Author: jhb Date: Wed Aug 21 22:42:08 2019 New Revision: 351358 URL: https://svnweb.freebsd.org/changeset/base/351358
Log: MFC 348970,348974: Make the warning intervals for deprecated crypto algorithms tunable. 348970: Make the warning intervals for deprecated crypto algorithms tunable. New sysctl/tunables can now set the interval (in seconds) between rate-limited crypto warnings. The new sysctls are: - kern.cryptodev_warn_interval for /dev/crypto - net.inet.ipsec.crypto_warn_interval for IPsec - kern.kgssapi_warn_interval for KGSSAPI 348974: Move declaration of warninterval out from under COMPAT_FREEBSD32. This fixes builds of kernels without COMPAT_FREEBSD32. Modified: stable/11/share/man/man9/Makefile stable/11/share/man/man9/sysctl.9 stable/11/sys/kern/kern_sysctl.c stable/11/sys/kgssapi/krb5/kcrypto.c stable/11/sys/kgssapi/krb5/kcrypto.h stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c stable/11/sys/kgssapi/krb5/kcrypto_des.c stable/11/sys/kgssapi/krb5/kcrypto_des3.c stable/11/sys/netipsec/ipsec.c stable/11/sys/netipsec/ipsec.h stable/11/sys/netipsec/xform_ah.c stable/11/sys/netipsec/xform_esp.c stable/11/sys/opencrypto/cryptodev.c stable/11/sys/sys/sysctl.h Directory Properties: stable/11/ (props changed) Changes in other areas also in this revision: Modified: stable/12/share/man/man9/Makefile stable/12/share/man/man9/sysctl.9 stable/12/sys/kern/kern_sysctl.c stable/12/sys/kgssapi/krb5/kcrypto.c stable/12/sys/kgssapi/krb5/kcrypto.h stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c stable/12/sys/kgssapi/krb5/kcrypto_des.c stable/12/sys/kgssapi/krb5/kcrypto_des3.c stable/12/sys/netipsec/ipsec.c stable/12/sys/netipsec/ipsec.h stable/12/sys/netipsec/xform_ah.c stable/12/sys/netipsec/xform_esp.c stable/12/sys/opencrypto/cryptodev.c stable/12/sys/sys/sysctl.h Directory Properties: stable/12/ (props changed) Modified: stable/11/share/man/man9/Makefile ============================================================================== --- stable/11/share/man/man9/Makefile Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/share/man/man9/Makefile Wed Aug 21 22:42:08 2019 (r351358) @@ -1758,6 +1758,7 @@ MLINKS+=sysctl.9 SYSCTL_DECL.9 \ sysctl.9 SYSCTL_ADD_S64.9 \ sysctl.9 SYSCTL_ADD_STRING.9 \ sysctl.9 SYSCTL_ADD_STRUCT.9 \ + sysctl.9 SYSCTL_ADD_TIMEVAL_SEC.9 \ sysctl.9 SYSCTL_ADD_U8.9 \ sysctl.9 SYSCTL_ADD_U16.9 \ sysctl.9 SYSCTL_ADD_U32.9 \ @@ -1784,6 +1785,7 @@ MLINKS+=sysctl.9 SYSCTL_DECL.9 \ sysctl.9 SYSCTL_S64.9 \ sysctl.9 SYSCTL_STRING.9 \ sysctl.9 SYSCTL_STRUCT.9 \ + sysctl.9 SYSCTL_TIMEVAL_SEC.9 \ sysctl.9 SYSCTL_U8.9 \ sysctl.9 SYSCTL_U16.9 \ sysctl.9 SYSCTL_U32.9 \ Modified: stable/11/share/man/man9/sysctl.9 ============================================================================== --- stable/11/share/man/man9/sysctl.9 Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/share/man/man9/sysctl.9 Wed Aug 21 22:42:08 2019 (r351358) @@ -44,6 +44,7 @@ .Nm SYSCTL_ADD_STRING , .Nm SYSCTL_ADD_CONST_STRING , .Nm SYSCTL_ADD_STRUCT , +.Nm SYSCTL_ADD_TIMEVAL_SEC , .Nm SYSCTL_ADD_U8 , .Nm SYSCTL_ADD_U16 , .Nm SYSCTL_ADD_U32 , @@ -71,6 +72,7 @@ .Nm SYSCTL_STRING , .Nm SYSCTL_CONST_STRING , .Nm SYSCTL_STRUCT , +.Nm SYSCTL_TIMEVAL_SEC , .Nm SYSCTL_U8 , .Nm SYSCTL_U16 , .Nm SYSCTL_U32 , @@ -235,6 +237,16 @@ .Fa "const char *descr" .Fc .Ft struct sysctl_oid * +.Fo SYSCTL_ADD_TIMEVAL_SEC +.Fa "struct sysctl_ctx_list *ctx" +.Fa "struct sysctl_oid_list *parent" +.Fa "int number" +.Fa "const char *name" +.Fa "int ctlflags" +.Fa "struct timeval *ptr" +.Fa "const char *descr" +.Fc +.Ft struct sysctl_oid * .Fo SYSCTL_ADD_U8 .Fa "struct sysctl_ctx_list *ctx" .Fa "struct sysctl_oid_list *parent" @@ -352,6 +364,7 @@ .Fn SYSCTL_STRING parent number name ctlflags arg len descr .Fn SYSCTL_CONST_STRING parent number name ctlflags arg descr .Fn SYSCTL_STRUCT parent number name ctlflags ptr struct_type descr +.Fn SYSCTL_TIMEVAL_SEC parent number name ctlflags ptr descr .Fn SYSCTL_U8 parent number name ctlflags ptr val descr .Fn SYSCTL_U16 parent number name ctlflags ptr val descr .Fn SYSCTL_U32 parent number name ctlflags ptr val descr @@ -509,6 +522,21 @@ Similarly, .Fn sysctl_msec_to_ticks accepts new values in milliseconds and stores an equivalent value in ticks to .Fa *arg2 . +.Pp +The +.Fn SYSCTL_ADD_TIMEVAL_SEC +function and +.Fn SYSCTL_TIMEVAL_SEC +macro create nodes which export an in-kernel variable of type +.Vt struct timeval . +These nodes do not export full value of the associated structure. +Instead, they export a count in seconds as a simple integer which is +stored in the +.Fa tv_sec +field of the associated variable. +This function and macro are intended to be used with variables which +store a non-negative interval rather than an absolute time. +As a result, they reject attempts to store negative values. .Sh CREATING ROOT NODES Sysctl MIBs or OIDs are created in a hierarchical tree. The nodes at the bottom of the tree are called root nodes, and have no @@ -584,6 +612,7 @@ Static sysctls are declared using one of the .Fn SYSCTL_STRING , .Fn SYSCTL_CONST_STRING , .Fn SYSCTL_STRUCT , +.Fn SYSCTL_TIMEVAL_SEC , .Fn SYSCTL_U8 , .Fn SYSCTL_U16 , .Fn SYSCTL_U32 , @@ -609,6 +638,7 @@ Dynamic nodes are created using one of the .Fn SYSCTL_ADD_STRING , .Fn SYSCTL_ADD_CONST_STRING , .Fn SYSCTL_ADD_STRUCT , +.Fn SYSCTL_ADD_TIMEVAL_SEC , .Fn SYSCTL_ADD_U8 , .Fn SYSCTL_ADD_U16 , .Fn SYSCTL_ADD_U32 , Modified: stable/11/sys/kern/kern_sysctl.c ============================================================================== --- stable/11/sys/kern/kern_sysctl.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/kern/kern_sysctl.c Wed Aug 21 22:42:08 2019 (r351358) @@ -1576,6 +1576,30 @@ retry: } /* + * Convert seconds to a struct timeval. Intended for use with + * intervals and thus does not permit negative seconds. + */ +int +sysctl_sec_to_timeval(SYSCTL_HANDLER_ARGS) +{ + struct timeval *tv; + int error, secs; + + tv = arg1; + secs = tv->tv_sec; + + error = sysctl_handle_int(oidp, &secs, 0, req); + if (error || req->newptr == NULL) + return (error); + + if (secs < 0) + return (EINVAL); + tv->tv_sec = secs; + + return (0); +} + +/* * Transfer functions to/from kernel space. * XXX: rather untested at this point */ Modified: stable/11/sys/kgssapi/krb5/kcrypto.c ============================================================================== --- stable/11/sys/kgssapi/krb5/kcrypto.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/kgssapi/krb5/kcrypto.c Wed Aug 21 22:42:08 2019 (r351358) @@ -32,6 +32,7 @@ __FBSDID("$FreeBSD$"); #include <sys/malloc.h> #include <sys/kobj.h> #include <sys/mbuf.h> +#include <sys/sysctl.h> #include <kgssapi/gssapi.h> #include <kgssapi/gssapi_impl.h> @@ -47,6 +48,11 @@ static struct krb5_encryption_class *krb5_encryption_c &krb5_arcfour_56_encryption_class, NULL }; + +struct timeval krb5_warn_interval = { .tv_sec = 3600, .tv_usec = 0 }; +SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, kgssapi_warn_interval, CTLFLAG_RW, + &krb5_warn_interval, + "Delay in seconds between warnings of deprecated KGSSAPI crypto."); struct krb5_encryption_class * krb5_find_encryption_class(int etype) Modified: stable/11/sys/kgssapi/krb5/kcrypto.h ============================================================================== --- stable/11/sys/kgssapi/krb5/kcrypto.h Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/kgssapi/krb5/kcrypto.h Wed Aug 21 22:42:08 2019 (r351358) @@ -99,6 +99,7 @@ extern struct krb5_encryption_class krb5_aes128_encryp extern struct krb5_encryption_class krb5_aes256_encryption_class; extern struct krb5_encryption_class krb5_arcfour_encryption_class; extern struct krb5_encryption_class krb5_arcfour_56_encryption_class; +extern struct timeval krb5_warn_interval; static __inline void krb5_set_key(struct krb5_key_state *ks, const void *keydata) Modified: stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c ============================================================================== --- stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c Wed Aug 21 22:42:08 2019 (r351358) @@ -45,10 +45,9 @@ static void arcfour_init(struct krb5_key_state *ks) { static struct timeval lastwarn; - static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; ks->ks_priv = NULL; - if (ratecheck(&lastwarn, &warninterval)) + if (ratecheck(&lastwarn, &krb5_warn_interval)) gone_in(13, "RC4 cipher for Kerberos GSS"); } Modified: stable/11/sys/kgssapi/krb5/kcrypto_des.c ============================================================================== --- stable/11/sys/kgssapi/krb5/kcrypto_des.