Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 25 Jun 2020 23:59:16 +0000 (UTC)
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r362636 - head/sys/netipsec
Message-ID:  <202006252359.05PNxGIR037396@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jhb
Date: Thu Jun 25 23:59:16 2020
New Revision: 362636
URL: https://svnweb.freebsd.org/changeset/base/362636

Log:
  Simplify IPsec transform-specific teardown.
  
  - Rename from the teardown callback from 'zeroize' to 'cleanup' since
    this no longer zeroes keys.
  
  - Change the callback return type to void.  Nothing checked the return
    value and it was always zero.
  
  - Don't have esp call into ah since it no longer needs to depend on
    this to clear the auth key.  Instead, both are now private and
    self-contained.
  
  Reviewed by:	delphij
  Sponsored by:	Chelsio Communications
  Differential Revision:	https://reviews.freebsd.org/D25443

Modified:
  head/sys/netipsec/key.c
  head/sys/netipsec/xform.h
  head/sys/netipsec/xform_ah.c
  head/sys/netipsec/xform_esp.c
  head/sys/netipsec/xform_ipcomp.c
  head/sys/netipsec/xform_tcp.c

Modified: head/sys/netipsec/key.c
==============================================================================
--- head/sys/netipsec/key.c	Thu Jun 25 23:57:30 2020	(r362635)
+++ head/sys/netipsec/key.c	Thu Jun 25 23:59:16 2020	(r362636)
@@ -3059,11 +3059,8 @@ key_cleansav(struct secasvar *sav)
 	}
 	if (sav->flags & SADB_X_EXT_F_CLONED)
 		return;
-	/*
-	 * Cleanup xform state.
-	 */
 	if (sav->tdb_xform != NULL) {
-		sav->tdb_xform->xf_zeroize(sav);
+		sav->tdb_xform->xf_cleanup(sav);
 		sav->tdb_xform = NULL;
 	}
 	if (sav->key_auth != NULL) {

Modified: head/sys/netipsec/xform.h
==============================================================================
--- head/sys/netipsec/xform.h	Thu Jun 25 23:57:30 2020	(r362635)
+++ head/sys/netipsec/xform.h	Thu Jun 25 23:59:16 2020	(r362636)
@@ -89,7 +89,7 @@ struct xformsw {
 	u_short			xf_type;	/* xform ID */
 	const char		*xf_name;	/* human-readable name */
 	int	(*xf_init)(struct secasvar*, struct xformsw*);	/* setup */
-	int	(*xf_zeroize)(struct secasvar*);		/* cleanup */
+	void	(*xf_cleanup)(struct secasvar*);		/* cleanup */
 	int	(*xf_input)(struct mbuf*, struct secasvar*,	/* input */
 			int, int);
 	int	(*xf_output)(struct mbuf*,			/* output */
@@ -112,7 +112,6 @@ struct crypto_session_params;
 int xform_ah_authsize(const struct auth_hash *);
 int ah_init0(struct secasvar *, struct xformsw *,
     struct crypto_session_params *);
-extern int ah_zeroize(struct secasvar *sav);
 extern size_t ah_hdrsiz(struct secasvar *);
 
 /* XF_ESP */

Modified: head/sys/netipsec/xform_ah.c
==============================================================================
--- head/sys/netipsec/xform_ah.c	Thu Jun 25 23:57:30 2020	(r362635)
+++ head/sys/netipsec/xform_ah.c	Thu Jun 25 23:59:16 2020	(r362636)
@@ -241,20 +241,13 @@ ah_init(struct secasvar *sav, struct xformsw *xsp)
 		 crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
 }
 
-/*
- * Paranoia.
- *
- * NB: public for use by esp_zeroize (XXX).
- */
-int
-ah_zeroize(struct secasvar *sav)
+static void
+ah_cleanup(struct secasvar *sav)
 {
 
 	crypto_freesession(sav->tdb_cryptoid);
 	sav->tdb_cryptoid = NULL;
 	sav->tdb_authalgxform = NULL;
-	sav->tdb_xform = NULL;
-	return 0;
 }
 
 /*
@@ -1141,7 +1134,7 @@ static struct xformsw ah_xformsw = {
 	.xf_type =	XF_AH,
 	.xf_name =	"IPsec AH",
 	.xf_init =	ah_init,
-	.xf_zeroize =	ah_zeroize,
+	.xf_cleanup =	ah_cleanup,
 	.xf_input =	ah_input,
 	.xf_output =	ah_output,
 };

Modified: head/sys/netipsec/xform_esp.c
==============================================================================
--- head/sys/netipsec/xform_esp.c	Thu Jun 25 23:57:30 2020	(r362635)
+++ head/sys/netipsec/xform_esp.c	Thu Jun 25 23:59:16 2020	(r362636)
@@ -237,18 +237,14 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
 	return error;
 }
 
-/*
- * Paranoia.
- */
-static int
-esp_zeroize(struct secasvar *sav)
+static void
+esp_cleanup(struct secasvar *sav)
 {
-	/* NB: ah_zeroize free's the crypto session state */
-	int error = ah_zeroize(sav);
 
+	crypto_freesession(sav->tdb_cryptoid);
+	sav->tdb_cryptoid = NULL;
+	sav->tdb_authalgxform = NULL;
 	sav->tdb_encalgxform = NULL;
-	sav->tdb_xform = NULL;
-	return error;
 }
 
 /*
@@ -964,7 +960,7 @@ static struct xformsw esp_xformsw = {
 	.xf_type =	XF_ESP,
 	.xf_name =	"IPsec ESP",
 	.xf_init =	esp_init,
-	.xf_zeroize =	esp_zeroize,
+	.xf_cleanup =	esp_cleanup,
 	.xf_input =	esp_input,
 	.xf_output =	esp_output,
 };

Modified: head/sys/netipsec/xform_ipcomp.c
==============================================================================
--- head/sys/netipsec/xform_ipcomp.c	Thu Jun 25 23:57:30 2020	(r362635)
+++ head/sys/netipsec/xform_ipcomp.c	Thu Jun 25 23:59:16 2020	(r362636)
@@ -179,15 +179,14 @@ ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
 }
 
 /*
- * ipcomp_zeroize() used when IPCA is deleted
+ * ipcomp_cleanup() used when IPCA is deleted
  */
-static int
-ipcomp_zeroize(struct secasvar *sav)
+static void
+ipcomp_cleanup(struct secasvar *sav)
 {
 
 	crypto_freesession(sav->tdb_cryptoid);
 	sav->tdb_cryptoid = NULL;
-	return 0;
 }
 
 /*
@@ -739,7 +738,7 @@ static struct xformsw ipcomp_xformsw = {
 	.xf_type =	XF_IPCOMP,
 	.xf_name =	"IPcomp",
 	.xf_init =	ipcomp_init,
-	.xf_zeroize =	ipcomp_zeroize,
+	.xf_cleanup =	ipcomp_cleanup,
 	.xf_input =	ipcomp_input,
 	.xf_output =	ipcomp_output,
 };

Modified: head/sys/netipsec/xform_tcp.c
==============================================================================
--- head/sys/netipsec/xform_tcp.c	Thu Jun 25 23:57:30 2020	(r362635)
+++ head/sys/netipsec/xform_tcp.c	Thu Jun 25 23:59:16 2020	(r362636)
@@ -361,19 +361,16 @@ tcpsignature_init(struct secasvar *sav, struct xformsw
 /*
  * Called when the SA is deleted.
  */
-static int
-tcpsignature_zeroize(struct secasvar *sav)
+static void
+tcpsignature_cleanup(struct secasvar *sav)
 {
-
-	sav->tdb_xform = NULL;
-	return (0);
 }
 
 static struct xformsw tcpsignature_xformsw = {
 	.xf_type =	XF_TCPSIGNATURE,
 	.xf_name =	"TCP-MD5",
 	.xf_init =	tcpsignature_init,
-	.xf_zeroize =	tcpsignature_zeroize,
+	.xf_cleanup =	tcpsignature_cleanup,
 };
 
 static const struct tcpmd5_methods tcpmd5_methods = {



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202006252359.05PNxGIR037396>