From ace0f1891f538e34a7abe4c36dddbf6f6515f1bb Mon Sep 17 00:00:00 2001 From: bluhm Date: Wed, 17 Apr 2024 20:48:51 +0000 Subject: [PATCH] Use struct ipsec_level within inpcb. Instead of passing around u_char[4], introduce struct ipsec_level that contains 4 ipsec levels. This provides better type safety. The embedding struct inpcb is globally visible for netstat(1), so put struct ipsec_level outside of #ifdef _KERNEL. OK deraadt@ mvs@ --- sys/netinet/in_pcb.c | 10 +++++----- sys/netinet/in_pcb.h | 8 ++------ sys/netinet/ip_ipsp.h | 11 +++++++++-- sys/netinet/ip_output.c | 29 +++++++++++++++-------------- sys/netinet/ip_spd.c | 36 ++++++++++++++++++------------------ sys/netinet/ip_var.h | 5 +++-- sys/netinet/raw_ip.c | 4 ++-- sys/netinet/tcp_input.c | 11 +++++------ sys/netinet/tcp_output.c | 6 +++--- sys/netinet/tcp_subr.c | 6 +++--- sys/netinet/udp_usrreq.c | 6 +++--- sys/netinet6/ip6_output.c | 22 +++++++++++----------- sys/netinet6/ip6_var.h | 8 +++++--- sys/netinet6/raw_ip6.c | 4 ++-- sys/netinet6/udp6_output.c | 4 ++-- usr.bin/netstat/inet.c | 10 +++++----- 16 files changed, 93 insertions(+), 87 deletions(-) diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 7a79b6b4cca..958d8ea9be9 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.300 2024/04/12 16:07:09 bluhm Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.301 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* 
@@ -240,10 +240,10 @@ in_pcballoc(struct socket *so, struct inpcbtable *table, int wait) inp->inp_socket = so; refcnt_init_trace(&inp->inp_refcnt, DT_REFCNT_IDX_INPCB); mtx_init(&inp->inp_mtx, IPL_SOFTNET); - inp->inp_seclevel[SL_AUTH] = IPSEC_AUTH_LEVEL_DEFAULT; - inp->inp_seclevel[SL_ESP_TRANS] = IPSEC_ESP_TRANS_LEVEL_DEFAULT; - inp->inp_seclevel[SL_ESP_NETWORK] = IPSEC_ESP_NETWORK_LEVEL_DEFAULT; - inp->inp_seclevel[SL_IPCOMP] = IPSEC_IPCOMP_LEVEL_DEFAULT; + inp->inp_seclevel.sl_auth = IPSEC_AUTH_LEVEL_DEFAULT; + inp->inp_seclevel.sl_esp_trans = IPSEC_ESP_TRANS_LEVEL_DEFAULT; + inp->inp_seclevel.sl_esp_network = IPSEC_ESP_NETWORK_LEVEL_DEFAULT; + inp->inp_seclevel.sl_ipcomp = IPSEC_IPCOMP_LEVEL_DEFAULT; inp->inp_rtableid = curproc->p_p->ps_rtableid; inp->inp_hops = -1; #ifdef INET6 diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index a8e72f7c91c..60b3ae537e0 100644 --- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.h,v 1.155 2024/04/15 18:31:04 bluhm Exp $ */ +/* $OpenBSD: in_pcb.h,v 1.156 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */ /* @@ -166,11 +166,7 @@ struct inpcb { } inp_mou; #define inp_moptions inp_mou.mou_mo /* [N] IPv4 multicast options */ #define inp_moptions6 inp_mou.mou_mo6 /* [N] IPv6 multicast options */ - u_char inp_seclevel[4]; /* [N] IPsec level of socket */ -#define SL_AUTH 0 /* Authentication level */ -#define SL_ESP_TRANS 1 /* ESP transport level */ -#define SL_ESP_NETWORK 2 /* ESP network (encapsulation) level */ -#define SL_IPCOMP 3 /* Compression level */ + struct ipsec_level inp_seclevel; /* [N] IPsec level of socket */ u_char inp_ip_minttl; /* minimum TTL or drop */ #define inp_ip6_minhlim inp_ip_minttl /* minimum Hop Limit or drop */ #define inp_flowinfo inp_hu.hu_ipv6.ip6_flow diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index 0b847b9b9b1..e72d17e366f 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h 
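Review bot: The in_pcb.h hunk embeds `struct ipsec_level inp_seclevel;` by value, so the complete type must be visible where struct inpcb is defined; the forward declarations this commit adds to ip_var.h and ip6_var.h are enough there only because those headers pass pointers. If in_pcb.h does not already include netinet/ip_ipsp.h ahead of struct inpcb (the include region is outside this hunk), the header stops being self-contained for userland consumers such as netstat(1). A one-line comment on the new member would also help readers who look for the removed SL_* indices, e.g. `/* [N] IPsec level of socket, see struct ipsec_level in ip_ipsp.h */`.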
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.244 2023/11/26 22:08:10 bluhm Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.245 2024/04/17 20:48:51 bluhm Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -149,6 +149,13 @@ struct ipsecstat { uint64_t ipsec_exctdb; /* TDBs with hardlimit excess */ }; +struct ipsec_level { + u_char sl_auth; /* Authentication level */ + u_char sl_esp_trans; /* ESP transport level */ + u_char sl_esp_network; /* ESP network (encapsulation) level */ + u_char sl_ipcomp; /* Compression level */ +}; + #ifdef _KERNEL #include @@ -671,7 +678,7 @@ int checkreplaywindow(struct tdb *, u_int64_t, u_int32_t, u_int32_t *, int); int ipsp_process_packet(struct mbuf *, struct tdb *, int, int); int ipsp_process_done(struct mbuf *, struct tdb *); int ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *, - const u_char[], struct tdb **, struct ipsec_ids *); + const struct ipsec_level *, struct tdb **, struct ipsec_ids *); int ipsp_is_unspecified(union sockaddr_union); int ipsp_aux_match(struct tdb *, struct ipsec_ids *, struct sockaddr_encap *, struct sockaddr_encap *); diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 3154be3494c..c5a9b419cbe 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.397 2024/04/09 11:05:05 bluhm Exp $ */ +/* $OpenBSD: ip_output.c,v 1.398 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* 
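Review bot: The new struct ipsec_level in ip_ipsp.h carries no note about why it sits outside `#ifdef _KERNEL` or that its layout is ABI-relevant, even though the commit message explains both. Because struct inpcb is read from kernel memory by netstat(1), the four u_char members must keep the size and order of the former `u_char inp_seclevel[4]` array (auth, esp_trans, esp_network, ipcomp), which the hunk preserves. I would add above the struct: `/* Visible to userland (netstat reads struct inpcb via kvm); member order and size must stay stable. */`.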
@@ -84,8 +84,8 @@ void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *); static u_int16_t in_cksum_phdr(u_int32_t, u_int32_t, u_int32_t); void in_delayed_cksum(struct mbuf *); -int ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[], - struct tdb **, int ipsecflowinfo); +int ip_output_ipsec_lookup(struct mbuf *m, int hlen, + const struct ipsec_level *seclevel, struct tdb **, int ipsecflowinfo); void ip_output_ipsec_pmtu_update(struct tdb *, struct route *, struct in_addr, int, int); int ip_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int); @@ -98,7 +98,8 @@ int ip_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int); */ int ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags, - struct ip_moptions *imo, const u_char seclevel[], u_int32_t ipsecflowinfo) + struct ip_moptions *imo, const struct ipsec_level *seclevel, + u_int32_t ipsecflowinfo) { struct ip *ip; struct ifnet *ifp = NULL; @@ -498,8 +499,8 @@ bad: #ifdef IPSEC int -ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[], - struct tdb **tdbout, int ipsecflowinfo) +ip_output_ipsec_lookup(struct mbuf *m, int hlen, + const struct ipsec_level *seclevel, struct tdb **tdbout, int ipsecflowinfo) { struct m_tag *mtag; struct tdb_ident *tdbi; @@ -1019,7 +1020,7 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, error = EACCES; break; } - inp->inp_seclevel[SL_AUTH] = optval; + inp->inp_seclevel.sl_auth = optval; break; case IP_ESP_TRANS_LEVEL: @@ -1028,7 +1029,7 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, error = EACCES; break; } - inp->inp_seclevel[SL_ESP_TRANS] = optval; + inp->inp_seclevel.sl_esp_trans = optval; break; case IP_ESP_NETWORK_LEVEL: 
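Review bot: On the new `inp->inp_seclevel.sl_auth = optval;` line (hunk @@ -1019) an int is narrowed into a u_char, and the only guard visible in the hunk is the `optval < IPSEC_AUTH_LEVEL_DEFAULT && suser` privilege test; the same applies to the sl_esp_trans, sl_esp_network and sl_ipcomp stores in the following hunks of this file and the IPV6_* cases in ip6_output.c. I assume the range check against IPSEC_LEVEL_BYPASS..IPSEC_LEVEL_UNIQUE is done earlier in ip_ctloutput, outside the hunk; if so, a short comment at the first store, `/* optval already range-checked above, fits in u_char */`, documents why the implicit truncation is safe. ip_ctloutput's body starts and ends outside these hunks.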
@@ -1037,7 +1038,7 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, error = EACCES; break; } - inp->inp_seclevel[SL_ESP_NETWORK] = optval; + inp->inp_seclevel.sl_esp_network = optval; break; case IP_IPCOMP_LEVEL: if (optval < IPSEC_IPCOMP_LEVEL_DEFAULT && @@ -1045,7 +1046,7 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, error = EACCES; break; } - inp->inp_seclevel[SL_IPCOMP] = optval; + inp->inp_seclevel.sl_ipcomp = optval; break; } #endif @@ -1189,18 +1190,18 @@ ip_ctloutput(int op, struct socket *so, int level, int optname, m->m_len = sizeof(int); switch (optname) { case IP_AUTH_LEVEL: - optval = inp->inp_seclevel[SL_AUTH]; + optval = inp->inp_seclevel.sl_auth; break; case IP_ESP_TRANS_LEVEL: - optval = inp->inp_seclevel[SL_ESP_TRANS]; + optval = inp->inp_seclevel.sl_esp_trans; break; case IP_ESP_NETWORK_LEVEL: - optval = inp->inp_seclevel[SL_ESP_NETWORK]; + optval = inp->inp_seclevel.sl_esp_network; break; case IP_IPCOMP_LEVEL: - optval = inp->inp_seclevel[SL_IPCOMP]; + optval = inp->inp_seclevel.sl_ipcomp; break; } *mtod(m, int *) = optval; diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c index ed27d5a4e29..bb1de16f0fd 100644 --- a/sys/netinet/ip_spd.c +++ b/sys/netinet/ip_spd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_spd.c,v 1.119 2023/11/26 22:08:10 bluhm Exp $ */ +/* $OpenBSD: ip_spd.c,v 1.120 2024/04/17 20:48:51 bluhm Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -39,8 +39,8 @@ #include #include -int ipsp_spd_inp(struct mbuf *, const u_char *, struct ipsec_policy *, - struct tdb **); +int ipsp_spd_inp(struct mbuf *, const struct ipsec_level *, + struct ipsec_policy *, struct tdb **); int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *, union sockaddr_union *, struct sockaddr_encap *, struct mbuf *); int ipsp_pending_acquire(struct ipsec_policy *, union sockaddr_union *); 
@@ -153,7 +153,7 @@ spd_table_walk(unsigned int rtableid, */ int ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction, - struct tdb *tdbin, const u_char seclevel[], struct tdb **tdbout, + struct tdb *tdbin, const struct ipsec_level *seclevel, struct tdb **tdbout, struct ipsec_ids *ipsecflowinfo_ids) { struct radix_node_head *rnh; @@ -178,9 +178,9 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction, * If an input packet is destined to a BYPASS socket, just accept it. */ if ((seclevel != NULL) && (direction == IPSP_DIRECTION_IN) && - (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && - (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && - (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { + (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) && + (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) && + (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) { if (tdbout != NULL) *tdbout = NULL; return 0; @@ -385,9 +385,9 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction, * option set, skip IPsec processing. */ if ((seclevel != NULL) && - (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && - (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) && - (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) { + (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) && + (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) && + (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) { /* Direct match. */ if (dignore || !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) { @@ -904,8 +904,8 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw, * Deal with PCB security requirements. */ int -ipsp_spd_inp(struct mbuf *m, const u_char seclevel[], struct ipsec_policy *ipo, - struct tdb **tdbout) +ipsp_spd_inp(struct mbuf *m, const struct ipsec_level *seclevel, + struct ipsec_policy *ipo, struct tdb **tdbout) { /* Sanity check. */ if (seclevel == NULL) 
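Review bot: The rewritten bypass test in ipsp_spd_lookup (hunk @@ -178, and likewise @@ -385 and both hunks of ipsp_spd_inp) compares sl_esp_trans, sl_esp_network and sl_auth but never sl_ipcomp, so now that the levels are named fields the omission stands out to a reader. This mirrors the previous SL_* array code, so it is not a regression introduced here; whether leaving compression out of the BYPASS/AVAIL decision is intentional is not visible from the hunk. A comment at the first such check, `/* sl_ipcomp is deliberately not part of the bypass decision */`, would record that intent if it is correct. ipsp_spd_lookup's body runs past the end of this hunk.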
@@ -913,14 +913,14 @@ ipsp_spd_inp(struct mbuf *m, const u_char seclevel[], struct ipsec_policy *ipo, /* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */ - if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS && - seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS && - seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS) + if (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS && + seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS && + seclevel->sl_auth == IPSEC_LEVEL_BYPASS) goto justreturn; - if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL && - seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL && - seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL) + if (seclevel->sl_esp_trans == IPSEC_LEVEL_AVAIL && + seclevel->sl_esp_network == IPSEC_LEVEL_AVAIL && + seclevel->sl_auth == IPSEC_LEVEL_AVAIL) goto justreturn; return -EINVAL; /* Silently drop packet. */ diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index cdbdd2d4358..a963798db34 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_var.h,v 1.116 2024/04/16 12:56:39 bluhm Exp $ */ +/* $OpenBSD: ip_var.h,v 1.117 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $ */ /* @@ -235,6 +235,7 @@ extern struct pool ipqent_pool; struct rtentry; struct route; struct inpcb; +struct ipsec_level; int ip_ctloutput(int, struct socket *, int, int, struct mbuf *); int ip_fragment(struct mbuf *, struct mbuf_list *, struct ifnet *, u_long); @@ -246,7 +247,7 @@ struct mbuf* int ip_mforward(struct mbuf *, struct ifnet *); int ip_optcopy(struct ip *, struct ip *); int ip_output(struct mbuf *, struct mbuf *, struct route *, int, - struct ip_moptions *, const u_char[], u_int32_t); + struct ip_moptions *, const struct ipsec_level *, u_int32_t); u_int16_t ip_randomid(void); void ip_send(struct mbuf *); diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 3d19c39cc64..73fd2fd7dd7 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip.c,v 1.158 2024/04/12 12:25:58 bluhm Exp $ */ +/* $OpenBSD: raw_ip.c,v 1.159 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */ /* @@ -332,7 +332,7 @@ rip_output(struct mbuf *m, struct socket *so, struct sockaddr *dstaddr, #endif error = ip_output(m, inp->inp_options, &inp->inp_route, flags, - inp->inp_moptions, inp->inp_seclevel, 0); + inp->inp_moptions, &inp->inp_seclevel, 0); return (error); } diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 8a64d59fec3..328521d6f01 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.404 2024/04/13 23:44:11 jsg Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.405 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -590,7 +590,7 @@ findpcb: &tdbi->dst, tdbi->proto); } error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN, - tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL); + tdb, inp ? &inp->inp_seclevel : NULL, NULL, NULL); tdb_unref(tdb); if (error) { tcpstat_inc(tcps_rcvnosec); @@ -3541,8 +3541,7 @@ syn_cache_get(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th, * from the old pcb. Ditto for any other * IPsec-related information. */ - memcpy(inp->inp_seclevel, oldinp->inp_seclevel, - sizeof(oldinp->inp_seclevel)); + inp->inp_seclevel = oldinp->inp_seclevel; #endif /* IPSEC */ #ifdef INET6 if (ISSET(inp->inp_flags, INP_IPV6)) { @@ -4150,7 +4149,7 @@ syn_cache_respond(struct syn_cache *sc, struct mbuf *m, uint64_t now) error = ip_output(m, sc->sc_ipopts, &sc->sc_route, (ip_mtudisc ? IP_MTUDISC : 0), NULL, - inp ? inp->inp_seclevel : NULL, 0); + inp ? &inp->inp_seclevel : NULL, 0); break; #ifdef INET6 case AF_INET6: 
@@ -4161,7 +4160,7 @@ syn_cache_respond(struct syn_cache *sc, struct mbuf *m, uint64_t now) /* leave flowlabel = 0, it is legal and require no state mgmt */ error = ip6_output(m, NULL /*XXX*/, &sc->sc_route, 0, - NULL, inp ? inp->inp_seclevel : NULL); + NULL, inp ? &inp->inp_seclevel : NULL); break; #endif } diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index cd21dfe9cff..c695cb0d55d 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_output.c,v 1.143 2024/02/13 12:22:09 bluhm Exp $ */ +/* $OpenBSD: tcp_output.c,v 1.144 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */ /* @@ -1090,7 +1090,7 @@ send: error = ip_output(m, tp->t_inpcb->inp_options, &tp->t_inpcb->inp_route, (ip_mtudisc ? IP_MTUDISC : 0), NULL, - tp->t_inpcb->inp_seclevel, 0); + &tp->t_inpcb->inp_seclevel, 0); break; #ifdef INET6 case AF_INET6: @@ -1110,7 +1110,7 @@ send: } error = ip6_output(m, tp->t_inpcb->inp_outputopts6, &tp->t_inpcb->inp_route, 0, NULL, - tp->t_inpcb->inp_seclevel); + &tp->t_inpcb->inp_seclevel); break; #endif /* INET6 */ } diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 61cd51830d6..851e23f54bb 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_subr.c,v 1.200 2024/04/12 16:07:09 bluhm Exp $ */ +/* $OpenBSD: tcp_subr.c,v 1.201 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */ /* @@ -406,7 +406,7 @@ tcp_respond(struct tcpcb *tp, caddr_t template, struct tcphdr *th0, ip6_output(m, tp ? tp->t_inpcb->inp_outputopts6 : NULL, tp ? &tp->t_inpcb->inp_route : NULL, 0, NULL, - tp ? tp->t_inpcb->inp_seclevel : NULL); + tp ? &tp->t_inpcb->inp_seclevel : NULL); break; #endif /* INET6 */ case AF_INET: 
@@ -416,7 +416,7 @@ tcp_respond(struct tcpcb *tp, caddr_t template, struct tcphdr *th0, ip_output(m, NULL, tp ? &tp->t_inpcb->inp_route : NULL, ip_mtudisc ? IP_MTUDISC : 0, NULL, - tp ? tp->t_inpcb->inp_seclevel : NULL, 0); + tp ? &tp->t_inpcb->inp_seclevel : NULL, 0); break; } } diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 0a9c1afb5f4..ecf2a90818f 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.319 2024/04/12 16:07:09 bluhm Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.320 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -562,7 +562,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af) } else tdb = NULL; error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN, - tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL); + tdb, inp ? &inp->inp_seclevel : NULL, NULL, NULL); if (error) { udpstat_inc(udps_nosec); tdb_unref(tdb); @@ -1084,7 +1084,7 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct mbuf *addr, error = ip_output(m, inp->inp_options, &inp->inp_route, (inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions, - inp->inp_seclevel, ipsecflowinfo); + &inp->inp_seclevel, ipsecflowinfo); bail: m_freem(control); diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 99d494df528..c65bfd0b9f4 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_output.c,v 1.290 2024/04/16 12:56:39 bluhm Exp $ */ +/* $OpenBSD: ip6_output.c,v 1.291 2024/04/17 20:48:51 bluhm Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* 
@@ -161,7 +161,7 @@ struct idgen32_ctx ip6_id_ctx; */ int ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route *ro, - int flags, struct ip6_moptions *im6o, const u_char seclevel[]) + int flags, struct ip6_moptions *im6o, const struct ipsec_level *seclevel) { struct ip6_hdr *ip6; struct ifnet *ifp = NULL; @@ -1326,7 +1326,7 @@ do { \ error = EACCES; break; } - inp->inp_seclevel[SL_AUTH] = optval; + inp->inp_seclevel.sl_auth = optval; break; case IPV6_ESP_TRANS_LEVEL: @@ -1335,7 +1335,7 @@ do { \ error = EACCES; break; } - inp->inp_seclevel[SL_ESP_TRANS] = optval; + inp->inp_seclevel.sl_esp_trans = optval; break; case IPV6_ESP_NETWORK_LEVEL: @@ -1344,7 +1344,7 @@ do { \ error = EACCES; break; } - inp->inp_seclevel[SL_ESP_NETWORK] = optval; + inp->inp_seclevel.sl_esp_network = optval; break; case IPV6_IPCOMP_LEVEL: @@ -1353,7 +1353,7 @@ do { \ error = EACCES; break; } - inp->inp_seclevel[SL_IPCOMP] = optval; + inp->inp_seclevel.sl_ipcomp = optval; break; } #endif @@ -1548,21 +1548,21 @@ do { \ m->m_len = sizeof(int); switch (optname) { case IPV6_AUTH_LEVEL: - optval = inp->inp_seclevel[SL_AUTH]; + optval = inp->inp_seclevel.sl_auth; break; case IPV6_ESP_TRANS_LEVEL: optval = - inp->inp_seclevel[SL_ESP_TRANS]; + inp->inp_seclevel.sl_esp_trans; break; case IPV6_ESP_NETWORK_LEVEL: optval = - inp->inp_seclevel[SL_ESP_NETWORK]; + inp->inp_seclevel.sl_esp_network; break; case IPV6_IPCOMP_LEVEL: - optval = inp->inp_seclevel[SL_IPCOMP]; + optval = inp->inp_seclevel.sl_ipcomp; break; } *mtod(m, int *) = optval; @@ -2730,7 +2730,7 @@ in6_proto_cksum_out(struct mbuf *m, struct ifnet *ifp) #ifdef IPSEC int -ip6_output_ipsec_lookup(struct mbuf *m, const u_char seclevel[], +ip6_output_ipsec_lookup(struct mbuf *m, const struct ipsec_level *seclevel, struct tdb **tdbout) { struct tdb *tdb; diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h index 1b9ae82c482..986bc45e51d 100644 --- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_var.h,v 1.115 2024/04/16 12:56:39 bluhm Exp $ */ +/* $OpenBSD: ip6_var.h,v 1.116 2024/04/17 20:48:51 bluhm Exp $ */ /* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */ /* @@ -302,6 +302,7 @@ extern uint8_t ip6_soiikey[IP6_SOIIKEY_LEN]; extern const struct pr_usrreqs rip6_usrreqs; struct inpcb; +struct ipsec_level; int icmp6_ctloutput(int, struct socket *, int, int, struct mbuf *); @@ -324,7 +325,7 @@ void ip6_forward(struct mbuf *, struct route *, int); void ip6_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in6 *); int ip6_output(struct mbuf *, struct ip6_pktopts *, struct route *, int, - struct ip6_moptions *, const u_char[]); + struct ip6_moptions *, const struct ipsec_level *); int ip6_fragment(struct mbuf *, struct mbuf_list *, int, u_char, u_long); int ip6_ctloutput(int, struct socket *, int, int, struct mbuf *); int ip6_raw_ctloutput(int, struct socket *, int, int, struct mbuf *); @@ -376,7 +377,8 @@ u_int32_t ip6_randomflowlabel(void); #ifdef IPSEC struct tdb; -int ip6_output_ipsec_lookup(struct mbuf *, const u_char[], struct tdb **); +int ip6_output_ipsec_lookup(struct mbuf *, const struct ipsec_level *, + struct tdb **); int ip6_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int, int); #endif /* IPSEC */ diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index 5804af2624f..c16c69d53b5 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip6.c,v 1.183 2024/04/16 12:40:40 bluhm Exp $ */ +/* $OpenBSD: raw_ip6.c,v 1.184 2024/04/17 20:48:51 bluhm Exp $ */ /* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */ /* 
@@ -521,7 +521,7 @@ rip6_output(struct mbuf *m, struct socket *so, struct sockaddr *dstaddr, #endif error = ip6_output(m, optp, &inp->inp_route, flags, - inp->inp_moptions6, inp->inp_seclevel); + inp->inp_moptions6, &inp->inp_seclevel); if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) { icmp6stat_inc(icp6s_outhist + type); } else diff --git a/sys/netinet6/udp6_output.c b/sys/netinet6/udp6_output.c index 324092ce7dd..55485d6950a 100644 --- a/sys/netinet6/udp6_output.c +++ b/sys/netinet6/udp6_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp6_output.c,v 1.64 2024/02/13 12:22:09 bluhm Exp $ */ +/* $OpenBSD: udp6_output.c,v 1.65 2024/04/17 20:48:51 bluhm Exp $ */ /* $KAME: udp6_output.c,v 1.21 2001/02/07 11:51:54 itojun Exp $ */ /* @@ -233,7 +233,7 @@ udp6_output(struct inpcb *inp, struct mbuf *m, struct mbuf *addr6, #endif error = ip6_output(m, optp, &inp->inp_route, - flags, inp->inp_moptions6, inp->inp_seclevel); + flags, inp->inp_moptions6, &inp->inp_seclevel); goto releaseopt; release: diff --git a/usr.bin/netstat/inet.c b/usr.bin/netstat/inet.c index a5bcd793822..88d37be055e 100644 --- a/usr.bin/netstat/inet.c +++ b/usr.bin/netstat/inet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: inet.c,v 1.181 2024/02/13 12:22:09 bluhm Exp $ */ +/* $OpenBSD: inet.c,v 1.182 2024/04/17 20:48:51 bluhm Exp $ */ /* $NetBSD: inet.c,v 1.14 1995/10/03 21:42:37 thorpej Exp $ */ /* @@ -1489,10 +1489,10 @@ inpcb_dump(u_long off, short protocol, int af) printf("ro_dst %s\n ", raddr); p("%#.8x", inp_flags, "\n "); p("%d", inp_hops, "\n "); - p("%u", inp_seclevel[0], ", "); - p("%u", inp_seclevel[1], ", "); - p("%u", inp_seclevel[2], ", "); - p("%u", inp_seclevel[3], "\n "); + p("%u", inp_seclevel.sl_auth, ", "); + p("%u", inp_seclevel.sl_esp_trans, ", "); + p("%u", inp_seclevel.sl_esp_network, ", "); + p("%u", inp_seclevel.sl_ipcomp, "\n "); p("%u", inp_ip_minttl, "\n "); p("%d", inp_cksum6, "\n "); pp("%p", inp_icmp6filt, "\n "); -- 2.20.1