Date: Thu, 30 Oct 2008 10:43:19 GMT From: Marko Zec <zec@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 152202 for review Message-ID: <200810301043.m9UAhJZc007882@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=152202 Change 152202 by zec@zec_tpx32 on 2008/10/30 10:42:19 Initialize all V_ variables in initializer functions (like ip_init() etc.) instead of using initialization at instantiation, in IPSEC related code (sys/netipsec). Enclose all the affected V_ globals in #ifdef VIMAGE_GLOBALS, so that in next step we can simplify switching from globals to vimage structures / containers. Affected files ... .. //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.c#13 edit .. //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.h#6 edit .. //depot/projects/vimage-commit2/src/sys/netipsec/key.c#14 edit .. //depot/projects/vimage-commit2/src/sys/netipsec/keysock.c#9 edit .. //depot/projects/vimage-commit2/src/sys/netipsec/vipsec.h#5 edit .. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ah.c#10 edit .. //depot/projects/vimage-commit2/src/sys/netipsec/xform_esp.c#11 edit .. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipcomp.c#9 edit .. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipip.c#9 edit Differences ... ==== //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.c#13 (text+ko) ==== @@ -97,23 +97,19 @@ #include <opencrypto/cryptodev.h> -#ifdef IPSEC_DEBUG -int ipsec_debug = 1; -#else -int ipsec_debug = 0; -#endif - +#ifdef VIMAGE_GLOBALS /* NB: name changed so netstat doesn't use it */ struct ipsecstat ipsec4stat; -int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ -int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ -int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; -int ip4_esp_net_deflev = IPSEC_LEVEL_USE; -int ip4_ah_trans_deflev = IPSEC_LEVEL_USE; -int ip4_ah_net_deflev = IPSEC_LEVEL_USE; struct secpolicy ip4_def_policy; -int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ -int ip4_esp_randpad = -1; +int ipsec_debug; +int ip4_ah_offsetmask; +int ip4_ipsec_dfbit; +int ip4_esp_trans_deflev; +int ip4_esp_net_deflev; +int ip4_ah_trans_deflev; +int ip4_ah_net_deflev; +int ip4_ipsec_ecn; +int ip4_esp_randpad; /* * Crypto support requirements: * @@ -121,7 +117,8 @@ * -1 require software support * 0 take anything */ -int crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; +int crypto_support; +#endif /* VIMAGE_GLOBALS */ SYSCTL_DECL(_net_inet_ipsec); @@ -164,29 +161,33 @@ "IPsec IPv4 statistics."); #ifdef REGRESSION +#ifdef VIMAGE_GLOBALS +int ipsec_replay; +int ipsec_integrity; +#endif /* * When set to 1, IPsec will send packets with the same sequence number. * This allows to verify if the other side has proper replay attacks detection. */ -int ipsec_replay = 0; SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack"); /* * When set 1, IPsec will send packets with corrupted HMAC. * This allows to verify if the other side properly detects modified packets. */ -int ipsec_integrity = 0; SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack"); #endif #ifdef INET6 +#ifdef VIMAGE_GLOBALS struct ipsecstat ipsec6stat; -int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; -int ip6_esp_net_deflev = IPSEC_LEVEL_USE; -int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; -int ip6_ah_net_deflev = IPSEC_LEVEL_USE; -int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ +int ip6_esp_trans_deflev; +int ip6_esp_net_deflev; +int ip6_ah_trans_deflev; +int ip6_ah_net_deflev; +int ip6_ipsec_ecn; +#endif SYSCTL_DECL(_net_inet6_ipsec6); @@ -242,6 +243,39 @@ MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy"); +void +ipsec_init(void) +{ + INIT_VNET_IPSEC(curvnet); + +#ifdef IPSEC_DEBUG + V_ipsec_debug = 1; +#else + V_ipsec_debug = 0; +#endif + + V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */ + V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ + V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE; + V_ip4_esp_net_deflev = IPSEC_LEVEL_USE; + V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE; + V_ip4_ah_net_deflev = IPSEC_LEVEL_USE; + V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ + V_ip4_esp_randpad = -1; + V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; + +#ifdef REGRESSION + V_ipsec_replay = 0; + V_ipsec_integrity = 0; +#endif + + V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE; + V_ip6_esp_net_deflev = IPSEC_LEVEL_USE; + V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE; + V_ip6_ah_net_deflev = IPSEC_LEVEL_USE; + V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ +} + /* * Return a held reference to the default SP. */ ==== //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.h#6 (text+ko) ==== @@ -359,6 +359,7 @@ extern void ipsec_delisr(struct ipsecrequest *); struct tdb_ident; +extern void ipsec_init(void); extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int)); struct inpcb; extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int, ==== //depot/projects/vimage-commit2/src/sys/netipsec/key.c#14 (text+ko) ==== @@ -113,20 +113,31 @@ * field hits 0 (= no external reference other than from SA header. */ -u_int32_t key_debug_level = 0; -static u_int key_spi_trycnt = 1000; -static u_int32_t key_spi_minval = 0x100; -static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */ -static u_int32_t policy_id = 0; -static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/ -static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/ -static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/ -static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/ -static int key_preferred_oldsa = 1; /* preferred old sa rather than new sa.*/ +#ifdef VIMAGE_GLOBALS +u_int32_t key_debug_level; +static u_int key_spi_trycnt; +static u_int32_t key_spi_minval; +static u_int32_t key_spi_maxval; +static u_int32_t policy_id; +static u_int key_int_random; +static u_int key_larval_lifetime; +static int key_blockacq_count; +static int key_blockacq_lifetime; +static int key_preferred_oldsa; + +static u_int32_t acq_seq; -static u_int32_t acq_seq = 0; +static int ipsec_esp_keymin; +static int ipsec_esp_auth; +static int ipsec_ah_keymin; static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */ +static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */ +static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1]; +static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */ +static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */ +#endif /* VIMAGE_GLOBALS */ + static struct mtx sptree_lock; #define SPTREE_LOCK_INIT() \ mtx_init(&sptree_lock, "sptree", \ @@ -136,7 +147,6 @@ #define SPTREE_UNLOCK() mtx_unlock(&sptree_lock) #define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED) -static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */ static struct mtx sahtree_lock; #define SAHTREE_LOCK_INIT() \ mtx_init(&sahtree_lock, "sahtree", \ @@ -147,7 +157,6 @@ #define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED) /* registed list */ -static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1]; static struct mtx regtree_lock; #define REGTREE_LOCK_INIT() \ mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF) @@ -156,7 +165,6 @@ #define REGTREE_UNLOCK() mtx_unlock(®tree_lock) #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED) -static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */ static struct mtx acq_lock; #define ACQ_LOCK_INIT() \ mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF) @@ -165,7 +173,6 @@ #define ACQ_UNLOCK() mtx_unlock(&acq_lock) #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED) -static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */ static struct mtx spacq_lock; #define SPACQ_LOCK_INIT() \ mtx_init(&spacq_lock, "spacqtree", \ @@ -236,10 +243,6 @@ sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ }; -static int ipsec_esp_keymin = 256; -static int ipsec_esp_auth = 0; -static int ipsec_ah_keymin = 128; - #ifdef SYSCTL_DECL SYSCTL_DECL(_net_key); #endif @@ -2696,9 +2699,9 @@ /* searching all SA registerd in the secindex. */ for (stateidx = 0; - stateidx < _ARRAYLEN(V_saorder_state_any); + stateidx < _ARRAYLEN(saorder_state_any); stateidx++) { - u_int state = V_saorder_state_any[stateidx]; + u_int