diff options
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/iked/iked.h | 6 | ||||
-rw-r--r-- | sbin/iked/ikev2.c | 148 | ||||
-rw-r--r-- | sbin/iked/pfkey.c | 4 | ||||
-rw-r--r-- | sbin/iked/policy.c | 18 | ||||
-rw-r--r-- | sbin/iked/util.c | 18 |
5 files changed, 165 insertions, 29 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index b12d7d75f19..08b6f589316 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.69 2014/02/17 15:53:46 markus Exp $ */ +/* $OpenBSD: iked.h,v 1.70 2014/02/21 20:52:38 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -184,6 +184,9 @@ struct iked_childsa { struct iked_childsa *csa_peersa; /* peer */ + struct iked_childsa *csa_parent; /* IPCOMP parent */ + u_int csa_children; /* IPCOMP children */ + RB_ENTRY(iked_childsa) csa_node; TAILQ_ENTRY(iked_childsa) csa_entry; }; @@ -844,6 +847,7 @@ void socket_set_blockmode(int, enum blockmodes); int socket_af(struct sockaddr *, in_port_t); in_port_t socket_getport(struct sockaddr *); +int socket_setport(struct sockaddr *, in_port_t); int socket_getaddr(int, struct sockaddr_storage *); int socket_bypass(int, struct sockaddr *); int udp_bind(struct sockaddr *, in_port_t); diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index 8ae7f8832ad..e534a2e7cee 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.95 2014/02/18 13:10:48 markus Exp $ */ +/* $OpenBSD: ikev2.c,v 1.96 2014/02/21 20:52:38 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -106,7 +106,8 @@ ssize_t ikev2_add_ts_payload(struct ibuf *, u_int, struct iked_sa *); int ikev2_add_data(struct ibuf *, void *, size_t); int ikev2_add_buf(struct ibuf *buf, struct ibuf *); -int ikev2_ipcomp_enable(struct iked_sa *); +int ikev2_ipcomp_enable(struct iked *, struct iked_sa *); +void ikev2_ipcomp_csa_free(struct iked *, struct iked_childsa *); int ikev2_cp_setaddr(struct iked *, struct iked_sa *); int ikev2_cp_fixaddr(struct iked_sa *, struct iked_addr *, @@ -1397,8 +1398,9 @@ ikev2_add_ipcompnotify(struct iked *env, struct ibuf *e, if (spi == 0) return (len); cpi = htobe16((u_int16_t)spi); - if (ikev2_next_payload(*pld, len, IKEV2_PAYLOAD_NOTIFY) == -1) - return (-1); + if (*pld) + if (ikev2_next_payload(*pld, len, IKEV2_PAYLOAD_NOTIFY) == -1) + return (-1); if ((*pld = ikev2_add_payload(e)) == NULL) return (-1); len = sizeof(*n) + sizeof(cpi) + sizeof(transform); @@ -2324,9 +2326,10 @@ ikev2_send_create_child_sa(struct iked *env, struct iked_sa *sa, { struct iked_childsa *csa = NULL, *csb = NULL; struct ikev2_notify *n; - struct ikev2_payload *pld; + struct ikev2_payload *pld = NULL; struct ibuf *e = NULL, *nonce = NULL; u_int8_t *ptr; + u_int8_t firstpayload; u_int32_t spi; ssize_t len = 0; int initiator, ret = -1; @@ -2359,6 +2362,18 @@ ikev2_send_create_child_sa(struct iked *env, struct iked_sa *sa, if ((e = ibuf_static()) == NULL) goto done; + /* compression */ + if ((sa->sa_policy->pol_flags & IKED_POLICY_IPCOMP) && + (len = ikev2_add_ipcompnotify(env, e, &pld, 0, sa)) == -1) + goto done; + + if (pld) { + firstpayload = IKEV2_PAYLOAD_NOTIFY; + if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_SA) == -1) + goto done; + } else + firstpayload = IKEV2_PAYLOAD_SA; + /* SA payload */ if ((pld = ikev2_add_payload(e)) == NULL) goto done; @@ -2403,7 +2418,7 @@ ikev2_send_create_child_sa(struct iked *env, struct iked_sa *sa, goto done; ret = ikev2_msg_send_encrypt(env, sa, &e, - IKEV2_EXCHANGE_CREATE_CHILD_SA, IKEV2_PAYLOAD_SA, 0); + IKEV2_EXCHANGE_CREATE_CHILD_SA, firstpayload, 0); if (ret == 0) { if (rekey) { csa->csa_rekey = 1; @@ -2516,11 +2531,12 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg) struct iked_spi *spi, *rekey = &msg->msg_rekey; struct ikev2_keyexchange *ke; struct ikev2_notify *n; - struct ikev2_payload *pld; + struct ikev2_payload *pld = NULL; struct ibuf *buf = NULL, *e = NULL, *nonce = NULL; struct group *group; u_int64_t spi64; u_int32_t spi32; + u_int8_t firstpayload; ssize_t len = 0; int initiator, protoid, rekeying = 1; int ret = -1; @@ -2661,6 +2677,18 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg) if ((e = ibuf_static()) == NULL) goto done; + /* compression (unless IKE rekeying) */ + if (!nsa && sa->sa_ipcomp && + (len = ikev2_add_ipcompnotify(env, e, &pld, 0, sa)) == -1) + goto done; + + if (pld) { + firstpayload = IKEV2_PAYLOAD_NOTIFY; + if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_SA) == -1) + goto done; + } else + firstpayload = IKEV2_PAYLOAD_SA; + /* SA payload */ if ((pld = ikev2_add_payload(e)) == NULL) goto done; @@ -2706,7 +2734,7 @@ ikev2_resp_create_child_sa(struct iked *env, struct iked_message *msg) goto done; if ((ret = ikev2_msg_send_encrypt(env, sa, &e, - IKEV2_EXCHANGE_CREATE_CHILD_SA, IKEV2_PAYLOAD_SA, 1)) == -1) + IKEV2_EXCHANGE_CREATE_CHILD_SA, firstpayload, 1)) == -1) goto done; if (protoid == IKEV2_SAPROTO_IKE) { @@ -3787,8 +3815,11 @@ ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa, int initiator) &flow->flow_src) && IKED_ADDR_EQ(&saflow->flow_dst, &flow->flow_dst) && - saflow->flow_saproto == prop->prop_protoid) + saflow->flow_saproto == + prop->prop_protoid) { skip = 1; + break; + } } if (skip) continue; @@ -3936,11 +3967,30 @@ ikev2_childsa_negotiate(struct iked *env, struct iked_sa *sa, int initiator) return (ret); } +/* free a replaced IPCOMP SA */ +void +ikev2_ipcomp_csa_free(struct iked *env, struct iked_childsa *csa) +{ + if (csa->csa_children) + fatalx("ikev2_ipcomp_csa_free: has children"); + if (csa->csa_ikesa) + TAILQ_REMOVE(&csa->csa_ikesa->sa_childsas, csa, + csa_entry); + if (csa->csa_loaded) { + log_debug("%s: csa %p loaded: calling pfkey_sa_delete", + __func__, csa); + pfkey_sa_delete(env->sc_pfkey, csa); + RB_REMOVE(iked_activesas, &env->sc_activesas, csa); + } + childsa_free(csa); +} + int -ikev2_ipcomp_enable(struct iked_sa *sa) +ikev2_ipcomp_enable(struct iked *env, struct iked_sa *sa) { - struct iked_childsa *other, *csa = NULL, *csb = NULL; + struct iked_childsa *other, *nother, *csa = NULL, *csb = NULL; struct iked_flow *flow, *flowa = NULL, *flowb = NULL; + struct iked_flow *nflow, *oflow; if ((csa = calloc(1, sizeof(*csa))) == NULL || (csb = calloc(1, sizeof(*csb))) == NULL || @@ -3954,10 +4004,19 @@ ikev2_ipcomp_enable(struct iked_sa *sa) } /* switch ESP SAs to transport mode */ - TAILQ_FOREACH(other, &sa->sa_childsas, csa_entry) + TAILQ_FOREACH(other, &sa->sa_childsas, csa_entry) { if (!other->csa_rekey && !other->csa_loaded && - other->csa_saproto == IKEV2_SAPROTO_ESP) + other->csa_saproto == IKEV2_SAPROTO_ESP) { other->csa_transport = 