Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav. However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
This commit is contained in:
parent
dfda6b6abe
commit
38b8f795b6
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipsec.h,v 1.51 2017/07/05 03:44:59 ozaki-r Exp $ */
|
||||
/* $NetBSD: ipsec.h,v 1.52 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
|
||||
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
|
||||
|
||||
@ -341,7 +341,7 @@ void ipsec4_common_input(struct mbuf *m, ...);
|
||||
int ipsec4_common_input_cb(struct mbuf *, struct secasvar *,
|
||||
int, int);
|
||||
int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *);
|
||||
int ipsec_process_done (struct mbuf *, struct ipsecrequest *);
|
||||
int ipsec_process_done(struct mbuf *, struct ipsecrequest *, struct secasvar *);
|
||||
#define ipsec_indone(m) \
|
||||
(m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipsec_output.c,v 1.53 2017/07/13 01:48:52 ozaki-r Exp $ */
|
||||
/* $NetBSD: ipsec_output.c,v 1.54 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
|
||||
@ -29,7 +29,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.53 2017/07/13 01:48:52 ozaki-r Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.54 2017/07/14 12:26:26 ozaki-r Exp $");
|
||||
|
||||
/*
|
||||
* IPsec output processing.
|
||||
@ -142,9 +142,9 @@ ipsec_reinject_ipstack(struct mbuf *m, int af)
|
||||
}
|
||||
|
||||
int
|
||||
ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
|
||||
ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr,
|
||||
struct secasvar *sav)
|
||||
{
|
||||
struct secasvar *sav;
|
||||
struct secasindex *saidx;
|
||||
int error;
|
||||
#ifdef INET
|
||||
@ -162,7 +162,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
|
||||
|
||||
KASSERT(m != NULL);
|
||||
KASSERT(isr != NULL);
|
||||
sav = isr->sav;
|
||||
KASSERT(sav != NULL);
|
||||
|
||||
saidx = &sav->sah->saidx;
|
||||
@ -293,7 +292,8 @@ ipsec_nextisr(
|
||||
struct mbuf *m,
|
||||
struct ipsecrequest *isr,
|
||||
int af,
|
||||
int *error
|
||||
int *error,
|
||||
struct secasvar **ret
|
||||
)
|
||||
{
|
||||
#define IPSEC_OSTAT(type) \
|
||||
@ -311,7 +311,7 @@ do { \
|
||||
} \
|
||||
} while (/*CONSTCOND*/0)
|
||||
|
||||
struct secasvar *sav;
|
||||
struct secasvar *sav = NULL;
|
||||
struct secasindex *saidx;
|
||||
|
||||
IPSEC_SPLASSERT_SOFTNET("ipsec_nextisr");
|
||||
@ -380,7 +380,7 @@ again:
|
||||
/*
|
||||
* Lookup SA and validate it.
|
||||
*/
|
||||
*error = key_checkrequest(isr);
|
||||
*error = key_checkrequest(isr, &sav);
|
||||
if (*error != 0) {
|
||||
/*
|
||||
* IPsec processing is required, but no SA found.
|
||||
@ -392,7 +392,6 @@ again:
|
||||
IPSEC_STATINC(IPSEC_STAT_OUT_NOSA);
|
||||
goto bad;
|
||||
}
|
||||
sav = isr->sav;
|
||||
/* sav may be NULL here if we have an USE rule */
|
||||
if (sav == NULL) {
|
||||
KASSERTMSG(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
|
||||
@ -404,6 +403,7 @@ again:
|
||||
* It can happen when the last rules are USE rules
|
||||
* */
|
||||
if (isr == NULL) {
|
||||
*ret = NULL;
|
||||
*error = 0;
|
||||
return isr;
|
||||
}
|
||||
@ -420,6 +420,7 @@ again:
|
||||
" to policy (check your sysctls)\n");
|
||||
IPSEC_OSTAT(PDROPS);
|
||||
*error = EHOSTUNREACH;
|
||||
KEY_FREESAV(&sav);
|
||||
goto bad;
|
||||
}
|
||||
|
||||
@ -428,6 +429,7 @@ again:
|
||||
* before they invoke the xform output method.
