-/* $OpenBSD: in_pcb.h,v 1.137 2023/11/12 23:19:15 bluhm Exp $ */
+/* $OpenBSD: in_pcb.h,v 1.138 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */
/*
} inp_mou;
#define inp_moptions inp_mou.mou_mo
#define inp_moptions6 inp_mou.mou_mo6
- u_char inp_seclevel[4];
+ u_char inp_seclevel[4]; /* [N] IPsec level of socket */
#define SL_AUTH 0 /* Authentication level */
#define SL_ESP_TRANS 1 /* ESP transport level */
#define SL_ESP_NETWORK 2 /* ESP network (encapsulation) level */
-/* $OpenBSD: ip_ipsp.h,v 1.243 2023/10/11 22:13:16 tobhe Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.244 2023/11/26 22:08:10 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int ipsp_process_done(struct mbuf *, struct tdb *);
int ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
- struct inpcb *, struct tdb **, struct ipsec_ids *);
+ const u_char[], struct tdb **, struct ipsec_ids *);
int ipsp_is_unspecified(union sockaddr_union);
int ipsp_aux_match(struct tdb *, struct ipsec_ids *,
struct sockaddr_encap *, struct sockaddr_encap *);
-/* $OpenBSD: ip_output.c,v 1.390 2023/07/07 08:05:02 bluhm Exp $ */
+/* $OpenBSD: ip_output.c,v 1.391 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
static u_int16_t in_cksum_phdr(u_int32_t, u_int32_t, u_int32_t);
void in_delayed_cksum(struct mbuf *);
-int ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
+int ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
struct tdb **, int ipsecflowinfo);
void ip_output_ipsec_pmtu_update(struct tdb *, struct route *, struct in_addr,
int, int);
*/
int
ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
- struct ip_moptions *imo, struct inpcb *inp, u_int32_t ipsecflowinfo)
+ struct ip_moptions *imo, const u_char seclevel[], u_int32_t ipsecflowinfo)
{
struct ip *ip;
struct ifnet *ifp = NULL;
NET_ASSERT_LOCKED();
-#ifdef IPSEC
- if (inp && (inp->inp_flags & INP_IPV6) != 0)
- panic("ip_output: IPv6 pcb is passed");
-#endif /* IPSEC */
-
#ifdef DIAGNOSTIC
if ((m->m_flags & M_PKTHDR) == 0)
panic("ip_output no HDR");
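Review bot: The removed `#ifdef IPSEC` check that panicked when an IPv6 pcb reached ip_output has no replacement, and with only the socket's level array passed none is possible, so the parameter contract is now the only thing telling callers what to hand in; the block comment that closes with `*/` on the first line of the hunk (its body is outside the hunk) should state it, e.g. `seclevel: the socket's inp_seclevel table (indexed by the SL_* constants), or NULL for packets that have no socket.` The same applies to ip6_output in ip6_output.c, where the mirror-image IPv4-pcb check is dropped. ip_output continues past the end of the hunk.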
}
#ifdef IPSEC
- if (ipsec_in_use || inp != NULL) {
+ if (ipsec_in_use || seclevel != NULL) {
/* Do we have any pending SAs to apply ? */
- error = ip_output_ipsec_lookup(m, hlen, inp, &tdb,
+ error = ip_output_ipsec_lookup(m, hlen, seclevel, &tdb,
ipsecflowinfo);
if (error) {
/* Should silently drop packet */
#ifdef IPSEC
int
-ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
+ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
struct tdb **tdbout, int ipsecflowinfo)
{
struct m_tag *mtag;
if (ipsecflowinfo)
ids = ipsp_ids_lookup(ipsecflowinfo);
error = ipsp_spd_lookup(m, AF_INET, hlen, IPSP_DIRECTION_OUT,
- NULL, inp, &tdb, ids);
+ NULL, seclevel, &tdb, ids);
ipsp_ids_free(ids);
if (error || tdb == NULL) {
*tdbout = NULL;
-/* $OpenBSD: ip_spd.c,v 1.118 2023/04/22 20:51:56 mvs Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.119 2023/11/26 22:08:10 bluhm Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
#include <netinet/ip_ipsp.h>
#include <net/pfkeyv2.h>
-int ipsp_spd_inp(struct mbuf *, struct inpcb *, struct ipsec_policy *,
+int ipsp_spd_inp(struct mbuf *, const u_char *, struct ipsec_policy *,
struct tdb **);
int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
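Review bot: The local prototype of ipsp_spd_inp on the `+` line declares the second parameter as `const u_char *`, while the definition later in this file and every other new prototype in the commit (ipsp_spd_lookup, ip_output_ipsec_lookup, ip6_output_ipsec_lookup) spell it `const u_char[]`. The two are the same type to the compiler, but the array form documents that the argument is the socket's inp_seclevel table rather than a single byte, so the declaration should match the definition: `int ipsp_spd_inp(struct mbuf *, const u_char[], struct ipsec_policy *,`.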
*/
int
ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
- struct tdb *tdbin, struct inpcb *inp, struct tdb **tdbout,
+ struct tdb *tdbin, const u_char seclevel[], struct tdb **tdbout,
struct ipsec_ids *ipsecflowinfo_ids)
{
struct radix_node_head *rnh;
* continuing with the SPD lookup.
*/
if (!ipsec_in_use)
- return ipsp_spd_inp(m, inp, NULL, tdbout);
+ return ipsp_spd_inp(m, seclevel, NULL, tdbout);
/*
* If an input packet is destined to a BYPASS socket, just accept it.
*/
- if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) &&
- (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
- (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
- (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
+ if ((seclevel != NULL) && (direction == IPSP_DIRECTION_IN) &&
+ (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
+ (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
+ (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
if (tdbout != NULL)
*tdbout = NULL;
return 0;
* Return whatever the socket requirements are, there are no
* system-wide policies.
*/
- return ipsp_spd_inp(m, inp, NULL, tdbout);
+ return ipsp_spd_inp(m, seclevel, NULL, tdbout);
}
ipo = (struct ipsec_policy *)rn;
switch (ipo->ipo_type) {
case IPSP_PERMIT:
- return ipsp_spd_inp(m, inp, ipo, tdbout);
+ return ipsp_spd_inp(m, seclevel, ipo, tdbout);
case IPSP_DENY:
return EHOSTUNREACH;
* gateway/endhost, and the socket has the BYPASS
* option set, skip IPsec processing.
*/
- if ((inp != NULL) &&
- (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
- (inp->inp_seclevel[SL_ESP_NETWORK] ==
- IPSEC_LEVEL_BYPASS) &&
- (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
+ if ((seclevel != NULL) &&
+ (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
+ (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
+ (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
/* Direct match. */
if (dignore ||
!memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
goto nomatchout;
/* Cached entry is good. */
- error = ipsp_spd_inp(m, inp, ipo, tdbout);
+ error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
mtx_leave(&ipo_tdb_mtx);
return error;
TAILQ_INSERT_TAIL(
&ipo->ipo_tdb->tdb_policy_head,
ipo, ipo_tdb_next);
- error = ipsp_spd_inp(m, inp, ipo, tdbout);
+ error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
mtx_leave(&ipo_tdb_mtx);
return error;
}
/* FALLTHROUGH */
case IPSP_IPSEC_USE:
- return ipsp_spd_inp(m, inp, ipo, tdbout);
+ return ipsp_spd_inp(m, seclevel, ipo, tdbout);
}
} else { /* IPSP_DIRECTION_IN */
if (tdbin != NULL) {
/* Direct match in the cache. */
mtx_enter(&ipo_tdb_mtx);
if (ipo->ipo_tdb == tdbin) {
- error = ipsp_spd_inp(m, inp, ipo, tdbout);
+ error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
mtx_leave(&ipo_tdb_mtx);
return error;
}
ipo->ipo_tdb = tdb_ref(tdbin);
TAILQ_INSERT_TAIL(&tdbin->tdb_policy_head, ipo,
ipo_tdb_next);
- error = ipsp_spd_inp(m, inp, ipo, tdbout);
+ error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
mtx_leave(&ipo_tdb_mtx);
return error;
case IPSP_IPSEC_ACQUIRE:
/* If appropriate SA exists, don't acquire another. */
if (ipo->ipo_tdb != NULL)
- return ipsp_spd_inp(m, inp, ipo, tdbout);
+ return ipsp_spd_inp(m, seclevel, ipo, tdbout);
/* Acquire SA through key management. */
ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst,
/* FALLTHROUGH */
case IPSP_IPSEC_USE:
- return ipsp_spd_inp(m, inp, ipo, tdbout);
+ return ipsp_spd_inp(m, seclevel, ipo, tdbout);
}
}
* Deal with PCB security requirements.
*/
int
-ipsp_spd_inp(struct mbuf *m, struct inpcb *inp, struct ipsec_policy *ipo,
+ipsp_spd_inp(struct mbuf *m, const u_char seclevel[], struct ipsec_policy *ipo,
struct tdb **tdbout)
{
/* Sanity check. */
- if (inp == NULL)
+ if (seclevel == NULL)
goto justreturn;
/* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */
- if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
- inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
- inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
+ if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
+ seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
+ seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
goto justreturn;
- if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
- inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
- inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
+ if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
+ seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
+ seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
goto justreturn;
return -EINVAL; /* Silently drop packet. */
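Review bot: The comment introducing ipsp_spd_inp still reads `Deal with PCB security requirements.` although the `+` signature no longer receives a pcb, only the socket's IPsec level array; it should say what the argument is and that NULL is accepted, e.g. `Apply the socket's IPsec security levels (inp_seclevel, may be NULL).` Nothing in the signature bounds the array, yet the body reads it at SL_AUTH, SL_ESP_TRANS and SL_ESP_NETWORK, so the expectation that callers pass the full inp_seclevel table (declared with 4 entries in in_pcb.h) belongs in that comment as well. ipsp_spd_inp continues past the end of the hunk.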
-/* $OpenBSD: ip_var.h,v 1.109 2023/04/05 21:51:47 bluhm Exp $ */
+/* $OpenBSD: ip_var.h,v 1.110 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $ */
/*
int ip_mforward(struct mbuf *, struct ifnet *);
int ip_optcopy(struct ip *, struct ip *);
int ip_output(struct mbuf *, struct mbuf *, struct route *, int,
- struct ip_moptions *, struct inpcb *, u_int32_t);
+ struct ip_moptions *, const u_char[], u_int32_t);
u_int16_t
ip_randomid(void);
void ip_send(struct mbuf *);
-/* $OpenBSD: raw_ip.c,v 1.151 2023/01/22 12:05:44 mvs Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.152 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
/*
#endif
error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
- inp->inp_moptions, inp, 0);
+ inp->inp_moptions, inp->inp_seclevel, 0);
return (error);
}
-/* $OpenBSD: tcp_input.c,v 1.392 2023/11/16 18:27:48 bluhm Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.393 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
&tdbi->dst, tdbi->proto);
}
error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
- tdb, inp, NULL, NULL);
+ tdb, inp->inp_seclevel, NULL, NULL);
tdb_unref(tdb);
if (error) {
tcpstat_inc(tcps_rcvnosec);
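Review bot: The `+` line dereferences inp at the call site (`inp->inp_seclevel`), whereas the old code passed inp itself and ipsp_spd_lookup/ipsp_spd_inp treated a NULL pcb as a socket-less packet; the pcb lookup that is expected to guarantee inp != NULL at this point is outside the hunk, so that guarantee should be confirmed. The same pattern appears in udp_usrreq.c at the IPSP_DIRECTION_IN lookup, while tcp_subr.c keeps a `tp ? tp->t_inpcb->inp_seclevel : NULL` guard, which suggests the difference is deliberate; if inp can be NULL on any of these paths, what used to be a silent fallback is now a NULL dereference. The enclosing function starts and ends outside the hunk.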
ip->ip_tos = inp->inp_ip.ip_tos;
error = ip_output(m, sc->sc_ipopts, &sc->sc_route4,
- (ip_mtudisc ? IP_MTUDISC : 0), NULL, inp, 0);
+ (ip_mtudisc ? IP_MTUDISC : 0), NULL, inp->inp_seclevel, 0);
break;
#ifdef INET6
case AF_INET6:
-/* $OpenBSD: tcp_output.c,v 1.140 2023/07/06 09:15:24 bluhm Exp $ */
+/* $OpenBSD: tcp_output.c,v 1.141 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */
/*
SET(m->m_pkthdr.csum_flags, M_FLOWID);
#endif
error = ip_output(m, tp->t_inpcb->inp_options,
- &tp->t_inpcb->inp_route,
- (ip_mtudisc ? IP_MTUDISC : 0), NULL, tp->t_inpcb, 0);
+ &tp->t_inpcb->inp_route,
+ (ip_mtudisc ? IP_MTUDISC : 0), NULL,
+ tp->t_inpcb->inp_seclevel, 0);
break;
#ifdef INET6
case AF_INET6:
#endif
}
error = ip6_output(m, tp->t_inpcb->inp_outputopts6,
- &tp->t_inpcb->inp_route6, 0, NULL, tp->t_inpcb);
+ &tp->t_inpcb->inp_route6, 0, NULL,
+ tp->t_inpcb->inp_seclevel);
break;
#endif /* INET6 */
}
-/* $OpenBSD: tcp_subr.c,v 1.192 2023/07/06 09:15:24 bluhm Exp $ */
+/* $OpenBSD: tcp_subr.c,v 1.193 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */
/*
ip6_output(m, tp ? tp->t_inpcb->inp_outputopts6 : NULL,
tp ? &tp->t_inpcb->inp_route6 : NULL,
0, NULL,
- tp ? tp->t_inpcb : NULL);
+ tp ? tp->t_inpcb->inp_seclevel : NULL);
break;
#endif /* INET6 */
case AF_INET:
ip_output(m, NULL,
tp ? &tp->t_inpcb->inp_route : NULL,
ip_mtudisc ? IP_MTUDISC : 0, NULL,
- tp ? tp->t_inpcb : NULL, 0);
+ tp ? tp->t_inpcb->inp_seclevel : NULL, 0);
break;
}
}
-/* $OpenBSD: udp_usrreq.c,v 1.306 2023/09/16 09:33:27 mpi Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.307 2023/11/26 22:08:10 bluhm Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
} else
tdb = NULL;
error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
- tdb, inp, NULL, NULL);
+ tdb, inp->inp_seclevel, NULL, NULL);
if (error) {
udpstat_inc(udps_nosec);
tdb_unref(tdb);
error = ip_output(m, inp->inp_options, &inp->inp_route,
(inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions,
- inp, ipsecflowinfo);
+ inp->inp_seclevel, ipsecflowinfo);
bail:
m_freem(control);
-/* $OpenBSD: ip6_output.c,v 1.279 2023/07/07 08:05:02 bluhm Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.280 2023/11/26 22:08:10 bluhm Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
*/
int
ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route_in6 *ro,
- int flags, struct ip6_moptions *im6o, struct inpcb *inp)
+ int flags, struct ip6_moptions *im6o, const u_char seclevel[])
{
struct ip6_hdr *ip6;
struct ifnet *ifp = NULL;
struct tdb *tdb = NULL;
#endif /* IPSEC */
-#ifdef IPSEC
- if (inp && (inp->inp_flags & INP_IPV6) == 0)
- panic("%s: IPv4 pcb is passed", __func__);
-#endif /* IPSEC */
-
ip6 = mtod(m, struct ip6_hdr *);
finaldst = ip6->ip6_dst;
}
#ifdef IPSEC
- if (ipsec_in_use || inp != NULL) {
- error = ip6_output_ipsec_lookup(m, inp, &tdb);
+ if (ipsec_in_use || seclevel != NULL) {
+ error = ip6_output_ipsec_lookup(m, seclevel, &tdb);
if (error) {
/*
* -EINVAL is used to indicate that the packet should
#ifdef IPSEC
int
-ip6_output_ipsec_lookup(struct mbuf *m, struct inpcb *inp, struct tdb **tdbout)
+ip6_output_ipsec_lookup(struct mbuf *m, const u_char seclevel[],
+ struct tdb **tdbout)
{
struct tdb *tdb;
struct m_tag *mtag;
/* Do we have any pending SAs to apply ? */
error = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr),
- IPSP_DIRECTION_OUT, NULL, inp, &tdb, NULL);
+ IPSP_DIRECTION_OUT, NULL, seclevel, &tdb, NULL);
if (error || tdb == NULL) {
*tdbout = NULL;
return error;
-/* $OpenBSD: ip6_var.h,v 1.106 2022/11/12 02:49:34 kn Exp $ */
+/* $OpenBSD: ip6_var.h,v 1.107 2023/11/26 22:08:10 bluhm Exp $ */
/* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */
/*
void ip6_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in6 *);
int ip6_output(struct mbuf *, struct ip6_pktopts *, struct route_in6 *, int,
- struct ip6_moptions *, struct inpcb *);
+ struct ip6_moptions *, const u_char[]);
int ip6_fragment(struct mbuf *, struct mbuf_list *, int, u_char, u_long);
int ip6_ctloutput(int, struct socket *, int, int, struct mbuf *);
int ip6_raw_ctloutput(int, struct socket *, int, int, struct mbuf *);
#ifdef IPSEC
struct tdb;
-int ip6_output_ipsec_lookup(struct mbuf *, struct inpcb *, struct tdb **);
+int ip6_output_ipsec_lookup(struct mbuf *, const u_char[], struct tdb **);
int ip6_output_ipsec_send(struct tdb *, struct mbuf *, struct route_in6 *,
int, int);
#endif /* IPSEC */
-/* $OpenBSD: raw_ip6.c,v 1.173 2023/09/16 09:33:27 mpi Exp $ */
+/* $OpenBSD: raw_ip6.c,v 1.174 2023/11/26 22:08:10 bluhm Exp $ */
/* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */
/*
#endif
error = ip6_output(m, optp, &in6p->inp_route6, flags,
- in6p->inp_moptions6, in6p);
+ in6p->inp_moptions6, in6p->inp_seclevel);
if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {
icmp6stat_inc(icp6s_outhist + type);
} else
-/* $OpenBSD: udp6_output.c,v 1.59 2022/02/22 01:35:41 guenther Exp $ */
+/* $OpenBSD: udp6_output.c,v 1.60 2023/11/26 22:08:10 bluhm Exp $ */
/* $KAME: udp6_output.c,v 1.21 2001/02/07 11:51:54 itojun Exp $ */
/*
#endif
error = ip6_output(m, optp, &in6p->inp_route6,
- flags, in6p->inp_moptions6, in6p);
+ flags, in6p->inp_moptions6, in6p->inp_seclevel);
goto releaseopt;
release: