

[src/trunk]: src/sys/netipsec Pass sav directly to opencrypto callback



details:   https://anonhg.NetBSD.org/src/rev/67f918e8b4e2
branches:  trunk
changeset: 825427:67f918e8b4e2
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Fri Jul 14 01:24:23 2017 +0000

description:
Pass sav directly to opencrypto callback

In a callback, use a passed sav as-is by default and look up a sav
only if the passed sav is dead.

diffstat:

 sys/netipsec/key.c          |  15 +++++++++-
 sys/netipsec/key.h          |   5 +++-
 sys/netipsec/xform.h        |   7 +++--
 sys/netipsec/xform_ah.c     |  45 ++++++++++++++++++++++------------
 sys/netipsec/xform_esp.c    |  59 +++++++++++++++++++++++++++-----------------
 sys/netipsec/xform_ipcomp.c |  45 ++++++++++++++++++++++------------
 sys/netipsec/xform_ipip.c   |   8 +++---
 sys/netipsec/xform_tcp.c    |   6 ++--
 8 files changed, 122 insertions(+), 68 deletions(-)

diffs (truncated from 479 to 300 lines):

diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/key.c
--- a/sys/netipsec/key.c        Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/key.c        Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.c,v 1.181 2017/07/13 01:22:44 ozaki-r Exp $        */
+/*     $NetBSD: key.c,v 1.182 2017/07/14 01:24:23 ozaki-r Exp $        */
 /*     $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $        */
 /*     $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $   */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.181 2017/07/13 01:22:44 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.182 2017/07/14 01:24:23 ozaki-r Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -1246,6 +1246,17 @@
            sp, sp->id, where, tag, sp->refcnt);
 }
 
+void
+key_sa_ref(struct secasvar *sav, const char* where, int tag)
+{
+
+       SA_ADDREF2(sav, where, tag);
+
+       KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
+           "DP cause refcnt++:%d SA:%p from %s:%u\n",
+           sav->refcnt, sav, where, tag);
+}
+
 /*
  * Must be called after calling key_lookup_sp*().
  * For both the packet without socket and key_freeso().
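Review bot: key_sa_ref is added without a comment stating the reference contract, and since KEY_SA_REF is now called from the xform input/output paths on behalf of a callback that runs later, the owner of that reference should be spelled out. A header comment such as `/* Take a reference on sav for a deferred user; the holder must release it with KEY_FREESAV(). */` above the function (and a matching one-liner on the KEY_SA_REF macro in key.h) would make the pairing obvious. The debug text "DP cause refcnt++" appears to mirror the key_sp_ref message, and sav->refcnt is read after SA_ADDREF2 for the print only, which is fine for a debug line but should not be relied on as an exact value.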
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/key.h
--- a/sys/netipsec/key.h        Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/key.h        Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.h,v 1.21 2017/07/13 01:22:44 ozaki-r Exp $ */
+/*     $NetBSD: key.h,v 1.22 2017/07/14 01:24:23 ozaki-r Exp $ */
 /*     $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $        */
 /*     $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $    */
 
@@ -59,6 +59,7 @@
 /* NB: prepend with _ for KAME IPv6 compatbility */
 void _key_freesp(struct secpolicy **, const char*, int);
 void key_sp_ref(struct secpolicy *, const char*, int);
+void key_sa_ref(struct secasvar *, const char*, int);
 
 /*
  * Access to the SADB are interlocked with splsoftnet.  In particular,
@@ -79,6 +80,8 @@
        _key_freesp(spp, __func__, __LINE__)
 #define        KEY_SP_REF(sp)                                          \
        key_sp_ref(sp, __func__, __LINE__)
+#define KEY_SA_REF(sav)                                                \
+       key_sa_ref(sav, __func__, __LINE__)
 
 struct secasvar *key_lookup_sa(const union sockaddr_union *,
                u_int, u_int32_t, u_int16_t, u_int16_t, const char*, int);
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/xform.h
--- a/sys/netipsec/xform.h      Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/xform.h      Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform.h,v 1.9 2017/07/05 03:44:59 ozaki-r Exp $        */
+/*     $NetBSD: xform.h,v 1.10 2017/07/14 01:24:23 ozaki-r Exp $       */
 /*     $FreeBSD: src/sys/netipsec/xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $      */
 /*     $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $   */
 /*
@@ -62,6 +62,7 @@
 /*
  * Opaque data structure hung off a crypto operation descriptor.
  */
+struct secasvar;
 struct tdb_crypto {
        struct ipsecrequest     *tc_isr;        /* ipsec request state */
        u_int32_t               tc_spi;         /* associated SPI */
@@ -70,9 +71,9 @@
        u_int8_t                tc_nxt;         /* next protocol, e.g. IPV4 */
        int                     tc_protoff;     /* current protocol offset */
        int                     tc_skip;        /* data offset */
+       struct secasvar         *tc_sav;        /* ipsec SA */
 };
 
-struct secasvar;
 struct ipescrequest;
 
 struct xformsw {
@@ -89,7 +90,7 @@
        const char      *xf_name;               /* human-readable name */
        int     (*xf_init)(struct secasvar*, const struct xformsw*);/* setup */
        int     (*xf_zeroize)(struct secasvar*);                /* cleanup */
-       int     (*xf_input)(struct mbuf*, const struct secasvar*, /* input */
+       int     (*xf_input)(struct mbuf*, struct secasvar*, /* input */
                        int, int);
        int     (*xf_output)(struct mbuf*,                      /* output */
                        struct ipsecrequest *, struct mbuf **, int, int);
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c   Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/xform_ah.c   Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ah.c,v 1.59 2017/07/13 03:25:38 ozaki-r Exp $    */
+/*     $NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $    */
 /*     $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $   */
 /*     $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.59 2017/07/13 03:25:38 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.60 2017/07/14 01:24:23 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -614,7 +614,7 @@
  * passes authentication.
  */
 static int
-ah_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff)
+ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
        const struct auth_hash *ahx;
        struct tdb_crypto *tc;
@@ -748,6 +748,8 @@
        tc->tc_nxt = ah->ah_nxt;
        tc->tc_protoff = protoff;
        tc->tc_skip = skip;
+       tc->tc_sav = sav;
+       KEY_SA_REF(sav);
 
        DPRINTF(("%s: hash over %d bytes, skip %d: "
                 "crda len %d skip %d inject %d\n", __func__,
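Review bot: The reference taken by `KEY_SA_REF(sav)` right after `tc->tc_sav = sav;` is owned by ah_input_cb from this point on, but nothing at the call site says so, and the release is outside this hunk; a one-line `/* ref released by ah_input_cb */` next to the KEY_SA_REF call would document the transfer. The same applies to the parallel additions in ah_output (the hunk ending at `return crypto_dispatch(crp);`), esp_input and esp_output. If any exit path between this point and crypto_dispatch frees tc without reaching the callback, the new reference would leak with it; I cannot see those paths in the hunk, so this is worth confirming rather than asserting.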
@@ -803,12 +805,17 @@
        s = splsoftnet();
        mutex_enter(softnet_lock);
 
-       sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport);
-       if (sav == NULL) {
-               AH_STATINC(AH_STAT_NOTDB);
-               DPRINTF(("%s: SA expired while in crypto\n", __func__));
-               error = ENOBUFS;                /*XXX*/
-               goto bad;
+       sav = tc->tc_sav;
+       if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
+               KEY_FREESAV(&sav);
+               sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
+                   sport, dport);
+               if (sav == NULL) {
+                       AH_STATINC(AH_STAT_NOTDB);
+                       DPRINTF(("%s: SA expired while in crypto\n", __func__));
+                       error = ENOBUFS;                /*XXX*/
+                       goto bad;
+               }
        }
 
        saidx = &sav->sah->saidx;
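Review bot: After `KEY_FREESAV(&sav);` on the dead-SA branch, `tc->tc_sav` still points at the released SA while the local `sav` is replaced by the fresh lookup; any later cleanup in ah_input_cb that releases through `tc->tc_sav` rather than the local would release the old SA twice, and the release path is outside this hunk. Clearing the field costs one line, `KEY_FREESAV(&sav); tc->tc_sav = NULL;`, and removes the stale pointer regardless of which variable the cleanup uses. The same pattern is repeated in ah_output_cb, esp_input_cb and the truncated esp_output_cb hunk. Note also that the re-lookup preserves the previous behaviour only for SAs that went non-usable; a still-usable but dying SA is now used as-is, which matches the commit description and seems intended.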
@@ -954,7 +961,7 @@
 )
 {
        char buf[IPSEC_ADDRSTRLEN];
-       const struct secasvar *sav;
+       struct secasvar *sav;
        const struct auth_hash *ahx;
        struct cryptodesc *crda;
        struct tdb_crypto *tc;
@@ -1150,6 +1157,8 @@
        tc->tc_proto = sav->sah->saidx.proto;
        tc->tc_skip = skip;
        tc->tc_protoff = protoff;
+       tc->tc_sav = sav;
+       KEY_SA_REF(sav);
 
        return crypto_dispatch(crp);
 bad:
@@ -1182,12 +1191,16 @@
        mutex_enter(softnet_lock);
 
        isr = tc->tc_isr;
-       sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
-       if (sav == NULL) {
-               AH_STATINC(AH_STAT_NOTDB);
-               DPRINTF(("%s: SA expired while in crypto\n", __func__));
-               error = ENOBUFS;                /*XXX*/
-               goto bad;
+       sav = tc->tc_sav;
+       if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
+               KEY_FREESAV(&sav);
+               sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
+               if (sav == NULL) {
+                       AH_STATINC(AH_STAT_NOTDB);
+                       DPRINTF(("%s: SA expired while in crypto\n", __func__));
+                       error = ENOBUFS;                /*XXX*/
+                       goto bad;
+               }
        }
        KASSERTMSG(isr->sav == sav, "SA changed");
 
diff -r 707d1da77db5 -r 67f918e8b4e2 sys/netipsec/xform_esp.c
--- a/sys/netipsec/xform_esp.c  Thu Jul 13 22:17:09 2017 +0000
+++ b/sys/netipsec/xform_esp.c  Fri Jul 14 01:24:23 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_esp.c,v 1.60 2017/07/13 03:00:46 ozaki-r Exp $   */
+/*     $NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $   */
 /*     $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $  */
 /*     $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.60 2017/07/13 03:00:46 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.61 2017/07/14 01:24:23 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -297,7 +297,7 @@
  * ESP input processing, called (eventually) through the protocol switch.
  */
 static int
-esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff)
+esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
        const struct auth_hash *esph;
        const struct enc_xform *espx;
@@ -436,6 +436,8 @@
        tc->tc_proto = sav->sah->saidx.proto;
        tc->tc_protoff = protoff;
        tc->tc_skip = skip;
+       tc->tc_sav = sav;
+       KEY_SA_REF(sav);
 
        /* Decryption descriptor */
        if (espx) {
@@ -510,15 +512,20 @@
        s = splsoftnet();
        mutex_enter(softnet_lock);
 
-       sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport);
-       if (sav == NULL) {
-               ESP_STATINC(ESP_STAT_NOTDB);
-               DPRINTF(("%s: SA expired while in crypto "
-                   "(SA %s/%08lx proto %u)\n", __func__,
-                   ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
-                   (u_long) ntohl(tc->tc_spi), tc->tc_proto));
-               error = ENOBUFS;                /*XXX*/
-               goto bad;
+       sav = tc->tc_sav;
+       if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
+               KEY_FREESAV(&sav);
+               sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi,
+                   sport, dport);
+               if (sav == NULL) {
+                       ESP_STATINC(ESP_STAT_NOTDB);
+                       DPRINTF(("%s: SA expired while in crypto "
+                           "(SA %s/%08lx proto %u)\n", __func__,
+                           ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
+                           (u_long) ntohl(tc->tc_spi), tc->tc_proto));
+                       error = ENOBUFS;                /*XXX*/
+                       goto bad;
+               }
        }
 
        saidx = &sav->sah->saidx;
@@ -702,7 +709,7 @@
        int hlen, rlen, padding, blks, alen, i, roff;
        struct mbuf *mo = NULL;
        struct tdb_crypto *tc;
-       const struct secasvar *sav;
+       struct secasvar *sav;
        struct secasindex *saidx;
        unsigned char *pad;
        uint8_t prot;
@@ -900,6 +907,8 @@
        tc->tc_spi = sav->spi;
        tc->tc_dst = saidx->dst;
        tc->tc_proto = saidx->proto;
+       tc->tc_sav = sav;
+       KEY_SA_REF(sav);
 
        /* Crypto operation descriptor. */
        crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
@@ -957,16 +966,20 @@
        mutex_enter(softnet_lock);
 
        isr = tc->tc_isr;
-       sav = KEY_LOOKUP_SA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
-       if (sav == NULL) {
-               char buf[IPSEC_ADDRSTRLEN];
-               ESP_STATINC(ESP_STAT_NOTDB);
-               DPRINTF(("%s: SA expired while in crypto (SA %s/%08lx "
-                   "proto %u)\n", __func__,
-                   ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
-                   (u_long) ntohl(tc->tc_spi), tc->tc_proto));
-               error = ENOBUFS;                /*XXX*/
-               goto bad;
+       sav = tc->tc_sav;
+       if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {


