Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Prepare to stop using isr->sav 

isr is a shared resource and using isr->sav as a temporal storage
for each packet processing is racy. And also having a reference from
isr to sav makes the lifetime of sav non-deterministic; such a reference
is removed when a packet is processed and isr->sav is overwritten by
new one. Let's have a sav locally for each packet processing instead of
using shared isr->sav.

However this change doesn't stop using isr->sav yet because there are
some users of isr->sav. isr->sav will be removed after the users find
a way to not use isr->sav.
This commit is contained in:
ozaki-r 2017-07-14 12:26:26 +00:00
parent dfda6b6abe
commit 38b8f795b6
10 changed files with 72 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/netipsec/ipsec.h
View File

@ -1,4 +1,4 @@
/* $NetBSD: ipsec.h,v 1.51 2017/07/05 03:44:59 ozaki-r Exp $ */
/* $NetBSD: ipsec.h,v 1.52 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@ -341,7 +341,7 @@ void ipsec4_common_input(struct mbuf *m, ...);
int ipsec4_common_input_cb(struct mbuf *, struct secasvar *,
int, int);
int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *);
int ipsec_process_done (struct mbuf *, struct ipsecrequest *);
int ipsec_process_done(struct mbuf *, struct ipsecrequest *, struct secasvar *);
#define ipsec_indone(m) \
(m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)

