src - OpenBSD base system

diff options


context:
space:
mode:

author	Angelos D. Keromytis <angelos@cvs.openbsd.org>	2001-06-01 00:09:25 +0000
committer	Angelos D. Keromytis <angelos@cvs.openbsd.org>	2001-06-01 00:09:25 +0000
commit	1aad248ec909ab518820148b025dd872ca3ba72f (patch)
tree	ea662675f15ffa8cc2726255c142dffef6b26344 /sys/netinet
parent	d0650c3abac4e6d4b1ab6558380a7ba8a679fd12 (diff)

The IPsec-aware NIC cards don't pass the ICV for later verification

by the stack; that means, if we have a tag it means the ICV was successfully verified and we don't need to do anything else. As well, we don't need any other status information from the NIC.

Diffstat (limited to 'sys/netinet')

-rw-r--r--

sys/netinet/ip_ah.c

-rw-r--r--

sys/netinet/ip_esp.c

-rw-r--r--

sys/netinet/ip_ipsp.h

3 files changed, 37 insertions, 81 deletions

diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 36cf6c2cfd8..e3ea676ff6a 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ip_ah.c,v 1.57 2001/05/30 12:29:03 angelos Exp $ */

+/* $OpenBSD: ip_ah.c,v 1.58 2001/06/01 00:09:23 angelos Exp $ */

* The authors of this code are John Ioannidis (ji@tla.org),

@@ -621,27 +621,9 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)

if (mtag == NULL)

MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto) + skip +

rplen + ahx->authsize, M_XDATA, M_NOWAIT);

- else

- {

-#ifdef DEBUG

- /*

- * Check that it has the proper length -- i.e., contains the

- * authenticator.

- */

- if (mtag->m_tag_len != sizeof(struct tdb_ident) + ahx->authsize)

- {

- m_freem(m);

- crypto_freereq(crp);

- DPRINTF(("ah_input(): tag had wrong length (%d, should be %d)\n",

- mtag->m_tag_len,

- sizeof(struct tdb_ident) + ahx->authsize));

- ahstat.ahs_crypto++;

- return EINVAL;

- }

-#endif

- MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto), M_XDATA,

- M_NOWAIT);

- }

+ else /* Hash verification has already been done successfully */

+ MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto), M_XDATA,

+ M_NOWAIT);

if (tc == NULL)

{

m_freem(m);

@@ -710,11 +692,11 @@ ah_input_cb(void *op)

struct cryptodesc *crd;

struct auth_hash *ahx;

struct tdb_crypto *tc;

- caddr_t ptr, authptr;

struct cryptop *crp;

struct m_tag *mtag;

struct tdb *tdb;

u_int8_t prot;

+ caddr_t ptr;

int s, err;

crp = (struct cryptop *) op;

@@ -780,13 +762,21 @@ ah_input_cb(void *op)

m_copydata(m, skip + rplen, ahx->authsize, calc);

- * If we have an mtag, it means we can get the authenticator off

- * of it, as opposed to right after the tdb_crypto.

+ * If we have an mtag, we don't need to verify the authenticator --

+ * it has been verified by an IPsec-aware NIC.

if (mtag == NULL)

{

ptr = (caddr_t) (tc + 1);

- authptr = ptr + skip + rplen;

+ /* Verify authenticator */

+ if (bcmp(ptr + skip + rplen, calc, ahx->authsize))

+ {

+ DPRINTF(("ah_input(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));

+ ahstat.ahs_badauth++;

+ error = EACCES;

+ goto baddone;

+ }

/* Fix the Next Protocol field */

((u_int8_t *) ptr)[protoff] = ((u_int8_t *) ptr)[skip];

@@ -796,23 +786,11 @@ ah_input_cb(void *op)

}

else

{

- authptr = (caddr_t) (mtag + 1);

- authptr += sizeof(struct tdb_crypto);

