Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netipsec Don't abuse key_checkrequest just for looking u...
details: https://anonhg.NetBSD.org/src/rev/483255826782
branches: trunk
changeset: 826875:483255826782
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Tue Oct 03 08:25:21 2017 +0000
description:
Don't abuse key_checkrequest just for looking up sav
It does more than expected for example key_acquire.
diffstat:
sys/netipsec/ipsec.c | 52 ++++++++++++++++++++++----------------------
sys/netipsec/ipsec.h | 4 ++-
sys/netipsec/ipsec_output.c | 18 +++++++++++++-
sys/netipsec/key.c | 7 ++---
sys/netipsec/key.h | 3 +-
5 files changed, 50 insertions(+), 34 deletions(-)
diffs (228 lines):
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/ipsec.c Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.120 2017/09/28 17:21:42 christos Exp $ */
+/* $NetBSD: ipsec.c,v 1.121 2017/10/03 08:25:21 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.120 2017/09/28 17:21:42 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.121 2017/10/03 08:25:21 ozaki-r Exp $");
/*
* IPsec controller part.
@@ -212,7 +212,7 @@
static int ipsec_get_policy (struct secpolicy *, struct mbuf **);
static void ipsec_destroy_policy(struct secpolicy *);
static void vshiftl (unsigned char *, int, int);
-static size_t ipsec_hdrsiz (const struct secpolicy *);
+static size_t ipsec_hdrsiz(const struct secpolicy *, const struct mbuf *);
/*
* Try to validate and use cached policy on a PCB.
@@ -801,22 +801,23 @@
* Find the correct route for outer IPv4 header, compute tunnel MTU.
*/
if (sp->req) {
- struct route *ro;
- struct rtentry *rt;
- struct secasvar *sav = NULL;
+ struct secasvar *sav;
+
+ sav = ipsec_lookup_sa(sp->req, m);
+ if (sav != NULL) {
+ struct route *ro;
+ struct rtentry *rt;
- error = key_checkrequest(sp->req, &sav);
- if (error != 0)
- return error;
- ro = &sav->sah->sa_route;
- rt = rtcache_validate(ro);
- if (rt && rt->rt_ifp) {
- *destmtu = rt->rt_rmx.rmx_mtu ?
- rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
- *destmtu -= ipsechdr;
+ ro = &sav->sah->sa_route;
+ rt = rtcache_validate(ro);
+ if (rt && rt->rt_ifp) {
+ *destmtu = rt->rt_rmx.rmx_mtu ?
+ rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
+ *destmtu -= ipsechdr;
+ }
+ rtcache_unref(rt, ro);
+ KEY_SA_UNREF(&sav);
}
- rtcache_unref(rt, ro);
- KEY_SA_UNREF(&sav);
}
KEY_SP_UNREF(&sp);
return 0;
@@ -1860,7 +1861,7 @@
* NOTE: SP passed is free in this function.
*/
static size_t
-ipsec_hdrsiz(const struct secpolicy *sp)
+ipsec_hdrsiz(const struct secpolicy *sp, const struct mbuf *m)
{
struct ipsecrequest *isr;
size_t siz;
@@ -1883,21 +1884,20 @@
siz = 0;
for (isr = sp->req; isr != NULL; isr = isr->next) {
size_t clen = 0;
- struct secasvar *sav = NULL;
- int error;
+ struct secasvar *sav;
switch (isr->saidx.proto) {
case IPPROTO_ESP:
- error = key_checkrequest(isr, &sav);
- if (error == 0) {
+ sav = ipsec_lookup_sa(isr, m);
+ if (sav != NULL) {
clen = esp_hdrsiz(sav);
KEY_SA_UNREF(&sav);
} else
clen = esp_hdrsiz(NULL);
break;
case IPPROTO_AH:
- error = key_checkrequest(isr, &sav);
- if (error == 0) {
+ sav = ipsec_lookup_sa(isr, m);
+ if (sav != NULL) {
clen = ah_hdrsiz(sav);
KEY_SA_UNREF(&sav);
} else
@@ -1954,7 +1954,7 @@
(struct inpcb_hdr *)inp, &error);
if (sp != NULL) {
- size = ipsec_hdrsiz(sp);
+ size = ipsec_hdrsiz(sp, m);
KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%lu.\n",
(unsigned long)size);
@@ -1991,7 +1991,7 @@
if (sp == NULL)
return 0;
- size = ipsec_hdrsiz(sp);
+ size = ipsec_hdrsiz(sp, m);
KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size);
KEY_SP_UNREF(&sp);
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/ipsec.h Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.59 2017/08/10 06:11:24 ozaki-r Exp $ */
+/* $NetBSD: ipsec.h,v 1.60 2017/10/03 08:25:21 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -314,6 +314,8 @@
int ipsec4_delete_pcbpolicy (struct inpcb *);
int ipsec4_in_reject (struct mbuf *, struct inpcb *);
+struct secasvar *
+ ipsec_lookup_sa(const struct ipsecrequest *, const struct mbuf *);
struct secas;
struct tcpcb;
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/ipsec_output.c Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_output.c,v 1.61 2017/10/03 07:32:53 ozaki-r Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.62 2017/10/03 08:25:21 ozaki-r Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.61 2017/10/03 07:32:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.62 2017/10/03 08:25:21 ozaki-r Exp $");
/*
* IPsec output processing.
@@ -339,6 +339,20 @@
}
}
+struct secasvar *
+ipsec_lookup_sa(const struct ipsecrequest *isr, const struct mbuf *m)
+{
+ struct secasindex saidx;
+
+ saidx = isr->saidx;
+ if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
+ /* Fillin unspecified SA peers only for transport mode */
+ ipsec_fill_saidx_bymbuf(&saidx, m, isr->saidx.dst.sa.sa_family);
+ }
+
+ return key_lookup_sa_bysaidx(&saidx);
+}
+
/*
* ipsec_nextisr can return :
* - isr == NULL and error != 0 => something is bad : the packet must be
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/key.c
--- a/sys/netipsec/key.c Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/key.c Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.231 2017/10/01 09:45:16 ryoon Exp $ */
+/* $NetBSD: key.c,v 1.232 2017/10/03 08:25:21 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.231 2017/10/01 09:45:16 ryoon Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.232 2017/10/03 08:25:21 ozaki-r Exp $");
/*
* This code is referred to RFC 2367
@@ -620,7 +620,6 @@
return m;
}
-static struct secasvar *key_lookup_sa_bysaidx(const struct secasindex *);
#if 0
static void key_freeso(struct socket *);
static void key_freesp_so(struct secpolicy **);
@@ -1049,7 +1048,7 @@
* OUT: NULL: not found.
* others: found and return the pointer.
*/
-static struct secasvar *
+struct secasvar *
key_lookup_sa_bysaidx(const struct secasindex *saidx)
{
struct secashead *sah;
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/key.h
--- a/sys/netipsec/key.h Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/key.h Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key.h,v 1.29 2017/08/09 09:48:11 ozaki-r Exp $ */
+/* $NetBSD: key.h,v 1.30 2017/10/03 08:25:21 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
@@ -91,6 +91,7 @@
struct secasvar *key_lookup_sa(const union sockaddr_union *,
u_int, u_int32_t, u_int16_t, u_int16_t, const char*, int);
void key_freesav(struct secasvar **, const char*, int);
+struct secasvar *key_lookup_sa_bysaidx(const struct secasindex *);
#define KEY_LOOKUP_SA(dst, proto, spi, sport, dport) \
key_lookup_sa(dst, proto, spi, sport, dport, __func__, __LINE__)
Home |
Main Index |
Thread Index |
Old Index