svn commit: r310468 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Fri Dec 23 09:10:59 UTC 2016
Author: ae
Date: Fri Dec 23 09:10:57 2016
New Revision: 310468
URL: https://svnweb.freebsd.org/changeset/base/310468
Log:
Move ipsec_newisr() and ipsec_delisr() into key.c.
Move ipsec_address() and ipsec_logsastr() into key_debug.c.
Also rename ipsec_sa2str() to reflect in the name what it actually does.
Modified:
projects/ipsec/sys/netipsec/ipsec.c
projects/ipsec/sys/netipsec/ipsec.h
projects/ipsec/sys/netipsec/ipsec_input.c
projects/ipsec/sys/netipsec/key.c
projects/ipsec/sys/netipsec/key_debug.c
projects/ipsec/sys/netipsec/key_debug.h
projects/ipsec/sys/netipsec/xform_ah.c
projects/ipsec/sys/netipsec/xform_esp.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Fri Dec 23 08:59:23 2016 (r310467)
+++ projects/ipsec/sys/netipsec/ipsec.c Fri Dec 23 09:10:57 2016 (r310468)
@@ -941,21 +941,6 @@ ipsec_run_hhooks(struct ipsec_ctx_data *
return (0);
}
-struct ipsecrequest *
-ipsec_newisr(void)
-{
-
- return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR,
- M_NOWAIT | M_ZERO));
-}
-
-void
-ipsec_delisr(struct ipsecrequest *p)
-{
-
- free(p, M_IPSEC_SR);
-}
-
/*
* Return current level.
* Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
@@ -1428,7 +1413,7 @@ ok:
ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n",
__func__, replay->overflow,
- ipsec_logsastr(sav, buf, sizeof(buf))));
+ ipsec_sa2str(sav, buf, sizeof(buf))));
}
return (0);
}
@@ -1479,73 +1464,6 @@ ipsec_updateid(struct secasvar *sav, uin
return (0);
}
-/* Return a printable string for the address. */
-char*
-ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size)
-{
-
- switch (sa->sa.sa_family) {
-#ifdef INET
- case AF_INET:
- return (inet_ntop(AF_INET, &sa->sin.sin_addr, buf, size));
-#endif /* INET */
-#ifdef INET6
- case AF_INET6:
- if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6.sin6_addr)) {
- snprintf(buf, size, "%s%%%u", inet_ntop(AF_INET6,
- &sa->sin6.sin6_addr, buf, size),
- sa->sin6.sin6_scope_id);
- return (buf);
- } else
- return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr,
- buf, size));
-#endif /* INET6 */
- case 0:
- return ("*");
- default:
- return ("(unknown address family)");
- }
-}
-
-char *
-ipsec_logsastr(struct secasvar *sav, char *buf, size_t size)
-{
- char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
-
- IPSEC_ASSERT(sav->sah->saidx.src.sa.sa_family ==
- sav->sah->saidx.dst.sa.sa_family, ("address family mismatch"));
-
- snprintf(buf, size, "SA(SPI=%08lx src=%s dst=%s)",
- (u_long)ntohl(sav->spi),
- ipsec_address(&sav->sah->saidx.src, sbuf, sizeof(sbuf)),
- ipsec_address(&sav->sah->saidx.dst, dbuf, sizeof(dbuf)));
- return (buf);
-}
-
-void
-ipsec_dumpmbuf(const struct mbuf *m)
-{
- const u_char *p;
- int totlen;
- int i;
-
- totlen = 0;
- printf("---\n");
- while (m) {
- p = mtod(m, const u_char *);
- for (i = 0; i < m->m_len; i++) {
- printf("%02x ", p[i]);
- totlen++;
- if (totlen % 16 == 0)
- printf("\n");
- }
- m = m->m_next;
- }
- if (totlen % 16 != 0)
- printf("\n");
- printf("---\n");
-}
-
static void
def_policy_init(const void *unused __unused)
{
Modified: projects/ipsec/sys/netipsec/ipsec.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.h Fri Dec 23 08:59:23 2016 (r310467)
+++ projects/ipsec/sys/netipsec/ipsec.h Fri Dec 23 09:10:57 2016 (r310468)
@@ -320,10 +320,6 @@ int ipsec_updateid(struct secasvar *, ui
void ipsec_setsockaddrs(const struct mbuf *, union sockaddr_union *,
union sockaddr_union *);
-char *ipsec_address(const union sockaddr_union *, char *, socklen_t);
-char *ipsec_logsastr(struct secasvar *, char *, size_t);
-
-extern void ipsec_dumpmbuf(const struct mbuf *);
int ipsec4_in_reject(const struct mbuf *, struct inpcb *);
int ipsec4_input(struct mbuf *, int, int);
Modified: projects/ipsec/sys/netipsec/ipsec_input.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec_input.c Fri Dec 23 08:59:23 2016 (r310467)
+++ projects/ipsec/sys/netipsec/ipsec_input.c Fri Dec 23 09:10:57 2016 (r310468)
@@ -90,6 +90,7 @@ __FBSDID("$FreeBSD$");
#include <netipsec/key.h>
#include <netipsec/keydb.h>
+#include <netipsec/key_debug.h>
#include <netipsec/xform.h>
#include <netinet6/ip6protosw.h>
Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Fri Dec 23 08:59:23 2016 (r310467)
+++ projects/ipsec/sys/netipsec/key.c Fri Dec 23 09:10:57 2016 (r310468)
@@ -1245,6 +1245,21 @@ key_newsp(void)
return (sp);
}
+struct ipsecrequest *
+ipsec_newisr(void)
+{
+
+ return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR,
+ M_NOWAIT | M_ZERO));
+}
+
+void
+ipsec_delisr(struct ipsecrequest *p)
+{
+
+ free(p, M_IPSEC_SR);
+}
+
/*
* create secpolicy structure from sadb_x_policy structure.
* NOTE: `state', `secpolicyindex' and 'id' in secpolicy structure
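Review bot: ipsec_newisr() allocates with `M_NOWAIT`, so it can return NULL, and nothing at its new home in key.c tells callers that. A short comment above the definition would make the contract explicit, for example `/* Allocate a zeroed ipsecrequest; may return NULL (M_NOWAIT). Free with ipsec_delisr(). */`. The callers are outside this hunk, so whether each one checks the result cannot be confirmed from here.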
Modified: projects/ipsec/sys/netipsec/key_debug.c
==============================================================================
--- projects/ipsec/sys/netipsec/key_debug.c Fri Dec 23 08:59:23 2016 (r310467)
+++ projects/ipsec/sys/netipsec/key_debug.c Fri Dec 23 09:10:57 2016 (r310468)
@@ -787,6 +787,47 @@ kdebug_mbuf(const struct mbuf *m0)
return;
}
+
+/* Return a printable string for the address. */
+char *
+ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size)
+{
+
+ switch (sa->sa.sa_family) {
+#ifdef INET
+ case AF_INET:
+ return (inet_ntop(AF_INET, &sa->sin.sin_addr, buf, size));
+#endif /* INET */
+#ifdef INET6
+ case AF_INET6:
+ if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6.sin6_addr)) {
+ snprintf(buf, size, "%s%%%u", inet_ntop(AF_INET6,
+ &sa->sin6.sin6_addr, buf, size),
+ sa->sin6.sin6_scope_id);
+ return (buf);
+ } else
+ return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr,
+ buf, size));
+#endif /* INET6 */
+ case 0:
+ return ("*");
+ default:
+ return ("(unknown address family)");
+ }
+}
+
+char *
+ipsec_sa2str(struct secasvar *sav, char *buf, size_t size)
+{
+ char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
+
+ snprintf(buf, size, "SA(SPI=%08lx src=%s dst=%s)",
+ (u_long)ntohl(sav->spi),
+ ipsec_address(&sav->sah->saidx.src, sbuf, sizeof(sbuf)),
+ ipsec_address(&sav->sah->saidx.dst, dbuf, sizeof(dbuf)));
+ return (buf);
+}
+
#endif /* _KERNEL */
void
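Review bot: In the link-local branch of ipsec_address(), `snprintf()` writes into `buf` while its `%s` argument is the pointer `inet_ntop()` just returned, which is `buf` itself on success and NULL on failure. Formatting a buffer onto itself is not defined by the C standard, and the failure case goes unchecked. Converting first and then appending the scope id after the converted text avoids both problems, as sketched below. Separately, ipsec_sa2str() no longer carries the `IPSEC_ASSERT` on matching source and destination address families that the removed ipsec_logsastr() had. If dropping it is intentional, the commit log does not say so.

```c
	case AF_INET6:
		if (inet_ntop(AF_INET6, &sa->sin6.sin6_addr, buf, size) == NULL)
			return (NULL);	/* same result the non-link-local path gives */
		if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6.sin6_addr)) {
			size_t len = strlen(buf);

			/* Append the scope id after the converted text. */
			snprintf(buf + len, size - len, "%%%u",
			    sa->sin6.sin6_scope_id);
		}
		return (buf);
	/* ... unchanged: #endif, case 0 and default ... */
```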
Modified: projects/ipsec/sys/netipsec/key_debug.h
==============================================================================
--- projects/ipsec/sys/netipsec/key_debug.h Fri Dec 23 08:59:23 2016 (r310467)
+++ projects/ipsec/sys/netipsec/key_debug.h Fri Dec 23 09:10:57 2016 (r310468)
@@ -75,6 +75,7 @@ struct secashead;
struct secasvar;
struct secreplay;
struct mbuf;
+union sockaddr_union;
const char* kdebug_secpolicy_state(u_int);
const char* kdebug_secpolicy_policy(u_int);
const char* kdebug_secpolicyindex_dir(u_int);
@@ -88,6 +89,8 @@ void kdebug_secash(struct secashead *, c
void kdebug_secasv(struct secasvar *);
void kdebug_mbufhdr(const struct mbuf *);
void kdebug_mbuf(const struct mbuf *);
+char *ipsec_address(const union sockaddr_union *, char *, socklen_t);
+char *ipsec_sa2str(struct secasvar *, char *, size_t);
#endif /*_KERNEL*/
struct sockaddr;
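Review bot: `ipsec_address()` is declared as returning `char *`, but the definition added to key_debug.c returns the string literals `"*"` and `"(unknown address family)"` in two cases, so a caller that writes through the result would be modifying a literal. Declaring it `const char *ipsec_address(const union sockaddr_union *, char *, socklen_t);`, with the definition changed to match, makes that contract visible. Callers outside this diff would need checking before the type is changed. A one-line comment that the return value, not `buf`, must be used would also help, since `buf` is left unwritten in those two cases.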
Modified: projects/ipsec/sys/netipsec/xform_ah.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 08:59:23 2016 (r310467)
+++ projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 09:10:57 2016 (r310468)
@@ -614,7 +614,7 @@ ah_input(struct mbuf *m, struct secasvar
SECASVAR_UNLOCK(sav);
AHSTAT_INC(ahs_replay);
DPRINTF(("%s: packet replay failure: %s\n", __func__,
- ipsec_logsastr(sav, buf, sizeof(buf))));
+ ipsec_sa2str(sav, buf, sizeof(buf))));
m_freem(m);
return (EACCES);
}
Modified: projects/ipsec/sys/netipsec/xform_esp.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 08:59:23 2016 (r310467)
+++ projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 09:10:57 2016 (r310468)
@@ -360,7 +360,7 @@ esp_input(struct mbuf *m, struct secasva
if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) {
SECASVAR_UNLOCK(sav);
DPRINTF(("%s: packet replay check for %s\n", __func__,
- ipsec_logsastr(sav, buf, sizeof(buf))));
+ ipsec_sa2str(sav, buf, sizeof(buf))));
ESPSTAT_INC(esps_replay);
m_freem(m);
return (EACCES);
@@ -561,7 +561,7 @@ esp_input_cb(struct cryptop *crp)
if (ipsec_updatereplay(ntohl(seq), sav)) {
SECASVAR_UNLOCK(sav);
DPRINTF(("%s: packet replay check for %s\n", __func__,
- ipsec_logsastr(sav, buf, sizeof(buf))));
+ ipsec_sa2str(sav, buf, sizeof(buf))));
ESPSTAT_INC(esps_replay);
error = EACCES;
goto bad;