62
sys/netipsec/ipsec_output.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: ipsec_output.c,v 1.53 2017/07/13 01:48:52 ozaki-r Exp $ */
/* $NetBSD: ipsec_output.c,v 1.54 2017/07/14 12:26:26 ozaki-r Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.53 2017/07/13 01:48:52 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.54 2017/07/14 12:26:26 ozaki-r Exp $");
/*
* IPsec output processing.
@ -142,9 +142,9 @@ ipsec_reinject_ipstack(struct mbuf *m, int af)
}
int
ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr,
struct secasvar *sav)
{
struct secasvar *sav;
struct secasindex *saidx;
int error;
#ifdef INET
@ -162,7 +162,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
KASSERT(m != NULL);
KASSERT(isr != NULL);
sav = isr->sav;
KASSERT(sav != NULL);
saidx = &sav->sah->saidx;
@ -293,7 +292,8 @@ ipsec_nextisr(
struct mbuf *m,
struct ipsecrequest *isr,
int af,
int *error
int *error,
struct secasvar **ret
)
{
#define IPSEC_OSTAT(type) \
@ -311,7 +311,7 @@ do { \
} \
} while (/*CONSTCOND*/0)
struct secasvar *sav;
struct secasvar *sav = NULL;
struct secasindex *saidx;
IPSEC_SPLASSERT_SOFTNET("ipsec_nextisr");
@ -380,7 +380,7 @@ again:
/*
* Lookup SA and validate it.
*/
*error = key_checkrequest(isr);
*error = key_checkrequest(isr, &sav);
if (*error != 0) {
/*
* IPsec processing is required, but no SA found.
@ -392,7 +392,6 @@ again:
IPSEC_STATINC(IPSEC_STAT_OUT_NOSA);
goto bad;
}
sav = isr->sav;
/* sav may be NULL here if we have an USE rule */
if (sav == NULL) {
KASSERTMSG(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
@ -404,6 +403,7 @@ again:
* It can happen when the last rules are USE rules
* */
if (isr == NULL) {
*ret = NULL;
*error = 0;
return isr;
}
@ -420,6 +420,7 @@ again:
" to policy (check your sysctls)\n");
IPSEC_OSTAT(PDROPS);
*error = EHOSTUNREACH;
KEY_FREESAV(&sav);
goto bad;
}
@ -428,6 +429,7 @@ again:
* before they invoke the xform output method.
*/
KASSERT(sav->tdb_xform != NULL);
*ret = sav;
return isr;
bad:
KASSERTMSG(*error != 0, "error return w/ no error code");
@ -442,7 +444,7 @@ bad:
int
ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
{
struct secasvar *sav;
struct secasvar *sav = NULL;
struct ip *ip;
int s, error, i, off;
union sockaddr_union *dst;
@ -453,7 +455,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
s = splsoftnet(); /* insure SA contents don't change */
isr = ipsec_nextisr(m, isr, AF_INET, &error);
isr = ipsec_nextisr(m, isr, AF_INET, &error, &sav);
if (isr == NULL) {
if (error != 0) {
goto bad;
@ -466,7 +468,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
}
}
sav = isr->sav;
KASSERT(sav != NULL);
dst = &sav->sah->saidx.dst;
/*
@ -476,7 +478,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
if (m->m_len < sizeof (struct ip) &&
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
error = ENOBUFS;
goto bad;
goto unrefsav;
}
ip = mtod(m, struct ip *);
/* Honor system-wide control of how to handle IP_DF */
@ -511,7 +513,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
if (m->m_len < sizeof (struct ip) &&
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
error = ENOBUFS;
goto bad;
goto unrefsav;
}
ip = mtod(m, struct ip *);
ip->ip_len = htons(m->m_pkthdr.len);
@ -519,7 +521,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
/* Encapsulate the packet */
error = ipip_output(m, isr, &mp, 0, 0);
error = ipip_output(m, isr, sav, &mp, 0, 0);
if (mp == NULL && !error) {
/* Should never happen. */
IPSECLOG(LOG_DEBUG,
@ -532,7 +534,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
m_freem(mp);
}
m = NULL; /* ipip_output() already freed it */
goto bad;
goto unrefsav;
}
m = mp, mp = NULL;
/*
@ -546,7 +548,7 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
if (m->m_len < sizeof (struct ip) &&
(m = m_pullup(m, sizeof (struct ip))) == NULL) {
error = ENOBUFS;
goto bad;
goto unrefsav;
}
ip = mtod(m, struct ip *);
ip->ip_off |= htons(IP_DF);
@ -572,12 +574,15 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
i = sizeof(struct ip6_hdr);
off = offsetof(struct ip6_hdr, ip6_nxt);
}
error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
} else {
error = ipsec_process_done(m, isr);
error = ipsec_process_done(m, isr, sav);
}
KEY_FREESAV(&sav);
splx(s);
return error;
unrefsav:
KEY_FREESAV(&sav);
bad:
splx(s);
if (m)
@ -673,7 +678,7 @@ ipsec6_process_packet(
struct ipsecrequest *isr
)
{
struct secasvar *sav;
struct secasvar *sav = NULL;
struct ip6_hdr *ip6;
int s, error, i, off;
union sockaddr_union *dst;
@ -683,7 +688,7 @@ ipsec6_process_packet(
s = splsoftnet(); /* insure SA contents don't change */
isr = ipsec_nextisr(m, isr, AF_INET6, &error);
isr = ipsec_nextisr(m, isr, AF_INET6, &error, &sav);
if (isr == NULL) {
if (error != 0) {
/* XXX Should we send a notification ? */
@ -697,7 +702,7 @@ ipsec6_process_packet(
}
}
sav = isr->sav;
KASSERT(sav != NULL);
dst = &sav->sah->saidx.dst;
ip6 = mtod(m, struct ip6_hdr *); /* XXX */
@ -715,21 +720,21 @@ ipsec6_process_packet(
if (m->m_len < sizeof(struct ip6_hdr)) {
if ((m = m_pullup(m,sizeof(struct ip6_hdr))) == NULL) {
error = ENOBUFS;
goto bad;
goto unrefsav;
}
}
if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) {
/* No jumbogram support. */
error = ENXIO; /*XXX*/
goto bad;
goto unrefsav;
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
/* Encapsulate the packet */
error = ipip_output(m, isr, &mp, 0, 0);
error = ipip_output(m, isr, sav, &mp, 0, 0);
if (mp == NULL && !error) {
/* Should never happen. */
IPSECLOG(LOG_DEBUG,
@ -743,7 +748,7 @@ ipsec6_process_packet(
m_freem(mp);
}
m = NULL; /* ipip_output() already freed it */
goto bad;
goto unrefsav;
}
m = mp;
@ -758,9 +763,12 @@ ipsec6_process_packet(
} else {
compute_ipsec_pos(m, &i, &off);
}
error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
KEY_FREESAV(&sav);
splx(s);
return error;
unrefsav:
KEY_FREESAV(&sav);
bad:
splx(s);
if (m)

12
sys/netipsec/key.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: key.c,v 1.183 2017/07/14 01:30:08 ozaki-r Exp $ */
/* $NetBSD: key.c,v 1.184 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.183 2017/07/14 01:30:08 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.184 2017/07/14 12:26:26 ozaki-r Exp $");
/*
* This code is referd to RFC 2367
@ -837,7 +837,7 @@ done:
* ENOENT: policy may be valid, but SA with REQUIRE is on acquiring.
*/
int
key_checkrequest(struct ipsecrequest *isr)
key_checkrequest(struct ipsecrequest *isr, struct secasvar **ret)
{
u_int level;
int error;
@ -898,8 +898,11 @@ key_checkrequest(struct ipsecrequest *isr)
KEY_FREESAV(&oldsav);
/* When there is SA. */
if (isr->sav != NULL)
if (isr->sav != NULL) {
*ret = isr->sav;
SA_ADDREF(*ret);
return 0;
}
/* there is no SA */
error = key_acquire(saidx, isr->sp);
@ -913,6 +916,7 @@ key_checkrequest(struct ipsecrequest *isr)
if (level != IPSEC_LEVEL_REQUIRE) {
/* XXX sigh, the interface to this routine is botched */
KASSERTMSG(isr->sav == NULL, "unexpected SA");
*ret = NULL;
return 0;
} else {
return ENOENT;

