Commit 668dc8af authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller

[IPSEC]: Move integrity stat collection into xfrm_input

Similar to the moving out of the replay processing on the output, this
patch moves the integrity stat collectin from x->type->input into
xfrm_input.

This would eventually allow transforms such as AH/ESP to be lockless.

The error value EBADMSG (currently unused in the crypto layer) is used
to indicate a failed integrity check.  In future this error can be
directly returned by the crypto layer once we switch to aead
algorithms.
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b2aa5e9d
......@@ -177,9 +177,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err)
goto out;
err = -EINVAL;
if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
x->stats.integrity_failed++;
err = -EBADMSG;
goto out;
}
}
......
......@@ -163,7 +163,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
u8 nexthdr[2];
struct scatterlist *sg;
int padlen;
int err;
int err = -EINVAL;
if (!pskb_may_pull(skb, sizeof(*esph)))
goto out;
......@@ -183,13 +183,14 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
BUG();
if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
x->stats.integrity_failed++;
err = -EBADMSG;
goto out;
}
}
if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0)
if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
goto out;
nfrags = err;
skb->ip_summed = CHECKSUM_NONE;
......@@ -202,6 +203,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
sg = &esp->sgbuf[0];
if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
err = -ENOMEM;
sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
if (!sg)
goto out;
......@@ -214,11 +216,12 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
if (unlikely(sg != &esp->sgbuf[0]))
kfree(sg);
if (unlikely(err))
return err;
goto out;
if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
BUG();
err = -EINVAL;
padlen = nexthdr[0];
if (padlen+2 >= elen)
goto out;
......@@ -276,7 +279,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
return nexthdr[1];
out:
return -EINVAL;
return err;
}
static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
......
......@@ -379,10 +379,9 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err)
goto free_out;
err = -EINVAL;
if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n");
x->stats.integrity_failed++;
err = -EBADMSG;
goto free_out;
}
}
......
......@@ -177,8 +177,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
BUG();
if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
x->stats.integrity_failed++;
ret = -EINVAL;
ret = -EBADMSG;
goto out;
}
}
......
......@@ -147,8 +147,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
goto drop_unlock;
nexthdr = x->type->input(x, skb);
if (nexthdr <= 0)
if (nexthdr <= 0) {
if (nexthdr == -EBADMSG)
x->stats.integrity_failed++;
goto drop_unlock;
}
skb_network_header(skb)[nhoff] = nexthdr;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment