authorAlexander Bluhm <bluhm@cvs.openbsd.org>2023-11-26 22:08:11 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2023-11-26 22:08:11 +0000
commita68fa4eadf829f718efc31b5949b5e83812e1e2f (patch)
treede1c2e3c0515b35c6bf15a66eeebeb0ab107d7d4
parentc2b025a2707faa1748e9c605c30c9e4ca570e725 (diff)
Remove inp parameter from ip_output().
ip_output() received inp as parameter. This is only used to lookup the IPsec level of the socket. Reasoning about MP locking is much easier if only relevant data is passed around. Convert ip_output() to receive constant inp_seclevel as argument and mark it as protected by net lock. OK mvs@
-rw-r--r--sys/netinet/in_pcb.h4
-rw-r--r--sys/netinet/ip_ipsp.h4
-rw-r--r--sys/netinet/ip_output.c19
-rw-r--r--sys/netinet/ip_spd.c59
-rw-r--r--sys/netinet/ip_var.h4
-rw-r--r--sys/netinet/raw_ip.c4
-rw-r--r--sys/netinet/tcp_input.c6
-rw-r--r--sys/netinet/tcp_output.c10
-rw-r--r--sys/netinet/tcp_subr.c6
-rw-r--r--sys/netinet/udp_usrreq.c6
-rw-r--r--sys/netinet6/ip6_output.c18
-rw-r--r--sys/netinet6/ip6_var.h6
-rw-r--r--sys/netinet6/raw_ip6.c4
-rw-r--r--sys/netinet6/udp6_output.c4
14 files changed, 73 insertions, 81 deletions
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 797f4b289da..7118488fd68 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.h,v 1.137 2023/11/12 23:19:15 bluhm Exp $ */
+/* $OpenBSD: in_pcb.h,v 1.138 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */
/*
@@ -141,7 +141,7 @@ struct inpcb {
} inp_mou;
#define inp_moptions inp_mou.mou_mo
#define inp_moptions6 inp_mou.mou_mo6
- u_char inp_seclevel[4];
+ u_char inp_seclevel[4]; /* [N] IPsec level of socket */
#define SL_AUTH 0 /* Authentication level */
#define SL_ESP_TRANS 1 /* ESP transport level */
#define SL_ESP_NETWORK 2 /* ESP network (encapsulation) level */
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index d5100a55eb8..0b847b9b9b1 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.243 2023/10/11 22:13:16 tobhe Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.244 2023/11/26 22:08:10 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -671,7 +671,7 @@ int checkreplaywindow(struct tdb *, u_int64_t, u_int32_t, u_int32_t *, int);
int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int ipsp_process_done(struct mbuf *, struct tdb *);
int ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
- struct inpcb *, struct tdb **, struct ipsec_ids *);
+ const u_char[], struct tdb **, struct ipsec_ids *);
int ipsp_is_unspecified(union sockaddr_union);
int ipsp_aux_match(struct tdb *, struct ipsec_ids *,
struct sockaddr_encap *, struct sockaddr_encap *);
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 1094c495ae0..fb9cc84fd14 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.390 2023/07/07 08:05:02 bluhm Exp $ */
+/* $OpenBSD: ip_output.c,v 1.391 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -84,7 +84,7 @@ void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *);
static u_int16_t in_cksum_phdr(u_int32_t, u_int32_t, u_int32_t);
void in_delayed_cksum(struct mbuf *);
-int ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
+int ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
struct tdb **, int ipsecflowinfo);
void ip_output_ipsec_pmtu_update(struct tdb *, struct route *, struct in_addr,
int, int);
@@ -98,7 +98,7 @@ int ip_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int);
*/
int
ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
- struct ip_moptions *imo, struct inpcb *inp, u_int32_t ipsecflowinfo)
+ struct ip_moptions *imo, const u_char seclevel[], u_int32_t ipsecflowinfo)
{
struct ip *ip;
struct ifnet *ifp = NULL;
@@ -115,11 +115,6 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
NET_ASSERT_LOCKED();
-#ifdef IPSEC
- if (inp && (inp->inp_flags & INP_IPV6) != 0)
- panic("ip_output: IPv6 pcb is passed");
-#endif /* IPSEC */
-
#ifdef DIAGNOSTIC
if ((m->m_flags & M_PKTHDR) == 0)
panic("ip_output no HDR");
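Review bot: Dropping the `#ifdef IPSEC` family sanity check leaves no replacement: `seclevel` is a bare `const u_char[]` and cannot distinguish an IPv4 pcb's array from an IPv6 one, so a caller that hands an `INP_IPV6` socket's levels to ip_output() is no longer caught by the panic. The same removal occurs in ip6_output() in sys/netinet6/ip6_output.c. If the guard is considered obsolete now that every caller passes `inp->inp_seclevel` straight from its own pcb, a one-line comment at this spot would record that decision, e.g. `/* seclevel[] carries no address family; the former IPv6-pcb check cannot be reproduced here */`. ip_output()'s body continues outside the hunk.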
@@ -240,9 +235,9 @@ reroute:
}
#ifdef IPSEC
- if (ipsec_in_use || inp != NULL) {
+ if (ipsec_in_use || seclevel != NULL) {
/* Do we have any pending SAs to apply ? */
- error = ip_output_ipsec_lookup(m, hlen, inp, &tdb,
+ error = ip_output_ipsec_lookup(m, hlen, seclevel, &tdb,
ipsecflowinfo);
if (error) {
/* Should silently drop packet */
@@ -514,7 +509,7 @@ bad:
#ifdef IPSEC
int
-ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
+ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
struct tdb **tdbout, int ipsecflowinfo)
{
struct m_tag *mtag;
@@ -527,7 +522,7 @@ ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
if (ipsecflowinfo)
ids = ipsp_ids_lookup(ipsecflowinfo);
error = ipsp_spd_lookup(m, AF_INET, hlen, IPSP_DIRECTION_OUT,
- NULL, inp, &tdb, ids);
+ NULL, seclevel, &tdb, ids);
ipsp_ids_free(ids);
if (error || tdb == NULL) {
*tdbout = NULL;
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index 1d40979bd9f..ed27d5a4e29 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.118 2023/04/22 20:51:56 mvs Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.119 2023/11/26 22:08:10 bluhm Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -39,7 +39,7 @@
#include <netinet/ip_ipsp.h>
#include <net/pfkeyv2.h>
-int ipsp_spd_inp(struct mbuf *, struct inpcb *, struct ipsec_policy *,
+int ipsp_spd_inp(struct mbuf *, const u_char *, struct ipsec_policy *,
struct tdb **);
int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
@@ -153,7 +153,7 @@ spd_table_walk(unsigned int rtableid,
*/
int
ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
- struct tdb *tdbin, struct inpcb *inp, struct tdb **tdbout,
+ struct tdb *tdbin, const u_char seclevel[], struct tdb **tdbout,
struct ipsec_ids *ipsecflowinfo_ids)
{
struct radix_node_head *rnh;
@@ -172,15 +172,15 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
* continuing with the SPD lookup.
*/
if (!ipsec_in_use)
- return ipsp_spd_inp(m, inp, NULL, tdbout);
+ return ipsp_spd_inp(m, seclevel, NULL, tdbout);
/*
* If an input packet is destined to a BYPASS socket, just accept it.
*/
- if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) &&
- (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
- (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
- (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
+ if ((seclevel != NULL) && (direction == IPSP_DIRECTION_IN) &&
+ (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
+ (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
+ (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
if (tdbout != NULL)
*tdbout = NULL;
return 0;
@@ -311,13 +311,13 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
* Return whatever the socket requirements are, there are no
* system-wide policies.
*/
- return ipsp_spd_inp(m, inp, NULL, tdbout);
+ return ipsp_spd_inp(m, seclevel, NULL, tdbout);
}
ipo = (struct ipsec_policy *)rn;
switch (ipo->ipo_type) {
case IPSP_PERMIT:
- return ipsp_spd_inp(m, inp, ipo, tdbout);
+ return ipsp_spd_inp(m, seclevel, ipo, tdbout);
case IPSP_DENY:
return EHOSTUNREACH;
@@ -384,11 +384,10 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
* gateway/endhost, and the socket has the BYPASS
* option set, skip IPsec processing.
*/
- if ((inp != NULL) &&
- (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
- (inp->inp_seclevel[SL_ESP_NETWORK] ==
- IPSEC_LEVEL_BYPASS) &&
- (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
+ if ((seclevel != NULL) &&
+ (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
+ (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
+ (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
/* Direct match. */
if (dignore ||
!memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
@@ -414,7 +413,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
goto nomatchout;
/* Cached entry is good. */
- error = ipsp_spd_inp(m, inp, ipo, tdbout);
+ error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
mtx_leave(&ipo_tdb_mtx);
return error;
@@ -475,7 +474,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
TAILQ_INSERT_TAIL(
&ipo->ipo_tdb->tdb_policy_head,
ipo, ipo_tdb_next);
- error = ipsp_spd_inp(m, inp, ipo, tdbout);
+ error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
mtx_leave(&ipo_tdb_mtx);
return error;
}
@@ -503,7 +502,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
/* FALLTHROUGH */
case IPSP_IPSEC_USE:
- return ipsp_spd_inp(m, inp, ipo, tdbout);
+ return ipsp_spd_inp(m, seclevel, ipo, tdbout);
}
} else { /* IPSP_DIRECTION_IN */
if (tdbin != NULL) {
@@ -528,7 +527,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
/* Direct match in the cache. */
mtx_enter(&ipo_tdb_mtx);
if (ipo->ipo_tdb == tdbin) {
- error = ipsp_spd_inp(m, inp, ipo, tdbout);
+ error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
mtx_leave(&ipo_tdb_mtx);
return error;
}
@@ -556,7 +555,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
ipo->ipo_tdb = tdb_ref(tdbin);
TAILQ_INSERT_TAIL(&tdbin->tdb_policy_head, ipo,
ipo_tdb_next);
- error = ipsp_spd_inp(m, inp, ipo, tdbout);
+ error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
mtx_leave(&ipo_tdb_mtx);
return error;
@@ -647,7 +646,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
case IPSP_IPSEC_ACQUIRE:
/* If appropriate SA exists, don't acquire another. */
if (ipo->ipo_tdb != NULL)
- return ipsp_spd_inp(m, inp, ipo, tdbout);
+ return ipsp_spd_inp(m, seclevel, ipo, tdbout);
/* Acquire SA through key management. */
ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst,
@@ -655,7 +654,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
/* FALLTHROUGH */
case IPSP_IPSEC_USE:
- return ipsp_spd_inp(m, inp, ipo, tdbout);
+ return ipsp_spd_inp(m, seclevel, ipo, tdbout);
}
}
@@ -905,23 +904,23 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
* Deal with PCB security requirements.
*/
int
-ipsp_spd_inp(struct mbuf *m, struct inpcb *inp, struct ipsec_policy *ipo,
+ipsp_spd_inp(struct mbuf *m, const u_char seclevel[], struct ipsec_policy *ipo,
struct tdb **tdbout)
{
/* Sanity check. */
- if (inp == NULL)
+ if (seclevel == NULL)
goto justreturn;
/* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */
- if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
- inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
- inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
+ if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
+ seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
+ seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
goto justreturn;
- if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
- inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
- inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
+ if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
+ seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
+ seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
goto justreturn;
return -EINVAL; /* Silently drop packet. */
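Review bot: The new `const u_char seclevel[]` parameter of ipsp_spd_inp() and ipsp_spd_lookup() carries neither a length nor a note on ownership, yet the callee indexes it with SL_AUTH, SL_ESP_TRANS and SL_ESP_NETWORK, and the in_pcb.h hunk marks the backing `inp_seclevel` as `[N]` net-lock protected. A comment above the `Sanity check.` line would make that contract explicit for future callers that do not pass a pcb array, e.g. `/* seclevel is the socket's inp_seclevel[] (indexed by SL_*, read under net lock) or NULL */`. The function continues past `return -EINVAL;` outside the hunk.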
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index b93b27ca337..789796633e3 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_var.h,v 1.109 2023/04/05 21:51:47 bluhm Exp $ */
+/* $OpenBSD: ip_var.h,v 1.110 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $ */
/*
@@ -236,7 +236,7 @@ struct mbuf*
int ip_mforward(struct mbuf *, struct ifnet *);
int ip_optcopy(struct ip *, struct ip *);
int ip_output(struct mbuf *, struct mbuf *, struct route *, int,
- struct ip_moptions *, struct inpcb *, u_int32_t);
+ struct ip_moptions *, const u_char[], u_int32_t);
u_int16_t
ip_randomid(void);
void ip_send(struct mbuf *);
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 66597c5ebea..72c9229979d 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.151 2023/01/22 12:05:44 mvs Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.152 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
/*
@@ -326,7 +326,7 @@ rip_output(struct mbuf *m, struct socket *so, struct sockaddr *dstaddr,
#endif
error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
- inp->inp_moptions, inp, 0);
+ inp->inp_moptions, inp->inp_seclevel, 0);
return (error);
}
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 19b6a182065..0b36decfdda 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.392 2023/11/16 18:27:48 bluhm Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.393 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -586,7 +586,7 @@ findpcb:
&tdbi->dst, tdbi->proto);
}
error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
- tdb, inp, NULL, NULL);
+ tdb, inp->inp_seclevel, NULL, NULL);
tdb_unref(tdb);
if (error) {
tcpstat_inc(tcps_rcvnosec);
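Review bot: `inp->inp_seclevel` is now dereferenced unconditionally at the ipsp_spd_lookup() call, whereas before a NULL `inp` was absorbed inside ipsp_spd_lookup()/ipsp_spd_inp(); the same change appears at the udp_input() call in sys/netinet/udp_usrreq.c. From the surrounding code (the findpcb label and the preceding checks are outside the hunk) inp appears to be non-NULL on this path, but it is worth confirming, since the tcp_respond() sites in tcp_subr.c needed an explicit `tp ? tp->t_inpcb->inp_seclevel : NULL` guard. If a NULL-tolerant form is preferred, `inp != NULL ? inp->inp_seclevel : NULL` preserves the previous behaviour.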
@@ -4162,7 +4162,7 @@ syn_cache_respond(struct syn_cache *sc, struct mbuf *m, uint64_t now)
ip->ip_tos = inp->inp_ip.ip_tos;
error = ip_output(m, sc->sc_ipopts, &sc->sc_route4,
- (ip_mtudisc ? IP_MTUDISC : 0), NULL, inp, 0);
+ (ip_mtudisc ? IP_MTUDISC : 0), NULL, inp->inp_seclevel, 0);
break;
#ifdef INET6
case AF_INET6:
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 8903d420065..80d1956839f 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_output.c,v 1.140 2023/07/06 09:15:24 bluhm Exp $ */
+/* $OpenBSD: tcp_output.c,v 1.141 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */
/*
@@ -1087,8 +1087,9 @@ send:
SET(m->m_pkthdr.csum_flags, M_FLOWID);
#endif
error = ip_output(m, tp->t_inpcb->inp_options,
- &tp->t_inpcb->inp_route,
- (ip_mtudisc ? IP_MTUDISC : 0), NULL, tp->t_inpcb, 0);
+ &tp->t_inpcb->inp_route,
+ (ip_mtudisc ? IP_MTUDISC : 0), NULL,
+ tp->t_inpcb->inp_seclevel, 0);
break;
#ifdef INET6
case AF_INET6:
@@ -1107,7 +1108,8 @@ send:
#endif
}
error = ip6_output(m, tp->t_inpcb->inp_outputopts6,
- &tp->t_inpcb->inp_route6, 0, NULL, tp->t_inpcb);
+ &tp->t_inpcb->inp_route6, 0, NULL,
+ tp->t_inpcb->inp_seclevel);
break;
#endif /* INET6 */
}
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 7c68c484e31..bc78132a7ee 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_subr.c,v 1.192 2023/07/06 09:15:24 bluhm Exp $ */
+/* $OpenBSD: tcp_subr.c,v 1.193 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */
/*
@@ -402,7 +402,7 @@ tcp_respond(struct tcpcb *tp, caddr_t template, struct tcphdr *th0,
ip6_output(m, tp ? tp->t_inpcb->inp_outputopts6 : NULL,
tp ? &tp->t_inpcb->inp_route6 : NULL,
0, NULL,
- tp ? tp->t_inpcb : NULL);
+ tp ? tp->t_inpcb->inp_seclevel : NULL);
break;
#endif /* INET6 */
case AF_INET:
@@ -412,7 +412,7 @@ tcp_respond(struct tcpcb *tp, caddr_t template, struct tcphdr *th0,
ip_output(m, NULL,
tp ? &tp->t_inpcb->inp_route : NULL,
ip_mtudisc ? IP_MTUDISC : 0, NULL,
- tp ? tp->t_inpcb : NULL, 0);
+ tp ? tp->t_inpcb->inp_seclevel : NULL, 0);
break;
}
}
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 5daee4d8efb..c9b4c51ea09 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.306 2023/09/16 09:33:27 mpi Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.307 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -543,7 +543,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af)
} else
tdb = NULL;
error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
- tdb, inp, NULL, NULL);
+ tdb, inp->inp_seclevel, NULL, NULL);
if (error) {
udpstat_inc(udps_nosec);
tdb_unref(tdb);
@@ -1065,7 +1065,7 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct mbuf *addr,
error = ip_output(m, inp->inp_options, &inp->inp_route,
(inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions,
- inp, ipsecflowinfo);
+ inp->inp_seclevel, ipsecflowinfo);
bail:
m_freem(control);
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 8057f26e8aa..df8fecdc9ed 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.279 2023/07/07 08:05:02 bluhm Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.280 2023/11/26 22:08:10 bluhm Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -161,7 +161,7 @@ struct idgen32_ctx ip6_id_ctx;
*/
int
ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route_in6 *ro,
- int flags, struct ip6_moptions *im6o, struct inpcb *inp)
+ int flags, struct ip6_moptions *im6o, const u_char seclevel[])
{
struct ip6_hdr *ip6;
struct ifnet *ifp = NULL;
@@ -185,11 +185,6 @@ ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route_in6 *ro,
struct tdb *tdb = NULL;
#endif /* IPSEC */
-#ifdef IPSEC
- if (inp && (inp->inp_flags & INP_IPV6) == 0)
- panic("%s: IPv4 pcb is passed", __func__);
-#endif /* IPSEC */
-
ip6 = mtod(m, struct ip6_hdr *);
finaldst = ip6->ip6_dst;
@@ -218,8 +213,8 @@ ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route_in6 *ro,
}
#ifdef IPSEC
- if (ipsec_in_use || inp != NULL) {
- error = ip6_output_ipsec_lookup(m, inp, &tdb);
+ if (ipsec_in_use || seclevel != NULL) {
+ error = ip6_output_ipsec_lookup(m, seclevel, &tdb);
if (error) {
/*
* -EINVAL is used to indicate that the packet should
@@ -2751,7 +2746,8 @@ in6_proto_cksum_out(struct mbuf *m, struct ifnet *ifp)
#ifdef IPSEC
int
-ip6_output_ipsec_lookup(struct mbuf *m, struct inpcb *inp, struct tdb **tdbout)
+ip6_output_ipsec_lookup(struct mbuf *m, const u_char seclevel[],
+ struct tdb **tdbout)
{
struct tdb *tdb;
struct m_tag *mtag;
@@ -2765,7 +2761,7 @@ ip6_output_ipsec_lookup(struct mbuf *m, struct inpcb *inp, struct tdb **tdbout)
/* Do we have any pending SAs to apply ? */
error = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr),
- IPSP_DIRECTION_OUT, NULL, inp, &tdb, NULL);
+ IPSP_DIRECTION_OUT, NULL, seclevel, &tdb, NULL);
if (error || tdb == NULL) {
*tdbout = NULL;
return error;
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index 9ded8f10151..f5b8839b266 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_var.h,v 1.106 2022/11/12 02:49:34 kn Exp $ */
+/* $OpenBSD: ip6_var.h,v 1.107 2023/11/26 22:08:10 bluhm Exp $ */
/* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */
/*
@@ -325,7 +325,7 @@ void ip6_forward(struct mbuf *, struct rtentry *, int);
void ip6_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in6 *);
int ip6_output(struct mbuf *, struct ip6_pktopts *, struct route_in6 *, int,
- struct ip6_moptions *, struct inpcb *);
+ struct ip6_moptions *, const u_char[]);
int ip6_fragment(struct mbuf *, struct mbuf_list *, int, u_char, u_long);
int ip6_ctloutput(int, struct socket *, int, int, struct mbuf *);
int ip6_raw_ctloutput(int, struct socket *, int, int, struct mbuf *);
@@ -376,7 +376,7 @@ u_int32_t ip6_randomflowlabel(void);
#ifdef IPSEC
struct tdb;
-int ip6_output_ipsec_lookup(struct mbuf *, struct inpcb *, struct tdb **);
+int ip6_output_ipsec_lookup(struct mbuf *, const u_char[], struct tdb **);
int ip6_output_ipsec_send(struct tdb *, struct mbuf *, struct route_in6 *,
int, int);
#endif /* IPSEC */
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 05879b42fad..e4ff181897d 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip6.c,v 1.173 2023/09/16 09:33:27 mpi Exp $ */
+/* $OpenBSD: raw_ip6.c,v 1.174 2023/11/26 22:08:10 bluhm Exp $ */
/* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */
/*
@@ -514,7 +514,7 @@ rip6_output(struct mbuf *m, struct socket *so, struct sockaddr *dstaddr,
#endif
error = ip6_output(m, optp, &in6p->inp_route6, flags,
- in6p->inp_moptions6, in6p);
+ in6p->inp_moptions6, in6p->inp_seclevel);
if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {
icmp6stat_inc(icp6s_outhist + type);
} else
diff --git a/sys/netinet6/udp6_output.c b/sys/netinet6/udp6_output.c
index 0920133863e..15f7ad06a39 100644
--- a/sys/netinet6/udp6_output.c
+++ b/sys/netinet6/udp6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp6_output.c,v 1.59 2022/02/22 01:35:41 guenther Exp $ */
+/* $OpenBSD: udp6_output.c,v 1.60 2023/11/26 22:08:10 bluhm Exp $ */
/* $KAME: udp6_output.c,v 1.21 2001/02/07 11:51:54 itojun Exp $ */
/*
@@ -232,7 +232,7 @@ udp6_output(struct inpcb *in6p, struct mbuf *m, struct mbuf *addr6,
#endif
error = ip6_output(m, optp, &in6p->inp_route6,
- flags, in6p->inp_moptions6, in6p);
+ flags, in6p->inp_moptions6, in6p->inp_seclevel);
goto releaseopt;
release: