diff options
author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-08-22 14:59:50 +0200 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-09-21 10:29:41 +0200 |
commit | 3489e3b6396ee9944a6a2e19e675ca54c36993b4 (patch) | |
tree | cd55cfac1c96ff4b888a9606fd6a0d8eb65bb446 /freebsd/sys/netipsec | |
parent | ck: Define CK_MD_PPC32_LWSYNC if available (diff) | |
download | rtems-libbsd-3489e3b6396ee9944a6a2e19e675ca54c36993b4.tar.bz2 |
Update to FreeBSD head 2018-09-17
Git mirror commit 6c2192b1ef8c50788c751f878552526800b1e319.
Update #3472.
Diffstat (limited to 'freebsd/sys/netipsec')
-rw-r--r-- | freebsd/sys/netipsec/ipsec.c | 17 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/key.c | 78 | ||||
-rw-r--r-- | freebsd/sys/netipsec/key_debug.c | 87 | ||||
-rw-r--r-- | freebsd/sys/netipsec/keydb.h | 3 | ||||
-rw-r--r-- | freebsd/sys/netipsec/keysock.c | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_ah.c | 83 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_esp.c | 21 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_ipcomp.c | 87 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_tcp.c | 16 |
11 files changed, 244 insertions, 154 deletions
diff --git a/freebsd/sys/netipsec/ipsec.c b/freebsd/sys/netipsec/ipsec.c index 24a6df5b..116557ed 100644 --- a/freebsd/sys/netipsec/ipsec.c +++ b/freebsd/sys/netipsec/ipsec.c @@ -121,11 +121,11 @@ VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ VNET_DEFINE(int, ip4_ipsec_ecn) = 0; -static VNET_DEFINE(int, ip4_filtertunnel) = 0; +VNET_DEFINE_STATIC(int, ip4_filtertunnel) = 0; #define V_ip4_filtertunnel VNET(ip4_filtertunnel) -static VNET_DEFINE(int, check_policy_history) = 0; +VNET_DEFINE_STATIC(int, check_policy_history) = 0; #define V_check_policy_history VNET(check_policy_history) -static VNET_DEFINE(struct secpolicy *, def_policy) = NULL; +VNET_DEFINE_STATIC(struct secpolicy *, def_policy) = NULL; #define V_def_policy VNET(def_policy) static int sysctl_def_policy(SYSCTL_HANDLER_ARGS) @@ -251,7 +251,7 @@ VNET_DEFINE(int, ip6_ah_trans_deflev) = IPSEC_LEVEL_USE; VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE; VNET_DEFINE(int, ip6_ipsec_ecn) = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ -static VNET_DEFINE(int, ip6_filtertunnel) = 0; +VNET_DEFINE_STATIC(int, ip6_filtertunnel) = 0; #define V_ip6_filtertunnel VNET(ip6_filtertunnel) SYSCTL_DECL(_net_inet6_ipsec6); @@ -1324,9 +1324,10 @@ ok: } int -ipsec_updateid(struct secasvar *sav, uint64_t *new, uint64_t *old) +ipsec_updateid(struct secasvar *sav, crypto_session_t *new, + crypto_session_t *old) { - uint64_t tmp; + crypto_session_t tmp; /* * tdb_cryptoid is initialized by xform_init(). @@ -1352,8 +1353,8 @@ ipsec_updateid(struct secasvar *sav, uint64_t *new, uint64_t *old) * XXXAE: check this more carefully. */ KEYDBG(IPSEC_STAMP, - printf("%s: SA(%p) moves cryptoid %jd -> %jd\n", - __func__, sav, (uintmax_t)(*old), (uintmax_t)(*new))); + printf("%s: SA(%p) moves cryptoid %p -> %p\n", + __func__, sav, *old, *new)); KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); SECASVAR_LOCK(sav); if (sav->tdb_cryptoid != *old) { diff --git a/freebsd/sys/netipsec/ipsec.h b/freebsd/sys/netipsec/ipsec.h index 936e7bca..eed2d077 100644 --- a/freebsd/sys/netipsec/ipsec.h +++ b/freebsd/sys/netipsec/ipsec.h @@ -332,7 +332,7 @@ int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *); int ipsec_chkreplay(uint32_t, struct secasvar *); int ipsec_updatereplay(uint32_t, struct secasvar *); -int ipsec_updateid(struct secasvar *, uint64_t *, uint64_t *); +int ipsec_updateid(struct secasvar *, crypto_session_t *, crypto_session_t *); int ipsec_initialized(void); void ipsec_setspidx_inpcb(struct inpcb *, struct secpolicyindex *, u_int); diff --git a/freebsd/sys/netipsec/key.c b/freebsd/sys/netipsec/key.c index fbf12f41..9bd3f234 100644 --- a/freebsd/sys/netipsec/key.c +++ b/freebsd/sys/netipsec/key.c @@ -115,20 +115,20 @@ */ VNET_DEFINE(u_int32_t, key_debug_level) = 0; -static VNET_DEFINE(u_int, key_spi_trycnt) = 1000; -static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100; -static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */ -static VNET_DEFINE(u_int32_t, policy_id) = 0; +VNET_DEFINE_STATIC(u_int, key_spi_trycnt) = 1000; +VNET_DEFINE_STATIC(u_int32_t, key_spi_minval) = 0x100; +VNET_DEFINE_STATIC(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */ +VNET_DEFINE_STATIC(u_int32_t, policy_id) = 0; /*interval to initialize randseed,1(m)*/ -static VNET_DEFINE(u_int, key_int_random) = 60; +VNET_DEFINE_STATIC(u_int, key_int_random) = 60; /* interval to expire acquiring, 30(s)*/ -static VNET_DEFINE(u_int, key_larval_lifetime) = 30; +VNET_DEFINE_STATIC(u_int, key_larval_lifetime) = 30; /* counter for blocking SADB_ACQUIRE.