Module Name: src Committed By: ozaki-r Date: Tue May 23 04:26:08 UTC 2017
Modified Files: src/sys/netipsec: ipsec.c key.c Log Message: Disable secspacq stuffs that are now unused The stuff is used only if sp->policy == IPSEC_POLICY_IPSEC && sp->req == NULL (see ipsec{4,6}_checkpolicy). However, in the current implementation, sp->req is never NULL (except for the moments of SP allocation and deallocation) if sp->policy is IPSEC_POLICY_IPSEC. It seems that the facility was partially implemented in the KAME era and wasn't completed. Make it clear that the facility is unused for now by #ifdef notyet. Eventually we should complete the implementation or remove it entirely. To generate a diff of this commit: cvs rdiff -u -r1.92 -r1.93 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.138 -r1.139 src/sys/netipsec/key.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.92 src/sys/netipsec/ipsec.c:1.93
--- src/sys/netipsec/ipsec.c:1.92 Fri May 19 04:34:09 2017
+++ src/sys/netipsec/ipsec.c Tue May 23 04:26:08 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.92 2017/05/19 04:34:09 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.93 2017/05/23 04:26:08 ozaki-r Exp $ */
 /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.92 2017/05/19 04:34:09 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.93 2017/05/23 04:26:08 ozaki-r Exp $");
 
 /*
 * IPsec controller part.
@@ -644,8 +644,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int
 sp = NULL; /* NB: force NULL result */
 break;
 case IPSEC_POLICY_IPSEC:
- if (sp->req == NULL) /* acquire an SA */
- *error = key_spdacquire(sp);
+ KASSERT(sp->req != NULL);
 break;
 }
 if (*error != 0) {
@@ -890,8 +889,7 @@ ipsec6_checkpolicy(struct mbuf *m, u_int
 sp = NULL; /* NB: force NULL result */
 break;
 case IPSEC_POLICY_IPSEC:
- if (sp->req == NULL) /* acquire an SA */
- *error = key_spdacquire(sp);
+ KASSERT(sp->req != NULL);
 break;
 }
 if (*error != 0) {
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.138 src/sys/netipsec/key.c:1.139
--- src/sys/netipsec/key.c:1.138 Tue May 23 03:13:52 2017
+++ src/sys/netipsec/key.c Tue May 23 04:26:08 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.138 2017/05/23 03:13:52 ozaki-r Exp $ */
+/* $NetBSD: key.c,v 1.139 2017/05/23 04:26:08 ozaki-r Exp $ */
 /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
 
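Review bot: In the IPSEC_POLICY_IPSEC case of ipsec4_checkpolicy the removed `key_spdacquire()` call reported a policy with no request through `*error` and let the `if (*error != 0)` that follows handle it, whereas the new `KASSERT(sp->req != NULL)` compiles to nothing without DIAGNOSTIC, so a release kernel that ever meets such a policy now falls through with sp->req NULL and whatever the caller does with it afterwards (outside this hunk) is unguarded. The commit message itself concedes that req is NULL during SP allocation and deallocation, so the assertion should say where the invariant is actually established; I would keep it and add above it `/* req is set before the SP becomes reachable from sptree (key_spdadd), so it cannot be NULL here */`, hedged if that is not the only producer. The same applies to the ipsec6_checkpolicy hunk below it. Both functions begin and end outside their hunks.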
@@ -32,7 +32,7 @@
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.138 2017/05/23 03:13:52 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.139 2017/05/23 04:26:08 ozaki-r Exp $");
 
 /*
 * This code is referd to RFC 2367
@@ -150,7 +150,9 @@ static LIST_HEAD(_regtree, secreg) regtr
 #ifndef IPSEC_NONBLOCK_ACQUIRE
 static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
 #endif
+#ifdef notyet
 static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
+#endif
 
 /* search order for SAs */
 /*
@@ -488,8 +490,10 @@ static struct secacq *key_newacq (const
 static struct secacq *key_getacq (const struct secasindex *);
 static struct secacq *key_getacqbyseq (u_int32_t);
 #endif
+#ifdef notyet
 static struct secspacq *key_newspacq (const struct secpolicyindex *);
 static struct secspacq *key_getspacq (const struct secpolicyindex *);
+#endif
 static int key_acquire2 (struct socket *, struct mbuf *,
 const struct sadb_msghdr *);
 static int key_register (struct socket *, struct mbuf *,
@@ -1957,8 +1961,11 @@ key_spdadd(struct socket *so, struct mbu
 
 newsp->refcnt = 1; /* do not reclaim until I say I do */
 newsp->state = IPSEC_SPSTATE_ALIVE;
+ if (newsp->policy == IPSEC_POLICY_IPSEC)
+ KASSERT(newsp->req != NULL);
 LIST_INSERT_TAIL(&sptree[newsp->spidx.dir], newsp, secpolicy, chain);
 
+#ifdef notyet
 /* delete the entry in spacqtree */
 if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
 struct secspacq *spacq = key_getspacq(&spidx);
@@ -1968,6 +1975,7 @@ key_spdadd(struct socket *so, struct mbu
 spacq->count = 0;
 }
 }
+#endif
 
 /* Invalidate all cached SPD pointers in the PCBs. */
 ipsec_invalpcbcacheall();
@@ -2312,6 +2320,7 @@ key_spdget(struct socket *so, struct mbu
 return key_senderror(so, m, ENOBUFS);
 }
 
+#ifdef notyet
 /*
 * SADB_X_SPDACQUIRE processing.
 * Acquire policy and SA(s) for a *OUTBOUND* packet.
@@ -2382,6 +2391,7 @@ fail:
 m_freem(result);
 return error;
 }
+#endif /* notyet */
 
 /*
 * SADB_SPDFLUSH processing
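Review bot: The added `if (newsp->policy == IPSEC_POLICY_IPSEC) KASSERT(newsp->req != NULL);` in key_spdadd asserts on a property of an SP that is presumably built from the PF_KEY message passed in as `m`; if the producer of newsp (key_msg2sp, not in this hunk) can still yield an IPSEC policy with no request, a malformed SPDADD panics a DIAGNOSTIC kernel and silently links an SP with a NULL req into sptree otherwise, which is exactly the state the ipsec.c hunks now assume cannot exist. Unless that producer provably rejects the case, refusing the message before the list insert, `return key_senderror(so, m, EINVAL);` after releasing newsp, is the safer shape; if it does reject it, a one-line comment naming where the invariant is established would let the reader stop looking. Stylistically, an assertion under an unbraced if reads oddly; `KASSERT(newsp->policy != IPSEC_POLICY_IPSEC || newsp->req != NULL);` says the same on one line. The `+#endif` closing the spacqtree block in the second key_spdadd hunk also lacks the `/* notyet */` trailer used at the other closings in this commit, and key_spdadd begins and ends outside both hunks.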
@@ -4669,6 +4679,7 @@ key_timehandler_work(struct work *wk, vo
 }
 #endif
 
+#ifdef notyet
 /* SP ACQ tree */
 {
 struct secspacq *acq, *nextacq;
@@ -4681,6 +4692,7 @@ key_timehandler_work(struct work *wk, vo
 }
 }
 }
+#endif
 
 /* do exchange to tick time !! */
 callout_reset(&key_timehandler_ch, hz, key_timehandler, NULL);
@@ -6418,6 +6430,7 @@ key_getacqbyseq(u_int32_t seq)
 }
 #endif
 
+#ifdef notyet
 static struct secspacq *
 key_newspacq(const struct secpolicyindex *spidx)
 {
@@ -6450,6 +6463,7 @@ key_getspacq(const struct secpolicyindex
 
 return NULL;
 }
+#endif /* notyet */
 
 /*
 * SADB_ACQUIRE processing,
@@ -7676,7 +7690,9 @@ key_do_init(void)
 #ifndef IPSEC_NONBLOCK_ACQUIRE
 LIST_INIT(&acqtree);
 #endif
+#ifdef notyet
 LIST_INIT(&spacqtree);
+#endif
 
 /* system default */
 ip4_def_policy.policy = IPSEC_POLICY_NONE;