Module Name:    src
Committed By:   maxv
Date:           Thu May 31 07:03:57 UTC 2018

Modified Files:
        src/share/man/man4: udp.4
        src/sys/netinet: in_pcb.h udp_usrreq.c
        src/sys/netipsec: ipsec_output.c ipsecif.c

Log Message:
Remove support for non-IKE markers in the kernel. Discussed on tech-net@,
and now in PR/53334. Basically non-IKE markers come from a deprecated
draft, and our kernel code for them has never worked.

Setsockopt will now reject UDP_ENCAP_ESPINUDP_NON_IKE.

Perhaps we should also add a check in key_handle_natt_info(), to make
sure we also reject UDP_ENCAP_ESPINUDP_NON_IKE in the SADB.


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/share/man/man4/udp.4
cvs rdiff -u -r1.65 -r1.66 src/sys/netinet/in_pcb.h
cvs rdiff -u -r1.252 -r1.253 src/sys/netinet/udp_usrreq.c
cvs rdiff -u -r1.78 -r1.79 src/sys/netipsec/ipsec_output.c
cvs rdiff -u -r1.9 -r1.10 src/sys/netipsec/ipsecif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/man/man4/udp.4
diff -u src/share/man/man4/udp.4:1.14 src/share/man/man4/udp.4:1.15
--- src/share/man/man4/udp.4:1.14	Mon Nov 12 05:13:28 2012
+++ src/share/man/man4/udp.4	Thu May 31 07:03:57 2018
@@ -1,4 +1,4 @@
-.\"	$NetBSD: udp.4,v 1.14 2012/11/12 05:13:28 christos Exp $
+.\"	$NetBSD: udp.4,v 1.15 2018/05/31 07:03:57 maxv Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"     @(#)udp.4	8.1 (Berkeley) 6/5/93
 .\"
-.Dd June 20, 2012
+.Dd May 31, 2018
 .Dt UDP 4
 .Os
 .Sh NAME
@@ -111,11 +111,9 @@ option can be used to encapsulate
 .Tn ESP
 packets in
 .Tn UDP .
-There are two valid encapsulation options:
-.Tn UDP_ENCAP_ESPINUDP_NON_IKE
-from draft-ietf-ipsec-nat-t-ike-00/01 and
+There is one valid encapsulation option:
 .Tn UDP_ENCAP_ESPINUDP
-from draft-ietf-ipsec-udp-encaps-06
+from RFC3948
 defined in
 .In netinet/udp.h .
 .Pp

Index: src/sys/netinet/in_pcb.h
diff -u src/sys/netinet/in_pcb.h:1.65 src/sys/netinet/in_pcb.h:1.66
--- src/sys/netinet/in_pcb.h:1.65	Mon Jan  1 00:51:36 2018
+++ src/sys/netinet/in_pcb.h	Thu May 31 07:03:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: in_pcb.h,v 1.65 2018/01/01 00:51:36 christos Exp $	*/
+/*	$NetBSD: in_pcb.h,v 1.66 2018/05/31 07:03:57 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -113,7 +113,6 @@ struct inpcb {
 /* XXX should move to an UDP control block */
 #define INP_ESPINUDP		0x0100	/* ESP over UDP for NAT-T */
 #define INP_ESPINUDP_NON_IKE	0x0200	/* ESP over UDP for NAT-T */
-#define INP_ESPINUDP_ALL	(INP_ESPINUDP|INP_ESPINUDP_NON_IKE)
 #define INP_NOHEADER		0x0400	/* Kernel removes IP header
 					 * before feeding a packet
 					 * to the raw socket user.
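Review bot: INP_ESPINUDP_NON_IKE (0x0200) stays defined on the line above the removed INP_ESPINUDP_ALL, but after this commit nothing in the diff sets or tests it: udp_ctloutput no longer assigns it and udp4_espinudp no longer reads it. Unless a user outside this diff still references the bit, the define is dead and its comment, identical to INP_ESPINUDP's "ESP over UDP for NAT-T", invites someone to reuse it as a live flag. Either drop it together with INP_ESPINUDP_ALL, or retire the bit explicitly, e.g. `/* 0x0200 was INP_ESPINUDP_NON_IKE; non-IKE markers are no longer supported */`.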

Index: src/sys/netinet/udp_usrreq.c
diff -u src/sys/netinet/udp_usrreq.c:1.252 src/sys/netinet/udp_usrreq.c:1.253
--- src/sys/netinet/udp_usrreq.c:1.252	Fri May 18 18:58:51 2018
+++ src/sys/netinet/udp_usrreq.c	Thu May 31 07:03:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.252 2018/05/18 18:58:51 maxv Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.253 2018/05/31 07:03:57 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.252 2018/05/18 18:58:51 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.253 2018/05/31 07:03:57 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -598,7 +598,7 @@ udp4_realinput(struct sockaddr_in *src, 
 
 #ifdef IPSEC
 		/* Handle ESP over UDP */
-		if (inp->inp_flags & INP_ESPINUDP_ALL) {
+		if (inp->inp_flags & INP_ESPINUDP) {
 			switch (udp4_espinudp(mp, off, inp->inp_socket)) {
 			case -1: /* Error, m was freed */
 				rcvcnt = -1;
@@ -732,18 +732,13 @@ udp_ctloutput(int op, struct socket *so,
 
 			switch(optval) {
 			case 0:
-				inp->inp_flags &= ~INP_ESPINUDP_ALL;
+				inp->inp_flags &= ~INP_ESPINUDP;
 				break;
 
 			case UDP_ENCAP_ESPINUDP:
-				inp->inp_flags &= ~INP_ESPINUDP_ALL;
 				inp->inp_flags |= INP_ESPINUDP;
 				break;
 
-			case UDP_ENCAP_ESPINUDP_NON_IKE:
-				inp->inp_flags &= ~INP_ESPINUDP_ALL;
-				inp->inp_flags |= INP_ESPINUDP_NON_IKE;
-				break;
 			default:
 				error = EINVAL;
 				break;
@@ -1241,10 +1236,8 @@ udp_statinc(u_int stat)
  * Handle ESP-in-UDP packets (RFC3948).
  *
  * We need to distinguish between ESP packets and IKE packets. We do so by
- * looking at the Non-ESP and Non-IKE markers.
- *
- * If IKE, we process the UDP packet as usual. Otherwise, ESP, we invoke
- * IPsec.
+ * looking at the Non-ESP marker. If IKE, we process the UDP packet as usual.
+ * Otherwise, ESP, we invoke IPsec.
  *
  * Returns:
  *     1 if the packet was processed
@@ -1254,10 +1247,9 @@ udp_statinc(u_int stat)
 static int
 udp4_espinudp(struct mbuf **mp, int off, struct socket *so)
 {
+	const size_t skip = sizeof(struct udphdr);
 	size_t len;
 	uint8_t *data;
-	struct inpcb *inp;
-	size_t skip = 0;
 	size_t minlen;
 	size_t iphdrlen;
 	struct ip *ip;
@@ -1265,6 +1257,7 @@ udp4_espinudp(struct mbuf **mp, int off,
 	struct udphdr *udphdr;
 	u_int16_t sport, dport;
 	struct mbuf *m = *mp;
+	uint32_t *marker;
 
 	/*
 	 * Collapse the mbuf chain if the first mbuf is too short.
@@ -1283,7 +1276,6 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	len = m->m_len - off;
 	data = mtod(m, uint8_t *) + off;
-	inp = sotoinpcb(so);
 
 	/* Ignore keepalive packets. */
 	if ((len == 1) && (*data == 0xff)) {
@@ -1293,28 +1285,11 @@ udp4_espinudp(struct mbuf **mp, int off,
 	}
 
 	/* Handle Non-ESP marker (32bit). If zero, then IKE. */
-	if (inp->inp_flags & INP_ESPINUDP) {
-		uint32_t *marker = (uint32_t *)data;
-
-		if (len <= sizeof(uint32_t))
-			return 0;
-		if (marker[0] == 0)
-			return 0;
-
-		skip = sizeof(struct udphdr);
-	}
-
-	/* Handle Non-IKE marker (64bit). If non-zero, then IKE. */
-	if (inp->inp_flags & INP_ESPINUDP_NON_IKE) {
-		uint32_t *marker = (uint32_t *)data;
-
-		if (len <= 2 * sizeof(uint32_t) + sizeof(struct esp))
-			return 0;
-		if (marker[0] != 0 || marker[1] != 0)
-			return 0;
-
-		skip = sizeof(struct udphdr) + 2 * sizeof(uint32_t);
-	}
+	marker = (uint32_t *)data;
+	if (len <= sizeof(uint32_t))
+		return 0;
+	if (marker[0] == 0)
+		return 0;
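Review bot: The Non-ESP marker is still read through a `uint32_t *` cast of `data`, a `uint8_t *` into the mbuf, and the commit promotes that pointer to a function-scope `uint32_t *marker` solely for this one read. A `memcpy` into a local value is the aliasing- and alignment-safe form and removes the pointer declaration added earlier in the function: `uint32_t marker;` then, after the length check, `memcpy(&marker, data, sizeof(marker)); if (marker == 0) return 0;`. Alignment is probably fine in practice since `off` follows the IP and UDP headers, so this is mainly a hygiene point. udp4_espinudp continues past the end of the hunk.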
 
 	/*
 	 * Get the UDP ports. They are handled in network order

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.78 src/sys/netipsec/ipsec_output.c:1.79
--- src/sys/netipsec/ipsec_output.c:1.78	Mon May  7 09:33:51 2018
+++ src/sys/netipsec/ipsec_output.c	Thu May 31 07:03:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.78 2018/05/07 09:33:51 maxv Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.79 2018/05/31 07:03:57 maxv Exp $	*/
 
 /*
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.78 2018/05/07 09:33:51 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.79 2018/05/31 07:03:57 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -151,7 +151,6 @@ ipsec_process_done(struct mbuf *m, const
 #endif
 	struct mbuf *mo;
 	struct udphdr *udp = NULL;
-	uint64_t *data = NULL;
 	int hlen, roff;
 
 	KASSERT(m != NULL);
@@ -164,8 +163,6 @@ ipsec_process_done(struct mbuf *m, const
 		ip = mtod(m, struct ip *);
 
 		hlen = sizeof(struct udphdr);
-		if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
-			hlen += sizeof(uint64_t);
 
 		mo = m_makespace(m, sizeof(struct ip), hlen, &roff);
 		if (mo == NULL) {
@@ -179,16 +176,7 @@ ipsec_process_done(struct mbuf *m, const
 		}
 
 		udp = (struct udphdr *)(mtod(mo, char *) + roff);
-		data = (uint64_t *)(udp + 1);
-
-		if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
-			*data = 0; /* NON-IKE Marker */
-
-		if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
-			udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT);
-		else
-			udp->uh_sport = key_portfromsaddr(&saidx->src);
-
+		udp->uh_sport = key_portfromsaddr(&saidx->src);
 		udp->uh_dport = key_portfromsaddr(&saidx->dst);
 		udp->uh_sum = 0;
 		udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2));
@@ -495,8 +483,7 @@ ipsec4_process_packet(struct mbuf *m, co
 	if (isr == isr->sp->req) { /* Check only if called from ipsec4_output */
 		KASSERT(mtu != NULL);
 		ip = mtod(m, struct ip *);
-		if (!(sav->natt_type &
-		    (UDP_ENCAP_ESPINUDP|UDP_ENCAP_ESPINUDP_NON_IKE))) {
+		if (!(sav->natt_type & UDP_ENCAP_ESPINUDP)) {
 			goto noneed;
 		}
 		if (ntohs(ip->ip_len) <= sav->esp_frag)
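Review bot: `sav->natt_type` holds a single UDP_ENCAP_* type value rather than a set of flags, yet the new condition still tests it with a bit-and against UDP_ENCAP_ESPINUDP; now that only one type is valid, `if (sav->natt_type != UDP_ENCAP_ESPINUDP)` states the intent directly and does not depend on how the UDP_ENCAP_* constants happen to be numbered. The same bit-and pattern is kept in the ipsecif4_needfrag hunk of ipsecif.c. Note also that, as the commit message itself says, key_handle_natt_info() can still install an SA with natt_type == UDP_ENCAP_ESPINUDP_NON_IKE; this check would then treat such an SA as not NAT-T for fragmentation purposes, while the ipsec_process_done hunk above no longer looks at the type at all when it prepends the UDP header, so the two paths presumably disagree on that SA until the SADB rejects it. ipsec4_process_packet begins and ends outside the hunk.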

Index: src/sys/netipsec/ipsecif.c
diff -u src/sys/netipsec/ipsecif.c:1.9 src/sys/netipsec/ipsecif.c:1.10
--- src/sys/netipsec/ipsecif.c:1.9	Wed May  9 07:33:31 2018
+++ src/sys/netipsec/ipsecif.c	Thu May 31 07:03:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsecif.c,v 1.9 2018/05/09 07:33:31 maxv Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.10 2018/05/31 07:03:57 maxv Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.9 2018/05/09 07:33:31 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.10 2018/05/31 07:03:57 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -173,8 +173,7 @@ ipsecif4_needfrag(struct mbuf *m, struct
 	if (sav == NULL)
 		return 0;
 
-	if (!(sav->natt_type & UDP_ENCAP_ESPINUDP) &&
-	    !(sav->natt_type & UDP_ENCAP_ESPINUDP_NON_IKE)) {
+	if (!(sav->natt_type & UDP_ENCAP_ESPINUDP)) {
 		mtu = 0;
 		goto out;
 	}
