On Sun, Oct 24, 2021 at 07:16:27PM +0200, Tobias Heider wrote:
> On Sun, Oct 24, 2021 at 07:10:22PM +0200, Tobias Heider wrote:
> > The diff below removes ipcomp_input_cb(), ipcomp_output_cb() and some other
> > things related to the old crypto API.
> >
> > ok?
>
> small update to move ip6_hdr out of '#if NBPFILTER > 0'
update to work with the latest changes
Index: ip_ipcomp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipcomp.c,v
retrieving revision 1.85
diff -u -p -r1.85 ip_ipcomp.c
--- ip_ipcomp.c 24 Oct 2021 17:08:27 -0000 1.85
+++ ip_ipcomp.c 24 Oct 2021 17:56:03 -0000
@@ -135,11 +135,17 @@ ipcomp_input(struct mbuf **mp, struct td
{
const struct comp_algo *ipcompx = tdb->tdb_compalgxform;
struct mbuf *m = *mp;
- struct tdb_crypto *tc = NULL;
- int hlen, error, clen;
-
struct cryptodesc *crdc = NULL;
struct cryptop *crp;
+ int hlen, error, clen, roff;
+ u_int8_t nproto;
+ u_int64_t ibytes;
+ struct mbuf *m1, *mo;
+ struct ipcomp *ipcomp;
+ caddr_t addr;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
hlen = IPCOMP_HLENGTH;
@@ -151,14 +157,6 @@ ipcomp_input(struct mbuf **mp, struct td
error = ENOBUFS;
goto drop;
}
- /* Get IPsec-specific opaque pointer */
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
- if (tc == NULL) {
- DPRINTF("failed to allocate tdb_crypto");
- ipcompstat_inc(ipcomps_crypto);
- error = ENOBUFS;
- goto drop;
- }
crdc = &crp->crp_desc[0];
crdc->crd_skip = skip + hlen;
@@ -174,14 +172,6 @@ ipcomp_input(struct mbuf **mp, struct td
crp->crp_buf = (caddr_t)m;
crp->crp_sid = tdb->tdb_cryptoid;
- /* These are passed as-is to the callback */
- tc->tc_skip = skip;
- tc->tc_protoff = protoff;
- tc->tc_spi = tdb->tdb_spi;
- tc->tc_proto = IPPROTO_IPCOMP;
- tc->tc_rdomain = tdb->tdb_rdomain;
- tc->tc_dst = tdb->tdb_dst;
-
KERNEL_LOCK();
while ((error = crypto_invoke(crp)) == EAGAIN) {
/* Reset the session ID */
@@ -199,35 +189,7 @@ ipcomp_input(struct mbuf **mp, struct td
/* Release the crypto descriptors */
crypto_freereq(crp);
-
- return ipcomp_input_cb(tdb, tc, mp, clen);
-
- drop:
- m_freemp(mp);
- crypto_freereq(crp);
- free(tc, M_XDATA, 0);
- return error;
-}
-
-int
-ipcomp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf **mp,
- int clen)
-{
- struct mbuf *m = *mp;
- int skip, protoff, roff, hlen = IPCOMP_HLENGTH;
- u_int8_t nproto;
- u_int64_t ibytes;
- struct mbuf *m1, *mo;
- struct ipcomp *ipcomp;
- caddr_t addr;
-#ifdef ENCDEBUG
- char buf[INET6_ADDRSTRLEN];
-#endif
-
- NET_ASSERT_LOCKED();
-
- skip = tc->tc_skip;
- protoff = tc->tc_protoff;
+ crp = 0;
/* update the counters */
ibytes = m->m_pkthdr.len - (skip + hlen);
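Review bot: `crp = 0;` after `crypto_freereq(crp)` should be `crp = NULL;`, matching the same reset added to ipcomp_output() later in this diff. The reset is load-bearing: every later `goto drop` in the merged function reaches `crypto_freereq(crp)` at the shared `drop:` label, so a stale pointer here would be released a second time. A short comment such as `/* already released; drop: must not free it again */` would keep a later edit from removing the line as dead code. The body of ipcomp_input() starts and ends outside this hunk.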
@@ -240,7 +202,8 @@ ipcomp_input_cb(struct tdb *tdb, struct
(tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
- goto baddone;
+ error = -1;
+ goto drop;
}
/* Notify on soft expiration */
if ((tdb->tdb_flags & TDBF_SOFT_BYTES) &&
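Review bot: With `error = -1` on the hard-expiry path here, and on the two header-check failures in the following hunks, ipcomp_input() returns both errno values (ENOBUFS on the earlier request-allocation failure) and a bare -1 through the one `drop:` label. This matches what the removed `baddone:` label returned, so behaviour is unchanged, but the mixed convention is no longer visible from the function split. Either note it at the label, e.g. `/* error is an errno or -1; callers only test for non-zero */` once that has been confirmed against the callers, or pick an errno for these three sites.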
@@ -255,7 +218,8 @@ ipcomp_input_cb(struct tdb *tdb, struct
if (m->m_len < skip + hlen &&
(m = *mp = m_pullup(m, skip + hlen)) == NULL) {
ipcompstat_inc(ipcomps_hdrops);
- goto baddone;
+ error = -1;
+ goto drop;
}
/* Find the beginning of the IPCOMP header */
@@ -265,7 +229,8 @@ ipcomp_input_cb(struct tdb *tdb, struct
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_hdrops);
- goto baddone;
+ error = -1;
+ goto drop;
}
/* Keep the next protocol field */
addr = (caddr_t) mtod(m, struct ip *) + skip;
@@ -321,19 +286,16 @@ ipcomp_input_cb(struct tdb *tdb, struct
m->m_pkthdr.len -= hlen;
}
- /* Release the crypto descriptors */
- free(tc, M_XDATA, 0);
-
/* Restore the Next Protocol field */
m_copyback(m, protoff, sizeof(u_int8_t), &nproto, M_NOWAIT);
/* Back to generic IPsec input processing */
return ipsec_common_input_cb(mp, tdb, skip, protoff);
- baddone:
+ drop:
m_freemp(mp);
- free(tc, M_XDATA, 0);
- return -1;
+ crypto_freereq(crp);
+ return error;
}
/*
@@ -343,16 +305,21 @@ int
ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
{
const struct comp_algo *ipcompx = tdb->tdb_compalgxform;
- int error, hlen, ilen, olen;
+ int error, hlen, ilen, olen, rlen, roff;
struct cryptodesc *crdc = NULL;
struct cryptop *crp = NULL;
- struct tdb_crypto *tc;
- struct mbuf *mi;
+ struct mbuf *mi, *mo;
+ struct ip *ip;
+ u_int16_t cpi;
+#ifdef INET6
+ struct ip6_hdr *ip6;
+#endif
#ifdef ENCDEBUG
char buf[INET6_ADDRSTRLEN];
#endif
#if NBPFILTER > 0
struct ifnet *encif;
+ struct ipcomp *ipcomp;
if ((encif = enc_getif(0, tdb->tdb_tap)) != NULL) {
encif->if_opackets++;
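Review bot: `struct ipcomp *ipcomp;` is added inside the `#if NBPFILTER > 0` block next to `encif`, so a kernel configured without bpf gets no declaration for it. The removed ipcomp_output_cb() declared it unconditionally, which suggests the header-building code merged into this function uses it regardless of bpf; that use is outside the hunk, so please confirm. If it does, move the declaration up beside `struct ip *ip;`, the same treatment the follow-up gave `ip6`.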
@@ -417,7 +384,6 @@ ipcomp_output(struct mbuf *m, struct tdb
}
/* Update the counters */
-
tdb->tdb_cur_bytes += m->m_pkthdr.len - skip;
ipcompstat_add(ipcomps_obytes, m->m_pkthdr.len - skip);
@@ -479,21 +445,6 @@ ipcomp_output(struct mbuf *m, struct tdb
/* Compression operation */
crdc->crd_alg = ipcompx->type;
- /* IPsec-specific opaque crypto info */
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
- if (tc == NULL) {
- DPRINTF("failed to allocate tdb_crypto");
- ipcompstat_inc(ipcomps_crypto);
- error = ENOBUFS;
- goto drop;
- }
-
- tc->tc_spi = tdb->tdb_spi;
- tc->tc_proto = tdb->tdb_sproto;
- tc->tc_skip = skip;
- tc->tc_rdomain = tdb->tdb_rdomain;
- tc->tc_dst = tdb->tdb_dst;
-
/* Crypto operation descriptor */
crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE;
@@ -510,10 +461,7 @@ ipcomp_output(struct mbuf *m, struct tdb
if (error) {
DPRINTF("crypto error %d", error);
ipsecstat_inc(ipsec_noxform);
- free(tc, M_XDATA, 0);
- m_freem(m);
- crypto_freereq(crp);
- return error;
+ goto drop;
}
ilen = crp->crp_ilen;
@@ -521,36 +469,8 @@ ipcomp_output(struct mbuf *m, struct tdb
/* Release the crypto descriptors */
crypto_freereq(crp);
+ crp = NULL;
- return ipcomp_output_cb(tdb, tc, m, ilen, olen);
-
- drop:
- m_freem(m);
- crypto_freereq(crp);
- return error;
-}
-
-/*
- * IPComp output callback.
- */
-int
-ipcomp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m,
- int ilen, int olen)
-{
- struct mbuf *mo;
- int skip, rlen, roff;
- u_int16_t cpi;
- struct ip *ip;
-#ifdef INET6
- struct ip6_hdr *ip6;
-#endif
- struct ipcomp *ipcomp;
-#ifdef ENCDEBUG
- char buf[INET6_ADDRSTRLEN];
-#endif
- int error;
-
- skip = tc->tc_skip;
rlen = ilen - skip;
/* Check sizes. */
@@ -602,9 +522,6 @@ ipcomp_output_cb(struct tdb *tdb, struct
}
skiphdr:
- /* Release the crypto descriptor. */
- free(tc, M_XDATA, 0);
-
error = ipsp_process_done(m, tdb);
if (error)
ipcompstat_inc(ipcomps_outfail);
@@ -612,6 +529,6 @@ ipcomp_output_cb(struct tdb *tdb, struct
drop:
m_freem(m);
- free(tc, M_XDATA, 0);
+ crypto_freereq(crp);
return error;
}
Index: ip_ipsp.h
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
retrieving revision 1.214
diff -u -p -r1.214 ip_ipsp.h
--- ip_ipsp.h 24 Oct 2021 17:08:27 -0000 1.214
+++ ip_ipsp.h 24 Oct 2021 17:56:03 -0000
@@ -607,10 +607,7 @@ int ipcomp_attach(void);
int ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int ipcomp_zeroize(struct tdb *);
int ipcomp_input(struct mbuf **, struct tdb *, int, int);
-int ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf **, int);
int ipcomp_output(struct mbuf *, struct tdb *, int, int);
-int ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
- int);
int ipcomp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int ipcomp4_input(struct mbuf **, int *, int, int);
#ifdef INET6