831bd1a778
- don't send authkey with SADB_DELETE, it's not accepted by pfkey - no need to reorder extension headers to match bgpd's
145 lines
4.6 KiB
Plaintext
145 lines
4.6 KiB
Plaintext
$OpenBSD: patch-sysdep_bsd_setkey_h,v 1.2 2017/03/03 00:05:38 sthen Exp $
|
|
|
|
- the local address must be configured in config file
|
|
- uses hardcoded SPI (same for each direction); see comments
|
|
|
|
|
|
--- sysdep/bsd/setkey.h.orig Thu Dec 22 22:53:39 2016
|
|
+++ sysdep/bsd/setkey.h Fri Mar 3 00:03:24 2017
|
|
@@ -8,12 +8,24 @@
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <net/pfkeyv2.h>
|
|
+
|
|
+#ifdef __OpenBSD__
|
|
+#include <netinet/ip_ipsp.h>
|
|
+#else
|
|
#include <netipsec/ipsec.h>
|
|
+#endif
|
|
|
|
#include "nest/bird.h"
|
|
#include "lib/unix.h"
|
|
|
|
+#ifndef PFKEY_ALIGN8
|
|
+#define PFKEY_ALIGN8(a) (1 + (((a) - 1) | (8 - 1)))
|
|
+#endif
|
|
|
|
+#ifndef PFKEY_UNIT64
|
|
+#define PFKEY_UNIT64(a) ((a) >> 3)
|
|
+#endif
|
|
+
|
|
/*
|
|
* Open a socket for manage the IPsec SA/SP database entries
|
|
*/
|
|
@@ -40,6 +52,7 @@ setkey_send(struct sadb_msg *msg, uint len)
|
|
if (msg->sadb_msg_type == SADB_ADD)
|
|
{
|
|
/* Delete possible current key in the IPsec SA/SP database */
|
|
+ /* XXX use SA_UPDATE here on OpenBSD? */
|
|
msg->sadb_msg_type = SADB_DELETE;
|
|
send(s, msg, len, 0);
|
|
msg->sadb_msg_type = SADB_ADD;
|
|
@@ -71,7 +84,9 @@ setkey_md5(sockaddr *src, sockaddr *dst, char *passwd,
|
|
sizeof(struct sadb_msg) +
|
|
sizeof(struct sadb_key) + PFKEY_ALIGN8(passwd_len) +
|
|
sizeof(struct sadb_sa) +
|
|
+#ifndef __OpenBSD__
|
|
sizeof(struct sadb_x_sa2) +
|
|
+#endif
|
|
sizeof(struct sadb_address) + PFKEY_ALIGN8(src->sa.sa_len) +
|
|
sizeof(struct sadb_address) + PFKEY_ALIGN8(dst->sa.sa_len);
|
|
|
|
@@ -90,6 +105,9 @@ setkey_md5(sockaddr *src, sockaddr *dst, char *passwd,
|
|
msg->sadb_msg_pid = getpid();
|
|
pos += len;
|
|
|
|
+#ifdef __OpenBSD__
|
|
+if (type != SADB_DELETE) {
|
|
+#endif
|
|
/* Set authentication algorithm and password */
|
|
struct sadb_key *key = (void *) pos;
|
|
len = sizeof(struct sadb_key) + PFKEY_ALIGN8(passwd_len);
|
|
@@ -98,31 +116,50 @@ setkey_md5(sockaddr *src, sockaddr *dst, char *passwd,
|
|
key->sadb_key_bits = passwd_len * 8;
|
|
memcpy(pos + sizeof(struct sadb_key), passwd, passwd_len);
|
|
pos += len;
|
|
+#ifdef __OpenBSD__
|
|
+}
|
|
+#endif
|
|
|
|
struct sadb_sa *sa = (void *) pos;
|
|
len = sizeof(struct sadb_sa);
|
|
sa->sadb_sa_len = PFKEY_UNIT64(len);
|
|
sa->sadb_sa_exttype = SADB_EXT_SA;
|
|
+#ifdef __OpenBSD__
|
|
+ sa->sadb_sa_auth = SADB_AALG_MD5HMAC;
|
|
+ sa->sadb_sa_state = SADB_SASTATE_MATURE;
|
|
+
|
|
+ /*
|
|
+ * XXX Before adding the SA we should use SADB_GETSPI to reserve/fetch
|
|
+ * an SPI (call it with src/dest addresses). This spi should be stored
|
|
+ * and used for SADB_ADD/UPDATE and stored to use for later SADB_DELETE.
