author | 2017-02-28 16:46:27 +0000 | |
---|---|---|
committer | 2017-02-28 16:46:27 +0000 | |
commit | d44c51a1611305bdb03515161662f4bc88a16504 (patch) | |
tree | 3fa554303875e7b9c67fefb166991f412808eb60 | |
parent | IPv6 packets with routing header 0 are dropped by pf, but answered (diff) | |
Depending on the addresses, ipsecctl(8) automatically groups sa
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@
-rw-r--r-- | sbin/iked/pfkey.c | 4 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkdump.c | 12 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 6 | ||||
-rw-r--r-- | sys/net/pfkeyv2.c | 20 | ||||
-rw-r--r-- | sys/net/pfkeyv2.h | 6 | ||||
-rw-r--r-- | sys/net/pfkeyv2_convert.c | 12 | ||||
-rw-r--r-- | sys/net/pfkeyv2_parsemessage.c | 16 |
8 files changed, 60 insertions, 20 deletions
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c index d5a582f0f07..73c481ec1b8 100644 --- a/sbin/iked/pfkey.c +++ b/sbin/iked/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.52 2016/09/03 09:20:07 vgross Exp $ */ +/* $OpenBSD: pfkey.c,v 1.53 2017/02/28 16:46:27 bluhm Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -1019,7 +1019,7 @@ pfkey_sagroup(int sd, uint8_t satype1, uint8_t action, (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; bzero(&sa_proto, sizeof(sa_proto)); - sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; + sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2; sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; sa_proto.sadb_protocol_direction = 0; sa_proto.sadb_protocol_proto = satype2; diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c index 68e4f616015..b8dbaf5228a 100644 --- a/sbin/ipsecctl/pfkdump.c +++ b/sbin/ipsecctl/pfkdump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkdump.c,v 1.42 2015/12/09 21:41:50 naddy Exp $ */ +/* $OpenBSD: pfkdump.c,v 1.43 2017/02/28 16:46:27 bluhm Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. @@ -55,6 +55,7 @@ static void print_ident(struct sadb_ext *, struct sadb_msg *); static void print_udpenc(struct sadb_ext *, struct sadb_msg *); static void print_tag(struct sadb_ext *, struct sadb_msg *); static void print_tap(struct sadb_ext *, struct sadb_msg *); +static void print_satype(struct sadb_ext *, struct sadb_msg *); static struct idname *lookup(struct idname *, u_int32_t); static char *lookup_name(struct idname *, u_int32_t); @@ -103,6 +104,7 @@ struct idname ext_types[] = { { SADB_X_EXT_LIFETIME_LASTUSE, "lifetime_lastuse", print_life }, { SADB_X_EXT_TAG, "tag", print_tag }, { SADB_X_EXT_TAP, "tap", print_tap }, + { SADB_X_EXT_SATYPE2, "satype2", print_satype }, { 0, NULL, NULL } }; 
@@ -404,6 +406,14 @@ print_tap(struct sadb_ext *ext, struct sadb_msg *msg) printf("enc%u", stap->sadb_x_tap_unit); } +static void +print_satype(struct sadb_ext *ext, struct sadb_msg *msg) +{ + struct sadb_protocol *proto = (struct sadb_protocol *)ext; + + printf("type %s", lookup_name(sa_types, proto->sadb_protocol_proto)); +} + static char * alg_by_ext(u_int8_t ext_type, u_int8_t id) { diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c index 224b8e4b064..4926ce8e693 100644 --- a/sbin/ipsecctl/pfkey.c +++ b/sbin/ipsecctl/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.57 2015/12/10 17:27:00 mmcc Exp $ */ +/* $OpenBSD: pfkey.c,v 1.58 2017/02/28 16:46:27 bluhm Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> @@ -701,7 +701,7 @@ pfkey_sagroup(int sd, u_int8_t satype, u_int8_t satype2, u_int8_t action, sa_dst2.sadb_address_len = (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8; bzero(&sa_proto, sizeof(sa_proto)); - sa_proto.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; + sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2; sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8; sa_proto.sadb_protocol_direction = 0; sa_proto.sadb_protocol_proto = satype2; diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c index f3c1aeff544..a15b3402380 100644 --- a/sbin/isakmpd/pf_key_v2.c +++ b/sbin/isakmpd/pf_key_v2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.c,v 1.197 2015/12/10 17:27:00 mmcc Exp $ */ +/* $OpenBSD: pf_key_v2.c,v 1.198 2017/02/28 16:46:27 bluhm Exp $ */ /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ /* 
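Review bot: print_satype() passes the result of `lookup_name(sa_types, proto->sadb_protocol_proto)` straight to `%s`; if lookup_name() can return NULL for an id that is not in sa_types that is undefined behaviour, whereas if it returns a fallback string (as its name suggests) this is fine — worth confirming since the value comes from a kernel that may be newer than this ipsecctl. A one-line comment above the function, `/* SADB_X_EXT_SATYPE2: SA type of the bundled SA, carried in a struct sadb_protocol */`, would tell the reader why a "satype" printer casts to sadb_protocol. The unused `msg` parameter matches the other print_* callbacks in this table, so no change there.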
@@ -3303,8 +3303,8 @@ pf_key_v2_group_spis(struct sa *sa, struct proto *proto1, goto cleanup; addr = 0; - /* Setup the PROTOCOL extension. */ - protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; + /* Setup the sa type extension. */ + protocol.sadb_protocol_exttype = SADB_X_EXT_SATYPE2; protocol.sadb_protocol_len = sizeof protocol / PF_KEY_V2_CHUNK; switch (proto2->proto) { case IPSEC_PROTO_IPSEC_ESP: diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index 02aa0e3219e..5ff3eba4c40 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.152 2017/02/24 18:36:33 bluhm Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.153 2017/02/28 16:46:27 bluhm Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -556,6 +556,13 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) } } + if (sa->tdb_onext) { + i += sizeof(struct sadb_sa); + i += sizeof(struct sadb_address) + + PADUP(SA_LEN(&sa->tdb_onext->tdb_dst.sa)); + i += sizeof(struct sadb_protocol); + } + if (sa->tdb_udpencap_port) i += sizeof(struct sadb_x_udpencap); @@ -634,6 +641,15 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) export_flow(&p, IPSP_IPSEC_USE, &sa->tdb_filter, &sa->tdb_filtermask, headers); + if (sa->tdb_onext) { + headers[SADB_X_EXT_SA2] = p; + export_sa(&p, sa->tdb_onext); + headers[SADB_X_EXT_DST2] = p; + export_address(&p, &sa->tdb_onext->tdb_dst.sa); + headers[SADB_X_EXT_SATYPE2] = p; + export_satype(&p, sa->tdb_onext); + } + /* Export UDP encapsulation port, if present */ if (sa->tdb_udpencap_port) { headers[SADB_X_EXT_UDPENCAP] = p; 
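Review bot: The two new `if (sa->tdb_onext)` blocks in pfkeyv2_get (sys/net/pfkeyv2.c hunks) have no comment, while the neighbouring UDP encapsulation export does, and the two blocks must stay in step: three size terms in the first, three export_* calls in the second. Add `/* Reserve space for the bundled SA: SA2, DST2 and SATYPE2 */` above the first and `/* Export the bundled SA (tdb_onext) as SA2, DST2 and SATYPE2 */` above the second. The first block reserves exactly sizeof(struct sadb_protocol) for SATYPE2, so export_satype() has to consume exactly that much of the buffer for the following SADB_X_EXT_UDPENCAP placement to land in the reserved space. The remainder of pfkeyv2_get lies outside the hunks.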
@@ -1368,7 +1384,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len) ssa = (struct sadb_sa *) headers[SADB_X_EXT_SA2]; sunionp = (union sockaddr_union *) (headers[SADB_X_EXT_DST2] + sizeof(struct sadb_address)); - sa_proto = ((struct sadb_protocol *) headers[SADB_X_EXT_PROTOCOL]); + sa_proto = (struct sadb_protocol *) headers[SADB_X_EXT_SATYPE2]; tdb2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp, SADB_X_GETSPROTO(sa_proto->sadb_protocol_proto)); diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index f2319b422e4..f43f698d85f 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.h,v 1.73 2017/01/24 10:08:30 krw Exp $ */ +/* $OpenBSD: pfkeyv2.h,v 1.74 2017/02/28 16:46:27 bluhm Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) January 1998 * @@ -261,7 +261,8 @@ struct sadb_x_tap { #define SADB_X_EXT_LIFETIME_LASTUSE 32 #define SADB_X_EXT_TAG 33 #define SADB_X_EXT_TAP 34 -#define SADB_EXT_MAX 34 +#define SADB_X_EXT_SATYPE2 35 +#define SADB_EXT_MAX 35 /* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */ #define SADB_SATYPE_UNSPEC 0 @@ -427,6 +428,7 @@ void export_key(void **, struct tdb *, int); void export_udpencap(void **, struct tdb *); void export_tag(void **, struct tdb *); void export_tap(void **, struct tdb *); +void export_satype(void **, struct tdb *); void import_address(struct sockaddr *, struct sadb_address *); void import_identities(struct ipsec_ids **, int, struct sadb_ident *, diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c index 7a810e7edad..9109f07f65c 100644 --- a/sys/net/pfkeyv2_convert.c +++ b/sys/net/pfkeyv2_convert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_convert.c,v 1.58 2017/01/24 10:08:30 krw Exp $ */ +/* $OpenBSD: pfkeyv2_convert.c,v 1.59 2017/02/28 16:46:27 bluhm Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@keromytis.org) * 
@@ -887,4 +887,14 @@ export_tap(void **p, struct tdb *tdb) stag->sadb_x_tap_len = sizeof(struct sadb_x_tap) / sizeof(uint64_t); *p += sizeof(struct sadb_x_tap); } + +void +export_satype(void **p, struct tdb *tdb) +{ + struct sadb_protocol *sab = *p; + + sab->sadb_protocol_len = sizeof(struct sadb_protocol) / + sizeof(uint64_t); + sab->sadb_protocol_proto = tdb->tdb_satype; +} #endif diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c index 8cb4b3cc327..547532fa7b4 100644 --- a/sys/net/pfkeyv2_parsemessage.c +++ b/sys/net/pfkeyv2_parsemessage.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.50 2017/01/24 10:08:30 krw Exp $ */ +/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.51 2017/02/28 16:46:27 bluhm Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -125,6 +125,7 @@ #define BITMAP_X_LIFETIME_LASTUSE (1LL << SADB_X_EXT_LIFETIME_LASTUSE) #define BITMAP_X_TAG (1LL << SADB_X_EXT_TAG) #define BITMAP_X_TAP (1LL << SADB_X_EXT_TAP) +#define BITMAP_X_SATYPE2 (1LL << SADB_X_EXT_SATYPE2) uint64_t sadb_exts_allowed_in[SADB_MAX+1] = { @@ -157,7 +158,7 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] = /* X_DELFLOW */ BITMAP_X_FLOW, /* X_GRPSPIS */ - BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, + BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_SATYPE2, /* X_ASKPOLICY */ BITMAP_X_POLICY, }; @@ -193,7 +194,7 @@ uint64_t sadb_exts_required_in[SADB_MAX+1] = /* X_DELFLOW */ BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, /* X_GRPSPIS */ - BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, + BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_SATYPE2, /* X_ASKPOLICY */ BITMAP_X_POLICY, }; 
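Review bot: export_satype() fills in the sadb_protocol header but never advances `*p`, unlike export_tap() directly above it, which ends with `*p += sizeof(struct sadb_x_tap);`. Its caller in pfkeyv2_get (the sys/net/pfkeyv2.c hunk) has already counted sizeof(struct sadb_protocol) into the message length and then places SADB_X_EXT_UDPENCAP at `p`, so the next extension would be written over the satype2 header and the message would end with an unaccounted-for gap. Add `*p += sizeof(struct sadb_protocol);` as the last statement of the function. sadb_protocol_exttype is not set here either; if the caller fills the ext types in from the headers[] array afterwards, as the other export_* functions appear to rely on, that is fine, otherwise it has to be set too. The remaining sadb_protocol fields are left untouched, which presumably relies on the buffer being allocated zeroed — confirm.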
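Review bot: Swapping BITMAP_X_PROTOCOL for BITMAP_X_SATYPE2 in sadb_exts_allowed_in and sadb_exts_required_in for X_GRPSPIS (both sys/net/pfkeyv2_parsemessage.c hunks here, and the allowed_out/required_out hunks that follow) makes this a flag-day change: an ipsecctl, iked or isakmpd built against the old header still sends SADB_X_EXT_PROTOCOL and now gets EINVAL (PROTOCOL is no longer allowed and SATYPE2 is required), and a rebuilt userland gets EINVAL from an older kernel. The commit message describes the new extension but not this incompatibility; either state it in the message or, if a transition period is wanted, keep accepting the old form for one release. A comment next to the X_GRPSPIS entry, `/* PROTOCOL was replaced by SATYPE2 here; the second SA type no longer shares the ext type with the flow code */`, would explain why this row differs from the others that still use BITMAP_X_PROTOCOL.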
@@ -229,7 +230,7 @@ uint64_t sadb_exts_allowed_out[SADB_MAX+1] = /* X_DELFLOW */ BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, /* X_GRPSPIS */ - BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, + BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_SATYPE2, /* X_ASKPOLICY */ BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_FLOW_TYPE | BITMAP_X_POLICY, }; @@ -265,7 +266,7 @@ uint64_t sadb_exts_required_out[SADB_MAX+1] = /* X_DELFLOW */ BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE, /* X_GRPSPIS */ - BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL, + BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_SATYPE2, /* X_REPPOLICY */ BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_FLOW_TYPE, }; @@ -434,9 +435,10 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) break; case SADB_X_EXT_PROTOCOL: case SADB_X_EXT_FLOW_TYPE: + case SADB_X_EXT_SATYPE2: if (i != sizeof(struct sadb_protocol)) { - DPRINTF(("pfkeyv2_parsemessage: bad " - "PROTOCOL/FLOW header length in extension " + DPRINTF(("pfkeyv2_parsemessage: bad PROTOCOL/" + "FLOW/SATYPE2 header length in extension " "header %d\n", sadb_ext->sadb_ext_type)); return (EINVAL); } |
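Review bot: The new `case SADB_X_EXT_SATYPE2:` label in pfkeyv2_parsemessage only validates the extension length; the `sadb_protocol_proto` value it carries is later fed by pfkeyv2_send (sys/net/pfkeyv2.c hunk) into `SADB_X_GETSPROTO()` for the gettdb() lookup without being compared against the SADB_SATYPE_* range. That is the same treatment the old PROTOCOL extension received, so it is not a regression, but since this parser is where the rest of the message is bounds-checked, a guard such as `if (((struct sadb_protocol *)sadb_ext)->sadb_protocol_proto > SADB_SATYPE_MAX) return (EINVAL);` inside a separate SATYPE2 case would stop an out-of-range type before it reaches the lookup. The length check is shared with PROTOCOL and FLOW_TYPE, so the extra check would need its own case that then falls through to the common one. pfkeyv2_parsemessage continues beyond the hunk.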