Module Name: src Committed By: ozaki-r Date: Thu Feb 15 04:24:32 UTC 2018
Modified Files: src/sys/netipsec: xform_ah.c xform_esp.c xform_ipcomp.c Log Message: Don't relook up an SP/SA in opencrypto callbacks. We don't need to do so because we have a reference to it. Also, looking one up again there may return an sp/sav that has different parameters from the original one. To generate a diff of this commit: cvs rdiff -u -r1.77 -r1.78 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.75 -r1.76 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.55 -r1.56 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.77 src/sys/netipsec/xform_ah.c:1.78 --- src/sys/netipsec/xform_ah.c:1.77 Wed Jan 24 13:49:23 2018 +++ src/sys/netipsec/xform_ah.c Thu Feb 15 04:24:32 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.77 2018/01/24 13:49:23 maxv Exp $ */ +/* $NetBSD: xform_ah.c,v 1.78 2018/02/15 04:24:32 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.77 2018/01/24 13:49:23 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.78 2018/02/15 04:24:32 ozaki-r Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -824,18 +824,6 @@ ah_input_cb(struct cryptop *crp) IPSEC_ACQUIRE_GLOBAL_LOCKS(); sav = tc->tc_sav; - if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { - KEY_SA_UNREF(&sav); - sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, - sport, dport); - if (sav == NULL) { - AH_STATINC(AH_STAT_NOTDB); - DPRINTF(("%s: SA expired while in crypto\n", __func__)); - error = ENOBUFS; /*XXX*/ - goto bad; - } - } - saidx = &sav->sah->saidx; KASSERTMSG(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, 
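Review bot: With the `SADB_SASTATE_USABLE_P(sav)` test gone, `ah_input_cb` finishes the packet on `tc->tc_sav` even if that SA stopped being usable while the request was in opencrypto, and nothing at the removal site records that this is deliberate. Per the log message the held reference keeps the object valid, and not substituting a re-looked-up SA avoids completing a packet under different parameters, so a short comment after `sav = tc->tc_sav;` would keep the check from being reintroduced, e.g. `/* tc_sav is referenced; never re-lookup here, a new SA may have different parameters */`. The same applies to the `esp_input_cb` and `ipcomp_input_cb` hunks and to the three `*_output_cb` hunks, where the `IPSEC_SPSTATE_DEAD` drop and its `*_STAT_NOTDB` accounting are removed as well. If packets are still meant to be discarded once the SA or SP is no longer usable, that needs an explicit drop without the lookup. In the visible lines `sport`/`dport` feed only `KEY_LOOKUP_SA`, so it is worth confirming they are still used in the input callbacks, whose bodies extend outside these hunks.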
@@ -1218,24 +1206,6 @@ ah_output_cb(struct cryptop *crp) isr = tc->tc_isr; sav = tc->tc_sav; - if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) { - AH_STATINC(AH_STAT_NOTDB); - IPSECLOG(LOG_DEBUG, - "SP is being destroyed while in crypto (id=%u)\n", - isr->sp->id); - error = ENOENT; - goto bad; - } - if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { - KEY_SA_UNREF(&sav); - sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); - if (sav == NULL) { - AH_STATINC(AH_STAT_NOTDB); - DPRINTF(("%s: SA expired while in crypto\n", __func__)); - error = ENOBUFS; /*XXX*/ - goto bad; - } - } /* Check for crypto errors. */ if (crp->crp_etype) { Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.75 src/sys/netipsec/xform_esp.c:1.76 --- src/sys/netipsec/xform_esp.c:1.75 Wed Feb 14 09:13:03 2018 +++ src/sys/netipsec/xform_esp.c Thu Feb 15 04:24:32 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.75 2018/02/14 09:13:03 ozaki-r Exp $ */ +/* $NetBSD: xform_esp.c,v 1.76 2018/02/15 04:24:32 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.75 2018/02/14 09:13:03 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.76 2018/02/15 04:24:32 ozaki-r Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -538,21 +538,6 @@ esp_input_cb(struct cryptop *crp) IPSEC_ACQUIRE_GLOBAL_LOCKS(); sav = tc->tc_sav; - if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { - KEY_SA_UNREF(&sav); - sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, - sport, dport); - if (sav == NULL) { - ESP_STATINC(ESP_STAT_NOTDB); - DPRINTF(("%s: SA expired while in crypto " - "(SA %s/%08lx proto %u)\n", __func__, - ipsec_address(&tc->tc_dst, buf, sizeof(buf)), - (u_long) ntohl(tc->tc_spi), tc->tc_proto)); - error = ENOBUFS; /*XXX*/ - goto bad; - } - } - saidx = &sav->sah->saidx; KASSERTMSG(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, @@ -1000,28 +985,6 @@ esp_output_cb(struct cryptop *crp) isr = tc->tc_isr; sav = tc->tc_sav; - if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) { - ESP_STATINC(ESP_STAT_NOTDB); - IPSECLOG(LOG_DEBUG, - "SP is being destroyed while in crypto (id=%u)\n", - isr->sp->id); - error = ENOENT; - goto bad; - } - if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { - KEY_SA_UNREF(&sav); - sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); - if (sav == NULL) { - char buf[IPSEC_ADDRSTRLEN]; - ESP_STATINC(ESP_STAT_NOTDB); - DPRINTF(("%s: SA expired while in crypto (SA %s/%08lx " - "proto %u)\n", __func__, - ipsec_address(&tc->tc_dst, buf, sizeof(buf)), - (u_long) ntohl(tc->tc_spi), tc->tc_proto)); - error = ENOBUFS; /*XXX*/ - goto bad; - } - } /* Check for crypto errors. */ if (crp->crp_etype) { Index: src/sys/netipsec/xform_ipcomp.c diff -u src/sys/netipsec/xform_ipcomp.c:1.55 src/sys/netipsec/xform_ipcomp.c:1.56 --- src/sys/netipsec/xform_ipcomp.c:1.55 Wed Feb 14 09:13:03 2018 +++ src/sys/netipsec/xform_ipcomp.c Thu Feb 15 04:24:32 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.55 2018/02/14 09:13:03 ozaki-r Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.56 2018/02/15 04:24:32 ozaki-r Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.55 2018/02/14 09:13:03 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.56 2018/02/15 04:24:32 ozaki-r Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) @@ -275,18 +275,6 @@ ipcomp_input_cb(struct cryptop *crp) IPSEC_ACQUIRE_GLOBAL_LOCKS(); sav = tc->tc_sav; - if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { - KEY_SA_UNREF(&sav); - sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, - sport, dport); - if (sav == NULL) { - IPCOMP_STATINC(IPCOMP_STAT_NOTDB); - DPRINTF(("%s: SA expired while in crypto\n", __func__)); - error = ENOBUFS; /*XXX*/ - goto bad; - } - } - saidx = &sav->sah->saidx; KASSERTMSG(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, @@ -567,24 +555,6 @@ ipcomp_output_cb(struct cryptop *crp) isr = tc->tc_isr; sav = tc->tc_sav; - if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) { - IPCOMP_STATINC(IPCOMP_STAT_NOTDB); - IPSECLOG(LOG_DEBUG, - "SP is being destroyed while in crypto (id=%u)\n", - isr->sp->id); - error = ENOENT; - goto bad; - } - if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) { - KEY_SA_UNREF(&sav); - sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); - if (sav == NULL) { - IPCOMP_STATINC(IPCOMP_STAT_NOTDB); - DPRINTF(("%s: SA expired while in crypto\n", __func__)); - error = ENOBUFS; /*XXX*/ - goto bad; - } - } /* Check for crypto errors */ if (crp->crp_etype) {