[src/trunk]: src/sys/netipsec Don't relook up an SP/SA in opencrpyto callbacks
details: https://anonhg.NetBSD.org/src/rev/18f4b621673e
branches: trunk
changeset: 359550:18f4b621673e
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Thu Feb 15 04:24:32 2018 +0000
description:
Don't relook up an SP/SA in opencrypto callbacks
We don't need to do so because we already hold a reference to it. Also,
looking one up again there may return an sp/sav that has different
parameters from the original one.
diffstat:
sys/netipsec/xform_ah.c | 34 ++--------------------------------
sys/netipsec/xform_esp.c | 41 ++---------------------------------------
sys/netipsec/xform_ipcomp.c | 34 ++--------------------------------
3 files changed, 6 insertions(+), 103 deletions(-)
diffs (193 lines):
diff -r 0820bcc67ac1 -r 18f4b621673e sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c Wed Feb 14 20:10:17 2018 +0000
+++ b/sys/netipsec/xform_ah.c Thu Feb 15 04:24:32 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ah.c,v 1.77 2018/01/24 13:49:23 maxv Exp $ */
+/* $NetBSD: xform_ah.c,v 1.78 2018/02/15 04:24:32 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.77 2018/01/24 13:49:23 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.78 2018/02/15 04:24:32 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -824,18 +824,6 @@
IPSEC_ACQUIRE_GLOBAL_LOCKS();
sav = tc->tc_sav;
- if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
- KEY_SA_UNREF(&sav);
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
- sport, dport);
- if (sav == NULL) {
- AH_STATINC(AH_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto\n", __func__));
- error = ENOBUFS; /*XXX*/
- goto bad;
- }
- }
-
saidx = &sav->sah->saidx;
KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
saidx->dst.sa.sa_family == AF_INET6,
@@ -1218,24 +1206,6 @@
isr = tc->tc_isr;
sav = tc->tc_sav;
- if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) {
- AH_STATINC(AH_STAT_NOTDB);
- IPSECLOG(LOG_DEBUG,
- "SP is being destroyed while in crypto (id=%u)\n",
- isr->sp->id);
- error = ENOENT;
- goto bad;
- }
- if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
- KEY_SA_UNREF(&sav);
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
- if (sav == NULL) {
- AH_STATINC(AH_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto\n", __func__));
- error = ENOBUFS; /*XXX*/
- goto bad;
- }
- }
/* Check for crypto errors. */
if (crp->crp_etype) {
diff -r 0820bcc67ac1 -r 18f4b621673e sys/netipsec/xform_esp.c
--- a/sys/netipsec/xform_esp.c Wed Feb 14 20:10:17 2018 +0000
+++ b/sys/netipsec/xform_esp.c Thu Feb 15 04:24:32 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_esp.c,v 1.75 2018/02/14 09:13:03 ozaki-r Exp $ */
+/* $NetBSD: xform_esp.c,v 1.76 2018/02/15 04:24:32 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.75 2018/02/14 09:13:03 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.76 2018/02/15 04:24:32 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -538,21 +538,6 @@
IPSEC_ACQUIRE_GLOBAL_LOCKS();
sav = tc->tc_sav;
- if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
- KEY_SA_UNREF(&sav);
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
- sport, dport);
- if (sav == NULL) {
- ESP_STATINC(ESP_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto "
- "(SA %s/%08lx proto %u)\n", __func__,
- ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
- (u_long) ntohl(tc->tc_spi), tc->tc_proto));
- error = ENOBUFS; /*XXX*/
- goto bad;
- }
- }
-
saidx = &sav->sah->saidx;
KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
saidx->dst.sa.sa_family == AF_INET6,
@@ -1000,28 +985,6 @@
isr = tc->tc_isr;
sav = tc->tc_sav;
- if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) {
- ESP_STATINC(ESP_STAT_NOTDB);
- IPSECLOG(LOG_DEBUG,
- "SP is being destroyed while in crypto (id=%u)\n",
- isr->sp->id);
- error = ENOENT;
- goto bad;
- }
- if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
- KEY_SA_UNREF(&sav);
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
- if (sav == NULL) {
- char buf[IPSEC_ADDRSTRLEN];
- ESP_STATINC(ESP_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto (SA %s/%08lx "
- "proto %u)\n", __func__,
- ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
- (u_long) ntohl(tc->tc_spi), tc->tc_proto));
- error = ENOBUFS; /*XXX*/
- goto bad;
- }
- }
/* Check for crypto errors. */
if (crp->crp_etype) {
diff -r 0820bcc67ac1 -r 18f4b621673e sys/netipsec/xform_ipcomp.c
--- a/sys/netipsec/xform_ipcomp.c Wed Feb 14 20:10:17 2018 +0000
+++ b/sys/netipsec/xform_ipcomp.c Thu Feb 15 04:24:32 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipcomp.c,v 1.55 2018/02/14 09:13:03 ozaki-r Exp $ */
+/* $NetBSD: xform_ipcomp.c,v 1.56 2018/02/15 04:24:32 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.55 2018/02/14 09:13:03 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.56 2018/02/15 04:24:32 ozaki-r Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#if defined(_KERNEL_OPT)
@@ -275,18 +275,6 @@
IPSEC_ACQUIRE_GLOBAL_LOCKS();
sav = tc->tc_sav;
- if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
- KEY_SA_UNREF(&sav);
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
- sport, dport);
- if (sav == NULL) {
- IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto\n", __func__));
- error = ENOBUFS; /*XXX*/
- goto bad;
- }
- }
-
saidx = &sav->sah->saidx;
KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
saidx->dst.sa.sa_family == AF_INET6,
@@ -567,24 +555,6 @@
isr = tc->tc_isr;
sav = tc->tc_sav;
- if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) {
- IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
- IPSECLOG(LOG_DEBUG,
- "SP is being destroyed while in crypto (id=%u)\n",
- isr->sp->id);
- error = ENOENT;
- goto bad;
- }
- if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
- KEY_SA_UNREF(&sav);
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
- if (sav == NULL) {
- IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto\n", __func__));
- error = ENOBUFS; /*XXX*/
- goto bad;
- }
- }
/* Check for crypto errors */
if (crp->crp_etype) {