|
||||
*/
|
||||
KASSERT(sav->tdb_xform != NULL);
|
||||
*ret = sav;
|
||||
return isr;
|
||||
bad:
|
||||
KASSERTMSG(*error != 0, "error return w/ no error code");
|
||||
@ -442,7 +444,7 @@ bad:
|
||||
int
|
||||
ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
{
|
||||
struct secasvar *sav;
|
||||
struct secasvar *sav = NULL;
|
||||
struct ip *ip;
|
||||
int s, error, i, off;
|
||||
union sockaddr_union *dst;
|
||||
@ -453,7 +455,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
|
||||
s = splsoftnet(); /* insure SA contents don't change */
|
||||
|
||||
isr = ipsec_nextisr(m, isr, AF_INET, &error);
|
||||
isr = ipsec_nextisr(m, isr, AF_INET, &error, &sav);
|
||||
if (isr == NULL) {
|
||||
if (error != 0) {
|
||||
goto bad;
|
||||
@ -466,7 +468,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
}
|
||||
}
|
||||
|
||||
sav = isr->sav;
|
||||
KASSERT(sav != NULL);
|
||||
dst = &sav->sah->saidx.dst;
|
||||
|
||||
/*
|
||||
@ -476,7 +478,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
if (m->m_len < sizeof (struct ip) &&
|
||||
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
|
||||
error = ENOBUFS;
|
||||
goto bad;
|
||||
goto unrefsav;
|
||||
}
|
||||
ip = mtod(m, struct ip *);
|
||||
/* Honor system-wide control of how to handle IP_DF */
|
||||
@ -511,7 +513,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
if (m->m_len < sizeof (struct ip) &&
|
||||
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
|
||||
error = ENOBUFS;
|
||||
goto bad;
|
||||
goto unrefsav;
|
||||
}
|
||||
ip = mtod(m, struct ip *);
|
||||
ip->ip_len = htons(m->m_pkthdr.len);
|
||||
@ -519,7 +521,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
|
||||
|
||||
/* Encapsulate the packet */
|
||||
error = ipip_output(m, isr, &mp, 0, 0);
|
||||
error = ipip_output(m, isr, sav, &mp, 0, 0);
|
||||
if (mp == NULL && !error) {
|
||||
/* Should never happen. */
|
||||
IPSECLOG(LOG_DEBUG,
|
||||
@ -532,7 +534,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
m_freem(mp);
|
||||
}
|
||||
m = NULL; /* ipip_output() already freed it */
|
||||
goto bad;
|
||||
goto unrefsav;
|
||||
}
|
||||
m = mp, mp = NULL;
|
||||
/*
|
||||
@ -546,7 +548,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
if (m->m_len < sizeof (struct ip) &&
|
||||
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
|
||||
error = ENOBUFS;
|
||||
goto bad;
|
||||
goto unrefsav;
|
||||
}
|
||||
ip = mtod(m, struct ip *);
|
||||
ip->ip_off |= htons(IP_DF);
|
||||
@ -572,12 +574,15 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
|
||||
i = sizeof(struct ip6_hdr);
|
||||
off = offsetof(struct ip6_hdr, ip6_nxt);
|
||||
}
|
||||
error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
|
||||
error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
|
||||
} else {
|
||||
error = ipsec_process_done(m, isr);
|
||||
error = ipsec_process_done(m, isr, sav);
|
||||
}
|
||||
