summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTobias Heider <tobhe@cvs.openbsd.org>2021-10-24 18:15:59 +0000
committerTobias Heider <tobhe@cvs.openbsd.org>2021-10-24 18:15:59 +0000
commit45b1bea4b11d2420bea5874f47944b05075dd1b0 (patch)
tree12367239f604317e4c2e946c2c72cce2dee8f22f
parenta2e27f6d5828a33928151a40b864dd5a71931f0a (diff)
Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API. ok bluhm@
-rw-r--r--sys/netinet/ip_ipcomp.c145
-rw-r--r--sys/netinet/ip_ipsp.h5
2 files changed, 32 insertions, 118 deletions
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index a8b99ebb456..6e381a0a830 100644
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.85 2021/10/24 17:08:27 bluhm Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.86 2021/10/24 18:15:58 tobhe Exp $ */
/*
* Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -135,11 +135,17 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
{
const struct comp_algo *ipcompx = tdb->tdb_compalgxform;
struct mbuf *m = *mp;
- struct tdb_crypto *tc = NULL;
- int hlen, error, clen;
-
struct cryptodesc *crdc = NULL;
struct cryptop *crp;
+ int hlen, error, clen, roff;
+ u_int8_t nproto;
+ u_int64_t ibytes;
+ struct mbuf *m1, *mo;
+ struct ipcomp *ipcomp;
+ caddr_t addr;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
hlen = IPCOMP_HLENGTH;
@@ -151,14 +157,6 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
error = ENOBUFS;
goto drop;
}
- /* Get IPsec-specific opaque pointer */
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
- if (tc == NULL) {
- DPRINTF("failed to allocate tdb_crypto");
- ipcompstat_inc(ipcomps_crypto);
- error = ENOBUFS;
- goto drop;
- }
crdc = &crp->crp_desc[0];
crdc->crd_skip = skip + hlen;
@@ -174,14 +172,6 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
crp->crp_buf = (caddr_t)m;
crp->crp_sid = tdb->tdb_cryptoid;
- /* These are passed as-is to the callback */
- tc->tc_skip = skip;
- tc->tc_protoff = protoff;
- tc->tc_spi = tdb->tdb_spi;
- tc->tc_proto = IPPROTO_IPCOMP;
- tc->tc_rdomain = tdb->tdb_rdomain;
- tc->tc_dst = tdb->tdb_dst;
-
KERNEL_LOCK();
while ((error = crypto_invoke(crp)) == EAGAIN) {
/* Reset the session ID */
@@ -199,35 +189,7 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
/* Release the crypto descriptors */
crypto_freereq(crp);
-
- return ipcomp_input_cb(tdb, tc, mp, clen);
-
- drop:
- m_freemp(mp);
- crypto_freereq(crp);
- free(tc, M_XDATA, 0);
- return error;
-}
-
-int
-ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
- int clen)
-{
- struct mbuf *m = *mp;
- int skip, protoff, roff, hlen = IPCOMP_HLENGTH;
- u_int8_t nproto;
- u_int64_t ibytes;
- struct mbuf *m1, *mo;
- struct ipcomp *ipcomp;
- caddr_t addr;
-#ifdef ENCDEBUG
- char buf[INET6_ADDRSTRLEN];
-#endif
-
- NET_ASSERT_LOCKED();
-
- skip = tc->tc_skip;
- protoff = tc->tc_protoff;
+ crp = NULL;
/* update the counters */
ibytes = m->m_pkthdr.len - (skip + hlen);
@@ -240,7 +202,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
(tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
- goto baddone;
+ error = -1;
+ goto drop;
}
/* Notify on soft expiration */
if ((tdb->tdb_flags & TDBF_SOFT_BYTES) &&
@@ -255,7 +218,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
if (m->m_len < skip + hlen &&
(m = *mp = m_pullup(m, skip + hlen)) == NULL) {
ipcompstat_inc(ipcomps_hdrops);
- goto baddone;
+ error = -1;
+ goto drop;
}
/* Find the beginning of the IPCOMP header */
@@ -265,7 +229,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_hdrops);
- goto baddone;
+ error = -1;
+ goto drop;
}
/* Keep the next protocol field */
addr = (caddr_t) mtod(m, struct ip *) + skip;
@@ -321,19 +286,16 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
m->m_pkthdr.len -= hlen;
}
- /* Release the crypto descriptors */
- free(tc, M_XDATA, 0);
-
/* Restore the Next Protocol field */
