sync with OpenBSD -current

sys/netinet/in_pcb.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: in_pcb.h,v 1.137 2023/11/12 23:19:15 bluhm Exp $	*/
+/*	$OpenBSD: in_pcb.h,v 1.138 2023/11/26 22:08:10 bluhm Exp $	*/
 /*	$NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $	*/
 
 /*
@@ -141,7 +141,7 @@ struct inpcb {
 	} inp_mou;
 #define inp_moptions inp_mou.mou_mo
 #define inp_moptions6 inp_mou.mou_mo6
-	u_char	  inp_seclevel[4];
+	u_char	  inp_seclevel[4];	/* [N] IPsec level of socket */
 #define SL_AUTH           0             /* Authentication level */
 #define SL_ESP_TRANS      1             /* ESP transport level */
 #define SL_ESP_NETWORK    2             /* ESP network (encapsulation) level */

sys/netinet/ip_ipsp.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_ipsp.h,v 1.243 2023/10/11 22:13:16 tobhe Exp $	*/
+/*	$OpenBSD: ip_ipsp.h,v 1.244 2023/11/26 22:08:10 bluhm Exp $	*/
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -671,7 +671,7 @@ int	checkreplaywindow(struct tdb *, u_int64_t, u_int32_t, u_int32_t *, int);
 int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
 int	ipsp_process_done(struct mbuf *, struct tdb *);
 int	ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
-	    struct inpcb *, struct tdb **, struct ipsec_ids *);
+	    const u_char[], struct tdb **, struct ipsec_ids *);
 int	ipsp_is_unspecified(union sockaddr_union);
 int	ipsp_aux_match(struct tdb *, struct ipsec_ids *,
 	    struct sockaddr_encap *, struct sockaddr_encap *);

sys/netinet/ip_output.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_output.c,v 1.390 2023/07/07 08:05:02 bluhm Exp $	*/
+/*	$OpenBSD: ip_output.c,v 1.391 2023/11/26 22:08:10 bluhm Exp $	*/
 /*	$NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $	*/
 
 /*
@@ -84,7 +84,7 @@ void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *);
 static u_int16_t in_cksum_phdr(u_int32_t, u_int32_t, u_int32_t);
 void in_delayed_cksum(struct mbuf *);
 
-int ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
+int ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
     struct tdb **, int ipsecflowinfo);
 void ip_output_ipsec_pmtu_update(struct tdb *, struct route *, struct in_addr,
     int, int);
@@ -98,7 +98,7 @@ int ip_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int);
  */
 int
 ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
-    struct ip_moptions *imo, struct inpcb *inp, u_int32_t ipsecflowinfo)
+    struct ip_moptions *imo, const u_char seclevel[], u_int32_t ipsecflowinfo)
 {
 	struct ip *ip;
 	struct ifnet *ifp = NULL;
@@ -115,11 +115,6 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
 
 	NET_ASSERT_LOCKED();
 
-#ifdef IPSEC
-	if (inp && (inp->inp_flags & INP_IPV6) != 0)
-		panic("ip_output: IPv6 pcb is passed");
-#endif /* IPSEC */
-
 #ifdef	DIAGNOSTIC
 	if ((m->m_flags & M_PKTHDR) == 0)
 		panic("ip_output no HDR");
@@ -240,9 +235,9 @@ reroute:
 	}
 
 #ifdef IPSEC
-	if (ipsec_in_use || inp != NULL) {
+	if (ipsec_in_use || seclevel != NULL) {
 		/* Do we have any pending SAs to apply ? */
-		error = ip_output_ipsec_lookup(m, hlen, inp, &tdb,
+		error = ip_output_ipsec_lookup(m, hlen, seclevel, &tdb,
 		    ipsecflowinfo);
 		if (error) {
 			/* Should silently drop packet */
@@ -514,7 +509,7 @@ bad:
 
