d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove code related to PACKET_TAG_IPSEC_IN_CRYPTO_DONE mbuf tag.

Browse Source 
It isn't used in FreeBSD.

Obtained from:	Yandex LLC
Sponsored by:	Yandex LLC
This commit is contained in:
Andrey V. Elsukov 2014-12-11 17:07:21 +00:00
parent 566cbcc82a
commit 08537f4526
2 changed files with 68 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
sys/netipsec/xform_ah.c
View File

@ -568,11 +568,9 @@ static int
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
struct auth_hash *ahx;
struct tdb_ident *tdbi;
struct tdb_crypto *tc;
struct m_tag *mtag;
struct newah *ah;
int hl, rplen, authsize;
int hl, rplen, authsize, error;
struct cryptodesc *crda;
struct cryptop *crp;
@ -640,27 +638,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
crda->crd_klen = _KEYBITS(sav->key_auth);
crda->crd_key = sav->key_auth->key_data;
/* Find out if we've already done crypto. */
for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
mtag != NULL;
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
tdbi = (struct tdb_ident *) (mtag + 1);
if (tdbi->proto == sav->sah->saidx.proto &&
tdbi->spi == sav->spi &&
!bcmp(&tdbi->dst, &sav->sah->saidx.dst,
sizeof (union sockaddr_union)))
break;
}
/* Allocate IPsec-specific opaque crypto info. */
if (mtag == NULL) {
tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) +
skip + rplen + authsize, M_XDATA, M_NOWAIT|M_ZERO);
} else {
/* Hash verification has already been done successfully. */
tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto),
M_XDATA, M_NOWAIT|M_ZERO);
}
tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) +
skip + rplen + authsize, M_XDATA, M_NOWAIT | M_ZERO);
if (tc == NULL) {
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
AHSTAT_INC(ahs_crypto);
@ -669,29 +649,24 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
return ENOBUFS;
}
/* Only save information if crypto processing is needed. */
if (mtag == NULL) {
int error;
/*
* Save the authenticator, the skipped portion of the packet,
* and the AH header.
*/
m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(tc+1));
/*
* Save the authenticator, the skipped portion of the packet,
* and the AH header.
*/
m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(tc+1));
/* Zeroize the authenticator on the packet. */
m_copyback(m, skip + rplen, authsize, ipseczeroes);
/* Zeroize the authenticator on the packet. */
m_copyback(m, skip + rplen, authsize, ipseczeroes);
/* "Massage" the packet headers for crypto processing. */
error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
skip, ahx->type, 0);
if (error != 0) {
/* NB: mbuf is free'd by ah_massage_headers */
AHSTAT_INC(ahs_hdrops);
free(tc, M_XDATA);
crypto_freereq(crp);
return error;
}
/* "Massage" the packet headers for crypto processing. */
error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
skip, ahx->type, 0);
if (error != 0) {
/* NB: mbuf is free'd by ah_massage_headers */
AHSTAT_INC(ahs_hdrops);
free(tc, M_XDATA);
crypto_freereq(crp);
return (error);
}
/* Crypto operation descriptor. */
@ -709,14 +684,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
tc->tc_nxt = ah->ah_nxt;
tc->tc_protoff = protoff;
tc->tc_skip = skip;
tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */
KEY_ADDREFSA(sav);
tc->tc_sav = sav;
if (mtag == NULL)
return crypto_dispatch(crp);
else
return ah_input_cb(crp);
return (crypto_dispatch(crp));
}
/*
@ -731,7 +701,6 @@ ah_input_cb(struct cryptop *crp)
struct cryptodesc *crd;
struct auth_hash *ahx;
struct tdb_crypto *tc;
struct m_tag *mtag;
struct secasvar *sav;
struct secasindex *saidx;
u_int8_t nxt;
@ -745,7 +714,6 @@ ah_input_cb(struct cryptop *crp)
skip = tc->tc_skip;
nxt = tc->tc_nxt;
protoff = tc->tc_protoff;
mtag = (struct m_tag *) tc->tc_ptr;
m = (struct mbuf *) crp->crp_buf;
sav = tc->tc_sav;
@ -791,34 +759,22 @@ ah_input_cb(struct cryptop *crp)
/* Copy authenticator off the packet. */
m_copydata(m, skip + rplen, authsize, calc);
/*
* If we have an mtag, we don't need to verify the authenticator --
* it has been verified by an IPsec-aware NIC.
*/
if (mtag == NULL) {
ptr = (caddr_t) (tc + 1);
/* Verify authenticator. */
if (bcmp(ptr + skip + rplen, calc, authsize)) {
DPRINTF(("%s: authentication hash mismatch for packet "
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_badauth);
error = EACCES;
goto bad;
}
/* Fix the Next Protocol field. */
((u_int8_t *) ptr)[protoff] = nxt;
/* Copyback the saved (uncooked) network headers. */
m_copyback(m, 0, skip, ptr);
} else {
/* Fix the Next Protocol field. */
m_copyback(m, protoff, sizeof(u_int8_t), &nxt);
/* Verify authenticator. */
ptr = (caddr_t) (tc + 1);
if (bcmp(ptr + skip + rplen, calc, authsize)) {
DPRINTF(("%s: authentication hash mismatch for packet "
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_badauth);
error = EACCES;
goto bad;
}
/* Fix the Next Protocol field. */
((u_int8_t *) ptr)[protoff] = nxt;
/* Copyback the saved (uncooked) network headers. */
m_copyback(m, 0, skip, ptr);
free(tc, M_XDATA), tc = NULL; /* No longer needed */
/*
@ -856,12 +812,12 @@ ah_input_cb(struct cryptop *crp)
switch (saidx->dst.sa.sa_family) {
#ifdef INET6
case AF_INET6:
error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
break;
#endif
#ifdef INET
case AF_INET:
error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
break;
#endif
default:

