authorSebastian Huber <sebastian.huber@embedded-brains.de>2018-08-22 14:59:50 +0200
committerSebastian Huber <sebastian.huber@embedded-brains.de>2018-09-21 10:29:41 +0200
commit3489e3b6396ee9944a6a2e19e675ca54c36993b4 (patch)
treecd55cfac1c96ff4b888a9606fd6a0d8eb65bb446 /freebsd/sys/netipsec
parentck: Define CK_MD_PPC32_LWSYNC if available (diff)
downloadrtems-libbsd-3489e3b6396ee9944a6a2e19e675ca54c36993b4.tar.bz2
Update to FreeBSD head 2018-09-17
Git mirror commit 6c2192b1ef8c50788c751f878552526800b1e319. Update #3472.
Diffstat (limited to 'freebsd/sys/netipsec')
-rw-r--r--freebsd/sys/netipsec/ipsec.c17
-rw-r--r--freebsd/sys/netipsec/ipsec.h2
-rw-r--r--freebsd/sys/netipsec/key.c78
-rw-r--r--freebsd/sys/netipsec/key_debug.c87
-rw-r--r--freebsd/sys/netipsec/keydb.h3
-rw-r--r--freebsd/sys/netipsec/keysock.c2
-rw-r--r--freebsd/sys/netipsec/xform.h2
-rw-r--r--freebsd/sys/netipsec/xform_ah.c83
-rw-r--r--freebsd/sys/netipsec/xform_esp.c21
-rw-r--r--freebsd/sys/netipsec/xform_ipcomp.c87
-rw-r--r--freebsd/sys/netipsec/xform_tcp.c16
11 files changed, 244 insertions, 154 deletions
diff --git a/freebsd/sys/netipsec/ipsec.c b/freebsd/sys/netipsec/ipsec.c
index 24a6df5b..116557ed 100644
--- a/freebsd/sys/netipsec/ipsec.c
+++ b/freebsd/sys/netipsec/ipsec.c
@@ -121,11 +121,11 @@ VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE;
/* ECN ignore(-1)/forbidden(0)/allowed(1) */
VNET_DEFINE(int, ip4_ipsec_ecn) = 0;
-static VNET_DEFINE(int, ip4_filtertunnel) = 0;
+VNET_DEFINE_STATIC(int, ip4_filtertunnel) = 0;
#define V_ip4_filtertunnel VNET(ip4_filtertunnel)
-static VNET_DEFINE(int, check_policy_history) = 0;
+VNET_DEFINE_STATIC(int, check_policy_history) = 0;
#define V_check_policy_history VNET(check_policy_history)
-static VNET_DEFINE(struct secpolicy *, def_policy) = NULL;
+VNET_DEFINE_STATIC(struct secpolicy *, def_policy) = NULL;
#define V_def_policy VNET(def_policy)
static int
sysctl_def_policy(SYSCTL_HANDLER_ARGS)
@@ -251,7 +251,7 @@ VNET_DEFINE(int, ip6_ah_trans_deflev) = IPSEC_LEVEL_USE;
VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE;
VNET_DEFINE(int, ip6_ipsec_ecn) = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
-static VNET_DEFINE(int, ip6_filtertunnel) = 0;
+VNET_DEFINE_STATIC(int, ip6_filtertunnel) = 0;
#define V_ip6_filtertunnel VNET(ip6_filtertunnel)
SYSCTL_DECL(_net_inet6_ipsec6);
@@ -1324,9 +1324,10 @@ ok:
}
int
-ipsec_updateid(struct secasvar *sav, uint64_t *new, uint64_t *old)
+ipsec_updateid(struct secasvar *sav, crypto_session_t *new,
+ crypto_session_t *old)
{
- uint64_t tmp;
+ crypto_session_t tmp;
/*
* tdb_cryptoid is initialized by xform_init().
@@ -1352,8 +1353,8 @@ ipsec_updateid(struct secasvar *sav, uint64_t *new, uint64_t *old)
* XXXAE: check this more carefully.
*/
KEYDBG(IPSEC_STAMP,
- printf("%s: SA(%p) moves cryptoid %jd -> %jd\n",
- __func__, sav, (uintmax_t)(*old), (uintmax_t)(*new)));
+ printf("%s: SA(%p) moves cryptoid %p -> %p\n",
+ __func__, sav, *old, *new));
KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
SECASVAR_LOCK(sav);
if (sav->tdb_cryptoid != *old) {
diff --git a/freebsd/sys/netipsec/ipsec.h b/freebsd/sys/netipsec/ipsec.h
index 936e7bca..eed2d077 100644
--- a/freebsd/sys/netipsec/ipsec.h
+++ b/freebsd/sys/netipsec/ipsec.h
@@ -332,7 +332,7 @@ int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *);
int ipsec_chkreplay(uint32_t, struct secasvar *);
int ipsec_updatereplay(uint32_t, struct secasvar *);
-int ipsec_updateid(struct secasvar *, uint64_t *, uint64_t *);
+int ipsec_updateid(struct secasvar *, crypto_session_t *, crypto_session_t *);
int ipsec_initialized(void);
void ipsec_setspidx_inpcb(struct inpcb *, struct secpolicyindex *, u_int);
diff --git a/freebsd/sys/netipsec/key.c b/freebsd/sys/netipsec/key.c
index fbf12f41..9bd3f234 100644
--- a/freebsd/sys/netipsec/key.c
+++ b/freebsd/sys/netipsec/key.c
@@ -115,20 +115,20 @@
*/
VNET_DEFINE(u_int32_t, key_debug_level) = 0;
-static VNET_DEFINE(u_int, key_spi_trycnt) = 1000;
-static VNET_DEFINE(u_int32_t, key_spi_minval) = 0x100;
-static VNET_DEFINE(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */
-static VNET_DEFINE(u_int32_t, policy_id) = 0;
+VNET_DEFINE_STATIC(u_int, key_spi_trycnt) = 1000;
+VNET_DEFINE_STATIC(u_int32_t, key_spi_minval) = 0x100;
+VNET_DEFINE_STATIC(u_int32_t, key_spi_maxval) = 0x0fffffff; /* XXX */
+VNET_DEFINE_STATIC(u_int32_t, policy_id) = 0;
/*interval to initialize randseed,1(m)*/
-static VNET_DEFINE(u_int, key_int_random) = 60;
+VNET_DEFINE_STATIC(u_int, key_int_random) = 60;
/* interval to expire acquiring, 30(s)*/
-static VNET_DEFINE(u_int, key_larval_lifetime) = 30;
+VNET_DEFINE_STATIC(u_int, key_larval_lifetime) = 30;
/* counter for blocking SADB_ACQUIRE.*/
-static VNET_DEFINE(int, key_blockacq_count) = 10;
+VNET_DEFINE_STATIC(int, key_blockacq_count) = 10;
/* lifetime for blocking SADB_ACQUIRE.*/
-static VNET_DEFINE(int, key_blockacq_lifetime) = 20;
+VNET_DEFINE_STATIC(int, key_blockacq_lifetime) = 20;
/* preferred old sa rather than new sa.*/
-static VNET_DEFINE(int, key_preferred_oldsa) = 1;
+VNET_DEFINE_STATIC(int, key_preferred_oldsa) = 1;
#define V_key_spi_trycnt VNET(key_spi_trycnt)
#define V_key_spi_minval VNET(key_spi_minval)
#define V_key_spi_maxval VNET(key_spi_maxval)
@@ -139,17 +139,17 @@ static VNET_DEFINE(int, key_preferred_oldsa) = 1;
#define V_key_blockacq_lifetime VNET(key_blockacq_lifetime)
#define V_key_preferred_oldsa VNET(key_preferred_oldsa)
-static VNET_DEFINE(u_int32_t, acq_seq) = 0;
+VNET_DEFINE_STATIC(u_int32_t, acq_seq) = 0;
#define V_acq_seq VNET(acq_seq)
-static VNET_DEFINE(uint32_t, sp_genid) = 0;
+VNET_DEFINE_STATIC(uint32_t, sp_genid) = 0;
#define V_sp_genid VNET(sp_genid)
/* SPD */
TAILQ_HEAD(secpolicy_queue, secpolicy);
LIST_HEAD(secpolicy_list, secpolicy);
-static VNET_DEFINE(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]);
-static VNET_DEFINE(struct secpolicy_queue, sptree_ifnet[IPSEC_DIR_MAX]);
+VNET_DEFINE_STATIC(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]);
+VNET_DEFINE_STATIC(struct secpolicy_queue, sptree_ifnet[IPSEC_DIR_MAX]);
static struct rmlock sptree_lock;
#define V_sptree VNET(sptree)
#define V_sptree_ifnet VNET(sptree_ifnet)
@@ -165,8 +165,8 @@ static struct rmlock sptree_lock;
#define SPTREE_UNLOCK_ASSERT() rm_assert(&sptree_lock, RA_UNLOCKED)
/* Hash table for lookup SP using unique id */
-static VNET_DEFINE(struct secpolicy_list *, sphashtbl);
-static VNET_DEFINE(u_long, sphash_mask);
+VNET_DEFINE_STATIC(struct secpolicy_list *, sphashtbl);
+VNET_DEFINE_STATIC(u_long, sphash_mask);
#define V_sphashtbl VNET(sphashtbl)
#define V_sphash_mask VNET(sphash_mask)
@@ -186,19 +186,19 @@ LIST_HEAD(spdcache_entry_list, spdcache_entry);
#define SPDCACHE_MAX_ENTRIES_PER_HASH 8
-static VNET_DEFINE(u_int, key_spdcache_maxentries) = 0;
+VNET_DEFINE_STATIC(u_int, key_spdcache_maxentries) = 0;
#define V_key_spdcache_maxentries VNET(key_spdcache_maxentries)
-static VNET_DEFINE(u_int, key_spdcache_threshold) = 32;
+VNET_DEFINE_STATIC(u_int, key_spdcache_threshold) = 32;
#define V_key_spdcache_threshold VNET(key_spdcache_threshold)
-static VNET_DEFINE(unsigned long, spd_size) = 0;
+VNET_DEFINE_STATIC(unsigned long, spd_size) = 0;
#define V_spd_size VNET(spd_size)
#define SPDCACHE_ENABLED() (V_key_spdcache_maxentries != 0)
#define SPDCACHE_ACTIVE() \
(SPDCACHE_ENABLED() && V_spd_size >= V_key_spdcache_threshold)
-static VNET_DEFINE(struct spdcache_entry_list *, spdcachehashtbl);
-static VNET_DEFINE(u_long, spdcachehash_mask);
+VNET_DEFINE_STATIC(struct spdcache_entry_list *, spdcachehashtbl);
+VNET_DEFINE_STATIC(u_long, spdcachehash_mask);
#define V_spdcachehashtbl VNET(spdcachehashtbl)
#define V_spdcachehash_mask VNET(spdcachehash_mask)
@@ -207,7 +207,7 @@ static VNET_DEFINE(u_long, spdcachehash_mask);
V_spdcachehash_mask)
/* Each cache line is protected by a mutex */
-static VNET_DEFINE(struct mtx *, spdcache_lock);
+VNET_DEFINE_STATIC(struct mtx *, spdcache_lock);
#define V_spdcache_lock VNET(spdcache_lock)
#define SPDCACHE_LOCK_INIT(a) \
@@ -220,7 +220,7 @@ static VNET_DEFINE(struct mtx *, spdcache_lock);
/* SAD */
TAILQ_HEAD(secashead_queue, secashead);
LIST_HEAD(secashead_list, secashead);
-static VNET_DEFINE(struct secashead_queue, sahtree);
+VNET_DEFINE_STATIC(struct secashead_queue, sahtree);
static struct rmlock sahtree_lock;
#define V_sahtree VNET(sahtree)
#define SAHTREE_LOCK_INIT() rm_init(&sahtree_lock, "sahtree")
@@ -235,8 +235,8 @@ static struct rmlock sahtree_lock;
#define SAHTREE_UNLOCK_ASSERT() rm_assert(&sahtree_lock, RA_UNLOCKED)
/* Hash table for lookup in SAD using SA addresses */
-static VNET_DEFINE(struct secashead_list *, sahaddrhashtbl);
-static VNET_DEFINE(u_long, sahaddrhash_mask);
+VNET_DEFINE_STATIC(struct secashead_list *, sahaddrhashtbl);
+VNET_DEFINE_STATIC(u_long, sahaddrhash_mask);
#define V_sahaddrhashtbl VNET(sahaddrhashtbl)
#define V_sahaddrhash_mask VNET(sahaddrhash_mask)
@@ -250,8 +250,8 @@ static VNET_DEFINE(u_long, sahaddrhash_mask);
/* Hash table for lookup in SAD using SPI */
LIST_HEAD(secasvar_list, secasvar);
-static VNET_DEFINE(struct secasvar_list *, savhashtbl);
-static VNET_DEFINE(u_long, savhash_mask);
+VNET_DEFINE_STATIC(struct secasvar_list *, savhashtbl);
+VNET_DEFINE_STATIC(u_long, savhash_mask);
#define V_savhashtbl VNET(savhashtbl)
#define V_savhash_mask VNET(savhash_mask)
#define SAVHASH_NHASH_LOG2 7
@@ -300,7 +300,7 @@ key_u32hash(uint32_t val)
}
/* registed list */
-static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
+VNET_DEFINE_STATIC(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]);
#define V_regtree VNET(regtree)
static struct mtx regtree_lock;
#define REGTREE_LOCK_INIT() \
@@ -312,7 +312,7 @@ static struct mtx regtree_lock;
/* Acquiring list */
LIST_HEAD(secacq_list, secacq);
-static VNET_DEFINE(struct secacq_list, acqtree);
+VNET_DEFINE_STATIC(struct secacq_list, acqtree);
#define V_acqtree VNET(acqtree)
static struct mtx acq_lock;
#define ACQ_LOCK_INIT() \
@@ -323,14 +323,14 @@ static struct mtx acq_lock;
#define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED)
/* Hash table for lookup in ACQ list using SA addresses */
-static VNET_DEFINE(struct secacq_list *, acqaddrhashtbl);
-static VNET_DEFINE(u_long, acqaddrhash_mask);
+VNET_DEFINE_STATIC(struct secacq_list *, acqaddrhashtbl);
+VNET_DEFINE_STATIC(u_long, acqaddrhash_mask);
#define V_acqaddrhashtbl VNET(acqaddrhashtbl)
#define V_acqaddrhash_mask VNET(acqaddrhash_mask)
/* Hash table for lookup in ACQ list using SEQ number */
-static VNET_DEFINE(struct secacq_list *, acqseqhashtbl);
-static VNET_DEFINE(u_long, acqseqhash_mask);
+VNET_DEFINE_STATIC(struct secacq_list *, acqseqhashtbl);
+VNET_DEFINE_STATIC(u_long, acqseqhash_mask);
#define V_acqseqhashtbl VNET(acqseqhashtbl)
#define V_acqseqhash_mask VNET(acqseqhash_mask)
@@ -346,7 +346,7 @@ static VNET_DEFINE(u_long, acqseqhash_mask);
#define ACQSEQHASH_HASH(seq) \
&V_acqseqhashtbl[ACQSEQHASH_HASHVAL(seq)]
/* SP acquiring list */
-static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree);
+VNET_DEFINE_STATIC(LIST_HEAD(_spacqtree, secspacq), spacqtree);
#define V_spacqtree VNET(spacqtree)
static struct mtx spacq_lock;
#define SPACQ_LOCK_INIT() \
@@ -435,9 +435,9 @@ _Static_assert(sizeof(maxsize)/sizeof(int) == SADB_EXT_MAX + 1, "minsize size mi
((_mhp)->extlen[(_ext)] > maxsize[(_ext)])))
#define SADB_CHECKHDR(_mhp, _ext) ((_mhp)->ext[(_ext)] == NULL)
-static VNET_DEFINE(int, ipsec_esp_keymin) = 256;
-static VNET_DEFINE(int, ipsec_esp_auth) = 0;
-static VNET_DEFINE(int, ipsec_ah_keymin) = 128;
+VNET_DEFINE_STATIC(int, ipsec_esp_keymin) = 256;
+VNET_DEFINE_STATIC(int, ipsec_esp_auth) = 0;
+VNET_DEFINE_STATIC(int, ipsec_ah_keymin) = 128;
#define V_ipsec_esp_keymin VNET(ipsec_esp_keymin)
#define V_ipsec_esp_auth VNET(ipsec_esp_auth)
@@ -533,7 +533,7 @@ MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire");
MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire");
MALLOC_DEFINE(M_IPSEC_SPDCACHE, "ipsec-spdcache", "ipsec SPD cache");
-static VNET_DEFINE(uma_zone_t, key_lft_zone);
+VNET_DEFINE_STATIC(uma_zone_t, key_lft_zone);
#define V_key_lft_zone VNET(key_lft_zone)
static LIST_HEAD(xforms_list, xformsw) xforms = LIST_HEAD_INITIALIZER();
@@ -2959,7 +2959,7 @@ key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx,
goto done;
}
mtx_init(sav->lock, "ipsec association", NULL, MTX_DEF);
- sav->lft_c = uma_zalloc(V_key_lft_zone, M_NOWAIT);
+ sav->lft_c = uma_zalloc_pcpu(V_key_lft_zone, M_NOWAIT);
if (sav->lft_c == NULL) {
*errp = ENOBUFS;
goto done;
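Review bot: The switch to uma_zalloc_pcpu() on the sav->lft_c line only holds if V_key_lft_zone is created with UMA_ZONE_PCPU and every release of lft_c (the SA teardown path as well as the error path changed in the next hunk) uses uma_zfree_pcpu(); neither the zone creation nor the other free sites are in this diff, so they should be checked rather than assumed. The allocation is also made without M_ZERO, so the per-CPU lifetime counters start with whatever the zone hands back unless they are zeroed afterwards, which this hunk does not show. key_newsav() begins and ends outside the hunk.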
@@ -3051,7 +3051,7 @@ done:
free(sav->lock, M_IPSEC_MISC);
}
if (sav->lft_c != NULL)
- uma_zfree(V_key_lft_zone, sav->lft_c);
+ uma_zfree_pcpu(V_key_lft_zone, sav->lft_c);
free(sav, M_IPSEC_SA), sav = NULL;
}
if (sah != NULL)
diff --git a/freebsd/sys/netipsec/key_debug.c b/freebsd/sys/netipsec/key_debug.c
index 12cfe34e..07eec79e 100644
--- a/freebsd/sys/netipsec/key_debug.c
+++ b/freebsd/sys/netipsec/key_debug.c
@@ -87,6 +87,85 @@ static void kdebug_sadb_x_natt(struct sadb_ext *);
/* NOTE: host byte order */
+static const char*
+kdebug_sadb_type(uint8_t type)
+{
+#define SADB_NAME(n) case SADB_ ## n: return (#n)
+
+ switch (type) {
+ SADB_NAME(RESERVED);
+ SADB_NAME(GETSPI);
+ SADB_NAME(UPDATE);
+ SADB_NAME(ADD);
+ SADB_NAME(DELETE);
+ SADB_NAME(GET);
+ SADB_NAME(ACQUIRE);
+ SADB_NAME(REGISTER);
+ SADB_NAME(EXPIRE);
+ SADB_NAME(FLUSH);
+ SADB_NAME(DUMP);
+ SADB_NAME(X_PROMISC);
+ SADB_NAME(X_PCHANGE);
+ SADB_NAME(X_SPDUPDATE);
+ SADB_NAME(X_SPDADD);
+ SADB_NAME(X_SPDDELETE);
+ SADB_NAME(X_SPDGET);
+ SADB_NAME(X_SPDACQUIRE);
+ SADB_NAME(X_SPDDUMP);
+ SADB_NAME(X_SPDFLUSH);
+ SADB_NAME(X_SPDSETIDX);
+ SADB_NAME(X_SPDEXPIRE);
+ SADB_NAME(X_SPDDELETE2);
+ default:
+ return ("UNKNOWN");
+ }
+#undef SADB_NAME
+}
+
+static const char*
+kdebug_sadb_exttype(uint16_t type)
+{
+#define EXT_NAME(n) case SADB_EXT_ ## n: return (#n)
+#define X_NAME(n) case SADB_X_EXT_ ## n: return (#n)
+
+ switch (type) {
+ EXT_NAME(RESERVED);
+ EXT_NAME(SA);
+ EXT_NAME(LIFETIME_CURRENT);
+ EXT_NAME(LIFETIME_HARD);
+ EXT_NAME(LIFETIME_SOFT);
+ EXT_NAME(ADDRESS_SRC);
+ EXT_NAME(ADDRESS_DST);
+ EXT_NAME(ADDRESS_PROXY);
+ EXT_NAME(KEY_AUTH);
+ EXT_NAME(KEY_ENCRYPT);
+ EXT_NAME(IDENTITY_SRC);
+ EXT_NAME(IDENTITY_DST);
+ EXT_NAME(SENSITIVITY);
+ EXT_NAME(PROPOSAL);
+ EXT_NAME(SUPPORTED_AUTH);
+ EXT_NAME(SUPPORTED_ENCRYPT);
+ EXT_NAME(SPIRANGE);
+ X_NAME(KMPRIVATE);
+ X_NAME(POLICY);
+ X_NAME(SA2);
+ X_NAME(NAT_T_TYPE);
+ X_NAME(NAT_T_SPORT);
+ X_NAME(NAT_T_DPORT);
+ X_NAME(NAT_T_OAI);
+ X_NAME(NAT_T_OAR);
+ X_NAME(NAT_T_FRAG);
+ X_NAME(SA_REPLAY);
+ X_NAME(NEW_ADDRESS_SRC);
+ X_NAME(NEW_ADDRESS_DST);
+ default:
+ return ("UNKNOWN");
+ };
+#undef EXT_NAME
+#undef X_NAME
+}
+
+
/* %%%: about struct sadb_msg */
void
kdebug_sadb(struct sadb_msg *base)
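Review bot: The two new helpers depart from the file's declaration style: `static const char*` binds the `*` to the type instead of the name, the closing brace of the switch in kdebug_sadb_exttype() carries a stray semicolon (`};`), and two blank lines separate it from kdebug_sadb(). Suggest `static const char *` on both signatures, dropping the semicolon, and a one-line comment on each helper such as `/* Map an SADB message type to its symbolic name for debug output. */`. The UNKNOWN default is the right choice since it guarantees the callers' `%s` never sees a NULL.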
@@ -98,8 +177,9 @@ kdebug_sadb(struct sadb_msg *base)
if (base == NULL)
panic("%s: NULL pointer was passed.\n", __func__);
- printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n",
+ printf("sadb_msg{ version=%u type=%u(%s) errno=%u satype=%u\n",
base->sadb_msg_version, base->sadb_msg_type,
+ kdebug_sadb_type(base->sadb_msg_type),
base->sadb_msg_errno, base->sadb_msg_satype);
printf(" len=%u reserved=%u seq=%u pid=%u\n",
base->sadb_msg_len, base->sadb_msg_reserved,
@@ -109,8 +189,9 @@ kdebug_sadb(struct sadb_msg *base)
ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
while (tlen > 0) {
- printf("sadb_ext{ len=%u type=%u }\n",
- ext->sadb_ext_len, ext->sadb_ext_type);
+ printf("sadb_ext{ len=%u type=%u(%s) }\n",
+ ext->sadb_ext_len, ext->sadb_ext_type,
+ kdebug_sadb_exttype(ext->sadb_ext_type));
if (ext->sadb_ext_len == 0) {
printf("%s: invalid ext_len=0 was passed.\n", __func__);
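Review bot: The new printf reads ext->sadb_ext_len and ext->sadb_ext_type as soon as tlen > 0, so a trailing fragment of one to three bytes is interpreted as a whole struct sadb_ext before the ext_len == 0 check runs; this predates the commit, but the added type-name lookup is another use of the unchecked header. A guard such as `if (tlen < sizeof(struct sadb_ext)) { printf("%s: truncated extension header\n", __func__); return; }` at the top of the loop body would make the dump safe on malformed messages, assuming the caller does not already reject them (not visible here). kdebug_sadb() starts in the previous hunk and continues past this one.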
diff --git a/freebsd/sys/netipsec/keydb.h b/freebsd/sys/netipsec/keydb.h
index 19eae767..6993b4e4 100644
--- a/freebsd/sys/netipsec/keydb.h
+++ b/freebsd/sys/netipsec/keydb.h
@@ -41,6 +41,7 @@
#include <sys/mutex.h>
#include <netipsec/key_var.h>
+#include <opencrypto/_cryptodev.h>
#ifndef _SOCKADDR_UNION_DEFINED
#define _SOCKADDR_UNION_DEFINED
@@ -162,7 +163,7 @@ struct secasvar {
const struct enc_xform *tdb_encalgxform;/* encoding algorithm */
const struct auth_hash *tdb_authalgxform;/* authentication algorithm */
const struct comp_algo *tdb_compalgxform;/* compression algorithm */
- uint64_t tdb_cryptoid; /* crypto session id */
+ crypto_session_t tdb_cryptoid; /* crypto session */
uint8_t alg_auth; /* Authentication Algorithm Identifier*/
uint8_t alg_enc; /* Cipher Algorithm Identifier */
diff --git a/freebsd/sys/netipsec/keysock.c b/freebsd/sys/netipsec/keysock.c
index 170335bc..9ea1d8f1 100644
--- a/freebsd/sys/netipsec/keysock.c
+++ b/freebsd/sys/netipsec/keysock.c
@@ -73,7 +73,7 @@ struct key_cb {
int key_count;
int any_count;
};
-static VNET_DEFINE(struct key_cb, key_cb);
+VNET_DEFINE_STATIC(struct key_cb, key_cb);
#define V_key_cb VNET(key_cb)
static struct sockaddr key_src = { 2, PF_KEY, };
diff --git a/freebsd/sys/netipsec/xform.h b/freebsd/sys/netipsec/xform.h
index 2720f72a..389d0b66 100644
--- a/freebsd/sys/netipsec/xform.h
+++ b/freebsd/sys/netipsec/xform.h
@@ -71,7 +71,7 @@ struct xform_history {
struct xform_data {
struct secpolicy *sp; /* security policy */
struct secasvar *sav; /* related SA */
- uint64_t cryptoid; /* used crypto session id */
+ crypto_session_t cryptoid; /* used crypto session */
u_int idx; /* IPsec request index */
int protoff; /* current protocol offset */
int skip; /* data offset */
diff --git a/freebsd/sys/netipsec/xform_ah.c b/freebsd/sys/netipsec/xform_ah.c
index 13999f41..84ba6c16 100644
--- a/freebsd/sys/netipsec/xform_ah.c
+++ b/freebsd/sys/netipsec/xform_ah.c
@@ -149,11 +149,21 @@ ah_hdrsiz(struct secasvar *sav)
size_t size;
if (sav != NULL) {
- int authsize;
+ int authsize, rplen, align;
+
IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
/*XXX not right for null algorithm--does it matter??*/
+
+ /* RFC4302: use the correct alignment. */
+ align = sizeof(uint32_t);
+#ifdef INET6
+ if (sav->sah->saidx.dst.sa.sa_family == AF_INET6) {
+ align = sizeof(uint64_t);
+ }
+#endif
+ rplen = HDRSIZE(sav);
authsize = AUTHSIZE(sav);
- size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav);
+ size = roundup(rplen + authsize, align);
} else {
/* default guess */
size = sizeof (struct ah) + sizeof (u_int32_t) + 16;
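Review bot: The sav == NULL "default guess" branch is left at sizeof(struct ah) + sizeof(u_int32_t) + 16 (presumably 28 bytes), which is not a multiple of the 8-octet alignment the new code now applies for IPv6, so the estimate can undershoot a real IPv6 AH by up to 4 bytes wherever that guess feeds size or MTU calculations. Since there is no address family to consult in that branch, rounding to the larger alignment is the safe choice: `size = roundup(sizeof(struct ah) + sizeof(u_int32_t) + 16, sizeof(uint64_t));`. The comment on the align assignment could also cite the requirement it implements: `/* RFC 4302 sec. 2.2: AH is 32-bit aligned for IPv4, 64-bit for IPv6. */`. ah_hdrsiz() begins before the hunk.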
@@ -237,16 +247,15 @@ ah_init(struct secasvar *sav, struct xformsw *xsp)
int
ah_zeroize(struct secasvar *sav)
{
- int err;
if (sav->key_auth)
bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
- err = crypto_freesession(sav->tdb_cryptoid);
- sav->tdb_cryptoid = 0;
+ crypto_freesession(sav->tdb_cryptoid);
+ sav->tdb_cryptoid = NULL;
sav->tdb_authalgxform = NULL;
sav->tdb_xform = NULL;
- return err;
+ return 0;
}
/*
@@ -536,8 +545,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct cryptop *crp;
struct xform_data *xd;
struct newah *ah;
- uint64_t cryptoid;
- int hl, rplen, authsize, error;
+ crypto_session_t cryptoid;
+ int hl, rplen, authsize, ahsize, error;
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
@@ -571,23 +580,24 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
SECASVAR_UNLOCK(sav);
/* Verify AH header length. */
- hl = ah->ah_len * sizeof (u_int32_t);
+ hl = sizeof(struct ah) + (ah->ah_len * sizeof (u_int32_t));
ahx = sav->tdb_authalgxform;
authsize = AUTHSIZE(sav);
- if (hl != authsize + rplen - sizeof (struct ah)) {
+ ahsize = ah_hdrsiz(sav);
+ if (hl != ahsize) {
DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
" for packet in SA %s/%08lx\n", __func__, hl,
- (u_long) (authsize + rplen - sizeof (struct ah)),
+ (u_long)ahsize,
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_badauthl);
error = EACCES;
goto bad;
}
- if (skip + authsize + rplen > m->m_pkthdr.len) {
+ if (skip + ahsize > m->m_pkthdr.len) {
DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
" for packet in SA %s/%08lx\n", __func__,
- m->m_pkthdr.len, (u_long) (skip + authsize + rplen),
+ m->m_pkthdr.len, (u_long)(skip + ahsize),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_badauthl);
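Review bot: Comparing hl for equality against ah_hdrsiz(sav) now rejects, with ahs_badauthl/EACCES, IPv6 AH packets whose sender padded the ICV only to 32 bits, which is the layout this code itself emitted before the change; for the SHA-2 truncations, where the header (normally 12 bytes) plus ICV is not a multiple of 8, that is every packet from a pre-change FreeBSD peer or any other implementation that does not follow RFC 4302, while algorithms whose total is already 8-aligned (e.g. HMAC-SHA1-96) are unaffected. Strict equality is the right choice security-wise, since it leaves no ambiguity about where the payload starts and keeps the padding under the ICV, but the interoperability break deserves a comment at the check and a mention in the commit message, e.g. `/* RFC 4302 2.2: the whole AH, ICV padding included, must match exactly. */`. ah_input() continues past the hunk.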
@@ -660,7 +670,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
crp->crp_buf = (caddr_t) m;
crp->crp_callback = ah_input_cb;
- crp->crp_sid = cryptoid;
+ crp->crp_session = cryptoid;
crp->crp_opaque = (caddr_t) xd;
/* These are passed as-is to the callback. */
@@ -690,8 +700,8 @@ ah_input_cb(struct cryptop *crp)
struct secasvar *sav;
struct secasindex *saidx;
caddr_t ptr;
- uint64_t cryptoid;
- int authsize, rplen, error, skip, protoff;
+ crypto_session_t cryptoid;
+ int authsize, rplen, ahsize, error, skip, protoff;
uint8_t nxt;
m = (struct mbuf *) crp->crp_buf;
@@ -711,9 +721,9 @@ ah_input_cb(struct cryptop *crp)
if (crp->crp_etype) {
if (crp->crp_etype == EAGAIN) {
/* Reset the session ID */
- if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
+ if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
crypto_freesession(cryptoid);
- xd->cryptoid = crp->crp_sid;
+ xd->cryptoid = crp->crp_session;
CURVNET_RESTORE();
return (crypto_dispatch(crp));
}
@@ -738,6 +748,7 @@ ah_input_cb(struct cryptop *crp)
/* Figure out header size. */
rplen = HDRSIZE(sav);
authsize = AUTHSIZE(sav);
+ ahsize = ah_hdrsiz(sav);
/* Copy authenticator off the packet. */
m_copydata(m, skip + rplen, authsize, calc);
@@ -786,7 +797,7 @@ ah_input_cb(struct cryptop *crp)
/*
* Remove the AH header and authenticator from the mbuf.
*/
- error = m_striphdr(m, skip, rplen + authsize);
+ error = m_striphdr(m, skip, ahsize);
if (error) {
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst, buf, sizeof(buf)),
@@ -839,9 +850,9 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
struct mbuf *mi;
struct cryptop *crp;
struct newah *ah;
- uint64_t cryptoid;
+ crypto_session_t cryptoid;
uint16_t iplen;
- int error, rplen, authsize, maxpacketsize, roff;
+ int error, rplen, authsize, ahsize, maxpacketsize, roff;
uint8_t prot;
IPSEC_ASSERT(sav != NULL, ("null SA"));
@@ -852,6 +863,8 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
/* Figure out header size. */
rplen = HDRSIZE(sav);
+ authsize = AUTHSIZE(sav);
+ ahsize = ah_hdrsiz(sav);
/* Check for maximum packet size violations. */
switch (sav->sah->saidx.dst.sa.sa_family) {
@@ -875,13 +888,12 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
error = EPFNOSUPPORT;
goto bad;
}
- authsize = AUTHSIZE(sav);
- if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
+ if (ahsize + m->m_pkthdr.len > maxpacketsize) {
DPRINTF(("%s: packet in SA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi),
- rplen + authsize + m->m_pkthdr.len, maxpacketsize));
+ ahsize + m->m_pkthdr.len, maxpacketsize));
AHSTAT_INC(ahs_toobig);
error = EMSGSIZE;
goto bad;
@@ -901,11 +913,10 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
}
/* Inject AH header. */
- mi = m_makespace(m, skip, rplen + authsize, &roff);
+ mi = m_makespace(m, skip, ahsize, &roff);
if (mi == NULL) {
DPRINTF(("%s: failed to inject %u byte AH header for SA "
- "%s/%08lx\n", __func__,
- rplen + authsize,
+ "%s/%08lx\n", __func__, ahsize,
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */
@@ -921,13 +932,17 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
/* Initialize the AH header. */
m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &ah->ah_nxt);
- ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t);
+ ah->ah_len = (ahsize - sizeof(struct ah)) / sizeof(u_int32_t);
ah->ah_reserve = 0;
ah->ah_spi = sav->spi;
/* Zeroize authenticator. */
m_copyback(m, skip + rplen, authsize, ipseczeroes);
+ /* Zeroize padding */
+ m_copyback(m, skip + rplen + authsize, ahsize - (rplen + authsize),
+ ipseczeroes);
+
/* Insert packet replay counter, as requested. */
SECASVAR_LOCK(sav);
if (sav->replay) {
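Review bot: The new padding zeroize copies ahsize - (rplen + authsize) bytes out of ipseczeroes, so ipseczeroes (declared outside this hunk) must be at least as large as the maximum pad, which with the 8-byte IPv6 alignment is 4 bytes when rplen + authsize is itself 4-aligned and up to 7 otherwise; a one-line comment next to the call would record that dependency, e.g. `/* Pad is at most align - 1 bytes; ipseczeroes must cover it. */`. Zero-filled padding is acceptable under RFC 4302 (pad content is arbitrary) provided the ICV computation spans the padding, which presumably holds if the crypto descriptor covers the whole packet — not visible here. ah_output() starts and ends outside the hunk.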
@@ -996,7 +1011,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
bcopy(((caddr_t)(xd + 1)) +
offsetof(struct ip, ip_len),
(caddr_t) &iplen, sizeof(u_int16_t));
- iplen = htons(ntohs(iplen) + rplen + authsize);
+ iplen = htons(ntohs(iplen) + ahsize);
m_copyback(m, offsetof(struct ip, ip_len),
sizeof(u_int16_t), (caddr_t) &iplen);
break;
@@ -1007,7 +1022,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
bcopy(((caddr_t)(xd + 1)) +
offsetof(struct ip6_hdr, ip6_plen),
(caddr_t) &iplen, sizeof(uint16_t));
- iplen = htons(ntohs(iplen) + rplen + authsize);
+ iplen = htons(ntohs(iplen) + ahsize);
m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
sizeof(uint16_t), (caddr_t) &iplen);
break;
@@ -1038,7 +1053,7 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
crp->crp_buf = (caddr_t) m;
crp->crp_callback = ah_output_cb;
- crp->crp_sid = cryptoid;
+ crp->crp_session = cryptoid;
crp->crp_opaque = (caddr_t) xd;
/* These are passed as-is to the callback. */
@@ -1068,7 +1083,7 @@ ah_output_cb(struct cryptop *crp)
struct secpolicy *sp;
struct secasvar *sav;
struct mbuf *m;
- uint64_t cryptoid;
+ crypto_session_t cryptoid;
caddr_t ptr;
u_int idx;
int skip, error;
@@ -1087,9 +1102,9 @@ ah_output_cb(struct cryptop *crp)
if (crp->crp_etype) {
if (crp->crp_etype == EAGAIN) {
/* Reset the session ID */
- if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
+ if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
crypto_freesession(cryptoid);
- xd->cryptoid = crp->crp_sid;
+ xd->cryptoid = crp->crp_session;
CURVNET_RESTORE();
return (crypto_dispatch(crp));
}
diff --git a/freebsd/sys/netipsec/xform_esp.c b/freebsd/sys/netipsec/xform_esp.c
index 49b08ba6..f8473575 100644
--- a/freebsd/sys/netipsec/xform_esp.c
+++ b/freebsd/sys/netipsec/xform_esp.c
@@ -273,7 +273,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct cryptop *crp;
struct newesp *esp;
uint8_t *ivp;
- uint64_t cryptoid;
+ crypto_session_t cryptoid;
int alen, error, hlen, plen;
IPSEC_ASSERT(sav != NULL, ("null SA"));
@@ -391,7 +391,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
crp->crp_flags |= CRYPTO_F_ASYNC | CRYPTO_F_ASYNC_KEEPORDER;
crp->crp_buf = (caddr_t) m;
crp->crp_callback = esp_input_cb;
- crp->crp_sid = cryptoid;
+ crp->crp_session = cryptoid;
crp->crp_opaque = (caddr_t) xd;
/* These are passed as-is to the callback */
@@ -450,7 +450,7 @@ esp_input_cb(struct cryptop *crp)
struct secasvar *sav;
struct secasindex *saidx;
caddr_t ptr;
- uint64_t cryptoid;
+ crypto_session_t cryptoid;
int hlen, skip, protoff, error, alen;
crd = crp->crp_desc;
@@ -470,9 +470,9 @@ esp_input_cb(struct cryptop *crp)
if (crp->crp_etype) {
if (crp->crp_etype == EAGAIN) {
/* Reset the session ID */
- if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
+ if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
crypto_freesession(cryptoid);
- xd->cryptoid = crp->crp_sid;
+ xd->cryptoid = crp->crp_session;
CURVNET_RESTORE();
return (crypto_dispatch(crp));
}
@@ -639,7 +639,8 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
struct secasindex *saidx;
unsigned char *pad;
uint8_t *ivp;
- uint64_t cntr, cryptoid;
+ uint64_t cntr;
+ crypto_session_t cryptoid;
int hlen, rlen, padding, blks, alen, i, roff;
int error, maxpacketsize;
uint8_t prot;
@@ -854,7 +855,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
crp->crp_buf = (caddr_t) m;
crp->crp_callback = esp_output_cb;
crp->crp_opaque = (caddr_t) xd;
- crp->crp_sid = cryptoid;
+ crp->crp_session = cryptoid;
if (esph) {
/* Authentication descriptor. */
@@ -885,7 +886,7 @@ esp_output_cb(struct cryptop *crp)
struct secpolicy *sp;
struct secasvar *sav;
struct mbuf *m;
- uint64_t cryptoid;
+ crypto_session_t cryptoid;
u_int idx;
int error;
@@ -901,9 +902,9 @@ esp_output_cb(struct cryptop *crp)
if (crp->crp_etype) {
if (crp->crp_etype == EAGAIN) {
/* Reset the session ID */
- if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
+ if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
crypto_freesession(cryptoid);
- xd->cryptoid = crp->crp_sid;
+ xd->cryptoid = crp->crp_session;
CURVNET_RESTORE();
return (crypto_dispatch(crp));
}
diff --git a/freebsd/sys/netipsec/xform_ipcomp.c b/freebsd/sys/netipsec/xform_ipcomp.c
index b3fdee49..86addc87 100644
--- a/freebsd/sys/netipsec/xform_ipcomp.c
+++ b/freebsd/sys/netipsec/xform_ipcomp.c
@@ -120,7 +120,7 @@ ipcomp_encapcheck(union sockaddr_union *src, union sockaddr_union *dst)
}
static int
-ipcomp_nonexp_input(struct mbuf **mp, int *offp, int proto)
+ipcomp_nonexp_input(struct mbuf *m, int off, int proto, void *arg __unused)
{
int isr;
@@ -137,13 +137,13 @@ ipcomp_nonexp_input(struct mbuf **mp, int *offp, int proto)
#endif
default:
IPCOMPSTAT_INC(ipcomps_nopf);
- m_freem(*mp);
+ m_freem(m);
return (IPPROTO_DONE);
}
- m_adj(*mp, *offp);
- IPCOMPSTAT_ADD(ipcomps_ibytes, (*mp)->m_pkthdr.len);
+ m_adj(m, off);
+ IPCOMPSTAT_ADD(ipcomps_ibytes, m->m_pkthdr.len);
IPCOMPSTAT_INC(ipcomps_input);
- netisr_dispatch(isr, *mp);
+ netisr_dispatch(isr, m);
return (IPPROTO_DONE);
}
@@ -180,11 +180,10 @@ ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
static int
ipcomp_zeroize(struct secasvar *sav)
{
- int err;
- err = crypto_freesession(sav->tdb_cryptoid);
- sav->tdb_cryptoid = 0;
- return err;
+ crypto_freesession(sav->tdb_cryptoid);
+ sav->tdb_cryptoid = NULL;
+ return 0;
}
/*
@@ -260,7 +259,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
xd->vnet = curvnet;
SECASVAR_LOCK(sav);
- crp->crp_sid = xd->cryptoid = sav->tdb_cryptoid;
+ crp->crp_session = xd->cryptoid = sav->tdb_cryptoid;
SECASVAR_UNLOCK(sav);
return crypto_dispatch(crp);
@@ -282,7 +281,7 @@ ipcomp_input_cb(struct cryptop *crp)
struct secasvar *sav;
struct secasindex *saidx;
caddr_t addr;
- uint64_t cryptoid;
+ crypto_session_t cryptoid;
int hlen = IPCOMP_HLENGTH, error, clen;
int skip, protoff;
uint8_t nproto;
@@ -303,9 +302,9 @@ ipcomp_input_cb(struct cryptop *crp)
if (crp->crp_etype) {
if (crp->crp_etype == EAGAIN) {
/* Reset the session ID */
- if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
+ if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
crypto_freesession(cryptoid);
- xd->cryptoid = crp->crp_sid;
+ xd->cryptoid = crp->crp_session;
CURVNET_RESTORE();
return (crypto_dispatch(crp));
}
@@ -510,7 +509,7 @@ ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
crp->crp_opaque = (caddr_t) xd;
SECASVAR_LOCK(sav);
- crp->crp_sid = xd->cryptoid = sav->tdb_cryptoid;
+ crp->crp_session = xd->cryptoid = sav->tdb_cryptoid;
SECASVAR_UNLOCK(sav);
return crypto_dispatch(crp);
@@ -533,7 +532,7 @@ ipcomp_output_cb(struct cryptop *crp)
struct secpolicy *sp;
struct secasvar *sav;
struct mbuf *m;
- uint64_t cryptoid;
+ crypto_session_t cryptoid;
u_int idx;
int error, skip, protoff;
@@ -551,9 +550,9 @@ ipcomp_output_cb(struct cryptop *crp)
if (crp->crp_etype) {
if (crp->crp_etype == EAGAIN) {
/* Reset the session ID */
- if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0)
+ if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
crypto_freesession(cryptoid);
- xd->cryptoid = crp->crp_sid;
+ xd->cryptoid = crp->crp_session;
CURVNET_RESTORE();
return (crypto_dispatch(crp));
}
@@ -664,19 +663,6 @@ bad:
}
#ifdef INET
-static const struct encaptab *ipe4_cookie = NULL;
-extern struct domain inetdomain;
-static struct protosw ipcomp4_protosw = {
- .pr_type = SOCK_RAW,
- .pr_domain = &inetdomain,
- .pr_protocol = 0 /* IPPROTO_IPV[46] */,
- .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
- .pr_input = ipcomp_nonexp_input,
- .pr_output = rip_output,
- .pr_ctloutput = rip_ctloutput,
- .pr_usrreqs = &rip_usrreqs
-};
-
static int
ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
void *arg __unused)
@@ -697,21 +683,17 @@ ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
dst.sin.sin_addr = ip->ip_dst;
return (ipcomp_encapcheck(&src, &dst));
}
+
+static const struct encaptab *ipe4_cookie = NULL;
+static const struct encap_config ipv4_encap_cfg = {
+ .proto = -1,
+ .min_length = sizeof(struct ip),
+ .exact_match = sizeof(in_addr_t) << 4,
+ .check = ipcomp4_nonexp_encapcheck,
+ .input = ipcomp_nonexp_input
+};
#endif
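Review bot: `.exact_match = sizeof(in_addr_t) << 4` (and its IPv6 twin in the next hunk) encodes a match weight as a shifted size with no explanation; if it is meant as the number of address bits compared — 2 × 32 for src and dst — a comment such as `/* Both src and dst fully matched: 2 * 32 address bits. */` would save the next reader from reverse-engineering the shift, and `.proto = -1` delegating protocol selection to the check callback could use a word as well. ipcomp4_nonexp_encapcheck() begins before the hunk.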
#ifdef INET6
-static const struct encaptab *ipe6_cookie = NULL;
-extern struct domain inet6domain;
-static struct protosw ipcomp6_protosw = {
- .pr_type = SOCK_RAW,
- .pr_domain = &inet6domain,
- .pr_protocol = 0 /* IPPROTO_IPV[46] */,
- .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
- .pr_input = ipcomp_nonexp_input,
- .pr_output = rip6_output,
- .pr_ctloutput = rip6_ctloutput,
- .pr_usrreqs = &rip6_usrreqs
-};
-
static int
ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
void *arg __unused)
@@ -744,6 +726,15 @@ ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
}
return (ipcomp_encapcheck(&src, &dst));
}
+
+static const struct encaptab *ipe6_cookie = NULL;
+static const struct encap_config ipv6_encap_cfg = {
+ .proto = -1,
+ .min_length = sizeof(struct ip6_hdr),
+ .exact_match = sizeof(struct in6_addr) << 4,
+ .check = ipcomp6_nonexp_encapcheck,
+ .input = ipcomp_nonexp_input
+};
#endif
static struct xformsw ipcomp_xformsw = {
@@ -760,12 +751,10 @@ ipcomp_attach(void)
{
#ifdef INET
- ipe4_cookie = encap_attach_func(AF_INET, -1,
- ipcomp4_nonexp_encapcheck, &ipcomp4_protosw, NULL);
+ ipe4_cookie = ip_encap_attach(&ipv4_encap_cfg, NULL, M_WAITOK);
#endif
#ifdef INET6
- ipe6_cookie = encap_attach_func(AF_INET6, -1,
- ipcomp6_nonexp_encapcheck, &ipcomp6_protosw, NULL);
+ ipe6_cookie = ip6_encap_attach(&ipv6_encap_cfg, NULL, M_WAITOK);
#endif
xform_attach(&ipcomp_xformsw);
}
@@ -775,10 +764,10 @@ ipcomp_detach(void)
{
#ifdef INET
- encap_detach(ipe4_cookie);
+ ip_encap_detach(ipe4_cookie);
#endif
#ifdef INET6
- encap_detach(ipe6_cookie);
+ ip6_encap_detach(ipe6_cookie);
#endif
xform_detach(&ipcomp_xformsw);
}
diff --git a/freebsd/sys/netipsec/xform_tcp.c b/freebsd/sys/netipsec/xform_tcp.c
index 9310cf2c..f9cd3964 100644
--- a/freebsd/sys/netipsec/xform_tcp.c
+++ b/freebsd/sys/netipsec/xform_tcp.c
@@ -82,23 +82,24 @@ tcp_ipsec_pcbctl(struct inpcb *inp, struct sockopt *sopt)
struct tcpcb *tp;
int error, optval;
- INP_WLOCK_ASSERT(inp);
if (sopt->sopt_name != TCP_MD5SIG) {
- INP_WUNLOCK(inp);
return (ENOPROTOOPT);
}
- tp = intotcpcb(inp);
if (sopt->sopt_dir == SOPT_GET) {
+ INP_RLOCK(inp);
+ if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+ INP_RUNLOCK(inp);
+ return (ECONNRESET);
+ }
+ tp = intotcpcb(inp);
optval = (tp->t_flags & TF_SIGNATURE) ? 1 : 0;
- INP_WUNLOCK(inp);
+ INP_RUNLOCK(inp);
/* On success return with released INP_WLOCK */
return (sooptcopyout(sopt, &optval, sizeof(optval)));
}
- INP_WUNLOCK(inp);
-
error = sooptcopyin(sopt, &optval, sizeof(optval), sizeof(optval));
if (error != 0)
return (error);
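Review bot: The comment `/* On success return with released INP_WLOCK */` above the sooptcopyout() call is now wrong: the GET path takes and drops INP_RLOCK, and the function no longer inherits any inp lock from its caller. Suggest `/* inp lock already dropped; sooptcopyout() may sleep. */`, plus a short header comment stating the new contract — tcp_ipsec_pcbctl() is entered with inp unlocked and acquires and releases the lock itself in both directions — since the removed INP_WLOCK_ASSERT is what used to document that. The INP_TIMEWAIT|INP_DROPPED check under the read lock before dereferencing intotcpcb(inp) is the right addition. tcp_ipsec_pcbctl() continues past the hunk.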
@@ -109,12 +110,13 @@ tcp_ipsec_pcbctl(struct inpcb *inp, struct sockopt *sopt)
INP_WUNLOCK(inp);
return (ECONNRESET);
}
+ tp = intotcpcb(inp);
if (optval > 0)
tp->t_flags |= TF_SIGNATURE;
else
tp->t_flags &= ~TF_SIGNATURE;
- /* On success return with acquired INP_WLOCK */
+ INP_WUNLOCK(inp);
return (error);
}