diff options
author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-08-21 09:39:55 +0200 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-09-21 10:29:40 +0200 |
commit | 2df56dbd60bb5d925d2ce0ddbdefdbe6107ea783 (patch) | |
tree | bd7bad558534db4a1f400bc38a2c9aa7ea4f411e /freebsd/sys/netipsec | |
parent | Update to FreeBSD head 2018-02-01 (diff) | |
download | rtems-libbsd-2df56dbd60bb5d925d2ce0ddbdefdbe6107ea783.tar.bz2 |
Update to FreeBSD head 2018-04-01
Git mirror commit 8dfb1ccc26d1cea7e2529303003ff61f9f1784c4.
Update #3472.
Diffstat (limited to 'freebsd/sys/netipsec')
-rw-r--r-- | freebsd/sys/netipsec/ipsec.c | 5 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec.h | 4 | ||||
-rw-r--r-- | freebsd/sys/netipsec/keysock.c | 158 | ||||
-rw-r--r-- | freebsd/sys/netipsec/keysock.h | 8 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform.h | 1 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_ah.c | 25 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_esp.c | 10 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_ipcomp.c | 10 |
8 files changed, 77 insertions, 144 deletions
diff --git a/freebsd/sys/netipsec/ipsec.c b/freebsd/sys/netipsec/ipsec.c index 4d75b51b..24a6df5b 100644 --- a/freebsd/sys/netipsec/ipsec.c +++ b/freebsd/sys/netipsec/ipsec.c @@ -112,7 +112,6 @@ VNET_PCPUSTAT_SYSINIT(ipsec4stat); VNET_PCPUSTAT_SYSUNINIT(ipsec4stat); #endif /* VIMAGE */ -VNET_DEFINE(int, ip4_ah_offsetmask) = 0; /* maybe IP_DF? */ /* DF bit on encap. 0: clear 1: set 2: copy */ VNET_DEFINE(int, ip4_ipsec_dfbit) = 0; VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE; @@ -121,7 +120,6 @@ VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE; VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ VNET_DEFINE(int, ip4_ipsec_ecn) = 0; -VNET_DEFINE(int, ip4_esp_randpad) = -1; static VNET_DEFINE(int, ip4_filtertunnel) = 0; #define V_ip4_filtertunnel VNET(ip4_filtertunnel) @@ -196,9 +194,6 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "If set, clear type-of-service field when doing AH computation."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask, - CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0, - "If not set, clear offset field mask when doing AH computation."); SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0, "Do not fragment bit on encap."); diff --git a/freebsd/sys/netipsec/ipsec.h b/freebsd/sys/netipsec/ipsec.h index a1e27bbf..ac9361a8 100644 --- a/freebsd/sys/netipsec/ipsec.h +++ b/freebsd/sys/netipsec/ipsec.h @@ -280,10 +280,8 @@ VNET_DECLARE(int, ip4_esp_trans_deflev); VNET_DECLARE(int, ip4_esp_net_deflev); VNET_DECLARE(int, ip4_ah_trans_deflev); VNET_DECLARE(int, ip4_ah_net_deflev); -VNET_DECLARE(int, ip4_ah_offsetmask); VNET_DECLARE(int, ip4_ipsec_dfbit); VNET_DECLARE(int, ip4_ipsec_ecn); -VNET_DECLARE(int, ip4_esp_randpad); VNET_DECLARE(int, crypto_support); VNET_DECLARE(int, async_crypto); VNET_DECLARE(int, natt_cksum_policy); @@ -294,10 +292,8 @@ VNET_DECLARE(int, natt_cksum_policy); #define V_ip4_esp_net_deflev VNET(ip4_esp_net_deflev) #define V_ip4_ah_trans_deflev VNET(ip4_ah_trans_deflev) #define V_ip4_ah_net_deflev VNET(ip4_ah_net_deflev) -#define V_ip4_ah_offsetmask VNET(ip4_ah_offsetmask) #define V_ip4_ipsec_dfbit VNET(ip4_ipsec_dfbit) #define V_ip4_ipsec_ecn