MFC r275706:

Remove code related to PACKET_TAG_IPSEC_IN_CRYPTO_DONE mbuf tag. It isn't used in FreeBSD. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
author: Luiz Otavio O Souza <luiz@netgate.com> 2015-09-15 14:41:22 -0500
committer: Luiz Otavio O Souza <luiz@netgate.com> 2015-10-20 11:56:31 -0500
commit: b6cb7eb4f96ce8e23574464f50ecfb38b1e01098 (patch)
tree: f9e678383f88c1c59e4a351e55f5e5b274d124d3 /sys/netipsec/xform_esp.c
parent: d011a9a60241839afed4e7c977a6a2c4417bf8c0 (diff)
download: FreeBSD-src-b6cb7eb4f96ce8e23574464f50ecfb38b1e01098.zip
FreeBSD-src-b6cb7eb4f96ce8e23574464f50ecfb38b1e01098.tar.gz
1 files changed, 34 insertions, 72 deletions
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 90f6d56..3add316 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -268,18 +268,16 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
 	struct auth_hash *esph;
 	struct enc_xform *espx;
-	struct tdb_ident *tdbi;
 	struct tdb_crypto *tc;
 	int plen, alen, hlen;
-	struct m_tag *mtag;
 	struct newesp *esp;
-
 	struct cryptodesc *crde;
 	struct cryptop *crp;
 
 	IPSEC_ASSERT(sav != NULL, ("null SA"));
 	IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
 
+	alen = 0;
 	/* Valid IP Packet length ? */
 	if ( (skip&3) || (m->m_pkthdr.len&3) ){
 		DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
@@ -312,8 +310,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 			alen = AH_HMAC_HASHLEN;
 			break;
 		}
-	}else
-		alen = 0;
+	}
 
 	/*
 	 * Verify payload length is multiple of encryption algorithm
@@ -338,7 +335,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	/*
 	 * Check sequence number.
 	 */
-	if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
+	if (esph != NULL && sav->replay != NULL &&
+	    !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
 		DPRINTF(("%s: packet replay check for %s\n", __func__,
 		    ipsec_logsastr(sav)));	/*XXX*/
 		ESPSTAT_INC(esps_replay);
@@ -349,18 +347,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	/* Update the counters */
 	ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
 
-	/* Find out if we've already done crypto */
-	for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
-	     mtag != NULL;
-	     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
-		tdbi = (struct tdb_ident *) (mtag + 1);
-		if (tdbi->proto == sav->sah->saidx.proto &&
-		    tdbi->spi == sav->spi &&
-		    !bcmp(&tdbi->dst, &sav->sah->saidx.dst,
-			  sizeof(union sockaddr_union)))
-			break;
-	}
-
 	/* Get crypto descriptors */
 	crp = crypto_getreq(esph && espx ? 2 : 1);
 	if (crp == NULL) {
@@ -372,12 +358,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	}
 
 	/* Get IPsec-specific opaque pointer */
-	if (esph == NULL || mtag != NULL)
-		tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
-		    M_XDATA, M_NOWAIT|M_ZERO);
-	else
-		tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen,
-		    M_XDATA, M_NOWAIT|M_ZERO);
+	tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen,
+	    M_XDATA, M_NOWAIT | M_ZERO);
 	if (tc == NULL) {
 		crypto_freereq(crp);
 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
@@ -386,9 +368,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 		return ENOBUFS;
 	}
 
-	tc->tc_ptr = (caddr_t) mtag;
-
-	if (esph) {
+	if (esph != NULL) {
 		struct cryptodesc *crda = crp->crp_desc;
 
 		IPSEC_ASSERT(crda != NULL, ("null ah crypto descriptor"));
@@ -403,9 +383,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 		crda->crd_klen = _KEYBITS(sav->key_auth);
 
 		/* Copy the authenticator */
-		if (mtag == NULL)
-			m_copydata(m, m->m_pkthdr.len - alen, alen,
-				   (caddr_t) (tc + 1));
+		m_copydata(m, m->m_pkthdr.len - alen, alen,
+		    (caddr_t) (tc + 1));
 
 		/* Chain authentication request */
 		crde = crda->crd_next;
@@ -431,22 +410,17 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	tc->tc_sav = sav;
 
