[src/trunk]: src/sys/netipsec Pass sav directly to opencrypto callback
details: https://anonhg.NetBSD.org/src/rev/67f918e8b4e2
branches: trunk
changeset: 825427:67f918e8b4e2
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Fri Jul 14 01:24:23 2017 +0000
description:
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav
only if the passed sav is dead.
diffstat:
sys/netipsec/key.c | 15 +++++++++-
sys/netipsec/key.h | 5 +++-
sys/netipsec/xform.h | 7 +++--
sys/netipsec/xform_ah.c | 45 ++++++++++++++++++++++------------
sys/netipsec/xform_esp.c | 59 +++++++++++++++++++++++++++-----------------
sys/netipsec/xform_ipcomp.c | 45 ++++++++++++++++++++++------------
sys/netipsec/xform_ipip.c | 8 +++---
sys/netipsec/xform_tcp.c | 6 ++--
8 files changed, 122 insertions(+), 68 deletions(-)
diffs (truncated from 479 to 300 lines):
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/key.c
--- a/sys/netipsec/key.c Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/key.c Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.181 2017/07/13 01:22:44 ozaki-r Exp $ */
+/* $NetBSD: key.c,v 1.182 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.181 2017/07/13 01:22:44 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.182 2017/07/14 01:24:23 ozaki-r Exp $");
/*
* This code is referd to RFC 2367
@@ -1246,6 +1246,17 @@
sp, sp->id, where, tag, sp->refcnt);
}
+void
+key_sa_ref(struct secasvar *sav, const char* where, int tag)
+{
+
+ SA_ADDREF2(sav, where, tag);
+
+ KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
+ "DP cause refcnt++:%d SA:%p from %s:%u\n",
+ sav->refcnt, sav, where, tag);
+}
+
/*
* Must be called after calling key_lookup_sp*().
* For both the packet without socket and key_freeso().
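Review bot: key_sa_ref becomes part of key.c's external interface but carries no comment, unlike the neighbouring key_sp_ref/_key_freesp block, so its ownership contract is only implied by the name. A short header would settle it: `/* Take an additional reference on sav. The caller must already hold a reference that keeps sav alive; release the new one with KEY_FREESAV(). */`. The refcount printed by KEYDEBUG_PRINTF is read after SA_ADDREF2 returns, so under concurrent access it may already be stale; that is harmless for a debug trace but worth a word if the trace is ever relied on.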
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/key.h
--- a/sys/netipsec/key.h Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/key.h Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key.h,v 1.21 2017/07/13 01:22:44 ozaki-r Exp $ */
+/* $NetBSD: key.h,v 1.22 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
@@ -59,6 +59,7 @@
/* NB: prepend with _ for KAME IPv6 compatbility */
void _key_freesp(struct secpolicy **, const char*, int);
void key_sp_ref(struct secpolicy *, const char*, int);
+void key_sa_ref(struct secasvar *, const char*, int);
/*
* Access to the SADB are interlocked with splsoftnet. In particular,
@@ -79,6 +80,8 @@
_key_freesp(spp, __func__, __LINE__)
#define KEY_SP_REF(sp) \
key_sp_ref(sp, __func__, __LINE__)
+#define KEY_SA_REF(sav) \
+ key_sa_ref(sav, __func__, __LINE__)
struct secasvar *key_lookup_sa(const union sockaddr_union *,
u_int, u_int32_t, u_int16_t, u_int16_t, const char*, int);
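Review bot: KEY_SA_REF is introduced without stating which macro releases the reference it takes, and nothing in key.h ties it to KEY_FREESAV. Since KEY_SP_REF above it pairs with KEY_FREESP by naming, a one-line comment on the new macro would prevent the obvious mismatch: `/* Pair every KEY_SA_REF() with a KEY_FREESAV() on the same SA. */`.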
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/xform.h
--- a/sys/netipsec/xform.h Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/xform.h Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform.h,v 1.9 2017/07/05 03:44:59 ozaki-r Exp $ */
+/* $NetBSD: xform.h,v 1.10 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */
/*
@@ -62,6 +62,7 @@
/*
* Opaque data structure hung off a crypto operation descriptor.
*/
+struct secasvar;
struct tdb_crypto {
struct ipsecrequest *tc_isr; /* ipsec request state */
u_int32_t tc_spi; /* associated SPI */
@@ -70,9 +71,9 @@
u_int8_t tc_nxt; /* next protocol, e.g. IPV4 */
int tc_protoff; /* current protocol offset */
int tc_skip; /* data offset */
+ struct secasvar *tc_sav; /* ipsec SA */
};
-struct secasvar;
struct ipescrequest;
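Review bot: The new tc_sav field is annotated only as `/* ipsec SA */`, which hides that, as far as the xform_ah.c and xform_esp.c hunks show, it holds a counted reference taken with KEY_SA_REF() at dispatch time that the opencrypto callback is responsible for dropping. Because tdb_crypto is an opaque descriptor handed across the crypto layer, this is the one place a reader would look for the ownership rule; `/* ipsec SA; holds a reference taken by KEY_SA_REF(), dropped by the callback */` would state it. Moving the `struct secasvar;` forward declaration above the struct is required for the new member and is fine.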
struct xformsw {
@@ -89,7 +90,7 @@
const char *xf_name; /* human-readable name */
int (*xf_init)(struct secasvar*, const struct xformsw*);/* setup */
int (*xf_zeroize)(struct secasvar*); /* cleanup */
- int (*xf_input)(struct mbuf*, const struct secasvar*, /* input */
+ int (*xf_input)(struct mbuf*, struct secasvar*, /* input */
int, int);
int (*xf_output)(struct mbuf*, /* output */
struct ipsecrequest *, struct mbuf **, int, int);
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/xform_ah.c Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ah.c,v 1.59 2017/07/13 03:25:38 ozaki-r Exp $ */
+/* $NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.59 2017/07/13 03:25:38 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -614,7 +614,7 @@
* passes authentication.
*/
static int
-ah_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff)
+ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
const struct auth_hash *ahx;
struct tdb_crypto *tc;
@@ -748,6 +748,8 @@
tc->tc_nxt = ah->ah_nxt;
tc->tc_protoff = protoff;
tc->tc_skip = skip;
+ tc->tc_sav = sav;
+ KEY_SA_REF(sav);
DPRINTF(("%s: hash over %d bytes, skip %d: "
"crda len %d skip %d inject %d\n", __func__,
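Review bot: From the line `KEY_SA_REF(sav);` onward, tc owns a reference on sav, so every exit of ah_input that does not reach the callback has to drop it, and the hunk does not show whether the existing error path (the `bad:` label, and a failing crypto_dispatch() if it does not invoke the callback) now does `KEY_FREESAV(&tc->tc_sav)` before freeing tc; if it does not, each such failure leaks a reference and the SA can never be reclaimed. ah_input continues outside the hunk, so this is a request to confirm rather than a defect I can point to. The same pattern, a reference taken immediately before dispatch with no visible release on the dispatch-failure path, appears in the ah_output hunk (`return crypto_dispatch(crp);` directly follows `KEY_SA_REF(sav);`), and in the esp_input and esp_output hunks of xform_esp.c.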
@@ -803,12 +805,17 @@
s = splsoftnet();
mutex_enter(softnet_lock);
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport);
- if (sav == NULL) {
- AH_STATINC(AH_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto\n", __func__));
- error = ENOBUFS; /*XXX*/
- goto bad;
+ sav = tc->tc_sav;
+ if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
+ KEY_FREESAV(&sav);
+ sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
+ sport, dport);
+ if (sav == NULL) {
+ AH_STATINC(AH_STAT_NOTDB);
+ DPRINTF(("%s: SA expired while in crypto\n", __func__));
+ error = ENOBUFS; /*XXX*/
+ goto bad;
+ }
}
saidx = &sav->sah->saidx;
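Review bot: The usable-SA path keeps `sav = tc->tc_sav` and carries the reference taken in ah_input through the rest of ah_input_cb, but the hunk does not show that reference being released on the success exit or at `bad:`; before this change both exits dealt only with the reference returned by KEY_LOOKUP_SA, so unless the tail of the callback (outside the hunk) now does `KEY_FREESAV(&sav)` on every exit, each packet leaks one reference. In the fallback branch, KEY_FREESAV(&sav) followed by a fresh lookup is balanced only if the callback's exits drop the lookup's reference the same way, which is the same question. Separately, when the original SA is no longer usable the lookup can presumably return a different SA with the same SPI/destination, yet the crypto result was produced with the original SA's session, so continuing with another SA's replay state is questionable; failing with AH_STAT_NOTDB in that case may be the safer choice, though this is inherited from the old code rather than introduced here. ah_input_cb continues outside the hunk; the identical structure and the same questions apply to the ah_output_cb hunk below and to the esp_input_cb and esp_output_cb hunks in xform_esp.c.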
@@ -954,7 +961,7 @@
)
{
char buf[IPSEC_ADDRSTRLEN];
- const struct secasvar *sav;
+ struct secasvar *sav;
const struct auth_hash *ahx;
struct cryptodesc *crda;
struct tdb_crypto *tc;
@@ -1150,6 +1157,8 @@
tc->tc_proto = sav->sah->saidx.proto;
tc->tc_skip = skip;
tc->tc_protoff = protoff;
+ tc->tc_sav = sav;
+ KEY_SA_REF(sav);
return crypto_dispatch(crp);
bad:
@@ -1182,12 +1191,16 @@
mutex_enter(softnet_lock);
isr = tc->tc_isr;
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
- if (sav == NULL) {
- AH_STATINC(AH_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto\n", __func__));
- error = ENOBUFS; /*XXX*/
- goto bad;
+ sav = tc->tc_sav;
+ if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
+ KEY_FREESAV(&sav);
+ sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
+ if (sav == NULL) {
+ AH_STATINC(AH_STAT_NOTDB);
+ DPRINTF(("%s: SA expired while in crypto\n", __func__));
+ error = ENOBUFS; /*XXX*/
+ goto bad;
+ }
}
KASSERTMSG(isr->sav == sav, "SA changed");
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/xform_esp.c
--- a/sys/netipsec/xform_esp.c Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/xform_esp.c Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_esp.c,v 1.60 2017/07/13 03:00:46 ozaki-r Exp $ */
+/* $NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.60 2017/07/13 03:00:46 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -297,7 +297,7 @@
* ESP input processing, called (eventually) through the protocol switch.
*/
static int
-esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff)
+esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
const struct auth_hash *esph;
const struct enc_xform *espx;
@@ -436,6 +436,8 @@
tc->tc_proto = sav->sah->saidx.proto;
tc->tc_protoff = protoff;
tc->tc_skip = skip;
+ tc->tc_sav = sav;
+ KEY_SA_REF(sav);
/* Decryption descriptor */
if (espx) {
@@ -510,15 +512,20 @@
s = splsoftnet();
mutex_enter(softnet_lock);
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport);
- if (sav == NULL) {
- ESP_STATINC(ESP_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto "
- "(SA %s/%08lx proto %u)\n", __func__,
- ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
- (u_long) ntohl(tc->tc_spi), tc->tc_proto));
- error = ENOBUFS; /*XXX*/
- goto bad;
+ sav = tc->tc_sav;
+ if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
+ KEY_FREESAV(&sav);
+ sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
+ sport, dport);
+ if (sav == NULL) {
+ ESP_STATINC(ESP_STAT_NOTDB);
+ DPRINTF(("%s: SA expired while in crypto "
+ "(SA %s/%08lx proto %u)\n", __func__,
+ ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
+ (u_long) ntohl(tc->tc_spi), tc->tc_proto));
+ error = ENOBUFS; /*XXX*/
+ goto bad;
+ }
}
saidx = &sav->sah->saidx;
@@ -702,7 +709,7 @@
int hlen, rlen, padding, blks, alen, i, roff;
struct mbuf *mo = NULL;
struct tdb_crypto *tc;
- const struct secasvar *sav;
+ struct secasvar *sav;
struct secasindex *saidx;
unsigned char *pad;
uint8_t prot;
@@ -900,6 +907,8 @@
tc->tc_spi = sav->spi;
tc->tc_dst = saidx->dst;
tc->tc_proto = saidx->proto;
+ tc->tc_sav = sav;
+ KEY_SA_REF(sav);
/* Crypto operation descriptor. */
crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
@@ -957,16 +966,20 @@
mutex_enter(softnet_lock);
isr = tc->tc_isr;
- sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
- if (sav == NULL) {
- char buf[IPSEC_ADDRSTRLEN];
- ESP_STATINC(ESP_STAT_NOTDB);
- DPRINTF(("%s: SA expired while in crypto (SA %s/%08lx "
- "proto %u)\n", __func__,
- ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
- (u_long) ntohl(tc->tc_spi), tc->tc_proto));
- error = ENOBUFS; /*XXX*/
- goto bad;
+ sav = tc->tc_sav;
+ if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {