From f387735cee371e3eb6a4188ba79f2d4ae70d2157 Mon Sep 17 00:00:00 2001 From: markus Date: Thu, 16 Apr 2015 19:18:10 +0000 Subject: [PATCH] change {import,export}_identity so it can be used for policies; ok mikeb (fixes sadb_ident_type conversion for policies) --- sys/net/pfkeyv2.c | 79 +++++++++------------------------------ sys/net/pfkeyv2.h | 6 +-- sys/net/pfkeyv2_convert.c | 19 ++-------- 3 files changed, 23 insertions(+), 81 deletions(-) diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index b29f50e0c88..1f70ebaf119 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.141 2015/04/14 12:22:15 mikeb Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.142 2015/04/16 19:18:10 markus Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -616,13 +616,13 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer, int *lenp) /* Export source identity, if present */ if (sa->tdb_srcid) { headers[SADB_EXT_IDENTITY_SRC] = p; - export_identity(&p, sa, PFKEYV2_IDENTITY_SRC); + export_identity(&p, &sa->tdb_srcid); } /* Export destination identity, if present */ if (sa->tdb_dstid) { headers[SADB_EXT_IDENTITY_DST] = p; - export_identity(&p, sa, PFKEYV2_IDENTITY_DST); + export_identity(&p, &sa->tdb_dstid); } /* Export authentication key, if present */ @@ -995,10 +995,10 @@ pfkeyv2_send(struct socket *socket, void *message, int len) PFKEYV2_AUTHENTICATION_KEY); import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], PFKEYV2_ENCRYPTION_KEY); - import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], - PFKEYV2_IDENTITY_SRC); - import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], - PFKEYV2_IDENTITY_DST); + import_identity(&newsa->tdb_srcid, + headers[SADB_EXT_IDENTITY_SRC]); + import_identity(&newsa->tdb_dstid, + headers[SADB_EXT_IDENTITY_DST]); import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK], @@ -1151,10 +1151,10 @@ pfkeyv2_send(struct socket *socket, void *message, int len) import_key(&ii, headers[SADB_EXT_KEY_ENCRYPT], PFKEYV2_ENCRYPTION_KEY); - import_identity(newsa, headers[SADB_EXT_IDENTITY_SRC], - PFKEYV2_IDENTITY_SRC); - import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], - PFKEYV2_IDENTITY_DST); + import_identity(&newsa->tdb_srcid, + headers[SADB_EXT_IDENTITY_SRC]); + import_identity(&newsa->tdb_dstid, + headers[SADB_EXT_IDENTITY_DST]); import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask, headers[SADB_X_EXT_SRC_FLOW], @@ -1623,11 +1623,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len) } if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL) { - int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - - sizeof(struct sadb_ident); - - ipo->ipo_srcid = malloc(clen + sizeof(struct ipsec_ref), - M_CREDENTIALS, M_NOWAIT); + import_identity(&ipo->ipo_srcid, sid); if (ipo->ipo_srcid == NULL) { if (exists) ipsec_delete_policy(ipo); @@ -1637,19 +1633,10 @@ pfkeyv2_send(struct socket *socket, void *message, int len) rval = ENOBUFS; goto ret; } - ipo->ipo_srcid->ref_type = sid->sadb_ident_type; - ipo->ipo_srcid->ref_len = clen; - ipo->ipo_srcid->ref_count = 1; - ipo->ipo_srcid->ref_malloctype = M_CREDENTIALS; - bcopy(sid + 1, ipo->ipo_srcid + 1, ipo->ipo_srcid->ref_len); } if ((sid = headers[SADB_EXT_IDENTITY_DST]) != NULL) { - int clen = (sid->sadb_ident_len * sizeof(u_int64_t)) - - sizeof(struct sadb_ident); - - ipo->ipo_dstid = malloc(clen + sizeof(struct ipsec_ref), - M_CREDENTIALS, M_NOWAIT); + import_identity(&ipo->ipo_dstid, sid); if (ipo->ipo_dstid == NULL) { if (exists) ipsec_delete_policy(ipo); @@ -1663,12 +1650,6 @@ pfkeyv2_send(struct socket *socket, void *message, int len) rval = ENOBUFS; goto ret; } - ipo->ipo_dstid->ref_type = sid->sadb_ident_type; - ipo->ipo_dstid->ref_len = clen; - ipo->ipo_dstid->ref_count = 1; - ipo->ipo_dstid->ref_malloctype = M_CREDENTIALS; - bcopy(sid + 1, ipo->ipo_dstid + 1, - ipo->ipo_dstid->ref_len); } /* Flow type */ @@ -1808,7 +1789,6 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, union sockaddr_union *laddr, u_int32_t *seq, struct sockaddr_encap *ddst) { void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL; - struct sadb_ident *srcid, *dstid; struct sadb_comb *sadb_comb; struct sadb_address *sadd; struct sadb_prop *sa_prop; @@ -1883,24 +1863,12 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw, if (ipo->ipo_srcid) { headers[SADB_EXT_IDENTITY_SRC] = p; - p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); - srcid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_SRC]; - srcid->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(ipo->ipo_srcid->ref_len)) / sizeof(u_int64_t); - srcid->sadb_ident_type = ipo->ipo_srcid->ref_type; - bcopy(ipo->ipo_srcid + 1, headers[SADB_EXT_IDENTITY_SRC] + - sizeof(struct