From owner-p4-projects@FreeBSD.ORG  Sun Jan 15 02:42:05 2006
Return-Path: <owner-p4-projects@FreeBSD.ORG>
X-Original-To: p4-projects@freebsd.org
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id AAA2D16A420; Sun, 15 Jan 2006 02:42:04 +0000 (GMT)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6B4A216A424
	for <perforce@freebsd.org>; Sun, 15 Jan 2006 02:42:04 +0000 (GMT)
	(envelope-from gnn@neville-neil.com)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9761043D4C
	for <perforce@freebsd.org>; Sun, 15 Jan 2006 02:42:03 +0000 (GMT)
	(envelope-from gnn@neville-neil.com)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id k0F2g3Rp033406
	for <perforce@freebsd.org>; Sun, 15 Jan 2006 02:42:03 GMT
	(envelope-from gnn@neville-neil.com)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.13.1/8.13.1/Submit) id k0F2g3Nn033403
	for perforce@freebsd.org; Sun, 15 Jan 2006 02:42:03 GMT
	(envelope-from gnn@neville-neil.com)
Date: Sun, 15 Jan 2006 02:42:03 GMT
Message-Id: <200601150242.k0F2g3Nn033403@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	gnn@neville-neil.com using -f
From: "George V. Neville-Neil" <gnn@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Cc: 
Subject: PERFORCE change 89716 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2006 02:42:05 -0000

http://perforce.freebsd.org/chv.cgi?CH=89716

Change 89716 by gnn@gnn_devbox_fast_ipsec on 2006/01/15 02:41:52

	First cut at removing PF_KEY data structures from the keydb.  This code
	does not work completely yet but needs to be saved.

Affected files ...

.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.c#2 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/key.c#2 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/key_var.h#2 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/keydb.h#2 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/xform_ah.c#2 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/xform_esp.c#2 edit
.. //depot/projects/gnn_fast_ipsec/src/sys/netipsec/xform_tcp.c#2 edit

Differences ...

==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/ipsec.c#2 (text+ko) ====

@@ -92,6 +92,7 @@
 
 #include <machine/in_cksum.h>
 
+#define IPSEC_DEBUG
 #ifdef IPSEC_DEBUG
 int ipsec_debug = 1;
 #else

==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/key.c#2 (text+ko) ====

@@ -420,7 +420,10 @@
 static struct mbuf *key_setsadbxsa2 __P((u_int8_t, u_int32_t, u_int32_t));
 static struct mbuf *key_setsadbxpolicy __P((u_int16_t, u_int8_t,
 	u_int32_t));
-static void *key_dup(const void *, u_int, struct malloc_type *);
+static struct seckey *key_dup_keymsg(const struct sadb_key *, u_int, 
+				     struct malloc_type *);
+static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src,
+					    struct malloc_type *type);
 #ifdef INET6
 static int key_ismyaddr6 __P((struct sockaddr_in6 *));
 #endif
@@ -488,6 +491,10 @@
 static int key_senderror __P((struct socket *, struct mbuf *, int));
 static int key_validate_ext __P((const struct sadb_ext *, int));
 static int key_align __P((struct mbuf *, struct sadb_msghdr *));
+static struct mbuf *key_setlifetime(struct seclifetime *src, 
+				     u_int16_t exttype);
+static struct mbuf *key_setkey(struct seckey *src, u_int16_t exttype);
+
 #if 0
 static const char *key_getfqdn __P((void));
 static const char *key_getuserfqdn __P((void));
@@ -909,8 +916,8 @@
 
 		/* What the best method is to compare ? */
 		if (key_preferred_oldsa) {
-			if (candidate->lft_c->sadb_lifetime_addtime >
-					sav->lft_c->sadb_lifetime_addtime) {
+			if (candidate->lft_c->addtime >
+					sav->lft_c->addtime) {
 				candidate = sav;
 			}
 			continue;
@@ -918,8 +925,8 @@
 		}
 
 		/* preferred new sa rather than old sa */
-		if (candidate->lft_c->sadb_lifetime_addtime <
-				sav->lft_c->sadb_lifetime_addtime) {
+		if (candidate->lft_c->addtime <
+				sav->lft_c->addtime) {
 			d = candidate;
 			candidate = sav;
 		} else
@@ -930,7 +937,7 @@
 		 * suitable candidate and the lifetime of the SA is not
 		 * permanent.
 		 */
-		if (d->lft_c->sadb_lifetime_addtime != 0) {
+		if (d->lft_c->addtime != 0) {
 			struct mbuf *m, *result;
 			u_int8_t satype;
 
@@ -2787,9 +2794,9 @@
 	} else {
 		KASSERT(sav->iv == NULL, ("iv but no xform"));
 		if (sav->key_auth != NULL)
-			bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
+			bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
 		if (sav->key_enc != NULL)
-			bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
+			bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
 	}
 	if (sav->key_auth != NULL) {
 		free(sav->key_auth, M_IPSEC_MISC);
@@ -3038,9 +3045,11 @@
 			goto fail;
 		}
 
-		sav->key_auth = key_dup(key0, len, M_IPSEC_MISC);
-		if (sav->key_auth == NULL) {
-			ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
+		sav->key_auth = (struct seckey *)key_dup_keymsg(key0, len,
+								M_IPSEC_MISC);
+		if (sav->key_auth == NULL ) {
+			ipseclog((LOG_DEBUG, "%s: No more memory.\n",
+				  __func__));
 			error = ENOBUFS;
 			goto fail;
 		}
@@ -3061,12 +3070,15 @@
 		}
 		switch (mhp->msg->sadb_msg_satype) {
 		case SADB_SATYPE_ESP:
+		  /* XXX FIX ME */
 			if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
 			    sav->alg_enc != SADB_EALG_NULL) {
 				error = EINVAL;
 				break;
 			}
-			sav->key_enc = key_dup(key0, len, M_IPSEC_MISC);
+			sav->key_enc = (struct seckey *)key_dup_keymsg(key0,
+								       len,
+								       M_IPSEC_MISC);
 			if (sav->key_enc == NULL) {
 				ipseclog((LOG_DEBUG, "%s: No more memory.\n",
 					__func__));
@@ -3126,13 +3138,10 @@
 		goto fail;
 	}
 
-	sav->lft_c->sadb_lifetime_len =
-	    PFKEY_UNIT64(sizeof(struct sadb_lifetime));
-	sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
-	sav->lft_c->sadb_lifetime_allocations = 0;
-	sav->lft_c->sadb_lifetime_bytes = 0;
-	sav->lft_c->sadb_lifetime_addtime = time_second;
-	sav->lft_c->sadb_lifetime_usetime = 0;
+	sav->lft_c->allocations = 0;
+	sav->lft_c->bytes = 0;
+	sav->lft_c->addtime = time_second;
+	sav->lft_c->usetime = 0;
 
 	/* lifetimes for HARD and SOFT */
     {
@@ -3144,7 +3153,7 @@
 			error = EINVAL;
 			goto fail;
 		}
-		sav->lft_h = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC);
+		sav->lft_h = key_dup_lifemsg(lft0, M_IPSEC_MISC);
 		if (sav->lft_h == NULL) {
 			ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
 			error = ENOBUFS;
@@ -3159,7 +3168,7 @@
 			error = EINVAL;
 			goto fail;
 		}
-		sav->lft_s = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC);
+		sav->lft_s = key_dup_lifemsg(lft0, M_IPSEC_MISC);
 		if (sav->lft_s == NULL) {
 			ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
 			error = ENOBUFS;
@@ -3271,9 +3280,7 @@
 	u_int32_t seq, pid;
 {
 	struct mbuf *result = NULL, *tres = NULL, *m;
-	int l = 0;
 	int i;
-	void *p;
 	int dumporder[] = {
 		SADB_EXT_SA, SADB_X_EXT_SA2,
 		SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
@@ -3290,7 +3297,6 @@
 
