[hipl-commit] [trunk] Rev 4063: removed locking facilities from user ipsec

  • From: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
  • To: hipl-commit@xxxxxxxxxxxxx
  • Date: Mon, 29 Mar 2010 16:58:21 +0300

Committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
Date: 29/03/2010 at 16:58:21
Revision: 4063
Revision-id: rene.hummen@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Branch nick: trunk

Log:
  removed locking facilities from user ipsec
  
  Locking is not needed because the firewall is single-threaded. Additionally,
  the current implementation was incomplete.

Modified:
  M  firewall/user_ipsec_api.c
  M  firewall/user_ipsec_esp.c
  M  firewall/user_ipsec_sadb.c
  M  firewall/user_ipsec_sadb.h

=== modified file 'firewall/user_ipsec_api.c'
--- firewall/user_ipsec_api.c   2010-03-19 07:12:39 +0000
+++ firewall/user_ipsec_api.c   2010-03-29 13:57:13 +0000
@@ -288,13 +288,11 @@
         HIP_DEBUG("dropping original packet...\n");
 
         // update SA statistics for replay protection etc
-        pthread_mutex_lock(&entry->rw_lock);
         entry->bytes             += err;
         entry->usetime.tv_sec     = now.tv_sec;
         entry->usetime.tv_usec    = now.tv_usec;
         entry->usetime_ka.tv_sec  = now.tv_sec;
         entry->usetime_ka.tv_usec = now.tv_usec;
-        pthread_mutex_unlock(&entry->rw_lock);
 
         // the original packet has to be dropped
         err                       = 1;
@@ -371,13 +369,11 @@
         HIP_DEBUG("new packet SUCCESSFULLY re-inserted into network stack\n");
         HIP_DEBUG("dropping ESP packet...\n");
 
-        pthread_mutex_lock(&entry->rw_lock);
         entry->bytes             += err;
         entry->usetime.tv_sec     = now.tv_sec;
         entry->usetime.tv_usec    = now.tv_usec;
         entry->usetime_ka.tv_sec  = now.tv_sec;
         entry->usetime_ka.tv_usec = now.tv_usec;
-        pthread_mutex_unlock(&entry->rw_lock);
 
         // the original packet has to be dropped
         err                       = 1;

=== modified file 'firewall/user_ipsec_esp.c'
--- firewall/user_ipsec_esp.c   2010-03-19 09:00:54 +0000
+++ firewall/user_ipsec_esp.c   2010-03-29 13:57:13 +0000
@@ -153,8 +153,6 @@
         elen              = ctx->ipq_packet->data_len - sizeof(struct ip6_hdr);
 
         /* encrypt data now */
-        pthread_mutex_lock(&entry->rw_lock);
-
         HIP_DEBUG("encrypting data...\n");
 
         /* encrypts the payload and puts the encrypted data right
@@ -165,8 +163,6 @@
                                      esp_packet + next_hdr_offset, 
&encryption_len, entry),
                  -1, "failed to encrypt data");
 
-        pthread_mutex_unlock(&entry->rw_lock);
-
         // this also includes the ESP tail
         *esp_packet_len += encryption_len;
 
@@ -236,8 +232,6 @@
          * starting at the transport layer header */
         elen              = ctx->ipq_packet->data_len - sizeof(struct ip6_hdr);
 
-        pthread_mutex_lock(&entry->rw_lock);
-
         HIP_DEBUG("encrypting data...\n");
 
         /* encrypts the payload and puts the encrypted data right
@@ -249,8 +243,6 @@
                                      &encryption_len, entry),
                  -1, "failed to encrypt data");
 
-        pthread_mutex_unlock(&entry->rw_lock);
-
         // this also includes the ESP tail
         *esp_packet_len += encryption_len;
 
@@ -267,9 +259,6 @@
              "failed to cache hash of packet for cumulative authentication 
extension\n");
 
 out_err:
-    // needed in case something breaks during encryption -> unlock for next 
packet
-    pthread_mutex_unlock(&entry->rw_lock);
-
     return err;
 }
 
@@ -308,16 +297,12 @@
     }
 
     // decrypt now
-    pthread_mutex_lock(&entry->rw_lock);
-
     HIP_DEBUG("decrypting ESP packet...\n");
 
     HIP_IFEL(hip_payload_decrypt((unsigned char *) ctx->transport_hdr.esp, 
esp_len,
                                  decrypted_packet + next_hdr_offset, &next_hdr,
                                  &decrypted_data_len, entry), -1, "ESP 
decryption is not successful\n");
 
-    pthread_mutex_unlock(&entry->rw_lock);
-
     *decrypted_packet_len += decrypted_data_len;
 
     // now we know the next_hdr and can set up the IPv6 header
@@ -327,9 +312,6 @@
     HIP_DEBUG("original packet length: %i \n", *decrypted_packet_len);
 
 out_err:
-    // needed in case something breaks during decryption -> unlock for next 
packet
-    pthread_mutex_unlock(&entry->rw_lock);
-
     return err;
 }
 

=== modified file 'firewall/user_ipsec_sadb.c'
--- firewall/user_ipsec_sadb.c  2010-03-18 21:15:21 +0000
+++ firewall/user_ipsec_sadb.c  2010-03-29 13:57:13 +0000
@@ -15,9 +15,9 @@
 /* required for s6_addr32 */
 #define _BSD_SOURCE
 
-#include <pthread.h>
+//#include <pthread.h>
 #include <openssl/sha.h>
-#include <string.h>
+//#include <string.h>
 
 #include "user_ipsec_sadb.h"
 #include "esp_prot_api.h"
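Review bot: The two includes are commented out rather than deleted (`//#include <pthread.h>`, `//#include <string.h>`), which leaves dead code in the file; the same `//#include <pthread.h>` appears in the include hunk of firewall/user_ipsec_sadb.h. Dropping `<string.h>` is also unrelated to removing the locks: if this file calls any `mem*`/`str*` function (not visible in this hunk), it now depends on a transitive include for the prototypes. I would delete the pthread lines outright and keep `#include <string.h>` unless the file demonstrably no longer needs it. Because the lock removal rests entirely on the firewall being single-threaded, a comment on `struct hip_sa_entry` stating that invariant, e.g. `/* not thread-safe: SA entries must only be accessed from the single firewall thread */`, would warn anyone who later adds threads that the replay and usage counters are unprotected.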
@@ -592,7 +592,6 @@
                                                          inner_dst_addr)), -1,
                                                          "failed to retrieve 
sa entry\n");
 
-    pthread_mutex_lock(&stored_entry->rw_lock);
     /* delete all links
      *
      * XX TODO more efficient to delete entries in inbound db for all (addr, 
oldspi)
@@ -611,7 +610,6 @@
 
     HIP_IFEL(hip_link_entry_add(stored_entry->dst_addr, stored_entry), -1,
              "failed to add links\n");
-    pthread_mutex_unlock(&stored_entry->rw_lock);
 
     HIP_DEBUG("sa entry updated\n");
 
@@ -761,10 +759,6 @@
     HIP_IFEL(!(stored_entry = hip_sa_entry_find_outbound(src_addr, dst_addr)), 
-1,
              "failed to retrieve sa entry\n");
 
-    /* NOTE: no need to unlock mutex as the entry is already freed and can't be
-     * accessed any more */
-    pthread_mutex_lock(&stored_entry->rw_lock);
-
     HIP_IFEL(hip_link_entry_delete(stored_entry->dst_addr, stored_entry->spi), 
-1, "failed to delete links\n");
 
     // delete the entry from the sadb

=== modified file 'firewall/user_ipsec_sadb.h'
--- firewall/user_ipsec_sadb.h  2010-03-18 21:15:21 +0000
+++ firewall/user_ipsec_sadb.h  2010-03-29 13:57:13 +0000
@@ -21,7 +21,7 @@
 #include <openssl/blowfish.h>   /* bf_key */
 #endif
 #include <sys/time.h>
-#include <pthread.h>
+//#include <pthread.h>
 #include <inttypes.h>
 #include "lib/core/hashchain.h"
 #include "esp_prot_defines.h"
@@ -31,7 +31,6 @@
 
 /* IPsec Security Association entry */
 typedef struct hip_sa_entry {
-    pthread_mutex_t        rw_lock;        /* keep other threads from 
modifying */
     int                    direction;      /* direction of the SA: 
inbound/outbound */
     uint32_t               spi;            /* IPsec SPI number */
     uint32_t               mode;           /* ESP mode :  1-transport, 
2-tunnel, 3-beet */
