
[src/trunk]: src/sys/netipsec Don't abuse key_checkrequest just for looking u...



details:   https://anonhg.NetBSD.org/src/rev/483255826782
branches:  trunk
changeset: 826875:483255826782
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Tue Oct 03 08:25:21 2017 +0000

description:
Don't abuse key_checkrequest just for looking up sav

It does more than expected, for example calling key_acquire.

diffstat:

 sys/netipsec/ipsec.c        |  52 ++++++++++++++++++++++----------------------
 sys/netipsec/ipsec.h        |   4 ++-
 sys/netipsec/ipsec_output.c |  18 +++++++++++++-
 sys/netipsec/key.c          |   7 ++---
 sys/netipsec/key.h          |   3 +-
 5 files changed, 50 insertions(+), 34 deletions(-)

diffs (228 lines):

diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c      Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/ipsec.c      Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.c,v 1.120 2017/09/28 17:21:42 christos Exp $     */
+/*     $NetBSD: ipsec.c,v 1.121 2017/10/03 08:25:21 ozaki-r Exp $      */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $       */
 /*     $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.120 2017/09/28 17:21:42 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.121 2017/10/03 08:25:21 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -212,7 +212,7 @@
 static int ipsec_get_policy (struct secpolicy *, struct mbuf **);
 static void ipsec_destroy_policy(struct secpolicy *);
 static void vshiftl (unsigned char *, int, int);
-static size_t ipsec_hdrsiz (const struct secpolicy *);
+static size_t ipsec_hdrsiz(const struct secpolicy *, const struct mbuf *);
 
 /*
  * Try to validate and use cached policy on a PCB.
@@ -801,22 +801,23 @@
         * Find the correct route for outer IPv4 header, compute tunnel MTU.
         */
        if (sp->req) {
-               struct route *ro;
-               struct rtentry *rt;
-               struct secasvar *sav = NULL;
+               struct secasvar *sav;
+
+               sav = ipsec_lookup_sa(sp->req, m);
+               if (sav != NULL) {
+                       struct route *ro;
+                       struct rtentry *rt;
 
-               error = key_checkrequest(sp->req, &sav);
-               if (error != 0)
-                       return error;
-               ro = &sav->sah->sa_route;
-               rt = rtcache_validate(ro);
-               if (rt && rt->rt_ifp) {
-                       *destmtu = rt->rt_rmx.rmx_mtu ?
-                           rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
-                       *destmtu -= ipsechdr;
+                       ro = &sav->sah->sa_route;
+                       rt = rtcache_validate(ro);
+                       if (rt && rt->rt_ifp) {
+                               *destmtu = rt->rt_rmx.rmx_mtu ?
+                                   rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
+                               *destmtu -= ipsechdr;
+                       }
+                       rtcache_unref(rt, ro);
+                       KEY_SA_UNREF(&sav);
                }
-               rtcache_unref(rt, ro);
-               KEY_SA_UNREF(&sav);
        }
        KEY_SP_UNREF(&sp);
        return 0;
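Review bot: When ipsec_lookup_sa() returns NULL the new code skips the whole MTU computation and still reaches `return 0;` with `*destmtu` untouched, whereas the removed key_checkrequest() path returned its error to the caller. If callers treat a zero return as "destmtu is valid", they can now act on whatever value was in `*destmtu` beforehand; either document that outcome at the `if (sav != NULL)` branch, e.g. `/* No usable SA yet: *destmtu is left as the caller set it, report success */`, or return a distinct error there so the caller can tell the two cases apart. The enclosing function starts and ends outside this hunk, so I cannot see how `*destmtu` is initialised before this point.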
@@ -1860,7 +1861,7 @@
  * NOTE: SP passed is free in this function.
  */
 static size_t
-ipsec_hdrsiz(const struct secpolicy *sp)
+ipsec_hdrsiz(const struct secpolicy *sp, const struct mbuf *m)
 {
        struct ipsecrequest *isr;
        size_t siz;
@@ -1883,21 +1884,20 @@
        siz = 0;
        for (isr = sp->req; isr != NULL; isr = isr->next) {
                size_t clen = 0;
-               struct secasvar *sav = NULL;
-               int error;
+               struct secasvar *sav;
 
                switch (isr->saidx.proto) {
                case IPPROTO_ESP:
-                       error = key_checkrequest(isr, &sav);
-                       if (error == 0) {
+                       sav = ipsec_lookup_sa(isr, m);
+                       if (sav != NULL) {
                                clen = esp_hdrsiz(sav);
                                KEY_SA_UNREF(&sav);
                        } else
                                clen = esp_hdrsiz(NULL);
                        break;
                case IPPROTO_AH:
-                       error = key_checkrequest(isr, &sav);
-                       if (error == 0) {
+                       sav = ipsec_lookup_sa(isr, m);
+                       if (sav != NULL) {
                                clen = ah_hdrsiz(sav);
                                KEY_SA_UNREF(&sav);
                        } else
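Review bot: The IPPROTO_ESP and IPPROTO_AH cases now repeat the same `sav = ipsec_lookup_sa(isr, m);` / `KEY_SA_UNREF(&sav);` pair around a single differing call, which is the kind of duplication that drifts when one copy is later fixed. Hoisting the lookup above the switch for the ESP/AH protocols and releasing it once after the switch would leave each case as a one-line `clen = esp_hdrsiz(sav);` / `clen = ah_hdrsiz(sav);` with the NULL-SA fallback handled by the same call. The switch continues past the end of the hunk, so any remaining cases would need to be checked for whether they tolerate the hoisted lookup.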
@@ -1954,7 +1954,7 @@
                                           (struct inpcb_hdr *)inp, &error);
 
        if (sp != NULL) {
-               size = ipsec_hdrsiz(sp);
+               size = ipsec_hdrsiz(sp, m);
                KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%lu.\n",
                    (unsigned long)size);
 
@@ -1991,7 +1991,7 @@
 
        if (sp == NULL)
                return 0;
-       size = ipsec_hdrsiz(sp);
+       size = ipsec_hdrsiz(sp, m);
        KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size);
        KEY_SP_UNREF(&sp);
 
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h      Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/ipsec.h      Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.h,v 1.59 2017/08/10 06:11:24 ozaki-r Exp $       */
+/*     $NetBSD: ipsec.h,v 1.60 2017/10/03 08:25:21 ozaki-r Exp $       */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $       */
 /*     $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
@@ -314,6 +314,8 @@
 int ipsec4_delete_pcbpolicy (struct inpcb *);
 int ipsec4_in_reject (struct mbuf *, struct inpcb *);
 
+struct secasvar *
+       ipsec_lookup_sa(const struct ipsecrequest *, const struct mbuf *);
 
 struct secas;
 struct tcpcb;
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c       Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/ipsec_output.c       Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_output.c,v 1.61 2017/10/03 07:32:53 ozaki-r Exp $        */
+/*     $NetBSD: ipsec_output.c,v 1.62 2017/10/03 08:25:21 ozaki-r Exp $        */
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.61 2017/10/03 07:32:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.62 2017/10/03 08:25:21 ozaki-r Exp $");
 
 /*
  * IPsec output processing.
@@ -339,6 +339,20 @@
        }
 }
 
+struct secasvar *
+ipsec_lookup_sa(const struct ipsecrequest *isr, const struct mbuf *m)
+{
+       struct secasindex saidx;
+
+       saidx = isr->saidx;
+       if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
+               /* Fillin unspecified SA peers only for transport mode */
+               ipsec_fill_saidx_bymbuf(&saidx, m, isr->saidx.dst.sa.sa_family);
+       }
+
+       return key_lookup_sa_bysaidx(&saidx);
+}
+
 /*
  * ipsec_nextisr can return :
  * - isr == NULL and error != 0 => something is bad : the packet must be
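Review bot: ipsec_lookup_sa() is a newly exported function with no header comment, and its reference contract is only discoverable from the callers in ipsec.c, all of which release the result with KEY_SA_UNREF(); the returned secasvar therefore presumably carries a reference the caller must drop. A comment above the definition along the lines of `/* Look up the SA for isr; in transport mode the unspecified peer addresses are filled in from m. Returns a referenced SA (release with KEY_SA_UNREF) or NULL when none is found. */` would make that explicit. The body also copies `isr->saidx` into `saidx` but then tests `isr->saidx.mode` and passes `isr->saidx.dst.sa.sa_family`; reading `saidx.mode` and `saidx.dst.sa.sa_family` instead would make it clearer that only the local copy is modified. Since the commit intentionally stops going through key_checkrequest(), it is worth confirming that key_lookup_sa_bysaidx() applies the same SA-state filtering the old path did, because header-size and tunnel-MTU calculations now depend solely on it.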
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/key.c
--- a/sys/netipsec/key.c        Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/key.c        Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.c,v 1.231 2017/10/01 09:45:16 ryoon Exp $  */
+/*     $NetBSD: key.c,v 1.232 2017/10/03 08:25:21 ozaki-r Exp $        */
 /*     $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $        */
 /*     $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $   */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.231 2017/10/01 09:45:16 ryoon Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.232 2017/10/03 08:25:21 ozaki-r Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -620,7 +620,6 @@
        return m;
 }
 
-static struct secasvar *key_lookup_sa_bysaidx(const struct secasindex *);
 #if 0
 static void key_freeso(struct socket *);
 static void key_freesp_so(struct secpolicy **);
@@ -1049,7 +1048,7 @@
  * OUT:        NULL:   not found.
  *     others: found and return the pointer.
  */
-static struct secasvar *
+struct secasvar *
 key_lookup_sa_bysaidx(const struct secasindex *saidx)
 {
        struct secashead *sah;
diff -r 229b5dc6cd72 -r 483255826782 sys/netipsec/key.h
--- a/sys/netipsec/key.h        Tue Oct 03 07:32:53 2017 +0000
+++ b/sys/netipsec/key.h        Tue Oct 03 08:25:21 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.h,v 1.29 2017/08/09 09:48:11 ozaki-r Exp $ */
+/*     $NetBSD: key.h,v 1.30 2017/10/03 08:25:21 ozaki-r Exp $ */
 /*     $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $        */
 /*     $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $    */
 
@@ -91,6 +91,7 @@
 struct secasvar *key_lookup_sa(const union sockaddr_union *,
                u_int, u_int32_t, u_int16_t, u_int16_t, const char*, int);
 void key_freesav(struct secasvar **, const char*, int);
+struct secasvar *key_lookup_sa_bysaidx(const struct secasindex *);
 
 #define        KEY_LOOKUP_SA(dst, proto, spi, sport, dport)            \
        key_lookup_sa(dst, proto, spi, sport, dport,  __func__, __LINE__)
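Review bot: The newly exported `key_lookup_sa_bysaidx` declaration gives no hint that the caller owns a reference on the returned SA, unlike the neighbouring `key_lookup_sa`, whose KEY_LOOKUP_SA wrapper also passes `__func__`/`__LINE__` for reference tracking. If that tracking is meant to cover every externally visible SA lookup, a matching wrapper macro would keep the header consistent; otherwise a one-line comment on the declaration such as `/* returns a referenced SA or NULL; release with KEY_SA_UNREF */` would document the ownership.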


