Module Name:    src
Committed By:   ozaki-r
Date:           Tue Apr 18 05:26:42 UTC 2017

Modified Files:
        src/sys/netipsec: ipsec.c ipsec_input.c ipsec_mbuf.c ipsec_output.c
            key.c xform_ah.c xform_esp.c xform_ipcomp.c xform_ipip.c

Log Message:
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG

IPSEC_ASSERT just discarded specified message...


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.39 -r1.40 src/sys/netipsec/ipsec_input.c
cvs rdiff -u -r1.13 -r1.14 src/sys/netipsec/ipsec_mbuf.c
cvs rdiff -u -r1.43 -r1.44 src/sys/netipsec/ipsec_output.c
cvs rdiff -u -r1.107 -r1.108 src/sys/netipsec/key.c
cvs rdiff -u -r1.51 -r1.52 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.52 -r1.53 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.35 -r1.36 src/sys/netipsec/xform_ipcomp.c
cvs rdiff -u -r1.46 -r1.47 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.72 src/sys/netipsec/ipsec.c:1.73
--- src/sys/netipsec/ipsec.c:1.72	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/ipsec.c	Tue Apr 18 05:26:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.72 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.73 2017/04/18 05:26:41 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.72 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.73 2017/04/18 05:26:41 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -439,14 +439,14 @@ ipsec_getpolicy(const struct tdb_ident *
 {
 	struct secpolicy *sp;
 
-	IPSEC_ASSERT(tdbi != NULL, ("%s: null tdbi", __func__));
-	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
-	    ("%s: invalid direction %u", __func__, dir));
+	KASSERT(tdbi != NULL);
+	KASSERTMSG(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
+	    "invalid direction %u", dir);
 
 	sp = KEY_ALLOCSP2(tdbi->spi, &tdbi->dst, tdbi->proto, dir);
 	if (sp == NULL)			/*XXX????*/
 		sp = KEY_ALLOCSP_DEFAULT(tdbi->dst.sa.sa_family);
-	IPSEC_ASSERT(sp != NULL, ("%s: null SP", __func__));
+	KASSERT(sp != NULL);
 	return sp;
 }
 
@@ -470,20 +470,20 @@ ipsec_getpolicybysock(struct mbuf *m, u_
 	struct secpolicy *sp;
 	int af;
 
-	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
-	IPSEC_ASSERT(inp != NULL, ("%s: null inpcb", __func__));
-	IPSEC_ASSERT(error != NULL, ("%s: null error", __func__));
-	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
-	    ("%s: invalid direction %u", __func__, dir));
+	KASSERT(m != NULL);
+	KASSERT(inp != NULL);
+	KASSERT(error != NULL);
+	KASSERTMSG(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
+	    "invalid direction %u", dir);
 
-	IPSEC_ASSERT(PCB_SOCKET(inp) != NULL, ("%s: null socket", __func__));
+	KASSERT(PCB_SOCKET(inp) != NULL);
 
 	/* XXX FIXME inpcb/in6pcb  vs socket*/
 	af = PCB_FAMILY(inp);
-	IPSEC_ASSERT(af == AF_INET || af == AF_INET6,
-	    ("%s: unexpected protocol family %u", __func__, af));
+	KASSERTMSG(af == AF_INET || af == AF_INET6,
+	    "unexpected protocol family %u", af);
 
-	IPSEC_ASSERT(inp->inph_sp != NULL, ("null PCB policy cache"));
+	KASSERT(inp->inph_sp != NULL);
 	/* If we have a cached entry, and if it is still valid, use it. */
 	IPSEC_STATINC(IPSEC_STAT_SPDCACHELOOKUP);
 	currsp = ipsec_checkpcbcache(m, /*inpcb_hdr*/inp->inph_sp, dir);
@@ -518,7 +518,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_
 	if (*error)
 		return NULL;
 
-	IPSEC_ASSERT(pcbsp != NULL, ("%s: null pcbsp", __func__));
+	KASSERT(pcbsp != NULL);
 	switch (dir) {
 	case IPSEC_DIR_INBOUND:
 		currsp = pcbsp->sp_in;
@@ -527,7 +527,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_
 		currsp = pcbsp->sp_out;
 		break;
 	}
-	IPSEC_ASSERT(currsp != NULL, ("%s: null currsp", __func__));
+	KASSERT(currsp != NULL);
 
 	if (pcbsp->priv) {			/* when privilieged socket */
 		switch (currsp->policy) {
@@ -578,9 +578,8 @@ ipsec_getpolicybysock(struct mbuf *m, u_
 			}
 		}
 	}
-	IPSEC_ASSERT(sp != NULL,
-	    ("%s: null SP (priv %u policy %u", __func__, pcbsp->priv,
-	    currsp->policy));
+	KASSERTMSG(sp != NULL, "null SP (priv %u policy %u", pcbsp->priv,
+	    currsp->policy);
 	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 	    printf("DP %s (priv %u policy %u) allocates SP:%p (refcnt %u)\n",
 	    __func__, pcbsp->priv, currsp->policy, sp, sp->refcnt));
@@ -604,10 +603,10 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_
 	struct secpolicyindex spidx;
 	struct secpolicy *sp;
 
-	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
-	IPSEC_ASSERT(error != NULL, ("%s: null error", __func__));
-	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
-	    ("%s: invalid direction %u", __func__, dir));
+	KASSERT(m != NULL);
+	KASSERT(error != NULL);
+	KASSERTMSG(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
+	    "invalid direction %u", dir);
 
 	sp = NULL;
 
@@ -628,7 +627,7 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_
 
 	if (sp == NULL)			/* no SP found, use system default */
 		sp = KEY_ALLOCSP_DEFAULT(spidx.dst.sa.sa_family);
-	IPSEC_ASSERT(sp != NULL, ("%s: null SP", __func__));
+	KASSERT(sp != NULL);
 	return sp;
 }
 
@@ -647,13 +646,11 @@ ipsec4_checkpolicy(struct mbuf *m, u_int
 	} else
 		sp = ipsec_getpolicybysock(m, dir, IN4PCB_TO_PCB(inp), error);
 	if (sp == NULL) {
-		IPSEC_ASSERT(*error != 0,
-		    ("%s: getpolicy failed w/o error", __func__));
+		KASSERTMSG(*error != 0, "getpolicy failed w/o error");
 		IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
 		return NULL;
 	}
-	IPSEC_ASSERT(*error == 0, ("%s: sp w/ error set to %u", __func__,
-	    *error));
+	KASSERTMSG(*error == 0, "sp w/ error set to %u", *error);
 	switch (sp->policy) {
 	case IPSEC_POLICY_ENTRUST:
 	default:
@@ -894,13 +891,11 @@ ipsec6_checkpolicy(struct mbuf *m, u_int
 	} else
 		sp = ipsec_getpolicybysock(m, dir, IN6PCB_TO_PCB(in6p), error);
 	if (sp == NULL) {
-		IPSEC_ASSERT(*error != 0, ("%s: getpolicy failed w/o error",
-		    __func__));
+		KASSERTMSG(*error != 0, "getpolicy failed w/o error");
 		IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
 		return NULL;
 	}
-	IPSEC_ASSERT(*error == 0, ("%s: sp w/ error set to %u", __func__,
-	    *error));
+	KASSERTMSG(*error == 0, "sp w/ error set to %u", *error);
 	switch (sp->policy) {
 	case IPSEC_POLICY_ENTRUST:
 	default:
@@ -934,10 +929,10 @@ ipsec4_setspidx_inpcb(struct mbuf *m, st
 {
 	int error;
 
-	IPSEC_ASSERT(pcb != NULL, ("%s: null pcb", __func__));
-	IPSEC_ASSERT(pcb->inp_sp != NULL, ("%s: null inp_sp", __func__));
-	IPSEC_ASSERT(pcb->inp_sp->sp_out != NULL && pcb->inp_sp->sp_in != NULL,
-	    ("%s: null sp_in || sp_out", __func__));
+	KASSERT(pcb != NULL);
+	KASSERT(pcb->inp_sp != NULL);
+	KASSERT(pcb->inp_sp->sp_out != NULL);
+	KASSERT(pcb->inp_sp->sp_in != NULL);
 
 	error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1);
 	if (error == 0) {
@@ -960,11 +955,10 @@ ipsec6_setspidx_in6pcb(struct mbuf *m, s
 	struct secpolicyindex *spidx;
 	int error;
 
-	IPSEC_ASSERT(pcb != NULL, ("%s: null pcb", __func__));
-	IPSEC_ASSERT(pcb->in6p_sp != NULL, ("%s: null inp_sp", __func__));
-	IPSEC_ASSERT(pcb->in6p_sp->sp_out != NULL &&
-	    pcb->in6p_sp->sp_in != NULL, ("%s: null sp_in || sp_out",
-	    __func__));
+	KASSERT(pcb != NULL);
+	KASSERT(pcb->in6p_sp != NULL);
+	KASSERT(pcb->in6p_sp->sp_out != NULL);
+	KASSERT(pcb->in6p_sp->sp_in != NULL);
 
 	memset(&pcb->in6p_sp->sp_in->spidx, 0, sizeof(*spidx));
 	memset(&pcb->in6p_sp->sp_out->spidx, 0, sizeof(*spidx));
@@ -1005,7 +999,7 @@ ipsec_setspidx(struct mbuf *m, struct se
 	int len;
 	int error;
 
-	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
+	KASSERT(m != NULL);
 
 	/*
 	 * validate m->m_pkthdr.len.  we see incorrect length if we
@@ -1071,9 +1065,8 @@ ipsec4_get_ulp(struct mbuf *m, struct se
 	int off;
 
 	/* sanity check */
-	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
-	IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),
-	    ("%s: packet too short", __func__));
+	KASSERT(m != NULL);
+	KASSERTMSG(m->m_pkthdr.len >= sizeof(struct ip), "packet too short");
 
 	/* NB: ip_input() flips it into host endian XXX need more checking */
 	if (m->m_len >= sizeof(struct ip)) {
@@ -1504,7 +1497,7 @@ ipsec4_set_policy(struct inpcb *inp, int
 		return EINVAL;
 	xpl = (const struct sadb_x_policy *)request;
 
-	IPSEC_ASSERT(inp->inp_sp != NULL, ("%s: null inp->in_sp", __func__));
+	KASSERT(inp->inp_sp != NULL);
 
 	/* select direction */
 	switch (xpl->sadb_x_policy_dir) {
@@ -1533,7 +1526,7 @@ ipsec4_get_policy(struct inpcb *inp, con
 	/* sanity check. */
 	if (inp == NULL || request == NULL || mp == NULL)
 		return EINVAL;
-	IPSEC_ASSERT(inp->inp_sp != NULL, ("%s: null inp_sp", __func__));
+	KASSERT(inp->inp_sp != NULL);
 	if (len < sizeof(*xpl))
 		return EINVAL;
 	xpl = (const struct sadb_x_policy *)request;
@@ -1559,7 +1552,8 @@ ipsec4_get_policy(struct inpcb *inp, con
 int
 ipsec4_delete_pcbpolicy(struct inpcb *inp)
 {
-	IPSEC_ASSERT(inp != NULL, ("%s: null inp", __func__));
+
+	KASSERT(inp != NULL);
 
 	if (inp->inp_sp == NULL)
 		return 0;
@@ -1620,7 +1614,7 @@ ipsec6_get_policy(struct in6pcb *in6p, c
 	/* sanity check. */
 	if (in6p == NULL || request == NULL || mp == NULL)
 		return EINVAL;
-	IPSEC_ASSERT(in6p->in6p_sp != NULL, ("%s: null in6p_sp", __func__));
+	KASSERT(in6p->in6p_sp != NULL);
 	if (len < sizeof(*xpl))
 		return EINVAL;
 	xpl = (const struct sadb_x_policy *)request;
@@ -1645,7 +1639,8 @@ ipsec6_get_policy(struct in6pcb *in6p, c
 int
 ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
 {
-	IPSEC_ASSERT(in6p != NULL, ("%s: null in6p", __func__));
+
+	KASSERT(in6p != NULL);
 
 	if (in6p->in6p_sp == NULL)
 		return 0;
@@ -1676,12 +1671,12 @@ ipsec_get_reqlevel(const struct ipsecreq
 	u_int esp_trans_deflev, esp_net_deflev;
 	u_int ah_trans_deflev, ah_net_deflev;
 
-	IPSEC_ASSERT(isr != NULL && isr->sp != NULL, ("%s: null argument",
-	    __func__));
-	IPSEC_ASSERT(isr->sp->spidx.src.sa.sa_family ==
-	    isr->sp->spidx.dst.sa.sa_family,
-	    ("%s: af family mismatch, src %u, dst %u", __func__,
-	    isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family));
+	KASSERT(isr != NULL);
+	KASSERT(isr->sp != NULL);
+	KASSERTMSG(
+	    isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family,
+	    "af family mismatch, src %u, dst %u",
+	    isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family);
 
