Module Name:    src
Committed By:   ozaki-r
Date:           Thu Feb 15 04:24:32 UTC 2018

Modified Files:
        src/sys/netipsec: xform_ah.c xform_esp.c xform_ipcomp.c

Log Message:
Don't relook up an SP/SA in opencrypto callbacks

We don't need to do so because we already hold a reference to it. Also,
looking one up again there may return an sp/sav whose parameters differ
from those of the original one.


To generate a diff of this commit:
cvs rdiff -u -r1.77 -r1.78 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.75 -r1.76 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.55 -r1.56 src/sys/netipsec/xform_ipcomp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.77 src/sys/netipsec/xform_ah.c:1.78
--- src/sys/netipsec/xform_ah.c:1.77	Wed Jan 24 13:49:23 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 04:24:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.77 2018/01/24 13:49:23 maxv Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.78 2018/02/15 04:24:32 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.77 2018/01/24 13:49:23 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.78 2018/02/15 04:24:32 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -824,18 +824,6 @@ ah_input_cb(struct cryptop *crp)
 	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	sav = tc->tc_sav;
-	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
-		KEY_SA_UNREF(&sav);
-		sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
-		    sport, dport);
-		if (sav == NULL) {
-			AH_STATINC(AH_STAT_NOTDB);
-			DPRINTF(("%s: SA expired while in crypto\n", __func__));
-			error = ENOBUFS;		/*XXX*/
-			goto bad;
-		}
-	}
-
 	saidx = &sav->sah->saidx;
 	KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
 	    saidx->dst.sa.sa_family == AF_INET6,
@@ -1218,24 +1206,6 @@ ah_output_cb(struct cryptop *crp)
 
 	isr = tc->tc_isr;
 	sav = tc->tc_sav;
-	if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) {
-		AH_STATINC(AH_STAT_NOTDB);
-		IPSECLOG(LOG_DEBUG,
-		    "SP is being destroyed while in crypto (id=%u)\n",
-		    isr->sp->id);
-		error = ENOENT;
-		goto bad;
-	}
-	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
-		KEY_SA_UNREF(&sav);
-		sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
-		if (sav == NULL) {
-			AH_STATINC(AH_STAT_NOTDB);
-			DPRINTF(("%s: SA expired while in crypto\n", __func__));
-			error = ENOBUFS;		/*XXX*/
-			goto bad;
-		}
-	}
 
 	/* Check for crypto errors. */
 	if (crp->crp_etype) {

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.75 src/sys/netipsec/xform_esp.c:1.76
--- src/sys/netipsec/xform_esp.c:1.75	Wed Feb 14 09:13:03 2018
+++ src/sys/netipsec/xform_esp.c	Thu Feb 15 04:24:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.75 2018/02/14 09:13:03 ozaki-r Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.76 2018/02/15 04:24:32 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.75 2018/02/14 09:13:03 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.76 2018/02/15 04:24:32 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -538,21 +538,6 @@ esp_input_cb(struct cryptop *crp)
 	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	sav = tc->tc_sav;
-	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
-		KEY_SA_UNREF(&sav);
-		sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
-		    sport, dport);
-		if (sav == NULL) {
-			ESP_STATINC(ESP_STAT_NOTDB);
-			DPRINTF(("%s: SA expired while in crypto "
-			    "(SA %s/%08lx proto %u)\n", __func__,
-			    ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
-			    (u_long) ntohl(tc->tc_spi), tc->tc_proto));
-			error = ENOBUFS;		/*XXX*/
-			goto bad;
-		}
-	}
-
 	saidx = &sav->sah->saidx;
 	KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
 	    saidx->dst.sa.sa_family == AF_INET6,
@@ -1000,28 +985,6 @@ esp_output_cb(struct cryptop *crp)
 
 	isr = tc->tc_isr;
 	sav = tc->tc_sav;
-	if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) {
-		ESP_STATINC(ESP_STAT_NOTDB);
-		IPSECLOG(LOG_DEBUG,
-		    "SP is being destroyed while in crypto (id=%u)\n",
-		    isr->sp->id);
-		error = ENOENT;
-		goto bad;
-	}
-	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
-		KEY_SA_UNREF(&sav);
-		sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
-		if (sav == NULL) {
-			char buf[IPSEC_ADDRSTRLEN];
-			ESP_STATINC(ESP_STAT_NOTDB);
-			DPRINTF(("%s: SA expired while in crypto (SA %s/%08lx "
-			    "proto %u)\n", __func__,
-			    ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
-			    (u_long) ntohl(tc->tc_spi), tc->tc_proto));
-			error = ENOBUFS;		/*XXX*/
-			goto bad;
-		}
-	}
 
 	/* Check for crypto errors. */
 	if (crp->crp_etype) {

Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.55 src/sys/netipsec/xform_ipcomp.c:1.56
--- src/sys/netipsec/xform_ipcomp.c:1.55	Wed Feb 14 09:13:03 2018
+++ src/sys/netipsec/xform_ipcomp.c	Thu Feb 15 04:24:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.55 2018/02/14 09:13:03 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.56 2018/02/15 04:24:32 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.55 2018/02/14 09:13:03 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.56 2018/02/15 04:24:32 ozaki-r Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #if defined(_KERNEL_OPT)
@@ -275,18 +275,6 @@ ipcomp_input_cb(struct cryptop *crp)
 	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	sav = tc->tc_sav;
-	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
-		KEY_SA_UNREF(&sav);
-		sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
-		    sport, dport);
-		if (sav == NULL) {
-			IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
-			DPRINTF(("%s: SA expired while in crypto\n", __func__));
-			error = ENOBUFS;		/*XXX*/
-			goto bad;
-		}
-	}
-
 	saidx = &sav->sah->saidx;
 	KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
 	    saidx->dst.sa.sa_family == AF_INET6,
@@ -567,24 +555,6 @@ ipcomp_output_cb(struct cryptop *crp)
 
 	isr = tc->tc_isr;
 	sav = tc->tc_sav;
-	if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) {
-		IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
-		IPSECLOG(LOG_DEBUG,
-		    "SP is being destroyed while in crypto (id=%u)\n",
-		    isr->sp->id);
-		error = ENOENT;
-		goto bad;
-	}
-	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
-		KEY_SA_UNREF(&sav);
-		sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
-		if (sav == NULL) {
-			IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
-			DPRINTF(("%s: SA expired while in crypto\n", __func__));
-			error = ENOBUFS;		/*XXX*/
-			goto bad;
-		}
-	}
 
 	/* Check for crypto errors */
 	if (crp->crp_etype) {