VNET(ip4_ipsec_ecn) -#define V_ip4_esp_randpad VNET(ip4_esp_randpad) #define V_crypto_support VNET(crypto_support) #define V_async_crypto VNET(async_crypto) #define V_natt_cksum_policy VNET(natt_cksum_policy) diff --git a/freebsd/sys/netipsec/keysock.c b/freebsd/sys/netipsec/keysock.c index 7ecd50b8..170335bc 100644 --- a/freebsd/sys/netipsec/keysock.c +++ b/freebsd/sys/netipsec/keysock.c @@ -174,104 +174,20 @@ key_sendup0(struct rawcb *rp, struct mbuf *m, int promisc) return error; } -/* XXX this interface should be obsoleted. */ -int -key_sendup(struct socket *so, struct sadb_msg *msg, u_int len, int target) -{ - struct mbuf *m, *n, *mprev; - int tlen; - - /* sanity check */ - if (so == NULL || msg == NULL) - panic("%s: NULL pointer was passed.\n", __func__); - - KEYDBG(KEY_DUMP, - printf("%s: \n", __func__); - kdebug_sadb(msg)); - - /* - * we increment statistics here, just in case we have ENOBUFS - * in this function. - */ - PFKEYSTAT_INC(in_total); - PFKEYSTAT_ADD(in_bytes, len); - PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]); - - /* - * Get mbuf chain whenever possible (not clusters), - * to save socket buffer. We'll be generating many SADB_ACQUIRE - * messages to listening key sockets. If we simply allocate clusters, - * sbappendaddr() will raise ENOBUFS due to too little sbspace(). - * sbspace() computes # of actual data bytes AND mbuf region. - * - * TODO: SADB_ACQUIRE filters should be implemented. - */ - tlen = len; - m = mprev = NULL; - while (tlen > 0) { - if (tlen == len) { - MGETHDR(n, M_NOWAIT, MT_DATA); - if (n == NULL) { - PFKEYSTAT_INC(in_nomem); - return ENOBUFS; - } - n->m_len = MHLEN; - } else { - MGET(n, M_NOWAIT, MT_DATA); - if (n == NULL) { - PFKEYSTAT_INC(in_nomem); - return ENOBUFS; - } - n->m_len = MLEN; - } - if (tlen >= MCLBYTES) { /*XXX better threshold? */ - if (!(MCLGET(n, M_NOWAIT))) { - m_free(n); - m_freem(m); - PFKEYSTAT_INC(in_nomem); - return ENOBUFS; - } - n->m_len = MCLBYTES; - } - - if (tlen < n->m_len) - n->m_len = tlen; - n->m_next = NULL; - if (m == NULL) - m = mprev = n; - else { - mprev->m_next = n; - mprev = n; - } - tlen -= n->m_len; - n = NULL; - } - m->m_pkthdr.len = len; - m->m_pkthdr.rcvif = NULL; - m_copyback(m, 0, len, (caddr_t)msg); - - /* avoid duplicated statistics */ - PFKEYSTAT_ADD(in_total, -1); - PFKEYSTAT_ADD(in_bytes, -len); - PFKEYSTAT_ADD(in_msgtype[msg->sadb_msg_type], -1); - - return key_sendup_mbuf(so, m, target); -} - /* so can be NULL if target != KEY_SENDUP_ONE */ int key_sendup_mbuf(struct socket *so, struct mbuf *m, int target) { struct mbuf *n; struct keycb *kp; - int sendup; struct rawcb *rp; int error = 0; - if (m == NULL) - panic("key_sendup_mbuf: NULL pointer was passed.\n"); - if (so == NULL && target == KEY_SENDUP_ONE) - panic("%s: NULL pointer was passed.\n", __func__); + KASSERT(m != NULL, ("NULL mbuf pointer was passed.")); + KASSERT(so != NULL || target != KEY_SENDUP_ONE, + ("NULL socket pointer was passed.")); + KASSERT(target == KEY_SENDUP_ONE || target == KEY_SENDUP_ALL || + target == KEY_SENDUP_REGISTERED, ("Wrong target %d", target)); PFKEYSTAT_INC(in_total); PFKEYSTAT_ADD(in_bytes, m->m_pkthdr.len); @@ -288,6 +204,11 @@ key_sendup_mbuf(struct socket *so, struct mbuf *m, int target) PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]); } mtx_lock(&rawcb_mtx); + if (V_key_cb.any_count == 0) { + mtx_unlock(&rawcb_mtx); + m_freem(m); + return (0); + } LIST_FOREACH(rp, &V_rawcb_list, list) { if (rp->rcb_proto.sp_family != PF_KEY) @@ -297,69 +218,50 @@ key_sendup_mbuf(struct socket *so, struct mbuf *m, int target) continue; } - kp = (struct keycb *)rp; - /* * If you are in promiscuous mode, and when you get broadcasted * reply, you'll get two PF_KEY messages. * (based on pf_key@inner.net message on 14 Oct 1998) */ - if (((struct keycb *)rp)->kp_promisc) { - if ((n = m_copym(m, 0, M_COPYALL, M_NOWAIT)) != NULL) { - (void)key_sendup0(rp, n, 1); - n = NULL; - } + kp = (struct keycb *)rp; + if (kp->kp_promisc) { + n = m_copym(m, 0, M_COPYALL, M_NOWAIT); + if (n != NULL) + key_sendup0(rp, n, 1); + else + PFKEYSTAT_INC(in_nomem); } /* the exact target will be processed later */ if (so && sotorawcb(so) == rp) continue; - sendup = 0; - switch (target) { - case KEY_SENDUP_ONE: - /* the statement has no effect */ - if (so && sotorawcb(so) == rp) - sendup++; - break; - case KEY_SENDUP_ALL: - sendup++; - break; - case KEY_SENDUP_REGISTERED: - if (kp->kp_registered) - sendup++; - break; - } - PFKEYSTAT_INC(in_msgtarget[target]); - - if (!sendup) + if (target == KEY_SENDUP_ONE || ( + target == KEY_SENDUP_REGISTERED && kp->kp_registered == 0)) continue; - if ((n = m_copym(m, 0, M_COPYALL, M_NOWAIT)) == NULL) { - m_freem(m); + /* KEY_SENDUP_ALL + KEY_SENDUP_REGISTERED */ + n = m_copym(m, 0, M_COPYALL, M_NOWAIT); + if (n == NULL) { PFKEYSTAT_INC(in_nomem); - mtx_unlock(&rawcb_mtx); - return ENOBUFS; - } - - if ((error = key_sendup0(rp, n, 0)) != 0) { - m_freem(m); - mtx_unlock(&rawcb_mtx); - return error; + /* Try send to another socket */ + continue; } - n = NULL; + if (key_sendup0(rp, n, 0) == 0) + PFKEYSTAT_INC(in_msgtarget[target]); } - if (so) { + if (so) { /* KEY_SENDUP_ONE */ error = key_sendup0(sotorawcb(so), m, 0); - m = NULL; + if (error == 0) + PFKEYSTAT_INC(in_msgtarget[KEY_SENDUP_ONE]); } else { error = 0; m_freem(m); } mtx_unlock(&rawcb_mtx); - return error; + return (error); } /* diff --git a/freebsd/sys/netipsec/keysock.h b/freebsd/sys/netipsec/keysock.h index 30b68da6..484c6536 100644 --- a/freebsd/sys/netipsec/keysock.h +++ b/freebsd/sys/netipsec/keysock.h @@ -78,12 +78,8 @@ VNET_PCPUSTAT_DECLARE(struct pfkeystat, pfkeystat); VNET_PCPUSTAT_ADD(struct pfkeystat, pfkeystat, name, (val)) #define PFKEYSTAT_INC(name) PFKEYSTAT_ADD(name, 1) -extern int key_output(struct mbuf *m, struct socket *so, ...); -extern int key_usrreq(struct socket *, int, struct mbuf *, - struct mbuf *, struct mbuf *); - -extern int key_sendup(struct socket *, struct sadb_msg *, u_int, int); -extern int key_sendup_mbuf(struct socket *, struct mbuf *, int); +int key_output(struct mbuf *m, struct socket *so, ...); +int key_sendup_mbuf(struct socket *, struct mbuf *, int); #endif /* _KERNEL */ #endif /*_NETIPSEC_KEYSOCK_H_*/ diff --git a/freebsd/sys/netipsec/xform.h b/freebsd/sys/netipsec/xform.h index 8e6f8bdb..2720f72a 100644 --- a/freebsd/sys/netipsec/xform.h +++ b/freebsd/sys/netipsec/xform.h @@ -76,6 +76,7 @@ struct xform_data { int protoff; /* current protocol offset */ int skip; /* data offset */ uint8_t nxt; /* next protocol, e.g. IPV4 */ + struct vnet *vnet; }; #define XF_IP4 1 /* unused */ diff --git a/freebsd/sys/netipsec/xform_ah.c b/freebsd/sys/netipsec/xform_ah.c index 9125ba40..13999f41 100644 --- a/freebsd/sys/netipsec/xform_ah.c +++ b/freebsd/sys/netipsec/xform_ah.c @@ -584,6 +584,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) error = EACCES; goto bad; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -628,6 +638,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -652,10 +665,11 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) /* These are passed as-is to the callback. */ xd->sav = sav; - xd->nxt = ah->ah_nxt; + xd->nxt = hl; xd->protoff = protoff; xd->skip = skip; xd->cryptoid = cryptoid; + xd->vnet = curvnet; return (crypto_dispatch(crp)); bad: m_freem(m); @@ -682,6 +696,7 @@ ah_input_cb(struct cryptop *crp) m = (struct mbuf *) crp->crp_buf; xd = (struct xform_data *) crp->crp_opaque; + CURVNET_SET(xd->vnet); sav = xd->sav; skip = xd->skip; nxt = xd->nxt; @@ -699,6 +714,7 @@ ah_input_cb(struct cryptop *crp) if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) crypto_freesession(cryptoid); xd->cryptoid = crp->crp_sid; + CURVNET_RESTORE(); return (crypto_dispatch(crp)); } AHSTAT_INC(ahs_noxform); @@ -794,8 +810,10 @@ ah_input_cb(struct cryptop *crp) panic("%s: Unexpected address family: %d saidx=%p", __func__, saidx->dst.sa.sa_family, saidx); } + CURVNET_RESTORE(); return error; bad: + CURVNET_RESTORE(); if (sav) key_freesav(&sav); if (m != NULL) @@ -1029,6 +1047,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, xd->skip = skip; xd->idx = idx; xd->cryptoid = cryptoid; + xd->vnet = curvnet; return crypto_dispatch(crp); bad: @@ -1056,6 +1075,7 @@ ah_output_cb(struct cryptop *crp) m = (struct mbuf *) crp->crp_buf; xd = (struct xform_data *) crp->crp_opaque; + CURVNET_SET(xd->vnet); sp = xd->sp; sav = xd->sav; skip = xd->skip; @@ -1070,6 +1090,7 @@ ah_output_cb(struct cryptop *crp) if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) crypto_freesession(cryptoid); xd->cryptoid = crp->crp_sid; + CURVNET_RESTORE(); return (crypto_dispatch(crp)); } AHSTAT_INC(ahs_noxform); @@ -1111,8 +1132,10 @@ ah_output_cb(struct cryptop *crp) /* NB: m is reclaimed by ipsec_process_done. */ error = ipsec_process_done(m, sp, sav, idx); + CURVNET_RESTORE(); return (error); bad: + CURVNET_RESTORE(); free(xd, M_XDATA); crypto_freereq(crp); key_freesav(&sav); diff --git a/freebsd/sys/netipsec/xform_esp.c b/freebsd/sys/netipsec/xform_esp.c index f26b8ae7..49b08ba6 100644 --- a/freebsd/sys/netipsec/xform_esp.c +++ b/freebsd/sys/netipsec/xform_esp.c @@ -399,6 +399,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) xd->protoff = protoff; xd->skip = skip; xd->cryptoid = cryptoid; + xd->vnet = curvnet; /* Decryption descriptor */ IPSEC_ASSERT(crde != NULL, ("null esp crypto descriptor")); @@ -457,6 +458,7 @@ esp_input_cb(struct cryptop *crp) m = (struct mbuf *) crp->crp_buf; xd = (struct xform_data *) crp->crp_opaque; + CURVNET_SET(xd->vnet); sav = xd->sav; skip = xd->skip; protoff = xd->protoff; @@ -471,6 +473,7 @@ esp_input_cb(struct cryptop *crp) if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) crypto_freesession(cryptoid); xd->cryptoid = crp->crp_sid; + CURVNET_RESTORE(); return (crypto_dispatch(crp)); } ESPSTAT_INC(esps_noxform); @@ -605,8 +608,10 @@ esp_input_cb(struct cryptop *crp) panic("%s: Unexpected address family: %d saidx=%p", __func__, saidx->dst.sa.sa_family, saidx); } + CURVNET_RESTORE(); return error; bad: + CURVNET_RESTORE(); if (sav != NULL) key_freesav(&sav); if (m != NULL) @@ -839,6 +844,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, xd->sav = sav; xd->idx = idx; xd->cryptoid = cryptoid; + xd->vnet = curvnet; /* Crypto operation descriptor. */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ @@ -884,6 +890,7 @@ esp_output_cb(struct cryptop *crp) int error; xd = (struct xform_data *) crp->crp_opaque; + CURVNET_SET(xd->vnet); m = (struct mbuf *) crp->crp_buf; sp = xd->sp; sav = xd->sav; @@ -897,6 +904,7 @@ esp_output_cb(struct cryptop *crp) if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) crypto_freesession(cryptoid); xd->cryptoid = crp->crp_sid; + CURVNET_RESTORE(); return (crypto_dispatch(crp)); } ESPSTAT_INC(esps_noxform); @@ -942,8 +950,10 @@ esp_output_cb(struct cryptop *crp) /* NB: m is reclaimed by ipsec_process_done. */ error = ipsec_process_done(m, sp, sav, idx); + CURVNET_RESTORE(); return (error); bad: + CURVNET_RESTORE(); free(xd, M_XDATA); crypto_freereq(crp); key_freesav(&sav); diff --git a/freebsd/sys/netipsec/xform_ipcomp.c b/freebsd/sys/netipsec/xform_ipcomp.c index 956383d5..b3fdee49 100644 --- a/freebsd/sys/netipsec/xform_ipcomp.c +++ b/freebsd/sys/netipsec/xform_ipcomp.c @@ -257,6 +257,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) xd->sav = sav; xd->protoff = protoff; xd->skip = skip; + xd->vnet = curvnet; SECASVAR_LOCK(sav); crp->crp_sid = xd->cryptoid = sav->tdb_cryptoid; @@ -288,6 +289,7 @@ ipcomp_input_cb(struct cryptop *crp) m = (struct mbuf *) crp->crp_buf; xd = (struct xform_data *) crp->crp_opaque; + CURVNET_SET(xd->vnet); sav = xd->sav; skip = xd->skip; protoff = xd->protoff; @@ -304,6 +306,7 @@ ipcomp_input_cb(struct cryptop *crp) if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) crypto_freesession(cryptoid); xd->cryptoid = crp->crp_sid; + CURVNET_RESTORE(); return (crypto_dispatch(crp)); } IPCOMPSTAT_INC(ipcomps_noxform); @@ -368,8 +371,10 @@ ipcomp_input_cb(struct cryptop *crp) panic("%s: Unexpected address family: %d saidx=%p", __func__, saidx->dst.sa.sa_family, saidx); } + CURVNET_RESTORE(); return error; bad: + CURVNET_RESTORE(); if (sav != NULL) key_freesav(&sav); if (m != NULL) @@ -495,6 +500,7 @@ ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, xd->idx = idx; xd->skip = skip; xd->protoff = protoff; + xd->vnet = curvnet; /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ @@ -533,6 +539,7 @@ ipcomp_output_cb(struct cryptop *crp) m = (struct mbuf *) crp->crp_buf; xd = (struct xform_data *) crp->crp_opaque; + CURVNET_SET(xd->vnet); idx = xd->idx; sp = xd->sp; sav = xd->sav; @@ -547,6 +554,7 @@ ipcomp_output_cb(struct cryptop *crp) if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) crypto_freesession(cryptoid); xd->cryptoid = crp->crp_sid; + CURVNET_RESTORE(); return (crypto_dispatch(crp)); } IPCOMPSTAT_INC(ipcomps_noxform); @@ -642,10 +650,12 @@ ipcomp_output_cb(struct cryptop *crp) /* NB: m is reclaimed by ipsec_process_done. */ error = ipsec_process_done(m, sp, sav, idx); + CURVNET_RESTORE(); return (error); bad: if (m) m_freem(m); + CURVNET_RESTORE(); free(xd, M_XDATA); crypto_freereq(crp); key_freesav(&sav); |