ipsec: replace SECASVAR mtx by rmlock
This mutex is a significant point of contention in the ipsec code, and can be relatively trivially replaced by a read-mostly lock. It does require a separate lock for the replay protection, which we do here by adding a separate mutex. This improves throughput (without replay protection) by 10-15%. MFC after: 3 weeks Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D35763
This commit is contained in:
parent
4eaaacc755
commit
0361f165f2
@ -1196,6 +1196,8 @@ check_window(const struct secreplay *replay, uint64_t seq)
|
||||
{
|
||||
int index, bit_location;
|
||||
|
||||
SECREPLAY_ASSERT(replay);
|
||||
|
||||
bit_location = seq & IPSEC_BITMAP_LOC_MASK;
|
||||
index = (seq >> IPSEC_REDUNDANT_BIT_SHIFTS)
|
||||
& IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size);
|
||||
@ -1210,6 +1212,8 @@ advance_window(const struct secreplay *replay, uint64_t seq)
|
||||
int i;
|
||||
uint64_t index, index_cur, diff;
|
||||
|
||||
SECREPLAY_ASSERT(replay);
|
||||
|
||||
index_cur = replay->last >> IPSEC_REDUNDANT_BIT_SHIFTS;
|
||||
index = seq >> IPSEC_REDUNDANT_BIT_SHIFTS;
|
||||
diff = index - index_cur;
|
||||
@ -1230,6 +1234,8 @@ set_window(const struct secreplay *replay, uint64_t seq)
|
||||
{
|
||||
int index, bit_location;
|
||||
|
||||
SECREPLAY_ASSERT(replay);
|
||||
|
||||
bit_location = seq & IPSEC_BITMAP_LOC_MASK;
|
||||
index = (seq >> IPSEC_REDUNDANT_BIT_SHIFTS)
|
||||
& IPSEC_BITMAP_INDEX_MASK(replay->bitmap_size);
|
||||
@ -1263,12 +1269,17 @@ ipsec_chkreplay(uint32_t seq, uint32_t *seqhigh, struct secasvar *sav)
|
||||
replay = sav->replay;
|
||||
|
||||
/* No need to check replay if disabled. */
|
||||
if (replay->wsize == 0)
|
||||
if (replay->wsize == 0) {
|
||||
return (1);
|
||||
}
|
||||
|
||||
SECREPLAY_LOCK(replay);
|
||||
|
||||
/* Zero sequence number is not allowed. */
|
||||
if (seq == 0 && replay->last == 0)
|
||||
if (seq == 0 && replay->last == 0) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (0);
|
||||
}
|
||||
|
||||
window = replay->wsize << 3; /* Size of window */
|
||||
tl = (uint32_t)replay->last; /* Top of window, lower part */
|
||||
@ -1286,10 +1297,13 @@ ipsec_chkreplay(uint32_t seq, uint32_t *seqhigh, struct secasvar *sav)
|
||||
*seqhigh = th;
|
||||
if (seq <= tl) {
|
||||
/* Sequence number inside window - check against replay */
|
||||
if (check_window(replay, seq))
|
||||
if (check_window(replay, seq)) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (0);
|
||||
}
|
||||
}
|
||||
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
/* Sequence number above top of window or not found in bitmap */
|
||||
return (1);
|
||||
}
|
||||
@ -1307,6 +1321,7 @@ ipsec_chkreplay(uint32_t seq, uint32_t *seqhigh, struct secasvar *sav)
|
||||
ESPSTAT_INC(esps_wrap);
|
||||
else if (sav->sah->saidx.proto == IPPROTO_AH)
|
||||
AHSTAT_INC(ahs_wrap);
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -1326,8 +1341,11 @@ ipsec_chkreplay(uint32_t seq, uint32_t *seqhigh, struct secasvar *sav)
|
||||
return (0);
|
||||
*seqhigh = th - 1;
|
||||
seqh = th - 1;
|
||||
if (check_window(replay, seq))
|
||||
if (check_window(replay, seq)) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (0);
|
||||
}
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (1);
|
||||
}
|
||||
|
||||
@ -1348,6 +1366,7 @@ ipsec_chkreplay(uint32_t seq, uint32_t *seqhigh, struct secasvar *sav)
|
||||
ESPSTAT_INC(esps_wrap);
|
||||
else if (sav->sah->saidx.proto == IPPROTO_AH)
|
||||
AHSTAT_INC(ahs_wrap);
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -1356,6 +1375,7 @@ ipsec_chkreplay(uint32_t seq, uint32_t *seqhigh, struct secasvar *sav)