*/ -static VNET_DEFINE(int, key_blockacq_count) = 10; +VNET_DEFINE_STATIC(int, key_blockacq_count) = 10; /* lifetime for blocking SADB_ACQUIRE.*/ -static VNET_DEFINE(int, key_blockacq_lifetime) = 20; +VNET_DEFINE_STATIC(int, key_blockacq_lifetime) = 20; /* preferred old sa rather than new sa.*/ -static VNET_DEFINE(int, key_preferred_oldsa) = 1; +VNET_DEFINE_STATIC(int, key_preferred_oldsa) = 1; #define V_key_spi_trycnt VNET(key_spi_trycnt) #define V_key_spi_minval VNET(key_spi_minval) #define V_key_spi_maxval VNET(key_spi_maxval) @@ -139,17 +139,17 @@ static VNET_DEFINE(int, key_preferred_oldsa) = 1; #define V_key_blockacq_lifetime VNET(key_blockacq_lifetime) #define V_key_preferred_oldsa VNET(key_preferred_oldsa) -static VNET_DEFINE(u_int32_t, acq_seq) = 0; +VNET_DEFINE_STATIC(u_int32_t, acq_seq) = 0; #define V_acq_seq VNET(acq_seq) -static VNET_DEFINE(uint32_t, sp_genid) = 0; +VNET_DEFINE_STATIC(uint32_t, sp_genid) = 0; #define V_sp_genid VNET(sp_genid) /* SPD */ TAILQ_HEAD(secpolicy_queue, secpolicy); LIST_HEAD(secpolicy_list, secpolicy); -static VNET_DEFINE(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]); -static VNET_DEFINE(struct secpolicy_queue, sptree_ifnet[IPSEC_DIR_MAX]); +VNET_DEFINE_STATIC(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]); +VNET_DEFINE_STATIC(struct secpolicy_queue, sptree_ifnet[IPSEC_DIR_MAX]); static struct rmlock sptree_lock; #define V_sptree VNET(sptree) #define V_sptree_ifnet VNET(sptree_ifnet) @@ -165,8 +165,8 @@ static struct rmlock sptree_lock; #define SPTREE_UNLOCK_ASSERT() rm_assert(&sptree_lock, RA_UNLOCKED) /* Hash table for lookup SP using unique id */ -static VNET_DEFINE(struct secpolicy_list *, sphashtbl); -static VNET_DEFINE(u_long, sphash_mask); +VNET_DEFINE_STATIC(struct secpolicy_list *, sphashtbl); +VNET_DEFINE_STATIC(u_long, sphash_mask); #define V_sphashtbl VNET(sphashtbl) #define V_sphash_mask VNET(sphash_mask) @@ -186,19 +186,19 @@ LIST_HEAD(spdcache_entry_list, spdcache_entry); #define SPDCACHE_MAX_ENTRIES_PER_HASH 8 -static VNET_DEFINE(u_int, key_spdcache_maxentries) = 0; +VNET_DEFINE_STATIC(u_int, key_spdcache_maxentries) = 0; #define V_key_spdcache_maxentries VNET(key_spdcache_maxentries) -static VNET_DEFINE(u_int, key_spdcache_threshold) = 32; +VNET_DEFINE_STATIC(u_int, key_spdcache_threshold) = 32; #define V_key_spdcache_threshold VNET(key_spdcache_threshold) -static VNET_DEFINE(unsigned long, spd_size) = 0; +VNET_DEFINE_STATIC(unsigned long, spd_size) = 0; #define V_spd_size VNET(spd_size) #define SPDCACHE_ENABLED() (V_key_spdcache_maxentries != 0) #define SPDCACHE_ACTIVE() \ (SPDCACHE_ENABLED() && V_spd_size >= V_key_spdcache_threshold) -static VNET_DEFINE(struct spdcache_entry_list *, spdcachehashtbl); -static VNET_DEFINE(u_long, spdcachehash_mask); +VNET_DEFINE_STATIC(struct spdcache_entry_list *, spdcachehashtbl); +VNET_DEFINE_STATIC(u_long, spdcachehash_mask); #define V_spdcachehashtbl VNET(spdcachehashtbl) #define V_spdcachehash_mask VNET(spdcachehash_mask) @@ -207,7 +207,7 @@ static VNET_DEFINE(u_long, spdcachehash_mask); V_spdcachehash_mask) /* Each cache line is protected by a mutex */ -static VNET_DEFINE(struct mtx *, spdcache_lock); +VNET_DEFINE_STATIC(struct mtx *, spdcache_lock); #define V_spdcache_lock VNET(spdcache_lock) #define SPDCACHE_LOCK_INIT(a) \ @@ -220,7 +220,7 @@ static VNET_DEFINE(struct mtx *, spdcache_lock); /* SAD */ TAILQ_HEAD(secashead_queue, secashead); LIST_HEAD(secashead_list, secashead); -static VNET_DEFINE(struct secashead_queue, sahtree); +VNET_DEFINE_STATIC(struct secashead_queue, sahtree); static struct rmlock sahtree_lock; #define V_sahtree VNET(sahtree) #define SAHTREE_LOCK_INIT() rm_init(&sahtree_lock, "sahtree") @@ -235,8 +235,8 @@ static struct rmlock sahtree_lock; #define SAHTREE_UNLOCK_ASSERT() rm_assert(&sahtree_lock, RA_UNLOCKED) /* Hash table for