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/kgssapi/krb5/kcrypto_des.c Wed Aug 21 22:42:08 2019 (r351358) @@ -52,13 +52,12 @@ static void des1_init(struct krb5_key_state *ks) { static struct timeval lastwarn; - static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des1_state *ds; ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF); ks->ks_priv = ds; - if (ratecheck(&lastwarn, &warninterval)) + if (ratecheck(&lastwarn, &krb5_warn_interval)) gone_in(13, "DES cipher for Kerberos GSS"); } Modified: stable/11/sys/kgssapi/krb5/kcrypto_des3.c ============================================================================== --- stable/11/sys/kgssapi/krb5/kcrypto_des3.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/kgssapi/krb5/kcrypto_des3.c Wed Aug 21 22:42:08 2019 (r351358) @@ -53,13 +53,12 @@ static void des3_init(struct krb5_key_state *ks) { static struct timeval lastwarn; - static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 }; struct des3_state *ds; ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO); mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF); ks->ks_priv = ds; - if (ratecheck(&lastwarn, &warninterval)) + if (ratecheck(&lastwarn, &krb5_warn_interval)) gone_in(13, "DES3 cipher for Kerberos GSS"); } Modified: stable/11/sys/netipsec/ipsec.c ============================================================================== --- stable/11/sys/netipsec/ipsec.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/netipsec/ipsec.c Wed Aug 21 22:42:08 2019 (r351358) @@ -202,6 +202,11 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat, ipsec4stat, "IPsec IPv4 statistics."); +struct timeval ipsec_warn_interval = { .tv_sec = 1, .tv_usec = 0 }; +SYSCTL_TIMEVAL_SEC(_net_inet_ipsec, OID_AUTO, crypto_warn_interval, CTLFLAG_RW, + &ipsec_warn_interval, + "Delay in seconds between warnings of deprecated IPsec crypto algorithms."); + #ifdef REGRESSION /* * When set to 1, IPsec will send packets with the same sequence number. Modified: stable/11/sys/netipsec/ipsec.h ============================================================================== --- stable/11/sys/netipsec/ipsec.h Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/netipsec/ipsec.h Wed Aug 21 22:42:08 2019 (r351358) @@ -283,6 +283,8 @@ VNET_DECLARE(int, ip4_ipsec_ecn); VNET_DECLARE(int, crypto_support); VNET_DECLARE(int, natt_cksum_policy); +extern struct timeval ipsec_warn_interval; + #define IPSECSTAT_INC(name) \ VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1) #define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev) Modified: stable/11/sys/netipsec/xform_ah.c ============================================================================== --- stable/11/sys/netipsec/xform_ah.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/netipsec/xform_ah.c Wed Aug 21 22:42:08 2019 (r351358) @@ -109,7 +109,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, sta static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn; -static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; static int ah_input_cb(struct cryptop*); static int ah_output_cb(struct cryptop*); @@ -179,19 +178,19 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, st switch (sav->alg_auth) { case SADB_AALG_MD5HMAC: - if (ratecheck(&md5warn, &warninterval)) + if (ratecheck(&md5warn, &ipsec_warn_interval)) gone_in(13, "MD5-HMAC authenticator for IPsec"); break; case SADB_X_AALG_RIPEMD160HMAC: - if (ratecheck(&ripewarn, &warninterval)) + if (ratecheck(&ripewarn, &ipsec_warn_interval)) gone_in(13, "RIPEMD160-HMAC authenticator for IPsec"); break; case SADB_X_AALG_MD5: - if (ratecheck(&kpdkmd5warn, &warninterval)) + if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval)) gone_in(13, "Keyed-MD5 authenticator for IPsec"); break; case SADB_X_AALG_SHA: - if (ratecheck(&kpdksha1warn, &warninterval)) + if (ratecheck(&kpdksha1warn, &ipsec_warn_interval)) gone_in(13, "Keyed-SHA1 authenticator for IPsec"); break; } Modified: stable/11/sys/netipsec/xform_esp.c ============================================================================== --- stable/11/sys/netipsec/xform_esp.