Date: Thu, 22 Dec 2016 14:01:39 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310400 - projects/ipsec/sys/netinet Message-ID: <201612221401.uBME1dPJ067399@repo.freebsd.org>
Author: ae
Date: Thu Dec 22 14:01:39 2016
New Revision: 310400
URL: https://svnweb.freebsd.org/changeset/base/310400
Log:
Convert TCP code to use IPsec methods.
Modified:
projects/ipsec/sys/netinet/tcp_input.c
projects/ipsec/sys/netinet/tcp_output.c
projects/ipsec/sys/netinet/tcp_subr.c
projects/ipsec/sys/netinet/tcp_syncache.c
projects/ipsec/sys/netinet/tcp_usrreq.c
Modified: projects/ipsec/sys/netinet/tcp_input.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_input.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_input.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -120,10 +120,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/tcp_offload.h>
 #endif
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#include <netipsec/ipsec6.h>
-#endif /*IPSEC*/
+#include <netipsec/ipsec_support.h>
 #include <machine/in_cksum.h>
@@ -927,13 +924,15 @@ findpcb:
 inp->inp_flowid = m->m_pkthdr.flowid;
 inp->inp_flowtype = M_HASHTYPE_GET(m);
 }
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 #ifdef INET6
- if (isipv6 && ipsec6_in_reject(m, inp)) {
+ if (isipv6 && IPSEC_ENABLED(ipv6) &&
+ IPSEC_CHECK_POLICY(ipv6, m, inp) != 0) {
 goto dropunlock;
 } else
 #endif /* INET6 */
- if (ipsec4_in_reject(m, inp) != 0) {
+ if (IPSEC_ENABLED(ipv4) &&
+ IPSEC_CHECK_POLICY(ipv4, m, inp) != 0) {
 goto dropunlock;
 }
 #endif /* IPSEC */
@@ -1408,14 +1407,15 @@ tfo_socket_result:
 */
 goto dropunlock;
 }
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if (tp->t_flags & TF_SIGNATURE) {
 tcp_dooptions(&to, optp, optlen, thflags);
 if ((to.to_flags & TOF_SIGNATURE) == 0) {
 TCPSTAT_INC(tcps_sig_err_nosigopt);
 goto dropunlock;
 }
- if (tcp_ipsec_input(m, th, to.to_signature) != 0)
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to.to_signature) != 0)
 goto dropunlock;
 }
 #endif
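Review bot: In the `@@ -927` policy check, an IPv6 segment for which `IPSEC_ENABLED(ipv6)` is false now falls through the `else` into the IPv4 branch, so `IPSEC_CHECK_POLICY(ipv4, m, inp)` runs on an IPv6 mbuf whenever IPv4 IPsec is enabled; the old code had the same fall-through once `ipsec6_in_reject()` passed, but the new enabled-gate makes the mixed case reachable even when IPv6 IPsec is absent altogether. Whether the IPv4 policy lookup tolerates an IPv6 mbuf is not visible from the hunk, so it should be confirmed rather than assumed. Guarding the second branch, `if (!isipv6 && IPSEC_ENABLED(ipv4) &&`, keeps each family on its own method, with the caveat that `isipv6` may only be declared under INET6 here and the guard would then need the same conditional. The same shape appears in the tcp_output.c `@@ -546` hunk that computes `ipsec_optlen`.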
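Review bot: The new `!TCPMD5_ENABLED()` arm in the `@@ -1408` hunk drops a TF_SIGNATURE segment silently when no TCP-MD5 provider is loaded, whereas the missing-option case two lines above counts it in `tcps_sig_err_nosigopt`; an operator whose MD5-protected sessions stall after a module failed to load gets neither a counter nor a log line to go on. Failing closed is the right policy, but it should be observable — a TCPSTAT counter for the not-loaded case, or at least a comment on the drop: `/* TF_SIGNATURE set but no TCP-MD5 provider loaded: fail closed. */`. The same silent drop is added in tcp_output.c `@@ -1270`, tcp_subr.c `@@ -1119`, and tcp_syncache.c `@@ -996`, `@@ -1032`, `@@ -1326` and `@@ -1737`. The enclosing function continues outside the hunk.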
@@ -1595,7 +1595,7 @@ tcp_do_segment(struct mbuf *m, struct tc
 (th->th_off << 2) - sizeof(struct tcphdr),
 (thflags & TH_SYN) ? TO_SYN : 0);
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if ((tp->t_flags & TF_SIGNATURE) != 0 &&
 (to.to_flags & TOF_SIGNATURE) == 0) {
 TCPSTAT_INC(tcps_sig_err_sigopt);
Modified: projects/ipsec/sys/netinet/tcp_output.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_output.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_output.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -90,9 +90,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/tcp_offload.h>
 #endif
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#endif /*IPSEC*/
+#include <netipsec/ipsec_support.h>
 #include <machine/in_cksum.h>
@@ -200,7 +198,7 @@ tcp_output(struct tcpcb *tp)
 struct tcphdr *th;
 u_char opt[TCP_MAXOLEN];
 unsigned ipoptlen, optlen, hdrlen;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 unsigned ipsec_optlen = 0;
 #endif
 int idle, sendalot;
@@ -546,17 +544,23 @@ after_sack_rexmit:
 * makes it impossible to transmit any options which vary per generated
 * segment or packet.
 */
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 /*
 * Pre-calculate here as we save another lookup into the darknesses
 * of IPsec that way and can actually decide if TSO is ok.
 */
- ipsec_optlen = ipsec_hdrsiz_inpcb(tp->t_inpcb);
+#ifdef INET6
+ if (isipv6 && IPSEC_ENABLED(ipv6))
+ ipsec_optlen = IPSEC_HDRSIZE(ipv6, tp->t_inpcb);
+ else
+#endif
+ if (IPSEC_ENABLED(ipv4))
+ ipsec_optlen = IPSEC_HDRSIZE(ipv4, tp->t_inpcb);
 #endif
 if ((tp->t_flags & TF_TSO) && V_tcp_do_tso && len > tp->t_maxseg &&
 ((tp->t_flags & TF_SIGNATURE) == 0) &&
 tp->rcv_numsacks == 0 && sack_rxmit == 0 &&
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 ipsec_optlen == 0 &&
 #endif
 tp->t_inpcb->inp_options == NULL &&
@@ -823,7 +827,7 @@ send:
 to.to_sacks = (u_char *)tp->sackblks;
 }
 }
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 /* TCP-MD5 (RFC2385). */
 /*
 * Check that TCP_MD5SIG is enabled in tcpcb to
@@ -847,7 +851,7 @@ send:
 offsetof(struct ipoption, ipopt_list);
 else
 ipoptlen = 0;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 ipoptlen += ipsec_optlen;
 #endif
@@ -1262,7 +1266,7 @@ send:
 m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */
 m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if (to.to_flags & TOF_SIGNATURE) {
 /*
 * Calculate MD5 signature and put it into the place
@@ -1270,8 +1274,8 @@ send:
 * NOTE: since TCP options buffer doesn't point into
 * mbuf's data, calculate offset and use it.
 */
- if ((error = tcp_ipsec_output(m, th, (u_char *)(th + 1) +
- (to.to_signature - opt))) != 0) {
+ if (!TCPMD5_ENABLED() || TCPMD5_OUTPUT(m, th,
+ (u_char *)(th + 1) + (to.to_signature - opt)) != 0) {
 /*
 * Do not send segment if the calculation of MD5
 * digest has failed.
@@ -1317,7 +1321,7 @@ send:
 m->m_pkthdr.tso_segsz = tp->t_maxseg - optlen;
 }
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 KASSERT(len + hdrlen + ipoptlen - ipsec_optlen == m_length(m, NULL),
 ("%s: mbuf chain shorter than expected: %d + %u + %u - %u != %u",
 __func__, len, hdrlen, ipoptlen, ipsec_optlen, m_length(m, NULL)));
Modified: projects/ipsec/sys/netinet/tcp_subr.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_subr.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_subr.c Thu Dec 22 14:01:39 2016 (r310400)
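Review bot: The rewritten condition in the `@@ -1270` hunk no longer assigns to `error`: the old line stored `tcp_ipsec_output()`'s result in `error` before testing it, the new one tests `TCPMD5_OUTPUT()` directly, so the segment-drop body below the hunk (not visible here) now runs with whatever `error` held before — presumably 0 — and tcp_output() would report success for a segment it freed instead of sending. If that body returns `error`, the assignment should be kept, e.g. `error = TCPMD5_ENABLED() ? TCPMD5_OUTPUT(m, th, (u_char *)(th + 1) + (to.to_signature - opt)) : ENOPROTOOPT;` followed by `if (error != 0) {`; ENOPROTOOPT is what the tcp_usrreq.c hunk uses for the not-loaded case, and syncache_respond() in this same commit returns EACCES on its equivalent path, so either is defensible as long as one is returned. The rest of tcp_output() is outside the hunk.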
@@ -118,15 +118,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/tcp_offload.h>
 #endif
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#include <netipsec/xform.h>
-#ifdef INET6
-#include <netipsec/ipsec6.h>
-#endif
-#include <netipsec/key.h>
-#include <sys/syslog.h>
-#endif /*IPSEC*/
+#include <netipsec/ipsec_support.h>
 #include <machine/in_cksum.h>
 #include <sys/md5.h>
@@ -1058,12 +1050,11 @@ tcp_respond(struct tcpcb *tp, void *ipge
 to.to_tsecr = tp->ts_recent;
 to.to_flags |= TOF_TS;
 }
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 /* TCP-MD5 (RFC2385). */
 if (tp->t_flags & TF_SIGNATURE)
 to.to_flags |= TOF_SIGNATURE;
 #endif
-
 /* Add the options. */
 tlen += optlen = tcp_addoptions(&to, optp);
@@ -1119,9 +1110,10 @@ tcp_respond(struct tcpcb *tp, void *ipge
 nth->th_win = htons((u_short)win);
 nth->th_urp = 0;
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if (to.to_flags & TOF_SIGNATURE) {
- if (tcp_ipsec_output(m, nth, to.to_signature) != 0) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_OUTPUT(m, nth, to.to_signature) != 0) {
 m_freem(m);
 return;
 }
@@ -2498,7 +2490,7 @@ tcp_maxseg(const struct tcpcb *tp)
 optlen = TCPOLEN_TSTAMP_APPA;
 else
 optlen = 0;
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if (tp->t_flags & TF_SIGNATURE)
 optlen += PAD(TCPOLEN_SIGNATURE);
 #endif
@@ -2514,7 +2506,7 @@ tcp_maxseg(const struct tcpcb *tp)
 optlen = PAD(TCPOLEN_MAXSEG);
 if (tp->t_flags & TF_REQ_SCALE)
 optlen += PAD(TCPOLEN_WINDOW);
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if (tp->t_flags & TF_SIGNATURE)
 optlen += PAD(TCPOLEN_SIGNATURE);
 #endif
Modified: projects/ipsec/sys/netinet/tcp_syncache.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_syncache.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_syncache.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -96,13 +96,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/toecore.h>
 #endif
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#ifdef INET6
-#include <netipsec/ipsec6.h>
-#endif
-#include <netipsec/key.h>
-#endif /*IPSEC*/
+#include <netipsec/ipsec_support.h>
 #include <machine/in_cksum.h>
@@ -736,7 +730,7 @@ syncache_socket(struct syncache *sc, str
 INP_HASH_WUNLOCK(&V_tcbinfo);
 goto abort;
 }
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 /* Copy old policy into new socket's. */
 if (ipsec_copy_pcbpolicy(sotoinpcb(lso), inp) != 0)
 printf("syncache_socket: could not copy policy\n");
@@ -872,7 +866,7 @@ syncache_socket(struct syncache *sc, str
 tp->ts_recent_age = tcp_ts_getticks();
 tp->ts_offset = sc->sc_tsoff;
 }
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if (sc->sc_flags & SCF_SIGNATURE)
 tp->t_flags |= TF_SIGNATURE;
 #endif
@@ -996,10 +990,11 @@ syncache_expand(struct in_conninfo *inc,
 "(probably spoofed)\n", s, __func__);
 goto failed;
 }
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 /* If received ACK has MD5 signature, check it. */
 if ((to->to_flags & TOF_SIGNATURE) != 0 &&
- tcp_ipsec_input(m, th, to->to_signature) != 0) {
+ (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0)) {
 /* Drop the ACK. */
 if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
 log(LOG_DEBUG, "%s; %s: Segment rejected, "
@@ -1012,7 +1007,7 @@ syncache_expand(struct in_conninfo *inc,
 }
 #endif /* TCP_SIGNATURE */
 } else {
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 /*
 * If listening socket requested TCP digests, check that
 * received ACK has signature and it is correct.
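Review bot: The `@@ -736` hunk keeps a direct `ipsec_copy_pcbpolicy()` call under the widened `#if defined(IPSEC) || defined(IPSEC_SUPPORT)`, while every other call site in this commit goes through an `IPSEC_*` or `TCPMD5_*` method gated on the provider being loaded. With IPSEC_SUPPORT but no IPsec module present, that call has to resolve to something that copes with the absent provider; whether `ipsec_support.h` supplies it is not visible from the hunk and should be confirmed before this goes in. Independently, a failed copy is only printf'd and the accepted connection proceeds, so a comment making that explicit would help the next reader: `/* Policy copy failure is logged but not fatal to the new connection. */`. The enclosing syncache_socket() continues outside the hunk.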
@@ -1032,7 +1027,8 @@ syncache_expand(struct in_conninfo *inc,
 }
 return (-1); /* Do not send RST */
 }
- if (tcp_ipsec_input(m, th, to->to_signature) != 0) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0) {
 /* Doesn't match or no SA */
 SCH_UNLOCK(sch);
 if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
@@ -1315,7 +1311,7 @@ syncache_add(struct in_conninfo *inc, st
 ipopts = NULL;
 #endif
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 /*
 * If listening socket requested TCP digests, check that received
 * SYN has signature and it is correct. If signature doesn't match
@@ -1326,7 +1322,8 @@ syncache_add(struct in_conninfo *inc, st
 TCPSTAT_INC(tcps_sig_err_nosigopt);
 goto done;
 }
- if (tcp_ipsec_input(m, th, to->to_signature) != 0)
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0)
 goto done;
 }
 #endif /* TCP_SIGNATURE */
@@ -1505,7 +1502,7 @@ skip_alloc:
 sc->sc_flags |= SCF_WINSCALE;
 }
 }
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 /*
 * If listening socket requested TCP digests, flag this in the
 * syncache so that syncache_respond() will do the right thing
@@ -1712,7 +1709,7 @@ syncache_respond(struct syncache *sc, st
 }
 if (sc->sc_flags & SCF_SACK)
 to.to_flags |= TOF_SACKPERM;
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if (sc->sc_flags & SCF_SIGNATURE)
 to.to_flags |= TOF_SIGNATURE;
 #endif
@@ -1737,13 +1734,14 @@ syncache_respond(struct syncache *sc, st
 else
 #endif
 ip->ip_len = htons(ntohs(ip->ip_len) + optlen);
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 if (sc->sc_flags & SCF_SIGNATURE) {
 KASSERT(to.to_flags & TOF_SIGNATURE,
 ("tcp_addoptions() didn't set tcp_signature"));
 /* NOTE: to.to_signature is inside of mbuf */
- if (tcp_ipsec_output(m, th, to.to_signature) != 0) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_OUTPUT(m, th, to.to_signature) != 0) {
 m_freem(m);
 return (EACCES);
 }
Modified: projects/ipsec/sys/netinet/tcp_usrreq.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_usrreq.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_usrreq.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$");
 #include "opt_ddb.h"
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_ipsec.h"
 #include "opt_tcpdebug.h"
 #include <sys/param.h>
@@ -101,9 +102,7 @@ __FBSDID("$FreeBSD$");
 #ifdef TCP_OFFLOAD
 #include <netinet/tcp_offload.h>
 #endif
-#ifdef TCP_SIGNATURE
-#include <netipsec/ipsec.h>
-#endif
+#include <netipsec/ipsec_support.h>
 /*
 * TCP protocol interface to socket abstraction.
@@ -1555,13 +1554,17 @@ tcp_default_ctloutput(struct socket *so,
 switch (sopt->sopt_dir) {
 case SOPT_SET:
 switch (sopt->sopt_name) {
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 case TCP_MD5SIG:
- error = tcp_ipsec_pcbctl(inp, sopt);
+ if (!TCPMD5_ENABLED()) {
+ INP_WUNLOCK(inp);
+ return (ENOPROTOOPT);
+ }
+ error = TCPMD5_PCBCTL(inp, sopt);
 if (error)
 return (error);
 goto unlock_and_done;
-#endif /* TCP_SIGNATURE */
+#endif /* IPSEC */
 case TCP_NODELAY:
 case TCP_NOOPT:
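Review bot: The closing comment on the new `#endif /* IPSEC */` in the `@@ -1555` hunk does not name the condition that opens the block, `#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)`, and the `/* TCP_SIGNATURE */` it replaces was at least accurate; `#endif /* IPSEC_SUPPORT || TCP_SIGNATURE */` would match. The tcp_syncache.c `@@ -1012` and `@@ -1326` hunks leave `#endif /* TCP_SIGNATURE */` beside the same widened condition and deserve the same treatment. Separately, the not-loaded path unlocks `inp` itself before returning ENOPROTOOPT, while the `if (error) return (error);` that follows presumably relies on TCPMD5_PCBCTL() having released the lock on failure; a one-line comment on that contract, such as `/* TCPMD5_PCBCTL() releases inp on error. */`, would spare the next reader a trip into the provider. The SOPT_GET hunk `@@ -1787` adds the same ENOPROTOOPT block and would take the same comment.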
@@ -1787,9 +1790,13 @@ unlock_and_done:
 case SOPT_GET:
 tp = intotcpcb(inp);
 switch (sopt->sopt_name) {
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
 case TCP_MD5SIG:
- error = tcp_ipsec_pcbctl(inp, sopt);
+ if (!TCPMD5_ENABLED()) {
+ INP_WUNLOCK(inp);
+ return (ENOPROTOOPT);
+ }
+ error = TCPMD5_PCBCTL(inp, sopt);
 break;
 #endif