 	for (i = sizeof(dumporder)/sizeof(dumporder[0]) - 1; i >= 0; i--) {
 		m = NULL;
-		p = NULL;
 		switch (dumporder[i]) {
 		case SADB_EXT_SA:
 			m = key_setsadbsa(sav);
@@ -3325,36 +3331,45 @@
 		case SADB_EXT_KEY_AUTH:
 			if (!sav->key_auth)
 				continue;
-			l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len);
-			p = sav->key_auth;
+			m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH);
+			if (!m)
+				goto fail;
 			break;
 
 		case SADB_EXT_KEY_ENCRYPT:
 			if (!sav->key_enc)
 				continue;
-			l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len);
-			p = sav->key_enc;
+			m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT);
+			if (!m)
+				goto fail;
 			break;
 
 		case SADB_EXT_LIFETIME_CURRENT:
 			if (!sav->lft_c)
 				continue;
-			l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len);
-			p = sav->lft_c;
+			m = key_setlifetime(sav->lft_c, 
+					    SADB_EXT_LIFETIME_CURRENT);
+			if (!m)
+				goto fail;
 			break;
 
 		case SADB_EXT_LIFETIME_HARD:
 			if (!sav->lft_h)
 				continue;
-			l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len);
-			p = sav->lft_h;
+			m = key_setlifetime(sav->lft_h, 
+					    SADB_EXT_LIFETIME_HARD);
+			if (!m)
+				goto fail;
 			break;
 
 		case SADB_EXT_LIFETIME_SOFT:
 			if (!sav->lft_s)
 				continue;
-			l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len);
-			p = sav->lft_s;
+			m = key_setlifetime(sav->lft_h, 
+					    SADB_EXT_LIFETIME_SOFT);
+
+			if (!m)
+				goto fail;
 			break;
 
 		case SADB_EXT_ADDRESS_PROXY:
@@ -3366,29 +3381,15 @@
 			continue;
 		}
 
-		if ((!m && !p) || (m && p))
+		if (!m)
 			goto fail;
-		if (p && tres) {
-			M_PREPEND(tres, l, M_DONTWAIT);
-			if (!tres)
-				goto fail;
-			bcopy(p, mtod(tres, caddr_t), l);
-			continue;
-		}
-		if (p) {
-			m = key_alloc_mbuf(l);
-			if (!m)
-				goto fail;
-			m_copyback(m, 0, l, p);
-		}
-
 		if (tres)
 			m_cat(m, tres);
 		tres = m;
+		  
 	}
 
 	m_cat(result, tres);
-
 	if (result->m_len < sizeof(struct sadb_msg)) {
 		result = m_pullup(result, sizeof(struct sadb_msg));
 		if (result == NULL)
@@ -3609,21 +3610,67 @@
 }
 
 /* %%% utilities */
-/*
- * copy a buffer into the new buffer allocated.
+/* Take a key message (sadb_key) from the socket and turn it into one
+ * of the kernel's key structures (seckey).
+ *
+ * IN: pointer to the src
+ * OUT: NULL no more memory
+ */
+struct seckey *
+key_dup_keymsg(const struct sadb_key *src, u_int len,
+	       struct malloc_type *type)
+{
+	struct seckey *dst = NULL;
+	dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
+	if (dst != NULL) {
+		dst->bits = src->sadb_key_bits;
+		dst->key_data = (char *)malloc(len, type, M_NOWAIT);
+		if (dst->key_data != NULL) {
+			bcopy(src + sizeof(struct sadb_key), 
+			      dst->key_data, len);
+			ipseclog((LOG_DEBUG, "%s: source bits %p\n", __func__,
+				  src + sizeof(struct sadb_key)));
+			ipseclog((LOG_DEBUG, "%s: dst bits %p\n", __func__,
+				  dst->key_data));
+		} else {
+			ipseclog((LOG_DEBUG, "%s: No more memory.\n", 
+				  __func__));
+			free(dst, type);
+			dst = NULL;
+		}
+	} else {
+		ipseclog((LOG_DEBUG, "%s: No more memory.\n", 
+			  __func__));
+
+	}
+	return dst;
+}
+
+/* Take a lifetime message (sadb_lifetime) passed in on a socket and
+ * turn it into one of the kernel's lifetime structures (seclifetime).
+ *
+ * IN: pointer to the destination, source and malloc type
+ * OUT: NULL, no more memory
  */
-static void *
-key_dup(const void *src, u_int len, struct malloc_type *type)
+
+static struct seclifetime *
+key_dup_lifemsg(const struct sadb_lifetime *src,
+		 struct malloc_type *type)
 {
-	void *copy;
+	struct seclifetime *dst = NULL;
 