 #ifdef IPSEC
 int
-ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
+ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
     struct tdb **tdbout, int ipsecflowinfo)
 {
 	struct m_tag *mtag;
@@ -527,7 +522,7 @@ ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
 	if (ipsecflowinfo)
 		ids = ipsp_ids_lookup(ipsecflowinfo);
 	error = ipsp_spd_lookup(m, AF_INET, hlen, IPSP_DIRECTION_OUT,
-	    NULL, inp, &tdb, ids);
+	    NULL, seclevel, &tdb, ids);
 	ipsp_ids_free(ids);
 	if (error || tdb == NULL) {
 		*tdbout = NULL;

sys/netinet/ip_spd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.118 2023/04/22 20:51:56 mvs Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.119 2023/11/26 22:08:10 bluhm Exp $ */
 /*
  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
  *
@@ -39,7 +39,7 @@
 #include <netinet/ip_ipsp.h>
 #include <net/pfkeyv2.h>
 
-int	ipsp_spd_inp(struct mbuf *, struct inpcb *, struct ipsec_policy *,
+int	ipsp_spd_inp(struct mbuf *, const u_char *, struct ipsec_policy *,
 	    struct tdb **);
 int	ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
 	    union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
@@ -153,7 +153,7 @@ spd_table_walk(unsigned int rtableid,
  */
 int
 ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
-    struct tdb *tdbin, struct inpcb *inp, struct tdb **tdbout,
+    struct tdb *tdbin, const u_char seclevel[], struct tdb **tdbout,
     struct ipsec_ids *ipsecflowinfo_ids)
 {
 	struct radix_node_head *rnh;
@@ -172,15 +172,15 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 	 * continuing with the SPD lookup.
 	 */
 	if (!ipsec_in_use)
-		return ipsp_spd_inp(m, inp, NULL, tdbout);
+		return ipsp_spd_inp(m, seclevel, NULL, tdbout);
 
 	/*
 	 * If an input packet is destined to a BYPASS socket, just accept it.
 	 */
-	if ((inp != NULL) && (direction == IPSP_DIRECTION_IN) &&
-	    (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
-	    (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
-	    (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
+	if ((seclevel != NULL) && (direction == IPSP_DIRECTION_IN) &&
+	    (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
+	    (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
+	    (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
 		if (tdbout != NULL)
 			*tdbout = NULL;
 		return 0;
@@ -311,13 +311,13 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 		 * Return whatever the socket requirements are, there are no
 		 * system-wide policies.
 		 */
-		return ipsp_spd_inp(m, inp, NULL, tdbout);
+		return ipsp_spd_inp(m, seclevel, NULL, tdbout);
 	}
 	ipo = (struct ipsec_policy *)rn;
 
 	switch (ipo->ipo_type) {
 	case IPSP_PERMIT:
-		return ipsp_spd_inp(m, inp, ipo, tdbout);
+		return ipsp_spd_inp(m, seclevel, ipo, tdbout);
 
 	case IPSP_DENY:
 		return EHOSTUNREACH;
@@ -384,11 +384,10 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 		 * gateway/endhost, and the socket has the BYPASS
 		 * option set, skip IPsec processing.
 		 */
-		if ((inp != NULL) &&
-		    (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
-		    (inp->inp_seclevel[SL_ESP_NETWORK] ==
-			IPSEC_LEVEL_BYPASS) &&
-		    (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
+		if ((seclevel != NULL) &&
+		    (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
+		    (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
+		    (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
 			/* Direct match. */
 			if (dignore ||
 			    !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
@@ -414,7 +413,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 				goto nomatchout;
 
 			/* Cached entry is good. */
-			error = ipsp_spd_inp(m, inp, ipo, tdbout);
+			error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
 			mtx_leave(&ipo_tdb_mtx);
 			return error;
 
@@ -475,7 +474,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 				TAILQ_INSERT_TAIL(
 				    &ipo->ipo_tdb->tdb_policy_head,
 				    ipo, ipo_tdb_next);
-				error = ipsp_spd_inp(m, inp, ipo, tdbout);
+				error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
 				mtx_leave(&ipo_tdb_mtx);
 				return error;
 			}
@@ -503,7 +502,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 
 			/* FALLTHROUGH */
 		case IPSP_IPSEC_USE:
-			return ipsp_spd_inp(m, inp, ipo, tdbout);
+			return ipsp_spd_inp(m, seclevel, ipo, tdbout);
 		}
 	} else { /* IPSP_DIRECTION_IN */
 		if (tdbin != NULL) {
@@ -528,7 +527,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 			/* Direct match in the cache. */
 			mtx_enter(&ipo_tdb_mtx);
 			if (ipo->ipo_tdb == tdbin) {
-				error = ipsp_spd_inp(m, inp, ipo, tdbout);
+				error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
 				mtx_leave(&ipo_tdb_mtx);
 				return error;
 			}
@@ -556,7 +555,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 			ipo->ipo_tdb = tdb_ref(tdbin);
 			TAILQ_INSERT_TAIL(&tdbin->tdb_policy_head, ipo,
 			    ipo_tdb_next);
-			error = ipsp_spd_inp(m, inp, ipo, tdbout);
+			error = ipsp_spd_inp(m, seclevel, ipo, tdbout);
 			mtx_leave(&ipo_tdb_mtx);
 			return error;
 
