diff options
author | obrien <obrien@FreeBSD.org> | 2013-02-07 00:48:42 +0000 |
---|---|---|
committer | obrien <obrien@FreeBSD.org> | 2013-02-07 00:48:42 +0000 |
commit | 952a6d5a7cd3d3f9007acfa06805262fc04a105f (patch) | |
tree | 4226b7d3d85625d95ad5c539915c73d9bf0b873f | |
parent | 5fe646bf30efb481b8410f525dd916b2c189bd7a (diff) | |
download | FreeBSD-src-952a6d5a7cd3d3f9007acfa06805262fc04a105f.zip FreeBSD-src-952a6d5a7cd3d3f9007acfa06805262fc04a105f.tar.gz |
Correct the r242545 sync with head@242525.
175 files changed, 4 insertions, 82743 deletions
diff --git a/contrib/gnu-sort/ABOUT-NLS b/contrib/gnu-sort/ABOUT-NLS deleted file mode 100644 index 8ffb467..0000000 --- a/contrib/gnu-sort/ABOUT-NLS +++ /dev/null @@ -1,716 +0,0 @@ -Notes on the Free Translation Project -************************************* - -Free software is going international! The Free Translation Project is -a way to get maintainers of free software, translators, and users all -together, so that will gradually become able to speak many languages. -A few packages already provide translations for their messages. - - If you found this `ABOUT-NLS' file inside a distribution, you may -assume that the distributed package does use GNU `gettext' internally, -itself available at your nearest GNU archive site. But you do _not_ -need to install GNU `gettext' prior to configuring, installing or using -this package with messages translated. - - Installers will find here some useful hints. These notes also -explain how users should proceed for getting the programs to use the -available translations. They tell how people wanting to contribute and -work at translations should contact the appropriate team. - - When reporting bugs in the `intl/' directory or bugs which may be -related to internationalization, you should tell about the version of -`gettext' which is used. The information can be found in the -`intl/VERSION' file, in internationalized packages. - -Quick configuration advice -========================== - -If you want to exploit the full power of internationalization, you -should configure it using - - ./configure --with-included-gettext - -to force usage of internationalizing routines provided within this -package, despite the existence of internationalizing capabilities in the -operating system where this package is being installed. So far, only -the `gettext' implementation in the GNU C library version 2 provides as -many features (such as locale alias, message inheritance, automatic -charset conversion or plural form handling) as the implementation here. -It is also not possible to offer this additional functionality on top -of a `catgets' implementation. Future versions of GNU `gettext' will -very likely convey even more functionality. So it might be a good idea -to change to GNU `gettext' as soon as possible. - - So you need _not_ provide this option if you are using GNU libc 2 or -you have installed a recent copy of the GNU gettext package with the -included `libintl'. - -INSTALL Matters -=============== - -Some packages are "localizable" when properly installed; the programs -they contain can be made to speak your own native language. Most such -packages use GNU `gettext'. Other packages have their own ways to -internationalization, predating GNU `gettext'. - - By default, this package will be installed to allow translation of -messages. It will automatically detect whether the system already -provides the GNU `gettext' functions. If not, the GNU `gettext' own -library will be used. This library is wholly contained within this -package, usually in the `intl/' subdirectory, so prior installation of -the GNU `gettext' package is _not_ required. Installers may use -special options at configuration time for changing the default -behaviour. The commands: - - ./configure --with-included-gettext - ./configure --disable-nls - -will respectively bypass any pre-existing `gettext' to use the -internationalizing routines provided within this package, or else, -_totally_ disable translation of messages. - - When you already have GNU `gettext' installed on your system and run -configure without an option for your new package, `configure' will -probably detect the previously built and installed `libintl.a' file and -will decide to use this. This might be not what is desirable. You -should use the more recent version of the GNU `gettext' library. I.e. -if the file `intl/VERSION' shows that the library which comes with this -package is more recent, you should use - - ./configure --with-included-gettext - -to prevent auto-detection. - - The configuration process will not test for the `catgets' function -and therefore it will not be used. The reason is that even an -emulation of `gettext' on top of `catgets' could not provide all the -extensions of the GNU `gettext' library. - - Internationalized packages have usually many `po/LL.po' files, where -LL gives an ISO 639 two-letter code identifying the language. Unless -translations have been forbidden at `configure' time by using the -`--disable-nls' switch, all available translations are installed -together with the package. However, the environment variable `LINGUAS' -may be set, prior to configuration, to limit the installed set. -`LINGUAS' should then contain a space separated list of two-letter -codes, stating which languages are allowed. - -Using This Package -================== - -As a user, if your language has been installed for this package, you -only have to set the `LANG' environment variable to the appropriate -`LL_CC' combination. Here `LL' is an ISO 639 two-letter language code, -and `CC' is an ISO 3166 two-letter country code. For example, let's -suppose that you speak German and live in Germany. At the shell -prompt, merely execute `setenv LANG de_DE' (in `csh'), -`export LANG; LANG=de_DE' (in `sh') or `export LANG=de_DE' (in `bash'). -This can be done from your `.login' or `.profile' file, once and for -all. - - You might think that the country code specification is redundant. -But in fact, some languages have dialects in different countries. For -example, `de_AT' is used for Austria, and `pt_BR' for Brazil. The -country code serves to distinguish the dialects. - - The locale naming convention of `LL_CC', with `LL' denoting the -language and `CC' denoting the country, is the one use on systems based -on GNU libc. On other systems, some variations of this scheme are -used, such as `LL' or `LL_CC.ENCODING'. You can get the list of -locales supported by your system for your country by running the command -`locale -a | grep '^LL''. - - Not all programs have translations for all languages. By default, an -English message is shown in place of a nonexistent translation. If you -understand other languages, you can set up a priority list of languages. -This is done through a different environment variable, called -`LANGUAGE'. GNU `gettext' gives preference to `LANGUAGE' over `LANG' -for the purpose of message handling, but you still need to have `LANG' -set to the primary language; this is required by other parts of the -system libraries. For example, some Swedish users who would rather -read translations in German than English for when Swedish is not -available, set `LANGUAGE' to `sv:de' while leaving `LANG' to `sv_SE'. - - In the `LANGUAGE' environment variable, but not in the `LANG' -environment variable, `LL_CC' combinations can be abbreviated as `LL' -to denote the language's main dialect. For example, `de' is equivalent -to `de_DE' (German as spoken in Germany), and `pt' to `pt_PT' -(Portuguese as spoken in Portugal) in this context. - -Translating Teams -================= - -For the Free Translation Project to be a success, we need interested -people who like their own language and write it well, and who are also -able to synergize with other translators speaking the same language. -Each translation team has its own mailing list. The up-to-date list of -teams can be found at the Free Translation Project's homepage, -`http://www.iro.umontreal.ca/contrib/po/HTML/', in the "National teams" -area. - - If you'd like to volunteer to _work_ at translating messages, you -should become a member of the translating team for your own language. -The subscribing address is _not_ the same as the list itself, it has -`-request' appended. For example, speakers of Swedish can send a -message to `sv-request@li.org', having this message body: - - subscribe - - Keep in mind that team members are expected to participate -_actively_ in translations, or at solving translational difficulties, -rather than merely lurking around. If your team does not exist yet and -you want to start one, or if you are unsure about what to do or how to -get started, please write to `translation@iro.umontreal.ca' to reach the -coordinator for all translator teams. - - The English team is special. It works at improving and uniformizing -the terminology in use. Proven linguistic skill are praised more than -programming skill, here. - -Available Packages -================== - -Languages are not equally supported in all packages. The following -matrix shows the current state of internationalization, as of December -2003. The matrix shows, in regard of each package, for which languages -PO files have been submitted to translation coordination, with a -translation percentage of at least 50%. - - Ready PO files am az be bg ca cs da de el en en_GB eo es - +-------------------------------------------+ - a2ps | [] [] [] [] | - aegis | () | - ant-phone | () | - anubis | | - ap-utils | | - bash | [] [] [] [] | - batchelor | | - bfd | [] [] | - binutils | [] [] | - bison | [] [] [] | - bluez-pin | [] [] | - clisp | | - clisp | [] [] [] | - coreutils | [] [] [] [] | - cpio | [] [] [] | - darkstat | [] () [] | - diffutils | [] [] [] [] [] [] [] | - e2fsprogs | [] [] | - enscript | [] [] [] [] | - error | [] [] [] [] [] | - fetchmail | [] () [] [] [] [] | - fileutils | [] [] [] | - findutils | [] [] [] [] [] [] [] | - flex | [] [] [] [] | - fslint | | - gas | [] | - gawk | [] [] [] [] | - gbiff | [] | - gcal | [] | - gcc | [] [] | - gettext | [] [] [] [] [] | - gettext-examples | [] [] [] | - gettext-runtime | [] [] [] [] [] | - gettext-tools | [] [] [] | - gimp-print | [] [] [] [] [] | - gliv | | - glunarclock | [] [] | - gnubiff | [] | - gnucash | [] () [] [] | - gnucash-glossary | [] () [] | - gnupg | [] () [] [] [] [] | - gpe-aerial | [] | - gpe-beam | [] [] | - gpe-calendar | [] [] | - gpe-clock | [] [] | - gpe-conf | [] [] | - gpe-contacts | [] [] | - gpe-edit | [] | - gpe-go | [] | - gpe-login | [] [] | - gpe-ownerinfo | [] [] | - gpe-sketchbook | [] [] | - gpe-su | [] [] | - gpe-taskmanager | [] [] | - gpe-timesheet | [] | - gpe-today | [] [] | - gpe-todo | [] [] | - gphoto2 | [] [] [] [] | - gprof | [] [] [] | - gpsdrive | () () () | - gramadoir | [] | - grep | [] [] [] [] [] [] | - gretl | [] | - gtick | () | - hello | [] [] [] [] [] [] | - id-utils | [] [] | - indent | [] [] [] [] | - jpilot | [] [] [] | - jtag | | - jwhois | [] | - kbd | [] [] [] [] [] | - latrine | () | - ld | [] [] | - libc | [] [] [] [] [] [] | - libgpewidget | [] [] | - libiconv | [] [] [] [] [] | - lifelines | [] () | - lilypond | [] | - lingoteach | | - lingoteach_lessons | () () | - lynx | [] [] [] [] | - m4 | [] [] [] [] | - mailutils | [] [] | - make | [] [] [] | - man-db | [] () [] [] () | - minicom | [] [] [] | - mysecretdiary | [] [] [] | - nano | [] () [] [] [] | - nano_1_0 | [] () [] [] [] | - opcodes | [] | - parted | [] [] [] [] [] | - ptx | [] [] [] [] [] | - python | | - radius | [] | - recode | [] [] [] [] [] [] [] | - rpm | [] [] | - screem | | - scrollkeeper | [] [] [] [] [] [] | - sed | [] [] [] [] [] | - sh-utils | [] [] [] | - shared-mime-info | | - sharutils | [] [] [] [] [] [] | - silky | () | - skencil | [] () [] | - sketch | [] () [] | - soundtracker | [] [] [] | - sp | [] | - tar | [] [] [] [] | - texinfo | [] [] [] | - textutils | [] [] [] [] | - tin | () () | - tuxpaint | [] [] [] [] [] [] [] | - util-linux | [] [] [] [] [] | - vorbis-tools | [] [] [] [] | - wastesedge | () | - wdiff | [] [] [] [] | - wget | [] [] [] [] [] [] | - xchat | [] [] [] [] | - xfree86_xkb_xml | [] | - xpad | [] | - +-------------------------------------------+ - am az be bg ca cs da de el en en_GB eo es - 0 0 8 3 37 38 56 73 15 1 5 12 64 - - et fa fi fr ga gl he hr hu id is it ja - +----------------------------------------+ - a2ps | [] [] [] () | - aegis | | - ant-phone | | - anubis | [] | - ap-utils | [] | - bash | [] [] | - batchelor | [] | - bfd | [] | - binutils | [] [] | - bison | [] [] [] [] | - bluez-pin | [] [] [] [] [] | - clisp | | - clisp | [] | - coreutils | [] [] [] [] [] [] | - cpio | [] [] [] | - darkstat | () [] [] [] | - diffutils | [] [] [] [] [] [] [] | - e2fsprogs | | - enscript | [] [] | - error | [] [] [] [] | - fetchmail | [] | - fileutils | [] [] [] [] [] [] | - findutils | [] [] [] [] [] [] [] [] [] [] | - flex | [] [] | - fslint | | - gas | [] | - gawk | [] [] [] | - gbiff | | - gcal | [] | - gcc | [] | - gettext | [] [] | - gettext-examples | [] [] | - gettext-runtime | [] [] [] [] | - gettext-tools | [] [] | - gimp-print | [] [] | - gliv | () | - glunarclock | [] [] [] [] | - gnubiff | | - gnucash | () [] | - gnucash-glossary | [] | - gnupg | [] [] [] [] [] [] [] | - gpe-aerial | [] | - gpe-beam | [] | - gpe-calendar | [] [] [] | - gpe-clock | [] | - gpe-conf | [] | - gpe-contacts | [] [] | - gpe-edit | [] [] | - gpe-go | [] | - gpe-login | [] [] | - gpe-ownerinfo | [] [] [] | - gpe-sketchbook | [] | - gpe-su | [] | - gpe-taskmanager | [] | - gpe-timesheet | [] [] [] | - gpe-today | [] [] | - gpe-todo | [] [] | - gphoto2 | [] [] [] | - gprof | [] [] | - gpsdrive | () [] () () | - gramadoir | [] | - grep | [] [] [] [] [] [] [] [] [] [] [] | - gretl | [] | - gtick | [] [] | - hello | [] [] [] [] [] [] [] [] [] [] [] [] | - id-utils | [] [] [] [] | - indent | [] [] [] [] [] [] [] [] [] | - jpilot | [] () | - jtag | | - jwhois | [] [] [] [] | - kbd | [] | - latrine | | - ld | [] | - libc | [] [] [] [] [] | - libgpewidget | [] [] [] [] | - libiconv | [] [] [] [] [] [] [] [] [] | - lifelines | () | - lilypond | [] | - lingoteach | [] [] | - lingoteach_lessons | | - lynx | [] [] [] [] | - m4 | [] [] [] [] | - mailutils | | - make | [] [] [] [] [] | - man-db | () () | - minicom | [] [] [] [] | - mysecretdiary | [] [] | - nano | [] [] [] [] | - nano_1_0 | [] [] [] [] | - opcodes | [] | - parted | [] [] [] | - ptx | [] [] [] [] [] [] [] | - python | | - radius | [] | - recode | [] [] [] [] [] [] | - rpm | | - screem | | - scrollkeeper | [] | - sed | [] [] [] [] [] [] [] [] [] | - sh-utils | [] [] [] [] [] [] [] | - shared-mime-info | [] | - sharutils | [] [] [] [] [] | - silky | [] () | - skencil | [] | - sketch | [] | - soundtracker | [] [] [] [] | - sp | [] () | - tar | [] [] [] [] [] [] [] [] [] | - texinfo | [] [] [] [] | - textutils | [] [] [] [] [] | - tin | [] () | - tuxpaint | [] [] [] [] [] [] [] [] | - util-linux | [] [] [] [] () [] | - vorbis-tools | [] | - wastesedge | () | - wdiff | [] [] [] [] [] [] | - wget | [] [] [] [] [] [] [] | - xchat | [] [] [] | - xfree86_xkb_xml | | - xpad | [] | - +----------------------------------------+ - et fa fi fr ga gl he hr hu id is it ja - 21 1 25 86 24 24 8 10 38 31 1 23 32 - - ko lg lt lv ms nb nl nn no pl pt pt_BR ro - +-------------------------------------------+ - a2ps | () [] [] () () [] [] | - aegis | () () | - ant-phone | [] [] | - anubis | [] [] [] [] [] | - ap-utils | [] () [] | - bash | [] [] | - batchelor | [] | - bfd | [] | - binutils | | - bison | [] [] [] [] | - bluez-pin | [] [] [] | - clisp | | - clisp | [] | - coreutils | [] | - cpio | [] [] [] [] [] | - darkstat | [] [] [] [] | - diffutils | [] [] [] [] | - e2fsprogs | [] | - enscript | [] [] [] | - error | [] [] [] | - fetchmail | [] [] () | - fileutils | [] [] | - findutils | [] [] [] [] [] | - flex | [] [] [] [] | - fslint | [] [] | - gas | | - gawk | [] [] [] | - gbiff | [] [] | - gcal | | - gcc | | - gettext | [] [] [] | - gettext-examples | [] [] | - gettext-runtime | [] [] [] | - gettext-tools | [] [] [] | - gimp-print | [] | - gliv | [] [] [] | - glunarclock | [] [] [] | - gnubiff | | - gnucash | [] [] () | - gnucash-glossary | [] [] | - gnupg | [] | - gpe-aerial | [] [] [] | - gpe-beam | [] [] [] | - gpe-calendar | [] [] [] | - gpe-clock | [] [] [] | - gpe-conf | [] [] [] | - gpe-contacts | [] [] [] | - gpe-edit | [] [] [] | - gpe-go | [] [] | - gpe-login | [] [] [] | - gpe-ownerinfo | [] [] [] | - gpe-sketchbook | [] [] [] | - gpe-su | [] [] [] | - gpe-taskmanager | [] [] [] | - gpe-timesheet | [] [] [] | - gpe-today | [] [] [] | - gpe-todo | [] [] [] | - gphoto2 | [] | - gprof | [] [] | - gpsdrive | () () () [] | - gramadoir | [] | - grep | [] [] [] [] | - gretl | | - gtick | [] [] | - hello | [] [] [] [] [] [] [] [] [] [] | - id-utils | [] [] [] | - indent | [] [] [] | - jpilot | () () | - jtag | | - jwhois | [] [] [] [] | - kbd | [] [] [] | - latrine | [] | - ld | | - libc | [] [] [] [] [] | - libgpewidget | [] [] [] | - libiconv | [] [] [] [] | - lifelines | | - lilypond | | - lingoteach | | - lingoteach_lessons | | - lynx | [] [] | - m4 | [] [] [] [] | - mailutils | [] [] | - make | [] [] [] [] | - man-db | [] | - minicom | [] [] [] | - mysecretdiary | [] [] [] | - nano | [] [] [] [] | - nano_1_0 | [] [] [] [] [] | - opcodes | [] [] | - parted | [] [] [] [] | - ptx | [] [] [] [] [] [] [] | - python | | - radius | [] | - recode | [] [] [] | - rpm | [] [] | - screem | | - scrollkeeper | [] [] [] [] | - sed | [] [] [] | - sh-utils | [] | - shared-mime-info | [] | - sharutils | [] | - silky | | - skencil | [] [] | - sketch | [] [] | - soundtracker | | - sp | | - tar | [] [] [] [] [] [] | - texinfo | [] [] [] | - textutils | [] [] | - tin | | - tuxpaint | [] [] [] [] [] [] [] [] [] | - util-linux | [] [] | - vorbis-tools | [] [] | - wastesedge | | - wdiff | [] [] [] [] | - wget | [] [] | - xchat | [] [] | - xfree86_xkb_xml | [] | - xpad | [] [] | - +-------------------------------------------+ - ko lg lt lv ms nb nl nn no pl pt pt_BR ro - 12 0 1 2 12 10 60 4 4 38 25 35 76 - - ru sk sl sr sv ta tr uk vi wa zh_CN zh_TW - +-------------------------------------------+ - a2ps | [] [] [] [] [] | 16 - aegis | () | 0 - ant-phone | | 2 - anubis | [] [] [] | 9 - ap-utils | () | 3 - bash | [] | 9 - batchelor | | 2 - bfd | [] [] | 6 - binutils | [] [] [] | 7 - bison | [] [] [] | 14 - bluez-pin | [] [] [] | 13 - clisp | | 0 - clisp | | 5 - coreutils | [] [] [] [] [] | 16 - cpio | [] [] [] | 14 - darkstat | [] [] [] () () | 12 - diffutils | [] [] [] [] | 22 - e2fsprogs | [] [] | 5 - enscript | [] [] [] | 12 - error | [] [] [] | 15 - fetchmail | [] [] [] | 11 - fileutils | [] [] [] [] [] [] | 17 - findutils | [] [] [] [] [] [] [] | 29 - flex | [] [] [] | 13 - fslint | | 2 - gas | [] | 3 - gawk | [] [] | 12 - gbiff | | 3 - gcal | [] [] | 4 - gcc | [] | 4 - gettext | [] [] [] [] [] [] | 16 - gettext-examples | [] [] [] [] | 11 - gettext-runtime | [] [] [] [] [] [] [] [] [] | 21 - gettext-tools | [] [] [] [] [] [] | 14 - gimp-print | [] [] | 10 - gliv | | 3 - glunarclock | [] [] [] [] | 13 - gnubiff | | 1 - gnucash | [] [] [] | 9 - gnucash-glossary | [] [] [] | 8 - gnupg | [] [] [] [] | 17 - gpe-aerial | [] [] | 7 - gpe-beam | [] [] | 8 - gpe-calendar | [] [] [] [] [] | 13 - gpe-clock | [] [] [] [] | 10 - gpe-conf | [] [] [] | 9 - gpe-contacts | [] [] [] [] | 11 - gpe-edit | [] [] [] [] [] [] | 12 - gpe-go | [] | 5 - gpe-login | [] [] [] [] [] [] | 13 - gpe-ownerinfo | [] [] [] [] [] | 13 - gpe-sketchbook | [] [] [] | 9 - gpe-su | [] [] [] [] | 10 - gpe-taskmanager | [] [] [] [] | 10 - gpe-timesheet | [] [] [] [] [] | 12 - gpe-today | [] [] [] [] [] [] | 13 - gpe-todo | [] [] [] [] [] | 12 - gphoto2 | [] [] [] | 11 - gprof | [] [] | 9 - gpsdrive | [] [] | 4 - gramadoir | | 3 - grep | [] [] [] [] [] | 26 - gretl | | 2 - gtick | [] | 5 - hello | [] [] [] [] [] | 33 - id-utils | [] [] [] | 12 - indent | [] [] [] [] [] | 21 - jpilot | [] [] [] [] [] | 9 - jtag | [] | 1 - jwhois | () () [] [] | 11 - kbd | [] [] | 11 - latrine | | 1 - ld | [] [] | 5 - libc | [] [] [] [] | 20 - libgpewidget | [] [] [] [] | 13 - libiconv | [] [] [] [] [] [] [] [] [] | 27 - lifelines | [] | 2 - lilypond | [] | 3 - lingoteach | | 2 - lingoteach_lessons | () | 0 - lynx | [] [] [] [] | 14 - m4 | [] [] [] | 15 - mailutils | [] | 5 - make | [] [] [] [] | 16 - man-db | [] | 5 - minicom | [] | 11 - mysecretdiary | [] [] | 10 - nano | [] [] [] [] [] | 17 - nano_1_0 | [] [] [] [] | 17 - opcodes | [] [] | 6 - parted | [] [] [] | 15 - ptx | [] [] [] | 22 - python | | 0 - radius | [] | 4 - recode | [] [] [] [] | 20 - rpm | [] [] [] | 7 - screem | [] [] | 2 - scrollkeeper | [] [] [] [] | 15 - sed | [] [] [] [] [] [] | 23 - sh-utils | [] [] [] | 14 - shared-mime-info | [] [] | 4 - sharutils | [] [] [] [] [] | 17 - silky | () | 2 - skencil | [] | 6 - sketch | [] | 6 - soundtracker | [] [] | 9 - sp | [] | 3 - tar | [] [] [] [] [] | 24 - texinfo | [] [] [] [] | 14 - textutils | [] [] [] [] [] | 16 - tin | | 1 - tuxpaint | [] [] [] [] [] | 29 - util-linux | [] [] [] | 15 - vorbis-tools | [] | 8 - wastesedge | | 0 - wdiff | [] [] [] [] | 18 - wget | [] [] [] [] [] [] [] [] | 23 - xchat | [] [] [] [] [] | 14 - xfree86_xkb_xml | [] [] [] [] [] [] | 8 - xpad | | 4 - +-------------------------------------------+ - 51 teams ru sk sl sr sv ta tr uk vi wa zh_CN zh_TW - 120 domains 59 42 16 25 81 0 56 12 1 10 21 22 1260 - - Some counters in the preceding matrix are higher than the number of -visible blocks let us expect. This is because a few extra PO files are -used for implementing regional variants of languages, or language -dialects. - - For a PO file in the matrix above to be effective, the package to -which it applies should also have been internationalized and -distributed as such by its maintainer. There might be an observable -lag between the mere existence a PO file and its wide availability in a -distribution. - - If December 2003 seems to be old, you may fetch a more recent copy -of this `ABOUT-NLS' file on most GNU archive sites. The most -up-to-date matrix with full percentage details can be found at -`http://www.iro.umontreal.ca/contrib/po/HTML/matrix.html'. - -Using `gettext' in new packages -=============================== - -If you are writing a freely available program and want to -internationalize it you are welcome to use GNU `gettext' in your -package. Of course you have to respect the GNU Library General Public -License which covers the use of the GNU `gettext' library. This means -in particular that even non-free programs can use `libintl' as a shared -library, whereas only free software can use `libintl' as a static -library or use modified versions of `libintl'. - - Once the sources are changed appropriately and the setup can handle -the use of `gettext' the only thing missing are the translations. The -Free Translation Project is also available for packages which are not -developed inside the GNU project. Therefore the information given above -applies also for every other Free Software Project. Contact -`translation@iro.umontreal.ca' to make the `.pot' files available to -the translation teams. diff --git a/contrib/gnu-sort/AUTHORS b/contrib/gnu-sort/AUTHORS deleted file mode 100644 index 4e8a5d4..0000000 --- a/contrib/gnu-sort/AUTHORS +++ /dev/null @@ -1,86 +0,0 @@ -Here are the names of the programs in this package, -each followed by the name(s) of its author(s). - -basename: FIXME unknown -cat: Torbjorn Granlund and Richard M. Stallman -chgrp: David MacKenzie -chmod: David MacKenzie -chown: David MacKenzie -chroot: Roland McGrath -cksum: Q. Frank Xia -comm: Richard Stallman and David MacKenzie -cp: Torbjorn Granlund, David MacKenzie, and Jim Meyering -csplit: Stuart Kemp and David MacKenzie -cut: David Ihnat, David MacKenzie, and Jim Meyering -date: David MacKenzie -dd: Paul Rubin, David MacKenzie, and Stuart Kemp -df: Torbjorn Granlund, David MacKenzie, Larry McVoy, and Paul Eggert -dircolors: H. Peter Anvin -dirname: David MacKenzie and Jim Meyering -du: Torbjorn Granlund, David MacKenzie, Larry McVoy, and Paul Eggert -echo: FIXME unknown -env: Richard Mlynarik and David MacKenzie -expand: David MacKenzie -expr: Mike Parker -factor: Paul Rubin -false: no one -fmt: Ross Paterson -fold: David MacKenzie -head: David MacKenzie -hostid: Jim Meyering -hostname: Jim Meyering -id: Arnold Robbins and David MacKenzie -install: David MacKenzie -join: Mike Haertel -kill: Paul Eggert -link: Michael Stone -ln: Mike Parker and David MacKenzie -logname: FIXME: unknown -ls: Richard Stallman and David MacKenzie -md5sum: Ulrich Drepper and Scott Miller -mkdir: David MacKenzie -mkfifo: David MacKenzie -mknod: David MacKenzie -mv: Mike Parker, David MacKenzie, and Jim Meyering -nice: David MacKenzie -nl: Scott Bartram and David MacKenzie -od: Jim Meyering -paste: David M. Ihnat and David MacKenzie -pathchk: David MacKenzie and Jim Meyering -pinky: Joseph Arceneaux, David MacKenzie, and Kaveh Ghazi -pr: Pete TerMaat and Roland Huebner -printenv: David MacKenzie and Richard Mlynarik -printf: David MacKenzie -ptx: François Pinard -pwd: Jim Meyering -rm: Paul Rubin, David MacKenzie, Richard Stallman, and Jim Meyering -rmdir: David MacKenzie -seq: Ulrich Drepper -shred: Colin Plumb -sleep: Jim Meyering and Paul Eggert -sort: Mike Haertel and Paul Eggert -split: Torbjorn Granlund and Richard M. Stallman -stat: Michael Meskes -stty: David MacKenzie -su: David MacKenzie -sum: Kayvan Aghaiepour and David MacKenzie -sync: Jim Meyering -tac: Jay Lepreau and David MacKenzie -tail: Paul Rubin, David MacKenzie, Ian Lance Taylor, and Jim Meyering -tee: Mike Parker, Richard M. Stallman, and David MacKenzie -test: FIXME: ksb and mjb -touch: Paul Rubin, Arnold Robbins, Jim Kingdon, David MacKenzie, and Randy Smith -tr: Jim Meyering -true: no one -tsort: Mark Kettenis -tty: David MacKenzie -uname: David MacKenzie -unexpand: David MacKenzie -uniq: Richard Stallman and David MacKenzie -unlink: Michael Stone -uptime: Joseph Arceneaux, David MacKenzie, and Kaveh Ghazi -users: Joseph Arceneaux and David MacKenzie -wc: Paul Rubin and David MacKenzie -who: Joseph Arceneaux, David MacKenzie, and Michael Stone -whoami: Richard Mlynarik -yes: David MacKenzie diff --git a/contrib/gnu-sort/COPYING b/contrib/gnu-sort/COPYING deleted file mode 100644 index d60c31a..0000000 --- a/contrib/gnu-sort/COPYING +++ /dev/null @@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - <one line to give the program's name and a brief idea of what it does.> - Copyright (C) <year> <name of author> - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - <signature of Ty Coon>, 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. diff --git a/contrib/gnu-sort/ChangeLog b/contrib/gnu-sort/ChangeLog deleted file mode 100644 index c027655..0000000 --- a/contrib/gnu-sort/ChangeLog +++ /dev/null @@ -1,7511 +0,0 @@ -2004-08-11 Paul Eggert <eggert@cs.ucla.edu> - - * tests/install/basic-1: Test for the -d regression. - -2004-08-11 Dmitry V. Levin <ldv@altlinux.org> - - * src/install.c (main): Fix -d regression introduced with - --target-directory support at 2004-06-25. - -2004-08-11 Paul Eggert <eggert@cs.ucla.edu> - - * src/copy.c (copy_internal): When preserving links, unlink - a destination with link count greater than one. This is so - that commands like "cp -a" don't get confused when copying into - a destination that already contains many hard links. Problem - reported by Tim Waugh in: - http://lists.gnu.org/archive/html/bug-coreutils/2004-08/msg00053.html - -2004-08-10 Paul Eggert <eggert@cs.ucla.edu> - - Convert all files to UTF-8. - * tests/fmt/basic (8-bit-pfx): Use UTF-8, not Latin-1. - * tests/sort/Test.pm (16a): Likewise. - * tests/uniq/Test.pm (8): Likewise. - * tests/misc/printf-hex: Use ASCII, not Latin-1. - - * NEWS: Document "sort -o -" and "tee -" POSIX-conformance fixes. - * src/shred.c (usage): "-" is an operand, not an option. - * src/sort.c (die, xfopen, mergefps, first_same_file, merge): - A null file arg means standard output. - (main): "-o -" means to write to a file named "-", - not to standard output. - * src/tee.c (usage, tee): "tee -" writes to standard output, not - to a file named "-". - -2004-08-10 Dmitry V. Levin <ldv@altlinux.org> - - * src/install.c (change_timestamps): Fix int->bool conversion - bugs introduced on 2004-07-29. - -2004-08-09 Paul Eggert <eggert@cs.ucla.edu> - - * src/shred.c (wipename): Work even if the directory is writeable - and not readable. Prefer write access, since this should work - better with fdatasync. - - * src/csplit.c (xalloc_die): New function. - (main): Remove now-obsolete initialization of xalloc_fail_func. - - * src/md5sum.c: Adjust to sha->sha1 renaming. - -2004-08-08 Dmitry V. Levin <ldv@altlinux.org> - - Minor code cleanup. - * src/readlink.c (canonicalize_fname): Remove unneeded proxy function. - (can_mode): Make variable local. - -2004-08-07 Paul Eggert <eggert@cs.ucla.edu> - - * src/system.h (O_BINARY) [!O_BINARY && defined O_BINARY]: - Do not define, to avoid annoying compiler messages on QNX 6.3. - Problem reported by Johan in: - http://lists.gnu.org/archive/html/bug-coreutils/2004-08/msg00050.html - -2004-08-04 Paul Eggert <eggert@cs.ucla.edu> - - * src/system.h (PRIdMAX, PRIoMAX, PRIuMAX, PRIxMAX): - Define to a concatenation of string literals, not to an expression; - needed for concatenation contexts. - (INTMAX_MAX, INTMAX_MIN): New macros. - - * src/stat.c (print_stat): Don't assume st_ino / st_dev fits in - unsigned long; this isn't true for st_ino on Solaris 9. - -2004-08-03 Paul Eggert <eggert@cs.ucla.edu> - - * src/uname.c: Do not depend on HAVE_SYSCTL when deciding - whether to include files. Include <sys/param.h> if - HAVE_SYS_PARAM_H (not HAVE_SYSCTL). - (main) [defined __POWERPC__]: Add a kludge to work around a - Mac OS X bug, so that uname -p defaults to "powerpc" if - sysctl ((int[]) {CTL_HW, HW_MACHINE_ARCH}, 2, buffer, &bufsize, 0, 0) - fails. Problem reported by Petter Reinholdtsen in: - http://lists.gnu.org/archive/html/bug-gnu-utils/2003-02/msg00201.html - - * src/uniq.c (hard_LC_COLLATE, ignore_case, different, check_file, - main): Use bool for booleans. - (writeline, check_file): Use uintmax_t for line counts. - (check_file): Check for and report line number overflow, - when that matters. - * src/wc.c (iswspace, wc): Use to_uchar rather than a cast. - (print_lines, print_words, print_chars, print_bytes, print_linelength, - have_read_stdin, wc, wc_file, main): - Use bool for booleans. - (exit_status): Remove. - (wc, wc_file): Return bool status. All callers changed. - * src/who.c (scan_entries): 0 -> STDIN_FILENO. - * src/whoami.c (main): Print uids using unsigned long int, not - unsigned int. - - * src/unexpand.c: Int cleanup and minor reorganization to be more - like src/expand.c. - Include quote.h, xstrndup.h. - (TAB_STOP_SENTINEL): Increase from INT_MAX to INTMAX_MAX. - (convert_entire_line, have_read_stdin, parse_tabstops, next_file, - unexpand, main): - Use bool for booleans. - (tab_size, tab_list, add_tabstop, validate_tabstops, unexpand): - Use uintmax_t for column counts. - (first_free_tab, validate_tabstops, unexpand): Use size_t for sizes. - (add_tabstop, parse_tabstops, main): Don't reserve UINTMAX_MAX - as a tab stop. - (parse_tabstops): Don't use ISBLANK on possibly-signed char. - Detect overflow in tab stop string. - (next_file, main): Use EXIT_FAILURE/EXIT_SUCCESS instead of 1/0. - (unexpand): Concatenate input files the same way expand does. - - * src/touch.c (no_create, use_ref, posix_date, amtime_now, - touch, main): Use bool for booleans. - (main): Avoid integer overflow when given more than INT_MAX - options. - * src/tsort.c (struct item, n_strings): Use size_t for sizes. - (have_read_stdin, count_items, scan_zeros, detect_loop, - recurse_tree, walk_tree, tsort, main): - Use bool for booleans. - (exit_status): Remove. - (tsort): Return a success flag instead of storing into a global. - (main): Use it. - * src/tty.c (silent, main): Use bool for booleans. - (main): 0 -> STDIN_FILENO. - * src/uname.c (print_element): Use bool for booleans. - - * src/test.c (TRUE, FALSE, SHELL_BOOLEAN, TRUTH_OR, TRUTH_AND): - Remove. All uses replaced by C99 boolean primitives. - (TEST_TRUE, TEST_FALSE): New constants, for readability. - (test_unop, binop, unary_operator, binary_operator, two_arguments, - three_arguments, posixtest, expr, term, and, or, is_int, age_of, - one_argument, main): Use bool for booleans. - (advance, unary_advance): Now inline procedures rather than a macros. - (is_int): Renamed from isint, to avoid namespace clash with ctype.h. - (term, and, or): When it's easy, loop instead of recursing. - (term): Avoid integer overflow if there are INT_MAX-3 args (!). - (binary_operator, unary_operator): Simplify by systematically rewriting - true==FOO to FOO (where FOO is a boolean). - (unary_operator): Don't consider a file to be a regular file - merely because its mode&S_IFMT is