From: claudio Date: Mon, 29 May 2017 10:55:34 +0000 (+0000) Subject: PFKEY version 2 is the only pfkey version supported. No need for extra X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=6da397cf67babd571c90fba2caa1b1dbcf103e77;p=openbsd PFKEY version 2 is the only pfkey version supported. No need for extra abstraction. First step of making PF_KEY a bit more like PF_ROUTE. OK mpi@ --- diff --git a/sys/conf/files b/sys/conf/files index af7b8ba7912..15798f5a26d 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1,4 +1,4 @@ -# $OpenBSD: files,v 1.645 2017/05/15 11:23:25 mikeb Exp $ +# $OpenBSD: files,v 1.646 2017/05/29 10:55:34 claudio Exp $ # $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $ # @(#)files.newconf 7.5 (Berkeley) 5/10/93 @@ -979,10 +979,9 @@ file netinet6/raw_ip6.c inet6 file netinet6/udp6_output.c inet6 # ... PF_KEY -file net/pfkey.c key | ipsec | tcp_signature -file net/pfkeyv2.c key | ipsec | tcp_signature -file net/pfkeyv2_parsemessage.c key | ipsec | tcp_signature -file net/pfkeyv2_convert.c key | ipsec | tcp_signature +file net/pfkeyv2.c ipsec | tcp_signature +file net/pfkeyv2_parsemessage.c ipsec | tcp_signature +file net/pfkeyv2_convert.c ipsec | tcp_signature # libx86emu file dev/x86emu/x86emu.c x86emu diff --git a/sys/net/pfkey.c b/sys/net/pfkey.c deleted file mode 100644 index 1e45e822c93..00000000000 --- a/sys/net/pfkey.c +++ /dev/null @@ -1,241 +0,0 @@ -/* $OpenBSD: pfkey.c,v 1.42 2017/05/26 19:11:20 claudio Exp $ */ - -/* - * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 - * - * NRL grants permission for redistribution and use in source and binary - * forms, with or without modification, of the software and documentation - * created at NRL provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgements: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * This product includes software developed at the Information - * Technology Division, US Naval Research Laboratory. - * 4. Neither the name of the NRL nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS - * IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR - * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - * The views and conclusions contained in the software and documentation - * are those of the authors and should not be interpreted as representing - * official policies, either expressed or implied, of the US Naval - * Research Laboratory (NRL). - */ - -/* - * Copyright (c) 1995, 1996, 1997, 1998, 1999 Craig Metz. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the author nor the names of any contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include - -#define PFKEYV2_PROTOCOL 2 - -#define PFKEY_MSG_MAXSZ 4096 - -struct domain pfkeydomain; -struct sockaddr pfkey_addr = { 2, PF_KEY, }; - -int pfkey_usrreq(struct socket *, int , struct mbuf *, struct mbuf *, - struct mbuf *, struct proc *); -int pfkey_output(struct mbuf *, struct socket *, struct sockaddr *, - struct mbuf *); - -void pfkey_init(void); - -int -pfkey_sendup(struct socket *socket, struct mbuf *packet, int more) -{ - struct mbuf *packet2; - - NET_ASSERT_LOCKED(); - - if (more) { - if (!(packet2 = m_dup_pkt(packet, 0, M_DONTWAIT))) - return (ENOMEM); - } else - packet2 = packet; - - if (!sbappendaddr(&socket->so_rcv, &pfkey_addr, packet2, NULL)) { - m_freem(packet2); - return (ENOBUFS); - } - - sorwakeup(socket); - return (0); -} - -int -pfkey_output(struct mbuf *mbuf, struct socket *socket, struct sockaddr *dstaddr, - struct mbuf *control) -{ - void *message; - int error = 0; - -#ifdef DIAGNOSTIC - if (!mbuf || !(mbuf->m_flags & M_PKTHDR)) { - error = EINVAL; - goto ret; - } -#endif /* DIAGNOSTIC */ - - if (mbuf->m_pkthdr.len > PFKEY_MSG_MAXSZ) { - error = EMSGSIZE; - goto ret; - } - - if (!