

(-)b/Makefile (-3 / +8 lines)
Lines 1-4 Link Here
1
# $FreeBSD: net/openbgpd/Makefile 330656 2013-10-17 16:47:58Z ohauer $
1
# Created by: Florent Thoumie <flz@FreeBSD.org>
2
# $FreeBSD: ports/net/openbgpd/Makefile,v 1.35 2012/12/24 12:56:29 svnexp Exp $
2
3
3
PORTNAME=	openbgpd
4
PORTNAME=	openbgpd
4
PORTVERSION=	5.2.20121209
5
PORTVERSION=	5.2.20121209
Lines 8-13 MASTER_SITE_SUBDIR= OpenBGPD Link Here
8
DISTNAME=	${PORTNAME}-4.6
9
DISTNAME=	${PORTNAME}-4.6
9
EXTRACT_SUFX=	.tgz
10
EXTRACT_SUFX=	.tgz
10
DIST_SUBDIR=	${PORTNAME}
11
DIST_SUBDIR=	${PORTNAME}
12
NO_STAGE=	yes
11
13
12
MAINTAINER=	hrs@FreeBSD.org
14
MAINTAINER=	hrs@FreeBSD.org
13
COMMENT=	Free implementation of the Border Gateway Protocol, Version 4
15
COMMENT=	Free implementation of the Border Gateway Protocol, Version 4
Lines 15-27 COMMENT= Free implementation of the Border Gateway Protocol, Version 4 Link Here
15
CONFLICTS=	zebra-[0-9]* quagga-[0-9]*
17
CONFLICTS=	zebra-[0-9]* quagga-[0-9]*
16
18
17
WRKSRC=		${WRKDIR}
19
WRKSRC=		${WRKDIR}
20
MANCOMPRESSED=	yes
18
USE_RC_SUBR=	${PORTNAME}
21
USE_RC_SUBR=	${PORTNAME}
19
PLIST_FILES=	sbin/bgpctl sbin/bgpd man/man5/bgpd.conf.5.gz \
22
PLIST_FILES=	sbin/bgpctl sbin/bgpd
20
		man/man8/bgpctl.8.gz man/man8/bgpd.8.gz
21
SUB_FILES=	pkg-message
23
SUB_FILES=	pkg-message
22
USERS=		_bgpd
24
USERS=		_bgpd
23
GROUPS=		_bgpd
25
GROUPS=		_bgpd
24
26
27
MAN5=		bgpd.conf.5
28
MAN8=		bgpctl.8 bgpd.8
29
25
OPTIONS_DEFINE=	IPV6LLPEER
30
OPTIONS_DEFINE=	IPV6LLPEER
26
OPTIONS_DEFAULT=IPV6LLPEER
31
OPTIONS_DEFAULT=IPV6LLPEER
27
IPV6LLPEER_DESC=Support nexthop using IPv6 link-local address
32
IPV6LLPEER_DESC=Support nexthop using IPv6 link-local address
(-)b/files/openbgpd.in (-1 / +1 lines)
Lines 1-6 Link Here
1
#!/bin/sh
1
#!/bin/sh
2
#
2
#
3
# $FreeBSD: net/openbgpd/files/openbgpd.in 302141 2012-08-05 23:19:36Z dougb $
3
# $FreeBSD: ports/net/openbgpd/files/openbgpd.in,v 1.2 2012/11/17 06:00:08 svnexp Exp $
4
#
4
#
5
5
6
# PROVIDE: bgpd
6
# PROVIDE: bgpd
(-)b/files/patch-bgpd_Makefile (-10 / +3 lines)
Lines 1-11 Link Here
1
Index: bgpd/Makefile
1
--- bgpd/Makefile.orig	2013-02-21 19:20:05.000000000 +0000
2
===================================================================
2
+++ bgpd/Makefile	2013-02-21 19:20:54.000000000 +0000
3
RCS file: /home/cvs/private/hrs/openbgpd/bgpd/Makefile,v
4
retrieving revision 1.1.1.2
5
retrieving revision 1.9
6
diff -u -p -r1.1.1.2 -r1.9
7
--- bgpd/Makefile	9 Jul 2009 16:49:54 -0000	1.1.1.2
8
+++ bgpd/Makefile	13 Oct 2012 18:36:00 -0000	1.9
9
@@ -1,15 +1,25 @@
3
@@ -1,15 +1,25 @@
10
 #	$OpenBSD: Makefile,v 1.28 2009/06/25 14:14:54 deraadt Exp $
4
 #	$OpenBSD: Makefile,v 1.28 2009/06/25 14:14:54 deraadt Exp $
11
 
5
 
Lines 17-25 diff -u -p -r1.1.1.2 -r1.9 Link Here
17
-SRCS=	bgpd.c buffer.c session.c log.c parse.y config.c imsg.c \
11
-SRCS=	bgpd.c buffer.c session.c log.c parse.y config.c imsg.c \
18
+SRCS=	bgpd.c session.c log.c parse.y config.c \
12
+SRCS=	bgpd.c session.c log.c parse.y config.c \
19
 	rde.c rde_rib.c rde_decide.c rde_prefix.c mrt.c kroute.c \
13
 	rde.c rde_rib.c rde_decide.c rde_prefix.c mrt.c kroute.c \
20
-	control.c pfkey.c rde_update.c rde_attr.c printconf.c \
14
 	control.c pfkey.c rde_update.c rde_attr.c printconf.c \
21
-	rde_filter.c pftable.c name2id.c util.c carp.c timer.c
15
-	rde_filter.c pftable.c name2id.c util.c carp.c timer.c
22
+	control.c pfkey_compat.c rde_update.c rde_attr.c printconf.c \
23
+	rde_filter.c pftable.c name2id.c util.c carp.c timer.c \
16
+	rde_filter.c pftable.c name2id.c util.c carp.c timer.c \
24
+	imsg.c imsg-buffer.c
17
+	imsg.c imsg-buffer.c
25
 CFLAGS+= -Wall -I${.CURDIR}
18
 CFLAGS+= -Wall -I${.CURDIR}
(-)b/files/patch-bgpd_pfkey.c (-24 / +297 lines)
Lines 1-26 Link Here
1
Index: bgpd/pfkey.c
1
diff -ur bgpd.orig/pfkey.c bgpd/pfkey.c
2
===================================================================
2
--- bgpd.orig/pfkey.c	2013-03-15 12:07:16.000000000 +0000
3
RCS file: /home/cvs/private/hrs/openbgpd/bgpd/pfkey.c,v
3
+++ bgpd/pfkey.c	2013-03-15 12:07:47.000000000 +0000
4
retrieving revision 1.1.1.6
5
retrieving revision 1.1.1.9
6
diff -u -p -r1.1.1.6 -r1.1.1.9
7
--- bgpd/pfkey.c	14 Feb 2010 20:19:57 -0000	1.1.1.6
8
+++ bgpd/pfkey.c	13 Oct 2012 18:22:44 -0000	1.1.1.9
9
@@ -1,4 +1,4 @@
4
@@ -1,4 +1,4 @@
10
-/*	$OpenBSD: pfkey.c,v 1.37 2009/04/21 15:25:52 henning Exp $ */
5
-/*	$OpenBSD: pfkey.c,v 1.37 2009/04/21 15:25:52 henning Exp $ */
11
+/*	$OpenBSD: pfkey.c,v 1.40 2009/12/14 17:38:18 claudio Exp $ */
6
+/*	$OpenBSD: pfkey.c,v 1.40 2009/12/14 17:38:18 claudio Exp $ */
12
 
7
 
13
 /*
8
 /*
14
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
9
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
15
@@ -74,6 +74,7 @@ pfkey_send(int sd, uint8_t satype, uint8
10
@@ -21,7 +21,7 @@
11
 #include <sys/socket.h>
12
 #include <sys/uio.h>
13
 #include <net/pfkeyv2.h>
14
-#include <netinet/ip_ipsp.h>
15
+//#include <netinet/ip_ipsp.h>
16
 #include <ctype.h>
17
 #include <errno.h>
18
 #include <limits.h>
19
@@ -65,15 +65,15 @@
20
 {
21
 	struct sadb_msg		smsg;
22
 	struct sadb_sa		sa;
23
-	struct sadb_address	sa_src, sa_dst, sa_peer, sa_smask, sa_dmask;
24
+	struct sadb_address	sa_src, sa_dst;
25
 	struct sadb_key		sa_akey, sa_ekey;
26
 	struct sadb_spirange	sa_spirange;
27
-	struct sadb_protocol	sa_flowtype, sa_protocol;
28
 	struct iovec		iov[IOV_CNT];
29
 	ssize_t			n;
16
 	int			len = 0;
30
 	int			len = 0;
17
 	int			iov_cnt;
31
 	int			iov_cnt;
18
 	struct sockaddr_storage	ssrc, sdst, speer, smask, dmask;
32
-	struct sockaddr_storage	ssrc, sdst, speer, smask, dmask;
33
+	struct sockaddr_storage	ssrc, sdst, smask, dmask;
19
+	struct sockaddr		*saptr;
34
+	struct sockaddr		*saptr;
20
 
35
 
21
 	if (!pid)
36
 	if (!pid)
22
 		pid = getpid();
37
 		pid = getpid();
23
@@ -81,22 +82,17 @@ pfkey_send(int sd, uint8_t satype, uint8
38
@@ -81,22 +81,17 @@
24
 	/* we need clean sockaddr... no ports set */
39
 	/* we need clean sockaddr... no ports set */
25
 	bzero(&ssrc, sizeof(ssrc));
40
 	bzero(&ssrc, sizeof(ssrc));
26
 	bzero(&smask, sizeof(smask));
41
 	bzero(&smask, sizeof(smask));
Lines 49-55 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
49
 		ssrc.ss_len = sizeof(struct sockaddr);
64
 		ssrc.ss_len = sizeof(struct sockaddr);
50
 		break;
65
 		break;
51
 	default:
66
 	default:
52
@@ -107,22 +103,17 @@ pfkey_send(int sd, uint8_t satype, uint8
67
@@ -107,22 +102,17 @@
53
 
68
 
54
 	bzero(&sdst, sizeof(sdst));
69
 	bzero(&sdst, sizeof(sdst));
55
 	bzero(&dmask, sizeof(dmask));
70
 	bzero(&dmask, sizeof(dmask));
Lines 78-84 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
78
 		sdst.ss_len = sizeof(struct sockaddr);
93
 		sdst.ss_len = sizeof(struct sockaddr);
79
 		break;
94
 		break;
80
 	default:
95
 	default:
81
@@ -220,8 +211,8 @@ pfkey_send(int sd, uint8_t satype, uint8
96
@@ -135,7 +125,7 @@
97
 	smsg.sadb_msg_version = PF_KEY_V2;
98
 	smsg.sadb_msg_seq = ++sadb_msg_seq;
99
 	smsg.sadb_msg_pid = pid;
100
-	smsg.sadb_msg_len = sizeof(smsg) / 8;
101
+	smsg.sadb_msg_len = PFKEY_UNIT64(sizeof(smsg));
102
 	smsg.sadb_msg_type = mtype;
103
 	smsg.sadb_msg_satype = satype;
104
 
105
@@ -143,7 +133,7 @@
106
 	case SADB_GETSPI:
107
 		bzero(&sa_spirange, sizeof(sa_spirange));
108
 		sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
109
-		sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8;
110
+		sa_spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(sa_spirange));
111
 		sa_spirange.sadb_spirange_min = 0x100;
112
 		sa_spirange.sadb_spirange_max = 0xffffffff;
113
 		sa_spirange.sadb_spirange_reserved = 0;
114
@@ -153,11 +143,12 @@
115
 	case SADB_DELETE:
116
 		bzero(&sa, sizeof(sa));
117
 		sa.sadb_sa_exttype = SADB_EXT_SA;
118
-		sa.sadb_sa_len = sizeof(sa) / 8;
119
+		sa.sadb_sa_len = PFKEY_UNIT64(sizeof(sa));
120
 		sa.sadb_sa_replay = 0;
121
 		sa.sadb_sa_spi = spi;
122
 		sa.sadb_sa_state = SADB_SASTATE_MATURE;
123
 		break;
124
+#if 0
125
 	case SADB_X_ADDFLOW:
126
 	case SADB_X_DELFLOW:
127
 		bzero(&sa_flowtype, sizeof(sa_flowtype));
128
@@ -172,35 +163,37 @@
129
 		sa_protocol.sadb_protocol_direction = 0;
130
 		sa_protocol.sadb_protocol_proto = 6;
131
 		break;
132
+#endif
133
 	}
134
 
135
 	bzero(&sa_src, sizeof(sa_src));
136
 	sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
137
-	sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
138
+	sa_src.sadb_address_len = PFKEY_UNIT64(sizeof(sa_src) + ROUNDUP(ssrc.ss_len));
139
 
140
 	bzero(&sa_dst, sizeof(sa_dst));
141
 	sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
142
-	sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
143
+	sa_dst.sadb_address_len = PFKEY_UNIT64(sizeof(sa_dst) + ROUNDUP(sdst.ss_len));
144
 
145
 	sa.sadb_sa_auth = aalg;
146
-	sa.sadb_sa_encrypt = SADB_X_EALG_AES; /* XXX */
147
+	sa.sadb_sa_encrypt = ealg; /* XXX */
148
 
149
 	switch (mtype) {
150
 	case SADB_ADD:
151
 	case SADB_UPDATE:
152
 		bzero(&sa_akey, sizeof(sa_akey));
153
 		sa_akey.sadb_key_exttype = SADB_EXT_KEY_AUTH;
154
-		sa_akey.sadb_key_len = (sizeof(sa_akey) +
155
-		    ((alen + 7) / 8) * 8) / 8;
156
+		sa_akey.sadb_key_len = PFKEY_UNIT64(sizeof(sa_akey) +
157
+		    (PFKEY_ALIGN8(alen)));
158
 		sa_akey.sadb_key_bits = 8 * alen;
159
 
160
 		bzero(&sa_ekey, sizeof(sa_ekey));
161
 		sa_ekey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
162
-		sa_ekey.sadb_key_len = (sizeof(sa_ekey) +
163
-		    ((elen + 7) / 8) * 8) / 8;
164
+		sa_ekey.sadb_key_len = PFKEY_UNIT64(sizeof(sa_ekey) +
165
+		    (PFKEY_ALIGN8(elen)));
166
 		sa_ekey.sadb_key_bits = 8 * elen;
167
 
168
 		break;
169
+#if 0
170
 	case SADB_X_ADDFLOW:
171
 	case SADB_X_DELFLOW:
172
 		/* sa_peer always points to the remote machine */
173
@@ -220,8 +213,8 @@
82
 		sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW;
174
 		sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW;
83
 
175
 
84
 		bzero(&smask, sizeof(smask));
176
 		bzero(&smask, sizeof(smask));
Lines 89-95 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
89
 			smask.ss_len = sizeof(struct sockaddr_in);
181
 			smask.ss_len = sizeof(struct sockaddr_in);
90
 			smask.ss_family = AF_INET;
182
 			smask.ss_family = AF_INET;
91
 			memset(&((struct sockaddr_in *)&smask)->sin_addr,
183
 			memset(&((struct sockaddr_in *)&smask)->sin_addr,
92
@@ -233,7 +224,7 @@ pfkey_send(int sd, uint8_t satype, uint8
184
@@ -233,7 +226,7 @@
93
 				    htons(0xffff);
185
 				    htons(0xffff);
94
 			}
186
 			}
95
 			break;
187
 			break;
Lines 98-104 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
98
 			smask.ss_len = sizeof(struct sockaddr_in6);
190
 			smask.ss_len = sizeof(struct sockaddr_in6);
99
 			smask.ss_family = AF_INET6;
191
 			smask.ss_family = AF_INET6;
100
 			memset(&((struct sockaddr_in6 *)&smask)->sin6_addr,
192
 			memset(&((struct sockaddr_in6 *)&smask)->sin6_addr,
101
@@ -247,8 +238,8 @@ pfkey_send(int sd, uint8_t satype, uint8
193
@@ -247,8 +240,8 @@
102
 			break;
194
 			break;
103
 		}
195
 		}
104
 		bzero(&dmask, sizeof(dmask));
196
 		bzero(&dmask, sizeof(dmask));
Lines 109-115 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
109
 			dmask.ss_len = sizeof(struct sockaddr_in);
201
 			dmask.ss_len = sizeof(struct sockaddr_in);
110
 			dmask.ss_family = AF_INET;
202
 			dmask.ss_family = AF_INET;
111
 			memset(&((struct sockaddr_in *)&dmask)->sin_addr,
203
 			memset(&((struct sockaddr_in *)&dmask)->sin_addr,
112
@@ -260,7 +251,7 @@ pfkey_send(int sd, uint8_t satype, uint8
204
@@ -260,7 +253,7 @@
113
 				    htons(0xffff);
205
 				    htons(0xffff);
114
 			}
206
 			}
115
 			break;
207
 			break;
Lines 118-124 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
118
 			dmask.ss_len = sizeof(struct sockaddr_in6);
210
 			dmask.ss_len = sizeof(struct sockaddr_in6);
119
 			dmask.ss_family = AF_INET6;
211
 			dmask.ss_family = AF_INET6;
120
 			memset(&((struct sockaddr_in6 *)&dmask)->sin6_addr,
212
 			memset(&((struct sockaddr_in6 *)&dmask)->sin6_addr,
121
@@ -411,6 +402,33 @@ pfkey_send(int sd, uint8_t satype, uint8
213
@@ -284,6 +277,7 @@
214
 		sa_dmask.sadb_address_len =
215
 		    (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8;
216
 		break;
217
+#endif
218
 	}
219
 
220
 	iov_cnt = 0;
221
@@ -310,6 +304,7 @@
222
 		smsg.sadb_msg_len += sa_spirange.sadb_spirange_len;
223
 		iov_cnt++;
224
 		break;
225
+#if 0
226
 	case SADB_X_ADDFLOW:
227
 		/* sa_peer always points to the remote machine */
228
 		iov[iov_cnt].iov_base = &sa_peer;
229
@@ -351,6 +346,7 @@
230
 		smsg.sadb_msg_len += sa_dmask.sadb_address_len;
231
 		iov_cnt++;
232
 		break;
233
+#endif
234
 	}
235
 
236
 	/* dest addr */
237
@@ -380,7 +376,7 @@
238
 			iov[iov_cnt].iov_len = sizeof(sa_akey);
239
 			iov_cnt++;
240
 			iov[iov_cnt].iov_base = akey;
241
-			iov[iov_cnt].iov_len = ((alen + 7) / 8) * 8;
242
+			iov[iov_cnt].iov_len = PFKEY_ALIGN8(alen);
243
 			smsg.sadb_msg_len += sa_akey.sadb_key_len;
244
 			iov_cnt++;
245
 		}
246
@@ -390,14 +386,14 @@
247
 			iov[iov_cnt].iov_len = sizeof(sa_ekey);
248
 			iov_cnt++;
249
 			iov[iov_cnt].iov_base = ekey;
250
-			iov[iov_cnt].iov_len = ((elen + 7) / 8) * 8;
251
+			iov[iov_cnt].iov_len = PFKEY_ALIGN8(elen);
252
 			smsg.sadb_msg_len += sa_ekey.sadb_key_len;
253
 			iov_cnt++;
254
 		}
255
 		break;
256
 	}
257
 
258
-	len = smsg.sadb_msg_len * 8;
259
+	len = PFKEY_UNUNIT64(smsg.sadb_msg_len);
260
 	do {
261
 		n = writev(sd, iov, iov_cnt);
262
 	} while (n == -1 && (errno == EAGAIN || errno == EINTR));
263
@@ -411,6 +407,33 @@
122
 }
264
 }
123
 
265
 
124
 int
266
 int
Lines 152-158 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
152
 pfkey_reply(int sd, u_int32_t *spip)
294
 pfkey_reply(int sd, u_int32_t *spip)
153
 {
295
 {
154
 	struct sadb_msg hdr, *msg;
296
 	struct sadb_msg hdr, *msg;
155
@@ -418,23 +436,13 @@ pfkey_reply(int sd, u_int32_t *spip)
297
@@ -418,27 +441,17 @@
156
 	struct sadb_sa *sa;
298
 	struct sadb_sa *sa;
157
 	u_int8_t *data;
299
 	u_int8_t *data;
158
 	ssize_t len;
300
 	ssize_t len;
Lines 161-170 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
161
-	for (;;) {
303
-	for (;;) {
162
-		if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
304
-		if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) {
163
-			log_warn("pfkey peek");
305
-			log_warn("pfkey peek");
164
+	do {
306
-			return (-1);
165
+		rv = pfkey_read(sd, &hdr);
166
+		if (rv == -1)
167
 			return (-1);
168
-		}
307
-		}
169
-
308
-
170
-		if (hdr.sadb_msg_seq == sadb_msg_seq &&
309
-		if (hdr.sadb_msg_seq == sadb_msg_seq &&
Lines 174-187 diff -u -p -r1.1.1.6 -r1.1.1.9 Link Here
174
-		/* not ours, discard */
313
-		/* not ours, discard */
175
-		if (read(sd, &hdr, sizeof(hdr)) == -1) {
314
-		if (read(sd, &hdr, sizeof(hdr)) == -1) {
176
-			log_warn("pfkey read");
315
-			log_warn("pfkey read");
177
-			return (-1);
316
+	do {
317
+		rv = pfkey_read(sd, &hdr);
318
+		if (rv == -1)
319
 			return (-1);
178
-		}
320
-		}
179
-	}
321
-	}
180
+	} while (rv);
322
+	} while (rv);
181
 
323
 
182
 	if (hdr.sadb_msg_errno != 0) {
324
 	if (hdr.sadb_msg_errno != 0) {
183
 		errno = hdr.sadb_msg_errno;
325
 		errno = hdr.sadb_msg_errno;
184
@@ -730,11 +738,9 @@ pfkey_init(struct bgpd_sysdep *sysdep)
326
-		if (errno == ESRCH)
327
+		if (errno == ESRCH || errno == EEXIST)
328
 			return (0);
329
 		else {
330
 			log_warn("pfkey");
331
@@ -486,13 +499,8 @@
332
 pfkey_sa_add(struct bgpd_addr *src, struct bgpd_addr *dst, u_int8_t keylen,
333
     char *key, u_int32_t *spi)
334
 {
335
-	if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_GETSPI, 0,
336
-	    src, dst, 0, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
337
-		return (-1);
338
-	if (pfkey_reply(fd, spi) < 0)
339
-		return (-1);
340
-	if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_UPDATE, 0,
341
-		src, dst, *spi, 0, keylen, key, 0, 0, NULL, 0, 0) < 0)
342
+	if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_ADD, 0,
343
+		src, dst, *spi, SADB_X_AALG_TCP_MD5, keylen, key, SADB_EALG_NONE, 0, NULL, 0, 0) < 0)
344
 		return (-1);
345
 	if (pfkey_reply(fd, NULL) < 0)
346
 		return (-1);
347
@@ -503,7 +511,7 @@
348
 pfkey_sa_remove(struct bgpd_addr *src, struct bgpd_addr *dst, u_int32_t *spi)
349
 {
350
 	if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_DELETE, 0,
351
-	    src, dst, *spi, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
352
+	    src, dst, *spi, SADB_X_AALG_TCP_MD5, 0, NULL, 0, 0, NULL, 0, 0) < 0)
353
 		return (-1);
354
 	if (pfkey_reply(fd, NULL) < 0)
355
 		return (-1);
356
@@ -511,37 +519,37 @@
357
 	return (0);
358
 }
359
 
360
+#define TCP_SIG_SPI     0x1000
361
 int
362
 pfkey_md5sig_establish(struct peer *p)
363
 {
364
 	sleep(1);
365
 
366
-	if (!p->auth.spi_out)
367
-		if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr,
368
-		    p->conf.auth.md5key_len, p->conf.auth.md5key,
369
-		    &p->auth.spi_out) == -1)
370
-			return (-1);
371
-	if (!p->auth.spi_in)
372
-		if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr,
373
-		    p->conf.auth.md5key_len, p->conf.auth.md5key,
374
-		    &p->auth.spi_in) == -1)
375
-			return (-1);
376
+	p->auth.spi_out = htonl(TCP_SIG_SPI);
377
+	if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr,
378
+	    p->conf.auth.md5key_len, p->conf.auth.md5key,
379
+	    &p->auth.spi_out) == -1)
380
+		return (-1);
381
+	p->auth.spi_in = htonl(TCP_SIG_SPI);
382
+	if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr,
383
+	    p->conf.auth.md5key_len, p->conf.auth.md5key,
384
+	    &p->auth.spi_out) == -1)
385
+		return (-1);
386
 
387
 	p->auth.established = 1;
388
 	return (0);
389
 }
390
+#undef TCP_SIG_SPI
391
 
392
 int
393
 pfkey_md5sig_remove(struct peer *p)
394
 {
395
-	if (p->auth.spi_out)
396
-		if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr,
397
-		    &p->auth.spi_out) == -1)
398
-			return (-1);
399
-	if (p->auth.spi_in)
400
-		if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr,
401
-		    &p->auth.spi_in) == -1)
402
-			return (-1);
403
+	if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr,
404
+	    &p->auth.spi_out) == -1)
405
+		return (-1);
406
+	if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr,
407
+	    &p->auth.spi_in) == -1)
408
+		return (-1);
409
 
410
 	p->auth.established = 0;
411
 	return (0);
412
@@ -550,6 +558,7 @@
413
 int
414
 pfkey_ipsec_establish(struct peer *p)
415
 {
416
+#if 0
417
 	uint8_t satype = SADB_SATYPE_ESP;
418
 
419
 	switch (p->auth.method) {
420
@@ -621,6 +630,9 @@
421
 
422
 	p->auth.established = 1;
423
 	return (0);
424
+#else
425
+	return (-1);
426
+#endif
427
 }
428
 
429
 int
430
@@ -660,6 +672,7 @@
431
 		break;
432
 	}
433
 
434
+#if 0
435
 	if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_OUT,
436
 	    &p->auth.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0)
437
 		return (-1);
438
@@ -681,6 +694,7 @@
439
 	if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_IN,
440
 	    &p->conf.remote_addr, &p->auth.local_addr, BGP_PORT, 0) < 0)
441
 		return (-1);
442
+#endif
443
 	if (pfkey_reply(fd, NULL) < 0)
444
 		return (-1);
445
 
446
@@ -715,9 +729,7 @@
447
 int
448
 pfkey_remove(struct peer *p)
449
 {
450
-	if (!p->auth.established)
451
-		return (0);
452
-	else if (p->auth.method == AUTH_MD5SIG)
453
+	if (p->auth.method == AUTH_MD5SIG)
454
 		return (pfkey_md5sig_remove(p));
455
 	else
456
 		return (pfkey_ipsec_remove(p));
457
@@ -730,11 +742,9 @@
185
 		if (errno == EPROTONOSUPPORT) {
458
 		if (errno == EPROTONOSUPPORT) {
186
 			log_warnx("PF_KEY not available, disabling ipsec");
459
 			log_warnx("PF_KEY not available, disabling ipsec");
187
 			sysdep->no_pfkey = 1;
460
 			sysdep->no_pfkey = 1;
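Review bot: In pfkey_reply the new `if (errno == ESRCH || errno == EEXIST) return (0);` reports success when the kernel rejects a message as a duplicate, so after the switch to SADB_ADD pfkey_md5sig_establish can set `p->auth.established = 1` while the SA already installed at the fixed SPI 0x1000 may still carry an older md5key than the configured one. A changed key would then not take effect until the stale SA is removed; consider handling EEXIST only on the ADD path (delete and re-add, or at least `log_warnx`) instead of swallowing it for every message type. Separately, the second pfkey_sa_add in pfkey_md5sig_establish assigns `p->auth.spi_in` but passes `&p->auth.spi_out`; both hold htonl(TCP_SIG_SPI) today so the result is the same, but the argument should read `&p->auth.spi_in) == -1)`. The bodies of pfkey_reply and pfkey_send continue outside the visible hunks.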
(-)b/files/patch-bgpd_session.c (-1 / +1 lines)
Lines 123-129 diff -u -p -r1.1.1.8 -r1.13 Link Here
123
+	int			 s;
123
+	int			 s;
124
+
124
+
125
+	/* Check if TCP_MD5SIG is supported. */
125
+	/* Check if TCP_MD5SIG is supported. */
126
+	s = socket(PF_LOCAL, SOCK_STREAM, 0);
126
+	s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
127
+	if (s < 0)
127
+	if (s < 0)
128
+		fatal("socket open for TCP_MD5SIG check");
128
+		fatal("socket open for TCP_MD5SIG check");
129
+	opt = TF_SIGNATURE;
129
+	opt = TF_SIGNATURE;
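Review bot: The probe socket's failure path is `fatal("socket open for TCP_MD5SIG check")`, so with the switch to `socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)` a host without IPv4 support would presumably stop the daemon at startup even when no neighbor is configured for TCP-MD5. Since this is only a capability check, it seems safer to `log_warn("socket open for TCP_MD5SIG check")` and treat TCP_MD5SIG as unavailable in that case. The rest of the check, including whether `s` is closed once the option has been tested, lies outside the visible lines; a short comment there stating what a failed probe means for peers configured with md5sig would help.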

Return to bug 184545