knakahara
4fda12c619
Fix fragment processing in ipsec4_fragout(). Pointed out by maxv@n.o, thanks.
XXX need pullup-8
2018-03-06 10:07:06 +00:00
maxv
f2110e8589
Improve stupid check, style, and fix leak (m, not m0).
2018-03-05 12:42:28 +00:00
maxv
052a8431bf
Call m_pullup earlier, fixes one branch.
2018-03-05 11:50:25 +00:00
maxv
52489f2bdd
Reduce the diff between ipsec4_output and ipsec6_check_policy. While here
style.
2018-03-03 09:54:55 +00:00
maxv
d219e3b4ad
Dedup.
2018-03-03 09:47:01 +00:00
maxv
6c5d24ed60
Add KASSERTs, we don't want m_nextpkt in ipsec{4/6}_process_packet.
2018-03-03 09:39:29 +00:00
ozaki-r
c17f87d4e1
Avoid data races on lifetime counters by using percpu(9)
We don't make them percpu(9) directly because the structure is exposed to
userland and we don't want to break ABI. So we add another member variable
for percpu(9) and use it internally. When we export them to userland, they
are converted to the original format.
2018-03-02 07:37:13 +00:00
maxv
f3215192fd
add missing static
2018-02-28 11:29:14 +00:00
maxv
d81439a881
Remove unused macros, and while here style.
2018-02-28 11:19:49 +00:00
maxv
e9a0140794
Remove duplicate IPSEC_STATINC(IPSEC_STAT_IN_POLVIO), ipsec_in_reject
already increases it. IPSEC6_STATINC is now unused, so remove it too.
2018-02-28 11:09:03 +00:00
maxv
247966d592
Dedup: merge ipsec4_setspidx_inpcb and ipsec6_setspidx_in6pcb.
2018-02-28 10:16:19 +00:00
maxv
f931621816
ipsec6_setspidx_in6pcb: call ipsec_setspidx() only once, just like the
IPv4 code. While here put the correct variable in sizeof.
ok ozaki-r@
2018-02-28 10:09:17 +00:00
maxv
faad9849ec
Dedup: merge ipsec4_set_policy and ipsec6_set_policy. The content of the
original ipsec_set_policy function is inlined into the new one.
2018-02-27 15:01:30 +00:00
maxv
6fd7a9a762
Remove duplicate checks, and no need to initialize 'newsp' in
ipsec_set_policy.
2018-02-27 14:52:51 +00:00
maxv
580ac4be42
Dedup: merge
ipsec4_get_policy and ipsec6_get_policy
ipsec4_delete_pcbpolicy and ipsec6_delete_pcbpolicy
The already-existing ipsec_get_policy() function is inlined in the new
one.
2018-02-27 14:44:10 +00:00
maxv
be32dea43c
Use inpcb_hdr to reduce the diff between
ipsec4_set_policy and ipsec6_set_policy
ipsec4_get_policy and ipsec6_get_policy
ipsec4_delete_pcbpolicy and ipsec6_delete_pcbpolicy
No real functional change.
2018-02-27 13:36:21 +00:00
maxv
215e1b4181
Optimize: use ipsec_sp_hdrsiz instead of ipsec_hdrsiz, not to re-query
the SP.
ok ozaki-r@
2018-02-27 08:05:19 +00:00
maxv
0695fe90b1
Dedup: call ipsec_in_reject directly. IPSEC_STAT_IN_POLVIO also gets
increased now.
2018-02-26 10:36:24 +00:00
maxv
768c43840b
Reduce the diff between ipsec6_input and ipsec4_input.
2018-02-26 10:19:13 +00:00
maxv
b39a0dd1f8
Dedup: merge ipsec4_in_reject and ipsec6_in_reject into ipsec_in_reject.
While here fix misleading comment.
ok ozaki-r@
2018-02-26 09:04:29 +00:00
maxv
c3c5f13028
Dedup: merge ipsec4_hdrsiz and ipsec6_hdrsiz into ipsec_hdrsiz.
ok ozaki-r@
2018-02-26 08:50:25 +00:00
maxv
2953bb2565
Dedup: merge ipsec4_checkpolicy and ipsec6_checkpolicy into
ipsec_checkpolicy.
ok ozaki-r@
2018-02-26 08:42:16 +00:00
maxv
0f3ae0526d
If 'skip' is lower than sizeof(struct ip), we are in trouble. So remove a
nonsensical branch, and add a panic at the beginning of the function.
2018-02-26 06:58:56 +00:00
maxv
1d337420b7
m is never allowed to be NULL, so turn the KASSERT (and the null check)
to a panic.
