Print this page
8381 Convert ipsec_alg_lock from mutex to rwlock
*** 296,311 ****
netstack_rele(ns);
return (-1);
}
ekp = (esp_kstats_t *)kp->ks_data;
! mutex_enter(&ipss->ipsec_alg_lock);
ekp->esp_stat_num_aalgs.value.ui64 =
ipss->ipsec_nalgs[IPSEC_ALG_AUTH];
ekp->esp_stat_num_ealgs.value.ui64 =
ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
! mutex_exit(&ipss->ipsec_alg_lock);
netstack_rele(ns);
return (0);
}
--- 296,311 ----
netstack_rele(ns);
return (-1);
}
ekp = (esp_kstats_t *)kp->ks_data;
! rw_enter(&ipss->ipsec_alg_lock, RW_READER);
ekp->esp_stat_num_aalgs.value.ui64 =
ipss->ipsec_nalgs[IPSEC_ALG_AUTH];
ekp->esp_stat_num_ealgs.value.ui64 =
ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
! rw_exit(&ipss->ipsec_alg_lock);
netstack_rele(ns);
return (0);
}
*** 1193,1203 ****
ipsec_action_t *ap;
ipsec_prot_t *prot;
ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
ipsec_stack_t *ipss = ns->netstack_ipsec;
! ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
prop->sadb_prop_len = SADB_8TO64(sizeof (sadb_prop_t));
*(uint32_t *)(&prop->sadb_prop_replay) = 0; /* Quick zero-out! */
--- 1193,1203 ----
ipsec_action_t *ap;
ipsec_prot_t *prot;
ipsecesp_stack_t *espstack = ns->netstack_ipsecesp;
ipsec_stack_t *ipss = ns->netstack_ipsec;
! ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock));
prop->sadb_prop_exttype = SADB_EXT_PROPOSAL;
prop->sadb_prop_len = SADB_8TO64(sizeof (sadb_prop_t));
*(uint32_t *)(&prop->sadb_prop_replay) = 0; /* Quick zero-out! */
*** 1323,1333 ****
if (pfkeymp == NULL) {
esp0dbg(("sadb_setup_acquire failed.\n"));
mutex_exit(&acqrec->ipsacq_lock);
return;
}
! ASSERT(MUTEX_HELD(&ipss->ipsec_alg_lock));
combs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] *
ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
msgmp = pfkeymp->b_cont;
samsg = (sadb_msg_t *)(msgmp->b_rptr);
--- 1323,1333 ----
if (pfkeymp == NULL) {
esp0dbg(("sadb_setup_acquire failed.\n"));
mutex_exit(&acqrec->ipsacq_lock);
return;
}
! ASSERT(RW_READ_HELD(&ipss->ipsec_alg_lock));
combs = ipss->ipsec_nalgs[IPSEC_ALG_AUTH] *
ipss->ipsec_nalgs[IPSEC_ALG_ENCR];
msgmp = pfkeymp->b_cont;
samsg = (sadb_msg_t *)(msgmp->b_rptr);
*** 1336,1346 ****
prop = (sadb_prop_t *)(((uint64_t *)samsg) + samsg->sadb_msg_len);
esp_insert_prop(prop, acqrec, combs, ns);
samsg->sadb_msg_len += prop->sadb_prop_len;
msgmp->b_wptr += SADB_64TO8(samsg->sadb_msg_len);
! mutex_exit(&ipss->ipsec_alg_lock);
/*
* Must mutex_exit() before sending PF_KEY message up, in
* order to avoid recursive mutex_enter() if there are no registered
* listeners.
--- 1336,1346 ----
prop = (sadb_prop_t *)(((uint64_t *)samsg) + samsg->sadb_msg_len);
esp_insert_prop(prop, acqrec, combs, ns);
samsg->sadb_msg_len += prop->sadb_prop_len;
msgmp->b_wptr += SADB_64TO8(samsg->sadb_msg_len);
! rw_exit(&ipss->ipsec_alg_lock);
/*
* Must mutex_exit() before sending PF_KEY message up, in
* order to avoid recursive mutex_enter() if there are no registered
* listeners.
*** 3041,3051 ****
/*
* Allocate the PF_KEY message that follows KEYSOCK_OUT.
