authorJohn Baldwin <jhb@FreeBSD.org>2020-06-25 23:59:16 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2020-06-25 23:59:16 +0000
commitdae61c9d09a79fc93c9486c212a586512339e6a0 (patch)
tree1545d554f406b443890e7ce49371fdce2655e095 /sys/netipsec
parentf82eb2a6f04c2a4193378f932fe8ab9b84fbb67d (diff)
Simplify IPsec transform-specific teardown.
- Rename the teardown callback from 'zeroize' to 'cleanup' since this no longer zeroes keys. - Change the callback return type to void. Nothing checked the return value and it was always zero. - Don't have esp call into ah since it no longer needs to depend on this to clear the auth key. Instead, both are now private and self-contained. Reviewed by: delphij Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25443
Notes
Notes: svn path=/head/; revision=362636
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/key.c5
-rw-r--r--sys/netipsec/xform.h3
-rw-r--r--sys/netipsec/xform_ah.c13
-rw-r--r--sys/netipsec/xform_esp.c16
-rw-r--r--sys/netipsec/xform_ipcomp.c9
-rw-r--r--sys/netipsec/xform_tcp.c9
6 files changed, 18 insertions, 37 deletions
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 8bdda61f5b36..0497187db856 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -3059,11 +3059,8 @@ key_cleansav(struct secasvar *sav)
}
if (sav->flags & SADB_X_EXT_F_CLONED)
return;
- /*
- * Cleanup xform state.
- */
if (sav->tdb_xform != NULL) {
- sav->tdb_xform->xf_zeroize(sav);
+ sav->tdb_xform->xf_cleanup(sav);
sav->tdb_xform = NULL;
}
if (sav->key_auth != NULL) {
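Review bot: Deleting the `Cleanup xform state.` comment leaves the callback's division of labour undocumented at the call site: after this change the AH, ESP and TCP-MD5 callbacks no longer clear `tdb_xform`, and the line following the call is now the only place it is reset. A one-line replacement such as `/* Release xform-private state (crypto session etc.); tdb_xform itself is cleared here, not by the callback. */` keeps that visible. The auth/enc key buffers are handled by the code after this hunk (only `if (sav->key_auth != NULL)` is visible), so whether they are zeroed before being freed cannot be judged from here — worth confirming now that the callbacks no longer do any zeroing. key_cleansav begins before and ends after this hunk.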
diff --git a/sys/netipsec/xform.h b/sys/netipsec/xform.h
index 85c9b65d1643..ff59971cf133 100644
--- a/sys/netipsec/xform.h
+++ b/sys/netipsec/xform.h
@@ -89,7 +89,7 @@ struct xformsw {
u_short xf_type; /* xform ID */
const char *xf_name; /* human-readable name */
int (*xf_init)(struct secasvar*, struct xformsw*); /* setup */
- int (*xf_zeroize)(struct secasvar*); /* cleanup */
+ void (*xf_cleanup)(struct secasvar*); /* cleanup */
int (*xf_input)(struct mbuf*, struct secasvar*, /* input */
int, int);
int (*xf_output)(struct mbuf*, /* output */
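Review bot: The `/* cleanup */` annotation on the new `xf_cleanup` member says nothing about what the callback must do or may skip, which matters now that the implementations differ (AH, ESP and IPcomp free a crypto session, TCP-MD5 does nothing) and none of them clears `tdb_xform` anymore. Suggest `void (*xf_cleanup)(struct secasvar*); /* free xform-private state; must not be NULL; caller resets tdb_xform */`. The "must not be NULL" part follows from key_cleansav calling the pointer without a guard. struct xformsw starts before and continues past this hunk.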
@@ -112,7 +112,6 @@ struct crypto_session_params;
int xform_ah_authsize(const struct auth_hash *);
int ah_init0(struct secasvar *, struct xformsw *,
struct crypto_session_params *);
-extern int ah_zeroize(struct secasvar *sav);
extern size_t ah_hdrsiz(struct secasvar *);
/* XF_ESP */
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 8aea3a45dd96..a707930b046c 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -241,20 +241,13 @@ ah_init(struct secasvar *sav, struct xformsw *xsp)
crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
}
-/*
- * Paranoia.
- *
- * NB: public for use by esp_zeroize (XXX).
- */
-int
-ah_zeroize(struct secasvar *sav)
+static void
+ah_cleanup(struct secasvar *sav)
{
crypto_freesession(sav->tdb_cryptoid);
sav->tdb_cryptoid = NULL;
sav->tdb_authalgxform = NULL;
- sav->tdb_xform = NULL;
- return 0;
}
/*
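Review bot: ah_cleanup loses the header comment its predecessor had and nothing replaces it; as it is now one of three near-identical private cleanup routines, a one-liner such as `/* Release the crypto session and auth state set up by ah_init; invoked via xf_cleanup on SA teardown. */` would help, and the same applies to esp_cleanup in xform_esp.c. The unconditional `crypto_freesession(sav->tdb_cryptoid)` presumes either that tdb_cryptoid is never NULL here or that crypto_freesession tolerates NULL — if ah_init can fail before its crypto_newsession call succeeds, that presumption is worth checking. ah_cleanup is fully inside the hunk; ah_init ends at its top.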
@@ -1141,7 +1134,7 @@ static struct xformsw ah_xformsw = {
.xf_type = XF_AH,
.xf_name = "IPsec AH",
.xf_init = ah_init,
- .xf_zeroize = ah_zeroize,
+ .xf_cleanup = ah_cleanup,
.xf_input = ah_input,
.xf_output = ah_output,
};
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index f4292d62a0a7..803d36da5f82 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -237,18 +237,14 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
return error;
}
-/*
- * Paranoia.
- */
-static int
-esp_zeroize(struct secasvar *sav)
+static void
+esp_cleanup(struct secasvar *sav)
{
- /* NB: ah_zeroize free's the crypto session state */
- int error = ah_zeroize(sav);
+ crypto_freesession(sav->tdb_cryptoid);
+ sav->tdb_cryptoid = NULL;
+ sav->tdb_authalgxform = NULL;
sav->tdb_encalgxform = NULL;
- sav->tdb_xform = NULL;
- return error;
}
/*
@@ -964,7 +960,7 @@ static struct xformsw esp_xformsw = {
.xf_type = XF_ESP,
.xf_name = "IPsec ESP",
.xf_init = esp_init,
- .xf_zeroize = esp_zeroize,
+ .xf_cleanup = esp_cleanup,
.xf_input = esp_input,
.xf_output = esp_output,
};
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 0949062f4395..b9dfe0e3532f 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -179,15 +179,14 @@ ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
}
/*
- * ipcomp_zeroize() used when IPCA is deleted
+ * ipcomp_cleanup() used when IPCA is deleted
*/
-static int
-ipcomp_zeroize(struct secasvar *sav)
+static void
+ipcomp_cleanup(struct secasvar *sav)
{
crypto_freesession(sav->tdb_cryptoid);
sav->tdb_cryptoid = NULL;
- return 0;
}
/*
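Review bot: ipcomp_cleanup resets `tdb_cryptoid` but, unlike ah_cleanup and esp_cleanup which also null their `tdb_authalgxform`/`tdb_encalgxform` pointers, leaves the SA's compression-algorithm pointer untouched; if secasvar keeps one (tdb_compalgxform), clearing it here with `sav->tdb_compalgxform = NULL;` would make the three routines consistent. This is pre-existing rather than introduced by the rename, so it could be a follow-up. The function is wholly within the hunk.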
@@ -739,7 +738,7 @@ static struct xformsw ipcomp_xformsw = {
.xf_type = XF_IPCOMP,
.xf_name = "IPcomp",
.xf_init = ipcomp_init,
- .xf_zeroize = ipcomp_zeroize,
+ .xf_cleanup = ipcomp_cleanup,
.xf_input = ipcomp_input,
.xf_output = ipcomp_output,
};
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 61f9aaee46e2..54681f7df5d2 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -361,19 +361,16 @@ tcpsignature_init(struct secasvar *sav, struct xformsw *xsp)
/*
* Called when the SA is deleted.
*/
-static int
-tcpsignature_zeroize(struct secasvar *sav)
+static void
+tcpsignature_cleanup(struct secasvar *sav)
{
-
- sav->tdb_xform = NULL;
- return (0);
}
static struct xformsw tcpsignature_xformsw = {
.xf_type = XF_TCPSIGNATURE,
.xf_name = "TCP-MD5",
.xf_init = tcpsignature_init,
- .xf_zeroize = tcpsignature_zeroize,
+ .xf_cleanup = tcpsignature_cleanup,
};
static const struct tcpmd5_methods tcpmd5_methods = {
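Review bot: tcpsignature_cleanup now has an empty body with no explanation, so a reader cannot tell whether nothing needs releasing or something was forgotten. Since key_cleansav invokes `xf_cleanup` through the pointer without a NULL check, the stub has to stay; a body comment such as `/* Nothing to release: this transform presumably keeps no crypto session — see tcpsignature_init. */` would record that. tcpsignature_init lies outside the hunk.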