From cb2c1545ab3b25d366aeb88623dd50ed9349e174 Mon Sep 17 00:00:00 2001 From: ume Date: Wed, 8 Oct 2003 18:26:08 +0000 Subject: - fix typo in comments. - style. - NULL is not 0. - some variables were renamed. - nuke unused logic. (there is no functional change.) Obtained from: KAME --- sys/netinet6/ipsec.c | 117 +++++++++++++++++++++++++++------------------------ 1 file changed, 61 insertions(+), 56 deletions(-) (limited to 'sys/netinet6/ipsec.c') diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c index 708641b..cdb4aa1 100644 --- a/sys/netinet6/ipsec.c +++ b/sys/netinet6/ipsec.c @@ -103,7 +103,6 @@ #include #include - #include #ifdef IPSEC_DEBUG 
@@ -190,23 +189,23 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, static int ipsec_setspidx_mbuf __P((struct secpolicyindex *, u_int, u_int, struct mbuf *, int)); -static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb)); +static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *)); #ifdef INET6 -static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb)); +static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *)); #endif static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int)); -static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int)); +static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); #ifdef INET6 -static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int)); +static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int)); static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *)); #endif static struct inpcbpolicy *ipsec_newpcbpolicy __P((void)); static void ipsec_delpcbpolicy __P((struct inpcbpolicy *)); -static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src)); -static int ipsec_set_policy __P((struct secpolicy **pcb_sp, - int optname, caddr_t request, size_t len, int priv)); -static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp)); +static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *)); +static int ipsec_set_policy + __P((struct secpolicy **, int, caddr_t, size_t, int)); +static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **)); static void vshiftl __P((unsigned char *, int, int)); static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *)); static size_t ipsec_hdrsiz __P((struct secpolicy *)); 
@@ -416,7 +415,7 @@ ipsec4_getpolicybyaddr(m, dir, flag, error) bzero(&spidx, sizeof(spidx)); - /* Make an index to look for a policy. */ + /* make an index to look for a policy */ *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m, (flag & IP_FORWARDING) ? 0 : 1); @@ -436,11 +435,10 @@ ipsec4_getpolicybyaddr(m, dir, flag, error) } /* no SP found */ - if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD - && ip4_def_policy.policy != IPSEC_POLICY_NONE) { + if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD && + ip4_def_policy.policy != IPSEC_POLICY_NONE) { ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n", - ip4_def_policy.policy, - IPSEC_POLICY_NONE)); + ip4_def_policy.policy, IPSEC_POLICY_NONE)); ip4_def_policy.policy = IPSEC_POLICY_NONE; } ip4_def_policy.refcnt++; @@ -645,7 +643,7 @@ ipsec6_getpolicybyaddr(m, dir, flag, error) bzero(&spidx, sizeof(spidx)); - /* Make an index to look for a policy. */ + /* make an index to look for a policy */ *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m, (flag & IP_FORWARDING) ? 0 : 1); @@ -1105,6 +1103,7 @@ static void ipsec_delpcbpolicy(p) struct inpcbpolicy *p; { + free(p, M_SECA); } @@ -1262,8 +1261,8 @@ ipsec_set_policy(pcb_sp, optname, request, len, priv) /* check policy type */ /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */ - if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD - || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) + if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD || + xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) return EINVAL; /* check privileged socket */ @@ -1373,7 +1372,7 @@ ipsec4_get_policy(inp, request, len, mp) pcb_sp = inp->inp_sp->sp_out; break; default: - ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", + ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n", xpl->sadb_x_policy_dir)); return EINVAL; } 
@@ -1473,7 +1472,7 @@ ipsec6_get_policy(in6p, request, len, mp) pcb_sp = in6p->in6p_sp->sp_out; break; default: - ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", + ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n", xpl->sadb_x_policy_dir)); return EINVAL; } @@ -1635,7 +1634,7 @@ ipsec_in_reject(sp, m) case IPSEC_POLICY_BYPASS: case IPSEC_POLICY_NONE: return 0; - + case IPSEC_POLICY_IPSEC: break; @@ -1651,7 +1650,6 @@ ipsec_in_reject(sp, m) /* XXX should compare policy against ipsec header history */ for (isr = sp->req; isr != NULL; isr = isr->next) { - /* get current level */ level = ipsec_get_reqlevel(isr); @@ -1717,13 +1715,14 @@ ipsec4_in_reject(m, inp) * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. */ if (inp == NULL) - sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); + sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, + IP_FORWARDING, &error); else sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error); + /* XXX should be panic ? -> No, there may be error. */ if (sp == NULL) - return 0; /* XXX should be panic ? - * -> No, there may be error. */ + return 0; result = ipsec_in_reject(sp, m); KEYDEBUG(KEYDEBUG_IPSEC_STAMP, @@ -1743,7 +1742,6 @@ ipsec4_in_reject_so(m, so) return ipsec4_in_reject(m, sotoinpcb(so)); } - #ifdef INET6 /* * Check AH/ESP integrity. @@ -1768,7 +1766,8 @@ ipsec6_in_reject(m, in6p) * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. */ if (in6p == NULL) - sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); + sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, + IP_FORWARDING, &error); else sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error); @@ -1816,7 +1815,7 @@ ipsec_hdrsiz(sp) case IPSEC_POLICY_BYPASS: case IPSEC_POLICY_NONE: return 0; - + case IPSEC_POLICY_IPSEC: break; 
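Review bot: In the ipsec4_in_reject() hunk, `if (sp == NULL) return 0;` appears to let the inbound packet through whenever the policy lookup yields nothing, going by ipsec_in_reject() returning 0 for the BYPASS/NONE cases elsewhere on this page. The value stored through `&error` by ipsec4_getpolicybyaddr() or ipsec4_getpolicybypcb() is not consulted in the lines shown. The relocated XXX comment still only discusses panic, so I would state the outcome at the check, e.g. `/* lookup failed: packet is NOT rejected (fail-open); error is dropped */`. Whether a lookup error should instead count as a reject (`return 1;`) depends on callers that are not visible here. The function begins before this hunk, and the ipsec6_in_reject() hunk after it shows the same lookup but not its NULL handling.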
@@ -2063,7 +2062,7 @@ ipsec4_encapsulate(m, sav) ip->ip_len = htons(plen + sizeof(struct ip)); else { ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: " - "leave ip_len as is (invalid packet)\n")); + "leave ip_len as is (invalid packet)\n")); } #ifdef RANDOM_IP_ID ip->ip_id = ip_randomid(); @@ -2171,6 +2170,8 @@ ipsec6_encapsulate(m, sav) * 0 (zero) is returned if packet disallowed, 1 if packet permitted. * * based on RFC 2401. + * + * XXX need to update for 64bit sequence number - 2401bis */ int ipsec_chkreplay(seq, sav) @@ -2218,7 +2219,7 @@ ipsec_chkreplay(seq, sav) fr = frlast - diff / 8; /* this packet already seen ? */ - if ((replay->bitmap)[fr] & (1 << (diff % 8))) + if (replay->bitmap[fr] & (1 << (diff % 8))) return 0; /* out of order but good */ @@ -2230,6 +2231,7 @@ ipsec_chkreplay(seq, sav) * check replay counter whether to update or not. * OUT: 0: OK * 1: NG + * XXX need to update for 64bit sequence number - 2401bis */ int ipsec_updatereplay(seq, sav) @@ -2263,7 +2265,7 @@ ipsec_updatereplay(seq, sav) if (replay->count == 0) { replay->lastseq = seq; bzero(replay->bitmap, replay->wsize); - (replay->bitmap)[frlast] = 1; + replay->bitmap[frlast] = 1; goto ok; } @@ -2276,11 +2278,11 @@ ipsec_updatereplay(seq, sav) /* In window */ /* set bit for this packet */ vshiftl(replay->bitmap, diff, replay->wsize); - (replay->bitmap)[frlast] |= 1; + replay->bitmap[frlast] |= 1; } else { /* this packet has a "way larger" */ bzero(replay->bitmap, replay->wsize); - (replay->bitmap)[frlast] = 1; + replay->bitmap[frlast] = 1; } replay->lastseq = seq; @@ -2296,11 +2298,11 @@ ipsec_updatereplay(seq, sav) fr = frlast - diff / 8; /* this packet already seen ? */ - if ((replay->bitmap)[fr] & (1 << (diff % 8))) + if (replay->bitmap[fr] & (1 << (diff % 8))) return 1; /* mark as seen */ - (replay->bitmap)[fr] |= (1 << (diff % 8)); + replay->bitmap[fr] |= (1 << (diff % 8)); /* out of order but good */ } 
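Review bot: The two header comments that gain the XXX line document opposite return conventions. ipsec_chkreplay() says 0 means the packet is disallowed and 1 means permitted, while ipsec_updatereplay() says `0: OK, 1: NG`, and the visible "already seen" branches match (`return 0;` in one, `return 1;` in the other). Since an anti-replay check is easy to invert at a call site, I would add a cross-reference to each comment while they are being edited, e.g. `* NOTE: return value is inverted relative to ipsec_chkreplay() (there 1 = permitted).` The XXX line could also name the current limit rather than only the to-do: `* XXX 32bit sequence numbers only; 64bit sequence number (2401bis) not handled`. Both function bodies extend beyond the hunks shown.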
@@ -3026,9 +3028,10 @@ ipsec6_output_tunnel(state, sp, flags) state->ro = &isr->sav->sah->sa_route; state->dst = (struct sockaddr *)&state->ro->ro_dst; dst6 = (struct sockaddr_in6 *)state->dst; - if (state->ro->ro_rt - && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 - || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) { + if (state->ro->ro_rt && + ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 || + !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, + &ip6->ip6_dst))) { RTFREE(state->ro->ro_rt); state->ro->ro_rt = NULL; } @@ -3064,14 +3067,16 @@ ipsec6_output_tunnel(state, sp, flags) switch (isr->saidx.proto) { case IPPROTO_ESP: #ifdef IPSEC_ESP - error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr); + error = esp6_output(state->m, &ip6->ip6_nxt, + state->m->m_next, isr); #else m_freem(state->m); error = EINVAL; #endif break; case IPPROTO_AH: - error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr); + error = ah6_output(state->m, &ip6->ip6_nxt, + state->m->m_next, isr); break; case IPPROTO_IPCOMP: /* XXX code should be here */ @@ -3236,9 +3241,9 @@ ipsec4_tunnel_validate(m, off, nxt0, sav) bzero(&odst, sizeof(odst)); bzero(&isrc, sizeof(isrc)); bzero(&idst, sizeof(idst)); - osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family = + osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family = AF_INET; - osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len = + osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len = sizeof(struct sockaddr_in); osrc.sin_addr = oip->ip_src; odst.sin_addr = oip->ip_dst; 
@@ -3367,12 +3372,12 @@ ipsec_copypkt(m) for (n = m, mpp = &m; n; n = n->m_next) { if (n->m_flags & M_EXT) { /* - * Make a copy only if there are more than one + * Make a copy only if there is more than one * references to the cluster. * XXX: is this approach effective? */ - if (n->m_ext.ext_type != EXT_CLUSTER || MEXT_IS_REF(n)) - { + if (n->m_ext.ext_type != EXT_CLUSTER || + MEXT_IS_REF(n)) { int remain, copied; struct mbuf *mm; @@ -3461,10 +3466,10 @@ void ipsec_delaux(m) struct mbuf *m; { - struct m_tag *tag; + struct m_tag *mtag; - while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL) - m_tag_delete(m, tag); + while ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL) + m_tag_delete(m, mtag); } int @@ -3473,18 +3478,18 @@ ipsec_addhist(m, proto, spi) int proto; u_int32_t spi; { - struct m_tag *tag; + struct m_tag *mtag; struct ipsec_history *p; - tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY, + mtag = m_tag_get(PACKET_TAG_IPSEC_HISTORY, sizeof (struct ipsec_history), M_NOWAIT); - if (tag == NULL) + if (mtag == NULL) return ENOBUFS; - p = (struct ipsec_history *)(tag+1); + p = (struct ipsec_history *)(mtag+1); bzero(p, sizeof(*p)); p->ih_proto = proto; p->ih_spi = spi; - m_tag_prepend(m, tag); + m_tag_prepend(m, mtag); return 0; } @@ -3493,13 +3498,13 @@ ipsec_gethist(m, lenp) struct mbuf *m; int *lenp; { - struct m_tag *tag; + struct m_tag *mtag; - tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); - if (tag == NULL) + mtag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL); + if (mtag == NULL) return NULL; /* XXX NB: noone uses this so fake it */ if (lenp) *lenp = sizeof (struct ipsec_history); - return ((struct ipsec_history *)(tag+1)); + return ((struct ipsec_history *)(mtag+1)); } -- cgit v1.1
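Review bot: The reworded comment in ipsec_copypkt() still reads "more than one references", and it describes only half of the condition below it. `n->m_ext.ext_type != EXT_CLUSTER || MEXT_IS_REF(n)` also copies whenever the external storage is not a plain cluster, regardless of reference count. I would write it as `* Make a copy if the external storage is not a cluster, or if there is` / `* more than one reference to the cluster.` so that a reader knows which mbufs are modified in place. The loop and the function continue outside this hunk.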