svn commit: r310400 - projects/ipsec/sys/netinet
Andrey V. Elsukov
ae at FreeBSD.org
Thu Dec 22 14:01:40 UTC 2016
Author: ae
Date: Thu Dec 22 14:01:39 2016
New Revision: 310400
URL: https://svnweb.freebsd.org/changeset/base/310400
Log:
Convert TCP code to use IPsec methods.
Modified:
projects/ipsec/sys/netinet/tcp_input.c
projects/ipsec/sys/netinet/tcp_output.c
projects/ipsec/sys/netinet/tcp_subr.c
projects/ipsec/sys/netinet/tcp_syncache.c
projects/ipsec/sys/netinet/tcp_usrreq.c
Modified: projects/ipsec/sys/netinet/tcp_input.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_input.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_input.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -120,10 +120,7 @@ __FBSDID("$FreeBSD$");
#include <netinet/tcp_offload.h>
#endif
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#include <netipsec/ipsec6.h>
-#endif /*IPSEC*/
+#include <netipsec/ipsec_support.h>
#include <machine/in_cksum.h>
@@ -927,13 +924,15 @@ findpcb:
inp->inp_flowid = m->m_pkthdr.flowid;
inp->inp_flowtype = M_HASHTYPE_GET(m);
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
#ifdef INET6
- if (isipv6 && ipsec6_in_reject(m, inp)) {
+ if (isipv6 && IPSEC_ENABLED(ipv6) &&
+ IPSEC_CHECK_POLICY(ipv6, m, inp) != 0) {
goto dropunlock;
} else
#endif /* INET6 */
- if (ipsec4_in_reject(m, inp) != 0) {
+ if (IPSEC_ENABLED(ipv4) &&
+ IPSEC_CHECK_POLICY(ipv4, m, inp) != 0) {
goto dropunlock;
}
#endif /* IPSEC */
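Review bot: The `else` after the IPv6 branch attaches to the whole conjunction, so an IPv6 segment whose IPv6 policy check passes (or is skipped because `IPSEC_ENABLED(ipv6)` is false) falls through into the IPv4 branch and `IPSEC_CHECK_POLICY(ipv4, m, inp)` is evaluated on an IPv6 mbuf. The pre-commit code had the same shape with `ipsec6_in_reject`/`ipsec4_in_reject`, so this is not a regression, but if the ipv4 method builds its SPD index from an IPv4 header it could reject or miss policy for v6 traffic — worth confirming against the ipv4 method before leaving it. Nesting the v6 check inside `if (isipv6)` keeps the `#ifdef INET6` layout while making the two branches exclusive. The tcp_output.c `ipsec_optlen` hunk has the same else-chain, though there it only bites if v6 IPsec can be disabled while v4 is enabled.
```c
#ifdef INET6
	if (isipv6) {
		if (IPSEC_ENABLED(ipv6) &&
		    IPSEC_CHECK_POLICY(ipv6, m, inp) != 0)
			goto dropunlock;
	} else
#endif /* INET6 */
	if (IPSEC_ENABLED(ipv4) &&
	    IPSEC_CHECK_POLICY(ipv4, m, inp) != 0) {
		goto dropunlock;
	}
```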
@@ -1408,14 +1407,15 @@ tfo_socket_result:
*/
goto dropunlock;
}
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if (tp->t_flags & TF_SIGNATURE) {
tcp_dooptions(&to, optp, optlen, thflags);
if ((to.to_flags & TOF_SIGNATURE) == 0) {
TCPSTAT_INC(tcps_sig_err_nosigopt);
goto dropunlock;
}
- if (tcp_ipsec_input(m, th, to.to_signature) != 0)
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to.to_signature) != 0)
goto dropunlock;
}
#endif
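Review bot: Dropping the segment on `!TCPMD5_ENABLED()` is the right fail-closed choice, but nothing says so; a reader who has just seen `tcp_dooptions()` confirm the option is present may take the unconditional drop for a bug. Suggest a comment above the `if`: `/* No TCP-MD5 provider loaded: fail closed, a TF_SIGNATURE socket never accepts an unverified segment. */`. The same undocumented pattern appears in tcp_respond (tcp_subr.c), syncache_expand and syncache_add (tcp_syncache.c) and on the output side in tcp_output.c and syncache_respond; one comment per site, or a single note beside the TCPMD5_* macros in ipsec_support.h, would cover them.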
@@ -1595,7 +1595,7 @@ tcp_do_segment(struct mbuf *m, struct tc
(th->th_off << 2) - sizeof(struct tcphdr),
(thflags & TH_SYN) ? TO_SYN : 0);
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if ((tp->t_flags & TF_SIGNATURE) != 0 &&
(to.to_flags & TOF_SIGNATURE) == 0) {
TCPSTAT_INC(tcps_sig_err_sigopt);
Modified: projects/ipsec/sys/netinet/tcp_output.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_output.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_output.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -90,9 +90,7 @@ __FBSDID("$FreeBSD$");
#include <netinet/tcp_offload.h>
#endif
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#endif /*IPSEC*/
+#include <netipsec/ipsec_support.h>
#include <machine/in_cksum.h>
@@ -200,7 +198,7 @@ tcp_output(struct tcpcb *tp)
struct tcphdr *th;
u_char opt[TCP_MAXOLEN];
unsigned ipoptlen, optlen, hdrlen;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
unsigned ipsec_optlen = 0;
#endif
int idle, sendalot;
@@ -546,17 +544,23 @@ after_sack_rexmit:
* makes it impossible to transmit any options which vary per generated
* segment or packet.
*/
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
/*
* Pre-calculate here as we save another lookup into the darknesses
* of IPsec that way and can actually decide if TSO is ok.
*/
- ipsec_optlen = ipsec_hdrsiz_inpcb(tp->t_inpcb);
+#ifdef INET6
+ if (isipv6 && IPSEC_ENABLED(ipv6))
+ ipsec_optlen = IPSEC_HDRSIZE(ipv6, tp->t_inpcb);
+ else
+#endif
+ if (IPSEC_ENABLED(ipv4))
+ ipsec_optlen = IPSEC_HDRSIZE(ipv4, tp->t_inpcb);
#endif
if ((tp->t_flags & TF_TSO) && V_tcp_do_tso && len > tp->t_maxseg &&
((tp->t_flags & TF_SIGNATURE) == 0) &&
tp->rcv_numsacks == 0 && sack_rxmit == 0 &&
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
ipsec_optlen == 0 &&
#endif
tp->t_inpcb->inp_options == NULL &&
@@ -823,7 +827,7 @@ send:
to.to_sacks = (u_char *)tp->sackblks;
}
}
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/* TCP-MD5 (RFC2385). */
/*
* Check that TCP_MD5SIG is enabled in tcpcb to
@@ -847,7 +851,7 @@ send:
offsetof(struct ipoption, ipopt_list);
else
ipoptlen = 0;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
ipoptlen += ipsec_optlen;
#endif
@@ -1262,7 +1266,7 @@ send:
m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */
m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if (to.to_flags & TOF_SIGNATURE) {
/*
* Calculate MD5 signature and put it into the place
@@ -1270,8 +1274,8 @@ send:
* NOTE: since TCP options buffer doesn't point into
* mbuf's data, calculate offset and use it.
*/
- if ((error = tcp_ipsec_output(m, th, (u_char *)(th + 1) +
- (to.to_signature - opt))) != 0) {
+ if (!TCPMD5_ENABLED() || TCPMD5_OUTPUT(m, th,
+ (u_char *)(th + 1) + (to.to_signature - opt)) != 0) {
/*
* Do not send segment if the calculation of MD5
* digest has failed.
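Review bot: `error` is no longer assigned on the signature-failure path: the old code stored the result of `tcp_ipsec_output()` in it, whereas the new condition discards the return of `TCPMD5_OUTPUT()` and sets nothing at all when `!TCPMD5_ENABLED()`. The failure handling continues outside the hunk; if it frees the mbuf and leaves through the `out:` path that returns `error`, tcp_output() would report success for a segment it silently dropped. Suggest `if (!TCPMD5_ENABLED() || (error = TCPMD5_OUTPUT(m, th, (u_char *)(th + 1) + (to.to_signature - opt))) != 0) {` plus an explicit errno for the provider-missing case; the syncache_respond hunk in this same commit returns EACCES in that situation.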
@@ -1317,7 +1321,7 @@ send:
m->m_pkthdr.tso_segsz = tp->t_maxseg - optlen;
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
KASSERT(len + hdrlen + ipoptlen - ipsec_optlen == m_length(m, NULL),
("%s: mbuf chain shorter than expected: %d + %u + %u - %u != %u",
__func__, len, hdrlen, ipoptlen, ipsec_optlen, m_length(m, NULL)));
Modified: projects/ipsec/sys/netinet/tcp_subr.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_subr.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_subr.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -118,15 +118,7 @@ __FBSDID("$FreeBSD$");
#include <netinet/tcp_offload.h>
#endif
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#include <netipsec/xform.h>
-#ifdef INET6
-#include <netipsec/ipsec6.h>
-#endif
-#include <netipsec/key.h>
-#include <sys/syslog.h>
-#endif /*IPSEC*/
+#include <netipsec/ipsec_support.h>
#include <machine/in_cksum.h>
#include <sys/md5.h>
@@ -1058,12 +1050,11 @@ tcp_respond(struct tcpcb *tp, void *ipge
to.to_tsecr = tp->ts_recent;
to.to_flags |= TOF_TS;
}
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/* TCP-MD5 (RFC2385). */
if (tp->t_flags & TF_SIGNATURE)
to.to_flags |= TOF_SIGNATURE;
#endif
-
/* Add the options. */
tlen += optlen = tcp_addoptions(&to, optp);
@@ -1119,9 +1110,10 @@ tcp_respond(struct tcpcb *tp, void *ipge
nth->th_win = htons((u_short)win);
nth->th_urp = 0;
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if (to.to_flags & TOF_SIGNATURE) {
- if (tcp_ipsec_output(m, nth, to.to_signature) != 0) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_OUTPUT(m, nth, to.to_signature) != 0) {
m_freem(m);
return;
}
@@ -2498,7 +2490,7 @@ tcp_maxseg(const struct tcpcb *tp)
optlen = TCPOLEN_TSTAMP_APPA;
else
optlen = 0;
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if (tp->t_flags & TF_SIGNATURE)
optlen += PAD(TCPOLEN_SIGNATURE);
#endif
@@ -2514,7 +2506,7 @@ tcp_maxseg(const struct tcpcb *tp)
optlen = PAD(TCPOLEN_MAXSEG);
if (tp->t_flags & TF_REQ_SCALE)
optlen += PAD(TCPOLEN_WINDOW);
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if (tp->t_flags & TF_SIGNATURE)
optlen += PAD(TCPOLEN_SIGNATURE);
#endif
Modified: projects/ipsec/sys/netinet/tcp_syncache.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_syncache.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_syncache.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -96,13 +96,7 @@ __FBSDID("$FreeBSD$");
#include <netinet/toecore.h>
#endif
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#ifdef INET6
-#include <netipsec/ipsec6.h>
-#endif
-#include <netipsec/key.h>
-#endif /*IPSEC*/
+#include <netipsec/ipsec_support.h>
#include <machine/in_cksum.h>
@@ -736,7 +730,7 @@ syncache_socket(struct syncache *sc, str
INP_HASH_WUNLOCK(&V_tcbinfo);
goto abort;
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
/* Copy old policy into new socket's. */
if (ipsec_copy_pcbpolicy(sotoinpcb(lso), inp) != 0)
printf("syncache_socket: could not copy policy\n");
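Review bot: `ipsec_copy_pcbpolicy()` stays a direct call while every other IPsec entry point in this commit is routed through the `IPSEC_*`/`TCPMD5_*` method macros; unless it lives in the part of netipsec that is always linked under IPSEC_SUPPORT, a kernel built with IPSEC_SUPPORT and no IPsec module would fail to link here — worth confirming. Separately, and pre-existing, a failed copy only prints and the new connection proceeds without the listener's policy, which is a fail-open outcome for a security setting. Consider whether this should take the `goto abort` path like the INP_HASH failure just above it, or at least record the decision: `/* NOTE(review): on failure the new socket does not inherit the listener's policy — confirm this is intended. */`.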
@@ -872,7 +866,7 @@ syncache_socket(struct syncache *sc, str
tp->ts_recent_age = tcp_ts_getticks();
tp->ts_offset = sc->sc_tsoff;
}
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if (sc->sc_flags & SCF_SIGNATURE)
tp->t_flags |= TF_SIGNATURE;
#endif
@@ -996,10 +990,11 @@ syncache_expand(struct in_conninfo *inc,
"(probably spoofed)\n", s, __func__);
goto failed;
}
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/* If received ACK has MD5 signature, check it. */
if ((to->to_flags & TOF_SIGNATURE) != 0 &&
- tcp_ipsec_input(m, th, to->to_signature) != 0) {
+ (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0)) {
/* Drop the ACK. */
if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
log(LOG_DEBUG, "%s; %s: Segment rejected, "
@@ -1012,7 +1007,7 @@ syncache_expand(struct in_conninfo *inc,
}
#endif /* TCP_SIGNATURE */
} else {
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/*
* If listening socket requested TCP digests, check that
* received ACK has signature and it is correct.
@@ -1032,7 +1027,8 @@ syncache_expand(struct in_conninfo *inc,
}
return (-1); /* Do not send RST */
}
- if (tcp_ipsec_input(m, th, to->to_signature) != 0) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0) {
/* Doesn't match or no SA */
SCH_UNLOCK(sch);
if ((s = tcp_log_addrs(inc, th, NULL, NULL))) {
@@ -1315,7 +1311,7 @@ syncache_add(struct in_conninfo *inc, st
ipopts = NULL;
#endif
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/*
* If listening socket requested TCP digests, check that received
* SYN has signature and it is correct. If signature doesn't match
@@ -1326,7 +1322,8 @@ syncache_add(struct in_conninfo *inc, st
TCPSTAT_INC(tcps_sig_err_nosigopt);
goto done;
}
- if (tcp_ipsec_input(m, th, to->to_signature) != 0)
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0)
goto done;
}
#endif /* TCP_SIGNATURE */
@@ -1505,7 +1502,7 @@ skip_alloc:
sc->sc_flags |= SCF_WINSCALE;
}
}
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/*
* If listening socket requested TCP digests, flag this in the
* syncache so that syncache_respond() will do the right thing
@@ -1712,7 +1709,7 @@ syncache_respond(struct syncache *sc, st
}
if (sc->sc_flags & SCF_SACK)
to.to_flags |= TOF_SACKPERM;
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if (sc->sc_flags & SCF_SIGNATURE)
to.to_flags |= TOF_SIGNATURE;
#endif
@@ -1737,13 +1734,14 @@ syncache_respond(struct syncache *sc, st
else
#endif
ip->ip_len = htons(ntohs(ip->ip_len) + optlen);
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
if (sc->sc_flags & SCF_SIGNATURE) {
KASSERT(to.to_flags & TOF_SIGNATURE,
("tcp_addoptions() didn't set tcp_signature"));
/* NOTE: to.to_signature is inside of mbuf */
- if (tcp_ipsec_output(m, th, to.to_signature) != 0) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_OUTPUT(m, th, to.to_signature) != 0) {
m_freem(m);
return (EACCES);
}
Modified: projects/ipsec/sys/netinet/tcp_usrreq.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_usrreq.c Thu Dec 22 13:58:29 2016 (r310399)
+++ projects/ipsec/sys/netinet/tcp_usrreq.c Thu Dec 22 14:01:39 2016 (r310400)
@@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$");
#include "opt_ddb.h"
#include "opt_inet.h"
#include "opt_inet6.h"
+#include "opt_ipsec.h"
#include "opt_tcpdebug.h"
#include <sys/param.h>
@@ -101,9 +102,7 @@ __FBSDID("$FreeBSD$");
#ifdef TCP_OFFLOAD
#include <netinet/tcp_offload.h>
#endif
-#ifdef TCP_SIGNATURE
-#include <netipsec/ipsec.h>
-#endif
+#include <netipsec/ipsec_support.h>
/*
* TCP protocol interface to socket abstraction.
@@ -1555,13 +1554,17 @@ tcp_default_ctloutput(struct socket *so,
switch (sopt->sopt_dir) {
case SOPT_SET:
switch (sopt->sopt_name) {
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
case TCP_MD5SIG:
- error = tcp_ipsec_pcbctl(inp, sopt);
+ if (!TCPMD5_ENABLED()) {
+ INP_WUNLOCK(inp);
+ return (ENOPROTOOPT);
+ }
+ error = TCPMD5_PCBCTL(inp, sopt);
if (error)
return (error);
goto unlock_and_done;
-#endif /* TCP_SIGNATURE */
+#endif /* IPSEC */
case TCP_NODELAY:
case TCP_NOOPT:
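Review bot: The two error exits in the TCP_MD5SIG case now have different locking: the new `!TCPMD5_ENABLED()` branch drops the INP lock itself, while `if (error) return (error);` still relies on `TCPMD5_PCBCTL()` having released it, as `tcp_ipsec_pcbctl()` presumably did before. That contract is invisible here; a comment on the call, `/* TCPMD5_PCBCTL() drops the inp lock on error and keeps it held on success. */`, would keep the next reader from adding a second unlock or missing one. The closing comment was also changed to `#endif /* IPSEC */`, which names neither macro in the `#if`; `#endif /* IPSEC_SUPPORT || TCP_SIGNATURE */` would match, and the unchanged `#endif /* TCP_SIGNATURE */` lines in tcp_syncache.c and `#endif /* IPSEC */` in tcp_input.c have the same drift. The SOPT_GET hunk below repeats the lock pattern but is cut off in this view.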
@@ -1787,9 +1790,13 @@ unlock_and_done:
case SOPT_GET:
tp = intotcpcb(inp);
switch (sopt->sopt_name) {
-#ifdef TCP_SIGNATURE
+#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
case TCP_MD5SIG:
- error = tcp_ipsec_pcbctl(inp, sopt);
+ if (!TCPMD5_ENABLED()) {
+ INP_WUNLOCK(inp);
+ return (ENOPROTOOPT);
+ }
+ error = TCPMD5_PCBCTL(inp, sopt);
break;
#endif