@@ -647,7 +646,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 		case IPSP_IPSEC_ACQUIRE:
 			/* If appropriate SA exists, don't acquire another. */
 			if (ipo->ipo_tdb != NULL)
-				return ipsp_spd_inp(m, inp, ipo, tdbout);
+				return ipsp_spd_inp(m, seclevel, ipo, tdbout);
 
 			/* Acquire SA through key management. */
 			ipsp_acquire_sa(ipo, dignore ? &ssrc : &ipo->ipo_dst,
@@ -655,7 +654,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
 
 			/* FALLTHROUGH */
 		case IPSP_IPSEC_USE:
-			return ipsp_spd_inp(m, inp, ipo, tdbout);
+			return ipsp_spd_inp(m, seclevel, ipo, tdbout);
 		}
 	}
 
@@ -905,23 +904,23 @@ ipsp_acquire_sa(struct ipsec_policy *ipo, union sockaddr_union *gw,
  * Deal with PCB security requirements.
  */
 int
-ipsp_spd_inp(struct mbuf *m, struct inpcb *inp, struct ipsec_policy *ipo,
+ipsp_spd_inp(struct mbuf *m, const u_char seclevel[], struct ipsec_policy *ipo,
     struct tdb **tdbout)
 {
 	/* Sanity check. */
-	if (inp == NULL)
+	if (seclevel == NULL)
 		goto justreturn;
 
 	/* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */
 
-	if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
-	    inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
-	    inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
+	if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
+	    seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
+	    seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
 		goto justreturn;
 
-	if (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
-	    inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
-	    inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
+	if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
+	    seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
+	    seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
 		goto justreturn;
 
 	return -EINVAL;  /* Silently drop packet. */

sys/netinet/ip_var.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_var.h,v 1.109 2023/04/05 21:51:47 bluhm Exp $	*/
+/*	$OpenBSD: ip_var.h,v 1.110 2023/11/26 22:08:10 bluhm Exp $	*/
 /*	$NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $	*/
 
 /*
@@ -236,7 +236,7 @@ struct mbuf*
 int	 ip_mforward(struct mbuf *, struct ifnet *);
 int	 ip_optcopy(struct ip *, struct ip *);
 int	 ip_output(struct mbuf *, struct mbuf *, struct route *, int,
-	    struct ip_moptions *, struct inpcb *, u_int32_t);
+	    struct ip_moptions *, const u_char[], u_int32_t);
 u_int16_t
 	 ip_randomid(void);
 void	 ip_send(struct mbuf *);

sys/netinet/raw_ip.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: raw_ip.c,v 1.151 2023/01/22 12:05:44 mvs Exp $	*/
+/*	$OpenBSD: raw_ip.c,v 1.152 2023/11/26 22:08:10 bluhm Exp $	*/
 /*	$NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $	*/
 
 /*
@@ -326,7 +326,7 @@ rip_output(struct mbuf *m, struct socket *so, struct sockaddr *dstaddr,
 #endif
 
 	error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
-	    inp->inp_moptions, inp, 0);
+	    inp->inp_moptions, inp->inp_seclevel, 0);
 	return (error);
 }
 

sys/netinet/tcp_input.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_input.c,v 1.392 2023/11/16 18:27:48 bluhm Exp $	*/
+/*	$OpenBSD: tcp_input.c,v 1.393 2023/11/26 22:08:10 bluhm Exp $	*/
 /*	$NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $	*/
 