*/
! mutex_enter(&ipss->ipsec_alg_lock);
/*
* Fill SADB_REGISTER message's algorithm descriptors. Hold
* down the lock while filling it.
*
* Return only valid algorithms, so the number of algorithms
--- 3041,3051 ----
/*
* Allocate the PF_KEY message that follows KEYSOCK_OUT.
*/
! rw_enter(&ipss->ipsec_alg_lock, RW_READER);
/*
* Fill SADB_REGISTER message's algorithm descriptors. Hold
* down the lock while filling it.
*
* Return only valid algorithms, so the number of algorithms
*** 3070,3080 ****
allocsize += (num_ealgs * sizeof (*saalg));
allocsize += sizeof (*sasupp_encr);
}
keysock_out_mp->b_cont = allocb(allocsize, BPRI_HI);
if (keysock_out_mp->b_cont == NULL) {
! mutex_exit(&ipss->ipsec_alg_lock);
freemsg(keysock_out_mp);
return (B_FALSE);
}
pfkey_msg_mp = keysock_out_mp->b_cont;
pfkey_msg_mp->b_wptr += allocsize;
--- 3070,3080 ----
allocsize += (num_ealgs * sizeof (*saalg));
allocsize += sizeof (*sasupp_encr);
}
keysock_out_mp->b_cont = allocb(allocsize, BPRI_HI);
if (keysock_out_mp->b_cont == NULL) {
! rw_exit(&ipss->ipsec_alg_lock);
freemsg(keysock_out_mp);
return (B_FALSE);
}
pfkey_msg_mp = keysock_out_mp->b_cont;
pfkey_msg_mp->b_wptr += allocsize;
*** 3164,3174 ****
}
current_aalgs = num_aalgs;
current_ealgs = num_ealgs;
! mutex_exit(&ipss->ipsec_alg_lock);
if (sens_tsl != NULL) {
sens = (sadb_sens_t *)nextext;
sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
sens_tsl, sens_len);
--- 3164,3174 ----
}
current_aalgs = num_aalgs;
current_ealgs = num_ealgs;
! rw_exit(&ipss->ipsec_alg_lock);
if (sens_tsl != NULL) {
sens = (sadb_sens_t *)nextext;
sadb_sens_from_label(sens, SADB_EXT_SENSITIVITY,
sens_tsl, sens_len);
*** 3689,3699 ****
* XXX Policy : I'm not checking identities at this time,
* but if I did, I'd do them here, before I sent
* the weak key check up to the algorithm.
*/
! mutex_enter(&ipss->ipsec_alg_lock);
/*
* First locate the authentication algorithm.
*/
#ifdef IPSEC_LATENCY_TEST
--- 3689,3699 ----
* XXX Policy : I'm not checking identities at this time,
* but if I did, I'd do them here, before I sent
* the weak key check up to the algorithm.
*/
! rw_enter(&ipss->ipsec_alg_lock, RW_READER);
/*
* First locate the authentication algorithm.
*/
#ifdef IPSEC_LATENCY_TEST
*** 3704,3714 ****
ipsec_alginfo_t *aalg;
aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
[assoc->sadb_sa_auth];
if (aalg == NULL || !ALG_VALID(aalg)) {
! mutex_exit(&ipss->ipsec_alg_lock);
esp1dbg(espstack, ("Couldn't find auth alg #%d.\n",
assoc->sadb_sa_auth));
*diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG;
return (EINVAL);
}
--- 3704,3714 ----
ipsec_alginfo_t *aalg;
aalg = ipss->ipsec_alglists[IPSEC_ALG_AUTH]
[assoc->sadb_sa_auth];
if (aalg == NULL || !ALG_VALID(aalg)) {
! rw_exit(&ipss->ipsec_alg_lock);
esp1dbg(espstack, ("Couldn't find auth alg #%d.\n",
assoc->sadb_sa_auth));
*diagnostic = SADB_X_DIAGNOSTIC_BAD_AALG;
return (EINVAL);
}
*** 3719,3738 ****
* this auth_alg is not defined with ALG_FLAG_VALID. If this
* ever changes, the same check for SADB_AALG_NONE and
* a auth_key != NULL should be made here ( see below).
