diff options
| author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-05-21 03:02:20 +0000 |
|---|---|---|
| committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-05-21 03:02:20 +0000 |
| commit | 6b3cea3c65ad5cccd36f82f34478d8f04b861900 (patch) | |
| tree | 91b910b34577e59a092048af8e4fe42a2169167a | |
| parent | 9d69a064b7f2692568aa1cc6ee78b6f403635f3c (diff) | |
Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@
| -rw-r--r-- | sys/net/pfkeyv2.c | 195 | ||||
| -rw-r--r-- | sys/netinet/in_pcb.c | 10 | ||||
| -rw-r--r-- | sys/netinet/in_pcb.h | 6 | ||||
| -rw-r--r-- | sys/netinet/ip_ipsp.c | 82 | ||||
| -rw-r--r-- | sys/netinet/ip_ipsp.h | 40 |
5 files changed, 170 insertions, 163 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index ab7d0f597d4..f9c07747108 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.59 2001/05/05 00:33:46 angelos Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.60 2001/05/21 03:02:17 angelos Exp $ */ /* %%% copyright-nrl-97 This software is Copyright 1997-1998 by Randall Atkinson, Ronald Lee, @@ -489,28 +489,25 @@ export_address(void **p, struct sockaddr *sa) void import_credentials(struct tdb *tdb, struct sadb_cred *sadb_cred, int dstcred) { + struct ipsec_ref **ipr; + if (!sadb_cred) return; if (dstcred) - { - tdb->tdb_remote_cred_len = EXTLEN(sadb_cred) - - sizeof(struct sadb_cred); - tdb->tdb_remote_cred_type = sadb_cred->sadb_cred_type; - MALLOC(tdb->tdb_remote_cred, caddr_t, tdb->tdb_remote_cred_len, - M_CREDENTIALS, M_WAITOK); - bcopy((void *) sadb_cred + sizeof(struct sadb_cred), - tdb->tdb_remote_cred, tdb->tdb_remote_cred_len); - } + ipr = &tdb->tdb_remote_cred; else - { - tdb->tdb_local_cred_len = EXTLEN(sadb_cred) - sizeof(struct sadb_cred); - tdb->tdb_local_cred_type = sadb_cred->sadb_cred_type; - MALLOC(tdb->tdb_local_cred, caddr_t, tdb->tdb_local_cred_len, - M_CREDENTIALS, M_WAITOK); - bcopy((void *) sadb_cred + sizeof(struct sadb_cred), - tdb->tdb_local_cred, tdb->tdb_local_cred_len); - } + ipr = &tdb->tdb_local_cred; + + MALLOC(*ipr, struct ipsec_ref *, EXTLEN(sadb_cred) - + sizeof(struct sadb_cred) + sizeof(struct ipsec_ref), + M_CREDENTIALS, M_WAITOK); + (*ipr)->ref_len = EXTLEN(sadb_cred) - sizeof(struct sadb_cred); + (*ipr)->ref_type = sadb_cred->sadb_cred_type; + (*ipr)->ref_count = 1; + (*ipr)->ref_malloctype = M_CREDENTIALS; + bcopy((void *) sadb_cred + sizeof(struct sadb_cred), + (*ipr) + 1, (*ipr)->ref_len); } /* @@ -519,83 +516,63 @@ import_credentials(struct tdb *tdb, struct sadb_cred *sadb_cred, int dstcred) void import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) { + struct ipsec_ref **ipr; + if (!sadb_ident) return; if (type == PFKEYV2_IDENTITY_SRC) - { - tdb->tdb_srcid_len = EXTLEN(sadb_ident) - - sizeof(struct sadb_ident); - tdb->tdb_srcid_type = sadb_ident->sadb_ident_type; - MALLOC(tdb->tdb_srcid, u_int8_t *, tdb->tdb_srcid_len, M_CREDENTIALS, - M_WAITOK); - bcopy((void *) sadb_ident + sizeof(struct sadb_ident), - tdb->tdb_srcid, tdb->tdb_srcid_len); - } + ipr = &tdb->tdb_srcid; else - { - tdb->tdb_dstid_len = EXTLEN(sadb_ident) - - sizeof(struct sadb_ident); - tdb->tdb_dstid_type = sadb_ident->sadb_ident_type; - MALLOC(tdb->tdb_dstid, u_int8_t *, tdb->tdb_dstid_len, M_CREDENTIALS, - M_WAITOK); - bcopy((void *) sadb_ident + sizeof(struct sadb_ident), - tdb->tdb_dstid, tdb->tdb_dstid_len); - } + ipr = &tdb->tdb_dstid; + + MALLOC(*ipr, struct ipsec_ref *, EXTLEN(sadb_ident) - + sizeof(struct sadb_ident) + sizeof(struct ipsec_ref), M_CREDENTIALS, + M_WAITOK); + (*ipr)->ref_len = EXTLEN(sadb_ident) - sizeof(struct sadb_ident); + (*ipr)->ref_type = sadb_ident->sadb_ident_type; + (*ipr)->ref_count = 1; + (*ipr)->ref_malloctype = M_CREDENTIALS; + bcopy((void *) sadb_ident + sizeof(struct sadb_ident), (*ipr) + 1, + (*ipr)->ref_len); } void export_credentials(void **p, struct tdb *tdb, int dstcred) { + struct ipsec_ref **ipr; struct sadb_cred *sadb_cred = (struct sadb_cred *) *p; if (dstcred) - { - sadb_cred->sadb_cred_len = (sizeof(struct sadb_cred) + - PADUP(tdb->tdb_remote_cred_len)) / - sizeof(uint64_t); - sadb_cred->sadb_cred_type = tdb->tdb_remote_cred_type; - *p += sizeof(struct sadb_cred); - bcopy(tdb->tdb_remote_cred, *p, tdb->tdb_remote_cred_len); - *p += PADUP(tdb->tdb_remote_cred_len); - } + ipr = &tdb->tdb_remote_cred; else - { - sadb_cred->sadb_cred_len = (sizeof(struct sadb_cred) + - PADUP(tdb->tdb_local_cred_len)) / - sizeof(uint64_t); - sadb_cred->sadb_cred_type = tdb->tdb_local_cred_type; - *p += sizeof(struct sadb_cred); - bcopy(tdb->tdb_local_cred, *p, tdb->tdb_local_cred_len); - *p += PADUP(tdb->tdb_local_cred_len); - } + ipr = &tdb->tdb_local_cred; + + sadb_cred->sadb_cred_len = (sizeof(struct sadb_cred) + + PADUP((*ipr)->ref_len)) / sizeof(uint64_t); + sadb_cred->sadb_cred_type = (*ipr)->ref_type; + *p += sizeof(struct sadb_cred); + bcopy((*ipr) + 1, *p, (*ipr)->ref_len); + *p += PADUP((*ipr)->ref_len); } void export_identity(void **p, struct tdb *tdb, int type) { + struct ipsec_ref **ipr; struct sadb_ident *sadb_ident = (struct sadb_ident *) *p; if (type == PFKEYV2_IDENTITY_SRC) - { - sadb_ident->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(tdb->tdb_srcid_len)) / - sizeof(uint64_t); - sadb_ident->sadb_ident_type = tdb->tdb_srcid_type; - *p += sizeof(struct sadb_ident); - bcopy(tdb->tdb_srcid, *p, tdb->tdb_srcid_len); - *p += PADUP(tdb->tdb_srcid_len); - } + ipr = &tdb->tdb_srcid; else - { - sadb_ident->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(tdb->tdb_dstid_len)) / - sizeof(uint64_t); - sadb_ident->sadb_ident_type = tdb->tdb_dstid_type; - *p += sizeof(struct sadb_ident); - bcopy(tdb->tdb_dstid, *p, tdb->tdb_dstid_len); - *p += PADUP(tdb->tdb_dstid_len); - } + ipr = &tdb->tdb_dstid; + + sadb_ident->sadb_ident_len = (sizeof(struct sadb_ident) + + PADUP((*ipr)->ref_len)) / sizeof(uint64_t); + sadb_ident->sadb_ident_type = (*ipr)->ref_type; + *p += sizeof(struct sadb_ident); + bcopy((*ipr) + 1, *p, (*ipr)->ref_len); + *p += PADUP((*ipr)->ref_len); } /* ... */ @@ -991,11 +968,11 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer) if (sa->tdb_proxy.sa.sa_family) i += sizeof(struct sadb_address) + PADUP(SA_LEN(&sa->tdb_proxy.sa)); - if (sa->tdb_srcid_len) - i += PADUP(sa->tdb_srcid_len) + sizeof(struct sadb_ident); + if (sa->tdb_srcid) + i += PADUP(sa->tdb_srcid->ref_len) + sizeof(struct sadb_ident); - if (sa->tdb_dstid_len) - i += PADUP(sa->tdb_dstid_len) + sizeof(struct sadb_ident); + if (sa->tdb_dstid) + i += PADUP(sa->tdb_dstid->ref_len) + sizeof(struct sadb_ident); if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) { @@ -1046,14 +1023,14 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer) } /* Export source identity, if present */ - if (sa->tdb_srcid_len) + if (sa->tdb_srcid) { headers[SADB_EXT_IDENTITY_SRC] = p; export_identity(&p, sa, PFKEYV2_IDENTITY_SRC); } /* Export destination identity, if present */ - if (sa->tdb_dstid_len) + if (sa->tdb_dstid) { headers[SADB_EXT_IDENTITY_DST] = p; export_identity(&p, sa, PFKEYV2_IDENTITY_DST); @@ -1991,23 +1968,26 @@ pfkeyv2_send(struct socket *socket, void *message, int len) ipo->ipo_sproto = SADB_GETSPROTO(smsg->sadb_msg_satype); if (ipo->ipo_srcid) { - FREE(ipo->ipo_srcid, M_CREDENTIALS); + ipsp_reffree(ipo->ipo_srcid); ipo->ipo_srcid = NULL; } if (ipo->ipo_dstid) { - FREE(ipo->ipo_dstid, M_CREDENTIALS); + ipsp_reffree(ipo->ipo_dstid); ipo->ipo_dstid = NULL; } if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL) { - ipo->ipo_srcid_type = sid->sadb_ident_type; - ipo->ipo_srcid_len = (sid->sadb_ident_len * sizeof(u_int64_t)) - sizeof(struct sadb_ident); + int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - sizeof(struct sadb_ident); + MALLOC(ipo->ipo_srcid, struct ipsec_ref *, clen + + sizeof(struct ipsec_ref), M_CREDENTIALS, M_DONTWAIT); + ipo->ipo_srcid->ref_type = sid->sadb_ident_type; + ipo->ipo_srcid->ref_len = clen; + ipo->ipo_srcid->ref_count = 1; + ipo->ipo_srcid->ref_malloctype = M_CREDENTIALS; - MALLOC(ipo->ipo_srcid, u_int8_t *, ipo->ipo_srcid_len, - M_CREDENTIALS, M_DONTWAIT); if (ipo->ipo_srcid == NULL) { if (exists) @@ -2022,17 +2002,20 @@ pfkeyv2_send(struct socket *socket, void *message, int len) goto ret; } - bcopy(sid + 1, ipo->ipo_srcid, ipo->ipo_srcid_len); + bcopy(sid + 1, ipo->ipo_srcid + 1, ipo->ipo_srcid->ref_len); } if ((sid = headers[SADB_EXT_IDENTITY_DST]) != NULL) { - ipo->ipo_dstid_type = sid->sadb_ident_type; - ipo->ipo_dstid_len = (sid->sadb_ident_len * sizeof(u_int64_t)) - - sizeof(struct sadb_ident); + int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - sizeof(struct sadb_ident); + + MALLOC(ipo->ipo_dstid, struct ipsec_ref *, clen + + sizeof(struct ipsec_ref), M_CREDENTIALS, M_DONTWAIT); + ipo->ipo_dstid->ref_type = sid->sadb_ident_type; + ipo->ipo_dstid->ref_len = clen; + ipo->ipo_dstid->ref_count = 1; + ipo->ipo_dstid->ref_malloctype = M_CREDENTIALS; - MALLOC(ipo->ipo_dstid, u_int8_t *, ipo->ipo_dstid_len, - M_CREDENTIALS, M_DONTWAIT); if (ipo->ipo_dstid == NULL) { if (exists) @@ -2044,7 +2027,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len) else { if (ipo->ipo_dstid) - FREE(ipo->ipo_dstid, M_CREDENTIALS); + ipsp_reffree(ipo->ipo_dstid); FREE(ipo, M_IPSEC_POLICY); } @@ -2052,7 +2035,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len) goto ret; } - bcopy(sid + 1, ipo->ipo_dstid, ipo->ipo_dstid_len); + bcopy(sid + 1, ipo->ipo_dstid + 1, ipo->ipo_dstid->ref_len); } /* Flow type */ @@ -2075,9 +2058,9 @@ pfkeyv2_send(struct socket *socket, void *message, int len) } if (ipo->ipo_srcid) - FREE(ipo->ipo_srcid, M_CREDENTIALS); + ipsp_reffree(ipo->ipo_srcid); if (ipo->ipo_dstid) - FREE(ipo->ipo_dstid, M_CREDENTIALS); + ipsp_reffree(ipo->ipo_dstid); FREE(ipo, M_IPSEC_POLICY); /* Free policy entry */ goto ret; } @@ -2220,10 +2203,10 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, sizeof(struct sadb_prop) + 1 * sizeof(struct sadb_comb); if (ipo->ipo_srcid) - i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid_len); + i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); if (ipo->ipo_dstid) - i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid_len); + i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); /* Allocate */ if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) @@ -2276,27 +2259,27 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, if (ipo->ipo_srcid) { headers[SADB_EXT_IDENTITY_SRC] = p; - p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid_len); + p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); srcid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_SRC]; srcid->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(ipo->ipo_srcid_len)) / + PADUP(ipo->ipo_srcid->ref_len)) / sizeof(u_int64_t); - srcid->sadb_ident_type = ipo->ipo_srcid_type; - bcopy(ipo->ipo_srcid, headers[SADB_EXT_IDENTITY_SRC] + - sizeof(struct sadb_ident), ipo->ipo_srcid_len); + srcid->sadb_ident_type = ipo->ipo_srcid->ref_type; + bcopy(ipo->ipo_srcid + 1, headers[SADB_EXT_IDENTITY_SRC] + + sizeof(struct sadb_ident), ipo->ipo_srcid->ref_len); } if (ipo->ipo_dstid) { headers[SADB_EXT_IDENTITY_DST] = p; - p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid_len); + p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); dstid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_DST]; dstid->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(ipo->ipo_dstid_len)) / + PADUP(ipo->ipo_dstid->ref_len)) / sizeof(u_int64_t); - dstid->sadb_ident_type = ipo->ipo_dstid_type; - bcopy(ipo->ipo_dstid, headers[SADB_EXT_IDENTITY_DST] + - sizeof(struct sadb_ident), ipo->ipo_dstid_len); + dstid->sadb_ident_type = ipo->ipo_dstid->ref_type; + bcopy(ipo->ipo_dstid + 1, headers[SADB_EXT_IDENTITY_DST] + + sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); } headers[SADB_EXT_PROPOSAL] = p; diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index ef54a590596..88b6d935cb5 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.50 2001/03/28 20:03:02 angelos Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.51 2001/05/21 03:02:18 angelos Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -560,6 +560,14 @@ in_pcbdetach(v) if (inp->inp_tdb_out) TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp, inp_tdb_out_next); + if (inp->inp_ipsec_localid) + ipsp_reffree(inp->inp_ipsec_localid); + if (inp->inp_ipsec_remoteid) + ipsp_reffree(inp->inp_ipsec_remoteid); + if (inp->inp_ipsec_localcred) + ipsp_reffree(inp->inp_ipsec_localcred); + if (inp->inp_ipsec_remotecred) + ipsp_reffree(inp->inp_ipsec_remotecred); splx(s); #endif s = splnet(); diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index cdce9721bb9..88722c0e453 100644 --- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.h,v 1.33 2001/03/28 20:03:02 angelos Exp $ */ +/* $OpenBSD: in_pcb.h,v 1.34 2001/05/21 03:02:18 angelos Exp $ */ /* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */ /* @@ -133,6 +133,10 @@ struct inpcb { #define SR_WAIT 3 /* Waiting for SA */ TAILQ_ENTRY(inpcb) inp_tdb_in_next, inp_tdb_out_next; struct tdb *inp_tdb_in, *inp_tdb_out; + struct ipsec_ref *inp_ipsec_localid; + struct ipsec_ref *inp_ipsec_remoteid; + struct ipsec_ref *inp_ipsec_localcred; + struct ipsec_ref *inp_ipsec_remotecred; #define inp_flowinfo inp_hu.hu_ipv6.ip6_flow int in6p_cksum; diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index 008bd04ff4e..38633950e1f 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.114 2001/05/05 00:31:19 angelos Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.115 2001/05/21 03:02:19 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -317,10 +317,11 @@ gettdbbyaddr(union sockaddr_union *dst, struct ipsec_policy *ipo, { if (ipo->ipo_srcid != NULL) { - if ((tdbp->tdb_srcid_type != ipo->ipo_srcid_type) || - (tdbp->tdb_srcid_len != ipo->ipo_srcid_len) || - (bcmp(tdbp->tdb_srcid, ipo->ipo_srcid, - ipo->ipo_srcid_len))) + if ((tdbp->tdb_srcid->ref_type != + ipo->ipo_srcid->ref_type) || + (tdbp->tdb_srcid->ref_len != ipo->ipo_srcid->ref_len) || + (bcmp(tdbp->tdb_srcid + 1, ipo->ipo_srcid + 1, + ipo->ipo_srcid->ref_len))) continue; } @@ -334,10 +335,11 @@ gettdbbyaddr(union sockaddr_union *dst, struct ipsec_policy *ipo, { if (ipo->ipo_dstid != NULL) { - if ((tdbp->tdb_dstid_type != ipo->ipo_dstid_type) || - (tdbp->tdb_dstid_len != ipo->ipo_dstid_len) || - (bcmp(tdbp->tdb_dstid, ipo->ipo_dstid, - ipo->ipo_dstid_len))) + if ((tdbp->tdb_dstid->ref_type != + ipo->ipo_dstid->ref_type) || + (tdbp->tdb_dstid->ref_len != ipo->ipo_dstid->ref_len) || + (bcmp(tdbp->tdb_dstid + 1, ipo->ipo_dstid + 1, + ipo->ipo_dstid->ref_len))) continue; } @@ -352,11 +354,12 @@ gettdbbyaddr(union sockaddr_union *dst, struct ipsec_policy *ipo, { if (ipo->ipo_local_cred != NULL) { - if ((tdbp->tdb_local_cred_type != - ipo->ipo_local_cred_type) || - (tdbp->tdb_local_cred_len != ipo->ipo_local_cred_len) || - (bcmp(tdbp->tdb_local_cred, ipo->ipo_local_cred, - ipo->ipo_local_cred_len))) + if ((tdbp->tdb_local_cred->ref_type != + ipo->ipo_local_cred->ref_type) || + (tdbp->tdb_local_cred->ref_len != + ipo->ipo_local_cred->ref_len) || + (bcmp(tdbp->tdb_local_cred + 1, ipo->ipo_local_cred + 1, + ipo->ipo_local_cred->ref_len))) continue; } else @@ -407,10 +410,11 @@ gettdbbysrc(union sockaddr_union *src, struct ipsec_policy *ipo, { if (ipo->ipo_srcid != NULL) { - if ((tdbp->tdb_srcid_type != ipo->ipo_srcid_type) || - (tdbp->tdb_srcid_len != ipo->ipo_srcid_len) || - (bcmp(tdbp->tdb_srcid, ipo->ipo_srcid, - ipo->ipo_srcid_len))) + if ((tdbp->tdb_srcid->ref_type != + ipo->ipo_srcid->ref_type) || + (tdbp->tdb_srcid->ref_len != ipo->ipo_srcid->ref_len) || + (bcmp(tdbp->tdb_srcid + 1, ipo->ipo_srcid + 1, + ipo->ipo_srcid->ref_len))) continue; } @@ -424,10 +428,11 @@ gettdbbysrc(union sockaddr_union *src, struct ipsec_policy *ipo, { if (ipo->ipo_dstid != NULL) { - if ((tdbp->tdb_dstid_type != ipo->ipo_dstid_type) || - (tdbp->tdb_dstid_len != ipo->ipo_dstid_len) || - (bcmp(tdbp->tdb_dstid, ipo->ipo_dstid, - ipo->ipo_dstid_len))) + if ((tdbp->tdb_dstid->ref_type != + ipo->ipo_dstid->ref_type) || + (tdbp->tdb_dstid->ref_len != ipo->ipo_dstid->ref_len) || + (bcmp(tdbp->tdb_dstid + 1, ipo->ipo_dstid + 1, + ipo->ipo_dstid->ref_len))) continue; } @@ -442,11 +447,12 @@ gettdbbysrc(union sockaddr_union *src, struct ipsec_policy *ipo, { if (ipo->ipo_local_cred != NULL) { - if ((tdbp->tdb_local_cred_type != - ipo->ipo_local_cred_type) || - (tdbp->tdb_local_cred_len != ipo->ipo_local_cred_len) || - (bcmp(tdbp->tdb_local_cred, ipo->ipo_local_cred, - ipo->ipo_local_cred_len))) + if ((tdbp->tdb_local_cred->ref_type != + ipo->ipo_local_cred->ref_type) || + (tdbp->tdb_local_cred->ref_len != + ipo->ipo_local_cred->ref_len) || + (bcmp(tdbp->tdb_local_cred, ipo->ipo_local_cred + 1, + ipo->ipo_local_cred->ref_len))) continue; } else @@ -808,25 +814,25 @@ tdb_delete(struct tdb *tdbp) if (tdbp->tdb_srcid) { - FREE(tdbp->tdb_srcid, M_CREDENTIALS); + ipsp_reffree(tdbp->tdb_srcid); tdbp->tdb_srcid = NULL; } if (tdbp->tdb_dstid) { - FREE(tdbp->tdb_dstid, M_CREDENTIALS); + ipsp_reffree(tdbp->tdb_dstid); tdbp->tdb_dstid = NULL; } if (tdbp->tdb_local_cred) { - FREE(tdbp->tdb_local_cred, M_CREDENTIALS); + ipsp_reffree(tdbp->tdb_local_cred); tdbp->tdb_local_cred = NULL; } if (tdbp->tdb_remote_cred) { - FREE(tdbp->tdb_remote_cred, M_CREDENTIALS); + ipsp_reffree(tdbp->tdb_remote_cred); tdbp->tdb_local_cred = NULL; } @@ -1274,7 +1280,7 @@ ipsp_copy_ident(void *arg) return (void *) tdbii; } -/* Check whether an IP{4,6} address is unspecified */ +/* Check whether an IP{4,6} address is unspecified. */ int ipsp_is_unspecified(union sockaddr_union addr) { @@ -1301,3 +1307,15 @@ ipsp_is_unspecified(union sockaddr_union addr) return 1; } } + +/* Free reference-counted structure. */ +void +ipsp_reffree(struct ipsec_ref *ipr) +{ +#ifdef DIAGNOSTIC + if (ipr->ref_count <= 0) + printf("ipsp_reffree: illegal reference count %d for object %p (len = %d, malloctype = %d)\n", ipr->ref_count, ipr, ipr->ref_len, ipr->ref_malloctype); +#endif + if (--ipr->ref_count <= 0) + FREE(ipr, ipr->ref_malloctype); +} diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index 3fe118cd345..b407516cefc 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.85 2001/05/05 00:31:20 