-	copy = malloc(len, type, M_NOWAIT);
-	if (copy == NULL) {
+	dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), 
+					   type, M_NOWAIT);
+	if (dst == NULL) {
 		/* XXX counter */
 		ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
-	} else
-		bcopy(src, copy, len);
-	return copy;
+	} else {
+		dst->allocations = src->sadb_lifetime_allocations;
+		dst->bytes = src->sadb_lifetime_bytes;
+		dst->addtime = src->sadb_lifetime_addtime;
+		dst->usetime = src->sadb_lifetime_usetime;
+	}
+	return dst;
 }
 
 /* compare my own address
@@ -4071,13 +4118,13 @@
 			}
 
 			/* check SOFT lifetime */
-			if (sav->lft_s->sadb_lifetime_addtime != 0 &&
-			    now - sav->created > sav->lft_s->sadb_lifetime_addtime) {
+			if (sav->lft_s->addtime != 0 &&
+			    now - sav->created > sav->lft_s->addtime) {
 				/*
 				 * check SA to be used whether or not.
 				 * when SA hasn't been used, delete it.
 				 */
-				if (sav->lft_c->sadb_lifetime_usetime == 0) {
+				if (sav->lft_c->usetime == 0) {
 					key_sa_chgstate(sav, SADB_SASTATE_DEAD);
 					KEY_FREESAV(&sav);
 				} else {
@@ -4096,8 +4143,8 @@
 			 * when new SA is installed.  Caution when it's
 			 * installed too big lifetime by time.
 			 */
-			else if (sav->lft_s->sadb_lifetime_bytes != 0 &&
-			    sav->lft_s->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {
+			else if (sav->lft_s->bytes != 0 &&
+			    sav->lft_s->bytes < sav->lft_c->bytes) {
 
 				key_sa_chgstate(sav, SADB_SASTATE_DYING);
 				/*
@@ -4122,15 +4169,15 @@
 				continue;
 			}
 
-			if (sav->lft_h->sadb_lifetime_addtime != 0 &&
-			    now - sav->created > sav->lft_h->sadb_lifetime_addtime) {
+			if (sav->lft_h->addtime != 0 &&
+			    now - sav->created > sav->lft_h->addtime) {
 				key_sa_chgstate(sav, SADB_SASTATE_DEAD);
 				KEY_FREESAV(&sav);
 			}
 #if 0	/* XXX Should we keep to send expire message until HARD lifetime ? */
 			else if (sav->lft_s != NULL
-			      && sav->lft_s->sadb_lifetime_addtime != 0
-			      && now - sav->created > sav->lft_s->sadb_lifetime_addtime) {
+			      && sav->lft_s->addtime != 0
+			      && now - sav->created > sav->lft_s->addtime) {
 				/*
 				 * XXX: should be checked to be
 				 * installed the valid SA.
@@ -4144,8 +4191,8 @@
 			}
 #endif
 			/* check HARD lifetime by bytes */
-			else if (sav->lft_h->sadb_lifetime_bytes != 0 &&
-			    sav->lft_h->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {
+			else if (sav->lft_h->bytes != 0 &&
+			    sav->lft_h->bytes < sav->lft_c->bytes) {
 				key_sa_chgstate(sav, SADB_SASTATE_DEAD);
 				KEY_FREESAV(&sav);
 			}
@@ -4977,20 +5024,23 @@
 	}
 
