[src/trunk]: src/sys/netipsec Disable secspacq stuffs that are now unused

[ozaki-r <ozaki-r%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/8378729ddbc5
branches:  trunk
changeset: 824091:8378729ddbc5
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Tue May 23 04:26:08 2017 +0000

description:
Disable secspacq stuffs that are now unused

The stuffs are used only if sp->policy == IPSEC_POLICY_IPSEC
&& sp->req == NULL (see ipsec{4,6}_checkpolicy). However, in the
current implementation, sp->req never be NULL (except for the
moments of SP allocation and deallocation) if sp->policy is
IPSEC_POLICY_IPSEC.

It seems that the facility was partially implemented in the KAME
era and wasn't completed. Make it clear that the facility is
unused for now by #ifdef notyet. Eventually we should complete
the implementation or remove it entirely.

diffstat:

 sys/netipsec/ipsec.c |  10 ++++------
 sys/netipsec/key.c   |  20 ++++++++++++++++++--
 2 files changed, 22 insertions(+), 8 deletions(-)

diffs (155 lines):

diff -r 9bf0e984952b -r 8378729ddbc5 sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c      Tue May 23 03:23:58 2017 +0000
+++ b/sys/netipsec/ipsec.c      Tue May 23 04:26:08 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.c,v 1.92 2017/05/19 04:34:09 ozaki-r Exp $       */
+/*     $NetBSD: ipsec.c,v 1.93 2017/05/23 04:26:08 ozaki-r Exp $       */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $       */
 /*     $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.92 2017/05/19 04:34:09 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.93 2017/05/23 04:26:08 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -644,8 +644,7 @@
                sp = NULL;              /* NB: force NULL result */
                break;
        case IPSEC_POLICY_IPSEC:
-               if (sp->req == NULL)    /* acquire an SA */
-                       *error = key_spdacquire(sp);
+               KASSERT(sp->req != NULL);
                break;
        }
        if (*error != 0) {
@@ -890,8 +889,7 @@
                sp = NULL;        /* NB: force NULL result */
                break;
        case IPSEC_POLICY_IPSEC:
-               if (sp->req == NULL)    /* acquire an SA */
-                       *error = key_spdacquire(sp);
+               KASSERT(sp->req != NULL);
                break;
        }
        if (*error != 0) {
diff -r 9bf0e984952b -r 8378729ddbc5 sys/netipsec/key.c
--- a/sys/netipsec/key.c        Tue May 23 03:23:58 2017 +0000
+++ b/sys/netipsec/key.c        Tue May 23 04:26:08 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.c,v 1.138 2017/05/23 03:13:52 ozaki-r Exp $        */
+/*     $NetBSD: key.c,v 1.139 2017/05/23 04:26:08 ozaki-r Exp $        */
 /*     $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $        */
 /*     $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $   */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.138 2017/05/23 03:13:52 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.139 2017/05/23 04:26:08 ozaki-r Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -150,7 +150,9 @@
 #ifndef IPSEC_NONBLOCK_ACQUIRE
 static LIST_HEAD(_acqtree, secacq) acqtree;            /* acquiring list */
 #endif
+#ifdef notyet
 static LIST_HEAD(_spacqtree, secspacq) spacqtree;      /* SP acquiring list */
+#endif
 
 /* search order for SAs */
        /*
@@ -488,8 +490,10 @@
 static struct secacq *key_getacq (const struct secasindex *);
 static struct secacq *key_getacqbyseq (u_int32_t);
 #endif
+#ifdef notyet
 static struct secspacq *key_newspacq (const struct secpolicyindex *);
 static struct secspacq *key_getspacq (const struct secpolicyindex *);
+#endif
 static int key_acquire2 (struct socket *, struct mbuf *,
        const struct sadb_msghdr *);
 static int key_register (struct socket *, struct mbuf *,
@@ -1957,8 +1961,11 @@
 
        newsp->refcnt = 1;      /* do not reclaim until I say I do */
        newsp->state = IPSEC_SPSTATE_ALIVE;
+       if (newsp->policy == IPSEC_POLICY_IPSEC)
+               KASSERT(newsp->req != NULL);
        LIST_INSERT_TAIL(&sptree[newsp->spidx.dir], newsp, secpolicy, chain);
 
+#ifdef notyet
        /* delete the entry in spacqtree */
        if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
                struct secspacq *spacq = key_getspacq(&spidx);
@@ -1968,6 +1975,7 @@
                        spacq->count = 0;
                }
        }
+#endif
 
        /* Invalidate all cached SPD pointers in the PCBs. */
        ipsec_invalpcbcacheall();
@@ -2312,6 +2320,7 @@
                return key_senderror(so, m, ENOBUFS);
 }
 
+#ifdef notyet
 /*
  * SADB_X_SPDACQUIRE processing.
  * Acquire policy and SA(s) for a *OUTBOUND* packet.
@@ -2382,6 +2391,7 @@
                m_freem(result);
        return error;
 }
+#endif /* notyet */
 
 /*
  * SADB_SPDFLUSH processing
@@ -4669,6 +4679,7 @@
     }
 #endif
 
+#ifdef notyet
        /* SP ACQ tree */
     {
        struct secspacq *acq, *nextacq;
@@ -4681,6 +4692,7 @@
                }
        }
     }
+#endif
 
        /* do exchange to tick time !! */
        callout_reset(&key_timehandler_ch, hz, key_timehandler, NULL);
@@ -6418,6 +6430,7 @@
 }
 #endif
 
+#ifdef notyet
 static struct secspacq *
 key_newspacq(const struct secpolicyindex *spidx)
 {
@@ -6450,6 +6463,7 @@
 
        return NULL;
 }
+#endif /* notyet */
 
 /*
  * SADB_ACQUIRE processing,
@@ -7676,7 +7690,9 @@
 #ifndef IPSEC_NONBLOCK_ACQUIRE
        LIST_INIT(&acqtree);
 #endif
+#ifdef notyet
        LIST_INIT(&spacqtree);
+#endif
 
        /* system default */
        ip4_def_policy.policy = IPSEC_POLICY_NONE;