path: root/sys/netinet6/ipsec.c
authorume <ume@FreeBSD.org>2003-10-08 18:26:08 +0000
committerume <ume@FreeBSD.org>2003-10-08 18:26:08 +0000
commitcb2c1545ab3b25d366aeb88623dd50ed9349e174 (patch)
tree0e57d38335c69eed019dcea1730b3cd22ff6025e /sys/netinet6/ipsec.c
parent8f2de8390a373f0018eb9a8bb4cab9e630163357 (diff)
- fix typo in comments.
- style. - NULL is not 0. - some variables were renamed. - nuke unused logic. (there is no functional change.) Obtained from: KAME
Diffstat (limited to 'sys/netinet6/ipsec.c')
-rw-r--r--sys/netinet6/ipsec.c117
1 files changed, 61 insertions, 56 deletions
diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 708641b..cdb4aa1 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -103,7 +103,6 @@
#include <netkey/key_debug.h>
#include <machine/in_cksum.h>
-
#include <net/net_osdep.h>
#ifdef IPSEC_DEBUG
@@ -190,23 +189,23 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
static int ipsec_setspidx_mbuf
__P((struct secpolicyindex *, u_int, u_int, struct mbuf *, int));
-static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
+static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *));
#ifdef INET6
-static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
+static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *));
#endif
static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
-static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
+static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
#ifdef INET6
-static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
+static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
#endif
static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
-static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src));
-static int ipsec_set_policy __P((struct secpolicy **pcb_sp,
- int optname, caddr_t request, size_t len, int priv));
-static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp));
+static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
+static int ipsec_set_policy
+ __P((struct secpolicy **, int, caddr_t, size_t, int));
+static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
static void vshiftl __P((unsigned char *, int, int));
static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
static size_t ipsec_hdrsiz __P((struct secpolicy *));
@@ -416,7 +415,7 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
bzero(&spidx, sizeof(spidx));
- /* Make an index to look for a policy. */
+ /* make an index to look for a policy */
*error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
(flag & IP_FORWARDING) ? 0 : 1);
@@ -436,11 +435,10 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
}
/* no SP found */
- if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
- && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
+ if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD &&
+ ip4_def_policy.policy != IPSEC_POLICY_NONE) {
ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
- ip4_def_policy.policy,
- IPSEC_POLICY_NONE));
+ ip4_def_policy.policy, IPSEC_POLICY_NONE));
ip4_def_policy.policy = IPSEC_POLICY_NONE;
}
ip4_def_policy.refcnt++;
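Review bot: The "no SP found" fallback on the lines above coerces an unexpected ip4_def_policy.policy to IPSEC_POLICY_NONE, which ipsec_in_reject (hunk further down) treats as not-rejected, so a misconfigured or corrupted system default silently becomes a permissive policy rather than a discarding one, with the ipseclog line as the only trace. The restyle keeps that behaviour and the comment `/* no SP found */` does not say so; I would extend it to `/* no SP found: use the system default; an unexpected default is coerced to NONE (accept), not DISCARD */`. Whether falling back to DISCARD would be acceptable depends on callers outside this hunk, so at minimum the choice should be stated where it is made. ipsec6_getpolicybyaddr presumably carries the same fallback, but its hunk on this page ends before reaching it. ipsec4_getpolicybyaddr begins and ends outside this hunk.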
@@ -645,7 +643,7 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
bzero(&spidx, sizeof(spidx));
- /* Make an index to look for a policy. */
+ /* make an index to look for a policy */
*error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
(flag & IP_FORWARDING) ? 0 : 1);
@@ -1105,6 +1103,7 @@ static void
ipsec_delpcbpolicy(p)
struct inpcbpolicy *p;
{
+
free(p, M_SECA);
}
@@ -1262,8 +1261,8 @@ ipsec_set_policy(pcb_sp, optname, request, len, priv)
/* check policy type */
/* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
- if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
- || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
+ if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
+ xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
return EINVAL;
/* check privileged socket */
@@ -1373,7 +1372,7 @@ ipsec4_get_policy(inp, request, len, mp)
pcb_sp = inp->inp_sp->sp_out;
break;
default:
- ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
+ ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
xpl->sadb_x_policy_dir));
return EINVAL;
}
@@ -1473,7 +1472,7 @@ ipsec6_get_policy(in6p, request, len, mp)
pcb_sp = in6p->in6p_sp->sp_out;
break;
default:
- ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
+ ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
xpl->sadb_x_policy_dir));
return EINVAL;
}
@@ -1635,7 +1634,7 @@ ipsec_in_reject(sp, m)
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_NONE:
return 0;
-
+
case IPSEC_POLICY_IPSEC:
break;
@@ -1651,7 +1650,6 @@ ipsec_in_reject(sp, m)
/* XXX should compare policy against ipsec header history */
for (isr = sp->req; isr != NULL; isr = isr->next) {
-
/* get current level */
level = ipsec_get_reqlevel(isr);
@@ -1717,13 +1715,14 @@ ipsec4_in_reject(m, inp)
* ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
*/
if (inp == NULL)
- sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
+ sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
else
sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error);
+ /* XXX should be panic ? -> No, there may be error. */
if (sp == NULL)
- return 0; /* XXX should be panic ?
- * -> No, there may be error. */
+ return 0;
result = ipsec_in_reject(sp, m);
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
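Review bot: The relocated comment above `if (sp == NULL)` still leaves the lookup-failure path returning 0, i.e. "not rejected", while `error`, written by ipsec4_getpolicybyaddr/ipsec4_getpolicybypcb on the lines above, is dropped on that path, so a failed inbound policy lookup lets the packet past the policy check. The comment `/* XXX should be panic ? -> No, there may be error. */` says why it is not a panic but not why an error is treated as accept; I would reword it to `/* XXX lookup failed (error set): treated as not-rejected, i.e. fail-open; error is not propagated */` so the decision is visible to the next reader. Returning 1 on this path would fail closed, but that is a policy change beyond this no-functional-change commit and depends on callers not visible here. ipsec6_in_reject's NULL check lies outside its hunk below and presumably behaves the same. ipsec4_in_reject begins and ends outside this hunk.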
@@ -1743,7 +1742,6 @@ ipsec4_in_reject_so(m, so)
return ipsec4_in_reject(m, sotoinpcb(so));
}
-
#ifdef INET6
/*
* Check AH/ESP integrity.
@@ -1768,7 +1766,8 @@ ipsec6_in_reject(m, in6p)
* ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
*/
if (in6p == NULL)
- sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
+ sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
else
sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error);
@@ -1816,7 +1815,7 @@ ipsec_hdrsiz(sp)
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_NONE:
return 0;
-
+
case IPSEC_POLICY_IPSEC:
break;
@@ -2063,7 +2062,7 @@ ipsec4_encapsulate(m, sav)
ip->ip_len = htons(plen + sizeof(struct ip));
else {
ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
- "leave ip_len as is (invalid packet)\n"));
+ "leave ip_len as is (invalid packet)\n"));
}
#ifdef RANDOM_IP_ID
ip->ip_id = ip_randomid();
@@ -2171,6 +2170,8 @@ ipsec6_encapsulate(m, sav)
* 0 (zero) is returned if packet disallowed, 1 if packet permitted.
*
* based on RFC 2401.
+ *
+ * XXX need to update for 64bit sequence number - 2401bis
*/
int
ipsec_chkreplay(seq, sav)
@@ -2218,7 +2219,7 @@ ipsec_chkreplay(seq, sav)
fr = frlast - diff / 8;
/* this packet already seen ? */
- if ((replay->bitmap)[fr] & (1 << (diff % 8)))
+ if (replay->bitmap[fr] & (1 << (diff % 8)))
return 0;
/* out of order but good */
@@ -2230,6 +2231,7 @@ ipsec_chkreplay(seq, sav)
* check replay counter whether to update or not.
* OUT: 0: OK
* 1: NG
+ * XXX need to update for 64bit sequence number - 2401bis
*/
int
ipsec_updatereplay(seq, sav)
@@ -2263,7 +2265,7 @@ ipsec_updatereplay(seq, sav)
if (replay->count == 0) {
replay->lastseq = seq;
bzero(replay->bitmap, replay->wsize);
- (replay->bitmap)[frlast] = 1;
+ replay->bitmap[frlast] = 1;
goto ok;
}
@@ -2276,11 +2278,11 @@ ipsec_updatereplay(seq, sav)
/* In window */
/* set bit for this packet */
vshiftl(replay->bitmap, diff, replay->wsize);
- (replay->bitmap)[frlast] |= 1;
+ replay->bitmap[frlast] |= 1;
} else {
/* this packet has a "way larger" */
bzero(replay->bitmap, replay->wsize);
- (replay->bitmap)[frlast] = 1;
+ replay->bitmap[frlast] = 1;
}
replay->lastseq = seq;
@@ -2296,11 +2298,11 @@ ipsec_updatereplay(seq, sav)
fr = frlast - diff / 8;
/* this packet already seen ? */
- if ((replay->bitmap)[fr] & (1 << (diff % 8)))
+ if (replay->bitmap[fr] & (1 << (diff % 8)))
return 1;
/* mark as seen */
- (replay->bitmap)[fr] |= (1 << (diff % 8));
+ replay->bitmap[fr] |= (1 << (diff % 8));
/* out of order but good */
}
@@ -3026,9 +3028,10 @@ ipsec6_output_tunnel(state, sp, flags)
state->ro = &isr->sav->sah->sa_route;
state->dst = (struct sockaddr *)&state->ro->ro_dst;
dst6 = (struct sockaddr_in6 *)state->dst;
- if (state->ro->ro_rt
- && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
- || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
+ if (state->ro->ro_rt &&
+ ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 ||
+ !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr,
+ &ip6->ip6_dst))) {
RTFREE(state->ro->ro_rt);
state->ro->ro_rt = NULL;
}
@@ -3064,14 +3067,16 @@ ipsec6_output_tunnel(state, sp, flags)
switch (isr->saidx.proto) {
case IPPROTO_ESP:
#ifdef IPSEC_ESP
- error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
+ error = esp6_output(state->m, &ip6->ip6_nxt,
+ state->m->m_next, isr);
#else
m_freem(state->m);
error = EINVAL;
#endif
break;
case IPPROTO_AH:
- error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
+ error = ah6_output(state->m, &ip6->ip6_nxt,
+ state->m->m_next, isr);
break;
case IPPROTO_IPCOMP:
/* XXX code should be here */
@@ -3236,9 +3241,9 @@ ipsec4_tunnel_validate(m, off, nxt0, sav)
bzero(&odst, sizeof(odst));
bzero(&isrc, sizeof(isrc));
bzero(&idst, sizeof(idst));
- osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
+ osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
AF_INET;
- osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
+ osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
sizeof(struct sockaddr_in);
osrc.sin_addr = oip->ip_src;
odst.sin_addr = oip->ip_dst;
@@ -3367,12 +3372,12 @@ ipsec_copypkt(m)
for (n = m, mpp = &m; n; n = n->m_next) {
if (n->m_flags & M_EXT) {
/*
- * Make a copy only if there are more than one
+ * Make a copy only if there is more than one
* references to the cluster.
* XXX: is this approach effective?
*/
- if (n->m_ext.ext_type != EXT_CLUSTER || MEXT_IS_REF(n))
- {
+ if (n->m_ext.ext_type != EXT_CLUSTER ||
+ MEXT_IS_REF(n)) {
int remain, copied;
struct mbuf *mm;
@@ -3461,10 +3466,10 @@ void
ipsec_delaux(m)
struct mbuf *m;
{
- struct m_tag *tag;
+ struct m_tag *mtag;
- while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
- m_tag_delete(m, tag);
+ while ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
+ m_tag_delete(m, mtag);
}
int
@@ -3473,18 +3478,18 @@ ipsec_addhist(m, proto, spi)
int proto;
u_int32_t spi;
{
- struct m_tag *tag;
+ struct m_tag *mtag;
struct ipsec_history *p;
- tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
+ mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
sizeof (struct ipsec_history), M_NOWAIT);
- if (tag == NULL)
+ if (mtag == NULL)
return ENOBUFS;
- p = (struct ipsec_history *)(tag+1);
+ p = (struct ipsec_history *)(mtag+1);
bzero(p, sizeof(*p));
p->ih_proto = proto;
p->ih_spi = spi;
- m_tag_prepend(m, tag);
+ m_tag_prepend(m, mtag);
return 0;
}
@@ -3493,13 +3498,13 @@ ipsec_gethist(m, lenp)
struct mbuf *m;
int *lenp;
{
- struct m_tag *tag;
+ struct m_tag *mtag;
- tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
- if (tag == NULL)
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
+ if (mtag == NULL)
return NULL;
/* XXX NB: noone uses this so fake it */
if (lenp)
*lenp = sizeof (struct ipsec_history);
- return ((struct ipsec_history *)(tag+1));
+ return ((struct ipsec_history *)(mtag+1));
}