src - OpenBSD base system

diff options


context:
space:
mode:

author	Henning Brauer <henning@cvs.openbsd.org>	2006-10-26 14:26:50 +0000
committer	Henning Brauer <henning@cvs.openbsd.org>	2006-10-26 14:26:50 +0000
commit	596f3ba1a23944e85fc0b4c1168d8bfdc14c7717 (patch)
tree	217c4994944a7706df97623cd0bd4513c857527b /usr.sbin/bgpd
parent	e633e0ff3bd724da4d1253c016ac21e1c0122a18 (diff)

* make sure we keep copies of everything we need to

* remove SAs and flows later again, even if the * configuration info changed due to reload. * We need: SPIs, method, local_addr, remote_addr. * remote_addr cannot change, so no copy. with this, I have just migrated a session from tcp md5sig to ipsec esp ike, just with bgpctl reload (both sides) followed by bgpctl neighbor $foo clear (just one side)! claudio ok

Diffstat (limited to 'usr.sbin/bgpd')

-rw-r--r--

usr.sbin/bgpd/pfkey.c

-rw-r--r--

usr.sbin/bgpd/session.h

2 files changed, 56 insertions, 38 deletions

diff --git a/usr.sbin/bgpd/pfkey.c b/usr.sbin/bgpd/pfkey.c
index b0ad05e849e..bd0652ffb7f 100644
--- a/usr.sbin/bgpd/pfkey.c
+++ b/usr.sbin/bgpd/pfkey.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pfkey.c,v 1.33 2006/10/26 13:17:00 henning Exp $ */

+/* $OpenBSD: pfkey.c,v 1.34 2006/10/26 14:26:49 henning Exp $ */

@@ -498,12 +498,12 @@ int

pfkey_md5sig_establish(struct peer *p)

{

if (!p->auth.spi_out)

- if (pfkey_sa_add(&p->conf.local_addr, &p->conf.remote_addr,

+ if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr,

p->conf.auth.md5key_len, p->conf.auth.md5key,

&p->auth.spi_out) == -1)

return (-1);

if (!p->auth.spi_in)

- if (pfkey_sa_add(&p->conf.remote_addr, &p->conf.local_addr,

+ if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr,

p->conf.auth.md5key_len, p->conf.auth.md5key,

&p->auth.spi_in) == -1)

return (-1);

@@ -516,11 +516,11 @@ int

pfkey_md5sig_remove(struct peer *p)

{

if (p->auth.spi_out)

- if (pfkey_sa_remove(&p->conf.local_addr, &p->conf.remote_addr,

+ if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr,

&p->auth.spi_out) == -1)

return (-1);

if (p->auth.spi_in)

- if (pfkey_sa_remove(&p->conf.remote_addr, &p->conf.local_addr,

+ if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr,

&p->auth.spi_in) == -1)

return (-1);

@@ -531,10 +531,9 @@ pfkey_md5sig_remove(struct peer *p)

int

pfkey_ipsec_establish(struct peer *p)

{

- struct peer_auth *auth = &p->conf.auth;

uint8_t satype = SADB_SATYPE_ESP;

- switch (p->conf.auth.method) {

+ switch (p->auth.method) {

case AUTH_IPSEC_IKE_ESP:

satype = SADB_SATYPE_ESP;

break;

@@ -543,26 +542,30 @@ pfkey_ipsec_establish(struct peer *p)

break;

case AUTH_IPSEC_MANUAL_ESP:

case AUTH_IPSEC_MANUAL_AH:

- satype = p->conf.auth.method == AUTH_IPSEC_MANUAL_ESP ?

+ satype = p->auth.method == AUTH_IPSEC_MANUAL_ESP ?

SADB_SATYPE_ESP : SADB_SATYPE_AH;

if (pfkey_send(fd, satype, SADB_ADD, 0,

- &p->conf.local_addr, &p->conf.remote_addr,

- auth->spi_out,

- auth->auth_alg_out, auth->auth_keylen_out,

- auth->auth_key_out,

- auth->enc_alg_out, auth->enc_keylen_out,

- auth->enc_key_out,

+ &p->auth.local_addr, &p->conf.remote_addr,

+ p->auth.spi_out,

+ p->conf.auth.auth_alg_out,

+ p->conf.auth.auth_keylen_out,

+ p->conf.auth.auth_key_out,

+ p->conf.auth.enc_alg_out,

+ p->conf.auth.enc_keylen_out,

+ p->conf.auth.enc_key_out,

0, 0) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

if (pfkey_send(fd, satype, SADB_ADD, 0,

- &p->conf.remote_addr, &p->conf.local_addr,

- auth->spi_in,

- auth->auth_alg_in, auth->auth_keylen_in,

- auth->auth_key_in,

- auth->enc_alg_in, auth->enc_keylen_in,

- auth->enc_key_in,

+ &p->conf.remote_addr, &p->auth.local_addr,

+ p->auth.spi_in,

+ p->conf.auth.auth_alg_in,

+ p->conf.auth.auth_keylen_in,

+ p->conf.auth.auth_key_in,

+ p->conf.auth.enc_alg_in,

+ p->conf.auth.enc_keylen_in,

+ p->conf.auth.enc_key_in,

0, 0) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

@@ -574,25 +577,25 @@ pfkey_ipsec_establish(struct peer *p)

}

if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, IPSP_DIRECTION_OUT,

- &p->conf.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0)