m_copyback(m, protoff, sizeof(u_int8_t), &nproto, M_NOWAIT);
/* Back to generic IPsec input processing */
return ipsec_common_input_cb(mp, tdb, skip, protoff);
- baddone:
+ drop:
m_freemp(mp);
- free(tc, M_XDATA, 0);
- return -1;
+ crypto_freereq(crp);
+ return error;
}
/*
@@ -343,16 +305,21 @@ int
ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
{
const struct comp_algo *ipcompx = tdb->tdb_compalgxform;
- int error, hlen, ilen, olen;
+ int error, hlen, ilen, olen, rlen, roff;
struct cryptodesc *crdc = NULL;
struct cryptop *crp = NULL;
- struct tdb_crypto *tc;
- struct mbuf *mi;
+ struct mbuf *mi, *mo;
+ struct ip *ip;
+ u_int16_t cpi;
+#ifdef INET6
+ struct ip6_hdr *ip6;
+#endif
#ifdef ENCDEBUG
char buf[INET6_ADDRSTRLEN];
#endif
#if NBPFILTER > 0
struct ifnet *encif;
+ struct ipcomp *ipcomp;
if ((encif = enc_getif(0, tdb->tdb_tap)) != NULL) {
encif->if_opackets++;
@@ -417,7 +384,6 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
}
/* Update the counters */
-
tdb->tdb_cur_bytes += m->m_pkthdr.len - skip;
ipcompstat_add(ipcomps_obytes, m->m_pkthdr.len - skip);
@@ -479,21 +445,6 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
/* Compression operation */
crdc->crd_alg = ipcompx->type;
- /* IPsec-specific opaque crypto info */
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
- if (tc == NULL) {
- DPRINTF("failed to allocate tdb_crypto");
- ipcompstat_inc(ipcomps_crypto);
- error = ENOBUFS;
- goto drop;
- }
-
- tc->tc_spi = tdb->tdb_spi;
- tc->tc_proto = tdb->tdb_sproto;
- tc->tc_skip = skip;
- tc->tc_rdomain = tdb->tdb_rdomain;
- tc->tc_dst = tdb->tdb_dst;
-
/* Crypto operation descriptor */
crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE;
@@ -510,10 +461,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
if (error) {
DPRINTF("crypto error %d", error);
ipsecstat_inc(ipsec_noxform);
- free(tc, M_XDATA, 0);
- m_freem(m);
- crypto_freereq(crp);
- return error;
+ goto drop;
}
ilen = crp->crp_ilen;
@@ -521,36 +469,8 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
/* Release the crypto descriptors */
crypto_freereq(crp);
+ crp = NULL;
- return ipcomp_output_cb(tdb, tc, m, ilen, olen);
-
- drop:
- m_freem(m);
- crypto_freereq(crp);
- return error;
-}
-
-/*
- * IPComp output callback.
- */
-int
-ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m,
- int ilen, int olen)
-{
- struct mbuf *mo;
- int skip, rlen, roff;
- u_int16_t cpi;
- struct ip *ip;
-#ifdef INET6
- struct ip6_hdr *ip6;
-#endif
- struct ipcomp *ipcomp;
-#ifdef ENCDEBUG
- char buf[INET6_ADDRSTRLEN];
-#endif
- int error;
-
- skip = tc->tc_skip;
rlen = ilen - skip;
/* Check sizes. */
@@ -602,9 +522,6 @@ ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m,
}
skiphdr:
- /* Release the crypto descriptor. */
- free(tc, M_XDATA, 0);
-
error = ipsp_process_done(m, tdb);
if (error)
ipcompstat_inc(ipcomps_outfail);
@@ -612,6 +529,6 @@ ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m,
drop:
m_freem(m);
- free(tc, M_XDATA, 0);
+ crypto_freereq(crp);
return error;
}
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index a3712372fa3..f79d393197b 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.214 2021/10/24 17:08:27 bluhm Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.215 2021/10/24 18:15:58 tobhe Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -607,10 +607,7 @@ int ipcomp_attach(void);
int ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int ipcomp_zeroize(struct tdb *);
int ipcomp_input(struct mbuf **, struct tdb *, int, int);
-int ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf **, int);
int ipcomp_output(struct mbuf *, struct tdb *, int, int);
-int ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
- int);
int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int ipcomp4_input(struct mbuf **, int *, int, int);
#ifdef INET6