author | Markus Friedl <markus@cvs.openbsd.org> | 2012-10-18 10:49:49 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2012-10-18 10:49:49 +0000 |
commit | 814a8549472749080b04fc1a4c291134ef69728f (patch) | |
tree | bc9643fdbc2264b54bac57edd75a99738ae6f570 | |
parent | bf46ee06e9fc03ec2b42c42502e8dfcb232c05ba (diff) |
simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@
-rw-r--r-- | sys/netinet/ip_ah.c | 40 | ||||
-rw-r--r-- | sys/netinet/ip_esp.c | 66 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 5 |
3 files changed, 66 insertions, 45 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index b60215e965b..243c82a7264 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.c,v 1.103 2012/09/26 14:53:23 markus Exp $ */ +/* $OpenBSD: ip_ah.c,v 1.104 2012/10/18 10:49:48 markus Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -568,36 +568,36 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) sizeof(u_int32_t), (caddr_t) &btsx); btsx = ntohl(btsx); - switch (checkreplaywindow(btsx, &tdb->tdb_rpl, tdb->tdb_wnd, - &tdb->tdb_bitmap, &esn, tdb->tdb_flags & TDBF_ESN, 0)) { + switch (checkreplaywindow(tdb, btsx, &esn, 0)) { case 0: /* All's well. */ break; - case 1: + m_freem(m); DPRINTF(("ah_input(): replay counter wrapped for " "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); - ahstat.ahs_wrap++; - m_freem(m); return ENOBUFS; - case 2: + m_freem(m); + DPRINTF(("ah_input(): old packet received in " + "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), + ntohl(tdb->tdb_spi))); + ahstat.ahs_replay++; + return ENOBUFS; case 3: + m_freem(m); DPRINTF(("ah_input(): duplicate packet received in " "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); - ahstat.ahs_replay++; - m_freem(m); return ENOBUFS; - default: + m_freem(m); DPRINTF(("ah_input(): bogus value from " "checkreplaywindow() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); - - m_freem(m); + ahstat.ahs_replay++; return ENOBUFS; } } 
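Review bot: The `default:` arm of the replay switch in ah_input() now does `ahstat.ahs_replay++`, so a bogus return value from checkreplaywindow() — an internal inconsistency, not a detected replay — is folded into the counter an operator reads to spot replay attempts; the same addition is made in ah_input_cb(), esp_input() and esp_input_cb(). The header comment of checkreplaywindow(), partly visible in a later hunk, documents return values up to 3, so this arm is defensive rather than a real replay path. Either leave the replay counter untouched there or make the intent explicit, e.g. `/* not reached: checkreplaywindow() returns 0..3 */` above the DPRINTF. ah_input() continues outside the hunk.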
@@ -852,38 +852,38 @@ ah_input_cb(void *op) sizeof(u_int32_t), (caddr_t) &btsx); btsx = ntohl(btsx); - switch (checkreplaywindow(btsx, &tdb->tdb_rpl, tdb->tdb_wnd, - &tdb->tdb_bitmap, &esn, tdb->tdb_flags & TDBF_ESN, 1)) { + switch (checkreplaywindow(tdb, btsx, &esn, 1)) { case 0: /* All's well. */ #if NPFSYNC > 0 pfsync_update_tdb(tdb,0); #endif break; - case 1: DPRINTF(("ah_input(): replay counter wrapped for " "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); - ahstat.ahs_wrap++; error = ENOBUFS; goto baddone; - case 2: + DPRINTF(("ah_input_cb(): old packet received in " + "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), + ntohl(tdb->tdb_spi))); + ahstat.ahs_replay++; + error = ENOBUFS; + goto baddone; case 3: DPRINTF(("ah_input_cb(): duplicate packet received in " "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); - ahstat.ahs_replay++; error = ENOBUFS; goto baddone; - default: DPRINTF(("ah_input_cb(): bogus value from " "checkreplaywindow() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); - + ahstat.ahs_replay++; error = ENOBUFS; goto baddone; } diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 1d724727763..40553c92e9c 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.119 2012/09/20 10:25:03 blambert Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.120 2012/10/18 10:49:48 markus Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and 
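Review bot: The case 1 DPRINTF in ah_input_cb() still identifies itself as `ah_input():` while the arms this commit rewrites in the same switch say `ah_input_cb():`, so the counter-wrap message points at the wrong function. It is a context line here, but since the purpose of the change is to make these arms consistent this is the natural place to fix it: `DPRINTF(("ah_input_cb(): replay counter wrapped for "`. ah_input_cb() continues outside the hunk.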
@@ -364,27 +364,36 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) (unsigned char *) &btsx); btsx = ntohl(btsx); - switch (checkreplaywindow(btsx, &tdb->tdb_rpl, tdb->tdb_wnd, - &tdb->tdb_bitmap, &esn, tdb->tdb_flags & TDBF_ESN, 0)) { + switch (checkreplaywindow(tdb, btsx, &esn, 0)) { case 0: /* All's well */ break; - case 1: m_freem(m); - DPRINTF(("esp_input(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input(): replay counter wrapped" + " for SA %s/%08x\n", + ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); espstat.esps_wrap++; return EACCES; - case 2: + m_freem(m); + DPRINTF(("esp_input(): old packet received" + " in SA %s/%08x\n", + ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + espstat.esps_replay++; + return EACCES; case 3: - DPRINTF(("esp_input(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); m_freem(m); + DPRINTF(("esp_input(): duplicate packet received" + " in SA %s/%08x\n", + ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); espstat.esps_replay++; return EACCES; - default: m_freem(m); - DPRINTF(("esp_input(): bogus value from checkreplaywindow() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input(): bogus value from" + " checkreplaywindow() in SA %s/%08x\n", + ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + espstat.esps_replay++; return EACCES; } } @@ -613,8 +622,7 @@ esp_input_cb(void *op) (unsigned char *) &btsx); btsx = ntohl(btsx); - switch (checkreplaywindow(btsx, &tdb->tdb_rpl, tdb->tdb_wnd, - &tdb->tdb_bitmap, &esn, tdb->tdb_flags & TDBF_ESN, 1)) { + switch (checkreplaywindow(tdb, btsx, &esn, 1)) { case 0: /* All's well */ #if NPFSYNC > 0 pfsync_update_tdb(tdb,0); 
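Review bot: esp_input() returns EACCES on every replay-window failure while the parallel arms in ah_input() return ENOBUFS for the identical conditions, so the "consistent return code handling" stops at the file boundary and a caller that distinguishes the two values sees a different error for the same replayed packet depending on the protocol. Either settle on one value for both files or record the reason for the difference in a short comment above the switch, so the next cleanup does not silently unify them. esp_input() continues outside the hunk.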
@@ -622,20 +630,31 @@ esp_input_cb(void *op) break; case 1: - DPRINTF(("esp_input_cb(): replay counter wrapped for SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input_cb(): replay counter wrapped" + " for SA %s/%08x\n", + ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); espstat.esps_wrap++; error = EACCES; goto baddone; - case 2: + DPRINTF(("esp_input_cb(): old packet received" + " in SA %s/%08x\n", + ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + espstat.esps_replay++; + error = EACCES; + goto baddone; case 3: - DPRINTF(("esp_input_cb(): duplicate packet received in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input_cb(): duplicate packet received" + " in SA %s/%08x\n", + ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); espstat.esps_replay++; error = EACCES; goto baddone; - default: - DPRINTF(("esp_input_cb(): bogus value from checkreplaywindow() in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input_cb(): bogus value from" + " checkreplaywindow() in SA %s/%08x\n", + ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + espstat.esps_replay++; error = EACCES; goto baddone; } @@ -1130,14 +1149,17 @@ setreplay(u_int64_t *bitmap, u_int32_t diff, u_int32_t window, int wupdate) * return 3 for packet within current window but already received */ int -checkreplaywindow(u_int32_t seq, u_int64_t *last, u_int32_t window, - u_int64_t *bitmap, u_int32_t *seqhigh, int esn, int commit) +checkreplaywindow(struct tdb *tdb, u_int32_t seq, u_int32_t *seqhigh, + int commit) { u_int32_t tl, th, wl; u_int32_t seqh, diff; + u_int32_t window = tdb->tdb_wnd; + u_int64_t *bitmap = &tdb->tdb_bitmap; + int esn = tdb->tdb_flags & TDBF_ESN; - tl = (u_int32_t)*last; - th = (u_int32_t)(*last >> 32); + tl = (u_int32_t)tdb->tdb_rpl; + th = (u_int32_t)(tdb->tdb_rpl >> 32); /* Zero SN is not allowed */ if (seq == 0 && tl == 0 && th == 0) 
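Review bot: In the checkreplaywindow() hunk the writes to the SA are now hidden behind `tdb`, and the visible tail of the function's header comment only lists return values, so the `commit` contract is undocumented. Add to that comment that with commit == 0 the call is read-only (tl/th are copied out of tdb_rpl and the window is only tested), and with commit != 0 it passes tdb_bitmap to setreplay() and stores the new sequence number in tdb_rpl — which is why the *_input() callers pass 0 before the crypto callback and the *_input_cb() callers pass 1. A one-line reminder that `esn` holds the raw `TDBF_ESN` bit, presumably tested only for non-zero, would also help. The function continues outside the hunk.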
@@ -1160,7 +1182,7 @@ checkreplaywindow(u_int32_t seq, u_int64_t *last, u_int32_t window, return (2); if (commit) { setreplay(bitmap, seq - tl, window, 1); - *last = ((u_int64_t)seqh << 32) | seq; + tdb->tdb_rpl = ((u_int64_t)seqh << 32) | seq; } } else { if (checkreplay(bitmap, tl - seq)) @@ -1207,7 +1229,7 @@ checkreplaywindow(u_int32_t seq, u_int64_t *last, u_int32_t window, diff = (u_int32_t)((((u_int64_t)seqh << 32) | seq) - (((u_int64_t)th << 32) | tl)); setreplay(bitmap, diff, window, 1); - *last = ((u_int64_t)seqh << 32) | seq; + tdb->tdb_rpl = ((u_int64_t)seqh << 32) | seq; } return (0); diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index ddb9e6d6da3..2e6afe7e398 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.151 2012/10/08 17:41:55 camield Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.152 2012/10/18 10:49:48 markus Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -616,8 +616,7 @@ extern int tcp_signature_tdb_output(struct mbuf *, struct tdb *, struct mbuf **, int, int); /* Replay window */ -extern int checkreplaywindow(u_int32_t, u_int64_t *, u_int32_t, u_int64_t *, - u_int32_t *, int, int); +extern int checkreplaywindow(struct tdb *, u_int32_t, u_int32_t *, int); extern unsigned char ipseczeroes[]; |