Module Name:    src
Committed By:   spz
Date:           Sun Sep 5 06:52:54 UTC 2010

Modified Files:
        src/sys/net: pfkeyv2.h
        src/sys/netipsec: key.c
        src/sys/netkey: key.c

Log Message:
fix two bugs in the PFKEY interface:

1) RFC2367 says in 2.3.3 Address Extension:
   "All non-address information in the sockaddrs, such as sin_zero for
   AF_INET sockaddrs, and sin6_flowinfo for AF_INET6 sockaddrs, MUST be
   zeroed out."
   the IPSEC_NAT_T code was expecting the port information it needs to be
   conveyed in the sockaddr instead of exclusively by SADB_X_EXT_NAT_T_SPORT
   and SADB_X_EXT_NAT_T_DPORT, and was not zeroing out the port information
   in the non-nat-traversal case. Since it was expecting the port information
   to reside in the sockaddr it could get away with (re)setting the ports
   after starting to use them.
   -> Set the natt ports before setting the SA mature.

2) RFC3947 has two Original Address fields, initiator and responder, so we
   need SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR and not just
   SADB_X_EXT_NAT_T_OA

The change has been created using vanhu's patch for FreeBSD as reference.
Note that establishing actual nat-t sessions has not yet been tested.

Likely fixes the following:
PR bin/41757
PR net/42592
PR net/42606

To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/sys/net/pfkeyv2.h
cvs rdiff -u -r1.63 -r1.64 src/sys/netipsec/key.c
cvs rdiff -u -r1.177 -r1.178 src/sys/netkey/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
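As an added illustration of bug 1 above (example code, not NetBSD's and not part of this commit): a receiver-side check for the RFC 2367 section 2.3.3 rule that the sockaddr in a PF_KEY address extension carries nothing but the address, plus a scrub that zeroes whatever a key manager left there, so that NAT-T ports are only ever taken from SADB_X_EXT_NAT_T_SPORT/DPORT. The function names, the constructed 192.0.2.1:4500 sample and the Linux sockaddr layout are assumptions.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* 1 if every non-address field is zero (RFC 2367 2.3.3), 0 if one is set,
 * -1 if the family is unsupported or len is too short for it. */
int pfkey_sockaddr_is_clean(const struct sockaddr *sa, size_t len)
{
    static const unsigned char zeros[sizeof(struct sockaddr_in)];
    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
    const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
    if (sa->sa_family == AF_INET && len >= sizeof(*sin))
        return sin->sin_port == 0 &&
               memcmp(sin->sin_zero, zeros, sizeof(sin->sin_zero)) == 0;
    if (sa->sa_family == AF_INET6 && len >= sizeof(*sin6))
        return sin6->sin6_port == 0 && sin6->sin6_flowinfo == 0;
    return -1;
}

/* Zero the non-address fields in place and return the port (host order) found
 * there; nonzero means the sender smuggled the NAT-T port in the sockaddr. */
unsigned pfkey_sockaddr_scrub(struct sockaddr *sa)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)sa;
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
    unsigned port = 0;
    if (sa->sa_family == AF_INET) {
        port = ntohs(sin->sin_port);
        sin->sin_port = 0;
        memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
    } else if (sa->sa_family == AF_INET6) {
        port = ntohs(sin6->sin6_port);
        sin6->sin6_port = 0;
        sin6->sin6_flowinfo = 0;
    }
    return port;
}

/* Constructed sample: an AF_INET sockaddr carrying UDP port 4500 plus junk in
 * sin_zero. Returns the recovered port, or -1 if either check misbehaves. */
int selftest(void)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(4500),
                               .sin_zero = { 0, 0, 0, 0x2a } };
    struct sockaddr *sa = (struct sockaddr *)&sin;
    inet_pton(AF_INET, "192.0.2.1", &sin.sin_addr);
    if (pfkey_sockaddr_is_clean(sa, sizeof(sin)) != 0) return -1;
    int port = (int)pfkey_sockaddr_scrub(sa);
    return pfkey_sockaddr_is_clean(sa, sizeof(sin)) == 1 ? port : -1;
}
```

A kernel taking the stricter route would reject rather than scrub a dirty sockaddr; the scrub is shown here because the commit's own fix zeroes the fields in the non-NAT-T case.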