svn commit: r309671 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Wed Dec 7 09:36:10 UTC 2016
Author: ae
Date: Wed Dec 7 09:36:08 2016
New Revision: 309671
URL: https://svnweb.freebsd.org/changeset/base/309671
Log:
TCP-MD5 SAs cannot contain initialized ports, so remove unneeded checks
and initializations.
Modified:
projects/ipsec/sys/netipsec/key.c
projects/ipsec/sys/netipsec/xform_tcp.c
Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Wed Dec 7 08:12:02 2016 (r309670)
+++ projects/ipsec/sys/netipsec/key.c Wed Dec 7 09:36:08 2016 (r309671)
@@ -777,13 +777,7 @@ key_allocsa_tcpmd5(struct secasindex *sa
kdebug_secash(sah, " "));
if (sah->saidx.proto != IPPROTO_TCP)
continue;
- /*
- * addrhash uses only IP addresses without ports, but if
- * SA contains TCP port, use ports in comparison for exact
- * match.
- */
- if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa,
- key_portfromsaddr(&sah->saidx.dst.sa)))
+ if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
break;
}
if (sah != NULL) {
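Review bot: The literal 0 passed to key_sockaddrcmp() here (and in the matching line of the key_getsav_tcpmd5 hunk) replaces the comment that explained why ports entered the comparison, and nothing now records that an address-only match is intentional. The lookup is correct only while every TCP-MD5 SA is stored with zero ports, which from this page appears to be enforced solely by the key_porttosaddr(..., 0) calls in the key_add hunk. A one-line comment would keep that coupling visible, e.g. `/* TCP-MD5 SAs never carry ports (zeroed in key_add); compare addresses only. */`. key_allocsa_tcpmd5 begins and ends outside this hunk.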
@@ -4747,8 +4741,7 @@ key_getsav_tcpmd5(struct secasindex *sai
LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
if (sah->saidx.proto != IPPROTO_TCP)
continue;
- if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa,
- key_portfromsaddr(&sah->saidx.dst.sa)))
+ if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
break;
}
if (sah != NULL) {
@@ -5098,7 +5091,6 @@ key_add(struct socket *so, struct mbuf *
/*
* Make sure the port numbers are zero.
* In case of NAT-T we will update them later if needed.
- * XXXAE: TCP-MD5 may set dst port.
*/
key_porttosaddr(&saidx.src.sa, 0);
key_porttosaddr(&saidx.dst.sa, 0);
Modified: projects/ipsec/sys/netipsec/xform_tcp.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_tcp.c Wed Dec 7 08:12:02 2016 (r309670)
+++ projects/ipsec/sys/netipsec/xform_tcp.c Wed Dec 7 09:36:08 2016 (r309671)
@@ -245,7 +245,6 @@ tcp_ipsec_input(struct mbuf *m, struct t
*/
tcp_fields_to_net(th);
ipsec_setsockaddrs(m, &saidx.src, &saidx.dst);
- key_porttosaddr(&saidx.dst.sa, th->th_dport);
saidx.proto = IPPROTO_TCP;
saidx.mode = IPSEC_MODE_TCPMD5;
saidx.reqid = 0;
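Review bot: After the key_porttosaddr() removal, saidx.dst keeps whatever port ipsec_setsockaddrs() filled in, and nothing on the page shows that value to be zero. That appears harmless because the SA lookup in key_allocsa_tcpmd5 now passes a port argument of 0 and so presumably compares addresses only, but the new code relies on that silently; the same applies to the tcp_ipsec_output hunk. Consider recording it with `/* Ports are irrelevant here: TCP-MD5 SA lookup matches on addresses only. */` next to the ipsec_setsockaddrs() call, or zeroing the ports explicitly if key_sockaddrcmp(..., 0) does not ignore them. tcp_ipsec_input begins and ends outside this hunk.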
@@ -282,7 +281,6 @@ tcp_ipsec_output(struct mbuf *m, struct
struct secasvar *sav;
ipsec_setsockaddrs(m, &saidx.src, &saidx.dst);
- key_porttosaddr(&saidx.dst.sa, th->th_dport);
saidx.proto = IPPROTO_TCP;
saidx.mode = IPSEC_MODE_TCPMD5;
saidx.reqid = 0;