sadb_ident), ipo->ipo_srcid->ref_len); + export_identity(&p, &ipo->ipo_srcid); } if (ipo->ipo_dstid) { headers[SADB_EXT_IDENTITY_DST] = p; - p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); - dstid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_DST]; - dstid->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(ipo->ipo_dstid->ref_len)) / sizeof(u_int64_t); - dstid->sadb_ident_type = ipo->ipo_dstid->ref_type; - bcopy(ipo->ipo_dstid + 1, headers[SADB_EXT_IDENTITY_DST] + - sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); + export_identity(&p, &ipo->ipo_dstid); } headers[SADB_EXT_PROPOSAL] = p; @@ -2179,7 +2147,6 @@ int pfkeyv2_dump_policy(struct ipsec_policy *ipo, void **headers, void **buffer, int *lenp) { - struct sadb_ident *ident; int i, rval, perm; void *p; @@ -2277,23 +2244,11 @@ pfkeyv2_dump_policy(struct ipsec_policy *ipo, void **headers, void **buffer, perm = suser(curproc, 0); if (perm == 0 && ipo->ipo_srcid) { headers[SADB_EXT_IDENTITY_SRC] = p; - p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid->ref_len); - ident = (struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC]; - ident->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(ipo->ipo_srcid->ref_len)) / sizeof(uint64_t); - ident->sadb_ident_type = ipo->ipo_srcid->ref_type; - bcopy(ipo->ipo_srcid + 1, headers[SADB_EXT_IDENTITY_SRC] + - sizeof(struct sadb_ident), ipo->ipo_srcid->ref_len); + export_identity(&p, &ipo->ipo_srcid); } if (perm == 0 && ipo->ipo_dstid) { headers[SADB_EXT_IDENTITY_DST] = p; - p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid->ref_len); - ident = (struct sadb_ident *)headers[SADB_EXT_IDENTITY_DST]; - ident->sadb_ident_len = (sizeof(struct sadb_ident) + - PADUP(ipo->ipo_dstid->ref_len)) / sizeof(uint64_t); - ident->sadb_ident_type = ipo->ipo_dstid->ref_type; - bcopy(ipo->ipo_dstid + 1, headers[SADB_EXT_IDENTITY_DST] + - sizeof(struct sadb_ident), ipo->ipo_dstid->ref_len); + export_identity(&p, &ipo->ipo_dstid); } rval = 0; diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index 7ffab950ab8..e7e87b27786 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.h,v 1.66 2015/04/14 12:22:15 mikeb Exp $ */ +/* $OpenBSD: pfkeyv2.h,v 1.67 2015/04/16 19:18:10 markus Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) January 1998 * @@ -425,7 +425,7 @@ int pfkeyv2_sysctl_policydumper(struct ipsec_policy *, void *); int pfdatatopacket(void *, int, struct mbuf **); void export_address(void **, struct sockaddr *); -void export_identity(void **, struct tdb *, int); +void export_identity(void **, struct ipsec_ref **); void export_lifetime(void **, struct tdb *, int); void export_sa(void **, struct tdb *); void export_flow(void **, u_int8_t, struct sockaddr_encap *, @@ -436,7 +436,7 @@ void export_tag(void **, struct tdb *); void export_tap(void **, struct tdb *); void import_address(struct sockaddr *, struct sadb_address *); -void import_identity(struct tdb *, struct sadb_ident *, int); +void import_identity(struct ipsec_ref **, struct sadb_ident *); void import_key(struct ipsecinit *, struct sadb_key *, int); void import_lifetime(struct tdb *, struct sadb_lifetime *, int); void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *); diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c index 08cf583aa04..1de21367eb4 100644 --- a/sys/net/pfkeyv2_convert.c +++ b/sys/net/pfkeyv2_convert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_convert.c,v 1.48 2015/04/14 12:22:15 mikeb Exp $ */ +/* $OpenBSD: pfkeyv2_convert.c,v 1.49 2015/04/16 19:18:10 markus Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@keromytis.org) * @@ -703,18 +703,11 @@ export_address(void **p, struct sockaddr *sa) * Import an identity payload into the TDB. */ void -import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) +import_identity(struct ipsec_ref **ipr, struct sadb_ident *sadb_ident) { - struct ipsec_ref **ipr; - if (!sadb_ident) return; - if (type == PFKEYV2_IDENTITY_SRC) - ipr = &tdb->tdb_srcid; - else - ipr = &tdb->tdb_dstid; - *ipr = malloc(EXTLEN(sadb_ident) - sizeof(struct sadb_ident) + sizeof(struct ipsec_ref), M_CREDENTIALS, M_WAITOK); (*ipr)->ref_len = EXTLEN(sadb_ident) - sizeof(struct sadb_ident); @@ -744,16 +737,10 @@ import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) } void -export_identity(void **p, struct tdb *tdb, int type) +export_identity(void **p, struct ipsec_ref **ipr) { - struct ipsec_ref **ipr; struct sadb_ident *sadb_ident = (struct sadb_ident *) *p; - if (type == PFKEYV2_IDENTITY_SRC) - ipr = &tdb->tdb_srcid; - else - ipr = &tdb->tdb_dstid; - sadb_ident->sadb_ident_len = (sizeof(struct sadb_ident) + PADUP((*ipr)->ref_len)) / sizeof(uint64_t); -- 2.20.1