KEY_FREESAV(&sav);
|
||||
splx(s);
|
||||
return error;
|
||||
unrefsav:
|
||||
KEY_FREESAV(&sav);
|
||||
bad:
|
||||
splx(s);
|
||||
if (m)
|
||||
@ -673,7 +678,7 @@ ipsec6_process_packet(
|
||||
struct ipsecrequest *isr
|
||||
)
|
||||
{
|
||||
struct secasvar *sav;
|
||||
struct secasvar *sav = NULL;
|
||||
struct ip6_hdr *ip6;
|
||||
int s, error, i, off;
|
||||
union sockaddr_union *dst;
|
||||
@ -683,7 +688,7 @@ ipsec6_process_packet(
|
||||
|
||||
s = splsoftnet(); /* insure SA contents don't change */
|
||||
|
||||
isr = ipsec_nextisr(m, isr, AF_INET6, &error);
|
||||
isr = ipsec_nextisr(m, isr, AF_INET6, &error, &sav);
|
||||
if (isr == NULL) {
|
||||
if (error != 0) {
|
||||
/* XXX Should we send a notification ? */
|
||||
@ -697,7 +702,7 @@ ipsec6_process_packet(
|
||||
}
|
||||
}
|
||||
|
||||
sav = isr->sav;
|
||||
KASSERT(sav != NULL);
|
||||
dst = &sav->sah->saidx.dst;
|
||||
|
||||
ip6 = mtod(m, struct ip6_hdr *); /* XXX */
|
||||
@ -715,21 +720,21 @@ ipsec6_process_packet(
|
||||
if (m->m_len < sizeof(struct ip6_hdr)) {
|
||||
if ((m = m_pullup(m,sizeof(struct ip6_hdr))) == NULL) {
|
||||
error = ENOBUFS;
|
||||
goto bad;
|
||||
goto unrefsav;
|
||||
}
|
||||
}
|
||||
|
||||
if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) {
|
||||
/* No jumbogram support. */
|
||||
error = ENXIO; /*XXX*/
|
||||
goto bad;
|
||||
goto unrefsav;
|
||||
}
|
||||
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
|
||||
|
||||
/* Encapsulate the packet */
|
||||
error = ipip_output(m, isr, &mp, 0, 0);
|
||||
error = ipip_output(m, isr, sav, &mp, 0, 0);
|
||||
if (mp == NULL && !error) {
|
||||
/* Should never happen. */
|
||||
IPSECLOG(LOG_DEBUG,
|
||||
@ -743,7 +748,7 @@ ipsec6_process_packet(
|
||||
m_freem(mp);
|
||||
}
|
||||
m = NULL; /* ipip_output() already freed it */
|
||||
goto bad;
|
||||
goto unrefsav;
|
||||
}
|
||||
|
||||
m = mp;
|
||||
@ -758,9 +763,12 @@ ipsec6_process_packet(
|
||||
} else {
|
||||
compute_ipsec_pos(m, &i, &off);
|
||||
}
|
||||
error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
|
||||
error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
|
||||
KEY_FREESAV(&sav);
|
||||
splx(s);
|
||||
return error;
|
||||
unrefsav:
|
||||
KEY_FREESAV(&sav);
|
||||
bad:
|
||||
splx(s);
|
||||
if (m)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: key.c,v 1.183 2017/07/14 01:30:08 ozaki-r Exp $ */
|
||||
/* $NetBSD: key.c,v 1.184 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
|
||||
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
|
||||
|
||||
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.183 2017/07/14 01:30:08 ozaki-r Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.184 2017/07/14 12:26:26 ozaki-r Exp $");
|
||||
|
||||
/*
|
||||
* This code is referd to RFC 2367
|
||||
@ -837,7 +837,7 @@ done:
|
||||
* ENOENT: policy may be valid, but SA with REQUIRE is on acquiring.
