Module Name: src
Committed By: ozaki-r
Date: Fri Jul 21 04:43:42 UTC 2017
Modified Files:
src/sys/netipsec: key.c
src/tests/net/ipsec: t_ipsec_misc.sh
Log Message:
Stop setting isr->sav on looking up sav in key_checkrequest
To generate a diff of this commit:
cvs rdiff -u -r1.189 -r1.190 src/sys/netipsec/key.c
cvs rdiff -u -r1.14 -r1.15 src/tests/net/ipsec/t_ipsec_misc.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.189 src/sys/netipsec/key.c:1.190
--- src/sys/netipsec/key.c:1.189 Fri Jul 21 04:39:08 2017
+++ src/sys/netipsec/key.c Fri Jul 21 04:43:42 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $ */
+/* $NetBSD: key.c,v 1.190 2017/07/21 04:43:42 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.190 2017/07/21 04:43:42 ozaki-r Exp $");
/*
* This code is referd to RFC 2367
@@ -777,8 +777,8 @@ key_checkrequest(struct ipsecrequest *is
{
u_int level;
int error;
- struct secasvar *oldsav = NULL;
const struct secasindex *saidx = &isr->saidx;
+ struct secasvar *sav;
KASSERT(isr != NULL);
KASSERTMSG(saidx->mode == IPSEC_MODE_TRANSPORT ||
@@ -795,43 +795,10 @@ key_checkrequest(struct ipsecrequest *is
* handle bundled SA's in the callback thread.
*/
IPSEC_SPLASSERT_SOFTNET("key_checkrequest");
-#if 0
- /*
- * We do allocate new SA only if the state of SA in the holder is
- * SADB_SASTATE_DEAD. The SA for outbound must be the oldest.
- */
- if (isr->sav != NULL) {
- if (isr->sav == (struct secasvar *)LIST_FIRST(
- &isr->sav->sah->savtree[SADB_SASTATE_DEAD])) {
- KEY_FREESAV(&isr->sav);
- isr->sav = NULL;
- }
- }
-#else
- /*
- * we free any SA stashed in the IPsec request because a different
- * SA may be involved each time this request is checked, either
- * because new SAs are being configured, or this request is
- * associated with an unconnected datagram socket, or this request
- * is associated with a system default policy.
- *
- * The operation may have negative impact to performance. We may
- * want to check cached SA carefully, rather than picking new SA
- * every time.
- */
- if (isr->sav != NULL)
- oldsav = isr->sav;
-#endif
- isr->sav = key_lookup_sa_bysaidx(saidx);
- membar_producer();
- if (oldsav != NULL)
- KEY_FREESAV(&oldsav);
-
- /* When there is SA. */
- if (isr->sav != NULL) {
- *ret = isr->sav;
- SA_ADDREF(*ret);
+ sav = key_lookup_sa_bysaidx(saidx);
+ if (sav != NULL) {
+ *ret = sav;
return 0;
}
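Review bot: Ownership of the reference returned through `*ret` is no longer stated at `*ret = sav;`. The old code took an explicit `SA_ADDREF(*ret)` on top of the reference cached in `isr->sav`, while the new code passes on whatever `key_lookup_sa_bysaidx()` returned. Presumably the lookup returns the SA with a reference already held (not visible in this hunk); if so, a comment such as `/* key_lookup_sa_bysaidx() returns a referenced SA; the caller must release *ret */` would make the contract explicit and guard against a later leak or use-after-free of key material. Since `isr->sav` is no longer written here, it is also worth confirming that no reader outside this hunk still expects it to be populated. The body of `key_checkrequest` starts and ends outside the hunk.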
@@ -846,7 +813,6 @@ key_checkrequest(struct ipsecrequest *is
if (level != IPSEC_LEVEL_REQUIRE) {
/* XXX sigh, the interface to this routine is botched */
- KASSERTMSG(isr->sav == NULL, "unexpected SA");
*ret = NULL;
return 0;
} else {
Index: src/tests/net/ipsec/t_ipsec_misc.sh
diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.14 src/tests/net/ipsec/t_ipsec_misc.sh:1.15
--- src/tests/net/ipsec/t_ipsec_misc.sh:1.14 Thu Jul 20 01:10:57 2017
+++ src/tests/net/ipsec/t_ipsec_misc.sh Fri Jul 21 04:43:42 2017
@@ -1,4 +1,4 @@
-# $NetBSD: t_ipsec_misc.sh,v 1.14 2017/07/20 01:10:57 ozaki-r Exp $
+# $NetBSD: t_ipsec_misc.sh,v 1.15 2017/07/21 04:43:42 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
@@ -152,21 +152,11 @@ test_ipsec4_lifetime()
export RUMP_SERVER=$SOCK_LOCAL
$DEBUG && $HIJACKING setkey -D
- atf_check -s exit:0 -o empty $HIJACKING setkey -D
- # The SA on output remain because sp/isr still refers it
- atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
- $HIJACKING setkey -D -a
- atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
- $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
export RUMP_SERVER=$SOCK_PEER
$DEBUG && $HIJACKING setkey -D
- atf_check -s exit:0 -o empty $HIJACKING setkey -D
- atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
- $HIJACKING setkey -D -a
- # The SA on output remain because sp/isr still refers it
- atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
- $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s not-exit:0 -o match:'0 packets received' \
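Review bot: The new `atf_check ... -o match:'No SAD entries.' ... setkey -D -a` line replaces a commented block but carries no comment saying what it now asserts. The same applies to the second check in this hunk and to both checks in the `test_ipsec6_lifetime` hunk. The removed comment explained that the outbound SA stayed visible under `-a` because sp/isr still referred to it, so a short replacement such as `# No SA, dead ones included (-a), may remain after the lifetime expires: isr no longer holds a reference` would record the intent. Because `match:` takes a regular expression, the trailing `.` matches any character; `'No SAD entries\.'` would pin the literal message.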
@@ -248,21 +238,11 @@ test_ipsec6_lifetime()
export RUMP_SERVER=$SOCK_LOCAL
$DEBUG && $HIJACKING setkey -D
- atf_check -s exit:0 -o empty $HIJACKING setkey -D
- # The SA on output remain because sp/isr still refers it
- atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
- $HIJACKING setkey -D -a
- atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
- $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
export RUMP_SERVER=$SOCK_PEER
$DEBUG && $HIJACKING setkey -D
- atf_check -s exit:0 -o empty $HIJACKING setkey -D
- atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
- $HIJACKING setkey -D -a
- # The SA on output remain because sp/isr still refers it
- atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
- $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s not-exit:0 -o match:'0 packets received' \