Author: jhb
Date: Wed Aug 21 22:42:08 2019
New Revision: 351358
URL: https://svnweb.freebsd.org/changeset/base/351358

Log:
  MFC 348970,348974:
  Make the warning intervals for deprecated crypto algorithms tunable.
  
  348970:
  Make the warning intervals for deprecated crypto algorithms tunable.
  
  New sysctl/tunables can now set the interval (in seconds) between
  rate-limited crypto warnings.  The new sysctls are:
  - kern.cryptodev_warn_interval for /dev/crypto
  - net.inet.ipsec.crypto_warn_interval for IPsec
  - kern.kgssapi_warn_interval for KGSSAPI
  
  348974:
  Move declaration of warninterval out from under COMPAT_FREEBSD32.
  
  This fixes builds of kernels without COMPAT_FREEBSD32.

Modified:
  stable/11/share/man/man9/Makefile
  stable/11/share/man/man9/sysctl.9
  stable/11/sys/kern/kern_sysctl.c
  stable/11/sys/kgssapi/krb5/kcrypto.c
  stable/11/sys/kgssapi/krb5/kcrypto.h
  stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c
  stable/11/sys/kgssapi/krb5/kcrypto_des.c
  stable/11/sys/kgssapi/krb5/kcrypto_des3.c
  stable/11/sys/netipsec/ipsec.c
  stable/11/sys/netipsec/ipsec.h
  stable/11/sys/netipsec/xform_ah.c
  stable/11/sys/netipsec/xform_esp.c
  stable/11/sys/opencrypto/cryptodev.c
  stable/11/sys/sys/sysctl.h
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/share/man/man9/Makefile
  stable/12/share/man/man9/sysctl.9
  stable/12/sys/kern/kern_sysctl.c
  stable/12/sys/kgssapi/krb5/kcrypto.c
  stable/12/sys/kgssapi/krb5/kcrypto.h
  stable/12/sys/kgssapi/krb5/kcrypto_arcfour.c
  stable/12/sys/kgssapi/krb5/kcrypto_des.c
  stable/12/sys/kgssapi/krb5/kcrypto_des3.c
  stable/12/sys/netipsec/ipsec.c
  stable/12/sys/netipsec/ipsec.h
  stable/12/sys/netipsec/xform_ah.c
  stable/12/sys/netipsec/xform_esp.c
  stable/12/sys/opencrypto/cryptodev.c
  stable/12/sys/sys/sysctl.h
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/share/man/man9/Makefile
==============================================================================
--- stable/11/share/man/man9/Makefile   Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/share/man/man9/Makefile   Wed Aug 21 22:42:08 2019        
(r351358)
@@ -1758,6 +1758,7 @@ MLINKS+=sysctl.9 SYSCTL_DECL.9 \
        sysctl.9 SYSCTL_ADD_S64.9 \
        sysctl.9 SYSCTL_ADD_STRING.9 \
        sysctl.9 SYSCTL_ADD_STRUCT.9 \
+       sysctl.9 SYSCTL_ADD_TIMEVAL_SEC.9 \
        sysctl.9 SYSCTL_ADD_U8.9 \
        sysctl.9 SYSCTL_ADD_U16.9 \
        sysctl.9 SYSCTL_ADD_U32.9 \
@@ -1784,6 +1785,7 @@ MLINKS+=sysctl.9 SYSCTL_DECL.9 \
        sysctl.9 SYSCTL_S64.9 \
        sysctl.9 SYSCTL_STRING.9 \
        sysctl.9 SYSCTL_STRUCT.9 \
+       sysctl.9 SYSCTL_TIMEVAL_SEC.9 \
        sysctl.9 SYSCTL_U8.9 \
        sysctl.9 SYSCTL_U16.9 \
        sysctl.9 SYSCTL_U32.9 \

Modified: stable/11/share/man/man9/sysctl.9
==============================================================================
--- stable/11/share/man/man9/sysctl.9   Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/share/man/man9/sysctl.9   Wed Aug 21 22:42:08 2019        
(r351358)
@@ -44,6 +44,7 @@
 .Nm SYSCTL_ADD_STRING ,
 .Nm SYSCTL_ADD_CONST_STRING ,
 .Nm SYSCTL_ADD_STRUCT ,
+.Nm SYSCTL_ADD_TIMEVAL_SEC ,
 .Nm SYSCTL_ADD_U8 ,
 .Nm SYSCTL_ADD_U16 ,
 .Nm SYSCTL_ADD_U32 ,
@@ -71,6 +72,7 @@
 .Nm SYSCTL_STRING ,
 .Nm SYSCTL_CONST_STRING ,
 .Nm SYSCTL_STRUCT ,
+.Nm SYSCTL_TIMEVAL_SEC ,
 .Nm SYSCTL_U8 ,
 .Nm SYSCTL_U16 ,
 .Nm SYSCTL_U32 ,
@@ -235,6 +237,16 @@
 .Fa "const char *descr"
 .Fc
 .Ft struct sysctl_oid *
+.Fo SYSCTL_ADD_TIMEVAL_SEC
+.Fa "struct sysctl_ctx_list *ctx"
+.Fa "struct sysctl_oid_list *parent"
+.Fa "int number"
+.Fa "const char *name"
+.Fa "int ctlflags"
+.Fa "struct timeval *ptr"
+.Fa "const char *descr"
+.Fc
+.Ft struct sysctl_oid *
 .Fo SYSCTL_ADD_U8
 .Fa "struct sysctl_ctx_list *ctx"
 .Fa "struct sysctl_oid_list *parent"
@@ -352,6 +364,7 @@
 .Fn SYSCTL_STRING parent number name ctlflags arg len descr
 .Fn SYSCTL_CONST_STRING parent number name ctlflags arg descr
 .Fn SYSCTL_STRUCT parent number name ctlflags ptr struct_type descr
+.Fn SYSCTL_TIMEVAL_SEC parent number name ctlflags ptr descr
 .Fn SYSCTL_U8 parent number name ctlflags ptr val descr
 .Fn SYSCTL_U16 parent number name ctlflags ptr val descr
 .Fn SYSCTL_U32 parent number name ctlflags ptr val descr
@@ -509,6 +522,21 @@ Similarly,
 .Fn sysctl_msec_to_ticks
 accepts new values in milliseconds and stores an equivalent value in ticks to
 .Fa *arg2 .
+.Pp
+The
+.Fn SYSCTL_ADD_TIMEVAL_SEC
+function and
+.Fn SYSCTL_TIMEVAL_SEC
+macro create nodes which export an in-kernel variable of type
+.Vt struct timeval .
+These nodes do not export full value of the associated structure.
+Instead, they export a count in seconds as a simple integer which is
+stored in the
+.Fa tv_sec
+field of the associated variable.
+This function and macro are intended to be used with variables which
+store a non-negative interval rather than an absolute time.
+As a result, they reject attempts to store negative values.
 .Sh CREATING ROOT NODES
 Sysctl MIBs or OIDs are created in a hierarchical tree.
 The nodes at the bottom of the tree are called root nodes, and have no
@@ -584,6 +612,7 @@ Static sysctls are declared using one of the
 .Fn SYSCTL_STRING ,
 .Fn SYSCTL_CONST_STRING ,
 .Fn SYSCTL_STRUCT ,
+.Fn SYSCTL_TIMEVAL_SEC ,
 .Fn SYSCTL_U8 ,
 .Fn SYSCTL_U16 ,
 .Fn SYSCTL_U32 ,
@@ -609,6 +638,7 @@ Dynamic nodes are created using one of the
 .Fn SYSCTL_ADD_STRING ,
 .Fn SYSCTL_ADD_CONST_STRING ,
 .Fn SYSCTL_ADD_STRUCT ,
+.Fn SYSCTL_ADD_TIMEVAL_SEC ,
 .Fn SYSCTL_ADD_U8 ,
 .Fn SYSCTL_ADD_U16 ,
 .Fn SYSCTL_ADD_U32 ,

Modified: stable/11/sys/kern/kern_sysctl.c
==============================================================================
--- stable/11/sys/kern/kern_sysctl.c    Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/kern/kern_sysctl.c    Wed Aug 21 22:42:08 2019        
(r351358)
@@ -1576,6 +1576,30 @@ retry:
 }
 
 /*
+ * Convert seconds to a struct timeval.  Intended for use with
+ * intervals and thus does not permit negative seconds.
+ */
+int
+sysctl_sec_to_timeval(SYSCTL_HANDLER_ARGS)
+{
+       struct timeval *tv;
+       int error, secs;
+
+       tv = arg1;
+       secs = tv->tv_sec;
+
+       error = sysctl_handle_int(oidp, &secs, 0, req);
+       if (error || req->newptr == NULL)
+               return (error);
+
+       if (secs < 0)
+               return (EINVAL);
+       tv->tv_sec = secs;
+
+       return (0);
+}
+
+/*
  * Transfer functions to/from kernel space.
  * XXX: rather untested at this point
  */
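Review bot: `secs = tv->tv_sec;` narrows a `time_t` into an `int` before the value is handed to sysctl_handle_int(), so a caller that reads a `struct timeval` whose tv_sec exceeds INT_MAX gets a wrapped, possibly negative, number back even though the handler itself refuses to store negatives. None of the intervals in this commit come close, but the helper is now a public sysctl.h API and nothing prevents it being attached to a larger value, so the read side should clamp or the contract should say so: `secs = (tv->tv_sec > INT_MAX) ? INT_MAX : (int)tv->tv_sec;  /* export side is int-sized */`. It would also help to note in the header comment that the store is a bare word write with no locking against concurrent ratecheck() readers, which is presumably acceptable for a monotonic-ish tuning knob but is an assumption worth stating.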

Modified: stable/11/sys/kgssapi/krb5/kcrypto.c
==============================================================================
--- stable/11/sys/kgssapi/krb5/kcrypto.c        Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/kgssapi/krb5/kcrypto.c        Wed Aug 21 22:42:08 2019        
(r351358)
@@ -32,6 +32,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/malloc.h>
 #include <sys/kobj.h>
 #include <sys/mbuf.h>
+#include <sys/sysctl.h>
 
 #include <kgssapi/gssapi.h>
 #include <kgssapi/gssapi_impl.h>
@@ -47,6 +48,11 @@ static struct krb5_encryption_class *krb5_encryption_c
        &krb5_arcfour_56_encryption_class,
        NULL
 };
+
+struct timeval krb5_warn_interval = { .tv_sec = 3600, .tv_usec = 0 };
+SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, kgssapi_warn_interval, CTLFLAG_RW,
+    &krb5_warn_interval,
+    "Delay in seconds between warnings of deprecated KGSSAPI crypto.");
 
 struct krb5_encryption_class *
 krb5_find_encryption_class(int etype)
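Review bot: The commit log describes these knobs as "sysctl/tunables", but `SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, kgssapi_warn_interval, CTLFLAG_RW, ...)` uses plain `CTLFLAG_RW`, which, unless something outside this diff registers it, does not make `kern.kgssapi_warn_interval` settable from loader.conf; only `CTLFLAG_TUN` (via `CTLFLAG_RWTUN`) does that. The same applies to the ipsec.c and cryptodev.c definitions in this revision. Either switch to `CTLFLAG_RWTUN` (the CTLTYPE_INT handler path should cope with a tunable value, but that is worth confirming for a custom handler) or adjust the commit message so administrators do not expect boot-time tuning.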

Modified: stable/11/sys/kgssapi/krb5/kcrypto.h
==============================================================================
--- stable/11/sys/kgssapi/krb5/kcrypto.h        Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/kgssapi/krb5/kcrypto.h        Wed Aug 21 22:42:08 2019        
(r351358)
@@ -99,6 +99,7 @@ extern struct krb5_encryption_class krb5_aes128_encryp
 extern struct krb5_encryption_class krb5_aes256_encryption_class;
 extern struct krb5_encryption_class krb5_arcfour_encryption_class;
 extern struct krb5_encryption_class krb5_arcfour_56_encryption_class;
+extern struct timeval krb5_warn_interval;
 
 static __inline void
 krb5_set_key(struct krb5_key_state *ks, const void *keydata)

Modified: stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c
==============================================================================
--- stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c        Wed Aug 21 22:18:07 
2019        (r351357)
+++ stable/11/sys/kgssapi/krb5/kcrypto_arcfour.c        Wed Aug 21 22:42:08 
2019        (r351358)
@@ -45,10 +45,9 @@ static void
 arcfour_init(struct krb5_key_state *ks)
 {
        static struct timeval lastwarn;
-       static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
 
        ks->ks_priv = NULL;
-       if (ratecheck(&lastwarn, &warninterval))
+       if (ratecheck(&lastwarn, &krb5_warn_interval))
                gone_in(13, "RC4 cipher for Kerberos GSS");
 }
 

Modified: stable/11/sys/kgssapi/krb5/kcrypto_des.c
==============================================================================
--- stable/11/sys/kgssapi/krb5/kcrypto_des.c    Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/kgssapi/krb5/kcrypto_des.c    Wed Aug 21 22:42:08 2019        
(r351358)
@@ -52,13 +52,12 @@ static void
 des1_init(struct krb5_key_state *ks)
 {
        static struct timeval lastwarn;
-       static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
        struct des1_state *ds;
 
        ds = malloc(sizeof(struct des1_state), M_GSSAPI, M_WAITOK|M_ZERO);
        mtx_init(&ds->ds_lock, "gss des lock", NULL, MTX_DEF);
        ks->ks_priv = ds;
-       if (ratecheck(&lastwarn, &warninterval))
+       if (ratecheck(&lastwarn, &krb5_warn_interval))
                gone_in(13, "DES cipher for Kerberos GSS");
 }
 

Modified: stable/11/sys/kgssapi/krb5/kcrypto_des3.c
==============================================================================
--- stable/11/sys/kgssapi/krb5/kcrypto_des3.c   Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/kgssapi/krb5/kcrypto_des3.c   Wed Aug 21 22:42:08 2019        
(r351358)
@@ -53,13 +53,12 @@ static void
 des3_init(struct krb5_key_state *ks)
 {
        static struct timeval lastwarn;
-       static struct timeval warninterval = { .tv_sec = 3600, .tv_usec = 0 };
        struct des3_state *ds;
 
        ds = malloc(sizeof(struct des3_state), M_GSSAPI, M_WAITOK|M_ZERO);
        mtx_init(&ds->ds_lock, "gss des3 lock", NULL, MTX_DEF);
        ks->ks_priv = ds;
-       if (ratecheck(&lastwarn, &warninterval))
+       if (ratecheck(&lastwarn, &krb5_warn_interval))
                gone_in(13, "DES3 cipher for Kerberos GSS");
 }
 

Modified: stable/11/sys/netipsec/ipsec.c
==============================================================================
--- stable/11/sys/netipsec/ipsec.c      Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/netipsec/ipsec.c      Wed Aug 21 22:42:08 2019        
(r351358)
@@ -202,6 +202,11 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
 SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat,
     ipsec4stat, "IPsec IPv4 statistics.");
 
+struct timeval ipsec_warn_interval = { .tv_sec = 1, .tv_usec = 0 };
+SYSCTL_TIMEVAL_SEC(_net_inet_ipsec, OID_AUTO, crypto_warn_interval, CTLFLAG_RW,
+    &ipsec_warn_interval,
+    "Delay in seconds between warnings of deprecated IPsec crypto 
algorithms.");
+
 #ifdef REGRESSION
 /*
  * When set to 1, IPsec will send packets with the same sequence number.

Modified: stable/11/sys/netipsec/ipsec.h
==============================================================================
--- stable/11/sys/netipsec/ipsec.h      Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/netipsec/ipsec.h      Wed Aug 21 22:42:08 2019        
(r351358)
@@ -283,6 +283,8 @@ VNET_DECLARE(int, ip4_ipsec_ecn);
 VNET_DECLARE(int, crypto_support);
 VNET_DECLARE(int, natt_cksum_policy);
 
+extern struct timeval ipsec_warn_interval;
+
 #define        IPSECSTAT_INC(name)     \
     VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1)
 #define        V_ip4_esp_trans_deflev  VNET(ip4_esp_trans_deflev)

Modified: stable/11/sys/netipsec/xform_ah.c
==============================================================================
--- stable/11/sys/netipsec/xform_ah.c   Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/netipsec/xform_ah.c   Wed Aug 21 22:42:08 2019        
(r351358)
@@ -109,7 +109,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, sta
 
 static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
 static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn;
-static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
 
 static int ah_input_cb(struct cryptop*);
 static int ah_output_cb(struct cryptop*);
@@ -179,19 +178,19 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, st
 
        switch (sav->alg_auth) {
        case SADB_AALG_MD5HMAC:
-               if (ratecheck(&md5warn, &warninterval))
+               if (ratecheck(&md5warn, &ipsec_warn_interval))
                        gone_in(13, "MD5-HMAC authenticator for IPsec");
                break;
        case SADB_X_AALG_RIPEMD160HMAC:
-               if (ratecheck(&ripewarn, &warninterval))
+               if (ratecheck(&ripewarn, &ipsec_warn_interval))
                        gone_in(13, "RIPEMD160-HMAC authenticator for IPsec");
                break;
        case SADB_X_AALG_MD5:
-               if (ratecheck(&kpdkmd5warn, &warninterval))
+               if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval))
                        gone_in(13, "Keyed-MD5 authenticator for IPsec");
                break;
        case SADB_X_AALG_SHA:
-               if (ratecheck(&kpdksha1warn, &warninterval))
+               if (ratecheck(&kpdksha1warn, &ipsec_warn_interval))
                        gone_in(13, "Keyed-SHA1 authenticator for IPsec");
                break;
        }

Modified: stable/11/sys/netipsec/xform_esp.c
==============================================================================
--- stable/11/sys/netipsec/xform_esp.c  Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/netipsec/xform_esp.c  Wed Aug 21 22:42:08 2019        
(r351358)
@@ -95,7 +95,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, st
     "ESP statistics (struct espstat, netipsec/esp_var.h");
 
 static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
-static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };
 
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
@@ -162,19 +161,19 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
 
        switch (sav->alg_enc) {
        case SADB_EALG_DESCBC:
-               if (ratecheck(&deswarn, &warninterval))
+               if (ratecheck(&deswarn, &ipsec_warn_interval))
                        gone_in(13, "DES cipher for IPsec");
                break;
        case SADB_X_EALG_BLOWFISHCBC:
-               if (ratecheck(&blfwarn, &warninterval))
+               if (ratecheck(&blfwarn, &ipsec_warn_interval))
                        gone_in(13, "Blowfish cipher for IPsec");
                break;
        case SADB_X_EALG_CAST128CBC:
-               if (ratecheck(&castwarn, &warninterval))
+               if (ratecheck(&castwarn, &ipsec_warn_interval))
                        gone_in(13, "CAST cipher for IPsec");
                break;
        case SADB_X_EALG_CAMELLIACBC:
-               if (ratecheck(&camelliawarn, &warninterval))
+               if (ratecheck(&camelliawarn, &ipsec_warn_interval))
                        gone_in(13, "Camellia cipher for IPsec");
                break;
        }

Modified: stable/11/sys/opencrypto/cryptodev.c
==============================================================================
--- stable/11/sys/opencrypto/cryptodev.c        Wed Aug 21 22:18:07 2019        
(r351357)
+++ stable/11/sys/opencrypto/cryptodev.c        Wed Aug 21 22:42:08 2019        
(r351358)
@@ -296,6 +296,11 @@ struct fcrypt {
        int             sesn;
 };
 
+static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
+SYSCTL_TIMEVAL_SEC(_kern, OID_AUTO, cryptodev_warn_interval, CTLFLAG_RW,
+    &warninterval,
+    "Delay in seconds between warnings of deprecated /dev/crypto algorithms");
+
 static int cryptof_ioctl(struct file *, u_long, void *,
                    struct ucred *, struct thread *);
 static int cryptof_stat(struct file *, struct stat *,
@@ -390,7 +395,6 @@ cryptof_ioctl(
 #endif
        static struct timeval arc4warn, blfwarn, castwarn, deswarn, md5warn;
        static struct timeval skipwarn, tdeswarn;
-       static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 };
 
        switch (cmd) {
        case CIOCGSESSION:

Modified: stable/11/sys/sys/sysctl.h
==============================================================================
--- stable/11/sys/sys/sysctl.h  Wed Aug 21 22:18:07 2019        (r351357)
+++ stable/11/sys/sys/sysctl.h  Wed Aug 21 22:42:08 2019        (r351358)
@@ -211,6 +211,8 @@ int sysctl_handle_counter_u64_array(SYSCTL_HANDLER_ARG
 int sysctl_handle_uma_zone_max(SYSCTL_HANDLER_ARGS);
 int sysctl_handle_uma_zone_cur(SYSCTL_HANDLER_ARGS);
 
+int sysctl_sec_to_timeval(SYSCTL_HANDLER_ARGS);
+
 int sysctl_dpcpu_int(SYSCTL_HANDLER_ARGS);
 int sysctl_dpcpu_long(SYSCTL_HANDLER_ARGS);
 int sysctl_dpcpu_quad(SYSCTL_HANDLER_ARGS);
@@ -790,6 +792,24 @@ TAILQ_HEAD(sysctl_ctx_list, sysctl_ctx_entry);
        sysctl_add_oid(ctx, parent, nbr, name,                          \
            CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access),       \
            __ptr, 0, sysctl_handle_uma_zone_cur, "I", __DESCR(descr)); \
+})
+
+/* OID expressing a struct timeval as seconds */
+#define        SYSCTL_TIMEVAL_SEC(parent, nbr, name, access, ptr, descr)       
\
+       SYSCTL_OID(parent, nbr, name,                                   \
+           CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access),       \
+           (ptr), 0, sysctl_sec_to_timeval, "I", descr);               \
+       CTASSERT(((access) & CTLTYPE) == 0 ||                           \
+           ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT)
+#define        SYSCTL_ADD_TIMEVAL_SEC(ctx, parent, nbr, name, access, ptr, 
descr) \
+({                                                                     \
+       struct timeval *__ptr = (ptr);                                  \
+       CTASSERT(((access) & CTLTYPE) == 0 ||                           \
+           ((access) & SYSCTL_CT_ASSERT_MASK) == CTLTYPE_INT);         \
+       sysctl_add_oid(ctx, parent, nbr, name,                          \
+           CTLTYPE_INT | CTLFLAG_MPSAFE | CTLFLAG_RD | (access),       \
+           __ptr, 0, sysctl_sec_to_timeval, "I", __DESCR(descr),       \
+           NULL);                                                      \
 })
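Review bot: `SYSCTL_ADD_TIMEVAL_SEC` type-checks its pointer through `struct timeval *__ptr = (ptr);`, but the static `SYSCTL_TIMEVAL_SEC` macro passes `(ptr)` straight into `SYSCTL_OID` as `void *`, so an `int *` or `struct timeval **` compiles silently and the handler then writes tv_sec through the wrong object. The existing CTASSERT can carry a size check that catches the common mistakes at compile time: `CTASSERT(sizeof(*(ptr)) == sizeof(struct timeval));` placed next to the access-flag assertion. A comment above the two macros stating that only tv_sec is exported and that the handler rejects negative values, mirroring what sysctl.9 now says, would save readers a trip to kern_sysctl.c.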
 
 /*