(message = malloc((unsigned long) mbuf->m_pkthdr.len, - M_PFKEY, M_DONTWAIT))) { - error = ENOMEM; - goto ret; - } - - m_copydata(mbuf, 0, mbuf->m_pkthdr.len, message); - - error = pfkeyv2_send(socket, message, mbuf->m_pkthdr.len); - -ret: - m_freem(mbuf); - return (error); -} - -int -pfkey_attach(struct socket *so, int proto) -{ - int rval; - - if ((so->so_state & SS_PRIV) == 0) - return EACCES; - - if (!(so->so_pcb = malloc(sizeof(struct rawcb), - M_PCB, M_DONTWAIT | M_ZERO))) - return (ENOMEM); - - rval = raw_attach(so, so->so_proto->pr_protocol); - if (rval) - goto ret; - - ((struct rawcb *)so->so_pcb)->rcb_faddr = &pfkey_addr; - soisconnected(so); - - so->so_options |= SO_USELOOPBACK; - if ((rval = pfkeyv2_create(so)) != 0) - goto ret; - - return (0); - -ret: - free(so->so_pcb, M_PCB, sizeof(struct rawcb)); - return (rval); -} - -static int -pfkey_detach(struct socket *socket, struct proc *p) -{ - int rval, i; - - rval = pfkeyv2_release(socket); - i = raw_usrreq(socket, PRU_DETACH, NULL, NULL, NULL, p); - - if (!rval) - rval = i; - - return (rval); -} - -int -pfkey_usrreq(struct socket *socket, int req, struct mbuf *mbuf, - struct mbuf *nam, struct mbuf *control, struct proc *p) -{ - int rval; - - switch (req) { - case PRU_DETACH: - return (pfkey_detach(socket, p)); - - default: - rval = raw_usrreq(socket, req, mbuf, nam, control, p); - } - - return (rval); -} - -static struct protosw pfkeysw[] = { -{ - .pr_type = SOCK_RAW, - .pr_domain = &pfkeydomain, - .pr_protocol = PFKEYV2_PROTOCOL, - .pr_flags = PR_ATOMIC | PR_ADDR, - .pr_output = pfkey_output, - .pr_usrreq = pfkey_usrreq, - .pr_attach = pfkey_attach, - .pr_sysctl = pfkeyv2_sysctl, -} -}; - -struct domain pfkeydomain = { - .dom_family = PF_KEY, - .dom_name = "PF_KEY", - .dom_init = pfkey_init, - .dom_protosw = pfkeysw, - .dom_protoswNPROTOSW = &pfkeysw[nitems(pfkeysw)], -}; - -void -pfkey_init(void) -{ - rn_init(sizeof(struct sockaddr_encap)); -} diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index d61fc480862..3f51e93a975 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.157 2017/05/27 18:50:53 claudio Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.158 2017/05/29 10:55:34 claudio Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -73,6 +73,9 @@ #include #include #include +#include +#include +#include #include #include #include @@ -82,6 +85,7 @@ #include #include #include +#include #include #include #include @@ -128,6 +132,20 @@ extern struct pool ipsec_policy_pool; extern struct radix_node_head **spd_tables; +#define PFKEY_MSG_MAXSZ 4096 +struct sockaddr pfkey_addr = { 2, PF_KEY, }; +struct domain pfkeydomain; + +void pfkey_init(void); + +int pfkeyv2_attach(struct socket *, int); +int pfkeyv2_detach(struct socket *, struct proc *); +int pfkeyv2_usrreq(struct socket *, int, struct mbuf *, struct mbuf *, + struct mbuf *, struct proc *); +int pfkeyv2_output(struct mbuf *, struct socket *, struct sockaddr *, + struct mbuf *); +int pfkey_sendup(struct socket *socket, struct mbuf *packet, int more); + /* * Wrapper around m_devget(); copy data from contiguous buffer to mbuf * chain. @@ -144,20 +162,62 @@ pfdatatopacket(void *data, int len, struct mbuf **packet) return (0); } +static struct protosw pfkeysw[] = { +{ + .pr_type = SOCK_RAW, + .pr_domain = &pfkeydomain, + .pr_protocol = PF_KEY_V2, + .pr_flags = PR_ATOMIC | PR_ADDR, + .pr_output = pfkeyv2_output, + .pr_usrreq = pfkeyv2_usrreq, + .pr_attach = pfkeyv2_attach, + .pr_sysctl = pfkeyv2_sysctl, +} +}; + +struct domain pfkeydomain = { + .dom_family = PF_KEY, + .dom_name = "PF_KEY", + .dom_init = pfkey_init, + .dom_protosw = pfkeysw, + .dom_protoswNPROTOSW = &pfkeysw[nitems(pfkeysw)], +}; + +void +pfkey_init(void) +{ + rn_init(sizeof(struct sockaddr_encap)); +} + + /* - * Create a new PF_KEYv2 socket. + * Attach a new PF_KEYv2 socket. */ int -pfkeyv2_create(struct socket *socket) +pfkeyv2_attach(struct socket *so, int proto) { struct pfkeyv2_socket *pfkeyv2_socket; + int error; + + if ((so->so_state & SS_PRIV) == 0) + return EACCES; + + if (!(so->so_pcb = malloc(sizeof(struct rawcb), + M_PCB, M_DONTWAIT | M_ZERO))) + return (ENOMEM); + + error = raw_attach(so, so->so_proto->pr_protocol); + if (error) + goto ret; + + ((struct rawcb *)so->so_pcb)->rcb_faddr = &pfkey_addr; if (!(pfkeyv2_socket = malloc(sizeof(struct pfkeyv2_socket), M_PFKEY, M_NOWAIT | M_ZERO))) return (ENOMEM); pfkeyv2_socket->next = pfkeyv2_sockets; - pfkeyv2_socket->socket = socket; + pfkeyv2_socket->socket = so; pfkeyv2_socket->pid = curproc->p_p->ps_pid; /* @@ -168,16 +228,23 @@ pfkeyv2_create(struct socket *socket) pfkeyv2_sockets = pfkeyv2_socket; + so->so_options |= SO_USELOOPBACK; + soisconnected(so); + return (0); +ret: + free(so->so_pcb, M_PCB, sizeof(struct rawcb)); + return (error); } /* * Close a PF_KEYv2 socket. */ int -pfkeyv2_release(struct socket *socket) +pfkeyv2_detach(struct socket *socket, struct proc *p) { struct pfkeyv2_socket **pp; + int error; for (pp = &pfkeyv2_sockets; *pp && ((*pp)->socket != socket); pp = &((*pp)->next)) @@ -198,6 +265,75 @@ pfkeyv2_release(struct socket *socket) free(pfkeyv2_socket, M_PFKEY, 0); } + error = raw_usrreq(socket, PRU_DETACH, NULL, NULL, NULL, p); + return (error); +} + +int +pfkeyv2_usrreq(struct socket *so, int req, struct mbuf *mbuf, + struct mbuf *nam, struct mbuf *control, struct proc *p) +{ + switch (req) { + case PRU_DETACH: + return (pfkeyv2_detach(so, p)); + default: + return (raw_usrreq(so, req, mbuf, nam, control, p)); + } +} + +int +pfkeyv2_output(struct mbuf *mbuf, struct socket *socket, + struct sockaddr *dstaddr, struct mbuf *control) +{ + void *message; + int error = 0; + +#ifdef DIAGNOSTIC + if (!mbuf || !(mbuf->m_flags & M_PKTHDR)) { + error = EINVAL; + goto ret; + } +#endif /* DIAGNOSTIC */ + + if (mbuf->m_pkthdr.len > PFKEY_MSG_MAXSZ) { + error = EMSGSIZE; + goto ret; + } + + if (!(message = malloc((unsigned long) mbuf->m_pkthdr.len, + M_PFKEY, M_DONTWAIT))) { + error = ENOMEM; + goto ret; + } + + m_copydata(mbuf, 0, mbuf->m_pkthdr.len, message); + + error = pfkeyv2_send(socket, message, mbuf->m_pkthdr.len); + +ret: + m_freem(mbuf); + return (error); +} + +int +pfkey_sendup(struct socket *socket, struct mbuf *packet, int more) +{ + struct mbuf *packet2; + + NET_ASSERT_LOCKED(); + + if (more) { + if (!(packet2 = m_dup_pkt(packet, 0, M_DONTWAIT))) + return (ENOMEM); + } else + packet2 = packet; + + if (!sbappendaddr(&socket->so_rcv, &pfkey_addr, packet2, NULL)) { + m_freem(packet2); + return (ENOBUFS); + } + + sorwakeup(socket); return (0); } diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index 0e2ffdaf967..ba920779bc0 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.h,v 1.75 2017/05/26 19:11:20 claudio Exp $ */ +/* $OpenBSD: pfkeyv2.h,v 1.76 2017/05/29 10:55:34 claudio Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) January 1998 * @@ -394,12 +394,8 @@ int pfkeyv2_expire(struct tdb *, u_int16_t); int pfkeyv2_acquire(struct ipsec_policy *, union sockaddr_union *, union sockaddr_union *, u_int32_t *, struct sockaddr_encap *); -int pfkey_sendup(struct socket *socket, struct mbuf *packet, int more); - -int pfkeyv2_create(struct socket *); int pfkeyv2_get(struct tdb *, void **, void **, int *); int pfkeyv2_policy(struct ipsec_acquire *, void **, void **); -int pfkeyv2_release(struct socket *); int pfkeyv2_send(struct socket *, void *, int); int pfkeyv2_sendmessage(void **, int, struct socket *, u_int8_t, int, u_int); int pfkeyv2_dump_policy(struct ipsec_policy *, void **, void **, int *);