authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-06-27 01:34:08 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-06-27 01:34:08 +0000
commitb6a7a7ace82099c72493dcb71528b94a8cfcc618 (patch)
tree206f43270386d5e0bd9306d21f9c5d3670d955c5 /sys
parent1e926cdc915e047be6737f2e7fb3271fb7500c9c (diff)
Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pfkeyv2.c8
-rw-r--r--sys/netinet/ip_ipsp.c19
-rw-r--r--sys/netinet/ip_ipsp.h8
-rw-r--r--sys/netinet/ip_output.c64
-rw-r--r--sys/netinet/ip_spd.c109
5 files changed, 49 insertions, 159 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index cb37ee43350..f0c43398ffc 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.70 2001/06/26 18:56:31 angelos Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.71 2001/06/27 01:34:06 angelos Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -869,7 +869,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
sa.tdb_spi = reserve_spi(sprng->sadb_spirange_min,
sprng->sadb_spirange_max,
&sa.tdb_src, &sa.tdb_dst,
- sa.tdb_sproto, &rval, smsg->sadb_msg_seq);
+ sa.tdb_sproto, &rval);
if (sa.tdb_spi == 0)
goto ret;
@@ -961,6 +961,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
headers[SADB_EXT_KEY_ENCRYPT] = NULL;
headers[SADB_X_EXT_LOCAL_AUTH] = NULL;
+ newsa->tdb_seq = smsg->sadb_msg_seq;
+
rval = tdb_init(newsa, alg, &ii);
if (rval)
{
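Review bot: The new `newsa->tdb_seq = smsg->sadb_msg_seq;` stores a caller-chosen PF_KEY sequence number into the SA, but nothing else in this diff reads tdb_seq any more: the only consumer visible on the old side, ipsp_clear_acquire() in tdb_init(), is deleted in this same commit, and ipsec_get_acquire() is only re-declared, not called. A one-line comment would stop the next reader from hunting for the consumer, e.g. `/* Remember the PF_KEY seq so a pending ACQUIRE can be matched to this SA. */`, assuming that is still the intent. The same assignment is duplicated verbatim in the second hunk of this file; if the two header-clearing blocks are otherwise identical, a small static helper would keep them from drifting. pfkeyv2_send() starts and ends outside the hunk.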
@@ -1085,6 +1087,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
headers[SADB_EXT_KEY_ENCRYPT] = NULL;
headers[SADB_X_EXT_LOCAL_AUTH] = NULL;
+ newsa->tdb_seq = smsg->sadb_msg_seq;
+
rval = tdb_init(newsa, alg, &ii);
if (rval)
{
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 9ff9265650b..b998256fc34 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.137 2001/06/26 18:34:39 angelos Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.138 2001/06/27 01:34:07 angelos Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -180,19 +180,19 @@ tdb_hash(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto)
*/
u_int32_t
reserve_spi(u_int32_t sspi, u_int32_t tspi, union sockaddr_union *src,
- union sockaddr_union *dst, u_int8_t sproto, int *errval, u_int32_t seq)
+ union sockaddr_union *dst, u_int8_t sproto, int *errval)
{
struct tdb *tdbp;
u_int32_t spi;
int nums, s;
- /* Don't accept ranges only encompassing reserved SPIs. */
+ /* Don't accept ranges only encompassing reserved SPIs. */
if (tspi < sspi || tspi <= SPI_RESERVED_MAX) {
(*errval) = EINVAL;
return 0;
}
- /* Limit the range to not include reserved areas. */
+ /* Limit the range to not include reserved areas. */
if (sspi <= SPI_RESERVED_MAX)
sspi = SPI_RESERVED_MAX + 1;
@@ -227,16 +227,16 @@ reserve_spi(u_int32_t sspi, u_int32_t tspi, union sockaddr_union *src,
bcopy(&dst->sa, &tdbp->tdb_dst.sa, SA_LEN(&dst->sa));
bcopy(&src->sa, &tdbp->tdb_src.sa, SA_LEN(&src->sa));
tdbp->tdb_sproto = sproto;
- tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now */
+ tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */
tdbp->tdb_satype = SADB_SATYPE_UNSPEC;
- tdbp->tdb_seq = seq;
puttdb(tdbp);
/* Setup a "silent" expiration (since TDBF_INVALID's set) */
if (ipsec_keep_invalid > 0) {
tdbp->tdb_flags |= TDBF_TIMER;
tdbp->tdb_exp_timeout = ipsec_keep_invalid;
- timeout_add(&tdbp->tdb_timer_tmo, hz * ipsec_keep_invalid);
+ timeout_add(&tdbp->tdb_timer_tmo,
+ hz * ipsec_keep_invalid);
}
return spi;
@@ -804,11 +804,6 @@ tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii)
for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) {
if (xsp->xf_type == alg) {
err = (*(xsp->xf_init))(tdbp, xsp, ii);
-
- /* Clear possible pending acquires */
- if (!err)
- ipsp_clear_acquire(tdbp);
-
return err;
}
}
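Review bot: With the ipsp_clear_acquire() call removed from the success path, no code in this diff deletes a pending ACQUIRE record when its SA is finally installed, so the record lives on until the ipsec_expire_acquire timeout fires; ipsp_acquire_sa() in ip_spd.c returns early whenever such a record exists, so an SA that fails or expires inside that window would get no fresh ACQUIRE. If the PCB-side handling the commit message refers to does not cover this, keeping the bookkeeping half of the old code (without the packet retransmission) would avoid the gap: declare a local `struct ipsec_acquire *ipa;` and after the init call add `if (!err && (ipa = ipsec_get_acquire(tdbp->tdb_seq)) != NULL)` / `ipsp_delete_acquire(ipa);`, which is why ipsec_get_acquire() presumably remains exported. If dropping the record early is intentional, a comment at the call site saying the ACQUIRE is left to time out would make that explicit. tdb_init() continues past the end of the hunk.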
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index c26de99af46..00172430296 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.112 2001/06/26 18:56:30 angelos Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.113 2001/06/27 01:34:07 angelos Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -159,7 +159,6 @@ struct ipsec_acquire {
u_int32_t ipa_seq;
struct sockaddr_encap ipa_info;
struct sockaddr_encap ipa_mask;
- struct mbuf *ipa_packet;
struct timeout ipa_timeout;
TAILQ_ENTRY(ipsec_acquire) ipa_next;
};
@@ -493,7 +492,7 @@ extern char *ipsp_address(union sockaddr_union);
/* TDB management routines */
extern void tdb_add_inp(struct tdb *, struct inpcb *, int);
extern u_int32_t reserve_spi(u_int32_t, u_int32_t, union sockaddr_union *,
- union sockaddr_union *, u_int8_t, int *, u_int32_t);
+ union sockaddr_union *, u_int8_t, int *);
extern struct tdb *gettdb(u_int32_t, union sockaddr_union *, u_int8_t);
extern struct tdb *gettdbbyaddr(union sockaddr_union *, struct ipsec_policy *,
struct mbuf *, int);
@@ -603,9 +602,7 @@ extern struct ipsec_policy *ipsec_add_policy(struct sockaddr_encap *,
struct sockaddr_encap *, union sockaddr_union *, int, int);
extern int ipsec_delete_policy(struct ipsec_policy *);
extern struct ipsec_acquire *ipsp_pending_acquire(union sockaddr_union *);
-extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
extern void ipsp_delete_acquire(void *);
-extern void ipsp_clear_acquire(struct tdb *);
extern int ipsp_is_unspecified(union sockaddr_union);
extern void ipsp_reffree(struct ipsec_ref *);
extern void ipsp_skipcrypto_unmark(struct tdb_ident *);
@@ -615,5 +612,6 @@ extern int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
extern ssize_t ipsec_hdrsz(struct tdb *);
extern void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
extern int ipsp_print_tdb(struct tdb *, char *);
+extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
#endif /* _KERNEL */
#endif /* _NETINET_IPSP_H_ */
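Review bot: The ipsec_get_acquire() prototype is only moved, not changed, and its new home is at the very end of the `_KERNEL` block, away from the other ACQUIRE helpers (ipsp_pending_acquire(), ipsp_delete_acquire()) it belongs with; keeping `extern struct ipsec_acquire *ipsec_get_acquire(u_int32_t);` in its original position next to them would make the group easier to find and keep the diff smaller. If the move is meant to signal that the function is now only used outside the SPD code, a short comment above it would say so.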
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 77b3ff88c54..d1fcd970d7e 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.127 2001/06/26 18:17:54 deraadt Exp $ */
+/* $OpenBSD: ip_output.c,v 1.128 2001/06/27 01:34:07 angelos Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -167,27 +167,6 @@ ip_output(m0, va_alist)
hlen = ip->ip_hl << 2;
}
-#ifdef IPSEC
- s = splnet();
-
- /*
- * If the higher-level protocol has cached the SA to use, we
- * can avoid the routing lookup if the source address is zero.
- */
- if (inp != NULL && inp->inp_tdb_out != NULL &&
- ip->ip_src.s_addr == INADDR_ANY) {
- tdb = inp->inp_tdb_out;
- if (tdb->tdb_src.sa.sa_family == AF_INET &&
- tdb->tdb_src.sin.sin_addr.s_addr != INADDR_ANY) {
- ip->ip_src.s_addr = tdb->tdb_src.sin.sin_addr.s_addr;
- splx(s);
- goto skip_routing;
- }
- }
-
- splx(s);
-#endif /* IPSEC */
-
/*
* If we're missing the IP source address, do a route lookup. We'll
* remember this result, in case we don't need to do any IPsec
@@ -259,42 +238,29 @@ ip_output(m0, va_alist)
}
#ifdef IPSEC
- skip_routing:
/*
* splnet is chosen over spltdb because we are not allowed to
* lower the level, and udp_output calls us in splnet().
*/
s = splnet();
- /*
- * Check if there was an outgoing SA bound to the flow
- * from a transport protocol.
- */
- if (inp && inp->inp_tdb_out &&
- inp->inp_tdb_out->tdb_dst.sa.sa_family == AF_INET &&
- !bcmp(&inp->inp_tdb_out->tdb_dst.sin.sin_addr,
- &ip->ip_dst, sizeof(ip->ip_dst)))
- tdb = inp->inp_tdb_out;
- else {
- /* Do we have any pending SAs to apply ? */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
- if (mtag != NULL) {
+ /* Do we have any pending SAs to apply ? */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
+ if (mtag != NULL) {
#ifdef DIAGNOSTIC
- if (mtag->m_tag_len != sizeof (struct tdb_ident))
- panic("ip_output: tag of length %d (should "
- "be %d", mtag->m_tag_len,
- sizeof (struct tdb_ident));
+ if (mtag->m_tag_len != sizeof (struct tdb_ident))
+ panic("ip_output: tag of length %d (should be %d",
+ mtag->m_tag_len, sizeof (struct tdb_ident));
#endif
- tdbi = (struct tdb_ident *)(mtag + 1);
- tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
- if (tdb == NULL)
- error = -EINVAL;
- m_tag_delete(m, mtag);
- }
- else
- tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
- IPSP_DIRECTION_OUT, NULL, inp);
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
+ if (tdb == NULL)
+ error = -EINVAL;
+ m_tag_delete(m, mtag);
}
+ else
+ tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
+ IPSP_DIRECTION_OUT, NULL, inp);
if (tdb == NULL) {
splx(s);
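Review bot: The re-wrapped DIAGNOSTIC panic passes `sizeof (struct tdb_ident)` (a size_t) to a `%d` conversion and the message is missing its closing parenthesis; since the line is being rewritten anyway, `panic("ip_output: tag of length %d (should be %d)", mtag->m_tag_len, (int)sizeof(struct tdb_ident));` fixes both without relying on a `%zu` the kernel printf may not support. With the PCB fast path removed above, the PACKET_TAG_IPSEC_PENDING_TDB branch is now the only way a packet bypasses ipsp_spd_lookup(); a comment noting that the tag is trusted because only the kernel attaches it would help a reader checking that this is not a policy bypass. The `error = -EINVAL` sentinel on the missing-TDB path is consumed by code below the hunk, so I have not checked that the sign convention still matches; ip_output() starts and ends outside the hunk.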
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index 593e9c289bb..54873b3b116 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.32 2001/06/26 23:30:59 angelos Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.33 2001/06/27 01:34:07 angelos Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -220,7 +220,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
return NULL;
}
- /* Actual SPD lookup */
+ /* Actual SPD lookup. */
rtalloc((struct route *) re);
if (re->re_rt == NULL) {
/*
@@ -314,7 +314,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
ipo->ipo_tdb = NULL;
}
- /* Outgoing packet SPD lookup. */
+ /* Outgoing packet policy check. */
if (direction == IPSP_DIRECTION_OUT) {
/*
* If the packet is destined for the policy-specified
@@ -661,64 +661,10 @@ ipsp_delete_acquire(void *v)
timeout_del(&ipa->ipa_timeout);
TAILQ_REMOVE(&ipsec_acquire_head, ipa, ipa_next);
- if (ipa->ipa_packet)
- m_freem(ipa->ipa_packet);
pool_put(&ipsec_acquire_pool, ipa);
}
/*
- * Clear possibly pending ACQUIRE records.
- */
-void
-ipsp_clear_acquire(struct tdb *tdb)
-{
- struct ipsec_acquire *ipa;
-
- ipa = ipsec_get_acquire(tdb->tdb_seq);
- if (ipa == NULL)
- return;
-
- /* Just delete and return if no pending packet. */
- if (ipa->ipa_packet == NULL) {
- ipsp_delete_acquire(ipa);
- return;
- }
-
- /* Retransmit last packet. */
- switch (ipa->ipa_info.sen_type) {
-#ifdef INET
- case SENT_IP4:
- {
- struct ip *ip;
-
- ip = mtod(ipa->ipa_packet, struct ip *);
-
- if (ipa->ipa_packet->m_len < sizeof(struct ip))
- break;
-
- /* Same as in ip_output() -- massage the header. */
- ip->ip_len = htons((u_short) ip->ip_len);
- ip->ip_off = htons((u_short) ip->ip_off);
-
- ipsp_process_packet(ipa->ipa_packet, tdb, AF_INET, 0);
- ipa->ipa_packet = NULL;
- break;
- }
-#endif /* INET */
-
-#ifdef INET6
- case SENT_IP6:
- ipsp_process_packet(ipa->ipa_packet, tdb, AF_INET6, 0);
- ipa->ipa_packet = NULL;
- break;
-#endif /* INET6 */
- }
-
- /* Delete. */
- ipsp_delete_acquire(ipa);
-}
-
-/*
* Find out if there's an ACQUIRE pending.
* XXX Need a better structure.
*/
@@ -750,20 +696,8 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
#endif
/* Check whether request has been made already. */
- if ((ipa = ipsp_pending_acquire(gw)) != NULL) {
- if ((ipo->ipo_addr.sen_type == SENT_IP4 &&
- ipo->ipo_addr.sen_direction == IPSP_DIRECTION_OUT) ||
- (ipo->ipo_addr.sen_type == SENT_IP6 &&
- ipo->ipo_addr.sen_ip6_direction == IPSP_DIRECTION_OUT)) {
- if (ipa->ipa_packet != NULL && m != NULL) {
- m_freem(ipa->ipa_packet);
- ipa->ipa_packet = m_copym2(m, 0, M_COPYALL,
- M_DONTWAIT);
- }
- }
-
+ if ((ipa = ipsp_pending_acquire(gw)) != NULL)
return 0;
- }
/* Add request in cache and proceed. */
if (ipsec_acquire_pool_initialized == 0) {
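Review bot: After the simplification, `ipa` is assigned in the pending check only to be compared with NULL, and the `m` argument no longer has any use in the visible part of the function (its other use, the m_copym2() copy near the end, is removed in the last hunk); if `m` is unused for the whole body, it deserves either a comment saying the parameter is kept for interface compatibility or removal from the prototype. The check itself could read `if (ipsp_pending_acquire(gw) != NULL)` / `return 0;` unless `ipa` is reused further down, which I cannot see from here. Note also that this early return now means a pending record suppresses new ACQUIREs for the gateway until its timeout, since the diff removes the only place that cleared such records on SA installation. ipsp_acquire_sa() starts and ends outside the hunk.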
@@ -876,13 +810,6 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
return 0;
}
- /*
- * Store the packet for eventual retransmission -- failure is not
- * catastrophic.
- */
- if (m != NULL)
- ipa->ipa_packet = m_copym2(m, 0, M_COPYALL, M_DONTWAIT);
-
timeout_add(&ipa->ipa_timeout, ipsec_expire_acquire * hz);
TAILQ_INSERT_TAIL(&ipsec_acquire_head, ipa, ipa_next);
@@ -891,6 +818,20 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
}
/*
+ * Deal with PCB security requirements.
+ */
+struct tdb *
+ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
+ struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo)
+{
+ /* XXX */
+ if (ipo != NULL)
+ return ipo->ipo_tdb;
+ else
+ return NULL;
+}
+
+/*
* Find a pending ACQUIRE record based on its sequence number.
* XXX Need to use a better data structure.
*/
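Review bot: The moved ipsp_spd_inp() ignores every argument except `ipo` and just returns `ipo->ipo_tdb`, so despite its header comment it does not enforce any PCB security requirement; the commit message defers that to the PCB, but a caller reading "Deal with PCB security requirements" could reasonably assume enforcement happens here. The `/* XXX */` should say what is missing, e.g. `/* XXX PCB security requirements (inp) are not enforced yet; return the policy's TDB, or NULL without a policy. */`, and mentioning the unused m/af/hlen/error/direction/tdbp/inp parameters in that comment would explain why they are accepted. This is a pure move of the function, so the point applies equally to the original definition it replaces.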
@@ -906,17 +847,3 @@ ipsec_get_acquire(u_int32_t seq)
return NULL;
}
-
-/*
- * Deal with PCB security requirements.
- */
-struct tdb *
-ipsp_spd_inp(struct mbuf *m, int af, int hlen, int *error, int direction,
- struct tdb *tdbp, struct inpcb *inp, struct ipsec_policy *ipo)
-{
- /* XXX */
- if (ipo != NULL)
- return ipo->ipo_tdb;
- else
- return NULL;
-}