From owner-svn-src-all@freebsd.org Tue Jun 11 23:00:59 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D239215C9699; Tue, 11 Jun 2019 23:00:58 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 84FD38433E; Tue, 11 Jun 2019 23:00:58 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6161E8640; Tue, 11 Jun 2019 23:00:58 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x5BN0wnv086931; Tue, 11 Jun 2019 23:00:58 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x5BN0tIp086917; Tue, 11 Jun 2019 23:00:55 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <201906112300.x5BN0tIp086917@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Tue, 11 Jun 2019 23:00:55 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r348970 - in head: share/man/man9 sys/kern sys/kgssapi/krb5 sys/netipsec sys/opencrypto sys/sys X-SVN-Group: head X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: in head: share/man/man9 sys/kern sys/kgssapi/krb5 sys/netipsec sys/opencrypto sys/sys X-SVN-Commit-Revision: 348970 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 84FD38433E X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.98)[-0.982,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jun 2019 23:00:59 -0000 Author: jhb Date: Tue Jun 11 23:00:55 2019 New Revision: 348970 URL: https://svnweb.freebsd.org/changeset/base/348970 Log: Make the warning intervals for deprecated crypto algorithms tunable. New sysctl/tunables can now set the interval (in seconds) between rate-limited crypto warnings. The new sysctls are: - kern.cryptodev_warn_interval for /dev/crypto - net.inet.ipsec.crypto_warn_interval for IPsec - kern.kgssapi_warn_interval for KGSSAPI Reviewed by: cem MFC after: 1 month Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D20555 Modified: head/share/man/man9/Makefile head/share/man/man9/sysctl.9 head/sys/kern/kern_sysctl.c head/sys/kgssapi/krb5/kcrypto.c head/sys/kgssapi/krb5/kcrypto.h head/sys/kgssapi/krb5/kcrypto_arcfour.c head/sys/kgssapi/krb5/kcrypto_des.c head/sys/kgssapi/krb5/kcrypto_des3.c head/sys/netipsec/ipsec.c head/sys/netipsec/ipsec.h head/sys/netipsec/xform_ah.c head/sys/netipsec/xform_esp.c head/sys/opencrypto/cryptodev.c head/sys/sys/sysctl.h Modified: head/share/man/man9/Makefile ============================================================================== --- head/share/man/man9/Makefile Tue Jun 11 22:57:25 2019 (r348969) +++ head/share/man/man9/Makefile Tue Jun 11 23:00:55 2019 (r348970) @@ -1996,6 +1996,7 @@ MLINKS+=sysctl.9 SYSCTL_DECL.9 \ sysctl.9 SYSCTL_ADD_S64.9 \ sysctl.9 SYSCTL_ADD_STRING.9 \ sysctl.9 SYSCTL_ADD_STRUCT.9 \ + sysctl.9 SYSCTL_ADD_TIMEVAL_SEC.9 \ sysctl.9 SYSCTL_ADD_U8.9 \ sysctl.9 SYSCTL_ADD_U16.9 \ sysctl.9 SYSCTL_ADD_U32.9 \ @@ -2024,6 +2025,7 @@ MLINKS+=sysctl.9 SYSCTL_DECL.9 \ sysctl.9 SYSCTL_S64.9 \ sysctl.9 SYSCTL_STRING.9 \ sysctl.9 SYSCTL_STRUCT.9 \ + sysctl.9 SYSCTL_TIMEVAL_SEC.9 \ sysctl.9 SYSCTL_U8.9 \ sysctl.9 SYSCTL_U16.9 \ sysctl.9 SYSCTL_U32.9 \ Modified: head/share/man/man9/sysctl.9 ============================================================================== --- head/share/man/man9/sysctl.9 Tue Jun 11 22:57:25 2019 (r348969) +++ head/share/man/man9/sysctl.9 Tue Jun 11 23:00:55 2019 (r348970) @@ -50,6 +50,7 @@ .Nm SYSCTL_ADD_STRING , .Nm SYSCTL_ADD_CONST_STRING , .Nm SYSCTL_ADD_STRUCT , +.Nm SYSCTL_ADD_TIMEVAL_SEC , .Nm SYSCTL_ADD_U8 , .Nm SYSCTL_ADD_U16 , .Nm SYSCTL_ADD_U32 , @@ -86,6 +87,7 @@ .Nm SYSCTL_STRING , .Nm SYSCTL_CONST_STRING , .Nm SYSCTL_STRUCT , +.Nm SYSCTL_TIMEVAL_SEC , .Nm SYSCTL_U8 , .Nm SYSCTL_U16 , .Nm SYSCTL_U32 , @@ -315,6 +317,16 @@ .Fa "const char *descr" .Fc .Ft struct sysctl_oid * +.Fo SYSCTL_ADD_TIMEVAL_SEC +.Fa "struct sysctl_ctx_list *ctx" +.Fa "struct sysctl_oid_list *parent" +.Fa "int number" +.Fa "const char *name" +.Fa "int ctlflags" +.Fa "struct timeval *ptr" +.Fa "const char *descr" +.Fc +.Ft struct sysctl_oid * .Fo SYSCTL_ADD_U8 .Fa "struct sysctl_ctx_list *ctx" .Fa "struct sysctl_oid_list *parent" @@ -460,6 +472,7 @@ .Fn SYSCTL_STRING parent number name ctlflags arg len descr .Fn SYSCTL_CONST_STRING parent number name ctlflags arg descr .Fn SYSCTL_STRUCT parent