 /* XXX note that we have ipseclog() expanded here - code sync issue */
 #define IPSEC_CHECK_DEFAULT(lev) 					\
@@ -1789,8 +1784,8 @@ ipsec_in_reject(const struct secpolicy *
 		return 0;
 	}
 
-	IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
-	    ("%s: invalid policy %u", __func__, sp->policy));
+	KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
+	    "invalid policy %u", sp->policy);
 
 	/* XXX should compare policy against ipsec header history */
 
@@ -1851,7 +1846,7 @@ ipsec4_in_reject(struct mbuf *m, struct 
 	int error;
 	int result;
 
-	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
+	KASSERT(m != NULL);
 
 	/* get SP for this packet.
 	 * When we are called from ip_forward(), we call
@@ -1937,8 +1932,8 @@ ipsec_hdrsiz(const struct secpolicy *sp)
 		return 0;
 	}
 
-	IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
-	    ("%s: invalid policy %u", __func__, sp->policy));
+	KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
+	    "invalid policy %u", sp->policy);
 
 	siz = 0;
 	for (isr = sp->req; isr != NULL; isr = isr->next) {
@@ -1988,9 +1983,8 @@ ipsec4_hdrsiz(struct mbuf *m, u_int dir,
 	int error;
 	size_t size;
 
-	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
-	IPSEC_ASSERT(inp == NULL || inp->inp_socket != NULL,
-	    ("%s: socket w/o inpcb", __func__));
+	KASSERT(m != NULL);
+	KASSERTMSG(inp == NULL || inp->inp_socket != NULL, "socket w/o inpcb");
 
 	/* get SP for this packet.
 	 * When we are called from ip_forward(), we call
@@ -2025,9 +2019,9 @@ ipsec6_hdrsiz(struct mbuf *m, u_int dir,
 	int error;
 	size_t size;
 
-	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
-	IPSEC_ASSERT(in6p == NULL || in6p->in6p_socket != NULL,
-	    ("%s: socket w/o inpcb", __func__));
+	KASSERT(m != NULL);
+	KASSERTMSG(in6p == NULL || in6p->in6p_socket != NULL,
+	    "socket w/o inpcb");
 
 	/* get SP for this packet */
 	/* XXX Is it right to call with IP_FORWARDING. */
@@ -2070,8 +2064,8 @@ ipsec_chkreplay(u_int32_t seq, const str
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
-	IPSEC_ASSERT(sav != NULL, ("%s: Null SA", __func__));
-	IPSEC_ASSERT(sav->replay != NULL, ("%s: Null replay state", __func__));
+	KASSERT(sav != NULL);
+	KASSERT(sav->replay != NULL);
 
 	replay = sav->replay;
 
@@ -2128,8 +2122,8 @@ ipsec_updatereplay(u_int32_t seq, const 
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
-	IPSEC_ASSERT(sav != NULL, ("%s: Null SA", __func__));
-	IPSEC_ASSERT(sav->replay != NULL, ("%s: Null replay state", __func__));
+	KASSERT(sav != NULL);
+	KASSERT(sav->replay != NULL);
 
 	replay = sav->replay;
 
@@ -2279,8 +2273,7 @@ ipsec_logsastr(const struct secasvar *sa
 	char *p;
 	const struct secasindex *saidx = &sav->sah->saidx;
 
-	IPSEC_ASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
-	    ("%s: address family mismatch", __func__));
+	KASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family);
 
 	p = buf;
 	snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.39 src/sys/netipsec/ipsec_input.c:1.40
--- src/sys/netipsec/ipsec_input.c:1.39	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/ipsec_input.c	Tue Apr 18 05:26:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.39 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.40 2017/04/18 05:26:42 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.39 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.40 2017/04/18 05:26:42 ozaki-r Exp $");
 
 /*
  * IPsec input processing.
@@ -134,7 +134,7 @@ ipsec_common_input(struct mbuf *m, int s
 	IPSEC_ISTAT(sproto, ESP_STAT_INPUT, AH_STAT_INPUT,
 		IPCOMP_STAT_INPUT);
 
-	IPSEC_ASSERT(m != NULL, ("ipsec_common_input: null packet"));
+	KASSERT(m != NULL);
 
 	if ((sproto == IPPROTO_ESP && !esp_enable) ||
 	    (sproto == IPPROTO_AH && !ah_enable) ||
@@ -285,17 +285,16 @@ ipsec4_common_input_cb(struct mbuf *m, s
 
 	IPSEC_SPLASSERT_SOFTNET("ipsec4_common_input_cb");
 
-	IPSEC_ASSERT(m != NULL, ("ipsec4_common_input_cb: null mbuf"));
-	IPSEC_ASSERT(sav != NULL, ("ipsec4_common_input_cb: null SA"));
-	IPSEC_ASSERT(sav->sah != NULL, ("ipsec4_common_input_cb: null SAH"));
+	KASSERT(m != NULL);
+	KASSERT(sav != NULL);
+	KASSERT(sav->sah != NULL);
 	saidx = &sav->sah->saidx;
 	af = saidx->dst.sa.sa_family;
-	IPSEC_ASSERT(af == AF_INET, ("ipsec4_common_input_cb: unexpected af %u",af));
+	KASSERTMSG(af == AF_INET, "unexpected af %u", af);
 	sproto = saidx->proto;
-	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
-		sproto == IPPROTO_IPCOMP,
-		("ipsec4_common_input_cb: unexpected security protocol %u",
-		sproto));
+	KASSERTMSG(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
+	    sproto == IPPROTO_IPCOMP,
+	    "unexpected security protocol %u", sproto);
 
 	/* Sanity check */
 	if (m == NULL) {
@@ -474,8 +473,7 @@ ipsec6_common_input(struct mbuf **mp, in
 				l = (ip6e.ip6e_len + 2) << 2;
 			else
 				l = (ip6e.ip6e_len + 1) << 3;
-			IPSEC_ASSERT(l > 0,
-			  ("ipsec6_common_input: l went zero or negative"));
+			KASSERT(l > 0);
 
 			nxt = ip6e.ip6e_nxt;
 		} while (protoff + l < *offp);
@@ -517,18 +515,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	u_int8_t prot, nxt8;
 	int error, nest;
 