 	/* Decryption descriptor */
-	if (espx) {
-		IPSEC_ASSERT(crde != NULL, ("null esp crypto descriptor"));
-		crde->crd_skip = skip + hlen;
-		crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
-		crde->crd_inject = skip + hlen - sav->ivlen;
-
-		crde->crd_alg = espx->type;
-		crde->crd_key = sav->key_enc->key_data;
-		crde->crd_klen = _KEYBITS(sav->key_enc);
-		/* XXX Rounds ? */
-	}
+	IPSEC_ASSERT(crde != NULL, ("null esp crypto descriptor"));
+	crde->crd_skip = skip + hlen;
+	crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
+	crde->crd_inject = skip + hlen - sav->ivlen;
+
+	crde->crd_alg = espx->type;
+	crde->crd_key = sav->key_enc->key_data;
+	crde->crd_klen = _KEYBITS(sav->key_enc);
+	/* XXX Rounds ? */
 
-	if (mtag == NULL)
-		return crypto_dispatch(crp);
-	else
-		return esp_input_cb(crp);
+	return (crypto_dispatch(crp));
 }
 
 /*
@@ -462,7 +436,6 @@ esp_input_cb(struct cryptop *crp)
 	struct auth_hash *esph;
 	struct enc_xform *espx;
 	struct tdb_crypto *tc;
-	struct m_tag *mtag;
 	struct secasvar *sav;
 	struct secasindex *saidx;
 	caddr_t ptr;
@@ -474,7 +447,6 @@ esp_input_cb(struct cryptop *crp)
 	IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
 	skip = tc->tc_skip;
 	protoff = tc->tc_protoff;
-	mtag = (struct m_tag *) tc->tc_ptr;
 	m = (struct mbuf *) crp->crp_buf;
 
 	sav = tc->tc_sav;
@@ -524,30 +496,20 @@ esp_input_cb(struct cryptop *crp)
 			alen = AH_HMAC_HASHLEN;
 			break;
 		}
-		/*
-		 * If we have a tag, it means an IPsec-aware NIC did
-		 * the verification for us.  Otherwise we need to
-		 * check the authentication calculation.
-		 */
 		AHSTAT_INC(ahs_hist[sav->alg_auth]);
-		if (mtag == NULL) {
-			/* Copy the authenticator from the packet */
-			m_copydata(m, m->m_pkthdr.len - alen,
-				alen, aalg);
-
-			ptr = (caddr_t) (tc + 1);
-
-			/* Verify authenticator */
-			if (bcmp(ptr, aalg, alen) != 0) {
-				DPRINTF(("%s: "
-		    "authentication hash mismatch for packet in SA %s/%08lx\n",
-				    __func__,
-				    ipsec_address(&saidx->dst),
-				    (u_long) ntohl(sav->spi)));
-				ESPSTAT_INC(esps_badauth);
-				error = EACCES;
-				goto bad;
-			}
+		/* Copy the authenticator from the packet */
+		m_copydata(m, m->m_pkthdr.len - alen, alen, aalg);
+		ptr = (caddr_t) (tc + 1);
+
+		/* Verify authenticator */
+		if (bcmp(ptr, aalg, alen) != 0) {
+			DPRINTF(("%s: authentication hash mismatch for "
+			    "packet in SA %s/%08lx\n", __func__,
+			    ipsec_address(&saidx->dst),
+			    (u_long) ntohl(sav->spi)));
+			ESPSTAT_INC(esps_badauth);
+			error = EACCES;
+			goto bad;
 		}
 
 		/* Remove trailing authenticator */
@@ -633,12 +595,12 @@ esp_input_cb(struct cryptop *crp)
 	switch (saidx->dst.sa.sa_family) {
 #ifdef INET6
 	case AF_INET6:
-		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
+		error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
 		break;
 #endif
 #ifdef INET
 	case AF_INET:
-		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
+		error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
 		break;
 #endif
 	default:
author	Luiz Otavio O Souza <luiz@netgate.com>	2015-09-15 14:41:22 -0500
committer	Luiz Otavio O Souza <luiz@netgate.com>	2015-10-20 11:56:31 -0500
commit	b6cb7eb4f96ce8e23574464f50ecfb38b1e01098 (patch)
tree	f9e678383f88c1c59e4a351e55f5e5b274d124d3 /sys/netipsec/xform_esp.c
parent	d011a9a60241839afed4e7c977a6a2c4417bf8c0 (diff)
download	FreeBSD-src-b6cb7eb4f96ce8e23574464f50ecfb38b1e01098.zip FreeBSD-src-b6cb7eb4f96ce8e23574464f50ecfb38b1e01098.tar.gz