diff options
author | Tobias Heider <tobhe@cvs.openbsd.org> | 2021-10-24 18:15:59 +0000 |
---|---|---|
committer | Tobias Heider <tobhe@cvs.openbsd.org> | 2021-10-24 18:15:59 +0000 |
commit | 45b1bea4b11d2420bea5874f47944b05075dd1b0 (patch) | |
tree | 12367239f604317e4c2e946c2c72cce2dee8f22f | |
parent | a2e27f6d5828a33928151a40b864dd5a71931f0a (diff) |
Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.
ok bluhm@
-rw-r--r-- | sys/netinet/ip_ipcomp.c | 145 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 5 |
2 files changed, 32 insertions, 118 deletions
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c index a8b99ebb456..6e381a0a830 100644 --- a/sys/netinet/ip_ipcomp.c +++ b/sys/netinet/ip_ipcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipcomp.c,v 1.85 2021/10/24 17:08:27 bluhm Exp $ */ +/* $OpenBSD: ip_ipcomp.c,v 1.86 2021/10/24 18:15:58 tobhe Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org) @@ -135,11 +135,17 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) { const struct comp_algo *ipcompx = tdb->tdb_compalgxform; struct mbuf *m = *mp; - struct tdb_crypto *tc = NULL; - int hlen, error, clen; - struct cryptodesc *crdc = NULL; struct cryptop *crp; + int hlen, error, clen, roff; + u_int8_t nproto; + u_int64_t ibytes; + struct mbuf *m1, *mo; + struct ipcomp *ipcomp; + caddr_t addr; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif hlen = IPCOMP_HLENGTH; @@ -151,14 +157,6 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) error = ENOBUFS; goto drop; } - /* Get IPsec-specific opaque pointer */ - tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); - if (tc == NULL) { - DPRINTF("failed to allocate tdb_crypto"); - ipcompstat_inc(ipcomps_crypto); - error = ENOBUFS; - goto drop; - } crdc = &crp->crp_desc[0]; crdc->crd_skip = skip + hlen; @@ -174,14 +172,6 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) crp->crp_buf = (caddr_t)m; crp->crp_sid = tdb->tdb_cryptoid; - /* These are passed as-is to the callback */ - tc->tc_skip = skip; - tc->tc_protoff = protoff; - tc->tc_spi = tdb->tdb_spi; - tc->tc_proto = IPPROTO_IPCOMP; - tc->tc_rdomain = tdb->tdb_rdomain; - tc->tc_dst = tdb->tdb_dst; - KERNEL_LOCK(); while ((error = crypto_invoke(crp)) == EAGAIN) { /* Reset the session ID */ @@ -199,35 +189,7 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) /* Release the crypto descriptors */ crypto_freereq(crp); - - return ipcomp_input_cb(tdb, tc, mp, clen); - - drop: - m_freemp(mp); - crypto_freereq(crp); - free(tc, M_XDATA, 0); - return error; -} - -int -ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp, - int clen) -{ - struct mbuf *m = *mp; - int skip, protoff, roff, hlen = IPCOMP_HLENGTH; - u_int8_t nproto; - u_int64_t ibytes; - struct mbuf *m1, *mo; - struct ipcomp *ipcomp; - caddr_t addr; -#ifdef ENCDEBUG - char buf[INET6_ADDRSTRLEN]; -#endif - - NET_ASSERT_LOCKED(); - - skip = tc->tc_skip; - protoff = tc->tc_protoff; + crp = NULL; /* update the counters */ ibytes = m->m_pkthdr.len - (skip + hlen); @@ -240,7 +202,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp, (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) { pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); tdb_delete(tdb); - goto baddone; + error = -1; + goto drop; } /* Notify on soft expiration */ if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && @@ -255,7 +218,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp, if (m->m_len < skip + hlen && (m = *mp = m_pullup(m, skip + hlen)) == NULL) { ipcompstat_inc(ipcomps_hdrops); - goto baddone; + error = -1; + goto drop; } /* Find the beginning of the IPCOMP header */ @@ -265,7 +229,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi)); ipcompstat_inc(ipcomps_hdrops); - goto baddone; + error = -1; + goto drop; } /* Keep the next protocol field */ addr = (caddr_t) mtod(m, struct ip *) + skip; @@ -321,19 +286,16 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp, m->m_pkthdr.len -= hlen; } - /* Release the crypto descriptors */ - free(tc, M_XDATA, 0); - /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof(u_int8_t), &nproto, M_NOWAIT); /* Back to generic IPsec input processing */ return ipsec_common_input_cb(mp, tdb, skip, protoff); - baddone: + drop: m_freemp(mp); - free(tc, M_XDATA, 0); - return -1; + crypto_freereq(crp); + return error; } /* @@ -343,16 +305,21 @@ int ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff) { const struct comp_algo *ipcompx = tdb->tdb_compalgxform; - int error, hlen, ilen, olen; + int error, hlen, ilen, olen, rlen, roff; struct cryptodesc *crdc = NULL; struct cryptop *crp = NULL; - struct tdb_crypto *tc; - struct mbuf *mi; + struct mbuf *mi, *mo; + struct ip *ip; + u_int16_t cpi; +#ifdef INET6 + struct ip6_hdr *ip6; +#endif #ifdef ENCDEBUG char buf[INET6_ADDRSTRLEN]; #endif #if NBPFILTER > 0 struct ifnet *encif; + struct ipcomp *ipcomp; if ((encif = enc_getif(0, tdb->tdb_tap)) != NULL) { encif->if_opackets++; @@ -417,7 +384,6 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff) } /* Update the counters */ - tdb->tdb_cur_bytes += m->m_pkthdr.len - skip; ipcompstat_add(ipcomps_obytes, m->m_pkthdr.len - skip); @@ -479,21 +445,6 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff) /* Compression operation */ crdc->crd_alg = ipcompx->type; - /* IPsec-specific opaque crypto info */ - tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); - if (tc == NULL) { - DPRINTF("failed to allocate tdb_crypto"); - ipcompstat_inc(ipcomps_crypto); - error = ENOBUFS; - goto drop; - } - - tc->tc_spi = tdb->tdb_spi; - tc->tc_proto = tdb->tdb_sproto; - tc->tc_skip = skip; - tc->tc_rdomain = tdb->tdb_rdomain; - tc->tc_dst = tdb->tdb_dst; - /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE; @@ -510,10 +461,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff) if (error) { DPRINTF("crypto error %d", error); ipsecstat_inc(ipsec_noxform); - free(tc, M_XDATA, 0); - m_freem(m); - crypto_freereq(crp); - return error; + goto drop; } ilen = crp->crp_ilen; @@ -521,36 +469,8 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff) /* Release the crypto descriptors */ crypto_freereq(crp); + crp = NULL; - return ipcomp_output_cb(tdb, tc, m, ilen, olen); - - drop: - m_freem(m); - crypto_freereq(crp); - return error; -} - -/* - * IPComp output callback. - */ -int -ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, - int ilen, int olen) -{ - struct mbuf *mo; - int skip, rlen, roff; - u_int16_t cpi; - struct ip *ip; -#ifdef INET6 - struct ip6_hdr *ip6; -#endif - struct ipcomp *ipcomp; -#ifdef ENCDEBUG - char buf[INET6_ADDRSTRLEN]; -#endif - int error; - - skip = tc->tc_skip; rlen = ilen - skip; /* Check sizes. */ @@ -602,9 +522,6 @@ ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, } skiphdr: - /* Release the crypto descriptor. */ - free(tc, M_XDATA, 0); - error = ipsp_process_done(m, tdb); if (error) ipcompstat_inc(ipcomps_outfail); @@ -612,6 +529,6 @@ ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, drop: m_freem(m); - free(tc, M_XDATA, 0); + crypto_freereq(crp); return error; } diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index a3712372fa3..f79d393197b 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.214 2021/10/24 17:08:27 bluhm Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.215 2021/10/24 18:15:58 tobhe Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -607,10 +607,7 @@ int ipcomp_attach(void); int ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *); int ipcomp_zeroize(struct tdb *); int ipcomp_input(struct mbuf **, struct tdb *, int, int); -int ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf **, int); int ipcomp_output(struct mbuf *, struct tdb *, int, int); -int ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int, - int); int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t); int ipcomp4_input(struct mbuf **, int *, int, int); #ifdef INET6 |