-	IPSEC_ASSERT(m != NULL, ("ipsec6_common_input_cb: null mbuf"));
-	IPSEC_ASSERT(sav != NULL, ("ipsec6_common_input_cb: null SA"));
-	IPSEC_ASSERT(sav->sah != NULL, ("ipsec6_common_input_cb: null SAH"));
+	KASSERT(m != NULL);
+	KASSERT(sav != NULL);
+	KASSERT(sav->sah != NULL);
 	saidx = &sav->sah->saidx;
 	af = saidx->dst.sa.sa_family;
-	IPSEC_ASSERT(af == AF_INET6,
-		("ipsec6_common_input_cb: unexpected af %u", af));
+	KASSERTMSG(af == AF_INET6, "unexpected af %u", af);
 	sproto = saidx->proto;
-	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
-		sproto == IPPROTO_IPCOMP,
-		("ipsec6_common_input_cb: unexpected security protocol %u",
-		sproto));
+	KASSERTMSG(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
+	    sproto == IPPROTO_IPCOMP,
+	    "unexpected security protocol %u", sproto);
 
 	/* Sanity check */
 	if (m == NULL) {

Index: src/sys/netipsec/ipsec_mbuf.c
diff -u src/sys/netipsec/ipsec_mbuf.c:1.13 src/sys/netipsec/ipsec_mbuf.c:1.14
--- src/sys/netipsec/ipsec_mbuf.c:1.13	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/ipsec_mbuf.c	Tue Apr 18 05:26:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_mbuf.c,v 1.13 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_mbuf.c,v 1.14 2017/04/18 05:26:42 ozaki-r Exp $	*/
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
  * All rights reserved.
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.13 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.14 2017/04/18 05:26:42 ozaki-r Exp $");
 
 /*
  * IPsec-specific mbuf routines.
@@ -65,7 +65,7 @@ m_clone(struct mbuf *m0)
 	struct mbuf *n, *mfirst, *mlast;
 	int len, off;
 
-	IPSEC_ASSERT(m0 != NULL, ("m_clone: null mbuf"));
+	KASSERT(m0 != NULL);
 
 	mprev = NULL;
 	for (m = m0; m != NULL; m = mprev->m_next) {
@@ -113,8 +113,7 @@ m_clone(struct mbuf *m0)
 		 * it anyway, we try to reduce the number of mbufs and
 		 * clusters so that future work is easier).
 		 */
-		IPSEC_ASSERT(m->m_flags & M_EXT,
-			("m_clone: m_flags 0x%x", m->m_flags));
+		KASSERTMSG(m->m_flags & M_EXT, "m_flags 0x%x", m->m_flags);
 		/* NB: we only coalesce into a cluster or larger */
 		if (mprev != NULL && (mprev->m_flags & M_EXT) &&
 		    m->m_len <= M_TRAILINGSPACE(mprev)) {
@@ -216,8 +215,8 @@ m_makespace(struct mbuf *m0, int skip, i
 	struct mbuf *m;
 	unsigned remain;
 
-	IPSEC_ASSERT(m0 != NULL, ("m_dmakespace: null mbuf"));
-	IPSEC_ASSERT(hlen < MHLEN, ("m_makespace: hlen too big: %u", hlen));
+	KASSERT(m0 != NULL);
+	KASSERTMSG(hlen < MHLEN, "hlen too big: %u", hlen);
 
 	for (m = m0; m && skip > m->m_len; m = m->m_next)
 		skip -= m->m_len;
@@ -333,7 +332,8 @@ m_pad(struct mbuf *m, int n)
 	m0 = m;
 
 	while (m0->m_len < len) {
-IPSEC_ASSERT(m0->m_next != NULL, ("m_pad: m0 null, len %u m_len %u", len, m0->m_len));/*XXX*/
+		KASSERTMSG(m0->m_next != NULL,
+		    "m0 null, len %u m_len %u", len, m0->m_len);/*XXX*/
 		len -= m0->m_len;
 		m0 = m0->m_next;
 	}

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.43 src/sys/netipsec/ipsec_output.c:1.44
--- src/sys/netipsec/ipsec_output.c:1.43	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/ipsec_output.c	Tue Apr 18 05:26:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.43 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.44 2017/04/18 05:26:42 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.43 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.44 2017/04/18 05:26:42 ozaki-r Exp $");
 
 /*
  * IPsec output processing.
@@ -161,11 +161,11 @@ ipsec_process_done(struct mbuf *m, struc
 
 	IPSEC_SPLASSERT_SOFTNET("ipsec_process_done");
 
-	IPSEC_ASSERT(m != NULL, ("ipsec_process_done: null mbuf"));
-	IPSEC_ASSERT(isr != NULL, ("ipsec_process_done: null ISR"));
+	KASSERT(m != NULL);
+	KASSERT(isr != NULL);
 	sav = isr->sav;
-	IPSEC_ASSERT(sav != NULL, ("ipsec_process_done: null SA"));
-	IPSEC_ASSERT(sav->sah != NULL, ("ipsec_process_done: null SAH"));
+	KASSERT(sav != NULL);
+	KASSERT(sav->sah != NULL);
 
 	saidx = &sav->sah->saidx;
 
@@ -316,8 +316,8 @@ do {									\
 	struct secasvar *sav;
 
 	IPSEC_SPLASSERT_SOFTNET("ipsec_nextisr");
-	IPSEC_ASSERT(af == AF_INET || af == AF_INET6,
-		("ipsec_nextisr: invalid address family %u", af));
+	KASSERTMSG(af == AF_INET || af == AF_INET6,
+	    "invalid address family %u", af);
 again:
 	/*
 	 * Craft SA index to search for proper SA.  Note that
@@ -396,9 +396,9 @@ again:
 	sav = isr->sav;
 	/* sav may be NULL here if we have an USE rule */
 	if (sav == NULL) {		
-		IPSEC_ASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
-			("ipsec_nextisr: no SA found, but required; level %u",
-			ipsec_get_reqlevel(isr)));
+		KASSERTMSG(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
+		    "no SA found, but required; level %u",
+		    ipsec_get_reqlevel(isr));
 		isr = isr->next;
 		/* 
 		 * No more rules to apply, return NULL isr and no error 
@@ -438,7 +438,7 @@ again:
 	}
 	return isr;
 bad:
-	IPSEC_ASSERT(*error != 0, ("ipsec_nextisr: error return w/ no error code"));
+	KASSERTMSG(*error != 0, "error return w/ no error code");
 	return NULL;
 #undef IPSEC_OSTAT
 }
@@ -460,8 +460,8 @@ ipsec4_process_packet(
 	struct ip *ip;
 	int s, error, i, off;
 
