Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 5 Jun 2017 11:11:08 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r319599 - stable/11/sys/netipsec
Message-ID:  <201706051111.v55BB8eu057778@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: ae
Date: Mon Jun  5 11:11:07 2017
New Revision: 319599
URL: https://svnweb.freebsd.org/changeset/base/319599

Log:
  MFC r319118:
    Disable IPsec debugging code by default when IPSEC_DEBUG kernel option
    is not specified.
  
    Due to the long call chain IPsec code can produce the kernel stack
    exhaustion on the i386 architecture. The debugging code usually is not
    used, but it requires a lot of stack space to keep buffers for strings
    formatting. This patch conditionally defines macros to disable building
    of IPsec debugging code.
  
    IPsec currently has two sysctl variables to configure debug output:
     * net.key.debug variable is used to enable debug output for PF_KEY
       protocol. Such debug messages are produced by KEYDBG() macro and
       usually they can be interesting for developers.
     * net.inet.ipsec.debug variable is used to enable debug output for
       DPRINTF() macro and ipseclog() function. DPRINTF() macro usually
       is used for development debugging. ipseclog() function is used for
       debugging by administrator.
  
    The patch disables KEYDBG() and DPRINTF() macros, and formatting buffers
    declarations when IPSEC_DEBUG is not present in kernel config. This
    reduces stack requirement for up to several hundreds of bytes.
    The net.inet.ipsec.debug variable still can be used to enable ipseclog()
    messages by administrator.
  
    PR:		219476
  
  MFC r319412:
    Build kdebug_secreplay() function only when IPSEC_DEBUG is defined.
    This should fix the build on sparc.
  
  Approved by: re (kib)

Modified:
  stable/11/sys/netipsec/ipsec.h
  stable/11/sys/netipsec/ipsec_input.c
  stable/11/sys/netipsec/ipsec_output.c
  stable/11/sys/netipsec/key_debug.c
  stable/11/sys/netipsec/key_debug.h
  stable/11/sys/netipsec/xform_ah.c
  stable/11/sys/netipsec/xform_esp.c
  stable/11/sys/netipsec/xform_ipcomp.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netipsec/ipsec.h
==============================================================================
--- stable/11/sys/netipsec/ipsec.h	Mon Jun  5 11:04:22 2017	(r319598)
+++ stable/11/sys/netipsec/ipsec.h	Mon Jun  5 11:11:07 2017	(r319599)
@@ -299,7 +299,13 @@ VNET_DECLARE(int, natt_cksum_policy);
 
 #define ipseclog(x)	do { if (V_ipsec_debug) log x; } while (0)
 /* for openbsd compatibility */
+#ifdef IPSEC_DEBUG
+#define	IPSEC_DEBUG_DECLARE(x)	x
 #define	DPRINTF(x)	do { if (V_ipsec_debug) printf x; } while (0)
+#else
+#define	IPSEC_DEBUG_DECLARE(x)
+#define	DPRINTF(x)
+#endif
 
 struct inpcb;
 struct m_tag;

Modified: stable/11/sys/netipsec/ipsec_input.c
==============================================================================
--- stable/11/sys/netipsec/ipsec_input.c	Mon Jun  5 11:04:22 2017	(r319598)
+++ stable/11/sys/netipsec/ipsec_input.c	Mon Jun  5 11:11:07 2017	(r319599)
@@ -117,7 +117,7 @@ __FBSDID("$FreeBSD$");
 static int
 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	union sockaddr_union dst_address;
 	struct secasvar *sav;
 	uint32_t spi;
@@ -277,7 +277,7 @@ int
 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
     int protoff)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	struct ipsec_ctx_data ctx;
 	struct xform_history *xh;
 	struct secasindex *saidx;
@@ -488,7 +488,7 @@ int
 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
     int protoff)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	struct ipsec_ctx_data ctx;
 	struct xform_history *xh;
 	struct secasindex *saidx;

