From: "Andrey V. Elsukov"
Date: Sun, 20 Nov 2016 09:04:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308875 - projects/ipsec/sys/netinet

Author: ae
Date: Sun Nov 20 09:04:16 2016
New Revision: 308875
URL: https://svnweb.freebsd.org/changeset/base/308875

Log:
  Add ip_ipsec_forward() function and call it from ip_forward().

  This function is intended to check inbound and outbound security
  policies for forwarded packet. If inbound policy doesn't discard packet,
  then we check outbound policy. Since we act as router, we can apply only
  tunnel mode IPsec to forwarded traffic (with transport mode we will not
  receive responses from partner). So, if matched outbound policy has
  tunnel mode transform, we can handle packet with IPsec. And this packet
  will be consumed by ipsec4_process_packet().

  In ip_forward() do IPsec handling after TTL decrementing. If mbuf will be
  consumed by IPsec, it will be encapsulated, thus its TTL value should be
  decremented before (RFC1853). Also by the same reason we need to make
  mbuf's copy before decrementing TTL and doing IPsec checks.

  Also add IPSEC_FORWARD() and IPSEC_INPUT() wrapper macros.

Modified:
  projects/ipsec/sys/netinet/ip_input.c
  projects/ipsec/sys/netinet/ip_ipsec.c
  projects/ipsec/sys/netinet/ip_ipsec.h

Modified: projects/ipsec/sys/netinet/ip_input.c ============================================================================== --- projects/ipsec/sys/netinet/ip_input.c Sun Nov 20 06:11:30 2016 (r308874) +++ projects/ipsec/sys/netinet/ip_input.c Sun Nov 20 09:04:16 2016 (r308875)
@@ -79,8 +79,6 @@ __FBSDID("$FreeBSD$"); #include #ifdef IPSEC #include -#include -#include #endif /* IPSEC */ #include @@ -797,7 +795,7 @@ ours: * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if (ip_ipsec_input(m, ip->ip_p) != 0) + if (IPSEC_INPUT(ipv4, m, ip->ip_p) != 0) goto bad; #endif /* IPSEC */ @@ -940,24 +938,14 @@ ip_forward(struct mbuf *m, int srcrt) m_freem(m); return; } -#ifdef IPSEC - if (ip_ipsec_fwd(m) != 0) { - IPSTAT_INC(ips_cantforward); - m_freem(m); - return; - } -#endif /* IPSEC */ + if ( #ifdef IPSTEALTH - if (!V_ipstealth) { + V_ipstealth == 0 && #endif - if (ip->ip_ttl <= IPTTLDEC) { - icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, - 0, 0); - return; - } -#ifdef IPSTEALTH + ip->ip_ttl <= IPTTLDEC) { + icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, 0); + return; } -#endif bzero(&ro, sizeof(ro)); sin = (struct sockaddr_in *)&ro.ro_dst; @@ -976,19 +964,6 @@ ip_forward(struct mbuf *m, int srcrt) ifa_ref(&ia->ia_ifa); } else ia = NULL; -#ifndef IPSEC - /* - * 'ia' may be NULL if there is no route for this destination. - * In case of IPsec, Don't discard it just yet, but pass it to - * ip_output in case of outgoing IPsec policy. - */ - if (!srcrt && ia == NULL) { - icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); - RO_RTFREE(&ro); - return; - } -#endif - /* * Save the IP header and at most 8 bytes of the payload, * in case we need to generate an ICMP message to the src. 
@@ -1021,15 +996,26 @@ ip_forward(struct mbuf *m, int srcrt) mcopy->m_pkthdr.len = mcopy->m_len; m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t)); } - #ifdef IPSTEALTH - if (!V_ipstealth) { + if (V_ipstealth == 0) #endif ip->ip_ttl -= IPTTLDEC; -#ifdef IPSTEALTH +#ifdef IPSEC + if (IPSEC_FORWARD(ipv4, m, &error) != 0) { /* mbuf consumed by IPsec */ + m_freem(mcopy); + return; } -#endif - + /* + * mbuf wasn't consumed by IPsec, check error code. + */ + if (error != 0) { + IPSTAT_INC(ips_cantforward); + m_freem(m); + m_freem(mcopy); + return; + } + /* No IPsec processing required */ +#endif /* IPSEC */ /* * If forwarding packet using same interface that it came in on, * perhaps should send a redirect to sender to shortcut a hop. @@ -1107,14 +1093,6 @@ ip_forward(struct mbuf *m, int srcrt) case EMSGSIZE: type = ICMP_UNREACH; code = ICMP_UNREACH_NEEDFRAG; - -#ifdef IPSEC - /* - * If IPsec is configured for this path, - * override any possibly mtu value set by ip_output. - */ - mtu = ip_ipsec_mtu(mcopy, mtu); -#endif /* IPSEC */ /* * If the MTU was set before make sure we are below the * interface MTU. Modified: projects/ipsec/sys/netinet/ip_ipsec.c ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.c Sun Nov 20 06:11:30 2016 (r308874) +++ projects/ipsec/sys/netinet/ip_ipsec.c Sun Nov 20 09:04:16 2016 (r308875) @@ -95,19 +95,6 @@ ip_ipsec_filtertunnel(struct mbuf *m) } /* - * Check if this packet has an active SA and needs to be dropped instead - * of forwarded. - * Called from ip_forward(). - * 1 = drop packet, 0 = forward packet. - */ -int -ip_ipsec_fwd(struct mbuf *m) -{ - - return (ipsec4_in_reject(m, NULL)); -} - -/* * Check if protocol type doesn't have a further header and do IPSEC * decryption or reject right now. Protocols with further headers get * their IPSEC treatment within the protocol specific processing. 
@@ -220,3 +207,80 @@ ip_ipsec_output(struct mbuf *m, struct i } return (0); } + +/* + * Called from ip_forward(). + * 1 = drop packet, 0 = forward packet. + */ +int +ip_ipsec_forward(struct mbuf *m, int *error) +{ + struct secpolicy *sp; + int idx; + + /* + * Check if this packet has an active inbound SP and needs to be + * dropped instead of forwarded. + */ + if (ipsec4_in_reject(m, NULL) != 0) { + *error = EACCES; + return (0); + } + /* + * Now check outbound SP. + */ + sp = ipsec4_checkpolicy(m, NULL, error); + /* + * There are four return cases: + * sp != NULL apply IPsec policy + * sp == NULL, error == 0 no IPsec handling needed + * sp == NULL, error == -EINVAL discard packet w/o error + * sp == NULL, error != 0 discard packet, report error + */ + if (sp != NULL) { + /* + * We have SP with IPsec transform, but we should check that + * it has tunnel mode request, because we can't use transport + * mode when forwarding. + */ + for (idx = 0; idx < sp->tcount; idx++) { + if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL) + break; + } + if (idx == sp->tcount) { + *error = EACCES; + IPSECSTAT_INC(ips_out_inval); + key_freesp(&sp); + return (0); + } + /* NB: callee frees mbuf and releases reference to SP */ + *error = ipsec4_process_packet(m, sp, NULL); + if (*error == EJUSTRETURN) { + /* + * We had a SP with a level of 'use' and no SA. We + * will just continue to process the packet without + * IPsec processing and return without error. + */ + *error = 0; + return (0); + } + return (1); /* mbuf consumed by IPsec */ + } else { /* sp == NULL */ + if (*error != 0) { + /* + * Hack: -EINVAL is used to signal that a packet + * should be silently discarded. This is typically + * because we asked key management for an SA and + * it was delayed (e.g. kicked up to IKE). + */ + if (*error == -EINVAL) + *error = 0; + m_freem(m); + return (1); + } + /* No IPsec processing for this packet. 
*/ + } + return (0); +} + + Modified: projects/ipsec/sys/netinet/ip_ipsec.h ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.h Sun Nov 20 06:11:30 2016 (r308874) +++ projects/ipsec/sys/netinet/ip_ipsec.h Sun Nov 20 09:04:16 2016 (r308875) @@ -32,11 +32,13 @@ #ifndef _NETINET_IP_IPSEC_H_ #define _NETINET_IP_IPSEC_H_ +#define IPSEC_INPUT(sc, m, arg) ip_ipsec_input((m), (arg)) +#define IPSEC_FORWARD(sc, m, perr) ip_ipsec_forward((m), (perr)) #define IPSEC_OUTPUT(sc, m, inp, perr) ip_ipsec_output((m), (inp), (perr)) int ip_ipsec_filtertunnel(struct mbuf *); -int ip_ipsec_fwd(struct mbuf *); int ip_ipsec_input(struct mbuf *, int); int ip_ipsec_mtu(struct mbuf *, int); +int ip_ipsec_forward(struct mbuf *, int *); int ip_ipsec_output(struct mbuf *, struct inpcb *, int *); #endif
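
Review bot: in ip_forward(), hunk @@ -1021,15 +996,26 @@, both new early returns (the one after `IPSEC_FORWARD(ipv4, m, &error) != 0` and the one after `error != 0`) free only m and mcopy, although earlier in the function `ifa_ref(&ia->ia_ifa)` has taken an address reference and the removed no-route branch called `RO_RTFREE(&ro)` before returning. Unless ro and ia are released in lines that are not shown between these hunks, the two new return paths need the same cleanup, otherwise every forwarded packet that IPsec consumes or rejects leaks a route and an ifaddr reference.
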
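
Review bot: in ip_forward(), hunk @@ -976,19 +964,6 @@, the deleted block sat under `#ifndef IPSEC`, so it is the kernels built without IPsec that lose the `!srcrt && ia == NULL` check and its ICMP_UNREACH_HOST reply. The commit log does not mention this. If the intent is that ip_output() now reports the missing route, say so in the log and confirm that the error switch further down still turns that error into ICMP_UNREACH_HOST; otherwise keep the check for the non-IPSEC build.
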
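
Review bot: the header comment on ip_ipsec_forward() in ip_ipsec.c ("1 = drop packet, 0 = forward packet") was carried over from ip_ipsec_fwd() and does not match the new code. The function returns 1 when the mbuf has been consumed and 0 otherwise, with the verdict in *error: it returns 0 with *error = EACCES both on inbound reject and when no tunnel mode request is found. Please document that contract, including that *error is valid on every `return (0)` path; today that depends on ipsec4_checkpolicy() always storing to *error, so setting *error = 0 at entry would make it explicit. The comment "NB: callee frees mbuf and releases reference to SP" also needs a qualifier, because the EJUSTRETURN branch returns 0 and ip_forward() then keeps using m.
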
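
Review bot: in ip_forward(), hunk @@ -1107,14 +1093,6 @@, the `mtu = ip_ipsec_mtu(mcopy, mtu)` adjustment in the EMSGSIZE case is removed without a word in the log, while ip_ipsec.h still declares ip_ipsec_mtu(). Explain in the log why the ICMP_UNREACH_NEEDFRAG reply no longer needs the IPsec-aware MTU, and drop the prototype if no caller is left. The new IPSEC_INPUT() and IPSEC_FORWARD() macros also take an `sc` argument that the expansion ignores; a one-line comment on what it is reserved for would help.
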
From: "Andrey V. Elsukov"
Date: Sun, 20 Nov 2016 10:23:05 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308878 - projects/ipsec/sys/netipsec

Author: ae
Date: Sun Nov 20 10:23:05 2016
New Revision: 308878
URL: https://svnweb.freebsd.org/changeset/base/308878

Log:
  Add hash table for lookup security policy by SP id.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Sun Nov 20 10:01:21 2016 (r308877) +++ projects/ipsec/sys/netipsec/key.c Sun Nov 20 10:23:05 2016 (r308878) @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include @@ -93,7 +94,6 @@ #endif #include - #include /* randomness */ @@ -141,8 +141,10 @@ static VNET_DEFINE(int, key_preferred_ol static VNET_DEFINE(u_int32_t, acq_seq) = 0; #define V_acq_seq VNET(acq_seq) - /* SPD */ -static VNET_DEFINE(TAILQ_HEAD(_sptree, secpolicy), sptree[IPSEC_DIR_MAX]); +/* SPD */ +TAILQ_HEAD(secpolicy_queue, secpolicy); +LIST_HEAD(secpolicy_list, secpolicy); +static VNET_DEFINE(struct secpolicy_queue, sptree[IPSEC_DIR_MAX]); static struct rmlock sptree_lock; #define V_sptree VNET(sptree) #define SPTREE_LOCK_INIT() rm_init(&sptree_lock, "sptree")
@@ -156,6 +158,17 @@ static struct rmlock sptree_lock; #define SPTREE_WLOCK_ASSERT() rm_assert(&sptree_lock, RA_WLOCKED) #define SPTREE_UNLOCK_ASSERT() rm_assert(&sptree_lock, RA_UNLOCKED) +/* Hash table for lookup SP using unique id */ +static VNET_DEFINE(struct secpolicy_list *, sphashtbl); +static VNET_DEFINE(u_long, sphash_mask); +#define V_sphashtbl VNET(sphashtbl) +#define V_sphash_mask VNET(sphash_mask) + +#define SPHASH_NHASH_LOG2 7 +#define SPHASH_NHASH (1 << SPHASH_NHASH_LOG2) +#define SPHASH_HASHVAL(id) (key_u32hash(id) & V_sphash_mask) +#define SPHASH_HASH(id) &V_sphashtbl[SPHASH_HASHVAL(id)] + static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree); /* SAD */ #define V_sahtree VNET(sahtree) static struct mtx sahtree_lock; @@ -167,6 +180,13 @@ static struct mtx sahtree_lock; #define SAHTREE_UNLOCK() mtx_unlock(&sahtree_lock) #define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED) +static uint32_t +key_u32hash(uint32_t val) +{ + + return (fnv_32_buf(&val, sizeof(val), FNV1_32_INIT)); +} + /* registed list */ static VNET_DEFINE(LIST_HEAD(_regtree, secreg), regtree[SADB_SATYPE_MAX + 1]); #define V_regtree VNET(regtree) @@ -7676,6 +7696,7 @@ key_init(void) TAILQ_INIT(&V_sptree[i]); LIST_INIT(&V_sahtree); + V_sphashtbl = hashinit(SPHASH_NHASH, M_IPSEC_SP, &V_sphash_mask); for (i = 0; i <= SADB_SATYPE_MAX; i++) LIST_INIT(&V_regtree[i]); @@ -7708,7 +7729,7 @@ key_init(void) void key_destroy(void) { - TAILQ_HEAD(, secpolicy) drainq; + struct secpolicy_queue drainq; struct secpolicy *sp, *nextsp; struct secacq *acq, *nextacq; struct secspacq *spacq, *nextspacq; 
@@ -7739,6 +7760,8 @@ key_destroy(void) } SAHTREE_UNLOCK(); + hashdestroy(V_sphashtbl, M_IPSEC_SP, V_sphash_mask); + REGTREE_LOCK(); for (i = 0; i <= SADB_SATYPE_MAX; i++) { LIST_FOREACH(reg, &V_regtree[i], chain) {
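
Review bot: in key.c, hunk @@ -156,6 +158,17 @@, `SPHASH_HASH(id)` expands to an unparenthesized `&V_sphashtbl[SPHASH_HASHVAL(id)]`; wrap the expansion in parentheses so it is safe inside any larger expression. The block comment should also say which lock protects V_sphashtbl (presumably sptree_lock, since the table sits in the SPD block) and why a fixed 128 buckets (SPHASH_NHASH_LOG2 7) is enough for the number of policies expected.
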
From: "Andrey V. Elsukov"
Date: Sun, 20 Nov 2016 10:54:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308879 - projects/ipsec/sys/netipsec

Author: ae
Date: Sun Nov 20 10:54:18 2016
New Revision: 308879
URL: https://svnweb.freebsd.org/changeset/base/308879

Log:
  Add SPDB generation id 'sp_genid' variable and key_getspgen() function
  to read its value. This variable is incremented when security policy is
  added or deleted from SPDB.

  Modify key_insertsp(), key_unlink() and key_spdflush() to modify
  generation id.

  Change condition in key_unlink(). Now we have many different SP states,
  but only SPs with IPSEC_SPSTATE_ALIVE state are linked into the SPDB.
  If SP has different state, do not try to unlink it. Also remove SP from
  idhash when it becomes unlinked.

  Change key_insertsp(), now it should be called with acquired SPTREE_LOCK.
  Also add new SP into idhash when it is linked into SPDB.

  In key_spdflush() remove all flushed SPs from idhash.

Modified:
  projects/ipsec/sys/netipsec/key.c
  projects/ipsec/sys/netipsec/key.h

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Sun Nov 20 10:23:05 2016 (r308878) +++ projects/ipsec/sys/netipsec/key.c Sun Nov 20 10:54:18 2016 (r308879)
@@ -141,6 +141,9 @@ static VNET_DEFINE(int, key_preferred_ol static VNET_DEFINE(u_int32_t, acq_seq) = 0; #define V_acq_seq VNET(acq_seq) +static VNET_DEFINE(uint32_t, sp_genid) = 0; +#define V_sp_genid VNET(sp_genid) + /* SPD */ TAILQ_HEAD(secpolicy_queue, secpolicy); LIST_HEAD(secpolicy_list, secpolicy); @@ -626,6 +629,16 @@ key_havesp(u_int dir) /* %%% IPsec policy management */ /* + * Return current SPDB generation. + */ +uint32_t +key_getspgen(void) +{ + + return (V_sp_genid); +} + +/* * allocating a SP for OUTBOUND or INBOUND packet. * Must call key_freesp() later. * OUT: NULL: not found @@ -1271,21 +1284,25 @@ static void key_unlink(struct secpolicy *sp) { - IPSEC_ASSERT(sp != NULL, ("null sp")); IPSEC_ASSERT(sp->spidx.dir == IPSEC_DIR_INBOUND || sp->spidx.dir == IPSEC_DIR_OUTBOUND, ("invalid direction %u", sp->spidx.dir)); SPTREE_UNLOCK_ASSERT(); + KEYDBG(KEY_STAMP, + printf("%s: SP(%p)\n", __func__, sp)); SPTREE_WLOCK(); - if (sp->state == IPSEC_SPSTATE_DEAD) { + if (sp->state != IPSEC_SPSTATE_ALIVE) { + /* SP is already unlinked */ SPTREE_WUNLOCK(); return; } sp->state = IPSEC_SPSTATE_DEAD; TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain); + LIST_REMOVE(sp, idhash); + V_sp_genid++; SPTREE_WUNLOCK(); - KEY_FREESP(&sp); + key_freesp(&sp); } /* @@ -1296,7 +1313,7 @@ key_insertsp(struct secpolicy *newsp) { struct secpolicy *sp; - SPTREE_WLOCK(); + SPTREE_WLOCK_ASSERT(); TAILQ_FOREACH(sp, &V_sptree[newsp->spidx.dir], chain) { if (newsp->priority < sp->priority) { TAILQ_INSERT_BEFORE(sp, newsp, chain); @@ -1307,8 +1324,9 @@ key_insertsp(struct secpolicy *newsp) TAILQ_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, chain); done: + LIST_INSERT_HEAD(SPHASH_HASH(newsp->id), newsp, idhash); newsp->state = IPSEC_SPSTATE_ALIVE; - SPTREE_WUNLOCK(); + V_sp_genid++; } /* 
@@ -2427,7 +2445,7 @@ key_spdacquire(struct secpolicy *sp) static int key_spdflush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { - TAILQ_HEAD(, secpolicy) drainq; + struct secpolicy_queue drainq; struct sadb_msg *newmsg; struct secpolicy *sp, *nextsp; u_int dir; @@ -2448,9 +2466,13 @@ key_spdflush(struct socket *so, struct m /* * We need to set state to DEAD for each policy to be sure, * that another thread won't try to unlink it. + * Also remove SP from sphash. */ - TAILQ_FOREACH(sp, &drainq, chain) + TAILQ_FOREACH(sp, &drainq, chain) { sp->state = IPSEC_SPSTATE_DEAD; + LIST_REMOVE(sp, idhash); + } + V_sp_genid++; SPTREE_WUNLOCK(); sp = TAILQ_FIRST(&drainq); while (sp != NULL) { Modified: projects/ipsec/sys/netipsec/key.h ============================================================================== --- projects/ipsec/sys/netipsec/key.h Sun Nov 20 10:23:05 2016 (r308878) +++ projects/ipsec/sys/netipsec/key.h Sun Nov 20 10:54:18 2016 (r308879) 
@@ -46,6 +46,8 @@ struct sadb_x_policy; struct secasindex; union sockaddr_union; +uint32_t key_getspgen(void); + extern void key_addref(struct secpolicy *sp); extern int key_havesp(u_int dir); extern struct secpolicy *key_allocsp(struct secpolicyindex *, u_int,
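
Review bot: key_insertsp(), hunks @@ -1296,7 +1313,7 @@ and @@ -1307,8 +1324,9 @@, now asserts SPTREE_WLOCK instead of taking it, but no caller is updated in this diff. Every existing caller relied on the function doing its own locking, so each one has to acquire SPTREE_WLOCK() around the call, and the function comment should state the new requirement.
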
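
Review bot: in key_unlink(), hunk @@ -1271,21 +1284,25 @@, the `sp != NULL` assertion is dropped while the assertion right after it still dereferences sp->spidx.dir; keep it or say why it is no longer wanted. For the idhash bookkeeping, key_unlink() and key_spdflush() now call LIST_REMOVE(sp, idhash), but key_destroy() is not touched here, so check that its drain loop also unhooks idhash before the hashdestroy() call added in r308878 runs over the table.
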
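
Review bot: key_getspgen(), hunk @@ -626,6 +629,16 @@, reads V_sp_genid without any lock while every writer increments it under SPTREE_WLOCK. Add a comment stating that the lockless read is intentional and that callers may treat the value only as a change hint: a reader can see the old value just before an increment, and the 32-bit counter can wrap.
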
From: "Andrey V. Elsukov"
Date: Sun, 20 Nov 2016 11:12:42 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308880 - projects/ipsec/sys/netipsec

Author: ae
Date: Sun Nov 20 11:12:42 2016
New Revision: 308880
URL: https://svnweb.freebsd.org/changeset/base/308880

Log:
  Change locking used by key_flush_spd().

  First of all we acquire SPTREE_RLOCK() and check all security policies
  for expiration. If expired SP isn't found, just release the lock and
  return. When expired SP is found, we acquire extra reference for this SP
  and link it into drainq using special drainq LIST_ENTRY in struct
  secpolicy.

  When all expired SPs will be linked, we acquire SPTREE_WLOCK() and unlink
  all SPs from the SPDB and idhash. If SP has
  spstate != IPSEC_SPSTATE_ALIVE, we skip such SP, since it can be already
  unlinked (before we acquired wlock).

  Then we release SPTREE_WLOCK and call key_spdexpire() for each SP. Now we
  can release extra reference and last reference for each SP.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Sun Nov 20 10:54:18 2016 (r308879) +++ projects/ipsec/sys/netipsec/key.c Sun Nov 20 11:12:42 2016 (r308880)
@@ -4304,13 +4304,13 @@ static void key_flush_spd(time_t now) { SPTREE_RLOCK_TRACKER; - struct secpolicy *sp; + struct secpolicy_list drainq; + struct secpolicy *sp, *nextsp; u_int dir; - /* SPD */ + LIST_INIT(&drainq); + SPTREE_RLOCK(); for (dir = 0; dir < IPSEC_DIR_MAX; dir++) { -restart: - SPTREE_RLOCK(); TAILQ_FOREACH(sp, &V_sptree[dir], chain) { if (sp->lifetime == 0 && sp->validtime == 0) continue; 
@@ -4318,15 +4318,42 @@ restart: now - sp->created > sp->lifetime) || (sp->validtime && now - sp->lastused > sp->validtime)) { + /* Hold extra reference to send SPDEXPIRE */ SP_ADDREF(sp); - SPTREE_RUNLOCK(); - key_spdexpire(sp); - key_unlink(sp); - KEY_FREESP(&sp); - goto restart; + LIST_INSERT_HEAD(&drainq, sp, drainq); } } - SPTREE_RUNLOCK(); + } + SPTREE_RUNLOCK(); + if (LIST_EMPTY(&drainq)) + return; + + SPTREE_WLOCK(); + sp = LIST_FIRST(&drainq); + while (sp != NULL) { + nextsp = LIST_NEXT(sp, drainq); + /* Check that SP is still linked */ + if (sp->state != IPSEC_SPSTATE_ALIVE) { + LIST_REMOVE(sp, drainq); + key_freesp(&sp); /* release extra reference */ + sp = nextsp; + continue; + } + TAILQ_REMOVE(&V_sptree[sp->spidx.dir], sp, chain); + LIST_REMOVE(sp, idhash); + sp->state = IPSEC_SPSTATE_DEAD; + sp = nextsp; + } + V_sp_genid++; + SPTREE_WUNLOCK(); + + sp = LIST_FIRST(&drainq); + while (sp != NULL) { + nextsp = LIST_NEXT(sp, drainq); + key_spdexpire(sp); + key_freesp(&sp); /* release extra reference */ + key_freesp(&sp); /* release last reference */ + sp = nextsp; } }
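
Review bot: in key_flush_spd(), hunk @@ -4318,15 +4318,42 @@, `LIST_INSERT_HEAD(&drainq, sp, drainq)` writes the SP's drainq linkage while only SPTREE_RLOCK is held, which is safe only if nothing else can link the same SP through that field at the same time; state that assumption in a comment or assert it. Two smaller points in the same hunk: expiry is evaluated under the read lock and only sp->state is rechecked after SPTREE_WLOCK(), and `V_sp_genid++` runs even when every queued SP turned out to be unlinked already, so bump the generation only when at least one SP was actually removed.
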
From: "Andrey V. Elsukov"
Date: Sun, 20 Nov 2016 11:36:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308881 - projects/ipsec/sys/netipsec

Author: ae
Date: Sun Nov 20 11:36:54 2016
New Revision: 308881
URL: https://svnweb.freebsd.org/changeset/base/308881

Log:
  Add ipsec_getpcbpolicy(). It returns security policy associated with
  inpcb. This can be cached SP or policy, that was set by setsockopt()
  call from application.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c

Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:12:42 2016 (r308880) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:36:54 2016 (r308881)
@@ -283,6 +283,51 @@ key_allocsp_default(const char* where, i #define KEY_ALLOCSP_DEFAULT() \ key_allocsp_default(__FILE__, __LINE__) +static struct secpolicy * +ipsec_getpcbpolicy(struct inpcb *inp, u_int dir) +{ + struct secpolicy *sp; + int flags; + + if (inp == NULL || inp->inp_sp == NULL) + return (NULL); + + flags = inp->inp_sp->flags; + if (dir == IPSEC_DIR_OUTBOUND) { + sp = inp->inp_sp->sp_out; + flags &= INP_OUTBOUND_POLICY; + } else { + sp = inp->inp_sp->sp_in; + flags &= INP_INBOUND_POLICY; + } + /* + * Check flags. If we have PCB SP, just return it. + * Otherwise we need to check that cached SP entry isn't stale. + */ + if (flags == 0) { + if (sp == NULL) + return (NULL); + if (inp->inp_sp->genid != key_getspgen()) { + /* + * Invalidate the cache. + * Do not touch policy if it was set by PCB. + */ + if ((inp->inp_sp->flags & INP_INBOUND_POLICY) == 0) + inp->inp_sp->sp_in = NULL; + if ((inp->inp_sp->flags & INP_OUTBOUND_POLICY) == 0) + inp->inp_sp->sp_out = NULL; + return (NULL); + } + KEYDBG(IPSEC_STAMP, + printf("%s: PCB(%p): cache hit SP(%p)\n", + __func__, inp, sp)); + /* Return referenced cached policy */ + } + IPSEC_ASSERT(sp != NULL, ("null SP, but flags is 0x%04x", flags)); + key_addref(sp); + return (sp); +} + /* * For OUTBOUND packet having a socket. Searching SPD for packet, * and return a pointer to SP. 
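
Review bot: in ipsec_getpcbpolicy(), the stale-cache branch sets inp->inp_sp->sp_in and inp->inp_sp->sp_out to NULL without calling key_freesp() on them. The hit path takes a fresh reference with key_addref() for the caller, which suggests the cache owns a reference of its own, and that one is lost here; release it before clearing the pointers, or document that cached pointers are unreferenced and what then keeps the SP alive between the genid check and key_addref(). The function also writes to the PCB without asserting the inpcb lock, so an INP_WLOCK_ASSERT(inp) or a comment naming the required lock would help.
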
From: "Andrey V. Elsukov"
Date: Sun, 20 Nov 2016 11:57:35 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308882 - projects/ipsec/sys/netipsec

Author: ae
Date: Sun Nov 20 11:57:34 2016
New Revision: 308882
URL: https://svnweb.freebsd.org/changeset/base/308882

Log:
  Add ipsec4_getpolicy() function. It returns security policy that matches
  with given IPv4 packet. First of all it uses SP from inpcb. If there is
  no PCB, or PCB has not cached SP, it fills secpolicyindex using info from
  given mbuf. Then it does SP lookup using this secpolicyindex. And if SP
  is not found, it returns default security policy.

  Modify ipsec4_setspidx_ipaddr() to not return any values, since it never
  fails. Also move ipsec4_get_ulp() and ipsec4_setspidx_ipaddr() under
  #ifdef INET.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c

Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:36:54 2016 (r308881) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:57:34 2016 (r308882)
@@ -244,7 +244,8 @@ static int ipsec_in_reject(struct secpol static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *); static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int); static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int); -static int ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *); +static void ipsec4_setspidx_ipaddr(const struct mbuf *, + struct secpolicyindex *); #ifdef INET6 static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int); static int ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *); @@ -645,16 +646,17 @@ ipsec_setspidx(const struct mbuf *m, str } } +#ifdef INET static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx, int needport) { - u_int8_t nxt; + uint8_t nxt; int off; /* Sanity check. */ - IPSEC_ASSERT(m != NULL, ("null mbuf")); - IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short")); + IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip), + ("packet too short")); if (m->m_len >= sizeof (struct ip)) { const struct ip *ip = mtod(m, const struct ip *); @@ -718,10 +720,12 @@ done: done_proto: spidx->src.sin.sin_port = IPSEC_PORT_ANY; spidx->dst.sin.sin_port = IPSEC_PORT_ANY; + KEYDBG(IPSEC_DUMP, + printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL)); } /* Assumes that m is sane. */ -static int +static void ipsec4_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx) { static const struct sockaddr_in template = { 
@@ -748,10 +752,30 @@ ipsec4_setspidx_ipaddr(const struct mbuf spidx->prefs = sizeof(struct in_addr) << 3; spidx->prefd = sizeof(struct in_addr) << 3; +} - return (0); +static struct secpolicy * +ipsec4_getpolicy(const struct mbuf *m, struct inpcb *inp, u_int dir) +{ + struct secpolicyindex spidx; + struct secpolicy *sp; + + sp = ipsec_getpcbpolicy(inp, dir); + if (sp == NULL && key_havesp(dir)) { + /* Make an index to look for a policy. */ + ipsec4_setspidx_ipaddr(m, &spidx); + /* Fill ports in spidx if we have inpcb. */ + ipsec4_get_ulp(m, &spidx, inp != NULL); + spidx.dir = dir; + sp = key_allocsp(&spidx, dir); + } + if (sp == NULL) /* No SP found, use system default. */ + sp = key_allocsp_default(); + return (sp); } +#endif /* INET */ + #ifdef INET6 static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx, From owner-svn-src-projects@freebsd.org Sun Nov 20 12:18:11 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BF713C4CBFE for ; Sun, 20 Nov 2016 12:18:11 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 71AC6F22; Sun, 20 Nov 2016 12:18:11 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKCIAdX050673; Sun, 20 Nov 2016 12:18:10 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKCIAgC050672; Sun, 20 Nov 2016 12:18:10 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201218.uAKCIAgC050672@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
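Review bot: In ipsec4_getpolicy() (r308882, the @@ -748 hunk), spidx is a stack variable that reaches key_allocsp() with only the fields written by ipsec4_setspidx_ipaddr(), ipsec4_get_ulp() and the spidx.dir assignment initialized. If struct secpolicyindex has any other member that the lookup compares, it is read uninitialized, so either zero the structure before filling it or add a comment stating that these three writes cover every field key_allocsp() looks at. The function also calls ipsec_getpcbpolicy(inp, dir) on the path the log describes as "there is no PCB"; a comment (or an inp != NULL guard at the call site) should make clear that a NULL inp is accepted there, and a header comment should say whether the caller owns a reference on the returned SP.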
From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 12:18:10 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308883 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 12:18:11 -0000 Author: ae Date: Sun Nov 20 12:18:10 2016 New Revision: 308883 URL: https://svnweb.freebsd.org/changeset/base/308883 Log: Add address family independent function ipsec_checkpolicy(). It takes security policy as argument and returns policy decision: NULL and *error == 0 means "no IPsec processing required"; NULL and *error != -EINVAL means "packet should be discarded"; not NULL means "packet should be handled by IPsec". Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:57:34 2016 (r308882) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 12:18:10 2016 (r308883) 
@@ -285,6 +285,49 @@ key_allocsp_default(const char* where, i key_allocsp_default(__FILE__, __LINE__) static struct secpolicy * +ipsec_checkpolicy(struct secpolicy *sp, struct inpcb *inp, int *error) +{ + uint32_t genid; + + if (inp != NULL && + (inp->inp_sp->flags & INP_OUTBOUND_POLICY) == 0 && + inp->inp_sp->sp_out == NULL) { + /* + * Save found OUTBOUND policy into PCB SP cache. + */ + genid = key_getspgen(); + inp->inp_sp->sp_out = sp; + if (genid != inp->inp_sp->genid) { + /* Reset INBOUND cached policy if genid is changed */ + if ((inp->inp_sp->flags & INP_INBOUND_POLICY) == 0) + inp->inp_sp->sp_in = NULL; + inp->inp_sp->genid = genid; + } + KEYDBG(IPSEC_STAMP, + printf("%s: PCB(%p): cached SP(%p)\n", + __func__, inp, sp)); + } + switch (sp->policy) { + default: + printf("%s: invalid policy %u\n", __func__, sp->policy); + /* FALLTHROUGH */ + case IPSEC_POLICY_DISCARD: + *error = -EINVAL; /* Packet is discarded by caller. */ + /* FALLTHROUGH */ + case IPSEC_POLICY_BYPASS: + case IPSEC_POLICY_NONE: + key_freesp(&sp); + sp = NULL; /* NB: force NULL result. 
*/ + break; + case IPSEC_POLICY_IPSEC: + break; + } + KEYDBG(IPSEC_DUMP, + printf("%s: get SP(%p), error %d\n", __func__, sp, *error)); + return (sp); +} + +static struct secpolicy * ipsec_getpcbpolicy(struct inpcb *inp, u_int dir) { struct secpolicy *sp; From owner-svn-src-projects@freebsd.org Sun Nov 20 12:25:15 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AE056C49095 for ; Sun, 20 Nov 2016 12:25:15 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 611B9883; Sun, 20 Nov 2016 12:25:15 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKCPEto054838; Sun, 20 Nov 2016 12:25:14 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKCPE6D054837; Sun, 20 Nov 2016 12:25:14 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201225.uAKCPE6D054837@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
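Review bot: In ipsec_checkpolicy() (r308883), the PCB cache assignment inp->inp_sp->sp_out = sp takes no reference in the lines shown, and for DISCARD, BYPASS and NONE the same function then calls key_freesp(&sp), which leaves sp_out pointing at a policy whose reference has just been dropped. Take a separate reference for the cached pointer, and say in a comment who owns the reference held by sp_out and where it is released. Separately, the log gives "NULL and *error != -EINVAL" as the discard case while the code stores *error = -EINVAL for it; a comment above the function listing the three return cases would remove the ambiguity for callers.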
From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 12:25:14 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308884 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 12:25:15 -0000 Author: ae Date: Sun Nov 20 12:25:14 2016 New Revision: 308884 URL: https://svnweb.freebsd.org/changeset/base/308884 Log: Modify ipsec4_checkpolicy() to use ipsec4_getpolicy() and ipsec_checkpolicy(). Move it under #ifdef INET. Also count errors from ipsec_checkpolicy in corresponding IPSECSTAT counters. Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 12:18:10 2016 (r308883) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 12:25:14 2016 (r308884) 
@@ -546,49 +546,6 @@ ipsec_getpolicybyaddr(const struct mbuf return (sp); } -struct secpolicy * -ipsec4_checkpolicy(const struct mbuf *m, u_int dir, int *error, - struct inpcb *inp) -{ - struct secpolicy *sp; - - *error = 0; - if (inp == NULL) - sp = ipsec_getpolicybyaddr(m, dir, error); - else - sp = ipsec_getpolicybysock(m, dir, inp, error); - if (sp == NULL) { - IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error")); - IPSECSTAT_INC(ips_out_inval); - return (NULL); - } - IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error)); - switch (sp->policy) { - case IPSEC_POLICY_ENTRUST: - default: - printf("%s: invalid policy %u\n", __func__, sp->policy); - /* FALLTHROUGH */ - case IPSEC_POLICY_DISCARD: - IPSECSTAT_INC(ips_out_polvio); - *error = -EINVAL; /* Packet is discarded by caller. */ - break; - case IPSEC_POLICY_BYPASS: - case IPSEC_POLICY_NONE: - KEY_FREESP(&sp); - sp = NULL; /* NB: force NULL result. */ - break; - case IPSEC_POLICY_IPSEC: - if (sp->req == NULL) /* Acquire a SA. */ - *error = key_spdacquire(sp); - break; - } - if (*error != 0) { - KEY_FREESP(&sp); - sp = NULL; - } - return (sp); -} - static int ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp) { 
@@ -817,6 +774,36 @@ ipsec4_getpolicy(const struct mbuf *m, s return (sp); } +/* + * Check security policy for *OUTBOUND* IPv4 packet. + */ +struct secpolicy * +ipsec4_checkpolicy(const struct mbuf *m, struct inpcb *inp, int *error) +{ + struct secpolicy *sp; + + *error = 0; + sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_OUTBOUND); + if (sp != NULL) + sp = ipsec_checkpolicy(sp, inp, error); + if (sp == NULL) { + switch (*error) { + case 0: /* No IPsec required: BYPASS or NONE */ + break; + case -EINVAL: + IPSECSTAT_INC(ips_out_polvio); + break; + default: + IPSECSTAT_INC(ips_out_inval); + } + } + KEYDBG(IPSEC_STAMP, + printf("%s: using SP(%p), error %d\n", __func__, sp, *error)); + if (sp != NULL) + KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); + return (sp); +} + #endif /* INET */ #ifdef INET6 From owner-svn-src-projects@freebsd.org Sun Nov 20 13:04:04 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2F504C49F5B for ; Sun, 20 Nov 2016 13:04:04 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E66B96CB; Sun, 20 Nov 2016 13:04:03 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKD43HK072172; Sun, 20 Nov 2016 13:04:03 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKD42lb072170; Sun, 20 Nov 2016 13:04:02 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201304.uAKD42lb072170@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
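Review bot: The removed ipsec4_checkpolicy() (r308884, the @@ -546 hunk) called key_spdacquire(sp) when sp->req == NULL for IPSEC_POLICY_IPSEC and returned NULL when that set *error; neither the replacement nor ipsec_checkpolicy() from r308883 does this, and the log does not mention it. Please state in the log where SA acquisition now happens, or that it was dropped on purpose. The signature also changes from (m, dir, error, inp) to (m, inp, error) while this revision modifies only ipsec.c, so the prototype in ipsec.h stays out of step until r308885.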
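Review bot: In the new ipsec4_checkpolicy() (r308884, the @@ -817 hunk), a NULL return from ipsec4_getpolicy() skips ipsec_checkpolicy() with *error still 0 and falls into case 0, so a failed lookup is reported as "No IPsec required" and nothing is counted. The code being removed asserted *error != 0 for a NULL policy and incremented ips_out_inval. If ipsec4_getpolicy() can never return NULL, replace the if (sp != NULL) test with an assertion; otherwise set *error before the switch so the packet is not sent unprotected. The default: arm also looks unreachable, since ipsec_checkpolicy() as added in r308883 only ever stores -EINVAL.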
From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 13:04:02 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308885 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 13:04:04 -0000 Author: ae Date: Sun Nov 20 13:04:02 2016 New Revision: 308885 URL: https://svnweb.freebsd.org/changeset/base/308885 Log: Modify ipsec_in_reject() and add ipsec_check_history() function. Also add net.inet.ipsec.check_policy_history sysctl to enable strict policy checking using history from mbuf tags. In ipsec_in_reject() do cache security policy in PCB if possible. Reflect changes in struct ipsecrequest. Use ipsec_check_history() when this check is enabled. Use security policy and transform index to determine required transform level in ipsec_get_reqlevel(). Modified: projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/ipsec.h Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 12:25:14 2016 (r308884) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 13:04:02 2016 (r308885) 
@@ -176,6 +176,9 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEB SYSCTL_INT(_net_inet_ipsec, OID_AUTO, crypto_support, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(crypto_support), 0, "Crypto driver selection."); +SYSCTL_INT(_net_inet_ipsec, OID_AUTO, check_policy_history, + CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(check_policy_history), 0, + "Use strict check of inbound packets to security policy compliance"); SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat, ipsec4stat, "IPsec IPv4 statistics."); @@ -240,7 +243,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics."); #endif /* INET6 */ -static int ipsec_in_reject(struct secpolicy *, const struct mbuf *); +static int ipsec_in_reject(struct secpolicy *, struct inpcb *, + const struct mbuf *); static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *); static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int); static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int); 
@@ -1230,32 +1234,36 @@ ipsec_delete_pcbpolicy(struct inpcb *inp * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned. */ u_int -ipsec_get_reqlevel(struct ipsecrequest *isr) +ipsec_get_reqlevel(struct secpolicy *sp, u_int idx) { - u_int level = 0; + struct ipsecrequest *isr; u_int esp_trans_deflev, esp_net_deflev; u_int ah_trans_deflev, ah_net_deflev; + u_int level = 0; - IPSEC_ASSERT(isr != NULL && isr->sp != NULL, ("null argument")); - IPSEC_ASSERT(isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family, - ("af family mismatch, src %u, dst %u", - isr->sp->spidx.src.sa.sa_family, - isr->sp->spidx.dst.sa.sa_family)); - + IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx)); /* XXX Note that we have ipseclog() expanded here - code sync issue. */ #define IPSEC_CHECK_DEFAULT(lev) \ - (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ - && (lev) != IPSEC_LEVEL_UNIQUE) \ - ? (V_ipsec_debug \ - ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ - (lev), IPSEC_LEVEL_REQUIRE) \ - : 0), \ - (lev) = IPSEC_LEVEL_REQUIRE, \ - (lev) \ - : (lev)) + (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE && \ + (lev) != IPSEC_LEVEL_UNIQUE) \ + ? (V_ipsec_debug ? \ + log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ + (lev), IPSEC_LEVEL_REQUIRE) : 0), \ + (lev) = IPSEC_LEVEL_REQUIRE, (lev) : (lev)) + + /* + * IPsec VTI uses unique security policy with fake spidx filled + * with zeroes. Just return IPSEC_LEVEL_REQUIRE instead of doing + * full level lookup for such policies. + */ + if (sp->state == IPSEC_SPSTATE_IFNET) { + IPSEC_ASSERT(sp->req[idx]->level == IPSEC_LEVEL_UNIQUE, + ("Wrong IPsec request level %d", sp->req[idx]->level)); + return (IPSEC_LEVEL_REQUIRE); + } /* Set default level. */ - switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { + switch (sp->spidx.src.sa.sa_family) { #ifdef INET case AF_INET: esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_trans_deflev); 
@@ -1274,11 +1282,12 @@ ipsec_get_reqlevel(struct ipsecrequest * #endif /* INET6 */ default: panic("%s: unknown af %u", - __func__, isr->sp->spidx.src.sa.sa_family); + __func__, sp->spidx.src.sa.sa_family); } #undef IPSEC_CHECK_DEFAULT + isr = sp->req[idx]; /* Set level. */ switch (isr->level) { case IPSEC_LEVEL_DEFAULT: @@ -1323,6 +1332,45 @@ ipsec_get_reqlevel(struct ipsecrequest * return (level); } +static int +ipsec_check_history(const struct mbuf *m, struct secpolicy *sp, u_int idx) +{ + struct xform_history *xh; + struct m_tag *mtag; + + mtag = NULL; + while ((mtag = m_tag_find(__DECONST(struct mbuf *, m), + PACKET_TAG_IPSEC_IN_DONE, mtag)) != NULL) { + xh = (struct xform_history *)(mtag + 1); + KEYDBG(IPSEC_DATA, + char buf[IPSEC_ADDRSTRLEN]; + printf("%s: mode %s proto %u dst %s\n", __func__, + kdebug_secasindex_mode(xh->mode), xh->proto, + ipsec_address(&xh->dst, buf, sizeof(buf)))); + if (xh->proto != sp->req[idx]->saidx.proto) + continue; + /* If SA had IPSEC_MODE_ANY, consider this as match. */ + if (xh->mode != sp->req[idx]->saidx.mode && + xh->mode != IPSEC_MODE_ANY) + continue; + /* + * For transport mode IPsec request doesn't contain + * addresses. We need to use address from spidx. + */ + if (sp->req[idx]->saidx.mode == IPSEC_MODE_TRANSPORT) { + if (key_sockaddrcmp_withmask(&xh->dst.sa, + &sp->spidx.dst.sa, sp->spidx.prefd) != 0) + continue; + } else { + if (key_sockaddrcmp(&xh->dst.sa, + &sp->req[idx]->saidx.dst.sa, 0) != 0) + continue; + } + return (0); /* matched */ + } + return (1); +} + /* * Check security policy requirements against the actual * packet contents. Return one if the packet should be 
@@ -1334,14 +1382,33 @@ ipsec_get_reqlevel(struct ipsecrequest * * 1: invalid */ static int -ipsec_in_reject(struct secpolicy *sp, const struct mbuf *m) +ipsec_in_reject(struct secpolicy *sp, struct inpcb *inp, const struct mbuf *m) { - struct ipsecrequest *isr; - int need_auth; + uint32_t genid; + int i; - KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("%s: using SP\n", __func__); kdebug_secpolicy(sp)); + KEYDBG(IPSEC_STAMP, + printf("%s: PCB(%p): using SP(%p)\n", __func__, inp, sp)); + KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); + if (inp != NULL && + (inp->inp_sp->flags & INP_INBOUND_POLICY) == 0 && + inp->inp_sp->sp_in == NULL) { + /* + * Save found INBOUND policy into PCB SP cache. + */ + genid = key_getspgen(); + inp->inp_sp->sp_in = sp; + if (genid != inp->inp_sp->genid) { + /* Reset OUTBOUND cached policy if genid is changed */ + if ((inp->inp_sp->flags & INP_OUTBOUND_POLICY) == 0) + inp->inp_sp->sp_out = NULL; + inp->inp_sp->genid = genid; + } + KEYDBG(IPSEC_STAMP, + printf("%s: PCB(%p): cached SP(%p)\n", + __func__, inp, sp)); + } /* Check policy. */ switch (sp->policy) { case IPSEC_POLICY_DISCARD: 
@@ -1354,48 +1421,42 @@ ipsec_in_reject(struct secpolicy *sp, co IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, ("invalid policy %u", sp->policy)); - /* XXX Should compare policy against IPsec header history. */ - - need_auth = 0; - for (isr = sp->req; isr != NULL; isr = isr->next) { - if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE) + /* + * ipsec[46]_common_input_cb after each transform adds + * PACKET_TAG_IPSEC_IN_DONE mbuf tag. It contains SPI, proto, mode + * and destination address from saidx. We can compare info from + * these tags with requirements in SP. + */ + for (i = 0; i < sp->tcount; i++) { + /* + * Do not check IPcomp, since IPcomp document + * says that we shouldn't compress small packets. + * IPComp policy should always be treated as being + * in "use" level. + */ + if (sp->req[i]->saidx.proto == IPPROTO_IPCOMP || + ipsec_get_reqlevel(sp, i) != IPSEC_LEVEL_REQUIRE) continue; - switch (isr->saidx.proto) { + if (V_check_policy_history != 0 && + ipsec_check_history(m, sp, i) != 0) + return (1); + else switch (sp->req[i]->saidx.proto) { case IPPROTO_ESP: if ((m->m_flags & M_DECRYPTED) == 0) { - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, + KEYDBG(IPSEC_DUMP, printf("%s: ESP m_flags:%x\n", __func__, m->m_flags)); return (1); } - - if (!need_auth && - isr->sav != NULL && - isr->sav->tdb_authalgxform != NULL && - (m->m_flags & M_AUTHIPDGM) == 0) { - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s: ESP/AH m_flags:%x\n", __func__, - m->m_flags)); - return (1); - } break; case IPPROTO_AH: - need_auth = 1; if ((m->m_flags & M_AUTHIPHDR) == 0) { - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, + KEYDBG(IPSEC_DUMP, printf("%s: AH m_flags:%x\n", __func__, m->m_flags)); return (1); } break; - case IPPROTO_IPCOMP: - /* - * We don't really care, as IPcomp document - * says that we shouldn't compress small - * packets. IPComp policy should always be - * treated as being in "use" level. - */ - break; } } return (0); /* Valid. 
*/ Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Sun Nov 20 12:25:14 2016 (r308884) +++ projects/ipsec/sys/netipsec/ipsec.h Sun Nov 20 13:04:02 2016 (r308885) 
@@ -301,18 +301,16 @@ VNET_DECLARE(int, crypto_support); extern struct ipsecrequest *ipsec_newisr(void); extern void ipsec_delisr(struct ipsecrequest *); -struct tdb_ident; -extern struct secpolicy *ipsec_getpolicy(struct tdb_ident*, u_int); struct inpcb; -extern struct secpolicy *ipsec4_checkpolicy(const struct mbuf *, u_int, - int *, struct inpcb *); +struct secpolicy *ipsec4_checkpolicy(const struct mbuf *, struct inpcb *, + int *); extern struct secpolicy * ipsec_getpolicybyaddr(const struct mbuf *, u_int, int *); -struct inpcb; extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **); extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *); -extern u_int ipsec_get_reqlevel(struct ipsecrequest *); + +u_int ipsec_get_reqlevel(struct secpolicy *, u_int); extern int ipsec_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len, struct ucred *cred); From owner-svn-src-projects@freebsd.org Sun Nov 20 15:52:00 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3C965C4C111 for ; Sun, 20 Nov 2016 15:52:00 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 082EECA3; Sun, 20 Nov 2016 15:51:59 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKFpx3w039275; Sun, 20 Nov 2016 15:51:59 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKFpxcO039274; Sun, 20 Nov 2016 15:51:59 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201551.uAKFpxcO039274@repo.freebsd.org> X-Authentication-Warning: 
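Review bot: In ipsec_get_reqlevel() (r308885, the @@ -1230 hunk), the only bounds check before sp->req[idx] is IPSEC_ASSERT(idx < sp->tcount, ...), and the removed assertion that isr and isr->sp were non-NULL has no counterpart for sp. Since the function is exported through ipsec.h, document in its header comment that the caller must pass a valid sp and idx < sp->tcount. The assertion message also prints the u_int idx with %d; use %u.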
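Review bot: ipsec_check_history() (r308885, the @@ -1323 hunk) restarts m_tag_find() from the first PACKET_TAG_IPSEC_IN_DONE tag for every request index and compares only proto, mode and destination, so one tag can satisfy more than one request in the policy and the order in which the transforms were applied is never checked. The comment added in ipsec_in_reject() says the tag also carries the SPI, which is not compared here. If that is intended, say so in a comment above the function; otherwise remember the last matched tag between calls so that each entry in sp->req[] needs its own history entry.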
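Review bot: In ipsec_in_reject() (r308885, the @@ -1354 hunk), the ESP branch loses the test that returned 1 when the SA had tdb_authalgxform set and M_AUTHIPDGM was not set on the mbuf, together with need_auth, and the log does not mention it. With check_policy_history at its default of 0, an ESP requirement is now satisfied by M_DECRYPTED alone; please justify dropping the authentication check in the log or keep an equivalent. The "if (...) return (1); else switch (...)" construct would also read better as a plain if/return followed by the switch.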
repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 15:51:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308888 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 15:52:00 -0000 Author: ae Date: Sun Nov 20 15:51:58 2016 New Revision: 308888 URL: https://svnweb.freebsd.org/changeset/base/308888 Log: Modify ipsec4_in_reject() to use ipsec4_getpolicy() and ipsec_in_reject(). Also move it under #ifdef INET. Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 14:00:50 2016 (r308887) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 15:51:58 2016 (r308888) @@ -808,6 +808,25 @@ ipsec4_checkpolicy(const struct mbuf *m, return (sp); } +/* + * Check IPv4 packet against *INBOUND* security policy. + * This function is called from tcp_input(), udp_input(), + * rip_input() and sctp_input(). + */ +int +ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp) +{ + struct secpolicy *sp; + int result; + + sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_INBOUND); + result = ipsec_in_reject(sp, inp, m); + key_freesp(&sp); + if (result != 0) + IPSECSTAT_INC(ips_in_polvio); + return (result); +} + #endif /* INET */ #ifdef INET6 
@@ -1492,23 +1511,6 @@ ipsec46_in_reject(const struct mbuf *m, return (result); } -/* - * Check AH/ESP integrity. - * This function is called from tcp_input(), udp_input(), - * and {ah,esp}4_input for tunnel mode. - */ -int -ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp) -{ - int result; - - result = ipsec46_in_reject(m, inp); - if (result) - IPSECSTAT_INC(ips_in_polvio); - - return (result); -} - #ifdef INET6 /* * Check AH/ESP integrity. From owner-svn-src-projects@freebsd.org Sun Nov 20 16:03:32 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1C6CAC4C5EF for ; Sun, 20 Nov 2016 16:03:32 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D3DD31961; Sun, 20 Nov 2016 16:03:31 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKG3VF5045974; Sun, 20 Nov 2016 16:03:31 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKG3Vjd045973; Sun, 20 Nov 2016 16:03:31 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201603.uAKG3Vjd045973@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
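Review bot: The new ipsec4_in_reject() (r308888, the @@ -808 hunk) passes the result of ipsec4_getpolicy() straight to ipsec_in_reject() and key_freesp() with no NULL test, whereas ipsec4_checkpolicy() just above it guards the same call with if (sp != NULL). Make the two consistent: if a NULL policy is impossible, assert that in ipsec4_getpolicy(); if it is possible, return 1 here so that a failed lookup rejects the packet. Note as well that ipsec_in_reject() may have stored sp in inp->inp_sp->sp_in (r308885) immediately before key_freesp(&sp) runs, so the comment should say which reference is being released.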
From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 16:03:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308889 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 16:03:32 -0000 Author: ae Date: Sun Nov 20 16:03:30 2016 New Revision: 308889 URL: https://svnweb.freebsd.org/changeset/base/308889 Log: Remove redundant type casts from ipsec6_get_ulp(). Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 15:51:58 2016 (r308888) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 16:03:30 2016 (r308889) @@ -834,22 +834,18 @@ static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx, int needport) { - int off, nxt; struct tcphdr th; struct udphdr uh; struct icmp6_hdr ih; + int off, nxt; - /* Sanity check. */ - if (m == NULL) - panic("%s: NULL pointer was passed.\n", __func__); - - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s:\n", __func__); kdebug_mbuf(m)); + IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip6_hdr), + ("packet too short")); /* Set default. */ spidx->ul_proto = IPSEC_ULPROTO_ANY; - ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY; - ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY; + spidx->src.sin6.sin6_port = IPSEC_PORT_ANY; + spidx->dst.sin6.sin6_port = IPSEC_PORT_ANY; nxt = -1; off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt); 
@@ -864,8 +860,8 @@ ipsec6_get_ulp(const struct mbuf *m, str if (off + sizeof(struct tcphdr) > m->m_pkthdr.len) break; m_copydata(m, off, sizeof(th), (caddr_t)&th); - ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport; - ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport; + spidx->src.sin6.sin6_port = th.th_sport; + spidx->dst.sin6.sin6_port = th.th_dport; break; case IPPROTO_UDP: spidx->ul_proto = nxt; 
@@ -874,24 +870,24 @@ ipsec6_get_ulp(const struct mbuf *m, str if (off + sizeof(struct udphdr) > m->m_pkthdr.len) break; m_copydata(m, off, sizeof(uh), (caddr_t)&uh); - ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport; - ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport; + spidx->src.sin6.sin6_port = uh.uh_sport; + spidx->dst.sin6.sin6_port = uh.uh_dport; break; case IPPROTO_ICMPV6: spidx->ul_proto = nxt; if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len) break; m_copydata(m, off, sizeof(ih), (caddr_t)&ih); - ((struct sockaddr_in6 *)&spidx->src)->sin6_port = - htons((uint16_t)ih.icmp6_type); - ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = - htons((uint16_t)ih.icmp6_code); + spidx->src.sin6.sin6_port = htons((uint16_t)ih.icmp6_type); + spidx->dst.sin6.sin6_port = htons((uint16_t)ih.icmp6_code); break; default: /* XXX Intermediate headers??? */ spidx->ul_proto = nxt; break; } + KEYDBG(IPSEC_DUMP, + printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL)); } /* Assumes that m is sane. 
*/ From owner-svn-src-projects@freebsd.org Sun Nov 20 16:16:56 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 671F6C4CA9A for ; Sun, 20 Nov 2016 16:16:56 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 435092D5; Sun, 20 Nov 2016 16:16:56 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKGGtUT050604; Sun, 20 Nov 2016 16:16:55 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKGGtSi050603; Sun, 20 Nov 2016 16:16:55 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201616.uAKGGtSi050603@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
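Review bot: In ipsec6_get_ulp() (r308889, the @@ -834 hunk), the log says only that redundant type casts are removed, but the hunk also deletes the unconditional if (m == NULL) panic(...) check and the kdebug_mbuf() dump, and adds IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip6_hdr), ...), which dereferences m. Please mention these in the log or split them into their own revision, and keep a null assertion ahead of the length assertion if a NULL mbuf is still a case worth catching.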
From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 16:16:55 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308890 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 16:16:56 -0000 Author: ae Date: Sun Nov 20 16:16:55 2016 New Revision: 308890 URL: https://svnweb.freebsd.org/changeset/base/308890 Log: Add ipsec6_getpolicy(), ipsec6_checkpolicy() and ipsec6_in_reject(). They are complete analogue of corresponding IPv4 functions. Also change ipsec6_setspidx_ipaddr() to not return value since it can't fail. Remove now unused ipsec46_in_reject(). Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 16:03:30 2016 (r308889) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 16:16:55 2016 (r308890) @@ -252,7 +252,8 @@ static void ipsec4_setspidx_ipaddr(const struct secpolicyindex *); #ifdef INET6 static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int); -static int ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *); +static void ipsec6_setspidx_ipaddr(const struct mbuf *, + struct secpolicyindex *); #endif static void ipsec_delpcbpolicy(struct inpcbpolicy *); static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src); @@ -891,7 +892,7 @@ ipsec6_get_ulp(const struct mbuf *m, str } /* Assumes that m is sane. */ -static int +static void ipsec6_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx) { struct ip6_hdr ip6buf; 
@@ -926,9 +927,77 @@ ipsec6_setspidx_ipaddr(const struct mbuf sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]); } spidx->prefd = sizeof(struct in6_addr) << 3; +} - return (0); +static struct secpolicy * +ipsec6_getpolicy(const struct mbuf *m, struct inpcb *inp, u_int dir) +{ + struct secpolicyindex spidx; + struct secpolicy *sp; + + sp = ipsec_getpcbpolicy(inp, dir); + if (sp == NULL && key_havesp(dir)) { + /* Make an index to look for a policy. */ + ipsec6_setspidx_ipaddr(m, &spidx); + /* Fill ports in spidx if we have inpcb. */ + ipsec6_get_ulp(m, &spidx, inp != NULL); + spidx.dir = dir; + sp = key_allocsp(&spidx, dir); + } + if (sp == NULL) /* No SP found, use system default. */ + sp = key_allocsp_default(); + return (sp); } + +/* + * Check security policy for *OUTBOUND* IPv6 packet. + */ +struct secpolicy * +ipsec6_checkpolicy(const struct mbuf *m, struct inpcb *inp, int *error) +{ + struct secpolicy *sp; + + *error = 0; + sp = ipsec6_getpolicy(m, inp, IPSEC_DIR_OUTBOUND); + if (sp != NULL) + sp = ipsec_checkpolicy(sp, inp, error); + if (sp == NULL) { + switch (*error) { + case 0: /* No IPsec required: BYPASS or NONE */ + break; + case -EINVAL: + IPSEC6STAT_INC(ips_out_polvio); + break; + default: + IPSEC6STAT_INC(ips_out_inval); + } + } + KEYDBG(IPSEC_STAMP, + printf("%s: using SP(%p), error %d\n", __func__, sp, *error)); + if (sp != NULL) + KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); + return (sp); +} + +/* + * Check IPv6 packet against inbound security policy. + * This function is called from tcp6_input(), udp6_input(), + * rip6_input() and sctp_input(). + */ +int +ipsec6_in_reject(const struct mbuf *m, struct inpcb *inp) +{ + struct secpolicy *sp; + int result; + + sp = ipsec6_getpolicy(m, inp, IPSEC_DIR_INBOUND); + result = ipsec_in_reject(sp, inp, m); + key_freesp(&sp); + if (result) + IPSEC6STAT_INC(ips_in_polvio); + return (result); +} + #endif int 
@@ -1478,55 +1547,6 @@ ipsec_in_reject(struct secpolicy *sp, st } /* - * Non zero return value means security policy DISCARD or policy violation. - */ -static int -ipsec46_in_reject(const struct mbuf *m, struct inpcb *inp) -{ - struct secpolicy *sp; - int error; - int result; - - if (!key_havesp(IPSEC_DIR_INBOUND)) - return 0; - - IPSEC_ASSERT(m != NULL, ("null mbuf")); - - /* Get SP for this packet. */ - if (inp == NULL) - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error); - else - sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, inp, &error); - - if (sp != NULL) { - result = ipsec_in_reject(sp, m); - KEY_FREESP(&sp); - } else { - result = 1; /* treat errors as policy violation */ - } - return (result); -} - -#ifdef INET6 -/* - * Check AH/ESP integrity. - * This function is called from tcp6_input(), udp6_input(), - * and {ah,esp}6_input for tunnel mode. - */ -int -ipsec6_in_reject(const struct mbuf *m, struct inpcb *inp) -{ - int result; - - result = ipsec46_in_reject(m, inp); - if (result) - IPSEC6STAT_INC(ips_in_polvio); - - return (result); -} -#endif - -/* * Compute the byte size to be occupied by IPsec header. * In case it is tunnelled, it includes the size of outer IP header. * NOTE: SP passed is freed in this function. 
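Review bot: The removed ipsec46_in_reject() failed closed: when the policy lookup returned NULL it set result = 1 under the comment "treat errors as policy violation". Its replacement, the new ipsec6_in_reject() added earlier in this patch, calls ipsec_in_reject(sp, inp, m) on whatever ipsec6_getpolicy() returns with no NULL check, so rejecting on a failed lookup now depends entirely on key_allocsp_default() never returning NULL. Suggest an IPSEC_ASSERT(sp != NULL, ("null SP")) before that call, and carrying over the removed line "Non zero return value means security policy DISCARD or policy violation", since the new header comment no longer documents the return value.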
From owner-svn-src-projects@freebsd.org Sun Nov 20 17:17:42 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9A2B2C4C897 for ; Sun, 20 Nov 2016 17:17:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5AA4A1EDE; Sun, 20 Nov 2016 17:17:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKHHfT0074902; Sun, 20 Nov 2016 17:17:41 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKHHf0C074901; Sun, 20 Nov 2016 17:17:41 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201717.uAKHHf0C074901@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 17:17:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308892 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 17:17:42 -0000 Author: ae Date: Sun Nov 20 17:17:41 2016 New Revision: 308892 URL: https://svnweb.freebsd.org/changeset/base/308892 Log: Modify ipsec_setspidx_inpcb() function to use given inpcb pointer to fill secpolicyindex's fields instead of taking them from mbuf. Remove ipsec_setspidx() function. Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 17:03:52 2016 (r308891) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 17:17:41 2016 (r308892) @@ -245,8 +245,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, static int ipsec_in_reject(struct secpolicy *, struct inpcb *, const struct mbuf *); -static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *); -static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int); +static void ipsec_setspidx_inpcb(struct inpcb *, struct secpolicyindex *); + static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int); static void ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *); 
@@ -551,106 +551,62 @@ ipsec_getpolicybyaddr(const struct mbuf return (sp); } -static int -ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp) -{ - int error; - - IPSEC_ASSERT(inp != NULL, ("null inp")); - IPSEC_ASSERT(inp->inp_sp != NULL, ("null inp_sp")); - IPSEC_ASSERT(inp->inp_sp->sp_out != NULL && inp->inp_sp->sp_in != NULL, - ("null sp_in || sp_out")); - - error = ipsec_setspidx(m, &inp->inp_sp->sp_in->spidx, 1); - if (error == 0) { - inp->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND; - inp->inp_sp->sp_out->spidx = inp->inp_sp->sp_in->spidx; - inp->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND; - } else { - bzero(&inp->inp_sp->sp_in->spidx, - sizeof (inp->inp_sp->sp_in->spidx)); - bzero(&inp->inp_sp->sp_out->spidx, - sizeof (inp->inp_sp->sp_in->spidx)); - } - return (error); -} - -/* - * Configure security policy index (src/dst/proto/sport/dport) - * by looking at the content of mbuf. - * The caller is responsible for error recovery (like clearing up spidx). - */ -static int -ipsec_setspidx(const struct mbuf *m, struct secpolicyindex *spidx, - int needport) +static void +ipsec_setspidx_inpcb(struct inpcb *inp, struct secpolicyindex *spidx) { - struct ip ipbuf; - const struct ip *ip = NULL; - const struct mbuf *n; - u_int v; - int len; - int error; - - IPSEC_ASSERT(m != NULL, ("null mbuf")); - - /* - * Validate m->m_pkthdr.len. We see incorrect length if we - * mistakenly call this function with inconsistent mbuf chain - * (like 4.4BSD tcp/udp processing). XXX Should we panic here? 
- */ - len = 0; - for (n = m; n; n = n->m_next) - len += n->m_len; - if (m->m_pkthdr.len != len) { - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s: pkthdr len(%d) mismatch (%d), ignored.\n", - __func__, len, m->m_pkthdr.len)); - return (EINVAL); - } - - if (m->m_pkthdr.len < sizeof(struct ip)) { - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s: pkthdr len(%d) too small (v4), ignored.\n", - __func__, m->m_pkthdr.len)); - return (EINVAL); - } - if (m->m_len >= sizeof(*ip)) - ip = mtod(m, const struct ip *); - else { - m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); - ip = &ipbuf; - } - v = ip->ip_v; - switch (v) { - case 4: - error = ipsec4_setspidx_ipaddr(m, spidx); - if (error) - return (error); - ipsec4_get_ulp(m, spidx, needport); - return (0); #ifdef INET6 - case 6: - if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s: pkthdr len(%d) too small (v6), " - "ignored\n", __func__, m->m_pkthdr.len)); - return (EINVAL); + if (inp->inp_vflag & INP_IPV6) { + bzero(&spidx->src.sin6, sizeof(spidx->src.sin6)); + spidx->src.sin6.sin6_family = AF_INET6; + spidx->src.sin6.sin6_len = sizeof(struct sockaddr_in6); + spidx->src.sin6.sin6_addr = inp->in6p_laddr; + spidx->src.sin6.sin6_port = inp->inp_lport; + if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_laddr)) { + /* XXXAE: use in6p_zoneid */ + spidx->src.sin6.sin6_addr.s6_addr16[1] = 0; + spidx->src.sin6.sin6_scope_id = ntohs( + inp->in6p_laddr.s6_addr16[1]); } - error = ipsec6_setspidx_ipaddr(m, spidx); - if (error) - return (error); - ipsec6_get_ulp(m, spidx, needport); - return (0); + spidx->prefs = sizeof(struct in6_addr) << 3; + + bzero(&spidx->dst.sin6, sizeof(spidx->dst.sin6)); + spidx->dst.sin6.sin6_family = AF_INET6; + spidx->dst.sin6.sin6_len = sizeof(struct sockaddr_in6); + spidx->dst.sin6.sin6_addr = inp->in6p_faddr; + spidx->dst.sin6.sin6_port = inp->inp_fport; + if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_faddr)) { + /* XXXAE: use in6p_zoneid */ + spidx->dst.sin6.sin6_addr.s6_addr16[1] = 0; + 
spidx->dst.sin6.sin6_scope_id = ntohs( + inp->in6p_faddr.s6_addr16[1]); + } + spidx->prefd = sizeof(struct in6_addr) << 3; + } #endif - default: - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s: " "unknown IP version %u, ignored.\n", - __func__, v)); - return (EINVAL); +#ifdef INET + if (inp->inp_vflag & INP_IPV4) { + bzero(&spidx->src.sin, sizeof(spidx->src.sin)); + spidx->src.sin.sin_family = AF_INET; + spidx->src.sin.sin_len = sizeof(struct sockaddr_in); + spidx->src.sin.sin_addr = inp->inp_laddr; + spidx->src.sin.sin_port = inp->inp_lport; + spidx->prefs = sizeof(struct in_addr) << 3; + + bzero(&spidx->dst.sin, sizeof(spidx->dst.sin)); + spidx->dst.sin.sin_family = AF_INET; + spidx->dst.sin.sin_len = sizeof(struct sockaddr_in); + spidx->dst.sin.sin_addr = inp->inp_faddr; + spidx->dst.sin.sin_port = inp->inp_fport; + spidx->prefd = sizeof(struct in_addr) << 3; } +#endif + spidx->ul_proto = inp->inp_ip_p; + KEYDBG(IPSEC_DUMP, + printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL)); } + #ifdef INET static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx, From owner-svn-src-projects@freebsd.org Sun Nov 20 17:50:19 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 77E6AC4CFE0 for ; Sun, 20 Nov 2016 17:50:19 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 382D310E5; Sun, 20 Nov 2016 17:50:19 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKHoIsC087194; Sun, 20 Nov 2016 17:50:18 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org 
(8.15.2/8.15.2/Submit) id uAKHoIjT087192; Sun, 20 Nov 2016 17:50:18 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201750.uAKHoIjT087192@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 17:50:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308893 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 17:50:19 -0000 Author: ae Date: Sun Nov 20 17:50:18 2016 New Revision: 308893 URL: https://svnweb.freebsd.org/changeset/base/308893 Log: In ipsec_hdrsiz_internal() reflect the changes of struct ipsecrequest. For now calculate the approximate size using only information from ipsecrequest. Later we will use information from inpcbpolicy. Add ipsec_hdrsiz_inpcb(); it will be called from TCP code. Modified: projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/ipsec.h Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 17:17:41 2016 (r308892) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 17:50:18 2016 (r308893) 
@@ -1505,16 +1505,15 @@ ipsec_in_reject(struct secpolicy *sp, st /* * Compute the byte size to be occupied by IPsec header. * In case it is tunnelled, it includes the size of outer IP header. - * NOTE: SP passed is freed in this function. */ static size_t ipsec_hdrsiz_internal(struct secpolicy *sp) { - struct ipsecrequest *isr; size_t size; + int i; - KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("%s: using SP\n", __func__); kdebug_secpolicy(sp)); + KEYDBG(IPSEC_STAMP, printf("%s: using SP(%p)\n", __func__, sp)); + KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); switch (sp->policy) { case IPSEC_POLICY_DISCARD: 
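Review bot: The header comment of ipsec_hdrsiz_internal() loses "NOTE: SP passed is freed in this function." with nothing put in its place, so the comment no longer says who owns the reference to sp. Suggest stating the new contract there: the caller keeps its reference and releases it with key_freesp() after the call, which is what the new ipsec_hdrsiz_inpcb() later in this patch does.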
@@ -1526,45 +1525,72 @@ ipsec_hdrsiz_internal(struct secpolicy * IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, ("invalid policy %u", sp->policy)); + /* + * XXX: for each transform we need to lookup suitable SA + * and use info from SA to calculate headers size. + * XXX: for NAT-T we need to cosider UDP header size. + */ size = 0; - for (isr = sp->req; isr != NULL; isr = isr->next) { - size_t clen = 0; - - switch (isr->saidx.proto) { + for (i = 0; i < sp->tcount; i++) { + switch (sp->req[i]->saidx.proto) { case IPPROTO_ESP: - clen = esp_hdrsiz(isr->sav); + size += esp_hdrsiz(NULL); break; case IPPROTO_AH: - clen = ah_hdrsiz(isr->sav); + size += ah_hdrsiz(NULL); break; case IPPROTO_IPCOMP: - clen = sizeof(struct ipcomp); + size += sizeof(struct ipcomp); break; } - if (isr->saidx.mode == IPSEC_MODE_TUNNEL) { - switch (isr->saidx.dst.sa.sa_family) { + if (sp->req[i]->saidx.mode == IPSEC_MODE_TUNNEL) { + switch (sp->req[i]->saidx.dst.sa.sa_family) { +#ifdef INET case AF_INET: - clen += sizeof(struct ip); + size += sizeof(struct ip); break; +#endif #ifdef INET6 case AF_INET6: - clen += sizeof(struct ip6_hdr); + size += sizeof(struct ip6_hdr); break; #endif default: ipseclog((LOG_ERR, "%s: unknown AF %d in " "IPsec tunnel SA\n", __func__, - ((struct sockaddr *)&isr->saidx.dst)->sa_family)); + sp->req[i]->saidx.dst.sa.sa_family)); break; } } - size += clen; } - return (size); } +/* + * Compute ESP/AH header size for protocols with PCB, including + * outer IP header. Currently only tcp_output() uses it. 
+ */ +size_t +ipsec_hdrsiz_inpcb(struct inpcb *inp) +{ + struct secpolicyindex spidx; + struct secpolicy *sp; + size_t sz; + + sp = ipsec_getpcbpolicy(inp, IPSEC_DIR_OUTBOUND); + if (sp == NULL && key_havesp(IPSEC_DIR_OUTBOUND)) { + ipsec_setspidx_inpcb(inp, &spidx); + spidx.dir = IPSEC_DIR_OUTBOUND; + sp = key_allocsp(&spidx, IPSEC_DIR_OUTBOUND); + } + if (sp == NULL) + sp = key_allocsp_default(); + sz = ipsec_hdrsiz_internal(sp); + key_freesp(&sp); + return (sz); +} + /* * This function is called from ipsec_hdrsiz_tcp(), ip_ipsec_mtu(), * disabled ip6_ipsec_mtu() and ip6_forward(). Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Sun Nov 20 17:17:41 2016 (r308892) +++ projects/ipsec/sys/netipsec/ipsec.h Sun Nov 20 17:50:18 2016 (r308893) 
@@ -311,21 +311,20 @@ extern int ipsec_init_policy(struct sock extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *); u_int ipsec_get_reqlevel(struct secpolicy *, u_int); +int ipsec4_in_reject(const struct mbuf *, struct inpcb *); +size_t ipsec_hdrsiz_inpcb(struct inpcb *); extern int ipsec_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len, struct ucred *cred); extern int ipsec_get_policy(struct inpcb *inpcb, caddr_t request, size_t len, struct mbuf **mp); extern int ipsec_delete_pcbpolicy(struct inpcb *); -extern int ipsec4_in_reject(const struct mbuf *, struct inpcb *); struct secas; -struct tcpcb; extern int ipsec_chkreplay(u_int32_t, struct secasvar *); extern int ipsec_updatereplay(u_int32_t, struct secasvar *); extern size_t ipsec_hdrsiz(const struct mbuf *, u_int, struct inpcb *); -extern size_t ipsec_hdrsiz_tcp(struct tcpcb *); union sockaddr_union; extern char *ipsec_address(union sockaddr_union *, char *, socklen_t); From owner-svn-src-projects@freebsd.org Sun Nov 20 17:59:55 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6DA13C4C163 for ; Sun, 20 Nov 2016 17:59:55 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 20EA21563; Sun, 20 Nov 2016 17:59:55 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKHxsMV091303; Sun, 20 Nov 2016 17:59:54 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKHxsmd091301; Sun, 20 Nov 2016 17:59:54 GMT (envelope-from ae@FreeBSD.org) Message-Id: 
<201611201759.uAKHxsmd091301@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 17:59:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308894 - projects/ipsec/sys/netinet X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 17:59:55 -0000 Author: ae Date: Sun Nov 20 17:59:53 2016 New Revision: 308894 URL: https://svnweb.freebsd.org/changeset/base/308894 Log: Remove ipsec_hdrsiz_tcp() function, use ipsec_hdrsiz_inpcb() instead. Modified: projects/ipsec/sys/netinet/tcp_output.c projects/ipsec/sys/netinet/tcp_subr.c Modified: projects/ipsec/sys/netinet/tcp_output.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_output.c Sun Nov 20 17:50:18 2016 (r308893) +++ projects/ipsec/sys/netinet/tcp_output.c Sun Nov 20 17:59:53 2016 (r308894) @@ -551,7 +551,7 @@ after_sack_rexmit: * Pre-calculate here as we save another lookup into the darknesses * of IPsec that way and can actually decide if TSO is ok. */ - ipsec_optlen = ipsec_hdrsiz_tcp(tp); + ipsec_optlen = ipsec_hdrsiz_inpcb(tp->t_inpcb); #endif if ((tp->t_flags & TF_TSO) && V_tcp_do_tso && len > tp->t_maxseg && ((tp->t_flags & TF_SIGNATURE) == 0) && Modified: projects/ipsec/sys/netinet/tcp_subr.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_subr.c Sun Nov 20 17:50:18 2016 (r308893) +++ projects/ipsec/sys/netinet/tcp_subr.c Sun Nov 20 17:59:53 2016 (r308894) 
@@ -2527,50 +2527,6 @@ tcp_maxseg(const struct tcpcb *tp) return (tp->t_maxseg - optlen); } -#ifdef IPSEC -/* compute ESP/AH header size for TCP, including outer IP header. */ -size_t -ipsec_hdrsiz_tcp(struct tcpcb *tp) -{ - struct inpcb *inp; - struct mbuf *m; - size_t hdrsiz; - struct ip *ip; -#ifdef INET6 - struct ip6_hdr *ip6; -#endif - struct tcphdr *th; - - if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL) || - (!key_havesp(IPSEC_DIR_OUTBOUND))) - return (0); - m = m_gethdr(M_NOWAIT, MT_DATA); - if (!m) - return (0); - -#ifdef INET6 - if ((inp->inp_vflag & INP_IPV6) != 0) { - ip6 = mtod(m, struct ip6_hdr *); - th = (struct tcphdr *)(ip6 + 1); - m->m_pkthdr.len = m->m_len = - sizeof(struct ip6_hdr) + sizeof(struct tcphdr); - tcpip_fillheaders(inp, ip6, th); - hdrsiz = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp); - } else -#endif /* INET6 */ - { - ip = mtod(m, struct ip *); - th = (struct tcphdr *)(ip + 1); - m->m_pkthdr.len = m->m_len = sizeof(struct tcpiphdr); - tcpip_fillheaders(inp, ip, th); - hdrsiz = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp); - } - - m_free(m); - return (hdrsiz); -} -#endif /* IPSEC */ - #ifdef TCP_SIGNATURE /* * Callback function invoked by m_apply() to digest TCP segment data From owner-svn-src-projects@freebsd.org Mon Nov 21 06:47:58 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 878F4C4C2D3 for ; Mon, 21 Nov 2016 06:47:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 649981E80; Mon, 21 Nov 2016 06:47:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 
uAL6lviJ006825; Mon, 21 Nov 2016 06:47:57 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAL6lvgc006824; Mon, 21 Nov 2016 06:47:57 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611210647.uAL6lvgc006824@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Mon, 21 Nov 2016 06:47:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308910 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2016 06:47:58 -0000 Author: ae Date: Mon Nov 21 06:47:57 2016 New Revision: 308910 URL: https://svnweb.freebsd.org/changeset/base/308910 Log: Change prototype of key_allocsp_default() and remove helper debug macros. Remove unused ipsec_getpolicy(). Also remove ipsec_getpolicybysock() and ipsec_getpolicybyaddr(), we use ipsec[46]_getpolicy() instead. Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Mon Nov 21 05:54:31 2016 (r308909) +++ projects/ipsec/sys/netipsec/ipsec.c Mon Nov 21 06:47:57 2016 (r308910) 
@@ -265,13 +265,10 @@ MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolic * Return a held reference to the default SP. */ static struct secpolicy * -key_allocsp_default(const char* where, int tag) +key_allocsp_default(void) { struct secpolicy *sp; - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP key_allocsp_default from %s:%u\n", where, tag)); - sp = &V_def_policy; if (sp->policy != IPSEC_POLICY_DISCARD && sp->policy != IPSEC_POLICY_NONE) { @@ -280,14 +277,8 @@ key_allocsp_default(const char* where, i sp->policy = IPSEC_POLICY_NONE; } key_addref(sp); - - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP key_allocsp_default returns SP:%p (%u)\n", - sp, sp->refcnt)); return (sp); } -#define KEY_ALLOCSP_DEFAULT() \ - key_allocsp_default(__FILE__, __LINE__) static struct secpolicy * ipsec_checkpolicy(struct secpolicy *sp, struct inpcb *inp, int *error) 
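Review bot: Removing the KEYDEBUG that printed the SP pointer and sp->refcnt after key_addref(sp), together with the where/tag arguments dropped in the hunk above, leaves key_allocsp_default() with no trace of the reference it takes, so an unbalanced reference on the default policy can no longer be tied to a call site. Suggest keeping one line in the new style before return (sp), for example KEYDBG(IPSEC_STAMP, printf("%s: using SP(%p)\n", __func__, sp)), matching what ipsec6_checkpolicy() and ipsec_hdrsiz_internal() print elsewhere in this series.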
@@ -377,180 +368,6 @@ ipsec_getpcbpolicy(struct inpcb *inp, u_ return (sp); } -/* - * For OUTBOUND packet having a socket. Searching SPD for packet, - * and return a pointer to SP. - * OUT: NULL: no apropreate SP found, the following value is set to error. - * 0 : bypass - * EACCES : discard packet. - * ENOENT : ipsec_acquire() in progress, maybe. - * others : error occurred. - * others: a pointer to SP - * - * NOTE: IPv6 mapped adddress concern is implemented here. - */ -struct secpolicy * -ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir) -{ - struct secpolicy *sp; - - IPSEC_ASSERT(tdbi != NULL, ("null tdbi")); - IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, - ("invalid direction %u", dir)); - - sp = KEY_ALLOCSP2(tdbi->spi, &tdbi->dst, tdbi->proto, dir); - if (sp == NULL) /*XXX????*/ - sp = KEY_ALLOCSP_DEFAULT(); - IPSEC_ASSERT(sp != NULL, ("null SP")); - return (sp); -} - -/* - * For OUTBOUND packet having a socket. Searching SPD for packet, - * and return a pointer to SP. - * OUT: NULL: no apropreate SP found, the following value is set to error. - * 0 : bypass - * EACCES : discard packet. - * ENOENT : ipsec_acquire() in progress, maybe. - * others : error occurred. - * others: a pointer to SP - * - * NOTE: IPv6 mapped adddress concern is implemented here. - */ -static struct secpolicy * -ipsec_getpolicybysock(const struct mbuf *m, u_int dir, struct inpcb *inp, - int *error) -{ - struct inpcbpolicy *pcbsp; - struct secpolicy *currsp = NULL; /* Policy on socket. */ - struct secpolicy *sp; - - IPSEC_ASSERT(m != NULL, ("null mbuf")); - IPSEC_ASSERT(inp != NULL, ("null inpcb")); - IPSEC_ASSERT(error != NULL, ("null error")); - IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, - ("invalid direction %u", dir)); - - if (!key_havesp(dir)) { - /* No SP found, use system default. */ - sp = KEY_ALLOCSP_DEFAULT(); - return (sp); - } - - /* Set spidx in pcb. 
*/ - *error = ipsec_setspidx_inpcb(m, inp); - if (*error) - return (NULL); - - pcbsp = inp->inp_sp; - IPSEC_ASSERT(pcbsp != NULL, ("null pcbsp")); - switch (dir) { - case IPSEC_DIR_INBOUND: - currsp = pcbsp->sp_in; - break; - case IPSEC_DIR_OUTBOUND: - currsp = pcbsp->sp_out; - break; - } - IPSEC_ASSERT(currsp != NULL, ("null currsp")); - - if (pcbsp->priv) { /* When privilieged socket. */ - switch (currsp->policy) { - case IPSEC_POLICY_BYPASS: - case IPSEC_POLICY_IPSEC: - key_addref(currsp); - sp = currsp; - break; - - case IPSEC_POLICY_ENTRUST: - /* Look for a policy in SPD. */ - sp = KEY_ALLOCSP(&currsp->spidx, dir); - if (sp == NULL) /* No SP found. */ - sp = KEY_ALLOCSP_DEFAULT(); - break; - - default: - ipseclog((LOG_ERR, "%s: Invalid policy for PCB %d\n", - __func__, currsp->policy)); - *error = EINVAL; - return (NULL); - } - } else { /* Unpriv, SPD has policy. */ - sp = KEY_ALLOCSP(&currsp->spidx, dir); - if (sp == NULL) { /* No SP found. */ - switch (currsp->policy) { - case IPSEC_POLICY_BYPASS: - ipseclog((LOG_ERR, "%s: Illegal policy for " - "non-priviliged defined %d\n", - __func__, currsp->policy)); - *error = EINVAL; - return (NULL); - - case IPSEC_POLICY_ENTRUST: - sp = KEY_ALLOCSP_DEFAULT(); - break; - - case IPSEC_POLICY_IPSEC: - key_addref(currsp); - sp = currsp; - break; - - default: - ipseclog((LOG_ERR, "%s: Invalid policy for " - "PCB %d\n", __func__, currsp->policy)); - *error = EINVAL; - return (NULL); - } - } - } - IPSEC_ASSERT(sp != NULL, - ("null SP (priv %u policy %u", pcbsp->priv, currsp->policy)); - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s (priv %u policy %u) allocate SP:%p (refcnt %u)\n", - __func__, pcbsp->priv, currsp->policy, sp, sp->refcnt)); - return (sp); -} - -/* - * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, - * and return a pointer to SP. - * OUT: positive: a pointer to the entry for security policy leaf matched. - * NULL: no apropreate SP found, the following value is set to error. 
- * 0 : bypass - * EACCES : discard packet. - * ENOENT : ipsec_acquire() in progress, maybe. - * others : error occurred. - */ -struct secpolicy * -ipsec_getpolicybyaddr(const struct mbuf *m, u_int dir, int *error) -{ - struct secpolicyindex spidx; - struct secpolicy *sp; - - IPSEC_ASSERT(m != NULL, ("null mbuf")); - IPSEC_ASSERT(error != NULL, ("null error")); - IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, - ("invalid direction %u", dir)); - - sp = NULL; - *error = 0; - if (key_havesp(dir)) { - /* Make an index to look for a policy. */ - *error = ipsec_setspidx(m, &spidx, 0); - if (*error != 0) { - DPRINTF(("%s: setpidx failed, dir %u\n", - __func__, dir)); - return (NULL); - } - spidx.dir = dir; - sp = KEY_ALLOCSP(&spidx, dir); - } - if (sp == NULL) /* No SP found, use system default. */ - sp = KEY_ALLOCSP_DEFAULT(); - IPSEC_ASSERT(sp != NULL, ("null SP")); - return (sp); -} - static void ipsec_setspidx_inpcb(struct inpcb *inp, struct secpolicyindex *spidx) { From owner-svn-src-projects@freebsd.org Mon Nov 21 07:16:34 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 16B2FC4C96C for ; Mon, 21 Nov 2016 07:16:34 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BAAC7FA3; Mon, 21 Nov 2016 07:16:33 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAL7GW1w019192; Mon, 21 Nov 2016 07:16:32 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAL7GWEG019189; Mon, 21 Nov 2016 07:16:32 GMT (envelope-from ae@FreeBSD.org) 
Message-Id: <201611210716.uAL7GWEG019189@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Mon, 21 Nov 2016 07:16:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308911 - in projects/ipsec/sys: netinet netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2016 07:16:34 -0000 Author: ae Date: Mon Nov 21 07:16:32 2016 New Revision: 308911 URL: https://svnweb.freebsd.org/changeset/base/308911 Log: Modify comments to reflect the reality. Modified: projects/ipsec/sys/netinet/ip_ipsec.c projects/ipsec/sys/netinet6/ip6_ipsec.c Modified: projects/ipsec/sys/netinet/ip_ipsec.c ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.c Mon Nov 21 06:47:57 2016 (r308910) +++ projects/ipsec/sys/netinet/ip_ipsec.c Mon Nov 21 07:16:32 2016 (r308911) @@ -195,8 +195,11 @@ ip_ipsec_output(struct mbuf *m, struct i /* * Hack: -EINVAL is used to signal that a packet * should be silently discarded. This is typically - * because we asked key management for an SA and - * it was delayed (e.g. kicked up to IKE). + * because we have DISCARD policy or asked key + * management for an SP and it was delayed (e.g. + * kicked up to IKE). + * XXX: maybe return EACCES to the caller would + * be more useful? */ if (*error == -EINVAL) *error = 0; 
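Review bot: The rewritten comment in ip_ipsec_output() now reads "asked key management for an SP" where the old text said SA. What is kicked up to IKE is the negotiation of a security association, not of a policy, so the clause about the delayed request should keep "SA"; the added "we have DISCARD policy" wording can stay as it is.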
@@ -270,8 +273,11 @@ ip_ipsec_forward(struct mbuf *m, int *er /* * Hack: -EINVAL is used to signal that a packet * should be silently discarded. This is typically - * because we asked key management for an SA and - * it was delayed (e.g. kicked up to IKE). + * because we have DISCARD policy or asked key + * management for an SP and it was delayed (e.g. + * kicked up to IKE). + * XXX: maybe return EACCES to the caller would + * be more useful? */ if (*error == -EINVAL) *error = 0; Modified: projects/ipsec/sys/netinet6/ip6_ipsec.c ============================================================================== --- projects/ipsec/sys/netinet6/ip6_ipsec.c Mon Nov 21 06:47:57 2016 (r308910) +++ projects/ipsec/sys/netinet6/ip6_ipsec.c Mon Nov 21 07:16:32 2016 (r308911) @@ -195,8 +195,11 @@ ip6_ipsec_output(struct mbuf *m, struct /* * Hack: -EINVAL is used to signal that a packet * should be silently discarded. This is typically - * because we asked key management for an SA and - * it was delayed (e.g. kicked up to IKE). + * because we have DISCARD policy or asked key + * management for an SP and it was delayed (e.g. + * kicked up to IKE). + * XXX: maybe return EACCES to the caller would + * be more useful? */ if (*error == -EINVAL) *error = 0; 
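Review bot: The if (*error == -EINVAL) *error = 0; mapping under the changed comment in ip6_ipsec_output() reports success to the caller for a packet that, per the new comment text, may have been dropped by a DISCARD policy, and the added XXX about returning EACCES leaves that open. The same comment and mapping now appear in four functions in this commit (ip_ipsec_output(), ip_ipsec_forward(), ip6_ipsec_output(), ip6_ipsec_forward()); suggest moving them into one shared helper so that the EACCES question is decided, and later changed, in a single place.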
@@ -277,8 +280,11 @@ ip6_ipsec_forward(struct mbuf *m, int *e /* * Hack: -EINVAL is used to signal that a packet * should be silently discarded. This is typically - * because we asked key management for an SA and - * it was delayed (e.g. kicked up to IKE). + * because we have DISCARD policy or asked key + * management for an SP and it was delayed (e.g. + * kicked up to IKE). + * XXX: maybe return EACCES to the caller would + * be more useful? */ if (*error == -EINVAL) *error = 0; From owner-svn-src-projects@freebsd.org Mon Nov 21 07:30:09 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0449BC4CCBF for ; Mon, 21 Nov 2016 07:30:09 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B5B6B7AF; Mon, 21 Nov 2016 07:30:08 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAL7U7K6023197; Mon, 21 Nov 2016 07:30:07 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAL7U76v023191; Mon, 21 Nov 2016 07:30:07 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611210730.uAL7U76v023191@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Mon, 21 Nov 2016 07:30:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308912 - in projects/ipsec/sys: netinet netinet6 X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2016 07:30:09 -0000 Author: ae Date: Mon Nov 21 07:30:07 2016 New Revision: 308912 URL: https://svnweb.freebsd.org/changeset/base/308912 Log: Remove partially working code that handles IP[V6]_IPSEC_POLICY socket options. Introduce ipsec_control_pcbpolicy() function and ip[6]_ipsec_pcbctl() wrappers to invoke it. Modified: projects/ipsec/sys/netinet/ip_ipsec.c projects/ipsec/sys/netinet/ip_ipsec.h projects/ipsec/sys/netinet/ip_output.c projects/ipsec/sys/netinet6/ip6_ipsec.c projects/ipsec/sys/netinet6/ip6_ipsec.h projects/ipsec/sys/netinet6/ip6_output.c Modified: projects/ipsec/sys/netinet/ip_ipsec.c ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.c Mon Nov 21 07:16:32 2016 (r308911) +++ projects/ipsec/sys/netinet/ip_ipsec.c Mon Nov 21 07:30:07 2016 (r308912) 
@@ -289,4 +289,16 @@ ip_ipsec_forward(struct mbuf *m, int *er return (0); } +/* + * Handle IPsec related socket options. + * Called from ip_ctloutput(). + */ +int +ip_ipsec_pcbctl(struct inpcb *inp, struct sockopt *sopt) +{ + + if (sopt->sopt_name != IP_IPSEC_POLICY) + return (ENOPROTOOPT); + return (ipsec_control_pcbpolicy(inp, sopt)); +} Modified: projects/ipsec/sys/netinet/ip_ipsec.h ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.h Mon Nov 21 07:16:32 2016 (r308911) +++ projects/ipsec/sys/netinet/ip_ipsec.h Mon Nov 21 07:30:07 2016 (r308912) @@ -41,4 +41,5 @@ int ip_ipsec_input(struct mbuf *, int); int ip_ipsec_mtu(struct mbuf *, int); int ip_ipsec_forward(struct mbuf *, int *); int ip_ipsec_output(struct mbuf *, struct inpcb *, int *); +int ip_ipsec_pcbctl(struct inpcb *, struct sockopt *); #endif Modified: projects/ipsec/sys/netinet/ip_output.c ============================================================================== --- projects/ipsec/sys/netinet/ip_output.c Mon Nov 21 07:16:32 2016 (r308911) +++ projects/ipsec/sys/netinet/ip_output.c Mon Nov 21 07:30:07 2016 (r308912) @@ -1183,21 +1183,8 @@ ip_ctloutput(struct socket *so, struct s #ifdef IPSEC case IP_IPSEC_POLICY: - { - caddr_t req; - struct mbuf *m; - - if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */ - break; - if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */ - break; - req = mtod(m, caddr_t); - error = ipsec_set_policy(inp, sopt->sopt_name, req, - m->m_len, (sopt->sopt_td != NULL) ? - sopt->sopt_td->td_ucred : NULL); - m_freem(m); + error = ip_ipsec_pcbctl(inp, sopt); break; - } #endif /* IPSEC */ default: 
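Review bot: in the IP_IPSEC_POLICY setsockopt case of ip_ctloutput(), the credential that the removed code passed explicitly (sopt->sopt_td->td_ucred) now has to be recovered inside ipsec_control_pcbpolicy(), but none of the six files in this commit's Modified list defines that function, even though the log says it is introduced here; its body only shows up in the netipsec/ipsec.c diff of r308924. As posted, r308912 leaves ip_ipsec_pcbctl() and ip6_ipsec_pcbctl() calling a function that does not exist yet, so an IPSEC kernel at this revision will not link and the privilege check for BYPASS cannot be reviewed together with its callers. Please land the definition in the same commit as the wrappers, or fold this change into the one that adds it.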
@@ -1342,22 +1329,8 @@ ip_ctloutput(struct socket *so, struct s #ifdef IPSEC case IP_IPSEC_POLICY: - { - struct mbuf *m = NULL; - caddr_t req = NULL; - size_t len = 0; - - if (m != NULL) { - req = mtod(m, caddr_t); - len = m->m_len; - } - error = ipsec_get_policy(sotoinpcb(so), req, len, &m); - if (error == 0) - error = soopt_mcopyout(sopt, m); /* XXX */ - if (error == 0) - m_freem(m); + error = ip_ipsec_pcbctl(inp, sopt); break; - } #endif /* IPSEC */ default: Modified: projects/ipsec/sys/netinet6/ip6_ipsec.c ============================================================================== --- projects/ipsec/sys/netinet6/ip6_ipsec.c Mon Nov 21 07:16:32 2016 (r308911) +++ projects/ipsec/sys/netinet6/ip6_ipsec.c Mon Nov 21 07:30:07 2016 (r308912) @@ -295,3 +295,16 @@ ip6_ipsec_forward(struct mbuf *m, int *e } return (0); } + +/* + * Handle IPsec related socket options. + * Called from ip6_ctloutput(). + */ +int +ip6_ipsec_pcbctl(struct inpcb *inp, struct sockopt *sopt) +{ + + if (sopt->sopt_name != IPV6_IPSEC_POLICY) + return (ENOPROTOOPT); + return (ipsec_control_pcbpolicy(inp, sopt)); +} Modified: projects/ipsec/sys/netinet6/ip6_ipsec.h ============================================================================== --- projects/ipsec/sys/netinet6/ip6_ipsec.h Mon Nov 21 07:16:32 2016 (r308911) +++ projects/ipsec/sys/netinet6/ip6_ipsec.h Mon Nov 21 07:30:07 2016 (r308912) @@ -39,4 +39,5 @@ int ip6_ipsec_filtertunnel(struct mbuf * int ip6_ipsec_input(struct mbuf *, int); int ip6_ipsec_forward(struct mbuf *, int *); int ip6_ipsec_output(struct mbuf *, struct inpcb *, int *); +int ip6_ipsec_pcbctl(struct inpcb *, struct sockopt *); #endif Modified: projects/ipsec/sys/netinet6/ip6_output.c ============================================================================== --- projects/ipsec/sys/netinet6/ip6_output.c Mon Nov 21 07:16:32 2016 (r308911) +++ projects/ipsec/sys/netinet6/ip6_output.c Mon Nov 21 07:30:07 2016 (r308912) 
@@ -1865,21 +1865,8 @@ do { \ #ifdef IPSEC case IPV6_IPSEC_POLICY: - { - caddr_t req; - struct mbuf *m; - - if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */ - break; - if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */ - break; - req = mtod(m, caddr_t); - error = ipsec_set_policy(in6p, optname, req, - m->m_len, (sopt->sopt_td != NULL) ? - sopt->sopt_td->td_ucred : NULL); - m_freem(m); + error = ip6_ipsec_pcbctl(in6p, sopt); break; - } #endif /* IPSEC */ default: 
@@ -2106,33 +2093,8 @@ do { \ #ifdef IPSEC case IPV6_IPSEC_POLICY: - { - caddr_t req = NULL; - size_t len = 0; - struct mbuf *m = NULL; - struct mbuf **mp = &m; - size_t ovalsize = sopt->sopt_valsize; - caddr_t oval = (caddr_t)sopt->sopt_val; - - error = soopt_getm(sopt, &m); /* XXX */ - if (error != 0) - break; - error = soopt_mcopyin(sopt, m); /* XXX */ - if (error != 0) - break; - sopt->sopt_valsize = ovalsize; - sopt->sopt_val = oval; - if (m) { - req = mtod(m, caddr_t); - len = m->m_len; - } - error = ipsec_get_policy(in6p, req, len, mp); - if (error == 0) - error = soopt_mcopyout(sopt, m); /* XXX */ - if (error == 0 && m) - m_freem(m); + error = ip6_ipsec_pcbctl(in6p, sopt); break; - } #endif /* IPSEC */ default: From owner-svn-src-projects@freebsd.org Mon Nov 21 10:23:30 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 45049C4C4B4 for ; Mon, 21 Nov 2016 10:23:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0C9701FDB; Mon, 21 Nov 2016 10:23:29 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uALANTct093943; Mon, 21 Nov 2016 10:23:29 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uALANTDt093942; Mon, 21 Nov 2016 10:23:29 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611211023.uALANTDt093942@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Mon, 21 Nov 2016 10:23:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308916 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2016 10:23:30 -0000 Author: ae Date: Mon Nov 21 10:23:28 2016 New Revision: 308916 URL: https://svnweb.freebsd.org/changeset/base/308916 Log: Modify key_getspreqmsglen() to reflect changing of struct ipsecrequest. Also make it to return size_t value. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Mon Nov 21 10:14:36 2016 (r308915) +++ projects/ipsec/sys/netipsec/key.c Mon Nov 21 10:23:28 2016 (r308916) @@ -464,7 +464,7 @@ static int key_spddump(struct socket *, const struct sadb_msghdr *); static struct mbuf *key_setdumpsp(struct secpolicy *, u_int8_t, u_int32_t, u_int32_t); -static u_int key_getspreqmsglen(struct secpolicy *); +static size_t key_getspreqmsglen(struct secpolicy *); static int key_spdexpire(struct secpolicy *); static struct secashead *key_newsah(struct secasindex *); static void key_delsah(struct secashead *); 
@@ -2629,32 +2629,26 @@ fail: /* * get PFKEY message length for security policy and request. */ -static u_int +static size_t key_getspreqmsglen(struct secpolicy *sp) { - u_int tlen; + size_t tlen, len; + int i; tlen = sizeof(struct sadb_x_policy); - /* if is the policy for ipsec ? */ if (sp->policy != IPSEC_POLICY_IPSEC) - return tlen; + return (tlen); /* get length of ipsec requests */ - { - struct ipsecrequest *isr; - int len; - - for (isr = sp->req; isr != NULL; isr = isr->next) { + for (i = 0; i < sp->tcount; i++) { len = sizeof(struct sadb_x_ipsecrequest) - + isr->saidx.src.sa.sa_len - + isr->saidx.dst.sa.sa_len; + + sp->req[i]->saidx.src.sa.sa_len + + sp->req[i]->saidx.dst.sa.sa_len; tlen += PFKEY_ALIGN8(len); } - } - - return tlen; + return (tlen); } /* From owner-svn-src-projects@freebsd.org Mon Nov 21 10:36:27 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0B798C4C7A0 for ; Mon, 21 Nov 2016 10:36:27 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B5F90920; Mon, 21 Nov 2016 10:36:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uALAaPQj098366; Mon, 21 Nov 2016 10:36:25 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uALAaP0T098364; Mon, 21 Nov 2016 10:36:25 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611211036.uALAaP0T098364@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
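Review bot: in key_getspreqmsglen() the new loop "for (i = 0; i < sp->tcount; i++)" dereferences sp->req[i] with nothing in the hunk bounding tcount by the capacity of req[] or checking that the entry is non-NULL, where the old list walk stopped on a NULL pointer by construction. Since the returned length is later used to size a buffer, an IPSEC_ASSERT on both conditions at the top of the loop would make the invariant explicit. The log should also say who consumes the size_t return value, because the only visible change besides the loop is the type.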
From: "Andrey V. Elsukov" Date: Mon, 21 Nov 2016 10:36:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308917 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2016 10:36:27 -0000 Author: ae Date: Mon Nov 21 10:36:25 2016 New Revision: 308917 URL: https://svnweb.freebsd.org/changeset/base/308917 Log: Split key_sp2mbuf() function into key_sp2mbuf() and key_sp2msg(). Make key_sp2mbuf() static for private use only in key.c. key_sp2msg() takes buffer and its size as arguments. When given buffer is not enough to store security policy, function calculates needed size and returns it back via sadb_x_policy_len field of struct sadb_x_policy. Also reflect changing of struct ipsecrequest. Modified: projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/key.h Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Mon Nov 21 10:23:28 2016 (r308916) +++ projects/ipsec/sys/netipsec/key.c Mon Nov 21 10:36:25 2016 (r308917) @@ -464,6 +464,7 @@ static int key_spddump(struct socket *, const struct sadb_msghdr *); static struct mbuf *key_setdumpsp(struct secpolicy *, u_int8_t, u_int32_t, u_int32_t); +static struct mbuf *key_sp2mbuf(struct secpolicy *); static size_t key_getspreqmsglen(struct secpolicy *); static int key_spdexpire(struct secpolicy *); static struct secashead *key_newsah(struct secasindex *); 
@@ -1724,43 +1725,66 @@ key_newreqid() /* * copy secpolicy struct to sadb_x_policy structure indicated. */ -struct mbuf * -key_sp2msg(struct secpolicy *sp) +static struct mbuf * +key_sp2mbuf(struct secpolicy *sp) { - struct sadb_x_policy *xpl; - int tlen; - caddr_t p; struct mbuf *m; - - IPSEC_ASSERT(sp != NULL, ("null policy")); + size_t tlen; tlen = key_getspreqmsglen(sp); - m = m_get2(tlen, M_NOWAIT, MT_DATA, 0); if (m == NULL) return (NULL); m_align(m, tlen); m->m_len = tlen; - xpl = mtod(m, struct sadb_x_policy *); - bzero(xpl, tlen); + if (key_sp2msg(sp, m->m_data, &tlen) != 0) { + m_freem(m); + return (NULL); + } + return (m); +} + +int +key_sp2msg(struct secpolicy *sp, void *request, size_t *len) +{ + struct sadb_x_ipsecrequest *xisr; + struct sadb_x_policy *xpl; + struct ipsecrequest *isr; + size_t xlen, ilen; + caddr_t p; + int error, i; + + IPSEC_ASSERT(sp != NULL, ("null policy")); - xpl->sadb_x_policy_len = PFKEY_UNIT64(tlen); + xlen = sizeof(*xpl); + if (*len < xlen) + return (EINVAL); + + error = 0; + bzero(request, *len); + xpl = (struct sadb_x_policy *)request; xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY; xpl->sadb_x_policy_type = sp->policy; xpl->sadb_x_policy_dir = sp->spidx.dir; xpl->sadb_x_policy_id = sp->id; xpl->sadb_x_policy_priority = sp->priority; - p = (caddr_t)xpl + sizeof(*xpl); /* if is the policy for ipsec ? 
*/ if (sp->policy == IPSEC_POLICY_IPSEC) { - struct sadb_x_ipsecrequest *xisr; - struct ipsecrequest *isr; - - for (isr = sp->req; isr != NULL; isr = isr->next) { - + p = (caddr_t)xpl + sizeof(*xpl); + for (i = 0; i < sp->tcount; i++) { + isr = sp->req[i]; + ilen = PFKEY_ALIGN8(sizeof(*xisr) + + isr->saidx.src.sa.sa_len + + isr->saidx.dst.sa.sa_len); + xlen += ilen; + if (xlen > *len) { + error = ENOBUFS; + /* Calculate needed size */ + continue; + } xisr = (struct sadb_x_ipsecrequest *)p; - + xisr->sadb_x_ipsecrequest_len = ilen; xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto; xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode; xisr->sadb_x_ipsecrequest_level = isr->level; @@ -1770,16 +1794,15 @@ key_sp2msg(struct secpolicy *sp) bcopy(&isr->saidx.src, p, isr->saidx.src.sa.sa_len); p += isr->saidx.src.sa.sa_len; bcopy(&isr->saidx.dst, p, isr->saidx.dst.sa.sa_len); - p += isr->saidx.src.sa.sa_len; - - xisr->sadb_x_ipsecrequest_len = - PFKEY_ALIGN8(sizeof(*xisr) - + isr->saidx.src.sa.sa_len - + isr->saidx.dst.sa.sa_len); + p += isr->saidx.dst.sa.sa_len; } } - - return m; + xpl->sadb_x_policy_len = PFKEY_UNIT64(xlen); + if (error == 0) + *len = xlen; + else + *len = sizeof(*xpl); + return (error); } /* m will not be freed nor modified */ Modified: projects/ipsec/sys/netipsec/key.h ============================================================================== --- projects/ipsec/sys/netipsec/key.h Mon Nov 21 10:23:28 2016 (r308916) +++ projects/ipsec/sys/netipsec/key.h Mon Nov 21 10:36:25 2016 (r308917) 
@@ -99,7 +99,9 @@ extern int key_checkrequest(struct ipsec const struct secasindex *); extern struct secpolicy *key_msg2sp(struct sadb_x_policy *, size_t, int *); -extern struct mbuf *key_sp2msg(struct secpolicy *); + +int key_sp2msg(struct secpolicy *, void *request, size_t *len); + extern int key_ismyaddr(struct sockaddr *); extern int key_spdacquire(struct secpolicy *); extern u_long key_random(void); From owner-svn-src-projects@freebsd.org Mon Nov 21 13:07:58 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C9750C4C430 for ; Mon, 21 Nov 2016 13:07:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9880ECB1; Mon, 21 Nov 2016 13:07:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uALD7vc5059457; Mon, 21 Nov 2016 13:07:57 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uALD7vOA059452; Mon, 21 Nov 2016 13:07:57 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611211307.uALD7vOA059452@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
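Review bot: in the request loop of key_sp2msg() (netipsec/key.c), the length recorded for each request is the padded value, "ilen = PFKEY_ALIGN8(sizeof(*xisr) + src.sa_len + dst.sa_len)", and xlen is advanced by it, but the write pointer is advanced only by the raw pieces, ending with "p += isr->saidx.dst.sa.sa_len;". Whenever the sum is not already a multiple of 8, the next sadb_x_ipsecrequest is written at an offset that disagrees with sadb_x_ipsecrequest_len and with the xlen used for the ENOBUFS check; setting p from the start of the record plus ilen would keep the three in step. Two smaller points: the src/dst fix on the final "p +=" line is a real bug fix and deserves a mention in the log, and key_sp2mbuf() now calls key_getspreqmsglen(sp) before the "null policy" IPSEC_ASSERT, which moved into key_sp2msg(), has had a chance to fire.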
From: "Andrey V. Elsukov"
Date: Mon, 21 Nov 2016 13:07:57 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308924 - in projects/ipsec/sys: netinet netipsec
X-SVN-Group: projects

Author: ae
Date: Mon Nov 21 13:07:57 2016
New Revision: 308924
URL: https://svnweb.freebsd.org/changeset/base/308924

Log:
  Modify PCB-related functions and unify their names.

  Some background. When IPsec is compiled in the kernel, each inpcb
  allocates an inpcbpolicy structure. This structure keeps two security
  policies (for INBOUND and OUTBOUND directions). By default these
  policies have IPSEC_POLICY_ENTRUST type. This means that the application
  has no preference for the security policies used and the kernel will use
  system-wide security policies.
  Some applications could want to bypass IPsec processing (e.g. IKE
  daemons). Such applications use the IP_IPSEC_POLICY/IPV6_IPSEC_POLICY
  socket option to configure IPsec bypass. In this case the policies stored
  in the inpcbpolicy structure will have type IPSEC_POLICY_BYPASS. Only a
  privileged socket can use this policy type.
  The last policy type allowed for use by an application is
  IPSEC_POLICY_IPSEC. It is also allowed only for privileged sockets.
  In theory an application could configure a security policy that requires
  IPsec processing (ESP/AH transforms).

  In reality there are a bunch of problems:
   1) ENTRUST policies for each inpcb just waste the memory, even if
      the system doesn't have any security policies;
   2) the setsockopt/getsockopt interface was broken, only setsockopt
      worked partially;
   3) even if an application has configured an IPSEC policy, there is no
      way to set the corresponding SA. It looks like all IKEd always
      require security policy that acquired SA should be visible via
      PF_KEY.
   *) I failed to find some application that uses IPSEC type of policies.

  What I did and plan to do to resolve issues:
   1) Now secpolicy pointers in the inpcbpolicy structure will not be
      initialized with ENTRUST policies. A NULL pointer will mean ENTRUST
      policy. Also, if the application didn't set BYPASS/IPSEC policies,
      the kernel will use these pointers to cache used security policies.
   2) Rework IP_IPSEC_POLICY/IPV6_IPSEC_POLICY socket options handling.
      To get the needed policy we need a hint from the application: the
      user should correctly fill sadb_x_policy->sadb_x_policy_dir before
      doing getsockopt(). If the passed buffer size is not enough, the
      needed size will be returned in the sadb_x_policy_len field and
      ENOBUFS will be returned as return code.
   3) To resolve this issue we probably need to make PCB policies visible
      through the PF_KEY interface. We can create an additional list and
      link all such policies into it. This also will help when the ipsec.ko
      module will be unloaded. We can correctly free all created security
      policies. TBD.

  What changed:
  ipsec_init_pcbpolicy() allocates the inpcbpolicy that is stored in the
  given inpcb. Now it requires only one inpcb argument.
  ipsec_control_pcbpolicy() is used by IPv4/IPv6 control code to set or get
  security policies stored in the PCB.
  Make ipsec_set_pcbpolicy() and ipsec_get_pcbpolicy() static.
  ipsec_delete_pcbpolicy() releases security policies if they are
  configured, then releases memory from the inpcbpolicy structure.
  Update ipsec_newisr() and ipsec_delisr() to reflect changes in struct
  ipsecrequest.
Modified: projects/ipsec/sys/netinet/in_pcb.c projects/ipsec/sys/netinet/sctp_pcb.c projects/ipsec/sys/netinet/tcp_syncache.c projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/ipsec.h Modified: projects/ipsec/sys/netinet/in_pcb.c ============================================================================== --- projects/ipsec/sys/netinet/in_pcb.c Mon Nov 21 12:00:31 2016 (r308923) +++ projects/ipsec/sys/netinet/in_pcb.c Mon Nov 21 13:07:57 2016 (r308924) @@ -304,7 +304,7 @@ in_pcballoc(struct socket *so, struct in mac_inpcb_create(so, inp); #endif #ifdef IPSEC - error = ipsec_init_policy(so, &inp->inp_sp); + error = ipsec_init_pcbpolicy(inp); if (error != 0) { #ifdef MAC mac_inpcb_destroy(inp); Modified: projects/ipsec/sys/netinet/sctp_pcb.c ============================================================================== --- projects/ipsec/sys/netinet/sctp_pcb.c Mon Nov 21 12:00:31 2016 (r308923) +++ projects/ipsec/sys/netinet/sctp_pcb.c Mon Nov 21 13:07:57 2016 (r308924) @@ -2460,7 +2460,7 @@ sctp_inpcb_alloc(struct socket *so, uint return (ENOBUFS); } #ifdef IPSEC - error = ipsec_init_policy(so, &inp->ip_inp.inp.inp_sp); + error = ipsec_init_pcbpolicy(&inp->ip_inp.inp); if (error != 0) { crfree(inp->ip_inp.inp.inp_cred); SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp); Modified: projects/ipsec/sys/netinet/tcp_syncache.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_syncache.c Mon Nov 21 12:00:31 2016 (r308923) +++ projects/ipsec/sys/netinet/tcp_syncache.c Mon Nov 21 13:07:57 2016 (r308924) 
@@ -738,7 +738,7 @@ syncache_socket(struct syncache *sc, str } #ifdef IPSEC /* Copy old policy into new socket's. */ - if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) + if (ipsec_copy_pcbpolicy(sotoinpcb(lso), inp) != 0) printf("syncache_socket: could not copy policy\n"); #endif #ifdef INET6 Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Mon Nov 21 12:00:31 2016 (r308923) +++ projects/ipsec/sys/netipsec/ipsec.c Mon Nov 21 13:07:57 2016 (r308924) @@ -255,8 +255,6 @@ static void ipsec6_get_ulp(const struct static void ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *); #endif -static void ipsec_delpcbpolicy(struct inpcbpolicy *); -static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src); static void vshiftl(unsigned char *, int, int); MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy"); 
@@ -801,246 +799,213 @@ ipsec_run_hhooks(struct ipsec_ctx_data * return (0); } -static void -ipsec_delpcbpolicy(struct inpcbpolicy *p) -{ - - free(p, M_IPSEC_INPCB); -} - -/* Initialize policy in PCB. */ +/* Initialize PCB policy. */ int -ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp) +ipsec_init_pcbpolicy(struct inpcb *inp) { - struct inpcbpolicy *new; - /* Sanity check. */ - if (so == NULL || pcb_sp == NULL) - panic("%s: NULL pointer was passed.\n", __func__); + IPSEC_ASSERT(inp != NULL, ("null inp")); + IPSEC_ASSERT(inp->inp_sp == NULL, ("inp_sp already initialized")); - new = (struct inpcbpolicy *) malloc(sizeof(struct inpcbpolicy), - M_IPSEC_INPCB, M_NOWAIT|M_ZERO); - if (new == NULL) { + inp->inp_sp = malloc(sizeof(struct inpcbpolicy), M_IPSEC_INPCB, + M_NOWAIT | M_ZERO); + if (inp->inp_sp == NULL) { ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); return (ENOBUFS); } - - new->priv = IPSEC_IS_PRIVILEGED_SO(so); - - if ((new->sp_in = KEY_NEWSP()) == NULL) { - ipsec_delpcbpolicy(new); - return (ENOBUFS); - } - new->sp_in->policy = IPSEC_POLICY_ENTRUST; - if ((new->sp_out = KEY_NEWSP()) == NULL) { - KEY_FREESP(&new->sp_in); - ipsec_delpcbpolicy(new); - return (ENOBUFS); - } - new->sp_out->policy = IPSEC_POLICY_ENTRUST; - *pcb_sp = new; - return (0); } -/* Copy old IPsec policy into new. */ +/* Delete PCB policy. 
*/ int -ipsec_copy_policy(struct inpcbpolicy *old, struct inpcbpolicy *new) +ipsec_delete_pcbpolicy(struct inpcb *inp) { - struct secpolicy *sp; - sp = ipsec_deepcopy_policy(old->sp_in); - if (sp) { - KEY_FREESP(&new->sp_in); - new->sp_in = sp; - } else - return (ENOBUFS); + if (inp->inp_sp == NULL) + return (0); - sp = ipsec_deepcopy_policy(old->sp_out); - if (sp) { - KEY_FREESP(&new->sp_out); - new->sp_out = sp; - } else - return (ENOBUFS); + if (inp->inp_sp->flags & INP_INBOUND_POLICY) + key_freesp(&inp->inp_sp->sp_in); - new->priv = old->priv; + if (inp->inp_sp->flags & INP_OUTBOUND_POLICY) + key_freesp(&inp->inp_sp->sp_out); + free(inp->inp_sp, M_IPSEC_INPCB); + inp->inp_sp = NULL; return (0); } -struct ipsecrequest * -ipsec_newisr(void) -{ - struct ipsecrequest *p; - - p = malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, M_NOWAIT|M_ZERO); - if (p != NULL) - IPSECREQUEST_LOCK_INIT(p); - return (p); -} - -void -ipsec_delisr(struct ipsecrequest *p) -{ - - IPSECREQUEST_LOCK_DESTROY(p); - free(p, M_IPSEC_SR); -} - /* Deep-copy a policy in PCB. */ static struct secpolicy * -ipsec_deepcopy_policy(struct secpolicy *src) +ipsec_deepcopy_pcbpolicy(struct secpolicy *src) { - struct ipsecrequest *newchain = NULL; - struct ipsecrequest *p; - struct ipsecrequest **q; - struct ipsecrequest *r; struct secpolicy *dst; + int i; if (src == NULL) return (NULL); - dst = KEY_NEWSP(); - if (dst == NULL) - return (NULL); - - /* - * Deep-copy IPsec request chain. This is required since struct - * ipsecrequest is not reference counted. 
- */ - q = &newchain; - for (p = src->req; p; p = p->next) { - *q = ipsec_newisr(); - if (*q == NULL) - goto fail; - (*q)->saidx.proto = p->saidx.proto; - (*q)->saidx.mode = p->saidx.mode; - (*q)->level = p->level; - (*q)->saidx.reqid = p->saidx.reqid; - bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src)); - bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst)); + IPSEC_ASSERT(src->state == IPSEC_SPSTATE_PCB, ("SP isn't PCB")); - (*q)->sp = dst; - - q = &((*q)->next); - } + dst = key_newsp(); + if (dst == NULL) + return (NULL); - dst->req = newchain; dst->policy = src->policy; - /* Do not touch the refcnt fields. */ - - return (dst); - -fail: - for (p = newchain; p; p = r) { - r = p->next; - ipsec_delisr(p); - p = NULL; + dst->state = src->state; + dst->priority = src->priority; + /* Do not touch the refcnt field. */ + + /* Copy IPsec request chain. */ + for (i = 0; i < src->tcount; i++) { + dst->req[i] = ipsec_newisr(); + if (dst->req[i] == NULL) { + key_freesp(&dst); + return (NULL); + } + bcopy(src->req[i], dst->req[i], sizeof(struct ipsecrequest)); + dst->tcount++; } - KEY_FREESP(&dst); - return (NULL); + KEYDBG(IPSEC_DUMP, + printf("%s: copied SP(%p) -> SP(%p)\n", __func__, src, dst); + kdebug_secpolicy(dst)); + return (dst); } -/* Set policy and IPsec request if present. */ -static int -ipsec_set_policy_internal(struct secpolicy **pcb_sp, int optname, - caddr_t request, size_t len, struct ucred *cred) +/* Copy old IPsec policy into new. */ +int +ipsec_copy_pcbpolicy(struct inpcb *old, struct inpcb *new) { - struct sadb_x_policy *xpl; - struct secpolicy *newsp = NULL; - int error; + struct secpolicy *sp; - /* Sanity check. */ - if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL) - return (EINVAL); - if (len < sizeof(*xpl)) - return (EINVAL); - xpl = (struct sadb_x_policy *)request; + /* + * old->inp_sp can be NULL if PCB was created when an IPsec + * support was unavailable. 
This is not an error, we don't have + * policies in this PCB, so nothing to copy. + */ + if (old->inp_sp == NULL) + return (0); - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s: passed policy\n", __func__); - kdebug_sadb_x_policy((struct sadb_ext *)xpl)); - - /* Check policy type. */ - /* ipsec_set_policy_internal() accepts IPSEC, ENTRUST and BYPASS. */ - if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD - || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE) - return (EINVAL); + IPSEC_ASSERT(new->inp_sp != NULL, ("new inp_sp is NULL")); + INP_WLOCK_ASSERT(new); - /* Check privileged socket. */ - if (cred != NULL && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) { - error = priv_check_cred(cred, PRIV_NETINET_IPSEC, 0); - if (error) - return (EACCES); - } + if (old->inp_sp->flags & INP_INBOUND_POLICY) { + sp = ipsec_deepcopy_pcbpolicy(old->inp_sp->sp_in); + if (sp == NULL) + return (ENOBUFS); + } else + sp = NULL; - /* Allocating new SP entry. */ - if ((newsp = key_msg2sp(xpl, len, &error)) == NULL) - return (error); + if (new->inp_sp->flags & INP_INBOUND_POLICY) + key_freesp(&new->inp_sp->sp_in); - /* Clear old SP and set new SP. 
*/ - KEY_FREESP(pcb_sp); - *pcb_sp = newsp; - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s: new policy\n", __func__); - kdebug_secpolicy(newsp)); + new->inp_sp->sp_in = sp; + if (sp != NULL) + new->inp_sp->flags |= INP_INBOUND_POLICY; + else + new->inp_sp->flags &= ~INP_INBOUND_POLICY; + + if (old->inp_sp->flags & INP_OUTBOUND_POLICY) { + sp = ipsec_deepcopy_pcbpolicy(old->inp_sp->sp_out); + if (sp == NULL) + return (ENOBUFS); + } else + sp = NULL; + + if (new->inp_sp->flags & INP_OUTBOUND_POLICY) + key_freesp(&new->inp_sp->sp_out); + new->inp_sp->sp_out = sp; + if (sp != NULL) + new->inp_sp->flags |= INP_OUTBOUND_POLICY; + else + new->inp_sp->flags &= ~INP_OUTBOUND_POLICY; return (0); } -int -ipsec_set_policy(struct inpcb *inp, int optname, caddr_t request, - size_t len, struct ucred *cred) +static int +ipsec_set_pcbpolicy(struct inpcb *inp, struct ucred *cred, + void *request, size_t len) { struct sadb_x_policy *xpl; - struct secpolicy **pcb_sp; + struct secpolicy **spp, *newsp; + int error, flags; - /* Sanity check. */ - if (inp == NULL || request == NULL) - return (EINVAL); - if (len < sizeof(*xpl)) - return (EINVAL); xpl = (struct sadb_x_policy *)request; - /* Select direction. */ switch (xpl->sadb_x_policy_dir) { case IPSEC_DIR_INBOUND: - pcb_sp = &inp->inp_sp->sp_in; + spp = &inp->inp_sp->sp_in; + flags = INP_INBOUND_POLICY; break; case IPSEC_DIR_OUTBOUND: - pcb_sp = &inp->inp_sp->sp_out; + spp = &inp->inp_sp->sp_out; + flags = INP_OUTBOUND_POLICY; break; default: ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, xpl->sadb_x_policy_dir)); return (EINVAL); } + /* + * Privileged sockets are allowed to set own security policy + * and configure IPsec bypass. Unprivileged sockets only can + * have ENTRUST policy. + */ + switch (xpl->sadb_x_policy_type) { + case IPSEC_POLICY_IPSEC: + case IPSEC_POLICY_BYPASS: + if (cred != NULL && + priv_check_cred(cred, PRIV_NETINET_IPSEC, 0) != 0) + return (EACCES); + /* Allocate new SP entry. 
*/ + newsp = key_msg2sp(xpl, len, &error); + if (newsp == NULL) + return (error); + newsp->state = IPSEC_SPSTATE_PCB; + break; + case IPSEC_POLICY_ENTRUST: + /* We just use NULL pointer for ENTRUST policy */ + newsp = NULL; + break; + default: + /* Other security policy types aren't allowed for PCB */ + return (EINVAL); + } - return (ipsec_set_policy_internal(pcb_sp, optname, request, len, cred)); + /* Clear old SP and set new SP. */ + if (*spp != NULL) + key_freesp(spp); + *spp = newsp; + KEYDBG(IPSEC_DUMP, + printf("%s: new SP(%p)\n", __func__, newsp)); + if (newsp == NULL) + inp->inp_sp->flags &= ~flags; + else { + inp->inp_sp->flags |= flags; + KEYDBG(IPSEC_DUMP, kdebug_secpolicy(newsp)); + } + return (0); } -int -ipsec_get_policy(struct inpcb *inp, caddr_t request, size_t len, - struct mbuf **mp) +static int +ipsec_get_pcbpolicy(struct inpcb *inp, void *request, size_t *len) { struct sadb_x_policy *xpl; - struct secpolicy *pcb_sp; + struct secpolicy *sp; + int error, flags; - /* Sanity check. */ - if (inp == NULL || request == NULL || mp == NULL) - return (EINVAL); - IPSEC_ASSERT(inp->inp_sp != NULL, ("null inp_sp")); - if (len < sizeof(*xpl)) - return (EINVAL); xpl = (struct sadb_x_policy *)request; - + flags = inp->inp_sp->flags; /* Select direction. */ switch (xpl->sadb_x_policy_dir) { case IPSEC_DIR_INBOUND: - pcb_sp = inp->inp_sp->sp_in; + sp = inp->inp_sp->sp_in; + flags &= INP_INBOUND_POLICY; break; case IPSEC_DIR_OUTBOUND: - pcb_sp = inp->inp_sp->sp_out; + sp = inp->inp_sp->sp_out; + flags &= INP_OUTBOUND_POLICY; break; default: ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, 
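Review bot: ipsec_copy_pcbpolicy() in netipsec/ipsec.c can return ENOBUFS after it has already replaced new->inp_sp->sp_in, because the outbound deep copy is attempted only once the inbound half has been committed, and the caller shown in the tcp_syncache.c hunk of this commit reacts to the failure with nothing more than "printf("syncache_socket: could not copy policy\n");". The accepted socket then carries the listener's inbound policy but a NULL outbound pointer, which by this commit's own convention means ENTRUST, so a listener that asked for IPSEC or BYPASS on output silently falls back to the system-wide policy. Please do both deep copies first and install them only when both succeeded, and make syncache_socket() treat a non-zero return as fatal for the new connection rather than logging it.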
@@ -1048,42 +1013,86 @@ ipsec_get_policy(struct inpcb *inp, cadd return (EINVAL); } - /* Sanity check. Should be an IPSEC_ASSERT. */ - if (pcb_sp == NULL) - return (EINVAL); - - *mp = key_sp2msg(pcb_sp); - if (!*mp) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); - return (ENOBUFS); + if (flags == 0) { + /* Return ENTRUST policy */ + xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY; + xpl->sadb_x_policy_type = IPSEC_POLICY_ENTRUST; + xpl->sadb_x_policy_id = 0; + xpl->sadb_x_policy_priority = 0; + xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl)); + *len = sizeof(*xpl); + return (0); } - (*mp)->m_type = MT_DATA; - KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("%s:\n", __func__); kdebug_mbuf(*mp)); + IPSEC_ASSERT(sp != NULL, + ("sp is NULL, but flags is 0x%04x", inp->inp_sp->flags)); + key_addref(sp); + error = key_sp2msg(sp, request, len); + key_freesp(&sp); + if (error == EINVAL) + return (error); + /* + * We return "success", but user should check *len. + * *len will be set to size of valid data and + * sadb_x_policy_len will contain needed size. + */ return (0); } -/* Delete policy in PCB. */ +/* Handle socket option control request for PCB */ int -ipsec_delete_pcbpolicy(struct inpcb *inp) +ipsec_control_pcbpolicy(struct inpcb *inp, struct sockopt *sopt) { - IPSEC_ASSERT(inp != NULL, ("null inp")); + void *optdata; + size_t optlen; + int error; if (inp->inp_sp == NULL) - return (0); + return (ENOPROTOOPT); - if (inp->inp_sp->sp_in != NULL) - KEY_FREESP(&inp->inp_sp->sp_in); + /* Limit maximum request size to PAGE_SIZE */ + optlen = sopt->sopt_valsize; + if (optlen < sizeof(struct sadb_x_policy) || optlen > PAGE_SIZE) + return (EINVAL); - if (inp->inp_sp->sp_out != NULL) - KEY_FREESP(&inp->inp_sp->sp_out); + optdata = malloc(optlen, M_TEMP, sopt->sopt_td ? M_WAITOK: M_NOWAIT); + if (optdata == NULL) + return (ENOBUFS); + /* + * We need a hint from the user, what policy is requested - input + * or output? 
User should specify it in the buffer, even for + * setsockopt(). + */ + error = sooptcopyin(sopt, optdata, optlen, optlen); + if (error == 0) { + if (sopt->sopt_dir == SOPT_SET) + error = ipsec_set_pcbpolicy(inp, + sopt->sopt_td ? sopt->sopt_td->td_ucred: NULL, + optdata, optlen); + else { + error = ipsec_get_pcbpolicy(inp, optdata, &optlen); + if (error == 0) + error = sooptcopyout(sopt, optdata, optlen); + } + } + free(optdata, M_TEMP); + return (error); +} - ipsec_delpcbpolicy(inp->inp_sp); - inp->inp_sp = NULL; +struct ipsecrequest * +ipsec_newisr(void) +{ - return (0); + return (malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, + M_NOWAIT | M_ZERO)); +} + +void +ipsec_delisr(struct ipsecrequest *p) +{ + + free(p, M_IPSEC_SR); } /* Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Mon Nov 21 12:00:31 2016 (r308923) +++ projects/ipsec/sys/netipsec/ipsec.h Mon Nov 21 13:07:57 2016 (r308924) 
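Review bot: In ipsec.c, ipsec_get_pcbpolicy() returns 0 for every key_sp2msg() failure other than EINVAL, so ipsec_control_pcbpolicy() goes on to sooptcopyout() and the get request reports success even when the comment says the caller still has to compare *len with sadb_x_policy_len. Nothing a caller normally checks signals that condition; return a distinct errno, or document the contract where userland will see it. Also, ipsec_control_pcbpolicy() may sleep in malloc(M_WAITOK), and neither it nor the set/get helpers take or assert the inpcb lock in the visible lines, while ipsec_set_pcbpolicy() frees *spp and rewrites inp_sp->flags; please state what serializes these updates against packet processing, for example with a lock assertion or explicit locking around the swap.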
@@ -298,29 +298,24 @@ VNET_DECLARE(int, crypto_support); /* for openbsd compatibility */ #define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0) -extern struct ipsecrequest *ipsec_newisr(void); -extern void ipsec_delisr(struct ipsecrequest *); - struct inpcb; +struct secasvar; +struct sockopt; + +struct ipsecrequest *ipsec_newisr(void); +void ipsec_delisr(struct ipsecrequest *); struct secpolicy *ipsec4_checkpolicy(const struct mbuf *, struct inpcb *, int *); -extern struct secpolicy * ipsec_getpolicybyaddr(const struct mbuf *, u_int, - int *); - -extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **); -extern int ipsec_copy_policy(struct inpcbpolicy *, struct inpcbpolicy *); u_int ipsec_get_reqlevel(struct secpolicy *, u_int); int ipsec4_in_reject(const struct mbuf *, struct inpcb *); size_t ipsec_hdrsiz_inpcb(struct inpcb *); -extern int ipsec_set_policy(struct inpcb *inp, int optname, - caddr_t request, size_t len, struct ucred *cred); -extern int ipsec_get_policy(struct inpcb *inpcb, caddr_t request, - size_t len, struct mbuf **mp); -extern int ipsec_delete_pcbpolicy(struct inpcb *); +int ipsec_init_pcbpolicy(struct inpcb *); +int ipsec_delete_pcbpolicy(struct inpcb *); +int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *); +int ipsec_control_pcbpolicy(struct inpcb *, struct sockopt *); -struct secas; extern int ipsec_chkreplay(u_int32_t, struct secasvar *); extern int ipsec_updatereplay(u_int32_t, struct secasvar *); From owner-svn-src-projects@freebsd.org Mon Nov 21 18:13:11 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5E43CC4CB3A for ; Mon, 21 Nov 2016 18:13:11 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not 
present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2E9191ABD; Mon, 21 Nov 2016 18:13:11 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uALIDAEF086590; Mon, 21 Nov 2016 18:13:10 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uALIDAsG086589; Mon, 21 Nov 2016 18:13:10 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611211813.uALIDAsG086589@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Mon, 21 Nov 2016 18:13:10 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308929 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2016 18:13:11 -0000 Author: ae Date: Mon Nov 21 18:13:10 2016 New Revision: 308929 URL: https://svnweb.freebsd.org/changeset/base/308929 Log: Modify ipsec_address() to print out IPv6 scope zone id for link-local IPv6 addresses. Also print "*" for sockaddr with zero sa_family. Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Mon Nov 21 15:42:54 2016 (r308928) +++ projects/ipsec/sys/netipsec/ipsec.c Mon Nov 21 18:13:10 2016 (r308929) 
@@ -1647,8 +1647,17 @@ ipsec_address(union sockaddr_union* sa, #endif /* INET */ #ifdef INET6 case AF_INET6: - return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr, buf, size)); + if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6.sin6_addr)) { + snprintf(buf, size, "%s%%%u", inet_ntop(AF_INET6, + &sa->sin6.sin6_addr, buf, size), + sa->sin6.sin6_scope_id); + return (buf); + } else + return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr, + buf, size)); #endif /* INET6 */ + case 0: + return ("*"); default: return ("(unknown address family)"); } 
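Review bot: In the AF_INET6 link-local branch, snprintf() is given buf both as its destination and, through the inet_ntop() return value, as the source for the %s argument, which is overlapping-object use that the C standard leaves undefined; inet_ntop() can also return NULL when size is too small. Format the address first, check the result, then append the zone id at buf + strlen(buf) with the remaining size. The output can now be longer than INET6_ADDRSTRLEN - 1 characters, so every caller of ipsec_address() needs an IPSEC_ADDRSTRLEN-sized buffer, not only ipsec_logsastr() in the next hunk.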
@@ -1657,7 +1666,7 @@ ipsec_address(union sockaddr_union* sa, char * ipsec_logsastr(struct secasvar *sav, char *buf, size_t size) { - char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN]; + char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; IPSEC_ASSERT(sav->sah->saidx.src.sa.sa_family == sav->sah->saidx.dst.sa.sa_family, ("address family mismatch")); From owner-svn-src-projects@freebsd.org Mon Nov 21 18:20:30 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1D2C9C4CE4F for ; Mon, 21 Nov 2016 18:20:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DE55B1F70; Mon, 21 Nov 2016 18:20:29 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uALIKSbv086872; Mon, 21 Nov 2016 18:20:28 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uALIKSAY086871; Mon, 21 Nov 2016 18:20:28 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611211820.uALIKSAY086871@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov"
Date: Mon, 21 Nov 2016 18:20:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308930 - projects/ipsec/sys/netipsec
X-SVN-Group: projects

Author: ae
Date: Mon Nov 21 18:20:28 2016
New Revision: 308930
URL: https://svnweb.freebsd.org/changeset/base/308930

Log:
  Introduce SADB_CHECKHDR() and SADB_CHECKLEN() macros.
  SADB_CHECKHDR() will be used to check presence of specified SADB
  extension header. SADB_CHECKLEN() checks that specified header has
  correct length.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Mon Nov 21 18:13:10 2016 (r308929) +++ projects/ipsec/sys/netipsec/key.c Mon Nov 21 18:20:28 2016 (r308930) 
@@ -296,6 +296,11 @@ static const int maxsize[] = { sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ }; +#define SADB_CHECKLEN(_mhp, _ext) \ + ((_mhp)->extlen[(_ext)] < minsize[(_ext)] || (maxsize[(_ext)] != 0 && \ + ((_mhp)->extlen[(_ext)] > maxsize[(_ext)]))) +#define SADB_CHECKHDR(_mhp, _ext) ((_mhp)->ext[(_ext)] == NULL) + static VNET_DEFINE(int, ipsec_esp_keymin) = 256; static VNET_DEFINE(int, ipsec_esp_auth) = 0; static VNET_DEFINE(int, ipsec_ah_keymin) = 128; From owner-svn-src-projects@freebsd.org Mon Nov 21 18:33:35 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 62593C4D542 for ; Mon, 21 Nov 2016 18:33:35 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1585AF9A; Mon, 21 Nov 2016 18:33:35 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uALIXYVg094233; Mon, 21 Nov 2016 18:33:34 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uALIXYXH094232; Mon, 21 Nov 2016 18:33:34 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611211833.uALIXYXH094232@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
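Review bot: In the r308930 hunk in key.c, both new macros evaluate to true on failure: SADB_CHECKLEN() is true when extlen is below minsize or above a non-zero maxsize, and SADB_CHECKHDR() is true when the extension pointer is NULL, which is the opposite of what the names suggest and is easy to misread in a validation path. Add a comment above the definitions stating the polarity, or rename them so the name describes the error condition. SADB_CHECKLEN() also indexes extlen[], minsize[] and maxsize[] with _ext unchecked, so the comment should say it is only for SADB_EXT_* constants inside the tables' range.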
From: "Andrey V. Elsukov"
Date: Mon, 21 Nov 2016 18:33:34 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308932 - projects/ipsec/sys/netipsec
X-SVN-Group: projects

Author: ae
Date: Mon Nov 21 18:33:33 2016
New Revision: 308932
URL: https://svnweb.freebsd.org/changeset/base/308932

Log:
  Add some macros to do reference counting.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Mon Nov 21 18:24:05 2016 (r308931) +++ projects/ipsec/sys/netipsec/key.c Mon Nov 21 18:33:33 2016 (r308932) 
@@ -584,31 +584,41 @@ static struct mbuf *key_setkey(struct se static const char *key_getfqdn(void); static const char *key_getuserfqdn(void); #endif -static void key_sa_chgstate(struct secasvar *, u_int8_t); -static __inline void -sa_initref(struct secasvar *sav) -{ - - refcount_init(&sav->refcnt, 1); -} -static __inline void -sa_addref(struct secasvar *sav) -{ - - refcount_acquire(&sav->refcnt); - IPSEC_ASSERT(sav->refcnt != 0, ("SA refcnt overflow")); -} -static __inline int -sa_delref(struct secasvar *sav) -{ - - IPSEC_ASSERT(sav->refcnt > 0, ("SA refcnt underflow")); - return (refcount_release(&sav->refcnt)); -} - -#define SP_ADDREF(p) refcount_acquire(&(p)->refcnt) -#define SP_DELREF(p) refcount_release(&(p)->refcnt) +#define DBG_IPSEC_INITREF(t, p) do { \ + refcount_init(&(p)->refcnt, 1); \ + KEYDBG(KEY_STAMP, \ + printf("%s: Initialize refcnt %s(%p) = %u\n", \ + __func__, #t, (p), (p)->refcnt)); \ +} while (0) +#define DBG_IPSEC_ADDREF(t, p) do { \ + refcount_acquire(&(p)->refcnt); \ + KEYDBG(KEY_STAMP, \ + printf("%s: Acquire refcnt %s(%p) -> %u\n", \ + __func__, #t, (p), (p)->refcnt)); \ +} while (0) +#define DBG_IPSEC_DELREF(t, p) do { \ + KEYDBG(KEY_STAMP, \ + printf("%s: Release refcnt %s(%p) -> %u\n", \ + __func__, #t, (p), (p)->refcnt - 1)); \ + refcount_release(&(p)->refcnt); \ +} while (0) + +#define IPSEC_INITREF(t, p) refcount_init(&(p)->refcnt, 1) +#define IPSEC_ADDREF(t, p) refcount_acquire(&(p)->refcnt) +#define IPSEC_DELREF(t, p) refcount_release(&(p)->refcnt) + +#define SP_INITREF(p) IPSEC_INITREF(SP, p) +#define SP_ADDREF(p) IPSEC_ADDREF(SP, p) +#define SP_DELREF(p) IPSEC_DELREF(SP, p) + +#define SAH_INITREF(p) IPSEC_INITREF(SAH, p) +#define SAH_ADDREF(p) IPSEC_ADDREF(SAH, p) +#define SAH_DELREF(p) IPSEC_DELREF(SAH, p) + +#define SAV_INITREF(p) IPSEC_INITREF(SAV, p) +#define SAV_ADDREF(p) IPSEC_ADDREF(SAV, p) +#define SAV_DELREF(p) IPSEC_DELREF(SAV, p) /* * Update the refcnt while holding the SPTREE lock. 
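Review bot: The removed sa_addref() and sa_delref() helpers asserted against refcnt overflow and underflow, and none of the replacement IPSEC_ADDREF()/IPSEC_DELREF() macros keep those IPSEC_ASSERTs, so a double release of an SA no longer trips an assertion. Consider keeping the checks in the macro bodies. Also, DBG_IPSEC_DELREF() is a do { } while (0) statement that discards the refcount_release() result, so it cannot stand in for IPSEC_DELREF() wherever the caller tests for the last reference, and the t argument is unused in the non-debug variants; a short comment on how the DBG_ versions are meant to be selected would help.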
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 08:56:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308959 - projects/ipsec/sys/netipsec
X-SVN-Group: projects

Author: ae
Date: Tue Nov 22 08:56:29 2016
New Revision: 308959
URL: https://svnweb.freebsd.org/changeset/base/308959

Log:
  Add key_checksockaddrs() function. It will be used to check that
  sockaddr structures from PF_KEY message are properly filled.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 08:30:32 2016 (r308958) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 08:56:29 2016 (r308959) 
@@ -654,6 +654,35 @@ key_getspgen(void) return (V_sp_genid); } +static int +key_checksockaddrs(struct sockaddr *src, struct sockaddr *dst) +{ + + /* family match */ + if (src->sa_family != dst->sa_family) + return (EINVAL); + /* sa_len match */ + if (src->sa_len != dst->sa_len) + return (EINVAL); + switch (src->sa_family) { +#ifdef INET + case AF_INET: + if (src->sa_len != sizeof(struct sockaddr_in)) + return (EINVAL); + break; +#endif +#ifdef INET6 + case AF_INET6: + if (src->sa_len != sizeof(struct sockaddr_in6)) + return (EINVAL); + break; +#endif + default: + return (EAFNOSUPPORT); + } + return (0); +} + /* * allocating a SP for OUTBOUND or INBOUND packet. * Must call key_freesp() later. From owner-svn-src-projects@freebsd.org Tue Nov 22 09:04:27 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DBBEAC4D242 for ; Tue, 22 Nov 2016 09:04:27 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8727931C; Tue, 22 Nov 2016 09:04:27 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAM94QVC045773; Tue, 22 Nov 2016 09:04:26 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAM94QvP045772; Tue, 22 Nov 2016 09:04:26 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611220904.uAM94QvP045772@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
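Review bot: key_checksockaddrs() in r308959 reads sa_family and sa_len from both sockaddrs and compares sa_len with sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6), but nothing in the function ties sa_len to the length of the PF_KEY extension that carries the address. Please document above the function that callers must first verify the address extension is large enough to hold the sockaddr (for instance with SADB_CHECKLEN() from r308930), otherwise these field reads can run past the data supplied by userland. A one-line comment on why a family mismatch returns EINVAL while an unknown family returns EAFNOSUPPORT would also help callers map the errors.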
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 09:04:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308960 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 09:04:28 -0000 Author: ae Date: Tue Nov 22 09:04:26 2016 New Revision: 308960 URL: https://svnweb.freebsd.org/changeset/base/308960 Log: Make debugging capabilities of key_allocsp() more useful. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 08:56:29 2016 (r308959) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 09:04:26 2016 (r308960) @@ -690,8 +690,7 @@ key_checksockaddrs(struct sockaddr *src, * others: found and return the pointer. */ struct secpolicy * -key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, - int tag) +key_allocsp(struct secpolicyindex *spidx, u_int dir) { SPTREE_RLOCK_TRACKER; struct secpolicy *sp; 
@@ -700,38 +699,26 @@ key_allocsp(struct secpolicyindex *spidx IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, ("invalid direction %u", dir)); - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s from %s:%u\n", __func__, where, tag)); - - /* get a SP entry */ - KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("*** objects\n"); - kdebug_secpolicyindex(spidx)); - SPTREE_RLOCK(); TAILQ_FOREACH(sp, &V_sptree[dir], chain) { - KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("*** in SPD\n"); - kdebug_secpolicyindex(&sp->spidx)); - if (key_cmpspidx_withmask(&sp->spidx, spidx)) - goto found; + if (key_cmpspidx_withmask(&sp->spidx, spidx)) { + SP_ADDREF(sp); + break; + } } - sp = NULL; -found: - if (sp) { - /* sanity check */ - KEY_CHKSPDIR(sp->spidx.dir, dir, __func__); + SPTREE_RUNLOCK(); - /* found a SPD entry */ + if (sp != NULL) { /* found a SPD entry */ sp->lastused = time_second; - SP_ADDREF(sp); + KEYDBG(IPSEC_STAMP, + printf("%s: return SP(%p)\n", __func__, sp)); + KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); + } else { + KEYDBG(IPSEC_DATA, + printf("%s: lookup failed for ", __func__); + kdebug_secpolicyindex(spidx, NULL)); } - SPTREE_RUNLOCK(); - - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__, - sp, sp ? sp->id : 0, sp ? 
sp->refcnt : 0)); - return sp; + return (sp); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 09:07:13 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7166CC4D2B5 for ; Tue, 22 Nov 2016 09:07:13 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4562B66E; Tue, 22 Nov 2016 09:07:13 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAM97CqZ045908; Tue, 22 Nov 2016 09:07:12 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAM97CrW045907; Tue, 22 Nov 2016 09:07:12 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611220907.uAM97CrW045907@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
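Review bot: In the second key_allocsp() hunk of r308960, the KEY_CHKSPDIR() sanity check on sp->spidx.dir is dropped without a replacement; since entries are taken from V_sptree[dir], an IPSEC_ASSERT that sp->spidx.dir == dir in the found branch would keep the invariant checked cheaply. The function now also relies on TAILQ_FOREACH leaving sp == NULL when no entry matches, because the explicit sp = NULL was removed along with the found label; a brief comment at the loop would make that dependency obvious to the next reader.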
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 09:07:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308961 - projects/ipsec/sys/netipsec
X-SVN-Group: projects

Author: ae
Date: Tue Nov 22 09:07:12 2016
New Revision: 308961
URL: https://svnweb.freebsd.org/changeset/base/308961

Log:
  Remove unused key_allocsp2() and key_gettunnel() functions.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 09:04:26 2016 (r308960) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 09:07:12 2016 (r308961) 
@@ -722,142 +722,6 @@ key_allocsp(struct secpolicyindex *spidx } /* - * allocating a SP for OUTBOUND or INBOUND packet. - * Must call key_freesp() later. - * OUT: NULL: not found - * others: found and return the pointer. - */ -struct secpolicy * -key_allocsp2(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto, - u_int dir, const char* where, int tag) -{ - SPTREE_RLOCK_TRACKER; - struct secpolicy *sp; - - IPSEC_ASSERT(dst != NULL, ("null dst")); - IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, - ("invalid direction %u", dir)); - - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s from %s:%u\n", __func__, where, tag)); - - /* get a SP entry */ - KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("*** objects\n"); - printf("spi %u proto %u dir %u\n", spi, proto, dir); - kdebug_sockaddr(&dst->sa)); - - SPTREE_RLOCK(); - TAILQ_FOREACH(sp, &V_sptree[dir], chain) { - KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("*** in SPD\n"); - kdebug_secpolicyindex(&sp->spidx)); - /* compare simple values, then dst address */ - if (sp->spidx.ul_proto != proto) - continue; - /* NB: spi's must exist and match */ - if (!sp->req || !sp->req->sav || sp->req->sav->spi != spi) - continue; - if (key_sockaddrcmp(&sp->spidx.dst.sa, &dst->sa, 1) == 0) - goto found; - } - sp = NULL; -found: - if (sp) { - /* sanity check */ - KEY_CHKSPDIR(sp->spidx.dir, dir, __func__); - - /* found a SPD entry */ - sp->lastused = time_second; - SP_ADDREF(sp); - } - SPTREE_RUNLOCK(); - - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__, - sp, sp ? sp->id : 0, sp ? sp->refcnt : 0)); - return sp; -} - -#if 0 -/* - * return a policy that matches this particular inbound packet. 
- * XXX slow - */ -struct secpolicy * -key_gettunnel(const struct sockaddr *osrc, - const struct sockaddr *odst, - const struct sockaddr *isrc, - const struct sockaddr *idst, - const char* where, int tag) -{ - struct secpolicy *sp; - const int dir = IPSEC_DIR_INBOUND; - struct ipsecrequest *r1, *r2, *p; - struct secpolicyindex spidx; - - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s from %s:%u\n", __func__, where, tag)); - - if (isrc->sa_family != idst->sa_family) { - ipseclog((LOG_ERR, "%s: protocol family mismatched %d != %d\n.", - __func__, isrc->sa_family, idst->sa_family)); - sp = NULL; - goto done; - } - - SPTREE_LOCK(); - LIST_FOREACH(sp, &V_sptree[dir], chain) { - if (sp->state == IPSEC_SPSTATE_DEAD) - continue; - - r1 = r2 = NULL; - for (p = sp->req; p; p = p->next) { - if (p->saidx.mode != IPSEC_MODE_TUNNEL) - continue; - - r1 = r2; - r2 = p; - - if (!r1) { - /* here we look at address matches only */ - spidx = sp->spidx; - if (isrc->sa_len > sizeof(spidx.src) || - idst->sa_len > sizeof(spidx.dst)) - continue; - bcopy(isrc, &spidx.src, isrc->sa_len); - bcopy(idst, &spidx.dst, idst->sa_len); - if (!key_cmpspidx_withmask(&sp->spidx, &spidx)) - continue; - } else { - if (key_sockaddrcmp(&r1->saidx.src.sa, isrc, 0) || - key_sockaddrcmp(&r1->saidx.dst.sa, idst, 0)) - continue; - } - - if (key_sockaddrcmp(&r2->saidx.src.sa, osrc, 0) || - key_sockaddrcmp(&r2->saidx.dst.sa, odst, 0)) - continue; - - goto found; - } - } - sp = NULL; -found: - if (sp) { - sp->lastused = time_second; - SP_ADDREF(sp); - } - SPTREE_UNLOCK(); -done: - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s return SP:%p (ID=%u) refcnt %u\n", __func__, - sp, sp ? sp->id : 0, sp ? sp->refcnt : 0)); - return sp; -} -#endif - -/* * allocating an SA entry for an *OUTBOUND* packet. * checking each request entries in SP, and acquire an SA if need. * OUT: 0: there are valid requests. 
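Review bot: Only key.c is modified in r308961, so if a header still carries the key_allocsp2() prototype or any wrapper macro that supplies its where/tag arguments, those should be removed in the same change to avoid leaving a declaration with no definition. The key_gettunnel() block was already under #if 0, so its removal needs no further follow-up.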
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 09:31:04 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308962 - projects/ipsec/sys/netipsec
X-SVN-Group: projects

Author: ae
Date: Tue Nov 22 09:31:03 2016
New Revision: 308962
URL: https://svnweb.freebsd.org/changeset/base/308962

Log:
  Rework SADB.
  SAH entries now stored in TAILQ. Access to the various SADB lists and
  queues will be protected with rmlock. Hash table sahaddrhashtbl added
  to speed up lookups in sahtree using secasindex. Hash table savhashtbl
  added to speed up SA lookups using SPI.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 09:07:12 2016 (r308961) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 09:31:03 2016 (r308962) 
@@ -172,16 +172,78 @@ static VNET_DEFINE(u_long, sphash_mask); #define SPHASH_HASHVAL(id) (key_u32hash(id) & V_sphash_mask) #define SPHASH_HASH(id) &V_sphashtbl[SPHASH_HASHVAL(id)] -static VNET_DEFINE(LIST_HEAD(_sahtree, secashead), sahtree); /* SAD */ +/* SAD */ +TAILQ_HEAD(secashead_queue, secashead); +LIST_HEAD(secashead_list, secashead); +static VNET_DEFINE(struct secashead_queue, sahtree); +static struct rmlock sahtree_lock; #define V_sahtree VNET(sahtree) -static struct mtx sahtree_lock; -#define SAHTREE_LOCK_INIT() \ - mtx_init(&sahtree_lock, "sahtree", \ - "fast ipsec security association database", MTX_DEF) -#define SAHTREE_LOCK_DESTROY() mtx_destroy(&sahtree_lock) -#define SAHTREE_LOCK() mtx_lock(&sahtree_lock) -#define SAHTREE_UNLOCK() mtx_unlock(&sahtree_lock) -#define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED) +#define SAHTREE_LOCK_INIT() rm_init(&sahtree_lock, "sahtree") +#define SAHTREE_LOCK_DESTROY() rm_destroy(&sahtree_lock) +#define SAHTREE_RLOCK_TRACKER struct rm_priotracker sahtree_tracker +#define SAHTREE_RLOCK() rm_rlock(&sahtree_lock, &sahtree_tracker) +#define SAHTREE_RUNLOCK() rm_runlock(&sahtree_lock, &sahtree_tracker) +#define SAHTREE_RLOCK_ASSERT() rm_assert(&sahtree_lock, RA_RLOCKED) +#define SAHTREE_WLOCK() rm_wlock(&sahtree_lock) +#define SAHTREE_WUNLOCK() rm_wunlock(&sahtree_lock) +#define SAHTREE_WLOCK_ASSERT() rm_assert(&sahtree_lock, RA_WLOCKED) +#define SAHTREE_UNLOCK_ASSERT() rm_assert(&sahtree_lock, RA_UNLOCKED) + +/* Hash table for lookup in SAD using SA addresses */ +static VNET_DEFINE(struct secashead_list *, sahaddrhashtbl); +static VNET_DEFINE(u_long, sahaddrhash_mask); +#define V_sahaddrhashtbl VNET(sahaddrhashtbl) +#define V_sahaddrhash_mask VNET(sahaddrhash_mask) + +#define SAHHASH_NHASH_LOG2 7 +#define SAHHASH_NHASH (1 << SAHHASH_NHASH_LOG2) +#define SAHADDRHASH_HASHVAL(saidx) \ + (key_saidxhash(saidx) & V_sahaddrhash_mask) +#define SAHADDRHASH_HASH(saidx) \ + 
&V_sahaddrhashtbl[SAHADDRHASH_HASHVAL(saidx)] + +/* Hash table for lookup in SAD using SPI */ +LIST_HEAD(secasvar_list, secasvar); +static VNET_DEFINE(struct secasvar_list *, savhashtbl); +static VNET_DEFINE(u_long, savhash_mask); +#define V_savhashtbl VNET(savhashtbl) +#define V_savhash_mask VNET(savhash_mask) +#define SAVHASH_NHASH_LOG2 7 +#define SAVHASH_NHASH (1 << SAVHASH_NHASH_LOG2) +#define SAVHASH_HASHVAL(spi) (key_u32hash(spi) & V_savhash_mask) +#define SAVHASH_HASH(spi) &V_savhashtbl[SAVHASH_HASHVAL(spi)] + +static uint32_t +key_saidxhash(const struct secasindex *saidx) +{ + uint32_t hval; + + hval = fnv_32_buf(&saidx->proto, sizeof(saidx->proto), + FNV1_32_INIT); + switch (saidx->dst.sa.sa_family) { +#ifdef INET + case AF_INET: + hval = fnv_32_buf(&saidx->src.sin.sin_addr, + sizeof(in_addr_t), hval); + hval = fnv_32_buf(&saidx->dst.sin.sin_addr, + sizeof(in_addr_t), hval); + break; +#endif +#ifdef INET6 + case AF_INET6: + hval = fnv_32_buf(&saidx->src.sin6.sin6_addr, + sizeof(struct in6_addr), hval); + hval = fnv_32_buf(&saidx->dst.sin6.sin6_addr, + sizeof(struct in6_addr), hval); + break; +#endif + default: + hval = 0; + ipseclog((LOG_DEBUG, "%s: unknown address family %d", + __func__, saidx->dst.sa.sa_family)); + } + return (hval); +} static uint32_t key_u32hash(uint32_t val) @@ -7658,6 +7720,9 @@ key_init(void) LIST_INIT(&V_sahtree); V_sphashtbl = hashinit(SPHASH_NHASH, M_IPSEC_SP, &V_sphash_mask); + V_savhashtbl = hashinit(SAVHASH_NHASH, M_IPSEC_SA, &V_savhash_mask); + V_sahaddrhashtbl = hashinit(SAHHASH_NHASH, M_IPSEC_SAH, + &V_sahaddrhash_mask); for (i = 0; i <= SADB_SATYPE_MAX; i++) LIST_INIT(&V_regtree[i]); 
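Review bot: In the key_init() hunk the unchanged context still calls LIST_INIT(&V_sahtree), but the first hunk of this commit turns sahtree into a TAILQ_HEAD (struct secashead_queue), so the head needs TAILQ_INIT() here. In key_saidxhash() above, the default case forces hval to 0 for an unknown address family, which places all such entries in one bucket, and the ipseclog() format string there lacks the trailing \n that the other ipseclog() calls shown on this page include.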
@@ -7722,6 +7787,8 @@ key_destroy(void) SAHTREE_UNLOCK(); hashdestroy(V_sphashtbl, M_IPSEC_SP, V_sphash_mask); + hashdestroy(V_savhashtbl, M_IPSEC_SA, V_savhash_mask); + hashdestroy(V_sahaddrhashtbl, M_IPSEC_SAH, V_sahaddrhash_mask); REGTREE_LOCK(); for (i = 0; i <= SADB_SATYPE_MAX; i++) { From owner-svn-src-projects@freebsd.org Tue Nov 22 09:52:34 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B8850C4FC54 for ; Tue, 22 Nov 2016 09:52:34 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9592A871; Tue, 22 Nov 2016 09:52:34 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAM9qXPe066750; Tue, 22 Nov 2016 09:52:33 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAM9qXPc066749; Tue, 22 Nov 2016 09:52:33 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611220952.uAM9qXPc066749@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
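Review bot: key_init() still calls LIST_INIT(&V_sahtree) and key_destroy() still calls SAHTREE_UNLOCK() in the unchanged context of the last two hunks, but the first hunk turns sahtree into a TAILQ_HEAD (struct secashead_queue) and replaces the mutex macros with the rm_rlock/rm_wlock set, which has no SAHTREE_UNLOCK(). Both call sites need to change together with the type: TAILQ_INIT(&V_sahtree) in key_init(), and the SAHTREE_WLOCK()/SAHTREE_WUNLOCK() pair around the teardown in key_destroy(). Smaller point in key_saidxhash(): the default case sets hval to 0, so an index with an unknown address family lands in bucket 0 like a valid one and the caller cannot tell; the ipseclog() format string there also lacks the trailing "\n" that the other log calls use.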
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 09:52:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308968 - projects/ipsec/sys/netipsec Author: ae Date: Tue Nov 22 09:52:33 2016 New Revision: 308968 URL: https://svnweb.freebsd.org/changeset/base/308968 Log: Rework key_allocsa_policy() function. Remove old code used for allocating SA for outbound packet. Now only key_allocsa_policy() function will be used for this. As arguments it takes security policy that was found by ipsec[46]_checkpolicy() and secasindex constructed using information from policy and mbuf. Using secasindex we do lookup in SAH hash table, then based on key_preferred_oldsa variable we take LAST or FIRST element from SAH's savtree_alive. If corresponding SAH entry was not found, we acquire SA from IKEd using key_acquire() function. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 09:49:15 2016 (r308967) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 09:52:33 2016 (r308968)
@@ -784,265 +784,75 @@ key_allocsp(struct secpolicyindex *spidx } /* - * allocating an SA entry for an *OUTBOUND* packet. - * checking each request entries in SP, and acquire an SA if need. - * OUT: 0: there are valid requests. - * ENOENT: policy may be valid, but SA with REQUIRE is on acquiring. + * Allocating an SA entry for an *OUTBOUND* packet. + * OUT: positive: corresponding SA for given saidx found. + * NULL: SA not found, but will be acquired, check *error + * for acquiring status. */ -int -key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx) +struct secasvar * +key_allocsa_policy(struct secpolicy *sp, const struct secasindex *saidx, + int *error) { - u_int level; - int error; + SAHTREE_RLOCK_TRACKER; + struct secashead *sah; struct secasvar *sav; - IPSEC_ASSERT(isr != NULL, ("null isr")); IPSEC_ASSERT(saidx != NULL, ("null saidx")); IPSEC_ASSERT(saidx->mode == IPSEC_MODE_TRANSPORT || saidx->mode == IPSEC_MODE_TUNNEL, ("unexpected policy %u", saidx->mode)); /* - * XXX guard against protocol callbacks from the crypto - * thread as they reference ipsecrequest.sav which we - * temporarily null out below. Need to rethink how we - * handle bundled SA's in the callback thread. - */ - IPSECREQUEST_LOCK_ASSERT(isr); - - /* get current level */ - level = ipsec_get_reqlevel(isr); - - /* * We check new SA in the IPsec request because a different * SA may be involved each time this request is checked, either * because new SAs are being configured, or this request is * associated with an unconnected datagram socket, or this request * is associated with a system default policy. - * - * key_allocsa_policy should allocate the oldest SA available. - * See key_do_allocsa_policy(), and draft-jenkins-ipsec-rekeying-03.txt. */ - sav = key_allocsa_policy(saidx); - if (sav != isr->sav) { - /* SA need to be updated. */ - if (!IPSECREQUEST_UPGRADE(isr)) { - /* Kick everyone off. 
*/ - IPSECREQUEST_UNLOCK(isr); - IPSECREQUEST_WLOCK(isr); - } - if (isr->sav != NULL) - KEY_FREESAV(&isr->sav); - isr->sav = sav; - IPSECREQUEST_DOWNGRADE(isr); - } else if (sav != NULL) - KEY_FREESAV(&sav); - - /* When there is SA. */ - if (isr->sav != NULL) { - if (isr->sav->state != SADB_SASTATE_MATURE && - isr->sav->state != SADB_SASTATE_DYING) - return EINVAL; - return 0; - } - - /* there is no SA */ - error = key_acquire(saidx, isr->sp); - if (error != 0) { - /* XXX What should I do ? */ - ipseclog((LOG_DEBUG, "%s: error %d returned from key_acquire\n", - __func__, error)); - return error; - } - - if (level != IPSEC_LEVEL_REQUIRE) { - /* XXX sigh, the interface to this routine is botched */ - IPSEC_ASSERT(isr->sav == NULL, ("unexpected SA")); - return 0; - } else { - return ENOENT; - } -} - -/* - * allocating a SA for policy entry from SAD. - * NOTE: searching SAD of aliving state. - * OUT: NULL: not found. - * others: found and return the pointer. - */ -static struct secasvar * -key_allocsa_policy(const struct secasindex *saidx) -{ -#define N(a) _ARRAYLEN(a) - struct secashead *sah; - struct secasvar *sav; - u_int stateidx, arraysize; - const u_int *state_valid; - - state_valid = NULL; /* silence gcc */ - arraysize = 0; /* silence gcc */ - - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - if (sah->state == SADB_SASTATE_DEAD) - continue; - if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) { - if (V_key_preferred_oldsa) { - state_valid = saorder_state_valid_prefer_old; - arraysize = N(saorder_state_valid_prefer_old); - } else { - state_valid = saorder_state_valid_prefer_new; - arraysize = N(saorder_state_valid_prefer_new); - } + SAHTREE_RLOCK(); + LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { + KEYDBG(IPSEC_DUMP, + printf("%s: checking SAH\n", __func__); + kdebug_secash(sah, " ")); + if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) break; - } - } - SAHTREE_UNLOCK(); - if (sah == NULL) - return NULL; - /* search valid state */ - for 
(stateidx = 0; stateidx < arraysize; stateidx++) { - sav = key_do_allocsa_policy(sah, state_valid[stateidx]); - if (sav != NULL) - return sav; } - - return NULL; -#undef N -} - -/* - * searching SAD with direction, protocol, mode and state. - * called by key_allocsa_policy(). - * OUT: - * NULL : not found - * others : found, pointer to a SA. - */ -static struct secasvar * -key_do_allocsa_policy(struct secashead *sah, u_int state) -{ - struct secasvar *sav, *nextsav, *candidate, *d; - - /* initialize */ - candidate = NULL; - - SAHTREE_LOCK(); - for (sav = LIST_FIRST(&sah->savtree[state]); - sav != NULL; - sav = nextsav) { - - nextsav = LIST_NEXT(sav, chain); - - /* sanity check */ - KEY_CHKSASTATE(sav->state, state, __func__); - - /* initialize */ - if (candidate == NULL) { - candidate = sav; - continue; - } - - /* Which SA is the better ? */ - - IPSEC_ASSERT(candidate->lft_c != NULL, - ("null candidate lifetime")); - IPSEC_ASSERT(sav->lft_c != NULL, ("null sav lifetime")); - - /* What the best method is to compare ? */ - if (V_key_preferred_oldsa) { - if (candidate->lft_c->addtime > - sav->lft_c->addtime) { - candidate = sav; - } - continue; - /*NOTREACHED*/ - } - - /* preferred new sa rather than old sa */ - if (candidate->lft_c->addtime < - sav->lft_c->addtime) { - d = candidate; - candidate = sav; - } else - d = sav; - + if (sah != NULL) { /* - * prepared to delete the SA when there is more - * suitable candidate and the lifetime of the SA is not - * permanent. + * Allocate the oldest SA available according to + * draft-jenkins-ipsec-rekeying-03. */ - if (d->lft_h->addtime != 0) { - struct mbuf *m, *result; - u_int8_t satype; - - key_sa_chgstate(d, SADB_SASTATE_DEAD); - - IPSEC_ASSERT(d->refcnt > 0, ("bogus ref count")); - - satype = key_proto2satype(d->sah->saidx.proto); - if (satype == 0) - goto msgfail; - - m = key_setsadbmsg(SADB_DELETE, 0, - satype, 0, 0, d->refcnt - 1); - if (!m) - goto msgfail; - result = m; - - /* set sadb_address for saidx's. 
*/ - m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, - &d->sah->saidx.src.sa, - d->sah->saidx.src.sa.sa_len << 3, - IPSEC_ULPROTO_ANY); - if (!m) - goto msgfail; - m_cat(result, m); - - /* set sadb_address for saidx's. */ - m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, - &d->sah->saidx.dst.sa, - d->sah->saidx.dst.sa.sa_len << 3, - IPSEC_ULPROTO_ANY); - if (!m) - goto msgfail; - m_cat(result, m); - - /* create SA extension */ - m = key_setsadbsa(d); - if (!m) - goto msgfail; - m_cat(result, m); + if (V_key_preferred_oldsa) + sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); + else + sav = TAILQ_FIRST(&sah->savtree_alive); + if (sav != NULL) + SAV_ADDREF(sav); + } else + sav = NULL; + SAHTREE_RUNLOCK(); - if (result->m_len < sizeof(struct sadb_msg)) { - result = m_pullup(result, - sizeof(struct sadb_msg)); - if (result == NULL) - goto msgfail; - } - - result->m_pkthdr.len = 0; - for (m = result; m; m = m->m_next) - result->m_pkthdr.len += m->m_len; - mtod(result, struct sadb_msg *)->sadb_msg_len = - PFKEY_UNIT64(result->m_pkthdr.len); - - if (key_sendup_mbuf(NULL, result, - KEY_SENDUP_REGISTERED)) - goto msgfail; - msgfail: - KEY_FREESAV(&d); - } - } - if (candidate) { - sa_addref(candidate); - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s cause refcnt++:%d SA:%p\n", - __func__, candidate->refcnt, candidate)); + if (sav != NULL) { + *error = 0; + KEYDBG(IPSEC_STAMP, + printf("%s: chosen SA(%p) for SP(%p)\n", __func__, + sav, sp)); + KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); + return (sav); /* return referenced SA */ } - SAHTREE_UNLOCK(); - return candidate; + /* there is no SA */ + *error = key_acquire(saidx, sp); + if ((*error) != 0) + ipseclog((LOG_DEBUG, + "%s: error %d returned from key_acquire()\n", + __func__, *error)); + KEYDBG(IPSEC_STAMP, + printf("%s: acquire SA for SP(%p), error %d\n", + __func__, sp, *error)); + KEYDBG(IPSEC_DATA, kdebug_secasindex(saidx, NULL)); + return (NULL); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 10:18:01 2016 Return-Path: 
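Review bot: key_allocsa_policy() no longer applies the request level when no SA exists: the removed key_checkrequest() returned ENOENT only for IPSEC_LEVEL_REQUIRE and 0 otherwise, while the new code always returns NULL with *error set to the key_acquire() result. The header comment should say that the caller now has to apply the level itself, and that a non-NULL return carries a reference taken by SAV_ADDREF() which the caller must drop. The rewrite also drops two behaviours of the old lookup that the log does not mention: skipping SAHs in SADB_SASTATE_DEAD, and marking the less preferred SA dead with an SADB_DELETE message when key_preferred_oldsa is off. Two comments need a pass as well: "Allocate the oldest SA available" sits above both branches although only one of TAILQ_LAST/TAILQ_FIRST can be the oldest, and the retained "We check new SA in the IPsec request" paragraph describes the isr->sav cache that this change removes. Neither sp nor error is asserted non-NULL before use.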
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 10:18:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308971 - projects/ipsec/sys/netipsec Author: ae Date: Tue Nov 22 10:18:00 2016 New Revision: 308971 URL: https://svnweb.freebsd.org/changeset/base/308971 Log: Update key_allocsa() to reflect changes in SADB. Use SPI hash table for inbound SA lookup. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:09:04 2016 (r308970) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:18:00 2016 (r308971)
@@ -871,92 +871,59 @@ key_allocsa_policy(struct secpolicy *sp, * keep source address in IPsec SA. We see a tricky situation here. */ struct secasvar * -key_allocsa(union sockaddr_union *dst, u_int proto, u_int32_t spi, - const char* where, int tag) +key_allocsa(union sockaddr_union *dst, uint8_t proto, uint32_t spi) { - struct secashead *sah; + SAHTREE_RLOCK_TRACKER; struct secasvar *sav; - u_int stateidx, arraysize, state; - const u_int *saorder_state_valid; -#ifdef IPSEC_NAT_T - int natt_chkport; -#endif + int chkport; IPSEC_ASSERT(dst != NULL, ("null dst address")); - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s from %s:%u\n", __func__, where, tag)); - -#ifdef IPSEC_NAT_T - natt_chkport = (dst->sa.sa_family == AF_INET && - dst->sa.sa_len == sizeof(struct sockaddr_in) && - dst->sin.sin_port != 0); -#endif - + chkport = 0; + SAHTREE_RLOCK(); + LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { + if (sav->spi == spi) + break; + } /* - * searching SAD. - * XXX: to be checked internal IP header somewhere. Also when - * IPsec tunnel packet is received. But ESP tunnel mode is - * encrypted so we can't check internal IP header. + * We use single SPI namespace for all protocols, so it is + * impossible to have SPI duplicates in the SAVHASH. + * XXXAE: this breaks TCP_SIGNATURE. 
*/ - SAHTREE_LOCK(); - if (V_key_preferred_oldsa) { - saorder_state_valid = saorder_state_valid_prefer_old; - arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); - } else { - saorder_state_valid = saorder_state_valid_prefer_new; - arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); - } - LIST_FOREACH(sah, &V_sahtree, chain) { - int checkport; - - /* search valid state */ - for (stateidx = 0; stateidx < arraysize; stateidx++) { - state = saorder_state_valid[stateidx]; - LIST_FOREACH(sav, &sah->savtree[state], chain) { - /* sanity check */ - KEY_CHKSASTATE(sav->state, state, __func__); - /* do not return entries w/ unusable state */ - if (sav->state != SADB_SASTATE_MATURE && - sav->state != SADB_SASTATE_DYING) - continue; - if (proto != sav->sah->saidx.proto) - continue; - if (spi != sav->spi) - continue; - checkport = 0; + if (sav != NULL) { #ifdef IPSEC_NAT_T - /* - * Really only check ports when this is a NAT-T - * SA. Otherwise other lookups providing ports - * might suffer. - */ - if (sav->natt_type && natt_chkport) - checkport = 1; -#endif -#if 0 /* don't check src */ - /* check src address */ - if (key_sockaddrcmp(&src->sa, - &sav->sah->saidx.src.sa, checkport) != 0) - continue; -#endif - /* check dst address */ - if (key_sockaddrcmp(&dst->sa, - &sav->sah->saidx.dst.sa, checkport) != 0) - continue; - sa_addref(sav); - goto done; - } - } + /* + * Really only check ports when this is a NAT-T + * SA. Otherwise other lookups providing ports + * might suffer. 
+ */ + chkport = (sav->natt_type != 0 && + dst->sa.sa_family == AF_INET && + dst->sa.sa_len == sizeof(struct sockaddr_in) && + dst->sin.sin_port != 0); +#endif + if (sav->state != SADB_SASTATE_LARVAL && + sav->sah->saidx.proto == proto && + key_sockaddrcmp(&dst->sa, &sav->sah->saidx.dst.sa, + chkport) == 0) + SAV_ADDREF(sav); + else + sav = NULL; } - sav = NULL; -done: - SAHTREE_UNLOCK(); + SAHTREE_RUNLOCK(); - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s return SA:%p; refcnt %u\n", __func__, - sav, sav ? sav->refcnt : 0)); - return sav; + if (sav == NULL) { + KEYDBG(IPSEC_STAMP, + char buf[IPSEC_ADDRSTRLEN]; + printf("%s: SA not found for spi %u proto %u dst %s\n", + __func__, ntohl(spi), proto, ipsec_address(dst, buf, + sizeof(buf)))); + } else { + KEYDBG(IPSEC_STAMP, + printf("%s: return SA(%p)\n", __func__, sav)); + KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); + } + return (sav); } struct secasvar * From owner-svn-src-projects@freebsd.org Tue Nov 22 10:20:07 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A386AC4F92C for ; Tue, 22 Nov 2016 10:20:07 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5DAD8215; Tue, 22 Nov 2016 10:20:07 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMAK6ad075863; Tue, 22 Nov 2016 10:20:06 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMAK62q075861; Tue, 22 Nov 2016 10:20:06 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221020.uAMAK62q075861@repo.freebsd.org> X-Authentication-Warning: 
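Review bot: the SPI lookup in key_allocsa() breaks out of LIST_FOREACH on the first entry whose spi matches and compares proto and dst only afterwards, so a bucket entry with the same SPI but a different protocol or destination makes the function return NULL without looking at the rest of the chain. The new comment relies on a single SPI namespace and already flags that this breaks TCP_SIGNATURE; either move the proto and key_sockaddrcmp() checks inside the loop and continue on mismatch, or assert SPI uniqueness where SAs are linked into savhashtbl. The state filter also changed from accepting only MATURE and DYING to rejecting only LARVAL, which is correct only if a DEAD SA can never be reached through the SPI hash; a one-line comment stating that invariant next to the check would make it reviewable.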
repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 10:20:06 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308972 - projects/ipsec/sys/netipsec Author: ae Date: Tue Nov 22 10:20:06 2016 New Revision: 308972 URL: https://svnweb.freebsd.org/changeset/base/308972 Log: Update key_allocsa_tunnel() to use SAHADDRHASH. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:18:00 2016 (r308971) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:20:06 2016 (r308972)
@@ -928,61 +928,45 @@ key_allocsa(union sockaddr_union *dst, u struct secasvar * key_allocsa_tunnel(union sockaddr_union *src, union sockaddr_union *dst, - u_int proto, const char* where, int tag) + uint8_t proto) { + SAHTREE_RLOCK_TRACKER; + struct secasindex saidx; struct secashead *sah; struct secasvar *sav; - u_int stateidx, arraysize, state; - const u_int *saorder_state_valid; IPSEC_ASSERT(src != NULL, ("null src address")); IPSEC_ASSERT(dst != NULL, ("null dst address")); - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s from %s:%u\n", __func__, where, tag)); - SAHTREE_LOCK(); - if (V_key_preferred_oldsa) { - saorder_state_valid = saorder_state_valid_prefer_old; - arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); - } else { - saorder_state_valid = saorder_state_valid_prefer_new; - arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); - } - LIST_FOREACH(sah, &V_sahtree, chain) { - /* search valid state */ - for (stateidx = 0; stateidx < arraysize; stateidx++) { - state = saorder_state_valid[stateidx]; - LIST_FOREACH(sav, &sah->savtree[state], chain) { - /* sanity check */ - KEY_CHKSASTATE(sav->state, state, __func__); - /* do not return entries w/ unusable state */ - if (sav->state != SADB_SASTATE_MATURE && - sav->state != SADB_SASTATE_DYING) - continue; - if (IPSEC_MODE_TUNNEL != sav->sah->saidx.mode) - continue; - if (proto != sav->sah->saidx.proto) - continue; - /* check src address */ - if (key_sockaddrcmp(&src->sa, - &sav->sah->saidx.src.sa, 0) != 0) - continue; - /* check dst address */ - if (key_sockaddrcmp(&dst->sa, - &sav->sah->saidx.dst.sa, 0) != 0) - continue; - sa_addref(sav); - goto done; - } + KEY_SETSECASIDX(proto, IPSEC_MODE_TUNNEL, 0, &src->sa, + &dst->sa, &saidx); + + sav = NULL; + SAHTREE_RLOCK(); + LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) { + if (IPSEC_MODE_TUNNEL != sah->saidx.mode) + continue; + if (proto != sah->saidx.proto) + continue; + if (key_sockaddrcmp(&src->sa, &sav->sah->saidx.src.sa, 0) != 0) + continue; + if 
(key_sockaddrcmp(&dst->sa, &sav->sah->saidx.dst.sa, 0) != 0) + continue; + /* XXXAE: is key_preferred_oldsa reasonably?*/ + if (V_key_preferred_oldsa) + sav = TAILQ_LAST(&sah->savtree_alive, secasvar_queue); + else + sav = TAILQ_FIRST(&sah->savtree_alive); + if (sav != NULL) { + SAV_ADDREF(sav); + break; } } - sav = NULL; -done: - SAHTREE_UNLOCK(); - - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s return SA:%p; refcnt %u\n", __func__, - sav, sav ? sav->refcnt : 0)); + SAHTREE_RUNLOCK(); + KEYDBG(IPSEC_STAMP, + printf("%s: return SA(%p)\n", __func__, sav)); + if (sav != NULL) + KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); return (sav); } From owner-svn-src-projects@freebsd.org Tue Nov 22 10:28:27 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3C736C4FD81 for ; Tue, 22 Nov 2016 10:28:27 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0D195BEB; Tue, 22 Nov 2016 10:28:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMASQOZ079856; Tue, 22 Nov 2016 10:28:26 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMASQub079855; Tue, 22 Nov 2016 10:28:26 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221028.uAMASQub079855@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
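Review bot: NULL pointer dereference in the new key_allocsa_tunnel() loop: sav is set to NULL before LIST_FOREACH and stays NULL on every iteration that reaches the address checks, yet both comparisons read through it (&sav->sah->saidx.src.sa and &sav->sah->saidx.dst.sa). The first SAH in the bucket that passes the mode and proto tests will fault in the kernel on the inbound path. The loop variable is sah, so the calls should be key_sockaddrcmp(&src->sa, &sah->saidx.src.sa, 0) and key_sockaddrcmp(&dst->sa, &sah->saidx.dst.sa, 0). The open question in the XXXAE comment about key_preferred_oldsa should be resolved or tracked before this leaves the project branch.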
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 10:28:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308974 - projects/ipsec/sys/netipsec Author: ae Date: Tue Nov 22 10:28:25 2016 New Revision: 308974 URL: https://svnweb.freebsd.org/changeset/base/308974 Log: Update key_freesp() to reflect changes in struct secpolicy and ipsecrequest. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:24:59 2016 (r308973) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:28:25 2016 (r308974)
@@ -972,30 +972,23 @@ key_allocsa_tunnel(union sockaddr_union /* * Must be called after calling key_allocsp(). - * For both the packet without socket and key_freeso(). */ void -_key_freesp(struct secpolicy **spp, const char* where, int tag) +key_freesp(struct secpolicy **spp) { - struct ipsecrequest *isr, *nextisr; struct secpolicy *sp = *spp; IPSEC_ASSERT(sp != NULL, ("null sp")); - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s SP:%p (ID=%u) from %s:%u; refcnt now %u\n", - __func__, sp, sp->id, where, tag, sp->refcnt)); - if (SP_DELREF(sp) == 0) return; + + KEYDBG(IPSEC_STAMP, + printf("%s: last reference to SP(%p)\n", __func__, sp)); + KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp)); + *spp = NULL; - for (isr = sp->req; isr != NULL; isr = nextisr) { - if (isr->sav != NULL) { - KEY_FREESAV(&isr->sav); - isr->sav = NULL; - } - nextisr = isr->next; - ipsec_delisr(isr); - } + while (sp->tcount > 0) + ipsec_delisr(sp->req[--sp->tcount]); free(sp, M_IPSEC_SP); } From owner-svn-src-projects@freebsd.org Tue Nov 22 10:36:02 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 21E9AC4F164 for ; Tue, 22 Nov 2016 10:36:02 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D6ED3130B; Tue, 22 Nov 2016 10:36:01 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMAa0dZ083960; Tue, 22 Nov 2016 10:36:00 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMAa0K4083959; Tue, 22 Nov 2016 10:36:00 GMT (envelope-from ae@FreeBSD.org) Message-Id: 
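Review bot: the new teardown loop in key_freesp(), while (sp->tcount > 0) ipsec_delisr(sp->req[--sp->tcount]), indexes sp->req by tcount with no bound check; an IPSEC_ASSERT that tcount does not exceed the number of slots in sp->req, placed before the loop, would catch a corrupted policy before it turns into an out-of-bounds read and free. The removed branch also released isr->sav through KEY_FREESAV(); the function comment should state that requests no longer hold an SA reference, otherwise this reads as a dropped release. The trace output lost the policy id and the running refcount and now fires only on the last reference, which makes reference leaks harder to follow from logs.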
<201611221036.uAMAa0K4083959@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 10:36:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308975 - projects/ipsec/sys/netipsec Author: ae Date: Tue Nov 22 10:36:00 2016 New Revision: 308975 URL: https://svnweb.freebsd.org/changeset/base/308975 Log: Remove unused key_freeso() and key_freesp_so(). Change debug code in key_freesav(). Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:28:25 2016 (r308974) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:36:00 2016 (r308975)
@@ -1032,64 +1032,13 @@ key_insertsp(struct secpolicy *newsp) goto done; } } - TAILQ_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, chain); - done: LIST_INSERT_HEAD(SPHASH_HASH(newsp->id), newsp, idhash); newsp->state = IPSEC_SPSTATE_ALIVE; V_sp_genid++; } -/* - * Must be called after calling key_allocsp(). - * For the packet with socket. - */ -void -key_freeso(struct socket *so) -{ - IPSEC_ASSERT(so != NULL, ("null so")); - - switch (so->so_proto->pr_domain->dom_family) { -#if defined(INET) || defined(INET6) -#ifdef INET - case PF_INET: -#endif -#ifdef INET6 - case PF_INET6: -#endif - { - struct inpcb *pcb = sotoinpcb(so); - - /* Does it have a PCB ? */ - if (pcb == NULL) - return; - key_freesp_so(&pcb->inp_sp->sp_in); - key_freesp_so(&pcb->inp_sp->sp_out); - } - break; -#endif /* INET || INET6 */ - default: - ipseclog((LOG_DEBUG, "%s: unknown address family=%d.\n", - __func__, so->so_proto->pr_domain->dom_family)); - return; - } -} - -static void -key_freesp_so(struct secpolicy **sp) -{ - IPSEC_ASSERT(sp != NULL && *sp != NULL, ("null sp")); - - if ((*sp)->policy == IPSEC_POLICY_ENTRUST || - (*sp)->policy == IPSEC_POLICY_BYPASS) - return; - - IPSEC_ASSERT((*sp)->policy == IPSEC_POLICY_IPSEC, - ("invalid policy %u", (*sp)->policy)); - KEY_FREESP(sp); -} - void key_addrefsa(struct secasvar *sav, const char* where, int tag) { @@ -1097,7 +1046,7 @@ key_addrefsa(struct secasvar *sav, const IPSEC_ASSERT(sav != NULL, ("null sav")); IPSEC_ASSERT(sav->refcnt > 0, ("refcount must exist")); - sa_addref(sav); + SAV_ADDREF(sav); } /* 
@@ -1106,23 +1055,19 @@ key_addrefsa(struct secasvar *sav, const * for a policy. */ void -key_freesav(struct secasvar **psav, const char* where, int tag) +key_freesav(struct secasvar **psav) { struct secasvar *sav = *psav; IPSEC_ASSERT(sav != NULL, ("null sav")); + if (SAV_DELREF(sav) == 0) + return; - if (sa_delref(sav)) { - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s SA:%p (SPI %u) from %s:%u; refcnt now %u\n", - __func__, sav, ntohl(sav->spi), where, tag, sav->refcnt)); - *psav = NULL; - key_delsav(sav); - } else { - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s SA:%p (SPI %u) from %s:%u; refcnt now %u\n", - __func__, sav, ntohl(sav->spi), where, tag, sav->refcnt)); - } + KEYDBG(IPSEC_STAMP, + printf("%s: last reference to SA(%p)\n", __func__, sav)); + + *psav = NULL; + key_delsav(sav); } /* %%% SPD management */ From owner-svn-src-projects@freebsd.org Tue Nov 22 10:39:42 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5F901C4F226 for ; Tue, 22 Nov 2016 10:39:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3211115CE; Tue, 22 Nov 2016 10:39:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMAdf8Z084211; Tue, 22 Nov 2016 10:39:41 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMAdfDX084210; Tue, 22 Nov 2016 10:39:41 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221039.uAMAdfDX084210@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
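Review bot: in key_freesav(), *psav is cleared only on the last-reference path; after the early return on SAV_DELREF(sav) == 0 the caller still holds a pointer to an SA it has just released and that another thread may free. Assigning *psav = NULL before the refcount test (key_delsav() already works on the local sav) would turn a use after release into an immediate NULL fault. Separately, key_freesav() drops the where/tag parameters while key_addrefsa() in the preceding hunk keeps them unused; the two signatures should change together.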
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 10:39:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308976 - projects/ipsec/sys/netipsec Author: ae Date: Tue Nov 22 10:39:41 2016 New Revision: 308976 URL: https://svnweb.freebsd.org/changeset/base/308976 Log: Add key_unlinksav() function that unlinks a SA from SAH's TAILQ. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:36:00 2016 (r308975) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:39:41 2016 (r308976)
@@ -1070,6 +1070,41 @@ key_freesav(struct secasvar **psav) key_delsav(sav); } +/* + * Unlink SA from SAH and SPI hash under SAHTREE_WLOCK. + * Expect that SA has extra reference due to lookup. + * Release this references, also release SAH reference after unlink. + */ +static void +key_unlinksav(struct secasvar *sav) +{ + struct secashead *sah; + + KEYDBG(KEY_STAMP, + printf("%s: SA(%p)\n", __func__, sav)); + + SAHTREE_UNLOCK_ASSERT(); + SAHTREE_WLOCK(); + if (sav->state == SADB_SASTATE_DEAD) { + /* SA is already unlinked */ + SAHTREE_WUNLOCK(); + return; + } + /* Unlink from SAH */ + if (sav->state == SADB_SASTATE_LARVAL) + TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); + else + TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); + /* Unlink from SPI hash */ + LIST_REMOVE(sav, spihash); + sav->state = SADB_SASTATE_DEAD; + sah = sav->sah; + SAHTREE_WUNLOCK(); + key_freesav(&sav); + /* Since we are unlinked, release reference to SAH */ + key_freesah(&sah); +} + /* %%% SPD management */ /* * search SPD From owner-svn-src-projects@freebsd.org Tue Nov 22 10:42:54 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 48AABC4F370 for ; Tue, 22 Nov 2016 10:42:54 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0BFAD19B7; Tue, 22 Nov 2016 10:42:53 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMAgrwi087986; Tue, 22 Nov 2016 10:42:53 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMAgrhj087985; Tue, 22 Nov 2016 10:42:53 GMT (envelope-from 
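Review bot: key_unlinksav() leaks the lookup reference on the already-DEAD path: the header comment says the extra reference taken by the caller's lookup is released here, but the early return after SAHTREE_WUNLOCK() skips key_freesav(&sav). Either call key_freesav(&sav) before that return, or return a status so the caller knows it still owns the reference; as a void function it currently gives the caller no way to tell which path ran. In the comment, "Release this references" should read "Release this reference".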
ae@FreeBSD.org) Message-Id: <201611221042.uAMAgrhj087985@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 10:42:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308977 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 10:42:54 -0000 Author: ae Date: Tue Nov 22 10:42:52 2016 New Revision: 308977 URL: https://svnweb.freebsd.org/changeset/base/308977 Log: Modify key_getspbyid() to use SPHASH. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:39:41 2016 (r308976) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:42:52 2016 (r308977) 
@@ -1134,32 +1134,23 @@ key_getsp(struct secpolicyindex *spidx) /* * get SP by index. * OUT: NULL : not found - * others : found, pointer to a SP. + * others : found, pointer to referenced SP. */ static struct secpolicy * -key_getspbyid(u_int32_t id) +key_getspbyid(uint32_t id) { SPTREE_RLOCK_TRACKER; struct secpolicy *sp; SPTREE_RLOCK(); - TAILQ_FOREACH(sp, &V_sptree[IPSEC_DIR_INBOUND], chain) { + LIST_FOREACH(sp, SPHASH_HASH(id), idhash) { if (sp->id == id) { SP_ADDREF(sp); - goto done; - } - } - - TAILQ_FOREACH(sp, &V_sptree[IPSEC_DIR_OUTBOUND], chain) { - if (sp->id == id) { - SP_ADDREF(sp); - goto done; + break; } } -done: SPTREE_RUNLOCK(); - - return sp; + return (sp); } struct secpolicy * From owner-svn-src-projects@freebsd.org Tue Nov 22 10:44:05 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 50564C4F398 for ; Tue, 22 Nov 2016 10:44:05 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 22C1A1AD9; Tue, 22 Nov 2016 10:44:05 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMAi4qm088091; Tue, 22 Nov 2016 10:44:04 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMAi41w088090; Tue, 22 Nov 2016 10:44:04 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221044.uAMAi41w088090@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
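Review bot: the new LIST_FOREACH over SPHASH_HASH(id) in key_getspbyid() only finds policies that are linked through idhash, whereas the removed loops walked V_sptree[IPSEC_DIR_INBOUND] and V_sptree[IPSEC_DIR_OUTBOUND] directly. Nothing in this hunk shows where idhash is populated, so please note in the function comment that insertion and unlink have to update the hash under the SPTREE write lock, and that the returned SP carries a reference (SP_ADDREF) the caller must drop.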
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 10:44:04 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308978 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 10:44:05 -0000 Author: ae Date: Tue Nov 22 10:44:04 2016 New Revision: 308978 URL: https://svnweb.freebsd.org/changeset/base/308978 Log: Remove debugging code from key_newsp(). Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:42:52 2016 (r308977) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:44:04 2016 (r308978) 
@@ -1154,19 +1154,14 @@ key_getspbyid(uint32_t id) } struct secpolicy * -key_newsp(const char* where, int tag) +key_newsp(void) { - struct secpolicy *newsp = NULL; - - newsp = (struct secpolicy *) - malloc(sizeof(struct secpolicy), M_IPSEC_SP, M_NOWAIT|M_ZERO); - if (newsp) - refcount_init(&newsp->refcnt, 1); + struct secpolicy *sp; - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s from %s:%u return SP:%p\n", __func__, - where, tag, newsp)); - return newsp; + sp = malloc(sizeof(*sp), M_IPSEC_SP, M_NOWAIT | M_ZERO); + if (sp != NULL) + SP_INITREF(sp); + return (sp); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 10:52:59 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 745A5C4F767 for ; Tue, 22 Nov 2016 10:52:59 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 344CD172; Tue, 22 Nov 2016 10:52:59 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMAqw1Z091850; Tue, 22 Nov 2016 10:52:58 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMAqwF3091849; Tue, 22 Nov 2016 10:52:58 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221052.uAMAqwF3091849@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
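Review bot: key_newsp() changes from (const char *where, int tag) to (void), but r308978 lists only key.c as modified and key_msg2sp() still calls KEY_NEWSP() until r308979 replaces it with key_newsp(). Check that the KEY_NEWSP() wrapper and the prototype are adjusted in this same commit so that r308978 builds on its own. The rewritten body (sizeof(*sp), explicit NULL test, SP_INITREF) is fine.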
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 10:52:58 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308979 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 10:52:59 -0000 Author: ae Date: Tue Nov 22 10:52:58 2016 New Revision: 308979 URL: https://svnweb.freebsd.org/changeset/base/308979 Log: Modify key_msg2sp() to reflect changes in struct secpolicy and ipsecrequest. Also add the check that address families are equal in src and dst addresses. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:44:04 2016 (r308978) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:52:58 2016 (r308979) @@ -1166,8 +1166,8 @@ key_newsp(void) /* * create secpolicy structure from sadb_x_policy structure. - * NOTE: `state', `secpolicyindex' in secpolicy structure are not set, - * so must be set properly later. + * NOTE: `state', `secpolicyindex' and 'id' in secpolicy structure + * are not set, so must be set properly later. */ struct secpolicy * key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int *error) @@ -1183,7 +1183,7 @@ key_msg2sp(struct sadb_x_policy *xpl0, s return NULL; } - if ((newsp = KEY_NEWSP()) == NULL) { + if ((newsp = key_newsp()) == NULL) { *error = ENOBUFS; return NULL; } 
@@ -1191,6 +1191,7 @@ key_msg2sp(struct sadb_x_policy *xpl0, s newsp->spidx.dir = xpl0->sadb_x_policy_dir; newsp->policy = xpl0->sadb_x_policy_type; newsp->priority = xpl0->sadb_x_policy_priority; + newsp->tcount = 0; /* check policy */ switch (xpl0->sadb_x_policy_type) { @@ -1198,20 +1199,19 @@ key_msg2sp(struct sadb_x_policy *xpl0, s case IPSEC_POLICY_NONE: case IPSEC_POLICY_ENTRUST: case IPSEC_POLICY_BYPASS: - newsp->req = NULL; break; case IPSEC_POLICY_IPSEC: { - int tlen; struct sadb_x_ipsecrequest *xisr; - struct ipsecrequest **p_isr = &newsp->req; + struct ipsecrequest *isr; + int tlen; /* validity check */ if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) { ipseclog((LOG_DEBUG, "%s: Invalid msg length.\n", __func__)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EINVAL; return NULL; } @@ -1224,22 +1224,33 @@ key_msg2sp(struct sadb_x_policy *xpl0, s if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest " "length.\n", __func__)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EINVAL; return NULL; } + if (newsp->tcount >= IPSEC_MAXREQ) { + ipseclog((LOG_DEBUG, + "%s: too many ipsecrequests.\n", + __func__)); + key_freesp(&newsp); + *error = EINVAL; + return (NULL); + } + /* allocate request buffer */ /* NB: data structure is zero'd */ - *p_isr = ipsec_newisr(); - if ((*p_isr) == NULL) { + isr = ipsec_newisr(); + if (isr == NULL) { ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = ENOBUFS; return NULL; } + newsp->req[newsp->tcount++] = isr; + /* set values */ switch (xisr->sadb_x_ipsecrequest_proto) { case IPPROTO_ESP: 
@@ -1250,11 +1261,12 @@ key_msg2sp(struct sadb_x_policy *xpl0, s ipseclog((LOG_DEBUG, "%s: invalid proto type=%u\n", __func__, xisr->sadb_x_ipsecrequest_proto)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EPROTONOSUPPORT; return NULL; } - (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto; + isr->saidx.proto = + (uint8_t)xisr->sadb_x_ipsecrequest_proto; switch (xisr->sadb_x_ipsecrequest_mode) { case IPSEC_MODE_TRANSPORT: @@ -1265,11 +1277,11 @@ key_msg2sp(struct sadb_x_policy *xpl0, s ipseclog((LOG_DEBUG, "%s: invalid mode=%u\n", __func__, xisr->sadb_x_ipsecrequest_mode)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EINVAL; return NULL; } - (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode; + isr->saidx.mode = xisr->sadb_x_ipsecrequest_mode; switch (xisr->sadb_x_ipsecrequest_level) { case IPSEC_LEVEL_DEFAULT: @@ -1296,16 +1308,16 @@ key_msg2sp(struct sadb_x_policy *xpl0, s if (xisr->sadb_x_ipsecrequest_reqid == 0) { u_int32_t reqid; if ((reqid = key_newreqid()) == 0) { - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = ENOBUFS; return NULL; } - (*p_isr)->saidx.reqid = reqid; + isr->saidx.reqid = reqid; xisr->sadb_x_ipsecrequest_reqid = reqid; } else { /* set it for manual keying. */ - (*p_isr)->saidx.reqid = - xisr->sadb_x_ipsecrequest_reqid; + isr->saidx.reqid = + xisr->sadb_x_ipsecrequest_reqid; } break; 
@@ -1313,59 +1325,61 @@ key_msg2sp(struct sadb_x_policy *xpl0, s ipseclog((LOG_DEBUG, "%s: invalid level=%u\n", __func__, xisr->sadb_x_ipsecrequest_level)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EINVAL; return NULL; } - (*p_isr)->level = xisr->sadb_x_ipsecrequest_level; + isr->level = xisr->sadb_x_ipsecrequest_level; /* set IP addresses if there */ + /* XXXAE: those are needed only for tunnel mode */ if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { struct sockaddr *paddr; paddr = (struct sockaddr *)(xisr + 1); - /* validity check */ if (paddr->sa_len - > sizeof((*p_isr)->saidx.src)) { + > sizeof(isr->saidx.src)) { ipseclog((LOG_DEBUG, "%s: invalid " "request address length.\n", __func__)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EINVAL; return NULL; } - bcopy(paddr, &(*p_isr)->saidx.src, - paddr->sa_len); - - paddr = (struct sockaddr *)((caddr_t)paddr - + paddr->sa_len); + bcopy(paddr, &isr->saidx.src, paddr->sa_len); + paddr = (struct sockaddr *)((caddr_t)paddr + + paddr->sa_len); /* validity check */ if (paddr->sa_len - > sizeof((*p_isr)->saidx.dst)) { + > sizeof(isr->saidx.dst)) { ipseclog((LOG_DEBUG, "%s: invalid " "request address length.\n", __func__)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EINVAL; return NULL; } - bcopy(paddr, &(*p_isr)->saidx.dst, - paddr->sa_len); + /* AF family should match */ + if (paddr->sa_family != + isr->saidx.src.sa.sa_family) { + ipseclog((LOG_DEBUG, "%s: address " + "family doesn't match.\n", + __func__)); + key_freesp(&newsp); + *error = EINVAL; + return (NULL); + } + bcopy(paddr, &isr->saidx.dst, paddr->sa_len); } - - (*p_isr)->sp = newsp; - - /* initialization for the next. */ - p_isr = &(*p_isr)->next; tlen -= xisr->sadb_x_ipsecrequest_len; /* validity check */ if (tlen < 0) { ipseclog((LOG_DEBUG, "%s: becoming tlen < 0.\n", __func__)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EINVAL; return NULL; } 
@@ -1373,19 +1387,26 @@ key_msg2sp(struct sadb_x_policy *xpl0, s xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr + xisr->sadb_x_ipsecrequest_len); } + /* XXXAE: LARVAL SP */ + if (newsp->tcount < 1) { + ipseclog((LOG_DEBUG, "%s: valid IPSEC transforms " + "not found.\n", __func__)); + key_freesp(&newsp); + *error = EINVAL; + return (NULL); + } } break; default: ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); - KEY_FREESP(&newsp); + key_freesp(&newsp); *error = EINVAL; return NULL; } *error = 0; - return newsp; + return (newsp); } - static u_int32_t key_newreqid() { From owner-svn-src-projects@freebsd.org Tue Nov 22 11:18:20 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ED4ADC4FFDA for ; Tue, 22 Nov 2016 11:18:20 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C7C7010DC; Tue, 22 Nov 2016 11:18:20 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMBIJdt099981; Tue, 22 Nov 2016 11:18:19 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMBIJVn099980; Tue, 22 Nov 2016 11:18:19 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221118.uAMBIJVn099980@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
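Review bot: in the @@ -1224 hunk of key_msg2sp() (r308979) the new isr is stored with newsp->req[newsp->tcount++] = isr before its proto, mode and level are validated, so every later error path depends on key_freesp() releasing req[0..tcount-1]. Please confirm key_freesp() walks the array by tcount, since the old code relied on the ->next chain that this change removes. The IPSEC_MAXREQ test ahead of the store is in the right place.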
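Review bot: in the @@ -1313 hunk of key_msg2sp() (r308979) the address parsing checks paddr->sa_len only against sizeof(isr->saidx.src) and sizeof(isr->saidx.dst), never against the space left in the request, and tlen is compared with 0 only after both bcopy() calls have run. Validate xisr->sadb_x_ipsecrequest_len against tlen before touching the payload, and require sizeof(*xisr) plus both sa_len values to fit inside it. A minimum sa_len check is also missing, and the new family comparison does not cover sa_len; key_checksockaddrs(), which r308981 uses in key_spdadd(), looks like the natural helper here too.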
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 11:18:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308981 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 11:18:21 -0000 Author: ae Date: Tue Nov 22 11:18:19 2016 New Revision: 308981 URL: https://svnweb.freebsd.org/changeset/base/308981 Log: Modify key_spdadd() to do more accurate checks. Use SADB_CHECKHDR() and SADB_CHECKLEN() macros to check extension headers. Use key_checksockaddrs() to check sockaddr structures. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 10:58:24 2016 (r308980) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:18:19 2016 (r308981) @@ -1592,15 +1592,16 @@ fail: * SPDSETIDX like SPDADD without a part of policy requests. * SPDUPDATE replace a unique policy entry. * + * XXXAE: serialize this in PF_KEY to avoid races. * m will always be freed. */ static int key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { + struct secpolicyindex spidx; struct sadb_address *src0, *dst0; struct sadb_x_policy *xpl0, *xpl; struct sadb_lifetime *lft = NULL; - struct secpolicyindex spidx; struct secpolicy *newsp; int error; 
@@ -1609,24 +1610,26 @@ key_spdadd(struct socket *so, struct mbu IPSEC_ASSERT(mhp != NULL, ("null msghdr")); IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); - if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || - mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || - mhp->ext[SADB_X_EXT_POLICY] == NULL) { - ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n")); - return key_senderror(so, m, EINVAL); - } - if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || - mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - if (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL) { - if (mhp->extlen[SADB_EXT_LIFETIME_HARD] - < sizeof(struct sadb_lifetime)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || + SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: missing required header.\n", + __func__)); + return key_senderror(so, m, EINVAL); + } + if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || + SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); + return key_senderror(so, m, EINVAL); + } + if (!SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD)) { + if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", + __func__)); return key_senderror(so, m, EINVAL); } lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD]; 
@@ -1636,130 +1639,92 @@ key_spdadd(struct socket *so, struct mbu dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; - /* + /* * Note: do not parse SADB_X_EXT_NAT_T_* here: * we are processing traffic endpoints. */ - /* make secindex */ - /* XXX boundary check against sa_len */ - KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, - src0 + 1, - dst0 + 1, - src0->sadb_address_prefixlen, - dst0->sadb_address_prefixlen, - src0->sadb_address_proto, - &spidx); - - /* checking the direciton. */ + /* check the direciton */ switch (xpl0->sadb_x_policy_dir) { case IPSEC_DIR_INBOUND: case IPSEC_DIR_OUTBOUND: break; default: - ipseclog((LOG_DEBUG, "%s: Invalid SP direction.\n", __func__)); - mhp->msg->sadb_msg_errno = EINVAL; - return 0; + ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__)); + return key_senderror(so, m, EINVAL); } - - /* check policy */ /* key_spdadd() accepts DISCARD, NONE and IPSEC. */ - if (xpl0->sadb_x_policy_type == IPSEC_POLICY_ENTRUST - || xpl0->sadb_x_policy_type == IPSEC_POLICY_BYPASS) { - ipseclog((LOG_DEBUG, "%s: Invalid policy type.\n", __func__)); + if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD && + xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE && + xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { + ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); return key_senderror(so, m, EINVAL); } /* policy requests are mandatory when action is ipsec. */ - if (mhp->msg->sadb_msg_type != SADB_X_SPDSETIDX - && xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC - && mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) { - ipseclog((LOG_DEBUG, "%s: some policy requests part required\n", - __func__)); + if (xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC && + mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) { + ipseclog((LOG_DEBUG, + "%s: policy requests required.\n", __func__)); return key_senderror(so, m, EINVAL); } - /* - * checking there is SP already or not. 
- * SPDUPDATE doesn't depend on whether there is a SP or not. - * If the type is either SPDADD or SPDSETIDX AND a SP is found, - * then error. - */ - newsp = key_getsp(&spidx); - if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) { - if (newsp) { - key_unlink(newsp); - KEY_FREESP(&newsp); - } - } else { - if (newsp != NULL) { - KEY_FREESP(&newsp); - ipseclog((LOG_DEBUG, "%s: a SP entry exists already.\n", - __func__)); - return key_senderror(so, m, EEXIST); - } - } - - /* XXX: there is race between key_getsp and key_msg2sp. */ - - /* allocation new SP entry */ - if ((newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error)) == NULL) { + error = key_checksockaddrs((struct sockaddr *)(src0 + 1), + (struct sockaddr *)(dst0 + 1)); + if (error != 0 || + src0->sadb_address_proto != dst0->sadb_address_proto) { + ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); return key_senderror(so, m, error); } - - if ((newsp->id = key_getnewspid()) == 0) { - KEY_FREESP(&newsp); - return key_senderror(so, m, ENOBUFS); - } - - /* XXX boundary check against sa_len */ + /* make secindex */ KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, src0 + 1, dst0 + 1, src0->sadb_address_prefixlen, dst0->sadb_address_prefixlen, src0->sadb_address_proto, - &newsp->spidx); - - /* sanity check on addr pair */ - if (((struct sockaddr *)(src0 + 1))->sa_family != - ((struct sockaddr *)(dst0+ 1))->sa_family) { - KEY_FREESP(&newsp); - return key_senderror(so, m, EINVAL); - } - if (((struct sockaddr *)(src0 + 1))->sa_len != - ((struct sockaddr *)(dst0+ 1))->sa_len) { - KEY_FREESP(&newsp); - return key_senderror(so, m, EINVAL); - } -#if 1 - if (newsp->req && newsp->req->saidx.src.sa.sa_family && - newsp->req->saidx.dst.sa.sa_family) { - if (newsp->req->saidx.src.sa.sa_family != - newsp->req->saidx.dst.sa.sa_family) { - KEY_FREESP(&newsp); - return key_senderror(so, m, EINVAL); + &spidx); + /* Checking there is SP already or not. 
*/ + newsp = key_getsp(&spidx); + if (newsp != NULL) { + if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) { + KEYDBG(KEY_STAMP, + printf("%s: unlink SP(%p) for SPDUPDATE\n", + __func__, newsp)); + KEYDBG(KEY_DATA, kdebug_secpolicy(newsp)); + key_unlink(newsp); + key_freesp(&newsp); + } else { + key_freesp(&newsp); + ipseclog((LOG_DEBUG, "%s: a SP entry exists already.", + __func__)); + return (key_senderror(so, m, EEXIST)); } } -#endif - newsp->created = time_second; - newsp->lastused = newsp->created; + /* allocate new SP entry */ + if ((newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error)) == NULL) { + return key_senderror(so, m, error); + } + + newsp->lastused = newsp->created = time_second; newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0; newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0; + bcopy(&spidx, &newsp->spidx, sizeof(spidx)); + /* XXXAE: there is race between key_getsp() and key_insertsp() */ + SPTREE_WLOCK(); + if ((newsp->id = key_getnewspid()) == 0) { + SPTREE_WUNLOCK(); + key_freesp(&newsp); + return key_senderror(so, m, ENOBUFS); + } key_insertsp(newsp); + SPTREE_WUNLOCK(); - /* delete the entry in spacqtree */ - if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) { - struct secspacq *spacq = key_getspacq(&spidx); - if (spacq != NULL) { - /* reset counter in order to deletion by timehandler. 
*/ - spacq->created = time_second; - spacq->count = 0; - SPACQ_UNLOCK(); - } - } + KEYDBG(KEY_STAMP, + printf("%s: SP(%p)\n", __func__, newsp)); + KEYDBG(KEY_DATA, kdebug_secpolicy(newsp)); { struct mbuf *n, *mpolicy; From owner-svn-src-projects@freebsd.org Tue Nov 22 11:23:15 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D0430C4F338 for ; Tue, 22 Nov 2016 11:23:15 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 87BCF173A; Tue, 22 Nov 2016 11:23:15 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMBNEFh003938; Tue, 22 Nov 2016 11:23:14 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMBNE2Y003937; Tue, 22 Nov 2016 11:23:14 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221123.uAMBNE2Y003937@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
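Review bot: in the @@ -1609 hunk of key_spdadd() (r308981) the optional lifetime test reads if (!SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD)), which is only readable once you know that both macros evaluate true on failure. Add a one-line comment at the first use stating that polarity, or wrap the "extension is present" case in a positively named helper, so the required and optional checks cannot be confused in later edits.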
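Review bot: in the @@ -1636 hunk of key_spdadd() (r308981) the sockaddr check calls key_senderror(so, m, error) even when key_checksockaddrs() succeeded and only src0->sadb_address_proto != dst0->sadb_address_proto failed, so error is 0 on that path; return EINVAL there, as key_spddelete() does in r308983. The same hunk drops the mhp->msg->sadb_msg_type != SADB_X_SPDSETIDX condition from the "policy requests are mandatory" test, which conflicts with the function comment describing SPDSETIDX as SPDADD without policy requests, and the new "a SP entry exists already." log string has lost its trailing newline.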
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 11:23:14 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308982 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 11:23:15 -0000 Author: ae Date: Tue Nov 22 11:23:14 2016 New Revision: 308982 URL: https://svnweb.freebsd.org/changeset/base/308982 Log: Modify key_getnewspid() to use SPHASH. Make key_newreqid() to be global, it will be used from outside key.c. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:18:19 2016 (r308981) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:23:14 2016 (r308982) @@ -1407,17 +1407,19 @@ key_msg2sp(struct sadb_x_policy *xpl0, s *error = 0; return (newsp); } -static u_int32_t -key_newreqid() + +uint32_t +key_newreqid(void) { - static u_int32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; + static uint32_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; - auto_reqid = (auto_reqid == ~0 - ? IPSEC_MANUAL_REQID_MAX + 1 : auto_reqid + 1); + if (auto_reqid == ~0) + auto_reqid = IPSEC_MANUAL_REQID_MAX + 1; + else + auto_reqid++; /* XXX should be unique check */ - - return auto_reqid; + return (auto_reqid); } /* 
@@ -1783,30 +1785,32 @@ key_spdadd(struct socket *so, struct mbu * 0: failure. * others: success. */ -static u_int32_t -key_getnewspid() +static uint32_t +key_getnewspid(void) { - u_int32_t newid = 0; - int count = V_key_spi_trycnt; /* XXX */ struct secpolicy *sp; + uint32_t newid = 0; + int count = V_key_spi_trycnt; /* XXX */ - /* when requesting to allocate spi ranged */ + SPTREE_WLOCK_ASSERT(); while (count--) { - newid = (V_policy_id = (V_policy_id == ~0 ? 1 : V_policy_id + 1)); - - if ((sp = key_getspbyid(newid)) == NULL) + if (V_policy_id == ~0) /* overflowed */ + newid = V_policy_id = 1; + else + newid = ++V_policy_id; + LIST_FOREACH(sp, SPHASH_HASH(newid), idhash) { + if (sp->id == newid) + break; + } + if (sp == NULL) break; - - KEY_FREESP(&sp); } - if (count == 0 || newid == 0) { - ipseclog((LOG_DEBUG, "%s: to allocate policy id is failed.\n", - __func__)); - return 0; + ipseclog((LOG_DEBUG, "%s: failed to allocate policy id.\n", + __func__)); + return (0); } - - return newid; + return (newid); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 11:27:44 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7117FC4F554 for ; Tue, 22 Nov 2016 11:27:44 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4E3F41A36; Tue, 22 Nov 2016 11:27:44 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMBRh2q004121; Tue, 22 Nov 2016 11:27:43 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMBRhL9004120; Tue, 22 Nov 2016 11:27:43 GMT 
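Review bot: key_newreqid() becomes a global function in the @@ -1407 hunk (r308982) while still updating the function-local static auto_reqid with no lock or atomic visible, and the "XXX should be unique check" comment is carried over unchanged. Now that callers outside key.c are expected, document which lock they must hold or make the increment atomic, and say in the function comment that the returned reqid is not checked for uniqueness.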
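Review bot: in the @@ -1783 hunk of key_getnewspid() (r308982) the unchanged failure test if (count == 0 || newid == 0) does not match the while (count--) loop above it. When every try collides, the loop exits with count == -1 and the last, in-use id is returned; when the final try finds a free id, count is 0 and that success is reported as failure. The rewritten loop leaves sp non-NULL when the candidate id is taken, so decide failure from the lookup result (with sp initialised for the zero-try case) instead of from count. The added SPTREE_WLOCK_ASSERT() is good.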
(envelope-from ae@FreeBSD.org) Message-Id: <201611221127.uAMBRhL9004120@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 11:27:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308983 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 11:27:44 -0000 Author: ae Date: Tue Nov 22 11:27:43 2016 New Revision: 308983 URL: https://svnweb.freebsd.org/changeset/base/308983 Log: Update key_spddelete() to do more accurate checks. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:23:14 2016 (r308982) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:27:43 2016 (r308983) @@ -1829,9 +1829,9 @@ static int key_spddelete(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { + struct secpolicyindex spidx; struct sadb_address *src0, *dst0; struct sadb_x_policy *xpl0; - struct secpolicyindex spidx; struct secpolicy *sp; IPSEC_ASSERT(so != NULL, ("null so")); 
@@ -1839,18 +1839,19 @@ key_spddelete(struct socket *so, struct IPSEC_ASSERT(mhp != NULL, ("null msghdr")); IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); - if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || - mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || - mhp->ext[SADB_X_EXT_POLICY] == NULL) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || + SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: missing required header.\n", + __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || - mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || + SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); return key_senderror(so, m, EINVAL); } 
@@ -1858,13 +1859,35 @@ key_spddelete(struct socket *so, struct dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; xpl0 = (struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY]; + /* check the direciton */ + switch (xpl0->sadb_x_policy_dir) { + case IPSEC_DIR_INBOUND: + case IPSEC_DIR_OUTBOUND: + break; + default: + ipseclog((LOG_DEBUG, "%s: invalid SP direction.\n", __func__)); + return key_senderror(so, m, EINVAL); + } + /* Only DISCARD, NONE and IPSEC are allowed */ + if (xpl0->sadb_x_policy_type != IPSEC_POLICY_DISCARD && + xpl0->sadb_x_policy_type != IPSEC_POLICY_NONE && + xpl0->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { + ipseclog((LOG_DEBUG, "%s: invalid policy type.\n", __func__)); + return key_senderror(so, m, EINVAL); + } + /* * Note: do not parse SADB_X_EXT_NAT_T_* here: * we are processing traffic endpoints. */ + if (key_checksockaddrs((struct sockaddr *)(src0 + 1), + (struct sockaddr *)(dst0 + 1)) != 0 || + src0->sadb_address_proto != dst0->sadb_address_proto) { + ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); + return key_senderror(so, m, EINVAL); + } /* make secindex */ - /* XXX boundary check against sa_len */ KEY_SETSECSPIDX(xpl0->sadb_x_policy_dir, src0 + 1, dst0 + 1, @@ -1873,16 +1896,6 @@ key_spddelete(struct socket *so, struct src0->sadb_address_proto, &spidx); - /* checking the direciton. */ - switch (xpl0->sadb_x_policy_dir) { - case IPSEC_DIR_INBOUND: - case IPSEC_DIR_OUTBOUND: - break; - default: - ipseclog((LOG_DEBUG, "%s: Invalid SP direction.\n", __func__)); - return key_senderror(so, m, EINVAL); - } - /* Is there SP in SPD ? */ if ((sp = key_getsp(&spidx)) == NULL) { ipseclog((LOG_DEBUG, "%s: no SP found.\n", __func__)); 
@@ -1892,8 +1905,11 @@ key_spddelete(struct socket *so, struct /* save policy id to buffer to be returned. */ xpl0->sadb_x_policy_id = sp->id; + KEYDBG(KEY_STAMP, + printf("%s: SP(%p)\n", __func__, sp)); + KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); key_unlink(sp); - KEY_FREESP(&sp); + key_freesp(&sp); { struct mbuf *n; From owner-svn-src-projects@freebsd.org Tue Nov 22 11:35:30 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CFC29C4F8C3 for ; Tue, 22 Nov 2016 11:35:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 86DE91F8E; Tue, 22 Nov 2016 11:35:30 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMBZTqT007876; Tue, 22 Nov 2016 11:35:29 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMBZTCp007875; Tue, 22 Nov 2016 11:35:29 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221135.uAMBZTCp007875@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
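Review bot: In the key_spddelete() hunk at -1858,13 the "XXX boundary check against sa_len" comment is deleted in favour of key_checksockaddrs(), but that call receives only the two sockaddr pointers (src0 + 1, dst0 + 1) and none of the mhp->extlen[] values, so nothing in these lines shows sa_len being bounded by the extension length before KEY_SETSECSPIDX() reads the addresses. Either pass the extension lengths to the check, make SADB_CHECKLEN() cover sizeof(struct sadb_address) plus the sockaddr that follows it, or keep the XXX until that is done. The moved comment also still reads "direciton".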
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 11:35:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308984 - projects/ipsec/sys/netipsec

Author: ae
Date: Tue Nov 22 11:35:29 2016
New Revision: 308984
URL: https://svnweb.freebsd.org/changeset/base/308984

Log:
  Modify key_spddelete2() to use SADB_CHECKHDR() and SADB_CHECKLEN().
  Also make some style changes and add debug code.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:27:43 2016 (r308983)
+++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:35:29 2016 (r308984)
@@ -1951,30 +1951,36 @@ static int key_spddelete2(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { - u_int32_t id; struct secpolicy *sp; + uint32_t id; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); IPSEC_ASSERT(mhp != NULL, ("null msghdr")); IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); - if (mhp->ext[SADB_X_EXT_POLICY] == NULL || - mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", __func__)); + if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) || + SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { + ipseclog((LOG_DEBUG, "%s: invalid message is passed.", + __func__)); return key_senderror(so, m, EINVAL); } - id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; + id = ((struct sadb_x_policy *) + mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; /* Is there SP in SPD ? */ if ((sp = key_getspbyid(id)) == NULL) { - ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id)); + ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n", + __func__, id)); return key_senderror(so, m, EINVAL); } + KEYDBG(KEY_STAMP, + printf("%s: SP(%p)\n", __func__, sp)); + KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); key_unlink(sp); - KEY_FREESP(&sp); + key_freesp(&sp); { struct mbuf *n, *nn; From owner-svn-src-projects@freebsd.org Tue Nov 22 11:52:34 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4A4BEC4F0D9 for ; Tue, 22 Nov 2016 11:52:34 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F1E731539; Tue, 22 Nov 2016 11:52:33 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from 
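Review bot: The reworded ipseclog() call in the SADB_CHECKHDR()/SADB_CHECKLEN() branch of key_spddelete2() lost its trailing "\n" (it now ends "invalid message is passed."), while the "no SP found for id %u.\n" message a few lines below keeps it; please restore the newline. The log mentions only the macros, style and debug code, yet the hunk also replaces KEY_FREESP(&sp) with key_freesp(&sp); name that substitution in the commit message if it is more than a rename.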
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 11:52:33 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308991 - projects/ipsec/sys/netipsec

Author: ae
Date: Tue Nov 22 11:52:32 2016
New Revision: 308991
URL: https://svnweb.freebsd.org/changeset/base/308991

Log:
  Some style changes in key_spdget().

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:51:55 2016 (r308990)
+++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:52:32 2016 (r308991)
@@ -1961,7 +1961,7 @@ key_spddelete2(struct socket *so, struct if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) || SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.", + ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", __func__)); return key_senderror(so, m, EINVAL); } 
@@ -2045,33 +2045,35 @@ key_spddelete2(struct socket *so, struct static int key_spdget(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { - u_int32_t id; struct secpolicy *sp; struct mbuf *n; + uint32_t id; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); IPSEC_ASSERT(mhp != NULL, ("null msghdr")); IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); - if (mhp->ext[SADB_X_EXT_POLICY] == NULL || - mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { + if (SADB_CHECKHDR(mhp, SADB_X_EXT_POLICY) || + SADB_CHECKLEN(mhp, SADB_X_EXT_POLICY)) { ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + __func__)); return key_senderror(so, m, EINVAL); } - id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; + id = ((struct sadb_x_policy *) + mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id; /* Is there SP in SPD ? */ if ((sp = key_getspbyid(id)) == NULL) { - ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id)); + ipseclog((LOG_DEBUG, "%s: no SP found for id %u.\n", + __func__, id)); return key_senderror(so, m, ENOENT); } n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq, mhp->msg->sadb_msg_pid); - KEY_FREESP(&sp); + key_freesp(&sp); if (n != NULL) { m_freem(m); return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); From owner-svn-src-projects@freebsd.org Tue Nov 22 11:57:00 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 44A7BC4F1AD for ; Tue, 22 Nov 2016 11:57:00 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 147E016F5; Tue, 22 Nov 2016 11:57:00 +0000 (UTC) (envelope-from ae@FreeBSD.org) 
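Review bot: The log calls this a style change, but the key_spdget() hunk replaces the open-coded mhp->ext[]/mhp->extlen[] test with SADB_CHECKHDR()/SADB_CHECKLEN() and KEY_FREESP(&sp) with key_freesp(&sp); those are functional substitutions and should be named in the commit message or committed separately, so that a later bisect does not skip this revision as cosmetic. The first hunk of this revision also touches key_spddelete2() rather than key_spdget(), restoring the "\n" that r308984 dropped from its ipseclog() string.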
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 11:56:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308992 - projects/ipsec/sys/netipsec

Author: ae
Date: Tue Nov 22 11:56:58 2016
New Revision: 308992
URL: https://svnweb.freebsd.org/changeset/base/308992

Log:
  Use key_sp2mbuf() in key_spdexpire(). Also add debug code.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:52:32 2016 (r308991)
+++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:56:58 2016 (r308992)
@@ -2377,15 +2377,16 @@ key_getspreqmsglen(struct secpolicy *sp) static int key_spdexpire(struct secpolicy *sp) { - struct mbuf *result = NULL, *m; - int len; - int error = -1; struct sadb_lifetime *lt; - - /* XXX: Why do we lock ? */ + struct mbuf *result = NULL, *m; + int len, error = -1; IPSEC_ASSERT(sp != NULL, ("null secpolicy")); + KEYDBG(KEY_STAMP, + printf("%s: SP(%p)\n", __func__, sp)); + KEYDBG(KEY_DATA, kdebug_secpolicy(sp)); + /* set msg header */ m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0); if (!m) { @@ -2446,7 +2447,7 @@ key_spdexpire(struct secpolicy *sp) m_cat(result, m); /* set secpolicy */ - m = key_sp2msg(sp); + m = key_sp2mbuf(sp); if (!m) { error = ENOBUFS; goto fail; From owner-svn-src-projects@freebsd.org Tue Nov 22 12:23:56 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 68A5DC4C56C for ; Tue, 22 Nov 2016 12:23:56 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 43FB0DE4; Tue, 22 Nov 2016 12:23:56 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMCNtuh028380; Tue, 22 Nov 2016 12:23:55 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMCNtIC028379; Tue, 22 Nov 2016 12:23:55 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221223.uAMCNtIC028379@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
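Review bot: The first hunk deletes the "XXX: Why do we lock ?" comment from key_spdexpire() without the log saying whether the locking question was settled. If the function needs no lock, or the caller is expected to hold one, state that in a comment or assert it at the top of the function next to IPSEC_ASSERT(sp != NULL, ...). The added KEYDBG(KEY_STAMP, ...) line prints the policy's kernel address with %p, which is fine only as long as it stays behind the debug knob.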
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 12:23:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308993 - projects/ipsec/sys/netipsec

Author: ae
Date: Tue Nov 22 12:23:55 2016
New Revision: 308993
URL: https://svnweb.freebsd.org/changeset/base/308993

Log:
  Update key_newsah() and key_delsah() to reflect changes in SADB.
  Now SA head has refcount. Properly initialize refcnt and both
  savtree_larval and savtree_alive. Add key_freesah() function to
  release refcount and call key_delsah() for last reference.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Tue Nov 22 11:56:58 2016 (r308992)
+++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 12:23:55 2016 (r308993)
@@ -2484,74 +2484,59 @@ key_spdexpire(struct secpolicy *sp) /* %%% SAD management */ /* - * allocating a memory for new SA head, and copy from the values of mhp. + * allocating and initialize new SA head. * OUT: NULL : failure due to the lack of memory. * others : pointer to new SA head. */ static struct secashead * key_newsah(struct secasindex *saidx) { - struct secashead *newsah; + struct secashead *sah; - IPSEC_ASSERT(saidx != NULL, ("null saidx")); + sah = malloc(sizeof(struct secashead), M_IPSEC_SAH, + M_NOWAIT | M_ZERO); + if (sah == NULL) + return (NULL); + TAILQ_INIT(&sah->savtree_larval); + TAILQ_INIT(&sah->savtree_alive); + sah->saidx = *saidx; + sah->state = SADB_SASTATE_DEAD; + SAH_INITREF(sah); + + KEYDBG(KEY_STAMP, + printf("%s: SAH(%p)\n", __func__, sah)); + KEYDBG(KEY_DATA, kdebug_secash(sah, NULL)); + return (sah); +} + +static void +key_freesah(struct secashead **psah) +{ + struct secashead *sah = *psah; - newsah = malloc(sizeof(struct secashead), M_IPSEC_SAH, M_NOWAIT|M_ZERO); - if (newsah != NULL) { - int i; - for (i = 0; i < sizeof(newsah->savtree)/sizeof(newsah->savtree[0]); i++) - LIST_INIT(&newsah->savtree[i]); - newsah->saidx = *saidx; + if (SAH_DELREF(sah) == 0) + return; - /* add to saidxtree */ - newsah->state = SADB_SASTATE_MATURE; + KEYDBG(KEY_STAMP, + printf("%s: last reference to SAH(%p)\n", __func__, sah)); + KEYDBG(KEY_DATA, kdebug_secash(sah, NULL)); - SAHTREE_LOCK(); - LIST_INSERT_HEAD(&V_sahtree, newsah, chain); - SAHTREE_UNLOCK(); - } - return(newsah); + *psah = NULL; + key_delsah(sah); } -/* - * delete SA index and all SA registerd. 
- */ static void key_delsah(struct secashead *sah) { - struct secasvar *sav, *nextsav; - u_int stateidx; - int zombie = 0; - IPSEC_ASSERT(sah != NULL, ("NULL sah")); - SAHTREE_LOCK_ASSERT(); + IPSEC_ASSERT(sah->state == SADB_SASTATE_DEAD, + ("Attempt to free non DEAD SAH %p", sah)); + IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_larval), + ("Attempt to free SAH %p with LARVAL SA", sah)); + IPSEC_ASSERT(TAILQ_EMPTY(&sah->savtree_alive), + ("Attempt to free SAH %p with ALIVE SA", sah)); - /* searching all SA registerd in the secindex. */ - for (stateidx = 0; - stateidx < _ARRAYLEN(saorder_state_any); - stateidx++) { - u_int state = saorder_state_any[stateidx]; - LIST_FOREACH_SAFE(sav, &sah->savtree[state], chain, nextsav) { - if (sav->refcnt == 0) { - /* sanity check */ - KEY_CHKSASTATE(state, sav->state, __func__); - /* - * do NOT call KEY_FREESAV here: - * it will only delete the sav if refcnt == 1, - * where we already know that refcnt == 0 - */ - key_delsav(sav); - } else { - /* give up to delete this sa */ - zombie++; - } - } - } - if (!zombie) { /* delete only if there are savs */ - /* remove from tree of SA index */ - if (__LIST_CHAINED(sah)) - LIST_REMOVE(sah, chain); - free(sah, M_IPSEC_SAH); - } + free(sah, M_IPSEC_SAH); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 12:29:25 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A6659C4C703 for ; Tue, 22 Nov 2016 12:29:25 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7342EFCC; Tue, 22 Nov 2016 12:29:25 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) 
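Review bot: In key_freesah(), *psah = NULL is executed only on the last-reference path; when SAH_DELREF(sah) == 0 the function returns early and the caller keeps a non-NULL pointer to an SAH it no longer holds a reference on. Clear *psah before the SAH_DELREF() test so every caller's pointer is invalidated, whichever path is taken. In the same hunk key_newsah() drops IPSEC_ASSERT(saidx != NULL, ...) while still dereferencing *saidx, and key_delsah() now guards free() only with IPSEC_ASSERT()s on the state and the two savtree lists, so those invariants are enforced only where the assertions are compiled in.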
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 12:29:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308994 - projects/ipsec/sys/netipsec

Author: ae
Date: Tue Nov 22 12:29:24 2016
New Revision: 308994
URL: https://svnweb.freebsd.org/changeset/base/308994

Log:
  Add key_lft_zone UMA zone to keep PCPU current lifetime counters.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Tue Nov 22 12:23:55 2016 (r308993)
+++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 12:29:24 2016 (r308994)
@@ -59,6 +59,8 @@ #include #include +#include + #include #include #include @@ -462,6 +464,9 @@ MALLOC_DEFINE(M_IPSEC_MISC, "ipsec-misc" MALLOC_DEFINE(M_IPSEC_SAQ, "ipsec-saq", "ipsec sa acquire"); MALLOC_DEFINE(M_IPSEC_SAR, "ipsec-reg", "ipsec sa acquire"); +static VNET_DEFINE(uma_zone_t, key_lft_zone); +#define V_key_lft_zone VNET(key_lft_zone) + /* * set parameters into secpolicyindex buffer. * Must allocate secpolicyindex buffer passed to this function. 
@@ -7438,6 +7443,10 @@ key_init(void) for (i = 0; i < IPSEC_DIR_MAX; i++) TAILQ_INIT(&V_sptree[i]); + V_key_lft_zone = uma_zcreate("IPsec SA lft_c", + sizeof(uint64_t) * 2, NULL, NULL, NULL, NULL, + UMA_ALIGN_PTR, UMA_ZONE_PCPU); + LIST_INIT(&V_sahtree); V_sphashtbl = hashinit(SPHASH_NHASH, M_IPSEC_SP, &V_sphash_mask); V_savhashtbl = hashinit(SAVHASH_NHASH, M_IPSEC_SA, &V_savhash_mask); @@ -7542,6 +7551,7 @@ key_destroy(void) } } SPACQ_UNLOCK(); + uma_zdestroy(V_key_lft_zone); } #endif From owner-svn-src-projects@freebsd.org Tue Nov 22 13:43:07 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BF8B1C4E428 for ; Tue, 22 Nov 2016 13:43:07 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 99C431C99; Tue, 22 Nov 2016 13:43:07 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMDh678060664; Tue, 22 Nov 2016 13:43:06 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMDh6jk060663; Tue, 22 Nov 2016 13:43:06 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221343.uAMDh6jk060663@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
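Review bot: In the key_init() hunk the zone item size is written as sizeof(uint64_t) * 2, with nothing tying the 2 to the counters the item holds. Define a small struct or a named constant for the per-SA current-lifetime counters and take sizeof() of that, so a counter cannot be added later without the zone being resized with it. In key_destroy(), uma_zdestroy(V_key_lft_zone) deserves a comment stating that every item allocated from the zone has been returned by that point.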
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 13:43:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308997 - projects/ipsec/sys/netipsec

Author: ae
Date: Tue Nov 22 13:43:06 2016
New Revision: 308997
URL: https://svnweb.freebsd.org/changeset/base/308997

Log:
  Rework key_newsav(). This function is used by SADB_GETSPI and SADB_ADD
  handlers. It allocates a new SA and, depending on the SADB message,
  does some initialization. SADB_GETSPI initializes only a few of the
  SA's fields. This SA is stored with LARVAL state in the savtree_larval
  list of the SA head. Then it can be updated by a SADB_UPDATE message.
  SADB_ADD initializes all of the SA's fields and this SA is stored with
  MATURE state in the savtree_alive list; after initialization it is
  allowed to change only the SA's lifetime fields.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:30:07 2016 (r308996)
+++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:43:06 2016 (r308997)
@@ -2545,103 +2545,150 @@ key_delsah(struct secashead *sah) } /* - * allocating a new SA with LARVAL state. key_add() and key_getspi() call, + * allocating a new SA for key_add() and key_getspi() call, * and copy the values of mhp into new buffer. - * When SAD message type is GETSPI: - * to set sequence number from acq_seq++, - * to set zero to SPI. - * not to call key_setsava(). + * When SAD message type is SADB_GETSPI set SA state to LARVAL. + * For SADB_ADD create and initialize SA with MATURE state. * OUT: NULL : fail * others : pointer to new secasvar. - * - * does not modify mbuf. does not free mbuf on error. */ static struct secasvar * -key_newsav(struct mbuf *m, const struct sadb_msghdr *mhp, - struct secashead *sah, int *errp, const char *where, int tag) +key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx, + uint32_t spi, int *errp) { - struct secasvar *newsav; - const struct sadb_sa *xsa; + struct secashead *sah; + struct secasvar *sav; + int isnew; - IPSEC_ASSERT(m != NULL, ("null mbuf")); IPSEC_ASSERT(mhp != NULL, ("null msghdr")); IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); - IPSEC_ASSERT(sah != NULL, ("null secashead")); + IPSEC_ASSERT(mhp->msg->sadb_msg_type == SADB_GETSPI || + mhp->msg->sadb_msg_type == SADB_ADD, ("wrong message type")); - newsav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT|M_ZERO); - if (newsav == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); - *errp = ENOBUFS; - goto done; - } - - switch (mhp->msg->sadb_msg_type) { - case SADB_GETSPI: - newsav->spi = 0; - -#ifdef IPSEC_DOSEQCHECK - /* sync sequence number */ - if (mhp->msg->sadb_msg_seq == 0) - newsav->seq = - (V_acq_seq = (V_acq_seq == ~0 ? 
1 : ++V_acq_seq)); - else -#endif - newsav->seq = mhp->msg->sadb_msg_seq; - break; - - case SADB_ADD: - /* sanity check */ - if (mhp->ext[SADB_EXT_SA] == NULL) { - free(newsav, M_IPSEC_SA); - newsav = NULL; - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + sav = NULL; + sah = NULL; + /* check SPI value */ + switch (saidx->proto) { + case IPPROTO_ESP: + case IPPROTO_AH: + /* + * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values + * 1-255 reserved by IANA for future use, + * 0 for implementation specific, local use. + */ + if (ntohl(spi) <= 255) { + ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n", + __func__, ntohl(spi))); *errp = EINVAL; goto done; } - xsa = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA]; - newsav->spi = xsa->sadb_sa_spi; - newsav->seq = mhp->msg->sadb_msg_seq; break; - default: - free(newsav, M_IPSEC_SA); - newsav = NULL; - *errp = EINVAL; - goto done; } + sav = malloc(sizeof(struct secasvar), M_IPSEC_SA, M_NOWAIT | M_ZERO); + if (sav == NULL) { + ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); + *errp = ENOBUFS; + goto done; + } + sav->lft_c = uma_zalloc(V_key_lft_zone, M_NOWAIT); + if (sav->lft_c == NULL) { + ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); + free(sav, M_IPSEC_SA), sav = NULL; + *errp = ENOBUFS; + goto done; + } + counter_u64_zero(sav->lft_c_allocations); + counter_u64_zero(sav->lft_c_bytes); - /* copy sav values */ - if (mhp->msg->sadb_msg_type != SADB_GETSPI) { - *errp = key_setsaval(newsav, m, mhp); - if (*errp) { - free(newsav, M_IPSEC_SA); - newsav = NULL; + sav->spi = spi; + sav->seq = mhp->msg->sadb_msg_seq; + sav->state = SADB_SASTATE_LARVAL; + sav->pid = (pid_t)mhp->msg->sadb_msg_pid; + SAV_INITREF(sav); + SECASVAR_LOCK_INIT(sav); +again: + sah = key_getsah(saidx); + if (sah == NULL) { + /* create a new SA index */ + sah = key_newsah(saidx); + if (sah == NULL) { + ipseclog((LOG_DEBUG, + "%s: No more memory.\n", __func__)); + *errp = ENOBUFS; goto done; } + isnew = 
1; + } else + isnew = 0; + + sav->sah = sah; + if (mhp->msg->sadb_msg_type == SADB_GETSPI) { + sav->created = time_second; + } else if (sav->state == SADB_SASTATE_LARVAL) { + /* + * Do not call key_setsaval() second time in case + * of `goto again`. We will have MATURE state. + */ + *errp = key_setsaval(sav, mhp); + if (*errp != 0) + goto done; + sav->state = SADB_SASTATE_MATURE; } - SECASVAR_LOCK_INIT(newsav); - - /* reset created */ - newsav->created = time_second; - newsav->pid = mhp->msg->sadb_msg_pid; - - /* add to satree */ - newsav->sah = sah; - sa_initref(newsav); - newsav->state = SADB_SASTATE_LARVAL; - - SAHTREE_LOCK(); - LIST_INSERT_TAIL(&sah->savtree[SADB_SASTATE_LARVAL], newsav, - secasvar, chain); - SAHTREE_UNLOCK(); + SAHTREE_WLOCK(); + /* + * Check that existing SAH wasn't unlinked. + * Since we didn't hold the SAHTREE lock, it is possible, + * that callout handler or key_flush() or key_delete() could + * unlink this SAH. + */ + if (isnew == 0 && sah->state == SADB_SASTATE_DEAD) { + SAHTREE_WUNLOCK(); + key_freesah(&sah); /* reference from key_getsah() */ + goto again; + } + if (isnew != 0) { + /* + * Add new SAH into SADB. + * + * XXXAE: we can serialize key_add and key_getspi calls, so + * several threads will not fight in the race. + * Otherwise we should check under SAHTREE lock, that this + * SAH would not added twice. + */ + TAILQ_INSERT_HEAD(&V_sahtree, sah, chain); + /* Add new SAH into hash by addresses */ + LIST_INSERT_HEAD(SAHADDRHASH_HASH(saidx), sah, addrhash); + /* Now we are linked in the chain */ + sah->state = SADB_SASTATE_MATURE; + /* + * SAV references this new SAH. + * In case of existing SAH we reuse reference + * from key_getsah(). 
+ */ + SAH_ADDREF(sah); + } + /* Link SAV with SAH */ + if (sav->state == SADB_SASTATE_MATURE) + TAILQ_INSERT_HEAD(&sah->savtree_alive, sav, chain); + else + TAILQ_INSERT_HEAD(&sah->savtree_larval, sav, chain); + /* Add SAV into SPI hash */ + LIST_INSERT_HEAD(SAVHASH_HASH(sav->spi), sav, spihash); + SAHTREE_WUNLOCK(); + *errp = 0; /* success */ done: - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s from %s:%u return SP:%p\n", __func__, - where, tag, newsav)); - - return newsav; + if (*errp != 0) { + if (sav != NULL) { + SECASVAR_LOCK_DESTROY(sav); + uma_zfree(V_key_lft_zone, sav->lft_c); + free(sav, M_IPSEC_SA), sav = NULL; + } + if (sah != NULL) + key_freesah(&sah); + } + return (sav); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 13:53:39 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4AE96C4E800 for ; Tue, 22 Nov 2016 13:53:39 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 16BD42B9; Tue, 22 Nov 2016 13:53:39 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMDrcg9064884; Tue, 22 Nov 2016 13:53:38 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMDrcCe064883; Tue, 22 Nov 2016 13:53:38 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221353.uAMDrcCe064883@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
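Review bot: The isnew != 0 branch of key_newsav() inserts the new SAH into V_sahtree and SAHADDRHASH_HASH(saidx) without re-checking under SAHTREE_WLOCK() that another thread has not inserted the same saidx since key_getsah() returned NULL; the XXXAE comment acknowledges the race, but nothing in the function serializes key_add and key_getspi. Repeat the lookup under the write lock and drop the freshly allocated SAH if it loses, or assert the serializing lock here. The same question applies to LIST_INSERT_HEAD(SAVHASH_HASH(sav->spi), sav, spihash), which has no visible check that the SPI is not already hashed. On the error path after key_setsaval() fails, sav is freed without key_cleansav(), so confirm that key_setsaval() releases whatever it allocated. Minor: the SPI range comment cites RFC 4302 for both IPPROTO_ESP and IPPROTO_AH, but RFC 4302 is the AH document; ESP is RFC 4303.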
From: "Andrey V. Elsukov"
Date: Tue, 22 Nov 2016 13:53:38 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308998 - projects/ipsec/sys/netipsec

Author: ae
Date: Tue Nov 22 13:53:37 2016
New Revision: 308998
URL: https://svnweb.freebsd.org/changeset/base/308998

Log:
  Update key_delsav() and key_cleansav() to reflect changes in SADB.
  Also remove unused sched field from SA.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:43:06 2016 (r308997)
+++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:53:37 2016 (r308998)
@@ -2697,6 +2697,7 @@ done: static void key_cleansav(struct secasvar *sav) { + /* * Cleanup xform state. Note that zeroize'ing causes the * keys to be cleared; otherwise we must do it ourself. @@ -2722,19 +2723,10 @@ key_cleansav(struct secasvar *sav) free(sav->key_enc, M_IPSEC_MISC); sav->key_enc = NULL; } - if (sav->sched) { - bzero(sav->sched, sav->schedlen); - free(sav->sched, M_IPSEC_MISC); - sav->sched = NULL; - } if (sav->replay != NULL) { free(sav->replay, M_IPSEC_MISC); sav->replay = NULL; } - if (sav->lft_c != NULL) { - free(sav->lft_c, M_IPSEC_MISC); - sav->lft_c = NULL; - } if (sav->lft_h != NULL) { free(sav->lft_h, M_IPSEC_MISC); sav->lft_h = NULL; 
@@ -2752,16 +2744,17 @@ static void key_delsav(struct secasvar *sav) { IPSEC_ASSERT(sav != NULL, ("null sav")); - IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0", sav->refcnt)); + IPSEC_ASSERT(sav->state == SADB_SASTATE_DEAD, + ("attempt to free non DEAD SA %p", sav)); + IPSEC_ASSERT(sav->refcnt == 0, ("reference count %u > 0", + sav->refcnt)); - /* remove from SA header */ - if (__LIST_CHAINED(sav)) - LIST_REMOVE(sav, chain); + /* SA must be unlinked from the chain and hashtbl */ key_cleansav(sav); SECASVAR_LOCK_DESTROY(sav); + uma_zfree(V_key_lft_zone, sav->lft_c); free(sav, M_IPSEC_SA); } - /* * search SAD. * OUT: From owner-svn-src-projects@freebsd.org Tue Nov 22 13:56:23 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E364AC4E931 for ; Tue, 22 Nov 2016 13:56:23 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B069A7AC; Tue, 22 Nov 2016 13:56:23 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMDuMtp065163; Tue, 22 Nov 2016 13:56:22 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMDuMgQ065162; Tue, 22 Nov 2016 13:56:22 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221356.uAMDuMgQ065162@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
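Review bot: key_delsav() replaces the LIST_REMOVE() with the comment "SA must be unlinked from the chain and hashtbl", but the only checks are the IPSEC_ASSERT()s on state == SADB_SASTATE_DEAD and refcnt == 0, and neither proves the SAV is off the SAH list and the SPI hash before free(sav, M_IPSEC_SA). A caller that forgets to unlink would leave freed memory on both lists. Name in the comment the function that performs the unlink and sets DEAD, and say which lock it holds while doing so. The hunk also removes the blank line between the closing brace of key_delsav() and the following comment block.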
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 13:56:22 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308999 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 13:56:24 -0000 Author: ae Date: Tue Nov 22 13:56:22 2016 New Revision: 308999 URL: https://svnweb.freebsd.org/changeset/base/308999 Log: Update key_getsah() to use SAHADDRHASH and return referenced value. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:53:37 2016 (r308998) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:56:22 2016 (r308999) 
@@ -2755,27 +2755,28 @@ key_delsav(struct secasvar *sav) uma_zfree(V_key_lft_zone, sav->lft_c); free(sav, M_IPSEC_SA); } + /* - * search SAD. + * search SAH. * OUT: * NULL : not found - * others : found, pointer to a SA. + * others : found, referenced pointer to a SAH. */ static struct secashead * key_getsah(struct secasindex *saidx) { + SAHTREE_RLOCK_TRACKER; struct secashead *sah; - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - if (sah->state == SADB_SASTATE_DEAD) - continue; - if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID)) - break; + SAHTREE_RLOCK(); + LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { + if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID) != 0) { + SAH_ADDREF(sah); + break; + } } - SAHTREE_UNLOCK(); - - return sah; + SAHTREE_RUNLOCK(); + return (sah); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 13:58:25 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E55ECC4E9AD for ; Tue, 22 Nov 2016 13:58:25 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B5131924; Tue, 22 Nov 2016 13:58:25 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMDwOfk065288; Tue, 22 Nov 2016 13:58:24 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMDwOsc065287; Tue, 22 Nov 2016 13:58:24 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221358.uAMDwOsc065287@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
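Review bot: in the key_getsah() hunk of r308999, the new loop no longer skips entries with sah->state == SADB_SASTATE_DEAD, so a dead SAH that is still linked on its SAHADDRHASH bucket would be returned with a fresh reference from SAH_ADDREF(). If dead entries are always unlinked from the address hash before they are marked dead, say so in the header comment; otherwise keep the state check inside the loop. The comparison flag also changes from CMP_REQID to CMP_MODE_REQID, which the log message does not mention, and the function now returns a referenced pointer while no caller is updated in this commit to release it.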
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 13:58:24 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309000 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 13:58:26 -0000 Author: ae Date: Tue Nov 22 13:58:24 2016 New Revision: 309000 URL: https://svnweb.freebsd.org/changeset/base/309000 Log: Update key_checkspidup() to use SPI hash. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:56:22 2016 (r308999) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:58:24 2016 (r309000) 
@@ -2780,38 +2780,25 @@ key_getsah(struct secasindex *saidx) } /* - * check not to be duplicated SPI. - * NOTE: this function is too slow due to searching all SAD. + * Check not to be duplicated SPI. * OUT: - * NULL : not found - * others : found, pointer to a SA. + * 0 : not found + * 1 : found SA with given SPI. */ -static struct secasvar * -key_checkspidup(struct secasindex *saidx, u_int32_t spi) +static int +key_checkspidup(uint32_t spi) { - struct secashead *sah; + SAHTREE_RLOCK_TRACKER; struct secasvar *sav; - /* check address family */ - if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) { - ipseclog((LOG_DEBUG, "%s: address family mismatched.\n", - __func__)); - return NULL; - } - - sav = NULL; - /* check all SAD */ - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst)) - continue; - sav = key_getsavbyspi(sah, spi); - if (sav != NULL) + /* Assume SPI is in network byte order */ + SAHTREE_RLOCK(); + LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { + if (sav->spi == spi) break; } - SAHTREE_UNLOCK(); - - return sav; + SAHTREE_RUNLOCK(); + return (sav != NULL); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 14:03:10 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 651A3C4EC67 for ; Tue, 22 Nov 2016 14:03:10 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 34FA1DA2; Tue, 22 Nov 2016 14:03:10 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAME39EF069191; Tue, 22 Nov 2016 14:03:09 GMT (envelope-from ae@FreeBSD.org) 
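Review bot: in the key_checkspidup() hunk of r309000, the answer is computed under SAHTREE_RLOCK() and the lock is dropped before returning, so a 0 (not found) result can be stale by the time the caller links a new SA with that SPI. The caller has to repeat the check under whatever lock protects insertion into the SPI hash, or the header comment should state what serialises the check and the insert. The scope of the check changes as well: the removed code only looked at SAHs whose destination passed key_ismyaddr(), while the new loop treats any SA with the same SPI as a duplicate. The log message should say that SPI uniqueness is now enforced across the whole SPI hash.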
Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAME39ja069190; Tue, 22 Nov 2016 14:03:09 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221403.uAME39ja069190@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 14:03:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309001 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 14:03:10 -0000 Author: ae Date: Tue Nov 22 14:03:09 2016 New Revision: 309001 URL: https://svnweb.freebsd.org/changeset/base/309001 Log: Modify key_getsavbyspi() to use SPI hash. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 13:58:24 2016 (r309000) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 14:03:09 2016 (r309001) 
@@ -2802,41 +2802,27 @@ key_checkspidup(uint32_t spi) } /* - * search SAD litmited alive SA, protocol, SPI. + * Search SA by SPI. * OUT: * NULL : not found - * others : found, pointer to a SA. + * others : found, referenced pointer to a SA. */ static struct secasvar * -key_getsavbyspi(struct secashead *sah, u_int32_t spi) +key_getsavbyspi(uint32_t spi) { + SAHTREE_RLOCK_TRACKER; struct secasvar *sav; - u_int stateidx, state; - - sav = NULL; - SAHTREE_LOCK_ASSERT(); - /* search all status */ - for (stateidx = 0; - stateidx < _ARRAYLEN(saorder_state_alive); - stateidx++) { - - state = saorder_state_alive[stateidx]; - LIST_FOREACH(sav, &sah->savtree[state], chain) { - - /* sanity check */ - if (sav->state != state) { - ipseclog((LOG_DEBUG, "%s: " - "invalid sav->state (queue: %d SA: %d)\n", - __func__, state, sav->state)); - continue; - } - if (sav->spi == spi) - return sav; - } + /* Assume SPI is in network byte order */ + SAHTREE_RLOCK(); + LIST_FOREACH(sav, SAVHASH_HASH(spi), spihash) { + if (sav->spi != spi) + continue; + SAV_ADDREF(sav); + break; } - - return NULL; + SAHTREE_RUNLOCK(); + return (sav); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 14:11:19 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 80507C4EF0B for ; Tue, 22 Nov 2016 14:11:19 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 424831242; Tue, 22 Nov 2016 14:11:19 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMEBIH1073241; Tue, 22 Nov 2016 14:11:18 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) 
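Review bot: in the key_getsavbyspi() hunk of r309001, the match is on sav->spi == spi alone, whereas the removed code searched one SAH and only its saorder_state_alive lists. The new version can therefore hand back a referenced SA that belongs to a different SAH, or one that is not in an alive state, if such entries are linked on the spihash. Either filter on state here or document in the header comment which SAs are ever present in the SPI hash. The comment already says the pointer is referenced; it is worth adding which routine the caller must use to drop the reference taken by SAV_ADDREF().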
by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMEBImX073240; Tue, 22 Nov 2016 14:11:18 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221411.uAMEBImX073240@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 14:11:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309002 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 14:11:19 -0000 Author: ae Date: Tue Nov 22 14:11:18 2016 New Revision: 309002 URL: https://svnweb.freebsd.org/changeset/base/309002 Log: Add key_updatelifetimes() function to update SA lifetimes. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 14:03:09 2016 (r309001) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 14:11:18 2016 (r309002) 
@@ -2825,6 +2825,85 @@ key_getsavbyspi(uint32_t spi) return (sav); } +static int +key_updatelifetimes(struct secasvar *sav, const struct sadb_msghdr *mhp) +{ + struct seclifetime *lft_h, *lft_s, *tmp; + + /* Lifetime extension is optional, check that it is present. */ + if (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && + SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) { + /* + * In case of SADB_UPDATE we may need to change + * existing lifetimes. + */ + if (sav->state == SADB_SASTATE_MATURE) { + lft_h = lft_s = NULL; + goto reset; + } + return (0); + } + /* XXXAE: what should we do with CURRENT lifetime? */ + /* Both HARD and SOFT extensions must present */ + if ((SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && + !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || + (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && + !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { + ipseclog((LOG_DEBUG, + "%s: invalid message: missing required header.\n", + __func__)); + return (EINVAL); + } + if (SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_HARD) || + SADB_CHECKLEN(mhp, SADB_EXT_LIFETIME_SOFT)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); + return (EINVAL); + } + lft_h = key_dup_lifemsg((const struct sadb_lifetime *) + mhp->ext[SADB_EXT_LIFETIME_HARD], M_IPSEC_MISC); + if (lft_h == NULL) { + PFKEYSTAT_INC(in_nomem); + ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); + return (ENOBUFS); + } + lft_s = key_dup_lifemsg((const struct sadb_lifetime *) + mhp->ext[SADB_EXT_LIFETIME_SOFT], M_IPSEC_MISC); + if (lft_s == NULL) { + PFKEYSTAT_INC(in_nomem); + free(lft_h, M_IPSEC_MISC); + ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); + return (ENOBUFS); + } +reset: + if (sav->state != SADB_SASTATE_LARVAL) { + /* + * key_update() holds reference to this SA, + * so it won't be deleted in meanwhile. 
+ */ + SECASVAR_LOCK(sav); + tmp = sav->lft_h; + sav->lft_h = lft_h; + lft_h = tmp; + + tmp = sav->lft_s; + sav->lft_s = lft_s; + lft_s = tmp; + SECASVAR_UNLOCK(sav); + if (lft_h != NULL) + free(lft_h, M_IPSEC_MISC); + if (lft_s != NULL) + free(lft_s, M_IPSEC_MISC); + return (0); + } + /* We can update lifetime without holding a lock */ + IPSEC_ASSERT(sav->lft_h == NULL, ("lft_h is already initialized\n")); + IPSEC_ASSERT(sav->lft_s == NULL, ("lft_s is already initialized\n")); + sav->lft_h = lft_h; + sav->lft_s = lft_s; + return (0); +} + /* * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*. * You must update these if need. From owner-svn-src-projects@freebsd.org Tue Nov 22 14:25:26 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EF06DC4F176 for ; Tue, 22 Nov 2016 14:25:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AE9481932; Tue, 22 Nov 2016 14:25:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMEPPYW078138; Tue, 22 Nov 2016 14:25:25 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMEPPfX078137; Tue, 22 Nov 2016 14:25:25 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221425.uAMEPPfX078137@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
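Review bot: in key_updatelifetimes() added by r309002, when both lifetime extensions are missing and the SA is MATURE, the code sets lft_h = lft_s = NULL and jumps to reset:, which swaps those NULLs into sav->lft_h and sav->lft_s and frees the previous values. An SADB_UPDATE that simply omits the lifetime extensions therefore strips the hard and soft limits from a live SA. If that is intended, the comment should say so explicitly; if not, return 0 and leave the existing lifetimes in place. The first comment ("check that it is present") also reads opposite to the branch it sits on: the key_dup_lifemsg() calls further down are reached only when both SADB_CHECKHDR() tests are false, so a true result means the extension is absent. The XXXAE note about the CURRENT lifetime should be resolved or tracked before this leaves the project branch.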
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 14:25:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309003 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 14:25:27 -0000 Author: ae Date: Tue Nov 22 14:25:25 2016 New Revision: 309003 URL: https://svnweb.freebsd.org/changeset/base/309003 Log: Modify key_setsaval() to do more accurate checks on SA initialization. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 14:11:18 2016 (r309002) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 14:25:25 2016 (r309003) 
@@ -2905,59 +2905,51 @@ reset: } /* - * copy SA values from PF_KEY message except *SPI, SEQ, PID, STATE and TYPE*. - * You must update these if need. + * copy SA values from PF_KEY message except *SPI, SEQ, PID and TYPE*. + * You must update these if need. Expects only LARVAL SAs. * OUT: 0: success. * !0: failure. - * - * does not modify mbuf. does not free mbuf on error. */ static int -key_setsaval(struct secasvar *sav, struct mbuf *m, - const struct sadb_msghdr *mhp) +key_setsaval(struct secasvar *sav, const struct sadb_msghdr *mhp) { - int error = 0; + const struct sadb_sa *sa0; + const struct sadb_key *key0; + size_t len; + int error; - IPSEC_ASSERT(m != NULL, ("null mbuf")); IPSEC_ASSERT(mhp != NULL, ("null msghdr")); IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); + IPSEC_ASSERT(sav->state == SADB_SASTATE_LARVAL, + ("Attempt to update non LARVAL SA")); - /* initialization */ - sav->replay = NULL; - sav->key_auth = NULL; - sav->key_enc = NULL; - sav->sched = NULL; - sav->schedlen = 0; - sav->lft_c = NULL; - sav->lft_h = NULL; - sav->lft_s = NULL; - sav->tdb_xform = NULL; /* transform */ - sav->tdb_encalgxform = NULL; /* encoding algorithm */ - sav->tdb_authalgxform = NULL; /* authentication algorithm */ - sav->tdb_compalgxform = NULL; /* compression algorithm */ - /* Initialize even if NAT-T not compiled in: */ - sav->natt_type = 0; - sav->natt_esp_frag_len = 0; + /* XXX rewrite */ + error = key_setident(sav->sah, mhp); + if (error != 0) + goto fail; - /* SA */ - if (mhp->ext[SADB_EXT_SA] != NULL) { - const struct sadb_sa *sa0; + error = key_setnatt(sav, mhp); + if (error != 0) + goto fail; - sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA]; - if (mhp->extlen[SADB_EXT_SA] < sizeof(*sa0)) { + /* SA */ + if (!SADB_CHECKHDR(mhp, SADB_EXT_SA)) { + if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) { error = EINVAL; goto fail; } - + sa0 = (const struct sadb_sa *)mhp->ext[SADB_EXT_SA]; sav->alg_auth = sa0->sadb_sa_auth; sav->alg_enc = sa0->sadb_sa_encrypt; sav->flags = 
sa0->sadb_sa_flags; /* replay window */ if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) { - sav->replay = (struct secreplay *) - malloc(sizeof(struct secreplay)+sa0->sadb_sa_replay, M_IPSEC_MISC, M_NOWAIT|M_ZERO); + sav->replay = malloc(sizeof(struct secreplay) + + sa0->sadb_sa_replay, M_IPSEC_MISC, + M_NOWAIT | M_ZERO); if (sav->replay == NULL) { + PFKEYSTAT_INC(in_nomem); ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); error = ENOBUFS; @@ -2970,18 +2962,14 @@ key_setsaval(struct secasvar *sav, struc } /* Authentication keys */ - if (mhp->ext[SADB_EXT_KEY_AUTH] != NULL) { - const struct sadb_key *key0; - int len; - - key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH]; - len = mhp->extlen[SADB_EXT_KEY_AUTH]; - - error = 0; - if (len < sizeof(*key0)) { + if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) { + if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH)) { error = EINVAL; goto fail; } + error = 0; + key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_AUTH]; + len = mhp->extlen[SADB_EXT_KEY_AUTH]; switch (mhp->msg->sadb_msg_satype) { case SADB_SATYPE_AH: case SADB_SATYPE_ESP: 
@@ -3001,29 +2989,25 @@ key_setsaval(struct secasvar *sav, struc goto fail; } - sav->key_auth = (struct seckey *)key_dup_keymsg(key0, len, - M_IPSEC_MISC); + sav->key_auth = key_dup_keymsg(key0, len, M_IPSEC_MISC); if (sav->key_auth == NULL ) { ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); + PFKEYSTAT_INC(in_nomem); error = ENOBUFS; goto fail; } } /* Encryption key */ - if (mhp->ext[SADB_EXT_KEY_ENCRYPT] != NULL) { - const struct sadb_key *key0; - int len; - - key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT]; - len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; - - error = 0; - if (len < sizeof(*key0)) { + if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) { + if (SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT)) { error = EINVAL; goto fail; } + error = 0; + key0 = (const struct sadb_key *)mhp->ext[SADB_EXT_KEY_ENCRYPT]; + len = mhp->extlen[SADB_EXT_KEY_ENCRYPT]; switch (mhp->msg->sadb_msg_satype) { case SADB_SATYPE_ESP: if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && @@ -3031,12 +3015,11 @@ key_setsaval(struct secasvar *sav, struc error = EINVAL; break; } - sav->key_enc = (struct seckey *)key_dup_keymsg(key0, - len, - M_IPSEC_MISC); + sav->key_enc = key_dup_keymsg(key0, len, M_IPSEC_MISC); if (sav->key_enc == NULL) { ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); + PFKEYSTAT_INC(in_nomem); error = ENOBUFS; goto fail; } 
@@ -3061,87 +3044,80 @@ key_setsaval(struct secasvar *sav, struc /* set iv */ sav->ivlen = 0; - switch (mhp->msg->sadb_msg_satype) { case SADB_SATYPE_AH: + if (sav->flags & SADB_X_EXT_DERIV) { + ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " + "given to AH SA.\n", __func__)); + error = EINVAL; + goto fail; + } + if (sav->alg_enc != SADB_EALG_NONE) { + ipseclog((LOG_DEBUG, "%s: protocol and algorithm " + "mismated.\n", __func__)); + error = EINVAL; + goto fail; + } error = xform_init(sav, XF_AH); break; case SADB_SATYPE_ESP: + if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) == + (SADB_X_EXT_OLD | SADB_X_EXT_DERIV)) { + ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " + "given to old-esp.\n", __func__)); + error = EINVAL; + goto fail; + } error = xform_init(sav, XF_ESP); break; case SADB_X_SATYPE_IPCOMP: + if (sav->alg_auth != SADB_AALG_NONE) { + ipseclog((LOG_DEBUG, "%s: protocol and algorithm " + "mismated.\n", __func__)); + error = EINVAL; + goto fail; + } + if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 && + ntohl(sav->spi) >= 0x10000) { + ipseclog((LOG_DEBUG, "%s: invalid cpi for IPComp.\n", + __func__)); + error = EINVAL; + goto fail; + } error = xform_init(sav, XF_IPCOMP); break; case SADB_X_SATYPE_TCPSIGNATURE: + if (sav->alg_enc != SADB_EALG_NONE) { + ipseclog((LOG_DEBUG, "%s: protocol and algorithm " + "mismated.\n", __func__)); + error = EINVAL; + goto fail; + } error = xform_init(sav, XF_TCPSIGNATURE); break; + default: + ipseclog((LOG_DEBUG, "%s: Invalid satype.\n", __func__)); + error = EPROTONOSUPPORT; + goto fail; } if (error) { ipseclog((LOG_DEBUG, "%s: unable to initialize SA type %u.\n", - __func__, mhp->msg->sadb_msg_satype)); + __func__, mhp->msg->sadb_msg_satype)); goto fail; } - /* reset created */ + /* Initialize lifetime for CURRENT */ + sav->firstused = 0; sav->created = time_second; - /* make lifetime for CURRENT */ - sav->lft_c = malloc(sizeof(struct seclifetime), M_IPSEC_MISC, M_NOWAIT); - if (sav->lft_c == NULL) { - 
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); - error = ENOBUFS; - goto fail; - } - - sav->lft_c->allocations = 0; - sav->lft_c->bytes = 0; - sav->lft_c->addtime = time_second; - sav->lft_c->usetime = 0; - /* lifetimes for HARD and SOFT */ - { - const struct sadb_lifetime *lft0; - - lft0 = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD]; - if (lft0 != NULL) { - if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(*lft0)) { - error = EINVAL; - goto fail; - } - sav->lft_h = key_dup_lifemsg(lft0, M_IPSEC_MISC); - if (sav->lft_h == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); - error = ENOBUFS; - goto fail; - } - /* to be initialize ? */ - } - - lft0 = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_SOFT]; - if (lft0 != NULL) { - if (mhp->extlen[SADB_EXT_LIFETIME_SOFT] < sizeof(*lft0)) { - error = EINVAL; - goto fail; - } - sav->lft_s = key_dup_lifemsg(lft0, M_IPSEC_MISC); - if (sav->lft_s == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); - error = ENOBUFS; - goto fail; - } - /* to be initialize ? */ - } - } - - return 0; - - fail: - /* initialization */ + error = key_updatelifetimes(sav, mhp); + if (error == 0) + return (0); +fail: key_cleansav(sav); - - return error; + return (error); } - /* * validation with a secasvar entry, and set SADB_SATYPE_MATURE. 
* OUT: 0: valid From owner-svn-src-projects@freebsd.org Tue Nov 22 14:31:50 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CBD6DC4F331 for ; Tue, 22 Nov 2016 14:31:50 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8FDB41CAB; Tue, 22 Nov 2016 14:31:50 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMEVnSa082145; Tue, 22 Nov 2016 14:31:49 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMEVnq9082144; Tue, 22 Nov 2016 14:31:49 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221431.uAMEVnq9082144@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
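Review bot: in the first key_setsaval() hunk of r309003, the block that set sav->replay, key_auth, key_enc, lft_h, lft_s and the tdb_* pointers to NULL is removed, while the fail: path still calls key_cleansav(sav), which frees every non-NULL pointer it finds. The function now depends on the caller passing a zeroed SA, and the only new assertion is on sav->state == SADB_SASTATE_LARVAL. State the zero-initialised requirement in the header comment next to "Expects only LARVAL SAs", or assert on entry that the pointers are NULL. Also, key_setident() is given sav->sah before any of the SA checks run and the fail path cleans only sav; if key_setident() modifies the SAH, a later failure leaves that change behind.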
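Review bot: in the satype switch of the last key_setsaval() hunk of r309003, the IPComp case tests ntohl(sav->spi) >= 0x10000, but the header comment lists SPI among the fields this function does not copy, so the check only means something if the caller has set sav->spi before the call. Add that requirement to the header comment or assert it. The flag and algorithm checks in this switch depend only on values taken from SADB_EXT_SA, so they could run before the key_dup_keymsg() calls and avoid duplicating key material for a request that is going to be rejected. The log string "protocol and algorithm mismated" is carried over three times and should read "mismatched".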
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 14:31:49 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309004 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 14:31:50 -0000 Author: ae Date: Tue Nov 22 14:31:49 2016 New Revision: 309004 URL: https://svnweb.freebsd.org/changeset/base/309004 Log: Remove key_mature() function. The checks that it did now are in key_newsav() and key_setsaval(). Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 14:25:25 2016 (r309003) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 14:31:49 2016 (r309004) 
@@ -3118,93 +3118,6 @@ fail: key_cleansav(sav); return (error); } -/* - * validation with a secasvar entry, and set SADB_SATYPE_MATURE. - * OUT: 0: valid - * other: errno - */ -static int -key_mature(struct secasvar *sav) -{ - int error; - - /* check SPI value */ - switch (sav->sah->saidx.proto) { - case IPPROTO_ESP: - case IPPROTO_AH: - /* - * RFC 4302, 2.4. Security Parameters Index (SPI), SPI values - * 1-255 reserved by IANA for future use, - * 0 for implementation specific, local use. - */ - if (ntohl(sav->spi) <= 255) { - ipseclog((LOG_DEBUG, "%s: illegal range of SPI %u.\n", - __func__, (u_int32_t)ntohl(sav->spi))); - return EINVAL; - } - break; - } - - /* check satype */ - switch (sav->sah->saidx.proto) { - case IPPROTO_ESP: - /* check flags */ - if ((sav->flags & (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) == - (SADB_X_EXT_OLD|SADB_X_EXT_DERIV)) { - ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " - "given to old-esp.\n", __func__)); - return EINVAL; - } - error = xform_init(sav, XF_ESP); - break; - case IPPROTO_AH: - /* check flags */ - if (sav->flags & SADB_X_EXT_DERIV) { - ipseclog((LOG_DEBUG, "%s: invalid flag (derived) " - "given to AH SA.\n", __func__)); - return EINVAL; - } - if (sav->alg_enc != SADB_EALG_NONE) { - ipseclog((LOG_DEBUG, "%s: protocol and algorithm " - "mismated.\n", __func__)); - return(EINVAL); - } - error = xform_init(sav, XF_AH); - break; - case IPPROTO_IPCOMP: - if (sav->alg_auth != SADB_AALG_NONE) { - ipseclog((LOG_DEBUG, "%s: protocol and algorithm " - "mismated.\n", __func__)); - return(EINVAL); - } - if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 - && ntohl(sav->spi) >= 0x10000) { - ipseclog((LOG_DEBUG, "%s: invalid cpi for IPComp.\n", - __func__)); - return(EINVAL); - } - error = xform_init(sav, XF_IPCOMP); - break; - case IPPROTO_TCP: - if (sav->alg_enc != SADB_EALG_NONE) { - ipseclog((LOG_DEBUG, "%s: protocol and algorithm " - "mismated.\n", __func__)); - return(EINVAL); - } - error = xform_init(sav, XF_TCPSIGNATURE); - break; - 
default: - ipseclog((LOG_DEBUG, "%s: Invalid satype.\n", __func__)); - error = EPROTONOSUPPORT; - break; - } - if (error == 0) { - SAHTREE_LOCK(); - key_sa_chgstate(sav, SADB_SASTATE_MATURE); - SAHTREE_UNLOCK(); - } - return (error); -} /* * subroutine for SADB_GET and SADB_DUMP. From owner-svn-src-projects@freebsd.org Tue Nov 22 15:28:22 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 46125C4FBBD for ; Tue, 22 Nov 2016 15:28:22 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F2D759E; Tue, 22 Nov 2016 15:28:21 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMFSLIT002643; Tue, 22 Nov 2016 15:28:21 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMFSLaa002642; Tue, 22 Nov 2016 15:28:21 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221528.uAMFSLaa002642@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
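Review bot: r309004 removes key_mature() in a single hunk, and with it the only place in this series where an SA is moved to SADB_SASTATE_MATURE (key_sa_chgstate(sav, SADB_SASTATE_MATURE) under SAHTREE_LOCK()). The log message accounts for the checks but not for the state transition, and key_setsaval() as changed in r309003 asserts LARVAL without changing the state. The removed check that rejects ESP and AH SPI values of 255 and below (RFC 4302, 2.4) is also not among the checks added to key_setsaval(); the log says key_newsav() has it, so naming that revision would let a reader confirm nothing was dropped.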
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 15:28:21 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309005 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 15:28:22 -0000 Author: ae Date: Tue Nov 22 15:28:20 2016 New Revision: 309005 URL: https://svnweb.freebsd.org/changeset/base/309005 Log: Modify key_setdumpsa() to read lifetime counters from PCPU counters. Also do some style changes. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 14:31:49 2016 (r309004) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 15:28:20 2016 (r309005) 
@@ -3123,18 +3123,19 @@ fail: * subroutine for SADB_GET and SADB_DUMP. */ static struct mbuf * -key_setdumpsa(struct secasvar *sav, u_int8_t type, u_int8_t satype, - u_int32_t seq, u_int32_t pid) +key_setdumpsa(struct secasvar *sav, uint8_t type, uint8_t satype, + uint32_t seq, uint32_t pid) { + struct seclifetime lft_c; struct mbuf *result = NULL, *tres = NULL, *m; - int i; - int dumporder[] = { + int i, dumporder[] = { SADB_EXT_SA, SADB_X_EXT_SA2, SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, SADB_EXT_LIFETIME_CURRENT, SADB_EXT_ADDRESS_SRC, - SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, - SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, - SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, + SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, + SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT, + SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST, + SADB_EXT_SENSITIVITY, #ifdef IPSEC_NAT_T SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT, @@ -3198,10 +3199,12 @@ key_setdumpsa(struct secasvar *sav, u_in break; case SADB_EXT_LIFETIME_CURRENT: - if (!sav->lft_c) - continue; - m = key_setlifetime(sav->lft_c, - SADB_EXT_LIFETIME_CURRENT); + lft_c.addtime = sav->created; + lft_c.allocations = (uint32_t)counter_u64_fetch( + sav->lft_c_allocations); + lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes); + lft_c.usetime = sav->firstused; + m = key_setlifetime(&lft_c, SADB_EXT_LIFETIME_CURRENT); if (!m) goto fail; break; @@ -3231,10 +3234,10 @@ key_setdumpsa(struct secasvar *sav, u_in if (!m) goto fail; break; - + case SADB_X_EXT_NAT_T_DPORT: m = key_setsadbxport( - KEY_PORTFROMSADDR(&sav->sah->saidx.dst), + key_portfromsaddr(&sav->sah->saidx.dst.sa), SADB_X_EXT_NAT_T_DPORT); if (!m) goto fail; @@ -3242,7 +3245,7 @@ key_setdumpsa(struct secasvar *sav, u_in case SADB_X_EXT_NAT_T_SPORT: m = key_setsadbxport( - KEY_PORTFROMSADDR(&sav->sah->saidx.src), + key_portfromsaddr(&sav->sah->saidx.src.sa), SADB_X_EXT_NAT_T_SPORT); if (!m) goto fail; 
@@ -3269,7 +3272,6 @@ key_setdumpsa(struct secasvar *sav, u_in if (tres) m_cat(m, tres); tres = m; - } m_cat(result, tres); From owner-svn-src-projects@freebsd.org Tue Nov 22 16:24:43 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8B3BEC4F8A6 for ; Tue, 22 Nov 2016 16:24:43 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 68376DB8; Tue, 22 Nov 2016 16:24:43 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMGOgkq027180; Tue, 22 Nov 2016 16:24:42 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMGOgj3027179; Tue, 22 Nov 2016 16:24:42 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221624.uAMGOgj3027179@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
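Review bot: in the SADB_EXT_LIFETIME_CURRENT case of r309005, the cast (uint32_t)counter_u64_fetch(sav->lft_c_allocations) silently truncates a 64-bit counter, so a long-lived SA will report a wrapped allocations value to SADB_GET and SADB_DUMP consumers; either saturate at UINT32_MAX or add a comment saying that wrapping is accepted. The old "if (!sav->lft_c) continue;" guard is removed in the same hunk, so this path now depends on lft_c_allocations and lft_c_bytes being allocated for every SA that can reach key_setdumpsa(); an assertion or a comment stating that invariant would make the dependency explicit.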
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 16:24:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309010 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 16:24:43 -0000 Author: ae Date: Tue Nov 22 16:24:42 2016 New Revision: 309010 URL: https://svnweb.freebsd.org/changeset/base/309010 Log: Add key_sockaddrcmp_withmask() that compares only specified number of significant bits of addresses. Also add #ifdef INET/INET6 to the key_sockaddrcmp() and some style fixes. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 16:23:46 2016 (r309009) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 16:24:42 2016 (r309010) @@ -3499,10 +3499,10 @@ key_setsadbxport(u_int16_t port, u_int16 return (m); } -/* +/* * Get port from sockaddr. Port is in network byte order. */ -u_int16_t +uint16_t key_portfromsaddr(struct sockaddr *sa) { @@ -3516,9 +3516,6 @@ key_portfromsaddr(struct sockaddr *sa) return ((struct sockaddr_in6 *)sa)->sin6_port; #endif } - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s unexpected address family %d\n", - __func__, sa->sa_family)); return (0); } #endif /* IPSEC_NAT_T */ @@ -3527,7 +3524,7 @@ key_portfromsaddr(struct sockaddr *sa) * Set port in struct sockaddr. Port is in network byte order. */ static void -key_porttosaddr(struct sockaddr *sa, u_int16_t port) +key_porttosaddr(struct sockaddr *sa, uint16_t port) { switch (sa->sa_family) { 
@@ -3620,20 +3617,18 @@ key_dup_keymsg(const struct sadb_key *sr static struct seclifetime * key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type) { - struct seclifetime *dst = NULL; + struct seclifetime *dst; - dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), - type, M_NOWAIT); + dst = malloc(sizeof(*dst), type, M_NOWAIT); if (dst == NULL) { - /* XXX counter */ ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); - } else { - dst->allocations = src->sadb_lifetime_allocations; - dst->bytes = src->sadb_lifetime_bytes; - dst->addtime = src->sadb_lifetime_addtime; - dst->usetime = src->sadb_lifetime_usetime; + return (NULL); } - return dst; + dst->allocations = src->sadb_lifetime_allocations; + dst->bytes = src->sadb_lifetime_bytes; + dst->addtime = src->sadb_lifetime_addtime; + dst->usetime = src->sadb_lifetime_usetime; + return (dst); } /* compare my own address @@ -3892,11 +3887,6 @@ key_cmpspidx_withmask(struct secpolicyin return 1; } -/* returns 0 on match */ -static int -key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2, - int port) -{ #ifdef satosin #undef satosin #endif @@ -3905,10 +3895,16 @@ key_sockaddrcmp(const struct sockaddr *s #undef satosin6 #endif #define satosin6(s) ((const struct sockaddr_in6 *)s) +/* returns 0 on match */ +static int +key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2, + int port) +{ if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) return 1; switch (sa1->sa_family) { +#ifdef INET case AF_INET: if (sa1->sa_len != sizeof(struct sockaddr_in)) return 1; @@ -3919,6 +3915,8 @@ key_sockaddrcmp(const struct sockaddr *s if (port && satosin(sa1)->sin_port != satosin(sa2)->sin_port) return 1; break; +#endif +#ifdef INET6 case AF_INET6: if (sa1->sa_len != sizeof(struct sockaddr_in6)) return 1; /*EINVAL*/ 
@@ -3935,6 +3933,7 @@ key_sockaddrcmp(const struct sockaddr *s return 1; } break; +#endif default: if (bcmp(sa1, sa2, sa1->sa_len) != 0) return 1; 
@@ -3942,9 +3941,35 @@ key_sockaddrcmp(const struct sockaddr *s } return 0; +} + +/* returns 0 on match */ +int +key_sockaddrcmp_withmask(const struct sockaddr *sa1, + const struct sockaddr *sa2, size_t mask) +{ + if (sa1->sa_family != sa2->sa_family || sa1->sa_len != sa2->sa_len) + return (1); + + switch (sa1->sa_family) { +#ifdef INET + case AF_INET: + return (!key_bbcmp(&satosin(sa1)->sin_addr, + &satosin(sa2)->sin_addr, mask)); +#endif +#ifdef INET6 + case AF_INET6: + if (satosin6(sa1)->sin6_scope_id != + satosin6(sa2)->sin6_scope_id) + return (1); + return (!key_bbcmp(&satosin6(sa1)->sin6_addr, + &satosin6(sa2)->sin6_addr, mask)); +#endif + } + return (1); +} #undef satosin #undef satosin6 -} /* * compare two buffers with mask. From owner-svn-src-projects@freebsd.org Tue Nov 22 16:43:42 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AF82FC50140 for ; Tue, 22 Nov 2016 16:43:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 873A21AA9; Tue, 22 Nov 2016 16:43:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMGhfSH035201; Tue, 22 Nov 2016 16:43:41 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMGhfHi035200; Tue, 22 Nov 2016 16:43:41 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221643.uAMGhfHi035200@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
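Review bot: key_sockaddrcmp_withmask() in r309010 passes mask straight to key_bbcmp() without bounding it to the address width (32 bits for AF_INET, 128 for AF_INET6), and it does not check sa_len against sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6) the way key_sockaddrcmp() does just above it. As written, the function is only safe if every caller has already validated both the sockaddr length and the prefix length; either add the two checks here or document that precondition in the comment above the function, which currently says only "returns 0 on match". The function is also non-static while this commit touches only key.c, so its prototype needs to land in a header before anything outside key.c can use it.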
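Review bot: the key_portfromsaddr() hunk in r309010 drops the KEYDEBUG message for an unexpected address family, so the function now returns 0 silently and callers cannot tell "unknown family" from "port 0". If the message was removed on purpose, the function comment should say that 0 is returned for unsupported families.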
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 16:43:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309011 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 16:43:42 -0000 Author: ae Date: Tue Nov 22 16:43:41 2016 New Revision: 309011 URL: https://svnweb.freebsd.org/changeset/base/309011 Log: Rework key_flush_sad(). Do all work in three steps: 1) Acquire SAHTREE_RLOCK and check that we need to cleanup some SAs. Just return if nothing was found. 2) Acquire SAHTREE_WLOCK and properly unlink SA/SAH from the corresponding lists, change state, etc. 3) With released lock finish cleanup (send SADB_EXPIRE message, release references, etc). Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 16:24:42 2016 (r309010) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 16:43:41 2016 (r309011) 
@@ -4068,38 +4068,44 @@ key_flush_spd(time_t now) static void key_flush_sad(time_t now) { + SAHTREE_RLOCK_TRACKER; + struct secashead_list emptyq; + struct secasvar_list drainq, hexpireq, sexpireq, freeq; struct secashead *sah, *nextsah; struct secasvar *sav, *nextsav; - /* SAD */ - SAHTREE_LOCK(); - LIST_FOREACH_SAFE(sah, &V_sahtree, chain, nextsah) { - /* if sah has been dead, then delete it and process next sah. */ - if (sah->state == SADB_SASTATE_DEAD) { - key_delsah(sah); + LIST_INIT(&drainq); + LIST_INIT(&hexpireq); + LIST_INIT(&sexpireq); + LIST_INIT(&emptyq); + + SAHTREE_RLOCK(); + TAILQ_FOREACH(sah, &V_sahtree, chain) { + /* Check for empty SAH */ + if (TAILQ_EMPTY(&sah->savtree_larval) && + TAILQ_EMPTY(&sah->savtree_alive)) { + SAH_ADDREF(sah); + LIST_INSERT_HEAD(&emptyq, sah, drainq); continue; } - - /* if LARVAL entry doesn't become MATURE, delete it. */ - LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_LARVAL], chain, nextsav) { - /* Need to also check refcnt for a larval SA ??? */ - if (now - sav->created > V_key_larval_lifetime) - KEY_FREESAV(&sav); + /* Add all stale LARVAL SAs into drainq */ + TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { + if (now - sav->created < V_key_larval_lifetime) + continue; + SAV_ADDREF(sav); + LIST_INSERT_HEAD(&drainq, sav, drainq); } - - /* - * check MATURE entry to start to send expire message - * whether or not. - */ - LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_MATURE], chain, nextsav) { - /* we don't need to check. */ - if (sav->lft_s == NULL) + TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { + /* lifetimes aren't specified */ + if (sav->lft_h == NULL) continue; - - /* sanity check */ - if (sav->lft_c == NULL) { - ipseclog((LOG_DEBUG,"%s: there is no CURRENT " - "time, why?\n", __func__)); + SECASVAR_LOCK(sav); + /* + * Check again with lock held, because it may + * be updated by SADB_UPDATE. + */ + if (sav->lft_h == NULL) { + SECASVAR_UNLOCK(sav); continue; } /* 
@@ -4112,84 +4118,149 @@ key_flush_sad(time_t now) /* check HARD lifetime */ if ((sav->lft_h->addtime != 0 && now - sav->created > sav->lft_h->addtime) || - (sav->lft_h->bytes != 0 && - sav->lft_h->bytes < sav->lft_c->bytes)) { - key_sa_chgstate(sav, SADB_SASTATE_DEAD); - key_expire(sav, 1); - KEY_FREESAV(&sav); + (sav->lft_h->usetime != 0 && sav->firstused && + now - sav->firstused > sav->lft_h->usetime) || + (sav->lft_h->bytes != 0 && counter_u64_fetch( + sav->lft_c_bytes) > sav->lft_h->bytes)) { + SECASVAR_UNLOCK(sav); + SAV_ADDREF(sav); + LIST_INSERT_HEAD(&hexpireq, sav, drainq); + continue; } - /* check SOFT lifetime */ - else if ((sav->lft_s->addtime != 0 && + /* check SOFT lifetime (only for MATURE SAs) */ + if (sav->state == SADB_SASTATE_MATURE && ( + (sav->lft_s->addtime != 0 && now - sav->created > sav->lft_s->addtime) || - (sav->lft_s->bytes != 0 && - sav->lft_s->bytes < sav->lft_c->bytes)) { - key_sa_chgstate(sav, SADB_SASTATE_DYING); - key_expire(sav, 0); + (sav->lft_s->usetime != 0 && sav->firstused && + now - sav->firstused > sav->lft_s->usetime) || + (sav->lft_s->bytes != 0 && counter_u64_fetch( + sav->lft_c_bytes) > sav->lft_s->bytes))) { + SECASVAR_UNLOCK(sav); + SAV_ADDREF(sav); + LIST_INSERT_HEAD(&sexpireq, sav, drainq); + continue; } + SECASVAR_UNLOCK(sav); } + } + SAHTREE_RUNLOCK(); - /* check DYING entry to change status to DEAD. */ - LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_DYING], chain, nextsav) { - /* we don't need to check. 
*/ - if (sav->lft_h == NULL) - continue; - - /* sanity check */ - if (sav->lft_c == NULL) { - ipseclog((LOG_DEBUG, "%s: there is no CURRENT " - "time, why?\n", __func__)); - continue; - } + if (LIST_EMPTY(&emptyq) && LIST_EMPTY(&drainq) && + LIST_EMPTY(&hexpireq) && LIST_EMPTY(&sexpireq)) + return; - if (sav->lft_h->addtime != 0 && - now - sav->created > sav->lft_h->addtime) { - key_sa_chgstate(sav, SADB_SASTATE_DEAD); - key_expire(sav, 1); - KEY_FREESAV(&sav); - } -#if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */ - else if (sav->lft_s != NULL - && sav->lft_s->addtime != 0 - && now - sav->created > sav->lft_s->addtime) { - /* - * XXX: should be checked to be - * installed the valid SA. - */ - - /* - * If there is no SA then sending - * expire message. - */ - key_expire(sav, 0); - } -#endif - /* check HARD lifetime by bytes */ - else if (sav->lft_h->bytes != 0 && - sav->lft_h->bytes < sav->lft_c->bytes) { - key_sa_chgstate(sav, SADB_SASTATE_DEAD); - key_expire(sav, 1); - KEY_FREESAV(&sav); - } + LIST_INIT(&freeq); + SAHTREE_WLOCK(); + /* Unlink stale LARVAL SAs */ + sav = LIST_FIRST(&drainq); + while (sav != NULL) { + nextsav = LIST_NEXT(sav, drainq); + /* Check that SA is still LARVAL */ + if (sav->state != SADB_SASTATE_LARVAL) { + LIST_REMOVE(sav, drainq); + LIST_INSERT_HEAD(&freeq, sav, drainq); + sav = nextsav; + continue; } - - /* delete entry in DEAD */ - LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_DEAD], chain, nextsav) { - /* sanity check */ - if (sav->state != SADB_SASTATE_DEAD) { - ipseclog((LOG_DEBUG, "%s: invalid sav->state " - "(queue: %d SA: %d): kill it anyway\n", - __func__, - SADB_SASTATE_DEAD, sav->state)); - } - /* - * do not call key_freesav() here. - * sav should already be freed, and sav->refcnt - * shows other references to sav - * (such as from SPD). 
- */ + TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); + LIST_REMOVE(sav, spihash); + sav->state = SADB_SASTATE_DEAD; + sav = nextsav; + } + /* Unlink all SAs with expired HARD lifetime */ + sav = LIST_FIRST(&hexpireq); + while (sav != NULL) { + nextsav = LIST_NEXT(sav, drainq); + /* Check that SA is not unlinked */ + if (sav->state == SADB_SASTATE_DEAD) { + LIST_REMOVE(sav, drainq); + LIST_INSERT_HEAD(&freeq, sav, drainq); + sav = nextsav; + continue; } + TAILQ_REMOVE(&sav->sah->savtree_alive, sav, chain); + LIST_REMOVE(sav, spihash); + sav->state = SADB_SASTATE_DEAD; + sav = nextsav; + } + /* Mark all SAs with expired SOFT lifetime as DYING */ + sav = LIST_FIRST(&sexpireq); + while (sav != NULL) { + nextsav = LIST_NEXT(sav, drainq); + /* Check that SA is not unlinked */ + if (sav->state == SADB_SASTATE_DEAD) { + LIST_REMOVE(sav, drainq); + LIST_INSERT_HEAD(&freeq, sav, drainq); + sav = nextsav; + continue; + } + /* + * NOTE: this doesn't change SA order in the chain. + */ + sav->state = SADB_SASTATE_DYING; + sav = nextsav; + } + /* Unlink empty SAHs */ + sah = LIST_FIRST(&emptyq); + while (sah != NULL) { + nextsah = LIST_NEXT(sah, drainq); + /* Check that SAH is still empty and not unlinked */ + if (sah->state == SADB_SASTATE_DEAD || + !TAILQ_EMPTY(&sah->savtree_larval) || + !TAILQ_EMPTY(&sah->savtree_alive)) { + LIST_REMOVE(sah, drainq); + key_freesah(&sah); /* release extra reference */ + sah = nextsah; + continue; + } + TAILQ_REMOVE(&V_sahtree, sah, chain); + LIST_REMOVE(sah, addrhash); + sah->state = SADB_SASTATE_DEAD; + sah = nextsah; + } + SAHTREE_WUNLOCK(); + + /* Send SPDEXPIRE messages */ + sav = LIST_FIRST(&hexpireq); + while (sav != NULL) { + nextsav = LIST_NEXT(sav, drainq); + key_expire(sav, 1); + key_freesah(&sav->sah); /* release reference from SAV */ + key_freesav(&sav); /* release extra reference */ + key_freesav(&sav); /* release last reference */ + sav = nextsav; + } + sav = LIST_FIRST(&sexpireq); + while (sav != NULL) { + nextsav = 
LIST_NEXT(sav, drainq); + key_expire(sav, 0); + key_freesav(&sav); /* release extra reference */ + sav = nextsav; + } + /* Free stale LARVAL SAs */ + sav = LIST_FIRST(&drainq); + while (sav != NULL) { + nextsav = LIST_NEXT(sav, drainq); + key_freesah(&sav->sah); /* release reference from SAV */ + key_freesav(&sav); /* release extra reference */ + key_freesav(&sav); /* release last reference */ + sav = nextsav; + } + /* Free SAs that were unlinked/changed by someone else */ + sav = LIST_FIRST(&freeq); + while (sav != NULL) { + nextsav = LIST_NEXT(sav, drainq); + key_freesav(&sav); /* release extra reference */ + sav = nextsav; + } + /* Free empty SAH */ + sah = LIST_FIRST(&emptyq); + while (sah != NULL) { + nextsah = LIST_NEXT(sah, drainq); + key_freesah(&sah); /* release extra reference */ + key_freesah(&sah); /* release last reference */ + sah = nextsah; } - SAHTREE_UNLOCK(); } static void From owner-svn-src-projects@freebsd.org Tue Nov 22 17:09:18 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 641D6C5076F for ; Tue, 22 Nov 2016 17:09:18 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3BA2898F; Tue, 22 Nov 2016 17:09:18 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMH9Hqh043245; Tue, 22 Nov 2016 17:09:17 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMH9HWw043244; Tue, 22 Nov 2016 17:09:17 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221709.uAMH9HWw043244@repo.freebsd.org> X-Authentication-Warning: 
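Review bot: in the first hunk of r309011 (the SAHTREE_RLOCK pass), SAV_ADDREF/SAH_ADDREF followed by LIST_INSERT_HEAD(..., drainq) writes the drainq linkage inside shared SA and SAH objects while holding only the read lock. That is safe only if key_flush_sad() is the sole user of the drainq field and can never run concurrently with itself; please state that next to the field declaration or in the function comment, since nothing in the visible code enforces it.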
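Review bot: in the second hunk of r309011, the SOFT lifetime test dereferences sav->lft_s (lft_s->addtime, lft_s->usetime, lft_s->bytes) but the only NULL check left in the visible loop is on sav->lft_h; the old "if (sav->lft_s == NULL) continue;" was removed. Unless lft_h and lft_s are always set and cleared together, an SA with only a hard lifetime will fault here, so either add a lft_s NULL test to the MATURE condition or assert the pairing. Separately, the comment "Send SPDEXPIRE messages" above the hexpireq loop should read SADB_EXPIRE, matching the commit message and the key_expire() calls that follow.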
repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 17:09:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309012 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 17:09:18 -0000 Author: ae Date: Tue Nov 22 17:09:17 2016 New Revision: 309012 URL: https://svnweb.freebsd.org/changeset/base/309012 Log: Modify key_satype2proto() and key_proto2satype() to use uint8_t type. Modify key_getspi() to use SADB_CHECKHDR() and SADB_CHECKLEN() macros, also use key_checksockaddrs() to check addresses. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 16:43:41 2016 (r309011) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 17:09:17 2016 (r309012) @@ -4367,8 +4367,8 @@ key_randomfill(void *p, size_t l) * OUT: * 0: invalid satype. */ -static u_int16_t -key_satype2proto(u_int8_t satype) +static uint8_t +key_satype2proto(uint8_t satype) { switch (satype) { case SADB_SATYPE_UNSPEC: @@ -4392,8 +4392,8 @@ key_satype2proto(u_int8_t satype) * OUT: * 0: invalid protocol type. */ -static u_int8_t -key_proto2satype(u_int16_t proto) +static uint8_t +key_proto2satype(uint8_t proto) { switch (proto) { case IPPROTO_AH: 
@@ -4426,39 +4426,56 @@ key_proto2satype(u_int16_t proto) static int key_getspi(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { - struct sadb_address *src0, *dst0; struct secasindex saidx; - struct secashead *newsah; - struct secasvar *newsav; - u_int8_t proto; - u_int32_t spi; - u_int8_t mode; - u_int32_t reqid; + struct sadb_address *src0, *dst0; + struct secasvar *sav; + uint32_t reqid, spi; int error; + uint8_t mode, proto; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); IPSEC_ASSERT(mhp != NULL, ("null msghdr")); IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); - if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || - mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); - return key_senderror(so, m, EINVAL); + if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) +#ifdef PFKEY_STRICT_CHECKS + || SADB_CHECKHDR(mhp, SADB_EXT_SPIRANGE) +#endif + ) { + ipseclog((LOG_DEBUG, + "%s: invalid message: missing required header.\n", + __func__)); + error = EINVAL; + goto fail; } - if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); - return key_senderror(so, m, EINVAL); + if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) +#ifdef PFKEY_STRICT_CHECKS + || SADB_CHECKLEN(mhp, SADB_EXT_SPIRANGE) +#endif + ) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); + error = EINVAL; + goto fail; } - if (mhp->ext[SADB_X_EXT_SA2] != NULL) { - mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; - reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; - } else { + if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { mode = IPSEC_MODE_ANY; reqid = 0; + } else { + if (SADB_CHECKLEN(mhp, 
SADB_X_EXT_SA2)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", + __func__)); + error = EINVAL; + goto fail; + } + mode = ((struct sadb_x_sa2 *) + mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; + reqid = ((struct sadb_x_sa2 *) + mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; } src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); 
@@ -4468,121 +4485,61 @@ key_getspi(struct socket *so, struct mbu if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", __func__)); - return key_senderror(so, m, EINVAL); - } - - /* - * Make sure the port numbers are zero. - * In case of NAT-T we will update them later if needed. - */ - switch (((struct sockaddr *)(src0 + 1))->sa_family) { - case AF_INET: - if (((struct sockaddr *)(src0 + 1))->sa_len != - sizeof(struct sockaddr_in)) - return key_senderror(so, m, EINVAL); - ((struct sockaddr_in *)(src0 + 1))->sin_port = 0; - break; - case AF_INET6: - if (((struct sockaddr *)(src0 + 1))->sa_len != - sizeof(struct sockaddr_in6)) - return key_senderror(so, m, EINVAL); - ((struct sockaddr_in6 *)(src0 + 1))->sin6_port = 0; - break; - default: - ; /*???*/ + error = EINVAL; + goto fail; } - switch (((struct sockaddr *)(dst0 + 1))->sa_family) { - case AF_INET: - if (((struct sockaddr *)(dst0 + 1))->sa_len != - sizeof(struct sockaddr_in)) - return key_senderror(so, m, EINVAL); - ((struct sockaddr_in *)(dst0 + 1))->sin_port = 0; - break; - case AF_INET6: - if (((struct sockaddr *)(dst0 + 1))->sa_len != - sizeof(struct sockaddr_in6)) - return key_senderror(so, m, EINVAL); - ((struct sockaddr_in6 *)(dst0 + 1))->sin6_port = 0; - break; - default: - ; /*???*/ + error = key_checksockaddrs((struct sockaddr *)(src0 + 1), + (struct sockaddr *)(dst0 + 1)); + if (error != 0) { + ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); + error = EINVAL; + goto fail; } - - /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); - -#ifdef IPSEC_NAT_T /* - * Handle NAT-T info if present. - * We made sure the port numbers are zero above, so we do - * not have to worry in case we do not update them. + * Make sure the port numbers are zero. + * In case of NAT-T we will update them later if needed. 
*/ - if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL) - ipseclog((LOG_DEBUG, "%s: NAT-T OAi present\n", __func__)); - if (mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) - ipseclog((LOG_DEBUG, "%s: NAT-T OAr present\n", __func__)); - - if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { - struct sadb_x_nat_t_type *type; - struct sadb_x_nat_t_port *sport, *dport; - - if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) || - mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || - mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { - ipseclog((LOG_DEBUG, "%s: invalid nat-t message " - "passed.\n", __func__)); - return key_senderror(so, m, EINVAL); - } - - sport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_SPORT]; - dport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_DPORT]; - - if (sport) - KEY_PORTTOSADDR(&saidx.src, sport->sadb_x_nat_t_port_port); - if (dport) - KEY_PORTTOSADDR(&saidx.dst, dport->sadb_x_nat_t_port_port); - } -#endif + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); /* SPI allocation */ - spi = key_do_getnewspi((struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], - &saidx); - if (spi == 0) - return key_senderror(so, m, EINVAL); - - /* get a SA index */ - if ((newsah = key_getsah(&saidx)) == NULL) { - /* create a new SA index */ - if ((newsah = key_newsah(&saidx)) == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); - return key_senderror(so, m, ENOBUFS); - } + spi = key_do_getnewspi( + (struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], &saidx); + if (spi == 0) { + /* + * Requested SPI or SPI range is not available or + * already used. 
+ */ + error = EEXIST; + goto fail; } + sav = key_newsav(mhp, &saidx, spi, &error); + if (sav == NULL) + goto fail; - /* get a new SA */ - /* XXX rewrite */ - newsav = KEY_NEWSAV(m, mhp, newsah, &error); - if (newsav == NULL) { - /* XXX don't free new SA index allocated in above. */ - return key_senderror(so, m, error); + if (sav->seq != 0) { + /* + * RFC2367: + * If the SADB_GETSPI message is in response to a + * kernel-generated SADB_ACQUIRE, the sadb_msg_seq + * MUST be the same as the SADB_ACQUIRE message. + * + * XXXAE: However it doesn't definethe behaviour how to + * check this and what to do if it doesn't match. + * Also what we should do if it matches? + * + * We can compare saidx used in SADB_ACQUIRE with saidx + * used in SADB_GETSPI, but this probably can break + * existing software. For now just warn if it doesn't match. + * + * XXXAE: anyway it looks useless. + */ + key_acqdone(&saidx, sav->seq); } - - /* set spi */ - newsav->spi = htonl(spi); - - /* delete the entry in acqtree */ - if (mhp->msg->sadb_msg_seq != 0) { - struct secacq *acq; - if ((acq = key_getacqbyseq(mhp->msg->sadb_msg_seq)) != NULL) { - /* reset counter in order to deletion by timehandler. */ - acq->created = time_second; - acq->count = 0; - } - } + KEYDBG(KEY_STAMP, + printf("%s: SA(%p)\n", __func__, sav)); + KEYDBG(KEY_DATA, kdebug_secasv(sav)); { struct mbuf *n, *nn; @@ -4601,8 +4558,10 @@ key_getspi(struct socket *so, struct mbu n = NULL; } } - if (!n) - return key_senderror(so, m, ENOBUFS); + if (!n) { + error = ENOBUFS; + goto fail; + } n->m_len = len; n->m_next = NULL; @@ -4614,7 +4573,7 @@ key_getspi(struct socket *so, struct mbu m_sa = (struct sadb_sa *)(mtod(n, caddr_t) + off); m_sa->sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa)); m_sa->sadb_sa_exttype = SADB_EXT_SA; - m_sa->sadb_sa_spi = htonl(spi); + m_sa->sadb_sa_spi = spi; /* SPI is already in network byte order */ off += PFKEY_ALIGN8(sizeof(struct sadb_sa)); IPSEC_ASSERT(off == len, 
@@ -4624,7 +4583,8 @@ key_getspi(struct socket *so, struct mbu SADB_EXT_ADDRESS_DST); if (!n->m_next) { m_freem(n); - return key_senderror(so, m, ENOBUFS); + error = ENOBUFS; + goto fail; } if (n->m_len < sizeof(struct sadb_msg)) { @@ -4638,13 +4598,16 @@ key_getspi(struct socket *so, struct mbu n->m_pkthdr.len += nn->m_len; newmsg = mtod(n, struct sadb_msg *); - newmsg->sadb_msg_seq = newsav->seq; + newmsg->sadb_msg_seq = sav->seq; newmsg->sadb_msg_errno = 0; newmsg->sadb_msg_len = PFKEY_UNIT64(n->m_pkthdr.len); m_freem(m); return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); } + +fail: + return (key_senderror(so, m, error)); } /* From owner-svn-src-projects@freebsd.org Tue Nov 22 17:14:10 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8AD53C50911 for ; Tue, 22 Nov 2016 17:14:10 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 420ADDDC; Tue, 22 Nov 2016 17:14:10 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAMHE9I8047101; Tue, 22 Nov 2016 17:14:09 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAMHE9QP047100; Tue, 22 Nov 2016 17:14:09 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611221714.uAMHE9QP047100@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
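Review bot: in the key_getspi() validation hunk of r309012, SADB_EXT_SPIRANGE is checked with SADB_CHECKHDR/SADB_CHECKLEN only under PFKEY_STRICT_CHECKS, yet mhp->ext[SADB_EXT_SPIRANGE] is later cast to struct sadb_spirange and handed to key_do_getnewspi() unconditionally. In the default build a present but undersized SPIRANGE extension is not rejected by anything visible here; validate its length whenever the extension is present, independent of the strict-checks option.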
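Review bot: the large key_getspi() hunk in r309012 changes user-visible behaviour that the commit message does not mention: the whole IPSEC_NAT_T block that copied SADB_X_EXT_NAT_T_SPORT/DPORT into saidx is removed and the ports are now always forced to 0, and an unavailable SPI now returns EEXIST where it used to return EINVAL. Both deserve a line in the log. In the same hunk the value returned by key_checksockaddrs() is stored in error and then overwritten with EINVAL, so either pass the original error through or test the call directly without assigning it. The new comment before key_acqdone() says "For now just warn if it doesn't match", but the visible code calls key_acqdone(&saidx, sav->seq) unconditionally and compares nothing; align the comment with the code.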
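Review bot: the change from htonl(spi) to "m_sa->sadb_sa_spi = spi; /* SPI is already in network byte order */" in r309012 relies on key_do_getnewspi() returning a network-order value, but that function only starts returning htonl(newspi) in r309013, committed five minutes later. At r309012 alone the reply carries a host-order SPI, so the two changes should be in one commit or in the opposite order to keep the branch bisectable.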
From: "Andrey V. Elsukov" Date: Tue, 22 Nov 2016 17:14:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309013 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Nov 2016 17:14:10 -0000 Author: ae Date: Tue Nov 22 17:14:09 2016 New Revision: 309013 URL: https://svnweb.freebsd.org/changeset/base/309013 Log: Update key_do_getnewspi() to reflect changes in key_checkspidup(). Also make some style fixes. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Tue Nov 22 17:09:17 2016 (r309012) +++ projects/ipsec/sys/netipsec/key.c Tue Nov 22 17:14:09 2016 (r309013) @@ -4615,13 +4615,12 @@ fail: * called by key_getspi(). * OUT: * 0: failure. - * others: success. + * others: success, SPI in network byte order. */ -static u_int32_t +static uint32_t key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx) { - u_int32_t newspi; - u_int32_t min, max; + uint32_t min, max, newspi, t; int count = V_key_spi_trycnt; /* set spi range to allocate */ @@ -4634,7 +4633,6 @@ key_do_getnewspi(struct sadb_spirange *s } /* IPCOMP needs 2-byte SPI */ if (saidx->proto == IPPROTO_IPCOMP) { - u_int32_t t; if (min >= 0x10000) min = 0xffff; if (max >= 0x10000) 
@@ -4645,15 +4643,14 @@ key_do_getnewspi(struct sadb_spirange *s } if (min == max) { - if (key_checkspidup(saidx, min) != NULL) { + if (!key_checkspidup(htonl(min))) { ipseclog((LOG_DEBUG, "%s: SPI %u exists already.\n", - __func__, min)); + __func__, min)); return 0; } count--; /* taking one cost. */ newspi = min; - } else { /* init SPI */ 
@@ -4663,23 +4660,22 @@ key_do_getnewspi(struct sadb_spirange *s while (count--) { /* generate pseudo-random SPI value ranged. */ newspi = min + (key_random() % (max - min + 1)); - - if (key_checkspidup(saidx, newspi) == NULL) + if (!key_checkspidup(htonl(newspi))) break; } if (count == 0 || newspi == 0) { - ipseclog((LOG_DEBUG, "%s: to allocate spi is failed.\n", - __func__)); + ipseclog((LOG_DEBUG, + "%s: failed to allocate SPI.\n", __func__)); return 0; } } /* statistics */ keystat.getspi_count = - (keystat.getspi_count + V_key_spi_trycnt - count) / 2; + (keystat.getspi_count + V_key_spi_trycnt - count) / 2; - return newspi; + return (htonl(newspi)); } /* From owner-svn-src-projects@freebsd.org Wed Nov 23 06:38:14 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6859EC4E702 for ; Wed, 23 Nov 2016 06:38:14 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 41C94117; Wed, 23 Nov 2016 06:38:14 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN6cDBr077240; Wed, 23 Nov 2016 06:38:13 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN6cDuK077239; Wed, 23 Nov 2016 06:38:13 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230638.uAN6cDuK077239@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
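Review bot: the two key_checkspidup() call sites in r309013 treat the same return value in opposite ways. In the min == max branch, !key_checkspidup(htonl(min)) is handled as "SPI exists already" and fails the request, while in the random loop !key_checkspidup(htonl(newspi)) is handled as "SPI is free" and breaks out with success. The old code was consistent (!= NULL meant duplicate, == NULL meant free), so one of the two conversions is inverted; decide whether the new function returns nonzero for "duplicate found" or for "SPI available", document that on key_checkspidup(), and fix the branch that disagrees. While touching the loop, note that the unchanged test "count == 0 || newspi == 0" after "while (count--)" does not match the exhausted case, where count ends at -1, and rejects a success found on the last attempt, where count is 0.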
From: "Andrey V. Elsukov"
Date: Wed, 23 Nov 2016 06:38:13 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r309031 - projects/ipsec/sys/netipsec

Author: ae
Date: Wed Nov 23 06:38:13 2016
New Revision: 309031
URL: https://svnweb.freebsd.org/changeset/base/309031

Log:
  Rework key_update(). Use SADB_CHECKHDR/SADB_CHECKLEN macros and key_checksockaddrs() to do sanity checks. From now on, SADB_UPDATE for MATURE SAs can only update SA state and lifetimes; for LARVAL SAs all fields except src+dst+SPI can be updated. This follows the RFC and allows access to almost all SA fields without holding a lock.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Wed Nov 23 05:03:44 2016 (r309030)
+++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 06:38:13 2016 (r309031)
@@ -4694,21 +4694,13 @@ key_do_getnewspi(struct sadb_spirange *s static int key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { - struct sadb_sa *sa0; - struct sadb_address *src0, *dst0; -#ifdef IPSEC_NAT_T - struct sadb_x_nat_t_type *type; - struct sadb_x_nat_t_port *sport, *dport; - struct sadb_address *iaddr, *raddr; - struct sadb_x_nat_t_frag *frag; -#endif struct secasindex saidx; - struct secashead *sah; + struct sadb_address *src0, *dst0; + struct sadb_sa *sa0; struct secasvar *sav; - u_int16_t proto; - u_int8_t mode; - u_int32_t reqid; + uint32_t reqid; int error; + uint8_t mode, proto; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); 
@@ -4718,48 +4710,72 @@ key_update(struct socket *so, struct mbu /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", - __func__)); + __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->ext[SADB_EXT_SA] == NULL || - mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || - mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || - (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && - mhp->ext[SADB_EXT_KEY_ENCRYPT] == NULL) || - (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && - mhp->ext[SADB_EXT_KEY_AUTH] == NULL) || - (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL && - mhp->ext[SADB_EXT_LIFETIME_SOFT] == NULL) || - (mhp->ext[SADB_EXT_LIFETIME_HARD] == NULL && - mhp->ext[SADB_EXT_LIFETIME_SOFT] != NULL)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || - mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || + (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && ( + SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) || + SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT))) || + (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && ( + SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH) || + SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH))) || + (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && + !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || + (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && + !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { + ipseclog((LOG_DEBUG, + "%s: invalid message: missing required header.\n", + __func__)); + return key_senderror(so, m, EINVAL); + } + if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || + SADB_CHECKLEN(mhp, 
SADB_EXT_ADDRESS_SRC) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->ext[SADB_X_EXT_SA2] != NULL) { - mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; - reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; - } else { + if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { mode = IPSEC_MODE_ANY; reqid = 0; + } else { + if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", + __func__)); + return key_senderror(so, m, EINVAL); + } + mode = ((struct sadb_x_sa2 *) + mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; + reqid = ((struct sadb_x_sa2 *) + mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; } - /* XXX boundary checking for other extensions */ sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); - /* XXX boundary check against sa_len */ + /* + * Only SADB_SASTATE_MATURE SAs may be submitted in an + * SADB_UPDATE message. + */ + if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) { + ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__)); +#ifdef PFKEY_STRICT_CHECKS + return key_senderror(so, m, EINVAL); +#endif + } + error = key_checksockaddrs((struct sockaddr *)(src0 + 1), + (struct sockaddr *)(dst0 + 1)); + if (error != 0) { + ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); + return key_senderror(so, m, error); + } KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); - /* * Make sure the port numbers are zero. * In case of NAT-T we will update them later if needed. 
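Review bot: The required-extension test in key_update() still fails with EINVAL when SADB_EXT_KEY_ENCRYPT is missing for ESP or SADB_EXT_KEY_AUTH is missing for AH, but the MATURE/DYING branch added later in this commit returns EINVAL when either key extension is present ('!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) || !SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)'). Taken together, an SADB_UPDATE of the lifetimes of a MATURE ESP or AH SA can never succeed. The key requirement probably needs to apply only when the SA that was found is LARVAL, which means moving it after the key_getsavbyspi() lookup. Separately, the sadb_sa_state != SADB_SASTATE_MATURE check only logs unless PFKEY_STRICT_CHECKS is defined, which the comment above it does not say.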
@@ -4767,150 +4783,97 @@ key_update(struct socket *so, struct mbu KEY_PORTTOSADDR(&saidx.src, 0); KEY_PORTTOSADDR(&saidx.dst, 0); -#ifdef IPSEC_NAT_T - /* - * Handle NAT-T info if present. - */ - if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { - - if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) || - mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || - mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { - ipseclog((LOG_DEBUG, "%s: invalid message.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - - type = (struct sadb_x_nat_t_type *) - mhp->ext[SADB_X_EXT_NAT_T_TYPE]; - sport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_SPORT]; - dport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_DPORT]; - } else { - type = NULL; - sport = dport = NULL; - } - if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) { - if (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr) || - mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr)) { - ipseclog((LOG_DEBUG, "%s: invalid message\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - iaddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI]; - raddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR]; - ipseclog((LOG_DEBUG, "%s: NAT-T OAi/r present\n", __func__)); - } else { - iaddr = raddr = NULL; - } - if (mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) { - if (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag)) { - ipseclog((LOG_DEBUG, "%s: invalid message\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - frag = (struct sadb_x_nat_t_frag *) - mhp->ext[SADB_X_EXT_NAT_T_FRAG]; - } else { - frag = NULL; - } -#endif - - /* get a SA header */ - if ((sah = key_getsah(&saidx)) == NULL) { - ipseclog((LOG_DEBUG, "%s: no SA index found.\n", __func__)); - return key_senderror(so, m, ENOENT); - } - - /* set spidx if there */ - /* XXX rewrite */ - 
error = key_setident(sah, m, mhp); - if (error) - return key_senderror(so, m, error); - - /* find a SA with sequence number. */ -#ifdef IPSEC_DOSEQCHECK - if (mhp->msg->sadb_msg_seq != 0 - && (sav = key_getsavbyseq(sah, mhp->msg->sadb_msg_seq)) == NULL) { - ipseclog((LOG_DEBUG, "%s: no larval SA with sequence %u " - "exists.\n", __func__, mhp->msg->sadb_msg_seq)); - return key_senderror(so, m, ENOENT); - } -#else - SAHTREE_LOCK(); - sav = key_getsavbyspi(sah, sa0->sadb_sa_spi); - SAHTREE_UNLOCK(); + sav = key_getsavbyspi(sa0->sadb_sa_spi); if (sav == NULL) { - ipseclog((LOG_DEBUG, "%s: no such a SA found (spi:%u)\n", - __func__, (u_int32_t)ntohl(sa0->sadb_sa_spi))); + ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u\n", + __func__, ntohl(sa0->sadb_sa_spi))); return key_senderror(so, m, EINVAL); } -#endif - - /* validity check */ - if (sav->sah->saidx.proto != proto) { - ipseclog((LOG_DEBUG, "%s: protocol mismatched " - "(DB=%u param=%u)\n", __func__, - sav->sah->saidx.proto, proto)); - return key_senderror(so, m, EINVAL); - } -#ifdef IPSEC_DOSEQCHECK - if (sav->spi != sa0->sadb_sa_spi) { - ipseclog((LOG_DEBUG, "%s: SPI mismatched (DB:%u param:%u)\n", - __func__, - (u_int32_t)ntohl(sav->spi), - (u_int32_t)ntohl(sa0->sadb_sa_spi))); - return key_senderror(so, m, EINVAL); - } -#endif + /* + * Check that SADB_UPDATE issued by the same process that did + * SADB_GETSPI or SADB_ADD. + */ if (sav->pid != mhp->msg->sadb_msg_pid) { - ipseclog((LOG_DEBUG, "%s: pid mismatched (DB:%u param:%u)\n", - __func__, sav->pid, mhp->msg->sadb_msg_pid)); + ipseclog((LOG_DEBUG, + "%s: pid mismatched (SPI %u, pid %u vs. %u)\n", __func__, + ntohl(sav->spi), sav->pid, mhp->msg->sadb_msg_pid)); + key_freesav(&sav); return key_senderror(so, m, EINVAL); } - - /* copy sav values */ - error = key_setsaval(sav, m, mhp); - if (error) { - KEY_FREESAV(&sav); - return key_senderror(so, m, error); - } - -#ifdef IPSEC_NAT_T - /* - * Handle more NAT-T info if present, - * now that we have a sav to fill. 
- */ - if (type) - sav->natt_type = type->sadb_x_nat_t_type_type; - - if (sport) - KEY_PORTTOSADDR(&sav->sah->saidx.src, - sport->sadb_x_nat_t_port_port); - if (dport) - KEY_PORTTOSADDR(&sav->sah->saidx.dst, - dport->sadb_x_nat_t_port_port); - -#if 0 /* - * In case SADB_X_EXT_NAT_T_FRAG was not given, leave it at 0. - * We should actually check for a minimum MTU here, if we - * want to support it in ip_output. + * XXXAE: saidx should match with SA. Use CMP_MODE_REQID since we + * didn't set ports for NAT-T yet and exactly match may fail. */ - if (frag) - sav->natt_esp_frag_len = frag->sadb_x_nat_t_frag_fraglen; -#endif -#endif + if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) { + ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u", + __func__, ntohl(sav->spi))); + key_freesav(&sav); + return key_senderror(so, m, ESRCH); + } - /* check SA values to be mature. */ - if ((mhp->msg->sadb_msg_errno = key_mature(sav)) != 0) { - KEY_FREESAV(&sav); - return key_senderror(so, m, 0); + if (sav->state == SADB_SASTATE_LARVAL) { + /* + * We can set any values except src, dst and SPI. + */ + error = key_setsaval(sav, mhp); + if (error != 0) { + key_freesav(&sav); + return (key_senderror(so, m, error)); + } + /* Change SA state to MATURE */ + SAHTREE_WLOCK(); + if (sav->state != SADB_SASTATE_LARVAL) { + /* SA was deleted or another thread made it MATURE. */ + SAHTREE_WUNLOCK(); + key_freesav(&sav); + return (key_senderror(so, m, ESRCH)); + } + /* + * NOTE: we keep SAs in savtree_alive ordered by created + * time. When SA's state changed from LARVAL to MATURE, + * we update its created time in key_setsaval() and move + * it into head of savtree_alive. + */ + TAILQ_REMOVE(&sav->sah->savtree_larval, sav, chain); + TAILQ_INSERT_HEAD(&sav->sah->savtree_alive, sav, chain); + sav->state = SADB_SASTATE_MATURE; + SAHTREE_WUNLOCK(); + } else { + /* + * For DYING and MATURE SA we can change only state + * and lifetimes. 
Report EINVAL if something else attempted + * to change. + */ + if (!SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) || + !SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH)) { + key_freesav(&sav); + return (key_senderror(so, m, EINVAL)); + } + error = key_updatelifetimes(sav, mhp); + if (error != 0) { + key_freesav(&sav); + return (key_senderror(so, m, error)); + } + /* Check that SA is still alive */ + SAHTREE_WLOCK(); + if (sav->state == SADB_SASTATE_DEAD) { + /* SA was unlinked */ + SAHTREE_WUNLOCK(); + key_freesav(&sav); + return (key_senderror(so, m, ESRCH)); + } + /* + * NOTE: there is possible state moving from DYING to MATURE, + * but this doesn't change created time, so we won't reorder + * this SA. + */ + sav->state = SADB_SASTATE_MATURE; + SAHTREE_WUNLOCK(); } + KEYDBG(KEY_STAMP, + printf("%s: SA(%p)\n", __func__, sav)); + KEYDBG(KEY_DATA, kdebug_secasv(sav)); + key_freesav(&sav); { struct mbuf *n; From owner-svn-src-projects@freebsd.org Wed Nov 23 06:51:21 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0D120C4ECED for ; Wed, 23 Nov 2016 06:51:21 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BE998A77; Wed, 23 Nov 2016 06:51:20 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN6pJvs083231; Wed, 23 Nov 2016 06:51:19 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN6pJlw083230; Wed, 23 Nov 2016 06:51:19 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230651.uAN6pJlw083230@repo.freebsd.org> X-Authentication-Warning: 
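Review bot: In the LARVAL branch, key_setsaval(sav, mhp) runs before SAHTREE_WLOCK() is taken and before the state is rechecked, so two SADB_UPDATE messages for the same SPI can both pass the unlocked 'sav->state == SADB_SASTATE_LARVAL' test and both write into the same sav. Either serialize the fill-in or add a comment explaining why the pid check makes this unreachable. Also, the "saidx mismatched for SPI %u" log string is missing its trailing \n, unlike the other ipseclog() calls in this hunk.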
From: "Andrey V. Elsukov"
Date: Wed, 23 Nov 2016 06:51:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r309032 - projects/ipsec/sys/netipsec

Author: ae
Date: Wed Nov 23 06:51:19 2016
New Revision: 309032
URL: https://svnweb.freebsd.org/changeset/base/309032

Log:
  Rework key_add(). Use SADB_CHECKHDR/SADB_CHECKLEN macros and key_checksockaddrs() to do sanity checks. Now key_newsav() will allocate and initialize all needed SA fields.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Wed Nov 23 06:38:13 2016 (r309031)
+++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 06:51:19 2016 (r309032)
@@ -4891,40 +4891,6 @@ key_update(struct socket *so, struct mbu } /* - * search SAD with sequence for a SA which state is SADB_SASTATE_LARVAL. - * only called by key_update(). - * OUT: - * NULL : not found - * others : found, pointer to a SA. - */ -#ifdef IPSEC_DOSEQCHECK -static struct secasvar * -key_getsavbyseq(struct secashead *sah, u_int32_t seq) -{ - struct secasvar *sav; - u_int state; - - state = SADB_SASTATE_LARVAL; - - /* search SAD with sequence number ? */ - LIST_FOREACH(sav, &sah->savtree[state], chain) { - - KEY_CHKSASTATE(state, sav->state, __func__); - - if (sav->seq == seq) { - sa_addref(sav); - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP %s cause refcnt++:%d SA:%p\n", - __func__, sav->refcnt, sav)); - return sav; - } - } - - return NULL; -} -#endif - -/* * SADB_ADD processing * add an entry to SA database, when received * msg->sadb_msg_satype)) == 0) { ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", - __func__)); + __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->ext[SADB_EXT_SA] == NULL || - mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || - mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || - (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && - mhp->ext[SADB_EXT_KEY_ENCRYPT] == NULL) || - (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && - mhp->ext[SADB_EXT_KEY_AUTH] == NULL) || - (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL && - mhp->ext[SADB_EXT_LIFETIME_SOFT] == NULL) || - (mhp->ext[SADB_EXT_LIFETIME_HARD] == NULL && - mhp->ext[SADB_EXT_LIFETIME_SOFT] != NULL)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || + (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && ( + SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) || + SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT))) || + (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && ( + SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH) || + SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH))) 
|| + (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) && + !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) || + (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) && + !SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD))) { + ipseclog((LOG_DEBUG, + "%s: invalid message: missing required header.\n", + __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || - mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { - /* XXX need more */ - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->ext[SADB_X_EXT_SA2] != NULL) { - mode = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; - reqid = ((struct sadb_x_sa2 *)mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; - } else { + if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { mode = IPSEC_MODE_ANY; reqid = 0; + } else { + if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", + __func__)); + return key_senderror(so, m, EINVAL); + } + mode = ((struct sadb_x_sa2 *) + mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; + reqid = ((struct sadb_x_sa2 *) + mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; } sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; - /* XXX boundary check against sa_len */ + /* + * Only SADB_SASTATE_MATURE SAs may be submitted in an + * SADB_ADD message. 
+ */ + if (sa0->sadb_sa_state != SADB_SASTATE_MATURE) { + ipseclog((LOG_DEBUG, "%s: invalid state.\n", __func__)); +#ifdef PFKEY_STRICT_CHECKS + return key_senderror(so, m, EINVAL); +#endif + } + error = key_checksockaddrs((struct sockaddr *)(src0 + 1), + (struct sockaddr *)(dst0 + 1)); + if (error != 0) { + ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); + return key_senderror(so, m, error); + } KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); - /* * Make sure the port numbers are zero. * In case of NAT-T we will update them later if needed. 
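Review bot: The new sa0->sadb_sa_state != SADB_SASTATE_MATURE test in key_add() logs "invalid state" but rejects the message only under #ifdef PFKEY_STRICT_CHECKS; without that define, execution continues past the log call. The comment says only MATURE SAs "may be submitted", so either return EINVAL unconditionally or reword the comment and the log text to say that the state field is ignored unless strict checks are enabled.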
@@ -5014,127 +4997,32 @@ key_add(struct socket *so, struct mbuf * KEY_PORTTOSADDR(&saidx.src, 0); KEY_PORTTOSADDR(&saidx.dst, 0); -#ifdef IPSEC_NAT_T - /* - * Handle NAT-T info if present. - */ - if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { - struct sadb_x_nat_t_port *sport, *dport; - - if (mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type) || - mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || - mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { - ipseclog((LOG_DEBUG, "%s: invalid message.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - - type = (struct sadb_x_nat_t_type *) - mhp->ext[SADB_X_EXT_NAT_T_TYPE]; - sport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_SPORT]; - dport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_DPORT]; - - if (sport) - KEY_PORTTOSADDR(&saidx.src, - sport->sadb_x_nat_t_port_port); - if (dport) - KEY_PORTTOSADDR(&saidx.dst, - dport->sadb_x_nat_t_port_port); - } else { - type = NULL; - } - if (mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) { - if (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr) || - mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr)) { - ipseclog((LOG_DEBUG, "%s: invalid message\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - iaddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAI]; - raddr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OAR]; - ipseclog((LOG_DEBUG, "%s: NAT-T OAi/r present\n", __func__)); - } else { - iaddr = raddr = NULL; - } - if (mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) { - if (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag)) { - ipseclog((LOG_DEBUG, "%s: invalid message\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - frag = (struct sadb_x_nat_t_frag *) - mhp->ext[SADB_X_EXT_NAT_T_FRAG]; - } else { - frag = NULL; - } -#endif - - /* get a SA header */ - if ((newsah = 
key_getsah(&saidx)) == NULL) { - /* create a new SA header */ - if ((newsah = key_newsah(&saidx)) == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); - return key_senderror(so, m, ENOBUFS); - } - } - - /* set spidx if there */ - /* XXX rewrite */ - error = key_setident(newsah, m, mhp); - if (error) { - return key_senderror(so, m, error); - } - - /* create new SA entry. */ - /* We can create new SA only if SPI is differenct. */ - SAHTREE_LOCK(); - newsav = key_getsavbyspi(newsah, sa0->sadb_sa_spi); - SAHTREE_UNLOCK(); - if (newsav != NULL) { + /* We can create new SA only if SPI is different. */ + sav = key_getsavbyspi(sa0->sadb_sa_spi); + if (sav != NULL) { + key_freesav(&sav); ipseclog((LOG_DEBUG, "%s: SA already exists.\n", __func__)); return key_senderror(so, m, EEXIST); } - newsav = KEY_NEWSAV(m, mhp, newsah, &error); - if (newsav == NULL) { - return key_senderror(so, m, error); - } -#ifdef IPSEC_NAT_T - /* - * Handle more NAT-T info if present, - * now that we have a sav to fill. - */ - if (type) - newsav->natt_type = type->sadb_x_nat_t_type_type; - -#if 0 - /* - * In case SADB_X_EXT_NAT_T_FRAG was not given, leave it at 0. - * We should actually check for a minimum MTU here, if we - * want to support it in ip_output. - */ - if (frag) - newsav->natt_esp_frag_len = frag->sadb_x_nat_t_frag_fraglen; -#endif -#endif - - /* check SA values to be mature. */ - if ((error = key_mature(newsav)) != 0) { - KEY_FREESAV(&newsav); + sav = key_newsav(mhp, &saidx, sa0->sadb_sa_spi, &error); + if (sav == NULL) return key_senderror(so, m, error); - } - + KEYDBG(KEY_STAMP, + printf("%s: return SA(%p)\n", __func__, sav)); + KEYDBG(KEY_DATA, kdebug_secasv(sav)); /* - * don't call key_freesav() here, as we would like to keep the SA - * in the database on success. + * If SADB_ADD was in response to SADB_ACQUIRE, we need to schedule + * ACQ for deletion. 
*/ + if (sav->seq != 0) + key_acqdone(&saidx, sav->seq); { + /* + * Don't call key_freesav() on error here, as we would like to + * keep the SA in the database. + */ struct mbuf *n; /* set msg buf from mhp */ From owner-svn-src-projects@freebsd.org Wed Nov 23 06:55:05 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7E24FC4EDBF for ; Wed, 23 Nov 2016 06:55:05 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 36821CF1; Wed, 23 Nov 2016 06:55:05 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN6t4vr084765; Wed, 23 Nov 2016 06:55:04 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN6t4w7084764; Wed, 23 Nov 2016 06:55:04 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230655.uAN6t4w7084764@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
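Review bot: After key_newsav() returns, sav is still dereferenced (kdebug_secasv(sav), sav->seq) although the comment says key_freesav() is deliberately not called so that the SA stays in the database. If key_newsav() has already linked the SA and this function holds no reference of its own, a concurrent delete could free it before sav->seq is read; please document which reference key_newsav() returns, or take seq before the SA becomes visible. The key_getsavbyspi() duplicate check and the key_newsav() call are also separate steps, so it is worth stating where two SADB_ADD requests for the same SPI are serialized.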
From: "Andrey V. Elsukov"
Date: Wed, 23 Nov 2016 06:55:04 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r309033 - projects/ipsec/sys/netipsec

Author: ae
Date: Wed Nov 23 06:55:04 2016
New Revision: 309033
URL: https://svnweb.freebsd.org/changeset/base/309033

Log:
  Add key_setnatt() function to check NAT-T related headers.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Wed Nov 23 06:51:19 2016 (r309032)
+++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 06:55:04 2016 (r309033)
@@ -5037,6 +5037,74 @@ key_add(struct socket *so, struct mbuf * } } +static int +key_setnatt(struct secasvar *sav, const struct sadb_msghdr *mhp) +{ +#ifdef IPSEC_NAT_T + struct sadb_x_nat_t_port *sport, *dport; + struct sadb_x_nat_t_type *type; + + if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_TYPE) && + !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_SPORT) && + !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_DPORT)) { + if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_TYPE) || + SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_SPORT) || + SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_DPORT)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", + __func__)); + return (EINVAL); + } + + type = (struct sadb_x_nat_t_type *) + mhp->ext[SADB_X_EXT_NAT_T_TYPE]; + sport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_SPORT]; + dport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_DPORT]; + + sav->natt_type = type->sadb_x_nat_t_type_type; + KEY_PORTTOSADDR(&sav->sah->saidx.src, + sport->sadb_x_nat_t_port_port); + KEY_PORTTOSADDR(&sav->sah->saidx.dst, + dport->sadb_x_nat_t_port_port); + } else + return (0); + if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAI) && + !SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_OAR)) { + if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAI) || + SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_OAR)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", + __func__)); + return (EINVAL); + } + ipseclog((LOG_DEBUG, "%s: NAT-T OAi/r present\n", __func__)); + } + if (!SADB_CHECKHDR(mhp, SADB_X_EXT_NAT_T_FRAG)) { + if (SADB_CHECKLEN(mhp, SADB_X_EXT_NAT_T_FRAG)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", + __func__)); + return (EINVAL); + } + ipseclog((LOG_DEBUG, "%s: NAT-T frag present\n", __func__)); +#if 0 + struct sadb_x_nat_t_frag *frag; + frag = (struct sadb_x_nat_t_frag *) + mhp->ext[SADB_X_EXT_NAT_T_FRAG]; + /* + * In case SADB_X_EXT_NAT_T_FRAG was not given, leave it at 0. 
+ * We should actually check for a minimum MTU here, if we + * want to support it in ip_output. + */ + sav->natt_esp_frag_len = frag->sadb_x_nat_t_frag_fraglen; +#endif + } +#endif + return (0); +} + /* m is retained */ static int key_setident(struct secashead *sah, struct mbuf *m, From owner-svn-src-projects@freebsd.org Wed Nov 23 06:57:39 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8821FC4EDED for ; Wed, 23 Nov 2016 06:57:39 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 51EC1E0A; Wed, 23 Nov 2016 06:57:39 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN6vc6S084886; Wed, 23 Nov 2016 06:57:38 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN6vcph084885; Wed, 23 Nov 2016 06:57:38 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230657.uAN6vcph084885@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
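Review bot: key_setnatt() returns 0 without any diagnostic when only some of SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT and SADB_X_EXT_NAT_T_DPORT are present, because the first test requires all three and the 'else return (0);' path treats everything else as "no NAT-T". A partial set is a malformed request and should return EINVAL with a log line; the same applies when only one of SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR is supplied. The function also writes the ports into sav->sah->saidx, which belongs to the SA head rather than to this SA, so a comment on what protects that write would help.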
From: "Andrey V. Elsukov"
Date: Wed, 23 Nov 2016 06:57:38 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r309034 - projects/ipsec/sys/netipsec

Author: ae
Date: Wed Nov 23 06:57:38 2016
New Revision: 309034
URL: https://svnweb.freebsd.org/changeset/base/309034

Log:
  Modify key_setident() to use SADB_CHECKHDR() macro. Also remove unused argument.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Wed Nov 23 06:55:04 2016 (r309033)
+++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 06:57:38 2016 (r309034)
@@ -5105,31 +5105,28 @@ key_setnatt(struct secasvar *sav, const return (0); } -/* m is retained */ static int -key_setident(struct secashead *sah, struct mbuf *m, - const struct sadb_msghdr *mhp) +key_setident(struct secashead *sah, const struct sadb_msghdr *mhp) { const struct sadb_ident *idsrc, *iddst; int idsrclen, iddstlen; IPSEC_ASSERT(sah != NULL, ("null secashead")); - IPSEC_ASSERT(m != NULL, ("null mbuf")); IPSEC_ASSERT(mhp != NULL, ("null msghdr")); IPSEC_ASSERT(mhp->msg != NULL, ("null msg")); /* don't make buffer if not there */ - if (mhp->ext[SADB_EXT_IDENTITY_SRC] == NULL && - mhp->ext[SADB_EXT_IDENTITY_DST] == NULL) { + if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) && + SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) { sah->idents = NULL; sah->identd = NULL; - return 0; + return (0); } - - if (mhp->ext[SADB_EXT_IDENTITY_SRC] == NULL || - mhp->ext[SADB_EXT_IDENTITY_DST] == NULL) { + + if (SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_IDENTITY_DST)) { ipseclog((LOG_DEBUG, "%s: invalid identity.\n", __func__)); - return EINVAL; + return (EINVAL); } idsrc = (const struct sadb_ident *)mhp->ext[SADB_EXT_IDENTITY_SRC]; From owner-svn-src-projects@freebsd.org Wed Nov 23 08:06:18 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 87A66C50F22 for ; Wed, 23 Nov 2016 08:06:18 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4906EB67; Wed, 23 Nov 2016 08:06:18 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN86Hr4012760; Wed, 23 Nov 2016 08:06:17 GMT (envelope-from 
ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN86HDb012759; Wed, 23 Nov 2016 08:06:17 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230806.uAN86HDb012759@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 08:06:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309036 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 08:06:18 -0000 Author: ae Date: Wed Nov 23 08:06:17 2016 New Revision: 309036 URL: https://svnweb.freebsd.org/changeset/base/309036 Log: Update key_delete() to reflect changes in SADB and use more accurate sanity checks. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 07:57:52 2016 (r309035) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 08:06:17 2016 (r309036) @@ -5221,12 +5221,11 @@ key_getmsgbuf_x1(struct mbuf *m, const s static int key_delete(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { - struct sadb_sa *sa0; - struct sadb_address *src0, *dst0; struct secasindex saidx; - struct secashead *sah; - struct secasvar *sav = NULL; - u_int16_t proto; + struct sadb_address *src0, *dst0; + struct secasvar *sav; + struct sadb_sa *sa0; + uint8_t proto; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); 
@@ -5236,45 +5235,28 @@ key_delete(struct socket *so, struct mbu /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - - if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || - mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - - if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->ext[SADB_EXT_SA] == NULL) { - /* - * Caller wants us to delete all non-LARVAL SAs - * that match the src/dst. This is used during - * IKE INITIAL-CONTACT. - */ - ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__)); - return key_delete_all(so, m, mhp, proto); - } else if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa)) { + if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + __func__)); return key_senderror(so, m, EINVAL); } - sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); - /* XXX boundary check against sa_len */ + if (key_checksockaddrs((struct sockaddr *)(src0 + 1), + (struct sockaddr *)(dst0 + 1)) != 0) { + ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); + return (key_senderror(so, m, EINVAL)); + } KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); - /* * Make sure the port numbers are zero. * In case of NAT-T we will update them later if needed. 
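Review bot: In key_delete(), the key_checksockaddrs() call that replaces the old "XXX boundary check against sa_len" marker is handed only the two sockaddr pointers (src0 + 1, dst0 + 1), so by itself it cannot compare sa_len with mhp->extlen[SADB_EXT_ADDRESS_SRC] or mhp->extlen[SADB_EXT_ADDRESS_DST]. Please say in a comment where that bound is enforced (SADB_CHECKLEN() or the message parser), or pass the extension lengths down, because KEY_SETSECASIDX() consumes these addresses right after. Smaller point: the satype and header checks in this hunk keep `return key_senderror(so, m, EINVAL);` while the added sockaddr check uses `return (key_senderror(so, m, EINVAL));`.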
@@ -5282,57 +5264,39 @@ key_delete(struct socket *so, struct mbu KEY_PORTTOSADDR(&saidx.src, 0); KEY_PORTTOSADDR(&saidx.dst, 0); -#ifdef IPSEC_NAT_T - /* - * Handle NAT-T info if present. - */ - if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { - struct sadb_x_nat_t_port *sport, *dport; - - if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || - mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { - ipseclog((LOG_DEBUG, "%s: invalid message.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - - sport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_SPORT]; - dport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_DPORT]; - - if (sport) - KEY_PORTTOSADDR(&saidx.src, - sport->sadb_x_nat_t_port_port); - if (dport) - KEY_PORTTOSADDR(&saidx.dst, - dport->sadb_x_nat_t_port_port); - } -#endif - - /* get a SA header */ - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - if (sah->state == SADB_SASTATE_DEAD) - continue; - if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0) - continue; - - /* get a SA with SPI. */ - sav = key_getsavbyspi(sah, sa0->sadb_sa_spi); - if (sav) - break; + if (SADB_CHECKHDR(mhp, SADB_EXT_SA)) { + /* + * Caller wants us to delete all non-LARVAL SAs + * that match the src/dst. This is used during + * IKE INITIAL-CONTACT. + * XXXAE: this looks like some extension to RFC2367. 
+ */ + ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__)); + return (key_delete_all(so, m, mhp, &saidx)); } - if (sah == NULL) { - SAHTREE_UNLOCK(); - ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__)); - return key_senderror(so, m, ENOENT); + if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); + return (key_senderror(so, m, EINVAL)); } - - key_sa_chgstate(sav, SADB_SASTATE_DEAD); - KEY_FREESAV(&sav); - SAHTREE_UNLOCK(); + sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA]; + sav = key_getsavbyspi(sa0->sadb_sa_spi); + if (sav == NULL) { + ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u.\n", + __func__, ntohl(sa0->sadb_sa_spi))); + return (key_senderror(so, m, ESRCH)); + } + if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) { + ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n", + __func__, ntohl(sav->spi))); + key_freesav(&sav); + return (key_senderror(so, m, ESRCH)); + } + KEYDBG(KEY_STAMP, + printf("%s: SA(%p)\n", __func__, sav)); + KEYDBG(KEY_DATA, kdebug_secasv(sav)); + key_unlinksav(sav); + key_freesav(&sav); { struct mbuf *n; From owner-svn-src-projects@freebsd.org Wed Nov 23 08:13:08 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8EE79C5112C for ; Wed, 23 Nov 2016 08:13:08 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 63B0DDA; Wed, 23 Nov 2016 08:13:08 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN8D7jS017043; Wed, 23 Nov 2016 08:13:07 GMT (envelope-from ae@FreeBSD.org) Received: (from 
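Review bot: The no-SA path in key_delete() (r309036) now replies ESRCH where it used to reply ENOENT, and the commit log only mentions "more accurate sanity checks"; PF_KEY clients that match on the errno will see different behavior, so the log should call this out. The same hunk removes the whole #ifdef IPSEC_NAT_T block, yet the comment just above it still says "In case of NAT-T we will update them later if needed"; either update that comment or say where the ports are applied before key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) runs.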
From: "Andrey V. Elsukov"
Date: Wed, 23 Nov 2016 08:13:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r309037 - projects/ipsec/sys/netipsec

Author: ae
Date: Wed Nov 23 08:13:07 2016
New Revision: 309037
URL: https://svnweb.freebsd.org/changeset/base/309037

Log:
  Update key_delete_all() to reflect changes in SADB.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 08:06:17 2016 (r309036) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 08:13:07 2016 (r309037) 
@@ -5328,88 +5328,38 @@ key_delete(struct socket *so, struct mbu */ static int key_delete_all(struct socket *so, struct mbuf *m, - const struct sadb_msghdr *mhp, u_int16_t proto) + const struct sadb_msghdr *mhp, struct secasindex *saidx) { - struct sadb_address *src0, *dst0; - struct secasindex saidx; + struct secasvar_queue drainq; struct secashead *sah; struct secasvar *sav, *nextsav; - u_int stateidx, state; - - src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); - dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); - - /* XXX boundary check against sa_len */ - KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); - - /* - * Make sure the port numbers are zero. - * In case of NAT-T we will update them later if needed. - */ - KEY_PORTTOSADDR(&saidx.src, 0); - KEY_PORTTOSADDR(&saidx.dst, 0); - -#ifdef IPSEC_NAT_T - /* - * Handle NAT-T info if present. - */ - - if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { - struct sadb_x_nat_t_port *sport, *dport; - - if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || - mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { - ipseclog((LOG_DEBUG, "%s: invalid message.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - - sport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_SPORT]; - dport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_DPORT]; - - if (sport) - KEY_PORTTOSADDR(&saidx.src, - sport->sadb_x_nat_t_port_port); - if (dport) - KEY_PORTTOSADDR(&saidx.dst, - dport->sadb_x_nat_t_port_port); - } -#endif - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - if (sah->state == SADB_SASTATE_DEAD) - continue; - if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0) + TAILQ_INIT(&drainq); + SAHTREE_WLOCK(); + LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { + if (key_cmpsaidx(&sah->saidx, saidx, CMP_HEAD) == 0) continue; - - /* Delete all non-LARVAL SAs. 
*/ - for (stateidx = 0; - stateidx < _ARRAYLEN(saorder_state_alive); - stateidx++) { - state = saorder_state_alive[stateidx]; - if (state == SADB_SASTATE_LARVAL) - continue; - for (sav = LIST_FIRST(&sah->savtree[state]); - sav != NULL; sav = nextsav) { - nextsav = LIST_NEXT(sav, chain); - /* sanity check */ - if (sav->state != state) { - ipseclog((LOG_DEBUG, "%s: invalid " - "sav->state (queue %d SA %d)\n", - __func__, state, sav->state)); - continue; - } - - key_sa_chgstate(sav, SADB_SASTATE_DEAD); - KEY_FREESAV(&sav); - } - } + /* Move all ALIVE SAs into drainq */ + TAILQ_CONCAT(&drainq, &sah->savtree_alive, chain); } - SAHTREE_UNLOCK(); + /* Unlink all queued SAs from SPI hash */ + TAILQ_FOREACH(sav, &drainq, chain) { + sav->state = SADB_SASTATE_DEAD; + LIST_REMOVE(sav, spihash); + } + SAHTREE_WUNLOCK(); + /* Now we can release reference for all SAs in drainq */ + sav = TAILQ_FIRST(&drainq); + while (sav != NULL) { + KEYDBG(KEY_STAMP, + printf("%s: SA(%p)\n", __func__, sav)); + KEYDBG(KEY_DATA, kdebug_secasv(sav)); + nextsav = TAILQ_NEXT(sav, chain); + key_freesah(&sav->sah); /* release reference from SAV */ + key_freesav(&sav); /* release last reference */ + sav = nextsav; + } + { struct mbuf *n; struct sadb_msg *newmsg; From owner-svn-src-projects@freebsd.org Wed Nov 23 08:17:06 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 683CDC5127D for ; Wed, 23 Nov 2016 08:17:06 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 29BD15E5; Wed, 23 Nov 2016 08:17:06 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with 
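Review bot: In key_delete_all() (r309037), the removed loop skipped SADB_SASTATE_LARVAL explicitly, while the replacement moves every entry of sah->savtree_alive into drainq with TAILQ_CONCAT(); the caller's comment in key_delete() still promises "delete all non-LARVAL SAs". If larval SAs can sit on savtree_alive this changes what gets deleted, so add a comment, or an assertion inside the TAILQ_FOREACH(sav, &drainq, chain) loop, stating that larval entries are kept on a separate list.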
ESMTP id uAN8H5fn017213; Wed, 23 Nov 2016 08:17:05 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN8H5f0017212; Wed, 23 Nov 2016 08:17:05 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230817.uAN8H5f0017212@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 08:17:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309038 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 08:17:06 -0000 Author: ae Date: Wed Nov 23 08:17:05 2016 New Revision: 309038 URL: https://svnweb.freebsd.org/changeset/base/309038 Log: Update key_get() to reflect changes in SADB. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 08:13:07 2016 (r309037) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 08:17:05 2016 (r309038) @@ -5400,12 +5400,11 @@ key_delete_all(struct socket *so, struct static int key_get(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { - struct sadb_sa *sa0; - struct sadb_address *src0, *dst0; struct secasindex saidx; - struct secashead *sah; - struct secasvar *sav = NULL; - u_int16_t proto; + struct sadb_address *src0, *dst0; + struct sadb_sa *sa0; + struct secasvar *sav; + uint8_t proto; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); 
@@ -5419,18 +5418,19 @@ key_get(struct socket *so, struct mbuf * return key_senderror(so, m, EINVAL); } - if (mhp->ext[SADB_EXT_SA] == NULL || - mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || - mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKHDR(mhp, SADB_EXT_SA) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: missing required header.\n", + __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || - mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKLEN(mhp, SADB_EXT_SA) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); return key_senderror(so, m, EINVAL); } @@ -5438,9 +5438,12 @@ key_get(struct socket *so, struct mbuf * src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; - /* XXX boundary check against sa_len */ + if (key_checksockaddrs((struct sockaddr *)(src0 + 1), + (struct sockaddr *)(dst0 + 1)) != 0) { + ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); + return key_senderror(so, m, EINVAL); + } KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); - /* * Make sure the port numbers are zero. * In case of NAT-T we will update them later if needed. 
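Review bot: The address validation added to key_get() here (key_checksockaddrs() followed by KEY_SETSECASIDX()) is the same sequence r309036 added to key_delete(), and the two copies already differ: this one ends with `return key_senderror(so, m, EINVAL);` where key_delete() uses `return (key_senderror(so, m, EINVAL));`, and key_get() logs "missing required header" and "wrong header size" separately while key_delete() reports both as "invalid message is passed". A small shared helper that fills saidx from mhp would keep the checks, the messages and the return style in step.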
@@ -5448,69 +5451,35 @@ key_get(struct socket *so, struct mbuf * KEY_PORTTOSADDR(&saidx.src, 0); KEY_PORTTOSADDR(&saidx.dst, 0); -#ifdef IPSEC_NAT_T - /* - * Handle NAT-T info if present. - */ - - if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { - struct sadb_x_nat_t_port *sport, *dport; - - if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || - mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { - ipseclog((LOG_DEBUG, "%s: invalid message.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - - sport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_SPORT]; - dport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_DPORT]; - - if (sport) - KEY_PORTTOSADDR(&saidx.src, - sport->sadb_x_nat_t_port_port); - if (dport) - KEY_PORTTOSADDR(&saidx.dst, - dport->sadb_x_nat_t_port_port); - } -#endif - - /* get a SA header */ - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - if (sah->state == SADB_SASTATE_DEAD) - continue; - if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0) - continue; - - /* get a SA with SPI. 
*/ - sav = key_getsavbyspi(sah, sa0->sadb_sa_spi); - if (sav) - break; - } - SAHTREE_UNLOCK(); - if (sah == NULL) { + sav = key_getsavbyspi(sa0->sadb_sa_spi); + if (sav == NULL) { ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__)); - return key_senderror(so, m, ENOENT); + return key_senderror(so, m, ESRCH); + } + if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) { + ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n", + __func__, ntohl(sav->spi))); + key_freesav(&sav); + return (key_senderror(so, m, ESRCH)); } { struct mbuf *n; - u_int8_t satype; + uint8_t satype; /* map proto to satype */ - if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { + if ((satype = key_proto2satype(sav->sah->saidx.proto)) == 0) { ipseclog((LOG_DEBUG, "%s: there was invalid proto in SAD.\n", - __func__)); + __func__)); + key_freesav(&sav); return key_senderror(so, m, EINVAL); } /* create new sadb_msg to reply. */ n = key_setdumpsa(sav, SADB_GET, satype, mhp->msg->sadb_msg_seq, mhp->msg->sadb_msg_pid); + + key_freesav(&sav); if (!n) return key_senderror(so, m, ENOBUFS); From owner-svn-src-projects@freebsd.org Wed Nov 23 08:54:52 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D3452C51E4E for ; Wed, 23 Nov 2016 08:54:52 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9410DD3E; Wed, 23 Nov 2016 08:54:52 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN8spsC032785; Wed, 23 Nov 2016 08:54:51 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) 
From: "Andrey V. Elsukov"
Date: Wed, 23 Nov 2016 08:54:51 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r309040 - projects/ipsec/sys/netipsec

Author: ae
Date: Wed Nov 23 08:54:51 2016
New Revision: 309040
URL: https://svnweb.freebsd.org/changeset/base/309040

Log:
  Rework ACQ list functions. Move all ACQ logic into ACQ related
  functions. Add two hash tables to speed up lookup. Make key_getacq()
  return ACQ sequence number instead of secacq structure. When we
  already have ACQ for given secasindex, do not send SADB_ACQUIRE for
  each packet. Send SADB_ACQUIRE only for first packet and then repeat
  it for each V_key_blockacq_count packets. If ACQ doesn't exist,
  key_getacq() will use key_newacq(). Add key_acqreset() function to
  reset counter of blocked packets and renew ACQ's TTL. Add
  key_acqdone() function to force ACQ expiration.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 08:30:02 2016 (r309039) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 08:54:51 2016 (r309040) 
@@ -265,16 +265,40 @@ static struct mtx regtree_lock; #define REGTREE_UNLOCK() mtx_unlock(®tree_lock) #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED) -static VNET_DEFINE(LIST_HEAD(_acqtree, secacq), acqtree); /* acquiring list */ +/* Acquiring list */ +LIST_HEAD(secacq_list, secacq); +static VNET_DEFINE(struct secacq_list, acqtree); #define V_acqtree VNET(acqtree) static struct mtx acq_lock; #define ACQ_LOCK_INIT() \ - mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF) + mtx_init(&acq_lock, "acqtree", "ipsec SA acquiring list", MTX_DEF) #define ACQ_LOCK_DESTROY() mtx_destroy(&acq_lock) #define ACQ_LOCK() mtx_lock(&acq_lock) #define ACQ_UNLOCK() mtx_unlock(&acq_lock) #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED) +/* Hash table for lookup in ACQ list using SA addresses */ +static VNET_DEFINE(struct secacq_list *, acqaddrhashtbl); +static VNET_DEFINE(u_long, acqaddrhash_mask); +#define V_acqaddrhashtbl VNET(acqaddrhashtbl) +#define V_acqaddrhash_mask VNET(acqaddrhash_mask) + +/* Hash table for lookup in ACQ list using SEQ number */ +static VNET_DEFINE(struct secacq_list *, acqseqhashtbl); +static VNET_DEFINE(u_long, acqseqhash_mask); +#define V_acqseqhashtbl VNET(acqseqhashtbl) +#define V_acqseqhash_mask VNET(acqseqhash_mask) + +#define ACQHASH_NHASH_LOG2 7 +#define ACQHASH_NHASH (1 << ACQHASH_NHASH_LOG2) +#define ACQADDRHASH_HASHVAL(saidx) \ + (key_saidxhash(saidx) & V_acqaddrhash_mask) +#define ACQSEQHASH_HASHVAL(seq) \ + (key_u32hash(seq) & V_acqseqhash_mask) +#define ACQADDRHASH_HASH(saidx) \ + &V_acqaddrhashtbl[ACQADDRHASH_HASHVAL(saidx)] +#define ACQSEQHASH_HASH(seq) \ + &V_acqseqhashtbl[ACQSEQHASH_HASHVAL(seq)] /* SP acquiring list */ static VNET_DEFINE(LIST_HEAD(_spacqtree, secspacq), spacqtree); #define V_spacqtree VNET(spacqtree) 
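Review bot: ACQADDRHASH_HASH() and ACQSEQHASH_HASH() expand to a bare `&V_acqaddrhashtbl[...]` and `&V_acqseqhashtbl[...]`; please wrap the whole replacement text in parentheses, as the two *_HASHVAL() macros just above already do, so the macros stay safe inside larger expressions. A one-line comment saying that acq_lock protects the list and both hash tables would also help, since the three structures are now updated together.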
@@ -4270,13 +4294,16 @@ key_flush_acq(time_t now) /* ACQ tree */ ACQ_LOCK(); - for (acq = LIST_FIRST(&V_acqtree); acq != NULL; acq = nextacq) { + acq = LIST_FIRST(&V_acqtree); + while (acq != NULL) { nextacq = LIST_NEXT(acq, chain); - if (now - acq->created > V_key_blockacq_lifetime - && __LIST_CHAINED(acq)) { + if (now - acq->created > V_key_blockacq_lifetime) { LIST_REMOVE(acq, chain); + LIST_REMOVE(acq, addrhash); + LIST_REMOVE(acq, seqhash); free(acq, M_IPSEC_SAQ); } + acq = nextacq; } ACQ_UNLOCK(); } 
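Review bot: With the __LIST_CHAINED(acq) guard gone, key_flush_acq() calls LIST_REMOVE() on chain, addrhash and seqhash unconditionally, so it now depends on every secacq being linked on all three lists; that invariant deserves a comment here or next to the struct. The hand-rolled walk (`acq = LIST_FIRST(&V_acqtree); while (acq != NULL) { nextacq = LIST_NEXT(acq, chain); ...`) can be written as LIST_FOREACH_SAFE(acq, &V_acqtree, chain, nextacq).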
@@ -6021,34 +6048,122 @@ key_newacq(const struct secasindex *said return newacq; } -static struct secacq * -key_getacq(const struct secasindex *saidx) +static uint32_t +key_newacq(const struct secasindex *saidx, int *perror) { struct secacq *acq; + uint32_t seq; + acq = malloc(sizeof(*acq), M_IPSEC_SAQ, M_NOWAIT | M_ZERO); + if (acq == NULL) { + ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); + *perror = ENOBUFS; + return (0); + } + + /* copy secindex */ + bcopy(saidx, &acq->saidx, sizeof(acq->saidx)); + acq->created = time_second; + acq->count = 0; + + /* add to acqtree */ ACQ_LOCK(); - LIST_FOREACH(acq, &V_acqtree, chain) { - if (key_cmpsaidx(saidx, &acq->saidx, CMP_EXACTLY)) + seq = acq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq); + LIST_INSERT_HEAD(&V_acqtree, acq, chain); + LIST_INSERT_HEAD(ACQADDRHASH_HASH(saidx), acq, addrhash); + LIST_INSERT_HEAD(ACQSEQHASH_HASH(seq), acq, seqhash); + ACQ_UNLOCK(); + *perror = 0; + return (seq); +} + +static uint32_t +key_getacq(const struct secasindex *saidx, int *perror) +{ + struct secacq *acq; + uint32_t seq; + + ACQ_LOCK(); + LIST_FOREACH(acq, ACQADDRHASH_HASH(saidx), addrhash) { + if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY)) { + if (acq->count > V_key_blockacq_count) { + /* + * Reset counter and send message. + * Also reset created time to keep ACQ for + * this saidx. + */ + acq->created = time_second; + acq->count = 0; + seq = acq->seq; + } else { + /* + * Increment counter and do nothing. + * We send SADB_ACQUIRE message only + * for each V_key_blockacq_count packet. 
+ */ + acq->count++; + seq = 0; + } break; + } } ACQ_UNLOCK(); - - return acq; + if (acq != NULL) { + *perror = 0; + return (seq); + } + /* allocate new entry */ + return (key_newacq(saidx, perror)); } -static struct secacq * -key_getacqbyseq(u_int32_t seq) +static int +key_acqreset(uint32_t seq) { struct secacq *acq; ACQ_LOCK(); - LIST_FOREACH(acq, &V_acqtree, chain) { - if (acq->seq == seq) + LIST_FOREACH(acq, ACQSEQHASH_HASH(seq), seqhash) { + if (acq->seq == seq) { + acq->count = 0; + acq->created = time_second; break; + } } ACQ_UNLOCK(); + if (acq == NULL) + return (ESRCH); + return (0); +} +/* + * Mark ACQ entry as stale to remove it in key_flush_acq(). + * Called after successful SADB_GETSPI message. + */ +static int +key_acqdone(const struct secasindex *saidx, uint32_t seq) +{ + struct secacq *acq; - return acq; + ACQ_LOCK(); + LIST_FOREACH(acq, ACQSEQHASH_HASH(seq), seqhash) { + if (acq->seq == seq) + break; + } + if (acq != NULL) { + if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY) == 0) { + ipseclog((LOG_DEBUG, + "%s: Mismatched saidx for ACQ %u", __func__, seq)); + acq = NULL; + } else { + acq->created = 0; + } + } else { + ipseclog((LOG_DEBUG, + "%s: ACQ %u is not found.", __func__, seq)); + } + ACQ_UNLOCK(); + if (acq == NULL) + return (ESRCH); + return (0); } static struct secspacq * @@ -7285,11 +7400,15 @@ key_init(void) sizeof(uint64_t) * 2, NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_PCPU); - LIST_INIT(&V_sahtree); + TAILQ_INIT(&V_sahtree); V_sphashtbl = hashinit(SPHASH_NHASH, M_IPSEC_SP, &V_sphash_mask); V_savhashtbl = hashinit(SAVHASH_NHASH, M_IPSEC_SA, &V_savhash_mask); V_sahaddrhashtbl = hashinit(SAHHASH_NHASH, M_IPSEC_SAH, &V_sahaddrhash_mask); + V_acqaddrhashtbl = hashinit(ACQHASH_NHASH, M_IPSEC_SAQ, + &V_acqaddrhash_mask); + V_acqseqhashtbl = hashinit(ACQHASH_NHASH, M_IPSEC_SAQ, + &V_acqseqhash_mask); for (i = 0; i <= SADB_SATYPE_MAX; i++) LIST_INIT(&V_regtree[i]); 
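Review bot: In the added key_newacq(), `seq = acq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq);` never stores the wrapped value: once V_acq_seq reaches ~0 the expression yields 1 but leaves V_acq_seq at ~0, so every later entry is created with seq 1 and key_acqreset()/key_acqdone() can match the wrong entry in the seqhash bucket. Assign the restart value back to V_acq_seq. Two further points in the same hunk: key_getacq() drops ACQ_LOCK() before calling key_newacq(), which takes the lock again without repeating the lookup, so two threads can insert duplicate entries for one saidx; and the two ipseclog() strings in key_acqdone() lack the trailing "\n" that the other messages carry.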
@@ -7370,12 +7489,12 @@ key_destroy(void) REGTREE_UNLOCK(); ACQ_LOCK(); - for (acq = LIST_FIRST(&V_acqtree); acq != NULL; acq = nextacq) { + acq = LIST_FIRST(&V_acqtree); + while (acq != NULL) { nextacq = LIST_NEXT(acq, chain); - if (__LIST_CHAINED(acq)) { - LIST_REMOVE(acq, chain); - free(acq, M_IPSEC_SAQ); - } + LIST_REMOVE(acq, chain); + free(acq, M_IPSEC_SAQ); + acq = nextacq; } ACQ_UNLOCK(); @@ -7389,6 +7508,8 @@ key_destroy(void) } } SPACQ_UNLOCK(); + hashdestroy(V_acqaddrhashtbl, M_IPSEC_SAQ, V_acqaddrhash_mask); + hashdestroy(V_acqseqhashtbl, M_IPSEC_SAQ, V_acqseqhash_mask); uma_zdestroy(V_key_lft_zone); } #endif From owner-svn-src-projects@freebsd.org Wed Nov 23 09:11:38 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B8800C512E2 for ; Wed, 23 Nov 2016 09:11:38 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 92F009E1; Wed, 23 Nov 2016 09:11:38 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN9BbeI039354; Wed, 23 Nov 2016 09:11:37 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN9Bbfv039353; Wed, 23 Nov 2016 09:11:37 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230911.uAN9Bbfv039353@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
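Review bot: key_destroy() (r309040) now frees each secacq after only LIST_REMOVE(acq, chain), whereas key_flush_acq() in this same commit also removes the entry from addrhash and seqhash. The buckets of V_acqaddrhashtbl and V_acqseqhashtbl are therefore left pointing at freed memory when hashdestroy() is called a few lines later, and hashdestroy() asserts that every bucket is empty on INVARIANTS kernels. Add the two missing LIST_REMOVE() calls to the loop before free(acq, M_IPSEC_SAQ).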
From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 09:11:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309043 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 09:11:38 -0000 Author: ae Date: Wed Nov 23 09:11:37 2016 New Revision: 309043 URL: https://svnweb.freebsd.org/changeset/base/309043 Log: Update key_acquire() and key_acquire2() to reflect changes in SADB. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 09:10:45 2016 (r309042) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 09:11:37 2016 (r309043) @@ -5805,11 +5805,10 @@ key_acquire(const struct secasindex *sai { union sockaddr_union addr; struct mbuf *result, *m; - struct secacq *newacq; - u_int32_t seq; + uint32_t seq; int error; - u_int16_t ul_proto; - u_int8_t mask, satype; + uint16_t ul_proto; + uint8_t mask, satype; IPSEC_ASSERT(saidx != NULL, ("null saidx")); satype = key_proto2satype(saidx->proto); 
@@ -5818,30 +5817,12 @@ key_acquire(const struct secasindex *sai error = -1; result = NULL; ul_proto = IPSEC_ULPROTO_ANY; - /* - * We never do anything about acquirng SA. There is anather - * solution that kernel blocks to send SADB_ACQUIRE message until - * getting something message from IKEd. In later case, to be - * managed with ACQUIRING list. - */ - /* Get an entry to check whether sending message or not. */ - if ((newacq = key_getacq(saidx)) != NULL) { - if (V_key_blockacq_count < newacq->count) { - /* reset counter and do send message. */ - newacq->count = 0; - } else { - /* increment counter and do nothing. */ - newacq->count++; - return 0; - } - } else { - /* make new entry for blocking to send SADB_ACQUIRE. */ - if ((newacq = key_newacq(saidx)) == NULL) - return ENOBUFS; - } + /* Get seq number to check whether sending message or not. */ + seq = key_getacq(saidx, &error); + if (seq == 0) + return (error); - seq = newacq->seq; m = key_setsadbmsg(SADB_ACQUIRE, 0, satype, seq, 0, 0); if (!m) { error = ENOBUFS; @@ -5858,7 +5839,11 @@ key_acquire(const struct secasindex *sai * set sadb_address for saidx's. * * Note that if sp is supplied, then we're being called from - * key_checkrequest and should supply port and protocol information. + * key_allocsa_policy() and should supply port and protocol + * information. + * XXXAE: why only TCP and UDP? ICMP and SCTP looks applicable too. + * XXXAE: probably we can handle this in the ipsec[46]_allocsa(). + * XXXAE: it looks like we should save this info in the ACQ entry. */ if (sp != NULL && (sp->spidx.ul_proto == IPPROTO_TCP || sp->spidx.ul_proto == IPPROTO_UDP)) @@ -5876,7 +5861,8 @@ key_acquire(const struct secasindex *sai break; case AF_INET6: if (sp->spidx.src.sin6.sin6_port != IPSEC_PORT_ANY) { - addr.sin6.sin6_port = sp->spidx.src.sin6.sin6_port; + addr.sin6.sin6_port = + sp->spidx.src.sin6.sin6_port; mask = sp->spidx.prefs; } break; 
@@ -5903,7 +5889,8 @@ key_acquire(const struct secasindex *sai break; case AF_INET6: if (sp->spidx.dst.sin6.sin6_port != IPSEC_PORT_ANY) { - addr.sin6.sin6_port = sp->spidx.dst.sin6.sin6_port; + addr.sin6.sin6_port = + sp->spidx.dst.sin6.sin6_port; mask = sp->spidx.prefd; } break; @@ -5921,8 +5908,9 @@ key_acquire(const struct secasindex *sai /* XXX proxy address (optional) */ /* set sadb_x_policy */ - if (sp) { - m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id, sp->priority); + if (sp != NULL) { + m = key_setsadbxpolicy(sp->policy, sp->spidx.dir, sp->id, + sp->priority); if (!m) { error = ENOBUFS; goto fail; @@ -6014,6 +6002,10 @@ key_acquire(const struct secasindex *sai mtod(result, struct sadb_msg *)->sadb_msg_len = PFKEY_UNIT64(result->m_pkthdr.len); + KEYDBG(KEY_STAMP, + printf("%s: SP(%p)\n", __func__, sp)); + KEYDBG(KEY_DATA, kdebug_secasindex(saidx, NULL)); + return key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED); fail: @@ -6225,11 +6217,13 @@ key_getspacq(struct secpolicyindex *spid static int key_acquire2(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { - const struct sadb_address *src0, *dst0; + SAHTREE_RLOCK_TRACKER; + struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *sah; - u_int16_t proto; + uint32_t reqid; int error; + uint8_t mode, proto; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); 
@@ -6243,30 +6237,23 @@ key_acquire2(struct socket *so, struct m * We do not raise error even if error occurred in this function. */ if (mhp->msg->sadb_msg_len == PFKEY_UNIT64(sizeof(struct sadb_msg))) { - struct secacq *acq; - /* check sequence number */ - if (mhp->msg->sadb_msg_seq == 0) { + if (mhp->msg->sadb_msg_seq == 0 || + mhp->msg->sadb_msg_errno == 0) { ipseclog((LOG_DEBUG, "%s: must specify sequence " - "number.\n", __func__)); - m_freem(m); - return 0; - } - - if ((acq = key_getacqbyseq(mhp->msg->sadb_msg_seq)) == NULL) { + "number and errno.\n", __func__)); + } else { /* - * the specified larval SA is already gone, or we got - * a bogus sequence number. we can silently ignore it. + * IKEd reported that error occurred. + * XXXAE: what it expects from the kernel? + * Probably we should send SADB_ACQUIRE again? + * If so, reset ACQ's state. + * XXXAE: it looks useless. */ - m_freem(m); - return 0; + key_acqreset(mhp->msg->sadb_msg_seq); } - - /* reset acq counter in order to deletion by timehander. */ - acq->created = time_second; - acq->count = 0; m_freem(m); - return 0; + return (0); } /* 
@@ -6276,33 +6263,52 @@ key_acquire2(struct socket *so, struct m /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", - __func__)); + __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || - mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || - mhp->ext[SADB_EXT_PROPOSAL] == NULL) { - /* error */ - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) || + SADB_CHECKHDR(mhp, SADB_EXT_PROPOSAL)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: missing required header.\n", + __func__)); return key_senderror(so, m, EINVAL); } - if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || - mhp->extlen[SADB_EXT_PROPOSAL] < sizeof(struct sadb_prop)) { - /* error */ - ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n", - __func__)); + if (SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) || + SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST) || + SADB_CHECKLEN(mhp, SADB_EXT_PROPOSAL)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", __func__)); return key_senderror(so, m, EINVAL); } + if (SADB_CHECKHDR(mhp, SADB_X_EXT_SA2)) { + mode = IPSEC_MODE_ANY; + reqid = 0; + } else { + if (SADB_CHECKLEN(mhp, SADB_X_EXT_SA2)) { + ipseclog((LOG_DEBUG, + "%s: invalid message: wrong header size.\n", + __func__)); + return key_senderror(so, m, EINVAL); + } + mode = ((struct sadb_x_sa2 *) + mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_mode; + reqid = ((struct sadb_x_sa2 *) + mhp->ext[SADB_X_EXT_SA2])->sadb_x_sa2_reqid; + } + src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; - /* XXX boundary check against sa_len */ - KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); - + error = 
key_checksockaddrs((struct sockaddr *)(src0 + 1), + (struct sockaddr *)(dst0 + 1)); + if (error != 0) { + ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__)); + return key_senderror(so, m, EINVAL); + } + KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); /* * Make sure the port numbers are zero. * In case of NAT-T we will update them later if needed. @@ -6310,45 +6316,13 @@ key_acquire2(struct socket *so, struct m KEY_PORTTOSADDR(&saidx.src, 0); KEY_PORTTOSADDR(&saidx.dst, 0); -#ifndef IPSEC_NAT_T - /* - * Handle NAT-T info if present. - */ - - if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL && - mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) { - struct sadb_x_nat_t_port *sport, *dport; - - if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) || - mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) { - ipseclog((LOG_DEBUG, "%s: invalid message.\n", - __func__)); - return key_senderror(so, m, EINVAL); - } - - sport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_SPORT]; - dport = (struct sadb_x_nat_t_port *) - mhp->ext[SADB_X_EXT_NAT_T_DPORT]; - - if (sport) - KEY_PORTTOSADDR(&saidx.src, - sport->sadb_x_nat_t_port_port); - if (dport) - KEY_PORTTOSADDR(&saidx.dst, - dport->sadb_x_nat_t_port_port); - } -#endif - /* get a SA index */ - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - if (sah->state == SADB_SASTATE_DEAD) - continue; + SAHTREE_RLOCK(); + LIST_FOREACH(sah, SAHADDRHASH_HASH(&saidx), addrhash) { if (key_cmpsaidx(&sah->saidx, &saidx, CMP_MODE_REQID)) break; } - SAHTREE_UNLOCK(); + SAHTREE_RUNLOCK(); if (sah != NULL) { ipseclog((LOG_DEBUG, "%s: a SA exists already.\n", __func__)); return key_senderror(so, m, EEXIST); 
@@ -6356,14 +6330,14 @@ key_acquire2(struct socket *so, struct m error = key_acquire(&saidx, NULL); if (error != 0) { - ipseclog((LOG_DEBUG, "%s: error %d returned from key_acquire\n", - __func__, mhp->msg->sadb_msg_errno)); + ipseclog((LOG_DEBUG, + "%s: error %d returned from key_acquire()\n", + __func__, error)); return key_senderror(so, m, error); } - - return key_sendup_mbuf(so, m, KEY_SENDUP_REGISTERED); + m_freem(m); + return (0); } - /* * SADB_REGISTER processing. * If SATYPE_UNSPEC has been passed as satype, only return sabd_supported. From owner-svn-src-projects@freebsd.org Wed Nov 23 09:18:14 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 40263C514DA for ; Wed, 23 Nov 2016 09:18:14 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ED05BD7E; Wed, 23 Nov 2016 09:18:13 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN9IDJw040978; Wed, 23 Nov 2016 09:18:13 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN9IDCv040977; Wed, 23 Nov 2016 09:18:13 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230918.uAN9IDCv040977@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
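Review bot: in key_acquire(), the hunk at -5818 returns `error` whenever key_getacq() yields seq == 0, but `error` is still set to -1 in the context lines just above the call, so the result depends on key_getacq() always storing a value through its second argument. The removed code returned 0 when an ACQUIRE was suppressed and ENOBUFS when no entry could be allocated; add a comment at the call site saying that key_getacq() reports both cases through *error, or set error to 0 before the call, so that a stray -1 cannot reach the callers.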
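Review bot: in the short-message branch of key_acquire2() (hunk at -6243), key_acqreset() is called with a sequence number taken directly from the message, while the added XXXAE comments say it is unclear what the daemon expects from the kernel and that the call "looks useless". Settle that before this goes further: either document what key_acqreset() does when no ACQ entry matches the sequence number, or drop the call and keep only the log message. The debug text "must specify sequence number and errno" is also printed when only one of the two is zero, so it could say which field was missing.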
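Review bot: in key_acquire2() (hunk at -6276), the `/* XXX boundary check against sa_len */` marker is replaced by a key_checksockaddrs() call, yet the only length checks visible in the hunk are SADB_CHECKLEN() on the extension headers. Please state in a comment which check guarantees that the sockaddr following each sadb_address lies inside that extension before `src0 + 1` and `dst0 + 1` are read. Two smaller points in the same hunk: the value stored in `error` is discarded and EINVAL is always sent, and SADB_CHECKHDR()/SADB_CHECKLEN() evaluate true on failure, which reads backwards at the call sites and deserves a one-line note where the macros are defined.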
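Review bot: in key_acquire2() (hunk at -6310), the NAT-T port block is deleted but the comment "In case of NAT-T we will update them later if needed." stays directly above the two KEY_PORTTOSADDR(..., 0) calls. Nothing in the visible remainder of the function updates the ports any more, so reword the comment to say the ports are deliberately zero for the SAH lookup, or name the place where they are now filled in. The lookup loop in the same hunk also drops the `sah->state == SADB_SASTATE_DEAD` skip; a short comment that dead SAHs are never reachable through SAHADDRHASH_HASH() would make that safe to read.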
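Review bot: the last key_acquire2() hunk (at -6356) changes the success path from key_sendup_mbuf(so, m, KEY_SENDUP_REGISTERED) to m_freem(m) followed by return (0), so the request is no longer echoed to registered sockets, and the commit log only says the function was updated "to reflect changes in SADB". This is a change in behaviour visible over PF_KEY and should be stated in the log and in the function's header comment. Switching the logged value from mhp->msg->sadb_msg_errno to `error` is correct.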
From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 09:18:13 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309044 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 09:18:14 -0000 Author: ae Date: Wed Nov 23 09:18:12 2016 New Revision: 309044 URL: https://svnweb.freebsd.org/changeset/base/309044 Log: Update key_expire() to correctly read current lifetime counters. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 09:11:37 2016 (r309043) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 09:18:12 2016 (r309044) @@ -6543,15 +6543,18 @@ key_freereg(struct socket *so) static int key_expire(struct secasvar *sav, int hard) { - int satype; struct mbuf *result = NULL, *m; - int len; - int error = -1; struct sadb_lifetime *lt; + int error, len; + uint8_t satype; IPSEC_ASSERT (sav != NULL, ("null sav")); IPSEC_ASSERT (sav->sah != NULL, ("null sa header")); + KEYDBG(KEY_STAMP, + printf("%s: SA(%p) expired %s lifetime\n", __func__, + sav, hard ? "hard": "soft")); + KEYDBG(KEY_DATA, kdebug_secasv(sav)); /* set msg header */ satype = key_proto2satype(sav->sah->saidx.proto); IPSEC_ASSERT(satype != 0, ("invalid proto, satype %u", satype)); 
@@ -6593,10 +6596,12 @@ key_expire(struct secasvar *sav, int har lt = mtod(m, struct sadb_lifetime *); lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; - lt->sadb_lifetime_allocations = sav->lft_c->allocations; - lt->sadb_lifetime_bytes = sav->lft_c->bytes; - lt->sadb_lifetime_addtime = sav->lft_c->addtime; - lt->sadb_lifetime_usetime = sav->lft_c->usetime; + lt->sadb_lifetime_allocations = + (uint32_t)counter_u64_fetch(sav->lft_c_allocations); + lt->sadb_lifetime_bytes = + counter_u64_fetch(sav->lft_c_bytes); + lt->sadb_lifetime_addtime = sav->created; + lt->sadb_lifetime_usetime = sav->firstused; lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); if (hard) { From owner-svn-src-projects@freebsd.org Wed Nov 23 09:54:29 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A38ACC51D30 for ; Wed, 23 Nov 2016 09:54:29 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7E1093A0; Wed, 23 Nov 2016 09:54:29 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN9sSma056949; Wed, 23 Nov 2016 09:54:28 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN9sSr3056948; Wed, 23 Nov 2016 09:54:28 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611230954.uAN9sSr3056948@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
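Review bot: in key_expire() (hunk at -6543), `int error = -1;` becomes `int error, len;`, leaving `error` without an initial value. Check that every path reaching the `fail:` label assigns it first, or keep an initialiser, since the function ends with `return error;`.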
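Review bot: in key_expire() (hunk at -6593), `(uint32_t)counter_u64_fetch(sav->lft_c_allocations)` silently truncates a 64-bit counter into the 32-bit sadb_lifetime_allocations field, so a long-lived SA would report a wrapped packet count in SADB_EXPIRE. Either saturate at UINT32_MAX or add a comment that wrap-around is accepted. It would also help to note next to `lt->sadb_lifetime_usetime = sav->firstused;` that the value is 0 for an SA that has never carried traffic.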
From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 09:54:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309049 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 09:54:29 -0000 Author: ae Date: Wed Nov 23 09:54:28 2016 New Revision: 309049 URL: https://svnweb.freebsd.org/changeset/base/309049 Log: Rework key_flush(). With acquired SAHTREE_WLOCK move all specified objects into flushq, then use new key_freesah_flushed() function to properly release all objects with SAHTREE_WLOCK released. Use the same algorithm in the key_destroy(). Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 09:38:10 2016 (r309048) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 09:54:28 2016 (r309049) 
@@ -6671,6 +6671,36 @@ key_expire(struct secasvar *sav, int har return error; } +static void +key_freesah_flushed(struct secashead_queue *flushq) +{ + struct secashead *sah, *nextsah; + struct secasvar *sav, *nextsav; + + sah = TAILQ_FIRST(flushq); + while (sah != NULL) { + sav = TAILQ_FIRST(&sah->savtree_larval); + while (sav != NULL) { + nextsav = TAILQ_NEXT(sav, chain); + TAILQ_REMOVE(&sah->savtree_larval, sav, chain); + key_freesav(&sav); /* release last reference */ + key_freesah(&sah); /* release reference from SAV */ + sav = nextsav; + } + sav = TAILQ_FIRST(&sah->savtree_alive); + while (sav != NULL) { + nextsav = TAILQ_NEXT(sav, chain); + TAILQ_REMOVE(&sah->savtree_alive, sav, chain); + key_freesav(&sav); /* release last reference */ + key_freesah(&sah); /* release reference from SAV */ + sav = nextsav; + } + nextsah = TAILQ_NEXT(sah, chain); + key_freesah(&sah); /* release last reference */ + sah = nextsah; + } +} + /* * SADB_FLUSH processing * receive @@ -6686,12 +6716,12 @@ key_expire(struct secasvar *sav, int har static int key_flush(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { + struct secashead_queue flushq; struct sadb_msg *newmsg; struct secashead *sah, *nextsah; - struct secasvar *sav, *nextsav; - u_int16_t proto; - u_int8_t state; - u_int stateidx; + struct secasvar *sav; + uint8_t proto; + int i; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(mhp != NULL, ("null msghdr")); 
@@ -6703,37 +6733,71 @@ key_flush(struct socket *so, struct mbuf __func__)); return key_senderror(so, m, EINVAL); } + KEYDBG(KEY_STAMP, + printf("%s: proto %u\n", __func__, proto)); - /* no SATYPE specified, i.e. flushing all SA. */ - SAHTREE_LOCK(); - for (sah = LIST_FIRST(&V_sahtree); - sah != NULL; - sah = nextsah) { - nextsah = LIST_NEXT(sah, chain); - - if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC - && proto != sah->saidx.proto) - continue; - - for (stateidx = 0; - stateidx < _ARRAYLEN(saorder_state_alive); - stateidx++) { - state = saorder_state_any[stateidx]; - for (sav = LIST_FIRST(&sah->savtree[state]); - sav != NULL; - sav = nextsav) { - - nextsav = LIST_NEXT(sav, chain); - - key_sa_chgstate(sav, SADB_SASTATE_DEAD); - KEY_FREESAV(&sav); + TAILQ_INIT(&flushq); + if (proto == IPSEC_PROTO_ANY) { + /* no SATYPE specified, i.e. flushing all SA. */ + SAHTREE_WLOCK(); + /* Move all SAHs into flushq */ + TAILQ_CONCAT(&flushq, &V_sahtree, chain); + /* Flush all buckets in SPI hash */ + for (i = 0; i < V_savhash_mask + 1; i++) + LIST_INIT(&V_savhashtbl[i]); + /* Flush all buckets in SAHADDRHASH */ + for (i = 0; i < V_sahaddrhash_mask + 1; i++) + LIST_INIT(&V_sahaddrhashtbl[i]); + /* Mark all SAHs as unlinked */ + TAILQ_FOREACH(sah, &flushq, chain) { + sah->state = SADB_SASTATE_DEAD; + /* + * Callout handler makes its job using + * RLOCK and drain queues. In case, when this + * function will be called just before it + * acquires WLOCK, we need to mark SAs as + * unlinked to prevent second unlink. 
+ */ + TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { + sav->state = SADB_SASTATE_DEAD; + } + TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { + sav->state = SADB_SASTATE_DEAD; } } - - sah->state = SADB_SASTATE_DEAD; + SAHTREE_WUNLOCK(); + } else { + SAHTREE_WLOCK(); + sah = TAILQ_FIRST(&V_sahtree); + while (sah != NULL) { + IPSEC_ASSERT(sah->state != SADB_SASTATE_DEAD, + ("DEAD SAH %p in SADB_FLUSH", sah)); + nextsah = TAILQ_NEXT(sah, chain); + if (sah->saidx.proto != proto) { + sah = nextsah; + continue; + } + sah->state = SADB_SASTATE_DEAD; + TAILQ_REMOVE(&V_sahtree, sah, chain); + LIST_REMOVE(sah, addrhash); + /* Unlink all SAs from SPI hash */ + TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { + LIST_REMOVE(sav, spihash); + sav->state = SADB_SASTATE_DEAD; + } + TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { + LIST_REMOVE(sav, spihash); + sav->state = SADB_SASTATE_DEAD; + } + /* Add SAH into flushq */ + TAILQ_INSERT_HEAD(&flushq, sah, chain); + sah = nextsah; + } + SAHTREE_WUNLOCK(); } - SAHTREE_UNLOCK(); + key_freesah_flushed(&flushq); + /* Free all queued SAs and SAHs */ if (m->m_len < sizeof(struct sadb_msg) || sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); @@ -7420,6 +7484,7 @@ key_init(void) void key_destroy(void) { + struct secashead_queue sahdrainq; struct secpolicy_queue drainq; struct secpolicy *sp, *nextsp; struct secacq *acq, *nextacq; @@ -7428,6 +7493,10 @@ key_destroy(void) struct secreg *reg; int i; + /* + * XXX: can we just call free() for each object without + * walking through safe way with releasing references? + */ TAILQ_INIT(&drainq); SPTREE_WLOCK(); for (i = 0; i < IPSEC_DIR_MAX; i++) { 
@@ -7441,16 +7510,25 @@ key_destroy(void) sp = nextsp; } - SAHTREE_LOCK(); - for (sah = LIST_FIRST(&V_sahtree); sah != NULL; sah = nextsah) { - nextsah = LIST_NEXT(sah, chain); - if (__LIST_CHAINED(sah)) { - LIST_REMOVE(sah, chain); - free(sah, M_IPSEC_SAH); + TAILQ_INIT(&sahdrainq); + SAHTREE_WLOCK(); + TAILQ_CONCAT(&sahdrainq, &V_sahtree, chain); + for (i = 0; i < V_savhash_mask + 1; i++) + LIST_INIT(&V_savhashtbl[i]); + for (i = 0; i < V_sahaddrhash_mask + 1; i++) + LIST_INIT(&V_sahaddrhashtbl[i]); + TAILQ_FOREACH(sah, &sahdrainq, chain) { + sah->state = SADB_SASTATE_DEAD; + TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { + sav->state = SADB_SASTATE_DEAD; + } + TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { + sav->state = SADB_SASTATE_DEAD; } } - SAHTREE_UNLOCK(); + SAHTREE_WUNLOCK(); + key_freesah_flushed(&sahdrainq); hashdestroy(V_sphashtbl, M_IPSEC_SP, V_sphash_mask); hashdestroy(V_savhashtbl, M_IPSEC_SA, V_savhash_mask); hashdestroy(V_sahaddrhashtbl, M_IPSEC_SAH, V_sahaddrhash_mask); From owner-svn-src-projects@freebsd.org Wed Nov 23 10:11:17 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 109F2C4F2C8 for ; Wed, 23 Nov 2016 10:11:17 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D6D41FF7; Wed, 23 Nov 2016 10:11:16 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uANABFwW063642; Wed, 23 Nov 2016 10:11:15 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uANABFY2063641; Wed, 23 Nov 2016 10:11:15 GMT (envelope-from 
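Review bot: in key_freesah_flushed() (hunk at -6671), both inner loops call key_freesah(&sah) once per SAV and then go on to use `sah` (`&sah->savtree_alive`, `TAILQ_NEXT(sah, chain)`), which is only valid if the queue's own reference is always the last one released. That ordering is implied by the "release reference from SAV" and "release last reference" comments but nothing enforces it; add an assertion or a comment on the expected reference count at entry. The two loops are identical apart from the list head and could be one helper using TAILQ_FOREACH_SAFE.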
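Review bot: in key_flush() (hunk at -6703), the comment `/* Free all queued SAs and SAHs */` is placed after the `key_freesah_flushed(&flushq);` call it describes and should move above it. In the IPSEC_PROTO_ANY branch the SAVs are never individually removed from the SPI hash; the buckets are reset with LIST_INIT() instead, which leaves each sav's `spihash` linkage pointing at stale neighbours. The block comment explains the DEAD marking for the callout race, but it should also say that DEAD is what keeps any later code from calling LIST_REMOVE() on those entries.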
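Review bot: in key_destroy() (hunk at -7441), the drain sequence (TAILQ_CONCAT of V_sahtree, LIST_INIT over both hash tables, marking every SAH and SAV as SADB_SASTATE_DEAD) is a line-for-line copy of the flush-all branch added to key_flush() in the same commit. Move it into one static helper that takes the target queue, so the two copies cannot drift apart. The new "XXX: can we just call free() ..." comment in the preceding hunk should be answered or removed before merge.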
ae@FreeBSD.org) Message-Id: <201611231011.uANABFY2063641@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 10:11:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309050 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 10:11:17 -0000 Author: ae Date: Wed Nov 23 10:11:15 2016 New Revision: 309050 URL: https://svnweb.freebsd.org/changeset/base/309050 Log: Update key_dump() to reflect changes in SADB. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 09:54:28 2016 (r309049) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 10:11:15 2016 (r309050) @@ -6830,15 +6830,13 @@ key_flush(struct socket *so, struct mbuf static int key_dump(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) { + SAHTREE_RLOCK_TRACKER; struct secashead *sah; struct secasvar *sav; - u_int16_t proto; - u_int stateidx; - u_int8_t satype; - u_int8_t state; - int cnt; struct sadb_msg *newmsg; struct mbuf *n; + uint32_t cnt; + uint8_t proto, satype; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); 
@@ -6848,69 +6846,66 @@ key_dump(struct socket *so, struct mbuf /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n", - __func__)); + __func__)); return key_senderror(so, m, EINVAL); } /* count sav entries to be sent to the userland. */ cnt = 0; - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC - && proto != sah->saidx.proto) + SAHTREE_RLOCK(); + TAILQ_FOREACH(sah, &V_sahtree, chain) { + if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC && + proto != sah->saidx.proto) continue; - for (stateidx = 0; - stateidx < _ARRAYLEN(saorder_state_any); - stateidx++) { - state = saorder_state_any[stateidx]; - LIST_FOREACH(sav, &sah->savtree[state], chain) { - cnt++; - } - } + TAILQ_FOREACH(sav, &sah->savtree_larval, chain) + cnt++; + TAILQ_FOREACH(sav, &sah->savtree_alive, chain) + cnt++; } if (cnt == 0) { - SAHTREE_UNLOCK(); + SAHTREE_RUNLOCK(); return key_senderror(so, m, ENOENT); } /* send this to the userland, one at a time. 
*/ newmsg = NULL; - LIST_FOREACH(sah, &V_sahtree, chain) { - if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC - && proto != sah->saidx.proto) + TAILQ_FOREACH(sah, &V_sahtree, chain) { + if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC && + proto != sah->saidx.proto) continue; /* map proto to satype */ if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { - SAHTREE_UNLOCK(); + SAHTREE_RUNLOCK(); ipseclog((LOG_DEBUG, "%s: there was invalid proto in " - "SAD.\n", __func__)); + "SAD.\n", __func__)); return key_senderror(so, m, EINVAL); } - - for (stateidx = 0; - stateidx < _ARRAYLEN(saorder_state_any); - stateidx++) { - state = saorder_state_any[stateidx]; - LIST_FOREACH(sav, &sah->savtree[state], chain) { - n = key_setdumpsa(sav, SADB_DUMP, satype, - --cnt, mhp->msg->sadb_msg_pid); - if (!n) { - SAHTREE_UNLOCK(); - return key_senderror(so, m, ENOBUFS); - } - key_sendup_mbuf(so, n, KEY_SENDUP_ONE); + TAILQ_FOREACH(sav, &sah->savtree_larval, chain) { + n = key_setdumpsa(sav, SADB_DUMP, satype, + --cnt, mhp->msg->sadb_msg_pid); + if (n == NULL) { + SAHTREE_RUNLOCK(); + return key_senderror(so, m, ENOBUFS); + } + key_sendup_mbuf(so, n, KEY_SENDUP_ONE); + } + TAILQ_FOREACH(sav, &sah->savtree_alive, chain) { + n = key_setdumpsa(sav, SADB_DUMP, satype, + --cnt, mhp->msg->sadb_msg_pid); + if (n == NULL) { + SAHTREE_RUNLOCK(); + return key_senderror(so, m, ENOBUFS); } + key_sendup_mbuf(so, n, KEY_SENDUP_ONE); } } - SAHTREE_UNLOCK(); - + SAHTREE_RUNLOCK(); m_freem(m); - return 0; + return (0); } - /* * SADB_X_PROMISC processing * From owner-svn-src-projects@freebsd.org Wed Nov 23 11:03:24 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ADA56C50610 for ; Wed, 23 Nov 2016 11:03:24 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using 
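Review bot: in key_dump() (hunk at -6848), the return value of `key_sendup_mbuf(so, n, KEY_SENDUP_ONE)` is ignored in both the larval and the alive loop, so a delivery failure part-way through leaves the listener with a truncated dump and no error, while the `--cnt` sequence numbers already sent promised more records. Check the result and stop with an error, or document that the dump is best effort. The larval and alive loops are duplicates in both the counting and the sending pass; a small helper taking the list head would keep the count and the send in step. A comment that every return path must drop SAHTREE_RLOCK would also help, since the function now has four unlock sites.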
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 65AC6E1; Wed, 23 Nov 2016 11:03:24 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uANB3NCB085159; Wed, 23 Nov 2016 11:03:23 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uANB3NFV085158; Wed, 23 Nov 2016 11:03:23 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611231103.uANB3NFV085158@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 11:03:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309052 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 11:03:24 -0000 Author: ae Date: Wed Nov 23 11:03:23 2016 New Revision: 309052 URL: https://svnweb.freebsd.org/changeset/base/309052 Log: Update key_sa_recordxfer() to use PCPU counters. NOTE: previously CURRENT usetime was updated every time, when key_sa_recordxfer() is invoked. RFC 2367 says: sadb_lifetime_usetime For CURRENT, the time, in seconds, when association was first used. For HARD and SOFT, the number of seconds after the first use of the association until it expires. Rename usetime into firstused and update it only once. Also, now it is possible to check SA expiration using difference between SOFT/HARD usetime and CURRENT firstused (this is already done in key_flush_sad). Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 10:52:19 2016 (r309051) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 11:03:23 2016 (r309052) 
@@ -7591,23 +7591,19 @@ key_sa_recordxfer(struct secasvar *sav, { IPSEC_ASSERT(sav != NULL, ("Null secasvar")); IPSEC_ASSERT(m != NULL, ("Null mbuf")); - if (!sav->lft_c) - return; /* * XXX Currently, there is a difference of bytes size * between inbound and outbound processing. */ - sav->lft_c->bytes += m->m_pkthdr.len; - /* to check bytes lifetime is done in key_timehandler(). */ + counter_u64_add(sav->lft_c_bytes, m->m_pkthdr.len); /* * We use the number of packets as the unit of * allocations. We increment the variable * whenever {esp,ah}_{in,out}put is called. */ - sav->lft_c->allocations++; - /* XXX check for expires? */ + counter_u64_add(sav->lft_c_allocations, 1); /* * NOTE: We record CURRENT usetime by using wall clock, 
@@ -7620,10 +7616,8 @@ key_sa_recordxfer(struct secasvar *sav, * <--------------> HARD * <-----> SOFT */ - sav->lft_c->usetime = time_second; - /* XXX check for expires? */ - - return; + if (sav->firstused == 0) + sav->firstused = time_second; } static void From owner-svn-src-projects@freebsd.org Wed Nov 23 11:32:58 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6342DC50168 for ; Wed, 23 Nov 2016 11:32:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 252019C7; Wed, 23 Nov 2016 11:32:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uANBWvda097501; Wed, 23 Nov 2016 11:32:57 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uANBWvqJ097500; Wed, 23 Nov 2016 11:32:57 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611231132.uANBWvqJ097500@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
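Review bot: in key_sa_recordxfer() (hunk at -7591), the `if (!sav->lft_c) return;` guard is removed and `sav->lft_c_bytes` and `sav->lft_c_allocations` are now passed to counter_u64_add() unconditionally. Add IPSEC_ASSERT() checks that both counters are non-NULL, next to the existing asserts on `sav` and `m`, so that an SA created without its counters is caught at the assert and not inside the counter code. The removed comment about the bytes lifetime being checked in key_timehandler() was useful; keep a pointer to wherever expiry is evaluated now.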
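Review bot: in key_sa_recordxfer() (hunk at -7620), `if (sav->firstused == 0) sav->firstused = time_second;` is a plain check-then-store with no lock visible, in a function that has just been converted to per-CPU counters so it can run concurrently. Two CPUs can both see 0 and both store; the values will normally be equal, but say so in a comment or use an atomic compare-and-set so the "update it only once" claim in the log actually holds. The block comment above still reads "We record CURRENT usetime by using wall clock" and should be updated to the new field name.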
From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 11:32:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309054 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 11:32:58 -0000 Author: ae Date: Wed Nov 23 11:32:57 2016 New Revision: 309054 URL: https://svnweb.freebsd.org/changeset/base/309054 Log: GC now unused functions, variables and macros. Update function declarations. Modified: projects/ipsec/sys/netipsec/key.c Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Wed Nov 23 11:30:40 2016 (r309053) +++ projects/ipsec/sys/netipsec/key.c Wed Nov 23 11:32:57 2016 (r309054) @@ -311,22 +311,6 @@ static struct mtx spacq_lock; #define SPACQ_UNLOCK() mtx_unlock(&spacq_lock) #define SPACQ_LOCK_ASSERT() mtx_assert(&spacq_lock, MA_OWNED) -/* search order for SAs */ -static const u_int saorder_state_valid_prefer_old[] = { - SADB_SASTATE_DYING, SADB_SASTATE_MATURE, -}; -static const u_int saorder_state_valid_prefer_new[] = { - SADB_SASTATE_MATURE, SADB_SASTATE_DYING, -}; -static const u_int saorder_state_alive[] = { - /* except DEAD */ - SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL -}; -static const u_int saorder_state_any[] = { - SADB_SASTATE_MATURE, SADB_SASTATE_DYING, - SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD -}; - static const int minsize[] = { sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ sizeof(struct sadb_sa), /* SADB_EXT_SA */ 
@@ -450,35 +434,6 @@ SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLD #define __LIST_CHAINED(elm) \ (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) -#define LIST_INSERT_TAIL(head, elm, type, field) \ -do {\ - struct type *curelm = LIST_FIRST(head); \ - if (curelm == NULL) {\ - LIST_INSERT_HEAD(head, elm, field); \ - } else { \ - while (LIST_NEXT(curelm, field)) \ - curelm = LIST_NEXT(curelm, field);\ - LIST_INSERT_AFTER(curelm, elm, field);\ - }\ -} while (0) - -#define KEY_CHKSASTATE(head, sav, name) \ -do { \ - if ((head) != (sav)) { \ - ipseclog((LOG_DEBUG, "%s: state mismatched (TREE=%d SA=%d)\n", \ - (name), (head), (sav))); \ - break; \ - } \ -} while (0) - -#define KEY_CHKSPDIR(head, sp, name) \ -do { \ - if ((head) != (sp)) { \ - ipseclog((LOG_DEBUG, "%s: direction mismatched (TREE=%d SP=%d), " \ - "anyway continue.\n", \ - (name), (head), (sp))); \ - } \ -} while (0) MALLOC_DEFINE(M_IPSEC_SA, "secasvar", "ipsec security association"); MALLOC_DEFINE(M_IPSEC_SAH, "sahead", "ipsec sa head"); @@ -536,18 +491,14 @@ struct sadb_msghdr { static struct callout key_timer; #endif -static struct secasvar *key_allocsa_policy(const struct secasindex *); -static void key_freesp_so(struct secpolicy **); -static struct secasvar *key_do_allocsa_policy(struct secashead *, u_int); static void key_unlink(struct secpolicy *); static struct secpolicy *key_getsp(struct secpolicyindex *); static struct secpolicy *key_getspbyid(u_int32_t); -static u_int32_t key_newreqid(void); static struct mbuf *key_gather_mbuf(struct mbuf *, const struct sadb_msghdr *, int, int, ...); static int key_spdadd(struct socket *, struct mbuf *, const struct sadb_msghdr *); -static u_int32_t key_getnewspid(void); +static uint32_t key_getnewspid(void); static int key_spddelete(struct socket *, struct mbuf *, const struct sadb_msghdr *); static int key_spddelete2(struct socket *, struct mbuf *, 
@@ -564,19 +515,18 @@ static struct mbuf *key_sp2mbuf(struct s static size_t key_getspreqmsglen(struct secpolicy *); static int key_spdexpire(struct secpolicy *); static struct secashead *key_newsah(struct secasindex *); +static void key_freesah(struct secashead **); static void key_delsah(struct secashead *); -static struct secasvar *key_newsav(struct mbuf *, - const struct sadb_msghdr *, struct secashead *, int *, - const char*, int); -#define KEY_NEWSAV(m, sadb, sah, e) \ - key_newsav(m, sadb, sah, e, __FILE__, __LINE__) +static struct secasvar *key_newsav(const struct sadb_msghdr *, + struct secasindex *, uint32_t, int *); static void key_delsav(struct secasvar *); +static void key_unlinksav(struct secasvar *); static struct secashead *key_getsah(struct secasindex *); -static struct secasvar *key_checkspidup(struct secasindex *, u_int32_t); -static struct secasvar *key_getsavbyspi(struct secashead *, u_int32_t); -static int key_setsaval(struct secasvar *, struct mbuf *, - const struct sadb_msghdr *); -static int key_mature(struct secasvar *); +static int key_checkspidup(uint32_t); +static struct secasvar *key_getsavbyspi(uint32_t); +static int key_setnatt(struct secasvar *, const struct sadb_msghdr *); +static int key_setsaval(struct secasvar *, const struct sadb_msghdr *); +static int key_updatelifetimes(struct secasvar *, const struct sadb_msghdr *); static struct mbuf *key_setdumpsa(struct secasvar *, u_int8_t, u_int8_t, u_int32_t, u_int32_t); static struct mbuf *key_setsadbmsg(u_int8_t, u_int16_t, u_int8_t, 
@@ -594,10 +544,10 @@ static void key_porttosaddr(struct socka static struct mbuf *key_setsadbxsa2(u_int8_t, u_int32_t, u_int32_t); static struct mbuf *key_setsadbxpolicy(u_int16_t, u_int8_t, u_int32_t, u_int32_t); -static struct seckey *key_dup_keymsg(const struct sadb_key *, u_int, - struct malloc_type *); +static struct seckey *key_dup_keymsg(const struct sadb_key *, size_t, + struct malloc_type *); static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src, - struct malloc_type *type); + struct malloc_type *); #ifdef INET6 static int key_ismyaddr6(struct sockaddr_in6 *); #endif @@ -613,11 +563,9 @@ static int key_cmpspidx_exactly(struct s struct secpolicyindex *); static int key_cmpspidx_withmask(struct secpolicyindex *, struct secpolicyindex *); -static int key_sockaddrcmp(const struct sockaddr *, - const struct sockaddr *, int); static int key_bbcmp(const void *, const void *, u_int); -static u_int16_t key_satype2proto(u_int8_t); -static u_int8_t key_proto2satype(u_int16_t); +static uint8_t key_satype2proto(uint8_t); +static uint8_t key_proto2satype(uint8_t); static int key_getspi(struct socket *, struct mbuf *, const struct sadb_msghdr *); @@ -630,14 +578,13 @@ static struct secasvar *key_getsavbyseq( #endif static int key_add(struct socket *, struct mbuf *, const struct sadb_msghdr *); -static int key_setident(struct secashead *, struct mbuf *, - const struct sadb_msghdr *); +static int key_setident(struct secashead *, const struct sadb_msghdr *); static struct mbuf *key_getmsgbuf_x1(struct mbuf *, const struct sadb_msghdr *); static int key_delete(struct socket *, struct mbuf *, const struct sadb_msghdr *); static int key_delete_all(struct socket *, struct mbuf *, - const struct sadb_msghdr *, u_int16_t); + const struct sadb_msghdr *, struct secasindex *); static int key_get(struct socket *, struct mbuf *, const struct sadb_msghdr *); 
@@ -648,9 +595,10 @@ static struct mbuf *key_getcomb_ipcomp(v static struct mbuf *key_getprop(const struct secasindex *); static int key_acquire(const struct secasindex *, struct secpolicy *); -static struct secacq *key_newacq(const struct secasindex *); -static struct secacq *key_getacq(const struct secasindex *); -static struct secacq *key_getacqbyseq(u_int32_t); +static uint32_t key_newacq(const struct secasindex *, int *); +static uint32_t key_getacq(const struct secasindex *, int *); +static int key_acqdone(const struct secasindex *, uint32_t); +static int key_acqreset(uint32_t); static struct secspacq *key_newspacq(struct secpolicyindex *); static struct secspacq *key_getspacq(struct secpolicyindex *); static int key_acquire2(struct socket *, struct mbuf *, @@ -7566,25 +7514,6 @@ key_destroy(void) } #endif -/* - * XXX: maybe This function is called after INBOUND IPsec processing. - * - * Special check for tunnel-mode packets. - * We must make some checks for consistency between inner and outer IP header. - * - * xxx more checks to be provided - */ -int -key_checktunnelsanity(struct secasvar *sav, u_int family, caddr_t src, - caddr_t dst) -{ - IPSEC_ASSERT(sav->sah != NULL, ("null SA header")); - - /* XXX: check inner IP header */ - - return 1; -} - /* record data transfer on SA, and update timestamps */ void key_sa_recordxfer(struct secasvar *sav, struct mbuf *m) 
@@ -7620,20 +7549,6 @@ key_sa_recordxfer(struct secasvar *sav, sav->firstused = time_second; } -static void -key_sa_chgstate(struct secasvar *sav, u_int8_t state) -{ - IPSEC_ASSERT(sav != NULL, ("NULL sav")); - SAHTREE_LOCK_ASSERT(); - - if (sav->state != state) { - if (__LIST_CHAINED(sav)) - LIST_REMOVE(sav, chain); - sav->state = state; - LIST_INSERT_HEAD(&sav->sah->savtree[state], sav, chain); - } -} - /* * Take one of the kernel's security keys and convert it into a PF_KEY * structure within an mbuf, suitable for sending up to a waiting From owner-svn-src-projects@freebsd.org Wed Nov 23 12:20:39 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5F745C4EB22 for ; Wed, 23 Nov 2016 12:20:39 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2298AA69; Wed, 23 Nov 2016 12:20:39 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uANCKcaH014713; Wed, 23 Nov 2016 12:20:38 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uANCKcrZ014712; Wed, 23 Nov 2016 12:20:38 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611231220.uANCKcrZ014712@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
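Review bot: key_checktunnelsanity(), removed in the key.c hunk at -7566 of r309054, was defined without static and so had external linkage, yet key.c is the only file this commit modifies; its prototype in the header and any remaining caller should be removed in the same change, otherwise a stale declaration or an unresolved reference is left behind. The deleted body only asserted sav->sah and returned 1 with "XXX: check inner IP header" still open, so the inner/outer header consistency check for tunnel-mode packets was never implemented. The log should say where that check is expected to live now instead of filing the function under unused code.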
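Review bot: the prototype block in r309054 (key.c hunks at -564, -613 and -648) changes signatures, which is more than garbage collection: key_newsav() loses its mbuf, file and line arguments, key_checkspidup() goes from returning struct secasvar * to int, key_newacq() and key_getacq() now return uint32_t with an int * out-parameter, and key_satype2proto() narrows its return type from u_int16_t to uint8_t. None of the visible hunks touches the matching definitions, and new static prototypes such as key_freesah(), key_unlinksav() and key_acqreset() appear with no body in this diff. Either name in the log the revision that changed the definitions, or split the signature updates into their own commit so this one stays a mechanical removal.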
From: "Andrey V. Elsukov" Date: Wed, 23 Nov 2016 12:20:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309056 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2016 12:20:39 -0000 Author: ae Date: Wed Nov 23 12:20:38 2016 New Revision: 309056 URL: https://svnweb.freebsd.org/changeset/base/309056 Log: Update inbound IPsec packet processing for IPv4/IPv6. Use new xform_history structure to save information about used SA. Keep reference to SA until xform callback is not finished. If xform_input fails to queue crypto request, release reference. Otherwise xform callback will release it after sending mbuf to netisr. Modified: projects/ipsec/sys/netipsec/ipsec_input.c Modified: projects/ipsec/sys/netipsec/ipsec_input.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_input.c Wed Nov 23 11:56:22 2016 (r309055) +++ projects/ipsec/sys/netipsec/ipsec_input.c Wed Nov 23 12:20:38 2016 (r309056) @@ -209,7 +209,7 @@ ipsec_common_input(struct mbuf *m, int s } /* NB: only pass dst since key_allocsa follows RFC2401 */ - sav = KEY_ALLOCSA(&dst_address, sproto, spi); + sav = key_allocsa(&dst_address, sproto, spi); if (sav == NULL) { DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address, buf, sizeof(buf)), @@ -234,8 +234,9 @@ ipsec_common_input(struct mbuf *m, int s * everything else. */ error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); - KEY_FREESAV(&sav); - return error; + if (error != 0) + key_freesav(&sav); + return (error); } #ifdef INET 
@@ -309,21 +310,19 @@ int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - char buf[INET6_ADDRSTRLEN]; + char buf[IPSEC_ADDRSTRLEN]; struct ipsec_ctx_data ctx; - int prot, af, sproto, isr_prot; - struct ip *ip; - struct m_tag *mtag; - struct tdb_ident *tdbi; + struct xform_history *xh; struct secasindex *saidx; - int error; + struct m_tag *mtag; + struct ip *ip; + int error, prot, af, sproto, isr_prot; #ifdef INET6 #ifdef notyet - char ip6buf[INET6_ADDRSTRLEN]; + char ip6buf[IPSEC_ADDRSTRLEN]; #endif #endif - IPSEC_ASSERT(m != NULL, ("null mbuf")); IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); saidx = &sav->sah->saidx; @@ -360,7 +359,7 @@ ipsec4_common_input_cb(struct mbuf *m, s IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE); if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) goto bad; - ip = mtod(m, struct ip *); + ip = mtod(m, struct ip *); /* update pointer */ /* IP-in-IP encapsulation */ if (prot == IPPROTO_IPIP && @@ -445,8 +444,8 @@ ipsec4_common_input_cb(struct mbuf *m, s /* * When mode is wildcard, inner protocol is IPv6 and * we have no INET6 support - drop this packet a bit later. - * In other cases we assume transport mode and outer - * header was already stripped in xform_xxx_cb. + * In other cases we assume transport mode. Set prot to + * correctly choose netisr. */ prot = IPPROTO_IPIP; } @@ -457,7 +456,7 @@ ipsec4_common_input_cb(struct mbuf *m, s */ if (sproto != IPPROTO_IPCOMP) { mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, - sizeof(struct tdb_ident), M_NOWAIT); + sizeof(struct xform_history), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); IPSEC_ISTAT(sproto, hdrops); 
@@ -465,14 +464,11 @@ ipsec4_common_input_cb(struct mbuf *m, s goto bad; } - tdbi = (struct tdb_ident *)(mtag + 1); - bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len); - tdbi->proto = sproto; - tdbi->spi = sav->spi; - /* Cache those two for enc(4) in xform_ipip. */ - tdbi->alg_auth = sav->alg_auth; - tdbi->alg_enc = sav->alg_enc; - + xh = (struct xform_history *)(mtag + 1); + bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); + xh->spi = sav->spi; + xh->proto = sproto; + xh->mode = saidx->mode; m_tag_prepend(m, mtag); } @@ -509,17 +505,20 @@ ipsec4_common_input_cb(struct mbuf *m, s IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER); if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) goto bad; + error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); + key_freesav(&sav); if (error) { IPSEC_ISTAT(sproto, qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", __func__, sproto)); - return error; } - return 0; + return (error); bad: - m_freem(m); - return error; + key_freesav(&sav); + if (m != NULL) + m_freem(m); + return (error); } void @@ -582,21 +581,20 @@ int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - char buf[INET6_ADDRSTRLEN]; + char buf[IPSEC_ADDRSTRLEN]; struct ipsec_ctx_data ctx; - int prot, af, sproto; + struct xform_history *xh; + struct secasindex *saidx; struct ip6_hdr *ip6; struct m_tag *mtag; - struct tdb_ident *tdbi; - struct secasindex *saidx; + int prot, af, sproto; int nxt, isr_prot; - u_int8_t nxt8; int error, nest; + uint8_t nxt8; #ifdef notyet - char ip6buf[INET6_ADDRSTRLEN]; + char ip6buf[IPSEC_ADDRSTRLEN]; #endif - IPSEC_ASSERT(m != NULL, ("null mbuf")); IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); saidx = &sav->sah->saidx; 
@@ -620,12 +618,13 @@ ipsec6_common_input_cb(struct mbuf *m, s goto bad; } - ip6 = mtod(m, struct ip6_hdr *); - ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); - IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_BEFORE); if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) goto bad; + + ip6 = mtod(m, struct ip6_hdr *); + ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); + /* Save protocol */ m_copydata(m, protoff, 1, &nxt8); prot = nxt8; @@ -715,7 +714,7 @@ ipsec6_common_input_cb(struct mbuf *m, s */ if (sproto != IPPROTO_IPCOMP) { mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, - sizeof(struct tdb_ident), M_NOWAIT); + sizeof(struct xform_history), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); IPSEC_ISTAT(sproto, hdrops); @@ -723,20 +722,16 @@ ipsec6_common_input_cb(struct mbuf *m, s goto bad; } - tdbi = (struct tdb_ident *)(mtag + 1); - bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union)); - tdbi->proto = sproto; - tdbi->spi = sav->spi; - /* Cache those two for enc(4) in xform_ipip. */ - tdbi->alg_auth = sav->alg_auth; - tdbi->alg_enc = sav->alg_enc; - + xh = (struct xform_history *)(mtag + 1); + bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); + xh->spi = sav->spi; + xh->proto = sproto; + xh->mode = saidx->mode; m_tag_prepend(m, mtag); } key_sa_recordxfer(sav, m); - #ifdef INET if (prot == IPPROTO_IPIP) af = AF_INET; @@ -768,6 +763,7 @@ ipsec6_common_input_cb(struct mbuf *m, s goto bad; } error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); + key_freesav(&sav); if (error) { IPSEC_ISTAT(sproto, qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", @@ -810,13 +806,14 @@ ipsec6_common_input_cb(struct mbuf *m, s } nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); } - return 0; + key_freesav(&sav); + return (0); bad: + key_freesav(&sav); if (m) m_freem(m); - return error; + return (error); } - void esp6_ctlinput(int cmd, struct sockaddr *sa, void *d) { 
@@ -884,11 +881,11 @@ esp6_ctlinput(int cmd, struct sockaddr * * Check to see if we have a valid SA corresponding to * the address in the ICMP message payload. */ - sav = KEY_ALLOCSA((union sockaddr_union *)sa, + sav = key_allocsa((union sockaddr_union *)sa, IPPROTO_ESP, spi); valid = (sav != NULL); if (sav) - KEY_FREESAV(&sav); + key_freesav(&sav); /* XXX Further validation? */ From owner-svn-src-projects@freebsd.org Thu Nov 24 08:08:43 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C3F1FC533F7 for ; Thu, 24 Nov 2016 08:08:43 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9EC271F3; Thu, 24 Nov 2016 08:08:43 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAO88ge0016302; Thu, 24 Nov 2016 08:08:42 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAO88gYS016300; Thu, 24 Nov 2016 08:08:42 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611240808.uAO88gYS016300@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
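Review bot: in ipsec_common_input() (ipsec_input.c hunk at -234 of r309056) the SA reference is now dropped only when xf_input returns non-zero, which makes correctness depend on an unwritten contract: a transform may return an error only if its callback will never run, because ipsec4_common_input_cb() and ipsec6_common_input_cb() now call key_freesav(&sav) on their queueing, return and bad: paths. Please state that contract in a comment above "if (error != 0) key_freesav(&sav);" and confirm that a dispatch error can never be reported after the callback has already released the SA, since that would release the same reference twice.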
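Review bot: both callbacks in r309056 (ipsec_input.c hunks at -465 and -723) copy only saidx->dst.sa.sa_len bytes into xh->dst, and the tag comes from m_tag_get(..., M_NOWAIT) with no zeroing visible in these lines, so whenever sa_len is smaller than the union the tail of xh->dst is never written. If any consumer of PACKET_TAG_IPSEC_IN_DONE compares or copies the whole sockaddr_union, clear the xform_history before filling it. The removed alg_auth and alg_enc fields carried the comment "Cache those two for enc(4) in xform_ipip", so the log should also confirm that this consumer no longer reads them from the tag.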
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 08:08:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309086 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 08:08:43 -0000 Author: ae Date: Thu Nov 24 08:08:42 2016 New Revision: 309086 URL: https://svnweb.freebsd.org/changeset/base/309086 Log: Modify inbound AH processing. Use struct xform_data to pass needed information from ah_input() to ah_input_cb(). Protect access to SA replay window structure and cryptoid by acquiring SA lock. Add ipsec_updateid() function to handle EAGAIN error from cryptoid subsystem. Modified: projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/xform_ah.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Thu Nov 24 07:35:16 2016 (r309085) +++ projects/ipsec/sys/netipsec/ipsec.c Thu Nov 24 08:08:42 2016 (r309086) 
@@ -1612,6 +1612,52 @@ ok: return (0); } +int +ipsec_updateid(struct secasvar *sav, uint64_t *new, uint64_t *old) +{ + uint64_t tmp; + + /* + * tdb_cryptoid is initialized by xform_init(). + * Then it can be changed only when some crypto error occurred or + * when SA is deleted. We stored used cryptoid in the xform_data + * structure. In case when crypto error occurred and crypto + * subsystem has reinited the session, it returns new cryptoid + * and EAGAIN error code. + * + * This function will be called when we got EAGAIN from crypto + * subsystem. + * *new is cryptoid that was returned by crypto subsystem in + * the crp_sid. + * *old is the original cryptoid that we stored in xform_data. + * + * For first failed request *old == sav->tdb_cryptoid, then + * we update sav->tdb_cryptoid and redo crypto_dispatch(). + * For next failed request *old != sav->tdb_cryptoid, then + * we store cryptoid from first request into the *new variable + * and crp_sid from this second session will be returned via + * *old pointer, so caller can release second session. + * + * XXXAE: check this more carefully. + */ + KEYDBG(IPSEC_STAMP, + printf("%s: SA(%p) moves cryptoid %jd -> %jd\n", + __func__, sav, (uintmax_t)(*old), (uintmax_t)(*new))); + KEYDBG(IPSEC_DATA, kdebug_secasv(sav)); + SECASVAR_LOCK(sav); + if (sav->tdb_cryptoid != *old) { + /* cryptoid was already updated */ + tmp = *new; + *new = sav->tdb_cryptoid; + *old = tmp; + SECASVAR_UNLOCK(sav); + return (1); + } + sav->tdb_cryptoid = *new; + SECASVAR_UNLOCK(sav); + return (0); +} + /* * Shift variable length buffer to left. * IN: bitmap: pointer to the buffer Modified: projects/ipsec/sys/netipsec/xform_ah.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ah.c Thu Nov 24 07:35:16 2016 (r309085) +++ projects/ipsec/sys/netipsec/xform_ah.c Thu Nov 24 08:08:42 2016 (r309086) 
@@ -582,14 +582,14 @@ static int ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { char buf[128]; + struct cryptodesc *crda; + struct cryptop *crp; struct auth_hash *ahx; - struct tdb_crypto *tc; + struct xform_data *xd; struct newah *ah; + uint64_t cryptoid; int hl, rplen, authsize, error; - struct cryptodesc *crda; - struct cryptop *crp; - IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key")); IPSEC_ASSERT(sav->tdb_authalgxform != NULL, @@ -608,13 +608,18 @@ ah_input(struct mbuf *m, struct secasvar } /* Check replay window, if applicable. */ - if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { + SECASVAR_LOCK(sav); + if (sav->replay != NULL && sav->replay->wsize != 0 && + ipsec_chkreplay(ntohl(ah->ah_seq), sav) == 0) { + SECASVAR_UNLOCK(sav); AHSTAT_INC(ahs_replay); DPRINTF(("%s: packet replay failure: %s\n", __func__, ipsec_logsastr(sav, buf, sizeof(buf)))); m_freem(m); - return ENOBUFS; + return (EACCES); } + cryptoid = sav->tdb_cryptoid; + SECASVAR_UNLOCK(sav); /* Verify AH header length. */ hl = ah->ah_len * sizeof (u_int32_t); @@ -635,7 +640,8 @@ ah_input(struct mbuf *m, struct secasvar /* Get crypto descriptors. */ crp = crypto_getreq(1); if (crp == NULL) { - DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); + DPRINTF(("%s: failed to acquire crypto descriptor\n", + __func__)); AHSTAT_INC(ahs_crypto); m_freem(m); return ENOBUFS; 
@@ -654,10 +660,10 @@ ah_input(struct mbuf *m, struct secasvar crda->crd_key = sav->key_auth->key_data; /* Allocate IPsec-specific opaque crypto info. */ - tc = (struct tdb_crypto *) malloc(sizeof (struct tdb_crypto) + - skip + rplen + authsize, M_XDATA, M_NOWAIT | M_ZERO); - if (tc == NULL) { - DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); + xd = malloc(sizeof(*xd) + skip + rplen + authsize, M_XDATA, + M_NOWAIT | M_ZERO); + if (xd == NULL) { + DPRINTF(("%s: failed to allocate xform_data\n", __func__)); AHSTAT_INC(ahs_crypto); crypto_freereq(crp); m_freem(m); @@ -668,7 +674,7 @@ ah_input(struct mbuf *m, struct secasvar * Save the authenticator, the skipped portion of the packet, * and the AH header. */ - m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(tc+1)); + m_copydata(m, 0, skip + rplen + authsize, (caddr_t)(xd + 1)); /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); @@ -679,7 +685,7 @@ ah_input(struct mbuf *m, struct secasvar if (error != 0) { /* NB: mbuf is free'd by ah_massage_headers */ AHSTAT_INC(ahs_hdrops); - free(tc, M_XDATA); + free(xd, M_XDATA); crypto_freereq(crp); return (error); } @@ -689,18 +695,15 @@ ah_input(struct mbuf *m, struct secasvar crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (caddr_t) m; crp->crp_callback = ah_input_cb; - crp->crp_sid = sav->tdb_cryptoid; - crp->crp_opaque = (caddr_t) tc; + crp->crp_sid = cryptoid; + crp->crp_opaque = (caddr_t) xd; /* These are passed as-is to the callback. */ - tc->tc_spi = sav->spi; - tc->tc_dst = sav->sah->saidx.dst; - tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; - tc->tc_protoff = protoff; - tc->tc_skip = skip; - KEY_ADDREFSA(sav); - tc->tc_sav = sav; + xd->sav = sav; + xd->nxt = ah->ah_nxt; + xd->protoff = protoff; + xd->skip = skip; + xd->cryptoid = cryptoid; return (crypto_dispatch(crp)); } 
@@ -710,31 +713,27 @@ ah_input(struct mbuf *m, struct secasvar static int ah_input_cb(struct cryptop *crp) { - char buf[INET6_ADDRSTRLEN]; - int rplen, error, skip, protoff; + char buf[IPSEC_ADDRSTRLEN]; unsigned char calc[AH_ALEN_MAX]; struct mbuf *m; struct cryptodesc *crd; struct auth_hash *ahx; - struct tdb_crypto *tc; + struct xform_data *xd; struct secasvar *sav; struct secasindex *saidx; - u_int8_t nxt; caddr_t ptr; - int authsize; + uint64_t cryptoid; + int authsize, rplen, error, skip, protoff; + uint8_t nxt; crd = crp->crp_desc; - - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!")); - skip = tc->tc_skip; - nxt = tc->tc_nxt; - protoff = tc->tc_protoff; m = (struct mbuf *) crp->crp_buf; - - sav = tc->tc_sav; - IPSEC_ASSERT(sav != NULL, ("null SA!")); - + xd = (struct xform_data *) crp->crp_opaque; + sav = xd->sav; + skip = xd->skip; + nxt = xd->nxt; + protoff = xd->protoff; + cryptoid = xd->cryptoid; saidx = &sav->sah->saidx; IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, @@ -744,12 +743,13 @@ ah_input_cb(struct cryptop *crp) /* Check for crypto errors. */ if (crp->crp_etype) { - if (sav->tdb_cryptoid != 0) - sav->tdb_cryptoid = crp->crp_sid; - - if (crp->crp_etype == EAGAIN) + if (crp->crp_etype == EAGAIN) { + /* Reset the session ID */ + if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + crypto_freesession(cryptoid); + xd->cryptoid = crp->crp_sid; return (crypto_dispatch(crp)); - + } AHSTAT_INC(ahs_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; @@ -776,7 +776,7 @@ ah_input_cb(struct cryptop *crp) m_copydata(m, skip + rplen, authsize, calc); /* Verify authenticator. */ - ptr = (caddr_t) (tc + 1); + ptr = (caddr_t) (xd + 1); if (timingsafe_bcmp(ptr + skip + rplen, calc, authsize)) { DPRINTF(("%s: authentication hash mismatch for packet " "in SA %s/%08lx\n", __func__, 
@@ -787,11 +787,11 @@ ah_input_cb(struct cryptop *crp) goto bad; } /* Fix the Next Protocol field. */ - ((u_int8_t *) ptr)[protoff] = nxt; + ((uint8_t *) ptr)[protoff] = nxt; /* Copyback the saved (uncooked) network headers. */ m_copyback(m, 0, skip, ptr); - free(tc, M_XDATA), tc = NULL; /* No longer needed */ + free(xd, M_XDATA), xd = NULL; /* No longer needed */ /* * Header is now authenticated. @@ -806,11 +806,14 @@ ah_input_cb(struct cryptop *crp) m_copydata(m, skip + offsetof(struct newah, ah_seq), sizeof (seq), (caddr_t) &seq); + SECASVAR_LOCK(sav); if (ipsec_updatereplay(ntohl(seq), sav)) { + SECASVAR_UNLOCK(sav); AHSTAT_INC(ahs_replay); - error = ENOBUFS; /*XXX as above*/ + error = EACCES; goto bad; } + SECASVAR_UNLOCK(sav); } /* 
@@ -840,16 +843,14 @@ ah_input_cb(struct cryptop *crp) panic("%s: Unexpected address family: %d saidx=%p", __func__, saidx->dst.sa.sa_family, saidx); } - - KEY_FREESAV(&sav); return error; bad: if (sav) - KEY_FREESAV(&sav); + key_freesav(&sav); if (m != NULL) m_freem(m); - if (tc != NULL) - free(tc, M_XDATA); + if (xd != NULL) + free(xd, M_XDATA); if (crp != NULL) crypto_freereq(crp); return error; From owner-svn-src-projects@freebsd.org Thu Nov 24 08:26:55 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B5044C537ED for ; Thu, 24 Nov 2016 08:26:55 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8FA10C7E; Thu, 24 Nov 2016 08:26:55 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAO8QsS0024098; Thu, 24 Nov 2016 08:26:54 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAO8Qs0J024097; Thu, 24 Nov 2016 08:26:54 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611240826.uAO8Qs0J024097@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
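Review bot: ipsec_updateid() (ipsec.c hunk at -1612 of r309086) swaps the caller's values on the lost-race path, so after a return of 1 *old holds the session the caller must free and *new holds the SA's current cryptoid, while after a return of 0 both are left alone; that contract can only be recovered from the long comment, which itself ends with "XXXAE: check this more carefully". Please document the two return values and the owner of each session id at the top of the function, and say what becomes of the previous sav->tdb_cryptoid on the return-0 path, where it is overwritten without being freed. Minor: the KEYDBG printf passes (uintmax_t) values to %jd, which should be %ju, and kdebug_secasv(sav) runs before SECASVAR_LOCK() is taken.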
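Review bot: ah_input() (xform_ah.c hunk at -689 of r309086) drops KEY_ADDREFSA(sav) and stores the bare pointer in xd->sav, so the callback now runs on the caller's reference while the request is still dispatched with CRYPTO_F_CBIFSYNC. If ah_input_cb() can run inside crypto_dispatch() and reach bad:, where it calls key_freesav(&sav), then any error coming back through "return (crypto_dispatch(crp));" would make ipsec_common_input() release the same reference again; a comment at the dispatch site explaining why that cannot happen would settle it. ah_input_cb() also loses its IPSEC_ASSERTs on the opaque pointer and on the SA and dereferences xd->sav immediately, while bad: still tests "if (sav)"; keep the asserts or drop the check that can no longer be false.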
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 08:26:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309087 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 08:26:55 -0000 Author: ae Date: Thu Nov 24 08:26:54 2016 New Revision: 309087 URL: https://svnweb.freebsd.org/changeset/base/309087 Log: Update inbound ESP processing. Use struct xform_data to pass needed information from esp_input() to esp_input_cb(). Protect access to SA replay window structure and cryptoid by acquiring SA lock. Set M_AUTHIPDGM mbuf flag if authentication was performed Modified: projects/ipsec/sys/netipsec/xform_esp.c Modified: projects/ipsec/sys/netipsec/xform_esp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_esp.c Thu Nov 24 08:08:42 2016 (r309086) +++ projects/ipsec/sys/netipsec/xform_esp.c Thu Nov 24 08:26:54 2016 (r309087) @@ -300,12 +300,13 @@ esp_input(struct mbuf *m, struct secasva char buf[128]; struct auth_hash *esph; struct enc_xform *espx; - struct tdb_crypto *tc; - uint8_t *ivp; - int plen, alen, hlen; - struct newesp *esp; + struct xform_data *xd; struct cryptodesc *crde; struct cryptop *crp; + struct newesp *esp; + uint8_t *ivp; + uint64_t cryptoid; + int plen, alen, hlen; IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); 
@@ -354,14 +355,19 @@ esp_input(struct mbuf *m, struct secasva /* * Check sequence number. */ - if (esph != NULL && sav->replay != NULL && - !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { - DPRINTF(("%s: packet replay check for %s\n", __func__, - ipsec_logsastr(sav, buf, sizeof(buf)))); /*XXX*/ - ESPSTAT_INC(esps_replay); - m_freem(m); - return ENOBUFS; /*XXX*/ + SECASVAR_LOCK(sav); + if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) { + if (ipsec_chkreplay(ntohl(esp->esp_seq), sav) == 0) { + SECASVAR_UNLOCK(sav); + DPRINTF(("%s: packet replay check for %s\n", __func__, + ipsec_logsastr(sav, buf, sizeof(buf)))); + ESPSTAT_INC(esps_replay); + m_freem(m); + return (EACCES); + } } + cryptoid = sav->tdb_cryptoid; + SECASVAR_UNLOCK(sav); /* Update the counters */ ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen)); @@ -377,12 +383,11 @@ esp_input(struct mbuf *m, struct secasva } /* Get IPsec-specific opaque pointer */ - tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen, - M_XDATA, M_NOWAIT | M_ZERO); - if (tc == NULL) { - crypto_freereq(crp); - DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); + xd = malloc(sizeof(*xd) + alen, M_XDATA, M_NOWAIT | M_ZERO); + if (xd == NULL) { + DPRINTF(("%s: failed to allocate xform_data\n", __func__)); ESPSTAT_INC(esps_crypto); + crypto_freereq(crp); m_freem(m); return ENOBUFS; } @@ -404,7 +409,7 @@ esp_input(struct mbuf *m, struct secasva /* Copy the authenticator */ m_copydata(m, m->m_pkthdr.len - alen, alen, - (caddr_t) (tc + 1)); + (caddr_t) (xd + 1)); /* Chain authentication request */ crde = crda->crd_next; 
@@ -417,17 +422,14 @@ esp_input(struct mbuf *m, struct secasva crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (caddr_t) m; crp->crp_callback = esp_input_cb; - crp->crp_sid = sav->tdb_cryptoid; - crp->crp_opaque = (caddr_t) tc; + crp->crp_sid = cryptoid; + crp->crp_opaque = (caddr_t) xd; /* These are passed as-is to the callback */ - tc->tc_spi = sav->spi; - tc->tc_dst = sav->sah->saidx.dst; - tc->tc_proto = sav->sah->saidx.proto; - tc->tc_protoff = protoff; - tc->tc_skip = skip; - KEY_ADDREFSA(sav); - tc->tc_sav = sav; + xd->sav = sav; + xd->protoff = protoff; + xd->skip = skip; + xd->cryptoid = cryptoid; /* Decryption descriptor */ IPSEC_ASSERT(crde != NULL, ("null esp crypto descriptor")); 
@@ -472,40 +474,34 @@ esp_input_cb(struct cryptop *crp) struct cryptodesc *crd; struct auth_hash *esph; struct enc_xform *espx; - struct tdb_crypto *tc; + struct xform_data *xd; struct secasvar *sav; struct secasindex *saidx; caddr_t ptr; + uint64_t cryptoid; crd = crp->crp_desc; IPSEC_ASSERT(crd != NULL, ("null crypto descriptor!")); - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!")); - skip = tc->tc_skip; - protoff = tc->tc_protoff; m = (struct mbuf *) crp->crp_buf; - - sav = tc->tc_sav; - IPSEC_ASSERT(sav != NULL, ("null SA!")); - + xd = (struct xform_data *) crp->crp_opaque; + sav = xd->sav; + skip = xd->skip; + protoff = xd->protoff; + cryptoid = xd->cryptoid; saidx = &sav->sah->saidx; - IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || - saidx->dst.sa.sa_family == AF_INET6, - ("unexpected protocol family %u", saidx->dst.sa.sa_family)); - esph = sav->tdb_authalgxform; espx = sav->tdb_encalgxform; /* Check for crypto errors */ if (crp->crp_etype) { - /* Reset the session ID */ - if (sav->tdb_cryptoid != 0) - sav->tdb_cryptoid = crp->crp_sid; - - if (crp->crp_etype == EAGAIN) + if (crp->crp_etype == EAGAIN) { + /* Reset the session ID */ + if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + crypto_freesession(cryptoid); + xd->cryptoid = crp->crp_sid; return (crypto_dispatch(crp)); - + } ESPSTAT_INC(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; @@ -527,7 +523,7 @@ esp_input_cb(struct cryptop *crp) AHSTAT_INC(ahs_hist[sav->alg_auth]); /* Copy the authenticator from the packet */ m_copydata(m, m->m_pkthdr.len - alen, alen, aalg); - ptr = (caddr_t) (tc + 1); + ptr = (caddr_t) (xd + 1); /* Verify authenticator */ if (timingsafe_bcmp(ptr, aalg, alen) != 0) { 
@@ -539,13 +535,13 @@ esp_input_cb(struct cryptop *crp) error = EACCES; goto bad; } - + m->m_flags |= M_AUTHIPDGM; /* Remove trailing authenticator */ m_adj(m, -alen); } /* Release the crypto descriptors */ - free(tc, M_XDATA), tc = NULL; + free(xd, M_XDATA), xd = NULL; crypto_freereq(crp), crp = NULL; /* @@ -561,13 +557,16 @@ esp_input_cb(struct cryptop *crp) m_copydata(m, skip + offsetof(struct newesp, esp_seq), sizeof (seq), (caddr_t) &seq); + SECASVAR_LOCK(sav); if (ipsec_updatereplay(ntohl(seq), sav)) { + SECASVAR_UNLOCK(sav); DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav, buf, sizeof(buf)))); ESPSTAT_INC(esps_replay); - error = ENOBUFS; + error = EACCES; goto bad; } + SECASVAR_UNLOCK(sav); } /* Determine the ESP header length */ 
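Review bot: In the replay check, SECASVAR_UNLOCK(sav) is written once inside the failure branch and once after it; taking the result of ipsec_updatereplay() into a local under the lock and unlocking in one place would keep a later edit from adding an exit that still holds the SA lock. The same hunk changes the replay error from ENOBUFS to EACCES, which now matches the authenticator-failure path just above; that is a caller-visible change, so it is worth confirming nothing upstream treated ENOBUFS from this path specially.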
@@ -635,21 +634,18 @@ esp_input_cb(struct cryptop *crp) panic("%s: Unexpected address family: %d saidx=%p", __func__, saidx->dst.sa.sa_family, saidx); } - - KEY_FREESAV(&sav); return error; bad: - if (sav) - KEY_FREESAV(&sav); + if (sav != NULL) + key_freesav(&sav); if (m != NULL) m_freem(m); - if (tc != NULL) - free(tc, M_XDATA); + if (xd != NULL) + free(xd, M_XDATA); if (crp != NULL) crypto_freereq(crp); return error; } - /* * ESP output routine, called by ipsec[46]_process_packet(). */
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 08:38:21 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309088 - projects/ipsec/sys/netipsec Author: ae Date: Thu Nov 24 08:38:21 2016 New Revision: 309088 URL: https://svnweb.freebsd.org/changeset/base/309088 Log: Update inbound IPcomp processing. Use struct xform_data to pass needed information from ipcomp_input() to ipcomp_input_cb(). Protect access to cryptoid by acquiring SA lock. Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ipcomp.c Thu Nov 24 08:26:54 2016 (r309087) +++ projects/ipsec/sys/netipsec/xform_ipcomp.c Thu Nov 24 08:38:21 2016 (r309088) @@ -116,10 +116,10 @@ ipcomp_encapcheck(union sockaddr_union * { struct secasvar *sav; - sav = KEY_ALLOCSA_TUNNEL(src, dst, IPPROTO_IPCOMP); + sav = key_allocsa_tunnel(src, dst, IPPROTO_IPCOMP); if (sav == NULL) return (0); - KEY_FREESAV(&sav); + key_freesav(&sav); if (src->sa.sa_family == AF_INET) return (sizeof(struct in_addr) << 4); @@ -201,7 +201,7 @@ ipcomp_zeroize(struct secasvar *sav) static int ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - struct tdb_crypto *tc; + struct xform_data *xd; struct cryptodesc *crdc; struct cryptop *crp; struct ipcomp *ipcomp; 
@@ -236,12 +236,12 @@ ipcomp_input(struct mbuf *m, struct seca return ENOBUFS; } /* Get IPsec-specific opaque pointer */ - tc = (struct tdb_crypto *) malloc(sizeof (*tc), M_XDATA, M_NOWAIT|M_ZERO); - if (tc == NULL) { - m_freem(m); - crypto_freereq(crp); - DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); + xd = malloc(sizeof(*xd), M_XDATA, M_NOWAIT | M_ZERO); + if (xd == NULL) { + DPRINTF(("%s: cannot allocate xform_data\n", __func__)); IPCOMPSTAT_INC(ipcomps_crypto); + crypto_freereq(crp); + m_freem(m); return ENOBUFS; } crdc = crp->crp_desc; @@ -250,27 +250,25 @@ ipcomp_input(struct mbuf *m, struct seca crdc->crd_len = m->m_pkthdr.len - (skip + hlen); crdc->crd_inject = skip; - tc->tc_ptr = 0; - /* Decompression operation */ crdc->crd_alg = sav->tdb_compalgxform->type; + /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len - (skip + hlen); crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (caddr_t) m; crp->crp_callback = ipcomp_input_cb; - crp->crp_sid = sav->tdb_cryptoid; - crp->crp_opaque = (caddr_t) tc; + crp->crp_opaque = (caddr_t) xd; /* These are passed as-is to the callback */ - tc->tc_spi = sav->spi; - tc->tc_dst = sav->sah->saidx.dst; - tc->tc_proto = sav->sah->saidx.proto; - tc->tc_protoff = protoff; - tc->tc_skip = skip; - KEY_ADDREFSA(sav); - tc->tc_sav = sav; + xd->sav = sav; + xd->protoff = protoff; + xd->skip = skip; + + SECASVAR_LOCK(sav); + crp->crp_sid = xd->cryptoid = sav->tdb_cryptoid; + SECASVAR_UNLOCK(sav); return crypto_dispatch(crp); } 
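Review bot: With KEY_ADDREFSA(sav) removed, ipcomp_input() no longer takes its own SA reference, yet its early exits still free only crp and m: the xd == NULL branch returns ENOBUFS without touching sav. If the reference carried in xd->sav is the caller's, these returns leave it unreleased unless the caller calls key_freesav() on error, and the only such call visible in ipsec_common_input() (r309089) is on its noxform path. Either release sav on these exits or add a comment stating that the caller does.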
@@ -281,28 +279,26 @@ ipcomp_input(struct mbuf *m, struct seca static int ipcomp_input_cb(struct cryptop *crp) { - char buf[INET6_ADDRSTRLEN]; + char buf[IPSEC_ADDRSTRLEN]; struct cryptodesc *crd; - struct tdb_crypto *tc; - int skip, protoff; + struct xform_data *xd; struct mbuf *m; struct secasvar *sav; struct secasindex *saidx; - int hlen = IPCOMP_HLENGTH, error, clen; - u_int8_t nproto; caddr_t addr; + uint64_t cryptoid; + int hlen = IPCOMP_HLENGTH, error, clen; + int skip, protoff; + uint8_t nproto; crd = crp->crp_desc; - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!")); - skip = tc->tc_skip; - protoff = tc->tc_protoff; m = (struct mbuf *) crp->crp_buf; - - sav = tc->tc_sav; - IPSEC_ASSERT(sav != NULL, ("null SA!")); - + xd = (struct xform_data *) crp->crp_opaque; + sav = xd->sav; + skip = xd->skip; + protoff = xd->protoff; + cryptoid = xd->cryptoid; saidx = &sav->sah->saidx; IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, @@ -310,12 +306,12 @@ ipcomp_input_cb(struct cryptop *crp) /* Check for crypto errors */ if (crp->crp_etype) { - /* Reset the session ID */ - if (sav->tdb_cryptoid != 0) - sav->tdb_cryptoid = crp->crp_sid; - if (crp->crp_etype == EAGAIN) { - return crypto_dispatch(crp); + /* Reset the session ID */ + if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + crypto_freesession(cryptoid); + xd->cryptoid = crp->crp_sid; + return (crypto_dispatch(crp)); } IPCOMPSTAT_INC(ipcomps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); @@ -334,7 +330,7 @@ ipcomp_input_cb(struct cryptop *crp) clen = crp->crp_olen; /* Length of data after processing */ /* Release the crypto descriptors */ - free(tc, M_XDATA), tc = NULL; + free(xd, M_XDATA), xd = NULL; crypto_freereq(crp), crp = NULL; /* In case it's not done already, adjust the size of the mbuf chain */ 
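Review bot: The EAGAIN branch in ipcomp_input_cb() needs a comment on the ipsec_updateid() contract: a non-zero return frees the session held in cryptoid and xd->cryptoid is then overwritten with crp->crp_sid, but ipsec_updateid() takes pointers to both values, so a reader cannot tell which session ends up freed and which one is redispatched. The old code also refreshed sav->tdb_cryptoid for every crp_etype while the new code does so only for EAGAIN; if that narrowing is intended, say so in the "Reset the session ID" comment.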
@@ -379,17 +375,15 @@ ipcomp_input_cb(struct cryptop *crp) panic("%s: Unexpected address family: %d saidx=%p", __func__, saidx->dst.sa.sa_family, saidx); } - - KEY_FREESAV(&sav); return error; bad: - if (sav) - KEY_FREESAV(&sav); - if (m) + if (sav != NULL) + key_freesav(&sav); + if (m != NULL) m_freem(m); - if (tc != NULL) - free(tc, M_XDATA); - if (crp) + if (xd != NULL) + free(xd, M_XDATA); + if (crp != NULL) crypto_freereq(crp); return error; }
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 09:00:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309089 - projects/ipsec/sys/netipsec Author: ae Date: Thu Nov 24 09:00:18 2016 New Revision: 309089 URL: https://svnweb.freebsd.org/changeset/base/309089 Log: Use IPSEC_ADDRSTRLEN instead of INET6_ADDRSTRLEN, also use key_freesav instead of macro. Modified: projects/ipsec/sys/netipsec/ipsec_input.c Modified: projects/ipsec/sys/netipsec/ipsec_input.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_input.c Thu Nov 24 08:38:21 2016 (r309088) +++ projects/ipsec/sys/netipsec/ipsec_input.c Thu Nov 24 09:00:18 2016 (r309089) @@ -117,10 +117,10 @@ static void ipsec4_common_ctlinput(int, int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) { - char buf[INET6_ADDRSTRLEN]; + char buf[IPSEC_ADDRSTRLEN]; union sockaddr_union dst_address; struct secasvar *sav; - u_int32_t spi; + uint32_t spi; int error; #ifdef INET #ifdef IPSEC_NAT_T 
@@ -224,7 +224,7 @@ ipsec_common_input(struct mbuf *m, int s __func__, ipsec_address(&dst_address, buf, sizeof(buf)), (u_long) ntohl(spi), sproto)); IPSEC_ISTAT(sproto, noxform); - KEY_FREESAV(&sav); + key_freesav(&sav); m_freem(m); return ENXIO; }
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 09:39:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309091 - projects/ipsec/sys/netipsec Author: ae Date: Thu Nov 24 09:39:00 2016 New Revision: 309091 URL: https://svnweb.freebsd.org/changeset/base/309091 Log: Rework outbound IPsec processing. Add ipsec4_allocsa() and ipsec6_allocsa() functions that are used to look up an SA corresponding to security policy. Modified: projects/ipsec/sys/netipsec/ipsec_output.c Modified: projects/ipsec/sys/netipsec/ipsec_output.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_output.c Thu Nov 24 09:00:51 2016 (r309090) +++ projects/ipsec/sys/netipsec/ipsec_output.c Thu Nov 24 09:39:00 2016 (r309091) 
@@ -88,6 +88,201 @@ #include #endif +#define IPSEC_OSTAT_INC(proto, name) do { \ + if ((proto) == IPPROTO_ESP) \ + ESPSTAT_INC(esps_##name); \ + else if ((proto) == IPPROTO_AH)\ + AHSTAT_INC(ahs_##name); \ + else \ + IPCOMPSTAT_INC(ipcomps_##name); \ +} while (0) + +#ifdef INET +static struct secasvar * +ipsec4_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error) +{ + struct secasindex *saidx, tmpsaidx; + struct ipsecrequest *isr; + struct sockaddr_in *sin; + struct secasvar *sav; + struct ip *ip; + + /* + * Check system global policy controls. + */ +next: + isr = sp->req[*pidx]; + if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || + (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || + (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { + DPRINTF(("%s: IPsec outbound packet dropped due" + " to policy (check your sysctls)\n", __func__)); + IPSEC_OSTAT_INC(isr->saidx.proto, pdrops); + *error = EHOSTUNREACH; + return (NULL); + } + /* + * Craft SA index to search for proper SA. Note that + * we only initialize unspecified SA peers for transport + * mode; for tunnel mode they must already be filled in. + */ + if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { + saidx = &tmpsaidx; + *saidx = isr->saidx; + ip = mtod(m, struct ip *); + if (saidx->src.sa.sa_len == 0) { + sin = &saidx->src.sin; + sin->sin_len = sizeof(*sin); + sin->sin_family = AF_INET; + sin->sin_port = IPSEC_PORT_ANY; + sin->sin_addr = ip->ip_src; + } + if (saidx->dst.sa.sa_len == 0) { + sin = &saidx->dst.sin; + sin->sin_len = sizeof(*sin); + sin->sin_family = AF_INET; + sin->sin_port = IPSEC_PORT_ANY; + sin->sin_addr = ip->ip_dst; + } + } else + saidx = &sp->req[*pidx]->saidx; + /* + * Lookup SA and validate it. 
+ */ + sav = key_allocsa_policy(sp, saidx, error); + if (sav == NULL) { + IPSECSTAT_INC(ips_out_nosa); + if (*error != 0) + return (NULL); + if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) { + /* + * We have no SA and policy that doesn't require + * this IPsec transform, thus we can continue w/o + * IPsec processing, i.e. return EJUSTRETURN. + * But first check if there is some bundled transform. + */ + if (sp->tcount > (*pidx)) { + (*pidx)++; + goto next; + } + *error = EJUSTRETURN; + } + return (NULL); + } + /* + * Sanity check the SA content for the caller + * before they invoke the xform output method. + */ + if (sav->tdb_xform == NULL) { + DPRINTF(("%s: no transform for SA\n", __func__)); + IPSEC_OSTAT_INC(isr->saidx.proto, noxform); + key_freesav(&sav); + *error = EHOSTUNREACH; + return (NULL); + } + return (sav); +} +#endif + +#ifdef INET6 +static struct secasvar * +ipsec6_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error) +{ + struct secasindex *saidx, tmpsaidx; + struct ipsecrequest *isr; + struct sockaddr_in6 *sin6; + struct secasvar *sav; + struct ip6_hdr *ip6; + + /* + * Check system global policy controls. + */ +next: + isr = sp->req[*pidx]; + if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || + (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || + (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { + DPRINTF(("%s: IPsec outbound packet dropped due" + " to policy (check your sysctls)\n", __func__)); + IPSEC_OSTAT_INC(isr->saidx.proto, pdrops); + *error = EHOSTUNREACH; + return (NULL); + } + /* + * Craft SA index to search for proper SA. Note that + * we only fillin unspecified SA peers for transport + * mode; for tunnel mode they must already be filled in. 
+ */ + if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { + saidx = &tmpsaidx; + *saidx = isr->saidx; + ip6 = mtod(m, struct ip6_hdr *); + if (saidx->src.sin6.sin6_len == 0) { + sin6 = (struct sockaddr_in6 *)&saidx->src; + sin6->sin6_len = sizeof(*sin6); + sin6->sin6_family = AF_INET6; + sin6->sin6_port = IPSEC_PORT_ANY; + sin6->sin6_addr = ip6->ip6_src; + if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { + /* fix scope id for comparing SPD */ + sin6->sin6_addr.s6_addr16[1] = 0; + sin6->sin6_scope_id = + ntohs(ip6->ip6_src.s6_addr16[1]); + } + } + if (saidx->dst.sin6.sin6_len == 0) { + sin6 = (struct sockaddr_in6 *)&saidx->dst; + sin6->sin6_len = sizeof(*sin6); + sin6->sin6_family = AF_INET6; + sin6->sin6_port = IPSEC_PORT_ANY; + sin6->sin6_addr = ip6->ip6_dst; + if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { + /* fix scope id for comparing SPD */ + sin6->sin6_addr.s6_addr16[1] = 0; + sin6->sin6_scope_id = + ntohs(ip6->ip6_dst.s6_addr16[1]); + } + } + } else + saidx = &sp->req[*pidx]->saidx; + /* + * Lookup SA and validate it. + */ + sav = key_allocsa_policy(sp, saidx, error); + if (sav == NULL) { + IPSEC6STAT_INC(ips_out_nosa); + if (*error != 0) + return (NULL); + if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) { + /* + * We have no SA and policy that doesn't require + * this IPsec transform, thus we can continue w/o + * IPsec processing, i.e. return EJUSTRETURN. + * But first check if there is some bundled transform. + */ + if (sp->tcount > (*pidx)) { + (*pidx)++; + goto next; + } + *error = EJUSTRETURN; + } + return (NULL); + } + /* + * Sanity check the SA content for the caller + * before they invoke the xform output method. 
+ */ + if (sav->tdb_xform == NULL) { + DPRINTF(("%s: no transform for SA\n", __func__)); + IPSEC_OSTAT_INC(isr->saidx.proto, noxform); + key_freesav(&sav); + *error = EHOSTUNREACH; + return (NULL); + } + return (sav); +} +#endif /* INET6 */ + int ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) {
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 10:41:12 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309101 - projects/ipsec/sys/netipsec Author: ae Date: Thu Nov 24 10:41:12 2016 New Revision: 309101 URL: https://svnweb.freebsd.org/changeset/base/309101 Log: Rework outbound IPsec processing. Add ipsec[46]_perform_request() functions that are used to perform given IPsec request. Invoke ipsec[46]_perform_request() from ipsec[46]_process_packet() with first ipsecrequest of given security policy. Modify ipsec_process_done() to use xform_history structure and make SA bundles supported by both address families. Remove now unused ipsec_nextisr() and move IPv4 related functions under the #ifdef INET. Modified: projects/ipsec/sys/netipsec/ipsec_output.c Modified: projects/ipsec/sys/netipsec/ipsec_output.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec_output.c Thu Nov 24 10:35:49 2016 (r309100) +++ projects/ipsec/sys/netipsec/ipsec_output.c Thu Nov 24 10:41:12 2016 (r309101) @@ -97,6 +97,8 @@ IPCOMPSTAT_INC(ipcomps_##name); \ } while (0) +static int ipsec_encap(struct mbuf **mp, struct secasindex *saidx); + #ifdef INET static struct secasvar * ipsec4_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error) 
@@ -182,9 +184,140 @@ next: } return (sav); } + +/* + * IPsec output logic for IPv4. + */ +static int +ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx) +{ + char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; + struct ipsec_ctx_data ctx; + union sockaddr_union *dst; + struct secasvar *sav; + struct ip *ip; + int error, i, off; + + IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx)); + + /* + * We hold the reference to SP. Content of SP couldn't be changed. + * Craft secasindex and do lookup for suitable SA. + * Then do encapsulation if needed and call xform's output. + * We need to store SP in the xform callback parameters. + * In xform callback we will extract SP and it can be used to + * determine next transform. At the end of transform we can + * release reference to SP. + */ + sav = ipsec4_allocsa(m, sp, &idx, &error); + if (sav == NULL) { + if (error == EJUSTRETURN) { /* No IPsec required */ + key_freesp(&sp); + return (error); + } + goto bad; + } + + IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE); + if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) + goto bad; + + ip = mtod(m, struct ip *); + dst = &sav->sah->saidx.dst; + /* Do the appropriate encapsulation, if necessary */ + if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ + dst->sa.sa_family != AF_INET || /* PF mismatch */ + (dst->sa.sa_family == AF_INET && /* Proxy */ + dst->sin.sin_addr.s_addr != INADDR_ANY && + dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) { + /* Fix IPv4 header checksum and length */ + ip->ip_len = htons(m->m_pkthdr.len); + ip->ip_sum = 0; + ip->ip_sum = in_cksum(m, ip->ip_hl << 2); + error = ipsec_encap(&m, &sav->sah->saidx); + if (error != 0) { + DPRINTF(("%s: encapsulation for SA %s->%s " + "SPI 0x%08x failed with error %d\n", __func__, + ipsec_address(&sav->sah->saidx.src, sbuf, + sizeof(sbuf)), + ipsec_address(&sav->sah->saidx.dst, dbuf, + sizeof(dbuf)), ntohl(sav->spi), error)); + /* 
XXXAE: IPSEC_OSTAT_INC(tunnel); */ + goto bad; + } + } + + IPSEC_INIT_CTX(&ctx, &m, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); + if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) + goto bad; + + /* + * Dispatch to the appropriate IPsec transform logic. The + * packet will be returned for transmission after crypto + * processing, etc. are completed. + * + * NB: m & sav are ``passed to caller'' who's responsible for + * reclaiming their resources. + */ + switch(dst->sa.sa_family) { + case AF_INET: + ip = mtod(m, struct ip *); + i = ip->ip_hl << 2; + off = offsetof(struct ip, ip_p); + break; +#ifdef INET6 + case AF_INET6: + i = sizeof(struct ip6_hdr); + off = offsetof(struct ip6_hdr, ip6_nxt); + break; +#endif /* INET6 */ + default: + DPRINTF(("%s: unsupported protocol family %u\n", + __func__, dst->sa.sa_family)); + error = EPFNOSUPPORT; + IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf); + goto bad; + } + error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off); + if (error != 0) { + key_freesav(&sav); + key_freesp(&sp); + } + return (error); +bad: + IPSECSTAT_INC(ips_out_inval); + if (m != NULL) + m_freem(m); + if (sav != NULL) + key_freesav(&sav); + key_freesp(&sp); + return (error); +} + +int +ipsec4_process_packet(struct mbuf *m, struct secpolicy *sp, + struct inpcb *inp) +{ + + return (ipsec4_perform_request(m, sp, 0)); +} #endif #ifdef INET6 +static int +in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, + const struct in6_addr *ia) +{ + struct in6_addr ia2; + + if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr)) { + memcpy(&ia2, &sa->sin6_addr, sizeof(ia2)); + ia2.s6_addr16[1] = htons(sa->sin6_scope_id); + return (IN6_ARE_ADDR_EQUAL(ia, &ia2)); + } + return (IN6_ARE_ADDR_EQUAL(&sa->sin6_addr, ia)); +} + static struct secasvar * ipsec6_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error) { 
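Review bot: ipsec4_perform_request() asserts idx < sp->tcount only on entry and then passes &idx to ipsec4_allocsa(), whose bundled-transform step is "if (sp->tcount > (*pidx)) { (*pidx)++; goto next; }". That test is always true for a valid index, so when the last request has no SA and is not IPSEC_LEVEL_REQUIRE, *pidx becomes sp->tcount and "isr = sp->req[*pidx]" at next: reads one element past the last request. Compare after the increment, for example "if (sp->tcount > ++(*pidx)) goto next;", and make the same change in ipsec6_allocsa().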
@@ -281,24 +414,123 @@ next: } return (sav); } + +/* + * IPsec output logic for IPv6. + */ +static int +ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx) +{ + char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; + struct ipsec_ctx_data ctx; + union sockaddr_union *dst; + struct secasvar *sav; + struct ip6_hdr *ip6; + int error, i, off; + + IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx)); + + sav = ipsec6_allocsa(m, sp, &idx, &error); + if (sav == NULL) { + if (error == EJUSTRETURN) { /* No IPsec required */ + key_freesp(&sp); + return (error); + } + goto bad; + } + + IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET6, IPSEC_ENC_BEFORE); + if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) + goto bad; + + ip6 = mtod(m, struct ip6_hdr *); + ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); + dst = &sav->sah->saidx.dst; + + /* Do the appropriate encapsulation, if necessary */ + if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ + dst->sa.sa_family != AF_INET6 || /* PF mismatch */ + ((dst->sa.sa_family == AF_INET6) && + (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) && + (!in6_sa_equal_addrwithscope(&dst->sin6, &ip6->ip6_dst)))) { + if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) { + /* No jumbogram support. 
*/ + error = ENXIO; /*XXX*/ + goto bad; + } + error = ipsec_encap(&m, &sav->sah->saidx); + if (error != 0) { + DPRINTF(("%s: encapsulation for SA %s->%s " + "SPI 0x%08x failed with error %d\n", __func__, + ipsec_address(&sav->sah->saidx.src, sbuf, + sizeof(sbuf)), + ipsec_address(&sav->sah->saidx.dst, dbuf, + sizeof(dbuf)), ntohl(sav->spi), error)); + /* XXXAE: IPSEC_OSTAT_INC(tunnel); */ + goto bad; + } + } + + IPSEC_INIT_CTX(&ctx, &m, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); + if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) + goto bad; + + switch(dst->sa.sa_family) { +#ifdef INET + case AF_INET: + { + struct ip *ip; + ip = mtod(m, struct ip *); + i = ip->ip_hl << 2; + off = offsetof(struct ip, ip_p); + } + break; +#endif /* AF_INET */ + case AF_INET6: + i = sizeof(struct ip6_hdr); + off = offsetof(struct ip6_hdr, ip6_nxt); + break; + default: + DPRINTF(("%s: unsupported protocol family %u\n", + __func__, dst->sa.sa_family)); + error = EPFNOSUPPORT; + IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf); + goto bad; + } + error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off); + if (error != 0) { + key_freesav(&sav); + key_freesp(&sp); + } + return (error); +bad: + IPSEC6STAT_INC(ips_out_inval); + if (m != NULL) + m_freem(m); + if (sav != NULL) + key_freesav(&sav); + key_freesp(&sp); + return (error); +} + +int +ipsec6_process_packet(struct mbuf *m, struct secpolicy *sp, + struct inpcb *inp) +{ + + return (ipsec6_perform_request(m, sp, 0)); +} #endif /* INET6 */ int -ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) +ipsec_process_done(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, + u_int idx) { - struct tdb_ident *tdbi; - struct m_tag *mtag; - struct secasvar *sav; + struct xform_history *xh; struct secasindex *saidx; + struct m_tag *mtag; int error; - IPSEC_ASSERT(m != NULL, ("null mbuf")); - IPSEC_ASSERT(isr != NULL, ("null ISR")); - IPSEC_ASSERT(isr->sp != NULL, ("NULL isr->sp")); - sav = isr->sav; - IPSEC_ASSERT(sav 
!= NULL, ("null SA")); - IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); - saidx = &sav->sah->saidx; switch (saidx->dst.sa.sa_family) { #ifdef INET @@ -331,21 +563,20 @@ ipsec_process_done(struct mbuf *m, struc } /* - * Add a record of what we've done or what needs to be done to the - * packet. + * Add a record of what we've done to the packet. */ - mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, - sizeof(struct tdb_ident), M_NOWAIT); + mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(*xh), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: could not get packet tag\n", __func__)); error = ENOMEM; goto bad; } - tdbi = (struct tdb_ident *)(mtag + 1); - tdbi->dst = saidx->dst; - tdbi->proto = saidx->proto; - tdbi->spi = sav->spi; + xh = (struct xform_history *)(mtag + 1); + xh->dst = saidx->dst; + xh->proto = saidx->proto; + xh->mode = saidx->mode; + xh->spi = sav->spi; m_tag_prepend(m, mtag); key_sa_recordxfer(sav, m); /* record data transfer */ 
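Review bot: In ipsec6_perform_request(), ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)) is written before any size check, and the IPV6_MAXPACKET test sits only inside the encapsulation branch, so a transport-mode packet whose payload exceeds 65535 bytes gets a truncated ip6_plen and goes on to xf_output. Move the length check ahead of the ip6_plen assignment so that it covers both modes. The subtraction is also evaluated in size_t; an explicit check that m->m_pkthdr.len >= sizeof(*ip6) would make the intent clear.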
@@ -357,32 +588,31 @@ ipsec_process_done(struct mbuf *m, struc * to set the packet on so we can unwind the stack before * doing further processing. */ - if (isr->next) { - /* XXX-BZ currently only support same AF bundles. */ + if (++idx < sp->tcount) { switch (saidx->dst.sa.sa_family) { #ifdef INET case AF_INET: + key_freesav(&sav); IPSECSTAT_INC(ips_out_bundlesa); - return (ipsec4_process_packet(m, isr->next)); + return (ipsec4_perform_request(m, sp, idx)); /* NOTREACHED */ #endif -#ifdef notyet #ifdef INET6 case AF_INET6: - /* XXX */ + key_freesav(&sav); IPSEC6STAT_INC(ips_out_bundlesa); - return (ipsec6_process_packet(m, isr->next)); + return (ipsec6_perform_request(m, sp, idx)); /* NOTREACHED */ #endif /* INET6 */ -#endif default: DPRINTF(("%s: unknown protocol family %u\n", __func__, saidx->dst.sa.sa_family)); - error = ENXIO; + error = EPFNOSUPPORT; goto bad; } } + key_freesp(&sp), sp = NULL; /* Release reference to SP */ /* * We're done with IPsec processing, transmit the packet using the * appropriate network protocol (IP or IPv6). @@ -425,9 +655,10 @@ ipsec_process_done(struct mbuf *m, struc if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT); else - udp->uh_sport = - KEY_PORTFROMSADDR(&sav->sah->saidx.src); - udp->uh_dport = KEY_PORTFROMSADDR(&sav->sah->saidx.dst); + udp->uh_sport = key_portfromsaddr( + &sav->sah->saidx.src.sa); + udp->uh_dport = key_portfromsaddr( + &sav->sah->saidx.dst.sa); udp->uh_sum = 0; udp->uh_ulen = htons(m->m_pkthdr.len - hlen); ip->ip_len = htons(m->m_pkthdr.len); @@ -437,7 +668,7 @@ ipsec_process_done(struct mbuf *m, struc *(u_int64_t *)(udp + 1) = 0; } #endif /* IPSEC_NAT_T */ - + key_freesav(&sav); return ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL); #endif /* INET */ #ifdef INET6 
@@ -446,171 +677,19 @@ ipsec_process_done(struct mbuf *m, struc * We don't need massage, IPv6 header fields are always in * net endian. */ + key_freesav(&sav); return ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); #endif /* INET6 */ } panic("ipsec_process_done"); bad: m_freem(m); + key_freesav(&sav); + if (sp != NULL) + key_freesp(&sp); return (error); } -static struct ipsecrequest * -ipsec_nextisr( - struct mbuf *m, - struct ipsecrequest *isr, - int af, - struct secasindex *saidx, - int *error -) -{ -#define IPSEC_OSTAT(name) do { \ - if (isr->saidx.proto == IPPROTO_ESP) \ - ESPSTAT_INC(esps_##name); \ - else if (isr->saidx.proto == IPPROTO_AH)\ - AHSTAT_INC(ahs_##name); \ - else \ - IPCOMPSTAT_INC(ipcomps_##name); \ -} while (0) - struct secasvar *sav; - - IPSECREQUEST_LOCK_ASSERT(isr); - - IPSEC_ASSERT(af == AF_INET || af == AF_INET6, - ("invalid address family %u", af)); -again: - /* - * Craft SA index to search for proper SA. Note that - * we only fillin unspecified SA peers for transport - * mode; for tunnel mode they must already be filled in. 
- */ - *saidx = isr->saidx; - if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { - /* Fillin unspecified SA peers only for transport mode */ - if (af == AF_INET) { - struct sockaddr_in *sin; - struct ip *ip = mtod(m, struct ip *); - - if (saidx->src.sa.sa_len == 0) { - sin = &saidx->src.sin; - sin->sin_len = sizeof(*sin); - sin->sin_family = AF_INET; - sin->sin_port = IPSEC_PORT_ANY; - sin->sin_addr = ip->ip_src; - } - if (saidx->dst.sa.sa_len == 0) { - sin = &saidx->dst.sin; - sin->sin_len = sizeof(*sin); - sin->sin_family = AF_INET; - sin->sin_port = IPSEC_PORT_ANY; - sin->sin_addr = ip->ip_dst; - } - } else { - struct sockaddr_in6 *sin6; - struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); - - if (saidx->src.sin6.sin6_len == 0) { - sin6 = (struct sockaddr_in6 *)&saidx->src; - sin6->sin6_len = sizeof(*sin6); - sin6->sin6_family = AF_INET6; - sin6->sin6_port = IPSEC_PORT_ANY; - sin6->sin6_addr = ip6->ip6_src; - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { - /* fix scope id for comparing SPD */ - sin6->sin6_addr.s6_addr16[1] = 0; - sin6->sin6_scope_id = - ntohs(ip6->ip6_src.s6_addr16[1]); - } - } - if (saidx->dst.sin6.sin6_len == 0) { - sin6 = (struct sockaddr_in6 *)&saidx->dst; - sin6->sin6_len = sizeof(*sin6); - sin6->sin6_family = AF_INET6; - sin6->sin6_port = IPSEC_PORT_ANY; - sin6->sin6_addr = ip6->ip6_dst; - if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { - /* fix scope id for comparing SPD */ - sin6->sin6_addr.s6_addr16[1] = 0; - sin6->sin6_scope_id = - ntohs(ip6->ip6_dst.s6_addr16[1]); - } - } - } - } - - /* - * Lookup SA and validate it. - */ - *error = key_checkrequest(isr, saidx); - if (*error != 0) { - /* - * IPsec processing is required, but no SA found. - * I assume that key_acquire() had been called - * to get/establish the SA. Here I discard - * this packet because it is responsibility for - * upper layer to retransmit the packet. 
- */ - switch(af) { - case AF_INET: - IPSECSTAT_INC(ips_out_nosa); - break; -#ifdef INET6 - case AF_INET6: - IPSEC6STAT_INC(ips_out_nosa); - break; -#endif - } - goto bad; - } - sav = isr->sav; - if (sav == NULL) { - IPSEC_ASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE, - ("no SA found, but required; level %u", - ipsec_get_reqlevel(isr))); - IPSECREQUEST_UNLOCK(isr); - isr = isr->next; - /* - * If isr is NULL, we found a 'use' policy w/o SA. - * Return w/o error and w/o isr so we can drop out - * and continue w/o IPsec processing. - */ - if (isr == NULL) - return isr; - IPSECREQUEST_LOCK(isr); - goto again; - } - - /* - * Check system global policy controls. - */ - if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || - (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || - (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { - DPRINTF(("%s: IPsec outbound packet dropped due" - " to policy (check your sysctls)\n", __func__)); - IPSEC_OSTAT(pdrops); - *error = EHOSTUNREACH; - goto bad; - } - - /* - * Sanity check the SA contents for the caller - * before they invoke the xform output method. - */ - if (sav->tdb_xform == NULL) { - DPRINTF(("%s: no transform for SA\n", __func__)); - IPSEC_OSTAT(noxform); - *error = EHOSTUNREACH; - goto bad; - } - return isr; -bad: - IPSEC_ASSERT(*error != 0, ("error return w/ no error code")); - IPSECREQUEST_UNLOCK(isr); - return NULL; -#undef IPSEC_OSTAT -} - static int ipsec_encap(struct mbuf **mp, struct secasindex *saidx) { 
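Review bot: The removed ipsec_nextisr() was where outbound packets were dropped when V_esp_enable, V_ah_enable or V_ipcomp_enable is off, and where an SA with sav->tdb_xform == NULL was rejected before xf_output was called. The hunks shown here delete those checks without showing where they went. Please confirm that ipsec4_perform_request() and ipsec6_perform_request() perform both checks, and keep the ips_out_nosa accounting, before the transform is invoked. Otherwise a disabled protocol is no longer enforced on output and a transform-less SA reaches an indirect call through a NULL pointer.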
@@ -712,219 +791,3 @@ ipsec_encap(struct mbuf **mp, struct sec } return (0); } - -#ifdef INET -/* - * IPsec output logic for IPv4. - */ -int -ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr) -{ - char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN]; - struct ipsec_ctx_data ctx; - union sockaddr_union *dst; - struct secasindex saidx; - struct secasvar *sav; - struct ip *ip; - int error, i, off; - - IPSEC_ASSERT(m != NULL, ("null mbuf")); - IPSEC_ASSERT(isr != NULL, ("null isr")); - - IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */ - - isr = ipsec_nextisr(m, isr, AF_INET, &saidx, &error); - if (isr == NULL) { - if (error != 0) - goto bad; - return EJUSTRETURN; - } - - sav = isr->sav; - if (m->m_len < sizeof(struct ip) && - (m = m_pullup(m, sizeof (struct ip))) == NULL) { - error = ENOBUFS; - goto bad; - } - - IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE); - if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) - goto bad; - - ip = mtod(m, struct ip *); - dst = &sav->sah->saidx.dst; - /* Do the appropriate encapsulation, if necessary */ - if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ - dst->sa.sa_family != AF_INET || /* PF mismatch */ - (dst->sa.sa_family == AF_INET && /* Proxy */ - dst->sin.sin_addr.s_addr != INADDR_ANY && - dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) { - /* Fix IPv4 header checksum and length */ - ip->ip_len = htons(m->m_pkthdr.len); - ip->ip_sum = 0; - ip->ip_sum = in_cksum(m, ip->ip_hl << 2); - error = ipsec_encap(&m, &sav->sah->saidx); - if (error != 0) { - DPRINTF(("%s: encapsulation for SA %s->%s " - "SPI 0x%08x failed with error %d\n", __func__, - ipsec_address(&sav->sah->saidx.src, sbuf, - sizeof(sbuf)), - ipsec_address(&sav->sah->saidx.dst, dbuf, - sizeof(dbuf)), ntohl(sav->spi), error)); - goto bad; - } - } - - IPSEC_INIT_CTX(&ctx, &m, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); - if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) - goto bad; - - /* - * 
Dispatch to the appropriate IPsec transform logic. The - * packet will be returned for transmission after crypto - * processing, etc. are completed. - * - * NB: m & sav are ``passed to caller'' who's responsible for - * for reclaiming their resources. - */ - switch(dst->sa.sa_family) { - case AF_INET: - ip = mtod(m, struct ip *); - i = ip->ip_hl << 2; - off = offsetof(struct ip, ip_p); - break; -#ifdef INET6 - case AF_INET6: - i = sizeof(struct ip6_hdr); - off = offsetof(struct ip6_hdr, ip6_nxt); - break; -#endif /* INET6 */ - default: - DPRINTF(("%s: unsupported protocol family %u\n", - __func__, dst->sa.sa_family)); - error = EPFNOSUPPORT; - IPSECSTAT_INC(ips_out_inval); - goto bad; - } - error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off); - IPSECREQUEST_UNLOCK(isr); - return (error); -bad: - if (isr) - IPSECREQUEST_UNLOCK(isr); - if (m) - m_freem(m); - return error; -} -#endif - - -#ifdef INET6 -static int -in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, const struct in6_addr *ia) -{ - struct in6_addr ia2; - - memcpy(&ia2, &sa->sin6_addr, sizeof(ia2)); - if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr)) - ia2.s6_addr16[1] = htons(sa->sin6_scope_id); - - return IN6_ARE_ADDR_EQUAL(ia, &ia2); -} - -/* - * IPsec output logic for IPv6. 
- */ -int -ipsec6_process_packet(struct mbuf *m, struct ipsecrequest *isr) -{ - char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN]; - struct ipsec_ctx_data ctx; - struct secasindex saidx; - struct secasvar *sav; - struct ip6_hdr *ip6; - int error, i, off; - union sockaddr_union *dst; - - IPSEC_ASSERT(m != NULL, ("ipsec6_process_packet: null mbuf")); - IPSEC_ASSERT(isr != NULL, ("ipsec6_process_packet: null isr")); - - IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */ - - isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error); - if (isr == NULL) { - if (error != 0) - goto bad; - return EJUSTRETURN; - } - sav = isr->sav; - dst = &sav->sah->saidx.dst; - - IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET6, IPSEC_ENC_BEFORE); - if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) - goto bad; - - ip6 = mtod(m, struct ip6_hdr *); - ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); - - /* Do the appropriate encapsulation, if necessary */ - if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ - dst->sa.sa_family != AF_INET6 || /* PF mismatch */ - ((dst->sa.sa_family == AF_INET6) && - (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) && - (!in6_sa_equal_addrwithscope(&dst->sin6, - &ip6->ip6_dst)))) { - if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) { - /* No jumbogram support. 
*/ - error = ENXIO; /*XXX*/ - goto bad; - } - error = ipsec_encap(&m, &sav->sah->saidx); - if (error != 0) { - DPRINTF(("%s: encapsulation for SA %s->%s " - "SPI 0x%08x failed with error %d\n", __func__, - ipsec_address(&sav->sah->saidx.src, sbuf, - sizeof(sbuf)), - ipsec_address(&sav->sah->saidx.dst, dbuf, - sizeof(dbuf)), ntohl(sav->spi), error)); - goto bad; - } - } - - IPSEC_INIT_CTX(&ctx, &m, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); - if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) - goto bad; - - switch(dst->sa.sa_family) { -#ifdef INET - case AF_INET: - { - struct ip *ip; - ip = mtod(m, struct ip *); - i = ip->ip_hl << 2; - off = offsetof(struct ip, ip_p); - } - break; -#endif /* AF_INET */ - case AF_INET6: - i = sizeof(struct ip6_hdr); - off = offsetof(struct ip6_hdr, ip6_nxt); - break; - default: - DPRINTF(("%s: unsupported protocol family %u\n", - __func__, dst->sa.sa_family)); - error = EPFNOSUPPORT; - goto bad; - } - error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off); - IPSECREQUEST_UNLOCK(isr); - return error; -bad: - IPSEC6STAT_INC(ips_out_inval); - if (isr) - IPSECREQUEST_UNLOCK(isr); - if (m) - m_freem(m); - return error; -} -#endif /*INET6*/ From owner-svn-src-projects@freebsd.org Thu Nov 24 13:04:42 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ABBA9C517C3 for ; Thu, 24 Nov 2016 13:04:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6C6E21E0; Thu, 24 Nov 2016 13:04:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAOD4f6l037899; Thu, 24 Nov 2016 
13:04:41 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOD4fxK037898; Thu, 24 Nov 2016 13:04:41 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611241304.uAOD4fxK037898@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 13:04:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309102 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 13:04:42 -0000 Author: ae Date: Thu Nov 24 13:04:41 2016 New Revision: 309102 URL: https://svnweb.freebsd.org/changeset/base/309102 Log: Update outbound AH processing. Use xform_data structure to pass needed information to xform callback. Use SA lock to protect access to replay window structure and cryptoid. Use new rules how we hold references to SP and SA. Modified: projects/ipsec/sys/netipsec/xform_ah.c Modified: projects/ipsec/sys/netipsec/xform_ah.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ah.c Thu Nov 24 10:41:12 2016 (r309101) +++ projects/ipsec/sys/netipsec/xform_ah.c Thu Nov 24 13:04:41 2016 (r309102) 
@@ -857,25 +857,24 @@ bad: } /* - * AH output routine, called by ipsec[46]_process_packet(). + * AH output routine, called by ipsec[46]_perform_request(). */ static int -ah_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp, - int skip, int protoff) +ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, + u_int idx, int skip, int protoff) { - char buf[INET6_ADDRSTRLEN]; - struct secasvar *sav; + char buf[IPSEC_ADDRSTRLEN]; struct auth_hash *ahx; struct cryptodesc *crda; - struct tdb_crypto *tc; + struct xform_data *xd; struct mbuf *mi; struct cryptop *crp; - u_int16_t iplen; - int error, rplen, authsize, maxpacketsize, roff; - u_int8_t prot; struct newah *ah; + uint64_t cryptoid; + uint16_t iplen; + int error, rplen, authsize, maxpacketsize, roff; + uint8_t prot; - sav = isr->sav; IPSEC_ASSERT(sav != NULL, ("null SA")); ahx = sav->tdb_authalgxform; IPSEC_ASSERT(ahx != NULL, ("null authentication xform")); @@ -961,14 +960,16 @@ ah_output(struct mbuf *m, struct ipsecre m_copyback(m, skip + rplen, authsize, ipseczeroes); /* Insert packet replay counter, as requested. */ + SECASVAR_LOCK(sav); if (sav->replay) { if (sav->replay->count == ~0 && (sav->flags & SADB_X_EXT_CYCSEQ) == 0) { + SECASVAR_UNLOCK(sav); DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); AHSTAT_INC(ahs_wrap); - error = EINVAL; + error = EACCES; goto bad; } #ifdef REGRESSION @@ -978,6 +979,8 @@ ah_output(struct mbuf *m, struct ipsecre sav->replay->count++; ah->ah_seq = htonl(sav->replay->count); } + cryptoid = sav->tdb_cryptoid; + SECASVAR_UNLOCK(sav); /* Get crypto descriptors. */ crp = crypto_getreq(1); @@ -990,7 +993,6 @@ ah_output(struct mbuf *m, struct ipsecre } crda = crp->crp_desc; - crda->crd_skip = 0; crda->crd_inject = skip + rplen; crda->crd_len = m->m_pkthdr.len; 
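Review bot: In the replay-counter hunk of ah_output() (@@ -961), the wrap case now returns EACCES instead of EINVAL. The log message for this revision lists the xform_data change, the SA lock and the new reference rules, but not this. Mention the new errno in the log or in a comment at the assignment so it reads as intentional. The locking itself looks balanced: the early exit unlocks before the DPRINTF, and the normal path unlocks after copying tdb_cryptoid.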
@@ -1001,18 +1003,18 @@ ah_output(struct mbuf *m, struct ipsecre crda->crd_klen = _KEYBITS(sav->key_auth); /* Allocate IPsec-specific opaque crypto info. */ - tc = (struct tdb_crypto *) malloc( - sizeof(struct tdb_crypto) + skip, M_XDATA, M_NOWAIT|M_ZERO); - if (tc == NULL) { + xd = malloc(sizeof(struct xform_data) + skip, M_XDATA, + M_NOWAIT | M_ZERO); + if (xd == NULL) { crypto_freereq(crp); - DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); + DPRINTF(("%s: failed to allocate xform_data\n", __func__)); AHSTAT_INC(ahs_crypto); error = ENOBUFS; goto bad; } /* Save the skipped portion of the packet. */ - m_copydata(m, 0, skip, (caddr_t) (tc + 1)); + m_copydata(m, 0, skip, (caddr_t) (xd + 1)); /* * Fix IP header length on the header used for @@ -1022,7 +1024,7 @@ ah_output(struct mbuf *m, struct ipsecre switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET case AF_INET: - bcopy(((caddr_t)(tc + 1)) + + bcopy(((caddr_t)(xd + 1)) + offsetof(struct ip, ip_len), (caddr_t) &iplen, sizeof(u_int16_t)); iplen = htons(ntohs(iplen) + rplen + authsize); 
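Review bot: In the AF_INET branch (@@ -1022) the copy still uses sizeof(u_int16_t), although iplen is now declared uint16_t and the AF_INET6 branch is converted to sizeof(uint16_t) in the next hunk. Convert this branch too, or use sizeof(iplen) in both, so the length always follows the variable's type. Separately, the allocation above is sized "sizeof(struct xform_data) + skip" with skip a signed int and no visible bound. An IPSEC_ASSERT on skip at function entry would document the invariant that the m_copydata() into (xd + 1) depends on.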
@@ -1033,29 +1035,29 @@ ah_output(struct mbuf *m, struct ipsecre #ifdef INET6 case AF_INET6: - bcopy(((caddr_t)(tc + 1)) + + bcopy(((caddr_t)(xd + 1)) + offsetof(struct ip6_hdr, ip6_plen), - (caddr_t) &iplen, sizeof(u_int16_t)); + (caddr_t) &iplen, sizeof(uint16_t)); iplen = htons(ntohs(iplen) + rplen + authsize); m_copyback(m, offsetof(struct ip6_hdr, ip6_plen), - sizeof(u_int16_t), (caddr_t) &iplen); + sizeof(uint16_t), (caddr_t) &iplen); break; #endif /* INET6 */ } /* Fix the Next Header field in saved header. */ - ((u_int8_t *) (tc + 1))[protoff] = IPPROTO_AH; + ((uint8_t *) (xd + 1))[protoff] = IPPROTO_AH; /* Update the Next Protocol field in the IP header. */ prot = IPPROTO_AH; - m_copyback(m, protoff, sizeof(u_int8_t), (caddr_t) &prot); + m_copyback(m, protoff, sizeof(uint8_t), (caddr_t) &prot); /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 1); if (error != 0) { m = NULL; /* mbuf was free'd by ah_massage_headers. */ - free(tc, M_XDATA); + free(xd, M_XDATA); crypto_freereq(crp); goto bad; } @@ -1065,19 +1067,15 @@ ah_output(struct mbuf *m, struct ipsecre crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (caddr_t) m; crp->crp_callback = ah_output_cb; - crp->crp_sid = sav->tdb_cryptoid; - crp->crp_opaque = (caddr_t) tc; + crp->crp_sid = cryptoid; + crp->crp_opaque = (caddr_t) xd; /* These are passed as-is to the callback. */ - key_addref(isr->sp); - tc->tc_isr = isr; - KEY_ADDREFSA(sav); - tc->tc_sav = sav; - tc->tc_spi = sav->spi; - tc->tc_dst = sav->sah->saidx.dst; - tc->tc_proto = sav->sah->saidx.proto; - tc->tc_skip = skip; - tc->tc_protoff = protoff; + xd->sp = sp; + xd->sav = sav; + xd->skip = skip; + xd->idx = idx; + xd->cryptoid = cryptoid; return crypto_dispatch(crp); bad: 
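Review bot: In the last hunk of ah_output() (@@ -1065), xd->sp and xd->sav are stored without the key_addref()/KEY_ADDREFSA() calls that used to precede them, so the caller's references now travel with the request and are released by the callback or by ipsec_process_done(). The function comment only says who calls ah_output(). Please extend it to state that sp and sav references are consumed, and who releases them when ah_output() fails at its own bad: label before crypto_dispatch(), since that label is outside the lines shown here.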
@@ -1092,45 +1090,37 @@ bad: static int ah_output_cb(struct cryptop *crp) { - int skip, protoff, error; - struct tdb_crypto *tc; - struct ipsecrequest *isr; + struct xform_data *xd; + struct secpolicy *sp; struct secasvar *sav; struct mbuf *m; + uint64_t cryptoid; caddr_t ptr; + u_int idx; + int skip, error; - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("null opaque data area!")); - skip = tc->tc_skip; - protoff = tc->tc_protoff; - ptr = (caddr_t) (tc + 1); m = (struct mbuf *) crp->crp_buf; - - isr = tc->tc_isr; - IPSEC_ASSERT(isr->sp != NULL, ("NULL isr->sp")); - IPSECREQUEST_LOCK(isr); - sav = tc->tc_sav; - /* With the isr lock released SA pointer can be updated. */ - if (sav != isr->sav) { - AHSTAT_INC(ahs_notdb); - DPRINTF(("%s: SA expired while in crypto\n", __func__)); - error = ENOBUFS; /*XXX*/ - goto bad; - } + xd = (struct xform_data *) crp->crp_opaque; + sp = xd->sp; + sav = xd->sav; + skip = xd->skip; + idx = xd->idx; + cryptoid = xd->cryptoid; + ptr = (caddr_t) (xd + 1); /* Check for crypto errors. */ if (crp->crp_etype) { - if (sav->tdb_cryptoid != 0) - sav->tdb_cryptoid = crp->crp_sid; - if (crp->crp_etype == EAGAIN) { - IPSECREQUEST_UNLOCK(isr); + /* Reset the session ID */ + if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + crypto_freesession(cryptoid); + xd->cryptoid = crp->crp_sid; return (crypto_dispatch(crp)); } - AHSTAT_INC(ahs_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; + m_freem(m); goto bad; } 
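Review bot: The EAGAIN branch in ah_output_cb() calls ipsec_updateid(sav, &crp->crp_sid, &cryptoid) and frees the session in cryptoid when the result is non-zero, but the only comment is "Reset the session ID". Say in a comment what a non-zero return means and why the old id is the one to free, because a mistake here is either a leaked or a double-freed crypto session. The same lines are repeated in esp_output_cb() and ipcomp_output_cb() in the following commits; a small shared helper would keep the three copies from drifting. Also note that m_freem(m) is now done by hand before this path's goto bad, which means bad: no longer owns the mbuf. A comment at the label would stop a future goto bad from leaking it.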
@@ -1141,18 +1131,15 @@ ah_output_cb(struct cryptop *crp) error = EINVAL; goto bad; } - AHSTAT_INC(ahs_hist[sav->alg_auth]); - /* * Copy original headers (with the new protocol number) back * in place. */ m_copyback(m, 0, skip, ptr); - /* No longer needed. */ - free(tc, M_XDATA); + free(xd, M_XDATA); crypto_freereq(crp); - + AHSTAT_INC(ahs_hist[sav->alg_auth]); #ifdef REGRESSION /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ if (V_ipsec_integrity) { 
@@ -1168,20 +1155,13 @@ ah_output_cb(struct cryptop *crp) #endif /* NB: m is reclaimed by ipsec_process_done. */ - error = ipsec_process_done(m, isr); - KEY_FREESAV(&sav); - IPSECREQUEST_UNLOCK(isr); - KEY_FREESP(&isr->sp); + error = ipsec_process_done(m, sp, sav, idx); return (error); bad: - if (sav) - KEY_FREESAV(&sav); - IPSECREQUEST_UNLOCK(isr); - KEY_FREESP(&isr->sp); - if (m) - m_freem(m); - free(tc, M_XDATA); + free(xd, M_XDATA); crypto_freereq(crp); + key_freesav(&sav); + key_freesp(&sp); return (error); } From owner-svn-src-projects@freebsd.org Thu Nov 24 13:20:25 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0F39CC522C2 for ; Thu, 24 Nov 2016 13:20:25 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C42176EB; Thu, 24 Nov 2016 13:20:24 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAODKNJR042064; Thu, 24 Nov 2016 13:20:23 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAODKNjY042063; Thu, 24 Nov 2016 13:20:23 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611241320.uAODKNjY042063@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 13:20:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309103 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 13:20:25 -0000 Author: ae Date: Thu Nov 24 13:20:23 2016 New Revision: 309103 URL: https://svnweb.freebsd.org/changeset/base/309103 Log: Update outbound ESP processing. Use xform_data structure to pass needed information to xform callback. Use SA lock to protect access to replay window structure, cryptoid and CTR counter. Use new rules how we hold references to SP and SA. Modified: projects/ipsec/sys/netipsec/xform_esp.c Modified: projects/ipsec/sys/netipsec/xform_esp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_esp.c Thu Nov 24 13:04:41 2016 (r309102) +++ projects/ipsec/sys/netipsec/xform_esp.c Thu Nov 24 13:20:23 2016 (r309103) 
@@ -647,30 +647,27 @@ bad: return error; } /* - * ESP output routine, called by ipsec[46]_process_packet(). + * ESP output routine, called by ipsec[46]_perform_request(). */ static int -esp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp, - int skip, int protoff) +esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, + u_int idx, int skip, int protoff) { - char buf[INET6_ADDRSTRLEN]; + char buf[IPSEC_ADDRSTRLEN]; + struct cryptodesc *crde = NULL, *crda = NULL; + struct cryptop *crp; struct enc_xform *espx; struct auth_hash *esph; - uint8_t *ivp; - uint64_t cntr; - int hlen, rlen, padding, blks, alen, i, roff; - struct mbuf *mo = (struct mbuf *) NULL; - struct tdb_crypto *tc; - struct secasvar *sav; + struct mbuf *mo = NULL; + struct xform_data *xd; struct secasindex *saidx; unsigned char *pad; - u_int8_t prot; + uint8_t *ivp; + uint64_t cntr, cryptoid; + int hlen, rlen, padding, blks, alen, i, roff; int error, maxpacketsize; + uint8_t prot; - struct cryptodesc *crde = NULL, *crda = NULL; - struct cryptop *crp; - - sav = isr->sav; IPSEC_ASSERT(sav != NULL, ("null SA")); esph = sav->tdb_authalgxform; espx = sav->tdb_encalgxform; @@ -716,8 +713,9 @@ esp_output(struct mbuf *m, struct ipsecr error = EPFNOSUPPORT; goto bad; } + /* DPRINTF(("%s: skip %d hlen %d rlen %d padding %d alen %d blksd %d\n", - __func__, skip, hlen, rlen, padding, alen, blks)); + __func__, skip, hlen, rlen, padding, alen, blks)); */ if (skip + hlen + rlen + padding + alen > maxpacketsize) { DPRINTF(("%s: packet in SA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, 
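Review bot: The second esp_output() hunk (@@ -716) disables the "skip %d hlen %d rlen %d padding %d alen %d blksd %d" DPRINTF by wrapping it in /* ... */. Commented-out code should not go into the tree. Either delete the statement or keep it compiled under the existing debug mechanism, so that it does not rot as the variables around it change.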
@@ -748,15 +746,17 @@ esp_output(struct mbuf *m, struct ipsecr DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n", __func__, hlen, ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); - ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */ + ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */ error = ENOBUFS; goto bad; } /* Initialize ESP header. */ - bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff, sizeof(u_int32_t)); + bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff, + sizeof(uint32_t)); + SECASVAR_LOCK(sav); if (sav->replay) { - u_int32_t replay; + uint32_t replay; #ifdef REGRESSION /* Emulate replay attack when ipsec_replay is TRUE. */ @@ -764,10 +764,14 @@ esp_output(struct mbuf *m, struct ipsecr #endif sav->replay->count++; replay = htonl(sav->replay->count); - bcopy((caddr_t) &replay, - mtod(mo, caddr_t) + roff + sizeof(u_int32_t), - sizeof(u_int32_t)); + + bcopy((caddr_t) &replay, mtod(mo, caddr_t) + roff + + sizeof(uint32_t), sizeof(uint32_t)); } + cryptoid = sav->tdb_cryptoid; + if (SAV_ISCTRORGCM(sav)) + cntr = sav->cntr++; + SECASVAR_UNLOCK(sav); /* * Add padding -- better to do it ourselves than use the crypto engine, @@ -819,11 +823,10 @@ esp_output(struct mbuf *m, struct ipsecr } /* IPsec-specific opaque crypto info. */ - tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), - M_XDATA, M_NOWAIT|M_ZERO); - if (tc == NULL) { + xd = malloc(sizeof(struct xform_data), M_XDATA, M_NOWAIT | M_ZERO); + if (xd == NULL) { crypto_freereq(crp); - DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); + DPRINTF(("%s: failed to allocate xform_data\n", __func__)); ESPSTAT_INC(esps_crypto); error = ENOBUFS; goto bad; 
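Review bot: In the hunk that takes SECASVAR_LOCK (@@ -764), cntr is assigned only when SAV_ISCTRORGCM(sav) is true, while be64enc(&ivp[4], cntr) in the next hunk reads it and the guarding condition there is not part of the diff. Make sure the read sits under the same predicate. Initializing cntr to 0 at declaration would also silence a maybe-uninitialized warning and avoid feeding stack contents into an IV if the two conditions ever diverge. Moving the counter fetch into the same critical section as the replay counter and cryptoid is a good change.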
@@ -849,13 +852,10 @@ esp_output(struct mbuf *m, struct ipsecr /* Nonce is last four bytes of key, RFC3686 5.1 */ memcpy(ivp, sav->key_enc->key_data + _KEYLEN(sav->key_enc) - 4, 4); - SECASVAR_LOCK(sav); - cntr = sav->cntr++; - SECASVAR_UNLOCK(sav); be64enc(&ivp[4], cntr); - if (SAV_ISCTR(sav)) { /* Initial block counter is 1, RFC3686 4 */ + /* XXXAE: should we use this only for first packet? */ be32enc(&ivp[sav->ivlen + 4], 1); } @@ -864,21 +864,18 @@ esp_output(struct mbuf *m, struct ipsecr } /* Callback parameters */ - key_addref(isr->sp); - tc->tc_isr = isr; - KEY_ADDREFSA(sav); - tc->tc_sav = sav; - tc->tc_spi = sav->spi; - tc->tc_dst = saidx->dst; - tc->tc_proto = saidx->proto; + xd->sp = sp; + xd->sav = sav; + xd->idx = idx; + xd->cryptoid = cryptoid; /* Crypto operation descriptor. */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (caddr_t) m; crp->crp_callback = esp_output_cb; - crp->crp_opaque = (caddr_t) tc; - crp->crp_sid = sav->tdb_cryptoid; + crp->crp_opaque = (caddr_t) xd; + crp->crp_sid = cryptoid; if (esph) { /* Authentication descriptor. */ 
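Review bot: The added comment "XXXAE: should we use this only for first packet?" (@@ -849) leaves an open question in the IV construction. RFC 3686 section 4, which the line above already cites, builds the counter block for each packet with the block counter starting at one, so the be32enc(..., 1) is needed on every packet. Please resolve the question and drop the XXX marker, or replace it with a sentence stating that. In the callback-parameter hunk, xd->skip and xd->protoff are left zero, unlike the IPComp path; that is fine as long as esp_output_cb() never reads them, which matches the lines shown.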
@@ -897,53 +894,40 @@ bad: m_freem(m); return (error); } - /* * ESP output callback from the crypto driver. */ static int esp_output_cb(struct cryptop *crp) { - char buf[INET6_ADDRSTRLEN]; - struct tdb_crypto *tc; - struct ipsecrequest *isr; + struct xform_data *xd; + struct secpolicy *sp; struct secasvar *sav; struct mbuf *m; + uint64_t cryptoid; + u_int idx; int error; - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("null opaque data area!")); + xd = (struct xform_data *) crp->crp_opaque; m = (struct mbuf *) crp->crp_buf; - - isr = tc->tc_isr; - IPSEC_ASSERT(isr->sp != NULL, ("NULL isr->sp")); - IPSECREQUEST_LOCK(isr); - sav = tc->tc_sav; - - /* With the isr lock released, SA pointer may have changed. */ - if (sav != isr->sav) { - ESPSTAT_INC(esps_notdb); - DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n", - __func__, ipsec_address(&tc->tc_dst, buf, sizeof(buf)), - (u_long) ntohl(tc->tc_spi), tc->tc_proto)); - error = ENOBUFS; /*XXX*/ - goto bad; - } + sp = xd->sp; + sav = xd->sav; + idx = xd->idx; + cryptoid = xd->cryptoid; /* Check for crypto errors. */ if (crp->crp_etype) { - /* Reset session ID. */ - if (sav->tdb_cryptoid != 0) - sav->tdb_cryptoid = crp->crp_sid; - if (crp->crp_etype == EAGAIN) { - IPSECREQUEST_UNLOCK(isr); + /* Reset the session ID */ + if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + crypto_freesession(cryptoid); + xd->cryptoid = crp->crp_sid; return (crypto_dispatch(crp)); } - ESPSTAT_INC(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; + m_freem(m); goto bad; } 
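Review bot: esp_output_cb() now reads xd->sp, xd->sav, xd->idx and xd->cryptoid right after the cast of crp->crp_opaque, and the IPSEC_ASSERT(tc != NULL, ("null opaque data area!")) it replaces is dropped rather than renamed. Keep an equivalent assertion on xd ahead of the first dereference; ah_output_cb() in the previous commit has the same omission. The hunk also removes the "SA gone during crypto" test together with ESPSTAT_INC(esps_notdb). If that counter can no longer be incremented on output, say so in the log, so that anyone monitoring it knows why it stopped moving.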
@@ -954,14 +938,12 @@ esp_output_cb(struct cryptop *crp) error = EINVAL; goto bad; } + free(xd, M_XDATA); + crypto_freereq(crp); ESPSTAT_INC(esps_hist[sav->alg_enc]); if (sav->tdb_authalgxform != NULL) AHSTAT_INC(ahs_hist[sav->alg_auth]); - /* Release crypto descriptors. */ - free(tc, M_XDATA); - crypto_freereq(crp); - #ifdef REGRESSION /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ if (V_ipsec_integrity) { 
@@ -984,23 +966,15 @@ esp_output_cb(struct cryptop *crp) #endif /* NB: m is reclaimed by ipsec_process_done. */ - error = ipsec_process_done(m, isr); - KEY_FREESAV(&sav); - IPSECREQUEST_UNLOCK(isr); - KEY_FREESP(&isr->sp); + error = ipsec_process_done(m, sp, sav, idx); return (error); bad: - if (sav) - KEY_FREESAV(&sav); - IPSECREQUEST_UNLOCK(isr); - KEY_FREESP(&isr->sp); - if (m) - m_freem(m); - free(tc, M_XDATA); + free(xd, M_XDATA); crypto_freereq(crp); + key_freesav(&sav); + key_freesp(&sp); return (error); } - static struct xformsw esp_xformsw = { XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP", esp_init, esp_zeroize, esp_input, From owner-svn-src-projects@freebsd.org Thu Nov 24 13:26:33 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A5D84C5269D for ; Thu, 24 Nov 2016 13:26:33 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 80943CAB; Thu, 24 Nov 2016 13:26:33 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAODQWIY045752; Thu, 24 Nov 2016 13:26:32 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAODQWTn045751; Thu, 24 Nov 2016 13:26:32 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611241326.uAODQWTn045751@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 13:26:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309104 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 13:26:33 -0000 Author: ae Date: Thu Nov 24 13:26:32 2016 New Revision: 309104 URL: https://svnweb.freebsd.org/changeset/base/309104 Log: Update outbound IPcomp processing. Use xform_data structure to pass needed information to xform callback. Use SA lock to protect access to cryptoid. Use new rules how we hold references to SP and SA. Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ipcomp.c Thu Nov 24 13:20:23 2016 (r309103) +++ projects/ipsec/sys/netipsec/xform_ipcomp.c Thu Nov 24 13:26:32 2016 (r309104) 
@@ -389,21 +389,19 @@ bad: } /* - * IPComp output routine, called by ipsec[46]_process_packet() + * IPComp output routine, called by ipsec[46]_perform_request() */ static int -ipcomp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp, - int skip, int protoff) +ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, + u_int idx, int skip, int protoff) { - char buf[INET6_ADDRSTRLEN]; - struct secasvar *sav; + char buf[IPSEC_ADDRSTRLEN]; struct comp_algo *ipcompx; - int error, ralen, maxpacketsize; struct cryptodesc *crdc; struct cryptop *crp; - struct tdb_crypto *tc; + struct xform_data *xd; + int error, ralen, maxpacketsize; - sav = isr->sav; IPSEC_ASSERT(sav != NULL, ("null SA")); ipcompx = sav->tdb_compalgxform; IPSEC_ASSERT(ipcompx != NULL, ("null compression xform")); @@ -416,7 +414,7 @@ ipcomp_output(struct mbuf *m, struct ips */ if (m->m_pkthdr.len <= ipcompx->minlen) { IPCOMPSTAT_INC(ipcomps_threshold); - return ipsec_process_done(m, isr); + return ipsec_process_done(m, sp, sav, idx); } ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ 
@@ -490,33 +488,31 @@ ipcomp_output(struct mbuf *m, struct ips crdc->crd_alg = ipcompx->type; /* IPsec-specific opaque crypto info */ - tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), - M_XDATA, M_NOWAIT|M_ZERO); - if (tc == NULL) { + xd = malloc(sizeof(struct xform_data), M_XDATA, M_NOWAIT | M_ZERO); + if (xd == NULL) { IPCOMPSTAT_INC(ipcomps_crypto); - DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); + DPRINTF(("%s: failed to allocate xform_data\n", __func__)); crypto_freereq(crp); error = ENOBUFS; goto bad; } - key_addref(isr->sp); - tc->tc_isr = isr; - KEY_ADDREFSA(sav); - tc->tc_sav = sav; - tc->tc_spi = sav->spi; - tc->tc_dst = sav->sah->saidx.dst; - tc->tc_proto = sav->sah->saidx.proto; - tc->tc_protoff = protoff; - tc->tc_skip = skip; + xd->sp = sp; + xd->sav = sav; + xd->idx = idx; + xd->skip = skip; + xd->protoff = protoff; /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC; crp->crp_buf = (caddr_t) m; crp->crp_callback = ipcomp_output_cb; - crp->crp_opaque = (caddr_t) tc; - crp->crp_sid = sav->tdb_cryptoid; + crp->crp_opaque = (caddr_t) xd; + + SECASVAR_LOCK(sav); + crp->crp_sid = xd->cryptoid = sav->tdb_cryptoid; + SECASVAR_UNLOCK(sav); return crypto_dispatch(crp); bad: 
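Review bot: ipcomp_output() fetches the session id at the very end with the chained assignment "crp->crp_sid = xd->cryptoid = sav->tdb_cryptoid;", whereas ah_output() and esp_output() copy tdb_cryptoid into a local cryptoid under SECASVAR_LOCK and assign both fields from that local. Use the same pattern here so the three output routines read alike and the locked region contains a single load.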
@@ -531,39 +527,32 @@ bad: static int ipcomp_output_cb(struct cryptop *crp) { - char buf[INET6_ADDRSTRLEN]; - struct tdb_crypto *tc; - struct ipsecrequest *isr; + char buf[IPSEC_ADDRSTRLEN]; + struct xform_data *xd; + struct secpolicy *sp; struct secasvar *sav; struct mbuf *m; - int error, skip; + uint64_t cryptoid; + u_int idx; + int error, skip, protoff; - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("null opaque data area!")); m = (struct mbuf *) crp->crp_buf; - skip = tc->tc_skip; - - isr = tc->tc_isr; - IPSEC_ASSERT(isr->sp != NULL, ("NULL isr->sp")); - IPSECREQUEST_LOCK(isr); - sav = tc->tc_sav; - /* With the isr lock released SA pointer can be updated. */ - if (sav != isr->sav) { - IPCOMPSTAT_INC(ipcomps_notdb); - DPRINTF(("%s: SA expired while in crypto\n", __func__)); - error = ENOBUFS; /*XXX*/ - goto bad; - } + xd = (struct xform_data *) crp->crp_opaque; + idx = xd->idx; + sp = xd->sp; + sav = xd->sav; + skip = xd->skip; + protoff = xd->protoff; + cryptoid = xd->cryptoid; /* Check for crypto errors */ if (crp->crp_etype) { - /* Reset the session ID */ - if (sav->tdb_cryptoid != 0) - sav->tdb_cryptoid = crp->crp_sid; - if (crp->crp_etype == EAGAIN) { - IPSECREQUEST_UNLOCK(isr); - return crypto_dispatch(crp); + /* Reset the session ID */ + if (ipsec_updateid(sav, &crp->crp_sid, &cryptoid) != 0) + crypto_freesession(cryptoid); + xd->cryptoid = crp->crp_sid; + return (crypto_dispatch(crp)); } IPCOMPSTAT_INC(ipcomps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); @@ -589,7 +578,8 @@ ipcomp_output_cb(struct cryptop *crp) mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); if (mo == NULL) { IPCOMPSTAT_INC(ipcomps_wrap); - DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n", + DPRINTF(("%s: IPCOMP header inject failed " + "for IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); error = ENOBUFS; 
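Review bot: at the top of ipcomp_output_cb() the IPSEC_ASSERT(tc != NULL, ("null opaque data area!")) is dropped and xd is dereferenced unchecked; keep an equivalent assertion on xd. The removed sav != isr->sav test handled the "SA expired while in crypto" case and nothing visible in this hunk replaces it, so a comment should say where SA validity is checked now. The session ID is also refreshed only under EAGAIN, whereas the old code reset sav->tdb_cryptoid for any crp_etype; the commit should note whether that narrowing is intended.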
@@ -616,7 +606,7 @@ ipcomp_output_cb(struct cryptop *crp) /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; - m_copyback(m, tc->tc_protoff, sizeof(u_int8_t), + m_copyback(m, protoff, sizeof(u_int8_t), (u_char *)&prot); /* Adjust the length in the IP header */ 
@@ -652,24 +642,19 @@ ipcomp_output_cb(struct cryptop *crp) } /* Release the crypto descriptor */ - free(tc, M_XDATA); + free(xd, M_XDATA); crypto_freereq(crp); /* NB: m is reclaimed by ipsec_process_done. */ - error = ipsec_process_done(m, isr); - KEY_FREESAV(&sav); - IPSECREQUEST_UNLOCK(isr); - KEY_FREESP(&isr->sp); + error = ipsec_process_done(m, sp, sav, idx); return (error); bad: - if (sav) - KEY_FREESAV(&sav); - IPSECREQUEST_UNLOCK(isr); - KEY_FREESP(&isr->sp); if (m) m_freem(m); - free(tc, M_XDATA); + free(xd, M_XDATA); crypto_freereq(crp); + key_freesav(&sav); + key_freesp(&sp); return (error); } From owner-svn-src-projects@freebsd.org Thu Nov 24 13:28:58 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 74A3DC52861 for ; Thu, 24 Nov 2016 13:28:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3B4F0E87; Thu, 24 Nov 2016 13:28:58 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAODSvom045866; Thu, 24 Nov 2016 13:28:57 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAODSv7R045865; Thu, 24 Nov 2016 13:28:57 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611241328.uAODSv7R045865@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 13:28:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309105 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 13:28:58 -0000 Author: ae Date: Thu Nov 24 13:28:57 2016 New Revision: 309105 URL: https://svnweb.freebsd.org/changeset/base/309105 Log: Update tcpsignature_output() definition to match new xf_output type. Modified: projects/ipsec/sys/netipsec/xform_tcp.c Modified: projects/ipsec/sys/netipsec/xform_tcp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_tcp.c Thu Nov 24 13:26:32 2016 (r309104) +++ projects/ipsec/sys/netipsec/xform_tcp.c Thu Nov 24 13:28:57 2016 (r309105) 
@@ -146,8 +146,8 @@ tcpsignature_input(struct mbuf *m, struc * We do this from within tcp itself, so this routine is just a stub. */ static int -tcpsignature_output(struct mbuf *m, struct ipsecrequest *isr, - struct mbuf **mp, int skip, int protoff) +tcpsignature_output(struct mbuf *m, struct secpolicy *sp, + struct secasvar *sav, u_int idx, int skip, int protoff) { return (EINVAL); From owner-svn-src-projects@freebsd.org Thu Nov 24 14:39:07 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 52F2DC53432 for ; Thu, 24 Nov 2016 14:39:07 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 092BBB0C; Thu, 24 Nov 2016 14:39:06 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAOEd6m8074449; Thu, 24 Nov 2016 14:39:06 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOEd5qS074442; Thu, 24 Nov 2016 14:39:05 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611241439.uAOEd5qS074442@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f 
From: Dimitry Andric Date: Thu, 24 Nov 2016 14:39:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309106 - in projects/clang390-import: . cddl/contrib/opensolaris/lib/libzfs/common contrib/ntp contrib/ntp/html contrib/ntp/html/drivers contrib/ntp/include contrib/ntp/lib/isc contrib... X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 14:39:07 -0000 Author: dim Date: Thu Nov 24 14:39:04 2016 New Revision: 309106 URL: https://svnweb.freebsd.org/changeset/base/309106 Log: Merge ^/head r308870 through r309105. Added: projects/clang390-import/contrib/ntp/include/libssl_compat.h - copied unchanged from r309105, head/contrib/ntp/include/libssl_compat.h projects/clang390-import/contrib/ntp/libntp/libssl_compat.c - copied unchanged from r309105, head/contrib/ntp/libntp/libssl_compat.c projects/clang390-import/contrib/ntp/sntp/unity/ulib_setup.c - copied unchanged from r309105, head/contrib/ntp/sntp/unity/ulib_setup.c projects/clang390-import/contrib/ntp/sntp/unity/ulib_teardown.c - copied unchanged from r309105, head/contrib/ntp/sntp/unity/ulib_teardown.c projects/clang390-import/lib/libpathconv/ - copied from r309105, head/lib/libpathconv/ projects/clang390-import/release/packages/jail-debug.ucl - copied unchanged from r309105, head/release/packages/jail-debug.ucl projects/clang390-import/release/packages/jail-development.ucl - copied unchanged from r309105, head/release/packages/jail-development.ucl projects/clang390-import/release/packages/jail-lib32-debug.ucl - copied unchanged from r309105, head/release/packages/jail-lib32-debug.ucl projects/clang390-import/release/packages/jail-lib32-development.ucl - 
copied unchanged from r309105, head/release/packages/jail-lib32-development.ucl projects/clang390-import/release/packages/jail-lib32-profile.ucl - copied unchanged from r309105, head/release/packages/jail-lib32-profile.ucl projects/clang390-import/release/packages/jail-lib32.ucl - copied unchanged from r309105, head/release/packages/jail-lib32.ucl projects/clang390-import/release/packages/jail-profile.ucl - copied unchanged from r309105, head/release/packages/jail-profile.ucl projects/clang390-import/share/man/man4/armv8crypto.4 - copied unchanged from r309105, head/share/man/man4/armv8crypto.4 projects/clang390-import/share/man/man4/bytgpio.4 - copied unchanged from r309105, head/share/man/man4/bytgpio.4 projects/clang390-import/sys/boot/fdt/dts/arm/h3.dtsi - copied unchanged from r309105, head/sys/boot/fdt/dts/arm/h3.dtsi projects/clang390-import/sys/boot/fdt/dts/arm/nanopi-neo.dts - copied unchanged from r309105, head/sys/boot/fdt/dts/arm/nanopi-neo.dts projects/clang390-import/sys/boot/fdt/dts/arm/orangepi-plus-2e.dts - copied unchanged from r309105, head/sys/boot/fdt/dts/arm/orangepi-plus-2e.dts projects/clang390-import/sys/boot/fdt/dts/arm/sun8i-h3-nanopi-neo.dts - copied unchanged from r309105, head/sys/boot/fdt/dts/arm/sun8i-h3-nanopi-neo.dts projects/clang390-import/sys/crypto/armv8/ - copied from r309105, head/sys/crypto/armv8/ projects/clang390-import/sys/dev/pci/pci_host_generic_fdt.c - copied unchanged from r309105, head/sys/dev/pci/pci_host_generic_fdt.c projects/clang390-import/sys/dev/pci/pci_host_generic_fdt.h - copied unchanged from r309105, head/sys/dev/pci/pci_host_generic_fdt.h projects/clang390-import/sys/dev/uart/uart_cpu_arm64.c - copied unchanged from r309105, head/sys/dev/uart/uart_cpu_arm64.c projects/clang390-import/sys/mips/conf/MALTA64EL - copied unchanged from r309105, head/sys/mips/conf/MALTA64EL projects/clang390-import/sys/mips/conf/MALTAEL - copied unchanged from r309105, head/sys/mips/conf/MALTAEL 
projects/clang390-import/sys/mips/ingenic/jz4780_pdma.h - copied unchanged from r309105, head/sys/mips/ingenic/jz4780_pdma.h projects/clang390-import/sys/modules/armv8crypto/ - copied from r309105, head/sys/modules/armv8crypto/ projects/clang390-import/sys/modules/bytgpio/ - copied from r309105, head/sys/modules/bytgpio/ Deleted: projects/clang390-import/sys/boot/fdt/dts/arm/am335x-evm.dts Modified: projects/clang390-import/ObsoleteFiles.inc projects/clang390-import/UPDATING projects/clang390-import/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c projects/clang390-import/contrib/ntp/ChangeLog projects/clang390-import/contrib/ntp/CommitLog projects/clang390-import/contrib/ntp/NEWS projects/clang390-import/contrib/ntp/configure projects/clang390-import/contrib/ntp/html/drivers/driver40-ja.html projects/clang390-import/contrib/ntp/html/drivers/driver40.html projects/clang390-import/contrib/ntp/html/miscopt.html projects/clang390-import/contrib/ntp/include/Makefile.am projects/clang390-import/contrib/ntp/include/Makefile.in projects/clang390-import/contrib/ntp/include/ntp.h projects/clang390-import/contrib/ntp/include/ntp_intres.h projects/clang390-import/contrib/ntp/include/ntpd.h projects/clang390-import/contrib/ntp/lib/isc/netaddr.c projects/clang390-import/contrib/ntp/libntp/Makefile.am projects/clang390-import/contrib/ntp/libntp/Makefile.in projects/clang390-import/contrib/ntp/libntp/a_md5encrypt.c projects/clang390-import/contrib/ntp/libntp/audio.c projects/clang390-import/contrib/ntp/libntp/ntp_calendar.c projects/clang390-import/contrib/ntp/libntp/ntp_intres.c projects/clang390-import/contrib/ntp/libntp/ssl_init.c projects/clang390-import/contrib/ntp/libntp/work_fork.c projects/clang390-import/contrib/ntp/libparse/clk_hopf6021.c projects/clang390-import/contrib/ntp/ntpd/complete.conf.in projects/clang390-import/contrib/ntp/ntpd/invoke-ntp.conf.texi projects/clang390-import/contrib/ntp/ntpd/invoke-ntp.keys.texi 
projects/clang390-import/contrib/ntp/ntpd/invoke-ntpd.texi projects/clang390-import/contrib/ntp/ntpd/keyword-gen-utd projects/clang390-import/contrib/ntp/ntpd/keyword-gen.c projects/clang390-import/contrib/ntp/ntpd/ntp.conf.5man projects/clang390-import/contrib/ntp/ntpd/ntp.conf.5mdoc projects/clang390-import/contrib/ntp/ntpd/ntp.conf.def projects/clang390-import/contrib/ntp/ntpd/ntp.conf.html projects/clang390-import/contrib/ntp/ntpd/ntp.conf.man.in projects/clang390-import/contrib/ntp/ntpd/ntp.conf.mdoc.in projects/clang390-import/contrib/ntp/ntpd/ntp.keys.5man projects/clang390-import/contrib/ntp/ntpd/ntp.keys.5mdoc projects/clang390-import/contrib/ntp/ntpd/ntp.keys.html projects/clang390-import/contrib/ntp/ntpd/ntp.keys.man.in projects/clang390-import/contrib/ntp/ntpd/ntp.keys.mdoc.in projects/clang390-import/contrib/ntp/ntpd/ntp_config.c projects/clang390-import/contrib/ntp/ntpd/ntp_control.c projects/clang390-import/contrib/ntp/ntpd/ntp_crypto.c projects/clang390-import/contrib/ntp/ntpd/ntp_keyword.h projects/clang390-import/contrib/ntp/ntpd/ntp_loopfilter.c projects/clang390-import/contrib/ntp/ntpd/ntp_parser.c projects/clang390-import/contrib/ntp/ntpd/ntp_parser.h projects/clang390-import/contrib/ntp/ntpd/ntp_peer.c projects/clang390-import/contrib/ntp/ntpd/ntp_proto.c projects/clang390-import/contrib/ntp/ntpd/ntp_refclock.c projects/clang390-import/contrib/ntp/ntpd/ntpd-opts.c projects/clang390-import/contrib/ntp/ntpd/ntpd-opts.h projects/clang390-import/contrib/ntp/ntpd/ntpd.1ntpdman projects/clang390-import/contrib/ntp/ntpd/ntpd.1ntpdmdoc projects/clang390-import/contrib/ntp/ntpd/ntpd.html projects/clang390-import/contrib/ntp/ntpd/ntpd.man.in projects/clang390-import/contrib/ntp/ntpd/ntpd.mdoc.in projects/clang390-import/contrib/ntp/ntpd/refclock_gpsdjson.c projects/clang390-import/contrib/ntp/ntpd/refclock_jjy.c projects/clang390-import/contrib/ntp/ntpd/refclock_jupiter.c projects/clang390-import/contrib/ntp/ntpdc/invoke-ntpdc.texi 
projects/clang390-import/contrib/ntp/ntpdc/ntpdc-opts.c projects/clang390-import/contrib/ntp/ntpdc/ntpdc-opts.h projects/clang390-import/contrib/ntp/ntpdc/ntpdc.1ntpdcman projects/clang390-import/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc projects/clang390-import/contrib/ntp/ntpdc/ntpdc.html projects/clang390-import/contrib/ntp/ntpdc/ntpdc.man.in projects/clang390-import/contrib/ntp/ntpdc/ntpdc.mdoc.in projects/clang390-import/contrib/ntp/ntpq/invoke-ntpq.texi projects/clang390-import/contrib/ntp/ntpq/ntpq-opts.c projects/clang390-import/contrib/ntp/ntpq/ntpq-opts.h projects/clang390-import/contrib/ntp/ntpq/ntpq.1ntpqman projects/clang390-import/contrib/ntp/ntpq/ntpq.1ntpqmdoc projects/clang390-import/contrib/ntp/ntpq/ntpq.c projects/clang390-import/contrib/ntp/ntpq/ntpq.html projects/clang390-import/contrib/ntp/ntpq/ntpq.man.in projects/clang390-import/contrib/ntp/ntpq/ntpq.mdoc.in projects/clang390-import/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi projects/clang390-import/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c projects/clang390-import/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h projects/clang390-import/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman projects/clang390-import/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc projects/clang390-import/contrib/ntp/ntpsnmpd/ntpsnmpd.html projects/clang390-import/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in projects/clang390-import/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in projects/clang390-import/contrib/ntp/packageinfo.sh projects/clang390-import/contrib/ntp/scripts/build/genAuthors.in projects/clang390-import/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman projects/clang390-import/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc projects/clang390-import/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html projects/clang390-import/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in projects/clang390-import/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in 
projects/clang390-import/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi projects/clang390-import/contrib/ntp/scripts/invoke-plot_summary.texi projects/clang390-import/contrib/ntp/scripts/invoke-summary.texi projects/clang390-import/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi projects/clang390-import/contrib/ntp/scripts/ntp-wait/ntp-wait-opts projects/clang390-import/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman projects/clang390-import/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc projects/clang390-import/contrib/ntp/scripts/ntp-wait/ntp-wait.html projects/clang390-import/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in projects/clang390-import/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in projects/clang390-import/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi projects/clang390-import/contrib/ntp/scripts/ntpsweep/ntpsweep-opts projects/clang390-import/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman projects/clang390-import/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc projects/clang390-import/contrib/ntp/scripts/ntpsweep/ntpsweep.html projects/clang390-import/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in projects/clang390-import/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in projects/clang390-import/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi projects/clang390-import/contrib/ntp/scripts/ntptrace/ntptrace-opts projects/clang390-import/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman projects/clang390-import/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc projects/clang390-import/contrib/ntp/scripts/ntptrace/ntptrace.html projects/clang390-import/contrib/ntp/scripts/ntptrace/ntptrace.man.in projects/clang390-import/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in projects/clang390-import/contrib/ntp/scripts/plot_summary-opts projects/clang390-import/contrib/ntp/scripts/plot_summary.1plot_summaryman projects/clang390-import/contrib/ntp/scripts/plot_summary.1plot_summarymdoc 
projects/clang390-import/contrib/ntp/scripts/plot_summary.html projects/clang390-import/contrib/ntp/scripts/plot_summary.man.in projects/clang390-import/contrib/ntp/scripts/plot_summary.mdoc.in projects/clang390-import/contrib/ntp/scripts/summary-opts projects/clang390-import/contrib/ntp/scripts/summary.1summaryman projects/clang390-import/contrib/ntp/scripts/summary.1summarymdoc projects/clang390-import/contrib/ntp/scripts/summary.html projects/clang390-import/contrib/ntp/scripts/summary.man.in projects/clang390-import/contrib/ntp/scripts/summary.mdoc.in projects/clang390-import/contrib/ntp/scripts/update-leap/invoke-update-leap.texi projects/clang390-import/contrib/ntp/scripts/update-leap/update-leap-opts projects/clang390-import/contrib/ntp/scripts/update-leap/update-leap.1update-leapman projects/clang390-import/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc projects/clang390-import/contrib/ntp/scripts/update-leap/update-leap.html projects/clang390-import/contrib/ntp/scripts/update-leap/update-leap.in projects/clang390-import/contrib/ntp/scripts/update-leap/update-leap.man.in projects/clang390-import/contrib/ntp/scripts/update-leap/update-leap.mdoc.in projects/clang390-import/contrib/ntp/sntp/configure projects/clang390-import/contrib/ntp/sntp/crypto.c projects/clang390-import/contrib/ntp/sntp/include/version.def projects/clang390-import/contrib/ntp/sntp/include/version.texi projects/clang390-import/contrib/ntp/sntp/invoke-sntp.texi projects/clang390-import/contrib/ntp/sntp/m4/version.m4 projects/clang390-import/contrib/ntp/sntp/sntp-opts.c projects/clang390-import/contrib/ntp/sntp/sntp-opts.h projects/clang390-import/contrib/ntp/sntp/sntp.1sntpman projects/clang390-import/contrib/ntp/sntp/sntp.1sntpmdoc projects/clang390-import/contrib/ntp/sntp/sntp.html projects/clang390-import/contrib/ntp/sntp/sntp.man.in projects/clang390-import/contrib/ntp/sntp/sntp.mdoc.in projects/clang390-import/contrib/ntp/sntp/tests/packetProcessing.c 
projects/clang390-import/contrib/ntp/sntp/tests/run-packetProcessing.c projects/clang390-import/contrib/ntp/sntp/unity/Makefile.am projects/clang390-import/contrib/ntp/sntp/unity/Makefile.in projects/clang390-import/contrib/ntp/sntp/unity/unity_fixture.c projects/clang390-import/contrib/ntp/sntp/version.c projects/clang390-import/contrib/ntp/tests/libntp/a_md5encrypt.c projects/clang390-import/contrib/ntp/tests/libntp/calendar.c projects/clang390-import/contrib/ntp/tests/libntp/run-calendar.c projects/clang390-import/contrib/ntp/tests/libntp/sfptostr.c projects/clang390-import/contrib/ntp/tests/ntpd/Makefile.am projects/clang390-import/contrib/ntp/tests/ntpd/Makefile.in projects/clang390-import/contrib/ntp/util/invoke-ntp-keygen.texi projects/clang390-import/contrib/ntp/util/ntp-keygen-opts.c projects/clang390-import/contrib/ntp/util/ntp-keygen-opts.h projects/clang390-import/contrib/ntp/util/ntp-keygen.1ntp-keygenman projects/clang390-import/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc projects/clang390-import/contrib/ntp/util/ntp-keygen.c projects/clang390-import/contrib/ntp/util/ntp-keygen.html projects/clang390-import/contrib/ntp/util/ntp-keygen.man.in projects/clang390-import/contrib/ntp/util/ntp-keygen.mdoc.in projects/clang390-import/etc/rc.subr projects/clang390-import/lib/libc/gen/setproctitle.c projects/clang390-import/lib/libc/locale/wcstod.c projects/clang390-import/lib/libc/locale/wcstof.c projects/clang390-import/lib/libc/locale/wcstold.c projects/clang390-import/lib/libc/sys/open.2 projects/clang390-import/lib/libfetch/common.c projects/clang390-import/lib/libfetch/common.h projects/clang390-import/lib/libfetch/ftp.c projects/clang390-import/lib/libmemstat/memstat_uma.c projects/clang390-import/libexec/rtld-elf/aarch64/reloc.c projects/clang390-import/libexec/rtld-elf/amd64/reloc.c projects/clang390-import/libexec/rtld-elf/arm/reloc.c projects/clang390-import/libexec/rtld-elf/i386/reloc.c projects/clang390-import/libexec/rtld-elf/mips/reloc.c 
projects/clang390-import/libexec/rtld-elf/powerpc/reloc.c projects/clang390-import/libexec/rtld-elf/powerpc64/reloc.c projects/clang390-import/libexec/rtld-elf/riscv/reloc.c projects/clang390-import/libexec/rtld-elf/rtld.c projects/clang390-import/libexec/rtld-elf/rtld.h projects/clang390-import/libexec/rtld-elf/sparc64/reloc.c projects/clang390-import/release/doc/en_US.ISO8859-1/hardware/article.xml projects/clang390-import/release/packages/Makefile.package projects/clang390-import/release/packages/generate-ucl.sh projects/clang390-import/release/packages/jail.ucl projects/clang390-import/release/packages/runtime.ucl projects/clang390-import/sbin/dhclient/dispatch.c projects/clang390-import/sbin/umount/umount.c projects/clang390-import/share/man/man4/Makefile projects/clang390-import/share/man/man4/bhnd.4 projects/clang390-import/share/man/man4/bhndb.4 projects/clang390-import/share/man/man4/chromebook_platform.4 projects/clang390-import/share/man/man4/hv_vss.4 projects/clang390-import/share/man/man4/mpr.4 projects/clang390-import/share/man/man4/mps.4 projects/clang390-import/share/man/man4/ng_checksum.4 projects/clang390-import/share/man/man4/ng_mppc.4 projects/clang390-import/share/man/man4/ntb_hw.4 projects/clang390-import/share/man/man4/rtwn.4 projects/clang390-import/share/man/man4/rtwn_pci.4 projects/clang390-import/share/man/man4/rtwn_usb.4 projects/clang390-import/share/man/man5/nsmb.conf.5 (contents, props changed) projects/clang390-import/share/man/man9/bus_map_resource.9 projects/clang390-import/share/man/man9/cnv.9 projects/clang390-import/share/man/man9/counter.9 projects/clang390-import/share/man/man9/osd.9 projects/clang390-import/share/man/man9/pmap_zero_page.9 projects/clang390-import/share/man/man9/rman.9 projects/clang390-import/share/man/man9/tcp_functions.9 projects/clang390-import/share/misc/committers-ports.dot projects/clang390-import/share/misc/committers-src.dot projects/clang390-import/sys/arm/allwinner/a10_ehci.c 
projects/clang390-import/sys/arm/allwinner/a10_hdmi.c projects/clang390-import/sys/arm/allwinner/if_emac.c projects/clang390-import/sys/arm/annapurna/alpine/alpine_pci.c projects/clang390-import/sys/arm/arm/pmu.c projects/clang390-import/sys/arm/broadcom/bcm2835/bcm2836.c projects/clang390-import/sys/arm/conf/GENERIC projects/clang390-import/sys/arm64/acpica/acpi_machdep.c projects/clang390-import/sys/arm64/arm64/mp_machdep.c projects/clang390-import/sys/arm64/arm64/nexus.c projects/clang390-import/sys/arm64/cavium/thunder_pcie_common.c projects/clang390-import/sys/arm64/cavium/thunder_pcie_fdt.c projects/clang390-import/sys/arm64/conf/GENERIC projects/clang390-import/sys/arm64/conf/GENERIC-UP projects/clang390-import/sys/arm64/include/acpica_machdep.h projects/clang390-import/sys/boot/fdt/dts/arm/olimex-a20-som-evb.dts projects/clang390-import/sys/cddl/compat/opensolaris/sys/kmem.h projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace.c projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_dataset.c projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_pool.c projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sys/dsl_dataset.h projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sys/zfs_vfsops.h projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c projects/clang390-import/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c projects/clang390-import/sys/cddl/dev/dtrace/dtrace_load.c projects/clang390-import/sys/cddl/dev/dtrace/dtrace_sysctl.c projects/clang390-import/sys/compat/linprocfs/linprocfs.c projects/clang390-import/sys/conf/files projects/clang390-import/sys/conf/files.amd64 projects/clang390-import/sys/conf/files.arm 
projects/clang390-import/sys/conf/files.arm64 projects/clang390-import/sys/conf/files.i386 projects/clang390-import/sys/contrib/dev/acpica/changes.txt projects/clang390-import/sys/contrib/dev/acpica/common/acfileio.c projects/clang390-import/sys/contrib/dev/acpica/common/dmtbdump.c projects/clang390-import/sys/contrib/dev/acpica/common/dmtbinfo.c projects/clang390-import/sys/contrib/dev/acpica/compiler/aslbtypes.c projects/clang390-import/sys/contrib/dev/acpica/compiler/aslcompiler.l projects/clang390-import/sys/contrib/dev/acpica/compiler/aslcstyle.y projects/clang390-import/sys/contrib/dev/acpica/compiler/aslexternal.c projects/clang390-import/sys/contrib/dev/acpica/compiler/aslkeywords.y projects/clang390-import/sys/contrib/dev/acpica/compiler/aslopcodes.c projects/clang390-import/sys/contrib/dev/acpica/compiler/aslprimaries.y projects/clang390-import/sys/contrib/dev/acpica/compiler/aslresources.y projects/clang390-import/sys/contrib/dev/acpica/compiler/aslrestype2.c projects/clang390-import/sys/contrib/dev/acpica/compiler/aslrules.y projects/clang390-import/sys/contrib/dev/acpica/compiler/aslstubs.c projects/clang390-import/sys/contrib/dev/acpica/compiler/asltokens.y projects/clang390-import/sys/contrib/dev/acpica/compiler/asltypes.y projects/clang390-import/sys/contrib/dev/acpica/compiler/aslwalks.c projects/clang390-import/sys/contrib/dev/acpica/compiler/dttable.c projects/clang390-import/sys/contrib/dev/acpica/components/disassembler/dmbuffer.c projects/clang390-import/sys/contrib/dev/acpica/components/disassembler/dmcstyle.c projects/clang390-import/sys/contrib/dev/acpica/components/disassembler/dmresrc.c projects/clang390-import/sys/contrib/dev/acpica/components/dispatcher/dsinit.c projects/clang390-import/sys/contrib/dev/acpica/components/dispatcher/dsmethod.c projects/clang390-import/sys/contrib/dev/acpica/components/dispatcher/dsopcode.c projects/clang390-import/sys/contrib/dev/acpica/components/dispatcher/dswload2.c 
projects/clang390-import/sys/contrib/dev/acpica/components/events/evrgnini.c projects/clang390-import/sys/contrib/dev/acpica/components/executer/exconfig.c projects/clang390-import/sys/contrib/dev/acpica/components/executer/exconvrt.c projects/clang390-import/sys/contrib/dev/acpica/components/executer/exresop.c projects/clang390-import/sys/contrib/dev/acpica/components/namespace/nsload.c projects/clang390-import/sys/contrib/dev/acpica/components/namespace/nsnames.c projects/clang390-import/sys/contrib/dev/acpica/components/namespace/nsxfname.c projects/clang390-import/sys/contrib/dev/acpica/components/parser/psargs.c projects/clang390-import/sys/contrib/dev/acpica/components/parser/psloop.c projects/clang390-import/sys/contrib/dev/acpica/components/parser/psobject.c projects/clang390-import/sys/contrib/dev/acpica/components/parser/pstree.c projects/clang390-import/sys/contrib/dev/acpica/components/tables/tbdata.c projects/clang390-import/sys/contrib/dev/acpica/components/tables/tbfadt.c projects/clang390-import/sys/contrib/dev/acpica/components/tables/tbutils.c projects/clang390-import/sys/contrib/dev/acpica/components/tables/tbxface.c projects/clang390-import/sys/contrib/dev/acpica/components/tables/tbxfload.c projects/clang390-import/sys/contrib/dev/acpica/components/utilities/utdecode.c projects/clang390-import/sys/contrib/dev/acpica/components/utilities/utresrc.c projects/clang390-import/sys/contrib/dev/acpica/include/acdisasm.h projects/clang390-import/sys/contrib/dev/acpica/include/acevents.h projects/clang390-import/sys/contrib/dev/acpica/include/acnamesp.h projects/clang390-import/sys/contrib/dev/acpica/include/acopcode.h projects/clang390-import/sys/contrib/dev/acpica/include/acpixf.h projects/clang390-import/sys/contrib/dev/acpica/include/actables.h projects/clang390-import/sys/contrib/dev/acpica/include/actbl.h projects/clang390-import/sys/contrib/dev/acpica/include/acutils.h projects/clang390-import/sys/contrib/dev/acpica/include/amlcode.h 
projects/clang390-import/sys/dev/ath/if_ath_tx_ht.c projects/clang390-import/sys/dev/bnxt/bnxt.h projects/clang390-import/sys/dev/bnxt/if_bnxt.c projects/clang390-import/sys/dev/etherswitch/ukswitch/ukswitch.c projects/clang390-import/sys/dev/firewire/firewire.c projects/clang390-import/sys/dev/firewire/fwohci.c projects/clang390-import/sys/dev/gpio/bytgpio.c projects/clang390-import/sys/dev/hyperv/include/vmbus.h projects/clang390-import/sys/dev/hyperv/include/vmbus_xact.h projects/clang390-import/sys/dev/hyperv/netvsc/hn_nvs.c projects/clang390-import/sys/dev/hyperv/netvsc/hn_rndis.c projects/clang390-import/sys/dev/hyperv/netvsc/if_hn.c projects/clang390-import/sys/dev/hyperv/netvsc/if_hnvar.h projects/clang390-import/sys/dev/hyperv/vmbus/vmbus_chan.c projects/clang390-import/sys/dev/hyperv/vmbus/vmbus_chanvar.h projects/clang390-import/sys/dev/hyperv/vmbus/vmbus_xact.c projects/clang390-import/sys/dev/pci/pci_host_generic.c projects/clang390-import/sys/dev/pci/pci_host_generic.h projects/clang390-import/sys/dev/rtwn/rtl8812a/r12a_rom_image.h projects/clang390-import/sys/dev/spibus/spigen.c projects/clang390-import/sys/dev/uart/uart_bus_pci.c projects/clang390-import/sys/dev/uart/uart_cpu_acpi.h projects/clang390-import/sys/dev/uart/uart_dev_pl011.c projects/clang390-import/sys/fs/ext2fs/ext2_vnops.c projects/clang390-import/sys/fs/nfsclient/nfs_clbio.c projects/clang390-import/sys/fs/nfsclient/nfs_clvnops.c projects/clang390-import/sys/fs/tmpfs/tmpfs_subr.c projects/clang390-import/sys/fs/udf/udf_vnops.c projects/clang390-import/sys/kern/kern_clock.c projects/clang390-import/sys/kern/kern_descrip.c projects/clang390-import/sys/kern/subr_param.c projects/clang390-import/sys/kern/uipc_socket.c projects/clang390-import/sys/kern/vfs_bio.c projects/clang390-import/sys/kern/vfs_cache.c projects/clang390-import/sys/mips/conf/CANNA projects/clang390-import/sys/mips/conf/CI20 projects/clang390-import/sys/mips/conf/JZ4780 projects/clang390-import/sys/mips/conf/MALTA 
projects/clang390-import/sys/mips/conf/MALTA64 projects/clang390-import/sys/mips/conf/X1000 projects/clang390-import/sys/mips/include/pcpu.h projects/clang390-import/sys/mips/ingenic/jz4780_gpio.c projects/clang390-import/sys/modules/Makefile projects/clang390-import/sys/modules/dtb/allwinner/Makefile projects/clang390-import/sys/net80211/ieee80211_adhoc.c projects/clang390-import/sys/net80211/ieee80211_crypto_ccmp.c projects/clang390-import/sys/net80211/ieee80211_ht.c projects/clang390-import/sys/net80211/ieee80211_node.c projects/clang390-import/sys/net80211/ieee80211_node.h projects/clang390-import/sys/netinet/tcp_syncache.c projects/clang390-import/sys/powerpc/include/pmap.h projects/clang390-import/sys/riscv/include/vmparam.h projects/clang390-import/sys/security/audit/audit_bsm.c projects/clang390-import/sys/sys/buf.h projects/clang390-import/sys/sys/param.h projects/clang390-import/sys/sys/vmmeter.h projects/clang390-import/sys/sys/vnode.h projects/clang390-import/sys/ufs/ffs/ffs_vnops.c projects/clang390-import/sys/vm/swap_pager.c projects/clang390-import/sys/vm/vm_meter.c projects/clang390-import/sys/vm/vm_page.c projects/clang390-import/sys/vm/vm_pageout.c projects/clang390-import/sys/vm/vm_pager.h projects/clang390-import/sys/vm/vnode_pager.c projects/clang390-import/tools/tools/nanobsd/Files/root/save_cfg projects/clang390-import/tools/tools/sysbuild/sysbuild.sh projects/clang390-import/tools/tools/umastat/umastat.c projects/clang390-import/usr.sbin/fifolog/lib/fifolog_create.c projects/clang390-import/usr.sbin/ntp/config.h projects/clang390-import/usr.sbin/ntp/doc/ntp-keygen.8 projects/clang390-import/usr.sbin/ntp/doc/ntp.conf.5 projects/clang390-import/usr.sbin/ntp/doc/ntp.keys.5 projects/clang390-import/usr.sbin/ntp/doc/ntpd.8 projects/clang390-import/usr.sbin/ntp/doc/ntpdc.8 projects/clang390-import/usr.sbin/ntp/doc/ntpq.8 projects/clang390-import/usr.sbin/ntp/doc/sntp.8 projects/clang390-import/usr.sbin/ntp/libntp/Makefile 
projects/clang390-import/usr.sbin/ntp/scripts/mkver Directory Properties: projects/clang390-import/ (props changed) projects/clang390-import/cddl/ (props changed) projects/clang390-import/cddl/contrib/opensolaris/ (props changed) projects/clang390-import/cddl/contrib/opensolaris/lib/libzfs/ (props changed) projects/clang390-import/contrib/ntp/ (props changed) projects/clang390-import/sys/cddl/contrib/opensolaris/ (props changed) projects/clang390-import/sys/contrib/dev/acpica/ (props changed) Modified: projects/clang390-import/ObsoleteFiles.inc ============================================================================== --- projects/clang390-import/ObsoleteFiles.inc Thu Nov 24 13:28:57 2016 (r309105) +++ projects/clang390-import/ObsoleteFiles.inc Thu Nov 24 14:39:04 2016 (r309106) @@ -130,6 +130,17 @@ OLD_FILES+=usr/lib/clang/3.8.0/lib/freeb OLD_DIRS+=usr/lib/clang/3.8.0/lib/freebsd OLD_DIRS+=usr/lib/clang/3.8.0/lib OLD_DIRS+=usr/lib/clang/3.8.0 +# 20161121: Hyper-V manuals only apply to amd64 and i386. +.if ${TARGET_ARCH} != "amd64" && ${TARGET_ARCH} != "i386" +OLD_FILES+=usr/share/man/man4/hv_kvp.4.gz +OLD_FILES+=usr/share/man/man4/hv_netvsc.4.gz +OLD_FILES+=usr/share/man/man4/hv_storvsc.4.gz +OLD_FILES+=usr/share/man/man4/hv_utils.4.gz +OLD_FILES+=usr/share/man/man4/hv_vmbus.4.gz +OLD_FILES+=usr/share/man/man4/hv_vss.4.gz +.endif +# 20161118: Remove hv_ata_pci_disengage(4) +OLD_FILES+=usr/share/man/man4/hv_ata_pci_disengage.4.gz # 20161017: urtwn(4) was merged into rtwn(4) OLD_FILES+=usr/share/man/man4/urtwn.4.gz OLD_FILES+=usr/share/man/man4/urtwnfw.4.gz Modified: projects/clang390-import/UPDATING ============================================================================== --- projects/clang390-import/UPDATING Thu Nov 24 13:28:57 2016 (r309105) +++ projects/clang390-import/UPDATING Thu Nov 24 14:39:04 2016 (r309106) 
@@ -51,6 +51,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12 ****************************** SPECIAL WARNING: ****************************** +20161119: + The layout of the pmap structure has changed for powerpc to put the pmap + statistics at the front for all CPU variations. libkvm(3) and all tools + that link against it need to be recompiled. + 20161030: isl(4) and cyapa(4) drivers now require a new driver, chromebook_platform(4), to work properly on Chromebook-class hardware. Modified: projects/clang390-import/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c ============================================================================== --- projects/clang390-import/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c Thu Nov 24 13:28:57 2016 (r309105) +++ projects/clang390-import/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c Thu Nov 24 14:39:04 2016 (r309106) 
@@ -1615,17 +1615,12 @@ zfs_prop_set_list(zfs_handle_t *zhp, nvl assert(cl_idx < nvl_len); /* * We don't want to unmount & remount the dataset when changing - * its canmount property. We only use the changelist logic to - * unmount when setting canmount=off for a mounted filesystem - * or when setting canmount=on for an unmounted filesystem. - * For all other changes to canmount property the filesystem - * remains the same. + * its canmount property to 'on' or 'noauto'. We only use + * the changelist logic to unmount when setting canmount=off. */ if (prop != ZFS_PROP_CANMOUNT || (fnvpair_value_uint64(elem) == ZFS_CANMOUNT_OFF && - zfs_is_mounted(zhp, NULL)) || - (fnvpair_value_uint64(elem) == ZFS_CANMOUNT_ON && - !zfs_is_mounted(zhp, NULL))) { + zfs_is_mounted(zhp, NULL))) { cls[cl_idx] = changelist_gather(zhp, prop, 0, 0); if (cls[cl_idx] == NULL) goto error; Modified: projects/clang390-import/contrib/ntp/ChangeLog ============================================================================== --- projects/clang390-import/contrib/ntp/ChangeLog Thu Nov 24 13:28:57 2016 (r309105) +++ projects/clang390-import/contrib/ntp/ChangeLog Thu Nov 24 14:39:04 2016 (r309106) 
@@ -1,4 +1,73 @@ --- +(4.2.8p9) 2016/11/21 Released by Harlan Stenn +(4.2.8p9) 2016/MM/DD Released by Harlan Stenn + +* [Sec 3119] Trap crash +* [Sec 3118] Mode 6 information disclosure and DDoS vector + - TRAP config via mode 6 packet requires AUTH now. +* [Sec 3114] Broadcast Mode Replay Prevention DoS + - applied patches by Matthew Van Gundy. + - with bcpollbstep, tweaks and cleanup by stenn@ntp.org +* [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS + - applied fix as suggested by Matthew Van Gundy +* [Sec 3110] Windows: ntpd DoS by oversized UDP packet + - fixed error handling for truncated UDP packets. +* [Sec 3102] Zero origin issues. HStenn. +* [Sec 3082] null pointer dereference in _IO_str_init_static_internal() + - more hardening to read_mru_list(). perlinger@ntp.org +* [Sec 3072] Attack on interface selection + - implemented Miroslav Lichvars suggestion + to skip interface updates based on incoming packets +* [Bug 3142] bug in netmask prefix length detection +* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org +* [Bug 3129] Unknown hosts can put resolver thread into a hard loop + - moved retry decision where it belongs. +* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order + using the loopback-ppsapi-provider.dll +* [Bug 3116] unit tests for NTP time stamp expansion. +* [Bug 3100] ntpq can't retrieve daemon_version + - fixed extended sysvar lookup (bug introduced with bug 3008 fix) +* [Bug 3095] Compatibility with openssl 1.1 + - applied patches by Kurt Roeckx to source + - added shim layer for SSL API calls with issues (both directions) +* [Bug 3089] Serial Parser does not work anymore for hopfser like device + - simplified / refactored hex-decoding in driver. +* [Bug 3084] update-leap mis-parses the leapfile name. HStenn. +* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org + - applied patch thanks to Andrew Stormont +* [Bug 3067] Root distance calculation needs improvement. HStenn. 
+* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org + - PPS-HACK works again. +* [Bug 3059] Potential buffer overrun from oversized hash + - applied patch by Brian Utterback +* [Bug 3053] ntp_loopfilter.c frequency calc precedence error. Sarah White. +* [Bug 3050] Fix for bug #2960 causes [...] spurious error message. + + - patches by Reinhard Max and Havard Eidnes +* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org + - Patch provided by Kuramatsu. +* [Bug 3021] unity_fixture.c needs pragma weak + - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()' +* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. + DMayer and JPerlinger. +* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger +* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY. HStenn. +* [Bug 2959] refclock_jupiter: gps week correction + - fixed GPS week expansion to work based on build date. Special thanks + to Craig Leres for initial patch and testing. +* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd' + - fixed Makefile.am +* [Bug 2689] ATOM driver processes last PPS pulse at startup, + even if it is very old + - make sure PPS source is alive before processing samples + - improve stability close to the 500ms phase jump (phase gate) +* Fix typos in include/ntp.h. +* Shim X509_get_signature_nid() if needed. +* git author attribution cleanup +* bk ignore file cleanup +* remove locks in Windows IO, use rpc-like thread synchronisation instead + +--- (4.2.8p8) 2016/06/02 Released by Harlan Stenn * [Sec 3042] Broadcast Interleave. HStenn. 
@@ -19,7 +88,7 @@ * Fix typo in ntp-wait and plot_summary. HStenn. * Make sure we have an "author" file for git imports. HStenn. * Update the sntp problem tests for MacOS. HStenn. - + --- (4.2.8p7) 2016/04/26 Released by Harlan Stenn Modified: projects/clang390-import/contrib/ntp/CommitLog ============================================================================== --- projects/clang390-import/contrib/ntp/CommitLog Thu Nov 24 13:28:57 2016 (r309105) +++ projects/clang390-import/contrib/ntp/CommitLog Thu Nov 24 14:39:04 2016 (r309106) 
@@ -1,3 +1,1866 @@ +ChangeSet@1.3720, 2016-11-21 08:08:21-05:00, stenn@deacon.udel.edu + NTP_4_2_8P9 + TAG: NTP_4_2_8P9 + + ChangeLog@1.1852 +1 -0 + NTP_4_2_8P9 + + ntpd/invoke-ntp.conf.texi@1.203 +1 -1 + NTP_4_2_8P9 + + ntpd/invoke-ntp.keys.texi@1.192 +1 -1 + NTP_4_2_8P9 + + ntpd/invoke-ntpd.texi@1.508 +2 -2 + NTP_4_2_8P9 + + ntpd/ntp.conf.5man@1.237 +3 -3 + NTP_4_2_8P9 + + ntpd/ntp.conf.5mdoc@1.237 +2 -2 + NTP_4_2_8P9 + + ntpd/ntp.conf.html@1.187 +157 -154 + NTP_4_2_8P9 + + ntpd/ntp.conf.man.in@1.237 +3 -3 + NTP_4_2_8P9 + + ntpd/ntp.conf.mdoc.in@1.237 +2 -2 + NTP_4_2_8P9 + + ntpd/ntp.keys.5man@1.226 +2 -2 + NTP_4_2_8P9 + + ntpd/ntp.keys.5mdoc@1.226 +3 -3 + NTP_4_2_8P9 + + ntpd/ntp.keys.html@1.188 +21 -33 + NTP_4_2_8P9 + + ntpd/ntp.keys.man.in@1.226 +2 -2 + NTP_4_2_8P9 + + ntpd/ntp.keys.mdoc.in@1.226 +3 -3 + NTP_4_2_8P9 + + ntpd/ntpd-opts.c@1.530 +245 -245 + NTP_4_2_8P9 + + ntpd/ntpd-opts.h@1.529 +3 -3 + NTP_4_2_8P9 + + ntpd/ntpd.1ntpdman@1.337 +3 -3 + NTP_4_2_8P9 + + ntpd/ntpd.1ntpdmdoc@1.337 +2 -2 + NTP_4_2_8P9 + + ntpd/ntpd.html@1.181 +142 -186 + NTP_4_2_8P9 + + ntpd/ntpd.man.in@1.337 +3 -3 + NTP_4_2_8P9 + + ntpd/ntpd.mdoc.in@1.337 +2 -2 + NTP_4_2_8P9 + + ntpdc/invoke-ntpdc.texi@1.505 +2 -2 + NTP_4_2_8P9 + + ntpdc/ntpdc-opts.c@1.523 +106 -106 + NTP_4_2_8P9 + + ntpdc/ntpdc-opts.h@1.522 +3 -3 + NTP_4_2_8P9 + + ntpdc/ntpdc.1ntpdcman@1.336 +3 -3 + NTP_4_2_8P9 + + ntpdc/ntpdc.1ntpdcmdoc@1.336 +2 -2 + NTP_4_2_8P9 + + ntpdc/ntpdc.html@1.349 +75 -95 + NTP_4_2_8P9 + + ntpdc/ntpdc.man.in@1.336 +3 -3 + NTP_4_2_8P9 + + ntpdc/ntpdc.mdoc.in@1.336 +2 -2 + NTP_4_2_8P9 + + ntpq/invoke-ntpq.texi@1.513 +2 -2 + NTP_4_2_8P9 + + ntpq/ntpq-opts.c@1.530 +113 -113 + NTP_4_2_8P9 + + ntpq/ntpq-opts.h@1.528 +3 -3 + NTP_4_2_8P9 + + ntpq/ntpq.1ntpqman@1.341 +3 -3 + NTP_4_2_8P9 + + ntpq/ntpq.1ntpqmdoc@1.341 +2 -2 + NTP_4_2_8P9 + + ntpq/ntpq.html@1.178 +136 -160 + NTP_4_2_8P9 + + ntpq/ntpq.man.in@1.341 +3 -3 + NTP_4_2_8P9 + + ntpq/ntpq.mdoc.in@1.341 +2 -2 + NTP_4_2_8P9 + + 
ntpsnmpd/invoke-ntpsnmpd.texi@1.507 +2 -2 + NTP_4_2_8P9 + + ntpsnmpd/ntpsnmpd-opts.c@1.525 +67 -67 + NTP_4_2_8P9 + + ntpsnmpd/ntpsnmpd-opts.h@1.524 +3 -3 + NTP_4_2_8P9 + + ntpsnmpd/ntpsnmpd.1ntpsnmpdman@1.336 +3 -3 + NTP_4_2_8P9 + + ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc@1.336 +2 -2 + NTP_4_2_8P9 + + ntpsnmpd/ntpsnmpd.html@1.176 +10 -14 + NTP_4_2_8P9 + + ntpsnmpd/ntpsnmpd.man.in@1.336 +3 -3 + NTP_4_2_8P9 + + ntpsnmpd/ntpsnmpd.mdoc.in@1.336 +2 -2 + NTP_4_2_8P9 + + packageinfo.sh@1.532 +2 -2 + NTP_4_2_8P9 + + scripts/calc_tickadj/calc_tickadj.1calc_tickadjman@1.97 +3 -3 + NTP_4_2_8P9 + + scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc@1.98 +2 -2 + NTP_4_2_8P9 + + scripts/calc_tickadj/calc_tickadj.html@1.99 +30 -42 + NTP_4_2_8P9 + + scripts/calc_tickadj/calc_tickadj.man.in@1.96 +3 -3 + NTP_4_2_8P9 + + scripts/calc_tickadj/calc_tickadj.mdoc.in@1.98 +2 -2 + NTP_4_2_8P9 + + scripts/calc_tickadj/invoke-calc_tickadj.texi@1.101 +1 -1 + NTP_4_2_8P9 + + scripts/invoke-plot_summary.texi@1.119 +2 -2 + NTP_4_2_8P9 + + scripts/invoke-summary.texi@1.118 +2 -2 + NTP_4_2_8P9 + + scripts/ntp-wait/invoke-ntp-wait.texi@1.328 +2 -2 + NTP_4_2_8P9 + + scripts/ntp-wait/ntp-wait-opts@1.64 +2 -2 + NTP_4_2_8P9 + + scripts/ntp-wait/ntp-wait.1ntp-waitman@1.325 +3 -3 + NTP_4_2_8P9 + + scripts/ntp-wait/ntp-wait.1ntp-waitmdoc@1.326 +2 -2 + NTP_4_2_8P9 + + scripts/ntp-wait/ntp-wait.html@1.345 +41 -59 + NTP_4_2_8P9 + + scripts/ntp-wait/ntp-wait.man.in@1.325 +3 -3 + NTP_4_2_8P9 + + scripts/ntp-wait/ntp-wait.mdoc.in@1.326 +2 -2 + NTP_4_2_8P9 + + scripts/ntpsweep/invoke-ntpsweep.texi@1.116 +2 -2 + NTP_4_2_8P9 + + scripts/ntpsweep/ntpsweep-opts@1.66 +2 -2 + NTP_4_2_8P9 + + scripts/ntpsweep/ntpsweep.1ntpsweepman@1.104 +3 -3 + NTP_4_2_8P9 + + scripts/ntpsweep/ntpsweep.1ntpsweepmdoc@1.104 +2 -2 + NTP_4_2_8P9 + + scripts/ntpsweep/ntpsweep.html@1.117 +46 -57 + NTP_4_2_8P9 + + scripts/ntpsweep/ntpsweep.man.in@1.104 +3 -3 + NTP_4_2_8P9 + + scripts/ntpsweep/ntpsweep.mdoc.in@1.105 +2 -2 + NTP_4_2_8P9 + + 
scripts/ntptrace/invoke-ntptrace.texi@1.117 +2 -2 + NTP_4_2_8P9 + + scripts/ntptrace/ntptrace-opts@1.66 +2 -2 + NTP_4_2_8P9 + + scripts/ntptrace/ntptrace.1ntptraceman@1.104 +3 -3 + NTP_4_2_8P9 + + scripts/ntptrace/ntptrace.1ntptracemdoc@1.105 +2 -2 + NTP_4_2_8P9 + + scripts/ntptrace/ntptrace.html@1.118 +38 -47 + NTP_4_2_8P9 + + scripts/ntptrace/ntptrace.man.in@1.104 +3 -3 + NTP_4_2_8P9 + + scripts/ntptrace/ntptrace.mdoc.in@1.106 +2 -2 + NTP_4_2_8P9 + + scripts/plot_summary-opts@1.67 +2 -2 + NTP_4_2_8P9 + + scripts/plot_summary.1plot_summaryman@1.117 +3 -3 + NTP_4_2_8P9 + + scripts/plot_summary.1plot_summarymdoc@1.117 +2 -2 + NTP_4_2_8P9 + + scripts/plot_summary.html@1.120 +40 -58 + NTP_4_2_8P9 + + scripts/plot_summary.man.in@1.117 +3 -3 + NTP_4_2_8P9 + + scripts/plot_summary.mdoc.in@1.117 +2 -2 + NTP_4_2_8P9 + + scripts/summary-opts@1.66 +2 -2 + NTP_4_2_8P9 + + scripts/summary.1summaryman@1.116 +3 -3 + NTP_4_2_8P9 + + scripts/summary.1summarymdoc@1.116 +2 -2 + NTP_4_2_8P9 + + scripts/summary.html@1.119 +37 -49 + NTP_4_2_8P9 + + scripts/summary.man.in@1.116 +3 -3 + NTP_4_2_8P9 + + scripts/summary.mdoc.in@1.116 +2 -2 + NTP_4_2_8P9 + + scripts/update-leap/invoke-update-leap.texi@1.17 +1 -1 + NTP_4_2_8P9 + + scripts/update-leap/update-leap-opts@1.17 +2 -2 + NTP_4_2_8P9 + + scripts/update-leap/update-leap.1update-leapman@1.17 +3 -3 + NTP_4_2_8P9 + + scripts/update-leap/update-leap.1update-leapmdoc@1.17 +2 -2 + NTP_4_2_8P9 + + scripts/update-leap/update-leap.html@1.17 +48 -72 + NTP_4_2_8P9 + + scripts/update-leap/update-leap.man.in@1.17 +3 -3 + NTP_4_2_8P9 + + scripts/update-leap/update-leap.mdoc.in@1.17 +2 -2 + NTP_4_2_8P9 + + sntp/invoke-sntp.texi@1.505 +2 -2 + NTP_4_2_8P9 + + sntp/sntp-opts.c@1.524 +158 -158 + NTP_4_2_8P9 + + sntp/sntp-opts.h@1.522 +3 -3 + NTP_4_2_8P9 + + sntp/sntp.1sntpman@1.340 +3 -3 + NTP_4_2_8P9 + + sntp/sntp.1sntpmdoc@1.340 +2 -2 + NTP_4_2_8P9 + + sntp/sntp.html@1.520 +111 -135 + NTP_4_2_8P9 + + sntp/sntp.man.in@1.340 +3 -3 + NTP_4_2_8P9 + + 
sntp/sntp.mdoc.in@1.340 +2 -2 + NTP_4_2_8P9 + + util/invoke-ntp-keygen.texi@1.508 +2 -2 + NTP_4_2_8P9 + + util/ntp-keygen-opts.c@1.526 +172 -172 + NTP_4_2_8P9 + + util/ntp-keygen-opts.h@1.524 +3 -3 + NTP_4_2_8P9 + + util/ntp-keygen.1ntp-keygenman@1.336 +3 -3 + NTP_4_2_8P9 + + util/ntp-keygen.1ntp-keygenmdoc@1.336 +2 -2 + NTP_4_2_8P9 + + util/ntp-keygen.html@1.182 +157 -216 + NTP_4_2_8P9 + + util/ntp-keygen.man.in@1.336 +3 -3 + NTP_4_2_8P9 + + util/ntp-keygen.mdoc.in@1.336 +2 -2 + NTP_4_2_8P9 + +ChangeSet@1.3719, 2016-11-21 07:07:04-05:00, stenn@deacon.udel.edu + ntp-4.2.8p9 + + packageinfo.sh@1.531 +1 -1 + ntp-4.2.8p9 + +ChangeSet@1.3718, 2016-11-21 03:47:58+00:00, stenn@psp-deb1.ntp.org + NEWS updates, final p9 testing + + NEWS@1.203 +25 -17 + NEWS updates, final p9 testing + + packageinfo.sh@1.530 +2 -2 + NEWS updates, final p9 testing + +ChangeSet@1.3717, 2016-11-18 10:33:02+00:00, stenn@psp-deb1.ntp.org + NEWS update for 3142 + + NEWS@1.202 +2 -1 + NEWS update for 3142 + +ChangeSet@1.3686.23.1, 2016-11-18 08:55:13+01:00, perlinger@ntp.org + [Bug 3142] bug in netmask prefix length detection + + ChangeLog@1.1834.23.1 +3 -0 + [Bug 3142] bug in netmask prefix length detection + + lib/isc/netaddr.c@1.15 +0 -1 + [Bug 3142] bug in netmask prefix length detection + +ChangeSet@1.3715, 2016-11-16 21:25:49-08:00, harlan@fb-x86-a.pfcs.com + NEWS file update + + NEWS@1.201 +7 -22 + NEWS file update + +ChangeSet@1.3707.1.1, 2016-11-13 21:59:31-08:00, harlan@fb-x86-a.pfcs.com + cleanup + + NEWS@1.197.1.1 +201 -77 + cleanup + +ChangeSet@1.3713, 2016-11-13 21:56:18-08:00, harlan@hms-mbp11.pfcs.com + cleanip + + ChangeLog@1.1850 +2 -0 + cleanip + +ChangeSet@1.3712, 2016-11-13 02:43:02+00:00, stenn@psp-deb1.ntp.org + NEWS updates + + NEWS@1.199 +17 -0 + NEWS updates + +ChangeSet@1.3710, 2016-11-13 02:30:31+00:00, stenn@psp-deb1.ntp.org + NEWS cleanup + + NEWS@1.198 +2 -0 + NEWS cleanup + +ChangeSet@1.3707, 2016-11-12 17:36:54-08:00, harlan@fb-x86-a.pfcs.com + NEWS cleanup + + 
NEWS@1.197 +41 -6 + NEWS cleanup + +ChangeSet@1.3706, 2016-11-12 16:55:59-08:00, harlan@fb-x86-a.pfcs.com + [Bug 3067] Root distance calculation needs improvement. HStenn + + ChangeLog@1.1846.1.2 +1 -0 + [Bug 3067] Root distance calculation needs improvement. HStenn + + NEWS@1.196 +1 -0 + [Bug 3067] Root distance calculation needs improvement. HStenn + + ntpd/ntp_proto.c@1.396 +16 -11 + [Bug 3067] Root distance calculation needs improvement. HStenn + +ChangeSet@1.3705, 2016-11-12 15:57:34-08:00, harlan@fb-x86-a.pfcs.com + [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org + + ChangeLog@1.1846.1.1 +1 -0 + [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org + + NEWS@1.195 +1 -0 + [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org + + ntpd/refclock_gpsdjson.c@1.25 +1 -1 + [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org + +ChangeSet@1.3686.22.1, 2016-11-12 05:54:39+01:00, perlinger@ntp.org + [Bug 3129] Unknown hosts can put resolver thread into a hard loop + + ChangeLog@1.1834.22.1 +4 -0 + [Bug 3129] Unknown hosts can put resolver thread into a hard loop + + include/ntp_intres.h@1.2 +6 -0 + [Bug 3129] Unknown hosts can put resolver thread into a hard loop + - add flags and prototype for 'getaddrinfo_sometime_ex()' + + libntp/ntp_intres.c@1.101 +48 -14 + [Bug 3129] Unknown hosts can put resolver thread into a hard loop + - implement 'getaddrinfo_sometime_ex()', support ignoring all errors + + ntpd/ntp_config.c@1.338.1.1 +11 -10 + [Bug 3129] Unknown hosts can put resolver thread into a hard loop + - move decison about igoring DNS errors to resolver code + +ChangeSet@1.3703.1.2, 2016-11-09 12:32:07+00:00, stenn@psp-deb1.ntp.org + [Bug 3114] bcpollbstep, tweaks and cleanup + + ChangeLog@1.1848 +1 -1 + [Bug 3114] bcpollbstep, tweaks and cleanup + + html/miscopt.html@1.87 +4 -2 + [Bug 3114] bcpollbstep, tweaks and cleanup + + include/ntp.h@1.223 +1 -0 + [Bug 3114] bcpollbstep, tweaks and cleanup + + 
include/ntpd.h@1.194 +1 -0 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/complete.conf.in@1.32 +1 -1 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/invoke-ntp.conf.texi@1.202 +16 -1 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/keyword-gen-utd@1.29 +1 -1 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/keyword-gen.c@1.35 +1 -0 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp.conf.5man@1.236 +29 -8 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp.conf.5mdoc@1.236 +21 -2 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp.conf.def@1.25 +19 -0 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp.conf.man.in@1.236 +29 -8 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp.conf.mdoc.in@1.236 +21 -2 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp_config.c@1.339 +15 -0 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp_keyword.h@1.31 +1068 -1058 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp_parser.c@1.103 +1196 -1193 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp_parser.h@1.67 +373 -371 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp_parser.y@1.93 +3 -1 + [Bug 3114] bcpollbstep, tweaks and cleanup + + ntpd/ntp_proto.c@1.394.1.2 +43 -26 + [Bug 3114] bcpollbstep, tweaks and cleanup + +ChangeSet@1.3703, 2016-11-09 06:06:04+00:00, stenn@psp-deb1.ntp.org + typo + + ChangeLog@1.1846 +1 -1 + typo + +ChangeSet@1.3686.21.1, 2016-11-08 20:01:41+01:00, perlinger@ntp.org + [Bug 3089] Serial Parser does not work anymore for hopfser like device + + ChangeLog@1.1834.21.1 +4 -0 + [Bug 3089] Serial Parser does not work anymore for hopfser like device + + libparse/clk_hopf6021.c@1.13 +43 -25 + [Bug 3089] Serial Parser does not work anymore for hopfser like device + - simplified / refactored hex-decoding in driver. 
+ +ChangeSet@1.3698.2.1, 2016-11-03 17:02:24-07:00, harlan@max.pfcs.com + Added leap smear/root dispersion comment + + ntpd/ntp_proto.c@1.393.1.1 +4 -0 + Added leap smear/root dispersion comment + +ChangeSet@1.3699.1.2, 2016-10-31 10:56:33+00:00, stenn@psp-deb1.ntp.org + Add bug 3125 to the NEWS file + + NEWS@1.194 +2 -0 + Add bug 3125 to the NEWS file + +ChangeSet@1.3701, 2016-10-24 07:37:25+02:00, perlinger@ntp.org + [winio2 - unlocked] + - the great lock removal + - the great renaming + + ChangeLog@1.1844 +1 -0 + [winio2 - unlocked] notes on changes + + ntpd/ntp_refclock.c@1.123 +1 -1 + [winio2 - unlocked] + - whitespace at EOL + + ports/winnt/include/ntp_iocpltypes.h@1.3 +21 -24 + [winio2 - unlocked] + - eliminate critical section, simplify API + - the great renaming + + ports/winnt/ntpd/ntp_iocompletionport.c@1.77 +331 -209 + [winio2 - unlocked] + - the great lock removal + - handle context objects are only manipulated by IOCPL thread + - closing handles is done by main thread after informing IOCPL thread (RPC-style) + - the great renaming + - restructured UNIX line mode emulation + + ports/winnt/ntpd/ntp_iocpltypes.c@1.3 +31 -95 + [winio2 - unlocked] + - eliminate critical section, simplify API + - the great renaming + + +ChangeSet@1.3698.1.7, 2016-10-23 05:18:04+00:00, stenn@psp-deb1.ntp.org + ntp-4.2.8p9-PRE + + ntpd/invoke-ntp.conf.texi@1.201 +1 -1 + ntp-4.2.8p9-PRE + + ntpd/invoke-ntp.keys.texi@1.191 +1 -1 + ntp-4.2.8p9-PRE + + ntpd/invoke-ntpd.texi@1.507 +2 -2 + ntp-4.2.8p9-PRE + + ntpd/ntp.conf.5man@1.235 +3 -3 + ntp-4.2.8p9-PRE + + ntpd/ntp.conf.5mdoc@1.235 +2 -2 + ntp-4.2.8p9-PRE + + ntpd/ntp.conf.html@1.186 +104 -91 + ntp-4.2.8p9-PRE + + ntpd/ntp.conf.man.in@1.235 +3 -3 + ntp-4.2.8p9-PRE + + ntpd/ntp.conf.mdoc.in@1.235 +2 -2 + ntp-4.2.8p9-PRE + + ntpd/ntp.keys.5man@1.225 +2 -2 + ntp-4.2.8p9-PRE + + ntpd/ntp.keys.5mdoc@1.225 +3 -3 + ntp-4.2.8p9-PRE + + ntpd/ntp.keys.html@1.187 +29 -17 + ntp-4.2.8p9-PRE + + ntpd/ntp.keys.man.in@1.225 +2 -2 + 
ntp-4.2.8p9-PRE + + ntpd/ntp.keys.mdoc.in@1.225 +3 -3 + ntp-4.2.8p9-PRE + + ntpd/ntpd-opts.c@1.529 +245 -245 + ntp-4.2.8p9-PRE + + ntpd/ntpd-opts.h@1.528 +3 -3 + ntp-4.2.8p9-PRE + + ntpd/ntpd.1ntpdman@1.336 +3 -3 + ntp-4.2.8p9-PRE + + ntpd/ntpd.1ntpdmdoc@1.336 +2 -2 + ntp-4.2.8p9-PRE + + ntpd/ntpd.html@1.180 +146 -102 + ntp-4.2.8p9-PRE + + ntpd/ntpd.man.in@1.336 +3 -3 + ntp-4.2.8p9-PRE + + ntpd/ntpd.mdoc.in@1.336 +2 -2 + ntp-4.2.8p9-PRE + + ntpdc/invoke-ntpdc.texi@1.504 +2 -2 + ntp-4.2.8p9-PRE + + ntpdc/ntpdc-opts.c@1.522 +106 -106 + ntp-4.2.8p9-PRE + + ntpdc/ntpdc-opts.h@1.521 +3 -3 + ntp-4.2.8p9-PRE + + ntpdc/ntpdc.1ntpdcman@1.335 +3 -3 + ntp-4.2.8p9-PRE + + ntpdc/ntpdc.1ntpdcmdoc@1.335 +2 -2 + ntp-4.2.8p9-PRE + + ntpdc/ntpdc.html@1.348 +77 -57 + ntp-4.2.8p9-PRE + + ntpdc/ntpdc.man.in@1.335 +3 -3 + ntp-4.2.8p9-PRE + + ntpdc/ntpdc.mdoc.in@1.335 +2 -2 + ntp-4.2.8p9-PRE + + ntpq/invoke-ntpq.texi@1.512 +2 -2 + ntp-4.2.8p9-PRE + + ntpq/ntpq-opts.c@1.529 +113 -113 + ntp-4.2.8p9-PRE + + ntpq/ntpq-opts.h@1.527 +3 -3 + ntp-4.2.8p9-PRE + + ntpq/ntpq.1ntpqman@1.340 +3 -3 + ntp-4.2.8p9-PRE + + ntpq/ntpq.1ntpqmdoc@1.340 +2 -2 + ntp-4.2.8p9-PRE + + ntpq/ntpq.html@1.177 +129 -105 + ntp-4.2.8p9-PRE + + ntpq/ntpq.man.in@1.340 +3 -3 + ntp-4.2.8p9-PRE + + ntpq/ntpq.mdoc.in@1.340 +2 -2 + ntp-4.2.8p9-PRE + + ntpsnmpd/invoke-ntpsnmpd.texi@1.506 +2 -2 + ntp-4.2.8p9-PRE + + ntpsnmpd/ntpsnmpd-opts.c@1.524 +67 -67 + ntp-4.2.8p9-PRE + + ntpsnmpd/ntpsnmpd-opts.h@1.523 +3 -3 + ntp-4.2.8p9-PRE + + ntpsnmpd/ntpsnmpd.1ntpsnmpdman@1.335 +3 -3 + ntp-4.2.8p9-PRE + + ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc@1.335 +2 -2 + ntp-4.2.8p9-PRE + + ntpsnmpd/ntpsnmpd.html@1.175 +14 -10 + ntp-4.2.8p9-PRE + + ntpsnmpd/ntpsnmpd.man.in@1.335 +3 -3 + ntp-4.2.8p9-PRE + + ntpsnmpd/ntpsnmpd.mdoc.in@1.335 +2 -2 + ntp-4.2.8p9-PRE + + packageinfo.sh@1.529 +2 -2 + ntp-4.2.8p9-PRE + + scripts/calc_tickadj/calc_tickadj.1calc_tickadjman@1.96 +3 -3 + ntp-4.2.8p9-PRE + + scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc@1.97 +2 -2 
+ ntp-4.2.8p9-PRE + + scripts/calc_tickadj/calc_tickadj.html@1.98 +34 -22 + ntp-4.2.8p9-PRE + + scripts/calc_tickadj/calc_tickadj.man.in@1.95 +3 -3 + ntp-4.2.8p9-PRE + + scripts/calc_tickadj/calc_tickadj.mdoc.in@1.97 +2 -2 + ntp-4.2.8p9-PRE + + scripts/calc_tickadj/invoke-calc_tickadj.texi@1.100 +1 -1 + ntp-4.2.8p9-PRE + + scripts/invoke-plot_summary.texi@1.118 +2 -2 + ntp-4.2.8p9-PRE + + scripts/invoke-summary.texi@1.117 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntp-wait/invoke-ntp-wait.texi@1.327 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntp-wait/ntp-wait-opts@1.63 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntp-wait/ntp-wait.1ntp-waitman@1.324 +3 -3 + ntp-4.2.8p9-PRE + + scripts/ntp-wait/ntp-wait.1ntp-waitmdoc@1.325 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntp-wait/ntp-wait.html@1.344 +49 -31 + ntp-4.2.8p9-PRE + + scripts/ntp-wait/ntp-wait.man.in@1.324 +3 -3 + ntp-4.2.8p9-PRE + + scripts/ntp-wait/ntp-wait.mdoc.in@1.325 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntpsweep/invoke-ntpsweep.texi@1.115 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntpsweep/ntpsweep-opts@1.65 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntpsweep/ntpsweep.1ntpsweepman@1.103 +3 -3 + ntp-4.2.8p9-PRE + + scripts/ntpsweep/ntpsweep.1ntpsweepmdoc@1.103 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntpsweep/ntpsweep.html@1.116 +44 -33 + ntp-4.2.8p9-PRE + + scripts/ntpsweep/ntpsweep.man.in@1.103 +3 -3 + ntp-4.2.8p9-PRE + + scripts/ntpsweep/ntpsweep.mdoc.in@1.104 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntptrace/invoke-ntptrace.texi@1.116 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntptrace/ntptrace-opts@1.65 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntptrace/ntptrace.1ntptraceman@1.103 +3 -3 + ntp-4.2.8p9-PRE + + scripts/ntptrace/ntptrace.1ntptracemdoc@1.104 +2 -2 + ntp-4.2.8p9-PRE + + scripts/ntptrace/ntptrace.html@1.117 +36 -27 + ntp-4.2.8p9-PRE + + scripts/ntptrace/ntptrace.man.in@1.103 +3 -3 + ntp-4.2.8p9-PRE + + scripts/ntptrace/ntptrace.mdoc.in@1.105 +2 -2 + ntp-4.2.8p9-PRE + + scripts/plot_summary-opts@1.66 +2 -2 + ntp-4.2.8p9-PRE + + 
scripts/plot_summary.1plot_summaryman@1.116 +3 -3 + ntp-4.2.8p9-PRE + + scripts/plot_summary.1plot_summarymdoc@1.116 +2 -2 + ntp-4.2.8p9-PRE + + scripts/plot_summary.html@1.119 +47 -29 + ntp-4.2.8p9-PRE + + scripts/plot_summary.man.in@1.116 +3 -3 + ntp-4.2.8p9-PRE + + scripts/plot_summary.mdoc.in@1.116 +2 -2 + ntp-4.2.8p9-PRE + + scripts/summary-opts@1.65 +2 -2 + ntp-4.2.8p9-PRE + + scripts/summary.1summaryman@1.115 +3 -3 + ntp-4.2.8p9-PRE + + scripts/summary.1summarymdoc@1.115 +2 -2 + ntp-4.2.8p9-PRE + + scripts/summary.html@1.118 +39 -27 + ntp-4.2.8p9-PRE + + scripts/summary.man.in@1.115 +3 -3 + ntp-4.2.8p9-PRE + + scripts/summary.mdoc.in@1.115 +2 -2 + ntp-4.2.8p9-PRE + + scripts/update-leap/invoke-update-leap.texi@1.16 +1 -1 + ntp-4.2.8p9-PRE + + scripts/update-leap/update-leap-opts@1.16 +2 -2 + ntp-4.2.8p9-PRE + + scripts/update-leap/update-leap.1update-leapman@1.16 +3 -3 + ntp-4.2.8p9-PRE + + scripts/update-leap/update-leap.1update-leapmdoc@1.16 +2 -2 + ntp-4.2.8p9-PRE + + scripts/update-leap/update-leap.html@1.16 +59 -35 + ntp-4.2.8p9-PRE + + scripts/update-leap/update-leap.man.in@1.16 +3 -3 + ntp-4.2.8p9-PRE + + scripts/update-leap/update-leap.mdoc.in@1.16 +2 -2 + ntp-4.2.8p9-PRE + + sntp/invoke-sntp.texi@1.504 +2 -2 + ntp-4.2.8p9-PRE + + sntp/sntp-opts.c@1.523 +158 -158 + ntp-4.2.8p9-PRE + + sntp/sntp-opts.h@1.521 +3 -3 + ntp-4.2.8p9-PRE + + sntp/sntp.1sntpman@1.339 +3 -3 + ntp-4.2.8p9-PRE + *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-projects@freebsd.org Thu Nov 24 14:44:54 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 58363C5383B for ; Thu, 24 Nov 2016 14:44:54 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a 
certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0FCF71D8; Thu, 24 Nov 2016 14:44:53 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAOEiruN078508; Thu, 24 Nov 2016 14:44:53 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOEirMq078506; Thu, 24 Nov 2016 14:44:53 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611241444.uAOEirMq078506@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f 
From: Dimitry Andric Date: Thu, 24 Nov 2016 14:44:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309107 - projects/clang390-import/contrib/llvm X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 14:44:54 -0000 Author: dim Date: Thu Nov 24 14:44:53 2016 New Revision: 309107 URL: https://svnweb.freebsd.org/changeset/base/309107 Log: Fix up contrib/llvm mergeinfo. Modified: Directory Properties: projects/clang390-import/contrib/llvm/ (props changed) From owner-svn-src-projects@freebsd.org Thu Nov 24 17:07:17 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E52DFC52604 for ; Thu, 24 Nov 2016 17:07:17 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AECD0B7A; Thu, 24 Nov 2016 17:07:17 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAOH7GTC039483; Thu, 24 Nov 2016 17:07:16 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOH7FAn039470; Thu, 24 Nov 2016 17:07:15 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611241707.uAOH7FAn039470@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 17:07:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309110 - in projects/ipsec/sys: netinet netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 17:07:18 -0000 Author: ae Date: Thu Nov 24 17:07:15 2016 New Revision: 309110 URL: https://svnweb.freebsd.org/changeset/base/309110 Log: GC some now unused functions and macros. Update functions declarations, add needed includes. Fix the build. Modified: projects/ipsec/sys/netinet/ip_input.c projects/ipsec/sys/netinet/ip_ipsec.c projects/ipsec/sys/netinet/ip_ipsec.h projects/ipsec/sys/netinet/tcp_subr.c projects/ipsec/sys/netipsec/ipsec.c projects/ipsec/sys/netipsec/ipsec.h projects/ipsec/sys/netipsec/ipsec6.h projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/key.h projects/ipsec/sys/netipsec/xform_ah.c projects/ipsec/sys/netipsec/xform_esp.c projects/ipsec/sys/netipsec/xform_ipcomp.c Modified: projects/ipsec/sys/netinet/ip_input.c ============================================================================== --- projects/ipsec/sys/netinet/ip_input.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netinet/ip_input.c Thu Nov 24 17:07:15 2016 (r309110) @@ -78,6 +78,8 @@ __FBSDID("$FreeBSD$"); #include #include #ifdef IPSEC +#include +#include #include #endif /* IPSEC */ #include Modified: projects/ipsec/sys/netinet/ip_ipsec.c ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netinet/ip_ipsec.c Thu Nov 24 17:07:15 2016 (r309110) 
@@ -115,23 +115,6 @@ ip_ipsec_input(struct mbuf *m, int nxt) } /* - * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. - * Called from ip_forward(). - * Returns MTU suggestion for ICMP needfrag reply. - */ -int -ip_ipsec_mtu(struct mbuf *m, int mtu) -{ - /* - * If the packet is routed over IPsec tunnel, tell the - * originator the tunnel MTU. - * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz - * XXX quickhack!!! - */ - return (mtu - ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL)); -} - -/* * Called from ip_output(). * 0 = continue processing packet * 1 = packet was consumed, stop processing Modified: projects/ipsec/sys/netinet/ip_ipsec.h ============================================================================== --- projects/ipsec/sys/netinet/ip_ipsec.h Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netinet/ip_ipsec.h Thu Nov 24 17:07:15 2016 (r309110) @@ -38,7 +38,6 @@ int ip_ipsec_filtertunnel(struct mbuf *); int ip_ipsec_input(struct mbuf *, int); -int ip_ipsec_mtu(struct mbuf *, int); int ip_ipsec_forward(struct mbuf *, int *); int ip_ipsec_output(struct mbuf *, struct inpcb *, int *); int ip_ipsec_pcbctl(struct inpcb *, struct sockopt *); Modified: projects/ipsec/sys/netinet/tcp_subr.c ============================================================================== --- projects/ipsec/sys/netinet/tcp_subr.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netinet/tcp_subr.c Thu Nov 24 17:07:15 2016 (r309110) @@ -2587,7 +2587,7 @@ tcp_get_sav(struct mbuf *m, u_int direct } /* Look up an SADB entry which matches the address of the peer. */ - sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI)); + sav = key_allocsa(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI)); if (sav == NULL) { ipseclog((LOG_ERR, "%s: SADB lookup failed for %s\n", __func__, (ip->ip_v == IPVERSION) ? inet_ntoa(dst.sin.sin_addr) : 
@@ -2708,7 +2708,7 @@ tcp_signature_do_compute(struct mbuf *m, break; #endif default: - KEY_FREESAV(&sav); + key_freesav(&sav); return (-1); /* NOTREACHED */ break; @@ -2738,7 +2738,7 @@ tcp_signature_do_compute(struct mbuf *m, MD5Final(buf, &ctx); key_sa_recordxfer(sav, m); - KEY_FREESAV(&sav); + key_freesav(&sav); return (0); } Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/ipsec.c Thu Nov 24 17:07:15 2016 (r309110) @@ -124,6 +124,8 @@ VNET_DEFINE(int, ip4_ah_net_deflev) = IP VNET_DEFINE(int, ip4_ipsec_ecn) = 0; VNET_DEFINE(int, ip4_esp_randpad) = -1; +static VNET_DEFINE(int, check_policy_history) = 0; +#define V_check_policy_history VNET(check_policy_history) static VNET_DEFINE(struct secpolicy, def_policy); #define V_def_policy VNET(def_policy) /* @@ -1417,43 +1419,6 @@ ipsec_hdrsiz_inpcb(struct inpcb *inp) return (sz); } -/* - * This function is called from ipsec_hdrsiz_tcp(), ip_ipsec_mtu(), - * disabled ip6_ipsec_mtu() and ip6_forward(). - */ -size_t -ipsec_hdrsiz(const struct mbuf *m, u_int dir, struct inpcb *inp) -{ - struct secpolicy *sp; - int error; - size_t size; - - if (!key_havesp(dir)) - return 0; - - IPSEC_ASSERT(m != NULL, ("null mbuf")); - - /* Get SP for this packet. */ - if (inp == NULL) - sp = ipsec_getpolicybyaddr(m, dir, &error); - else - sp = ipsec_getpolicybysock(m, dir, inp, &error); - - if (sp != NULL) { - size = ipsec_hdrsiz_internal(sp); - KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("%s: size:%lu.\n", __func__, - (unsigned long)size)); - - KEY_FREESP(&sp); - } else { - size = 0; /* XXX Should be panic? - * -> No, we are called w/o knowing if - * IPsec processing is needed. */ - } - return (size); -} - /* * Check the variable replay window. * ipsec_chkreplay() performs replay check before ICV verification. 
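Review bot: The comment removed along with ipsec_hdrsiz() names ipsec_hdrsiz_tcp(), ip6_ipsec_mtu() and ip6_forward() as callers in addition to ip_ipsec_mtu(), but ip_ipsec_mtu() is the only caller this change visibly deletes, and no netinet6 file is in the Modified list. The log should say where the remaining callers were converted or removed, so the deletion can be checked against them. It should also say what now supplies the tunnel MTU for the ICMP needfrag reply that ip_ipsec_mtu() used to compute for ip_forward().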
@@ -1683,7 +1648,7 @@ vshiftl(unsigned char *bitmap, int nbit, /* Return a printable string for the address. */ char* -ipsec_address(union sockaddr_union* sa, char *buf, socklen_t size) +ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size) { switch (sa->sa.sa_family) { Modified: projects/ipsec/sys/netipsec/ipsec.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.h Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/ipsec.h Thu Nov 24 17:07:15 2016 (r309110) @@ -53,11 +53,6 @@ #define IPSEC_ASSERT(_c,_m) KASSERT(_c, _m) -#define IPSEC_IS_PRIVILEGED_SO(_so) \ - ((_so)->so_cred != NULL && \ - priv_check_cred((_so)->so_cred, PRIV_NETINET_IPSEC, 0) \ - == 0) - /* * Security Policy Index * Ensure that both address families in the "src" and "dst" are same. @@ -299,8 +294,10 @@ VNET_DECLARE(int, crypto_support); #define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0) struct inpcb; +struct m_tag; struct secasvar; struct sockopt; +union sockaddr_union; struct ipsecrequest *ipsec_newisr(void); void ipsec_delisr(struct ipsecrequest *); 
@@ -316,18 +313,15 @@ int ipsec_delete_pcbpolicy(struct inpcb int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *); int ipsec_control_pcbpolicy(struct inpcb *, struct sockopt *); -extern int ipsec_chkreplay(u_int32_t, struct secasvar *); -extern int ipsec_updatereplay(u_int32_t, struct secasvar *); +int ipsec_chkreplay(uint32_t, struct secasvar *); +int ipsec_updatereplay(uint32_t, struct secasvar *); +int ipsec_updateid(struct secasvar *, uint64_t *, uint64_t *); -extern size_t ipsec_hdrsiz(const struct mbuf *, u_int, struct inpcb *); - -union sockaddr_union; -extern char *ipsec_address(union sockaddr_union *, char *, socklen_t); -extern char *ipsec_logsastr(struct secasvar *, char *, size_t); +char *ipsec_address(const union sockaddr_union *, char *, socklen_t); +char *ipsec_logsastr(struct secasvar *, char *, size_t); extern void ipsec_dumpmbuf(const struct mbuf *); -struct m_tag; extern int ah4_input(struct mbuf **mp, int *offp, int proto); extern void ah4_ctlinput(int cmd, struct sockaddr *sa, void *); extern int esp4_input(struct mbuf **mp, int *offp, int proto); 
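Review bot: ipsec_updateid() is a new prototype in this block, while the log only mentions garbage-collecting unused functions and updating declarations, and no definition is added in the visible diff. Please note in the log where the definition comes from. The block is also left half-converted: ipsec_chkreplay(), ipsec_updatereplay(), ipsec_address() and ipsec_logsastr() drop extern, while ipsec_dumpmbuf() and ah4_input() directly below keep it. Pick one style for the header.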
@@ -336,8 +330,10 @@ extern int ipcomp4_input(struct mbuf **m extern int ipsec_common_input(struct mbuf *m, int, int, int, int); extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff); -extern int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *); -extern int ipsec_process_done(struct mbuf *, struct ipsecrequest *); +extern int ipsec4_process_packet(struct mbuf *, struct secpolicy *, + struct inpcb *); +extern int ipsec_process_done(struct mbuf *, struct secpolicy *, + struct secasvar *, u_int); extern void m_checkalignment(const char* where, struct mbuf *m0, int off, int len); Modified: projects/ipsec/sys/netipsec/ipsec6.h ============================================================================== --- projects/ipsec/sys/netipsec/ipsec6.h Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/ipsec6.h Thu Nov 24 17:07:15 2016 (r309110) @@ -60,13 +60,16 @@ VNET_DECLARE(int, ip6_ipsec_ecn); struct inpcb; extern int ipsec6_in_reject(const struct mbuf *, struct inpcb *); +struct secpolicy *ipsec6_checkpolicy(const struct mbuf *, + struct inpcb *, int *); struct m_tag; extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto); extern int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff); extern void esp6_ctlinput(int, struct sockaddr *, void *); -extern int ipsec6_process_packet(struct mbuf *, struct ipsecrequest *); +int ipsec6_process_packet(struct mbuf *, struct secpolicy *, + struct inpcb *); #endif /*_KERNEL*/ #endif /*_NETIPSEC_IPSEC6_H_*/ Modified: projects/ipsec/sys/netipsec/key.c ============================================================================== --- projects/ipsec/sys/netipsec/key.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/key.c Thu Nov 24 17:07:15 2016 (r309110) 
@@ -548,9 +548,6 @@ static struct seckey *key_dup_keymsg(con struct malloc_type *); static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *); -#ifdef INET6 -static int key_ismyaddr6(struct sockaddr_in6 *); -#endif /* flags for key_cmpsaidx() */ #define CMP_HEAD 1 /* protocol, addresses. */ @@ -1016,16 +1013,6 @@ done: V_sp_genid++; } -void -key_addrefsa(struct secasvar *sav, const char* where, int tag) -{ - - IPSEC_ASSERT(sav != NULL, ("null sav")); - IPSEC_ASSERT(sav->refcnt > 0, ("refcount must exist")); - - SAV_ADDREF(sav); -} - /* * Must be called after calling key_allocsa(). * This function is called by key_freesp() to free some SA allocated @@ -2168,7 +2155,7 @@ key_spdflush(struct socket *so, struct m sp = TAILQ_FIRST(&drainq); while (sp != NULL) { nextsp = TAILQ_NEXT(sp, chain); - KEY_FREESP(&sp); + key_freesp(&sp); sp = nextsp; } @@ -2273,7 +2260,7 @@ key_setdumpsp(struct secpolicy *sp, u_in goto fail; m_cat(result, m); - m = key_sp2msg(sp); + m = key_sp2mbuf(sp); if (!m) goto fail; m_cat(result, m); @@ -2316,7 +2303,6 @@ fail: m_freem(result); return NULL; } - /* * get PFKEY message length for security policy and request. */ 
@@ -3554,29 +3540,29 @@ key_setsadbxpolicy(u_int16_t type, u_int * OUT: NULL no more memory */ struct seckey * -key_dup_keymsg(const struct sadb_key *src, u_int len, +key_dup_keymsg(const struct sadb_key *src, size_t len, struct malloc_type *type) { struct seckey *dst; - dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT); + + dst = malloc(sizeof(*dst), type, M_NOWAIT); if (dst != NULL) { dst->bits = src->sadb_key_bits; - dst->key_data = (char *)malloc(len, type, M_NOWAIT); + dst->key_data = malloc(len, type, M_NOWAIT); if (dst->key_data != NULL) { - bcopy((const char *)src + sizeof(struct sadb_key), - dst->key_data, len); + bcopy((const char *)(src + 1), dst->key_data, len); } else { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", - __func__)); + ipseclog((LOG_DEBUG, "%s: No more memory.\n", + __func__)); free(dst, type); dst = NULL; } } else { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", - __func__)); + ipseclog((LOG_DEBUG, "%s: No more memory.\n", + __func__)); } - return dst; + return (dst); } /* Take a lifetime message (sadb_lifetime) passed in on a socket and 
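Review bot: key_dup_keymsg() allocates and copies len bytes starting at (src + 1), and nothing inside the function relates len to src->sadb_key_len or src->sadb_key_bits, so the bcopy() is only safe if every caller has already validated len against the received message. With len widened from u_int to size_t, state that precondition in the function comment or assert it. The type change is also mixed in with cast removals and re-indented ipseclog() calls; splitting the whitespace cleanup into its own commit would make the functional change easier to review.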
@@ -3603,50 +3589,6 @@ key_dup_lifemsg(const struct sadb_lifeti return (dst); } -/* compare my own address - * OUT: 1: true, i.e. my address. - * 0: false - */ -int -key_ismyaddr(struct sockaddr *sa) -{ - - IPSEC_ASSERT(sa != NULL, ("null sockaddr")); - switch (sa->sa_family) { -#ifdef INET - case AF_INET: - return (in_localip(satosin(sa)->sin_addr)); -#endif -#ifdef INET6 - case AF_INET6: - return key_ismyaddr6((struct sockaddr_in6 *)sa); -#endif - } - - return 0; -} - -#ifdef INET6 -/* - * compare my own address for IPv6. - * 1: ours - * 0: other - */ -static int -key_ismyaddr6(struct sockaddr_in6 *sin6) -{ - struct in6_addr in6; - - if (!IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr)) - return (in6_localip(&sin6->sin6_addr)); - - /* Convert address into kernel-internal form */ - in6 = sin6->sin6_addr; - in6.s6_addr16[1] = htons(sin6->sin6_scope_id & 0xffff); - return (in6_localip(&in6)); -} -#endif /*INET6*/ - /* * compare two secasindex structure. * flag can specify to compare 2 saidxes. @@ -3868,7 +3810,7 @@ key_cmpspidx_withmask(struct secpolicyin #endif #define satosin6(s) ((const struct sockaddr_in6 *)s) /* returns 0 on match */ -static int +int key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2, int port) { 
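Review bot: key_sockaddrcmp() becomes a global symbol in the last hunk here, but its only documentation is still the one-line "returns 0 on match" comment above the definition. Now that it is exported, the memcmp-style return value and the meaning of the int port argument should be documented next to the prototype, since callers outside key.c can easily read a zero return as "no match".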
@@ -5962,32 +5904,6 @@ key_acquire(const struct secasindex *sai return error; } -static struct secacq * -key_newacq(const struct secasindex *saidx) -{ - struct secacq *newacq; - - /* get new entry */ - newacq = malloc(sizeof(struct secacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO); - if (newacq == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); - return NULL; - } - - /* copy secindex */ - bcopy(saidx, &newacq->saidx, sizeof(newacq->saidx)); - newacq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq); - newacq->created = time_second; - newacq->count = 0; - - /* add to acqtree */ - ACQ_LOCK(); - LIST_INSERT_HEAD(&V_acqtree, newacq, chain); - ACQ_UNLOCK(); - - return newacq; -} - static uint32_t key_newacq(const struct secasindex *saidx, int *perror) { @@ -7449,7 +7365,7 @@ key_destroy(void) sp = TAILQ_FIRST(&drainq); while (sp != NULL) { nextsp = TAILQ_NEXT(sp, chain); - KEY_FREESP(&sp); + key_freesp(&sp); sp = nextsp; } Modified: projects/ipsec/sys/netipsec/key.h ============================================================================== --- projects/ipsec/sys/netipsec/key.h Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/key.h Thu Nov 24 17:07:15 2016 (r309110) @@ -37,7 +37,6 @@ struct secpolicy; struct secpolicyindex; -struct ipsecrequest; struct secasvar; struct sockaddr; struct socket; 
@@ -46,64 +45,28 @@ struct sadb_x_policy; struct secasindex; union sockaddr_union; +struct secpolicy *key_newsp(void); +struct secpolicy *key_allocsp(struct secpolicyindex *, u_int); +struct secpolicy *key_msg2sp(struct sadb_x_policy *, size_t, int *); +int key_sp2msg(struct secpolicy *, void *, size_t *); +void key_addref(struct secpolicy *); +void key_freesp(struct secpolicy **); +int key_spdacquire(struct secpolicy *); +int key_havesp(u_int); uint32_t key_getspgen(void); +uint32_t key_newreqid(void); -extern void key_addref(struct secpolicy *sp); -extern int key_havesp(u_int dir); -extern struct secpolicy *key_allocsp(struct secpolicyindex *, u_int, - const char*, int); -extern struct secpolicy *key_allocsp2(u_int32_t spi, union sockaddr_union *dst, - u_int8_t proto, u_int dir, const char*, int); -extern struct secpolicy *key_newsp(const char*, int); -#if 0 -extern struct secpolicy *key_gettunnel(const struct sockaddr *, - const struct sockaddr *, const struct sockaddr *, - const struct sockaddr *, const char*, int); -#endif -/* NB: prepend with _ for KAME IPv6 compatbility */ -extern void _key_freesp(struct secpolicy **, const char*, int); - -#define KEY_ALLOCSP(spidx, dir) \ - key_allocsp(spidx, dir, __FILE__, __LINE__) -#define KEY_ALLOCSP2(spi, dst, proto, dir) \ - key_allocsp2(spi, dst, proto, dir, __FILE__, __LINE__) -#define KEY_NEWSP() \ - key_newsp(__FILE__, __LINE__) -#if 0 -#define KEY_GETTUNNEL(osrc, odst, isrc, idst) \ - key_gettunnel(osrc, odst, isrc, idst, __FILE__, __LINE__) -#endif -#define KEY_FREESP(spp) \ - _key_freesp(spp, __FILE__, __LINE__) - -extern struct secasvar *key_allocsa(union sockaddr_union *, u_int, u_int32_t, - const char*, int); -extern struct secasvar *key_allocsa_tunnel(union sockaddr_union *, - union sockaddr_union *, u_int, const char*, int); -extern void key_addrefsa(struct secasvar *, const char*, int); -extern void key_freesav(struct secasvar **, const char*, int); - -#define KEY_ALLOCSA(dst, proto, spi) \ - 
key_allocsa(dst, proto, spi, __FILE__, __LINE__) -#define KEY_ALLOCSA_TUNNEL(src, dst, proto) \ - key_allocsa_tunnel(src, dst, proto, __FILE__, __LINE__) -#define KEY_ADDREFSA(sav) \ - key_addrefsa(sav, __FILE__, __LINE__) -#define KEY_FREESAV(psav) \ - key_freesav(psav, __FILE__, __LINE__) - -extern void key_freeso(struct socket *); -extern int key_checktunnelsanity(struct secasvar *, u_int, - caddr_t, caddr_t); -extern int key_checkrequest(struct ipsecrequest *isr, - const struct secasindex *); -extern struct secpolicy *key_msg2sp(struct sadb_x_policy *, - size_t, int *); - -int key_sp2msg(struct secpolicy *, void *request, size_t *len); +struct secasvar *key_allocsa(union sockaddr_union *, uint8_t, uint32_t); +struct secasvar *key_allocsa_tunnel(union sockaddr_union *, + union sockaddr_union *, uint8_t); +struct secasvar *key_allocsa_policy(struct secpolicy *, + const struct secasindex *, int *); +void key_freesav(struct secasvar **); + +int key_sockaddrcmp(const struct sockaddr *, const struct sockaddr *, int); +int key_sockaddrcmp_withmask(const struct sockaddr *, const struct sockaddr *, + size_t); -extern int key_ismyaddr(struct sockaddr *); -extern int key_spdacquire(struct secpolicy *); extern u_long key_random(void); extern void key_randomfill(void *, size_t); extern void key_freereg(struct socket *); @@ -114,9 +77,7 @@ extern void key_destroy(void); #endif extern void key_sa_recordxfer(struct secasvar *, struct mbuf *); #ifdef IPSEC_NAT_T -u_int16_t key_portfromsaddr(struct sockaddr *); -#define KEY_PORTFROMSADDR(saddr) \ - key_portfromsaddr((struct sockaddr *)(saddr)) +uint16_t key_portfromsaddr(struct sockaddr *); #endif #ifdef MALLOC_DECLARE Modified: projects/ipsec/sys/netipsec/xform_ah.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ah.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/xform_ah.c Thu Nov 24 17:07:15 2016 (r309110) 
@@ -46,7 +46,7 @@ #include #include #include -#include +#include #include #include Modified: projects/ipsec/sys/netipsec/xform_esp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_esp.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/xform_esp.c Thu Nov 24 17:07:15 2016 (r309110) @@ -46,7 +46,7 @@ #include #include #include -#include +#include #include #include #include Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c ============================================================================== --- projects/ipsec/sys/netipsec/xform_ipcomp.c Thu Nov 24 14:50:21 2016 (r309109) +++ projects/ipsec/sys/netipsec/xform_ipcomp.c Thu Nov 24 17:07:15 2016 (r309110) @@ -37,7 +37,6 @@ #include #include #include -#include #include #include #include From owner-svn-src-projects@freebsd.org Thu Nov 24 21:01:26 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C94ECC538B3 for ; Thu, 24 Nov 2016 21:01:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 79273C2E; Thu, 24 Nov 2016 21:01:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAOL1Pji035248; Thu, 24 Nov 2016 21:01:25 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOL1PEm035243; Thu, 24 Nov 2016 21:01:25 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611242101.uAOL1PEm035243@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Thu, 24 Nov 2016 21:01:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309115 - in projects/ipsec: sbin/ifconfig sys/conf sys/net sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 21:01:26 -0000 Author: ae Date: Thu Nov 24 21:01:25 2016 New Revision: 309115 URL: https://svnweb.freebsd.org/changeset/base/309115 Log: Add IPsec virtual tunneling interface. It can be created with ifconfig ipsec create. Then it can be configured like gif(4) interface: tunnel addresses and interface addresses. But it has one additional parameter - IPsec reqid. The reqid has the same meaning as the request id in the security policy. If no reqid was specified, its value will be automatically assigned. How it works. When interface is configured, it creates several security policies that will look like: 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid And similar policies for IPv6. These policies match all IPv4/IPv6 traffic. But they only work within the used ipsecN interface. Interface supports BPF consumers and `tcpdump -ni ipsecN` will show unencrypted traffic within this virtual tunnel. It is possible to manually configure SA for IPsec tunnel using ipsecN interface. setkey(8) has '-u' option to specify reqid for SA: add RemoteIP LocalIP esp SPI1 -m tunnel -u ReqID -E rijndael-cbc Key; add LocalIP RemoteIP esp SPI2 -m tunnel -u ReqID -E rijndael-cbc Key; Also IKEd can be configured to create needed SAs. How it works internally. 
When interface is configured, it registers its policies in the separate SPDB, for this reason such policies do not affect all traffic of the system. When outbound packet routed via this interface, interface uses its policies and invokes ipsec[46]_process_packet. For inbound packets ipsec[46]_input_cb() passes used SA and decrypted mbuf to the if_input routine, then it checks if used SA corresponds to configured policies. Added: projects/ipsec/sbin/ifconfig/ifipsec.c (contents, props changed) projects/ipsec/sys/net/if_ipsec.c (contents, props changed) projects/ipsec/sys/net/if_ipsec.h (contents, props changed) Modified: projects/ipsec/sbin/ifconfig/Makefile projects/ipsec/sys/conf/files projects/ipsec/sys/netipsec/ipsec.h projects/ipsec/sys/netipsec/ipsec_input.c projects/ipsec/sys/netipsec/ipsec_output.c projects/ipsec/sys/netipsec/key.c projects/ipsec/sys/netipsec/key.h Modified: projects/ipsec/sbin/ifconfig/Makefile ============================================================================== --- projects/ipsec/sbin/ifconfig/Makefile Thu Nov 24 20:31:46 2016 (r309114) +++ projects/ipsec/sbin/ifconfig/Makefile Thu Nov 24 21:01:25 2016 (r309115) @@ -34,6 +34,7 @@ SRCS+= ifvlan.c # SIOC[GS]ETVLAN suppor SRCS+= ifvxlan.c # VXLAN support SRCS+= ifgre.c # GRE keys etc SRCS+= ifgif.c # GIF reversed header workaround +SRCS+= ifipsec.c # IPsec VTI SRCS+= sfp.c # SFP/SFP+ information LIBADD+= m Added: projects/ipsec/sbin/ifconfig/ifipsec.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/ipsec/sbin/ifconfig/ifipsec.c Thu Nov 24 21:01:25 2016 (r309115) 
@@ -0,0 +1,101 @@ +/*- + * Copyright (c) 2016 Yandex LLC + * Copyright (c) 2016 Andrey V. Elsukov + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include +#include +#include + +#include +#include + +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "ifconfig.h" + +static void +ipsec_status(int s) +{ + uint32_t reqid; + + ifr.ifr_data = (caddr_t)&reqid; + if (ioctl(s, IPSECGREQID, &ifr) == -1) + return; + printf("\treqid: %u\n", reqid); +} + +static +DECL_CMD_FUNC(setreqid, val, arg) +{ + char *ep; + uint32_t v; + + v = strtoul(val, &ep, 0); + if (*ep != '\0') { + warn("Invalid reqid value %s", val); + return; + } + ifr.ifr_data = (char *)&v; + if (ioctl(s, IPSECSREQID, &ifr) == -1) { + warn("ioctl(IPSECSREQID)"); + return; + } +} + +static struct cmd ipsec_cmds[] = { + DEF_CMD_ARG("reqid", setreqid), +}; + +static struct afswtch af_ipsec = { + .af_name = "af_ipsec", + .af_af = AF_UNSPEC, + .af_other_status = ipsec_status, +}; + +static __constructor void +ipsec_ctor(void) +{ + size_t i; + + for (i = 0; i < nitems(ipsec_cmds); i++) + cmd_register(&ipsec_cmds[i]); + af_register(&af_ipsec); +#undef N +} Modified: projects/ipsec/sys/conf/files ============================================================================== --- projects/ipsec/sys/conf/files Thu Nov 24 20:31:46 2016 (r309114) +++ projects/ipsec/sys/conf/files Thu Nov 24 21:01:25 2016 (r309115) @@ -3837,6 +3837,7 @@ net/if_fwsubr.c optional fwip net/if_gif.c optional gif inet | gif inet6 | \ netgraph_gif inet | netgraph_gif inet6 net/if_gre.c optional gre inet | gre inet6 +net/if_ipsec.c optional inet ipsec | inet6 ipsec net/if_iso88025subr.c optional token net/if_lagg.c optional lagg net/if_loop.c optional loop Added: projects/ipsec/sys/net/if_ipsec.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/ipsec/sys/net/if_ipsec.c Thu Nov 24 21:01:25 2016 (r309115) 
@@ -0,0 +1,992 @@ +/*- + * Copyright (c) 2016 Yandex LLC + * Copyright (c) 2016 Andrey V. Elsukov + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +__FBSDID("$FreeBSD$"); + +#include "opt_inet.h" +#include "opt_inet6.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include +#include + +#ifdef INET +#include +#endif +#ifdef INET6 +#include +#endif + +#include +#include + +#include + +static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface"); +static const char ipsecname[] = "ipsec"; + +#if defined(INET) && defined(INET6) +#define IPSEC_SPCOUNT 4 +#else +#define IPSEC_SPCOUNT 2 +#endif + +struct ipsec_softc { + struct ifnet *ifp; + + struct rmlock lock; + struct secpolicy *sp[IPSEC_SPCOUNT]; + + uint32_t reqid; + u_int family; + u_int fibnum; + LIST_ENTRY(ipsec_softc) chain; + LIST_ENTRY(ipsec_softc) hash; +}; + +#define IPSEC_LOCK_INIT(sc) rm_init(&(sc)->lock, "if_ipsec softc") +#define IPSEC_LOCK_DESTROY(sc) rm_destroy(&(sc)->lock) +#define IPSEC_RLOCK_TRACKER struct rm_priotracker ipsec_tracker +#define IPSEC_RLOCK(sc) rm_rlock(&(sc)->lock, &ipsec_tracker) +#define IPSEC_RUNLOCK(sc) rm_runlock(&(sc)->lock, &ipsec_tracker) +#define IPSEC_RLOCK_ASSERT(sc) rm_assert(&(sc)->lock, RA_RLOCKED) +#define IPSEC_WLOCK(sc) rm_wlock(&(sc)->lock) +#define IPSEC_WUNLOCK(sc) rm_wunlock(&(sc)->lock) +#define IPSEC_WLOCK_ASSERT(sc) rm_assert(&(sc)->lock, RA_WLOCKED) + +static struct rmlock ipsec_sc_lock; +RM_SYSINIT(ipsec_sc_lock, &ipsec_sc_lock, "if_ipsec softc list"); + +#define IPSEC_SC_RLOCK_TRACKER struct rm_priotracker ipsec_sc_tracker +#define IPSEC_SC_RLOCK() rm_rlock(&ipsec_sc_lock, &ipsec_sc_tracker) +#define IPSEC_SC_RUNLOCK() rm_runlock(&ipsec_sc_lock, &ipsec_sc_tracker) +#define IPSEC_SC_RLOCK_ASSERT() rm_assert(&ipsec_sc_lock, RA_RLOCKED) +#define IPSEC_SC_WLOCK() rm_wlock(&ipsec_sc_lock) +#define IPSEC_SC_WUNLOCK() 
rm_wunlock(&ipsec_sc_lock) +#define IPSEC_SC_WLOCK_ASSERT() rm_assert(&ipsec_sc_lock, RA_WLOCKED) + +LIST_HEAD(ipsec_iflist, ipsec_softc); +static VNET_DEFINE(struct ipsec_iflist, ipsec_sc_list); +static VNET_DEFINE(struct ipsec_iflist *, ipsec_sc_htbl); +static VNET_DEFINE(u_long, ipsec_sc_hmask); +#define V_ipsec_sc_list VNET(ipsec_sc_list) +#define V_ipsec_sc_htbl VNET(ipsec_sc_htbl) +#define V_ipsec_sc_hmask VNET(ipsec_sc_hmask) + +static uint32_t +ipsec_hash(uint32_t id) +{ + + return (fnv_32_buf(&id, sizeof(id), FNV1_32_INIT)); +} + +#define SCHASH_NHASH_LOG2 5 +#define SCHASH_NHASH (1 << SCHASH_NHASH_LOG2) +#define SCHASH_HASHVAL(id) (ipsec_hash((id)) & V_ipsec_sc_hmask) +#define SCHASH_HASH(id) &V_ipsec_sc_htbl[SCHASH_HASHVAL(id)] + +/* + * ipsec_ioctl_sx protects from concurrent ioctls. + */ +static struct sx ipsec_ioctl_sx; +SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl"); + +static int ipsec_init_reqid(struct ipsec_softc *); +static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *, + struct sockaddr *, uint32_t); +static void ipsec_delete_tunnel(struct ifnet *, int); + +static int ipsec_set_addresses(struct ifnet *, struct sockaddr *, + struct sockaddr *); +static int ipsec_set_reqid(struct ifnet *, uint32_t); +static int ipsec_input(struct mbuf *, struct secasvar *, uint32_t); + +static int ipsec_ioctl(struct ifnet *, u_long, caddr_t); +static int ipsec_transmit(struct ifnet *, struct mbuf *); +static int ipsec_output(struct ifnet *, struct mbuf *, + const struct sockaddr *, struct route *); +static void ipsec_qflush(struct ifnet *); +static int ipsec_clone_create(struct if_clone *, int, caddr_t); +static void ipsec_clone_destroy(struct ifnet *); +static int ipsec_modevent(module_t, int, void *); + +static VNET_DEFINE(struct if_clone *, ipsec_cloner); +#define V_ipsec_cloner VNET(ipsec_cloner) + +static int +ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params) +{ + struct ipsec_softc *sc; + struct ifnet *ifp; + + sc 
= malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO); + sc->fibnum = curthread->td_proc->p_fibnum; + sc->ifp = ifp = if_alloc(IFT_TUNNEL); + IPSEC_LOCK_INIT(sc); + ifp->if_softc = sc; + if_initname(ifp, ipsecname, unit); + + ifp->if_addrlen = 0; + ifp->if_mtu = IPSEC_MTU; + ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; + ifp->if_ioctl = ipsec_ioctl; + ifp->if_transmit = ipsec_transmit; + ifp->if_qflush = ipsec_qflush; + ifp->if_output = ipsec_output; + if_attach(ifp); + bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); + + IPSEC_SC_WLOCK(); + LIST_INSERT_HEAD(&V_ipsec_sc_list, sc, chain); + IPSEC_SC_WUNLOCK(); + return (0); +} + +static void +ipsec_clone_destroy(struct ifnet *ifp) +{ + struct ipsec_softc *sc; + + sx_xlock(&ipsec_ioctl_sx); + sc = ifp->if_softc; + + IPSEC_SC_WLOCK(); + ipsec_delete_tunnel(ifp, 1); + LIST_REMOVE(sc, chain); + IPSEC_SC_WUNLOCK(); + + bpfdetach(ifp); + if_detach(ifp); + ifp->if_softc = NULL; + sx_xunlock(&ipsec_ioctl_sx); + + if_free(ifp); + IPSEC_LOCK_DESTROY(sc); + free(sc, M_IPSEC); +} + +static void +vnet_ipsec_init(const void *unused __unused) +{ + + LIST_INIT(&V_ipsec_sc_list); + V_ipsec_sc_htbl = hashinit(SCHASH_NHASH, M_IPSEC, &V_ipsec_sc_hmask); + V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create, + ipsec_clone_destroy, 0); +} +VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, + vnet_ipsec_init, NULL); + +static void +vnet_ipsec_uninit(const void *unused __unused) +{ + + if_clone_detach(V_ipsec_cloner); + hashdestroy(V_ipsec_sc_htbl, M_IPSEC, V_ipsec_sc_hmask); +} +VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, + vnet_ipsec_uninit, NULL); + +static struct secpolicy * +ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af) +{ + + switch (af) { +#ifdef INET + case AF_INET: + return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]); +#endif +#ifdef INET6 + case AF_INET6: + return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 
0: 1) +#ifdef INET + + 2 +#endif + ]); +#endif + } + return (NULL); +} + +static struct secasindex * +ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af) +{ + struct secpolicy *sp; + + sp = ipsec_getpolicy(sc, dir, af); + if (sp == NULL) + return (NULL); + return (&sp->req[0]->saidx); +} + +static int +ipsec_transmit(struct ifnet *ifp, struct mbuf *m) +{ + IPSEC_RLOCK_TRACKER; + struct ipsec_softc *sc; + struct secpolicy *sp; + struct ip *ip; + uint32_t af; + int error; + +#ifdef MAC + error = mac_ifnet_check_transmit(ifp, m); + if (error) { + m_freem(m); + goto err; + } +#endif + error = ENETDOWN; + sc = ifp->if_softc; + if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || + (ifp->if_flags & IFF_MONITOR) != 0 || + (ifp->if_flags & IFF_UP) == 0) { + m_freem(m); + goto err; + } + + /* Determine address family to correctly handle packet in BPF */ + ip = mtod(m, struct ip *); + switch (ip->ip_v) { +#ifdef INET + case IPVERSION: + af = AF_INET; + break; +#endif +#ifdef INET6 + case (IPV6_VERSION >> 4): + af = AF_INET6; + break; +#endif + default: + error = EAFNOSUPPORT; + m_freem(m); + goto err; + } + + /* + * Loop prevention. + * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag. + * We can read full chain and compare destination address, + * proto and mode from xform_history with values from softc. 
+ */ + if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) { + m_freem(m); + goto err; + } + + IPSEC_RLOCK(sc); + if (sc->family == 0) { + IPSEC_RUNLOCK(sc); + m_freem(m); + goto err; + } + sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af); + key_addref(sp); + M_SETFIB(m, sc->fibnum); + IPSEC_RUNLOCK(sc); + + BPF_MTAP2(ifp, &af, sizeof(af), m); + if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); + if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); + + switch (af) { +#ifdef INET + case AF_INET: + error = ipsec4_process_packet(m, sp, NULL); + break; +#endif +#ifdef INET6 + case AF_INET6: + error = ipsec6_process_packet(m, sp, NULL); + break; +#endif + default: + panic("%s: unknown address family\n", __func__); + } +err: + if (error != 0) + if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); + return (error); +} + +static void +ipsec_qflush(struct ifnet *ifp __unused) +{ + +} + +static int +ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, + struct route *ro) +{ + + return (ifp->if_transmit(ifp, m)); +} + +int +ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af) +{ + IPSEC_SC_RLOCK_TRACKER; + struct secasindex *saidx; + struct ipsec_softc *sc; + struct ifnet *ifp; + + if (sav->state != SADB_SASTATE_MATURE && + sav->state != SADB_SASTATE_DYING) { + m_freem(m); + return (ENETDOWN); + } + + if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL || + sav->sah->saidx.proto != IPPROTO_ESP) + return (0); + + IPSEC_SC_RLOCK(); + /* + * We only acquire SC_RLOCK() while we are doing search in + * ipsec_sc_htbl. It is safe, because removing softc or changing + * of reqid/addresses requires removing from hash table. + */ + LIST_FOREACH(sc, SCHASH_HASH(sav->sah->saidx.reqid), hash) { + saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND, + sav->sah->saidx.src.sa.sa_family); + /* SA's reqid should match reqid in SP */ + if (saidx == NULL || + sav->sah->saidx.reqid != saidx->reqid) + continue; + /* SAH's addresses should match tunnel endpoints. 
*/ + if (key_sockaddrcmp(&sav->sah->saidx.dst.sa, + &saidx->dst.sa, 0) != 0) + continue; + if (key_sockaddrcmp(&sav->sah->saidx.src.sa, + &saidx->src.sa, 0) == 0) + break; + } + if (sc == NULL) { + IPSEC_SC_RUNLOCK(); + /* Tunnel was not found. Nothing to do. */ + return (0); + } + ifp = sc->ifp; + if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || + (ifp->if_flags & IFF_UP) == 0) { + IPSEC_SC_RUNLOCK(); + m_freem(m); + return (ENETDOWN); + } + /* + * We found matching and working tunnel. + * Set its ifnet as receiving interface. + */ + m->m_pkthdr.rcvif = ifp; + IPSEC_SC_RUNLOCK(); + + /* m_clrprotoflags(m); */ + M_SETFIB(m, ifp->if_fib); + BPF_MTAP2(ifp, &af, sizeof(af), m); + if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); + if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); + if ((ifp->if_flags & IFF_MONITOR) != 0) { + m_freem(m); + return (ENETDOWN); + } + return (0); +} + +/* XXX how should we handle IPv6 scope on SIOC[GS]IFPHYADDR? */ +int +ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) +{ + IPSEC_RLOCK_TRACKER; + struct ifreq *ifr = (struct ifreq*)data; + struct sockaddr *dst, *src; + struct ipsec_softc *sc; + struct secasindex *saidx; +#ifdef INET + struct sockaddr_in *sin = NULL; +#endif +#ifdef INET6 + struct sockaddr_in6 *sin6 = NULL; +#endif + uint32_t reqid; + int error; + + switch (cmd) { + case SIOCSIFADDR: + ifp->if_flags |= IFF_UP; + case SIOCADDMULTI: + case SIOCDELMULTI: + case SIOCGIFMTU: + case SIOCSIFFLAGS: + return (0); + case SIOCSIFMTU: + if (ifr->ifr_mtu < IPSEC_MTU_MIN || + ifr->ifr_mtu > IPSEC_MTU_MAX) + return (EINVAL); + else + ifp->if_mtu = ifr->ifr_mtu; + return (0); + } + sx_xlock(&ipsec_ioctl_sx); + sc = ifp->if_softc; + /* Check that softc is still here */ + if (sc == NULL) { + error = ENXIO; + goto bad; + } + error = 0; + switch (cmd) { + case SIOCSIFPHYADDR: +#ifdef INET6 + case SIOCSIFPHYADDR_IN6: +#endif + error = EINVAL; + switch (cmd) { +#ifdef INET + case SIOCSIFPHYADDR: + src = (struct sockaddr *) + &(((struct 
in_aliasreq *)data)->ifra_addr); + dst = (struct sockaddr *) + &(((struct in_aliasreq *)data)->ifra_dstaddr); + break; +#endif +#ifdef INET6 + case SIOCSIFPHYADDR_IN6: + src = (struct sockaddr *) + &(((struct in6_aliasreq *)data)->ifra_addr); + dst = (struct sockaddr *) + &(((struct in6_aliasreq *)data)->ifra_dstaddr); + break; +#endif + default: + goto bad; + } + /* sa_family must be equal */ + if (src->sa_family != dst->sa_family || + src->sa_len != dst->sa_len) + goto bad; + + /* validate sa_len */ + switch (src->sa_family) { +#ifdef INET + case AF_INET: + if (src->sa_len != sizeof(struct sockaddr_in)) + goto bad; + break; +#endif +#ifdef INET6 + case AF_INET6: + if (src->sa_len != sizeof(struct sockaddr_in6)) + goto bad; + break; +#endif + default: + error = EAFNOSUPPORT; + goto bad; + } + /* check sa_family looks sane for the cmd */ + error = EAFNOSUPPORT; + switch (cmd) { +#ifdef INET + case SIOCSIFPHYADDR: + if (src->sa_family == AF_INET) + break; + goto bad; +#endif +#ifdef INET6 + case SIOCSIFPHYADDR_IN6: + if (src->sa_family == AF_INET6) + break; + goto bad; +#endif + } + error = EADDRNOTAVAIL; + switch (src->sa_family) { +#ifdef INET + case AF_INET: + if (satosin(src)->sin_addr.s_addr == INADDR_ANY || + satosin(dst)->sin_addr.s_addr == INADDR_ANY) + goto bad; + break; +#endif +#ifdef INET6 + case AF_INET6: + if (IN6_IS_ADDR_UNSPECIFIED(&satosin6(src)->sin6_addr) + || + IN6_IS_ADDR_UNSPECIFIED(&satosin6(dst)->sin6_addr)) + goto bad; + /* + * Check validity of the scope zone ID of the + * addresses, and convert it into the kernel + * internal form if necessary. 
+ */ + error = sa6_embedscope(satosin6(src), 0); + if (error != 0) + goto bad; + error = sa6_embedscope(satosin6(dst), 0); + if (error != 0) + goto bad; +#endif + }; + error = ipsec_set_addresses(ifp, src, dst); + break; + case SIOCDIFPHYADDR: + ipsec_delete_tunnel(ifp, 0); + break; + case SIOCGIFPSRCADDR: + case SIOCGIFPDSTADDR: +#ifdef INET6 + case SIOCGIFPSRCADDR_IN6: + case SIOCGIFPDSTADDR_IN6: +#endif + IPSEC_RLOCK(sc); + if (sc->family == 0) { + IPSEC_RUNLOCK(sc); + error = EADDRNOTAVAIL; + break; + } + saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); + switch (cmd) { +#ifdef INET + case SIOCGIFPSRCADDR: + case SIOCGIFPDSTADDR: + if (saidx->src.sa.sa_family != AF_INET) { + error = EADDRNOTAVAIL; + break; + } + sin = (struct sockaddr_in *)&ifr->ifr_addr; + memset(sin, 0, sizeof(*sin)); + sin->sin_family = AF_INET; + sin->sin_len = sizeof(*sin); + break; +#endif +#ifdef INET6 + case SIOCGIFPSRCADDR_IN6: + case SIOCGIFPDSTADDR_IN6: + if (saidx->src.sa.sa_family != AF_INET6) { + error = EADDRNOTAVAIL; + break; + } + sin6 = (struct sockaddr_in6 *) + &(((struct in6_ifreq *)data)->ifr_addr); + memset(sin6, 0, sizeof(*sin6)); + sin6->sin6_family = AF_INET6; + sin6->sin6_len = sizeof(*sin6); + break; +#endif + default: + error = EAFNOSUPPORT; + } + if (error == 0) { + switch (cmd) { +#ifdef INET + case SIOCGIFPSRCADDR: + sin->sin_addr = saidx->src.sin.sin_addr; + break; + case SIOCGIFPDSTADDR: + sin->sin_addr = saidx->dst.sin.sin_addr; + break; +#endif +#ifdef INET6 + case SIOCGIFPSRCADDR_IN6: + sin6->sin6_addr = saidx->src.sin6.sin6_addr; + break; + case SIOCGIFPDSTADDR_IN6: + sin6->sin6_addr = saidx->dst.sin6.sin6_addr; + break; +#endif + } + } + IPSEC_RUNLOCK(sc); + if (error != 0) + break; + switch (cmd) { +#ifdef INET + case SIOCGIFPSRCADDR: + case SIOCGIFPDSTADDR: + error = prison_if(curthread->td_ucred, + (struct sockaddr *)sin); + if (error != 0) + memset(sin, 0, sizeof(*sin)); + break; +#endif +#ifdef INET6 + case SIOCGIFPSRCADDR_IN6: + case 
SIOCGIFPDSTADDR_IN6: + error = prison_if(curthread->td_ucred, + (struct sockaddr *)sin6); + if (error == 0) + error = sa6_recoverscope(sin6); + if (error != 0) + memset(sin6, 0, sizeof(*sin6)); +#endif + } + break; + case SIOCGTUNFIB: + ifr->ifr_fib = sc->fibnum; + break; + case SIOCSTUNFIB: + if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0) + break; + if (ifr->ifr_fib >= rt_numfibs) + error = EINVAL; + else + sc->fibnum = ifr->ifr_fib; + break; + case IPSECGREQID: + reqid = sc->reqid; + error = copyout(&reqid, ifr->ifr_data, sizeof(reqid)); + break; + case IPSECSREQID: + if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0) + break; + error = copyin(ifr->ifr_data, &reqid, sizeof(reqid)); + if (error != 0) + break; + error = ipsec_set_reqid(ifp, reqid); + break; + default: + error = EINVAL; + break; + } +bad: + sx_xunlock(&ipsec_ioctl_sx); + return (error); +} + +/* + * Allocate new private security policies for tunneling interface. + * Each tunneling interface has following security policies for + * both AF: + * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ + * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid + * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ + * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid + */ +static int +ipsec_newpolicies(struct secpolicy *sp[IPSEC_SPCOUNT], + const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) +{ + struct ipsecrequest *isr; + int i; + + memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); + for (i = 0; i < IPSEC_SPCOUNT; i++) { + if ((sp[i] = key_newsp()) == NULL) + goto fail; + if ((isr = ipsec_newisr()) == NULL) + goto fail; + + sp[i]->policy = IPSEC_POLICY_IPSEC; + sp[i]->state = IPSEC_SPSTATE_DEAD; + sp[i]->req[sp[i]->tcount++] = isr; + sp[i]->created = time_second; + isr->level = IPSEC_LEVEL_UNIQUE; + isr->saidx.proto = IPPROTO_ESP; + isr->saidx.mode = IPSEC_MODE_TUNNEL; + isr->saidx.reqid = reqid; + if (i % 2 == 0) { + sp[i]->spidx.dir = IPSEC_DIR_INBOUND; + bcopy(src, &isr->saidx.dst, 
src->sa_len); + bcopy(dst, &isr->saidx.src, dst->sa_len); + } else { + sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND; + bcopy(src, &isr->saidx.src, src->sa_len); + bcopy(dst, &isr->saidx.dst, dst->sa_len); + } + sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY; +#ifdef INET + if (i < 2) { + sp[i]->spidx.src.sa.sa_family = + sp[i]->spidx.dst.sa.sa_family = AF_INET; + sp[i]->spidx.src.sa.sa_len = + sp[i]->spidx.dst.sa.sa_len = + sizeof(struct sockaddr_in); + continue; + } +#endif +#ifdef INET6 + sp[i]->spidx.src.sa.sa_family = + sp[i]->spidx.dst.sa.sa_family = AF_INET6; + sp[i]->spidx.src.sa.sa_len = + sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6); +#endif + } + return (0); +fail: + for (i = 0; i < IPSEC_SPCOUNT; i++) + key_freesp(&sp[i]); + return (ENOMEM); +} + +static int +ipsec_check_reqid(uint32_t reqid) +{ + struct ipsec_softc *sc; + + IPSEC_SC_RLOCK_ASSERT(); + LIST_FOREACH(sc, &V_ipsec_sc_list, chain) { + if (sc->reqid == reqid) + return (EEXIST); + } + return (0); +} + +static int +ipsec_init_reqid(struct ipsec_softc *sc) +{ + uint32_t reqid; + int trycount; + + IPSEC_SC_RLOCK_ASSERT(); + + if (sc->reqid != 0) /* already initialized */ + return (0); + + trycount = 64; + while (--trycount > 0) { + reqid = key_newreqid(); + if (ipsec_check_reqid(reqid) == 0) + break; + } + if (trycount == 0) + return (EEXIST); + sc->reqid = reqid; + return (0); +} + +/* + * Set or update reqid for given tunneling interface. + * When specified reqid is zero, generate new one. + * We are protected by ioctl_sx lock from concurrent id generation. + * Also softc would not disappear while we hold ioctl_sx lock. 
+ */ +static int +ipsec_set_reqid(struct ifnet *ifp, uint32_t reqid) +{ + IPSEC_SC_RLOCK_TRACKER; + struct ipsec_softc *sc; + struct secasindex *saidx; + + sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); + + sc = ifp->if_softc; + if (sc->reqid == reqid && reqid != 0) + return (0); + + IPSEC_SC_RLOCK(); + if (reqid != 0) { + /* Check that specified reqid doesn't exist */ + if (ipsec_check_reqid(reqid) != 0) { + IPSEC_SC_RUNLOCK(); + return (EEXIST); + } + sc->reqid = reqid; + } else { + /* Generate new reqid */ + if (ipsec_init_reqid(sc) != 0) { + IPSEC_SC_RUNLOCK(); + return (EEXIST); + } + } + IPSEC_SC_RUNLOCK(); + + /* Tunnel isn't fully configured, just return. */ + if (sc->family == 0) + return (0); + + saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); + KASSERT(saidx != NULL, + ("saidx is NULL, but family is %d", sc->family)); + return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa, + sc->reqid)); +} + +/* + * Set tunnel endpoints addresses. + */ +static int +ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src, + struct sockaddr *dst) +{ + IPSEC_SC_RLOCK_TRACKER; + struct ipsec_softc *sc, *tsc; + struct secasindex *saidx; + + sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-projects@freebsd.org Thu Nov 24 21:12:45 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 08D77C53CA9 for ; Thu, 24 Nov 2016 21:12:45 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B40DF9C8; Thu, 24 Nov 2016 21:12:44 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org 
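Review bot: the fail: path in ipsec_newpolicies() calls key_freesp(&sp[i]) for every index below IPSEC_SPCOUNT, including the slots that are still NULL from the memset() when key_newsp() or ipsec_newisr() fails part-way through the loop. Unless key_freesp() is known to accept a NULL policy, the ENOMEM path dereferences a NULL pointer in the kernel; guard the call with if (sp[i] != NULL) or stop the cleanup at the failing index. Separately, ipsec_transmit() reads ip->ip_v through mtod() with no visible check that the leading mbuf holds any header bytes, so a length check or an assertion before the switch would make that assumption explicit.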
(8.15.2/8.15.2) with ESMTP id uAOLChdB039791; Thu, 24 Nov 2016 21:12:43 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOLChDG039788; Thu, 24 Nov 2016 21:12:43 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611242112.uAOLChDG039788@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f From: Dimitry Andric Date: Thu, 24 Nov 2016 21:12:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309117 - in projects/clang390-import: . lib/clang sys/sys X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 21:12:45 -0000 Author: dim Date: Thu Nov 24 21:12:43 2016 New Revision: 309117 URL: https://svnweb.freebsd.org/changeset/base/309117 Log: In preparation for merging back to head, bump __FreeBSD_version, FREEBSD_CC_VERSION and set date in ObsoleteFiles.inc. Modified: projects/clang390-import/ObsoleteFiles.inc projects/clang390-import/lib/clang/freebsd_cc_version.h projects/clang390-import/sys/sys/param.h Modified: projects/clang390-import/ObsoleteFiles.inc ============================================================================== --- projects/clang390-import/ObsoleteFiles.inc Thu Nov 24 21:12:32 2016 (r309116) +++ projects/clang390-import/ObsoleteFiles.inc Thu Nov 24 21:12:43 2016 (r309117) 
@@ -38,7 +38,7 @@ # xargs -n1 | sort | uniq -d; # done -# 2016mmdd: new clang import which bumps version from 3.8.0 to 3.9.0. +# 20161124: new clang import which bumps version from 3.8.0 to 3.9.0. OLD_FILES+=usr/lib/clang/3.8.0/include/sanitizer/allocator_interface.h OLD_FILES+=usr/lib/clang/3.8.0/include/sanitizer/asan_interface.h OLD_FILES+=usr/lib/clang/3.8.0/include/sanitizer/common_interface_defs.h Modified: projects/clang390-import/lib/clang/freebsd_cc_version.h ============================================================================== --- projects/clang390-import/lib/clang/freebsd_cc_version.h Thu Nov 24 21:12:32 2016 (r309116) +++ projects/clang390-import/lib/clang/freebsd_cc_version.h Thu Nov 24 21:12:43 2016 (r309117) @@ -1,3 +1,3 @@ /* $FreeBSD$ */ -#define FREEBSD_CC_VERSION 1200002 +#define FREEBSD_CC_VERSION 1200003 Modified: projects/clang390-import/sys/sys/param.h ============================================================================== --- projects/clang390-import/sys/sys/param.h Thu Nov 24 21:12:32 2016 (r309116) +++ projects/clang390-import/sys/sys/param.h Thu Nov 24 21:12:43 2016 (r309117) 
@@ -58,7 +58,7 @@ * in the range 5 to 9. */ #undef __FreeBSD_version -#define __FreeBSD_version 1200016 /* Master, propagated to newvers */ +#define __FreeBSD_version 1200017 /* Master, propagated to newvers */ /* * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD, From owner-svn-src-projects@freebsd.org Thu Nov 24 21:14:24 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D5B1AC53DBF for ; Thu, 24 Nov 2016 21:14:24 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A441DC25; Thu, 24 Nov 2016 21:14:24 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAOLENTS040091; Thu, 24 Nov 2016 21:14:23 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOLENTH040081; Thu, 24 Nov 2016 21:14:23 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611242114.uAOLENTH040081@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f 
From: Dimitry Andric Date: Thu, 24 Nov 2016 21:14:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309118 - in projects/clang390-import: lib/libutil sys/arm/ti/cpsw sys/conf sys/dev/virtio/console sys/kern sys/modules sys/powerpc/include X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 21:14:24 -0000 Author: dim Date: Thu Nov 24 21:14:22 2016 New Revision: 309118 URL: https://svnweb.freebsd.org/changeset/base/309118 Log: Merge ^/head r309106 through r309117. Modified: projects/clang390-import/lib/libutil/flopen.c projects/clang390-import/sys/arm/ti/cpsw/if_cpsw.c projects/clang390-import/sys/arm/ti/cpsw/if_cpswreg.h projects/clang390-import/sys/arm/ti/cpsw/if_cpswvar.h projects/clang390-import/sys/conf/options.arm projects/clang390-import/sys/dev/virtio/console/virtio_console.c projects/clang390-import/sys/kern/kern_exit.c projects/clang390-import/sys/modules/Makefile projects/clang390-import/sys/powerpc/include/pcpu.h Directory Properties: projects/clang390-import/ (props changed) Modified: projects/clang390-import/lib/libutil/flopen.c ============================================================================== --- projects/clang390-import/lib/libutil/flopen.c Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/lib/libutil/flopen.c Thu Nov 24 21:14:22 2016 (r309118) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2007 Dag-Erling Coïdan Smørgrav + * Copyright (c) 2007-2009 Dag-Erling Coïdan Smørgrav * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -37,6 +37,14 @@ __FBSDID("$FreeBSD$"); #include +/* + * Reliably open and lock a file. + * + * DO NOT, UNDER PAIN OF DEATH, modify this code without first reading the + * revision history and discussing your changes with . + * Don't be fooled by the code's apparent simplicity; there would be no + * need for this function if it was as easy to get right as you think. + */ int flopen(const char *path, int flags, ...) { @@ -100,6 +108,14 @@ flopen(const char *path, int flags, ...) errno = serrno; return (-1); } +#ifdef DONT_EVEN_THINK_ABOUT_IT + if (fcntl(fd, F_SETFD, FD_CLOEXEC) != 0) { + serrno = errno; + (void)close(fd); + errno = serrno; + return (-1); + } +#endif return (fd); } } Modified: projects/clang390-import/sys/arm/ti/cpsw/if_cpsw.c ============================================================================== --- projects/clang390-import/sys/arm/ti/cpsw/if_cpsw.c Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/sys/arm/ti/cpsw/if_cpsw.c Thu Nov 24 21:14:22 2016 (r309118) @@ -47,6 +47,8 @@ #include __FBSDID("$FreeBSD$"); +#include "opt_cpsw.h" + #include #include #include @@ -78,6 +80,11 @@ __FBSDID("$FreeBSD$"); #include #include + +#ifdef CPSW_ETHERSWITCH +#include +#include "etherswitch_if.h" +#endif #include "if_cpswreg.h" #include "if_cpswvar.h" 
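Review bot: in flopen() (lib/libutil/flopen.c), the new FD_CLOEXEC block is compiled out under DONT_EVEN_THINK_ABOUT_IT, so the descriptor is still returned without close-on-exec, and neither the macro name nor the new header comment says why. Replace the dead code with a sentence stating that close-on-exec is left unset on purpose and what depends on that, so callers locking a sensitive file know the descriptor is inherited by any program they exec and can decide whether to set the flag themselves.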
@@ -142,6 +149,19 @@ static void cpsw_add_sysctls(struct cpsw static void cpsw_stats_collect(struct cpsw_softc *); static int cpsw_stats_sysctl(SYSCTL_HANDLER_ARGS); +#ifdef CPSW_ETHERSWITCH +static etherswitch_info_t *cpsw_getinfo(device_t); +static int cpsw_getport(device_t, etherswitch_port_t *); +static int cpsw_setport(device_t, etherswitch_port_t *); +static int cpsw_getconf(device_t, etherswitch_conf_t *); +static int cpsw_getvgroup(device_t, etherswitch_vlangroup_t *); +static int cpsw_setvgroup(device_t, etherswitch_vlangroup_t *); +static int cpsw_readreg(device_t, int); +static int cpsw_writereg(device_t, int, int); +static int cpsw_readphy(device_t, int, int); +static int cpsw_writephy(device_t, int, int, int); +#endif + /* * Arbitrary limit on number of segments in an mbuf to be transmitted. * Packets with more segments than this will be defragmented before @@ -158,8 +178,23 @@ static device_method_t cpsw_methods[] = DEVMETHOD(device_shutdown, cpsw_shutdown), DEVMETHOD(device_suspend, cpsw_suspend), DEVMETHOD(device_resume, cpsw_resume), + /* Bus interface */ + DEVMETHOD(bus_add_child, device_add_child_ordered), /* OFW methods */ DEVMETHOD(ofw_bus_get_node, cpsw_get_node), +#ifdef CPSW_ETHERSWITCH + /* etherswitch interface */ + DEVMETHOD(etherswitch_getinfo, cpsw_getinfo), + DEVMETHOD(etherswitch_readreg, cpsw_readreg), + DEVMETHOD(etherswitch_writereg, cpsw_writereg), + DEVMETHOD(etherswitch_readphyreg, cpsw_readphy), + DEVMETHOD(etherswitch_writephyreg, cpsw_writephy), + DEVMETHOD(etherswitch_getport, cpsw_getport), + DEVMETHOD(etherswitch_setport, cpsw_setport), + DEVMETHOD(etherswitch_getvgroup, cpsw_getvgroup), + DEVMETHOD(etherswitch_setvgroup, cpsw_setvgroup), + DEVMETHOD(etherswitch_getconf, cpsw_getconf), +#endif DEVMETHOD_END }; 
@@ -194,11 +229,20 @@ static driver_t cpswp_driver = { static devclass_t cpswp_devclass; +#ifdef CPSW_ETHERSWITCH +DRIVER_MODULE(etherswitch, cpswss, etherswitch_driver, etherswitch_devclass, 0, 0); +MODULE_DEPEND(cpswss, etherswitch, 1, 1, 1); +#endif + DRIVER_MODULE(cpsw, cpswss, cpswp_driver, cpswp_devclass, 0, 0); DRIVER_MODULE(miibus, cpsw, miibus_driver, miibus_devclass, 0, 0); MODULE_DEPEND(cpsw, ether, 1, 1, 1); MODULE_DEPEND(cpsw, miibus, 1, 1, 1); +#ifdef CPSW_ETHERSWITCH +static struct cpsw_vlangroups cpsw_vgroups[CPSW_VLANS]; +#endif + static uint32_t slave_mdio_addr[] = { 0x4a100200, 0x4a100300 }; static struct resource_spec irq_res_spec[] = { @@ -576,7 +620,8 @@ cpsw_init(struct cpsw_softc *sc) cpsw_write_4(sc, CPSW_PORT_P0_CPDMA_RX_CH_MAP, 0); /* Initialize ALE: set host port to forwarding(3). */ - cpsw_write_4(sc, CPSW_ALE_PORTCTL(0), 3); + cpsw_write_4(sc, CPSW_ALE_PORTCTL(0), + ALE_PORTCTL_INGRESS | ALE_PORTCTL_FORWARD); cpsw_write_4(sc, CPSW_SS_PTYPE, 0); @@ -851,6 +896,11 @@ cpsw_attach(device_t dev) return (ENXIO); } +#ifdef CPSW_ETHERSWITCH + for (i = 0; i < CPSW_VLANS; i++) + cpsw_vgroups[i].vid = -1; +#endif + /* Reset the controller. */ cpsw_reset(sc); cpsw_init(sc); @@ -864,6 +914,7 @@ cpsw_attach(device_t dev) return (ENXIO); } } + bus_generic_probe(dev); bus_generic_attach(dev); return (0); @@ -918,7 +969,12 @@ cpsw_detach(device_t dev) mtx_destroy(&sc->rx.lock); mtx_destroy(&sc->tx.lock); - return (0); + /* Detach the switch device, if present. */ + error = bus_generic_detach(dev); + if (error != 0) + return (error); + + return (device_delete_children(dev)); } static phandle_t @@ -1085,6 +1141,9 @@ cpswp_init(void *arg) static void cpswp_init_locked(void *arg) { +#ifdef CPSW_ETHERSWITCH + int i; +#endif struct cpswp_softc *sc = arg; struct ifnet *ifp; uint32_t reg; 
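Review bot: in cpsw_init(), replacing the literal 3 with ALE_PORTCTL_INGRESS | ALE_PORTCTL_FORWARD is not a pure rename: with the definitions added to if_cpswreg.h (INGRESS is 1 << 3, FORWARD is 3) the value written to CPSW_ALE_PORTCTL(0) changes from 0x3 to 0xb, while the comment above it still reads "set host port to forwarding(3)". Update the comment to name the ingress bit as well, and note that the same value change is applied to the slave ports in cpswp_init_locked(), so existing configurations see different port-control behaviour after this merge.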
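Review bot: in cpsw_detach(), bus_generic_detach() is called only after mtx_destroy() has already run on sc->rx.lock and sc->tx.lock, so when it fails and the function returns the error, the device stays attached with its locks destroyed. Detach the children first, before any teardown, and return early on error while the softc is still intact.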
@@ -1115,8 +1174,9 @@ cpswp_init_locked(void *arg) reg |= CPSW_SL_MACTL_GMII_ENABLE; cpsw_write_4(sc->swsc, CPSW_SL_MACCONTROL(sc->unit), reg); - /* Initialize ALE: set port to forwarding(3), initialize addrs */ - cpsw_write_4(sc->swsc, CPSW_ALE_PORTCTL(sc->unit + 1), 3); + /* Initialize ALE: set port to forwarding, initialize addrs */ + cpsw_write_4(sc->swsc, CPSW_ALE_PORTCTL(sc->unit + 1), + ALE_PORTCTL_INGRESS | ALE_PORTCTL_FORWARD); cpswp_ale_update_addresses(sc, 1); if (sc->swsc->dualemac) { @@ -1127,6 +1187,14 @@ cpswp_init_locked(void *arg) (1 << (sc->unit + 1)) | (1 << 0), /* Member list */ (1 << (sc->unit + 1)) | (1 << 0), /* Untagged egress */ (1 << (sc->unit + 1)) | (1 << 0), 0); /* mcast reg flood */ +#ifdef CPSW_ETHERSWITCH + for (i = 0; i < CPSW_VLANS; i++) { + if (cpsw_vgroups[i].vid != -1) + continue; + cpsw_vgroups[i].vid = sc->vlan; + break; + } +#endif } mii_mediachg(sc->mii); 
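Review bot: in the dualemac branch of cpswp_init_locked(), the new loop takes the first cpsw_vgroups[] slot whose vid is -1 and stores sc->vlan there without checking whether sc->vlan is already recorded, so each call claims another slot for the same VLAN, and when no slot is free the VLAN is silently left unrecorded. Scan for an existing entry equal to sc->vlan before allocating, and report the table-full case. Duplicates matter because cpsw_setvgroup() returns EINVAL for any VID already held by another vlangroup. The array is also a file-scope static written here and in the etherswitch methods with no lock visible in these hunks.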
@@ -2699,3 +2767,229 @@ cpsw_add_sysctls(struct cpsw_softc *sc) CTLFLAG_RD, NULL, "Watchdog Statistics"); cpsw_add_watchdog_sysctls(ctx, node, sc); } + +#ifdef CPSW_ETHERSWITCH +static etherswitch_info_t etherswitch_info = { + .es_nports = CPSW_PORTS + 1, + .es_nvlangroups = CPSW_VLANS, + .es_name = "TI Common Platform Ethernet Switch (CPSW)", + .es_vlan_caps = ETHERSWITCH_VLAN_DOT1Q, +}; + +static etherswitch_info_t * +cpsw_getinfo(device_t dev) +{ + return (ðerswitch_info); +} + +static int +cpsw_getport(device_t dev, etherswitch_port_t *p) +{ + int err; + struct cpsw_softc *sc; + struct cpswp_softc *psc; + struct ifmediareq *ifmr; + uint32_t reg; + + if (p->es_port < 0 || p->es_port > CPSW_PORTS) + return (ENXIO); + + err = 0; + sc = device_get_softc(dev); + if (p->es_port == CPSW_CPU_PORT) { + p->es_flags |= ETHERSWITCH_PORT_CPU; + ifmr = &p->es_ifmr; + ifmr->ifm_current = ifmr->ifm_active = + IFM_ETHER | IFM_1000_T | IFM_FDX; + ifmr->ifm_mask = 0; + ifmr->ifm_status = IFM_ACTIVE | IFM_AVALID; + ifmr->ifm_count = 0; + } else { + psc = device_get_softc(sc->port[p->es_port - 1].dev); + err = ifmedia_ioctl(psc->ifp, &p->es_ifr, + &psc->mii->mii_media, SIOCGIFMEDIA); + } + reg = cpsw_read_4(sc, CPSW_PORT_P_VLAN(p->es_port)); + p->es_pvid = reg & ETHERSWITCH_VID_MASK; + + reg = cpsw_read_4(sc, CPSW_ALE_PORTCTL(p->es_port)); + if (reg & ALE_PORTCTL_DROP_UNTAGGED) + p->es_flags |= ETHERSWITCH_PORT_DROPUNTAGGED; + if (reg & ALE_PORTCTL_INGRESS) + p->es_flags |= ETHERSWITCH_PORT_INGRESS; + + return (err); +} + +static int +cpsw_setport(device_t dev, etherswitch_port_t *p) +{ + struct cpsw_softc *sc; + struct cpswp_softc *psc; + struct ifmedia *ifm; + uint32_t reg; + + if (p->es_port < 0 || p->es_port > CPSW_PORTS) + return (ENXIO); + + sc = device_get_softc(dev); + if (p->es_pvid != 0) { + cpsw_write_4(sc, CPSW_PORT_P_VLAN(p->es_port), + p->es_pvid & ETHERSWITCH_VID_MASK); + } + + reg = cpsw_read_4(sc, CPSW_ALE_PORTCTL(p->es_port)); + if (p->es_flags & 
ETHERSWITCH_PORT_DROPUNTAGGED) + reg |= ALE_PORTCTL_DROP_UNTAGGED; + else + reg &= ~ALE_PORTCTL_DROP_UNTAGGED; + if (p->es_flags & ETHERSWITCH_PORT_INGRESS) + reg |= ALE_PORTCTL_INGRESS; + else + reg &= ~ALE_PORTCTL_INGRESS; + cpsw_write_4(sc, CPSW_ALE_PORTCTL(p->es_port), reg); + + /* CPU port does not allow media settings. */ + if (p->es_port == CPSW_CPU_PORT) + return (0); + + psc = device_get_softc(sc->port[p->es_port - 1].dev); + ifm = &psc->mii->mii_media; + + return (ifmedia_ioctl(psc->ifp, &p->es_ifr, ifm, SIOCSIFMEDIA)); +} + +static int +cpsw_getconf(device_t dev, etherswitch_conf_t *conf) +{ + + /* Return the VLAN mode. */ + conf->cmd = ETHERSWITCH_CONF_VLAN_MODE; + conf->vlan_mode = ETHERSWITCH_VLAN_DOT1Q; + + return (0); +} + +static int +cpsw_getvgroup(device_t dev, etherswitch_vlangroup_t *vg) +{ + int i, vid; + uint32_t ale_entry[3]; + struct cpsw_softc *sc; + + sc = device_get_softc(dev); + + if (vg->es_vlangroup >= CPSW_VLANS) + return (EINVAL); + + vg->es_vid = 0; + vid = cpsw_vgroups[vg->es_vlangroup].vid; + if (vid == -1) + return (0); + + for (i = 0; i < CPSW_MAX_ALE_ENTRIES; i++) { + cpsw_ale_read_entry(sc, i, ale_entry); + if (ALE_TYPE(ale_entry) != ALE_TYPE_VLAN) + continue; + if (vid != ALE_VLAN(ale_entry)) + continue; + + vg->es_fid = 0; + vg->es_vid = ALE_VLAN(ale_entry) | ETHERSWITCH_VID_VALID; + vg->es_member_ports = ALE_VLAN_MEMBERS(ale_entry); + vg->es_untagged_ports = ALE_VLAN_UNTAG(ale_entry); + } + + return (0); +} + +static void +cpsw_remove_vlan(struct cpsw_softc *sc, int vlan) +{ + int i; + uint32_t ale_entry[3]; + + for (i = 0; i < CPSW_MAX_ALE_ENTRIES; i++) { + cpsw_ale_read_entry(sc, i, ale_entry); + if (ALE_TYPE(ale_entry) != ALE_TYPE_VLAN) + continue; + if (vlan != ALE_VLAN(ale_entry)) + continue; + ale_entry[0] = ale_entry[1] = ale_entry[2] = 0; + cpsw_ale_write_entry(sc, i, ale_entry); + break; + } +} + +static int +cpsw_setvgroup(device_t dev, etherswitch_vlangroup_t *vg) +{ + int i; + struct cpsw_softc *sc; + + sc = 
device_get_softc(dev); + + for (i = 0; i < CPSW_VLANS; i++) { + /* Is this Vlan ID in use by another vlangroup ? */ + if (vg->es_vlangroup != i && cpsw_vgroups[i].vid == vg->es_vid) + return (EINVAL); + } + + if (vg->es_vid == 0) { + if (cpsw_vgroups[vg->es_vlangroup].vid == -1) + return (0); + cpsw_remove_vlan(sc, cpsw_vgroups[vg->es_vlangroup].vid); + cpsw_vgroups[vg->es_vlangroup].vid = -1; + vg->es_untagged_ports = 0; + vg->es_member_ports = 0; + vg->es_vid = 0; + return (0); + } + + vg->es_vid &= ETHERSWITCH_VID_MASK; + vg->es_member_ports &= CPSW_PORTS_MASK; + vg->es_untagged_ports &= CPSW_PORTS_MASK; + + if (cpsw_vgroups[vg->es_vlangroup].vid != -1 && + cpsw_vgroups[vg->es_vlangroup].vid != vg->es_vid) + return (EINVAL); + + cpsw_vgroups[vg->es_vlangroup].vid = vg->es_vid; + cpsw_ale_update_vlan_table(sc, vg->es_vid, vg->es_member_ports, + vg->es_untagged_ports, vg->es_member_ports, 0); + + return (0); +} + +static int +cpsw_readreg(device_t dev, int addr) +{ + + /* Not supported. */ + return (0); +} + +static int +cpsw_writereg(device_t dev, int addr, int value) +{ + + /* Not supported. */ + return (0); +} + +static int +cpsw_readphy(device_t dev, int phy, int reg) +{ + + /* Not supported. */ + return (0); +} + +static int +cpsw_writephy(device_t dev, int phy, int reg, int data) +{ + + /* Not supported. */ + return (0); +} +#endif Modified: projects/clang390-import/sys/arm/ti/cpsw/if_cpswreg.h ============================================================================== --- projects/clang390-import/sys/arm/ti/cpsw/if_cpswreg.h Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/sys/arm/ti/cpsw/if_cpswreg.h Thu Nov 24 21:14:22 2016 (r309118) 
@@ -106,6 +106,14 @@ #define ALE_VLAN_UNTAG(_a) ((_a[0] >> 24) & 7) #define ALE_VLAN_MEMBERS(_a) (_a[0] & 7) #define CPSW_ALE_PORTCTL(p) (CPSW_ALE_OFFSET + 0x40 + ((p) * 0x04)) +#define ALE_PORTCTL_NO_SA_UPDATE (1 << 5) +#define ALE_PORTCTL_NO_LEARN (1 << 4) +#define ALE_PORTCTL_INGRESS (1 << 3) +#define ALE_PORTCTL_DROP_UNTAGGED (1 << 2) +#define ALE_PORTCTL_FORWARD 3 +#define ALE_PORTCTL_LEARN 2 +#define ALE_PORTCTL_BLOCKED 1 +#define ALE_PORTCTL_DISABLED 0 /* SL1 is at 0x0D80, SL2 is at 0x0DC0 */ #define CPSW_SL_OFFSET 0x0D80 Modified: projects/clang390-import/sys/arm/ti/cpsw/if_cpswvar.h ============================================================================== --- projects/clang390-import/sys/arm/ti/cpsw/if_cpswvar.h Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/sys/arm/ti/cpsw/if_cpswvar.h Thu Nov 24 21:14:22 2016 (r309118) @@ -40,6 +40,16 @@ #define CPSW_SYSCTL_COUNT 34 +#ifdef CPSW_ETHERSWITCH +#define CPSW_CPU_PORT 0 +#define CPSW_PORTS_MASK 0x7 +#define CPSW_VLANS 128 /* Arbitrary number. */ + +struct cpsw_vlangroups { + int vid; +}; +#endif + struct cpsw_slot { uint32_t bd_offset; /* Offset of corresponding BD within CPPI RAM. */ bus_dmamap_t dmamap; Modified: projects/clang390-import/sys/conf/options.arm ============================================================================== --- projects/clang390-import/sys/conf/options.arm Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/sys/conf/options.arm Thu Nov 24 21:14:22 2016 (r309118) 
@@ -7,6 +7,7 @@ ARM_MANY_BOARD opt_global.h NKPT2PG opt_pmap.h ARM_WANT_TP_ADDRESS opt_global.h COUNTS_PER_SEC opt_timer.h +CPSW_ETHERSWITCH opt_cpsw.h CPU_ARM9 opt_global.h CPU_ARM9E opt_global.h CPU_ARM1176 opt_global.h Modified: projects/clang390-import/sys/dev/virtio/console/virtio_console.c ============================================================================== --- projects/clang390-import/sys/dev/virtio/console/virtio_console.c Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/sys/dev/virtio/console/virtio_console.c Thu Nov 24 21:14:22 2016 (r309118) @@ -888,9 +888,9 @@ vtcon_ctrl_task_cb(void *xsc, int pendin if (control == NULL) break; - if (len > sizeof(control)) { + if (len > sizeof(*control)) { payload = (void *)(control + 1); - plen = len - sizeof(control); + plen = len - sizeof(*control); } VTCON_UNLOCK(sc); Modified: projects/clang390-import/sys/kern/kern_exit.c ============================================================================== --- projects/clang390-import/sys/kern/kern_exit.c Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/sys/kern/kern_exit.c Thu Nov 24 21:14:22 2016 (r309118) @@ -1061,7 +1061,6 @@ proc_to_reap(struct thread *td, struct p proc_reap(td, p, status, options); return (-1); } - PROC_UNLOCK(p); return (1); } @@ -1162,7 +1161,7 @@ loop: return (0); } - PROC_LOCK(p); + PROC_LOCK_ASSERT(p, MA_OWNED); PROC_SLOCK(p); if ((options & WTRAPPED) != 0 && @@ -1263,6 +1262,7 @@ loop: if (ret != 0) { KASSERT(ret != -1, ("reaped an orphan (pid %d)", (int)td->td_retval[0])); + PROC_UNLOCK(p); nfound++; break; } Modified: projects/clang390-import/sys/modules/Makefile ============================================================================== --- projects/clang390-import/sys/modules/Makefile Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/sys/modules/Makefile Thu Nov 24 21:14:22 2016 (r309118) 
@@ -552,7 +552,6 @@ _an= an _aout= aout _bktr= bktr _bxe= bxe -_bytgpio= bytgpio _cardbus= cardbus _cbb= cbb _cpuctl= cpuctl @@ -609,6 +608,7 @@ _amdsbwd= amdsbwd _amdtemp= amdtemp _arcmsr= arcmsr _asmc= asmc +_bytgpio= bytgpio _ciss= ciss _chromebook_platform= chromebook_platform _cmx= cmx Modified: projects/clang390-import/sys/powerpc/include/pcpu.h ============================================================================== --- projects/clang390-import/sys/powerpc/include/pcpu.h Thu Nov 24 21:12:43 2016 (r309117) +++ projects/clang390-import/sys/powerpc/include/pcpu.h Thu Nov 24 21:14:22 2016 (r309118) 
@@ -88,7 +88,7 @@ struct pvo_entry; vm_offset_t pc_qmap_addr; \ uint32_t *pc_booke_tlb_lock; \ int pc_tid_next; \ - char __pad[165] + char __pad[173] /* Definitions for register offsets within the exception tmp save areas */ #define CPUSAVE_R27 0 /* where r27 gets saved */ From owner-svn-src-projects@freebsd.org Thu Nov 24 22:18:56 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 64464C54F4B for ; Thu, 24 Nov 2016 22:18:56 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 34084195; Thu, 24 Nov 2016 22:18:56 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAOMIt1R065851; Thu, 24 Nov 2016 22:18:55 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOMItMB065850; Thu, 24 Nov 2016 22:18:55 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611242218.uAOMItMB065850@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f 
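Review bot: cpsw_setvgroup() in if_cpsw.c (r309118) indexes cpsw_vgroups[vg->es_vlangroup] without the range check that cpsw_getvgroup() performs ("if (vg->es_vlangroup >= CPSW_VLANS) return (EINVAL);"), so a caller-supplied group number past the table is read and then written outside the array. Add the same check at the top of the function. The in-use loop also compares vg->es_vid before it is masked with ETHERSWITCH_VID_MASK, so a VID carrying extra high bits is not caught as a duplicate; mask first, then compare.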
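Review bot: in vtcon_ctrl_task_cb() (virtio_console.c, r309118) the corrected test only separates len > sizeof(*control) from everything else; nothing in this hunk rejects a len smaller than sizeof(*control) before the control header is used. If no earlier check exists, add one and skip the short message instead of processing it.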
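Review bot: the kern_exit.c hunks (r309118) change the locking contract of proc_to_reap() without documenting it: the PROC_UNLOCK(p) before "return (1)" is removed, the code after it now only asserts ownership with PROC_LOCK_ASSERT(p, MA_OWNED), and the release moves to the new PROC_UNLOCK(p) in the "ret != 0" branch. State in the comment above proc_to_reap() that it returns 1 with the process lock held, so that a future caller neither leaks the lock nor releases it twice.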
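Review bot: in powerpc/include/pcpu.h (r309118) the pad changes from __pad[165] to __pad[173] as a bare number, and nothing in the hunk ties it to the structure size it is meant to produce. A comment giving the intended total size, or a compile-time assertion on the resulting structure size, would make the next field addition fail at build time instead of depending on someone recomputing the constant by hand.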
From: Dimitry Andric Date: Thu, 24 Nov 2016 22:18:55 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309122 - projects/clang390-import X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 22:18:56 -0000 Author: dim Date: Thu Nov 24 22:18:55 2016 New Revision: 309122 URL: https://svnweb.freebsd.org/changeset/base/309122 Log: Add UPDATING entry for clang/llvm 3.9.0 import. Modified: projects/clang390-import/UPDATING Modified: projects/clang390-import/UPDATING ============================================================================== --- projects/clang390-import/UPDATING Thu Nov 24 22:16:18 2016 (r309121) +++ projects/clang390-import/UPDATING Thu Nov 24 22:18:55 2016 (r309122) 
@@ -51,6 +51,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12 ****************************** SPECIAL WARNING: ****************************** +20161124: + Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.0. + Please see the 20141231 entry below for information about prerequisites + and upgrading, if you are not already using clang 3.5.0 or higher. + 20161119: The layout of the pmap structure has changed for powerpc to put the pmap statistics at the front for all CPU variations. libkvm(3) and all tools From owner-svn-src-projects@freebsd.org Thu Nov 24 22:33:19 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B952FC54209 for ; Thu, 24 Nov 2016 22:33:19 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 93C4CC4E; Thu, 24 Nov 2016 22:33:19 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAOMXILb073526; Thu, 24 Nov 2016 22:33:18 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAOMXInv073524; Thu, 24 Nov 2016 22:33:18 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611242233.uAOMXInv073524@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f 
From: Dimitry Andric Date: Thu, 24 Nov 2016 22:33:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309123 - in projects/clang390-import: sys/dev/virtio/pci usr.sbin/bhyve X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2016 22:33:19 -0000 Author: dim Date: Thu Nov 24 22:33:18 2016 New Revision: 309123 URL: https://svnweb.freebsd.org/changeset/base/309123 Log: Merge ^/head r309118 through r309122. Modified: projects/clang390-import/sys/dev/virtio/pci/virtio_pci.c projects/clang390-import/usr.sbin/bhyve/pci_virtio_console.c Directory Properties: projects/clang390-import/ (props changed) Modified: projects/clang390-import/sys/dev/virtio/pci/virtio_pci.c ============================================================================== --- projects/clang390-import/sys/dev/virtio/pci/virtio_pci.c Thu Nov 24 22:18:55 2016 (r309122) +++ projects/clang390-import/sys/dev/virtio/pci/virtio_pci.c Thu Nov 24 22:33:18 2016 (r309123) @@ -1087,7 +1087,8 @@ vtpci_set_host_msix_vectors(struct vtpci * For shared MSIX, all the virtqueues share the first * interrupt. */ - if ((sc->vtpci_flags & VTPCI_FLAG_SHARED_MSIX) == 0) + if (!sc->vtpci_vqs[idx].vtv_no_intr && + (sc->vtpci_flags & VTPCI_FLAG_SHARED_MSIX) == 0) intr++; } Modified: projects/clang390-import/usr.sbin/bhyve/pci_virtio_console.c ============================================================================== --- projects/clang390-import/usr.sbin/bhyve/pci_virtio_console.c Thu Nov 24 22:18:55 2016 (r309122) +++ projects/clang390-import/usr.sbin/bhyve/pci_virtio_console.c Thu Nov 24 22:33:18 2016 (r309123) 
@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD$"); #include "pci_emul.h" #include "virtio.h" #include "mevent.h" +#include "sockstream.h" #define VTCON_RINGSZ 64 #define VTCON_MAXPORTS 16 @@ -90,6 +91,7 @@ struct pci_vtcon_port { bool vsp_enabled; bool vsp_console; bool vsp_rx_ready; + bool vsp_open; int vsp_rxq; int vsp_txq; void * vsp_arg; @@ -116,6 +118,7 @@ struct pci_vtcon_softc { char * vsc_rootdir; int vsc_kq; int vsc_nports; + bool vsc_ready; struct pci_vtcon_port vsc_control_port; struct pci_vtcon_port vsc_ports[VTCON_MAXPORTS]; struct pci_vtcon_config *vsc_config; @@ -359,6 +362,7 @@ pci_vtcon_sock_accept(int fd __unused, e sock->vss_open = true; sock->vss_conn_fd = s; sock->vss_conn_evp = mevent_add(s, EVF_READ, pci_vtcon_sock_rx, sock); + pci_vtcon_open_port(sock->vss_port, true); } @@ -422,16 +426,21 @@ pci_vtcon_sock_tx(struct pci_vtcon_port int niov) { struct pci_vtcon_sock *sock; - int ret; + int i, ret; sock = (struct pci_vtcon_sock *)arg; if (sock->vss_conn_fd == -1) return; - ret = writev(sock->vss_conn_fd, iov, niov); + for (i = 0; i < niov; i++) { + ret = stream_write(sock->vss_conn_fd, iov[i].iov_base, + iov[i].iov_len); + if (ret <= 0) + break; + } - if (ret < 0 && errno != EWOULDBLOCK) { + if (ret <= 0) { mevent_delete_close(sock->vss_conn_evp); sock->vss_conn_fd = -1; sock->vss_open = false; @@ -454,11 +463,15 @@ pci_vtcon_control_tx(struct pci_vtcon_po switch (ctrl->event) { case VTCON_DEVICE_READY: + sc->vsc_ready = true; /* set port ready events for registered ports */ for (i = 0; i < VTCON_MAXPORTS; i++) { tmp = &sc->vsc_ports[i]; if (tmp->vsp_enabled) pci_vtcon_announce_port(tmp); + + if (tmp->vsp_open) + pci_vtcon_open_port(tmp, true); } break; 
@@ -500,6 +513,11 @@ pci_vtcon_open_port(struct pci_vtcon_por { struct pci_vtcon_control event; + if (!port->vsp_sc->vsc_ready) { + port->vsp_open = true; + return; + } + event.id = port->vsp_id; event.event = VTCON_PORT_OPEN; event.value = (int)open; From owner-svn-src-projects@freebsd.org Fri Nov 25 00:46:31 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EE12EC53B20 for ; Fri, 25 Nov 2016 00:46:31 +0000 (UTC) (envelope-from markmi@dsl-only.net) Received: from asp.reflexion.net (outbound-mail-210-32.reflexion.net [208.70.210.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 97D68D18 for ; Fri, 25 Nov 2016 00:46:30 +0000 (UTC) (envelope-from markmi@dsl-only.net) Received: (qmail 6062 invoked from network); 25 Nov 2016 00:46:32 -0000 Received: from unknown (HELO mail-cs-01.app.dca.reflexion.local) (10.81.19.1) by 0 (rfx-qmail) with SMTP; 25 Nov 2016 00:46:32 -0000 Received: by mail-cs-01.app.dca.reflexion.local (Reflexion email security v8.20.0) with SMTP; Thu, 24 Nov 2016 19:46:39 -0500 (EST) Received: (qmail 21939 invoked from network); 25 Nov 2016 00:46:39 -0000 Received: from unknown (HELO iron2.pdx.net) (69.64.224.71) by 0 (rfx-qmail) with (AES256-SHA encrypted) SMTP; 25 Nov 2016 00:46:39 -0000 Received: from [192.168.1.106] (c-76-115-7-162.hsd1.or.comcast.net [76.115.7.162]) by iron2.pdx.net (Postfix) with ESMTPSA id 7C728EC7977; Thu, 24 Nov 2016 16:46:28 -0800 (PST) 
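Review bot: in pci_vtcon_sock_tx() (pci_virtio_console.c, r309123) ret is declared without an initial value and is assigned only inside the new for loop, so with niov == 0 the following "if (ret <= 0)" tests an indeterminate value and can tear down a healthy connection. Initialize ret, or return early when niov is 0. The old test also exempted EWOULDBLOCK while the new one closes on any non-positive return from stream_write(); if that is intended, a short comment should say so.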
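Review bot: the early-return path added to pci_vtcon_open_port() (pci_virtio_console.c, r309123) sets port->vsp_open = true regardless of the open argument, so a close requested before VTCON_DEVICE_READY is later replayed as an open by the new "if (tmp->vsp_open)" branch in pci_vtcon_control_tx(). Store the argument instead (port->vsp_open = open), and clear the flag where pci_vtcon_sock_tx() tears the connection down, since that path resets vss_open but leaves vsp_open untouched.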
From: Mark Millard Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\)) Subject: Re: svn commit: r309117 - in projects/clang390-import: . lib/clang sys/sys [merging into head vs. powerpc and powerpc64 clang status] Message-Id: <37918185-F8CC-4093-AB70-F6373819C56C@dsl-only.net> Date: Thu, 24 Nov 2016 16:46:27 -0800 Cc: FreeBSD PowerPC ML To: Dimitry Andric , svn-src-projects@freebsd.org, FreeBSD Toolchain X-Mailer: Apple Mail (2.3251) X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Nov 2016 00:46:32 -0000

> Author: dim
> Date: Thu Nov 24 21:12:43 2016
> New Revision: 309117
> URL:
> https://svnweb.freebsd.org/changeset/base/309117
>
>
> Log:
> In preparation for merging back to head, bump __FreeBSD_version,
> FREEBSD_CC_VERSION and set date in ObsoleteFiles.inc.

. . .

Are the following TARGET_ARCH=powerpc and TARGET_ARCH=powerpc64 items from llvm going to be taken care of before the merge of clang 3.9.0 into head? If not, is there a plan to sometime after the merge?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214433

Bug ID: 214433
Summary: projects/clang390-import: powerpc and powerpc64 support needs to pick up two fixes from llvm (ABI fix for ppc; softfloat enabled for ppc64)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: markmi at dsl-only.net

There is a powerpc llvm stack-handling ABI violation bugfix and a powerpc64 softfloat support addition (needed for libstand) that have yet to be merged into projects/clang390-import (if they reasonably fit).
Both of these fixes are ones required for FreeBSD to support using clang for powerpc and powerpc64 targets. (llvm's bugzilla still has some of the C++ exception handling defects waiting for fixes. But the two fixes below should allow more testing and possibly finding of additional things that need to be worked on for FreeBSD to use clang for powerpc and/or powerpc64.)

The llvm reports of fixes are:

From: bugzilla-daemon[ at ]llvm.org
Subject: [Bug 26519] Clang 3.8.0's "Target: powerpc-unknown-freebsd11.0" code generation is violating the SVR4 ABI (SEGV can result)
Date: September 22, 2016 at 10:23:21 AM PDT
To: Krzysztof Parzyszek changed bug 26519

What         Removed    Added
Status       REOPENED   RESOLVED
Resolution   ---        FIXED

Comment # 11 on bug 26519 from Krzysztof Parzyszek
Committed in r282174.

You are receiving this mail because:
• You reported the bug.
From: bugzilla-daemon[ at ]llvm.org
Subject: [Bug 26970] clang 3.8.0 for powerpc64 vs. FreeBSD buildworld: error: invalid float ABI 'soft float is not supported for ppc64'
Date: October 1, 2016 at 7:12:07 PM PDT
To: Hal Finkel changed bug 26970

What         Removed    Added
Status       NEW        RESOLVED
Resolution   ---        FIXED

Comment # 1 on bug 26970 from Hal Finkel
r283060/r283061 enables soft-float for PPC64.

You are receiving this mail because:
• You reported the bug.

===
Mark Millard
markmi at dsl-only.net

From owner-svn-src-projects@freebsd.org Fri Nov 25 07:43:33 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 144AFC54413 for ; Fri, 25 Nov 2016 07:43:33 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D86AF11FA; Fri, 25 Nov 2016 07:43:32 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAP7hW0G095476; Fri, 25 Nov 2016 07:43:32 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAP7hWMG095475; Fri, 25 Nov 2016 07:43:32 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611250743.uAP7hWMG095475@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Fri, 25 Nov 2016 07:43:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309137 - projects/ipsec/sys/net X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Nov 2016 07:43:33 -0000 Author: ae Date: Fri Nov 25 07:43:31 2016 New Revision: 309137 URL: https://svnweb.freebsd.org/changeset/base/309137 Log: GC unneeded declarations. Modified: projects/ipsec/sys/net/if_ipsec.c Modified: projects/ipsec/sys/net/if_ipsec.c ============================================================================== --- projects/ipsec/sys/net/if_ipsec.c Fri Nov 25 07:41:42 2016 (r309136) +++ projects/ipsec/sys/net/if_ipsec.c Fri Nov 25 07:43:31 2016 (r309137) @@ -155,7 +155,6 @@ static void ipsec_delete_tunnel(struct i static int ipsec_set_addresses(struct ifnet *, struct sockaddr *, struct sockaddr *); static int ipsec_set_reqid(struct ifnet *, uint32_t); -static int ipsec_input(struct mbuf *, struct secasvar *, uint32_t); static int ipsec_ioctl(struct ifnet *, u_long, caddr_t); static int ipsec_transmit(struct ifnet *, struct mbuf *); 
@@ -164,7 +163,6 @@ static int ipsec_output(struct ifnet *, static void ipsec_qflush(struct ifnet *); static int ipsec_clone_create(struct if_clone *, int, caddr_t); static void ipsec_clone_destroy(struct ifnet *); -static int ipsec_modevent(module_t, int, void *); static VNET_DEFINE(struct if_clone *, ipsec_cloner); #define V_ipsec_cloner VNET(ipsec_cloner) From owner-svn-src-projects@freebsd.org Fri Nov 25 19:25:22 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4CD2CC54C17 for ; Fri, 25 Nov 2016 19:25:22 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 02F53F1E; Fri, 25 Nov 2016 19:25:21 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAPJPL7v080808; Fri, 25 Nov 2016 19:25:21 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAPJPLtY080807; Fri, 25 Nov 2016 19:25:21 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611251925.uAPJPLtY080807@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f 
From: Dimitry Andric Date: Fri, 25 Nov 2016 19:25:21 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309166 - projects/clang391-import X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Nov 2016 19:25:22 -0000 Author: dim Date: Fri Nov 25 19:25:20 2016 New Revision: 309166 URL: https://svnweb.freebsd.org/changeset/base/309166 Log: Create a project for importing clang, llvm, lld, lldb, compiler-rt and libc++ 3.9.1. Added: - copied from r309165, head/ Directory Properties: projects/clang391-import/ (props changed) From owner-svn-src-projects@freebsd.org Fri Nov 25 22:36:08 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 57266C5407E for ; Fri, 25 Nov 2016 22:36:08 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 271161BAD; Fri, 25 Nov 2016 22:36:08 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAPMa7Y9057364; Fri, 25 Nov 2016 22:36:07 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAPMa7oi057363; Fri, 25 Nov 2016 22:36:07 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611252236.uAPMa7oi057363@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to 
dim@FreeBSD.org using -f From: Dimitry Andric Date: Fri, 25 Nov 2016 22:36:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309170 - projects/clang391-import/sys/powerpc/include X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Nov 2016 22:36:08 -0000 Author: dim Date: Fri Nov 25 22:36:07 2016 New Revision: 309170 URL: https://svnweb.freebsd.org/changeset/base/309170 Log: Merge ^/head r309166 through r309169. Modified: projects/clang391-import/sys/powerpc/include/cpufunc.h Directory Properties: projects/clang391-import/ (props changed) projects/clang391-import/contrib/llvm/ (props changed) projects/clang391-import/contrib/llvm/tools/llvm-dwarfdump/ (props changed) projects/clang391-import/contrib/llvm/tools/llvm-lto/ (props changed) Modified: projects/clang391-import/sys/powerpc/include/cpufunc.h ============================================================================== --- projects/clang391-import/sys/powerpc/include/cpufunc.h Fri Nov 25 22:33:15 2016 (r309169) +++ projects/clang391-import/sys/powerpc/include/cpufunc.h Fri Nov 25 22:36:07 2016 (r309170) 
@@ -82,7 +82,7 @@ static __inline void mtsrin(vm_offset_t va, register_t value) { - __asm __volatile ("mtsrin %0,%1" :: "r"(value), "r"(va)); + __asm __volatile ("mtsrin %0,%1; isync" :: "r"(value), "r"(va)); } static __inline register_t From owner-svn-src-projects@freebsd.org Sat Nov 26 01:02:57 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8FB89C528FA for ; Sat, 26 Nov 2016 01:02:57 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3419326B; Sat, 26 Nov 2016 01:02:57 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAQ12uA2016746; Sat, 26 Nov 2016 01:02:56 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAQ12r0f016719; Sat, 26 Nov 2016 01:02:53 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201611260102.uAQ12r0f016719@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f 
From: Dimitry Andric Date: Sat, 26 Nov 2016 01:02:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309175 - in projects/clang391-import/contrib/llvm: include/llvm/Analysis include/llvm/ExecutionEngine include/llvm/IR lib/Analysis lib/CodeGen lib/Linker lib/Support/Unix lib/Target/AR... X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Nov 2016 01:02:57 -0000 Author: dim Date: Sat Nov 26 01:02:53 2016 New Revision: 309175 URL: https://svnweb.freebsd.org/changeset/base/309175 Log: Update llvm, clang, lld and lldb to release_39 branch r287912. Modified: projects/clang391-import/contrib/llvm/include/llvm/Analysis/LoopAccessAnalysis.h projects/clang391-import/contrib/llvm/include/llvm/ExecutionEngine/RTDyldMemoryManager.h projects/clang391-import/contrib/llvm/include/llvm/IR/Intrinsics.td projects/clang391-import/contrib/llvm/include/llvm/IR/TypeFinder.h projects/clang391-import/contrib/llvm/lib/Analysis/LoopAccessAnalysis.cpp projects/clang391-import/contrib/llvm/lib/CodeGen/BranchFolding.cpp projects/clang391-import/contrib/llvm/lib/Linker/IRMover.cpp projects/clang391-import/contrib/llvm/lib/Support/Unix/Signals.inc projects/clang391-import/contrib/llvm/lib/Target/ARM/ARMInstrThumb2.td projects/clang391-import/contrib/llvm/lib/Target/ARM/AsmParser/ARMAsmParser.cpp projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.cpp projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.h projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCInstr64Bit.td projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCInstrInfo.td 
projects/clang391-import/contrib/llvm/lib/Target/X86/X86ISelLowering.cpp projects/clang391-import/contrib/llvm/lib/Target/X86/X86InstrAVX512.td projects/clang391-import/contrib/llvm/lib/Transforms/Scalar/JumpThreading.cpp projects/clang391-import/contrib/llvm/tools/clang/include/clang/AST/DeclTemplate.h projects/clang391-import/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticDriverKinds.td projects/clang391-import/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticSemaKinds.td projects/clang391-import/contrib/llvm/tools/clang/include/clang/Sema/Sema.h projects/clang391-import/contrib/llvm/tools/clang/lib/Basic/Targets.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Basic/Version.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGExpr.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGStmt.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGStmtOpenMP.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CodeGenFunction.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CodeGenFunction.h projects/clang391-import/contrib/llvm/tools/clang/lib/Driver/ToolChains.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Driver/Tools.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/Sema.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaCXXScopeSpec.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaDecl.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaExpr.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaLambda.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaOpenMP.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaTemplate.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaTemplateInstantiate.cpp 
projects/clang391-import/contrib/llvm/tools/clang/lib/Sema/SemaTemplateInstantiateDecl.cpp projects/clang391-import/contrib/llvm/tools/clang/lib/Serialization/ASTReaderDecl.cpp projects/clang391-import/contrib/llvm/tools/lld/ELF/InputFiles.cpp projects/clang391-import/contrib/llvm/tools/lldb/include/lldb/Core/ArchSpec.h projects/clang391-import/contrib/llvm/tools/lldb/source/Core/ArchSpec.cpp projects/clang391-import/contrib/llvm/tools/lldb/source/Core/RegisterValue.cpp projects/clang391-import/contrib/llvm/tools/lldb/source/Plugins/ABI/SysV-mips64/ABISysV_mips64.cpp projects/clang391-import/contrib/llvm/tools/lldb/source/Plugins/Process/Utility/RegisterInfos_mips.h projects/clang391-import/contrib/llvm/tools/lldb/source/Plugins/Process/Utility/RegisterInfos_mips64.h projects/clang391-import/contrib/llvm/tools/lldb/source/Plugins/Process/Utility/lldb-mips-linux-register-enums.h projects/clang391-import/contrib/llvm/tools/lldb/source/Plugins/Process/gdb-remote/GDBRemoteCommunicationClient.cpp projects/clang391-import/contrib/llvm/tools/lldb/source/Plugins/Process/gdb-remote/GDBRemoteCommunicationServerCommon.cpp Directory Properties: projects/clang391-import/contrib/llvm/ (props changed) projects/clang391-import/contrib/llvm/tools/clang/ (props changed) projects/clang391-import/contrib/llvm/tools/lld/ (props changed) projects/clang391-import/contrib/llvm/tools/lldb/ (props changed) Modified: projects/clang391-import/contrib/llvm/include/llvm/Analysis/LoopAccessAnalysis.h ============================================================================== --- projects/clang391-import/contrib/llvm/include/llvm/Analysis/LoopAccessAnalysis.h Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/include/llvm/Analysis/LoopAccessAnalysis.h Sat Nov 26 01:02:53 2016 (r309175) 
@@ -334,9 +334,11 @@ public: struct PointerInfo { /// Holds the pointer value that we need to check. TrackingVH PointerValue; - /// Holds the pointer value at the beginning of the loop. + /// Holds the smallest byte address accessed by the pointer throughout all + /// iterations of the loop. const SCEV *Start; - /// Holds the pointer value at the end of the loop. + /// Holds the largest byte address accessed by the pointer throughout all + /// iterations of the loop, plus 1. const SCEV *End; /// Holds the information if this pointer is used for writing to memory. bool IsWritePtr; Modified: projects/clang391-import/contrib/llvm/include/llvm/ExecutionEngine/RTDyldMemoryManager.h ============================================================================== --- projects/clang391-import/contrib/llvm/include/llvm/ExecutionEngine/RTDyldMemoryManager.h Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/include/llvm/ExecutionEngine/RTDyldMemoryManager.h Sat Nov 26 01:02:53 2016 (r309175) @@ -72,7 +72,7 @@ public: } void deregisterEHFrames(uint8_t *Addr, uint64_t LoadAddr, size_t Size) override { - registerEHFramesInProcess(Addr, Size); + deregisterEHFramesInProcess(Addr, Size); } /// This method returns the address of the specified function or variable in Modified: projects/clang391-import/contrib/llvm/include/llvm/IR/Intrinsics.td ============================================================================== --- projects/clang391-import/contrib/llvm/include/llvm/IR/Intrinsics.td Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/include/llvm/IR/Intrinsics.td Sat Nov 26 01:02:53 2016 (r309175) 
@@ -668,13 +668,12 @@ def int_masked_gather: Intrinsic<[llvm_a [LLVMVectorOfPointersToElt<0>, llvm_i32_ty, LLVMVectorSameWidth<0, llvm_i1_ty>, LLVMMatchType<0>], - [IntrReadMem, IntrArgMemOnly]>; + [IntrReadMem]>; def int_masked_scatter: Intrinsic<[], [llvm_anyvector_ty, LLVMVectorOfPointersToElt<0>, llvm_i32_ty, - LLVMVectorSameWidth<0, llvm_i1_ty>], - [IntrArgMemOnly]>; + LLVMVectorSameWidth<0, llvm_i1_ty>]>; // Test whether a pointer is associated with a type metadata identifier. def int_type_test : Intrinsic<[llvm_i1_ty], [llvm_ptr_ty, llvm_metadata_ty], Modified: projects/clang391-import/contrib/llvm/include/llvm/IR/TypeFinder.h ============================================================================== --- projects/clang391-import/contrib/llvm/include/llvm/IR/TypeFinder.h Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/include/llvm/IR/TypeFinder.h Sat Nov 26 01:02:53 2016 (r309175) @@ -59,6 +59,8 @@ public: StructType *&operator[](unsigned Idx) { return StructTypes[Idx]; } + DenseSet &getVisitedMetadata() { return VisitedMetadata; } + private: /// incorporateType - This method adds the type to the list of used /// structures if it's not in there already. Modified: projects/clang391-import/contrib/llvm/lib/Analysis/LoopAccessAnalysis.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Analysis/LoopAccessAnalysis.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Analysis/LoopAccessAnalysis.cpp Sat Nov 26 01:02:53 2016 (r309175) 
@@ -148,6 +148,19 @@ const SCEV *llvm::replaceSymbolicStrideS return OrigSCEV; } +/// Calculate Start and End points of memory access. +/// Let's assume A is the first access and B is a memory access on N-th loop +/// iteration. Then B is calculated as: +/// B = A + Step*N . +/// Step value may be positive or negative. +/// N is a calculated back-edge taken count: +/// N = (TripCount > 0) ? RoundDown(TripCount -1 , VF) : 0 +/// Start and End points are calculated in the following way: +/// Start = UMIN(A, B) ; End = UMAX(A, B) + SizeOfElt, +/// where SizeOfElt is the size of single memory access in bytes. +/// +/// There is no conflict when the intervals are disjoint: +/// NoConflict = (P2.Start >= P1.End) || (P1.Start >= P2.End) void RuntimePointerChecking::insert(Loop *Lp, Value *Ptr, bool WritePtr, unsigned DepSetId, unsigned ASId, const ValueToValueMap &Strides, @@ -176,12 +189,17 @@ void RuntimePointerChecking::insert(Loop if (CStep->getValue()->isNegative()) std::swap(ScStart, ScEnd); } else { - // Fallback case: the step is not constant, but the we can still + // Fallback case: the step is not constant, but we can still // get the upper and lower bounds of the interval by using min/max // expressions. ScStart = SE->getUMinExpr(ScStart, ScEnd); ScEnd = SE->getUMaxExpr(AR->getStart(), ScEnd); } + // Add the size of the pointed element to ScEnd. + unsigned EltSize = + Ptr->getType()->getPointerElementType()->getScalarSizeInBits() / 8; + const SCEV *EltSizeSCEV = SE->getConstant(ScEnd->getType(), EltSize); + ScEnd = SE->getAddExpr(ScEnd, EltSizeSCEV); } Pointers.emplace_back(Ptr, ScStart, ScEnd, WritePtr, DepSetId, ASId, Sc); 
@@ -1863,9 +1881,17 @@ std::pair Value *End0 = ChkBuilder.CreateBitCast(A.End, PtrArithTy1, "bc"); Value *End1 = ChkBuilder.CreateBitCast(B.End, PtrArithTy0, "bc"); - Value *Cmp0 = ChkBuilder.CreateICmpULE(Start0, End1, "bound0"); + // [A|B].Start points to the first accessed byte under base [A|B]. + // [A|B].End points to the last accessed byte, plus one. + // There is no conflict when the intervals are disjoint: + // NoConflict = (B.Start >= A.End) || (A.Start >= B.End) + // + // bound0 = (B.Start < A.End) + // bound1 = (A.Start < B.End) + // IsConflict = bound0 & bound1 + Value *Cmp0 = ChkBuilder.CreateICmpULT(Start0, End1, "bound0"); FirstInst = getFirstInst(FirstInst, Cmp0, Loc); - Value *Cmp1 = ChkBuilder.CreateICmpULE(Start1, End0, "bound1"); + Value *Cmp1 = ChkBuilder.CreateICmpULT(Start1, End0, "bound1"); FirstInst = getFirstInst(FirstInst, Cmp1, Loc); Value *IsConflict = ChkBuilder.CreateAnd(Cmp0, Cmp1, "found.conflict"); FirstInst = getFirstInst(FirstInst, IsConflict, Loc); Modified: projects/clang391-import/contrib/llvm/lib/CodeGen/BranchFolding.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/lib/CodeGen/BranchFolding.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/CodeGen/BranchFolding.cpp Sat Nov 26 01:02:53 2016 (r309175) @@ -776,9 +776,8 @@ bool BranchFolder::CreateCommonTailOnlyB } static void -mergeMMOsFromMemoryOperations(MachineBasicBlock::iterator MBBIStartPos, - MachineBasicBlock &MBBCommon) { - // Merge MMOs from memory operations in the common block. +mergeOperations(MachineBasicBlock::iterator MBBIStartPos, + MachineBasicBlock &MBBCommon) { MachineBasicBlock *MBB = MBBIStartPos->getParent(); // Note CommonTailLen does not necessarily matches the size of // the common BB nor all its instructions because of debug 
@@ -808,8 +807,18 @@ mergeMMOsFromMemoryOperations(MachineBas "Reached BB end within common tail length!"); assert(MBBICommon->isIdenticalTo(*MBBI) && "Expected matching MIIs!"); + // Merge MMOs from memory operations in the common block. if (MBBICommon->mayLoad() || MBBICommon->mayStore()) MBBICommon->setMemRefs(MBBICommon->mergeMemRefsWith(*MBBI)); + // Drop undef flags if they aren't present in all merged instructions. + for (unsigned I = 0, E = MBBICommon->getNumOperands(); I != E; ++I) { + MachineOperand &MO = MBBICommon->getOperand(I); + if (MO.isReg() && MO.isUndef()) { + const MachineOperand &OtherMO = MBBI->getOperand(I); + if (!OtherMO.isUndef()) + MO.setIsUndef(false); + } + } ++MBBI; ++MBBICommon; @@ -928,8 +937,8 @@ bool BranchFolder::TryTailMergeBlocks(Ma continue; DEBUG(dbgs() << "BB#" << SameTails[i].getBlock()->getNumber() << (i == e-1 ? "" : ", ")); - // Merge MMOs from memory operations as needed. - mergeMMOsFromMemoryOperations(SameTails[i].getTailStartPos(), *MBB); + // Merge operations (MMOs, undef flags) + mergeOperations(SameTails[i].getTailStartPos(), *MBB); // Hack the end off BB i, making it jump to BB commonTailIndex instead. ReplaceTailWithBranchTo(SameTails[i].getTailStartPos(), MBB); // BB i is no longer a predecessor of SuccBB; remove it from the worklist. Modified: projects/clang391-import/contrib/llvm/lib/Linker/IRMover.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Linker/IRMover.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Linker/IRMover.cpp Sat Nov 26 01:02:53 2016 (r309175) 
@@ -694,6 +694,14 @@ void IRLinker::computeTypeMapping() { if (!ST->hasName()) continue; + if (TypeMap.DstStructTypesSet.hasType(ST)) { + // This is actually a type from the destination module. + // getIdentifiedStructTypes() can have found it by walking debug info + // metadata nodes, some of which get linked by name when ODR Type Uniquing + // is enabled on the Context, from the source to the destination module. + continue; + } + // Check to see if there is a dot in the name followed by a digit. size_t DotPos = ST->getName().rfind('.'); if (DotPos == 0 || DotPos == StringRef::npos || @@ -1336,13 +1344,19 @@ bool IRMover::IdentifiedStructTypeSet::h IRMover::IRMover(Module &M) : Composite(M) { TypeFinder StructTypes; - StructTypes.run(M, true); + StructTypes.run(M, /* OnlyNamed */ false); for (StructType *Ty : StructTypes) { if (Ty->isOpaque()) IdentifiedStructTypes.addOpaque(Ty); else IdentifiedStructTypes.addNonOpaque(Ty); } + // Self-map metadatas in the destination module. This is needed when + // DebugTypeODRUniquing is enabled on the LLVMContext, since metadata in the + // destination module may be reached from the source module. + for (auto *MD : StructTypes.getVisitedMetadata()) { + SharedMDs[MD].reset(const_cast(MD)); + } } Error IRMover::move( Modified: projects/clang391-import/contrib/llvm/lib/Support/Unix/Signals.inc ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Support/Unix/Signals.inc Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Support/Unix/Signals.inc Sat Nov 26 01:02:53 2016 (r309175) 
@@ -412,7 +412,7 @@ void llvm::sys::PrintStackTrace(raw_ostr if (printSymbolizedStackTrace(Argv0, StackTrace, depth, OS)) return; -#if HAVE_DLFCN_H && __GNUG__ +#if HAVE_DLFCN_H && __GNUG__ && !defined(__CYGWIN__) int width = 0; for (int i = 0; i < depth; ++i) { Dl_info dlinfo; Modified: projects/clang391-import/contrib/llvm/lib/Target/ARM/ARMInstrThumb2.td ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Target/ARM/ARMInstrThumb2.td Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Target/ARM/ARMInstrThumb2.td Sat Nov 26 01:02:53 2016 (r309175) @@ -4819,6 +4819,10 @@ def : t2InstAlias<"add${p} $Rd, pc, $imm def t2LDRConstPool : t2AsmPseudo<"ldr${p} $Rt, $immediate", (ins GPRnopc:$Rt, const_pool_asm_imm:$immediate, pred:$p)>; +// Version w/ the .w suffix. +def : t2InstAlias<"ldr${p}.w $Rt, $immediate", + (t2LDRConstPool GPRnopc:$Rt, + const_pool_asm_imm:$immediate, pred:$p)>; // PLD/PLDW/PLI with alternate literal form. def : t2InstAlias<"pld${p} $addr", Modified: projects/clang391-import/contrib/llvm/lib/Target/ARM/AsmParser/ARMAsmParser.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Target/ARM/AsmParser/ARMAsmParser.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Target/ARM/AsmParser/ARMAsmParser.cpp Sat Nov 26 01:02:53 2016 (r309175) 
@@ -6933,6 +6933,9 @@ bool ARMAsmParser::processInstruction(MC else if (Inst.getOpcode() == ARM::t2LDRConstPool) TmpInst.setOpcode(ARM::t2LDRpci); const ARMOperand &PoolOperand = + (static_cast(*Operands[2]).isToken() && + static_cast(*Operands[2]).getToken() == ".w") ? + static_cast(*Operands[4]) : static_cast(*Operands[3]); const MCExpr *SubExprVal = PoolOperand.getConstantPoolImm(); // If SubExprVal is a constant we may be able to use a MOV Modified: projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.cpp Sat Nov 26 01:02:53 2016 (r309175) @@ -667,9 +667,10 @@ PPCTargetLowering::PPCTargetLowering(con addRegisterClass(MVT::v2i64, &PPC::VRRCRegClass); addRegisterClass(MVT::v1i128, &PPC::VRRCRegClass); } + if (Subtarget.hasP9Vector()) { - setOperationAction(ISD::INSERT_VECTOR_ELT, MVT::v4i32, Legal); - setOperationAction(ISD::INSERT_VECTOR_ELT, MVT::v4f32, Legal); + setOperationAction(ISD::INSERT_VECTOR_ELT, MVT::v4i32, Custom); + setOperationAction(ISD::INSERT_VECTOR_ELT, MVT::v4f32, Custom); } } @@ -7868,6 +7869,17 @@ SDValue PPCTargetLowering::LowerSCALAR_T return DAG.getLoad(Op.getValueType(), dl, Store, FIdx, MachinePointerInfo()); } +SDValue PPCTargetLowering::LowerINSERT_VECTOR_ELT(SDValue Op, + SelectionDAG &DAG) const { + assert(Op.getOpcode() == ISD::INSERT_VECTOR_ELT && + "Should only be called for ISD::INSERT_VECTOR_ELT"); + ConstantSDNode *C = dyn_cast(Op.getOperand(2)); + // We have legal lowering for constant indices but not for variable ones. + if (C) + return Op; + return SDValue(); +} + SDValue PPCTargetLowering::LowerEXTRACT_VECTOR_ELT(SDValue Op, SelectionDAG &DAG) const { SDLoc dl(Op); 
@@ -8273,6 +8285,7 @@ SDValue PPCTargetLowering::LowerOperatio case ISD::SCALAR_TO_VECTOR: return LowerSCALAR_TO_VECTOR(Op, DAG); case ISD::SIGN_EXTEND_INREG: return LowerSIGN_EXTEND_INREG(Op, DAG); case ISD::EXTRACT_VECTOR_ELT: return LowerEXTRACT_VECTOR_ELT(Op, DAG); + case ISD::INSERT_VECTOR_ELT: return LowerINSERT_VECTOR_ELT(Op, DAG); case ISD::MUL: return LowerMUL(Op, DAG); // For counter-based loop handling. @@ -8397,7 +8410,9 @@ Instruction* PPCTargetLowering::emitTrai MachineBasicBlock * PPCTargetLowering::EmitAtomicBinary(MachineInstr &MI, MachineBasicBlock *BB, unsigned AtomicSize, - unsigned BinOpcode) const { + unsigned BinOpcode, + unsigned CmpOpcode, + unsigned CmpPred) const { // This also handles ATOMIC_SWAP, indicated by BinOpcode==0. const TargetInstrInfo *TII = Subtarget.getInstrInfo(); @@ -8437,8 +8452,12 @@ PPCTargetLowering::EmitAtomicBinary(Mach DebugLoc dl = MI.getDebugLoc(); MachineBasicBlock *loopMBB = F->CreateMachineBasicBlock(LLVM_BB); + MachineBasicBlock *loop2MBB = + CmpOpcode ? F->CreateMachineBasicBlock(LLVM_BB) : nullptr; MachineBasicBlock *exitMBB = F->CreateMachineBasicBlock(LLVM_BB); F->insert(It, loopMBB); + if (CmpOpcode) + F->insert(It, loop2MBB); F->insert(It, exitMBB); exitMBB->splice(exitMBB->begin(), BB, std::next(MachineBasicBlock::iterator(MI)), BB->end()); 
@@ -8460,11 +8479,40 @@ PPCTargetLowering::EmitAtomicBinary(Mach // st[wd]cx. r0, ptr // bne- loopMBB // fallthrough --> exitMBB + + // For max/min... + // loopMBB: + // l[wd]arx dest, ptr + // cmpl?[wd] incr, dest + // bgt exitMBB + // loop2MBB: + // st[wd]cx. dest, ptr + // bne- loopMBB + // fallthrough --> exitMBB + BB = loopMBB; BuildMI(BB, dl, TII->get(LoadMnemonic), dest) .addReg(ptrA).addReg(ptrB); if (BinOpcode) BuildMI(BB, dl, TII->get(BinOpcode), TmpReg).addReg(incr).addReg(dest); + if (CmpOpcode) { + // Signed comparisons of byte or halfword values must be sign-extended. + if (CmpOpcode == PPC::CMPW && AtomicSize < 4) { + unsigned ExtReg = RegInfo.createVirtualRegister(&PPC::GPRCRegClass); + BuildMI(BB, dl, TII->get(AtomicSize == 1 ? PPC::EXTSB : PPC::EXTSH), + ExtReg).addReg(dest); + BuildMI(BB, dl, TII->get(CmpOpcode), PPC::CR0) + .addReg(incr).addReg(ExtReg); + } else + BuildMI(BB, dl, TII->get(CmpOpcode), PPC::CR0) + .addReg(incr).addReg(dest); + + BuildMI(BB, dl, TII->get(PPC::BCC)) + .addImm(CmpPred).addReg(PPC::CR0).addMBB(exitMBB); + BB->addSuccessor(loop2MBB); + BB->addSuccessor(exitMBB); + BB = loop2MBB; + } BuildMI(BB, dl, TII->get(StoreMnemonic)) .addReg(TmpReg).addReg(ptrA).addReg(ptrB); BuildMI(BB, dl, TII->get(PPC::BCC)) @@ -8482,10 +8530,13 @@ MachineBasicBlock * PPCTargetLowering::EmitPartwordAtomicBinary(MachineInstr &MI, MachineBasicBlock *BB, bool is8bit, // operation - unsigned BinOpcode) const { + unsigned BinOpcode, + unsigned CmpOpcode, + unsigned CmpPred) const { // If we support part-word atomic mnemonics, just use them if (Subtarget.hasPartwordAtomics()) - return EmitAtomicBinary(MI, BB, is8bit ? 1 : 2, BinOpcode); + return EmitAtomicBinary(MI, BB, is8bit ? 1 : 2, BinOpcode, + CmpOpcode, CmpPred); // This also handles ATOMIC_SWAP, indicated by BinOpcode==0. const TargetInstrInfo *TII = Subtarget.getInstrInfo(); 
@@ -8507,8 +8558,12 @@ PPCTargetLowering::EmitPartwordAtomicBin DebugLoc dl = MI.getDebugLoc(); MachineBasicBlock *loopMBB = F->CreateMachineBasicBlock(LLVM_BB); + MachineBasicBlock *loop2MBB = + CmpOpcode ? F->CreateMachineBasicBlock(LLVM_BB) : nullptr; MachineBasicBlock *exitMBB = F->CreateMachineBasicBlock(LLVM_BB); F->insert(It, loopMBB); + if (CmpOpcode) + F->insert(It, loop2MBB); F->insert(It, exitMBB); exitMBB->splice(exitMBB->begin(), BB, std::next(MachineBasicBlock::iterator(MI)), BB->end()); @@ -8593,6 +8648,32 @@ PPCTargetLowering::EmitPartwordAtomicBin .addReg(TmpDestReg).addReg(MaskReg); BuildMI(BB, dl, TII->get(is64bit ? PPC::AND8 : PPC::AND), Tmp3Reg) .addReg(TmpReg).addReg(MaskReg); + if (CmpOpcode) { + // For unsigned comparisons, we can directly compare the shifted values. + // For signed comparisons we shift and sign extend. + unsigned SReg = RegInfo.createVirtualRegister(RC); + BuildMI(BB, dl, TII->get(is64bit ? PPC::AND8 : PPC::AND), SReg) + .addReg(TmpDestReg).addReg(MaskReg); + unsigned ValueReg = SReg; + unsigned CmpReg = Incr2Reg; + if (CmpOpcode == PPC::CMPW) { + ValueReg = RegInfo.createVirtualRegister(RC); + BuildMI(BB, dl, TII->get(PPC::SRW), ValueReg) + .addReg(SReg).addReg(ShiftReg); + unsigned ValueSReg = RegInfo.createVirtualRegister(RC); + BuildMI(BB, dl, TII->get(is8bit ? PPC::EXTSB : PPC::EXTSH), ValueSReg) + .addReg(ValueReg); + ValueReg = ValueSReg; + CmpReg = incr; + } + BuildMI(BB, dl, TII->get(CmpOpcode), PPC::CR0) + .addReg(CmpReg).addReg(ValueReg); + BuildMI(BB, dl, TII->get(PPC::BCC)) + .addImm(CmpPred).addReg(PPC::CR0).addMBB(exitMBB); + BB->addSuccessor(loop2MBB); + BB->addSuccessor(exitMBB); + BB = loop2MBB; + } BuildMI(BB, dl, TII->get(is64bit ? PPC::OR8 : PPC::OR), Tmp4Reg) .addReg(Tmp3Reg).addReg(Tmp2Reg); BuildMI(BB, dl, TII->get(PPC::STWCX)) 
@@ -9099,6 +9180,42 @@ PPCTargetLowering::EmitInstrWithCustomIn else if (MI.getOpcode() == PPC::ATOMIC_LOAD_SUB_I64) BB = EmitAtomicBinary(MI, BB, 8, PPC::SUBF8); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_MIN_I8) + BB = EmitPartwordAtomicBinary(MI, BB, true, 0, PPC::CMPW, PPC::PRED_GE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_MIN_I16) + BB = EmitPartwordAtomicBinary(MI, BB, false, 0, PPC::CMPW, PPC::PRED_GE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_MIN_I32) + BB = EmitAtomicBinary(MI, BB, 4, 0, PPC::CMPW, PPC::PRED_GE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_MIN_I64) + BB = EmitAtomicBinary(MI, BB, 8, 0, PPC::CMPD, PPC::PRED_GE); + + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_MAX_I8) + BB = EmitPartwordAtomicBinary(MI, BB, true, 0, PPC::CMPW, PPC::PRED_LE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_MAX_I16) + BB = EmitPartwordAtomicBinary(MI, BB, false, 0, PPC::CMPW, PPC::PRED_LE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_MAX_I32) + BB = EmitAtomicBinary(MI, BB, 4, 0, PPC::CMPW, PPC::PRED_LE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_MAX_I64) + BB = EmitAtomicBinary(MI, BB, 8, 0, PPC::CMPD, PPC::PRED_LE); + + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_UMIN_I8) + BB = EmitPartwordAtomicBinary(MI, BB, true, 0, PPC::CMPLW, PPC::PRED_GE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_UMIN_I16) + BB = EmitPartwordAtomicBinary(MI, BB, false, 0, PPC::CMPLW, PPC::PRED_GE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_UMIN_I32) + BB = EmitAtomicBinary(MI, BB, 4, 0, PPC::CMPLW, PPC::PRED_GE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_UMIN_I64) + BB = EmitAtomicBinary(MI, BB, 8, 0, PPC::CMPLD, PPC::PRED_GE); + + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_UMAX_I8) + BB = EmitPartwordAtomicBinary(MI, BB, true, 0, PPC::CMPLW, PPC::PRED_LE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_UMAX_I16) + BB = EmitPartwordAtomicBinary(MI, BB, false, 0, PPC::CMPLW, PPC::PRED_LE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_UMAX_I32) + BB = 
EmitAtomicBinary(MI, BB, 4, 0, PPC::CMPLW, PPC::PRED_LE); + else if (MI.getOpcode() == PPC::ATOMIC_LOAD_UMAX_I64) + BB = EmitAtomicBinary(MI, BB, 8, 0, PPC::CMPLD, PPC::PRED_LE); + else if (MI.getOpcode() == PPC::ATOMIC_SWAP_I8) BB = EmitPartwordAtomicBinary(MI, BB, true, 0); else if (MI.getOpcode() == PPC::ATOMIC_SWAP_I16) Modified: projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.h ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.h Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCISelLowering.h Sat Nov 26 01:02:53 2016 (r309175) @@ -585,11 +585,15 @@ namespace llvm { MachineBasicBlock *EmitAtomicBinary(MachineInstr &MI, MachineBasicBlock *MBB, unsigned AtomicSize, - unsigned BinOpcode) const; + unsigned BinOpcode, + unsigned CmpOpcode = 0, + unsigned CmpPred = 0) const; MachineBasicBlock *EmitPartwordAtomicBinary(MachineInstr &MI, MachineBasicBlock *MBB, bool is8bit, - unsigned Opcode) const; + unsigned Opcode, + unsigned CmpOpcode = 0, + unsigned CmpPred = 0) const; MachineBasicBlock *emitEHSjLjSetJmp(MachineInstr &MI, MachineBasicBlock *MBB) const; 
@@ -825,6 +829,7 @@ namespace llvm { SDValue LowerSRA_PARTS(SDValue Op, SelectionDAG &DAG) const; SDValue LowerBUILD_VECTOR(SDValue Op, SelectionDAG &DAG) const; SDValue LowerVECTOR_SHUFFLE(SDValue Op, SelectionDAG &DAG) const; + SDValue LowerINSERT_VECTOR_ELT(SDValue Op, SelectionDAG &DAG) const; SDValue LowerEXTRACT_VECTOR_ELT(SDValue Op, SelectionDAG &DAG) const; SDValue LowerINTRINSIC_WO_CHAIN(SDValue Op, SelectionDAG &DAG) const; SDValue LowerSCALAR_TO_VECTOR(SDValue Op, SelectionDAG &DAG) const; Modified: projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCInstr64Bit.td ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCInstr64Bit.td Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCInstr64Bit.td Sat Nov 26 01:02:53 2016 (r309175) 
@@ -224,6 +224,18 @@ let usesCustomInserter = 1 in { def ATOMIC_LOAD_NAND_I64 : Pseudo< (outs g8rc:$dst), (ins memrr:$ptr, g8rc:$incr), "#ATOMIC_LOAD_NAND_I64", [(set i64:$dst, (atomic_load_nand_64 xoaddr:$ptr, i64:$incr))]>; + def ATOMIC_LOAD_MIN_I64 : Pseudo< + (outs g8rc:$dst), (ins memrr:$ptr, g8rc:$incr), "#ATOMIC_LOAD_MIN_I64", + [(set i64:$dst, (atomic_load_min_64 xoaddr:$ptr, i64:$incr))]>; + def ATOMIC_LOAD_MAX_I64 : Pseudo< + (outs g8rc:$dst), (ins memrr:$ptr, g8rc:$incr), "#ATOMIC_LOAD_MAX_I64", + [(set i64:$dst, (atomic_load_max_64 xoaddr:$ptr, i64:$incr))]>; + def ATOMIC_LOAD_UMIN_I64 : Pseudo< + (outs g8rc:$dst), (ins memrr:$ptr, g8rc:$incr), "#ATOMIC_LOAD_UMIN_I64", + [(set i64:$dst, (atomic_load_umin_64 xoaddr:$ptr, i64:$incr))]>; + def ATOMIC_LOAD_UMAX_I64 : Pseudo< + (outs g8rc:$dst), (ins memrr:$ptr, g8rc:$incr), "#ATOMIC_LOAD_UMAX_I64", + [(set i64:$dst, (atomic_load_umax_64 xoaddr:$ptr, i64:$incr))]>; def ATOMIC_CMP_SWAP_I64 : Pseudo< (outs g8rc:$dst), (ins memrr:$ptr, g8rc:$old, g8rc:$new), "#ATOMIC_CMP_SWAP_I64", Modified: projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCInstrInfo.td ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCInstrInfo.td Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Target/PowerPC/PPCInstrInfo.td Sat Nov 26 01:02:53 2016 (r309175) 
@@ -1509,6 +1509,18 @@ let usesCustomInserter = 1 in { def ATOMIC_LOAD_NAND_I8 : Pseudo< (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_NAND_I8", [(set i32:$dst, (atomic_load_nand_8 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_MIN_I8 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_MIN_I8", + [(set i32:$dst, (atomic_load_min_8 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_MAX_I8 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_MAX_I8", + [(set i32:$dst, (atomic_load_max_8 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_UMIN_I8 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_UMIN_I8", + [(set i32:$dst, (atomic_load_umin_8 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_UMAX_I8 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_UMAX_I8", + [(set i32:$dst, (atomic_load_umax_8 xoaddr:$ptr, i32:$incr))]>; def ATOMIC_LOAD_ADD_I16 : Pseudo< (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_ADD_I16", [(set i32:$dst, (atomic_load_add_16 xoaddr:$ptr, i32:$incr))]>; 
@@ -1527,6 +1539,18 @@ let usesCustomInserter = 1 in { def ATOMIC_LOAD_NAND_I16 : Pseudo< (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_NAND_I16", [(set i32:$dst, (atomic_load_nand_16 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_MIN_I16 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_MIN_I16", + [(set i32:$dst, (atomic_load_min_16 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_MAX_I16 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_MAX_I16", + [(set i32:$dst, (atomic_load_max_16 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_UMIN_I16 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_UMIN_I16", + [(set i32:$dst, (atomic_load_umin_16 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_UMAX_I16 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_UMAX_I16", + [(set i32:$dst, (atomic_load_umax_16 xoaddr:$ptr, i32:$incr))]>; def ATOMIC_LOAD_ADD_I32 : Pseudo< (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_ADD_I32", [(set i32:$dst, (atomic_load_add_32 xoaddr:$ptr, i32:$incr))]>; 
@@ -1545,6 +1569,18 @@ let usesCustomInserter = 1 in { def ATOMIC_LOAD_NAND_I32 : Pseudo< (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_NAND_I32", [(set i32:$dst, (atomic_load_nand_32 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_MIN_I32 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_MIN_I32", + [(set i32:$dst, (atomic_load_min_32 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_MAX_I32 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_MAX_I32", + [(set i32:$dst, (atomic_load_max_32 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_UMIN_I32 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_UMIN_I32", + [(set i32:$dst, (atomic_load_umin_32 xoaddr:$ptr, i32:$incr))]>; + def ATOMIC_LOAD_UMAX_I32 : Pseudo< + (outs gprc:$dst), (ins memrr:$ptr, gprc:$incr), "#ATOMIC_LOAD_UMAX_I32", + [(set i32:$dst, (atomic_load_umax_32 xoaddr:$ptr, i32:$incr))]>; def ATOMIC_CMP_SWAP_I8 : Pseudo< (outs gprc:$dst), (ins memrr:$ptr, gprc:$old, gprc:$new), "#ATOMIC_CMP_SWAP_I8", Modified: projects/clang391-import/contrib/llvm/lib/Target/X86/X86ISelLowering.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Target/X86/X86ISelLowering.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Target/X86/X86ISelLowering.cpp Sat Nov 26 01:02:53 2016 (r309175) 
@@ -8656,6 +8656,17 @@ static SDValue lowerVectorShuffleAsBroad V = DAG.getLoad(SVT, DL, Ld->getChain(), NewAddr, DAG.getMachineFunction().getMachineMemOperand( Ld->getMemOperand(), Offset, SVT.getStoreSize())); + + // Make sure the newly-created LOAD is in the same position as Ld in + // terms of dependency. We create a TokenFactor for Ld and V, + // and update uses of Ld's output chain to use the TokenFactor. + if (Ld->hasAnyUseOfValue(1)) { + SDValue NewChain = DAG.getNode(ISD::TokenFactor, DL, MVT::Other, + SDValue(Ld, 1), SDValue(V.getNode(), 1)); + DAG.ReplaceAllUsesOfValueWith(SDValue(Ld, 1), NewChain); + DAG.UpdateNodeOperands(NewChain.getNode(), SDValue(Ld, 1), + SDValue(V.getNode(), 1)); + } } else if (!BroadcastFromReg) { // We can't broadcast from a vector register. return SDValue(); Modified: projects/clang391-import/contrib/llvm/lib/Target/X86/X86InstrAVX512.td ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Target/X86/X86InstrAVX512.td Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Target/X86/X86InstrAVX512.td Sat Nov 26 01:02:53 2016 (r309175) @@ -2124,7 +2124,7 @@ let Predicates = [HasAVX512] in { (COPY_TO_REGCLASS (i16 (EXTRACT_SUBREG $src, sub_16bit)), VK1)>; def : Pat<(i1 (trunc (i8 GR8:$src))), - (COPY_TO_REGCLASS (i16 (SUBREG_TO_REG (i64 0), (AND8ri8 $src, (i8 1)), + (COPY_TO_REGCLASS (i16 (SUBREG_TO_REG (i64 0), (AND8ri $src, (i8 1)), sub_8bit)), VK1)>; def : Pat<(i1 (trunc (i8 (assertzext_i1 GR8:$src)))), Modified: projects/clang391-import/contrib/llvm/lib/Transforms/Scalar/JumpThreading.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/lib/Transforms/Scalar/JumpThreading.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/lib/Transforms/Scalar/JumpThreading.cpp Sat Nov 26 01:02:53 2016 (r309175) 
@@ -1322,6 +1322,10 @@ bool JumpThreadingPass::ProcessBranchOnX if (!isa(BB->front())) return false; + // If this BB is a landing pad, we won't be able to split the edge into it. + if (BB->isEHPad()) + return false; + // If we have a xor as the branch input to this block, and we know that the // LHS or RHS of the xor in any predecessor is true/false, then we can clone // the condition into the predecessor and fix that value to true, saving some Modified: projects/clang391-import/contrib/llvm/tools/clang/include/clang/AST/DeclTemplate.h ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/include/clang/AST/DeclTemplate.h Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/include/clang/AST/DeclTemplate.h Sat Nov 26 01:02:53 2016 (r309175) @@ -44,6 +44,8 @@ class VarTemplatePartialSpecializationDe typedef llvm::PointerUnion3 TemplateParameter; +NamedDecl *getAsNamedDecl(TemplateParameter P); + /// \brief Stores a list of template parameters for a TemplateDecl and its /// derived classes. class TemplateParameterList final @@ -2912,6 +2914,14 @@ public: friend class ASTDeclWriter; }; +inline NamedDecl *getAsNamedDecl(TemplateParameter P) { + if (auto *PD = P.dyn_cast()) + return PD; + if (auto *PD = P.dyn_cast()) + return PD; + return P.get(); +} + } /* end of namespace clang */ #endif Modified: projects/clang391-import/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticDriverKinds.td ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticDriverKinds.td Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticDriverKinds.td Sat Nov 26 01:02:53 2016 (r309175) 
@@ -159,8 +159,6 @@ def err_drv_bitcode_unsupported_on_toolc "-fembed-bitcode is not supported on versions of iOS prior to 6.0">; def warn_O4_is_O3 : Warning<"-O4 is equivalent to -O3">, InGroup; -def warn_drv_lto_libpath : Warning<"libLTO.dylib relative to clang installed dir not found; using 'ld' default search path instead">, - InGroup; def warn_drv_optimization_value : Warning<"optimization level '%0' is not supported; using '%1%2' instead">, InGroup; def warn_ignored_gcc_optimization : Warning<"optimization flag '%0' is not supported">, Modified: projects/clang391-import/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticSemaKinds.td ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticSemaKinds.td Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/include/clang/Basic/DiagnosticSemaKinds.td Sat Nov 26 01:02:53 2016 (r309175) @@ -4291,7 +4291,7 @@ def err_definition_of_implicitly_declare def err_definition_of_explicitly_defaulted_member : Error< "definition of explicitly defaulted %select{default constructor|copy " "constructor|move constructor|copy assignment operator|move assignment " - "operator|destructor}0">; + "operator|destructor|function}0">; def err_redefinition_extern_inline : Error< "redefinition of a 'extern inline' function %0 is not supported in " "%select{C99 mode|C++}1">; 
@@ -6917,6 +6917,10 @@ def err_in_class_initializer_not_yet_par def err_in_class_initializer_not_yet_parsed_outer_class : Error<"cannot use defaulted default constructor of %0 within " "%1 outside of member functions because %2 has an initializer">; +def err_in_class_initializer_cycle + : Error<"default member initializer for %0 uses itself">; +def err_exception_spec_cycle + : Error<"exception specification of %0 uses itself">; def ext_in_class_initializer_non_constant : Extension< "in-class initializer for static data member is not a constant expression; " Modified: projects/clang391-import/contrib/llvm/tools/clang/include/clang/Sema/Sema.h ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/include/clang/Sema/Sema.h Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/include/clang/Sema/Sema.h Sat Nov 26 01:02:53 2016 (r309175) @@ -18,6 +18,7 @@ #include "clang/AST/Attr.h" #include "clang/AST/Availability.h" #include "clang/AST/DeclarationName.h" +#include "clang/AST/DeclTemplate.h" #include "clang/AST/Expr.h" #include "clang/AST/ExprObjC.h" #include "clang/AST/ExternalASTSource.h" @@ -1217,8 +1218,10 @@ public: /// \brief Retrieve the current block, if any. sema::BlockScopeInfo *getCurBlock(); - /// \brief Retrieve the current lambda scope info, if any. - sema::LambdaScopeInfo *getCurLambda(); + /// Retrieve the current lambda scope info, if any. + /// \param IgnoreCapturedRegions true if should find the top-most lambda scope + /// info ignoring all inner captured regions scope infos. + sema::LambdaScopeInfo *getCurLambda(bool IgnoreCapturedRegions = false); /// \brief Retrieve the current generic lambda info, if any. sema::LambdaScopeInfo *getCurGenericLambda(); 
@@ -6613,10 +6616,10 @@ public: TemplateInstantiation, /// We are instantiating a default argument for a template - /// parameter. The Entity is the template, and - /// TemplateArgs/NumTemplateArguments provides the template - /// arguments as specified. - /// FIXME: Use a TemplateArgumentList + /// parameter. The Entity is the template parameter whose argument is + /// being instantiated, the Template is the template, and the + /// TemplateArgs/NumTemplateArguments provide the template arguments as + /// specified. DefaultTemplateArgumentInstantiation, /// We are instantiating a default argument for a function. @@ -6731,6 +6734,9 @@ public: SmallVector ActiveTemplateInstantiations; + /// Specializations whose definitions are currently being instantiated. + llvm::DenseSet> InstantiatingSpecializations; + /// \brief Extra modules inspected when performing a lookup during a template /// instantiation. Computed lazily. SmallVector ActiveTemplateInstantiationLookupModules; @@ -6837,12 +6843,12 @@ public: /// \brief Note that we are instantiating a default argument in a /// template-id. InstantiatingTemplate(Sema &SemaRef, SourceLocation PointOfInstantiation, - TemplateDecl *Template, + TemplateParameter Param, TemplateDecl *Template, ArrayRef TemplateArgs, SourceRange InstantiationRange = SourceRange()); - /// \brief Note that we are instantiating a default argument in a - /// template-id. + /// \brief Note that we are substituting either explicitly-specified or + /// deduced template arguments during function template argument deduction. InstantiatingTemplate(Sema &SemaRef, SourceLocation PointOfInstantiation, FunctionTemplateDecl *FunctionTemplate, ArrayRef TemplateArgs, 
@@ -6909,9 +6915,14 @@ public: /// recursive template instantiations. bool isInvalid() const { return Invalid; } + /// \brief Determine whether we are already instantiating this + /// specialization in some surrounding active instantiation. + bool isAlreadyInstantiating() const { return AlreadyInstantiating; } + private: Sema &SemaRef; bool Invalid; + bool AlreadyInstantiating; bool SavedInNonInstantiationSFINAEContext; bool CheckInstantiationDepth(SourceLocation PointOfInstantiation, SourceRange InstantiationRange); Modified: projects/clang391-import/contrib/llvm/tools/clang/lib/Basic/Targets.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/lib/Basic/Targets.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/lib/Basic/Targets.cpp Sat Nov 26 01:02:53 2016 (r309175) @@ -158,14 +158,25 @@ static void getDarwinDefines(MacroBuilde // Set the appropriate OS version define. if (Triple.isiOS()) { - assert(Maj < 10 && Min < 100 && Rev < 100 && "Invalid version!"); - char Str[6]; - Str[0] = '0' + Maj; - Str[1] = '0' + (Min / 10); - Str[2] = '0' + (Min % 10); - Str[3] = '0' + (Rev / 10); - Str[4] = '0' + (Rev % 10); - Str[5] = '\0'; + assert(Maj < 100 && Min < 100 && Rev < 100 && "Invalid version!"); + char Str[7]; + if (Maj < 10) { + Str[0] = '0' + Maj; + Str[1] = '0' + (Min / 10); + Str[2] = '0' + (Min % 10); + Str[3] = '0' + (Rev / 10); + Str[4] = '0' + (Rev % 10); + Str[5] = '\0'; + } else { + // Handle versions >= 10. + Str[0] = '0' + (Maj / 10); + Str[1] = '0' + (Maj % 10); + Str[2] = '0' + (Min / 10); + Str[3] = '0' + (Min % 10); + Str[4] = '0' + (Rev / 10); + Str[5] = '0' + (Rev % 10); + Str[6] = '\0'; + } if (Triple.isTvOS()) Builder.defineMacro("__ENVIRONMENT_TV_OS_VERSION_MIN_REQUIRED__", Str); else 
@@ -8170,6 +8181,8 @@ static TargetInfo *AllocateTarget(const return new DarwinARMTargetInfo(Triple, Opts); switch (os) { + case llvm::Triple::CloudABI: + return new CloudABITargetInfo(Triple, Opts); case llvm::Triple::Linux: return new LinuxTargetInfo(Triple, Opts); case llvm::Triple::FreeBSD: Modified: projects/clang391-import/contrib/llvm/tools/clang/lib/Basic/Version.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/lib/Basic/Version.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/lib/Basic/Version.cpp Sat Nov 26 01:02:53 2016 (r309175) @@ -36,7 +36,7 @@ std::string getClangRepositoryPath() { // If the SVN_REPOSITORY is empty, try to use the SVN keyword. This helps us // pick up a tag in an SVN export, for example. - StringRef SVNRepository("$URL: https://llvm.org/svn/llvm-project/cfe/tags/RELEASE_390/final/lib/Basic/Version.cpp $"); + StringRef SVNRepository("$URL: https://llvm.org/svn/llvm-project/cfe/branches/release_39/lib/Basic/Version.cpp $"); if (URL.empty()) { URL = SVNRepository.slice(SVNRepository.find(':'), SVNRepository.find("/lib/Basic")); Modified: projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGExpr.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGExpr.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGExpr.cpp Sat Nov 26 01:02:53 2016 (r309175) 
@@ -2105,12 +2105,11 @@ LValue CodeGenFunction::EmitDeclRefLValu if (auto *FD = LambdaCaptureFields.lookup(VD)) return EmitCapturedFieldLValue(*this, FD, CXXABIThisValue); else if (CapturedStmtInfo) { - auto it = LocalDeclMap.find(VD); - if (it != LocalDeclMap.end()) { - if (auto RefTy = VD->getType()->getAs()) { - return EmitLoadOfReferenceLValue(it->second, RefTy); - } - return MakeAddrLValue(it->second, T); + auto I = LocalDeclMap.find(VD); + if (I != LocalDeclMap.end()) { + if (auto RefTy = VD->getType()->getAs()) + return EmitLoadOfReferenceLValue(I->second, RefTy); + return MakeAddrLValue(I->second, T); } LValue CapLVal = EmitCapturedFieldLValue(*this, CapturedStmtInfo->lookup(VD), @@ -2249,13 +2248,15 @@ LValue CodeGenFunction::EmitUnaryOpLValu return LV; } - assert(E->getSubExpr()->getType()->isAnyComplexType()); + QualType T = ExprTy->castAs()->getElementType(); Address Component = (E->getOpcode() == UO_Real ? emitAddrOfRealComponent(LV.getAddress(), LV.getType()) : emitAddrOfImagComponent(LV.getAddress(), LV.getType())); - return MakeAddrLValue(Component, ExprTy, LV.getAlignmentSource()); + LValue ElemLV = MakeAddrLValue(Component, T, LV.getAlignmentSource()); + ElemLV.getQuals().addQualifiers(LV.getQuals()); + return ElemLV; } case UO_PreInc: case UO_PreDec: { Modified: projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGStmt.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGStmt.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGStmt.cpp Sat Nov 26 01:02:53 2016 (r309175) 
@@ -1323,6 +1323,10 @@ static CSFC_Result CollectStatementsForC // Handle this as two cases: we might be looking for the SwitchCase (if so // the skipped statements must be skippable) or we might already have it. CompoundStmt::const_body_iterator I = CS->body_begin(), E = CS->body_end(); + bool StartedInLiveCode = FoundCase; + unsigned StartSize = ResultStmts.size(); + + // If we've not found the case yet, scan through looking for it. if (Case) { // Keep track of whether we see a skipped declaration. The code could be // using the declaration even if it is skipped, so we can't optimize out @@ -1332,7 +1336,7 @@ static CSFC_Result CollectStatementsForC // If we're looking for the case, just see if we can skip each of the // substatements. for (; Case && I != E; ++I) { - HadSkippedDecl |= isa(*I); + HadSkippedDecl |= CodeGenFunction::mightAddDeclToScope(*I); switch (CollectStatementsForCase(*I, Case, FoundCase, ResultStmts)) { case CSFC_Failure: return CSFC_Failure; @@ -1368,11 +1372,19 @@ static CSFC_Result CollectStatementsForC break; } } + + if (!FoundCase) + return CSFC_Success; + + assert(!HadSkippedDecl && "fallthrough after skipping decl"); } // If we have statements in our range, then we know that the statements are // live and need to be added to the set of statements we're tracking. + bool AnyDecls = false; for (; I != E; ++I) { + AnyDecls |= CodeGenFunction::mightAddDeclToScope(*I); + switch (CollectStatementsForCase(*I, nullptr, FoundCase, ResultStmts)) { case CSFC_Failure: return CSFC_Failure; case CSFC_FallThrough: 
@@ -1390,7 +1402,24 @@ static CSFC_Result CollectStatementsForC } } - return Case ? CSFC_Success : CSFC_FallThrough; + // If we're about to fall out of a scope without hitting a 'break;', we + // can't perform the optimization if there were any decls in that scope + // (we'd lose their end-of-lifetime). + if (AnyDecls) { + // If the entire compound statement was live, there's one more thing we + // can try before giving up: emit the whole thing as a single statement. + // We can do that unless the statement contains a 'break;'. + // FIXME: Such a break must be at the end of a construct within this one. + // We could emit this by just ignoring the BreakStmts entirely. + if (StartedInLiveCode && !CodeGenFunction::containsBreak(S)) { + ResultStmts.resize(StartSize); + ResultStmts.push_back(S); + } else { + return CSFC_Failure; + } + } + + return CSFC_FallThrough; } // Okay, this is some other statement that we don't handle explicitly, like a Modified: projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGStmtOpenMP.cpp ============================================================================== --- projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGStmtOpenMP.cpp Sat Nov 26 00:59:01 2016 (r309174) +++ projects/clang391-import/contrib/llvm/tools/clang/lib/CodeGen/CGStmtOpenMP.cpp Sat Nov 26 01:02:53 2016 (r309175) 
@@ -232,8 +232,15 @@ CodeGenFunction::GenerateOpenMPCapturedS assert(I->capturesVariableArrayType()); II = &getContext().Idents.get("vla"); } - if (ArgType->isVariablyModifiedType()) - ArgType = getContext().getVariableArrayDecayedType(ArgType); + if (ArgType->isVariablyModifiedType()) { + bool IsReference = ArgType->isLValueReferenceType(); + ArgType = + getContext().getCanonicalParamType(ArgType.getNonReferenceType()); + if (IsReference && !ArgType->isPointerType()) { + ArgType = getContext().getLValueReferenceType( + ArgType, /*SpelledAsLValue=*/false); + } + } Args.push_back(ImplicitParamDecl::Create(getContext(), nullptr, FD->getLocation(), II, ArgType)); ++I; @@ -287,8 +294,14 @@ CodeGenFunction::GenerateOpenMPCapturedS QualType VarTy = Var->getType(); Address ArgAddr = ArgLVal.getAddress(); if (!VarTy->isReferenceType()) { - ArgAddr = EmitLoadOfReference( - ArgAddr, ArgLVal.getType()->castAs()); + if (ArgLVal.getType()->isLValueReferenceType()) { + ArgAddr = EmitLoadOfReference( + ArgAddr, ArgLVal.getType()->castAs()); + } else if (!VarTy->isVariablyModifiedType() || !VarTy->isPointerType()) { + assert(ArgLVal.getType()->isPointerType()); + ArgAddr = EmitLoadOfPointer( + ArgAddr, ArgLVal.getType()->castAs()); + } } setAddrOfLocalVar( Var, Address(ArgAddr.getPointer(), getContext().getDeclAlign(Var))); @@ -1754,9 +1767,17 @@ void CodeGenFunction::EmitOMPOuterLoop(b EmitBlock(LoopExit.getBlock()); // Tell the runtime we are done. - if (!DynamicOrOrdered) - RT.emitForStaticFinish(*this, S.getLocEnd()); - + SourceLocation ELoc = S.getLocEnd(); + auto &&CodeGen = [DynamicOrOrdered, ELoc](CodeGenFunction &CGF) { + if (!DynamicOrOrdered) + CGF.CGM.getOpenMPRuntime().emitForStaticFinish(CGF, ELoc); + }; + CodeGen(*this); + + OpenMPDirectiveKind DKind = S.getDirectiveKind(); + if (DKind == OMPD_for || DKind == OMPD_parallel_for || + DKind == OMPD_distribute_parallel_for) + OMPCancelStack.back().CodeGen = CodeGen; } void CodeGenFunction::EmitOMPForOuterLoop( 
@@ -1868,6 +1889,7 @@ void CodeGenFunction::EmitOMPDistributeO void CodeGenFunction::EmitOMPDistributeParallelForDirective( const OMPDistributeParallelForDirective &S) { OMPLexicalScope Scope(*this, S, /*AsInlined=*/true); + OMPCancelStackRAII CancelRegion(*this); CGM.getOpenMPRuntime().emitInlinedDirective( *this, OMPD_distribute_parallel_for, [&S](CodeGenFunction &CGF, PrePostActionTy &) { @@ -2060,7 +2082,15 @@ bool CodeGenFunction::EmitOMPWorksharing [](CodeGenFunction &) {}); EmitBlock(LoopExit.getBlock()); // Tell the runtime we are done. - RT.emitForStaticFinish(*this, S.getLocStart()); + SourceLocation ELoc = S.getLocEnd(); + auto &&CodeGen = [ELoc](CodeGenFunction &CGF) { + CGF.CGM.getOpenMPRuntime().emitForStaticFinish(CGF, ELoc); + }; + CodeGen(*this); + OpenMPDirectiveKind DKind = S.getDirectiveKind(); + if (DKind == OMPD_for || DKind == OMPD_parallel_for || + DKind == OMPD_distribute_parallel_for) + OMPCancelStack.back().CodeGen = CodeGen; } else { const bool IsMonotonic = Ordered || ScheduleKind.Schedule == OMPC_SCHEDULE_static || @@ -2114,6 +2144,7 @@ void CodeGenFunction::EmitOMPForDirectiv }; { OMPLexicalScope Scope(*this, S, /*AsInlined=*/true); + OMPCancelStackRAII CancelRegion(*this); CGM.getOpenMPRuntime().emitInlinedDirective(*this, OMPD_for, CodeGen, S.hasCancel()); } @@ -2156,6 +2187,7 @@ void CodeGenFunction::EmitSections(const bool HasLastprivates = false; auto &&CodeGen = [&S, Stmt, CS, &HasLastprivates](CodeGenFunction &CGF, PrePostActionTy &) { + OMPCancelStackRAII CancelRegion(CGF); auto &C = CGF.CGM.getContext(); auto KmpInt32Ty = C.getIntTypeForBitwidth(/*DestWidth=*/32, /*Signed=*/1); // Emit helper vars inits. 
@@ -2250,7 +2282,12 @@ void CodeGenFunction::EmitSections(const CGF.EmitOMPInnerLoop(S, /*RequiresCleanup=*/false, &Cond, &Inc, BodyGen, [](CodeGenFunction &) {}); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
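Review bot: In the getDarwinDefines hunk of lib/Basic/Targets.cpp, the only guard on the digit arithmetic is `assert(Maj < 100 && Min < 100 && Rev < 100 && "Invalid version!")`, which is compiled out of NDEBUG builds, so an out-of-range component would silently put non-digit characters into the string passed to `Builder.defineMacro`. The stores stay inside `char Str[7]`, so this is a correctness issue rather than a memory-safety one, but diagnosing or clamping the value before formatting would be more robust. The two branches also repeat the same Min and Rev digit stores; writing the major digits first and sharing the remaining stores through a running index would remove the duplication.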
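Review bot: Both new `OMPCancelStack.back().CodeGen = CodeGen;` assignments in lib/CodeGen/CGStmtOpenMP.cpp (the EmitOMPOuterLoop and EmitOMPWorksharingLoop hunks) assume the stack is non-empty for `OMPD_for`, `OMPD_parallel_for` and `OMPD_distribute_parallel_for`, while the visible hunks add an `OMPCancelStackRAII CancelRegion` only in EmitOMPDistributeParallelForDirective, EmitOMPForDirective and EmitSections. The diff is truncated, so please confirm that the `OMPD_parallel_for` path also pushes an entry before these assignments run, or guard the `.back()` call. In the worksharing hunk the finish call also moves from `S.getLocStart()` to `S.getLocEnd()`, which deserves a line in the commit log, and the repeated DKind test could live in one helper.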
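Review bot: The new `bool AlreadyInstantiating;` member in the private section of InstantiatingTemplate in Sema.h is read through `isAlreadyInstantiating()`, so every constructor overload has to initialise it, and the header hunks show only the declaration. An in-class default such as `bool AlreadyInstantiating = false;` would cover any overload that does not set it explicitly.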
From: Dimitry Andric Date: Sat, 26 Nov 2016 01:17:03 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309178 - in projects/clang391-import: . tools/build/mk Author: dim Date: Sat Nov 26 01:17:03 2016 New Revision: 309178 URL: https://svnweb.freebsd.org/changeset/base/309178 Log: Add UPDATING entry and update ObsoleteFiles.inc. Modified: projects/clang391-import/ObsoleteFiles.inc projects/clang391-import/UPDATING projects/clang391-import/tools/build/mk/OptionalObsoleteFiles.inc Modified: projects/clang391-import/ObsoleteFiles.inc ============================================================================== --- projects/clang391-import/ObsoleteFiles.inc Sat Nov 26 01:16:33 2016 (r309177) +++ projects/clang391-import/ObsoleteFiles.inc Sat Nov 26 01:17:03 2016 (r309178)
@@ -38,6 +38,110 @@ # xargs -n1 | sort | uniq -d; # done +# 2016mmdd: new clang import which bumps version from 3.9.0 to 3.9.1. +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/allocator_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/asan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/common_interface_defs.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/coverage_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/dfsan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/linux_syscall_hooks.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/lsan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/msan_interface.h +OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/tsan_interface_atomic.h +OLD_DIRS+=usr/lib/clang/3.9.0/include/sanitizer +OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_cmath.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_intrinsics.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_math_forward_declares.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_runtime_wrapper.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__stddef_max_align_t.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__wmmintrin_aes.h +OLD_FILES+=usr/lib/clang/3.9.0/include/__wmmintrin_pclmul.h +OLD_FILES+=usr/lib/clang/3.9.0/include/adxintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/altivec.h +OLD_FILES+=usr/lib/clang/3.9.0/include/ammintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/arm_acle.h +OLD_FILES+=usr/lib/clang/3.9.0/include/arm_neon.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx2intrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512bwintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512cdintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512dqintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512erintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512fintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512ifmaintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512ifmavlintrin.h 
+OLD_FILES+=usr/lib/clang/3.9.0/include/avx512pfintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vbmiintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vbmivlintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlbwintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlcdintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vldqintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/avxintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/bmi2intrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/bmiintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/clflushoptintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/cpuid.h +OLD_FILES+=usr/lib/clang/3.9.0/include/cuda_builtin_vars.h +OLD_FILES+=usr/lib/clang/3.9.0/include/emmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/f16cintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/fma4intrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/fmaintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/fxsrintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/htmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/htmxlintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/ia32intrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/immintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/lzcntintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/mm3dnow.h +OLD_FILES+=usr/lib/clang/3.9.0/include/mm_malloc.h +OLD_FILES+=usr/lib/clang/3.9.0/include/mmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/module.modulemap +OLD_FILES+=usr/lib/clang/3.9.0/include/mwaitxintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/nmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/opencl-c.h +OLD_FILES+=usr/lib/clang/3.9.0/include/pkuintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/pmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/popcntintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/prfchwintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/rdseedintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/rtmintrin.h 
+OLD_FILES+=usr/lib/clang/3.9.0/include/s390intrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/shaintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/smmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/tbmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/tmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/vadefs.h +OLD_FILES+=usr/lib/clang/3.9.0/include/vecintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/wmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/x86intrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/xmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/xopintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/xsavecintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/xsaveintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/xsaveoptintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/xsavesintrin.h +OLD_FILES+=usr/lib/clang/3.9.0/include/xtestintrin.h +OLD_DIRS+=usr/lib/clang/3.9.0/include +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-i386.so +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-preinit-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-preinit-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-x86_64.so +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan_cxx-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan_cxx-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-arm.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.safestack-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.safestack-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone-x86_64.a 
+OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone_cxx-i386.a +OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone_cxx-x86_64.a +OLD_DIRS+=usr/lib/clang/3.9.0/lib/freebsd +OLD_DIRS+=usr/lib/clang/3.9.0/lib +OLD_DIRS+=usr/lib/clang/3.9.0 # 20161124: new clang import which bumps version from 3.8.0 to 3.9.0. OLD_FILES+=usr/lib/clang/3.8.0/include/sanitizer/allocator_interface.h OLD_FILES+=usr/lib/clang/3.8.0/include/sanitizer/asan_interface.h Modified: projects/clang391-import/UPDATING ============================================================================== --- projects/clang391-import/UPDATING Sat Nov 26 01:16:33 2016 (r309177) +++ projects/clang391-import/UPDATING Sat Nov 26 01:17:03 2016 (r309178) @@ -51,6 +51,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12 ****************************** SPECIAL WARNING: ****************************** +2016mmdd: + Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.1. + Please see the 20141231 entry below for information about prerequisites + and upgrading, if you are not already using clang 3.5.0 or higher. + 20161124: Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.0. Please see the 20141231 entry below for information about prerequisites Modified: projects/clang391-import/tools/build/mk/OptionalObsoleteFiles.inc ============================================================================== --- projects/clang391-import/tools/build/mk/OptionalObsoleteFiles.inc Sat Nov 26 01:16:33 2016 (r309177) +++ projects/clang391-import/tools/build/mk/OptionalObsoleteFiles.inc Sat Nov 26 01:17:03 2016 (r309178) 
@@ -1137,109 +1137,109 @@ OLD_FILES+=usr/bin/clang++ OLD_FILES+=usr/bin/clang-cpp OLD_FILES+=usr/bin/clang-tblgen OLD_FILES+=usr/bin/llvm-tblgen -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/allocator_interface.h -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/asan_interface.h -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/common_interface_defs.h -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/coverage_interface.h -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/dfsan_interface.h -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/linux_syscall_hooks.h -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/lsan_interface.h -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/msan_interface.h -OLD_FILES+=usr/lib/clang/3.9.0/include/sanitizer/tsan_interface_atomic.h -OLD_DIRS+=usr/lib/clang/3.9.0/include/sanitizer -OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_cmath.h -OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_intrinsics.h -OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_math_forward_declares.h -OLD_FILES+=usr/lib/clang/3.9.0/include/__clang_cuda_runtime_wrapper.h -OLD_FILES+=usr/lib/clang/3.9.0/include/__stddef_max_align_t.h -OLD_FILES+=usr/lib/clang/3.9.0/include/__wmmintrin_aes.h -OLD_FILES+=usr/lib/clang/3.9.0/include/__wmmintrin_pclmul.h -OLD_FILES+=usr/lib/clang/3.9.0/include/adxintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/altivec.h -OLD_FILES+=usr/lib/clang/3.9.0/include/ammintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/arm_acle.h -OLD_FILES+=usr/lib/clang/3.9.0/include/arm_neon.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx2intrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512bwintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512cdintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512dqintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512erintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512fintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512ifmaintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512ifmavlintrin.h 
-OLD_FILES+=usr/lib/clang/3.9.0/include/avx512pfintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vbmiintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vbmivlintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlbwintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlcdintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vldqintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avx512vlintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/avxintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/bmi2intrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/bmiintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/clflushoptintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/cpuid.h -OLD_FILES+=usr/lib/clang/3.9.0/include/cuda_builtin_vars.h -OLD_FILES+=usr/lib/clang/3.9.0/include/emmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/f16cintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/fma4intrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/fmaintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/fxsrintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/htmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/htmxlintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/ia32intrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/immintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/lzcntintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/mm3dnow.h -OLD_FILES+=usr/lib/clang/3.9.0/include/mm_malloc.h -OLD_FILES+=usr/lib/clang/3.9.0/include/mmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/module.modulemap -OLD_FILES+=usr/lib/clang/3.9.0/include/mwaitxintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/nmmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/opencl-c.h -OLD_FILES+=usr/lib/clang/3.9.0/include/pkuintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/pmmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/popcntintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/prfchwintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/rdseedintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/rtmintrin.h 
-OLD_FILES+=usr/lib/clang/3.9.0/include/s390intrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/shaintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/smmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/tbmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/tmmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/vadefs.h -OLD_FILES+=usr/lib/clang/3.9.0/include/vecintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/wmmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/x86intrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/xmmintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/xopintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/xsavecintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/xsaveintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/xsaveoptintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/xsavesintrin.h -OLD_FILES+=usr/lib/clang/3.9.0/include/xtestintrin.h -OLD_DIRS+=usr/lib/clang/3.9.0/include -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-i386.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-i386.so -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-preinit-i386.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-preinit-x86_64.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-x86_64.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan-x86_64.so -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan_cxx-i386.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.asan_cxx-x86_64.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-arm.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-i386.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.profile-x86_64.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.safestack-i386.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.safestack-x86_64.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone-i386.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone-x86_64.a 
-OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone_cxx-i386.a -OLD_FILES+=usr/lib/clang/3.9.0/lib/freebsd/libclang_rt.ubsan_standalone_cxx-x86_64.a -OLD_DIRS+=usr/lib/clang/3.9.0/lib/freebsd -OLD_DIRS+=usr/lib/clang/3.9.0/lib -OLD_DIRS+=usr/lib/clang/3.9.0 +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/allocator_interface.h +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/asan_interface.h +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/common_interface_defs.h +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/coverage_interface.h +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/dfsan_interface.h +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/linux_syscall_hooks.h +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/lsan_interface.h +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/msan_interface.h +OLD_FILES+=usr/lib/clang/3.9.1/include/sanitizer/tsan_interface_atomic.h +OLD_DIRS+=usr/lib/clang/3.9.1/include/sanitizer +OLD_FILES+=usr/lib/clang/3.9.1/include/__clang_cuda_cmath.h +OLD_FILES+=usr/lib/clang/3.9.1/include/__clang_cuda_intrinsics.h +OLD_FILES+=usr/lib/clang/3.9.1/include/__clang_cuda_math_forward_declares.h +OLD_FILES+=usr/lib/clang/3.9.1/include/__clang_cuda_runtime_wrapper.h +OLD_FILES+=usr/lib/clang/3.9.1/include/__stddef_max_align_t.h +OLD_FILES+=usr/lib/clang/3.9.1/include/__wmmintrin_aes.h +OLD_FILES+=usr/lib/clang/3.9.1/include/__wmmintrin_pclmul.h +OLD_FILES+=usr/lib/clang/3.9.1/include/adxintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/altivec.h +OLD_FILES+=usr/lib/clang/3.9.1/include/ammintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/arm_acle.h +OLD_FILES+=usr/lib/clang/3.9.1/include/arm_neon.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx2intrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512bwintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512cdintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512dqintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512erintrin.h 
+OLD_FILES+=usr/lib/clang/3.9.1/include/avx512fintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512ifmaintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512ifmavlintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512pfintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512vbmiintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512vbmivlintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512vlbwintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512vlcdintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512vldqintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avx512vlintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/avxintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/bmi2intrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/bmiintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/clflushoptintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/cpuid.h +OLD_FILES+=usr/lib/clang/3.9.1/include/cuda_builtin_vars.h +OLD_FILES+=usr/lib/clang/3.9.1/include/emmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/f16cintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/fma4intrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/fmaintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/fxsrintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/htmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/htmxlintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/ia32intrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/immintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/lzcntintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/mm3dnow.h +OLD_FILES+=usr/lib/clang/3.9.1/include/mm_malloc.h +OLD_FILES+=usr/lib/clang/3.9.1/include/mmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/module.modulemap +OLD_FILES+=usr/lib/clang/3.9.1/include/mwaitxintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/nmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/opencl-c.h +OLD_FILES+=usr/lib/clang/3.9.1/include/pkuintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/pmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/popcntintrin.h 
+OLD_FILES+=usr/lib/clang/3.9.1/include/prfchwintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/rdseedintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/rtmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/s390intrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/shaintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/smmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/tbmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/tmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/vadefs.h +OLD_FILES+=usr/lib/clang/3.9.1/include/vecintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/wmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/x86intrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/xmmintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/xopintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/xsavecintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/xsaveintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/xsaveoptintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/xsavesintrin.h +OLD_FILES+=usr/lib/clang/3.9.1/include/xtestintrin.h +OLD_DIRS+=usr/lib/clang/3.9.1/include +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.asan-i386.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.asan-i386.so +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.asan-preinit-i386.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.asan-preinit-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.asan-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.asan-x86_64.so +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.asan_cxx-i386.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.asan_cxx-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.profile-arm.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.profile-i386.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.profile-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.safestack-i386.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.safestack-x86_64.a 
+OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.ubsan_standalone-i386.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.ubsan_standalone-x86_64.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.ubsan_standalone_cxx-i386.a +OLD_FILES+=usr/lib/clang/3.9.1/lib/freebsd/libclang_rt.ubsan_standalone_cxx-x86_64.a +OLD_DIRS+=usr/lib/clang/3.9.1/lib/freebsd +OLD_DIRS+=usr/lib/clang/3.9.1/lib +OLD_DIRS+=usr/lib/clang/3.9.1 OLD_DIRS+=usr/lib/clang OLD_FILES+=usr/share/doc/llvm/clang/LICENSE.TXT OLD_DIRS+=usr/share/doc/llvm/clang
From: Dimitry Andric Date: Sat, 26 Nov 2016 01:13:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309176 - in projects/clang391-import: etc/mtree lib/clang/headers lib/clang/include/clang/Basic lib/clang/include/clang/Config lib/clang/include/llvm/Config lib/libclang_rt Author: dim Date: Sat Nov 26 01:13:53 2016 New Revision: 309176 URL: https://svnweb.freebsd.org/changeset/base/309176 Log: Update build glue for llvm/clang 3.9.1. Modified: projects/clang391-import/etc/mtree/BSD.debug.dist projects/clang391-import/etc/mtree/BSD.usr.dist projects/clang391-import/lib/clang/headers/Makefile projects/clang391-import/lib/clang/include/clang/Basic/Version.inc projects/clang391-import/lib/clang/include/clang/Config/config.h projects/clang391-import/lib/clang/include/llvm/Config/config.h projects/clang391-import/lib/clang/include/llvm/Config/llvm-config.h projects/clang391-import/lib/libclang_rt/Makefile.inc Modified: projects/clang391-import/etc/mtree/BSD.debug.dist ============================================================================== --- projects/clang391-import/etc/mtree/BSD.debug.dist Sat Nov 26 01:02:53 2016 (r309175) +++ projects/clang391-import/etc/mtree/BSD.debug.dist Sat Nov 26 01:13:53 2016 (r309176)
@@ -29,7 +29,7 @@ .. lib clang - 3.9.0 + 3.9.1 lib freebsd .. Modified: projects/clang391-import/etc/mtree/BSD.usr.dist ============================================================================== --- projects/clang391-import/etc/mtree/BSD.usr.dist Sat Nov 26 01:02:53 2016 (r309175) +++ projects/clang391-import/etc/mtree/BSD.usr.dist Sat Nov 26 01:13:53 2016 (r309176) @@ -19,7 +19,7 @@ aout .. clang - 3.9.0 + 3.9.1 include sanitizer .. Modified: projects/clang391-import/lib/clang/headers/Makefile ============================================================================== --- projects/clang391-import/lib/clang/headers/Makefile Sat Nov 26 01:02:53 2016 (r309175) +++ projects/clang391-import/lib/clang/headers/Makefile Sat Nov 26 01:13:53 2016 (r309176) @@ -4,7 +4,7 @@ .PATH: ${CLANG_SRCS}/lib/Headers -INCSDIR= ${LIBDIR}/clang/3.9.0/include +INCSDIR= ${LIBDIR}/clang/3.9.1/include GENINCS+= arm_neon.h Modified: projects/clang391-import/lib/clang/include/clang/Basic/Version.inc ============================================================================== --- projects/clang391-import/lib/clang/include/clang/Basic/Version.inc Sat Nov 26 01:02:53 2016 (r309175) +++ projects/clang391-import/lib/clang/include/clang/Basic/Version.inc Sat Nov 26 01:13:53 2016 (r309176) @@ -1,10 +1,10 @@ /* $FreeBSD$ */ -#define CLANG_VERSION 3.9.0 +#define CLANG_VERSION 3.9.1 #define CLANG_VERSION_MAJOR 3 #define CLANG_VERSION_MINOR 9 -#define CLANG_VERSION_PATCHLEVEL 0 +#define CLANG_VERSION_PATCHLEVEL 1 #define CLANG_VENDOR "FreeBSD " -#define SVN_REVISION "280324" +#define SVN_REVISION "287912" Modified: projects/clang391-import/lib/clang/include/clang/Config/config.h ============================================================================== --- projects/clang391-import/lib/clang/include/clang/Config/config.h Sat Nov 26 01:02:53 2016 (r309175) +++ projects/clang391-import/lib/clang/include/clang/Config/config.h Sat Nov 26 01:13:53 2016 (r309176) 
@@ -34,7 +34,7 @@ /* #undef CLANG_HAVE_LIBXML */ /* The LLVM product name and version */ -#define BACKEND_PACKAGE_STRING "LLVM 3.9.0" +#define BACKEND_PACKAGE_STRING "LLVM 3.9.1" /* Linker version detected at compile time. */ /* #undef HOST_LINK_VERSION */ Modified: projects/clang391-import/lib/clang/include/llvm/Config/config.h ============================================================================== --- projects/clang391-import/lib/clang/include/llvm/Config/config.h Sat Nov 26 01:02:53 2016 (r309175) +++ projects/clang391-import/lib/clang/include/llvm/Config/config.h Sat Nov 26 01:13:53 2016 (r309176) @@ -508,10 +508,10 @@ #define LLVM_VERSION_MINOR 9 /* Patch version of the LLVM API */ -#define LLVM_VERSION_PATCH 0 +#define LLVM_VERSION_PATCH 1 /* LLVM version string */ -#define LLVM_VERSION_STRING "3.9.0" +#define LLVM_VERSION_STRING "3.9.1" /* LLVM version information */ /* #undef LLVM_VERSION_INFO */ @@ -546,13 +546,13 @@ #define PACKAGE_NAME "LLVM" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "LLVM 3.9.0" +#define PACKAGE_STRING "LLVM 3.9.1" /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the version of this package. */ -#define PACKAGE_VERSION "3.9.0" +#define PACKAGE_VERSION "3.9.1" /* Define to the vendor of this package. */ /* #undef PACKAGE_VENDOR */ Modified: projects/clang391-import/lib/clang/include/llvm/Config/llvm-config.h ============================================================================== --- projects/clang391-import/lib/clang/include/llvm/Config/llvm-config.h Sat Nov 26 01:02:53 2016 (r309175) +++ projects/clang391-import/lib/clang/include/llvm/Config/llvm-config.h Sat Nov 26 01:13:53 2016 (r309176) 
@@ -98,10 +98,10 @@ #define LLVM_VERSION_MINOR 9 /* Patch version of the LLVM API */ -#define LLVM_VERSION_PATCH 0 +#define LLVM_VERSION_PATCH 1 /* LLVM version string */ -#define LLVM_VERSION_STRING "3.9.0" +#define LLVM_VERSION_STRING "3.9.1" /* Define if we link Polly to the tools */ /* #undef LINK_POLLY_INTO_TOOLS */ Modified: projects/clang391-import/lib/libclang_rt/Makefile.inc ============================================================================== --- projects/clang391-import/lib/libclang_rt/Makefile.inc Sat Nov 26 01:02:53 2016 (r309175) +++ projects/clang391-import/lib/libclang_rt/Makefile.inc Sat Nov 26 01:13:53 2016 (r309176) @@ -7,7 +7,7 @@ CRTSRC= ${SRCTOP}/contrib/compiler-rt .PATH: ${CRTSRC}/lib -CLANGDIR= /usr/lib/clang/3.9.0 +CLANGDIR= /usr/lib/clang/3.9.1 LIBDIR= ${CLANGDIR}/lib/freebsd NO_PIC=
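Review bot: The version literal in r309176 is still spelled out by hand in every install path the patch touches: `INCSDIR= ${LIBDIR}/clang/3.9.1/include` in lib/clang/headers/Makefile, `CLANGDIR= /usr/lib/clang/3.9.1` in lib/libclang_rt/Makefile.inc, and the `3.9.1` directory entries in BSD.debug.dist and BSD.usr.dist. If one of these is missed on the next point release, the headers and the compiler-rt libraries under `${CLANGDIR}/lib/freebsd` end up in different version directories. Consider deriving both Makefile paths from one shared version variable, and saying in the log that the two mtree files have to be bumped together with it.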
From: Dimitry Andric Date: Sat, 26 Nov 2016 15:01:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r309193 - projects/clang391-import/contrib/libc++/include Author: dim Date: Sat Nov 26 15:01:35 2016 New Revision: 309193 URL: https://svnweb.freebsd.org/changeset/base/309193 Log: Update libc++ to release_39 branch r287912. Modified: projects/clang391-import/contrib/libc++/include/tuple Directory Properties: projects/clang391-import/contrib/libc++/ (props changed) Modified: projects/clang391-import/contrib/libc++/include/tuple ============================================================================== --- projects/clang391-import/contrib/libc++/include/tuple Sat Nov 26 13:26:29 2016 (r309192) +++ projects/clang391-import/contrib/libc++/include/tuple Sat Nov 26 15:01:35 2016 (r309193) @@ -681,7 +681,7 @@ public: < _CheckArgsConstructor< _Dummy - >::template __enable_implicit<_Tp...>(), + >::template __enable_implicit<_Tp const&...>(), bool >::type = false > @@ -699,7 +699,7 @@ public: < _CheckArgsConstructor< _Dummy - >::template __enable_explicit<_Tp...>(), + >::template __enable_explicit<_Tp const&...>(), bool >::type = false > @@ -717,7 +717,7 @@ public: < _CheckArgsConstructor< _Dummy - >::template __enable_implicit<_Tp...>(), + >::template __enable_implicit<_Tp const&...>(), bool >::type = false > @@ -736,7 +736,7 @@ public: < _CheckArgsConstructor< _Dummy - >::template __enable_explicit<_Tp...>(), + >::template __enable_explicit<_Tp const&...>(), bool >::type = false >
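Review bot: The log for r309193 does not say why the constructor constraints changed. All four hunks in include/tuple (at 681, 699, 717 and 736) switch the check from `__enable_implicit<_Tp...>()` / `__enable_explicit<_Tp...>()` to the `_Tp const&...` form, yet the message only reads "Update libc++ to release_39 branch r287912" and the diff carries no test. Please name the upstream change being merged and the construction case it corrects, so that anyone bisecting a tuple overload-resolution regression on this branch can tell which constructors had their enabling conditions changed and why.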