head 1.75; access; symbols netbsd-10-0-RELEASE:1.75 netbsd-10-0-RC6:1.75 netbsd-10-0-RC5:1.75 netbsd-10-0-RC4:1.75 netbsd-10-0-RC3:1.75 netbsd-10-0-RC2:1.75 thorpej-ifq:1.75.0.6 thorpej-ifq-base:1.75 thorpej-altq-separation:1.75.0.4 thorpej-altq-separation-base:1.75 netbsd-10-0-RC1:1.75 netbsd-10:1.75.0.2 netbsd-10-base:1.75 bouyer-sunxi-drm:1.74.0.2 bouyer-sunxi-drm-base:1.74 netbsd-9-3-RELEASE:1.68 thorpej-i2c-spi-conf2:1.69.0.22 thorpej-i2c-spi-conf2-base:1.69 thorpej-futex2:1.69.0.20 thorpej-futex2-base:1.69 thorpej-cfargs2:1.69.0.18 thorpej-cfargs2-base:1.69 cjep_sun2x-base1:1.69 cjep_sun2x:1.69.0.16 cjep_sun2x-base:1.69 cjep_staticlib_x-base1:1.69 netbsd-9-2-RELEASE:1.68 cjep_staticlib_x:1.69.0.14 cjep_staticlib_x-base:1.69 thorpej-i2c-spi-conf:1.69.0.12 thorpej-i2c-spi-conf-base:1.69 thorpej-cfargs:1.69.0.10 thorpej-cfargs-base:1.69 thorpej-futex:1.69.0.8 thorpej-futex-base:1.69 netbsd-9-1-RELEASE:1.68 bouyer-xenpvh-base2:1.69 phil-wifi-20200421:1.69 bouyer-xenpvh-base1:1.69 phil-wifi-20200411:1.69 bouyer-xenpvh:1.69.0.6 bouyer-xenpvh-base:1.69 is-mlppp:1.69.0.4 is-mlppp-base:1.69 phil-wifi-20200406:1.69 netbsd-8-2-RELEASE:1.38.2.2 ad-namecache-base3:1.69 netbsd-9-0-RELEASE:1.68 netbsd-9-0-RC2:1.68 ad-namecache-base2:1.69 ad-namecache-base1:1.69 ad-namecache:1.69.0.2 ad-namecache-base:1.69 netbsd-9-0-RC1:1.68 phil-wifi-20191119:1.69 netbsd-9:1.68.0.2 netbsd-9-base:1.68 phil-wifi-20190609:1.67 netbsd-8-1-RELEASE:1.38.2.2 netbsd-8-1-RC1:1.38.2.2 isaki-audio2:1.67.0.2 isaki-audio2-base:1.67 pgoyette-compat-merge-20190127:1.59.2.4 pgoyette-compat-20190127:1.66 pgoyette-compat-20190118:1.66 pgoyette-compat-1226:1.66 pgoyette-compat-1126:1.66 pgoyette-compat-1020:1.66 pgoyette-compat-0930:1.66 pgoyette-compat-0906:1.66 netbsd-7-2-RELEASE:1.31 pgoyette-compat-0728:1.66 netbsd-8-0-RELEASE:1.38.2.2 phil-wifi:1.66.0.2 phil-wifi-base:1.66 pgoyette-compat-0625:1.66 netbsd-8-0-RC2:1.38.2.2 pgoyette-compat-0521:1.66 pgoyette-compat-0502:1.64 pgoyette-compat-0422:1.62 netbsd-8-0-RC1:1.38.2.2 pgoyette-compat-0415:1.60 pgoyette-compat-0407:1.60 pgoyette-compat-0330:1.60 pgoyette-compat-0322:1.60 pgoyette-compat-0315:1.60 netbsd-7-1-2-RELEASE:1.31 pgoyette-compat:1.59.0.2 pgoyette-compat-base:1.59 netbsd-7-1-1-RELEASE:1.31 tls-maxphys-base-20171202:1.53 matt-nb8-mediatek:1.38.2.1.0.2 matt-nb8-mediatek-base:1.38.2.1 nick-nhusb-base-20170825:1.52 perseant-stdc-iso10646:1.43.0.2 perseant-stdc-iso10646-base:1.43 netbsd-8:1.38.0.2 netbsd-8-base:1.38 prg-localcount2-base3:1.38 prg-localcount2-base2:1.37 prg-localcount2-base1:1.37 prg-localcount2:1.37.0.2 prg-localcount2-base:1.37 pgoyette-localcount-20170426:1.37 bouyer-socketcan-base1:1.37 jdolecek-ncq:1.32.0.2 jdolecek-ncq-base:1.32 pgoyette-localcount-20170320:1.31 netbsd-7-1:1.31.0.16 netbsd-7-1-RELEASE:1.31 netbsd-7-1-RC2:1.31 nick-nhusb-base-20170204:1.31 netbsd-7-nhusb-base-20170116:1.31 bouyer-socketcan:1.31.0.14 bouyer-socketcan-base:1.31 pgoyette-localcount-20170107:1.31 netbsd-7-1-RC1:1.31 nick-nhusb-base-20161204:1.31 pgoyette-localcount-20161104:1.31 netbsd-7-0-2-RELEASE:1.31 nick-nhusb-base-20161004:1.31 localcount-20160914:1.31 netbsd-7-nhusb:1.31.0.12 netbsd-7-nhusb-base:1.31 pgoyette-localcount-20160806:1.31 pgoyette-localcount-20160726:1.31 pgoyette-localcount:1.31.0.10 pgoyette-localcount-base:1.31 nick-nhusb-base-20160907:1.31 nick-nhusb-base-20160529:1.31 netbsd-7-0-1-RELEASE:1.31 nick-nhusb-base-20160422:1.31 nick-nhusb-base-20160319:1.31 nick-nhusb-base-20151226:1.31 netbsd-7-0:1.31.0.8 netbsd-7-0-RELEASE:1.31 nick-nhusb-base-20150921:1.31 netbsd-7-0-RC3:1.31 netbsd-7-0-RC2:1.31 netbsd-7-0-RC1:1.31 nick-nhusb-base-20150606:1.31 nick-nhusb-base-20150406:1.31 nick-nhusb:1.31.0.6 nick-nhusb-base:1.31 netbsd-5-2-3-RELEASE:1.18.12.1 netbsd-5-1-5-RELEASE:1.18.22.1 netbsd-6-0-6-RELEASE:1.29 netbsd-6-1-5-RELEASE:1.29 netbsd-7:1.31.0.4 netbsd-7-base:1.31 yamt-pagecache-base9:1.31 yamt-pagecache-tag8:1.28.4.1 netbsd-6-1-4-RELEASE:1.29 netbsd-6-0-5-RELEASE:1.29 tls-earlyentropy:1.31.0.2 tls-earlyentropy-base:1.31 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.31 riastradh-drm2-base3:1.31 netbsd-6-1-3-RELEASE:1.29 netbsd-6-0-4-RELEASE:1.29 netbsd-5-2-2-RELEASE:1.18.12.1 netbsd-5-1-4-RELEASE:1.18.22.1 netbsd-6-1-2-RELEASE:1.29 netbsd-6-0-3-RELEASE:1.29 netbsd-5-2-1-RELEASE:1.18.12.1 netbsd-5-1-3-RELEASE:1.18.22.1 rmind-smpnet-nbase:1.31 netbsd-6-1-1-RELEASE:1.29 riastradh-drm2-base2:1.30 riastradh-drm2-base1:1.30 riastradh-drm2:1.30.0.4 riastradh-drm2-base:1.30 rmind-smpnet:1.30.0.2 rmind-smpnet-base:1.31 netbsd-6-1:1.29.0.16 netbsd-6-0-2-RELEASE:1.29 netbsd-6-1-RELEASE:1.29 khorben-n900:1.29.0.14 netbsd-6-1-RC4:1.29 netbsd-6-1-RC3:1.29 agc-symver:1.29.0.12 agc-symver-base:1.29 netbsd-6-1-RC2:1.29 netbsd-6-1-RC1:1.29 yamt-pagecache-base8:1.29 netbsd-5-2:1.18.12.1.0.2 netbsd-6-0-1-RELEASE:1.29 yamt-pagecache-base7:1.29 netbsd-5-2-RELEASE:1.18.12.1 netbsd-5-2-RC1:1.18.12.1 matt-nb6-plus-nbase:1.29 yamt-pagecache-base6:1.29 netbsd-6-0:1.29.0.8 netbsd-6-0-RELEASE:1.29 netbsd-6-0-RC2:1.29 tls-maxphys:1.29.0.6 tls-maxphys-base:1.31 matt-nb6-plus:1.29.0.4 matt-nb6-plus-base:1.29 netbsd-6-0-RC1:1.29 jmcneill-usbmp-base10:1.29 yamt-pagecache-base5:1.29 jmcneill-usbmp-base9:1.29 yamt-pagecache-base4:1.29 jmcneill-usbmp-base8:1.29 jmcneill-usbmp-base7:1.29 jmcneill-usbmp-base6:1.29 jmcneill-usbmp-base5:1.29 jmcneill-usbmp-base4:1.29 jmcneill-usbmp-base3:1.29 jmcneill-usbmp-pre-base2:1.28 jmcneill-usbmp-base2:1.29 netbsd-6:1.29.0.2 netbsd-6-base:1.29 netbsd-5-1-2-RELEASE:1.18.22.1 netbsd-5-1-1-RELEASE:1.18.22.1 jmcneill-usbmp:1.28.0.8 jmcneill-usbmp-base:1.28 jmcneill-audiomp3:1.28.0.6 jmcneill-audiomp3-base:1.28 yamt-pagecache-base3:1.28 yamt-pagecache-base2:1.28 yamt-pagecache:1.28.0.4 yamt-pagecache-base:1.28 rmind-uvmplock-nbase:1.28 cherry-xenmp:1.28.0.2 cherry-xenmp-base:1.28 bouyer-quota2-nbase:1.25 bouyer-quota2:1.20.0.4 bouyer-quota2-base:1.22 jruoho-x86intr:1.20.0.2 jruoho-x86intr-base:1.20 matt-mips64-premerge-20101231:1.20 matt-nb5-mips64-premerge-20101231:1.18 matt-nb5-pq3:1.18.0.24 matt-nb5-pq3-base:1.18 netbsd-5-1:1.18.0.22 netbsd-5-1-RELEASE:1.18 uebayasi-xip-base4:1.20 uebayasi-xip-base3:1.20 yamt-nfs-mp-base11:1.20 netbsd-5-1-RC4:1.18 matt-nb5-mips64-k15:1.18 uebayasi-xip-base2:1.19 yamt-nfs-mp-base10:1.19 netbsd-5-1-RC3:1.18 netbsd-5-1-RC2:1.18 uebayasi-xip-base1:1.19 netbsd-5-1-RC1:1.18 rmind-uvmplock:1.19.0.4 rmind-uvmplock-base:1.28 yamt-nfs-mp-base9:1.19 uebayasi-xip:1.19.0.2 uebayasi-xip-base:1.19 netbsd-5-0-2-RELEASE:1.18 matt-nb5-mips64-premerge-20091211:1.18 matt-premerge-20091211:1.19 yamt-nfs-mp-base8:1.19 matt-nb5-mips64-u2-k2-k4-k7-k8-k9:1.18 matt-nb4-mips64-k7-u2a-k9b:1.18 matt-nb5-mips64-u1-k1-k5:1.18 yamt-nfs-mp-base7:1.19 matt-nb5-mips64:1.18.0.20 netbsd-5-0-1-RELEASE:1.18 jymxensuspend-base:1.19 yamt-nfs-mp-base6:1.19 yamt-nfs-mp-base5:1.19 yamt-nfs-mp-base4:1.19 jym-xensuspend-nbase:1.19 yamt-nfs-mp-base3:1.19 nick-hppapmap-base4:1.19 nick-hppapmap-base3:1.19 netbsd-5-0:1.18.0.18 netbsd-5-0-RELEASE:1.18 netbsd-5-0-RC4:1.18 netbsd-5-0-RC3:1.18 nick-hppapmap-base2:1.18 netbsd-5-0-RC2:1.18 jym-xensuspend:1.18.0.16 jym-xensuspend-base:1.19 netbsd-5-0-RC1:1.18 haad-dm-base2:1.18 haad-nbase2:1.18 ad-audiomp2:1.18.0.14 ad-audiomp2-base:1.18 netbsd-5:1.18.0.12 netbsd-5-base:1.18 nick-hppapmap:1.18.0.10 nick-hppapmap-base:1.19 matt-mips64-base2:1.18 matt-mips64:1.14.0.10 haad-dm-base1:1.18 wrstuden-revivesa-base-4:1.18 netbsd-4-0-1-RELEASE:1.8.2.1 wrstuden-revivesa-base-3:1.18 wrstuden-revivesa-base-2:1.18 wrstuden-fixsa-newbase:1.8.2.1 nick-csl-alignment-base5:1.14 haad-dm:1.18.0.8 haad-dm-base:1.18 wrstuden-revivesa-base-1:1.18 simonb-wapbl-nbase:1.18 yamt-pf42-base4:1.18 simonb-wapbl:1.18.0.6 simonb-wapbl-base:1.18 yamt-pf42-base3:1.18 hpcarm-cleanup-nbase:1.18 yamt-pf42-baseX:1.17 yamt-pf42-base2:1.18 yamt-nfs-mp-base2:1.18 wrstuden-revivesa:1.18.0.4 wrstuden-revivesa-base:1.18 yamt-nfs-mp:1.18.0.2 yamt-nfs-mp-base:1.18 yamt-pf42:1.17.0.8 yamt-pf42-base:1.17 ad-socklock-base1:1.17 yamt-lazymbuf-base15:1.17 yamt-lazymbuf-base14:1.17 keiichi-mipv6-nbase:1.17 mjf-devfs2:1.17.0.6 mjf-devfs2-base:1.18 nick-net80211-sync:1.17.0.4 nick-net80211-sync-base:1.17 keiichi-mipv6:1.17.0.2 keiichi-mipv6-base:1.17 bouyer-xeni386-merge1:1.15.12.1 matt-armv6-prevmlocking:1.14.8.1 wrstuden-fixsa-base-1:1.8.2.1 vmlocking2-base3:1.15 netbsd-4-0:1.8.2.1.0.4 netbsd-4-0-RELEASE:1.8.2.1 bouyer-xeni386-nbase:1.16 yamt-kmem-base3:1.15 cube-autoconf:1.15.0.14 cube-autoconf-base:1.15 yamt-kmem-base2:1.15 bouyer-xeni386:1.15.0.12 bouyer-xeni386-base:1.16 yamt-kmem:1.15.0.10 yamt-kmem-base:1.15 vmlocking2-base2:1.15 reinoud-bufcleanup-nbase:1.15 vmlocking2:1.15.0.8 vmlocking2-base1:1.15 netbsd-4-0-RC5:1.8.2.1 matt-nb4-arm:1.8.2.1.0.2 matt-nb4-arm-base:1.8.2.1 matt-armv6-nbase:1.17 jmcneill-base:1.15 netbsd-4-0-RC4:1.8.2.1 mjf-devfs:1.15.0.6 mjf-devfs-base:1.17 bouyer-xenamd64-base2:1.15 vmlocking-nbase:1.15 yamt-x86pmap-base4:1.15 bouyer-xenamd64:1.15.0.4 bouyer-xenamd64-base:1.15 netbsd-4-0-RC3:1.8.2.1 yamt-x86pmap-base3:1.15 yamt-x86pmap-base2:1.15 netbsd-4-0-RC2:1.8.2.1 yamt-x86pmap:1.15.0.2 yamt-x86pmap-base:1.15 netbsd-4-0-RC1:1.8.2.1 matt-armv6:1.14.0.8 matt-armv6-base:1.16 matt-mips64-base:1.14 jmcneill-pm:1.14.0.6 jmcneill-pm-base:1.15 hpcarm-cleanup:1.14.0.4 hpcarm-cleanup-base:1.17 nick-csl-alignment:1.14.0.2 nick-csl-alignment-base:1.14 netbsd-3-1-1-RELEASE:1.5 netbsd-3-0-3-RELEASE:1.5 yamt-idlelwp-base8:1.13 wrstuden-fixsa:1.8.0.4 wrstuden-fixsa-base:1.8.2.1 thorpej-atomic:1.13.0.8 thorpej-atomic-base:1.13 reinoud-bufcleanup:1.13.0.6 reinoud-bufcleanup-base:1.15 mjf-ufs-trans:1.13.0.4 mjf-ufs-trans-base:1.14 vmlocking:1.13.0.2 vmlocking-base:1.15 ad-audiomp:1.10.0.2 ad-audiomp-base:1.10 yamt-idlelwp:1.9.0.2 post-newlock2-merge:1.8 newlock2-nbase:1.8 yamt-splraiseipl-base5:1.8 yamt-splraiseipl-base4:1.8 yamt-splraiseipl-base3:1.8 abandoned-netbsd-4-base:1.6 abandoned-netbsd-4:1.6.0.18 netbsd-3-1:1.5.0.14 netbsd-3-1-RELEASE:1.5 netbsd-3-0-2-RELEASE:1.5 yamt-splraiseipl-base2:1.7 netbsd-3-1-RC4:1.5 yamt-splraiseipl:1.6.0.22 yamt-splraiseipl-base:1.6 netbsd-3-1-RC3:1.5 yamt-pdpolicy-base9:1.6 newlock2:1.6.0.20 newlock2-base:1.8 yamt-pdpolicy-base8:1.6 netbsd-3-1-RC2:1.5 netbsd-3-1-RC1:1.5 yamt-pdpolicy-base7:1.6 netbsd-4:1.8.0.2 netbsd-4-base:1.8 yamt-pdpolicy-base6:1.6 chap-midi-nbase:1.6 netbsd-3-0-1-RELEASE:1.5 gdamore-uart:1.6.0.16 gdamore-uart-base:1.6 simonb-timcounters-final:1.6 yamt-pdpolicy-base5:1.6 chap-midi:1.6.0.14 chap-midi-base:1.6 yamt-pdpolicy-base4:1.6 yamt-pdpolicy-base3:1.6 peter-altq-base:1.6 peter-altq:1.6.0.12 yamt-pdpolicy-base2:1.6 elad-kernelauth-base:1.6 elad-kernelauth:1.6.0.10 yamt-pdpolicy:1.6.0.8 yamt-pdpolicy-base:1.6 yamt-uio_vmspace-base5:1.6 simonb-timecounters:1.6.0.6 simonb-timecounters-base:1.6 rpaulo-netinet-merge-pcb:1.6.0.4 rpaulo-netinet-merge-pcb-base:1.6 yamt-uio_vmspace:1.6.0.2 netbsd-3-0:1.5.0.12 netbsd-3-0-RELEASE:1.5 netbsd-3-0-RC6:1.5 yamt-readahead-base3:1.5 netbsd-3-0-RC5:1.5 netbsd-3-0-RC4:1.5 netbsd-3-0-RC3:1.5 yamt-readahead-base2:1.5 netbsd-3-0-RC2:1.5 yamt-readahead-pervnode:1.5 yamt-readahead-perfile:1.5 yamt-readahead:1.5.0.10 yamt-readahead-base:1.5 netbsd-3-0-RC1:1.5 yamt-vop-base3:1.5 netbsd-2-0-3-RELEASE:1.4 netbsd-2-1:1.4.0.16 yamt-vop-base2:1.5 thorpej-vnode-attr:1.5.0.8 thorpej-vnode-attr-base:1.5 netbsd-2-1-RELEASE:1.4 yamt-vop:1.5.0.6 yamt-vop-base:1.5 netbsd-2-1-RC6:1.4 netbsd-2-1-RC5:1.4 netbsd-2-1-RC4:1.4 netbsd-2-1-RC3:1.4 netbsd-2-1-RC2:1.4 netbsd-2-1-RC1:1.4 yamt-lazymbuf:1.5.0.4 yamt-km-base4:1.5 netbsd-2-0-2-RELEASE:1.4 yamt-km-base3:1.5 netbsd-3:1.5.0.2 netbsd-3-base:1.5 yamt-km-base2:1.4 yamt-km:1.4.0.12 yamt-km-base:1.4 kent-audio2:1.4.0.10 kent-audio2-base:1.5 netbsd-2-0-1-RELEASE:1.4 kent-audio1-beforemerge:1.4 netbsd-2:1.4.0.8 netbsd-2-base:1.4 kent-audio1:1.4.0.6 kent-audio1-base:1.4 netbsd-2-0-RELEASE:1.4 netbsd-2-0-RC5:1.4 netbsd-2-0-RC4:1.4 netbsd-2-0-RC3:1.4 netbsd-2-0-RC2:1.4 netbsd-2-0-RC1:1.4 ktrace-lwp-base:1.5 ktrace-lwp:1.4.0.4 netbsd-2-0:1.4.0.2 netbsd-2-0-base:1.4; locks; strict; comment @ * @; 1.75 date 2022.10.19.21.28.02; author christos; state Exp; branches; next 1.74; commitid OAdRTTY8flqsgnYD; 1.74 date 2022.05.22.11.40.29; author riastradh; state Exp; branches; next 1.73; commitid 8FHFBB9as7t9Q2FD; 1.73 date 2022.05.22.11.40.03; author riastradh; state Exp; branches; next 1.72; commitid 5B7BCNlJBLq0Q2FD; 1.72 date 2022.05.22.11.39.37; author riastradh; state Exp; branches; next 1.71; commitid 2mGUZUpWaSOQP2FD; 1.71 date 2022.05.22.11.39.08; author riastradh; state Exp; branches; next 1.70; commitid 7PAkk3nx3vXGP2FD; 1.70 date 2022.05.22.11.30.40; author riastradh; state Exp; branches; next 1.69; commitid 4CO82QHtUl2NM2FD; 1.69 date 2019.11.01.04.23.21; author knakahara; state Exp; branches; next 1.68; commitid QBOrTJYs5Http6JB; 1.68 date 2019.06.12.22.23.50; author christos; state Exp; branches; next 1.67; commitid b76Y1luO5sE1XWqB; 1.67 date 2019.01.27.02.08.48; author pgoyette; state Exp; branches; next 1.66; commitid ipPva1Pj3xTcBm9B; 1.66 date 2018.05.13.18.34.59; author maxv; state Exp; branches 1.66.2.1; next 1.65; commitid B7gWgkZsDtHTnaCA; 1.65 date 2018.05.07.09.16.46; author maxv; state Exp; branches; next 1.64; commitid OsWrHU5hJELiulBA; 1.64 date 2018.05.01.08.13.37; author maxv; state Exp; branches; next 1.63; commitid D5JlYzp8SF4FkzAA; 1.63 date 2018.04.28.15.45.16; author maxv; state Exp; branches; next 1.62; commitid ySTKHiWT6KZtVdAA; 1.62 date 2018.04.19.08.27.39; author maxv; state Exp; branches; next 1.61; commitid ggkwBk57H1OiN1zA; 1.61 date 2018.04.19.07.58.26; author maxv; state Exp; branches; next 1.60; commitid zI7KEfpMF1rdD1zA; 1.60 date 2018.03.10.17.48.32; author maxv; state Exp; branches; next 1.59; commitid ldPQ8R0KfrPtbWtA; 1.59 date 2018.02.16.09.24.55; author maxv; state Exp; branches 1.59.2.1; next 1.58; commitid E5iCz0i3BHDA64rA; 1.58 date 2018.02.16.09.07.50; author maxv; state Exp; branches; next 1.57; commitid DGpjsPNfMt8G04rA; 1.57 date 2018.02.15.13.51.32; author maxv; state Exp; branches; next 1.56; commitid 0BqNhWXAMJc2CXqA; 1.56 date 2018.02.15.04.24.32; author ozaki-r; state Exp; branches; next 1.55; commitid af6taIZE33tytUqA; 1.55 date 2018.02.14.09.13.03; author ozaki-r; state Exp; branches; next 1.54; commitid yKLG78KffDAw6OqA; 1.54 date 2018.02.14.08.59.23; author ozaki-r; state Exp; branches; next 1.53; commitid nROnPaypZzvP1OqA; 1.53 date 2017.10.03.08.56.52; author ozaki-r; state Exp; branches; next 1.52; commitid gjLnaa9lvu91kA9A; 1.52 date 2017.08.10.06.33.51; author ozaki-r; state Exp; branches; next 1.51; commitid cadwIFBahZdzgD2A; 1.51 date 2017.08.09.09.48.11; author ozaki-r; state Exp; branches; next 1.50; commitid w2yHAbMz86renw2A; 1.50 date 2017.08.03.06.32.51; author ozaki-r; state Exp; branches; next 1.49; commitid IGJ7EW2p9sCauJ1A; 1.49 date 2017.08.02.01.28.03; author ozaki-r; state Exp; branches; next 1.48; commitid Dp1gBSxIdJJBPz1A; 1.48 date 2017.07.27.06.59.28; author ozaki-r; state Exp; branches; next 1.47; commitid iCqRpwhAuAegRP0A; 1.47 date 2017.07.20.08.07.14; author ozaki-r; state Exp; branches; next 1.46; commitid lLFbglsOW9ossWZz; 1.46 date 2017.07.19.10.26.09; author ozaki-r; state Exp; branches; next 1.45; commitid 4bkOu5aQPyI6gPZz; 1.45 date 2017.07.19.09.38.57; author ozaki-r; state Exp; branches; next 1.44; commitid MGOWtQvlGuWUZOZz; 1.44 date 2017.07.19.09.03.08; author ozaki-r; state Exp; branches; next 1.43; commitid 5a4X5iW26NgCNOZz; 1.43 date 2017.07.14.12.26.26; author ozaki-r; state Exp; branches; next 1.42; commitid bcPl7uj03THk5cZz; 1.42 date 2017.07.14.01.24.23; author ozaki-r; state Exp; branches; next 1.41; commitid x1jhAJywpYtdq8Zz; 1.41 date 2017.07.07.01.37.34; author ozaki-r; state Exp; branches; next 1.40; commitid 15pCWF6fzvoGIeYz; 1.40 date 2017.07.05.03.44.59; author ozaki-r; state Exp; branches; next 1.39; commitid GOUvKdOjcrJnuZXz; 1.39 date 2017.06.29.07.13.41; author ozaki-r; state Exp; branches; next 1.38; commitid PlPF4B5CXXfWPeXz; 1.38 date 2017.05.11.05.55.14; author ryo; state Exp; branches 1.38.2.1; next 1.37; commitid x7EBNRr9UEVFYVQz; 1.37 date 2017.04.19.03.39.14; author ozaki-r; state Exp; branches 1.37.2.1; next 1.36; commitid 0Vp26EUYDwuQV5Oz; 1.36 date 2017.04.18.05.26.42; author ozaki-r; state Exp; branches; next 1.35; commitid VBHrbI9Gu6MIyYNz; 1.35 date 2017.04.18.05.25.32; author ozaki-r; state Exp; branches; next 1.34; commitid aRA6uYMfzq2kyYNz; 1.34 date 2017.04.15.22.01.57; author christos; state Exp; branches; next 1.33; commitid N7hAjuKYuakR9GNz; 1.33 date 2017.04.13.16.38.32; author christos; state Exp; branches; next 1.32; commitid rNEGuqEx5s6GqoNz; 1.32 date 2017.04.06.09.20.07; author ozaki-r; state Exp; branches; next 1.31; commitid 0wn868iaQHxIesMz; 1.31 date 2013.11.03.18.37.10; author mrg; state Exp; branches 1.31.6.1 1.31.10.1 1.31.14.1; next 1.30; commitid 7D2UpGwaslTquRbx; 1.30 date 2013.06.04.22.47.37; author christos; state Exp; branches 1.30.2.1; next 1.29; commitid ggyhenOdIP5sLlSw; 1.29 date 2012.01.25.20.31.23; author drochner; state Exp; branches 1.29.6.1; next 1.28; 1.28 date 2011.05.06.21.48.46; author drochner; state Exp; branches 1.28.4.1 1.28.8.1; next 1.27; 1.27 date 2011.05.05.20.15.15; author drochner; state Exp; branches; next 1.26; 1.26 date 2011.04.01.08.29.29; author spz; state Exp; branches; next 1.25; 1.25 date 2011.02.24.20.03.41; author drochner; state Exp; branches; next 1.24; 1.24 date 2011.02.18.20.40.58; author drochner; state Exp; branches; next 1.23; 1.23 date 2011.02.18.19.06.45; author drochner; state Exp; branches; next 1.22; 1.22 date 2011.02.14.13.43.45; author drochner; state Exp; branches; next 1.21; 1.21 date 2011.02.10.20.24.27; author drochner; state Exp; branches; next 1.20; 1.20 date 2010.09.21.13.41.18; author degroote; state Exp; branches 1.20.2.1 1.20.4.1; next 1.19; 1.19 date 2009.03.18.16.00.23; author cegger; state Exp; branches 1.19.2.1 1.19.4.1; next 1.18; 1.18 date 2008.04.23.06.09.05; author thorpej; state Exp; branches 1.18.2.1 1.18.10.1 1.18.12.1 1.18.16.1 1.18.18.1 1.18.22.1; next 1.17; 1.17 date 2008.02.04.00.35.35; author tls; state Exp; branches 1.17.6.1 1.17.8.1; next 1.16; 1.16 date 2007.12.29.14.56.35; author degroote; state Exp; branches; next 1.15; 1.15 date 2007.09.22.23.33.18; author degroote; state Exp; branches 1.15.6.1 1.15.12.1; next 1.14; 1.14 date 2007.06.27.20.38.33; author degroote; state Exp; branches 1.14.6.1 1.14.8.1; next 1.13; 1.13 date 2007.03.04.21.17.55; author degroote; state Exp; branches 1.13.2.1 1.13.4.1; next 1.12; 1.12 date 2007.03.04.19.54.49; author degroote; state Exp; branches; next 1.11; 1.11 date 2007.03.04.06.03.30; author christos; state Exp; branches; next 1.10; 1.10 date 2007.02.23.19.35.25; author degroote; state Exp; branches; next 1.9; 1.9 date 2007.02.10.09.43.05; author degroote; state Exp; branches 1.9.2.1; next 1.8; 1.8 date 2006.11.16.01.33.49; author christos; state Exp; branches 1.8.2.1 1.8.4.1; next 1.7; 1.7 date 2006.10.13.20.53.59; author christos; state Exp; branches; next 1.6; 1.6 date 2005.12.11.12.25.06; author christos; state Exp; branches 1.6.20.1 1.6.22.1; next 1.5; 1.5 date 2005.02.26.22.45.13; author perry; state Exp; branches 1.5.4.1; next 1.4; 1.4 date 2003.10.06.22.05.15; author tls; state Exp; branches 1.4.4.1 1.4.10.1 1.4.12.1; next 1.3; 1.3 date 2003.09.12.11.21.00; author itojun; state Exp; branches; next 1.2; 1.2 date 2003.08.20.22.33.41; author jonathan; state Exp; branches; next 1.1; 1.1 date 2003.08.13.20.06.52; author jonathan; state Exp; branches; next ; 1.66.2.1 date 2019.06.10.22.09.48; author christos; state Exp; branches; next 1.66.2.2; commitid jtc8rnCzWiEEHGqB; 1.66.2.2 date 2020.04.13.08.05.17; author martin; state Exp; branches; next ; commitid X01YhRUPVUDaec4C; 1.59.2.1 date 2018.03.15.09.12.07; author pgoyette; state Exp; branches; next 1.59.2.2; commitid lb7w3QtkrVH4axuA; 1.59.2.2 date 2018.04.22.07.20.28; author pgoyette; state Exp; branches; next 1.59.2.3; commitid W6xykws0Zbl4kpzA; 1.59.2.3 date 2018.05.02.07.20.24; author pgoyette; state Exp; branches; next 1.59.2.4; commitid o3kRuNRzl9360HAA; 1.59.2.4 date 2018.05.21.04.36.16; author pgoyette; state Exp; branches; next ; commitid X5L8kSrBWQcDt7DA; 1.38.2.1 date 2017.10.21.19.43.54; author snj; state Exp; branches; next 1.38.2.2; commitid oXGWsjkUnhTWjXbA; 1.38.2.2 date 2018.02.26.13.10.52; author martin; state Exp; branches; next ; commitid DECoIpKBph1c2nsA; 1.37.2.1 date 2017.05.19.00.22.58; author pgoyette; state Exp; branches; next ; commitid QNTxgGjVagwoSVRz; 1.31.6.1 date 2017.08.28.17.53.13; author skrll; state Exp; branches; next ; commitid UQQpnjvcNkUZn05A; 1.31.10.1 date 2017.04.26.02.53.29; author pgoyette; state Exp; branches; next ; commitid ojV02aOSdzvBqZOz; 1.31.14.1 date 2017.04.21.16.54.06; author bouyer; state Exp; branches; next ; commitid dUG7nkTKALCadqOz; 1.30.2.1 date 2014.05.18.17.46.14; author rmind; state Exp; branches; next ; commitid mL5ZYSzpqK6QS2Bx; 1.29.6.1 date 2013.06.23.06.20.26; author tls; state Exp; branches; next 1.29.6.2; commitid eVjr9caYRQbRGHUw; 1.29.6.2 date 2014.08.20.00.04.36; author tls; state Exp; branches; next 1.29.6.3; commitid jTnpym9Qu0o4R1Nx; 1.29.6.3 date 2017.12.03.11.39.05; author jdolecek; state Exp; branches; next ; commitid XcIYRZTAh1LmerhA; 1.28.4.1 date 2012.04.17.00.08.46; author yamt; state Exp; branches; next 1.28.4.2; 1.28.4.2 date 2014.05.22.11.41.10; author yamt; state Exp; branches; next ; commitid VUUXuyNWnt3AKwBx; 1.28.8.1 date 2012.02.18.07.35.45; author mrg; state Exp; branches; next ; 1.20.2.1 date 2011.06.06.09.10.01; author jruoho; state Exp; branches; next ; 1.20.4.1 date 2011.02.17.12.00.50; author bouyer; state Exp; branches; next 1.20.4.2; 1.20.4.2 date 2011.03.05.15.10.48; author bouyer; state Exp; branches; next ; 1.19.2.1 date 2010.10.22.07.22.42; author uebayasi; state Exp; branches; next ; 1.19.4.1 date 2011.03.05.20.56.00; author rmind; state Exp; branches; next 1.19.4.2; 1.19.4.2 date 2011.04.21.01.42.15; author rmind; state Exp; branches; next 1.19.4.3; 1.19.4.3 date 2011.05.31.03.05.10; author rmind; state Exp; branches; next ; 1.18.2.1 date 2009.05.04.08.14.20; author yamt; state Exp; branches; next 1.18.2.2; 1.18.2.2 date 2010.10.09.03.32.39; author yamt; state Exp; branches; next ; 1.18.10.1 date 2009.04.28.07.37.34; author skrll; state Exp; branches; next ; 1.18.12.1 date 2011.04.03.06.08.35; author jdc; state Exp; branches; next ; 1.18.16.1 date 2009.05.13.17.22.41; author jym; state Exp; branches; next ; 1.18.18.1 date 2011.04.03.06.09.06; author jdc; state Exp; branches; next ; 1.18.22.1 date 2011.04.03.06.09.26; author jdc; state Exp; branches; next ; 1.17.6.1 date 2008.06.02.13.24.28; author mjf; state Exp; branches; next ; 1.17.8.1 date 2008.05.18.12.35.40; author yamt; state Exp; branches; next ; 1.15.6.1 date 2008.02.18.21.07.13; author mjf; state Exp; branches; next ; 1.15.12.1 date 2008.01.02.21.57.35; author bouyer; state Exp; branches; next ; 1.14.6.1 date 2007.10.02.18.29.24; author joerg; state Exp; branches; next ; 1.14.8.1 date 2007.11.06.23.34.14; author matt; state Exp; branches; next 1.14.8.2; 1.14.8.2 date 2008.01.09.01.57.43; author matt; state Exp; branches; next 1.14.8.3; 1.14.8.3 date 2008.03.23.02.05.07; author matt; state Exp; branches; next ; 1.13.2.1 date 2007.07.15.13.28.04; author ad; state Exp; branches; next 1.13.2.2; 1.13.2.2 date 2007.10.09.13.44.57; author ad; state Exp; branches; next ; 1.13.4.1 date 2007.07.11.20.11.56; author mjf; state Exp; branches; next ; 1.9.2.1 date 2007.02.27.16.55.07; author yamt; state Exp; branches; next 1.9.2.2; 1.9.2.2 date 2007.03.12.06.00.12; author rmind; state Exp; branches; next ; 1.8.2.1 date 2007.05.24.19.13.13; author pavel; state Exp; branches 1.8.2.1.4.1; next 1.8.2.2; 1.8.2.2 date 2011.04.03.15.16.10; author riz; state Exp; branches; next ; 1.8.2.1.4.1 date 2011.04.03.15.15.09; author riz; state Exp; branches; next ; 1.8.4.1 date 2007.06.04.01.54.28; author wrstuden; state Exp; branches; next ; 1.6.20.1 date 2006.11.18.21.39.41; author ad; state Exp; branches; next ; 1.6.22.1 date 2006.10.22.06.07.39; author yamt; state Exp; branches; next 1.6.22.2; 1.6.22.2 date 2006.12.10.07.19.20; author yamt; state Exp; branches; next ; 1.5.4.1 date 2006.12.30.20.50.44; author yamt; state Exp; branches; next 1.5.4.2; 1.5.4.2 date 2007.02.26.09.11.57; author yamt; state Exp; branches; next 1.5.4.3; 1.5.4.3 date 2007.09.03.14.43.48; author yamt; state Exp; branches; next 1.5.4.4; 1.5.4.4 date 2007.10.27.11.36.15; author yamt; state Exp; branches; next 1.5.4.5; 1.5.4.5 date 2008.01.21.09.47.27; author yamt; state Exp; branches; next 1.5.4.6; 1.5.4.6 date 2008.02.04.09.24.42; author yamt; state Exp; branches; next ; 1.4.4.1 date 2003.10.06.22.05.15; author skrll; state dead; branches; next 1.4.4.2; 1.4.4.2 date 2004.08.03.10.55.29; author skrll; state Exp; branches; next 1.4.4.3; 1.4.4.3 date 2004.09.18.14.55.32; author skrll; state Exp; branches; next 1.4.4.4; 1.4.4.4 date 2004.09.21.13.37.48; author skrll; state Exp; branches; next 1.4.4.5; 1.4.4.5 date 2005.03.04.16.53.44; author skrll; state Exp; branches; next ; 1.4.10.1 date 2005.04.29.11.29.35; author kent; state Exp; branches; next ; 1.4.12.1 date 2005.03.19.08.36.41; author yamt; state Exp; branches; next ; desc @@ 1.75 log @PR/56836: Andrew Cagney: IPv6 ESN tunneling IPcomp has corrupt header Always always send / expect CPI in IPcomp header Fixes kern/56836 where an IPsec interop combining compression and ESP|AH would fail. Since fast ipsec, the outgoing IPcomp header has contained the compression algorithm instead of the CPI. Adding the SADB_X_EXT_RAWCPI flag worked around this but ... The IPcomp's SADB was unconditionally hashed using the compression algorithm instead of the CPI. This meant that an incoming packet with a valid CPI could never match its SADB. @ text @/* $NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $ */ /* $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@@wabbitt.org) * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) #include "opt_inet.h" #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef INET6 #include #include #endif #include #include #include #include #include #include percpu_t *ipcompstat_percpu; int ipcomp_enable = 1; static void ipcomp_input_cb(struct cryptop *crp); static void ipcomp_output_cb(struct cryptop *crp); const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT }; static pool_cache_t ipcomp_tdb_crypto_pool_cache; const struct comp_algo * ipcomp_algorithm_lookup(int alg) { switch (alg) { case SADB_X_CALG_DEFLATE: return &comp_algo_deflate_nogrow; } return NULL; } /* * ipcomp_init() is called when an CPI is being set up. */ static int ipcomp_init(struct secasvar *sav, const struct xformsw *xsp) { const struct comp_algo *tcomp; struct cryptoini cric; int ses; /* NB: algorithm really comes in alg_enc and not alg_comp! */ tcomp = ipcomp_algorithm_lookup(sav->alg_enc); if (tcomp == NULL) { DPRINTF("unsupported compression algorithm %d\n", sav->alg_comp); return EINVAL; } sav->alg_comp = sav->alg_enc; /* set for doing histogram */ sav->tdb_xform = xsp; sav->tdb_compalgxform = tcomp; /* Initialize crypto session */ memset(&cric, 0, sizeof(cric)); cric.cri_alg = sav->tdb_compalgxform->type; ses = crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support); return ses; } /* * ipcomp_zeroize() used when IPCA is deleted */ static void ipcomp_zeroize(struct secasvar *sav) { crypto_freesession(sav->tdb_cryptoid); sav->tdb_cryptoid = 0; } /* * ipcomp_input() gets called to uncompress an input packet */ static int ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { struct tdb_crypto *tc; struct cryptodesc *crdc; struct cryptop *crp; int error, hlen = IPCOMP_HLENGTH, stat = IPCOMP_STAT_CRYPTO; KASSERT(skip + hlen <= m->m_pkthdr.len); /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { DPRINTF("no crypto descriptors\n"); error = ENOBUFS; goto error_m; } /* Get IPsec-specific opaque pointer */ tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT); if (tc == NULL) { DPRINTF("cannot allocate tdb_crypto\n"); error = ENOBUFS; goto error_crp; } error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT); if (error) { DPRINTF("m_makewritable failed\n"); goto error_tc; } { int s = pserialize_read_enter(); /* * Take another reference to the SA for opencrypto callback. */ if (__predict_false(sav->state == SADB_SASTATE_DEAD)) { pserialize_read_exit(s); stat = IPCOMP_STAT_NOTDB; error = ENOENT; goto error_tc; } KEY_SA_REF(sav); pserialize_read_exit(s); } crdc = crp->crp_desc; crdc->crd_skip = skip + hlen; crdc->crd_len = m->m_pkthdr.len - (skip + hlen); crdc->crd_inject = 0; /* unused */ /* Decompression operation */ crdc->crd_alg = sav->tdb_compalgxform->type; /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len - (skip + hlen); crp->crp_olen = MCLBYTES; /* hint to decompression code */ crp->crp_flags = CRYPTO_F_IMBUF; crp->crp_buf = m; crp->crp_callback = ipcomp_input_cb; crp->crp_sid = sav->tdb_cryptoid; crp->crp_opaque = tc; /* These are passed as-is to the callback */ tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_sav = sav; crypto_dispatch(crp); return 0; error_tc: pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); error_crp: crypto_freereq(crp); error_m: m_freem(m); IPCOMP_STATINC(stat); return error; } #ifdef INET6 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do { \ if (saidx->dst.sa.sa_family == AF_INET6) { \ (void)ipsec6_common_input_cb(m, sav, skip, protoff); \ } else { \ (void)ipsec4_common_input_cb(m, sav, skip, protoff); \ } \ } while (0) #else #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) \ ((void)ipsec4_common_input_cb(m, sav, skip, protoff)) #endif /* * IPComp input callback from the crypto driver. */ static void ipcomp_input_cb(struct cryptop *crp) { char buf[IPSEC_ADDRSTRLEN]; struct tdb_crypto *tc; int skip, protoff; struct mbuf *m; struct secasvar *sav; struct secasindex *saidx __diagused; int hlen = IPCOMP_HLENGTH, clen; uint8_t nproto; struct ipcomp *ipc; IPSEC_DECLARE_LOCK_VARIABLE; KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; skip = tc->tc_skip; protoff = tc->tc_protoff; m = crp->crp_buf; IPSEC_ACQUIRE_GLOBAL_LOCKS(); sav = tc->tc_sav; saidx = &sav->sah->saidx; KASSERTMSG(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, "unexpected protocol family %u", saidx->dst.sa.sa_family); /* Check for crypto errors */ if (crp->crp_etype) { /* Reset the session ID */ if (sav->tdb_cryptoid != 0) sav->tdb_cryptoid = crp->crp_sid; IPCOMP_STATINC(IPCOMP_STAT_NOXFORM); DPRINTF("crypto error %d\n", crp->crp_etype); goto bad; } IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); /* Update the counters */ IPCOMP_STATADD(IPCOMP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen); /* Length of data after processing */ clen = crp->crp_olen; /* Release the crypto descriptors */ pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); tc = NULL; crypto_freereq(crp); crp = NULL; /* In case it's not done already, adjust the size of the mbuf chain */ m->m_pkthdr.len = clen + hlen + skip; /* * Get the next protocol field. * * XXX: Really, we should use m_copydata instead of m_pullup. */ if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF("m_pullup failed\n"); goto bad; } ipc = (struct ipcomp *)(mtod(m, uint8_t *) + skip); nproto = ipc->comp_nxt; switch (nproto) { case IPPROTO_IPCOMP: case IPPROTO_AH: case IPPROTO_ESP: IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF("nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi)); goto bad; default: break; } /* Remove the IPCOMP header */ if (m_striphdr(m, skip, hlen) != 0) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF("bad mbuf chain, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi)); goto bad; } /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof(nproto), &nproto); IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff); KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); return; bad: if (sav) KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); if (m) m_freem(m); if (tc != NULL) pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); if (crp) crypto_freereq(crp); } /* * IPComp output routine, called by ipsec[46]_process_packet() */ static int ipcomp_output(struct mbuf *m, const struct ipsecrequest *isr, struct secasvar *sav, int skip, int protoff, int flags) { char buf[IPSEC_ADDRSTRLEN]; const struct comp_algo *ipcompx; int error, ralen, hlen, maxpacketsize; struct cryptodesc *crdc; struct cryptop *crp; struct tdb_crypto *tc; KASSERT(sav != NULL); KASSERT(sav->tdb_compalgxform != NULL); ipcompx = sav->tdb_compalgxform; /* Raw payload length before comp. */ ralen = m->m_pkthdr.len - skip; /* Don't process the packet if it is too short */ if (ralen < ipcompx->minlen) { IPCOMP_STATINC(IPCOMP_STAT_MINLEN); return ipsec_process_done(m, isr, sav, 0); } hlen = IPCOMP_HLENGTH; IPCOMP_STATINC(IPCOMP_STAT_OUTPUT); /* Check for maximum packet size violations. */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: maxpacketsize = IP_MAXPACKET; break; #endif #ifdef INET6 case AF_INET6: maxpacketsize = IPV6_MAXPACKET; break; #endif default: IPCOMP_STATINC(IPCOMP_STAT_NOPF); DPRINTF("unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi)); error = EPFNOSUPPORT; goto bad; } if (skip + hlen + ralen > maxpacketsize) { IPCOMP_STATINC(IPCOMP_STAT_TOOBIG); DPRINTF("packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi), skip + hlen + ralen, maxpacketsize); error = EMSGSIZE; goto bad; } /* Update the counters */ IPCOMP_STATADD(IPCOMP_STAT_OBYTES, m->m_pkthdr.len - skip); m = m_clone(m); if (m == NULL) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF("cannot clone mbuf chain, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi)); error = ENOBUFS; goto bad; } /* Ok now, we can pass to the crypto processing */ /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); DPRINTF("failed to acquire crypto descriptor\n"); error = ENOBUFS; goto bad; } crdc = crp->crp_desc; /* Compression descriptor */ crdc->crd_skip = skip; crdc->crd_len = m->m_pkthdr.len - skip; crdc->crd_flags = CRD_F_COMP; crdc->crd_inject = skip; /* Compression operation */ crdc->crd_alg = ipcompx->type; /* IPsec-specific opaque crypto info */ tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT); if (tc == NULL) { IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); DPRINTF("failed to allocate tdb_crypto\n"); crypto_freereq(crp); error = ENOBUFS; goto bad; } { int s = pserialize_read_enter(); /* * Take another reference to the SP and the SA for opencrypto callback. */ if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD || sav->state == SADB_SASTATE_DEAD)) { pserialize_read_exit(s); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_NOTDB); error = ENOENT; goto bad; } KEY_SP_REF(isr->sp); KEY_SA_REF(sav); pserialize_read_exit(s); } tc->tc_isr = isr; tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; tc->tc_skip = skip; tc->tc_protoff = protoff; tc->tc_flags = flags; tc->tc_sav = sav; /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ crp->crp_flags = CRYPTO_F_IMBUF; crp->crp_buf = m; crp->crp_callback = ipcomp_output_cb; crp->crp_opaque = tc; crp->crp_sid = sav->tdb_cryptoid; crypto_dispatch(crp); return 0; bad: if (m) m_freem(m); return error; } /* * IPComp output callback from the crypto driver. */ static void ipcomp_output_cb(struct cryptop *crp) { char buf[IPSEC_ADDRSTRLEN]; struct tdb_crypto *tc; const struct ipsecrequest *isr; struct secasvar *sav; struct mbuf *m, *mo; int skip, rlen, roff, flags; uint8_t prot; uint16_t cpi; struct ipcomp * ipcomp; IPSEC_DECLARE_LOCK_VARIABLE; KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; m = crp->crp_buf; skip = tc->tc_skip; rlen = crp->crp_ilen - skip; IPSEC_ACQUIRE_GLOBAL_LOCKS(); isr = tc->tc_isr; sav = tc->tc_sav; /* Check for crypto errors */ if (crp->crp_etype) { /* Reset session ID */ if (sav->tdb_cryptoid != 0) sav->tdb_cryptoid = crp->crp_sid; IPCOMP_STATINC(IPCOMP_STAT_NOXFORM); DPRINTF("crypto error %d\n", crp->crp_etype); goto bad; } IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); if (rlen > crp->crp_olen) { /* Inject IPCOMP header */ mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); if (mo == NULL) { IPCOMP_STATINC(IPCOMP_STAT_WRAP); DPRINTF("failed to inject IPCOMP header for " "IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi)); goto bad; } ipcomp = (struct ipcomp *)(mtod(mo, char *) + roff); /* Initialize the IPCOMP header */ /* XXX alignment always correct? */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; break; #endif #ifdef INET6 case AF_INET6: ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; break; #endif } ipcomp->comp_flags = 0; cpi = ntohl(sav->spi) & 0xffff; ipcomp->comp_cpi = htons(cpi); /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; m_copyback(m, tc->tc_protoff, sizeof(prot), &prot); /* Adjust the length in the IP header */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len); break; #endif #ifdef INET6 case AF_INET6: mtod(m, struct ip6_hdr *)->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); break; #endif default: IPCOMP_STATINC(IPCOMP_STAT_NOPF); DPRINTF("unknown/unsupported protocol " "family %d, IPCA %s/%08lx\n", sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi)); goto bad; } } else { /* compression was useless, we have lost time */ IPCOMP_STATINC(IPCOMP_STAT_USELESS); DPRINTF("compression was useless: initial size was %d " "and compressed size is %d\n", rlen, crp->crp_olen); } flags = tc->tc_flags; /* Release the crypto descriptor */ pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); /* NB: m is reclaimed by ipsec_process_done. */ (void)ipsec_process_done(m, isr, sav, flags); KEY_SA_UNREF(&sav); KEY_SP_UNREF(&isr->sp); IPSEC_RELEASE_GLOBAL_LOCKS(); return; bad: if (sav) KEY_SA_UNREF(&sav); KEY_SP_UNREF(&isr->sp); IPSEC_RELEASE_GLOBAL_LOCKS(); if (m) m_freem(m); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); } static struct xformsw ipcomp_xformsw = { .xf_type = XF_IPCOMP, .xf_flags = XFT_COMP, .xf_name = "IPcomp", .xf_init = ipcomp_init, .xf_zeroize = ipcomp_zeroize, .xf_input = ipcomp_input, .xf_output = ipcomp_output, .xf_next = NULL, }; void ipcomp_attach(void) { ipcompstat_percpu = percpu_alloc(sizeof(uint64_t) * IPCOMP_NSTATS); ipcomp_tdb_crypto_pool_cache = pool_cache_init(sizeof(struct tdb_crypto), coherency_unit, 0, 0, "ipcomp_tdb_crypto", NULL, IPL_SOFTNET, NULL, NULL, NULL); xform_register(&ipcomp_xformsw); } @ 1.74 log @opencrypto: crypto_dispatch never fails now. Make it return void. Same with crypto_kdispatch. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.73 2022/05/22 11:40:03 riastradh Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.73 2022/05/22 11:40:03 riastradh Exp $"); d576 1 a576 4 if ((sav->flags & SADB_X_EXT_RAWCPI) == 0) cpi = sav->alg_enc; else cpi = ntohl(sav->spi) & 0xffff; @ 1.73 log @opencrypto: Rip out EAGAIN logic when unregistering crypto drivers. I'm pretty sure this never worked reliably based on code inspection, and it's unlikely to have ever been tested because it only applies when unregistering a driver -- but we have no crypto drivers for removable devices, so it would only apply if we went out of our way to trigger detach with drvctl. Instead, just make the operation fail with ENODEV, and remove all the callback logic to resubmit the request on EAGAIN. (Maybe this should be ENXIO, but crypto_kdispatch already does ENODEV.) @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.72 2022/05/22 11:39:37 riastradh Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.72 2022/05/22 11:39:37 riastradh Exp $"); d211 2 a212 1 return crypto_dispatch(crp); d497 2 a498 1 return crypto_dispatch(crp); @ 1.72 log @opencrypto: Make crypto_freesession return void. No callers use the return value. It is not sensible to allow this to fail. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.71 2022/05/22 11:39:08 riastradh Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.71 2022/05/22 11:39:08 riastradh Exp $"); a272 7 if (crp->crp_etype == EAGAIN) { KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); (void)crypto_dispatch(crp); return; } a537 5 if (crp->crp_etype == EAGAIN) { IPSEC_RELEASE_GLOBAL_LOCKS(); (void)crypto_dispatch(crp); return; } @ 1.71 log @netipsec: Nothing uses xf_zeroize return value. Nix it. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.70 2022/05/22 11:30:40 riastradh Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.70 2022/05/22 11:30:40 riastradh Exp $"); d131 1 a131 1 (void)crypto_freesession(sav->tdb_cryptoid); @ 1.70 log @opencrypto: Make crp_callback, krp_callback return void. Nothing uses the return values inside opencrypto, so let's stop making users return them. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.69 2019/11/01 04:23:21 knakahara Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.69 2019/11/01 04:23:21 knakahara Exp $"); d127 1 a127 1 static int a129 1 int err; d131 1 a131 1 err = crypto_freesession(sav->tdb_cryptoid); a132 1 return err; @ 1.69 log @Fix ipsecif(4) IPV6_MINMTU does not work correctly. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.68 2019/06/12 22:23:50 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.68 2019/06/12 22:23:50 christos Exp $"); d78 2 a79 2 static int ipcomp_input_cb(struct cryptop *crp); static int ipcomp_output_cb(struct cryptop *crp); d228 1 a228 1 error = ipsec6_common_input_cb(m, sav, skip, protoff); \ d230 1 a230 1 error = ipsec4_common_input_cb(m, sav, skip, protoff); \ d235 1 a235 1 (error = ipsec4_common_input_cb(m, sav, skip, protoff)) d241 1 a241 1 static int d250 1 a250 1 int hlen = IPCOMP_HLENGTH, error, clen; d278 2 a279 1 return crypto_dispatch(crp); a283 1 error = crp->crp_etype; a311 1 error = EINVAL; a324 1 error = EINVAL; d331 1 a331 2 error = m_striphdr(m, skip, hlen); if (error) { d346 1 a346 1 return error; a357 1 return error; d516 1 a516 1 static int d524 1 a524 1 int error, skip, rlen, roff, flags; d549 2 a550 1 return crypto_dispatch(crp); a553 1 error = crp->crp_etype; a567 1 error = ENOBUFS; a617 1 error = EPFNOSUPPORT; d633 1 a633 1 error = ipsec_process_done(m, isr, sav, flags); d637 1 a637 1 return error; a647 1 return error; @ 1.68 log @make DPRINTF use varyadic cpp macros, and merge with IPSECLOG. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.67 2019/01/27 02:08:48 pgoyette Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.67 2019/01/27 02:08:48 pgoyette Exp $"); d369 1 a369 1 struct secasvar *sav, int skip, int protoff) d388 1 a388 1 return ipsec_process_done(m, isr, sav); d498 1 d528 1 a528 1 int error, skip, rlen, roff; d633 1 d639 1 a639 1 error = ipsec_process_done(m, isr, sav); @ 1.67 log @Merge the [pgoyette-compat] branch @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.66 2018/05/13 18:34:59 maxv Exp $"); d108 2 a109 2 DPRINTF(("%s: unsupported compression algorithm %d\n", __func__, sav->alg_comp)); d153 1 a153 1 DPRINTF(("%s: no crypto descriptors\n", __func__)); d160 1 a160 1 DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); d167 1 a167 1 DPRINTF(("%s: m_makewritable failed\n", __func__)); d282 1 a282 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d311 1 a311 1 DPRINTF(("%s: m_pullup failed\n", __func__)); d323 1 a323 1 DPRINTF(("%s: nested ipcomp, IPCA %s/%08lx\n", __func__, d325 1 a325 1 (u_long) ntohl(sav->spi))); d336 1 a336 1 DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, d338 1 a338 1 (u_long) ntohl(sav->spi))); d409 2 a410 2 DPRINTF(("%s: unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", __func__, d413 1 a413 1 (u_long) ntohl(sav->spi))); d419 2 a420 2 DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, d423 1 a423 1 skip + hlen + ralen, maxpacketsize)); d434 1 a434 2 DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", __func__, d436 1 a436 1 (u_long) ntohl(sav->spi))); d447 1 a447 2 DPRINTF(("%s: failed to acquire crypto descriptor\n", __func__)); d466 1 a466 1 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); d555 1 a555 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d567 2 a568 2 DPRINTF(("%s: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", __func__, d570 1 a570 1 sizeof(buf)), (u_long) ntohl(sav->spi))); d617 1 a617 1 DPRINTF(("ipcomp_output: unknown/unsupported protocol " d621 1 a621 1 sizeof(buf)), (u_long) ntohl(sav->spi))); d628 2 a629 3 DPRINTF(("ipcomp_output_cb: compression was useless: initial" "size was %d and compressed size is %d\n", rlen, crp->crp_olen)); @ 1.66 log @Remove unused calls to nat_t_ports_get. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.65 2018/05/07 09:16:46 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.65 2018/05/07 09:16:46 maxv Exp $"); @ 1.66.2.1 log @Sync with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.67 2019/01/27 02:08:48 pgoyette Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.67 2019/01/27 02:08:48 pgoyette Exp $"); @ 1.66.2.2 log @Mostly merge changes from HEAD upto 20200411 @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD$"); d108 2 a109 2 DPRINTF("unsupported compression algorithm %d\n", sav->alg_comp); d153 1 a153 1 DPRINTF("no crypto descriptors\n"); d160 1 a160 1 DPRINTF("cannot allocate tdb_crypto\n"); d167 1 a167 1 DPRINTF("m_makewritable failed\n"); d282 1 a282 1 DPRINTF("crypto error %d\n", crp->crp_etype); d311 1 a311 1 DPRINTF("m_pullup failed\n"); d323 1 a323 1 DPRINTF("nested ipcomp, IPCA %s/%08lx\n", d325 1 a325 1 (u_long) ntohl(sav->spi)); d336 1 a336 1 DPRINTF("bad mbuf chain, IPCA %s/%08lx\n", d338 1 a338 1 (u_long) ntohl(sav->spi)); d369 1 a369 1 struct secasvar *sav, int skip, int protoff, int flags) d388 1 a388 1 return ipsec_process_done(m, isr, sav, 0); d409 2 a410 2 DPRINTF("unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", d413 1 a413 1 (u_long) ntohl(sav->spi)); d419 2 a420 2 DPRINTF("packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", d423 1 a423 1 skip + hlen + ralen, maxpacketsize); d434 2 a435 1 DPRINTF("cannot clone mbuf chain, IPCA %s/%08lx\n", d437 1 a437 1 (u_long) ntohl(sav->spi)); d448 2 a449 1 DPRINTF("failed to acquire crypto descriptor\n"); d468 1 a468 1 DPRINTF("failed to allocate tdb_crypto\n"); a499 1 tc->tc_flags = flags; d529 1 a529 1 int error, skip, rlen, roff, flags; d557 1 a557 1 DPRINTF("crypto error %d\n", crp->crp_etype); d569 2 a570 2 DPRINTF("failed to inject IPCOMP header for " "IPCA %s/%08lx\n", d572 1 a572 1 sizeof(buf)), (u_long) ntohl(sav->spi)); d619 1 a619 1 DPRINTF("unknown/unsupported protocol " d623 1 a623 1 sizeof(buf)), (u_long) ntohl(sav->spi)); d630 3 a632 2 DPRINTF("compression was useless: initial size was %d " "and compressed size is %d\n", rlen, crp->crp_olen); a634 1 flags = tc->tc_flags; d640 1 a640 1 error = ipsec_process_done(m, isr, sav, flags); @ 1.65 log @Remove unused 'mp' argument from all the xf_output functions. Also clean up xform.h a bit. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.64 2018/05/01 08:13:37 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.64 2018/05/01 08:13:37 maxv Exp $"); a252 2 uint16_t dport; uint16_t sport; a260 3 /* find the source port for NAT-T */ nat_t_ports_get(m, &dport, &sport); @ 1.64 log @Remove double include, opencrypto/xform.h is already included in netipsec/xform.h. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.63 2018/04/28 15:45:16 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.63 2018/04/28 15:45:16 maxv Exp $"); d374 1 a374 1 struct secasvar *sav, struct mbuf **mp, int skip, int protoff) @ 1.63 log @Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.62 2018/04/19 08:27:39 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.62 2018/04/19 08:27:39 maxv Exp $"); a72 1 #include @ 1.62 log @Remove extra long file paths from the headers. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.61 2018/04/19 07:58:26 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.61 2018/04/19 07:58:26 maxv Exp $"); a148 1 IPSEC_SPLASSERT_SOFTNET(__func__); a383 1 IPSEC_SPLASSERT_SOFTNET(__func__); @ 1.61 log @Add a KASSERT (which is not triggerable since ipsec_common_input already ensures 8 bytes are present), add an XXX (about the fact that it is better to use m_copydata, because it is faster and less error-prone), and improve two m_copybacks (remove useless casts). @ text @d1 2 a2 2 /* $NetBSD: xform_ipcomp.c,v 1.60 2018/03/10 17:48:32 maxv Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.60 2018/03/10 17:48:32 maxv Exp $"); @ 1.60 log @Fix the computation. Normally that's harmless since ip6_output recomputes ip6_plen. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.59 2018/02/16 09:24:55 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.59 2018/02/16 09:24:55 maxv Exp $"); d150 1 d311 5 a321 2 /* Keep the next protocol field */ d324 1 d350 1 a350 1 m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *)&nproto); d610 1 a610 1 m_copyback(m, tc->tc_protoff, sizeof(uint8_t), (u_char *)&prot); @ 1.59 log @Add [ah/esp/ipcomp]_enable sysctls, and remove the FreeBSD #ifdefs. Discussed with ozaki-r@@. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.58 2018/02/16 09:07:50 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.58 2018/02/16 09:07:50 maxv Exp $"); d617 1 a617 1 htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr); @ 1.59.2.1 log @Synch with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.60 2018/03/10 17:48:32 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.60 2018/03/10 17:48:32 maxv Exp $"); d617 1 a617 1 htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); @ 1.59.2.2 log @Sync with HEAD @ text @d1 2 a2 2 /* $NetBSD: xform_ipcomp.c,v 1.62 2018/04/19 08:27:39 maxv Exp $ */ /* $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.62 2018/04/19 08:27:39 maxv Exp $"); a149 1 KASSERT(skip + hlen <= m->m_pkthdr.len); a309 5 /* * Get the next protocol field. * * XXX: Really, we should use m_copydata instead of m_pullup. */ d316 2 a319 1 d345 1 a345 1 m_copyback(m, protoff, sizeof(nproto), &nproto); d605 1 a605 1 m_copyback(m, tc->tc_protoff, sizeof(prot), &prot); @ 1.59.2.3 log @Synch with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.64 2018/05/01 08:13:37 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.64 2018/05/01 08:13:37 maxv Exp $"); d73 1 d149 1 d385 1 @ 1.59.2.4 log @Sync with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.66 2018/05/13 18:34:59 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.66 2018/05/13 18:34:59 maxv Exp $"); d253 2 d263 3 d374 1 a374 1 struct secasvar *sav, int skip, int protoff) @ 1.58 log @Remove some more FreeBSD sysctl declarations that already have NetBSD counterparts. Discussed with ozaki-r@@. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.57 2018/02/15 13:51:32 maxv Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.57 2018/02/15 13:51:32 maxv Exp $"); a78 6 #ifdef __FreeBSD__ SYSCTL_DECL(_net_inet_ipcomp); SYSCTL_INT(_net_inet_ipcomp, OID_AUTO, ipcomp_enable, CTLFLAG_RW, &ipcomp_enable, 0, ""); #endif /* __FreeBSD__ */ @ 1.57 log @Style and simplify. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.56 2018/02/15 04:24:32 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.56 2018/02/15 04:24:32 ozaki-r Exp $"); a82 2 SYSCTL_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS, stats, CTLFLAG_RD, &ipcompstat, ipcompstat, ""); @ 1.56 log @Don't relook up an SP/SA in opencrpyto callbacks We don't need to do so because we have a reference to it. And also relooking-up one there may return an sp/sav that has different parameters from an original one. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.55 2018/02/14 09:13:03 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.55 2018/02/14 09:13:03 ozaki-r Exp $"); d77 1 a77 1 int ipcomp_enable = 1; d261 1 a261 1 void *addr; d306 2 a307 2 clen = crp->crp_olen; /* Length of data after processing */ d312 2 a313 1 crypto_freereq(crp), crp = NULL; d319 1 a319 1 IPCOMP_STATINC(IPCOMP_STAT_HDROPS); /*XXX*/ d321 1 a321 1 error = EINVAL; /*XXX*/ d326 2 a327 2 addr = (uint8_t*) mtod(m, struct ip *) + skip; nproto = ((struct ipcomp *) addr)->comp_nxt; d353 1 a353 1 m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *) &nproto); d360 1 d378 2 a379 8 ipcomp_output( struct mbuf *m, const struct ipsecrequest *isr, struct secasvar *sav, struct mbuf **mp, int skip, int protoff ) d393 4 a396 3 ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ /* Don't process the packet if it is too short */ d410 1 a410 1 maxpacketsize = IP_MAXPACKET; d412 1 a412 1 #endif /* INET */ d415 1 a415 1 maxpacketsize = IPV6_MAXPACKET; d417 1 a417 1 #endif /* INET6 */ d522 1 d526 1 a526 1 return (error); d595 2 a596 2 break; #endif /* INET */ d600 1 a600 1 break; d606 1 a606 1 cpi = sav->alg_enc; d621 1 a621 1 #endif /* INET */ d625 1 a625 1 htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr); d627 1 a627 1 #endif /* INET6 */ d641 3 a643 2 DPRINTF(("ipcomp_output_cb: compression was useless : initial size was %d" "and compressed size is %d\n", rlen, crp->crp_olen)); a645 1 d656 1 @ 1.55 log @Dedup common codes in error paths (NFCI) @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.54 2018/02/14 08:59:23 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.54 2018/02/14 08:59:23 ozaki-r Exp $"); a277 12 if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { KEY_SA_UNREF(&sav); sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } } a557 18 if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); IPSECLOG(LOG_DEBUG, "SP is being destroyed while in crypto (id=%u)\n", isr->sp->id); error = ENOENT; goto bad; } if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { KEY_SA_UNREF(&sav); sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } } @ 1.54 log @Fix mbuf leaks on error paths Pointed out by maxv@@ @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.53 2017/10/03 08:56:52 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.53 2017/10/03 08:56:52 ozaki-r Exp $"); d155 1 a155 1 int error, hlen = IPCOMP_HLENGTH; a161 1 m_freem(m); d163 2 a164 2 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); return ENOBUFS; a168 2 m_freem(m); crypto_freereq(crp); d170 2 a171 2 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); return ENOBUFS; d177 1 a177 5 m_freem(m); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); return error; d188 3 a190 5 m_freem(m); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_NOTDB); return ENOENT; d223 9 @ 1.53 log @Constify isr at many places (NFC) @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.52 2017/08/10 06:33:51 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.52 2017/08/10 06:33:51 ozaki-r Exp $"); d195 1 @ 1.52 log @Use pool_cache(9) instead of pool(9) for tdb_crypto objects The change improves network throughput especially on multi-core systems. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.51 2017/08/09 09:48:11 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.51 2017/08/09 09:48:11 ozaki-r Exp $"); d389 1 a389 1 struct ipsecrequest *isr, d550 1 a550 1 struct ipsecrequest *isr; @ 1.51 log @MP-ify SAD (savlist) localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.50 2017/08/03 06:32:51 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.50 2017/08/03 06:32:51 ozaki-r Exp $"); d92 1 a92 1 static struct pool ipcomp_tdb_crypto_pool; d168 1 a168 1 tc = pool_get(&ipcomp_tdb_crypto_pool, PR_NOWAIT); d181 1 a181 1 pool_put(&ipcomp_tdb_crypto_pool, tc); d195 1 a195 1 pool_put(&ipcomp_tdb_crypto_pool, tc); d321 1 a321 1 pool_put(&ipcomp_tdb_crypto_pool, tc); d377 1 a377 1 pool_put(&ipcomp_tdb_crypto_pool, tc); d490 1 a490 1 tc = pool_get(&ipcomp_tdb_crypto_pool, PR_NOWAIT); d508 1 a508 1 pool_put(&ipcomp_tdb_crypto_pool, tc); d678 1 a678 1 pool_put(&ipcomp_tdb_crypto_pool, tc); d694 1 a694 1 pool_put(&ipcomp_tdb_crypto_pool, tc); d714 3 a716 2 pool_init(&ipcomp_tdb_crypto_pool, sizeof(struct tdb_crypto), 0, 0, 0, "ipcomp_tdb_crypto", NULL, IPL_SOFTNET); @ 1.50 log @Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future KEY_SA_UNREF is still key_freesav so no functional change for now. This change reduces diff of further changes. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.49 2017/08/02 01:28:03 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.49 2017/08/02 01:28:03 ozaki-r Exp $"); d187 17 a228 1 KEY_SA_REF(sav); d502 5 a506 1 if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) { d515 1 a525 1 KEY_SA_REF(sav); @ 1.49 log @Make IPsec SPD MP-safe We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context. SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list. For more details please read the locking notes in key.c. Proposed on tech-kern@@ and tech-net@@ @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.48 2017/07/27 06:59:28 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.48 2017/07/27 06:59:28 ozaki-r Exp $"); d262 1 a262 1 KEY_FREESAV(&sav); d285 1 a285 1 KEY_FREESAV(&sav); d351 1 a351 1 KEY_FREESAV(&sav); d356 1 a356 1 KEY_FREESAV(&sav); d558 1 a558 1 KEY_FREESAV(&sav); d663 1 a663 1 KEY_FREESAV(&sav); d669 1 a669 1 KEY_FREESAV(&sav); @ 1.48 log @Don't acquire global locks for IPsec if NET_MPSAFE Note that the change is just to make testing easy and IPsec isn't MP-safe yet. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.47 2017/07/20 08:07:14 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.47 2017/07/20 08:07:14 ozaki-r Exp $"); d48 1 d483 15 a498 1 KEY_SP_REF(isr->sp); d664 1 a664 1 KEY_FREESP(&isr->sp); d670 1 a670 1 KEY_FREESP(&isr->sp); @ 1.47 log @Use pool to allocate tdb_crypto For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.46 2017/07/19 10:26:09 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.46 2017/07/19 10:26:09 ozaki-r Exp $"); a46 1 #include /* for softnet_lock */ d241 1 a241 1 int s, hlen = IPCOMP_HLENGTH, error, clen; d246 1 d257 1 a257 2 s = splsoftnet(); mutex_enter(softnet_lock); d285 1 a285 2 mutex_exit(softnet_lock); splx(s); d351 1 a351 2 mutex_exit(softnet_lock); splx(s); d356 1 a356 2 mutex_exit(softnet_lock); splx(s); d518 1 a518 1 int s, error, skip, rlen, roff; d522 1 d530 1 a530 2 s = splsoftnet(); mutex_enter(softnet_lock); d560 1 a560 2 mutex_exit(softnet_lock); splx(s); d650 1 a650 2 mutex_exit(softnet_lock); splx(s); d656 1 a656 2 mutex_exit(softnet_lock); splx(s); @ 1.46 log @Hold a reference to an SP during opencrypto processing An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP. We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed. In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.45 2017/07/19 09:38:57 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.45 2017/07/19 09:38:57 ozaki-r Exp $"); d48 1 d92 2 d168 1 a168 1 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); d181 1 a181 1 free(tc, M_XDATA); d306 2 a307 1 free(tc, M_XDATA), tc = NULL; d364 1 a364 1 free(tc, M_XDATA); d477 1 a477 1 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); d648 1 a648 1 free(tc, M_XDATA); d666 1 a666 1 free(tc, M_XDATA); d686 2 @ 1.45 log @Don't bother the case of crp->crp_buf == NULL in callbacks @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.44 2017/07/19 09:03:08 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.44 2017/07/19 09:03:08 ozaki-r Exp $"); d483 1 d534 8 d650 1 d657 1 @ 1.44 log @Don't release sav if calling crypto_dispatch again @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $"); d293 1 a293 7 /* Shouldn't happen... */ if (m == NULL) { IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); DPRINTF(("%s: null mbuf returned from crypto\n", __func__)); error = EINVAL; goto bad; } d560 1 a560 7 /* Shouldn't happen... */ if (m == NULL) { IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); DPRINTF(("%s: bogus return buffer from crypto\n", __func__)); error = EINVAL; goto bad; } @ 1.43 log @Prepare to stop using isr->sav isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav. However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $"); a556 1 KEY_FREESAV(&sav); @ 1.42 log @Pass sav directly to opencrypto callback In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.41 2017/07/07 01:37:34 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.41 2017/07/07 01:37:34 ozaki-r Exp $"); d379 1 a385 1 struct secasvar *sav; d393 1 a393 2 KASSERT(isr->sav != NULL); sav = isr->sav; d402 1 a402 1 return ipsec_process_done(m,isr); a548 1 KASSERTMSG(isr->sav == sav, "SA changed"); d652 1 a652 1 error = ipsec_process_done(m, isr); @ 1.41 log @Rename key_alloc* functions (NFC) We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.40 2017/07/05 03:44:59 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.40 2017/07/05 03:44:59 ozaki-r Exp $"); d147 1 a147 1 ipcomp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) d208 2 d257 11 a267 6 sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; d385 1 a385 1 const struct secasvar *sav; d495 2 d539 10 a548 6 sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @ 1.40 log @Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet. Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.39 2017/06/29 07:13:41 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.39 2017/06/29 07:13:41 ozaki-r Exp $"); d255 1 a255 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); d530 1 a530 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); @ 1.39 log @Apply C99-style struct initialization to xformsw @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.38 2017/05/11 05:55:14 ryo Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.38 2017/05/11 05:55:14 ryo Exp $"); a189 2 tc->tc_ptr = 0; d213 1 a213 1 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ d215 1 a215 1 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ d217 1 a217 1 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ d221 2 a222 2 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) d345 1 a345 1 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL); @ 1.38 log @Make ipsec_address() and ipsec_logsastr() mpsafe. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $"); d661 8 a668 4 XF_IPCOMP, XFT_COMP, "IPcomp", ipcomp_init, ipcomp_zeroize, ipcomp_input, ipcomp_output, NULL, @ 1.38.2.1 log @Pull up following revision(s) (requested by ozaki-r in ticket #300): crypto/dist/ipsec-tools/src/setkey/parse.y: 1.19 crypto/dist/ipsec-tools/src/setkey/token.l: 1.20 distrib/sets/lists/tests/mi: 1.754, 1.757, 1.759 doc/TODO.smpnet: 1.12-1.13 sys/net/pfkeyv2.h: 1.32 sys/net/raw_cb.c: 1.23-1.24, 1.28 sys/net/raw_cb.h: 1.28 sys/net/raw_usrreq.c: 1.57-1.58 sys/net/rtsock.c: 1.228-1.229 sys/netinet/in_proto.c: 1.125 sys/netinet/ip_input.c: 1.359-1.361 sys/netinet/tcp_input.c: 1.359-1.360 sys/netinet/tcp_output.c: 1.197 sys/netinet/tcp_var.h: 1.178 sys/netinet6/icmp6.c: 1.213 sys/netinet6/in6_proto.c: 1.119 sys/netinet6/ip6_forward.c: 1.88 sys/netinet6/ip6_input.c: 1.181-1.182 sys/netinet6/ip6_output.c: 1.193 sys/netinet6/ip6protosw.h: 1.26 sys/netipsec/ipsec.c: 1.100-1.122 sys/netipsec/ipsec.h: 1.51-1.61 sys/netipsec/ipsec6.h: 1.18-1.20 sys/netipsec/ipsec_input.c: 1.44-1.51 sys/netipsec/ipsec_netbsd.c: 1.41-1.45 sys/netipsec/ipsec_output.c: 1.49-1.64 sys/netipsec/ipsec_private.h: 1.5 sys/netipsec/key.c: 1.164-1.234 sys/netipsec/key.h: 1.20-1.32 sys/netipsec/key_debug.c: 1.18-1.21 sys/netipsec/key_debug.h: 1.9 sys/netipsec/keydb.h: 1.16-1.20 sys/netipsec/keysock.c: 1.59-1.62 sys/netipsec/keysock.h: 1.10 sys/netipsec/xform.h: 1.9-1.12 sys/netipsec/xform_ah.c: 1.55-1.74 sys/netipsec/xform_esp.c: 1.56-1.72 sys/netipsec/xform_ipcomp.c: 1.39-1.53 sys/netipsec/xform_ipip.c: 1.50-1.54 sys/netipsec/xform_tcp.c: 1.12-1.16 sys/rump/librump/rumpkern/Makefile.rumpkern: 1.170 sys/rump/librump/rumpnet/net_stub.c: 1.27 sys/sys/protosw.h: 1.67-1.68 tests/net/carp/t_basic.sh: 1.7 tests/net/if_gif/t_gif.sh: 1.11 tests/net/if_l2tp/t_l2tp.sh: 1.3 tests/net/ipsec/Makefile: 1.7-1.9 tests/net/ipsec/algorithms.sh: 1.5 tests/net/ipsec/common.sh: 1.4-1.6 tests/net/ipsec/t_ipsec_ah_keys.sh: 1.2 tests/net/ipsec/t_ipsec_esp_keys.sh: 1.2 tests/net/ipsec/t_ipsec_gif.sh: 1.6-1.7 tests/net/ipsec/t_ipsec_l2tp.sh: 1.6-1.7 tests/net/ipsec/t_ipsec_misc.sh: 1.8-1.18 tests/net/ipsec/t_ipsec_sockopt.sh: 1.1-1.2 tests/net/ipsec/t_ipsec_tcp.sh: 1.1-1.2 tests/net/ipsec/t_ipsec_transport.sh: 1.5-1.6 tests/net/ipsec/t_ipsec_tunnel.sh: 1.9 tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh: 1.1-1.2 tests/net/ipsec/t_ipsec_tunnel_odd.sh: 1.3 tests/net/mcast/t_mcast.sh: 1.6 tests/net/net/t_ipaddress.sh: 1.11 tests/net/net_common.sh: 1.20 tests/net/npf/t_npf.sh: 1.3 tests/net/route/t_flags.sh: 1.20 tests/net/route/t_flags6.sh: 1.16 usr.bin/netstat/fast_ipsec.c: 1.22 Do m_pullup before mtod It may fix panicks of some tests on anita/sparc and anita/GuruPlug. --- KNF --- Enable DEBUG for babylon5 --- Apply C99-style struct initialization to xformsw --- Tweak outputs of netstat -s for IPsec - Get rid of "Fast" - Use ipsec and ipsec6 for titles to clarify protocol - Indent outputs of sub protocols Original outputs were organized like this: (Fast) IPsec: IPsec ah: IPsec esp: IPsec ipip: IPsec ipcomp: (Fast) IPsec: IPsec ah: IPsec esp: IPsec ipip: IPsec ipcomp: New outputs are organized like this: ipsec: ah: esp: ipip: ipcomp: ipsec6: ah: esp: ipip: ipcomp: --- Add test cases for IPComp --- Simplify IPSEC_OSTAT macro (NFC) --- KNF; replace leading whitespaces with hard tabs --- Introduce and use SADB_SASTATE_USABLE_P --- KNF --- Add update command for testing Updating an SA (SADB_UPDATE) requires that a process issuing SADB_UPDATE is the same as a process issued SADB_ADD (or SADB_GETSPI). This means that update command must be used with add command in a configuration of setkey. This usage is normally meaningless but useful for testing (and debugging) purposes. --- Add test cases for updating SA/SP The tests require newly-added udpate command of setkey. --- PR/52346: Frank Kardel: Fix checksumming for NAT-T See XXX for improvements. --- Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet. Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code. --- Fix usages of sadb_msg_errno --- Avoid updating sav directly On SADB_UPDATE a target sav was updated directly, which was unsafe. Instead allocate another sav, copy variables of the old sav to the new one and replace the old one with the new one. --- Simplify; we can assume sav->tdb_xform cannot be NULL while it's valid --- Rename key_alloc* functions (NFC) We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory. --- Use explicit_memset to surely zero-clear key_auth and key_enc --- Make sure to clear keys on error paths of key_setsaval --- Add missing KEY_FREESAV --- Make sure a sav is inserted to a sah list after its initialization completes --- Remove unnecessary zero-clearing codes from key_setsaval key_setsaval is now used only for a newly-allocated sav. (It was used to reset variables of an existing sav.) --- Correct wrong assumption of sav->refcnt in key_delsah A sav in a list is basically not to be sav->refcnt == 0. And also KEY_FREESAV assumes sav->refcnt > 0. --- Let key_getsavbyspi take a reference of a returning sav --- Use time_mono_to_wall (NFC) --- Separate sending message routine (NFC) --- Simplify; remove unnecessary zero-clears key_freesaval is used only when a target sav is being destroyed. --- Omit NULL checks for sav->lft_c sav->lft_c can be NULL only when initializing or destroying sav. --- Omit unnecessary NULL checks for sav->sah --- Omit unnecessary check of sav->state key_allocsa_policy picks a sav of either MATURE or DYING so we don't need to check its state again. --- Simplify; omit unnecessary saidx passing - ipsec_nextisr returns a saidx but no caller uses it - key_checkrequest is passed a saidx but it can be gotton by another argument (isr) --- Fix splx isn't called on some error paths --- Fix header size calculation of esp where sav is NULL --- Fix header size calculation of ah in the case sav is NULL This fix was also needed for esp. --- Pass sav directly to opencrypto callback In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead. --- Avoid examining freshness of sav on packet processing If a sav list is sorted (by lft_c->sadb_lifetime_addtime) in advance, we don't need to examine each sav and also don't need to delete one on the fly and send up a message. Fortunately every sav lists are sorted as we need. Added key_validate_savlist validates that each sav list is surely sorted (run only if DEBUG because it's not cheap). --- Add test cases for SAs with different SPIs --- Prepare to stop using isr->sav isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav. However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav. --- Fix wrong argument handling --- fix printf format. --- Don't validate sav lists of LARVAL or DEAD states We don't sort the lists so the validation will always fail. Fix PR kern/52405 --- Make sure to sort the list when changing the state by key_sa_chgstate --- Rename key_allocsa_policy to key_lookup_sa_bysaidx --- Separate test files --- Calculate ah_max_authsize on initialization as well as esp_max_ivlen --- Remove m_tag_find(PACKET_TAG_IPSEC_PENDING_TDB) because nobody sets the tag --- Restore a comment removed in previous The comment is valid for the below code. --- Make tests more stable sleep command seems to wait longer than expected on anita so use polling to wait for a state change. --- Add tests that explicitly delete SAs instead of waiting for expirations --- Remove invalid M_AUTHIPDGM check on ESP isr->sav M_AUTHIPDGM flag is set to a mbuf in ah_input_cb. An sav of ESP can have AH authentication as sav->tdb_authalgxform. However, in that case esp_input and esp_input_cb are used to do ESP decryption and AH authentication and M_AUTHIPDGM never be set to a mbuf. So checking M_AUTHIPDGM of a mbuf on isr->sav of ESP is meaningless. --- Look up sav instead of relying on unstable sp->req->sav This code is executed only in an error path so an additional lookup doesn't matter. --- Correct a comment --- Don't release sav if calling crypto_dispatch again --- Remove extra KEY_FREESAV from ipsec_process_done It should be done by the caller. --- Don't bother the case of crp->crp_buf == NULL in callbacks --- Hold a reference to an SP during opencrypto processing An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP. We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed. In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing. --- Don't make SAs expired on tests that delete SAs explicitly --- Fix a debug message --- Dedup error paths (NFC) --- Use pool to allocate tdb_crypto For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins. --- Don't use unstable isr->sav for header size calculations We may need to optimize to not look up sav here for users that don't need to know an exact size of headers (e.g., TCP segmemt size caclulation). --- Don't use sp->req->sav when handling NAT-T ESP fragmentation In order to do this we need to look up a sav however an additional look-up degrades performance. A sav is later looked up in ipsec4_process_packet so delay the fragmentation check until then to avoid an extra look-up. --- Don't use key_lookup_sp that depends on unstable sp->req->sav It provided a fast look-up of SP. We will provide an alternative method in the future (after basic MP-ification finishes). --- Stop setting isr->sav on looking up sav in key_checkrequest --- Remove ipsecrequest#sav --- Stop setting mtag of PACKET_TAG_IPSEC_IN_DONE because there is no users anymore --- Skip ipsec_spi_*_*_preferred_new_timeout when running on qemu Probably due to PR 43997 --- Add localcount to rump kernels --- Remove unused macro --- Fix key_getcomb_setlifetime The fix adjusts a soft limit to be 80% of a corresponding hard limit. I'm not sure the fix is really correct though, at least the original code is wrong. A passed comb is zero-cleared before calling key_getcomb_setlifetime, so comb->sadb_comb_soft_addtime = comb->sadb_comb_soft_addtime * 80 / 100; is meaningless. --- Provide and apply key_sp_refcnt (NFC) It simplifies further changes. --- Fix indentation Pointed out by knakahara@@ --- Use pslist(9) for sptree --- Don't acquire global locks for IPsec if NET_MPSAFE Note that the change is just to make testing easy and IPsec isn't MP-safe yet. --- Let PF_KEY socks hold their own lock instead of softnet_lock Operations on SAD and SPD are executed via PF_KEY socks. The operations include deletions of SAs and SPs that will use synchronization mechanisms such as pserialize_perform to wait for references to SAs and SPs to be released. It is known that using such mechanisms with holding softnet_lock causes a dead lock. We should avoid the situation. --- Make IPsec SPD MP-safe We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context. SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list. For more details please read the locking notes in key.c. Proposed on tech-kern@@ and tech-net@@ --- Fix updating ipsec_used - key_update_used wasn't called in key_api_spddelete2 and key_api_spdflush - key_update_used wasn't called if an SP had been added/deleted but a reply to userland failed --- Fix updating ipsec_used; turn on when SPs on sockets are added --- Add missing IPsec policy checks to icmp6_rip6_input icmp6_rip6_input is quite similar to rip6_input and the same checks exist in rip6_input. --- Add test cases for setsockopt(IP_IPSEC_POLICY) --- Don't use KEY_NEWSP for dummy SP entries By the change KEY_NEWSP is now not called from softint anymore and we can use kmem_zalloc with KM_SLEEP for KEY_NEWSP. --- Comment out unused functions --- Add test cases that there are SPs but no relevant SAs --- Don't allow sav->lft_c to be NULL lft_c of an sav that was created by SADB_GETSPI could be NULL. --- Clean up clunky eval strings - Remove unnecessary \ at EOL - This allows to omit ; too - Remove unnecessary quotes for arguments of atf_set - Don't expand $DEBUG in eval - We expect it's expanded on execution Suggested by kre@@ --- Remove unnecessary KEY_FREESAV in an error path sav should be freed (unreferenced) by the caller. --- Use pslist(9) for sahtree --- Use pslist(9) for sah->savtree --- Rename local variable newsah to sah It may not be new. --- MP-ify SAD slightly - Introduce key_sa_mtx and use it for some list operations - Use pserialize for some list iterations --- Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future KEY_SA_UNREF is still key_freesav so no functional change for now. This change reduces diff of further changes. --- Remove out-of-date log output Pointed out by riastradh@@ --- Use KDASSERT instead of KASSERT for mutex_ownable Because mutex_ownable is too heavy to run in a fast path even for DIAGNOSTIC + LOCKDEBUG. Suggested by riastradh@@ --- Assemble global lists and related locks into cache lines (NFCI) Also rename variable names from *tree to *list because they are just lists, not trees. Suggested by riastradh@@ --- Move locking notes --- Update the locking notes - Add locking order - Add locking notes for misc lists such as reglist - Mention pserialize, key_sp_ref and key_sp_unref on SP operations Requested by riastradh@@ --- Describe constraints of key_sp_ref and key_sp_unref Requested by riastradh@@ --- Hold key_sad.lock on SAVLIST_WRITER_INSERT_TAIL --- Add __read_mostly to key_psz Suggested by riastradh@@ --- Tweak wording (pserialize critical section => pserialize read section) Suggested by riastradh@@ --- Add missing mutex_exit --- Fix setkey -D -P outputs The outputs were tweaked (by me), but I forgot updating libipsec in my local ATF environment... --- MP-ify SAD (key_sad.sahlist and sah entries) localcount(9) is used to protect key_sad.sahlist and sah entries as well as SPD (and will be used for SAD sav). Please read the locking notes of SAD for more details. --- Introduce key_sa_refcnt and replace sav->refcnt with it (NFC) --- Destroy sav only in the loop for DEAD sav --- Fix KASSERT(solocked(sb->sb_so)) failure in sbappendaddr that is called eventually from key_sendup_mbuf If key_sendup_mbuf isn't passed a socket, the assertion fails. Originally in this case sb->sb_so was softnet_lock and callers held softnet_lock so the assertion was magically satisfied. Now sb->sb_so is key_so_mtx and also softnet_lock isn't always held by callers so the assertion can fail. Fix it by holding key_so_mtx if key_sendup_mbuf isn't passed a socket. Reported by knakahara@@ Tested by knakahara@@ and ozaki-r@@ --- Fix locking notes of SAD --- Fix deadlock between key_sendup_mbuf called from key_acquire and localcount_drain If we call key_sendup_mbuf from key_acquire that is called on packet processing, a deadlock can happen like this: - At key_acquire, a reference to an SP (and an SA) is held - key_sendup_mbuf will try to take key_so_mtx - Some other thread may try to localcount_drain to the SP with holding key_so_mtx in say key_api_spdflush - In this case localcount_drain never return because key_sendup_mbuf that has stuck on key_so_mtx never release a reference to the SP Fix the deadlock by deferring key_sendup_mbuf to the timer (key_timehandler). --- Fix that prev isn't cleared on retry --- Limit the number of mbufs queued for deferred key_sendup_mbuf It's easy to be queued hundreds of mbufs on the list under heavy network load. --- MP-ify SAD (savlist) localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details. --- Simplify ipsec_reinject_ipstack (NFC) --- Add per-CPU rtcache to ipsec_reinject_ipstack It reduces route lookups and also reduces rtcache lock contentions when NET_MPSAFE is enabled. --- Use pool_cache(9) instead of pool(9) for tdb_crypto objects The change improves network throughput especially on multi-core systems. --- Update ipsec(4), opencrypto(9) and vlan(4) are now MP-safe. --- Write known issues on scalability --- Share a global dummy SP between PCBs It's never be changed so it can be pre-allocated and shared safely between PCBs. --- Fix race condition on the rawcb list shared by rtsock and keysock keysock now protects itself by its own mutex, which means that the rawcb list is protected by two different mutexes (keysock's one and softnet_lock for rtsock), of course it's useless. Fix the situation by having a discrete rawcb list for each. --- Use a dedicated mutex for rt_rawcb instead of softnet_lock if NET_MPSAFE --- fix localcount leak in sav. fixed by ozaki-r@@n.o. I commit on behalf of him. --- remove unnecessary comment. --- Fix deadlock between pserialize_perform and localcount_drain A typical ussage of localcount_drain looks like this: mutex_enter(&mtx); item = remove_from_list(); pserialize_perform(psz); localcount_drain(&item->localcount, &cv, &mtx); mutex_exit(&mtx); This sequence can cause a deadlock which happens for example on the following situation: - Thread A calls localcount_drain which calls xc_broadcast after releasing a specified mutex - Thread B enters the sequence and calls pserialize_perform with holding the mutex while pserialize_perform also calls xc_broadcast - Thread C (xc_thread) that calls an xcall callback of localcount_drain tries to hold the mutex xc_broadcast of thread B doesn't start until xc_broadcast of thread A finishes, which is a feature of xcall(9). This means that pserialize_perform never complete until xc_broadcast of thread A finishes. On the other hand, thread C that is a callee of xc_broadcast of thread A sticks on the mutex. Finally the threads block each other (A blocks B, B blocks C and C blocks A). A possible fix is to serialize executions of the above sequence by another mutex, but adding another mutex makes the code complex, so fix the deadlock by another way; the fix is to release the mutex before pserialize_perform and instead use a condvar to prevent pserialize_perform from being called simultaneously. Note that the deadlock has happened only if NET_MPSAFE is enabled. --- Add missing ifdef NET_MPSAFE --- Take softnet_lock on pr_input properly if NET_MPSAFE Currently softnet_lock is taken unnecessarily in some cases, e.g., icmp_input and encap4_input from ip_input, or not taken even if needed, e.g., udp_input and tcp_input from ipsec4_common_input_cb. Fix them. NFC if NET_MPSAFE is disabled (default). --- - sanitize key debugging so that we don't print extra newlines or unassociated debugging messages. - remove unused functions and make internal ones static - print information in one line per message --- humanize printing of ip addresses --- cast reduction, NFC. --- Fix typo in comment --- Pull out ipsec_fill_saidx_bymbuf (NFC) --- Don't abuse key_checkrequest just for looking up sav It does more than expected for example key_acquire. --- Fix SP is broken on transport mode isr->saidx was modified accidentally in ipsec_nextisr. Reported by christos@@ Helped investigations by christos@@ and knakahara@@ --- Constify isr at many places (NFC) --- Include socketvar.h for softnet_lock --- Fix buffer length for ipsec_logsastr @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.53 2017/10/03 08:56:52 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.53 2017/10/03 08:56:52 ozaki-r Exp $"); d47 1 a47 2 #include #include a90 2 static pool_cache_t ipcomp_tdb_crypto_pool_cache; d147 1 a147 1 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) d165 1 a165 1 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT); d178 1 a178 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); a183 17 { int s = pserialize_read_enter(); /* * Take another reference to the SA for opencrypto callback. */ if (__predict_false(sav->state == SADB_SASTATE_DEAD)) { pserialize_read_exit(s); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_NOTDB); return ENOENT; } KEY_SA_REF(sav); pserialize_read_exit(s); } d190 2 a209 1 tc->tc_sav = sav; d215 1 a215 1 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do { \ d217 1 a217 1 error = ipsec6_common_input_cb(m, sav, skip, protoff); \ d219 1 a219 1 error = ipsec4_common_input_cb(m, sav, skip, protoff); \ d223 2 a224 2 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) \ (error = ipsec4_common_input_cb(m, sav, skip, protoff)) d239 1 a239 1 int hlen = IPCOMP_HLENGTH, error, clen; a243 1 IPSEC_DECLARE_LOCK_VARIABLE; d254 2 a255 1 IPSEC_ACQUIRE_GLOBAL_LOCKS(); d257 6 a262 11 sav = tc->tc_sav; if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { KEY_SA_UNREF(&sav); sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } d277 3 a279 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d288 7 a294 1 d304 1 a304 2 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); tc = NULL; d347 1 a347 1 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff); d349 3 a351 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d355 3 a357 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d361 1 a361 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); d373 1 a373 2 const struct ipsecrequest *isr, struct secasvar *sav, d380 1 d388 2 a389 1 KASSERT(sav != NULL); d398 1 a398 1 return ipsec_process_done(m, isr, sav); d475 1 a475 1 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT); a483 20 { int s = pserialize_read_enter(); /* * Take another reference to the SP and the SA for opencrypto callback. */ if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD || sav->state == SADB_SASTATE_DEAD)) { pserialize_read_exit(s); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_NOTDB); error = ENOENT; goto bad; } KEY_SP_REF(isr->sp); KEY_SA_REF(sav); pserialize_read_exit(s); } a489 1 tc->tc_sav = sav; d514 1 a514 1 const struct ipsecrequest *isr; d517 1 a517 1 int error, skip, rlen, roff; a520 1 IPSEC_DECLARE_LOCK_VARIABLE; d528 2 a529 1 IPSEC_ACQUIRE_GLOBAL_LOCKS(); d532 2 a533 2 sav = tc->tc_sav; if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) { d535 2 a536 4 IPSECLOG(LOG_DEBUG, "SP is being destroyed while in crypto (id=%u)\n", isr->sp->id); error = ENOENT; d539 1 a539 10 if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { KEY_SA_UNREF(&sav); sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } } d548 3 a550 1 IPSEC_RELEASE_GLOBAL_LOCKS(); d558 7 a564 1 d639 1 a639 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); d643 4 a646 4 error = ipsec_process_done(m, isr, sav); KEY_SA_UNREF(&sav); KEY_SP_UNREF(&isr->sp); IPSEC_RELEASE_GLOBAL_LOCKS(); d650 3 a652 3 KEY_SA_UNREF(&sav); KEY_SP_UNREF(&isr->sp); IPSEC_RELEASE_GLOBAL_LOCKS(); d655 1 a655 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); d661 4 a664 8 .xf_type = XF_IPCOMP, .xf_flags = XFT_COMP, .xf_name = "IPcomp", .xf_init = ipcomp_init, .xf_zeroize = ipcomp_zeroize, .xf_input = ipcomp_input, .xf_output = ipcomp_output, .xf_next = NULL, a670 3 ipcomp_tdb_crypto_pool_cache = pool_cache_init(sizeof(struct tdb_crypto), coherency_unit, 0, 0, "ipcomp_tdb_crypto", NULL, IPL_SOFTNET, NULL, NULL, NULL); @ 1.38.2.2 log @Pull up following revision(s) (requested by ozaki-r in ticket #587): sys/netipsec/xform_ipcomp.c: revision 1.54-1.56 sys/netipsec/xform_ah.c: revision 1.78,1.79(patch),1.82-1.84 sys/netipsec/xform_esp.c: revision 1.74-1.76 Fix mbuf leaks on error paths Dedup common codes in error paths (NFCI) Don't relook up an SP/SA in opencrpyto callbacks We don't need to do so because we have a reference to it. And also relooking-up one there may return an sp/sav that has different parameters from an original one. Fix kernel panic (assertion failure) on receiving an IPv6 packet with large options If an IPv6 packet has large options, a necessary space for evacuation can exceed the expected size (ah_pool_item_size). Give up using the pool_cache if it happens. Style. Commonalize error paths (NFC) Fix buffer overflow on sending an IPv6 packet with large options If an IPv6 packet has large options, a necessary space for evacuation can exceed the expected size (ah_pool_item_size). Give up using the pool_cache if it happens. Pointed out by maxv@@ @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.38.2.1 2017/10/21 19:43:54 snj Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.38.2.1 2017/10/21 19:43:54 snj Exp $"); d155 1 a155 1 int error, hlen = IPCOMP_HLENGTH, stat = IPCOMP_STAT_CRYPTO; d162 1 d164 2 a165 2 error = ENOBUFS; goto error_m; d170 2 d173 2 a174 2 error = ENOBUFS; goto error_crp; d180 5 a184 1 goto error_tc; d195 4 a198 3 stat = IPCOMP_STAT_NOTDB; error = ENOENT; goto error_tc; a230 9 error_tc: pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); error_crp: crypto_freereq(crp); error_m: m_freem(m); IPCOMP_STATINC(stat); return error; d277 12 d569 18 @ 1.37 log @Retire ipsec_osdep.h We don't need to care other OSes (FreeBSD) anymore. Some macros are alive in ipsec_private.h. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.36 2017/04/18 05:26:42 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.36 2017/04/18 05:26:42 ozaki-r Exp $"); d233 1 d326 1 a326 1 ipsec_address(&sav->sah->saidx.dst), d339 2 a340 2 ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); d379 1 d422 1 a422 1 ipsec_address(&sav->sah->saidx.dst), d431 1 a431 1 ipsec_address(&sav->sah->saidx.dst), d445 2 a446 1 __func__, ipsec_address(&sav->sah->saidx.dst), d512 1 d574 2 a575 2 ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); d625 2 a626 2 ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @ 1.37.2.1 log @Resolve conflicts from previous merge (all resulting from $NetBSD keywork expansion) @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.38 2017/05/11 05:55:14 ryo Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.38 2017/05/11 05:55:14 ryo Exp $"); a232 1 char buf[IPSEC_ADDRSTRLEN]; d325 1 a325 1 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d338 2 a339 2 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); a377 1 char buf[IPSEC_ADDRSTRLEN]; d420 1 a420 1 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d429 1 a429 1 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d443 1 a443 2 __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), a508 1 char buf[IPSEC_ADDRSTRLEN]; d570 2 a571 2 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); d621 2 a622 2 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); @ 1.36 log @Convert IPSEC_ASSERT to KASSERT or KASSERTMSG IPSEC_ASSERT just discarded specified message... @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.35 2017/04/18 05:25:32 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.35 2017/04/18 05:25:32 ozaki-r Exp $"); a69 2 #include d663 1 a663 1 INITFN void @ 1.35 log @Remove __FreeBSD__ and __NetBSD__ switches No functional changes (except for a debug printf). Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.34 2017/04/15 22:01:57 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.34 2017/04/15 22:01:57 christos Exp $"); d246 1 a247 2 IPSEC_ASSERT(tc != NULL, ("%s: null opaque crypto data area!", __func__)); d267 3 a269 4 IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, ("%s: unexpected protocol family %u", __func__, saidx->dst.sa.sa_family)); d388 1 d390 1 a390 1 IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__)); a391 1 IPSEC_ASSERT(ipcompx != NULL, ("%s: null compression xform", __func__)); d520 1 a520 1 a521 1 IPSEC_ASSERT(tc != NULL, ("%s: null opaque data area!", __func__)); d537 1 a537 1 IPSEC_ASSERT(isr->sav == sav, ("%s: SA changed", __func__)); @ 1.34 log @cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.33 2017/04/13 16:38:32 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.33 2017/04/13 16:38:32 christos Exp $"); a37 3 #ifdef __FreeBSD__ #include "opt_inet6.h" #endif a673 4 #ifdef __FreeBSD__ SYSINIT(ipcomp_xform_init, SI_SUB_DRIVERS, SI_ORDER_FIRST, ipcomp_attach, NULL) #endif /* __FreeBSD__ */ @ 1.33 log @Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.32 2017/04/06 09:20:07 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.32 2017/04/06 09:20:07 ozaki-r Exp $"); d119 2 a120 2 DPRINTF(("ipcomp_init: unsupported compression algorithm %d\n", sav->alg_comp)); d128 1 a128 1 memset(&cric, 0, sizeof (cric)); d159 1 a159 1 IPSEC_SPLASSERT_SOFTNET("ipcomp_input"); d165 1 a165 1 DPRINTF(("ipcomp_input: no crypto descriptors\n")); d170 1 a170 1 tc = (struct tdb_crypto *) malloc(sizeof (*tc), M_XDATA, M_NOWAIT|M_ZERO); d174 1 a174 1 DPRINTF(("ipcomp_input: cannot allocate tdb_crypto\n")); d181 1 a181 1 DPRINTF(("ipcomp_input: m_makewritable failed\n")); d244 1 a244 1 u_int8_t nproto; d246 2 a247 2 u_int16_t dport; u_int16_t sport; d249 3 a251 2 tc = (struct tdb_crypto *) crp->crp_opaque; IPSEC_ASSERT(tc != NULL, ("ipcomp_input_cb: null opaque crypto data area!")); d254 1 a254 1 m = (struct mbuf *) crp->crp_buf; d265 1 a265 1 DPRINTF(("ipcomp_input_cb: SA expired while in crypto\n")); d273 1 a273 1 ("ipcomp_input_cb: unexpected protocol family %u", d290 1 a290 1 DPRINTF(("ipcomp_input_cb: crypto error %d\n", crp->crp_etype)); d297 1 a297 1 DPRINTF(("ipcomp_input_cb: null mbuf returned from crypto\n")); d318 1 a318 1 DPRINTF(("ipcomp_input_cb: m_pullup failed\n")); d326 4 a329 1 if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { d331 3 a333 3 DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); d336 2 d344 1 a344 1 DPRINTF(("ipcomp_input_cb: bad mbuf chain, IPCA %s/%08lx\n", d351 1 a351 1 m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto); d392 1 a392 1 IPSEC_SPLASSERT_SOFTNET("ipcomp_output"); d394 1 a394 1 IPSEC_ASSERT(sav != NULL, ("ipcomp_output: null SA")); d396 1 a396 1 IPSEC_ASSERT(ipcompx != NULL, ("ipcomp_output: null compression xform")); d424 2 a425 2 DPRINTF(("ipcomp_output: unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", d434 2 a435 2 DPRINTF(("ipcomp_output: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", d449 2 a450 2 DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), d462 2 a463 1 DPRINTF(("ipcomp_output: failed to acquire crypto descriptor\n")); d479 1 a479 2 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), M_XDATA, M_NOWAIT|M_ZERO); d482 1 a482 1 DPRINTF(("ipcomp_output: failed to allocate tdb_crypto\n")); d521 2 a522 2 u_int8_t prot; u_int16_t cpi; d526 3 a528 3 tc = (struct tdb_crypto *) crp->crp_opaque; IPSEC_ASSERT(tc != NULL, ("ipcomp_output_cb: null opaque data area!")); m = (struct mbuf *) crp->crp_buf; d539 1 a539 1 DPRINTF(("ipcomp_output_cb: SA expired while in crypto\n")); d543 1 a543 1 IPSEC_ASSERT(isr->sav == sav, ("ipcomp_output_cb: SA changed\n")); d558 1 a558 1 DPRINTF(("ipcomp_output_cb: crypto error %d\n", crp->crp_etype)); d565 1 a565 1 DPRINTF(("ipcomp_output_cb: bogus return buffer from crypto\n")); d576 4 a579 4 DPRINTF(("ipcomp_output: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); d609 1 a609 1 m_copyback(m, tc->tc_protoff, sizeof(u_int8_t), (u_char *)&prot); @ 1.32 log @Prepare netipsec for rump-ification - Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.31 2013/11/03 18:37:10 mrg Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.31 2013/11/03 18:37:10 mrg Exp $"); d94 2 a98 2 if (alg >= IPCOMP_ALG_MAX) return NULL; d300 1 a300 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + sav->alg_comp); d563 1 a563 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + sav->alg_comp); @ 1.31 log @- apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.30 2013/06/04 22:47:37 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.30 2013/06/04 22:47:37 christos Exp $"); d36 1 d41 1 @ 1.31.6.1 log @Sync with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.52 2017/08/10 06:33:51 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.52 2017/08/10 06:33:51 ozaki-r Exp $"); a35 1 #if defined(_KERNEL_OPT) d37 2 d48 1 a48 2 #include #include d71 2 a91 4 const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT }; static pool_cache_t ipcomp_tdb_crypto_pool_cache; d95 2 d117 2 a118 2 DPRINTF(("%s: unsupported compression algorithm %d\n", __func__, sav->alg_comp)); d126 1 a126 1 memset(&cric, 0, sizeof(cric)); d150 1 a150 1 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) d157 1 a157 1 IPSEC_SPLASSERT_SOFTNET(__func__); d163 1 a163 1 DPRINTF(("%s: no crypto descriptors\n", __func__)); d168 1 a168 1 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT); d172 1 a172 1 DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); d179 1 a179 1 DPRINTF(("%s: m_makewritable failed\n", __func__)); d181 1 a181 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); a186 17 { int s = pserialize_read_enter(); /* * Take another reference to the SA for opencrypto callback. */ if (__predict_false(sav->state == SADB_SASTATE_DEAD)) { pserialize_read_exit(s); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_NOTDB); return ENOENT; } KEY_SA_REF(sav); pserialize_read_exit(s); } d193 2 a212 1 tc->tc_sav = sav; d218 1 a218 1 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do { \ d220 1 a220 1 error = ipsec6_common_input_cb(m, sav, skip, protoff); \ d222 1 a222 1 error = ipsec4_common_input_cb(m, sav, skip, protoff); \ d226 2 a227 2 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) \ (error = ipsec4_common_input_cb(m, sav, skip, protoff)) a235 1 char buf[IPSEC_ADDRSTRLEN]; d241 2 a242 2 int hlen = IPCOMP_HLENGTH, error, clen; uint8_t nproto; d244 2 a245 3 uint16_t dport; uint16_t sport; IPSEC_DECLARE_LOCK_VARIABLE; d247 2 a248 2 KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; d251 1 a251 1 m = crp->crp_buf; d256 2 a257 1 IPSEC_ACQUIRE_GLOBAL_LOCKS(); d259 6 a264 11 sav = tc->tc_sav; if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { KEY_SA_UNREF(&sav); sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } d268 4 a271 3 KASSERTMSG(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, "unexpected protocol family %u", saidx->dst.sa.sa_family); d280 3 a282 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d287 1 a287 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d291 8 a298 2 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); d307 1 a307 2 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); tc = NULL; d315 1 a315 1 DPRINTF(("%s: m_pullup failed\n", __func__)); d323 1 a323 4 switch (nproto) { case IPPROTO_IPCOMP: case IPPROTO_AH: case IPPROTO_ESP: d325 3 a327 3 DPRINTF(("%s: nested ipcomp, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); a329 2 default: break; d336 3 a338 3 DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); d343 1 a343 1 m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *) &nproto); d345 1 a345 1 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff); d347 3 a349 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d353 3 a355 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d359 1 a359 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); a371 1 struct secasvar *sav, d377 1 a377 1 char buf[IPSEC_ADDRSTRLEN]; d384 3 a386 3 IPSEC_SPLASSERT_SOFTNET(__func__); KASSERT(sav != NULL); KASSERT(sav->tdb_compalgxform != NULL); d388 1 d395 1 a395 1 return ipsec_process_done(m, isr, sav); d416 2 a417 2 DPRINTF(("%s: unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", __func__, d419 1 a419 1 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d426 3 a428 3 DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d441 2 a442 3 DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d454 1 a454 2 DPRINTF(("%s: failed to acquire crypto descriptor\n", __func__)); d470 2 a471 1 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT); d474 1 a474 1 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); a479 20 { int s = pserialize_read_enter(); /* * Take another reference to the SP and the SA for opencrypto callback. */ if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD || sav->state == SADB_SASTATE_DEAD)) { pserialize_read_exit(s); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_NOTDB); error = ENOENT; goto bad; } KEY_SP_REF(isr->sp); KEY_SA_REF(sav); pserialize_read_exit(s); } a485 1 tc->tc_sav = sav; a507 1 char buf[IPSEC_ADDRSTRLEN]; d512 3 a514 3 int error, skip, rlen, roff; uint8_t prot; uint16_t cpi; a515 1 IPSEC_DECLARE_LOCK_VARIABLE; d517 4 a520 3 KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; m = crp->crp_buf; d524 2 a525 1 IPSEC_ACQUIRE_GLOBAL_LOCKS(); d528 2 a529 2 sav = tc->tc_sav; if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) { d531 2 a532 4 IPSECLOG(LOG_DEBUG, "SP is being destroyed while in crypto (id=%u)\n", isr->sp->id); error = ENOENT; d535 1 a535 10 if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { KEY_SA_UNREF(&sav); sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } } d544 3 a546 1 IPSEC_RELEASE_GLOBAL_LOCKS(); d550 1 a550 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d554 8 a561 2 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); d568 4 a571 4 DPRINTF(("%s: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); d601 1 a601 1 m_copyback(m, tc->tc_protoff, sizeof(uint8_t), (u_char *)&prot); d621 2 a622 2 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); d635 1 a635 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); d639 4 a642 4 error = ipsec_process_done(m, isr, sav); KEY_SA_UNREF(&sav); KEY_SP_UNREF(&isr->sp); IPSEC_RELEASE_GLOBAL_LOCKS(); d646 3 a648 3 KEY_SA_UNREF(&sav); KEY_SP_UNREF(&isr->sp); IPSEC_RELEASE_GLOBAL_LOCKS(); d651 1 a651 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); d657 4 a660 8 .xf_type = XF_IPCOMP, .xf_flags = XFT_COMP, .xf_name = "IPcomp", .xf_init = ipcomp_init, .xf_zeroize = ipcomp_zeroize, .xf_input = ipcomp_input, .xf_output = ipcomp_output, .xf_next = NULL, d663 1 a663 1 void a666 3 ipcomp_tdb_crypto_pool_cache = pool_cache_init(sizeof(struct tdb_crypto), coherency_unit, 0, 0, "ipcomp_tdb_crypto", NULL, IPL_SOFTNET, NULL, NULL, NULL); d669 4 @ 1.31.10.1 log @Sync with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $"); a35 1 #if defined(_KERNEL_OPT) d37 2 d71 2 a91 2 const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT }; d95 2 d117 2 a118 2 DPRINTF(("%s: unsupported compression algorithm %d\n", __func__, sav->alg_comp)); d126 1 a126 1 memset(&cric, 0, sizeof(cric)); d157 1 a157 1 IPSEC_SPLASSERT_SOFTNET(__func__); d163 1 a163 1 DPRINTF(("%s: no crypto descriptors\n", __func__)); d168 1 a168 1 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); d172 1 a172 1 DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); d179 1 a179 1 DPRINTF(("%s: m_makewritable failed\n", __func__)); d242 1 a242 1 uint8_t nproto; d244 2 a245 2 uint16_t dport; uint16_t sport; d247 2 a248 2 KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; d251 1 a251 1 m = crp->crp_buf; d262 1 a262 1 DPRINTF(("%s: SA expired while in crypto\n", __func__)); d268 4 a271 3 KASSERTMSG(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, "unexpected protocol family %u", saidx->dst.sa.sa_family); d287 1 a287 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d294 1 a294 1 DPRINTF(("%s: null mbuf returned from crypto\n", __func__)); d298 1 a298 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); d315 1 a315 1 DPRINTF(("%s: m_pullup failed\n", __func__)); d323 1 a323 4 switch (nproto) { case IPPROTO_IPCOMP: case IPPROTO_AH: case IPPROTO_ESP: d325 3 a327 3 DPRINTF(("%s: nested ipcomp, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); a329 2 default: break; d336 1 a336 1 DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, d343 1 a343 1 m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *) &nproto); d384 1 a384 2 IPSEC_SPLASSERT_SOFTNET(__func__); KASSERT(isr->sav != NULL); d386 1 a386 1 KASSERT(sav->tdb_compalgxform != NULL); d388 1 d416 2 a417 2 DPRINTF(("%s: unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", __func__, d426 2 a427 2 DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, d441 2 a442 2 DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), d454 1 a454 2 DPRINTF(("%s: failed to acquire crypto descriptor\n", __func__)); d470 2 a471 1 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); d474 1 a474 1 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); d513 2 a514 2 uint8_t prot; uint16_t