|
|
+ */
|
|
sa->sadb_sa_spi = htonl((u32) TCP_SIG_SPI);
|
|
+#else
|
|
sa->sadb_sa_auth = SADB_X_AALG_TCP_MD5;
|
|
- sa->sadb_sa_encrypt = SADB_EALG_NONE;
|
|
sa->sadb_sa_flags = SADB_X_EXT_CYCSEQ;
|
|
+ sa->sadb_sa_spi = htonl((u32) TCP_SIG_SPI);
|
|
+#endif
|
|
+ sa->sadb_sa_encrypt = SADB_EALG_NONE;
|
|
pos += len;
|
|
|
|
+#ifndef __OpenBSD__
|
|
struct sadb_x_sa2 *sa2 = (void *) pos;
|
|
len = sizeof(struct sadb_x_sa2);
|
|
sa2->sadb_x_sa2_len = PFKEY_UNIT64(len);
|
|
sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
|
|
sa2->sadb_x_sa2_mode = IPSEC_MODE_ANY;
|
|
pos += len;
|
|
+#endif
|
|
|
|
/* Set source address */
|
|
struct sadb_address *saddr = (void *) pos;
|
|
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(src->sa.sa_len);
|
|
saddr->sadb_address_len = PFKEY_UNIT64(len);
|
|
saddr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
|
+#ifndef __OpenBSD__
|
|
saddr->sadb_address_proto = IPSEC_ULPROTO_ANY;
|
|
saddr->sadb_address_prefixlen = MAX_PREFIX_LENGTH;
|
|
+#endif
|
|
memcpy(pos + sizeof(struct sadb_address), &src->sa, src->sa.sa_len);
|
|
pos += len;
|
|
|
|
@@ -131,8 +168,10 @@ setkey_md5(sockaddr *src, sockaddr *dst, char *passwd,
|
|
len = sizeof(struct sadb_address) + PFKEY_ALIGN8(dst->sa.sa_len);
|
|
daddr->sadb_address_len = PFKEY_UNIT64(len);
|
|
daddr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
|
+#ifndef __OpenBSD__
|
|
daddr->sadb_address_proto = IPSEC_ULPROTO_ANY;
|
|
daddr->sadb_address_prefixlen = MAX_PREFIX_LENGTH;
|
|
+#endif
|
|
memcpy(pos + sizeof(struct sadb_address), &dst->sa, dst->sa.sa_len);
|
|
pos += len;
|
|
|
|
@@ -160,11 +199,19 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr
|
|
|
|
if (setkey_md5(&src, &dst, passwd, SADB_ADD) < 0)
|
|
ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
|
|
+#ifdef __OpenBSD__
|
|
+ if (setkey_md5(&dst, &src, passwd, SADB_ADD) < 0)
|
|
+ ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database #2");
|
|
+#endif
|
|
}
|
|
else
|
|
{
|
|
if (setkey_md5(&src, &dst, NULL, SADB_DELETE) < 0)
|
|
ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
|
|
+#ifdef __OpenBSD__
|
|
+ if (setkey_md5(&dst, &src, NULL, SADB_DELETE) < 0)
|
|
+ ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database #2");
|
|
+#endif
|
|
}
|
|
return 0;
|
|
}
|