 /*
@@ -586,7 +586,7 @@ findpcb:
 			    &tdbi->dst, tdbi->proto);
 		}
 		error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
-		    tdb, inp, NULL, NULL);
+		    tdb, inp->inp_seclevel, NULL, NULL);
 		tdb_unref(tdb);
 		if (error) {
 			tcpstat_inc(tcps_rcvnosec);
@@ -4162,7 +4162,7 @@ syn_cache_respond(struct syn_cache *sc, struct mbuf *m, uint64_t now)
 			ip->ip_tos = inp->inp_ip.ip_tos;
 
 		error = ip_output(m, sc->sc_ipopts, &sc->sc_route4,
-		    (ip_mtudisc ? IP_MTUDISC : 0),  NULL, inp, 0);
+		    (ip_mtudisc ? IP_MTUDISC : 0),  NULL, inp->inp_seclevel, 0);
 		break;
 #ifdef INET6
 	case AF_INET6:

sys/netinet/tcp_output.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_output.c,v 1.140 2023/07/06 09:15:24 bluhm Exp $	*/
+/*	$OpenBSD: tcp_output.c,v 1.141 2023/11/26 22:08:10 bluhm Exp $	*/
 /*	$NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $	*/
 
 /*
@@ -1087,8 +1087,9 @@ send:
 		SET(m->m_pkthdr.csum_flags, M_FLOWID);
 #endif
 		error = ip_output(m, tp->t_inpcb->inp_options,
-			&tp->t_inpcb->inp_route,
-			(ip_mtudisc ? IP_MTUDISC : 0), NULL, tp->t_inpcb, 0);
+		    &tp->t_inpcb->inp_route,
+		    (ip_mtudisc ? IP_MTUDISC : 0), NULL,
+		    tp->t_inpcb->inp_seclevel, 0);
 		break;
 #ifdef INET6
 	case AF_INET6:
@@ -1107,7 +1108,8 @@ send:
 #endif
 		}
 		error = ip6_output(m, tp->t_inpcb->inp_outputopts6,
-		    &tp->t_inpcb->inp_route6, 0, NULL, tp->t_inpcb);
+		    &tp->t_inpcb->inp_route6, 0, NULL,
+		    tp->t_inpcb->inp_seclevel);
 		break;
 #endif /* INET6 */
 	}

sys/netinet/tcp_subr.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_subr.c,v 1.192 2023/07/06 09:15:24 bluhm Exp $	*/
+/*	$OpenBSD: tcp_subr.c,v 1.193 2023/11/26 22:08:10 bluhm Exp $	*/
 /*	$NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $	*/
 
 /*
@@ -402,7 +402,7 @@ tcp_respond(struct tcpcb *tp, caddr_t template, struct tcphdr *th0,
 		ip6_output(m, tp ? tp->t_inpcb->inp_outputopts6 : NULL,
 		    tp ? &tp->t_inpcb->inp_route6 : NULL,
 		    0, NULL,
-		    tp ? tp->t_inpcb : NULL);
+		    tp ? tp->t_inpcb->inp_seclevel : NULL);
 		break;
 #endif /* INET6 */
 	case AF_INET:
@@ -412,7 +412,7 @@ tcp_respond(struct tcpcb *tp, caddr_t template, struct tcphdr *th0,
 		ip_output(m, NULL,
 		    tp ? &tp->t_inpcb->inp_route : NULL,
 		    ip_mtudisc ? IP_MTUDISC : 0, NULL,
-		    tp ? tp->t_inpcb : NULL, 0);
+		    tp ? tp->t_inpcb->inp_seclevel : NULL, 0);
 		break;
 	}
 }

sys/netinet/udp_usrreq.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: udp_usrreq.c,v 1.306 2023/09/16 09:33:27 mpi Exp $	*/
+/*	$OpenBSD: udp_usrreq.c,v 1.307 2023/11/26 22:08:10 bluhm Exp $	*/
 /*	$NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $	*/
 
 /*
@@ -543,7 +543,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af)
 		} else
 			tdb = NULL;
 		error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
-		    tdb, inp, NULL, NULL);
+		    tdb, inp->inp_seclevel, NULL, NULL);
 		if (error) {
 			udpstat_inc(udps_nosec);
 			tdb_unref(tdb);
@@ -1065,7 +1065,7 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct mbuf *addr,
 
 	error = ip_output(m, inp->inp_options, &inp->inp_route,
 	    (inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions,
-	    inp, ipsecflowinfo);
+	    inp->inp_seclevel, ipsecflowinfo);
 
 bail:
 	m_freem(control);