Received: with ECARTIS (v1.0.0; list netdev); Thu, 30 Dec 2004 00:47:49 -0800 (PST) Received: from smtp.knology.net (smtp.knology.net [24.214.63.101]) by oss.sgi.com (8.13.0/8.13.0) with SMTP id iBU8kNOO024568 for ; Thu, 30 Dec 2004 00:46:44 -0800 Received: (qmail 19776 invoked by uid 0); 30 Dec 2004 08:53:06 -0000 Received: from user-69-1-45-93.knology.net (HELO ori.thedillows.org) (69.1.45.93) by smtp8.knology.net with SMTP; 30 Dec 2004 08:53:06 -0000 Received: from ori.thedillows.org (localhost [127.0.0.1]) by ori.thedillows.org (8.13.1/8.13.1) with ESMTP id iBU8ma1w009799; Thu, 30 Dec 2004 03:48:36 -0500 Received: (from root@localhost) by ori.thedillows.org (8.13.1/8.13.1/Submit) id iBU8ma3u009798; Thu, 30 Dec 2004 03:48:36 -0500 Date: Thu, 30 Dec 2004 03:48:36 -0500 To: netdev@oss.sgi.com Cc: linux-kernel@vger.kernel.org, dave@thedillows.org From: David Dillow Subject: [RFC 2.6.10 11/22] AH, ESP: Add offloading of inbound packets Message-Id: <20041230035000.20@ori.thedillows.org> References: <20041230035000.19@ori.thedillows.org> X-Virus-Scanned: ClamAV 0.80/638/Tue Dec 21 14:41:34 2004 clamav-milter version 0.80j on 127.0.0.1 X-Virus-Status: Clean X-archive-position: 13210 X-ecartis-version: Ecartis v1.0.0 Sender: netdev-bounce@oss.sgi.com Errors-to: netdev-bounce@oss.sgi.com X-original-sender: dave@thedillows.org Precedence: bulk X-list: netdev # This is a BitKeeper generated diff -Nru style patch. # # ChangeSet # 2004/12/30 00:47:54-05:00 dave@thedillows.org # Add crypto offload for inbound IPv4 AH xfrms. # # Signed-off-by: David Dillow # # net/ipv4/esp4.c # 2004/12/30 00:47:36-05:00 dave@thedillows.org +30 -16 # Add crypto offload for inbound IPv4 AH xfrms. # # Signed-off-by: David Dillow # # net/ipv4/ah4.c # 2004/12/30 00:47:36-05:00 dave@thedillows.org +13 -4 # Add crypto offload for inbound IPv4 AH xfrms. # # Signed-off-by: David Dillow # diff -Nru a/net/ipv4/ah4.c b/net/ipv4/ah4.c --- a/net/ipv4/ah4.c 2004-12-30 01:10:02 -05:00 +++ b/net/ipv4/ah4.c 2004-12-30 01:10:02 -05:00 @@ -138,6 +138,7 @@ struct iphdr *iph; struct ip_auth_hdr *ah; struct ah_data *ahp; + int offload; char work_buf[60]; if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr))) @@ -164,6 +165,7 @@ ah = (struct ip_auth_hdr*)skb->data; iph = skb->nh.iph; + offload = skb_pop_xfrm_result(skb); memcpy(work_buf, iph, iph->ihl*4); @@ -181,10 +183,17 @@ memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len); skb_push(skb, skb->data - skb->nh.raw); - ahp->icv(ahp, skb, ah->auth_data); - if (memcmp(ah->auth_data, auth_data, ahp->icv_trunc_len)) { - x->stats.integrity_failed++; - goto out; + if (offload & XFRM_OFFLOAD_AUTH) { + if (unlikely(offload & XFRM_OFFLOAD_AUTH_FAIL)) { + x->stats.integrity_failed++; + goto out; + } + } else { + ahp->icv(ahp, skb, ah->auth_data); + if (memcmp(ah->auth_data, auth_data, ahp->icv_trunc_len)) { + x->stats.integrity_failed++; + goto out; + } } } ((struct iphdr*)work_buf)->protocol = ah->nexthdr; diff -Nru a/net/ipv4/esp4.c b/net/ipv4/esp4.c --- a/net/ipv4/esp4.c 2004-12-30 01:10:02 -05:00 +++ b/net/ipv4/esp4.c 2004-12-30 01:10:02 -05:00 @@ -164,6 +164,7 @@ int elen = skb->len - sizeof(struct ip_esp_hdr) - esp->conf.ivlen - alen; int nfrags; int encap_len = 0; + int offload; if (!pskb_may_pull(skb, sizeof(struct ip_esp_hdr))) goto out; @@ -171,22 +172,32 @@ if (elen <= 0 || (elen & (blksize-1))) goto out; + offload = skb_pop_xfrm_result(skb); + /* If integrity check is required, do this. */ if (esp->auth.icv_full_len) { - u8 sum[esp->auth.icv_full_len]; - u8 sum1[alen]; + if (unlikely(offload & XFRM_OFFLOAD_AUTH_FAIL)) { + x->stats.integrity_failed++; + goto out; + } + + if (!(offload & XFRM_OFFLOAD_AUTH)) { + u8 sum[esp->auth.icv_full_len]; + u8 sum1[alen]; - esp->auth.icv(esp, skb, 0, skb->len-alen, sum); + esp->auth.icv(esp, skb, 0, skb->len-alen, sum); - if (skb_copy_bits(skb, skb->len-alen, sum1, alen)) - BUG(); + if (skb_copy_bits(skb, skb->len-alen, sum1, alen)) + BUG(); - if (unlikely(memcmp(sum, sum1, alen))) { - x->stats.integrity_failed++; - goto out; + if (unlikely(memcmp(sum, sum1, alen))) { + x->stats.integrity_failed++; + goto out; + } } } + /* XXX I think this can be moved to the !offload case */ if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) goto out; @@ -195,15 +206,12 @@ esph = (struct ip_esp_hdr*)skb->data; iph = skb->nh.iph; - /* Get ivec. This can be wrong, check against another impls. */ - if (esp->conf.ivlen) - crypto_cipher_set_iv(esp->conf.tfm, esph->enc_data, crypto_tfm_alg_ivsize(esp->conf.tfm)); - - { - u8 nexthdr[2]; + if (!(offload & XFRM_OFFLOAD_CONF)) { struct scatterlist *sg = &esp->sgbuf[0]; - u8 workbuf[60]; - int padlen; + + /* Get ivec. This can be wrong, check against another impls. */ + if (esp->conf.ivlen) + crypto_cipher_set_iv(esp->conf.tfm, esph->enc_data, crypto_tfm_alg_ivsize(esp->conf.tfm)); if (unlikely(nfrags > ESP_NUM_FAST_SG)) { sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); @@ -214,6 +222,12 @@ crypto_cipher_decrypt(esp->conf.tfm, sg, sg, elen); if (unlikely(sg != &esp->sgbuf[0])) kfree(sg); + } + + { + u8 nexthdr[2]; + u8 workbuf[60]; + int padlen; if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2)) BUG();