Hi,

iked does not use SA bundles: both callers of pfkey_sa_add() pass NULL as the second SA, so the pfkey_sagroup()/SADB_X_GRPSPIS path is never reached.

Does anyone plan to implement this?
ok to remove the dead code?

bluhm

Index: sbin/iked/iked.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/iked/iked.h,v
retrieving revision 1.114
diff -u -p -r1.114 iked.h
--- sbin/iked/iked.h    13 Apr 2017 07:04:09 -0000      1.114
+++ sbin/iked/iked.h    14 Apr 2017 20:55:26 -0000
@@ -858,7 +858,7 @@ int  pfkey_flow_add(int fd, struct iked_
 int     pfkey_flow_delete(int fd, struct iked_flow *);
 int     pfkey_block(int, int, unsigned int);
 int     pfkey_sa_init(int, struct iked_childsa *, uint32_t *);
-int     pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *);
+int     pfkey_sa_add(int, struct iked_childsa *);
 int     pfkey_sa_delete(int, struct iked_childsa *);
 int     pfkey_sa_last_used(int, struct iked_childsa *, uint64_t *);
 int     pfkey_flush(int);
Index: sbin/iked/ikev2.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.153
diff -u -p -r1.153 ikev2.c
--- sbin/iked/ikev2.c   13 Apr 2017 07:04:09 -0000      1.153
+++ sbin/iked/ikev2.c   14 Apr 2017 20:55:26 -0000
@@ -5080,7 +5080,7 @@ ikev2_childsa_enable(struct iked *env, s
                if (csa->csa_rekey || csa->csa_loaded)
                        continue;
 
-               if (pfkey_sa_add(env->sc_pfkey, csa, NULL) != 0) {
+               if (pfkey_sa_add(env->sc_pfkey, csa) != 0) {
                        log_debug("%s: failed to load CHILD SA spi %s",
                            __func__, print_spi(csa->csa_spi.spi,
                            csa->csa_spi.spi_size));
Index: sbin/iked/pfkey.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/iked/pfkey.c,v
retrieving revision 1.57
diff -u -p -r1.57 pfkey.c
--- sbin/iked/pfkey.c   27 Mar 2017 10:29:02 -0000      1.57
+++ sbin/iked/pfkey.c   14 Apr 2017 20:56:46 -0000
@@ -101,8 +101,6 @@ int pfkey_map(const struct pfkey_constma
 int    pfkey_flow(int, uint8_t, uint8_t, struct iked_flow *);
 int    pfkey_sa(int, uint8_t, uint8_t, struct iked_childsa *);
 int    pfkey_sa_getspi(int, uint8_t, struct iked_childsa *, uint32_t *);
-int    pfkey_sagroup(int, uint8_t, uint8_t,
-           struct iked_childsa *, struct iked_childsa *);
 int    pfkey_write(int, struct sadb_msg *, struct iovec *, int,
            uint8_t **, ssize_t *);
 int    pfkey_reply(int, uint8_t **, ssize_t *);
@@ -139,7 +137,7 @@ pfkey_couple(int sd, struct iked_sas *sa
        RB_FOREACH(sa, iked_sas, sas) {
                TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
                        if (!csa->csa_loaded && couple)
-                               (void)pfkey_sa_add(sd, csa, NULL);
+                               (void)pfkey_sa_add(sd, csa);
                        else if (csa->csa_loaded && !couple)
                                (void)pfkey_sa_delete(sd, csa);
                }
@@ -964,119 +962,6 @@ done:
 }
 
 int
-pfkey_sagroup(int sd, uint8_t satype1, uint8_t action,
-    struct iked_childsa *sa1, struct iked_childsa *sa2)
-{
-       struct sadb_msg         smsg;
-       struct sadb_sa          sadb1, sadb2;
-       struct sadb_address     sa_dst1, sa_dst2;
-       struct sockaddr_storage sdst1, sdst2;
-       struct sadb_protocol    sa_proto;
-       struct iovec            iov[IOV_CNT];
-       int                     iov_cnt;
-       uint8_t                 satype2;
-
-       if (pfkey_map(pfkey_satype, sa2->csa_saproto, &satype2) == -1)
-               return (-1);
-
-       bzero(&sdst1, sizeof(sdst1));
-       memcpy(&sdst1, &sa1->csa_peer->addr, sizeof(sdst1));
-       if (socket_af((struct sockaddr *)&sdst1, 0) == -1) {
-               log_warnx("%s: unsupported address family %d",
-                   __func__, sdst1.ss_family);
-               return (-1);
-       }
-
-       bzero(&sdst2, sizeof(sdst2));
-       memcpy(&sdst2, &sa2->csa_peer->addr, sizeof(sdst2));
-       if (socket_af((struct sockaddr *)&sdst2, 0) == -1) {
-               log_warnx("%s: unsupported address family %d",
-                   __func__, sdst2.ss_family);
-               return (-1);
-       }
-
-       bzero(&smsg, sizeof(smsg));
-       smsg.sadb_msg_version = PF_KEY_V2;
-       smsg.sadb_msg_seq = ++sadb_msg_seq;
-       smsg.sadb_msg_pid = getpid();
-       smsg.sadb_msg_len = sizeof(smsg) / 8;
-       smsg.sadb_msg_type = action;
-       smsg.sadb_msg_satype = satype1;
-
-       bzero(&sadb1, sizeof(sadb1));
-       sadb1.sadb_sa_len = sizeof(sadb1) / 8;
-       sadb1.sadb_sa_exttype = SADB_EXT_SA;
-       sadb1.sadb_sa_spi = htonl(sa1->csa_spi.spi);
-       sadb1.sadb_sa_state = SADB_SASTATE_MATURE;
-
-       bzero(&sadb2, sizeof(sadb2));
-       sadb2.sadb_sa_len = sizeof(sadb2) / 8;
-       sadb2.sadb_sa_exttype = SADB_X_EXT_SA2;
-       sadb2.sadb_sa_spi = htonl(sa2->csa_spi.spi);
-       sadb2.sadb_sa_state = SADB_SASTATE_MATURE;
-       iov_cnt = 0;
-
-       bzero(&sa_dst1, sizeof(sa_dst1));
-       sa_dst1.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
-       sa_dst1.sadb_address_len =
-           (sizeof(sa_dst1) + ROUNDUP(sdst1.ss_len)) / 8;
-
-       bzero(&sa_dst2, sizeof(sa_dst2));
-       sa_dst2.sadb_address_exttype = SADB_X_EXT_DST2;
-       sa_dst2.sadb_address_len =
-           (sizeof(sa_dst2) + ROUNDUP(sdst2.ss_len)) / 8;
-
-       bzero(&sa_proto, sizeof(sa_proto));
-       sa_proto.sadb_protocol_exttype = SADB_X_EXT_SATYPE2;
-       sa_proto.sadb_protocol_len = sizeof(sa_proto) / 8;
-       sa_proto.sadb_protocol_direction = 0;
-       sa_proto.sadb_protocol_proto = satype2;
-
-       /* header */
-       iov[iov_cnt].iov_base = &smsg;
-       iov[iov_cnt].iov_len = sizeof(smsg);
-       iov_cnt++;
-
-       /* sa */
-       iov[iov_cnt].iov_base = &sadb1;
-       iov[iov_cnt].iov_len = sizeof(sadb1);
-       smsg.sadb_msg_len += sadb1.sadb_sa_len;
-       iov_cnt++;
-
-       /* dst addr */
-       iov[iov_cnt].iov_base = &sa_dst1;
-       iov[iov_cnt].iov_len = sizeof(sa_dst1);
-       iov_cnt++;
-       iov[iov_cnt].iov_base = &sdst1;
-       iov[iov_cnt].iov_len = ROUNDUP(sdst1.ss_len);
-       smsg.sadb_msg_len += sa_dst1.sadb_address_len;
-       iov_cnt++;
-
-       /* second sa */
-       iov[iov_cnt].iov_base = &sadb2;
-       iov[iov_cnt].iov_len = sizeof(sadb2);
-       smsg.sadb_msg_len += sadb2.sadb_sa_len;
-       iov_cnt++;
-
-       /* second dst addr */
-       iov[iov_cnt].iov_base = &sa_dst2;
-       iov[iov_cnt].iov_len = sizeof(sa_dst2);
-       iov_cnt++;
-       iov[iov_cnt].iov_base = &sdst2;
-       iov[iov_cnt].iov_len = ROUNDUP(sdst2.ss_len);
-       smsg.sadb_msg_len += sa_dst2.sadb_address_len;
-       iov_cnt++;
-
-       /* SA type */
-       iov[iov_cnt].iov_base = &sa_proto;
-       iov[iov_cnt].iov_len = sizeof(sa_proto);
-       smsg.sadb_msg_len += sa_proto.sadb_protocol_len;
-       iov_cnt++;
-
-       return (pfkey_write(sd, &smsg, iov, iov_cnt, NULL, NULL));
-}
-
-int
 pfkey_write(int sd, struct sadb_msg *smsg, struct iovec *iov, int iov_cnt,
     uint8_t **datap, ssize_t *lenp)
 {
@@ -1300,7 +1185,7 @@ pfkey_sa_init(int fd, struct iked_childs
 }
 
 int
-pfkey_sa_add(int fd, struct iked_childsa *sa, struct iked_childsa *last)
+pfkey_sa_add(int fd, struct iked_childsa *sa)
 {
        uint8_t          satype;
        unsigned int     cmd;
@@ -1328,14 +1213,6 @@ pfkey_sa_add(int fd, struct iked_childsa
                        if (pfkey_sa(fd, satype, SADB_ADD, sa) == -1)
                                return (-1);
                } else {
-                       return (-1);
-               }
-       }
-
-       if (last && cmd == SADB_ADD) {
-               if (pfkey_sagroup(fd, satype,
-                   SADB_X_GRPSPIS, sa, last) == -1) {
-                       (void)pfkey_sa_delete(fd, sa);
                        return (-1);
                }
        }
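Review bot: With the grouping block gone, the only non-obvious logic left in pfkey_sa_add() is the fallback visible at the top of the hunk, where a second `pfkey_sa(fd, satype, SADB_ADD, sa)` is attempted inside a branch that otherwise returns -1, and it now has no comment explaining why a retry is expected to succeed; the enclosing `if` starts above the hunk and the function's tail is below it, so I cannot see the full condition. Since this is the path that would re-add an SA after a kernel rejection, I would add a hedged comment on the retry line, e.g. `/* ADD failed: presumably a stale SA with this SPI was left in the kernel, so retry once after deleting it -- confirm */`, so the next reader does not mistake it for a duplicate add. Unrelated to the removal itself, the `return (-1)` in the else branch is kept and the function still returns the same values to its two callers, so the signature change looks complete.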