1; + if (other->csa_dir == IPSP_DIRECTION_OUT) { + other->csa_parent = csa; + csa->csa_children++; + } else { + other->csa_parent = csb; + csb->csa_children++; + } + } + } /* install IPCOMP SAs */ csa->csa_ikesa = sa; @@ -3975,7 +4034,7 @@ ikev2_ipcomp_enable(struct iked_sa *sa) csa->csa_dir = IPSP_DIRECTION_OUT; csa->csa_local = &sa->sa_local; csa->csa_peer = &sa->sa_peer; - csb->csa_allocated = 0; + csa->csa_persistent = 1; memcpy(csb, csa, sizeof(*csb)); csb->csa_spi.spi = csa->csa_peerspi; @@ -3985,6 +4044,26 @@ ikev2_ipcomp_enable(struct iked_sa *sa) csb->csa_peer = csa->csa_local; csb->csa_allocated = 1; + /* remove old replaced IPCOMP SAs */ + TAILQ_FOREACH_SAFE(other, &sa->sa_childsas, csa_entry, nother) { + if (other->csa_saproto != IKEV2_SAPROTO_IPCOMP || + other->csa_children != 0) + continue; + if (other->csa_dir == csa->csa_dir && + IKED_ADDR_EQ(other->csa_local, csa->csa_local) && + IKED_ADDR_EQ(other->csa_peer, csa->csa_peer)) { + log_debug("%s: csa %p replaces %p", + __func__, csa, other); + ikev2_ipcomp_csa_free(env, other); + } else if (other->csa_dir == csb->csa_dir && + IKED_ADDR_EQ(other->csa_local, csb->csa_local) && + IKED_ADDR_EQ(other->csa_peer, csb->csa_peer)) { + log_debug("%s: csa %p replaces %p", + __func__, csb, other); + ikev2_ipcomp_csa_free(env, other); + } + } + TAILQ_INSERT_TAIL(&sa->sa_childsas, csa, csa_entry); TAILQ_INSERT_TAIL(&sa->sa_childsas, csb, csa_entry); @@ -3992,13 +4071,27 @@ ikev2_ipcomp_enable(struct iked_sa *sa) csb->csa_peersa = csa; /* redirect flows to IPCOMP */ - TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { + /* XXX expensive? should be merged into ikev2_childsa_negotiate() */ + TAILQ_FOREACH_SAFE(flow, &sa->sa_flows, flow_entry, nflow) { if (flow->flow_loaded || flow->flow_saproto != IKEV2_SAPROTO_ESP) continue; - log_debug("%s: flow %p saproto %d -> %d", __func__, - flow, flow->flow_saproto, IKEV2_SAPROTO_IPCOMP); - flow->flow_saproto = IKEV2_SAPROTO_IPCOMP; + TAILQ_FOREACH(oflow, &sa->sa_flows, flow_entry) + if (IKED_ADDR_EQ(&oflow->flow_src, &flow->flow_src) && + IKED_ADDR_EQ(&oflow->flow_dst, &flow->flow_dst) && + oflow->flow_dir == flow->flow_dir && + oflow->flow_saproto == IKEV2_SAPROTO_IPCOMP) + break; + if (oflow != NULL) { + log_debug("%s: keeping oflow %p, indentical to flow %p", + __func__, oflow, flow); + TAILQ_REMOVE(&sa->sa_flows, flow, flow_entry); + flow_free(flow); + } else { + log_debug("%s: flow %p saproto %d -> %d", __func__, + flow, flow->flow_saproto, IKEV2_SAPROTO_IPCOMP); + flow->flow_saproto = IKEV2_SAPROTO_IPCOMP; + } } /* setup ESP flows for gateways */ @@ -4015,11 +4108,25 @@ ikev2_ipcomp_enable(struct iked_sa *sa) flowa->flow_peer = &sa->sa_peer; memcpy(&flowa->flow_src, &sa->sa_local, sizeof(sa->sa_local)); memcpy(&flowa->flow_dst, &sa->sa_peer, sizeof(sa->sa_peer)); + socket_setport((struct sockaddr *)&flowa->flow_src.addr, 0); + socket_setport((struct sockaddr *)&flowa->flow_dst.addr, 0); + flowa->flow_src.addr_port = flowa->flow_dst.addr_port = 0; flowa->flow_src.addr_mask = flowa->flow_dst.addr_mask = (sa->sa_local.addr_af == AF_INET) ? 32 : 128; - flowa->flow_src.addr_port = flowa->flow_dst.addr_port = 0; flowa->flow_ikesa = sa; + /* skip if flow already exists */ + TAILQ_FOREACH(flow, &sa->sa_flows, flow_entry) { + if (IKED_ADDR_EQ(&flow->flow_src, &flowa->flow_src) && + IKED_ADDR_EQ(&flow->flow_dst, &flowa->flow_dst) && + flow->flow_dir == flowa->flow_dir && + flow->flow_saproto == flowa->flow_saproto) { + free(flowa); + free(flowb); + goto done; + } + } + memcpy(flowb, flowa, sizeof(*flowb)); flowb->flow_dir = IPSP_DIRECTION_IN; memcpy(&flowb->flow_dst, &flowa->flow_src, sizeof(flowa->flow_src)); @@ -4028,6 +4135,7 @@ ikev2_ipcomp_enable(struct iked_sa *sa) TAILQ_INSERT_TAIL(&sa->sa_flows, flowa, flow_entry); TAILQ_INSERT_TAIL(&sa->sa_flows, flowb, flow_entry); + done: /* make sure IPCOMP CPIs are not reused */ sa->sa_ipcomp = 0; sa->sa_cpi_in = sa->sa_cpi_out = 0; @@ -4042,7 +4150,7 @@ ikev2_childsa_enable(struct iked *env, struct iked_sa *sa) struct iked_flow *flow, *oflow; if (sa->sa_ipcomp && sa->sa_cpi_in && sa->sa_cpi_out && - ikev2_ipcomp_enable(sa) == -1) + ikev2_ipcomp_enable(env, sa) == -1) return (-1); TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) { diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c index 1c97009d60d..09f1626b4ac 100644 --- a/sbin/iked/pfkey.c +++ b/sbin/iked/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.28 2014/02/14 09:00:03 markus Exp $ */ +/* $OpenBSD: pfkey.c,v 1.29 2014/02/21 20:52:38 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -814,7 +814,7 @@ pfkey_sa_last_used(int sd, struct iked_childsa *sa, u_int64_t *last_used) } if ((sa_life = pfkey_find_ext(data, n, SADB_X_EXT_LIFETIME_LASTUSE)) == NULL) { - log_debug("%s: erronous reply", __func__); + /* has never been used */ ret = -1; goto done; } diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c index 3f7ed72c315..9292faf849a 100644 --- a/sbin/iked/policy.c +++ b/sbin/iked/policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: policy.c,v 1.30 2014/02/17 15:53:46 markus Exp $ */ +/* $OpenBSD: policy.c,v 1.31 2014/02/21 20:52:38 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -415,11 +415,19 @@ sa_address(struct iked_sa *sa, struct iked_addr *addr, } void -childsa_free(struct iked_childsa *sa) +childsa_free(struct iked_childsa *csa) { - ibuf_release(sa->csa_encrkey); - ibuf_release(sa->csa_integrkey); - free(sa); + if (csa->csa_children) { + /* XXX should not happen */ + log_warnx("%s: trying to remove CSA %p children %u", + __func__, csa, csa->csa_children); + return; + } + if (csa->csa_parent) + csa->csa_parent->csa_children--; + ibuf_release(csa->csa_encrkey); + ibuf_release(csa->csa_integrkey); + free(csa); } struct iked_childsa * diff --git a/sbin/iked/util.c b/sbin/iked/util.c index dcdedf3a815..5228c713525 100644 --- a/sbin/iked/util.c +++ b/sbin/iked/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.24 2014/02/14 09:00:03 markus Exp $ */ +/* $OpenBSD: util.c,v 1.25 2014/02/21 20:52:38 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -91,6 +91,22 @@ socket_getport(struct sockaddr *sa) } int +socket_setport(struct sockaddr *sa, in_port_t port) +{ + switch (sa->sa_family) { + case AF_INET: + ((struct sockaddr_in *)sa)->sin_port = htons(port); + break; + case AF_INET6: + ((struct sockaddr_in6 *)sa)->sin6_port = htons(port); + break; + default: + return (-1); + } + return (0); +} + +int socket_getaddr(int s, struct sockaddr_storage *ss) { socklen_t sslen; |