Date: Thu, 24 Nov 2016 17:07:15 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309110 - in projects/ipsec/sys: netinet netipsec Message-ID: <201611241707.uAOH7FAn039470@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Thu Nov 24 17:07:15 2016 New Revision: 309110 URL: https://svnweb.freebsd.org/changeset/base/309110 Log: GC some now unused functions and macros. Update functions declarations, add needed includes. Fix the build. Modified: projects/ipsec/sys/netinet/ip_input.c projects/ipsec/sys/netinet/ip_ipsec.c projects/ipsec/sys/netinet/ip_ipsec.h projects/ipsec/sys/netinet/tcp_subr.c projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/ipsec.h projects/ipsec/sys/netipsec/ipsec6.h projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/key.h projects/ipsec/sys/netipsec/xform_ah.c projects/ipsec/sys/netipsec/xform_esp.c projects/ipsec/sys/netipsec/xform_ipcomp.c Modified: projects/ipsec/sys/netinet/ip_input.c ============================================================================== --- projects/ipsec/sys/netinet/ip_input.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netinet/ip_input.c Thu Nov 24 17:07:15 2016 (r309110) @@ -78,6 +78,8 @@ __FBSDID("$FreeBSD$"); #include <machine/in_cksum.h> #include <netinet/ip_carp.h> #ifdef IPSEC +#include <netipsec/ipsec.h> +#include <netipsec/key.h> #include <netinet/ip_ipsec.h> #endif /* IPSEC */ #include <netinet/in_rss.h> Modified: projects/ipsec/sys/netinet/ip_ipsec.c ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netinet/ip_ipsec.c Thu Nov 24 17:07:15 2016 (r309110) @@ -115,23 +115,6 @@ ip_ipsec_input(struct mbuf *m, int nxt) } /* - * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. - * Called from ip_forward(). - * Returns MTU suggestion for ICMP needfrag reply. - */ -int -ip_ipsec_mtu(struct mbuf *m, int mtu) -{ - /* - * If the packet is routed over IPsec tunnel, tell the - * originator the tunnel MTU. - * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz - * XXX quickhack!!! - */ - return (mtu - ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL)); -} - -/* * Called from ip_output(). * 0 = continue processing packet * 1 = packet was consumed, stop processing Modified: projects/ipsec/sys/netinet/ip_ipsec.h ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.h Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netinet/ip_ipsec.h Thu Nov 24 17:07:15 2016 (r309110) @@ -38,7 +38,6 @@ int ip_ipsec_filtertunnel(struct mbuf *); int ip_ipsec_input(struct mbuf *, int); -int ip_ipsec_mtu(struct mbuf *, int); int ip_ipsec_forward(struct mbuf *, int *); int ip_ipsec_output(struct mbuf *, struct inpcb *, int *); int ip_ipsec_pcbctl(struct inpcb *, struct sockopt *); Modified: projects/ipsec/sys/netinet/tcp_subr.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_subr.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netinet/tcp_subr.c Thu Nov 24 17:07:15 2016 (r309110) @@ -2587,7 +2587,7 @@ tcp_get_sav(struct mbuf *m, u_int direct } /* Look up an SADB entry which matches the address of the peer. */ - sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI)); + sav = key_allocsa(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI)); if (sav == NULL) { ipseclog((LOG_ERR, "%s: SADB lookup failed for %s\n", __func__, (ip->ip_v == IPVERSION) ? inet_ntoa(dst.sin.sin_addr) : @@ -2708,7 +2708,7 @@ tcp_signature_do_compute(struct mbuf *m, break; #endif default: - KEY_FREESAV(&sav); + key_freesav(&sav); return (-1); /* NOTREACHED */ break; @@ -2738,7 +2738,7 @@ tcp_signature_do_compute(struct mbuf *m, MD5Final(buf, &ctx); key_sa_recordxfer(sav, m); - KEY_FREESAV(&sav); + key_freesav(&sav); return (0); } Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/ipsec.c