Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related

to old crypto API.

ok bluhm@

diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index a8b99eb..6e381a0 100644 (file)
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.85 2021/10/24 17:08:27 bluhm Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.86 2021/10/24 18:15:58 tobhe Exp $ */
 
 /*
  * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -135,11 +135,17 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 {
        const struct comp_algo *ipcompx = tdb->tdb_compalgxform;
        struct mbuf *m = *mp;
-       struct tdb_crypto *tc = NULL;
-       int hlen, error, clen;
-
        struct cryptodesc *crdc = NULL;
        struct cryptop *crp;
+       int hlen, error, clen, roff;
+       u_int8_t nproto;
+       u_int64_t ibytes;
+       struct mbuf *m1, *mo;
+       struct ipcomp  *ipcomp;
+       caddr_t addr;
+#ifdef ENCDEBUG
+       char buf[INET6_ADDRSTRLEN];
+#endif
 
        hlen = IPCOMP_HLENGTH;
 
@@ -151,14 +157,6 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
                error = ENOBUFS;
                goto drop;
        }
-       /* Get IPsec-specific opaque pointer */
-       tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
-       if (tc == NULL) {
-               DPRINTF("failed to allocate tdb_crypto");
-               ipcompstat_inc(ipcomps_crypto);
-               error = ENOBUFS;
-               goto drop;
-       }
        crdc = &crp->crp_desc[0];
 
        crdc->crd_skip = skip + hlen;
@@ -174,14 +172,6 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
        crp->crp_buf = (caddr_t)m;
        crp->crp_sid = tdb->tdb_cryptoid;
 
-       /* These are passed as-is to the callback */
-       tc->tc_skip = skip;
-       tc->tc_protoff = protoff;
-       tc->tc_spi = tdb->tdb_spi;
-       tc->tc_proto = IPPROTO_IPCOMP;
-       tc->tc_rdomain = tdb->tdb_rdomain;
-       tc->tc_dst = tdb->tdb_dst;
-
        KERNEL_LOCK();
        while ((error = crypto_invoke(crp)) == EAGAIN) {
                /* Reset the session ID */
@@ -199,35 +189,7 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 
        /* Release the crypto descriptors */
        crypto_freereq(crp);
-
-       return ipcomp_input_cb(tdb, tc, mp, clen);
-
- drop:
-       m_freemp(mp);
-       crypto_freereq(crp);
-       free(tc, M_XDATA, 0);
-       return error;
-}
-
-int
-ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
-    int clen)
-{
-       struct mbuf *m = *mp;
-       int skip, protoff, roff, hlen = IPCOMP_HLENGTH;
-       u_int8_t nproto;
-       u_int64_t ibytes;
-       struct mbuf *m1, *mo;
-       struct ipcomp  *ipcomp;
-       caddr_t addr;
-#ifdef ENCDEBUG
-       char buf[INET6_ADDRSTRLEN];
-#endif
-
-       NET_ASSERT_LOCKED();
-
-       skip = tc->tc_skip;
-       protoff = tc->tc_protoff;
+       crp = NULL;
 
        /* update the counters */
        ibytes = m->m_pkthdr.len - (skip + hlen);
@@ -240,7 +202,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
            (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
                pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
                tdb_delete(tdb);
-               goto baddone;
+               error = -1;
+               goto drop;
        }
        /* Notify on soft expiration */
        if ((tdb->tdb_flags & TDBF_SOFT_BYTES) &&
@@ -255,7 +218,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
        if (m->m_len < skip + hlen &&
            (m = *mp = m_pullup(m, skip + hlen)) == NULL) {
                ipcompstat_inc(ipcomps_hdrops);
-               goto baddone;
+               error = -1;
+               goto drop;
        }
 
        /* Find the beginning of the IPCOMP header */
@@ -265,7 +229,8 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
                    ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
                    ntohl(tdb->tdb_spi));
                ipcompstat_inc(ipcomps_hdrops);
-               goto baddone;
+               error = -1;
+               goto drop;
        }
        /* Keep the next protocol field */
        addr = (caddr_t) mtod(m, struct ip *) + skip;
@@ -321,19 +286,16 @@ ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
                m->m_pkthdr.len -= hlen;
        }
 
-       /* Release the crypto descriptors */
-       free(tc, M_XDATA, 0);
-
        /* Restore the Next Protocol field */
        m_copyback(m, protoff, sizeof(u_int8_t), &nproto, M_NOWAIT);
 
        /* Back to generic IPsec input processing */
        return ipsec_common_input_cb(mp, tdb, skip, protoff);
 
