

[src/trunk]: src/sys/netipsec Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE



details:   https://anonhg.NetBSD.org/src/rev/e23e9c6b69c0
branches:  trunk
changeset: 825238:e23e9c6b69c0
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Wed Jul 05 03:44:59 2017 +0000

description:
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE

It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters
that have IPsec accelerators; a driver sets the mtag to a packet
when its device has already encrypted the packet.

Unfortunately no driver has implemented such offload features for many
years, and none seems likely to implement them soon. (Note that neither
FreeBSD nor Linux has such drivers.) Let's remove the related (unused)
code and simplify the IPsec code.

diffstat:

 sys/netipsec/ipsec.h        |    4 +-
 sys/netipsec/ipsec6.h       |    5 +-
 sys/netipsec/ipsec_input.c  |   38 +++--------
 sys/netipsec/xform.h        |    3 +-
 sys/netipsec/xform_ah.c     |  143 ++++++++++++++++---------------------------
 sys/netipsec/xform_esp.c    |   72 +++++++--------------
 sys/netipsec/xform_ipcomp.c |   18 ++---
 7 files changed, 103 insertions(+), 180 deletions(-)

diffs (truncated from 619 to 300 lines):

diff -r 6b9bf5ebe64d -r e23e9c6b69c0 sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h      Wed Jul 05 01:25:03 2017 +0000
+++ b/sys/netipsec/ipsec.h      Wed Jul 05 03:44:59 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.h,v 1.50 2017/06/02 03:41:20 ozaki-r Exp $       */
+/*     $NetBSD: ipsec.h,v 1.51 2017/07/05 03:44:59 ozaki-r Exp $       */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $       */
 /*     $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
@@ -339,7 +339,7 @@
 struct m_tag;
 void ipsec4_common_input(struct mbuf *m, ...);
 int ipsec4_common_input_cb(struct mbuf *, struct secasvar *,
-                       int, int, struct m_tag *);
+                       int, int);
 int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *);
 int ipsec_process_done (struct mbuf *, struct ipsecrequest *);
 #define ipsec_indone(m)        \
diff -r 6b9bf5ebe64d -r e23e9c6b69c0 sys/netipsec/ipsec6.h
--- a/sys/netipsec/ipsec6.h     Wed Jul 05 01:25:03 2017 +0000
+++ b/sys/netipsec/ipsec6.h     Wed Jul 05 03:44:59 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec6.h,v 1.17 2017/04/20 08:46:07 ozaki-r Exp $      */
+/*     $NetBSD: ipsec6.h,v 1.18 2017/07/05 03:44:59 ozaki-r Exp $      */
 /*     $FreeBSD: src/sys/netipsec/ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $     */
 /*     $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $  */
 
@@ -82,8 +82,7 @@
 
 struct m_tag;
 int ipsec6_common_input(struct mbuf **, int *, int);
-int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, 
-                                                                       int, int, struct m_tag *);
+int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
 int ipsec6_process_packet (struct mbuf*,struct ipsecrequest *);
 #endif /*_KERNEL*/
 
diff -r 6b9bf5ebe64d -r e23e9c6b69c0 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c        Wed Jul 05 01:25:03 2017 +0000
+++ b/sys/netipsec/ipsec_input.c        Wed Jul 05 03:44:59 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_input.c,v 1.44 2017/06/28 13:12:37 christos Exp $        */
+/*     $NetBSD: ipsec_input.c,v 1.45 2017/07/05 03:44:59 ozaki-r Exp $ */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /*     $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $        */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.44 2017/06/28 13:12:37 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.45 2017/07/05 03:44:59 ozaki-r Exp $");
 
 /*
  * IPsec input processing.
@@ -331,11 +331,10 @@
  */
 int
 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
-    int skip, int protoff, struct m_tag *mt)
+    int skip, int protoff)
 {
        int prot, af __diagused, sproto;
        struct ip *ip;
-       struct m_tag *mtag;
        struct tdb_ident *tdbi;
        struct secasindex *saidx;
        int error;
@@ -476,13 +475,10 @@
 
        /*
         * Record what we've done to the packet (under what SA it was
-        * processed). If we've been passed an mtag, it means the packet
-        * was already processed by an ethernet/crypto combo card and
-        * thus has a tag attached with all the right information, but
-        * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
-        * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
+        * processed).
         */
-       if (mt == NULL && sproto != IPPROTO_IPCOMP) {
+       if (sproto != IPPROTO_IPCOMP) {
+               struct m_tag *mtag;
                mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
                    sizeof(struct tdb_ident), M_NOWAIT);
                if (mtag == NULL) {
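Review bot: The new condition `if (sproto != IPPROTO_IPCOMP)` is now the only thing that decides whether a PACKET_TAG_IPSEC_IN_DONE record is attached, and the comment above it no longer says why IPCOMP is excluded (the deleted text explained only the removed mtag case); a one-line comment in the author's words stating that reason would keep the intent readable. Since the tag is now built here on every path, I would also fold the declaration into its initializer, `struct m_tag *mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, sizeof(struct tdb_ident), M_NOWAIT);`, so the block-scoped variable has no uninitialized window. The same two points apply to the matching hunk in ipsec6_common_input_cb. ipsec4_common_input_cb continues outside the hunk on both sides.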
@@ -499,10 +495,6 @@
                tdbi->spi = sav->spi;
 
                m_tag_prepend(m, mtag);
-       } else {
-               if (mt != NULL)
-                       mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
-                       /* XXX do we need to mark m_flags??? */
        }
 
        key_sa_recordxfer(sav, m);              /* record data transfer */
@@ -580,12 +572,11 @@
  * filtering and other sanity checks on the processed packet.
  */
 int
-ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
-    struct m_tag *mt)
+ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
+    int protoff)
 {
        int af __diagused, sproto;
        struct ip6_hdr *ip6;
-       struct m_tag *mtag;
        struct tdb_ident *tdbi;
        struct secasindex *saidx;
        int nxt;
@@ -710,13 +701,10 @@
 
        /*
         * Record what we've done to the packet (under what SA it was
-        * processed). If we've been passed an mtag, it means the packet
-        * was already processed by an ethernet/crypto combo card and
-        * thus has a tag attached with all the right information, but
-        * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
-        * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
+        * processed).
         */
-       if (mt == NULL && sproto != IPPROTO_IPCOMP) {
+       if (sproto != IPPROTO_IPCOMP) {
+               struct m_tag *mtag;
                mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
                    sizeof(struct tdb_ident), M_NOWAIT);
                if (mtag == NULL) {
@@ -733,10 +721,6 @@
                tdbi->spi = sav->spi;
 
                m_tag_prepend(m, mtag);
-       } else {
-               if (mt != NULL)
-                       mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
-                       /* XXX do we need to mark m_flags??? */
        }
 
        key_sa_recordxfer(sav, m);
diff -r 6b9bf5ebe64d -r e23e9c6b69c0 sys/netipsec/xform.h
--- a/sys/netipsec/xform.h      Wed Jul 05 01:25:03 2017 +0000
+++ b/sys/netipsec/xform.h      Wed Jul 05 03:44:59 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform.h,v 1.8 2016/01/26 06:00:10 knakahara Exp $      */
+/*     $NetBSD: xform.h,v 1.9 2017/07/05 03:44:59 ozaki-r Exp $        */
 /*     $FreeBSD: src/sys/netipsec/xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $      */
 /*     $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $   */
 /*
@@ -70,7 +70,6 @@
        u_int8_t                tc_nxt;         /* next protocol, e.g. IPV4 */
        int                     tc_protoff;     /* current protocol offset */
        int                     tc_skip;        /* data offset */
-       void *                  tc_ptr;         /* associated crypto data */
 };
 
 struct secasvar;
diff -r 6b9bf5ebe64d -r e23e9c6b69c0 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c   Wed Jul 05 01:25:03 2017 +0000
+++ b/sys/netipsec/xform_ah.c   Wed Jul 05 03:44:59 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ah.c,v 1.55 2017/06/29 07:13:41 ozaki-r Exp $    */
+/*     $NetBSD: xform_ah.c,v 1.56 2017/07/05 03:44:59 ozaki-r Exp $    */
 /*     $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $   */
 /*     $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.55 2017/06/29 07:13:41 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.56 2017/07/05 03:44:59 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -614,9 +614,7 @@
 ah_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff)
 {
        const struct auth_hash *ahx;
-       struct tdb_ident *tdbi;
        struct tdb_crypto *tc;
-       struct m_tag *mtag;
        struct newah *ah;
        int hl, rplen, authsize, error;
 
@@ -689,23 +687,10 @@
        crda->crd_key = _KEYBUF(sav->key_auth);
        crda->crd_klen = _KEYBITS(sav->key_auth);
 
-       /* Find out if we've already done crypto. */
-       for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
-            mtag != NULL;
-            mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
-               tdbi = (struct tdb_ident *) (mtag + 1);
-               if (tdbi->proto == sav->sah->saidx.proto &&
-                   tdbi->spi == sav->spi &&
-                   !memcmp(&tdbi->dst, &sav->sah->saidx.dst,
-                         sizeof(union sockaddr_union)))
-                       break;
-       }
-
        /* Allocate IPsec-specific opaque crypto info. */
        size_t size = sizeof(*tc);
        size_t extra = skip + rplen + authsize;
-       if (mtag == NULL)
-               size += extra;
+       size += extra;
 
        tc = malloc(size, M_XDATA, M_NOWAIT|M_ZERO);
        if (tc == NULL) {
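Review bot: `size_t size = sizeof(*tc);` followed by `size += extra;` is a leftover of the deleted conditional; with the saved-header area now always allocated, `size_t size = sizeof(*tc) + extra;` states the allocation directly and makes it obvious that the later m_copydata of `extra` bytes into `tc + 1` fits. `extra` is assembled from three `int`s (skip, rplen, authsize) and converted to size_t implicitly, so a negative value would wrap to a huge allocation size; I assume they are validated before this point (not visible in the hunk), and a short comment saying so would help the next reader. ah_input continues outside the hunk.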
@@ -726,26 +711,23 @@
                return error;
        }
 
-       /* Only save information if crypto processing is needed. */
-       if (mtag == NULL) {
-               /*
-                * Save the authenticator, the skipped portion of the packet,
-                * and the AH header.
-                */
-               m_copydata(m, 0, extra, (tc + 1));
-               /* Zeroize the authenticator on the packet. */
-               m_copyback(m, skip + rplen, authsize, ipseczeroes);
+       /*
+        * Save the authenticator, the skipped portion of the packet,
+        * and the AH header.
+        */
+       m_copydata(m, 0, extra, (tc + 1));
+       /* Zeroize the authenticator on the packet. */
+       m_copyback(m, skip + rplen, authsize, ipseczeroes);
 
-               /* "Massage" the packet headers for crypto processing. */
-               error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
-                   skip, ahx->type, 0);
-               if (error != 0) {
-                       /* NB: mbuf is free'd by ah_massage_headers */
-                       AH_STATINC(AH_STAT_HDROPS);
-                       free(tc, M_XDATA);
-                       crypto_freereq(crp);
-                       return error;
-               }
+       /* "Massage" the packet headers for crypto processing. */
+       error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
+           skip, ahx->type, 0);
+       if (error != 0) {
+               /* NB: mbuf is free'd by ah_massage_headers */
+               AH_STATINC(AH_STAT_HDROPS);
+               free(tc, M_XDATA);
+               crypto_freereq(crp);
+               return error;
        }
 
        /* Crypto operation descriptor. */
@@ -763,30 +745,26 @@
        tc->tc_nxt = ah->ah_nxt;
        tc->tc_protoff = protoff;
        tc->tc_skip = skip;
-       tc->tc_ptr = mtag; /* Save the mtag we've identified. */
 
-       DPRINTF(("%s: mtag %p hash over %d bytes, skip %d: "
-                "crda len %d skip %d inject %d\n", __func__, mtag,
+       DPRINTF(("%s: hash over %d bytes, skip %d: "
+                "crda len %d skip %d inject %d\n", __func__,
                 crp->crp_ilen, tc->tc_skip,
                 crda->crd_len, crda->crd_skip, crda->crd_inject));
 
-       if (mtag == NULL)
-               return crypto_dispatch(crp);
-       else
-               return ah_input_cb(crp);
+       return crypto_dispatch(crp);
 }
 
 #ifdef INET6
-#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {              \
+#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do {                    \
        if (saidx->dst.sa.sa_family == AF_INET6) {                           \
-               error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
+               error = ipsec6_common_input_cb(m, sav, skip, protoff);       \
        } else {                                                             \
-               error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
+               error = ipsec4_common_input_cb(m, sav, skip, protoff);       \
        }                                                                    \
 } while (0)
 #else
-#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)                   \
-       (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
+#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff)                         \
+       (error = ipsec4_common_input_cb(m, sav, skip, protoff))
 #endif
 
 /*
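Review bot: The rewritten `IPSEC_COMMON_INPUT_CB` macro still assigns `error` and reads `saidx` from the expansion site's scope while neither appears in its parameter list; now that the parameter list has been changed anyway, a comment above the `#ifdef INET6` such as `/* Expects `saidx` and `error` to be in scope where it is expanded. */` would document that contract. The new DPRINTF format keeps five `%d` conversions and the five remaining arguments match them, so that part is consistent. ah_input ends at the `return crypto_dispatch(crp);` inside this hunk, but the function's beginning lies outside it.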
@@ -800,7 +778,6 @@
        unsigned char calc[AH_ALEN_MAX];
        struct mbuf *m;
        struct tdb_crypto *tc;
-       struct m_tag *mtag;
        struct secasvar *sav;
        struct secasindex *saidx;
        uint8_t nxt;
@@ -814,7 +791,6 @@


