diff options
-rw-r--r-- | lib/libipsec/pfkey.c | 43 | ||||
-rw-r--r-- | sbin/setkey/Makefile | 3 | ||||
-rw-r--r-- | sbin/setkey/parse.y | 30 | ||||
-rw-r--r-- | sys/netipsec/key_debug.c | 103 |
4 files changed, 151 insertions, 28 deletions
diff --git a/lib/libipsec/pfkey.c b/lib/libipsec/pfkey.c index 34a3ac300989..4791ddc2a648 100644 --- a/lib/libipsec/pfkey.c +++ b/lib/libipsec/pfkey.c @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #include <netipsec/ipsec.h> #include <stdlib.h> +#include <stdint.h> #include <unistd.h> #include <string.h> #include <errno.h> @@ -69,6 +70,7 @@ static caddr_t pfkey_setsadbmsg(caddr_t, caddr_t, u_int, u_int, u_int, u_int32_t, pid_t); static caddr_t pfkey_setsadbsa(caddr_t, caddr_t, u_int32_t, u_int, u_int, u_int, u_int32_t); +static caddr_t pfkey_setsadbxreplay(caddr_t, caddr_t, uint32_t); static caddr_t pfkey_setsadbaddr(caddr_t, caddr_t, u_int, struct sockaddr *, u_int, u_int); static caddr_t pfkey_setsadbkey(caddr_t, caddr_t, u_int, caddr_t, u_int); @@ -1196,6 +1198,13 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, + sizeof(struct sadb_lifetime) + sizeof(struct sadb_lifetime); + if (wsize > UINT8_MAX) { + if (wsize > (UINT32_MAX - 32) >> 3) { + __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; + return (-1); + } + len += sizeof(struct sadb_x_sa_replay); + } if (e_type != SADB_EALG_NONE) len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen)); if (a_type != SADB_AALG_NONE) @@ -1223,6 +1232,13 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize, free(newmsg); return -1; } + if (wsize > UINT8_MAX) { + p = pfkey_setsadbxreplay(p, ep, wsize); + if (!p) { + free(newmsg); + return (-1); + } + } p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, plen, IPSEC_ULPROTO_ANY); if (!p) { @@ -1982,7 +1998,7 @@ pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags) p->sadb_sa_len = PFKEY_UNIT64(len); p->sadb_sa_exttype = SADB_EXT_SA; p->sadb_sa_spi = spi; - p->sadb_sa_replay = wsize; + p->sadb_sa_replay = wsize > UINT8_MAX ? UINT8_MAX: wsize; p->sadb_sa_state = SADB_SASTATE_LARVAL; p->sadb_sa_auth = auth; p->sadb_sa_encrypt = enc; @@ -1992,6 +2008,31 @@ pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags) } /* + * Set data into sadb_x_sa_replay. + * `buf' must has been allocated sufficiently. + */ +static caddr_t +pfkey_setsadbxreplay(caddr_t buf, caddr_t lim, uint32_t wsize) +{ + struct sadb_x_sa_replay *p; + u_int len; + + p = (struct sadb_x_sa_replay *)buf; + len = sizeof(struct sadb_x_sa_replay); + + if (buf + len > lim) + return (NULL); + + memset(p, 0, len); + p->sadb_x_sa_replay_len = PFKEY_UNIT64(len); + p->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; + /* Convert wsize from bytes to number of packets. */ + p->sadb_x_sa_replay_replay = wsize << 3; + + return (buf + len); +} + +/* * set data into sadb_address. * `buf' must has been allocated sufficiently. * prefixlen is in bits. diff --git a/sbin/setkey/Makefile b/sbin/setkey/Makefile index 875d4b2698e8..a4d5b1201b7a 100644 --- a/sbin/setkey/Makefile +++ b/sbin/setkey/Makefile @@ -51,6 +51,9 @@ CFLAGS+= -I${SRCTOP}/sys SRCS+= y.tab.h y.tab.h: parse.y CFLAGS+= -DIPSEC_DEBUG -DYY_NO_UNPUT +.if ${MK_INET_SUPPORT} != "no" +CFLAGS+= -DINET +.endif .if ${MK_INET6_SUPPORT} != "no" CFLAGS+= -DINET6 .endif diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y index 60e779d47c2d..f336c5d489fd 100644 --- a/sbin/setkey/parse.y +++ b/sbin/setkey/parse.y @@ -45,6 +45,7 @@ #include <string.h> #include <unistd.h> #include <stdio.h> +#include <stdint.h> #include <netdb.h> #include <ctype.h> #include <errno.h> @@ -513,6 +514,8 @@ extension return -1; } p_replay = $2; + if (p_replay > (UINT32_MAX - 32) >> 3) + yyerror("replay window is too large"); } | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; } | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; } @@ -899,6 +902,7 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) int l, l0, len; struct sadb_sa m_sa; struct sadb_x_sa2 m_sa2; + struct sadb_x_sa_replay m_replay; struct sadb_address m_addr; struct addrinfo *s, *d; int n; @@ -920,7 +924,8 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) m_sa.sadb_sa_len = PFKEY_UNIT64(len); m_sa.sadb_sa_exttype = SADB_EXT_SA; m_sa.sadb_sa_spi = htonl(p_spi); - m_sa.sadb_sa_replay = p_replay; + m_sa.sadb_sa_replay = p_replay > UINT8_MAX ? UINT8_MAX: + p_replay; m_sa.sadb_sa_state = 0; m_sa.sadb_sa_auth = p_alg_auth; m_sa.sadb_sa_encrypt = p_alg_enc; @@ -937,6 +942,17 @@ setkeymsg_addr(type, satype, srcs, dsts, no_spi) memcpy(buf + l, &m_sa2, len); l += len; + + if (p_replay > UINT8_MAX) { + len = sizeof(struct sadb_x_sa_replay); + m_replay.sadb_x_sa_replay_len = PFKEY_UNIT64(len); + m_replay.sadb_x_sa_replay_exttype = + SADB_X_EXT_SA_REPLAY; + m_replay.sadb_x_sa_replay_replay = p_replay << 3; + + memcpy(buf + l, &m_replay, len); + l += len; + } } l0 = l; @@ -1017,6 +1033,7 @@ setkeymsg_add(type, satype, srcs, dsts) struct sadb_sa m_sa; struct sadb_x_sa2 m_sa2; struct sadb_address m_addr; + struct sadb_x_sa_replay m_replay; struct addrinfo *s, *d; int n; int plen; @@ -1100,7 +1117,7 @@ setkeymsg_add(type, satype, srcs, dsts) m_sa.sadb_sa_len = PFKEY_UNIT64(len); m_sa.sadb_sa_exttype = SADB_EXT_SA; m_sa.sadb_sa_spi = htonl(p_spi); - m_sa.sadb_sa_replay = p_replay; + m_sa.sadb_sa_replay = p_replay > UINT8_MAX ? UINT8_MAX: p_replay; m_sa.sadb_sa_state = 0; m_sa.sadb_sa_auth = p_alg_auth; m_sa.sadb_sa_encrypt = p_alg_enc; @@ -1118,6 +1135,15 @@ setkeymsg_add(type, satype, srcs, dsts) memcpy(buf + l, &m_sa2, len); l += len; + if (p_replay > UINT8_MAX) { + len = sizeof(struct sadb_x_sa_replay); + m_replay.sadb_x_sa_replay_len = PFKEY_UNIT64(len); + m_replay.sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; + m_replay.sadb_x_sa_replay_replay = p_replay << 3; + + memcpy(buf + l, &m_replay, len); + l += len; + } l0 = l; n = 0; diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c index d3c57a88f4ec..e4dc9ea0c47d 100644 --- a/sys/netipsec/key_debug.c +++ b/sys/netipsec/key_debug.c @@ -63,6 +63,7 @@ #include <ctype.h> #include <stdio.h> #include <stdlib.h> +#include <arpa/inet.h> #endif /* !_KERNEL */ static void kdebug_sadb_prop(struct sadb_ext *); @@ -73,6 +74,8 @@ static void kdebug_sadb_sa(struct sadb_ext *); static void kdebug_sadb_address(struct sadb_ext *); static void kdebug_sadb_key(struct sadb_ext *); static void kdebug_sadb_x_sa2(struct sadb_ext *); +static void kdebug_sadb_x_sa_replay(struct sadb_ext *); +static void kdebug_sadb_x_natt(struct sadb_ext *); #ifdef _KERNEL static void kdebug_secreplay(struct secreplay *); @@ -131,6 +134,10 @@ kdebug_sadb(struct sadb_msg *base) case SADB_EXT_ADDRESS_SRC: case SADB_EXT_ADDRESS_DST: case SADB_EXT_ADDRESS_PROXY: + case SADB_X_EXT_NAT_T_OAI: + case SADB_X_EXT_NAT_T_OAR: + case SADB_X_EXT_NEW_ADDRESS_SRC: + case SADB_X_EXT_NEW_ADDRESS_DST: kdebug_sadb_address(ext); break; case SADB_EXT_KEY_AUTH: @@ -159,6 +166,14 @@ kdebug_sadb(struct sadb_msg *base) case SADB_X_EXT_SA2: kdebug_sadb_x_sa2(ext); break; + case SADB_X_EXT_SA_REPLAY: + kdebug_sadb_x_sa_replay(ext); + break; + case