-	IPSEC_ASSERT(m != NULL, ("ipsec4_process_packet: null mbuf"));
-	IPSEC_ASSERT(isr != NULL, ("ipsec4_process_packet: null isr"));
+	KASSERT(m != NULL);
+	KASSERT(isr != NULL);
 
 	s = splsoftnet();			/* insure SA contents don't change */
 
@@ -695,8 +695,8 @@ ipsec6_process_packet(
 	int s, error, i, off;
 	union sockaddr_union *dst;
 
-	IPSEC_ASSERT(m != NULL, ("ipsec6_process_packet: null mbuf"));
-	IPSEC_ASSERT(isr != NULL, ("ipsec6_process_packet: null isr"));
+	KASSERT(m != NULL);
+	KASSERT(isr != NULL);
 
 	s = splsoftnet();   /* insure SA contents don't change */
 

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.107 src/sys/netipsec/key.c:1.108
--- src/sys/netipsec/key.c:1.107	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/key.c	Tue Apr 18 05:26:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.107 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: key.c,v 1.108 2017/04/18 05:26:42 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.107 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.108 2017/04/18 05:26:42 ozaki-r Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -531,23 +531,19 @@ struct callout key_timehandler_ch;
 
 #define	SA_ADDREF(p) do {						\
 	(p)->refcnt++;							\
-	IPSEC_ASSERT((p)->refcnt != 0,					\
-		("SA refcnt overflow at %s:%u", __FILE__, __LINE__));	\
+	KASSERTMSG((p)->refcnt != 0, "SA refcnt overflow");		\
 } while (0)
 #define	SA_DELREF(p) do {						\
-	IPSEC_ASSERT((p)->refcnt > 0,					\
-		("SA refcnt underflow at %s:%u", __FILE__, __LINE__));	\
+	KASSERTMSG((p)->refcnt > 0, "SA refcnt underflow");		\
 	(p)->refcnt--;							\
 } while (0)
 
 #define	SP_ADDREF(p) do {						\
 	(p)->refcnt++;							\
-	IPSEC_ASSERT((p)->refcnt != 0,					\
-		("SP refcnt overflow at %s:%u", __FILE__, __LINE__));	\
+	KASSERTMSG((p)->refcnt != 0, "SP refcnt overflow");		\
 } while (0)
 #define	SP_DELREF(p) do {						\
-	IPSEC_ASSERT((p)->refcnt > 0,					\
-		("SP refcnt underflow at %s:%u", __FILE__, __LINE__));	\
+	KASSERTMSG((p)->refcnt > 0, "SP refcnt underflow");		\
 	(p)->refcnt--;							\
 } while (0)
 
@@ -598,9 +594,9 @@ key_allocsp(const struct secpolicyindex 
 	struct secpolicy *sp;
 	int s;
 
-	IPSEC_ASSERT(spidx != NULL, ("key_allocsp: null spidx"));
-	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
-		("key_allocsp: invalid direction %u", dir));
+	KASSERT(spidx != NULL);
+	KASSERTMSG(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
+	    "invalid direction %u", dir);
 
 	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 		printf("DP %s from %s:%u\n", __func__, where, tag));
@@ -655,9 +651,9 @@ key_allocsp2(u_int32_t spi,
 	struct secpolicy *sp;
 	int s;
 
-	IPSEC_ASSERT(dst != NULL, ("key_allocsp2: null dst"));
-	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
-		("key_allocsp2: invalid direction %u", dir));
+	KASSERT(dst != NULL);
+	KASSERTMSG(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
+	    "invalid direction %u", dir);
 
 	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 		printf("DP %s from %s:%u\n", __func__, where, tag));
@@ -792,11 +788,11 @@ key_checkrequest(struct ipsecrequest *is
 	u_int level;
 	int error;
 
-	IPSEC_ASSERT(isr != NULL, ("key_checkrequest: null isr"));
-	IPSEC_ASSERT(saidx != NULL, ("key_checkrequest: null saidx"));
-	IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT ||
-		saidx->mode == IPSEC_MODE_TUNNEL,
-		("key_checkrequest: unexpected policy %u", saidx->mode));
+	KASSERT(isr != NULL);
+	KASSERT(saidx != NULL);
+	KASSERTMSG(saidx->mode == IPSEC_MODE_TRANSPORT ||
+	    saidx->mode == IPSEC_MODE_TUNNEL,
+	    "unexpected policy %u", saidx->mode);
 
 	/* get current level */
 	level = ipsec_get_reqlevel(isr);
@@ -867,7 +863,7 @@ key_checkrequest(struct ipsecrequest *is
 
 	if (level != IPSEC_LEVEL_REQUIRE) {
 		/* XXX sigh, the interface to this routine is botched */
-		IPSEC_ASSERT(isr->sav == NULL, ("key_checkrequest: unexpected SA"));
+		KASSERTMSG(isr->sav == NULL, "unexpected SA");
 		return 0;
 	} else {
 		return ENOENT;
@@ -993,8 +989,7 @@ key_do_allocsa_policy(struct secashead *
 
 			key_sa_chgstate(d, SADB_SASTATE_DEAD);
 
-			IPSEC_ASSERT(d->refcnt > 0,
-				("key_do_allocsa_policy: bogus ref count"));
+			KASSERT(d->refcnt > 0);
 
 			satype = key_proto2satype(d->sah->saidx.proto);
 			if (satype == 0)
@@ -1105,7 +1100,7 @@ key_allocsa(
 	else
 		chkport = PORT_NONE;
 
-	IPSEC_ASSERT(dst != NULL, ("key_allocsa: null dst address"));
+	KASSERT(dst != NULL);
 
 	/*
 	 * XXX IPCOMP case
@@ -1218,7 +1213,7 @@ _key_freesp(struct secpolicy **spp, cons
 {
 	struct secpolicy *sp = *spp;
 
-	IPSEC_ASSERT(sp != NULL, ("key_freesp: null sp"));
+	KASSERT(sp != NULL);
 
 	SP_DELREF(sp);
 
