[IPSEC]: Move output replay code into xfrm_output
The replay counter is one of only two remaining things in the output code
that requires a lock on the xfrm state (the other being the crypto). This
patch moves it into the generic xfrm_output so we can remove the lock from
the transforms themselves.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index dc1d8e8..58af298 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -96,8 +96,7 @@
ah->reserved = 0;
ah->spi = x->id.spi;
- ah->seq_no = htonl(++x->replay.oseq);
- xfrm_aevent_doreplay(x);
+ ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err)
goto error;
@@ -297,6 +296,7 @@
.description = "AH4",
.owner = THIS_MODULE,
.proto = IPPROTO_AH,
+ .flags = XFRM_TYPE_REPLAY_PROT,
.init_state = ah_init_state,
.destructor = ah_destroy,
.input = ah_input,
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index d233e2e..0f62af9 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -95,8 +95,7 @@
top_iph->protocol = IPPROTO_ESP;
esph->spi = x->id.spi;
- esph->seq_no = htonl(++x->replay.oseq);
- xfrm_aevent_doreplay(x);
+ esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
if (esp->conf.ivlen) {
if (unlikely(!esp->conf.ivinitted)) {
@@ -437,6 +436,7 @@
.description = "ESP4",
.owner = THIS_MODULE,
.proto = IPPROTO_ESP,
+ .flags = XFRM_TYPE_REPLAY_PROT,
.init_state = esp_init_state,
.destructor = esp_destroy,
.get_mtu = esp4_get_mtu,
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 69a2030..ae68a90 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -283,8 +283,7 @@
ah->reserved = 0;
ah->spi = x->id.spi;
- ah->seq_no = htonl(++x->replay.oseq);
- xfrm_aevent_doreplay(x);
+ ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err)
goto error_free_iph;
@@ -506,6 +505,7 @@
.description = "AH6",
.owner = THIS_MODULE,
.proto = IPPROTO_AH,
+ .flags = XFRM_TYPE_REPLAY_PROT,
.init_state = ah6_init_state,
.destructor = ah6_destroy,
.input = ah6_input,
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 7728106..0c5fb81 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -95,8 +95,7 @@
*skb_network_header(skb) = IPPROTO_ESP;
esph->spi = x->id.spi;
- esph->seq_no = htonl(++x->replay.oseq);
- xfrm_aevent_doreplay(x);
+ esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
if (esp->conf.ivlen) {
if (unlikely(!esp->conf.ivinitted)) {
@@ -373,6 +372,7 @@
.description = "ESP6",
.owner = THIS_MODULE,
.proto = IPPROTO_ESP,
+ .flags = XFRM_TYPE_REPLAY_PROT,
.init_state = esp6_init_state,
.destructor = esp6_destroy,
.get_mtu = esp6_get_mtu,
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 5b1c978..20e789d 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -58,6 +58,11 @@
if (err)
goto error;
+ if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+ XFRM_SKB_CB(skb)->seq = ++x->replay.oseq;
+ xfrm_aevent_doreplay(x);
+ }
+
err = x->mode->output(x, skb);
if (err)
goto error;