Print this page
8927 sadb_x_kmc_t's KM cookie should be 64-bits
Reviewed by: Jason King <jason.king@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Yuri Pankov <yuripv@gmx.com>
@@ -1041,11 +1041,11 @@
/*
* Construct a key management cookie extension.
*/
static uint8_t *
-sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint32_t kmc)
+sadb_make_kmc_ext(uint8_t *cur, uint8_t *end, uint32_t kmp, uint64_t kmc)
{
sadb_x_kmc_t *kmcext = (sadb_x_kmc_t *)cur;
if (cur == NULL)
return (NULL);
@@ -1056,12 +1056,11 @@
return (NULL);
kmcext->sadb_x_kmc_len = SADB_8TO64(sizeof (*kmcext));
kmcext->sadb_x_kmc_exttype = SADB_X_EXT_KM_COOKIE;
kmcext->sadb_x_kmc_proto = kmp;
- kmcext->sadb_x_kmc_cookie = kmc;
- kmcext->sadb_x_kmc_reserved = 0;
+ kmcext->sadb_x_kmc_cookie64 = kmc;
return (cur);
}
/*
@@ -2328,12 +2327,17 @@
sq->kmcext = (sadb_x_kmc_t *)ksi->ks_in_extv[SADB_X_EXT_KM_COOKIE];
sq->kmc = 0;
sq->kmp = 0;
if ((match & IPSA_Q_KMC) && (sq->kmcext)) {
- sq->kmc = sq->kmcext->sadb_x_kmc_cookie;
sq->kmp = sq->kmcext->sadb_x_kmc_proto;
+ /* Be liberal in what we receive. Special-case IKEv1. */
+ if (sq->kmp == SADB_X_KMP_IKE) {
+ /* Just in case in.iked is misbehaving... */
+ sq->kmcext->sadb_x_kmc_reserved = 0;
+ }
+ sq->kmc = sq->kmcext->sadb_x_kmc_cookie64;
*mfpp++ = sadb_match_kmc;
}
if (match & (IPSA_Q_INBOUND|IPSA_Q_OUTBOUND)) {
if (sq->af == AF_INET6)
@@ -3131,12 +3135,17 @@
newbie->ipsa_addtime = gethrestime_sec();
if (kmcext != NULL) {
newbie->ipsa_kmp = kmcext->sadb_x_kmc_proto;
- newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie;
+ /* Be liberal in what we receive. Special-case IKEv1. */
+ if (newbie->ipsa_kmp == SADB_X_KMP_IKE) {
+ /* Just in case in.iked is misbehaving... */
+ kmcext->sadb_x_kmc_reserved = 0;
}
+ newbie->ipsa_kmc = kmcext->sadb_x_kmc_cookie64;
+ }
/*
* XXX CURRENT lifetime checks MAY BE needed for an UPDATE.
* The spec says that one can update current lifetimes, but
* that seems impractical, especially in the larval-to-mature
@@ -4434,24 +4443,24 @@
*/
static int
sadb_check_kmc(ipsa_query_t *sq, ipsa_t *sa, int *diagnostic)
{
uint32_t kmp = sq->kmp;
- uint32_t kmc = sq->kmc;
+ uint64_t kmc = sq->kmc;
if (sa == NULL)
return (0);
if (sa->ipsa_state == IPSA_STATE_DEAD)
return (ESRCH); /* DEAD == Not there, in this case. */
- if ((kmp != 0) && ((sa->ipsa_kmp != 0) || (sa->ipsa_kmp != kmp))) {
+ if ((kmp != 0) && (sa->ipsa_kmp != 0) && (sa->ipsa_kmp != kmp)) {
*diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMP;
return (EINVAL);
}
- if ((kmc != 0) && ((sa->ipsa_kmc != 0) || (sa->ipsa_kmc != kmc))) {
+ if ((kmc != 0) && (sa->ipsa_kmc != 0) && (sa->ipsa_kmc != kmc)) {
*diagnostic = SADB_X_DIAGNOSTIC_DUPLICATE_KMC;
return (EINVAL);
}
return (0);
@@ -4462,11 +4471,11 @@
*/
static void
sadb_update_kmc(ipsa_query_t *sq, ipsa_t *sa)
{
uint32_t kmp = sq->kmp;
- uint32_t kmc = sq->kmc;
+ uint64_t kmc = sq->kmc;
if (kmp != 0)
sa->ipsa_kmp = kmp;
if (kmc != 0)
sa->ipsa_kmc = kmc;
@@ -4499,11 +4508,12 @@
ipsa_query_t sq;
time_t current = gethrestime_sec();
sq.spp = spp; /* XXX param */
int error = sadb_form_query(ksi, IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA,
- IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND,
+ IPSA_Q_SRC|IPSA_Q_DST|IPSA_Q_SA|IPSA_Q_INBOUND|IPSA_Q_OUTBOUND|
+ IPSA_Q_KMC,
&sq, diagnostic);
if (error != 0)
return (error);
@@ -5105,11 +5115,12 @@
ipsec_action_t *walker;
int ncombs, allocsize, ealgid, aalgid, aminbits, amaxbits, eminbits,
emaxbits, replay;
uint64_t softbytes, hardbytes, softaddtime, hardaddtime, softusetime,
hardusetime;
- uint32_t kmc = 0, kmp = 0;
+ uint64_t kmc = 0;
+ uint32_t kmp = 0;
/*
* Since it's an rwlock read, AND writing to the IPsec algorithms is
* rare, just acquire it once up top, and drop it upon return.
*/
@@ -5295,19 +5306,19 @@
}
/*
* Generate an extended ACQUIRE's extended-proposal extension.
*/
-/* ARGSUSED */
static mblk_t *
sadb_acquire_extended_prop(ipsec_action_t *ap, netstack_t *ns)
{
sadb_prop_t *eprop;
uint8_t *cur, *end;
mblk_t *mp;
int allocsize, numecombs = 0, numalgdescs = 0;
- uint32_t kmc = 0, kmp = 0, replay = 0;
+ uint32_t kmp = 0, replay = 0;
+ uint64_t kmc = 0;
ipsec_action_t *walker;
allocsize = sizeof (*eprop);
/*