Thu Nov 24 17:07:15 2016 (r309110) @@ -124,6 +124,8 @@ VNET_DEFINE(int, ip4_ah_net_deflev) = IP VNET_DEFINE(int, ip4_ipsec_ecn) = 0; VNET_DEFINE(int, ip4_esp_randpad) = -1; +static VNET_DEFINE(int, check_policy_history) = 0; +#define V_check_policy_history VNET(check_policy_history) static VNET_DEFINE(struct secpolicy, def_policy); #define V_def_policy VNET(def_policy) /* @@ -1417,43 +1419,6 @@ ipsec_hdrsiz_inpcb(struct inpcb *inp) return (sz); } -/* - * This function is called from ipsec_hdrsiz_tcp(), ip_ipsec_mtu(), - * disabled ip6_ipsec_mtu() and ip6_forward(). - */ -size_t -ipsec_hdrsiz(const struct mbuf *m, u_int dir, struct inpcb *inp) -{ - struct secpolicy *sp; - int error; - size_t size; - - if (!key_havesp(dir)) - return 0; - - IPSEC_ASSERT(m != NULL, ("null mbuf")); - - /* Get SP for this packet. */ - if (inp == NULL) - sp = ipsec_getpolicybyaddr(m, dir, &error); - else - sp = ipsec_getpolicybysock(m, dir, inp, &error); - - if (sp != NULL) { - size = ipsec_hdrsiz_internal(sp); - KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("%s: size:%lu.\n", __func__, - (unsigned long)size)); - - KEY_FREESP(&sp); - } else { - size = 0; /* XXX Should be panic? - * -> No, we are called w/o knowing if - * IPsec processing is needed. */ - } - return (size); -} - /* * Check the variable replay window. * ipsec_chkreplay() performs replay check before ICV verification. @@ -1683,7 +1648,7 @@ vshiftl(unsigned char *bitmap, int nbit, /* Return a printable string for the address. */ char* -ipsec_address(union sockaddr_union* sa, char *buf, socklen_t size) +ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size) { switch (sa->sa.sa_family) { Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/ipsec.h Thu Nov 24 17:07:15 2016 (r309110) @@ -53,11 +53,6 @@ #define IPSEC_ASSERT(_c,_m) KASSERT(_c, _m) -#define IPSEC_IS_PRIVILEGED_SO(_so) \ - ((_so)->so_cred != NULL && \ - priv_check_cred((_so)->so_cred, PRIV_NETINET_IPSEC, 0) \ - == 0) - /* * Security Policy Index * Ensure that both address families in the "src" and "dst" are same. @@ -299,8 +294,10 @@ VNET_DECLARE(int, crypto_support); #define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0) struct inpcb; +struct m_tag; struct secasvar; struct sockopt; +union sockaddr_union; struct ipsecrequest *ipsec_newisr(void); void ipsec_delisr(struct ipsecrequest *); @@ -316,18 +313,15 @@ int ipsec_delete_pcbpolicy(struct inpcb int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *); int ipsec_control_pcbpolicy(struct inpcb *, struct sockopt *); -extern int ipsec_chkreplay(u_int32_t, struct secasvar *); -extern int ipsec_updatereplay(u_int32_t, struct secasvar *); +int ipsec_chkreplay(uint32_t, struct secasvar *); +int ipsec_updatereplay(uint32_t, struct secasvar *); +int ipsec_updateid(struct secasvar *, uint64_t *, uint64_t *); -extern size_t ipsec_hdrsiz(const struct mbuf *, u_int, struct inpcb *); - -union sockaddr_union; -extern char *ipsec_address(union sockaddr_union *, char *, socklen_t); -extern char *ipsec_logsastr(struct secasvar *, char *, size_t); +char *ipsec_address(const union sockaddr_union *, char *, socklen_t); +char *ipsec_logsastr(struct secasvar *, char *, size_t); extern void ipsec_dumpmbuf(const struct mbuf *); -struct m_tag; extern int ah4_input(struct mbuf **mp, int *offp, int proto); extern void ah4_ctlinput(int cmd, struct sockaddr *sa, void *); extern int esp4_input(struct mbuf **mp, int *offp, int proto); @@ -336,8 +330,10 @@ extern int ipcomp4_input(struct mbuf **m extern int ipsec_common_input(struct mbuf *m, int, int, int, int); extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff); -extern int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *); -extern int ipsec_process_done(struct mbuf *, struct ipsecrequest *); +extern int ipsec4_process_packet(struct mbuf *, struct secpolicy *, + struct inpcb *); +extern int ipsec_process_done(struct mbuf *, struct secpolicy *, + struct secasvar *, u_int); extern void m_checkalignment(const char* where, struct mbuf *m0, int off, int len); Modified: projects/ipsec/sys/netipsec/ipsec6.