CVS commit: src/sys/netipsec

2023-07-20 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Fri Jul 21 00:44:38 UTC 2023

Modified Files:
src/sys/netipsec: key.c

Log Message:
Use kmem_free instead of kmem_intr_free, as key_freesaval() is not called in 
softint after key.c:r1.223.

E.g. key_freesaval() was called via the following call path before SAD MP-ify.
  esp_input_cb()
    KEY_FREESAV()
      key_freesav()
        key_delsav()
          key_freesaval()

ok'ed by ozaki-r@n.o.


To generate a diff of this commit:
cvs rdiff -u -r1.280 -r1.281 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.280 src/sys/netipsec/key.c:1.281
--- src/sys/netipsec/key.c:1.280	Thu Dec  8 08:07:07 2022
+++ src/sys/netipsec/key.c	Fri Jul 21 00:44:38 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.280 2022/12/08 08:07:07 knakahara Exp $	*/
+/*	$NetBSD: key.c,v 1.281 2023/07/21 00:44:38 knakahara Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.280 2022/12/08 08:07:07 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.281 2023/07/21 00:44:38 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -3589,21 +3589,21 @@ key_freesaval(struct secasvar *sav)
 	key_sa_refcnt(sav));
 
 	if (sav->replay != NULL)
-		kmem_intr_free(sav->replay, sav->replay_len);
+		kmem_free(sav->replay, sav->replay_len);
 	if (sav->key_auth != NULL)
-		kmem_intr_free(sav->key_auth, sav->key_auth_len);
+		kmem_free(sav->key_auth, sav->key_auth_len);
 	if (sav->key_enc != NULL)
-		kmem_intr_free(sav->key_enc, sav->key_enc_len);
+		kmem_free(sav->key_enc, sav->key_enc_len);
 	if (sav->lft_c_counters_percpu != NULL) {
 		percpu_free(sav->lft_c_counters_percpu,
 		sizeof(lifetime_counters_t));
 	}
 	if (sav->lft_c != NULL)
-		kmem_intr_free(sav->lft_c, sizeof(*(sav->lft_c)));
+		kmem_free(sav->lft_c, sizeof(*(sav->lft_c)));
 	if (sav->lft_h != NULL)
-		kmem_intr_free(sav->lft_h, sizeof(*(sav->lft_h)));
+		kmem_free(sav->lft_h, sizeof(*(sav->lft_h)));
 	if (sav->lft_s != NULL)
-		kmem_intr_free(sav->lft_s, sizeof(*(sav->lft_s)));
+		kmem_free(sav->lft_s, sizeof(*(sav->lft_s)));
 }
 
 /*
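
Review bot: the switch from kmem_intr_free() to kmem_free() in key_freesaval() rests on the invariant that this function never runs in softint context (the log message dates that to key.c r1.223), but nothing in the hunk enforces it; a `KASSERT(!cpu_softintr_p());` at the top of key_freesaval() would turn a future regression (a caller reintroduced on a softint path such as the esp_input_cb() chain named in the log message) into an immediate diagnostic rather than a kmem_free() from the wrong context. Separately, key_auth and key_enc hold key material and this path only frees them, so it depends on the xform zeroize routines (the explicit_memset() calls in ah_zeroize()/esp_zeroize()) having run first; that dependency deserves a one-line comment here.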




CVS commit: src/sys/netipsec

2022-12-08 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Thu Dec  8 08:07:07 UTC 2022

Modified Files:
src/sys/netipsec: ipsec.c key.c

Log Message:
Fix: sp->lastused should be updated by time_uptime, and refactor a little.


To generate a diff of this commit:
cvs rdiff -u -r1.176 -r1.177 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.279 -r1.280 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.176 src/sys/netipsec/ipsec.c:1.177
--- src/sys/netipsec/ipsec.c:1.176	Wed Nov  9 08:18:52 2022
+++ src/sys/netipsec/ipsec.c	Thu Dec  8 08:07:07 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.176 2022/11/09 08:18:52 knakahara Exp $ */
+/* $NetBSD: ipsec.c,v 1.177 2022/12/08 08:07:07 knakahara Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.176 2022/11/09 08:18:52 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.177 2022/12/08 08:07:07 knakahara Exp $");
 
 /*
  * IPsec controller part.
@@ -248,7 +248,7 @@ ipsec_checkpcbcache(struct mbuf *m, stru
 		 */
 	}
 
-	sp->lastused = time_second;
+	key_sp_touch(sp);
 	KEY_SP_REF(sp);
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	"DP cause refcnt++:%d SP:%p\n",
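
Review bot: this is the only site in the commit that stored time_second rather than time_uptime, so this hunk is the actual fix the log message refers to, while the two key.c hunks only fold an existing time_uptime store into key_sp_touch(); the log message would be clearer if it said that ipsec_checkpcbcache() was stamping lastused with wall-clock time, which is not monotonic and jumps when the clock is stepped.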

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.279 src/sys/netipsec/key.c:1.280
--- src/sys/netipsec/key.c:1.279	Thu Dec  8 08:05:03 2022
+++ src/sys/netipsec/key.c	Thu Dec  8 08:07:07 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.279 2022/12/08 08:05:03 knakahara Exp $	*/
+/*	$NetBSD: key.c,v 1.280 2022/12/08 08:07:07 knakahara Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.279 2022/12/08 08:05:03 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.280 2022/12/08 08:07:07 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -972,7 +972,7 @@ found:
 		KEY_CHKSPDIR(sp->spidx.dir, dir);
 
 		/* found a SPD entry */
-		sp->lastused = time_uptime;
+		key_sp_touch(sp);
 		key_sp_ref(sp, where, tag);
 	}
 	pserialize_read_exit(s);
@@ -1049,7 +1049,7 @@ key_gettunnel(const struct sockaddr *osr
 	sp = NULL;
 found:
 	if (sp) {
-		sp->lastused = time_uptime;
+		key_sp_touch(sp);
 		key_sp_ref(sp, where, tag);
 	}
 	pserialize_read_exit(s);




CVS commit: src/sys/netipsec

2022-12-08 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Thu Dec  8 08:05:03 UTC 2022

Modified Files:
src/sys/netipsec: ipsecif.c key.c key.h

Log Message:
Fix: update lastused of ipsecif(4) IPv6 out SP.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/netipsec/ipsecif.c
cvs rdiff -u -r1.278 -r1.279 src/sys/netipsec/key.c
cvs rdiff -u -r1.37 -r1.38 src/sys/netipsec/key.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsecif.c
diff -u src/sys/netipsec/ipsecif.c:1.20 src/sys/netipsec/ipsecif.c:1.21
--- src/sys/netipsec/ipsecif.c:1.20	Wed Dec  7 08:30:15 2022
+++ src/sys/netipsec/ipsecif.c	Thu Dec  8 08:05:03 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsecif.c,v 1.20 2022/12/07 08:30:15 knakahara Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.21 2022/12/08 08:05:03 knakahara Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.20 2022/12/07 08:30:15 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.21 2022/12/08 08:05:03 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -395,7 +395,10 @@ ipsecif4_output(struct ipsec_variant *va
 	/*
 	 * The SPs in ipsec_variant are prevented from freed by
 	 * ipsec_variant->iv_psref. So, KEY_SP_REF() is unnecessary here.
+	 *
+	 * However, lastused should be updated.
 	 */
+	key_sp_touch(sp);
 
 	KASSERT(sp->policy != IPSEC_POLICY_NONE);
 	KASSERT(sp->policy != IPSEC_POLICY_ENTRUST);
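
Review bot: the log message says the fix updates lastused of the ipsecif(4) IPv6 out SP, but this hunk sits in ipsecif4_output() according to the @@ context; please check that the IPv6 output path receives the same key_sp_touch() call, or adjust the message to name the path that was actually missing it. The extended comment reads well: it states why KEY_SP_REF() is skipped (iv_psref keeps the SP alive) and why lastused still needs touching.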

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.278 src/sys/netipsec/key.c:1.279
--- src/sys/netipsec/key.c:1.278	Wed Oct 19 21:28:02 2022
+++ src/sys/netipsec/key.c	Thu Dec  8 08:05:03 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $	*/
+/*	$NetBSD: key.c,v 1.279 2022/12/08 08:05:03 knakahara Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.279 2022/12/08 08:05:03 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -871,6 +871,13 @@ key_sp_refcnt(const struct secpolicy *sp
 	return 0;
 }
 
+void
+key_sp_touch(struct secpolicy *sp)
+{
+
+	sp->lastused = time_uptime;
+}
+
 static void
 key_spd_pserialize_perform(void)
 {
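
Review bot: key_sp_touch() is invoked from inside pserialize read sections (both key.c callers in this commit, the `found:` path and key_gettunnel(), call it before pserialize_read_exit()), so `sp->lastused = time_uptime` is an unlocked store that may race with another CPU writing the same field; if lastused is advisory only, a short comment in this function saying so, and that a lost update is acceptable, would document the intent. The blank line after the opening brace is correct style(9) for a function without local declarations.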

Index: src/sys/netipsec/key.h
diff -u src/sys/netipsec/key.h:1.37 src/sys/netipsec/key.h:1.38
--- src/sys/netipsec/key.h:1.37	Mon Aug  9 20:49:10 2021
+++ src/sys/netipsec/key.h	Thu Dec  8 08:05:03 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.h,v 1.37 2021/08/09 20:49:10 andvar Exp $	*/
+/*	$NetBSD: key.h,v 1.38 2022/12/08 08:05:03 knakahara Exp $	*/
 /*	$FreeBSD: key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $	*/
 
@@ -67,6 +67,7 @@ void key_free_sp(struct secpolicy *);
 u_int key_sp_refcnt(const struct secpolicy *);
 void key_sp_ref(struct secpolicy *, const char *, int);
 void key_sp_unref(struct secpolicy *, const char *, int);
+void key_sp_touch(struct secpolicy *);
 void key_sa_ref(struct secasvar *, const char *, int);
 void key_sa_unref(struct secasvar *, const char *, int);
 u_int key_sa_refcnt(const struct secasvar *);




CVS commit: src/sys/netipsec

2022-11-09 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Wed Nov  9 08:18:53 UTC 2022

Modified Files:
src/sys/netipsec: ipsec.c

Log Message:
Fix: IPv4 security policy with port number does not work for forwarding packets.


To generate a diff of this commit:
cvs rdiff -u -r1.175 -r1.176 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.175 src/sys/netipsec/ipsec.c:1.176
--- src/sys/netipsec/ipsec.c:1.175	Fri Nov  4 09:00:58 2022
+++ src/sys/netipsec/ipsec.c	Wed Nov  9 08:18:52 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.175 2022/11/04 09:00:58 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.176 2022/11/09 08:18:52 knakahara Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.175 2022/11/04 09:00:58 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.176 2022/11/09 08:18:52 knakahara Exp $");
 
 /*
  * IPsec controller part.
@@ -543,7 +543,7 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_
 	sp = NULL;
 
 	/* Make an index to look for a policy. */
-	*error = ipsec_setspidx(m, , dir, (flag & IP_FORWARDING) ? 0 : 1);
+	*error = ipsec_setspidx(m, , dir, 1);
 	if (*error != 0) {
 		IPSECLOG(LOG_DEBUG, "setpidx failed, dir %u flag %u\n", dir, flag);
 		memset(, 0, sizeof(spidx));
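
Review bot: dropping the `(flag & IP_FORWARDING) ? 0 : 1` condition means forwarded packets now get their transport ports parsed into the spidx as well, which is what the log message asks for, but the rationale for the old exclusion is not recorded anywhere in the hunk, and after this change `flag` is only used in the debug message below; a comment explaining that port-matched policies must also apply to forwarded traffic would help the next reader. It is also worth checking that ipsec_setspidx() behaves sensibly for a forwarded non-first fragment when asked for ports, since the error path here falls through to a zeroed spidx.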




CVS commit: src/sys/netipsec

2022-10-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Oct 19 21:28:03 UTC 2022

Modified Files:
src/sys/netipsec: key.c xform_ipcomp.c

Log Message:
PR/56836: Andrew Cagney: IPv6 ESN tunneling IPcomp has corrupt header

Always send / expect CPI in IPcomp header

Fixes kern/56836 where an IPsec interop combining compression and
ESP|AH would fail.

Since fast ipsec, the outgoing IPcomp header has contained the
compression algorithm instead of the CPI.  Adding the
SADB_X_EXT_RAWCPI flag worked around this but ...

The IPcomp's SADB was unconditionally hashed using the compression
algorithm instead of the CPI.  This meant that an incoming packet with
a valid CPI could never match its SADB.


To generate a diff of this commit:
cvs rdiff -u -r1.277 -r1.278 src/sys/netipsec/key.c
cvs rdiff -u -r1.74 -r1.75 src/sys/netipsec/xform_ipcomp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.277 src/sys/netipsec/key.c:1.278
--- src/sys/netipsec/key.c:1.277	Tue Oct 11 05:51:47 2022
+++ src/sys/netipsec/key.c	Wed Oct 19 17:28:02 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.277 2022/10/11 09:51:47 knakahara Exp $	*/
+/*	$NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.277 2022/10/11 09:51:47 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -8765,10 +8765,7 @@ key_savlut_writer_insert_head(struct sec
 	KASSERT(mutex_owned(_sad.lock));
 	KASSERT(!sav->savlut_added);
 
-	if (sav->sah->saidx.proto == IPPROTO_IPCOMP)
-		hash_key = sav->alg_comp;
-	else
-		hash_key = sav->spi;
+	hash_key = sav->spi;
 
 	hash = key_savluthash(>sah->saidx.dst.sa,
 	sav->sah->saidx.proto, hash_key, key_sad.savlutmask);
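
Review bot: with the IPCOMP special case removed, the SAVLUT hash key is sav->spi for every protocol, which only matches incoming packets if IPComp SAs store the CPI in spi in the same widened network-order form that spi_get() produces on input (`htonl(ntohs(cpi))` in the 2022-05-19 ipsec_input.c change in this same thread); a comment at this site stating that invariant would keep someone from reintroducing alg_comp as the key. With the assignment now unconditional, `hash_key` could also be dropped and sav->spi passed straight to key_savluthash().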

Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.74 src/sys/netipsec/xform_ipcomp.c:1.75
--- src/sys/netipsec/xform_ipcomp.c:1.74	Sun May 22 07:40:29 2022
+++ src/sys/netipsec/xform_ipcomp.c	Wed Oct 19 17:28:02 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $	*/
 /*	$FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #if defined(_KERNEL_OPT)
@@ -573,10 +573,7 @@ ipcomp_output_cb(struct cryptop *crp)
 		}
 		ipcomp->comp_flags = 0;
 
-		if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
-			cpi = sav->alg_enc;
-		else
-			cpi = ntohl(sav->spi) & 0x;
+		cpi = ntohl(sav->spi) & 0x;
 		ipcomp->comp_cpi = htons(cpi);
 
 		/* Fix Next Protocol in IPv4/IPv6 header */
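
Review bot: SADB_X_EXT_RAWCPI is no longer consulted here, so an SA created with that flag set now behaves exactly like one without it; if userland (setkey or an IKE daemon) can still set the flag, either reject it at SA add time or document in its definition that it has become a no-op, otherwise the dead flag will mislead the next interop debugging session. The new unconditional path puts the low 16 bits of the host-order SPI on the wire as the CPI, which is consistent with the widening done by spi_get() on the input side.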




CVS commit: src/sys/netipsec

2022-08-23 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Tue Aug 23 09:25:10 UTC 2022

Modified Files:
src/sys/netipsec: ipsec_input.c

Log Message:
Improve IPsec log when no key association is found for an SA.  Implemented by
ohishi@IIJ.


To generate a diff of this commit:
cvs rdiff -u -r1.77 -r1.78 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.77 src/sys/netipsec/ipsec_input.c:1.78
--- src/sys/netipsec/ipsec_input.c:1.77	Tue May 24 20:50:20 2022
+++ src/sys/netipsec/ipsec_input.c	Tue Aug 23 09:25:10 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.77 2022/05/24 20:50:20 andvar Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.78 2022/08/23 09:25:10 knakahara Exp $	*/
 /*	$FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.77 2022/05/24 20:50:20 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.78 2022/08/23 09:25:10 knakahara Exp $");
 
 /*
  * IPsec input processing.
@@ -214,8 +214,8 @@ spi_get(struct mbuf *m, int sproto, int 
 static int
 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
 {
-	char buf[IPSEC_ADDRSTRLEN];
-	union sockaddr_union dst_address;
+	char buf[IPSEC_ADDRSTRLEN], buf2[IPSEC_ADDRSTRLEN];
+	union sockaddr_union src_address, dst_address;
 	struct secasvar *sav;
 	u_int32_t spi;
 	u_int16_t sport;
@@ -255,12 +255,18 @@ ipsec_common_input(struct mbuf *m, int s
 	 * kernel crypto routine. The resulting mbuf chain is a valid
 	 * IP packet ready to go through input processing.
 	 */
+	memset(_address, 0, sizeof (src_address));
 	memset(_address, 0, sizeof(dst_address));
+	src_address.sa.sa_family = af;
 	dst_address.sa.sa_family = af;
 	switch (af) {
 #ifdef INET
 	case AF_INET:
+		src_address.sin.sin_len = sizeof(struct sockaddr_in);
 		dst_address.sin.sin_len = sizeof(struct sockaddr_in);
+		m_copydata(m, offsetof(struct ip, ip_src),
+		sizeof(struct in_addr),
+		_address.sin.sin_addr);
 		m_copydata(m, offsetof(struct ip, ip_dst),
 		sizeof(struct in_addr),
 		_address.sin.sin_addr);
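
Review bot: `sizeof (src_address)` in the new memset() has a space before the parenthesis while the neighbouring `sizeof(dst_address)` does not; make the two consistent (style(9) uses no space). Otherwise the src_address setup mirrors the existing dst_address code line for line, which is the right shape for this change.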
@@ -268,7 +274,11 @@ ipsec_common_input(struct mbuf *m, int s
 #endif
 #ifdef INET6
 	case AF_INET6:
+		src_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
 		dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
+		m_copydata(m, offsetof(struct ip6_hdr, ip6_src),
+		sizeof(struct in6_addr),
+		_address.sin6.sin6_addr);
 		m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
 		sizeof(struct in6_addr),
 		_address.sin6.sin6_addr);
@@ -291,10 +301,35 @@ ipsec_common_input(struct mbuf *m, int s
 	/* NB: only pass dst since key_lookup_sa follows RFC2401 */
 	sav = KEY_LOOKUP_SA(_address, sproto, spi, sport, dport);
 	if (sav == NULL) {
-		IPSECLOG(LOG_DEBUG,
-		"no key association found for SA %s/%08lx/%u/%u\n",
-		ipsec_address(_address, buf, sizeof(buf)),
-		(u_long) ntohl(spi), sproto, ntohs(dport));
+		static struct timeval lasttime = {0, 0};
+		static int curpps = 0;
+
+		if (!ipsec_debug && ppsratecheck(, , 1)) {
+			if (sport || dport) {
+log(LOG_INFO,
+"no key association found for SA"
+" %s[%u]-%s[%u]/SPI 0x%08lx\n",
+ipsec_address(_address, buf, sizeof(buf)),
+ntohs(sport),
+ipsec_address(_address, buf2, sizeof(buf2)),
+ntohs(dport),
+(u_long) ntohl(spi));
+			} else {
+log(LOG_INFO,
+"no key association found for"
+" SA %s-%s/SPI 0x%08lx\n",
+ipsec_address(_address, buf, sizeof(buf)),
+ipsec_address(_address, buf2, sizeof(buf2)),
+(u_long) ntohl(spi));
+			}
+		} else if (ipsec_debug) {
+			IPSECLOG(LOG_DEBUG,
+			"no key association found for SA "
+			"%s-%s/SPI 0x%08lx/PROTO %u/PORT %u-%u\n",
+			ipsec_address(_address, buf, sizeof(buf)),
+			ipsec_address(_address, buf2, sizeof(buf2)),
+			 (u_long) ntohl(spi), sproto, ntohs(dport), ntohs(sport));
+		}
 		IPSEC_ISTAT(sproto, ESP_STAT_NOTDB, AH_STAT_NOTDB,
 		IPCOMP_STAT_NOTDB);
 		splx(s);
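
Review bot: in the ipsec_debug branch the format says `PORT %u-%u` but the arguments are `ntohs(dport), ntohs(sport)`, i.e. dst then src, while the preceding `%s-%s` prints src then dst; swap the two port arguments (or the format) so both halves of the message read src-dst. Minor: there is a stray leading space before `(u_long) ntohl(spi)` on that argument line. On the non-debug path, rate-limiting the LOG_INFO message with ppsratecheck() to one per second is the right choice, since the source address comes from an unauthenticated packet and an unsolicited stream of bogus SPIs would otherwise flood the log; the static lasttime/curpps pair is shared across CPUs without a lock, which is the usual pattern for ppsratecheck() callers and at worst lets an occasional extra message through.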




CVS commit: src/sys/netipsec

2022-05-24 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Wed May 25 04:15:44 UTC 2022

Modified Files:
src/sys/netipsec: xform_esp.c

Log Message:
ipsec: don't assert for the format of incoming packets


To generate a diff of this commit:
cvs rdiff -u -r1.105 -r1.106 src/sys/netipsec/xform_esp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.105 src/sys/netipsec/xform_esp.c:1.106
--- src/sys/netipsec/xform_esp.c:1.105	Sun May 22 11:40:29 2022
+++ src/sys/netipsec/xform_esp.c	Wed May 25 04:15:44 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.105 2022/05/22 11:40:29 riastradh Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.106 2022/05/25 04:15:44 ozaki-r Exp $	*/
 /*	$FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.105 2022/05/22 11:40:29 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.106 2022/05/25 04:15:44 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -310,9 +310,13 @@ esp_input(struct mbuf *m, struct secasva
 
 	KASSERT(sav != NULL);
 	KASSERT(sav->tdb_encalgxform != NULL);
-	KASSERTMSG((skip & 3) == 0 && (m->m_pkthdr.len & 3) == 0,
-	"misaligned packet, skip %u pkt len %u",
-	skip, m->m_pkthdr.len);
+	if (__predict_false((skip & 3) != 0 || (m->m_pkthdr.len & 3) != 0)) {
+		DPRINTF("%s: misaligned packet, skip %u pkt len %u", __func__,
+		skip, m->m_pkthdr.len);
+		stat = ESP_STAT_BADILEN; /* Same as FreeBSD */
+		error = EINVAL;
+		goto out;
+	}
 
 	/* XXX don't pullup, just copy header */
 	M_REGION_GET(esp, struct newesp *, m, skip, sizeof(struct newesp));
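
Review bot: replacing the KASSERTMSG with a runtime check is the right fix, since a misaligned ESP packet is attacker-controlled input and an assertion on it is a remotely triggerable panic on DIAGNOSTIC kernels; the new path sets stat = ESP_STAT_BADILEN and error = EINVAL and jumps to `out`, so please confirm that label frees the mbuf and drops the SA reference the same way the other early-error exits in esp_input() do, since that cleanup lies outside the hunk. The `__predict_false()` hint is appropriate for a branch that only malformed input reaches.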




CVS commit: src/sys/netipsec

2022-05-22 Thread Taylor R Campbell
Module Name:src
Committed By:   riastradh
Date:   Sun May 22 11:39:08 UTC 2022

Modified Files:
src/sys/netipsec: xform.h xform_ah.c xform_esp.c xform_ipcomp.c
xform_ipip.c xform_tcp.c

Log Message:
netipsec: Nothing uses xf_zeroize return value.  Nix it.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/sys/netipsec/xform.h
cvs rdiff -u -r1.110 -r1.111 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.102 -r1.103 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.70 -r1.71 src/sys/netipsec/xform_ipcomp.c
cvs rdiff -u -r1.77 -r1.78 src/sys/netipsec/xform_ipip.c
cvs rdiff -u -r1.24 -r1.25 src/sys/netipsec/xform_tcp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform.h
diff -u src/sys/netipsec/xform.h:1.21 src/sys/netipsec/xform.h:1.22
--- src/sys/netipsec/xform.h:1.21	Fri Nov  1 04:23:21 2019
+++ src/sys/netipsec/xform.h	Sun May 22 11:39:08 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform.h,v 1.21 2019/11/01 04:23:21 knakahara Exp $	*/
+/*	$NetBSD: xform.h,v 1.22 2022/05/22 11:39:08 riastradh Exp $	*/
 /*	$FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $	*/
 /*
@@ -77,7 +77,7 @@ struct xformsw {
 #define	XFT_COMP	0x1000
 	const char *xf_name;
 	int (*xf_init)(struct secasvar *, const struct xformsw *);
-	int (*xf_zeroize)(struct secasvar *);
+	void (*xf_zeroize)(struct secasvar *);
 	int (*xf_input)(struct mbuf *, struct secasvar *, int, int);
 	int (*xf_output)(struct mbuf *, const struct ipsecrequest *,
 	struct secasvar *, int, int, int);
@@ -95,7 +95,7 @@ int ipip_output(struct mbuf *, struct se
 
 /* XF_AH */
 int ah_init0(struct secasvar *, const struct xformsw *, struct cryptoini *);
-int ah_zeroize(struct secasvar *);
+void ah_zeroize(struct secasvar *);
 const struct auth_hash *ah_algorithm_lookup(int);
 size_t ah_authsiz(const struct secasvar *);
 size_t ah_hdrsiz(const struct secasvar *);

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.110 src/sys/netipsec/xform_ah.c:1.111
--- src/sys/netipsec/xform_ah.c:1.110	Sun May 22 11:30:40 2022
+++ src/sys/netipsec/xform_ah.c	Sun May 22 11:39:08 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.110 2022/05/22 11:30:40 riastradh Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.111 2022/05/22 11:39:08 riastradh Exp $	*/
 /*	$FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.110 2022/05/22 11:30:40 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.111 2022/05/22 11:39:08 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -264,21 +264,19 @@ ah_init(struct secasvar *sav, const stru
  *
  * NB: public for use by esp_zeroize (XXX).
  */
-int
+void
 ah_zeroize(struct secasvar *sav)
 {
-	int err;
 
 	if (sav->key_auth) {
 		explicit_memset(_KEYBUF(sav->key_auth), 0,
 		_KEYLEN(sav->key_auth));
 	}
 
-	err = crypto_freesession(sav->tdb_cryptoid);
+	(void)crypto_freesession(sav->tdb_cryptoid);
 	sav->tdb_cryptoid = 0;
 	sav->tdb_authalgxform = NULL;
 	sav->tdb_xform = NULL;
-	return err;
 }
 
 /*
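
Review bot: `(void)crypto_freesession(sav->tdb_cryptoid);` discards a return value that no caller checked before either, so there is no behaviour change, but a failure to free the crypto session is now entirely silent while tdb_cryptoid is still zeroed on the next line; if crypto_freesession() can fail for a live session, a DPRINTF (as used elsewhere in netipsec) or a counter on the error path would keep that observable. The explicit_memset() of the auth key above is untouched and remains the important part of this routine.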

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.102 src/sys/netipsec/xform_esp.c:1.103
--- src/sys/netipsec/xform_esp.c:1.102	Sun May 22 11:30:40 2022
+++ src/sys/netipsec/xform_esp.c	Sun May 22 11:39:08 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.102 2022/05/22 11:30:40 riastradh Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.103 2022/05/22 11:39:08 riastradh Exp $	*/
 /*	$FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.102 2022/05/22 11:30:40 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.103 2022/05/22 11:39:08 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -280,11 +280,11 @@ esp_init(struct secasvar *sav, const str
 /*
  * Paranoia.
  */
-static int
+static void
 esp_zeroize(struct secasvar *sav)
 {
 	/* NB: ah_zerorize free's the crypto session state */
-	int error = ah_zeroize(sav);
+	ah_zeroize(sav);
 
 	if (sav->key_enc) {
 		explicit_memset(_KEYBUF(sav->key_enc), 0,
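
Review bot: the context line `/* NB: ah_zerorize free's the crypto session state */` has two typos (ah_zerorize for ah_zeroize, free's for frees); since the hunk already rewrites the line directly below it, fixing the comment here would be cheap. The return-type change itself matches the xform.h prototype change earlier in this commit.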
@@ -292,7 +292,6 @@ esp_zeroize(struct secasvar *sav)
 	}
 	sav->tdb_encalgxform = NULL;
 	sav->tdb_xform = NULL;
-	return error;
 }
 
 /*

Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.70 src/sys/netipsec/xform_ipcomp.c:1.71
--- src/sys/netipsec/xform_ipcomp.c:1.70	Sun May 22 11:30:40 2022
+++ src/sys/netipsec/xform_ipcomp.c	Sun May 22 11:39:08 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.70 2022/05/22 11:30:40 riastradh Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.71 2022/05/22 11:39:08 riastradh Exp $	*/


CVS commit: src/sys/netipsec

2022-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu May 19 19:18:03 UTC 2022

Modified Files:
src/sys/netipsec: ipsec_input.c

Log Message:
PR/56840: Andrew Cagney: use the proper polarity hton/ntoh macros (no
functional change).
Factor out spi retrieving code into a function.


To generate a diff of this commit:
cvs rdiff -u -r1.75 -r1.76 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.75 src/sys/netipsec/ipsec_input.c:1.76
--- src/sys/netipsec/ipsec_input.c:1.75	Sat Jan 26 21:08:48 2019
+++ src/sys/netipsec/ipsec_input.c	Thu May 19 15:18:03 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.75 2019/01/27 02:08:48 pgoyette Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.76 2022/05/19 19:18:03 christos Exp $	*/
 /*	$FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.75 2019/01/27 02:08:48 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.76 2022/05/19 19:18:03 christos Exp $");
 
 /*
  * IPsec input processing.
@@ -182,6 +182,29 @@ nat_t_ports_get(struct mbuf *m, uint16_t
 		*sport = *dport = 0;
 }
 
+static uint32_t
+spi_get(struct mbuf *m, int sproto, int skip)
+{
+	uint32_t spi;
+	uint16_t cpi;
+
+	switch (sproto) {
+	case IPPROTO_ESP:
+		m_copydata(m, skip, sizeof(spi), );
+		return spi;
+	case IPPROTO_AH:
+		m_copydata(m, skip + sizeof(spi), sizeof(spi), );
+		return spi;
+	case IPPROTO_IPCOMP:
+		m_copydata(m, skip + sizeof(cpi), sizeof(cpi), );
+		return htonl(ntohs(cpi));
+	default:
+		panic("%s called with bad protocol number: %d\n", __func__,
+		sproto);
+	}
+}
+
+
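
Review bot: the IPCOMP case returns `htonl(ntohs(cpi))`, i.e. the 16-bit CPI widened to a 32-bit network-order SPI; a one-line comment stating that IPComp SAs are keyed by this widened form would spare the next reader the investigation behind PR/56840 (the old `ntohl(htons(cpi))` computes the same bits, since htons/ntohs and htonl/ntohl are the same byte swap, which is why the log message can say no functional change). The header offsets check out against the RFCs: ESP carries the SPI at offset 0, AH at offset 4 after next-header/payload-length/reserved, and IPComp carries the CPI at offset 2 after next-header/flags. The `default:` arm ends in panic() with no return after the switch, which is fine only because panic() is declared __dead. Nit: two consecutive blank lines follow the closing brace.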
 /*
  * ipsec_common_input gets called when an IPsec-protected packet
  * is received by IPv4 or IPv6.  Its job is to find the right SA
@@ -222,18 +245,7 @@ ipsec_common_input(struct mbuf *m, int s
 	}
 
 	/* Retrieve the SPI from the relevant IPsec header */
-	if (sproto == IPPROTO_ESP) {
-		m_copydata(m, skip, sizeof(u_int32_t), );
-	} else if (sproto == IPPROTO_AH) {
-		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), );
-	} else if (sproto == IPPROTO_IPCOMP) {
-		u_int16_t cpi;
-		m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), );
-		spi = ntohl(htons(cpi));
-	} else {
-		panic("%s called with bad protocol number: %d\n", __func__,
-		sproto);
-	}
+	spi = spi_get(m, sproto, skip);
 
 	/* find the source port for NAT-T */
 	nat_t_ports_get(m, , );
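Review bot: the "no functional change" claim for the IPCOMP branch is true but deserves a sentence in the log or a comment, because it is not obvious from the macro names: the removed `spi = ntohl(htons(cpi))` and the new `htonl(ntohs(cpi))` are both the identity on a big-endian host and a 16-bit swap followed by a 32-bit swap on a little-endian one, so the resulting bits are identical; the new spelling is simply the one that reads correctly (wire CPI to host, then host to a wire-order 32-bit SPI). Note also that the value handed back is still in network byte order, which is what key.c compares against sav->spi (its KEYDEBUG output applies ntohl() only for printing).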



CVS commit: src/sys/netipsec

2022-05-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu May 19 19:18:03 UTC 2022

Modified Files:
src/sys/netipsec: ipsec_input.c

Log Message:
PR/56840: Andrew Cagney: use the proper polarity hton/ntoh macros (no
functional change).
Factor out spi retrieving code into a function.


To generate a diff of this commit:
cvs rdiff -u -r1.75 -r1.76 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
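The SPI extraction that this commit factors out, worked through as an added example in plain C over a flat packet buffer rather than an mbuf chain. This is not NetBSD's code: spi_get_buf(), polarity_equivalent() and the example_*() helpers are names chosen here, the packet bytes are constructed, and the header layouts follow RFC 4303 (ESP: SPI first), RFC 4302 (AH: next header, payload length, reserved, then SPI) and RFC 3173 (IPCOMP: next header, flags, then a 16-bit CPI). It adds the explicit length check that the kernel leaves to the caller of m_copydata(), and shows why swapping the order of the hton/ntoh macros for the CPI is not a functional change.

```c
/*
 * Added example, not NetBSD code: read the SPI of an ESP, AH or IPCOMP
 * header from a flat buffer, at the same offsets ipsec_input.c reads
 * with m_copydata().  All packet bytes are constructed for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#ifndef IPPROTO_ESP
#define IPPROTO_ESP	50
#endif
#ifndef IPPROTO_AH
#define IPPROTO_AH	51
#endif
#ifndef IPPROTO_IPCOMP
#define IPPROTO_IPCOMP	108
#endif

/*
 * Return the SPI in network byte order (the form key.c keeps in
 * sav->spi), or 0 when the header is truncated or sproto is not an
 * IPsec protocol.  SPI 0 is reserved by RFC 4302/4303, so it is a safe
 * "no SPI" value.  skip is the offset of the IPsec header inside pkt.
 */
uint32_t
spi_get_buf(const uint8_t *pkt, size_t len, int sproto, size_t skip)
{
	uint32_t spi;
	uint16_t cpi;
	size_t off, n;

	switch (sproto) {
	case IPPROTO_ESP:	/* SPI is the first field */
		off = skip;
		n = sizeof(spi);
		break;
	case IPPROTO_AH:	/* next hdr, payload len, reserved(2), SPI */
		off = skip + sizeof(spi);
		n = sizeof(spi);
		break;
	case IPPROTO_IPCOMP:	/* next hdr, flags, 16-bit CPI */
		off = skip + sizeof(cpi);
		n = sizeof(cpi);
		break;
	default:
		return 0;
	}
	/* m_copydata() asserts on a short chain; here we must check. */
	if (off > len || len - off < n)
		return 0;
	if (n == sizeof(spi)) {
		memcpy(&spi, pkt + off, sizeof(spi));
		return spi;	/* already network order */
	}
	memcpy(&cpi, pkt + off, sizeof(cpi));
	/* Widen the CPI: wire -> host (ntohs), then host -> wire (htonl). */
	return htonl(ntohs(cpi));
}

/* 1 if the old (ntohl(htons())) and new macro order agree on this host. */
int
polarity_equivalent(uint16_t cpi)
{
	return htonl(ntohs(cpi)) == ntohl(htons(cpi));
}

/* Constructed headers; each returns the extracted SPI in host order. */
uint32_t
example_esp(void)
{
	static const uint8_t esp[] = {	/* SPI 0x1234, seq 1 */
		0x00, 0x00, 0x12, 0x34, 0x00, 0x00, 0x00, 0x01 };
	return ntohl(spi_get_buf(esp, sizeof(esp), IPPROTO_ESP, 0));
}

uint32_t
example_ah(void)
{
	static const uint8_t ah[] = {	/* next=ESP, len=4, SPI, seq 1 */
		50, 4, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,
		0x00, 0x00, 0x00, 0x01 };
	return ntohl(spi_get_buf(ah, sizeof(ah), IPPROTO_AH, 0));
}

uint32_t
example_ipcomp(void)
{
	uint8_t pkt[24];
	memset(pkt, 0, sizeof(pkt));	/* 20 zero bytes stand in for IPv4 */
	pkt[20] = 4;			/* next header: IPIP */
	pkt[21] = 0;			/* flags */
	pkt[22] = 0x01;			/* CPI 0x0102 */
	pkt[23] = 0x02;
	return ntohl(spi_get_buf(pkt, sizeof(pkt), IPPROTO_IPCOMP, 20));
}

uint32_t
example_truncated(void)
{
	/* AH cut after the reserved field: the SPI bytes are missing. */
	static const uint8_t ah_short[] = { 50, 4, 0x00, 0x00 };
	return spi_get_buf(ah_short, sizeof(ah_short), IPPROTO_AH, 0);
}

int
main(void)
{
	printf("ESP SPI %#x, AH SPI %#x, IPCOMP SPI %#x, truncated %#x\n",
	    (unsigned)example_esp(), (unsigned)example_ah(),
	    (unsigned)example_ipcomp(), (unsigned)example_truncated());
	printf("macro orders agree: %d\n", polarity_equivalent(0x0102));
	return 0;
}
```

The truncated case is the one the kernel version does not handle itself: on an mbuf chain the length guarantee has to come from the caller before spi_get() is reached.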



CVS commit: src/sys/netipsec

2022-05-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed May 18 15:20:18 UTC 2022

Modified Files:
src/sys/netipsec: key.c key_debug.c key_debug.h

Log Message:
PR/56841: Andrew Cagney: debug-log IPcomp CPI lookups:
- debug-logs why an SPI is rejected
- adds missing __VA_OPT__(,) to some printf macros
- debug-log SPI+proto when adding/updating entry


To generate a diff of this commit:
cvs rdiff -u -r1.273 -r1.274 src/sys/netipsec/key.c
cvs rdiff -u -r1.23 -r1.24 src/sys/netipsec/key_debug.c
cvs rdiff -u -r1.10 -r1.11 src/sys/netipsec/key_debug.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.273 src/sys/netipsec/key.c:1.274
--- src/sys/netipsec/key.c:1.273	Sun Jan  2 15:28:53 2022
+++ src/sys/netipsec/key.c	Wed May 18 11:20:18 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.273 2022/01/02 20:28:53 andvar Exp $	*/
+/*	$NetBSD: key.c,v 1.274 2022/05/18 15:20:18 christos Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.273 2022/01/02 20:28:53 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.274 2022/05/18 15:20:18 christos Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -700,9 +700,9 @@ static void key_init_sav(struct secasvar
 static void key_wait_sav(struct secasvar *);
 static void key_destroy_sav(struct secasvar *);
 static struct secasvar *key_newsav(struct mbuf *,
-	const struct sadb_msghdr *, int *, const char*, int);
-#define	KEY_NEWSAV(m, sadb, e)\
-	key_newsav(m, sadb, e, __func__, __LINE__)
+	const struct sadb_msghdr *, int *, int, const char*, int);
+#define	KEY_NEWSAV(m, sadb, e, proto)\
+	key_newsav(m, sadb, e, proto, __func__, __LINE__)
 static void key_delsav (struct secasvar *);
 static struct secashead *key_getsah(const struct secasindex *, int);
 static struct secashead *key_getsah_ref(const struct secasindex *, int);
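Review bot: KEY_NEWSAV() and key_newsav() gain a `proto` argument that, in the hunks shown, is consumed only by the KEYDEBUG_PRINTF inside key_newsav(); the call sites that now have to pass it are not in the visible part of this diff, so a reader cannot confirm every caller was converted (an unconverted one would fail to compile, so this is a review-readability point, not a correctness one). A one-line comment on the prototype saying the argument exists for diagnostics would stop the next person from hunting for a functional use of it.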
@@ -1288,8 +1288,11 @@ key_lookup_sa(
 		}
 	}
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
-	"DP from %s:%u check_spi=%d, check_alg=%d\n",
-	where, tag, must_check_spi, must_check_alg);
+	"DP from %s:%u check_spi=%d(%#x), check_alg=%d(%d), proto=%d\n",
+	where, tag,
+	must_check_spi, ntohl(spi),
+	must_check_alg, algo,
+	proto);
 
 
 	/*
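Review bot: the new format prints the SPI with %#x after ntohl(), which matches the `spi=%#x` line added to key_newsav() further down; keep the two consistent, because mixing host- and network-order SPIs in KEYDEBUG output is the first thing that misleads someone chasing a failed lookup. The SPI itself travels in the clear on the wire, so logging it is fine, but these KEYDEBUG lines must never grow to include key material.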
@@ -3279,7 +3282,7 @@ key_destroy_sah(struct secashead *sah)
  */
 static struct secasvar *
 key_newsav(struct mbuf *m, const struct sadb_msghdr *mhp,
-int *errp, const char* where, int tag)
+int *errp, int proto, const char* where, int tag)
 {
 	struct secasvar *newsav;
 	const struct sadb_sa *xsa;
@@ -3339,7 +3342,8 @@ key_newsav(struct mbuf *m, const struct 
 	newsav->pid = mhp->msg->sadb_msg_pid;
 
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
-	"DP from %s:%u return SA:%p\n", where, tag, newsav);
+	"DP from %s:%u return SA:%p spi=%#x proto=%d\n",
+	where, tag, newsav, ntohl(newsav->spi), proto);
 	return newsav;
 
 error:
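Review bot: `SA:%p` in this KEYDEBUG line was already emitting a kernel heap address, and the hunk now puts the SPI and protocol beside it, which is the useful part; that is acceptable on a debug-only path, but it is a reminder that KEYDEBUG_PRINTF output has to stay behind the key debug level knob and never reach the default console, since kernel pointers in logs undermine address-space randomization.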
@@ -4679,75 +4683,103 @@ key_spidx_match_withmask(
 	if (spidx0->src.sa.sa_family != spidx1->src.sa.sa_family ||
 	spidx0->dst.sa.sa_family != spidx1->dst.sa.sa_family ||
 	spidx0->src.sa.sa_len != spidx1->src.sa.sa_len ||
-	spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len)
+	spidx0->dst.sa.sa_len != spidx1->dst.sa.sa_len) {
+		KEYDEBUG_PRINTF(KEYDEBUG_MATCH, ".sa wrong\n");
 		return 0;
+	}
 
 	/* if spidx.ul_proto == IPSEC_ULPROTO_ANY, ignore. */
 	if (spidx0->ul_proto != (u_int16_t)IPSEC_ULPROTO_ANY &&
-	spidx0->ul_proto != spidx1->ul_proto)
+	spidx0->ul_proto != spidx1->ul_proto) {
+		KEYDEBUG_PRINTF(KEYDEBUG_MATCH, "proto wrong\n");
 		return 0;
+	}
 
 	switch (spidx0->src.sa.sa_family) {
 	case AF_INET:
 		if (spidx0->src.sin.sin_port != IPSEC_PORT_ANY &&
-		spidx0->src.sin.sin_port != spidx1->src.sin.sin_port)
+		spidx0->src.sin.sin_port != spidx1->src.sin.sin_port) {
+			KEYDEBUG_PRINTF(KEYDEBUG_MATCH, "v4 src port wrong\n");
 			return 0;
+		}
 		if (!key_bb_match_withmask(>src.sin.sin_addr,
-		>src.sin.sin_addr, spidx0->prefs))
+	   >src.sin.sin_addr, spidx0->prefs)) {
+			KEYDEBUG_PRINTF(KEYDEBUG_MATCH, "v4 src addr wrong\n");
 			return 0;
+		}
 		break;
 	case AF_INET6:
 		if (spidx0->src.sin6.sin6_port != IPSEC_PORT_ANY &&
-		spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port)
+		spidx0->src.sin6.sin6_port != spidx1->src.sin6.sin6_port) {
+			KEYDEBUG_PRINTF(KEYDEBUG_MATCH, "v6 src port wrong\n");
 			return 0;
+		}
 		/*
 		 * scope_id check. if sin6_scope_id is 0, we regard it
 		 * as a wildcard scope, which matches any scope zone ID.
 		 */
 		if (spidx0->src.sin6.sin6_scope_id &&
 		spidx1->src.sin6.sin6_scope_id &&
-		spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id)
+		spidx0->src.sin6.sin6_scope_id != spidx1->src.sin6.sin6_scope_id) {




CVS commit: src/sys/netipsec

2021-12-08 Thread Andrius Varanavicius
Module Name:src
Committed By:   andvar
Date:   Wed Dec  8 20:03:26 UTC 2021

Modified Files:
src/sys/netipsec: ipsec.c

Log Message:
s/speficication/specification/


To generate a diff of this commit:
cvs rdiff -u -r1.172 -r1.173 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.172 src/sys/netipsec/ipsec.c:1.173
--- src/sys/netipsec/ipsec.c:1.172	Fri Aug 28 06:20:44 2020
+++ src/sys/netipsec/ipsec.c	Wed Dec  8 20:03:26 2021
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.172 2020/08/28 06:20:44 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.173 2021/12/08 20:03:26 andvar Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.172 2020/08/28 06:20:44 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.173 2021/12/08 20:03:26 andvar Exp $");
 
 /*
  * IPsec controller part.
@@ -1849,7 +1849,7 @@ skippolicycheck:
  *
  *   IPv6 receivers MUST discard UDP packets with a zero checksum.
  *
- * There is more relaxed speficication RFC6935(IPv6 and UDP Checksums for
+ * There is more relaxed specification RFC6935(IPv6 and UDP Checksums for
  * Tunneled Packets). The document allows zero checksum. It's too
  * late to publish, there are a lot of interoperability problems...
  */
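Review bot: while the spelling is being fixed, the sentence could be made grammatical in the same touch: "There is a more relaxed specification, RFC 6935 (IPv6 and UDP Checksums for Tunneled Packets), which allows a zero checksum." The substance of the comment, that the receiver still discards zero-checksum UDP under the stricter rule quoted just above it, is unchanged.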



CVS commit: src/sys/netipsec

2021-11-10 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Wed Nov 10 16:55:20 UTC 2021

Modified Files:
src/sys/netipsec: keydb.h

Log Message:
s/assocciation/association/ in comment.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/sys/netipsec/keydb.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/keydb.h
diff -u src/sys/netipsec/keydb.h:1.23 src/sys/netipsec/keydb.h:1.24
--- src/sys/netipsec/keydb.h:1.23	Thu Apr 19 08:27:38 2018
+++ src/sys/netipsec/keydb.h	Wed Nov 10 16:55:20 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: keydb.h,v 1.23 2018/04/19 08:27:38 maxv Exp $	*/
+/*	$NetBSD: keydb.h,v 1.24 2021/11/10 16:55:20 msaitoh Exp $	*/
 /*	$FreeBSD: keydb.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: keydb.h,v 1.14 2000/08/02 17:58:26 sakane Exp $	*/
 
@@ -55,7 +55,7 @@ union sockaddr_union {
 };
 #endif /* _SOCKADDR_UNION_DEFINED */
 
-/* Security Assocciation Index */
+/* Security Association Index */
 /* NOTE: Ensure to be same address family */
 struct secasindex {
 	union sockaddr_union src;	/* source address for SA */
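Review bot: the line right below the corrected one, `/* NOTE: Ensure to be same address family */`, has the same kind of wording problem and could be fixed in the same commit: "NOTE: src and dst must have the same address family".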



CVS commit: src/sys/netipsec

2019-11-13 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Thu Nov 14 03:17:08 UTC 2019

Modified Files:
src/sys/netipsec: key.c

Log Message:
Reduce load for IKE negotiations when the system has many IPv6 addresses.

e.g. the system has many vlan(4), gif(4) or ipsecif(4) with link-local addresses.


To generate a diff of this commit:
cvs rdiff -u -r1.268 -r1.269 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.268 src/sys/netipsec/key.c:1.269
--- src/sys/netipsec/key.c:1.268	Tue Nov 12 05:13:29 2019
+++ src/sys/netipsec/key.c	Thu Nov 14 03:17:08 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.268 2019/11/12 05:13:29 knakahara Exp $	*/
+/*	$NetBSD: key.c,v 1.269 2019/11/14 03:17:08 knakahara Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.268 2019/11/12 05:13:29 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.269 2019/11/14 03:17:08 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -4502,30 +4502,34 @@ key_ismyaddr6(const struct sockaddr_in6 
 	bound = curlwp_bind();
 	s = pserialize_read_enter();
 	IN6_ADDRLIST_READER_FOREACH(ia) {
-		bool ingroup;
-
 		if (key_sockaddr_match((const struct sockaddr *),
 		(const struct sockaddr *)>ia_addr, 0)) {
 			pserialize_read_exit(s);
 			goto ours;
 		}
-		ia6_acquire(ia, );
-		pserialize_read_exit(s);
 
-		/*
-		 * XXX Multicast
-		 * XXX why do we care about multlicast here while we don't care
-		 * about IPv4 multicast??
-		 * XXX scope
-		 */
-		ingroup = in6_multi_group(>sin6_addr, ia->ia_ifp);
-		if (ingroup) {
+		if (IN6_IS_ADDR_MULTICAST(>sin6_addr)) {
+			bool ingroup;
+
+			ia6_acquire(ia, );
+			pserialize_read_exit(s);
+
+			/*
+			 * XXX Multicast
+			 * XXX why do we care about multlicast here while we don't care
+			 * about IPv4 multicast??
+			 * XXX scope
+			 */
+			ingroup = in6_multi_group(>sin6_addr, ia->ia_ifp);
+			if (ingroup) {
+ia6_release(ia, );
+goto ours;
+			}
+
+			s = pserialize_read_enter();
 			ia6_release(ia, );
-			goto ours;
 		}
 
-		s = pserialize_read_enter();
-		ia6_release(ia, );
 	}
 	pserialize_read_exit(s);
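Review bot: IN6_IS_ADDR_MULTICAST() on sin6->sin6_addr depends only on the function argument, not on `ia`, so evaluating it inside IN6_ADDRLIST_READER_FOREACH repeats the same test for every configured address; hoisting it into a local before the loop would make the intent (unicast lookups never leave the pserialize read section) explicit. That restructuring is where the saving comes from: the old code did ia6_acquire / pserialize_read_exit / in6_multi_group / pserialize_read_enter / ia6_release for every address, the new code does it only for multicast destinations. Two things to watch: the `goto ours` path releases `ia` outside the read section while the fall-through path re-enters it first, which mirrors the old code but deserves a comment, and the moved comment still carries the "multlicast" typo and the open XXX about IPv4 multicast.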
 



CVS commit: src/sys/netipsec

2019-11-11 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Tue Nov 12 05:13:29 UTC 2019

Modified Files:
src/sys/netipsec: key.c

Log Message:
Fix SAs being expired wrongly when there are many SPs.

When key_timehandler_spd() spent over one second, the "now" argument of
key_timehandler_sad() could be older than sav->created. That caused the SA
to be expired immediately.


To generate a diff of this commit:
cvs rdiff -u -r1.267 -r1.268 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.267 src/sys/netipsec/key.c:1.268
--- src/sys/netipsec/key.c:1.267	Wed Sep 25 09:53:38 2019
+++ src/sys/netipsec/key.c	Tue Nov 12 05:13:29 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.267 2019/09/25 09:53:38 ozaki-r Exp $	*/
+/*	$NetBSD: key.c,v 1.268 2019/11/12 05:13:29 knakahara Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.267 2019/09/25 09:53:38 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.268 2019/11/12 05:13:29 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -4883,14 +4883,20 @@ key_bb_match_withmask(const void *a1, co
 }
 
 static void
-key_timehandler_spd(time_t now)
+key_timehandler_spd(void)
 {
 	u_int dir;
 	struct secpolicy *sp;
+	volatile time_t now;
 
 	for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
 	retry:
 		mutex_enter(_spd.lock);
+		/*
+		 * To avoid for sp->created to overtake "now" because of
+		 * wating mutex, set time_uptime here.
+		 */
+		now = time_uptime;
 		SPLIST_WRITER_FOREACH(sp, dir) {
 			KASSERTMSG(sp->state != IPSEC_SPSTATE_DEAD,
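Review bot: `volatile` on the local `now` buys nothing here: it is written from time_uptime after mutex_enter() and read only inside the locked region, and the mutex already provides the ordering, so a plain time_t states the intent better. The fix is sound, and the reason it is sound should be in the comment rather than left to the reader: a `now` sampled once in key_timehandler_work() and handed down as an argument could predate entries inserted while this handler waited for the lock, whereas one sampled after taking key_spd.lock cannot be older than any sp->created in the list (assuming, as this fix requires, that sp->created is assigned under that lock). Suggested wording: "Sample time_uptime after taking the lock so that an SP created while we waited cannot have sp->created > now", which also fixes "wating".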
 			"sp->state=%u", sp->state);
@@ -4925,10 +4931,11 @@ key_timehandler_spd(time_t now)
 }
 
 static void
-key_timehandler_sad(time_t now)
+key_timehandler_sad(void)
 {
 	struct secashead *sah;
 	int s;
+	volatile time_t now;
 
 restart:
 	mutex_enter(_sad.lock);
@@ -4954,6 +4961,10 @@ restart:
 		/* if LARVAL entry doesn't become MATURE, delete it. */
 		mutex_enter(_sad.lock);
 	restart_sav_LARVAL:
+		/*
+		 * Same as key_timehandler_spd(), set time_uptime here.
+		 */
+		now = time_uptime;
 		SAVLIST_WRITER_FOREACH(sav, sah, SADB_SASTATE_LARVAL) {
 			if (now - sav->created > key_larval_lifetime) {
 key_sa_chgstate(sav, SADB_SASTATE_DEAD);
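Review bot: placing `now = time_uptime;` under the `restart_sav_LARVAL:` label means every pass through the label re-samples the clock, which is what is wanted; but the comment "Same as key_timehandler_spd()" sends the reader to another function for the reasoning, and the two SAD passes that follow say only "ditto". One short explanation at the top of key_timehandler_sad() would serve better than three cross-references.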
@@ -4968,6 +4979,10 @@ restart:
 		 */
 	restart_sav_MATURE:
 		mutex_enter(_sad.lock);
+		/*
+		 * ditto
+		 */
+		now = time_uptime;
 		SAVLIST_WRITER_FOREACH(sav, sah, SADB_SASTATE_MATURE) {
 			/* we don't need to check. */
 			if (sav->lft_s == NULL)
@@ -5032,6 +5047,10 @@ restart:
 		/* check DYING entry to change status to DEAD. */
 		mutex_enter(_sad.lock);
 	restart_sav_DYING:
+		/*
+		 * ditto
+		 */
+		now = time_uptime;
 		SAVLIST_WRITER_FOREACH(sav, sah, SADB_SASTATE_DYING) {
 			/* we don't need to check. */
 			if (sav->lft_h == NULL)
@@ -5098,13 +5117,18 @@ restart:
 }
 
 static void
-key_timehandler_acq(time_t now)
+key_timehandler_acq(void)
 {
 #ifndef IPSEC_NONBLOCK_ACQUIRE
 	struct secacq *acq, *nextacq;
+	volatile time_t now;
 
 restart:
 	mutex_enter(_misc.lock);
+	/*
+	 * Same as key_timehandler_spd(), set time_uptime here.
+	 */
+	now = time_uptime;
 	LIST_FOREACH_SAFE(acq, _misc.acqlist, chain, nextacq) {
 		if (now - acq->created > key_blockacq_lifetime) {
 			LIST_REMOVE(acq, chain);
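Review bot: same pattern as the SAD hunks and fine as such, but note that the `volatile time_t now;` declaration sits inside the `#ifndef IPSEC_NONBLOCK_ACQUIRE` block together with its only use; keep it there, because a build with IPSEC_NONBLOCK_ACQUIRE defined would otherwise get an unused-variable warning from a declaration above the #ifndef.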
@@ -5118,10 +5142,11 @@ key_timehandler_acq(time_t now)
 }
 
 static void
-key_timehandler_spacq(time_t now)
+key_timehandler_spacq(void)
 {
 #ifdef notyet
 	struct secspacq *acq, *nextacq;
+	time_t now = time_uptime;
 
 	LIST_FOREACH_SAFE(acq, _misc.spacqlist, chain, nextacq) {
 		if (now - acq->created > key_blockacq_lifetime) {
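Review bot: `time_t now = time_uptime;` in key_timehandler_spacq() is the one place in this diff that still samples the clock up front, before any list is walked; it is dead code under `#ifdef notyet`, but since the point of the commit is that every handler samples `now` only once it can no longer be overtaken, the stub should either follow the same pattern or carry a comment saying why it does not matter yet, so that whoever enables it does not reintroduce the bug.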
@@ -5143,15 +5168,14 @@ static unsigned int key_timehandler_work
 static void
 key_timehandler_work(struct work *wk, void *arg)
 {
-	time_t now = time_uptime;
 
 	/* We can allow enqueuing another work at this point */
 	atomic_swap_uint(_timehandler_work_enqueued, 0);
 
-	key_timehandler_spd(now);
-	key_timehandler_sad(now);
-	key_timehandler_acq(now);
-	key_timehandler_spacq(now);
+	key_timehandler_spd();
+	key_timehandler_sad();
+	key_timehandler_acq();
+	key_timehandler_spacq();
 
 	key_acquire_sendup_pending_mbuf();
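Review bot: removing `time_t now = time_uptime;` leaves an empty line directly after the opening brace of key_timehandler_work() (the blank that used to separate declarations from code); drop it so the function body does not start with a blank line. The rest of the hunk is the mechanical signature change.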
 



CVS commit: src/sys/netipsec

2019-08-07 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Wed Aug  7 10:10:00 UTC 2019

Modified Files:
src/sys/netipsec: ipsec.c

Log Message:
ipsec_getpolicybysock() should also call key_havesp() like 
ipsec_getpolicybyaddr().

That can reduce KEYDEBUG messages.


To generate a diff of this commit:
cvs rdiff -u -r1.169 -r1.170 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.169 src/sys/netipsec/ipsec.c:1.170
--- src/sys/netipsec/ipsec.c:1.169	Tue Jul  9 16:56:24 2019
+++ src/sys/netipsec/ipsec.c	Wed Aug  7 10:10:00 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.169 2019/07/09 16:56:24 maxv Exp $ */
+/* $NetBSD: ipsec.c,v 1.170 2019/08/07 10:10:00 knakahara Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.169 2019/07/09 16:56:24 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.170 2019/08/07 10:10:00 knakahara Exp $");
 
 /*
  * IPsec controller part.
@@ -466,7 +466,10 @@ ipsec_getpolicybysock(struct mbuf *m, u_
 
 		case IPSEC_POLICY_ENTRUST:
 			/* look for a policy in SPD */
-			sp = KEY_LOOKUP_SP_BYSPIDX(>spidx, dir);
+			if (key_havesp(dir))
+sp = KEY_LOOKUP_SP_BYSPIDX(>spidx, dir);
+			else
+sp = NULL;
 			if (sp == NULL)		/* no SP found */
 sp = KEY_GET_DEFAULT_SP(af);
 			break;
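Review bot: the `if (key_havesp(dir)) sp = KEY_LOOKUP_SP_BYSPIDX(...); else sp = NULL;` shape now appears twice in this function and, per the log message, already exists in ipsec_getpolicybyaddr(); folding the key_havesp() test into KEY_LOOKUP_SP_BYSPIDX() itself, or a small wrapper, would give one place to maintain it. Behaviourally this is an unlocked fast path: if an SP is inserted between key_havesp() returning false and this packet being classified, the packet gets the default policy for this one lookup, which is no worse than the window that already exists between an SPD lookup and the use of its result, but that should be written down so nobody later files it as a bug.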
@@ -478,7 +481,10 @@ ipsec_getpolicybysock(struct mbuf *m, u_
 			return NULL;
 		}
 	} else {/* unpriv, SPD has policy */
-		sp = KEY_LOOKUP_SP_BYSPIDX(>spidx, dir);
+		if (key_havesp(dir))
+			sp = KEY_LOOKUP_SP_BYSPIDX(>spidx, dir);
+		else
+			sp = NULL;
 		if (sp == NULL) {		/* no SP found */
 			switch (currsp->policy) {
 			case IPSEC_POLICY_BYPASS:
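Review bot: same duplicated test as in the IPSEC_POLICY_ENTRUST case above; if it stays inline, the two copies must be kept identical so that a later change to one (for example a KEYDEBUG message when the SPD is empty) does not silently diverge from the other.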



CVS commit: src/sys/netipsec

2019-08-04 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun Aug  4 14:30:36 UTC 2019

Modified Files:
src/sys/netipsec: key.c

Log Message:
Fix info leaks.


To generate a diff of this commit:
cvs rdiff -u -r1.265 -r1.266 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.265 src/sys/netipsec/key.c:1.266
--- src/sys/netipsec/key.c:1.265	Tue Jul 23 04:29:26 2019
+++ src/sys/netipsec/key.c	Sun Aug  4 14:30:36 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.265 2019/07/23 04:29:26 ozaki-r Exp $	*/
+/*	$NetBSD: key.c,v 1.266 2019/08/04 14:30:36 maxv Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.265 2019/07/23 04:29:26 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.266 2019/08/04 14:30:36 maxv Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -7251,6 +7251,7 @@ key_api_register(struct socket *so, stru
 		sup = (struct sadb_supported *)(mtod(n, char *) + off);
 		sup->sadb_supported_len = PFKEY_UNIT64(alen);
 		sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH;
+		sup->sadb_supported_reserved = 0;
 		off += PFKEY_ALIGN8(sizeof(*sup));
 
 		for (i = 1; i <= SADB_AALG_MAX; i++) {
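Review bot: zeroing `sadb_supported_reserved` closes the leak for this field, but the robust fix is to clear the whole extension once, e.g. `memset(sup, 0, alen);` right after computing `sup` and before the fields are filled in; that covers every reserved field and any future alignment padding in one place instead of relying on each field being remembered. Today sizeof(struct sadb_supported) and sizeof(struct sadb_alg) are both 8, so PFKEY_ALIGN8() adds no padding and the per-field stores suffice, but the loop below writes `alg` records into the same uninitialised mbuf data and the argument applies there equally.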
@@ -7266,6 +7267,7 @@ key_api_register(struct socket *so, stru
 			key_getsizes_ah(aalgo, i, , );
 			alg->sadb_alg_minbits = _BITS(minkeysize);
 			alg->sadb_alg_maxbits = _BITS(maxkeysize);
+			alg->sadb_alg_reserved = 0;
 			off += PFKEY_ALIGN8(sizeof(*alg));
 		}
 	}
@@ -7275,6 +7277,7 @@ key_api_register(struct socket *so, stru
 		sup = (struct sadb_supported *)(mtod(n, char *) + off);
 		sup->sadb_supported_len = PFKEY_UNIT64(elen);
 		sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT;
+		sup->sadb_supported_reserved = 0;
 		off += PFKEY_ALIGN8(sizeof(*sup));
 
 		for (i = 1; i <= SADB_EALG_MAX; i++) {
@@ -7288,6 +7291,7 @@ key_api_register(struct socket *so, stru
 			alg->sadb_alg_ivlen = ealgo->blocksize;
 			alg->sadb_alg_minbits = _BITS(ealgo->minkey);
 			alg->sadb_alg_maxbits = _BITS(ealgo->maxkey);
+			alg->sadb_alg_reserved = 0;
 			off += PFKEY_ALIGN8(sizeof(struct sadb_alg));
 		}
 	}
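Review bot: this is the fourth one-line `*_reserved = 0` store in the same function; the underlying pattern, mbuf data handed to userland with fields left as whatever the allocator returned, is what a single memset of each extension, or a zero-filled reply mbuf, prevents wholesale. Worth a regression check too: this is the SADB_REGISTER reply that any process able to open a PF_KEY socket receives, so a quick test is to send a register request, hex-dump the reply and confirm that every reserved field in the supported-algorithm extensions reads as zero.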



CVS commit: src/sys/netipsec

2019-07-22 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Tue Jul 23 04:29:27 UTC 2019

Modified Files:
src/sys/netipsec: key.c

Log Message:
ipsec: fix a regression of the update API

The update API updates an SA by creating a new SA and removing an existing SA.
The previous change removed a newly added SA wrongly if an existing SA had been
created by the getspi API.


To generate a diff of this commit:
cvs rdiff -u -r1.264 -r1.265 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.264 src/sys/netipsec/key.c:1.265
--- src/sys/netipsec/key.c:1.264	Wed Jul 17 07:07:59 2019
+++ src/sys/netipsec/key.c	Tue Jul 23 04:29:26 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.264 2019/07/17 07:07:59 ozaki-r Exp $	*/
+/*	$NetBSD: key.c,v 1.265 2019/07/23 04:29:26 ozaki-r Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.264 2019/07/17 07:07:59 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.265 2019/07/23 04:29:26 ozaki-r Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -3530,7 +3530,8 @@ out:
  *	others	: found, pointer to a SA.
  */
 static struct secasvar *
-key_lookup_and_remove_sav(struct secashead *sah, u_int32_t spi)
+key_lookup_and_remove_sav(struct secashead *sah, u_int32_t spi,
+const struct secasvar *hint)
 {
 	struct secasvar *sav = NULL;
 	u_int state;
@@ -3542,6 +3543,8 @@ key_lookup_and_remove_sav(struct secashe
 			KASSERT(sav->state == state);
 
 			if (sav->spi == spi) {
+if (hint != NULL && hint != sav)
+	continue;
 sav->state = SADB_SASTATE_DEAD;
 SAVLIST_WRITER_REMOVE(sav);
 SAVLUT_WRITER_REMOVE(sav);
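Review bot: the new `hint` argument needs a line in the function's header comment: when non-NULL, only the sav equal to `hint` is removed and any other alive sav carrying the same SPI (typically a LARVAL entry left behind by getspi) is skipped. That is exactly the behaviour the regression needed, but someone reading key_lookup_and_remove_sav() on its own cannot see why two alive entries could share an SPI in the first place.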
@@ -5807,7 +5810,8 @@ key_api_update(struct socket *so, struct
 	 * We need to lookup and remove the sav atomically, so get it again
 	 * here by a special API while we have a reference to it.
 	 */
-	oldsav = key_lookup_and_remove_sav(sah, sa0->sadb_sa_spi);
+	oldsav = key_lookup_and_remove_sav(sah, sa0->sadb_sa_spi, sav);
+	KASSERT(oldsav == NULL || oldsav == sav);
 	/* We can release the reference because of oldsav */
 	KEY_SA_UNREF();
 	if (oldsav == NULL) {
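Review bot: the comment above this call ("We need to lookup and remove the sav atomically ...") should now also say that `sav` is passed as the hint so that only this entry, and not another alive one with the same SPI, is unlinked; the `KASSERT(oldsav == NULL || oldsav == sav)` then documents the contract in code. The ordering is right: the reference on sav is released after the atomic unlink and before key_wait_sav() drains the localcount, so the drain is not waiting on a reference held by this function.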
@@ -6222,7 +6226,7 @@ key_api_delete(struct socket *so, struct
 	sah = key_getsah_ref(, CMP_HEAD);
 	if (sah != NULL) {
 		/* get a SA with SPI. */
-		sav = key_lookup_and_remove_sav(sah, sa0->sadb_sa_spi);
+		sav = key_lookup_and_remove_sav(sah, sa0->sadb_sa_spi, NULL);
 		key_sah_unref(sah);
 	}
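Review bot: key_api_delete() passes `hint = NULL`, so with two alive entries sharing an SPI (the getspi/update situation the previous hunk exists for) it removes whichever one SASTATE_ALIVE_FOREACH visits first; if the SADB_DELETE message's sadb_sa_state is meant to disambiguate, this is where it would be used, otherwise a comment should record that delete intentionally takes the first match.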
 



CVS commit: src/sys/netipsec

2019-07-17 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Wed Jul 17 07:07:59 UTC 2019

Modified Files:
src/sys/netipsec: key.c

Log Message:
Avoid a race condition between SA (sav) manipulations

An sav can be removed from the list(s) it belongs to twice, resulting in an
assertion failure of pslist.  It can occur if the following two operations
interleave:
(i) a deletion or an update of an SA via the API, and
(ii) a state change (key_sa_chgstate) of the same SA by the timer.
Note that even (ii) removes an sav once from its list(s) on an update.

The cause of the race condition is that the two operations are not serialized
and (i) doesn't get and remove an sav from the list(s) it belongs to
atomically.  So (ii) can be inserted between the acquisition and the removal
of (i).

Avoid the race condition by making (i) atomic.


To generate a diff of this commit:
cvs rdiff -u -r1.263 -r1.264 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.263 src/sys/netipsec/key.c:1.264
--- src/sys/netipsec/key.c:1.263	Wed Jun 12 22:23:06 2019
+++ src/sys/netipsec/key.c	Wed Jul 17 07:07:59 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.263 2019/06/12 22:23:06 christos Exp $	*/
+/*	$NetBSD: key.c,v 1.264 2019/07/17 07:07:59 ozaki-r Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.263 2019/06/12 22:23:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.264 2019/07/17 07:07:59 ozaki-r Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -696,8 +696,8 @@ static bool key_sah_has_sav(struct secas
 static void key_sah_ref(struct secashead *);
 static void key_sah_unref(struct secashead *);
 static void key_init_sav(struct secasvar *);
+static void key_wait_sav(struct secasvar *);
 static void key_destroy_sav(struct secasvar *);
-static void key_destroy_sav_with_ref(struct secasvar *);
 static struct secasvar *key_newsav(struct mbuf *,
 	const struct sadb_msghdr *, int *, const char*, int);
 #define	KEY_NEWSAV(m, sadb, e)\
@@ -1598,30 +1598,20 @@ key_destroy_sav(struct secasvar *sav)
 }
 
 /*
- * Destroy sav with holding its reference.
+ * Wait for references of a passed sav to go away.
  */
 static void
-key_destroy_sav_with_ref(struct secasvar *sav)
+key_wait_sav(struct secasvar *sav)
 {
 
 	ASSERT_SLEEPABLE();
 
 	mutex_enter(_sad.lock);
-	sav->state = SADB_SASTATE_DEAD;
-	SAVLIST_WRITER_REMOVE(sav);
-	SAVLUT_WRITER_REMOVE(sav);
-	mutex_exit(_sad.lock);
-
-	/* We cannot unref with holding key_sad.lock */
-	KEY_SA_UNREF();
-
-	mutex_enter(_sad.lock);
+	KASSERT(sav->state == SADB_SASTATE_DEAD);
 	KDASSERT(mutex_ownable(softnet_lock));
 	key_sad_pserialize_perform();
 	localcount_drain(>localcount, _sad.cv_lc, _sad.lock);
 	mutex_exit(_sad.lock);
-
-	key_destroy_sav(sav);
 }
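Review bot: key_wait_sav() asserts `sav->state == SADB_SASTATE_DEAD` and assumes the caller has already unlinked the entry; that contract is only implied by the name, so the header comment should say "caller must have marked sav DEAD and removed it from the SAV lists under key_sad.lock". It is also a sleeping function (ASSERT_SLEEPABLE, localcount_drain() with a condvar), so the `KDASSERT(mutex_ownable(softnet_lock))` that survives from the old function is doing real work: keep it.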
 
 /* %%% SPD management */
@@ -3534,6 +3524,38 @@ out:
 }
 
 /*
+ * Search SAD litmited alive SA by an SPI and remove it from a list.
+ * OUT:
+ *	NULL	: not found
+ *	others	: found, pointer to a SA.
+ */
+static struct secasvar *
+key_lookup_and_remove_sav(struct secashead *sah, u_int32_t spi)
+{
+	struct secasvar *sav = NULL;
+	u_int state;
+
+	/* search all status */
+	mutex_enter(_sad.lock);
+	SASTATE_ALIVE_FOREACH(state) {
+		SAVLIST_WRITER_FOREACH(sav, sah, state) {
+			KASSERT(sav->state == state);
+
+			if (sav->spi == spi) {
+sav->state = SADB_SASTATE_DEAD;
+SAVLIST_WRITER_REMOVE(sav);
+SAVLUT_WRITER_REMOVE(sav);
+goto out;
+			}
+		}
+	}
+out:
+	mutex_exit(_sad.lock);
+
+	return sav;
+}
+
+/*
  * Free allocated data to member variables of sav:
  * sav->replay, sav->key_* and sav->lft_*.
  */
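Review bot: "litmited" in the header comment is a typo, and the sentence would be clearer as "Search the alive SAs of a SAH for one with the given SPI and remove it from its lists". The not-found return also relies on SAVLIST_WRITER_FOREACH leaving `sav` NULL when the inner loop runs off the end of the last state's list; that holds for pslist-style FOREACH macros but is fragile against a later `break`, so either set `sav = NULL` explicitly after the loops or return through a separate `found` variable. The mark-DEAD-and-unlink done under a single hold of key_sad.lock is the actual fix for the double removal the log describes.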
@@ -5628,7 +5650,7 @@ key_api_update(struct socket *so, struct
 	const struct sockaddr *src, *dst;
 	struct secasindex saidx;
 	struct secashead *sah;
-	struct secasvar *sav, *newsav;
+	struct secasvar *sav, *newsav, *oldsav;
 	u_int16_t proto;
 	u_int8_t mode;
 	u_int16_t reqid;
@@ -5781,12 +5803,25 @@ key_api_update(struct socket *so, struct
 	mutex_exit(_sad.lock);
 	key_validate_savlist(sah, SADB_SASTATE_MATURE);
 
+	/*
+	 * We need to lookup and remove the sav atomically, so get it again
+	 * here by a special API while we have a reference to it.
+	 */
+	oldsav = key_lookup_and_remove_sav(sah, sa0->sadb_sa_spi);
+	/* We can release the reference because of oldsav */
+	KEY_SA_UNREF();
+	if (oldsav == NULL) {
+		/* Someone has already removed the sav.  Nothing to do. */
+	} else {
+		key_wait_sav(oldsav);
+		key_destroy_sav(oldsav);
+		oldsav = NULL;
+	}
+	sav = NULL;
+
 	key_sah_unref(sah);
 	sah = NULL;
 
-	key_destroy_sav_with_ref(sav);
-	sav = NULL;
-
 {
 	struct mbuf *n;
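Review bot: the `oldsav = NULL;` after key_destroy_sav(oldsav) is dead (oldsav is not read again in this hunk), and the empty `if (oldsav == NULL) { /* comment */ } else { ... }` reads better inverted as `if (oldsav != NULL) { key_wait_sav(oldsav); key_destroy_sav(oldsav); }` with the "someone has already removed the sav" remark kept as a comment. The sequence itself is correct: the reference on sav is dropped right after the atomic unlink, so the later localcount_drain() in key_wait_sav() is not waiting on this function's own reference.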
 
@@ -6187,7 +6222,7 @@ key_api_delete(struct socket *so, struct
 	sah = key_getsah_ref(, CMP_HEAD);
 	if (sah != NULL) {
 		/* get a SA with SPI. 

CVS commit: src/sys/netipsec

2019-07-17 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Wed Jul 17 07:07:59 UTC 2019

Modified Files:
src/sys/netipsec: key.c

Log Message:
Avoid a race condition between SA (sav) manipulations

An sav can be removed from belonging list(s) twice resulting in an assertion
failure of pslist.  It can occur if the following two operations interleave:
(i) a deletion or an update of an SA via the API, and
(ii) a state change (key_sa_chgstate) of the same SA by the timer.
Note that even (ii) removes an sav once from its list(s) on an update.

The cause of the race condition is that the two operations are not serialized
and (i) doesn't get and remove an sav from belonging list(s) atomically.  So
(ii) can be inserted between an acquisition and a removal of (i).

Avoid the race condition by making (i) atomic.


To generate a diff of this commit:
cvs rdiff -u -r1.263 -r1.264 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/sys/netipsec

2019-07-09 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Jul  9 16:56:24 UTC 2019

Modified Files:
src/sys/netipsec: ipsec.c

Log Message:
Fix uninitialized variable: in ipsec_checkpcbcache(), spidx.dir is not
initialized, and the padding of the spidx structure is not initialized
either. This causes the memcmp() to wrongfully fail.

Change ipsec_setspidx() to always initialize spidx.dir and zero out the
padding.

ok ozaki-r@


To generate a diff of this commit:
cvs rdiff -u -r1.168 -r1.169 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.168 src/sys/netipsec/ipsec.c:1.169
--- src/sys/netipsec/ipsec.c:1.168	Sun Jan 27 02:08:48 2019
+++ src/sys/netipsec/ipsec.c	Tue Jul  9 16:56:24 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.168 2019/01/27 02:08:48 pgoyette Exp $ */
+/* $NetBSD: ipsec.c,v 1.169 2019/07/09 16:56:24 maxv Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.168 2019/01/27 02:08:48 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.169 2019/07/09 16:56:24 maxv Exp $");
 
 /*
  * IPsec controller part.
@@ -172,7 +172,7 @@ int ip6_ipsec_ecn = 0;		/* ECN ignore(-1
 #endif
 
 static int ipsec_setspidx_inpcb(struct mbuf *, void *);
-static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int);
+static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int, int);
 static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
 static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
 #ifdef INET6
@@ -220,7 +220,7 @@ ipsec_checkpcbcache(struct mbuf *m, stru
 	}
 	if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
 		/* NB: assume ipsec_setspidx never sleep */
-		if (ipsec_setspidx(m, , 1) != 0) {
+		if (ipsec_setspidx(m, , dir, 1) != 0) {
 			sp = NULL;
 			goto out;
 		}
@@ -269,7 +269,7 @@ ipsec_fillpcbcache(struct inpcbpolicy *p
 
 	pcbsp->sp_cache[dir].cachesp = NULL;
 	pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_UNKNOWN;
-	if (ipsec_setspidx(m, >sp_cache[dir].cacheidx, 1) != 0) {
+	if (ipsec_setspidx(m, >sp_cache[dir].cacheidx, dir, 1) != 0) {
 		return EINVAL;
 	}
 	pcbsp->sp_cache[dir].cachesp = sp;
@@ -537,7 +537,7 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_
 	sp = NULL;
 
 	/* Make an index to look for a policy. */
-	*error = ipsec_setspidx(m, , (flag & IP_FORWARDING) ? 0 : 1);
+	*error = ipsec_setspidx(m, , dir, (flag & IP_FORWARDING) ? 0 : 1);
 	if (*error != 0) {
 		IPSECLOG(LOG_DEBUG, "setpidx failed, dir %u flag %u\n", dir, flag);
 		memset(, 0, sizeof(spidx));
@@ -791,9 +791,9 @@ ipsec_setspidx_inpcb(struct mbuf *m, voi
 	KASSERT(inph->inph_sp->sp_out != NULL);
 	KASSERT(inph->inph_sp->sp_in != NULL);
 
-	error = ipsec_setspidx(m, >inph_sp->sp_in->spidx, 1);
+	error = ipsec_setspidx(m, >inph_sp->sp_in->spidx,
+	IPSEC_DIR_INBOUND, 1);
 	if (error == 0) {
-		inph->inph_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND;
 		inph->inph_sp->sp_out->spidx = inph->inph_sp->sp_in->spidx;
 		inph->inph_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND;
 	} else {
@@ -811,7 +811,8 @@ ipsec_setspidx_inpcb(struct mbuf *m, voi
  * the caller is responsible for error recovery (like clearing up spidx).
  */
 static int
-ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
+ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int dir,
+int needport)
 {
 	struct ip *ip = NULL;
 	struct ip ipbuf;
@@ -828,6 +829,9 @@ ipsec_setspidx(struct mbuf *m, struct se
 		return EINVAL;
 	}
 
+	memset(spidx, 0, sizeof(*spidx));
+	spidx->dir = dir;
+
 	if (m->m_len >= sizeof(*ip)) {
 		ip = mtod(m, struct ip *);
 	} else {
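Review bot: the new memset() and `spidx->dir = dir` sit after the early `return EINVAL` at the top of ipsec_setspidx(), so on that path the index is still left exactly as the caller passed it. That is consistent with the function comment ("the caller is responsible for error recovery (like clearing up spidx)"), and ipsec_getpolicybyaddr() does memset its copy on error, while ipsec_checkpcbcache() and ipsec_fillpcbcache() only act on the return value and never read the index afterwards, so nothing is wrong today. Moving the memset above the early return would make the "always initialize" promise in the log message hold on every path at no cost.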

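The uninitialized-padding failure described in the commit above, shown as a stand-alone C program. This is an added example, not code from NetBSD or from the commit: `struct spidx_demo` is a constructed stand-in for `struct secpolicyindex` with the same kind of layout (a one-byte `dir` ahead of wider fields), and the stale padding byte is written explicitly so the outcome does not depend on what a reused buffer happened to hold.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed stand-in for struct secpolicyindex (not NetBSD's definition):
 * the one-byte `dir` ahead of a four-byte field forces padding after it,
 * and member-wise initialisation never writes those bytes.
 */
struct spidx_demo {
	uint8_t  dir;
	uint32_t src;
	uint32_t dst;
	uint8_t  prefs;
	uint8_t  prefd;
	uint16_t ul_proto;
};

/* Bytes in the object that no member covers (3 on the common ABIs). */
static size_t
padding_bytes(void)
{
	return sizeof(struct spidx_demo) - (1 + 4 + 4 + 1 + 1 + 2);
}

/* Member-wise fill, as before the fix: padding keeps whatever was there. */
static void
fill_fields_only(struct spidx_demo *p, uint8_t dir, uint32_t src, uint32_t dst)
{
	p->dir = dir;
	p->src = src;
	p->dst = dst;
	p->prefs = 32;
	p->prefd = 32;
	p->ul_proto = 0;
}

/* As after the fix: zero the whole object first, then fill the members. */
static void
fill_zeroed(struct spidx_demo *p, uint8_t dir, uint32_t src, uint32_t dst)
{
	memset(p, 0, sizeof(*p));
	fill_fields_only(p, dir, src, dst);
}

/* The cache comparison: whole-object memcmp, padding included. */
static int
indexes_equal(const struct spidx_demo *a, const struct spidx_demo *b)
{
	return memcmp(a, b, sizeof(*a)) == 0;
}

/* Member-wise comparison, for contrast. */
static int
fields_match(const struct spidx_demo *a, const struct spidx_demo *b)
{
	return a->dir == b->dir && a->src == b->src && a->dst == b->dst &&
	    a->prefs == b->prefs && a->prefd == b->prefd &&
	    a->ul_proto == b->ul_proto;
}

/*
 * Failure mode: a cached index whose padding holds a stale byte (written
 * explicitly here so the result is deterministic) compares unequal to a
 * fresh one although every member matches. Returns 1 when observed.
 */
static int
demo_stale_padding(void)
{
	struct spidx_demo cached, key;

	if (offsetof(struct spidx_demo, src) < 2)
		return 0;	/* no padding after dir on this ABI: nothing to show */
	fill_zeroed(&cached, 1, 0x0a000001, 0x0a000002);
	fill_zeroed(&key, 1, 0x0a000001, 0x0a000002);
	((unsigned char *)&cached)[1] = 0xAA;	/* constructed stale padding byte */
	return fields_match(&cached, &key) && !indexes_equal(&cached, &key);
}

/* With both sides zeroed first, memcmp and the member-wise check agree. */
static int
demo_zeroed_padding(void)
{
	struct spidx_demo cached, key;

	fill_zeroed(&cached, 1, 0x0a000001, 0x0a000002);
	fill_zeroed(&key, 1, 0x0a000001, 0x0a000002);
	return fields_match(&cached, &key) && indexes_equal(&cached, &key);
}
```

`padding_bytes()` reports how many bytes a whole-object memcmp compares that no member write defines. `fill_zeroed()` is the shape of the fix in the hunk above (memset the whole struct, then set the members); a whole-struct copy of such an index, like the `sp_out->spidx = sp_in->spidx` assignment in ipsec_setspidx_inpcb(), then carries defined padding with it.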


CVS commit: src/sys/netipsec

2019-06-12 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Jun 12 22:23:50 UTC 2019

Modified Files:
src/sys/netipsec: ipsec.h keysock.c xform_ah.c xform_esp.c
xform_ipcomp.c xform_ipip.c xform_tcp.c

Log Message:
make DPRINTF use variadic cpp macros, and merge with IPSECLOG.


To generate a diff of this commit:
cvs rdiff -u -r1.87 -r1.88 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.69 -r1.70 src/sys/netipsec/keysock.c
cvs rdiff -u -r1.107 -r1.108 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.97 -r1.98 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/xform_ipcomp.c
cvs rdiff -u -r1.75 -r1.76 src/sys/netipsec/xform_ipip.c
cvs rdiff -u -r1.22 -r1.23 src/sys/netipsec/xform_tcp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.87 src/sys/netipsec/ipsec.h:1.88
--- src/sys/netipsec/ipsec.h:1.87	Wed Jan 16 21:47:15 2019
+++ src/sys/netipsec/ipsec.h	Wed Jun 12 18:23:50 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.87 2019/01/17 02:47:15 knakahara Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.88 2019/06/12 22:23:50 christos Exp $	*/
 /*	$FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -237,13 +237,17 @@ extern int crypto_support;
 
 #include 
 
-#define	DPRINTF(x)	do { if (ipsec_debug) printf x; } while (0)
+#define	DPRINTF(fmt, args...) 		\
+	do {\
+		if (ipsec_debug)	\
+			log(LOG_DEBUG, "%s: " fmt, __func__, ##args);	\
+	} while (/*CONSTCOND*/0)
 
 #define IPSECLOG(level, fmt, args...) 	\
 	do {\
 		if (ipsec_debug)	\
 			log(level, "%s: " fmt, __func__, ##args);	\
-	} while (0)
+	} while (/*CONSTCOND*/0)
 
 #define ipsec_indone(m)	\
 	((m->m_flags & M_AUTHIPHDR) || (m->m_flags & M_DECRYPTED))
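Review bot: after this change DPRINTF(fmt, args...) is exactly IPSECLOG(LOG_DEBUG, fmt, args...), so defining it as `#define DPRINTF(fmt, args...) IPSECLOG(LOG_DEBUG, fmt, ##args)` would avoid keeping two copies of the same body in sync. Two behaviour changes deserve a mention in the log message: debug output now goes through log() (kernel message buffer and syslog) rather than printf, and a `__func__: ` prefix is added automatically, so any caller that still passes its own `__func__` or uses the old double-parenthesis form either fails to compile or prints the function name twice (the xform_ah.c hunks below drop both).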

Index: src/sys/netipsec/keysock.c
diff -u src/sys/netipsec/keysock.c:1.69 src/sys/netipsec/keysock.c:1.70
--- src/sys/netipsec/keysock.c:1.69	Tue Feb 26 01:52:34 2019
+++ src/sys/netipsec/keysock.c	Wed Jun 12 18:23:50 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: keysock.c,v 1.69 2019/02/26 06:52:34 maxv Exp $	*/
+/*	$NetBSD: keysock.c,v 1.70 2019/06/12 22:23:50 christos Exp $	*/
 /*	$FreeBSD: keysock.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: keysock.c,v 1.25 2001/08/13 20:07:41 itojun Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: keysock.c,v 1.69 2019/02/26 06:52:34 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: keysock.c,v 1.70 2019/06/12 22:23:50 christos Exp $");
 
 /* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */
 
@@ -437,7 +437,7 @@ key_accept(struct socket *so, struct soc
 {
 	KASSERT(solocked(so));
 
-	panic("key_accept");
+	panic("%s: unsupported", __func__);
 
 	return EOPNOTSUPP;
 }
@@ -513,7 +513,7 @@ key_abort(struct socket *so)
 {
 	KASSERT(solocked(so));
 
-	panic("key_abort");
+	panic("%s: unsupported", __func__);
 
 	return EOPNOTSUPP;
 }
@@ -612,7 +612,7 @@ static int
 key_purgeif(struct socket *so, struct ifnet *ifa)
 {
 
-	panic("key_purgeif");
+	panic("%s: unsupported", __func__);
 
 	return EOPNOTSUPP;
 }

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.107 src/sys/netipsec/xform_ah.c:1.108
--- src/sys/netipsec/xform_ah.c:1.107	Sat Jan 26 21:08:48 2019
+++ src/sys/netipsec/xform_ah.c	Wed Jun 12 18:23:50 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.107 2019/01/27 02:08:48 pgoyette Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.108 2019/06/12 22:23:50 christos Exp $	*/
 /*	$FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.107 2019/01/27 02:08:48 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.108 2019/06/12 22:23:50 christos Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -201,8 +201,8 @@ ah_init0(struct secasvar *sav, const str
 
 	thash = ah_algorithm_lookup(sav->alg_auth);
 	if (thash == NULL) {
-		DPRINTF(("%s: unsupported authentication algorithm %u\n",
-			__func__, sav->alg_auth));
+		DPRINTF("unsupported authentication algorithm %u\n",
+		sav->alg_auth);
 		return EINVAL;
 	}
 	/*
@@ -212,22 +212,22 @@ ah_init0(struct secasvar *sav, const str
 	 */
 	/* NB: replay state is setup elsewhere (sigh) */
 	if (((sav->flags_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
-		DPRINTF(("%s: replay state block inconsistency, "
-			"%s algorithm %s replay state\n", __func__,
-			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
-			sav->replay == NULL ? "without" : "with"));
+		DPRINTF("replay state block inconsistency, "
+		"%s algorithm %s replay state\n",
+		(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
+		sav->replay == NULL ? "without" : "with");
 		return EINVAL;
 	}
 	if (sav->key_auth == NULL) {
-		DPRINTF(("%s: no authentication key for %s 


CVS commit: src/sys/netipsec

2019-06-12 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Jun 12 22:23:07 UTC 2019

Modified Files:
src/sys/netipsec: key.c

Log Message:
fix typo in comment, improve error message, add default case handling to
set error.


To generate a diff of this commit:
cvs rdiff -u -r1.262 -r1.263 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.262 src/sys/netipsec/key.c:1.263
--- src/sys/netipsec/key.c:1.262	Tue Jun 11 21:32:30 2019
+++ src/sys/netipsec/key.c	Wed Jun 12 18:23:06 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.262 2019/06/12 01:32:30 christos Exp $	*/
+/*	$NetBSD: key.c,v 1.263 2019/06/12 22:23:06 christos Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.262 2019/06/12 01:32:30 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.263 2019/06/12 22:23:06 christos Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -3276,7 +3276,7 @@ key_destroy_sah(struct secashead *sah)
  * When SAD message type is GETSPI:
  *	to set sequence number from acq_seq++,
  *	to set zero to SPI.
- *	not to call key_setsava().
+ *	not to call key_setsaval().
  * OUT:	NULL	: fail
  *	others	: pointer to new secasvar.
  *
@@ -3700,10 +3700,13 @@ key_setsaval(struct secasvar *sav, struc
 	case SADB_X_SATYPE_TCPSIGNATURE:
 		error = xform_init(sav, XF_TCPSIGNATURE);
 		break;
+	default:
+		error = EOPNOTSUPP;
+		break;
 	}
 	if (error) {
-		IPSECLOG(LOG_DEBUG, "unable to initialize SA type %u.\n",
-		mhp->msg->sadb_msg_satype);
+		IPSECLOG(LOG_DEBUG, "unable to initialize SA type %u (%d)\n",
+		mhp->msg->sadb_msg_satype, error);
 		goto fail;
 	}
 



CVS commit: src/sys/netipsec

2019-06-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Jun 12 01:32:30 UTC 2019

Modified Files:
src/sys/netipsec: key.c

Log Message:
Fix double free: key_setsaval() frees newsav by calling key_freesaval()
and key_api_update() calls key_delsav() when key_setsaval() fails which
calls key_freesaval() again...


To generate a diff of this commit:
cvs rdiff -u -r1.261 -r1.262 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.261 src/sys/netipsec/key.c:1.262
--- src/sys/netipsec/key.c:1.261	Sat Jan 26 21:08:48 2019
+++ src/sys/netipsec/key.c	Tue Jun 11 21:32:30 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.261 2019/01/27 02:08:48 pgoyette Exp $	*/
+/*	$NetBSD: key.c,v 1.262 2019/06/12 01:32:30 christos Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.261 2019/01/27 02:08:48 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.262 2019/06/12 01:32:30 christos Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -5753,7 +5753,7 @@ key_api_update(struct socket *so, struct
 
 	error = key_setsaval(newsav, m, mhp);
 	if (error) {
-		key_delsav(newsav);
+		kmem_free(newsav, sizeof(*newsav));
 		goto error;
 	}
 
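Review bot: replacing key_delsav(newsav) with a bare kmem_free() depends on key_setsaval() having released every member (replay, key_auth, key_enc) on its failure path, which is not visible at this call site; a comment such as `/* key_setsaval() already freed newsav's members */` would stop a later reader from reinstating key_delsav() to fix an apparent leak. A more robust follow-up is for key_freesaval() to reset each pointer it frees to NULL, so that a second release becomes a no-op instead of a double free.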

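The ownership rule behind the fix, as an added C example rather than the kernel code: `struct sav_demo` is a constructed stand-in for the members key_freesaval() releases, `setsaval_failing()` plays key_setsaval()'s failure path (release the members, return an errno), and a tracking free counts repeat releases instead of passing them to free(). Three caller shapes are compared: the pre-r1.262 one (key_delsav() releasing the members a second time), the fixed one (free only the container), and the old caller paired with a release routine that resets the pointers it frees. All function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the members key_freesaval() releases. */
struct sav_demo {
	void *replay;
	void *key_auth;
	void *key_enc;
};

/*
 * Tracking free: remembers each released pointer and counts a repeat instead
 * of passing it to free() a second time (undefined behaviour in real code).
 */
#define TRACK_MAX 16
static uintptr_t freed_ptrs[TRACK_MAX];
static int nfreed;
static int double_frees;

static void
tracked_free(void *p)
{
	uintptr_t key = (uintptr_t)p;

	for (int i = 0; i < nfreed; i++) {
		if (freed_ptrs[i] == key) {
			double_frees++;
			return;
		}
	}
	if (nfreed < TRACK_MAX)
		freed_ptrs[nfreed++] = key;
	free(p);
}

/* Member release as in the report: frees, but leaves the pointers dangling. */
static void
freesaval_old(struct sav_demo *sav)
{
	if (sav->replay != NULL)
		tracked_free(sav->replay);
	if (sav->key_auth != NULL)
		tracked_free(sav->key_auth);
	if (sav->key_enc != NULL)
		tracked_free(sav->key_enc);
}

/* Hardened release: same frees, then reset so a repeat call is a no-op. */
static void
freesaval_hardened(struct sav_demo *sav)
{
	freesaval_old(sav);
	sav->replay = sav->key_auth = sav->key_enc = NULL;
}

/*
 * key_setsaval() analogue: allocate the members, hit a simulated
 * xform_init() failure, release what was allocated and return the error.
 */
static int
setsaval_failing(struct sav_demo *sav, void (*release)(struct sav_demo *))
{
	sav->replay = malloc(64);
	sav->key_auth = malloc(32);
	sav->key_enc = malloc(32);
	release(sav);
	return EINVAL;
}

/*
 * key_api_update() failure path. `delsav_style` selects the pre-r1.262 shape
 * (release the members again, as key_delsav() did) or the fixed shape (free
 * only the container). Returns the number of double frees observed.
 */
static int
update_failure_path(void (*release)(struct sav_demo *), int delsav_style)
{
	struct sav_demo *newsav = calloc(1, sizeof(*newsav));

	if (newsav == NULL)
		return -1;
	nfreed = 0;
	double_frees = 0;
	if (setsaval_failing(newsav, release) != 0) {
		if (delsav_style)
			release(newsav);
		free(newsav);
	}
	return double_frees;
}

/* Before the fix: every member freed twice.  After it: container only.
 * Old caller with the hardened release: the repeat finds nothing to free. */
static int update_before_fix(void) { return update_failure_path(freesaval_old, 1); }
static int update_after_fix(void) { return update_failure_path(freesaval_old, 0); }
static int update_with_hardened_release(void) { return update_failure_path(freesaval_hardened, 1); }
```

The commit takes the first route (the caller stops releasing the members). The third scenario shows why resetting pointers inside the release routine is worth having as well: it makes the release idempotent, so a caller that is later changed back, or another path that releases the same object, cannot reintroduce the double free.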



Re: CVS commit: src/sys/netipsec

2018-05-14 Thread Maxime Villard

Le 14/05/2018 à 04:16, Ryota Ozaki a écrit :

Module Name:src
Committed By:   ozaki-r
Date:   Mon May 14 02:16:30 UTC 2018

Modified Files:
src/sys/netipsec: xform_tcp.c

Log Message:
Restore TCP header inclusions for TCP_SIGNATURE


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/netipsec/xform_tcp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


arrrfff yes this file doesn't get built by default, phew


Re: CVS commit: src/sys/netipsec

2016-03-07 Thread Christos Zoulas
On Mar 7,  7:36pm, ja...@uninett.no (Jarle Greipsland) wrote:
-- Subject: Re: CVS commit: src/sys/netipsec

| "Christos Zoulas" <chris...@netbsd.org> writes:
| > Module Name:src
| > Committed By:   christos
| > Date:   Sat Mar  5 20:13:40 UTC 2016
| > 
| > Modified Files:
| > src/sys/netipsec: key.c
| > 
| > Log Message:
| > Fix port matching; we need to ignore ports when they are 0 not only in
| > the second saidx but the first one too. Fixes NAT-T issue with NetBSD
| > being the host behind NAT.
| Will this fix also resolve bin/47894?  Or is that one an entirely
| different beast?

I am not sure. From the log it does not seem that it fails to complete
find the saidx entry for it. But I would definitely give it a try, because
being behind NAT was not working for me before and now it is. I also have
a much better clue how to debug the problem now :-)

christos


Re: CVS commit: src/sys/netipsec

2016-03-07 Thread Jarle Greipsland
"Christos Zoulas"  writes:
> Module Name:  src
> Committed By: christos
> Date: Sat Mar  5 20:13:40 UTC 2016
> 
> Modified Files:
>   src/sys/netipsec: key.c
> 
> Log Message:
> Fix port matching; we need to ignore ports when they are 0 not only in
> the second saidx but the first one too. Fixes NAT-T issue with NetBSD
> being the host behind NAT.
Will this fix also resolve bin/47894?  Or is that one an entirely
different beast?
-jarle


Re: CVS commit: src/sys/netipsec

2009-07-31 Thread Soren Jacobsen

On Jul 30, 2009, at 8:02 PM, Erik Fair wrote:



On Jul 30, 2009, at 07:41, Jonathan A. Kollasch wrote:


Module Name:src
Committed By:   jakllsch
Date:   Thu Jul 30 14:41:59 UTC 2009

Modified Files:
src/sys/netipsec: ipsec.c

Log Message:
As explained in kern/41701 there's a missing splx() here.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Has a pullup request for the netbsd-5 branch been submitted?


Yes.