cpi; d517 4 a520 3 KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; m = crp->crp_buf; d531 1 a531 1 DPRINTF(("%s: SA expired while in crypto\n", __func__)); d535 1 a535 1 KASSERTMSG(isr->sav == sav, "SA changed"); d550 1 a550 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d557 1 a557 1 DPRINTF(("%s: bogus return buffer from crypto\n", __func__)); d561 1 a561 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); d568 4 a571 4 DPRINTF(("%s: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); d601 1 a601 1 m_copyback(m, tc->tc_protoff, sizeof(uint8_t), (u_char *)&prot); d663 1 a663 1 void d669 4 @ 1.31.14.1 log @Sync with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $"); a35 1 #if defined(_KERNEL_OPT) d37 2 d71 2 a91 2 const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT }; d95 2 d117 2 a118 2 DPRINTF(("%s: unsupported compression algorithm %d\n", __func__, sav->alg_comp)); d126 1 a126 1 memset(&cric, 0, sizeof(cric)); d157 1 a157 1 IPSEC_SPLASSERT_SOFTNET(__func__); d163 1 a163 1 DPRINTF(("%s: no crypto descriptors\n", __func__)); d168 1 a168 1 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); d172 1 a172 1 DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); d179 1 a179 1 DPRINTF(("%s: m_makewritable failed\n", __func__)); d242 1 a242 1 uint8_t nproto; d244 2 a245 2 uint16_t dport; uint16_t sport; d247 2 a248 2 KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; d251 1 a251 1 m = crp->crp_buf; d262 1 a262 1 DPRINTF(("%s: SA expired while in crypto\n", __func__)); d268 4 a271 3 KASSERTMSG(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, "unexpected protocol family %u", saidx->dst.sa.sa_family); d287 1 a287 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d294 1 a294 1 DPRINTF(("%s: null mbuf returned from crypto\n", __func__)); d298 1 a298 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); d315 1 a315 1 DPRINTF(("%s: m_pullup failed\n", __func__)); d323 1 a323 4 switch (nproto) { case IPPROTO_IPCOMP: case IPPROTO_AH: case IPPROTO_ESP: d325 3 a327 3 DPRINTF(("%s: nested ipcomp, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); a329 2 default: break; d336 1 a336 1 DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, d343 1 a343 1 m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *) &nproto); d384 1 a384 2 IPSEC_SPLASSERT_SOFTNET(__func__); KASSERT(isr->sav != NULL); d386 1 a386 1 KASSERT(sav->tdb_compalgxform != NULL); d388 1 d416 2 a417 2 DPRINTF(("%s: unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", __func__, d426 2 a427 2 DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, d441 2 a442 2 DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), d454 1 a454 2 DPRINTF(("%s: failed to acquire crypto descriptor\n", __func__)); d470 2 a471 1 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); d474 1 a474 1 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); d513 2 a514 2 uint8_t prot; uint16_t cpi; d517 4 a520 3 KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; m = crp->crp_buf; d531 1 a531 1 DPRINTF(("%s: SA expired while in crypto\n", __func__)); d535 1 a535 1 KASSERTMSG(isr->sav == sav, "SA changed"); d550 1 a550 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d557 1 a557 1 DPRINTF(("%s: bogus return buffer from crypto\n", __func__)); d561 1 a561 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); d568 4 a571 4 DPRINTF(("%s: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); d601 1 a601 1 m_copyback(m, tc->tc_protoff, sizeof(uint8_t), (u_char *)&prot); d663 1 a663 1 void d669 4 @ 1.30 log @PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $"); a235 1 struct cryptodesc *crd; a237 1 struct mtag *mtag; d240 1 a240 1 struct secasindex *saidx; a246 2 crd = crp->crp_desc; a250 1 mtag = (struct mtag *) tc->tc_ptr; @ 1.30.2.1 log @sync with head @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.30 2013/06/04 22:47:37 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.30 2013/06/04 22:47:37 christos Exp $"); d236 1 d239 1 d242 1 a242 1 struct secasindex *saidx __diagused; d249 2 d255 1 @ 1.29 log @Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.28 2011/05/06 21:48:46 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.28 2011/05/06 21:48:46 drochner Exp $"); d246 2 a247 5 u_int16_t dport = 0; u_int16_t sport = 0; #ifdef IPSEC_NAT_T struct m_tag * tag = NULL; #endif a257 1 #ifdef IPSEC_NAT_T d259 1 a259 5 if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { sport = ((u_int16_t *)(tag + 1))[0]; dport = ((u_int16_t *)(tag + 1))[1]; } #endif @ 1.29.6.1 log @resync from head @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD$"); d246 5 a250 2 u_int16_t dport; u_int16_t sport; d261 1 d263 5 a267 1 nat_t_ports_get(m, &dport, &sport); @ 1.29.6.2 log @Rebase to HEAD as of a few days ago. @ text @d236 1 d239 1 d242 1 a242 1 struct secasindex *saidx __diagused; d249 2 d255 1 @ 1.29.6.3 log @update from HEAD @ text @a35 1 #if defined(_KERNEL_OPT) d37 2 d48 1 a48 2 #include #include d71 2 a91 4 const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT }; static pool_cache_t ipcomp_tdb_crypto_pool_cache; d95 2 d117 2 a118 2 DPRINTF(("%s: unsupported compression algorithm %d\n", __func__, sav->alg_comp)); d126 1 a126 1 memset(&cric, 0, sizeof(cric)); d150 1 a150 1 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) d157 1 a157 1 IPSEC_SPLASSERT_SOFTNET(__func__); d163 1 a163 1 DPRINTF(("%s: no crypto descriptors\n", __func__)); d168 1 a168 1 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT); d172 1 a172 1 DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); d179 1 a179 1 DPRINTF(("%s: m_makewritable failed\n", __func__)); d181 1 a181 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); a186 17 { int s = pserialize_read_enter(); /* * Take another reference to the SA for opencrypto callback. */ if (__predict_false(sav->state == SADB_SASTATE_DEAD)) { pserialize_read_exit(s); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_NOTDB); return ENOENT; } KEY_SA_REF(sav); pserialize_read_exit(s); } d193 2 a212 1 tc->tc_sav = sav; d218 1 a218 1 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do { \ d220 1 a220 1 error = ipsec6_common_input_cb(m, sav, skip, protoff); \ d222 1 a222 1 error = ipsec4_common_input_cb(m, sav, skip, protoff); \ d226 2 a227 2 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) \ (error = ipsec4_common_input_cb(m, sav, skip, protoff)) a235 1 char buf[IPSEC_ADDRSTRLEN]; d241 2 a242 2 int hlen = IPCOMP_HLENGTH, error, clen; uint8_t nproto; d244 2 a245 3 uint16_t dport; uint16_t sport; IPSEC_DECLARE_LOCK_VARIABLE; d247 2 a248 2 KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; d251 1 a251 1 m = crp->crp_buf; d256 2 a257 1 IPSEC_ACQUIRE_GLOBAL_LOCKS(); d259 6 a264 11 sav = tc->tc_sav; if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { KEY_SA_UNREF(&sav); sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } d268 4 a271 3 KASSERTMSG(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, "unexpected protocol family %u", saidx->dst.sa.sa_family); d280 3 a282 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d287 1 a287 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d291 8 a298 2 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); d307 1 a307 2 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); tc = NULL; d315 1 a315 1 DPRINTF(("%s: m_pullup failed\n", __func__)); d323 1 a323 4 switch (nproto) { case IPPROTO_IPCOMP: case IPPROTO_AH: case IPPROTO_ESP: d325 3 a327 3 DPRINTF(("%s: nested ipcomp, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); a329 2 default: break; d336 3 a338 3 DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); d343 1 a343 1 m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *) &nproto); d345 1 a345 1 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff); d347 3 a349 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d353 3 a355 2 KEY_SA_UNREF(&sav); IPSEC_RELEASE_GLOBAL_LOCKS(); d359 1 a359 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); d371 1 a371 2 const struct ipsecrequest *isr, struct secasvar *sav, d377 1 a377 1 char buf[IPSEC_ADDRSTRLEN]; d384 3 a386 3 IPSEC_SPLASSERT_SOFTNET(__func__); KASSERT(sav != NULL); KASSERT(sav->tdb_compalgxform != NULL); d388 1 d395 1 a395 1 return ipsec_process_done(m, isr, sav); d416 2 a417 2 DPRINTF(("%s: unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", __func__, d419 1 a419 1 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d426 3 a428 3 DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d441 2 a442 3 DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), d454 1 a454 2 DPRINTF(("%s: failed to acquire crypto descriptor\n", __func__)); d470 2 a471 1 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT); d474 1 a474 1 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); a479 20 { int s = pserialize_read_enter(); /* * Take another reference to the SP and the SA for opencrypto callback. */ if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD || sav->state == SADB_SASTATE_DEAD)) { pserialize_read_exit(s); pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_NOTDB); error = ENOENT; goto bad; } KEY_SP_REF(isr->sp); KEY_SA_REF(sav); pserialize_read_exit(s); } a485 1 tc->tc_sav = sav; a507 1 char buf[IPSEC_ADDRSTRLEN]; d509 1 a509 1 const struct ipsecrequest *isr; d512 3 a514 3 int error, skip, rlen, roff; uint8_t prot; uint16_t cpi; a515 1 IPSEC_DECLARE_LOCK_VARIABLE; d517 4 a520 3 KASSERT(crp->crp_opaque != NULL); tc = crp->crp_opaque; m = crp->crp_buf; d524 2 a525 1 IPSEC_ACQUIRE_GLOBAL_LOCKS(); d528 2 a529 2 sav = tc->tc_sav; if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) { d531 2 a532 4 IPSECLOG(LOG_DEBUG, "SP is being destroyed while in crypto (id=%u)\n", isr->sp->id); error = ENOENT; d535 1 a535 10 if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { KEY_SA_UNREF(&sav); sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } } d544 3 a546 1 IPSEC_RELEASE_GLOBAL_LOCKS(); d550 1 a550 1 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); d554 8 a561 2 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); d568 4 a571 4 DPRINTF(("%s: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); d601 1 a601 1 m_copyback(m, tc->tc_protoff, sizeof(uint8_t), (u_char *)&prot); d621 2 a622 2 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); d635 1 a635 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); d639 4 a642 4 error = ipsec_process_done(m, isr, sav); KEY_SA_UNREF(&sav); KEY_SP_UNREF(&isr->sp); IPSEC_RELEASE_GLOBAL_LOCKS(); d646 3 a648 3 KEY_SA_UNREF(&sav); KEY_SP_UNREF(&isr->sp); IPSEC_RELEASE_GLOBAL_LOCKS(); d651 1 a651 1 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc); d657 4 a660 8 .xf_type = XF_IPCOMP, .xf_flags = XFT_COMP, .xf_name = "IPcomp", .xf_init = ipcomp_init, .xf_zeroize = ipcomp_zeroize, .xf_input = ipcomp_input, .xf_output = ipcomp_output, .xf_next = NULL, d663 1 a663 1 void a666 3 ipcomp_tdb_crypto_pool_cache = pool_cache_init(sizeof(struct tdb_crypto), coherency_unit, 0, 0, "ipcomp_tdb_crypto", NULL, IPL_SOFTNET, NULL, NULL, NULL); d669 4 @ 1.28 log @As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.27 2011/05/05 20:15:15 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.27 2011/05/05 20:15:15 drochner Exp $"); d155 1 a155 1 int hlen = IPCOMP_HLENGTH; d176 11 d191 1 a191 1 crdc->crd_inject = skip; @ 1.28.4.1 log @sync with head @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.28 2011/05/06 21:48:46 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.28 2011/05/06 21:48:46 drochner Exp $"); d155 1 a155 1 int error, hlen = IPCOMP_HLENGTH; a175 11 error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT); if (error) { DPRINTF(("ipcomp_input: m_makewritable failed\n")); m_freem(m); free(tc, M_XDATA); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); return error; } d180 1 a180 1 crdc->crd_inject = 0; /* unused */ @ 1.28.4.2 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.28.4.1 2012/04/17 00:08:46 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.28.4.1 2012/04/17 00:08:46 yamt Exp $"); d236 1 d239 1 d242 1 a242 1 struct secasindex *saidx __diagused; d246 7 a252 2 u_int16_t dport; u_int16_t sport; d258 1 d261 1 d263 5 a267 1 nat_t_ports_get(m, &dport, &sport); @ 1.28.8.1 log @merge to -current. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $"); d155 1 a155 1 int error, hlen = IPCOMP_HLENGTH; a175 11 error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT); if (error) { DPRINTF(("ipcomp_input: m_makewritable failed\n")); m_freem(m); free(tc, M_XDATA); crypto_freereq(crp); IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); return error; } d180 1 a180 1 crdc->crd_inject = 0; /* unused */ @ 1.27 log @fix C&P botch in diagnostic printfs @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.26 2011/04/01 08:29:29 spz Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.26 2011/04/01 08:29:29 spz Exp $"); a128 1 mutex_spin_enter(&crypto_mtx); a129 1 mutex_spin_exit(&crypto_mtx); a140 1 mutex_spin_enter(&crypto_mtx); a141 1 mutex_spin_exit(&crypto_mtx); @ 1.26 log @mitigation for CVE-2011-1547 @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.25 2011/02/24 20:03:41 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.25 2011/02/24 20:03:41 drochner Exp $"); d276 1 a276 1 ("ah_input_cb: unexpected protocol family %u", @ 1.25 log @small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.24 2011/02/18 20:40:58 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.24 2011/02/18 20:40:58 drochner Exp $"); d329 8 @ 1.24 log @more "const" @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.23 2011/02/18 19:06:45 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.23 2011/02/18 19:06:45 drochner Exp $"); d99 1 a99 1 return &comp_algo_deflate; d193 1 @ 1.23 log @sprinkle some "const", documenting that the SA is not supposed to change during an xform operation @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.22 2011/02/14 13:43:45 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.22 2011/02/14 13:43:45 drochner Exp $"); d92 1 a92 1 struct comp_algo * d108 1 a108 1 ipcomp_init(struct secasvar *sav, struct xformsw *xsp) d110 1 a110 1 struct comp_algo *tcomp; d375 1 a375 1 struct comp_algo *ipcompx; @ 1.22 log @change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.21 2011/02/10 20:24:27 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.21 2011/02/10 20:24:27 drochner Exp $"); d154 1 a154 1 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) d374 1 a374 1 struct secasvar *sav; @ 1.21 log @-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.20 2010/09/21 13:41:18 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.20 2010/09/21 13:41:18 degroote Exp $"); d261 1 a262 1 s = splsoftnet(); d286 1 a287 1 mutex_exit(softnet_lock); d345 1 a346 1 mutex_exit(softnet_lock); d351 1 a352 1 mutex_exit(softnet_lock); d521 1 a522 1 s = splsoftnet(); d542 1 a543 1 mutex_exit(softnet_lock); d638 1 a639 1 mutex_exit(softnet_lock); d644 1 a645 1 mutex_exit(softnet_lock); @ 1.20 log @Fix ipcomp input counter Reported Wolfgang Stukenbrock in pr/43250. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.19 2009/03/18 16:00:23 cegger Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.19 2009/03/18 16:00:23 cegger Exp $"); d48 1 d261 1 d287 1 d346 1 d352 1 d521 1 d543 1 d639 1 d645 1 @ 1.20.2.1 log @Sync with HEAD. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.28 2011/05/06 21:48:46 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.28 2011/05/06 21:48:46 drochner Exp $"); a47 1 #include /* for softnet_lock */ d91 1 a91 1 const struct comp_algo * d98 1 a98 1 return &comp_algo_deflate_nogrow; d107 1 a107 1 ipcomp_init(struct secasvar *sav, const struct xformsw *xsp) d109 1 a109 1 const struct comp_algo *tcomp; d128 1 d130 1 d142 1 d144 1 d153 1 a153 1 ipcomp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) a191 1 crp->crp_olen = MCLBYTES; /* hint to decompression code */ a260 1 mutex_enter(softnet_lock); d273 1 a273 1 ("ipcomp_input_cb: unexpected protocol family %u", a283 1 mutex_exit(softnet_lock); a324 8 if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; } a341 1 mutex_exit(softnet_lock); a346 1 mutex_exit(softnet_lock); d369 2 a370 2 const struct secasvar *sav; const struct comp_algo *ipcompx; a516 1 mutex_enter(softnet_lock); a535 1 mutex_exit(softnet_lock); a630 1 mutex_exit(softnet_lock); a635 1 mutex_exit(softnet_lock); @ 1.20.4.1 log @Sync with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.22 2011/02/14 13:43:45 drochner Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.22 2011/02/14 13:43:45 drochner Exp $"); a47 1 #include /* for softnet_lock */ a260 1 mutex_enter(softnet_lock); a283 1 mutex_exit(softnet_lock); a341 1 mutex_exit(softnet_lock); a346 1 mutex_exit(softnet_lock); a516 1 mutex_enter(softnet_lock); a535 1 mutex_exit(softnet_lock); a630 1 mutex_exit(softnet_lock); a635 1 mutex_exit(softnet_lock); @ 1.20.4.2 log @Sync with HEAD @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD$"); d92 1 a92 1 const struct comp_algo * d99 1 a99 1 return &comp_algo_deflate_nogrow; d108 1 a108 1 ipcomp_init(struct secasvar *sav, const struct xformsw *xsp) d110 1 a110 1 const struct comp_algo *tcomp; d154 1 a154 1 ipcomp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) a192 1 crp->crp_olen = MCLBYTES; /* hint to decompression code */ d374 2 a375 2 const struct secasvar *sav; const struct comp_algo *ipcompx; @ 1.19 log @bzero -> memset @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $"); d302 4 @ 1.19.4.1 log @sync with head @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD$"); a47 1 #include /* for softnet_lock */ d91 1 a91 1 const struct comp_algo * d98 1 a98 1 return &comp_algo_deflate_nogrow; d107 1 a107 1 ipcomp_init(struct secasvar *sav, const struct xformsw *xsp) d109 1 a109 1 const struct comp_algo *tcomp; d153 1 a153 1 ipcomp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) a191 1 crp->crp_olen = MCLBYTES; /* hint to decompression code */ a260 1 mutex_enter(softnet_lock); a283 1 mutex_exit(softnet_lock); a301 4 /* Update the counters */ IPCOMP_STATADD(IPCOMP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen); a337 1 mutex_exit(softnet_lock); a342 1 mutex_exit(softnet_lock); d365 2 a366 2 const struct secasvar *sav; const struct comp_algo *ipcompx; a512 1 mutex_enter(softnet_lock); a531 1 mutex_exit(softnet_lock); a626 1 mutex_exit(softnet_lock); a631 1 mutex_exit(softnet_lock); @ 1.19.4.2 log @sync with head @ text @a328 8 if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; } @ 1.19.4.3 log @sync with head @ text @d129 1 d131 1 d143 1 d145 1 d276 1 a276 1 ("ipcomp_input_cb: unexpected protocol family %u", @ 1.19.2.1 log @Sync with HEAD (-D20101022). @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD$"); a301 4 /* Update the counters */ IPCOMP_STATADD(IPCOMP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen); @ 1.18 log @Make IPSEC and FAST_IPSEC stats per-cpu. Use and netstat_sysctl(). @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.17 2008/02/04 00:35:35 tls Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.17 2008/02/04 00:35:35 tls Exp $"); d125 1 a125 1 bzero(&cric, sizeof (cric)); @ 1.18.22.1 log @Pull up: src/sys/netinet6/ipcomp_input.c revision 1.37 src/sys/netipsec/xform_ipcomp.c revision 1.26 (requested by spz in ticket #1590). mitigation for CVE-2011-1547 @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $"); a320 8 if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; } @ 1.18.18.1 log @Pull up: src/sys/netinet6/ipcomp_input.c revision 1.37 src/sys/netipsec/xform_ipcomp.c revision 1.26 (requested by spz in ticket #1590). mitigation for CVE-2011-1547 @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $"); a320 8 if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; } @ 1.18.12.1 log @Pull up: src/sys/netinet6/ipcomp_input.c revision 1.37 src/sys/netipsec/xform_ipcomp.c revision 1.26 (requested by spz in ticket #1590). mitigation for CVE-2011-1547 @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $"); a320 8 if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; } @ 1.18.16.1 log @Sync with HEAD. Commit is split, to avoid a "too many arguments" protocol error. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.19 2009/03/18 16:00:23 cegger Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.19 2009/03/18 16:00:23 cegger Exp $"); d125 1 a125 1 memset(&cric, 0, sizeof (cric)); @ 1.18.2.1 log @sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $"); d125 1 a125 1 memset(&cric, 0, sizeof (cric)); @ 1.18.2.2 log @sync with head @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.18.2.1 2009/05/04 08:14:20 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.18.2.1 2009/05/04 08:14:20 yamt Exp $"); a301 4 /* Update the counters */ IPCOMP_STATADD(IPCOMP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen); @ 1.18.10.1 log @Sync with HEAD. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.19 2009/03/18 16:00:23 cegger Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.19 2009/03/18 16:00:23 cegger Exp $"); d125 1 a125 1 memset(&cric, 0, sizeof (cric)); @ 1.17 log @Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there. Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition. Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out. Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed. This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree. pjd@@FreeBSD.ORG, ad@@NetBSD.ORG, and darran@@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.16 2007/12/29 14:56:35 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.16 2007/12/29 14:56:35 degroote Exp $"); d56 1 d76 2 a78 1 struct ipcompstat ipcompstat; d167 1 a167 1 ipcompstat.ipcomps_crypto++; d176 1 a176 1 ipcompstat.ipcomps_crypto++; d264 1 a264 1 ipcompstat.ipcomps_notdb++; d288 1 a288 1 ipcompstat.ipcomps_noxform++; d295 1 a295 1 ipcompstat.ipcomps_crypto++; d300 1 a300 1 ipcompstat.ipcomps_hist[sav->alg_comp]++; d312 1 a312 1 ipcompstat.ipcomps_hdrops++; /*XXX*/ d325 1 a325 1 ipcompstat.ipcomps_hdrops++; d382 1 a382 1 ipcompstat.ipcomps_minlen++; d388 1 a388 1 ipcompstat.ipcomps_output++; d403 1 a403 1 ipcompstat.ipcomps_nopf++; d413 1 a413 1 ipcompstat.ipcomps_toobig++; d424 1 a424 1 ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip; d428 1 a428 1 ipcompstat.ipcomps_hdrops++; d441 1 a441 1 ipcompstat.ipcomps_crypto++; d461 1 a461 1 ipcompstat.ipcomps_crypto++; d517 1 a517 1 ipcompstat.ipcomps_notdb++; d535 1 a535 1 ipcompstat.ipcomps_noxform++; d542 1 a542 1 ipcompstat.ipcomps_crypto++; d547 1 a547 1 ipcompstat.ipcomps_hist[sav->alg_comp]++; d553 1 a553 1 ipcompstat.ipcomps_wrap++; d603 1 a603 1 ipcompstat.ipcomps_nopf++; d614 1 a614 1 ipcompstat.ipcomps_uselesscomp++; d650 1 @ 1.17.6.1 log @Sync with HEAD. @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD$"); a55 1 #include a74 2 percpu_t *ipcompstat_percpu; d76 1 d165 1 a165 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d174 1 a174 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d262 1 a262 1 IPCOMP_STATINC(IPCOMP_STAT_NOTDB); d286 1 a286 1 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM); d293 1 a293 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d298 1 a298 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + sav->alg_comp); d310 1 a310 1 IPCOMP_STATINC(IPCOMP_STAT_HDROPS); /*XXX*/ d323 1 a323 1 IPCOMP_STATINC(IPCOMP_STAT_HDROPS); d380 1 a380 1 IPCOMP_STATINC(IPCOMP_STAT_MINLEN); d386 1 a386 1 IPCOMP_STATINC(IPCOMP_STAT_OUTPUT); d401 1 a401 1 IPCOMP_STATINC(IPCOMP_STAT_NOPF); d411 1 a411 1 IPCOMP_STATINC(IPCOMP_STAT_TOOBIG); d422 1 a422 1 IPCOMP_STATADD(IPCOMP_STAT_OBYTES, m->m_pkthdr.len - skip); d426 1 a426 1 IPCOMP_STATINC(IPCOMP_STAT_HDROPS); d439 1 a439 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d459 1 a459 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d515 1 a515 1 IPCOMP_STATINC(IPCOMP_STAT_NOTDB); d533 1 a533 1 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM); d540 1 a540 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d545 1 a545 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + sav->alg_comp); d551 1 a551 1 IPCOMP_STATINC(IPCOMP_STAT_WRAP); d601 1 a601 1 IPCOMP_STATINC(IPCOMP_STAT_NOPF); d612 1 a612 1 IPCOMP_STATINC(IPCOMP_STAT_USELESS); a647 1 ipcompstat_percpu = percpu_alloc(sizeof(uint64_t) * IPCOMP_NSTATS); @ 1.17.8.1 log @sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.17 2008/02/04 00:35:35 tls Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.17 2008/02/04 00:35:35 tls Exp $"); a55 1 #include a74 2 percpu_t *ipcompstat_percpu; d76 1 d165 1 a165 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d174 1 a174 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d262 1 a262 1 IPCOMP_STATINC(IPCOMP_STAT_NOTDB); d286 1 a286 1 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM); d293 1 a293 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d298 1 a298 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + sav->alg_comp); d310 1 a310 1 IPCOMP_STATINC(IPCOMP_STAT_HDROPS); /*XXX*/ d323 1 a323 1 IPCOMP_STATINC(IPCOMP_STAT_HDROPS); d380 1 a380 1 IPCOMP_STATINC(IPCOMP_STAT_MINLEN); d386 1 a386 1 IPCOMP_STATINC(IPCOMP_STAT_OUTPUT); d401 1 a401 1 IPCOMP_STATINC(IPCOMP_STAT_NOPF); d411 1 a411 1 IPCOMP_STATINC(IPCOMP_STAT_TOOBIG); d422 1 a422 1 IPCOMP_STATADD(IPCOMP_STAT_OBYTES, m->m_pkthdr.len - skip); d426 1 a426 1 IPCOMP_STATINC(IPCOMP_STAT_HDROPS); d439 1 a439 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d459 1 a459 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d515 1 a515 1 IPCOMP_STATINC(IPCOMP_STAT_NOTDB); d533 1 a533 1 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM); d540 1 a540 1 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); d545 1 a545 1 IPCOMP_STATINC(IPCOMP_STAT_HIST + sav->alg_comp); d551 1 a551 1 IPCOMP_STATINC(IPCOMP_STAT_WRAP); d601 1 a601 1 IPCOMP_STATINC(IPCOMP_STAT_NOPF); d612 1 a612 1 IPCOMP_STATINC(IPCOMP_STAT_USELESS); a647 1 ipcompstat_percpu = percpu_alloc(sizeof(uint64_t) * IPCOMP_NSTATS); @ 1.16 log @Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet)) @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.15 2007/09/22 23:33:18 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.15 2007/09/22 23:33:18 degroote Exp $"); d109 1 d126 4 a129 1 return crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support); d140 1 d142 1 @ 1.15 log @Fix my previous stupid caddr_t fix. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.14 2007/06/27 20:38:33 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.14 2007/06/27 20:38:33 degroote Exp $"); d606 3 a608 1 /* XXX add statistic */ d611 1 @ 1.15.6.1 log @Sync with HEAD. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.17 2008/02/04 00:35:35 tls Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.17 2008/02/04 00:35:35 tls Exp $"); a108 1 int ses; d125 1 a125 4 mutex_spin_enter(&crypto_mtx); ses = crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support); mutex_spin_exit(&crypto_mtx); return ses; a135 1 mutex_spin_enter(&crypto_mtx); a136 1 mutex_spin_exit(&crypto_mtx); d606 1 a606 3 ipcompstat.ipcomps_uselesscomp++; DPRINTF(("ipcomp_output_cb: compression was useless : initial size was %d" "and compressed size is %d\n", rlen, crp->crp_olen)); a608 1 @ 1.15.12.1 log @Sync with HEAD @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD$"); d606 1 a606 3 ipcompstat.ipcomps_uselesscomp++; DPRINTF(("ipcomp_output_cb: compression was useless : initial size was %d" "and compressed size is %d\n", rlen, crp->crp_olen)); a608 1 @ 1.14 log @Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4). No objection on tech-net@@ @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.13 2007/03/04 21:17:55 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.13 2007/03/04 21:17:55 degroote Exp $"); d311 1 a311 1 addr = mtod(m, struct ip *) + skip; @ 1.14.8.1 log @sync with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.15 2007/09/22 23:33:18 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.15 2007/09/22 23:33:18 degroote Exp $"); d311 1 a311 1 addr = (uint8_t*) mtod(m, struct ip *) + skip; @ 1.14.8.2 log @sync with HEAD @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.14.8.1 2007/11/06 23:34:14 matt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.14.8.1 2007/11/06 23:34:14 matt Exp $"); d606 1 a606 3 ipcompstat.ipcomps_uselesscomp++; DPRINTF(("ipcomp_output_cb: compression was useless : initial size was %d" "and compressed size is %d\n", rlen, crp->crp_olen)); a608 1 @ 1.14.8.3 log @sync with HEAD @ text @d1 1 a1 1 /* xform_ipcomp.c,v 1.14.8.2 2008/01/09 01:57:43 matt Exp */ d33 1 a33 1 __KERNEL_RCSID(0, "xform_ipcomp.c,v 1.14.8.2 2008/01/09 01:57:43 matt Exp"); a108 1 int ses; d125 1 a125 4 mutex_spin_enter(&crypto_mtx); ses = crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support); mutex_spin_exit(&crypto_mtx); return ses; a135 1 mutex_spin_enter(&crypto_mtx); a136 1 mutex_spin_exit(&crypto_mtx); @ 1.14.6.1 log @Sync with HEAD. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.15 2007/09/22 23:33:18 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.15 2007/09/22 23:33:18 degroote Exp $"); d311 1 a311 1 addr = (uint8_t*) mtod(m, struct ip *) + skip; @ 1.13 log @Remove useless cast Use NULL instead of (void*) 0 @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.12 2007/03/04 19:54:49 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.12 2007/03/04 19:54:49 degroote Exp $"); d229 5 d244 8 d254 1 a254 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); d507 1 a507 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); @ 1.13.2.1 log @Sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.13 2007/03/04 21:17:55 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.13 2007/03/04 21:17:55 degroote Exp $"); a228 5 u_int16_t dport = 0; u_int16_t sport = 0; #ifdef IPSEC_NAT_T struct m_tag * tag = NULL; #endif a238 8 #ifdef IPSEC_NAT_T /* find the source port for NAT-T */ if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { sport = ((u_int16_t *)(tag + 1))[0]; dport = ((u_int16_t *)(tag + 1))[1]; } #endif d241 1 a241 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); d494 1 a494 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); @ 1.13.2.2 log @Sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.13.2.1 2007/07/15 13:28:04 ad Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.13.2.1 2007/07/15 13:28:04 ad Exp $"); d311 1 a311 1 addr = (uint8_t*) mtod(m, struct ip *) + skip; @ 1.13.4.1 log @Sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.14 2007/06/27 20:38:33 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.14 2007/06/27 20:38:33 degroote Exp $"); a228 5 u_int16_t dport = 0; u_int16_t sport = 0; #ifdef IPSEC_NAT_T struct m_tag * tag = NULL; #endif a238 8 #ifdef IPSEC_NAT_T /* find the source port for NAT-T */ if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { sport = ((u_int16_t *)(tag + 1))[0]; dport = ((u_int16_t *)(tag + 1))[1]; } #endif d241 1 a241 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); d494 1 a494 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); @ 1.12 log @Fix fallout from caddr_t changes @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.11 2007/03/04 06:03:30 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.11 2007/03/04 06:03:30 christos Exp $"); d185 1 a185 1 crp->crp_buf = (void *) m; d188 1 a188 1 crp->crp_opaque = (void *) tc; d457 1 a457 1 crp->crp_buf = (void *) m; d459 1 a459 1 crp->crp_opaque = (void *) tc; @ 1.11 log @Kill caddr_t; there will be some MI fallout, but it will be fixed shortly. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.10 2007/02/23 19:35:25 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.10 2007/02/23 19:35:25 degroote Exp $"); d298 1 a298 1 addr = (void *) mtod(m, struct ip *) + skip; d540 1 a540 1 ipcomp = (struct ipcomp *)(mtod(mo, void *) + roff); @ 1.10 log @Oops, I forgot to commit some bits last time fast_ipsec and ipcomp works better now. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.9 2007/02/10 09:43:05 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.9 2007/02/10 09:43:05 degroote Exp $"); d185 1 a185 1 crp->crp_buf = (caddr_t) m; d188 1 a188 1 crp->crp_opaque = (caddr_t) tc; d228 1 a228 1 caddr_t addr; d298 1 a298 1 addr = (caddr_t) mtod(m, struct ip *) + skip; d457 1 a457 1 crp->crp_buf = (caddr_t) m; d459 1 a459 1 crp->crp_opaque = (caddr_t) tc; d540 1 a540 1 ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); @ 1.9 log @Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.8 2006/11/16 01:33:49 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8 2006/11/16 01:33:49 christos Exp $"); d451 2 a452 1 tc->tc_skip = skip + hlen; @ 1.9.2.1 log @- sync with head. - move sched_changepri back to kern_synch.c as it doesn't know PPQ anymore. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.9 2007/02/10 09:43:05 degroote Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.9 2007/02/10 09:43:05 degroote Exp $"); d451 1 a451 2 tc->tc_skip = skip; tc->tc_protoff = protoff; @ 1.9.2.2 log @Sync with HEAD. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.9.2.1 2007/02/27 16:55:07 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.9.2.1 2007/02/27 16:55:07 yamt Exp $"); d185 1 a185 1 crp->crp_buf = m; d188 1 a188 1 crp->crp_opaque = tc; d228 1 a228 1 void *addr; d298 1 a298 1 addr = mtod(m, struct ip *) + skip; d457 1 a457 1 crp->crp_buf = m; d459 1 a459 1 crp->crp_opaque = tc; d540 1 a540 1 ipcomp = (struct ipcomp *)(mtod(mo, char *) + roff); @ 1.8 log @__unused removal on arguments; approved by core. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.7 2006/10/13 20:53:59 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.7 2006/10/13 20:53:59 christos Exp $"); d75 1 a75 1 int ipcomp_enable = 0; d346 1 a346 2 int error, ralen, hlen, maxpacketsize, roff; u_int8_t prot; a349 2 struct mbuf *mo; struct ipcomp *ipcomp; d358 7 a414 34 /* Inject IPCOMP header */ mo = m_makespace(m, skip, hlen, &roff); if (mo == NULL) { ipcompstat.ipcomps_wrap++; DPRINTF(("ipcomp_output: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); /* Initialize the IPCOMP header */ /* XXX alignment always correct? */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; break; #endif /* INET */ #ifdef INET6 case AF_INET6: ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; break; #endif } ipcomp->comp_flags = 0; ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi)); /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); d428 2 a429 2 crdc->crd_skip = skip + hlen; crdc->crd_len = m->m_pkthdr.len - (skip + hlen); d431 1 a431 1 crdc->crd_inject = skip + hlen; d477 6 a482 2 struct mbuf *m; int s, error, skip, rlen; d528 39 @ 1.8.4.1 log @Update to today's netbsd-4. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $"); d75 1 a75 1 int ipcomp_enable = 1; d346 2 a347 1 int error, ralen, hlen, maxpacketsize; d351 2 a360 7 /* Don't process the packet if it is too short */ if (ralen < ipcompx->minlen) { ipcompstat.ipcomps_minlen++; return ipsec_process_done(m,isr); } d411 34 d458 2 a459 2 crdc->crd_skip = skip; crdc->crd_len = m->m_pkthdr.len - skip; d461 1 a461 1 crdc->crd_inject = skip; d507 2 a508 6 struct mbuf *m, *mo; int s, error, skip, rlen, roff; u_int8_t prot; u_int16_t cpi; struct ipcomp * ipcomp; a553 39 /* Inject IPCOMP header */ mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); if (mo == NULL) { ipcompstat.ipcomps_wrap++; DPRINTF(("ipcomp_output: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); /* Initialize the IPCOMP header */ /* XXX alignment always correct? */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; break; #endif /* INET */ #ifdef INET6 case AF_INET6: ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; break; #endif } ipcomp->comp_flags = 0; if ((sav->flags & SADB_X_EXT_RAWCPI) == 0) cpi = sav->alg_enc; else cpi = ntohl(sav->spi) & 0xffff; ipcomp->comp_cpi = htons(cpi); /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; m_copyback(m, tc->tc_protoff, sizeof(u_int8_t), (u_char *)&prot); @ 1.8.2.1 log @Pull up following revision(s) (requested by degroote in ticket #667): sys/netinet/tcp_input.c: revision 1.260 sys/netinet/tcp_output.c: revision 1.154 sys/netinet/tcp_subr.c: revision 1.210 sys/netinet6/icmp6.c: revision 1.129 sys/netinet6/in6_proto.c: revision 1.70 sys/netinet6/ip6_forward.c: revision 1.54 sys/netinet6/ip6_input.c: revision 1.94 sys/netinet6/ip6_output.c: revision 1.114 sys/netinet6/raw_ip6.c: revision 1.81 sys/netipsec/ipcomp_var.h: revision 1.4 sys/netipsec/ipsec.c: revision 1.26 via patch,1.31-1.32 sys/netipsec/ipsec6.h: revision 1.5 sys/netipsec/ipsec_input.c: revision 1.14 sys/netipsec/ipsec_netbsd.c: revision 1.18,1.26 sys/netipsec/ipsec_output.c: revision 1.21 via patch sys/netipsec/key.c: revision 1.33,1.44 sys/netipsec/xform_ipcomp.c: revision 1.9 sys/netipsec/xform_ipip.c: revision 1.15 sys/opencrypto/deflate.c: revision 1.8 Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic Add sysctl tree to modify the fast_ipsec options related to ipv6. Similar to the sysctl kame interface. Choose the good default policy, depending of the adress family of the desired policy Increase the refcount for the default ipv6 policy so nobody can reclaim it Always compute the sp index even if we don't have any sp in spd. It will let us to choose the right default policy (based on the adress family requested). While here, fix an error message Use dynamic array instead of an static array to decompress. It lets us to decompress any data, whatever is the radio decompressed data / compressed data. It fixes the last issues with fast_ipsec and ipcomp. While here, bzero -> memset, bcopy -> memcpy, FREE -> free Reviewed a long time ago by sam@@ @ text @d1 1 a1 1 /* $NetBSD$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD$"); d75 1 a75 1 int ipcomp_enable = 1; d346 2 a347 1 int error, ralen, hlen, maxpacketsize; d351 2 a360 7 /* Don't process the packet if it is too short */ if (ralen < ipcompx->minlen) { ipcompstat.ipcomps_minlen++; return ipsec_process_done(m,isr); } d411 34 d458 2 a459 2 crdc->crd_skip = skip; crdc->crd_len = m->m_pkthdr.len - skip; d461 1 a461 1 crdc->crd_inject = skip; d507 2 a508 6 struct mbuf *m, *mo; int s, error, skip, rlen, roff; u_int8_t prot; u_int16_t cpi; struct ipcomp * ipcomp; a553 39 /* Inject IPCOMP header */ mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); if (mo == NULL) { ipcompstat.ipcomps_wrap++; DPRINTF(("ipcomp_output: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); /* Initialize the IPCOMP header */ /* XXX alignment always correct? */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; break; #endif /* INET */ #ifdef INET6 case AF_INET6: ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; break; #endif } ipcomp->comp_flags = 0; if ((sav->flags & SADB_X_EXT_RAWCPI) == 0) cpi = sav->alg_enc; else cpi = ntohl(sav->spi) & 0xffff; ipcomp->comp_cpi = htons(cpi); /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; m_copyback(m, tc->tc_protoff, sizeof(u_int8_t), (u_char *)&prot); @ 1.8.2.2 log @Pull up following revision(s) (requested by spz in ticket #1425): sys/netipsec/xform_ipcomp.c: revision 1.26 sys/netinet6/ipcomp_input.c: revision 1.37 mitigation for CVE-2011-1547 this should really be solved by counting nested headers (like in the inet6 case) instead mitigation for CVE-2011-1547 @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.26 2011/04/01 08:29:29 spz Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $"); a299 8 if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { ipcompstat.ipcomps_hdrops++; DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; } @ 1.8.2.1.4.1 log @Pull up following revision(s) (requested by spz in ticket #1425): sys/netipsec/xform_ipcomp.c: revision 1.26 sys/netinet6/ipcomp_input.c: revision 1.37 mitigation for CVE-2011-1547 this should really be solved by counting nested headers (like in the inet6 case) instead mitigation for CVE-2011-1547 @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.26 2011/04/01 08:29:29 spz Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $"); a299 8 if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { ipcompstat.ipcomps_hdrops++; DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; } @ 1.7 log @more __unused @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.6 2005/12/11 12:25:06 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.6 2005/12/11 12:25:06 christos Exp $"); d339 1 a339 1 struct mbuf **mp __unused, @ 1.6 log @merge ktrace-lwp. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.4.4.4 2005/03/04 16:53:44 skrll Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.4.4.4 2005/03/04 16:53:44 skrll Exp $"); d337 5 a341 5 struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp, int skip, int protoff d605 2 a606 1 ipcomp_output @ 1.6.20.1 log @Sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.8 2006/11/16 01:33:49 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8 2006/11/16 01:33:49 christos Exp $"); d337 5 a341 5 struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp, int skip, int protoff d605 1 a605 2 ipcomp_output, NULL, @ 1.6.22.1 log @sync with head @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.6 2005/12/11 12:25:06 christos Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.6 2005/12/11 12:25:06 christos Exp $"); d337 5 a341 5 struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp __unused, int skip, int protoff d605 1 a605 2 ipcomp_output, NULL, @ 1.6.22.2 log @sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.6.22.1 2006/10/22 06:07:39 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.6.22.1 2006/10/22 06:07:39 yamt Exp $"); d339 1 a339 1 struct mbuf **mp, @ 1.5 log @nuke trailing whitespace @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.4 2003/10/06 22:05:15 tls Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.4 2003/10/06 22:05:15 tls Exp $"); @ 1.5.4.1 log @sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.5 2005/02/26 22:45:13 perry Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.5 2005/02/26 22:45:13 perry Exp $"); d337 5 a341 5 struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp, int skip, int protoff d605 1 a605 2 ipcomp_output, NULL, @ 1.5.4.2 log @sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.5.4.1 2006/12/30 20:50:44 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.5.4.1 2006/12/30 20:50:44 yamt Exp $"); d75 1 a75 1 int ipcomp_enable = 1; d346 2 a347 1 int error, ralen, hlen, maxpacketsize; d351 2 a360 7 /* Don't process the packet if it is too short */ if (ralen < ipcompx->minlen) { ipcompstat.ipcomps_minlen++; return ipsec_process_done(m,isr); } d411 34 d458 2 a459 2 crdc->crd_skip = skip; crdc->crd_len = m->m_pkthdr.len - skip; d461 1 a461 1 crdc->crd_inject = skip; d481 1 a481 2 tc->tc_skip = skip; tc->tc_protoff = protoff; d507 2 a508 6 struct mbuf *m, *mo; int s, error, skip, rlen, roff; u_int8_t prot; u_int16_t cpi; struct ipcomp * ipcomp; a553 39 /* Inject IPCOMP header */ mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); if (mo == NULL) { ipcompstat.ipcomps_wrap++; DPRINTF(("ipcomp_output: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); /* Initialize the IPCOMP header */ /* XXX alignment always correct? */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; break; #endif /* INET */ #ifdef INET6 case AF_INET6: ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; break; #endif } ipcomp->comp_flags = 0; if ((sav->flags & SADB_X_EXT_RAWCPI) == 0) cpi = sav->alg_enc; else cpi = ntohl(sav->spi) & 0xffff; ipcomp->comp_cpi = htons(cpi); /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; m_copyback(m, tc->tc_protoff, sizeof(u_int8_t), (u_char *)&prot); @ 1.5.4.3 log @sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.5.4.2 2007/02/26 09:11:57 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.5.4.2 2007/02/26 09:11:57 yamt Exp $"); d185 1 a185 1 crp->crp_buf = m; d188 1 a188 1 crp->crp_opaque = tc; d228 1 a228 6 void *addr; u_int16_t dport = 0; u_int16_t sport = 0; #ifdef IPSEC_NAT_T struct m_tag * tag = NULL; #endif a238 8 #ifdef IPSEC_NAT_T /* find the source port for NAT-T */ if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) { sport = ((u_int16_t *)(tag + 1))[0]; dport = ((u_int16_t *)(tag + 1))[1]; } #endif d241 1 a241 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); d298 1 a298 1 addr = mtod(m, struct ip *) + skip; d457 1 a457 1 crp->crp_buf = m; d459 1 a459 1 crp->crp_opaque = tc; d494 1 a494 1 sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); d540 1 a540 1 ipcomp = (struct ipcomp *)(mtod(mo, char *) + roff); @ 1.5.4.4 log @sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.5.4.3 2007/09/03 14:43:48 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.5.4.3 2007/09/03 14:43:48 yamt Exp $"); d311 1 a311 1 addr = (uint8_t*) mtod(m, struct ip *) + skip; @ 1.5.4.5 log @sync with head @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.5.4.4 2007/10/27 11:36:15 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.5.4.4 2007/10/27 11:36:15 yamt Exp $"); d606 1 a606 3 ipcompstat.ipcomps_uselesscomp++; DPRINTF(("ipcomp_output_cb: compression was useless : initial size was %d" "and compressed size is %d\n", rlen, crp->crp_olen)); a608 1 @ 1.5.4.6 log @sync with head. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.5.4.5 2008/01/21 09:47:27 yamt Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.5.4.5 2008/01/21 09:47:27 yamt Exp $"); a108 1 int ses; d125 1 a125 4 mutex_spin_enter(&crypto_mtx); ses = crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support); mutex_spin_exit(&crypto_mtx); return ses; a135 1 mutex_spin_enter(&crypto_mtx); a136 1 mutex_spin_exit(&crypto_mtx); @ 1.4 log @Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes: 1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h 2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless). 3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it. An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors). @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.2 2003/08/20 22:33:41 jonathan Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.2 2003/08/20 22:33:41 jonathan Exp $"); d380 1 a380 1 ", IPCA %s/%08lx\n", d404 1 a404 1 DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n", d570 1 a570 1 "family %d, IPCA %s/%08lx\n", d572 1 a572 1 ipsec_address(&sav->sah->saidx.dst), @ 1.4.4.1 log @file xform_ipcomp.c was added on branch ktrace-lwp on 2004-08-03 10:55:29 +0000 @ text @d1 616 @ 1.4.4.2 log @Sync with HEAD @ text @a0 616 /* $NetBSD: xform_ipcomp.c,v 1.4.4.1 2004/08/03 10:55:29 skrll Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@@wabbitt.org) * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.4.4.1 2004/08/03 10:55:29 skrll Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #include "opt_inet.h" #ifdef __FreeBSD__ #include "opt_inet6.h" #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef INET6 #include #include #endif #include #include #include #include #include #include #include #include int ipcomp_enable = 0; struct ipcompstat ipcompstat; #ifdef __FreeBSD__ SYSCTL_DECL(_net_inet_ipcomp); SYSCTL_INT(_net_inet_ipcomp, OID_AUTO, ipcomp_enable, CTLFLAG_RW, &ipcomp_enable, 0, ""); SYSCTL_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS, stats, CTLFLAG_RD, &ipcompstat, ipcompstat, ""); #endif /* __FreeBSD__ */ static int ipcomp_input_cb(struct cryptop *crp); static int ipcomp_output_cb(struct cryptop *crp); struct comp_algo * ipcomp_algorithm_lookup(int alg) { if (alg >= IPCOMP_ALG_MAX) return NULL; switch (alg) { case SADB_X_CALG_DEFLATE: return &comp_algo_deflate; } return NULL; } /* * ipcomp_init() is called when an CPI is being set up. */ static int ipcomp_init(struct secasvar *sav, struct xformsw *xsp) { struct comp_algo *tcomp; struct cryptoini cric; /* NB: algorithm really comes in alg_enc and not alg_comp! */ tcomp = ipcomp_algorithm_lookup(sav->alg_enc); if (tcomp == NULL) { DPRINTF(("ipcomp_init: unsupported compression algorithm %d\n", sav->alg_comp)); return EINVAL; } sav->alg_comp = sav->alg_enc; /* set for doing histogram */ sav->tdb_xform = xsp; sav->tdb_compalgxform = tcomp; /* Initialize crypto session */ bzero(&cric, sizeof (cric)); cric.cri_alg = sav->tdb_compalgxform->type; return crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support); } /* * ipcomp_zeroize() used when IPCA is deleted */ static int ipcomp_zeroize(struct secasvar *sav) { int err; err = crypto_freesession(sav->tdb_cryptoid); sav->tdb_cryptoid = 0; return err; } /* * ipcomp_input() gets called to uncompress an input packet */ static int ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { struct tdb_crypto *tc; struct cryptodesc *crdc; struct cryptop *crp; int hlen = IPCOMP_HLENGTH; IPSEC_SPLASSERT_SOFTNET("ipcomp_input"); /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { m_freem(m); DPRINTF(("ipcomp_input: no crypto descriptors\n")); ipcompstat.ipcomps_crypto++; return ENOBUFS; } /* Get IPsec-specific opaque pointer */ tc = (struct tdb_crypto *) malloc(sizeof (*tc), M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { m_freem(m); crypto_freereq(crp); DPRINTF(("ipcomp_input: cannot allocate tdb_crypto\n")); ipcompstat.ipcomps_crypto++; return ENOBUFS; } crdc = crp->crp_desc; crdc->crd_skip = skip + hlen; crdc->crd_len = m->m_pkthdr.len - (skip + hlen); crdc->crd_inject = skip; tc->tc_ptr = 0; /* Decompression operation */ crdc->crd_alg = sav->tdb_compalgxform->type; /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len - (skip + hlen); crp->crp_flags = CRYPTO_F_IMBUF; crp->crp_buf = (caddr_t) m; crp->crp_callback = ipcomp_input_cb; crp->crp_sid = sav->tdb_cryptoid; crp->crp_opaque = (caddr_t) tc; /* These are passed as-is to the callback */ tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; tc->tc_protoff = protoff; tc->tc_skip = skip; return crypto_dispatch(crp); } #ifdef INET6 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ if (saidx->dst.sa.sa_family == AF_INET6) { \ error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ } else { \ error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ } \ } while (0) #else #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) #endif /* * IPComp input callback from the crypto driver. */ static int ipcomp_input_cb(struct cryptop *crp) { struct cryptodesc *crd; struct tdb_crypto *tc; int skip, protoff; struct mtag *mtag; struct mbuf *m; struct secasvar *sav; struct secasindex *saidx; int s, hlen = IPCOMP_HLENGTH, error, clen; u_int8_t nproto; caddr_t addr; crd = crp->crp_desc; tc = (struct tdb_crypto *) crp->crp_opaque; IPSEC_ASSERT(tc != NULL, ("ipcomp_input_cb: null opaque crypto data area!")); skip = tc->tc_skip; protoff = tc->tc_protoff; mtag = (struct mtag *) tc->tc_ptr; m = (struct mbuf *) crp->crp_buf; s = splsoftnet(); sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); if (sav == NULL) { ipcompstat.ipcomps_notdb++; DPRINTF(("ipcomp_input_cb: SA expired while in crypto\n")); error = ENOBUFS; /*XXX*/ goto bad; } saidx = &sav->sah->saidx; IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, ("ah_input_cb: unexpected protocol family %u", saidx->dst.sa.sa_family)); /* Check for crypto errors */ if (crp->crp_etype) { /* Reset the session ID */ if (sav->tdb_cryptoid != 0) sav->tdb_cryptoid = crp->crp_sid; if (crp->crp_etype == EAGAIN) { KEY_FREESAV(&sav); splx(s); return crypto_dispatch(crp); } ipcompstat.ipcomps_noxform++; DPRINTF(("ipcomp_input_cb: crypto error %d\n", crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { ipcompstat.ipcomps_crypto++; DPRINTF(("ipcomp_input_cb: null mbuf returned from crypto\n")); error = EINVAL; goto bad; } ipcompstat.ipcomps_hist[sav->alg_comp]++; clen = crp->crp_olen; /* Length of data after processing */ /* Release the crypto descriptors */ free(tc, M_XDATA), tc = NULL; crypto_freereq(crp), crp = NULL; /* In case it's not done already, adjust the size of the mbuf chain */ m->m_pkthdr.len = clen + hlen + skip; if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) { ipcompstat.ipcomps_hdrops++; /*XXX*/ DPRINTF(("ipcomp_input_cb: m_pullup failed\n")); error = EINVAL; /*XXX*/ goto bad; } /* Keep the next protocol field */ addr = (caddr_t) mtod(m, struct ip *) + skip; nproto = ((struct ipcomp *) addr)->comp_nxt; /* Remove the IPCOMP header */ error = m_striphdr(m, skip, hlen); if (error) { ipcompstat.ipcomps_hdrops++; DPRINTF(("ipcomp_input_cb: bad mbuf chain, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); goto bad; } /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto); IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL); KEY_FREESAV(&sav); splx(s); return error; bad: if (sav) KEY_FREESAV(&sav); splx(s); if (m) m_freem(m); if (tc != NULL) free(tc, M_XDATA); if (crp) crypto_freereq(crp); return error; } /* * IPComp output routine, called by ipsec[46]_process_packet() */ static int ipcomp_output( struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp, int skip, int protoff ) { struct secasvar *sav; struct comp_algo *ipcompx; int error, ralen, hlen, maxpacketsize, roff; u_int8_t prot; struct cryptodesc *crdc; struct cryptop *crp; struct tdb_crypto *tc; struct mbuf *mo; struct ipcomp *ipcomp; IPSEC_SPLASSERT_SOFTNET("ipcomp_output"); sav = isr->sav; IPSEC_ASSERT(sav != NULL, ("ipcomp_output: null SA")); ipcompx = sav->tdb_compalgxform; IPSEC_ASSERT(ipcompx != NULL, ("ipcomp_output: null compression xform")); ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ hlen = IPCOMP_HLENGTH; ipcompstat.ipcomps_output++; /* Check for maximum packet size violations. */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: maxpacketsize = IP_MAXPACKET; break; #endif /* INET */ #ifdef INET6 case AF_INET6: maxpacketsize = IPV6_MAXPACKET; break; #endif /* INET6 */ default: ipcompstat.ipcomps_nopf++; DPRINTF(("ipcomp_output: unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EPFNOSUPPORT; goto bad; } if (skip + hlen + ralen > maxpacketsize) { ipcompstat.ipcomps_toobig++; DPRINTF(("ipcomp_output: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi), skip + hlen + ralen, maxpacketsize)); error = EMSGSIZE; goto bad; } /* Update the counters */ ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip; m = m_clone(m); if (m == NULL) { ipcompstat.ipcomps_hdrops++; DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } /* Inject IPCOMP header */ mo = m_makespace(m, skip, hlen, &roff); if (mo == NULL) { ipcompstat.ipcomps_wrap++; DPRINTF(("ipcomp_output: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); /* Initialize the IPCOMP header */ /* XXX alignment always correct? */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; break; #endif /* INET */ #ifdef INET6 case AF_INET6: ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; break; #endif } ipcomp->comp_flags = 0; ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi)); /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); /* Ok now, we can pass to the crypto processing */ /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { ipcompstat.ipcomps_crypto++; DPRINTF(("ipcomp_output: failed to acquire crypto descriptor\n")); error = ENOBUFS; goto bad; } crdc = crp->crp_desc; /* Compression descriptor */ crdc->crd_skip = skip + hlen; crdc->crd_len = m->m_pkthdr.len - (skip + hlen); crdc->crd_flags = CRD_F_COMP; crdc->crd_inject = skip + hlen; /* Compression operation */ crdc->crd_alg = ipcompx->type; /* IPsec-specific opaque crypto info */ tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { ipcompstat.ipcomps_crypto++; DPRINTF(("ipcomp_output: failed to allocate tdb_crypto\n")); crypto_freereq(crp); error = ENOBUFS; goto bad; } tc->tc_isr = isr; tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; tc->tc_skip = skip + hlen; /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ crp->crp_flags = CRYPTO_F_IMBUF; crp->crp_buf = (caddr_t) m; crp->crp_callback = ipcomp_output_cb; crp->crp_opaque = (caddr_t) tc; crp->crp_sid = sav->tdb_cryptoid; return crypto_dispatch(crp); bad: if (m) m_freem(m); return (error); } /* * IPComp output callback from the crypto driver. */ static int ipcomp_output_cb(struct cryptop *crp) { struct tdb_crypto *tc; struct ipsecrequest *isr; struct secasvar *sav; struct mbuf *m; int s, error, skip, rlen; tc = (struct tdb_crypto *) crp->crp_opaque; IPSEC_ASSERT(tc != NULL, ("ipcomp_output_cb: null opaque data area!")); m = (struct mbuf *) crp->crp_buf; skip = tc->tc_skip; rlen = crp->crp_ilen - skip; s = splsoftnet(); isr = tc->tc_isr; sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); if (sav == NULL) { ipcompstat.ipcomps_notdb++; DPRINTF(("ipcomp_output_cb: SA expired while in crypto\n")); error = ENOBUFS; /*XXX*/ goto bad; } IPSEC_ASSERT(isr->sav == sav, ("ipcomp_output_cb: SA changed\n")); /* Check for crypto errors */ if (crp->crp_etype) { /* Reset session ID */ if (sav->tdb_cryptoid != 0) sav->tdb_cryptoid = crp->crp_sid; if (crp->crp_etype == EAGAIN) { KEY_FREESAV(&sav); splx(s); return crypto_dispatch(crp); } ipcompstat.ipcomps_noxform++; DPRINTF(("ipcomp_output_cb: crypto error %d\n", crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { ipcompstat.ipcomps_crypto++; DPRINTF(("ipcomp_output_cb: bogus return buffer from crypto\n")); error = EINVAL; goto bad; } ipcompstat.ipcomps_hist[sav->alg_comp]++; if (rlen > crp->crp_olen) { /* Adjust the length in the IP header */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len); break; #endif /* INET */ #ifdef INET6 case AF_INET6: mtod(m, struct ip6_hdr *)->ip6_plen = htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr); break; #endif /* INET6 */ default: ipcompstat.ipcomps_nopf++; DPRINTF(("ipcomp_output: unknown/unsupported protocol " "family %d, IPCA %s/%08lx\n", sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = EPFNOSUPPORT; goto bad; } } else { /* compression was useless, we have lost time */ /* XXX add statistic */ } /* Release the crypto descriptor */ free(tc, M_XDATA); crypto_freereq(crp); /* NB: m is reclaimed by ipsec_process_done. */ error = ipsec_process_done(m, isr); KEY_FREESAV(&sav); splx(s); return error; bad: if (sav) KEY_FREESAV(&sav); splx(s); if (m) m_freem(m); free(tc, M_XDATA); crypto_freereq(crp); return error; } static struct xformsw ipcomp_xformsw = { XF_IPCOMP, XFT_COMP, "IPcomp", ipcomp_init, ipcomp_zeroize, ipcomp_input, ipcomp_output }; INITFN void ipcomp_attach(void) { xform_register(&ipcomp_xformsw); } #ifdef __FreeBSD__ SYSINIT(ipcomp_xform_init, SI_SUB_DRIVERS, SI_ORDER_FIRST, ipcomp_attach, NULL) #endif /* __FreeBSD__ */ @ 1.4.4.3 log @Sync with HEAD. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.4.4.2 2004/09/18 14:55:32 skrll Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.4.4.2 2004/09/18 14:55:32 skrll Exp $"); @ 1.4.4.4 log @Fix the sync with head I botched. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.4.4.3 2004/09/21 13:37:48 skrll Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.4.4.3 2004/09/21 13:37:48 skrll Exp $"); @ 1.4.4.5 log @Sync with HEAD. Hi Perry! @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.4.4.4 2005/03/04 16:53:44 skrll Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.4.4.4 2005/03/04 16:53:44 skrll Exp $"); d380 1 a380 1 ", IPCA %s/%08lx\n", d404 1 a404 1 DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n", d570 1 a570 1 "family %d, IPCA %s/%08lx\n", d572 1 a572 1 ipsec_address(&sav->sah->saidx.dst), @ 1.4.10.1 log @sync with -current @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.5 2005/02/26 22:45:13 perry Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.5 2005/02/26 22:45:13 perry Exp $"); d380 1 a380 1 ", IPCA %s/%08lx\n", d404 1 a404 1 DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n", d570 1 a570 1 "family %d, IPCA %s/%08lx\n", d572 1 a572 1 ipsec_address(&sav->sah->saidx.dst), @ 1.4.12.1 log @sync with head. xen and whitespace. xen part is not finished. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.4 2003/10/06 22:05:15 tls Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.4 2003/10/06 22:05:15 tls Exp $"); d380 1 a380 1 ", IPCA %s/%08lx\n", d404 1 a404 1 DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n", d570 1 a570 1 "family %d, IPCA %s/%08lx\n", d572 1 a572 1 ipsec_address(&sav->sah->saidx.dst), @ 1.3 log @merge netipsec/key* into netkey/key*. no need for both. change confusing filename @ text @d66 2 a67 2 #include #include d78 1 a78 1 #ifdef __freeBSD__ d84 1 a84 1 #endif __FreeBSD__ d616 1 a616 1 #endif __FreeBSD__ @ 1.2 log @opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif. @ text @d1 1 a1 1 /* $NetBSD: xform_ipcomp.c,v 1.1 2003/08/13 20:06:52 jonathan Exp $ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.1 2003/08/13 20:06:52 jonathan Exp $"); d66 2 a67 2 #include #include @ 1.1 log @Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements. This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD. @ text @d1 1 a1 1 /* $NetBSD:$ */ d33 1 a33 1 __KERNEL_RCSID(0, "$NetBSD:$"); d37 1 d39 1 @