From owner-svn-src-projects@freebsd.org Tue Dec 20 10:45:15 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ABDD3C895BA for ; Tue, 20 Dec 2016 10:45:15 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 868891E41; Tue, 20 Dec 2016 10:45:15 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBKAjETe013808; Tue, 20 Dec 2016 10:45:14 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBKAjE1D013806; Tue, 20 Dec 2016 10:45:14 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612201045.uBKAjE1D013806@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Tue, 20 Dec 2016 10:45:14 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310325 - in projects/ipsec/sys: netinet6 netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Dec 2016 10:45:15 -0000 Author: ae Date: Tue Dec 20 10:45:14 2016 New Revision: 310325 URL: https://svnweb.freebsd.org/changeset/base/310325 Log: Remove pr_ctlinput method from IPv6 ESP protocol handler. The only useful thing, that it did, is invoking icmp6_mtudisc_update(). But icmp6_notify_error() does the same just before invoking pr_ctlinput. Modified: projects/ipsec/sys/netinet6/in6_proto.c projects/ipsec/sys/netipsec/ipsec_input.c Modified: projects/ipsec/sys/netinet6/in6_proto.c ============================================================================== --- projects/ipsec/sys/netinet6/in6_proto.c Tue Dec 20 09:46:14 2016 (r310324) +++ projects/ipsec/sys/netinet6/in6_proto.c Tue Dec 20 10:45:14 2016 (r310325) @@ -291,7 +291,6 @@ struct protosw inet6sw[] = { .pr_protocol = IPPROTO_ESP, .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = ipsec6_common_input, - .pr_ctlinput = esp6_ctlinput, .pr_usrreqs = &nousrreqs, }, { Modified: projects/ipsec/sys/netipsec/ipsec_input.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_input.c Tue Dec 20 09:46:14 2016 (r310324) +++ projects/ipsec/sys/netipsec/ipsec_input.c Tue Dec 20 10:45:14 2016 (r310325) 
@@ -709,92 +709,4 @@ bad: m_freem(m); return (error); } -void -esp6_ctlinput(int cmd, struct sockaddr *sa, void *d) -{ - struct ip6ctlparam *ip6cp = NULL; - struct mbuf *m = NULL; - struct ip6_hdr *ip6; - int off; - - if (sa->sa_family != AF_INET6 || - sa->sa_len != sizeof(struct sockaddr_in6)) - return; - if ((unsigned)cmd >= PRC_NCMDS) - return; - - /* if the parameter is from icmp6, decode it. */ - if (d != NULL) { - ip6cp = (struct ip6ctlparam *)d; - m = ip6cp->ip6c_m; - ip6 = ip6cp->ip6c_ip6; - off = ip6cp->ip6c_off; - } else { - m = NULL; - ip6 = NULL; - off = 0; /* calm gcc */ - } - - if (ip6 != NULL) { - - struct ip6ctlparam ip6cp1; - - /* - * Notify the error to all possible sockets via pfctlinput2. - * Since the upper layer information (such as protocol type, - * source and destination ports) is embedded in the encrypted - * data and might have been cut, we can't directly call - * an upper layer ctlinput function. However, the pcbnotify - * function will consider source and destination addresses - * as well as the flow info value, and may be able to find - * some PCB that should be notified. - * Although pfctlinput2 will call esp6_ctlinput(), there is - * no possibility of an infinite loop of function calls, - * because we don't pass the inner IPv6 header. - */ - bzero(&ip6cp1, sizeof(ip6cp1)); - ip6cp1.ip6c_src = ip6cp->ip6c_src; - pfctlinput2(cmd, sa, (void *)&ip6cp1); - - /* - * Then go to special cases that need ESP header information. - * XXX: We assume that when ip6 is non NULL, - * M and OFF are valid. - */ - - if (cmd == PRC_MSGSIZE) { - struct secasvar *sav; - u_int32_t spi; - int valid; - - /* check header length before using m_copydata */ - if (m->m_pkthdr.len < off + sizeof (struct esp)) - return; - m_copydata(m, off + offsetof(struct esp, esp_spi), - sizeof(u_int32_t), (caddr_t) &spi); - /* - * Check to see if we have a valid SA corresponding to - * the address in the ICMP message payload. 
- */ - sav = key_allocsa((union sockaddr_union *)sa, - IPPROTO_ESP, spi); - valid = (sav != NULL); - if (sav) - key_freesav(&sav); - - /* XXX Further validation? */ - - /* - * Depending on whether the SA is "valid" and - * routing table size (mtudisc_{hi,lo}wat), we will: - * - recalcurate the new MTU and create the - * corresponding routing entry, or - * - ignore the MTU change notification. - */ - icmp6_mtudisc_update(ip6cp, valid); - } - } else { - /* we normally notify any pcb here */ - } -} #endif /* INET6 */ From owner-svn-src-projects@freebsd.org Tue Dec 20 10:56:09 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A6546C89870 for ; Tue, 20 Dec 2016 10:56:09 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 673206A8; Tue, 20 Dec 2016 10:56:09 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBKAu8MH017834; Tue, 20 Dec 2016 10:56:08 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBKAu8cL017831; Tue, 20 Dec 2016 10:56:08 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612201056.uBKAu8cL017831@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Tue, 20 Dec 2016 10:56:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310326 - in projects/ipsec/sys: netinet netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Dec 2016 10:56:09 -0000 Author: ae Date: Tue Dec 20 10:56:08 2016 New Revision: 310326 URL: https://svnweb.freebsd.org/changeset/base/310326 Log: Use ipsec4_common_input() as generic pr_input method for AH, ESP, and IPCOMP and remove pr_ctlinput method, that does nothing. Modified: projects/ipsec/sys/netinet/in_proto.c projects/ipsec/sys/netipsec/ipsec.h projects/ipsec/sys/netipsec/ipsec_input.c Modified: projects/ipsec/sys/netinet/in_proto.c ============================================================================== --- projects/ipsec/sys/netinet/in_proto.c Tue Dec 20 10:45:14 2016 (r310325) +++ projects/ipsec/sys/netinet/in_proto.c Tue Dec 20 10:56:08 2016 (r310326) @@ -228,8 +228,7 @@ struct protosw inetsw[] = { .pr_domain = &inetdomain, .pr_protocol = IPPROTO_AH, .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = ah4_input, - .pr_ctlinput = ah4_ctlinput, + .pr_input = ipsec4_common_input, .pr_usrreqs = &nousrreqs }, { @@ -237,8 +236,7 @@ struct protosw inetsw[] = { .pr_domain = &inetdomain, .pr_protocol = IPPROTO_ESP, .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = esp4_input, - .pr_ctlinput = esp4_ctlinput, + .pr_input = ipsec4_common_input, .pr_usrreqs = &nousrreqs }, { 
@@ -246,7 +244,7 @@ struct protosw inetsw[] = { .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IPCOMP, .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = ipcomp4_input, + .pr_input = ipsec4_common_input, .pr_usrreqs = &nousrreqs }, #endif /* IPSEC */ Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Tue Dec 20 10:45:14 2016 (r310325) +++ projects/ipsec/sys/netipsec/ipsec.h Tue Dec 20 10:56:08 2016 (r310326) @@ -310,7 +310,6 @@ struct secpolicy *ipsec4_checkpolicy(con int *); u_int ipsec_get_reqlevel(struct secpolicy *, u_int); -int ipsec4_in_reject(const struct mbuf *, struct inpcb *); size_t ipsec_hdrsiz_inpcb(struct inpcb *); int ipsec_init_pcbpolicy(struct inpcb *); 
@@ -338,18 +337,12 @@ char *ipsec_logsastr(struct secasvar *, extern void ipsec_dumpmbuf(const struct mbuf *); -extern int ah4_input(struct mbuf **mp, int *offp, int proto); -extern void ah4_ctlinput(int cmd, struct sockaddr *sa, void *); -extern int esp4_input(struct mbuf **mp, int *offp, int proto); -extern void esp4_ctlinput(int cmd, struct sockaddr *sa, void *); -extern int ipcomp4_input(struct mbuf **mp, int *offp, int proto); -extern int ipsec_common_input(struct mbuf *m, int, int, int, int); -extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, - int skip, int protoff); -extern int ipsec4_process_packet(struct mbuf *, struct secpolicy *, - struct inpcb *); -extern int ipsec_process_done(struct mbuf *, struct secpolicy *, - struct secasvar *, u_int); +int ipsec4_in_reject(const struct mbuf *, struct inpcb *); +int ipsec4_common_input(struct mbuf **, int *, int); +int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int); +int ipsec4_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *); +int ipsec_process_done(struct mbuf *, struct secpolicy *, struct secasvar *, + u_int); extern void m_checkalignment(const char* where, struct mbuf *m0, int off, int len); Modified: projects/ipsec/sys/netipsec/ipsec_input.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_input.c Tue Dec 20 10:45:14 2016 (r310325) +++ projects/ipsec/sys/netipsec/ipsec_input.c Tue Dec 20 10:56:08 2016 (r310326) @@ -104,10 +104,6 @@ IPCOMPSTAT_INC(ipcomps_##name); \ } while (0) -#ifdef INET -static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); -#endif - /* * ipsec_common_input gets called when an IPsec-protected packet * is received by IPv4 or IPv6. Its job is to find the right SA 
@@ -230,7 +226,7 @@ ipsec_common_input(struct mbuf *m, int s #ifdef INET int -ah4_input(struct mbuf **mp, int *offp, int proto) +ipsec4_common_input(struct mbuf **mp, int *offp, int proto) { struct mbuf *m; int off; @@ -239,53 +235,7 @@ ah4_input(struct mbuf **mp, int *offp, i off = *offp; *mp = NULL; - ipsec_common_input(m, off, offsetof(struct ip, ip_p), - AF_INET, IPPROTO_AH); - return (IPPROTO_DONE); -} -void -ah4_ctlinput(int cmd, struct sockaddr *sa, void *v) -{ - if (sa->sa_family == AF_INET && - sa->sa_len == sizeof(struct sockaddr_in)) - ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_AH); -} - -int -esp4_input(struct mbuf **mp, int *offp, int proto) -{ - struct mbuf *m; - int off; - - m = *mp; - off = *offp; - mp = NULL; - - ipsec_common_input(m, off, offsetof(struct ip, ip_p), - AF_INET, IPPROTO_ESP); - return (IPPROTO_DONE); -} - -void -esp4_ctlinput(int cmd, struct sockaddr *sa, void *v) -{ - if (sa->sa_family == AF_INET && - sa->sa_len == sizeof(struct sockaddr_in)) - ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_ESP); -} - -int -ipcomp4_input(struct mbuf **mp, int *offp, int proto) -{ - struct mbuf *m; - int off; - - m = *mp; - off = *offp; - mp = NULL; - - ipsec_common_input(m, off, offsetof(struct ip, ip_p), - AF_INET, IPPROTO_IPCOMP); + ipsec_common_input(m, off, offsetof(struct ip, ip_p), AF_INET, proto); return (IPPROTO_DONE); } 
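Review bot: `proto` is forwarded to ipsec_common_input() without a check in the new ipsec4_common_input(), whereas each removed wrapper (ah4_input, esp4_input, ipcomp4_input) passed a fixed IPPROTO_* constant. The security protocol is now whatever the dispatcher hands in, so the function should state and enforce that only AH, ESP and IPCOMP are expected, for example `KASSERT(proto == IPPROTO_AH || proto == IPPROTO_ESP || proto == IPPROTO_IPCOMP, ("%s: unexpected protocol %d", __func__, proto));` before the call. The body of ipsec_common_input() is outside the hunk and may already validate `sproto`; if it does, a one-line comment saying so here is enough. The merged body keeps `*mp = NULL` from ah4_input rather than the `mp = NULL` of the other two wrappers, so a short comment that the mbuf is consumed and the caller's pointer is cleared would document that contract.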
@@ -461,12 +411,6 @@ bad: m_freem(m); return (error); } - -void -ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto) -{ - /* XXX nothing just yet */ -} #endif /* INET */ #ifdef INET6 From owner-svn-src-projects@freebsd.org Wed Dec 21 07:26:06 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 19D52C8AC91 for ; Wed, 21 Dec 2016 07:26:06 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DDEAF1487; Wed, 21 Dec 2016 07:26:05 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBL7Q57N018150; Wed, 21 Dec 2016 07:26:05 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBL7Q5W8018149; Wed, 21 Dec 2016 07:26:05 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612210726.uBL7Q5W8018149@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Wed, 21 Dec 2016 07:26:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310353 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Dec 2016 07:26:06 -0000 Author: ae Date: Wed Dec 21 07:26:04 2016 New Revision: 310353 URL: https://svnweb.freebsd.org/changeset/base/310353 Log: Make ipsec_common_input() static. Modified: projects/ipsec/sys/netipsec/ipsec_input.c Modified: projects/ipsec/sys/netipsec/ipsec_input.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_input.c Wed Dec 21 07:05:34 2016 (r310352) +++ projects/ipsec/sys/netipsec/ipsec_input.c Wed Dec 21 07:26:04 2016 (r310353) 
@@ -110,7 +110,7 @@
 * and call the appropriate transform. The transform callback
 * takes care of further processing (like ingress filtering).
 */
-int
+static int
 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
 {
 char buf[IPSEC_ADDRSTRLEN];
From owner-svn-src-projects@freebsd.org Thu Dec 22 12:33:00 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3BB42C8BCD3 for ; Thu, 22 Dec 2016 12:33:00 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E86801589; Thu, 22 Dec 2016 12:32:59 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMCWxb7032319; Thu, 22 Dec 2016 12:32:59 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMCWxei032317; Thu, 22 Dec 2016 12:32:59 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221232.uBMCWxei032317@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 12:32:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310391 - projects/ipsec/sys/conf X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 12:33:00 -0000 Author: ae Date: Thu Dec 22 12:32:58 2016 New Revision: 310391 URL: https://svnweb.freebsd.org/changeset/base/310391 Log: Add kernel option IPSEC_SUPPORT. It is supposed to be used in a kernel that supports IPsec as a kernel module. Currently we don't have the ability to unregister a network domain(9), thus to have loadable IPsec, we need PF_KEY to be built into the kernel. There will be three options to control the IPsec build: * options IPSEC: all IPsec related code is built into the kernel. * options TCP_SIGNATURE: TCP-MD5 support is built into the kernel. * options IPSEC_SUPPORT: PF_KEY support is built into the kernel and IPsec consumer code contains runtime checks for the presence of IPsec modules. TCP_SIGNATURE support is also planned to be implemented as a kernel module. If the kernel has the IPSEC_SUPPORT option, but does not have the TCP_SIGNATURE option, it will be possible to load TCP_SIGNATURE as a module. If the kernel has the IPSEC option, but does not have the TCP_SIGNATURE option - TCP_SIGNATURE support will not be available. If both IPSEC and IPSEC_SUPPORT are enabled, but TCP_SIGNATURE is not - TCP_SIGNATURE support would be available as a kernel module. 
Modified: projects/ipsec/sys/conf/NOTES projects/ipsec/sys/conf/options Modified: projects/ipsec/sys/conf/NOTES ============================================================================== --- projects/ipsec/sys/conf/NOTES Thu Dec 22 12:18:40 2016 (r310390) +++ projects/ipsec/sys/conf/NOTES Thu Dec 22 12:32:58 2016 (r310391) @@ -627,6 +627,11 @@ options TCP_OFFLOAD # TCP offload supp # In order to enable IPSEC you MUST also add device crypto to # your kernel configuration options IPSEC #IP security (requires device crypto) + +# Option IPSEC_SUPPORT doesn't enable IPsec, but makes it possible to +# load it as kernel module. You still MUST add device crypto to your kernel +# configuration. +options IPSEC_SUPPORT #options IPSEC_DEBUG #debug for IP security # @@ -1023,7 +1028,8 @@ options ACCEPT_FILTER_HTTP # carried in TCP option 19. This option is commonly used to protect # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable. # This is enabled on a per-socket basis using the TCP_MD5SIG socket option. -# This requires the use of 'device crypto' and 'options IPSEC'. +# This requires the use of 'device crypto' and one of 'options IPSEC' or +# 'options IPSEC_SUPPORT'. options TCP_SIGNATURE #include support for RFC 2385 # DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL Modified: projects/ipsec/sys/conf/options ============================================================================== --- projects/ipsec/sys/conf/options Thu Dec 22 12:18:40 2016 (r310390) +++ projects/ipsec/sys/conf/options Thu Dec 22 12:32:58 2016 (r310391) @@ -428,6 +428,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h +IPSEC_SUPPORT opt_ipsec.h IPSTEALTH KRPC LIBALIAS 
@@ -450,7 +451,7 @@ TCP_HHOOK opt_inet.h
 TCP_OFFLOAD opt_inet.h # Enable code to dispatch TCP offloading
 TCP_RFC7413 opt_inet.h
 TCP_RFC7413_MAX_KEYS opt_inet.h
-TCP_SIGNATURE opt_inet.h
+TCP_SIGNATURE opt_ipsec.h
 VLAN_ARRAY opt_vlan.h
 XBONEHACK
 FLOWTABLE opt_route.h
From owner-svn-src-projects@freebsd.org Thu Dec 22 13:38:51 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E9889C8CF7C for ; Thu, 22 Dec 2016 13:38:51 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C403E13D2; Thu, 22 Dec 2016 13:38:51 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMDcoLR056863; Thu, 22 Dec 2016 13:38:50 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMDco14056862; Thu, 22 Dec 2016 13:38:50 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221338.uBMDco14056862@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
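Review bot: Moving `TCP_SIGNATURE` from opt_inet.h to opt_ipsec.h in the last hunk of sys/conf/options changes which generated header defines the macro, yet this commit touches no consumer. A source file that tests `#ifdef TCP_SIGNATURE` but includes only opt_inet.h will still compile, just without its TCP-MD5 code, so signature generation or verification could drop out with no build error. The consumers are not visible here. The change should land together with an audit that adds `#include "opt_ipsec.h"` to every file testing TCP_SIGNATURE, or the log should name the follow-up revision that does so.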
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 13:38:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310392 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 13:38:52 -0000 Author: ae Date: Thu Dec 22 13:38:50 2016 New Revision: 310392 URL: https://svnweb.freebsd.org/changeset/base/310392 Log: Add netipsec/ipsec_support.h header file. This is supposed to be the only file that provides the IPsec interface to the kernel. It is assumed that each kernel consumer that needs IPsec support will include only "opt_ipsec.h" and ipsec_support.h. IPsec support will be declared as a set of methods, specific for IPv4 and IPv6. These methods are invoked by the kernel using macros. Depending on the defined kernel options, macros will be expanded into different code. E.g. if the IPSEC option is defined, macros will directly call the method defined for the given address family. If only the IPSEC_SUPPORT option is defined, macros will call special kmod wrappers. Wrappers are needed to protect access to methods that might be unloaded. The presence of a specific IPsec module is determined by IPSEC_ENABLED() and TCPMD5_ENABLED() macros. IPsec support is provided by the following methods: o IPSEC_INPUT() - handles inbound packets for AH/ESP/IPCOMP protocols. For protocols with PR_LASTHDR flag in pr_flags it does inbound policy check. o IPSEC_OUTPUT() - checks outbound packets against security policy and performs IPsec transform if needed. o IPSEC_CHECK_POLICY() - for inbound packets with PCB layer (TCP,UDP,RAW) do check against inbound security policy. 
o IPSEC_PCBCTL() - for given address family handle socket option requests. o IPSEC_CAPS() - check for specific IPSec capability. o IPSEC_HDRSIZE() - get approximate size that IPsec will consume after transform. TCP-MD5 methods: o TCPMD5_INPUT() - verify MD5 signature for inbound TCP segment. o TCPMD5_OUTPUT() - calculate MD5 signature for outbound TCP segment. o TCPMD5_PCBCTL() - handle TCP_MD5SIG socket option. UDP encapsulation methods (needed for NAT-T): o UDPENCAP_INPUT() - check and decapsulate inbound packet. o UDPENCAP_PCBCTL() - handle UDP_ENCAP socket option. Added: projects/ipsec/sys/netipsec/ipsec_support.h (contents, props changed) Added: projects/ipsec/sys/netipsec/ipsec_support.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/ipsec/sys/netipsec/ipsec_support.h Thu Dec 22 13:38:50 2016 (r310392) 
@@ -0,0 +1,165 @@ +/*- + * Copyright (c) 2016 Andrey V. Elsukov + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#ifndef _NETIPSEC_IPSEC_SUPPORT_H_ +#define _NETIPSEC_IPSEC_SUPPORT_H_ + +#ifdef _KERNEL +#if defined(IPSEC) || defined(IPSEC_SUPPORT) +struct mbuf; +struct inpcb; +struct tcphdr; +struct sockopt; +struct sockaddr; + +size_t ipsec_hdrsiz_inpcb(struct inpcb *); +int ipsec_init_pcbpolicy(struct inpcb *); +int ipsec_delete_pcbpolicy(struct inpcb *); +int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *); +int ipsec4_pcbctl(struct inpcb *, struct sockopt *); +int ipsec6_pcbctl(struct inpcb *, struct sockopt *); + +struct ipsec_support { + int (*input)(struct mbuf *, int, int); + int (*check_policy)(const struct mbuf *, struct inpcb *); + int (*forward)(struct mbuf *); + int (*output)(struct mbuf *, struct inpcb *); + int (*pcbctl)(struct inpcb *, struct sockopt *); + size_t (*hdrsize)(struct inpcb *); + int (*capability)(struct mbuf *, u_int); + int (*ctlinput)(int, struct sockaddr *, void *); +}; +#define IPSEC_CAP_OPERABLE 1 +#define IPSEC_CAP_BYPASS_FILTER 2 + +#ifdef TCP_SIGNATURE +extern const int tcp_ipsec_support; + +int tcp_ipsec_pcbctl(struct inpcb *, struct sockopt *); +int tcp_ipsec_input(struct mbuf *, struct tcphdr *, u_char *); +int tcp_ipsec_output(struct mbuf *, struct tcphdr *, u_char *); +#define TCPMD5_INPUT(m, ...) tcp_ipsec_input(m, __VA_ARGS__) +#define TCPMD5_OUTPUT(m, ...) tcp_ipsec_output(m, __VA_ARGS__) +#define TCPMD5_PCBCTL(inp, sopt) tcp_ipsec_pcbctl(inp, sopt) +#else +struct tcpmd5_support { + int (*input)(struct mbuf *, struct tcphdr *, u_char *); + int (*output)(struct mbuf *, struct tcphdr *, u_char *); + int (*pcbctl)(struct inpcb *, struct sockopt *); +}; +extern volatile int tcp_ipsec_support; +extern const struct tcpmd5_support * volatile tcp_ipsec_methods; + +int tcpmd5_kmod_pcbctl(struct inpcb *, struct sockopt *); +int tcpmd5_kmod_input(struct mbuf *, struct tcphdr *, u_char *); +int tcpmd5_kmod_output(struct mbuf *, struct tcphdr *, u_char *); +#define TCPMD5_INPUT(m, ...) 
tcpmd5_kmod_input(m, __VA_ARGS__) +#define TCPMD5_OUTPUT(m, ...) tcpmd5_kmod_output(m, __VA_ARGS__) +#define TCPMD5_PCBCTL(inp, sopt) tcpmd5_kmod_pcbctl(inp, sopt) +#endif + +#define IPSEC_ENABLED(proto) ((proto ## _ipsec_support) != 0) +#define TCPMD5_ENABLED() (tcp_ipsec_support != 0) +#endif /* IPSEC || IPSEC_SUPPORT */ + +#if defined(IPSEC) + +extern const int ipv4_ipsec_support; +extern const struct ipsec_support * const ipv4_ipsec_methods; + +int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *); +int udp_ipsec_input(struct mbuf *, int, int); +#define UDPENCAP_INPUT(m, ...) udp_ipsec_input(m, __VA_ARGS__) +#define UDPENCAP_PCBCTL(inp, sopt) udp_ipsec_pcbctl(inp, sopt) + +extern const int ipv6_ipsec_support; +extern const struct ipsec_support * const ipv6_ipsec_methods; + +#define IPSEC_INPUT(proto, m, ...) \ + (*(proto ## _ipsec_methods)->input)(m, __VA_ARGS__) +#define IPSEC_CHECK_POLICY(proto, m, ...) \ + (*(proto ## _ipsec_methods)->check_policy)(m, __VA_ARGS__) +#define IPSEC_FORWARD(proto, m) \ + (*(proto ## _ipsec_methods)->forward)(m) +#define IPSEC_OUTPUT(proto, m, ...) \ + (*(proto ## _ipsec_methods)->output)(m, __VA_ARGS__) +#define IPSEC_PCBCTL(proto, m, ...) \ + (*(proto ## _ipsec_methods)->pcbctl)(m, __VA_ARGS__) +#define IPSEC_CAPS(proto, m, ...) \ + (*(proto ## _ipsec_methods)->capability)(m, __VA_ARGS__) +#define IPSEC_HDRSIZE(proto, inp) \ + (*(proto ## _ipsec_methods)->hdrsize)(m, inp) + +#elif defined(IPSEC_SUPPORT) + +struct udpencap_support { + int (*input)(struct mbuf *, int, int); + int (*pcbctl)(struct inpcb *, struct sockopt *); +}; + +extern volatile int ipv4_ipsec_support; +extern const struct ipsec_support * volatile ipv4_ipsec_methods; +extern const struct udpencap_support * volatile udp_ipsec_methods; + +int udpencap_kmod_pcbctl(struct inpcb *, struct sockopt *); +int udpencap_kmod_input(struct mbuf *, int, int); +#define UDPENCAP_INPUT(m, ...) 
udpencap_kmod_input(m, __VA_ARGS__) +#define UDPENCAP_PCBCTL(inp, sopt) udpencap_kmod_pcbctl(inp, sopt) + +extern volatile int ipv6_ipsec_support; +extern const struct ipsec_support * volatile ipv6_ipsec_methods; + +extern struct rmlock ipsec_kmod_lock; +int ipsec_kmod_input(const struct ipsec_support *, struct mbuf *, int, int); +int ipsec_kmod_check_policy(const struct ipsec_support *, struct mbuf *, + struct inpcb *); +int ipsec_kmod_forward(const struct ipsec_support *, struct mbuf *); +int ipsec_kmod_output(const struct ipsec_support *, struct mbuf *, + struct inpcb *); +int ipsec_kmod_pcbctl(const struct ipsec_support *, struct inpcb *, + struct sockopt *); +int ipsec_kmod_capability(const struct ipsec_support *, struct mbuf *, u_int); +size_t ipsec_kmod_hdrsize(const struct ipsec_support *, struct inpcb *); + +#define IPSEC_INPUT(proto, ...) \ + ipsec_kmod_input(proto ## _ipsec_methods, __VA_ARGS__) +#define IPSEC_CHECK_POLICY(proto, ...) \ + ipsec_kmod_check_policy(proto ## _ipsec_methods, __VA_ARGS__) +#define IPSEC_FORWARD(proto, ...) \ + ipsec_kmod_forward(proto ## _ipsec_methods, __VA_ARGS__) +#define IPSEC_OUTPUT(proto, ...) \ + ipsec_kmod_output(proto ## _ipsec_methods, __VA_ARGS__) +#define IPSEC_PCBCTL(proto, ...) \ + ipsec_kmod_pcbctl(proto ## _ipsec_methods, __VA_ARGS__) +#define IPSEC_CAPS(proto, ...) \ + ipsec_kmod_capability(proto ## _ipsec_methods, __VA_ARGS__) +#define IPSEC_HDRSIZE(proto, ...) 
\ + ipsec_kmod_hdrsize(proto ## _ipsec_methods, __VA_ARGS__) +#endif /* IPSEC_SUPPORT */ +#endif /* _KERNEL */ +#endif /* _NETIPSEC_IPSEC_SUPPORT_H_ */ From owner-svn-src-projects@freebsd.org Thu Dec 22 13:48:30 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27DC9C8A31D for ; Thu, 22 Dec 2016 13:48:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 029031A7C; Thu, 22 Dec 2016 13:48:29 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMDmTA4060892; Thu, 22 Dec 2016 13:48:29 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMDmTSV060890; Thu, 22 Dec 2016 13:48:29 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221348.uBMDmTSV060890@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
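Review bot: `IPSEC_HDRSIZE` in the `#if defined(IPSEC)` branch expands to `(*(proto ## _ipsec_methods)->hdrsize)(m, inp)`, but `m` is not a macro parameter and the `hdrsize` member of struct ipsec_support is declared as `size_t (*hdrsize)(struct inpcb *)`. The expansion therefore passes two arguments to a one-argument function pointer and picks up whatever `m` is in scope at the call site. It should read `(*(proto ## _ipsec_methods)->hdrsize)(inp)`, matching the `IPSEC_SUPPORT` branch where ipsec_kmod_hdrsize() takes only the inpcb. Separately, the `check_policy` member takes `const struct mbuf *` while ipsec_kmod_check_policy() is declared with a non-const `struct mbuf *`, so the two build configurations accept different argument types; making the wrapper parameter `const` keeps them interchangeable. struct ipsec_support also carries a `ctlinput` member with no macro or kmod wrapper in this header, which deserves a comment saying how it is meant to be invoked.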
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 13:48:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310394 - in projects/ipsec/sys: netinet netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 13:48:30 -0000 Author: ae Date: Thu Dec 22 13:48:28 2016 New Revision: 310394 URL: https://svnweb.freebsd.org/changeset/base/310394 Log: Remove AH/ESP/IPCOMP protocol handlers from inetsw and inet6sw lists. Now inbound IPsec processing will be handled by IPSEC_INPUT() method. Also declare sysctl nodes if one of IPSEC and IPSEC_SUPPORT options is defined. Modified: projects/ipsec/sys/netinet/in_proto.c projects/ipsec/sys/netinet6/in6_proto.c Modified: projects/ipsec/sys/netinet/in_proto.c ============================================================================== --- projects/ipsec/sys/netinet/in_proto.c Thu Dec 22 13:46:17 2016 (r310393) +++ projects/ipsec/sys/netinet/in_proto.c Thu Dec 22 13:48:28 2016 (r310394) @@ -90,10 +90,6 @@ __FBSDID("$FreeBSD$"); static struct pr_usrreqs nousrreqs; -#ifdef IPSEC -#include -#endif /* IPSEC */ - #ifdef SCTP #include #include 
@@ -222,32 +218,6 @@ struct protosw inetsw[] = { .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }, -#ifdef IPSEC -{ - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_AH, - .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = ipsec4_common_input, - .pr_usrreqs = &nousrreqs -}, -{ - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_ESP, - .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = ipsec4_common_input, - .pr_usrreqs = &nousrreqs -}, -{ - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_IPCOMP, - .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = ipsec4_common_input, - .pr_usrreqs = &nousrreqs -}, -#endif /* IPSEC */ { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, @@ -364,7 +334,7 @@ SYSCTL_NODE(_net_inet, IPPROTO_TCP, tcp, SYSCTL_NODE(_net_inet, IPPROTO_SCTP, sctp, CTLFLAG_RW, 0, "SCTP"); #endif SYSCTL_NODE(_net_inet, IPPROTO_IGMP, igmp, CTLFLAG_RW, 0, "IGMP"); -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* XXX no protocol # to use, pick something "reserved" */ SYSCTL_NODE(_net_inet, 253, ipsec, CTLFLAG_RW, 0, "IPSEC"); SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH"); Modified: projects/ipsec/sys/netinet6/in6_proto.c ============================================================================== --- projects/ipsec/sys/netinet6/in6_proto.c Thu Dec 22 13:46:17 2016 (r310393) +++ projects/ipsec/sys/netinet6/in6_proto.c Thu Dec 22 13:48:28 2016 (r310394) @@ -121,11 +121,6 @@ __FBSDID("$FreeBSD$"); #include #endif /* SCTP */ -#ifdef IPSEC -#include -#include -#endif /* IPSEC */ - #include /* 
@@ -276,32 +271,6 @@ struct protosw inet6sw[] = {
 .pr_input = frag6_input,
 .pr_usrreqs = &nousrreqs
 },
-#ifdef IPSEC
-{
- .pr_type = SOCK_RAW,
- .pr_domain = &inet6domain,
- .pr_protocol = IPPROTO_AH,
- .pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = ipsec6_common_input,
- .pr_usrreqs = &nousrreqs,
-},
-{
- .pr_type = SOCK_RAW,
- .pr_domain = &inet6domain,
- .pr_protocol = IPPROTO_ESP,
- .pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = ipsec6_common_input,
- .pr_usrreqs = &nousrreqs,
-},
-{
- .pr_type = SOCK_RAW,
- .pr_domain = &inet6domain,
- .pr_protocol = IPPROTO_IPCOMP,
- .pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = ipsec6_common_input,
- .pr_usrreqs = &nousrreqs,
-},
-#endif /* IPSEC */
 #ifdef INET
 {
 .pr_type = SOCK_RAW,
@@ -469,7 +438,7 @@ SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp #ifdef SCTP SYSCTL_NODE(_net_inet6, IPPROTO_SCTP, sctp6, CTLFLAG_RW, 0, "SCTP6"); #endif -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6"); #endif /* IPSEC */ From owner-svn-src-projects@freebsd.org Thu Dec 22 13:50:35 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 59EF9C8A37A for ; Thu, 22 Dec 2016 13:50:35 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2A04D1BC8; Thu, 22 Dec 2016 13:50:35 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMDoYuT061018; Thu, 22 Dec 2016 13:50:34 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMDoYFw061017; Thu, 22 Dec 2016 13:50:34 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221350.uBMDoYFw061017@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 13:50:34 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310395 - projects/ipsec/sys/netinet X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 13:50:35 -0000 Author: ae Date: Thu Dec 22 13:50:34 2016 New Revision: 310395 URL: https://svnweb.freebsd.org/changeset/base/310395 Log: Add IPSEC_SUPPORT option to in_pcb.c Modified: projects/ipsec/sys/netinet/in_pcb.c Modified: projects/ipsec/sys/netinet/in_pcb.c ============================================================================== --- projects/ipsec/sys/netinet/in_pcb.c Thu Dec 22 13:48:28 2016 (r310394) +++ projects/ipsec/sys/netinet/in_pcb.c Thu Dec 22 13:50:34 2016 (r310395) @@ -96,11 +96,7 @@ __FBSDID("$FreeBSD$"); #include #endif /* INET6 */ - -#ifdef IPSEC -#include -#include -#endif /* IPSEC */ +#include #include @@ -303,7 +299,7 @@ in_pcballoc(struct socket *so, struct in goto out; mac_inpcb_create(so, inp); #endif -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) error = ipsec_init_pcbpolicy(inp); if (error != 0) { #ifdef MAC 
@@ -1278,7 +1274,7 @@ in_pcbfree(struct inpcb *inp) INP_WLOCK_ASSERT(inp); /* XXXRW: Do as much as possible here. */ -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) if (inp->inp_sp != NULL) ipsec_delete_pcbpolicy(inp); #endif From owner-svn-src-projects@freebsd.org Thu Dec 22 13:52:32 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 09DA0C8A54B for ; Thu, 22 Dec 2016 13:52:32 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D8C6C1F50; Thu, 22 Dec 2016 13:52:31 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMDqVu3064605; Thu, 22 Dec 2016 13:52:31 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMDqVPn064604; Thu, 22 Dec 2016 13:52:31 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221352.uBMDqVPn064604@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 13:52:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310396 - projects/ipsec/sys/netinet X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 13:52:32 -0000 Author: ae Date: Thu Dec 22 13:52:30 2016 New Revision: 310396 URL: https://svnweb.freebsd.org/changeset/base/310396 Log: Convert ip_input.c to use IPsec methods. Modified: projects/ipsec/sys/netinet/ip_input.c Modified: projects/ipsec/sys/netinet/ip_input.c ============================================================================== --- projects/ipsec/sys/netinet/ip_input.c Thu Dec 22 13:50:34 2016 (r310395) +++ projects/ipsec/sys/netinet/ip_input.c Thu Dec 22 13:52:30 2016 (r310396) @@ -77,13 +77,10 @@ __FBSDID("$FreeBSD$"); #include #include #include -#ifdef IPSEC -#include -#include -#include -#endif /* IPSEC */ #include +#include + #include #include @@ -430,6 +427,12 @@ ip_direct_input(struct mbuf *m) ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv4)) { + if (IPSEC_INPUT(ipv4, m, hlen, ip->ip_p) != 0) + return; + } +#endif /* IPSEC */ IPSTAT_INC(ips_delivered); (*inetsw[ip_protox[ip->ip_p]].pr_input)(&m, &hlen, ip->ip_p); return; 
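Review bot: The new `IPSEC_INPUT()` call in `ip_direct_input()` returns without freeing `m` when the method reports non-zero, so the caller now relies on the method having consumed the mbuf on every non-zero path, and nothing at the call site says so. The `ours:` hunk (@@ -791,14 +808,11 @@) makes the same switch, replacing `goto bad` with `return`, where the removed code presumably left the freeing to the caller. I would state the contract at both sites, e.g. `/* IPSEC_INPUT() consumes m whenever it returns non-zero */`, and check the method implementation against it, since a non-zero return that does not free would leak mbufs on traffic an outside sender controls. `ip_direct_input()` starts outside the hunk.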
@@ -550,23 +553,37 @@ tooshort: m_adj(m, ip_len - m->m_pkthdr.len); } - /* Try to forward the packet, but if we fail continue */ -#ifdef IPSEC - /* For now we do not handle IPSEC in tryforward. */ - if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) && - (V_ipforwarding == 1)) - if (ip_tryforward(m) == NULL) + /* + * Try to forward the packet, but if we fail continue. + * ip_tryforward() does inbound and outbound packet firewall + * processing. If firewall has decided that destination becomes + * our local address, it sets M_FASTFWD_OURS flag. In this + * case skip another inbound firewall processing and update + * ip pointer. + */ + if (V_ipforwarding != 0 +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + && (!IPSEC_ENABLED(ipv4) || + IPSEC_CAPS(ipv4, m, IPSEC_CAP_OPERABLE) == 0) +#endif + ) { + if ((m = ip_tryforward(m)) == NULL) return; + if (m->m_flags & M_FASTFWD_OURS) { + m->m_flags &= ~M_FASTFWD_OURS; + ip = mtod(m, struct ip *); + goto ours; + } + } + +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * Bypass packet filtering for packets previously handled by IPsec. */ - if (ip_ipsec_filtertunnel(m)) - goto passin; -#else - if (V_ipforwarding == 1) - if (ip_tryforward(m) == NULL) - return; -#endif /* IPSEC */ + if (IPSEC_ENABLED(ipv4) && + IPSEC_CAPS(ipv4, m, IPSEC_CAP_BYPASS_FILTER) != 0) + goto passin; +#endif /* * Run through list of hooks for input packets. @@ -791,14 +808,11 @@ ours: hlen = ip->ip_hl << 2; } -#ifdef IPSEC - /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. - */ - if (IPSEC_INPUT(ipv4, m, ip->ip_p) != 0) - goto bad; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv4)) { + if (IPSEC_INPUT(ipv4, m, hlen, ip->ip_p) != 0) + return; + } #endif /* IPSEC */ /* 
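Review bot: The IPsec condition that guards `ip_tryforward()` lost its explanation: the removed comment said IPsec is not handled in tryforward, while the new block comment covers only `M_FASTFWD_OURS`. `IPSEC_CAPS(ipv4, m, IPSEC_CAP_OPERABLE) == 0` appears to be the check that keeps packets off the fast path whenever IPsec policy could apply, and that is worth writing down because getting it wrong means forwarding without IPsec processing. I would add a line such as `/* ip_tryforward() does no IPsec processing; take it only when IPsec is not operable */`, with the wording confirmed against the definition of the capability. The test also changed from `V_ipforwarding == 1` to `!= 0`, which the log does not mention.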
@@ -1002,21 +1016,17 @@ ip_forward(struct mbuf *m, int srcrt) if (V_ipstealth == 0) #endif ip->ip_ttl -= IPTTLDEC; -#ifdef IPSEC - if (IPSEC_FORWARD(ipv4, m, &error) != 0) { /* mbuf consumed by IPsec */ - m_freem(mcopy); - return; - } - /* - * mbuf wasn't consumed by IPsec, check error code. - */ - if (error != 0) { - IPSTAT_INC(ips_cantforward); - m_freem(m); - m_freem(mcopy); - return; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv4)) { + if ((error = IPSEC_FORWARD(ipv4, m)) != 0) { + /* mbuf consumed by IPsec */ + m_freem(mcopy); + if (error != EINPROGRESS) + IPSTAT_INC(ips_cantforward); + return; + } + /* No IPsec processing required */ } - /* No IPsec processing required */ #endif /* IPSEC */ /* * If forwarding packet using same interface that it came in on, From owner-svn-src-projects@freebsd.org Thu Dec 22 13:53:40 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 212C5C8A5E0 for ; Thu, 22 Dec 2016 13:53:40 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CB2C8EF; Thu, 22 Dec 2016 13:53:39 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMDrdxc064687; Thu, 22 Dec 2016 13:53:39 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMDrcMD064686; Thu, 22 Dec 2016 13:53:38 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221353.uBMDrcMD064686@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
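Review bot: `EINPROGRESS` is used here as an in-band "not a failure" value and the call site does not say what it means: every other non-zero result from `IPSEC_FORWARD()` bumps `ips_cantforward`, and both cases return without freeing `m`. The `sendit:` hunk in ip_output.c (r310397, @@ -555,9 +552,14 @@) does the same with `IPSEC_OUTPUT()`, mapping `EINPROGRESS` to `error = 0` before `goto done`. A comment at both sites, for example `/* EINPROGRESS: IPsec took the packet and will complete it later; not an error */`, would make the contract reviewable; that wording is my inference and should be checked against the method. The removed code freed `m` itself when an error was reported, so the method must now free it on every non-zero return.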
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 13:53:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310397 - projects/ipsec/sys/netinet X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 13:53:40 -0000 Author: ae Date: Thu Dec 22 13:53:38 2016 New Revision: 310397 URL: https://svnweb.freebsd.org/changeset/base/310397 Log: Convert ip_output.c to use IPsec methods. Modified: projects/ipsec/sys/netinet/ip_output.c Modified: projects/ipsec/sys/netinet/ip_output.c ============================================================================== --- projects/ipsec/sys/netinet/ip_output.c Thu Dec 22 13:52:30 2016 (r310396) +++ projects/ipsec/sys/netinet/ip_output.c Thu Dec 22 13:53:38 2016 (r310397) @@ -83,10 +83,7 @@ __FBSDID("$FreeBSD$"); #include #endif -#ifdef IPSEC -#include -#include -#endif /* IPSEC*/ +#include #include @@ -227,7 +224,7 @@ ip_output(struct mbuf *m, struct mbuf *o struct rtentry *rte; /* cache for ro->ro_rt */ uint32_t fibnum; int have_ia_ref; -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) int no_route_but_check_spd = 0; #endif M_ASSERTPKTHDR(m); @@ -383,7 +380,7 @@ again: (rte->rt_flags & RTF_UP) == 0 || rte->rt_ifp == NULL || !RT_LINK_IS_UP(rte->rt_ifp)) { -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * There is no route for this packet, but it is * possible that a matching SPD entry exists. 
@@ -555,9 +552,14 @@ again: } sendit: -#ifdef IPSEC - if (IPSEC_OUTPUT(ipv4, m, inp, &error) != 0) - goto done; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv4)) { + if ((error = IPSEC_OUTPUT(ipv4, m, inp)) != 0) { + if (error == EINPROGRESS) + error = 0; + goto done; + } + } /* * Check if there was a route for this packet; return error if not. */ @@ -1181,10 +1183,13 @@ ip_ctloutput(struct socket *so, struct s INP_WUNLOCK(inp); break; -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) case IP_IPSEC_POLICY: - error = ip_ipsec_pcbctl(inp, sopt); - break; + if (IPSEC_ENABLED(ipv4)) { + error = IPSEC_PCBCTL(ipv4, inp, sopt); + break; + } + /* FALLTHROUGH */ #endif /* IPSEC */ default: 
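Review bot: When `IPSEC_ENABLED(ipv4)` is false the `IP_IPSEC_POLICY` case falls through into `default:`, so the error returned for this option is decided by code outside the hunk and would change silently if a case label were ever added in between. tcp_usrreq.c in r310400 handles the equivalent situation for `TCP_MD5SIG` with an explicit `return (ENOPROTOOPT)`. I would make this arm explicit as well, replacing `/* FALLTHROUGH */` with `error = ENOPROTOOPT; break;` (assuming that is what `default:` yields today), here and in the SOPT_GET hunk at @@ -1327,10 +1332,13 @@.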
@@ -1327,10 +1332,13 @@ ip_ctloutput(struct socket *so, struct s error = inp_getmoptions(inp, sopt); break; -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) case IP_IPSEC_POLICY: - error = ip_ipsec_pcbctl(inp, sopt); - break; + if (IPSEC_ENABLED(ipv4)) { + error = IPSEC_PCBCTL(ipv4, inp, sopt); + break; + } + /* FALLTHROUGH */ #endif /* IPSEC */ default: From owner-svn-src-projects@freebsd.org Thu Dec 22 13:57:30 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6BBD0C8A6EF for ; Thu, 22 Dec 2016 13:57:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3B538322; Thu, 22 Dec 2016 13:57:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMDvThu064873; Thu, 22 Dec 2016 13:57:29 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMDvTaE064872; Thu, 22 Dec 2016 13:57:29 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221357.uBMDvTaE064872@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 13:57:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310398 - projects/ipsec/sys/netinet X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 13:57:30 -0000 Author: ae Date: Thu Dec 22 13:57:29 2016 New Revision: 310398 URL: https://svnweb.freebsd.org/changeset/base/310398 Log: Convert raw_ip.c to use IPsec methods. Modified: projects/ipsec/sys/netinet/raw_ip.c Modified: projects/ipsec/sys/netinet/raw_ip.c ============================================================================== --- projects/ipsec/sys/netinet/raw_ip.c Thu Dec 22 13:53:38 2016 (r310397) +++ projects/ipsec/sys/netinet/raw_ip.c Thu Dec 22 13:57:29 2016 (r310398) @@ -73,9 +73,7 @@ __FBSDID("$FreeBSD$"); #include #include -#ifdef IPSEC -#include -#endif /*IPSEC*/ +#include #include #include 
@@ -236,10 +234,11 @@ rip_append(struct inpcb *last, struct ip INP_LOCK_ASSERT(last); -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* check AH/ESP integrity. */ - if (ipsec4_in_reject(n, last)) { - policyfail = 1; + if (IPSEC_ENABLED(ipv4)) { + if (IPSEC_CHECK_POLICY(ipv4, n, last) != 0) + policyfail = 1; } #endif /* IPSEC */ #ifdef MAC From owner-svn-src-projects@freebsd.org Thu Dec 22 13:58:31 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 16005C8A73E for ; Thu, 22 Dec 2016 13:58:31 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E5124680; Thu, 22 Dec 2016 13:58:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMDwUrv064950; Thu, 22 Dec 2016 13:58:30 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMDwTvk064946; Thu, 22 Dec 2016 13:58:29 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221358.uBMDwTvk064946@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
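Review bot: The retained comment `/* check AH/ESP integrity. */` no longer describes the call under it: `IPSEC_CHECK_POLICY()` takes the place of `ipsec4_in_reject()`, which by its name decides whether inbound policy rejects the packet rather than verifying integrity. I would reword it to `/* check inbound IPsec policy for this socket */`. The comment should also say that the check is skipped entirely when `IPSEC_ENABLED(ipv4)` is false, so that a reader knows delivery is then unconditional as far as IPsec is concerned. `rip_append()` continues outside the hunk.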
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 13:58:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310399 - projects/ipsec/sys/netinet X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 13:58:31 -0000 Author: ae Date: Thu Dec 22 13:58:29 2016 New Revision: 310399 URL: https://svnweb.freebsd.org/changeset/base/310399 Log: Convert SCTP code to use IPsec methods. Modified: projects/ipsec/sys/netinet/sctp_input.c projects/ipsec/sys/netinet/sctp_os_bsd.h projects/ipsec/sys/netinet/sctp_pcb.c Modified: projects/ipsec/sys/netinet/sctp_input.c ============================================================================== --- projects/ipsec/sys/netinet/sctp_input.c Thu Dec 22 13:57:29 2016 (r310398) +++ projects/ipsec/sys/netinet/sctp_input.c Thu Dec 22 13:58:29 2016 (r310399) @@ -5771,7 +5771,7 @@ sctp_common_input_processing(struct mbuf } else if (stcb == NULL) { inp_decr = inp; } -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /*- * I very much doubt any of the IPSEC stuff will work but I have no * idea, so I will leave it in place. 
@@ -5780,17 +5780,23 @@ sctp_common_input_processing(struct mbuf switch (dst->sa_family) { #ifdef INET case AF_INET: - if (ipsec4_in_reject(m, &inp->ip_inp.inp)) { - SCTP_STAT_INCR(sctps_hdrops); - goto out; + if (IPSEC_ENABLED(ipv4)) { + if (IPSEC_CHECK_POLICY(ipv4, m, + &inp->ip_inp.inp) != 0) { + SCTP_STAT_INCR(sctps_hdrops); + goto out; + } } break; #endif #ifdef INET6 case AF_INET6: - if (ipsec6_in_reject(m, &inp->ip_inp.inp)) { - SCTP_STAT_INCR(sctps_hdrops); - goto out; + if (IPSEC_ENABLED(ipv6)) { + if (IPSEC_CHECK_POLICY(ipv6, m, + &inp->ip_inp.inp) != 0) { + SCTP_STAT_INCR(sctps_hdrops); + goto out; + } } break; #endif @@ -5798,7 +5804,7 @@ sctp_common_input_processing(struct mbuf break; } } -#endif +#endif /* IPSEC */ SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n", (void *)m, iphlen, offset, length, (void *)stcb); if (stcb) { Modified: projects/ipsec/sys/netinet/sctp_os_bsd.h ============================================================================== --- projects/ipsec/sys/netinet/sctp_os_bsd.h Thu Dec 22 13:57:29 2016 (r310398) +++ projects/ipsec/sys/netinet/sctp_os_bsd.h Thu Dec 22 13:58:29 2016 (r310399) @@ -82,16 +82,10 @@ __FBSDID("$FreeBSD$"); #include #include -#ifdef IPSEC -#include -#include -#endif /* IPSEC */ +#include #ifdef INET6 #include -#ifdef IPSEC -#include -#endif #include #include #include Modified: projects/ipsec/sys/netinet/sctp_pcb.c ============================================================================== --- projects/ipsec/sys/netinet/sctp_pcb.c Thu Dec 22 13:57:29 2016 (r310398) +++ projects/ipsec/sys/netinet/sctp_pcb.c Thu Dec 22 13:58:29 2016 (r310399) @@ -2459,7 +2459,7 @@ sctp_inpcb_alloc(struct socket *so, uint SCTP_INP_INFO_WUNLOCK(); return (ENOBUFS); } -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) error = ipsec_init_pcbpolicy(&inp->ip_inp.inp); if (error != 0) { crfree(inp->ip_inp.inp.inp_cred); 
@@ -2494,7 +2494,7 @@ sctp_inpcb_alloc(struct socket *so, uint
 SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EOPNOTSUPP);
 so->so_pcb = NULL;
 crfree(inp->ip_inp.inp.inp_cred);
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 ipsec_delete_pcbpolicy(&inp->ip_inp.inp);
 #endif
 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
@@ -2517,7 +2517,7 @@ sctp_inpcb_alloc(struct socket *so, uint
 SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOBUFS);
 so->so_pcb = NULL;
 crfree(inp->ip_inp.inp.inp_cred);
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 ipsec_delete_pcbpolicy(&inp->ip_inp.inp);
 #endif
 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
@@ -3623,7 +3623,7 @@ sctp_inpcb_free(struct sctp_inpcb *inp, * macro here since le_next will get freed as part of the * sctp_free_assoc() call. */ -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) ipsec_delete_pcbpolicy(ip_pcb); #endif if (ip_pcb->inp_options) { From owner-svn-src-projects@freebsd.org Thu Dec 22 14:01:40 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B0C56C8A8D6 for ; Thu, 22 Dec 2016 14:01:40 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8016E8E5; Thu, 22 Dec 2016 14:01:40 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME1dBw067404; Thu, 22 Dec 2016 14:01:39 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME1dPJ067399; Thu, 22 Dec 2016 14:01:39 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221401.uBME1dPJ067399@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:01:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310400 - projects/ipsec/sys/netinet X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:01:40 -0000 Author: ae Date: Thu Dec 22 14:01:39 2016 New Revision: 310400 URL: https://svnweb.freebsd.org/changeset/base/310400 Log: Convert TCP code to use IPsec methods. Modified: projects/ipsec/sys/netinet/tcp_input.c projects/ipsec/sys/netinet/tcp_output.c projects/ipsec/sys/netinet/tcp_subr.c projects/ipsec/sys/netinet/tcp_syncache.c projects/ipsec/sys/netinet/tcp_usrreq.c Modified: projects/ipsec/sys/netinet/tcp_input.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_input.c Thu Dec 22 13:58:29 2016 (r310399) +++ projects/ipsec/sys/netinet/tcp_input.c Thu Dec 22 14:01:39 2016 (r310400) @@ -120,10 +120,7 @@ __FBSDID("$FreeBSD$"); #include #endif -#ifdef IPSEC -#include -#include -#endif /*IPSEC*/ +#include #include @@ -927,13 +924,15 @@ findpcb: inp->inp_flowid = m->m_pkthdr.flowid; inp->inp_flowtype = M_HASHTYPE_GET(m); } -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) #ifdef INET6 - if (isipv6 && ipsec6_in_reject(m, inp)) { + if (isipv6 && IPSEC_ENABLED(ipv6) && + IPSEC_CHECK_POLICY(ipv6, m, inp) != 0) { goto dropunlock; } else #endif /* INET6 */ - if (ipsec4_in_reject(m, inp) != 0) { + if (IPSEC_ENABLED(ipv4) && + IPSEC_CHECK_POLICY(ipv4, m, inp) != 0) { goto dropunlock; } #endif /* IPSEC */ 
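Review bot: In the `findpcb:` hunk the `else` still hangs off the combined IPv6 condition, so an IPv6 segment for which `IPSEC_ENABLED(ipv6)` is false, or whose IPv6 policy check passes, goes on to `IPSEC_CHECK_POLICY(ipv4, m, inp)`. Whether the ipv4 method copes with an IPv6 mbuf is not visible here, but the address family alone should select the check: `if (isipv6) { if (IPSEC_ENABLED(ipv6) && IPSEC_CHECK_POLICY(ipv6, m, inp) != 0) goto dropunlock; } else`. The `ipsec_optlen` computation in tcp_output.c (@@ -546,17 +544,23 @@) has the same shape and would size headers with the ipv4 method for an IPv6 connection when `IPSEC_ENABLED(ipv6)` is false.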
@@ -1408,14 +1407,15 @@ tfo_socket_result: */ goto dropunlock; } -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (tp->t_flags & TF_SIGNATURE) { tcp_dooptions(&to, optp, optlen, thflags); if ((to.to_flags & TOF_SIGNATURE) == 0) { TCPSTAT_INC(tcps_sig_err_nosigopt); goto dropunlock; } - if (tcp_ipsec_input(m, th, to.to_signature) != 0) + if (!TCPMD5_ENABLED() || + TCPMD5_INPUT(m, th, to.to_signature) != 0) goto dropunlock; } #endif @@ -1595,7 +1595,7 @@ tcp_do_segment(struct mbuf *m, struct tc (th->th_off << 2) - sizeof(struct tcphdr), (thflags & TH_SYN) ? TO_SYN : 0); -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if ((tp->t_flags & TF_SIGNATURE) != 0 && (to.to_flags & TOF_SIGNATURE) == 0) { TCPSTAT_INC(tcps_sig_err_sigopt); Modified: projects/ipsec/sys/netinet/tcp_output.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_output.c Thu Dec 22 13:58:29 2016 (r310399) +++ projects/ipsec/sys/netinet/tcp_output.c Thu Dec 22 14:01:39 2016 (r310400) @@ -90,9 +90,7 @@ __FBSDID("$FreeBSD$"); #include #endif -#ifdef IPSEC -#include -#endif /*IPSEC*/ +#include #include @@ -200,7 +198,7 @@ tcp_output(struct tcpcb *tp) struct tcphdr *th; u_char opt[TCP_MAXOLEN]; unsigned ipoptlen, optlen, hdrlen; -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) unsigned ipsec_optlen = 0; #endif int idle, sendalot; 
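Review bot: The `!TCPMD5_ENABLED()` arm in the @@ -1408,14 +1407,15 @@ hunk drops the segment without touching any counter, whereas the missing-option case just above it bumps `tcps_sig_err_nosigopt`. Failing closed is the right behaviour for a connection that has `TF_SIGNATURE` set, but an operator then sees a stalled session with nothing to tell "signature support not available" apart from a bad digest; whether `TCPMD5_INPUT()` counts its own failures is not visible here. I would split the condition so the unavailable case is counted or logged on its own, and add a short comment saying the drop is deliberate. The `syncache_add()` hunk in tcp_syncache.c takes `goto done` in the same way.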
@@ -546,17 +544,23 @@ after_sack_rexmit: * makes it impossible to transmit any options which vary per generated * segment or packet. */ -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * Pre-calculate here as we save another lookup into the darknesses * of IPsec that way and can actually decide if TSO is ok. */ - ipsec_optlen = ipsec_hdrsiz_inpcb(tp->t_inpcb); +#ifdef INET6 + if (isipv6 && IPSEC_ENABLED(ipv6)) + ipsec_optlen = IPSEC_HDRSIZE(ipv6, tp->t_inpcb); + else +#endif + if (IPSEC_ENABLED(ipv4)) + ipsec_optlen = IPSEC_HDRSIZE(ipv4, tp->t_inpcb); #endif if ((tp->t_flags & TF_TSO) && V_tcp_do_tso && len > tp->t_maxseg && ((tp->t_flags & TF_SIGNATURE) == 0) && tp->rcv_numsacks == 0 && sack_rxmit == 0 && -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) ipsec_optlen == 0 && #endif tp->t_inpcb->inp_options == NULL && @@ -823,7 +827,7 @@ send: to.to_sacks = (u_char *)tp->sackblks; } } -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) /* TCP-MD5 (RFC2385). */ /* * Check that TCP_MD5SIG is enabled in tcpcb to @@ -847,7 +851,7 @@ send: offsetof(struct ipoption, ipopt_list); else ipoptlen = 0; -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) ipoptlen += ipsec_optlen; #endif @@ -1262,7 +1266,7 @@ send: m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */ m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum); -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (to.to_flags & TOF_SIGNATURE) { /* * Calculate MD5 signature and put it into the place @@ -1270,8 +1274,8 @@ send: * NOTE: since TCP options buffer doesn't point into * mbuf's data, calculate offset and use it. */ - if ((error = tcp_ipsec_output(m, th, (u_char *)(th + 1) + - (to.to_signature - opt))) != 0) { + if (!TCPMD5_ENABLED() || TCPMD5_OUTPUT(m, th, + (u_char *)(th + 1) + (to.to_signature - opt)) != 0) { /* * Do not send segment if the calculation of MD5 * digest has failed. 
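Review bot: The rewritten condition in the @@ -1270,8 +1274,8 @@ hunk no longer stores the result in `error`: the removed line was `if ((error = tcp_ipsec_output(...)) != 0)`, while the new one only tests `TCPMD5_OUTPUT(...) != 0`. The body of that `if` continues outside the hunk, but its comment says the segment is not sent, so if `error` keeps its earlier value `tcp_output()` may report success for a segment it discarded. Keep the assignment, `if (!TCPMD5_ENABLED() || (error = TCPMD5_OUTPUT(m, th, (u_char *)(th + 1) + (to.to_signature - opt))) != 0) {`, and set `error` explicitly for the `!TCPMD5_ENABLED()` case as well, since the short-circuit leaves it untouched there.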
@@ -1317,7 +1321,7 @@ send: m->m_pkthdr.tso_segsz = tp->t_maxseg - optlen; } -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) KASSERT(len + hdrlen + ipoptlen - ipsec_optlen == m_length(m, NULL), ("%s: mbuf chain shorter than expected: %d + %u + %u - %u != %u", __func__, len, hdrlen, ipoptlen, ipsec_optlen, m_length(m, NULL))); Modified: projects/ipsec/sys/netinet/tcp_subr.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_subr.c Thu Dec 22 13:58:29 2016 (r310399) +++ projects/ipsec/sys/netinet/tcp_subr.c Thu Dec 22 14:01:39 2016 (r310400) @@ -118,15 +118,7 @@ __FBSDID("$FreeBSD$"); #include #endif -#ifdef IPSEC -#include -#include -#ifdef INET6 -#include -#endif -#include -#include -#endif /*IPSEC*/ +#include #include #include @@ -1058,12 +1050,11 @@ tcp_respond(struct tcpcb *tp, void *ipge to.to_tsecr = tp->ts_recent; to.to_flags |= TOF_TS; } -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) /* TCP-MD5 (RFC2385). */ if (tp->t_flags & TF_SIGNATURE) to.to_flags |= TOF_SIGNATURE; #endif - /* Add the options. */ tlen += optlen = tcp_addoptions(&to, optp); @@ -1119,9 +1110,10 @@ tcp_respond(struct tcpcb *tp, void *ipge nth->th_win = htons((u_short)win); nth->th_urp = 0; -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (to.to_flags & TOF_SIGNATURE) { - if (tcp_ipsec_output(m, nth, to.to_signature) != 0) { + if (!TCPMD5_ENABLED() || + TCPMD5_OUTPUT(m, nth, to.to_signature) != 0) { m_freem(m); return; } @@ -2498,7 +2490,7 @@ tcp_maxseg(const struct tcpcb *tp) optlen = TCPOLEN_TSTAMP_APPA; else optlen = 0; -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (tp->t_flags & TF_SIGNATURE) optlen += PAD(TCPOLEN_SIGNATURE); #endif 
@@ -2514,7 +2506,7 @@ tcp_maxseg(const struct tcpcb *tp) optlen = PAD(TCPOLEN_MAXSEG); if (tp->t_flags & TF_REQ_SCALE) optlen += PAD(TCPOLEN_WINDOW); -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (tp->t_flags & TF_SIGNATURE) optlen += PAD(TCPOLEN_SIGNATURE); #endif Modified: projects/ipsec/sys/netinet/tcp_syncache.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_syncache.c Thu Dec 22 13:58:29 2016 (r310399) +++ projects/ipsec/sys/netinet/tcp_syncache.c Thu Dec 22 14:01:39 2016 (r310400) @@ -96,13 +96,7 @@ __FBSDID("$FreeBSD$"); #include #endif -#ifdef IPSEC -#include -#ifdef INET6 -#include -#endif -#include -#endif /*IPSEC*/ +#include #include @@ -736,7 +730,7 @@ syncache_socket(struct syncache *sc, str INP_HASH_WUNLOCK(&V_tcbinfo); goto abort; } -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* Copy old policy into new socket's. */ if (ipsec_copy_pcbpolicy(sotoinpcb(lso), inp) != 0) printf("syncache_socket: could not copy policy\n"); @@ -872,7 +866,7 @@ syncache_socket(struct syncache *sc, str tp->ts_recent_age = tcp_ts_getticks(); tp->ts_offset = sc->sc_tsoff; } -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (sc->sc_flags & SCF_SIGNATURE) tp->t_flags |= TF_SIGNATURE; #endif @@ -996,10 +990,11 @@ syncache_expand(struct in_conninfo *inc, "(probably spoofed)\n", s, __func__); goto failed; } -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) /* If received ACK has MD5 signature, check it. */ if ((to->to_flags & TOF_SIGNATURE) != 0 && - tcp_ipsec_input(m, th, to->to_signature) != 0) { + (!TCPMD5_ENABLED() || + TCPMD5_INPUT(m, th, to->to_signature) != 0)) { /* Drop the ACK. */ if ((s = tcp_log_addrs(inc, th, NULL, NULL))) { log(LOG_DEBUG, "%s; %s: Segment rejected, " 
@@ -1012,7 +1007,7 @@ syncache_expand(struct in_conninfo *inc, } #endif /* TCP_SIGNATURE */ } else { -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) /* * If listening socket requested TCP digests, check that * received ACK has signature and it is correct. @@ -1032,7 +1027,8 @@ syncache_expand(struct in_conninfo *inc, } return (-1); /* Do not send RST */ } - if (tcp_ipsec_input(m, th, to->to_signature) != 0) { + if (!TCPMD5_ENABLED() || + TCPMD5_INPUT(m, th, to->to_signature) != 0) { /* Doesn't match or no SA */ SCH_UNLOCK(sch); if ((s = tcp_log_addrs(inc, th, NULL, NULL))) { @@ -1315,7 +1311,7 @@ syncache_add(struct in_conninfo *inc, st ipopts = NULL; #endif -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) /* * If listening socket requested TCP digests, check that received * SYN has signature and it is correct. If signature doesn't match @@ -1326,7 +1322,8 @@ syncache_add(struct in_conninfo *inc, st TCPSTAT_INC(tcps_sig_err_nosigopt); goto done; } - if (tcp_ipsec_input(m, th, to->to_signature) != 0) + if (!TCPMD5_ENABLED() || + TCPMD5_INPUT(m, th, to->to_signature) != 0) goto done; } #endif /* TCP_SIGNATURE */ @@ -1505,7 +1502,7 @@ skip_alloc: sc->sc_flags |= SCF_WINSCALE; } } -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) /* * If listening socket requested TCP digests, flag this in the * syncache so that syncache_respond() will do the right thing @@ -1712,7 +1709,7 @@ syncache_respond(struct syncache *sc, st } if (sc->sc_flags & SCF_SACK) to.to_flags |= TOF_SACKPERM; -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (sc->sc_flags & SCF_SIGNATURE) to.to_flags |= TOF_SIGNATURE; #endif 
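Review bot: The comment `/* Doesn't match or no SA */` in the second syncache_expand hunk no longer covers every way into that branch, because the added `!TCPMD5_ENABLED()` test also lands there when TCP-MD5 support is not available. I would widen it to `/* Doesn't match, no SA, or TCP-MD5 support not available */`. The same short-circuit in the syncache_add hunk jumps to `done` without bumping any counter visible in the hunk, while the missing-option case just above it increments `tcps_sig_err_nosigopt`. If signature failures are normally counted inside TCPMD5_INPUT (not visible here), these drops go unrecorded, and a comment saying so would help whoever has to explain a listener that silently ignores SYNs. Both functions continue outside their hunks.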
@@ -1737,13 +1734,14 @@ syncache_respond(struct syncache *sc, st else #endif ip->ip_len = htons(ntohs(ip->ip_len) + optlen); -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) if (sc->sc_flags & SCF_SIGNATURE) { KASSERT(to.to_flags & TOF_SIGNATURE, ("tcp_addoptions() didn't set tcp_signature")); /* NOTE: to.to_signature is inside of mbuf */ - if (tcp_ipsec_output(m, th, to.to_signature) != 0) { + if (!TCPMD5_ENABLED() || + TCPMD5_OUTPUT(m, th, to.to_signature) != 0) { m_freem(m); return (EACCES); } Modified: projects/ipsec/sys/netinet/tcp_usrreq.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_usrreq.c Thu Dec 22 13:58:29 2016 (r310399) +++ projects/ipsec/sys/netinet/tcp_usrreq.c Thu Dec 22 14:01:39 2016 (r310400) @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #include "opt_ddb.h" #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_ipsec.h" #include "opt_tcpdebug.h" #include @@ -101,9 +102,7 @@ __FBSDID("$FreeBSD$"); #ifdef TCP_OFFLOAD #include #endif -#ifdef TCP_SIGNATURE -#include -#endif +#include /* * TCP protocol interface to socket abstraction. @@ -1555,13 +1554,17 @@ tcp_default_ctloutput(struct socket *so, switch (sopt->sopt_dir) { case SOPT_SET: switch (sopt->sopt_name) { -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) case TCP_MD5SIG: - error = tcp_ipsec_pcbctl(inp, sopt); + if (!TCPMD5_ENABLED()) { + INP_WUNLOCK(inp); + return (ENOPROTOOPT); + } + error = TCPMD5_PCBCTL(inp, sopt); if (error) return (error); goto unlock_and_done; -#endif /* TCP_SIGNATURE */ +#endif /* IPSEC */ case TCP_NODELAY: case TCP_NOOPT: 
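Review bot: The three exits of the new `TCP_MD5SIG` case in tcp_default_ctloutput treat the inpcb lock differently, and nothing in the hunk says why. The `!TCPMD5_ENABLED()` path calls `INP_WUNLOCK(inp)` before returning, the `if (error) return (error);` path returns without unlocking, and success goes to `unlock_and_done`. That is only balanced if TCPMD5_PCBCTL drops the lock on failure and holds it on success, which is not visible here; if that is the contract, a line above the call such as `/* TCPMD5_PCBCTL() returns with inp unlocked on error, locked on success. */` would make it checkable. The closing `#endif /* IPSEC */` also no longer matches its guard and would read better as `#endif /* IPSEC_SUPPORT || TCP_SIGNATURE */`. The switch continues outside the hunk.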
@@ -1787,9 +1790,13 @@ unlock_and_done: case SOPT_GET: tp = intotcpcb(inp); switch (sopt->sopt_name) { -#ifdef TCP_SIGNATURE +#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE) case TCP_MD5SIG: - error = tcp_ipsec_pcbctl(inp, sopt); + if (!TCPMD5_ENABLED()) { + INP_WUNLOCK(inp); + return (ENOPROTOOPT); + } + error = TCPMD5_PCBCTL(inp, sopt); break; #endif From owner-svn-src-projects@freebsd.org Thu Dec 22 14:02:19 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8C429C8A8FE for ; Thu, 22 Dec 2016 14:02:19 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5C39AB60; Thu, 22 Dec 2016 14:02:19 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME2IEV069069; Thu, 22 Dec 2016 14:02:18 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME2ITR069068; Thu, 22 Dec 2016 14:02:18 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221402.uBME2ITR069068@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:02:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310401 - projects/ipsec/sys/netinet/tcp_stacks X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:02:19 -0000 Author: ae Date: Thu Dec 22 14:02:18 2016 New Revision: 310401 URL: https://svnweb.freebsd.org/changeset/base/310401 Log: Remove unneded includes. Modified: projects/ipsec/sys/netinet/tcp_stacks/fastpath.c Modified: projects/ipsec/sys/netinet/tcp_stacks/fastpath.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_stacks/fastpath.c Thu Dec 22 14:01:39 2016 (r310400) +++ projects/ipsec/sys/netinet/tcp_stacks/fastpath.c Thu Dec 22 14:02:18 2016 (r310401) @@ -56,7 +56,6 @@ __FBSDID("$FreeBSD$"); #include "opt_inet.h" #include "opt_inet6.h" -#include "opt_ipsec.h" #include "opt_tcpdebug.h" #include 
@@ -117,11 +116,6 @@ __FBSDID("$FreeBSD$"); #include #endif -#ifdef IPSEC -#include -#include -#endif /*IPSEC*/ - #include #include From owner-svn-src-projects@freebsd.org Thu Dec 22 14:03:02 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AED6CC8A91D for ; Thu, 22 Dec 2016 14:03:02 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 650C6C9A; Thu, 22 Dec 2016 14:03:02 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME31ti069138; Thu, 22 Dec 2016 14:03:01 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME317A069137; Thu, 22 Dec 2016 14:03:01 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221403.uBME317A069137@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:03:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310402 - projects/ipsec/sys/netinet X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:03:02 -0000 Author: ae Date: Thu Dec 22 14:03:01 2016 New Revision: 310402 URL: https://svnweb.freebsd.org/changeset/base/310402 Log: Convert UDP code to use IPsec methods. Modified: projects/ipsec/sys/netinet/udp_usrreq.c Modified: projects/ipsec/sys/netinet/udp_usrreq.c ============================================================================== --- projects/ipsec/sys/netinet/udp_usrreq.c Thu Dec 22 14:02:18 2016 (r310401) +++ projects/ipsec/sys/netinet/udp_usrreq.c Thu Dec 22 14:03:01 2016 (r310402) @@ -92,10 +92,7 @@ __FBSDID("$FreeBSD$"); #include #include -#ifdef IPSEC -#include -#include -#endif +#include #include @@ -330,15 +327,16 @@ udp_append(struct inpcb *inp, struct ip off += sizeof(struct udphdr); -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* Check AH/ESP integrity. */ - if (ipsec4_in_reject(n, inp)) { + if (IPSEC_ENABLED(ipv4) && + IPSEC_CHECK_POLICY(ipv4, n, inp) != 0) { m_freem(n); return (0); } - KASSERT(up != NULL, ("%s: udpcb NULL", __func__)); if (up->u_flags & UF_ESPINUDP) {/* IPSec UDP encaps. */ - if (udp_ipsec_input(n, off, AF_INET) != 0) + if (IPSEC_ENABLED(ipv4) && + UDPENCAP_INPUT(n, off, AF_INET) != 0) return (0); /* Consumed. */ } #endif /* IPSEC */ 
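Review bot: The udp_append hunk drops `KASSERT(up != NULL, ("%s: udpcb NULL", __func__));` but keeps the dereference `up->u_flags & UF_ESPINUDP` right after it, so the invariant is no longer checked on INVARIANTS kernels in a path that handles received datagrams. The commit log does not explain the removal. Unless code outside the hunk guarantees `up` is non-NULL, I would keep the assertion ahead of the `UF_ESPINUDP` test. udp_append starts and ends outside the hunk, so where `up` is assigned is not visible here.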
@@ -1008,9 +1006,13 @@ udp_ctloutput(struct socket *so, struct switch (sopt->sopt_dir) { case SOPT_SET: switch (sopt->sopt_name) { -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) case UDP_ENCAP: - error = udp_ipsec_pcbctl(inp, sopt); + if (!IPSEC_ENABLED(ipv4)) { + INP_WUNLOCK(inp); + return (ENOPROTOOPT); + } + error = UDPENCAP_PCBCTL(inp, sopt); break; #endif case UDPLITE_SEND_CSCOV: @@ -1049,9 +1051,13 @@ udp_ctloutput(struct socket *so, struct break; case SOPT_GET: switch (sopt->sopt_name) { -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) case UDP_ENCAP: - error = udp_ipsec_pcbctl(inp, sopt); + if (!IPSEC_ENABLED(ipv4)) { + INP_WUNLOCK(inp); + return (ENOPROTOOPT); + } + error = UDPENCAP_PCBCTL(inp, sopt); break; #endif case UDPLITE_SEND_CSCOV: From owner-svn-src-projects@freebsd.org Thu Dec 22 14:04:42 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A2EA0C8A942 for ; Thu, 22 Dec 2016 14:04:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 72D9FDC3; Thu, 22 Dec 2016 14:04:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME4fkr069228; Thu, 22 Dec 2016 14:04:41 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME4fIi069227; Thu, 22 Dec 2016 14:04:41 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221404.uBME4fIi069227@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:04:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310403 - projects/ipsec/sys/netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:04:42 -0000 Author: ae Date: Thu Dec 22 14:04:41 2016 New Revision: 310403 URL: https://svnweb.freebsd.org/changeset/base/310403 Log: Convert ip6_forward.c to use IPsec methods. Modified: projects/ipsec/sys/netinet6/ip6_forward.c Modified: projects/ipsec/sys/netinet6/ip6_forward.c ============================================================================== --- projects/ipsec/sys/netinet6/ip6_forward.c Thu Dec 22 14:03:01 2016 (r310402) +++ projects/ipsec/sys/netinet6/ip6_forward.c Thu Dec 22 14:04:41 2016 (r310403) @@ -69,9 +69,7 @@ __FBSDID("$FreeBSD$"); #include -#ifdef IPSEC -#include -#endif /* IPSEC */ +#include /* * Forward a packet. If some error occurs return the sender 
@@ -152,22 +150,17 @@ ip6_forward(struct mbuf *m, int srcrt) #endif ip6->ip6_hlim -= IPV6_HLIMDEC; -#ifdef IPSEC - if (IPSEC_FORWARD(ipv6, m, &error) != 0) { - /* mbuf consumed by IPsec */ - m_freem(mcopy); - return; - } - /* - * mbuf wasn't consumed by IPsec, check error code. - */ - if (error != 0) { - IP6STAT_INC(ip6s_cantforward); - m_freem(mcopy); - m_freem(m); - return; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv6)) { + if ((error = IPSEC_FORWARD(ipv4, m)) != 0) { + /* mbuf consumed by IPsec */ + m_freem(mcopy); + if (error != EINPROGRESS) + IP6STAT_INC(ip6s_cantforward); + return; + } + /* No IPsec processing required */ } - /* No IPsec processing required */ #endif again: bzero(&rin6, sizeof(struct route_in6)); From owner-svn-src-projects@freebsd.org Thu Dec 22 14:05:26 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D8C60C8A962 for ; Thu, 22 Dec 2016 14:05:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 99BE4ED1; Thu, 22 Dec 2016 14:05:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME5P0w069303; Thu, 22 Dec 2016 14:05:25 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME5Pv4069302; Thu, 22 Dec 2016 14:05:25 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221405.uBME5Pv4069302@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
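Review bot: The new call in ip6_forward passes the wrong address family: the block is guarded by `IPSEC_ENABLED(ipv6)` but then invokes `IPSEC_FORWARD(ipv4, m)`, so forwarded IPv6 packets would be handed to the IPv4 method. The line should read `if ((error = IPSEC_FORWARD(ipv6, m)) != 0) {`. Separately, the old code freed `m` itself when an error came back and the new code does not, so it now relies on IPSEC_FORWARD consuming the mbuf on every non-zero return, EINPROGRESS or not. The comment `/* mbuf consumed by IPsec */` says as much, but the method is not visible here, so that is worth confirming against its implementation. ip6_forward continues outside the hunk.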
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:05:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310404 - projects/ipsec/sys/netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:05:26 -0000 Author: ae Date: Thu Dec 22 14:05:25 2016 New Revision: 310404 URL: https://svnweb.freebsd.org/changeset/base/310404 Log: Convert ip6_input.c to use IPsec methods. Modified: projects/ipsec/sys/netinet6/ip6_input.c Modified: projects/ipsec/sys/netinet6/ip6_input.c ============================================================================== --- projects/ipsec/sys/netinet6/ip6_input.c Thu Dec 22 14:04:41 2016 (r310403) +++ projects/ipsec/sys/netinet6/ip6_input.c Thu Dec 22 14:05:25 2016 (r310404) @@ -118,11 +118,7 @@ __FBSDID("$FreeBSD$"); #include #include -#ifdef IPSEC -#include -#include -#include -#endif /* IPSEC */ +#include #include @@ -524,14 +520,11 @@ ip6_direct_input(struct mbuf *m) goto bad; } -#ifdef IPSEC - /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. - */ - if (ip6_ipsec_input(m, nxt)) - goto bad; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv6)) { + if (IPSEC_INPUT(ipv6, m, off, nxt) != 0) + return; + } #endif /* IPSEC */ nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); @@ -554,7 +547,7 @@ ip6_input(struct mbuf *m) int nxt, ours = 0; int srcrt = 0; -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * should the inner packet be considered authentic? * see comment in ah4_input(). 
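Review bot: In the ip6_direct_input hunk a rejected packet used to leave through `goto bad` and now leaves through a bare `return`, so the mbuf leaks unless IPSEC_INPUT frees it on every non-zero return, which is not visible here. I would state that on the new block, e.g. `/* IPSEC_INPUT() consumes m when it returns non-zero. */`, and keep the deleted note that pcb-layer protocols (udp/tcp/raw ip) do not pass through this check. The `passin:` hunk in ip6_input further down makes the identical change and needs the same comment. ip6_direct_input starts and ends outside the hunk.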
@@ -728,14 +721,39 @@ ip6_input(struct mbuf *m) goto bad; } #endif -#ifdef IPSEC +#if 0 + /* + * Try to forward the packet, but if we fail continue. + * ip6_tryforward() does inbound and outbound packet firewall + * processing. If firewall has decided that destination becomes + * our local address, it sets M_FASTFWD_OURS flag. In this + * case skip another inbound firewall processing and update + * ip6 pointer. + */ + if (V_ip6_forwarding != 0 +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + && (!IPSEC_ENABLED(ipv6) || + IPSEC_CAPS(ipv6, m, IPSEC_CAP_OPERABLE) == 0) +#endif + ) { + if ((m = ip6_tryforward(m)) == NULL) + return; + if (m->m_flags & M_FASTFWD_OURS) { + m->m_flags &= ~M_FASTFWD_OURS; + ours = 1; + ip6 = mtod(m, struct ip6_hdr *); + goto hbhcheck; + } + } +#endif +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * Bypass packet filtering for packets previously handled by IPsec. */ - if (ip6_ipsec_filtertunnel(m)) - goto passin; -#endif /* IPSEC */ - + if (IPSEC_ENABLED(ipv6) && + IPSEC_CAPS(ipv6, m, IPSEC_CAP_BYPASS_FILTER) != 0) + goto passin; +#endif /* * Run through list of hooks for input packets. * 
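Review bot: This hunk adds roughly twenty lines of ip6_tryforward() code inside `#if 0`, with a nested `#if defined(IPSEC) || defined(IPSEC_SUPPORT)` in the middle of an `if` condition, and the commit log does not mention it. Disabled code in the input path is never compiled, so it will drift from the function around it, and neither `ip6_tryforward` nor the `hbhcheck` label is defined within the hunk. I would drop the block from this commit and bring it in with the change that enables it, or at least mark the guard, e.g. `#if 0 /* XXX: not yet; needs ip6_tryforward() */`. ip6_input continues outside the hunk.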
@@ -945,14 +963,11 @@ passin: goto bad; } -#ifdef IPSEC - /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. - */ - if (ip6_ipsec_input(m, nxt)) - goto bad; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv6)) { + if (IPSEC_INPUT(ipv6, m, off, nxt) != 0) + return; + } #endif /* IPSEC */ nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); From owner-svn-src-projects@freebsd.org Thu Dec 22 14:07:06 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 135ECC8A9F5 for ; Thu, 22 Dec 2016 14:07:06 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BF3EDFF0; Thu, 22 Dec 2016 14:07:05 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME74ml069400; Thu, 22 Dec 2016 14:07:04 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME74XA069399; Thu, 22 Dec 2016 14:07:04 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221407.uBME74XA069399@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:07:04 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310405 - projects/ipsec/sys/netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:07:06 -0000 Author: ae Date: Thu Dec 22 14:07:04 2016 New Revision: 310405 URL: https://svnweb.freebsd.org/changeset/base/310405 Log: Convert ip6_output.c to use IPsec methods. Modified: projects/ipsec/sys/netinet6/ip6_output.c Modified: projects/ipsec/sys/netinet6/ip6_output.c ============================================================================== --- projects/ipsec/sys/netinet6/ip6_output.c Thu Dec 22 14:05:25 2016 (r310404) +++ projects/ipsec/sys/netinet6/ip6_output.c Thu Dec 22 14:07:04 2016 (r310405) @@ -107,12 +107,7 @@ __FBSDID("$FreeBSD$"); #include #include -#ifdef IPSEC -#include -#include -#include -#include -#endif /* IPSEC */ +#include #ifdef SCTP #include #include @@ -335,14 +330,19 @@ ip6_output(struct mbuf *m0, struct ip6_p } } -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * IPSec checking which handles several cases. * FAST IPSEC: We re-injected the packet. * XXX: need scope argument. */ - if (IPSEC_OUTPUT(ipv6, m, inp, &error) != 0) - goto done; + if (IPSEC_ENABLED(ipv6)) { + if ((error = IPSEC_OUTPUT(ipv6, m, inp)) != 0) { + if (error == EINPROGRESS) + error = 0; + goto done; + } + } #endif /* IPSEC */ bzero(&exthdrs, sizeof(exthdrs)); 
@@ -1863,10 +1863,13 @@ do { \ INP_WUNLOCK(in6p); break; -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) case IPV6_IPSEC_POLICY: - error = ip6_ipsec_pcbctl(in6p, sopt); - break; + if (IPSEC_ENABLED(ipv6)) { + error = IPSEC_PCBCTL(ipv6, in6p, sopt); + break; + } + /* FALLTHROUGH */ #endif /* IPSEC */ default: @@ -2091,12 +2094,14 @@ do { \ error = ip6_getmoptions(in6p, sopt); break; -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) case IPV6_IPSEC_POLICY: - error = ip6_ipsec_pcbctl(in6p, sopt); - break; + if (IPSEC_ENABLED(ipv6)) { + error = IPSEC_PCBCTL(ipv6, in6p, sopt); + break; + } + /* FALLTHROUGH */ #endif /* IPSEC */ - default: error = ENOPROTOOPT; break; From owner-svn-src-projects@freebsd.org Thu Dec 22 14:08:18 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7524CC8AA2D for ; Thu, 22 Dec 2016 14:08:18 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 36F551118; Thu, 22 Dec 2016 14:08:18 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME8Hpk069480; Thu, 22 Dec 2016 14:08:17 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME8Hpk069478; Thu, 22 Dec 2016 14:08:17 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221408.uBME8Hpk069478@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:08:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310406 - projects/ipsec/sys/netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:08:18 -0000 Author: ae Date: Thu Dec 22 14:08:17 2016 New Revision: 310406 URL: https://svnweb.freebsd.org/changeset/base/310406 Log: Convert raw_ip6.c and udp6_usrreq.c to use IPsec methods. Modified: projects/ipsec/sys/netinet6/raw_ip6.c projects/ipsec/sys/netinet6/udp6_usrreq.c Modified: projects/ipsec/sys/netinet6/raw_ip6.c ============================================================================== --- projects/ipsec/sys/netinet6/raw_ip6.c Thu Dec 22 14:07:04 2016 (r310405) +++ projects/ipsec/sys/netinet6/raw_ip6.c Thu Dec 22 14:08:17 2016 (r310406) @@ -104,10 +104,7 @@ __FBSDID("$FreeBSD$"); #include #include -#ifdef IPSEC -#include -#include -#endif /* IPSEC */ +#include #include @@ -258,14 +255,18 @@ rip6_input(struct mbuf **mp, int *offp, if (last != NULL) { struct mbuf *n = m_copym(m, 0, M_COPYALL, M_NOWAIT); -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * Check AH/ESP integrity. */ - if (n && ipsec6_in_reject(n, last)) { - m_freem(n); - /* Do not inject data into pcb. */ - } else + if (IPSEC_ENABLED(ipv6)) { + if (n != NULL && + IPSEC_CHECK_POLICY(ipv6, n, last) != 0) { + m_freem(n); + /* Do not inject data into pcb. */ + n = NULL; + } + } #endif /* IPSEC */ if (n) { if (last->inp_flags & INP_CONTROLOPTS || 
@@ -289,11 +290,12 @@ rip6_input(struct mbuf **mp, int *offp, last = in6p; } INP_INFO_RUNLOCK(&V_ripcbinfo); -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * Check AH/ESP integrity. */ - if ((last != NULL) && ipsec6_in_reject(m, last)) { + if (IPSEC_ENABLED(ipv6) && last != NULL && + IPSEC_CHECK_POLICY(ipv6, m, last) != 0) { m_freem(m); IP6STAT_DEC(ip6s_delivered); /* Do not inject data into pcb. */ Modified: projects/ipsec/sys/netinet6/udp6_usrreq.c ============================================================================== --- projects/ipsec/sys/netinet6/udp6_usrreq.c Thu Dec 22 14:07:04 2016 (r310405) +++ projects/ipsec/sys/netinet6/udp6_usrreq.c Thu Dec 22 14:08:17 2016 (r310406) @@ -120,10 +120,7 @@ __FBSDID("$FreeBSD$"); #include #include -#ifdef IPSEC -#include -#include -#endif /* IPSEC */ +#include #include 
@@ -157,11 +154,13 @@ udp6_append(struct inpcb *inp, struct mb INP_RLOCK(inp); return (in_pcbrele_rlocked(inp)); } -#ifdef IPSEC +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* Check AH/ESP integrity. */ - if (ipsec6_in_reject(n, inp)) { - m_freem(n); - return (0); + if (IPSEC_ENABLED(ipv6)) { + if (IPSEC_CHECK_POLICY(ipv6, n, inp) != 0) { + m_freem(n); + return (0); + } } #endif /* IPSEC */ #ifdef MAC From owner-svn-src-projects@freebsd.org Thu Dec 22 14:09:02 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8D390C8AA4C for ; Thu, 22 Dec 2016 14:09:02 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5D4631275; Thu, 22 Dec 2016 14:09:02 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME91MM069550; Thu, 22 Dec 2016 14:09:01 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME9122069548; Thu, 22 Dec 2016 14:09:01 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221409.uBME9122069548@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:09:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310407 - projects/ipsec/sys/netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:09:02 -0000 Author: ae Date: Thu Dec 22 14:09:01 2016 New Revision: 310407 URL: https://svnweb.freebsd.org/changeset/base/310407 Log: Remove unneded includes and ifdefs. Modified: projects/ipsec/sys/netinet6/in6.h projects/ipsec/sys/netinet6/sctp6_usrreq.c Modified: projects/ipsec/sys/netinet6/in6.h ============================================================================== --- projects/ipsec/sys/netinet6/in6.h Thu Dec 22 14:08:17 2016 (r310406) +++ projects/ipsec/sys/netinet6/in6.h Thu Dec 22 14:09:01 2016 (r310407) @@ -432,10 +432,7 @@ struct route_in6 { #define IPV6_BINDV6ONLY IPV6_V6ONLY #endif -#if 1 /* IPSEC */ #define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */ -#endif /* IPSEC */ - /* 29; unused; was IPV6_FAITH */ #if 1 /* IPV6FIREWALL */ #define IPV6_FW_ADD 30 /* add a firewall rule to chain */ Modified: projects/ipsec/sys/netinet6/sctp6_usrreq.c ============================================================================== --- projects/ipsec/sys/netinet6/sctp6_usrreq.c Thu Dec 22 14:08:17 2016 (r310406) +++ projects/ipsec/sys/netinet6/sctp6_usrreq.c Thu Dec 22 14:09:01 2016 (r310407) 
@@ -55,11 +55,6 @@ __FBSDID("$FreeBSD$"); #include #include -#ifdef IPSEC -#include -#include -#endif /* IPSEC */ - extern struct protosw inetsw[]; int From owner-svn-src-projects@freebsd.org Thu Dec 22 14:11:41 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0A205C8AD78 for ; Thu, 22 Dec 2016 14:11:41 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B39231676; Thu, 22 Dec 2016 14:11:40 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMEBduV072522; Thu, 22 Dec 2016 14:11:39 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMEBdbp072521; Thu, 22 Dec 2016 14:11:39 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221411.uBMEBdbp072521@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:11:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310408 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:11:41 -0000 Author: ae Date: Thu Dec 22 14:11:39 2016 New Revision: 310408 URL: https://svnweb.freebsd.org/changeset/base/310408 Log: Make ipsec_control_pcbpolicy() static and implement IPSEC_PCBCTL() method for IPv4 and IPv6. Modified: projects/ipsec/sys/netipsec/ipsec_pcb.c Modified: projects/ipsec/sys/netipsec/ipsec_pcb.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_pcb.c Thu Dec 22 14:09:01 2016 (r310407) +++ projects/ipsec/sys/netipsec/ipsec_pcb.c Thu Dec 22 14:11:39 2016 (r310408) @@ -27,6 +27,10 @@ #include __FBSDID("$FreeBSD$"); +#include "opt_inet.h" +#include "opt_inet6.h" +#include "opt_ipsec.h" + #include #include #include @@ -43,9 +47,12 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include +MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy"); + /* Initialize PCB policy. */ int ipsec_init_pcbpolicy(struct inpcb *inp) @@ -288,7 +295,7 @@ ipsec_get_pcbpolicy(struct inpcb *inp, v } /* Handle socket option control request for PCB */ -int +static int ipsec_control_pcbpolicy(struct inpcb *inp, struct sockopt *sopt) { void *optdata; 
@@ -327,3 +334,31 @@ ipsec_control_pcbpolicy(struct inpcb *in return (error); } +#ifdef INET +/* + * IPSEC_PCBCTL() method implementation for IPv4. + */ +int +ipsec4_pcbctl(struct inpcb *inp, struct sockopt *sopt) +{ + + if (sopt->sopt_name != IP_IPSEC_POLICY) + return (ENOPROTOOPT); + return (ipsec_control_pcbpolicy(inp, sopt)); +} +#endif + +#ifdef INET6 +/* + * IPSEC_PCBCTL() method implementation for IPv6. + */ +int +ipsec6_pcbctl(struct inpcb *inp, struct sockopt *sopt) +{ + + if (sopt->sopt_name != IPV6_IPSEC_POLICY) + return (ENOPROTOOPT); + return (ipsec_control_pcbpolicy(inp, sopt)); +} +#endif + From owner-svn-src-projects@freebsd.org Thu Dec 22 14:15:29 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 38184C8AE57 for ; Thu, 22 Dec 2016 14:15:29 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id EE45B18C5; Thu, 22 Dec 2016 14:15:28 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMEFSvL073351; Thu, 22 Dec 2016 14:15:28 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMEFSKQ073350; Thu, 22 Dec 2016 14:15:28 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221415.uBMEFSKQ073350@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
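Review bot: `ipsec4_pcbctl()` and `ipsec6_pcbctl()` validate only `sopt->sopt_name`; nothing in the hunk looks at `sopt->sopt_level`, so the header comments should state that the caller has already matched the level before the request reaches `ipsec_control_pcbpolicy()`. The callers are outside this hunk, so that assumption cannot be confirmed from here. I would extend each comment with a line such as ` * The caller has already matched sopt_level; any other option name returns ENOPROTOOPT.` so the contract is visible where the policy-setting path starts. The two bodies differ only in the option constant, which is fine as written but makes it easy for a later fix to land in one and not the other.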
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:15:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310409 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:15:29 -0000 Author: ae Date: Thu Dec 22 14:15:27 2016 New Revision: 310409 URL: https://svnweb.freebsd.org/changeset/base/310409 Log: Add IPSEC_CAPS() method implementation. Currently there are two capabilities defined: o IPSEC_CAP_BYPASS_FILTER: checks that packet filter processing should be skipped for inbound packet. o IPSEC_CAP_OPERABLE: checks that there are some security policies configured. Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Thu Dec 22 14:11:39 2016 (r310408) +++ projects/ipsec/sys/netipsec/ipsec.c Thu Dec 22 14:15:27 2016 (r310409) @@ -88,6 +88,7 @@ #include #include /*XXX*/ #include +#include #include #include @@ -124,6 +125,8 @@ VNET_DEFINE(int, ip4_ah_net_deflev) = IP VNET_DEFINE(int, ip4_ipsec_ecn) = 0; VNET_DEFINE(int, ip4_esp_randpad) = -1; +static VNET_DEFINE(int, ip4_filtertunnel) = 0; +#define V_ip4_filtertunnel VNET(ip4_filtertunnel) static VNET_DEFINE(int, check_policy_history) = 0; #define V_check_policy_history VNET(check_policy_history) static VNET_DEFINE(struct secpolicy, def_policy); 
@@ -190,6 +193,9 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, ch SYSCTL_INT(_net_inet_ipsec, OID_AUTO, natt_cksum_policy, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(natt_cksum_policy), 0, "Method to fix TCP/UDP checksum for transport mode IPsec after NAT."); +SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_filtertunnel), 0, + "If set filter packets from an IPsec tunnel."); SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat, ipsec4stat, "IPsec IPv4 statistics."); @@ -226,6 +232,9 @@ VNET_DEFINE(int, ip6_ah_trans_deflev) = VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE; VNET_DEFINE(int, ip6_ipsec_ecn) = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ +static VNET_DEFINE(int, ip6_filtertunnel) = 0; +#define V_ip6_filtertunnel VNET(ip6_filtertunnel) + SYSCTL_DECL(_net_inet6_ipsec6); /* net.inet6.ipsec6 */ @@ -250,6 +259,9 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_E SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, "Enable IPsec debugging output when set."); +SYSCTL_INT(_net_inet6_ipsec6, OID_AUTO, filtertunnel, + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_filtertunnel), 0, + "If set filter packets from an IPsec tunnel."); SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats, struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics."); #endif /* INET6 */ @@ -272,8 +284,6 @@ static void ipsec6_setspidx_ipaddr(const struct secpolicyindex *); #endif -MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy"); - /* * Return a held reference to the default SP. */ @@ -329,6 +339,7 @@ ipsec_checkpolicy(struct secpolicy *sp, sp = NULL; /* NB: force NULL result. */ break; case IPSEC_POLICY_IPSEC: + /* XXXAE: handle LARVAL SP */ break; } KEYDBG(IPSEC_DUMP, 
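Review bot: The description string of the new `filtertunnel` sysctl, added in both the `net.inet.ipsec` and `net.inet6.ipsec6` hunks, does not say what the default of 0 means. `ipsec4_capability()` and `ipsec6_capability()` in the following hunks read 0 as "bypass packet filtering" for any inbound packet carrying `PACKET_TAG_IPSEC_IN_DONE`, so with the default setting decapsulated tunnel traffic is not shown to the packet filter. An operator reading the description cannot tell that from "If set filter packets from an IPsec tunnel." I would spell it out, e.g. `"If set, run the packet filter on packets decapsulated from an IPsec tunnel; 0 (default) bypasses it."`.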
@@ -685,6 +696,33 @@ ipsec4_in_reject(const struct mbuf *m, s
 return (result);
 }
+/*
+ * IPSEC_CAP() method implementation for IPv4.
+ */
+int
+ipsec4_capability(struct mbuf *m, u_int cap)
+{
+
+ switch (cap) {
+ case IPSEC_CAP_BYPASS_FILTER:
+ /*
+ * Bypass packet filtering for packets previously handled
+ * by IPsec.
+ */
+ if (!V_ip4_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ return (1);
+ return (0);
+ case IPSEC_CAP_OPERABLE:
+ /* Do we have active security policies? */
+ if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
+ key_havesp(IPSEC_DIR_OUTBOUND) != 0)
+ return (1);
+ return (0);
+ };
+ return (EOPNOTSUPP);
+}
+
 #endif /* INET */
 #ifdef INET6
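Review bot: `ipsec4_capability()` mixes two return conventions: the two known capabilities answer 1 or 0, but an unrecognised `cap` falls out of the switch and returns `EOPNOTSUPP`, which is non-zero. If callers test the result as a boolean (they are outside this hunk), an unknown capability reads as "yes", which is the permissive answer for a query of the `IPSEC_CAP_BYPASS_FILTER` kind. I would either add `default: return (0);` or document in the header comment that callers must compare against 1 rather than test for non-zero. The same applies to `ipsec6_capability()` in the next hunk. The `};` closing the switch in both functions also carries a stray semicolon.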
@@ -859,7 +897,33 @@ ipsec6_in_reject(const struct mbuf *m, s return (result); } -#endif +/* + * IPSEC_CAP() method implementation for IPv6. + */ +int +ipsec6_capability(struct mbuf *m, u_int cap) +{ + + switch (cap) { + case IPSEC_CAP_BYPASS_FILTER: + /* + * Bypass packet filtering for packets previously handled + * by IPsec. + */ + if (!V_ip6_filtertunnel && + m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) + return (1); + return (0); + case IPSEC_CAP_OPERABLE: + /* Do we have active security policies? */ + if (key_havesp(IPSEC_DIR_INBOUND) != 0 || + key_havesp(IPSEC_DIR_OUTBOUND) != 0) + return (1); + return (0); + }; + return (EOPNOTSUPP); +} +#endif /* INET6 */ int ipsec_run_hhooks(struct ipsec_ctx_data *ctx, int type) From owner-svn-src-projects@freebsd.org Thu Dec 22 14:17:32 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4165BC8AEFE for ; Thu, 22 Dec 2016 14:17:32 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 024F11AAE; Thu, 22 Dec 2016 14:17:31 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMEHVvc073462; Thu, 22 Dec 2016 14:17:31 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMEHV2J073461; Thu, 22 Dec 2016 14:17:31 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221417.uBMEHV2J073461@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:17:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310410 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:17:32 -0000 Author: ae Date: Thu Dec 22 14:17:30 2016 New Revision: 310410 URL: https://svnweb.freebsd.org/changeset/base/310410 Log: Add IPSEC_INPUT() method implementation for IPv4 and IPv6. Modified: projects/ipsec/sys/netipsec/ipsec_input.c Modified: projects/ipsec/sys/netipsec/ipsec_input.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_input.c Thu Dec 22 14:15:27 2016 (r310409) +++ projects/ipsec/sys/netipsec/ipsec_input.c Thu Dec 22 14:17:30 2016 (r310410) @@ -1,4 +1,3 @@ -/* $FreeBSD$ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ /*- * The authors of this code are John Ioannidis (ji@tla.org), @@ -19,6 +18,7 @@ * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, * Angelos D. Keromytis and Niels Provos. * Copyright (c) 2001, Angelos D. Keromytis. + * Copyright (c) 2016 Andrey V. Elsukov * * Permission to use, copy, and modify this software with or without fee * is hereby granted, provided that this entire notice is included in @@ -40,6 +40,9 @@ * IPsec input processing. */ +#include +__FBSDID("$FreeBSD$"); + #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" 
@@ -225,18 +228,44 @@ ipsec_common_input(struct mbuf *m, int s
 }
 #ifdef INET
+extern struct protosw inetsw[];
+
+/*
+ * IPSEC_INPUT() method implementation for IPv4.
+ * 0 - Permitted by inbound security policy for further processing.
+ * EACCES - Forbidden by inbound security policy.
+ * EINPROGRESS - consumed by IPsec.
+ */
 int
-ipsec4_common_input(struct mbuf **mp, int *offp, int proto)
+ipsec4_input(struct mbuf *m, int offset, int proto)
 {
- struct mbuf *m;
- int off;
- m = *mp;
- off = *offp;
- *mp = NULL;
-
- ipsec_common_input(m, off, offsetof(struct ip, ip_p), AF_INET, proto);
- return (IPPROTO_DONE);
+ switch (proto) {
+ case IPPROTO_AH:
+ case IPPROTO_ESP:
+ case IPPROTO_IPCOMP:
+ /* Do inbound IPsec processing for AH/ESP/IPCOMP */
+ ipsec_common_input(m, offset,
+ offsetof(struct ip, ip_p), AF_INET, proto);
+ return (EINPROGRESS); /* mbuf consumed by IPsec */
+ default:
+ /*
+ * Protocols with further headers get their IPsec treatment
+ * within the protocol specific processing.
+ */
+ if ((inetsw[ip_protox[proto]].pr_flags & PR_LASTHDR) == 0)
+ return (0);
+ /* FALLTHROUGH */
+ };
+ /*
+ * Enforce IPsec policy checking if we are seeing last header.
+ */
+ if (ipsec4_in_reject(m, NULL) != 0) {
+ /* Forbidden by inbound security policy */
+ m_freem(m);
+ return (EACCES);
+ }
+ return (0);
 }
 /*
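Review bot: The header comment on `ipsec4_input()` lists the three return codes but not who owns `m` afterwards, and the cases differ: on EINPROGRESS the mbuf went to `ipsec_common_input()`, on EACCES it was freed by `m_freem(m)` here, and on 0 the caller still owns it. A caller that frees the mbuf on any non-zero return would double-free, so the comment should carry the contract, e.g. ` * EACCES - Forbidden by inbound security policy; mbuf has been freed.` Separately, `proto` is a signed `int` used unchecked as the index in `ip_protox[proto]`. The callers are not in this hunk, so an `IPSEC_ASSERT(proto >= 0 && proto < IPPROTO_MAX, ("bad proto %d", proto));` before the switch would make the assumed range explicit.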
@@ -414,48 +443,44 @@ bad: #endif /* INET */ #ifdef INET6 -/* IPv6 AH wrapper. */ +extern struct protosw inet6sw[]; + +/* + * IPSEC_INPUT() method implementation for IPv6. + * 0 - Permitted by inbound security policy for further processing. + * EACCES - Forbidden by inbound security policy. + * EINPROGRESS - consumed by IPsec. + */ int -ipsec6_common_input(struct mbuf **mp, int *offp, int proto) +ipsec6_input(struct mbuf *m, int offset, int proto) { - int l = 0; - int protoff; - struct ip6_ext ip6e; - - if (*offp < sizeof(struct ip6_hdr)) { - DPRINTF(("%s: bad offset %u\n", __func__, *offp)); - return IPPROTO_DONE; - } else if (*offp == sizeof(struct ip6_hdr)) { - protoff = offsetof(struct ip6_hdr, ip6_nxt); - } else { - /* Chase down the header chain... */ - protoff = sizeof(struct ip6_hdr); - do { - protoff += l; - m_copydata(*mp, protoff, sizeof(ip6e), - (caddr_t) &ip6e); - - if (ip6e.ip6e_nxt == IPPROTO_AH) - l = (ip6e.ip6e_len + 2) << 2; - else - l = (ip6e.ip6e_len + 1) << 3; - IPSEC_ASSERT(l > 0, ("l went zero or negative")); - } while (protoff + l < *offp); - - /* Malformed packet check */ - if (protoff + l != *offp) { - DPRINTF(("%s: bad packet header chain, protoff %u, " - "l %u, off %u\n", __func__, protoff, l, *offp)); - IPSEC_ISTAT(proto, hdrops); - m_freem(*mp); - *mp = NULL; - return IPPROTO_DONE; - } - protoff += offsetof(struct ip6_ext, ip6e_nxt); + switch (proto) { + case IPPROTO_AH: + case IPPROTO_ESP: + case IPPROTO_IPCOMP: + /* Do inbound IPsec processing for AH/ESP/IPCOMP */ + ipsec_common_input(m, offset, + offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto); + return (EINPROGRESS); /* mbuf consumed by IPsec */ + default: + /* + * Protocols with further headers get their IPsec treatment + * within the protocol specific processing. + */ + if ((inet6sw[ip6_protox[proto]].pr_flags & PR_LASTHDR) == 0) + return (0); + /* FALLTHROUGH */ + }; + /* + * Enforce IPsec policy checking if we are seeing last header. 
+ */ + if (ipsec4_in_reject(m, NULL) != 0) { + /* Forbidden by inbound security policy */ + m_freem(m); + return (EACCES); } - (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto); - return IPPROTO_DONE; + return (0); } /* From owner-svn-src-projects@freebsd.org Thu Dec 22 14:18:44 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8437AC8AF73 for ; Thu, 22 Dec 2016 14:18:44 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5EEB31C00; Thu, 22 Dec 2016 14:18:44 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMEIhXq073540; Thu, 22 Dec 2016 14:18:43 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMEIhsZ073539; Thu, 22 Dec 2016 14:18:43 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221418.uBMEIhsZ073539@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
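Review bot: In `ipsec6_input()` the last-header policy check calls `ipsec4_in_reject(m, NULL)`, the IPv4 routine, on an IPv6 packet; the line should read `if (ipsec6_in_reject(m, NULL) != 0) {`. `ipsec6_in_reject()` is prototyped in ipsec6.h and is what `ipsec6_forward()` uses in r310411. As written the inbound decision for IPv6 last-header protocols is made by the IPv4 lookup, so an IPv6 discard or require policy may not be applied (the body of `ipsec4_in_reject()` is not visible here). A kernel built without INET would presumably also fail to link, since `ipsec4_in_reject()` sits inside `#ifdef INET` in ipsec.c. Separately, the removed code walked the extension-header chain to compute `protoff`, while the new call always passes `offsetof(struct ip6_hdr, ip6_nxt)`; it is worth confirming that the callee recomputes it.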
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:18:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310411 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:18:44 -0000 Author: ae Date: Thu Dec 22 14:18:43 2016 New Revision: 310411 URL: https://svnweb.freebsd.org/changeset/base/310411 Log: Add IPSEC_OUTPUT() and IPSEC_FORWARD() methods implementation. Modified: projects/ipsec/sys/netipsec/ipsec_output.c Modified: projects/ipsec/sys/netipsec/ipsec_output.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_output.c Thu Dec 22 14:17:30 2016 (r310410) +++ projects/ipsec/sys/netipsec/ipsec_output.c Thu Dec 22 14:18:43 2016 (r310411) @@ -1,5 +1,6 @@ /*- * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting + * Copyright (c) 2016 Andrey V. Elsukov * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -32,6 +33,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_sctp.h" #include #include @@ -67,6 +69,9 @@ #ifdef INET6 #include #endif +#ifdef SCTP +#include +#endif #include #ifdef INET6 @@ -84,10 +89,6 @@ #include -#ifdef IPSEC_NAT_T -#include -#endif - #define IPSEC_OSTAT_INC(proto, name) do { \ if ((proto) == IPPROTO_ESP) \ ESPSTAT_INC(esps_##name); \ 
@@ -293,6 +294,111 @@ ipsec4_process_packet(struct mbuf *m, st return (ipsec4_perform_request(m, sp, 0)); } + +static int +ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding) +{ + struct secpolicy *sp; + int error, idx; + + /* Lookup for the corresponding outbound security policy */ + sp = ipsec4_checkpolicy(m, inp, &error); + if (sp == NULL) { + if (error == -EINVAL) { + /* Discarded by policy. */ + m_freem(m); + return (EACCES); + } + return (0); /* No IPsec required. */ + } + + if (forwarding) { + /* + * Check that SP has tunnel mode IPsec transform. + * We can't use transport mode when forwarding. + */ + for (idx = 0; idx < sp->tcount; idx++) { + if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL) + break; + } + if (idx == sp->tcount) { + IPSECSTAT_INC(ips_out_inval); + key_freesp(&sp); + m_freem(m); + return (EACCES); + } + } else { + /* + * Do delayed checksums now because we send before + * this is done in the normal processing path. + */ + if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { + in_delayed_cksum(m); + m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; + } +#ifdef SCTP + if (m->m_pkthdr.csum_flags & CSUM_SCTP) { + struct ip *ip = mtod(m, struct ip *); + + sctp_delayed_cksum(m, (uint32_t)(ip->ip_hl << 2)); + m->m_pkthdr.csum_flags &= ~CSUM_SCTP; + } +#endif + } + /* NB: callee frees mbuf and releases reference to SP */ + error = ipsec4_process_packet(m, sp, inp); + if (error == EJUSTRETURN) { + /* + * We had a SP with a level of 'use' and no SA. We + * will just continue to process the packet without + * IPsec processing and return without error. + */ + return (0); + } + if (error == 0) + return (EINPROGRESS); /* consumed by IPsec */ + return (error); +} + +/* + * IPSEC_OUTPUT() method implementation for IPv4. + * 0 - no IPsec handling needed + * other values - mbuf consumed by IPsec. + */ +int +ipsec4_output(struct mbuf *m, struct inpcb *inp) +{ + + /* + * If the packet is resubmitted to ip_output (e.g. after + * AH, ESP, etc. 
processing), there will be a tag to bypass + * the lookup and related policy checking. + */ + if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) + return (0); + + return (ipsec4_common_output(m, inp, 0)); +} + +/* + * IPSEC_FORWARD() method implementation for IPv4. + * 0 - no IPsec handling needed + * other values - mbuf consumed by IPsec. + */ +int +ipsec4_forward(struct mbuf *m) +{ + + /* + * Check if this packet has an active inbound SP and needs to be + * dropped instead of forwarded. + */ + if (ipsec4_in_reject(m, NULL) != 0) { + m_freem(m); + return (EACCES); + } + return (ipsec4_common_output(m, NULL, 1)); +} #endif #ifdef INET6 
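Review bot: In `ipsec4_common_output()` a NULL policy is treated as "No IPsec required" for every value of `error` except `-EINVAL`. If `ipsec4_checkpolicy()` can report any other failure through `error` (its body is not in this hunk), the packet continues down the output path unprotected instead of being dropped. Failing closed costs little: add `if (error != 0) { m_freem(m); return (EACCES); }` ahead of the `return (0);`. The same pattern appears in `ipsec6_common_output()` in the next hunk. The header comments on `ipsec4_output()` and `ipsec4_forward()` say "other values - mbuf consumed by IPsec", which also has to cover the EACCES paths where the mbuf is freed; "mbuf consumed or freed" would be more accurate.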
@@ -502,6 +608,117 @@ ipsec6_process_packet(struct mbuf *m, st return (ipsec6_perform_request(m, sp, 0)); } + +static int +ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding) +{ + struct secpolicy *sp; + int error, idx; + + /* Lookup for the corresponding outbound security policy */ + sp = ipsec6_checkpolicy(m, inp, &error); + if (sp == NULL) { + if (error == -EINVAL) { + /* Discarded by policy. */ + m_freem(m); + return (EACCES); + } + return (0); /* No IPsec required. */ + } + + if (forwarding) { + /* + * Check that SP has tunnel mode IPsec transform. + * We can't use transport mode when forwarding. + * + * RFC2473 says: + * "A tunnel IPv6 packet resulting from the encapsulation of + * an original packet is considered an IPv6 packet originating + * from the tunnel entry-point node." + * So, we don't need MTU checking, after IPsec processing + * we will just fragment it if needed. + */ + for (idx = 0; idx < sp->tcount; idx++) { + if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL) + break; + } + if (idx == sp->tcount) { + IPSEC6STAT_INC(ips_out_inval); + key_freesp(&sp); + m_freem(m); + return (EACCES); + } + } else { + /* + * Do delayed checksums now because we send before + * this is done in the normal processing path. + */ + if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { + in6_delayed_cksum(m, m->m_pkthdr.len - + sizeof(struct ip6_hdr), sizeof(struct ip6_hdr)); + m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; + } +#ifdef SCTP + if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) { + sctp_delayed_cksum(m, sizeof(struct ip6_hdr)); + m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6; + } +#endif + } + /* NB: callee frees mbuf and releases reference to SP */ + error = ipsec6_process_packet(m, sp, inp); + if (error == EJUSTRETURN) { + /* + * We had a SP with a level of 'use' and no SA. We + * will just continue to process the packet without + * IPsec processing and return without error. 
+ */ + return (0); + } + if (error == 0) + return (EINPROGRESS); /* consumed by IPsec */ + return (error); +} + +/* + * IPSEC_OUTPUT() method implementation for IPv6. + * 0 - no IPsec handling needed + * other values - mbuf consumed by IPsec. + */ +int +ipsec6_output(struct mbuf *m, struct inpcb *inp) +{ + + /* + * If the packet is resubmitted to ip_output (e.g. after + * AH, ESP, etc. processing), there will be a tag to bypass + * the lookup and related policy checking. + */ + if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) + return (0); + + return (ipsec6_common_output(m, inp, 0)); +} + +/* + * IPSEC_FORWARD() method implementation for IPv6. + * 0 - no IPsec handling needed + * other values - mbuf consumed by IPsec. + */ +int +ipsec6_forward(struct mbuf *m) +{ + + /* + * Check if this packet has an active inbound SP and needs to be + * dropped instead of forwarded. + */ + if (ipsec6_in_reject(m, NULL) != 0) { + m_freem(m); + return (EACCES); + } + return (ipsec6_common_output(m, NULL, 1)); +} #endif /* INET6 */ int From owner-svn-src-projects@freebsd.org Thu Dec 22 14:21:15 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 90E3EC8AFFF for ; Thu, 22 Dec 2016 14:21:15 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 471791DAB; Thu, 22 Dec 2016 14:21:15 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMELE0m075769; Thu, 22 Dec 2016 14:21:14 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMELE8E075768; Thu, 22 Dec 2016 
14:21:14 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221421.uBMELE8E075768@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:21:14 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310412 - in projects/ipsec/sys: netinet netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:21:15 -0000 Author: ae Date: Thu Dec 22 14:21:14 2016 New Revision: 310412 URL: https://svnweb.freebsd.org/changeset/base/310412 Log: Remove ip_ipsec.[ch] and ip6_ipsec.[ch]. Now this functional reworked into IPsec methods. Deleted: projects/ipsec/sys/netinet/ip_ipsec.c projects/ipsec/sys/netinet/ip_ipsec.h projects/ipsec/sys/netinet6/ip6_ipsec.c projects/ipsec/sys/netinet6/ip6_ipsec.h From owner-svn-src-projects@freebsd.org Thu Dec 22 14:27:09 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2B35DC8B1DE for ; Thu, 22 Dec 2016 14:27:09 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E3E64180; Thu, 22 Dec 2016 14:27:08 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMER8vW077534; Thu, 22 Dec 2016 14:27:08 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMER7ka077529; Thu, 22 Dec 2016 14:27:07 GMT (envelope-from ae@FreeBSD.org) Message-Id: 
<201612221427.uBMER7ka077529@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 14:27:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310413 - in projects/ipsec/sys: conf netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 14:27:09 -0000 Author: ae Date: Thu Dec 22 14:27:07 2016 New Revision: 310413 URL: https://svnweb.freebsd.org/changeset/base/310413 Log: Add netipsec/subr_ipsec.c file. It is build into kernel when IPSEC or IPSEC_SUPPORT options configured. It contains code that is expanded for IPsec methods macros. Also update sys/conf/files to reflect changes related to IPSEC_SUPPORT option. And update functions declarations in ipsec[6].h. Added: projects/ipsec/sys/netipsec/subr_ipsec.c (contents, props changed) Modified: projects/ipsec/sys/conf/files projects/ipsec/sys/netipsec/ipsec.h projects/ipsec/sys/netipsec/ipsec6.h projects/ipsec/sys/netipsec/udpencap.c Modified: projects/ipsec/sys/conf/files ============================================================================== --- projects/ipsec/sys/conf/files Thu Dec 22 14:21:14 2016 (r310412) +++ projects/ipsec/sys/conf/files Thu Dec 22 14:27:07 2016 (r310413) @@ -4067,7 +4067,6 @@ netinet/ip_encap.c optional inet | inet netinet/ip_fastfwd.c optional inet netinet/ip_icmp.c optional inet | inet6 netinet/ip_input.c optional inet -netinet/ip_ipsec.c optional inet ipsec netinet/ip_mroute.c optional mrouting inet netinet/ip_options.c optional inet netinet/ip_output.c optional inet 
@@ -4136,7 +4135,6 @@ netinet6/ip6_id.c optional inet6 netinet6/ip6_input.c optional inet6 netinet6/ip6_mroute.c optional mrouting inet6 netinet6/ip6_output.c optional inet6 -netinet6/ip6_ipsec.c optional inet6 ipsec netinet6/mld6.c optional inet6 netinet6/nd6.c optional inet6 netinet6/nd6_nbr.c optional inet6 @@ -4150,16 +4148,22 @@ netipsec/ipsec.c optional ipsec inet | netipsec/ipsec_input.c optional ipsec inet | ipsec inet6 netipsec/ipsec_mbuf.c optional ipsec inet | ipsec inet6 netipsec/ipsec_output.c optional ipsec inet | ipsec inet6 -netipsec/ipsec_pcb.c optional ipsec inet | ipsec inet6 -netipsec/key.c optional ipsec inet | ipsec inet6 -netipsec/key_debug.c optional ipsec inet | ipsec inet6 -netipsec/keysock.c optional ipsec inet | ipsec inet6 +netipsec/ipsec_pcb.c optional ipsec inet | ipsec inet6 | \ + ipsec_support inet | ipsec_support inet6 +netipsec/key.c optional ipsec inet | ipsec inet6 | \ + ipsec_support inet | ipsec_support inet6 +netipsec/key_debug.c optional ipsec inet | ipsec inet6 | \ + ipsec_support inet | ipsec_support inet6 +netipsec/keysock.c optional ipsec inet | ipsec inet6 | \ + ipsec_support inet | ipsec_support inet6 +netipsec/subr_ipsec.c optional ipsec inet | ipsec inet6 | \ + ipsec_support inet | ipsec_support inet6 netipsec/udpencap.c optional ipsec inet netipsec/xform_ah.c optional ipsec inet | ipsec inet6 netipsec/xform_esp.c optional ipsec inet | ipsec inet6 netipsec/xform_ipcomp.c optional ipsec inet | ipsec inet6 netipsec/xform_tcp.c optional ipsec inet tcp_signature | \ - ipsec inet6 tcp_signature + ipsec inet6 tcp_signature netnatm/natm.c optional natm netnatm/natm_pcb.c optional natm netnatm/natm_proto.c optional natm Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Thu Dec 22 14:21:14 2016 (r310412) +++ projects/ipsec/sys/netipsec/ipsec.h Thu Dec 22 14:27:07 2016 (r310413) 
@@ -310,19 +310,7 @@ struct secpolicy *ipsec4_checkpolicy(con int *); u_int ipsec_get_reqlevel(struct secpolicy *, u_int); -size_t ipsec_hdrsiz_inpcb(struct inpcb *); -int ipsec_init_pcbpolicy(struct inpcb *); -int ipsec_delete_pcbpolicy(struct inpcb *); -int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *); -int ipsec_control_pcbpolicy(struct inpcb *, struct sockopt *); - -int tcp_ipsec_pcbctl(struct inpcb *, struct sockopt *); -int tcp_ipsec_input(struct mbuf *, struct tcphdr *, u_char *); -int tcp_ipsec_output(struct mbuf *, struct tcphdr *, u_char *); - -int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *); -int udp_ipsec_input(struct mbuf *, int, int); void udp_ipsec_adjust_cksum(struct mbuf *, struct secasvar *, int, int); int udp_ipsec_output(struct mbuf *, struct secasvar *); @@ -338,7 +326,10 @@ char *ipsec_logsastr(struct secasvar *, extern void ipsec_dumpmbuf(const struct mbuf *); int ipsec4_in_reject(const struct mbuf *, struct inpcb *); -int ipsec4_common_input(struct mbuf **, int *, int); +int ipsec4_input(struct mbuf *, int, int); +int ipsec4_forward(struct mbuf *); +int ipsec4_output(struct mbuf *, struct inpcb *); +int ipsec4_capability(struct mbuf *, u_int); int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int); int ipsec4_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *); int ipsec_process_done(struct mbuf *, struct secpolicy *, struct secasvar *, Modified: projects/ipsec/sys/netipsec/ipsec6.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec6.h Thu Dec 22 14:21:14 2016 (r310412) +++ projects/ipsec/sys/netipsec/ipsec6.h Thu Dec 22 14:27:07 2016 (r310413) 
@@ -59,17 +59,19 @@ VNET_DECLARE(int, ip6_ipsec_ecn); #define V_ip6_ipsec_ecn VNET(ip6_ipsec_ecn) struct inpcb; -extern int ipsec6_in_reject(const struct mbuf *, struct inpcb *); struct secpolicy *ipsec6_checkpolicy(const struct mbuf *, struct inpcb *, int *); -struct m_tag; -extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto); -extern int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, - int skip, int protoff); -extern void esp6_ctlinput(int, struct sockaddr *, void *); -int ipsec6_process_packet(struct mbuf *, struct secpolicy *, - struct inpcb *); +int ipsec6_input(struct mbuf *, int, int); +int ipsec6_in_reject(const struct mbuf *, struct inpcb *); +int ipsec6_forward(struct mbuf *); +int ipsec6_output(struct mbuf *, struct inpcb *); +int ipsec6_capability(struct mbuf *, u_int); +int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int); +int ipsec6_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *); + +int ip6_ipsec_filtertunnel(struct mbuf *); +int ip6_ipsec_pcbctl(struct inpcb *, struct sockopt *); #endif /*_KERNEL*/ #endif /*_NETIPSEC_IPSEC6_H_*/ Added: projects/ipsec/sys/netipsec/subr_ipsec.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/ipsec/sys/netipsec/subr_ipsec.c Thu Dec 22 14:27:07 2016 (r310413) 
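Review bot: The two prototypes added at the end of the ipsec6.h hunk, `ip6_ipsec_filtertunnel()` and `ip6_ipsec_pcbctl()`, name functions that no hunk in this series defines. r310412 deleted ip6_ipsec.c, the IPv6 PCB control method added in r310408 is called `ipsec6_pcbctl()`, and the filter-bypass decision now lives in `ipsec6_capability()`. They look like leftovers from the removed file, although definitions elsewhere in the tree cannot be ruled out from this page. A stale declaration in a security-relevant header invites a later caller to bind to the wrong name, so I would drop both lines. If `ipsec6_pcbctl()` is not declared in another header, `int ipsec6_pcbctl(struct inpcb *, struct sockopt *);` belongs here instead.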
@@ -0,0 +1,241 @@ +/*- + * Copyright (c) 2016 Andrey V. Elsukov + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "opt_inet.h" +#include "opt_inet6.h" +#include "opt_ipsec.h" + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include +#include +#include +#include + +/* + * This file is build in the kernel only when 'options IPSEC' or + * 'options IPSEC_SUPPORT' is enabled. + */ + +struct rmlock ipsec_kmod_lock; +RM_SYSINIT(ipsec_kmod_lock, &ipsec_kmod_lock, "IPsec KLD lock"); + +#define METHOD_DECL(...) __VA_ARGS__ +#define METHOD_ARGS(...) 
__VA_ARGS__ +#define IPSEC_KMOD_METHOD(name, sc, method, decl, args) \ +name (decl) \ +{ \ + struct rm_priotracker tracker; \ + int ret; \ + IPSEC_ASSERT(sc != NULL, ("called with NULL methods")); \ + rm_rlock(&ipsec_kmod_lock, &tracker); \ + ret = (*sc->method)(args); \ + rm_runlock(&ipsec_kmod_lock, &tracker); \ + return (ret); \ +} + +static int +ipsec_support_modevent(module_t mod, int type, void *data) +{ + + switch (type) { + case MOD_LOAD: + return (0); + case MOD_UNLOAD: + return (EBUSY); + default: + return (EOPNOTSUPP); + } +} + +static moduledata_t ipsec_support_mod = { + "ipsec_support", + ipsec_support_modevent, + 0 +}; + +/* + * Declare IPSEC_SUPPORT as module to be able add dependency in + * ipsec.ko and tcpmd5.ko + */ +DECLARE_MODULE(ipsec_support, ipsec_support_mod, + SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY); +MODULE_VERSION(ipsec_support, 1); + +#ifdef TCP_SIGNATURE +const int tcp_ipsec_support = 1; +#else +#ifdef IPSEC_SUPPORT +volatile int tcp_ipsec_support = 0; +const struct tcpmd5_support * volatile tcp_ipsec_methods = NULL; + +int IPSEC_KMOD_METHOD(tcpmd5_kmod_input, + tcp_ipsec_methods, + input, METHOD_DECL(struct mbuf *m, struct tcphdr *th, u_char *buf), + METHOD_ARGS(m, th, buf) +) + +int IPSEC_KMOD_METHOD(tcpmd5_kmod_output, + tcp_ipsec_methods, + output, METHOD_DECL(struct mbuf *m, struct tcphdr *th, u_char *buf), + METHOD_ARGS(m, th, buf) +) + +int IPSEC_KMOD_METHOD(tcpmd5_kmod_pcbctl, + tcp_ipsec_methods, + pcbctl, METHOD_DECL(struct inpcb *inp, struct sockopt *sopt), + METHOD_ARGS(inp, sopt) +) +#endif +#endif + +#ifdef IPSEC +/* + * IPsec support is build in the kernel. Additional locking isn't required. 
+ */ +#ifdef INET +static struct ipsec_support ipv4_ipsec = { + .input = ipsec4_input, + .forward = ipsec4_forward, + .output = ipsec4_output, + .pcbctl = ipsec4_pcbctl, + .capability = ipsec4_capability, + .check_policy = ipsec4_in_reject, + .hdrsize = ipsec_hdrsiz_inpcb +}; +const int ipv4_ipsec_support = 1; +const struct ipsec_support * const ipv4_ipsec_methods = &ipv4_ipsec; +#endif + +#ifdef INET6 +static struct ipsec_support ipv6_ipsec = { + .input = ipsec6_input, + .forward = ipsec6_forward, + .output = ipsec6_output, + .pcbctl = ipsec6_pcbctl, + .capability = ipsec6_capability, + .check_policy = ipsec6_in_reject + .hdrsize = ipsec_hdrsiz_inpcb +}; +const int ipv6_ipsec_support = 1; +const struct ipsec_support * const ipv6_ipsec_methods = &ipv6_ipsec; +#endif +#else /* IPSEC_SUPPORT */ +/* + * IPsec support is build as kernel module. + */ +#ifdef INET +volatile int ipv4_ipsec_support = 0; +const struct ipsec_support * volatile ipv4_ipsec_methods = NULL; +const struct udpencap_support * volatile udp_ipsec_methods = NULL; + +int IPSEC_KMOD_METHOD(udpencap_kmod_input, + udp_ipsec_methods, + input, METHOD_DECL(struct mbuf *m, int off, int af), + METHOD_ARGS(m, off, af) +) + +int IPSEC_KMOD_METHOD(udpencap_kmod_pcbctl, + udp_ipsec_methods, + pcbctl, METHOD_DECL(struct inpcb *inp, struct sockopt *sopt), + METHOD_ARGS(inp, sopt) +) +#endif + +#ifdef INET6 +volatile int ipv6_ipsec_support = 0; +const struct ipsec_support * volatile ipv6_ipsec_methods = NULL; +#endif + +int IPSEC_KMOD_METHOD(ipsec_kmod_input, sc, + input, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m, + int offset,int proto), METHOD_ARGS(m, offset, proto) +) + +int IPSEC_KMOD_METHOD(ipsec_kmod_check_policy, sc, + check_policy, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m, + struct inpcb *inp), METHOD_ARGS(m, inp) +) + +int IPSEC_KMOD_METHOD(ipsec_kmod_forward, sc, + forward, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m), + (m) +) + +int 
IPSEC_KMOD_METHOD(ipsec_kmod_output, sc, + output, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m, + struct inpcb *inp), METHOD_ARGS(m, inp) +) + +int IPSEC_KMOD_METHOD(ipsec_kmod_pcbctl, sc, + pcbctl, METHOD_DECL(const struct ipsec_support *sc, struct inpcb *inp, + struct sockopt *sopt), METHOD_ARGS(inp, sopt) +) + +size_t IPSEC_KMOD_METHOD(ipsec_kmod_hdrsize, sc, + hdrsize, METHOD_DECL(const struct ipsec_support *sc, struct inpcb *inp), + (inp) +) + +int static IPSEC_KMOD_METHOD(ipsec_kmod_caps, sc, + capability, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m, + u_int cap), METHOD_ARGS(m, cap) +) + +int +ipsec_kmod_capability(const struct ipsec_support *sc, struct mbuf *m, + u_int cap) +{ + + /* + * Since PF_KEY is build in the kernel, we can use key_havesp() + * without taking the lock. + */ + if (cap == IPSEC_CAP_OPERABLE) + return (key_havesp(IPSEC_DIR_INBOUND) != 0 || + key_havesp(IPSEC_DIR_OUTBOUND) != 0); + return (ipsec_kmod_caps(sc, m, cap)); +} +#endif Modified: projects/ipsec/sys/netipsec/udpencap.c ============================================================================== --- projects/ipsec/sys/netipsec/udpencap.c Thu Dec 22 14:21:14 2016 (r310412) +++ projects/ipsec/sys/netipsec/udpencap.c Thu Dec 22 14:27:07 2016 (r310413) @@ -28,6 +28,7 @@ __FBSDID("$FreeBSD$"); #include "opt_inet.h" +#include "opt_ipsec.h" #include #include 
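Review bot: In `IPSEC_KMOD_METHOD` the `IPSEC_ASSERT(sc != NULL, ...)` check runs before `rm_rlock(&ipsec_kmod_lock, &tracker)`, so for the `volatile` tables (`tcp_ipsec_methods`, `udp_ipsec_methods`) the pointer that was asserted is not necessarily the one later dereferenced in `(*sc->method)(args)`; if IPSEC_ASSERT is a KASSERT wrapper, kernels built without INVARIANTS get no check at all. The code that sets and clears these pointers is not in this hunk, so whether a module unload can race with a caller cannot be confirmed here. Even so, the wrapper should read the pointer once after taking the read lock and return an error when it is NULL rather than call through it. The macro also stores every result in `int ret`, which narrows the `size_t` result of `ipsec_kmod_hdrsize`. Separately, the built-in IPv6 table is missing a comma: `.check_policy = ipsec6_in_reject` should read `.check_policy = ipsec6_in_reject,` as in the IPv4 table, otherwise the `IPSEC` + `INET6` configuration does not compile.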
@@ -57,6 +58,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include /* From owner-svn-src-projects@freebsd.org Thu Dec 22 15:19:36 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7D805C8BE9C for ; Thu, 22 Dec 2016 15:19:36 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0FB431E0C; Thu, 22 Dec 2016 15:19:35 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMFJZjk098195; Thu, 22 Dec 2016 15:19:35 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMFJW0Z098170; Thu, 22 Dec 2016 15:19:32 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221519.uBMFJW0Z098170@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 15:19:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310415 - in projects/ipsec: . bin/dd bin/df bin/ed bin/ls/tests bin/pax cddl/contrib/opensolaris/lib/libdtrace/common cddl/usr.sbin/dtrace/tests/tools contrib/binutils/bfd contrib/bmak... X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 15:19:36 -0000 Author: ae Date: Thu Dec 22 15:19:31 2016 New Revision: 310415 URL: https://svnweb.freebsd.org/changeset/base/310415 Log: Merge from head/. Added: projects/ipsec/contrib/bmake/mk/sys.debug.mk - copied unchanged from r310413, head/contrib/bmake/mk/sys.debug.mk projects/ipsec/contrib/bmake/mk/sys.vars.mk - copied unchanged from r310413, head/contrib/bmake/mk/sys.vars.mk projects/ipsec/contrib/compiler-rt/lib/builtins/unwind-ehabi-helpers.h - copied unchanged from r310413, head/contrib/compiler-rt/lib/builtins/unwind-ehabi-helpers.h projects/ipsec/contrib/libarchive/libarchive/archive_openssl_evp_private.h - copied unchanged from r310413, head/contrib/libarchive/libarchive/archive_openssl_evp_private.h projects/ipsec/contrib/libarchive/libarchive/archive_openssl_hmac_private.h - copied unchanged from r310413, head/contrib/libarchive/libarchive/archive_openssl_hmac_private.h projects/ipsec/contrib/llvm/tools/clang/lib/Headers/msa.h - copied unchanged from r310413, head/contrib/llvm/tools/clang/lib/Headers/msa.h projects/ipsec/share/colldef/fr_CA.UTF-8.src - copied unchanged from r310413, head/share/colldef/fr_CA.UTF-8.src projects/ipsec/share/colldef/ja_JP.eucJP.src - copied unchanged from r310413, head/share/colldef/ja_JP.eucJP.src 
projects/ipsec/share/colldef/nn_NO.ISO8859-1.src - copied unchanged from r310413, head/share/colldef/nn_NO.ISO8859-1.src projects/ipsec/share/colldef/nn_NO.ISO8859-15.src - copied unchanged from r310413, head/share/colldef/nn_NO.ISO8859-15.src projects/ipsec/share/colldef/nn_NO.UTF-8.src - copied unchanged from r310413, head/share/colldef/nn_NO.UTF-8.src projects/ipsec/share/colldef/sr_RS.ISO8859-2.src - copied unchanged from r310413, head/share/colldef/sr_RS.ISO8859-2.src projects/ipsec/share/colldef/sr_RS.ISO8859-5.src - copied unchanged from r310413, head/share/colldef/sr_RS.ISO8859-5.src projects/ipsec/share/colldef/sr_RS.UTF-8.src - copied unchanged from r310413, head/share/colldef/sr_RS.UTF-8.src projects/ipsec/share/colldef/sr_RS.UTF-8@latin.src - copied unchanged from r310413, head/share/colldef/sr_RS.UTF-8@latin.src projects/ipsec/share/colldef/zh_CN.GB18030.src - copied unchanged from r310413, head/share/colldef/zh_CN.GB18030.src projects/ipsec/share/colldef/zh_CN.GBK.src - copied unchanged from r310413, head/share/colldef/zh_CN.GBK.src projects/ipsec/share/colldef/zh_TW.Big5.src - copied unchanged from r310413, head/share/colldef/zh_TW.Big5.src projects/ipsec/share/ctypedef/ja_JP.eucJP.src - copied unchanged from r310413, head/share/ctypedef/ja_JP.eucJP.src projects/ipsec/share/ctypedef/zh_CN.eucCN.src - copied unchanged from r310413, head/share/ctypedef/zh_CN.eucCN.src projects/ipsec/share/man/man4/xdma.4 - copied unchanged from r310413, head/share/man/man4/xdma.4 projects/ipsec/share/monetdef/nl_BE.UTF-8.src - copied unchanged from r310413, head/share/monetdef/nl_BE.UTF-8.src projects/ipsec/sys/arm/rockchip/rk30xx_mp.h - copied unchanged from r310413, head/sys/arm/rockchip/rk30xx_mp.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_sprom_subr.c - copied unchanged from r310413, head/sys/dev/bhnd/nvram/bhnd_nvram_data_sprom_subr.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_ioptr.c - copied unchanged from r310413, 
head/sys/dev/bhnd/nvram/bhnd_nvram_ioptr.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_plist.c - copied unchanged from r310413, head/sys/dev/bhnd/nvram/bhnd_nvram_plist.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_plist.h - copied unchanged from r310413, head/sys/dev/bhnd/nvram/bhnd_nvram_plist.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_plistvar.h - copied unchanged from r310413, head/sys/dev/bhnd/nvram/bhnd_nvram_plistvar.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_store_subr.c - copied unchanged from r310413, head/sys/dev/bhnd/nvram/bhnd_nvram_store_subr.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_value_subr.c - copied unchanged from r310413, head/sys/dev/bhnd/nvram/bhnd_nvram_value_subr.c projects/ipsec/sys/dev/hdmi/ - copied from r310413, head/sys/dev/hdmi/ projects/ipsec/sys/dev/hyperv/utilities/vmbus_heartbeat.c - copied unchanged from r310413, head/sys/dev/hyperv/utilities/vmbus_heartbeat.c projects/ipsec/sys/dev/hyperv/utilities/vmbus_ic.c - copied unchanged from r310413, head/sys/dev/hyperv/utilities/vmbus_ic.c projects/ipsec/sys/dev/hyperv/utilities/vmbus_icvar.h - copied unchanged from r310413, head/sys/dev/hyperv/utilities/vmbus_icvar.h projects/ipsec/sys/dev/hyperv/utilities/vmbus_shutdown.c - copied unchanged from r310413, head/sys/dev/hyperv/utilities/vmbus_shutdown.c projects/ipsec/sys/dev/hyperv/utilities/vmbus_timesync.c - copied unchanged from r310413, head/sys/dev/hyperv/utilities/vmbus_timesync.c projects/ipsec/sys/dev/xdma/ - copied from r310413, head/sys/dev/xdma/ projects/ipsec/sys/mips/ingenic/jz4780_aic.c - copied unchanged from r310413, head/sys/mips/ingenic/jz4780_aic.c projects/ipsec/sys/mips/ingenic/jz4780_lcd.c - copied unchanged from r310413, head/sys/mips/ingenic/jz4780_lcd.c projects/ipsec/sys/mips/ingenic/jz4780_lcd.h - copied unchanged from r310413, head/sys/mips/ingenic/jz4780_lcd.h projects/ipsec/sys/mips/ingenic/jz4780_pdma.c - copied unchanged from r310413, head/sys/mips/ingenic/jz4780_pdma.c 
projects/ipsec/sys/mips/ingenic/jz4780_smb.c - copied unchanged from r310413, head/sys/mips/ingenic/jz4780_smb.c projects/ipsec/sys/mips/ingenic/jz4780_smb.h - copied unchanged from r310413, head/sys/mips/ingenic/jz4780_smb.h projects/ipsec/sys/netinet6/ip6_fastfwd.c - copied unchanged from r310413, head/sys/netinet6/ip6_fastfwd.c projects/ipsec/tests/sys/kern/reaper.c - copied unchanged from r310413, head/tests/sys/kern/reaper.c projects/ipsec/tests/sys/vfs/lookup_cap_dotdot.c - copied unchanged from r310413, head/tests/sys/vfs/lookup_cap_dotdot.c projects/ipsec/tools/build/options/WITH_REPRODUCIBLE_BUILD - copied unchanged from r310413, head/tools/build/options/WITH_REPRODUCIBLE_BUILD projects/ipsec/tools/tools/locale/etc/final-maps/map.CP949 - copied unchanged from r310413, head/tools/tools/locale/etc/final-maps/map.CP949 projects/ipsec/usr.sbin/prometheus_sysctl_exporter/ - copied from r310413, head/usr.sbin/prometheus_sysctl_exporter/ Deleted: projects/ipsec/share/colldef/hr_HR.UTF-8.src projects/ipsec/share/colldef/nb_NO.UTF-8.src projects/ipsec/share/ctypedef/ja_JP.SJIS.src projects/ipsec/share/ctypedef/zh_CN.GB18030.src projects/ipsec/share/monetdef/be_BY.CP1251.src projects/ipsec/share/monetdef/lv_LV.ISO8859-13.src projects/ipsec/share/monetdef/lv_LV.UTF-8.src projects/ipsec/share/monetdef/ru_RU.CP1251.src projects/ipsec/share/msgdef/he_IL.UTF-8.src projects/ipsec/share/numericdef/hy_AM.UTF-8.src projects/ipsec/sys/arm/arm/hdmi_if.m projects/ipsec/sys/arm/freescale/imx/imx6_hdmireg.h projects/ipsec/sys/dev/hyperv/utilities/hv_heartbeat.c projects/ipsec/sys/dev/hyperv/utilities/hv_shutdown.c projects/ipsec/sys/dev/hyperv/utilities/hv_timesync.c projects/ipsec/sys/dev/hyperv/utilities/hv_util.c projects/ipsec/sys/dev/hyperv/utilities/hv_util.h Modified: projects/ipsec/Makefile.inc1 projects/ipsec/ObsoleteFiles.inc projects/ipsec/UPDATING projects/ipsec/bin/dd/dd.c projects/ipsec/bin/df/Makefile projects/ipsec/bin/df/df.c projects/ipsec/bin/ed/buf.c 
projects/ipsec/bin/ed/ed.h projects/ipsec/bin/ed/glbl.c projects/ipsec/bin/ed/main.c projects/ipsec/bin/ls/tests/ls_tests.sh projects/ipsec/bin/pax/buf_subs.c projects/ipsec/cddl/contrib/opensolaris/lib/libdtrace/common/dt_dis.c projects/ipsec/cddl/contrib/opensolaris/lib/libdtrace/common/dt_link.c projects/ipsec/cddl/usr.sbin/dtrace/tests/tools/exclude.sh projects/ipsec/contrib/binutils/bfd/elf.c projects/ipsec/contrib/binutils/bfd/elflink.c projects/ipsec/contrib/bmake/ChangeLog projects/ipsec/contrib/bmake/Makefile projects/ipsec/contrib/bmake/bmake.1 projects/ipsec/contrib/bmake/bmake.cat1 projects/ipsec/contrib/bmake/compat.c projects/ipsec/contrib/bmake/job.c projects/ipsec/contrib/bmake/main.c projects/ipsec/contrib/bmake/make.1 projects/ipsec/contrib/bmake/make.c projects/ipsec/contrib/bmake/make.h projects/ipsec/contrib/bmake/mk/ChangeLog projects/ipsec/contrib/bmake/mk/FILES projects/ipsec/contrib/bmake/mk/dirdeps.mk projects/ipsec/contrib/bmake/mk/gendirdeps.mk projects/ipsec/contrib/bmake/mk/install-mk projects/ipsec/contrib/bmake/mk/lib.mk projects/ipsec/contrib/bmake/mk/meta.stage.mk projects/ipsec/contrib/bmake/mk/meta.sys.mk projects/ipsec/contrib/bmake/mk/meta2deps.py projects/ipsec/contrib/bmake/mk/meta2deps.sh projects/ipsec/contrib/bmake/mk/sys.mk projects/ipsec/contrib/bmake/nonints.h projects/ipsec/contrib/bmake/parse.c projects/ipsec/contrib/bsnmp/lib/snmpclient.c projects/ipsec/contrib/byacc/CHANGES projects/ipsec/contrib/byacc/MANIFEST projects/ipsec/contrib/byacc/VERSION projects/ipsec/contrib/byacc/aclocal.m4 projects/ipsec/contrib/byacc/btyaccpar.c projects/ipsec/contrib/byacc/btyaccpar.skel projects/ipsec/contrib/byacc/config.guess projects/ipsec/contrib/byacc/config.sub projects/ipsec/contrib/byacc/configure projects/ipsec/contrib/byacc/defs.h projects/ipsec/contrib/byacc/error.c projects/ipsec/contrib/byacc/main.c projects/ipsec/contrib/byacc/mstring.c projects/ipsec/contrib/byacc/output.c 
projects/ipsec/contrib/byacc/package/byacc.spec projects/ipsec/contrib/byacc/package/debian/changelog projects/ipsec/contrib/byacc/package/mingw-byacc.spec projects/ipsec/contrib/byacc/package/pkgsrc/Makefile projects/ipsec/contrib/byacc/reader.c projects/ipsec/contrib/byacc/test/btyacc/btyacc_calc1.tab.c projects/ipsec/contrib/byacc/test/btyacc/btyacc_demo.tab.c projects/ipsec/contrib/byacc/test/btyacc/btyacc_demo.tab.h projects/ipsec/contrib/byacc/test/btyacc/btyacc_destroy1.tab.c projects/ipsec/contrib/byacc/test/btyacc/btyacc_destroy2.tab.c projects/ipsec/contrib/byacc/test/btyacc/btyacc_destroy3.tab.c projects/ipsec/contrib/byacc/test/btyacc/calc.tab.c projects/ipsec/contrib/byacc/test/btyacc/calc1.tab.c projects/ipsec/contrib/byacc/test/btyacc/calc2.tab.c projects/ipsec/contrib/byacc/test/btyacc/calc3.tab.c projects/ipsec/contrib/byacc/test/btyacc/code_calc.code.c projects/ipsec/contrib/byacc/test/btyacc/code_calc.tab.c projects/ipsec/contrib/byacc/test/btyacc/code_error.code.c projects/ipsec/contrib/byacc/test/btyacc/code_error.tab.c projects/ipsec/contrib/byacc/test/btyacc/empty.tab.c projects/ipsec/contrib/byacc/test/btyacc/err_inherit3.tab.c projects/ipsec/contrib/byacc/test/btyacc/err_inherit4.tab.c projects/ipsec/contrib/byacc/test/btyacc/err_inherit4.tab.h projects/ipsec/contrib/byacc/test/btyacc/err_syntax10.tab.c projects/ipsec/contrib/byacc/test/btyacc/err_syntax11.tab.c projects/ipsec/contrib/byacc/test/btyacc/err_syntax12.tab.c projects/ipsec/contrib/byacc/test/btyacc/err_syntax18.tab.c projects/ipsec/contrib/byacc/test/btyacc/err_syntax20.tab.c projects/ipsec/contrib/byacc/test/btyacc/error.tab.c projects/ipsec/contrib/byacc/test/btyacc/grammar.tab.c projects/ipsec/contrib/byacc/test/btyacc/inherit0.tab.c projects/ipsec/contrib/byacc/test/btyacc/inherit1.tab.c projects/ipsec/contrib/byacc/test/btyacc/inherit2.tab.c projects/ipsec/contrib/byacc/test/btyacc/ok_syntax1.tab.c projects/ipsec/contrib/byacc/test/btyacc/pure_calc.tab.c 
projects/ipsec/contrib/byacc/test/btyacc/pure_error.tab.c projects/ipsec/contrib/byacc/test/btyacc/quote_calc-s.tab.c projects/ipsec/contrib/byacc/test/btyacc/quote_calc.tab.c projects/ipsec/contrib/byacc/test/btyacc/quote_calc2-s.tab.c projects/ipsec/contrib/byacc/test/btyacc/quote_calc2.tab.c projects/ipsec/contrib/byacc/test/btyacc/quote_calc3-s.tab.c projects/ipsec/contrib/byacc/test/btyacc/quote_calc3.tab.c projects/ipsec/contrib/byacc/test/btyacc/quote_calc4-s.tab.c projects/ipsec/contrib/byacc/test/btyacc/quote_calc4.tab.c projects/ipsec/contrib/byacc/test/btyacc/rename_debug.c projects/ipsec/contrib/byacc/test/btyacc/varsyntax_calc1.tab.c projects/ipsec/contrib/byacc/yaccpar.c projects/ipsec/contrib/byacc/yaccpar.skel projects/ipsec/contrib/compiler-rt/lib/builtins/gcc_personality_v0.c projects/ipsec/contrib/dma/dma-mbox-create.c projects/ipsec/contrib/elftoolchain/libelf/gelf_phdr.c projects/ipsec/contrib/elftoolchain/libelf/libelf_ehdr.c projects/ipsec/contrib/libarchive/cat/bsdcat.c projects/ipsec/contrib/libarchive/cpio/cpio.c projects/ipsec/contrib/libarchive/cpio/test/test_option_J_upper.c projects/ipsec/contrib/libarchive/cpio/test/test_option_Z_upper.c projects/ipsec/contrib/libarchive/cpio/test/test_option_lz4.c projects/ipsec/contrib/libarchive/cpio/test/test_option_u.c projects/ipsec/contrib/libarchive/cpio/test/test_option_y.c projects/ipsec/contrib/libarchive/libarchive/archive.h projects/ipsec/contrib/libarchive/libarchive/archive_acl.c projects/ipsec/contrib/libarchive/libarchive/archive_cryptor.c projects/ipsec/contrib/libarchive/libarchive/archive_cryptor_private.h projects/ipsec/contrib/libarchive/libarchive/archive_digest.c projects/ipsec/contrib/libarchive/libarchive/archive_digest_private.h projects/ipsec/contrib/libarchive/libarchive/archive_entry.c projects/ipsec/contrib/libarchive/libarchive/archive_hmac.c projects/ipsec/contrib/libarchive/libarchive/archive_hmac_private.h 
projects/ipsec/contrib/libarchive/libarchive/archive_options.c projects/ipsec/contrib/libarchive/libarchive/archive_read.c projects/ipsec/contrib/libarchive/libarchive/archive_read_append_filter.c projects/ipsec/contrib/libarchive/libarchive/archive_read_disk_posix.c projects/ipsec/contrib/libarchive/libarchive/archive_read_extract2.c projects/ipsec/contrib/libarchive/libarchive/archive_read_open_memory.c projects/ipsec/contrib/libarchive/libarchive/archive_read_private.h projects/ipsec/contrib/libarchive/libarchive/archive_read_support_filter_uu.c projects/ipsec/contrib/libarchive/libarchive/archive_read_support_format_7zip.c projects/ipsec/contrib/libarchive/libarchive/archive_read_support_format_ar.c projects/ipsec/contrib/libarchive/libarchive/archive_read_support_format_cpio.c projects/ipsec/contrib/libarchive/libarchive/archive_read_support_format_mtree.c projects/ipsec/contrib/libarchive/libarchive/archive_read_support_format_rar.c projects/ipsec/contrib/libarchive/libarchive/archive_read_support_format_tar.c projects/ipsec/contrib/libarchive/libarchive/archive_read_support_format_warc.c projects/ipsec/contrib/libarchive/libarchive/archive_string.c projects/ipsec/contrib/libarchive/libarchive/archive_write.c projects/ipsec/contrib/libarchive/libarchive/archive_write_add_filter_lz4.c projects/ipsec/contrib/libarchive/libarchive/archive_write_disk_posix.c projects/ipsec/contrib/libarchive/libarchive/archive_write_disk_set_standard_lookup.c projects/ipsec/contrib/libarchive/libarchive/archive_write_open_memory.c projects/ipsec/contrib/libarchive/libarchive/archive_write_set_format_ar.c projects/ipsec/contrib/libarchive/libarchive/archive_write_set_format_cpio_newc.c projects/ipsec/contrib/libarchive/libarchive/archive_write_set_format_iso9660.c projects/ipsec/contrib/libarchive/libarchive/archive_write_set_format_pax.c projects/ipsec/contrib/libarchive/libarchive/archive_write_set_format_shar.c 
projects/ipsec/contrib/libarchive/libarchive/archive_write_set_format_ustar.c projects/ipsec/contrib/libarchive/libarchive/archive_write_set_format_v7tar.c projects/ipsec/contrib/libarchive/libarchive/archive_write_set_format_xar.c projects/ipsec/contrib/libarchive/libarchive/test/read_open_memory.c projects/ipsec/contrib/libarchive/libarchive/test/test_archive_read_add_passphrase.c projects/ipsec/contrib/libarchive/libarchive/test/test_fuzz.c projects/ipsec/contrib/libarchive/libarchive/test/test_pax_filename_encoding.c projects/ipsec/contrib/libarchive/libarchive/test/test_read_disk_directory_traversals.c projects/ipsec/contrib/libarchive/libarchive/test/test_read_set_format.c projects/ipsec/contrib/libarchive/tar/test/main.c projects/ipsec/contrib/libarchive/tar/test/test_leading_slash.c projects/ipsec/contrib/libarchive/tar/test/test_option_a.c projects/ipsec/contrib/libarchive/tar/test/test_option_b.c projects/ipsec/contrib/libarchive/tar/test/test_option_b64encode.c projects/ipsec/contrib/libarchive/tar/test/test_option_gid_gname.c projects/ipsec/contrib/libarchive/tar/test/test_option_grzip.c projects/ipsec/contrib/libarchive/tar/test/test_option_j.c projects/ipsec/contrib/libarchive/tar/test/test_option_lrzip.c projects/ipsec/contrib/libarchive/tar/test/test_option_lz4.c projects/ipsec/contrib/libarchive/tar/test/test_option_lzma.c projects/ipsec/contrib/libarchive/tar/test/test_option_lzop.c projects/ipsec/contrib/libarchive/tar/test/test_option_r.c projects/ipsec/contrib/libarchive/tar/test/test_option_uid_uname.c projects/ipsec/contrib/libarchive/tar/test/test_option_uuencode.c projects/ipsec/contrib/libarchive/tar/test/test_option_xz.c projects/ipsec/contrib/libarchive/tar/test/test_option_z.c projects/ipsec/contrib/libarchive/tar/test/test_stdio.c projects/ipsec/contrib/libarchive/tar/test/test_version.c projects/ipsec/contrib/libc++/include/tuple projects/ipsec/contrib/llvm/include/llvm/Analysis/LoopAccessAnalysis.h 
projects/ipsec/contrib/llvm/include/llvm/ExecutionEngine/RTDyldMemoryManager.h projects/ipsec/contrib/llvm/include/llvm/IR/Intrinsics.td projects/ipsec/contrib/llvm/include/llvm/IR/TypeFinder.h projects/ipsec/contrib/llvm/include/llvm/Support/Threading.h projects/ipsec/contrib/llvm/lib/Analysis/LoopAccessAnalysis.cpp projects/ipsec/contrib/llvm/lib/Bitcode/Writer/ValueEnumerator.h projects/ipsec/contrib/llvm/lib/CodeGen/BranchFolding.cpp projects/ipsec/contrib/llvm/lib/CodeGen/SelectionDAG/LegalizeIntegerTypes.cpp projects/ipsec/contrib/llvm/lib/Linker/IRMover.cpp projects/ipsec/contrib/llvm/lib/Support/Unix/Signals.inc projects/ipsec/contrib/llvm/lib/Target/AArch64/AArch64ExpandPseudoInsts.cpp projects/ipsec/contrib/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp projects/ipsec/contrib/llvm/lib/Target/AMDGPU/SIInstrInfo.cpp projects/ipsec/contrib/llvm/lib/Target/AMDGPU/SIInstructions.td projects/ipsec/contrib/llvm/lib/Target/AMDGPU/SIWholeQuadMode.cpp projects/ipsec/contrib/llvm/lib/Target/ARM/ARMExpandPseudoInsts.cpp projects/ipsec/contrib/llvm/lib/Target/ARM/ARMInstrThumb2.td projects/ipsec/contrib/llvm/lib/Target/ARM/AsmParser/ARMAsmParser.cpp projects/ipsec/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.cpp projects/ipsec/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.h projects/ipsec/contrib/llvm/lib/Target/PowerPC/PPCInstr64Bit.td projects/ipsec/contrib/llvm/lib/Target/PowerPC/PPCInstrInfo.td projects/ipsec/contrib/llvm/lib/Target/X86/X86ISelLowering.cpp projects/ipsec/contrib/llvm/lib/Target/X86/X86InstrAVX512.td projects/ipsec/contrib/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp projects/ipsec/contrib/llvm/lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp projects/ipsec/contrib/llvm/lib/Transforms/Scalar/JumpThreading.cpp projects/ipsec/contrib/llvm/lib/Transforms/Utils/SimplifyCFG.cpp projects/ipsec/contrib/llvm/projects/libunwind/src/UnwindLevel1-gcc-ext.c projects/ipsec/contrib/llvm/tools/clang/include/clang/AST/DeclTemplate.h 
projects/ipsec/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticDriverKinds.td projects/ipsec/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticSemaKinds.td projects/ipsec/contrib/llvm/tools/clang/include/clang/Sema/Sema.h projects/ipsec/contrib/llvm/tools/clang/lib/Basic/Targets.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Basic/Version.cpp projects/ipsec/contrib/llvm/tools/clang/lib/CodeGen/CGExpr.cpp projects/ipsec/contrib/llvm/tools/clang/lib/CodeGen/CGStmt.cpp projects/ipsec/contrib/llvm/tools/clang/lib/CodeGen/CGStmtOpenMP.cpp projects/ipsec/contrib/llvm/tools/clang/lib/CodeGen/CodeGenFunction.cpp projects/ipsec/contrib/llvm/tools/clang/lib/CodeGen/CodeGenFunction.h projects/ipsec/contrib/llvm/tools/clang/lib/Driver/ToolChains.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Driver/Tools.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/Sema.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaCXXScopeSpec.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaChecking.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaDecl.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaExpr.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaLambda.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaOpenMP.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaTemplate.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaTemplateInstantiate.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Sema/SemaTemplateInstantiateDecl.cpp projects/ipsec/contrib/llvm/tools/clang/lib/Serialization/ASTReaderDecl.cpp projects/ipsec/contrib/llvm/tools/lld/COFF/CMakeLists.txt projects/ipsec/contrib/llvm/tools/lld/ELF/InputFiles.cpp projects/ipsec/contrib/llvm/tools/lldb/include/lldb/Core/ArchSpec.h projects/ipsec/contrib/llvm/tools/lldb/source/Core/ArchSpec.cpp projects/ipsec/contrib/llvm/tools/lldb/source/Core/RegisterValue.cpp 
projects/ipsec/contrib/llvm/tools/lldb/source/Plugins/ABI/SysV-mips64/ABISysV_mips64.cpp projects/ipsec/contrib/llvm/tools/lldb/source/Plugins/Process/Utility/RegisterInfos_mips.h projects/ipsec/contrib/llvm/tools/lldb/source/Plugins/Process/Utility/RegisterInfos_mips64.h projects/ipsec/contrib/llvm/tools/lldb/source/Plugins/Process/Utility/lldb-mips-linux-register-enums.h projects/ipsec/contrib/llvm/tools/lldb/source/Plugins/Process/gdb-remote/GDBRemoteCommunicationClient.cpp projects/ipsec/contrib/llvm/tools/lldb/source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerCommon.cpp projects/ipsec/contrib/netbsd-tests/lib/libc/sys/t_mincore.c projects/ipsec/etc/inetd.conf projects/ipsec/etc/mtree/BSD.debug.dist projects/ipsec/etc/mtree/BSD.usr.dist projects/ipsec/etc/services projects/ipsec/include/Makefile projects/ipsec/lib/clang/freebsd_cc_version.h projects/ipsec/lib/clang/headers/Makefile projects/ipsec/lib/clang/include/clang/Basic/Version.inc projects/ipsec/lib/clang/include/clang/Config/config.h projects/ipsec/lib/clang/include/llvm/Config/config.h projects/ipsec/lib/clang/include/llvm/Config/llvm-config.h projects/ipsec/lib/libc/stdio/vfprintf.c projects/ipsec/lib/libc/x86/sys/__vdso_gettc.c projects/ipsec/lib/libcapsicum/capsicum_helpers.h projects/ipsec/lib/libclang_rt/Makefile.inc projects/ipsec/lib/libcompiler_rt/Makefile projects/ipsec/lib/libelftc/Makefile projects/ipsec/lib/libkvm/kvm_private.c projects/ipsec/libexec/rtld-elf/rtld.c projects/ipsec/release/scripts/make-pkg-package.sh projects/ipsec/release/tools/openstack.conf projects/ipsec/sbin/camcontrol/timestamp.c projects/ipsec/sbin/decryptcore/decryptcore.8 projects/ipsec/sbin/ifconfig/ifieee80211.c projects/ipsec/sbin/mount/getmntopts.c projects/ipsec/sbin/mount/mntopts.h projects/ipsec/sbin/tunefs/Makefile projects/ipsec/sbin/tunefs/tunefs.c projects/ipsec/share/colldef/Makefile projects/ipsec/share/colldef/af_ZA.UTF-8.src projects/ipsec/share/colldef/am_ET.UTF-8.src 
projects/ipsec/share/colldef/ar_SA.UTF-8.src projects/ipsec/share/colldef/be_BY.UTF-8.src projects/ipsec/share/colldef/ca_AD.UTF-8.src projects/ipsec/share/colldef/cs_CZ.ISO8859-2.src projects/ipsec/share/colldef/cs_CZ.UTF-8.src projects/ipsec/share/colldef/da_DK.ISO8859-1.src projects/ipsec/share/colldef/da_DK.ISO8859-15.src projects/ipsec/share/colldef/da_DK.UTF-8.src projects/ipsec/share/colldef/el_GR.UTF-8.src projects/ipsec/share/colldef/en_US.UTF-8.src projects/ipsec/share/colldef/es_MX.UTF-8.src projects/ipsec/share/colldef/et_EE.UTF-8.src projects/ipsec/share/colldef/fi_FI.UTF-8.src projects/ipsec/share/colldef/he_IL.UTF-8.src projects/ipsec/share/colldef/hi_IN.UTF-8.src projects/ipsec/share/colldef/hr_HR.ISO8859-2.src projects/ipsec/share/colldef/hu_HU.ISO8859-2.src projects/ipsec/share/colldef/hu_HU.UTF-8.src projects/ipsec/share/colldef/hy_AM.UTF-8.src projects/ipsec/share/colldef/is_IS.UTF-8.src projects/ipsec/share/colldef/ja_JP.UTF-8.src projects/ipsec/share/colldef/kk_KZ.UTF-8.src projects/ipsec/share/colldef/ko_KR.UTF-8.src projects/ipsec/share/colldef/lt_LT.UTF-8.src projects/ipsec/share/colldef/lv_LV.UTF-8.src projects/ipsec/share/colldef/nb_NO.ISO8859-1.src projects/ipsec/share/colldef/nb_NO.ISO8859-15.src projects/ipsec/share/colldef/pl_PL.UTF-8.src projects/ipsec/share/colldef/ro_RO.UTF-8.src projects/ipsec/share/colldef/ru_RU.UTF-8.src projects/ipsec/share/colldef/se_NO.UTF-8.src projects/ipsec/share/colldef/sk_SK.ISO8859-2.src projects/ipsec/share/colldef/sk_SK.UTF-8.src projects/ipsec/share/colldef/sl_SI.UTF-8.src projects/ipsec/share/colldef/sv_SE.UTF-8.src projects/ipsec/share/colldef/tr_TR.UTF-8.src projects/ipsec/share/colldef/uk_UA.UTF-8.src projects/ipsec/share/colldef/zh_CN.GB2312.src projects/ipsec/share/colldef/zh_CN.UTF-8.src projects/ipsec/share/colldef/zh_CN.eucCN.src projects/ipsec/share/colldef/zh_TW.UTF-8.src projects/ipsec/share/ctypedef/Makefile projects/ipsec/share/ctypedef/be_BY.CP1131.src 
projects/ipsec/share/ctypedef/ca_IT.ISO8859-1.src projects/ipsec/share/ctypedef/en_US.ISO8859-1.src projects/ipsec/share/ctypedef/en_US.UTF-8.src projects/ipsec/share/ctypedef/hi_IN.ISCII-DEV.src projects/ipsec/share/ctypedef/uk_UA.CP1251.src projects/ipsec/share/man/man4/isp.4 projects/ipsec/share/man/man5/src.conf.5 projects/ipsec/share/man/man9/Makefile projects/ipsec/share/man/man9/sysctl.9 projects/ipsec/share/man/man9/sysctl_add_oid.9 projects/ipsec/share/misc/committers-ports.dot projects/ipsec/share/misc/organization.dot projects/ipsec/share/mk/bsd.own.mk projects/ipsec/share/mk/src.opts.mk projects/ipsec/share/monetdef/Makefile projects/ipsec/share/monetdef/ar_AE.UTF-8.src projects/ipsec/share/monetdef/ar_EG.UTF-8.src projects/ipsec/share/monetdef/ar_JO.UTF-8.src projects/ipsec/share/monetdef/ar_QA.UTF-8.src projects/ipsec/share/monetdef/ar_SA.UTF-8.src projects/ipsec/share/monetdef/be_BY.CP1131.src projects/ipsec/share/monetdef/be_BY.ISO8859-5.src projects/ipsec/share/monetdef/be_BY.UTF-8.src projects/ipsec/share/monetdef/bg_BG.CP1251.src projects/ipsec/share/monetdef/bg_BG.UTF-8.src projects/ipsec/share/monetdef/es_AR.UTF-8.src projects/ipsec/share/monetdef/es_CR.UTF-8.src projects/ipsec/share/monetdef/hu_HU.ISO8859-2.src projects/ipsec/share/monetdef/hu_HU.UTF-8.src projects/ipsec/share/monetdef/hy_AM.ARMSCII-8.src projects/ipsec/share/monetdef/hy_AM.UTF-8.src projects/ipsec/share/monetdef/ru_RU.CP866.src projects/ipsec/share/monetdef/ru_RU.ISO8859-5.src projects/ipsec/share/monetdef/ru_RU.KOI8-R.src projects/ipsec/share/monetdef/ru_RU.UTF-8.src projects/ipsec/share/monetdef/sl_SI.UTF-8.src projects/ipsec/share/monetdef/tr_TR.ISO8859-9.src projects/ipsec/share/monetdef/tr_TR.UTF-8.src projects/ipsec/share/monetdef/zh_CN.GB2312.src projects/ipsec/share/monetdef/zh_CN.GBK.src projects/ipsec/share/monetdef/zh_CN.UTF-8.src projects/ipsec/share/monetdef/zh_CN.eucCN.src projects/ipsec/share/monetdef/zh_TW.Big5.src projects/ipsec/share/monetdef/zh_TW.UTF-8.src 
projects/ipsec/share/msgdef/Makefile projects/ipsec/share/msgdef/ja_JP.SJIS.src projects/ipsec/share/msgdef/ja_JP.UTF-8.src projects/ipsec/share/msgdef/ja_JP.eucJP.src projects/ipsec/share/msgdef/tr_TR.ISO8859-9.src projects/ipsec/share/msgdef/tr_TR.UTF-8.src projects/ipsec/share/numericdef/Makefile projects/ipsec/sys/amd64/amd64/machdep.c projects/ipsec/sys/amd64/amd64/trap.c projects/ipsec/sys/amd64/conf/GENERIC projects/ipsec/sys/amd64/conf/MINIMAL projects/ipsec/sys/arm/allwinner/a10/a10_padconf.c projects/ipsec/sys/arm/allwinner/a10_mmc.c projects/ipsec/sys/arm/allwinner/a13/a13_padconf.c projects/ipsec/sys/arm/allwinner/a20/a20_padconf.c projects/ipsec/sys/arm/allwinner/a31/a31_padconf.c projects/ipsec/sys/arm/allwinner/a31/a31_r_padconf.c projects/ipsec/sys/arm/allwinner/a31/a31s_padconf.c projects/ipsec/sys/arm/allwinner/a64/a64_padconf.c projects/ipsec/sys/arm/allwinner/a64/a64_r_padconf.c projects/ipsec/sys/arm/allwinner/allwinner_pinctrl.h projects/ipsec/sys/arm/allwinner/aw_machdep.c projects/ipsec/sys/arm/allwinner/aw_wdog.c projects/ipsec/sys/arm/allwinner/clk/aw_debeclk.c projects/ipsec/sys/arm/allwinner/clk/aw_hdmiclk.c projects/ipsec/sys/arm/allwinner/clk/aw_lcdclk.c projects/ipsec/sys/arm/allwinner/clk/aw_mmcclk.c projects/ipsec/sys/arm/allwinner/clk/aw_modclk.c projects/ipsec/sys/arm/allwinner/clk/aw_pll.c projects/ipsec/sys/arm/allwinner/clk/aw_thsclk.c projects/ipsec/sys/arm/allwinner/files.allwinner projects/ipsec/sys/arm/allwinner/h3/h3_padconf.c projects/ipsec/sys/arm/allwinner/h3/h3_r_padconf.c projects/ipsec/sys/arm/amlogic/aml8726/aml8726_identsoc.c projects/ipsec/sys/arm/amlogic/aml8726/aml8726_machdep.c projects/ipsec/sys/arm/amlogic/aml8726/aml8726_wdt.c projects/ipsec/sys/arm/arm/cpufunc.c projects/ipsec/sys/arm/arm/db_trace.c projects/ipsec/sys/arm/arm/gic.c projects/ipsec/sys/arm/arm/gic_common.h projects/ipsec/sys/arm/arm/physmem.c projects/ipsec/sys/arm/arm/platform_if.m projects/ipsec/sys/arm/arm/undefined.c 
projects/ipsec/sys/arm/at91/at91_spi.c projects/ipsec/sys/arm/broadcom/bcm2835/bcm2835_machdep.c projects/ipsec/sys/arm/broadcom/bcm2835/bcm2835_spi.c projects/ipsec/sys/arm/broadcom/bcm2835/bcm2835_wdog.c projects/ipsec/sys/arm/conf/RK3188 projects/ipsec/sys/arm/freescale/imx/files.imx6 projects/ipsec/sys/arm/freescale/imx/imx51_machdep.c projects/ipsec/sys/arm/freescale/imx/imx53_machdep.c projects/ipsec/sys/arm/freescale/imx/imx6_anatop.c projects/ipsec/sys/arm/freescale/imx/imx6_hdmi.c projects/ipsec/sys/arm/freescale/imx/imx6_machdep.c projects/ipsec/sys/arm/freescale/imx/imx6_sdma.c projects/ipsec/sys/arm/freescale/imx/imx6_sdma.h projects/ipsec/sys/arm/freescale/imx/imx6_src.c projects/ipsec/sys/arm/freescale/imx/imx6_ssi.c projects/ipsec/sys/arm/freescale/imx/imx_gpt.c projects/ipsec/sys/arm/freescale/vybrid/vf_spi.c projects/ipsec/sys/arm/lpc/lpc_gpio.c projects/ipsec/sys/arm/lpc/lpc_spi.c projects/ipsec/sys/arm/nvidia/tegra124/tegra124_machdep.c projects/ipsec/sys/arm/nvidia/tegra_efuse.c projects/ipsec/sys/arm/qemu/virt_machdep.c projects/ipsec/sys/arm/rockchip/rk30xx_machdep.c projects/ipsec/sys/arm/rockchip/rk30xx_mp.c projects/ipsec/sys/arm/rockchip/rk30xx_wdog.c projects/ipsec/sys/arm/samsung/exynos/exynos5_spi.c projects/ipsec/sys/arm/ti/am335x/am335x_dmtpps.c projects/ipsec/sys/arm/ti/cpsw/if_cpsw.c projects/ipsec/sys/arm/ti/ti_machdep.c projects/ipsec/sys/arm/ti/ti_spi.c projects/ipsec/sys/arm/versatile/versatile_machdep.c projects/ipsec/sys/arm/xilinx/zy7_machdep.c projects/ipsec/sys/arm/xilinx/zy7_slcr.c projects/ipsec/sys/arm/xscale/pxa/pxa_gpio.c projects/ipsec/sys/arm/xscale/pxa/pxa_icu.c projects/ipsec/sys/arm/xscale/pxa/pxa_space.c projects/ipsec/sys/arm/xscale/pxa/pxa_timer.c projects/ipsec/sys/arm64/arm64/gic_v3.c projects/ipsec/sys/arm64/arm64/gic_v3_reg.h projects/ipsec/sys/arm64/conf/GENERIC projects/ipsec/sys/boot/arm/uboot/Makefile projects/ipsec/sys/boot/common/Makefile.inc projects/ipsec/sys/boot/common/interp_forth.c 
projects/ipsec/sys/boot/common/newvers.sh projects/ipsec/sys/boot/efi/loader/Makefile projects/ipsec/sys/boot/efi/loader/main.c projects/ipsec/sys/boot/i386/loader/Makefile projects/ipsec/sys/boot/i386/loader/main.c projects/ipsec/sys/boot/mips/beri/loader/Makefile projects/ipsec/sys/boot/mips/beri/loader/loader.h projects/ipsec/sys/boot/mips/beri/loader/main.c projects/ipsec/sys/boot/mips/uboot/Makefile projects/ipsec/sys/boot/ofw/common/main.c projects/ipsec/sys/boot/pc98/loader/Makefile projects/ipsec/sys/boot/pc98/loader/main.c projects/ipsec/sys/boot/powerpc/kboot/Makefile projects/ipsec/sys/boot/powerpc/kboot/main.c projects/ipsec/sys/boot/powerpc/ofw/Makefile projects/ipsec/sys/boot/powerpc/ps3/Makefile projects/ipsec/sys/boot/powerpc/ps3/main.c projects/ipsec/sys/boot/powerpc/uboot/Makefile projects/ipsec/sys/boot/sparc64/loader/Makefile projects/ipsec/sys/boot/sparc64/loader/main.c projects/ipsec/sys/boot/uboot/common/main.c projects/ipsec/sys/boot/userboot/userboot/Makefile projects/ipsec/sys/boot/userboot/userboot/main.c projects/ipsec/sys/cam/ata/ata_da.c projects/ipsec/sys/cam/ata/ata_pmp.c projects/ipsec/sys/cam/cam_xpt.c projects/ipsec/sys/cam/ctl/ctl.c projects/ipsec/sys/cam/ctl/ctl.h projects/ipsec/sys/cam/ctl/ctl_backend_block.c projects/ipsec/sys/cam/ctl/ctl_cmd_table.c projects/ipsec/sys/cam/ctl/ctl_error.c projects/ipsec/sys/cam/ctl/ctl_error.h projects/ipsec/sys/cam/ctl/ctl_private.h projects/ipsec/sys/cam/ctl/ctl_tpc.c projects/ipsec/sys/cam/nvme/nvme_da.c projects/ipsec/sys/cam/scsi/scsi_all.c projects/ipsec/sys/cam/scsi/scsi_all.h projects/ipsec/sys/cam/scsi/scsi_cd.c projects/ipsec/sys/cam/scsi/scsi_da.c projects/ipsec/sys/cam/scsi/scsi_da.h projects/ipsec/sys/cam/scsi/scsi_sa.c projects/ipsec/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dmu_zfetch.c projects/ipsec/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zvol.c projects/ipsec/sys/cddl/contrib/opensolaris/uts/common/sys/dtrace.h 
projects/ipsec/sys/compat/linuxkpi/common/include/linux/pci.h projects/ipsec/sys/compat/linuxkpi/common/include/linux/sysfs.h projects/ipsec/sys/conf/files projects/ipsec/sys/conf/files.amd64 projects/ipsec/sys/conf/files.arm projects/ipsec/sys/conf/files.i386 projects/ipsec/sys/conf/kern.opts.mk projects/ipsec/sys/conf/kern.post.mk projects/ipsec/sys/conf/newvers.sh projects/ipsec/sys/conf/options projects/ipsec/sys/conf/options.arm projects/ipsec/sys/ddb/db_sym.c projects/ipsec/sys/dev/acpica/acpi.c projects/ipsec/sys/dev/acpica/acpi_thermal.c projects/ipsec/sys/dev/acpica/acpivar.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_bcm.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_bcmraw.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_bcmreg.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_bcmvar.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_btxt.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_sprom.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_spromvar.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_data_tlv.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_datavar.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_io.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_private.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_store.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_store.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_storevar.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_subr.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_value.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_value.h projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_value_fmts.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_value_prf.c projects/ipsec/sys/dev/bhnd/nvram/bhnd_nvram_valuevar.h projects/ipsec/sys/dev/bhnd/tools/nvram_map_gen.awk projects/ipsec/sys/dev/cxgbe/adapter.h projects/ipsec/sys/dev/cxgbe/common/common.h 
projects/ipsec/sys/dev/cxgbe/common/t4_hw.c projects/ipsec/sys/dev/cxgbe/common/t4_msg.h projects/ipsec/sys/dev/cxgbe/firmware/t6fw_cfg.txt projects/ipsec/sys/dev/cxgbe/t4_main.c projects/ipsec/sys/dev/cxgbe/t4_sge.c projects/ipsec/sys/dev/drm2/i915/i915_gem.c projects/ipsec/sys/dev/extres/clk/clk_div.c projects/ipsec/sys/dev/extres/clk/clk_div.h projects/ipsec/sys/dev/gpio/gpiobus.c projects/ipsec/sys/dev/gpio/gpiospi.c projects/ipsec/sys/dev/hyperv/include/hyperv.h projects/ipsec/sys/dev/hyperv/include/vmbus.h projects/ipsec/sys/dev/hyperv/netvsc/if_hn.c projects/ipsec/sys/dev/hyperv/netvsc/if_hnvar.h projects/ipsec/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c projects/ipsec/sys/dev/hyperv/utilities/hv_kvp.c projects/ipsec/sys/dev/hyperv/utilities/hv_snapshot.c projects/ipsec/sys/dev/hyperv/vmbus/amd64/hyperv_machdep.c projects/ipsec/sys/dev/hyperv/vmbus/hyperv_reg.h projects/ipsec/sys/dev/hyperv/vmbus/vmbus.c projects/ipsec/sys/dev/hyperv/vmbus/vmbus_chan.c projects/ipsec/sys/dev/hyperv/vmbus/vmbus_chanvar.h projects/ipsec/sys/dev/hyperv/vmbus/vmbus_var.h projects/ipsec/sys/dev/ichiic/ig4_pci.c projects/ipsec/sys/dev/isp/isp_pci.c projects/ipsec/sys/dev/iwn/if_iwn.c projects/ipsec/sys/dev/mlx4/mlx4_core/mlx4_main.c projects/ipsec/sys/dev/mlx4/mlx4_ib/mlx4_ib_sysfs.c projects/ipsec/sys/dev/mlx5/mlx5_en/mlx5_en_main.c projects/ipsec/sys/dev/mmc/mmc.c projects/ipsec/sys/dev/ow/ow_temp.c projects/ipsec/sys/dev/pci/pci_host_generic_fdt.c projects/ipsec/sys/dev/rtwn/rtl8188e/usb/r88eu_attach.c projects/ipsec/sys/dev/rtwn/rtl8188e/usb/r88eu_init.c projects/ipsec/sys/dev/rtwn/rtl8192c/r92c.h projects/ipsec/sys/dev/rtwn/rtl8192c/r92c_init.c projects/ipsec/sys/dev/rtwn/rtl8812a/r12a_priv.h projects/ipsec/sys/dev/sdhci/sdhci_pci.c projects/ipsec/sys/dev/spibus/ofw_spibus.c projects/ipsec/sys/dev/spibus/spibus.c projects/ipsec/sys/dev/spibus/spibusvar.h projects/ipsec/sys/dev/spibus/spigen.c projects/ipsec/sys/dev/uart/uart_dev_pl011.c 
projects/ipsec/sys/dev/usb/usb_hub.c projects/ipsec/sys/dev/usb/usb_process.c projects/ipsec/sys/dev/usb/wlan/if_rsu.c projects/ipsec/sys/dev/usb/wlan/if_rsureg.h projects/ipsec/sys/dev/xen/blkfront/blkfront.c projects/ipsec/sys/dev/xilinx/axi_quad_spi.c projects/ipsec/sys/fs/tmpfs/tmpfs_subr.c projects/ipsec/sys/geom/geom_map.c projects/ipsec/sys/i386/conf/GENERIC projects/ipsec/sys/kern/kern_descrip.c projects/ipsec/sys/kern/kern_et.c projects/ipsec/sys/kern/kern_event.c projects/ipsec/sys/kern/kern_exit.c projects/ipsec/sys/kern/kern_fork.c projects/ipsec/sys/kern/kern_procctl.c projects/ipsec/sys/kern/kern_synch.c projects/ipsec/sys/kern/kern_sysctl.c projects/ipsec/sys/kern/kern_tc.c projects/ipsec/sys/kern/subr_bus.c projects/ipsec/sys/kern/subr_counter.c projects/ipsec/sys/kern/uipc_shm.c projects/ipsec/sys/kern/vfs_cache.c projects/ipsec/sys/kern/vfs_lookup.c projects/ipsec/sys/kern/vfs_subr.c projects/ipsec/sys/kern/vfs_syscalls.c projects/ipsec/sys/mips/atheros/ar531x/ar5315_spi.c projects/ipsec/sys/mips/atheros/ar71xx_spi.c projects/ipsec/sys/mips/broadcom/bcm_nvram_cfe.c projects/ipsec/sys/mips/conf/CANNA projects/ipsec/sys/mips/conf/CI20 projects/ipsec/sys/mips/conf/JZ4780 projects/ipsec/sys/mips/conf/std.AR933X projects/ipsec/sys/mips/ingenic/files.jz4780 projects/ipsec/sys/mips/ingenic/files.x1000 projects/ipsec/sys/mips/ingenic/jz4780_clk_gen.c projects/ipsec/sys/mips/ingenic/jz4780_clock.c projects/ipsec/sys/mips/ingenic/jz4780_codec.c projects/ipsec/sys/mips/mediatek/mtk_spi_v1.c projects/ipsec/sys/mips/mediatek/mtk_spi_v2.c projects/ipsec/sys/mips/mips/cpu.c projects/ipsec/sys/mips/mips/db_trace.c projects/ipsec/sys/mips/mips/pm_machdep.c projects/ipsec/sys/mips/rt305x/rt305x_spi.c projects/ipsec/sys/modules/bhnd/Makefile projects/ipsec/sys/modules/hyperv/utilities/Makefile projects/ipsec/sys/net/if_lagg.c projects/ipsec/sys/net/if_media.h projects/ipsec/sys/net80211/_ieee80211.h projects/ipsec/sys/net80211/ieee80211.c 
projects/ipsec/sys/net80211/ieee80211_node.h projects/ipsec/sys/net80211/ieee80211_var.h projects/ipsec/sys/netinet/sctp_indata.c projects/ipsec/sys/netinet/sctputil.c projects/ipsec/sys/netinet/tcp_output.c projects/ipsec/sys/netinet/tcp_syncache.c projects/ipsec/sys/netinet6/in6_var.h projects/ipsec/sys/netinet6/ip6_input.c projects/ipsec/sys/netinet6/nd6_rtr.c projects/ipsec/sys/powerpc/powerpc/db_disasm.c projects/ipsec/sys/powerpc/powerpc/trap.c projects/ipsec/sys/sys/param.h projects/ipsec/sys/sys/sysctl.h projects/ipsec/sys/sys/systm.h projects/ipsec/sys/sys/vdso.h projects/ipsec/sys/sys/vnode.h projects/ipsec/sys/vm/default_pager.c projects/ipsec/sys/vm/swap_pager.c projects/ipsec/sys/vm/swap_pager.h projects/ipsec/sys/vm/vm_map.c projects/ipsec/sys/vm/vm_object.c projects/ipsec/sys/vm/vm_object.h projects/ipsec/sys/vm/vm_page.c projects/ipsec/sys/vm/vm_page.h projects/ipsec/sys/vm/vm_reserv.c projects/ipsec/sys/x86/acpica/srat.c projects/ipsec/sys/x86/include/vdso.h projects/ipsec/sys/x86/x86/mca.c projects/ipsec/tests/sys/kern/Makefile projects/ipsec/tests/sys/vfs/Makefile projects/ipsec/tools/build/mk/OptionalObsoleteFiles.inc projects/ipsec/tools/tools/locale/Makefile projects/ipsec/tools/tools/locale/README projects/ipsec/tools/tools/locale/etc/charmaps.xml projects/ipsec/tools/tools/locale/etc/common.UTF-8.src (contents, props changed) projects/ipsec/tools/tools/locale/etc/final-maps/map.GB2312 projects/ipsec/tools/tools/locale/etc/final-maps/map.UTF-8 (contents, props changed) projects/ipsec/tools/tools/locale/etc/unicode.conf projects/ipsec/tools/tools/locale/tools/extract-colldef.awk projects/ipsec/tools/tools/locale/tools/finalize projects/ipsec/usr.bin/bmake/Makefile projects/ipsec/usr.bin/hexdump/display.c projects/ipsec/usr.bin/hexdump/hexdump.c projects/ipsec/usr.bin/iconv/iconv.c projects/ipsec/usr.bin/ident/ident.c projects/ipsec/usr.bin/ktrdump/ktrdump.c projects/ipsec/usr.bin/last/last.c projects/ipsec/usr.bin/ministat/ministat.c 
projects/ipsec/usr.sbin/Makefile projects/ipsec/usr.sbin/bsdinstall/scripts/wlanconfig projects/ipsec/usr.sbin/bsnmpd/modules/snmp_bridge/BEGEMOT-BRIDGE-MIB.txt projects/ipsec/usr.sbin/bsnmpd/tools/bsnmptools/bsnmpget.c projects/ipsec/usr.sbin/cron/crontab/crontab.1 projects/ipsec/usr.sbin/cron/crontab/crontab.c projects/ipsec/usr.sbin/ctladm/ctladm.8 projects/ipsec/usr.sbin/portsnap/portsnap/portsnap.sh projects/ipsec/usr.sbin/syslogd/Makefile projects/ipsec/usr.sbin/syslogd/syslogd.8 projects/ipsec/usr.sbin/syslogd/syslogd.c Directory Properties: projects/ipsec/ (props changed) projects/ipsec/cddl/ (props changed) projects/ipsec/cddl/contrib/opensolaris/ (props changed) projects/ipsec/contrib/binutils/ (props changed) projects/ipsec/contrib/bmake/ (props changed) projects/ipsec/contrib/byacc/ (props changed) projects/ipsec/contrib/compiler-rt/ (props changed) projects/ipsec/contrib/dma/ (props changed) projects/ipsec/contrib/elftoolchain/ (props changed) projects/ipsec/contrib/groff/ (props changed) projects/ipsec/contrib/libarchive/ (props changed) projects/ipsec/contrib/libc++/ (props changed) projects/ipsec/contrib/libc-vis/ (props changed) projects/ipsec/contrib/llvm/ (props changed) projects/ipsec/contrib/llvm/projects/libunwind/ (props changed) projects/ipsec/contrib/llvm/tools/clang/ (props changed) projects/ipsec/contrib/llvm/tools/lld/ (props changed) projects/ipsec/contrib/llvm/tools/lldb/ (props changed) projects/ipsec/contrib/netbsd-tests/ (props changed) projects/ipsec/contrib/subversion/ (props changed) projects/ipsec/contrib/tcpdump/ (props changed) projects/ipsec/contrib/tzdata/ (props changed) projects/ipsec/sys/amd64/amd64/efirt.c (props changed) projects/ipsec/sys/cddl/contrib/opensolaris/ (props changed) Modified: projects/ipsec/Makefile.inc1 ============================================================================== --- projects/ipsec/Makefile.inc1 Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/Makefile.inc1 Thu Dec 22 15:19:31 2016 
(r310415) @@ -1379,7 +1379,8 @@ packages: .PHONY package-pkg: .PHONY rm -rf /tmp/ports.${TARGET} || : env ${WMAKEENV:Q} SRCDIR=${.CURDIR} PORTSDIR=${PORTSDIR} REVISION=${_REVISION} \ - PKG_VERSION=${PKG_VERSION} REPODIR=${REPODIR} WSTAGEDIR=${WSTAGEDIR} \ + PKG_CMD=${PKG_CMD} PKG_VERSION=${PKG_VERSION} REPODIR=${REPODIR} \ + WSTAGEDIR=${WSTAGEDIR} \ sh ${.CURDIR}/release/scripts/make-pkg-package.sh real-packages: stage-packages create-packages sign-packages .PHONY @@ -1417,11 +1418,11 @@ create-world-packages: _pkgbootstrap .PH /^name/ { printf("===> Creating %s-", $$2); next } \ /^version/ { print $$2; next } \ ' ${WSTAGEDIR}/$${pkgname}.ucl ; \ - pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh -o ALLOW_BASE_SHLIBS=yes \ + ${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh -o ALLOW_BASE_SHLIBS=yes \ create -M ${WSTAGEDIR}/$${pkgname}.ucl \ -p ${WSTAGEDIR}/$${pkgname}.plist \ -r ${WSTAGEDIR} \ - -o ${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} ; \ + -o ${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} ; \ done create-kernel-packages: _pkgbootstrap .PHONY @@ -1445,11 +1446,11 @@ create-kernel-packages: _pkgbootstrap .P /name/ { printf("===> Creating %s-", $$2); next } \ /version/ {print $$2; next } ' \ ${KSTAGEDIR}/${DISTDIR}/kernel.${INSTALLKERNEL}${flavor}.ucl ; \ - pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh -o ALLOW_BASE_SHLIBS=yes \ + ${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh -o ALLOW_BASE_SHLIBS=yes \ create -M ${KSTAGEDIR}/${DISTDIR}/kernel.${INSTALLKERNEL}${flavor}.ucl \ -p ${KSTAGEDIR}/${DISTDIR}/kernel.${INSTALLKERNEL}${flavor}.plist \ -r ${KSTAGEDIR}/${DISTDIR} \ - -o ${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} + -o ${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} .endfor .endif .if ${BUILDKERNELS:[#]} > 1 && ${NO_INSTALLEXTRAKERNELS} != "yes" 
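Review bot: `PKG_CMD=${PKG_CMD}` is added to the `env` command line of package-pkg without quoting, so a value containing whitespace (a path with a space, or a command plus options) is split by the shell and the remainder is handed to `env` as further words. `${WMAKEENV:Q}` on the same line already uses the `:Q` modifier, and `PKG_CMD=${PKG_CMD:Q}` would keep the value intact on its way to make-pkg-package.sh. The same variable replaces the literal `pkg` in the create-world-packages and create-kernel-packages hunks that follow and in sign-packages, so whatever it resolves to is the program that builds and signs the repository. Its definition is not visible in these hunks, so it is worth confirming that it has a fixed default.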
@@ -1474,25 +1475,25 @@ create-kernel-packages: _pkgbootstrap .P /name/ { printf("===> Creating %s-", $$2); next } \ /version/ {print $$2; next } ' \ ${KSTAGEDIR}/kernel.${_kernel}/kernel.${_kernel}${flavor}.ucl ; \ - pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh -o ALLOW_BASE_SHLIBS=yes \ + ${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh -o ALLOW_BASE_SHLIBS=yes \ create -M ${KSTAGEDIR}/kernel.${_kernel}/kernel.${_kernel}${flavor}.ucl \ -p ${KSTAGEDIR}/kernel.${_kernel}/kernel.${_kernel}${flavor}.plist \ -r ${KSTAGEDIR}/kernel.${_kernel} \ - -o ${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} + -o ${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} .endfor .endif .endfor .endif sign-packages: _pkgbootstrap .PHONY - @[ -L "${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/latest" ] && \ - unlink ${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/latest ; \ - pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh repo \ - -o ${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} \ - ${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} \ + @[ -L "${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/latest" ] && \ + unlink ${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/latest ; \ + ${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh repo \ + -o ${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} \ + ${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} \ ${PKGSIGNKEY} ; \ - ln -s ${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} \ - ${REPODIR}/$$(pkg -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/latest + ln -s ${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/${PKG_VERSION} \ + ${REPODIR}/$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)/latest # # Modified: projects/ipsec/ObsoleteFiles.inc 
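Review bot: In sign-packages the `$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI)` substitution is evaluated six times and its result is never checked, so if the configured command fails or prints nothing, `unlink`, `repo` and `ln -s` act on `${REPODIR}//latest` and `${REPODIR}//${PKG_VERSION}` instead of stopping. Now that the command is a variable rather than a literal `pkg`, the recipe should resolve the ABI once and fail early, for example `abi=$$(${PKG_CMD} -o ABI_FILE=${WSTAGEDIR}/bin/sh config ABI) && [ -n "$$abi" ] || exit 1 ; \`, and then use `"${REPODIR}/$$abi/latest"` and `"${REPODIR}/$$abi/${PKG_VERSION}"`. Quoting those paths everywhere would also match the `[ -L "..." ]` test, which is the only place the path is quoted today.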
==============================================================================
--- projects/ipsec/ObsoleteFiles.inc Thu Dec 22 15:01:06 2016 (r310414)
+++ projects/ipsec/ObsoleteFiles.inc Thu Dec 22 15:19:31 2016 (r310415)
@@ -38,6 +38,115 @@ # xargs -n1 | sort | uniq -d; # done +# 20161217: new clang import which bumps version from 3.9.0 to 3.9.1. +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/allocator_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/asan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/common_interface_defs.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/coverage_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/dfsan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/esan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/linux_syscall_hooks.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/lsan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/msan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/tsan_interface_atomic.h +OLD_DIRS+=usr/lib/clang/3.9.0/include/sanitizer +OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_cmath.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_intrinsics.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_math_forward_declares.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_runtime_wrapper.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__stddef_max_align_t.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__wmmintrin_aes.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__wmmintrin_pclmul.h +OLD_FILES+=usr/lib/clang/3.9.0/include/adxintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/altivec.h +OLD_FILES+=usr/lib/clang/3.9.0/include/ammintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/arm_acle.h +OLD_FILES+=usr/lib/clang/3.9.0/include/arm_neon.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx2intrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512bwintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512cdintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512dqintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512erintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512fintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512ifmaintrin.h 
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512ifmavlintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512pfintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vbmiintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vbmivlintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlbwintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlcdintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vldqintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/avxintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/bmi2intrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/bmiintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/clflushoptintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/cpuid.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/cuda_builtin_vars.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/emmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/f16cintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/fma4intrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/fmaintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/fxsrintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/htmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/htmxlintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/ia32intrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/immintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/lzcntintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/mm3dnow.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/mm_malloc.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/mmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/module.modulemap
+OLD_FILES+=usr/lib/clang/3.9.0/include/mwaitxintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/nmmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/opencl-c.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/pkuintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/pmmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/popcntintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/prfchwintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/rdseedintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/rtmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/s390intrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/shaintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/smmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/tbmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/tmmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/vadefs.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/vecintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/wmmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/x86intrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/xmmintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/xopintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/xsavecintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/xsaveintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/xsaveoptintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/xsavesintrin.h
+OLD_FILES+=usr/lib/clang/3.9.0/include/xtestintrin.h
+OLD_DIRS+=usr/lib/clang/3.9.0/include
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-i386.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-i386.so
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-preinit-i386.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-preinit-x86_64.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-x86_64.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-x86_64.so
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan_cxx-i386.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan_cxx-x86_64.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-arm.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-i386.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-x86_64.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.safestack-i386.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.safestack-x86_64.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.stats-i386.a
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.stats-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.stats_client-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.stats_client-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone_cxx-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone_cxx-x86_64.a +OLD_DIRS+=usr/lib/clang/3.9.0/lib/freebsd +OLD_DIRS+=usr/lib/clang/3.9.0/lib +OLD_DIRS+=usr/lib/clang/3.9.0 # 20161205: libproc version bump OLD_LIBS+=usr/lib/libproc.so.3 OLD_LIBS+=usr/lib32/libproc.so.3 @@ -533,6 +642,8 @@ OLD_FILES+=usr/share/mdocml/style.css OLD_DIRS+=usr/share/mdocml # 20160114: SA-16:06.snmpd OLD_FILES+=usr/share/examples/etc/snmpd.config +# 20160107: GNU ld installed as ld.bfd and linked as ld +OLD_FILES+=usr/lib/debug/usr/bin/ld.debug # 20151225: new clang import which bumps version from 3.7.0 to 3.7.1. OLD_FILES+=usr/lib/clang/3.7.0/include/sanitizer/allocator_interface.h OLD_FILES+=usr/lib/clang/3.7.0/include/sanitizer/asan_interface.h @@ -2939,7 +3050,6 @@ OLD_FILES+=usr/lib32/libftpio_p.a OLD_FILES+=usr/include/ftpio.h OLD_FILES+=usr/share/man/man3/ftpio.3.gz # 20110915: rename congestion control manpages -OLD_FILES+=usr/share/man/man4/cc.4.gz OLD_FILES+=usr/share/man/man9/cc.9.gz # 20110831: atomic page flags operations OLD_FILES+=usr/share/man/man9/vm_page_flag.9.gz Modified: projects/ipsec/UPDATING ============================================================================== --- projects/ipsec/UPDATING Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/UPDATING Thu Dec 22 15:19:31 2016 (r310415) 
@@ -51,6 +51,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12 ****************************** SPECIAL WARNING: ****************************** +20161217: + Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.1. + Please see the 20141231 entry below for information about prerequisites + and upgrading, if you are not already using clang 3.5.0 or higher. + 20161124: Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.0. Please see the 20141231 entry below for information about prerequisites Modified: projects/ipsec/bin/dd/dd.c ============================================================================== --- projects/ipsec/bin/dd/dd.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/dd/dd.c Thu Dec 22 15:19:31 2016 (r310415) @@ -142,8 +142,6 @@ setup(void) in.fd = open(in.name, O_RDONLY, 0); if (in.fd == -1) err(1, "%s", in.name); - if (caph_limit_stdin() == -1) - err(1, "unable to limit capability rights"); } getfdtype(&in); @@ -176,8 +174,6 @@ setup(void) } if (out.fd == -1) err(1, "%s", out.name); - if (caph_limit_stdout() == -1) - err(1, "unable to limit capability rights"); } getfdtype(&out); @@ -188,6 +184,16 @@ setup(void) errno != ENOSYS) err(1, "unable to limit capability rights"); + if (in.fd != STDIN_FILENO && out.fd != STDIN_FILENO) { + if (caph_limit_stdin() == -1) + err(1, "unable to limit capability rights"); + } + + if (in.fd != STDOUT_FILENO && out.fd != STDOUT_FILENO) { + if (caph_limit_stdout() == -1) + err(1, "unable to limit capability rights"); + } + if (in.fd != STDERR_FILENO && out.fd != STDERR_FILENO) { if (caph_limit_stderr() == -1) err(1, "unable to limit capability rights"); Modified: projects/ipsec/bin/df/Makefile ============================================================================== --- projects/ipsec/bin/df/Makefile Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/df/Makefile Thu Dec 22 15:19:31 2016 (r310415) 
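Review bot: The new stdin and stdout blocks in the dd.c hunk at -188 skip `caph_limit_stdin()` / `caph_limit_stdout()` whenever `in.fd` or `out.fd` is that descriptor, but nothing in the code records why. Every `err()` call also prints the same "unable to limit capability rights" text, so a failure cannot be attributed to a descriptor. A comment above the three blocks would document the intent, for example `/* A standard descriptor that is also in.fd or out.fd must keep the rights dd needs for the transfer, so it is not narrowed here. */`. This is presumably the case where `open()` returned 0 or 1 because that descriptor was closed at startup, which should be confirmed. The messages could also name the stream, for example `err(1, "unable to limit capability rights for stdin");`. setup() begins and ends outside this hunk.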
@@ -10,6 +10,9 @@ SRCS= df.c vfslist.c CFLAGS+= -I${MOUNT} +CFLAGS+= -DMOUNT_CHAR_DEVS +SRCS+= getmntopts.c + LIBADD= xo util .include Modified: projects/ipsec/bin/df/df.c ============================================================================== --- projects/ipsec/bin/df/df.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/df/df.c Thu Dec 22 15:19:31 2016 (r310415) @@ -50,10 +50,15 @@ __FBSDID("$FreeBSD$"); #include #include #include +#ifdef MOUNT_CHAR_DEVS #include +#endif #include #include #include +#ifdef MOUNT_CHAR_DEVS +#include +#endif #include #include #include @@ -98,7 +103,9 @@ imax(int a, int b) static int aflag = 0, cflag, hflag, iflag, kflag, lflag = 0, nflag, Tflag; static int thousands; +#ifdef MOUNT_CHAR_DEVS static struct ufs_args mdev; +#endif int main(int argc, char *argv[]) @@ -107,11 +114,21 @@ main(int argc, char *argv[]) struct statfs statfsbuf, totalbuf; struct maxwidths maxwidths; struct statfs *mntbuf; +#ifdef MOUNT_CHAR_DEVS + struct iovec *iov = NULL; +#endif const char *fstype; - char *mntpath, *mntpt; +#ifdef MOUNT_CHAR_DEVS + char *mntpath; + char errmsg[255] = {0}; +#endif + char *mntpt; const char **vfslist; int i, mntsize; int ch, rv; +#ifdef MOUNT_CHAR_DEVS + int iovlen = 0; +#endif fstype = "ufs"; (void)setlocale(LC_ALL, ""); @@ -227,6 +244,7 @@ main(int argc, char *argv[]) rv = 1; continue; } +#ifdef MOUNT_CHAR_DEVS } else if (S_ISCHR(stbuf.st_mode)) { if ((mntpt = getmntpt(*argv)) == NULL) { mdev.fspec = *argv; 
@@ -243,9 +261,23 @@ main(int argc, char *argv[]) free(mntpath); continue; } - if (mount(fstype, mntpt, MNT_RDONLY, - &mdev) != 0) { - xo_warn("%s", *argv); + if (iov != NULL) + free_iovec(&iov, &iovlen); + build_iovec_argf(&iov, &iovlen, "fstype", "%s", + fstype); + build_iovec_argf(&iov, &iovlen, "fspath", "%s", + mntpath); + build_iovec_argf(&iov, &iovlen, "from", "%s", + *argv); + build_iovec(&iov, &iovlen, "errmsg", errmsg, + sizeof(errmsg)); + if (nmount(iov, iovlen, + MNT_RDONLY|MNT_NOEXEC) < 0) { + if (errmsg[0]) + xo_warn("%s: %s", *argv, + errmsg); + else + xo_warn("%s", *argv); rv = 1; (void)rmdir(mntpt); free(mntpath); @@ -264,6 +296,7 @@ main(int argc, char *argv[]) free(mntpath); continue; } +#endif } else mntpt = *argv; Modified: projects/ipsec/bin/ed/buf.c ============================================================================== --- projects/ipsec/bin/ed/buf.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/ed/buf.c Thu Dec 22 15:19:31 2016 (r310415) @@ -46,9 +46,9 @@ char * get_sbuf_line(line_t *lp) { static char *sfbuf = NULL; /* buffer */ - static int sfbufsz = 0; /* buffer size */ + static size_t sfbufsz; /* buffer size */ - int len, ct; + size_t len; if (lp == &buffer_head) return NULL; @@ -64,7 +64,7 @@ get_sbuf_line(line_t *lp) } len = lp->len; REALLOC(sfbuf, sfbufsz, len + 1, NULL); - if ((ct = fread(sfbuf, sizeof(char), len, sfp)) < 0 || ct != len) { + if (fread(sfbuf, sizeof(char), len, sfp) != len) { fprintf(stderr, "%s\n", strerror(errno)); errmsg = "cannot read temp file"; return NULL; @@ -81,7 +81,7 @@ const char * put_sbuf_line(const char *cs) { line_t *lp; - int len, ct; + size_t len; const char *s; if ((lp = (line_t *) malloc(sizeof(line_t))) == NULL) { 
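Review bot: `errmsg` is zeroed only at its declaration in main(), yet this block runs once per character-device argument, so text left by an earlier failed nmount() would be printed again if a later call fails without filling the buffer. Resetting it before it is passed in, `errmsg[0] = '\0';` ahead of `build_iovec(&iov, &iovlen, "errmsg", errmsg, sizeof(errmsg));`, avoids the stale message. The block also passes `mntpath` as `fspath` while its cleanup calls `rmdir(mntpt)`; using `mntpt` in both places would read more consistently, assuming the two alias the same template buffer as the surrounding code suggests. main() continues outside the hunk.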
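Review bot: In get_sbuf_line() a short `fread()` is now caught by `!= len` alone, but the failure branch still prints `strerror(errno)`, and a short read caused by end of file does not set errno, so the text shown may be unrelated to the problem. Printing the errno text only when `ferror(sfp)` is true would keep the diagnostic accurate; `errmsg = "cannot read temp file"` already covers the end-of-file case. `len = lp->len;` now converts into a `size_t` as well; if that field is declared signed (its declaration is not in these hunks), a negative value would turn into a very large read length, so a range check before the REALLOC would be worth adding. get_sbuf_line() is only partly visible here.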
@@ -110,7 +110,7 @@ put_sbuf_line(const char *cs) seek_write = 0; } /* assert: SPL1() */ - if ((ct = fwrite(cs, sizeof(char), len, sfp)) < 0 || ct != len) { + if (fwrite(cs, sizeof(char), len, sfp) != len) { sfseek = -1; fprintf(stderr, "%s\n", strerror(errno)); errmsg = "cannot write temp file"; Modified: projects/ipsec/bin/ed/ed.h ============================================================================== --- projects/ipsec/bin/ed/ed.h Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/ed/ed.h Thu Dec 22 15:19:31 2016 (r310415) @@ -115,7 +115,7 @@ if (--mutex == 0) { \ /* REALLOC: assure at least a minimum size for buffer b */ #define REALLOC(b,n,i,err) \ if ((i) > (n)) { \ - int ti = (n); \ + size_t ti = (n); \ char *ts; \ SPL1(); \ if ((b) != NULL) { \ @@ -141,7 +141,7 @@ if ((i) > (n)) { \ /* REALLOC: assure at least a minimum size for buffer b */ #define REALLOC(b,n,i,err) \ if ((i) > (n)) { \ - int ti = (n); \ + size_t ti = (n); \ char *ts; \ SPL1(); \ if ((ts = (char *) realloc((b), ti += max((i), MINBUFSZ))) == NULL) { \ Modified: projects/ipsec/bin/ed/glbl.c ============================================================================== --- projects/ipsec/bin/ed/glbl.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/ed/glbl.c Thu Dec 22 15:19:31 2016 (r310415) @@ -146,7 +146,7 @@ int set_active_node(line_t *lp) { if (active_last + 1 > active_size) { - int ti = active_size; + size_t ti = active_size; line_t **ts; SPL1(); #if defined(sun) || defined(NO_REALLOC_NULL) Modified: projects/ipsec/bin/ed/main.c ============================================================================== --- projects/ipsec/bin/ed/main.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/ed/main.c Thu Dec 22 15:19:31 2016 (r310415) 
@@ -1356,7 +1356,7 @@ handle_hup(int signo) char *hup = NULL; /* hup filename */ char *s; char ed_hup[] = "ed.hup"; - int n; + size_t n; if (!sigactive) quit(1); Modified: projects/ipsec/bin/ls/tests/ls_tests.sh ============================================================================== --- projects/ipsec/bin/ls/tests/ls_tests.sh Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/ls/tests/ls_tests.sh Thu Dec 22 15:19:31 2016 (r310415) @@ -697,7 +697,6 @@ atf_test_case o_flag o_flag_head() { atf_set "descr" "Verify that the output from ls -o prints out the chflag values or '-' if none are set" - atf_set "require.user" "root" } o_flag_body() @@ -711,6 +710,7 @@ o_flag_body() atf_check -e ignore -o empty -s exit:0 dd if=/dev/zero of=b.file \ bs=$size count=1 atf_check -e empty -o empty -s exit:0 chflags uarch a.file + atf_check -e empty -o empty -s exit:0 chflags 0 b.file atf_check -e empty -o match:"[[:space:]]+uarch[[:space:]]$size+.+a\\.file" \ -s exit:0 ls -lo a.file Modified: projects/ipsec/bin/pax/buf_subs.c ============================================================================== --- projects/ipsec/bin/pax/buf_subs.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/bin/pax/buf_subs.c Thu Dec 22 15:19:31 2016 (r310415) @@ -852,10 +852,13 @@ buf_fill(void) /* * errors require resync, EOF goes to next archive + * but in case we have not determined yet the format, + * this means that we have a very short file, so we + * are done again. */ if (cnt < 0) break; - if (ar_next() < 0) { + if (frmt == NULL || ar_next() < 0) { fini = 1; return(0); } Modified: projects/ipsec/cddl/contrib/opensolaris/lib/libdtrace/common/dt_dis.c ============================================================================== --- projects/ipsec/cddl/contrib/opensolaris/lib/libdtrace/common/dt_dis.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/cddl/contrib/opensolaris/lib/libdtrace/common/dt_dis.c Thu Dec 22 15:19:31 2016 (r310415) 
@@ -499,7 +499,7 @@ dt_dis(const dtrace_difo_t *dp, FILE *fp if (v->dtdv_flags & DIFV_F_MOD) (void) strcat(flags, "/w"); - (void) fprintf(fp, "%-16s %-4x %-3s %-3s %-4s %s\n", + (void) fprintf(fp, "%-16s %-4u %-3s %-3s %-4s %s\n", &dp->dtdo_strtab[v->dtdv_name], v->dtdv_id, kind, scope, flags + 1, dt_dis_typestr(&v->dtdv_type, type, sizeof (type))); Modified: projects/ipsec/cddl/contrib/opensolaris/lib/libdtrace/common/dt_link.c ============================================================================== --- projects/ipsec/cddl/contrib/opensolaris/lib/libdtrace/common/dt_link.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/cddl/contrib/opensolaris/lib/libdtrace/common/dt_link.c Thu Dec 22 15:19:31 2016 (r310415) @@ -1223,6 +1223,7 @@ process_obj(dtrace_hdl_t *dtp, const cha static const char dt_enabled[] = "enabled"; static const char dt_symprefix[] = "$dtrace"; static const char dt_symfmt[] = "%s%ld.%s"; + char probename[DTRACE_NAMELEN]; int fd, i, ndx, eprobe, mod = 0; Elf *elf = NULL; GElf_Ehdr ehdr; @@ -1576,8 +1577,6 @@ process_obj(dtrace_hdl_t *dtp, const cha bcopy(s, pname, p - s); pname[p - s] = '\0'; - p = strhyphenate(p + 3); /* strlen("___") */ - if (dt_symtab_lookup(data_sym, isym, rela.r_offset, shdr_rel.sh_info, &fsym, (emachine1 == EM_PPC64), elf) != 0) 
@@ -1628,10 +1627,14 @@ process_obj(dtrace_hdl_t *dtp, const cha "no such provider %s", pname)); } - if ((prp = dt_probe_lookup(pvp, p)) == NULL) { + if (strlcpy(probename, p + 3, sizeof (probename)) >= + sizeof (probename)) return (dt_link_error(dtp, elf, fd, bufs, - "no such probe %s", p)); - } + "invalid probe name %s", probename)); + (void) strhyphenate(probename); + if ((prp = dt_probe_lookup(pvp, probename)) == NULL) + return (dt_link_error(dtp, elf, fd, bufs, + "no such probe %s", probename)); assert(fsym.st_value <= rela.r_offset); Modified: projects/ipsec/cddl/usr.sbin/dtrace/tests/tools/exclude.sh ============================================================================== --- projects/ipsec/cddl/usr.sbin/dtrace/tests/tools/exclude.sh Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/cddl/usr.sbin/dtrace/tests/tools/exclude.sh Thu Dec 22 15:19:31 2016 (r310415) @@ -188,3 +188,6 @@ exclude EXFAIL common/usdt/tst.static2.k # Uses the Solaris-specific ppriv(1). exclude EXFAIL common/usdt/tst.user.ksh + +# Triggers a lock assertion by using the raise() action from a profile probe. +exclude SKIP common/ustack/tst.spin.ksh Modified: projects/ipsec/contrib/binutils/bfd/elf.c ============================================================================== --- projects/ipsec/contrib/binutils/bfd/elf.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/binutils/bfd/elf.c Thu Dec 22 15:19:31 2016 (r310415) 
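Review bot: On the truncation path the error prints `probename`, which at that point holds only the clipped copy, so the diagnostic hides exactly the part of the name that made it too long. Passing the source string instead, `"invalid probe name %s", p + 3`, reports what was actually read from the object file. The two new multi-line `if` statements are unbraced, unlike the braced block they replace; adding braces would guard against a later edit slipping a statement outside the condition. process_obj() starts and ends outside the hunk.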
@@ -8826,7 +8826,7 @@ _bfd_elf_get_synthetic_symtab (bfd *abfd count = relplt->size / hdr->sh_entsize; size = count * sizeof (asymbol); p = relplt->relocation; - for (i = 0; i < count; i++, s++, p++) + for (i = 0; i < count; i++, p++) size += strlen ((*p->sym_ptr_ptr)->name) + sizeof ("@plt"); s = *ret = bfd_malloc (size); Modified: projects/ipsec/contrib/binutils/bfd/elflink.c ============================================================================== --- projects/ipsec/contrib/binutils/bfd/elflink.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/binutils/bfd/elflink.c Thu Dec 22 15:19:31 2016 (r310415) @@ -11487,7 +11487,7 @@ _bfd_elf_section_already_linked (bfd *ab abfd, sec); else if (sec->size != 0) { - bfd_byte *sec_contents, *l_sec_contents; + bfd_byte *sec_contents, *l_sec_contents = NULL; if (!bfd_malloc_and_get_section (abfd, sec, &sec_contents)) (*_bfd_error_handler) Modified: projects/ipsec/contrib/bmake/ChangeLog ============================================================================== --- projects/ipsec/contrib/bmake/ChangeLog Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/bmake/ChangeLog Thu Dec 22 15:19:31 2016 (r310415) 
@@ -1,3 +1,32 @@ +2016-12-12 Simon J. Gerraty + + * Makefile (_MAKE_VERSION): 20161212 + Merge with NetBSD make, pick up + o main.c: look for obj.${MACHINE}-${MACHINE_ARCH} too. + +2016-12-09 Simon J. Gerraty + + * Makefile (_MAKE_VERSION): 20161209 + Merge with NetBSD make, pick up + o main.c: cleanup setting of .OBJDIR + o parse.c: avoid coredump from (var)=val + +2016-11-26 Simon J. Gerraty + + * Makefile (_MAKE_VERSION): 20161126 + Merge with NetBSD make, pick up + o make.c: Make_OODate: report src node name if path not set + +2016-09-26 Simon J. Gerraty + + * Makefile (_MAKE_VERSION): 20160926 + Merge with NetBSD make, pick up + o support for .DELETE_ON_ERROR: (remove targets that fail) + +2016-09-26 Simon J. Gerraty + + * Makefile MAN: tweak .Dt to match ${PROG} + 2016-08-18 Simon J. Gerraty * Makefile (_MAKE_VERSION): 20160818 Modified: projects/ipsec/contrib/bmake/Makefile ============================================================================== --- projects/ipsec/contrib/bmake/Makefile Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/bmake/Makefile Thu Dec 22 15:19:31 2016 (r310415) @@ -1,7 +1,7 @@ -# $Id: Makefile,v 1.72 2016/08/18 23:02:26 sjg Exp $ +# $Id: Makefile,v 1.77 2016/12/12 07:34:19 sjg Exp $ # Base version on src date -_MAKE_VERSION= 20160818 +_MAKE_VERSION= 20161212 PROG= bmake @@ -156,7 +156,10 @@ my.history: ${MAKEFILE} .NOPATH: ${MAN} ${MAN}: make.1 my.history @echo making $@ - @sed -e 's/^.Nx/NetBSD/' -e '/^.Nm/s/make/${PROG}/' \ + @sed \ + -e '/^.Dt/s/MAKE/${PROG:tu}/' \ + -e 's/^.Nx/NetBSD/' \ + -e '/^.Nm/s/make/${PROG}/' \ -e '/^.Sh HISTORY/rmy.history' \ -e '/^.Sh HISTORY/,$$s,^.Nm,make,' ${srcdir}/make.1 > $@ Modified: projects/ipsec/contrib/bmake/bmake.1 ============================================================================== --- projects/ipsec/contrib/bmake/bmake.1 Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/bmake/bmake.1 Thu Dec 22 15:19:31 2016 (r310415) 
@@ -1,4 +1,4 @@ -.\" $NetBSD: make.1,v 1.262 2016/08/18 19:23:20 wiz Exp $ +.\" $NetBSD: make.1,v 1.263 2016/08/26 23:37:54 dholland Exp $ .\" .\" Copyright (c) 1990, 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,8 +29,8 @@ .\" .\" from: @(#)make.1 8.4 (Berkeley) 3/19/94 .\" -.Dd August 15, 2016 -.Dt MAKE 1 +.Dd August 26, 2016 +.Dt BMAKE 1 .Os .Sh NAME .Nm bmake @@ -2011,6 +2011,14 @@ variable of a target that inherits .Ic .DEFAULT Ns 's commands is set to the target's own name. +.It Ic .DELETE_ON_ERROR +If this target is present in the makefile, it globally causes make to +delete targets whose commands fail. +(By default, only targets whose commands are interrupted during +execution are deleted. +This is the historical behavior.) +This setting can be used to help prevent half-finished or malformed +targets from being left around and corrupting future rebuilds. .It Ic .END Any command lines attached to this target are executed after everything else is done. Modified: projects/ipsec/contrib/bmake/bmake.cat1 ============================================================================== --- projects/ipsec/contrib/bmake/bmake.cat1 Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/bmake/bmake.cat1 Thu Dec 22 15:19:31 2016 (r310415) @@ -1,4 +1,4 @@ -MAKE(1) NetBSD General Commands Manual MAKE(1) +BMAKE(1) NetBSD General Commands Manual BMAKE(1) NNAAMMEE bbmmaakkee -- maintain program dependencies 
@@ -1285,6 +1285,14 @@ SSPPEECCIIAALL TTAARRGGEETT target that inherits ..DDEEFFAAUULLTT's commands is set to the target's own name. + ..DDEELLEETTEE__OONN__EERRRROORR + If this target is present in the makefile, it globally causes + make to delete targets whose commands fail. (By default, only + targets whose commands are interrupted during execution are + deleted. This is the historical behavior.) This setting can be + used to help prevent half-finished or malformed targets from + being left around and corrupting future rebuilds. + ..EENNDD Any command lines attached to this target are executed after everything else is done. @@ -1498,4 +1506,4 @@ BBUUGGSS There is no way of escaping a space character in a filename. -NetBSD 5.1 August 15, 2016 NetBSD 5.1 +NetBSD 5.1 August 26, 2016 NetBSD 5.1 Modified: projects/ipsec/contrib/bmake/compat.c ============================================================================== --- projects/ipsec/contrib/bmake/compat.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/bmake/compat.c Thu Dec 22 15:19:31 2016 (r310415) @@ -1,4 +1,4 @@ -/* $NetBSD: compat.c,v 1.105 2016/05/12 20:28:34 sjg Exp $ */ +/* $NetBSD: compat.c,v 1.106 2016/08/26 23:28:39 dholland Exp $ */ /* * Copyright (c) 1988, 1989, 1990 The Regents of the University of California. @@ -70,14 +70,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: compat.c,v 1.105 2016/05/12 20:28:34 sjg Exp $"; +static char rcsid[] = "$NetBSD: compat.c,v 1.106 2016/08/26 23:28:39 dholland Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)compat.c 8.2 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: compat.c,v 1.105 2016/05/12 20:28:34 sjg Exp $"); +__RCSID("$NetBSD: compat.c,v 1.106 2016/08/26 23:28:39 dholland Exp $"); #endif #endif /* not lint */ #endif 
@@ -119,6 +119,25 @@ static GNode *curTarg = NULL; static GNode *ENDNode; static void CompatInterrupt(int); +/* + * CompatDeleteTarget -- delete a failed, interrupted, or otherwise + * duffed target if not inhibited by .PRECIOUS. + */ +static void +CompatDeleteTarget(GNode *gn) +{ + if ((gn != NULL) && !Targ_Precious (gn)) { + char *p1; + char *file = Var_Value(TARGET, gn, &p1); + + if (!noExecute && eunlink(file) != -1) { + Error("*** %s removed", file); + } + + free(p1); + } +} + /*- *----------------------------------------------------------------------- * CompatInterrupt -- @@ -132,6 +151,9 @@ static void CompatInterrupt(int); * The target is removed and the process exits. If .INTERRUPT exists, * its commands are run first WITH INTERRUPTS IGNORED.. * + * XXX: is .PRECIOUS supposed to inhibit .INTERRUPT? I doubt it, but I've + * left the logic alone for now. - dholland 20160826 + * *----------------------------------------------------------------------- */ static void @@ -139,16 +161,9 @@ CompatInterrupt(int signo) { GNode *gn; - if ((curTarg != NULL) && !Targ_Precious (curTarg)) { - char *p1; - char *file = Var_Value(TARGET, curTarg, &p1); - - if (!noExecute && eunlink(file) != -1) { - Error("*** %s removed", file); - } - - free(p1); + CompatDeleteTarget(curTarg); + if ((curTarg != NULL) && !Targ_Precious (curTarg)) { /* * Run .INTERRUPT only if hit with interrupt signal */ @@ -158,7 +173,6 @@ CompatInterrupt(int signo) Compat_Make(gn, gn); } } - } if (signo == SIGQUIT) _exit(signo); @@ -447,6 +461,11 @@ again: * continue. */ printf(" (continuing)\n"); + } else { + printf("\n"); + } + if (deleteOnError) { + CompatDeleteTarget(gn); } } else { /* @@ -607,7 +626,7 @@ Compat_Make(void *gnp, void *pgnp) } else if (keepgoing) { pgn->flags &= ~REMAKE; } else { - PrintOnError(gn, "\n\nStop."); + PrintOnError(gn, "\nStop."); exit(1); } } else if (gn->made == ERROR) { 
@@ -698,7 +717,7 @@ Compat_Run(Lst targs) if (gn != NULL) { Compat_Make(gn, gn); if (gn->made == ERROR) { - PrintOnError(gn, "\n\nStop."); + PrintOnError(gn, "\nStop."); exit(1); } } @@ -739,7 +758,7 @@ Compat_Run(Lst targs) if (errors == 0) { Compat_Make(ENDNode, ENDNode); if (gn->made == ERROR) { - PrintOnError(gn, "\n\nStop."); + PrintOnError(gn, "\nStop."); exit(1); } } Modified: projects/ipsec/contrib/bmake/job.c ============================================================================== --- projects/ipsec/contrib/bmake/job.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/bmake/job.c Thu Dec 22 15:19:31 2016 (r310415) @@ -1,4 +1,4 @@ -/* $NetBSD: job.c,v 1.187 2016/05/12 20:28:34 sjg Exp $ */ +/* $NetBSD: job.c,v 1.188 2016/08/26 23:28:39 dholland Exp $ */ /* * Copyright (c) 1988, 1989, 1990 The Regents of the University of California. @@ -70,14 +70,14 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: job.c,v 1.187 2016/05/12 20:28:34 sjg Exp $"; +static char rcsid[] = "$NetBSD: job.c,v 1.188 2016/08/26 23:28:39 dholland Exp $"; #else #include #ifndef lint #if 0 static char sccsid[] = "@(#)job.c 8.2 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: job.c,v 1.187 2016/05/12 20:28:34 sjg Exp $"); +__RCSID("$NetBSD: job.c,v 1.188 2016/08/26 23:28:39 dholland Exp $"); #endif #endif /* not lint */ #endif @@ -404,6 +404,21 @@ job_table_dump(const char *where) } /* + * Delete the target of a failed, interrupted, or otherwise + * unsuccessful job unless inhibited by .PRECIOUS. + */ +static void +JobDeleteTarget(GNode *gn) +{ + if ((gn->type & (OP_JOIN|OP_PHONY)) == 0 && !Targ_Precious(gn)) { + char *file = (gn->path == NULL ? gn->name : gn->path); + if (!noExecute && eunlink(file) != -1) { + Error("*** %s removed", file); + } + } +} + +/* * JobSigLock/JobSigUnlock * * Signal lock routines to get exclusive access. Currently used to 
@@ -1049,6 +1064,9 @@ JobFinish (Job *job, WAIT_T status) if (job->flags & JOB_IGNERR) { WAIT_STATUS(status) = 0; } else { + if (deleteOnError) { + JobDeleteTarget(job->node); + } PrintOnError(job->node, NULL); } } else if (DEBUG(JOB)) { @@ -1066,6 +1084,9 @@ JobFinish (Job *job, WAIT_T status) } (void)printf("*** [%s] Signal %d\n", job->node->name, WTERMSIG(status)); + if (deleteOnError) { + JobDeleteTarget(job->node); + } } (void)fflush(stdout); } @@ -2601,12 +2622,7 @@ JobInterrupt(int runINTERRUPT, int signo gn = job->node; - if ((gn->type & (OP_JOIN|OP_PHONY)) == 0 && !Targ_Precious(gn)) { - char *file = (gn->path == NULL ? gn->name : gn->path); - if (!noExecute && eunlink(file) != -1) { - Error("*** %s removed", file); - } - } + JobDeleteTarget(gn); if (job->pid) { if (DEBUG(JOB)) { (void)fprintf(debug_file, Modified: projects/ipsec/contrib/bmake/main.c ============================================================================== --- projects/ipsec/contrib/bmake/main.c Thu Dec 22 15:01:06 2016 (r310414) +++ projects/ipsec/contrib/bmake/main.c Thu Dec 22 15:19:31 2016 (r310415) @@ -1,4 +1,4 @@ -/* $NetBSD: main.c,v 1.250 2016/08/11 19:53:17 sjg Exp $ */ +/* $NetBSD: main.c,v 1.254 2016/12/10 23:12:39 christos Exp $ */ /* * Copyright (c) 1988, 1989, 1990, 1993 @@ -69,7 +69,7 @@ */ #ifndef MAKE_NATIVE -static char rcsid[] = "$NetBSD: main.c,v 1.250 2016/08/11 19:53:17 sjg Exp $"; +static char rcsid[] = "$NetBSD: main.c,v 1.254 2016/12/10 23:12:39 christos Exp $"; #else #include #ifndef lint @@ -81,7 +81,7 @@ __COPYRIGHT("@(#) Copyright (c) 1988, 19 #if 0 static char sccsid[] = "@(#)main.c 8.3 (Berkeley) 3/19/94"; #else -__RCSID("$NetBSD: main.c,v 1.250 2016/08/11 19:53:17 sjg Exp $"); +__RCSID("$NetBSD: main.c,v 1.254 2016/12/10 23:12:39 christos Exp $"); #endif #endif /* not lint */ #endif 
@@ -155,6 +155,7 @@ Lst create; /* Targets to be made */ time_t now; /* Time at start of make */ GNode *DEFAULT; /* .DEFAULT node */ Boolean allPrecious; /* .PRECIOUS given on line by itself */ +Boolean deleteOnError; /* .DELETE_ON_ERROR: set */ static Boolean noBuiltins; /* -r flag */ static Lst makefiles; /* ordered list of makefiles to read */ @@ -711,18 +712,24 @@ Main_ParseArgLine(const char *line) } Boolean -Main_SetObjdir(const char *path) +Main_SetObjdir(const char *fmt, ...) { struct stat sb; - char *p = NULL; - char buf[MAXPATHLEN + 1]; + char *p, *path; + char buf[MAXPATHLEN + 1], pbuf[MAXPATHLEN + 1]; Boolean rc = FALSE; + va_list ap; + + va_start(ap, fmt); + vsnprintf(path = pbuf, MAXPATHLEN, fmt, ap); + va_end(ap); /* expand variable substitutions */ if (strchr(path, '$') != 0) { snprintf(buf, MAXPATHLEN, "%s", path); path = p = Var_Subst(NULL, buf, VAR_GLOBAL, VARF_WANTRES); - } + } else + p = NULL; if (path[0] != '/') { snprintf(buf, MAXPATHLEN, "%s/%s", curdir, path); @@ -749,6 +756,18 @@ Main_SetObjdir(const char *path) return rc; } +static Boolean +Main_SetVarObjdir(const char *var, const char *suffix) +{ + char *p1, *path; + if ((path = Var_Value(var, VAR_CMD, &p1)) == NULL) + return FALSE; + + (void)Main_SetObjdir("%s%s", path, suffix); + free(p1); + return TRUE; +} + /*- * ReadAllMakefiles -- * wrapper around ReadMakefile() to read all. @@ -979,6 +998,7 @@ main(int argc, char **argv) noRecursiveExecute = FALSE; /* Execute all .MAKE targets */ keepgoing = FALSE; /* Stop on error */ allPrecious = FALSE; /* Remove targets when interrupted */ + deleteOnError = FALSE; /* Historical default behavior */ queryFlag = FALSE; /* This is not just a check-run */ noBuiltins = FALSE; /* Read the built-in rules */ touchFlag = FALSE; /* Actually update targets */ 
@@ -1128,28 +1148,19 @@ main(int argc, char **argv) * MAKEOBJDIR is set in the environment, try only that value * and fall back to .CURDIR if it does not exist. * - * Otherwise, try _PATH_OBJDIR.MACHINE, _PATH_OBJDIR, and - * finally _PATH_OBJDIRPREFIX`pwd`, in that order. If none + * Otherwise, try _PATH_OBJDIR.MACHINE-MACHINE_ARCH, _PATH_OBJDIR.MACHINE, + * and * finally _PATH_OBJDIRPREFIX`pwd`, in that order. If none * of these paths exist, just use .CURDIR. */ Dir_Init(curdir); - (void)Main_SetObjdir(curdir); + (void)Main_SetObjdir("%s", curdir); - if ((path = Var_Value("MAKEOBJDIRPREFIX", VAR_CMD, &p1)) != NULL) { - (void)snprintf(mdpath, MAXPATHLEN, "%s%s", path, curdir); *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-projects@freebsd.org Thu Dec 22 15:46:13 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A235FC8B735 for ; Thu, 22 Dec 2016 15:46:13 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 633DE1259; Thu, 22 Dec 2016 15:46:13 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBMFkCHi010575; Thu, 22 Dec 2016 15:46:12 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBMFkCR0010573; Thu, 22 Dec 2016 15:46:12 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612221546.uBMFkCR0010573@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 22 Dec 2016 15:46:12 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310416 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Dec 2016 15:46:13 -0000 Author: ae Date: Thu Dec 22 15:46:12 2016 New Revision: 310416 URL: https://svnweb.freebsd.org/changeset/base/310416 Log: Fix the build. Modified: projects/ipsec/sys/netipsec/ipsec_support.h projects/ipsec/sys/netipsec/subr_ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec_support.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_support.h Thu Dec 22 15:19:31 2016 (r310415) +++ projects/ipsec/sys/netipsec/ipsec_support.h Thu Dec 22 15:46:12 2016 (r310416) @@ -113,7 +113,7 @@ extern const struct ipsec_support * cons #define IPSEC_CAPS(proto, m, ...) \ (*(proto ## _ipsec_methods)->capability)(m, __VA_ARGS__) #define IPSEC_HDRSIZE(proto, inp) \ - (*(proto ## _ipsec_methods)->hdrsize)(m, inp) + (*(proto ## _ipsec_methods)->hdrsize)(inp) #elif defined(IPSEC_SUPPORT) Modified: projects/ipsec/sys/netipsec/subr_ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/subr_ipsec.c Thu Dec 22 15:19:31 2016 (r310415) +++ projects/ipsec/sys/netipsec/subr_ipsec.c Thu Dec 22 15:46:12 2016 (r310416) 
@@ -64,11 +64,11 @@ RM_SYSINIT(ipsec_kmod_lock, &ipsec_kmod_ #define METHOD_DECL(...) __VA_ARGS__ #define METHOD_ARGS(...) __VA_ARGS__ -#define IPSEC_KMOD_METHOD(name, sc, method, decl, args) \ -name (decl) \ +#define IPSEC_KMOD_METHOD(type, name, sc, method, decl, args) \ +type name (decl) \ { \ struct rm_priotracker tracker; \ - int ret; \ + type ret; \ IPSEC_ASSERT(sc != NULL, ("called with NULL methods")); \ rm_rlock(&ipsec_kmod_lock, &tracker); \ ret = (*sc->method)(args); \ @@ -111,19 +111,19 @@ const int tcp_ipsec_support = 1; volatile int tcp_ipsec_support = 0; const struct tcpmd5_support * volatile tcp_ipsec_methods = NULL; -int IPSEC_KMOD_METHOD(tcpmd5_kmod_input, +IPSEC_KMOD_METHOD(int, tcpmd5_kmod_input, tcp_ipsec_methods, input, METHOD_DECL(struct mbuf *m, struct tcphdr *th, u_char *buf), METHOD_ARGS(m, th, buf) ) -int IPSEC_KMOD_METHOD(tcpmd5_kmod_output, +IPSEC_KMOD_METHOD(int, tcpmd5_kmod_output, tcp_ipsec_methods, output, METHOD_DECL(struct mbuf *m, struct tcphdr *th, u_char *buf), METHOD_ARGS(m, th, buf) ) -int IPSEC_KMOD_METHOD(tcpmd5_kmod_pcbctl, +IPSEC_KMOD_METHOD(int, tcpmd5_kmod_pcbctl, tcp_ipsec_methods, pcbctl, METHOD_DECL(struct inpcb *inp, struct sockopt *sopt), METHOD_ARGS(inp, sopt) @@ -156,7 +156,7 @@ static struct ipsec_support ipv6_ipsec = .output = ipsec6_output, .pcbctl = ipsec6_pcbctl, .capability = ipsec6_capability, - .check_policy = ipsec6_in_reject + .check_policy = ipsec6_in_reject, .hdrsize = ipsec_hdrsiz_inpcb }; const int ipv6_ipsec_support = 1; 
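Review bot: IPSEC_KMOD_METHOD's only guard on `sc` is `IPSEC_ASSERT(sc != NULL, ...)`, and it is evaluated before `rm_rlock(&ipsec_kmod_lock, &tracker)`, while the wrappers generated further down pass volatile globals such as `tcp_ipsec_methods` that are initialised to NULL. If the assertion is compiled out of non-debug kernels, as KASSERT-style macros usually are, and if the pointer can be cleared while a caller is on its way in, then `ret = (*sc->method)(args);` dereferences an unchecked pointer; both conditions depend on code outside this hunk. A comment above the macro naming the caller-side check that guarantees a non-NULL `sc`, for example `/* Callers must test the *_ipsec_support flag first; sc is not re-checked under the lock. */`, would make the precondition explicit, assuming that is the intended contract. The macro body continues past the end of the hunk.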
@@ -171,13 +171,13 @@ volatile int ipv4_ipsec_support = 0; const struct ipsec_support * volatile ipv4_ipsec_methods = NULL; const struct udpencap_support * volatile udp_ipsec_methods = NULL; -int IPSEC_KMOD_METHOD(udpencap_kmod_input, +IPSEC_KMOD_METHOD(int, udpencap_kmod_input, udp_ipsec_methods, input, METHOD_DECL(struct mbuf *m, int off, int af), METHOD_ARGS(m, off, af) ) -int IPSEC_KMOD_METHOD(udpencap_kmod_pcbctl, +IPSEC_KMOD_METHOD(int, udpencap_kmod_pcbctl, udp_ipsec_methods, pcbctl, METHOD_DECL(struct inpcb *inp, struct sockopt *sopt), METHOD_ARGS(inp, sopt) 
@@ -189,37 +189,37 @@ volatile int ipv6_ipsec_support = 0; const struct ipsec_support * volatile ipv6_ipsec_methods = NULL; #endif -int IPSEC_KMOD_METHOD(ipsec_kmod_input, sc, +IPSEC_KMOD_METHOD(int, ipsec_kmod_input, sc, input, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m, - int offset,int proto), METHOD_ARGS(m, offset, proto) + int offset, int proto), METHOD_ARGS(m, offset, proto) ) -int IPSEC_KMOD_METHOD(ipsec_kmod_check_policy, sc, +IPSEC_KMOD_METHOD(int, ipsec_kmod_check_policy, sc, check_policy, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m, struct inpcb *inp), METHOD_ARGS(m, inp) ) -int IPSEC_KMOD_METHOD(ipsec_kmod_forward, sc, +IPSEC_KMOD_METHOD(int, ipsec_kmod_forward, sc, forward, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m), (m) ) -int IPSEC_KMOD_METHOD(ipsec_kmod_output, sc, +IPSEC_KMOD_METHOD(int, ipsec_kmod_output, sc, output, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m, struct inpcb *inp), METHOD_ARGS(m, inp) ) -int IPSEC_KMOD_METHOD(ipsec_kmod_pcbctl, sc, +IPSEC_KMOD_METHOD(int, ipsec_kmod_pcbctl, sc, pcbctl, METHOD_DECL(const struct ipsec_support *sc, struct inpcb *inp, struct sockopt *sopt), METHOD_ARGS(inp, sopt) ) -size_t IPSEC_KMOD_METHOD(ipsec_kmod_hdrsize, sc, +IPSEC_KMOD_METHOD(size_t, ipsec_kmod_hdrsize, sc, hdrsize, METHOD_DECL(const struct ipsec_support *sc, struct inpcb *inp), (inp) ) -int static IPSEC_KMOD_METHOD(ipsec_kmod_caps, sc, +static IPSEC_KMOD_METHOD(int, ipsec_kmod_caps, sc, capability, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m, u_int cap), METHOD_ARGS(m, cap) ) From owner-svn-src-projects@freebsd.org Fri Dec 23 08:18:50 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B5DE5C89228 for ; Fri, 23 Dec 2016 08:18:50 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org 
(repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6BEFB1C5B; Fri, 23 Dec 2016 08:18:50 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBN8InNn021087; Fri, 23 Dec 2016 08:18:49 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBN8Incr021084; Fri, 23 Dec 2016 08:18:49 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612230818.uBN8Incr021084@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 08:18:49 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310460 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 08:18:50 -0000 Author: ae Date: Fri Dec 23 08:18:49 2016 New Revision: 310460 URL: https://svnweb.freebsd.org/changeset/base/310460 Log: Remove last remnants of KEY_DEBUG macro. Modified: projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/key_debug.h projects/ipsec/sys/netipsec/keysock.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Fri Dec 23 07:55:13 2016 (r310459) +++ projects/ipsec/sys/netipsec/key.c Fri Dec 23 08:18:49 2016 (r310460) 
@@ -7199,12 +7199,6 @@ key_parse(struct mbuf *m, struct socket IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); -#if 0 /*kdebug_sadb assumes msg in linear buffer*/ - KEYDEBUG(KEYDEBUG_KEY_DUMP, - ipseclog((LOG_DEBUG, "%s: passed sadb_msg\n", __func__)); - kdebug_sadb(msg)); -#endif - if (m->m_len < sizeof(struct sadb_msg)) { m = m_pullup(m, sizeof(struct sadb_msg)); if (!m) Modified: projects/ipsec/sys/netipsec/key_debug.h ============================================================================== --- projects/ipsec/sys/netipsec/key_debug.h Fri Dec 23 07:55:13 2016 (r310459) +++ projects/ipsec/sys/netipsec/key_debug.h Fri Dec 23 08:18:49 2016 (r310460) @@ -58,9 +58,6 @@ arg; \ } -#define KEYDEBUG(lev,arg) \ - do { if ((V_key_debug_level & (lev)) == (lev)) { arg; } } while (0) - VNET_DECLARE(uint32_t, key_debug_level); #define V_key_debug_level VNET(key_debug_level) #endif /*_KERNEL*/ Modified: projects/ipsec/sys/netipsec/keysock.c ============================================================================== --- projects/ipsec/sys/netipsec/keysock.c Fri Dec 23 07:55:13 2016 (r310459) +++ projects/ipsec/sys/netipsec/keysock.c Fri Dec 23 08:18:49 2016 (r310460) @@ -115,7 +115,7 @@ key_output(struct mbuf *m, struct socket M_ASSERTPKTHDR(m); - KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m)); + KEYDBG(KEY_DUMP, kdebug_mbuf(m)); msg = mtod(m, struct sadb_msg *); PFKEYSTAT_INC(out_msgtype[msg->sadb_msg_type]); 
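Review bot: `KEYDBG(KEY_DUMP, kdebug_mbuf(m));` in key_output() dumps the whole PF_KEY message, and the same level in key_sendup() (the following keysock.c hunk) calls `kdebug_sadb(msg)`; such messages can carry SA key extensions, so enabling this level presumably writes key material to the console or system log. A comment at both sites, for example `/* KEY_DUMP prints full PF_KEY messages, keys included; for debugging only. */`, would make that visible to whoever raises the debug level on a production host. Whether KEYDBG compiles to nothing without a debug option is decided in key_debug.h, outside these hunks. key_output() continues outside the hunk.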
@@ -181,9 +181,9 @@ key_sendup(struct socket *so, struct sad if (so == NULL || msg == NULL) panic("%s: NULL pointer was passed.\n", __func__); - KEYDEBUG(KEYDEBUG_KEY_DUMP, - printf("%s: \n", __func__); - kdebug_sadb(msg)); + KEYDBG(KEY_DUMP, + printf("%s: \n", __func__); + kdebug_sadb(msg)); /* * we increment statistics here, just in case we have ENOBUFS From owner-svn-src-projects@freebsd.org Fri Dec 23 08:31:31 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 49037C894F1 for ; Fri, 23 Dec 2016 08:31:31 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 046CD1229; Fri, 23 Dec 2016 08:31:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBN8VUam025232; Fri, 23 Dec 2016 08:31:30 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBN8VUbv025231; Fri, 23 Dec 2016 08:31:30 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612230831.uBN8VUbv025231@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 08:31:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310461 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 08:31:31 -0000 Author: ae Date: Fri Dec 23 08:31:29 2016 New Revision: 310461 URL: https://svnweb.freebsd.org/changeset/base/310461 Log: Do not log error message in ipsec_init_pcbpolicy(). This code is invoked from PCB layer and PCB usually doesn't reports errors via syslog. I think it is enough to return proper error code. Modified: projects/ipsec/sys/netipsec/ipsec_pcb.c Modified: projects/ipsec/sys/netipsec/ipsec_pcb.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_pcb.c Fri Dec 23 08:18:49 2016 (r310460) +++ projects/ipsec/sys/netipsec/ipsec_pcb.c Fri Dec 23 08:31:29 2016 (r310461) 
@@ -63,10 +63,8 @@ ipsec_init_pcbpolicy(struct inpcb *inp) inp->inp_sp = malloc(sizeof(struct inpcbpolicy), M_IPSEC_INPCB, M_NOWAIT | M_ZERO); - if (inp->inp_sp == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); + if (inp->inp_sp == NULL) return (ENOBUFS); - } return (0); } From owner-svn-src-projects@freebsd.org Fri Dec 23 08:49:32 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2CDBFC899DF for ; Fri, 23 Dec 2016 08:49:32 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E38DC1D0E; Fri, 23 Dec 2016 08:49:31 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBN8nV5l033464; Fri, 23 Dec 2016 08:49:31 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBN8nUu1033462; Fri, 23 Dec 2016 08:49:30 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612230849.uBN8nUu1033462@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 08:49:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310464 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 08:49:32 -0000 Author: ae Date: Fri Dec 23 08:49:30 2016 New Revision: 310464 URL: https://svnweb.freebsd.org/changeset/base/310464 Log: Move ipsec_debug definition into key.c. IPsec related sysctl nodes are defined in the in[6]_proto.c. When only IPSEC_SUPPORT option is defined, ipsec.c will not be build in the kernel, but a lot of debugging code depends from ipsec_debug variable. Having ipsec_debug in the key.c allows to use debugging code. Modified: projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Fri Dec 23 08:44:10 2016 (r310463) +++ projects/ipsec/sys/netipsec/ipsec.c Fri Dec 23 08:49:30 2016 (r310464) @@ -100,12 +100,6 @@ #include -#ifdef IPSEC_DEBUG -VNET_DEFINE(int, ipsec_debug) = 1; -#else -VNET_DEFINE(int, ipsec_debug) = 0; -#endif - /* NB: name changed so netstat doesn't use it. */ VNET_PCPUSTAT_DEFINE(struct ipsecstat, ipsec4stat); VNET_PCPUSTAT_SYSINIT(ipsec4stat); 
@@ -181,9 +175,6 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFB SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0, "Explicit Congestion Notification handling."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug, - CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, - "Enable IPsec debugging output when set."); SYSCTL_INT(_net_inet_ipsec, OID_AUTO, crypto_support, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(crypto_support), 0, "Crypto driver selection."); @@ -256,9 +247,6 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_D SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, ecn, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_ipsec_ecn), 0, "Explicit Congestion Notification handling."); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, - CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, - "Enable IPsec debugging output when set."); SYSCTL_INT(_net_inet6_ipsec6, OID_AUTO, filtertunnel, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_filtertunnel), 0, "If set filter packets from an IPsec tunnel."); Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Fri Dec 23 08:44:10 2016 (r310463) +++ projects/ipsec/sys/netipsec/key.c Fri Dec 23 08:49:30 2016 (r310464) 
@@ -383,10 +383,26 @@ static VNET_DEFINE(int, ipsec_ah_keymin) #define V_ipsec_esp_auth VNET(ipsec_esp_auth) #define V_ipsec_ah_keymin VNET(ipsec_ah_keymin) -#ifdef SYSCTL_DECL -SYSCTL_DECL(_net_key); +#ifdef IPSEC_DEBUG +VNET_DEFINE(int, ipsec_debug) = 1; +#else +VNET_DEFINE(int, ipsec_debug) = 0; +#endif + +#ifdef INET +SYSCTL_DECL(_net_inet_ipsec); +SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, debug, + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, + "Enable IPsec debugging output when set."); +#endif +#ifdef INET6 +SYSCTL_DECL(_net_inet6_ipsec6); +SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug, + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0, + "Enable IPsec debugging output when set."); #endif +SYSCTL_DECL(_net_key); SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(key_debug_level), 0, ""); From owner-svn-src-projects@freebsd.org Fri Dec 23 09:10:59 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 16E63C8C5B3 for ; Fri, 23 Dec 2016 09:10:59 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DABBE1BEE; Fri, 23 Dec 2016 09:10:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBN9AwQq042222; Fri, 23 Dec 2016 09:10:58 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBN9AvRA042214; Fri, 23 Dec 2016 09:10:57 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612230910.uBN9AvRA042214@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using 
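Review bot: The two `SYSCTL_INT` nodes added here, under `_net_inet_ipsec` and `_net_inet6_ipsec6`, both point at the single `VNET_NAME(ipsec_debug)`, so writing either OID switches debugging output for both address families, and nothing in the hunk says so. A one-line comment above the `#ifdef INET` block would make that explicit, for example `/* Both "debug" OIDs below are aliases for the same per-VNET ipsec_debug. */`. Because the knob is `CTLFLAG_RW` and defaults to 1 when `IPSEC_DEBUG` is defined, the comment could also say that the default depends on that kernel option.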
-f From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 09:10:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310468 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 09:10:59 -0000 Author: ae Date: Fri Dec 23 09:10:57 2016 New Revision: 310468 URL: https://svnweb.freebsd.org/changeset/base/310468 Log: Move ipsec_newisr() and ipsec_delisr() into key.c. Move ipsec_address() and ipsec_logsastr() into key_debug.c. Also rename ipsec_sa2str() to reflect in the name what it actually does. Modified: projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/ipsec.h projects/ipsec/sys/netipsec/ipsec_input.c projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/key_debug.c projects/ipsec/sys/netipsec/key_debug.h projects/ipsec/sys/netipsec/xform_ah.c projects/ipsec/sys/netipsec/xform_esp.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Fri Dec 23 08:59:23 2016 (r310467) +++ projects/ipsec/sys/netipsec/ipsec.c Fri Dec 23 09:10:57 2016 (r310468) @@ -941,21 +941,6 @@ ipsec_run_hhooks(struct ipsec_ctx_data * return (0); } -struct ipsecrequest * -ipsec_newisr(void) -{ - - return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, - M_NOWAIT | M_ZERO)); -} - -void -ipsec_delisr(struct ipsecrequest *p) -{ - - free(p, M_IPSEC_SR); -} - /* * Return current level. * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. 
@@ -1428,7 +1413,7 @@ ok: ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n", __func__, replay->overflow, - ipsec_logsastr(sav, buf, sizeof(buf)))); + ipsec_sa2str(sav, buf, sizeof(buf)))); } return (0); } 
@@ -1479,73 +1464,6 @@ ipsec_updateid(struct secasvar *sav, uin return (0); } -/* Return a printable string for the address. */ -char* -ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size) -{ - - switch (sa->sa.sa_family) { -#ifdef INET - case AF_INET: - return (inet_ntop(AF_INET, &sa->sin.sin_addr, buf, size)); -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6.sin6_addr)) { - snprintf(buf, size, "%s%%%u", inet_ntop(AF_INET6, - &sa->sin6.sin6_addr, buf, size), - sa->sin6.sin6_scope_id); - return (buf); - } else - return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr, - buf, size)); -#endif /* INET6 */ - case 0: - return ("*"); - default: - return ("(unknown address family)"); - } -} - -char * -ipsec_logsastr(struct secasvar *sav, char *buf, size_t size) -{ - char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; - - IPSEC_ASSERT(sav->sah->saidx.src.sa.sa_family == - sav->sah->saidx.dst.sa.sa_family, ("address family mismatch")); - - snprintf(buf, size, "SA(SPI=%08lx src=%s dst=%s)", - (u_long)ntohl(sav->spi), - ipsec_address(&sav->sah->saidx.src, sbuf, sizeof(sbuf)), - ipsec_address(&sav->sah->saidx.dst, dbuf, sizeof(dbuf))); - return (buf); -} - -void -ipsec_dumpmbuf(const struct mbuf *m) -{ - const u_char *p; - int totlen; - int i; - - totlen = 0; - printf("---\n"); - while (m) { - p = mtod(m, const u_char *); - for (i = 0; i < m->m_len; i++) { - printf("%02x ", p[i]); - totlen++; - if (totlen % 16 == 0) - printf("\n"); - } - m = m->m_next; - } - if (totlen % 16 != 0) - printf("\n"); - printf("---\n"); -} - static void def_policy_init(const void *unused __unused) { Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Fri Dec 23 08:59:23 2016 (r310467) +++ projects/ipsec/sys/netipsec/ipsec.h Fri Dec 23 09:10:57 2016 (r310468) 
@@ -320,10 +320,6 @@ int ipsec_updateid(struct secasvar *, ui void ipsec_setsockaddrs(const struct mbuf *, union sockaddr_union *, union sockaddr_union *); -char *ipsec_address(const union sockaddr_union *, char *, socklen_t); -char *ipsec_logsastr(struct secasvar *, char *, size_t); - -extern void ipsec_dumpmbuf(const struct mbuf *); int ipsec4_in_reject(const struct mbuf *, struct inpcb *); int ipsec4_input(struct mbuf *, int, int); Modified: projects/ipsec/sys/netipsec/ipsec_input.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_input.c Fri Dec 23 08:59:23 2016 (r310467) +++ projects/ipsec/sys/netipsec/ipsec_input.c Fri Dec 23 09:10:57 2016 (r310468) @@ -90,6 +90,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Fri Dec 23 08:59:23 2016 (r310467) +++ projects/ipsec/sys/netipsec/key.c Fri Dec 23 09:10:57 2016 (r310468) @@ -1245,6 +1245,21 @@ key_newsp(void) return (sp); } +struct ipsecrequest * +ipsec_newisr(void) +{ + + return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, + M_NOWAIT | M_ZERO)); +} + +void +ipsec_delisr(struct ipsecrequest *p) +{ + + free(p, M_IPSEC_SR); +} + /* * create secpolicy structure from sadb_x_policy structure. * NOTE: `state', `secpolicyindex' and 'id' in secpolicy structure Modified: projects/ipsec/sys/netipsec/key_debug.c ============================================================================== --- projects/ipsec/sys/netipsec/key_debug.c Fri Dec 23 08:59:23 2016 (r310467) +++ projects/ipsec/sys/netipsec/key_debug.c Fri Dec 23 09:10:57 2016 (r310468) 
@@ -787,6 +787,47 @@ kdebug_mbuf(const struct mbuf *m0) return; } + +/* Return a printable string for the address. */ +char * +ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size) +{ + + switch (sa->sa.sa_family) { +#ifdef INET + case AF_INET: + return (inet_ntop(AF_INET, &sa->sin.sin_addr, buf, size)); +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6.sin6_addr)) { + snprintf(buf, size, "%s%%%u", inet_ntop(AF_INET6, + &sa->sin6.sin6_addr, buf, size), + sa->sin6.sin6_scope_id); + return (buf); + } else + return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr, + buf, size)); +#endif /* INET6 */ + case 0: + return ("*"); + default: + return ("(unknown address family)"); + } +} + +char * +ipsec_sa2str(struct secasvar *sav, char *buf, size_t size) +{ + char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; + + snprintf(buf, size, "SA(SPI=%08lx src=%s dst=%s)", + (u_long)ntohl(sav->spi), + ipsec_address(&sav->sah->saidx.src, sbuf, sizeof(sbuf)), + ipsec_address(&sav->sah->saidx.dst, dbuf, sizeof(dbuf))); + return (buf); +} + #endif /* _KERNEL */ void Modified: projects/ipsec/sys/netipsec/key_debug.h ============================================================================== --- projects/ipsec/sys/netipsec/key_debug.h Fri Dec 23 08:59:23 2016 (r310467) +++ projects/ipsec/sys/netipsec/key_debug.h Fri Dec 23 09:10:57 2016 (r310468) @@ -75,6 +75,7 @@ struct secashead; struct secasvar; struct secreplay; struct mbuf; +union sockaddr_union; const char* kdebug_secpolicy_state(u_int); const char* kdebug_secpolicy_policy(u_int); const char* kdebug_secpolicyindex_dir(u_int); 
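Review bot: In `ipsec_address()`, the link-local branch of `case AF_INET6` passes the result of `inet_ntop(..., buf, size)` as the `%s` argument of an `snprintf()` that writes into the same `buf`, so source and destination overlap. ISO C leaves that undefined, and it only works as long as the kernel formatter happens to copy in place byte by byte. Formatting the address into a scratch buffer first removes the dependency: declare `char addr[INET6_ADDRSTRLEN];` and call `snprintf(buf, size, "%s%%%u", inet_ntop(AF_INET6, &sa->sin6.sin6_addr, addr, sizeof(addr)), sa->sin6.sin6_scope_id);`. Separately, the `case 0` and `default` arms return string literals through a plain `char *`, so the header comment should say that the result is read-only and is not always `buf`.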
@@ -88,6 +89,8 @@ void kdebug_secash(struct secashead *, c void kdebug_secasv(struct secasvar *); void kdebug_mbufhdr(const struct mbuf *); void kdebug_mbuf(const struct mbuf *); +char *ipsec_address(const union sockaddr_union *, char *, socklen_t); +char *ipsec_sa2str(struct secasvar *, char *, size_t); #endif /*_KERNEL*/ struct sockaddr; Modified: projects/ipsec/sys/netipsec/xform_ah.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 08:59:23 2016 (r310467) +++ projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 09:10:57 2016 (r310468) @@ -614,7 +614,7 @@ ah_input(struct mbuf *m, struct secasvar SECASVAR_UNLOCK(sav); AHSTAT_INC(ahs_replay); DPRINTF(("%s: packet replay failure: %s\n", __func__, - ipsec_logsastr(sav, buf, sizeof(buf)))); + ipsec_sa2str(sav, buf, sizeof(buf)))); m_freem(m); return (EACCES); } Modified: projects/ipsec/sys/netipsec/xform_esp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 08:59:23 2016 (r310467) +++ projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 09:10:57 2016 (r310468) @@ -360,7 +360,7 @@ esp_input(struct mbuf *m, struct secasva if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) { SECASVAR_UNLOCK(sav); DPRINTF(("%s: packet replay check for %s\n", __func__, - ipsec_logsastr(sav, buf, sizeof(buf)))); + ipsec_sa2str(sav, buf, sizeof(buf)))); ESPSTAT_INC(esps_replay); m_freem(m); return (EACCES); 
@@ -561,7 +561,7 @@ esp_input_cb(struct cryptop *crp) if (ipsec_updatereplay(ntohl(seq), sav)) { SECASVAR_UNLOCK(sav); DPRINTF(("%s: packet replay check for %s\n", __func__, - ipsec_logsastr(sav, buf, sizeof(buf)))); + ipsec_sa2str(sav, buf, sizeof(buf)))); ESPSTAT_INC(esps_replay); error = EACCES; goto bad; From owner-svn-src-projects@freebsd.org Fri Dec 23 11:26:30 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4F2F0C8D105 for ; Fri, 23 Dec 2016 11:26:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1EA8B1E85; Fri, 23 Dec 2016 11:26:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBNBQTxh099417; Fri, 23 Dec 2016 11:26:29 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBNBQSFb099412; Fri, 23 Dec 2016 11:26:28 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612231126.uBNBQSFb099412@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 11:26:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310473 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 11:26:30 -0000 Author: ae Date: Fri Dec 23 11:26:28 2016 New Revision: 310473 URL: https://svnweb.freebsd.org/changeset/base/310473 Log: Rework [ah|esp|ipcomp]_algorithm_lookup() functions. Since these functions depend from crypto(4), move them into key.c. Modified: projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/xform.h projects/ipsec/sys/netipsec/xform_ah.c projects/ipsec/sys/netipsec/xform_esp.c projects/ipsec/sys/netipsec/xform_ipcomp.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Fri Dec 23 09:39:50 2016 (r310472) +++ projects/ipsec/sys/netipsec/key.c Fri Dec 23 11:26:28 2016 (r310473) 
@@ -509,6 +509,47 @@ struct sadb_msghdr { int extlen[SADB_EXT_MAX + 1]; }; +static struct supported_ealgs { + int sadb_alg; + const struct enc_xform *xform; +} supported_ealgs[] = { + { SADB_EALG_DESCBC, &enc_xform_des }, + { SADB_EALG_3DESCBC, &enc_xform_3des }, + { SADB_X_EALG_AES, &enc_xform_rijndael128 }, + { SADB_X_EALG_BLOWFISHCBC, &enc_xform_blf }, + { SADB_X_EALG_CAST128CBC, &enc_xform_cast5 }, + { SADB_EALG_NULL, &enc_xform_null }, + { SADB_X_EALG_CAMELLIACBC, &enc_xform_camellia }, + { SADB_X_EALG_AESCTR, &enc_xform_aes_icm }, + { SADB_X_EALG_AESGCM16, &enc_xform_aes_nist_gcm }, + { SADB_X_EALG_AESGMAC, &enc_xform_aes_nist_gmac }, +}; + +static struct supported_aalgs { + int sadb_alg; + const struct auth_hash *xform; +} supported_aalgs[] = { + { SADB_X_AALG_NULL, &auth_hash_null }, + { SADB_AALG_MD5HMAC, &auth_hash_hmac_md5 }, + { SADB_AALG_SHA1HMAC, &auth_hash_hmac_sha1 }, + { SADB_X_AALG_RIPEMD160HMAC, &auth_hash_hmac_ripemd_160 }, + { SADB_X_AALG_MD5, &auth_hash_key_md5 }, + { SADB_X_AALG_SHA, &auth_hash_key_sha1 }, + { SADB_X_AALG_SHA2_256, &auth_hash_hmac_sha2_256 }, + { SADB_X_AALG_SHA2_384, &auth_hash_hmac_sha2_384 }, + { SADB_X_AALG_SHA2_512, &auth_hash_hmac_sha2_512 }, + { SADB_X_AALG_AES128GMAC, &auth_hash_nist_gmac_aes_128 }, + { SADB_X_AALG_AES192GMAC, &auth_hash_nist_gmac_aes_192 }, + { SADB_X_AALG_AES256GMAC, &auth_hash_nist_gmac_aes_256 }, +}; + +static struct supported_calgs { + int sadb_alg; + const struct comp_algo *xform; +} supported_calgs[] = { + { SADB_X_CALG_DEFLATE, &comp_algo_deflate }, +}; + #ifndef IPSEC_DEBUG2 static struct callout key_timer; #endif @@ -600,7 +641,7 @@ static int key_get(struct socket *, stru const struct sadb_msghdr *); static void key_getcomb_setlifetime(struct sadb_comb *); -static struct mbuf *key_getcomb_esp(void); +static struct mbuf *key_getcomb_ealg(void); static struct mbuf *key_getcomb_ah(void); static struct mbuf *key_getcomb_ipcomp(void); static struct mbuf *key_getprop(const struct secasindex *); 
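Review bot: The three lookup tables `supported_ealgs[]`, `supported_aalgs[]` and `supported_calgs[]` are declared `static struct ...` without `const`, although nothing in the visible diff writes to them and their `xform` members are already pointers to const. Declaring them `static const struct supported_ealgs {` (and likewise for the other two) lets the compiler place the tables in read-only data and turns an accidental write into a compile error. A short comment above them, such as `/* Map PF_KEY SADB_* algorithm identifiers to crypto(4) transform descriptors. */`, would also tell the reader that these tables decide which algorithms the lookup functions accept.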
@@ -5777,10 +5818,10 @@ key_getcomb_setlifetime(struct sadb_comb * XXX no idea if the user wants ESP authentication or not */ static struct mbuf * -key_getcomb_esp() +key_getcomb_ealg(void) { struct sadb_comb *comb; - struct enc_xform *algo; + const struct enc_xform *algo; struct mbuf *result = NULL, *m, *n; int encmin; int i, off, o; @@ -5789,7 +5830,7 @@ key_getcomb_esp() m = NULL; for (i = 1; i <= SADB_EALG_MAX; i++) { - algo = esp_algorithm_lookup(i); + algo = enc_algorithm_lookup(i); if (algo == NULL) continue; @@ -5882,8 +5923,8 @@ key_getsizes_ah(const struct auth_hash * static struct mbuf * key_getcomb_ah() { + const struct auth_hash *algo; struct sadb_comb *comb; - struct auth_hash *algo; struct mbuf *m; u_int16_t minkeysize, maxkeysize; int i; @@ -5900,7 +5941,7 @@ key_getcomb_ah() i != SADB_X_AALG_SHA2_512) continue; #endif - algo = ah_algorithm_lookup(i); + algo = auth_algorithm_lookup(i); if (!algo) continue; key_getsizes_ah(algo, i, &minkeysize, &maxkeysize); @@ -5940,15 +5981,15 @@ key_getcomb_ah() static struct mbuf * key_getcomb_ipcomp() { + const struct comp_algo *algo; struct sadb_comb *comb; - struct comp_algo *algo; struct mbuf *m; int i; const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb)); m = NULL; for (i = 1; i <= SADB_X_CALG_MAX; i++) { - algo = ipcomp_algorithm_lookup(i); + algo = comp_algorithm_lookup(i); if (!algo) continue; @@ -5991,7 +6032,7 @@ key_getprop(const struct secasindex *sai switch (saidx->proto) { case IPPROTO_ESP: - m = key_getcomb_esp(); + m = key_getcomb_ealg(); break; case IPPROTO_AH: m = key_getcomb_ah(); 
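Review bot: `key_getcomb_ealg(void)` now has a prototype-style definition, but the definitions of `key_getcomb_ah()` and `key_getcomb_ipcomp()` shown as context in the later hunks on this line keep the empty parameter list, which in C is an old-style declaration rather than "no arguments". For consistency with the forward declarations, which already use `(void)`, those two should become `key_getcomb_ah(void)` and `key_getcomb_ipcomp(void)`. The rename also leaves the three helpers with mixed naming (`_ealg` beside `_ah` and `_ipcomp`), so a brief comment on `key_getcomb_ealg()` that it builds the ESP proposal would keep the link to `IPPROTO_ESP` in `key_getprop()` obvious.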
@@ -6614,14 +6655,14 @@ key_register(struct socket *so, struct m /* create new sadb_msg to reply. */ alen = 0; for (i = 1; i <= SADB_AALG_MAX; i++) { - if (ah_algorithm_lookup(i)) + if (auth_algorithm_lookup(i)) alen += sizeof(struct sadb_alg); } if (alen) alen += sizeof(struct sadb_supported); elen = 0; for (i = 1; i <= SADB_EALG_MAX; i++) { - if (esp_algorithm_lookup(i)) + if (enc_algorithm_lookup(i)) elen += sizeof(struct sadb_alg); } if (elen) @@ -6660,10 +6701,10 @@ key_register(struct socket *so, struct m off += PFKEY_ALIGN8(sizeof(*sup)); for (i = 1; i <= SADB_AALG_MAX; i++) { - struct auth_hash *aalgo; + const struct auth_hash *aalgo; u_int16_t minkeysize, maxkeysize; - aalgo = ah_algorithm_lookup(i); + aalgo = auth_algorithm_lookup(i); if (!aalgo) continue; alg = (struct sadb_alg *)(mtod(n, caddr_t) + off); @@ -6684,9 +6725,9 @@ key_register(struct socket *so, struct m off += PFKEY_ALIGN8(sizeof(*sup)); for (i = 1; i <= SADB_EALG_MAX; i++) { - struct enc_xform *ealgo; + const struct enc_xform *ealgo; - ealgo = esp_algorithm_lookup(i); + ealgo = enc_algorithm_lookup(i); if (!ealgo) continue; alg = (struct sadb_alg *)(mtod(n, caddr_t) + off); 
@@ -7900,6 +7941,39 @@ key_setlifetime(struct seclifetime *src, } +const struct enc_xform * +enc_algorithm_lookup(int alg) +{ + int i; + + for (i = 0; i < nitems(supported_ealgs); i++) + if (alg == supported_ealgs[i].sadb_alg) + return (supported_ealgs[i].xform); + return (NULL); +} + +const struct auth_hash * +auth_algorithm_lookup(int alg) +{ + int i; + + for (i = 0; i < nitems(supported_aalgs); i++) + if (alg == supported_aalgs[i].sadb_alg) + return (supported_aalgs[i].xform); + return (NULL); +} + +const struct comp_algo * +comp_algorithm_lookup(int alg) +{ + int i; + + for (i = 0; i < nitems(supported_calgs); i++) + if (alg == supported_calgs[i].sadb_alg) + return (supported_calgs[i].xform); + return (NULL); +} + /* * Register a transform; typically at system startup. */ Modified: projects/ipsec/sys/netipsec/xform.h ============================================================================== --- projects/ipsec/sys/netipsec/xform.h Fri Dec 23 09:39:50 2016 (r310472) +++ projects/ipsec/sys/netipsec/xform.h Fri Dec 23 11:26:28 2016 (r310473) @@ -98,6 +98,10 @@ struct xformsw { }; #ifdef _KERNEL +const struct enc_xform * enc_algorithm_lookup(int); +const struct auth_hash * auth_algorithm_lookup(int); +const struct comp_algo * comp_algorithm_lookup(int); + extern void xform_register(struct xformsw*); extern int xform_ah_authsize(struct auth_hash *esph); 
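Review bot: `enc_algorithm_lookup()`, `auth_algorithm_lookup()` and `comp_algorithm_lookup()` compare a signed `int i` with `nitems(...)`, which is normally an unsigned `sizeof` quotient. Declaring the index as `size_t i;` avoids the signed/unsigned comparison in all three loops. The functions also have no header comment; one line such as `/* Map a PF_KEY SADB_* algorithm identifier to its transform, or NULL if unsupported. */` would document the NULL return that callers like `key_register()` and `ah_init0()` test for.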
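Review bot: The new prototypes in xform.h return `const struct auth_hash *`, but the context line just below still declares `xform_ah_authsize(struct auth_hash *esph)` with a non-const parameter, so a caller that passes a looked-up hash to it would have to cast the qualifier away. If the function only reads the descriptor (its body is not in this hunk), changing the prototype and its definition to `xform_ah_authsize(const struct auth_hash *esph)` keeps the const chain intact. The added prototypes are also written `* name(int)`, unlike the `*name` spacing of the neighbouring declarations.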
@@ -106,15 +110,10 @@ struct cryptoini; /* XF_AH */ extern int ah_init0(struct secasvar *, struct xformsw *, struct cryptoini *); extern int ah_zeroize(struct secasvar *sav); -extern struct auth_hash *ah_algorithm_lookup(int alg); extern size_t ah_hdrsiz(struct secasvar *); /* XF_ESP */ -extern struct enc_xform *esp_algorithm_lookup(int alg); extern size_t esp_hdrsiz(struct secasvar *sav); -/* XF_COMP */ -extern struct comp_algo *ipcomp_algorithm_lookup(int alg); - #endif /* _KERNEL */ #endif /* _NETIPSEC_XFORM_H_ */ Modified: projects/ipsec/sys/netipsec/xform_ah.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 09:39:50 2016 (r310472) +++ projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 11:26:28 2016 (r310473) @@ -141,43 +141,6 @@ xform_ah_authsize(struct auth_hash *esph return alen; } -/* - * NB: this is public for use by the PF_KEY support. - */ -struct auth_hash * -ah_algorithm_lookup(int alg) -{ - if (alg > SADB_AALG_MAX) - return NULL; - switch (alg) { - case SADB_X_AALG_NULL: - return &auth_hash_null; - case SADB_AALG_MD5HMAC: - return &auth_hash_hmac_md5; - case SADB_AALG_SHA1HMAC: - return &auth_hash_hmac_sha1; - case SADB_X_AALG_RIPEMD160HMAC: - return &auth_hash_hmac_ripemd_160; - case SADB_X_AALG_MD5: - return &auth_hash_key_md5; - case SADB_X_AALG_SHA: - return &auth_hash_key_sha1; - case SADB_X_AALG_SHA2_256: - return &auth_hash_hmac_sha2_256; - case SADB_X_AALG_SHA2_384: - return &auth_hash_hmac_sha2_384; - case SADB_X_AALG_SHA2_512: - return &auth_hash_hmac_sha2_512; - case SADB_X_AALG_AES128GMAC: - return &auth_hash_nist_gmac_aes_128; - case SADB_X_AALG_AES192GMAC: - return &auth_hash_nist_gmac_aes_192; - case SADB_X_AALG_AES256GMAC: - return &auth_hash_nist_gmac_aes_256; - } - return NULL; -} - size_t ah_hdrsiz(struct secasvar *sav) { 
@@ -202,10 +165,10 @@ ah_hdrsiz(struct secasvar *sav) int ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) { - struct auth_hash *thash; + const struct auth_hash *thash; int keylen; - thash = ah_algorithm_lookup(sav->alg_auth); + thash = auth_algorithm_lookup(sav->alg_auth); if (thash == NULL) { DPRINTF(("%s: unsupported authentication algorithm %u\n", __func__, sav->alg_auth)); Modified: projects/ipsec/sys/netipsec/xform_esp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 09:39:50 2016 (r310472) +++ projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 11:26:28 2016 (r310473) @@ -97,40 +97,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSE static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); -/* - * NB: this is public for use by the PF_KEY support. - * NB: if you add support here; be sure to add code to esp_attach below! - */ -struct enc_xform * -esp_algorithm_lookup(int alg) -{ - if (alg >= ESP_ALG_MAX) - return NULL; - switch (alg) { - case SADB_EALG_DESCBC: - return &enc_xform_des; - case SADB_EALG_3DESCBC: - return &enc_xform_3des; - case SADB_X_EALG_AES: - return &enc_xform_rijndael128; - case SADB_X_EALG_BLOWFISHCBC: - return &enc_xform_blf; - case SADB_X_EALG_CAST128CBC: - return &enc_xform_cast5; - case SADB_EALG_NULL: - return &enc_xform_null; - case SADB_X_EALG_CAMELLIACBC: - return &enc_xform_camellia; - case SADB_X_EALG_AESCTR: - return &enc_xform_aes_icm; - case SADB_X_EALG_AESGCM16: - return &enc_xform_aes_nist_gcm; - case SADB_X_EALG_AESGMAC: - return &enc_xform_aes_nist_gmac; - } - return NULL; -} - size_t esp_hdrsiz(struct secasvar *sav) { 
@@ -168,12 +134,12 @@ esp_hdrsiz(struct secasvar *sav) static int esp_init(struct secasvar *sav, struct xformsw *xsp) { - struct enc_xform *txform; + const struct enc_xform *txform; struct cryptoini cria, crie; int keylen; int error; - txform = esp_algorithm_lookup(sav->alg_enc); + txform = enc_algorithm_lookup(sav->alg_enc); if (txform == NULL) { DPRINTF(("%s: unsupported encryption algorithm %d\n", __func__, sav->alg_enc)); Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ipcomp.c Fri Dec 23 09:39:50 2016 (r310472) +++ projects/ipsec/sys/netipsec/xform_ipcomp.c Fri Dec 23 11:26:28 2016 (r310473) @@ -87,18 +87,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ipcomp, I static int ipcomp_input_cb(struct cryptop *crp); static int ipcomp_output_cb(struct cryptop *crp); -struct comp_algo * -ipcomp_algorithm_lookup(int alg) -{ - if (alg >= IPCOMP_ALG_MAX) - return NULL; - switch (alg) { - case SADB_X_CALG_DEFLATE: - return &comp_algo_deflate; - } - return NULL; -} - /* * RFC 3173 p 2.2. Non-Expansion Policy: * If the total size of a compressed payload and the IPComp header, as 
@@ -160,11 +148,11 @@ ipcomp_nonexp_input(struct mbuf **mp, in static int ipcomp_init(struct secasvar *sav, struct xformsw *xsp) { - struct comp_algo *tcomp; + const struct comp_algo *tcomp; struct cryptoini cric; /* NB: algorithm really comes in alg_enc and not alg_comp! */ - tcomp = ipcomp_algorithm_lookup(sav->alg_enc); + tcomp = comp_algorithm_lookup(sav->alg_enc); if (tcomp == NULL) { DPRINTF(("%s: unsupported compression algorithm %d\n", __func__, sav->alg_comp)); From owner-svn-src-projects@freebsd.org Fri Dec 23 11:45:34 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7747CC8D478 for ; Fri, 23 Dec 2016 11:45:34 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 445D29B3; Fri, 23 Dec 2016 11:45:34 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBNBjXlE007796; Fri, 23 Dec 2016 11:45:33 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBNBjXSY007795; Fri, 23 Dec 2016 11:45:33 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612231145.uBNBjXSY007795@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
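Review bot: In ipcomp_init() the failure message prints `sav->alg_comp`, but the lookup that just failed was keyed on `sav->alg_enc` (the NB comment above it says the algorithm arrives in alg_enc), so the log can name a different value from the one that was rejected. Since this hunk already touches the lookup line, the DPRINTF argument could be changed to `sav->alg_enc` to keep the diagnostics accurate. The body of ipcomp_init() continues outside the hunk.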
From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 11:45:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310474 - projects/ipsec/sys/conf X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 11:45:34 -0000 Author: ae Date: Fri Dec 23 11:45:33 2016 New Revision: 310474 URL: https://svnweb.freebsd.org/changeset/base/310474 Log: Unconditionally build crypto(4) when IPSEC_SUPPORT is enabled. Modified: projects/ipsec/sys/conf/files Modified: projects/ipsec/sys/conf/files ============================================================================== --- projects/ipsec/sys/conf/files Fri Dec 23 11:26:28 2016 (r310473) +++ projects/ipsec/sys/conf/files Fri Dec 23 11:45:33 2016 (r310474) 
@@ -587,22 +587,24 @@ contrib/ngatm/netnatm/sig/sig_unimsgcpy. compile-with "${NORMAL_C} -I$S/contrib/ngatm" contrib/ngatm/netnatm/sig/sig_verify.c optional ngatm_uni \ compile-with "${NORMAL_C} -I$S/contrib/ngatm" -crypto/blowfish/bf_ecb.c optional ipsec -crypto/blowfish/bf_skey.c optional crypto | ipsec -crypto/camellia/camellia.c optional crypto | ipsec -crypto/camellia/camellia-api.c optional crypto | ipsec -crypto/des/des_ecb.c optional crypto | ipsec | netsmb -crypto/des/des_setkey.c optional crypto | ipsec | netsmb +crypto/blowfish/bf_ecb.c optional ipsec | ipsec_support +crypto/blowfish/bf_skey.c optional crypto | ipsec | ipsec_support +crypto/camellia/camellia.c optional crypto | ipsec | ipsec_support +crypto/camellia/camellia-api.c optional crypto | ipsec | ipsec_support +crypto/des/des_ecb.c optional crypto | ipsec | ipsec_support | netsmb +crypto/des/des_setkey.c optional crypto | ipsec | ipsec_support | netsmb crypto/rc4/rc4.c optional netgraph_mppc_encryption | kgssapi crypto/rijndael/rijndael-alg-fst.c optional crypto | ekcd | geom_bde | \ - ipsec | random !random_loadable | wlan_ccmp + ipsec | ipsec_support | random !random_loadable | wlan_ccmp crypto/rijndael/rijndael-api-fst.c optional ekcd | geom_bde | random !random_loadable -crypto/rijndael/rijndael-api.c optional crypto | ipsec | wlan_ccmp +crypto/rijndael/rijndael-api.c optional crypto | ipsec | ipsec_support | \ + wlan_ccmp crypto/sha1.c optional carp | crypto | ipsec | \ - netgraph_mppc_encryption | sctp -crypto/sha2/sha256c.c optional crypto | ekcd | geom_bde | ipsec | random !random_loadable | \ - sctp | zfs -crypto/sha2/sha512c.c optional crypto | geom_bde | ipsec | zfs + ipsec_support | netgraph_mppc_encryption | sctp +crypto/sha2/sha256c.c optional crypto | ekcd | geom_bde | ipsec | \ + ipsec_support | random !random_loadable | sctp | zfs +crypto/sha2/sha512c.c optional crypto | geom_bde | ipsec | \ + ipsec_support | zfs crypto/skein/skein.c optional crypto | zfs 
crypto/skein/skein_block.c optional crypto | zfs crypto/siphash/siphash.c optional inet | inet6 @@ -3850,8 +3852,7 @@ libkern/strtouq.c standard libkern/strvalid.c standard libkern/timingsafe_bcmp.c standard libkern/zlib.c optional crypto | geom_uzip | ipsec | \ - mxge | netgraph_deflate | \ - ddb_ctf | gzio + ipsec_support | mxge | netgraph_deflate | ddb_ctf | gzio net/altq/altq_cbq.c optional altq net/altq/altq_cdnr.c optional altq net/altq/altq_codel.c optional altq 
@@ -4522,18 +4523,18 @@ ofed/drivers/infiniband/hw/mthca/mthca_u compile-with "${OFED_C}" # crypto support -opencrypto/cast.c optional crypto | ipsec -opencrypto/criov.c optional crypto | ipsec -opencrypto/crypto.c optional crypto | ipsec +opencrypto/cast.c optional crypto | ipsec | ipsec_support +opencrypto/criov.c optional crypto | ipsec | ipsec_support +opencrypto/crypto.c optional crypto | ipsec | ipsec_support opencrypto/cryptodev.c optional cryptodev -opencrypto/cryptodev_if.m optional crypto | ipsec -opencrypto/cryptosoft.c optional crypto | ipsec -opencrypto/cryptodeflate.c optional crypto | ipsec -opencrypto/gmac.c optional crypto | ipsec -opencrypto/gfmult.c optional crypto | ipsec -opencrypto/rmd160.c optional crypto | ipsec -opencrypto/skipjack.c optional crypto | ipsec -opencrypto/xform.c optional crypto | ipsec +opencrypto/cryptodev_if.m optional crypto | ipsec | ipsec_support +opencrypto/cryptosoft.c optional crypto | ipsec | ipsec_support +opencrypto/cryptodeflate.c optional crypto | ipsec | ipsec_support +opencrypto/gmac.c optional crypto | ipsec | ipsec_support +opencrypto/gfmult.c optional crypto | ipsec | ipsec_support +opencrypto/rmd160.c optional crypto | ipsec | ipsec_support +opencrypto/skipjack.c optional crypto | ipsec | ipsec_support +opencrypto/xform.c optional crypto | ipsec | ipsec_support rpc/auth_none.c optional krpc | nfslockd | nfscl | nfsd rpc/auth_unix.c optional krpc | nfslockd | nfscl | nfsd rpc/authunix_prot.c optional krpc | nfslockd | nfscl | nfsd From owner-svn-src-projects@freebsd.org Fri Dec 23 12:11:58 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1F6C9C8E7AA for ; Fri, 23 Dec 2016 12:11:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id EDF0E1CFF; Fri, 23 Dec 2016 12:11:57 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBNCBvvB019892; Fri, 23 Dec 2016 12:11:57 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBNCBuLO019883; Fri, 23 Dec 2016 12:11:56 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612231211.uBNCBuLO019883@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 12:11:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310475 - projects/ipsec/sys/conf X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 12:11:58 -0000 Author: ae Date: Fri Dec 23 12:11:56 2016 New Revision: 310475 URL: https://svnweb.freebsd.org/changeset/base/310475 Log: Unconditionally build machine depended crypto(4) code when IPSEC_SUPPORT is enabled. Modified: projects/ipsec/sys/conf/files.amd64 projects/ipsec/sys/conf/files.arm projects/ipsec/sys/conf/files.arm64 projects/ipsec/sys/conf/files.i386 projects/ipsec/sys/conf/files.mips projects/ipsec/sys/conf/files.pc98 projects/ipsec/sys/conf/files.powerpc projects/ipsec/sys/conf/files.riscv projects/ipsec/sys/conf/files.sparc64 Modified: projects/ipsec/sys/conf/files.amd64 ============================================================================== --- projects/ipsec/sys/conf/files.amd64 Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.amd64 Fri Dec 23 12:11:56 2016 (r310475) 
@@ -180,8 +180,9 @@ aesni_wrap.o optional aesni \ compile-with "${CC} -c ${CFLAGS:C/^-O2$/-O3/:N-nostdinc} ${WERROR} ${NO_WCAST_QUAL} ${PROF} -mmmx -msse -msse4 -maes ${.IMPSRC}" \ no-implicit-rule \ clean "aesni_wrap.o" -crypto/blowfish/bf_enc.c optional crypto | ipsec -crypto/des/des_enc.c optional crypto | ipsec | netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support +crypto/des/des_enc.c optional crypto | ipsec | \ + ipsec_support | netsmb crypto/via/padlock.c optional padlock crypto/via/padlock_cipher.c optional padlock crypto/via/padlock_hash.c optional padlock Modified: projects/ipsec/sys/conf/files.arm ============================================================================== --- projects/ipsec/sys/conf/files.arm Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.arm Fri Dec 23 12:11:56 2016 (r310475) @@ -112,8 +112,8 @@ cddl/compat/opensolaris/kern/opensolaris cddl/dev/dtrace/arm/dtrace_asm.S optional dtrace compile-with "${DTRACE_S}" cddl/dev/dtrace/arm/dtrace_subr.c optional dtrace compile-with "${DTRACE_C}" cddl/dev/fbt/arm/fbt_isa.c optional dtrace_fbt | dtraceall compile-with "${FBT_C}" -crypto/blowfish/bf_enc.c optional crypto | ipsec -crypto/des/des_enc.c optional crypto | ipsec | netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support +crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb dev/cpufreq/cpufreq_dt.c optional cpufreq fdt dev/dwc/if_dwc.c optional dwc dev/dwc/if_dwc_if.m optional dwc Modified: projects/ipsec/sys/conf/files.arm64 ============================================================================== --- projects/ipsec/sys/conf/files.arm64 Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.arm64 Fri Dec 23 12:11:56 2016 (r310475) 
@@ -142,8 +142,8 @@ armv8_crypto_wrap.o optional armv8crypt compile-with "${CC} -c ${CFLAGS:C/^-O2$/-O3/:N-nostdinc:N-mgeneral-regs-only} ${WERROR} ${NO_WCAST_QUAL} ${PROF} -march=armv8a+crypto ${.IMPSRC}" \ no-implicit-rule \ clean "armv8_crypto_wrap.o" -crypto/blowfish/bf_enc.c optional crypto | ipsec -crypto/des/des_enc.c optional crypto | ipsec | netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support +crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb dev/acpica/acpi_if.m optional acpi dev/ahci/ahci_generic.c optional ahci fdt dev/cpufreq/cpufreq_dt.c optional cpufreq fdt Modified: projects/ipsec/sys/conf/files.i386 ============================================================================== --- projects/ipsec/sys/conf/files.i386 Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.i386 Fri Dec 23 12:11:56 2016 (r310475) @@ -143,7 +143,7 @@ compat/svr4/svr4_syscallnames.c optional compat/svr4/svr4_sysent.c optional compat_svr4 compat/svr4/svr4_sysvec.c optional compat_svr4 compat/svr4/svr4_termios.c optional compat_svr4 -bf_enc.o optional crypto | ipsec \ +bf_enc.o optional crypto | ipsec | ipsec_support \ dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \ compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \ no-implicit-rule 
@@ -159,7 +159,7 @@ aesni_wrap.o optional aesni \ compile-with "${CC} -c ${CFLAGS:C/^-O2$/-O3/:N-nostdinc} ${WERROR} ${NO_WCAST_QUAL} ${PROF} -mmmx -msse -msse4 -maes ${.IMPSRC}" \ no-implicit-rule \ clean "aesni_wrap.o" -crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb +crypto/des/arch/i386/des_enc.S optional crypto | ipsec | ipsec_support | netsmb crypto/via/padlock.c optional padlock crypto/via/padlock_cipher.c optional padlock crypto/via/padlock_hash.c optional padlock Modified: projects/ipsec/sys/conf/files.mips ============================================================================== --- projects/ipsec/sys/conf/files.mips Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.mips Fri Dec 23 12:11:56 2016 (r310475) @@ -82,8 +82,10 @@ mips/mips/sc_machdep.c optional sc dev/uart/uart_cpu_fdt.c optional uart fdt # crypto support -- use generic -crypto/blowfish/bf_enc.c optional crypto | ipsec -crypto/des/des_enc.c optional crypto | ipsec | netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec | \ + ipsec_support +crypto/des/des_enc.c optional crypto | ipsec | \ + ipsec_support | netsmb # AP common nvram interface MIPS specific, but maybe should be more generic dev/nvram2env/nvram2env_mips.c optional nvram2env Modified: projects/ipsec/sys/conf/files.pc98 ============================================================================== --- projects/ipsec/sys/conf/files.pc98 Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.pc98 Fri Dec 23 12:11:56 2016 (r310475) 
@@ -90,11 +90,13 @@ compat/svr4/svr4_syscallnames.c optional compat/svr4/svr4_sysent.c optional compat_svr4 compat/svr4/svr4_sysvec.c optional compat_svr4 compat/svr4/svr4_termios.c optional compat_svr4 -bf_enc.o optional crypto | ipsec \ +bf_enc.o optional crypto | ipsec |\ + ipsec_support \ dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \ compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \ no-implicit-rule -crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb +crypto/des/arch/i386/des_enc.S optional crypto | ipsec | \ + ipsec_support | netsmb dev/agp/agp_ali.c optional agp dev/agp/agp_amd.c optional agp dev/agp/agp_i810.c optional agp Modified: projects/ipsec/sys/conf/files.powerpc ============================================================================== --- projects/ipsec/sys/conf/files.powerpc Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.powerpc Fri Dec 23 12:11:56 2016 (r310475) @@ -20,8 +20,8 @@ cddl/contrib/opensolaris/common/atomic/p cddl/dev/dtrace/powerpc/dtrace_asm.S optional dtrace compile-with "${DTRACE_S}" cddl/dev/dtrace/powerpc/dtrace_subr.c optional dtrace compile-with "${DTRACE_C}" cddl/dev/fbt/powerpc/fbt_isa.c optional dtrace_fbt | dtraceall compile-with "${FBT_C}" -crypto/blowfish/bf_enc.c optional crypto | ipsec -crypto/des/des_enc.c optional crypto | ipsec | netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support +crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb dev/bm/if_bm.c optional bm powermac dev/adb/adb_bus.c optional adb dev/adb/adb_kbd.c optional adb Modified: projects/ipsec/sys/conf/files.riscv ============================================================================== --- projects/ipsec/sys/conf/files.riscv Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.riscv Fri Dec 23 12:11:56 2016 (r310475) 
@@ -3,8 +3,8 @@ cddl/compat/opensolaris/kern/opensolaris cddl/dev/dtrace/riscv/dtrace_asm.S optional dtrace compile-with "${DTRACE_S}" cddl/dev/dtrace/riscv/dtrace_subr.c optional dtrace compile-with "${DTRACE_C}" cddl/dev/fbt/riscv/fbt_isa.c optional dtrace_fbt | dtraceall compile-with "${FBT_C}" -crypto/blowfish/bf_enc.c optional crypto | ipsec -crypto/des/des_enc.c optional crypto | ipsec | netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support +crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb dev/ofw/ofw_cpu.c optional fdt dev/uart/uart_cpu_fdt.c optional uart fdt dev/xilinx/axi_quad_spi.c optional xilinx_spi Modified: projects/ipsec/sys/conf/files.sparc64 ============================================================================== --- projects/ipsec/sys/conf/files.sparc64 Fri Dec 23 11:45:33 2016 (r310474) +++ projects/ipsec/sys/conf/files.sparc64 Fri Dec 23 12:11:56 2016 (r310475) 
@@ -23,8 +23,8 @@ ukbdmap.h optional ukbd_dflt_keymap \ clean "ukbdmap.h" # cddl/contrib/opensolaris/common/atomic/sparc64/opensolaris_atomic.S optional zfs compile-with "${ZFS_S}" -crypto/blowfish/bf_enc.c optional crypto | ipsec -crypto/des/des_enc.c optional crypto | ipsec | netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec | ipsec_support +crypto/des/des_enc.c optional crypto | ipsec | ipsec_support | netsmb dev/atkbdc/atkbd.c optional atkbd atkbdc dev/atkbdc/atkbd_atkbdc.c optional atkbd atkbdc dev/atkbdc/atkbdc.c optional atkbdc From owner-svn-src-projects@freebsd.org Fri Dec 23 12:48:45 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 73E63C8D14B for ; Fri, 23 Dec 2016 12:48:45 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0C4B511AF; Fri, 23 Dec 2016 12:48:44 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from tom.home (kib@localhost [127.0.0.1]) by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id uBNCmd9b058697 (version=TLSv1 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 23 Dec 2016 14:48:39 +0200 (EET) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua uBNCmd9b058697 Received: (from kostik@localhost) by tom.home (8.15.2/8.15.2/Submit) id uBNCmdS7058696; Fri, 23 Dec 2016 14:48:39 +0200 (EET) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Fri, 23 Dec 2016 14:48:39 +0200 
From: Konstantin Belousov To: "Andrey V. Elsukov" Cc: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: Re: svn commit: r310475 - projects/ipsec/sys/conf Message-ID: <20161223124839.GX94325@kib.kiev.ua> References: <201612231211.uBNCBuLO019883@repo.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201612231211.uBNCBuLO019883@repo.freebsd.org> User-Agent: Mutt/1.7.2 (2016-11-26) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 12:48:45 -0000 On Fri, Dec 23, 2016 at 12:11:56PM +0000, Andrey V. Elsukov wrote: > Author: ae > Date: Fri Dec 23 12:11:56 2016 > New Revision: 310475 > URL: https://svnweb.freebsd.org/changeset/base/310475 > > Log: > Unconditionally build machine depended crypto(4) code when > IPSEC_SUPPORT is enabled. Why ? If ipsec is a module, why crypto cannot be a module as well ? 
From owner-svn-src-projects@freebsd.org Fri Dec 23 13:01:38 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D27B9C8D555 for ; Fri, 23 Dec 2016 13:01:38 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from butcher-nb.yandex.net (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) by mx1.freebsd.org (Postfix) with ESMTP id EC6A61904; Fri, 23 Dec 2016 13:01:37 +0000 (UTC) (envelope-from ae@FreeBSD.org) Subject: Re: svn commit: r310475 - projects/ipsec/sys/conf To: Konstantin Belousov References: <201612231211.uBNCBuLO019883@repo.freebsd.org> <20161223124839.GX94325@kib.kiev.ua> Cc: src-committers@freebsd.org, svn-src-projects@freebsd.org 
From: "Andrey V. Elsukov" Message-ID: Date: Fri, 23 Dec 2016 16:01:07 +0300 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: <20161223124839.GX94325@kib.kiev.ua> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 13:01:38 -0000 On 23.12.2016 15:48, Konstantin Belousov wrote: > On Fri, Dec 23, 2016 at 12:11:56PM +0000, Andrey V. Elsukov wrote: >> Author: ae >> Date: Fri Dec 23 12:11:56 2016 >> New Revision: 310475 >> URL: https://svnweb.freebsd.org/changeset/base/310475 >> >> Log: >> Unconditionally build machine depended crypto(4) code when >> IPSEC_SUPPORT is enabled. > > Why ? If ipsec is a module, why crypto cannot be a module as well ? Hi, Currently the PF_KEY code cannot be a module, and it depends on crypto. This imposes the restriction. The only benefit of having 'options IPSEC_SUPPORT' instead of 'options IPSEC' is the reduced overhead of IPsec checking on traffic flows. But if we add the ability to unload a network domain(9), it will be possible to make PF_KEY a module too. Then this restriction could be removed. -- WBR, Andrey V. 
Elsukov From owner-svn-src-projects@freebsd.org Fri Dec 23 14:22:33 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E921BC8EB58 for ; Fri, 23 Dec 2016 14:22:33 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A9C308D1; Fri, 23 Dec 2016 14:22:33 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBNEMWex073419; Fri, 23 Dec 2016 14:22:32 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBNEMW2h073413; Fri, 23 Dec 2016 14:22:32 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612231422.uBNEMW2h073413@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 14:22:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310476 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 14:22:34 -0000 Author: ae Date: Fri Dec 23 14:22:32 2016 New Revision: 310476 URL: https://svnweb.freebsd.org/changeset/base/310476 Log: Add an ability to unregister IPsec transforms. Remove unused xf_flags field from xformsw structure. Add xform_attach() and xform_detach() functions. Use them in each xform_* file to register and unregister xform using SYSINIT interface. In key.c add xforms_lock to protect access to xforms list. Modified: projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/xform.h projects/ipsec/sys/netipsec/xform_ah.c projects/ipsec/sys/netipsec/xform_esp.c projects/ipsec/sys/netipsec/xform_ipcomp.c projects/ipsec/sys/netipsec/xform_tcp.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Fri Dec 23 12:11:56 2016 (r310475) +++ projects/ipsec/sys/netipsec/key.c Fri Dec 23 14:22:32 2016 (r310476) 
@@ -464,7 +464,13 @@ MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", static VNET_DEFINE(uma_zone_t, key_lft_zone); #define V_key_lft_zone VNET(key_lft_zone) -static struct xformsw* xforms = NULL; +static LIST_HEAD(xforms_list, xformsw) xforms = LIST_HEAD_INITIALIZER(); +static struct mtx xforms_lock; +#define XFORMS_LOCK_INIT() \ + mtx_init(&xforms_lock, "xforms_list", "IPsec transforms list", MTX_DEF) +#define XFORMS_LOCK_DESTROY() mtx_destroy(&xforms_lock) +#define XFORMS_LOCK() mtx_lock(&xforms_lock) +#define XFORMS_UNLOCK() mtx_unlock(&xforms_lock) /* * set parameters into secpolicyindex buffer. @@ -669,7 +675,7 @@ static int key_validate_ext(const struct static int key_align(struct mbuf *, struct sadb_msghdr *); static struct mbuf *key_setlifetime(struct seclifetime *, uint16_t); static struct mbuf *key_setkey(struct seckey *, uint16_t); -static int xform_init(struct secasvar *, int); +static int xform_init(struct secasvar *, u_short); #define DBG_IPSEC_INITREF(t, p) do { \ refcount_init(&(p)->refcnt, 1); \ @@ -7714,6 +7720,7 @@ key_init(void) if (!IS_DEFAULT_VNET(curvnet)) return; + XFORMS_LOCK_INIT(); SPTREE_LOCK_INIT(); REGTREE_LOCK_INIT(); SAHTREE_LOCK_INIT(); 
@@ -7975,28 +7982,66 @@ comp_algorithm_lookup(int alg) } /* - * Register a transform; typically at system startup. + * Register a transform. */ -void +static int xform_register(struct xformsw* xsp) { + struct xformsw *entry; - xsp->xf_next = xforms; - xforms = xsp; + XFORMS_LOCK(); + LIST_FOREACH(entry, &xforms, chain) { + if (entry->xf_type == xsp->xf_type) { + XFORMS_UNLOCK(); + return (EEXIST); + } + } + LIST_INSERT_HEAD(&xforms, xsp, chain); + XFORMS_UNLOCK(); + return (0); +} + +void +xform_attach(void *data) +{ + struct xformsw *xsp = (struct xformsw *)data; + + if (xform_register(xsp) != 0) + printf("%s: failed to register %s xform\n", __func__, + xsp->xf_name); +} + +void +xform_detach(void *data) +{ + struct xformsw *xsp = (struct xformsw *)data; + + XFORMS_LOCK(); + LIST_REMOVE(xsp, chain); + XFORMS_UNLOCK(); } /* * Initialize transform support in an sav. */ static int -xform_init(struct secasvar *sav, int xftype) +xform_init(struct secasvar *sav, u_short xftype) { - struct xformsw *xsp; + struct xformsw *entry; + int ret; - if (sav->tdb_xform != NULL) /* Previously initialized. */ - return (0); - for (xsp = xforms; xsp; xsp = xsp->xf_next) - if (xsp->xf_type == xftype) - return ((*xsp->xf_init)(sav, xsp)); + IPSEC_ASSERT(sav->tdb_xform == NULL, + ("tdb_xform is already initialized")); + + ret = EINVAL; + XFORMS_LOCK(); + LIST_FOREACH(entry, &xforms, chain) { + if (entry->xf_type == xftype) { + ret = (*entry->xf_init)(sav, entry); + break; + } + } + XFORMS_UNLOCK(); return (EINVAL); } + Modified: projects/ipsec/sys/netipsec/xform.h ============================================================================== --- projects/ipsec/sys/netipsec/xform.h Fri Dec 23 12:11:56 2016 (r310475) +++ projects/ipsec/sys/netipsec/xform.h Fri Dec 23 14:22:32 2016 (r310476) @@ -42,6 +42,7 @@ #define _NETIPSEC_XFORM_H_ #include +#include #include #include 
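Review bot: In the key.c hunk `@@ -7975,28 +7982,66 @@`, the rewritten xform_init() stores the result of `(*entry->xf_init)(sav, entry)` in `ret`, but the function still ends with the unchanged context line `return (EINVAL);`, so a successful transform initialisation is reported to the caller as a failure. The last statement should be `return (ret);`. In the same hunk, xform_detach() calls `LIST_REMOVE(xsp, chain)` unconditionally, while xform_attach() only prints a message when xform_register() returns EEXIST; an xformsw that was never linked would then be unlinked at uninit, so detach should remove the entry only when it is actually on the list. xf_init now also runs with the xforms_lock mutex held, so it is worth confirming that no xf_init implementation can sleep.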
@@ -49,6 +50,7 @@ #define AH_HMAC_MAXHASHLEN (SHA2_512_HASH_LEN/2) /* Keep this updated */ #define AH_HMAC_INITIAL_RPL 1 /* replay counter initial value */ +#ifdef _KERNEL struct secpolicy; struct secasvar; 
@@ -76,38 +78,34 @@ struct xform_data { uint8_t nxt; /* next protocol, e.g. IPV4 */ }; -struct xformsw { - u_short xf_type; /* xform ID */ #define XF_IP4 1 /* unused */ #define XF_AH 2 /* AH */ #define XF_ESP 3 /* ESP */ #define XF_TCPSIGNATURE 5 /* TCP MD5 Signature option, RFC 2358 */ #define XF_IPCOMP 6 /* IPCOMP */ - u_short xf_flags; -#define XFT_AUTH 0x0001 -#define XFT_CONF 0x0100 -#define XFT_COMP 0x1000 - char *xf_name; /* human-readable name */ + +struct xformsw { + u_short xf_type; /* xform ID */ + char *xf_name; /* human-readable name */ int (*xf_init)(struct secasvar*, struct xformsw*); /* setup */ int (*xf_zeroize)(struct secasvar*); /* cleanup */ int (*xf_input)(struct mbuf*, struct secasvar*, /* input */ int, int); int (*xf_output)(struct mbuf*, /* output */ struct secpolicy *, struct secasvar *, u_int, int, int); - struct xformsw *xf_next; /* list of registered xforms */ + LIST_ENTRY(xformsw) chain; }; -#ifdef _KERNEL const struct enc_xform * enc_algorithm_lookup(int); const struct auth_hash * auth_algorithm_lookup(int); const struct comp_algo * comp_algorithm_lookup(int); -extern void xform_register(struct xformsw*); -extern int xform_ah_authsize(struct auth_hash *esph); +void xform_attach(void *); +void xform_detach(void *); struct cryptoini; - /* XF_AH */ +extern int xform_ah_authsize(struct auth_hash *esph); extern int ah_init0(struct secasvar *, struct xformsw *, struct cryptoini *); extern int ah_zeroize(struct secasvar *sav); extern size_t ah_hdrsiz(struct secasvar *); Modified: projects/ipsec/sys/netipsec/xform_ah.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 12:11:56 2016 (r310475) +++ projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 14:22:32 2016 (r310476) 
@@ -1129,15 +1129,15 @@ bad: } static struct xformsw ah_xformsw = { - XF_AH, XFT_AUTH, "IPsec AH", - ah_init, ah_zeroize, ah_input, ah_output, + .xf_type = XF_AH, + .xf_name = "IPsec AH", + .xf_init = ah_init, + .xf_zeroize = ah_zeroize, + .xf_input = ah_input, + .xf_output = ah_output, }; -static void -ah_attach(void) -{ - - xform_register(&ah_xformsw); -} - -SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); +SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, + xform_attach, &ah_xformsw); +SYSUNINIT(ah_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, + xform_detach, &ah_xformsw); Modified: projects/ipsec/sys/netipsec/xform_esp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 12:11:56 2016 (r310475) +++ projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 14:22:32 2016 (r310476) @@ -941,16 +941,17 @@ bad: key_freesp(&sp); return (error); } + static struct xformsw esp_xformsw = { - XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP", - esp_init, esp_zeroize, esp_input, - esp_output + .xf_type = XF_ESP, + .xf_name = "IPsec ESP", + .xf_init = esp_init, + .xf_zeroize = esp_zeroize, + .xf_input = esp_input, + .xf_output = esp_output, }; -static void -esp_attach(void) -{ - - xform_register(&esp_xformsw); -} -SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, esp_attach, NULL); +SYSINIT(esp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, + xform_attach, &esp_xformsw); +SYSUNINIT(esp_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, + xform_detach, &esp_xformsw); Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ipcomp.c Fri Dec 23 12:11:56 2016 (r310475) +++ projects/ipsec/sys/netipsec/xform_ipcomp.c Fri Dec 23 14:22:32 2016 (r310476) 
@@ -645,12 +645,6 @@ bad: return (error); } -static struct xformsw ipcomp_xformsw = { - XF_IPCOMP, XFT_COMP, "IPcomp", - ipcomp_init, ipcomp_zeroize, ipcomp_input, - ipcomp_output -}; - #ifdef INET static const struct encaptab *ipe4_cookie = NULL; extern struct domain inetdomain; @@ -734,6 +728,15 @@ ipcomp6_nonexp_encapcheck(const struct m } #endif +static struct xformsw ipcomp_xformsw = { + .xf_type = XF_IPCOMP, + .xf_name = "IPcomp", + .xf_init = ipcomp_init, + .xf_zeroize = ipcomp_zeroize, + .xf_input = ipcomp_input, + .xf_output = ipcomp_output, +}; + static void ipcomp_attach(void) { @@ -746,8 +749,23 @@ ipcomp_attach(void) ipe6_cookie = encap_attach_func(AF_INET6, -1, ipcomp6_nonexp_encapcheck, &ipcomp6_protosw, NULL); #endif - xform_register(&ipcomp_xformsw); + xform_attach(&ipcomp_xformsw); +} + +static void +ipcomp_detach(void) +{ + +#ifdef INET + encap_detach(ipe4_cookie); +#endif +#ifdef INET6 + encap_detach(ipe6_cookie); +#endif + xform_attach(&ipcomp_xformsw); } SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL); +SYSUNINIT(ipcomp_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, + ipcomp_detach, NULL); Modified: projects/ipsec/sys/netipsec/xform_tcp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_tcp.c Fri Dec 23 12:11:56 2016 (r310475) +++ projects/ipsec/sys/netipsec/xform_tcp.c Fri Dec 23 14:22:32 2016 (r310476) 
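Review bot: In the last xform_ipcomp.c hunk (`@@ -746,8 +749,23 @@`), the new ipcomp_detach() ends with `xform_attach(&ipcomp_xformsw);`, so the SYSUNINIT path tries to register the transform again instead of removing it. With the xform_register() added to key.c in this commit, that call returns EEXIST and only prints a message, leaving ipcomp_xformsw linked on the xforms list after its encap handlers have been detached; if this code is ever unloaded, the list would keep a pointer to an object that no longer exists. The line should be `xform_detach(&ipcomp_xformsw);`, mirroring the SYSUNINIT entries this commit adds for AH, ESP and TCP-MD5.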
@@ -393,17 +393,15 @@ tcpsignature_output(struct mbuf *m, stru } static struct xformsw tcpsignature_xformsw = { - XF_TCPSIGNATURE, XFT_AUTH, "TCPMD5", - tcpsignature_init, tcpsignature_zeroize, - tcpsignature_input, tcpsignature_output + .xf_type = XF_TCPSIGNATURE, + .xf_name = "TCPMD5", + .xf_init = tcpsignature_init, + .xf_zeroize = tcpsignature_zeroize, + .xf_input = tcpsignature_input, + .xf_output = tcpsignature_output, }; -static void -tcpsignature_attach(void) -{ - - xform_register(&tcpsignature_xformsw); -} - SYSINIT(tcpsignature_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, - tcpsignature_attach, NULL); + xform_attach, &tcpsignature_xformsw); +SYSUNINIT(tcpsignature_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, + xform_detach, &tcpsignature_xformsw); From owner-svn-src-projects@freebsd.org Fri Dec 23 14:44:42 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7CBA2C8E3ED for ; Fri, 23 Dec 2016 14:44:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 574951621; Fri, 23 Dec 2016 14:44:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBNEifR3081723; Fri, 23 Dec 2016 14:44:41 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBNEifxh081718; Fri, 23 Dec 2016 14:44:41 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612231444.uBNEifxh081718@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 14:44:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310477 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 14:44:42 -0000 Author: ae Date: Fri Dec 23 14:44:40 2016 New Revision: 310477 URL: https://svnweb.freebsd.org/changeset/base/310477 Log: PF_KEY and each xform transform do not change any data in tdb_* structures. Constify such fields of struct secasvar and everywhere where they are used. Also include missing key_debug.h in xform_ipcomp.c. Modified: projects/ipsec/sys/netipsec/keydb.h projects/ipsec/sys/netipsec/xform.h projects/ipsec/sys/netipsec/xform_ah.c projects/ipsec/sys/netipsec/xform_esp.c projects/ipsec/sys/netipsec/xform_ipcomp.c Modified: projects/ipsec/sys/netipsec/keydb.h ============================================================================== --- projects/ipsec/sys/netipsec/keydb.h Fri Dec 23 14:22:32 2016 (r310476) +++ projects/ipsec/sys/netipsec/keydb.h Fri Dec 23 14:44:40 2016 (r310477) 
@@ -173,10 +173,10 @@ struct secasvar { * to interface to the OpenBSD crypto support. This was done * to distinguish this code from the mainline KAME code. */ - struct xformsw *tdb_xform; /* transform */ - struct enc_xform *tdb_encalgxform; /* encoding algorithm */ - struct auth_hash *tdb_authalgxform; /* authentication algorithm */ - struct comp_algo *tdb_compalgxform; /* compression algorithm */ + const struct xformsw *tdb_xform; /* transform */ + const struct enc_xform *tdb_encalgxform;/* encoding algorithm */ + const struct auth_hash *tdb_authalgxform;/* authentication algorithm */ + const struct comp_algo *tdb_compalgxform;/* compression algorithm */ uint64_t tdb_cryptoid; /* crypto session id */ struct mtx lock; /* update/access lock */ Modified: projects/ipsec/sys/netipsec/xform.h ============================================================================== --- projects/ipsec/sys/netipsec/xform.h Fri Dec 23 14:22:32 2016 (r310476) +++ projects/ipsec/sys/netipsec/xform.h Fri Dec 23 14:44:40 2016 (r310477) @@ -105,7 +105,7 @@ void xform_detach(void *); struct cryptoini; /* XF_AH */ -extern int xform_ah_authsize(struct auth_hash *esph); +int xform_ah_authsize(const struct auth_hash *); extern int ah_init0(struct secasvar *, struct xformsw *, struct cryptoini *); extern int ah_zeroize(struct secasvar *sav); extern size_t ah_hdrsiz(struct secasvar *); Modified: projects/ipsec/sys/netipsec/xform_ah.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 14:22:32 2016 (r310476) +++ projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 14:44:40 2016 (r310477) @@ -113,7 +113,7 @@ static int ah_input_cb(struct cryptop*); static int ah_output_cb(struct cryptop*); int -xform_ah_authsize(struct auth_hash *esph) +xform_ah_authsize(const struct auth_hash *esph) { int alen; 
@@ -545,9 +545,9 @@ static int ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { char buf[128]; + const struct auth_hash *ahx; struct cryptodesc *crda; struct cryptop *crp; - struct auth_hash *ahx; struct xform_data *xd; struct newah *ah; uint64_t cryptoid; @@ -678,9 +678,9 @@ ah_input_cb(struct cryptop *crp) { char buf[IPSEC_ADDRSTRLEN]; unsigned char calc[AH_ALEN_MAX]; + const struct auth_hash *ahx; struct mbuf *m; struct cryptodesc *crd; - struct auth_hash *ahx; struct xform_data *xd; struct secasvar *sav; struct secasindex *saidx; @@ -702,7 +702,7 @@ ah_input_cb(struct cryptop *crp) saidx->dst.sa.sa_family == AF_INET6, ("unexpected protocol family %u", saidx->dst.sa.sa_family)); - ahx = (struct auth_hash *) sav->tdb_authalgxform; + ahx = sav->tdb_authalgxform; /* Check for crypto errors. */ if (crp->crp_etype) { @@ -827,7 +827,7 @@ ah_output(struct mbuf *m, struct secpoli u_int idx, int skip, int protoff) { char buf[IPSEC_ADDRSTRLEN]; - struct auth_hash *ahx; + const struct auth_hash *ahx; struct cryptodesc *crda; struct xform_data *xd; struct mbuf *mi; Modified: projects/ipsec/sys/netipsec/xform_esp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 14:22:32 2016 (r310476) +++ projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 14:44:40 2016 (r310477) @@ -264,8 +264,8 @@ static int esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { char buf[128]; - struct auth_hash *esph; - struct enc_xform *espx; + const struct auth_hash *esph; + const struct enc_xform *espx; struct xform_data *xd; struct cryptodesc *crde; struct cryptop *crp; 
@@ -435,16 +435,16 @@ esp_input_cb(struct cryptop *crp) { char buf[128]; u_int8_t lastthree[3], aalg[AH_HMAC_MAXHASHLEN]; - int hlen, skip, protoff, error, alen; + const struct auth_hash *esph; + const struct enc_xform *espx; struct mbuf *m; struct cryptodesc *crd; - struct auth_hash *esph; - struct enc_xform *espx; struct xform_data *xd; struct secasvar *sav; struct secasindex *saidx; caddr_t ptr; uint64_t cryptoid; + int hlen, skip, protoff, error, alen; crd = crp->crp_desc; IPSEC_ASSERT(crd != NULL, ("null crypto descriptor!")); @@ -622,8 +622,8 @@ esp_output(struct mbuf *m, struct secpol char buf[IPSEC_ADDRSTRLEN]; struct cryptodesc *crde = NULL, *crda = NULL; struct cryptop *crp; - struct enc_xform *espx; - struct auth_hash *esph; + const struct auth_hash *esph; + const struct enc_xform *espx; struct mbuf *mo = NULL; struct xform_data *xd; struct secasindex *saidx; Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ipcomp.c Fri Dec 23 14:22:32 2016 (r310476) +++ projects/ipsec/sys/netipsec/xform_ipcomp.c Fri Dec 23 14:44:40 2016 (r310477) @@ -64,6 +64,7 @@ #include #include +#include #include #include 
@@ -383,7 +384,7 @@ ipcomp_output(struct mbuf *m, struct sec u_int idx, int skip, int protoff) { char buf[IPSEC_ADDRSTRLEN]; - struct comp_algo *ipcompx; + const struct comp_algo *ipcompx; struct cryptodesc *crdc; struct cryptop *crp; struct xform_data *xd; From owner-svn-src-projects@freebsd.org Fri Dec 23 16:06:43 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 11CE6C8DC51 for ; Fri, 23 Dec 2016 16:06:43 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D570F991; Fri, 23 Dec 2016 16:06:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBNG6gKv014687; Fri, 23 Dec 2016 16:06:42 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBNG6gvi014686; Fri, 23 Dec 2016 16:06:42 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612231606.uBNG6gvi014686@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Fri, 23 Dec 2016 16:06:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310482 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2016 16:06:43 -0000 Author: ae Date: Fri Dec 23 16:06:41 2016 New Revision: 310482 URL: https://svnweb.freebsd.org/changeset/base/310482 Log: Fix the returned value. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Fri Dec 23 15:14:56 2016 (r310481) +++ projects/ipsec/sys/netipsec/key.c Fri Dec 23 16:06:41 2016 (r310482) 
@@ -8042,6 +8042,6 @@ xform_init(struct secasvar *sav, u_short } } XFORMS_UNLOCK(); - return (EINVAL); + return (ret); } From owner-svn-src-projects@freebsd.org Sat Dec 24 11:47:48 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A849CC8EFCE for ; Sat, 24 Dec 2016 11:47:48 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5E6B061D; Sat, 24 Dec 2016 11:47:48 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBOBllqB094713; Sat, 24 Dec 2016 11:47:47 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBOBllWO094712; Sat, 24 Dec 2016 11:47:47 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612241147.uBOBllWO094712@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Sat, 24 Dec 2016 11:47:47 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310502 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Dec 2016 11:47:48 -0000 Author: ae Date: Sat Dec 24 11:47:47 2016 New Revision: 310502 URL: https://svnweb.freebsd.org/changeset/base/310502 Log: Add key_delete_xform() function. It deletes all SAs releated to xform. Use this function when xform is removed. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Sat Dec 24 11:41:16 2016 (r310501) +++ projects/ipsec/sys/netipsec/key.c Sat Dec 24 11:47:47 2016 (r310502) @@ -643,6 +643,7 @@ static int key_delete(struct socket *, s const struct sadb_msghdr *); static int key_delete_all(struct socket *, struct mbuf *, const struct sadb_msghdr *, struct secasindex *); +static void key_delete_xform(const struct xformsw *); static int key_get(struct socket *, struct mbuf *, const struct sadb_msghdr *); 
@@ -5705,6 +5706,52 @@ key_delete_all(struct socket *so, struct } /* + * Delete all alive SAs for corresponding xform. + * Larval SAs have not initialized tdb_xform, so it is safe to leave them + * here when xform disappears. + */ +static void +key_delete_xform(const struct xformsw *xsp) +{ + struct secasvar_queue drainq; + struct secashead *sah; + struct secasvar *sav, *nextsav; + + TAILQ_INIT(&drainq); + SAHTREE_WLOCK(); + TAILQ_FOREACH(sah, &V_sahtree, chain) { + sav = TAILQ_FIRST(&sah->savtree_alive); + if (sav == NULL) + continue; + if (sav->tdb_xform != xsp) + continue; + /* + * It is supposed that all SAs in the chain are related to + * one xform. + */ + TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain); + } + /* Unlink all queued SAs from SPI hash */ + TAILQ_FOREACH(sav, &drainq, chain) { + sav->state = SADB_SASTATE_DEAD; + LIST_REMOVE(sav, spihash); + } + SAHTREE_WUNLOCK(); + + /* Now we can release reference for all SAs in drainq */ + sav = TAILQ_FIRST(&drainq); + while (sav != NULL) { + KEYDBG(KEY_STAMP, + printf("%s: SA(%p)\n", __func__, sav)); + KEYDBG(KEY_DATA, kdebug_secasv(sav)); + nextsav = TAILQ_NEXT(sav, chain); + key_freesah(&sav->sah); /* release reference from SAV */ + key_freesav(&sav); /* release last reference */ + sav = nextsav; + } +} + +/* * SADB_GET processing * receive * 
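Review bot: `key_delete_xform()` compares only the first entry of each `savtree_alive` with `xsp` and then moves the whole queue with `TAILQ_CONCAT`, relying on the comment's assumption that every SA under one `secashead` uses the same transform. Nothing in the hunk enforces that; if it ever fails, either an SA survives with `tdb_xform` pointing at a transform that is being unloaded, or an unrelated SA is torn down. Asserting it in the unlink loop, `IPSEC_ASSERT(sav->tdb_xform == xsp, ("SA %p uses another xform", sav));`, would make the invariant checkable. The `/* release last reference */` comment is an assumption too: if another holder (an in-flight crypto request, for example) still has a reference, the SA outlives `xform_detach()`, so the comment should state why that cannot happen or the code should wait for such holders.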
@@ -8019,6 +8066,9 @@ xform_detach(void *data) XFORMS_LOCK(); LIST_REMOVE(xsp, chain); XFORMS_UNLOCK(); + + /* Delete all SAs related to this xform. */ + key_delete_xform(xsp); } /* From owner-svn-src-projects@freebsd.org Sat Dec 24 20:02:29 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DA7DEC8F1C1 for ; Sat, 24 Dec 2016 20:02:29 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9CBEC16F5; Sat, 24 Dec 2016 20:02:29 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBOK2SMG001248; Sat, 24 Dec 2016 20:02:28 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBOK2SbI001244; Sat, 24 Dec 2016 20:02:28 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612242002.uBOK2SbI001244@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Sat, 24 Dec 2016 20:02:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310525 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Dec 2016 20:02:30 -0000 Author: ae Date: Sat Dec 24 20:02:28 2016 New Revision: 310525 URL: https://svnweb.freebsd.org/changeset/base/310525 Log: Move ipsec[46]_setsockaddrs() into subr_ipsec.c. These functions are needed for both ipsec.ko and tcpmd5.ko. Modified: projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/ipsec.h projects/ipsec/sys/netipsec/ipsec6.h projects/ipsec/sys/netipsec/subr_ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sat Dec 24 17:42:34 2016 (r310524) +++ projects/ipsec/sys/netipsec/ipsec.c Sat Dec 24 20:02:28 2016 (r310525) @@ -260,14 +260,10 @@ static void ipsec_setspidx_inpcb(struct u_int); static void ipsec4_get_ulp(const struct mbuf *, struct secpolicyindex *, int); -static void ipsec4_setsockaddrs(const struct mbuf *, union sockaddr_union *, - union sockaddr_union *); static void ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *); #ifdef INET6 static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int); -static void ipsec6_setsockaddrs(const struct mbuf *, union sockaddr_union *, - union sockaddr_union *); static void ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *); #endif 
@@ -475,61 +471,8 @@ ipsec_setspidx_inpcb(struct inpcb *inp, printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL)); } -void -ipsec_setsockaddrs(const struct mbuf *m, union sockaddr_union *src, - union sockaddr_union *dst) -{ - struct ip *ip; - - IPSEC_ASSERT(m->m_len >= sizeof(*ip), ("unexpected mbuf len")); - - ip = mtod(m, struct ip *); - switch (ip->ip_v) { -#ifdef INET - case IPVERSION: - ipsec4_setsockaddrs(m, src, dst); - break; -#endif -#ifdef INET6 - case (IPV6_VERSION >> 4): - ipsec6_setsockaddrs(m, src, dst); - break; -#endif - default: - bzero(src, sizeof(*src)); - bzero(dst, sizeof(*dst)); - } -} - #ifdef INET static void -ipsec4_setsockaddrs(const struct mbuf *m, union sockaddr_union *src, - union sockaddr_union *dst) -{ - static const struct sockaddr_in template = { - sizeof (struct sockaddr_in), - AF_INET, - 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 } - }; - - src->sin = template; - dst->sin = template; - - if (m->m_len < sizeof (struct ip)) { - m_copydata(m, offsetof(struct ip, ip_src), - sizeof (struct in_addr), - (caddr_t) &src->sin.sin_addr); - m_copydata(m, offsetof(struct ip, ip_dst), - sizeof (struct in_addr), - (caddr_t) &dst->sin.sin_addr); - } else { - const struct ip *ip = mtod(m, const struct ip *); - src->sin.sin_addr = ip->ip_src; - dst->sin.sin_addr = ip->ip_dst; - } -} - -static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx, int needport) { 
@@ -715,39 +658,6 @@ ipsec4_capability(struct mbuf *m, u_int #ifdef INET6 static void -ipsec6_setsockaddrs(const struct mbuf *m, union sockaddr_union *src, - union sockaddr_union *dst) -{ - struct ip6_hdr ip6buf; - const struct ip6_hdr *ip6; - - if (m->m_len >= sizeof(*ip6)) - ip6 = mtod(m, const struct ip6_hdr *); - else { - m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); - ip6 = &ip6buf; - } - - bzero(&src->sin6, sizeof(struct sockaddr_in6)); - src->sin6.sin6_family = AF_INET6; - src->sin6.sin6_len = sizeof(struct sockaddr_in6); - bcopy(&ip6->ip6_src, &src->sin6.sin6_addr, sizeof(ip6->ip6_src)); - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { - src->sin6.sin6_addr.s6_addr16[1] = 0; - src->sin6.sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); - } - - bzero(&dst->sin6, sizeof(struct sockaddr_in6)); - dst->sin6.sin6_family = AF_INET6; - dst->sin6.sin6_len = sizeof(struct sockaddr_in6); - bcopy(&ip6->ip6_dst, &dst->sin6.sin6_addr, sizeof(ip6->ip6_dst)); - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { - dst->sin6.sin6_addr.s6_addr16[1] = 0; - dst->sin6.sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); - } -} - -static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx, int needport) { Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Sat Dec 24 17:42:34 2016 (r310524) +++ projects/ipsec/sys/netipsec/ipsec.h Sat Dec 24 20:02:28 2016 (r310525) 
@@ -318,9 +318,8 @@ int ipsec_chkreplay(uint32_t, struct sec int ipsec_updatereplay(uint32_t, struct secasvar *); int ipsec_updateid(struct secasvar *, uint64_t *, uint64_t *); -void ipsec_setsockaddrs(const struct mbuf *, union sockaddr_union *, +void ipsec4_setsockaddrs(const struct mbuf *, union sockaddr_union *, union sockaddr_union *); - int ipsec4_in_reject(const struct mbuf *, struct inpcb *); int ipsec4_input(struct mbuf *, int, int); int ipsec4_forward(struct mbuf *); Modified: projects/ipsec/sys/netipsec/ipsec6.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec6.h Sat Dec 24 17:42:34 2016 (r310524) +++ projects/ipsec/sys/netipsec/ipsec6.h Sat Dec 24 20:02:28 2016 (r310525) @@ -62,6 +62,8 @@ struct inpcb; struct secpolicy *ipsec6_checkpolicy(const struct mbuf *, struct inpcb *, int *); +void ipsec6_setsockaddrs(const struct mbuf *, union sockaddr_union *, + union sockaddr_union *); int ipsec6_input(struct mbuf *, int, int); int ipsec6_in_reject(const struct mbuf *, struct inpcb *); int ipsec6_forward(struct mbuf *); Modified: projects/ipsec/sys/netipsec/subr_ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/subr_ipsec.c Sat Dec 24 17:42:34 2016 (r310524) +++ projects/ipsec/sys/netipsec/subr_ipsec.c Sat Dec 24 20:02:28 2016 (r310525) 
@@ -104,6 +104,69 @@ DECLARE_MODULE(ipsec_support, ipsec_supp SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY); MODULE_VERSION(ipsec_support, 1); +#ifdef INET +void +ipsec4_setsockaddrs(const struct mbuf *m, union sockaddr_union *src, + union sockaddr_union *dst) +{ + static const struct sockaddr_in template = { + sizeof (struct sockaddr_in), + AF_INET, + 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 } + }; + + src->sin = template; + dst->sin = template; + + if (m->m_len < sizeof (struct ip)) { + m_copydata(m, offsetof(struct ip, ip_src), + sizeof (struct in_addr), + (caddr_t) &src->sin.sin_addr); + m_copydata(m, offsetof(struct ip, ip_dst), + sizeof (struct in_addr), + (caddr_t) &dst->sin.sin_addr); + } else { + const struct ip *ip = mtod(m, const struct ip *); + src->sin.sin_addr = ip->ip_src; + dst->sin.sin_addr = ip->ip_dst; + } +} +#endif +#ifdef INET6 +void +ipsec6_setsockaddrs(const struct mbuf *m, union sockaddr_union *src, + union sockaddr_union *dst) +{ + struct ip6_hdr ip6buf; + const struct ip6_hdr *ip6; + + if (m->m_len >= sizeof(*ip6)) + ip6 = mtod(m, const struct ip6_hdr *); + else { + m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf); + ip6 = &ip6buf; + } + + bzero(&src->sin6, sizeof(struct sockaddr_in6)); + src->sin6.sin6_family = AF_INET6; + src->sin6.sin6_len = sizeof(struct sockaddr_in6); + bcopy(&ip6->ip6_src, &src->sin6.sin6_addr, sizeof(ip6->ip6_src)); + if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { + src->sin6.sin6_addr.s6_addr16[1] = 0; + src->sin6.sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]); + } + + bzero(&dst->sin6, sizeof(struct sockaddr_in6)); + dst->sin6.sin6_family = AF_INET6; + dst->sin6.sin6_len = sizeof(struct sockaddr_in6); + bcopy(&ip6->ip6_dst, &dst->sin6.sin6_addr, sizeof(ip6->ip6_dst)); + if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { + dst->sin6.sin6_addr.s6_addr16[1] = 0; + dst->sin6.sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); + } +} +#endif + #ifdef TCP_SIGNATURE const int tcp_ipsec_support = 1; #else From 
owner-svn-src-projects@freebsd.org Sat Dec 24 20:36:28 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9EC48C8FB1D for ; Sat, 24 Dec 2016 20:36:28 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5477963A; Sat, 24 Dec 2016 20:36:28 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBOKaRji013506; Sat, 24 Dec 2016 20:36:27 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBOKaRZo013504; Sat, 24 Dec 2016 20:36:27 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201612242036.uBOKaRZo013504@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Sat, 24 Dec 2016 20:36:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310526 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Dec 2016 20:36:28 -0000 Author: ae Date: Sat Dec 24 20:36:27 2016 New Revision: 310526 URL: https://svnweb.freebsd.org/changeset/base/310526 Log: Move ipsec_setsockaddrs() into xform_tcp.c and make it static. Also include needed headers into subr_ipsec.c. Modified: projects/ipsec/sys/netipsec/subr_ipsec.c projects/ipsec/sys/netipsec/xform_tcp.c Modified: projects/ipsec/sys/netipsec/subr_ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/subr_ipsec.c Sat Dec 24 20:02:28 2016 (r310525) +++ projects/ipsec/sys/netipsec/subr_ipsec.c Sat Dec 24 20:36:27 2016 (r310526) @@ -47,6 +47,8 @@ __FBSDID("$FreeBSD$"); #include #include +#include +#include #include #include Modified: projects/ipsec/sys/netipsec/xform_tcp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_tcp.c Sat Dec 24 20:02:28 2016 (r310525) +++ projects/ipsec/sys/netipsec/xform_tcp.c Sat Dec 24 20:36:27 2016 (r310526) 
@@ -223,6 +223,32 @@ tcp_signature_compute(struct mbuf *m, st return (0); } +static void +setsockaddrs(const struct mbuf *m, union sockaddr_union *src, + union sockaddr_union *dst) +{ + struct ip *ip; + + IPSEC_ASSERT(m->m_len >= sizeof(*ip), ("unexpected mbuf len")); + + ip = mtod(m, struct ip *); + switch (ip->ip_v) { +#ifdef INET + case IPVERSION: + ipsec4_setsockaddrs(m, src, dst); + break; +#endif +#ifdef INET6 + case (IPV6_VERSION >> 4): + ipsec6_setsockaddrs(m, src, dst); + break; +#endif + default: + bzero(src, sizeof(*src)); + bzero(dst, sizeof(*dst)); + } +} + /* * Compute TCP-MD5 hash of an *INBOUND* TCP segment. * Parameters: @@ -239,7 +265,7 @@ tcp_ipsec_input(struct mbuf *m, struct t struct secasindex saidx; struct secasvar *sav; - ipsec_setsockaddrs(m, &saidx.src, &saidx.dst); + setsockaddrs(m, &saidx.src, &saidx.dst); saidx.proto = IPPROTO_TCP; saidx.mode = IPSEC_MODE_TCPMD5; saidx.reqid = 0; @@ -279,7 +305,7 @@ tcp_ipsec_output(struct mbuf *m, struct struct secasindex saidx; struct secasvar *sav; - ipsec_setsockaddrs(m, &saidx.src, &saidx.dst); + setsockaddrs(m, &saidx.src, &saidx.dst); saidx.proto = IPPROTO_TCP; saidx.mode = IPSEC_MODE_TCPMD5; saidx.reqid = 0;
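Review bot: In `setsockaddrs()` the only length guard before `ip->ip_v` is read is `IPSEC_ASSERT(m->m_len >= sizeof(*ip), ...)`; if that macro compiles to nothing on kernels built without invariant checking (worth confirming in ipsec.h), production builds read the first mbuf unchecked. A runtime guard that falls into the existing zeroing path would cover both builds, e.g. `if (m->m_len < sizeof(*ip)) { bzero(src, sizeof(*src)); bzero(dst, sizeof(*dst)); return; }`. Because the function returns `void`, `tcp_ipsec_input()` and `tcp_ipsec_output()` cannot tell the zeroed `default:` result from a real address pair and will go on to use the zeroed `saidx`; a comment saying that this is intended would help. As a style point, `ip` only reads the header, so `const struct ip *ip;` with `mtod(m, const struct ip *)` would avoid casting away the `const` on `m`, as `ipsec4_setsockaddrs()` already does.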