4
sys/netipsec/key.h
View File

@ -1,4 +1,4 @@
/* $NetBSD: key.h,v 1.22 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $NetBSD: key.h,v 1.23 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
@ -93,7 +93,7 @@ void key_freesav(struct secasvar **, const char*, int);
key_freesav(psav, __func__, __LINE__)
int key_checktunnelsanity (struct secasvar *, u_int, void *, void *);
int key_checkrequest(struct ipsecrequest *);
int key_checkrequest(struct ipsecrequest *, struct secasvar **);
struct secpolicy *key_msg2sp (const struct sadb_x_policy *, size_t, int *);
struct mbuf *key_sp2msg (const struct secpolicy *);

7
sys/netipsec/xform.h
View File

@ -1,4 +1,4 @@
/* $NetBSD: xform.h,v 1.10 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $NetBSD: xform.h,v 1.11 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */
/*
@ -93,7 +93,8 @@ struct xformsw {
int (*xf_input)(struct mbuf*, struct secasvar*, /* input */
int, int);
int (*xf_output)(struct mbuf*, /* output */
struct ipsecrequest *, struct mbuf **, int, int);
struct ipsecrequest *, struct secasvar *,
struct mbuf **, int, int);
struct xformsw *xf_next; /* list of registered xforms */
};
@ -106,7 +107,7 @@ struct cryptoini;
/* XF_IP4 */
extern int ip4_input6(struct mbuf **m, int *offp, int proto);
extern void ip4_input(struct mbuf *m, int, int);
extern int ipip_output(struct mbuf *, struct ipsecrequest *,
extern int ipip_output(struct mbuf *, struct ipsecrequest *, struct secasvar *,
struct mbuf **, int, int);
/* XF_AH */

10
sys/netipsec/xform_ah.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $NetBSD: xform_ah.c,v 1.61 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.61 2017/07/14 12:26:26 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@ -955,13 +955,13 @@ static int
ah_output(
struct mbuf *m,
struct ipsecrequest *isr,
struct secasvar *sav,
struct mbuf **mp,
int skip,
int protoff
)
{
char buf[IPSEC_ADDRSTRLEN];
struct secasvar *sav;
const struct auth_hash *ahx;
struct cryptodesc *crda;
struct tdb_crypto *tc;
@ -974,7 +974,6 @@ ah_output(
IPSEC_SPLASSERT_SOFTNET(__func__);
sav = isr->sav;
KASSERT(sav != NULL);
KASSERT(sav->tdb_authalgxform != NULL);
ahx = sav->tdb_authalgxform;
@ -1202,7 +1201,6 @@ ah_output_cb(struct cryptop *crp)
goto bad;
}
}
KASSERTMSG(isr->sav == sav, "SA changed");
/* Check for crypto errors. */
if (crp->crp_etype) {
@ -1256,7 +1254,7 @@ ah_output_cb(struct cryptop *crp)
#endif
/* NB: m is reclaimed by ipsec_process_done. */
err = ipsec_process_done(m, isr);
err = ipsec_process_done(m, isr, sav);
KEY_FREESAV(&sav);
mutex_exit(softnet_lock);
splx(s);

12
sys/netipsec/xform_esp.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $NetBSD: xform_esp.c,v 1.62 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.62 2017/07/14 12:26:26 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@ -698,6 +698,7 @@ static int
esp_output(
struct mbuf *m,
struct ipsecrequest *isr,
struct secasvar *sav,
struct mbuf **mp,
int skip,
int protoff
@ -709,7 +710,6 @@ esp_output(
int hlen, rlen, padding, blks, alen, i, roff;
struct mbuf *mo = NULL;
struct tdb_crypto *tc;
struct secasvar *sav;
struct secasindex *saidx;
unsigned char *pad;
uint8_t prot;
@ -720,8 +720,6 @@ esp_output(
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(isr->sav != NULL);
sav = isr->sav;
esph = sav->tdb_authalgxform;
KASSERT(sav->tdb_encalgxform != NULL);
espx = sav->tdb_encalgxform;
@ -981,8 +979,6 @@ esp_output_cb(struct cryptop *crp)
goto bad;
}
}
KASSERTMSG(isr->sav == sav,
"SA changed was %p now %p", isr->sav, sav);
/* Check for crypto errors. */
if (crp->crp_etype) {
@ -1037,7 +1033,7 @@ esp_output_cb(struct cryptop *crp)
#endif
/* NB: m is reclaimed by ipsec_process_done. */
err = ipsec_process_done(m, isr);
err = ipsec_process_done(m, isr, sav);
KEY_FREESAV(&sav);
mutex_exit(softnet_lock);
splx(s);