Modified: stable/11/sys/netipsec/ipsec_output.c
==============================================================================
--- stable/11/sys/netipsec/ipsec_output.c	Mon Jun  5 11:04:22 2017	(r319598)
+++ stable/11/sys/netipsec/ipsec_output.c	Mon Jun  5 11:11:07 2017	(r319599)
@@ -183,7 +183,6 @@ next:
 static int
 ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
 {
-	char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
 	struct ipsec_ctx_data ctx;
 	union sockaddr_union *dst;
 	struct secasvar *sav;
@@ -230,12 +229,9 @@ ipsec4_perform_request(struct mbuf *m, struct secpolic
 		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
 		error = ipsec_encap(&m, &sav->sah->saidx);
 		if (error != 0) {
-			DPRINTF(("%s: encapsulation for SA %s->%s "
-			    "SPI 0x%08x failed with error %d\n", __func__,
-			    ipsec_address(&sav->sah->saidx.src, sbuf,
-				sizeof(sbuf)),
-			    ipsec_address(&sav->sah->saidx.dst, dbuf,
-				sizeof(dbuf)), ntohl(sav->spi), error));
+			DPRINTF(("%s: encapsulation for SPI 0x%08x failed "
+			    "with error %d\n", __func__, ntohl(sav->spi),
+			    error));
 			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
 			goto bad;
 		}
@@ -497,7 +493,6 @@ next:
 static int
 ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
 {
-	char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
 	struct ipsec_ctx_data ctx;
 	union sockaddr_union *dst;
 	struct secasvar *sav;
@@ -539,12 +534,9 @@ ipsec6_perform_request(struct mbuf *m, struct secpolic
 		}
 		error = ipsec_encap(&m, &sav->sah->saidx);
 		if (error != 0) {
-			DPRINTF(("%s: encapsulation for SA %s->%s "
-			    "SPI 0x%08x failed with error %d\n", __func__,
-			    ipsec_address(&sav->sah->saidx.src, sbuf,
-				sizeof(sbuf)),
-			    ipsec_address(&sav->sah->saidx.dst, dbuf,
-				sizeof(dbuf)), ntohl(sav->spi), error));
+			DPRINTF(("%s: encapsulation for SPI 0x%08x failed "
+			    "with error %d\n", __func__, ntohl(sav->spi),
+			    error));
 			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
 			goto bad;
 		}

Modified: stable/11/sys/netipsec/key_debug.c
==============================================================================
--- stable/11/sys/netipsec/key_debug.c	Mon Jun  5 11:04:22 2017	(r319598)
+++ stable/11/sys/netipsec/key_debug.c	Mon Jun  5 11:11:07 2017	(r319599)
@@ -77,10 +77,6 @@ static void kdebug_sadb_x_sa2(struct sadb_ext *);
 static void kdebug_sadb_x_sa_replay(struct sadb_ext *);
 static void kdebug_sadb_x_natt(struct sadb_ext *);
 
-#ifdef _KERNEL
-static void kdebug_secreplay(struct secreplay *);
-#endif
-
 #ifndef _KERNEL
 #define panic(fmt, ...)	{ printf(fmt, ## __VA_ARGS__); exit(-1); }
 #endif
@@ -724,6 +720,7 @@ kdebug_secash(struct secashead *sah, const char *inden
 	printf("}\n");
 }
 
+#ifdef IPSEC_DEBUG
 static void
 kdebug_secreplay(struct secreplay *rpl)
 {
@@ -745,6 +742,7 @@ kdebug_secreplay(struct secreplay *rpl)
 	}
 	printf("    }\n");
 }
+#endif /* IPSEC_DEBUG */
 
 static void
 kdebug_secnatt(struct secnatt *natt)

Modified: stable/11/sys/netipsec/key_debug.h
==============================================================================
--- stable/11/sys/netipsec/key_debug.h	Mon Jun  5 11:04:22 2017	(r319598)
+++ stable/11/sys/netipsec/key_debug.h	Mon Jun  5 11:11:07 2017	(r319599)
@@ -53,10 +53,14 @@
 #define KEYDEBUG_IPSEC_DATA	(KEYDEBUG_IPSEC | KEYDEBUG_DATA)
 #define KEYDEBUG_IPSEC_DUMP	(KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
 
