
[src/trunk]: src/sys/netipsec Make ipsec_address() and ipsec_logsastr() mpsafe.



details:   https://anonhg.NetBSD.org/src/rev/6857fdcc4d1e
branches:  trunk
changeset: 823839:6857fdcc4d1e
user:      ryo <ryo%NetBSD.org@localhost>
date:      Thu May 11 05:55:14 2017 +0000

description:
Make ipsec_address() and ipsec_logsastr() mpsafe.

diffstat:

 sys/netipsec/ipsec.c        |  53 ++++++++++++--------------------------------
 sys/netipsec/ipsec.h        |  11 ++++++--
 sys/netipsec/ipsec_input.c  |  38 +++++++++++++++++++------------
 sys/netipsec/ipsec_output.c |  13 +++++-----
 sys/netipsec/xform_ah.c     |  29 ++++++++++++++----------
 sys/netipsec/xform_esp.c    |  50 ++++++++++++++++++++++++++----------------
 sys/netipsec/xform_ipcomp.c |  28 +++++++++++++----------
 sys/netipsec/xform_ipip.c   |   9 ++++---
 8 files changed, 122 insertions(+), 109 deletions(-)

diffs (truncated from 771 to 300 lines):

diff -r 40166732940a -r 6857fdcc4d1e sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c      Thu May 11 04:33:14 2017 +0000
+++ b/sys/netipsec/ipsec.c      Thu May 11 05:55:14 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.c,v 1.87 2017/05/10 09:34:52 ozaki-r Exp $       */
+/*     $NetBSD: ipsec.c,v 1.88 2017/05/11 05:55:14 ryo Exp $   */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $       */
 /*     $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.87 2017/05/10 09:34:52 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.88 2017/05/11 05:55:14 ryo Exp $");
 
 /*
  * IPsec controller part.
@@ -2101,6 +2101,7 @@
        int fr;
        u_int32_t wsizeb;       /* constant: bits of window size */
        int frlast;             /* constant: last frame */
+       char buf[INET6_ADDRSTRLEN];
 
        IPSEC_SPLASSERT_SOFTNET(__func__);
 
@@ -2177,7 +2178,7 @@
                        return 1;
 
                ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
-                   replay->overflow, ipsec_logsastr(sav)));
+                   replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf))));
        }
 
        replay->count++;
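Review bot: The buffer passed to ipsec_logsastr() here is the `char buf[INET6_ADDRSTRLEN];` added in the previous hunk (@@ -2101,6 +2101,7 @@), which is too small for the string the function now formats. ipsec_logsastr() writes "SA(SPI=%u src=%s dst=%s)" with two addresses, and ipsec.h in this same commit adds IPSEC_LOGSASTRLEN (192) for exactly this caller-side buffer. snprintf bounds the write, so nothing overflows, but the replay-counter warning will be cut off before the SA's addresses are complete, which makes the log entry much less useful when tracing which SA wrapped. Declaring it as `char buf[IPSEC_LOGSASTRLEN];` fixes that. The enclosing function starts and ends outside both hunks.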
@@ -2210,37 +2211,21 @@
        return;
 }
 
-/* Return a printable string for the IPv4 address. */
-static char *
-inet_ntoa4(struct in_addr ina)
-{
-       static char buf[4][4 * sizeof "123" + 4];
-       unsigned char *ucp = (unsigned char *) &ina;
-       static int i = 3;
-
-       i = (i + 1) % 4;
-       snprintf(buf[i], sizeof(buf[i]), "%d.%d.%d.%d",
-               ucp[0] & 0xff, ucp[1] & 0xff, ucp[2] & 0xff, ucp[3] & 0xff);
-       return (buf[i]);
-}
-
 /* Return a printable string for the address. */
 const char *
-ipsec_address(const union sockaddr_union *sa)
+ipsec_address(const union sockaddr_union *sa, char *buf, size_t size)
 {
-#if INET6
-       static char ip6buf[INET6_ADDRSTRLEN];   /* XXX: NOMPSAFE */
-#endif
-
        switch (sa->sa.sa_family) {
 #if INET
        case AF_INET:
-               return inet_ntoa4(sa->sin.sin_addr);
+               in_print(buf, size, &sa->sin.sin_addr);
+               return buf;
 #endif /* INET */
 
 #if INET6
        case AF_INET6:
-               return IN6_PRINT(ip6buf, &sa->sin6.sin6_addr);
+               in6_print(buf, size, &sa->sin6.sin6_addr);
+               return buf;
 #endif /* INET6 */
 
        default:
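Review bot: The comment above ipsec_address() still reads "Return a printable string for the address." and does not describe the new contract, where the result lives in a caller-supplied buffer. I would replace it with something like `/* Format sa's address into the caller's buf (IPSEC_ADDRSTRLEN bytes suffice) and return buf. */`. It should also say that two calls in one log statement need two distinct buffers, as the ipsec_input.c callers do with pbuf/dbuf, since the removed "only use ipsec_address on one address at a time" remark is gone from ipsec_logsastr(). The `default:` branch continues outside this hunk, so what is returned for an unknown address family is not visible here.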
@@ -2249,27 +2234,19 @@
 }
 
 const char *
-ipsec_logsastr(const struct secasvar *sav)
+ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size)
 {
-       static char buf[256];
-       char *p;
        const struct secasindex *saidx = &sav->sah->saidx;
+       char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
 
        KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
            "af family mismatch, src %u, dst %u",
            saidx->src.sa.sa_family, saidx->dst.sa.sa_family);
 
-       p = buf;
-       snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
-       while (p && *p)
-               p++;
-       /* NB: only use ipsec_address on one address at a time */
-       snprintf(p, sizeof (buf) - (p - buf), "src=%s ",
-               ipsec_address(&saidx->src));
-       while (p && *p)
-               p++;
-       snprintf(p, sizeof (buf) - (p - buf), "dst=%s)",
-               ipsec_address(&saidx->dst));
+       snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)",
+           (u_int32_t)ntohl(sav->spi),
+           ipsec_address(&saidx->src, sbuf, sizeof(sbuf)),
+           ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)));
 
        return buf;
 }
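Review bot: ipsec_logsastr() has no comment telling callers how large buf must be, and snprintf silently shortens the string when size is too small. A header comment such as `/* Format "SA(SPI=... src=... dst=...)" into buf and return it; pass a buffer of IPSEC_LOGSASTRLEN bytes. */` would make the requirement visible at the definition. If every caller is meant to use that constant, a `KASSERT(size >= IPSEC_LOGSASTRLEN);` next to the existing KASSERTMSG would catch an undersized buffer during development rather than in a truncated log line.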
diff -r 40166732940a -r 6857fdcc4d1e sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h      Thu May 11 04:33:14 2017 +0000
+++ b/sys/netipsec/ipsec.h      Thu May 11 05:55:14 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.h,v 1.46 2017/05/10 09:34:52 ozaki-r Exp $       */
+/*     $NetBSD: ipsec.h,v 1.47 2017/05/11 05:55:14 ryo Exp $   */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $       */
 /*     $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
@@ -149,6 +149,11 @@
 };
 #endif /* _KERNEL */
 
+/* buffer size for formatted output of ipsec address (addr + '%' + scope_id?) */
+#define        IPSEC_ADDRSTRLEN        (INET6_ADDRSTRLEN + 11)
+/* buffer size for ipsec_logsastr() */
+#define        IPSEC_LOGSASTRLEN       192
+
 /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
 #define IPSEC_PORT_ANY         0
 #define IPSEC_ULPROTO_ANY      255
@@ -307,8 +312,8 @@
 #define ipsec4_getpolicybyaddr ipsec_getpolicybyaddr
 
 union sockaddr_union;
-const char *ipsec_address(const union sockaddr_union* sa);
-const char *ipsec_logsastr (const struct secasvar *);
+const char *ipsec_address(const union sockaddr_union* sa, char *, size_t);
+const char *ipsec_logsastr(const struct secasvar *, char *, size_t);
 
 void ipsec_dumpmbuf (struct mbuf *);
 
diff -r 40166732940a -r 6857fdcc4d1e sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c        Thu May 11 04:33:14 2017 +0000
+++ b/sys/netipsec/ipsec_input.c        Thu May 11 05:55:14 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_input.c,v 1.41 2017/04/19 03:39:14 ozaki-r Exp $ */
+/*     $NetBSD: ipsec_input.c,v 1.42 2017/05/11 05:55:14 ryo Exp $     */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /*     $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $        */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.41 2017/04/19 03:39:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.42 2017/05/11 05:55:14 ryo Exp $");
 
 /*
  * IPsec input processing.
@@ -122,6 +122,7 @@
 static int
 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
 {
+       char buf[IPSEC_ADDRSTRLEN];
        union sockaddr_union dst_address;
        struct secasvar *sav;
        u_int32_t spi;
@@ -213,7 +214,7 @@
        if (sav == NULL) {
                DPRINTF(("ipsec_common_input: no key association found for"
                          " SA %s/%08lx/%u/%u\n",
-                         ipsec_address(&dst_address),
+                         ipsec_address(&dst_address, buf, sizeof(buf)),
                          (u_long) ntohl(spi), sproto, ntohs(dport)));
                IPSEC_ISTAT(sproto, ESP_STAT_NOTDB, AH_STAT_NOTDB,
                    IPCOMP_STAT_NOTDB);
@@ -225,7 +226,7 @@
        if (sav->tdb_xform == NULL) {
                DPRINTF(("ipsec_common_input: attempted to use uninitialized"
                         " SA %s/%08lx/%u\n",
-                        ipsec_address(&dst_address),
+                        ipsec_address(&dst_address, buf, sizeof(buf)),
                         (u_long) ntohl(spi), sproto));
                IPSEC_ISTAT(sproto, ESP_STAT_NOXFORM, AH_STAT_NOXFORM,
                    IPCOMP_STAT_NOXFORM);
@@ -305,9 +306,10 @@
 
        /* Fix IPv4 header */
        if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
+               char buf[IPSEC_ADDRSTRLEN];
                DPRINTF(("ipsec4_common_input_cb: processing failed "
                    "for SA %s/%08lx\n",
-                   ipsec_address(&sav->sah->saidx.dst),
+                   ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
                    (u_long) ntohl(sav->spi)));
                IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
                    IPCOMP_STAT_HDROPS);
@@ -340,10 +342,11 @@
                    (saidx->proxy.sa.sa_family != AF_INET &&
                        saidx->proxy.sa.sa_family != 0)) {
 
+                       char ipbuf[INET_ADDRSTRLEN];
                        DPRINTF(("ipsec4_common_input_cb: inner "
                            "source address %s doesn't correspond to "
                            "expected proxy source %s, SA %s/%08lx\n",
-                           inet_ntoa4(ipn.ip_src),
+                           IN_PRINT(ipbuf, ipn.ip_src),
                            ipsp_address(saidx->proxy),
                            ipsp_address(saidx->dst),
                            (u_long) ntohl(sav->spi)));
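Review bot: `IN_PRINT(ipbuf, ipn.ip_src)` passes the in_addr by value, whereas in_print() in ipsec.c is called with a pointer (`&sa->sin.sin_addr`) and the IPv6 sibling passes `&ip6n.ip6_src`. If IN_PRINT forwards its second argument to in_print() unchanged (the macro is not shown on this page), this should be `IN_PRINT(ipbuf, &ipn.ip_src)`; the same call appears in the ipsec6_common_input_cb hunk at @@ -572,12 +577,14 @@. The unchanged `ipsp_address(saidx->proxy)` lines beside it suggest this block may currently be compiled out, which would explain why the mismatch does not break the build, so it is worth correcting before the block is ever enabled. The enclosing condition starts outside the hunk.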
@@ -377,12 +380,13 @@
                        saidx->proxy.sa.sa_family != 0)) {
 
                        char ip6buf[INET6_ADDRSTRLEN];
+                       char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
                        DPRINTF(("ipsec4_common_input_cb: inner "
                            "source address %s doesn't correspond to "
                            "expected proxy source %s, SA %s/%08lx\n",
                            ip6_sprintf(ip6buf, &ip6n.ip6_src),
-                           ipsec_address(&saidx->proxy),
-                           ipsec_address(&saidx->dst),
+                           ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
+                           ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
                            (u_long) ntohl(sav->spi)));
 
                        IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
@@ -537,9 +541,10 @@
        if (m->m_len < sizeof(struct ip6_hdr) &&
            (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
 
+               char buf[IPSEC_ADDRSTRLEN];
                DPRINTF(("ipsec6_common_input_cb: processing failed "
-                   "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst),
-                   (u_long) ntohl(sav->spi)));
+                   "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst,
+                   buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
 
                IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
                    IPCOMP_STAT_HDROPS);
@@ -572,12 +577,14 @@
                    (saidx->proxy.sa.sa_family != AF_INET &&
                        saidx->proxy.sa.sa_family != 0)) {
 
+                       char ipbuf[INET_ADDRSTRLEN];
+                       char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
                        DPRINTF(("ipsec6_common_input_cb: inner "
                            "source address %s doesn't correspond to "
                            "expected proxy source %s, SA %s/%08lx\n",
-                           inet_ntoa4(ipn.ip_src),
-                           ipsec_address(&saidx->proxy),
-                           ipsec_address(&saidx->dst),
+                           IN_PRINT(ipbuf, ipn.ip_src),
+                           ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
+                           ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
                            (u_long) ntohl(sav->spi)));
 
                        IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
@@ -609,12 +616,13 @@
                        saidx->proxy.sa.sa_family != 0)) {
 
                        char ip6buf[INET6_ADDRSTRLEN];
+                       char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
                        DPRINTF(("ipsec6_common_input_cb: inner "
                            "source address %s doesn't correspond to "
                            "expected proxy source %s, SA %s/%08lx\n",
                            ip6_sprintf(ip6buf, &ip6n.ip6_src),
-                           ipsec_address(&saidx->proxy),
-                           ipsec_address(&saidx->dst),
+                           ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
+                           ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
                            (u_long) ntohl(sav->spi)));
 
                        IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
diff -r 40166732940a -r 6857fdcc4d1e sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c       Thu May 11 04:33:14 2017 +0000
+++ b/sys/netipsec/ipsec_output.c       Thu May 11 05:55:14 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_output.c,v 1.46 2017/05/08 06:39:23 ozaki-r Exp $        */
+/*     $NetBSD: ipsec_output.c,v 1.47 2017/05/11 05:55:14 ryo Exp $    */
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.46 2017/05/08 06:39:23 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.47 2017/05/11 05:55:14 ryo Exp $");
 
 /*
  * IPsec output processing.
@@ -177,10 +177,11 @@
 
                mo = m_makespace(m, sizeof(struct ip), hlen, &roff);
                if (mo == NULL) {
-                       DPRINTF(("ipsec_process_done : failed to inject" 
-                                "%u byte UDP for SA %s/%08lx\n",


