Module Name:    src
Committed By:   ozaki-r
Date:           Tue Oct  3 08:25:21 UTC 2017

Modified Files:
        src/sys/netipsec: ipsec.c ipsec.h ipsec_output.c key.c key.h

Log Message:
Don't abuse key_checkrequest just for looking up sav

It does more than expected, for example key_acquire.


To generate a diff of this commit:
cvs rdiff -u -r1.120 -r1.121 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.59 -r1.60 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.61 -r1.62 src/sys/netipsec/ipsec_output.c
cvs rdiff -u -r1.231 -r1.232 src/sys/netipsec/key.c
cvs rdiff -u -r1.29 -r1.30 src/sys/netipsec/key.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.120 src/sys/netipsec/ipsec.c:1.121
--- src/sys/netipsec/ipsec.c:1.120	Thu Sep 28 17:21:42 2017
+++ src/sys/netipsec/ipsec.c	Tue Oct  3 08:25:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.120 2017/09/28 17:21:42 christos Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.121 2017/10/03 08:25:21 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.120 2017/09/28 17:21:42 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.121 2017/10/03 08:25:21 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -212,7 +212,7 @@ static int ipsec_set_policy (struct secp
 static int ipsec_get_policy (struct secpolicy *, struct mbuf **);
 static void ipsec_destroy_policy(struct secpolicy *);
 static void vshiftl (unsigned char *, int, int);
-static size_t ipsec_hdrsiz (const struct secpolicy *);
+static size_t ipsec_hdrsiz(const struct secpolicy *, const struct mbuf *);
 
 /*
  * Try to validate and use cached policy on a PCB.
@@ -801,22 +801,23 @@ ipsec4_forward(struct mbuf *m, int *dest
 	 * Find the correct route for outer IPv4 header, compute tunnel MTU.
 	 */
 	if (sp->req) {
-		struct route *ro;
-		struct rtentry *rt;
-		struct secasvar *sav = NULL;
+		struct secasvar *sav;
 
-		error = key_checkrequest(sp->req, &sav);
-		if (error != 0)
-			return error;
-		ro = &sav->sah->sa_route;
-		rt = rtcache_validate(ro);
-		if (rt && rt->rt_ifp) {
-			*destmtu = rt->rt_rmx.rmx_mtu ?
-			    rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
-			*destmtu -= ipsechdr;
+		sav = ipsec_lookup_sa(sp->req, m);
+		if (sav != NULL) {
+			struct route *ro;
+			struct rtentry *rt;
+
+			ro = &sav->sah->sa_route;
+			rt = rtcache_validate(ro);
+			if (rt && rt->rt_ifp) {
+				*destmtu = rt->rt_rmx.rmx_mtu ?
+				    rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
+				*destmtu -= ipsechdr;
+			}
+			rtcache_unref(rt, ro);
+			KEY_SA_UNREF(&sav);
 		}
-		rtcache_unref(rt, ro);
-		KEY_SA_UNREF(&sav);
 	}
 	KEY_SP_UNREF(&sp);
 	return 0;
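Review bot: When ipsec_lookup_sa returns NULL the new code falls through to `KEY_SP_UNREF(&sp); return 0;` with *destmtu untouched, whereas the replaced key_checkrequest path returned its error to the caller, so a caller that treats a 0 return as "destmtu was computed" now reads whatever value it passed in. If the intended meaning is "no usable SA, leave the MTU alone", a comment in the `sav == NULL` case such as `/* no SA for this request: *destmtu is left as the caller set it */` would make that explicit; otherwise an error return for that case is still needed (I cannot see how ipsec4_forward's caller initializes destmtu, so please check). The hunk also drops the SA-acquire side effect of key_checkrequest on this path, which matches the log message but deserves a mention in the commit text. ipsec4_forward starts before this hunk.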
@@ -1860,7 +1861,7 @@ ipsec6_in_reject(struct mbuf *m, struct 
  * NOTE: SP passed is free in this function.
  */
 static size_t
-ipsec_hdrsiz(const struct secpolicy *sp)
+ipsec_hdrsiz(const struct secpolicy *sp, const struct mbuf *m)
 {
 	struct ipsecrequest *isr;
 	size_t siz;
@@ -1883,21 +1884,20 @@ ipsec_hdrsiz(const struct secpolicy *sp)
 	siz = 0;
 	for (isr = sp->req; isr != NULL; isr = isr->next) {
 		size_t clen = 0;
-		struct secasvar *sav = NULL;
-		int error;
+		struct secasvar *sav;
 
 		switch (isr->saidx.proto) {
 		case IPPROTO_ESP:
-			error = key_checkrequest(isr, &sav);
-			if (error == 0) {
+			sav = ipsec_lookup_sa(isr, m);
+			if (sav != NULL) {
 				clen = esp_hdrsiz(sav);
 				KEY_SA_UNREF(&sav);
 			} else
 				clen = esp_hdrsiz(NULL);
 			break;
 		case IPPROTO_AH:
-			error = key_checkrequest(isr, &sav);
-			if (error == 0) {
+			sav = ipsec_lookup_sa(isr, m);
+			if (sav != NULL) {
 				clen = ah_hdrsiz(sav);
 				KEY_SA_UNREF(&sav);
 			} else
@@ -1954,7 +1954,7 @@ ipsec4_hdrsiz(struct mbuf *m, u_int dir,
 					   (struct inpcb_hdr *)inp, &error);
 
 	if (sp != NULL) {
-		size = ipsec_hdrsiz(sp);
+		size = ipsec_hdrsiz(sp, m);
 		KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%lu.\n",
 		    (unsigned long)size);
 
@@ -1991,7 +1991,7 @@ ipsec6_hdrsiz(struct mbuf *m, u_int dir,
 
 	if (sp == NULL)
 		return 0;
-	size = ipsec_hdrsiz(sp);
+	size = ipsec_hdrsiz(sp, m);
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size);
 	KEY_SP_UNREF(&sp);
 

Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.59 src/sys/netipsec/ipsec.h:1.60
--- src/sys/netipsec/ipsec.h:1.59	Thu Aug 10 06:11:24 2017
+++ src/sys/netipsec/ipsec.h	Tue Oct  3 08:25:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.59 2017/08/10 06:11:24 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.60 2017/10/03 08:25:21 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -314,6 +314,8 @@ int ipsec4_get_policy (struct inpcb *, c
 int ipsec4_delete_pcbpolicy (struct inpcb *);
 int ipsec4_in_reject (struct mbuf *, struct inpcb *);
 
+struct secasvar *
+	ipsec_lookup_sa(const struct ipsecrequest *, const struct mbuf *);
 
 struct secas;
 struct tcpcb;

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.61 src/sys/netipsec/ipsec_output.c:1.62
--- src/sys/netipsec/ipsec_output.c:1.61	Tue Oct  3 07:32:53 2017
+++ src/sys/netipsec/ipsec_output.c	Tue Oct  3 08:25:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.61 2017/10/03 07:32:53 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.62 2017/10/03 08:25:21 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.61 2017/10/03 07:32:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.62 2017/10/03 08:25:21 ozaki-r Exp $");
 
 /*
  * IPsec output processing.
@@ -339,6 +339,20 @@ ipsec_fill_saidx_bymbuf(struct secasinde
 	}
 }
 
+struct secasvar *
+ipsec_lookup_sa(const struct ipsecrequest *isr, const struct mbuf *m)
+{
+	struct secasindex saidx;
+
+	saidx = isr->saidx;
+	if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
+		/* Fillin unspecified SA peers only for transport mode */
+		ipsec_fill_saidx_bymbuf(&saidx, m, isr->saidx.dst.sa.sa_family);
+	}
+
+	return key_lookup_sa_bysaidx(&saidx);
+}
+
 /*
  * ipsec_nextisr can return :
  * - isr == NULL and error != 0 => something is bad : the packet must be
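Review bot: ipsec_lookup_sa becomes a public interface (declared in ipsec.h) but carries no header comment stating its contract; since the callers in ipsec.c release the result with KEY_SA_UNREF, I would add above the definition: `/* Look up the SA for isr, filling unspecified peers from m for transport mode. Returns a referenced SA that the caller must drop with KEY_SA_UNREF, or NULL if none matches. */` in the file's block-comment style. Also, in transport mode `m` is passed straight to ipsec_fill_saidx_bymbuf, and the ipsec_hdrsiz callers changed in ipsec.c now forward whatever mbuf they received where the replaced key_checkrequest path needed none; if any of those can be reached with m == NULL, a `KASSERT(m != NULL)` or an explicit NULL check at the top of this function would be preferable to a dereference inside the fill helper, so please confirm against the ipsec4_hdrsiz/ipsec6_hdrsiz callers.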

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.231 src/sys/netipsec/key.c:1.232
--- src/sys/netipsec/key.c:1.231	Sun Oct  1 09:45:16 2017
+++ src/sys/netipsec/key.c	Tue Oct  3 08:25:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.231 2017/10/01 09:45:16 ryoon Exp $	*/
+/*	$NetBSD: key.c,v 1.232 2017/10/03 08:25:21 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.231 2017/10/01 09:45:16 ryoon Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.232 2017/10/03 08:25:21 ozaki-r Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -620,7 +620,6 @@ key_fill_replymsg(struct mbuf *m, int se
 	return m;
 }
 
-static struct secasvar *key_lookup_sa_bysaidx(const struct secasindex *);
 #if 0
 static void key_freeso(struct socket *);
 static void key_freesp_so(struct secpolicy **);
@@ -1049,7 +1048,7 @@ key_checkrequest(struct ipsecrequest *is
  * OUT:	NULL:	not found.
  *	others:	found and return the pointer.
  */
-static struct secasvar *
+struct secasvar *
 key_lookup_sa_bysaidx(const struct secasindex *saidx)
 {
 	struct secashead *sah;

Index: src/sys/netipsec/key.h
diff -u src/sys/netipsec/key.h:1.29 src/sys/netipsec/key.h:1.30
--- src/sys/netipsec/key.h:1.29	Wed Aug  9 09:48:11 2017
+++ src/sys/netipsec/key.h	Tue Oct  3 08:25:21 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.h,v 1.29 2017/08/09 09:48:11 ozaki-r Exp $	*/
+/*	$NetBSD: key.h,v 1.30 2017/10/03 08:25:21 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $	*/
 
@@ -91,6 +91,7 @@ void key_socksplist_add(struct secpolicy
 struct secasvar *key_lookup_sa(const union sockaddr_union *,
 		u_int, u_int32_t, u_int16_t, u_int16_t, const char*, int);
 void key_freesav(struct secasvar **, const char*, int);
+struct secasvar *key_lookup_sa_bysaidx(const struct secasindex *);
 
 #define	KEY_LOOKUP_SA(dst, proto, spi, sport, dport)		\
 	key_lookup_sa(dst, proto, spi, sport, dport,  __func__, __LINE__)