 	/* make structure */
-	sah->idents = malloc(idsrclen, M_IPSEC_MISC, M_NOWAIT);
+	sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
 	if (sah->idents == NULL) {
 		ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 		return ENOBUFS;
 	}
-	sah->identd = malloc(iddstlen, M_IPSEC_MISC, M_NOWAIT);
+	sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
 	if (sah->identd == NULL) {
 		free(sah->idents, M_IPSEC_MISC);
 		sah->idents = NULL;
 		ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
 		return ENOBUFS;
 	}
-	bcopy(idsrc, sah->idents, idsrclen);
-	bcopy(iddst, sah->identd, iddstlen);
+	sah->idents->type = idsrc->sadb_ident_type;
+	sah->idents->id = idsrc->sadb_ident_id;
+
+	sah->identd->type = iddst->sadb_ident_type;
+	sah->identd->id = iddst->sadb_ident_id;
 
 	return 0;
 }
@@ -6262,10 +6312,10 @@
 	lt = mtod(m, struct sadb_lifetime *);
 	lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
 	lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
-	lt->sadb_lifetime_allocations = sav->lft_c->sadb_lifetime_allocations;
-	lt->sadb_lifetime_bytes = sav->lft_c->sadb_lifetime_bytes;
-	lt->sadb_lifetime_addtime = sav->lft_c->sadb_lifetime_addtime;
-	lt->sadb_lifetime_usetime = sav->lft_c->sadb_lifetime_usetime;
+	lt->sadb_lifetime_allocations = sav->lft_c->allocations;
+	lt->sadb_lifetime_bytes = sav->lft_c->bytes;
+	lt->sadb_lifetime_addtime = sav->lft_c->addtime;
+	lt->sadb_lifetime_usetime = sav->lft_c->usetime;
 	lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
 	bcopy(sav->lft_s, lt, sizeof(*lt));
 	m_cat(result, m);
@@ -7103,21 +7153,21 @@
 	 * XXX Currently, there is a difference of bytes size
 	 * between inbound and outbound processing.
 	 */
-	sav->lft_c->sadb_lifetime_bytes += m->m_pkthdr.len;
+	sav->lft_c->bytes += m->m_pkthdr.len;
 	/* to check bytes lifetime is done in key_timehandler(). */
 
 	/*
 	 * We use the number of packets as the unit of
-	 * sadb_lifetime_allocations.  We increment the variable
+	 * allocations.  We increment the variable
 	 * whenever {esp,ah}_{in,out}put is called.
 	 */
-	sav->lft_c->sadb_lifetime_allocations++;
+	sav->lft_c->allocations++;
 	/* XXX check for expires? */
 
 	/*
-	 * NOTE: We record CURRENT sadb_lifetime_usetime by using wall clock,
+	 * NOTE: We record CURRENT usetime by using wall clock,
 	 * in seconds.  HARD and SOFT lifetime are measured by the time
-	 * difference (again in seconds) from sadb_lifetime_usetime.
+	 * difference (again in seconds) from usetime.
 	 *
 	 *	usetime
 	 *	v     expire   expire
@@ -7125,7 +7175,7 @@
 	 *	<--------------> HARD
 	 *	<-----> SOFT
 	 */
-	sav->lft_c->sadb_lifetime_usetime = time_second;
+	sav->lft_c->usetime = time_second;
 	/* XXX check for expires? */
 