@@ -1240,7 +1235,7 @@ void
 key_freeso(struct socket *so)
 {
 	/* sanity check */
-	IPSEC_ASSERT(so != NULL, ("key_freeso: null so"));
+	KASSERT(so != NULL);
 
 	switch (so->so_proto->pr_domain->dom_family) {
 #ifdef INET
@@ -1292,14 +1287,16 @@ key_freeso(struct socket *so)
 static void
 key_freesp_so(struct secpolicy **sp)
 {
-	IPSEC_ASSERT(sp != NULL && *sp != NULL, ("key_freesp_so: null sp"));
+
+	KASSERT(sp != NULL);
+	KASSERT(*sp != NULL);
 
 	if ((*sp)->policy == IPSEC_POLICY_ENTRUST ||
 	    (*sp)->policy == IPSEC_POLICY_BYPASS)
 		return;
 
-	IPSEC_ASSERT((*sp)->policy == IPSEC_POLICY_IPSEC,
-		("key_freesp_so: invalid policy %u", (*sp)->policy));
+	KASSERTMSG((*sp)->policy == IPSEC_POLICY_IPSEC,
+	    "invalid policy %u", (*sp)->policy);
 	KEY_FREESP(sp);
 }
 
@@ -1313,7 +1310,7 @@ key_freesav(struct secasvar **psav, cons
 {
 	struct secasvar *sav = *psav;
 
-	IPSEC_ASSERT(sav != NULL, ("key_freesav: null sav"));
+	KASSERT(sav != NULL);
 
 	SA_DELREF(sav);
 
@@ -1337,13 +1334,12 @@ key_delsp(struct secpolicy *sp)
 {
 	int s;
 
-	IPSEC_ASSERT(sp != NULL, ("key_delsp: null sp"));
+	KASSERT(sp != NULL);
 
 	key_sp_dead(sp);
 
-	IPSEC_ASSERT(sp->refcnt == 0,
-		("key_delsp: SP with references deleted (refcnt %u)",
-		sp->refcnt));
+	KASSERTMSG(sp->refcnt == 0,
+	    "SP with references deleted (refcnt %u)", sp->refcnt);
 
 	s = splsoftnet();	/*called from softclock()*/
 
@@ -1377,7 +1373,7 @@ key_getsp(const struct secpolicyindex *s
 {
 	struct secpolicy *sp;
 
-	IPSEC_ASSERT(spidx != NULL, ("key_getsp: null spidx"));
+	KASSERT(spidx != NULL);
 
 	LIST_FOREACH(sp, &sptree[spidx->dir], chain) {
 		if (sp->state == IPSEC_SPSTATE_DEAD)
@@ -2863,7 +2859,7 @@ key_newsah(const struct secasindex *said
 {
 	struct secashead *newsah;
 
-	IPSEC_ASSERT(saidx != NULL, ("key_newsaidx: null saidx"));
+	KASSERT(saidx != NULL);
 
 	newsah = (struct secashead *)
 		malloc(sizeof(struct secashead), M_SECA, M_NOWAIT|M_ZERO);
@@ -3035,9 +3031,10 @@ done:
 static void
 key_delsav(struct secasvar *sav)
 {
-	IPSEC_ASSERT(sav != NULL, ("key_delsav: null sav"));
-	IPSEC_ASSERT(sav->refcnt == 0,
-		("key_delsav: reference count %u > 0", sav->refcnt));
+
+	KASSERT(sav != NULL);
+	KASSERTMSG(sav->refcnt == 0,
+	    "reference count %u > 0", sav->refcnt);
 
 	/* remove from SA header */
 	if (__LIST_CHAINED(sav))
@@ -6047,9 +6044,8 @@ key_getcomb_esp(void)
 		if (ipsec_esp_auth)
 			m = key_getcomb_ah();
 		else {
-			IPSEC_ASSERT(l <= MLEN,
-				("key_getcomb_esp: l=%u > MLEN=%lu",
-				l, (u_long) MLEN));
+			KASSERTMSG(l <= MLEN,
+			    "l=%u > MLEN=%lu", l, (u_long) MLEN);
 			MGET(m, M_DONTWAIT, MT_DATA);
 			if (m) {
 				M_ALIGN(m, l);
@@ -6064,8 +6060,7 @@ key_getcomb_esp(void)
 		totlen = 0;
 		for (n = m; n; n = n->m_next)
 			totlen += n->m_len;
-		IPSEC_ASSERT((totlen % l) == 0,
-			("key_getcomb_esp: totlen=%u, l=%u", totlen, l));
+		KASSERTMSG((totlen % l) == 0, "totlen=%u, l=%u", totlen, l);
 
 		for (off = 0; off < totlen; off += l) {
 			n = m_pulldown(m, off, l, &o);
@@ -6150,9 +6145,8 @@ key_getcomb_ah(void)
 			continue;
 
 		if (!m) {
-			IPSEC_ASSERT(l <= MLEN,
-				("key_getcomb_ah: l=%u > MLEN=%lu",
-				l, (u_long) MLEN));
+			KASSERTMSG(l <= MLEN,
+			    "l=%u > MLEN=%lu", l, (u_long) MLEN);
 			MGET(m, M_DONTWAIT, MT_DATA);
 			if (m) {
 				M_ALIGN(m, l);
@@ -6195,9 +6189,8 @@ key_getcomb_ipcomp(void)
 			continue;
 
 		if (!m) {
-			IPSEC_ASSERT(l <= MLEN,
-				("key_getcomb_ipcomp: l=%u > MLEN=%lu",
-				l, (u_long) MLEN));
+			KASSERTMSG(l <= MLEN,
+			    "l=%u > MLEN=%lu", l, (u_long) MLEN);
 			MGET(m, M_DONTWAIT, MT_DATA);
 			if (m) {
 				M_ALIGN(m, l);
@@ -6297,10 +6290,9 @@ key_acquire(const struct secasindex *sai
 	u_int32_t seq;
 
 	/* sanity check */
-	IPSEC_ASSERT(saidx != NULL, ("key_acquire: null saidx"));
+	KASSERT(saidx != NULL);
 	satype = key_proto2satype(saidx->proto);
-	IPSEC_ASSERT(satype != 0,
-		("key_acquire: null satype, protocol %u", saidx->proto));
+	KASSERTMSG(satype != 0, "null satype, protocol %u", saidx->proto);
 
 #ifndef IPSEC_NONBLOCK_ACQUIRE
 	/*
@@ -7923,8 +7915,9 @@ key_getuserfqdn(void)
 void
 key_sa_recordxfer(struct secasvar *sav, struct mbuf *m)
 {
-	IPSEC_ASSERT(sav != NULL, ("key_sa_recordxfer: Null secasvar"));
-	IPSEC_ASSERT(m != NULL, ("key_sa_recordxfer: Null mbuf"));
+
+	KASSERT(sav != NULL);
+	KASSERT(m != NULL);
 	if (!sav->lft_c)
 		return;
 

