Module Name: src Committed By: ozaki-r Date: Fri Jul 21 04:43:42 UTC 2017
Modified Files: src/sys/netipsec: key.c src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Stop setting isr->sav on looking up sav in key_checkrequest To generate a diff of this commit: cvs rdiff -u -r1.189 -r1.190 src/sys/netipsec/key.c cvs rdiff -u -r1.14 -r1.15 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.189 src/sys/netipsec/key.c:1.190
--- src/sys/netipsec/key.c:1.189 Fri Jul 21 04:39:08 2017
+++ src/sys/netipsec/key.c Fri Jul 21 04:43:42 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $ */
+/* $NetBSD: key.c,v 1.190 2017/07/21 04:43:42 ozaki-r Exp $ */
 /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.190 2017/07/21 04:43:42 ozaki-r Exp $");
 /*
 * This code is referd to RFC 2367
@@ -777,8 +777,8 @@ key_checkrequest(struct ipsecrequest *is
 {
 u_int level;
 int error;
- struct secasvar *oldsav = NULL;
 const struct secasindex *saidx = &isr->saidx;
+ struct secasvar *sav;
 KASSERT(isr != NULL);
 KASSERTMSG(saidx->mode == IPSEC_MODE_TRANSPORT ||
@@ -795,43 +795,10 @@ key_checkrequest(struct ipsecrequest *is
 * handle bundled SA's in the callback thread.
 */
 IPSEC_SPLASSERT_SOFTNET("key_checkrequest");
-#if 0
- /*
- * We do allocate new SA only if the state of SA in the holder is
- * SADB_SASTATE_DEAD. The SA for outbound must be the oldest.
- */
- if (isr->sav != NULL) {
- if (isr->sav == (struct secasvar *)LIST_FIRST(
- &isr->sav->sah->savtree[SADB_SASTATE_DEAD])) {
- KEY_FREESAV(&isr->sav);
- isr->sav = NULL;
- }
- }
-#else
- /*
- * we free any SA stashed in the IPsec request because a different
- * SA may be involved each time this request is checked, either
- * because new SAs are being configured, or this request is
- * associated with an unconnected datagram socket, or this request
- * is associated with a system default policy.
- *
- * The operation may have negative impact to performance. We may
- * want to check cached SA carefully, rather than picking new SA
- * every time.
- */
- if (isr->sav != NULL)
- oldsav = isr->sav;
-#endif
- isr->sav = key_lookup_sa_bysaidx(saidx);
- membar_producer();
- if (oldsav != NULL)
- KEY_FREESAV(&oldsav);
-
- /* When there is SA. */
- if (isr->sav != NULL) {
- *ret = isr->sav;
- SA_ADDREF(*ret);
+ sav = key_lookup_sa_bysaidx(saidx);
+ if (sav != NULL) {
+ *ret = sav;
 return 0;
 }
@@ -846,7 +813,6 @@ key_checkrequest(struct ipsecrequest *is
 if (level != IPSEC_LEVEL_REQUIRE) {
 /* XXX sigh, the interface to this routine is botched */
- KASSERTMSG(isr->sav == NULL, "unexpected SA");
 *ret = NULL;
 return 0;
 } else {
Index: src/tests/net/ipsec/t_ipsec_misc.sh
diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.14 src/tests/net/ipsec/t_ipsec_misc.sh:1.15
--- src/tests/net/ipsec/t_ipsec_misc.sh:1.14 Thu Jul 20 01:10:57 2017
+++ src/tests/net/ipsec/t_ipsec_misc.sh Fri Jul 21 04:43:42 2017
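Review bot: In key_checkrequest (src/sys/netipsec/key.c, hunk at -795) the new `*ret = sav;` hands the lookup result to the caller with the old `SA_ADDREF(*ret)` gone, and nothing in the new lines says who owns that reference now. The removed code released the previously cached SA with KEY_FREESAV, which suggests key_lookup_sa_bysaidx() returns a held reference that the caller must now drop; an unbalanced count on an SA ends as a leak or a use-after-free, so it is worth stating above the assignment, e.g. `/* The reference taken by the lookup is passed to the caller via *ret. */`. The block comment that ends just above IPSEC_SPLASSERT_SOFTNET begins outside the hunk; if it still describes isr->sav being replaced here, it is stale after this change. The function body starts and ends outside the hunk.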
@@ -1,4 +1,4 @@
-# $NetBSD: t_ipsec_misc.sh,v 1.14 2017/07/20 01:10:57 ozaki-r Exp $
+# $NetBSD: t_ipsec_misc.sh,v 1.15 2017/07/21 04:43:42 ozaki-r Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
@@ -152,21 +152,11 @@ test_ipsec4_lifetime()
 export RUMP_SERVER=$SOCK_LOCAL
 $DEBUG && $HIJACKING setkey -D
- atf_check -s exit:0 -o empty $HIJACKING setkey -D
- # The SA on output remain because sp/isr still refers it
- atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
- $HIJACKING setkey -D -a
- atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
- $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
 export RUMP_SERVER=$SOCK_PEER
 $DEBUG && $HIJACKING setkey -D
- atf_check -s exit:0 -o empty $HIJACKING setkey -D
- atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
- $HIJACKING setkey -D -a
- # The SA on output remain because sp/isr still refers it
- atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
- $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
 export RUMP_SERVER=$SOCK_LOCAL
 atf_check -s not-exit:0 -o match:'0 packets received' \
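Review bot: The replacement check `atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a` in test_ipsec4_lifetime carries no comment, whereas the lines it replaces explained why an outbound SA was still listed. A one-line comment such as `# After expiry no SA may remain, not even a dead one (-a lists those too)` would record what the test now guarantees. The match pattern is a regular expression, so the trailing `.` accepts any character; `'No SAD entries\.'` is stricter. Both points apply to the two checks in this hunk and to the two in the test_ipsec6_lifetime hunk.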
@@ -248,21 +238,11 @@ test_ipsec6_lifetime()
 export RUMP_SERVER=$SOCK_LOCAL
 $DEBUG && $HIJACKING setkey -D
- atf_check -s exit:0 -o empty $HIJACKING setkey -D
- # The SA on output remain because sp/isr still refers it
- atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
- $HIJACKING setkey -D -a
- atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
- $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
 export RUMP_SERVER=$SOCK_PEER
 $DEBUG && $HIJACKING setkey -D
- atf_check -s exit:0 -o empty $HIJACKING setkey -D
- atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
- $HIJACKING setkey -D -a
- # The SA on output remain because sp/isr still refers it
- atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
- $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
 export RUMP_SERVER=$SOCK_LOCAL
 atf_check -s not-exit:0 -o match:'0 packets received' \