|
||||
ipsec_sa2str(sav, buf, sizeof(buf))));
|
||||
}
|
||||
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (1);
|
||||
}
|
||||
|
||||
@ -1381,9 +1401,13 @@ ipsec_updatereplay(uint32_t seq, struct secasvar *sav)
|
||||
if (replay->wsize == 0)
|
||||
return (0);
|
||||
|
||||
SECREPLAY_LOCK(replay);
|
||||
|
||||
/* Zero sequence number is not allowed. */
|
||||
if (seq == 0 && replay->last == 0)
|
||||
if (seq == 0 && replay->last == 0) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (1);
|
||||
}
|
||||
|
||||
window = replay->wsize << 3; /* Size of window */
|
||||
tl = (uint32_t)replay->last; /* Top of window, lower part */
|
||||
@ -1401,8 +1425,10 @@ ipsec_updatereplay(uint32_t seq, struct secasvar *sav)
|
||||
seqh = th;
|
||||
if (seq <= tl) {
|
||||
/* Sequence number inside window - check against replay */
|
||||
if (check_window(replay, seq))
|
||||
if (check_window(replay, seq)) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (1);
|
||||
}
|
||||
set_window(replay, seq);
|
||||
} else {
|
||||
advance_window(replay, ((uint64_t)seqh << 32) | seq);
|
||||
@ -1412,11 +1438,14 @@ ipsec_updatereplay(uint32_t seq, struct secasvar *sav)
|
||||
|
||||
/* Sequence number above top of window or not found in bitmap */
|
||||
replay->count++;
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (0);
|
||||
}
|
||||
|
||||
if (!(sav->flags & SADB_X_SAFLAGS_ESN))
|
||||
if (!(sav->flags & SADB_X_SAFLAGS_ESN)) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Seq is within [bl, 0xffffffff] and bl is within
|
||||
@ -1425,13 +1454,18 @@ ipsec_updatereplay(uint32_t seq, struct secasvar *sav)
|
||||
* subspace.
|
||||
*/
|
||||
if (tl < window - 1 && seq >= bl) {
|
||||
if (th == 0)
|
||||
if (th == 0) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (1);
|
||||
if (check_window(replay, seq))
|
||||
}
|
||||
if (check_window(replay, seq)) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (1);
|
||||
}
|
||||
|
||||
set_window(replay, seq);
|
||||
replay->count++;
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -1442,13 +1476,17 @@ ipsec_updatereplay(uint32_t seq, struct secasvar *sav)
|
||||
seqh = th + 1;
|
||||
|
||||
/* Don't let high part wrap. */
|
||||
if (seqh == 0)
|
||||
if (seqh == 0) {
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (1);
|
||||
}
|
||||
|
||||
advance_window(replay, ((uint64_t)seqh << 32) | seq);
|
||||
set_window(replay, seq);
|
||||
replay->last = ((uint64_t)seqh << 32) | seq;
|
||||
replay->count++;
|
||||
|
||||
SECREPLAY_UNLOCK(replay);
|
||||
return (0);
|
||||
}
|
||||
int
|
||||
@ -1484,17 +1522,17 @@ ipsec_updateid(struct secasvar *sav, crypto_session_t *new,
|
||||
printf("%s: SA(%p) moves cryptoid %p -> %p\n",
|
||||
__func__, sav, *old, *new));
|
||||
KEYDBG(IPSEC_DATA, kdebug_secasv(sav));
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_WLOCK(sav);
|
||||
if (sav->tdb_cryptoid != *old) {
|
||||
/* cryptoid was already updated */
|
||||
tmp = *new;
|
||||
*new = sav->tdb_cryptoid;
|
||||
*old = tmp;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_WUNLOCK(sav);
|
||||
return (1);
|
||||
}
|
||||
sav->tdb_cryptoid = *new;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_WUNLOCK(sav);
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
@ -2965,13 +2965,14 @@ key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx,
|
||||
*errp = ENOBUFS;
|
||||
goto done;
|
||||
}
|
||||
sav->lock = malloc_aligned(max(sizeof(struct mtx), CACHE_LINE_SIZE),
|
||||
CACHE_LINE_SIZE, M_IPSEC_MISC, M_NOWAIT | M_ZERO);
|
||||
sav->lock = malloc_aligned(max(sizeof(struct rmlock),
|
||||
