CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Mon Oct 5 09:51:25 UTC 2020 Modified Files: src/sys/netipsec: xform_esp.c Log Message: Make sequence number of esp header MP-safe for IPsec Tx side. reviewed by ozaki-r@n.o In IPsec Tx side, one Security Association can be used by multiple CPUs. On the other hand, in IPsec Rx side, one Security Association is used by only one CPU. XXX pullup-{8,9} To generate a diff of this commit: cvs rdiff -u -r1.100 -r1.101 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.100 src/sys/netipsec/xform_esp.c:1.101 --- src/sys/netipsec/xform_esp.c:1.100 Tue Jun 30 04:14:55 2020 +++ src/sys/netipsec/xform_esp.c Mon Oct 5 09:51:25 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.100 2020/06/30 04:14:55 riastradh Exp $ */ +/* $NetBSD: xform_esp.c,v 1.101 2020/10/05 09:51:25 knakahara Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.100 2020/06/30 04:14:55 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.101 2020/10/05 09:51:25 knakahara Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -796,11 +796,12 @@ esp_output(struct mbuf *m, const struct #ifdef IPSEC_DEBUG /* Emulate replay attack when ipsec_replay is TRUE. */ - if (!ipsec_replay) + if (ipsec_replay) + replay = htonl(sav->replay->count); + else #endif - sav->replay->count++; + replay = htonl(atomic_inc_32_nv(&sav->replay->count)); - replay = htonl(sav->replay->count); memcpy(mtod(mo,char *) + roff + sizeof(uint32_t), &replay, sizeof(uint32_t)); }
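Review bot: The new `replay = htonl(atomic_inc_32_nv(&sav->replay->count));` makes the increment race-free, but it still stores whatever comes back, including 0 once the 32-bit counter wraps; RFC 4303 forbids a sender from letting the sequence number cycle unless ESN is in use, because the peer's anti-replay window then accepts or rejects packets arbitrarily. If the wrap is not caught elsewhere (lifetime expiry in key.c is a plausible place, but it is not visible here), the returned value should be examined before use: `uint32_t seq = atomic_inc_32_nv(&sav->replay->count); if (seq == 0) { /* sequence space exhausted: fail this packet, SA must be rekeyed */ }` and then `replay = htonl(seq);`. The `else` that now straddles the `#ifdef IPSEC_DEBUG` block is also easy to misread; keeping the debug emulation entirely inside the `#ifdef`, or bracing both arms, would be clearer. esp_output starts and ends outside the hunk.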
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Fri Mar 13 06:55:35 UTC 2020 Modified Files: src/sys/netipsec: key.c Log Message: Fix kern/55066. Pointed out and fixed by Chuck Zmudzinski, thanks. ok'ed by ozaki-r@n.o To generate a diff of this commit: cvs rdiff -u -r1.270 -r1.271 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.270 src/sys/netipsec/key.c:1.271 --- src/sys/netipsec/key.c:1.270 Fri Feb 7 12:35:33 2020 +++ src/sys/netipsec/key.c Fri Mar 13 06:55:35 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.270 2020/02/07 12:35:33 thorpej Exp $ */ +/* $NetBSD: key.c,v 1.271 2020/03/13 06:55:35 knakahara Exp $ */ /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.270 2020/02/07 12:35:33 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.271 2020/03/13 06:55:35 knakahara Exp $"); /* * This code is referred to RFC 2367 @@ -4770,7 +4770,7 @@ key_portcomp(in_port_t port1, in_port_t case PORT_STRICT: if (port1 != port2) { KEYDEBUG_PRINTF(KEYDEBUG_MATCH, - "port fail %d != %d\n", port1, port2); + "port fail %d != %d\n", ntohs(port1), ntohs(port2)); return 1; } return 0; @@ -4822,9 +4822,9 @@ key_sockaddr_match( KEYDEBUG_PRINTF(KEYDEBUG_MATCH, "addr success %s[%d] == %s[%d]\n", (in_print(s1, sizeof(s1), &sin1->sin_addr), s1), - sin1->sin_port, + ntohs(sin1->sin_port), (in_print(s2, sizeof(s2), &sin2->sin_addr), s2), - sin2->sin_port); + ntohs(sin2->sin_port)); break; case AF_INET6: sin61 = (const struct sockaddr_in6 *)sa1;
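Review bot: Both hunks now print `ntohs(port)` with `%d`, although ntohs() yields an unsigned 16-bit value; `%u` matches the type and avoids relying on integer promotion to make the format correct, e.g. `"port fail %u != %u\n", ntohs(port1), ntohs(port2)` in key_portcomp and the same change in key_sockaddr_match. The fix itself (printing host order in a debug message) is otherwise fine.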
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Fri Jan 31 06:54:19 UTC 2020 Modified Files: src/sys/netipsec: ipsecif.c Log Message: Fix IPv6 over IPv4 ipsecif(4) uses IPv4 SP wrongly. Pointed out by ohishi@IIJ. XXX pullup-8, pullup-9 To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/sys/netipsec/ipsecif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsecif.c diff -u src/sys/netipsec/ipsecif.c:1.18 src/sys/netipsec/ipsecif.c:1.19 --- src/sys/netipsec/ipsecif.c:1.18 Fri Nov 1 04:28:14 2019 +++ src/sys/netipsec/ipsecif.c Fri Jan 31 06:54:19 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsecif.c,v 1.18 2019/11/01 04:28:14 knakahara Exp $ */ +/* $NetBSD: ipsecif.c,v 1.19 2020/01/31 06:54:19 knakahara Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.18 2019/11/01 04:28:14 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.19 2020/01/31 06:54:19 knakahara Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -380,7 +380,17 @@ ipsecif4_output(struct ipsec_variant *va KASSERT(var->iv_psrc->sa_family == AF_INET); KASSERT(var->iv_pdst->sa_family == AF_INET); - sp = IV_SP_OUT(var); + switch (family) { + case AF_INET: + sp = IV_SP_OUT(var); + break; + case AF_INET6: + sp = IV_SP_OUT6(var); + break; + default: + m_freem(m); + return EAFNOSUPPORT; + } KASSERT(sp != NULL); /* * The SPs in ipsec_variant are prevented from freed by
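Review bot: The `default:` arm of the new switch frees the mbuf and returns EAFNOSUPPORT directly, whereas the rest of ipsecif4_output reports failures as `error = ...; goto done;` (visible in rev 1.12 of the same function elsewhere on this page); if `done:` still performs cleanup, this early return skips it. `error = EAFNOSUPPORT; goto done;` after the `m_freem(m);` keeps a single exit path, assuming the label still exists at rev 1.19, which cannot be confirmed from this hunk. The existing `KASSERT(sp != NULL);` now also covers `IV_SP_OUT6(var)`; if a variant can be configured with an IPv4 SP but no IPv6 SP, a runtime drop would be safer than a panic. The function starts and ends outside the hunk.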
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Fri Apr 12 07:12:12 UTC 2019 Modified Files: src/sys/netipsec: ipsecif.c Log Message: remove a variable which is no longer used. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/sys/netipsec/ipsecif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsecif.c diff -u src/sys/netipsec/ipsecif.c:1.14 src/sys/netipsec/ipsecif.c:1.15 --- src/sys/netipsec/ipsecif.c:1.14 Mon Mar 18 11:38:03 2019 +++ src/sys/netipsec/ipsecif.c Fri Apr 12 07:12:12 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsecif.c,v 1.14 2019/03/18 11:38:03 msaitoh Exp $ */ +/* $NetBSD: ipsecif.c,v 1.15 2019/04/12 07:12:12 knakahara Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.14 2019/03/18 11:38:03 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.15 2019/04/12 07:12:12 knakahara Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -921,17 +921,11 @@ ipsecif4_detach(struct ipsec_variant *va int ipsecif6_attach(struct ipsec_variant *var) { - struct sockaddr_in6 mask6; struct ipsec_softc *sc = var->iv_softc; KASSERT(if_ipsec_variant_is_configured(var)); KASSERT(var->iv_encap_cookie6 == NULL); - memset(&mask6, 0, sizeof(mask6)); - mask6.sin6_len = sizeof(struct sockaddr_in6); - mask6.sin6_addr.s6_addr32[0] = mask6.sin6_addr.s6_addr32[1] = - mask6.sin6_addr.s6_addr32[2] = mask6.sin6_addr.s6_addr32[3] = ~0; - var->iv_encap_cookie6 = encap_attach_func(AF_INET6, -1, if_ipsec_encap_func, &ipsecif6_encapsw, sc); if (var->iv_encap_cookie6 == NULL)
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Feb 26 06:52:34 UTC 2019 Modified Files: src/sys/netipsec: keysock.c Log Message: Fix locking: it is fine if the lock is already key_so_mtx, this can happen in socketpair. In that case don't take it. Ok ozaki-r@ Reported-by: syzbot+901e2e5edaaaed21c...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.69 src/sys/netipsec/keysock.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/keysock.c diff -u src/sys/netipsec/keysock.c:1.68 src/sys/netipsec/keysock.c:1.69 --- src/sys/netipsec/keysock.c:1.68 Sun Jan 27 02:08:48 2019 +++ src/sys/netipsec/keysock.c Tue Feb 26 06:52:34 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: keysock.c,v 1.68 2019/01/27 02:08:48 pgoyette Exp $ */ +/* $NetBSD: keysock.c,v 1.69 2019/02/26 06:52:34 maxv Exp $ */ /* $FreeBSD: keysock.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $KAME: keysock.c,v 1.25 2001/08/13 20:07:41 itojun Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: keysock.c,v 1.68 2019/01/27 02:08:48 pgoyette Exp $"); +__KERNEL_RCSID(0, "$NetBSD: keysock.c,v 1.69 2019/02/26 06:52:34 maxv Exp $"); /* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */ @@ -383,10 +383,12 @@ key_attach(struct socket *so, int proto) s = splsoftnet(); - KASSERT(so->so_lock == NULL); - mutex_obj_hold(key_so_mtx); - so->so_lock = key_so_mtx; - solock(so); + if (so->so_lock != key_so_mtx) { + KASSERT(so->so_lock == NULL); + mutex_obj_hold(key_so_mtx); + so->so_lock = key_so_mtx; + solock(so); + } error = raw_attach(so, proto, &key_rawcb); if (error) {
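Review bot: When `so->so_lock` already equals key_so_mtx, the new branch skips `solock(so)` together with the hold, so `raw_attach(so, proto, &key_rawcb)` on the next line runs with the lock held only if the caller (socketpair, per the log message) already holds it; that invariant is worth asserting rather than assuming, e.g. an `else` arm containing `KASSERT(solocked(so));`. It is also worth confirming that the detach path does not release a reference this path never took; if it unconditionally drops one, the socketpair case leaves the mutex object's count unbalanced. key_attach continues beyond the hunk.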
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Wed Dec 26 08:58:51 UTC 2018 Modified Files: src/sys/netipsec: ipsec_output.c ipsecif.c key.c Log Message: ipsecif(4) supports multiple peers in the same NAPT. E.g. ipsec0 connects between NetBSD_A and NetBSD_B, ipsec1 connects NetBSD_A and NetBSD_C at the following figure. +--+ +| NetBSD_B | +--+ +--+ |+--+ | NetBSD_A |--- ... ---| NAPT |---+ +--+ +--+ |+--+ +| NetBSD_C | +--+ Add ATF later. To generate a diff of this commit: cvs rdiff -u -r1.81 -r1.82 src/sys/netipsec/ipsec_output.c cvs rdiff -u -r1.12 -r1.13 src/sys/netipsec/ipsecif.c cvs rdiff -u -r1.259 -r1.260 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.81 src/sys/netipsec/ipsec_output.c:1.82 --- src/sys/netipsec/ipsec_output.c:1.81 Thu Nov 22 04:48:34 2018 +++ src/sys/netipsec/ipsec_output.c Wed Dec 26 08:58:51 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.81 2018/11/22 04:48:34 knakahara Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.82 2018/12/26 08:58:51 knakahara Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.81 2018/11/22 04:48:34 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.82 2018/12/26 08:58:51 knakahara Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -289,6 +289,24 @@ static void ipsec_fill_saidx_bymbuf(struct secasindex *saidx, const struct mbuf *m, const int af) { + struct m_tag *mtag; + u_int16_t natt_src = IPSEC_PORT_ANY; + u_int16_t natt_dst = IPSEC_PORT_ANY; + + /* + * For NAT-T enabled ipsecif(4), set NAT-T port numbers + * even if the saidx uses transport mode. + * + * See also ipsecif[46]_output(). + */ + mtag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS); + if (mtag) { + u_int16_t *natt_ports; + + natt_ports = (u_int16_t *)(mtag + 1); + natt_src = natt_ports[1]; + natt_dst = natt_ports[0]; + } if (af == AF_INET) { struct sockaddr_in *sin; @@ -298,14 +316,14 @@ ipsec_fill_saidx_bymbuf(struct secasinde sin = &saidx->src.sin; sin->sin_len = sizeof(*sin); sin->sin_family = AF_INET; - sin->sin_port = IPSEC_PORT_ANY; + sin->sin_port = natt_src; sin->sin_addr = ip->ip_src; } if (saidx->dst.sa.sa_len == 0) { sin = &saidx->dst.sin; sin->sin_len = sizeof(*sin); sin->sin_family = AF_INET; - sin->sin_port = IPSEC_PORT_ANY; + sin->sin_port = natt_dst; sin->sin_addr = ip->ip_dst; } } else { @@ -316,7 +334,7 @@ ipsec_fill_saidx_bymbuf(struct secasinde sin6 = (struct sockaddr_in6 *)&saidx->src; sin6->sin6_len = sizeof(*sin6); sin6->sin6_family = AF_INET6; - sin6->sin6_port = IPSEC_PORT_ANY; + sin6->sin6_port = natt_src; sin6->sin6_addr = ip6->ip6_src; if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { /* fix scope id for comparing SPD */ @@ -329,7 +347,7 @@ ipsec_fill_saidx_bymbuf(struct secasinde sin6 = (struct sockaddr_in6 *)&saidx->dst; sin6->sin6_len = sizeof(*sin6); sin6->sin6_family = AF_INET6; - sin6->sin6_port = IPSEC_PORT_ANY; + sin6->sin6_port = natt_dst; sin6->sin6_addr = ip6->ip6_dst; if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { /* fix scope id for comparing SPD */ Index: src/sys/netipsec/ipsecif.c diff -u src/sys/netipsec/ipsecif.c:1.12 src/sys/netipsec/ipsecif.c:1.13 --- src/sys/netipsec/ipsecif.c:1.12 Fri Dec 7 09:11:04 2018 +++ src/sys/netipsec/ipsecif.c Wed Dec 26 08:58:51 2018 
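Review bot: The new tag parsing reads `natt_src = natt_ports[1]; natt_dst = natt_ports[0];`, the opposite element order from nat_t_ports_get() in ipsec_input.c (rev 1.72, later on this page), which takes element 0 as the source port; if this is deliberate because the tag written on the ipsecif output path holds the peer's ports, a comment saying so would stop the next reader from "fixing" it, and a shared pair of named indices would remove the ambiguity entirely. The cast `(u_int16_t *)(mtag + 1)` also assumes the tag payload holds two ports; `KASSERT(mtag->m_tag_len >= 2 * sizeof(u_int16_t));` makes that explicit in debug kernels. The same element-order question applies to the later hunks of this function, which continue outside the view.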
@@ -1,4 +1,4 @@ -/* $NetBSD: ipsecif.c,v 1.12 2018/12/07 09:11:04 knakahara Exp $ */ +/* $NetBSD: ipsecif.c,v 1.13 2018/12/26 08:58:51 knakahara Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.12 2018/12/07 09:11:04 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.13 2018/12/26 08:58:51 knakahara Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -71,6 +71,7 @@ __KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v #include +static int ipsecif_set_natt_ports(struct ipsec_variant *, struct mbuf *); static void ipsecif4_input(struct mbuf *, int, int, void *); static int ipsecif4_output(struct ipsec_variant *, int, struct mbuf *); static int ipsecif4_filter4(const struct ip *, struct ipsec_variant *, @@ -102,6 +103,32 @@ static const struct encapsw ipsecif4_enc static const struct encapsw ipsecif6_encapsw; #endif +static int +ipsecif_set_natt_ports(struct ipsec_variant *var, struct mbuf *m) +{ + + KASSERT(if_ipsec_heldref_variant(var)); + + if (var->iv_sport || va
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon Dec 24 15:57:15 UTC 2018 Modified Files: src/sys/netipsec: keysock.c keysock.h Log Message: Remove unused function. To generate a diff of this commit: cvs rdiff -u -r1.66 -r1.67 src/sys/netipsec/keysock.c cvs rdiff -u -r1.11 -r1.12 src/sys/netipsec/keysock.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/keysock.c diff -u src/sys/netipsec/keysock.c:1.66 src/sys/netipsec/keysock.c:1.67 --- src/sys/netipsec/keysock.c:1.66 Thu Nov 8 04:30:38 2018 +++ src/sys/netipsec/keysock.c Mon Dec 24 15:57:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: keysock.c,v 1.66 2018/11/08 04:30:38 roy Exp $ */ +/* $NetBSD: keysock.c,v 1.67 2018/12/24 15:57:15 maxv Exp $ */ /* $FreeBSD: keysock.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $KAME: keysock.c,v 1.25 2001/08/13 20:07:41 itojun Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: keysock.c,v 1.66 2018/11/08 04:30:38 roy Exp $"); +__KERNEL_RCSID(0, "$NetBSD: keysock.c,v 1.67 2018/12/24 15:57:15 maxv Exp $"); /* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */ 
@@ -218,98 +218,6 @@ key_sendup0( return error; } -/* XXX this interface should be obsoleted. */ -int -key_sendup(struct socket *so, struct sadb_msg *msg, u_int len, - int target) /*target of the resulting message*/ -{ - struct mbuf *m, *n, *mprev; - int tlen; - - KASSERT(so != NULL); - KASSERT(msg != NULL); - - if (KEYDEBUG_ON(KEYDEBUG_KEY_DUMP)) { - printf("key_sendup: \n"); - kdebug_sadb(msg); - } - - /* - * we increment statistics here, just in case we have ENOBUFS - * in this function. - */ - { - uint64_t *ps = PFKEY_STAT_GETREF(); - ps[PFKEY_STAT_IN_TOTAL]++; - ps[PFKEY_STAT_IN_BYTES] += len; - ps[PFKEY_STAT_IN_MSGTYPE + msg->sadb_msg_type]++; - PFKEY_STAT_PUTREF(); - } - - /* - * Get mbuf chain whenever possible (not clusters), - * to save socket buffer. We'll be generating many SADB_ACQUIRE - * messages to listening key sockets. If we simply allocate clusters, - * sbappendaddr() will raise ENOBUFS due to too little sbspace(). - * sbspace() computes # of actual data bytes AND mbuf region. - * - * TODO: SADB_ACQUIRE filters should be implemented. - */ - tlen = len; - m = mprev = NULL; - while (tlen > 0) { - int mlen; - if (tlen == len) { - MGETHDR(n, M_DONTWAIT, MT_DATA); - mlen = MHLEN; - } else { - MGET(n, M_DONTWAIT, MT_DATA); - mlen = MLEN; - } - if (!n) { - PFKEY_STATINC(PFKEY_STAT_IN_NOMEM); - return ENOBUFS; - } - n->m_len = mlen; - if (tlen >= MCLBYTES) { /*XXX better threshold? 
*/ - MCLGET(n, M_DONTWAIT); - if ((n->m_flags & M_EXT) == 0) { -m_free(n); -m_freem(m); -PFKEY_STATINC(PFKEY_STAT_IN_NOMEM); -return ENOBUFS; - } - n->m_len = MCLBYTES; - } - - if (tlen < n->m_len) - n->m_len = tlen; - n->m_next = NULL; - if (m == NULL) - m = mprev = n; - else { - mprev->m_next = n; - mprev = n; - } - tlen -= n->m_len; - n = NULL; - } - m->m_pkthdr.len = len; - m_reset_rcvif(m); - m_copyback(m, 0, len, msg); - - /* avoid duplicated statistics */ - { - uint64_t *ps = PFKEY_STAT_GETREF(); - ps[PFKEY_STAT_IN_TOTAL]--; - ps[PFKEY_STAT_IN_BYTES] -= len; - ps[PFKEY_STAT_IN_MSGTYPE + msg->sadb_msg_type]--; - PFKEY_STAT_PUTREF(); - } - - return key_sendup_mbuf(so, m, target); -} - /* so can be NULL if target != KEY_SENDUP_ONE */ static int _key_sendup_mbuf(struct socket *so, struct mbuf *m, Index: src/sys/netipsec/keysock.h diff -u src/sys/netipsec/keysock.h:1.11 src/sys/netipsec/keysock.h:1.12 --- src/sys/netipsec/keysock.h:1.11 Thu Apr 19 08:27:39 2018 +++ src/sys/netipsec/keysock.h Mon Dec 24 15:57:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: keysock.h,v 1.11 2018/04/19 08:27:39 maxv Exp $ */ +/* $NetBSD: keysock.h,v 1.12 2018/12/24 15:57:15 maxv Exp $ */ /* $FreeBSD: keysock.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $KAME: keysock.h,v 1.8 2000/03/27 05:11:06 sumikawa Exp $ */ @@ -74,8 +74,7 @@ struct keycb { void key_init_so(void); -int key_sendup (struct socket *, struct sadb_msg *, u_int, int); -int key_sendup_mbuf (struct socket *, struct mbuf *, int); +int key_sendup_mbuf(struct socket *, struct mbuf *, int); #endif /* _KERNEL */ #endif /* !_NETIPSEC_KEYSOCK_H_ */
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Fri Dec 7 09:11:04 UTC 2018 Modified Files: src/sys/netipsec: ipsecif.c Log Message: ipsecif(4) should not increment drop counter by errors not related to if_snd. Pointed out by ozaki-r@n.o, thanks. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/sys/netipsec/ipsecif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsecif.c diff -u src/sys/netipsec/ipsecif.c:1.11 src/sys/netipsec/ipsecif.c:1.12 --- src/sys/netipsec/ipsecif.c:1.11 Thu Nov 15 10:23:56 2018 +++ src/sys/netipsec/ipsecif.c Fri Dec 7 09:11:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsecif.c,v 1.11 2018/11/15 10:23:56 maxv Exp $ */ +/* $NetBSD: ipsecif.c,v 1.12 2018/12/07 09:11:04 knakahara Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.11 2018/11/15 10:23:56 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.12 2018/12/07 09:11:04 knakahara Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -364,10 +364,9 @@ ipsecif4_output(struct ipsec_variant *va KASSERT(sp->policy != IPSEC_POLICY_ENTRUST); KASSERT(sp->policy != IPSEC_POLICY_BYPASS); if (sp->policy != IPSEC_POLICY_IPSEC) { - struct ifnet *ifp = &var->iv_softc->ipsec_if; m_freem(m); - IF_DROP(&ifp->if_snd); - return 0; + error = ENETUNREACH; + goto done; } /* get flowinfo */
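Review bot: The replaced lines free the mbuf and then `goto done` with ENETUNREACH, which changes what callers observe (an error instead of a silent drop) without saying why that errno was chosen; a short comment above `error = ENETUNREACH;`, e.g. `/* SP is DISCARD or NONE: no IPsec path for this packet */`, would document the choice. Since `m` is freed before the jump, `done:` must not touch it; the label is outside the hunk, so that is inferred from the pattern rather than verified. ipsecif4_output starts and ends outside the hunk.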
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Oct 27 05:42:23 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c ipsec.h ipsec_input.c Log Message: Localify one function, and switch to C99 types while here. To generate a diff of this commit: cvs rdiff -u -r1.165 -r1.166 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.83 -r1.84 src/sys/netipsec/ipsec.h cvs rdiff -u -r1.71 -r1.72 src/sys/netipsec/ipsec_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.165 src/sys/netipsec/ipsec.c:1.166 --- src/sys/netipsec/ipsec.c:1.165 Wed Jul 11 05:25:45 2018 +++ src/sys/netipsec/ipsec.c Sat Oct 27 05:42:23 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.165 2018/07/11 05:25:45 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.166 2018/10/27 05:42:23 maxv Exp $ */ /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.165 2018/07/11 05:25:45 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.166 2018/10/27 05:42:23 maxv Exp $"); /* * IPsec controller part. @@ -1868,18 +1868,6 @@ xform_init(struct secasvar *sav, int xft return EINVAL; } -void -nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport) -{ - struct m_tag *tag; - - if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { - *sport = ((u_int16_t *)(tag + 1))[0]; - *dport = ((u_int16_t *)(tag + 1))[1]; - } else - *sport = *dport = 0; -} - /* * XXXJRT This should be done as a protosw init call. */ Index: src/sys/netipsec/ipsec.h diff -u src/sys/netipsec/ipsec.h:1.83 src/sys/netipsec/ipsec.h:1.84 --- src/sys/netipsec/ipsec.h:1.83 Fri Sep 14 05:09:51 2018 +++ src/sys/netipsec/ipsec.h Sat Oct 27 05:42:23 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.h,v 1.83 2018/09/14 05:09:51 maxv Exp $ */ +/* $NetBSD: ipsec.h,v 1.84 2018/10/27 05:42:23 maxv Exp $ */ /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ @@ -302,8 +302,6 @@ struct mbuf *m_makespace(struct mbuf *, void *m_pad(struct mbuf *, int); int m_striphdr(struct mbuf *, int, int); -void nat_t_ports_get(struct mbuf *, u_int16_t *, u_int16_t *); - extern int ipsec_used __read_mostly; extern int ipsec_enabled __read_mostly; Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.71 src/sys/netipsec/ipsec_input.c:1.72 --- src/sys/netipsec/ipsec_input.c:1.71 Fri Sep 14 05:09:51 2018 +++ src/sys/netipsec/ipsec_input.c Sat Oct 27 05:42:23 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.71 2018/09/14 05:09:51 maxv Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.72 2018/10/27 05:42:23 maxv Exp $ */ /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.71 2018/09/14 05:09:51 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.72 2018/10/27 05:42:23 maxv Exp $"); /* * IPsec input processing. @@ -170,6 +170,18 @@ ipsec4_fixup_checksum(struct mbuf *m) return m; } +static void +nat_t_ports_get(struct mbuf *m, uint16_t *dport, uint16_t *sport) +{ + struct m_tag *tag; + + if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { + *sport = ((uint16_t *)(tag + 1))[0]; + *dport = ((uint16_t *)(tag + 1))[1]; + } else + *sport = *dport = 0; +} + /* * ipsec_common_input gets called when an IPsec-protected packet * is received by IPv4 or IPv6. Its job is to find the right SA
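Review bot: The relocated nat_t_ports_get() still indexes `((uint16_t *)(tag + 1))[0]` and `[1]` without checking that the tag payload actually holds two ports; `KASSERT(tag->m_tag_len >= 2 * sizeof(uint16_t));` inside the if-block would catch a malformed tag in debug kernels. The `else` arm is an unbraced single statement beside a braced `if`; bracing both arms matches the surrounding file. A one-line comment stating that element 0 is the source port and element 1 the destination port would also help, since callers elsewhere read the pair in the other order.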
CVS commit: src/sys/netipsec
Module Name:src Committed By: ozaki-r Date: Thu Aug 23 01:55:38 UTC 2018 Modified Files: src/sys/netipsec: key.c Log Message: Don't call key_ismyaddr, which may sleep, in a pserialize read section Use mutex here instead of pserialize because using mutex is simpler than using psz+ref, which is another solution, and key_checkspidup isn't called in any performance-sensitive paths. To generate a diff of this commit: cvs rdiff -u -r1.256 -r1.257 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.256 src/sys/netipsec/key.c:1.257 --- src/sys/netipsec/key.c:1.256 Wed Jul 4 19:20:25 2018 +++ src/sys/netipsec/key.c Thu Aug 23 01:55:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $ */ +/* $NetBSD: key.c,v 1.257 2018/08/23 01:55:38 ozaki-r Exp $ */ /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.257 2018/08/23 01:55:38 ozaki-r Exp $"); /* * This code is referred to RFC 2367 @@ -3455,7 +3455,6 @@ key_checkspidup(const struct secasindex { struct secashead *sah; struct secasvar *sav; - int s; /* check address family */ if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) { 
@@ -3466,18 +3465,19 @@ key_checkspidup(const struct secasindex } /* check all SAD */ - s = pserialize_read_enter(); - SAHLIST_READER_FOREACH(sah) { + /* key_ismyaddr may sleep, so use mutex, not pserialize, here. */ + mutex_enter(&key_sad.lock); + SAHLIST_WRITER_FOREACH(sah) { if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst)) continue; sav = key_getsavbyspi(sah, spi); if (sav != NULL) { - pserialize_read_exit(s); KEY_SA_UNREF(&sav); + mutex_exit(&key_sad.lock); return true; } } - pserialize_read_exit(s); + mutex_exit(&key_sad.lock); return false; }
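Review bot: The loop now calls key_ismyaddr(), which the new comment says may sleep, while holding `key_sad.lock`; that is only permitted if key_sad.lock is an adaptive (IPL_NONE) mutex, so the comment should state that assumption, e.g. `/* key_ismyaddr may sleep; key_sad.lock is adaptive, so holding it here is fine. */`. The `sav = key_getsavbyspi(sah, spi); if (sav != NULL) { KEY_SA_UNREF(&sav); ...` sequence takes a reference only to drop it immediately; with the SAD lock held the reference adds nothing to the boolean result, though keeping it is harmless.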
CVS commit: src/sys/netipsec
Module Name:src Committed By: christos Date: Wed Jul 4 19:20:25 UTC 2018 Modified Files: src/sys/netipsec: key.c Log Message: merge duplicated code, more informative debugging. To generate a diff of this commit: cvs rdiff -u -r1.255 -r1.256 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.255 src/sys/netipsec/key.c:1.256 --- src/sys/netipsec/key.c:1.255 Sat Apr 28 11:45:16 2018 +++ src/sys/netipsec/key.c Wed Jul 4 15:20:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.255 2018/04/28 15:45:16 maxv Exp $ */ +/* $NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $ */ /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.255 2018/04/28 15:45:16 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $"); /* * This code is referred to RFC 2367 @@ -113,7 +113,7 @@ __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.25 #include #include -#define FULLMASK 0xff +#define FULLMASK 0xffu #define _BITS(bytes) ((bytes) << 3) #define PORT_NONE 0 @@ -994,7 +994,8 @@ key_gettunnel(const struct sockaddr *osr KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag); if (isrc->sa_family != idst->sa_family) { - IPSECLOG(LOG_ERR, "protocol family mismatched %d != %d\n.", + IPSECLOG(LOG_ERR, + "address family mismatched src %u, dst %u.\n", isrc->sa_family, idst->sa_family); sp = NULL; goto done; 
@@ -1185,14 +1186,14 @@ key_sendup_message_delete(struct secasva /* set sadb_address for saidx's. */ m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &sav->sah->saidx.src.sa, - sav->sah->saidx.src.sa.sa_len << 3, IPSEC_ULPROTO_ANY); + _BITS(sav->sah->saidx.src.sa.sa_len), IPSEC_ULPROTO_ANY); if (m == NULL) goto msgfail; m_cat(result, m); /* set sadb_address for saidx's. */ m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &sav->sah->saidx.src.sa, - sav->sah->saidx.src.sa.sa_len << 3, IPSEC_ULPROTO_ANY); + _BITS(sav->sah->saidx.src.sa.sa_len), IPSEC_ULPROTO_ANY); if (m == NULL) goto msgfail; m_cat(result, m); @@ -3458,7 +3459,9 @@ key_checkspidup(const struct secasindex /* check address family */ if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) { - IPSECLOG(LOG_DEBUG, "address family mismatched.\n"); + IPSECLOG(LOG_DEBUG, + "address family mismatched src %u, dst %u.\n", + saidx->src.sa.sa_family, saidx->dst.sa.sa_family); return false; } @@ -3764,6 +3767,31 @@ key_init_xform(struct secasvar *sav) break; } + /* check algo */ + switch (sav->sah->saidx.proto) { + case IPPROTO_AH: + case IPPROTO_TCP: + if (sav->alg_enc != SADB_EALG_NONE) { + IPSECLOG(LOG_DEBUG, + "protocol %u and algorithm mismatched %u != %u.\n", + sav->sah->saidx.proto, + sav->alg_enc, SADB_EALG_NONE); + return EINVAL; + } + break; + case IPPROTO_IPCOMP: + if (sav->alg_auth != SADB_AALG_NONE) { + IPSECLOG(LOG_DEBUG, + "protocol %u and algorithm mismatched %d != %d.\n", + sav->sah->saidx.proto, + sav->alg_auth, SADB_AALG_NONE); + return(EINVAL); + } + break; + default: + break; + } + /* check satype */ switch (sav->sah->saidx.proto) { case IPPROTO_ESP: 
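Review bot: Inside the new "check algo" switch in key_init_xform the two arms disagree with each other: the AH/TCP case prints the algorithms with `%u` and uses `return EINVAL;`, while the IPCOMP case prints them with `%d` and uses `return(EINVAL);`. Both compare the same kind of field, so one form should be used throughout; `%u` and `return EINVAL;` match the style of the rest of the hunk. A one-line comment above the switch noting that these checks were moved out of the satype switch below would also explain why the protocol is switched on twice in a row.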
@@ -3783,32 +3811,17 @@ key_init_xform(struct secasvar *sav) "invalid flag (derived) given to AH SA.\n"); return EINVAL; } - if (sav->alg_enc != SADB_EALG_NONE) { - IPSECLOG(LOG_DEBUG, - "protocol and algorithm mismated.\n"); - return(EINVAL); - } error = xform_init(sav, XF_AH); break; case IPPROTO_IPCOMP: - if (sav->alg_auth != SADB_AALG_NONE) { - IPSECLOG(LOG_DEBUG, - "protocol and algorithm mismated.\n"); - return(EINVAL); - } if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 - && ntohl(sav->spi) >= 0x1) { + && ntohl(sav->spi) >= 0x1) { IPSECLOG(LOG_DEBUG, "invalid cpi for IPComp.\n"); return(EINVAL); } error = xform_init(sav, XF_IPCOMP); break; case IPPROTO_TCP: - if (sav->alg_enc != SADB_EALG_NONE) { - IPSECLOG(LOG_DEBUG, - "protocol and algorithm mismated.\n"); - return(EINVAL); - } error = xform_init(sav, XF_TCPSIGNATURE); break; default: @@ -4217,6 +4230,19 @@ key_setsadbsa(struct secasvar *sav) return m; } +static uint8_t +key_sabits(const struct sockaddr *saddr) +{ + switch (saddr->sa_family) { + case AF_INET: + return _BITS(sizeof(struct in_addr)); + case AF_INET6: + return _BITS(sizeof(struct in6_addr)); + default: + return FULLMASK; + } +} + /* * set data into sadb_address. */ @@ -4244,16 +4270,7 @@ key_setsadbaddr(u_int16_t exttype, const p->sadb_address_exttype = exttype; p->sadb_address_proto = ul_proto; if (prefixlen == FULLMASK) { - switch (saddr->sa_family) { -
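Review bot: The IPComp condition carried over on the re-indented line, `(sav->flags & SADB_X_EXT_RAWCPI) == 0 && ntohl(sav->spi) >= 0x1`, rejects every non-raw CPI above zero as printed here; the usual rule (16-bit CPIs, so anything at or above 0x10000 is invalid unless RAWCPI is set) suggests the constant should be `0x10000` and the page has dropped digits, but if the source really reads `0x1` it is a defect that this whitespace-only change did not touch. A named constant or a short comment on the bound would make the intent checkable either way. key_init_xform starts and ends outside the hunk.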
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu May 31 15:34:25 UTC 2018 Modified Files: src/sys/netipsec: ipsec_mbuf.c Log Message: Clarify, remove superfluous things. To generate a diff of this commit: cvs rdiff -u -r1.27 -r1.28 src/sys/netipsec/ipsec_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.27 src/sys/netipsec/ipsec_mbuf.c:1.28 --- src/sys/netipsec/ipsec_mbuf.c:1.27 Sat Apr 28 14:39:34 2018 +++ src/sys/netipsec/ipsec_mbuf.c Thu May 31 15:34:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.27 2018/04/28 14:39:34 maxv Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.28 2018/05/31 15:34:25 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.27 2018/04/28 14:39:34 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.28 2018/05/31 15:34:25 maxv Exp $"); /* * IPsec-specific mbuf routines. 
@@ -65,25 +65,15 @@ m_clone(struct mbuf *m0) for (m = m0; m != NULL; m = mprev->m_next) { /* * Regular mbufs are ignored unless there's a cluster - * in front of it that we can use to coalesce. We do - * the latter mainly so later clusters can be coalesced - * also w/o having to handle them specially (i.e. convert - * mbuf+cluster -> cluster). This optimization is heavily - * influenced by the assumption that we're running over - * Ethernet where MCLBYTES is large enough that the max - * packet size will permit lots of coalescing into a - * single cluster. This in turn permits efficient - * crypto operations, especially when using hardware. + * in front of it that we can use to coalesce. */ if ((m->m_flags & M_EXT) == 0) { if (mprev && (mprev->m_flags & M_EXT) && m->m_len <= M_TRAILINGSPACE(mprev)) { -/* XXX: this ignores mbuf types */ memcpy(mtod(mprev, char *) + mprev->m_len, - mtod(m, char *), m->m_len); +mtod(m, char *), m->m_len); mprev->m_len += m->m_len; -mprev->m_next = m->m_next; /* unlink from chain */ -m_free(m); /* reclaim mbuf */ +mprev->m_next = m_free(m); IPSEC_STATINC(IPSEC_STAT_MBCOALESCED); } else { mprev = m; @@ -92,7 +82,7 @@ m_clone(struct mbuf *m0) } /* - * Writable mbufs are left alone (for now). + * Writable mbufs are left alone. */ if (!M_READONLY(m)) { mprev = m; 
@@ -105,16 +95,14 @@ m_clone(struct mbuf *m0) * it anyway, we try to reduce the number of mbufs and * clusters so that future work is easier). */ - KASSERTMSG(m->m_flags & M_EXT, "m_flags 0x%x", m->m_flags); - /* NB: we only coalesce into a cluster or larger */ + + /* We only coalesce into a cluster. */ if (mprev != NULL && (mprev->m_flags & M_EXT) && m->m_len <= M_TRAILINGSPACE(mprev)) { - /* XXX: this ignores mbuf types */ memcpy(mtod(mprev, char *) + mprev->m_len, - mtod(m, char *), m->m_len); + mtod(m, char *), m->m_len); mprev->m_len += m->m_len; - mprev->m_next = m->m_next; /* unlink from chain */ - m_free(m); /* reclaim mbuf */ + mprev->m_next = m_free(m); IPSEC_STATINC(IPSEC_STAT_CLCOALESCED); continue; } @@ -123,12 +111,6 @@ m_clone(struct mbuf *m0) * Allocate new space to hold the copy... */ if (mprev == NULL && (m->m_flags & M_PKTHDR)) { - /* - * NB: if a packet header is present we must - * allocate the mbuf separately from any cluster - * because M_MOVE_PKTHDR will smash the data - * pointer and drop the M_EXT marker. - */ MGETHDR(n, M_DONTWAIT, m->m_type); if (n == NULL) { m_freem(m0); @@ -162,7 +144,7 @@ m_clone(struct mbuf *m0) mfirst = n; mlast = NULL; for (;;) { - int cc = min(len, MCLBYTES); + const int cc = min(len, MCLBYTES); memcpy(mtod(n, char *), mtod(m, char *) + off, cc); n->m_len = cc; if (mlast != NULL)
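Review bot: The `KASSERTMSG(m->m_flags & M_EXT, ...)` removed at the top of the cluster-coalescing path was the only statement of the invariant this code relies on, namely that plain mbufs were already dealt with by the branch above (which starts before this hunk). If that branch always `continue`s for non-M_EXT mbufs the assertion was redundant, but it is cheap and documents why the `M_TRAILINGSPACE(mprev)` copy is safe, so I would keep `KASSERT(m->m_flags & M_EXT);` under the new `/* We only coalesce into a cluster. */` comment. m_clone starts and ends outside this hunk.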
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu May 31 15:06:45 UTC 2018 Modified Files: src/sys/netipsec: ipsec_output.c Log Message: Adapt rev1.75, suggested by Alexander Bluhm. Relax the checks to allow protocols smaller than two bytes (only IPPROTO_NONE). While here style. To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 src/sys/netipsec/ipsec_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.79 src/sys/netipsec/ipsec_output.c:1.80 --- src/sys/netipsec/ipsec_output.c:1.79 Thu May 31 07:03:57 2018 +++ src/sys/netipsec/ipsec_output.c Thu May 31 15:06:45 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.79 2018/05/31 07:03:57 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.80 2018/05/31 15:06:45 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.79 2018/05/31 07:03:57 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.80 2018/05/31 15:06:45 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -624,39 +624,39 @@ compute_ipsec_pos(struct mbuf *m, int *i * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload] */ while (1) { - if (*i + sizeof(ip6e) > m->m_pkthdr.len) { - return EINVAL; - } - switch (nxt) { case IPPROTO_AH: case IPPROTO_ESP: case IPPROTO_IPCOMP: - /* - * we should not skip security header added - * beforehand. - */ + /* + * We should not skip security header added + * beforehand. + */ return 0; case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: case IPPROTO_ROUTING: - /* - * if we see 2nd destination option header, - * we should stop there. - */ + if (*i + sizeof(ip6e) > m->m_pkthdr.len) { +return EINVAL; + } + + /* + * If we see 2nd destination option header, + * we should stop there. + */ if (nxt == IPPROTO_DSTOPTS && dstopt) return 0; if (nxt == IPPROTO_DSTOPTS) { /* - * seen 1st or 2nd destination option. + * Seen 1st or 2nd destination option. * next time we see one, it must be 2nd. */ dstopt = 1; } else if (nxt == IPPROTO_ROUTING) { /* - * if we see destination option next + * If we see destination option next * time, it must be dest2. */ dstopt = 2; @@ -667,6 +667,9 @@ compute_ipsec_pos(struct mbuf *m, int *i nxt = ip6e.ip6e_nxt; *off = *i + offsetof(struct ip6_ext, ip6e_nxt); *i += (ip6e.ip6e_len + 1) << 3; + if (*i > m->m_pkthdr.len) { +return EINVAL; + } break; default: return 0;
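Review bot: The new post-advance check `if (*i > m->m_pkthdr.len) return EINVAL;` deserves a comment saying what it protects, because the next iteration's `*i + sizeof(ip6e)` test does not cover the `default:` exit: a final extension header whose `ip6e_len` overruns the packet would otherwise let the loop return 0 with `*i` (the position the caller inserts at) already past `m_pkthdr.len`. Suggested: `/* A final ext header must not overrun the packet, or *i would point past its end. */`. Also note that `*i` and `*off` are already updated when EINVAL is returned, so callers must not use them on error; compute_ipsec_pos starts and ends outside this hunk.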
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu May 31 06:25:41 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c Log Message: Constify ipseczeroes, and remove one use of it. To generate a diff of this commit: cvs rdiff -u -r1.105 -r1.106 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.105 src/sys/netipsec/xform_ah.c:1.106 --- src/sys/netipsec/xform_ah.c:1.105 Wed May 30 18:02:40 2018 +++ src/sys/netipsec/xform_ah.c Thu May 31 06:25:41 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.105 2018/05/30 18:02:40 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.106 2018/05/31 06:25:41 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.105 2018/05/30 18:02:40 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.106 2018/05/31 06:25:41 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -104,7 +104,7 @@ percpu_t *ahstat_percpu; int ah_enable = 1; /* control flow of packets with AH */ int ip4_ah_cleartos = 1; /* clear ip_tos when doing AH calc */ -static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ +static const char ipseczeroes[256]; int ah_max_authsize; /* max authsize over all algorithms */ @@ -375,7 +375,7 @@ ah_massage_headers(struct mbuf **m0, int default: /* Zeroize all other options. */ -memcpy(ptr + off, ipseczeroes, optlen); +memset(ptr + off, 0, optlen); break; }
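Review bot: The size rationale on `static const char ipseczeroes[256];` was dropped together with the `unsigned` qualifier, yet the `memcpy` callers of `ipseczeroes` that remain (outside this hunk) still depend on 256 bytes being at least the longest length they copy, and nothing now says so. I would keep a short note, `/* Zero source for memcpy(); must stay >= any length a caller copies. */`. Replacing the copy from the zero buffer with `memset(ptr + off, 0, optlen);` is equivalent for that site and has the advantage that `optlen` is no longer implicitly bounded by the buffer size.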
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu May 31 06:14:18 UTC 2018 Modified Files: src/sys/netipsec: xform_esp.c Log Message: Add a comment and a KASSERT. I remember wondering whether this check was a problem, since ARC4 has a blocksize of one. Normally ARC4 can't be used in IPsec. To generate a diff of this commit: cvs rdiff -u -r1.95 -r1.96 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.95 src/sys/netipsec/xform_esp.c:1.96 --- src/sys/netipsec/xform_esp.c:1.95 Thu May 31 05:52:09 2018 +++ src/sys/netipsec/xform_esp.c Thu May 31 06:14:18 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.95 2018/05/31 05:52:09 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.96 2018/05/31 06:14:18 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.95 2018/05/31 05:52:09 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.96 2018/05/31 06:14:18 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -337,14 +337,14 @@ esp_input(struct mbuf *m, struct secasva alen = esph ? esph->authsize : 0; /* - * Verify payload length is multiple of encryption algorithm - * block size. + * Verify payload length is multiple of encryption algorithm block + * size. * - * NB: This works for the null algorithm because the blocksize - * is 4 and all packets must be 4-byte aligned regardless - * of the algorithm. + * The payload must also be 4-byte-aligned. This is implicitly + * verified here too, since the blocksize is always 4-byte-aligned. */ plen = m->m_pkthdr.len - (skip + hlen + alen); + KASSERT((espx->blocksize & 3) == 0); if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
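Review bot: The new `KASSERT((espx->blocksize & 3) == 0)` does not establish what the following `plen & (espx->blocksize - 1)` test needs: the mask idiom only computes `plen % blocksize` when blocksize is a power of two, and the 4-byte-alignment argument in the rewritten comment assumes that too. A blocksize such as 12 would pass the assertion and make the check accept payload lengths that are not multiples of it. Suggest `KASSERT(espx->blocksize >= 4 && (espx->blocksize & (espx->blocksize - 1)) == 0);` and saying "power of two" in the comment. esp_input continues outside this hunk.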
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu May 31 05:52:09 UTC 2018 Modified Files: src/sys/netipsec: xform_esp.c Log Message: style To generate a diff of this commit: cvs rdiff -u -r1.94 -r1.95 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.94 src/sys/netipsec/xform_esp.c:1.95 --- src/sys/netipsec/xform_esp.c:1.94 Wed May 30 17:17:11 2018 +++ src/sys/netipsec/xform_esp.c Thu May 31 05:52:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.94 2018/05/30 17:17:11 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.95 2018/05/31 05:52:09 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.94 2018/05/30 17:17:11 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.95 2018/05/31 05:52:09 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -243,7 +243,7 @@ esp_init(struct secasvar *sav, const str DPRINTF(("%s: invalid key length %u, must be either of " "20, 28 or 36\n", __func__, keylen)); return EINVAL; -} + } memset(&cria, 0, sizeof(cria)); cria.cri_alg = sav->tdb_authalgxform->type; @@ -313,7 +313,7 @@ esp_input(struct mbuf *m, struct secasva KASSERT(sav != NULL); KASSERT(sav->tdb_encalgxform != NULL); - KASSERTMSG((skip&3) == 0 && (m->m_pkthdr.len&3) == 0, + KASSERTMSG((skip & 3) == 0 && (m->m_pkthdr.len & 3) == 0, "misaligned packet, skip %u pkt len %u", skip, m->m_pkthdr.len); @@ -369,7 +369,7 @@ esp_input(struct mbuf *m, struct secasva } /* Update the counters */ - ESP_STATADD(ESP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen - alen); + ESP_STATADD(ESP_STAT_IBYTES, plen); /* Get crypto descriptors */ crp = crypto_getreq(esph ? 2 : 1); 
@@ -489,15 +489,15 @@ out: } #ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff); \ - } \ +#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do { \ + if (saidx->dst.sa.sa_family == AF_INET6) { \ + error = ipsec6_common_input_cb(m, sav, skip, protoff); \ + } else { \ + error = ipsec4_common_input_cb(m, sav, skip, protoff); \ + }\ } while (0) #else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) \ +#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) \ (error = ipsec4_common_input_cb(m, sav, skip, protoff)) #endif @@ -709,15 +709,13 @@ esp_output(struct mbuf *m, const struct espx = sav->tdb_encalgxform; KASSERT(espx != NULL); + /* Determine the ESP header length */ if (sav->flags & SADB_X_EXT_OLD) hlen = sizeof(struct esp) + sav->ivlen; else hlen = sizeof(struct newesp) + sav->ivlen; - - if (esph) - alen = esph->authsize; - else - alen = 0; + /* Authenticator hash size */ + alen = esph ? esph->authsize : 0; /* * NB: The null encoding transform has a blocksize of 4
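Review bot: In the reformatted `IPSEC_COMMON_INPUT_CB` macro the closing-brace line became `}\` while every other continuation line keeps a space before the backslash; it should read `} \` for consistency with the lines above it. The switch from `m->m_pkthdr.len - skip - hlen - alen` to `plen` in `ESP_STATADD` is presumably equivalent given how `plen` is computed earlier in esp_input, which lies outside this hunk.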
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed May 30 18:02:41 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c Log Message: Correctly handle the padding for IPv6-AH, as specified by RFC4302. Seen in a FreeBSD bug report, by Jason Mader. The RFC specifies that under IPv6 the complete AH header must be 64bit- aligned, and under IPv4 32bit-aligned. That's a rule we've never respected. The other BSDs and MacOS never have either. So respect it now. This makes it possible to set up IPv6-AH between Linux and NetBSD, and also probably between Windows and NetBSD. Until now all the tests I made were between two *BSD hosts, and everything worked "correctly" since both hosts were speaking the same non-standard AHv6, so they could understand each other. Tested with Fedora<->NetBSD, hmac-sha2-384. To generate a diff of this commit: cvs rdiff -u -r1.104 -r1.105 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.104 src/sys/netipsec/xform_ah.c:1.105 --- src/sys/netipsec/xform_ah.c:1.104 Wed May 30 17:17:11 2018 +++ src/sys/netipsec/xform_ah.c Wed May 30 18:02:40 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.104 2018/05/30 17:17:11 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.105 2018/05/30 18:02:40 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.104 2018/05/30 17:17:11 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.105 2018/05/30 18:02:40 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -167,11 +167,21 @@ ah_hdrsiz(const struct secasvar *sav) size_t size; if (sav != NULL) { - int authsize; + int authsize, rplen, align; + KASSERT(sav->tdb_authalgxform != NULL); /*XXX not right for null algorithm--does it matter??*/ + + /* RFC4302: use the correct alignment. */ + align = sizeof(uint32_t); +#ifdef INET6 + if (sav->sah->saidx.dst.sa.sa_family == AF_INET6) { + align = sizeof(uint64_t); + } +#endif + rplen = HDRSIZE(sav); authsize = AUTHSIZE(sav); - size = roundup(authsize, sizeof(uint32_t)) + HDRSIZE(sav); + size = roundup(rplen + authsize, align); } else { /* default guess */ size = sizeof(struct ah) + sizeof(uint32_t) + ah_max_authsize; @@ -520,7 +530,7 @@ ah_input(struct mbuf *m, struct secasvar const struct auth_hash *ahx; struct tdb_crypto *tc = NULL; struct newah *ah; - int hl, rplen, authsize, error, stat = AH_STAT_HDROPS; + int hl, rplen, authsize, ahsize, error, stat = AH_STAT_HDROPS; struct cryptodesc *crda; struct cryptop *crp = NULL; bool pool_used; 
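Review bot: The `sav == NULL` fallback in ah_hdrsiz, `size = sizeof(struct ah) + sizeof(uint32_t) + ah_max_authsize;`, was not given the new alignment rule, so the estimate is not rounded to 64 bits and can be 4 bytes smaller than what the IPv6 path now produces (with an 8-byte `struct ah` and a 48-byte ICV it yields 60, while `roundup(rplen + authsize, align)` yields 64). If this estimate feeds header-space reservation or MTU computations for IPv6, round it the same way: `size = roundup(sizeof(struct ah) + sizeof(uint32_t) + ah_max_authsize, sizeof(uint64_t));`. The declaration hunk further down only adds `ahsize` to ah_input's locals and raises nothing on its own.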
@@ -553,25 +563,26 @@ ah_input(struct mbuf *m, struct secasvar } /* Verify AH header length. */ - hl = ah->ah_len * sizeof(uint32_t); + hl = sizeof(struct ah) + (ah->ah_len * sizeof(uint32_t)); ahx = sav->tdb_authalgxform; authsize = AUTHSIZE(sav); - if (hl != authsize + rplen - sizeof(struct ah)) { + ahsize = ah_hdrsiz(sav); + if (hl != ahsize) { char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("%s: bad authenticator length %u (expecting %lu)" " for packet in SA %s/%08lx\n", __func__, - hl, (u_long) (authsize + rplen - sizeof(struct ah)), + hl, (u_long)ahsize, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); stat = AH_STAT_BADAUTHL; error = EACCES; goto bad; } - if (skip + authsize + rplen > m->m_pkthdr.len) { + if (skip + ahsize > m->m_pkthdr.len) { char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)" " for packet in SA %s/%08lx\n", __func__, - m->m_pkthdr.len, (u_long)(skip + authsize + rplen), + m->m_pkthdr.len, (u_long)(skip + ahsize), ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); stat = AH_STAT_BADAUTHL; @@ -720,7 +731,7 @@ static int ah_input_cb(struct cryptop *crp) { char buf[IPSEC_ADDRSTRLEN]; - int rplen, error, skip, protoff; + int rplen, ahsize, error, skip, protoff; unsigned char calc[AH_ALEN_MAX]; struct mbuf *m; struct tdb_crypto *tc; @@ -751,6 +762,7 @@ ah_input_cb(struct cryptop *crp) /* Figure out header size. */ rplen = HDRSIZE(sav); authsize = AUTHSIZE(sav); + ahsize = ah_hdrsiz(sav); size = sizeof(*tc) + skip + rplen + authsize; if (__predict_true(size <= ah_pool_item_size)) @@ -844,7 +856,7 @@ ah_input_cb(struct cryptop *crp) /* * Remove the AH header and authenticator from the mbuf. */ - error = m_striphdr(m, skip, rplen + authsize); + error = m_striphdr(m, skip, ahsize); if (error) { DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), 
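Review bot: `ahsize` is declared `int` in both ah_input and ah_input_cb but receives the `size_t` result of `ah_hdrsiz()`, a silent narrowing that `-Wconversion` would flag; either declare it `size_t` (and cast `hl` in the `hl != ahsize` comparison) or make the narrowing explicit. The DPRINTF label `"bad authenticator length %u (expecting %lu)"` now reports the whole AH header length against `ahsize`, so `"bad AH header length %u (expecting %lu)"` would describe what is printed. Both functions extend beyond the hunks shown.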
@@ -891,7 +903,7 @@ ah_output(struct mbuf *m, const struct i struct mbuf *mi; struct cryptop
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed May 30 17:17:11 UTC 2018 Modified Files: src/sys/netipsec: xform.h xform_ah.c xform_esp.c Log Message: Introduce ah_authsiz, which computes the length of the ICV only. Use it in esp_hdrsiz, and clarify. Until now we were using ah_hdrsiz, and were relying on the fact that the size of the AH header happens to be equal to that of the ESP trailer. Now the size of the ESP trailer is added manually. This also fixes one branch in esp_hdrsiz: we always append an ESP trailer, so it must always be taken into account, and not just when an ICV is here. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/sys/netipsec/xform.h cvs rdiff -u -r1.103 -r1.104 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.93 -r1.94 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform.h diff -u src/sys/netipsec/xform.h:1.19 src/sys/netipsec/xform.h:1.20 --- src/sys/netipsec/xform.h:1.19 Mon May 7 09:25:04 2018 +++ src/sys/netipsec/xform.h Wed May 30 17:17:11 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.h,v 1.19 2018/05/07 09:25:04 maxv Exp $ */ +/* $NetBSD: xform.h,v 1.20 2018/05/30 17:17:11 maxv Exp $ */ /* $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */ /* @@ -96,6 +96,7 @@ int ipip_output(struct mbuf *, struct se int ah_init0(struct secasvar *, const struct xformsw *, struct cryptoini *); int ah_zeroize(struct secasvar *); const struct auth_hash *ah_algorithm_lookup(int); +size_t ah_authsiz(const struct secasvar *); size_t ah_hdrsiz(const struct secasvar *); /* XF_ESP */ Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.103 src/sys/netipsec/xform_ah.c:1.104 --- src/sys/netipsec/xform_ah.c:1.103 Tue May 29 16:50:38 2018 +++ src/sys/netipsec/xform_ah.c Wed May 30 17:17:11 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.103 2018/05/29 16:50:38 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.104 2018/05/30 17:17:11 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.103 2018/05/29 16:50:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.104 2018/05/30 17:17:11 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -149,6 +149,19 @@ ah_algorithm_lookup(int alg) } size_t +ah_authsiz(const struct secasvar *sav) +{ + size_t size; + + if (sav == NULL) { + return ah_max_authsize; + } + + size = AUTHSIZE(sav); + return roundup(size, sizeof(uint32_t)); +} + +size_t ah_hdrsiz(const struct secasvar *sav) { size_t size; Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.93 src/sys/netipsec/xform_esp.c:1.94 --- src/sys/netipsec/xform_esp.c:1.93 Wed May 30 16:49:38 2018 +++ src/sys/netipsec/xform_esp.c Wed May 30 17:17:11 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.93 2018/05/30 16:49:38 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.94 2018/05/30 17:17:11 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.93 2018/05/30 16:49:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.94 2018/05/30 17:17:11 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
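Review bot: ah_authsiz rounds the ICV up to 4 bytes in the `sav != NULL` path but returns the raw `ah_max_authsize` for `sav == NULL`, so the two branches disagree whenever the largest authsize is not a multiple of 4. Since the NULL path is the worst-case estimate callers such as esp_hdrsiz rely on, `return roundup(ah_max_authsize, sizeof(uint32_t));` keeps both paths consistent. A one-line header comment would also help, e.g. `/* Size of the ICV rounded to 4 bytes; the upper bound over all algorithms when sav is NULL. */`.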
@@ -141,25 +141,34 @@ esp_hdrsiz(const struct secasvar *sav) if (sav != NULL) { /*XXX not right for null algorithm--does it matter??*/ KASSERT(sav->tdb_encalgxform != NULL); + + /* + * base header size + * + iv length for CBC mode + * + max pad length + * + sizeof(esp trailer) + * + icv length (if any). + */ if (sav->flags & SADB_X_EXT_OLD) size = sizeof(struct esp); else size = sizeof(struct newesp); - size += sav->tdb_encalgxform->ivsize + 9; + size += sav->tdb_encalgxform->ivsize + 9 + + sizeof(struct esptail); + /*XXX need alg check???*/ if (sav->tdb_authalgxform != NULL && sav->replay) - size += ah_hdrsiz(sav); + size += ah_authsiz(sav); } else { /* * base header size * + max iv length for CBC mode * + max pad length - * + sizeof(pad length field) - * + sizeof(next header field) + * + sizeof(esp trailer) * + max icv supported. */ size = sizeof(struct newesp) + esp_max_ivlen + 9 + - ah_hdrsiz(NULL); + sizeof(struct esptail) + ah_authsiz(NULL); } return size; }
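Review bot: The `9` in `size += sav->tdb_encalgxform->ivsize + 9 + sizeof(struct esptail);` is labelled "max pad length" by the new comment, but the transform's blocksize is at hand and a 16-byte block cipher can need up to 15 bytes of padding (the `padlen` formula in esp_output, rev 1.91 on this page, yields values up to `blks - 1`), so the estimate can come out short for AES-CBC now that the trailer is counted separately. Tie it to the algorithm: `size += sav->tdb_encalgxform->ivsize + (sav->tdb_encalgxform->blocksize - 1) + sizeof(struct esptail);`, and use the largest supported blocksize in the `sav == NULL` branch. The `sav->tdb_authalgxform != NULL && sav->replay` condition for counting the ICV predates this change but looks suspicious, since esp_output sets `alen = esph->authsize` whenever an auth transform is present, regardless of the replay window.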
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed May 30 16:49:38 UTC 2018 Modified Files: src/sys/netipsec: xform_esp.c Log Message: Apply the previous change in esp_input too, same as esp_output. To generate a diff of this commit: cvs rdiff -u -r1.92 -r1.93 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.92 src/sys/netipsec/xform_esp.c:1.93 --- src/sys/netipsec/xform_esp.c:1.92 Wed May 30 16:43:29 2018 +++ src/sys/netipsec/xform_esp.c Wed May 30 16:49:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.92 2018/05/30 16:43:29 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.93 2018/05/30 16:49:38 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.92 2018/05/30 16:43:29 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.93 2018/05/30 16:49:38 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -317,6 +317,7 @@ esp_input(struct mbuf *m, struct secasva esph = sav->tdb_authalgxform; espx = sav->tdb_encalgxform; + KASSERT(espx != NULL); /* Determine the ESP header length */ if (sav->flags & SADB_X_EXT_OLD) @@ -362,7 +363,7 @@ esp_input(struct mbuf *m, struct secasva ESP_STATADD(ESP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen - alen); /* Get crypto descriptors */ - crp = crypto_getreq(esph && espx ? 2 : 1); + crp = crypto_getreq(esph ? 2 : 1); if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); 
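Review bot: `KASSERT(espx != NULL)` is compiled out in non-DIAGNOSTIC kernels, and after this change esp_input dereferences `espx` unconditionally for every inbound packet (the later hunks drop the `espx &&` guards), so the safety of the Rx path now rests entirely on `tdb_encalgxform` being set for the lifetime of the SA. A comment at the assignment would record that dependency, e.g. `/* esp_init() sets tdb_encalgxform before the SA is usable; it stays valid until the SA is freed. */` — assuming that is indeed the ordering, which is not visible here. esp_input starts before this hunk and continues after it.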
@@ -396,15 +397,15 @@ esp_input(struct mbuf *m, struct secasva /* Authentication descriptor */ crda->crd_skip = skip; - if (espx && espx->type == CRYPTO_AES_GCM_16) + if (espx->type == CRYPTO_AES_GCM_16) crda->crd_len = hlen - sav->ivlen; else crda->crd_len = m->m_pkthdr.len - (skip + alen); crda->crd_inject = m->m_pkthdr.len - alen; crda->crd_alg = esph->type; - if (espx && (espx->type == CRYPTO_AES_GCM_16 || - espx->type == CRYPTO_AES_GMAC)) { + if (espx->type == CRYPTO_AES_GCM_16 || + espx->type == CRYPTO_AES_GMAC) { crda->crd_key = _KEYBUF(sav->key_enc); crda->crd_klen = _KEYBITS(sav->key_enc); } else { @@ -454,20 +455,17 @@ esp_input(struct mbuf *m, struct secasva tc->tc_sav = sav; /* Decryption descriptor */ - if (espx) { - KASSERTMSG(crde != NULL, "null esp crypto descriptor"); - crde->crd_skip = skip + hlen; - if (espx->type == CRYPTO_AES_GMAC) - crde->crd_len = 0; - else - crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); - crde->crd_inject = skip + hlen - sav->ivlen; - - crde->crd_alg = espx->type; - crde->crd_key = _KEYBUF(sav->key_enc); - crde->crd_klen = _KEYBITS(sav->key_enc); - /* XXX Rounds ? */ - } + KASSERTMSG(crde != NULL, "null esp crypto descriptor"); + crde->crd_skip = skip + hlen; + if (espx->type == CRYPTO_AES_GMAC) + crde->crd_len = 0; + else + crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); + crde->crd_inject = skip + hlen - sav->ivlen; + crde->crd_alg = espx->type; + crde->crd_key = _KEYBUF(sav->key_enc); + crde->crd_klen = _KEYBITS(sav->key_enc); + /* XXX Rounds ? */ return crypto_dispatch(crp);
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed May 30 16:43:29 UTC 2018 Modified Files: src/sys/netipsec: xform_esp.c Log Message: Remove dead code, 'espx' is never NULL and dereferenced earlier, so no need to NULL-check all the time. To generate a diff of this commit: cvs rdiff -u -r1.91 -r1.92 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.91 src/sys/netipsec/xform_esp.c:1.92 --- src/sys/netipsec/xform_esp.c:1.91 Wed May 30 16:32:26 2018 +++ src/sys/netipsec/xform_esp.c Wed May 30 16:43:29 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.91 2018/05/30 16:32:26 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.92 2018/05/30 16:43:29 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.91 2018/05/30 16:32:26 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.92 2018/05/30 16:43:29 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -695,8 +695,7 @@ esp_output(struct mbuf *m, const struct uint8_t prot; int error, maxpacketsize; struct esptail *esptail; - - struct cryptodesc *crde = NULL, *crda = NULL; + struct cryptodesc *crde, *crda; struct cryptop *crp; esph = sav->tdb_authalgxform; @@ -844,7 +843,7 @@ esp_output(struct mbuf *m, const struct m_copyback(m, protoff, sizeof(uint8_t), &prot); /* Get crypto descriptors. */ - crp = crypto_getreq(esph && espx ? 2 : 1); + crp = crypto_getreq(esph ? 2 : 1); if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); 
@@ -853,26 +852,22 @@ esp_output(struct mbuf *m, const struct goto bad; } - if (espx) { - crde = crp->crp_desc; - crda = crde->crd_next; - - /* Encryption descriptor. */ - crde->crd_skip = skip + hlen; - if (espx->type == CRYPTO_AES_GMAC) - crde->crd_len = 0; - else - crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); - crde->crd_flags = CRD_F_ENCRYPT; - crde->crd_inject = skip + hlen - sav->ivlen; - - /* Encryption operation. */ - crde->crd_alg = espx->type; - crde->crd_key = _KEYBUF(sav->key_enc); - crde->crd_klen = _KEYBITS(sav->key_enc); - /* XXX Rounds ? */ - } else - crda = crp->crp_desc; + /* Get the descriptors. */ + crde = crp->crp_desc; + crda = crde->crd_next; + + /* Encryption descriptor. */ + crde->crd_skip = skip + hlen; + if (espx->type == CRYPTO_AES_GMAC) + crde->crd_len = 0; + else + crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); + crde->crd_flags = CRD_F_ENCRYPT; + crde->crd_inject = skip + hlen - sav->ivlen; + crde->crd_alg = espx->type; + crde->crd_key = _KEYBUF(sav->key_enc); + crde->crd_klen = _KEYBITS(sav->key_enc); + /* XXX Rounds ? */ /* IPsec-specific opaque crypto info. */ tc = pool_cache_get(esp_tdb_crypto_pool_cache, PR_NOWAIT); @@ -922,7 +917,7 @@ esp_output(struct mbuf *m, const struct if (esph) { /* Authentication descriptor. */ crda->crd_skip = skip; - if (espx && espx->type == CRYPTO_AES_GCM_16) + if (espx->type == CRYPTO_AES_GCM_16) crda->crd_len = hlen - sav->ivlen; else crda->crd_len = m->m_pkthdr.len - (skip + alen); @@ -930,8 +925,8 @@ esp_output(struct mbuf *m, const struct /* Authentication operation. */ crda->crd_alg = esph->type; - if (espx && (espx->type == CRYPTO_AES_GCM_16 || - espx->type == CRYPTO_AES_GMAC)) { + if (espx->type == CRYPTO_AES_GCM_16 || + espx->type == CRYPTO_AES_GMAC) { crda->crd_key = _KEYBUF(sav->key_enc); crda->crd_klen = _KEYBITS(sav->key_enc); } else {
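Review bot: With `crda = crde->crd_next;` now executed unconditionally, `crda` is NULL whenever `esph == NULL`, because `crypto_getreq(esph ? 2 : 1)` in the previous hunk then allocates a single descriptor (assuming a lone descriptor has a NULL `crd_next`). Every use below is guarded by `if (esph)`, so this is correct, but the comment should say so: `/* Get the descriptors; crda is NULL when there is no authenticator. */`. esp_output continues outside these hunks.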
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed May 30 16:32:26 UTC 2018 Modified Files: src/sys/netipsec: xform_esp.c Log Message: Simplify the padding computation. Until now 'padlen' contained the ESP Trailer (two bytes), and we were doing minus two all the time. Declare 'tlen', which contains padlen+ESP_Trailer+ICV, and use 'struct esptail' instead of hardcoding the construction of the trailer. 'padlen' now indicates only the length of the padding, so no need to do -2. To generate a diff of this commit: cvs rdiff -u -r1.90 -r1.91 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.90 src/sys/netipsec/xform_esp.c:1.91 --- src/sys/netipsec/xform_esp.c:1.90 Wed May 30 16:15:19 2018 +++ src/sys/netipsec/xform_esp.c Wed May 30 16:32:26 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.90 2018/05/30 16:15:19 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.91 2018/05/30 16:32:26 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.90 2018/05/30 16:15:19 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.91 2018/05/30 16:32:26 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -687,13 +687,14 @@ esp_output(struct mbuf *m, const struct char buf[IPSEC_ADDRSTRLEN]; const struct enc_xform *espx; const struct auth_hash *esph; - int hlen, rlen, padlen, blks, alen, i, roff; + int hlen, rlen, tlen, padlen, blks, alen, i, roff; struct mbuf *mo = NULL; struct tdb_crypto *tc; struct secasindex *saidx; unsigned char *tail; uint8_t prot; int error, maxpacketsize; + struct esptail *esptail; struct cryptodesc *crde = NULL, *crda = NULL; struct cryptop *crp; 
@@ -721,8 +722,11 @@ esp_output(struct mbuf *m, const struct /* Raw payload length. */ rlen = m->m_pkthdr.len - skip; - /* XXX clamp padding length a la KAME??? */ - padlen = ((blks - ((rlen + 2) % blks)) % blks) + 2; + /* Encryption padding. */ + padlen = ((blks - ((rlen + sizeof(struct esptail)) % blks)) % blks); + + /* Length of what we append (tail). */ + tlen = padlen + sizeof(struct esptail) + alen; ESP_STATINC(ESP_STAT_OUTPUT); @@ -748,12 +752,12 @@ esp_output(struct mbuf *m, const struct error = EPFNOSUPPORT; goto bad; } - if (skip + hlen + rlen + padlen + alen > maxpacketsize) { + if (skip + hlen + rlen + tlen > maxpacketsize) { DPRINTF(("%s: packet in SA %s/%08lx got too big (len %u, " "max len %u)\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi), - skip + hlen + rlen + padlen + alen, maxpacketsize)); + skip + hlen + rlen + tlen, maxpacketsize)); ESP_STATINC(ESP_STAT_TOOBIG); error = EMSGSIZE; goto bad; @@ -803,7 +807,7 @@ esp_output(struct mbuf *m, const struct /* * Grow the mbuf, we will append data at the tail. */ - tail = m_pad(m, padlen + alen); + tail = m_pad(m, tlen); if (tail == NULL) { DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), 
@@ -818,21 +822,22 @@ esp_output(struct mbuf *m, const struct */ switch (sav->flags & SADB_X_EXT_PMASK) { case SADB_X_EXT_PSEQ: - for (i = 0; i < padlen - 2; i++) + for (i = 0; i < padlen; i++) tail[i] = i + 1; break; case SADB_X_EXT_PRAND: - (void)cprng_fast(tail, padlen - 2); + (void)cprng_fast(tail, padlen); break; case SADB_X_EXT_PZERO: default: - memset(tail, 0, padlen - 2); + memset(tail, 0, padlen); break; } - /* Fix padding length and Next Protocol in padding itself. */ - tail[padlen - 2] = padlen - 2; - m_copydata(m, protoff, sizeof(uint8_t), tail + padlen - 1); + /* Build the ESP Trailer. */ + esptail = (struct esptail *)&tail[padlen]; + esptail->esp_padlen = padlen; + m_copydata(m, protoff, sizeof(uint8_t), &esptail->esp_nxt); /* Fix Next Protocol in IPv4/IPv6 header. */ prot = IPPROTO_ESP;
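Review bot: `esptail->esp_padlen = padlen;` stores an `int` into what is, per RFC 4303, a one-byte Pad Length field, and the computation in the earlier hunk bounds `padlen` by `blks - 1`, so this only holds while every transform's blocksize is at most 256. Worth a guard next to the `blks = espx->blocksize` assignment (outside this hunk), e.g. `KASSERT(blks > 0 && blks <= 256);`, which also documents that the `% blks` in the padlen formula cannot divide by zero. The cast `(struct esptail *)&tail[padlen]` is alignment-safe only because the trailer is two single bytes; a comment noting that would keep a future field addition from silently breaking it.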
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed May 30 16:15:19 UTC 2018 Modified Files: src/sys/netipsec: xform_esp.c Log Message: Rename padding -> padlen, pad -> tail, and clarify. To generate a diff of this commit: cvs rdiff -u -r1.89 -r1.90 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.89 src/sys/netipsec/xform_esp.c:1.90 --- src/sys/netipsec/xform_esp.c:1.89 Fri May 18 19:02:49 2018 +++ src/sys/netipsec/xform_esp.c Wed May 30 16:15:19 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.89 2018/05/18 19:02:49 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.90 2018/05/30 16:15:19 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.89 2018/05/18 19:02:49 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.90 2018/05/30 16:15:19 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -687,11 +687,11 @@ esp_output(struct mbuf *m, const struct char buf[IPSEC_ADDRSTRLEN]; const struct enc_xform *espx; const struct auth_hash *esph; - int hlen, rlen, padding, blks, alen, i, roff; + int hlen, rlen, padlen, blks, alen, i, roff; struct mbuf *mo = NULL; struct tdb_crypto *tc; struct secasindex *saidx; - unsigned char *pad; + unsigned char *tail; uint8_t prot; int error, maxpacketsize; 
@@ -699,28 +699,30 @@ esp_output(struct mbuf *m, const struct struct cryptop *crp; esph = sav->tdb_authalgxform; - KASSERT(sav->tdb_encalgxform != NULL); espx = sav->tdb_encalgxform; + KASSERT(espx != NULL); if (sav->flags & SADB_X_EXT_OLD) hlen = sizeof(struct esp) + sav->ivlen; else hlen = sizeof(struct newesp) + sav->ivlen; - rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ + if (esph) + alen = esph->authsize; + else + alen = 0; + /* * NB: The null encoding transform has a blocksize of 4 * so that headers are properly aligned. */ blks = espx->blocksize; /* IV blocksize */ - /* XXX clamp padding length a la KAME??? */ - padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; + /* Raw payload length. */ + rlen = m->m_pkthdr.len - skip; - if (esph) - alen = esph->authsize; - else - alen = 0; + /* XXX clamp padding length a la KAME??? */ + padlen = ((blks - ((rlen + 2) % blks)) % blks) + 2; ESP_STATINC(ESP_STAT_OUTPUT); @@ -746,12 +748,12 @@ esp_output(struct mbuf *m, const struct error = EPFNOSUPPORT; goto bad; } - if (skip + hlen + rlen + padding + alen > maxpacketsize) { + if (skip + hlen + rlen + padlen + alen > maxpacketsize) { DPRINTF(("%s: packet in SA %s/%08lx got too big (len %u, " "max len %u)\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi), - skip + hlen + rlen + padding + alen, maxpacketsize)); + skip + hlen + rlen + padlen + alen, maxpacketsize)); ESP_STATINC(ESP_STAT_TOOBIG); error = EMSGSIZE; goto bad; 
@@ -799,15 +801,14 @@ esp_output(struct mbuf *m, const struct } /* - * Add padding -- better to do it ourselves than use the crypto engine, - * although if/when we support compression, we'd have to do that. + * Grow the mbuf, we will append data at the tail. */ - pad = m_pad(m, padding + alen); - if (pad == NULL) { + tail = m_pad(m, padlen + alen); + if (tail == NULL) { DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); - m = NULL; /* NB: free'd by m_pad */ + m = NULL; error = ENOBUFS; goto bad; } @@ -817,21 +818,21 @@ esp_output(struct mbuf *m, const struct */ switch (sav->flags & SADB_X_EXT_PMASK) { case SADB_X_EXT_PSEQ: - for (i = 0; i < padding - 2; i++) - pad[i] = i+1; + for (i = 0; i < padlen - 2; i++) + tail[i] = i + 1; break; case SADB_X_EXT_PRAND: - (void)cprng_fast(pad, padding - 2); + (void)cprng_fast(tail, padlen - 2); break; case SADB_X_EXT_PZERO: default: - memset(pad, 0, padding - 2); + memset(tail, 0, padlen - 2); break; } /* Fix padding length and Next Protocol in padding itself. */ - pad[padding - 2] = padding - 2; - m_copydata(m, protoff, sizeof(uint8_t), pad + padding - 1); + tail[padlen - 2] = padlen - 2; + m_copydata(m, protoff, sizeof(uint8_t), tail + padlen - 1); /* Fix Next Protocol in IPv4/IPv6 header. */ prot = IPPROTO_ESP;
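Review bot: Dropping the `/* NB: free'd by m_pad */` annotation leaves `m = NULL; error = ENOBUFS; goto bad;` in the `tail == NULL` branch looking like an mbuf leak, when (if m_pad's contract is unchanged) the chain has already been freed and nulling m is what keeps the `bad:` path from double-freeing it. Suggest keeping the why on the new side: `m = NULL; /* m_pad() already freed the chain */`. The remaining hunks are the padding -> padlen rename; the byte narrowing in `tail[padlen - 2] = padlen - 2` is carried over unchanged. esp_output starts and ends outside these hunks.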
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue May 29 16:50:38 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c Log Message: Strengthen and simplify, once more. To generate a diff of this commit: cvs rdiff -u -r1.102 -r1.103 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.102 src/sys/netipsec/xform_ah.c:1.103 --- src/sys/netipsec/xform_ah.c:1.102 Tue May 29 09:25:44 2018 +++ src/sys/netipsec/xform_ah.c Tue May 29 16:50:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.102 2018/05/29 09:25:44 ozaki-r Exp $ */ +/* $NetBSD: xform_ah.c,v 1.103 2018/05/29 16:50:38 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.102 2018/05/29 09:25:44 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.103 2018/05/29 16:50:38 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -271,7 +271,7 @@ ah_massage_headers(struct mbuf **m0, int struct ip *ip; #endif #ifdef INET6 - int count; + int count, ip6optlen; struct ip6_ext *ip6e; struct ip6_hdr ip6; int alloc, nxt; @@ -394,11 +394,12 @@ ah_massage_headers(struct mbuf **m0, int /* Done with IPv6 header. */ m_copyback(m, 0, sizeof(struct ip6_hdr), &ip6); + ip6optlen = skip - sizeof(struct ip6_hdr); + /* Let's deal with the remaining headers (if any). */ - if (skip - sizeof(struct ip6_hdr) > 0) { + if (ip6optlen > 0) { if (m->m_len <= skip) { -ptr = malloc(skip - sizeof(struct ip6_hdr), -M_XDATA, M_NOWAIT); +ptr = malloc(ip6optlen, M_XDATA, M_NOWAIT); if (ptr == NULL) { DPRINTF(("%s: failed to allocate " "memory for IPv6 headers\n", 
@@ -412,7 +413,7 @@ ah_massage_headers(struct mbuf **m0, int * the IPv6 header. */ m_copydata(m, sizeof(struct ip6_hdr), -skip - sizeof(struct ip6_hdr), ptr); +ip6optlen, ptr); alloc = 1; } else { /* No need to allocate memory. */ @@ -425,23 +426,22 @@ ah_massage_headers(struct mbuf **m0, int nxt = ip6.ip6_nxt & 0xff; /* Next header type. */ - for (off = 0; off < skip - sizeof(struct ip6_hdr);) { + for (off = 0; off < ip6optlen;) { int noff; + if (off + sizeof(*ip6e) > ip6optlen) { +goto error6; + } + ip6e = (struct ip6_ext *)(ptr + off); + noff = off + ((ip6e->ip6e_len + 1) << 3); + if (noff > ip6optlen) { +goto error6; + } + switch (nxt) { case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: -ip6e = (struct ip6_ext *)(ptr + off); -noff = off + ((ip6e->ip6e_len + 1) << 3); - -/* Sanity check. */ -if (noff > skip - sizeof(struct ip6_hdr)) { - goto error6; -} - -/* - * Zero out mutable options. - */ +/* Zero out mutable options. */ for (count = off + sizeof(struct ip6_ext); count < noff;) { if (ptr[count] == IP6OPT_PAD1) { @@ -464,27 +464,18 @@ ah_massage_headers(struct mbuf **m0, int count += optlen; } - if (count != noff) { goto error6; } - -/* Advance. */ -off += ((ip6e->ip6e_len + 1) << 3); -nxt = ip6e->ip6e_nxt; -break; +/* FALLTHROUGH */ case IPPROTO_ROUTING: -ip6e = (struct ip6_ext *)(ptr + off); - -/* advance */ -off += ((ip6e->ip6e_len + 1) << 3); +/* Advance. */ +off = noff; nxt = ip6e->ip6e_nxt; break; default: -DPRINTF(("%s: unexpected IPv6 header type %d\n", -__func__, off)); error6: if (alloc) free(ptr, M_XDATA); @@ -495,8 +486,7 @@ error6: /* Copyback and free, if we allocated. */ if (alloc) { - m_copyback(m, sizeof(struct ip6_hdr), - skip - sizeof(struct ip6_hdr), ptr); + m_copyback(m, sizeof(struct ip6_hdr), ip6optlen, ptr); free(ptr, M_XDATA); }
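Review bot: The `default:` branch of the extension-header switch lost its DPRINTF, so an unexpected IPv6 header type in an AH-protected packet now fails silently via `error6`; the removed message was itself wrong (it printed `off`, not the type), so restore it corrected: `DPRINTF(("%s: unexpected IPv6 header type %d\n", __func__, nxt));` immediately before `error6:`. Hoisting `noff = off + ((ip6e->ip6e_len + 1) << 3)` above the switch means the length is now computed for every nxt, including any header type whose second byte is not a length; the default case still rejects those, so it is harmless, but a one-line comment saying so would stop the next reader from "fixing" it. The added `off + sizeof(*ip6e) > ip6optlen` guard mixes int and size_t; off is never negative here, so the unsigned promotion is safe. ah_massage_headers starts and ends outside these hunks.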
CVS commit: src/sys/netipsec
Module Name:src Committed By: ozaki-r Date: Tue May 29 09:25:44 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c Log Message: Fix non-INET6 builds To generate a diff of this commit: cvs rdiff -u -r1.101 -r1.102 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.101 src/sys/netipsec/xform_ah.c:1.102 --- src/sys/netipsec/xform_ah.c:1.101 Fri May 18 19:02:49 2018 +++ src/sys/netipsec/xform_ah.c Tue May 29 09:25:44 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.101 2018/05/18 19:02:49 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.102 2018/05/29 09:25:44 ozaki-r Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.101 2018/05/18 19:02:49 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.102 2018/05/29 09:25:44 ozaki-r Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -266,11 +266,12 @@ ah_massage_headers(struct mbuf **m0, int { struct mbuf *m = *m0; unsigned char *ptr; - int off, count, optlen; + int off, optlen; #ifdef INET struct ip *ip; #endif #ifdef INET6 + int count; struct ip6_ext *ip6e; struct ip6_hdr ip6; int alloc, nxt;
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Fri May 18 19:02:49 UTC 2018 Modified Files: src/sys/netipsec: ipsec_input.c xform_ah.c xform_esp.c Log Message: IP6_EXTHDR_GET -> M_REGION_GET, no functional change. To generate a diff of this commit: cvs rdiff -u -r1.69 -r1.70 src/sys/netipsec/ipsec_input.c cvs rdiff -u -r1.100 -r1.101 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.88 -r1.89 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.69 src/sys/netipsec/ipsec_input.c:1.70 --- src/sys/netipsec/ipsec_input.c:1.69 Sun Apr 29 14:54:09 2018 +++ src/sys/netipsec/ipsec_input.c Fri May 18 19:02:49 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.69 2018/04/29 14:54:09 maxv Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.70 2018/05/18 19:02:49 maxv Exp $ */ /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.69 2018/04/29 14:54:09 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.70 2018/05/18 19:02:49 maxv Exp $"); /* * IPsec input processing. @@ -139,7 +139,7 @@ ipsec4_fixup_checksum(struct mbuf *m) switch (ip->ip_p) { case IPPROTO_TCP: - IP6_EXTHDR_GET(th, struct tcphdr *, m, poff, sizeof(*th)); + M_REGION_GET(th, struct tcphdr *, m, poff, sizeof(*th)); if (th == NULL) return NULL; off = th->th_off << 2; 
@@ -151,7 +151,7 @@ ipsec4_fixup_checksum(struct mbuf *m) th->th_sum = in4_cksum(m, IPPROTO_TCP, poff, plen); break; case IPPROTO_UDP: - IP6_EXTHDR_GET(uh, struct udphdr *, m, poff, sizeof(*uh)); + M_REGION_GET(uh, struct udphdr *, m, poff, sizeof(*uh)); if (uh == NULL) return NULL; off = sizeof(*uh); Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.100 src/sys/netipsec/xform_ah.c:1.101 --- src/sys/netipsec/xform_ah.c:1.100 Sun May 13 18:34:59 2018 +++ src/sys/netipsec/xform_ah.c Fri May 18 19:02:49 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.100 2018/05/13 18:34:59 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.101 2018/05/18 19:02:49 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.100 2018/05/13 18:34:59 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.101 2018/05/18 19:02:49 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -530,7 +530,7 @@ ah_input(struct mbuf *m, struct secasvar rplen = HDRSIZE(sav); /* XXX don't pullup, just copy header */ - IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); + M_REGION_GET(ah, struct newah *, m, skip, rplen); if (ah == NULL) { /* m already freed */ return ENOBUFS; Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.88 src/sys/netipsec/xform_esp.c:1.89 --- src/sys/netipsec/xform_esp.c:1.88 Sun May 13 18:34:59 2018 +++ src/sys/netipsec/xform_esp.c Fri May 18 19:02:49 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.88 2018/05/13 18:34:59 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.89 2018/05/18 19:02:49 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ 
@@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.88 2018/05/13 18:34:59 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.89 2018/05/18 19:02:49 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -309,7 +309,7 @@ esp_input(struct mbuf *m, struct secasva skip, m->m_pkthdr.len); /* XXX don't pullup, just copy header */ - IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof(struct newesp)); + M_REGION_GET(esp, struct newesp *, m, skip, sizeof(struct newesp)); if (esp == NULL) { /* m already freed */ return ENOBUFS;
CVS commit: src/sys/netipsec
Module Name:src Committed By: ozaki-r Date: Mon May 14 02:16:30 UTC 2018 Modified Files: src/sys/netipsec: xform_tcp.c Log Message: Restore TCP header inclusions for TCP_SIGNATURE To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/sys/netipsec/xform_tcp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_tcp.c diff -u src/sys/netipsec/xform_tcp.c:1.20 src/sys/netipsec/xform_tcp.c:1.21 --- src/sys/netipsec/xform_tcp.c:1.20 Fri May 11 13:50:38 2018 +++ src/sys/netipsec/xform_tcp.c Mon May 14 02:16:29 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_tcp.c,v 1.20 2018/05/11 13:50:38 maxv Exp $ */ +/* $NetBSD: xform_tcp.c,v 1.21 2018/05/14 02:16:29 ozaki-r Exp $ */ /* $FreeBSD: xform_tcp.c,v 1.1.2.1 2004/02/14 22:24:09 bms Exp $ */ /* @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.20 2018/05/11 13:50:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.21 2018/05/14 02:16:29 ozaki-r Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -49,6 +49,11 @@ __KERNEL_RCSID(0, "$NetBSD: xform_tcp.c, #include #include #include +#ifdef TCP_SIGNATURE +#include +#include +#include +#endif #include #include
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sun May 13 18:34:59 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c xform_esp.c xform_ipcomp.c Log Message: Remove unused calls to nat_t_ports_get. To generate a diff of this commit: cvs rdiff -u -r1.99 -r1.100 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.87 -r1.88 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.65 -r1.66 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.99 src/sys/netipsec/xform_ah.c:1.100 --- src/sys/netipsec/xform_ah.c:1.99 Fri May 11 15:43:07 2018 +++ src/sys/netipsec/xform_ah.c Sun May 13 18:34:59 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.99 2018/05/11 15:43:07 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.100 2018/05/13 18:34:59 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.99 2018/05/11 15:43:07 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.100 2018/05/13 18:34:59 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -725,8 +725,6 @@ ah_input_cb(struct cryptop *crp) uint8_t nxt; char *ptr; int authsize; - uint16_t dport; - uint16_t sport; bool pool_used; size_t size; IPSEC_DECLARE_LOCK_VARIABLE; @@ -738,9 +736,6 @@ ah_input_cb(struct cryptop *crp) protoff = tc->tc_protoff; m = crp->crp_buf; - /* find the source port for NAT-T */ - nat_t_ports_get(m, &dport, &sport); - IPSEC_ACQUIRE_GLOBAL_LOCKS(); sav = tc->tc_sav; Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.87 src/sys/netipsec/xform_esp.c:1.88 --- src/sys/netipsec/xform_esp.c:1.87 Fri May 11 15:43:07 2018 +++ src/sys/netipsec/xform_esp.c Sun May 13 18:34:59 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.87 2018/05/11 15:43:07 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.88 2018/05/13 18:34:59 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.87 2018/05/11 15:43:07 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.88 2018/05/13 18:34:59 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -509,8 +509,6 @@ esp_input_cb(struct cryptop *crp) struct secasvar *sav; struct secasindex *saidx; void *ptr; - uint16_t dport; - uint16_t sport; IPSEC_DECLARE_LOCK_VARIABLE; KASSERT(crp->crp_desc != NULL); @@ -521,9 +519,6 @@ esp_input_cb(struct cryptop *crp) protoff = tc->tc_protoff; m = crp->crp_buf; - /* find the source port for NAT-T */ - nat_t_ports_get(m, &dport, &sport); - IPSEC_ACQUIRE_GLOBAL_LOCKS(); sav = tc->tc_sav; Index: src/sys/netipsec/xform_ipcomp.c diff -u src/sys/netipsec/xform_ipcomp.c:1.65 src/sys/netipsec/xform_ipcomp.c:1.66 --- src/sys/netipsec/xform_ipcomp.c:1.65 Mon May 7 09:16:46 2018 +++ src/sys/netipsec/xform_ipcomp.c Sun May 13 18:34:59 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.65 2018/05/07 09:16:46 maxv Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.66 2018/05/13 18:34:59 maxv Exp $ */ /* $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.65 2018/05/07 09:16:46 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.66 2018/05/13 18:34:59 maxv Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) 
@@ -250,8 +250,6 @@ ipcomp_input_cb(struct cryptop *crp) int hlen = IPCOMP_HLENGTH, error, clen; uint8_t nproto; struct ipcomp *ipc; - uint16_t dport; - uint16_t sport; IPSEC_DECLARE_LOCK_VARIABLE; KASSERT(crp->crp_opaque != NULL); @@ -260,9 +258,6 @@ ipcomp_input_cb(struct cryptop *crp) protoff = tc->tc_protoff; m = crp->crp_buf; - /* find the source port for NAT-T */ - nat_t_ports_get(m, &dport, &sport); - IPSEC_ACQUIRE_GLOBAL_LOCKS(); sav = tc->tc_sav;
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Fri May 11 15:43:07 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c xform_esp.c Log Message: ENOBUFS -> EACCES when updating the replay counter. To generate a diff of this commit: cvs rdiff -u -r1.98 -r1.99 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.86 -r1.87 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.98 src/sys/netipsec/xform_ah.c:1.99 --- src/sys/netipsec/xform_ah.c:1.98 Mon May 7 09:16:46 2018 +++ src/sys/netipsec/xform_ah.c Fri May 11 15:43:07 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.98 2018/05/07 09:16:46 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.99 2018/05/11 15:43:07 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.98 2018/05/07 09:16:46 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.99 2018/05/11 15:43:07 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -837,7 +837,7 @@ ah_input_cb(struct cryptop *crp) sizeof(seq), &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { AH_STATINC(AH_STAT_REPLAY); - error = ENOBUFS; /* XXX */ + error = EACCES; goto bad; } } Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.86 src/sys/netipsec/xform_esp.c:1.87 --- src/sys/netipsec/xform_esp.c:1.86 Mon May 7 09:16:46 2018 +++ src/sys/netipsec/xform_esp.c Fri May 11 15:43:07 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.86 2018/05/07 09:16:46 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.87 2018/05/11 15:43:07 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ 
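Review bot: The AH replay branch now returns EACCES but, unlike the ESP branch in this same commit, logs nothing before `AH_STATINC(AH_STAT_REPLAY)`; a replay hit is an attack signal that someone building a detection wants in the debug log, not only in a counter. For parity with esp_input_cb add `DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav, logbuf, sizeof(logbuf))));` ahead of the stat increment, declaring a logbuf sized like the ESP one if ah_input_cb does not already have it (its declarations are outside this hunk). The EACCES change itself is an improvement: ENOBUFS read as a resource failure for what is a policy rejection. ah_input_cb begins outside this hunk.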
@@ -39,7 +39,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.86 2018/05/07 09:16:46 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.87 2018/05/11 15:43:07 maxv Exp $");

 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -607,7 +607,7 @@ esp_input_cb(struct cryptop *crp)
 DPRINTF(("%s: packet replay check for %s\n", __func__,
 ipsec_logsastr(sav, logbuf, sizeof(logbuf;
 ESP_STATINC(ESP_STAT_REPLAY);
- error = ENOBUFS;
+ error = EACCES;
 goto bad;
 }
 }
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Fri May 11 13:50:38 UTC 2018 Modified Files: src/sys/netipsec: xform_tcp.c Log Message: Clean up, and panic if we call functions that are not supposed to be called. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/sys/netipsec/xform_tcp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_tcp.c diff -u src/sys/netipsec/xform_tcp.c:1.19 src/sys/netipsec/xform_tcp.c:1.20 --- src/sys/netipsec/xform_tcp.c:1.19 Mon May 7 09:16:46 2018 +++ src/sys/netipsec/xform_tcp.c Fri May 11 13:50:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_tcp.c,v 1.19 2018/05/07 09:16:46 maxv Exp $ */ +/* $NetBSD: xform_tcp.c,v 1.20 2018/05/11 13:50:38 maxv Exp $ */ /* $FreeBSD: xform_tcp.c,v 1.1.2.1 2004/02/14 22:24:09 bms Exp $ */ /* @@ -28,10 +28,13 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* TCP MD5 Signature Option (RFC2385) */ +/* + * TCP MD5 Signature Option (RFC2385). Dummy code, everything is handled + * in TCP directly. + */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.19 2018/05/07 09:16:46 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.20 2018/05/11 13:50:38 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -40,29 +43,16 @@ __KERNEL_RCSID(0, "$NetBSD: xform_tcp.c, #include #include #include -#include -#include #include -#include -#include #include #include #include #include -#include -#include -#include -#include #include #include -#ifdef INET6 -#include -#include -#endif - #include #include 
@@ -94,35 +84,29 @@ tcpsignature_init(struct secasvar *sav, if (sav->spi != htonl(TCP_SIG_SPI)) { DPRINTF(("%s: SPI %x must be TCP_SIG_SPI (0x1000)\n", __func__, sav->alg_auth)); - return (EINVAL); + return EINVAL; } if (sav->alg_auth != SADB_X_AALG_TCP_MD5) { DPRINTF(("%s: unsupported authentication algorithm %u\n", __func__, sav->alg_auth)); - return (EINVAL); + return EINVAL; } if (sav->key_auth == NULL) { DPRINTF(("%s: no authentication key present\n", __func__)); - return (EINVAL); + return EINVAL; } keylen = _KEYLEN(sav->key_auth); if ((keylen < TCP_KEYLEN_MIN) || (keylen > TCP_KEYLEN_MAX)) { DPRINTF(("%s: invalid key length %u\n", __func__, keylen)); - return (EINVAL); + return EINVAL; } - return (0); + return 0; } -/* - * Paranoia. - * - * Called when the SA is deleted. - */ static int tcpsignature_zeroize(struct secasvar *sav) { - if (sav->key_auth) { explicit_memset(_KEYBUF(sav->key_auth), 0, _KEYLEN(sav->key_auth)); @@ -132,33 +116,21 @@ tcpsignature_zeroize(struct secasvar *sa sav->tdb_authalgxform = NULL; sav->tdb_xform = NULL; - return (0); + return 0; } -/* - * Verify that an input packet passes authentication. - * Called from the ipsec layer. - * We do this from within tcp itself, so this routine is just a stub. - */ static int tcpsignature_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - /* XXX m_freem(m)? */ - return (0); + panic("%s: should not have been called", __func__); } -/* - * Prepend the authentication header. - * Called from the ipsec layer. - * We do this from within tcp itself, so this routine is just a stub. - */ static int tcpsignature_output(struct mbuf *m, const struct ipsecrequest *isr, struct secasvar *sav, int skip, int protoff) { - - return (EINVAL); + panic("%s: should not have been called", __func__); } static struct xformsw tcpsignature_xformsw = { @@ -175,6 +147,5 @@ static struct xformsw tcpsignature_xform void tcpsignature_attach(void) { - xform_register(&tcpsignature_xformsw); }
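Review bot: Turning the tcpsignature_input/tcpsignature_output stubs into `panic()` converts a should-never-happen path into a kernel crash that would be reachable from the network if any SA lookup keyed only by SPI can hand a TCP_SIG_SPI SA to the generic xf_input/xf_output dispatch; that lookup lives outside this file, so this is a question to confirm rather than a finding. If the callers genuinely cannot reach these, `KASSERTMSG(false, "%s: should not have been called", __func__);` followed by `return EINVAL;` documents the invariant on DIAGNOSTIC kernels without a release-kernel DoS, and the old `/* XXX m_freem(m)? */` shows mbuf ownership on the input side was never settled, so whichever form is kept should say who frees m. Separately, the SPI-mismatch message in tcpsignature_init prints the wrong value: `DPRINTF(("%s: SPI %x must be TCP_SIG_SPI (0x1000)\n", __func__, sav->alg_auth));` should pass `ntohl(sav->spi)`. tcpsignature_init starts outside this hunk.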
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu May 10 05:15:14 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Replace dumb code by M_VERIFY_PACKET. In fact, perhaps we should not even call M_VERIFY_PACKET here, there is no particular reason for this place to be more wrong than the rest. To generate a diff of this commit: cvs rdiff -u -r1.162 -r1.163 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.162 src/sys/netipsec/ipsec.c:1.163 --- src/sys/netipsec/ipsec.c:1.162 Thu May 10 05:08:53 2018 +++ src/sys/netipsec/ipsec.c Thu May 10 05:15:14 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.162 2018/05/10 05:08:53 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.163 2018/05/10 05:15:14 maxv Exp $ */ /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.162 2018/05/10 05:08:53 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.163 2018/05/10 05:15:14 maxv Exp $"); /* * IPsec controller part. @@ -814,29 +814,10 @@ ipsec_setspidx(struct mbuf *m, struct se struct ip *ip = NULL; struct ip ipbuf; u_int v; - struct mbuf *n; - int len; int error; KASSERT(m != NULL); - - /* - * validate m->m_pkthdr.len. we see incorrect length if we - * mistakenly call this function with inconsistent mbuf chain - * (like 4.4BSD tcp/udp processing). - * - * XXX XXX XXX: We should remove this. - */ - len = 0; - for (n = m; n; n = n->m_next) - len += n->m_len; - if (m->m_pkthdr.len != len) { - KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP, - "total of m_len(%d) != pkthdr.len(%d), ignored.\n", - len, m->m_pkthdr.len); - KASSERTMSG(0, "impossible"); - return EINVAL; - } + M_VERIFY_PACKET(m); if (m->m_pkthdr.len < sizeof(struct ip)) { KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
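Review bot: The removed loop rejected a chain whose summed `m_len` disagreed with `m_pkthdr.len` with EINVAL in every kernel, whereas `M_VERIFY_PACKET(m)` reads like an assertion that may compile to nothing on non-DIAGNOSTIC builds (its definition is not visible here); if so, the `m->m_pkthdr.len < sizeof(struct ip)` check that follows now trusts a pkthdr.len nothing has validated. The commit message already says this spot is no more special than the rest, which argues for stating the contract rather than leaving it implicit: `M_VERIFY_PACKET(m); /* callers must pass a consistent chain; pkthdr.len is trusted below */`. ipsec_setspidx continues outside this hunk.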
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed May 9 07:33:31 UTC 2018 Modified Files: src/sys/netipsec: ipsecif.c Log Message: static const on ipsecif4_encapsw To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/sys/netipsec/ipsecif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsecif.c diff -u src/sys/netipsec/ipsecif.c:1.8 src/sys/netipsec/ipsecif.c:1.9 --- src/sys/netipsec/ipsecif.c:1.8 Fri Apr 27 09:55:28 2018 +++ src/sys/netipsec/ipsecif.c Wed May 9 07:33:31 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsecif.c,v 1.8 2018/04/27 09:55:28 knakahara Exp $ */ +/* $NetBSD: ipsecif.c,v 1.9 2018/05/09 07:33:31 maxv Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.8 2018/04/27 09:55:28 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.9 2018/05/09 07:33:31 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -91,7 +91,7 @@ static int ip6_ipsec_pmtu = 0; /* XXX: p static int ip6_ipsec_copy_tos = 0; #endif -struct encapsw ipsecif4_encapsw = { +static const struct encapsw ipsecif4_encapsw = { .encapsw4 = { .pr_input = ipsecif4_input, .pr_ctlinput = NULL,
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon May 7 09:33:51 UTC 2018 Modified Files: src/sys/netipsec: ipsec_output.c xform_ipip.c Log Message: Remove a dummy reference to XF_IP4, explain briefly why we don't use ipe4_xformsw, and remove unused includes. To generate a diff of this commit: cvs rdiff -u -r1.77 -r1.78 src/sys/netipsec/ipsec_output.c cvs rdiff -u -r1.73 -r1.74 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.77 src/sys/netipsec/ipsec_output.c:1.78 --- src/sys/netipsec/ipsec_output.c:1.77 Mon May 7 09:25:04 2018 +++ src/sys/netipsec/ipsec_output.c Mon May 7 09:33:51 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.77 2018/05/07 09:25:04 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.78 2018/05/07 09:33:51 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.77 2018/05/07 09:25:04 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.78 2018/05/07 09:33:51 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -534,10 +534,6 @@ noneed: /* Do the appropriate encapsulation, if necessary */ if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ dst->sa.sa_family != AF_INET || /* PF mismatch */ -#if 0 - (sav->flags & SADB_X_SAFLAGS_TUNNEL) || /* Tunnel requ'd */ - sav->tdb_xform->xf_type == XF_IP4 ||/* ditto */ -#endif (dst->sa.sa_family == AF_INET && /* Proxy */ dst->sin.sin_addr.s_addr != INADDR_ANY && dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) { Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.73 src/sys/netipsec/xform_ipip.c:1.74 --- src/sys/netipsec/xform_ipip.c:1.73 Mon May 7 09:25:04 2018 +++ src/sys/netipsec/xform_ipip.c Mon May 7 09:33:51 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.73 2018/05/07 09:25:04 maxv Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.74 2018/05/07 09:33:51 maxv Exp $ */ /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,26 +39,27 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.73 2018/05/07 09:25:04 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.74 2018/05/07 09:33:51 maxv Exp $"); -/* - * IP-inside-IP processing - */ #if defined(_KERNEL_OPT) #include "opt_inet.h" #endif +/* + * IP-inside-IP processing. + * + * The input point is encapsw{4,6}, called via the encap callback. The + * output point is ipip_output, called directly. XF_IP4 has no more + * meaning here, ipe4_xformsw is dummy. + */ + #include #include #include -#include #include #include -#include #include -#include -#include #include #include
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon May 7 09:25:04 UTC 2018 Modified Files: src/sys/netipsec: ipsec_output.c xform.h xform_ipip.c Log Message: Remove now unused 'isr', 'skip' and 'protoff' arguments from ipip_output. To generate a diff of this commit: cvs rdiff -u -r1.76 -r1.77 src/sys/netipsec/ipsec_output.c cvs rdiff -u -r1.18 -r1.19 src/sys/netipsec/xform.h cvs rdiff -u -r1.72 -r1.73 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.76 src/sys/netipsec/ipsec_output.c:1.77 --- src/sys/netipsec/ipsec_output.c:1.76 Mon May 7 09:16:46 2018 +++ src/sys/netipsec/ipsec_output.c Mon May 7 09:25:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.76 2018/05/07 09:16:46 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.77 2018/05/07 09:25:04 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.76 2018/05/07 09:16:46 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.77 2018/05/07 09:25:04 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -550,7 +550,7 @@ noneed: ip->ip_sum = in_cksum(m, ip->ip_hl << 2); /* Encapsulate the packet */ - error = ipip_output(m, isr, sav, &mp, 0, 0); + error = ipip_output(m, sav, &mp); if (mp == NULL && !error) { /* Should never happen. */ IPSECLOG(LOG_DEBUG, 
@@ -763,7 +763,7 @@ ipsec6_process_packet(struct mbuf *m, co ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); /* Encapsulate the packet */ - error = ipip_output(m, isr, sav, &mp, 0, 0); + error = ipip_output(m, sav, &mp); if (mp == NULL && !error) { /* Should never happen. */ IPSECLOG(LOG_DEBUG, Index: src/sys/netipsec/xform.h diff -u src/sys/netipsec/xform.h:1.18 src/sys/netipsec/xform.h:1.19 --- src/sys/netipsec/xform.h:1.18 Mon May 7 09:16:46 2018 +++ src/sys/netipsec/xform.h Mon May 7 09:25:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.h,v 1.18 2018/05/07 09:16:46 maxv Exp $ */ +/* $NetBSD: xform.h,v 1.19 2018/05/07 09:25:04 maxv Exp $ */ /* $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */ /* @@ -90,8 +90,7 @@ int xform_init(struct secasvar *sav, int struct cryptoini; /* XF_IP4 */ -int ipip_output(struct mbuf *, const struct ipsecrequest *, struct secasvar *, -struct mbuf **, int, int); +int ipip_output(struct mbuf *, struct secasvar *, struct mbuf **); /* XF_AH */ int ah_init0(struct secasvar *, const struct xformsw *, struct cryptoini *); Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.72 src/sys/netipsec/xform_ipip.c:1.73 --- src/sys/netipsec/xform_ipip.c:1.72 Mon May 7 09:16:46 2018 +++ src/sys/netipsec/xform_ipip.c Mon May 7 09:25:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.72 2018/05/07 09:16:46 maxv Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.73 2018/05/07 09:25:04 maxv Exp $ */ /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.72 2018/05/07 09:16:46 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.73 2018/05/07 09:25:04 maxv Exp $"); /* * IP-inside-IP processing 
@@ -316,8 +316,7 @@ _ipip_input(struct mbuf *m, int iphlen) } int -ipip_output(struct mbuf *m, const struct ipsecrequest *isr, -struct secasvar *sav, struct mbuf **mp, int skip, int protoff) +ipip_output(struct mbuf *m, struct secasvar *sav, struct mbuf **mp) { char buf[IPSEC_ADDRSTRLEN]; uint8_t tp, otos;
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon May 7 09:16:46 UTC 2018 Modified Files: src/sys/netipsec: ipsec_output.c xform.h xform_ah.c xform_esp.c xform_ipcomp.c xform_ipip.c xform_tcp.c Log Message: Remove unused 'mp' argument from all the xf_output functions. Also clean up xform.h a bit. To generate a diff of this commit: cvs rdiff -u -r1.75 -r1.76 src/sys/netipsec/ipsec_output.c cvs rdiff -u -r1.17 -r1.18 src/sys/netipsec/xform.h cvs rdiff -u -r1.97 -r1.98 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.85 -r1.86 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.64 -r1.65 src/sys/netipsec/xform_ipcomp.c cvs rdiff -u -r1.71 -r1.72 src/sys/netipsec/xform_ipip.c cvs rdiff -u -r1.18 -r1.19 src/sys/netipsec/xform_tcp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.75 src/sys/netipsec/ipsec_output.c:1.76 --- src/sys/netipsec/ipsec_output.c:1.75 Tue May 1 05:42:26 2018 +++ src/sys/netipsec/ipsec_output.c Mon May 7 09:16:46 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.75 2018/05/01 05:42:26 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.76 2018/05/07 09:16:46 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.75 2018/05/01 05:42:26 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.76 2018/05/07 09:16:46 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -604,7 +604,7 @@ noneed: i = sizeof(struct ip6_hdr); off = offsetof(struct ip6_hdr, ip6_nxt); } - error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off); + error = (*sav->tdb_xform->xf_output)(m, isr, sav, i, off); } else { error = ipsec_process_done(m, isr, sav); } 
@@ -794,7 +794,7 @@ ipsec6_process_packet(struct mbuf *m, co if (error) goto unrefsav; } - error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off); + error = (*sav->tdb_xform->xf_output)(m, isr, sav, i, off); KEY_SA_UNREF(&sav); splx(s); return error; Index: src/sys/netipsec/xform.h diff -u src/sys/netipsec/xform.h:1.17 src/sys/netipsec/xform.h:1.18 --- src/sys/netipsec/xform.h:1.17 Mon May 7 09:08:06 2018 +++ src/sys/netipsec/xform.h Mon May 7 09:16:46 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.h,v 1.17 2018/05/07 09:08:06 maxv Exp $ */ +/* $NetBSD: xform.h,v 1.18 2018/05/07 09:16:46 maxv Exp $ */ /* $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */ /* 
@@ -64,30 +64,28 @@ struct tdb_crypto { struct ipescrequest; struct xformsw { - u_short xf_type; /* xform ID */ + u_short xf_type; #define XF_IP4 1 /* IP inside IP */ #define XF_AH 2 /* AH */ #define XF_ESP 3 /* ESP */ #define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */ #define XF_IPCOMP 6 /* IPCOMP */ - u_short xf_flags; + u_short xf_flags; #define XFT_AUTH 0x0001 #define XFT_CONF 0x0100 #define XFT_COMP 0x1000 - const char *xf_name; /* human-readable name */ - int (*xf_init)(struct secasvar*, const struct xformsw*);/* setup */ - int (*xf_zeroize)(struct secasvar*); /* cleanup */ - int (*xf_input)(struct mbuf*, struct secasvar*, /* input */ - int, int); - int (*xf_output)(struct mbuf*, /* output */ - const struct ipsecrequest *, struct secasvar *, - struct mbuf **, int, int); - struct xformsw *xf_next; /* list of registered xforms */ + const char *xf_name; + int (*xf_init)(struct secasvar *, const struct xformsw *); + int (*xf_zeroize)(struct secasvar *); + int (*xf_input)(struct mbuf *, struct secasvar *, int, int); + int (*xf_output)(struct mbuf *, const struct ipsecrequest *, + struct secasvar *, int, int); + struct xformsw *xf_next; /* list of registered xforms */ }; #ifdef _KERNEL -extern void xform_register(struct xformsw*); -extern int xform_init(struct secasvar *sav, int xftype); +void xform_register(struct xformsw *); +int xform_init(struct secasvar *sav, int); struct cryptoini; 
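Review bot: The rewritten struct xformsw in xform.h drops the per-member comments (`/* xform ID */`, `/* human-readable name */`, `/* setup */`, `/* cleanup */`, `/* input */`, `/* output */`) and keeps only the one on xf_next, so the header now documents a single field of the dispatch table. A one-line comment above the struct naming it as the per-transform dispatch table, plus the short role comments on xf_init/xf_zeroize/xf_input/xf_output, would preserve what was lost; the re-indentation itself is fine. Separately, the context line `struct ipescrequest;` just above the struct looks like a misspelling of the `ipsecrequest` tag used in the new xf_output prototype; it is presumably harmless only because the real declaration comes from an earlier include, so it is worth correcting while this block is being touched.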
@@ -97,16 +95,16 @@ int ipip_output(struct mbuf *, const str /* XF_AH */ int ah_init0(struct secasvar *, const struct xformsw *, struct cryptoini *); -int ah_zeroize(struct secasvar *sav); -const struct auth_hash *ah_algorithm_lookup(int alg); +int ah_zeroize(struct secasvar *); +const struct auth_hash *ah_algorithm_lookup(int); size_t ah_hdrsiz(const struct secasvar *); /* XF_ESP */ -const struct enc_xform *esp_algorithm_lookup(int alg); -size_t esp_hdrsiz(const struct secasvar *sav); +const struct enc_xform *esp_algorithm_lookup(int); +size_t esp_hdrsiz(const struct secasvar *); /* XF_COMP */ -const struct comp_algo *ipcomp_algorithm_lookup(int alg); +const struct comp_algo *ipcomp_algorithm_lookup(int); #endif /* _KERNEL */ #endif /* !_NETIPSEC_XFORM_H_ */ Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netip
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon May 7 09:08:06 UTC 2018 Modified Files: src/sys/netipsec: xform.h xform_ipip.c Log Message: Clarify IPIP: ipe4_xformsw is not allowed to call ipip_output, so replace the pointer by ipe4_output, which just panics. Group the ipe4_* functions together. Localify other functions. ok ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/sys/netipsec/xform.h cvs rdiff -u -r1.70 -r1.71 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform.h diff -u src/sys/netipsec/xform.h:1.16 src/sys/netipsec/xform.h:1.17 --- src/sys/netipsec/xform.h:1.16 Tue May 1 08:08:46 2018 +++ src/sys/netipsec/xform.h Mon May 7 09:08:06 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.h,v 1.16 2018/05/01 08:08:46 maxv Exp $ */ +/* $NetBSD: xform.h,v 1.17 2018/05/07 09:08:06 maxv Exp $ */ /* $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */ /* @@ -92,8 +92,6 @@ extern int xform_init(struct secasvar *s struct cryptoini; /* XF_IP4 */ -int ip4_input6(struct mbuf **m, int *offp, int proto, void *); -void ip4_input(struct mbuf *m, int, int, void *); int ipip_output(struct mbuf *, const struct ipsecrequest *, struct secasvar *, struct mbuf **, int, int); Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.70 src/sys/netipsec/xform_ipip.c:1.71 --- src/sys/netipsec/xform_ipip.c:1.70 Sun Apr 29 14:35:35 2018 +++ src/sys/netipsec/xform_ipip.c Mon May 7 09:08:06 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.71 2018/05/07 09:08:06 maxv Exp $ */ /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ 
@@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.71 2018/05/07 09:08:06 maxv Exp $"); /* * IP-inside-IP processing @@ -90,12 +90,10 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c int ipip_spoofcheck = 1; percpu_t *ipipstat_percpu; -void ipe4_attach(void); - static void _ipip_input(struct mbuf *, int); #ifdef INET6 -int +static int ip4_input6(struct mbuf **m, int *offp, int proto, void *eparg __unused) { _ipip_input(*m, *offp); @@ -104,7 +102,7 @@ ip4_input6(struct mbuf **m, int *offp, i #endif #ifdef INET -void +static void ip4_input(struct mbuf *m, int off, int proto, void *eparg __unused) { _ipip_input(m, off); @@ -517,6 +515,40 @@ bad: return error; } +#ifdef INET +static struct encapsw ipe4_encapsw = { + .encapsw4 = { + .pr_input = ip4_input, + .pr_ctlinput = NULL, + } +}; +#endif +#ifdef INET6 +static struct encapsw ipe4_encapsw6 = { + .encapsw6 = { + .pr_input = ip4_input6, + .pr_ctlinput = NULL, + } +}; +#endif + +/* + * Check the encapsulated packet to see if we want it + */ +static int +ipe4_encapcheck(struct mbuf *m, int off, int proto, void *arg) +{ + /* + * Only take packets coming from IPSEC tunnels; the rest + * must be handled by the gif tunnel code. Note that we + * also return a minimum priority when we want the packet + * so any explicit gif tunnels take precedence. + */ + return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); +} + +/* -- */ + static int ipe4_init(struct secasvar *sav, const struct xformsw *xsp) { @@ -541,6 +573,13 @@ ipe4_input(struct mbuf *m, struct secasv return EOPNOTSUPP; } +static int +ipe4_output(struct mbuf *m, const struct ipsecrequest *isr, +struct secasvar *sav, struct mbuf **mp, int skip, int protoff) +{ + panic("%s: should not have been called", __func__); +} + static struct xformsw ipe4_xformsw = { .xf_type = XF_IP4, .xf_flags = 0, 
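Review bot: ipe4_output in xform_ipip.c takes six parameters it never reads; this file already tags such parameters with `__unused` (`eparg __unused` on ip4_input/ip4_input6 in the same hunk), so the same annotation belongs on the new stub to keep -Wunused-parameter builds clean. The stub also relies on panic() being declared no-return to avoid a missing-return warning in an int function, which holds in this tree but deserves a one-line comment saying why the stub exists, e.g. `/* XF_IP4 is never used as an output xform: ipsec_output.c calls ipip_output directly. */` (the direct `error = ipip_output(...)` calls are visible in the ipsec_output.c hunks on this page). The moved ipe4_encapcheck comment still says it returns "a minimum priority" while the function returns only 1 or 0; that mismatch predates this commit but is carried over verbatim.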
@@ -548,41 +587,11 @@ static struct xformsw ipe4_xformsw = { .xf_init = ipe4_init, .xf_zeroize = ipe4_zeroize, .xf_input = ipe4_input, - .xf_output = ipip_output, + .xf_output = ipe4_output, .xf_next = NULL, }; -#ifdef INET -static struct encapsw ipe4_encapsw = { - .encapsw4 = { - .pr_input = ip4_input, - .pr_ctlinput = NULL, - } -}; -#endif -#ifdef INET6 -static struct encapsw ipe4_encapsw6 = { - .encapsw6 = { - .pr_input = ip4_input6, - .pr_ctlinput = NULL, - } -}; -#endif - -/* - * Check the encapsulated packet to see if we want it - */ -static int -ipe4_encapcheck(struct mbuf *m, int off, int proto, void *arg) -{ - /* - * Only take packets coming from IPSEC tunnels; the rest - * must be handled by the gif tunnel code. Note that we - * also return a minimum priority when we want the packet - * so any explicit gif tunnels take precedence. - */ - return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); -} +/* --
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue May 1 08:34:08 UTC 2018 Modified Files: src/sys/netipsec: ipsec.h Log Message: Remove some more dead code. To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 src/sys/netipsec/ipsec.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.h diff -u src/sys/netipsec/ipsec.h:1.79 src/sys/netipsec/ipsec.h:1.80 --- src/sys/netipsec/ipsec.h:1.79 Sun Apr 29 11:51:08 2018 +++ src/sys/netipsec/ipsec.h Tue May 1 08:34:08 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.h,v 1.79 2018/04/29 11:51:08 maxv Exp $ */ +/* $NetBSD: ipsec.h,v 1.80 2018/05/01 08:34:08 maxv Exp $ */ /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ @@ -61,12 +61,6 @@ struct secpolicyindex { u_int8_t prefs; /* prefix length in bits for src */ u_int8_t prefd; /* prefix length in bits for dst */ u_int16_t ul_proto; /* upper layer Protocol */ -#ifdef notyet - uid_t uids; - uid_t uidd; - gid_t gids; - gid_t gidd; -#endif }; /* Security Policy Data Base */
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue May 1 08:27:13 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c xform_esp.c Log Message: When IP6_EXTHDR_GET fails, return ENOBUFS, and don't log an error (HDROPS is not supposed to be used here). To generate a diff of this commit: cvs rdiff -u -r1.96 -r1.97 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.84 -r1.85 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.96 src/sys/netipsec/xform_ah.c:1.97 --- src/sys/netipsec/xform_ah.c:1.96 Tue May 1 08:16:34 2018 +++ src/sys/netipsec/xform_ah.c Tue May 1 08:27:13 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.96 2018/05/01 08:16:34 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.97 2018/05/01 08:27:13 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.96 2018/05/01 08:16:34 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.97 2018/05/01 08:27:13 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -532,10 +532,8 @@ ah_input(struct mbuf *m, struct secasvar /* XXX don't pullup, just copy header */ IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); if (ah == NULL) { - DPRINTF(("%s: cannot pullup header\n", __func__)); - error = ENOBUFS; - stat = AH_STAT_HDROPS; /*XXX*/ - goto bad; + /* m already freed */ + return ENOBUFS; } nxt = ah->ah_nxt; Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.84 src/sys/netipsec/xform_esp.c:1.85 --- src/sys/netipsec/xform_esp.c:1.84 Tue May 1 08:16:34 2018 +++ src/sys/netipsec/xform_esp.c Tue May 1 08:27:13 2018 
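Review bot: The new early `return ENOBUFS` in ah_input no longer passes through the `bad:` label that the removed lines jumped to, so whatever that label releases is skipped on this path; the label and the start of ah_input are outside the hunk, so confirm nothing is live at this point (the removed lines only set error and a stat, which suggests the path was already clean, but the label may do more). The same path also no longer bumps any counter, so a stream of truncated AH headers is now invisible in the AH statistics; if that is intentional per the log message, say so in the comment, e.g. `/* m already freed by IP6_EXTHDR_GET; short header, deliberately not counted as HDROPS */`. The esp_input hunk on the following line has the same shape and would take the same comment.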
@@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.84 2018/05/01 08:16:34 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.85 2018/05/01 08:27:13 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.84 2018/05/01 08:16:34 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.85 2018/05/01 08:27:13 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -312,7 +312,7 @@ esp_input(struct mbuf *m, struct secasva IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof(struct newesp)); if (esp == NULL) { /* m already freed */ - return EINVAL; + return ENOBUFS; } esph = sav->tdb_authalgxform;
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue May 1 08:16:34 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c xform_esp.c Log Message: When the replay check fails, return EACCES instead of ENOBUFS. To generate a diff of this commit: cvs rdiff -u -r1.95 -r1.96 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.83 -r1.84 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.95 src/sys/netipsec/xform_ah.c:1.96 --- src/sys/netipsec/xform_ah.c:1.95 Sat Apr 28 15:45:16 2018 +++ src/sys/netipsec/xform_ah.c Tue May 1 08:16:34 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.95 2018/04/28 15:45:16 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.96 2018/05/01 08:16:34 maxv Exp $ */ /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.95 2018/04/28 15:45:16 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.96 2018/05/01 08:16:34 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -546,7 +546,7 @@ ah_input(struct mbuf *m, struct secasvar DPRINTF(("%s: packet replay failure: %s\n", __func__, ipsec_logsastr(sav, buf, sizeof(buf; stat = AH_STAT_REPLAY; - error = ENOBUFS; + error = EACCES; goto bad; } Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.83 src/sys/netipsec/xform_esp.c:1.84 --- src/sys/netipsec/xform_esp.c:1.83 Tue May 1 08:13:37 2018 +++ src/sys/netipsec/xform_esp.c Tue May 1 08:16:34 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.83 2018/05/01 08:13:37 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.84 2018/05/01 08:16:34 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ 
@@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.83 2018/05/01 08:13:37 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.84 2018/05/01 08:16:34 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -354,7 +354,7 @@ esp_input(struct mbuf *m, struct secasva DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav, logbuf, sizeof(logbuf; stat = ESP_STAT_REPLAY; - error = ENOBUFS; /* XXX */ + error = EACCES; goto out; }
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue May 1 08:13:37 UTC 2018 Modified Files: src/sys/netipsec: xform_esp.c xform_ipcomp.c Log Message: Remove double include, opencrypto/xform.h is already included in netipsec/xform.h. To generate a diff of this commit: cvs rdiff -u -r1.82 -r1.83 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.63 -r1.64 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.82 src/sys/netipsec/xform_esp.c:1.83 --- src/sys/netipsec/xform_esp.c:1.82 Sat Apr 28 15:45:16 2018 +++ src/sys/netipsec/xform_esp.c Tue May 1 08:13:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.82 2018/04/28 15:45:16 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.83 2018/05/01 08:13:37 maxv Exp $ */ /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.82 2018/04/28 15:45:16 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.83 2018/05/01 08:13:37 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -83,7 +83,6 @@ __KERNEL_RCSID(0, "$NetBSD: xform_esp.c, #include #include -#include percpu_t *espstat_percpu; Index: src/sys/netipsec/xform_ipcomp.c diff -u src/sys/netipsec/xform_ipcomp.c:1.63 src/sys/netipsec/xform_ipcomp.c:1.64 --- src/sys/netipsec/xform_ipcomp.c:1.63 Sat Apr 28 15:45:16 2018 +++ src/sys/netipsec/xform_ipcomp.c Tue May 1 08:13:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.63 2018/04/28 15:45:16 maxv Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.64 2018/05/01 08:13:37 maxv Exp $ */ /* $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ 
@@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.63 2018/04/28 15:45:16 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.64 2018/05/01 08:13:37 maxv Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) @@ -70,7 +70,6 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp #include #include -#include percpu_t *ipcompstat_percpu;
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue May 1 08:08:46 UTC 2018 Modified Files: src/sys/netipsec: xform.h Log Message: Remove unused. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/sys/netipsec/xform.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform.h diff -u src/sys/netipsec/xform.h:1.15 src/sys/netipsec/xform.h:1.16 --- src/sys/netipsec/xform.h:1.15 Thu Apr 19 08:27:39 2018 +++ src/sys/netipsec/xform.h Tue May 1 08:08:46 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform.h,v 1.15 2018/04/19 08:27:39 maxv Exp $ */ +/* $NetBSD: xform.h,v 1.16 2018/05/01 08:08:46 maxv Exp $ */ /* $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */ /* @@ -46,19 +46,6 @@ #include #include -#define AH_HMAC_INITIAL_RPL 1 /* replay counter initial value */ - -/* - * Packet tag assigned on completion of IPsec processing; used - * to speedup processing when/if the packet comes back for more - * processing. - */ -struct tdb_ident { - u_int32_t spi; - union sockaddr_union dst; - u_int8_t proto; -}; - /* * Opaque data structure hung off a crypto operation descriptor. */
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue May 1 05:42:26 UTC 2018 Modified Files: src/sys/netipsec: ipsec_output.c Log Message: Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I already fixed half of the problem two months ago in rev1.67, back then I thought it was not triggerable because each packet we emit is guaranteed to have correctly formed IPv6 options; but it is actually triggerable via IPv6 forwarding, we emit a packet we just received, and we don't sanitize its options before invoking IPsec. Since it would be wrong to just stop the iteration and continue the IPsec processing, allow compute_ipsec_pos to fail, and when it does, drop the packet entirely. To generate a diff of this commit: cvs rdiff -u -r1.74 -r1.75 src/sys/netipsec/ipsec_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.74 src/sys/netipsec/ipsec_output.c:1.75 --- src/sys/netipsec/ipsec_output.c:1.74 Sat Apr 28 15:45:16 2018 +++ src/sys/netipsec/ipsec_output.c Tue May 1 05:42:26 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.74 2018/04/28 15:45:16 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.75 2018/05/01 05:42:26 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.74 2018/04/28 15:45:16 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.75 2018/05/01 05:42:26 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -623,7 +623,7 @@ bad: #endif #ifdef INET6 -static void +static int compute_ipsec_pos(struct mbuf *m, int *i, int *off) { struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 
@@ -640,7 +640,11 @@ compute_ipsec_pos(struct mbuf *m, int *i * put AH/ESP/IPcomp header. * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload] */ - do { + while (1) { + if (*i + sizeof(ip6e) > m->m_pkthdr.len) { + return EINVAL; + } + switch (nxt) { case IPPROTO_AH: case IPPROTO_ESP: @@ -649,7 +653,7 @@ compute_ipsec_pos(struct mbuf *m, int *i * we should not skip security header added * beforehand. */ - return; + return 0; case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: @@ -659,7 +663,7 @@ compute_ipsec_pos(struct mbuf *m, int *i * we should stop there. */ if (nxt == IPPROTO_DSTOPTS && dstopt) -return; +return 0; if (nxt == IPPROTO_DSTOPTS) { /* @@ -679,16 +683,14 @@ compute_ipsec_pos(struct mbuf *m, int *i m_copydata(m, *i, sizeof(ip6e), &ip6e); nxt = ip6e.ip6e_nxt; *off = *i + offsetof(struct ip6_ext, ip6e_nxt); - /* - * we will never see nxt == IPPROTO_AH - * so it is safe to omit AH case. - */ *i += (ip6e.ip6e_len + 1) << 3; break; default: - return; + return 0; } - } while (*i + sizeof(ip6e) < m->m_pkthdr.len); + } + + return 0; } static int @@ -788,7 +790,9 @@ ipsec6_process_packet(struct mbuf *m, co i = ip->ip_hl << 2; off = offsetof(struct ip, ip_p); } else { - compute_ipsec_pos(m, &i, &off); + error = compute_ipsec_pos(m, &i, &off); + if (error) + goto unrefsav; } error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off); KEY_SA_UNREF(&sav);
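Review bot: compute_ipsec_pos now rejects a packet whose extension-header chain runs past m_pkthdr.len before the m_copydata, which closes the out-of-bounds read the log describes, but the caller's failure path in ipsec6_process_packet is `goto unrefsav` and that label is outside the hunk — confirm the mbuf is freed there (or by the caller of ipsec6_process_packet), otherwise every rejected forwarded packet leaks an mbuf. The trailing `return 0;` after `while (1)` is unreachable and can be dropped. Because the rejected packet is a received-and-forwarded one, consider counting the EINVAL drop in the IPsec output statistics so that malformed traffic stays visible; the hunk bumps nothing on that path. The test `*i + sizeof(ip6e) > m->m_pkthdr.len` mixes int and size_t, which is safe only while *i stays non-negative, which the visible arithmetic (offsets only ever grow by `(ip6e.ip6e_len + 1) << 3`) appears to guarantee.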
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sun Apr 29 14:54:09 UTC 2018 Modified Files: src/sys/netipsec: ipsec_input.c Log Message: Remove useless icmp6.h include, remove manual externs and include in6.h to get proper definitions, and remove duplicate logic in ipsec6_common_input_cb. To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.69 src/sys/netipsec/ipsec_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.68 src/sys/netipsec/ipsec_input.c:1.69 --- src/sys/netipsec/ipsec_input.c:1.68 Sun Apr 29 14:35:35 2018 +++ src/sys/netipsec/ipsec_input.c Sun Apr 29 14:54:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.69 2018/04/29 14:54:09 maxv Exp $ */ /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.69 2018/04/29 14:54:09 maxv Exp $"); /* * IPsec input processing. @@ -72,14 +72,12 @@ __KERNEL_RCSID(0, "$NetBSD: ipsec_input. #include #ifdef INET6 +#include #include #include #include #endif #include -#ifdef INET6 -#include -#endif #include #include @@ -377,7 +375,7 @@ cantpull: M_VERIFY_PACKET(m); - key_sa_recordxfer(sav, m); /* record data transfer */ + key_sa_recordxfer(sav, m); if ((inetsw[ip_protox[prot]].pr_flags & PR_LASTHDR) != 0 && ipsec_in_reject(m, NULL)) { @@ -446,9 +444,6 @@ ipsec6_common_input(struct mbuf **mp, in return IPPROTO_DONE; } -extern const struct ip6protosw inet6sw[]; -extern u_char ip6_protox[]; - /* * IPsec input callback, called by the transform callback. Takes care of * filtering and other sanity checks on the processed packet. 
@@ -461,7 +456,7 @@ ipsec6_common_input_cb(struct mbuf *m, s struct ip6_hdr *ip6; struct secasindex *saidx; int nxt; - u_int8_t prot, nxt8; + u_int8_t prot; int error, nest; if (__predict_false(m == NULL)) { @@ -493,20 +488,16 @@ ipsec6_common_input_cb(struct mbuf *m, s ip6 = mtod(m, struct ip6_hdr *); ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); - /* Save protocol */ - m_copydata(m, protoff, 1, &prot); + m_copydata(m, protoff, sizeof(prot), &prot); key_sa_recordxfer(sav, m); - /* Retrieve new protocol */ - m_copydata(m, protoff, sizeof(u_int8_t), &nxt8); - /* * See the end of ip6_input for this logic. * IPPROTO_IPV[46] case will be processed just like other ones */ nest = 0; - nxt = nxt8; + nxt = prot; while (nxt != IPPROTO_DONE) { if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { IP6_STATINC(IP6_STAT_TOOMANYHDR);
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sun Apr 29 14:35:36 UTC 2018 Modified Files: src/sys/netipsec: ipsec_input.c xform_ipip.c Log Message: Remove obsolete/dead code, the IP-in-IP encapsulation doesn't work this way anymore (XF_IP4 partly dropped by FAST_IPSEC). To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/ipsec_input.c cvs rdiff -u -r1.69 -r1.70 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.67 src/sys/netipsec/ipsec_input.c:1.68 --- src/sys/netipsec/ipsec_input.c:1.67 Sat Apr 28 15:45:16 2018 +++ src/sys/netipsec/ipsec_input.c Sun Apr 29 14:35:35 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $ */ /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $"); /* * IPsec input processing. 
@@ -375,84 +375,6 @@ cantpull: prot = ip->ip_p; -#ifdef notyet - /* IP-in-IP encapsulation */ - if (prot == IPPROTO_IPIP) { - struct ip ipn; - - /* ipn will now contain the inner IPv4 header */ - /* XXX: check m_pkthdr.len */ - m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), &ipn); - - /* XXX PROXY address isn't recorded in SAH */ - /* - * Check that the inner source address is the same as - * the proxy address, if available. - */ - if ((saidx->proxy.sa.sa_family == AF_INET && - saidx->proxy.sin.sin_addr.s_addr != - INADDR_ANY && - ipn.ip_src.s_addr != - saidx->proxy.sin.sin_addr.s_addr) || - (saidx->proxy.sa.sa_family != AF_INET && - saidx->proxy.sa.sa_family != 0)) { - - char ipbuf[INET_ADDRSTRLEN]; - IPSECLOG(LOG_DEBUG, - "inner source address %s doesn't correspond to " - "expected proxy source %s, SA %s/%08lx\n", - IN_PRINT(ipbuf, ipn.ip_src), - ipsp_address(saidx->proxy), - ipsp_address(saidx->dst), - (u_long) ntohl(sav->spi)); - - IPSEC_ISTAT(sproto, ESP_STAT_PDROPS, - AH_STAT_PDROPS, - IPCOMP_STAT_PDROPS); - error = EACCES; - goto bad; - } - } -#if INET6 - /* IPv6-in-IP encapsulation. */ - if (prot == IPPROTO_IPV6) { - struct ip6_hdr ip6n; - - /* ip6n will now contain the inner IPv6 header. */ - /* XXX: check m_pkthdr.len */ - m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), &ip6n); - - /* - * Check that the inner source address is the same as - * the proxy address, if available. 
- */ - if ((saidx->proxy.sa.sa_family == AF_INET6 && - !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && - !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, - &saidx->proxy.sin6.sin6_addr)) || - (saidx->proxy.sa.sa_family != AF_INET6 && - saidx->proxy.sa.sa_family != 0)) { - - char ip6buf[INET6_ADDRSTRLEN]; - char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; - IPSECLOG(LOG_DEBUG, - "inner source address %s doesn't correspond to " - "expected proxy source %s, SA %s/%08lx\n", - ip6_sprintf(ip6buf, &ip6n.ip6_src), - ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)), - ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)), - (u_long) ntohl(sav->spi)); - - IPSEC_ISTAT(sproto, ESP_STAT_PDROPS, - AH_STAT_PDROPS, - IPCOMP_STAT_PDROPS); - error = EACCES; - goto bad; - } - } -#endif /* INET6 */ -#endif /* notyet */ - M_VERIFY_PACKET(m); key_sa_recordxfer(sav, m); /* record data transfer */ @@ -574,80 +496,6 @@ ipsec6_common_input_cb(struct mbuf *m, s /* Save protocol */ m_copydata(m, protoff, 1, &prot); -#ifdef notyet -#ifdef INET - /* IP-in-IP encapsulation */ - if (prot == IPPROTO_IPIP) { - struct ip ipn; - - /* ipn will now contain the inner IPv4 header */ - /* XXX: check m_pkthdr.len */ - m_copydata(m, skip, sizeof(struct ip), &ipn); - - /* - * Check that the inner source address is the same as - * the proxy address, if available. - */ - if ((saidx->proxy.sa.sa_family == AF_INET && - saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY && - ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) || - (saidx->proxy.sa.sa_family != AF_INET && - saidx->proxy.sa.sa_family != 0)) { - - char ipbuf[INET_ADDRSTRLEN]; - char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; - IPSECLOG(LOG_DEBUG, - "inner source address %s doesn't correspond to " - "expected proxy source %s, SA %s/%08lx\n", - IN_PRINT(ipbuf, ipn.ip_src), - ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)), - ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)), - (u_long) ntohl(sav->spi)); -
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sun Apr 29 07:24:39 UTC 2018 Modified Files: src/sys/netipsec: ipsec.h Log Message: Remove duplicate prototype. To generate a diff of this commit: cvs rdiff -u -r1.77 -r1.78 src/sys/netipsec/ipsec.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.h diff -u src/sys/netipsec/ipsec.h:1.77 src/sys/netipsec/ipsec.h:1.78 --- src/sys/netipsec/ipsec.h:1.77 Sat Apr 28 14:25:56 2018 +++ src/sys/netipsec/ipsec.h Sun Apr 29 07:24:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.h,v 1.77 2018/04/28 14:25:56 maxv Exp $ */ +/* $NetBSD: ipsec.h,v 1.78 2018/04/29 07:24:38 maxv Exp $ */ /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ @@ -327,7 +327,6 @@ void ah_attach(void); void esp_attach(void); void ipcomp_attach(void); void ipe4_attach(void); -void ipe4_attach(void); void tcpsignature_attach(void); void ipsec_attach(void);
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Apr 28 15:45:16 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c ipsec_input.c ipsec_output.c ipsec_private.h key.c xform_ah.c xform_esp.c xform_ipcomp.c xform_ipip.c Log Message: Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op. To generate a diff of this commit: cvs rdiff -u -r1.159 -r1.160 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.66 -r1.67 src/sys/netipsec/ipsec_input.c cvs rdiff -u -r1.73 -r1.74 src/sys/netipsec/ipsec_output.c cvs rdiff -u -r1.8 -r1.9 src/sys/netipsec/ipsec_private.h cvs rdiff -u -r1.254 -r1.255 src/sys/netipsec/key.c cvs rdiff -u -r1.94 -r1.95 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.81 -r1.82 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.62 -r1.63 src/sys/netipsec/xform_ipcomp.c cvs rdiff -u -r1.68 -r1.69 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.159 src/sys/netipsec/ipsec.c:1.160 --- src/sys/netipsec/ipsec.c:1.159 Sat Apr 28 14:21:03 2018 +++ src/sys/netipsec/ipsec.c Sat Apr 28 15:45:16 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.159 2018/04/28 14:21:03 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.160 2018/04/28 15:45:16 maxv Exp $ */ /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.159 2018/04/28 14:21:03 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.160 2018/04/28 15:45:16 maxv Exp $"); /* * IPsec controller part. @@ -1610,8 +1610,6 @@ ipsec_chkreplay(u_int32_t seq, const str u_int32_t wsizeb; /* constant: bits of window size */ int frlast; /* constant: last frame */ - IPSEC_SPLASSERT_SOFTNET(__func__); - KASSERT(sav != NULL); KASSERT(sav->replay != NULL); 
@@ -1668,8 +1666,6 @@ ipsec_updatereplay(u_int32_t seq, const u_int32_t wsizeb; /* constant: bits of window size */ int frlast; /* constant: last frame */ - IPSEC_SPLASSERT_SOFTNET(__func__); - KASSERT(sav != NULL); KASSERT(sav->replay != NULL); Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.66 src/sys/netipsec/ipsec_input.c:1.67 --- src/sys/netipsec/ipsec_input.c:1.66 Thu Apr 19 08:27:38 2018 +++ src/sys/netipsec/ipsec_input.c Sat Apr 28 15:45:16 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.66 2018/04/19 08:27:38 maxv Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $ */ /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.66 2018/04/19 08:27:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $"); /* * IPsec input processing. @@ -326,8 +326,6 @@ ipsec4_common_input_cb(struct mbuf *m, s struct secasindex *saidx; int error; - IPSEC_SPLASSERT_SOFTNET("ipsec4_common_input_cb"); - if (__predict_false(m == NULL)) { panic("%s: NULL mbuf", __func__); } Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.73 src/sys/netipsec/ipsec_output.c:1.74 --- src/sys/netipsec/ipsec_output.c:1.73 Thu Apr 19 08:27:38 2018 +++ src/sys/netipsec/ipsec_output.c Sat Apr 28 15:45:16 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.73 2018/04/19 08:27:38 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.74 2018/04/28 15:45:16 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.73 2018/04/19 08:27:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.74 2018/04/28 15:45:16 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -154,8 +154,6 @@ ipsec_process_done(struct mbuf *m, const uint64_t *data = NULL; int hlen, roff; - IPSEC_SPLASSERT_SOFTNET("ipsec_process_done"); - KASSERT(m != NULL); KASSERT(isr != NULL); KASSERT(sav != NULL); @@ -376,7 +374,6 @@ do { \ struct secasvar *sav = NULL; struct secasindex saidx; - IPSEC_SPLASSERT_SOFTNET("ipsec_nextisr"); KASSERTMSG(af == AF_INET || af == AF_INET6, "invalid address family %u", af); again: Index: src/sys/netipsec/ipsec_private.h diff -u src/sys/netipsec/ipsec_private.h:1.8 src/sys/netipsec/ipsec_private.h:1.9 --- src/sys/netipsec/ipsec_private.h:1.8 Sat Apr 28 14:39:34 2018 +++ src/sys/netipsec/ipsec_private.h Sat Apr 28 15:45:16 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_private.h,v 1.8 2018/04/28 14:39:34 maxv Exp $ */ +/* $NetBSD: ipsec_private.h,v 1.9 2018/04/28 15:45:16 maxv Exp $ */ /* * Copyright (c) 2008 The NetBSD Foundation, Inc. @@ -64,11 +64,6 @@ extern percpu_t *pfkeystat_percpu; #define PFKEY_STATINC(x) _NET_STATINC(pfkeystat
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Apr 28 14:39:34 UTC 2018 Modified Files: src/sys/netipsec: ipsec_mbuf.c ipsec_private.h Log Message: Inline M_EXT_WRITABLE directly, and remove the XXX, there's nothing wrong in the use of !M_READONLY. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 src/sys/netipsec/ipsec_mbuf.c cvs rdiff -u -r1.7 -r1.8 src/sys/netipsec/ipsec_private.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.26 src/sys/netipsec/ipsec_mbuf.c:1.27 --- src/sys/netipsec/ipsec_mbuf.c:1.26 Thu Apr 19 08:27:38 2018 +++ src/sys/netipsec/ipsec_mbuf.c Sat Apr 28 14:39:34 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.26 2018/04/19 08:27:38 maxv Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.27 2018/04/28 14:39:34 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.26 2018/04/19 08:27:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.27 2018/04/28 14:39:34 maxv Exp $"); /* * IPsec-specific mbuf routines. @@ -94,7 +94,7 @@ m_clone(struct mbuf *m0) /* * Writable mbufs are left alone (for now). */ - if (M_EXT_WRITABLE(m)) { + if (!M_READONLY(m)) { mprev = m; continue; } Index: src/sys/netipsec/ipsec_private.h diff -u src/sys/netipsec/ipsec_private.h:1.7 src/sys/netipsec/ipsec_private.h:1.8 --- src/sys/netipsec/ipsec_private.h:1.7 Wed Feb 28 11:19:49 2018 +++ src/sys/netipsec/ipsec_private.h Sat Apr 28 14:39:34 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_private.h,v 1.7 2018/02/28 11:19:49 maxv Exp $ */ +/* $NetBSD: ipsec_private.h,v 1.8 2018/04/28 14:39:34 maxv Exp $ */ /* * Copyright (c) 2008 The NetBSD Foundation, Inc. 
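Review bot: The `!M_READONLY(m)` test in m_clone is left without any explanation of why a read-only mbuf has to be copied, because the XXX that documented the old M_EXT_WRITABLE approximation is deleted in the same commit. A one-line comment at the test would keep the rationale next to the code, e.g. `/* External storage that is shared or not writable must be copied before IPsec modifies it in place. */`, assuming that is what M_READONLY covers; its definition is not in this hunk. The loop around the test starts and ends outside the hunk.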
@@ -69,9 +69,6 @@ extern percpu_t *pfkeystat_percpu; */ #define IPSEC_SPLASSERT_SOFTNET(msg) do {} while (0) -/* XXX wrong, but close enough for restricted ipsec usage. */ -#define M_EXT_WRITABLE(m) (!M_READONLY(m)) - /* superuser opened socket? */ #define IPSEC_PRIVILEGED_SO(so) ((so)->so_uidinfo->ui_uid == 0)
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Apr 28 14:25:56 UTC 2018 Modified Files: src/sys/netipsec: ipsec.h ipsec6.h Log Message: Move the ipsec6_input prototype into ipsec6.h, and style. To generate a diff of this commit: cvs rdiff -u -r1.76 -r1.77 src/sys/netipsec/ipsec.h cvs rdiff -u -r1.27 -r1.28 src/sys/netipsec/ipsec6.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.h diff -u src/sys/netipsec/ipsec.h:1.76 src/sys/netipsec/ipsec.h:1.77 --- src/sys/netipsec/ipsec.h:1.76 Sat Apr 28 14:21:03 2018 +++ src/sys/netipsec/ipsec.h Sat Apr 28 14:25:56 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.h,v 1.76 2018/04/28 14:21:03 maxv Exp $ */ +/* $NetBSD: ipsec.h,v 1.77 2018/04/28 14:25:56 maxv Exp $ */ /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ @@ -264,9 +264,6 @@ struct inpcb; int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *); int ipsec4_input(struct mbuf *, int); int ipsec4_forward(struct mbuf *, int *); -#ifdef INET6 -int ipsec6_input(struct mbuf *); -#endif struct inpcb; int ipsec_init_pcbpolicy(struct socket *so, struct inpcbpolicy **); Index: src/sys/netipsec/ipsec6.h diff -u src/sys/netipsec/ipsec6.h:1.27 src/sys/netipsec/ipsec6.h:1.28 --- src/sys/netipsec/ipsec6.h:1.27 Thu Apr 19 08:27:38 2018 +++ src/sys/netipsec/ipsec6.h Sat Apr 28 14:25:56 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec6.h,v 1.27 2018/04/19 08:27:38 maxv Exp $ */ +/* $NetBSD: ipsec6.h,v 1.28 2018/04/28 14:25:56 maxv Exp $ */ /* $FreeBSD: ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ /* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */ @@ -31,10 +31,6 @@ * SUCH DAMAGE. */ -/* - * IPsec controller part. - */ - #ifndef _NETIPSEC_IPSEC6_H_ #define _NETIPSEC_IPSEC6_H_ 
@@ -50,24 +46,21 @@ extern int ip6_ah_net_deflev; extern int ip6_ipsec_ecn; extern struct secpolicy ip6_def_policy; -struct inpcb; struct in6pcb; - -struct secpolicy *ipsec6_check_policy(struct mbuf *, -struct in6pcb *, int, int*,int*); - struct tcp6cb; -size_t ipsec6_hdrsiz_tcp(struct tcpcb*); +struct secpolicy *ipsec6_check_policy(struct mbuf *, struct in6pcb *, +int, int *, int *); +size_t ipsec6_hdrsiz_tcp(struct tcpcb *); -/* NetBSD protosw ctlin entrypoint */ void *esp6_ctlinput(int, const struct sockaddr *, void *); void *ah6_ctlinput(int, const struct sockaddr *, void *); struct m_tag; int ipsec6_common_input(struct mbuf **, int *, int); int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int); -int ipsec6_process_packet(struct mbuf*, const struct ipsecrequest *); +int ipsec6_process_packet(struct mbuf *, const struct ipsecrequest *); +int ipsec6_input(struct mbuf *); #endif /*_KERNEL*/ #endif /* !_NETIPSEC_IPSEC6_H_ */
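Review bot: The restyled prototype `size_t ipsec6_hdrsiz_tcp(struct tcpcb *);` sits directly under a `struct tcp6cb;` forward declaration, but no `struct tcpcb;` is declared anywhere in the hunk; unless an earlier include supplies it, the parameter introduces a prototype-scope struct type and compilers warn that it will not be visible outside the declaration. Suggest adding `struct tcpcb;` next to the other forward declarations and dropping `struct tcp6cb;` if nothing in the header still uses it. The hunk also removes the `struct inpcb;` forward declaration, which is only safe if no prototype left in the header outside this hunk takes a `struct inpcb *`; worth a quick check of the rest of the file.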
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Apr 28 14:01:51 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c ipsec.h Log Message: Style and remove unused stuff. To generate a diff of this commit: cvs rdiff -u -r1.157 -r1.158 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.74 -r1.75 src/sys/netipsec/ipsec.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.157 src/sys/netipsec/ipsec.c:1.158 --- src/sys/netipsec/ipsec.c:1.157 Thu Apr 19 08:27:38 2018 +++ src/sys/netipsec/ipsec.c Sat Apr 28 14:01:50 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.157 2018/04/19 08:27:38 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.158 2018/04/28 14:01:50 maxv Exp $ */ /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.157 2018/04/19 08:27:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.158 2018/04/28 14:01:50 maxv Exp $"); /* * IPsec controller part. @@ -1814,30 +1814,6 @@ ipsec_logsastr(const struct secasvar *sa return buf; } -void -ipsec_dumpmbuf(struct mbuf *m) -{ - int totlen; - int i; - u_char *p; - - totlen = 0; - printf("---\n"); - while (m) { - p = mtod(m, u_char *); - for (i = 0; i < m->m_len; i++) { - printf("%02x ", p[i]); - totlen++; - if (totlen % 16 == 0) -printf("\n"); - } - m = m->m_next; - } - if (totlen % 16 != 0) - printf("\n"); - printf("---\n"); -} - #ifdef INET6 struct secpolicy * ipsec6_check_policy(struct mbuf *m, struct in6pcb *in6p, int flags, Index: src/sys/netipsec/ipsec.h diff -u src/sys/netipsec/ipsec.h:1.74 src/sys/netipsec/ipsec.h:1.75 --- src/sys/netipsec/ipsec.h:1.74 Thu Apr 19 21:50:10 2018 +++ src/sys/netipsec/ipsec.h Sat Apr 28 14:01:50 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.h,v 1.74 2018/04/19 21:50:10 christos Exp $ */ +/* $NetBSD: ipsec.h,v 1.75 2018/04/28 14:01:50 maxv Exp $ */ /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ @@ -31,10 +31,6 @@ * SUCH DAMAGE. */ -/* - * IPsec controller part. - */ - #ifndef _NETIPSEC_IPSEC_H_ #define _NETIPSEC_IPSEC_H_ @@ -227,16 +223,6 @@ struct secspacq { #define IPSEC_REPLAYWSIZE 32 #ifdef _KERNEL -struct ipsec_output_state { - struct mbuf *m; - struct route *ro; - struct sockaddr *dst; -}; - -struct ipsec_history { - int ih_proto; - u_int32_t ih_spi; -}; extern int ipsec_debug; #ifdef IPSEC_DEBUG @@ -256,8 +242,7 @@ extern int ip4_ipsec_ecn; extern int crypto_support; #include -#define ipseclog(x) do { if (ipsec_debug) log x; } while (0) -/* for openbsd compatibility */ + #define DPRINTF(x) do { if (ipsec_debug) printf x; } while (0) #define IPSECLOG(level, fmt, args...) \ @@ -266,6 +251,11 @@ extern int crypto_support; log(level, "%s: " fmt, __func__, ##args); \ } while (0) +#define ipsec_indone(m) \ + ((m->m_flags & M_AUTHIPHDR) || (m->m_flags & M_DECRYPTED)) +#define ipsec_outdone(m) \ + (m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) + void ipsec_pcbconn(struct inpcbpolicy *); void ipsec_pcbdisconn(struct inpcbpolicy *); void ipsec_invalpcbcacheall(void); @@ -304,8 +294,6 @@ union sockaddr_union; const char *ipsec_address(const union sockaddr_union* sa, char *, size_t); const char *ipsec_logsastr(const struct secasvar *, char *, size_t); -void ipsec_dumpmbuf(struct mbuf *); - /* NetBSD protosw ctlin entrypoint */ void *esp4_ctlinput(int, const struct sockaddr *, void *); void *ah4_ctlinput(int, const struct sockaddr *, void *); 
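Review bot: The relocated `ipsec_indone(m)` macro uses its argument unparenthesized, `(m->m_flags & M_AUTHIPHDR) || (m->m_flags & M_DECRYPTED)`, while `ipsec_outdone(m)` right below it writes `(m)`; since this commit is restyling the header and moving the macro anyway, it is the moment to make the two consistent. Suggest `((m)->m_flags & M_AUTHIPHDR) || ((m)->m_flags & M_DECRYPTED)` so that an expression argument such as a cast or `*mp` expands correctly. The body is otherwise identical to the lines removed further down in the same file.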
@@ -318,19 +306,15 @@ int ipsec4_process_packet(struct mbuf *, int ipsec_process_done(struct mbuf *, const struct ipsecrequest *, struct secasvar *); -#define ipsec_indone(m) \ - ((m->m_flags & M_AUTHIPHDR) || (m->m_flags & M_DECRYPTED)) -#define ipsec_outdone(m) \ - (m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) - struct mbuf *m_clone(struct mbuf *); struct mbuf *m_makespace(struct mbuf *, int, int, int *); -void *m_pad(struct mbuf *, int ); +void *m_pad(struct mbuf *, int); int m_striphdr(struct mbuf *, int, int); void nat_t_ports_get(struct mbuf *, u_int16_t *, u_int16_t *); -extern int ipsec_used __read_mostly, ipsec_enabled __read_mostly; +extern int ipsec_used __read_mostly; +extern int ipsec_enabled __read_mostly; #endif /* _KERNEL */
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Apr 28 13:44:19 UTC 2018 Modified Files: src/sys/netipsec: ipsec_netbsd.c Log Message: Fix the net.inet6.ipsec6.def_policy node, the variable should be &ip6_def_policy.policy, otherwise we're overwriting other fields of the structure. To generate a diff of this commit: cvs rdiff -u -r1.53 -r1.54 src/sys/netipsec/ipsec_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_netbsd.c diff -u src/sys/netipsec/ipsec_netbsd.c:1.53 src/sys/netipsec/ipsec_netbsd.c:1.54 --- src/sys/netipsec/ipsec_netbsd.c:1.53 Sun Apr 22 10:25:40 2018 +++ src/sys/netipsec/ipsec_netbsd.c Sat Apr 28 13:44:19 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_netbsd.c,v 1.53 2018/04/22 10:25:40 maxv Exp $ */ +/* $NetBSD: ipsec_netbsd.c,v 1.54 2018/04/28 13:44:19 maxv Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.53 2018/04/22 10:25:40 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.54 2018/04/28 13:44:19 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -720,7 +720,7 @@ sysctl_net_inet6_ipsec6_setup(struct sys CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "def_policy", SYSCTL_DESCR("Default action for non-IPSec packets"), - sysctl_ipsec, 0, (void *)&ip6_def_policy, 0, + sysctl_ipsec, 0, &ip6_def_policy.policy, 0, CTL_NET, PF_INET6, IPPROTO_AH, IPSECCTL_DEF_POLICY, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL,
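Review bot: The corrected node hands `&ip6_def_policy.policy` to a `CTLTYPE_INT` node, so the handler (`sysctl_ipsec`, not in the hunk) will presumably read and write `sizeof(int)` bytes through that pointer, yet nothing in the hunk shows the declared type of the `policy` field, and the old `(void *)` cast is exactly what hid the mismatch this commit fixes. A compile-time guard next to the node, `CTASSERT(sizeof(ip6_def_policy.policy) == sizeof(int));`, would make a future change of that field's type fail the build instead of silently corrupting the structure again. The IPv4 counterpart in sysctl_net_inet_ipsec_setup is not in this diff; if it registers its default-policy variable with the same cast it needs the same treatment.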
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Apr 28 13:23:18 UTC 2018 Modified Files: src/sys/netipsec: ipsec_var.h key_var.h Log Message: Remove unused macros. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/netipsec/ipsec_var.h cvs rdiff -u -r1.4 -r1.5 src/sys/netipsec/key_var.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_var.h diff -u src/sys/netipsec/ipsec_var.h:1.6 src/sys/netipsec/ipsec_var.h:1.7 --- src/sys/netipsec/ipsec_var.h:1.6 Thu Apr 19 08:27:38 2018 +++ src/sys/netipsec/ipsec_var.h Sat Apr 28 13:23:17 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_var.h,v 1.6 2018/04/19 08:27:38 maxv Exp $ */ +/* $NetBSD: ipsec_var.h,v 1.7 2018/04/28 13:23:17 maxv Exp $ */ /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /*- @@ -56,9 +56,6 @@ #define IPSEC_NSTATS 16 /* - * Definitions for IPsec & Key sysctl operations. - */ -/* * Names for IPsec & Key sysctl objects */ #define IPSECCTL_STATS 1 /* KAME compat stats */ 
@@ -78,38 +75,4 @@ #define IPSECCTL_ESP_RANDPAD 13 #define IPSECCTL_MAXID 14 -#define IPSECCTL_NAMES { \ - { 0, 0 }, \ - { 0, 0 }, \ - { "def_policy", CTLTYPE_INT }, \ - { "esp_trans_deflev", CTLTYPE_INT }, \ - { "esp_net_deflev", CTLTYPE_INT }, \ - { "ah_trans_deflev", CTLTYPE_INT }, \ - { "ah_net_deflev", CTLTYPE_INT }, \ - { 0, 0 }, \ - { "ah_cleartos", CTLTYPE_INT }, \ - { "ah_offsetmask", CTLTYPE_INT }, \ - { "dfbit", CTLTYPE_INT }, \ - { "ecn", CTLTYPE_INT }, \ - { "debug", CTLTYPE_INT }, \ - { "esp_randpad", CTLTYPE_INT }, \ -} - -#define IPSEC6CTL_NAMES { \ - { 0, 0 }, \ - { 0, 0 }, \ - { "def_policy", CTLTYPE_INT }, \ - { "esp_trans_deflev", CTLTYPE_INT }, \ - { "esp_net_deflev", CTLTYPE_INT }, \ - { "ah_trans_deflev", CTLTYPE_INT }, \ - { "ah_net_deflev", CTLTYPE_INT }, \ - { 0, 0 }, \ - { 0, 0 }, \ - { 0, 0 }, \ - { 0, 0 }, \ - { "ecn", CTLTYPE_INT }, \ - { "debug", CTLTYPE_INT }, \ - { "esp_randpad", CTLTYPE_INT }, \ -} - #endif /* !_NETIPSEC_IPSEC_VAR_H_ */ Index: src/sys/netipsec/key_var.h diff -u src/sys/netipsec/key_var.h:1.4 src/sys/netipsec/key_var.h:1.5 --- src/sys/netipsec/key_var.h:1.4 Thu Apr 19 08:27:38 2018 +++ src/sys/netipsec/key_var.h Sat Apr 28 13:23:17 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key_var.h,v 1.4 2018/04/19 08:27:38 maxv Exp $ */ +/* $NetBSD: key_var.h,v 1.5 2018/04/28 13:23:17 maxv Exp $ */ /* $FreeBSD: key_var.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $KAME: key_var.h,v 1.11 2001/09/12 23:05:07 sakane Exp $ */ 
@@ -51,38 +51,6 @@ #define KEYCTL_DUMPSP 14 #define KEYCTL_MAXID 15 -#define KEYCTL_NAMES { \ - { 0, 0 }, \ - { "debug", CTLTYPE_INT }, \ - { "spi_try", CTLTYPE_INT }, \ - { "spi_min_value", CTLTYPE_INT }, \ - { "spi_max_value", CTLTYPE_INT }, \ - { "random_int", CTLTYPE_INT }, \ - { "larval_lifetime", CTLTYPE_INT }, \ - { "blockacq_count", CTLTYPE_INT }, \ - { "blockacq_lifetime", CTLTYPE_INT }, \ - { "esp_keymin", CTLTYPE_INT }, \ - { "esp_auth", CTLTYPE_INT }, \ - { "ah_keymin", CTLTYPE_INT }, \ - { "prefered_oldsa", CTLTYPE_INT }, \ -} - -#define KEYCTL_VARS { \ - 0, \ - 0, \ - &key_spi_trycnt, \ - &key_spi_minval, \ - &key_spi_maxval, \ - &key_int_random, \ - &key_larval_lifetime, \ - &key_blockacq_count, \ - &key_blockacq_lifetime, \ - &ipsec_esp_keymin, \ - &ipsec_esp_auth, \ - &ipsec_ah_keymin, \ - &key_prefered_oldsa, \ -} - #ifdef _KERNEL #define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0])) #define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sun Apr 22 10:25:40 UTC 2018 Modified Files: src/sys/netipsec: ipip_var.h ipsec_netbsd.c xform_ipip.c Log Message: Rename ipip_allow->ipip_spoofcheck, and add net.inet.ipsec.ipip_spoofcheck. Makes it simpler, and also fixes PR/39919. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/netipsec/ipip_var.h cvs rdiff -u -r1.52 -r1.53 src/sys/netipsec/ipsec_netbsd.c cvs rdiff -u -r1.66 -r1.67 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipip_var.h diff -u src/sys/netipsec/ipip_var.h:1.5 src/sys/netipsec/ipip_var.h:1.6 --- src/sys/netipsec/ipip_var.h:1.5 Thu Apr 19 08:27:38 2018 +++ src/sys/netipsec/ipip_var.h Sun Apr 22 10:25:40 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipip_var.h,v 1.5 2018/04/19 08:27:38 maxv Exp $ */ +/* $NetBSD: ipip_var.h,v 1.6 2018/04/22 10:25:40 maxv Exp $ */ /* $FreeBSD: ipip_var.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ /* $OpenBSD: ip_ipip.h,v 1.5 2002/06/09 16:26:10 itojun Exp $ */ /* @@ -59,6 +59,6 @@ #define IPIP_NSTATS 10 #ifdef _KERNEL -extern int ipip_allow; +extern int ipip_spoofcheck; #endif /* _KERNEL */ #endif /* !_NETINET_IPIP_H_ */ Index: src/sys/netipsec/ipsec_netbsd.c diff -u src/sys/netipsec/ipsec_netbsd.c:1.52 src/sys/netipsec/ipsec_netbsd.c:1.53 --- src/sys/netipsec/ipsec_netbsd.c:1.52 Wed Apr 18 07:38:02 2018 +++ src/sys/netipsec/ipsec_netbsd.c Sun Apr 22 10:25:40 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_netbsd.c,v 1.52 2018/04/18 07:38:02 maxv Exp $ */ +/* $NetBSD: ipsec_netbsd.c,v 1.53 2018/04/22 10:25:40 maxv Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 
@@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.52 2018/04/18 07:38:02 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.53 2018/04/22 10:25:40 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -624,6 +624,12 @@ sysctl_net_inet_ipsec_setup(struct sysct CTL_NET, PF_INET, ipproto_ipsec, IPSECCTL_DEBUG, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "ipip_spoofcheck", NULL, + NULL, 0, &ipip_spoofcheck, 0, + CTL_NET, PF_INET, ipproto_ipsec, + CTL_CREATE, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READONLY, CTLTYPE_STRUCT, "ipsecstats", NULL, sysctl_net_inet_ipsec_stats, 0, NULL, 0, Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.66 src/sys/netipsec/xform_ipip.c:1.67 --- src/sys/netipsec/xform_ipip.c:1.66 Thu Apr 19 08:27:39 2018 +++ src/sys/netipsec/xform_ipip.c Sun Apr 22 10:25:40 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.66 2018/04/19 08:27:39 maxv Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.67 2018/04/22 10:25:40 maxv Exp $ */ /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.66 2018/04/19 08:27:39 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.67 2018/04/22 10:25:40 maxv Exp $"); /* * IP-inside-IP processing @@ -87,7 +87,7 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c /* XXX IPCOMP */ #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED) -int ipip_allow = 0; +int ipip_spoofcheck = 1; percpu_t *ipipstat_percpu; void ipe4_attach(void); 
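Review bot: The new `ipip_spoofcheck` node is created with a `NULL` description where the neighbouring nodes use `SYSCTL_DESCR(...)`, so the knob that switches a security check off shows no help text; suggest `SYSCTL_DESCR("Check IP-in-IP packets for local address spoofing")`, wording taken from the comment at the check in _ipip_input. The node is registered only under `CTL_NET, PF_INET, ipproto_ipsec`, while _ipip_input is reached from both ip4_input and ip4_input6, so a single net.inet knob governs IPv6-encapsulated input too; if that is intended, the description or the manual page should say so. The default `int ipip_spoofcheck = 1;` in xform_ipip.c keeps the check enabled, which matches the old `ipip_allow != 2` behaviour with the default of 0.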
@@ -254,7 +254,7 @@ _ipip_input(struct mbuf *m, int iphlen) /* Check for local address spoofing. */ if ((m_get_rcvif_NOMPSAFE(m) == NULL || !(m_get_rcvif_NOMPSAFE(m)->if_flags & IFF_LOOPBACK)) && - ipip_allow != 2) { + ipip_spoofcheck) { int s = pserialize_read_enter(); IFNET_READER_FOREACH(ifp) { IFADDR_READER_FOREACH(ifa, ifp) {
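Review bot: In the spoof-check condition `ipip_spoofcheck` is tested last, after two `m_get_rcvif_NOMPSAFE(m)` calls; testing the global first, `if (ipip_spoofcheck && (m_get_rcvif_NOMPSAFE(m) == NULL || !(m_get_rcvif_NOMPSAFE(m)->if_flags & IFF_LOOPBACK))) {`, short-circuits the interface lookup when the check is disabled and reads as "if checking is on and the packet did not arrive on loopback". Fetching the receive interface once into a local would also remove the duplicated call. _ipip_input's body continues outside the hunk.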
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu Apr 19 08:27:39 UTC 2018 Modified Files: src/sys/netipsec: ah.h ah_var.h esp.h esp_var.h ipcomp.h ipcomp_var.h ipip_var.h ipsec.c ipsec.h ipsec6.h ipsec_input.c ipsec_mbuf.c ipsec_output.c ipsec_var.h key.c key.h key_debug.c key_debug.h key_var.h keydb.h keysock.c keysock.h xform.h xform_ah.c xform_esp.c xform_ipcomp.c xform_ipip.c xform_tcp.c Log Message: Remove extra long file paths from the headers. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/netipsec/ah.h src/sys/netipsec/ipcomp.h cvs rdiff -u -r1.6 -r1.7 src/sys/netipsec/ah_var.h cvs rdiff -u -r1.3 -r1.4 src/sys/netipsec/esp.h src/sys/netipsec/key_var.h cvs rdiff -u -r1.5 -r1.6 src/sys/netipsec/esp_var.h \ src/sys/netipsec/ipsec_var.h cvs rdiff -u -r1.7 -r1.8 src/sys/netipsec/ipcomp_var.h cvs rdiff -u -r1.4 -r1.5 src/sys/netipsec/ipip_var.h cvs rdiff -u -r1.156 -r1.157 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.72 -r1.73 src/sys/netipsec/ipsec.h \ src/sys/netipsec/ipsec_output.c cvs rdiff -u -r1.26 -r1.27 src/sys/netipsec/ipsec6.h cvs rdiff -u -r1.65 -r1.66 src/sys/netipsec/ipsec_input.c \ src/sys/netipsec/xform_ipip.c cvs rdiff -u -r1.25 -r1.26 src/sys/netipsec/ipsec_mbuf.c cvs rdiff -u -r1.253 -r1.254 src/sys/netipsec/key.c cvs rdiff -u -r1.35 -r1.36 src/sys/netipsec/key.h cvs rdiff -u -r1.21 -r1.22 src/sys/netipsec/key_debug.c cvs rdiff -u -r1.9 -r1.10 src/sys/netipsec/key_debug.h cvs rdiff -u -r1.22 -r1.23 src/sys/netipsec/keydb.h cvs rdiff -u -r1.63 -r1.64 src/sys/netipsec/keysock.c cvs rdiff -u -r1.10 -r1.11 src/sys/netipsec/keysock.h cvs rdiff -u -r1.14 -r1.15 src/sys/netipsec/xform.h cvs rdiff -u -r1.91 -r1.92 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.80 -r1.81 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.61 -r1.62 src/sys/netipsec/xform_ipcomp.c cvs rdiff -u -r1.17 -r1.18 src/sys/netipsec/xform_tcp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/sys/netipsec/ah.h diff -u src/sys/netipsec/ah.h:1.2 src/sys/netipsec/ah.h:1.3 --- src/sys/netipsec/ah.h:1.2 Sat Dec 10 23:44:08 2005 +++ src/sys/netipsec/ah.h Thu Apr 19 08:27:38 2018 @@ -1,5 +1,5 @@ -/* $NetBSD: ah.h,v 1.2 2005/12/10 23:44:08 elad Exp $ */ -/* $FreeBSD: src/sys/netipsec/ah.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ +/* $NetBSD: ah.h,v 1.3 2018/04/19 08:27:38 maxv Exp $ */ +/* $FreeBSD: ah.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ /* $KAME: ah.h,v 1.13 2000/10/18 21:28:00 itojun Exp $ */ /* Index: src/sys/netipsec/ipcomp.h diff -u src/sys/netipsec/ipcomp.h:1.2 src/sys/netipsec/ipcomp.h:1.3 --- src/sys/netipsec/ipcomp.h:1.2 Sat Dec 10 23:44:08 2005 +++ src/sys/netipsec/ipcomp.h Thu Apr 19 08:27:38 2018 @@ -1,5 +1,5 @@ -/* $NetBSD: ipcomp.h,v 1.2 2005/12/10 23:44:08 elad Exp $ */ -/* $FreeBSD: src/sys/netipsec/ipcomp.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ +/* $NetBSD: ipcomp.h,v 1.3 2018/04/19 08:27:38 maxv Exp $ */ +/* $FreeBSD: ipcomp.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ /* $KAME: ipcomp.h,v 1.8 2000/09/26 07:55:14 itojun Exp $ */ /* Index: src/sys/netipsec/ah_var.h diff -u src/sys/netipsec/ah_var.h:1.6 src/sys/netipsec/ah_var.h:1.7 --- src/sys/netipsec/ah_var.h:1.6 Fri Feb 16 10:07:07 2018 +++ src/sys/netipsec/ah_var.h Thu Apr 19 08:27:38 2018 @@ -1,5 +1,5 @@ -/* $NetBSD: ah_var.h,v 1.6 2018/02/16 10:07:07 maxv Exp $ */ -/* $FreeBSD: src/sys/netipsec/ah_var.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ +/* $NetBSD: ah_var.h,v 1.7 2018/04/19 08:27:38 maxv Exp $ */ +/* $FreeBSD: ah_var.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ /* $OpenBSD: ip_ah.h,v 1.29 2002/06/09 16:26:10 itojun Exp $ */ /* * The authors of this code are John Ioannidis (j...@tla.org), Index: src/sys/netipsec/esp.h diff -u src/sys/netipsec/esp.h:1.3 src/sys/netipsec/esp.h:1.4 --- src/sys/netipsec/esp.h:1.3 Sat Dec 10 23:44:08 2005 +++ src/sys/netipsec/esp.h Thu Apr 19 08:27:38 2018 
@@ -1,5 +1,5 @@ -/* $NetBSD: esp.h,v 1.3 2005/12/10 23:44:08 elad Exp $ */ -/* $FreeBSD: src/sys/netipsec/esp.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ +/* $NetBSD: esp.h,v 1.4 2018/04/19 08:27:38 maxv Exp $ */ +/* $FreeBSD: esp.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ /* $KAME: esp.h,v 1.16 2000/10/18 21:28:00 itojun Exp $ */ /* Index: src/sys/netipsec/key_var.h diff -u src/sys/netipsec/key_var.h:1.3 src/sys/netipsec/key_var.h:1.4 --- src/sys/netipsec/key_var.h:1.3 Sat Dec 10 23:44:08 2005 +++ src/sys/netipsec/key_var.h Thu Apr 19 08:27:38 2018 @@ -1,5 +1,5 @@ -/* $NetBSD: key_var.h,v 1.3 2005/12/10 23:44:08 elad Exp $ */ -/* $FreeBSD: src/sys/netipsec/key_var.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ +/* $NetBSD: key_var.h,v 1.4 2018/04/19 08:27:38 maxv Exp $ */ +/* $FreeBSD: key_var.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $KAME: key_var.h,v 1.11 2001/09/12 23:05:07 sakane Exp $ */ /* Index: src/sys/netipsec/esp_var.h diff -u s
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu Apr 19 08:16:44 UTC 2018 Modified Files: src/sys/netipsec: xform_ipip.c Log Message: Remove unused typedef, remove unused arguments from _ipip_input, sync comment with reality, and change panic message. To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.64 src/sys/netipsec/xform_ipip.c:1.65 --- src/sys/netipsec/xform_ipip.c:1.64 Wed Apr 18 06:43:10 2018 +++ src/sys/netipsec/xform_ipip.c Thu Apr 19 08:16:44 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.64 2018/04/18 06:43:10 maxv Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.65 2018/04/19 08:16:44 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.64 2018/04/18 06:43:10 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.65 2018/04/19 08:16:44 maxv Exp $"); /* * IP-inside-IP processing @@ -87,20 +87,18 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c /* XXX IPCOMP */ #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED) -typedef void pr_in_input_t(struct mbuf *m, ...); - int ipip_allow = 0; percpu_t *ipipstat_percpu; void ipe4_attach(void); -static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp); +static void _ipip_input(struct mbuf *, int); #ifdef INET6 int ip4_input6(struct mbuf **m, int *offp, int proto, void *eparg __unused) { - _ipip_input(*m, *offp, NULL); + _ipip_input(*m, *offp); return IPPROTO_DONE; } #endif 
@@ -109,18 +107,16 @@ ip4_input6(struct mbuf **m, int *offp, i void ip4_input(struct mbuf *m, int off, int proto, void *eparg __unused) { - _ipip_input(m, off, NULL); + _ipip_input(m, off); } #endif /* - * ipip_input gets called when we receive an IP{46} encapsulated packet, - * either because we got it at a real interface, or because AH or ESP - * were being used in tunnel mode (in which case the rcvif element will - * contain the address of the encX interface associated with the tunnel). + * _ipip_input gets called when we receive an IP{46} encapsulated packet, + * because AH or ESP were being used in tunnel mode. */ static void -_ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) +_ipip_input(struct mbuf *m, int iphlen) { register struct sockaddr_in *sin; register struct ifnet *ifp; @@ -181,7 +177,7 @@ _ipip_input(struct mbuf *m, int iphlen, break; #endif default: - panic("%s: unknown ip version %u (outer)", __func__, v >> 4); + panic("%s: impossible (1)", __func__); } /* Remove outer IP header */ @@ -252,7 +248,7 @@ _ipip_input(struct mbuf *m, int iphlen, break; #endif default: - panic("%s: unknown ip version %u (inner)", __func__, v>>4); + panic("%s: impossible (2)", __func__); } /* Check for local address spoofing. */
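Review bot: The two `default:` arms now panic with `"impossible (1)"` and `"impossible (2)"`, dropping the version nibble the old messages printed; the inner-header arm is keyed on a byte taken from a received packet, so whether it is truly unreachable depends on an earlier check that is not in these hunks. If a preceding switch in _ipip_input already rejects unknown inner versions, a comment at the arm naming it, e.g. `/* version already validated by the first switch above */`, justifies the panic; if not, the arm should drop the packet (`m_freem(m); return;` with the family-mismatch statistic bumped) rather than let a malformed packet take the kernel down. The outer-header arm is reached only after ip_input/ip6_input accepted the packet, so the same question is less pressing there. _ipip_input starts and ends outside these hunks.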
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu Apr 19 07:58:26 UTC 2018 Modified Files: src/sys/netipsec: xform_ipcomp.c Log Message: Add a KASSERT (which is not triggerable since ipsec_common_input already ensures 8 bytes are present), add an XXX (about the fact that it is better to use m_copydata, because it is faster and less error-prone), and improve two m_copybacks (remove useless casts). To generate a diff of this commit: cvs rdiff -u -r1.60 -r1.61 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ipcomp.c diff -u src/sys/netipsec/xform_ipcomp.c:1.60 src/sys/netipsec/xform_ipcomp.c:1.61 --- src/sys/netipsec/xform_ipcomp.c:1.60 Sat Mar 10 17:48:32 2018 +++ src/sys/netipsec/xform_ipcomp.c Thu Apr 19 07:58:26 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.60 2018/03/10 17:48:32 maxv Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.61 2018/04/19 07:58:26 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.60 2018/03/10 17:48:32 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.61 2018/04/19 07:58:26 maxv Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) @@ -147,6 +147,7 @@ ipcomp_input(struct mbuf *m, struct seca int error, hlen = IPCOMP_HLENGTH, stat = IPCOMP_STAT_CRYPTO; IPSEC_SPLASSERT_SOFTNET(__func__); + KASSERT(skip + hlen <= m->m_pkthdr.len); /* Get crypto descriptors */ crp = crypto_getreq(1); 
@@ -307,16 +308,20 @@ ipcomp_input_cb(struct cryptop *crp) /* In case it's not done already, adjust the size of the mbuf chain */ m->m_pkthdr.len = clen + hlen + skip; + /* + * Get the next protocol field. + * + * XXX: Really, we should use m_copydata instead of m_pullup. + */ if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("%s: m_pullup failed\n", __func__)); error = EINVAL; goto bad; } - - /* Keep the next protocol field */ ipc = (struct ipcomp *)(mtod(m, uint8_t *) + skip); nproto = ipc->comp_nxt; + switch (nproto) { case IPPROTO_IPCOMP: case IPPROTO_AH: @@ -342,7 +347,7 @@ ipcomp_input_cb(struct cryptop *crp) } /* Restore the Next Protocol field */ - m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *)&nproto); + m_copyback(m, protoff, sizeof(nproto), &nproto); IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff); @@ -602,7 +607,7 @@ ipcomp_output_cb(struct cryptop *crp) /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; - m_copyback(m, tc->tc_protoff, sizeof(uint8_t), (u_char *)&prot); + m_copyback(m, tc->tc_protoff, sizeof(prot), &prot); /* Adjust the length in the IP header */ switch (sav->sah->saidx.dst.sa.sa_family) {
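Review bot: `m_copyback(m, protoff, sizeof(nproto), &nproto);` in the `@@ -342` hunk now copies as many bytes as `nproto`'s declared type occupies, and that declaration is outside the hunk; the removed `sizeof(uint8_t)` was independent of it, so if `nproto` (or `prot` in the `@@ -602` hunk of `ipcomp_output_cb`, which gets the same rewrite) is ever widened to an `int`, the copy would overwrite the bytes following the one-octet Next Header/Protocol field. The new form is correct only while both variables stay single-byte, which the hunk does not state. I would pin that at each site with a comment such as `/* nproto must stay a uint8_t: the IP next-protocol field is one octet */`, or a compile-time `__CTASSERT(sizeof(nproto) == 1);` next to the copy. Both enclosing functions start before their hunks.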
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu Apr 19 07:36:23 UTC 2018 Modified Files: src/sys/netipsec: xform_esp.c Log Message: Style, and remove meaningless XXX. To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.79 src/sys/netipsec/xform_esp.c:1.80 --- src/sys/netipsec/xform_esp.c:1.79 Fri Feb 16 09:24:55 2018 +++ src/sys/netipsec/xform_esp.c Thu Apr 19 07:36:23 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.79 2018/02/16 09:24:55 maxv Exp $ */ +/* $NetBSD: xform_esp.c,v 1.80 2018/04/19 07:36:23 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.79 2018/02/16 09:24:55 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.80 2018/04/19 07:36:23 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -355,9 +355,9 @@ esp_input(struct mbuf *m, struct secasva if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { char logbuf[IPSEC_LOGSASTRLEN]; DPRINTF(("%s: packet replay check for %s\n", __func__, - ipsec_logsastr(sav, logbuf, sizeof(logbuf; /*XXX*/ + ipsec_logsastr(sav, logbuf, sizeof(logbuf; stat = ESP_STAT_REPLAY; - error = ENOBUFS; /*XXX*/ + error = ENOBUFS; /* XXX */ goto out; } @@ -589,7 +589,8 @@ esp_input_cb(struct cryptop *crp) /* Release the crypto descriptors */ pool_cache_put(esp_tdb_crypto_pool_cache, tc); tc = NULL; - crypto_freereq(crp), crp = NULL; + crypto_freereq(crp); + crp = NULL; /* * Packet is now decrypted.
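Review bot: `error = ENOBUFS; /* XXX */` in the `@@ -355` hunk keeps the errno that reports a failed replay check as a buffer shortage, and rewriting `/*XXX*/` to `/* XXX */` removes nothing but also leaves the marker unexplained. The packet is already counted under `ESP_STAT_REPLAY` on the line above, so the only consumer misled is whoever reads the returned error. A comment saying what the XXX stands for would help the next reader, e.g. `/* XXX: not a buffer shortage; no dedicated errno for a replayed packet */`. `esp_input` begins before this hunk, so I cannot see how `error` is propagated from `out:`.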
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Thu Apr 19 07:22:30 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c Log Message: cosmetic To generate a diff of this commit: cvs rdiff -u -r1.90 -r1.91 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.90 src/sys/netipsec/xform_ah.c:1.91 --- src/sys/netipsec/xform_ah.c:1.90 Wed Apr 18 17:58:07 2018 +++ src/sys/netipsec/xform_ah.c Thu Apr 19 07:22:29 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.90 2018/04/18 17:58:07 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.91 2018/04/19 07:22:29 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.90 2018/04/18 17:58:07 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.91 2018/04/19 07:22:29 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -778,7 +778,6 @@ ah_input_cb(struct cryptop *crp) protoff = tc->tc_protoff; m = crp->crp_buf; - /* find the source port for NAT-T */ nat_t_ports_get(m, &dport, &sport); @@ -878,7 +877,7 @@ ah_input_cb(struct cryptop *crp) sizeof(seq), &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { AH_STATINC(AH_STAT_REPLAY); - error = ENOBUFS; /* XXX as above */ + error = ENOBUFS; /* XXX */ goto bad; } } @@ -1160,7 +1159,7 @@ bad_crp: bad: if (m) m_freem(m); - return (error); + return error; } /*
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 17:58:07 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c Log Message: Simplify the IPv4 parser. Get the option length in 'optlen', and sanitize it earlier. A new check is added (off + optlen > skip). In the IPv6 parser we reuse 'optlen', and remove 'ad' as a result. To generate a diff of this commit: cvs rdiff -u -r1.89 -r1.90 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.89 src/sys/netipsec/xform_ah.c:1.90 --- src/sys/netipsec/xform_ah.c:1.89 Mon Apr 16 17:32:34 2018 +++ src/sys/netipsec/xform_ah.c Wed Apr 18 17:58:07 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.89 2018/04/16 17:32:34 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.90 2018/04/18 17:58:07 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.89 2018/04/16 17:32:34 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.90 2018/04/18 17:58:07 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -266,7 +266,7 @@ ah_massage_headers(struct mbuf **m0, int { struct mbuf *m = *m0; unsigned char *ptr; - int off, count; + int off, count, optlen; #ifdef INET struct ip *ip; #endif @@ -274,7 +274,7 @@ ah_massage_headers(struct mbuf **m0, int struct ip6_ext *ip6e; struct ip6_hdr ip6; struct ip6_rthdr *rh; - int alloc, ad, nxt; + int alloc, nxt; #endif switch (proto) { 
@@ -308,56 +308,32 @@ ah_massage_headers(struct mbuf **m0, int /* IPv4 option processing */ for (off = sizeof(struct ip); off < skip;) { - if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP || - off + 1 < skip) -; - else { -DPRINTF(("%s: illegal IPv4 option length for " -"option %d\n", __func__, ptr[off])); - + if (ptr[off] == IPOPT_EOL) { +break; + } else if (ptr[off] == IPOPT_NOP) { +optlen = 1; + } else if (off + 1 < skip) { +optlen = ptr[off + 1]; +if (optlen < 2 || off + optlen > skip) { + m_freem(m); + return EINVAL; +} + } else { m_freem(m); return EINVAL; } switch (ptr[off]) { - case IPOPT_EOL: -off = skip; /* End the loop. */ -break; - case IPOPT_NOP: -off++; -break; - - case IPOPT_SECURITY: /* 0x82 */ + case IPOPT_SECURITY: case 0x85: /* Extended security. */ case 0x86: /* Commercial security. */ case 0x94: /* Router alert */ case 0x95: /* RFC1770 */ -/* Sanity check for option length. */ -if (ptr[off + 1] < 2) { - DPRINTF(("%s: illegal IPv4 option " - "length for option %d\n", __func__, - ptr[off])); - - m_freem(m); - return EINVAL; -} - -off += ptr[off + 1]; break; case IPOPT_LSRR: case IPOPT_SSRR: -/* Sanity check for option length. */ -if (ptr[off + 1] < 2) { - DPRINTF(("%s: illegal IPv4 option " - "length for option %d\n", __func__, - ptr[off])); - - m_freem(m); - return EINVAL; -} - /* * On output, if we have either of the * source routing options, we should 
@@ -369,32 +345,21 @@ ah_massage_headers(struct mbuf **m0, int */ if (out) memcpy(&ip->ip_dst, - ptr + off + ptr[off + 1] - + ptr + off + optlen - sizeof(struct in_addr), sizeof(struct in_addr)); +/* FALLTHROUGH */ -/* Fall through */ default: -/* Sanity check for option length. */ -if (ptr[off + 1] < 2) { - DPRINTF(("%s: illegal IPv4 option " - "length for option %d\n", __func__, - ptr[off])); - m_freem(m); - return EINVAL; -} - /* Zeroize all other options. */ -count = ptr[off + 1]; -memcpy(ptr + off, ipseczeroes, count); -off += count; +memcpy(ptr + off, ipseczeroes, optlen); break; } + off += optlen; + /* Sanity check. */ if (off > skip) { -DPRINTF(("%s: malformed IPv4 options header\n", - __func__)); m_freem(m); return EINVAL; } @@ -487,17 +452,17 @@ ah_massage_headers(struct mbuf **m0, int if (count + 1 >= noff) { goto error6; } - ad = ptr[count + 1] + 2; + optlen = ptr[count + 1] + 2; - if (count + ad > noff) { + if (count + optlen > noff) { goto error6; } if (ptr[count] & IP6OPT_MUTABLE) { - memset(ptr + count, 0, ad); + memset(ptr + count, 0, optlen); } - count += ad; + count += optlen; } if (count != noff) {
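Review bot: In the `case IPOPT_LSRR: case IPOPT_SSRR:` arm, `memcpy(&ip->ip_dst, ptr + off + optlen - sizeof(struct in_addr), sizeof(struct in_addr));` is guarded only by the generic `optlen < 2 || off + optlen > skip` test from the preceding hunk, so a source-route option with `optlen` between 2 and 6 makes the copy source start before the option itself and `ip_dst` receives bytes of the previous option or of the fixed IP header (the read stays inside the header because `off` starts at `sizeof(struct ip)`, but the resulting address is meaningless). A source-route option with at least one address needs the 3-byte option header plus `sizeof(struct in_addr)`, so I would reject shorter ones before the copy: `if (out && optlen < 3 + (int)sizeof(struct in_addr)) { m_freem(m); return EINVAL; }`. The removed code only checked `ptr[off + 1] < 2` as well, so this is an inherited gap rather than a regression of this commit. With `off + optlen > skip` already rejected, the trailing `if (off > skip)` after `off += optlen;` can only fire for the `IPOPT_NOP` path, which may be worth a comment. `ah_massage_headers` starts before the first hunk of this commit.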
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 17:34:54 UTC 2018 Modified Files: src/sys/netipsec: ipsec_mbuf.c Log Message: Remove unused includes, remove misleading comments, and style. To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.25 src/sys/netipsec/ipsec_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.24 src/sys/netipsec/ipsec_mbuf.c:1.25 --- src/sys/netipsec/ipsec_mbuf.c:1.24 Tue Apr 17 09:06:33 2018 +++ src/sys/netipsec/ipsec_mbuf.c Wed Apr 18 17:34:54 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.24 2018/04/17 09:06:33 maxv Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.25 2018/04/18 17:34:54 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.24 2018/04/17 09:06:33 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.25 2018/04/18 17:34:54 maxv Exp $"); /* * IPsec-specific mbuf routines. @@ -38,10 +38,6 @@ __KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c #include #include #include -#include - -#include -#include #include #include @@ -94,11 +90,9 @@ m_clone(struct mbuf *m0) } continue; } + /* - * Writable mbufs are left alone (for now). Note - * that for 4.x systems it's not possible to identify - * whether or not mbufs with external buffers are - * writable unless they use clusters. + * Writable mbufs are left alone (for now). */ if (M_EXT_WRITABLE(m)) { mprev = m; @@ -128,7 +122,6 @@ m_clone(struct mbuf *m0) /* * Allocate new space to hold the copy... */ - /* XXX why can M_PKTHDR be set past the first mbuf? */ if (mprev == NULL && (m->m_flags & M_PKTHDR)) { /* * NB: if a packet header is present we must 
@@ -139,22 +132,23 @@ m_clone(struct mbuf *m0) MGETHDR(n, M_DONTWAIT, m->m_type); if (n == NULL) { m_freem(m0); -return (NULL); +return NULL; } M_MOVE_PKTHDR(n, m); MCLGET(n, M_DONTWAIT); if ((n->m_flags & M_EXT) == 0) { m_free(n); m_freem(m0); -return (NULL); +return NULL; } } else { n = m_getcl(M_DONTWAIT, m->m_type, m->m_flags); if (n == NULL) { m_freem(m0); -return (NULL); +return NULL; } } + /* * ... and copy the data. We deal with jumbo mbufs * (i.e. m_len > MCLBYTES) by splitting them into @@ -185,7 +179,7 @@ m_clone(struct mbuf *m0) if (n == NULL) { m_freem(mfirst); m_freem(m0); -return (NULL); +return NULL; } } n->m_next = m->m_next; @@ -196,7 +190,8 @@ m_clone(struct mbuf *m0) m_free(m); /* release old mbuf */ mprev = mfirst; } - return (m0); + + return m0; } /* @@ -220,7 +215,8 @@ m_makespace(struct mbuf *m0, int skip, i for (m = m0; m && skip > m->m_len; m = m->m_next) skip -= m->m_len; if (m == NULL) - return (NULL); + return NULL; + /* * At this point skip is the offset into the mbuf m * where the new header should be placed. Figure out @@ -302,6 +298,7 @@ m_makespace(struct mbuf *m0, int skip, i m->m_len += hlen; *off = skip; } + m0->m_pkthdr.len += hlen; /* adjust packet length */ return m; } @@ -393,7 +390,7 @@ m_striphdr(struct mbuf *m, int skip, int /* Find beginning of header */ m1 = m_getptr(m, skip, &roff); if (m1 == NULL) - return (EINVAL); + return EINVAL; /* Remove the header and associated data from the mbuf. */ if (roff == 0) { @@ -446,5 +443,6 @@ m_striphdr(struct mbuf *m, int skip, int m1->m_len -= hlen; m->m_pkthdr.len -= hlen; } - return (0); + + return 0; }
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 07:38:02 UTC 2018 Modified Files: src/sys/netipsec: ipsec_input.c ipsec_netbsd.c Log Message: Remove unused malloc.h include. To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 src/sys/netipsec/ipsec_input.c cvs rdiff -u -r1.51 -r1.52 src/sys/netipsec/ipsec_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.64 src/sys/netipsec/ipsec_input.c:1.65 --- src/sys/netipsec/ipsec_input.c:1.64 Tue Apr 17 17:56:08 2018 +++ src/sys/netipsec/ipsec_input.c Wed Apr 18 07:38:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.64 2018/04/17 17:56:08 maxv Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.65 2018/04/18 07:38:02 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.64 2018/04/17 17:56:08 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.65 2018/04/18 07:38:02 maxv Exp $"); /* * IPsec input processing. @@ -51,7 +51,6 @@ __KERNEL_RCSID(0, "$NetBSD: ipsec_input. #include #include -#include #include #include #include Index: src/sys/netipsec/ipsec_netbsd.c diff -u src/sys/netipsec/ipsec_netbsd.c:1.51 src/sys/netipsec/ipsec_netbsd.c:1.52 --- src/sys/netipsec/ipsec_netbsd.c:1.51 Wed Apr 18 06:22:47 2018 +++ src/sys/netipsec/ipsec_netbsd.c Wed Apr 18 07:38:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_netbsd.c,v 1.51 2018/04/18 06:22:47 maxv Exp $ */ +/* $NetBSD: ipsec_netbsd.c,v 1.52 2018/04/18 07:38:02 maxv Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 
@@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.51 2018/04/18 06:22:47 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.52 2018/04/18 07:38:02 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -41,7 +41,6 @@ __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd #include #include -#include #include #include #include
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 07:32:44 UTC 2018 Modified Files: src/sys/netipsec: key.h Log Message: Style, and remove unused MALLOC_DECLARE. To generate a diff of this commit: cvs rdiff -u -r1.34 -r1.35 src/sys/netipsec/key.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.h diff -u src/sys/netipsec/key.h:1.34 src/sys/netipsec/key.h:1.35 --- src/sys/netipsec/key.h:1.34 Wed Jan 10 10:56:31 2018 +++ src/sys/netipsec/key.h Wed Apr 18 07:32:44 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key.h,v 1.34 2018/01/10 10:56:31 knakahara Exp $ */ +/* $NetBSD: key.h,v 1.35 2018/04/18 07:32:44 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */ 
@@ -56,19 +56,19 @@ struct sadb_msghdr { int key_havesp(u_int dir); struct secpolicy *key_lookup_sp_byspidx(const struct secpolicyindex *, u_int, - const char*, int); +const char *, int); struct secpolicy *key_newsp(const char*, int); struct secpolicy *key_gettunnel(const struct sockaddr *, - const struct sockaddr *, const struct sockaddr *, - const struct sockaddr *, const char*, int); +const struct sockaddr *, const struct sockaddr *, +const struct sockaddr *, const char *, int); /* NB: prepend with _ for KAME IPv6 compatbility */ void key_init_sp(struct secpolicy *); void key_free_sp(struct secpolicy *); u_int key_sp_refcnt(const struct secpolicy *); -void key_sp_ref(struct secpolicy *, const char*, int); -void key_sp_unref(struct secpolicy *, const char*, int); -void key_sa_ref(struct secasvar *, const char*, int); -void key_sa_unref(struct secasvar *, const char*, int); +void key_sp_ref(struct secpolicy *, const char *, int); +void key_sp_unref(struct secpolicy *, const char *, int); +void key_sa_ref(struct secasvar *, const char *, int); +void key_sa_unref(struct secasvar *, const char *, int); u_int key_sa_refcnt(const struct secasvar *); void key_socksplist_add(struct secpolicy *); 
@@ -96,41 +96,37 @@ void key_socksplist_add(struct secpolicy key_sa_unref(*(psav), __func__, __LINE__) struct secasvar *key_lookup_sa(const union sockaddr_union *, - u_int, u_int32_t, u_int16_t, u_int16_t, const char*, int); -void key_freesav(struct secasvar **, const char*, int); +u_int, u_int32_t, u_int16_t, u_int16_t, const char *, int); +void key_freesav(struct secasvar **, const char *, int); struct secasvar *key_lookup_sa_bysaidx(const struct secasindex *); #define KEY_LOOKUP_SA(dst, proto, spi, sport, dport) \ key_lookup_sa(dst, proto, spi, sport, dport, __func__, __LINE__) -int key_checktunnelsanity (struct secasvar *, u_int, void *, void *); +int key_checktunnelsanity(struct secasvar *, u_int, void *, void *); int key_checkrequest(const struct ipsecrequest *, const struct secasindex *, struct secasvar **); -struct secpolicy *key_msg2sp (const struct sadb_x_policy *, size_t, int *); +struct secpolicy *key_msg2sp(const struct sadb_x_policy *, size_t, int *); struct mbuf *key_sp2msg(const struct secpolicy *, int); -int key_ismyaddr (const struct sockaddr *); -int key_spdacquire (const struct secpolicy *); -u_long key_random (void); -void key_randomfill (void *, size_t); -void key_freereg (struct socket *); -int key_parse (struct mbuf *, struct socket *); -void key_init (void); -void key_sa_recordxfer (struct secasvar *, struct mbuf *); -void key_sa_routechange (struct sockaddr *); +int key_ismyaddr(const struct sockaddr *); +int key_spdacquire(const struct secpolicy *); +u_long key_random(void); +void key_randomfill(void *, size_t); +void key_freereg(struct socket *); +int key_parse(struct mbuf *, struct socket *); +void key_init(void); +void key_sa_recordxfer(struct secasvar *, struct mbuf *); +void key_sa_routechange(struct sockaddr *); void key_update_used(void); int key_get_used(void); -u_int16_t key_portfromsaddr (const union sockaddr_union *); +u_int16_t key_portfromsaddr(const union sockaddr_union *); /* for ipsec(4) */ struct secpolicy 
*key_kpi_spdadd(struct mbuf *); int key_kpi_spddelete2(struct mbuf *); u_int16_t key_newreqid(void); -#ifdef MALLOC_DECLARE -MALLOC_DECLARE(M_SECA); -#endif /* MALLOC_DECLARE */ - #endif /* defined(_KERNEL) */ #endif /* !_NETIPSEC_KEY_H_ */
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 06:57:39 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Remove dead code. ok ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.155 -r1.156 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.155 src/sys/netipsec/ipsec.c:1.156 --- src/sys/netipsec/ipsec.c:1.155 Tue Apr 17 17:47:05 2018 +++ src/sys/netipsec/ipsec.c Wed Apr 18 06:57:39 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.155 2018/04/17 17:47:05 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.156 2018/04/18 06:57:39 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.155 2018/04/17 17:47:05 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.156 2018/04/18 06:57:39 maxv Exp $"); /* * IPsec controller part. @@ -1269,9 +1269,6 @@ ipsec_get_policy(void *inp, const void * return ENOBUFS; } - /* XXX XXX XXX: What's the point? */ - (*mp)->m_type = MT_DATA; - if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { kdebug_mbuf(__func__, *mp); }
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 06:52:35 UTC 2018 Modified Files: src/sys/netipsec: ipsec_output.c Log Message: style To generate a diff of this commit: cvs rdiff -u -r1.71 -r1.72 src/sys/netipsec/ipsec_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.71 src/sys/netipsec/ipsec_output.c:1.72 --- src/sys/netipsec/ipsec_output.c:1.71 Mon Mar 5 11:50:25 2018 +++ src/sys/netipsec/ipsec_output.c Wed Apr 18 06:52:35 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.71 2018/03/05 11:50:25 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.72 2018/04/18 06:52:35 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.71 2018/03/05 11:50:25 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.72 2018/04/18 06:52:35 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -89,7 +89,7 @@ static percpu_t *ipsec_rtcache_percpu __ * processed this packet. */ static int -ipsec_register_done(struct mbuf *m, int * error) +ipsec_register_done(struct mbuf *m, int *error) { struct m_tag *mtag; @@ -144,14 +144,14 @@ ipsec_process_done(struct mbuf *m, const struct secasindex *saidx; int error; #ifdef INET - struct ip * ip; + struct ip *ip; #endif #ifdef INET6 - struct ip6_hdr * ip6; + struct ip6_hdr *ip6; #endif - struct mbuf * mo; + struct mbuf *mo; struct udphdr *udp = NULL; - uint64_t * data = NULL; + uint64_t *data = NULL; int hlen, roff; IPSEC_SPLASSERT_SOFTNET("ipsec_process_done"); @@ -175,7 +175,7 @@ ipsec_process_done(struct mbuf *m, const IPSECLOG(LOG_DEBUG, "failed to inject %u byte UDP for SA %s/%08lx\n", hlen, ipsec_address(&saidx->dst, buf, sizeof(buf)), - (u_long) ntohl(sav->spi)); + (u_long)ntohl(sav->spi)); error = ENOBUFS; goto bad; } 
@@ -196,10 +196,12 @@ ipsec_process_done(struct mbuf *m, const udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2)); } + /* + * Fix the header length, for AH processing. + */ switch (saidx->dst.sa.sa_family) { #ifdef INET case AF_INET: - /* Fix the header length, for AH processing. */ ip = mtod(m, struct ip *); ip->ip_len = htons(m->m_pkthdr.len); if (sav->natt_type != 0) @@ -208,7 +210,6 @@ ipsec_process_done(struct mbuf *m, const #endif #ifdef INET6 case AF_INET6: - /* Fix the header length, for AH processing. */ if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { error = ENXIO; goto bad; @@ -260,9 +261,9 @@ ipsec_process_done(struct mbuf *m, const } /* - * We're done with IPsec processing, - * mark that we have already processed the packet - * transmit it packet using the appropriate network protocol (IP or IPv6). + * We're done with IPsec processing, mark the packet as processed, + * and transmit it using the appropriate network protocol + * (IPv4/IPv6). */ if (ipsec_register_done(m, &error) < 0) @@ -412,8 +413,8 @@ again: ipsec_get_reqlevel(isr)); isr = isr->next; /* - * No more rules to apply, return NULL isr and no error - * It can happen when the last rules are USE rules + * No more rules to apply, return NULL isr and no error. + * It can happen when the last rules are USE rules. */ if (isr == NULL) { *ret = NULL;
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 06:43:10 UTC 2018 Modified Files: src/sys/netipsec: xform_ipip.c Log Message: style To generate a diff of this commit: cvs rdiff -u -r1.63 -r1.64 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.63 src/sys/netipsec/xform_ipip.c:1.64 --- src/sys/netipsec/xform_ipip.c:1.63 Thu Feb 15 10:41:51 2018 +++ src/sys/netipsec/xform_ipip.c Wed Apr 18 06:43:10 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.63 2018/02/15 10:41:51 maxv Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.64 2018/04/18 06:43:10 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.63 2018/02/15 10:41:51 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.64 2018/04/18 06:43:10 maxv Exp $"); /* * IP-inside-IP processing @@ -268,7 +268,7 @@ _ipip_input(struct mbuf *m, int iphlen, AF_INET) continue; - sin = (struct sockaddr_in *) ifa->ifa_addr; + sin = (struct sockaddr_in *)ifa->ifa_addr; if (sin->sin_addr.s_addr == ip4->ip_src.s_addr) { @@ -278,7 +278,7 @@ _ipip_input(struct mbuf *m, int iphlen, return; } } -#endif /* INET */ +#endif #ifdef INET6 if (ip6) { @@ -286,7 +286,7 @@ _ipip_input(struct mbuf *m, int iphlen, AF_INET6) continue; - sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; + sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { pserialize_read_exit(s); @@ -296,7 +296,7 @@ _ipip_input(struct mbuf *m, int iphlen, } } -#endif /* INET6 */ +#endif } } pserialize_read_exit(s); 
@@ -355,7 +355,7 @@ ipip_output(struct mbuf *m, const struct DPRINTF(("%s: unspecified tunnel endpoint " "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), - (u_long) ntohl(sav->spi))); + (u_long)ntohl(sav->spi))); IPIP_STATINC(IPIP_STAT_UNSPEC); error = EINVAL; goto bad; @@ -411,7 +411,7 @@ ipip_output(struct mbuf *m, const struct ipo->ip_p = IPPROTO_IPV6; ipo->ip_off = 0; } -#endif /* INET6 */ +#endif else { goto nofamily; } @@ -430,7 +430,7 @@ ipip_output(struct mbuf *m, const struct DPRINTF(("%s: unspecified tunnel endpoint " "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), - (u_long) ntohl(sav->spi))); + (u_long)ntohl(sav->spi))); IPIP_STATINC(IPIP_STAT_UNSPEC); error = ENOBUFS; goto bad; @@ -479,7 +479,7 @@ ipip_output(struct mbuf *m, const struct /* This is really IPVERSION. */ ip6o->ip6_nxt = IPPROTO_IPIP; } else -#endif /* INET */ +#endif if (tp == (IPV6_VERSION >> 4)) { uint32_t itos32; @@ -496,7 +496,7 @@ ipip_output(struct mbuf *m, const struct otos = 0; ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); - ip6o->ip6_flow |= htonl((uint32_t) otos << 20); + ip6o->ip6_flow |= htonl((uint32_t)otos << 20); break; #endif /* INET6 */
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 06:22:47 UTC 2018 Modified Files: src/sys/netipsec: ipsec_netbsd.c Log Message: Style, and remove another misleading comment. To generate a diff of this commit: cvs rdiff -u -r1.50 -r1.51 src/sys/netipsec/ipsec_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_netbsd.c diff -u src/sys/netipsec/ipsec_netbsd.c:1.50 src/sys/netipsec/ipsec_netbsd.c:1.51 --- src/sys/netipsec/ipsec_netbsd.c:1.50 Wed Apr 18 06:17:44 2018 +++ src/sys/netipsec/ipsec_netbsd.c Wed Apr 18 06:22:47 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_netbsd.c,v 1.50 2018/04/18 06:17:44 maxv Exp $ */ +/* $NetBSD: ipsec_netbsd.c,v 1.51 2018/04/18 06:22:47 maxv Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.50 2018/04/18 06:17:44 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.51 2018/04/18 06:22:47 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -223,7 +223,7 @@ ah6_ctlinput(int cmd, const struct socka * Check to see if we have a valid SA corresponding * to the address in the ICMP message payload. */ - sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, + sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, IPPROTO_AH, ahp->ah_spi, 0, 0); if (sav) { @@ -298,12 +298,6 @@ esp6_ctlinput(int cmd, const struct sock ip6cp1.ip6c_src = ip6cp->ip6c_src; pfctlinput2(cmd, sa, &ip6cp1); - /* - * Then go to special cases that need ESP header information. - * XXX: We assume that when ip6 is non NULL, - * M and OFF are valid. - */ - /* check if we can safely examine src and dst ports */ if (m->m_pkthdr.len < off + sizeof(esp)) return NULL; 
@@ -316,7 +310,7 @@ esp6_ctlinput(int cmd, const struct sock m_copydata(m, off, sizeof(esp), &esp); espp = &esp; } else - espp = (struct newesp*)(mtod(m, char *) + off); + espp = (struct newesp *)(mtod(m, char *) + off); if (cmd == PRC_MSGSIZE) { int valid = 0; @@ -326,7 +320,7 @@ esp6_ctlinput(int cmd, const struct sock * the address in the ICMP message payload. */ - sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, + sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, IPPROTO_ESP, espp->esp_spi, 0, 0); if (sav) { @@ -360,11 +354,11 @@ sysctl_ipsec(SYSCTLFN_ARGS) struct sysctlnode node; node = *rnode; - t = *(int*)rnode->sysctl_data; + t = *(int *)rnode->sysctl_data; node.sysctl_data = &t; error = sysctl_lookup(SYSCTLFN_CALL(&node)); if (error || newp == NULL) - return (error); + return error; switch (rnode->sysctl_num) { case IPSECCTL_DEF_ESP_TRANSLEV: @@ -373,22 +367,22 @@ sysctl_ipsec(SYSCTLFN_ARGS) case IPSECCTL_DEF_AH_NETLEV: if (t != IPSEC_LEVEL_USE && t != IPSEC_LEVEL_REQUIRE) - return (EINVAL); + return EINVAL; ipsec_invalpcbcacheall(); break; case IPSECCTL_DEF_POLICY: if (t != IPSEC_POLICY_DISCARD && t != IPSEC_POLICY_NONE) - return (EINVAL); + return EINVAL; ipsec_invalpcbcacheall(); break; default: - return (EINVAL); + return EINVAL; } - *(int*)rnode->sysctl_data = t; + *(int *)rnode->sysctl_data = t; - return (0); + return 0; } #ifdef IPSEC_DEBUG @@ -399,11 +393,11 @@ sysctl_ipsec_test(SYSCTLFN_ARGS) struct sysctlnode node; node = *rnode; - t = *(int*)rnode->sysctl_data; + t = *(int *)rnode->sysctl_data; node.sysctl_data = &t; error = sysctl_lookup(SYSCTLFN_CALL(&node)); if (error || newp == NULL) - return (error); + return error; if (t < 0 || t > 1) return EINVAL; @@ -415,7 +409,7 @@ sysctl_ipsec_test(SYSCTLFN_ARGS) printf("ipsec: HMAC corruption %s\n", (t == 0) ? "deactivated" : "activated"); - *(int*)rnode->sysctl_data = t; + *(int *)rnode->sysctl_data = t; return 0; }
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 06:13:23 UTC 2018 Modified Files: src/sys/netipsec: ipsec_netbsd.c Log Message: Remove the net.inet6.esp6 net.inet6.ipcomp6 net.inet6.ah6 subtrees. They are aliases to net.inet6.ipsec6, but they are not consistent with the original intended naming. (eg there was net.inet6.esp6.esp_trans_deflev instead of net.inet6.esp6.trans_deflev). To generate a diff of this commit: cvs rdiff -u -r1.48 -r1.49 src/sys/netipsec/ipsec_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_netbsd.c diff -u src/sys/netipsec/ipsec_netbsd.c:1.48 src/sys/netipsec/ipsec_netbsd.c:1.49 --- src/sys/netipsec/ipsec_netbsd.c:1.48 Wed Apr 18 06:03:36 2018 +++ src/sys/netipsec/ipsec_netbsd.c Wed Apr 18 06:13:23 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_netbsd.c,v 1.48 2018/04/18 06:03:36 maxv Exp $ */ +/* $NetBSD: ipsec_netbsd.c,v 1.49 2018/04/18 06:13:23 maxv Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.48 2018/04/18 06:03:36 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.49 2018/04/18 06:13:23 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -789,23 +789,5 @@ sysctl_net_inet6_ipsec6_setup(struct sys NULL, 0, &ipsec_used, 0, CTL_NET, PF_INET6, IPPROTO_AH, CTL_CREATE, CTL_EOL); - /* - * "aliases" for the ipsec6 subtree - */ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_ALIAS, - CTLTYPE_NODE, "esp6", NULL, - NULL, IPPROTO_AH, NULL, 0, - CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_ALIAS, - CTLTYPE_NODE, "ipcomp6", NULL, - NULL, IPPROTO_AH, NULL, 0, - CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_ALIAS, - CTLTYPE_NODE, "ah6", NULL, - NULL, IPPROTO_AH, NULL, 0, - CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); } #endif /* INET6 */
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Apr 18 06:03:37 UTC 2018 Modified Files: src/sys/netipsec: ipsec_netbsd.c Log Message: Remove duplicate sysctls: net.inet.esp.trans_deflev = net.inet.ipsec.esp_trans_deflev net.inet.esp.net_deflev = net.inet.ipsec.esp_net_deflev net.inet.ah.cleartos = net.inet.ipsec.ah_cleartos net.inet.ah.offsetmask= net.inet.ipsec.ah_offsetmask net.inet.ah.trans_deflev = net.inet.ipsec.ah_trans_deflev net.inet.ah.net_deflev= net.inet.ipsec.ah_net_deflev Use the convention on the right. Discussed a month ago on tech-net@. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.48 src/sys/netipsec/ipsec_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_netbsd.c diff -u src/sys/netipsec/ipsec_netbsd.c:1.47 src/sys/netipsec/ipsec_netbsd.c:1.48 --- src/sys/netipsec/ipsec_netbsd.c:1.47 Mon Feb 26 06:17:01 2018 +++ src/sys/netipsec/ipsec_netbsd.c Wed Apr 18 06:03:36 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_netbsd.c,v 1.47 2018/02/26 06:17:01 maxv Exp $ */ +/* $NetBSD: ipsec_netbsd.c,v 1.48 2018/04/18 06:03:36 maxv Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.47 2018/02/26 06:17:01 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.48 2018/04/18 06:03:36 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -535,18 +535,6 @@ sysctl_net_inet_ipsec_setup(struct sysct NULL, 0, NULL, 0, CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "trans_deflev", NULL, - sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, - CTL_NET, PF_INET, IPPROTO_ESP, - IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "net_deflev", NULL, - sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, - CTL_NET, PF_INET, IPPROTO_ESP, - IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READONLY, CTLTYPE_STRUCT, "esp_stats", NULL, sysctl_net_inet_esp_stats, 0, NULL, 0, @@ -560,30 +548,6 @@ sysctl_net_inet_ipsec_setup(struct sysct NULL, 0, NULL, 0, CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "cleartos", NULL, - NULL, 0, &ip4_ah_cleartos, 0, - CTL_NET, PF_INET, IPPROTO_AH, - IPSECCTL_AH_CLEARTOS, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "offsetmask", NULL, - NULL, 0, &ip4_ah_offsetmask, 0, - CTL_NET, PF_INET, IPPROTO_AH, - IPSECCTL_AH_OFFSETMASK, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "trans_deflev", NULL, - sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, - CTL_NET, PF_INET, IPPROTO_AH, - IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "net_deflev", NULL, - sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, - CTL_NET, PF_INET, IPPROTO_AH, - IPSECCTL_DEF_AH_NETLEV, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READONLY, CTLTYPE_STRUCT, "ah_stats", NULL, sysctl_net_inet_ah_stats, 0, NULL, 0,
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Apr 17 17:56:08 UTC 2018 Modified Files: src/sys/netipsec: ipsec_input.c Log Message: fix comments To generate a diff of this commit: cvs rdiff -u -r1.63 -r1.64 src/sys/netipsec/ipsec_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.63 src/sys/netipsec/ipsec_input.c:1.64 --- src/sys/netipsec/ipsec_input.c:1.63 Sun Apr 15 07:35:49 2018 +++ src/sys/netipsec/ipsec_input.c Tue Apr 17 17:56:08 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.63 2018/04/15 07:35:49 maxv Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.64 2018/04/17 17:56:08 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.63 2018/04/15 07:35:49 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.64 2018/04/17 17:56:08 maxv Exp $"); /* * IPsec input processing. @@ -175,8 +175,8 @@ ipsec4_fixup_checksum(struct mbuf *m) /* * ipsec_common_input gets called when an IPsec-protected packet - * is received by IPv4 or IPv6. It's job is to find the right SA - # and call the appropriate transform. The transform callback + * is received by IPv4 or IPv6. Its job is to find the right SA + * and call the appropriate transform. The transform callback * takes care of further processing (like ingress filtering). */ static int @@ -685,7 +685,7 @@ ipsec6_common_input_cb(struct mbuf *m, s /* * Enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer + * Note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Apr 17 17:47:05 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Add XXX. If this code really does something, it should use MCHTYPE. To generate a diff of this commit: cvs rdiff -u -r1.154 -r1.155 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.154 src/sys/netipsec/ipsec.c:1.155 --- src/sys/netipsec/ipsec.c:1.154 Tue Apr 17 17:40:38 2018 +++ src/sys/netipsec/ipsec.c Tue Apr 17 17:47:05 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.154 2018/04/17 17:40:38 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.155 2018/04/17 17:47:05 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.154 2018/04/17 17:40:38 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.155 2018/04/17 17:47:05 maxv Exp $"); /* * IPsec controller part. @@ -1269,7 +1269,9 @@ ipsec_get_policy(void *inp, const void * return ENOBUFS; } + /* XXX XXX XXX: What's the point? */ (*mp)->m_type = MT_DATA; + if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) { kdebug_mbuf(__func__, *mp); }
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Apr 17 17:40:38 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Style, add XXX (about the mtu that goes negative), and remove #ifdef inet. To generate a diff of this commit: cvs rdiff -u -r1.153 -r1.154 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.153 src/sys/netipsec/ipsec.c:1.154 --- src/sys/netipsec/ipsec.c:1.153 Tue Apr 3 09:03:59 2018 +++ src/sys/netipsec/ipsec.c Tue Apr 17 17:40:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.153 2018/04/03 09:03:59 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.154 2018/04/17 17:40:38 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.153 2018/04/03 09:03:59 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.154 2018/04/17 17:40:38 maxv Exp $"); /* * IPsec controller part. @@ -548,9 +548,11 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_ if (key_havesp(dir)) { sp = KEY_LOOKUP_SP_BYSPIDX(&spidx, dir); } - - if (sp == NULL) /* no SP found, use system default */ + if (sp == NULL) { + /* no SP found, use system default */ sp = KEY_GET_DEFAULT_SP(spidx.dst.sa.sa_family); + } + KASSERT(sp != NULL); return sp; } 
@@ -726,15 +728,18 @@ ipsec4_input(struct mbuf *m, int flags) return 0; } +/* + * If the packet is routed over IPsec tunnel, tell the originator the + * tunnel MTU. + * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz + * + * XXX: Quick hack!!! + * + * XXX: And what if the MTU goes negative? + */ int ipsec4_forward(struct mbuf *m, int *destmtu) { - /* - * If the packet is routed over IPsec tunnel, tell the - * originator the tunnel MTU. - * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz - * XXX quickhack!!! - */ struct secpolicy *sp; size_t ipsechdr; int error; @@ -819,7 +824,9 @@ ipsec_setspidx(struct mbuf *m, struct se /* * validate m->m_pkthdr.len. we see incorrect length if we * mistakenly call this function with inconsistent mbuf chain - * (like 4.4BSD tcp/udp processing). XXX should we panic here? + * (like 4.4BSD tcp/udp processing). + * + * XXX XXX XXX: We should remove this. */ len = 0; for (n = m; n; n = n->m_next) @@ -1057,9 +1064,9 @@ ipsec6_setspidx_ipaddr(struct mbuf *m, s struct ip6_hdr ip6buf; struct sockaddr_in6 *sin6; - if (m->m_len >= sizeof(*ip6)) + if (m->m_len >= sizeof(*ip6)) { ip6 = mtod(m, struct ip6_hdr *); - else { + } else { m_copydata(m, 0, sizeof(ip6buf), &ip6buf); ip6 = &ip6buf; } @@ -1132,9 +1139,9 @@ static void ipsec_destroy_policy(struct secpolicy *sp) { - if (sp == &ipsec_dummy_sp) + if (sp == &ipsec_dummy_sp) { ; /* It's dummy. No need to free it. */ - else { + } else { /* * We cannot destroy here because it can be called in * softint. So mark the SP as DEAD and let the timer @@ -1337,7 +1344,7 @@ ipsec_get_reqlevel(const struct ipsecreq ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); break; -#endif /* INET6 */ +#endif default: panic("%s: unknown af %u", __func__, isr->sp->spidx.src.sa.sa_family); 
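Review bot: The relocated ipsec4_forward header comment leaves `XXX: And what if the MTU goes negative?` as an open question, yet the value computed as `if MTU - sizeof(IP) - ESP/AH hdrsiz` is handed back through *destmtu, presumably as a path-MTU hint for the originator, so a zero or negative result should be rejected where the subtraction is performed rather than only documented; the function body continues outside the hunk. Until that guard exists the comment could at least state the consequence, e.g. `* XXX: If the result goes negative, *destmtu must not be reported as-is.` The ipsec_setspidx hunk on the same line marks the m_pkthdr.len re-validation with `XXX XXX XXX: We should remove this`; since that loop is what catches an inconsistent mbuf chain from a caller, the comment would be clearer if it said removal is conditional on auditing those callers first.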
@@ -1777,11 +1784,9 @@ const char * ipsec_address(const union sockaddr_union *sa, char *buf, size_t size) { switch (sa->sa.sa_family) { -#if INET case AF_INET: in_print(buf, size, &sa->sin.sin_addr); return buf; -#endif #if INET6 case AF_INET6: in6_print(buf, size, &sa->sin6.sin6_addr);
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Apr 17 09:06:33 UTC 2018 Modified Files: src/sys/netipsec: ipsec_mbuf.c Log Message: Fix a pretty bad mistake, that has always been there. m_adj(m1, -(m1->m_len - roff)); if (m1 != m) m->m_pkthdr.len -= (m1->m_len - roff); This is wrong: m_adj will modify m1->m_len, so we're using a wrong value when manually adjusting m->m_pkthdr.len. Because of that, it is possible to exploit the attack I described in uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100% reliably. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/sys/netipsec/ipsec_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.23 src/sys/netipsec/ipsec_mbuf.c:1.24 --- src/sys/netipsec/ipsec_mbuf.c:1.23 Tue Apr 17 06:23:30 2018 +++ src/sys/netipsec/ipsec_mbuf.c Tue Apr 17 09:06:33 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.23 2018/04/17 06:23:30 maxv Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.24 2018/04/17 09:06:33 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.23 2018/04/17 06:23:30 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.24 2018/04/17 09:06:33 maxv Exp $"); /* * IPsec-specific mbuf routines. @@ -404,6 +404,7 @@ m_striphdr(struct mbuf *m, int skip, int m->m_pkthdr.len -= hlen; } else if (roff + hlen >= m1->m_len) { struct mbuf *mo; + int adjlen; /* * Part or all of the header is at the end of this mbuf, 
@@ -412,11 +413,13 @@ m_striphdr(struct mbuf *m, int skip, int */ IPSEC_STATINC(IPSEC_STAT_INPUT_END); if (roff + hlen > m1->m_len) { + adjlen = roff + hlen - m1->m_len; + /* Adjust the next mbuf by the remainder */ - m_adj(m1->m_next, roff + hlen - m1->m_len); + m_adj(m1->m_next, adjlen); /* The second mbuf is guaranteed not to have a pkthdr... */ - m->m_pkthdr.len -= (roff + hlen - m1->m_len); + m->m_pkthdr.len -= adjlen; } /* Now, let's unlink the mbuf chain for a second...*/ @@ -424,9 +427,10 @@ m_striphdr(struct mbuf *m, int skip, int m1->m_next = NULL; /* ...and trim the end of the first part of the chain...sick */ - m_adj(m1, -(m1->m_len - roff)); + adjlen = m1->m_len - roff; + m_adj(m1, -adjlen); if (m1 != m) - m->m_pkthdr.len -= (m1->m_len - roff); + m->m_pkthdr.len -= adjlen; /* Finally, let's relink */ m1->m_next = mo;
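Review bot: The retained comment `/* The second mbuf is guaranteed not to have a pkthdr... */` above `m->m_pkthdr.len -= adjlen;` is now misleading: revision 1.23 of this file (below on this page) explicitly dropped the assumption that only the first mbuf carries M_PKTHDR, and the fixed code no longer depends on it, it adjusts m's header length by hand simply because m_adj() on m1->m_next cannot see m. Suggest `/* m_adj() on the tail cannot update m's pkthdr, so fix it up here */`. The new ordering (compute adjlen, call m_adj, then subtract) is correct; a `KASSERT(adjlen > 0);` after `adjlen = m1->m_len - roff;` would record that roff is assumed to lie inside m1, which the trim relies on but does not check here.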
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Apr 17 06:23:30 UTC 2018 Modified Files: src/sys/netipsec: ipsec_mbuf.c Log Message: Don't assume M_PKTHDR is set only on the first mbuf of the chain. It should, but it looks like there are several places that can put M_PKTHDR on secondary mbufs (PR/53189), so drop this assumption right now to prevent further bugs. The check is replaced by (m1 != m), which is equivalent to the previous code: we want to modify m->m_pkthdr.len only when 'm' was not passed in m_adj(). To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/sys/netipsec/ipsec_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.22 src/sys/netipsec/ipsec_mbuf.c:1.23 --- src/sys/netipsec/ipsec_mbuf.c:1.22 Sat Mar 10 17:52:50 2018 +++ src/sys/netipsec/ipsec_mbuf.c Tue Apr 17 06:23:30 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.22 2018/03/10 17:52:50 maxv Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.23 2018/04/17 06:23:30 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.22 2018/03/10 17:52:50 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.23 2018/04/17 06:23:30 maxv Exp $"); /* * IPsec-specific mbuf routines. @@ -400,7 +400,7 @@ m_striphdr(struct mbuf *m, int skip, int /* The header was at the beginning of the mbuf */ IPSEC_STATINC(IPSEC_STAT_INPUT_FRONT); m_adj(m1, hlen); - if ((m1->m_flags & M_PKTHDR) == 0) + if (m1 != m) m->m_pkthdr.len -= hlen; } else if (roff + hlen >= m1->m_len) { struct mbuf *mo; @@ -425,7 +425,7 @@ m_striphdr(struct mbuf *m, int skip, int /* ...and trim the end of the first part of the chain...sick */ m_adj(m1, -(m1->m_len - roff)); - if ((m1->m_flags & M_PKTHDR) == 0) + if (m1 != m) m->m_pkthdr.len -= (m1->m_len - roff); /* Finally, let's relink */
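Review bot: In the second hunk, `m->m_pkthdr.len -= (m1->m_len - roff);` is evaluated after `m_adj(m1, -(m1->m_len - roff));` has already trimmed m1 down to roff bytes, so the subtrahend is zero and m's packet-header length is left overstating the data actually in the chain; the `m1 != m` condition added here is right but guards a no-op. The length has to be captured before the trim: `int adjlen = m1->m_len - roff;`, `m_adj(m1, -adjlen);`, `if (m1 != m) m->m_pkthdr.len -= adjlen;`. Revision 1.24 of this file (above on this page) makes exactly that change.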
CVS commit: src/sys/netipsec
Module Name:src Committed By: yamaguchi Date: Tue Apr 17 04:22:59 UTC 2018 Modified Files: src/sys/netipsec: key.c Log Message: Fix panic of SADB when the state of sav is changed in timeout pointed out by ozaki-r@n.o, thanks To generate a diff of this commit: cvs rdiff -u -r1.252 -r1.253 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.252 src/sys/netipsec/key.c:1.253 --- src/sys/netipsec/key.c:1.252 Mon Apr 16 08:56:08 2018 +++ src/sys/netipsec/key.c Tue Apr 17 04:22:58 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.252 2018/04/16 08:56:08 yamaguchi Exp $ */ +/* $NetBSD: key.c,v 1.253 2018/04/17 04:22:58 yamaguchi Exp $ */ /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.252 2018/04/16 08:56:08 yamaguchi Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.253 2018/04/17 04:22:58 yamaguchi Exp $"); /* * This code is referred to RFC 2367 @@ -418,6 +418,8 @@ static struct { PSLIST_READER_NEXT((sav), struct secasvar, pslist_entry) /* Macros for key_sad.savlut */ +#define SAVLUT_ENTRY_INIT(sav) \ + PSLIST_ENTRY_INIT((sav), pslist_entry_savlut) #define SAVLUT_READER_FOREACH(sav, dst, proto, hash_key) \ PSLIST_READER_FOREACH((sav), \ &key_sad.savlut[key_savluthash(dst, proto, hash_key, \ @@ -1432,6 +1434,7 @@ key_init_sav(struct secasvar *sav) localcount_init(&sav->localcount); SAVLIST_ENTRY_INIT(sav); + SAVLUT_ENTRY_INIT(sav); } u_int
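Review bot: key_init_sav now initialises the savlut pslist entry, but the `savlut_added` flag that SAVLUT_WRITER_REMOVE consults (key.c 1.252, below on this page) is not reset in the same place; if an sav is ever re-initialised or not zero-allocated, a stale true would make the remove path unlink an entry that was never inserted. Suggest `sav->savlut_added = false;` next to `SAVLUT_ENTRY_INIT(sav);`, or a one-line comment stating that zero-allocation of the sav is relied on for that flag (presumably the case, but not visible here).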
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon Apr 16 17:32:34 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c Log Message: Remove dead code. ok ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.88 -r1.89 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.88 src/sys/netipsec/xform_ah.c:1.89 --- src/sys/netipsec/xform_ah.c:1.88 Fri Apr 13 09:34:20 2018 +++ src/sys/netipsec/xform_ah.c Mon Apr 16 17:32:34 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.88 2018/04/13 09:34:20 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.89 2018/04/16 17:32:34 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.88 2018/04/13 09:34:20 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.89 2018/04/16 17:32:34 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -299,22 +299,6 @@ ah_massage_headers(struct mbuf **m0, int ip->ip_sum = 0; ip->ip_off = htons(ntohs(ip->ip_off) & ip4_ah_offsetmask); - /* - * On FreeBSD, ip_off and ip_len assumed in host endian; - * they are converted (if necessary) by ip_input(). - * On NetBSD, ip_off and ip_len are in network byte order. - * They must be massaged back to network byte order - * before verifying the HMAC. Moreover, on FreeBSD, - * we should add `skip' back into the massaged ip_len - * (presumably ip_input() deducted it before we got here?) - * whereas on NetBSD, we should not. - */ - if (!out) { - /* XXX XXX: What are we trying to achieve here? */ - uint16_t inlen = ntohs(ip->ip_len); - ip->ip_len = htons(inlen); - } - if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) ip->ip_off &= htons(IP_DF); else
CVS commit: src/sys/netipsec
Module Name:src Committed By: yamaguchi Date: Mon Apr 16 08:56:08 UTC 2018 Modified Files: src/sys/netipsec: key.c keydb.h Log Message: Added a lookup table to find an sav quickly key_sad.sahlists doesn't work well for inbound packets because its key includes source address. For the reason, the look-up-table for the inbound packets is newly added. The table has all sav whose state is MATURE or DYING and uses a key calculated by destination address, protocol, and spi instead of saidx. reviewd ozaki-r@n.o, thanks. To generate a diff of this commit: cvs rdiff -u -r1.251 -r1.252 src/sys/netipsec/key.c cvs rdiff -u -r1.21 -r1.22 src/sys/netipsec/keydb.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.251 src/sys/netipsec/key.c:1.252 --- src/sys/netipsec/key.c:1.251 Mon Apr 16 08:52:09 2018 +++ src/sys/netipsec/key.c Mon Apr 16 08:56:08 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.251 2018/04/16 08:52:09 yamaguchi Exp $ */ +/* $NetBSD: key.c,v 1.252 2018/04/16 08:56:08 yamaguchi Exp $ */ /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.251 2018/04/16 08:52:09 yamaguchi Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.252 2018/04/16 08:56:08 yamaguchi Exp $"); /* * This code is referred to RFC 2367 @@ -124,6 +124,10 @@ __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.25 #define SAHHASH_NHASH 128 #endif +#ifndef SAVLUT_NHASH +#define SAVLUT_NHASH 128 +#endif + percpu_t *pfkeystat_percpu; /* 
@@ -213,10 +217,13 @@ static u_int32_t acq_seq = 0; * - Multiple saves with the same saidx can exist * - Only one entry has MATURE state and others should be DEAD * - DEAD entries are just ignored from searching - * - Modifications to the key_sad.sahlists and sah.savlist must be done with - * holding key_sad.lock which is a adaptive mutex - * - Read accesses to the key_sad.sahlists and sah.savlist must be in - * pserialize(9) read sections + * - All sav whose state is MATURE or DYING are registered to the lookup + * table called key_sad.savlut in addition to the savlists. + * - The table is used to search an sav without use of saidx. + * - Modifications to the key_sad.sahlists, sah.savlist and key_sad.savlut + * must be done with holding key_sad.lock which is a adaptive mutex + * - Read accesses to the key_sad.sahlists, sah.savlist and key_sad.savlut + * must be in pserialize(9) read sections * - sah's lifetime is managed by localcount(9) * - Getting an sah entry * - We get an sah from the key_sad.sahlists @@ -265,6 +272,8 @@ static struct { kcondvar_t cv_lc; struct pslist_head *sahlists; u_long sahlistmask; + struct pslist_head *savlut; + u_long savlutmask; pserialize_t psz; kcondvar_t cv_psz; @@ -408,6 +417,21 @@ static struct { #define SAVLIST_READER_NEXT(sav) \ PSLIST_READER_NEXT((sav), struct secasvar, pslist_entry) +/* Macros for key_sad.savlut */ +#define SAVLUT_READER_FOREACH(sav, dst, proto, hash_key) \ + PSLIST_READER_FOREACH((sav), \ + &key_sad.savlut[key_savluthash(dst, proto, hash_key, \ + key_sad.savlutmask)],\ + struct secasvar, pslist_entry_savlut) +#define SAVLUT_WRITER_INSERT_HEAD(sav) \ + key_savlut_writer_insert_head((sav)) +#define SAVLUT_WRITER_REMOVE(sav) \ + do {\ + if (!(sav)->savlut_added)\ + break; \ + PSLIST_WRITER_REMOVE((sav), pslist_entry_savlut); \ + (sav)->savlut_added = false;\ + } while(0) /* search order for SAs */ /* 
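Review bot: In the new SAVLUT macros, `SAVLUT_READER_FOREACH` forwards `dst`, `proto` and `hash_key` to key_savluthash() without parentheses, so an argument that is itself an expression would be re-parsed inside the call; write `key_savluthash((dst), (proto), (hash_key), key_sad.savlutmask)`. `SAVLUT_WRITER_REMOVE` uses `break` to leave its `do { ... } while(0)` wrapper, which works but reads like loop control; `if ((sav)->savlut_added) { PSLIST_WRITER_REMOVE((sav), pslist_entry_savlut); (sav)->savlut_added = false; }` says the same thing plainly. The locking notes in the first hunk say reads of key_sad.savlut must be in pserialize read sections but not that `savlut_added` itself is writer-side state protected by key_sad.lock; one sentence there would close that gap.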
@@ -807,8 +831,13 @@ static struct callout key_timehandler_ch static struct workqueue *key_timehandler_wq; static struct work key_timehandler_wk; +static inline void +key_savlut_writer_insert_head(struct secasvar *sav); static inline uint32_t key_saidxhash(const struct secasindex *, u_long); +static inline uint32_t +key_savluthash(const struct sockaddr *, +uint32_t, uint32_t, u_long); /* * Utilities for percpu counters for sadb_lifetime_allocations and @@ -1219,9 +1248,7 @@ key_lookup_sa( u_int16_t dport, const char* where, int tag) { - struct secashead *sah; struct secasvar *sav; - u_int state; int chkport; int s; @@ -1229,6 +1256,7 @@ key_lookup_sa( int must_check_alg = 0; u_int16_t cpi = 0; u_int8_t algo = 0; + uint32_t hash_key = spi; if ((sport != 0) && (dport != 0)) chkport = PORT_STRICT; @@ -1251,6 +1279,7 @@ key_lookup_sa( cpi = (u_int16_t) tmp; if (cpi < IPCOMP_CPI_NEGOTIATE_MIN) { algo = (u_int8_t) cpi; + hash_key = algo; must_check_spi = 0; must_check_alg = 1; } @@ -1267,57 +1296,51 @@ key_lookup_sa( * encrypted so we can't check internal IP header. */ s = pserialize_read_enter(); - SAHLIST_READER_FOREACH(sah) { - /*
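Review bot: In key_lookup_sa, `hash_key = algo;` switches the savlut bucket key from the SPI to the IPCOMP algorithm number for well-known CPIs below IPCOMP_CPI_NEGOTIATE_MIN, while every other lookup hashes the SPI; the insert side, key_savlut_writer_insert_head() (declared in this hunk, defined outside this chunk), must derive the same key from the sav or such SAs will never be found. A comment at the assignment pinning that contract would help: `/* well-known CPI: savlut is keyed by algorithm, must match key_savlut_writer_insert_head() */`. The final key_lookup_sa hunk is cut off at the end of this chunk, so the replaced loop body was not reviewed.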
CVS commit: src/sys/netipsec
Module Name:src Committed By: yamaguchi Date: Mon Apr 16 08:52:09 UTC 2018 Modified Files: src/sys/netipsec: key.c Log Message: Introduced a hash table to sahlist An saidx of sah included in the list is unique so that the search can use a hash list whose hash is calculated by the saidx to find an sah quickly. The hash list of the sahlits is used in FreeBSD, too. reviewed by ozaki-r@n.o, thanks. To generate a diff of this commit: cvs rdiff -u -r1.250 -r1.251 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.250 src/sys/netipsec/key.c:1.251 --- src/sys/netipsec/key.c:1.250 Mon Apr 9 06:26:05 2018 +++ src/sys/netipsec/key.c Mon Apr 16 08:52:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.250 2018/04/09 06:26:05 yamaguchi Exp $ */ +/* $NetBSD: key.c,v 1.251 2018/04/16 08:52:09 yamaguchi Exp $ */ /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.250 2018/04/09 06:26:05 yamaguchi Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.251 2018/04/16 08:52:09 yamaguchi Exp $"); /* * This code is referred to RFC 2367 @@ -72,6 +72,7 @@ __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.25 #include #include #include +#include #include #include @@ -119,6 +120,10 @@ __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.25 #define PORT_LOOSE 1 #define PORT_STRICT 2 +#ifndef SAHHASH_NHASH +#define SAHHASH_NHASH 128 +#endif + percpu_t *pfkeystat_percpu; /* 
@@ -201,20 +206,20 @@ static u_int32_t acq_seq = 0; /* * Locking notes on SAD: * - Data structures - * - SAs are managed by the list called key_sad.sahlist and sav lists of sah - * entries + * - SAs are managed by the list called key_sad.sahlists and sav lists of + * sah entries * - An sav is supposed to be an SA from a viewpoint of users * - A sah has sav lists for each SA state - * - Multiple sahs with the same saidx can exist + * - Multiple saves with the same saidx can exist * - Only one entry has MATURE state and others should be DEAD * - DEAD entries are just ignored from searching - * - Modifications to the key_sad.sahlist and sah.savlist must be done with + * - Modifications to the key_sad.sahlists and sah.savlist must be done with * holding key_sad.lock which is a adaptive mutex - * - Read accesses to the key_sad.sahlist and sah.savlist must be in + * - Read accesses to the key_sad.sahlists and sah.savlist must be in * pserialize(9) read sections * - sah's lifetime is managed by localcount(9) * - Getting an sah entry - * - We get an sah from the key_sad.sahlist + * - We get an sah from the key_sad.sahlists * - Must iterate the list and increment the reference count of a found sah * (by key_sah_ref) in a pserialize read section * - A gotten sah must be released after use by key_sah_unref @@ -258,7 +263,8 @@ static struct { static struct { kmutex_t lock; kcondvar_t cv_lc; - struct pslist_head sahlist; + struct pslist_head *sahlists; + u_long sahlistmask; pserialize_t psz; kcondvar_t cv_psz; 
@@ -338,13 +344,23 @@ static struct { #define SAHLIST_WRITER_REMOVE(sah) \ PSLIST_WRITER_REMOVE((sah), pslist_entry) #define SAHLIST_READER_FOREACH(sah) \ - PSLIST_READER_FOREACH((sah), &key_sad.sahlist, struct secashead,\ - pslist_entry) + for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \ + PSLIST_READER_FOREACH((sah), &key_sad.sahlists[_i_sah], \ + struct secashead, pslist_entry) +#define SAHLIST_READER_FOREACH_SAIDX(sah, saidx) \ + PSLIST_READER_FOREACH((sah), \ + &key_sad.sahlists[key_saidxhash((saidx), \ + key_sad.sahlistmask)], \ + struct secashead, pslist_entry) #define SAHLIST_WRITER_FOREACH(sah) \ - PSLIST_WRITER_FOREACH((sah), &key_sad.sahlist, struct secashead,\ - pslist_entry) + for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++) \ + PSLIST_WRITER_FOREACH((sah), &key_sad.sahlists[_i_sah], \ + struct secashead, pslist_entry) #define SAHLIST_WRITER_INSERT_HEAD(sah) \ - PSLIST_WRITER_INSERT_HEAD(&key_sad.sahlist, (sah), pslist_entry) + PSLIST_WRITER_INSERT_HEAD( \ + &key_sad.sahlists[key_saidxhash(&(sah)->saidx, \ + key_sad.sahlistmask)], \ + (sah), pslist_entry) /* Macros for key_sad.sahlist#savlist */ #define SAVLIST_ENTRY_INIT(sav) \ @@ -791,6 +807,9 @@ static struct callout key_timehandler_ch static struct workqueue *key_timehandler_wq; static struct work key_timehandler_wk; +static inline uint32_t +key_saidxhash(const struct secasindex *, u_long); + /* * Utilities for percpu counters for sadb_lifetime_
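Review bot: `SAHLIST_READER_FOREACH` and `SAHLIST_WRITER_FOREACH` now expand to a bucket `for` wrapping the PSLIST loop, so a `break` in a caller's body leaves only the current bucket and the walk resumes on the next one, with `sah` reassigned by that inner loop; any caller that breaks on a match and then uses `sah` afterwards (none are visible in this hunk) will now see NULL or keep scanning. Either document it on the macro, `/* NOTE: break only ends the current bucket; use goto to stop the whole walk */`, or give callers a form that stops cleanly. The bucket index `int _i_sah` is compared against `u_long key_sad.sahlistmask`; declaring it `u_long _i_sah` avoids the signed/unsigned comparison.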
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Fri Apr 13 09:34:20 UTC 2018 Modified Files: src/sys/netipsec: xform_ah.c Log Message: Remove duplicate, to better show that this place doesn't make a lot of sense. The code should probably be removed, it's a leftover from when we had #ifdef __FreeBSD__. To generate a diff of this commit: cvs rdiff -u -r1.87 -r1.88 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.87 src/sys/netipsec/xform_ah.c:1.88 --- src/sys/netipsec/xform_ah.c:1.87 Mon Feb 26 06:40:08 2018 +++ src/sys/netipsec/xform_ah.c Fri Apr 13 09:34:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.87 2018/02/26 06:40:08 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.88 2018/04/13 09:34:20 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.87 2018/02/26 06:40:08 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.88 2018/04/13 09:34:20 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -310,21 +310,16 @@ ah_massage_headers(struct mbuf **m0, int * whereas on NetBSD, we should not. */ if (!out) { + /* XXX XXX: What are we trying to achieve here? */ uint16_t inlen = ntohs(ip->ip_len); - ip->ip_len = htons(inlen); - - if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) -ip->ip_off &= htons(IP_DF); - else -ip->ip_off = 0; - } else { - if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) -ip->ip_off &= htons(IP_DF); - else -ip->ip_off = 0; } + if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) + ip->ip_off &= htons(IP_DF); + else + ip->ip_off = 0; + ptr = mtod(m, unsigned char *); /* IPv4 option processing */
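Review bot: After this change the `if (!out)` block in ah_massage_headers assigns `uint16_t inlen = ntohs(ip->ip_len);` and never reads it, so the block is a no-op that only draws an unused-variable warning; the added `XXX XXX` comment acknowledges as much, and revision 1.89 (above on this page) removes the block altogether. If it has to stay for a while, `(void)inlen;` keeps the build quiet until then.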
CVS commit: src/sys/netipsec
Module Name:src Committed By: yamaguchi Date: Mon Apr 9 06:26:05 UTC 2018 Modified Files: src/sys/netipsec: key.c Log Message: Removed the unnecessary order check of key_lookup_sa key_prefered_oldsa flag can change the sa to use if an sah has multiple sav. However the multiple saves whose protocol is ah, esp, or tcp cannot exist because their duplications are checked by the spi value. Although the multiple saves can exist in the case of ipcomp, the values using in the post processing are same between the saves. For those reasons, it is no need to select an sav by its lifetime. In addition, FreeBSD has already remove this. reviewed by ozaki-r@n.o, thanks. To generate a diff of this commit: cvs rdiff -u -r1.249 -r1.250 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.249 src/sys/netipsec/key.c:1.250 --- src/sys/netipsec/key.c:1.249 Fri Mar 2 07:37:13 2018 +++ src/sys/netipsec/key.c Mon Apr 9 06:26:05 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.249 2018/03/02 07:37:13 ozaki-r Exp $ */ +/* $NetBSD: key.c,v 1.250 2018/04/09 06:26:05 yamaguchi Exp $ */ /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.249 2018/03/02 07:37:13 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.250 2018/04/09 06:26:05 yamaguchi Exp $"); /* * This code is referred to RFC 2367 
@@ -424,6 +424,12 @@ static const u_int saorder_state_any[] = _i < __arraycount(saorder_state_any) ? \ (s) = saorder_state_any[_i], true : false; \ _i++) +#define SASTATE_USABLE_FOREACH(s)\ + for (int _i = 0; \ + _i < __arraycount(saorder_state_valid_prefer_new) ? \ + (s) = saorder_state_valid_prefer_new[_i], \ + true : false; \ + _i++) static const int minsize[] = { sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ @@ -1196,9 +1202,8 @@ key_lookup_sa( { struct secashead *sah; struct secasvar *sav; - u_int stateidx, state; - const u_int *saorder_state_valid; - int arraysize, chkport; + u_int state; + int chkport; int s; int must_check_spi = 1; @@ -1242,18 +1247,10 @@ key_lookup_sa( * IPsec tunnel packet is received. But ESP tunnel mode is * encrypted so we can't check internal IP header. */ - if (key_prefered_oldsa) { - saorder_state_valid = saorder_state_valid_prefer_old; - arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); - } else { - saorder_state_valid = saorder_state_valid_prefer_new; - arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); - } s = pserialize_read_enter(); SAHLIST_READER_FOREACH(sah) { /* search valid state */ - for (stateidx = 0; stateidx < arraysize; stateidx++) { - state = saorder_state_valid[stateidx]; + SASTATE_USABLE_FOREACH(state) { SAVLIST_READER_FOREACH(sav, sah, state) { KEYDEBUG_PRINTF(KEYDEBUG_MATCH, "try match spi %#x, %#x\n",
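Review bot: After the `@@ -1242` hunk key_lookup_sa() always walks `saorder_state_valid_prefer_new`, so the `key_prefered_oldsa` knob no longer influences SA selection here while it presumably still exists as a sysctl; a comment at the `SASTATE_USABLE_FOREACH` definition such as `/* key_prefered_oldsa is deliberately ignored here: duplicate SAs cannot coexist for AH/ESP/TCP, and for IPComp all candidates behave alike. */` would keep the next reader from re-adding the branch. If `saorder_state_valid_prefer_old` has no remaining user, its definition is now unused and may warn. The body of key_lookup_sa continues outside the hunk.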
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Fri Apr 6 10:31:35 UTC 2018 Modified Files: src/sys/netipsec: ipsecif.c Log Message: Add IPv4 ID when the ipsecif(4) packet can be fragmented. Implemented by hsuenaga@IIJ and ohishi@IIJ, thanks. This modification reduces packet loss of fragmented packets on a network where reordering occurs. Alghough this modification has been applied, IPv4 ID is not set for the packet smaller then IP_MINFRAGSIZE. According to RFC 6864, that must not cause problems. XXX pullup-8 To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/netipsec/ipsecif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsecif.c diff -u src/sys/netipsec/ipsecif.c:1.5 src/sys/netipsec/ipsecif.c:1.6 --- src/sys/netipsec/ipsecif.c:1.5 Tue Mar 13 03:05:12 2018 +++ src/sys/netipsec/ipsecif.c Fri Apr 6 10:31:35 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsecif.c,v 1.5 2018/03/13 03:05:12 knakahara Exp $ */ +/* $NetBSD: ipsecif.c,v 1.6 2018/04/06 10:31:35 knakahara Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.5 2018/03/13 03:05:12 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.6 2018/04/06 10:31:35 knakahara Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -135,7 +135,10 @@ ipsecif4_prepend_hdr(struct ipsec_varian ip = mtod(m, struct ip *); ip->ip_v = IPVERSION; ip->ip_off = htons(0); - ip->ip_id = 0; + if (m->m_pkthdr.len < IP_MINFRAGSIZE) + ip->ip_id = 0; + else + ip->ip_id = ip_newid(NULL); ip->ip_hl = sizeof(*ip) >> 2; if (ip_ipsec_copy_tos) ip->ip_tos = tos;
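Review bot: The `m->m_pkthdr.len < IP_MINFRAGSIZE` branch carries its RFC 6864 rationale only in the commit log; a comment on the new lines, e.g. `/* RFC 6864: a datagram that can never be fragmented needs no unique ID */`, would make the code self-explanatory. The length compared is the whole packet including the header just prepended (`ip = mtod(m, struct ip *)` above), which is presumably what the threshold expects. `ip_newid(NULL)` presumably draws from the kernel's randomized ID generator, which is what keeps the ID unpredictable on the fragmentable path. ipsecif4_prepend_hdr continues outside the hunk.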
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Mar 31 19:27:14 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: typo in comments To generate a diff of this commit: cvs rdiff -u -r1.151 -r1.152 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.151 src/sys/netipsec/ipsec.c:1.152 --- src/sys/netipsec/ipsec.c:1.151 Sat Mar 3 09:54:55 2018 +++ src/sys/netipsec/ipsec.c Sat Mar 31 19:27:14 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.151 2018/03/03 09:54:55 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.152 2018/03/31 19:27:14 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.151 2018/03/03 09:54:55 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.152 2018/03/31 19:27:14 maxv Exp $"); /* * IPsec controller part. @@ -391,7 +391,7 @@ key_get_default_sp(int af, const char *w /* * For OUTBOUND packet having a socket. Searching SPD for packet, * and return a pointer to SP. - * OUT: NULL: no apropreate SP found, the following value is set to error. + * OUT: NULL: no appropriate SP found, the following value is set to error. * 0 : bypass * EACCES : discard packet. * ENOENT : ipsec_acquire() in progress, maybe. @@ -520,7 +520,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_ * For FORWARDING packet or OUTBOUND without a socket. Searching SPD for packet, * and return a pointer to SP. * OUT: positive: a pointer to the entry for security policy leaf matched. - * NULL: no apropreate SP found, the following value is set to error. + * NULL: no appropriate SP found, the following value is set to error. * 0 : bypass * EACCES : discard packet. * ENOENT : ipsec_acquire() in progress, maybe.
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Tue Mar 13 03:05:13 UTC 2018 Modified Files: src/sys/netipsec: ipsecif.c Log Message: comment out confusing (and incorrect) code and add comment. Pointed out by maxv@n.o, thanks. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/sys/netipsec/ipsecif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsecif.c diff -u src/sys/netipsec/ipsecif.c:1.4 src/sys/netipsec/ipsecif.c:1.5 --- src/sys/netipsec/ipsecif.c:1.4 Fri Mar 9 11:05:21 2018 +++ src/sys/netipsec/ipsecif.c Tue Mar 13 03:05:12 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsecif.c,v 1.4 2018/03/09 11:05:21 knakahara Exp $ */ +/* $NetBSD: ipsecif.c,v 1.5 2018/03/13 03:05:12 knakahara Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.4 2018/03/09 11:05:21 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.5 2018/03/13 03:05:12 knakahara Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -483,7 +483,9 @@ ipsecif6_output(struct ipsec_variant *va ip6->ip6_flow = 0; ip6->ip6_vfc &= ~IPV6_VERSION_MASK; ip6->ip6_vfc |= IPV6_VERSION; - ip6->ip6_plen = htons((u_short)m->m_pkthdr.len); +#if 0 /* ip6->ip6_plen will be filled by ip6_output */ + ip6->ip6_plen = htons((u_short)m->m_pkthdr.len - sizeof(*ip6)); +#endif ip6->ip6_nxt = proto; ip6->ip6_hlim = ip6_ipsec_hlim; ip6->ip6_src = sin6_src->sin6_addr;
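Review bot: Wrapping the `ip6_plen` assignment in `#if 0` keeps dead code in ipsecif6_output() that the comment already says ip6_output() overwrites; a plain comment is clearer than retained code, e.g. replace the three new lines with `/* ip6_plen is filled in by ip6_output() */`. If the value were ever needed before ip6_output(), the `(u_short)` cast of an int minus size_t would also silently truncate, which is another reason not to leave it as a template. The function continues outside the hunk.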
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Mar 10 17:52:50 UTC 2018 Modified Files: src/sys/netipsec: ipsec_mbuf.c Log Message: Add KASSERTs. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/sys/netipsec/ipsec_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.21 src/sys/netipsec/ipsec_mbuf.c:1.22 --- src/sys/netipsec/ipsec_mbuf.c:1.21 Mon Mar 5 12:42:28 2018 +++ src/sys/netipsec/ipsec_mbuf.c Sat Mar 10 17:52:50 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.21 2018/03/05 12:42:28 maxv Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.22 2018/03/10 17:52:50 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.21 2018/03/05 12:42:28 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.22 2018/03/10 17:52:50 maxv Exp $"); /* * IPsec-specific mbuf routines. @@ -214,6 +214,7 @@ m_makespace(struct mbuf *m0, int skip, i unsigned remain; KASSERT(m0 != NULL); + KASSERT(m0->m_flags & M_PKTHDR); KASSERTMSG(hlen < MHLEN, "hlen too big: %u", hlen); for (m = m0; m && skip > m->m_len; m = m->m_next) @@ -320,6 +321,7 @@ m_pad(struct mbuf *m, int n) if (__predict_false(n > MLEN)) { panic("%s: %d > MLEN", __func__, n); } + KASSERT(m->m_flags & M_PKTHDR); len = m->m_pkthdr.len; pad = n; @@ -386,6 +388,8 @@ m_striphdr(struct mbuf *m, int skip, int struct mbuf *m1; int roff; + KASSERT(m->m_flags & M_PKTHDR); + /* Find beginning of header */ m1 = m_getptr(m, skip, &roff); if (m1 == NULL)
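Review bot: The new `KASSERT(m->m_flags & M_PKTHDR)` in m_striphdr() dereferences `m` before anything checks it is non-NULL, whereas m_makespace() asserts `m0 != NULL` first; for consistency add `KASSERT(m != NULL);` ahead of it (the same applies to m_pad(), whose hunk already reads `m->m_pkthdr.len`). KASSERT is compiled out without DIAGNOSTIC, so these only document the contract; a one-line note in each function's header comment that the argument must carry a packet header would make that explicit. All three functions extend outside their hunks.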
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Mar 10 17:48:32 UTC 2018 Modified Files: src/sys/netipsec: xform_ipcomp.c Log Message: Fix the computation. Normally that's harmless since ip6_output recomputes ip6_plen. To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.60 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.59 src/sys/netipsec/xform_ipcomp.c:1.60
--- src/sys/netipsec/xform_ipcomp.c:1.59 Fri Feb 16 09:24:55 2018
+++ src/sys/netipsec/xform_ipcomp.c Sat Mar 10 17:48:32 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipcomp.c,v 1.59 2018/02/16 09:24:55 maxv Exp $ */
+/* $NetBSD: xform_ipcomp.c,v 1.60 2018/03/10 17:48:32 maxv Exp $ */
 /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@@ -30,7 +30,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.59 2018/02/16 09:24:55 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.60 2018/03/10 17:48:32 maxv Exp $");
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #if defined(_KERNEL_OPT)
@@ -614,7 +614,7 @@ ipcomp_output_cb(struct cryptop *crp)
 #ifdef INET6
 case AF_INET6:
 mtod(m, struct ip6_hdr *)->ip6_plen =
- htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr);
+ htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
 break;
 #endif
 default:
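Review bot: `m->m_pkthdr.len - sizeof(struct ip6_hdr)` is an int minus a size_t, so a packet shorter than the header would wrap to a huge unsigned value before htons() truncates it; a `KASSERT(m->m_pkthdr.len >= sizeof(struct ip6_hdr));` in front of the assignment would pin the invariant the fix relies on. The commit log notes ip6_output() recomputes ip6_plen anyway, so this documents an expectation rather than fixing a live bug. ipcomp_output_cb continues outside the hunk.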
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Fri Mar 9 11:05:21 UTC 2018 Modified Files: src/sys/netipsec: ipsecif.c Log Message: Fix ipsec(4) I/F esp_frag support. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/sys/netipsec/ipsecif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsecif.c diff -u src/sys/netipsec/ipsecif.c:1.3 src/sys/netipsec/ipsecif.c:1.4 --- src/sys/netipsec/ipsecif.c:1.3 Tue Mar 6 10:07:06 2018 +++ src/sys/netipsec/ipsecif.c Fri Mar 9 11:05:21 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsecif.c,v 1.3 2018/03/06 10:07:06 knakahara Exp $ */ +/* $NetBSD: ipsecif.c,v 1.4 2018/03/09 11:05:21 knakahara Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.3 2018/03/06 10:07:06 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.4 2018/03/09 11:05:21 knakahara Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -259,7 +259,13 @@ ipsecif4_fragout(struct ipsec_variant *v if (mtag) m_tag_delete(m, mtag); - error = ip_fragment(m, ifp, mtu); + /* consider new IP header prepended in ipsecif4_output() */ + if (mtu <= sizeof(struct ip)) { + m_freem(m); + return ENETUNREACH; + } + m->m_pkthdr.csum_flags |= M_CSUM_IPv4; + error = ip_fragment(m, ifp, mtu - sizeof(struct ip)); if (error) return error; @@ -396,7 +402,7 @@ ipsecif4_output(struct ipsec_variant *va * frangmentation is already done in ipsecif4_fragout(), * so ipsec4_process_packet() must not do fragmentation here. */ - KASSERT(error != 0 || sa_mtu == 0); + KASSERT(sa_mtu == 0); done: return error;
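Review bot: The guard `mtu <= sizeof(struct ip)` in ipsecif4_fragout() only rejects an MTU with no room at all for the outer header; ip_fragment() presumably needs at least one 8-byte fragment unit beyond the inner header as well, and if so the bound should be `mtu < sizeof(struct ip) + 8` (or whatever minimum ip_fragment() enforces). ENETUNREACH also reads oddly for a too-small MTU, where EMSGSIZE is the conventional errno. In the second hunk the strengthened `KASSERT(sa_mtu == 0)` now also applies on the error path, which looks intended but deserves a word in the comment above it. Both functions continue outside their hunks.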
CVS commit: src/sys/netipsec
Module Name:src Committed By: knakahara Date: Tue Mar 6 10:07:06 UTC 2018 Modified Files: src/sys/netipsec: ipsecif.c Log Message: Fix fragment processing in ipsec4_fragout(). Pointed out by maxv@n.o, thanks. XXX need pullup-8 To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/netipsec/ipsecif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsecif.c
diff -u src/sys/netipsec/ipsecif.c:1.2 src/sys/netipsec/ipsecif.c:1.3
--- src/sys/netipsec/ipsecif.c:1.2 Mon Feb 26 06:17:01 2018
+++ src/sys/netipsec/ipsecif.c Tue Mar 6 10:07:06 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsecif.c,v 1.2 2018/02/26 06:17:01 maxv Exp $ */
+/* $NetBSD: ipsecif.c,v 1.3 2018/03/06 10:07:06 knakahara Exp $ */
 /*
 * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.2 2018/02/26 06:17:01 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.3 2018/03/06 10:07:06 knakahara Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -265,7 +265,7 @@ ipsecif4_fragout(struct ipsec_variant *v
 for (error = 0; m; m = next) {
 next = m->m_nextpkt;
- m->m_next = NULL;
+ m->m_nextpkt = NULL;
 if (error) {
 m_freem(m);
 continue;
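Review bot: The fix is right—clearing `m_next` cut each fragment's own mbuf chain while leaving it linked into the packet list—but nothing at the site says why the field is reset; a comment such as `/* detach this fragment from the list before handing it to the output path */` on the new line would save the next reader the same confusion. The surrounding loop continues outside the hunk.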
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon Mar 5 12:42:28 UTC 2018 Modified Files: src/sys/netipsec: ipsec_mbuf.c Log Message: Improve stupid check, style, and fix leak (m, not m0). To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/sys/netipsec/ipsec_mbuf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_mbuf.c diff -u src/sys/netipsec/ipsec_mbuf.c:1.20 src/sys/netipsec/ipsec_mbuf.c:1.21 --- src/sys/netipsec/ipsec_mbuf.c:1.20 Mon Feb 26 06:17:01 2018 +++ src/sys/netipsec/ipsec_mbuf.c Mon Mar 5 12:42:28 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_mbuf.c,v 1.20 2018/02/26 06:17:01 maxv Exp $ */ +/* $NetBSD: ipsec_mbuf.c,v 1.21 2018/03/05 12:42:28 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.20 2018/02/26 06:17:01 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.21 2018/03/05 12:42:28 maxv Exp $"); /* * IPsec-specific mbuf routines. @@ -317,10 +317,8 @@ m_pad(struct mbuf *m, int n) register int len, pad; void *retval; - if (n <= 0) { /* No stupid arguments. */ - IPSECLOG(LOG_DEBUG, "pad length invalid (%d)\n", n); - m_freem(m); - return NULL; + if (__predict_false(n > MLEN)) { + panic("%s: %d > MLEN", __func__, n); } len = m->m_pkthdr.len; @@ -329,7 +327,7 @@ m_pad(struct mbuf *m, int n) while (m0->m_len < len) { KASSERTMSG(m0->m_next != NULL, - "m0 null, len %u m_len %u", len, m0->m_len);/*XXX*/ + "m0 null, len %u m_len %u", len, m0->m_len); len -= m0->m_len; m0 = m0->m_next; } @@ -338,7 +336,6 @@ m_pad(struct mbuf *m, int n) IPSECLOG(LOG_DEBUG, "length mismatch (should be %d instead of %d)\n", m->m_pkthdr.len, m->m_pkthdr.len + m0->m_len - len); - m_freem(m); return NULL; } 
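Review bot: After this commit m_pad() has two different ownership rules on a NULL return: the length-mismatch paths in this hunk and in the `@@ -350` hunk on the next line no longer free `m`, while the MGET failure in the `@@ -361` hunk still calls `m_freem(m)` before returning NULL; unless callers distinguish the cases, one of them leaks or double-frees. Pick one contract, state it in the function's header comment, e.g. `/* Returns NULL on failure; the caller retains ownership of m. */`, and adjust the MGET path to match. Replacing the `n <= 0` check with a `panic()` on `n > MLEN` also drops the guard against non-positive `n`, which callers must now guarantee. m_pad continues outside the hunks.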
@@ -350,7 +347,6 @@ m_pad(struct mbuf *m, int n) "length mismatch (should be %d instead of %d)\n", m->m_pkthdr.len, m->m_pkthdr.len + m1->m_next->m_len); - m_freem(m); return NULL; } @@ -361,8 +357,8 @@ m_pad(struct mbuf *m, int n) if (pad > M_TRAILINGSPACE(m0)) { /* Add an mbuf to the chain. */ MGET(m1, M_DONTWAIT, MT_DATA); - if (m1 == 0) { - m_freem(m0); + if (m1 == NULL) { + m_freem(m); IPSECLOG(LOG_DEBUG, "unable to get extra mbuf\n"); return NULL; }
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon Mar 5 11:50:25 UTC 2018 Modified Files: src/sys/netipsec: ipsec_output.c Log Message: Call m_pullup earlier, fixes one branch. To generate a diff of this commit: cvs rdiff -u -r1.70 -r1.71 src/sys/netipsec/ipsec_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.70 src/sys/netipsec/ipsec_output.c:1.71 --- src/sys/netipsec/ipsec_output.c:1.70 Sat Mar 3 09:39:29 2018 +++ src/sys/netipsec/ipsec_output.c Mon Mar 5 11:50:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.70 2018/03/03 09:39:29 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.71 2018/03/05 11:50:25 maxv Exp $ */ /* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.70 2018/03/03 09:39:29 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.71 2018/03/05 11:50:25 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -485,6 +485,12 @@ ipsec4_process_packet(struct mbuf *m, co } KASSERT(sav != NULL); + if (m->m_len < sizeof(struct ip) && + (m = m_pullup(m, sizeof(struct ip))) == NULL) { + error = ENOBUFS; + goto unrefsav; + } + /* * Check if we need to handle NAT-T fragmentation. */ @@ -509,11 +515,6 @@ noneed: * Collect IP_DF state from the outer header. */ if (dst->sa.sa_family == AF_INET) { - if (m->m_len < sizeof(struct ip) && - (m = m_pullup(m, sizeof(struct ip))) == NULL) { - error = ENOBUFS; - goto unrefsav; - } ip = mtod(m, struct ip *); /* Honor system-wide control of how to handle IP_DF */ switch (ip4_ipsec_dfbit) { 
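Review bot: The hoisted m_pullup() now runs unconditionally, whereas the copy removed in the `@@ -509` hunk sat inside `if (dst->sa.sa_family == AF_INET)` (the enclosing condition of the `@@ -545` copy on the next line is not visible); if ipsec4_process_packet() always carries an IPv4 inner packet that is correct and cheaper, but a one-line comment would record the assumption, e.g. `/* the packet is IPv4 here; make its header contiguous for the fixups below */`. Also confirm that the `unrefsav` path does not touch `m`, since m_pullup() has already freed it on failure. The function continues outside the hunks.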
@@ -545,11 +546,6 @@ noneed: struct mbuf *mp; /* Fix IPv4 header checksum and length */ - if (m->m_len < sizeof(struct ip) && - (m = m_pullup(m, sizeof(struct ip))) == NULL) { - error = ENOBUFS; - goto unrefsav; - } ip = mtod(m, struct ip *); ip->ip_len = htons(m->m_pkthdr.len); ip->ip_sum = 0;
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Mar 3 09:54:55 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Reduce the diff between ipsec4_output and ipsec6_check_policy. While here style. To generate a diff of this commit: cvs rdiff -u -r1.150 -r1.151 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.150 src/sys/netipsec/ipsec.c:1.151 --- src/sys/netipsec/ipsec.c:1.150 Sat Mar 3 09:47:01 2018 +++ src/sys/netipsec/ipsec.c Sat Mar 3 09:54:55 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.150 2018/03/03 09:47:01 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.151 2018/03/03 09:54:55 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.150 2018/03/03 09:47:01 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.151 2018/03/03 09:54:55 maxv Exp $"); /* * IPsec controller part. @@ -458,7 +458,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_ } KASSERT(currsp != NULL); - if (pcbsp->priv) { /* when privilieged socket */ + if (pcbsp->priv) { /* when privileged socket */ switch (currsp->policy) { case IPSEC_POLICY_BYPASS: case IPSEC_POLICY_IPSEC: @@ -613,6 +613,7 @@ ipsec4_output(struct mbuf *m, struct inp u_long *mtu, bool *natt_frag, bool *done) { struct secpolicy *sp = NULL; + u_long _mtu = 0; int error, s; /* 
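Review bot: Hoisting `u_long _mtu = 0;` to function scope keeps an underscore-prefixed name for what is now an ordinary local of ipsec4_output(); ipsecif4_output() calls the same quantity `sa_mtu`, so renaming it (`u_long sa_mtu = 0;` plus the two uses in the `@@ -668` hunk on the next line) would read better and avoid the reserved-looking spelling. No behaviour change is involved. ipsec4_output continues outside the hunk.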
@@ -635,10 +636,10 @@ ipsec4_output(struct mbuf *m, struct inp /* * There are four return cases: - * sp != NULL apply IPsec policy - * sp == NULL, error == 0 no IPsec handling needed - * sp == NULL, error == -EINVAL discard packet w/o error - * sp == NULL, error != 0 discard packet, report error + * sp != NULLapply IPsec policy + * sp == NULL, error == 0no IPsec handling needed + * sp == NULL, error == -EINVAL discard packet w/o error + * sp == NULL, error != 0discard packet, report error */ if (sp == NULL) { splx(s); @@ -668,11 +669,7 @@ ipsec4_output(struct mbuf *m, struct inp m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4); } -{ - u_long _mtu = 0; - error = ipsec4_process_packet(m, sp->req, &_mtu); - if (error == 0 && _mtu != 0) { /* * NAT-T ESP fragmentation: do not do IPSec processing @@ -684,7 +681,6 @@ ipsec4_output(struct mbuf *m, struct inp splx(s); return 0; } -} /* * Preserve KAME behaviour: ENOENT can be returned 
@@ -1923,37 +1919,31 @@ ipsec6_check_policy(struct mbuf *m, stru int error = 0; int needipsec = 0; - if (!ipsec_outdone(m)) { - s = splsoftnet(); - if (in6p != NULL && - ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) { - splx(s); - goto skippolicycheck; - } - sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, - in6p); - - /* - * There are four return cases: - * sp != NULL apply IPsec policy - * sp == NULL, error == 0 no IPsec handling needed - * sp == NULL, error == -EINVAL discard packet w/o error - * sp == NULL, error != 0 discard packet, report error - */ - + if (ipsec_outdone(m)) { + goto skippolicycheck; + } + s = splsoftnet(); + if (in6p && ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) { splx(s); - if (sp == NULL) { - /* - * Caller must check the error return to see if it needs to discard - * the packet. - */ - needipsec = 0; - } else { - needipsec = 1; - } + goto skippolicycheck; + } + sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, in6p); + splx(s); + + /* + * There are four return cases: + * sp != NULLapply IPsec policy + * sp == NULL, error == 0no IPsec handling needed + * sp == NULL, error == -EINVAL discard packet w/o error + * sp == NULL, error != 0discard packet, report error + */ + if (sp == NULL) { + needipsec = 0; + } else { + needipsec = 1; } -skippolicycheck:; +skippolicycheck: *errorp = error; *needipsecp = needipsec; return sp;
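Review bot: The early `goto skippolicycheck` on `ipsec_outdone(m)` reaches `return sp;` without `sp` ever being assigned, so the function relies on `sp` being initialised at its declaration, which lies above the hunk; the old code had the same dependency, but it is worth confirming it reads `struct secpolicy *sp = NULL;`. With that confirmed the restructuring is behaviour-preserving: `error` and `needipsec` start at 0 in the visible declarations. The function's declarations lie outside the hunk.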
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Sat Mar 3 09:47:01 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Dedup. To generate a diff of this commit: cvs rdiff -u -r1.149 -r1.150 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.149 src/sys/netipsec/ipsec.c:1.150 --- src/sys/netipsec/ipsec.c:1.149 Wed Feb 28 11:29:14 2018 +++ src/sys/netipsec/ipsec.c Sat Mar 3 09:47:01 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.149 2018/02/28 11:29:14 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.150 2018/03/03 09:47:01 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.149 2018/02/28 11:29:14 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.150 2018/03/03 09:47:01 maxv Exp $"); /* * IPsec controller part. @@ -417,7 +417,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_ KASSERT(inph->inph_socket != NULL); KASSERT(inph_locked(inph)); - /* XXX FIXME inpcb/in6pcb vs socket*/ + /* XXX FIXME inpcb/in6pcb vs socket*/ af = inph->inph_af; KASSERTMSG(af == AF_INET || af == AF_INET6, "unexpected protocol family %u", af); @@ -433,22 +433,13 @@ ipsec_getpolicybysock(struct mbuf *m, u_ IPSEC_STATINC(IPSEC_STAT_SPDCACHEMISS); switch (af) { - case AF_INET: { - struct inpcb *in4p = (struct inpcb *)inph; - /* set spidx in pcb */ - *error = ipsec_setspidx_inpcb(m, in4p); - pcbsp = in4p->inp_sp; - break; - } + case AF_INET: #if defined(INET6) - case AF_INET6: { - struct in6pcb *in6p = (struct in6pcb *)inph; - /* set spidx in pcb */ - *error = ipsec_setspidx_inpcb(m, in6p); - pcbsp = in6p->in6p_sp; - break; - } + case AF_INET6: #endif + *error = ipsec_setspidx_inpcb(m, inph); + pcbsp = inph->inph_sp; + break; default: *error = EPFNOSUPPORT; break;
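Review bot: Both callers now hand `inph` (a `struct inpcb_hdr *`) to ipsec_setspidx_inpcb(), so the `void *pcb` parameter the function was given in rev 1.148 (further down this page) no longer buys anything and only loses type checking; declaring it `static int ipsec_setspidx_inpcb(struct mbuf *, struct inpcb_hdr *);` and dropping the cast inside would let the compiler verify this call. The merged `case AF_INET:`/`case AF_INET6:` labels are fine. ipsec_getpolicybysock continues outside the hunk.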
CVS commit: src/sys/netipsec
Module Name:src Committed By: ozaki-r Date: Fri Mar 2 07:37:14 UTC 2018 Modified Files: src/sys/netipsec: key.c keydb.h Log Message: Avoid data races on lifetime counters by using percpu(9) We don't make them percpu(9) directly because the structure is exposed to userland and we don't want to break ABI. So we add another member variable for percpu(9) and use it internally. When we export them to userland, they are converted to the original format. To generate a diff of this commit: cvs rdiff -u -r1.248 -r1.249 src/sys/netipsec/key.c cvs rdiff -u -r1.20 -r1.21 src/sys/netipsec/keydb.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.248 src/sys/netipsec/key.c:1.249 --- src/sys/netipsec/key.c:1.248 Thu Feb 8 20:57:41 2018 +++ src/sys/netipsec/key.c Fri Mar 2 07:37:13 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.248 2018/02/08 20:57:41 maxv Exp $ */ +/* $NetBSD: key.c,v 1.249 2018/03/02 07:37:13 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.248 2018/02/08 20:57:41 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.249 2018/03/02 07:37:13 ozaki-r Exp $"); /* * This code is referred to RFC 2367 
@@ -785,6 +785,26 @@ static struct callout key_timehandler_ch static struct workqueue *key_timehandler_wq; static struct work key_timehandler_wk; +/* + * Utilities for percpu counters for sadb_lifetime_allocations and + * sadb_lifetime_bytes. + */ +#define LIFETIME_COUNTER_ALLOCATIONS 0 +#define LIFETIME_COUNTER_BYTES 1 +#define LIFETIME_COUNTER_SIZE 2 + +typedef uint64_t lifetime_counters_t[LIFETIME_COUNTER_SIZE]; + +static void +key_sum_lifetime_counters(void *p, void *arg, struct cpu_info *ci __unused) +{ + lifetime_counters_t *one = p; + lifetime_counters_t *sum = arg; + + (*sum)[LIFETIME_COUNTER_ALLOCATIONS] += (*one)[LIFETIME_COUNTER_ALLOCATIONS]; + (*sum)[LIFETIME_COUNTER_BYTES] += (*one)[LIFETIME_COUNTER_BYTES]; +} + u_int key_sp_refcnt(const struct secpolicy *sp) { @@ -3257,6 +3277,8 @@ key_newsav(struct mbuf *m, const struct /* We don't allow lft_c to be NULL */ newsav->lft_c = kmem_zalloc(sizeof(struct sadb_lifetime), KM_SLEEP); + newsav->lft_c_counters_percpu = + percpu_alloc(sizeof(lifetime_counters_t)); } /* reset created */ @@ -3467,6 +3489,10 @@ key_freesaval(struct secasvar *sav) kmem_intr_free(sav->key_auth, sav->key_auth_len); if (sav->key_enc != NULL) kmem_intr_free(sav->key_enc, sav->key_enc_len); + if (sav->lft_c_counters_percpu != NULL) { + percpu_free(sav->lft_c_counters_percpu, + sizeof(lifetime_counters_t)); + } if (sav->lft_c != NULL) kmem_intr_free(sav->lft_c, sizeof(*(sav->lft_c))); if (sav->lft_h != NULL) @@ -3635,6 +3661,8 @@ key_setsaval(struct secasvar *sav, struc sav->lft_c->sadb_lifetime_addtime = time_uptime; sav->lft_c->sadb_lifetime_usetime = 0; + sav->lft_c_counters_percpu = percpu_alloc(sizeof(lifetime_counters_t)); + /* lifetimes for HARD and SOFT */ { const struct sadb_lifetime *lft0; 
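Review bot: key_setsaval() allocates `lft_c_counters_percpu` unconditionally in the `@@ -3635` hunk, while key_newsav() already allocates it in the branch where it creates `lft_c`; if a sav can pass through both (the call graph is not on the page), the first allocation leaks. Guard it with `KASSERT(sav->lft_c_counters_percpu == NULL);` or free before reallocating, mirroring how `lft_c` itself is handled there. key_sum_lifetime_counters() reads each CPU's 64-bit counters without synchronisation, which is acceptable for an approximate lifetime check but can tear on 32-bit platforms; a comment stating that the sum is intentionally approximate would help. All four functions continue outside their hunks.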
@@ -3818,7 +3846,9 @@ key_setdumpsa(struct secasvar *sav, u_in p = sav->key_enc; break; - case SADB_EXT_LIFETIME_CURRENT: + case SADB_EXT_LIFETIME_CURRENT: { + lifetime_counters_t sum = {0}; + KASSERT(sav->lft_c != NULL); l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len); memcpy(<, sav->lft_c, sizeof(struct sadb_lifetime)); @@ -3826,8 +3856,15 @@ key_setdumpsa(struct secasvar *sav, u_in time_mono_to_wall(lt.sadb_lifetime_addtime); lt.sadb_lifetime_usetime = time_mono_to_wall(lt.sadb_lifetime_usetime); + percpu_foreach(sav->lft_c_counters_percpu, + key_sum_lifetime_counters, sum); + lt.sadb_lifetime_allocations = + sum[LIFETIME_COUNTER_ALLOCATIONS]; + lt.sadb_lifetime_bytes = + sum[LIFETIME_COUNTER_BYTES]; p = < break; + } case SADB_EXT_LIFETIME_HARD: if (!sav->lft_h) @@ -4857,9 +4894,17 @@ restart: * when new SA is installed. Caution when it's * installed too big lifetime by time. */ - else if (sav->lft_s->sadb_lifetime_bytes != 0 && - sav->lft_s->sadb_lifetime_bytes < - sav->lft_c->sadb_lifetime_bytes) { + else { +uint64_t lft_c_bytes = 0; +lifetime_counters_t sum = {0}; + +percpu_foreach(sav->lft_c_counters_percpu, +key_sum_lifetime_counters, sum); +lft_c_bytes = sum[LIFETIME_COUNTER_BYTES]; + +if (sav->lft_s->sadb_lifetime_bytes == 0 || +sav->lft_s->sadb_lifetime_bytes >= lft_c_bytes) + continue; key_sa_chgstate(sav, SADB_SASTATE_DYING); mutex_exit(&key_sad.lock); @@ -4907,9 +4952,18 @@ restart: } #endif /* check HARD lifetime by bytes */ - else if (sa
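Review bot: In the `@@ -4857` hunk the new `else` block ends with `continue` where the old `else if` simply fell out of the if/else chain; if any statement follows that chain inside the loop body (outside the hunk), it is now skipped for the not-yet-expired case. Independently, the percpu_foreach()+sum sequence is now spelled out in key_setdumpsa() and again here (and presumably in the truncated HARD-lifetime hunk), which suggests a small helper; the fence shows one and the branch rewritten to keep the original else-if shape. The last hunk on this line is cut off and is not reviewed.
```c
/* Sum the per-CPU lifetime byte counter of sav into one value. */
static uint64_t
key_lifetime_bytes(struct secasvar *sav)
{
	lifetime_counters_t sum = {0};

	percpu_foreach(sav->lft_c_counters_percpu,
	    key_sum_lifetime_counters, sum);
	return sum[LIFETIME_COUNTER_BYTES];
}

/* … unchanged: SOFT lifetime by time check … */
		else if (sav->lft_s->sadb_lifetime_bytes != 0 &&
		    sav->lft_s->sadb_lifetime_bytes <
		    key_lifetime_bytes(sav)) {
			key_sa_chgstate(sav, SADB_SASTATE_DYING);
```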
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Feb 28 11:29:14 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: add missing static To generate a diff of this commit: cvs rdiff -u -r1.148 -r1.149 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.148 src/sys/netipsec/ipsec.c:1.149
--- src/sys/netipsec/ipsec.c:1.148 Wed Feb 28 10:16:19 2018
+++ src/sys/netipsec/ipsec.c Wed Feb 28 11:29:14 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.148 2018/02/28 10:16:19 maxv Exp $ */
+/* $NetBSD: ipsec.c,v 1.149 2018/02/28 11:29:14 maxv Exp $ */
 /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.148 2018/02/28 10:16:19 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.149 2018/02/28 11:29:14 maxv Exp $");
 /*
 * IPsec controller part.
@@ -1483,7 +1483,7 @@ ipsec_get_reqlevel(const struct ipsecreq
 * If the SP requires an IPsec packet, and the packet was neither AH nor ESP,
 * then kick it.
 */
-int
+static int
 ipsec_sp_reject(const struct secpolicy *sp, const struct mbuf *m)
 {
 struct ipsecrequest *isr;
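Review bot: Making ipsec_sp_reject() static is right for a function used only in this file, but any external prototype for it (in ipsec.h or ipsec_private.h, not visible here) must be removed at the same time, since a `static` definition following a non-static declaration is a hard compile error. Nothing else to raise on this hunk; the function body continues outside it.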
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Feb 28 11:19:49 UTC 2018 Modified Files: src/sys/netipsec: ipsec_private.h Log Message: Remove unused macros, and while here style. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/netipsec/ipsec_private.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec_private.h diff -u src/sys/netipsec/ipsec_private.h:1.6 src/sys/netipsec/ipsec_private.h:1.7 --- src/sys/netipsec/ipsec_private.h:1.6 Wed Feb 28 11:09:03 2018 +++ src/sys/netipsec/ipsec_private.h Wed Feb 28 11:19:49 2018 @@ -1,6 +1,6 @@ -/* $NetBSD: ipsec_private.h,v 1.6 2018/02/28 11:09:03 maxv Exp $ */ +/* $NetBSD: ipsec_private.h,v 1.7 2018/02/28 11:19:49 maxv Exp $ */ -/*- +/* * Copyright (c) 2008 The NetBSD Foundation, Inc. * All rights reserved. * @@ -35,21 +35,18 @@ #ifdef _KERNEL #include -extern percpu_t *ipsecstat_percpu; -extern percpu_t *ahstat_percpu; -extern percpu_t *espstat_percpu; -extern percpu_t *ipcompstat_percpu; -extern percpu_t *ipipstat_percpu; -extern percpu_t *pfkeystat_percpu; +extern percpu_t *ipsecstat_percpu; +extern percpu_t *ahstat_percpu; +extern percpu_t *espstat_percpu; +extern percpu_t *ipcompstat_percpu; +extern percpu_t *ipipstat_percpu; +extern percpu_t *pfkeystat_percpu; #define IPSEC_STAT_GETREF() _NET_STAT_GETREF(ipsecstat_percpu) #define IPSEC_STAT_PUTREF() _NET_STAT_PUTREF(ipsecstat_percpu) #define IPSEC_STATINC(x) _NET_STATINC(ipsecstat_percpu, x) #define IPSEC_STATADD(x, v) _NET_STATADD(ipsecstat_percpu, x, v) -#define IPSEC6_STAT_GETREF() IPSEC_STAT_GETREF() -#define IPSEC6_STAT_PUTREF() IPSEC_STAT_PUTREF() - #define AH_STATINC(x) _NET_STATINC(ahstat_percpu, x) #define AH_STATADD(x, v) _NET_STATADD(ahstat_percpu, x, v) 
@@ -90,14 +87,16 @@ extern percpu_t *pfkeystat_percpu; #include /* for softnet_lock */ #define IPSEC_DECLARE_LOCK_VARIABLE int __s -#define IPSEC_ACQUIRE_GLOBAL_LOCKS() do { \ - __s = splsoftnet(); \ - mutex_enter(softnet_lock); \ -} while (0) -#define IPSEC_RELEASE_GLOBAL_LOCKS() do { \ - mutex_exit(softnet_lock); \ - splx(__s); \ -} while (0) +#define IPSEC_ACQUIRE_GLOBAL_LOCKS() \ + do { \ + __s = splsoftnet(); \ + mutex_enter(softnet_lock); \ + } while (0) +#define IPSEC_RELEASE_GLOBAL_LOCKS() \ + do { \ + mutex_exit(softnet_lock); \ + splx(__s); \ + } while (0) #endif #endif /* _KERNEL */
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Feb 28 10:16:19 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Dedup: merge ipsec4_setspidx_inpcb and ipsec6_setspidx_in6pcb. To generate a diff of this commit: cvs rdiff -u -r1.147 -r1.148 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.147 src/sys/netipsec/ipsec.c:1.148 --- src/sys/netipsec/ipsec.c:1.147 Wed Feb 28 10:09:17 2018 +++ src/sys/netipsec/ipsec.c Wed Feb 28 10:16:19 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.147 2018/02/28 10:09:17 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.148 2018/02/28 10:16:19 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.147 2018/02/28 10:09:17 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.148 2018/02/28 10:16:19 maxv Exp $"); /* * IPsec controller part. @@ -170,10 +170,7 @@ struct secpolicy ip6_def_policy; int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ #endif -static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *); -#ifdef INET6 -static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *); -#endif +static int ipsec_setspidx_inpcb(struct mbuf *, void *); static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int); static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int); static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *); @@ -439,7 +436,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_ case AF_INET: { struct inpcb *in4p = (struct inpcb *)inph; /* set spidx in pcb */ - *error = ipsec4_setspidx_inpcb(m, in4p); + *error = ipsec_setspidx_inpcb(m, in4p); pcbsp = in4p->inp_sp; break; } 
@@ -447,7 +444,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_ case AF_INET6: { struct in6pcb *in6p = (struct in6pcb *)inph; /* set spidx in pcb */ - *error = ipsec6_setspidx_in6pcb(m, in6p); + *error = ipsec_setspidx_inpcb(m, in6p); pcbsp = in6p->in6p_sp; break; } 
@@ -794,54 +791,29 @@ ipsec4_forward(struct mbuf *m, int *dest } static int -ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb) +ipsec_setspidx_inpcb(struct mbuf *m, void *pcb) { + struct inpcb_hdr *inph = (struct inpcb_hdr *)pcb; int error; - KASSERT(pcb != NULL); - KASSERT(pcb->inp_sp != NULL); - KASSERT(pcb->inp_sp->sp_out != NULL); - KASSERT(pcb->inp_sp->sp_in != NULL); - - error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1); - if (error == 0) { - pcb->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; - pcb->inp_sp->sp_out->spidx = pcb->inp_sp->sp_in->spidx; - pcb->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; - } else { - memset(&pcb->inp_sp->sp_in->spidx, 0, - sizeof(pcb->inp_sp->sp_in->spidx)); - memset(&pcb->inp_sp->sp_out->spidx, 0, - sizeof(pcb->inp_sp->sp_out->spidx)); - } - return error; -} - -#ifdef INET6 -static int -ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb) -{ - int error; - - KASSERT(pcb != NULL); - KASSERT(pcb->in6p_sp != NULL); - KASSERT(pcb->in6p_sp->sp_out != NULL); - KASSERT(pcb->in6p_sp->sp_in != NULL); + KASSERT(inph != NULL); + KASSERT(inph->inph_sp != NULL); + KASSERT(inph->inph_sp->sp_out != NULL); + KASSERT(inph->inph_sp->sp_in != NULL); - error = ipsec_setspidx(m, &pcb->in6p_sp->sp_in->spidx, 1); + error = ipsec_setspidx(m, &inph->inph_sp->sp_in->spidx, 1); if (error == 0) { - pcb->in6p_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; - pcb->in6p_sp->sp_out->spidx = pcb->in6p_sp->sp_in->spidx; - pcb->in6p_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; + inph->inph_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; + inph->inph_sp->sp_out->spidx = inph->inph_sp->sp_in->spidx; + inph->inph_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; } else { - memset(&pcb->in6p_sp->sp_in->spidx, 0, - sizeof(pcb->in6p_sp->sp_in->spidx)); - memset(&pcb->in6p_sp->sp_out->spidx, 0, - sizeof(pcb->in6p_sp->sp_out->spidx)); + memset(&inph->inph_sp->sp_in->spidx, 0, + sizeof(inph->inph_sp->sp_in->spidx)); + memset(&inph->inph_sp->sp_out->spidx, 0, + 
sizeof(inph->inph_sp->sp_out->spidx)); } return error; } -#endif /* * configure security policy index (src/dst/proto/sport/dport)
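Review bot: The merged helper takes `void *pcb` and immediately casts it to `struct inpcb_hdr *`, which throws away the type checking the two removed functions had; both call sites in ipsec_getpolicybysock already hold the `inph` the pcb was derived from, so the signature can be `static int ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb_hdr *inph)` and both the AF_INET and AF_INET6 cases can call `ipsec_setspidx_inpcb(m, inph)`. That lets the compiler reject a stray pointer type and keeps the "header is the first member of both pcb types" assumption confined to the existing casts rather than spreading it through a `void *`. A one-line comment on the helper stating that it fills both sp_in and sp_out from the packet and zeroes both on failure would also help, since the KASSERTs are the only documentation now.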
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Wed Feb 28 10:09:17 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: ipsec6_setspidx_in6pcb: call ipsec_setspidx() only once, just like the IPv4 code. While here put the correct variable in sizeof. ok ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.146 -r1.147 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.146 src/sys/netipsec/ipsec.c:1.147 --- src/sys/netipsec/ipsec.c:1.146 Tue Feb 27 15:01:30 2018 +++ src/sys/netipsec/ipsec.c Wed Feb 28 10:09:17 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.146 2018/02/27 15:01:30 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.147 2018/02/28 10:09:17 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.146 2018/02/27 15:01:30 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.147 2018/02/28 10:09:17 maxv Exp $"); /* * IPsec controller part. @@ -812,7 +812,7 @@ ipsec4_setspidx_inpcb(struct mbuf *m, st memset(&pcb->inp_sp->sp_in->spidx, 0, sizeof(pcb->inp_sp->sp_in->spidx)); memset(&pcb->inp_sp->sp_out->spidx, 0, - sizeof(pcb->inp_sp->sp_in->spidx)); + sizeof(pcb->inp_sp->sp_out->spidx)); } return error; } @@ -821,7 +821,6 @@ ipsec4_setspidx_inpcb(struct mbuf *m, st static int ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb) { - struct secpolicyindex *spidx; int error; KASSERT(pcb != NULL); 
@@ -829,26 +828,17 @@ ipsec6_setspidx_in6pcb(struct mbuf *m, s KASSERT(pcb->in6p_sp->sp_out != NULL); KASSERT(pcb->in6p_sp->sp_in != NULL); - memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx)); - memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx)); - - spidx = &pcb->in6p_sp->sp_in->spidx; - error = ipsec_setspidx(m, spidx, 1); - if (error) - goto bad; - spidx->dir = IPSEC_DIR_INBOUND; - - spidx = &pcb->in6p_sp->sp_out->spidx; - error = ipsec_setspidx(m, spidx, 1); - if (error) - goto bad; - spidx->dir = IPSEC_DIR_OUTBOUND; - - return 0; - -bad: - memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx)); - memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx)); + error = ipsec_setspidx(m, &pcb->in6p_sp->sp_in->spidx, 1); + if (error == 0) { + pcb->in6p_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; + pcb->in6p_sp->sp_out->spidx = pcb->in6p_sp->sp_in->spidx; + pcb->in6p_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; + } else { + memset(&pcb->in6p_sp->sp_in->spidx, 0, + sizeof(pcb->in6p_sp->sp_in->spidx)); + memset(&pcb->in6p_sp->sp_out->spidx, 0, + sizeof(pcb->in6p_sp->sp_out->spidx)); + } return error; } #endif
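Review bot: The rewrite drops the two memsets that used to zero sp_in->spidx and sp_out->spidx before ipsec_setspidx() ran, so on the success path any member (or padding) that ipsec_setspidx() does not write keeps whatever the previous call left there, and the struct assignment into sp_out->spidx copies it along; that now matches the IPv4 function, but it is only safe if ipsec_setspidx() initializes every field, which is not visible here and worth confirming since spidx drives policy matching. If it does, a comment such as `/* ipsec_setspidx() writes every spidx field; no pre-zeroing needed */` above the call records the assumption; if not, keep a single `memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(pcb->in6p_sp->sp_in->spidx));` ahead of it. The function's KASSERTs start before this hunk.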
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Feb 27 14:52:51 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Remove duplicate checks, and no need to initialize 'newsp' in ipsec_set_policy. To generate a diff of this commit: cvs rdiff -u -r1.144 -r1.145 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.144 src/sys/netipsec/ipsec.c:1.145 --- src/sys/netipsec/ipsec.c:1.144 Tue Feb 27 14:44:10 2018 +++ src/sys/netipsec/ipsec.c Tue Feb 27 14:52:51 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.144 2018/02/27 14:44:10 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.145 2018/02/27 14:52:51 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.144 2018/02/27 14:44:10 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.145 2018/02/27 14:52:51 maxv Exp $"); /* * IPsec controller part. @@ -1278,15 +1278,13 @@ ipsec_set_policy(struct secpolicy **poli size_t len, kauth_cred_t cred) { const struct sadb_x_policy *xpl; - struct secpolicy *newsp = NULL, *oldsp; + struct secpolicy *newsp, *oldsp; int error; KASSERT(!cpu_softintr_p()); /* sanity check. */ - if (policy == NULL || *policy == NULL || request == NULL) - return EINVAL; - if (len < sizeof(*xpl)) + if (policy == NULL || *policy == NULL) return EINVAL; xpl = (const struct sadb_x_policy *)request; @@ -1396,8 +1394,7 @@ ipsec_get_policy(void *inp, const void * return EINVAL; } - /* sanity check. */ - if (policy == NULL || mp == NULL) + if (policy == NULL) return EINVAL; *mp = key_sp2msg(policy, M_NOWAIT);
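Review bot: After this hunk ipsec_set_policy() casts `request` to `const struct sadb_x_policy *` and dereferences it with no check of `request` or `len` of its own, so it now relies entirely on every caller having validated `len >= sizeof(*xpl)` on what is user-supplied setsockopt data; the callers shown elsewhere on this page do that, but nothing in the function says so any more. Adding `KASSERT(request != NULL);` and `KASSERT(len >= sizeof(*xpl));` at the top of ipsec_set_policy, and `KASSERT(mp != NULL);` where ipsec_get_policy dropped its check, documents the contract and catches a future caller that forgets it at no production cost. Both functions continue past the end of the hunk.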
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Feb 27 13:36:21 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Use inpcb_hdr to reduce the diff between ipsec4_set_policy and ipsec6_set_policy ipsec4_get_policy and ipsec6_get_policy ipsec4_delete_pcbpolicy and ipsec6_delete_pcbpolicy No real functional change. To generate a diff of this commit: cvs rdiff -u -r1.142 -r1.143 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.142 src/sys/netipsec/ipsec.c:1.143 --- src/sys/netipsec/ipsec.c:1.142 Tue Feb 27 08:05:19 2018 +++ src/sys/netipsec/ipsec.c Tue Feb 27 13:36:21 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.142 2018/02/27 08:05:19 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.143 2018/02/27 13:36:21 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.142 2018/02/27 08:05:19 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.143 2018/02/27 13:36:21 maxv Exp $"); /* * IPsec controller part. 
@@ -1357,27 +1357,28 @@ int ipsec4_set_policy(struct inpcb *inp, int optname, const void *request, size_t len, kauth_cred_t cred) { + struct inpcb_hdr *inph = (struct inpcb_hdr *)inp; const struct sadb_x_policy *xpl; struct secpolicy **policy; KASSERT(!cpu_softintr_p()); - KASSERT(inp != NULL); - KASSERT(inp_locked(inp)); + KASSERT(inph != NULL); + KASSERT(inph_locked(inph)); KASSERT(request != NULL); if (len < sizeof(*xpl)) return EINVAL; xpl = (const struct sadb_x_policy *)request; - KASSERT(inp->inp_sp != NULL); + KASSERT(inph->inph_sp != NULL); /* select direction */ switch (xpl->sadb_x_policy_dir) { case IPSEC_DIR_INBOUND: - policy = &inp->inp_sp->sp_in; + policy = &inph->inph_sp->sp_in; break; case IPSEC_DIR_OUTBOUND: - policy = &inp->inp_sp->sp_out; + policy = &inph->inph_sp->sp_out; break; default: IPSECLOG(LOG_ERR, "invalid direction=%u\n", @@ -1392,13 +1393,14 @@ int ipsec4_get_policy(struct inpcb *inp, const void *request, size_t len, struct mbuf **mp) { + struct inpcb_hdr *inph = (struct inpcb_hdr *)inp; const struct sadb_x_policy *xpl; struct secpolicy *policy; /* sanity check. */ - if (inp == NULL || request == NULL || mp == NULL) + if (inph == NULL || request == NULL || mp == NULL) return EINVAL; - KASSERT(inp->inp_sp != NULL); + KASSERT(inph->inph_sp != NULL); if (len < sizeof(*xpl)) return EINVAL; xpl = (const struct sadb_x_policy *)request; @@ -1406,10 +1408,10 @@ ipsec4_get_policy(struct inpcb *inp, con /* select direction */ switch (xpl->sadb_x_policy_dir) { case IPSEC_DIR_INBOUND: - policy = inp->inp_sp->sp_in; + policy = inph->inph_sp->sp_in; break; case IPSEC_DIR_OUTBOUND: - policy = inp->inp_sp->sp_out; + policy = inph->inph_sp->sp_out; break; default: IPSECLOG(LOG_ERR, "invalid direction=%u\n", 
@@ -1423,22 +1425,23 @@ ipsec4_get_policy(struct inpcb *inp, con int ipsec4_delete_pcbpolicy(struct inpcb *inp) { + struct inpcb_hdr *inph = (struct inpcb_hdr *)inp; - KASSERT(inp != NULL); + KASSERT(inph != NULL); - if (inp->inp_sp == NULL) + if (inph->inph_sp == NULL) return 0; - if (inp->inp_sp->sp_in != NULL) - ipsec_destroy_policy(inp->inp_sp->sp_in); + if (inph->inph_sp->sp_in != NULL) + ipsec_destroy_policy(inph->inph_sp->sp_in); - if (inp->inp_sp->sp_out != NULL) - ipsec_destroy_policy(inp->inp_sp->sp_out); + if (inph->inph_sp->sp_out != NULL) + ipsec_destroy_policy(inph->inph_sp->sp_out); - ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY); + ipsec_invalpcbcache(inph->inph_sp, IPSEC_DIR_ANY); - ipsec_delpcbpolicy(inp->inp_sp); - inp->inp_sp = NULL; + ipsec_delpcbpolicy(inph->inph_sp); + inph->inph_sp = NULL; return 0; } @@ -1448,12 +1451,13 @@ int ipsec6_set_policy(struct in6pcb *in6p, int optname, const void *request, size_t len, kauth_cred_t cred) { + struct inpcb_hdr *inph = (struct inpcb_hdr *)in6p; const struct sadb_x_policy *xpl; struct secpolicy **policy; KASSERT(!cpu_softintr_p()); - KASSERT(in6p != NULL); - KASSERT(in6p_locked(in6p)); + KASSERT(inph != NULL); + KASSERT(inph_locked(inph)); KASSERT(request != NULL); if (len < sizeof(*xpl)) @@ -1463,10 +1467,10 @@ ipsec6_set_policy(struct in6pcb *in6p, i /* select direction */ switch (xpl->sadb_x_policy_dir) { case IPSEC_DIR_INBOUND: - policy = &in6p->in6p_sp->sp_in; + policy = &inph->inph_sp->sp_in; break; case IPSEC_DIR_OUTBOUND: - policy = &in6p->in6p_sp->sp_out; + policy = &inph->inph_sp->sp_out; break; default: IPSECLOG(LOG_ERR, "invalid direction=%u\n", @@ -1481,13 +1485,14 @@ int ipsec6_get_policy(struct in6pcb *in6p, const void *request, size_t le
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Tue Feb 27 08:05:19 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Optimize: use ipsec_sp_hdrsiz instead of ipsec_hdrsiz, not to re-query the SP. ok ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.141 -r1.142 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.141 src/sys/netipsec/ipsec.c:1.142
--- src/sys/netipsec/ipsec.c:1.141 Mon Feb 26 10:36:24 2018
+++ src/sys/netipsec/ipsec.c Tue Feb 27 08:05:19 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.141 2018/02/26 10:36:24 maxv Exp $ */
+/* $NetBSD: ipsec.c,v 1.142 2018/02/27 08:05:19 maxv Exp $ */
 /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.141 2018/02/26 10:36:24 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.142 2018/02/27 08:05:19 maxv Exp $");
 /*
 * IPsec controller part.
@@ -768,7 +768,7 @@ ipsec4_forward(struct mbuf *m, int *dest
 }
 /* Count IPsec header size. */
- ipsechdr = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL);
+ ipsechdr = ipsec_sp_hdrsiz(sp, m);
 /*
 * Find the correct route for outer IPv4 header, compute tunnel MTU.
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon Feb 26 10:36:24 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Dedup: call ipsec_in_reject directly. IPSEC_STAT_IN_POLVIO also gets increased now. To generate a diff of this commit: cvs rdiff -u -r1.140 -r1.141 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.140 src/sys/netipsec/ipsec.c:1.141 --- src/sys/netipsec/ipsec.c:1.140 Mon Feb 26 10:19:13 2018 +++ src/sys/netipsec/ipsec.c Mon Feb 26 10:36:24 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.140 2018/02/26 10:19:13 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.141 2018/02/26 10:36:24 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.140 2018/02/26 10:19:13 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.141 2018/02/26 10:36:24 maxv Exp $"); /* * IPsec controller part. @@ -723,20 +723,10 @@ ipsec4_input(struct mbuf *m, int flags) int error, s; s = splsoftnet(); - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); - if (sp == NULL) { - splx(s); - return EINVAL; - } - - /* - * Check security policy against packet attributes. - */ - error = ipsec_sp_reject(sp, m); - KEY_SP_UNREF(&sp); + error = ipsec_in_reject(m, NULL); splx(s); if (error) { - return error; + return EINVAL; } if (flags == 0) { @@ -1702,9 +1692,6 @@ ipsec_sp_reject(const struct secpolicy * /* * Check security policy requirements. - * - * This function is called from tcp{6}_input(), udp{6}_input(), - * and {ah,esp}_input for tunnel mode */ int ipsec_in_reject(struct mbuf *m, void *inp) 
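Review bot: The replaced lookup in ipsec4_input passed IP_FORWARDING to ipsec_getpolicybyaddr(), while the new `ipsec_in_reject(m, NULL)` gives no hint of which flag its address-based lookup uses; if it does not also pass IP_FORWARDING, a forwarded packet could be matched against a different policy than before, so that is worth confirming in ipsec_in_reject() (its body is outside this hunk). Separately, every failure now collapses to EINVAL where the old code returned whatever ipsec_sp_reject() reported; that is fine if the caller only tests for non-zero, but a comment such as `/* ipsec_in_reject() has already logged and counted the drop; callers only need a non-zero result */` would explain why the specific error is discarded. The splx(s) ordering is unchanged.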
@@ -2135,24 +2122,16 @@ skippolicycheck:; int ipsec6_input(struct mbuf *m) { - struct secpolicy *sp; int s, error; s = splsoftnet(); - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); - if (sp == NULL) { - splx(s); + error = ipsec_in_reject(m, NULL); + splx(s); + if (error) { return EINVAL; } - /* - * Check security policy against packet attributes. - */ - error = ipsec_sp_reject(sp, m); - KEY_SP_UNREF(&sp); - splx(s); - - return error; + return 0; } #endif /* INET6 */
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon Feb 26 10:19:13 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c Log Message: Reduce the diff between ipsec6_input and ipsec4_input. To generate a diff of this commit: cvs rdiff -u -r1.139 -r1.140 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.139 src/sys/netipsec/ipsec.c:1.140
--- src/sys/netipsec/ipsec.c:1.139 Mon Feb 26 09:04:29 2018
+++ src/sys/netipsec/ipsec.c Mon Feb 26 10:19:13 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.139 2018/02/26 09:04:29 maxv Exp $ */
+/* $NetBSD: ipsec.c,v 1.140 2018/02/26 10:19:13 maxv Exp $ */
 /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.139 2018/02/26 09:04:29 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.140 2018/02/26 10:19:13 maxv Exp $");
 /*
 * IPsec controller part.
@@ -2140,18 +2140,16 @@ ipsec6_input(struct mbuf *m)
 s = splsoftnet();
 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
- if (sp != NULL) {
- /*
- * Check security policy against packet
- * attributes.
- */
- error = ipsec_sp_reject(sp, m);
- KEY_SP_UNREF(&sp);
- } else {
- /* XXX error stat??? */
- error = EINVAL;
- IPSECLOG(LOG_DEBUG, "no SP, packet discarded\n");/*XXX*/
+ if (sp == NULL) {
+ splx(s);
+ return EINVAL;
 }
+
+ /*
+ * Check security policy against packet attributes.
+ */
+ error = ipsec_sp_reject(sp, m);
+ KEY_SP_UNREF(&sp);
 splx(s);
 return error;
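Review bot: The early return on `sp == NULL` silently drops the `IPSECLOG(LOG_DEBUG, "no SP, packet discarded\n")` line together with the `/* XXX error stat??? */` marker, so an inbound packet discarded because no policy matched now leaves neither a log line nor a counter; for a deny path that is exactly the event an operator looks for when IPsec traffic vanishes. Keep the debug message ahead of the return, `IPSECLOG(LOG_DEBUG, "no SP, packet discarded\n");`, or bump an input-side statistic there, which is what the old XXX comment was already asking for. Aligning with ipsec4_input is a fair goal, but how the IPv4 side reports this case is not visible in this hunk.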
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon Feb 26 08:42:16 UTC 2018 Modified Files: src/sys/netipsec: ipsec.c ipsec6.h Log Message: Dedup: merge ipsec4_checkpolicy and ipsec6_checkpolicy into ipsec_checkpolicy. ok ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.136 -r1.137 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.22 -r1.23 src/sys/netipsec/ipsec6.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.136 src/sys/netipsec/ipsec.c:1.137 --- src/sys/netipsec/ipsec.c:1.136 Mon Feb 26 06:48:01 2018 +++ src/sys/netipsec/ipsec.c Mon Feb 26 08:42:16 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.136 2018/02/26 06:48:01 maxv Exp $ */ +/* $NetBSD: ipsec.c,v 1.137 2018/02/26 08:42:16 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.136 2018/02/26 06:48:01 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.137 2018/02/26 08:42:16 maxv Exp $"); /* * IPsec controller part. @@ -574,8 +574,8 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_ } static struct secpolicy * -ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, -struct inpcb *inp) +ipsec_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, +void *inp) { struct secpolicy *sp; 
@@ -634,7 +634,7 @@ ipsec4_output(struct mbuf *m, struct inp * Check the security policy (SP) for the packet and, if required, * do IPsec-related processing. There are two cases here; the first * time a packet is sent through it will be untagged and handled by - * ipsec4_checkpolicy(). If the packet is resubmitted to ip_output + * ipsec_checkpolicy(). If the packet is resubmitted to ip_output * (e.g. after AH, ESP, etc. processing), there will be a tag to * bypass the lookup and related policy checking. */ @@ -646,7 +646,7 @@ ipsec4_output(struct mbuf *m, struct inp splx(s); return 0; } - sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp); + sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp); /* * There are four return cases: @@ -749,7 +749,7 @@ ipsec4_input(struct mbuf *m, int flags) * it is a Fast Forward candidate. */ s = splsoftnet(); - sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL); + sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL); if (sp != NULL) { m->m_flags &= ~M_CANFASTFWD; KEY_SP_UNREF(&sp); 
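Review bot: The fast-forward test in ipsec4_input clears M_CANFASTFWD only when `sp != NULL`, yet the ipsec6_checkpolicy body removed by this same commit shows that a DISCARD policy makes the merged function return NULL with `*error = -EINVAL`, indistinguishable from BYPASS/NONE as far as this test goes; if the lines after the hunk do not also examine `error`, a packet subject to an outbound discard policy would keep its fast-forward eligibility. The conservative form is `if (sp != NULL || error != 0) {` with the KEY_SP_UNREF kept under a nested `sp != NULL` check, or a comment stating why a NULL result with error set cannot reach this point. ipsec4_input continues past the end of the hunk, so the error handling may already be there.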
@@ -806,55 +806,6 @@ ipsec4_forward(struct mbuf *m, int *dest return 0; } -#ifdef INET6 -struct secpolicy * -ipsec6_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, -struct in6pcb *in6p) -{ - struct secpolicy *sp; - - *error = 0; - - if (in6p == NULL) { - sp = ipsec_getpolicybyaddr(m, dir, flag, error); - } else { - struct inpcb_hdr *inph = (struct inpcb_hdr *)in6p; - KASSERT(inph->inph_socket != NULL); - sp = ipsec_getpolicybysock(m, dir, inph, error); - } - if (sp == NULL) { - KASSERTMSG(*error != 0, "getpolicy failed w/o error"); - IPSEC_STATINC(IPSEC_STAT_OUT_INVAL); - return NULL; - } - KASSERTMSG(*error == 0, "sp w/ error set to %u", *error); - switch (sp->policy) { - case IPSEC_POLICY_ENTRUST: - default: - printf("%s: invalid policy %u\n", __func__, sp->policy); - /* fall thru... */ - case IPSEC_POLICY_DISCARD: - IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO); - *error = -EINVAL; /* packet is discarded by caller */ - break; - case IPSEC_POLICY_BYPASS: - case IPSEC_POLICY_NONE: - KEY_SP_UNREF(&sp); - sp = NULL; /* NB: force NULL result */ - break; - case IPSEC_POLICY_IPSEC: - KASSERT(sp->req != NULL); - break; - } - if (*error != 0) { - KEY_SP_UNREF(&sp); - sp = NULL; - IPSECLOG(LOG_DEBUG, "done, error %d\n", *error); - } - return sp; -} -#endif /* INET6 */ - static int ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb) { @@ -2216,7 +2167,7 @@ ipsec6_check_policy(struct mbuf *m, stru splx(s); goto skippolicycheck; } - sp = ipsec6_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, + sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, in6p); /* Index: src/sys/netipsec/ipsec6.h diff -u src/sys/netipsec/ipsec6.h:1.22 src/sys/netipsec/ipsec6.h:1.23 --- src/sys/netipsec/ipsec6.h:1.22 Fri Feb 16 15:18:41 2018 +++ src/sys/netipsec/ipsec6.h Mon Feb 26 08:42:16 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: ipsec6.h,v 1.22 2018/02/16 15:18:41 maxv Exp $ */ +/* $NetBSD: ipsec6.h,v 1.23 2018/02/26 08:42:16 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */ /* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */ @@ -56,8 +56,6 @@ struct in6pcb; int ipsec6_delete_pcbpolicy(struct in6pcb *); int ipsec6_set_policy(struct in6pcb *, int, const voi
CVS commit: src/sys/netipsec
Module Name:src Committed By: maxv Date: Mon Feb 26 06:58:56 UTC 2018 Modified Files: src/sys/netipsec: ipsec_input.c Log Message: If 'skip' is lower than sizeof(struct ip), we are in trouble. So remove a nonsensical branch, and add a panic at the beginning of the function. To generate a diff of this commit: cvs rdiff -u -r1.60 -r1.61 src/sys/netipsec/ipsec_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.60 src/sys/netipsec/ipsec_input.c:1.61
--- src/sys/netipsec/ipsec_input.c:1.60 Mon Feb 26 06:53:22 2018
+++ src/sys/netipsec/ipsec_input.c Mon Feb 26 06:58:56 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.60 2018/02/26 06:53:22 maxv Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.61 2018/02/26 06:58:56 maxv Exp $ */
 /* $FreeBSD: src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@@ -39,7 +39,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.60 2018/02/26 06:53:22 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.61 2018/02/26 06:58:56 maxv Exp $");
 /*
 * IPsec input processing.
@@ -332,6 +332,9 @@ ipsec4_common_input_cb(struct mbuf *m, s
 if (__predict_false(m == NULL)) {
 panic("%s: NULL mbuf", __func__);
 }
+ if (__predict_false(skip < sizeof(struct ip))) {
+ panic("%s: short skip", __func__);
+ }
 KASSERT(sav != NULL);
 saidx = &sav->sah->saidx;
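Review bot: The new guard compares `skip` against `sizeof(struct ip)`, so if `skip` is a plain `int` (the IPv6 counterpart later in this diff passes `&skip` to a pr_input hook, which suggests it is) the comparison is done unsigned and a negative skip passes the check only to reach the m_pullup and mtod arithmetic below; `if (__predict_false(skip < 0 || (size_t)skip < sizeof(struct ip)))` closes that. Separately, a panic here turns any caller that miscomputes the offset into a kernel crash on the receive path: if `skip` is purely an in-kernel invariant, `KASSERTMSG(skip >= (int)sizeof(struct ip), "short skip")` says so at no production cost, and if it can depend on inbound packet bytes the packet should instead be dropped through the existing `bad:` path with the HDROPS statistic. Which of the two applies is not visible in this hunk; the function continues outside it.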
@@ -342,29 +345,26 @@ ipsec4_common_input_cb(struct mbuf *m, s sproto == IPPROTO_IPCOMP, "unexpected security protocol %u", sproto); - /* Fix IPv4 header */ - if (skip != 0) { - if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { - char buf[IPSEC_ADDRSTRLEN]; + /* + * Update the IPv4 header. The length of the packet may have changed, + * so fix it, and recompute the checksum. + */ + if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { + char buf[IPSEC_ADDRSTRLEN]; cantpull: - IPSECLOG(LOG_DEBUG, - "processing failed for SA %s/%08lx\n", - ipsec_address(&sav->sah->saidx.dst, buf, - sizeof(buf)), (u_long) ntohl(sav->spi)); - IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS, - IPCOMP_STAT_HDROPS); - error = ENOBUFS; - goto bad; - } - - ip = mtod(m, struct ip *); - ip->ip_len = htons(m->m_pkthdr.len); - ip->ip_sum = 0; - ip->ip_sum = in_cksum(m, ip->ip_hl << 2); - } else { - /* XXX this branch is never taken */ - ip = mtod(m, struct ip *); + IPSECLOG(LOG_DEBUG, + "processing failed for SA %s/%08lx\n", + ipsec_address(&sav->sah->saidx.dst, buf, + sizeof(buf)), (u_long) ntohl(sav->spi)); + IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS, + IPCOMP_STAT_HDROPS); + error = ENOBUFS; + goto bad; } + ip = mtod(m, struct ip *); + ip->ip_len = htons(m->m_pkthdr.len); + ip->ip_sum = 0; + ip->ip_sum = in_cksum(m, ip->ip_hl << 2); /* * Update TCP/UDP checksum @@ -692,6 +692,7 @@ ipsec6_common_input_cb(struct mbuf *m, s nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); } return 0; + bad: if (m) m_freem(m);
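Review bot: In the rewritten pull-up block the `cantpull:` label now sits inside the body of the `if (m->m_len < skip && ...)` statement, right after the `char buf[IPSEC_ADDRSTRLEN]` declaration, so whatever later `goto cantpull` targets it (not visible in the hunk) jumps into the middle of a compound statement; that is legal C, but it reads as dead code and hides that the log/HDROPS/ENOBUFS sequence is a second error exit. Moving those lines to a labelled block beside `bad:` at the end of the function, with the pull-up failure itself doing `goto cantpull` like the other sites, keeps the error exits in one place. The `ip_len`/`in_cksum` fix-up that follows is unchanged in substance, and ipsec4_common_input_cb continues outside the hunk.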