CVS commit: [netbsd-9] src/sys/netipsec

2020-10-08 Martin Husemann
Module Name:	src
Committed By:   martin
Date:   Thu Oct  8 17:49:03 UTC 2020

Modified Files:
src/sys/netipsec [netbsd-9]: xform_esp.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1103):

sys/netipsec/xform_esp.c: revision 1.101

Make sequence number of esp header MP-safe for IPsec Tx side. reviewed by 
ozaki-r@n.o

In IPsec Tx side, one Security Association can be used by multiple CPUs.
On the other hand, in IPsec Rx side, one Security Association is used
by only one CPU.

XXX pullup-{8,9}


To generate a diff of this commit:
cvs rdiff -u -r1.98 -r1.98.2.1 src/sys/netipsec/xform_esp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.98 src/sys/netipsec/xform_esp.c:1.98.2.1
--- src/sys/netipsec/xform_esp.c:1.98	Wed Jun 12 22:23:50 2019
+++ src/sys/netipsec/xform_esp.c	Thu Oct  8 17:49:03 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.98 2019/06/12 22:23:50 christos Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.98.2.1 2020/10/08 17:49:03 martin Exp $	*/
 /*	$FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.98 2019/06/12 22:23:50 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.98.2.1 2020/10/08 17:49:03 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -796,11 +796,12 @@ esp_output(struct mbuf *m, const struct 
 
 #ifdef IPSEC_DEBUG
 		/* Emulate replay attack when ipsec_replay is TRUE. */
-		if (!ipsec_replay)
+		if (ipsec_replay)
+			replay = htonl(sav->replay->count);
+		else
 #endif
-			sav->replay->count++;
+			replay = htonl(atomic_inc_32_nv(>replay->count));
 
-		replay = htonl(sav->replay->count);
 		memcpy(mtod(mo,char *) + roff + sizeof(uint32_t), ,
 		sizeof(uint32_t));
 	}
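Review bot: in the IPSEC_DEBUG branch, `replay = htonl(sav->replay->count);` reads the counter with a plain load, while the non-debug branch now updates the same field with atomic_inc_32_nv, possibly from several CPUs at once. That leaves the debug path as the one access to the counter in this hunk that is not atomic. For a replay-emulation knob this is probably acceptable, but a comment saying the unsynchronized read is intentional would stop a later reader from treating it as a missed conversion. Separately, the `else` sits inside the #ifdef and binds to the assignment after `#endif`; braces or a short comment on that assignment would make it harder to break by inserting a line between the two.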



CVS commit: [netbsd-9] src/sys/netipsec

2020-01-31 Martin Husemann
Module Name:	src
Committed By:   martin
Date:   Fri Jan 31 11:30:24 UTC 2020

Modified Files:
src/sys/netipsec [netbsd-9]: ipsecif.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #679):

sys/netipsec/ipsecif.c: revision 1.19

Fix IPv6 over IPv4 ipsecif(4) uses IPv4 SP wrongly.  Pointed out by ohishi@IIJ.
XXX pullup-8, pullup-9


To generate a diff of this commit:
cvs rdiff -u -r1.16.2.1 -r1.16.2.2 src/sys/netipsec/ipsecif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsecif.c
diff -u src/sys/netipsec/ipsecif.c:1.16.2.1 src/sys/netipsec/ipsecif.c:1.16.2.2
--- src/sys/netipsec/ipsecif.c:1.16.2.1	Tue Sep 24 03:10:35 2019
+++ src/sys/netipsec/ipsecif.c	Fri Jan 31 11:30:24 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsecif.c,v 1.16.2.1 2019/09/24 03:10:35 martin Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.16.2.2 2020/01/31 11:30:24 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.16.2.1 2019/09/24 03:10:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.16.2.2 2020/01/31 11:30:24 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -380,7 +380,17 @@ ipsecif4_output(struct ipsec_variant *va
 	KASSERT(var->iv_psrc->sa_family == AF_INET);
 	KASSERT(var->iv_pdst->sa_family == AF_INET);
 
-	sp = IV_SP_OUT(var);
+	switch (family) {
+	case AF_INET:
+		sp = IV_SP_OUT(var);
+		break;
+	case AF_INET6:
+		sp = IV_SP_OUT6(var);
+		break;
+	default:
+		m_freem(m);
+		return EAFNOSUPPORT;
+	}
 	KASSERT(sp != NULL);
 	/*
 	 * The SPs in ipsec_variant are prevented from freed by
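Review bot: after the new switch, `KASSERT(sp != NULL);` is still the only check on the policy pointer, and it now also covers the result of `IV_SP_OUT6(var)`. KASSERT is compiled in only for DIAGNOSTIC kernels, so if the IPv6 outbound SP can ever be unset for a variant, other kernels would continue past this point with a NULL sp. Either say in a comment why both SPs are always present here, or handle NULL the way the default case does (`m_freem(m)` and return an error). The default case itself frees the mbuf before returning EAFNOSUPPORT, which is the right order.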