From owner-svn-src-projects@freebsd.org  Sun Nov 20 11:36:55 2016
Return-Path: <owner-svn-src-projects@freebsd.org>
Delivered-To: svn-src-projects@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DBD76C4B9C2
 for <svn-src-projects@mailman.ysv.freebsd.org>;
 Sun, 20 Nov 2016 11:36:55 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 9020317A6;
 Sun, 20 Nov 2016 11:36:55 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKBasau034424;
 Sun, 20 Nov 2016 11:36:54 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKBasT0034423;
 Sun, 20 Nov 2016 11:36:54 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201611201136.uAKBasT0034423@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org
 using -f
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Sun, 20 Nov 2016 11:36:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308881 - projects/ipsec/sys/netipsec
X-SVN-Group: projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the src &quot; projects&quot;
 tree" <svn-src-projects.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-projects/>
List-Post: <mailto:svn-src-projects@freebsd.org>
List-Help: <mailto:svn-src-projects-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Nov 2016 11:36:56 -0000

Author: ae
Date: Sun Nov 20 11:36:54 2016
New Revision: 308881
URL: https://svnweb.freebsd.org/changeset/base/308881

Log:
  Add ipsec_getpcbpolicy().
  
  It returns security policy associated with inpcb. This can be cached SP
  or policy, that was set by setsockopt() call from application.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c	Sun Nov 20 11:12:42 2016	(r308880)
+++ projects/ipsec/sys/netipsec/ipsec.c	Sun Nov 20 11:36:54 2016	(r308881)
@@ -283,6 +283,51 @@ key_allocsp_default(const char* where, i
 #define	KEY_ALLOCSP_DEFAULT() \
 	key_allocsp_default(__FILE__, __LINE__)
 
+static struct secpolicy *
+ipsec_getpcbpolicy(struct inpcb *inp, u_int dir)
+{
+	struct secpolicy *sp;
+	int flags;
+
+	if (inp == NULL || inp->inp_sp == NULL)
+		return (NULL);
+
+	flags = inp->inp_sp->flags;
+	if (dir == IPSEC_DIR_OUTBOUND) {
+		sp = inp->inp_sp->sp_out;
+		flags &= INP_OUTBOUND_POLICY;
+	} else {
+		sp = inp->inp_sp->sp_in;
+		flags &= INP_INBOUND_POLICY;
+	}
+	/*
+	 * Check flags. If we have PCB SP, just return it.
+	 * Otherwise we need to check that cached SP entry isn't stale.
+	 */
+	if (flags == 0) {
+		if (sp == NULL)
+			return (NULL);
+		if (inp->inp_sp->genid != key_getspgen()) {
+			/*
+			 * Invalidate the cache.
+			 * Do not touch policy if it was set by PCB.
+			 */
+			if ((inp->inp_sp->flags & INP_INBOUND_POLICY) == 0)
+				inp->inp_sp->sp_in = NULL;
+			if ((inp->inp_sp->flags & INP_OUTBOUND_POLICY) == 0)
+				inp->inp_sp->sp_out = NULL;
+			return (NULL);
+		}
+		KEYDBG(IPSEC_STAMP,
+		    printf("%s: PCB(%p): cache hit SP(%p)\n",
+		    __func__, inp, sp));
+		/* Return referenced cached policy */
+	}
+	IPSEC_ASSERT(sp != NULL, ("null SP, but flags is 0x%04x", flags));
+	key_addref(sp);
+	return (sp);
+}
+
 /*
  * For OUTBOUND packet having a socket. Searching SPD for packet,
  * and return a pointer to SP.