hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[IPSEC]: Move integrity stat collection into xfrm_input 

Similar to the moving out of the replay processing on the output, this
patch moves the integrity stat collectin from x->type->input into
xfrm_input.

This would eventually allow transforms such as AH/ESP to be lockless.

The error value EBADMSG (currently unused in the crypto layer) is used
to indicate a failed integrity check.  In future this error can be
directly returned by the crypto layer once we switch to aead
algorithms.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Herbert Xu 2007-12-16 15:55:02 -08:00 committed by David S. Miller
parent b2aa5e9d43
commit 668dc8af31
5 changed files with 15 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
net/ipv4/ah4.c
View File

@ -177,9 +177,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err)
goto out;
err = -EINVAL;
if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
x->stats.integrity_failed++;
err = -EBADMSG;
goto out;
}
}

13
net/ipv4/esp4.c
View File

@ -163,7 +163,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
u8 nexthdr[2];
struct scatterlist *sg;
int padlen;
int err;
int err = -EINVAL;
if (!pskb_may_pull(skb, sizeof(*esph)))
goto out;
@ -183,13 +183,14 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
BUG();
if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
x->stats.integrity_failed++;
err = -EBADMSG;
goto out;
}
}
if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0)
if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
goto out;
nfrags = err;
skb->ip_summed = CHECKSUM_NONE;
@ -202,6 +203,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
sg = &esp->sgbuf[0];
if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
err = -ENOMEM;
sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
if (!sg)
goto out;
@ -214,11 +216,12 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
if (unlikely(sg != &esp->sgbuf[0]))
kfree(sg);
if (unlikely(err))
return err;
goto out;
if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
BUG();
err = -EINVAL;
padlen = nexthdr[0];
if (padlen+2 >= elen)
goto out;
@ -276,7 +279,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
return nexthdr[1];
out:
return -EINVAL;
return err;
}
static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)

3
net/ipv6/ah6.c
View File

@ -379,10 +379,9 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err)
goto free_out;
err = -EINVAL;
if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n");
x->stats.integrity_failed++;
err = -EBADMSG;
goto free_out;
}
}

3
net/ipv6/esp6.c
View File

@ -177,8 +177,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
BUG();
if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
x->stats.integrity_failed++;
ret = -EINVAL;
ret = -EBADMSG;
goto out;
}
}

5
net/xfrm/xfrm_input.c
View File

@ -147,8 +147,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
goto drop_unlock;
nexthdr = x->type->input(x, skb);
if (nexthdr <= 0)
if (nexthdr <= 0) {
if (nexthdr == -EBADMSG)
x->stats.integrity_failed++;
goto drop_unlock;
}
skb_network_header(skb)[nhoff] = nexthdr;