authorReyk Floeter <reyk@cvs.openbsd.org>2011-01-21 11:37:03 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2011-01-21 11:37:03 +0000
commit1e6e892a126e00e30de570cf18cc56613f27bd85 (patch)
treee43649dc16da2879331dba21342e8bd61b54e5e6 /sbin
parente7d371d4641a57c20717353c0218fb0a3d8ff046 (diff)
split pfkey initialization into a privileged and unprivileged part to
prevent a possible crash. ok mikeb@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/iked/config.c12
-rw-r--r--sbin/iked/iked.h9
-rw-r--r--sbin/iked/ikev2.c4
-rw-r--r--sbin/iked/pfkey.c29
4 files changed, 32 insertions, 22 deletions
diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index 4a70ee0d73e..c6cb9def24a 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.6 2011/01/12 14:35:45 mikeb Exp $ */
+/* $OpenBSD: config.c,v 1.7 2011/01/21 11:37:02 reyk Exp $ */
/* $vantronix: config.c,v 1.30 2010/05/28 15:34:35 reyk Exp $ */
/*
@@ -543,21 +543,17 @@ config_setpfkey(struct iked *env, enum iked_procid id)
{
int s;
- if ((s = pfkey_init(env)) == -1)
+ if ((s = pfkey_socket()) == -1)
return (-1);
imsg_compose_proc(env, id, IMSG_PFKEY_SOCKET, s, NULL, 0);
return (0);
}
int
-config_getpfkey(struct iked *env, struct imsg *imsg,
- void (*dispatch)(int, short, void *))
+config_getpfkey(struct iked *env, struct imsg *imsg)
{
log_debug("%s: received pfkey fd %d", __func__, imsg->fd);
- env->sc_pfkey = imsg->fd;
- event_set(&env->sc_pfkeyev, env->sc_pfkey,
- EV_READ|EV_PERSIST, dispatch, env);
- event_add(&env->sc_pfkeyev, NULL);
+ pfkey_init(env, imsg->fd);
return (0);
}
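Review bot: `config_getpfkey` passes `imsg->fd` straight to `pfkey_init` without checking that a descriptor actually arrived with the message. If the imsg carries no fd (conventionally -1), that value would be stored in `env->sc_pfkey` and registered with `event_set`; `pfkey_init` in pfkey.c does not validate it either. A guard before the call makes the failure explicit, for example `if (imsg->fd == -1) fatalx("%s: no pfkey fd received", __func__);`. In `config_setpfkey` the `== -1` test looks dead now, since `pfkey_socket` calls `fatal` rather than returning -1, and the result of `imsg_compose_proc` is dropped, so a failed hand-off would still return 0.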
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index b63a0108394..cb818e40999 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.29 2011/01/17 18:49:35 mikeb Exp $ */
+/* $OpenBSD: iked.h,v 1.30 2011/01/21 11:37:02 reyk Exp $ */
/* $vantronix: iked.h,v 1.61 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -529,8 +529,7 @@ int config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t,
int config_getsocket(struct iked *env, struct imsg *,
void (*cb)(int, short, void *));
int config_setpfkey(struct iked *, enum iked_procid);
-int config_getpfkey(struct iked *, struct imsg *,
- void (*)(int, short, void *));
+int config_getpfkey(struct iked *, struct imsg *);
int config_setuser(struct iked *, struct iked_user *, enum iked_procid);
int config_getuser(struct iked *, struct imsg *);
@@ -692,8 +691,8 @@ int pfkey_sa_init(int, struct iked_childsa *, u_int32_t *);
int pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *);
int pfkey_sa_delete(int, struct iked_childsa *);
int pfkey_flush(int);
-int pfkey_init(struct iked *);
-void pfkey_dispatch(int, short, void *);
+int pfkey_socket(void);
+void pfkey_init(struct iked *, int fd);
/* ca.c */
pid_t caproc(struct iked *, struct iked_proc *);
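Review bot: The two new prototypes give no hint of the process contract that the split exists to enforce. Judging by the check in pfkey.c, `pfkey_socket` must run in the privileged parent, while `pfkey_init` appears to be meant for the process that receives the descriptor over imsg. A one-line comment above them would record that, for example `/* pfkey_socket(): parent only; pfkey_init(): called with the fd received via IMSG_PFKEY_SOCKET */`. As a smaller style point, `pfkey_init(struct iked *, int fd)` names one parameter and not the other.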
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 1b40054043f..9f58bcdfe5b 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.34 2011/01/17 18:57:42 reyk Exp $ */
+/* $OpenBSD: ikev2.c,v 1.35 2011/01/21 11:37:02 reyk Exp $ */
/* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -131,7 +131,7 @@ ikev2_dispatch_parent(int fd, struct iked_proc *p, struct imsg *imsg)
case IMSG_UDP_SOCKET:
return (config_getsocket(env, imsg, ikev2_msg_cb));
case IMSG_PFKEY_SOCKET:
- return (config_getpfkey(env, imsg, pfkey_dispatch));
+ return (config_getpfkey(env, imsg));
case IMSG_CFG_POLICY:
return (config_getpolicy(env, imsg));
case IMSG_CFG_USER:
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index 5deec8d06a0..b37e421932b 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.12 2011/01/17 18:49:35 mikeb Exp $ */
+/* $OpenBSD: pfkey.c,v 1.13 2011/01/21 11:37:02 reyk Exp $ */
/* $vantronix: pfkey.c,v 1.11 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -111,6 +111,7 @@ int pfkey_sagroup(int, u_int8_t, u_int8_t,
int pfkey_write(int, struct sadb_msg *, struct iovec *, int,
u_int8_t **, ssize_t *);
int pfkey_reply(int, u_int8_t **, ssize_t *);
+void pfkey_dispatch(int, short, void *);
struct sadb_ident *
pfkey_id2ident(struct iked_id *, u_int);
@@ -1197,17 +1198,33 @@ pfkey_id2ident(struct iked_id *id, u_int exttype)
}
int
-pfkey_init(struct iked *env)
+pfkey_socket(void)
{
- struct sadb_msg smsg;
- struct iovec iov;
int fd;
+ if (iked_process != PROC_PARENT)
+ fatal("pfkey_socket: called from unprivileged process");
+
if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1)
- fatal("pfkey_init: failed to open PF_KEY socket");
+ fatal("pfkey_socket: failed to open PF_KEY socket");
pfkey_flush(fd);
+ return (fd);
+}
+
+void
+pfkey_init(struct iked *env, int fd)
+{
+ struct sadb_msg smsg;
+ struct iovec iov;
+
+ /* Register the pfkey socket event handler */
+ env->sc_pfkey = fd;
+ event_set(&env->sc_pfkeyev, env->sc_pfkey,
+ EV_READ|EV_PERSIST, pfkey_dispatch, env);
+ event_add(&env->sc_pfkeyev, NULL);
+
/* Register it to get ESP and AH acquires from the kernel */
bzero(&smsg, sizeof(smsg));
smsg.sadb_msg_version = PF_KEY_V2;
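Review bot: The process check at the top of `pfkey_socket` reports a programming error through `fatal`, which in the OpenBSD daemons appends the text for whatever `errno` happens to hold. `fatalx("pfkey_socket: called from unprivileged process");` would avoid a misleading errno string in the log. That check is a sanity guard rather than the privilege boundary itself, which is presumably enforced when `socket(PF_KEY, ...)` is opened; a short comment saying so would stop readers treating it as access control. The return value of `pfkey_flush(fd)` is also ignored, so a failed flush in the parent goes unlogged before the descriptor is handed on. Logging it (`if (pfkey_flush(fd) == -1) log_debug("%s: flush failed", __func__);`) would help when diagnosing stale kernel state. `pfkey_init` continues past the end of this hunk.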
@@ -1241,8 +1258,6 @@ pfkey_init(struct iked *env)
pfkey_timer_tv.tv_sec = 1;
pfkey_timer_tv.tv_usec = 0;
evtimer_set(&pfkey_timer_ev, pfkey_timer_cb, env);
-
- return (fd);
}
void *