authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-01-27 08:09:13 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-01-27 08:09:13 +0000
commit98f40bbc84e70cdf4b25f5ee817c6eebe3d46a3d (patch)
treed43e5507a833c1b2d60fea7c9e4363d15715be06 /sys/net
parent95d6b976dfe454179868d92f7eab5c4bcdd4ab5a (diff)
Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets *before* being processed, and all incoming packets *after* being processed. Good to be in Canada (land of the free commits).
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pfkeyv2.c45
-rw-r--r--sys/net/pfkeyv2.h26
2 files changed, 46 insertions, 25 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index d2e8b7e0069..844d2493350 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -179,6 +179,12 @@ import_sa(struct tdb *tdb, struct sadb_sa *sadb_sa, struct ipsecinit *ii)
if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
tdb->tdb_flags |= TDBF_TUNNELING;
+
+ if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_RANDOMPADDING)
+ tdb->tdb_flags |= TDBF_RANDOMPADDING;
+
+ if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_NOREPLAY)
+ tdb->tdb_flags |= TDBF_NOREPLAY;
}
if (sadb_sa->sadb_sa_state != SADB_SASTATE_MATURE)
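Review bot: The new `TDBF_NOREPLAY` import copies a userland-supplied flag straight into `tdb_flags` without a comment, although it is the one flag here that weakens the SA rather than configuring it. A one-line comment such as `/* caller explicitly opted out of anti-replay for this SA */` above the `SADB_X_SAFLAGS_NOREPLAY` test would record that this is a deliberate downgrade and not an oversight. The `}` at the end of the hunk closes an `if` block that opens before the hunk, so which SAs reach these lines cannot be seen here.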
@@ -217,6 +223,12 @@ export_sa(void **p, struct tdb *tdb)
if (tdb->tdb_flags & TDBF_TUNNELING)
sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
+ if (tdb->tdb_flags & TDBF_RANDOMPADDING)
+ sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_RANDOMPADDING;
+
+ if (tdb->tdb_flags & TDBF_NOREPLAY)
+ sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY;
+
*p += sizeof(struct sadb_sa);
}
@@ -807,26 +819,24 @@ pfkeyv2_get_proto_alg(u_int8_t satype, u_int8_t *sproto, int *alg)
switch (satype)
{
case SADB_SATYPE_AH:
- case SADB_X_SATYPE_AH_OLD:
if (!ah_enable)
return EOPNOTSUPP;
*sproto = IPPROTO_AH;
if(alg != NULL)
- *alg = satype == SADB_SATYPE_AH ? XF_NEW_AH : XF_OLD_AH;
+ *alg = satype = XF_AH;
break;
case SADB_SATYPE_ESP:
- case SADB_X_SATYPE_ESP_OLD:
if (!esp_enable)
return EOPNOTSUPP;
*sproto = IPPROTO_ESP;
if(alg != NULL)
- *alg = satype == SADB_SATYPE_ESP ? XF_NEW_ESP : XF_OLD_ESP;
+ *alg = satype = XF_ESP;
break;
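Review bot: `*alg = satype = XF_AH;` (and the matching `*alg = satype = XF_ESP;` in the ESP case) writes the algorithm id into the by-value `satype` parameter as well as into `*alg`; it reads like a leftover from the removed ternary rather than an intended assignment. Nothing in the hunk reads `satype` after the switch, but the function continues outside the hunk, and any later use of `satype` there would now see an XF_* value instead of an SADB satype. `*alg = XF_AH;` and `*alg = XF_ESP;` say what is meant.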
@@ -1307,8 +1317,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
case SADB_SATYPE_AH:
case SADB_SATYPE_ESP:
- case SADB_X_SATYPE_AH_OLD:
- case SADB_X_SATYPE_ESP_OLD:
case SADB_X_SATYPE_IPIP:
#ifdef TCP_SIGNATURE
case SADB_X_SATYPE_TCPSIGNATURE:
@@ -1356,8 +1364,13 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
struct rtentry *rt;
ssa = (struct sadb_sa *) headers[SADB_EXT_SA];
- sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] +
- sizeof(struct sadb_address));
+
+ if (headers[SADB_EXT_ADDRESS_DST])
+ sunionp = (union sockaddr_union *)
+ (headers[SADB_EXT_ADDRESS_DST] +
+ sizeof(struct sadb_address));
+ else
+ sunionp = NULL;
/*
* SADB_X_SAFLAGS_REPLACEFLOW set means we should remove any
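Review bot: After this change `sunionp` may be NULL, but the only guard visible on the page is the `(ssa == NULL) || (sunionp == NULL)` check added further down (hunk at +1423), and that check sits inside `if (!delflag || ingress)`. Whether `sunionp` or `ssa` is dereferenced between the two hunks, or on the `else` branch, cannot be confirmed from what is shown, so those uses need checking rather than assuming the later guard covers them. A comment on the new assignment such as `/* may be NULL; every later use must check it */` would make the new contract explicit for the rest of this long function.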
@@ -1410,6 +1423,12 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
if (!delflag || ingress)
{
+ if ((ssa == NULL) || (sunionp == NULL))
+ {
+ rval = EINVAL;
+ goto splxret;
+ }
+
/* Find the relevant SA */
sa2 = gettdb(ssa->sadb_sa_spi, sunionp,
SADB_GETSPROTO(smsg->sadb_msg_satype));
@@ -1463,8 +1482,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
else
if (ingress)
{
- /* If we're deleting a flow... */
- flow = find_flow(src, dst, srcmask, dstmask, sproto,
+ /* If we're deleting an ingress flow... */
+ flow = find_flow(src, srcmask, dst, dstmask, sproto,
sa2, FLOW_INGRESS);
if (flow == NULL)
{
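Review bot: The reordered `find_flow(src, srcmask, dst, dstmask, sproto, sa2, FLOW_INGRESS)` call fixes an argument swap the compiler could not catch, because the address and mask arguments share a type, and it can only be verified against find_flow's prototype, which is not in the hunk. Since the swap went unnoticed once, the other find_flow calls in this function (outside the hunk) are worth checking for the same order. A comment on the call, `/* find_flow argument order: src, srcmask, dst, dstmask */`, would help the next reader; the `flow == NULL` handling continues outside the hunk.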
@@ -1481,6 +1500,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
encapdst.sen_family = PF_KEY;
switch (flow->flow_src.sa.sa_family)
{
+#ifdef INET
case AF_INET:
encapdst.sen_len = SENT_IP4_LEN;
encapdst.sen_type = SENT_IP4;
@@ -1496,8 +1516,9 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
encapnetmask.sen_ip_src = flow->flow_srcmask.sin.sin_addr;
encapnetmask.sen_ip_dst = flow->flow_dstmask.sin.sin_addr;
break;
+#endif /* INET */
-#if INET6
+#ifdef INET6
case AF_INET6:
encapdst.sen_len = SENT_IP6_LEN;
encapdst.sen_type = SENT_IP6;
@@ -1522,6 +1543,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
{
switch (sa2->tdb_dst.sa.sa_family)
{
+#ifdef INET
case AF_INET:
encapgw.sen_len = SENT_IPSP_LEN;
encapgw.sen_family = PF_KEY;
@@ -1541,6 +1563,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
encapnetmask.sen_dport = 0xffff;
}
break;
+#endif /* INET */
#if INET6
case AF_INET6:
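Review bot: `#if INET6` is left as-is in this second switch while the equivalent guard in the first switch (hunk at +1516) was changed to `#ifdef INET6`; the two guards should agree, otherwise a build that defines INET6 to an empty value would fail here but not there, and the two switches could silently compile different case sets. Change this one to `#ifdef INET6` as well. The `#endif` for the newly added `#ifdef INET` and the rest of this switch are outside the hunk.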
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index 4c8f30fdd57..1952b82a05b 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -160,9 +160,7 @@ struct sadb_protocol {
};
#define SADB_GETSPROTO(x) ( (x) == SADB_SATYPE_AH ? IPPROTO_AH :\
- (x) == SADB_X_SATYPE_AH_OLD ? IPPROTO_AH :\
(x) == SADB_SATYPE_ESP ? IPPROTO_ESP :\
- (x) == SADB_X_SATYPE_ESP_OLD ? IPPROTO_ESP :\
(x) == SADB_X_SATYPE_BYPASS ? IPPROTO_IP :\
IPPROTO_IPIP )
@@ -199,12 +197,10 @@ struct sadb_protocol {
#define SADB_SATYPE_OSPFV2 4
#define SADB_SATYPE_RIPV2 5
#define SADB_SATYPE_MIP 6
-#define SADB_X_SATYPE_AH_OLD 7
-#define SADB_X_SATYPE_ESP_OLD 8
-#define SADB_X_SATYPE_IPIP 9
-#define SADB_X_SATYPE_TCPSIGNATURE 10
-#define SADB_X_SATYPE_BYPASS 11
-#define SADB_SATYPE_MAX 11
+#define SADB_X_SATYPE_IPIP 7
+#define SADB_X_SATYPE_TCPSIGNATURE 8
+#define SADB_X_SATYPE_BYPASS 9
+#define SADB_SATYPE_MAX 9
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
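Review bot: Renumbering SADB_X_SATYPE_IPIP, SADB_X_SATYPE_TCPSIGNATURE and SADB_X_SATYPE_BYPASS from 9/10/11 to 7/8/9 changes values that cross the PF_KEY socket, so userland built against the previous header will send satype 9 meaning IPIP and have the kernel read it as BYPASS; the commit description does not mention this. If the renumbering is intended, a comment next to the definitions such as `/* 7 and 8 were SADB_X_SATYPE_{AH,ESP}_OLD; renumbered, rebuild PF_KEY users */` would make the ABI break visible. Otherwise keeping the old numbers and leaving 7 and 8 unassigned avoids it.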
@@ -230,12 +226,14 @@ struct sadb_protocol {
#define SADB_X_EALG_SKIPJACK 5
#define SADB_EALG_MAX 5
-#define SADB_SAFLAGS_PFS 0x01 /* perfect forward secrecy */
-#define SADB_X_SAFLAGS_HALFIV 0x02 /* Used for ESP-old */
-#define SADB_X_SAFLAGS_TUNNEL 0x04 /* Force tunneling */
-#define SADB_X_SAFLAGS_CHAINDEL 0x08 /* Delete whole SA chain */
-#define SADB_X_SAFLAGS_REPLACEFLOW 0x20 /* Replace existing flow */
-#define SADB_X_SAFLAGS_INGRESS_FLOW 0x40 /* Ingress ACL entry */
+#define SADB_SAFLAGS_PFS 0x001 /* perfect forward secrecy */
+#define SADB_X_SAFLAGS_HALFIV 0x002 /* Used for ESP-old */
+#define SADB_X_SAFLAGS_TUNNEL 0x004 /* Force tunneling */
+#define SADB_X_SAFLAGS_CHAINDEL 0x008 /* Delete whole SA chain */
+#define SADB_X_SAFLAGS_REPLACEFLOW 0x020 /* Replace existing flow */
+#define SADB_X_SAFLAGS_INGRESS_FLOW 0x040 /* Ingress ACL entry */
+#define SADB_X_SAFLAGS_RANDOMPADDING 0x080 /* Random ESP padding */
+#define SADB_X_SAFLAGS_NOREPLAY 0x100 /* No replay counter */
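Review bot: The comment on SADB_X_SAFLAGS_NOREPLAY, `/* No replay counter */`, describes the mechanism but not the consequence a reader of this header needs, which is presumably that the SA gets no anti-replay protection at all; `/* Disable anti-replay: no sequence-number window is kept for this SA */` would say so. The widening of the existing values to three hex digits is cosmetic and 0x010 stays unassigned as before. That 0x100 fits in sadb_sa_flags depends on the field's width in the struct definition, which is not in the hunk.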
#define SADB_IDENTTYPE_RESERVED 0
#define SADB_IDENTTYPE_PREFIX 1