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/netipsec/xform_esp.c Wed Aug 21 22:42:08 2019 (r351358) @@ -95,7 +95,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, st "ESP statistics (struct espstat, netipsec/esp_var.h"); static struct timeval deswarn, blfwarn, castwarn, camelliawarn; -static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); @@ -162,19 +161,19 @@ esp_init(struct secasvar *sav, struct xformsw *xsp) switch (sav->alg_enc) { case SADB_EALG_DESCBC: - if (ratecheck(&deswarn, &warninterval)) + if (ratecheck(&deswarn, &ipsec_warn_interval)) gone_in(13, "DES cipher for IPsec"); break; case SADB_X_EALG_BLOWFISHCBC: - if (ratecheck(&blfwarn, &warninterval)) + if (ratecheck(&blfwarn, &ipsec_warn_interval)) gone_in(13, "Blowfish cipher for IPsec"); break; case SADB_X_EALG_CAST128CBC: - if (ratecheck(&castwarn, &warninterval)) + if (ratecheck(&castwarn, &ipsec_warn_interval)) gone_in(13, "CAST cipher for IPsec"); break; case SADB_X_EALG_CAMELLIACBC: - if (ratecheck(&camelliawarn, &warninterval)) + if (ratecheck(&camelliawarn, &ipsec_warn_interval)) gone_in(13, "Camellia cipher for IPsec"); break; } Modified: stable/11/sys/opencrypto/cryptodev.c ============================================================================== --- stable/11/sys/opencrypto/cryptodev.c Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/opencrypto/cryptodev.c Wed Aug 21 22:42:08 2019 (r351358) @@ -296,6 +296,11 @@ struct fcrypt { int sesn; }; +static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; +SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW, + &warninterval, + "Delay in seconds between warnings of deprecated /dev/crypto algorithms"); + static int cryptof_ioctl(struct file *, u_long, void *, struct ucred *, struct thread *); static int cryptof_stat(struct file *, struct stat *, @@ -390,7 +395,6 @@ cryptof_ioctl( #endif static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn; static struct timeval skipwarn, tdeswarn; - static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; switch (cmd) { case CIOCGSESSION: Modified: stable/11/sys/sys/sysctl.h ============================================================================== --- stable/11/sys/sys/sysctl.h Wed Aug 21 22:18:07 2019 (r351357) +++ stable/11/sys/sys/sysctl.h Wed Aug 21 22:42:08 2019 (r351358) @@ -211,6 +211,8 @@ int sysctl_handle_counter_u64_array(SYSCTL_HANDLER_ARG int sysctl_handle_uma_zone_max(SYSCTL_HANDLER_ARGS); int sysctl_handle_uma_zone_cur(SYSCTL_HANDLER_ARGS); +int sysctl_sec_to_timeval(SYSCTL_HANDLER_ARGS); + int sysctl_dpcpu_int(SYSCTL_HANDLER_ARGS); int sysctl_dpcpu_long(SYSCTL_HANDLER_ARGS); int sysctl_dpcpu_quad(SYSCTL_HANDLER_ARGS); @@ -790,6 +792,24 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry); sysctl_add_oid(ctx, parent, nbr, name, \ CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access), \ __ptr, 0, sysctl_handle_uma_zone_cur, "I", __DESCR(descr)); \ +}) + +/* OID expressing a struct timeval as seconds */ +#define SYSCTL_TIMEVAL_SEC(parent, nbr, name, access, ptr, descr) \ + SYSCTL_OID(parent, nbr, name, \ + CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access), \ + (ptr), 0, sysctl_sec_to_timeval, "I", descr); \ + CTASSERT(((access) & CTLTYPE) == 0 || \ + ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT) +#define SYSCTL_ADD_TIMEVAL_SEC(ctx, parent, nbr, name, access, ptr, descr) \ +({ \ + struct timeval *__ptr = (ptr); \ + CTASSERT(((access) & CTLTYPE) == 0 || \ + ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT); \ + sysctl_add_oid(ctx, parent, nbr, name, \ + CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access), \ + __ptr, 0, sysctl_sec_to_timeval, "I", __DESCR(descr), \ + NULL); \ }) /* _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"