2018-02-26 06:53:22 +00:00
maxv
8a440faae1
Fix nonsensical checks, neither in6p nor request is allowed to be NULL,
and the former is already dereferenced in a kassert. This code should be
the same as ipsec4_set_policy.
2018-02-26 06:48:01 +00:00
maxv
3e1c4ac085
Add XXX, it seems to me we need to free the mbuf here.
2018-02-26 06:41:27 +00:00
maxv
20ee129912
Reinforce this area, make sure the length field fits the option. Normally
it always does because the options were already sanitized earlier.
2018-02-26 06:40:08 +00:00
maxv
589f503d3d
Fix mbuf mistake: we are using ip6 before it is pulled up properly.
2018-02-26 06:34:39 +00:00
maxv
16a6b57077
Merge some minor (mostly stylistic) changes from last week.
2018-02-26 06:17:01 +00:00
maxv
790020449d
Style, no functional change.
2018-02-21 17:04:52 +00:00
maxv
2256f36f66
Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).
2018-02-21 16:55:53 +00:00
maxv
8084c6496d
Argh, in my previous commit in this file I forgot to fix the IPv6
entry point; apply the same fix there.
2018-02-21 16:48:28 +00:00
maxv
b9badffce8
Fix ipsec4_get_ulp(). We should do "goto done" instead of "return",
otherwise the port fields of spidx are uninitialized.
ok mlelstv@
2018-02-21 16:42:33 +00:00
maxv
8df55a522b
Use inpcb_hdr to reduce the diff between:
ipsec4_hdrsiz and ipsec6_hdrsiz
ipsec4_in_reject and ipsec6_in_reject
ipsec4_checkpolicy and ipsec4_checkpolicy
The members of these couples are now identical, and could be merged,
giving only three functions instead of six...
2018-02-21 16:38:15 +00:00
maxv
af69f63988
Rename:
ipsec_in_reject -> ipsec_sp_reject
ipsec_hdrsiz -> ipsec_sp_hdrsiz
localify the former, and do some cleanup while here.
2018-02-21 16:18:52 +00:00
maxv
ff46a2a32a
Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we
may crash here. Triggerable remotely, but after authentication, by sending
an AH packet that has a one-byte-sized IPIP payload.
2018-02-21 16:08:55 +00:00
maxv
22e66c740d
Style, remove unused and misleading macros and comments, localify, and
reduce the diff between similar functions. No functional change.
2018-02-16 15:18:41 +00:00
maxv
2603d1d6e8
Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte
AH packet. Triggerable before authentication when IPsec and forwarding
are both enabled.
2018-02-16 11:25:16 +00:00
maxv
9a3c5d51fb
Style a bit, no functional change.
2018-02-16 11:07:44 +00:00
maxv
0911911c9c
Remove unused.
2018-02-16 10:07:07 +00:00
maxv
9ceac8f0d8
Add [ah/esp/ipcomp]_enable sysctls, and remove the FreeBSD #ifdefs.
Discussed with ozaki-r@.
2018-02-16 09:24:55 +00:00
maxv
e7ef501d6b
Remove some more FreeBSD sysctl declarations that already have NetBSD
counterparts. Discussed with ozaki-r@.
2018-02-16 09:07:50 +00:00
maxv
85384b6c32
Remove ipsec_replay and ipsec_integrity from this place, they are already
declared as sysctls. Discussed with ozaki-r@.
2018-02-16 08:56:50 +00:00
maxv
2ff2bfdeb3
Remove ip4_esp_randpad and ip6_esp_randpad, unused. Discussed with
ozaki-r@.
2018-02-16 08:51:28 +00:00
maxv
30a9923153
Style and simplify.
2018-02-15 13:51:32 +00:00
maxv
2ebc96e2af
Style a bit, and if we don't know the pad-filling policy use
SADB_X_EXT_PZERO by default.
There doesn't seem to be a sanity check in the keysock API to make sure
this place is never reached, and it's better to fill in with zeros than
not filling in at all (and leaking uninitialized mbuf data).
2018-02-15 12:40:12 +00:00
maxv
a0cc537671
Remove broken MROUTING code, rename ipo->ip4, and simplify.
2018-02-15 10:41:51 +00:00
maxv
7c3a8f9a1f
Fix the IPIP_STAT_IBYTES stats; we did m_adj(m, iphlen) which subtracted
iphlen, so no need to re-subtract it again.
2018-02-15 10:28:49 +00:00
maxv
79a778597c
dedup again
2018-02-15 10:21:39 +00:00
maxv
f281f715a5
dedup
2018-02-15 10:09:53 +00:00