angelos Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.86 2001/05/21 03:02:19 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -154,6 +154,14 @@ struct sockaddr_encap #define SENT_LEN sizeof(struct sockaddr_encap) +struct ipsec_ref +{ + int ref_type; /* Subtype of data */ + int ref_len; /* Length of data following */ + int ref_count; /* Reference count */ + int ref_malloctype; /* malloc(9) type, for free'ing purposes */ +}; + struct ipsec_acquire { union sockaddr_union ipa_addr; @@ -188,16 +196,9 @@ struct ipsec_policy struct tdb *ipo_tdb; /* Cached entry */ - u_int16_t ipo_srcid_len; - u_int16_t ipo_dstid_len; - u_int16_t ipo_local_cred_len; - u_int16_t ipo_srcid_type; - u_int16_t ipo_dstid_type; - u_int16_t ipo_local_cred_type; - - u_int8_t *ipo_srcid; - u_int8_t *ipo_dstid; - u_int8_t *ipo_local_cred; + struct ipsec_ref *ipo_srcid; + struct ipsec_ref *ipo_dstid; + struct ipsec_ref *ipo_local_cred; TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List of policies on TDB */ TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policy entries */ @@ -298,20 +299,14 @@ struct tdb /* tunnel descriptor block */ u_int16_t tdb_amxkeylen; /* Raw authentication key length */ u_int16_t tdb_emxkeylen; /* Raw encryption key length */ u_int16_t tdb_ivlen; /* IV length */ - u_int16_t tdb_local_cred_len; /* size of tdb_local_cred */ - u_int16_t tdb_remote_cred_len; /* size of tdb_remote_cred */ u_int8_t tdb_sproto; /* IPsec protocol */ u_int8_t tdb_wnd; /* Replay window */ u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */ - u_int8_t tdb_local_cred_type;/* type of tdb_local_cred */ - u_int8_t tdb_remote_cred_type;/* type of tdb_remote_cred */ union sockaddr_union tdb_dst; /* Destination address for this SA */ union sockaddr_union tdb_src; /* Source address for this SA */ union sockaddr_union tdb_proxy; - u_int8_t *tdb_srcid; /* Source ID for this SA */ - u_int8_t *tdb_dstid; /* Destination ID for this SA */ u_int8_t *tdb_amxkey; /* Raw authentication key */ u_int8_t *tdb_emxkey; /* Raw encryption key */ @@ -320,15 +315,13 @@ struct tdb /* tunnel descriptor block */ u_int32_t tdb_initial; /* Initial replay value */ u_int32_t tdb_epoch; /* Used by the kernfs interface */ - u_int16_t tdb_srcid_len; - u_int16_t tdb_dstid_len; - u_int16_t tdb_srcid_type; - u_int16_t tdb_dstid_type; u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ - caddr_t tdb_local_cred; - caddr_t tdb_remote_cred; + struct ipsec_ref *tdb_local_cred; + struct ipsec_ref *tdb_remote_cred; + struct ipsec_ref *tdb_srcid; /* Source ID for this SA */ + struct ipsec_ref *tdb_dstid; /* Destination ID for this SA */ TAILQ_HEAD(tdb_inp_head_in, inpcb) tdb_inp_in; TAILQ_HEAD(tdb_inp_head_out, inpcb) tdb_inp_out; @@ -601,5 +594,6 @@ extern void ipsp_delete_acquire(struct ipsec_acquire *); extern void ipsp_clear_acquire(struct tdb *); extern void *ipsp_copy_ident(void *); extern int ipsp_is_unspecified(union sockaddr_union); +extern void ipsp_reffree(struct ipsec_ref *); #endif /* _KERNEL */ #endif /* _NETINET_IPSP_H_ */ |