|
||||
*/
|
||||
int
|
||||
key_checkrequest(struct ipsecrequest *isr)
|
||||
key_checkrequest(struct ipsecrequest *isr, struct secasvar **ret)
|
||||
{
|
||||
u_int level;
|
||||
int error;
|
||||
@ -898,8 +898,11 @@ key_checkrequest(struct ipsecrequest *isr)
|
||||
KEY_FREESAV(&oldsav);
|
||||
|
||||
/* When there is SA. */
|
||||
if (isr->sav != NULL)
|
||||
if (isr->sav != NULL) {
|
||||
*ret = isr->sav;
|
||||
SA_ADDREF(*ret);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* there is no SA */
|
||||
error = key_acquire(saidx, isr->sp);
|
||||
@ -913,6 +916,7 @@ key_checkrequest(struct ipsecrequest *isr)
|
||||
if (level != IPSEC_LEVEL_REQUIRE) {
|
||||
/* XXX sigh, the interface to this routine is botched */
|
||||
KASSERTMSG(isr->sav == NULL, "unexpected SA");
|
||||
*ret = NULL;
|
||||
return 0;
|
||||
} else {
|
||||
return ENOENT;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: key.h,v 1.22 2017/07/14 01:24:23 ozaki-r Exp $ */
|
||||
/* $NetBSD: key.h,v 1.23 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
|
||||
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
|
||||
|
||||
@ -93,7 +93,7 @@ void key_freesav(struct secasvar **, const char*, int);
|
||||
key_freesav(psav, __func__, __LINE__)
|
||||
|
||||
int key_checktunnelsanity (struct secasvar *, u_int, void *, void *);
|
||||
int key_checkrequest(struct ipsecrequest *);
|
||||
int key_checkrequest(struct ipsecrequest *, struct secasvar **);
|
||||
|
||||
struct secpolicy *key_msg2sp (const struct sadb_x_policy *, size_t, int *);
|
||||
struct mbuf *key_sp2msg (const struct secpolicy *);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: xform.h,v 1.10 2017/07/14 01:24:23 ozaki-r Exp $ */
|
||||
/* $NetBSD: xform.h,v 1.11 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: src/sys/netipsec/xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
|
||||
/* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */
|
||||
/*
|
||||
@ -93,7 +93,8 @@ struct xformsw {
|
||||
int (*xf_input)(struct mbuf*, struct secasvar*, /* input */
|
||||
int, int);
|
||||
int (*xf_output)(struct mbuf*, /* output */
|
||||
struct ipsecrequest *, struct mbuf **, int, int);
|
||||
struct ipsecrequest *, struct secasvar *,
|
||||
struct mbuf **, int, int);
|
||||
struct xformsw *xf_next; /* list of registered xforms */
|
||||
};
|
||||
|
||||
@ -106,7 +107,7 @@ struct cryptoini;
|
||||
/* XF_IP4 */
|
||||
extern int ip4_input6(struct mbuf **m, int *offp, int proto);
|
||||
extern void ip4_input(struct mbuf *m, int, int);
|
||||
extern int ipip_output(struct mbuf *, struct ipsecrequest *,
|
||||
extern int ipip_output(struct mbuf *, struct ipsecrequest *, struct secasvar *,
|
||||
struct mbuf **, int, int);
|
||||
|
||||
/* XF_AH */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $ */
|
||||
/* $NetBSD: xform_ah.c,v 1.61 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
|
||||
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
|
||||
/*
|
||||
@ -39,7 +39,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.61 2017/07/14 12:26:26 ozaki-r Exp $");
|
||||
|
||||
#if defined(_KERNEL_OPT)
|
||||
#include "opt_inet.h"
|
||||
@ -955,13 +955,13 @@ static int
|
||||
ah_output(
|
||||
struct mbuf *m,
|
||||
struct ipsecrequest *isr,
|
||||
struct secasvar *sav,
|
||||
struct mbuf **mp,
|
||||
int skip,
|
||||
int protoff
|
||||
)
|
||||
{
|
||||