SADB_X_EXT_NAT_T_TYPE: + case SADB_X_EXT_NAT_T_SPORT: + case SADB_X_EXT_NAT_T_DPORT: + kdebug_sadb_x_natt(ext); + break; default: printf("%s: invalid ext_type %u\n", __func__, ext->sadb_ext_type); @@ -342,8 +357,6 @@ kdebug_sadb_address(struct sadb_ext *ext) ((u_char *)&addr->sadb_address_reserved)[1]); kdebug_sockaddr((struct sockaddr *)((caddr_t)ext + sizeof(*addr))); - - return; } static void @@ -392,6 +405,41 @@ kdebug_sadb_x_sa2(struct sadb_ext *ext) return; } +static void +kdebug_sadb_x_sa_replay(struct sadb_ext *ext) +{ + struct sadb_x_sa_replay *replay; + + /* sanity check */ + if (ext == NULL) + panic("%s: NULL pointer was passed.\n", __func__); + + replay = (struct sadb_x_sa_replay *)ext; + printf("sadb_x_sa_replay{ replay=%u }\n", + replay->sadb_x_sa_replay_replay); +} + +static void +kdebug_sadb_x_natt(struct sadb_ext *ext) +{ + struct sadb_x_nat_t_type *type; + struct sadb_x_nat_t_port *port; + + /* sanity check */ + if (ext == NULL) + panic("%s: NULL pointer was passed.\n", __func__); + + if (ext->sadb_ext_type == SADB_X_EXT_NAT_T_TYPE) { + type = (struct sadb_x_nat_t_type *)ext; + printf("sadb_x_nat_t_type{ type=%u }\n", + type->sadb_x_nat_t_type_type); + } else { + port = (struct sadb_x_nat_t_port *)ext; + printf("sadb_x_nat_t_port{ port=%u }\n", + ntohs(port->sadb_x_nat_t_port_port)); + } +} + void kdebug_sadb_x_policy(struct sadb_ext *ext) { @@ -402,9 +450,11 @@ kdebug_sadb_x_policy(struct sadb_ext *ext) if (ext == NULL) panic("%s: NULL pointer was passed.\n", __func__); - printf("sadb_x_policy{ type=%u dir=%u id=%x }\n", + printf("sadb_x_policy{ type=%u dir=%u id=%x scope=%u %s=%u }\n", xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir, - xpl->sadb_x_policy_id); + xpl->sadb_x_policy_id, xpl->sadb_x_policy_scope, + xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET ? + "ifindex": "priority", xpl->sadb_x_policy_priority); if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) { int tlen; @@ -850,39 +900,42 @@ ipsec_sa2str(struct secasvar *sav, char *buf, size_t size) void kdebug_sockaddr(struct sockaddr *addr) { - struct sockaddr_in *sin4; -#ifdef INET6 - struct sockaddr_in6 *sin6; -#endif + char buf[IPSEC_ADDRSTRLEN]; /* sanity check */ if (addr == NULL) panic("%s: NULL pointer was passed.\n", __func__); - /* NOTE: We deal with port number as host byte order. */ - printf("sockaddr{ len=%u family=%u", addr->sa_len, addr->sa_family); - switch (addr->sa_family) { - case AF_INET: - sin4 = (struct sockaddr_in *)addr; - printf(" port=%u\n", ntohs(sin4->sin_port)); - ipsec_hexdump((caddr_t)&sin4->sin_addr, sizeof(sin4->sin_addr)); +#ifdef INET + case AF_INET: { + struct sockaddr_in *sin; + + sin = (struct sockaddr_in *)addr; + inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof(buf)); break; + } +#endif #ifdef INET6 - case AF_INET6: + case AF_INET6: { + struct sockaddr_in6 *sin6; + sin6 = (struct sockaddr_in6 *)addr; - printf(" port=%u\n", ntohs(sin6->sin6_port)); - printf(" flowinfo=0x%08x, scope_id=0x%08x\n", - sin6->sin6_flowinfo, sin6->sin6_scope_id); - ipsec_hexdump((caddr_t)&sin6->sin6_addr, - sizeof(sin6->sin6_addr)); + if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { + snprintf(buf, sizeof(buf), "%s%%%u", + inet_ntop(AF_INET6, &sin6->sin6_addr, buf, + sizeof(buf)), sin6->sin6_scope_id); + } else + inet_ntop(AF_INET6, &sin6->sin6_addr, buf, + sizeof(buf)); break; + } #endif + default: + sprintf(buf, "unknown"); } - - printf(" }\n"); - - return; + printf("sockaddr{ len=%u family=%u addr=%s }\n", addr->sa_len, + addr->sa_family, buf); } void |