From owner-svn-src-stable-12@freebsd.org  Sat Nov 17 23:54:20 2018
Return-Path: <owner-svn-src-stable-12@freebsd.org>
Delivered-To: svn-src-stable-12@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3A904110AFCF;
 Sat, 17 Nov 2018 23:54:20 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id D87E3865B9;
 Sat, 17 Nov 2018 23:54:19 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B98E33274;
 Sat, 17 Nov 2018 23:54:19 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wAHNsJdF072264;
 Sat, 17 Nov 2018 23:54:19 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id wAHNsJ3x072263;
 Sat, 17 Nov 2018 23:54:19 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201811172354.wAHNsJ3x072263@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org
 using -f
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Sat, 17 Nov 2018 23:54:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r340527 - stable/12/sys/netipsec
X-SVN-Group: stable-12
X-SVN-Commit-Author: ae
X-SVN-Commit-Paths: stable/12/sys/netipsec
X-SVN-Commit-Revision: 340527
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: D87E3865B9
X-Spamd-Result: default: False [0.06 / 15.00];
 local_wl_from(0.00)[FreeBSD.org];
 NEURAL_SPAM_SHORT(0.06)[0.062,0];
 ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: svn-src-stable-12@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for only the 12-stable src tree
 <svn-src-stable-12.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-12>, 
 <mailto:svn-src-stable-12-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-12/>
List-Post: <mailto:svn-src-stable-12@freebsd.org>
List-Help: <mailto:svn-src-stable-12-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-12>, 
 <mailto:svn-src-stable-12-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Nov 2018 23:54:20 -0000

Author: ae
Date: Sat Nov 17 23:54:19 2018
New Revision: 340527
URL: https://svnweb.freebsd.org/changeset/base/340527

Log:
  MFC r339533:
    Add sadb_x_sa2 extension to SADB_ACQUIRE requests.
  
    SADB_ACQUIRE requests are send by kernel, when security policy doesn't
    have corresponding security association for outbound packet. IKE daemon
    usually registers its handler for such messages and when the kernel asks
    for SA it can handle this request. Now such requests will contain
    additional fields that can help IKE daemon to create SA. And IKE now
    can create SAs using only information from SADB_ACQUIRE request, this
    is useful when many if_ipsec(4) interfaces are in use and IKE doesn track
    security policies that was installed by kernel.
  
    Obtained from:	Yandex LLC
    Sponsored by:	Yandex LLC

Modified:
  stable/12/sys/netipsec/key.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netipsec/key.c
==============================================================================
--- stable/12/sys/netipsec/key.c	Sat Nov 17 23:52:56 2018	(r340526)
+++ stable/12/sys/netipsec/key.c	Sat Nov 17 23:54:19 2018	(r340527)
@@ -6685,7 +6685,9 @@ key_acquire(const struct secasindex *saidx, struct sec
 
 	/* XXX proxy address (optional) */
 
-	/* set sadb_x_policy */
+	/*
+	 * Set sadb_x_policy. This is KAME extension to RFC2367.
+	 */
 	if (sp != NULL) {
 		m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id,
 		    sp->priority);
@@ -6696,6 +6698,18 @@ key_acquire(const struct secasindex *saidx, struct sec
 		m_cat(result, m);
 	}
 
+	/*
+	 * Set sadb_x_sa2 extension if saidx->reqid is not zero.
+	 * This is FreeBSD extension to RFC2367.
+	 */
+	if (saidx->reqid != 0) {
+		m = key_setsadbxsa2(saidx->mode, 0, saidx->reqid);
+		if (m == NULL) {
+			error = ENOBUFS;
+			goto fail;
+		}
+		m_cat(result, m);
+	}
 	/* XXX identity (optional) */
 #if 0
 	if (idexttype && fqdn) {