First attempt at further IPsec cluster cleanup

*** 1373,1383 **** /* * Randomly generate a proposed SPI value */ (void) random_get_pseudo_bytes((uint8_t *)&newspi, sizeof (uint32_t)); newbie = sadb_getspi(ksi, newspi, &diagnostic, ! espstack->ipsecesp_netstack, IPPROTO_ESP); if (newbie == NULL) { sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM, diagnostic, ksi->ks_in_serial); return; --- 1373,1383 ---- /* * Randomly generate a proposed SPI value */ (void) random_get_pseudo_bytes((uint8_t *)&newspi, sizeof (uint32_t)); newbie = sadb_getspi(ksi, newspi, &diagnostic, ! espstack->ipsecesp_netstack); if (newbie == NULL) { sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM, diagnostic, ksi->ks_in_serial); return;
*** 1566,1582 **** #endif static void esp_port_freshness(uint32_t ports, ipsa_t *assoc) { uint16_t remote = FIRST_16(ports); - uint16_t local = NEXT_16(ports); ipsa_t *outbound_peer; isaf_t *bucket; ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; /* We found a conn_t, therefore local != 0. */ ! ASSERT(local != 0); /* Assume an IPv4 SA. */ ASSERT(assoc->ipsa_addrfam == AF_INET); /* * On-the-wire rport == 0 means something's very wrong. --- 1566,1581 ---- #endif static void esp_port_freshness(uint32_t ports, ipsa_t *assoc) { uint16_t remote = FIRST_16(ports); ipsa_t *outbound_peer; isaf_t *bucket; ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp; /* We found a conn_t, therefore local != 0. */ ! ASSERT(NEXT_16(ports) != 0); /* Assume an IPv4 SA. */ ASSERT(assoc->ipsa_addrfam == AF_INET); /* * On-the-wire rport == 0 means something's very wrong.
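Review bot: The comment `/* We found a conn_t, therefore local != 0. */` in esp_port_freshness still names the `local` variable this hunk deletes, so it no longer matches the assertion it introduces; suggest `/* We found a conn_t, therefore the local port (NEXT_16(ports)) != 0. */`. Since ASSERT is compiled out in non-DEBUG kernels, NEXT_16(ports) is now evaluated only in DEBUG builds, which is harmless as long as the macro has no side effects (it appears to be a pure extraction macro, but that is not visible here). esp_port_freshness's body continues past the end of the hunk.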
*** 1751,1769 **** } } if (is_natt) return (esp_fix_natt_checksums(data_mp, assoc)); - if (assoc->ipsa_state == IPSA_STATE_IDLE) { - /* - * Cluster buffering case. Tell caller that we're - * handling the packet. - */ - sadb_buf_pkt(assoc, data_mp, ira); - return (NULL); - } - return (data_mp); } esp1dbg(espstack, ("esp_in_done: esp_strip_header() failed\n")); drop_and_bail: --- 1750,1759 ----
*** 3618,3629 **** natt_rem6 = (struct sockaddr_in6 *)(nttext_rem + 1); /* Sundry ADD-specific reality checks. */ /* XXX STATS : Logging/stats here? */ ! if ((assoc->sadb_sa_state != SADB_SASTATE_MATURE) && ! (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) { *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; return (EINVAL); } if (assoc->sadb_sa_encrypt == SADB_EALG_NONE) { *diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG; --- 3608,3618 ---- natt_rem6 = (struct sockaddr_in6 *)(nttext_rem + 1); /* Sundry ADD-specific reality checks. */ /* XXX STATS : Logging/stats here? */ ! if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) { *diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE; return (EINVAL); } if (assoc->sadb_sa_encrypt == SADB_EALG_NONE) { *diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG;
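Review bot: Dropping SADB_X_SASTATE_ACTIVE_ELSEWHERE from the ADD-time state check in esp_add_sa means a PF_KEY ADD carrying that state now fails with SADB_X_DIAGNOSTIC_BAD_SASTATE, and the hunk does not show whether the constant is also removed from the PF_KEY header. If it stays defined, a key-management daemon built against the existing header sees a silent behavioural change that the commit message should call out. The same question applies to the SADB_X_DELPAIR_STATE case dropped from the message-type switch at lines 3953-3963: that type now reaches the switch's default (outside that hunk), so confirm the default reports the error through sadb_pfkey_error rather than dropping the message without a reply. esp_add_sa's body continues on both sides of this hunk.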
*** 3788,3822 **** */ static int esp_update_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, ipsecesp_stack_t *espstack, uint8_t sadb_msg_type) { - sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA]; - mblk_t *buf_pkt; - int rcode; - sadb_address_t *dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; if (dstext == NULL) { *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; return (EINVAL); } ! rcode = sadb_update_sa(mp, ksi, &buf_pkt, &espstack->esp_sadb, ! diagnostic, espstack->esp_pfkey_q, esp_add_sa, ! espstack->ipsecesp_netstack, sadb_msg_type); ! ! if ((assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE) || ! (rcode != 0)) { ! return (rcode); ! } ! ! HANDLE_BUF_PKT(esp_taskq, espstack->ipsecesp_netstack->netstack_ipsec, ! espstack->esp_dropper, buf_pkt); ! ! return (rcode); } /* XXX refactor me */ /* * Delete a security association. This is REALLY likely to be code common to --- 3777,3797 ---- */ static int esp_update_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic, ipsecesp_stack_t *espstack, uint8_t sadb_msg_type) { sadb_address_t *dstext = (sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST]; if (dstext == NULL) { *diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST; return (EINVAL); } ! return (sadb_update_sa(mp, ksi, &espstack->esp_sadb, diagnostic, ! espstack->esp_pfkey_q, esp_add_sa, espstack->ipsecesp_netstack, ! sadb_msg_type)); } /* XXX refactor me */ /* * Delete a security association. This is REALLY likely to be code common to
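Review bot: esp_update_sa no longer references esp_taskq or HANDLE_BUF_PKT, and the hunk does not show whether the taskq variable, the macro, and the taskq's creation and teardown in the stack init/fini paths are removed as well; if this function was their only user, leaving them behind keeps dead cluster-buffering machinery compiled into the module. The new call also changes sadb_update_sa's signature (the `&buf_pkt` out-parameter is gone), so every other caller, presumably including the AH counterpart, must be updated in the same commit or the build breaks. The function's leading comment begins outside the hunk; it should now say that update requests are forwarded straight to sadb_update_sa with no local post-processing, e.g. `/* Update an SA: validate the DST extension here, everything else is common code in sadb_update_sa(). */`.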
*** 3953,3963 **** } /* else esp_add_sa() took care of things. */ break; case SADB_DELETE: case SADB_X_DELPAIR: - case SADB_X_DELPAIR_STATE: error = esp_del_sa(mp, ksi, &diagnostic, espstack, samsg->sadb_msg_type); if (error != 0) { sadb_pfkey_error(espstack->esp_pfkey_q, mp, error, diagnostic, ksi->ks_in_serial); --- 3928,3937 ----