char buf[IPSEC_ADDRSTRLEN];
|
||||
struct secasvar *sav;
|
||||
const struct auth_hash *ahx;
|
||||
struct cryptodesc *crda;
|
||||
struct tdb_crypto *tc;
|
||||
@ -974,7 +974,6 @@ ah_output(
|
||||
|
||||
IPSEC_SPLASSERT_SOFTNET(__func__);
|
||||
|
||||
sav = isr->sav;
|
||||
KASSERT(sav != NULL);
|
||||
KASSERT(sav->tdb_authalgxform != NULL);
|
||||
ahx = sav->tdb_authalgxform;
|
||||
@ -1202,7 +1201,6 @@ ah_output_cb(struct cryptop *crp)
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
KASSERTMSG(isr->sav == sav, "SA changed");
|
||||
|
||||
/* Check for crypto errors. */
|
||||
if (crp->crp_etype) {
|
||||
@ -1256,7 +1254,7 @@ ah_output_cb(struct cryptop *crp)
|
||||
#endif
|
||||
|
||||
/* NB: m is reclaimed by ipsec_process_done. */
|
||||
err = ipsec_process_done(m, isr);
|
||||
err = ipsec_process_done(m, isr, sav);
|
||||
KEY_FREESAV(&sav);
|
||||
mutex_exit(softnet_lock);
|
||||
splx(s);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $ */
|
||||
/* $NetBSD: xform_esp.c,v 1.62 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
|
||||
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
|
||||
|
||||
@ -39,7 +39,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.62 2017/07/14 12:26:26 ozaki-r Exp $");
|
||||
|
||||
#if defined(_KERNEL_OPT)
|
||||
#include "opt_inet.h"
|
||||
@ -698,6 +698,7 @@ static int
|
||||
esp_output(
|
||||
struct mbuf *m,
|
||||
struct ipsecrequest *isr,
|
||||
struct secasvar *sav,
|
||||
struct mbuf **mp,
|
||||
int skip,
|
||||
int protoff
|
||||
@ -709,7 +710,6 @@ esp_output(
|
||||
int hlen, rlen, padding, blks, alen, i, roff;
|
||||
struct mbuf *mo = NULL;
|
||||
struct tdb_crypto *tc;
|
||||
struct secasvar *sav;
|
||||
struct secasindex *saidx;
|
||||
unsigned char *pad;
|
||||
uint8_t prot;
|
||||
@ -720,8 +720,6 @@ esp_output(
|
||||
|
||||
IPSEC_SPLASSERT_SOFTNET(__func__);
|
||||
|
||||
KASSERT(isr->sav != NULL);
|
||||
sav = isr->sav;
|
||||
esph = sav->tdb_authalgxform;
|
||||
KASSERT(sav->tdb_encalgxform != NULL);
|
||||
espx = sav->tdb_encalgxform;
|
||||
@ -981,8 +979,6 @@ esp_output_cb(struct cryptop *crp)
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
KASSERTMSG(isr->sav == sav,
|
||||
"SA changed was %p now %p", isr->sav, sav);
|
||||
|
||||
/* Check for crypto errors. */
|
||||
if (crp->crp_etype) {
|
||||
@ -1037,7 +1033,7 @@ esp_output_cb(struct cryptop *crp)
|
||||
#endif
|
||||
|
||||
/* NB: m is reclaimed by ipsec_process_done. */
|
||||
err = ipsec_process_done(m, isr);
|
||||
err = ipsec_process_done(m, isr, sav);
|
||||
KEY_FREESAV(&sav);
|
||||
mutex_exit(softnet_lock);
|
||||
splx(s);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $ */
|
||||
/* $NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
|
||||
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
|
||||
|
||||
@ -30,7 +30,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $");
|
||||
|
||||
/* IP payload compression protocol (IPComp), see RFC 2393 */
|
||||
#if defined(_KERNEL_OPT)
|
||||
@ -376,13 +376,13 @@ static int
|
||||
ipcomp_output(
|
||||
struct mbuf *m,
|
||||
struct ipsecrequest *isr,
|
||||
struct secasvar *sav,
|
||||
struct mbuf **mp,
|
||||
int skip,
|
||||
int protoff
|
||||
)
|
||||
{
|
||||
char buf[IPSEC_ADDRSTRLEN];
|
||||
struct secasvar *sav;
|
||||
const struct comp_algo *ipcompx;
|
||||
int error, ralen, hlen, maxpacketsize;
|
||||
struct cryptodesc *crdc;
|
||||
@ -390,8 +390,7 @@ ipcomp_output(
|
||||
struct tdb_crypto *tc;
|
||||
|
||||
IPSEC_SPLASSERT_SOFTNET(__func__);
|
||||
KASSERT(isr->sav != NULL);
|
||||
sav = isr->sav;
|
||||
KASSERT(sav != NULL);
|
||||
KASSERT(sav->tdb_compalgxform != NULL);
|
||||
ipcompx = sav->tdb_compalgxform;
|
||||
|
||||
@ -400,7 +399,7 @@ ipcomp_output(
|
||||
/* Don't process the packet if it is too short */
|
||||
if (ralen < ipcompx->minlen) {
|
||||
IPCOMP_STATINC(IPCOMP_STAT_MINLEN);
|
||||
return ipsec_process_done(m,isr);
|
||||
return ipsec_process_done(m, isr, sav);
|
||||
}
|
||||
|
||||
hlen = IPCOMP_HLENGTH;
|
||||
@ -547,7 +546,6 @@ ipcomp_output_cb(struct cryptop *crp)
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
KASSERTMSG(isr->sav == sav, "SA changed");
|
||||
|
||||
/* Check for crypto errors */
|
||||
if (crp->crp_etype) {
|
||||
@ -651,7 +649,7 @@ ipcomp_output_cb(struct cryptop *crp)
|
||||
crypto_freereq(crp);
|
||||
|
||||
/* NB: m is reclaimed by ipsec_process_done. */
|
||||
error = ipsec_process_done(m, isr);
|
||||
error = ipsec_process_done(m, isr, sav);
|
||||
KEY_FREESAV(&sav);
|
||||
mutex_exit(softnet_lock);
|
||||
splx(s);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: xform_ipip.c,v 1.52 2017/07/14 01:24:23 ozaki-r Exp $ */
|
||||
/* $NetBSD: xform_ipip.c,v 1.53 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
|
||||
/* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
|
||||
|
||||
@ -39,7 +39,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.52 2017/07/14 01:24:23 ozaki-r Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.53 2017/07/14 12:26:26 ozaki-r Exp $");
|
||||
|
||||
/*
|
||||
* IP-inside-IP processing
|
||||
@ -397,13 +397,13 @@ int
|
||||
ipip_output(
|
||||
struct mbuf *m,
|
||||
struct ipsecrequest *isr,
|
||||
struct secasvar *sav,
|
||||
struct mbuf **mp,
|
||||
int skip,
|
||||
int protoff
|
||||
)
|
||||
{
|
||||
char buf[IPSEC_ADDRSTRLEN];
|
||||
struct secasvar *sav;
|
||||
uint8_t tp, otos;
|
||||
struct secasindex *saidx;
|
||||
int error;
|
||||
@ -416,9 +416,7 @@ ipip_output(
|
||||
#endif /* INET6 */
|
||||
|
||||
IPSEC_SPLASSERT_SOFTNET(__func__);
|
||||
|
||||
KASSERT(isr->sav != NULL);
|
||||
sav = isr->sav;
|
||||
KASSERT(sav != NULL);
|
||||
|
||||
/* XXX Deal with empty TDB source/destination addresses. */
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: xform_tcp.c,v 1.14 2017/07/14 01:24:23 ozaki-r Exp $ */
|
||||
/* $NetBSD: xform_tcp.c,v 1.15 2017/07/14 12:26:26 ozaki-r Exp $ */
|
||||
/* $FreeBSD: sys/netipsec/xform_tcp.c,v 1.1.2.1 2004/02/14 22:24:09 bms Exp $ */
|
||||
|
||||
/*
|
||||
@ -31,7 +31,7 @@
|
||||
/* TCP MD5 Signature Option (RFC2385) */
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.14 2017/07/14 01:24:23 ozaki-r Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.15 2017/07/14 12:26:26 ozaki-r Exp $");
|
||||
|
||||
#if defined(_KERNEL_OPT)
|
||||
#include "opt_inet.h"
|
||||
@ -155,7 +155,7 @@ tcpsignature_input(struct mbuf *m, struct secasvar *sav, int skip,
|
||||
*/
|
||||
static int
|
||||
tcpsignature_output(struct mbuf *m, struct ipsecrequest *isr,
|
||||
struct mbuf **mp, int skip, int protoff)
|
||||
struct secasvar *sav, struct mbuf **mp, int skip, int protoff)
|
||||
{
|
||||
|
||||
return (EINVAL);
|
||||
|
Loading…
Reference in New Issue
Block a user