dup(m, 0, M_COPYALL, M_DONTWAIT)) == NULL) {
-		printf("udp4_espinudp: m_dup failed\n");
-		return 0;
-	}
-
-	/*
+	 * We have modified the packet - it is now ESP, so we should not
+	 * return to UDP processing ... 
+	 *
 	 * Add a PACKET_TAG_IPSEC_NAT_T_PORT tag to remember
 	 * the source UDP port. This is required if we want
 	 * to select the right SPD for multiple hosts behind 
@@ -1560,20 +1556,21 @@ udp4_espinudp(struct mbuf **mp, int off,
 	if ((tag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS,
 	    sizeof(sport) + sizeof(dport), M_DONTWAIT)) == NULL) {
 		printf("udp4_espinudp: m_tag_get failed\n");
-		m_freem(n);
-		return 0;
+		m_freem(m);
+		return -1;
 	}
 	((u_int16_t *)(tag + 1))[0] = sport;
 	((u_int16_t *)(tag + 1))[1] = dport;
-	m_tag_prepend(n, tag);
+	m_tag_prepend(m, tag);
 
 #ifdef FAST_IPSEC
-	ipsec4_common_input(n, iphdrlen, IPPROTO_ESP);
+	ipsec4_common_input(m, iphdrlen, IPPROTO_ESP);
 #else
-	esp4_input(n, iphdrlen);
+	esp4_input(m, iphdrlen);
 #endif
 
 	/* We handled it, it shouldn't be handled by UDP */
+	*mp = NULL; /* avoid free by caller ... */
 	return 1;
 }
 #endif
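Review bot: The `m_tag_get` failure path frees `m` and returns -1 but, unlike the keepalive and success paths, leaves `*mp` pointing at the freed chain; add `*mp = NULL;` before `return -1;` so a caller that touches `*mp` after a -1 cannot hit a use-after-free. The -1 return is new for this function, and the `Returns:` header comment (partly outside this hunk) should list it, e.g. `* -1 if the packet was consumed and freed because of an error`. Now that the mbuf is modified in place instead of duplicated, any `return 0` placed after `ip->ip_p = IPPROTO_ESP;` would hand an ESP packet to the UDP socket again — the exact bug being fixed — so a comment at that line saying that no "not ours" return may follow it would protect future edits. udp4_espinudp begins outside this hunk.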

Index: src/sys/netipsec/files.netipsec
diff -u src/sys/netipsec/files.netipsec:1.10 src/sys/netipsec/files.netipsec:1.11
--- src/sys/netipsec/files.netipsec:1.10	Thu Mar 22 16:34:42 2012
+++ src/sys/netipsec/files.netipsec	Tue Jun  4 18:47:37 2013
@@ -1,9 +1,8 @@
-#	$Id: files.netipsec,v 1.10 2012/03/22 20:34:42 drochner Exp $
+#	$Id: files.netipsec,v 1.11 2013/06/04 22:47:37 christos Exp $
 #
 #
 defflag opt_ipsec.h	FAST_IPSEC:	opencrypto
 defflag opt_ipsec.h	IPSEC: FAST_IPSEC
-defflag opt_ipsec.h	IPSEC_NAT_T
 defflag opt_ipsec.h	IPSEC_DEBUG
 
 file	netipsec/ipsec.c		fast_ipsec	needs-flag

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.57 src/sys/netipsec/ipsec.c:1.58
--- src/sys/netipsec/ipsec.c:1.57	Fri Dec  7 10:29:38 2012
+++ src/sys/netipsec/ipsec.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.57 2012/12/07 15:29:38 christos Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.58 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.57 2012/12/07 15:29:38 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.58 2013/06/04 22:47:37 christos Exp $");
 
 /*
  * IPsec controller part.
@@ -2274,6 +2274,17 @@ xform_init(struct secasvar *sav, int xft
 	return EINVAL;
 }
 
+void
+nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport) {
+	struct m_tag *tag;
+
+	if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
+		*sport = ((u_int16_t *)(tag + 1))[0];
+		*dport = ((u_int16_t *)(tag + 1))[1];
+	} else
+		*sport = *dport = 0;
+}
+
 #ifdef __NetBSD__
 /*
  * XXXJRT This should be done as a protosw init call.

Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.31 src/sys/netipsec/ipsec.h:1.32
--- src/sys/netipsec/ipsec.h:1.31	Fri Jan  6 09:17:11 2012
+++ src/sys/netipsec/ipsec.h	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.31 2012/01/06 14:17:11 drochner Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.32 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -349,6 +349,8 @@ int ipsec_clear_socket_cache(struct mbuf
   return 0;
 }
 
+void nat_t_ports_get(struct mbuf *, u_int16_t *, u_int16_t *);
+
 
 #endif /* _KERNEL */
 

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.29 src/sys/netipsec/ipsec_input.c:1.30
--- src/sys/netipsec/ipsec_input.c:1.29	Wed Jan 25 16:58:10 2012
+++ src/sys/netipsec/ipsec_input.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.30 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.29 2012/01/25 21:58:10 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.30 2013/06/04 22:47:37 christos Exp $");
 
 /*
  * IPsec input processing.
@@ -129,12 +129,9 @@ ipsec_common_input(struct mbuf *m, int s
 	union sockaddr_union dst_address;
 	struct secasvar *sav;
 	u_int32_t spi;
-	u_int16_t sport = 0;
-	u_int16_t dport = 0;
+	u_int16_t sport;
+	u_int16_t dport;
 	int s, error;
-#ifdef IPSEC_NAT_T
-	struct m_tag * tag = NULL;
-#endif
 
 	IPSEC_ISTAT(sproto, ESP_STAT_INPUT, AH_STAT_INPUT,
 		IPCOMP_STAT_INPUT);
@@ -173,13 +170,8 @@ ipsec_common_input(struct mbuf *m, int s
 	}
 		
 
-#ifdef IPSEC_NAT_T
 	/* find the source port for NAT-T */
-	if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
-		sport = ((u_int16_t *)(tag + 1))[0];
-		dport = ((u_int16_t *)(tag + 1))[1];
-	}
-#endif
+	nat_t_ports_get(m, &dport, &sport);
 
 	/*
 	 * Find the SA and (indirectly) call the appropriate
Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.29 src/sys/netipsec/xform_ipcomp.c:1.30
--- src/sys/netipsec/xform_ipcomp.c:1.29	Wed Jan 25 15:31:23 2012
+++ src/sys/netipsec/xform_ipcomp.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.30 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.30 2013/06/04 22:47:37 christos Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #include "opt_inet.h"
@@ -243,11 +243,8 @@ ipcomp_input_cb(struct cryptop *crp)
 	int s, hlen = IPCOMP_HLENGTH, error, clen;
 	u_int8_t nproto;
 	void *addr;
-	u_int16_t dport = 0;
-	u_int16_t sport = 0;
-#ifdef IPSEC_NAT_T
-	struct m_tag * tag = NULL;
-#endif
+	u_int16_t dport;
+	u_int16_t sport;
 
 	crd = crp->crp_desc;
 
@@ -258,13 +255,8 @@ ipcomp_input_cb(struct cryptop *crp)
 	mtag = (struct mtag *) tc->tc_ptr;
 	m = (struct mbuf *) crp->crp_buf;
 
-#ifdef IPSEC_NAT_T
 	/* find the source port for NAT-T */
-	if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
-		sport = ((u_int16_t *)(tag + 1))[0];
-		dport = ((u_int16_t *)(tag + 1))[1];
-	}
-#endif
+	nat_t_ports_get(m, &dport, &sport);
 
 	s = splsoftnet();
 	mutex_enter(softnet_lock);

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.38 src/sys/netipsec/ipsec_output.c:1.39
--- src/sys/netipsec/ipsec_output.c:1.38	Tue Jan 10 15:01:57 2012
+++ src/sys/netipsec/ipsec_output.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.39 2013/06/04 22:47:37 christos Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.38 2012/01/10 20:01:57 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.39 2013/06/04 22:47:37 christos Exp $");
 
 /*
  * IPsec output processing.
@@ -72,9 +72,7 @@ __KERNEL_RCSID(0, "$NetBSD: ipsec_output
 #ifdef INET6
 #include <netinet/icmp6.h>
 #endif
-#ifdef IPSEC_NAT_T
 #include <netinet/udp.h>
-#endif
 
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec_var.h>
@@ -172,12 +170,10 @@ ipsec_process_done(struct mbuf *m, struc
 #ifdef INET6
 	struct ip6_hdr * ip6;
 #endif /* INET6 */
-#ifdef IPSEC_NAT_T
 	struct mbuf * mo;
 	struct udphdr *udp = NULL;
 	uint64_t * data = NULL;
 	int hlen, roff;
-#endif /* IPSEC_NAT_T */
 
 	IPSEC_SPLASSERT_SOFTNET("ipsec_process_done");
 
@@ -189,7 +185,6 @@ ipsec_process_done(struct mbuf *m, struc
 
 	saidx = &sav->sah->saidx;
 
-#ifdef IPSEC_NAT_T
 	if(sav->natt_type != 0) {
 		ip = mtod(m, struct ip *);
 
@@ -222,7 +217,6 @@ ipsec_process_done(struct mbuf *m, struc
 		udp->uh_sum = 0;
 		udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2));
 	}
-#endif /* IPSEC_NAT_T */
 	
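Review bot: `if(sav->natt_type != 0) {` is missing the space after `if` that KNF and the rest of this function use; now that the block is compiled in every build the nit is no longer hidden behind an option, so write `if (sav->natt_type != 0) {`. The NAT-T UDP header insertion between these two context lines is outside the hunk.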
 	switch (saidx->dst.sa.sa_family) {
 #ifdef INET
@@ -230,10 +224,8 @@ ipsec_process_done(struct mbuf *m, struc
 		/* Fix the header length, for AH processing. */
 		ip = mtod(m, struct ip *);
 		ip->ip_len = htons(m->m_pkthdr.len);
-#ifdef IPSEC_NAT_T
 		if (sav->natt_type != 0)
 			ip->ip_p = IPPROTO_UDP;
-#endif /* IPSEC_NAT_T */
 		break;
 #endif /* INET */
 #ifdef INET6
@@ -250,10 +242,8 @@ ipsec_process_done(struct mbuf *m, struc
 		}
 		ip6 = mtod(m, struct ip6_hdr *);
 		ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
-#ifdef IPSEC_NAT_T
 		if (sav->natt_type != 0)
 			ip6->ip6_nxt = IPPROTO_UDP;
-#endif /* IPSEC_NAT_T */
 		break;
 #endif /* INET6 */
 	default:
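Review bot: On this path an IPv6 SA with `natt_type != 0` goes out as UDP with `udp->uh_sum = 0` (set earlier in this function, visible in the hunk above), but a zero UDP checksum is not valid over IPv6 (RFC 2460 §8.1; RFC 3948 defines UDP encapsulation for IPv4 only), so a conforming peer will discard the packet. If NAT-T over IPv6 is meant to work, compute the checksum here once `ip6_plen` is set — roughly `udp->uh_sum = in6_cksum(m, IPPROTO_UDP, sizeof(*ip6), ntohs(udp->uh_ulen));`, assuming `udp` still points into `m` at this point — otherwise reject `natt_type` on AF_INET6 SAs at SA creation and say so in a comment here. Whether any IKE daemon ever sets natt_type on a v6 SA is not visible from this diff.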
Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.38 src/sys/netipsec/xform_ah.c:1.39
--- src/sys/netipsec/xform_ah.c:1.38	Thu Aug 30 08:16:49 2012
+++ src/sys/netipsec/xform_ah.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.38 2012/08/30 12:16:49 drochner Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.39 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.38 2012/08/30 12:16:49 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.39 2013/06/04 22:47:37 christos Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -827,11 +827,8 @@ ah_input_cb(struct cryptop *crp)
 	u_int8_t nxt;
 	char *ptr;
 	int s, authsize;
-	u_int16_t dport = 0;
-	u_int16_t sport = 0;
-#ifdef IPSEC_NAT_T
-	struct m_tag * tag = NULL;
-#endif
+	u_int16_t dport;
+	u_int16_t sport;
 
 	crd = crp->crp_desc;
 
@@ -844,13 +841,8 @@ ah_input_cb(struct cryptop *crp)
 	m = (struct mbuf *) crp->crp_buf;
 
 
-#ifdef IPSEC_NAT_T
 	/* find the source port for NAT-T */
-	if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
-		sport = ((u_int16_t *)(tag + 1))[0];
-		dport = ((u_int16_t *)(tag + 1))[1];
-	}
-#endif
+	nat_t_ports_get(m, &dport, &sport);
 
 	s = splsoftnet();
 	mutex_enter(softnet_lock);

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.79 src/sys/netipsec/key.c:1.80
--- src/sys/netipsec/key.c:1.79	Thu Sep 20 19:50:05 2012
+++ src/sys/netipsec/key.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.79 2012/09/20 23:50:05 gdt Exp $	*/
+/*	$NetBSD: key.c,v 1.80 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.79 2012/09/20 23:50:05 gdt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.80 2013/06/04 22:47:37 christos Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -400,10 +400,8 @@ static int key_spddump (struct socket *,
 	const struct sadb_msghdr *);
 static struct mbuf * key_setspddump (int *errorp, pid_t);
 static struct mbuf * key_setspddump_chain (int *errorp, int *lenp, pid_t pid);
-#ifdef IPSEC_NAT_T
 static int key_nat_map (struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
-#endif
 static struct mbuf *key_setdumpsp (struct secpolicy *,
 	u_int8_t, u_int32_t, pid_t);
 static u_int key_getspreqmsglen (const struct secpolicy *);
@@ -424,11 +422,9 @@ static int key_setsaval (struct secasvar
 static int key_mature (struct secasvar *);
 static struct mbuf *key_setdumpsa (struct secasvar *, u_int8_t,
 	u_int8_t, u_int32_t, u_int32_t);
-#ifdef IPSEC_NAT_T
 static struct mbuf *key_setsadbxport (u_int16_t, u_int16_t);
 static struct mbuf *key_setsadbxtype (u_int16_t);
 static struct mbuf *key_setsadbxfrag (u_int16_t);
-#endif
 static void key_porttosaddr (union sockaddr_union *, u_int16_t);
 static int key_checksalen (const union sockaddr_union *);
 static struct mbuf *key_setsadbmsg (u_int8_t, u_int16_t, u_int8_t,
@@ -465,13 +461,11 @@ static int key_getspi (struct socket *, 
 	const struct sadb_msghdr *);
 static u_int32_t key_do_getnewspi (const struct sadb_spirange *,
 					const struct secasindex *);
-#ifdef IPSEC_NAT_T
 static int key_handle_natt_info (struct secasvar *,
 				     const struct sadb_msghdr *);
 static int key_set_natt_ports (union sockaddr_union *,
 			 	union sockaddr_union *,
 				const struct sadb_msghdr *);
-#endif
 static int key_update (struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 #ifdef IPSEC_DOSEQCHECK
@@ -1102,10 +1096,8 @@ key_allocsa(
 	u_int16_t cpi = 0;
 	u_int8_t algo = 0;
 
-#ifdef IPSEC_NAT_T
 	if ((sport != 0) && (dport != 0))
 		chkport = 1;
-#endif
 
 	IPSEC_ASSERT(dst != NULL, ("key_allocsa: null dst address"));
 
@@ -2574,7 +2566,6 @@ key_spddump(struct socket *so, struct mb
 	return error;
 }
 
-#ifdef IPSEC_NAT_T
 /*
  * SADB_X_NAT_T_NEW_MAPPING. Unused by racoon as of 2005/04/23
  */
@@ -2639,7 +2630,6 @@ key_nat_map(struct socket *so, struct mb
 
 	return 0;
 }
-#endif /* IPSEC_NAT_T */
 
 static struct mbuf *
 key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, pid_t pid)
@@ -3191,10 +3181,8 @@ key_setsaval(struct secasvar *sav, struc
 	sav->tdb_encalgxform = NULL;	/* encoding algorithm */
 	sav->tdb_authalgxform = NULL;	/* authentication algorithm */
 	sav->tdb_compalgxform = NULL;	/* compression algorithm */
-#ifdef IPSEC_NAT_T
 	sav->natt_type = 0;
 	sav->esp_frag = 0;
-#endif
 
 	/* SA */
 	if (mhp->ext[SADB_EXT_SA] != NULL) {
@@ -3520,12 +3508,10 @@ key_setdumpsa(struct secasvar *sav, u_in
 		SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH,
 		SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC,
 		SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY,
-#ifdef IPSEC_NAT_T
 		SADB_X_EXT_NAT_T_TYPE,
 		SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT,
 		SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR,
 		SADB_X_EXT_NAT_T_FRAG,
-#endif
 
 	};
 
@@ -3598,7 +3584,6 @@ key_setdumpsa(struct secasvar *sav, u_in
 			p = sav->lft_s;
 			break;
 
-#ifdef IPSEC_NAT_T
 		case SADB_X_EXT_NAT_T_TYPE:
 			m = key_setsadbxtype(sav->natt_type);
 			break;
@@ -3629,7 +3614,6 @@ key_setdumpsa(struct secasvar *sav, u_in
 		case SADB_X_EXT_NAT_T_OAI:
 		case SADB_X_EXT_NAT_T_OAR:
 			continue;
-#endif
 
 		case SADB_EXT_ADDRESS_PROXY:
 		case SADB_EXT_IDENTITY_SRC:
@@ -3687,7 +3671,6 @@ fail:
 }
 
 
-#ifdef IPSEC_NAT_T
 /*
  * set a type in sadb_x_nat_t_type
  */
@@ -3802,7 +3785,6 @@ key_portfromsaddr(const union sockaddr_u
 	return port;
 }
 
-#endif /* IPSEC_NAT_T */
 
 /*
  * Set port is struct sockaddr. port is in network order
@@ -4250,7 +4232,6 @@ key_cmpsaidx(
 	 * in the SPD: This means we have a non-generated
 	 * SPD which can't know UDP ports.
 	 */
-#ifdef IPSEC_NAT_T
 	if (saidx1->mode == IPSEC_MODE_TUNNEL &&
 	    ((((const struct sockaddr *)(&saidx1->src))->sa_family == AF_INET &&
 	      ((const struct sockaddr *)(&saidx1->dst))->sa_family == AF_INET &&
@@ -4261,7 +4242,6 @@ key_cmpsaidx(
 	      ((const struct sockaddr_in6 *)(&saidx1->src))->sin6_port &&
 	      ((const struct sockaddr_in6 *)(&saidx1->dst))->sin6_port)))
 		chkport = 1;
-#endif
 
 		if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, chkport) != 0) {
 			return 0;
@@ -4846,10 +4826,8 @@ key_setsecasidx(int proto, int mode, int
 	memcpy(&saidx->src, src_u, src_u->sa.sa_len);
 	memcpy(&saidx->dst, dst_u, dst_u->sa.sa_len);
 
-#ifndef IPSEC_NAT_T
 	key_porttosaddr(&((saidx)->src),0);
 	key_porttosaddr(&((saidx)->dst),0);
-#endif
 	return 0;
 }
 
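Review bot: Dropping `#ifndef IPSEC_NAT_T` here keeps the two `key_porttosaddr(..., 0)` calls, so `key_setsecasidx()` now always zeroes the ports copied from SADB_EXT_ADDRESS_SRC/DST — the opposite of what an IPSEC_NAT_T kernel did before this commit, where the block was compiled out. That is only harmless if `key_set_natt_ports()`, called right after this in key_getspi/key_add/key_update and friends, re-establishes the ports on every NAT-T SA; if it leaves them untouched when the SADB_X_EXT_NAT_T_* extensions are absent, SAs whose ports were carried only in the address extensions lose them and lookups with chkport set will miss. If the intent was to preserve the NAT-T behaviour, delete the two calls rather than the `#ifndef`; either way a comment stating the intended source of the ports would help, e.g. `/* Ports are taken from SADB_X_EXT_NAT_T_{S,D}PORT, never from the address extensions. */`.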
@@ -4916,10 +4894,8 @@ key_getspi(struct socket *so, struct mbu
 				     dst0 + 1, &saidx)) != 0)
 		return key_senderror(so, m, EINVAL);
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif
 
 	/* SPI allocation */
 	spi = key_do_getnewspi((struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE],
@@ -5098,8 +5074,6 @@ key_do_getnewspi(const struct sadb_spira
 	return newspi;
 }
 
-#ifdef IPSEC_NAT_T
-/* Handle IPSEC_NAT_T info if present */
 static int
 key_handle_natt_info(struct secasvar *sav,
       		     const struct sadb_msghdr *mhp)
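Review bot: Removing the `#ifdef` also deleted the only descriptive comment on `key_handle_natt_info()` (`/* Handle IPSEC_NAT_T info if present */`), leaving the function undocumented. Restore it in option-free wording, e.g. `/* Apply the SADB_X_EXT_NAT_T_* extensions to sav, if present. */` — presumably type, ports and frag, given the fields key_setsaval resets, but the body that reads them is outside this hunk.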
@@ -5222,7 +5196,6 @@ key_set_natt_ports(union sockaddr_union 
 
 	return 0;
 }
-#endif
 
 
 /*
@@ -5298,10 +5271,8 @@ key_update(struct socket *so, struct mbu
 				     dst0 + 1, &saidx)) != 0)
 		return key_senderror(so, m, EINVAL);
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif
 
 	/* get a SA header */
 	if ((sah = key_getsah(&saidx)) == NULL) {
@@ -5363,10 +5334,8 @@ key_update(struct socket *so, struct mbu
 		return key_senderror(so, m, error);
 	}
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_handle_natt_info(sav,mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif /* IPSEC_NAT_T */
 
 	/* check SA values to be mature. */
 	if ((mhp->msg->sadb_msg_errno = key_mature(sav)) != 0) {
@@ -5500,10 +5469,8 @@ key_add(struct socket *so, struct mbuf *
 				     dst0 + 1, &saidx)) != 0)
 		return key_senderror(so, m, EINVAL);
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif
 
 	/* get a SA header */
 	if ((newsah = key_getsah(&saidx)) == NULL) {
@@ -5532,10 +5499,8 @@ key_add(struct socket *so, struct mbuf *
 		return key_senderror(so, m, error);
 	}
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_handle_natt_info(newsav, mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif /* IPSEC_NAT_T */
 
 	/* check SA values to be mature. */
 	if ((error = key_mature(newsav)) != 0) {
@@ -5733,10 +5698,8 @@ key_delete(struct socket *so, struct mbu
 				     dst0 + 1, &saidx)) != 0)
 		return key_senderror(so, m, EINVAL);
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif
 
 	/* get a SA header */
 	LIST_FOREACH(sah, &sahtree, chain) {
@@ -5803,10 +5766,8 @@ key_delete_all(struct socket *so, struct
 				     dst0 + 1, &saidx)) != 0)
 		return key_senderror(so, m, EINVAL);
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif
 
 	LIST_FOREACH(sah, &sahtree, chain) {
 		if (sah->state == SADB_SASTATE_DEAD)
@@ -5917,10 +5878,8 @@ key_get(struct socket *so, struct mbuf *
 				     dst0 + 1, &saidx)) != 0)
 		return key_senderror(so, m, EINVAL);
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif
 
 	/* get a SA header */
 	LIST_FOREACH(sah, &sahtree, chain) {
@@ -6601,10 +6560,8 @@ key_acquire2(struct socket *so, struct m
 				     dst0 + 1, &saidx)) != 0)
 		return key_senderror(so, m, EINVAL);
 
-#ifdef IPSEC_NAT_T
 	if ((error = key_set_natt_ports(&saidx.src, &saidx.dst, mhp)) != 0)
 		return key_senderror(so, m, EINVAL);
-#endif
 
 	/* get a SA index */
 	LIST_FOREACH(sah, &sahtree, chain) {
@@ -7287,9 +7244,7 @@ static int (*key_typesw[]) (struct socke
 	key_spdadd,	/* SADB_X_SPDSETIDX */
 	NULL,		/* SADB_X_SPDEXPIRE */
 	key_spddelete2,	/* SADB_X_SPDDELETE2 */
-#ifdef IPSEC_NAT_T
-       key_nat_map,	/* SADB_X_NAT_T_NEW_MAPPING */
-#endif
+	key_nat_map,	/* SADB_X_NAT_T_NEW_MAPPING */
 };
 
 /*
@@ -7624,14 +7579,12 @@ key_align(struct mbuf *m, struct sadb_ms
 		case SADB_EXT_SPIRANGE:
 		case SADB_X_EXT_POLICY:
 		case SADB_X_EXT_SA2:
-#ifdef IPSEC_NAT_T
 		case SADB_X_EXT_NAT_T_TYPE:
 		case SADB_X_EXT_NAT_T_SPORT:
 		case SADB_X_EXT_NAT_T_DPORT:
 		case SADB_X_EXT_NAT_T_OAI:
 		case SADB_X_EXT_NAT_T_OAR:
 		case SADB_X_EXT_NAT_T_FRAG:
-#endif
 			/* duplicate check */
 			/*
 			 * XXX Are there duplication payloads of either

Index: src/sys/netipsec/key.h
diff -u src/sys/netipsec/key.h:1.11 src/sys/netipsec/key.h:1.12
--- src/sys/netipsec/key.h:1.11	Thu Jun  9 15:54:18 2011
+++ src/sys/netipsec/key.h	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.h,v 1.11 2011/06/09 19:54:18 drochner Exp $	*/
+/*	$NetBSD: key.h,v 1.12 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $	*/
 
@@ -107,9 +107,7 @@ void key_init (void);
 void key_sa_recordxfer (struct secasvar *, struct mbuf *);
 void key_sa_routechange (struct sockaddr *);
 
-#ifdef IPSEC_NAT_T
 u_int16_t key_portfromsaddr (const union sockaddr_union *);
-#endif
 
 
 

Index: src/sys/netipsec/keydb.h
diff -u src/sys/netipsec/keydb.h:1.12 src/sys/netipsec/keydb.h:1.13
--- src/sys/netipsec/keydb.h:1.12	Wed Aug 29 16:37:51 2012
+++ src/sys/netipsec/keydb.h	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: keydb.h,v 1.12 2012/08/29 20:37:51 drochner Exp $	*/
+/*	$NetBSD: keydb.h,v 1.13 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/keydb.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $	*/
 
@@ -128,10 +128,8 @@ struct secasvar {
 	const struct comp_algo *tdb_compalgxform; /* compression algorithm */
 	u_int64_t tdb_cryptoid;		/* crypto session id */
 
-#ifdef IPSEC_NAT_T
 	u_int16_t natt_type;
 	u_int16_t esp_frag;
-#endif
 };
 
 /* replay prevention */

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.41 src/sys/netipsec/xform_esp.c:1.42
--- src/sys/netipsec/xform_esp.c:1.41	Thu Aug 30 08:16:49 2012
+++ src/sys/netipsec/xform_esp.c	Tue Jun  4 18:47:37 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.41 2012/08/30 12:16:49 drochner Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.42 2013/06/04 22:47:37 christos Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.41 2012/08/30 12:16:49 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.42 2013/06/04 22:47:37 christos Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -511,11 +511,8 @@ esp_input_cb(struct cryptop *crp)
 	struct secasvar *sav;
 	struct secasindex *saidx;
 	void *ptr;
-	u_int16_t dport = 0;
-	u_int16_t sport = 0;
-#ifdef IPSEC_NAT_T
-	struct m_tag * tag = NULL;
-#endif
+	u_int16_t dport;
+	u_int16_t sport;
 
 	crd = crp->crp_desc;
 	IPSEC_ASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!"));
@@ -527,13 +524,8 @@ esp_input_cb(struct cryptop *crp)
 	mtag = (struct m_tag *) tc->tc_ptr;
 	m = (struct mbuf *) crp->crp_buf;
 
-#ifdef IPSEC_NAT_T
 	/* find the source port for NAT-T */
-	if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
-		sport = ((u_int16_t *)(tag + 1))[0];
-		dport = ((u_int16_t *)(tag + 1))[1];
-	}
-#endif
+	nat_t_ports_get(m, &dport, &sport);
 
 	s = splsoftnet();
 	mutex_enter(softnet_lock);
