author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2009-01-27 22:40:11 +0000 |
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2009-01-27 22:40:11 +0000 |
commit | 1e71a92a6d728ac28d7ff50d7b911d046b2eb37a (patch) | |
tree | 84e0ed4dc68a78120aa4b59b05f8b2eddf942a79 /sys | |
parent | d95281d45da8e9fcdd1b2885dcb4d830eb3500fd (diff) |
In IPsec acquire mode, if the flow was configured for the "any"
network 0.0.0.0/0 or ::/0, the SA was established for the IP address
in the packet instead of the network in the flow. That means the
SA was not negotiated for the network 0.0.0.0 with mask 0 but for
the remote IP with mask 255.255.255.255. This SA did not match the
flow and did not work.
To differentiate between general flows that are used to trigger
specific host-to-host SAs and flows for matching network SAs, the
if condition only uses the ipo->ipo_dst field now. For a flow
without peer, an SA must be negotiated for each host-to-host
combination. Otherwise, if a peer exists at the flow, the kernel
acquires one SA for the whole network.
tested by todd@, ok hshoexer@, angelos@, todd@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_spd.c | 18 |
1 files changed, 5 insertions, 13 deletions
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index 921f7b84b42..77d28487e2b 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.58 2008/09/10 14:01:23 blambert Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.59 2009/01/27 22:40:10 bluhm Exp $ */
 /*
  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
  *
@@ -795,9 +795,7 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
 ipa->ipa_info.sen_direction = ipo->ipo_addr.sen_direction;
 ipa->ipa_mask.sen_direction = ipo->ipo_mask.sen_direction;
 
- if (ipo->ipo_mask.sen_ip_src.s_addr == INADDR_ANY ||
- ipo->ipo_addr.sen_ip_src.s_addr == INADDR_ANY ||
- ipsp_is_unspecified(ipo->ipo_dst)) {
+ if (ipsp_is_unspecified(ipo->ipo_dst)) {
 ipa->ipa_info.sen_ip_src = ddst->sen_ip_src;
 ipa->ipa_mask.sen_ip_src.s_addr = INADDR_BROADCAST;
 } else {
@@ -805,9 +803,7 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
 ipa->ipa_mask.sen_ip_src = ipo->ipo_mask.sen_ip_src;
 }
 
- if (ipo->ipo_mask.sen_ip_dst.s_addr == INADDR_ANY ||
- ipo->ipo_addr.sen_ip_dst.s_addr == INADDR_ANY ||
- ipsp_is_unspecified(ipo->ipo_dst)) {
+ if (ipsp_is_unspecified(ipo->ipo_dst)) {
 ipa->ipa_info.sen_ip_dst = ddst->sen_ip_dst;
 ipa->ipa_mask.sen_ip_dst.s_addr = INADDR_BROADCAST;
 } else {
@@ -836,9 +832,7 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
 ipa->ipa_mask.sen_ip6_direction = ipo->ipo_mask.sen_ip6_direction;
 
- if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_mask.sen_ip6_src) ||
- IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_addr.sen_ip6_src) ||
- ipsp_is_unspecified(ipo->ipo_dst)) {
+ if (ipsp_is_unspecified(ipo->ipo_dst)) {
 ipa->ipa_info.sen_ip6_src = ddst->sen_ip6_src;
 ipa->ipa_mask.sen_ip6_src = in6mask128;
 } else {
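Review bot: The new condition `if (ipsp_is_unspecified(ipo->ipo_dst))` no longer explains itself: the removed INADDR_ANY / IN6_IS_ADDR_UNSPECIFIED tests made the host-vs-network intent visible in the code, and after this change the reader has to know the commit message to understand why an unspecified peer selects the packet's host address with a host mask (INADDR_BROADCAST / in6mask128) while a configured peer keeps the flow's own address and mask. The same test is now repeated verbatim four times — the IPv4 src and dst hunks and the IPv6 src hunk here, and the IPv6 dst hunk that follows — so a single evaluation above the address-family branching, `int host_sa = ipsp_is_unspecified(ipo->ipo_dst);`, used as `if (host_sa) {` in each place, would keep the four blocks from drifting apart if one of them is touched later; the start of ipsp_acquire_sa and the point where IPv4 and IPv6 diverge are outside these hunks, so where that variable should live cannot be confirmed from here. At minimum a comment at the first occurrence along the lines of `/* No peer: acquire a host-to-host SA for this packet pair; with a peer: one SA covering the whole flow network. */` would capture the behaviour the commit message describes.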
@@ -846,9 +840,7 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
 ipa->ipa_mask.sen_ip6_src = ipo->ipo_mask.sen_ip6_src;
 }
 
- if (IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_mask.sen_ip6_dst) ||
- IN6_IS_ADDR_UNSPECIFIED(&ipo->ipo_addr.sen_ip6_dst) ||
- ipsp_is_unspecified(ipo->ipo_dst)) {
+ if (ipsp_is_unspecified(ipo->ipo_dst)) {
 ipa->ipa_info.sen_ip6_dst = ddst->sen_ip6_dst;
 ipa->ipa_mask.sen_ip6_dst = in6mask128;
 } else {