Date:      Wed, 7 Dec 2016 09:36:08 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r309671 - projects/ipsec/sys/netipsec
Message-ID:  <201612070936.uB79a8u3081090@repo.freebsd.org>

Author: ae
Date: Wed Dec  7 09:36:08 2016
New Revision: 309671
URL: https://svnweb.freebsd.org/changeset/base/309671

Log:
  TCP-MD5 SAs cannot contain initialized ports, so remove the unneeded checks
  and initializations.

Modified:
  projects/ipsec/sys/netipsec/key.c
  projects/ipsec/sys/netipsec/xform_tcp.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c	Wed Dec  7 08:12:02 2016	(r309670)
+++ projects/ipsec/sys/netipsec/key.c	Wed Dec  7 09:36:08 2016	(r309671)
@@ -777,13 +777,7 @@ key_allocsa_tcpmd5(struct secasindex *sa
 		    kdebug_secash(sah, "  "));
 		if (sah->saidx.proto != IPPROTO_TCP)
 			continue;
-		/*
-		 * addrhash uses only IP addresses without ports, but if
-		 * SA contains TCP port, use ports in comparison for exact
-		 * match.
-		 */
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa,
-		    key_portfromsaddr(&sah->saidx.dst.sa)))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
 			break;
 	}
 	if (sah != NULL) {
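Review bot: The explanatory comment was dropped together with the port-aware comparison, so the new `key_sockaddrcmp(..., 0)` call carries a bare `0` with no indication of why ports are deliberately ignored; the same applies to the second hunk in key_getsav_tcpmd5. A one-line comment such as `/* TCP-MD5 SAs carry no ports (key_add() zeroes them); compare addresses only. */` would keep the rationale next to the code. This lookup now relies on an invariant enforced elsewhere (the key_add() hunk zeroes both ports); if any later path, such as the NAT-T port update that the key_add() comment mentions, could set a port on an IPPROTO_TCP SA, these lookups would silently stop matching it, so that assumption is worth confirming. key_allocsa_tcpmd5's body begins before the hunk.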
@@ -4747,8 +4741,7 @@ key_getsav_tcpmd5(struct secasindex *sai
 	LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
 		if (sah->saidx.proto != IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa,
-		    key_portfromsaddr(&sah->saidx.dst.sa)))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
 			break;
 	}
 	if (sah != NULL) {
@@ -5098,7 +5091,6 @@ key_add(struct socket *so, struct mbuf *
 	/*
 	 * Make sure the port numbers are zero.
 	 * In case of NAT-T we will update them later if needed.
-	 * XXXAE: TCP-MD5 may set dst port.
 	 */
 	key_porttosaddr(&saidx.src.sa, 0);
 	key_porttosaddr(&saidx.dst.sa, 0);

Modified: projects/ipsec/sys/netipsec/xform_tcp.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_tcp.c	Wed Dec  7 08:12:02 2016	(r309670)
+++ projects/ipsec/sys/netipsec/xform_tcp.c	Wed Dec  7 09:36:08 2016	(r309671)
@@ -245,7 +245,6 @@ tcp_ipsec_input(struct mbuf *m, struct t
 	 */
 	tcp_fields_to_net(th);
 	ipsec_setsockaddrs(m, &saidx.src, &saidx.dst);
-	key_porttosaddr(&saidx.dst.sa, th->th_dport);
 	saidx.proto = IPPROTO_TCP;
 	saidx.mode = IPSEC_MODE_TCPMD5;
 	saidx.reqid = 0;
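Review bot: With the `key_porttosaddr()` call removed here and in the tcp_ipsec_output hunk below, the saidx used for the SA lookup is keyed only on the address pair plus `proto`/`mode`, which matches the zero-port comparison now done in key.c. The comment block that ends at `*/` just above `tcp_fields_to_net(th)` lies outside the hunk, so it is worth checking that it does not still describe copying `th->th_dport` into the destination address. tcp_ipsec_input's body starts and ends outside the hunk.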
@@ -282,7 +281,6 @@ tcp_ipsec_output(struct mbuf *m, struct 
 	struct secasvar *sav;
 
 	ipsec_setsockaddrs(m, &saidx.src, &saidx.dst);
-	key_porttosaddr(&saidx.dst.sa, th->th_dport);
 	saidx.proto = IPPROTO_TCP;
 	saidx.mode = IPSEC_MODE_TCPMD5;
 	saidx.reqid = 0;