 	return;
@@ -7214,3 +7264,55 @@
 
 	return m;
 }
+
+static struct mbuf *
+key_setkey(struct seckey *src, u_int16_t exttype) 
+{
+	struct mbuf *m;
+	struct sadb_key *p;
+	int len = PFKEY_ALIGN8(sizeof(struct sadb_key));
+
+	if (src == NULL)
+		return NULL;
+
+	m = key_alloc_mbuf(len);
+	if (m == NULL)
+		return NULL;
+	p = mtod(m, struct sadb_key *);
+	bzero(p, len);
+	p->sadb_key_len = PFKEY_UNIT64(len);
+	p->sadb_key_exttype = exttype;
+	p->sadb_key_bits = src->bits;
+	ipseclog((LOG_DEBUG, "%s: setting key data %s\n", 
+			   __func__, src->key_data));
+	bcopy(src->key_data, _KEYBUF(p), len);
+
+	return m;
+}
+
+static struct mbuf *
+key_setlifetime(struct seclifetime *src, u_int16_t exttype)
+{
+	struct mbuf *m = NULL;
+	struct sadb_lifetime *p;
+	int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime));
+
+	if (src == NULL)
+		return NULL;
+
+	m = key_alloc_mbuf(len);
+	if (m == NULL)
+		return m;
+	p = mtod(m, struct sadb_lifetime *);
+
+	bzero(p, len);
+	p->sadb_lifetime_len = PFKEY_UNIT64(len);
+	p->sadb_lifetime_exttype = exttype;
+	p->sadb_lifetime_allocations = src->allocations;
+	p->sadb_lifetime_bytes = src->bytes;
+	p->sadb_lifetime_addtime = src->addtime;
+	p->sadb_lifetime_usetime = src->usetime;
+	
+	return m;
+
+}

==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/key_var.h#2 (text+ko) ====

@@ -66,8 +66,8 @@
 
 #ifdef _KERNEL
 #define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
-#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
-#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
+#define _KEYLEN(key) ((u_int)((key)->bits >> 3))
+#define _KEYBITS(key) ((u_int)((key)->bits))
 #define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
 #endif /*_KERNEL*/
 

==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/keydb.h#2 (text+ko) ====

@@ -60,14 +60,39 @@
 					/* see IPSEC_MANUAL_REQID_MAX. */
 };
 
+/* 
+ * In order to split out the keydb implementation from that of the
+ * PF_KEY sockets we need to define a few structures that while they
+ * may seem common are likely to diverge over time. 
+ */
+
+/* sadb_identity */
+struct secident {
+	u_int16_t type;
+	u_int64_t id;
+};
+
+/* sadb_key */
+struct seckey {
+	u_int16_t bits;
+	char *key_data;
+};
+
+struct seclifetime {
+	u_int32_t allocations;
+	u_int64_t bytes;
+	u_int64_t addtime;
+	u_int64_t usetime;
+};
+
 /* Security Association Data Base */
 struct secashead {
 	LIST_ENTRY(secashead) chain;
 
 	struct secasindex saidx;
 
-	struct sadb_ident *idents;	/* source identity */
-	struct sadb_ident *identd;	/* destination identity */
+	struct secident *idents;	/* source identity */
+	struct secident *identd;	/* destination identity */
 					/* XXX I don't know how to use them. */
 
 	u_int8_t state;			/* MATURE or DEAD. */
@@ -97,8 +122,8 @@
 	u_int32_t spi;			/* SPI Value, network byte order */
 	u_int32_t flags;		/* holder for SADB_KEY_FLAGS */
 
-	struct sadb_key *key_auth;	/* Key for Authentication */
-	struct sadb_key *key_enc;	/* Key for Encryption */
+	struct seckey *key_auth;	/* Key for Authentication */
+	struct seckey *key_enc;	        /* Key for Encryption */
 	caddr_t iv;			/* Initilization Vector */
 	u_int ivlen;			/* length of IV */
 	void *sched;			/* intermediate encryption key */
@@ -107,9 +132,9 @@
 	struct secreplay *replay;	/* replay prevention */
 	time_t created;			/* for lifetime */
 
-	struct sadb_lifetime *lft_c;	/* CURRENT lifetime, it's constant. */
-	struct sadb_lifetime *lft_h;	/* HARD lifetime */
-	struct sadb_lifetime *lft_s;	/* SOFT lifetime */
+	struct seclifetime *lft_c;	/* CURRENT lifetime, it's constant. */
+	struct seclifetime *lft_h;	/* HARD lifetime */
+	struct seclifetime *lft_s;	/* SOFT lifetime */
 
 	u_int32_t seq;			/* sequence number */
 	pid_t pid;			/* message's pid */

==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/xform_ah.c#2 (text+ko) ====

