From 0245ebf419b769c384222b9c4ff5c3a54eeda630 Mon Sep 17 00:00:00 2001
From: mikeb
Date: Fri, 17 Apr 2015 11:04:01 +0000
Subject: [PATCH] Stubs and support code for NIC-enabled IPsec bite the dust.

No objection from reyk@, OK markus, hshoexer
---
 sys/net/if_bridge.c | 18 +---
 sys/net/pf.c | 18 +---
 sys/netinet/ip_ah.c | 210 ++++++++++++++-----------------------
 sys/netinet/ip_esp.c | 80 ++++----------
 sys/netinet/ip_ipcomp.c | 6 +-
 sys/netinet/ip_ipsp.c | 32 +-----
 sys/netinet/ip_ipsp.h | 9 +-
 sys/netinet/ip_output.c | 18 +---
 sys/netinet/ipsec_input.c | 11 +-
 sys/netinet/ipsec_output.c | 12 +--
 sys/netinet6/ip6_forward.c | 6 +-
 sys/netinet6/ip6_output.c | 6 +-
 sys/netinet6/nd6.c | 20 +---
 sys/sys/mbuf.h | 4 +-
 14 files changed, 119 insertions(+), 331 deletions(-)

diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 3b5651e6261..7d9637d16ef 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.234 2015/04/13 08:52:51 mpi Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.235 2015/04/17 11:04:01 mikeb Exp $ */
 
 /*
  * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -151,7 +151,6 @@ void bridge_send_icmp_err(struct bridge_softc *, struct ifnet *,
 int bridge_ipsec(struct bridge_softc *, struct ifnet *,
 struct ether_header *, int, struct llc *, int, int, int,
 struct mbuf *);
-#define ICMP_DEFLEN MHLEN
 #endif
 int bridge_clone_create(struct if_clone *, int);
 int bridge_clone_destroy(struct ifnet *ifp);
@@ -947,9 +946,6 @@ bridge_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *sa,
 struct ether_addr *dst;
 struct bridge_softc *sc;
 int s, error, len;
-#ifdef IPSEC
- struct m_tag *mtag;
-#endif /* IPSEC */
 
 /* ifp must be a member interface of the bridge. */
 if (ifp->if_bridgeport == NULL) {
@@ -994,18 +990,6 @@ bridge_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *sa, struct mbuf *mc; int used = 0; -#ifdef IPSEC - /* - * Don't send out the packet if IPsec is needed, and - * notify IPsec to do its own crypto for now. - */ - if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, - NULL)) != NULL) { - ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); - m_freem(m); - return (0); - } -#endif /* IPSEC */ bridge_span(sc, NULL, m); TAILQ_FOREACH(p, &sc->sc_iflist, next) { diff --git a/sys/net/pf.c b/sys/net/pf.c index 3ad4278d264..402c01c4f0d 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.911 2015/04/11 13:00:12 dlg Exp $ */ +/* $OpenBSD: pf.c,v 1.912 2015/04/17 11:04:01 mikeb Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -5451,9 +5451,6 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, struct pf_src_node *sns[PF_SN_MAX]; int error = 0; unsigned int rtableid; -#ifdef IPSEC - struct m_tag *mtag; -#endif /* IPSEC */ if (m == NULL || *m == NULL || r == NULL || (dir != PF_IN && dir != PF_OUT) || oifp == NULL) @@ -5542,19 +5539,6 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, ip = mtod(m0, struct ip *); } - /* Copied from ip_output. */ -#ifdef IPSEC - /* - * If we got here and IPsec crypto processing didn't happen, drop it. - */ - if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) - != NULL) { - /* Notify IPsec to do its own crypto. */ - ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); - goto bad; - } -#endif /* IPSEC */ - in_proto_cksum_out(m0, ifp); if (ntohs(ip->ip_len) <= ifp->if_mtu) { diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index 64d6ee09832..c449cc221c0 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.115 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.116 2015/04/17 11:04:01 mikeb Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -529,7 +529,6 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 {
 struct auth_hash *ahx = (struct auth_hash *) tdb->tdb_authalgxform;
 struct tdb_crypto *tc;
- struct m_tag *mtag;
 u_int32_t btsx, esn;
 u_int8_t hl;
 int rplen;
@@ -647,31 +646,9 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 crda->crd_flags |= CRD_F_ESN;
 }
 
-#ifdef notyet
- /* Find out if we've already done crypto. */
- for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
- mtag != NULL;
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
- struct tdb_ident *tdbi;
-
- tdbi = (struct tdb_ident *) (mtag + 1);
- if (tdbi->proto == tdb->tdb_sproto &&
- tdbi->spi == tdb->tdb_spi &&
- tdbi->rdomain == tdb->tdb_rdomain &&
- !memcmp(&tdbi->dst, &tdb->tdb_dst,
- sizeof(union sockaddr_union)))
- break;
- }
-#else
- mtag = NULL;
-#endif
-
 /* Allocate IPsec-specific opaque crypto info. */
- if (mtag == NULL)
- tc = malloc(sizeof(*tc) + skip + rplen + ahx->authsize, M_XDATA,
- M_NOWAIT | M_ZERO);
- else /* Hash verification has already been done successfully. */
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
+ tc = malloc(sizeof(*tc) + skip + rplen + ahx->authsize, M_XDATA,
+ M_NOWAIT | M_ZERO);
 if (tc == NULL) {
 m_freem(m);
 crypto_freereq(crp);
@@ -680,27 +657,22 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) return ENOBUFS; } - /* Only save information if crypto processing is needed. */ - if (mtag == NULL) { - /* - * Save the authenticator, the skipped portion of the packet, - * and the AH header. - */ - m_copydata(m, 0, skip + rplen + ahx->authsize, - (caddr_t) (tc + 1)); - - /* Zeroize the authenticator on the packet. */ - m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes, - M_NOWAIT); - - /* "Massage" the packet headers for crypto processing. */ - if ((btsx = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family, - skip, ahx->type, 0)) != 0) { - /* mbuf will be free'd by callee. */ - free(tc, M_XDATA, 0); - crypto_freereq(crp); - return btsx; - } + /* + * Save the authenticator, the skipped portion of the packet, + * and the AH header. + */ + m_copydata(m, 0, skip + rplen + ahx->authsize, (caddr_t) (tc + 1)); + + /* Zeroize the authenticator on the packet. */ + m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes, M_NOWAIT); + + /* "Massage" the packet headers for crypto processing. */ + if ((btsx = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family, + skip, ahx->type, 0)) != 0) { + /* mbuf will be free'd by callee. */ + free(tc, M_XDATA, 0); + crypto_freereq(crp); + return btsx; } /* Crypto operation descriptor. */ @@ -716,14 +688,10 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) tc->tc_protoff = protoff; tc->tc_spi = tdb->tdb_spi; tc->tc_proto = tdb->tdb_sproto; - tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */ tc->tc_rdomain = tdb->tdb_rdomain; bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); - if (mtag == NULL) - return crypto_dispatch(crp); - else - return ah_input_cb(crp); + return crypto_dispatch(crp); } /* 
@@ -738,10 +706,8 @@ ah_input_cb(void *op)
 struct auth_hash *ahx;
 struct tdb_crypto *tc;
 struct cryptop *crp;
- struct m_tag *mtag;
 struct tdb *tdb;
 u_int32_t btsx, esn;
- u_int8_t prot;
 caddr_t ptr;
 #ifdef ENCDEBUG
 char buf[INET6_ADDRSTRLEN];
@@ -752,7 +718,6 @@ ah_input_cb(void *op)
 tc = (struct tdb_crypto *) crp->crp_opaque;
 skip = tc->tc_skip;
 protoff = tc->tc_protoff;
- mtag = (struct m_tag *) tc->tc_ptr;
 
 m = (struct mbuf *) crp->crp_buf;
 if (m == NULL) {
@@ -802,37 +767,27 @@ ah_input_cb(void *op) /* Copy authenticator off the packet. */ m_copydata(m, skip + rplen, ahx->authsize, calc); - /* - * If we have an mtag, we don't need to verify the authenticator -- - * it has been verified by an IPsec-aware NIC. - */ - if (mtag == NULL) { - ptr = (caddr_t) (tc + 1); + ptr = (caddr_t) (tc + 1); - /* Verify authenticator. */ - if (timingsafe_bcmp(ptr + skip + rplen, calc, ahx->authsize)) { - free(tc, M_XDATA, 0); + /* Verify authenticator. */ + if (timingsafe_bcmp(ptr + skip + rplen, calc, ahx->authsize)) { + free(tc, M_XDATA, 0); - DPRINTF(("ah_input(): authentication failed for " - "packet in SA %s/%08x\n", - ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), - ntohl(tdb->tdb_spi))); + DPRINTF(("ah_input(): authentication failed for " + "packet in SA %s/%08x\n", + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); - ahstat.ahs_badauth++; - error = EACCES; - goto baddone; - } + ahstat.ahs_badauth++; + error = EACCES; + goto baddone; + } - /* Fix the Next Protocol field. */ - ((u_int8_t *) ptr)[protoff] = ((u_int8_t *) ptr)[skip]; + /* Fix the Next Protocol field. */ + ((u_int8_t *) ptr)[protoff] = ((u_int8_t *) ptr)[skip]; - /* Copyback the saved (uncooked) network headers. */ - m_copyback(m, 0, skip, ptr, M_NOWAIT); - } else { - /* Fix the Next Protocol field. */ - m_copydata(m, skip, sizeof(u_int8_t), &prot); - m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); - } + /* Copyback the saved (uncooked) network headers. */ + m_copyback(m, 0, skip, ptr, M_NOWAIT); free(tc, M_XDATA, 0); @@ -952,7 +907,7 @@ ah_input_cb(void *op) m->m_pkthdr.len -= rplen + ahx->authsize; } - error = ipsec_common_input_cb(m, tdb, skip, protoff, mtag); + error = ipsec_common_input_cb(m, tdb, skip, protoff); splx(s); return (error); 
@@ -1176,10 +1131,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 }
 
 /* Allocate IPsec-specific opaque crypto info. */
- if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0)
- tc = malloc(sizeof(*tc) + skip, M_XDATA, M_NOWAIT | M_ZERO);
- else
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
+ tc = malloc(sizeof(*tc) + skip, M_XDATA, M_NOWAIT | M_ZERO);
 if (tc == NULL) {
 m_freem(m);
 crypto_freereq(crp);
@@ -1189,55 +1141,49 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, } /* Save the skipped portion of the packet. */ - if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0) { - m_copydata(m, 0, skip, (caddr_t) (tc + 1)); + m_copydata(m, 0, skip, (caddr_t) (tc + 1)); - /* - * Fix IP header length on the header used for - * authentication. We don't need to fix the original - * header length as it will be fixed by our caller. - */ - switch (tdb->tdb_dst.sa.sa_family) { - case AF_INET: - bcopy(((caddr_t)(tc + 1)) + - offsetof(struct ip, ip_len), - (caddr_t) &iplen, sizeof(u_int16_t)); - iplen = htons(ntohs(iplen) + rplen + ahx->authsize); - m_copyback(m, offsetof(struct ip, ip_len), - sizeof(u_int16_t), &iplen, M_NOWAIT); - break; + /* + * Fix IP header length on the header used for + * authentication. We don't need to fix the original + * header length as it will be fixed by our caller. + */ + switch (tdb->tdb_dst.sa.sa_family) { + case AF_INET: + bcopy(((caddr_t)(tc + 1)) + + offsetof(struct ip, ip_len), + (caddr_t) &iplen, sizeof(u_int16_t)); + iplen = htons(ntohs(iplen) + rplen + ahx->authsize); + m_copyback(m, offsetof(struct ip, ip_len), + sizeof(u_int16_t), &iplen, M_NOWAIT); + break; #ifdef INET6 - case AF_INET6: - bcopy(((caddr_t)(tc + 1)) + - offsetof(struct ip6_hdr, ip6_plen), - (caddr_t) &iplen, sizeof(u_int16_t)); - iplen = htons(ntohs(iplen) + rplen + ahx->authsize); - m_copyback(m, offsetof(struct ip6_hdr, ip6_plen), - sizeof(u_int16_t), &iplen, M_NOWAIT); - break; + case AF_INET6: + bcopy(((caddr_t)(tc + 1)) + + offsetof(struct ip6_hdr, ip6_plen), + (caddr_t) &iplen, sizeof(u_int16_t)); + iplen = htons(ntohs(iplen) + rplen + ahx->authsize); + m_copyback(m, offsetof(struct ip6_hdr, ip6_plen), + sizeof(u_int16_t), &iplen, M_NOWAIT); + break; #endif /* INET6 */ - } + } - /* Fix the Next Header field in saved header. */ - ((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH; + /* Fix the Next Header field in saved header. 
*/ + ((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH; - /* Update the Next Protocol field in the IP header. */ - prot = IPPROTO_AH; - m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); + /* Update the Next Protocol field in the IP header. */ + prot = IPPROTO_AH; + m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); - /* "Massage" the packet headers for crypto processing. */ - if ((len = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family, - skip, ahx->type, 1)) != 0) { - /* mbuf will be free'd by callee. */ - free(tc, M_XDATA, 0); - crypto_freereq(crp); - return len; - } - } else { - /* Update the Next Protocol field in the IP header. */ - prot = IPPROTO_AH; - m_copyback(m, protoff, sizeof(u_int8_t), &prot, M_NOWAIT); + /* "Massage" the packet headers for crypto processing. */ + if ((len = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family, + skip, ahx->type, 1)) != 0) { + /* mbuf will be free'd by callee. */ + free(tc, M_XDATA, 0); + crypto_freereq(crp); + return len; } /* Crypto operation descriptor. */ @@ -1256,10 +1202,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, tc->tc_rdomain = tdb->tdb_rdomain; bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); - if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0) - return crypto_dispatch(crp); - else - return ah_output_cb(crp); + return crypto_dispatch(crp); } /* @@ -1323,8 +1266,7 @@ ah_output_cb(void *op) * Copy original headers (with the new protocol number) back * in place. */ - if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0) - m_copyback(m, 0, skip, ptr, M_NOWAIT); + m_copyback(m, 0, skip, ptr, M_NOWAIT); free(tc, M_XDATA, 0); diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 863b2622da1..11e2de714db 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.130 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.131 2015/04/17 11:04:01 mikeb Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -334,7 +334,6 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 struct cryptop *crp;
 struct tdb_crypto *tc;
 int plen, alen, hlen;
- struct m_tag *mtag;
 u_int32_t btsx, esn;
 #ifdef ENCDEBUG
 char buf[INET6_ADDRSTRLEN];
@@ -431,23 +430,6 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */
 }
 
-#ifdef notyet
- /* Find out if we've already done crypto */
- for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
- mtag != NULL;
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) {
- struct tdb_ident *tdbi;
-
- tdbi = (struct tdb_ident *) (mtag + 1);
- if (tdbi->proto == tdb->tdb_sproto && tdbi->spi == tdb->tdb_spi &&
- tdbi->rdomain == tdb->tdb_rdomain && !memcmp(&tdbi->dst,
- &tdb->tdb_dst, sizeof(union sockaddr_union)))
- break;
- }
-#else
- mtag = NULL;
-#endif
-
 /* Get crypto descriptors */
 crp = crypto_getreq(esph && espx ? 2 : 1);
 if (crp == NULL) {
@@ -458,7 +440,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 }
 
 /* Get IPsec-specific opaque pointer */
- if (esph == NULL || mtag != NULL)
+ if (esph == NULL)
 tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
 else
 tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO);
@@ -470,8 +452,6 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 return ENOBUFS;
 }
 
- tc->tc_ptr = (caddr_t) mtag;
-
 if (esph) {
 crda = crp->crp_desc;
 crde = crda->crd_next;
@@ -496,9 +476,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 crda->crd_len = m->m_pkthdr.len - (skip + alen);
 
 /* Copy the authenticator */
- if (mtag == NULL)
- m_copydata(m, m->m_pkthdr.len - alen, alen,
- (caddr_t)(tc + 1));
+ m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t)(tc + 1));
 } else
 crde = crp->crp_desc;
 
@@ -533,10 +511,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
 }
 
- if (mtag == NULL)
- return crypto_dispatch(crp);
- else
- return esp_input_cb(crp);
+ return crypto_dispatch(crp);
 }
 
 /*
@@ -551,7 +526,6 @@ esp_input_cb(void *op)
 struct auth_hash *esph;
 struct tdb_crypto *tc;
 struct cryptop *crp;
- struct m_tag *mtag;
 struct tdb *tdb;
 u_int32_t btsx, esn;
 caddr_t ptr;
@@ -564,7 +538,6 @@ esp_input_cb(void *op)
 tc = (struct tdb_crypto *) crp->crp_opaque;
 skip = tc->tc_skip;
 protoff = tc->tc_protoff;
- mtag = (struct m_tag *) tc->tc_ptr;
 
 m = (struct mbuf *) crp->crp_buf;
 if (m == NULL) {
@@ -607,28 +580,22 @@ esp_input_cb(void *op) /* If authentication was performed, check now. */ if (esph != NULL) { - /* - * If we have a tag, it means an IPsec-aware NIC did the - * verification for us. - */ - if (mtag == NULL) { - /* Copy the authenticator from the packet */ - m_copydata(m, m->m_pkthdr.len - esph->authsize, - esph->authsize, aalg); - - ptr = (caddr_t) (tc + 1); - - /* Verify authenticator */ - if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { - free(tc, M_XDATA, 0); - DPRINTF(("esp_input_cb(): authentication " - "failed for packet in SA %s/%08x\n", - ipsp_address(&tdb->tdb_dst, buf, - sizeof(buf)), ntohl(tdb->tdb_spi))); - espstat.esps_badauth++; - error = EACCES; - goto baddone; - } + /* Copy the authenticator from the packet */ + m_copydata(m, m->m_pkthdr.len - esph->authsize, + esph->authsize, aalg); + + ptr = (caddr_t) (tc + 1); + + /* Verify authenticator */ + if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { + free(tc, M_XDATA, 0); + DPRINTF(("esp_input_cb(): authentication " + "failed for packet in SA %s/%08x\n", + ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); + espstat.esps_badauth++; + error = EACCES; + goto baddone; } /* Remove trailing authenticator */ @@ -778,7 +745,7 @@ esp_input_cb(void *op) m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT); /* Back to generic IPsec input processing */ - error = ipsec_common_input_cb(m, tdb, skip, protoff, mtag); + error = ipsec_common_input_cb(m, tdb, skip, protoff); splx(s); return (error); @@ -1068,10 +1035,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, crda->crd_len = m->m_pkthdr.len - (skip + alen); } - if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0) - return crypto_dispatch(crp); - else - return esp_output_cb(crp); + return crypto_dispatch(crp); } /* diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c index 8c75c7a34c3..f2f1aebc64a 100644 --- a/sys/netinet/ip_ipcomp.c +++ b/sys/netinet/ip_ipcomp.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.41 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.42 2015/04/17 11:04:01 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -172,8 +172,6 @@ ipcomp_input(m, tdb, skip, protoff)
 crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
 crdc->crd_inject = skip;
 
- tc->tc_ptr = 0;
-
 /* Decompression operation */
 crdc->crd_alg = ipcompx->type;
 
@@ -349,7 +347,7 @@ ipcomp_input_cb(op)
 m_copyback(m, protoff, sizeof(u_int8_t), &nproto, M_NOWAIT);
 
 /* Back to generic IPsec input processing */
- error = ipsec_common_input_cb(m, tdb, skip, protoff, NULL);
+ error = ipsec_common_input_cb(m, tdb, skip, protoff);
 
 splx(s);
 return error;
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 828a055d3c2..c39c3372f6b 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.212 2015/04/17 10:08:07 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.213 2015/04/17 11:04:01 mikeb Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -906,36 +906,6 @@ ipsp_reffree(struct ipsec_ref *ipr)
 free(ipr, ipr->ref_malloctype, 0);
 }
 
-/* Mark a TDB as TDBF_SKIPCRYPTO. */
-void
-ipsp_skipcrypto_mark(struct tdb_ident *tdbi)
-{
- struct tdb *tdb;
- int s = splsoftnet();
-
- tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto);
- if (tdb != NULL) {
- tdb->tdb_flags |= TDBF_SKIPCRYPTO;
- tdb->tdb_last_marked = time_second;
- }
- splx(s);
-}
-
-/* Unmark a TDB as TDBF_SKIPCRYPTO. */
-void
-ipsp_skipcrypto_unmark(struct tdb_ident *tdbi)
-{
- struct tdb *tdb;
- int s = splsoftnet();
-
- tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto);
- if (tdb != NULL) {
- tdb->tdb_flags &= ~TDBF_SKIPCRYPTO;
- tdb->tdb_last_marked = time_second;
- }
- splx(s);
-}
-
 /* Return true if the two structures match. */
 int
 ipsp_ref_match(struct ipsec_ref *ref1, struct ipsec_ref *ref2)
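Review bot: Deleting ipsp_skipcrypto_mark() and ipsp_skipcrypto_unmark() removes the only writers of `tdb->tdb_last_marked` visible in this patch, yet the ip_ipsp.h hunk drops TDBF_SKIPCRYPTO and tc_ptr but leaves that member in struct tdb. If nothing else reads it, it should be removed in the same commit so struct tdb does not keep a dead field; if something still reads it, a short comment in ip_ipsp.h saying what sets it now would avoid the next reader having to trace it. The freed flag bit also deserves a placeholder next to the remaining TDBF_* definitions, e.g. `/* 0x08000 was TDBF_SKIPCRYPTO, now unused */`, so the gap is not mistaken for a typo or silently reused.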
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 76b215603dc..365e985e3ad 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.168 2015/04/17 10:04:37 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.169 2015/04/17 11:04:01 mikeb Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -268,7 +268,6 @@ struct tdb { /* tunnel descriptor block */
 #define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */
 #define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */
 #define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */
-#define TDBF_SKIPCRYPTO 0x08000 /* Skip actual crypto processing */
 #define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */
 #define TDBF_UDPENCAP 0x20000 /* UDP encapsulation */
 #define TDBF_PFSYNC 0x40000 /* TDB will be synced */
@@ -364,7 +363,6 @@ struct tdb_crypto {
 u_int8_t tc_proto;
 int tc_protoff;
 int tc_skip;
- caddr_t tc_ptr;
 u_int tc_rdomain;
 };
 
@@ -545,14 +543,11 @@ struct tdb *ipsp_spd_inp(struct mbuf *, int, int, int *, int,
 int ipsp_is_unspecified(union sockaddr_union);
 int ipsp_ref_match(struct ipsec_ref *, struct ipsec_ref *);
 void ipsp_reffree(struct ipsec_ref *);
-void ipsp_skipcrypto_mark(struct tdb_ident *);
-void ipsp_skipcrypto_unmark(struct tdb_ident *);
 int ipsp_aux_match(struct tdb *, struct ipsec_ref *, struct ipsec_ref *,
 struct sockaddr_encap *, struct sockaddr_encap *);
 
 int ipsec_common_input(struct mbuf *, int, int, int, int, int);
-int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int,
- struct m_tag *);
+int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
 int ipsec_delete_policy(struct ipsec_policy *);
 ssize_t ipsec_hdrsz(struct tdb *);
 void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 1935254527b..92a45e5bcc8 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.278 2015/04/16 19:24:13 markus Exp $ */
+/* $OpenBSD: ip_output.c,v 1.279 2015/04/17 11:04:01 mikeb Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 
 /*
@@ -272,9 +272,7 @@ reroute:
 /* Loop detection */
 for (mtag = m_tag_first(m); mtag != NULL;
 mtag = m_tag_next(m, mtag)) {
- if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
- mtag->m_tag_id !=
- PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
+ if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE)
 continue;
 tdbi = (struct tdb_ident *)(mtag + 1);
 if (tdbi->spi == tdb->tdb_spi &&
@@ -603,18 +601,6 @@ sendit:
 error = ipsp_process_packet(m, tdb, AF_INET, 0);
 return error; /* Nothing more to be done */
 }
-
- /*
- * If we got here and IPsec crypto processing didn't happen, drop it.
- */
- if (ipsec_in_use && (mtag = m_tag_find(m,
- PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) != NULL) {
- /* Notify IPsec to do its own crypto. */
- ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
- m_freem(m);
- error = EHOSTUNREACH;
- goto done;
- }
 #endif /* IPSEC */
 
 /*
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 5e05a3a3213..cd1bfcfb320 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.129 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.130 2015/04/17 11:04:02 mikeb Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -323,8 +323,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
  * filtering and other sanity checks on the processed packet.
  */
 int
-ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
- struct m_tag *mt)
+ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff)
 {
 int af, sproto;
 u_char prot;
@@ -514,11 +513,7 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
 
 /*
 * Record what we've done to the packet (under what SA it was
- * processed). If we've been passed an mtag, it means the packet
- * was already processed by an ethernet/crypto combo card and
- * thus has a tag attached with all the right information, but
- * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
- * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
+ * processed).
 */
 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) {
 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 2814ec0327a..b6bb4510f3d 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.57 2015/04/14 14:20:01 mikeb Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.58 2015/04/17 11:04:02 mikeb Exp $ */
 /*
  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
  *
@@ -445,14 +445,8 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb)
 * Add a record of what we've done or what needs to be done to the
 * packet.
 */
- if ((tdb->tdb_flags & TDBF_SKIPCRYPTO) == 0)
- mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE,
- sizeof(struct tdb_ident),
- M_NOWAIT);
- else
- mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED,
- sizeof(struct tdb_ident), M_NOWAIT);
-
+ mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(struct tdb_ident),
+ M_NOWAIT);
 if (mtag == NULL) {
 m_freem(m);
 DPRINTF(("ipsp_process_done(): could not allocate packet "
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index dbea200e608..516be30d3c9 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_forward.c,v 1.72 2015/03/14 03:38:52 jsg Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.73 2015/04/17 11:04:02 mikeb Exp $ */
 /* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
 
 /*
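Review bot: In the ipsp_process_done() hunk the context comment directly above the new m_tag_get() call still says `Add a record of what we've done or what needs to be done to the packet.`; with PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED gone there is no longer a "needs to be done" case, so the sentence now describes a branch that does not exist. It should be shortened to `Add a record of what we've done to the packet.`, which also matches the wording this same commit adopts for the corresponding comment in ipsec_common_input_cb(). The rest of ipsp_process_done() lies outside the hunk.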
@@ -206,9 +206,7 @@ reroute:
 /* Loop detection */
 for (mtag = m_tag_first(m); mtag != NULL;
 mtag = m_tag_next(m, mtag)) {
- if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
- mtag->m_tag_id !=
- PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
+ if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE)
 continue;
 tdbi = (struct tdb_ident *)(mtag + 1);
 if (tdbi->spi == tdb->tdb_spi &&
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index c098f926f0e..3b8ec6a1269 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.169 2015/04/16 19:24:13 markus Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.170 2015/04/17 11:04:02 mikeb Exp $ */
 /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
 
 /*
@@ -268,9 +268,7 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, struct route_in6 *ro,
 /* Loop detection */
 for (mtag = m_tag_first(m); mtag != NULL;
 mtag = m_tag_next(m, mtag)) {
- if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
- mtag->m_tag_id !=
- PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
+ if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE)
 continue;
 tdbi = (struct tdb_ident *)(mtag + 1);
 if (tdbi->spi == tdb->tdb_spi &&
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 32cebd51284..607f1a6073e 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nd6.c,v 1.133 2015/03/25 17:39:33 florian Exp $ */
+/* $OpenBSD: nd6.c,v 1.134 2015/04/17 11:04:02 mikeb Exp $ */
 /* $KAME: nd6.c,v 1.280 2002/06/08 19:52:07 itojun Exp $ */
 
 /*
@@ -1648,9 +1648,6 @@ nd6_output(struct ifnet *ifp, struct mbuf *m0, struct sockaddr_in6 *dst,
 struct rtentry *rt = rt0;
 struct llinfo_nd6 *ln = NULL;
 int error = 0;
-#ifdef IPSEC
- struct m_tag *mtag;
-#endif /* IPSEC */
 
 if (IN6_IS_ADDR_MULTICAST(&dst->sin6_addr))
 goto sendpkt;
@@ -1780,21 +1777,6 @@ nd6_output(struct ifnet *ifp, struct mbuf *m0, struct sockaddr_in6 *dst,
 return (0);
 
 sendpkt:
-#ifdef IPSEC
- /*
- * If we got here and IPsec crypto processing didn't happen, drop it.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL);
-#endif /* IPSEC */
-
-#ifdef IPSEC
- if (mtag != NULL) {
- /* Tell IPsec to do its own crypto. */
- ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
- error = EACCES;
- goto bad;
- }
-#endif /* IPSEC */
 return ((*ifp->if_output)(ifp, m, sin6tosa(dst), rt));
 
 bad:
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 76711471eb4..4ecf86ed006 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mbuf.h,v 1.189 2015/04/13 08:45:48 mpi Exp $ */
+/* $OpenBSD: mbuf.h,v 1.190 2015/04/17 11:04:02 mikeb Exp $ */
 /* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
 
 /*
@@ -454,8 +454,6 @@ struct m_tag *m_tag_next(struct mbuf *, struct m_tag *);
 /* Packet tag types */
 #define PACKET_TAG_IPSEC_IN_DONE 0x0001 /* IPsec applied, in */
 #define PACKET_TAG_IPSEC_OUT_DONE 0x0002 /* IPsec applied, out */
-#define PACKET_TAG_IPSEC_IN_CRYPTO_DONE 0x0004 /* NIC IPsec crypto done */
-#define PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED 0x0008 /* NIC IPsec crypto req'ed */
 #define PACKET_TAG_IPSEC_PENDING_TDB 0x0010 /* Reminder to do IPsec */
 #define PACKET_TAG_BRIDGE 0x0020 /* Bridge processing done */
 #define PACKET_TAG_GIF 0x0040 /* GIF processing done */
-- 
2.20.1