| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: ipsec.c,v 1.113 2017/08/02 01:28:03 ozaki-r Exp $ */ | | 1 | /* $NetBSD: ipsec.c,v 1.114 2017/08/02 03:45:57 ozaki-r Exp $ */ |
2 | /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ | | 2 | /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ |
3 | /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ | | 3 | /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ |
4 | | | 4 | |
5 | /* | | 5 | /* |
6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | | 6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
7 | * All rights reserved. | | 7 | * All rights reserved. |
8 | * | | 8 | * |
9 | * Redistribution and use in source and binary forms, with or without | | 9 | * Redistribution and use in source and binary forms, with or without |
10 | * modification, are permitted provided that the following conditions | | 10 | * modification, are permitted provided that the following conditions |
11 | * are met: | | 11 | * are met: |
12 | * 1. Redistributions of source code must retain the above copyright | | 12 | * 1. Redistributions of source code must retain the above copyright |
13 | * notice, this list of conditions and the following disclaimer. | | 13 | * notice, this list of conditions and the following disclaimer. |
14 | * 2. Redistributions in binary form must reproduce the above copyright | | 14 | * 2. Redistributions in binary form must reproduce the above copyright |
| @@ -22,27 +22,27 @@ | | | @@ -22,27 +22,27 @@ |
22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | | 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | | 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | | 24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
31 | * SUCH DAMAGE. | | 31 | * SUCH DAMAGE. |
32 | */ | | 32 | */ |
33 | | | 33 | |
34 | #include <sys/cdefs.h> | | 34 | #include <sys/cdefs.h> |
35 | __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.113 2017/08/02 01:28:03 ozaki-r Exp $"); | | 35 | __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.114 2017/08/02 03:45:57 ozaki-r Exp $"); |
36 | | | 36 | |
37 | /* | | 37 | /* |
38 | * IPsec controller part. | | 38 | * IPsec controller part. |
39 | */ | | 39 | */ |
40 | | | 40 | |
41 | #if defined(_KERNEL_OPT) | | 41 | #if defined(_KERNEL_OPT) |
42 | #include "opt_inet.h" | | 42 | #include "opt_inet.h" |
43 | #include "opt_ipsec.h" | | 43 | #include "opt_ipsec.h" |
44 | #endif | | 44 | #endif |
45 | | | 45 | |
46 | #include <sys/param.h> | | 46 | #include <sys/param.h> |
47 | #include <sys/systm.h> | | 47 | #include <sys/systm.h> |
48 | #include <sys/mbuf.h> | | 48 | #include <sys/mbuf.h> |
| @@ -1243,36 +1243,38 @@ ipsec_init_policy(struct socket *so, str | | | @@ -1243,36 +1243,38 @@ ipsec_init_policy(struct socket *so, str |
1243 | IPSECLOG(LOG_DEBUG, "No more memory.\n"); | | 1243 | IPSECLOG(LOG_DEBUG, "No more memory.\n"); |
1244 | return ENOBUFS; | | 1244 | return ENOBUFS; |
1245 | } | | 1245 | } |
1246 | | | 1246 | |
1247 | if (IPSEC_PRIVILEGED_SO(so)) | | 1247 | if (IPSEC_PRIVILEGED_SO(so)) |
1248 | new->priv = 1; | | 1248 | new->priv = 1; |
1249 | else | | 1249 | else |
1250 | new->priv = 0; | | 1250 | new->priv = 0; |
1251 | | | 1251 | |
1252 | /* | | 1252 | /* |
1253 | * These SPs are dummy. Never be used because the policy | | 1253 | * These SPs are dummy. Never be used because the policy |
1254 | * is ENTRUST. See ipsec_getpolicybysock. | | 1254 | * is ENTRUST. See ipsec_getpolicybysock. |
1255 | */ | | 1255 | */ |
1256 | if ((new->sp_in = KEY_NEWSP()) == NULL) { | | 1256 | new->sp_in = kmem_intr_zalloc(sizeof(struct secpolicy), KM_NOSLEEP); |
| | | 1257 | if (new->sp_in == NULL) { |
1257 | ipsec_delpcbpolicy(new); | | 1258 | ipsec_delpcbpolicy(new); |
1258 | return ENOBUFS; | | 1259 | return ENOBUFS; |
1259 | } | | 1260 | } |
1260 | new->sp_in->state = IPSEC_SPSTATE_ALIVE; | | 1261 | new->sp_in->state = IPSEC_SPSTATE_ALIVE; |
1261 | new->sp_in->policy = IPSEC_POLICY_ENTRUST; | | 1262 | new->sp_in->policy = IPSEC_POLICY_ENTRUST; |
1262 | new->sp_in->created = 0; /* Indicates dummy */ | | 1263 | new->sp_in->created = 0; /* Indicates dummy */ |
1263 | | | 1264 | |
1264 | if ((new->sp_out = KEY_NEWSP()) == NULL) { | | 1265 | new->sp_out = kmem_intr_zalloc(sizeof(struct secpolicy), KM_NOSLEEP); |
1265 | KEY_SP_UNREF(&new->sp_in); | | 1266 | if (new->sp_out == NULL) { |
| | | 1267 | kmem_intr_free(new->sp_in, sizeof(struct secpolicy)); |
1266 | ipsec_delpcbpolicy(new); | | 1268 | ipsec_delpcbpolicy(new); |
1267 | return ENOBUFS; | | 1269 | return ENOBUFS; |
1268 | } | | 1270 | } |
1269 | new->sp_out->state = IPSEC_SPSTATE_ALIVE; | | 1271 | new->sp_out->state = IPSEC_SPSTATE_ALIVE; |
1270 | new->sp_out->policy = IPSEC_POLICY_ENTRUST; | | 1272 | new->sp_out->policy = IPSEC_POLICY_ENTRUST; |
1271 | new->sp_out->created = 0; /* Indicates dummy */ | | 1273 | new->sp_out->created = 0; /* Indicates dummy */ |
1272 | | | 1274 | |
1273 | *policy = new; | | 1275 | *policy = new; |
1274 | | | 1276 | |
1275 | return 0; | | 1277 | return 0; |
1276 | } | | 1278 | } |
1277 | | | 1279 | |
1278 | /* copy old ipsec policy into new */ | | 1280 | /* copy old ipsec policy into new */ |
| @@ -1341,27 +1343,27 @@ ipsec_deepcopy_policy(const struct secpo | | | @@ -1341,27 +1343,27 @@ ipsec_deepcopy_policy(const struct secpo |
1341 | dst->state = src->state; | | 1343 | dst->state = src->state; |
1342 | dst->policy = src->policy; | | 1344 | dst->policy = src->policy; |
1343 | /* do not touch the refcnt fields */ | | 1345 | /* do not touch the refcnt fields */ |
1344 | | | 1346 | |
1345 | return dst; | | 1347 | return dst; |
1346 | } | | 1348 | } |
1347 | | | 1349 | |
1348 | static void | | 1350 | static void |
1349 | ipsec_destroy_policy(struct secpolicy *sp) | | 1351 | ipsec_destroy_policy(struct secpolicy *sp) |
1350 | { | | 1352 | { |
1351 | | | 1353 | |
1352 | if (sp->created == 0) | | 1354 | if (sp->created == 0) |
1353 | /* It's dummy. We can simply free it */ | | 1355 | /* It's dummy. We can simply free it */ |
1354 | key_free_sp(sp); | | 1356 | kmem_intr_free(sp, sizeof(*sp)); |
1355 | else { | | 1357 | else { |
1356 | /* | | 1358 | /* |
1357 | * We cannot destroy here because it can be called in | | 1359 | * We cannot destroy here because it can be called in |
1358 | * softint. So mark the SP as DEAD and let the timer | | 1360 | * softint. So mark the SP as DEAD and let the timer |
1359 | * destroy it. See key_timehandler_spd. | | 1361 | * destroy it. See key_timehandler_spd. |
1360 | */ | | 1362 | */ |
1361 | sp->state = IPSEC_SPSTATE_DEAD; | | 1363 | sp->state = IPSEC_SPSTATE_DEAD; |
1362 | } | | 1364 | } |
1363 | } | | 1365 | } |
1364 | | | 1366 | |
1365 | /* set policy and ipsec request if present. */ | | 1367 | /* set policy and ipsec request if present. */ |
1366 | static int | | 1368 | static int |
1367 | ipsec_set_policy( | | 1369 | ipsec_set_policy( |