CACHE_LINE_SIZE), CACHE_LINE_SIZE, M_IPSEC_MISC,
|
||||
M_NOWAIT | M_ZERO);
|
||||
if (sav->lock == NULL) {
|
||||
*errp = ENOBUFS;
|
||||
goto done;
|
||||
}
|
||||
mtx_init(sav->lock, "ipsec association", NULL, MTX_DEF);
|
||||
rm_init(sav->lock, "ipsec association");
|
||||
sav->lft_c = uma_zalloc_pcpu(ipsec_key_lft_zone, M_NOWAIT | M_ZERO);
|
||||
if (sav->lft_c == NULL) {
|
||||
*errp = ENOBUFS;
|
||||
@ -3058,7 +3059,7 @@ key_newsav(const struct sadb_msghdr *mhp, struct secasindex *saidx,
|
||||
if (*errp != 0) {
|
||||
if (sav != NULL) {
|
||||
if (sav->lock != NULL) {
|
||||
mtx_destroy(sav->lock);
|
||||
rm_destroy(sav->lock);
|
||||
free(sav->lock, M_IPSEC_MISC);
|
||||
}
|
||||
if (sav->lft_c != NULL)
|
||||
@ -3104,6 +3105,7 @@ key_cleansav(struct secasvar *sav)
|
||||
sav->key_enc = NULL;
|
||||
}
|
||||
if (sav->replay != NULL) {
|
||||
mtx_destroy(&sav->replay->lock);
|
||||
if (sav->replay->bitmap != NULL)
|
||||
free(sav->replay->bitmap, M_IPSEC_MISC);
|
||||
free(sav->replay, M_IPSEC_MISC);
|
||||
@ -3138,7 +3140,7 @@ key_delsav(struct secasvar *sav)
|
||||
*/
|
||||
key_cleansav(sav);
|
||||
if ((sav->flags & SADB_X_EXT_F_CLONED) == 0) {
|
||||
mtx_destroy(sav->lock);
|
||||
rm_destroy(sav->lock);
|
||||
free(sav->lock, M_IPSEC_MISC);
|
||||
uma_zfree_pcpu(ipsec_key_lft_zone, sav->lft_c);
|
||||
}
|
||||
@ -3269,7 +3271,7 @@ key_updatelifetimes(struct secasvar *sav, const struct sadb_msghdr *mhp)
|
||||
* key_update() holds reference to this SA,
|
||||
* so it won't be deleted in meanwhile.
|
||||
*/
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_WLOCK(sav);
|
||||
tmp = sav->lft_h;
|
||||
sav->lft_h = lft_h;
|
||||
lft_h = tmp;
|
||||
@ -3277,7 +3279,7 @@ key_updatelifetimes(struct secasvar *sav, const struct sadb_msghdr *mhp)
|
||||
tmp = sav->lft_s;
|
||||
sav->lft_s = lft_s;
|
||||
lft_s = tmp;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_WUNLOCK(sav);
|
||||
if (lft_h != NULL)
|
||||
free(lft_h, M_IPSEC_MISC);
|
||||
if (lft_s != NULL)
|
||||
@ -3366,6 +3368,7 @@ key_setsaval(struct secasvar *sav, const struct sadb_msghdr *mhp)
|
||||
error = ENOBUFS;
|
||||
goto fail;
|
||||
}
|
||||
mtx_init(&sav->replay->lock, "ipsec replay", NULL, MTX_DEF);
|
||||
|
||||
if (replay != 0) {
|
||||
/* number of 32b blocks to be allocated */
|
||||
@ -3583,6 +3586,8 @@ key_setdumpsa(struct secasvar *sav, uint8_t type, uint8_t satype,
|
||||
};
|
||||
uint32_t replay_count;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt);
|
||||
if (m == NULL)
|
||||
goto fail;
|
||||
@ -3597,16 +3602,16 @@ key_setdumpsa(struct secasvar *sav, uint8_t type, uint8_t satype,
|
||||
goto fail;
|
||||
break;
|
||||
|
||||
case SADB_X_EXT_SA2:
|
||||
SECASVAR_LOCK(sav);
|
||||
case SADB_X_EXT_SA2: {
|
||||
SECASVAR_RLOCK(sav);
|
||||
replay_count = sav->replay ? sav->replay->count : 0;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
|
||||
sav->sah->saidx.reqid);
|
||||
if (!m)
|
||||
goto fail;
|
||||
break;
|
||||
|
||||
}
|
||||
case SADB_X_EXT_SA_REPLAY:
|
||||
if (sav->replay == NULL ||
|
||||
sav->replay->wsize <= UINT8_MAX)
|
||||
@ -4508,6 +4513,8 @@ key_flush_sad(time_t now)
|
||||
struct secashead *sah, *nextsah;
|
||||
struct secasvar *sav, *nextsav;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
LIST_INIT(&drainq);
|
||||
LIST_INIT(&hexpireq);
|
||||
LIST_INIT(&sexpireq);
|
||||
@ -4533,13 +4540,13 @@ key_flush_sad(time_t now)
|
||||
/* lifetimes aren't specified */
|
||||
if (sav->lft_h == NULL)
|
||||
continue;
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
/*
|
||||
* Check again with lock held, because it may
|
||||
* be updated by SADB_UPDATE.