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.51 src/sys/netipsec/xform_ah.c:1.52
--- src/sys/netipsec/xform_ah.c:1.51	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/xform_ah.c	Tue Apr 18 05:26:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.51 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.52 2017/04/18 05:26:42 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.51 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.52 2017/04/18 05:26:42 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -159,8 +159,7 @@ ah_hdrsiz(const struct secasvar *sav)
 
 	if (sav != NULL) {
 		int authsize;
-		IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
-			("%s: null xform", __func__));
+		KASSERT(sav->tdb_authalgxform != NULL);
 		/*XXX not right for null algorithm--does it matter??*/
 		authsize = AUTHSIZE(sav);
 		size = roundup(authsize, sizeof(uint32_t)) + HDRSIZE(sav);
@@ -627,11 +626,9 @@ ah_input(struct mbuf *m, const struct se
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
-	IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__));
-	IPSEC_ASSERT(sav->key_auth != NULL,
-		("%s: null authentication key", __func__));
-	IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
-		("%s: null authentication xform", __func__));
+	KASSERT(sav != NULL);
+	KASSERT(sav->key_auth != NULL);
+	KASSERT(sav->tdb_authalgxform != NULL);
 
 	/* Figure out header size. */
 	rplen = HDRSIZE(sav);
@@ -680,7 +677,7 @@ ah_input(struct mbuf *m, const struct se
 	}
 
 	crda = crp->crp_desc;
-	IPSEC_ASSERT(crda != NULL, ("%s: null crypto descriptor", __func__));
+	KASSERT(crda != NULL);
 
 	crda->crd_skip = 0;
 	crda->crd_len = m->m_pkthdr.len;
@@ -810,9 +807,8 @@ ah_input_cb(struct cryptop *crp)
 	uint16_t dport;
 	uint16_t sport;
 
+	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
-	IPSEC_ASSERT(tc != NULL, ("%s: null opaque crypto data area!",
-	    __func__));
 	skip = tc->tc_skip;
 	nxt = tc->tc_nxt;
 	protoff = tc->tc_protoff;
@@ -835,10 +831,9 @@ ah_input_cb(struct cryptop *crp)
 	}
 
 	saidx = &sav->sah->saidx;
-	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
-		saidx->dst.sa.sa_family == AF_INET6,
-		("%s: unexpected protocol family %u", __func__,
-		 saidx->dst.sa.sa_family));
+	KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
+	    saidx->dst.sa.sa_family == AF_INET6,
+	    "unexpected protocol family %u", saidx->dst.sa.sa_family);
 
 	/* Check for crypto errors. */
 	if (crp->crp_etype) {
@@ -999,9 +994,9 @@ ah_output(
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
 	sav = isr->sav;
-	IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__));
+	KASSERT(sav != NULL);
+	KASSERT(sav->tdb_authalgxform != NULL);
 	ahx = sav->tdb_authalgxform;
-	IPSEC_ASSERT(ahx != NULL, ("%s: null authentication xform", __func__));
 
 	AH_STATINC(AH_STAT_OUTPUT);
 
@@ -1203,8 +1198,8 @@ ah_output_cb(struct cryptop *crp)
 	void *ptr;
 	int s, err;
 
+	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
-	IPSEC_ASSERT(tc != NULL, ("%s: null opaque data area!", __func__));
 	skip = tc->tc_skip;
 	ptr = (tc + 1);
 	m = crp->crp_buf;
@@ -1220,7 +1215,7 @@ ah_output_cb(struct cryptop *crp)
 		error = ENOBUFS;		/*XXX*/
 		goto bad;
 	}
-	IPSEC_ASSERT(isr->sav == sav, ("%s: SA changed\n", __func__));
+	KASSERTMSG(isr->sav == sav, "SA changed");
 
 	/* Check for crypto errors. */
 	if (crp->crp_etype) {

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.52 src/sys/netipsec/xform_esp.c:1.53
--- src/sys/netipsec/xform_esp.c:1.52	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/xform_esp.c	Tue Apr 18 05:26:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.52 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.53 2017/04/18 05:26:42 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.52 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.53 2017/04/18 05:26:42 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -147,8 +147,7 @@ esp_hdrsiz(const struct secasvar *sav)
 
 	if (sav != NULL) {
 		/*XXX not right for null algorithm--does it matter??*/
-		IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
-			("%s: SA with null xform", __func__));
+		KASSERT(sav->tdb_encalgxform != NULL);
 		if (sav->flags & SADB_X_EXT_OLD)
 			size = sizeof(struct esp);
 		else
@@ -312,12 +311,11 @@ esp_input(struct mbuf *m, const struct s
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
-	IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__));
-	IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
-	    ("%s: null encoding xform", __func__));
-	IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
-	    ("%s: misaligned packet, skip %u pkt len %u", __func__,
-	    skip, m->m_pkthdr.len));
+	KASSERT(sav != NULL);
+	KASSERT(sav->tdb_encalgxform != NULL);
+	KASSERTMSG((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
+	    "misaligned packet, skip %u pkt len %u",
+	    skip, m->m_pkthdr.len);
 
 	/* XXX don't pullup, just copy header */
 	IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof(struct newesp));
@@ -405,10 +403,10 @@ esp_input(struct mbuf *m, const struct s
 	tc->tc_ptr = mtag;
 
 	if (esph) {
-		struct cryptodesc *crda = crp->crp_desc;
+		struct cryptodesc *crda;
 
-		IPSEC_ASSERT(crda != NULL, ("%s: null ah crypto descriptor",
-		    __func__));
+		KASSERT(crp->crp_desc != NULL);
+		crda = crp->crp_desc;
 
 		/* Authentication descriptor */
 		crda->crd_skip = skip;
@@ -455,8 +453,7 @@ esp_input(struct mbuf *m, const struct s
 
 	/* Decryption descriptor */
 	if (espx) {
-		IPSEC_ASSERT(crde != NULL, ("%s: null esp crypto descriptor",
-		    __func__));
+		KASSERTMSG(crde != NULL, "null esp crypto descriptor");
 		crde->crd_skip = skip + hlen;
 		if (espx->type == CRYPTO_AES_GMAC)
 			crde->crd_len = 0;
@@ -507,7 +504,6 @@ esp_input_cb(struct cryptop *crp)
 	uint8_t lastthree[3], aalg[AH_ALEN_MAX];
 	int s, hlen, skip, protoff, error;
 	struct mbuf *m;
-	struct cryptodesc *crd __diagused;
 	const struct auth_hash *esph;
 	struct tdb_crypto *tc;
 	struct m_tag *mtag;
@@ -517,12 +513,10 @@ esp_input_cb(struct cryptop *crp)
 	uint16_t dport;
 	uint16_t sport;
 