14
sys/netipsec/xform_ipcomp.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.42 2017/07/14 01:24:23 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.43 2017/07/14 12:26:26 ozaki-r Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#if defined(_KERNEL_OPT)
@ -376,13 +376,13 @@ static int
ipcomp_output(
struct mbuf *m,
struct ipsecrequest *isr,
struct secasvar *sav,
struct mbuf **mp,
int skip,
int protoff
)
{
char buf[IPSEC_ADDRSTRLEN];
struct secasvar *sav;
const struct comp_algo *ipcompx;
int error, ralen, hlen, maxpacketsize;
struct cryptodesc *crdc;
@ -390,8 +390,7 @@ ipcomp_output(
struct tdb_crypto *tc;
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(isr->sav != NULL);
sav = isr->sav;
KASSERT(sav != NULL);
KASSERT(sav->tdb_compalgxform != NULL);
ipcompx = sav->tdb_compalgxform;
@ -400,7 +399,7 @@ ipcomp_output(
/* Don't process the packet if it is too short */
if (ralen < ipcompx->minlen) {
IPCOMP_STATINC(IPCOMP_STAT_MINLEN);
return ipsec_process_done(m,isr);
return ipsec_process_done(m, isr, sav);
}
hlen = IPCOMP_HLENGTH;
@ -547,7 +546,6 @@ ipcomp_output_cb(struct cryptop *crp)
goto bad;
}
}
KASSERTMSG(isr->sav == sav, "SA changed");
/* Check for crypto errors */
if (crp->crp_etype) {
@ -651,7 +649,7 @@ ipcomp_output_cb(struct cryptop *crp)
crypto_freereq(crp);
/* NB: m is reclaimed by ipsec_process_done. */
error = ipsec_process_done(m, isr);
error = ipsec_process_done(m, isr, sav);
KEY_FREESAV(&sav);
mutex_exit(softnet_lock);
splx(s);

10
sys/netipsec/xform_ipip.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: xform_ipip.c,v 1.52 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $NetBSD: xform_ipip.c,v 1.53 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.52 2017/07/14 01:24:23 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.53 2017/07/14 12:26:26 ozaki-r Exp $");
/*
* IP-inside-IP processing
@ -397,13 +397,13 @@ int
ipip_output(
struct mbuf *m,
struct ipsecrequest *isr,
struct secasvar *sav,
struct mbuf **mp,
int skip,
int protoff
)
{
char buf[IPSEC_ADDRSTRLEN];
struct secasvar *sav;
uint8_t tp, otos;
struct secasindex *saidx;
int error;
@ -416,9 +416,7 @@ ipip_output(
#endif /* INET6 */
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(isr->sav != NULL);
sav = isr->sav;
KASSERT(sav != NULL);
/* XXX Deal with empty TDB source/destination addresses. */

6
sys/netipsec/xform_tcp.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: xform_tcp.c,v 1.14 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $NetBSD: xform_tcp.c,v 1.15 2017/07/14 12:26:26 ozaki-r Exp $ */
/* $FreeBSD: sys/netipsec/xform_tcp.c,v 1.1.2.1 2004/02/14 22:24:09 bms Exp $ */
/*
@ -31,7 +31,7 @@
/* TCP MD5 Signature Option (RFC2385) */
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.14 2017/07/14 01:24:23 ozaki-r Exp $");
__KERNEL_RCSID(0, "$NetBSD: xform_tcp.c,v 1.15 2017/07/14 12:26:26 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@ -155,7 +155,7 @@ tcpsignature_input(struct mbuf *m, struct secasvar *sav, int skip,
*/
static int
tcpsignature_output(struct mbuf *m, struct ipsecrequest *isr,
struct mbuf **mp, int skip, int protoff)
struct secasvar *sav, struct mbuf **mp, int skip, int protoff)
{
return (EINVAL);