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec6.h Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/ipsec6.h Thu Nov 24 17:07:15 2016 (r309110) @@ -60,13 +60,16 @@ VNET_DECLARE(int, ip6_ipsec_ecn); struct inpcb; extern int ipsec6_in_reject(const struct mbuf *, struct inpcb *); +struct secpolicy *ipsec6_checkpolicy(const struct mbuf *, + struct inpcb *, int *); struct m_tag; extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto); extern int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff); extern void esp6_ctlinput(int, struct sockaddr *, void *); -extern int ipsec6_process_packet(struct mbuf *, struct ipsecrequest *); +int ipsec6_process_packet(struct mbuf *, struct secpolicy *, + struct inpcb *); #endif /*_KERNEL*/ #endif /*_NETIPSEC_IPSEC6_H_*/ Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/key.c Thu Nov 24 17:07:15 2016 (r309110) @@ -548,9 +548,6 @@ static struct seckey *key_dup_keymsg(con struct malloc_type *); static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *); -#ifdef INET6 -static int key_ismyaddr6(struct sockaddr_in6 *); -#endif /* flags for key_cmpsaidx() */ #define CMP_HEAD 1 /* protocol, addresses. */ @@ -1016,16 +1013,6 @@ done: V_sp_genid++; } -void -key_addrefsa(struct secasvar *sav, const char* where, int tag) -{ - - IPSEC_ASSERT(sav != NULL, ("null sav")); - IPSEC_ASSERT(sav->refcnt > 0, ("refcount must exist")); - - SAV_ADDREF(sav); -} - /* * Must be called after calling key_allocsa(). * This function is called by key_freesp() to free some SA allocated @@ -2168,7 +2155,7 @@ key_spdflush(struct socket *so, struct m sp = TAILQ_FIRST(&drainq); while (sp != NULL) { nextsp = TAILQ_NEXT(sp, chain); - KEY_FREESP(&sp); + key_freesp(&sp); sp = nextsp; } @@ -2273,7 +2260,7 @@ key_setdumpsp(struct secpolicy *sp, u_in goto fail; m_cat(result, m); - m = key_sp2msg(sp); + m = key_sp2mbuf(sp); if (!m) goto fail; m_cat(result, m); @@ -2316,7 +2303,6 @@ fail: m_freem(result); return NULL; } - /* * get PFKEY message length for security policy and request. */ @@ -3554,29 +3540,29 @@ key_setsadbxpolicy(u_int16_t type, u_int * OUT: NULL no more memory */ struct seckey * -key_dup_keymsg(const struct sadb_key *src, u_int len, +key_dup_keymsg(const struct sadb_key *src, size_t len, struct malloc_type *type) { struct seckey *dst; - dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT); + + dst = malloc(sizeof(*dst), type, M_NOWAIT); if (dst != NULL) { dst->bits = src->sadb_key_bits; - dst->key_data = (char *)malloc(len, type, M_NOWAIT); + dst->key_data = malloc(len, type, M_NOWAIT); if (dst->key_data != NULL) { - bcopy((const char *)src + sizeof(struct sadb_key), - dst->key_data, len); + bcopy((const char *)(src + 1), dst->key_data, len); } else { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", - __func__)); + ipseclog((LOG_DEBUG, "%s: No more memory.\n", + __func__)); free(dst, type); dst = NULL; } } else { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", - __func__)); + ipseclog((LOG_DEBUG, "%s: No more memory.