Simplify IPsec transform-specific teardown.

- Rename from the teardown callback from 'zeroize' to 'cleanup' since this no longer zeroes keys. - Change the callback return type to void. Nothing checked the return value and it was always zero. - Don't have esp call into ah since it no longer needs to depend on this to clear the auth key. Instead, both are now private and self-contained. Reviewed by: delphij Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25443
2020-06-25 23:59:16 +00:00 · 2020-06-25 23:59:16 +00:00 · 9b3292e515
commit 9b3292e515
parent 4a47715bda
6 changed files with 18 additions and 37 deletions
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@ -3059,11 +3059,8 @@ key_cleansav(struct secasvar *sav)
 	}
 	if (sav->flags & SADB_X_EXT_F_CLONED)
 		return;
-	/*
-	 * Cleanup xform state.
-	 */
 	if (sav->tdb_xform != NULL) {
-		sav->tdb_xform->xf_zeroize(sav);
+		sav->tdb_xform->xf_cleanup(sav);
 		sav->tdb_xform = NULL;
 	}
 	if (sav->key_auth != NULL) {
--- a/sys/netipsec/xform.h
+++ b/sys/netipsec/xform.h
@ -89,7 +89,7 @@ struct xformsw {
 	u_short			xf_type;	/* xform ID */
 	const char		*xf_name;	/* human-readable name */
 	int	(*xf_init)(struct secasvar*, struct xformsw*);	/* setup */
-	int	(*xf_zeroize)(struct secasvar*);		/* cleanup */
+	void	(*xf_cleanup)(struct secasvar*);		/* cleanup */
 	int	(*xf_input)(struct mbuf*, struct secasvar*,	/* input */
 			int, int);
 	int	(*xf_output)(struct mbuf*,			/* output */
@ -112,7 +112,6 @@ struct crypto_session_params;
 int xform_ah_authsize(const struct auth_hash *);
 int ah_init0(struct secasvar *, struct xformsw *,
    struct crypto_session_params *);
-extern int ah_zeroize(struct secasvar *sav);
 extern size_t ah_hdrsiz(struct secasvar *);

 /* XF_ESP */
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@ -241,20 +241,13 @@ ah_init(struct secasvar *sav, struct xformsw *xsp)
 		 crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
 }

-/*
- * Paranoia.
- *
- * NB: public for use by esp_zeroize (XXX).
- */
-int
-ah_zeroize(struct secasvar *sav)
+static void
+ah_cleanup(struct secasvar *sav)
 {

 	crypto_freesession(sav->tdb_cryptoid);
 	sav->tdb_cryptoid = NULL;
 	sav->tdb_authalgxform = NULL;
-	sav->tdb_xform = NULL;
-	return 0;
 }

 /*
@ -1141,7 +1134,7 @@ static struct xformsw ah_xformsw = {
 	.xf_type =	XF_AH,
 	.xf_name =	"IPsec AH",
 	.xf_init =	ah_init,
-	.xf_zeroize =	ah_zeroize,
+	.xf_cleanup =	ah_cleanup,
 	.xf_input =	ah_input,
 	.xf_output =	ah_output,
 };
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@ -237,18 +237,14 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
 	return error;
 }

-/*
- * Paranoia.
- */
-static int
-esp_zeroize(struct secasvar *sav)
+static void
+esp_cleanup(struct secasvar *sav)
 {
-	/* NB: ah_zeroize free's the crypto session state */
-	int error = ah_zeroize(sav);

+	crypto_freesession(sav->tdb_cryptoid);
+	sav->tdb_cryptoid = NULL;
+	sav->tdb_authalgxform = NULL;
 	sav->tdb_encalgxform = NULL;
-	sav->tdb_xform = NULL;
-	return error;
 }

 /*
@ -964,7 +960,7 @@ static struct xformsw esp_xformsw = {
 	.xf_type =	XF_ESP,
 	.xf_name =	"IPsec ESP",
 	.xf_init =	esp_init,
-	.xf_zeroize =	esp_zeroize,
+	.xf_cleanup =	esp_cleanup,
 	.xf_input =	esp_input,
 	.xf_output =	esp_output,
 };
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@ -179,15 +179,14 @@ ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
 }

 /*
- * ipcomp_zeroize() used when IPCA is deleted
+ * ipcomp_cleanup() used when IPCA is deleted
 */
-static int
-ipcomp_zeroize(struct secasvar *sav)
+static void
+ipcomp_cleanup(struct secasvar *sav)
 {

 	crypto_freesession(sav->tdb_cryptoid);
 	sav->tdb_cryptoid = NULL;
-	return 0;
 }

 /*
@ -739,7 +738,7 @@ static struct xformsw ipcomp_xformsw = {
 	.xf_type =	XF_IPCOMP,
 	.xf_name =	"IPcomp",
 	.xf_init =	ipcomp_init,
-	.xf_zeroize =	ipcomp_zeroize,
+	.xf_cleanup =	ipcomp_cleanup,
 	.xf_input =	ipcomp_input,
 	.xf_output =	ipcomp_output,
 };
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@ -361,19 +361,16 @@ tcpsignature_init(struct secasvar *sav, struct xformsw *xsp)
 /*
 * Called when the SA is deleted.
 */
-static int
-tcpsignature_zeroize(struct secasvar *sav)
+static void
+tcpsignature_cleanup(struct secasvar *sav)
 {
-
-	sav->tdb_xform = NULL;
-	return (0);
 }

 static struct xformsw tcpsignature_xformsw = {
 	.xf_type =	XF_TCPSIGNATURE,
 	.xf_name =	"TCP-MD5",
 	.xf_init =	tcpsignature_init,
-	.xf_zeroize =	tcpsignature_zeroize,
+	.xf_cleanup =	tcpsignature_cleanup,
 };

 static const struct tcpmd5_methods tcpmd5_methods = {