+ &p->auth.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, IPSP_DIRECTION_OUT,

- &p->conf.local_addr, &p->conf.remote_addr, BGP_PORT, 0) < 0)

+ &p->auth.local_addr, &p->conf.remote_addr, BGP_PORT, 0) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, IPSP_DIRECTION_IN,

- &p->conf.remote_addr, &p->conf.local_addr, 0, BGP_PORT) < 0)

+ &p->conf.remote_addr, &p->auth.local_addr, 0, BGP_PORT) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

if (pfkey_flow(fd, satype, SADB_X_ADDFLOW, IPSP_DIRECTION_IN,

- &p->conf.remote_addr, &p->conf.local_addr, BGP_PORT, 0) < 0)

+ &p->conf.remote_addr, &p->auth.local_addr, BGP_PORT, 0) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

@@ -606,7 +609,7 @@ pfkey_ipsec_remove(struct peer *p)

{

uint8_t satype;

- switch (p->conf.auth.method) {

+ switch (p->auth.method) {

case AUTH_IPSEC_IKE_ESP:

satype = SADB_SATYPE_ESP;

break;

@@ -615,19 +618,19 @@ pfkey_ipsec_remove(struct peer *p)

break;

case AUTH_IPSEC_MANUAL_ESP:

case AUTH_IPSEC_MANUAL_AH:

- satype = p->conf.auth.method == AUTH_IPSEC_MANUAL_ESP ?

+ satype = p->auth.method == AUTH_IPSEC_MANUAL_ESP ?

SADB_SATYPE_ESP : SADB_SATYPE_AH;

if (pfkey_send(fd, satype, SADB_DELETE, 0,

- &p->conf.local_addr, &p->conf.remote_addr,

- p->conf.auth.spi_out, 0, 0, NULL, 0, 0, NULL,

+ &p->auth.local_addr, &p->conf.remote_addr,

+ p->auth.spi_out, 0, 0, NULL, 0, 0, NULL,

0, 0) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

if (pfkey_send(fd, satype, SADB_DELETE, 0,

- &p->conf.remote_addr, &p->conf.local_addr,

- p->conf.auth.spi_in, 0, 0, NULL, 0, 0, NULL,

+ &p->conf.remote_addr, &p->auth.local_addr,

+ p->auth.spi_in, 0, 0, NULL, 0, 0, NULL,

0, 0) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

@@ -639,25 +642,25 @@ pfkey_ipsec_remove(struct peer *p)

}

if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_OUT,

- &p->conf.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0)

+ &p->auth.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_OUT,

- &p->conf.local_addr, &p->conf.remote_addr, BGP_PORT, 0) < 0)

+ &p->auth.local_addr, &p->conf.remote_addr, BGP_PORT, 0) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_IN,

- &p->conf.remote_addr, &p->conf.local_addr, 0, BGP_PORT) < 0)

+ &p->conf.remote_addr, &p->auth.local_addr, 0, BGP_PORT) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_IN,

- &p->conf.remote_addr, &p->conf.local_addr, BGP_PORT, 0) < 0)

+ &p->conf.remote_addr, &p->auth.local_addr, BGP_PORT, 0) < 0)

return (-1);

if (pfkey_reply(fd, NULL) < 0)

return (-1);

@@ -669,9 +672,22 @@ pfkey_ipsec_remove(struct peer *p)

int

pfkey_establish(struct peer *p)

{

- if (!p->conf.auth.method)

+ /*

+ * make sure we keep copies of everything we need to

+ * remove SAs and flows later again, even if the

+ * info in p->conf changed due to reload.

+ * We need: SPIs, method, local_addr, remote_addr.

+ * remote_addr cannot change, so no copy.

+ */

+ memcpy(&p->auth.local_addr, &p->conf.local_addr,

+ sizeof(p->auth.local_addr));

+ p->auth.method = p->conf.auth.method;

+ p->auth.spi_in = p->conf.auth.spi_in;

+ p->auth.spi_out = p->conf.auth.spi_out;

+ if (!p->auth.method)

return (0);

- else if (p->conf.auth.method == AUTH_MD5SIG)

+ else if (p->auth.method == AUTH_MD5SIG)

return (pfkey_md5sig_establish(p));

else

return (pfkey_ipsec_establish(p));

@@ -682,7 +698,7 @@ pfkey_remove(struct peer *p)

{

if (!p->auth.established)

return (0);

- else if (p->conf.auth.method == AUTH_MD5SIG)

+ else if (p->auth.method == AUTH_MD5SIG)

return (pfkey_md5sig_remove(p));

else

return (pfkey_ipsec_remove(p));

diff --git a/usr.sbin/bgpd/session.h b/usr.sbin/bgpd/session.h
index 50ce6129dde..9d53860cdb7 100644
--- a/usr.sbin/bgpd/session.h
+++ b/usr.sbin/bgpd/session.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: session.h,v 1.87 2006/10/26 13:17:00 henning Exp $ */

+/* $OpenBSD: session.h,v 1.88 2006/10/26 14:26:49 henning Exp $ */

@@ -167,8 +167,10 @@ struct peer {

struct capabilities peer;

} capa;

struct {

+ struct bgpd_addr local_addr;

u_int32_t spi_in;

u_int32_t spi_out;

+ enum auth_method method;

u_int8_t established;

} auth;

struct sockaddr_storage sa_local;