state = saorder_state_any[stateidx]; LIST_FOREACH_SAFE(sav, &sah->savtree[state], chain, nextsav) { if (sav->refcnt == 0) { /* sanity check */ @@ -2982,10 +2985,10 @@ SAHTREE_LOCK_ASSERT(); /* search all status */ for (stateidx = 0; - stateidx < _ARRAYLEN(V_saorder_state_alive); + stateidx < _ARRAYLEN(saorder_state_alive); stateidx++) { - state = V_saorder_state_alive[stateidx]; + state = saorder_state_alive[stateidx]; LIST_FOREACH(sav, &sah->savtree[state], chain) { /* sanity check */ @@ -5310,9 +5313,9 @@ /* Delete all non-LARVAL SAs. */ for (stateidx = 0; - stateidx < _ARRAYLEN(V_saorder_state_alive); + stateidx < _ARRAYLEN(saorder_state_alive); stateidx++) { - state = V_saorder_state_alive[stateidx]; + state = saorder_state_alive[stateidx]; if (state == SADB_SASTATE_LARVAL) continue; for (sav = LIST_FIRST(&sah->savtree[state]); @@ -6515,9 +6518,9 @@ continue; for (stateidx = 0; - stateidx < _ARRAYLEN(V_saorder_state_alive); + stateidx < _ARRAYLEN(saorder_state_alive); stateidx++) { - state = V_saorder_state_any[stateidx]; + state = saorder_state_any[stateidx]; for (sav = LIST_FIRST(&sah->savtree[state]); sav != NULL; sav = nextsav) { @@ -6600,9 +6603,9 @@ continue; for (stateidx = 0; - stateidx < _ARRAYLEN(V_saorder_state_any); + stateidx < _ARRAYLEN(saorder_state_any); stateidx++) { - state = V_saorder_state_any[stateidx]; + state = saorder_state_any[stateidx]; LIST_FOREACH(sav, &sah->savtree[state], chain) { cnt++; } @@ -6630,9 +6633,9 @@ } for (stateidx = 0; - stateidx < _ARRAYLEN(V_saorder_state_any); + stateidx < _ARRAYLEN(saorder_state_any); stateidx++) { - state = V_saorder_state_any[stateidx]; + state = saorder_state_any[stateidx]; LIST_FOREACH(sav, &sah->savtree[state], chain) { n = key_setdumpsa(sav, SADB_DUMP, satype, --cnt, mhp->msg->sadb_msg_pid); @@ -7184,6 +7187,23 @@ INIT_VNET_IPSEC(curvnet); int i; + V_key_debug_level = 0; + V_key_spi_trycnt = 1000; + V_key_spi_minval = 0x100; + V_key_spi_maxval = 0x0fffffff; /* XXX */ + V_policy_id = 0; + V_key_int_random = 60; /*interval to initialize randseed,1(m)*/ + V_key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/ + V_key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/ + V_key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/ + V_key_preferred_oldsa = 1; /* preferred old sa rather than new sa*/ + + V_acq_seq = 0; + + V_ipsec_esp_keymin = 256; + V_ipsec_esp_auth = 0; + V_ipsec_ah_keymin = 128; + SPTREE_LOCK_INIT(); REGTREE_LOCK_INIT(); SAHTREE_LOCK_INIT(); ==== //depot/projects/vimage-commit2/src/sys/netipsec/keysock.c#9 (text+ko) ==== @@ -70,14 +70,16 @@ int key_count; int any_count; }; + +#ifdef VIMAGE_GLOBALS static struct key_cb key_cb; +struct pfkeystat pfkeystat; +#endif static struct sockaddr key_src = { 2, PF_KEY, }; static int key_sendup0 __P((struct rawcb *, struct mbuf *, int)); -struct pfkeystat pfkeystat; - /* * key_output() */ @@ -164,7 +166,7 @@ V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++; } - if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&V_key_src, + if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src, m, NULL)) { V_pfkeystat.in_nomem++; m_freem(m); @@ -570,7 +572,9 @@ key_init0(void) { INIT_VNET_IPSEC(curvnet); + bzero((caddr_t)&V_key_cb, sizeof(V_key_cb)); + ipsec_init(); key_init(); } ==== //depot/projects/vimage-commit2/src/sys/netipsec/vipsec.h#5 (text+ko) ==== @@ -81,8 +81,6 @@ int _key_preferred_oldsa; u_int32_t _acq_seq; - u_int _saorder_state_alive[3]; - u_int _saorder_state_any[4]; int _esp_enable; struct espstat _espstat; int _esp_max_ivlen; @@ -98,7 +96,6 @@ int _ip6_ah_trans_deflev; int _ip6_ah_net_deflev; int _ip6_ipsec_ecn; - int _ip6_esp_randpad; int _ah_enable; int _ah_cleartos; @@ -109,8 +106,6 @@ struct pfkeystat _pfkeystat; struct key_cb _key_cb; - struct sockaddr _key_dst; - struct sockaddr _key_src; LIST_HEAD(, secpolicy) _sptree[IPSEC_DIR_MAX]; LIST_HEAD(, secashead) _sahtree; @@ -149,7 +144,6 @@ #define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev) #define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev) #define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev) -#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad) #define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev) #define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn) #define V_ipcomp_enable VNET_IPSEC(ipcomp_enable) @@ -168,20 +162,16 @@ #define V_key_blockacq_lifetime VNET_IPSEC(key_blockacq_lifetime) #define V_key_cb VNET_IPSEC(key_cb) #define V_key_debug_level VNET_IPSEC(key_debug_level) -#define V_key_dst VNET_IPSEC(key_dst) #define V_key_int_random VNET_IPSEC(key_int_random) #define V_key_larval_lifetime VNET_IPSEC(key_larval_lifetime) #define V_key_preferred_oldsa VNET_IPSEC(key_preferred_oldsa) #define V_key_spi_maxval VNET_IPSEC(key_spi_maxval) #define V_key_spi_minval VNET_IPSEC(key_spi_minval) #define V_key_spi_trycnt VNET_IPSEC(key_spi_trycnt) -#define V_key_src VNET_IPSEC(key_src) #define V_pfkeystat VNET_IPSEC(pfkeystat) #define V_policy_id VNET_IPSEC(policy_id) #define V_regtree VNET_IPSEC(regtree) #define V_sahtree VNET_IPSEC(sahtree) -#define V_saorder_state_alive VNET_IPSEC(saorder_state_alive) -#define V_saorder_state_any VNET_IPSEC(saorder_state_any) #define V_spacqtree VNET_IPSEC(spacqtree) #define V_sptree VNET_IPSEC(sptree) ==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ah.c#10 (text+ko) ==== @@ -88,9 +88,11 @@ #define AUTHSIZE(sav) \ ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN) -int ah_enable = 1; /* control flow of packets with AH */ -int ah_cleartos = 1; /* clear ip_tos when doing AH calc */ +#ifdef VIMAGE_GLOBALS +int ah_enable; +int ah_cleartos; struct ahstat ahstat; +#endif SYSCTL_DECL(_net_inet_ah); SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO, @@ -1217,6 +1219,10 @@ static void ah_attach(void) { + + V_ah_enable = 1; /* control flow of packets with AH */ + V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */ + xform_register(&ah_xformsw); } SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); ==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_esp.c#11 (text+ko) ==== @@ -76,8 +76,11 @@ #include <opencrypto/cryptodev.h> #include <opencrypto/xform.h> -int esp_enable = 1; +#ifdef VIMAGE_GLOBALS struct espstat espstat; +static int esp_max_ivlen; /* max iv length over all algorithms */ +int esp_enable; +#endif SYSCTL_DECL(_net_inet_esp); SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO, @@ -85,8 +88,6 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS, stats, CTLFLAG_RD, espstat, espstat, ""); -static int esp_max_ivlen; /* max iv length over all algorithms */ - static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); @@ -993,7 +994,9 @@ if (xform.blocksize > V_esp_max_ivlen) \ V_esp_max_ivlen = xform.blocksize \ + V_esp_enable = 1; V_esp_max_ivlen = 0; + MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */ MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */ MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */ ==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipcomp.c#9 (text+ko) ==== @@ -67,8 +67,10 @@ #include <opencrypto/deflate.h> #include <opencrypto/xform.h> -int ipcomp_enable = 0; +#ifdef VIMAGE_GLOBALS +int ipcomp_enable; struct ipcompstat ipcompstat; +#endif SYSCTL_DECL(_net_inet_ipcomp); SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO, @@ -597,6 +599,8 @@ static void ipcomp_attach(void) { + + V_ipcomp_enable = 0; xform_register(&ipcomp_xformsw); } SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL); ==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipip.c#9 (text+ko) ==== @@ -91,8 +91,10 @@ * We can control the acceptance of IP4 packets by altering the sysctl * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. */ -int ipip_allow = 0; +#ifdef VIMAGE_GLOBALS +int ipip_allow; struct ipipstat ipipstat; +#endif SYSCTL_DECL(_net_inet_ipip); SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO, @@ -694,6 +696,9 @@ static void ipe4_attach(void) { + + V_ipip_allow = 0; + xform_register(&ipe4_xformsw); /* attach to encapsulation framework */ /* XXX save return cookie for detach on module remove */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200810301043.m9UAhJZc007882>