Module Name:    src
Committed By:   ozaki-r
Date:           Wed Jul  5 03:44:59 UTC 2017

Modified Files:
        src/sys/netipsec: ipsec.h ipsec6.h ipsec_input.c xform.h xform_ah.c
            xform_esp.c xform_ipcomp.c

Log Message:
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE

It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters
that have IPsec accelerators; a driver sets the mtag to a packet
when its device has already encrypted the packet.

Unfortunately no driver has implemented such offload features for many
years, and it seems unlikely that one will soon. (Note that neither
FreeBSD nor Linux has such drivers.) Let's remove the related
(unused) code and simplify the IPsec code.


To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.51 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.17 -r1.18 src/sys/netipsec/ipsec6.h
cvs rdiff -u -r1.44 -r1.45 src/sys/netipsec/ipsec_input.c
cvs rdiff -u -r1.8 -r1.9 src/sys/netipsec/xform.h
cvs rdiff -u -r1.55 -r1.56 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.56 -r1.57 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.39 -r1.40 src/sys/netipsec/xform_ipcomp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.50 src/sys/netipsec/ipsec.h:1.51
--- src/sys/netipsec/ipsec.h:1.50	Fri Jun  2 03:41:20 2017
+++ src/sys/netipsec/ipsec.h	Wed Jul  5 03:44:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.50 2017/06/02 03:41:20 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.51 2017/07/05 03:44:59 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -339,7 +339,7 @@ void *ah4_ctlinput(int, const struct soc
 struct m_tag;
 void ipsec4_common_input(struct mbuf *m, ...);
 int ipsec4_common_input_cb(struct mbuf *, struct secasvar *,
-			int, int, struct m_tag *);
+			int, int);
 int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *);
 int ipsec_process_done (struct mbuf *, struct ipsecrequest *);
 #define ipsec_indone(m)	\
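Review bot: With the `struct m_tag *` parameter dropped from ipsec4_common_input_cb, the `struct m_tag;` forward declaration a few lines above has no visible user left in this hunk; if nothing else in ipsec.h names the type, the declaration can be removed as well. The same applies to ipsec6.h, where the forward declaration precedes the changed ipsec6_common_input_cb prototype. Whether other declarations in either header still need it is not visible here.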

Index: src/sys/netipsec/ipsec6.h
diff -u src/sys/netipsec/ipsec6.h:1.17 src/sys/netipsec/ipsec6.h:1.18
--- src/sys/netipsec/ipsec6.h:1.17	Thu Apr 20 08:46:07 2017
+++ src/sys/netipsec/ipsec6.h	Wed Jul  5 03:44:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec6.h,v 1.17 2017/04/20 08:46:07 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec6.h,v 1.18 2017/07/05 03:44:59 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $	*/
 /*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/
 
@@ -82,8 +82,7 @@ void * ah6_ctlinput(int, const struct so
 
 struct m_tag;
 int ipsec6_common_input(struct mbuf **, int *, int);
-int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, 
-									int, int, struct m_tag *);
+int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
 int ipsec6_process_packet (struct mbuf*,struct ipsecrequest *);
 #endif /*_KERNEL*/
 

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.44 src/sys/netipsec/ipsec_input.c:1.45
--- src/sys/netipsec/ipsec_input.c:1.44	Wed Jun 28 13:12:37 2017
+++ src/sys/netipsec/ipsec_input.c	Wed Jul  5 03:44:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.44 2017/06/28 13:12:37 christos Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.45 2017/07/05 03:44:59 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.44 2017/06/28 13:12:37 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.45 2017/07/05 03:44:59 ozaki-r Exp $");
 
 /*
  * IPsec input processing.
@@ -331,11 +331,10 @@ ipsec4_common_input(struct mbuf *m, ...)
  */
 int
 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
-    int skip, int protoff, struct m_tag *mt)
+    int skip, int protoff)
 {
 	int prot, af __diagused, sproto;
 	struct ip *ip;
-	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secasindex *saidx;
 	int error;
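Review bot: `struct tdb_ident *tdbi;` stays at function scope while its companion `mtag` is narrowed to the tag-recording block later in ipsec4_common_input_cb; if tdbi has no other use in the function, declaring it beside the new `struct m_tag *mtag;` inside that block keeps the two at matching scope. The same pattern is left in ipsec6_common_input_cb in the hunk that changes its signature. Both function bodies extend beyond the hunks.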
@@ -476,13 +475,10 @@ cantpull:
 
 	/*
 	 * Record what we've done to the packet (under what SA it was
-	 * processed). If we've been passed an mtag, it means the packet
-	 * was already processed by an ethernet/crypto combo card and
-	 * thus has a tag attached with all the right information, but
-	 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
-	 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
+	 * processed).
 	 */
-	if (mt == NULL && sproto != IPPROTO_IPCOMP) {
+	if (sproto != IPPROTO_IPCOMP) {
+		struct m_tag *mtag;
 		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
 		    sizeof(struct tdb_ident), M_NOWAIT);
 		if (mtag == NULL) {
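Review bot: The shortened comment above `if (sproto != IPPROTO_IPCOMP)` now says only that the SA is recorded, but the condition it introduces is the IPComp exemption, which nothing explains any more. A short addition such as `* processed). IPComp is deliberately not recorded here.` keeps the intent readable; the reason (presumably that the IN_DONE tag is meant to reflect AH/ESP protection only) is not visible in the hunk and should be confirmed before it is written down. The same comment appears in ipsec6_common_input_cb's corresponding hunk.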
@@ -499,10 +495,6 @@ cantpull:
 		tdbi->spi = sav->spi;
 
 		m_tag_prepend(m, mtag);
-	} else {
-		if (mt != NULL)
-			mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
-			/* XXX do we need to mark m_flags??? */
 	}
 
 	key_sa_recordxfer(sav, m);		/* record data transfer */
@@ -580,12 +572,11 @@ extern	u_char ip6_protox[];
  * filtering and other sanity checks on the processed packet.
  */
 int
-ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
-    struct m_tag *mt)
+ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
+    int protoff)
 {
 	int af __diagused, sproto;
 	struct ip6_hdr *ip6;
-	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secasindex *saidx;
 	int nxt;
@@ -710,13 +701,10 @@ ipsec6_common_input_cb(struct mbuf *m, s
 
 	/*
 	 * Record what we've done to the packet (under what SA it was
-	 * processed). If we've been passed an mtag, it means the packet
-	 * was already processed by an ethernet/crypto combo card and
-	 * thus has a tag attached with all the right information, but
-	 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
-	 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
+	 * processed).
 	 */
-	if (mt == NULL && sproto != IPPROTO_IPCOMP) {
+	if (sproto != IPPROTO_IPCOMP) {
+		struct m_tag *mtag;
 		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
 		    sizeof(struct tdb_ident), M_NOWAIT);
 		if (mtag == NULL) {
@@ -733,10 +721,6 @@ ipsec6_common_input_cb(struct mbuf *m, s
 		tdbi->spi = sav->spi;
 
 		m_tag_prepend(m, mtag);
-	} else {
-		if (mt != NULL)
-			mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
-			/* XXX do we need to mark m_flags??? */
 	}
 
 	key_sa_recordxfer(sav, m);

Index: src/sys/netipsec/xform.h
diff -u src/sys/netipsec/xform.h:1.8 src/sys/netipsec/xform.h:1.9
--- src/sys/netipsec/xform.h:1.8	Tue Jan 26 06:00:10 2016
+++ src/sys/netipsec/xform.h	Wed Jul  5 03:44:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform.h,v 1.8 2016/01/26 06:00:10 knakahara Exp $	*/
+/*	$NetBSD: xform.h,v 1.9 2017/07/05 03:44:59 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $	*/
 /*
@@ -70,7 +70,6 @@ struct tdb_crypto {
 	u_int8_t		tc_nxt;		/* next protocol, e.g. IPV4 */
 	int			tc_protoff;	/* current protocol offset */
 	int			tc_skip;	/* data offset */
-	void *			tc_ptr;		/* associated crypto data */
 };
 
 struct secasvar;

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.55 src/sys/netipsec/xform_ah.c:1.56
--- src/sys/netipsec/xform_ah.c:1.55	Thu Jun 29 07:13:41 2017
+++ src/sys/netipsec/xform_ah.c	Wed Jul  5 03:44:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.55 2017/06/29 07:13:41 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.56 2017/07/05 03:44:59 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.55 2017/06/29 07:13:41 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.56 2017/07/05 03:44:59 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -614,9 +614,7 @@ static int
 ah_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff)
 {
 	const struct auth_hash *ahx;
-	struct tdb_ident *tdbi;
 	struct tdb_crypto *tc;
-	struct m_tag *mtag;
 	struct newah *ah;
 	int hl, rplen, authsize, error;
 
@@ -689,23 +687,10 @@ ah_input(struct mbuf *m, const struct se
 	crda->crd_key = _KEYBUF(sav->key_auth);
 	crda->crd_klen = _KEYBITS(sav->key_auth);
 
-	/* Find out if we've already done crypto. */
-	for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
-	     mtag != NULL;
-	     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
-		tdbi = (struct tdb_ident *) (mtag + 1);
-		if (tdbi->proto == sav->sah->saidx.proto &&
-		    tdbi->spi == sav->spi &&
-		    !memcmp(&tdbi->dst, &sav->sah->saidx.dst,
-			  sizeof(union sockaddr_union)))
-			break;
-	}
-
 	/* Allocate IPsec-specific opaque crypto info. */
 	size_t size = sizeof(*tc);
 	size_t extra = skip + rplen + authsize;
-	if (mtag == NULL)
-		size += extra;
+	size += extra;
 
 	tc = malloc(size, M_XDATA, M_NOWAIT|M_ZERO);
 	if (tc == NULL) {
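Review bot: `size_t size = sizeof(*tc);` followed by the now unconditional `size += extra;` reads as a leftover of the removed `if (mtag == NULL)` guard; since `extra` is still needed for the m_copydata further down, the two can become `size_t extra = skip + rplen + authsize;` and `size_t size = sizeof(*tc) + extra;`. ah_input continues outside the hunk.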
@@ -726,26 +711,23 @@ ah_input(struct mbuf *m, const struct se
 		return error;
 	}
 
-	/* Only save information if crypto processing is needed. */
-	if (mtag == NULL) {
-		/*
-		 * Save the authenticator, the skipped portion of the packet,
-		 * and the AH header.
-		 */
-		m_copydata(m, 0, extra, (tc + 1));
-		/* Zeroize the authenticator on the packet. */
-		m_copyback(m, skip + rplen, authsize, ipseczeroes);
-
-		/* "Massage" the packet headers for crypto processing. */
-		error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
-		    skip, ahx->type, 0);
-		if (error != 0) {
-			/* NB: mbuf is free'd by ah_massage_headers */
-			AH_STATINC(AH_STAT_HDROPS);
-			free(tc, M_XDATA);
-			crypto_freereq(crp);
-			return error;
-		}
+	/*
+	 * Save the authenticator, the skipped portion of the packet,
+	 * and the AH header.
+	 */
+	m_copydata(m, 0, extra, (tc + 1));
+	/* Zeroize the authenticator on the packet. */
+	m_copyback(m, skip + rplen, authsize, ipseczeroes);
+
+	/* "Massage" the packet headers for crypto processing. */
+	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
+	    skip, ahx->type, 0);
+	if (error != 0) {
+		/* NB: mbuf is free'd by ah_massage_headers */
+		AH_STATINC(AH_STAT_HDROPS);
+		free(tc, M_XDATA);
+		crypto_freereq(crp);
+		return error;
 	}
 
 	/* Crypto operation descriptor. */
@@ -763,30 +745,26 @@ ah_input(struct mbuf *m, const struct se
 	tc->tc_nxt = ah->ah_nxt;
 	tc->tc_protoff = protoff;
 	tc->tc_skip = skip;
-	tc->tc_ptr = mtag; /* Save the mtag we've identified. */
 
-	DPRINTF(("%s: mtag %p hash over %d bytes, skip %d: "
-		 "crda len %d skip %d inject %d\n", __func__, mtag,
+	DPRINTF(("%s: hash over %d bytes, skip %d: "
+		 "crda len %d skip %d inject %d\n", __func__,
 		 crp->crp_ilen, tc->tc_skip,
 		 crda->crd_len, crda->crd_skip, crda->crd_inject));
 
-	if (mtag == NULL)
-		return crypto_dispatch(crp);
-	else
-		return ah_input_cb(crp);
+	return crypto_dispatch(crp);
 }
 
 #ifdef INET6
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {		     \
+#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do {		     \
 	if (saidx->dst.sa.sa_family == AF_INET6) {			     \
-		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
+		error = ipsec6_common_input_cb(m, sav, skip, protoff);	     \
 	} else {							     \
-		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
+		error = ipsec4_common_input_cb(m, sav, skip, protoff);	     \
 	}								     \
 } while (0)
 #else
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)		     \
-	(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
+#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff)			     \
+	(error = ipsec4_common_input_cb(m, sav, skip, protoff))
 #endif
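Review bot: This commit edits the same `IPSEC_COMMON_INPUT_CB` macro in three places (here, in xform_esp.c and in xform_ipcomp.c), and the three bodies appear identical; hoisting it into a shared header such as xform.h would mean the next signature change touches one copy. The macro relies on `error` and `saidx` being in scope at the call site, which a comment on the shared definition should state. In the xform_ipcomp.c copy the rewritten `ipsec4_common_input_cb` line pads its trailing backslash with spaces where the neighbouring lines use a tab.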
 
 /*
@@ -800,7 +778,6 @@ ah_input_cb(struct cryptop *crp)
 	unsigned char calc[AH_ALEN_MAX];
 	struct mbuf *m;
 	struct tdb_crypto *tc;
-	struct m_tag *mtag;
 	struct secasvar *sav;
 	struct secasindex *saidx;
 	uint8_t nxt;
@@ -814,7 +791,6 @@ ah_input_cb(struct cryptop *crp)
 	skip = tc->tc_skip;
 	nxt = tc->tc_nxt;
 	protoff = tc->tc_protoff;
-	mtag = tc->tc_ptr;
 	m = crp->crp_buf;
 
 
@@ -876,46 +852,37 @@ ah_input_cb(struct cryptop *crp)
 	/* Copy authenticator off the packet. */
 	m_copydata(m, skip + rplen, authsize, calc);
 
-	/*
-	 * If we have an mtag, we don't need to verify the authenticator --
-	 * it has been verified by an IPsec-aware NIC.
-	 */
-	if (mtag == NULL) {
-		ptr = (char *)(tc + 1);
-		const uint8_t *pppp = ptr + skip + rplen;
-
-		/* Verify authenticator. */
-		if (!consttime_memequal(pppp, calc, authsize)) {
-			DPRINTF(("%s: authentication hash mismatch " \
-			    "over %d bytes " \
-			    "for packet in SA %s/%08lx:\n" \
-		    "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x, " \
-		    "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n",
-			    __func__, authsize,
-			    ipsec_address(&saidx->dst, buf, sizeof(buf)),
-			    (u_long) ntohl(sav->spi),
-				 calc[0], calc[1], calc[2], calc[3],
-				 calc[4], calc[5], calc[6], calc[7],
-				 calc[8], calc[9], calc[10], calc[11],
-				 pppp[0], pppp[1], pppp[2], pppp[3],
-				 pppp[4], pppp[5], pppp[6], pppp[7],
-				 pppp[8], pppp[9], pppp[10], pppp[11]
-				 ));
-			AH_STATINC(AH_STAT_BADAUTH);
-			error = EACCES;
-			goto bad;
-		}
-
-		/* Fix the Next Protocol field. */
-		ptr[protoff] = nxt;
+	ptr = (char *)(tc + 1);
+	const uint8_t *pppp = ptr + skip + rplen;
 
-		/* Copyback the saved (uncooked) network headers. */
-		m_copyback(m, 0, skip, ptr);
-	} else {
-		/* Fix the Next Protocol field. */
-		m_copyback(m, protoff, sizeof(uint8_t), &nxt);
+	/* Verify authenticator. */
+	if (!consttime_memequal(pppp, calc, authsize)) {
+		DPRINTF(("%s: authentication hash mismatch " \
+		    "over %d bytes " \
+		    "for packet in SA %s/%08lx:\n" \
+	    "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x, " \
+	    "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n",
+		    __func__, authsize,
+		    ipsec_address(&saidx->dst, buf, sizeof(buf)),
+		    (u_long) ntohl(sav->spi),
+			 calc[0], calc[1], calc[2], calc[3],
+			 calc[4], calc[5], calc[6], calc[7],
+			 calc[8], calc[9], calc[10], calc[11],
+			 pppp[0], pppp[1], pppp[2], pppp[3],
+			 pppp[4], pppp[5], pppp[6], pppp[7],
+			 pppp[8], pppp[9], pppp[10], pppp[11]
+			 ));
+		AH_STATINC(AH_STAT_BADAUTH);
+		error = EACCES;
+		goto bad;
 	}
 
+	/* Fix the Next Protocol field. */
+	ptr[protoff] = nxt;
+
+	/* Copyback the saved (uncooked) network headers. */
+	m_copyback(m, 0, skip, ptr);
+
 	free(tc, M_XDATA), tc = NULL;			/* No longer needed */
 
 	/*
@@ -951,7 +918,7 @@ ah_input_cb(struct cryptop *crp)
 		goto bad;
 	}
 
-	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
+	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
 
 	KEY_FREESAV(&sav);
 	mutex_exit(softnet_lock);

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.56 src/sys/netipsec/xform_esp.c:1.57
--- src/sys/netipsec/xform_esp.c:1.56	Thu Jun 29 07:13:41 2017
+++ src/sys/netipsec/xform_esp.c	Wed Jul  5 03:44:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.56 2017/06/29 07:13:41 ozaki-r Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.57 2017/07/05 03:44:59 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.56 2017/06/29 07:13:41 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.57 2017/07/05 03:44:59 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -298,10 +298,8 @@ esp_input(struct mbuf *m, const struct s
 {
 	const struct auth_hash *esph;
 	const struct enc_xform *espx;
-	struct tdb_ident *tdbi;
 	struct tdb_crypto *tc;
 	int plen, alen, hlen, error;
-	struct m_tag *mtag;
 	struct newesp *esp;
 
 	struct cryptodesc *crde;
@@ -364,18 +362,6 @@ esp_input(struct mbuf *m, const struct s
 	/* Update the counters */
 	ESP_STATADD(ESP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen - alen);
 
-	/* Find out if we've already done crypto */
-	for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
-	     mtag != NULL;
-	     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
-		tdbi = (struct tdb_ident *) (mtag + 1);
-		if (tdbi->proto == sav->sah->saidx.proto &&
-		    tdbi->spi == sav->spi &&
-		    !memcmp(&tdbi->dst, &sav->sah->saidx.dst,
-			  sizeof(union sockaddr_union)))
-			break;
-	}
-
 	/* Get crypto descriptors */
 	crp = crypto_getreq(esph && espx ? 2 : 1);
 	if (crp == NULL) {
@@ -386,7 +372,7 @@ esp_input(struct mbuf *m, const struct s
 	}
 
 	/* Get IPsec-specific opaque pointer */
-	size_t extra = esph == NULL || mtag != NULL ? 0 : alen;
+	size_t extra = esph == NULL ? 0 : alen;
 	tc = malloc(sizeof(*tc) + extra, M_XDATA, M_NOWAIT|M_ZERO);
 	if (tc == NULL) {
 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
@@ -400,8 +386,6 @@ esp_input(struct mbuf *m, const struct s
 		goto out2;
 	}
 
-	tc->tc_ptr = mtag;
-
 	if (esph) {
 		struct cryptodesc *crda;
 
@@ -427,8 +411,7 @@ esp_input(struct mbuf *m, const struct s
 		}
 
 		/* Copy the authenticator */
-		if (mtag == NULL)
-			m_copydata(m, m->m_pkthdr.len - alen, alen, (tc + 1));
+		m_copydata(m, m->m_pkthdr.len - alen, alen, (tc + 1));
 
 		/* Chain authentication request */
 		crde = crda->crd_next;
@@ -467,10 +450,7 @@ esp_input(struct mbuf *m, const struct s
 		/* XXX Rounds ? */
 	}
 
-	if (mtag == NULL)
-		return crypto_dispatch(crp);
-	else
-		return esp_input_cb(crp);
+	return crypto_dispatch(crp);
 
 out2:
 	free(tc, M_XDATA);
@@ -483,16 +463,16 @@ out:
 }
 
 #ifdef INET6
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {		     \
+#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do {		     \
 	if (saidx->dst.sa.sa_family == AF_INET6) {			     \
-		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
+		error = ipsec6_common_input_cb(m, sav, skip, protoff);	     \
 	} else {							     \
-		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
+		error = ipsec4_common_input_cb(m, sav, skip, protoff);	     \
 	}								     \
 } while (0)
 #else
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)		     \
-	(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
+#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff)			     \
+	(error = ipsec4_common_input_cb(m, sav, skip, protoff))
 #endif
 
 /*
@@ -507,7 +487,6 @@ esp_input_cb(struct cryptop *crp)
 	struct mbuf *m;
 	const struct auth_hash *esph;
 	struct tdb_crypto *tc;
-	struct m_tag *mtag;
 	struct secasvar *sav;
 	struct secasindex *saidx;
 	void *ptr;
@@ -520,7 +499,6 @@ esp_input_cb(struct cryptop *crp)
 	tc = crp->crp_opaque;
 	skip = tc->tc_skip;
 	protoff = tc->tc_protoff;
-	mtag = tc->tc_ptr;
 	m = crp->crp_buf;
 
 	/* find the source port for NAT-T */
@@ -583,23 +561,21 @@ esp_input_cb(struct cryptop *crp)
 		 * check the authentication calculation.
 		 */
 		AH_STATINC(AH_STAT_HIST + ah_stats[sav->alg_auth]);
-		if (mtag == NULL) {
-			/* Copy the authenticator from the packet */
-			m_copydata(m, m->m_pkthdr.len - esph->authsize,
-				esph->authsize, aalg);
-
-			ptr = (tc + 1);
-
-			/* Verify authenticator */
-			if (!consttime_memequal(ptr, aalg, esph->authsize)) {
-				DPRINTF(("%s: authentication hash mismatch "
-				    "for packet in SA %s/%08lx\n", __func__,
-				    ipsec_address(&saidx->dst, buf,
-				    sizeof(buf)), (u_long) ntohl(sav->spi)));
-				ESP_STATINC(ESP_STAT_BADAUTH);
-				error = EACCES;
-				goto bad;
-			}
+		/* Copy the authenticator from the packet */
+		m_copydata(m, m->m_pkthdr.len - esph->authsize,
+			esph->authsize, aalg);
+
+		ptr = (tc + 1);
+
+		/* Verify authenticator */
+		if (!consttime_memequal(ptr, aalg, esph->authsize)) {
+			DPRINTF(("%s: authentication hash mismatch "
+			    "for packet in SA %s/%08lx\n", __func__,
+			    ipsec_address(&saidx->dst, buf,
+			    sizeof(buf)), (u_long) ntohl(sav->spi)));
+			ESP_STATINC(ESP_STAT_BADAUTH);
+			error = EACCES;
+			goto bad;
 		}
 
 		/* Remove trailing authenticator */
@@ -685,7 +661,7 @@ esp_input_cb(struct cryptop *crp)
 	/* Restore the Next Protocol field */
 	m_copyback(m, protoff, sizeof(uint8_t), lastthree + 2);
 
-	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
+	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
 
 	KEY_FREESAV(&sav);
 	mutex_exit(softnet_lock);

Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.39 src/sys/netipsec/xform_ipcomp.c:1.40
--- src/sys/netipsec/xform_ipcomp.c:1.39	Thu Jun 29 07:13:41 2017
+++ src/sys/netipsec/xform_ipcomp.c	Wed Jul  5 03:44:59 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.39 2017/06/29 07:13:41 ozaki-r Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.40 2017/07/05 03:44:59 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.39 2017/06/29 07:13:41 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.40 2017/07/05 03:44:59 ozaki-r Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #if defined(_KERNEL_OPT)
@@ -187,8 +187,6 @@ ipcomp_input(struct mbuf *m, const struc
 	crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
 	crdc->crd_inject = 0; /* unused */
 
-	tc->tc_ptr = 0;
-
 	/* Decompression operation */
 	crdc->crd_alg = sav->tdb_compalgxform->type;
 
@@ -212,16 +210,16 @@ ipcomp_input(struct mbuf *m, const struc
 }
 
 #ifdef INET6
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {		     \
+#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do {		     \
 	if (saidx->dst.sa.sa_family == AF_INET6) {			     \
-		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
+		error = ipsec6_common_input_cb(m, sav, skip, protoff);	     \
 	} else {							     \
-		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
+		error = ipsec4_common_input_cb(m, sav, skip, protoff);       \
 	}								     \
 } while (0)
 #else
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)		     \
-	(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
+#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff)			     \
+	(error = ipsec4_common_input_cb(m, sav, skip, protoff))
 #endif
 
 /*
@@ -344,7 +342,7 @@ ipcomp_input_cb(struct cryptop *crp)
 	/* Restore the Next Protocol field */
 	m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *) &nproto);
 
-	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL);
+	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
 
 	KEY_FREESAV(&sav);
 	mutex_exit(softnet_lock);
