K 10
svn:author
V 2
ae
K 8
svn:date
V 27
2016-11-21T13:07:57.170270Z
K 7
svn:log
V 2947
Modify PCB-related functions and unify their names.

Some background.
When IPsec is compiled in the kernel, each inpcb allocates an inpcbpolicy structure. This structure keeps two security policies (for INBOUND and OUTBOUND directions). By default these policies have IPSEC_POLICY_ENTRUST type. This means that the application has no preference for used security policies and the kernel will use system-wide security policies.

Some applications could want to bypass IPsec processing (e.g. IKE daemons). Such applications use the IP_IPSEC_POLICY/IPV6_IPSEC_POLICY socket option to configure IPsec bypass. In this case policies stored in the inpcbpolicy structure will have type IPSEC_POLICY_BYPASS. Only a privileged socket can use this policy type.

The last policy type allowed for use by an application is IPSEC_POLICY_IPSEC. It is also allowed only for privileged sockets. In theory an application could configure a security policy that requires IPsec processing (ESP/AH transforms).

In reality there are a bunch of problems:
1) ENTRUST policies for each inpcb just waste the memory, even if the system doesn't have any security policies;
2) the setsockopt/getsockopt interface was broken, only setsockopt worked partially;
3) even if the application has configured an IPSEC policy, there is no way to set the corresponding SA. It looks like all IKEd always require security policy that acquired SA should be visible via PF_KEY.
*) I failed to find any application that uses the IPSEC type of policies.

What I did and plan to do to resolve issues:
1) Now secpolicy pointers in the inpcbpolicy structure will not be initialized with ENTRUST policies. A NULL pointer will mean ENTRUST policy. Also, if the application didn't set BYPASS/IPSEC policies, the kernel will use these pointers to cache used security policies.
2) Rework IP_IPSEC_POLICY/IPV6_IPSEC_POLICY socket options handling. To get the needed policy we need a hint from the application; the user should correctly fill sadb_x_policy->sadb_x_policy_dir before doing getsockopt(). If the passed buffer size is not enough, the needed size will be returned in the sadb_x_policy_len field and ENOBUFS will be returned as the return code.
3) To resolve this issue we probably need to make PCB policies visible through the PF_KEY interface. We can create an additional list and link all such policies into it. This will also help when the ipsec.ko module is unloaded. We can correctly free all created security policies. TBD.

What changed:
ipsec_init_pcbpolicy() allocates the inpcbpolicy that is stored in the given inpcb. Now it requires only one inpcb argument.
ipsec_control_pcbpolicy() is used by IPv4/IPv6 control code to set or get security policies stored in the PCB.
Make ipsec_set_pcbpolicy() and ipsec_get_pcbpolicy() static.
ipsec_delete_pcbpolicy() releases security policies if they are configured, then releases memory from the inpcbpolicy structure.
Update ipsec_newisr() and ipsec_delisr() to reflect changes in struct ipsecrequest.
END