Module Name: src Committed By: martin Date: Tue Mar 13 15:34:34 UTC 2018
Modified Files: src/sys/net [netbsd-8]: if_ipsec.c src/sys/netipsec [netbsd-8]: ipsecif.c src/tests/net/if_ipsec [netbsd-8]: t_ipsec.sh Log Message: Pull up following revision(s) (requested by knakahara in ticket #627): sys/netipsec/ipsecif.c: revision 1.5 tests/net/if_ipsec/t_ipsec.sh: revision 1.4 sys/net/if_ipsec.c: revision 1.7 Fix IPv6 ipsecif(4) ATF regression, sorry. There must *not* be padding between the src sockaddr and the dst sockaddr after struct sadb_x_policy. Comment out confusing (and incorrect) code and add comment. Pointed out by maxv@n.o, thanks. Enhance the assertions in the ipsecif(4) ATF tests to avoid a confusing setkey(8) error message. When setkey(8) says "syntax error at [-E]", it must mean get_if_ipsec_unique() failed. To generate a diff of this commit: cvs rdiff -u -r1.3.2.3 -r1.3.2.4 src/sys/net/if_ipsec.c cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/sys/netipsec/ipsecif.c cvs rdiff -u -r1.3.2.3 -r1.3.2.4 src/tests/net/if_ipsec/t_ipsec.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_ipsec.c
diff -u src/sys/net/if_ipsec.c:1.3.2.3 src/sys/net/if_ipsec.c:1.3.2.4
--- src/sys/net/if_ipsec.c:1.3.2.3	Tue Mar 13 15:29:45 2018
+++ src/sys/net/if_ipsec.c	Tue Mar 13 15:34:33 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipsec.c,v 1.3.2.3 2018/03/13 15:29:45 martin Exp $  */
+/*	$NetBSD: if_ipsec.c,v 1.3.2.4 2018/03/13 15:34:33 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3.2.3 2018/03/13 15:29:45 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3.2.4 2018/03/13 15:34:33 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1310,27 +1310,37 @@ if_ipsec_unshare_sp(struct ipsec_variant
 }
 
 static inline void
-if_ipsec_add_mbuf(struct mbuf *m0, void *data, size_t len)
+if_ipsec_add_mbuf_optalign(struct mbuf *m0, void *data, size_t len, bool align)
 {
 	struct mbuf *m;
 
 	MGET(m, M_WAITOK | M_ZERO, MT_DATA);
-	m->m_len = PFKEY_ALIGN8(len);
+	if (align)
+		m->m_len = PFKEY_ALIGN8(len);
+	else
+		m->m_len = len;
 	m_copyback(m, 0, len, data);
 	m_cat(m0, m);
 }
 
 static inline void
-if_ipsec_add_mbuf_addr_port(struct mbuf *m0, struct sockaddr *addr, in_port_t port)
+if_ipsec_add_mbuf(struct mbuf *m0, void *data, size_t len)
+{
+
+	if_ipsec_add_mbuf_optalign(m0, data, len, true);
+}
+
+static inline void
+if_ipsec_add_mbuf_addr_port(struct mbuf *m0, struct sockaddr *addr, in_port_t port, bool align)
 {
 
 	if (port == 0) {
-		if_ipsec_add_mbuf(m0, addr, addr->sa_len);
+		if_ipsec_add_mbuf_optalign(m0, addr, addr->sa_len, align);
 	} else {
 		struct sockaddr addrport;
 
 		if_ipsec_set_addr_port(&addrport, addr, port);
-		if_ipsec_add_mbuf(m0, &addrport, addrport.sa_len);
+		if_ipsec_add_mbuf_optalign(m0, &addrport, addrport.sa_len, align);
 	}
 }
 
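Review bot: `struct sockaddr addrport;` in the else-branch of if_ipsec_add_mbuf_addr_port is only sizeof(struct sockaddr) (16 bytes) of kernel stack, yet this commit is about IPv6, whose sockaddr_in6 has sa_len 28. if_ipsec_set_addr_port is not visible here; if it copies addr->sa_len bytes into addrport, the port != 0 path overflows the stack object and the following `if_ipsec_add_mbuf_optalign(m0, &addrport, addrport.sa_len, align)` reads past it as well. Declaring `struct sockaddr_storage addrport;` and passing `(struct sockaddr *)&addrport` removes the dependence on the helper's behaviour. The new `align` flag is also undocumented; a comment on if_ipsec_add_mbuf_optalign such as `/* align=false: the sockaddrs after sadb_x_ipsecrequest are appended back-to-back and only their sum is 8-byte aligned */` would record why the policy path differs from the address extensions.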
@@ -1412,10 +1422,8 @@ if_ipsec_set_sadb_x_policy(struct sadb_x
 	size = sizeof(*xpl);
 	if (policy == IPSEC_POLICY_IPSEC) {
 		size += PFKEY_ALIGN8(sizeof(*xisr));
-		if (src != NULL)
-			size += PFKEY_ALIGN8(src->sa_len);
-		if (dst != NULL)
-			size += PFKEY_ALIGN8(dst->sa_len);
+		if (src != NULL && dst != NULL)
+			size += PFKEY_ALIGN8(src->sa_len + dst->sa_len);
 	}
 	xpl->sadb_x_policy_len = PFKEY_UNIT64(size);
 	xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
@@ -1427,10 +1435,9 @@ if_ipsec_set_sadb_x_policy(struct sadb_x
 
 	if (policy == IPSEC_POLICY_IPSEC) {
 		xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(sizeof(*xisr));
-		if (src != NULL)
-			xisr->sadb_x_ipsecrequest_len += PFKEY_ALIGN8(src->sa_len);
-		if (dst != NULL)
-			xisr->sadb_x_ipsecrequest_len += PFKEY_ALIGN8(dst->sa_len);
+		if (src != NULL && dst != NULL)
+			xisr->sadb_x_ipsecrequest_len +=
+			    PFKEY_ALIGN8(src->sa_len + dst->sa_len);
 		xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
 		xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
 		xisr->sadb_x_ipsecrequest_level = level;
@@ -1539,13 +1546,13 @@ if_ipsec_add_sp0(struct sockaddr *src, i
 	m_copyback(m, 0, sizeof(msg), &msg);
 
 	if_ipsec_add_mbuf(m, &xsrc, sizeof(xsrc));
-	if_ipsec_add_mbuf_addr_port(m, src, sport);
+	if_ipsec_add_mbuf_addr_port(m, src, sport, true);
 	padlen = PFKEY_UNUNIT64(xsrc.sadb_address_len) -
 	    (sizeof(xsrc) + PFKEY_ALIGN8(src->sa_len));
 	if_ipsec_add_pad(m, padlen);
 
 	if_ipsec_add_mbuf(m, &xdst, sizeof(xdst));
-	if_ipsec_add_mbuf_addr_port(m, dst, dport);
+	if_ipsec_add_mbuf_addr_port(m, dst, dport, true);
 	padlen = PFKEY_UNUNIT64(xdst.sadb_address_len) -
 	    (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len));
 	if_ipsec_add_pad(m, padlen);
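Review bot: The new `if (src != NULL && dst != NULL)` in if_ipsec_set_sadb_x_policy accounts for neither address when exactly one of them is NULL, while the IPSEC_POLICY_IPSEC path of if_ipsec_add_sp0 later in this diff appends both sockaddrs unconditionally and dereferences `src->sa_len`, so a half-NULL pair would produce a sadb_x_policy_len shorter than the bytes actually emitted. If both-or-neither is the contract, state it with `KASSERT((src == NULL) == (dst == NULL));` at the top of the function instead of letting the length computation quietly absorb the mismatch. The same guard is repeated for sadb_x_ipsecrequest_len in the next hunk and would be covered by the one assertion. if_ipsec_set_sadb_x_policy begins before this hunk.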
@@ -1553,14 +1560,12 @@ if_ipsec_add_sp0(struct sockaddr *src, i
 	if_ipsec_add_mbuf(m, &xpl, sizeof(xpl));
 	if (policy == IPSEC_POLICY_IPSEC) {
 		if_ipsec_add_mbuf(m, &xisr, sizeof(xisr));
-		if_ipsec_add_mbuf_addr_port(m, src, sport);
-		if_ipsec_add_mbuf_addr_port(m, dst, dport);
+		if_ipsec_add_mbuf_addr_port(m, src, sport, false);
+		if_ipsec_add_mbuf_addr_port(m, dst, dport, false);
 	}
 	padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl);
-	if (src != NULL)
-		padlen -= PFKEY_ALIGN8(src->sa_len);
-	if (dst != NULL)
-		padlen -= PFKEY_ALIGN8(dst->sa_len);
+	if (src != NULL && dst != NULL)
+		padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len);
 	if_ipsec_add_pad(m, padlen);
 
 	/* key_kpi_spdadd() has already done KEY_SP_REF(). */
Index: src/sys/netipsec/ipsecif.c
diff -u src/sys/netipsec/ipsecif.c:1.1.2.4 src/sys/netipsec/ipsecif.c:1.1.2.5
--- src/sys/netipsec/ipsecif.c:1.1.2.4	Tue Mar 13 15:29:45 2018
+++ src/sys/netipsec/ipsecif.c	Tue Mar 13 15:34:33 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsecif.c,v 1.1.2.4 2018/03/13 15:29:45 martin Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.1.2.5 2018/03/13 15:34:33 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.4 2018/03/13 15:29:45 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.5 2018/03/13 15:34:33 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
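Review bot: The padlen arithmetic for the policy extension in if_ipsec_add_sp0 does not mirror the size computation in if_ipsec_set_sadb_x_policy: there, size includes `PFKEY_ALIGN8(sizeof(*xisr))` for IPSEC_POLICY_IPSEC, and this hunk does append xisr to the mbuf, yet padlen subtracts only `sizeof(xpl)` and the aligned sockaddr sum, leaving PFKEY_ALIGN8(sizeof(xisr)) bytes of zero padding appended beyond sadb_x_policy_len. If m_pkthdr.len is later set from sadb_msg_len (not visible here) this is only wasted mbuf space, but it is fragile and easy to fix with `if (policy == IPSEC_POLICY_IPSEC) padlen -= PFKEY_ALIGN8(sizeof(xisr));` placed before the sockaddr subtraction. if_ipsec_add_sp0 begins before this hunk.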
@@ -489,7 +489,9 @@ ipsecif6_output(struct ipsec_variant *va
 	ip6->ip6_flow	= 0;
 	ip6->ip6_vfc	&= ~IPV6_VERSION_MASK;
 	ip6->ip6_vfc	|= IPV6_VERSION;
-	ip6->ip6_plen	= htons((u_short)m->m_pkthdr.len);
+#if 0 /* ip6->ip6_plen will be filled by ip6_output */
+	ip6->ip6_plen	= htons((u_short)m->m_pkthdr.len - sizeof(*ip6));
+#endif
 	ip6->ip6_nxt	= proto;
 	ip6->ip6_hlim	= ip6_ipsec_hlim;
 	ip6->ip6_src	= sin6_src->sin6_addr;
Index: src/tests/net/if_ipsec/t_ipsec.sh
diff -u src/tests/net/if_ipsec/t_ipsec.sh:1.3.2.3 src/tests/net/if_ipsec/t_ipsec.sh:1.3.2.4
--- src/tests/net/if_ipsec/t_ipsec.sh:1.3.2.3	Mon Feb 26 00:41:13 2018
+++ src/tests/net/if_ipsec/t_ipsec.sh	Tue Mar 13 15:34:33 2018
@@ -1,4 +1,4 @@
-#	$NetBSD: t_ipsec.sh,v 1.3.2.3 2018/02/26 00:41:13 snj Exp $
+#	$NetBSD: t_ipsec.sh,v 1.3.2.4 2018/03/13 15:34:33 martin Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
@@ -269,7 +269,9 @@ setup_if_ipsec_sa()
 	local algo_args="$(generate_algo_args $proto $algo)"
 
 	inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}`
+	atf_check -s exit:0 test "X$inunique" != "X"
 	outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}`
+	atf_check -s exit:0 test "X$outunique" != "X"
 
 	if [ ${dir} = "1to2" ] ; then
 		if [ ${mode} = "ipv6" ] ; then
@@ -446,7 +448,9 @@ setup_dummy_if_ipsec_sa()
 	local algo_args="$(generate_algo_args $proto $algo)"
 
 	inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}`
+	atf_check -s exit:0 test "X$inunique" != "X"
 	outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}`
+	atf_check -s exit:0 test "X$outunique" != "X"
 
 	if [ ${dir} = "1to2" ] ; then
 		inid="20000"
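Review bot: The `#if 0` block in ipsecif6_output keeps dead code around, including the corrected expression `m->m_pkthdr.len - sizeof(*ip6)`, which invites someone to re-enable it and double-handle a field the commit says ip6_output() fills in; a plain comment carries the same information without the bait. Replace the three lines with `/* ip6_plen is not set here: ip6_output() fills it in. */`. Should the assignment ever come back, note that the `(u_short)` cast silently truncates payload lengths above 65535, one more reason not to keep it as copy-paste material. ipsecif6_output begins before this hunk.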
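Review bot: `atf_check -s exit:0 test "X$inunique" != "X"` in setup_if_ipsec_sa fails with nothing but an exit-status mismatch, so the reader still has to work out that get_if_ipsec_unique returned an empty string — the very confusion the commit sets out to remove. `[ -n "$inunique" ] || atf_fail "get_if_ipsec_unique failed for ${dst} (${mode})"` names the cause directly, and the same applies to outunique here and to the identical pair in setup_dummy_if_ipsec_sa further down. A small shared helper would also avoid pasting the two checks into both functions. setup_if_ipsec_sa begins before this hunk.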