author | 2020-11-21 19:23:53 +0000 | |
committer | 2020-11-21 19:23:53 +0000 | |
commit | 242deeeefc744ac8b1c99e59e424e10541da4953 (patch) | |
tree | 6de348c7d5810c782c174ad62988e41298588afe | |
parent | No need to update resolv.conf when renewing a lease does not result in any (diff) | |
Clean up NATT hack. Pass 'frompeer' as parameter instead of manipulating
msg header to get the correct addresses and spis.
ok patrick@
-rw-r--r-- | sbin/iked/iked.h | 4 | ||||
-rw-r--r-- | sbin/iked/ikev2.c | 35 | ||||
-rw-r--r-- | sbin/iked/ikev2_pld.c | 5 |
3 files changed, 12 insertions, 32 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index a2e12803fbe..f533db8f7fe 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.172 2020/11/18 22:24:03 tobhe Exp $ */
+/* $OpenBSD: iked.h,v 1.173 2020/11/21 19:23:53 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -950,7 +950,7 @@ struct ibuf *
 	    size_t);
 ssize_t	 ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
 ssize_t	 ikev2_nat_detection(struct iked *, struct iked_message *,
-	    void *, size_t, unsigned int);
+	    void *, size_t, unsigned int, int);
 int	 ikev2_send_informational(struct iked *, struct iked_message *);
 int	 ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
 	    uint8_t, uint8_t, int);
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 7f07f6f0217..534a63f24b3 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.284 2020/11/17 18:39:56 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.285 2020/11/21 19:23:53 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -2056,7 +2056,7 @@ ikev2_next_payload(struct ikev2_payload *pld, size_t length,
 
 ssize_t
 ikev2_nat_detection(struct iked *env, struct iked_message *msg,
-    void *ptr, size_t len, unsigned int type)
+    void *ptr, size_t len, unsigned int type, int frompeer)
 {
 	EVP_MD_CTX		 ctx;
 	struct ike_header	*hdr;
@@ -2069,25 +2069,22 @@ ikev2_nat_detection(struct iked *env, struct iked_message *msg,
 	struct sockaddr		*src, *dst, *ss;
 	uint64_t		 rspi, ispi;
 	struct ibuf		*buf;
-	int			 frompeer = 0;
 	uint32_t		 rnd;
 
 	if (ptr == NULL)
 		return (mdlen);
 
-	if (ikev2_msg_frompeer(msg)) {
+	if (frompeer) {
 		buf = msg->msg_parent->msg_data;
 		if ((hdr = ibuf_seek(buf, 0, sizeof(*hdr))) == NULL)
 			return (-1);
 		ispi = hdr->ike_ispi;
 		rspi = hdr->ike_rspi;
-		frompeer = 1;
 		src = (struct sockaddr *)&msg->msg_peer;
 		dst = (struct sockaddr *)&msg->msg_local;
 	} else {
 		ispi = htobe64(sa->sa_hdr.sh_ispi);
 		rspi = htobe64(sa->sa_hdr.sh_rspi);
-		frompeer = 0;
 		src = (struct sockaddr *)&msg->msg_local;
 		dst = (struct sockaddr *)&msg->msg_peer;
 	}
@@ -2175,11 +2172,11 @@ ikev2_add_nat_detection(struct iked *env, struct ibuf *buf,
 	if ((n = ibuf_advance(buf, sizeof(*n))) == NULL)
 		return (-1);
 	n->n_type = htobe16(IKEV2_N_NAT_DETECTION_SOURCE_IP);
-	len = ikev2_nat_detection(env, msg, NULL, 0, 0);
+	len = ikev2_nat_detection(env, msg, NULL, 0, 0, 0);
 	if ((ptr = ibuf_advance(buf, len)) == NULL)
 		return (-1);
 	if ((len = ikev2_nat_detection(env, msg, ptr, len,
-	    betoh16(n->n_type))) == -1)
+	    betoh16(n->n_type), 0)) == -1)
 		return (-1);
 	len += sizeof(*n);
 
@@ -2191,11 +2188,11 @@ ikev2_add_nat_detection(struct iked *env, struct ibuf *buf,
 	if ((n = ibuf_advance(buf, sizeof(*n))) == NULL)
 		return (-1);
 	n->n_type = htobe16(IKEV2_N_NAT_DETECTION_DESTINATION_IP);
-	len = ikev2_nat_detection(env, msg, NULL, 0, 0);
+	len = ikev2_nat_detection(env, msg, NULL, 0, 0, 0);
 	if ((ptr = ibuf_advance(buf, len)) == NULL)
 		return (-1);
 	if ((len = ikev2_nat_detection(env, msg, ptr, len,
-	    betoh16(n->n_type))) == -1)
+	    betoh16(n->n_type), 0)) == -1)
 		return (-1);
 	len += sizeof(*n);
 	return (len);
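Review bot: In the `if (frompeer)` branch of ikev2_nat_detection, `buf = msg->msg_parent->msg_data;` dereferences msg_parent without a NULL check; the old workaround in ikev2_resp_informational guarded this path with `if (msg->msg_parent == NULL) goto done;` and that guard is removed by this commit, so the only protection left is whatever the caller guarantees. The one caller that can pass a nonzero value is ikev2_pld_notify in ikev2_pld.c, which passes `ikev2_msg_frompeer(msg)`; whether that function implies a non-NULL parent is not visible in the diff. A cheap guard at the top of the branch, `if (msg->msg_parent == NULL) return (-1);`, or a comment stating the precondition on frompeer would make the contract explicit and match the existing `return (-1)` used when ibuf_seek fails. The function's signature is in the preceding hunk and the rest of its body continues after this one.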
@@ -2526,11 +2523,9 @@ ikev2_resp_informational(struct iked *env, struct iked_sa *sa,
 {
 	struct ikev2_notify		*n;
 	struct ikev2_payload		*pld = NULL;
-	struct ike_header		*hdr;
 	struct ibuf			*buf = NULL;
 	ssize_t				 len = 0;
 	int				 ret = -1;
-	int				 oflags = 0;
 	uint8_t				 firstpayload = IKEV2_PAYLOAD_NONE;
 
 	if (!sa_stateok(sa, IKEV2_STATE_AUTH_REQUEST) ||
@@ -2550,24 +2545,8 @@ ikev2_resp_informational(struct iked *env, struct iked_sa *sa,
 	 */
 	if (sa->sa_mobike &&
 	    (msg->msg_update_sa_addresses || msg->msg_natt_rcvd)) {
-		/*
-		 * XXX workaround so ikev2_msg_frompeer() fails for
-		 * XXX ikev2_nat_detection(), and the correct src/dst are
-		 * XXX used for the nat detection payload.
-		 */
-		if (msg->msg_parent == NULL)
-			goto done;
-		if ((hdr = ibuf_seek(msg->msg_parent->msg_data, 0,
-		    sizeof(*hdr))) == NULL)
-			goto done;
-		oflags = hdr->ike_flags;
-		if (sa->sa_hdr.sh_initiator)
-			hdr->ike_flags |= IKEV2_FLAG_INITIATOR;
-		else
-			hdr->ike_flags &= ~IKEV2_FLAG_INITIATOR;
 		/* NAT-T notify payloads */
 		len = ikev2_add_nat_detection(env, buf, &pld, msg, len);
-		hdr->ike_flags = oflags; /* XXX undo workaround */
 		if (len == -1)
 			goto done;
 		firstpayload = IKEV2_PAYLOAD_NOTIFY;
diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index f37ade763d9..cb3a1a2ceb5 100644
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_pld.c,v 1.110 2020/11/19 15:00:43 tobhe Exp $ */
+/* $OpenBSD: ikev2_pld.c,v 1.111 2020/11/21 19:23:53 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1033,7 +1033,8 @@ ikev2_pld_notify(struct iked *env, struct ikev2_payload *pld,
 			    " (%zu != %zu)", __func__, left, sizeof(md));
 			return (-1);
 		}
-		if (ikev2_nat_detection(env, msg, md, sizeof(md), type) == -1)
+		if (ikev2_nat_detection(env, msg, md, sizeof(md), type,
+		    ikev2_msg_frompeer(msg)) == -1)
 			return (-1);
 		if (memcmp(buf, md, left) != 0) {
 			log_debug("%s: %s detected NAT", __func__,
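Review bot: With the XXX block gone, the `len = ikev2_add_nat_detection(env, buf, &pld, msg, len);` call in the sa_mobike branch of ikev2_resp_informational (hunk @@ -2550) no longer records why the NAT-T payloads come out with the right addresses without the flag manipulation; the reason is that ikev2_add_nat_detection (hunks @@ -2175 and @@ -2191 in ikev2.c) now passes frompeer as 0, which in ikev2_nat_detection selects msg_local as src and msg_peer as dst. Replacing the bare `/* NAT-T notify payloads */` with `/* NAT-T notify payloads, computed from our own view (frompeer == 0) */` would keep that knowledge next to the call. The body of ikev2_resp_informational continues outside the hunk.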