|
||||
*/
|
||||
if (sav->lft_h == NULL) {
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
@ -4556,7 +4563,7 @@ key_flush_sad(time_t now)
|
||||
now - sav->firstused > sav->lft_h->usetime) ||
|
||||
(sav->lft_h->bytes != 0 && counter_u64_fetch(
|
||||
sav->lft_c_bytes) > sav->lft_h->bytes)) {
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
SAV_ADDREF(sav);
|
||||
LIST_INSERT_HEAD(&hexpireq, sav, drainq);
|
||||
continue;
|
||||
@ -4573,12 +4580,12 @@ key_flush_sad(time_t now)
|
||||
(sav->replay != NULL) && (
|
||||
(sav->replay->count > UINT32_80PCT) ||
|
||||
(sav->replay->last > UINT32_80PCT))))) {
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
SAV_ADDREF(sav);
|
||||
LIST_INSERT_HEAD(&sexpireq, sav, drainq);
|
||||
continue;
|
||||
}
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
}
|
||||
}
|
||||
SAHTREE_RUNLOCK();
|
||||
@ -5282,11 +5289,11 @@ key_updateaddresses(struct socket *so, struct mbuf *m,
|
||||
* isnew == 0 -> we use the same @sah, that was used by @sav,
|
||||
* and we use its reference for @newsav.
|
||||
*/
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_WLOCK(sav);
|
||||
/* XXX: replace cntr with pointer? */
|
||||
newsav->cntr = sav->cntr;
|
||||
sav->flags |= SADB_X_EXT_F_CLONED;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_WUNLOCK(sav);
|
||||
|
||||
SAHTREE_WUNLOCK();
|
||||
|
||||
@ -7310,6 +7317,8 @@ key_expire(struct secasvar *sav, int hard)
|
||||
int error, len;
|
||||
uint8_t satype;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
IPSEC_ASSERT (sav != NULL, ("null sav"));
|
||||
IPSEC_ASSERT (sav->sah != NULL, ("null sa header"));
|
||||
|
||||
@ -7336,9 +7345,9 @@ key_expire(struct secasvar *sav, int hard)
|
||||
m_cat(result, m);
|
||||
|
||||
/* create SA extension */
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
replay_count = sav->replay ? sav->replay->count : 0;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
|
||||
m = key_setsadbxsa2(sav->sah->saidx.mode, replay_count,
|
||||
sav->sah->saidx.reqid);
|
||||
|
@ -808,12 +808,15 @@ kdebug_secreplay(struct secreplay *rpl)
|
||||
{
|
||||
int len, l;
|
||||
|
||||
SECREPLAY_LOCK(rpl);
|
||||
|
||||
IPSEC_ASSERT(rpl != NULL, ("null rpl"));
|
||||
printf(" secreplay{ count=%lu bitmap_size=%u wsize=%u last=%lu",
|
||||
rpl->count, rpl->bitmap_size, rpl->wsize, rpl->last);
|
||||
|
||||
if (rpl->bitmap == NULL) {
|
||||
printf(" }\n");
|
||||
SECREPLAY_UNLOCK(rpl);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -823,6 +826,7 @@ kdebug_secreplay(struct secreplay *rpl)
|
||||
printf("%u", (((rpl->bitmap)[len] >> l) & 1) ? 1 : 0);
|
||||
}
|
||||
printf(" }\n");
|
||||
SECREPLAY_UNLOCK(rpl);
|
||||
}
|
||||
#endif /* IPSEC_DEBUG */
|
||||
|
||||
|
@ -39,6 +39,7 @@
|
||||
#include <sys/counter.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/rmlock.h>
|
||||
|
||||
#include <netipsec/key_var.h>
|
||||
#include <opencrypto/_cryptodev.h>
|
||||
@ -157,7 +158,7 @@ struct secasvar {
|
||||
struct seckey *key_enc; /* Key for Encryption */
|
||||
struct secreplay *replay; /* replay prevention */
|
||||
struct secnatt *natt; /* NAT-T config */
|
||||
struct mtx *lock; /* update/access lock */
|
||||
struct rmlock *lock; /* update/access lock */
|
||||
|
||||
const struct xformsw *tdb_xform; /* transform */
|
||||
const struct enc_xform *tdb_encalgxform;/* encoding algorithm */
|
||||
@ -187,9 +188,13 @@ struct secasvar {
|
||||
volatile u_int refcnt; /* reference count */
|
||||
};
|
||||
|
||||
#define SECASVAR_LOCK(_sav) mtx_lock((_sav)->lock)
|
||||
#define SECASVAR_UNLOCK(_sav) mtx_unlock((_sav)->lock)
|
||||
#define SECASVAR_LOCK_ASSERT(_sav) mtx_assert((_sav)->lock, MA_OWNED)
|
||||
#define SECASVAR_RLOCK_TRACKER struct rm_priotracker _secas_tracker
|
||||
#define SECASVAR_RLOCK(_sav) rm_rlock((_sav)->lock, &_secas_tracker)
|
||||
#define SECASVAR_RUNLOCK(_sav) rm_runlock((_sav)->lock, &_secas_tracker)
|
||||
#define SECASVAR_WLOCK(_sav) rm_wlock((_sav)->lock)
|
||||
#define SECASVAR_WUNLOCK(_sav) rm_wunlock((_sav)->lock)
|
||||
#define SECASVAR_LOCK_ASSERT(_sav) rm_assert((_sav)->lock, RA_LOCKED)
|
||||
#define SECASVAR_LOCK_WASSERT(_sav) rm_assert((_sav)->lock, RA_WLOCKED)
|
||||
#define SAV_ISGCM(_sav) \
|
||||
((_sav)->alg_enc == SADB_X_EALG_AESGCM8 || \
|
||||
(_sav)->alg_enc == SADB_X_EALG_AESGCM12 || \
|
||||
@ -204,6 +209,7 @@ struct secasvar {
|
||||
* (c) read only except during creation / free
|
||||
*/
|
||||
struct secreplay {
|
||||
struct mtx lock;
|
||||
u_int64_t count; /* (m) */
|
||||
u_int wsize; /* (c) window size, i.g. 4 bytes */
|
||||
u_int64_t last; /* (m) used by receiver */
|
||||
@ -212,6 +218,10 @@ struct secreplay {
|
||||
int overflow; /* (m) overflow flag */
|
||||
};
|
||||
|
||||
#define SECREPLAY_LOCK(_r) mtx_lock(&(_r)->lock)
|
||||
#define SECREPLAY_UNLOCK(_r) mtx_unlock(&(_r)->lock)
|
||||
#define SECREPLAY_ASSERT(_r) mtx_assert(&(_r)->lock, MA_OWNED)
|
||||
|
||||
/* socket table due to send PF_KEY messages. */
|
||||
struct secreg {
|
||||
LIST_ENTRY(secreg) chain;
|
||||
|
@ -543,6 +543,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
int hl, rplen, authsize, ahsize, error;
|
||||
uint32_t seqh;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
||||
IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
|
||||
IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
|
||||
@ -563,10 +565,10 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
ah = (struct newah *)(mtod(m, caddr_t) + skip);
|
||||
|
||||
/* Check replay window, if applicable. */
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
if (sav->replay != NULL && sav->replay->wsize != 0 &&
|
||||
ipsec_chkreplay(ntohl(ah->ah_seq), &seqh, sav) == 0) {
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
AHSTAT_INC(ahs_replay);
|
||||
DPRINTF(("%s: packet replay failure: %s\n", __func__,
|
||||
ipsec_sa2str(sav, buf, sizeof(buf))));
|
||||
@ -574,7 +576,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
goto bad;
|
||||
}
|
||||