*/
if (!ipsec_valid_key_size(akey->sadb_key_bits, aalg)) {
! mutex_exit(&ipss->ipsec_alg_lock);
*diagnostic = SADB_X_DIAGNOSTIC_BAD_AKEYBITS;
return (EINVAL);
}
ASSERT(aalg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
/* check key and fix parity if needed */
if (ipsec_check_key(aalg->alg_mech_type, akey, B_TRUE,
diagnostic) != 0) {
! mutex_exit(&ipss->ipsec_alg_lock);
return (EINVAL);
}
}
/*
--- 3719,3738 ----
* this auth_alg is not defined with ALG_FLAG_VALID. If this
* ever changes, the same check for SADB_AALG_NONE and
* a auth_key != NULL should be made here ( see below).
*/
if (!ipsec_valid_key_size(akey->sadb_key_bits, aalg)) {
! rw_exit(&ipss->ipsec_alg_lock);
*diagnostic = SADB_X_DIAGNOSTIC_BAD_AKEYBITS;
return (EINVAL);
}
ASSERT(aalg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
/* check key and fix parity if needed */
if (ipsec_check_key(aalg->alg_mech_type, akey, B_TRUE,
diagnostic) != 0) {
! rw_exit(&ipss->ipsec_alg_lock);
return (EINVAL);
}
}
/*
*** 3743,3753 ****
ipsec_alginfo_t *ealg;
ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
[assoc->sadb_sa_encrypt];
if (ealg == NULL || !ALG_VALID(ealg)) {
! mutex_exit(&ipss->ipsec_alg_lock);
esp1dbg(espstack, ("Couldn't find encr alg #%d.\n",
assoc->sadb_sa_encrypt));
*diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG;
return (EINVAL);
}
--- 3743,3753 ----
ipsec_alginfo_t *ealg;
ealg = ipss->ipsec_alglists[IPSEC_ALG_ENCR]
[assoc->sadb_sa_encrypt];
if (ealg == NULL || !ALG_VALID(ealg)) {
! rw_exit(&ipss->ipsec_alg_lock);
esp1dbg(espstack, ("Couldn't find encr alg #%d.\n",
assoc->sadb_sa_encrypt));
*diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG;
return (EINVAL);
}
*** 3764,3787 ****
keybits = ekey->sadb_key_bits;
keybits -= ekey->sadb_key_reserved;
keybits -= SADB_8TO1(ealg->alg_saltlen);
if ((assoc->sadb_sa_encrypt == SADB_EALG_NULL) ||
(!ipsec_valid_key_size(keybits, ealg))) {
! mutex_exit(&ipss->ipsec_alg_lock);
*diagnostic = SADB_X_DIAGNOSTIC_BAD_EKEYBITS;
return (EINVAL);
}
ASSERT(ealg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
/* check key */
if (ipsec_check_key(ealg->alg_mech_type, ekey, B_FALSE,
diagnostic) != 0) {
! mutex_exit(&ipss->ipsec_alg_lock);
return (EINVAL);
}
}
! mutex_exit(&ipss->ipsec_alg_lock);
return (esp_add_sa_finish(mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi,
diagnostic, espstack));
}
--- 3764,3787 ----
keybits = ekey->sadb_key_bits;
keybits -= ekey->sadb_key_reserved;
keybits -= SADB_8TO1(ealg->alg_saltlen);
if ((assoc->sadb_sa_encrypt == SADB_EALG_NULL) ||
(!ipsec_valid_key_size(keybits, ealg))) {
! rw_exit(&ipss->ipsec_alg_lock);
*diagnostic = SADB_X_DIAGNOSTIC_BAD_EKEYBITS;
return (EINVAL);
}
ASSERT(ealg->alg_mech_type != CRYPTO_MECHANISM_INVALID);
/* check key */
if (ipsec_check_key(ealg->alg_mech_type, ekey, B_FALSE,
diagnostic) != 0) {
! rw_exit(&ipss->ipsec_alg_lock);
return (EINVAL);
}
}
! rw_exit(&ipss->ipsec_alg_lock);
return (esp_add_sa_finish(mp, (sadb_msg_t *)mp->b_cont->b_rptr, ksi,
diagnostic, espstack));
}