- baddone:
+ drop:
        m_freemp(mp);
-       free(tc, M_XDATA, 0);
-       return -1;
+       crypto_freereq(crp);
+       return error;
 }
 
 /*
@@ -343,16 +305,21 @@ int
 ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 {
        const struct comp_algo *ipcompx = tdb->tdb_compalgxform;
-       int error, hlen, ilen, olen;
+       int error, hlen, ilen, olen, rlen, roff;
        struct cryptodesc *crdc = NULL;
        struct cryptop *crp = NULL;
-       struct tdb_crypto *tc;
-       struct mbuf    *mi;
+       struct mbuf *mi, *mo;
+       struct ip *ip;
+       u_int16_t cpi;
+#ifdef INET6
+       struct ip6_hdr *ip6;
+#endif
 #ifdef ENCDEBUG
        char buf[INET6_ADDRSTRLEN];
 #endif
 #if NBPFILTER > 0
        struct ifnet *encif;
+       struct ipcomp  *ipcomp;
 
        if ((encif = enc_getif(0, tdb->tdb_tap)) != NULL) {
                encif->if_opackets++;
@@ -417,7 +384,6 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
        }
 
        /* Update the counters */
-
        tdb->tdb_cur_bytes += m->m_pkthdr.len - skip;
        ipcompstat_add(ipcomps_obytes, m->m_pkthdr.len - skip);
 
@@ -479,21 +445,6 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
        /* Compression operation */
        crdc->crd_alg = ipcompx->type;
 
-       /* IPsec-specific opaque crypto info */
-       tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
-       if (tc == NULL) {
-               DPRINTF("failed to allocate tdb_crypto");
-               ipcompstat_inc(ipcomps_crypto);
-               error = ENOBUFS;
-               goto drop;
-       }
-
-       tc->tc_spi = tdb->tdb_spi;
-       tc->tc_proto = tdb->tdb_sproto;
-       tc->tc_skip = skip;
-       tc->tc_rdomain = tdb->tdb_rdomain;
-       tc->tc_dst = tdb->tdb_dst;
-
        /* Crypto operation descriptor */
        crp->crp_ilen = m->m_pkthdr.len;        /* Total input length */
        crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE;
@@ -510,10 +461,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
        if (error) {
                DPRINTF("crypto error %d", error);
                ipsecstat_inc(ipsec_noxform);
-               free(tc, M_XDATA, 0);
-               m_freem(m);
-               crypto_freereq(crp);
-               return error;
+               goto drop;
        }
 
        ilen = crp->crp_ilen;
@@ -521,36 +469,8 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 
        /* Release the crypto descriptors */
        crypto_freereq(crp);
+       crp = NULL;
 
-       return ipcomp_output_cb(tdb, tc, m, ilen, olen);
-
- drop:
-       m_freem(m);
-       crypto_freereq(crp);
-       return error;
-}
-
-/*
- * IPComp output callback.
- */
-int
-ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m,
-    int ilen, int olen)
-{
-       struct mbuf *mo;
-       int skip, rlen, roff;
-       u_int16_t cpi;
-       struct ip *ip;
-#ifdef INET6
-       struct ip6_hdr *ip6;
-#endif
-       struct ipcomp  *ipcomp;
-#ifdef ENCDEBUG
-       char buf[INET6_ADDRSTRLEN];
-#endif
-       int error;
-
-       skip = tc->tc_skip;
        rlen = ilen - skip;
 
        /* Check sizes. */
@@ -602,9 +522,6 @@ ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m,
        }
 
  skiphdr:
-       /* Release the crypto descriptor. */
-       free(tc, M_XDATA, 0);
-
        error = ipsp_process_done(m, tdb);
        if (error)
                ipcompstat_inc(ipcomps_outfail);
@@ -612,6 +529,6 @@ ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m,
 
  drop:
        m_freem(m);
-       free(tc, M_XDATA, 0);
+       crypto_freereq(crp);
        return error;
 }

diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index a371237..f79d393 100644 (file)
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_ipsp.h,v 1.214 2021/10/24 17:08:27 bluhm Exp $     */
+/*     $OpenBSD: ip_ipsp.h,v 1.215 2021/10/24 18:15:58 tobhe Exp $     */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -607,10 +607,7 @@ int        ipcomp_attach(void);
 int    ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
 int    ipcomp_zeroize(struct tdb *);
 int    ipcomp_input(struct mbuf **, struct tdb *, int, int);
-int    ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf **, int);
 int    ipcomp_output(struct mbuf *, struct tdb *, int, int);
-int    ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
-           int);
 int    ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
 int    ipcomp4_input(struct mbuf **, int *, int, int);
 #ifdef INET6