+#ifdef IPSEC_DEBUG
 #define KEYDBG(lev, arg)	\
     if ((V_key_debug_level & (KEYDEBUG_ ## lev)) == (KEYDEBUG_ ## lev)) { \
 	    arg;		\
     }
+#else
+#define	KEYDBG(lev, arg)
+#endif /* !IPSEC_DEBUG */
 
 VNET_DECLARE(uint32_t, key_debug_level);
 #define	V_key_debug_level	VNET(key_debug_level)

Modified: stable/11/sys/netipsec/xform_ah.c
==============================================================================
--- stable/11/sys/netipsec/xform_ah.c	Mon Jun  5 11:04:22 2017	(r319598)
+++ stable/11/sys/netipsec/xform_ah.c	Mon Jun  5 11:11:07 2017	(r319599)
@@ -544,7 +544,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int sk
 static int
 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
-	char buf[128];
+	IPSEC_DEBUG_DECLARE(char buf[128]);
 	const struct auth_hash *ahx;
 	struct cryptodesc *crda;
 	struct cryptop *crp;
@@ -681,7 +681,7 @@ bad:
 static int
 ah_input_cb(struct cryptop *crp)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	unsigned char calc[AH_ALEN_MAX];
 	const struct auth_hash *ahx;
 	struct mbuf *m;
@@ -831,7 +831,7 @@ static int
 ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
     u_int idx, int skip, int protoff)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	const struct auth_hash *ahx;
 	struct cryptodesc *crda;
 	struct xform_data *xd;

Modified: stable/11/sys/netipsec/xform_esp.c
==============================================================================
--- stable/11/sys/netipsec/xform_esp.c	Mon Jun  5 11:04:22 2017	(r319598)
+++ stable/11/sys/netipsec/xform_esp.c	Mon Jun  5 11:11:07 2017	(r319599)
@@ -263,7 +263,7 @@ esp_zeroize(struct secasvar *sav)
 static int
 esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
-	char buf[128];
+	IPSEC_DEBUG_DECLARE(char buf[128]);
 	const struct auth_hash *esph;
 	const struct enc_xform *espx;
 	struct xform_data *xd;
@@ -436,7 +436,7 @@ bad:
 static int
 esp_input_cb(struct cryptop *crp)
 {
-	char buf[128];
+	IPSEC_DEBUG_DECLARE(char buf[128]);
 	u_int8_t lastthree[3], aalg[AH_HMAC_MAXHASHLEN];
 	const struct auth_hash *esph;
 	const struct enc_xform *espx;
@@ -622,7 +622,7 @@ static int
 esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
     u_int idx, int skip, int protoff)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	struct cryptodesc *crde = NULL, *crda = NULL;
 	struct cryptop *crp;
 	const struct auth_hash *esph;

Modified: stable/11/sys/netipsec/xform_ipcomp.c
==============================================================================
--- stable/11/sys/netipsec/xform_ipcomp.c	Mon Jun  5 11:04:22 2017	(r319598)
+++ stable/11/sys/netipsec/xform_ipcomp.c	Mon Jun  5 11:11:07 2017	(r319599)
@@ -271,7 +271,7 @@ bad:
 static int
 ipcomp_input_cb(struct cryptop *crp)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	struct cryptodesc *crd;
 	struct xform_data *xd;
 	struct mbuf *m;
@@ -387,7 +387,7 @@ static int
 ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
     u_int idx, int skip, int protoff)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	const struct comp_algo *ipcompx;
 	struct cryptodesc *crdc;
 	struct cryptop *crp;
@@ -521,7 +521,7 @@ bad:
 static int
 ipcomp_output_cb(struct cryptop *crp)
 {
-	char buf[IPSEC_ADDRSTRLEN];
+	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
 	struct xform_data *xd;
 	struct secpolicy *sp;
 	struct secasvar *sav;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201706051111.v55BB8eu057778>