/* Fix the Next Protocol field */

m_copydata(m, skip, sizeof(u_int8_t), &prot);

m_copyback(m, protoff, sizeof(u_int8_t), &prot);

}

- /* Verify authenticator */

- if (bcmp(authptr, calc, ahx->authsize))

- {

- DPRINTF(("ah_input(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));

- ahstat.ahs_badauth++;

- error = EACCES;

- goto baddone;

- }

/* Record the beginning of the AH header */

m1 = m_getptr(m, skip, &roff);

if (m1 == NULL)

diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 65d77943214..1b580793b6c 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ip_esp.c,v 1.62 2001/05/30 12:29:04 angelos Exp $ */

+/* $OpenBSD: ip_esp.c,v 1.63 2001/06/01 00:09:23 angelos Exp $ */

* The authors of this code are John Ioannidis (ji@tla.org),

@@ -380,20 +380,6 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)

!bcmp(&tdbi->dst, &tdb->tdb_dst, sizeof(union sockaddr_union)))

break;

}

-#ifdef DEBUG

- /*

- * Check the the length of the tag is correct, i.e., it contains the

- * authenticator.

- */

- if (mtag != NULL && mtag->m_tag_len != sizeof(struct tdb_ident) + alen)

- {

- m_freem(m);

- DPRINTF(("esp_input(): bad tag length %d (should be %d)\n",

- mtag->m_tag_len, sizeof(struct tdb_ident) + alen));

- espstat.esps_crypto++;

- return EINVAL;

- }

-#endif

/* Get crypto descriptors */

crp = crypto_getreq(esph && espx ? 2 : 1);

@@ -561,27 +547,29 @@ esp_input_cb(void *op)

goto baddone;

}

- /* If authentication was performed, check now */

- if (esph)

+ /* If authentication was performed, check now. */

+ if (esph != NULL)

{

- /* Copy the authenticator from the packet */

- m_copydata(m, m->m_pkthdr.len - esph->authsize, esph->authsize, aalg);

+ /*

+ * If we have a tag, it means an IPsec-aware NIC did the verification

+ * for us.

+ */

if (mtag != NULL)

{

- ptr = (caddr_t) (mtag + 1);

- ptr += sizeof(struct tdb_ident);

- }

- else

- ptr = (caddr_t) (tc + 1);

+ /* Copy the authenticator from the packet */

+ m_copydata(m, m->m_pkthdr.len - esph->authsize, esph->authsize,

+ aalg);

- /* Verify authenticator */

- if (bcmp(ptr, aalg, esph->authsize))

- {

- DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));

- espstat.esps_badauth++;

- error = EACCES;

- goto baddone;

+ ptr = (caddr_t) (tc + 1);

+ /* Verify authenticator */

+ if (bcmp(ptr, aalg, esph->authsize))

+ {

+ DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));

+ espstat.esps_badauth++;

+ error = EACCES;

+ goto baddone;

+ }

}

/* Remove trailing authenticator */

diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index f1e715e86e7..f7fd4603b03 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: ip_ipsp.h,v 1.99 2001/05/31 23:45:50 angelos Exp $ */

+/* $OpenBSD: ip_ipsp.h,v 1.100 2001/06/01 00:09:24 angelos Exp $ */

* The authors of this code are John Ioannidis (ji@tla.org),

@@ -89,16 +89,6 @@ union sockaddr_union

#define IPSEC_DEFAULT_DEF_AUTH "hmac-sha1"

#define IPSEC_DEFAULT_EXPIRE_ACQUIRE 30

-/* Status for IPsec processing done on IPsec-aware NICs */

-struct ipsec_nic_crypto

- u_int8_t nic_status; /* Bitfield */

-};

-#define IPSEC_NIC_STATUS_OK 0

-#define IPSEC_NIC_HASH_FAILED 0x0001

-#define IPSEC_NIC_ BAD_ESP_FORMAT 0x0002

struct sockaddr_encap

{

u_int8_t sen_len; /* length */