cryptoid = sav->tdb_cryptoid;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
|
||||
/* Verify AH header length. */
|
||||
hl = sizeof(struct ah) + (ah->ah_len * sizeof (u_int32_t));
|
||||
@ -699,6 +701,8 @@ ah_input_cb(struct cryptop *crp)
|
||||
int authsize, rplen, ahsize, error, skip, protoff;
|
||||
uint8_t nxt;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
m = crp->crp_buf.cb_mbuf;
|
||||
xd = crp->crp_opaque;
|
||||
CURVNET_SET(xd->vnet);
|
||||
@ -779,14 +783,14 @@ ah_input_cb(struct cryptop *crp)
|
||||
|
||||
m_copydata(m, skip + offsetof(struct newah, ah_seq),
|
||||
sizeof (seq), (caddr_t) &seq);
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
if (ipsec_updatereplay(ntohl(seq), sav)) {
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
AHSTAT_INC(ahs_replay);
|
||||
error = EACCES;
|
||||
goto bad;
|
||||
}
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -850,6 +854,8 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
uint8_t prot;
|
||||
uint32_t seqh;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
||||
ahx = sav->tdb_authalgxform;
|
||||
IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
|
||||
@ -939,13 +945,15 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
ipseczeroes);
|
||||
|
||||
/* Insert packet replay counter, as requested. */
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
if (sav->replay) {
|
||||
SECREPLAY_LOCK(sav->replay);
|
||||
if ((sav->replay->count == ~0 ||
|
||||
(!(sav->flags & SADB_X_SAFLAGS_ESN) &&
|
||||
((uint32_t)sav->replay->count) == ~0)) &&
|
||||
(sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECREPLAY_UNLOCK(sav->replay);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
|
||||
__func__, ipsec_address(&sav->sah->saidx.dst, buf,
|
||||
sizeof(buf)), (u_long) ntohl(sav->spi)));
|
||||
@ -959,9 +967,10 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
#endif
|
||||
sav->replay->count++;
|
||||
ah->ah_seq = htonl((uint32_t)sav->replay->count);
|
||||
SECREPLAY_UNLOCK(sav->replay);
|
||||
}
|
||||
cryptoid = sav->tdb_cryptoid;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
|
||||
/* Get crypto descriptors. */
|
||||
crp = crypto_getreq(cryptoid, M_NOWAIT);
|
||||
@ -1045,8 +1054,10 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
crp->crp_opaque = xd;
|
||||
|
||||
if (sav->flags & SADB_X_SAFLAGS_ESN && sav->replay != NULL) {
|
||||
SECREPLAY_LOCK(sav->replay);
|
||||
seqh = htonl((uint32_t)(sav->replay->count >> IPSEC_SEQH_SHIFT));
|
||||
memcpy(crp->crp_esn, &seqh, sizeof(seqh));
|
||||
SECREPLAY_UNLOCK(sav->replay);
|
||||
}
|
||||
|
||||
/* These are passed as-is to the callback. */
|
||||
|
@ -274,6 +274,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
uint32_t seqh;
|
||||
const struct crypto_session_params *csp;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
||||
IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
|
||||
|
||||
@ -329,10 +331,10 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
/*
|
||||
* Check sequence number.
|
||||
*/
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
if (esph != NULL && sav->replay != NULL && sav->replay->wsize != 0) {
|
||||
if (ipsec_chkreplay(ntohl(esp->esp_seq), &seqh, sav) == 0) {
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
DPRINTF(("%s: packet replay check for %s\n", __func__,
|
||||
ipsec_sa2str(sav, buf, sizeof(buf))));
|
||||
ESPSTAT_INC(esps_replay);
|
||||
@ -342,7 +344,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
seqh = htonl(seqh);
|
||||
}
|
||||
cryptoid = sav->tdb_cryptoid;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
|
||||
/* Update the counters */
|
||||
ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
|
||||
@ -494,6 +496,8 @@ esp_input_cb(struct cryptop *crp)
|
||||
crypto_session_t cryptoid;
|
||||
int hlen, skip, protoff, error, alen;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
m = crp->crp_buf.cb_mbuf;
|
||||
xd = crp->crp_opaque;
|
||||
CURVNET_SET(xd->vnet);
|
||||
@ -570,16 +574,16 @@ esp_input_cb(struct cryptop *crp)
|
||||
|
||||
m_copydata(m, skip + offsetof(struct newesp, esp_seq),
|
||||
sizeof (seq), (caddr_t) &seq);
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
if (ipsec_updatereplay(ntohl(seq), sav)) {
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
DPRINTF(("%s: packet replay check for %s\n", __func__,
|
||||
ipsec_sa2str(sav, buf, sizeof(buf))));
|
||||
ESPSTAT_INC(esps_replay);
|
||||
error = EACCES;
|
||||
goto bad;
|
||||
}
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
}
|
||||
|
||||
/* Determine the ESP header length */
|
||||
@ -694,6 +698,8 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
uint32_t seqh;
|
||||
const struct crypto_session_params *csp;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
||||
esph = sav->tdb_authalgxform;
|
||||
espx = sav->tdb_encalgxform;
|
||||
@ -786,10 +792,11 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
/* Initialize ESP header. */
|
||||
bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff,
|
||||
sizeof(uint32_t));
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
if (sav->replay) {
|
||||
uint32_t replay;
|
||||
|
||||
SECREPLAY_LOCK(sav->replay);
|
||||
#ifdef REGRESSION
|
||||
/* Emulate replay attack when ipsec_replay is TRUE. */
|
||||
if (!V_ipsec_replay)
|
||||
@ -801,11 +808,12 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
sizeof(uint32_t), sizeof(uint32_t));
|
||||
|
||||
seqh = htonl((uint32_t)(sav->replay->count >> IPSEC_SEQH_SHIFT));
|
||||
SECREPLAY_UNLOCK(sav->replay);
|
||||
}
|
||||
cryptoid = sav->tdb_cryptoid;
|
||||
if (SAV_ISCTRORGCM(sav))
|
||||
cntr = sav->cntr++;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
|
||||
/*
|
||||
* Add padding -- better to do it ourselves than use the crypto engine,
|
||||
|
@ -205,6 +205,8 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
caddr_t addr;
|
||||
int error, hlen = IPCOMP_HLENGTH;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
/*
|
||||
* Check that the next header of the IPComp is not IPComp again, before
|
||||
* doing any real work. Given it is not possible to do double
|
||||
@ -226,9 +228,9 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
goto bad;
|
||||
}
|
||||
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
cryptoid = sav->tdb_cryptoid;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
|
||||
/* Get crypto descriptors */
|
||||
crp = crypto_getreq(cryptoid, M_NOWAIT);
|
||||
@ -264,9 +266,9 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
||||
xd->vnet = curvnet;
|
||||
xd->cryptoid = cryptoid;
|
||||
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
crp->crp_session = xd->cryptoid = sav->tdb_cryptoid;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
|
||||
return crypto_dispatch(crp);
|
||||
bad:
|
||||
@ -405,6 +407,8 @@ ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
crypto_session_t cryptoid;
|
||||
int error, ralen, maxpacketsize;
|
||||
|
||||
SECASVAR_RLOCK_TRACKER;
|
||||
|
||||
IPSEC_ASSERT(sav != NULL, ("null SA"));
|
||||
ipcompx = sav->tdb_compalgxform;
|
||||
IPSEC_ASSERT(ipcompx != NULL, ("null compression xform"));
|
||||
@ -470,9 +474,9 @@ ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
}
|
||||
|
||||
/* Ok now, we can pass to the crypto processing. */
|
||||
SECASVAR_LOCK(sav);
|
||||
SECASVAR_RLOCK(sav);
|
||||
cryptoid = sav->tdb_cryptoid;
|
||||
SECASVAR_UNLOCK(sav);
|
||||
SECASVAR_RUNLOCK(sav);
|
||||
|
||||
/* Get crypto descriptors */
|
||||
crp = crypto_getreq(cryptoid, M_NOWAIT);
|
||||
|
Loading…
Reference in New Issue
Block a user