@@ -201,7 +201,7 @@
 	bzero(cria, sizeof (*cria));
 	cria->cri_alg = sav->tdb_authalgxform->type;
 	cria->cri_klen = _KEYBITS(sav->key_auth);
-	cria->cri_key = _KEYBUF(sav->key_auth);
+	cria->cri_key = sav->key_auth->key_data;
 
 	return 0;
 }
@@ -231,7 +231,7 @@
 	int err;
 
 	if (sav->key_auth)
-		bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
+		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
 
 	err = crypto_freesession(sav->tdb_cryptoid);
 	sav->tdb_cryptoid = 0;
@@ -622,8 +622,8 @@
 
 	/* Authentication operation. */
 	crda->crd_alg = ahx->type;
-	crda->crd_key = _KEYBUF(sav->key_auth);
 	crda->crd_klen = _KEYBITS(sav->key_auth);
+	crda->crd_key = sav->key_auth->key_data;
 
 	/* Find out if we've already done crypto. */
 	for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
@@ -1014,7 +1014,7 @@
 
 	/* Authentication operation. */
 	crda->crd_alg = ahx->type;
-	crda->crd_key = _KEYBUF(sav->key_auth);
+	crda->crd_key = sav->key_auth->key_data;
 	crda->crd_klen = _KEYBITS(sav->key_auth);
 
 	/* Allocate IPsec-specific opaque crypto info. */

==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/xform_esp.c#2 (text+ko) ====

@@ -215,7 +215,7 @@
 	bzero(&crie, sizeof (crie));
 	crie.cri_alg = sav->tdb_encalgxform->type;
 	crie.cri_klen = _KEYBITS(sav->key_enc);
-	crie.cri_key = _KEYBUF(sav->key_enc);
+	crie.cri_key = sav->key_enc->key_data;
 	/* XXX Rounds ? */
 
 	if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
@@ -248,7 +248,7 @@
 	int error = ah_zeroize(sav);
 
 	if (sav->key_enc)
-		bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
+		bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
 	if (sav->iv) {
 		free(sav->iv, M_XDATA);
 		sav->iv = NULL;
@@ -381,7 +381,7 @@
 		crda->crd_inject = m->m_pkthdr.len - alen;
 
 		crda->crd_alg = esph->type;
-		crda->crd_key = _KEYBUF(sav->key_auth);
+		crda->crd_key = sav->key_auth->key_data;
 		crda->crd_klen = _KEYBITS(sav->key_auth);
 
 		/* Copy the authenticator */
@@ -418,7 +418,7 @@
 		crde->crd_inject = skip + hlen - sav->ivlen;
 
 		crde->crd_alg = espx->type;
-		crde->crd_key = _KEYBUF(sav->key_enc);
+		crde->crd_key = sav->key_enc->key_data;
 		crde->crd_klen = _KEYBITS(sav->key_enc);
 		/* XXX Rounds ? */
 	}
@@ -802,7 +802,7 @@
 
 		/* Encryption operation. */
 		crde->crd_alg = espx->type;
-		crde->crd_key = _KEYBUF(sav->key_enc);
+		crde->crd_key = sav->key_enc->key_data;
 		crde->crd_klen = _KEYBITS(sav->key_enc);
 		/* XXX Rounds ? */
 	} else
@@ -841,7 +841,7 @@
 
 		/* Authentication operation. */
 		crda->crd_alg = esph->type;
-		crda->crd_key = _KEYBUF(sav->key_auth);
+		crda->crd_key = sav->key_auth->key_data;
 		crda->crd_klen = _KEYBITS(sav->key_auth);
 	}
 

==== //depot/projects/gnn_fast_ipsec/src/sys/netipsec/xform_tcp.c#2 (text+ko) ====

@@ -117,7 +117,7 @@
 {
 
 	if (sav->key_auth)
-		bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
+		bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
 
 	sav->tdb_cryptoid = 0;
 	sav->tdb_authalgxform = NULL;