diff options
author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-06-27 01:34:08 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-06-27 01:34:08 +0000 |
commit | b6a7a7ace82099c72493dcb71528b94a8cfcc618 (patch) | |
tree | 206f43270386d5e0bd9306d21f9c5d3670d955c5 /sys | |
parent | 1e926cdc915e047be6737f2e7fb3271fb7500c9c (diff) |
Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pfkeyv2.c | 8 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.c | 19 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 8 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 64 | ||||
-rw-r--r-- | sys/netinet/ip_spd.c | 109 |
5 files changed, 49 insertions, 159 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index cb37ee43350..f0c43398ffc 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.70 2001/06/26 18:56:31 angelos Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.71 2001/06/27 01:34:06 angelos Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -869,7 +869,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len) sa.tdb_spi = reserve_spi(sprng->sadb_spirange_min, sprng->sadb_spirange_max, &sa.tdb_src, &sa.tdb_dst, - sa.tdb_sproto, &rval, smsg->sadb_msg_seq); + sa.tdb_sproto, &rval); if (sa.tdb_spi == 0) goto ret; @@ -961,6 +961,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len) headers[SADB_EXT_KEY_ENCRYPT] = NULL; headers[SADB_X_EXT_LOCAL_AUTH] = NULL; + newsa->tdb_seq = smsg->sadb_msg_seq; + rval = tdb_init(newsa, alg, &ii); if (rval) { @@ -1085,6 +1087,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len) headers[SADB_EXT_KEY_ENCRYPT] = NULL; headers[SADB_X_EXT_LOCAL_AUTH] = NULL; + newsa->tdb_seq = smsg->sadb_msg_seq; + rval = tdb_init(newsa, alg, &ii); if (rval) { diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index 9ff9265650b..b998256fc34 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.137 2001/06/26 18:34:39 angelos Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.138 2001/06/27 01:34:07 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -180,19 +180,19 @@ tdb_hash(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) */ u_int32_t reserve_spi(u_int32_t sspi, u_int32_t tspi, union sockaddr_union *src, - union sockaddr_union *dst, u_int8_t sproto, int *errval, u_int32_t seq) + union sockaddr_union *dst, u_int8_t sproto, int *errval) { struct tdb *tdbp; u_int32_t spi; int nums, s; - /* Don't accept ranges only encompassing reserved SPIs. */ + /* Don't accept ranges only encompassing reserved SPIs. */ if (tspi < sspi || tspi <= SPI_RESERVED_MAX) { (*errval) = EINVAL; return 0; } - /* Limit the range to not include reserved areas. */ + /* Limit the range to not include reserved areas. */ if (sspi <= SPI_RESERVED_MAX) sspi = SPI_RESERVED_MAX + 1; @@ -227,16 +227,16 @@ reserve_spi(u_int32_t sspi, u_int32_t tspi, union sockaddr_union *src, bcopy(&dst->sa, &tdbp->tdb_dst.sa, SA_LEN(&dst->sa)); bcopy(&src->sa, &tdbp->tdb_src.sa, SA_LEN(&src->sa)); tdbp->tdb_sproto = sproto; - tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now */ + tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */ tdbp->tdb_satype = SADB_SATYPE_UNSPEC; - tdbp->tdb_seq = seq; puttdb(tdbp); /* Setup a "silent" expiration (since TDBF_INVALID's set) */ if (ipsec_keep_invalid > 0) { tdbp->tdb_flags |= TDBF_TIMER; tdbp->tdb_exp_timeout = ipsec_keep_invalid; - timeout_add(&tdbp->tdb_timer_tmo, hz * ipsec_keep_invalid); + timeout_add(&tdbp->tdb_timer_tmo, + hz * ipsec_keep_invalid); } return spi; @@ -804,11 +804,6 @@ tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { if (xsp->xf_type == alg) { err = (*(xsp->xf_init))(tdbp, xsp, ii); - - /* Clear possible pending acquires */ - if (!err) - ipsp_clear_acquire(tdbp); - return err; } } diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index c26de99af46..00172430296 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.112 2001/06/26 18:56:30 angelos Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.113 2001/06/27 01:34:07 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -159,7 +159,6 @@ struct ipsec_acquire { u_int32_t ipa_seq; struct sockaddr_encap