\n", + __func__)); } - return dst; + return (dst); } /* Take a lifetime message (sadb_lifetime) passed in on a socket and @@ -3603,50 +3589,6 @@ key_dup_lifemsg(const struct sadb_lifeti return (dst); } -/* compare my own address - * OUT: 1: true, i.e. my address. - * 0: false - */ -int -key_ismyaddr(struct sockaddr *sa) -{ - - IPSEC_ASSERT(sa != NULL, ("null sockaddr")); - switch (sa->sa_family) { -#ifdef INET - case AF_INET: - return (in_localip(satosin(sa)->sin_addr)); -#endif -#ifdef INET6 - case AF_INET6: - return key_ismyaddr6((struct sockaddr_in6 *)sa); -#endif - } - - return 0; -} - -#ifdef INET6 -/* - * compare my own address for IPv6. - * 1: ours - * 0: other - */ -static int -key_ismyaddr6(struct sockaddr_in6 *sin6) -{ - struct in6_addr in6; - - if (!IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr)) - return (in6_localip(&sin6->sin6_addr)); - - /* Convert address into kernel-internal form */ - in6 = sin6->sin6_addr; - in6.s6_addr16[1] = htons(sin6->sin6_scope_id & 0xffff); - return (in6_localip(&in6)); -} -#endif /*INET6*/ - /* * compare two secasindex structure. * flag can specify to compare 2 saidxes. @@ -3868,7 +3810,7 @@ key_cmpspidx_withmask(struct secpolicyin #endif #define satosin6(s) ((const struct sockaddr_in6 *)s) /* returns 0 on match */ -static int +int key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2, int port) { @@ -5962,32 +5904,6 @@ key_acquire(const struct secasindex *sai return error; } -static struct secacq * -key_newacq(const struct secasindex *saidx) -{ - struct secacq *newacq; - - /* get new entry */ - newacq = malloc(sizeof(struct secacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO); - if (newacq == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); - return NULL; - } - - /* copy secindex */ - bcopy(saidx, &newacq->saidx, sizeof(newacq->saidx)); - newacq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq); - newacq->created = time_second; - newacq->count = 0; - - /* add to acqtree */ - ACQ_LOCK(); - LIST_INSERT_HEAD(&V_acqtree, newacq, chain); - ACQ_UNLOCK(); - - return newacq; -} - static uint32_t key_newacq(const struct secasindex *saidx, int *perror) { @@ -7449,7 +7365,7 @@ key_destroy(void) sp = TAILQ_FIRST(&drainq); while (sp != NULL) { nextsp = TAILQ_NEXT(sp, chain); - KEY_FREESP(&sp); + key_freesp(&sp); sp = nextsp; } Modified: projects/ipsec/sys/netipsec/key.h ============================================================================== --- projects/ipsec/sys/netipsec/key.h Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/key.h Thu Nov 24 17:07:15 2016 (r309110) @@ -37,7 +37,6 @@ struct secpolicy; struct secpolicyindex; -struct ipsecrequest; struct secasvar; struct sockaddr; struct socket; @@ -46,64 +45,28 @@ struct sadb_x_policy; struct secasindex; union sockaddr_union; +struct secpolicy *key_newsp(void); +struct secpolicy *key_allocsp(struct secpolicyindex *, u_int); +struct secpolicy *key_msg2sp(struct sadb_x_policy *, size_t, int *); +int key_sp2msg(struct secpolicy *, void *, size_t *); +void key_addref(struct secpolicy *); +void key_freesp(struct secpolicy **); +int key_spdacquire(struct secpolicy *); +int key_havesp(u_int); uint32_t key_getspgen(void); +uint32_t key_newreqid(void); -extern void key_addref(struct secpolicy *sp); -extern int key_havesp(u_int dir); -extern struct secpolicy *key_allocsp(struct secpolicyindex *, u_int, - const char*, int); -extern struct secpolicy *key_allocsp2(u_int32_t spi, union sockaddr_union *dst, - u_int8_t proto, u_int dir, const char*, int); -extern struct secpolicy *key_newsp(const char*, int); -#if 0 -extern struct secpolicy *key_gettunnel(const struct sockaddr *, - const struct sockaddr *, const struct sockaddr *, - const struct sockaddr *, const char*, int); -#endif -/* NB: prepend with _ for KAME IPv6 compatbility */ -extern void _key_freesp(struct secpolicy **, const char*, int); - -#define KEY_ALLOCSP(spidx, dir) \ - key_allocsp(spidx, dir, __FILE__, __LINE__) -#define KEY_ALLOCSP2(spi, dst, proto, dir) \ - key_allocsp2(spi, dst, proto, dir, __FILE__, __LINE__) -#define KEY_NEWSP() \ - key_newsp(__FILE__, __LINE__) -#if 0 -#define KEY_GETTUNNEL(osrc, odst, isrc, idst) \ - key_gettunnel(osrc, odst, isrc, idst, __FILE__, __LINE__) -#endif -#define KEY_FREESP(spp) \ - _key_freesp(spp, __FILE__, __LINE__) - -extern struct secasvar *key_allocsa(union sockaddr_union *, u_int, u_int32_t, - const char*, int); -extern struct secasvar *key_allocsa_tunnel(union sockaddr_union *, - union sockaddr_union *, u_int, const char*, int); -extern void key_addrefsa(struct secasvar *, const char*, int); -extern void key_freesav(struct secasvar **, const char*, int); - -#define KEY_ALLOCSA(dst, proto, spi) \ - key_allocsa(dst, proto, spi, __FILE__, __LINE__) -#define KEY_ALLOCSA_TUNNEL(src, dst, proto) \ - key_allocsa_tunnel(src, dst, proto, __FILE__, __LINE__) -#define KEY_ADDREFSA(sav) \ - key_addrefsa(sav, __FILE__, __LINE__) -#define KEY_FREESAV(psav) \ - key_freesav(psav, __FILE__, __LINE__) - -extern void key_freeso(struct socket *); -extern int key_checktunnelsanity(struct secasvar *, u_int, - caddr_t, caddr_t); -extern int key_checkrequest(struct ipsecrequest *isr, - const struct secasindex *); -extern struct secpolicy *key_msg2sp(struct sadb_x_policy *, - size_t, int *); - -int key_sp2msg(struct secpolicy *, void *request, size_t *len); +struct secasvar *key_allocsa(union sockaddr_union *, uint8_t, uint32_t); +struct secasvar *key_allocsa_tunnel(union sockaddr_union *, + union sockaddr_union *, uint8_t); +struct secasvar *key_allocsa_policy(struct secpolicy *, + const struct secasindex *, int *); +void key_freesav(struct secasvar **); + +int key_sockaddrcmp(const struct sockaddr *, const struct sockaddr *, int); +int key_sockaddrcmp_withmask(const struct sockaddr *, const struct sockaddr *, + size_t); -extern int key_ismyaddr(struct sockaddr *); -extern int key_spdacquire(struct secpolicy *); extern u_long key_random(void); extern void key_randomfill(void *, size_t); extern void key_freereg(struct socket *); @@ -114,9 +77,7 @@ extern void key_destroy(void); #endif extern void key_sa_recordxfer(struct secasvar *, struct mbuf *); #ifdef IPSEC_NAT_T -u_int16_t key_portfromsaddr(struct sockaddr *); -#define KEY_PORTFROMSADDR(saddr) \ - key_portfromsaddr((struct sockaddr *)(saddr)) +uint16_t key_portfromsaddr(struct sockaddr *); #endif #ifdef MALLOC_DECLARE Modified: projects/ipsec/sys/netipsec/xform_ah.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ah.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/xform_ah.c Thu Nov 24 17:07:15 2016 (r309110) @@ -46,7 +46,7 @@ #include <sys/syslog.h> #include <sys/kernel.h> #include <sys/lock.h> -#include <sys/rwlock.h> +#include <sys/mutex.h> #include <sys/sysctl.h> #include <net/if.h> Modified: projects/ipsec/sys/netipsec/xform_esp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_esp.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/xform_esp.c Thu Nov 24 17:07:15 2016 (r309110) @@ -46,7 +46,7 @@ #include <sys/kernel.h> #include <sys/lock.h> #include <sys/random.h> -#include <sys/rwlock.h> +#include <sys/mutex.h> #include <sys/sysctl.h> #include <sys/mutex.h> #include <machine/atomic.h> Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ipcomp.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/xform_ipcomp.c Thu Nov 24 17:07:15 2016 (r309110) @@ -37,7 +37,6 @@ #include <sys/mbuf.h> #include <sys/lock.h> #include <sys/mutex.h> -#include <sys/rwlock.h> #include <sys/socket.h> #include <sys/kernel.h> #include <sys/protosw.h>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201611241707.uAOH7FAn039470>