102
sys/netipsec/xform_esp.c
View File

@ -270,18 +270,16 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
struct auth_hash *esph;
struct enc_xform *espx;
struct tdb_ident *tdbi;
struct tdb_crypto *tc;
int plen, alen, hlen;
struct m_tag *mtag;
struct newesp *esp;
struct cryptodesc *crde;
struct cryptop *crp;
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
alen = 0;
/* Valid IP Packet length ? */
if ( (skip&3) || (m->m_pkthdr.len&3) ){
DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
@ -314,8 +312,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
alen = AH_HMAC_HASHLEN;
break;
}
}else
alen = 0;
}
/*
* Verify payload length is multiple of encryption algorithm
@ -340,7 +337,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
/*
* Check sequence number.
*/
if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
if (esph != NULL && sav->replay != NULL &&
!ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav))); /*XXX*/
ESPSTAT_INC(esps_replay);
@ -351,18 +349,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
/* Update the counters */
ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
/* Find out if we've already done crypto */
for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
mtag != NULL;
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
tdbi = (struct tdb_ident *) (mtag + 1);
if (tdbi->proto == sav->sah->saidx.proto &&
tdbi->spi == sav->spi &&
!bcmp(&tdbi->dst, &sav->sah->saidx.dst,
sizeof(union sockaddr_union)))
break;
}
/* Get crypto descriptors */
crp = crypto_getreq(esph && espx ? 2 : 1);
if (crp == NULL) {
@ -374,12 +360,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
}
/* Get IPsec-specific opaque pointer */
if (esph == NULL || mtag != NULL)
tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT|M_ZERO);
else
tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen,
M_XDATA, M_NOWAIT|M_ZERO);
tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen,
M_XDATA, M_NOWAIT | M_ZERO);
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
@ -388,9 +370,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
return ENOBUFS;
}
tc->tc_ptr = (caddr_t) mtag;
if (esph) {
if (esph != NULL) {
struct cryptodesc *crda = crp->crp_desc;
IPSEC_ASSERT(crda != NULL, ("null ah crypto descriptor"));
@ -405,9 +385,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
crda->crd_klen = _KEYBITS(sav->key_auth);
/* Copy the authenticator */
if (mtag == NULL)
m_copydata(m, m->m_pkthdr.len - alen, alen,
(caddr_t) (tc + 1));
m_copydata(m, m->m_pkthdr.len - alen, alen,
(caddr_t) (tc + 1));
/* Chain authentication request */
crde = crda->crd_next;
@ -433,22 +412,17 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
tc->tc_sav = sav;
/* Decryption descriptor */
if (espx) {
IPSEC_ASSERT(crde != NULL, ("null esp crypto descriptor"));
crde->crd_skip = skip + hlen;
crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
crde->crd_inject = skip + hlen - sav->ivlen;
IPSEC_ASSERT(crde != NULL, ("null esp crypto descriptor"));
crde->crd_skip = skip + hlen;
crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
crde->crd_inject = skip + hlen - sav->ivlen;
crde->crd_alg = espx->type;
crde->crd_key = sav->key_enc->key_data;
crde->crd_klen = _KEYBITS(sav->key_enc);
/* XXX Rounds ? */
}
crde->crd_alg = espx->type;
crde->crd_key = sav->key_enc->key_data;
crde->crd_klen = _KEYBITS(sav->key_enc);
/* XXX Rounds ? */
if (mtag == NULL)
return crypto_dispatch(crp);
else
return esp_input_cb(crp);
return (crypto_dispatch(crp));
}
/*
@ -464,7 +438,6 @@ esp_input_cb(struct cryptop *crp)
struct auth_hash *esph;
struct enc_xform *espx;
struct tdb_crypto *tc;
struct m_tag *mtag;
struct secasvar *sav;
struct secasindex *saidx;
caddr_t ptr;
@ -476,7 +449,6 @@ esp_input_cb(struct cryptop *crp)
IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
skip = tc->tc_skip;
protoff = tc->tc_protoff;
mtag = (struct m_tag *) tc->tc_ptr;
m = (struct mbuf *) crp->crp_buf;
sav = tc->tc_sav;
@ -526,30 +498,20 @@ esp_input_cb(struct cryptop *crp)
alen = AH_HMAC_HASHLEN;
break;
}
/*
* If we have a tag, it means an IPsec-aware NIC did
* the verification for us. Otherwise we need to
* check the authentication calculation.
*/
AHSTAT_INC(ahs_hist[sav->alg_auth]);
if (mtag == NULL) {
/* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - alen,
alen, aalg);
/* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - alen, alen, aalg);
ptr = (caddr_t) (tc + 1);
ptr = (caddr_t) (tc + 1);
/* Verify authenticator */
if (bcmp(ptr, aalg, alen) != 0) {
DPRINTF(("%s: "
"authentication hash mismatch for packet in SA %s/%08lx\n",
__func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
ESPSTAT_INC(esps_badauth);
error = EACCES;
goto bad;
}
/* Verify authenticator */
if (bcmp(ptr, aalg, alen) != 0) {
DPRINTF(("%s: authentication hash mismatch for "
"packet in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
ESPSTAT_INC(esps_badauth);
error = EACCES;
goto bad;
}
/* Remove trailing authenticator */
@ -635,12 +597,12 @@ esp_input_cb(struct cryptop *crp)
switch (saidx->dst.sa.sa_family) {
#ifdef INET6
case AF_INET6:
error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
break;
#endif
#ifdef INET
case AF_INET:
error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
break;
#endif
default: