8927 sadb_x_kmc_t's KM cookie should be 64-bits
Reviewed by: Jason King <jason.king@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Yuri Pankov <yuripv@gmx.com>

*** 1041,1051 **** /* * Construct a key management cookie extension. */ static uint8_t * ! sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc) { sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; if (cur == NULL) return (NULL); --- 1041,1051 ---- /* * Construct a key management cookie extension. */ static uint8_t * ! sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint64_t kmc) { sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur; if (cur == NULL) return (NULL);
*** 1056,1067 **** return (NULL); kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; kmcext->sadb_x_kmc_proto = kmp; ! kmcext->sadb_x_kmc_cookie = kmc; ! kmcext->sadb_x_kmc_reserved = 0; return (cur); } /* --- 1056,1066 ---- return (NULL); kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext)); kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE; kmcext->sadb_x_kmc_proto = kmp; ! kmcext->sadb_x_kmc_cookie64 = kmc; return (cur); } /*
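Review bot: The single store to `sadb_x_kmc_cookie64` at the end of sadb_make_kmc_ext now stands in for the removed `kmcext->sadb_x_kmc_reserved = 0;`, and nothing in the visible lines says why that is sufficient. If `sadb_x_kmc_cookie64` overlays the old 32-bit cookie plus the reserved word (the struct definition is not visible here, so this is inferred), a comment such as `/* cookie64 covers the old cookie and reserved words, so all 8 bytes are initialized. */` would record that no uninitialized bytes are left in the extension being built. The function begins in the previous hunk and its bounds check lies outside this one.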
*** 2328,2339 **** sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; sq->kmc = 0; sq->kmp = 0; if ((match & IPSA_Q_KMC) && (sq->kmcext)) { - sq->kmc = sq->kmcext->sadb_x_kmc_cookie; sq->kmp = sq->kmcext->sadb_x_kmc_proto; *mfpp++ = sadb_match_kmc; } if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) { if (sq->af == AF_INET6) --- 2327,2343 ---- sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE]; sq->kmc = 0; sq->kmp = 0; if ((match & IPSA_Q_KMC) && (sq->kmcext)) { sq->kmp = sq->kmcext->sadb_x_kmc_proto; + /* Be liberal in what we receive. Special-case IKEv1. */ + if (sq->kmp == SADB_X_KMP_IKE) { + /* Just in case in.iked is misbehaving... */ + sq->kmcext->sadb_x_kmc_reserved = 0; + } + sq->kmc = sq->kmcext->sadb_x_kmc_cookie64; *mfpp++ = sadb_match_kmc; } if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) { if (sq->af == AF_INET6)
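Review bot: The reserved word is cleared only when `sq->kmp == SADB_X_KMP_IKE`, so for every other protocol value whatever the sender left in the old reserved half now becomes part of `sq->kmc` and takes part in the `sadb_match_kmc` comparison. If any other key-management daemon still fills in only the 32-bit cookie, stale bytes there would make otherwise equal cookies compare unequal, so the comment should say which protocols are expected to supply a full 64-bit value. The store `sq->kmcext->sadb_x_kmc_reserved = 0;` also rewrites the caller's inbound message in place, which deserves a word, e.g. `/* Normalizes the inbound extension in place. */`. The same lines are repeated in the hunk at 3135 (`newbie->ipsa_kmc`); a small static helper that returns the normalized cookie would keep the two copies from drifting apart. The enclosing function starts and ends outside this hunk.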
*** 3131,3142 **** newbie->ipsa_addtime = gethrestime_sec(); if (kmcext != NULL) { newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; ! newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie; } /* * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. * The spec says that one can update current lifetimes, but * that seems impractical, especially in the larval-to-mature --- 3135,3151 ---- newbie->ipsa_addtime = gethrestime_sec(); if (kmcext != NULL) { newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto; ! /* Be liberal in what we receive. Special-case IKEv1. */ ! if (newbie->ipsa_kmp == SADB_X_KMP_IKE) { ! /* Just in case in.iked is misbehaving... */ ! kmcext->sadb_x_kmc_reserved = 0; } + newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie64; + } /* * XXX CURRENT lifetime checks MAY BE needed for an UPDATE. * The spec says that one can update current lifetimes, but * that seems impractical, especially in the larval-to-mature
*** 4434,4457 **** */ static int sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic) { uint32_t kmp = sq->kmp; ! uint32_t kmc = sq->kmc; if (sa == NULL) return (0); if (sa->ipsa_state == IPSA_STATE_DEAD) return (ESRCH); /* DEAD == Not there, in this case. */ ! if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) { *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; return (EINVAL); } ! if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) { *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; return (EINVAL); } return (0); --- 4443,4466 ---- */ static int sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic) { uint32_t kmp = sq->kmp; ! uint64_t kmc = sq->kmc; if (sa == NULL) return (0); if (sa->ipsa_state == IPSA_STATE_DEAD) return (ESRCH); /* DEAD == Not there, in this case. */ ! if ((kmp != 0) && (sa->ipsa_kmp != 0) && (sa->ipsa_kmp != kmp)) { *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP; return (EINVAL); } ! if ((kmc != 0) && (sa->ipsa_kmc != 0) && (sa->ipsa_kmc != kmc)) { *diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC; return (EINVAL); } return (0);
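Review bot: The corrected tests in sadb_check_kmc treat a zero `kmp`/`kmc` on either side as "not set", and that rule is not written down in the visible lines. A comment above the first test, such as `/* Zero means unset on either side; only two different non-zero values conflict. */`, would stop the `&&` chain from being "simplified" back into the always-true form this commit removes. Because an SA whose `ipsa_kmc` is 0 now passes the check for any caller-supplied cookie, and sadb_update_kmc in the next hunk then stores it, it is worth stating that the first updater to supply a cookie claims the SA. The function's header comment starts outside this hunk.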
*** 4462,4472 **** */ static void sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa) { uint32_t kmp = sq->kmp; ! uint32_t kmc = sq->kmc; if (kmp != 0) sa->ipsa_kmp = kmp; if (kmc != 0) sa->ipsa_kmc = kmc; --- 4471,4481 ---- */ static void sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa) { uint32_t kmp = sq->kmp; ! uint64_t kmc = sq->kmc; if (kmp != 0) sa->ipsa_kmp = kmp; if (kmc != 0) sa->ipsa_kmc = kmc;
*** 4499,4509 **** ipsa_query_t sq; time_t current = gethrestime_sec(); sq.spp = spp; /* XXX param */ int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA, ! IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND, &sq, diagnostic); if (error != 0) return (error); --- 4508,4519 ---- ipsa_query_t sq; time_t current = gethrestime_sec(); sq.spp = spp; /* XXX param */ int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA, ! IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND| ! IPSA_Q_KMC, &sq, diagnostic); if (error != 0) return (error);
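Review bot: Adding `IPSA_Q_KMC` to the optional-match mask makes sadb_form_query both fill `sq.kmp`/`sq.kmc` and append `sadb_match_kmc` to the matcher list (see `*mfpp++ = sadb_match_kmc;` in the hunk at 2327), and the call site does not say which of the two effects is wanted. If the update path ever walks that matcher list, an SA with no cookie might stop matching an update that carries one; this cannot be confirmed from the visible lines. A one-line comment such as `/* IPSA_Q_KMC: populate sq.kmp/sq.kmc for sadb_check_kmc(). */` would make the intent explicit. The enclosing function starts and ends outside this hunk.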
*** 5105,5115 **** ipsec_action_t *walker; int ncombs, allocsize, ealgid, aalgid, aminbits, amaxbits, eminbits, emaxbits, replay; uint64_t softbytes, hardbytes, softaddtime, hardaddtime, softusetime, hardusetime; ! uint32_t kmc = 0, kmp = 0; /* * Since it's an rwlock read, AND writing to the IPsec algorithms is * rare, just acquire it once up top, and drop it upon return. */ --- 5115,5126 ---- ipsec_action_t *walker; int ncombs, allocsize, ealgid, aalgid, aminbits, amaxbits, eminbits, emaxbits, replay; uint64_t softbytes, hardbytes, softaddtime, hardaddtime, softusetime, hardusetime; ! uint64_t kmc = 0; ! uint32_t kmp = 0; /* * Since it's an rwlock read, AND writing to the IPsec algorithms is * rare, just acquire it once up top, and drop it upon return. */
*** 5295,5313 **** } /* * Generate an extended ACQUIRE's extended-proposal extension. */ - /* ARGSUSED */ static mblk_t * sadb_acquire_extended_prop(ipsec_action_t *ap, netstack_t *ns) { sadb_prop_t *eprop; uint8_t *cur, *end; mblk_t *mp; int allocsize, numecombs = 0, numalgdescs = 0; ! uint32_t kmc = 0, kmp = 0, replay = 0; ipsec_action_t *walker; allocsize = sizeof (*eprop); /* --- 5306,5324 ---- } /* * Generate an extended ACQUIRE's extended-proposal extension. */ static mblk_t * sadb_acquire_extended_prop(ipsec_action_t *ap, netstack_t *ns) { sadb_prop_t *eprop; uint8_t *cur, *end; mblk_t *mp; int allocsize, numecombs = 0, numalgdescs = 0; ! uint32_t kmp = 0, replay = 0; ! uint64_t kmc = 0; ipsec_action_t *walker; allocsize = sizeof (*eprop); /*