PERFORCE change 152202 for review
Marko Zec
zec at FreeBSD.org
Thu Oct 30 10:43:20 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=152202
Change 152202 by zec at zec_tpx32 on 2008/10/30 10:42:19
Initialize all V_ variables in initializer functions (like
ip_init() etc.) instead of using initialization at instantiation,
in IPSEC related code (sys/netipsec).
Enclose all the affected V_ globals in #ifdef VIMAGE_GLOBALS, so
that in the next step we can simplify switching from globals to vimage
structures / containers.
Affected files ...
.. //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.c#13 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.h#6 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/key.c#14 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/keysock.c#9 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/vipsec.h#5 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ah.c#10 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/xform_esp.c#11 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipcomp.c#9 edit
.. //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipip.c#9 edit
Differences ...
==== //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.c#13 (text+ko) ====
@@ -97,23 +97,19 @@
#include <opencrypto/cryptodev.h>
-#ifdef IPSEC_DEBUG
-int ipsec_debug = 1;
-#else
-int ipsec_debug = 0;
-#endif
-
+#ifdef VIMAGE_GLOBALS
/* NB: name changed so netstat doesn't use it */
struct ipsecstat ipsec4stat;
-int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
-int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
-int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
struct secpolicy ip4_def_policy;
-int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
-int ip4_esp_randpad = -1;
+int ipsec_debug;
+int ip4_ah_offsetmask;
+int ip4_ipsec_dfbit;
+int ip4_esp_trans_deflev;
+int ip4_esp_net_deflev;
+int ip4_ah_trans_deflev;
+int ip4_ah_net_deflev;
+int ip4_ipsec_ecn;
+int ip4_esp_randpad;
/*
* Crypto support requirements:
*
@@ -121,7 +117,8 @@
* -1 require software support
* 0 take anything
*/
-int crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+int crypto_support;
+#endif /* VIMAGE_GLOBALS */
SYSCTL_DECL(_net_inet_ipsec);
@@ -164,29 +161,33 @@
"IPsec IPv4 statistics.");
#ifdef REGRESSION
+#ifdef VIMAGE_GLOBALS
+int ipsec_replay;
+int ipsec_integrity;
+#endif
/*
* When set to 1, IPsec will send packets with the same sequence number.
* This allows to verify if the other side has proper replay attacks detection.
*/
-int ipsec_replay = 0;
SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
/*
* When set 1, IPsec will send packets with corrupted HMAC.
* This allows to verify if the other side properly detects modified packets.
*/
-int ipsec_integrity = 0;
SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");
#endif
#ifdef INET6
+#ifdef VIMAGE_GLOBALS
struct ipsecstat ipsec6stat;
-int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+int ip6_esp_trans_deflev;
+int ip6_esp_net_deflev;
+int ip6_ah_trans_deflev;
+int ip6_ah_net_deflev;
+int ip6_ipsec_ecn;
+#endif
SYSCTL_DECL(_net_inet6_ipsec6);
@@ -242,6 +243,39 @@
MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
+void
+ipsec_init(void)
+{
+ INIT_VNET_IPSEC(curvnet);
+
+#ifdef IPSEC_DEBUG
+ V_ipsec_debug = 1;
+#else
+ V_ipsec_debug = 0;
+#endif
+
+ V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */
+ V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
+ V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+ V_ip4_esp_randpad = -1;
+ V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+
+#ifdef REGRESSION
+ V_ipsec_replay = 0;
+ V_ipsec_integrity = 0;
+#endif
+
+ V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+}
+
/*
* Return a held reference to the default SP.
*/
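Review bot: The five assignments from `V_ip6_esp_trans_deflev` to `V_ip6_ipsec_ecn` at the end of ipsec_init() are unconditional, yet in the VIMAGE_GLOBALS build the globals they expand to are declared only under `#ifdef INET6` in the earlier hunk of this file, so a kernel built without INET6 would reference symbols that do not exist. Wrap those lines in `#ifdef INET6` / `#endif`, exactly as the REGRESSION pair a few lines above is already guarded. The new function also carries none of the block comments its neighbours have; a header such as `/* Reset the per-vnet IPsec tunables to their compiled-in defaults; called from key_init0(). */` would say where it is run from and make explicit that the tunables read as zero until then.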
==== //depot/projects/vimage-commit2/src/sys/netipsec/ipsec.h#6 (text+ko) ====
@@ -359,6 +359,7 @@
extern void ipsec_delisr(struct ipsecrequest *);
struct tdb_ident;
+extern void ipsec_init(void);
extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int));
struct inpcb;
extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int,
==== //depot/projects/vimage-commit2/src/sys/netipsec/key.c#14 (text+ko) ====
@@ -113,20 +113,31 @@
* field hits 0 (= no external reference other than from SA header.
*/
-u_int32_t key_debug_level = 0;
-static u_int key_spi_trycnt = 1000;
-static u_int32_t key_spi_minval = 0x100;
-static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */
-static u_int32_t policy_id = 0;
-static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/
-static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
-static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
-static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
-static int key_preferred_oldsa = 1; /* preferred old sa rather than new sa.*/
+#ifdef VIMAGE_GLOBALS
+u_int32_t key_debug_level;
+static u_int key_spi_trycnt;
+static u_int32_t key_spi_minval;
+static u_int32_t key_spi_maxval;
+static u_int32_t policy_id;
+static u_int key_int_random;
+static u_int key_larval_lifetime;
+static int key_blockacq_count;
+static int key_blockacq_lifetime;
+static int key_preferred_oldsa;
+
+static u_int32_t acq_seq;
-static u_int32_t acq_seq = 0;
+static int ipsec_esp_keymin;
+static int ipsec_esp_auth;
+static int ipsec_ah_keymin;
static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */
+static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
+static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
+static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
+static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
+#endif /* VIMAGE_GLOBALS */
+
static struct mtx sptree_lock;
#define SPTREE_LOCK_INIT() \
mtx_init(&sptree_lock, "sptree", \
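Review bot: Moving `sahtree`, `regtree`, `acqtree` and `spacqtree` up into the VIMAGE_GLOBALS block separates each list head from the `static struct mtx` that protects it, which previously sat on the very next line; a reader of the guarded block now has no hint that these lists are lock-protected or where their defaults come from. A short comment at the top of the block, e.g. `/* Tunables are assigned in key_init(); list heads are guarded by the *_lock mutexes declared below. */`, would restore that link. The bare declarations also drop the units the old initialisers documented (seconds for key_larval_lifetime, minutes for key_int_random), which now live only in key_init().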
@@ -136,7 +147,6 @@
#define SPTREE_UNLOCK() mtx_unlock(&sptree_lock)
#define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED)
-static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
static struct mtx sahtree_lock;
#define SAHTREE_LOCK_INIT() \
mtx_init(&sahtree_lock, "sahtree", \
@@ -147,7 +157,6 @@
#define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED)
/* registed list */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
static struct mtx regtree_lock;
#define REGTREE_LOCK_INIT() \
mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -156,7 +165,6 @@
#define REGTREE_UNLOCK() mtx_unlock(®tree_lock)
#define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED)
-static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
static struct mtx acq_lock;
#define ACQ_LOCK_INIT() \
mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -165,7 +173,6 @@
#define ACQ_UNLOCK() mtx_unlock(&acq_lock)
#define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED)
-static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
static struct mtx spacq_lock;
#define SPACQ_LOCK_INIT() \
mtx_init(&spacq_lock, "spacqtree", \
@@ -236,10 +243,6 @@
sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
};
-static int ipsec_esp_keymin = 256;
-static int ipsec_esp_auth = 0;
-static int ipsec_ah_keymin = 128;
-
#ifdef SYSCTL_DECL
SYSCTL_DECL(_net_key);
#endif
@@ -2696,9 +2699,9 @@
/* searching all SA registerd in the secindex. */
for (stateidx = 0;
- stateidx < _ARRAYLEN(V_saorder_state_any);
+ stateidx < _ARRAYLEN(saorder_state_any);
stateidx++) {
- u_int state = V_saorder_state_any[stateidx];
+ u_int state = saorder_state_any[stateidx];
LIST_FOREACH_SAFE(sav, &sah->savtree[state], chain, nextsav) {
if (sav->refcnt == 0) {
/* sanity check */
@@ -2982,10 +2985,10 @@
SAHTREE_LOCK_ASSERT();
/* search all status */
for (stateidx = 0;
- stateidx < _ARRAYLEN(V_saorder_state_alive);
+ stateidx < _ARRAYLEN(saorder_state_alive);
stateidx++) {
- state = V_saorder_state_alive[stateidx];
+ state = saorder_state_alive[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
/* sanity check */
@@ -5310,9 +5313,9 @@
/* Delete all non-LARVAL SAs. */
for (stateidx = 0;
- stateidx < _ARRAYLEN(V_saorder_state_alive);
+ stateidx < _ARRAYLEN(saorder_state_alive);
stateidx++) {
- state = V_saorder_state_alive[stateidx];
+ state = saorder_state_alive[stateidx];
if (state == SADB_SASTATE_LARVAL)
continue;
for (sav = LIST_FIRST(&sah->savtree[state]);
@@ -6515,9 +6518,9 @@
continue;
for (stateidx = 0;
- stateidx < _ARRAYLEN(V_saorder_state_alive);
+ stateidx < _ARRAYLEN(saorder_state_alive);
stateidx++) {
- state = V_saorder_state_any[stateidx];
+ state = saorder_state_any[stateidx];
for (sav = LIST_FIRST(&sah->savtree[state]);
sav != NULL;
sav = nextsav) {
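Review bot: The loop bound on the first changed line is `_ARRAYLEN(saorder_state_alive)` while the next changed line indexes `saorder_state_any[stateidx]`, so the two state tables are mixed; the commit only drops the `V_` prefix and carries the mismatch over. The vnet fields this change removes from vipsec.h were sized 3 and 4 respectively, so if the plain arrays keep those sizes the last entry of `saorder_state_any` is never visited here. Either both lines should name `saorder_state_alive`, or the bound should be `_ARRAYLEN(saorder_state_any)`, depending on whether the non-alive state is meant to be skipped; the enclosing function begins outside the hunk, so the intent is not visible from here.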
@@ -6600,9 +6603,9 @@
continue;
for (stateidx = 0;
- stateidx < _ARRAYLEN(V_saorder_state_any);
+ stateidx < _ARRAYLEN(saorder_state_any);
stateidx++) {
- state = V_saorder_state_any[stateidx];
+ state = saorder_state_any[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
cnt++;
}
@@ -6630,9 +6633,9 @@
}
for (stateidx = 0;
- stateidx < _ARRAYLEN(V_saorder_state_any);
+ stateidx < _ARRAYLEN(saorder_state_any);
stateidx++) {
- state = V_saorder_state_any[stateidx];
+ state = saorder_state_any[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
n = key_setdumpsa(sav, SADB_DUMP, satype,
--cnt, mhp->msg->sadb_msg_pid);
@@ -7184,6 +7187,23 @@
INIT_VNET_IPSEC(curvnet);
int i;
+ V_key_debug_level = 0;
+ V_key_spi_trycnt = 1000;
+ V_key_spi_minval = 0x100;
+ V_key_spi_maxval = 0x0fffffff; /* XXX */
+ V_policy_id = 0;
+ V_key_int_random = 60; /*interval to initialize randseed,1(m)*/
+ V_key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
+ V_key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
+ V_key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
+ V_key_preferred_oldsa = 1; /* preferred old sa rather than new sa*/
+
+ V_acq_seq = 0;
+
+ V_ipsec_esp_keymin = 256;
+ V_ipsec_esp_auth = 0;
+ V_ipsec_ah_keymin = 128;
+
SPTREE_LOCK_INIT();
REGTREE_LOCK_INIT();
SAHTREE_LOCK_INIT();
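Review bot: The defaults relocated into key_init() lose the context that explains them: `V_key_spi_minval = 0x100;` is presumably chosen because SPI values 0–255 are reserved by RFC 4303 §2.1, and `V_key_spi_maxval = 0x0fffffff; /* XXX */` says nothing about why the upper bound stops short of 32 bits. Replacing the bare XXX with a comment such as `/* SPIs 0..255 are reserved (RFC 4303); upper bound is arbitrary */` would make the SPI range auditable at the one place it is now set. key_init()'s body begins before and continues after this hunk.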
==== //depot/projects/vimage-commit2/src/sys/netipsec/keysock.c#9 (text+ko) ====
@@ -70,14 +70,16 @@
int key_count;
int any_count;
};
+
+#ifdef VIMAGE_GLOBALS
static struct key_cb key_cb;
+struct pfkeystat pfkeystat;
+#endif
static struct sockaddr key_src = { 2, PF_KEY, };
static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
-struct pfkeystat pfkeystat;
-
/*
* key_output()
*/
@@ -164,7 +166,7 @@
V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
}
- if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&V_key_src,
+ if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src,
m, NULL)) {
V_pfkeystat.in_nomem++;
m_freem(m);
@@ -570,7 +572,9 @@
key_init0(void)
{
INIT_VNET_IPSEC(curvnet);
+
bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
+ ipsec_init();
key_init();
}
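Review bot: key_init0() now calls ipsec_init() ahead of key_init(), so the ipsec.c defaults (ipsec_debug, the *_deflev levels, crypto_support) are established by the PF_KEY domain initialiser rather than anywhere in ipsec.c, and nothing records that ordering requirement. A one-line comment above the call, e.g. `/* Establish ipsec.c's per-vnet defaults before the key database is set up. */`, would keep the dependency visible; whether key_init() itself reads any of those values is not shown in the hunk.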
==== //depot/projects/vimage-commit2/src/sys/netipsec/vipsec.h#5 (text+ko) ====
@@ -81,8 +81,6 @@
int _key_preferred_oldsa;
u_int32_t _acq_seq;
- u_int _saorder_state_alive[3];
- u_int _saorder_state_any[4];
int _esp_enable;
struct espstat _espstat;
int _esp_max_ivlen;
@@ -98,7 +96,6 @@
int _ip6_ah_trans_deflev;
int _ip6_ah_net_deflev;
int _ip6_ipsec_ecn;
- int _ip6_esp_randpad;
int _ah_enable;
int _ah_cleartos;
@@ -109,8 +106,6 @@
struct pfkeystat _pfkeystat;
struct key_cb _key_cb;
- struct sockaddr _key_dst;
- struct sockaddr _key_src;
LIST_HEAD(, secpolicy) _sptree[IPSEC_DIR_MAX];
LIST_HEAD(, secashead) _sahtree;
@@ -149,7 +144,6 @@
#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
-#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
@@ -168,20 +162,16 @@
#define V_key_blockacq_lifetime VNET_IPSEC(key_blockacq_lifetime)
#define V_key_cb VNET_IPSEC(key_cb)
#define V_key_debug_level VNET_IPSEC(key_debug_level)
-#define V_key_dst VNET_IPSEC(key_dst)
#define V_key_int_random VNET_IPSEC(key_int_random)
#define V_key_larval_lifetime VNET_IPSEC(key_larval_lifetime)
#define V_key_preferred_oldsa VNET_IPSEC(key_preferred_oldsa)
#define V_key_spi_maxval VNET_IPSEC(key_spi_maxval)
#define V_key_spi_minval VNET_IPSEC(key_spi_minval)
#define V_key_spi_trycnt VNET_IPSEC(key_spi_trycnt)
-#define V_key_src VNET_IPSEC(key_src)
#define V_pfkeystat VNET_IPSEC(pfkeystat)
#define V_policy_id VNET_IPSEC(policy_id)
#define V_regtree VNET_IPSEC(regtree)
#define V_sahtree VNET_IPSEC(sahtree)
-#define V_saorder_state_alive VNET_IPSEC(saorder_state_alive)
-#define V_saorder_state_any VNET_IPSEC(saorder_state_any)
#define V_spacqtree VNET_IPSEC(spacqtree)
#define V_sptree VNET_IPSEC(sptree)
==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ah.c#10 (text+ko) ====
@@ -88,9 +88,11 @@
#define AUTHSIZE(sav) \
((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
-int ah_enable = 1; /* control flow of packets with AH */
-int ah_cleartos = 1; /* clear ip_tos when doing AH calc */
+#ifdef VIMAGE_GLOBALS
+int ah_enable;
+int ah_cleartos;
struct ahstat ahstat;
+#endif
SYSCTL_DECL(_net_inet_ah);
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
@@ -1217,6 +1219,10 @@
static void
ah_attach(void)
{
+
+ V_ah_enable = 1; /* control flow of packets with AH */
+ V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */
+
xform_register(&ah_xformsw);
}
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
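Review bot: ah_attach() writes `V_ah_enable` and `V_ah_cleartos` without the `INIT_VNET_IPSEC(curvnet);` that both ipsec_init() and key_init0() in this same change place before their first `V_` access; if the V_ macros resolve through that declaration in the VIMAGE build, the attach routine will not compile there. ipcomp_attach() in xform_ipcomp.c and ipe4_attach() in xform_ipip.c have the same shape. Adding `INIT_VNET_IPSEC(curvnet);` as the first statement of each attach body would match the two initialisers that already do so.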
==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_esp.c#11 (text+ko) ====
@@ -76,8 +76,11 @@
#include <opencrypto/cryptodev.h>
#include <opencrypto/xform.h>
-int esp_enable = 1;
+#ifdef VIMAGE_GLOBALS
struct espstat espstat;
+static int esp_max_ivlen; /* max iv length over all algorithms */
+int esp_enable;
+#endif
SYSCTL_DECL(_net_inet_esp);
SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
@@ -85,8 +88,6 @@
SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
stats, CTLFLAG_RD, espstat, espstat, "");
-static int esp_max_ivlen; /* max iv length over all algorithms */
-
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
@@ -993,7 +994,9 @@
if (xform.blocksize > V_esp_max_ivlen) \
V_esp_max_ivlen = xform.blocksize \
+ V_esp_enable = 1;
V_esp_max_ivlen = 0;
+
MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
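Review bot: As rendered, the context line `V_esp_max_ivlen = xform.blocksize \` immediately before the new `V_esp_enable = 1;` still ends in a backslash continuation, which would splice the assignment into the MAXIV macro body and break every `MAXIV(...)` expansion that follows. If that continuation is real in the file, the assignment belongs after the line that closes the macro, next to `V_esp_max_ivlen = 0;`; if it is only an artefact of the diff rendering, the placement is fine. The enclosing function starts outside the hunk.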
==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipcomp.c#9 (text+ko) ====
@@ -67,8 +67,10 @@
#include <opencrypto/deflate.h>
#include <opencrypto/xform.h>
-int ipcomp_enable = 0;
+#ifdef VIMAGE_GLOBALS
+int ipcomp_enable;
struct ipcompstat ipcompstat;
+#endif
SYSCTL_DECL(_net_inet_ipcomp);
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
@@ -597,6 +599,8 @@
static void
ipcomp_attach(void)
{
+
+ V_ipcomp_enable = 0;
xform_register(&ipcomp_xformsw);
}
SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
==== //depot/projects/vimage-commit2/src/sys/netipsec/xform_ipip.c#9 (text+ko) ====
@@ -91,8 +91,10 @@
* We can control the acceptance of IP4 packets by altering the sysctl
* net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
*/
-int ipip_allow = 0;
+#ifdef VIMAGE_GLOBALS
+int ipip_allow;
struct ipipstat ipipstat;
+#endif
SYSCTL_DECL(_net_inet_ipip);
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
@@ -694,6 +696,9 @@
static void
ipe4_attach(void)
{
+
+ V_ipip_allow = 0;
+
xform_register(&ipe4_xformsw);
/* attach to encapsulation framework */
/* XXX save return cookie for detach on module remove */