Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/netipsec Fix port matching; we need to ignore ports when...



details:   https://anonhg.NetBSD.org/src/rev/a9011fc9c1a4
branches:  trunk
changeset: 814077:a9011fc9c1a4
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Mar 05 20:13:40 2016 +0000

description:
Fix port matching; we need to ignore ports when they are 0 not only in
the second saidx but the first one too. Fixes NAT-T issue with NetBSD
being the host behind NAT.

diffstat:

 sys/netipsec/key.c |  59 ++++++++++++++++++++++++++++++++---------------------
 1 files changed, 36 insertions(+), 23 deletions(-)

diffs (96 lines):

diff -r 58dc476af1b4 -r a9011fc9c1a4 sys/netipsec/key.c
--- a/sys/netipsec/key.c        Sat Mar 05 20:12:23 2016 +0000
+++ b/sys/netipsec/key.c        Sat Mar 05 20:13:40 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.c,v 1.93 2016/03/05 20:12:23 christos Exp $        */
+/*     $NetBSD: key.c,v 1.94 2016/03/05 20:13:40 christos Exp $        */
 /*     $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $        */
 /*     $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $   */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.93 2016/03/05 20:12:23 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.94 2016/03/05 20:13:40 christos Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -4191,6 +4191,19 @@
 }
 #endif /*INET6*/
 
+static in_port_t
+key_getport(const void *v)
+{
+       const struct sockaddr *sa = v;
+       switch (sa->sa_family) {
+       case AF_INET:
+               return ((const struct sockaddr_in *)v)->sin_port;
+       case AF_INET6:
+               return ((const struct sockaddr_in6 *)v)->sin6_port;
+       default:
+               return 0;
+       }
+}
 /*
  * compare two secasindex structure.
  * flag can specify to compare 2 saidxes.
@@ -4210,6 +4223,7 @@
        int flag)
 {
        int chkport = 0;
+       const struct sockaddr *sa0src, *sa0dst, *sa1src, *sa1dst;
 
        /* sanity */
        if (saidx0 == NULL && saidx1 == NULL)
@@ -4248,29 +4262,28 @@
                                return 0;
                }
 
-       /*
-        * If NAT-T is enabled, check ports for tunnel mode.
-        * Don't do it for transport mode, as there is no
-        * port information available in the SP.
-         * Also don't check ports if they are set to zero
-        * in the SPD: This means we have a non-generated
-        * SPD which can't know UDP ports.
-        */
-       if (saidx1->mode == IPSEC_MODE_TUNNEL &&
-           ((((const struct sockaddr *)(&saidx1->src))->sa_family == AF_INET &&
-             ((const struct sockaddr *)(&saidx1->dst))->sa_family == AF_INET &&
-             ((const struct sockaddr_in *)(&saidx1->src))->sin_port &&
-             ((const struct sockaddr_in *)(&saidx1->dst))->sin_port) ||
-             (((const struct sockaddr *)(&saidx1->src))->sa_family == AF_INET6 &&
-             ((const struct sockaddr *)(&saidx1->dst))->sa_family == AF_INET6 &&
-             ((const struct sockaddr_in6 *)(&saidx1->src))->sin6_port &&
-             ((const struct sockaddr_in6 *)(&saidx1->dst))->sin6_port)))
-               chkport = 1;
-
-               if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, chkport) != 0) {
+
+               sa0src = &saidx0->src.sa;
+               sa0dst = &saidx0->dst.sa;
+               sa1src = &saidx1->src.sa;
+               sa1dst = &saidx1->dst.sa;
+               /*
+                * If NAT-T is enabled, check ports for tunnel mode.
+                * Don't do it for transport mode, as there is no
+                * port information available in the SP.
+                * Also don't check ports if they are set to zero
+                * in the SPD: This means we have a non-generated
+                * SPD which can't know UDP ports.
+                */
+               if (saidx1->mode == IPSEC_MODE_TUNNEL) {
+                       chkport = key_getport(sa0src) && key_getport(sa0dst) &&
+                           key_getport(sa1src) && key_getport(sa1dst);
+               }
+
+               if (key_sockaddrcmp(sa0src, sa1src, chkport) != 0) {
                        return 0;
                }
-               if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, chkport) != 0) {
+               if (key_sockaddrcmp(sa0dst, &sa1dst, chkport) != 0) {
                        return 0;
                }
        }



Home | Main Index | Thread Index | Old Index