-	crd = crp->crp_desc;
-	IPSEC_ASSERT(crd != NULL, ("%s: null crypto descriptor!", __func__));
+	KASSERT(crp->crp_desc != NULL);
+	KASSERT(crp->crp_opaque != NULL);
 
 	tc = crp->crp_opaque;
-	IPSEC_ASSERT(tc != NULL, ("%s: null opaque crypto data area!",
-	    __func__));
 	skip = tc->tc_skip;
 	protoff = tc->tc_protoff;
 	mtag = tc->tc_ptr;
@@ -546,10 +540,9 @@ esp_input_cb(struct cryptop *crp)
 	}
 
 	saidx = &sav->sah->saidx;
-	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
+	KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
 	    saidx->dst.sa.sa_family == AF_INET6,
-	    ("%s: unexpected protocol family %u", __func__,
-	    saidx->dst.sa.sa_family));
+	    "unexpected protocol family %u", saidx->dst.sa.sa_family);
 
 	esph = sav->tdb_authalgxform;
 
@@ -738,11 +731,11 @@ esp_output(
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
+	KASSERT(isr->sav != NULL);
 	sav = isr->sav;
-	IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__));
 	esph = sav->tdb_authalgxform;
+	KASSERT(sav->tdb_encalgxform != NULL);
 	espx = sav->tdb_encalgxform;
-	IPSEC_ASSERT(espx != NULL, ("%s: null encoding xform", __func__));
 
 	if (sav->flags & SADB_X_EXT_OLD)
 		hlen = sizeof(struct esp) + sav->ivlen;
@@ -969,8 +962,8 @@ esp_output_cb(struct cryptop *crp)
 	struct mbuf *m;
 	int s, err, error;
 
+	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
-	IPSEC_ASSERT(tc != NULL, ("%s: null opaque data area!", __func__));
 	m = crp->crp_buf;
 
 	s = splsoftnet();
@@ -986,8 +979,8 @@ esp_output_cb(struct cryptop *crp)
 		error = ENOBUFS;		/*XXX*/
 		goto bad;
 	}
-	IPSEC_ASSERT(isr->sav == sav,
-	    ("%s: SA changed was %p now %p", __func__, isr->sav, sav));
+	KASSERTMSG(isr->sav == sav,
+	    "SA changed was %p now %p", isr->sav, sav);
 
 	/* Check for crypto errors. */
 	if (crp->crp_etype) {

Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.35 src/sys/netipsec/xform_ipcomp.c:1.36
--- src/sys/netipsec/xform_ipcomp.c:1.35	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/xform_ipcomp.c	Tue Apr 18 05:26:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.35 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.36 2017/04/18 05:26:42 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.35 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.36 2017/04/18 05:26:42 ozaki-r Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #if defined(_KERNEL_OPT)
@@ -243,9 +243,8 @@ ipcomp_input_cb(struct cryptop *crp)
 	uint16_t dport;
 	uint16_t sport;
 
+	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
-	IPSEC_ASSERT(tc != NULL, ("%s: null opaque crypto data area!",
-	    __func__));
 	skip = tc->tc_skip;
 	protoff = tc->tc_protoff;
 	m = crp->crp_buf;
@@ -265,10 +264,9 @@ ipcomp_input_cb(struct cryptop *crp)
 	}
 
 	saidx = &sav->sah->saidx;
-	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
-		saidx->dst.sa.sa_family == AF_INET6,
-		("%s: unexpected protocol family %u", __func__,
-		 saidx->dst.sa.sa_family));
+	KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
+	    saidx->dst.sa.sa_family == AF_INET6,
+	    "unexpected protocol family %u", saidx->dst.sa.sa_family);
 
 	/* Check for crypto errors */
 	if (crp->crp_etype) {
@@ -387,10 +385,10 @@ ipcomp_output(
 	struct tdb_crypto *tc;
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
+	KASSERT(isr->sav != NULL);
 	sav = isr->sav;
-	IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__));
+	KASSERT(sav->tdb_compalgxform != NULL);
 	ipcompx = sav->tdb_compalgxform;
-	IPSEC_ASSERT(ipcompx != NULL, ("%s: null compression xform", __func__));
 
 	ralen = m->m_pkthdr.len - skip;	/* Raw payload length before comp. */
     
@@ -519,9 +517,8 @@ ipcomp_output_cb(struct cryptop *crp)
 	uint16_t cpi;
 	struct ipcomp * ipcomp;
 
-
+	KASSERT(crp->crp_opaque != NULL);
 	tc = crp->crp_opaque;
-	IPSEC_ASSERT(tc != NULL, ("%s: null opaque data area!", __func__));
 	m = crp->crp_buf;
 	skip = tc->tc_skip;
 	rlen = crp->crp_ilen - skip;
@@ -537,7 +534,7 @@ ipcomp_output_cb(struct cryptop *crp)
 		error = ENOBUFS;		/*XXX*/
 		goto bad;
 	}
-	IPSEC_ASSERT(isr->sav == sav, ("%s: SA changed", __func__));
+	KASSERTMSG(isr->sav == sav, "SA changed");
 
 	/* Check for crypto errors */
 	if (crp->crp_etype) {

Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.46 src/sys/netipsec/xform_ipip.c:1.47
--- src/sys/netipsec/xform_ipip.c:1.46	Tue Apr 18 05:25:32 2017
+++ src/sys/netipsec/xform_ipip.c	Tue Apr 18 05:26:42 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipip.c,v 1.46 2017/04/18 05:25:32 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ipip.c,v 1.47 2017/04/18 05:26:42 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.46 2017/04/18 05:25:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.47 2017/04/18 05:26:42 ozaki-r Exp $");
 
 /*
  * IP-inside-IP processing
@@ -417,9 +417,9 @@ ipip_output(
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
+	KASSERT(isr->sav != NULL);
 	sav = isr->sav;
-	IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__));
-	IPSEC_ASSERT(sav->sah != NULL, ("%s: null SAH", __func__));
+	KASSERT(sav->sah != NULL);
 
 	/* XXX Deal with empty TDB source/destination addresses. */
 

Reply via email to