lookup in SAD using SA addresses */ -static VNET_DEFINE(struct secashead_list *, sahaddrhashtbl); -static VNET_DEFINE(u_long, sahaddrhash_mask); +VNET_DEFINE_STATIC(struct secashead_list *, sahaddrhashtbl); +VNET_DEFINE_STATIC(u_long, sahaddrhash_mask); #define V_sahaddrhashtbl VNET(sahaddrhashtbl) #define V_sahaddrhash_mask VNET(sahaddrhash_mask) @@ -250,8 +250,8 @@ static VNET_DEFINE(u_long, sahaddrhash_mask); /* Hash table for lookup in SAD using SPI */ LIST_HEAD(secasvar_list, secasvar); -static VNET_DEFINE(struct secasvar_list *, savhashtbl); -static VNET_DEFINE(u_long, savhash_mask); +VNET_DEFINE_STATIC(struct secasvar_list *, savhashtbl); +VNET_DEFINE_STATIC(u_long, savhash_mask); #define V_savhashtbl VNET(savhashtbl) #define V_savhash_mask VNET(savhash_mask) #define SAVHASH_NHASH_LOG2 7 @@ -300,7 +300,7 @@ key_u32hash(uint32_t val) } /* registed list */ -static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]); +VNET_DEFINE_STATIC(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]); #define V_regtree VNET(regtree) static struct mtx regtree_lock; #define REGTREE_LOCK_INIT() \ @@ -312,7 +312,7 @@ static struct mtx regtree_lock; /* Acquiring list */ LIST_HEAD(secacq_list, secacq); -static VNET_DEFINE(struct secacq_list, acqtree); +VNET_DEFINE_STATIC(struct secacq_list, acqtree); #define V_acqtree VNET(acqtree) static struct mtx acq_lock; #define ACQ_LOCK_INIT() \ @@ -323,14 +323,14 @@ static struct mtx acq_lock; #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED) /* Hash table for lookup in ACQ list using SA addresses */ -static VNET_DEFINE(struct secacq_list *, acqaddrhashtbl); -static VNET_DEFINE(u_long, acqaddrhash_mask); +VNET_DEFINE_STATIC(struct secacq_list *, acqaddrhashtbl); +VNET_DEFINE_STATIC(u_long, acqaddrhash_mask); #define V_acqaddrhashtbl VNET(acqaddrhashtbl) #define V_acqaddrhash_mask VNET(acqaddrhash_mask) /* Hash table for lookup in ACQ list using SEQ number */ -static VNET_DEFINE(struct secacq_list *, acqseqhashtbl); -static VNET_DEFINE(u_long, acqseqhash_mask); +VNET_DEFINE_STATIC(struct secacq_list *, acqseqhashtbl); +VNET_DEFINE_STATIC(u_long, acqseqhash_mask); #define V_acqseqhashtbl VNET(acqseqhashtbl) #define V_acqseqhash_mask VNET(acqseqhash_mask) @@ -346,7 +346,7 @@ static VNET_DEFINE(u_long, acqseqhash_mask); #define ACQSEQHASH_HASH(seq) \ &V_acqseqhashtbl[ACQSEQHASH_HASHVAL(seq)] /* SP acquiring list */ -static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree); +VNET_DEFINE_STATIC(LIST_HEAD(_spacqtree, secspacq), spacqtree); #define V_spacqtree VNET(spacqtree) static struct mtx spacq_lock; #define SPACQ_LOCK_INIT() \ @@ -435,9 +435,9 @@ _Static_assert(sizeof(maxsize)/sizeof(int) == SADB_EXT_MAX + 1, "minsize size mi ((_mhp)->extlen[(_ext)] > maxsize[(_ext)]))) #define SADB_CHECKHDR(_mhp, _ext) ((_mhp)->ext[(_ext)] == NULL) -static VNET_DEFINE(int, ipsec_esp_keymin) = 256; -static VNET_DEFINE(int, ipsec_esp_auth) = 0; -static VNET_DEFINE(int, ipsec_ah_keymin) = 128; +VNET_DEFINE_STATIC(int, ipsec_esp_keymin) = 256; +VNET_DEFINE_STATIC(int, ipsec_esp_auth) = 0; +VNET_DEFINE_STATIC(int, ipsec_ah_keymin) = 128; #define V_ipsec_esp_keymin VNET(ipsec_esp_keymin) #define V_ipsec_esp_auth VNET(ipsec_esp_auth) @@ -533,7 +533,7 @@ MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire"); MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire"); MALLOC_DEFINE(M_IPSEC_SPDCACHE, "ipsec-spdcache", "ipsec SPD cache"); -static VNET_DEFINE(uma_zone_t, key_lft_zone); +VNET_DEFINE_STATIC(uma_zone_t, key_lft_zone); #define V_key_lft_zone VNET(key_lft_zone) static LIST_HEAD(xforms_list, xformsw) xforms = LIST_HEAD_INITIALIZER(); @@ -2959,7 +2959,7 @@ key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx, goto done; } mtx_init(sav->lock, "ipsec association", NULL, MTX_DEF); - sav->lft_c = uma_zalloc(V_key_lft_zone, M_NOWAIT); + sav->lft_c = uma_zalloc_pcpu(V_key_lft_zone, M_NOWAIT); if (sav->lft_c == NULL) { *errp = ENOBUFS; goto done; @@ -3051,7 +3051,7 @@ done: free(sav->lock, M_IPSEC_MISC); } if (sav->lft_c != NULL) - uma_zfree(V_key_lft_zone, sav->lft_c); + uma_zfree_pcpu(V_key_lft_zone, sav->lft_c); free(sav, M_IPSEC_SA), sav = NULL; } if (sah != NULL) diff --git a/freebsd/sys/netipsec/key_debug.c b/freebsd/sys/netipsec/key_debug.c index 12cfe34e..07eec79e 100644 --- a/freebsd/sys/netipsec/key_debug.c +++ b/freebsd/sys/netipsec/key_debug.c @@ -87,6 +87,85 @@ static void kdebug_sadb_x_natt(struct sadb_ext *); /* NOTE: host byte order */ +static const char* +kdebug_sadb_type(uint8_t type) +{ +#define SADB_NAME(n) case SADB_ ## n: return (#n) + + switch (type) { + SADB_NAME(RESERVED); + SADB_NAME(GETSPI); + SADB_NAME(UPDATE); + SADB_NAME(ADD); + SADB_NAME(DELETE); + SADB_NAME(GET); + SADB_NAME(ACQUIRE); + SADB_NAME(REGISTER); + SADB_NAME(EXPIRE); + SADB_NAME(FLUSH); + SADB_NAME(DUMP); + SADB_NAME(X_PROMISC); + SADB_NAME(X_PCHANGE); + SADB_NAME(X_SPDUPDATE); + SADB_NAME(X_SPDADD); + SADB_NAME(X_SPDDELETE); + SADB_NAME(X_SPDGET); + SADB_NAME(X_SPDACQUIRE); + SADB_NAME(X_SPDDUMP); + SADB_NAME(X_SPDFLUSH); + SADB_NAME(X_SPDSETIDX); + SADB_NAME(X_SPDEXPIRE); + SADB_NAME(X_SPDDELETE2); + default: + return ("UNKNOWN"); + } +#undef SADB_NAME +} + +static const char* +kdebug_sadb_exttype(uint16_t type) +{ +#define EXT_NAME(n) case SADB_EXT_ ## n: return (#n) +#define X_NAME(n) case SADB_X_EXT_ ## n: return (#n) + + switch (type) { + EXT_NAME(RESERVED); + EXT_NAME(SA); + EXT_NAME(LIFETIME_CURRENT); + EXT_NAME(LIFETIME_HARD); + EXT_NAME(LIFETIME_SOFT); + EXT_NAME(ADDRESS_SRC); + EXT_NAME(ADDRESS_DST); + EXT_NAME(ADDRESS_PROXY); + EXT_NAME(KEY_AUTH); + EXT_NAME(KEY_ENCRYPT); + EXT_NAME(IDENTITY_SRC); + EXT_NAME(IDENTITY_DST); + EXT_NAME(SENSITIVITY); + EXT_NAME(PROPOSAL); + EXT_NAME(SUPPORTED_AUTH); + EXT_NAME(SUPPORTED_ENCRYPT); + EXT_NAME(SPIRANGE); + X_NAME(KMPRIVATE); + X_NAME(POLICY); + X_NAME(SA2); + X_NAME(NAT_T_TYPE); + X_NAME(NAT_T_SPORT); + X_NAME(NAT_T_DPORT); + X_NAME(NAT_T_OAI); + X_NAME(NAT_T_OAR); + X_NAME(NAT_T_FRAG); + X_NAME(SA_REPLAY); + X_NAME(NEW_ADDRESS_SRC); + X_NAME(NEW_ADDRESS_DST); + default: + return ("UNKNOWN"); + }; +#undef EXT_NAME +#undef X_NAME +} + + /* %%%: about struct sadb_msg */ void kdebug_sadb(struct sadb_msg *base) @@ -98,8 +177,9 @@ kdebug_sadb(struct sadb_msg *base) if (base == NULL) panic("%s: NULL pointer was passed.\n", __func__); - printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n", + printf("sadb_msg{ version=%u type=%u(%s) errno=%u satype=%u\n", base->sadb_msg_version, base->sadb_msg_type, + kdebug_sadb_type(base->sadb_msg_type), base->sadb_msg_errno, base->sadb_msg_satype); printf(" len=%u reserved=%u seq=%u pid=%u\n", base->sadb_msg_len, base->sadb_msg_reserved, @@ -109,8 +189,9 @@ kdebug_sadb(struct sadb_msg *base) ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg)); while (tlen > 0) { - printf("sadb_ext{ len=%u type=%u }\n", - ext->sadb_ext_len, ext->sadb_ext_type); + printf("sadb_ext{ len=%u type=%u(%s) }\n", + ext->sadb_ext_len, ext->sadb_ext_type, + kdebug_sadb_exttype(ext->sadb_ext_type)); if (ext->sadb_ext_len == 0) { printf("%s: invalid ext_len=0 was passed.\n", __func__); diff --git a/freebsd/sys/netipsec/keydb.h b/freebsd/sys/netipsec/keydb.h index 19eae767..6993b4e4 100644 --- a/freebsd/sys/netipsec/keydb.h +++ b/freebsd/sys/netipsec/keydb.h @@ -41,6 +41,7 @@ #include <sys/mutex.h> #include <netipsec/key_var.h> +#include <opencrypto/_cryptodev.h> #ifndef _SOCKADDR_UNION_DEFINED #define _SOCKADDR_UNION_DEFINED @@ -162,7 +163,7 @@ struct secasvar { const struct enc_xform *tdb_encalgxform;/* encoding algorithm */ const struct auth_hash *tdb_authalgxform;/* authentication algorithm */ const struct comp_algo *tdb_compalgxform;/* compression algorithm */ - uint64_t tdb_cryptoid; /* crypto session id */ + crypto_session_t tdb_cryptoid; /* crypto session */ uint8_t alg_auth; /* Authentication Algorithm Identifier*/ uint8_t alg_enc; /* Cipher Algorithm Identifier */ diff --git a/freebsd/sys/netipsec/keysock.c b/freebsd/sys/netipsec/keysock.c index 170335bc..9ea1d8f1 100644 --- a/freebsd/sys/netipsec/keysock.c +++ b/freebsd/sys/netipsec/keysock.c @@ -73,7 +73,7 @@ struct key_cb { int key_count; int any_count; }; -static VNET_DEFINE(struct key_cb, key_cb); +VNET_DEFINE_STATIC(struct key_cb, key_cb); #define V_key_cb VNET(key_cb) static struct sockaddr key_src = { 2, PF_KEY, }; diff --git a/freebsd/sys/netipsec/xform.h b/freebsd/sys/netipsec/xform.h index 2720f72a..389d0b66 100644 --- a/freebsd/sys/netipsec/xform.h +++ b/freebsd/sys/netipsec/xform.h @@ -71,7 +71,7 @@ struct xform_history { struct xform_data { struct