-/* $OpenBSD: if_bridge.c,v 1.234 2015/04/13 08:52:51 mpi Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.235 2015/04/17 11:04:01 mikeb Exp $ */
/*
* Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
int bridge_ipsec(struct bridge_softc *, struct ifnet *,
struct ether_header *, int, struct llc *,
int, int, int, struct mbuf *);
-#define ICMP_DEFLEN MHLEN
#endif
int bridge_clone_create(struct if_clone *, int);
int bridge_clone_destroy(struct ifnet *ifp);
struct ether_addr *dst;
struct bridge_softc *sc;
int s, error, len;
-#ifdef IPSEC
- struct m_tag *mtag;
-#endif /* IPSEC */
/* ifp must be a member interface of the bridge. */
if (ifp->if_bridgeport == NULL) {
struct mbuf *mc;
int used = 0;
-#ifdef IPSEC
- /*
- * Don't send out the packet if IPsec is needed, and
- * notify IPsec to do its own crypto for now.
- */
- if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED,
- NULL)) != NULL) {
- ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
- m_freem(m);
- return (0);
- }
-#endif /* IPSEC */
bridge_span(sc, NULL, m);
TAILQ_FOREACH(p, &sc->sc_iflist, next) {
-/* $OpenBSD: pf.c,v 1.911 2015/04/11 13:00:12 dlg Exp $ */
+/* $OpenBSD: pf.c,v 1.912 2015/04/17 11:04:01 mikeb Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
struct pf_src_node *sns[PF_SN_MAX];
int error = 0;
unsigned int rtableid;
-#ifdef IPSEC
- struct m_tag *mtag;
-#endif /* IPSEC */
if (m == NULL || *m == NULL || r == NULL ||
(dir != PF_IN && dir != PF_OUT) || oifp == NULL)
ip = mtod(m0, struct ip *);
}
- /* Copied from ip_output. */
-#ifdef IPSEC
- /*
- * If we got here and IPsec crypto processing didn't happen, drop it.
- */
- if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL))
- != NULL) {
- /* Notify IPsec to do its own crypto. */
- ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
- goto bad;
- }
-#endif /* IPSEC */
-
in_proto_cksum_out(m0, ifp);
if (ntohs(ip->ip_len) <= ifp->if_mtu) {
-/* $OpenBSD: ip_ah.c,v 1.115 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.116 2015/04/17 11:04:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
{
struct auth_hash *ahx = (struct auth_hash *) tdb->tdb_authalgxform;
struct tdb_crypto *tc;
- struct m_tag *mtag;
u_int32_t btsx, esn;
u_int8_t hl;
int rplen;
crda->crd_flags |= CRD_F_ESN;
}
-#ifdef notyet
- /* Find out if we've already done crypto. */
- for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
- mtag != NULL;
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
- struct tdb_ident *tdbi;
-
- tdbi = (struct tdb_ident *) (mtag + 1);
- if (tdbi->proto == tdb->tdb_sproto &&
- tdbi->spi == tdb->tdb_spi &&
- tdbi->rdomain == tdb->tdb_rdomain &&
- !memcmp(&tdbi->dst, &tdb->tdb_dst,
- sizeof(union sockaddr_union)))
- break;
- }
-#else
- mtag = NULL;
-#endif
-
/* Allocate IPsec-specific opaque crypto info. */
- if (mtag == NULL)
- tc = malloc(sizeof(*tc) + skip + rplen + ahx->authsize, M_XDATA,
- M_NOWAIT | M_ZERO);
- else /* Hash verification has already been done successfully. */
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
+ tc = malloc(sizeof(*tc) + skip + rplen + ahx->authsize, M_XDATA,
+ M_NOWAIT | M_ZERO);
if (tc == NULL) {
m_freem(m);
crypto_freereq(crp);
return ENOBUFS;
}
- /* Only save information if crypto processing is needed. */
- if (mtag == NULL) {
- /*
- * Save the authenticator, the skipped portion of the packet,
- * and the AH header.
- */
- m_copydata(m, 0, skip + rplen + ahx->authsize,
- (caddr_t) (tc + 1));
-
- /* Zeroize the authenticator on the packet. */
- m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes,
- M_NOWAIT);
-
- /* "Massage" the packet headers for crypto processing. */
- if ((btsx = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family,
- skip, ahx->type, 0)) != 0) {
- /* mbuf will be free'd by callee. */
- free(tc, M_XDATA, 0);
- crypto_freereq(crp);
- return btsx;
- }
+ /*
+ * Save the authenticator, the skipped portion of the packet,
+ * and the AH header.
+ */
+ m_copydata(m, 0, skip + rplen + ahx->authsize, (caddr_t) (tc + 1));
+
+ /* Zeroize the authenticator on the packet. */
+ m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes, M_NOWAIT);
+
+ /* "Massage" the packet headers for crypto processing. */
+ if ((btsx = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family,
+ skip, ahx->type, 0)) != 0) {
+ /* mbuf will be free'd by callee. */
+ free(tc, M_XDATA, 0);
+ crypto_freereq(crp);
+ return btsx;
}
/* Crypto operation descriptor. */
tc->tc_protoff = protoff;
tc->tc_spi = tdb->tdb_spi;
tc->tc_proto = tdb->tdb_sproto;
- tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */
tc->tc_rdomain = tdb->tdb_rdomain;
bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union));
- if (mtag == NULL)
- return crypto_dispatch(crp);
- else
- return ah_input_cb(crp);
+ return crypto_dispatch(crp);
}
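Review bot: On the reindented lines `btsx`, the u_int32_t that earlier in ah_input holds the replay sequence number, is reused to carry the int error code from ah_massage_headers and is then handed back through the function's int return. A dedicated local keeps the two roles apart and reads better: `int error;` then `if ((error = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family, skip, ahx->type, 0)) != 0)` and `return error;`. Behaviour is unchanged since the error values are small positive constants. ah_input begins before this hunk.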
/*
struct auth_hash *ahx;
struct tdb_crypto *tc;
struct cryptop *crp;
- struct m_tag *mtag;
struct tdb *tdb;
u_int32_t btsx, esn;
- u_int8_t prot;
caddr_t ptr;
#ifdef ENCDEBUG
char buf[INET6_ADDRSTRLEN];
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
protoff = tc->tc_protoff;
- mtag = (struct m_tag *) tc->tc_ptr;
m = (struct mbuf *) crp->crp_buf;
if (m == NULL) {
/* Copy authenticator off the packet. */
m_copydata(m, skip + rplen, ahx->authsize, calc);
- /*
- * If we have an mtag, we don't need to verify the authenticator --
- * it has been verified by an IPsec-aware NIC.
- */
- if (mtag == NULL) {
- ptr = (caddr_t) (tc + 1);
+ ptr = (caddr_t) (tc + 1);
- /* Verify authenticator. */
- if (timingsafe_bcmp(ptr + skip + rplen, calc, ahx->authsize)) {
- free(tc, M_XDATA, 0);
+ /* Verify authenticator. */
+ if (timingsafe_bcmp(ptr + skip + rplen, calc, ahx->authsize)) {
+ free(tc, M_XDATA, 0);
- DPRINTF(("ah_input(): authentication failed for "
- "packet in SA %s/%08x\n",
- ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ DPRINTF(("ah_input(): authentication failed for "
+ "packet in SA %s/%08x\n",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
- ahstat.ahs_badauth++;
- error = EACCES;
- goto baddone;
- }
+ ahstat.ahs_badauth++;
+ error = EACCES;
+ goto baddone;
+ }
- /* Fix the Next Protocol field. */
- ((u_int8_t *) ptr)[protoff] = ((u_int8_t *) ptr)[skip];
+ /* Fix the Next Protocol field. */
+ ((u_int8_t *) ptr)[protoff] = ((u_int8_t *) ptr)[skip];
- /* Copyback the saved (uncooked) network headers. */
- m_copyback(m, 0, skip, ptr, M_NOWAIT);
- } else {
- /* Fix the Next Protocol field. */
- m_copydata(m, skip, sizeof(u_int8_t), &prot);
- m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT);
- }
+ /* Copyback the saved (uncooked) network headers. */
+ m_copyback(m, 0, skip, ptr, M_NOWAIT);
free(tc, M_XDATA, 0);
m->m_pkthdr.len -= rplen + ahx->authsize;
}
- error = ipsec_common_input_cb(m, tdb, skip, protoff, mtag);
+ error = ipsec_common_input_cb(m, tdb, skip, protoff);
splx(s);
return (error);
}
/* Allocate IPsec-specific opaque crypto info. */
- if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0)
- tc = malloc(sizeof(*tc) + skip, M_XDATA, M_NOWAIT | M_ZERO);
- else
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
+ tc = malloc(sizeof(*tc) + skip, M_XDATA, M_NOWAIT | M_ZERO);
if (tc == NULL) {
m_freem(m);
crypto_freereq(crp);
}
/* Save the skipped portion of the packet. */
- if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0) {
- m_copydata(m, 0, skip, (caddr_t) (tc + 1));
+ m_copydata(m, 0, skip, (caddr_t) (tc + 1));
- /*
- * Fix IP header length on the header used for
- * authentication. We don't need to fix the original
- * header length as it will be fixed by our caller.
- */
- switch (tdb->tdb_dst.sa.sa_family) {
- case AF_INET:
- bcopy(((caddr_t)(tc + 1)) +
- offsetof(struct ip, ip_len),
- (caddr_t) &iplen, sizeof(u_int16_t));
- iplen = htons(ntohs(iplen) + rplen + ahx->authsize);
- m_copyback(m, offsetof(struct ip, ip_len),
- sizeof(u_int16_t), &iplen, M_NOWAIT);
- break;
+ /*
+ * Fix IP header length on the header used for
+ * authentication. We don't need to fix the original
+ * header length as it will be fixed by our caller.
+ */
+ switch (tdb->tdb_dst.sa.sa_family) {
+ case AF_INET:
+ bcopy(((caddr_t)(tc + 1)) +
+ offsetof(struct ip, ip_len),
+ (caddr_t) &iplen, sizeof(u_int16_t));
+ iplen = htons(ntohs(iplen) + rplen + ahx->authsize);
+ m_copyback(m, offsetof(struct ip, ip_len),
+ sizeof(u_int16_t), &iplen, M_NOWAIT);
+ break;
#ifdef INET6
- case AF_INET6:
- bcopy(((caddr_t)(tc + 1)) +
- offsetof(struct ip6_hdr, ip6_plen),
- (caddr_t) &iplen, sizeof(u_int16_t));
- iplen = htons(ntohs(iplen) + rplen + ahx->authsize);
- m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
- sizeof(u_int16_t), &iplen, M_NOWAIT);
- break;
+ case AF_INET6:
+ bcopy(((caddr_t)(tc + 1)) +
+ offsetof(struct ip6_hdr, ip6_plen),
+ (caddr_t) &iplen, sizeof(u_int16_t));
+ iplen = htons(ntohs(iplen) + rplen + ahx->authsize);
+ m_copyback(m, offsetof(struct ip6_hdr, ip6_plen),
+ sizeof(u_int16_t), &iplen, M_NOWAIT);
+ break;
#endif /* INET6 */
- }
+ }
- /* Fix the Next Header field in saved header. */
- ((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH;
+ /* Fix the Next Header field in saved header. */
+ ((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH;
- /* Update the Next Protocol field in the IP header. */
- prot = IPPROTO_AH;
- m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT);
+ /* Update the Next Protocol field in the IP header. */
+ prot = IPPROTO_AH;
+ m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT);
- /* "Massage" the packet headers for crypto processing. */
- if ((len = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family,
- skip, ahx->type, 1)) != 0) {
- /* mbuf will be free'd by callee. */
- free(tc, M_XDATA, 0);
- crypto_freereq(crp);
- return len;
- }
- } else {
- /* Update the Next Protocol field in the IP header. */
- prot = IPPROTO_AH;
- m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT);
+ /* "Massage" the packet headers for crypto processing. */
+ if ((len = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family,
+ skip, ahx->type, 1)) != 0) {
+ /* mbuf will be free'd by callee. */
+ free(tc, M_XDATA, 0);
+ crypto_freereq(crp);
+ return len;
}
/* Crypto operation descriptor. */
tc->tc_rdomain = tdb->tdb_rdomain;
bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union));
- if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0)
- return crypto_dispatch(crp);
- else
- return ah_output_cb(crp);
+ return crypto_dispatch(crp);
}
/*
* Copy original headers (with the new protocol number) back
* in place.
*/
- if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0)
- m_copyback(m, 0, skip, ptr, M_NOWAIT);
+ m_copyback(m, 0, skip, ptr, M_NOWAIT);
free(tc, M_XDATA, 0);
-/* $OpenBSD: ip_esp.c,v 1.130 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.131 2015/04/17 11:04:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
struct cryptop *crp;
struct tdb_crypto *tc;
int plen, alen, hlen;
- struct m_tag *mtag;
u_int32_t btsx, esn;
#ifdef ENCDEBUG
char buf[INET6_ADDRSTRLEN];
tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */
}
-#ifdef notyet
- /* Find out if we've already done crypto */
- for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
- mtag != NULL;
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
- struct tdb_ident *tdbi;
-
- tdbi = (struct tdb_ident *) (mtag + 1);
- if (tdbi->proto == tdb->tdb_sproto && tdbi->spi == tdb->tdb_spi &&
- tdbi->rdomain == tdb->tdb_rdomain && !memcmp(&tdbi->dst,
- &tdb->tdb_dst, sizeof(union sockaddr_union)))
- break;
- }
-#else
- mtag = NULL;
-#endif
-
/* Get crypto descriptors */
crp = crypto_getreq(esph && espx ? 2 : 1);
if (crp == NULL) {
}
/* Get IPsec-specific opaque pointer */
- if (esph == NULL || mtag != NULL)
+ if (esph == NULL)
tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
else
tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO);
return ENOBUFS;
}
- tc->tc_ptr = (caddr_t) mtag;
-
if (esph) {
crda = crp->crp_desc;
crde = crda->crd_next;
crda->crd_len = m->m_pkthdr.len - (skip + alen);
/* Copy the authenticator */
- if (mtag == NULL)
- m_copydata(m, m->m_pkthdr.len - alen, alen,
- (caddr_t)(tc + 1));
+ m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t)(tc + 1));
} else
crde = crp->crp_desc;
crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
}
- if (mtag == NULL)
- return crypto_dispatch(crp);
- else
- return esp_input_cb(crp);
+ return crypto_dispatch(crp);
}
/*
struct auth_hash *esph;
struct tdb_crypto *tc;
struct cryptop *crp;
- struct m_tag *mtag;
struct tdb *tdb;
u_int32_t btsx, esn;
caddr_t ptr;
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
protoff = tc->tc_protoff;
- mtag = (struct m_tag *) tc->tc_ptr;
m = (struct mbuf *) crp->crp_buf;
if (m == NULL) {
/* If authentication was performed, check now. */
if (esph != NULL) {
- /*
- * If we have a tag, it means an IPsec-aware NIC did the
- * verification for us.
- */
- if (mtag == NULL) {
- /* Copy the authenticator from the packet */
- m_copydata(m, m->m_pkthdr.len - esph->authsize,
- esph->authsize, aalg);
-
- ptr = (caddr_t) (tc + 1);
-
- /* Verify authenticator */
- if (timingsafe_bcmp(ptr, aalg, esph->authsize)) {
- free(tc, M_XDATA, 0);
- DPRINTF(("esp_input_cb(): authentication "
- "failed for packet in SA %s/%08x\n",
- ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
- espstat.esps_badauth++;
- error = EACCES;
- goto baddone;
- }
+ /* Copy the authenticator from the packet */
+ m_copydata(m, m->m_pkthdr.len - esph->authsize,
+ esph->authsize, aalg);
+
+ ptr = (caddr_t) (tc + 1);
+
+ /* Verify authenticator */
+ if (timingsafe_bcmp(ptr, aalg, esph->authsize)) {
+ free(tc, M_XDATA, 0);
+ DPRINTF(("esp_input_cb(): authentication "
+ "failed for packet in SA %s/%08x\n",
+ ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
+ espstat.esps_badauth++;
+ error = EACCES;
+ goto baddone;
}
/* Remove trailing authenticator */
m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT);
/* Back to generic IPsec input processing */
- error = ipsec_common_input_cb(m, tdb, skip, protoff, mtag);
+ error = ipsec_common_input_cb(m, tdb, skip, protoff);
splx(s);
return (error);
crda->crd_len = m->m_pkthdr.len - (skip + alen);
}
- if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0)
- return crypto_dispatch(crp);
- else
- return esp_output_cb(crp);
+ return crypto_dispatch(crp);
}
/*
-/* $OpenBSD: ip_ipcomp.c,v 1.41 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.42 2015/04/17 11:04:01 mikeb Exp $ */
/*
* Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
crdc->crd_inject = skip;
- tc->tc_ptr = 0;
-
/* Decompression operation */
crdc->crd_alg = ipcompx->type;
m_copyback(m, protoff, sizeof(u_int8_t), &nproto, M_NOWAIT);
/* Back to generic IPsec input processing */
- error = ipsec_common_input_cb(m, tdb, skip, protoff, NULL);
+ error = ipsec_common_input_cb(m, tdb, skip, protoff);
splx(s);
return error;
-/* $OpenBSD: ip_ipsp.c,v 1.212 2015/04/17 10:08:07 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.213 2015/04/17 11:04:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
free(ipr, ipr->ref_malloctype, 0);
}
-/* Mark a TDB as TDBF_SKIPCRYPTO. */
-void
-ipsp_skipcrypto_mark(struct tdb_ident *tdbi)
-{
- struct tdb *tdb;
- int s = splsoftnet();
-
- tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto);
- if (tdb != NULL) {
- tdb->tdb_flags |= TDBF_SKIPCRYPTO;
- tdb->tdb_last_marked = time_second;
- }
- splx(s);
-}
-
-/* Unmark a TDB as TDBF_SKIPCRYPTO. */
-void
-ipsp_skipcrypto_unmark(struct tdb_ident *tdbi)
-{
- struct tdb *tdb;
- int s = splsoftnet();
-
- tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto);
- if (tdb != NULL) {
- tdb->tdb_flags &= ~TDBF_SKIPCRYPTO;
- tdb->tdb_last_marked = time_second;
- }
- splx(s);
-}
-
/* Return true if the two structures match. */
int
ipsp_ref_match(struct ipsec_ref *ref1, struct ipsec_ref *ref2)
-/* $OpenBSD: ip_ipsp.h,v 1.168 2015/04/17 10:04:37 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.169 2015/04/17 11:04:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */
#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */
#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */
-#define TDBF_SKIPCRYPTO 0x08000 /* Skip actual crypto processing */
#define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */
#define TDBF_UDPENCAP 0x20000 /* UDP encapsulation */
#define TDBF_PFSYNC 0x40000 /* TDB will be synced */
u_int8_t tc_proto;
int tc_protoff;
int tc_skip;
- caddr_t tc_ptr;
u_int tc_rdomain;
};
int ipsp_is_unspecified(union sockaddr_union);
int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
void ipsp_reffree(struct ipsec_ref *);
-void ipsp_skipcrypto_mark(struct tdb_ident *);
-void ipsp_skipcrypto_unmark(struct tdb_ident *);
int ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *,
struct sockaddr_encap *, struct sockaddr_encap *);
int ipsec_common_input(struct mbuf *, int, int, int, int, int);
-int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
- struct m_tag *);
+int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
int ipsec_delete_policy(struct ipsec_policy *);
ssize_t ipsec_hdrsz(struct tdb *);
void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
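Review bot: Dropping `TDBF_SKIPCRYPTO` leaves bit 0x08000 unassigned between TDBF_TUNNELING and TDBF_USEDTUNNEL with nothing explaining the gap; a marker such as `/* 0x08000 was TDBF_SKIPCRYPTO, now unused */` stops the hole from reading as a typo and records that the value is free for reuse. The only writers of `tdb_last_marked` visible in this diff were the deleted ipsp_skipcrypto_mark/unmark in ip_ipsp.c, so if nothing else reads that field it is now dead and could be removed from struct tdb in the same change. struct tdb itself is outside the hunk, so that is inferred from what is shown here.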
-/* $OpenBSD: ip_output.c,v 1.278 2015/04/16 19:24:13 markus Exp $ */
+/* $OpenBSD: ip_output.c,v 1.279 2015/04/17 11:04:01 mikeb Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
/* Loop detection */
for (mtag = m_tag_first(m); mtag != NULL;
mtag = m_tag_next(m, mtag)) {
- if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
- mtag->m_tag_id !=
- PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
+ if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE)
continue;
tdbi = (struct tdb_ident *)(mtag + 1);
if (tdbi->spi == tdb->tdb_spi &&
error = ipsp_process_packet(m, tdb, AF_INET, 0);
return error; /* Nothing more to be done */
}
-
- /*
- * If we got here and IPsec crypto processing didn't happen, drop it.
- */
- if (ipsec_in_use && (mtag = m_tag_find(m,
- PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL) {
- /* Notify IPsec to do its own crypto. */
- ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
- m_freem(m);
- error = EHOSTUNREACH;
- goto done;
- }
#endif /* IPSEC */
/*
-/* $OpenBSD: ipsec_input.c,v 1.129 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.130 2015/04/17 11:04:02 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
* filtering and other sanity checks on the processed packet.
*/
int
-ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
- struct m_tag *mt)
+ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff)
{
int af, sproto;
u_char prot;
/*
* Record what we've done to the packet (under what SA it was
- * processed). If we've been passed an mtag, it means the packet
- * was already processed by an ethernet/crypto combo card and
- * thus has a tag attached with all the right information, but
- * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
- * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
+ * processed).
*/
if (tdbp->tdb_sproto != IPPROTO_IPCOMP) {
mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
-/* $OpenBSD: ipsec_output.c,v 1.57 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.58 2015/04/17 11:04:02 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
* Add a record of what we've done or what needs to be done to the
* packet.
*/
- if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0)
- mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE,
- sizeof(struct tdb_ident),
- M_NOWAIT);
- else
- mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED,
- sizeof(struct tdb_ident), M_NOWAIT);
-
+ mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(struct tdb_ident),
+ M_NOWAIT);
if (mtag == NULL) {
m_freem(m);
DPRINTF(("ipsp_process_done(): could not allocate packet "
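Review bot: The context comment above the new m_tag_get call still says the record is of "what we've done or what needs to be done to the packet"; the "needs to be done" half described the PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED case this commit deletes, so only PACKET_TAG_IPSEC_OUT_DONE is ever attached now. It should read `/* Add a record of what we've done to the packet. */`. ipsp_process_done starts before this hunk and continues after it.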
-/* $OpenBSD: ip6_forward.c,v 1.72 2015/03/14 03:38:52 jsg Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.73 2015/04/17 11:04:02 mikeb Exp $ */
/* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
/*
/* Loop detection */
for (mtag = m_tag_first(m); mtag != NULL;
mtag = m_tag_next(m, mtag)) {
- if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
- mtag->m_tag_id !=
- PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
+ if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE)
continue;
tdbi = (struct tdb_ident *)(mtag + 1);
if (tdbi->spi == tdb->tdb_spi &&
-/* $OpenBSD: ip6_output.c,v 1.169 2015/04/16 19:24:13 markus Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.170 2015/04/17 11:04:02 mikeb Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
/* Loop detection */
for (mtag = m_tag_first(m); mtag != NULL;
mtag = m_tag_next(m, mtag)) {
- if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
- mtag->m_tag_id !=
- PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
+ if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE)
continue;
tdbi = (struct tdb_ident *)(mtag + 1);
if (tdbi->spi == tdb->tdb_spi &&
-/* $OpenBSD: nd6.c,v 1.133 2015/03/25 17:39:33 florian Exp $ */
+/* $OpenBSD: nd6.c,v 1.134 2015/04/17 11:04:02 mikeb Exp $ */
/* $KAME: nd6.c,v 1.280 2002/06/08 19:52:07 itojun Exp $ */
/*
struct rtentry *rt = rt0;
struct llinfo_nd6 *ln = NULL;
int error = 0;
-#ifdef IPSEC
- struct m_tag *mtag;
-#endif /* IPSEC */
if (IN6_IS_ADDR_MULTICAST(&dst->sin6_addr))
goto sendpkt;
return (0);
sendpkt:
-#ifdef IPSEC
- /*
- * If we got here and IPsec crypto processing didn't happen, drop it.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL);
-#endif /* IPSEC */
-
-#ifdef IPSEC
- if (mtag != NULL) {
- /* Tell IPsec to do its own crypto. */
- ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
- error = EACCES;
- goto bad;
- }
-#endif /* IPSEC */
return ((*ifp->if_output)(ifp, m, sin6tosa(dst), rt));
bad:
-/* $OpenBSD: mbuf.h,v 1.189 2015/04/13 08:45:48 mpi Exp $ */
+/* $OpenBSD: mbuf.h,v 1.190 2015/04/17 11:04:02 mikeb Exp $ */
/* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
/*
/* Packet tag types */
#define PACKET_TAG_IPSEC_IN_DONE 0x0001 /* IPsec applied, in */
#define PACKET_TAG_IPSEC_OUT_DONE 0x0002 /* IPsec applied, out */
-#define PACKET_TAG_IPSEC_IN_CRYPTO_DONE 0x0004 /* NIC IPsec crypto done */
-#define PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED 0x0008 /* NIC IPsec crypto req'ed */
#define PACKET_TAG_IPSEC_PENDING_TDB 0x0010 /* Reminder to do IPsec */
#define PACKET_TAG_BRIDGE 0x0020 /* Bridge processing done */
#define PACKET_TAG_GIF 0x0040 /* GIF processing done */