ipa_info; struct sockaddr_encap ipa_mask; - struct mbuf *ipa_packet; struct timeout ipa_timeout; TAILQ_ENTRY(ipsec_acquire) ipa_next; }; @@ -493,7 +492,7 @@ extern char *ipsp_address(union sockaddr_union); /* TDB management routines */ extern void tdb_add_inp(struct tdb *, struct inpcb *, int); extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *, - union sockaddr_union *, u_int8_t, int *, u_int32_t); + union sockaddr_union *, u_int8_t, int *); extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t); extern struct tdb *gettdbbyaddr(union sockaddr_union *, struct ipsec_policy *, struct mbuf *, int); @@ -603,9 +602,7 @@ extern struct ipsec_policy *ipsec_add_policy(struct sockaddr_encap *, struct sockaddr_encap *, union sockaddr_union *, int, int); extern int ipsec_delete_policy(struct ipsec_policy *); extern struct ipsec_acquire *ipsp_pending_acquire(union sockaddr_union *); -extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t); extern void ipsp_delete_acquire(void *); -extern void ipsp_clear_acquire(struct tdb *); extern int ipsp_is_unspecified(union sockaddr_union); extern void ipsp_reffree(struct ipsec_ref *); extern void ipsp_skipcrypto_unmark(struct tdb_ident *); @@ -615,5 +612,6 @@ extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *); extern ssize_t ipsec_hdrsz(struct tdb *); extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t); extern int ipsp_print_tdb(struct tdb *, char *); +extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t); #endif /* _KERNEL */ #endif /* _NETINET_IPSP_H_ */ diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 77b3ff88c54..d1fcd970d7e 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.127 2001/06/26 18:17:54 deraadt Exp $ */ +/* $OpenBSD: ip_output.c,v 1.128 2001/06/27 01:34:07 angelos Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -167,27 +167,6 @@ ip_output(m0, va_alist) hlen = ip->ip_hl << 2; } -#ifdef IPSEC - s = splnet(); - - /* - * If the higher-level protocol has cached the SA to use, we - * can avoid the routing lookup if the source address is zero. - */ - if (inp != NULL && inp->inp_tdb_out != NULL && - ip->ip_src.s_addr == INADDR_ANY) { - tdb = inp->inp_tdb_out; - if (tdb->tdb_src.sa.sa_family == AF_INET && - tdb->tdb_src.sin.sin_addr.s_addr != INADDR_ANY) { - ip->ip_src.s_addr = tdb->tdb_src.sin.sin_addr.s_addr; - splx(s); - goto skip_routing; - } - } - - splx(s); -#endif /* IPSEC */ - /* * If we're missing the IP source address, do a route lookup. We'll * remember this result, in case we don't need to do any IPsec @@ -259,42 +238,29 @@ ip_output(m0, va_alist) } #ifdef IPSEC - skip_routing: /* * splnet is chosen over spltdb because we are not allowed to * lower the level, and udp_output calls us in splnet(). */ s = splnet(); - /* - * Check if there was an outgoing SA bound to the flow - * from a transport protocol. - */ - if (inp && inp->inp_tdb_out && - inp->inp_tdb_out->tdb_dst.sa.sa_family == AF_INET && - !bcmp(&inp->inp_tdb_out->tdb_dst.sin.sin_addr, - &ip->ip_dst, sizeof(ip->ip_dst))) - tdb = inp->inp_tdb_out; - else { - /* Do we have any pending SAs to apply ? */ - mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); - if (mtag != NULL) { + /* Do we have any pending SAs to apply ? */ + mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); + if (mtag != NULL) { #ifdef DIAGNOSTIC - if (mtag->m_tag_len != sizeof (struct tdb_ident)) - panic("ip_output: tag of length %d (should " - "be %d", mtag->m_tag_len, - sizeof (struct tdb_ident)); + if (mtag->m_tag_len != sizeof (struct tdb_ident)) + panic("ip_output: tag of length %d (should be %d", + mtag->m_tag_len, sizeof (struct tdb_ident)); #endif - tdbi = (struct tdb_ident *)(mtag + 1); - tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); - if (tdb == NULL) - error = -EINVAL; - m_tag_delete(m, mtag); - } - else - tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error, - IPSP_DIRECTION_OUT, NULL, inp); + tdbi = (struct tdb_ident *)(mtag + 1); + tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); + if (tdb == NULL) + error = -EINVAL; + m_tag_delete(m, mtag); } + else + tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error, + IPSP_DIRECTION_OUT, NULL, inp); if (tdb == NULL) { splx(s); diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c index 593e9c289bb..54873b3b116 100644 --- a/sys/netinet/ip_spd.c +++ b/sys/netinet/ip_spd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_spd.c,v 1.32 2001/06/26 23:30:59 angelos Exp $ */ +/* $OpenBSD: ip_spd.c,v 1.33 2001/06/27 01:34:07 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -220,7 +220,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, return NULL; } - /* Actual SPD lookup */ + /* Actual SPD lookup. */ rtalloc((struct route *) re); if (re->re_rt == NULL) { /* @@ -314,7 +314,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, ipo->ipo_tdb = NULL; } - /* Outgoing packet SPD lookup. */ + /* Outgoing packet policy check. */ if (direction == IPSP_DIRECTION_OUT) { /* * If the packet is destined for the policy-specified @@ -661,64 +661,10 @@ ipsp_delete_acquire(void *v) timeout_del(&ipa->ipa_timeout); TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next); - if (ipa->ipa_packet) - m_freem(ipa->ipa_packet); pool_put(&ipsec_acquire_pool, ipa); } /* - * Clear possibly pending ACQUIRE records. - */ -void -ipsp_clear_acquire(struct tdb *tdb) -{ - struct ipsec_acquire *ipa; - - ipa = ipsec_get_acquire(tdb->tdb_seq); - if (ipa == NULL) - return; - - /* Just delete and return if no pending packet. */ - if (ipa->ipa_packet == NULL) { - ipsp_delete_acquire(ipa); - return; - } - - /* Retransmit last packet. */ - switch (ipa->ipa_info.sen_type) { -#ifdef INET - case SENT_IP4: - { - struct ip *ip; - - ip = mtod(ipa->ipa_packet, struct ip *); - - if (ipa->ipa_packet->m_len < sizeof(struct ip)) - break; - - /* Same as in ip_output() -- massage the header. */ - ip->ip_len = htons((u_short) ip->ip_len); - ip->ip_off = htons((u_short) ip->ip_off); - - ipsp_process_packet(ipa->ipa_packet, tdb, AF_INET, 0); - ipa->ipa_packet = NULL; - break; - } -#endif /* INET */ - -#ifdef INET6 - case SENT_IP6: - ipsp_process_packet(ipa->ipa_packet, tdb, AF_INET6, 0); - ipa->ipa_packet = NULL; - break; -#endif /* INET6 */ - } - - /* Delete. */ - ipsp_delete_acquire(ipa); -} - -/* * Find out if there's an ACQUIRE pending. * XXX Need a better structure. */ @@ -750,20 +696,8 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, #endif /* Check whether request has been made already. */ - if ((ipa = ipsp_pending_acquire(gw)) != NULL) { - if ((ipo->ipo_addr.sen_type == SENT_IP4 && - ipo->ipo_addr.sen_direction == IPSP_DIRECTION_OUT) || - (ipo->ipo_addr.sen_type == SENT_IP6 && - ipo->ipo_addr.sen_ip6_direction == IPSP_DIRECTION_OUT)) { - if (ipa->ipa_packet != NULL && m != NULL) { - m_freem(ipa->ipa_packet); - ipa->ipa_packet = m_copym2(m, 0, M_COPYALL, - M_DONTWAIT); - } - } - + if ((ipa = ipsp_pending_acquire(gw)) != NULL) return 0; - } /* Add request in cache and proceed. */ if (ipsec_acquire_pool_initialized == 0) { @@ -876,13 +810,6 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, return 0; } - /* - * Store the packet for eventual retransmission -- failure is not - * catastrophic. - */ - if (m != NULL) - ipa->ipa_packet = m_copym2(m, 0, M_COPYALL, M_DONTWAIT); - timeout_add(&ipa->ipa_timeout, ipsec_expire_acquire * hz); TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next); @@ -891,6 +818,20 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, } /* + * Deal with PCB security requirements. + */ +struct tdb * +ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, + struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) +{ + /* XXX */ + if (ipo != NULL) + return ipo->ipo_tdb; + else + return NULL; +} + +/* * Find a pending ACQUIRE record based on its sequence number. * XXX Need to use a better data structure. */ @@ -906,17 +847,3 @@ ipsec_get_acquire(u_int32_t seq) return NULL; } - -/* - * Deal with PCB security requirements. - */ -struct tdb * -ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction, - struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo) -{ - /* XXX */ - if (ipo != NULL) - return ipo->ipo_tdb; - else - return NULL; -} |