secpolicy *sp; /* security policy */ struct secasvar *sav; /* related SA */ - uint64_t cryptoid; /* used crypto session id */ + crypto_session_t cryptoid; /* used crypto session */ u_int idx; /* IPsec request index */ int protoff; /* current protocol offset */ int skip; /* data offset */ diff --git a/freebsd/sys/netipsec/xform_ah.c b/freebsd/sys/netipsec/xform_ah.c index 13999f41..84ba6c16 100644 --- a/freebsd/sys/netipsec/xform_ah.c +++ b/freebsd/sys/netipsec/xform_ah.c @@ -149,11 +149,21 @@ ah_hdrsiz(struct secasvar *sav) size_t size; if (sav != NULL) { - int authsize; + int authsize, rplen, align; + IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform")); /*XXX not right for null algorithm--does it matter??*/ + + /* RFC4302: use the correct alignment. */ + align = sizeof(uint32_t); +#ifdef INET6 + if (sav->sah->saidx.dst.sa.sa_family == AF_INET6) { + align = sizeof(uint64_t); + } +#endif + rplen = HDRSIZE(sav); authsize = AUTHSIZE(sav); - size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav); + size = roundup(rplen + authsize, align); } else { /* default guess */ size = sizeof (struct ah) + sizeof (u_int32_t) + 16; @@ -237,16 +247,15 @@ ah_init(struct secasvar *sav, struct xformsw *xsp) int ah_zeroize(struct secasvar *sav) { - int err; if (sav->key_auth) bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); - err = crypto_freesession(sav->tdb_cryptoid); - sav->tdb_cryptoid = 0; + crypto_freesession(sav->tdb_cryptoid); + sav->tdb_cryptoid = NULL; sav->tdb_authalgxform = NULL; sav->tdb_xform = NULL; - return err; + return 0; } /* @@ -536,8 +545,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) struct cryptop *crp; struct xform_data *xd; struct newah *ah; - uint64_t cryptoid; - int hl, rplen, authsize, error; + crypto_session_t cryptoid; + int hl, rplen, authsize, ahsize, error; IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key")); @@ -571,23 +580,24 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) SECASVAR_UNLOCK(sav); /* Verify AH header length. */ - hl = ah->ah_len * sizeof (u_int32_t); + hl = sizeof(struct ah) + (ah->ah_len * sizeof (u_int32_t)); ahx = sav->tdb_authalgxform; authsize = AUTHSIZE(sav); - if (hl != authsize + rplen - sizeof (struct ah)) { + ahsize = ah_hdrsiz(sav); + if (hl != ahsize) { DPRINTF(("%s: bad authenticator length %u (expecting %lu)" " for packet in SA %s/%08lx\n", __func__, hl, - (u_long) (authsize + rplen - sizeof (struct ah)), + (u_long)ahsize, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); AHSTAT_INC(ahs_badauthl); error = EACCES; goto bad; } - if (skip + authsize + rplen > m->m_pkthdr.len) { + if (skip + ahsize > m->m_pkthdr.len) { DPRINTF(("%s: bad mbuf length %u (expecting %lu)" " for packet in SA %s/%08lx\n", __func__, - m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + m->m_pkthdr.len, (u_long)(skip + ahsize), ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); AHSTAT_INC(ahs_badauthl); @@ -660,7 +670,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER; crp->crp_buf = (caddr_t) m; crp->crp_callback = ah_input_cb; - crp->crp_sid = cryptoid; + crp->crp_session = cryptoid; crp->crp_opaque = (caddr_t) xd; /* These are passed as-is to the callback. */ @@ -690,8 +700,8 @@ ah_input_cb(struct cryptop *crp) struct secasvar *sav; struct secasindex *saidx; caddr_t ptr; - uint64_t cryptoid; - int authsize, rplen, error, skip, protoff; + crypto_session_t cryptoid; + int authsize, rplen, ahsize, error, skip, protoff; uint8_t nxt; m = (struct mbuf *) crp->crp_buf; @@ -711,9 +721,9 @@ ah_input_cb(struct cryptop *crp) if (crp->crp_etype) { if (crp->crp_etype == EAGAIN) { /* Reset the session ID */ - if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0) crypto_freesession(cryptoid); - xd->cryptoid = crp->crp_sid; + xd->cryptoid = crp->crp_session; CURVNET_RESTORE(); return (crypto_dispatch(crp)); } @@ -738,6 +748,7 @@ ah_input_cb(struct cryptop *crp) /* Figure out header size. */ rplen = HDRSIZE(sav); authsize = AUTHSIZE(sav); + ahsize = ah_hdrsiz(sav); /* Copy authenticator off the packet. */ m_copydata(m, skip + rplen, authsize, calc); @@ -786,7 +797,7 @@ ah_input_cb(struct cryptop *crp) /* * Remove the AH header and authenticator from the mbuf. */ - error = m_striphdr(m, skip, rplen + authsize); + error = m_striphdr(m, skip, ahsize); if (error) { DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst, buf, sizeof(buf)), @@ -839,9 +850,9 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, struct mbuf *mi; struct cryptop *crp; struct newah *ah; - uint64_t cryptoid; + crypto_session_t cryptoid; uint16_t iplen; - int error, rplen, authsize, maxpacketsize, roff; + int error, rplen, authsize, ahsize, maxpacketsize, roff; uint8_t prot; IPSEC_ASSERT(sav != NULL, ("null SA")); @@ -852,6 +863,8 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, /* Figure out header size. */ rplen = HDRSIZE(sav); + authsize = AUTHSIZE(sav); + ahsize = ah_hdrsiz(sav); /* Check for maximum packet size violations. */ switch (sav->sah->saidx.dst.sa.sa_family) { @@ -875,13 +888,12 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, error = EPFNOSUPPORT; goto bad; } - authsize = AUTHSIZE(sav); - if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) { + if (ahsize + m->m_pkthdr.len > maxpacketsize) { DPRINTF(("%s: packet in SA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi), - rplen + authsize + m->m_pkthdr.len, maxpacketsize)); + ahsize + m->m_pkthdr.len, maxpacketsize)); AHSTAT_INC(ahs_toobig); error = EMSGSIZE; goto bad; @@ -901,11 +913,10 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, } /* Inject AH header. */ - mi = m_makespace(m, skip, rplen + authsize, &roff); + mi = m_makespace(m, skip, ahsize, &roff); if (mi == NULL) { DPRINTF(("%s: failed to inject %u byte AH header for SA " - "%s/%08lx\n", __func__, - rplen + authsize, + "%s/%08lx\n", __func__, ahsize, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */ @@ -921,13 +932,17 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, /* Initialize the AH header. */ m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt); - ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t); + ah->ah_len = (ahsize - sizeof(struct ah)) / sizeof(u_int32_t); ah->ah_reserve = 0; ah->ah_spi = sav->spi; /* Zeroize authenticator. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Zeroize padding */ + m_copyback(m, skip + rplen + authsize, ahsize - (rplen + authsize), + ipseczeroes); + /* Insert packet replay counter, as requested. */ SECASVAR_LOCK(sav); if (sav->replay) { @@ -996,7 +1011,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, bcopy(((caddr_t)(xd + 1)) + offsetof(struct ip, ip_len), (caddr_t) &iplen, sizeof(u_int16_t)); - iplen = htons(ntohs(iplen) + rplen + authsize); + iplen = htons(ntohs(iplen) + ahsize); m_copyback(m, offsetof(struct ip, ip_len), sizeof(u_int16_t), (caddr_t) &iplen); break; @@ -1007,7 +1022,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, bcopy(((caddr_t)(xd + 1)) + offsetof(struct ip6_hdr, ip6_plen), (caddr_t) &iplen, sizeof(uint16_t)); - iplen = htons(ntohs(iplen) + rplen + authsize); + iplen = htons(ntohs(iplen) + ahsize); m_copyback(m, offsetof(struct ip6_hdr, ip6_plen), sizeof(uint16_t), (caddr_t) &iplen); break; @@ -1038,7 +1053,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER; crp->crp_buf = (caddr_t) m; crp->crp_callback = ah_output_cb; - crp->crp_sid = cryptoid; + crp->crp_session = cryptoid; crp->crp_opaque = (caddr_t) xd; /* These are passed as-is to the callback. */ @@ -1068,7 +1083,7 @@ ah_output_cb(struct cryptop *crp) struct secpolicy *sp; struct secasvar *sav; struct mbuf *m; - uint64_t cryptoid; + crypto_session_t cryptoid; caddr_t ptr; u_int idx; int skip, error; @@ -1087,9 +1102,9 @@ ah_output_cb(struct cryptop *crp) if (crp->crp_etype) { if (crp->crp_etype == EAGAIN) { /* Reset the session ID */ - if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0) crypto_freesession(cryptoid); - xd->cryptoid = crp->crp_sid; + xd->cryptoid = crp->crp_session; CURVNET_RESTORE(); return (crypto_dispatch(crp)); } diff --git a/freebsd/sys/netipsec/xform_esp.c b/freebsd/sys/netipsec/xform_esp.c index 49b08ba6..f8473575 100644 --- a/freebsd/sys/netipsec/xform_esp.c +++ b/freebsd/sys/netipsec/xform_esp.c @@ -273,7 +273,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) struct cryptop *crp; struct newesp *esp; uint8_t *ivp; - uint64_t cryptoid; + crypto_session_t cryptoid; int alen, error, hlen, plen; IPSEC_ASSERT(sav != NULL, ("null SA")); @@ -391,7 +391,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER; crp->crp_buf = (caddr_t) m; crp->crp_callback = esp_input_cb; - crp->crp_sid = cryptoid; + crp->crp_session = cryptoid; crp->crp_opaque = (caddr_t) xd; /* These are passed as-is to the callback */ @@ -450,7 +450,7 @@ esp_input_cb(struct cryptop *crp) struct secasvar *sav; struct secasindex *saidx; caddr_t ptr; - uint64_t cryptoid; + crypto_session_t cryptoid; int hlen, skip, protoff, error, alen; crd = crp->crp_desc; @@ -470,9 +470,9 @@ esp_input_cb(struct cryptop *crp) if (crp->crp_etype) { if (crp->crp_etype == EAGAIN) { /* Reset the session ID */ - if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0) crypto_freesession(cryptoid); - xd->cryptoid = crp->crp_sid; + xd->cryptoid = crp->crp_session; CURVNET_RESTORE(); return (crypto_dispatch(crp)); } @@ -639,7 +639,8 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, struct secasindex *saidx; unsigned char *pad; uint8_t *ivp; - uint64_t cntr, cryptoid; + uint64_t cntr; + crypto_session_t cryptoid; int hlen, rlen, padding, blks, alen, i, roff; int error, maxpacketsize; uint8_t prot; @@ -854,7 +855,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, crp->crp_buf = (caddr_t) m; crp->crp_callback = esp_output_cb; crp->crp_opaque = (caddr_t) xd; - crp->crp_sid = cryptoid; + crp->crp_session = cryptoid; if (esph) { /* Authentication descriptor. */ @@ -885,7 +886,7 @@ esp_output_cb(struct cryptop *crp) struct secpolicy *sp; struct secasvar *sav; struct mbuf *m; - uint64_t cryptoid; + crypto_session_t cryptoid; u_int idx; int error; @@ -901,9 +902,9 @@ esp_output_cb(struct cryptop *crp) if (crp->crp_etype) { if (crp->crp_etype == EAGAIN) { /* Reset the session ID */ - if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0) crypto_freesession(cryptoid); - xd->cryptoid = crp->crp_sid; + xd->cryptoid = crp->crp_session; CURVNET_RESTORE(); return (crypto_dispatch(crp)); } diff --git a/freebsd/sys/netipsec/xform_ipcomp.c b/freebsd/sys/netipsec/xform_ipcomp.c index b3fdee49..86addc87 100644 --- a/freebsd/sys/netipsec/xform_ipcomp.c +++ b/freebsd/sys/netipsec/xform_ipcomp.c @@ -120,7 +120,7 @@ ipcomp_encapcheck(union sockaddr_union *src, union sockaddr_union *dst) } static int -ipcomp_nonexp_input(struct mbuf **mp, int *offp, int proto) +ipcomp_nonexp_input(struct mbuf *m, int off, int proto, void *arg __unused) { int isr; @@ -137,13 +137,13 @@ ipcomp_nonexp_input(struct mbuf **mp, int *offp, int proto) #endif default: IPCOMPSTAT_INC(ipcomps_nopf); - m_freem(*mp); + m_freem(m); return (IPPROTO_DONE); } - m_adj(*mp, *offp); - IPCOMPSTAT_ADD(ipcomps_ibytes, (*mp)->m_pkthdr.len); + m_adj(m, off); + IPCOMPSTAT_ADD(ipcomps_ibytes, m->m_pkthdr.len); IPCOMPSTAT_INC(ipcomps_input); - netisr_dispatch(isr, *mp); + netisr_dispatch(isr, m); return (IPPROTO_DONE); } @@ -180,11 +180,10 @@ ipcomp_init(struct secasvar *sav, struct xformsw *xsp) static int ipcomp_zeroize(struct secasvar *sav) { - int err; - err = crypto_freesession(sav->tdb_cryptoid); - sav->tdb_cryptoid = 0; - return err; + crypto_freesession(sav->tdb_cryptoid); + sav->tdb_cryptoid = NULL; + return 0; } /* @@ -260,7 +259,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) xd->vnet = curvnet; SECASVAR_LOCK(sav); - crp->crp_sid = xd->cryptoid = sav->tdb_cryptoid; + crp->crp_session = xd->cryptoid = sav->tdb_cryptoid; SECASVAR_UNLOCK(sav); return crypto_dispatch(crp); @@ -282,7 +281,7 @@ ipcomp_input_cb(struct cryptop *crp) struct secasvar *sav; struct secasindex *saidx; caddr_t addr; - uint64_t cryptoid; + crypto_session_t cryptoid; int hlen = IPCOMP_HLENGTH, error, clen; int skip, protoff; uint8_t nproto; @@ -303,9 +302,9 @@ ipcomp_input_cb(struct cryptop *crp) if (crp->crp_etype) { if (crp->crp_etype == EAGAIN) { /* Reset the session ID */ - if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0) crypto_freesession(cryptoid); - xd->cryptoid = crp->crp_sid; + xd->cryptoid = crp->crp_session; CURVNET_RESTORE(); return (crypto_dispatch(crp)); } @@ -510,7 +509,7 @@ ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, crp->crp_opaque = (caddr_t) xd; SECASVAR_LOCK(sav); - crp->crp_sid = xd->cryptoid = sav->tdb_cryptoid; + crp->crp_session = xd->cryptoid = sav->tdb_cryptoid; SECASVAR_UNLOCK(sav); return crypto_dispatch(crp); @@ -533,7 +532,7 @@ ipcomp_output_cb(struct cryptop *crp) struct secpolicy *sp; struct secasvar *sav; struct mbuf *m; - uint64_t cryptoid; + crypto_session_t cryptoid; u_int idx; int error, skip, protoff; @@ -551,9 +550,9 @@ ipcomp_output_cb(struct cryptop *crp) if (crp->crp_etype) { if (crp->crp_etype == EAGAIN) { /* Reset the session ID */ - if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0) crypto_freesession(cryptoid); - xd->cryptoid = crp->crp_sid; + xd->cryptoid = crp->crp_session; CURVNET_RESTORE(); return (crypto_dispatch(crp)); } @@ -664,19 +663,6 @@ bad: } #ifdef INET -static const struct encaptab *ipe4_cookie = NULL; -extern struct domain inetdomain; -static struct protosw ipcomp4_protosw = { - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = 0 /* IPPROTO_IPV[46] */, - .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR, - .pr_input = ipcomp_nonexp_input, - .pr_output = rip_output, - .pr_ctloutput = rip_ctloutput, - .pr_usrreqs = &rip_usrreqs -}; - static int ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto, void *arg __unused) @@ -697,21 +683,17 @@ ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto, dst.sin.sin_addr = ip->ip_dst; return (ipcomp_encapcheck(&src, &dst)); } + +static const struct encaptab *ipe4_cookie = NULL; +static const struct encap_config ipv4_encap_cfg = { + .proto = -1, + .min_length = sizeof(struct ip), + .exact_match = sizeof(in_addr_t) << 4, + .check = ipcomp4_nonexp_encapcheck, + .input = ipcomp_nonexp_input +}; #endif #ifdef INET6 -static const struct encaptab *ipe6_cookie = NULL; -extern struct domain inet6domain; -static struct protosw ipcomp6_protosw = { - .pr_type = SOCK_RAW, - .pr_domain = &inet6domain, - .pr_protocol = 0 /* IPPROTO_IPV[46] */, - .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR, - .pr_input = ipcomp_nonexp_input, - .pr_output = rip6_output, - .pr_ctloutput = rip6_ctloutput, - .pr_usrreqs = &rip6_usrreqs -}; - static int ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto, void *arg __unused) @@ -744,6 +726,15 @@ ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto, } return (ipcomp_encapcheck(&src, &dst)); } + +static const struct encaptab *ipe6_cookie = NULL; +static const struct encap_config ipv6_encap_cfg = { + .proto = -1, + .min_length = sizeof(struct ip6_hdr), + .exact_match = sizeof(struct in6_addr) << 4, + .check = ipcomp6_nonexp_encapcheck, + .input = ipcomp_nonexp_input +}; #endif static struct xformsw ipcomp_xformsw = { @@ -760,12 +751,10 @@ ipcomp_attach(void) { #ifdef INET - ipe4_cookie = encap_attach_func(AF_INET, -1, - ipcomp4_nonexp_encapcheck, &ipcomp4_protosw, NULL); + ipe4_cookie = ip_encap_attach(&ipv4_encap_cfg, NULL, M_WAITOK); #endif #ifdef INET6 - ipe6_cookie = encap_attach_func(AF_INET6, -1, - ipcomp6_nonexp_encapcheck, &ipcomp6_protosw, NULL); + ipe6_cookie = ip6_encap_attach(&ipv6_encap_cfg, NULL, M_WAITOK); #endif xform_attach(&ipcomp_xformsw); } @@ -775,10 +764,10 @@ ipcomp_detach(void) { #ifdef INET - encap_detach(ipe4_cookie); + ip_encap_detach(ipe4_cookie); #endif #ifdef INET6 - encap_detach(ipe6_cookie); + ip6_encap_detach(ipe6_cookie); #endif xform_detach(&ipcomp_xformsw); } diff --git a/freebsd/sys/netipsec/xform_tcp.c b/freebsd/sys/netipsec/xform_tcp.c index 9310cf2c..f9cd3964 100644 --- a/freebsd/sys/netipsec/xform_tcp.c +++ b/freebsd/sys/netipsec/xform_tcp.c @@ -82,23 +82,24 @@ tcp_ipsec_pcbctl(struct inpcb *inp, struct sockopt *sopt) struct tcpcb *tp; int error, optval; - INP_WLOCK_ASSERT(inp); if (sopt->sopt_name != TCP_MD5SIG) { - INP_WUNLOCK(inp); return (ENOPROTOOPT); } - tp = intotcpcb(inp); if (sopt->sopt_dir == SOPT_GET) { + INP_RLOCK(inp); + if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { + INP_RUNLOCK(inp); + return (ECONNRESET); + } + tp = intotcpcb(inp); optval = (tp->t_flags & TF_SIGNATURE) ? 1 : 0; - INP_WUNLOCK(inp); + INP_RUNLOCK(inp); /* On success return with released INP_WLOCK */ return (sooptcopyout(sopt, &optval, sizeof(optval))); } - INP_WUNLOCK(inp); - error = sooptcopyin(sopt, &optval, sizeof(optval), sizeof(optval)); if (error != 0) return (error); @@ -109,12 +110,13 @@ tcp_ipsec_pcbctl(struct inpcb *inp, struct sockopt *sopt) INP_WUNLOCK(inp); return (ECONNRESET); } + tp = intotcpcb(inp); if (optval > 0) tp->t_flags |= TF_SIGNATURE; else tp->t_flags &= ~TF_SIGNATURE; - /* On success return with acquired INP_WLOCK */ + INP_WUNLOCK(inp); return (error); } |