number name ctlflags ptr struct_type descr +.Fn SYSCTL_TIMEVAL_SEC parent number name ctlflags ptr descr .Fn SYSCTL_U8 parent number name ctlflags ptr val descr .Fn SYSCTL_U16 parent number name ctlflags ptr val descr .Fn SYSCTL_U32 parent number name ctlflags ptr val descr @@ -649,6 +662,21 @@ macros all create nodes which export an in-kernel vari These nodes do not export the raw value of the associated variable. Instead, they export a 64-bit integer containing a count of either milliseconds (the MSEC variants) or microseconds (the USEC variants). +.Pp +The +.Fn SYSCTL_ADD_TIMEVAL_SEC +function and +.Fn SYSCTL_TIMEVAL_SEC +macro create nodes which export an in-kernel variable of type +.Vt struct timeval . +These nodes do not export full value of the associated structure. +Instead, they export a count in seconds as a simple integer which is +stored in the +.Fa tv_sec +field of the associated variable. +This function and macro are intended to be used with variables which +store a non-negative interval rather than an absolute time. +As a result, they reject attempts to store negative values. .Sh CREATING ROOT NODES Sysctl MIBs or OIDs are created in a hierarchical tree. The nodes at the bottom of the tree are called root nodes, and have no @@ -731,6 +759,7 @@ Static sysctls are declared using one of the .Fn SYSCTL_STRING , .Fn SYSCTL_CONST_STRING , .Fn SYSCTL_STRUCT , +.Fn SYSCTL_TIMEVAL_SEC , .Fn SYSCTL_U8 , .Fn SYSCTL_U16 , .Fn SYSCTL_U32 , @@ -764,6 +793,7 @@ Dynamic nodes are created using one of the .Fn SYSCTL_ADD_STRING , .Fn SYSCTL_ADD_CONST_STRING , .Fn SYSCTL_ADD_STRUCT , +.Fn SYSCTL_ADD_TIMEVAL_SEC , .Fn SYSCTL_ADD_U8 , .Fn SYSCTL_ADD_U16 , .Fn SYSCTL_ADD_U32 , Modified: head/sys/kern/kern_sysctl.c ============================================================================== --- head/sys/kern/kern_sysctl.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/kern/kern_sysctl.c Tue Jun 11 23:00:55 2019 (r348970) @@ -1732,6 +1732,29 @@ sysctl_msec_to_sbintime(SYSCTL_HANDLER_ARGS) return (0); } +/* + * Convert seconds to a struct timeval. Intended for use with + * intervals and thus does not permit negative seconds. + */ +int +sysctl_sec_to_timeval(SYSCTL_HANDLER_ARGS) +{ + struct timeval *tv; + int error, secs; + + tv = arg1; + secs = tv->tv_sec; + + error = sysctl_handle_int(oidp, &secs, 0, req); + if (error || req->newptr == NULL) + return (error); + + if (secs < 0) + return (EINVAL); + tv->tv_sec = secs; + + return (0); +} /* * Transfer functions to/from kernel space. Modified: head/sys/kgssapi/krb5/kcrypto.c ============================================================================== --- head/sys/kgssapi/krb5/kcrypto.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/kgssapi/krb5/kcrypto.c Tue Jun 11 23:00:55 2019 (r348970) @@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include @@ -49,6 +50,11 @@ static struct krb5_encryption_class *krb5_encryption_c &krb5_arcfour_56_encryption_class, NULL }; + +struct timeval krb5_warn_interval = { .tv_sec = 3600, .tv_usec = 0 }; +SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, kgssapi_warn_interval, CTLFLAG_RW, + &krb5_warn_interval, + "Delay in seconds between warnings of deprecated KGSSAPI crypto."); struct krb5_encryption_class * krb5_find_encryption_class(int etype) Modified: head/sys/kgssapi/krb5/kcrypto.h ============================================================================== --- head/sys/kgssapi/krb5/kcrypto.h Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/kgssapi/krb5/kcrypto.h Tue Jun 11 23:00:55 2019 (r348970) @@ -101,6 +101,7 @@ extern struct krb5_encryption_class krb5_aes128_encryp extern struct krb5_encryption_class krb5_aes256_encryption_class; extern struct krb5_encryption_class krb5_arcfour_encryption_class; extern struct krb5_encryption_class krb5_arcfour_56_encryption_class; +extern struct timeval krb5_warn_interval; static __inline void krb5_set_key(struct krb5_key_state *ks, const void *keydata) Modified: head/sys/kgssapi/krb5/kcrypto_arcfour.c ============================================================================== --- head/sys/kgssapi/krb5/kcrypto_arcfour.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/kgssapi/krb5/kcrypto_arcfour.c Tue Jun 11 23:00:55 2019 (r348970) @@ -47,10 +47,9 @@ static void arcfour_init(struct krb5_key_state *ks) { static struct timeval lastwarn; - static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; ks->ks_priv = NULL; - if (ratecheck(&lastwarn, &warninterval)) + if (ratecheck(&lastwarn, &krb5_warn_interval)) gone_in(13, "RC4 cipher for Kerberos GSS"); } Modified: head/sys/kgssapi/krb5/kcrypto_des.c ============================================================================== --- head/sys/kgssapi/krb5/kcrypto_des.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/kgssapi/krb5/kcrypto_des.c Tue Jun 11 23:00:55 2019 (r348970) @@ -54,13 +54,12 @@ static void des1_init(struct krb5_key_state *ks) { static struct timeval lastwarn; - static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des1_state *ds; ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF); ks->ks_priv = ds; - if (ratecheck(&lastwarn, &warninterval)) + if (ratecheck(&lastwarn, &krb5_warn_interval)) gone_in(13, "DES cipher for Kerberos GSS"); } Modified: head/sys/kgssapi/krb5/kcrypto_des3.c ============================================================================== --- head/sys/kgssapi/krb5/kcrypto_des3.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/kgssapi/krb5/kcrypto_des3.c Tue Jun 11 23:00:55 2019 (r348970) @@ -55,13 +55,12 @@ static void des3_init(struct krb5_key_state *ks) { static struct timeval lastwarn; - static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des3_state *ds; ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF); ks->ks_priv = ds; - if (ratecheck(&lastwarn, &warninterval)) + if (ratecheck(&lastwarn, &krb5_warn_interval)) gone_in(13, "DES3 cipher for Kerberos GSS"); } Modified: head/sys/netipsec/ipsec.c ============================================================================== --- head/sys/netipsec/ipsec.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/netipsec/ipsec.c Tue Jun 11 23:00:55 2019 (r348970) @@ -216,6 +216,11 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat, ipsec4stat, "IPsec IPv4 statistics."); +struct timeval ipsec_warn_interval = { .tv_sec = 1, .tv_usec = 0 }; +SYSCTL_TIMEVAL_SEC(_net_inet_ipsec, OID_AUTO, crypto_warn_interval, CTLFLAG_RW, + &ipsec_warn_interval, + "Delay in seconds between warnings of deprecated IPsec crypto algorithms."); + #ifdef REGRESSION /* * When set to 1, IPsec will send packets with the same sequence number. Modified: head/sys/netipsec/ipsec.h ============================================================================== --- head/sys/netipsec/ipsec.h Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/netipsec/ipsec.h Tue Jun 11 23:00:55 2019 (r348970) @@ -287,6 +287,8 @@ VNET_DECLARE(int, crypto_support); VNET_DECLARE(int, async_crypto); VNET_DECLARE(int, natt_cksum_policy); +extern struct timeval ipsec_warn_interval; + #define IPSECSTAT_INC(name) \ VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1) #define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev) Modified: head/sys/netipsec/xform_ah.c ============================================================================== --- head/sys/netipsec/xform_ah.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/netipsec/xform_ah.c Tue Jun 11 23:00:55 2019 (r348970) @@ -109,7 +109,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, sta static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn; -static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; static int ah_input_cb(struct cryptop*); static int ah_output_cb(struct cryptop*); @@ -189,19 +188,19 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, st switch (sav->alg_auth) { case SADB_AALG_MD5HMAC: - if (ratecheck(&md5warn, &warninterval)) + if (ratecheck(&md5warn, &ipsec_warn_interval)) gone_in(13, "MD5-HMAC authenticator for IPsec"); break; case SADB_X_AALG_RIPEMD160HMAC: - if (ratecheck(&ripewarn, &warninterval)) + if (ratecheck(&ripewarn, &ipsec_warn_interval)) gone_in(13, "RIPEMD160-HMAC authenticator for IPsec"); break; case SADB_X_AALG_MD5: - if (ratecheck(&kpdkmd5warn, &warninterval)) + if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval)) gone_in(13, "Keyed-MD5 authenticator for IPsec"); break; case SADB_X_AALG_SHA: - if (ratecheck(&kpdksha1warn, &warninterval)) + if (ratecheck(&kpdksha1warn, &ipsec_warn_interval)) gone_in(13, "Keyed-SHA1 authenticator for IPsec"); break; } Modified: head/sys/netipsec/xform_esp.c ============================================================================== --- head/sys/netipsec/xform_esp.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/netipsec/xform_esp.c Tue Jun 11 23:00:55 2019 (r348970) @@ -95,7 +95,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, st "ESP statistics (struct espstat, netipsec/esp_var.h"); static struct timeval deswarn, blfwarn, castwarn, camelliawarn; -static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); @@ -162,19 +161,19 @@ esp_init(struct secasvar *sav, struct xformsw *xsp) switch (sav->alg_enc) { case SADB_EALG_DESCBC: - if (ratecheck(&deswarn, &warninterval)) + if (ratecheck(&deswarn, &ipsec_warn_interval)) gone_in(13, "DES cipher for IPsec"); break; case SADB_X_EALG_BLOWFISHCBC: - if (ratecheck(&blfwarn, &warninterval)) + if (ratecheck(&blfwarn, &ipsec_warn_interval)) gone_in(13, "Blowfish cipher for IPsec"); break; case SADB_X_EALG_CAST128CBC: - if (ratecheck(&castwarn, &warninterval)) + if (ratecheck(&castwarn, &ipsec_warn_interval)) gone_in(13, "CAST cipher for IPsec"); break; case SADB_X_EALG_CAMELLIACBC: - if (ratecheck(&camelliawarn, &warninterval)) + if (ratecheck(&camelliawarn, &ipsec_warn_interval)) gone_in(13, "Camellia cipher for IPsec"); break; } Modified: head/sys/opencrypto/cryptodev.c ============================================================================== --- head/sys/opencrypto/cryptodev.c Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/opencrypto/cryptodev.c Tue Jun 11 23:00:55 2019 (r348970) @@ -146,6 +146,11 @@ struct cryptostats32 { #define CIOCGSESSION232 _IOWR('c', 106, struct session2_op32) #define CIOCKEY232 _IOWR('c', 107, struct crypt_kop32) +static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; +SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW, + &warninterval, + "Delay in seconds between warnings of deprecated /dev/crypto algorithms"); + static void session_op_from_32(const struct session_op32 *from, struct session_op *to) { @@ -388,7 +393,6 @@ cryptof_ioctl( #endif static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn; static struct timeval skipwarn, tdeswarn; - static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; switch (cmd) { case CIOCGSESSION: Modified: head/sys/sys/sysctl.h ============================================================================== --- head/sys/sys/sysctl.h Tue Jun 11 22:57:25 2019 (r348969) +++ head/sys/sys/sysctl.h Tue Jun 11 23:00:55 2019 (r348970) @@ -218,6 +218,7 @@ int sysctl_handle_uma_zone_cur(SYSCTL_HANDLER_ARGS); int sysctl_msec_to_sbintime(SYSCTL_HANDLER_ARGS); int sysctl_usec_to_sbintime(SYSCTL_HANDLER_ARGS); +int sysctl_sec_to_timeval(SYSCTL_HANDLER_ARGS); int sysctl_dpcpu_int(SYSCTL_HANDLER_ARGS); int sysctl_dpcpu_long(SYSCTL_HANDLER_ARGS); @@ -854,6 +855,24 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry); sysctl_add_oid(ctx, parent, nbr, name, \ CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access), \ __ptr, 0, sysctl_msec_to_sbintime, "Q", __DESCR(descr), \ + NULL); \ +}) + +/* OID expressing a struct timeval as seconds */ +#define SYSCTL_TIMEVAL_SEC(parent, nbr, name, access, ptr, descr) \ + SYSCTL_OID(parent, nbr, name, \ + CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access), \ + (ptr), 0, sysctl_sec_to_timeval, "I", descr); \ + CTASSERT(((access) & CTLTYPE) == 0 || \ + ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT) +#define SYSCTL_ADD_TIMEVAL_SEC(ctx, parent, nbr, name, access, ptr, descr) \ +({ \ + struct timeval *__ptr = (ptr); \ + CTASSERT(((access) & CTLTYPE) == 0 || \ + ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT); \ + sysctl_add_oid(ctx, parent, nbr, name, \ + CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access), \ + __ptr, 0, sysctl_sec_to_timeval, "I", __DESCR(descr), \ NULL); \ })