zero. Just use S_ISREG. - Remove unnecessary casts. Remove ifdefs for things like - S_ISSOCK that are no longer needed, since stat-macros.h always - defines them now. - - * src/tac-pipe.c (buf_init_from_stdin, find_bol, tac_mem): - Use bool for booleans. - (buf_init_from_stdin, buf_free, find_bol, print_line): - Use size_t for sizes. - * src/tac.c (separator_ends_record, tac_seekable, tac_file, - tac_stdin, tac_stdin_to_mem, main): Use bool for booleans. - (match_length, G_buffer_size, tac_seekable, main): Use size_t for sizes. - (tac_seekable): Use ptrdiff_t for pointer subtraction. - Report an error if the result is out of range. - (tac_seekable, main): Check for integer overflow in buffer size - calculations. - (main): Remove unnecessary casts. - - * src/su.c (run_shell): Pass a new n_additional_args arg, so that - the callee doesn't have to count 'em. All callers changed. - Don't allocate more space for the arg vector than we'll need. - Use memcpy to copy the args rather than rolling our own loop. - Use size_t for sizes. - (fast_startup, simulate_login, change_environment, log_su, - correct_password, restricted_shell, main): Use bool for booleans. - (longopts): Don't assume change_environment is an int. - Use NULL, not 0, for pointers. - (xsetenv): New function, replacing xputenv and concat. - All callers changed. - (elements): Remove; no longer needed. - (log_su, correct_passwd, main): Prefer !x to x==NULL. - (log_su): 2 -> STDERR_FILENO. - (modify_environment, main): Don't assume that getenv's returned value - has an indefinite lifetime. - (modify_environment): Allocate a larger environ. - (main): Remove an impossible 'case 0'; if it happens now, it'll - get diagnosed. Don't assume getpwnam results outlive endpwent. - Check for null or empty pw_name, pw_dir and for null pw_passwd. - - * src/stty.c (VA_START): Remove. All callers now use va_start. - (_POSIX_VDISABLE): Remove unnecessary cast. - (struct control_info, visible): Use cc_t for control chars. - (struct control_info): Use size_t for sizes. - (recover_mode, set_mode, display_speed, display_window_size, - valid_options, main, display_changed): - Use bool for booleans. - (integer_arg): Return unsigned long int, not long int. - Accept new max arg; all callers changed, to specify a maximum - value for integer parameters instead of silently overflowing. - (wrap): Do not overrun the stack buffer if the output contains - more than 1024 bytes. Instead, malloc a buffer. - (main): Remove a "what is this?!?" FIXME. Nobody knows what it is. - Remove unnecessary casts. - (set_control_char): Allow int values only up to cc_t range. - (screen_columns): Don't reject INT_MAX. - (display_changed, display_all, display_speed, recover_mode): - Don't assume cc_t fits in int. - - * src/remove.h: Add copyright notice. - (struct rm_options): Use bool for booleans. - * src/rmdir.c (empty_paths, ignore_fail_on_non_empty, verbose, - errno_rmdir_non_empty, remove_parents, main): Likewise. - * src/sum.c (have_read_stdin, bsd_sum_file, sysv_sum_file, - main): Likewise. - (main): Don't dump core if invoked with argv[0]==NULL. - * src/tee.c (tee, append, ignore_interrupts, main, tee): - Use bool for booleans. - (tee): Use ssize_t for read returns. - - * src/ptx.c: Add a FIXME mentioning that there are many - unchecked integer overflows in this file. - (gnu_extensions, auto_reference, input_reference, right_reference, - ignore_case, initialize_regex, fix_output_parameters, - output_one_roff_line, output_one_text_line, output_one_dumb_line, main): - Use bool for booleans. - (SKIP_SOMETHING, compare_words, digest_break_file, - find_occurs_in_text, fix_output_parameters): - Use to_uchar instead of a caset. - (print_field): Rewrite to avoid cast. - - * src/printf.c (posixly_correct): Use bool for booleans. - (verify, main): Use EXIT_FAILURE/EXIT_SUCCESS instead of 1/0. - (STRTOX): Rewrite to avoid casts. - (print_esc_char): Arg is char, not int. - * src/readlink.c (canonicalize): Remove. All uses now merely inspect - can_mode. - (no_newline, verbose): Use bool for booleans. - (can_mode): Now of type int; use -1 to denote otherwise-uninitialized. - * src/shred.c (struct Options, main): Use bool for booleans. - (isaac_seed_data, fillpattern, wipefile): Rewrite to avoid casts. - * src/split.c (cwrite, bytes_split, lines_split, line_bytes_split): - Use bool for booleans. - * src/stat.c (G_fail): Remove. - (print_statfs): Print various gotta-be-nonnegative values using - unsigned long int, not long int or int. - (do_statfs, do_stat): Return a boolean success flag. - (do_stat, main): Use bool for booleans. - - * src/pr.c: Add a FIXME mentioning that there are many - unchecked integer overflows in this file. - (TRUE, FALSE): Remove. All uses replaced by true and false. - (struct COLUMN, read_line, print_page, print_stored, open_file, - skip_to_page, init_fps, parallel_files, align_empty_cols, - empty_line, FF_only, explicit_columns, extremities, keep_FF, - print_a_FF, print_a_header, use_form_feed, have_read_stdin, - print_across_flag, storing_columns, balance_columns, - truncate_lines, join_lines, untabify_input, failed_opens, - numbered_lines, skip_count, use_esc_sequence, use_cntrl_prefix, - double_space, ignore_failed_opens, use_col_separator, - pad_vertically, last_line, main, init_parameters, skip_read, - read_line, print_stored): - Use bool for booleans. - (struct COLUMN, char_to_clump, store_char, print_char): - Use char for chars. - (clump_buff, print_clump): Use char[], not int[], for an array whose - elements are always chars. - (first_last_page, main, getoptarg, balance, add_line_number, - char_to_uclump): Remove unnecessary casts. - (init_parameters): Allocate chars, not ints, for clump_buff. - (print_char): Use to_uchar before invoking ISPRINT. - (char_to_clump): Convert to unsigned char before invoking ISPRINT. - - * src/nohup.c (main): Use bool for booleans. - * src/paste.c (paste_parallel, paste_serial, main): Likewise. - * src/pathchk.c (validate-path, main, portable_chars_only): Likewise. - (portable_chars_only): Use to_uchar rather than a cast. - * src/printenv.c (main): Use bool for booleans. - Do not assume that the environ has at most one matching entry - for each option (integer overflow was possible otherwise). - - * src/od.c (FMT_BYTES_ALLOCATED): Now an enum, not a decimal - constant. Do not assume PRIdMAX etc. are strings of length 3 or - less. - (struct tspec): Use it. fmt_string is now an array, not - a pointer, as there's little point to the indirection here. - (struct tspec, flag_dump_strings, - traditional, flag_pseudo_start, limit_bytes_to_format, - abbreviate_duplicate_blocks, have_read_stdin, simple_strtoul, - decode_one_format, open_next_file, check_and_close, - decode_format_string, skip, write_block, read_char, read_block, - parse_old_offset, dump, dump_strings, main): - Use bool for booleans. - (struct tspec): Use void *, not char *, for generic pointers. - (bytes_to_oct_digits, bytes_to_signed_dec_digits, - bytes_to_unsigned_dec_digits, bytes_to_hex_digits): - Use char, not unsigned int, since char suffices. - (print_s_char, print_char, print_s_short, print_short, - print_int, print_long, print_long_long, print_float, - print_double, print_long_double): Rewrite to avoid casts. - These now take void * arguments, instead of char *. - Use the same body for all functions, except for the choice - of type. Assume C89 to simplify handling of signed char. - (dump_hexl_mode_trailer, print_named_ascii, print_ascii): - Rewrite to avoid casts. - (print_named_ascii, print_ascii): Now takes void *, not char *. - (decode_one_format): Use int for printf field widths, not - unsigned int. Pass void * to subsidiary printers, - not char *. Simplify handling of floating-point formats - by factoring out common code dealing with precision and field width. - (decode_format_string): Avoid need for temporary copy of - each decoded struct tspec. - (get_lcm): Remove unnecessary cast. - (main): Fix bug where more than INT_MAX failed decodes were ignored. - -2004-08-02 Paul Eggert <eggert@cs.ucla.edu> - - * src/nl.c (TRUE, FALSE): Remove; all uses changed to true, false. - (enum number_format): Remove. - (FORMAT_RIGHT_NOLZ, FORMAT_RIGHT_LZ, FORMAT_LEFT): Now strings, - not enum values. - (DEFAULT_SECTION_DELIMITERS): Now an array constant, not a macro. - (section_del): Now const. - (print_fmt): Remove. - (starting_line_number, page_incr, blank_join, line_no, - print_lineno, proc_text, main): - Use intmax_t for line numbers. - (reset_numbers, have_read_stdin, build_type_arg, nl_file, main): - Use bool for booleans. - (lineno_format): Now a string, not an enum value. - (build_print_fmt): Remove. All calls removed. This work is - now done within print_lineno. - (build_type_arg): Use size_t for sizes. - (print_lineno): Check for line number overflow. - (proc_text, main): Remove unnecessary cast. - - * src/ln.c (symbolic_link, interactive, remove_existing_files, - verbose, hard_dir_link, dereference_dest_dir_symlinks, - do_link, main): Use bool for booleans. - - * src/ls.c (struct fileinfo, file_interesting, - extract_dirs_from_files, color_symlink_as_referent, - FILE_OR_LINK_MODE, sort_reverse, print_owner, print_group, - numeric_ids, print_block_size, dired, print_with_color, - check_symlink_color, print_inode, recursive, immediate_dirs, - all_files, really_all_files, qmark_funny_chars, - print_dir_name, format_needs_stat, format_needs_type, visit_dir, - main, decode_switches, parse_ls_color, print_dir, file_interesting, - gobble_file, make_link_path, basename_is_dot_or_dotdot, - extract_dirs_from_files, print_long_format): - Use bool for booleans. - (dir_defaulted): Remove; no longer needed. - (main): Use int to count files, since it suffices for argv. - Rewrite to avoid need for dir_defaulted. - (main, print_dir, gobble_file, get_link_name, - xstrcoll): - Set exit status to EXIT_SUCCES/EXIT_FAILURE rather than 0/1. - (decode_switches): Put back check for ws.ws_col <= SIZE_MAX. - Remove unnecessary cast to int. Use int instead of unsigned - int to count from 0 to 1. - (get_funky_string, print_type_indicator): Use char for bytes, not int. - (make_link_path): Use NULL for null pointers. - (quote_name): Use to_uchar instead of cast. - - * src/id.c (use_name, main, print_user, xgetgroups, print_group_list, - print_full_info): Use bool for booleans. - (problems): Remove, replacing with.... - (ok): New var (inverted from old sense). - (print_user, print_group, print_full_info): - Print uids/gids with %lu, not %u. - (xgetgroups): Don't run out of memory if getgroups or getugroups - returns -1. - * src/setuidgid.c (main): Print uids/gids with %lu, not %ld. - - * src/factor.c (wheel_tab): Use unsigned char instead of unsigned - int, since it suffices. - (factor, print_factors): Use size_t for sizes. - (print_factors, do_stdin, main): Use bool for booleans. - * src/fold.c (TAB_WIDTH): New macro; use it instead of "8". - (fold_file, main): Use bool for booleans. - (fold_file, main): Use size_t for sizes. - (main): Allow -w options up to SIZE_MAX - TAB_WIDTH - 1, instead - of prohibiting widths greater than INT_MAX. - * src/head.c (presume_input_pipe, print_headers, have_read_stdin, - write_header, elide_tail_bytes_pipe, elide_tail_bytes_file, - elide_tail_lines_pipe, elide_tail_lines_seekable, - elide_tail_lines_file, head_bytes, head_lines, head, head_file, - string_to_integer, main): - Use bool for booleans. - (main): Rewrite to avoid cast. - - * src/csplit.c (struct line): Use size_t for sizes. - (main): Remove unnecessary cast. - * src/cut.c (cut_fields): Use to_uchar rather than a cast. - * src/cut.c (cut_file, main): Use bool for booleans. - * src/date.c (show_date, rfc_format, batch_convert, main): Likewise. - * src/env.c (main): Likewise. - * src/expr.c (nextarg): Likewise. - * src/env.c (main): Remove unused and nonstandard envp arg. - - * src/fmt.c (COST, MAXWORDS): Add a comment describing some of - fmt's arbitrary limits. - (TRUE, FALSE): Remove; all uses changed to (true, false). - (main): Use bool for booleans. - Limit maximum width to MAXCHARS / 2. Use xstrtoul, not xstrtol, - to parse width. - (copy_rest): Remove unnecessary cast. - (get_prefix): Rewrite to avoid cast. - (check_punctuation): Use char *, not unsigned char *; C89 requires - this. Avoid off-by-one buffer read overrun when line is empty. - (flush_paragraph): Don't assume wptr-parabuf is <= INT_MAX. - Remove unnecessary casts. - * tests/fmt/basic (wide-1, wide-2, bad-suffix): Adjust to above - changes. - - * src/expand.c (convert_entire_line, have_read_stdin, parse_tabstops, - next_file, expand, main): - Use bool for booleans. - (tab_size, tab_list, add_tabstop, parse_tabstops, validate_tabstops, - expand, main): - Use uintmax_t for column counts. - (add_tabstop): Don't reserve -1 (now UINTMAX_MAX) as a special value. - All callers changed. - (parse_tabstops): Don't pass a negative char to isblank. - Avoid memory leak with large tab stops. - (validate_tabstops, expand): Don't assume number of tab stops is - <= INT_MAX. - (next_file, main): Use EXIT_SUCCESS/EXIT_FAILURE rather than 0/1 when - storing values into exit_status. - (expand): Use same pattern as unexpand for reading chars. - Report an error when input line is too long, instead of silently - screwing up. Do not mishandle tab stops when backspacing left - over start of line. - - * src/dircolors.c (have_read_stdin, append_quoted, - dc_parse_stream, dc_parse_file, main): Use bool for booleans. - (dc_parse_stream): Use enum for state, rather than int. - Use ssize_t to store getline result. - - * src/dd.c (translation_needed, parse_integer, scanargs, - apply_translations, char_is_saved, swab_buffer, skip_via_lseek): - Use bool for booleans. - (translate_buffer): Use to_uchar rather than a cast. - (swab_buffer, copy_simple, copy_with_unblock): - Use size_t for sizes. - - * src/seq.c (equal_width, valid_format, main): Use bool for booleans. - * src/sleep.c (apply_suffix): Likewise. - * src/tail.c (struct File_spec, reopen_inaccessible_files, count_lines, - forever, from_start, print_headers, have_read_stdin, valid_file_spec, - write_header, file_lines, pipe_lines, pipe_bytes, recheck, - tail_forever, tail_bytes, tail_lines, tail, tail_file, - parse_obsolescent_option, parse_options, main): Likewise. - * src/sleep.c (apply_suffix): Invert sense of result. - Use int (not unsigned int) for multiplier, as this generates better - code with some compilers. Simplify code a bit. - * src/tail.c (struct File_spec, max_n_unchanged_stats_between_opens, - parse_options): Use uintmax_t, not unsigned int or unsigned long int, - for state counters. - (tail_bytes, tail_lines): Redo test of return value (-1, 0, 1) to - make it a bit clearer. - - * src/hostname.c: Include "xgethostname.h". - (xgethostname): Remove decl; xgethostname.h has it. - (sethostname) [!defined(HAVE_SETHOSTNAME) && defined(HAVE_SYSINFO) - && defined (HAVE_SYS_SYSTEMINFO_H) && defined(HAVE_LIMITS_H)]: Use - prototypes rather than K&R form. Assume any negative value from - sysinfo denotes failure, not just -1. - (main): Simplify use of sethostname. - - * src/pinky.c (include_idle, include_heading, include_fullname, - include_project, include_plan, include_home_and_shell, do_short_format, - include_where, main): Use bool for booleans. - (count_ampersands, create_fullname, scan_entries, short_pinky): - Use size_t for sizes. - (create_fullname): Check for overflow in size calculations. - (idle_string): Don't assume that the number of idle days - is less than 10**8 and/or INT_MAX/(24*60*60). - (main): No need to pass a non-NULL last arg to getopt_long. - * src/uptime.c (print_uptime, uptime): Use size_t for sizes. - (print_uptime): Remove unused local variable. - (main): No need to pass a non-NULL last arg to getopt_long. - * src/users.c (list_entries_users, users): Use size_t for sizes. - (list_entries_users): Use char for bytes. - (main): No need to pass a non-NULL last arg to getopt_long. - * src/who.c (do_lookup, short_list, short_output, include_idle, - include_heading, include_mesg, include_exit, need_boottime, - need_deadprocs, need_login, need_initspawn, need_clockchange, - need_runlevel, need_users, my_line_only, main): Use bool for booleans. - (print_runlevel): Use unsigned char for bytes. - (list_entries_who, scan_entries, who): Use size_t for sizes. - (main): No need to pass a non-NULL last arg to getopt_long. - - * src/install.c (isdir): Remove decl. - (install_file_to_path): Rely on make_path to fail if the destination - is not a directory, by passing preserve_existing==true to it. - Hence we no longer need to call isdir. - Free dest_dir immediately when it's no longer needed, rather than - waiting until the end of the function. - (copy_file): Don't bother calling isdir, as copy will do the - right thing if the destination is a directory. - - * src/du.c (fts_debug, opt_all, apparent_size, opt_count_all, - print_grand_total, opt_separate_dirs, hash_ins, process_file, main): - Use bool for booleans. - (max_depth): Now size_t, not int, to avoid an arbitrary limit - of INT_MAX on depth. - (G_fail): Remove: no longer needed, now that the relevant - functions return bool. - (process_file): Use return value to signal success rather than - setting a global. Remove first_call static var; not needed, since - we can look at n_alloc. Use size_t for depths. Remove FIXME - about size_t casts, as it's now fixed. Use xnrealloc rather - than the obsolescent XREALLOC. Don't bother to check whether - reallocation is needed unless level > prev_level. - (du_files): Invert sense of result, for consistency with - other coreutils code. All callers changed. - (main): Allow --max-depth values up to SIZE_MAX. - - * src/df.c (inode_format, show_all_fs, show_local_fs, - show_listed_fs, posix_format, require_sync, print_type, - selected_fstype, excluded_fstype, show_dev, show_point, main): - Use bool for booleans. - (df_readable, show_dev): Use UINTMAX_MAX instead of -1. - (show_dev, show_point, main): - Use EXIT_SUCCESS/EXIT_FAILURE instead of 0/1. - Don't assume disk name lengths are <= INT_MAX. - Rewrite pct calculation to avoid cast. - (show_point): Don't assume resolved length is <= SSIZE_MAX. - - * src/cut.c (hash_int) [!defined UINTPTR_MAX]: Use size_t - instead of uintptr_t. - * src/shred.c (UINT_MAX_32_BITS): Remove. - (word32): Remove. All uses changed to uint32_t. - (isaac_seed_data): Remove unnecessary cast. - * src/system.h (ptr_align): Use size_t; in practice, this is just as - good as uintptr_t in checking for alignments, and has fewer - configuration hassles. - - * src/Makefile.am (localedir.h): Make it readonly; this - undoes part of the 2004-07-27 patch. - -2004-07-30 Paul Eggert <eggert@cs.ucla.edu> - - * src/sort.c (UCHAR): Remove; all uses changed to to_uchar. - (IS_THOUSANDS_SEP): Use bool when appropriate. - (numcompare, main): Use char, not int, when the value is always a char. - (numcompare): Remove "register"; compilers are smart enough these days. - * src/system.h (errno, CHAR_BIT): Remove decls; - no longer needed now we assume C89 or better. - Include <inttypes.h> before <stdint.h>, as it's the - Autoconf-recommended pattern. - (to_uchar): New inline function, moved here from tr.c. - Use full names for int types, e.g. "long int" rather than "long". - * src/tr.c (to_uchar): Remove; now in system.h. - (is_char_class_member): Use bool when appropriate. - - * src/mkdir.c (create_parents, main): Use bool when appropriate. - (main): Use EXIT_SUCCESS/EXIT_FAILURE instead of 0/1. - -2004-07-29 Paul Eggert <eggert@cs.ucla.edu> - - * src/mkfifo.c (main): Use EXIT_SUCCESS and EXIT_FAILURE, not 0 and 1. - - * src/chmod.c (recurse, force_silent, process_file, process_files, - main): Use bool when appropriate. - * src/cksum.c (cksum, main): Likewise. - * src/comm.c (hard_LC_COLLATE, only_file_1, only_file_2, both, - compare_files, main): Likewise. - - * src/copy.h (struct cp_options): Likewise. - * src/copy.c (copy_internal, is_ancestor, copy_dir, copy_reg, - same_file_ok, seen_file, copy_internal, valid_options, copy): Likewise. - * src/cp-hash.h (remember_created): Likewise. - * src/cp-hash.c (remember_created): Likewise. - * src/cp.c (struct dir_attr, flag_path, remove_trailing_slashes, - re_protect, make_path_private, target_directory_operand, do_copy, - cp_option_init, decode_preserve_arg, main): Likewise. - * src/install.c (isdir, change_timestamps, change_attributes, - copy_file, install_file_to_path, install_file_in_dir, - install_file_in_file, strip_files, dir_arg, cp_option_init, main, - change_attributes, change_timestamps): Likewise. - * src/mv.c (remove_trailing_slashes, rm_option_init, - cp_option_init, do_move, movefile, main): Likewise. - * src/remove.c (right_justify), full_filename_, AD_pop_and_chdir, - AD_push, prompt, remove_dir): Likewise. - * src/rm.c (rm_option_init, main): Likewise. - - * src/remove.c (top_dir, pop_dir, full_filename_): - Use size_t for sizes. - * src/cp.c (target_directory_operand): Do not clear *NEW_DST if stat - succeeds. It's not necessary in that case, as *NEW_DST is always - false already. - (do_copy): Rewrite slightly to avoid need for "unreachable" comment. - (main): Use EXIT_SUCCESS, EXIT_FAILURE instead of 0, 1. - * src/rm.c (main): Likewise. - - md5sum, sha1sum integer cleanups. - - * src/checksum.h: Don't include config.h, sys/types.h, stdio.h: - not needed. - (ALG_UNSPECIFIED): Remove. - (ALG_MDT): Don't make it equal to CHAR_MAX + 1; this isn't necessary. - * src/md5.c: Don't include any files other than checksum.h. - * src/sha1sum.c: Likewise. - * src/md5sum.c (OPENOPTS, have_read_stdin, status_only, warn, - bsd_split_3, split_3, hex_digits, digest_file, digest_check, main): - Use bool when appropriate. - (digest_check): Increase limit of number of input lines to - UINTMAX_MAX from INT_MAX. Diagnose any overflows of this counter. - Use ngettext instead of hard-to-i18nize hardcoded stuff for plurals. - -2004-07-28 Paul Eggert <eggert@cs.ucla.edu> - - * src/cat.c (exit_status): Remove. Now done by passing a boolean - 'ok' flag around. - (simple_cat, cat): Return true if successful. All callers changed. - (simple_cat, cat, main): Use bool for booleans. - (simple_cat): Use size_t for sizes. - (cat, main): Use the same names for parameters that we use for - long options, to avoid confusion. This inverts the sense of the - show_tabs (formerly output_tabs) and number_nonblank - (formerly numbers_at_empty_lines) variables. - (main): Don't mess up (due to integer overflow) if we are given - INT_MAX - INT_MIN + 1 options. - [O_BINARY]: Don't invoke isatty unless the other options require it. - (main): When deciding whether to use simple_cat, don't worry - about binary option; it's irrelevant. - - * src/dcgen: Remove comments, trailing white space, and empty - lines from the output strings, to save space. - Use a narrower type like 'unsigned char' for line lengths, if - that will do. - Make the output variables static, not extern. - - * src/chgrp.c (parse_group): Require base 10 when parsing - groups as integers. - (main): int -> bool when appropriate. - * src/chown.c (main): Likewise. - * src/chown-core.c: Include inttostr.h. - (UINT_MAX_DECIMAL_DIGITS, uint_to_string): Remove. - (gid_to_name, uid_to_name): Use imaxtostr/umaxtostr - instead of uint_to_string). - (describe_change): Instead of an int flag, use a char * - auxiliary; this avoids the need for casts. - Assume free (NULL) works. - (change_file_owner): Return true/false, not 0/-1, since - we don't set errno. All callers changed. - Use bool when appropriate. - (chown_files): Likewise. - * src/chown-core.h (chown_files): Likewise. - - * tests/chown/basic: Test for proper handling of uids like - "010", which must be parsed as decimal. - - * tests/misc/pwd: Don't assume that Perl's getpwd agrees with our - pwd when there are multiple names for the working directory - (which can happen with an automounter, sigh). - - * src/Makefile.am ($(SCRIPTS)): Don't depend on Makefile; - this causes Solaris 8 'make' to refuse to build "groups". - (localedir.h): Don't depend on Makefile: this causes Solaris - 8 'make' to build localedir.h unnecessarily. The dependence - on Makefile is ineffective anyway, since $(localedir) might - change even if Makefile hasn't. - - * src/remove.c (remove_dir): If we can't save the state of the - working directory, pretend we started from "/", not ".". - This avoids a bug on hosts like Solaris that don't let you - remove the working directory. - -2004-07-27 Paul Eggert <eggert@cs.ucla.edu> - - * src/printf.c (strtiomax, strtoumax): Declare if not already - declared: this fixes a portability bug with Solaris 8 + GCC. - (STRTOX): Parenthesize use of macro arg as expression. - (vstrtoimax, vstrtoumax, vstrtold): Remove now-unnecessary - parentheses. - * configure.ac: Check for declaration of strtoumax, for - src/printf.c. - - * src/Makefile.am (cp_LDADD, ginstall_LDADD, mv_LDADD, - pathchk_LDADD, rm_LDADD, test_LDADD): New vars, for eaccess. - - * tests/readlink/can-e: Don't assume that we can remove the - working directory: this isn't possible under Solaris 8, say. - * tests/readlink/can-f: Likewise. - * tests/readlink/can-m: Likewise. - - * src/copy.c (copy_internal): find_backup_file_name no longer - returns NULL, so don't bother to check for this. - * src/cp.c (do_copy): Likewise. - * src/ln.c (do_link): Likewise. - -2004-07-25 Paul Eggert <eggert@cs.ucla.edu> - - * src/nice.c (GET_NICE_VALUE): Renamed from GET_PRIORITY. - All uses changed. - (NZERO): New macro, if system doesn't define it already. - (usage): Distinguish priorities from nice values. - Don't assume NZERO is 20. - (main): Use bool instead of int where appropriate. - If user specifies an adjustment out of range, always truncate it - to an inrange value instead of sometimes giving an error message - and sometimes not. - Do not assume that -1 is an error return from "nice" or - "getpriority", as it might be the current nice value minus NZERO. - If nice/setpriority fails with errno == EPERM, go ahead and run - the command anyway; POSIX requires this. - - * src/pathchk.c: Include euidaccess.h. - (dir_ok): Use euidaccess, not access. - * src/test.c (R_OK, W_OK, X_OK, FOK): Remove; system.h defines them. - (eaccess): Remove. All users changed to use euidaccess instead. - -2004-07-24 Paul Eggert <eggert@cs.ucla.edu> - - * src/uptime.c (print_uptime) [defined BOOT_MSG]: - Don't assume ut_line is null-terminated. - * src/who.c (print_line): New arguments USERLEN and LINELEN, - since USER and LINE might not be null terminated. All callers - changed. - -2004-07-23 Paul Eggert <eggert@cs.ucla.edu> - - Fix bug with "tail -f" reported by Rob Holland in - <http://lists.gnu.org/archive/html/bug-coreutils/2004-07/msg00054.html>. - Also, remove the undocumented and unsupported-since-2000 - --max-consecutive-size-changes options. Fix another related bug: - "tail" got confused if stdin, stdout, or stderr were closed. - Also, use output buffering even with "tail -f". - - * NEWS: Document this, plus yesterday's patch. - * doc/coreutils.texi (tail invocation): "size has remained the same" - -> "file has not changed", which is more accurate for fifos. - * src/tail.c: Include fcntl-safer.h. - (COPY_TO_EOF): Set to UINTMAX_MAX, not OFF_T_MAX (which was wrong). - (COPY_A_BUFFER): New macro. - (struct File_spec): New members mtime, mode, blocking. - Remove member n_consecutive_size_changes. - (DEFAULT_MAX_N_CONSECUTIVE_SIZE_CHANGES, - max_n_consecutive_size_changes_between_opens, - MAX_CONSECUTIVE_SIZE_CHANGES_OPTION): Remove. - (long_options, tail_forever, parse_options): - Remove (non-)support for --max-consecutive-size-changes. - (record_open_fd): New function. - (recheck, tail_file): Use it. Don't assume that stdin is open. - (dump_remainder): Add support for new COPY_A_BUFFER special value. - Treat errno==EAGAIN like EOF, since it might be a nonblocking read. - (recheck): New arg BLOCKING, specifying whether to use blocking reads. - All uses changed. - (n_live_files): Remove, replacing with... - (any_live_files): New function. All uses changed. - (tail_forever): Use nonblocking I/O unless we know that blocking I/O - is safe; this avoids some hangs when reading from a fifo. - Avoid invoking fstat or sleep when using blocking I/O. - Do not check for changes to size if the file is not a regular file, - as the size is undefined in that case. - Check for changes to mtime or mode, too; this works for non-regular - files. - (tail_forever, main): Redo fflush strategy to work even when input - is nonblocking. Don't use unbuffered output; just flush when needed. - -2004-07-22 Paul Eggert <eggert@cs.ucla.edu> - - * src/tail.c (main): Ignore -f if no file operand is specified - and standard input is a pipe. - * doc/coreutils.texi (tail invocation): Do not ignore -f for - all pipes, just for when standard input is a pipe and no - file operand is specified. - * tests/tail/Test.pm: Reinstate f-1 test, since we now pass. - Add a new commented-out f-2 test, which we still fail. - (test_vector): All f-* tests are special cases, not just f-1. - -2004-07-12 Paul Eggert <eggert@cs.ucla.edu> - - * src/uptime.c: Include c-strtod.h. - (print_uptime): Use c_strtod instead of setlocale and sscanf. - Use long int rather than int to count days (for 64-bit hosts), - and check for arithmetic overflow when converting double to time_t. - -2004-07-11 Paul Eggert <eggert@cs.ucla.edu> - - * src/printf.c (vstrtold): Renamed from vstrtod. - Now returns long double. All uses changed. - (print_direc): Use "L" length modifier when printing floating point - numbers, since we're now printing long double. - -2004-07-06 Paul Eggert <eggert@cs.ucla.edu> - - * Version 5.3.0. - - printf cleanup, to avoid undefined behavior, to add support for - formats that Bash supports, and to support wide integers like - Bash does. - - * NEWS: Document this. - * src/printf.c (UNSPECIFIED): Remove. All uses now replaced by - booleans, so that we don't reserve any values for precision or - width (like Bash). - (STRTOX): Use prototype, not K&R-style definition. - (vstrtoimax): Renamed from xstrtol (to avoid confusion with xstrtol - in ../lib), with type change to intmax_t. - All uses changed. - (vstrtoumax): Renamed from xstrtoul, with type change to uintmax_t. - All uses changed. - (vstrtod): Renamed from xstrtod. All uses changed. - (print_direc): Use boolean arg instead of special value to indicate - a missing precision or width. LENGTH no longer includes - length modifiers or conversion character. New arg CONVERSION - now specifies conversion character. - Use intmax_t-width formatting for integers (like Bash). - Add support for C99 %a, %A, %F (like Bash). - Add support for field width with %c (POSIX requires this). - Add a FIXME for lack of support for field width and precision - for %b. - Add support for '\'', '0' flags. - Check for invalid combinations of flags, field width, precision, - and conversion, to prevent use of undefined behavior. - Allow multiple length modifiers, for formats like "%lld" (like Bash). - Add support for C99 'j', 't', 'z' length modifiers (like Bash). - In error message, output entire invalid conversion specification, - instead of merely outputting % followed by the conversion char. - * tests/misc/printf: Add tests for the above. - -2004-04-03 Dmitry V. Levin <ldv@altlinux.org> - - Change "readlink -f" to be more compatible with prior implementations. - Add more canonicalize options, -e and -m. - Add comprehensive tests for all readlink modes. - - * m4/canonicalize.m4 (AC_FUNC_CANONICALIZE_FILE_NAME): - Do not add canonicalize.c here. - - * src/readlink.c (longopts): Add new options. - (usage): Document them. - (canonicalize_fname): New proxy function. - (main): Handle new options. - * doc/coreutils.texi (readlink invocation): Document new - "readlink -f" behaviour and new canonicalize options, -e and -m. - - * configure.ac (AC_CONFIG_FILES): Add tests/readlink/Makefile. - * tests/Makefile.am (SUBDIRS): Add readlink. - * tests/readlink/Makefile.am: New file. - * tests/readlink/{rl-1,can-e,can-f,can-m}: New readlink tests. - * tests/misc/Makefile.am (TESTS): Remove basic readlink test. - * tests/misc/readlink: Remove file. - -2004-07-04 Jim Meyering <jim@meyering.net> - - * src/copy.c (copy_internal): Add a FIXME comment. - -2004-07-02 Paul Eggert <eggert@cs.ucla.edu> - - * src/copy.c (copy_dir): Assume path_concat returns non-NULL. - * src/cp.c (do_copy): Likewise. - * src/mv.c (movefile): Likewise. - - * src/cp.c (make_path_private): 2nd arg is now size_t, not int, - to avoid problem when path_concat dir name is longer than 2 GiB (!). - - * src/nohup.c (main): Don't pass NULL first argument to path_concat. - This cleans up the semantics a bit, as we no longer try to open the - same file twice. - -2004-07-01 Paul Eggert <eggert@cs.ucla.edu> - - * NEWS: Add short names -t and -T for --target-directory - and --no-target-directory options, respectively. - - * src/cp.c (NO_TARGET_DIRECTORY_OPTION, TARGET_DIRECTORY_OPTION): - Remove. All uses changed to 'T' and 't', respectively. - * src/install.c, src/ln.c, src/mv.c: Likewise. - - * src/cp.c (long_opts, usage, do_copy, main): Add -t and -T as - aliases for --target-directory and --no-target-directory, - respectively. - * src/install.c (long_options, main, usage): Likewise. - * src/ln.c, src/mv.c: Likewise. - -2004-07-01 Jim Meyering <jim@meyering.net> - - * Makefile.maint (sc_file_system): New target. - (syntax-check-rules): Add it. - .x-sc_file_system: New file. - * Makefile.am (EXTRA_DIST): Add it. - - * man/sync.x: Use "file system" rather than "filesystem". - * man/stat.x, man/df.x: Likewise. - -2004-06-30 Paul Eggert <eggert@cs.ucla.edu> - - * src/df.c (usage, main): Output "file system" rather than - "filesystem". - * src/du.c (usage): Likewise. - * src/shred.c (usage): Likewise. - * src/stat.c (usage): Likewise. - * src/stat.c (long_options, usage): Rename "--filesystem" to - "--file-system". But keep the old name around, for compatibility - reasons. - -2004-06-29 Paul Eggert <eggert@cs.ucla.edu> - - Add support for --no-target-directory option. - - * NEWS: Document it. - * doc/coreutils.texi (Common options, Target directory, cp - invocation, install invocation, mv invocation, ln invocation): - Likewise. - (link invocation): Explain how to rewrite link using ln now - that we have --no-target-directory. - (ln invocation): Explain that --no-target-directory subsumes - --no-dereference. - (unlink invocation): Modify wording to match new wording in - link invocation. - - * src/cp.c (NO_TARGET_DIRECTORY_OPTION): New constant. - (long_opts, usage, do_copy, main): Add support for - --no-target-directory, - * src/install.c (NO_TARGET_DIRECTORY_OPTION, long_options, main, - usage): Likewise. - * src/ln.c (NO_TARGET_DIRECTORY_OPTION, long_options, usage, - main): Likewise. - * src/mv.c (NO_TARGET_DIRECTORY_OPTION, long_options, usage, - main): Likewise. - * src/mv.c (enum): Sort values. - -2004-06-29 Jim Meyering <jim@meyering.net> - - Don't let verbose-mode output from a subshell obscure actual differences. - * tests/rm/inaccessible: Turn off command-echoing just before - invoking subshell, then turn it back on if VERBOSE=yes afterward. - -2004-06-25 Paul Eggert <eggert@cs.ucla.edu> - - Add support for 'install --target-directory', an option - that has been documented for years but not implemented (!). - * doc/coreutils.texi (install invocation): Document - --target-directory in synopsis, too. - * src/install.c (TARGET_DIRECTORY_OPTION): New var. - (long_options, main, usage): Add --target-directory. - (target_directory_operand): New function, stolen from mv.c. - (main): Use it. Check for -d and --target-directory. - Alter wording of diagnostics to match other programs. - -2004-06-28 Jim Meyering <jim@meyering.net> - - * src/cp.c (usage): Fix copy+paste error in description of - --target-directory: s/move/copy/. From Paul Jarc. - -2004-06-27 Paul Eggert <eggert@cs.ucla.edu> - - Use more-consistent rules among cp, ln, and mv when dealing with - last operands that are (or look like) directories. - - * src/cp.c (target_directory_operand): New, nearly-common function, - It reports an error if the destination appears to be a directory - (e.g., because it has a trailing slash) but is not. - * src/ln.c, src/mv.c: Likewise. - * src/cp.c (do_copy): Use it. - * src/ln.c (main): Likewise. - * src/mv.c (main): Likewise. - - * src/cp.c (do_copy): Don't assume argc is positive. - Don't bother to lstat dest, since copy() will do that for us. - Use "const" to avoid the need for cast. - - * src/cp.c (do_copy): Don't output a usage message because of file - problems (e.g., an operand is not a directory). Use it only for - syntax. Standardize on "target %s is not a directory" for the - diagnostic. - * src/ln.c (main): Likewise. - * src/mv.c (main): Likewise. - - * src/cp.c (do_copy): Remove test for trailing slash, since - target_directory_operand now does this. - * src/ln.c (main): Likewise. - * src/mv.c (movefile): Likewise. - - * src/cp.c (main): Reject multiple target directories. - Check whether a specified target is a directory when parsing the - options, using stat. This gives more-accurate diagnostics. - * src/ln.c (main): Likewise. - - * src/ln.c (isdir): Remove decl; no longer needed. - * src/mv.c (isdir, lstat): Likewise. - - * src/ln.c (do_link): New arg dest_is_dir. All uses changed. - Don't check the destination ourself; rely on dest_is_dir. - This way we can avoid lstatting the destination in the - usual case, and in the worst case we lstat 1, not 3 times. - Don't bother to unlink unless link failed; this saves a syscall. - Remove unnecessary backup_succeeded flag; - it was identical to "dest_backup != NULL". - - * src/ln.c (main): Use int to count to argc, not unsigned int. - This handles negative operand counts. - * src/mv.c (main): Likewise. - - * src/mv.c (do_move): Don't call hash_init; expect the caller to - do it, for consistency with cp.c and ln.c. All callers changed. - (movefile): dest_is_dir parameter is now bool, not int. - (main): Standardize on "missing destination file operand after %s" - for the diagnostic, for consistency with cp.c. - - * tests/mv/diag: Don't assume "mv --target=nonexistentdir" - will complain about the arg count. - Adjust to new (briefer) diagnostics. - * tests/cp/fail-perm: Add a test to verify that we get the new - diagnostic when failing to copy through a symlink-to-inaccessible-dir. - -2004-06-27 Paul Eggert <eggert@cs.ucla.edu> - - Fix a bug: formerly, if d/x was a directory and x a file, "ln x - d/" incorrectly created a link d/x/x. It also saves some system - calls. - - * NEWS: Document the fix. - - * src/ln.c (main): Don't append basename to dest if this - results in an existing directory name. - * tests/ln/misc: See whether a trailing slash is followed too far. - -2004-06-26 Jim Meyering <jim@meyering.net> - - * src/printf.c (main): When given no arguments, print the standard - "missing operand\nTry printf --help..." message -- to be consistent. - -2004-06-26 Jim Meyering <jim@meyering.net> - - * src/mknod.c (main): Add \n at the end of message output via fprintf. - -2004-06-25 Jim Meyering <jim@meyering.net> - - * tests/ln/misc: Add test for ln subscript error. - -2004-06-23 Paul Eggert <eggert@cs.ucla.edu> - - * src/ln.c (do_link): Remove unnecessary call to lstat. - (main): Avoid subscript error when the destination is "". - -2004-06-23 Jim Meyering <jim@meyering.net> - - * tests/*: Replace all occurrences of `(exit N); exit' with - `(exit N); exit N'. Otherwise, those many tests could exit with - improper exit status when exiting via e.g., a trapped interrupt. - Thanks to a report from Bob Proulx. - -2004-06-22 Paul Eggert <eggert@cs.ucla.edu> - - * src/who.c (idle_string, print_user): New arg boottime, - specifying the most recent boot time. All uses changed. - (idle_string) Consider a line to be "old" if it hasn't been used - since the last boot time. Watch out for overflow when computing - times, and for times in the future. - (idle_string): Record latest boot time. - -2004-06-22 Jim Meyering <jim@meyering.net> - - * src/test.c (usage): Correct description of `-t FD'. The file - descriptor, FD, is no longer optional. Reported by Ton Nijkes. - -2004-06-21 Paul Eggert <eggert@cs.ucla.edu> - - The 2004-06-19 fix for who and pinky was incomplete, as ctime - has undefined behavior if the year precedes -999 or follows 9999. - Since we have to stop using ctime anyway, we might as well use - strftime and fix the FIXME, and support internationalized dates. - - * NEWS: Document the new behavior. - * src/who.c: Include "hard-locale.h". - (time_format, time_format_width): New vars. - (time_string, print_line): Use them. - (main): Set them. - (time_string): Use localtime + strftime instead of - ctime, to avoid problems with years before -999 or after 9999. - * src/pinky.c: Likewise. - -2004-06-21 Paul Eggert <eggert@cs.ucla.edu> - - Fix bug: GNU 'ls' didn't count columns correctly if user or group - names contained multibyte characters where the column count - differed from the byte count. This patch also corrects - some comments. - - * src/ls.c (format_user_or_group): New function, which counts - columns correctly. - (format_user, format_group): Use it. - (format_user_or_group_width): New function, which counts columns - correctly. - (format_user_width, format_group_width): Use it. - -2004-06-21 Jim Meyering <jim@meyering.net> - - * tests/priv-check: Quote "$PATH" in PATH=$PATH. - Suggestion from Andreas Schwab. - - * tests/priv-check: When running as root, be sure to propagate - PATH through to the process we exec as non-root. - Reported by michael@aplatform.com. - - * src/mknod.c (main): Don't segfault when calculating the - expected number of operands for `mknod NAME'. - -2004-06-20 Jim Meyering <jim@meyering.net> - - * src/dd.c (input_seek_errno): Declare file-scoped variable as static. - -2004-06-20 Paul Eggert <eggert@cs.ucla.edu> - - * src/basename.c (main): - Standardize on the diagnostics given when someone gives - too few operands ("missing operand after `xxx'") or - too many operands ("extra operand `xxx'"). - Include "quote.h" and/or "error.h" if it wasn't already being included. - * src/chgrp.c (main): Likewise. - * src/chmod.c (main): Likewise. - * src/chown.c (main): Likewise. - * src/chroot.c (main): Likewise. - * src/comm.c (main): Likewise. - * src/cp.c (do_copy): Likewise. - * src/csplit.c (main): Likewise. - * src/date.c (main): Likewise. - * src/dircolors.c (main): Likewise. - * src/dirname.c (main): Likewise. - * src/du.c (main): Likewise. - * src/expr.c (main): Likewise. - * src/hostid.c (main): Likewise. - * src/hostname.c (main): Likewise. - * src/id.c (main): Likewise. - * src/install.c (main): Likewise. - * src/join.c (add_file_name, main): Likewise. - * src/link.c (main): Likewise. - * src/ln.c (main): Likewise. - * src/logname.c (main): Likewise. - * src/md5sum.c (main): Likewise. - * src/mkdir.c (main): Likewise. - * src/mkfifo.c (main): Likewise. - * src/mknod.c (main): Likewise. - * src/mv.c (main): Likewise. - * src/nohup.c (main): Likewise. - * src/od.c (main): Likewise. - * src/pathchk.c (main): Likewise. - * src/ptx.c (main): Likewise. - * src/readlink.c (main): Likewise. - * src/rm.c (main): Likewise. - * src/rmdir.c (main): Likewise. - * src/seq.c (main): Likewise. - * src/setuidgid.c (main): Likewise. - * src/shred.c (main): Likewise. - * src/sleep.c (main): Likewise. - * src/sort.c (main): Likewise. - * src/split.c (main): Likewise. - * src/stat.c (main): Likewise. - * src/test.c (beyond, main): Likewise. - * src/touch.c (main): Likewise. - * src/tr.c (main): Likewise. - * src/tsort.c (main): Likewise. - * src/tty.c (main): Likewise. - * src/uname.c (main): Likewise. - * src/uniq.c (main): Likewise. - * src/unlink.c (main): Likewise. - * src/uptime.c (main): Likewise. - * src/users.c (main): Likewise. - * src/who.c (main): Likewise. - * src/whoami.c (main): Likewise. - - * tests/basename/basic: Adjust to new diagnostics. - * tests/du/files0-from: Likewise. - * tests/expr/basic: Likewise. - * tests/mv/diag: Likewise. - * tests/tsort/basic-1: Likewise. - -2004-06-20 Jim Meyering <jim@meyering.net> - - * src/ln.c: Remove declaration of yesno. - Instead, include yesno.h. - * src/copy.c: Likewise. - - * src/remove.c: Remove declaration of yesno. - Instead, include yesno.h. - (top_dir): Remove now-unnecessary cast of obstack_base. - (pop_dir): Likewise. - (full_filename_): Likewise. - -2004-06-19 Paul Eggert <eggert@cs.ucla.edu> - - Don't dump core if ctime returns NULL; this is possible on - hosts with 64-bit time_t and 32-bit int. - * src/who.c: Include "inttostr.h". - (time_string): If ctime fails, print the raw time as an integer - instead of dumping core. - * src/pinky.c: Likewise, as follows: - Include "inttostr.h". - (time_string): New function, copied from who.c. - (print_entry): Use it. - -2004-06-19 Paul Eggert <eggert@cs.ucla.edu> - - * src/who.c (print_line): Don't truncate user names at 8 bytes. - Problem reported by Guido Leenders in: - http://lists.gnu.org/archive/html/bug-coreutils/2004-06/msg00056.html - * NEWS: document this. - -2004-06-19 Jim Meyering <jim@meyering.net> - - * src/system.h (case_GETOPT_VERSION_CHAR): Switch back to - using GNU_PACKAGE (from PACKAGE) once again. This restores - `GNU' to the parenthesized package name in --version output. - Before, the first argument from AC_INIT, `GNU coreutils', would - be propagated to the PACKAGE variable. Now, `GNU ' is trimmed. - Reported by Richard Stallman. - -2004-06-17 Jim Meyering <jim@meyering.net> - - * src/tr.c (to_uchar): Rename function from `uchar'. The latter - would clash with a typedef in Tru64's <sys/types.h>. From Albert Chin. - -2004-06-15 Paul Eggert <eggert@cs.ucla.edu> - - * NEWS: Remove more special cases for POSIXLY_CORRECT when POSIX - allows the GNU behavior. "--" is now supported by chroot, hostid, - hosname, pwd, sync, yes. - * doc/coreutils.texi (yes invocation, false invocation, - true invocation): Document this. - * src/chroot.c (main): Handle "--". - * src/hostid.c (main): Likewise. - * src/hostname.c (main): Likewise. - * src/pwd.c (main): Likewise. - * src/sync.c (main): Likewise. - * src/yes.c (main): Likewise. - * src/true.c (main): Recognize --help and --version even if - POSIXLY_CORRECT is set. - * src/yes.c (main): Likewise. - -2004-06-09 Paul Eggert <eggert@cs.ucla.edu> - - * NEWS: Remove special cases for POSIXLY_CORRECT when POSIX allows - the GNU behavior. - * doc/coreutils.texi (pr invocation, unlink invocation): Document this. - * src/ls.c (decode_switches): Pay attention to TABSIZE even if - POSIXLY_CORRECT is set. POSIX reserves upper-case environment - variables to the implementation, so it's OK for ls to depend on - TABSIZE. - * src/pr.c: Include "hard-locale.h". - (main): When in a non-POSIX locale, ignore POSIXLY_CORRECT, since - POSIX specifies the behavior only in the POSIX locale. - * src/printf.c (print_esc): Support \x, \u, \U even if POSIXLY_CORRECT, - since POSIX says the behavior is unspecified here. - * src/tail.c (parse_obsolescent_option): Support multiple file operands - even if POSIXLY_CORRECT, since POSIX does not require a diagnostic. - * src/printf.c (main): Recognize --help, --version even if - POSIXLY_CORRECT. POSIX does not specify any options, but it - does not prohibit options either, so "printf" is like "expr" here. - * src/unlink.c (main): Likewise. - * tests/misc/printf: Adjust to the new semantics for \x if - POSIXLY_CORRECT. - -2004-06-14 Jim Meyering <jim@meyering.net> - - * tests/misc/pwd: New test, for fix of 2004-04-19. - * tests/misc/Makefile.am (TESTS): Add pwd. - (BUILD_SRC_DIR): Define BUILD_SRC_DIR. - - * src/copy.c: Remove declaration of euidaccess. - Instead, include "euidaccess.h". - -2004-06-13 Paul Eggert <eggert@cs.ucla.edu> - - * src/who.c (PIDSTR_DECL_AND_INIT): Don't assume pid_t fits in int. - (UT_ID) [!HAVE_STRUCT_XTMP_UT_ID]: Remove bogus comment, - as (sizeof "??") reliably returns 3. - (print_line): Guard against idle and pid being too long - (which is possible when printing headers). - (print_user): Allocate enough bytes for idlestr. Use IDLESTR_LEN. - Avoid unnecessary cast of sizeof to int. - (make_id_equals_comment): Do not assume that UT_ID returns - a string; it might return a non-null-terminated array. - Use strncat instead. It's not very often where strncat is - exactly what you want, but this is one of those rare cases. - -2004-06-11 Paul Eggert <eggert@cs.ucla.edu> - - * src/who.c (list_entries_who): Don't output a trailing space. - -2004-06-09 Jim Meyering <jim@meyering.net> - - * src/touch.c (usage): Improve wording in description of the - --time=WORD option. Reported by Dan Jacobson. - - * src/chown-core.c (change_file_owner): Change names of parameters - old_uid and old_gid to required_uid and required_gid respectively. - - * src/chmod.c (mode_changed): Return false, not 0, now that the - function returns `bool'. - -2004-06-08 Paul Eggert <eggert@cs.ucla.edu> - - Adjust chmod and chown to be similar if -c or -v are given. In - particular, a no-op chown is no longer reported as a change; this - reverts to previous behavior. Also, fix both commands so that -v - report failures even if the failure is not due to the chmod or - chown syscalls. - - * src/chmod.c (CH_NOT_APPLIED): New constant. - (describe_change): Handle it. - (process_file): Use it, if a symlink wasn't changed. - (mode_changed): Return bool, not int. Accept new argument - NEW_MODE; all callers changed. This lets us avoid statting the - file unless the new mode has unusual bits. - (process_file): Return -1 on error. With -v, report all errors - verbosely, not just some. - - * src/chown-core.c (change_file_owner): Return -1 on error, not - 1 sometimes and -1 on others. Our caller ORs together our results, - and (-1 | 1) == 0 on ones-complement hosts. - With -v report all errors verbosely, not just some. - Fix bug when chopt->root_dev_ino && !chopt->affect_symlink_referent: - file_stats wasn't set properly in that case. - - * tests/chgrp/basic: Adjust to above changes. - -2004-05-20 Paul Eggert <eggert@cs.ucla.edu> - - * tests/chgrp/basic: Test that chgrp -h does not fail on - symlinks, even on hosts where that's not supported. - Test that if -R is specified without -H or L, -h is assumed. - Test that chown() is not optimized away. - -2004-05-18 Paul Eggert <eggert@cs.ucla.edu> - - Several fixes to chgrp and chown for compatibility with POSIX and BSD: - - Check for incompatible options. When -R and --dereference are - both used, then either -H or -L must also be used. When -R and -h - are both used, then -P must be in effect. - - -H, -L, and -P have no effect unless -R is also specified. - If -P and -R are both specified, -h is assumed. - - Do not optimize away the chown() system call when the file's owner - and group already have the desired value. This optimization was - incorrect, as it failed to updated the last-changed time and reset - special permission bits, as POSIX requires. - - Do not report an error if the owner or group of a - recursively-encountered symbolic link cannot be updated because - the file system does not support it. - - * NEWS: Document the above. - - * src/chgrp.c (main): Check for incompatible options. -R --dereference - requires either -H or -L, and -R -h requires -P. If -H, specify - FTS_PHYSICAL as well as FTS_COMFOLLOW; this is faster. Make this - file as much like chown.c as possible. - * src/chown.c (main): Likewise. - - * src/chown-core.c (change_file_owner): Use ent->fts_statp only if - needed. Chown a directory only after chowning its children; this - avoids problems if the new directory ownership doesn't permit - access to the children. Dereference symlinks before doing - ROOT_DEV_INO_CHECK, not after, so that we catch symlinks to /. - Do not optimize away the chown() system call when the file's owner - and group already have the desired value. POSIX does not permit - this optimization. Rely on chown and lchown to do the right - thing with symlinks and/or -1 arguments, now that we have wrappers - to do this. Use ENOTSUPP not ENOSYS, and ignore all ENOTSUPP - errors, not just command-line errors. - (chown_files): Pass FTS_NOSTAT to xfts_open if we don't need file status. - - * src/system.h (ENOTSUP): Remove. - - * tests/chgrp/basic: Use chown --from to discover whether the - group changed, since chgrp now changes unconditionally. This - complicates the sed script a bit. Do not specify --dereference, - since it's the default (and we want to test this). Adjust output - to match the fact that chgrp no longer optimizes the case of - changing a file's group to the same value as before. - * tests/chgrp/posix-H: Do not attempt to combine -h and -H; these - options are incompatible, and their behavior is undefined with POSIX. - (changed, not_changed): Adjust to match the fact that -h is no longer - specified. Sort names. - * tests/chown/deref: Adjust error-diagnostic spelling to match new - behavior. - -2004-06-07 Paul Eggert <eggert@cs.ucla.edu> - - * src/uname.c (main): Fix typo introduced on 2003-05-10 that - prevented a diagnostic of any operands. - -2004-06-08 Jim Meyering <jim@meyering.net> - - * src/shred.c (direct_mode): Turn it on/off with directio, too. - -2004-06-07 Jim Meyering <jim@meyering.net> - - Enable direct-mode I/O (bypassing the buffer cache), if possible. - Prompted by a suggestion from Kalle Olavi Niemitalo - in http://bugs.debian.org/207035. - * src/shred.c (direct_mode): New function. - (do_wipefd): Turn on direct-mode I/O. - (dopass): If a file's first write fails with EINVAL, - turn off direct-mode I/O and retry the write. - -2004-06-05 Paul Eggert <eggert@cs.ucla.edu> - - * src/tr.c (main): "tr -d a b" is now a fatal error even if - POSIXLY_CORRECT is set. The POSIX SYNOPSIS does not allow this - option combination. - -2004-06-04 Paul Eggert <eggert@cs.ucla.edu> - - * src/shred.c (dopass): Don't subtract 1 from the offset after - a write error. Problem reported by Jon Peatfield in: - http://lists.gnu.org/archive/html/bug-coreutils/2004-06/msg00020.html - -2004-06-02 Paul Eggert <eggert@cs.ucla.edu> - - Fix bug reported by Buciuman Adrian in - <http://mail.gnu.org/archive/html/bug-coreutils/2003-08/msg00105.html> - where 'dd' created a file that was too large. The bug was that dd - assumed that the input file offset does not advance after a failed - read; but POSIX says that the input file offset is undefined after - a failed read. - - * src/dd.c (MAX_BLOCKSIZE): New macro. - (input_seekable, input_seek_errno, input_offset, - input_offset_overflow): New vars. - (scanargs): Reject block sizes greater than MAX_BLOCKSIZE. - (advance_input_offset): New function. - (skip_via_lseek): Set errno to zero when reporting our failure, - so that we don't report based on garbage errno. - (skip): If fdesc is standard input, advance the input offset. - Do not quit if reading, and if noerror was specified; - POSIX seems to require this. - If read fails on output file, report the earlier lseek failure - instead; this fixes a FIXME in dd_copy. - (advance_input_after_read_error): New function. - (dd_copy): Use it, instead of assuming that failed reads - do not advance the file pointer. Advance input offset - after nonfailed reads. Advance only a partial block if - the previous read (before the failed read) succeeded, and - do not generate an output block of zeros in this case. - (main): Determine initial input offset, seekability of input, - and error if it wasn't seekable. - -2004-06-02 Jim Meyering <jim@meyering.net> - - rm (without -f) could hang unnecessarily when attempting to - remove a symlink to a file on an off-line NFS-mounted partition. - Reported by David Howells in https://bugzilla.redhat.com/124699. - * src/remove.c (write_protected_non_symlink): New function. - Don't invoke euidaccess on symlinks. - (prompt): Use write_protected_non_symlink rather than using - euidaccess directly, being careful not to call lstat twice for a file. - - Fix a bug in how the --output-delimiter=D option works with - abutting byte or character ranges. Reported by David Krider in - http://lists.gnu.org/archive/html/bug-coreutils/2004-05/msg00132.html - * src/cut.c (print_kth): Remove special case for open-ended range. - (set_fields): Record the range start index for an interval even - when it abuts another interval on its low side. - Also record the range start index of the longest right-open-interval. - * tests/cut/Test.pm: Add tests of --output-delimiter=S with - abutting and overlapping byte ranges. - -2004-06-01 Paul Eggert <eggert@cs.ucla.edu> - - Some POSIX-conformance cleanups for tr. - - * src/tr.c (posix_pedantic): Remove; no longer needed since - we need to test this in just one place now. - (usage): Mention -C. - (unquote): Note that \055, \n, etc are escaped. - Do not worry about POSIXLY_CORRECT when warning about ambiguous - escape sequences. - \ at end of string stands for itself. - Do not diagnose invalid backslash escapes: POSIX says the behavior - is unspecified in this case, so we don't need to diagnose it. - (main): Add support for -C (currently an alias for -c). - Do not diagnose 'tr [:upper:] [:upper:], as POSIX does not require - a diagnostic here. - * tests/tr/Test.pm: New tests bs-055, bs-at-end, repeat-Compl. - Fix comment for range-a-a. - -2004-05-25 Paul Eggert <eggert@cs.ucla.edu> - - Improve the efficiency (and in one case, correctness) of code - that reads symlinks. - - * src/copy.c (copy_internal): Don't use alloca, as it can mess up - royally if the link length is long (e.g., GNU/Hurd). Use - xreadlink instead, it's safer. Don't bother to read the link if - it's the wrong size. Add a FIXME because this area is a bit murky - and undocumented. - * src/ls.c (get_link_name): Update use of xreadlink. - * src/readlink.c (main): Likewise. - * src/stat.c (print_stat): Likewise. - -2004-06-01 Jim Meyering <jim@meyering.net> - - * src/env.c (main): Prefer the notation `STREQ (a, b)' - over `!strcmp (a, b)'. - * src/sort.c (main, sort_buffer_size): Prefer the notation - `STREQ (a, b)' over `strcmp (a, b) == 0'. - * src/date.c (batch_convert): Likewise. - * src/expr.c (nextarg): Likewise. - * src/su.c (correct_password, restricted_shell, main): Likewise. - * src/ptx.c (swallow_file_in_memory, main): Likewise. - * src/test.c (binary_operator, and, or, main): Likewise. - -2004-05-13 Paul Eggert <eggert@cs.ucla.edu> - - * NEWS: echo compatibility cleanup. - * doc/coreutils.texi (echo invocation): Document the changes. - * src/echo.c (V9_ECHO): Remove; always enabled. - (DEFAULT_ECHO_TO_XPG): Renamed from V9_DEFAULT, so that - we use the same naming convention as bash. Now an enum, - not a macro. - (usage): Reword to mention -e/-E more accurately. - Mention \0NNN (the POSIX syntax) rather than \NNN (nonstandard). - (hextobin): New function. - (main): Use bool rather than int for local vars when appropriate. - Do not allow options if POSIXLY_CORRECT, unless we are using - BSD semantics and the first argument is "-n". - Don't pass unnecessary extra arg to parse_long_options. - do_v9 now defaults to DEFAULT_ECHO_TO_XPG, not to allow_options. - Do not look for options if !allow_options. - Use size_t rather than int when appropriate. - Open-code option test rather than using strrchr. - Use faster test for "-". - Avoid redundant argc test. - Add support for \x, for Bash compatibility. - Use e.g. '\a' rather than '\007', for portability to EBCDIC hosts. - When '\c' is encountered, stop printing immediately, as POSIX - requires. - Add support for \xhh syntax. - Add support for \0ooo syntax; POSIX requires this. - -2004-06-01 Jim Meyering <jim@meyering.net> - - * Use automake-1.8b. Regenerate dependent files. - -2004-05-31 Jim Meyering <jim@meyering.net> - - * tests/Makefile.am.in (TESTS_ENVIRONMENT): Define PATH to include - the build src/ directory -- at the front. - ($(srcdir)/$x-tests): Depend on Makefile.am. - Use $x as the program name, except when it would be `test' (test is - the sole program tested via mk-script that is also a shell built-in). - In that case, use the old ../../src/$x. - -2004-05-30 Jim Meyering <jim@meyering.net> - - Work around HPUX /bin/cc compiler bug that is exposed, now that - sets are arrays of type `bool'. More details here: - http://lists.gnu.org/archive/html/bug-gnulib/2004-05/msg00094.html - FIXME: verify that the above URL points to the right message - - * src/tr.c (card_of_complement): Use cleaner `sizeof in_set' - rather than `N_CHARS * sizeof(in_set[0])'. Using HPUX's /bin/cc - (aC++/ANSI C B3910B A.05.55 [Dec 04 2003]) on an ia64-hp-hpux11.22 - system, those two expressions are not the same (256 vs. 1024). - The effect of this problem was that `tr -c x y' would fail: - tr: when not truncating set1, string2 must be non-empty - (set_initialize): Remove unnecessary initialization of the `in_set' - buffer; that initialization triggered the same compiler bug as above. - -2004-05-29 Paul Eggert <eggert@cs.ucla.edu> - - tr cleanup, mostly having to do with integer type ranges. - Remove all casts. - - * tests/tr/Test.pm: Add a few tests for the below. Alas, most of - the test cases wouldn't be portable, or would take too much CPU - time, or both. - - * src/tr.c (N_CHARS, N_CHAR_CLASSES): Now an enum, not a macro. - This is safe since the code already assumes N_CHARS fits in int. - (Filter): Remove: we want to prototype everything. - (ORD, CHR): Remove. All uses removed. Some replaced with: - (uchar): New function. All places where a char must be converted - to an unsigned char are now done this way, not by ad-hoc methods. - (count): New type. Use it whenever counts or states are needed. - (BEGIN_STATE): Increase from INT_MAX - 1 (which was bogus, anyway, - since we used it in an unsigned int context) to UINTMAX_MAX - 1. - (REPEAT_COUNT_MAXIMUM): New macro. Use it in place of BEGIN_STATE - whenever appropriate. - (NOT_A_CHAR): Remove global macro; now a local enum. - (UL_LOWER, UL_UPPER, UL_NONE): No longer specify values, since - the rest of the code no longer depends on them. - (class_ok): Remove; all uses changed to use inline comparisons. - (RE_NO_TYPE): Remove; wasn't used or needed. - (struct List_element): normal_char and equiv_code are now unsigned - char, not int. - first_char, last_char, and the_repeated_char are now unsigned char, - not unsigned int. repeat_count is now count, not size_t. - All uses changed. - (struct Spec_list): state is now count, not unsigned int. - lengthis now count, not size_t. - n_indefinite_repeats is now size_t, not int. - has_equiv_class, has_char_class, and has_restricted_char_class - are now bool, not int. All uses changed. - (struct E_string): s is now char *, not unsigned char *. - escaped is now bool *, not int *. All uses changed. - (ES_MATCH): Remove macro, replacing with: - (es_match): New inline function. All uses changed. - (squeeze_repeats, complement, posix_pedantic, truncate_set1, - translating): Now bool, not int. - (io_buf): Now char array, not unsigned char. - (SET_TYPE): Remove. All uses replaced with bool. - (is_equiv_class_member, unquote, append_range, append_char_class, - append_equiv_class, find_closing_delim, star_digits_closebracket, - build_spec_list, parse_str, homogeneous_spec_list): - Now returns bool, not int. All uses changed. - (is_equiv_class_member): Now inline. - (is_equiv_class_member, is_char_class_member, make_printable_str, - append_normal_char, append_range, append_repeated_char, - get_s2_spec_stats): - Args are now of proper integer type. - (unquote, look_up_char_class, make_printable_str, - append_equiv_class, build_spec_list, squeeze_filter): - Avoid unsigned char *p; gently convert *p to unsigned char instead. - (unquote, get_spec_stats): Do not jump past declarations and then - use them; C doesn't allow this in portable programs. - (make_printable_str): Check for overflow in size calculations. - (xmemdup): Remove. All uses rewritten. - (find_bracketed_repeat): Args are now of proper pointer-to-integer - type. Do not reject [c*0]. Use xstrtoumax, not xstrtoul. - (find_bracketed_repeat, star_digits_closebracket): Check that the - digits are not escaped. - (build_spec_list): Don't bother to copy opnd_str; not needed. - (build_spec_list, get_next): Simplify internal logic a bit. - (card_of_complement): Fix bug due to char overflow. - (get_spec_stats): Don't assume len fits into int. - Check for integer overflow. Use abort() rather than assert(0). - (string2_extend): Fix subscript error: is_char_class_member (..., 255) - was being invoked. - (squeeze_filter): READER is never null now; simplify code. - READER arg now has a simpler type. Remove unnecessary casts. - (squeeze_filter, main): Calls to fwrite improperly checked result - against zero, rather than against requested size. - (plain_read): New function. - (read_and_delete, read_and_xlate): - Remove unused filter arg, and don't worry about hit_eof. - Simplify by using plain_read. - (set_initialize): Args are bool and bool *, not int and SET_TYPE *. - (main): Always pass a non-null procedure to squeeze_filter. - Rewrite so that class_ok isn't needed. - -2004-05-29 Paul Eggert <eggert@cs.ucla.edu> - - * src/shred.c (dosync): Ignore EBADF errors, as IRIX 6.5 - fdatasync reports EBADF when syncing (unwritable) directories. - Problem reported by Albert Chin-A-Young in: - http://lists.gnu.org/archive/html/bug-coreutils/2004-05/msg00165.html - -2004-05-29 Jim Meyering <jim@meyering.net> - - * tests/chown/deref: Fix typo: use ls -ldo, not ls -ldg. - Patch from Albert Chin. - - * src/ptx.c (text_buffer_maxend): Remove declaration of unused variable. - - * src/remove.c (push_dir): Merge declaration and adjacent assignment - into a single statement. - -2004-05-28 Jim Meyering <jim@meyering.net> - - * src/remove.c (AD_mark_helper): Eliminate an unnecessary comparison. - -2004-05-22 Jim Meyering <jim@meyering.net> - - rm -r would get a failed assertion when run from an inaccessible - directory and with two or more command line arguments including an - absolute-named directory followed by a relative-named directory. - - * src/remove.h (struct rm_options) [require_restore_cwd]: New member. - * src/remove.c (struct cwd_state): Define. - (AD_pop_and_chdir): Redesign interface so that a restore_cwd failure - can be detected by the caller. Instead of returning a malloc'd - directory name, communicate it to caller via a new parameter, and - return an indication of whether restore_cwd failed. Update caller. - Eliminate an unnecessary call to AC_stack_top. - (remove_dir): Change type of cwd_state parameter to `struct cwd_state' - so we can now communicate to caller whether/how functions like - restore_cwd have failed. Update caller. - (rm_1): Fail if we've failed to restore the working directory - and the name of the next file to remove is `.'-relative. - (rm): Fail if the require_restore_cwd flag is true and we've - failed to restore the working directory. - * src/mv.c (rm_option_init): Initialize new member, - x->require_restore_cwd. - * src/rm.c (rm_option_init): Likewise. - -2004-05-21 Jim Meyering <jim@meyering.net> - - * tests/rm/inaccessible: New test for the above fix. - * tests/rm/Makefile.am (TESTS): Add inaccessible. - - * src/remove.c (rm): Use free rather than XFREE. - (remove_dir): Use xmalloc, not XMALLOC. - (ds_init): Likewise. - -2004-05-20 Jim Meyering <jim@meyering.net> - - * Makefile.maint (sc_unmarked_diagnostics): Now that the unmarked - diagnostics in shred.c have been fixed, don't exempt shred.c from - this check. - - * src/shred.c: Use translatable diagnostics, e.g. - change "%s: remove" to _("%s: failed to remove") and - change "%s: close" to _("%s: failed to close"). - -2004-05-17 Paul Eggert <eggert@cs.ucla.edu> - - * src/shred.c (names): Bring back lower-case letters, "_", and - ".". But continue to omit +, =, %, @, #, as they're either - shell metacharacters (for some shells) or are not in some - character sets, or (in the case of '%') must be a - metacharacter somewhere. - -2004-05-16 Paul Eggert <eggert@cs.ucla.edu> - - * src/cut.c (cut_fields): Adjust to new signature of getndelim2. - -2004-05-17 Jim Meyering <jim@meyering.net> - - * src/shred.c (incname): Decrement `len' only once per loop iteration. - - chgrp and chown now dereference symlinks by default, per POSIX. - Reported by Michal Politowski as http://bugs.debian.org/249177. - - * src/chown-core.c (chopt_init): Affect each symlink referent by default. - * src/chown.c (usage): Update to reflect this. - * src/chgrp.c (usage): Likewise. - * NEWS: Describe the change. - Adapt tests accordingly. - * tests/chgrp/basic: Use -h where necessary to retain semantics. - * tests/chgrp/deref: Likewise. - * tests/chgrp/posix-H: Likewise. - -2004-05-15 Paul Eggert <eggert@cs.ucla.edu> - - In shred, check for errors from fdatasync more carefully. If - fdatasync fails with errno==EINVAL, it means this implementation - does not support synchronized I/O for this file. Do not report - this as an error, as (for example) AIX 5.2 fdatasync reports it - for raw disk devices. Problem reported by Albert Chin in - <http://mail.gnu.org/archive/html/bug-gnu-utils/2004-05/msg00028.html>. - - Check for write errors, though: the old code ignored them. - Improve error checking in a few other cases, too (e.g., close of a - directory). - - Also, change several 'int' values to 'bool', so that the error - checking is a bit clearer. Similarly, change unsigned values - to size_t where appropriate. - - * src/shred.c: Include "dirname.h". - (datasync) [!HAVE_FDATASYNC]: Remove. - (dosync): New function. - (dopass): Use it. Return 1 on write error, -1 on other error. - All callers changed. Report write error if dosync does. - (do_wipefd, wipefd, wipename, wipefile): Return bool (true/false), - not int (0/-1). All callers changed. Return false if there's a - write error. - (incname): Return bool (true/false), not int (0/1). Accept - size_t length, not unsigned. All callers changed. Do not - bother checking for non-digits; it can't happen. Replace - recursion with iteration. - (wipename): Use dir_name, base_name, etc. instead of assuming - Unix file names. Use size_t for length, not unsigned. - Report error if unlink or close fails. - (wipename, main): Use bool for booleans. - - (names): Use only digits and uppercase letters, for greater - portability. - -2004-05-16 Jim Meyering <jim@meyering.net> - - * tests/chown/deref: New test for the yesterday's change. - * tests/chown/Makefile.am (TESTS): Add deref. - -2004-05-15 Jim Meyering <jim@meyering.net> - - chown --dereference did nothing when the owner/group of a - symlink matched the desired owner/group. Reported by David Malone. - Also reported in 1999 as http://bugs.debian.org/39642. - - * src/chown-core.c (change_file_owner): When --dereference has - been specified, and when processing a symlink, stat it to get the - owner and group of the referent. - -2004-05-14 Jim Meyering <jim@meyering.net> - - * man/pwd.x, man/echo.x, man/printf.x: Fix typo: - s/supercede/supersede/ reported by Andrew Fabbro. - -2004-05-13 Paul Eggert <eggert@cs.ucla.edu> - - Improve performance of `sort -m' on large files, at the cost of - making some contrived examples unsafe. POSIX allows this - optimization. Performance problem reported by Jonathan Baker in - <http://mail.gnu.org/archive/html/bug-coreutils/2004-05/msg00071.html>. - - * src/sort.c (first_same_file): Do not treat input pipes - differently from other files. - * doc/coreutils.texi (sort invocation): Document that "sort -m -o F" - might write F before reading all the input. - * NEWS: Likewise. - -2004-05-12 Paul Eggert <eggert@cs.ucla.edu> - - * src/od.c (print_ascii, dump_strings): Use e.g. '\a' rather than - '\007', for portability to EBCDIC hosts. - * src/printf.c (print_esc_char): Likewise. - * src/tr.c (unquote, make_printable_str): Likewise. - -2004-05-12 Jim Meyering <jim@meyering.net> - - * src/remove.c (AD_pop_and_chdir): Move lstat-`.' into if-block - where the result is used. This avoids one unnecessary lstat call - per command line argument. - -2004-05-12 Paul Eggert <eggert@cs.ucla.edu> - - Don't assume that "make -C" works; Solaris "make" doesn't have -C. - - * src/Makefile.am (all_programs.list): New rule, copied from - man/Makefile.am and tests/Makefile.am, except that we use the - system tr rather than ./tr and we don't use tr -s. - * tests/Makefile.am (all_programs): Use it. - * man/Makefile.am (all_programs): Likewise. Renamed from programs, - for consistency. All uses changed. - -2004-05-11 Jim Meyering <jim@meyering.net> - - * tests/rm/unread3: New test, for the above fix and today's - lib/save-cwd.c improvement. - * tests/rm/Makefile.am (TESTS): Add unread3. - - * src/rm.c: Don't include "save-cwd.h". It's no longer used. - -2004-05-10 Jim Meyering <jim@meyering.net> - - * tests/install/trap: New file. Test for bug fix of 2004-04-18. - * tests/install/Makefile.am (TESTS): Add trap. - - * src/remove.c (AD_push): Don't use errno in diagnostic about - `changed dev/ino'. - - Remove these generated files from CVS. - * tests/cut/cut-tests, tests/date/date-tests, tests/join/join-tests: - * tests/ls/ls-tests, tests/pr/pr-tests, tests/tac/tac-tests: - * tests/tail/tail-tests, tests/test/test-tests, tests/tr/range-tests: - * tests/tr/tr-tests, tests/wc/wc-tests: - -2004-05-09 Jim Meyering <jim@meyering.net> - - * src/tr.c (unquote): Use xcalloc rather than xmalloc and - a loop initializing the just-allocated memory to zero. - -2004-05-08 Jim Meyering <jim@meyering.net> - - * tests/rm/no-give-up: New file; check for today's fix. - * tests/rm/Makefile.am (TESTS): Add no-give-up. - -2004-05-08 Paul Eggert <eggert@cs.ucla.edu> - - Fix bug where "rm" gave up too easily, reported by Dan Jacobsen in - <http://mail.gnu.org/archive/html/bug-coreutils/2004-05/msg00013.html>. - - * src/remove.c (remove_entry): Check for errno values like ENOENT - that show the file cannot be directory, instead of for errno - values like EPERM that show the file might be a directory. This - is necessary because, when a single unlink() call has multiple - reasons to fail, it can set errno to any of those reasons; it's - only the rare errno value like ENOENT that excludes all the other - possible reasons to fail even when the file is a directory. - (remove_cwd_entries): Don't attempt chdir if the file is known - to not be a directory. - (remove_dir): Use the same method that remove_cwd_entries uses - (for some reason they differed). Don't assert that saved_errno - must be EPERM; it might be just about anything. - -2004-05-06 Jim Meyering <jim@meyering.net> - - * src/id.c (xgetgroups): Use xnmalloc, rather than xmalloc. - Don't add `1' to the buffer size (it was to protect against malloc - implementations that fail to allocate a buffer of size zero). - That is no longer necessary, since we use a malloc wrapper - on such systems. - - * src/wc.c (get_input_fstatus): Use xnmalloc, rather than xmalloc. - * src/head.c (elide_tail_bytes_pipe): Likewise. - * src/df.c (main): Likewise. - * src/shred.c (do_wipefd): Likewise. - * src/users.c (list_entries_users): Likewise. - * src/tail.c (main): Likewise. - * src/md5sum.c (main): Likewise. - -2004-04-29 Paul Eggert <eggert@cs.ucla.edu> - - * src/df.c (show_disk, show_point): If several filesystems are - mounted on the same mount point, prefer the last one, not the first. - Problem reported by Christian Jones in - <http://mail.gnu.org/archive/html/bug-coreutils/2004-04/msg00200.html>. - (show_disk): Remove unused statp arg. Return bool, not int. - (show_point): Rewrite to avoid gotos. Use the same algorithm - for lofs and dummies for each pass through the mount table, - rather than subtly different algorithms (which are probably - inadvertent). - -2004-05-03 Jim Meyering <jim@meyering.net> - - * Makefile.am (EXTRA_DIST): Add m4/ChangeLog, now that we no longer - have m4/Makefile*. - -2004-05-01 Jim Meyering <jim@meyering.net> - - When chown or chgrp is modifying the referent of a symlink, - use the chown(2) function, if possible. - * src/chown-core.c (change_file_owner): Don't hard-code the - open/fchown/close kludge here. Use `chown' instead. - The chown function works just fine on conforming systems. - Other systems now go through the new chown wrapper that - resorts to the old kludge. - - * src/chown-core.c (change_file_owner): Add a comment. - -2004-04-27 Jim Meyering <jim@meyering.net> - - * src/ptx.c: Make over 40 global extern variables `static'. - (syntax_table, re_syntax_table): Remove declarations of two unused - variables (they were exposed by the above change). - - * src/du.c (G_fail, opt_nul_terminate_output): Declare `static'. - * src/ln.c (backup_type): Likewise. - - * src/remove.c (rm): Add `extern' keyword. - * src/cp-hash.c (forget_created, remember_created) - (src_to_dest_lookup, remember_copied, hash_init, forget_all): Likewise. - * src/copy.c (dest_info_init, src_info_init, copy): Likewise. - * src/chown-core.c (chopt_init, chopt_free, gid_to_name) - (uid_to_name, chown_files): Likewise. - - * src/Makefile.am (sc_tight_scope): New rule. - * Makefile.maint (sc_tight_scope): New rule. - (syntax-check-rules): Add it. - -2004-04-26 Jim Meyering <jim@meyering.net> - - * Use automake-1.8.4. Regenerate dependent files. - - * src/sort.c (limfield): Make a comment clearer. - -2004-04-25 Paul Eggert <eggert@twinsun.com> - - Fix POSIX-conformance bug: "sort -k 3,3.5b" is supposed to skip - leading blanks when computing the location of the field end; - it is not supposed to skip trailing blanks. Solaris 8 "sort" - does conform to POSIX. Also fix the documentation to clarify - this and related issues. - - * doc/coreutils.texi (sort invocation): Mention -k earlier, so - that the options are in alphabetical order. Describe how -b works - more-accurately; this involves fixing some examples, too. Mention - what happens if the start field falls after an end field or after - a line end. Warn about using -k without -b, -g, -M, -n, or -t. - Add an example of how to sort IPv4 addresses and Apache Common - Log Format dates. Remove a duplicate example. - (Putting the tools together): Use separate options rather - than agglomerating them. - * src/sort.c (limfield): Use skipeblanks, not skipsblanks, to - decode whether to skip leading blanks. - (trailing_blanks): Remove. - (fillbuf, getmonth, keycompare): Don't trim trailing blanks. - - * tests/pr/Test.pm: Fix typo in env_default comment. - * tests/sort/Test.pm: Likewise. - (18c, 18d): Reverse the order of output lines, so that the - test cases conform to POSIX. - -2004-04-22 Paul Eggert <eggert@twinsun.com> - - More signal-handling cleanup for ls.c. Do not allow signals to - happen between arbitrary output bytes, as the - restore-default-color sequence can bollix up multibyte chars or - color-change sequences in the ordinary output. Instead, process - signals only between printing a file name and changing the color - back to non_filename_text color. That way, if the signal handler - changes the color (to the default), 'ls' will change it back when - 'ls' continues (after being suspended). - - Also, do not bother with signal-handling unless stdout is a - controlling terminal; this lets stdio buffer better when "ls - --color" is piped or sent to a file. - - * src/ls.c (sigprocmask, sigset_t) [!defined SA_NOCLDSTOP]: New macros. - Do not include "full-write.h"; no longer needed. - (tcgetpgrp) [! HAVE_TCGETPGRP]: New macro. - (put_indicator_direct): Remove. All callers changed to use - put_indicator. - (caught_signals, interrupt_signal, stop_signal_count): New vars. - (restore_default_color): Don't bother checking for put_indicator - failure. - (sighandler): Don't handle SIGTSTP; that's another handler now. - Simply set interrupt_signal to the signal, then exit. - (stophandler, process_signals): New functions. - (main): Don't output any color changes until _after_ the signal - handlers are set up. This fixes a race condition where 'ls' - could be interrupted while initializing colors, and leaving the - terminal in an undesirable state. - Don't mess with signal-handling if standard output is not a - controlling terminal. - When exiting, restore the default color, then restore the - default signal handling, then act on any signals that weren't - acted on yet. - Do not print //DIRED// etc. in colors; this avoids the need - to catch signals when printing them. - (print_name_with_quoting): Process signals just before switching - color back to non_filename_text. - -2004-04-23 Jim Meyering <jim@meyering.net> - - Avoid segfault on systems for which SIZE_MAX != (size_t) -1. - * src/ls.c (quote_name): Use SIZE_MAX, not -1, in calls - of quotearg_buffer. Patch by Mikulas Patocka. - -2004-04-18 Paul Eggert <eggert@twinsun.com> - - tee ignored SIGPIPE, but POSIX doesn't allow this. - - * src/tee.c (main): Do not ignore SIGPIPE, as POSIX 1003.1-2001 - does not allow this. This undoes the 1996-10-24 patch. - -2004-04-18 Paul Eggert <eggert@twinsun.com> - - Signal-handling cleanup for coreutils. Here are the highlights: - - - csplit sometimes failed to remove files when interrupted. - - csplit didn't clean up if two signals arrived nearly simultaneously. - - install -s would infloop on System V if SIGCHLD was ignored. - - ls could incorrectly restore color if multiple signals - arrived nearly simultaneously. - - * src/csplit.c (sigprocmask, sigset_t) [!defined SA_NOCLDSTOP]: - Define. - (filename_space, prefix, suffix, digits, files_created, remove_files): - Now volatile. - (caught_signals): New var. - (cleanup): Block signals while deleting all files. - (cleanup_fatal, handle_line_error, regexp_error): - Mark with ATTRIBUTE_NORETURN. - (create_output_file, close_output_file, interrupt_handler): - Block signals while changing the number of output files, - to fix some race conditions. - (delete_all_files): Do nothing if remove_files is zero. - Clear files_created. - (main): Don't mess with signals until after argument processing - is done. - - * src/csplit.c (main): Rewrite signal-catching code to make it - similar to other coreutils programs. When processing signals, - block all signals that we catch, but do not block signals that we - don't catch. Avoid problems with unsigned int warnings. - * src/ls.c (main): Likewise. - * src/sort.c (main): Likewise. - - * src/csplit.c (interrupt_handler): - Use void, not (obsolete) RETSIGTYPE. - * src/shred.c (sigill_handler, isaac_seed_machdep): Likewise. - - * src/csplit.c (interrupt_handler) [defined SA_NOCLDSTOP]: - Use simpler "signal (sig, SIG_DFL)" rather than sigaction equivalent. - * src/ls.c (sighandler) [defined SA_NOCLDSTOP]: Likewise. - * src/sort.c (sighandler) [defined SA_NOCLDSTOP]: Likewise. - * src/nohup.c (main) [!defined _POSIX_SOURCE]: Likewise, except - for SIG_IGN. - * src/tee.c (main) [!defined _POSIX_SOURCE]: Likewise. - - * src/install.c: Include <signal.h>. - (main) [defined SIGCHLD]: Set SIGCHLD handler to the default, if -s is - given, since System V fork+wait does not work if SIGCHLD is ignored. - - * src/ls.c (sighandler) [!defined SA_NOCLDSTOP]: Reset signal - handler to self, not to SIG_IGN, since SIGTSTP can be received - more than once. - (main): Use SA_RESTART, as that is simpler than checking for EINTR - failures all over the place. - -2004-04-20 Jim Meyering <jim@meyering.net> - - * src/remove.c (is_empty_dir): Clarify comment. - - * man/help2man: Accept new option: --program-name=NAME, so that we - can override the one in --version output. This is needed solely - so that test.1 doesn't refer to `[' as the program name. - Reported by Benjamin Cutler as http://bugs.debian.org/205251. - * man/Makefile.am (.x.1): Use help2man's new --program-name option. - - * src/pwd.c: Don't include pathmax.h; system.h already does it. - - * src/cut.c (cut_fields): Free buffer upon getndelim2 failure. - -2004-04-19 Jim Meyering <jim@meyering.net> - - * src/shred.c (isaac_seed_start) [AVOID_USED_UNINITIALIZED_WARNINGS]: - Initialize a buffer to avoid warnings from tools like valgrind. - - * Makefile.maint (sc_trailing_blank): New rule. - (syntax-check-rules): Add it. - * .x-sc_trailing_blank: New file. - - Make pwd work even if the resulting name is so long that getcwd fails. - * src/pwd.c: (path_free, path_init, path_prepend): New functions. - (nth_parent, find_dir_entry, robust_getcwd): New functions. - (main): First try getcwd, then, upon failure, robust_getcwd. - -2004-04-18 Jim Meyering <jim@meyering.net> - - * src/who.c (print_user): Use xrealloc here, rather than - unchecked realloc. Remove anachronistic casts. - - * src/remove.c (full_filename_): Don't leak upon failed realloc. - - * src/system.h (readdir_ignoring_dot_and_dotdot): New inline function, - from remove.c. - * src/remove.c (readdir_ignoring_dotdirs): Move function to system.h, - renaming it. Update uses. - -2004-04-17 Jim Meyering <jim@meyering.net> - - * configure.ac: Depend on automake-1.8.3. - - * src/join.c (add_file_name): Declare function to be `static'. - (string_to_join_field): Likewise. - * src/remove.c (ds_init, ds_free): Likewise. - - * Makefile.maint (sc_prohibit_jm_in_m4): New rule. - (syntax-check-rules): Add to the list. - -2004-04-13 Paul Eggert <eggert@twinsun.com> - - Use page-aligned buffers whenever we bother to do I/O using buffer - sizes that are tailored for the files. - - * src/cat.c: Include getpagesize.h. - * src/copy.c: Likewise. - * src/shred.c: Likewise. - * src/split.c: Likewise. - * src/cat.c (main): Align I/O buffers to page boundaries. - * src/copy.c (copy_reg): Likewise. - * src/shred.c (dopass): Likewise. - * src/split.c (main): Likewise. - * src/dd.c (ROUND_UP_OFFSET, PTR_ALIGN): Remove. - All uses replaced by ptr_align. - * src/od.c (gcd, lcm): Remove; now in system.h. - * src/system.h (gcd, lcm, ptr_align): New functions, moved from od.c. - -2004-04-14 Jim Meyering <jim@meyering.net> - - Remove m4/Makefile.am: it's no longer needed, with newer automake - * configure.ac (AC_CONFIG_FILES): Remove m4/Makefile.in from the list. - * Makefile.am (SUBDIRS): Remove `m4' from the list. - -2004-04-13 Jim Meyering <jim@meyering.net> - - * configure.ac: Change `jm_' in AC_DEFINE'd names to `gl_'. - -2004-03-27 Paul Eggert <eggert@twinsun.com> - - * NEWS: cp -pu and mv -u (when copying) now take the destination - file system time stamp resolution into account. - * doc/coreutils.texi (mv invocation): Document this. - (cp invocation): Document -u (it was missing!) with new behavior. - - * src/copy.c: Include "utimecmp.h". - (copy_internal): Compare time stamps using utimecmp rather than - MTIME_CMP. - -2004-04-09 Jim Meyering <jim@meyering.net> - - * Makefile.maint (.re-list): New rule/file, to replace - hard-coded list of header file names. - (sc_system_h_headers): Use the new file. - Don't look for sys2.h anymore. - - * src/system.h: Include new "stat-macros.h" rather than hard-coding - all of its macro definitions -- the list was slightly out of date. - Suggestion from Dmitry V. Levin. - -2004-04-08 Paul Eggert <eggert@cs.ucla.edu> - - * NEWS: Remove noctty flag from dd. Suggested by Philippe Troin. - * doc/coreutils.texi (dd invocation): Likewise. - * src/shred.c (O_NOCTTY): Remove redundant decl. - * src/dd.c (flags, usage): Remove noctty flag. - (main): Always use O_NOCTTY when opening files. - -2004-04-08 Jim Meyering <jim@meyering.net> - - * src/dd.c (dd_copy): Mark two diagnostics for translations. - (set_fd_flags): Undo part of today's change: it's a little - cleaner -- and more efficient in the common case -- to go - ahead and OR in the -1 when fcntl fails. - - * Makefile.maint (sc_dd_max_sym_length): New target. - (syntax-check-rules): Add it. - - * src/md5sum.c (PROGRAM_NAME) [algorithm == ALG_SHA1]: - Correct spelling: s/shasum/sha1sum. Reported by Jesse Kornblum. - - * src/dd.c (set_fd_flags): Don't OR in -1 when fcntl fails. - Rename parameter, flags, to avoid shadowing global. - (LONGEST_SYMBOL): Tweak comment. - -2004-04-07 Paul Eggert <eggert@twinsun.com> - - * NEWS: New dd conv= symbols nocreat, excl, fdatasync, fsync, - and new dd options iflag= and oflag=. - * src/dd.c (usage): Likewise. - * src/Makefile.am (dd_LDADD, shred_LDADD): Add fdatasync's lib. - * src/dd.c (fdatasync) [!HAVE_FDATASYNC]: New macro. - (C_NOCREAT, C_EXCL, C_FDATASYNC, C_FSYNC): New macros. - (input_flags, output_flags): New vars. - (LONGEST_SYMBOL): New macro. - (struct symbol_value): Renamed from struct conversion. Members - symbol and value renamed from convname and conversion. The - symbol value is now an array instead of a pointer; this saves - a bit of space and time in practice. All uses changed. - (conversions): Add nocreat, excl, fdatasync, fsync. Now const. - (flags): New constant array. - (iflag_error_msgid, oflag_error_msgid): New constants. - (parse_symbols): Renamed from parse_conversion and generalized - to handle either conversion or flag symbols. - (scanargs): Adjust uses of parse_symbols accodingly. Add - support for iflag= and oflag=. Reject attempts to use - both excl and nocreat. - (set_fd_flags): New function. - (dd_copy): Just return X rather than calling quit (X), since our - caller invokes quit with the returned value. Add support for - fdatasync and fsync. - (main): Add support for iflag=, oflag=, and new conv= symbols. - * src/system.h (O_DIRECT, O_DSYNC, O_NDELAY, O_NOFOLLOW, - O_RSYNC, O_SYNC): Define to 0 if not already defined. - - * NEWS: Remove duplicate mention of BLOCKSIZE. - -2004-04-02 Andreas Schwab <schwab@suse.de> - - * src/stty.c: Add support for IUTF8 input flag. - -2004-04-06 Jim Meyering <jim@meyering.net> - - * src/system.h (makedev) [mkdev && !makedev]: Define in terms of mkdev. - Interix spells it `mkdev'. Reported by Mark Funkenhauser. - -2004-04-04 Jim Meyering <jim@meyering.net> - - A specified format is no longer automatically newline terminated. - If you want a newline at the end of your format, use `\n'. - * src/stat.c (print_it): Don't print a newline at the end of - every format. - (do_statfs): Add a newline at end of each default format string. - -2004-03-30 Paul Eggert <eggert@twinsun.com> - - * src/nohup.c (main): Adjust to new calling convention - for set_cloexec_flag. - -2004-03-31 Jim Meyering <jim@meyering.net> - - * tests/Fetish.pm (run_tests): Remove `.orig' file. - Remove debugging diagnostic. - - Specifying an invalid --width=N (-w) or --gap-size=N (-g) - would not elicit an error. - * src/ptx.c: Include "xstrtol.h" and "quotearg.h". - (main): Don't use atoi. Use xstrtoul instead. - -2004-03-30 Jim Meyering <jim@meyering.net> - - * Makefile.maint (sc_prohibit_atoi_atof): New rule. - (syntax-check-rules): Add it. - * .x-sc_prohibit_atoi_atof: New file. - -2004-03-29 Jim Meyering <jim@meyering.net> - - * tests/du/files0-from: Use new OUT_SUBST directive, so that this - test is not sensitive to system-dependent block size differences. - Prompted by a report of Solaris 8 differences from Paul Eggert. - - * tests/Fetish.pm: Accept new directives: OUT_SUBST, ERR_SUBST. - Rename `%tmp' to `%actual'. Reverse order of last two args to - _compare_files (to $actual, $expected) so as to match declaration. - -2004-03-28 Paul Eggert <eggert@twinsun.com> - - Fix some gotchas encountered when porting to Solaris 8, using - the Forte 6u2 compiler. - - * src/hostname.c [HAVE_SETHOSTNAME && !defined sethostname]: - Declare sethostname, since no Solaris header does it. - * src/who.c: Include "vasprintf.h", for asprintf. - -2004-03-28 Jim Meyering <jim@meyering.net> - - Minor optimization: - * src/du.c (process_file): Don't record dev/inode for directories. - - Under some circumstances, without -c, du would mistakenly count the - space of hard-linked files, not just the first one it encountered. - Reported by Anthony Thyssen. - * src/du.c (du_files): Don't ever clear the set of `seen' dev/inodes. - - * src/du.c: Rename global `print_totals' to `print_grand_total'. - - * src/du.c (main): Rearrange filtering loop to be a tiny bit - more efficient. - - * src/chown-core.c: Don't include savedir.h -- no longer needed. - * src/chmod.c: Likewise. - -2004-03-25 Jim Meyering <jim@meyering.net> - - * src/du.c (main): Remove now-unused declaration of `i'. - -2004-03-24 Paul Eggert <eggert@twinsun.com> - - * src/du.c (main): Filter out file names of length zero before - invoking fts, so that they don't cause fatal errors. - -2004-03-25 Jim Meyering <jim@meyering.net> - - * tests/du/files0-from (zero-len): Add a test for the above. - -2004-02-25 Paul Eggert <eggert@twinsun.com> - - * NEWS: New environment var BLOCKSIZE. - * lib/human.c (humblock): Support BLOCKSIZE as well as BLOCK_SIZE. - * tests/envvar-check: Test for it. Factor the code to simplify it. - -2004-03-23 Paul Eggert <eggert@twinsun.com> - - * NEWS: Shorten the du --files0-from announcement, and say - "NUL-terminated" rather than "NUL-separated". - * src/du.c (EXPECTED_BYTES_PER_FILE_NAME, DEFAULT_PROJECTED_N_FILES): - Remove: not used. - (usage): Say "NUL-terminated", not "NUL-separated". - (main): Check for I/O error when istream is closed. - Allow --files0-from=F even if F is empty; this specifies no files. - (du_files): Now that we allow the list of files to be empty, - handle that case. - * tests/du/files0-from: Adjust to above changes to src/du.c. - -2004-03-24 Jim Meyering <jim@meyering.net> - - * tests/tail-2/assert: Avoid race condition that could cause - spurious failure. Based on a patch from Andreas Schwab. - -2004-03-23 Jim Meyering <jim@meyering.net> - - * src/du.c (main): Free the hash table, too. - -2004-03-22 Jim Meyering <jim@meyering.net> - - * man/Makefile.am (.x.1): Remove --info-page= option, reverting - the change of 2004-01-22. I can no longer reproduce the problem - that prompted that change, and `info coreutils pr' would display the - `printing text' section of the manual, not the one on `pr invocation'. - - * tests/du/files0-from (nul-1, nul-2): Adjust expected diagnostics - to match corrected output. - - * src/du.c: Include "readtokens0.h" rather than "readtokens.h". - (main): Use readtoken0 functions rather than readtokens. - Don't use errno when diagnosing readtokens0 failure. - Fix off-by-one error in the token number reported in a diagnostic. - (du_files): Return bool, rather than int. - (main): Call readtokens0_free. - -2004-03-21 Jim Meyering <jim@meyering.net> - - * src/remove.c (ds_free): Plug a small leak. - - * tests/Fetish.pm: Fix typo in comment. - -2004-03-07 Jim Meyering <jim@meyering.net> - - * NEWS: du accepts a new option --files0-from=FILE, where FILE - contains a list of NUL-separated file names. - - * src/du.c: Include "readtokens.h". - (usage): Describe the new option, and adjust the `Usage': - with this option, no FILE may be specified on the command line. - (main): Handle the new option. - - * tests/du/files0-from: New tests, for the above. - * tests/du/Makefile.am (TESTS): Add files0-from. - - * src/factor.c (do_stdin): Reflect changes in use of readtoken. - * src/tsort.c (tsort): Likewise. - -2004-02-29 Paul Eggert <eggert@twinsun.com> - - * NEWS: Add support for a new notation @N to get_date to represent - the time stamp with numeric value N. Improve support for - fractional time stamps. date's -d and -f options now accept them. - Likewise for touch -t. date has a new option --iso-8601=ns. - - * doc/coreutils.texi (touch invocation): - Describe use of fractional seconds. - (date invocation, Options for date): Likewise. - * doc/getdate.texi (General date syntax, Time of day items): Likewise. - * doc/coreutils.texi (date invocation): Mention effect of LC_TIME. - (Options for date): Describe new --iso-8601=ns option. - - * doc/getdate.texi: Add copyright notice. Change getdate to - get_date when talking about the function name. - (Seconds since the Epoch): New section, containing the time_t - info moved from Date input formats section, along with new - info about the @ syntax. Mention negative time stamps, - fractional time stamps, and leap seconds. - (General date syntax): Modernize examples a bit to reflect new - features. - (General date syntax, Relative items in date strings): - Use ' rather than " to quote formats. - (Time of day items): Add an example with fractional seconds. - Describe fractional-second syntax. - - * src/Makefile.am (touch_LDADD): New macro, since `touch' now - needs clock_gettime. - - * src/date.c (enum Time_spec): New enum TIME_SPEC_NS. - (time_spec_string, time_spec, show_date): Support it. - (usage): Remove description of -ITIMESPEC, as it's obsolete and - confusing. Mention --iso-8601=ns. - (batch_convert): getline returns ssize_t, not int. - - * src/touch.c (newtime): Now an array of two timespecs, one - for access and one for modification. - (ref_stats): Remove. - (get_reldate): Use get_date's parameter profile. - (touch, main): Adjust to above changes. - (main): Work even if tm_year == INT_MAX (so long as long int is wider). - Use gettime instead of gettimeofday, for new get_date signature. - - * tests/date/Test.pm (test_vector): New tests epoch, ns-10, ns-max32, - ns-relative. - -2004-03-15 Jim Meyering <jim@meyering.net> - - * Makefile.maint (alpha beta major): `Make' the emit_upload_commands - target before updating $(prev_version_file). - - * tests/misc/date-sec: New file, to test for just-fixed bug in date. - See today's change in lib/getdate.y. - * tests/misc/Makefile.am (TESTS): Add date-sec. - -2004-03-14 Jim Meyering <jim@meyering.net> - - * announce-gen (print_changelog_deltas): Use `.sig' suffix for - signature files, not `.asc'. Reported by angico@yahoo.com. - -2004-03-13 Jim Meyering <jim@meyering.net> - - * src/cp.c (do_copy): Tweak wording in a diagnostic. - Suggestion from Karl Berry. - Include "quoatearg.h". - (do_copy): Use quotearg_colon (not quote) for diagnostics - that begin with `"%s:'. - - * src/nl.c (usage): Specify that nl uses _basic_ regular expressions. - Suggestion from Dan Jacobson. - -2004-03-12 Jim Meyering <jim@meyering.net> - - * Version 5.2.1. - - Sometimes, when source and destination partition are different, - mv mistakenly fails to preserve a hard link. Reported by IIDA Yosiaki. - - * src/copy.c: When moving a set of N hard-linked files between - partitions, via two or more command line arguments where the - command line argument containing the Nth link contains no other - link to that same file, mv would mistakenly copy the file, rather - than hard-linking it to the other(s). That happens because when the - final link is processed, its link count has been reduced to 1 since - the other links have been `copied' to the destination partition - and the source links have been removed. - (copy_internal): When in move mode, use the source dev/inode - pair to look up destination name even when st_nlink == 1. - * src/cp-hash.c (src_to_dest_lookup): New function. - * src/cp-hash.h (src_to_dest_lookup): Add prototype. - * tests/mv/part-hardlink: New file. Test for the above fix. - * tests/mv/Makefile.am (TESTS): Add part-hardlink. - - * announce-gen: Sync with autoconf. - - * tests/ls/time-1: Exit 77 (not 1) if we can't set up for the test. - This was triggered on a Linux-2.2.19 system using a file system - NFS-mounted from some sort of Sun. - -2004-03-11 Jim Meyering <jim@meyering.net> - - * Use automake-1.8.3. Regenerate dependent files. - -2004-03-10 Jim Meyering <jim@meyering.net> - - * tests/du/deref-args: Also convert sizes in the 70-79 kB range, - so that this test works with SELinux-enabled systems. - Based on a patch from Tim Waugh. - - `join -1 x' would give a misleading diagnostic - * src/join.c (string_to_join_field): Report that a non-numeric field - number is invalid, rather than `so large that it is not representable'. - * tests/join/Test.pm (invalid-j): New partial test for the above fix. - -2004-03-06 Jim Meyering <jim@meyering.net> - - cp --sparse=always sparse-image-file.img /dev/hda1 could - produce an invalid copy on the destination device. - - * src/copy.c (copy_reg): Even with --sparse=always, try to - make `holes' only if the destination is a regular file. - Reported by Szakacsits Szabolcs. - -2004-03-03 Paul Eggert <eggert@twinsun.com> - - * src/nohup.c (main): Don't invoke set_cloexec_flag with - a file descriptor of -1. - -2004-03-02 Dmitry V. Levin <ldv@altlinux.org> - - * src/nohup.c: Include "cloexec.h". - (main): Set the copy of stderr to close on exec. - -2004-03-01 Paul Eggert <eggert@twinsun.com> - - * configure.ac: Include <signal.h> when checking for strsignal, - sys_siglist, and friends. Problem reported by Tony Leneis in - <http://mail.gnu.org/archive/html/bug-coreutils/2004-02/msg00136.html>. - -2004-02-25 Paul Eggert <eggert@twinsun.com> - - * tests/du/deref-args, tests/du/exclude, tests/du/slash: - * tests/du/trailing-slash: Run envvar-check in case BLOCK_SIZE - etc. are set. - -2004-02-23 Paul Eggert <eggert@twinsun.com> - - * NEWS: Document how chown's USER.GROUP argument is now parsed. - -2004-02-23 Jim Meyering <jim@meyering.net> - - * src/seq.c (usage): Remove stray space after \n in --help output. - -2004-02-22 Jim Meyering <jim@meyering.net> - - * src/du.c (usage): Separate -H and --si. Say that the meaning - of -H will soon change to that of --dereference-args (-D). - -2004-02-21 Jim Meyering <jim@meyering.net> - - * src/comm.c (usage): Tell what comm does when there are no options. - Reword in terms of FILE1 and FILE2 rather than `left file' and - `right file'. Suggestion from Dan Jacobson. - -2004-02-15 Paul Eggert <eggert@twinsun.com> - - Fix some POSIX-conformance bugs in expr. - - * NEWS: document the following changes to src/expr.c. - * doc/coreutils.texi (expr invocation): Likewise. - Document what forms integers may take, and say "integer" - consistently instead of "number". Warn about operands - that "expr" can misinterpret, and how to work around the - problem. - * src/expr.c (eval, eval7, eval6, eval5, eval4, eval3, eval2, eval1): - Accept a bool argument specifying whether to evaluate the - expression. This is to allow short-circuit evaluation. All - callers changed. - (null): Report that a string is zero even if it has - a form like "-0" or "00". - (eval1, eval): Use short-circuit evaluation for | and &. - (eval): Return 0 if both arguments are null or zero, instead - of returning the first argument. - * tests/expr/basic: Add some tests for the above. - -2004-02-17 Jim Meyering <jim@meyering.net> - - * Version 5.2.0. - - `make check' from a build inside a chroot environment would fail - * tests/help-version: Specify an argument (`/') for df, in the - unusual event that there is no valid entry in /etc/mtab. - Likewise for id: add the -u option, so we don't get spurious - failures when there are no user or group names. - Patch by Tim Waugh. - - * src/sort.c (usage) [-u]: Add punctuation so that the description in - the help2man-generated (line-joined) man page is more readable. - Reported by Tim Waugh. - [-T]: Add a semicolon, for the same reason. - -2004-02-15 Jim Meyering <jim@meyering.net> - - * Makefile.am (dist-hook): Qualify target with $(srcdir)/ prefix. - -2004-02-11 Jim Meyering <jim@meyering.net> - - * tests/Makefile.am.in ($(srcdir)/Makefile.am): Use more portable - $(srcdir)/../Makefile.am.in, rather than $<. - Suggestion from Michael Elizabeth Chastain. - -2004-02-10 Jim Meyering <jim@meyering.net> - - * config/install-sh: Make this script executable. - * Makefile.am (dist-hook): New target, to ensure that config/install-sh - is executable. Otherwise, on systems that lack a suitable install - binary, `make install' would fail, because of the way this script - is invoked (without `$SHELL ' prefix). - Reported by Bob Proulx. - -2004-02-08 Jim Meyering <jim@meyering.net> - - * Version 5.1.3. - - * tests/rm/rm5: Avoid triggering a bug in OSF/Tru64's sed - that would cause an unwarranted test failure. - * tests/rm/rm3: Likewise. - -2004-02-07 Jim Meyering <jim@meyering.net> - - Remove xstat function pointer member. The way it was used was not - portable, since some systems (OSF V5.1, Solaris 2.5.1) provide static - inline `stat' and `lstat' functions, thus making the tests of - `xstat == lstat' in copy.c always fail. - * src/copy.h (struct cp_options) [xstat]: Remove member. - (XSTAT): New macro. - * src/copy.c (copy_dir): Set `.dereference' member, not .xstat. - (copy_internal): Use `XSTAT (x, ...)' in place of `*(x->xstat) (...)'. - Use `x->dereference == DEREF_NEVER' in place of `x->xstat == lstat'. - (valid_options): Remove now-obsolete FIXME comments. - - * src/cp.c (re_protect): Use `XSTAT (x, ...)' in place of - `*(x->xstat) (...)'. - (do_copy): Declare/use local xstat rather than x->xstat. - (main): Remove code that set x.xstat. - * src/mv.c (cp_option_init): Don't initialize xstat member. - * src/install.c (cp_option_init): Likewise. - - * Makefile.cfg (gnu_ftp_host-alpha, etc.): Un-factor .gnu.org suffix, - so that emit_upload_commands can use these variables, too. - -2004-02-06 Jim Meyering <jim@meyering.net> - - * tests/rm/deep-1: Remove `du' stack space test. - Apparently, `ulimit -s N' isn't portable enough. - This test will be restored (with a guard against losing ulimit) - in its own file later. - - * tests/rm/deep-1 (deep): Remove progress-style diagnostics, - since this test doesn't take long enough to merit them. - Run du on $tmp (the containing dir), not $deep, the full path to leaf. - - * Makefile.maint (signatures): Remove definition. - Now, automake's gnupload handles this. - (%.sig: %): Remove now-unused rule. - (rel-files): Use automake's $(DIST_ARCHIVES), rather than - `$(distdir).tar.bz2 $(distdir).tar.gz'. - (emit-upload-commands): Adjust to use gnupload. - -2004-02-05 Jim Meyering <jim@meyering.net> - - * src/system.h (ST_TIME_CMP_NS, ST_TIME_CMP): Remove definitions. - (ATIME_CMP, CTIME_CMP, MTIME_CMP, TIMESPEC_NS): Likewise. - Now, those are all defined in timespec.h. - Include timespec.h. - - * src/date.c: Don't include timespec.h, now that system.h does it. - -2004-02-02 Paul Eggert <eggert@twinsun.com> - - Don't dump core if localtime returns NULL (possible on - hosts with 64-bit time_t and 32-bit int). - * src/date.c: Include "inttostr.h". - (batch_convert, main): - If time conversion fails, exit with nonzero status. - (show_date): Return int to report conversion failure. - Print the time as an int if localtime fails. - * src/uptime.c: Print "??" if the current clock can't - be converted by localtime. This won't happen until the year - 2*31 + 1900, but we don't want to dump core even if the current - clock has the wrong value. - - * src/stat.c: Include "inttostr.h". - (human_time): Print the date/time as a number of seconds since the - epoch if it can't be converted by localtime. This is better than - just saying "invalid", and is consistent with what "ls" does. - Don't dump core if the year has more than 48 digits; this isn't - possible on any contemporary host, but we might as well do it right. - -2004-01-31 Paul Eggert <eggert@twinsun.com> - - * src/stat.c (human_time): Accept time rather than - pointer-to-const-time parameter, for clarity. All callers changed. - -2004-02-02 Jim Meyering <jim@meyering.net> - - * src/stat.c (do_stat): Remove extra trailing newline from - default formats. Reported by Nelson H. F. Beebe. - - Print actual fractional seconds in time stamps, not just `.00000000'. - * src/stat.c (human_time): Add and use new parameter, t_ns. - (print_stat): Update callers. - * src/ls.c (TIMESPEC_NS): Remove definition. - * src/system.h (TIMESPEC_NS): Define here, instead, now that stat.c - also uses this macro. - Nelson H. F. Beebe noticed that ls --full-time printed nonzero - fractional seconds for files on an XFS file system, but that stat's - fractional seconds were always zero. - -2004-01-28 Paul Eggert <eggert@twinsun.com> - - * src/seq.c (print_numbers): Use 'double' for loop index, not - 'int', to avoid problems with integer overflow. On almost all - machines 'double' works in every case where 'int' works, and - it works on other cases besides. - -2004-01-27 Jim Meyering <jim@meyering.net> - - * src/seq.c (usage): Mention that if INCREMENT is omitted, - it defaults to 1, even when FIRST is larger than LAST. - Reword so as not to exclude the possibility that INCREMENT be zero. - -2004-01-25 Jim Meyering <jim@meyering.net> - - * Version 5.1.2. - - * Makefile.maint (signatures): Comment out definition. - -2004-01-23 Jim Meyering <jim@meyering.net> - - * Makefile.maint (header_regexp): Add exitfail. - - * man/Makefile.am (EXTRA_DIST): Add help2man. - Reported by Nelson H. F. Beebe. - - * man/Makefile.am (.x.1): Prefix help2man invocation with `$(PERL) --' - so it works on systems with Perl installed somewhere other than in - /usr/bin. - - * src/paste.c (paste_parallel): Declare local, chr, to be of type - `int', not `char', since it must hold EOF. This bug would make - paste infloop on some systems. Test failures reported by - Nelson H. F. Beebe and Christian Krackowizer. - -2004-01-22 Jim Meyering <jim@meyering.net> - - * tests/rmdir/fail-perm: New file. Test for just-fixed rmdir bug. - * tests/rmdir/Makefile.am (TESTS): Add fail-perm. - - * man/help2man: Fix it so using --info-page='coreutils PROG' works. - * man/Makefile.am (.x.1): Invoke our own (tweaked) copy of help2man. - Use --info-page='coreutils PROG' option. - Now, readlink.1 refers the user to `info coreutils readlink' - rather than to `info readlink'. Reported by Matt Swift. - -2004-01-21 Paul Eggert <eggert@twinsun.com> - - Exit status cleanup. - - * src/basename.c (usage): Use EXIT_SUCCESS, not 0, for clarity. - * src/cat.c, src/chgrp.c, src/chmod.c, src/chown.c, src/chroot.c, - * src/cksum.c, src/comm.c, src/cp.c, src/csplit.c, src/cut.c, - * src/date.c, src/dd.c, src/df.c, src/dircolors.c, src/dirname.c, - * src/du.c, src/echo.c, src/env.c, src/expand.c, src/expr.c, - * src/factor.c, src/fmt.c, src/fold.c, src/head.c, src/hostid.c, - * src/hostname.c, src/id.c, src/install.c, src/join.c, src/kill.c, - * src/link.c, src/ln.c, src/logname.c, src/ls.c, src/md5sum.c, - * src/mkdir.c, src/mkfifo.c, src/mknod.c, src/mv.c, src/nice.c, - * src/nl.c, src/nohup.c, src/od.c, src/paste.c, src/pathchk.c, - * src/pinky.c, src/pr.c, src/printenv.c, src/printf.c, src/pwd.c, - * src/rm.c, src/rmdir.c, src/seq.c, src/setuidgid.c, src/shred.c, - * src/sleep.c, src/sort.c, src/split.c, src/stat.c, src/stty.c, - * src/su.c, src/sum.c, src/sync.c, src/tac.c, src/tail.c, src/tee.c, - * src/test.c, src/touch.c, src/tr.c, src/tsort.c, src/tty.c, - * src/uname.c, src/unexpand.c, src/uniq.c, src/unlink.c, src/uptime.c, - * src/users.c, src/wc.c, src/who.c, src/whoami.c, src/yes.c: Likewise. - - * src/cat.c (usage): Don't bother normalizing exit status - since the arg is already the correct exit status now. - * src/cksum.c, src/comm.c, src/csplit.c, src/cut.c, - * src/dircolors.c, src/expand.c, src/fmt.c, src/fold.c, src/head.c, - * src/join.c, src/md5sum.c, src/nl.c, src/od.c, src/paste.c, - * src/pr.c, src/split.c, src/sum.c, src/tac.c, src/tail.c, src/tr.c, - * src/tsort.c, unexpand.c, src/src/uniq.c, src/src/wc.c: Likewise. - - * src/chown.c (main): Removed unused local 'fail'. - - * src/chroot.c (CHROOT_FOUND_BUT_CANNOT_INVOKE, CHROOT_FAILURE): - Remove. - - * src/chroot.c (main): Initialize exit_failure to EXIT_FAIL. - * src/env.c, src/nice.c, src/su.c: Likewise. - * src/nohup.c (main): Likewise, to NOHUP_FAILURE. - * src/setuidgid.c (main): Likewise, to SETUIDGID_FAILURE. - * src/expr.c (main): Use initialize_exit_failure rather than - setting exit_failure directly; this optimizes away redundant - assignments. - * src/printenv.c, src/sort.c, src/test.c, src/tty.c: Likewise. - - * src/chroot.c (main): Exit with status 1 rather than 127 - if chroot itself fails, as per documentation. - - * src/chroot.c (main): Use EXIT_ENOENT and EXIT_CANNOT_INVOKE - rather than roll-your-own symbols or integers. - * src/env.c (main): Likewise. - * src/nohup.c (main): Likewise. - * src/su.c (run_shell): Likewise. - - * src/cp.c (exit_status): Remove static var.... - (main): Making it local here instead. Use =, not |=, to set it. - - * src/cut.c (FATAL_ERROR, main): Exit with status EXIT_FAILURE, - not 2, on errors. - * src/date.c (batch_convert, main): Likewise. - * src/dd.c (dd_copy): Likewise. - * src/pr.c (first_last_page, main, getoptarg): Likewise. - * src/tr.c (main): Likewise. - * src/date.c (main): Don't assume EXIT_FAILURE == 1, as - POSIX doesn't require it. - * src/dd.c (write_output, skip, dd_copy): Likewise. - * src/df.c (main): Likewise. - * src/id.c (main): Likewise. - * src/install.c (main): Likewise. - * src/ln.c (main): Likewise. - * src/ls.c (main): Likewise. - * src/mv.c (main): Likewise. - * src/shred.c (main): Likewise. - - * src/env.c (main): Exit with status 1, not 2, on errors detected - by env proper. - * src/hostname.c (main): Likewise. - * src/nl.c (main): Likewise. - * src/stty.c (main): Likewise. - - * src/expr.c (EXPR_FAILURE): Renamed from EXPR_ERROR, for - consistency with the other programs' naming conventions. - All uses changed. - - * src/factor.c (main): Do not report a usage error simply - because stdin has bad numbers. - - * src/id.c (problems): Now a boolean int, not a counter, - so that we don't have to worry about int overflow. All uses changed. - * src/touch.c (err): Likewise. - - * src/md5sum.c (main): Use int, not size_t, to store boolean int. - - * src/mkfifo.c (main): Exit with status 1, not 4, if not implemented. - * src/mknod.c: Likewise. - - * src/nice.c (main): Exit with status EXIT_FAIL, not EXIT_FAILURE, - on error; this is in case EXIT_FAILURE is unusual. - * src/su.c (main): Likewise. - - * src/nohup.c (NOHUP_FOUND_BUT_CANNOT_INVOKE): Remove; all uses - changed to EXIT_CANNOT_INVOKE. - - * src/printenv.c (PRINTENV_FAILURE): New constant. - (main): Exit with status PRINTENV_FAILURE, not EXIT_FAILURE, on - command-line syntax problems. - - * src/rmdir.c (remove_parents): Don't set 'fail' to a negative number. - (main): Avoid integer overflow when seeing whether errors occurred. - - * src/seq.c (print_numbers): Now returns void, not (zero) int. - All callers changed. - (main): Remove unused local variable 'errs'. Always exit successfully - if we reach the end. - - * src/setuidgid.c (SETUIDGID_FAILURE): Renamed from FAIL_STATUS, - for consistency with other programs here. All uses changed. - (main): Use 'error' to exit rather than invoking 'exit' here. - - * src/sort.c: Don't include <assert.h>. - (SORT_OUT_OF_ORDER, SORT_FAILURE): Now enums, not macros. - (usage): Don't use 'assert'. - (main): Remove redundant assignment to exit_failure. - - * src/system.h (EXIT_FAIL, EXIT_CANNOT_INVOKE, EXIT_ENOENT): - New enum values. - (initialize_exit_failure): New inline function. - Include exitfail.h here, since we refer to exit_failure. - All callers changed to not include exitfail.h. - - * src/tty.c (TTY_FAILURE, TTY_WRITE_ERROR): New enum values; - substitute them for the corresponding integer constants. - - * tests/help-version (expected_failure_status_date): Remove, as - 'date' is now normal. - (expected_failure_status_nohup): New var. - -2004-01-21 Jim Meyering <jim@meyering.net> - - * tests/touch/relative: Remove `command' syntax. - Thanks to Nelson H. F. Beebe and Paul Eggert. - - * tests/touch/relative: Test only year/month/day, not hours/min/sec, - so as to avoid problems with systems using TAI clocks. - Although it's no longer necessary, set TZ=UTC0 also for the - initial touch command. Reported by Paul Jarc here: - http://article.gmane.org/gmane.comp.gnu.core-utils.bugs/1504 - -2004-01-20 Diego Biurrun <diego@biurrun.de> - - * src/dircolors.hin: Add .mov to the list of media files. - -2004-01-19 Paul Eggert <eggert@twinsun.com> - - * tests/touch/relative: Use TZ=UTC0, not TZ=utc (which isn't - portable). Problem reported by Christian Krackowizer. Also, use - +0000 rather than +0 to specify a time zone, as the documentation - requires four digits. - -2004-01-19 Jim Meyering <jim@meyering.net> - - * tests/mv/hard-4: Run envvar-check in case SIMPLE_BACKUP_SUFFIX is set. - * tests/mv/backup-is-src: Likewise. - Problem reported by Peter Horst - -2004-01-17 Jim Meyering <jim@meyering.net> - - * announce-gen (print_changelog_deltas): Use .sig suffix, not .asc. - - * Version 5.1.1. - -2003-12-15 Paul Eggert <eggert@twinsun.com> - - * NEWS, doc/coreutils.texi: touch -r and -d can now both be specified, - with -r specifying the origin for -d. - * src/touch.c (flexible_date): Remove static var. - (get_reldate): New function. - (main): Use it, to implement this new behavior. - -2004-01-16 Jim Meyering <jim@meyering.net> - - * tests/touch/relative: New test for the above. - * tests/touch/Makefile.am (TESTS): Add relative. - -2004-01-13 Jim Meyering <jim@meyering.net> - - * src/system.h: Include contents of sys2.h. - * src/sys2.h: Remove file. - * src/Makefile.am (noinst_HEADERS): Remove sys2.h. - - * Use automake-1.8.2. Regenerate dependent files. - - * Update to gettext-0.13.1. - * configure.ac: Use gettext-0.13.1. - * .x-sc_space_tab: Add m4/po.m4 to the list of exceptions. - -2004-01-12 Jim Meyering <jim@meyering.net> - - * Makefile.maint (%.sig): Use .sig suffix rather than .asc. - - * Makefile.maint (po-check): Ensure that cvsu works before using it. - Reported by Alexandre Duret-Lutz. - - * src/tail.c (main): Warn about following stdin only when it's a tty. - - * configure.ac: Use gl_DEFAULT_POSIX2_VERSION. - -2004-01-10 Jim Meyering <jim@meyering.net> - - * tests/misc/stat-fmt: Use backticks, not `$()' notation. - -2004-01-09 Jim Meyering <jim@meyering.net> - - * configure.ac: Quote underquoted `jm_DUMMY_1' to avoid new warning. - -2004-01-08 Jim Meyering <jim@meyering.net> - - * src/stat.c (human_fstype): Use %lx, not %x format for `unsigned long'. - From Andreas Schwab. - - * tests/Makefile.am (TESTS_ENVIRONMENT): Remove `/vg' (prerelease test - remnant) from PATH component. That would cause tests in this directory - not to run the just-built binaries, but rather whatever happened - to be in one's PATH. Reported by Christian Krackowizer. - -2004-01-04 Jim Meyering <jim@meyering.net> - - * src/csplit.c (new_control_record): Use x2nrealloc - rather than xrealloc. - - * src/cp.c (re_protect): Use ASSIGN_STRDUPA rather than - alloca and strcpy. - (make_path_private): Likewise. - -2004-01-03 Jim Meyering <jim@meyering.net> - - * src/paste.c: Use `bool' (not int) as the type for a few - global variables. - (collapse_escapes): Rewrite to set globals rather than modifying - its parameter. - Use size_t (not int) for all counters and related index variables. - (paste_parallel): Remove needless complexity of - using xrealloc in the loop; just allocate the buffers up front. - Free the two temporary buffers. - Move declarations of locals `down' into scope where used. - (paste_serial): Remove `register' attributes. - (main): Simplify delim-related code. - Free `delims', now that it's malloc'd. - -2004-01-02 Jim Meyering <jim@meyering.net> - - * src/chroot.c: Include "quote.h". - (CHROOT_FOUND_BUT_CANNOT_INVOKE, CHROOT_FAILURE): Define. - (main): Exit with status of 127, not 1, for too-few-args, - chroot failure, or chdir failure. - Give a better diagnostic upon execvp failure. - - * src/du.c (usage): Mention that, with its current meaning, - -H is deprecated. - - * src/tail.c (main): Warn about following stdin when it's a tty. - Fail when following by name but no names are specified. - -2003-12-30 Jim Meyering <jim@meyering.net> - - * src/fold.c (main): Use memcpy, not strcpy. - - * src/copy.c (copy_internal): Use ASSIGN_STRDUPA rather than - alloca and strcpy. - -2003-12-28 Jim Meyering <jim@meyering.net> - - * src/unexpand.c (n_tabs_allocated): New global. - (add_tabstop): Use x2nrealloc rather than xrealloc. - * src/expand.c: Likewise. - - * tests/misc/expand: New file. - * tests/misc/Makefile.am (TESTS): Add expand. - - * src/sort.c (add_temp_dir): Use x2nrealloc rather than xrealloc. - (fillbuf): Use x2nrealloc rather than xrealloc. - (sort): Use xnmalloc rather than xmalloc. - (main): Likewise. - -2003-12-27 Jim Meyering <jim@meyering.net> - - * src/tee.c (tee): Use xnmalloc rather than xmalloc. - -2003-12-29 Paul Eggert <eggert@twinsun.com> - - * NEWS: Remove support for join -j1 FIELD, -j2 FIELD, and -o LIST1 - LIST2 in POSIX 1003.1-2001 hosts, as required by POSIX. - - * doc/coreutils.texi (join invocation): Remove documentation - accordingly. Document that -t makes all separators significant. - - * src/join.c: Include posixver.h. - (obsolete_usage): New var. - (longopts): Put obsolete options first. - (OBSOLETE_LONG_OPTIONS): New constant. - (get_option, add_file_name): New functions. - (main): Use them to support new behavior. - (usage): Remove documentation for -j1 FIELD and -j2 FIELD. - Do not mark -j FIELD as obsolescent; it is longstanding - UNIX tradition and is a valid extension to POSIX. - - * tests/join/Test.pm (tv): Avoid obsolete -o usage. - -2003-12-28 Paul Eggert <eggert@twinsun.com> - - * src/join.c (add_field_list): Don't use alloca with unbounded - size; just modify the argument, which is no longer const *. - - Various other minor cleanups, mostly to avoid the need for casts. - - (extract_field): Renamed from ADD_FIELD, as it's now a function. - - (struct field.beg): Now char *, not unsigned char const *. All - uses changed. It shouldn't be const since xmemcoll writes on its - arguments. - (extract_field): Likewise, for 2nd arg. - (keycmp): Remove now-unnecessary cast of xmemcoll args. - - (is_blank): New function, to avoid need to cast arg to unsigned char. - (extract_field): Use it. - - (xfields): Rewrite pretty much from scratch. - - (hard_LC_COLLATE): Now bool, not int. - (get_line, getseq, add_field_list): Now returns bool, not int. - (decode_field_spec, add_field_list): Return true on success (not - false), for consistency with the rest of the code. All uses changed. - - (tab): Now char, not unsigned char. This wasn't 100% necessary - but is slightly cleaner. - (prjoin): Hoist (tab ? tab : ' ') expression, to help the compiler. - - (empty_filler): Now const *. - - (make_blank): Remove; wasn't needed. Remove all calls. - (main): Don't set uni_blank.nfields; zero is fine. - -2003-12-27 Jim Meyering <jim@meyering.net> - - * src/join.c: Include "quote.h". - (min, max): Remove definitions. - Make a few function parameters and corresponding - locals `const'. Use bool for boolean variables. - Use size_t (not int) for all counters and related index variables. - (prjoin): Remove now-useless assertion. - (string_to_join_field): New function. - (main): Accept join fields as large as SIZE_MAX. - (keycmp): Rename `min' to MIN and max to MAX. - -2003-12-26 Jim Meyering <jim@meyering.net> - - fold -s didn't work on e.g., alpha-based systems. - * src/fold.c (fold_file): Adjust types (int->size_t) so that using - x2nrealloc works properly on systems with differing sizes for int - and size_t. Reported by Nelson Beebe. - - * src/fold.c: Use `bool' (not int) as the type for a few - global variables. - -2003-12-23 Paul Eggert <eggert@twinsun.com> - - * src/ls.c (length_of_file_names_and_frills): - Remove forward decl; not needed. - (print_file_name_and_frills, length_of_file_name_and_frills): - With -m, don't output spaces before inum or size. - (print_with_commas): Don't output space just before newline. - -2003-12-24 Jim Meyering <jim@meyering.net> - - * tests/ls/Makefile.am (TESTS): Add m-option. - * tests/ls/m-option: New file. Test for above fixes. - -2003-12-20 Jim Meyering <jim@meyering.net> - - * Version 5.1.0. - - * src/pr.c: Change type of global, buff_allocated, to size_t. - - * src/join.c [struct seq]: Change types of members count and alloc - from `int' to `size_t'. - - * tests/Makefile.am (root-hint): Tweak wording. - - * src/du.c: Accept new option (-0, --null) that makes it so each - output line is NUL-terminated rather than newline-terminated. - - * src/dd.c (apply_translations): Don't prohibit conv=unblock,sync. - Reported by Volker Paul. - * tests/dd/Makefile.am (TESTS): Add unblock-sync. - * tests/dd/unblock-sync: New test for the above. - -2003-12-19 Jim Meyering <jim@meyering.net> - - * tests/misc/nohup: Double quote back-ticked expression, - in case it ends up having an unexpected value. - - * tests/ls/no-arg: Use ls's -1 option in both runs. - - * src/du.c (fts_debug): New global. - (FTS_CROSS_CHECK, DEBUG_OPT): Define. - (main): Make fts use FTS_TIGHT_CYCLE_CHECK. - (main) [DU_DEBUG]: Accept -d option. - -2003-12-18 Jim Meyering <jim@meyering.net> - - * src/ls.c (format_user): Increment dired_pos via two statements, - `dired_pos += width; dired_pos++;' rather than one, - `dired_pos += width + 1;' since the latter could conceivably overflow. - (format_group): Likewise. - From Paul Eggert. - - * configure.ac: Require automake-1.8. - -2003-12-12 Jim Meyering <jim@meyering.net> - - * Use automake-1.8. Regenerate dependent files. - -2003-12-08 Jim Meyering <jim@meyering.net> - - * Makefile.maint (news-date-check): New rule. - (alpha beta major): Depend on it. - -2003-12-03 Paul Eggert <eggert@twinsun.com> - - * NEWS: ls -l (and similar options) now adjust all columns to - fit the data. Generalized from a suggestion by Leah Q for file sizes. - * src/ls.c (INODE_DIGITS, LOGIN_NAME_MAX, ID_LENGTH_MAX): Remove. - (format_user_width, format_group_width, unsigned_file_size, - format_group): New functions. - (block_size_width): Renamed from block_size_size. - (inode_number_width, nlink_width, owner_width, group_width, - author_width, major_device_number_width, minor_device_number_width, - file_size_width): New vars. - (clear_files): Initialize them. - (gobble_file): Set them. Don't ceiling block_size_width to 7. - (print_long_file): Use them. - (gobble_file): Use a new local variable 'f' to make the code - smaller and more consistent with other functions. - (format_user): Output to stdout, not to a buffer, so that we - don't have to worry about buffer overrun. Update dired_pos. - (print_long_file): Don't put owner, group, author into buffer; - just print them directly. Don't assume link counts and - major and minor numbers fit into unsigned long int. - * tests/cp/same-file, tests/mv/part-symlink: Don't assume that - 'ls' output is fixed-width. - -2003-12-02 Jim Meyering <jim@meyering.net> - - * src/md5sum.c: Include sha1.h (reflect renaming: sha.h -> sha1.h. - -2003-11-27 Jim Meyering <jim@meyering.net> - - * Use automake-1.7f. Regenerate dependent files. - -2003-11-24 Paul Eggert <eggert@twinsun.com> - - Parse floating-point operands and options in the C locale. - POSIX requires this for printf, and we might as well be - consistent elsewhere (tail, sleep, seq). - - * src/printf.c: Remove decls of strtod, strtol, strtoul; no longer - needed now that we assume C89. Include "c-strtod.h". - (xstrtod): Call c_strtod, not strtod. - * src/sleep.c: Include "c-strtod.h". - (main): Update xstrtod call to include new argument, c_strtod. - * src/seq.c (scan_double_arg): Likewise. - * src/tail.c (parse_options): Likewise. - -2003-11-24 Jim Meyering <jim@meyering.net> - - * tests/rm/fail-2eperm: Handle another errno variant (HPUX, EPERM). - Reported by Mark Conty. - -2003-11-22 Jim Meyering <jim@meyering.net> - - * Makefile.maint (sc_xalloc_h_in_src): Remove rule. Subsumed by... - (sc_system_h_headers): Do this test only if sys2.h exists. - -2003-11-20 Jim Meyering <jim@meyering.net> - - * tests/help-version: Ensure that the bug-reporting address is - included in the --help output for every program. - * tests/Makefile.am (TESTS_ENVIRONMENT): Add $PACKAGE_BUGREPORT. - - * src/ptx.c (usage): Output bug-reporting address. - Reported by Dan Jacobson. - -2003-11-19 Jim Meyering <jim@meyering.net> - - * src/join.c (usage): Mention that FILE1 and FILE2 must be sorted - on the join fields. Suggestion from Bruce Robertson. - -2003-11-18 Jim Meyering <jim@meyering.net> - - `od -c -w9999999' could segfault - * src/od.c (dump): Use xnmalloc/free, not alloca. - -2003-11-16 Jim Meyering <jim@meyering.net> - - * Use autoconf-2.59. Regenerate dependent files. - - * tests/du/hard-link: Minor tweak: use mkdir -p. - - Fix read-from-free'd-buffer error detected by valgrind. - * src/csplit.c (remove_line): Don't return a pointer to data in - a freed buffer. Instead, arrange to free the buffer on the - subsequent call. - - * tests/misc/csplit: New test for above fix. - -2003-11-11 Jim Meyering <jim@meyering.net> - - * src/ls.c (extract_dirs_from_files): Avoid useless copy operations. - This avoids a warning from valgrind about memcpy with overlapping - source and destination. - - * configure.ac: Require automake-1.7.8. - -2003-11-09 Jim Meyering <jim@meyering.net> - - * Use automake-1.7.9. Regenerate dependent files. - - * src/rm.c: Support new options: --preserve-root and --no-preserve-root. - * src/chown.c: Likewise. - - * src/chown-core.c: Include "root-dev-ino.h". - (chopt_init): Initialize new member. - (change_file_owner): Support rm's new --preserve-root option. - - * src/remove.c: Include "root-dev-ino.h". - (remove_cwd_entries): Remove now-obsolete FIXME comment. - (remove_dir): Support rm's new --preserve-root option. - - * src/chown.c: Include "root-dev-ino.h". - Add new options: --preserve-root and --no-preserve-root. - - * src/chmod.c: Include "root-dev-ino.h". - (process_file): Use newly-factored-out ROOT_DEV_INO_CHECK and - ROOT_DEV_INO_WARN macros. - (get_root_dev_ino): Remove function definition, now that it's - been moved to a separate file. - (usage): Describe new options. - - * src/mv.c (rm_option_init): Initialized new member. - - * src/remove.h: Include "dev-ino.h". - (struct rm_options): Add new member: root_dev_ino. - * src/chown-core.h: Include "dev-ino.h". - (struct Chown_option): Add new member: root_dev_ino. - -2003-11-06 Jim Meyering <jim@meyering.net> - - * src/paste.c (paste_parallel): Use `sizeof *var' rather than - hard-coding `sizeof FILE*'. - -2003-11-05 Dennis Smit <ds@nerds-incorporated.org> - - * src/wc.c (main): Free `fstatus' so there is no confusion about - whether it's leaked or not. - * src/who.c (who): Likewise for `utmp_buf'. - -2003-11-05 Paul Eggert <eggert@twinsun.com> - - Fix 'cut' problems with size_t overflow and unsigned int. - More generally, resize integer variables to fit use more precisely. - * src/cut.c (ADD_RANGE_PAIR): Remove unnecessary parens. - (struct range_pair): Make members to be of type size_t, not unsigned. - (max_range_endpoint, eol_range_start): Now size_t, not unsigned. - (suppress_non_delimited, output_delimiter_specified, - have_read_stdin, print_kth, set_fields): Now bool, nt int. - (delim): Now unsigned char, not int. - (mark_printable_field, is_printable_field, is_range_start_index, - set_fields, set_fields, cut_bytes, cut_fields): - Use size_t, not unsigned, for field and byte counts. - (hash_int): Use uintptr_t, not unsigned, for pointers converted - to integers. This squeezes more info out of them. - (set_fields, cut_bytes, cut_fields, main): - Use bool, not int, for booleans. - (set_fields): Allocate zeroed byte array with xzalloc, not xcalloc. - -2003-11-05 Paul Eggert <eggert@twinsun.com> - - * man/Makefile.am (check-programs-vs-x): - Work even if $(programs) contains '$'. - Work even if 'missing=1' in environment. - Don't report an error simply because $(programs) outputs nothing. - -2003-11-05 Jim Meyering <jim@meyering.net> - - * Use autoconf-2.58. Regenerate dependent files. - - * src/tr.c (spec_init): Fix typo in last change. - - * src/sys2.h (case_GETOPT_VERSION_CHAR): Cast NULL to `(char *)' in - call to variadic version_etc function, so that it works even on systems - for which sizeof char* != sizeof int. - * src/true.c (main): Likewise. - * basename.c, chroot.c, cksum.c, dd.c, dirname.c, echo.c, expr.c: - * factor.c, hostid.c, hostname.c, link.c, logname.c, nice.c, nohup.c: - * pathchk.c, printenv.c, printf.c, pwd.c, setuidgid.c, sleep.c, stty.c: - * sync.c, test.c, tsort.c, unlink.c, uptime.c, users.c, whoami.c, yes.c: - Similarly, cast NULL to `(char *)' in call to variadic function, - parse_long_options, so that it works even on systems for which - sizeof char* != sizeof int. - A similar problem was reported by Harti Brandt in - http://mail.gnu.org/archive/html/bug-gnu-utils/2003-10/msg00320.html. - - * src/users.c (users): Free `utmp_buf' explicitly so that people - don't mistake this for a real leak. - Patch by Dennis Smit <ds@nerds-incorporated.org. - -2003-11-04 Paul Eggert <eggert@twinsun.com> - - * README: Document _POSIX2_VERSION. - -2003-11-04 Jim Meyering <jim@meyering.net> - - * src/tac.c (memrchr): Remove #if-0'd function. - (tac_stdin_to_mem): Clean up #if-0'd code. - - * src/od.c (decode_format_string): Remove unnecessary casts. - Use more maintainable `sizeof *var'. - (main): Call decode_format_string rather than decode_one_format, - now that `spec' may be NULL. - - * src/chmod.c (AUTHORS): Add my name. - - * src/split.c (next_file_name): Use `sizeof *var' rather than - hard-coding `sizeof size_t'. - - * src/sort.c (new_key): Use xzalloc, not xcalloc (1, ...). - - * src/cut.c (ADD_RANGE_PAIR): Use x2nrealloc rather than xrealloc, - to avoid potential overflow in pointer arithmetic. - (set_fields): Use not `1', but rather `sizeof *printable_field' as - second argument to xcalloc. - * src/od.c (decode_format_string, dump_strings): Use x2nrealloc - rather than xrealloc. - * src/date.c (show_date): Likewise. - * src/join.c (ADD_FIELD, initseq, getseq): Likewise. - * src/pr.c (store_char): Likewise. - * src/fold.c (fold_file): Likewise. - - * src/copy.c (triple_hash, triple_hash_no_name): Adjust to reflect - type changes (unsigned int -> size_t) in hash.c. - * src/cp-hash.c (src_to_dest_hash): Likewise. - * src/du.c (entry_hash): Likewise. - * src/ls.c (dev_ino_hash): Likewise. - * src/cut.c (hash_int): Likewise. Declare function as static. - -2003-11-03 Jim Meyering <jim@meyering.net> - - * tests/misc/Makefile.am (TESTS_ENVIRONMENT): Define PACKAGE_VERSION. - * tests/misc/fold: Fail the test immediately if we're not running - the expected version of fold. - -2003-11-02 Jim Meyering <jim@meyering.net> - - * src/tr.c (append_normal_char, append_range, append_char_class) - (append_repeated_char, append_equiv_class, spec_init): Use `sizeof *var' - rather than `sizeof EXPLICIT_TYPE'. The former is more maintainable - and usually shorter. - * src/copy.c (copy_internal): Likewise. - * src/join.c (initseq, add_field, make_blank): Likewise. - * src/od.c (main): Likewise. - * src/cp.c (make_path_private): Likewise. - * src/tsort.c (new_item, record_relation): Likewise. - - * src/df.c (add_fs_type, add_excluded_fs_type, main): Likewise. - (main): Also remove anachronistic cast of xmalloc return value. - * src/ptx.c (alloc_and_compile_regex, main): Likewise. - (main): Also remove anachronistic cast of xmalloc return value. - * src/sort.c (inittables): Likewise. - (sort): Also Split a long line. - -2003-10-25 Jim Meyering <jim@meyering.net> - - * src/copy.c (triple_hash, triple_hash_no_name): Adjust to reflect - type changes (unsigned int -> size_t) in hash.c. - * src/cp-hash.c (src_to_dest_hash): Likewise. - * src/du.c (entry_hash): Likewise. - * src/ls.c (dev_ino_hash): Likewise. - * src/cut.c (hash_int): Likewise. Declare function as static. - -2003-10-21 Jim Meyering <jim@meyering.net> - - Don't fail when run with VERBOSE=yes. - * tests/chgrp/basic: Do `set +x' before starting the subshell - from which we invoke chgrp. Otherwise, the output from the - VERBOSE=yes-induced `set -x' would result in spurious differences. - Reported by Russel Coker via Michael Stone. - -2003-10-19 Jim Meyering <jim@meyering.net> - - chmod now uses fts to perform a directory traversal when -R is - specified. Before, it operated on full path names, and as such - would encounter the PATH_MAX (often 4096) limit. - - * src/chmod.c: Include "xfts.h". - (process_file): Rename from change_file_mode. - Adapt to be used with fts. - (process_files): New function. - -2003-10-18 Jim Meyering <jim@meyering.net> - - * tests/du/deref-args: Ensure that du -D now dereferences all - symlinks specified on the command line, not just those that - reference directories. - - * basename.c, cat.c, chroot.c, cksum.c, comm.c, cp.c, csplit.c, cut.c: - * dd.c, df.c, dirname.c, du.c, echo.c, env.c, expr.c, factor.c, head.c: - * hostid.c, hostname.c, id.c, link.c, ln.c, logname.c, ls.c, md5sum.c: - * mv.c, nice.c, nl.c, nohup.c, paste.c, pathchk.c, pinky.c, pr.c: - * printenv.c, printf.c, pwd.c, rm.c, setuidgid.c, sleep.c, sort.c: - * split.c, stty.c, sum.c, sync.c, tac.c, tail.c, tee.c, test.c: - * touch.c, tsort.c, uniq.c, unlink.c, uptime.c, users.c, wc.c: - * who.c, whoami.c, yes.c (AUTHORS): Revert the WRITTEN_BY/AUTHORS change - of 2003-09-19. Now, AUTHORS is a comma-separated list of strings. - Update the call to parse_long_options so that `AUTHORS, NULL' are the - last parameters. - * src/true.c (main): Append NULL to version_etc argument list. - * src/sys2.h (case_GETOPT_VERSION_CHAR): Likewise. - -2003-10-17 Andreas Schwab <schwab@suse.de> - - * tests/mk-script: Get $srcdir from first parameter instead of - hardcoding it. - (main): Update usage. - - * tests/Makefile.am.in ($(srcdir)/$x-tests): Pass $(srcdir) as - first argument of mk-script. - ($(srcdir)/Makefile.am): Likewise. Prepend $(srcdir) to target. - -2003-10-17 Jim Meyering <jim@meyering.net> - - * src/mv.c (usage): Tweak descriptions of -i and -f so that the - generated `man' page is more readable. Suggestion from Dan Jacobson. - - * src/chown-core.c (change_file_owner): Handle the cases in - which fts_info indicates an error with the given entry. - - * src/du.c (main): Simply assign to bit_flags. - Don't bother with bit arithmetic. - - * tests/chmod/no-x: New file. - * tests/chgrp/no-x: New file. - * tests/chmod/Makefile.am (TESTS): Add no-x. - * tests/chgrp/Makefile.am (TESTS): Likewise. - - * src/du.c: Include "xfts.h". - (du_files): Use xfts_open, rather than fts_open. - * src/chown-core.c (chown_files): Likewise. - -2003-10-16 Jim Meyering <jim@meyering.net> - - * src/chgrp.c (main): Simply assign to bit_flags. - Don't bother with bit arithmetic. - * src/chown.c (main): Likewise. - Rename a couple of local variables. - Remove unnecessary casts. - - * src/tail.c (start_bytes): Rename local, remainder, to avoid - gcc's warning about shadowing a global. - -2003-10-15 Jim Meyering <jim@meyering.net> - - chown and chgrp now accept POSIX-mandated -H, -L, -P options and - use fts to perform a directory traversal when -R is specified. - Before, they operated on full path names, and as such would - encounter the PATH_MAX (often 4096) limit. - They are more efficient. For example, before, chgrp -R would - take almost 5 seconds to change about 2000 directories and fail - (with `File name too long'), while now it succeeds on a hierarchy - of depth 20,000 in 1/10 the time. - - * src/chown.c: Include "userspec.h" and "fts_.h". - (WRITTEN_BY): Add my name. - (getpwnam, getgrnam, getgrgid): Remove declarations. - (endpwent): Remove definition. - (usage): Update. - (main): Handle new options. - Call new function, chown_files rather than change_file_owner. - - * src/chgrp.c: Include "fts_.h". - (WRITTEN_BY): Add my name. - (MAXUID, MAXGID): Remove definitions. Use GID_T_MAX instead of - the latter. - (usage): Update. - (main): Handle new options. - Call new function, chown_files rather than change_file_owner. - - Rewrite to iterate through hierarchies using fts rather than - via explicit recursion. - * src/chown-core.c: Include "fts_.h" - (change_file_owner): Rewrite to use FTS* and FTSENT* and to operate - on a single file at a time. - (chown_files): New function. - * src/chown-core.h [enum Dereference_symlink]: Remove declaration. - [struct Chown_option] (recurse, force_silent): Change type to `bool'. - [struct Chown_option] (dereference): Remove member with ambiguous name. - [struct Chown_option] (affect_symlink_referent): New member. - (chown_files): New prototype. - - * tests/chgrp/recurse: Update tests accordingly. - * tests/chgrp/posix-H: New tests for the above. - * tests/chgrp/Makefile.am (TESTS): Add posix-H. - - * src/ln.c (usage): Clarify that --directory, -d, -F probably won't - work even for superuser. Suggestion from Dan Jacobson. - -2003-10-14 Paul Eggert <eggert@twinsun.com> - - Fix some number-parsing bugs, e.g., "head -n 100k@" wasn't - properly diagnosed. - * lib/human.c, lib/xstrtoimax.c, lib/xstrtol.c, lib/xstrtol.h, - lib/xstrtoul.c, lib/xstrtoumax.c: Sync with gnulib. - * src/sort.c (parse_field_count): Handle the case where overflow - and invalid suffix char are both reported. - -2003-10-14 Jim Meyering <jim@meyering.net> - - * src/ls.c (decode_switches) [TIOCGWINSZ]: Comment out the - warning-inducing test, ws.ws_col <= SIZE_MAX, since it was always - true on Linux. - -2003-10-13 Paul Eggert <eggert@twinsun.com> - - Fix to avoid a denial-of-service attack if the display width is - enormous. Also, clean up the code a bit by removing duplicate code. - - * src/ls.c (init_column_info): Remove forward decl; no longer needed. - (calculate_columns): New function, that contains code that used - to be common to print_many_per_line and print_horizontal. - (print_many_per_line, print_horizontal): Use it. - (decode_switches): Set max_idx here, not in calculate_columns. - (print_current_files): Don't call init_column_info; calculate_columns - now does that. - (init_column_info): Don't allocate a lot more space than is needed - to represent the current set of files. Allocate all the new - size_t cells in one call to xnmalloc, rather than a row at a time. - -2003-10-13 Jim Meyering <jim@meyering.net> - - * src/ls.c (init_column_info): Add another FIXME comment. - -2003-10-13 Paul Eggert <eggert@twinsun.com> - - Fix address-arithmetic bug in 'ls', reported by Georgi Guninski. - Remove several arbitrary limits on hosts where int cannot represent - all size_t values. - - * src/ls.c (struct bin_str.len, length_of_file_name_and_frills, indent, - nfiles, files_index, tabsize, line_length, struct column_info.line_len, - struct column_info.col_arr[0], max_idx): - Now size_t, not int. - (get_funky_string): Return bool indicating success, instead of - a negative count to indicate failure. Store number of columns - through new parameter OUTPUT_COUNT; that way, they can never - go negative. Change equals_end from int to bool. All uses - changed. - (struct column_info.valid_len): Now bool, not int. All uses changed. - (dired_dump_obstack, get_funky_string, clear_files, - extract_dirs_from_files, print_current_files, - print_many_per_line, print_horizontal, init_column_info, - put_indicator, length_of_file_name_and_frills, - print_with_commas): Use size_t, not int, for local variables - that count sizes. - (decode_switches): Decode sizes using xstrtoul, not xstrtol. - Check for TIOCGWINSZ returing negative values (or values greater - than SIZE_MAX!). - (visit_dir, main, parse_ls_color, queue_directory, add_ignore_pattern, - init_column_info): - Use xmalloc and xnmalloc, not XMALLOC. - (gobble_file): Use xnrealloc, not XREALLOC. - (print_color_indicator): Remove now-unnecessary cast to size_t. - -2003-10-12 Paul Eggert <eggert@twinsun.com> - - * tests/du/no-x: Change wording of diagnostic to match latest du.c. - * tests/sort/sort-tests: Remove from CVS; assume that people - brave enough to check coreutils out from CVS can rebuild it. - -2003-10-12 Jim Meyering <jim@meyering.net> - - New options: --preserve-root and --no-preserve-root. - * src/chmod.c (change_file_mode): Honor new option. - (change_file_mode): Strip trailing slashes on directory - argument passed to change_dir_mode. - (get_root_dev_ino): New function. - (main): Initialize global, root_dev_ino. - - * src/copy.c (copy_internal): Don't #ifdef-out simple uses of - S_ISLNK or S_ISSOCK. The S_IS* macros are guaranteed to be defined - via system.h. - * src/chmod.c (change_file_mode): Likewise. - -2003-10-08 Jim Meyering <jim@meyering.net> - - * src/csplit.c (main): Remove obsolete FIXME. - -2003-10-07 Jim Meyering <jim@meyering.net> - - * Use automake-1.7.8. Regenerate dependent files. - -2003-09-29 Paul Eggert <eggert@twinsun.com> - - csplit cleanup. - - * doc/coreutils.texi (csplit invocation): - The regexp offset need not have a sign; POSIX requires support - for signless offets. - - Be more careful about int widths. For example, remove some - arbitrary limits by replacing 'unsigned' with 'size_t', - 'uintmax_t', etc. Use standard bool rather than a homegrown type. - * lib/Makefile.am (libfetish_a_SOURCES): Add xstrtoimax.c. - * src/csplit.c (FALSE, TRUE, boolean): Remove. All uses changed - to <stdbool.h> usage. - (struct control): offset is now intmax_t, not int. - repeat_forever is now bool, not int. - (struct cstring): len is now size_t, not unsigned int. - (struct buffer_record): bytes_alloc, bytes_used, num_lines are now - size_t, not unsigned. start_line, first_available are now - uintmax_t, not unsigned. - (hold_count, control_used): Now size_t, not unsigned. - (last_line_number, current_line, bytes_written): - Now uintmax_t, not unsigned. - (save_to_hold_area, red_input, keep_new_line, record_line_starts, - create_new_buffer, get_new_buffer, load_buffer, find_line, - process_regexp, split_file, new_control_record, extract_regexp, - get_format_width, get_format_prec, max_out): - size args, locals, and returned values are now size_t, not unsigned - or int. - (get_first_line_in_buffer, find_line, write_to_file, - handle_line_error, process_line_count, regexp_error, process_regexp, - split_file): - File line, byte, and repetition counts are now uintmax_t, not unsigned. - (check_for_offset): Don't require a sign before the offset. - Use xstrtoimax to do the real work. - (extract_regexp): Remove harmful cast of size to unsigned. - 256 -> 1<<CHAR_BIT, for clarity. - (get_format_flags): Return at most 3, to avoid worries about overflow. - - (bytes_to_octal_digits): Remove. - - (cleanup): Don't check whether output_stream is NULL, since - close_output_file does that for us. - - (new_line_control, create_new_buffer): Use "foo *p = xmalloc - (sizeof *p);" instead of the more long-winded alternatives. - - (get_new_buffer): Use O(1) algorithm for resizing a buffer - to a much larger size, instead of an O(N) algorithm. - - (process_regexp): Use plain NULL rather than casted 0. - - (make_filename): Use %u, not %d, to format unsigned file number. - - (new_control_record): Use xrealloc exclusively, since it handles - NULL reliably. - - (extract_regexp): Change misspelled word in diagnostic. - - (get_format_width): Even if a minimum field width is specified, - allow room for enough octal digits to represent the value of - the maximum representible integer. This fixes a potential - buffer overrun. Calculate this room at compile-time, not - at run-time; this removes the need for bytes_to_octal_digits. - Check for overflow; this removes a FIXME. - - (get_format_prec): Don't allow precision to be signed; it's - not ANSI. Check for overflow. Remove hardcoded "11" as - default precision; this fixes a potential buffer overrun - on hosts with wider size_t. - - (get_format_conv_type): Change local variable to be of type - unsigned char, not int; this removes a potential subscript - violation on hosts where char is signed. - - (max_out): Replace "for (;*p;)" with more-standard "while (*p)". - Allow "%%" in format. Don't overflow when - counting lots of percents. - - (usage): Default sprintf format is %02u, not %d. - -2003-10-05 Jim Meyering <jim@meyering.net> - - * src/chown-core.c (change_file_owner): Remove set-but-not-used local. - - * src/du.c (du_files): Mark diagnostic for translation. - -2003-10-04 Jim Meyering <jim@meyering.net> - - * src/du.c (du_files): Ignore any failure of fts_close. - Give better diagnostics for failed fts_open. - - * src/du.c (MAX_N_DESCRIPTORS): Remove now-unused definition. - - Deprecate existing use of -H (aka --si). - * src/du.c (enum) [HUMAN_SI_OPTION]: New member. - [long_options]: Use HUMAN_SI_OPTION, not 'H'. - (main): Warn that the meaning of -H will soon change to be - POSIX compliant. - -2003-10-03 Jim Meyering <jim@meyering.net> - - * src/du.c: Accept --no-dereference (-P). - -2003-10-02 Jim Meyering <jim@meyering.net> - - * tests/du/trailing-slash: Adjust for slightly different output. - - Rewrite du.c to use fts. - * src/du.c: Include "fts_.h", not ftw.h. - (opt_dereference_arguments, arg_length, suffix_length): Remove globals. - (IS_FTW_DIR_TYPE): Remove definition. - (IS_DIR_TYPE): Define. - (is_symlink_to_dir): Remove now-unnecessary function. - (process_file, du_files): Rewrite to use fts. - - * tests/du/inaccessible-cwd: Ensure that even when run from an - inaccessible directory, du can still operate on accessible - directories elsewhere. - * tests/du/Makefile.am (TESTS): Add inaccessible-cwd. - - * tests/rm/deep-1: Ensure that du can process a hierarchy - of depth 400 while using no more than 50KB of stack space. - -2003-10-01 Akim Demaille <akim@epita.fr> - - * announce-gen (print_news_deltas): New function, extracted from main. - (main): Make `news_file' an array. - Use '...=s' => \@var for --news and --url-directory specs. - Before there were a couple of portability problems. - -2003-09-28 Jim Meyering <jim@meyering.net> - - * Makefile.maint (sc_cast_of_alloca_return_value): New rule. - (syntax-check-rules): Add it. - - * src/copy.c: Remove unnecessary cast of alloca, since now it's - guaranteed to be (void *). - * src/cp.c: Likewise. - * src/join.c: Likewise. - * src/ln.c: Likewise. - * src/ls.c: Likewise. - * src/od.c: Likewise. - * src/sys2.h (ASSIGN_STRDUPA): Likewise. - -2003-09-27 Jim Meyering <jim@meyering.net> - - Don't exhaust virtual memory when processing large inputs. - Fix this by removing csplit's internal free-list management; - instead rely on malloc for that. - - * src/csplit.c (free_list): Remove global. - (clear_all_line_control): Remove function. - (get_new_buffer): Always use create_new_buffer to obtain a - new buffer, rather than searching free_list. - (free_buffer): Just call free. - Reported by Nikola Milutinovic. - -2003-09-26 Jim Meyering <jim@meyering.net> - - * man/rm.x: Also list `chattr' in SEE ALSO section. - Suggestion from Mark Hubbart. - -2003-09-25 Jim Meyering <jim@meyering.net> - - * configure.ac: Don't invoke AC_AIX or AC_MINIX explicitly, now - that we use gl_USE_SYSTEM_EXTENSIONS, since it AC_REQUIREs them. - - * Use autoconf-2.57d. Regenerate dependent files. - -2003-09-24 Jim Meyering <jim@meyering.net> - - Minor efficiency tweak. - * src/ln.c (PATH_BASENAME_CONCAT): Use memcpy rather than strcpy. - (do_link): Likewise. - -2003-09-23 Jim Meyering <jim@meyering.net> - - * src/paste.c (paste_serial): Save errno after input error, - to report proper errno value. - Based on a patch from Paul Eggert. - - * src/tee.c (tee): Adjust fwrite arguments so that the return - value is the number of bytes written. - -2003-09-16 Paul Eggert <eggert@twinsun.com> - - Don't assume ferror sets errno. Bug reported by Bruno Haible. - - * src/comm.c (compare_files): Save errno after input error, - to report proper errno value. - * src/fold.c (fold_file): Likewise. - * src/od.c (check_and_close, skip, read_char, read_block): Likewise. - * src/unexpand.c (unexpand): Likewise. - - * src/csplit.c (close_output_file): Don't report bogus errno value - after ferror discovers an output error. We don't know the proper - errno value, since it might have been caused by any of a whole - bunch of calls, and it might have been trashed in the meantime. - Fixing this problem will require much more extensive changes; - in the meantime just say "write error". - * src/od.c (check_and_close, dump, dump_strings): Likewise. - * src/uniq.c (check_file): Likewise. - - * src/join.c (get_line): Report error right away if I/O fails, - so that the proper errno value is used. - * src/tac.c (tac_seekable, tac_file, save_stdin): Likewise. - * src/tee.c (tee): Likewise. - * src/uniq.c (check_file): Likewise. - - * src/od.c (skip): If a read fails, don't retry it later, so - that we report the proper errno. - - * src/tac.c (tac_mem): Don't return a value; nobody uses it. - - * src/tee.c (tee): Once a write failure has occurred, don't bother - writing anything more to that stream. - - * src/uniq.c (check_file): Check for ferror (stdout) even if - ostream == stdout. - - * src/yes.c (UNROLL): Remove. - (main): Exit immediately when write failure is detected. - Simplify code by assigning to argv when argc == 1. - -2003-09-21 Paul Eggert <eggert@twinsun.com> - - * src/ptx.c: Switch encoding from Latin-1 to UTF-8. - (WRITTEN_BY): Change "Franc,ois" (actually using - c-with-cedilla in Latin-1) to "F.", so that it's ASCII, as - xgettext requires. - -2003-09-19 Jim Meyering <jim@meyering.net> - - `du -D symlink-to-dir' would mistakenly omit the slash in - lines like this: 24 symlink-to-dir/subdir - * src/du.c (process_file): Fix offset calculation. - Reported by Jeff Sheinberg as Debian bug #211591; - http://bugs.debian.org/205251 - - * tests/du/deref-args: New file/test for the above. - * tests/du/Makefile.am (TESTS): Add deref-args. - - * src/du.c (process_file): Remove useless disjunct. - - * src/sys2.h (case_GETOPT_VERSION_CHAR): Rename parameter, Authors, - to Written_by. - * nearly all src/*.c files (WRITTEN_BY): Rename from AUTHORS. - Begin each WRITTEN_BY string with `Written by ' and end it with `.'. - Mark each WRITTEN_BY string as translatable. - - * basename.c, cat.c, chroot.c, cksum.c, comm.c, cp.c, csplit.c, cut.c: - * dd.c, df.c, dirname.c, du.c, echo.c, env.c, expr.c, factor.c, head.c: - * hostid.c, hostname.c, id.c, link.c, ln.c, logname.c, ls.c, md5sum.c: - * mv.c, nice.c, nl.c, nohup.c, paste.c, pathchk.c, pinky.c, pr.c: - * printenv.c, printf.c, pwd.c, rm.c, setuidgid.c, sleep.c, sort.c: - * split.c, stty.c, sum.c, sync.c, tac.c, tail.c, tee.c, test.c: - * touch.c, tsort.c, uniq.c, unlink.c, uptime.c, users.c, wc.c: - * who.c, whoami.c, yes.c: Revert yesterday's changes. - Instead, a subsequent change will embed `Written by ' in - each string along with the author names. - - * src/true.c: Revert yesterday's changes. - * src/sys2.h: Likewise. - -2003-09-18 Jim Meyering <jim@meyering.net> - - * basename.c, cat.c, chroot.c, cksum.c, comm.c, cp.c, csplit.c, cut.c: - * dd.c, df.c, dirname.c, du.c, echo.c, env.c, expr.c, factor.c, head.c: - * hostid.c, hostname.c, id.c, link.c, ln.c, logname.c, ls.c, md5sum.c: - * mv.c, nice.c, nl.c, nohup.c, paste.c, pathchk.c, pinky.c, pr.c: - * printenv.c, printf.c, pwd.c, rm.c, setuidgid.c, sleep.c, sort.c: - * split.c, stty.c, sum.c, sync.c, tac.c, tail.c, tee.c, test.c: - * touch.c, tsort.c, uniq.c, unlink.c, uptime.c, users.c, wc.c: - * who.c, whoami.c, yes.c: Update AUTHORS definition to be a - comma-separated list of strings and/or update the call to - parse_long_options so that `AUTHORS, NULL' are the last parameters. - * src/true.c (main): Append NULL to version_etc argument list. - * src/sys2.h (case_GETOPT_VERSION_CHAR): Likewise. - - * src/sort.c (numcompare): Rename local, logb, to log_b to avoid - shadowing the math function name. Also rename loga to log_a. - -2003-09-14 Jim Meyering <jim@meyering.net> - - * src/factor.c (print_factors): Give a separate diagnostic - for numbers that are too large, but otherwise valid. - Reported by Dániel Varga. - -2003-09-10 Jim Meyering <jim@meyering.net> - - * Use automake-1.7.7. Regenerate dependent files. - - * tests/Makefile.am (all_programs): Use ../src/tr -s ' ' '\n' in place - of `fmt -1'. Using the just-built tr is a little cleaner. - Christian Krackowizer reported that HPUX 10.20 doesn't have fmt. - * man/Makefile.am (programs, check-x-vs-1): Likewise. - -2003-09-09 Jim Meyering <jim@meyering.net> - - * src/copy.c: Alphabetize includes. - Remove duplicate inclusion of "same.h". - -2003-09-08 Jim Meyering <jim@meyering.net> - - * Makefile.maint (GZIP_ENV): Remove --rsyncable. - Didn't give enough of a benefit, mainly because it's not yet - in wide enough use. - - * Version 5.0.91. - - * man/Makefile.am (programs): Use ../src, not $(srcdir)/../src. - (check-programs-vs-x): Fail if $(programs) is empty. - - * src/remove.c: Add a comment. - -2003-09-07 Jim Meyering <jim@meyering.net> - - * src/remove.c (D_INO, ENABLE_CYCLE_CHECK) [D_INO_IN_DIRENT]: - Don't define. These symbols are no longer used. - - * tests/misc/tty-eof: Write ^D as \cD. - Complete the change of 2003-08-02. - - * Makefile.maint (po-check): Use cvsu, so that a temporary source - file in lib/ or src/ doesn't induce an unwarranted failure. - Add a kludge to filter out the sole generated source file that - also has translatable messages: src/false.c. - -2003-09-06 Jim Meyering <jim@meyering.net> - - * src/tail.c (enum): Add ALLOW_MISSING_OPTION. - (parse_options): Give a diagnostic for (but still accept) the - deprecated --allow-missing option. - -2003-09-04 Paul Eggert <eggert@twinsun.com> - - Don't ignore -S if input is a pipe. Bug report by Michael McFarland in - <http://mail.gnu.org/archive/html/bug-coreutils/2003-09/msg00008.html>. - - * src/sort.c (sort_buffer_size): Omit SIZE_BOUND arg. Compute the - size_bound ourselves. if an input file is a pipe and the user - specified a size, use that size instead of trying to guess the - pipe size. This has the beneficial side effect of avoiding the - overhead of default_sort_size in that case. All callers changed. - (sort): Remove static var size; now done by sort_buffer_size. - -2003-09-05 Jim Meyering <jim@meyering.net> - - * Use automake-1.7.6b and autoconf-2.57b. Regenerate dependent files. - - * tests/tail-2/tail-n0f: Wait .5 seconds for backgrounded process - to start, rather than just .1. Upon failure, print unexpected state. - -2003-09-04 Paul Eggert <eggert@twinsun.com> - - * src/head.c (elide_tail_lines_pipe): Don't assign 0 or - SAFE_READ_ERROR to tmp->nbytes. - * src/tail.c (pipe_lines, pipe_bytes): Likewise. - - * src/head.c (struct linebuffer): Change nbytes and nlines - from unsigned int to size_t. unsigned int is safe (after the - 2003-09-03 patch) but size_t is cleaner. - * src/tail.c (struct linebuffer, struct charbuffer): Likewise. - (pipe_bytes): Likewise for local variable 'i', which was 'int'. - - Standardize on BUFSIZ as opposed to other macro names and values. - * src/head.c (BUFSIZE): Remove. All uses changed to BUFSIZ. - * src/tail.c (BUFSIZ) [!defined BUFSIZ]: Remove. - stdio.h has always defined it, - and other code already assumes it's defined. - * src/tr.c (BUFSIZ) [!defined BUFSIZ]: Likewise. - (IO_BUF_SIZE): Remove; replace all uses with sizeof io_buf. - (io_buf): IO_BUF_SIZE -> BUFSIZ. - -2003-09-04 Paul Eggert <eggert@twinsun.com> - - * src/seq.c (step): Default to 1. - (print_numbers): Allow the output to be empty. - (main): The default step is 1, even if LAST < FIRST; - as per documentation. - * tests/seq/basic (onearg-2): Output should be empty. - -2003-09-05 Jim Meyering <jim@meyering.net> - - * Makefile.cfg (wget_files): Temporarily disable, until master - versions are restored to ftp.gnu.org. - - * configure.ac (AM_INIT_AUTOMAKE): Specify automake-1.7.6. - - Make seq's --width (-w) option work properly even when the - endpoint requiring the larger width is negative and smaller than - the other endpoint. - * src/seq.c (get_width_format): Include `-' in the set of bytes - allowed in a `simple' number (no decimal point, no exponent). - Reported by Patrick Mauritz. - -2003-09-02 Paul Eggert <eggert@twinsun.com> - - * NEWS: sort -t '\0' now uses a NUL tab. - sort option order no longer matters, unless POSIX requires it. - * src/sort.c (usage): Say "blanks" instead of "whitespace", - Similar fixes for many comments. - (TAB_DEFAULT): New constant, so that we can support NUL as - the field separator. - (tab): Now int, not char. Initialize to TAB_DEFAULT. - (specify_sort_size): If multiple sizes are specified, use the largest. - (begfield, limfield): Support NUL tab char. - (set_ordering): Do not let -i override -d. - (main): Report an error if incompatible -o or -t options are given. - Report an error for "-t ''". Allow "-t '\0'" to specify a NUL tab. - -2003-09-05 Jim Meyering <jim@meyering.net> - - * tests/sort/Test.pm [o2, nul-tab]: New tests for the above. - -2003-09-03 Andreas Schwab <schwab@suse.de> - - Bug report and patch here: - <http://mail.gnu.org/archive/html/bug-coreutils/2003-09/msg00009.html> - * src/tail.c (pipe_lines): Don't truncate return value from safe_read. - * src/head.c (elide_tail_lines_pipe): Likewise. - -2003-09-03 Jim Meyering <jim@meyering.net> - - * src/du.c (AUTHORS): Remove Larry McVoy's name, since the relatively - small amount of code from him was first moved to lib/human.c, and was - subsequently rewritten entirely. - * src/df.c (AUTHORS): Likewise. - -2003-08-22 Lawrence Teo <lcteo@uncc.edu> - - * src/md5sum.c (split_3): Accept the BSD format for generic - message digest modes. Currently works with BSD's MD5 and SHA1 - formats since these are the two algorithms presently used in - coreutils. Updated comments to reflect this change. - (bsd_split_3): Updated comments. - - * tests/md5sum/basic-1: New test to make sure that - `md5sum --check' doesn't accept the BSD SHA1 format (adapted - from `check-bsd' test in tests/sha1sum/basic-1). - - * tests/sha1sum/basic-1 (check-bsd2, check-bsd3): New tests for - --check exit status and BSD SHA1 format (adapted from tests - in tests/md5sum/basic-1). - -2003-08-30 Jim Meyering <jim@meyering.net> - - * src/ln.c (do_link): Use SAME_INODE rather than open-coding it. - - When source and destination arguments refer to the same file, reside - on a partition (e.g. VFAT) on which distinct names may refer to the - same directory entry (often due to variations in case), and when the - link count for the file is 1, mv no longer unlinks the file. Instead, - it gives the expected diagnostic that the source and destination are - the same. WARNING: this is an incomplete fix. If the file happens - to have a link count of 2 or greater, such an erroneous mv command - will still unlink it. - Although that is not possible on vfat or umsdos, it is possible on - other file system types, e.g., ntfs, and hpfs. - * src/copy.c (same_file_ok): Invoke same_name (which might still - return false for names that refer to the same directory entry) - only if the link count is 2 or more. - * tests/mv/vfat: Show how to demonstrate the above problem. - This test is not run. - * tests/mv/Makefile.am (EXTRA_DIST): Add vfat. - -2003-08-27 Jim Meyering <jim@meyering.net> - - * src/who.c: Change meaning of -l from --lookup to --login, per POSIX. - who's -l option has been eliciting an unconditional warning about - this impending change since sh-utils-2.0.12 (April 2002). - - * src/paste.c (paste_parallel): Don't output `EOF' (aka -1) as a `char'. - This would happen for nonempty files not ending with a newline. - Reported by Dan Jacobson. - * tests/misc/paste-no-nl: New file. Test for above-fixed bug. - * tests/misc/Makefile.am (TESTS): Add paste-no-nl. - - * src/stat.c (print_it): Avoid buffer overrun that would - occur when the user-specified format string ends with `%'. - Patch by Tommi Kyntola. - * tests/misc/stat-fmt: New file. Test for above-fixed bug. - * tests/misc/Makefile.am (TESTS): Add stat-fmt. - -2003-08-26 Jim Meyering <jim@meyering.net> - - Apply changes from bison. - * GNUmakefile (SHELL): Define to `sh', if necessary. - Add copyright. - * Makefile.maint (WGETFLAGS): Define to `-C off'. - Update all uses of $(WGET). - -2003-08-22 Akim Demaille <akim@epita.fr> - - * Makefile.cfg (local-checks-to-skip): New. - * Makefile.maint (local-check): Rename as... - (local-checks-available): this. - (local-check): New. - -2003-08-26 Akim Demaille <akim@epita.fr> - - * announce-gen (print_changelog_deltas): Neutralize "<#" as - "<\#" to avoid magic from Gnus when posting parts of this script. - -2003-08-25 Jim Meyering <jim@meyering.net> - - * src/stat.c (main): Warn about use of deprecated `-l' option. - -2003-08-22 Jim Meyering <jim@meyering.net> - - * src/stat.c (do_stat): For link count at end of line, use %h format, - instead of %-5h. The latter would make stat emit trailing spaces. - Reported by Dan Jacobson. - -2003-08-20 Jim Meyering <jim@meyering.net> - - * Makefile.am (EXTRA_DIST): Add .x-sc_space_tab .x-sc_sun_os_names - -2003-08-19 Jim Meyering <jim@meyering.net> - - * src/system.h: Include stdlib.h unconditionally, - as we're now assuming that part of hosted C89. - -2003-08-18 Jim Meyering <jim@meyering.net> - - * src/sys2.h (textdomain, bindtextdomain) [! ENABLE_NLS]: Define away, - to avoid warnings from gcc. - -2003-08-17 Jim Meyering <jim@meyering.net> - - Avoid unnecessary and sometimes time-consuming hostname lookups. - * src/who.c (print_user): Use strchr, not strrchr. - * src/pinky.c (print_entry): Likewise. - Patch by Michael Stone. - This fixes a typo I introduced in who-users.c on 1996-02-23. - - * Makefile.maint (makefile-check): Add 0-9 to the range of characters - disallowed between `@...@'. - -2003-08-16 Paul Eggert <eggert@twinsun.com> - - * configure.ac (fu_cv_sys_truncating_statfs): Remove; now - done by gnulib .m4 files. - (jm_DUMMY_1): Require gl_READUTMP, not jm_PREREQ_READUTMP. - * src/sys2.h (strtoull): Remove unused declaration. - -2003-08-16 Jim Meyering <jim@meyering.net> - - * man/Makefile.am (.x.1): Ensure that generated PROGRAM.1 files - are read-only. - - * src/tail.c (tail_lines): Fix a potential (but very hard to exercise) - race condition bug. The bug would be triggered when tailing a file - with file pointer not at beginning of file, and where the file was - truncated to have a length of less than the initial offset at just - the right moment (between the two lseek calls in this function). - - An invalid initial value for *read_pos would result in - `tail -n0 -f FILE' and `tail -c0 -f FILE' doing what amounted to a - busy-wait rather than sleeping between iterations. The bug manifests - itself only when tailing regular files that are initially nonempty. - * src/tail.c (tail_bytes): Set *read_pos to new file offset after - each xlseek call. - (tail_lines): Likewise, after lseek calls. - Reported by Nick Estes. See http://bugs.debian.org/205251 for details. - * tests/tail-2/tail-n0f: New file. Test for above fix. - * tests/tail-2/Makefile.am (TESTS): Add tail-n0f. - -2003-08-15 Jim Meyering <jim@meyering.net> - - * Makefile.maint (sc_space_tab): Use exclusion list in separate file. - (sc_sun_os_names): Likewise. - * .x-sc_space_tab, .x-sc_sun_os_names: New files. - - * man/help2man: Remove some SPACEs before TAB. - -2003-08-14 Paul Eggert <eggert@twinsun.com> - - * Makefile.maint (LC_ALL): Set to C. - * man/Makefile.am (ASSORT): New var. - (check-x-vs-1, programs): Use it. - * src/Makefile.am (ASSORT, check-README, ../AUTHORS): Likewise. - * tests/Makefile.am (ASSORT, all_programs): Likewise. - -2003-08-11 Jim Meyering <jim@meyering.net> - - fold -s -wN would infloop for N < 8 with TABs in the input. - E.g., this would not terminate: printf 'a\tb' | fold -w2 -s - * src/fold.c (fold_file): Move contents of `else'-block - out of conditional so it's used also for --spaces (-s). - * tests/misc/fold: Test for the above fix. - * tests/misc/Makefile.am (TESTS): Add fold. - -2003-08-10 Jim Meyering <jim@meyering.net> - - * src/nice.c [!NICE_PRIORITY]: Include <sys/resource.h> after - system.h so the types from time.h and sys/time.h are available. - It appears that this is necessary for OpenBSD, NetBSD, and - Darwin 6.5 (MacOS 10.2.5). Reported by Nelson Beebe. - -2003-08-06 Paul Eggert <eggert@twinsun.com> - - * NEWS: Add support for setting file timestamps to microsecond - resolution, on hosts that support this. - * src/copy.c, src/cp.c, src/install.c, src/touch.c: Include utimens.h. - * src/copy.c (copy_internal): - Set file timestamps with utimens, not utime. - * src/cp.c (re_protect): Likewise. - * src/install.c (change_timestamps): Likewise. - * src/touch.c (newtime, touch, main): Likewise. - -2003-08-09 Jim Meyering <jim@meyering.net> - - * Makefile.maint (sc_sun_os_names): New rule based on a regexp - from Paul Eggert. - (syntax-check-rules): Add it. - - * src/tail.c (main): Tweak Solaris OS version number in comment. - * src/wc.c (wc): Likewise - * tests/tail-2/fflush: Likewise. - - * src/tail.c: Add new undocumented option, --presume-input-pipe. - (pipe_lines): Use memchr to skip lines, rather than an explicit loop. - -2003-08-08 Paul Eggert <eggert@twinsun.com> - - Use new gnulib 'extensions' module. - * configure.ac: Invoke gl_USE_SYSTEM_EXTENSIONS instead of - AC_GNU_SOURCE. - -2003-08-08 Paul Eggert <eggert@twinsun.com> - - * tests/du/basic: Ensure that a/b/F has at least 65 bytes too. - -2003-08-09 Jim Meyering <jim@meyering.net> - - * tests/misc/split-fail: Reflect that `split -a 0' is now accepted. - For tests of obsolete behavior, don't presume that unsetting - _POSIX2_VERSION is equivalent to _POSIX2_VERSION=199209. - -2003-08-07 Paul Eggert <eggert@twinsun.com> - - * doc/coreutils.texi (split invocation): - Add -d or --numeric-suffixes option to 'split'. - From a suggestion by Jesse Kornblum. - * src/split.c (suffix_alphabet): New var. - (longopts, usage, next_file_name, main): Support -d. - (next_file_name, main): Allow -a0, as POSIX requires. - (next_file_name): Don't assume ASCII-like encoding; - 'a' through 'z' are not contiguous in EBCDIC. - -2003-08-05 Paul Eggert <eggert@twinsun.com> - - Merge getline from gnulib. - * lib/getline.h, lib/getline.c, m4/getline.m4: Merge from gnulib. - * lib/getndelim2.h, lib/getndelim2.c, m4/getndelim2.m4, m4/ssize_t.m4: - New files, from gnulib. - * lib/getdelim2.c, lib/getdelim2.h: Remove. - * lib/Makefile.am (libfetish_a_SOURCES): Change getdelim2.c and - getdelim2.h to getndelim2.c and getndelim2.h. - * m4/jm-macros.m4 (jm_MACROS): Use gl_GETNDELIM2 rather than - checking for getdelim. - (jm_CHECK_ALL_TYPES): Use gt_TYPE_SSIZE_T for ssize_t rather - than rolling our own. - * src/cut.c: Include getndelim2.h rather than getdelim2.h. - (cut_fields): Invoke getndelim2 rather than getdelim2. - -2003-08-04 Jim Meyering <jim@meyering.net> - - * src/sort.c (main): Use unsigned int instead of int for `nsigs' - and for the indices to iterate through nsigs. - -2003-08-02 Paul Eggert <eggert@twinsun.com> - - * src/sort.c: Minor code cleanups, mostly to use more accurate - types and to remove unnecessary casts. - (min, max): Remove. All uses changed to MIN and MAX. - (hard_lc_collate, hard_LC_TIME, struct buffer.eof, struct - keyfield.skipsblanks, struct keyfield.skipeblanks, struct - keyfield.numeric, struct keyfield.general_numeric, struct - keyfield.month, struct keyfield.reverse, reverse, unique, - have_read_stdin): Now bool, not int. All uses changed. - (eolchar): Now char, not int. - (struct keyfield.ignore): Now bool const *, not int *. - (struct keyfield.translate): Now char const *, not char *. - (struct month.name): Likewise. - (blanks, nonprinting, nondictionary): Now bool[], not int[]. - (cleanup, inittables, keycompare, check, mergefps, first_same_file, - check, sort, main): Use const * pointers when possible. - (month_cmp): Rewrite to avoid casts. - (inittables): Initialize tables unconditionally, to avoid branches. - (fillbuf): Return bool, not int. All uses changed. - (fillbuf, keycompare, new_key, main): - Use SIZE_MAX rather than (size_t) -1. - (trailing_blanks): Renamed from trim_trailing_blanks. - Return the number of blanks to trim. All uses changed. - (getmonth): Use trailing_blanks rather than open code. - (keycompare): Do not cast char * to unsigned char *; not needed. - CMP_WITH_IGNORE converts args to UCHAR, so no need to convert it - ourselves. - (compare, main): Use | rather than || to avoid jumps. - Replace "diff = NONZERO (alen)" with "diff = 1", since alen must - be nonzero there. - (check, first_same_file, sort, main): - Use bool instead of int local vars when possible. - (check): Merge the old 'checkfp' and 'check' into a single function, - that returns a boolean (true if the file was ordered). - All uses changed. - (main): Use int instead of unsigned for iterating through nsigs. - Rename local var "posix_pedantic" to "posixly_correct". - -2003-08-02 Jim Meyering <jim@meyering.net> - - * src/nice.c [!NICE_PRIORITY]: Include <time.h> before <sys/resource.h> - to avoid compilation error on Ultrix. Reported by Christian Krackowizer. - - * src/cut.c (cut_fields): Don't read again after encountering an - initial EOF. E.g., `cut -f2' would do so. - * tests/misc/tty-eof: Add a test for the above fix. - - * src/sort.c (sortlines): Add description and references. - From Paul Eggert. - - * tests/Makefile.am (TESTS_ENVIRONMENT): Set PATH so that - the tests in help-version will use the just-built binaries. - Reported by Christian Krackowizer. - -2003-07-31 Paul Eggert <eggert@twinsun.com> - - * NEWS: Add --rfc-2822 option to GNU date. - * doc/coreutils.texi (Time directives, Options for date, Examples - of date): Likewise. - * src/date.c (long_options, usage, main): Likewise. - * doc/getdate.texi (General date syntax): Likewise. - * doc/coreutils.texi (Options for date): Fix a typo in format: - it's now %d not %_d. Add URLs. - -2003-08-01 Jim Meyering <jim@meyering.net> - - * tests/shred/remove: Ensure that $? is 0 for the final `exit 0'. - Otherwise, with at least the /bin/sh from HPUX 10.20, - the trap code would end up converting that to exit 1 and thus an - unexpected test failure. Reported by Christian Krackowizer. - -2003-07-31 Paul Eggert <eggert@twinsun.com> - - * src/ptx.c: Do not include bumpalloc.h. - (WORD_TABLE): New member alloc. - (ALLOC_NEW_WORD): Remove. - (occurs_alloc): New var. - (digest_word_file, find_occurs_in_text): Check for arithmetic - overflow when computing table size. Use xrealloc rather than - bumpalloc primitives. - -2003-07-29 Jim Meyering <jim@meyering.net> - - * Version 5.0.90. - - * README: When running tests as root, suggest using - sudo with NON_ROOT_USERNAME=$USER. - - * tests/Makefile.am (all_programs): Makefile is in ../src, not - $(srcdir)/../src. - -2003-07-28 Jim Meyering <jim@meyering.net> - - * Makefile.maint (GZIP_ENV): Try Debian/gzip's new --rsyncable option. - -2003-07-28 Paul Eggert <eggert@twinsun.com> - - * lib/stdbool.hin (_Bool): Make it signed char, instead of - an enum type, so that it's guaranteed to promote to int. - * src/sort.c (sortlines_temp): Undo previous change. - -2003-07-28 Jim Meyering <jim@meyering.net> - - * src/sort.c (sortlines_temp): Declare local `swap' to be `int', not - `bool'. Otherwise, at least one buggy compiler (alpha gcc-2.95.4) - would cause lines[-1 - swap] (with swap = false) to evaluate to - lines[4294967295]. - -2003-07-27 Jim Meyering <jim@meyering.net> - - * tests/priv-check (my_uid): Use `!', not `^' in case pattern `[!0-9]', - since /bin/sh of at least NetBSD 1.6 and OpenBSD 3.2 don't accept `^'. - - * src/remove.c (prompt) [! recursive]: Don't prompt about unwritable - directories, as required by POSIX. Reported by Karl Berry. - * tests/rm/dir-no-w: New file. Test for the above fix. - * tests/rm/Makefile.am (TESTS): Add dir-no-w. - - * tests/mk-script: Emit `$xx', not its expansion. - -2003-07-27 Paul Eggert <eggert@twinsun.com> - - This change was inspired by a similar proposal by Stepan Kasal. - * src/sort.c (mergelines, sortlines_temp): New functions. - (sortlines): Use them, to reduce the number of times that - we need to copy 'struct line' values. This improved CPU - performance by about 30% on one 18 MB test. - (sort): Don't invoke sortlines unless we have 2 or more lines. - -2003-07-26 Stepan Kasal <kasal@ucw.cz> - - * src/sort.c (sort): Don't require two `struct line's per text line, - the new sort algorithm requires just 1.5. - -2003-07-27 Jim Meyering <jim@meyering.net> - - * src/pathchk.c (validate_path): Use %lu, not %ld. - From Paul Eggert. - * src/cut.c (is_printable_field): Simplify bit arithmetic. - From Paul Eggert. - * src/ls.c (sort_files): Put `volatile' in the right place. - From Paul Eggert. - -2003-07-26 Jim Meyering <jim@meyering.net> - - Use only one bit per field/offset in array, not one `int'. - * src/cut.c (printable_field): Change type to `unsigned char'. - (mark_printable_field, is_printable_field): New functions. - Use them in place of all direct accesses of `printable_field'. - - * src/expand.c (parse_tabstops): Detect overflow properly. - * src/cut.c (set_fields): Likewise. - - * src/rm.c: Include "dirname.h". - (usage): Use base_name (program_name) in body of --help output. - This lets me... - * man/Makefile.am (.x.1): ...back out the kludge of 2003-07-22. - Idea from Brendan O'Dea, who suggested using - `program_name = basename (argv[0]);' everywhere -- - can't do that, but using base_name works just fine here. - - * src/Makefile.am (AM_INSTALLCHECK_STD_OPTIONS_EXEMPT): Exempt test. - -2003-07-24 Paul Eggert <eggert@twinsun.com> - - Fix some POSIX-compliance problems with 'test'. This makes - 'test' more compatible with Bash. - - * NEWS, doc/coreutils.texi: Document the following. - * src/test.c: Include exitfail.h. - (TEST_FAILURE): New constant, used for exit status if 'test' fails. - (test-syntax_error): Use it. - (binary_operator): Now takes bool arg specifying whether left operand - is -l ARG, so that caller determines this rather than us. - All uses changed. - (term): Use posixtest to evaluate parenthesized subexpressions. - (unary_operator, one_argument): Remove support for -t without operand. - (one_argument): Take argument from argv[pos]. - (one_argument, two_arguments, three_arguments): Advance pos. - All callers changed. - (three_arguments): Look for binary ops before "!". Then look - for parenthesized one_argument expressions, instead of trusting - expr () to do the right thing. - (posixtest): Now takes number of args. All callers changed. - Treat "( A B )" like "A B". - (main): Set exit_failure to TEST_FAILURE. Don't depend on - POSIXLY_CORRECT, as we now conform to POSIX by default. - (main) [!LBRACKET]: Do not recognize "--help" or "--verbose" unless. - * tests/test/Test.pm (test_vector): Add several tests to check - the above. Syntax errors now exit with status 2, not 1. - * man/Makefile.am (mapped_name): Use `../src/[' binary to create test.1. - -2003-07-26 Jim Meyering <jim@meyering.net> - - * tests/help-version: Adjust for above change in test behavior: - `[' exits with 2, not 1, and test doesn't accept --help or --version. - - * Makefile.maint (ME): Don't use trick suggested in Make manual. - It doesn't work for make-3.79.1. Reported by Christian Krackowizer. - - * Makefile.maint (sc_system_h_headers): Another syntax check. - (syntax-check-rules): Add it to the list. - - * src/pathchk.c (validate_path): Cast strlen value to `unsigned long' - so it matches `%ld' format even on 32-bit systems. - - * src/fmt.c (flush_paragraph): Cast field width to `int' to - avoid warning on 64-bit systems. - - * src/ls.c (sort_files): Make `func' volatile, so it can't be - clobbered by a `longjmp' into this function. - -2003-07-25 Jim Meyering <jim@meyering.net> - - * src/pathchk.c (validate_path): Use %ld format (not %d) for size_t - value. - - * tests/misc/split-fail: Disable the --line-bytes=$_4gb test, - because it'd evoke spurious failure on 64-bit systems. - -2003-07-24 Jim Meyering <jim@meyering.net> - - * src/dd.c (usage): Document the fact that SIGUSR1 makes dd - output its current record counts. Reported by Jurriaan. - - * tests/wc/Test.pm (test_vector): Disable the `PIPE' tests when running - `wc' with no options. This goes along with the change of 2003-07-20. - -2003-07-23 Jim Meyering <jim@meyering.net> - - Don't include headers already included by system.h: - * src/tr.c: Don't include errno.h. - * src/true.c: Don't include version-etc.h. - * src/test.c: Don't include limits.h or error.h. - * src/stat.c: Don't include unistd.h or time.h. - * src/readlink.c: Don't include stdlib.h, unistd.h, or limits.h. - * src/pr.c: Don't include time.h. - * src/pathchk.c: Don't include errno.h. - * src/nice.c: Don't include sys/time.h. - * src/ls.c: Don't include stdlib.h. - - * basename.c, cat.c, chroot.c, cksum.c, comm.c, csplit.c, cut.c, date.c: - * dd.c, dirname.c, echo.c, env.c, expand.c, expr.c, factor.c, fmt.c: - * fold.c, head.c, hostid.c, hostname.c, id.c, join.c, kill.c, logname.c: - * md5sum.c, nice.c, nl.c, nohup.c, od.c, paste.c, pathchk.c, pinky.c: - * pr.c, printenv.c, printf.c, ptx.c, pwd.c, seq.c, setuidgid.c, shred.c: - * sleep.c, sort.c, split.c, stat.c, stty.c, su.c, sum.c, tac.c, tail.c: - * tee.c, test.c, tr.c, true.c, tsort.c, tty.c, uname.c, unexpand.c: - * uniq.c, uptime.c, users.c, wc.c, who.c, whoami.c, yes.c: - Don't include closeout.h. - - * tests/rm/fail-2eperm: Add a check for whether $NON_ROOT_USERNAME - can access the required version of rm. - * tests/rm/Makefile.am (TESTS_ENVIRONMENT): Define PACKAGE_VERSION. - - * tests/cut/Test.pm (out-delim3a): New test. - - * man/help2man: Update to version 1.33. - - * src/expand.c (parse_tabstops): Detect overflow in tabstop sizes. - - * src/dircolors.c: Include xstrndup.h. - (xstrndup): Remove function, now that it's been factored out into - it's own file. - -2003-07-22 Paul Eggert <eggert@twinsun.com> - - * src/wc.c (wc): Fix typo in computation of file from file_x, - which caused the former to be used uninitialized if file_x was - nonzero. - -2003-07-22 Jim Meyering <jim@meyering.net> - - * src/cut.c (set_fields): Use xcalloc in place of xmalloc+memset. - - * man/Makefile.am (.x.1): Substitute 's,$t/$*,$*,' on output of - help2man, to avoid having `rm.td/rm' appear in rm.1. Reported by - Thomas Luzat. See http://bugs.debian.org/202413 for details. - - * src/cut.c (main) [lint]: Initialize spec_list_string to avoid warning. - - * src/hostid.c: Don't include <unistd.h>. system.h already does that. - - * src/cut.c (set_fields): Mark all selected indices before trying to - determine range endpoints. - * tests/cut/Test.pm: New test for the above fix. - - Begin to address this comment: What if someone wants to - extract the 1,000,000-th field of some huge input file? - The first step is to rearrange things so that the values - in the printable_field array are all 0/1 rather than 0/1/2. - * src/cut.c (RANGE_START_SENTINEL): Remove. - Store range-start indices in a hash table, rather than - overloading the `printable_field' array. - (range_start_ht): New global. - (hash_int, hash_compare_ints, is_range_start_index): New functions. - (print_kth): Use is_range_start_index; don't test printable_field. - (set_fields): Detect overflow. - (set_fields): Insert each range-start index into range_start_ht. - (main): Call set_fields only once, and only after - output_delimiter_specified and (if required) range_start_ht have - been defined. - -2003-07-20 Paul Eggert <eggert@twinsun.com> - - * src/wc.c (get_input_fstatus): Fix typo: `stat' was being - invoked with a null pointer when there were no file arguments. - -2003-07-20 Jim Meyering <jim@meyering.net> - - * Makefile.maint (sc_changelog): Add another nit-picky check. - - * src/wc.c (write_counts): Add a comment. - (wc): Rename `file' parameter. - Set new local, `file', to be the file name, or (when it's NULL) - _("standard output") so that all uses of `file' use the proper value. - Use STREQ, not strcmp. - -2003-07-20 Paul Eggert <eggert@twinsun.com> - - wc count field widths now are heuristically adjusted depending - on the input size, if known. If only one count is printed, it - is guaranteed to be printed without leading spaces. - - Previously, wc did not align the count fields if - POSIXLY_CORRECT was set, but POSIX did not actually require - this undesirable behavior, so it has been removed. - - * NEWS: Document this. - * doc/coreutils.texi (wc invocation): Likewise. - - * src/wc.c (number_width): New var. - (posixly_correct): Remove. - (struct fstatus): New struct. - (write_counts): Output fields of width number_width. - Do not worry about POSIXLY_CORRECT. - Use null file, not empty-string file, to denote stdin, - since "" is a valid file name on some hosts. - (wc, wc_file): New arg fstatus. Use it to avoid invoking fstat - if possible. - (wc): Avoid problems if end_pos - current_pos overflows. - Do not print odd message if stdin has a read error. - (get_input_fstatus, compute_number_width): New functions. - (main): Use them to implement the new behavior. - Ignore POSIXLY_CORRECT. - - * tests/wc/Test.pm: Adjust to the new output widths. - -2003-07-19 Jim Meyering <jim@meyering.net> - - * tests/rm/fail-eperm: Don't create temporary directory -- - we don't use it. - - * tests/shred/remove: Don't open-code test for UID != 0. - Use priv-check's require-non-root instead. - Update to use newer framework. - - * tests/help-version (expected_failure_status_expr): Record that - expr exits with status of 3 for e.g., a write error. - - * tests/priv-check: Use `id -u' to see if we're running as root, - rather than trying go write to an write-protected file. - When running as root, ensure $NON_ROOT_USERNAME is valid. - When running as root with `require-non-root', ensure that `.' - is writable by $NON_ROOT_USERNAME, then reinvoke $0 set-user-ID - to $NON_ROOT_USERNAME. If `.' is not writable, then skip the test. - - * src/printenv.c: Include "exitfail.h". - (main): Set exit_failure rather than calling close_stdout_set_status. - * src/date.c: Likewise. - * src/sort.c: Likewise. - * src/tty.c: Likewise. - -2003-07-18 Jim Meyering <jim@meyering.net> - - * tests/touch/not-owner: Update to use newer framework. - - * tests/rm/fail-eperm: Use $srcdir/../priv-check, create a temporary - directory, and remove Perl-coded `you may not run as root' test. - * tests/cp/fail-perm: Use $srcdir/../priv-check, rather than - hard-coding something not quite equivalent. - Paul Jarc reported the inconsistent diagnostics. - - * src/sort.c (main): Use close_stdout via atexit. - Now `sort --version' and `sort --help' fail, as they should - when their output is redirected to /dev/full. - - * src/su.c (usage): Don't call close_stdout here. - (main): Use close_stdout via atexit. - Now `su --version > /dev/full' fails, as it should. - Somehow, the change of 2000-05-07 that purports to fix this - was not checked in. - - * tests/help-version (--help/--version vs. /dev/full): Special-case - `[' to protect it from expected_failure_status-`eval'. - - * src/uniq.c (writeline): Use a SPACE, not a TAB between the - count and the corresponding line, as required by POSIX. - Reported by Clement Wang. - * tests/uniq/Test.pm (101, 102): Update tests of -c accordingly. - - * tests/expr/basic: Add tests for when exit status is 2. - - * src/nohup.c (NOHUP_FOUND_BUT_CANNOT_INVOKE, NOHUP_FAILURE): - Use an anonymous `enum', rather than #define. - -2003-07-17 Paul Eggert <eggert@twinsun.com> - - * src/expr.c: Include "exitfail.h", "quotearg.h". - (EXPR_INVALID, EXPR_ERROR): New constants. - (nomoreargs, null, toarith, nextarg): Return bool, not int. - (syntax_error): New function, exiting with status 2. Use it - insteading of printing "syntax error" ourselves. - (main): Initialize exit_failure to EXPR_ERROR. - Exit with EXPR_INVALID on syntax error (too few arguments). - (nextarg): Use strcmp, not strcoll; strcoll might return - an undesirable 0, or might fail. - (docolon, eval4, eval3): Exit with status 3 on invalid argument type - or other such error. - (eval2): Report an error if strcoll fails in a string comparison. - * src/sort.c: Include "exitfail.h". - (main): Set exit_failure, not xalloc_exit_failure and - xmemcoll_exit_failure. - * tests/expr/basic: Invalid value exits with status 3, not 2. - -2003-07-16 Jim Meyering <jim@meyering.net> - - * configure.ac (AC_INIT): Use 5.0.90 as the version, rather than 5.0.2, - per GNU maintainer guidelines. The next non-beta release will be 5.1. - - This script would have caught at least two recent bugs: - those in [ and kill. - * tests/help-version: Revive this script. - It wasn't doing anything useful, since $all_programs wasn't being - defined by the invoking Makefile.am. - Reflect that nohup is no longer a script, so don't exclude it. - Add framework to handle the programs added since it was last run: - kill, stat, unlink, [, link, readlink. - Fix path-related problems deriving from the move of this script - from src/ to its present location. - * tests/Makefile.am (all_programs): Define. - (TESTS_ENVIRONMENT): Use it. - - * src/kill.c (main): Fix bug introduced on 2003-05-10 (for 5.0.1) - whereby kill would always attempt to operate on argv[0] and fail. - - * src/test.c (integer_expected_error): Improve diagnostic -- now, - it also matches the one from bash's builtin test. - (binary_operator): Add \n at end of diagnostic. - - * tests/rm/fail-2eperm: Remove setuidgid-related code. Move it to ... - * tests/priv-check: Move setuidgid-related and - NON_ROOT_USERNAME-checking code to this file. - - * README: Update section on testing as `root'. - Suggestion from Paul Jarc. - - * src/test.c (AUTHORS): Replace 3-letter usernames with the actual - names of authors that I just found in bash's builtins/test.def. - - Running `[' with no arguments would evoke a segfault. - * src/test.c (main) [LBRACKET]: Move initialization of argv to - precede potential use via test_syntax_error. - - * src/Makefile.am (AM_CPPFLAGS): Rename from `INCLUDES', to avoid - warning from automake -Wall. - -2003-07-15 Jim Meyering <jim@meyering.net> - - * Version 5.0.1. - - * Makefile.maint (%.asc): Remove target first, so gpg doesn't - prompt us about it. - - * announce-gen (print_changelog_deltas): Relax tests for matching - version-number line in NEWS. - Change the .sig suffix to .asc here, too. - -2003-07-14 Jim Meyering <jim@meyering.net> - - * Makefile.maint (%.asc): Renamed from %.sig. - Generate and use ascii-armored signatures. - Use gpg's -o option. - -2003-07-13 Jim Meyering <jim@meyering.net> - - * src/nohup.c (NOHUP_FAILURE, NOHUP_FOUND_BUT_CANNOT_INVOKE): Define. - (main): Use them. - - * Makefile.maint (syntax-check): Move each individual check into - its own target. - (syntax-check-rules): This is the list of syntax-check targets. - (sc_unmarked_diagnostics, sc_cast_of_argument_to_free): - (sc_cast_of_x_alloc_return_value, sc_space_tab): - (sc_error_exit_success, sc_xalloc_h_in_src): New targets. - -2003-07-12 Jim Meyering <jim@meyering.net> - - * configure.ac: Remove uses of OPTIONAL_BIN_ZCRIPTS and last - traces of the nohup script. - - * src/Makefile.am (bin_SCRIPTS): Remove use of just-removed - $(OPTIONAL_BIN_ZCRIPTS). - - * src/Makefile.am (localedir.h): Put the `2>&1' after the redirect - target, not before the `>'. - - * src/remove.c (remove_dir): Give a diagnostic upon failed save_cwd, - now that that function no longer calls `error'. - - * src/df.c (find_mount_point): Emit a diagnostic for each - failed syscall, rather than relying on caller to do that. - The caller couldn't do a good job, anyhow -- too many different - ways to fail (each with a different referent). - Give a diagnostic upon failed save_cwd, now that that function - no longer calls `error'. - (show_point): Don't diagnose find_mount_point's errors, now that - it handles them itself. - - * src/df.c (find_mount_point): Don't let free clobber errno upon - failed chdir. - - * src/sys2.h: Remove alloca-related block. - * src/system.h: Include <alloca.h> here, instead. - - It appears that the `#pragma alloca' included via "system.h" is - adequate, since join.c uses alloca, yet lacked an in-file #pragma. - * src/copy.c, src/cp.c, src/df.c, src/install.c, src/ln.c: - * src/ls.c, src/mv.c, src/remove.c: Remove `#pragma alloca'. - - * src/chown-core.c (change_file_owner): Do not restore any special - permission bits (e.g., set-user-ID, set-group-ID) that are reset - by chown(2) on some systems. Suggestion and insistence :-) from - Michael Stone. - - * tests/input-tty: Also check `test -t 1'. - This is necessary on linux-2.4.21. Otherwise, the stty/basic-1 - test would block when run in the background. - -2003-07-11 Jim Meyering <jim@meyering.net> - - * tests/sample-test: Also fail if cat-to-create-expected-output - fails. Otherwise, if both `exp' and `out' were to end up empty - because of e.g., a full disk, they would mistakenly compare equal. - - * src/nohup.c: New file. Rewrite of nohup.sh in C. - This solves a portability problem: on at least Solaris systems, - when nohup.sh used the vendor /bin/sh, it would exit with status - of `1' rather than the required 126 or 127 upon failure to exec - the specified program. - - * src/Makefile.am (EXTRA_SCRIPTS): Remove definition. - (bin_PROGRAMS): Add nohup. - (EXTRA_DIST): Remove nohup.sh. - (all_programs): Remove use of $(EXTRA_SCRIPTS). - * src/nohup.sh: Remove file. - * man/Makefile.am (nohup.1): Depend on nohup.c, rather than nohup.sh. - - * tests/misc/nohup: Tests for the above. - * tests/misc/Makefile.am (TESTS): Add nohup. - - * src/head.c (diagnose_copy_fd_failure): New function, renamed from - the macro, COPY_FD_DIAGNOSE. - (diagnose_copy_fd_failure): Enclose diagnostic in _(...). - (head_file): Likewise. - - * src/date.c: Include "quote.h". - (batch_convert): Use the quote function rather than using literal `...' - in a diagnostic. - - * src/setuidgid.c (main): Enclose diagnostic in _(...). - * src/fmt.c (main): Likewise. - * src/mknod.c (main): Likewise. - * src/tac.c (tac_seekable): Likewise. - * src/yes.c (main): Likewise. - * src/od.c (main): Likewise. - * src/install.c (change_attributes): Likewise. - -2003-07-10 Jim Meyering <jim@meyering.net> - - * src/head.c (usage): Use 1024*1024 in place of 1048576. - * src/tail.c (usage): Likewise. - - * tests/rm/fail-2eperm: Now that we have setuidgid, use it in - place of the kludge in this test. Suggestion from Paul Jarc. - - * src/Makefile.am (noinst_PROGRAMS): Define to setuidgid. - * src/setuidgid.c: New program, solely for testing (not installed). - - * src/chown-core.c (change_file_owner): Don't leak file descriptors - when dereferencing symlinks. - -2003-07-09 Jim Meyering <jim@meyering.net> - - * tests/du/slash: New file/test for today's lib/ftw.c fix. - * tests/du/Makefile.am (TESTS): Add slash - - * src/tail.c (xlseek): Avoid warning about ``return without value - from function returning non-void''. - -2003-07-08 Jim Meyering <jim@meyering.net> - - * man/help2man: Update to version 1.29. - - * man/help2man: Add END handler to close STDOUT and check for errors. - -2003-06-30 Paul Eggert <eggert@twinsun.com> - - Add support for a "[" that conforms to the GNU coding standards, - i.e., that does not depend on its name. - * src/lbracket.c: New file. - * README: Add "[". - * man/Makefile.am (programs): Ignore "[", since it doesn't have - a separate man page. - * src/Makefile.am (bin_PROGRAMS): Add "[". - (__SOURCES): New var. - * src/test.c (LBRACKET): Define to 0 if not defined. - (main): Use LBRACKET rather than argv[0]. - - * src/test.c (one_argument): Do not check for -t if POSIXLY_CORRECT. - Reported by Paul Jarc and Dan Jacobson. - - * src/test.c (main): Do not recognize --help or --version if - POSIXLY_CORRECT, when invoked as "test". Handle "[ ]" correctly. - Do not bother testing that margv[margc] is non-null. - -2003-07-04 Jim Meyering <jim@meyering.net> - - * src/who.c (print_line): Rewrite to use asprintf, in order to be - able to avoid emitting trailing spaces. Reported by Dan Jacobson. - - * tests/misc/head-elide-tail: Add tests of head's new --lines=-N - option, and perform the +1600 invocations of head IFF the envvar - RUN_EXPENSIVE_TESTS is set. - -2003-07-03 Jim Meyering <jim@meyering.net> - - * src/cp.c (do_copy): Give a better diagnostic when failing due - to nonexistent destination directory. Reported by Dmitry Rutsky. - See http://bugs.debian.org/199730 for details. - -2003-06-27 Jim Meyering <jim@meyering.net> - - split's --verbose option did nothing [broken in 4.5.10 and 5.0] - * src/split.c (longopts): Use `1', not `0' as the value for - for &verbose. Reported by Keith Thompson. - - Test for the above fix. - * tests/misc/split-a: Also use --verbose and compare stderr - output with what we'd expect. - -2003-06-20 Jim Meyering <jim@meyering.net> - - * src/copy.c (copy_internal) [HAVE_STRUCT_STAT_ST_AUTHOR]: - Use `error_t' (rather than int) as type for local `err'. - From Alfred M. Szmidt. - -2003-06-19 Marcus Brinkmann <marcus@gnu.org> - - * src/copy.c (copy_internal) [HAVE_STRUCT_STAT_ST_AUTHOR]: - Fix author preservation code. - -2003-06-19 Jim Meyering <jim@meyering.net> - - * src/ln.c (ENABLE_HARD_LINK_TO_SYMLINK_WARNING): Define to 0. - (do_link): Don't warn about hard link to symlink. - -2003-06-18 Jim Meyering <jim@meyering.net> - - * src/cut.c: Include "getdelim2.h", not "getstr.h". - Reflect renaming: getstr -> getdelim2. - - * src/comm.c, src/join.c, src/nl.c, src/uniq.c: Reflect renaming: - readline -> readlinebuffer. - -2003-06-09 John David Anglin <dave.anglin@nrc-cnrc.gc.ca> - - * src/readlink.c: Include <sys/types.h> before system.h (because - the latter includes <sys/stat.h>). Required on Ultrix 4.3. - -2003-06-17 Jim Meyering <jim@meyering.net> - - * src/system.h (initialize_main): Define. - Use it in every `main'. Applied via this: - p='initialize_main (&argc, &argv);' - perl -ni -e '/program_name.=.argv.0/ and print " '"$p"'\n"; print' \ - $(grep -l program_name.=.argv.0 *.c) - test.c uses margc/margv, so I made the change manually for that file. - Based on a patch from Bernard Giroud. - -2003-06-09 John David Anglin <dave.anglin@nrc-cnrc.gc.ca> - - Fix for build failure on Ultrix 4.3. - * src/stat.c: Include sys/statvfs.h in preference to sys/vfs.h. - Include sys/param.h and sys/mount.h on ultrix. - -2003-06-16 Jim Meyering <jim@meyering.net> - - * src/touch.c (O_NDELAY, O_NONBLOCK, O_NOCTTY, EISDIR): Remove - definitions. - * src/system.h (O_NDELAY, O_NONBLOCK, O_NOCTTY, EISDIR): Define - them here instead, but with one change: define EISDIR to -1, not 0. - - * src/cat.c (cat): Remove `#ifndef ENOSYS', now that it's - guaranteed to be defined. - * src/system.h (ENOSYS, ENOTSUP): Define to -1 if not defined. - - * README: Mention the CVS repository. - Encourage addition of test cases. - -2003-06-12 Jim Meyering <jim@meyering.net> - - * src/touch.c (touch): Call close only if necessary. - From Bruno Haible. - - * src/wc.c (usage): Correct wording: wc prints counts in the order - `newline, word, byte'. Reported by Keith M. Briggs. - * man/wc.x: Fix it here, too. And change `lines' to `newlines'. - -2003-06-10 Jim Meyering <jim@meyering.net> - - * tests/date/Test.pm: Add a test for the new format, e.g., May-23-2003. - -2003-06-07 Jim Meyering <jim@meyering.net> - - * Makefile.maint (syntax-check): Add commented-out (over-aggressive) - rule. - -2003-06-06 Jim Meyering <jim@meyering.net> - - * src/extract-magic (main): Avoid newer 3-arg form of open, - so this script works also with e.g., perl5.005_03. - Patch by John David Anglin. - -2003-06-04 Paul Eggert <eggert@twinsun.com> - - * src/system.h: Include <stdbool.h> unconditionally. - -2003-06-04 Jim Meyering <jim@meyering.net> - - * man/Makefile.am (check-programs-vs-x): Rename target - from check-programs-vs-1. Adjust rule to check for the - primary (.x) file, not the generated one (.1). - -2003-06-03 Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> - - * man/kill.x: New file. - * man/Makefile.am (dist_man_MANS): Add kill.1. - (kill.1): New rule. - -2003-06-04 Jim Meyering <jim@meyering.net> - - Ensure that the .x file for a new program is never forgotten again. - * man/Makefile.am (programs): Define. - (check-programs-vs-1): New phony target. - (check-local): Depend on it. - -2003-06-03 Jim Meyering <jim@meyering.net> - - Avoid unnecessary copying of environment. - * src/env.c (main): Rather than clearing the environment and -- - unless told to ignore environment -- copying all settings from - the saved, original environment, clear the environment only when - that is requested. Suggested by Jens Elkner. - -2003-06-02 Jim Meyering <jim@meyering.net> - - * src/system.h: Always include <string.h>, since we assume C89. - Include <limits.h> without checking for HAVE_LIMITS_H. - - * src/test.c [!TEST_STANDALONE]: Remove #if-0'd block. - (STREQ, S_IXUGO): Remove redundant (in system.h) definitions. - -2003-06-01 Jim Meyering <jim@meyering.net> - - Avoid a race condition in `tail -f' described by Ken Raeburn in - http://mail.gnu.org/archive/html/bug-textutils/2003-05/msg00007.html - * src/tail.c (file_lines): Add new parameter, *read_pos, and set it. - (pipe_lines, pipe_bytes, start_bytes, start_lines): Likewise. - (tail_bytes, tail_lines, tail): Likewise. - (tail_file): Use the new `read_pos' value as the size, - rather than stats.st_size from the fstat call. - -2003-05-28 Jim Meyering <jim@meyering.net> - - * src/extract-magic: Allow expansion of `$file' in the here- - document corresponding to the comment at the top of fs.h. - -2003-05-26 Jim Meyering <jim@meyering.net> - - * src/stat.c: Fix portability problem on FreeBSD5.0: don't include - <sys/statvfs.h> on systems without HAVE_STRUCT_STATVFS_F_BASETYPE. - Use #if/#elif/... cascade so we get only one set of include files. - Reported by Nelson Beebe. - -2003-05-24 Jim Meyering <jim@meyering.net> - - * src/md5sum.c (split_3): Accept the BSD format only when in MD5 mode. - * tests/sha1sum/basic-1: Make sure `sha1sum --check' doesn't - accept the BSD format. - -2003-03-28 Joe Orton <jorton@redhat.com> - - * src/md5sum.c (bsd_split_3): New function. - (split_3): Detect checksums from BSD 'md5' command and handle them - using bsd_split_3. - - * tests/md5sum/basic-1: New tests for --check exit status, and for - BSD-style checksum files. - -2003-05-21 Jim Meyering <jim@meyering.net> - - * src/head.c (elide_tail_lines_pipe): Fix a thinko. - This sort of thing is why it'd be *Really Good* to factor - out the common code used here and in tail.c. - -2003-05-14 Jim Meyering <jim@meyering.net> - - * src/head.c (usage): Document new feature: --bytes=-N and --lines=-N. - - * tests/du/slink: Skip this test if `.' is on an XFS file system. - - * tests/du/fd-leak: New file. Test for the bug in du that - was fixed by the 2003-05-12 change to lib/ftw.c. - * tests/du/Makefile.am (TESTS): Add fd-leak. - - * src/head.c (AUTHORS): Enclose string in N_(...), now that it - includes a translatable word, `and'. - - * src/dd.c (usage): Don't use `,' as the thousands separator - in e.g. 1,000,000 and 1,048,576. Instead, do this: - `SIZE may be ..., MB 1000*1000, M 1024*1024 and so on...' - * src/df.c (usage): Likewise. - * src/du.c (usage): Likewise. - * src/ls.c (usage): Likewise. - - * Makefile.maint (syntax-check): Add another check. - -2003-05-13 Paul Eggert <eggert@twinsun.com> - - Fix uniq to conform to POSIX, which requires that "uniq -d -u" - must output nothing. Problem reported by Josh Hyman. - - * src/uniq.c (enum output_mode, mode): Remove, replacing with: - (output_unique, output_first_repeated, output_later_repeated): - New vars. All uses of "mode" changed to use these variables, - which are not mutually exclusive as "mode" was. - (writeline): New arg "match", used to control whether to - obey output_first_repeated or output_later_repeated. - All callers changed. - (check_file, main): Adjust to above changes. - - * tests/uniq/Test.pm: Test that 'uniq -d -u' outputs nothing. - -2003-05-14 Jim Meyering <jim@meyering.net> - - * tests/rm/rm3: Use tr's \n notation rather than \012. - This package can afford to do that, since its tests are guaranteed use - GNU tr, which has accepted the more modern notation for 10 years. - * tests/rm/rm5: Likewise. - * tests/cp/same-file: Likewise. - * tests/stty/row-col-1: Likewise. - * tests/stty/basic-1: Likewise. - * tests/rm/deep-1: Likewise. - * tests/mv/part-symlink: Likewise. - * tests/mkdir/perm: Likewise. - * tests/misc/nice: Likewise. - -2003-05-13 Jim Meyering <jim@meyering.net> - - * src/copy.c (struct F_triple) [name]: Remove const attribute. - (triple_free): Don't apply cast to argument of free. - (seen_file): Add cast here instead. - - * src/cp-hash.c (struct Src_to_dest) [name]: Remove const attribute. - (src_to_dest_free): Don't apply cast to argument of free. - - * src/sort.c (zaptemp): Don't apply cast to argument of free. - * src/pr.c (init_fps, init_store_cols): Likewise. - * src/join.c (delseq, freeline): Likewise. - * src/expr.c (OLD): Likewise. - * src/sort.c (sort): Likewise. - * src/head.c (elide_tail_lines_pipe): Likewise. - - * src/tail.c: Include "quote.h". - Use quote in diagnostics. Change many error format strings - from just `%s' to e.g., `error reading %s'. - (pipe_lines): Change type of parameter, n_lines, to uintmax_t. - Rewrite newline-counting loop to use memchr. - - * src/head.c (elide_tail_lines_pipe): Use `if', not assert. - Now that assert is no longer used, don't include <assert.h>. - -2003-05-12 Jim Meyering <jim@meyering.net> - - * src/head.c: Include <assert.h>. - (AUTHORS): Add my name. - (elide_tail_lines_pipe): New function. - -2003-05-10 Jim Meyering <jim@meyering.net> - - * Makefile.maint (syntax-check): Check for `error (EXIT_SUCCESS,'. - - * src/readlink.c (main): Set program_name before first use. - Remove that (redundant) first use. - Don't exit successfully just because --verbose was specified. - Pass 0, not EXIT_SUCCESS, as first argument to error; when that - parameter is 0, error does not exit. - - * src/uname.c (main): When failing due to too many arguments, also say - that, rather than just "Try `uname --help' for more information.". - * src/comm.c (main): Likewise, but for too few arguments. - * src/logname.c: Include error.h. - (main): Say why we're failing. - - * src/uniq.c (main): Don't segfault when argc < optind. - * src/who.c (main): Handle argc < optind. - * src/df.c (main): Likewise. - * src/install.c (main): Likewise. - * src/mv.c (main): Likewise. - * src/pwd.c (main): Likewise. - * src/tty.c (main): Likewise. - * src/chroot.c (main): Likewise. - * src/hostname.c: Likewise. - * src/du.c (main): Likewise. - * src/expand.c (main): Likewise. - * src/env.c (main): Likewise. - * src/unexpand.c (main): Likewise. - * src/printenv.c (main): Likewise. - * src/sync.c (main): Handle argc == 0. - * src/expr.c (main): Likewise. - * src/printf.c (main): Likewise. - * src/basename.c (main): Likewise. - * src/ln.c (main): Test for `missing argument' before computing n_files. - * src/tail.c (main): Test for the case of no arguments before - computing n_files. - - * src/kill.c (send_signals): Don't check command line arguments here. - (main): Check them here instead. Handle argc < optind. - - * src/logname.c (main): Use error, rather than fprintf, for the sake - of consistency. - - * src/rm.c (main): Don't overrun array bound if argc is 0. - -2003-05-09 Jim Meyering <jim@meyering.net> - - * src/sort.c (main): Don't overrun array bound if argc is 0. - That would happen when invoked via: execl ("/usr/bin/sort", NULL); - Reported by Wartan Hachaturow. - -2003-05-07 Jim Meyering <jim@meyering.net> - - Implement support so that `head --lines=-N' works on seekable files. - * src/head.c (enum Copy_fd_status): Define. - (COPY_FD_DIAGNOSE): New macro. - (elide_tail_lines_seekable): New funtion. - (elide_tail_lines_file): Call it here. - -2003-05-06 Jim Meyering <jim@meyering.net> - - * src/sys2.h (CHAR_BIT): Remove duplicate definition. - -2003-05-04 Jim Meyering <jim@meyering.net> - - * tests/head/Test.pm: Remove tests of --bytes=-N; using that framework - caused the addition of thousands of small files to the tar archive. - * tests/misc/head-elide-tail: New file. Add them here instead. - * tests/misc/Makefile.am (TESTS): Add head-elide-tail. - -2003-05-04 Paul Eggert <eggert@twinsun.com> - - * src/remove.c (HAVE_WORKING_READDIR): Define to 0 if not defined. - (IF_READDIR_NEEDS_REWINDDIR): Remove. - (remove_cwd_entries): Rewrite to avoid IF_READDIR_NEEDS_REWINDDIR, - which was a bit weird because it couldn't be emulated by a function. - -2003-05-03 Jim Meyering <jim@meyering.net> - - Extend head to accept --lines=-N (--bytes=-N) and to print all - but the N lines (bytes) at the end of the file. - * src/head.c: Include full-write.h, full-read.h, inttostr.h, quote.h. - Use quote() in diagnostics, rather than literal `' marks. - (copy_fd, elide_tail_bytes_pipe, elide_tail_bytes_file): - New functions. - (elide_tail_lines_pipe, elide_tail_lines_file): New functions. - (head_file): Reorganize so as to call head from only one place. - (main): Likewise, for head_file. - Handle new, undocumented option, --presume-input-pipe. - Handle negative line and byte counts. - * tests/head/Test.pm: Add lots of tests to exercise --bytes=-N. - - * tests/du/8gb: Skip test if the file system of `.' doesn't support - sparse files -- otherwise it'd create a file of size 8GB. - -2003-05-02 Jim Meyering <jim@meyering.net> - - * src/fmt.c (usage): Don't mention obsolescent -WIDTH option. - Instead explain about `-' and standard input. - (main): Give a proper diagnostic for e.g., `fmt -c -72'. - Reported by Keith Thompson. - * tests/fmt/basic: Add test for the above fix. - - * src/fmt.c: Include "quote.h". - Use quote() in diagnostics, rather than literal `' marks. - (main): Exit nonzero when unable to open an input file. - * tests/fmt/basic: Add test for the above fix. - - * src/fmt.c (main): Diagnose invalid suffix on obsolescent width - specifications like `-72x'. - * tests/fmt/basic: Add test for the above fix. - - Work around nasty readdir bug on Darwin6.5. - * src/remove.c (IF_READDIR_NEEDS_REWINDDIR): Define. - [! HAVE_WORKING_READDIR] (remove_cwd_entries): If readdir has just - returned NULL and there has been at least one successful unlink or - rmdir call since the opendir or previous rewinddir, then call - rewinddir and reiterate the loop. - - Factor out common code. - * src/remove.c (readdir_ignoring_dotdirs): New function. - (is_empty_dir): Use it here. - (remove_cwd_entries): Use it here. - -2003-05-01 Jim Meyering <jim@meyering.net> - - * tests/rm/r-3: Create 500 rather than just 300 files. - There's a bug in Darwin6.5's readdir that shows up only with - 338 or more files. - Fix a bug in this test: `cd $pwd' (not to `..'), now that $tmp - has two components. - - * src/tail.c: - Change type of n_units, n_bytes, n_lines to be `uintmax_t'. - (dump_remainder): Move two declarations `down' into the scope - where they are used. - (xlseek): Return the resulting offset. - (file_lines): Rename parameter, file_length, to end_pos. - (pipe_lines): Don't coerce safe_read return value to `int'. - Adapt tests accordingly. - (pipe_bytes) [struct charbuffer] (nbytes): Change type from `int' - to `unsigned int'. - Change type of `total_bytes' from `int' to `size_t', - since the former wouldn't always be wide enough. - Don't coerce safe_read return value to `int', - and adapt tests accordingly. - Now that testing for a read error no longer involves - using `tmp', handle that case *after* freeing `tmp'. - (start_bytes): Clean up. - (tail_bytes): Now that `n_bytes' may be larger than - OFF_T_MAX, test for that condition and, if it's true, don't - use lseek optimizations. - (parse_options): Don't fail just because N_UNITS is larger than - the maximum size of a file -- tail may be applied to an input - stream (e.g., a pipe) with more data than that. - - * Makefile.maint (syntax-check): Rename from alloc-check. - Also check for SPACE-TAB sequences. - Also check for malloc/calloc/realloc casts. - -2003-05-01 Jim Meyering <jim@meyering.net> - - * src/tail.c (start_lines): Rewrite to use memchr. Clean up. - -2003-04-28 Jim Meyering <jim@meyering.net> - - * tests/misc/tty-eof: Send two tokens, not just one, so we don't - make the now-more-picky tsort fail. - -2003-04-24 Jim Meyering <jim@meyering.net> - - * src/tsort.c (tsort): Remove unnecessary test of have_read_stdin. - (main): Minor syntactic clean-up. - - * src/tsort.c (tsort): Fail if the input contains an odd number of - tokens. Reported by junkio@cox.net. - - * tests/tsort/basic-1: Test for the above fix. - -2003-04-21 Jim Meyering <jim@meyering.net> - - * tests/misc/printf: Add tests for the printf fixes below. - - * Makefile.cfg (cvs_files): Add $(srcdir)/config/depcomp to the list. - -2003-04-20 Paul Eggert <eggert@twinsun.com> - - Fix printf POSIX compatibility bug reported by Ben Harris in - <http://mail.gnu.org/archive/html/bug-coreutils/2003-04/msg00070.html>. - * doc/coreutils.texi (printf invocation): It's \NNN in the format, - \0NNN in the %b operand. - * src/printf.c (usage): Likewise. - (print_esc): New arg OCTAL0 to specify whether \0NNN or \NNN - is desired. All uses changed. Behave like Bash printf if %b - operand uses \NNN where the initial N is not 0. - -2003-04-17 Jim Meyering <jim@meyering.net> - - * src/stty.c: Remove uses of PROTOTYPE macro. - -2003-04-15 Jim Meyering <jim@meyering.net> - - * Makefile.maint: Remove (or replace-with-TAB(s) to retain alignment) - each sequence of spaces before a TAB character. - -2003-04-13 Jim Meyering <jim@meyering.net> - - * src/remove.c (is_empty_dir): Don't closedir (NULL). - -2003-04-12 Jim Meyering <jim@meyering.net> - - Giving nl an invalid STYLE argument (in --header-numbering=STYLE (-h), - --body-numbering=STYLE (-b), or --footer-numbering=STYLE (-f)) or - FORMAT (--number-format=FORMAT (-n)) would not give a useful diagnostic. - * src/nl.c (main): Fix those problems and remove literal quote marks - (e.g., "`%s'") from format string; instead use "%s" in each format - string and `quote (optarg)' as the corresponding argument. - Also, diagnose all invalid command line options before failing. - - * src/nl.c (proc_text): Fix a bug that would make nl output extra - newlines in some cases. Details here: http://bugs.debian.org/177256. - This bug was introduced on 2001-11-10 for textutils-2.0.17. - * tests/misc/nl: Add test for the above-fixed bug. - - * tests/misc/readlink: New file. Test the --canonicalize option. - * tests/misc/Makefile.am (TESTS): Add readlink. - -2003-04-11 Jim Meyering <jim@meyering.net> - - Clean up. - * src/chown.c, src/cp.c, src/dircolors.hin, src/du.c, src/ln.c: - * src/mkfifo.c, src/ptx.c, src/spline.c, src/stty.c, src/tail.c: - * src/test.c, src/unexpand.c: Remove (or replace-with-TAB(s) to - retain alignment) each sequence of spaces before a TAB character. - - * src/ls.c: Include <stdlib.h> unconditionally. - - * Makefile.maint (xalloc-check): Rename from header-check. - - * src/yes.c: Include error.h after system.h, not before. - - Clean up. - * src/copy.c, src/cp-hash.c, src/cp.c, src/csplit.c, src/cut.c: - * src/date.c, src/df.c, src/du.c, src/expand.c, src/expr.c, src/id.c: - * src/join.c, src/md5sum.c, src/nl.c, src/od.c, src/paste.c, src/pr.c: - * src/ptx.c, src/sort.c, src/split.c, src/su.c, src/tail.c, src/tee.c: - * src/tr.c: * src/unexpand.c, src/users.c: - Remove anachronistic casts of xmalloc, xrealloc, and xcalloc - return values and of xrealloc's first argument. - Fix the former with this: - perl -pi -e 's/\([^(]*?\*\) *(x(m|c|re)alloc)\b/$1/' - -2003-04-10 Jim Meyering <jim@meyering.net> - - * src/stty.c (wrapf): Declare with format attribute. - - The S_MAGIC_... names shouldn't be maintained in two places (prior - to this change, one would have to keep stat.c and fs.h in sync). - This change makes it so those names and the corresponding - hexadecimal constants all reside in stat.c. fs.h is now generated. - * src/Makefile.am (fs.h): New rule to generate fs.h from stat.c. - (BUILT_SOURCES): Add fs.h, now that it's generated. - (EXTRA_DIST): Add extract-magic. - * src/extract-magic: New script to extract fs.h definitions from stat.c. - * src/stat.c (human_fstype) [__linux__]: Append each hex constant from - fs.h in a comment after the corresponding `case S_MAGIC_...:' statement. - - * tests/tail-2/big-4gb: Skip this test (don't fail) if creating a - file with nominal length > 4GB fails. Reported by Michael Deutschmann. - - * man/unexpand.x: Add `SEE ALSO' reference to expand. - * man/expand.x: Add `SEE ALSO' reference to unexpand. - Suggestion from Dan Jacobson. - -2003-04-10 Maciej W. Rozycki <macro@ds2.pg.gda.pl> - - * src/fs.h (S_MAGIC_DEVPTS): New magic for Linux's devpts. - * src/stat.c (human_fstype): Handle Linux's devpts. - -2003-04-09 Paul Eggert <eggert@twinsun.com> - - * src/split.c (line_bytes_split): Arg is of type size_t, since - that's all that is supported for now. - (main): Check for overflow in obsolescent line count option. - -2003-04-09 Jim Meyering <jim@meyering.net> - - * tests/misc/split-fail: Add a new test for the above fix. - - * src/split.c (bytes_split): Use size_t temporary (rather than - uintmax_t original) in remaining computations. From Paul Eggert. - - Handle command line option arguments larger than 2^31. - This allows e.g., splitting into files of size 2GB and larger, - and running split --lines=N with N=2^31 or more. - But for --line-bytes=N, the restriction that N <= SIZE_MAX - remains (for now), due to the way it is implemented. - - * src/split.c: Include "inttostr.h". - (bytes_split, lines_split, line_bytes_split, main): - Use uintmax_t, not size_t, for file sizes. - (main): Give a better diagnostic for option arguments == 0. - Use umaxtostr to print file sizes. - Reported by Luke Hassell. - -2003-04-08 Jim Meyering <jim@meyering.net> - - * src/rm.c (usage): Mention that --directory (-d) works only - on some systems. Suggestion from Samuel Tardieu. - - * tests/basename/basic: Run $PERL to see if it is available, - rather than testing its value. - * tests/sum/sysv, tests/tsort/basic-1, tests/unexpand/basic-1: - * tests/basename/basic, tests/dd/skip-seek, tests/dircolors/simple: - * tests/expr/basic, tests/factor/basic, tests/fmt/basic: - * tests/ls-2/tests, tests/md5sum/basic-1, tests/md5sum/newline-1: - * tests/misc/sort, tests/misc/tty-eof, tests/mv/i-1: - * tests/rm/empty-name, tests/rm/fail-eperm, tests/rm/unreadable: - * tests/seq/basic, tests/sha1sum/basic-1, tests/sha1sum/sample-vec: - * tests/sum/basic-1, tests/seq/basic: Likewise. - - * tests/misc/Makefile.am (TESTS): Add split-fail. - * tests/misc/split-fail: New file. - - * src/split.c: Rename local variables: nchars -> n_bytes. - (lines_split): Rename local, nlines -> n_lines. - (main): Rename local variable: s/accum/n_units/. - (main): Use STDIN_FILENO, not literal `0'. - -2003-04-07 Jim Meyering <jim@meyering.net> - - * src/stat.c: Add #include directives for Ultrix 4.4. - Based on a suggested change from Bert Deknuydt. - -2003-04-06 Jim Meyering <jim@meyering.net> - - * Makefile.maint (makefile-check): New rule. - (local-check): Add it. - -2003-04-05 Jim Meyering <jim@meyering.net> - - * Makefile.am (nearly all of them): - Use $(VAR) rather than @VAR@, now that we can rely on automake to - emit a definition for each substituted variable. - * tests/Makefile.am.in: Likewise. - - * tests/rm/rm5: Add a comment explaining why this test fails when - using Tru64's broken sed. - * tests/rm/rm3: Likewise. - - Make `kill -t' output signal descriptions (not `?') on Tru64. - * src/kill.c (sys_siglist): Also check for __sys_siglist. - Patch by Tony Leneis. - * configure.ac: Also check for declaration of __sys_siglist. - Required for Tru64 4.0D, 4.0F, and 5.1. - Reported by Tony Leneis. - -2003-04-04 Jim Meyering <jim@meyering.net> - - * src/Makefile.am (PERL): Remove unnecessary definition. - - Because of inappropriate (but POSIX-mandated) behavior of rename, - `mv a b' would not remove `a' in some unusual cases. Work around - this by unlinking `a' when necessary. - - * src/copy.c (same_file_ok): Add an output parameter. - Set it in the offending case. - (copy_internal): When necessary, unlink SRC_PATH and inform caller. - Reported by Ed Avis. - * tests/mv/hard-4: New test for the above. - * tests/mv/Makefile.am (TESTS): Add hard-4. - - Clean up rules for automatically generated sources: - * src/Makefile.am (dircolors.h, wheel-size.h, wheel.h, false.c): - Make each generated file be read-only. - Add each file name to BUILT_SOURCES separately. - (MAINTAINERCLEANFILES): Set to $(BUILT_SOURCES). - - Put LOCALEDIR macro definition in new file: localedir.h. - * src/Makefile.am (DEFS): Remove definition. - (localedir.h): New rule. - (BUILT_SOURCES, DISTCLEANFILES): Add localedir.h. - * src/system.h: Include "localedir.h". - -2003-04-02 Jim Meyering <jim@meyering.net> - - * Version 5.0. - - * tests/misc/Makefile.am (TESTS): Add false. - - * Makefile.maint (TMPDIR): Make sure it's defined. - (my-distcheck): Build in $(TMPDIR), not `.'. - - * src/Makefile.am (false.c): Change all occurrences of - `(EXIT_SUCCESS)' to `(EXIT_FAILURE)' so that false exits - unsuccessfully also with --help. Reported by Paul Jarc, - * tests/misc/false: New test for the above. - -2003-03-30 Jim Meyering <jim@meyering.net> - - * NEWS: Note the location of older NEWS files. - - * src/remove.c (is_empty_dir): Don't let a failing closedir - clobber errno. Spotted by Arnold Robbins. - - * src/env.c: Fix typo in comment. From Arnold Robbins. - -2003-03-29 Jim Meyering <jim@meyering.net> - - * Version 4.5.12. - - * README: Note to expect build problems for stat.c on Ultrix 4.3. - Note that there are some harmless test failures when running - `make check' as root on some systems. - -2003-03-28 Jim Meyering <jim@meyering.net> - - * tests/stty/row-col-1: Skip this test if stty can't get window size. - This happens when connecting to sparc-solaris5.7 via ssh from within - emacs. Reported by Karl Berry. - - * tests/du/basic: Use seq, not `yes' to generate 4KB of data. - Otherwise, on systems (DJGPP) that emulate pipes using files, - this test would never complete, waiting for `yes' to terminate. - * tests/du/slink: As above, use seq, not `yes' to generate link target. - * tests/rm/hash: As above, use seq, not `yes' to generate dir name. - Reported by Rich Dawe. - -2003-03-27 Jim Meyering <jim@meyering.net> - - * src/id.c: Remove Arnold Robbins' obsolete e-mail address - from `written by...' comment, at his request. - -2003-03-24 Paul Eggert <eggert@twinsun.com> - - Fix buffer overrun problem reported by TAKAI Kousuke, along - with some other POSIX incompatibilities. - - * src/printf.c (print_esc): Do not treat \x specially if - POSIXLY_CORRECT. Avoid buffer overrun if the format ends - in backslash. Treat incomplete escape sequences as strings - of characters, as POSIX requires. - (print_formatted): Allow multiple flags. Avoid buffer overrun - if the format is incomplete. - -2003-03-24 Jim Meyering <jim@meyering.net> - - * tests/misc/printf: Add tests for the above fixes and changes. - -2003-03-26 Jim Meyering <jim@meyering.net> - - * src/copy.h (struct cp_options): Add a comment. - -2003-03-23 Jim Meyering <jim@meyering.net> - - * README: Describe problem with 64-bit mode on HPUX 11.x, - with patch for /usr/include/inttypes.h. - * TODO: Plan to add an autoconf test to work around the bug. - -2003-03-22 Jim Meyering <jim@meyering.net> - - * src/stat.c: Don't include <sys/sysmacros.h>. - That is already done via system.h. Otherwise, the multiple - inclusion would evoke redefinition warnings from Cray's /bin/cc, - aka Cray Standard C Version 4.0.3 (057126) Mar 22 2003 22:02:28. - (human_fstype): Factor some directives `up', out of this function. - Cast away `const' to avoid error from Cray's /bin/cc. - -2003-03-20 Jim Meyering <jim@meyering.net> - - * announce-gen (print_changelog_deltas): Ensure that a newline - precedes each row of `*'s. - -2003-03-20 Jim Meyering <jim@meyering.net> - - * Version 4.5.11. - - * src/seq.c (valid_format): Also accept ` ' and `'' as valid - format flag characters. - Do not require that a field width be specified. - Do not fail when given a field width of `0'. - Reported by Dan Jacobson. - * tests/seq/basic: Add new tests for the above-fixed bug. - - * src/Makefile.am (all-local): Append $(EXEEXT) to use of `su' - (install-root): Likewise. - (install-exec-local): Likewise. - Based on a patch from Richard Dawe. - -2003-03-19 Jim Meyering <jim@meyering.net> - - * man/Makefile.am (.x.1): Use $(LN_S) instead of 'ln -s', - because the DJGPP 2.03 port of 'ln -s' doesn't work. - Include $(EXEEXT) in program names. - Since $(LN_S) may degenerate to `cp -p', be careful - to invoke it from the destination directory. - Mostly from Richard Dawe. - * configure.ac: Use AC_PROG_LN_S. - - * tests/mv/part-symlink: Unset CDPATH. Otherwise, having the - CDPATH shell variable set could cause this test to fail. - Reported by Karl Berry. - -2003-03-18 Jim Meyering <jim@meyering.net> - - * src/fmt.c [struct Word] (paren, period, punct, final): Change the - type of each member from bool <MEMBER>:1 to unsigned int <MEMBER>:1. - AIX 5.1's xlc could not compile the former. - Patch by Petter Reinholdtsen. Also reported by Mike Jetzer. - -2003-03-17 Richard Dawe <rich@phekda.freeserve.co.uk> - - * configure.ac: Include $(EXEEXT) in OPTIONAL_BIN_PROGS' - program names, since automake only adds $(EXEEXT) to programs - in its *_PROGRAMS. - -2003-03-16 Jim Meyering <jim@meyering.net> - - * src/remove.c (rm): Put two local variables in static storage, - so they can't be clobbered by the potential longjmp. - -2003-03-15 Jim Meyering <jim@meyering.net> - - * Makefile.cfg (gnu_rel_host): Fix code to match the comment - so that a version number with a two-digit component can still count - as an alpha release. Reported by Richard A Downing. - (gnu_rel_host): Define in terms of $(RELEASE_TYPE) instead. - -2003-03-14 Jim Meyering <jim@meyering.net> - - * src/ansi2knr.c: Remove no-longer-used file. - * src/ansi2knr.1: Likewise. - - * Makefile.maint (prev_version_file): Don't use ?= for this particular - assignment, since it causes trouble with old versions of GNU make - (e.g. 3.76.1). The other uses of `?=' are inoffensive. Details here. - http://mail.gnu.org/archive/html/bug-coreutils/2003-03/msg00028.html - Patch from Alexandre Duret-Lutz. - - * Use patched automake-1.7.3. Regenerate Makefile.in files in - subdirectories so that each includes a definition of ACLOCAL_M4. - - * announce-gen (main): Label the compressed source URLs. - - * Version 4.5.10. - - * tests/du/slink: Relax the test for the `local'ness of a file system, - so that now it works also for tmpfs. - - * tests/du/hard-link: Transform output from first du, so that this - test doesn't fail on file systems like tmpfs that order directory - entries differently. - -2003-03-13 Jim Meyering <jim@meyering.net> - - * tests/du/8gb: Work around what appears to be an NFS failure that - would make this test fail on some systems. - -2003-03-11 Jim Meyering <jim@meyering.net> - - * tests/du/basic: Make the test file exactly 4k bytes long. - - * src/split.c (longopts): Don't hard-code `2' here. - Instead, just specify `&verbose', and ... - (main): ... remove the `case 2:' block for --verbose. - - * tests/du/basic: Make the test file larger than 64 bytes, so that - we don't immediately disqualify file systems (e.g., NetApp) on which - smaller files take up zero disk blocks. Reported by Vin Shelton. - -2003-03-10 Jim Meyering <jim@meyering.net> - - Don't segfault for a negative field width or precision in format string. - Note that this is just a stopgap fix. The longer term solution may - involve adapting bash's builtins/printf.def. - - * src/printf.c: (UNSPECIFIED): Define. - (print_direc): Use the special value, UNSPECIFIED, to indicate - that field_width or precision has not been specified. - (print_formatted): Fail if field_width or precision is the - special value, UNSPECIFIED. - Reported by Oliver Kiddle <okiddle@yahoo.co.uk> - - * src/sys2.h (INT_MIN): Define, if necessary. - * tests/misc/printf: Add a test for the above-fixed bug. - -2003-03-09 Jim Meyering <jim@meyering.net> - - * src/remove.c (AD_stack_pop): Cast sizeof... to int before - changing its sign. This avoids a warning from gcc on 64-bit systems. - Reported by Bob Proulx. - (pop_dir): Reverse order of sign change and cast, to be consistent - with the above. - -2003-03-08 Jim Meyering <jim@meyering.net> - - * tests/Makefile.am (evar-check): Check for POSIXLY_CORRECT not as a - shell variable, but only in the environment. With /bin/sh->bash, the - shell variable is set to `y', and that would cause a spurious warning. - Reported by Bob Proulx. - - * tests/Makefile.am (check-root): Remove touch/fifo. - It doesn't appear to have to be run as root. - - * tests/rm/fail-2eperm: Rather than simply using the first non-root - user name, make sure that the selected user name has a usable shell. - Reported by Paul Jarc. - - Before, when using shred on a device, one had to specify --exact, - or be careful to choose a size that would not be rounded up and - exceed the maximum value; that could result in a failure of - the final write. - * src/shred.c (do_wipefd): --exact is now the default for non-regular - files. Suggestion from Ben Elliston. - (usage): Say it. - - * tests/misc/tty-eof: Require at least version 1.11 of Expect.pm. - Old versions of Expect.pm (e.g., 1.07) lack the log_user function. - Patch by Bob Proulx. - - * src/Makefile.am (check-misc): Check for use of `defined' in - #define directives. - Change to $(srcdir) before running grep. - - * src/sleep.c: Remove now-unused #include and #define directives. - - * src/du.c (process_file): If a file's size is not being counted - e.g., because it's a hard link to a file we've already counted, - then don't print a line for it. - - * tests/du/hard-link: New test for the above-fixed bug. - * tests/du/Makefile.am (TESTS): Add hard-link. - - `du -S' didn't work - * src/du.c: Revert most of the `reorganization' change of 2003-02-20, - and make the two-array approach work. - - * tests/du/basic: Correct/add tests for the above fix. - Set LC_ALL, etc., now that we use sort. - Check the block/size of a small file, too. - Correct expected results for simple dir1/dir2/file case. - Add another test of du -S. - -2003-03-07 John David Anglin <dave.anglin@nrc-cnrc.gc.ca> - - Avoid build failure with gcc on hppa1.1-hp-hpux10.20 (see GCC PR - middle-end/9986). As one of GCC's optimizations, it transforms a - fputs_unlocked call to a fputc_unlocked call when the string is - one character long. However, hpux doesn't have fputc_unlocked. - - * expr.c (usage): Use putchar, not fputs, to output a single character. - * ls.c (dired_dump_obstack): Likewise. - * ptx.c (output_one_tex_line, output_one_dumb_line): Likewise. - * stat.c (print_it): Likewise. - -2003-03-07 Jim Meyering <jim@meyering.net> - - * src/cp.c: Remove everything associated with mmap-stack.c. - This reverts the two changes of 2003-02-21. - * src/du.c: Remove everything associated with mmap-stack.c. - This reverts the change of 2003-02-19. - -2003-03-06 Jim Meyering <jim@meyering.net> - - * tests/cp/same-file: Unset CDPATH. Otherwise, having the - CDPATH shell variable set could cause this test to fail. - Reported by Karl Berry. - -2003-03-05 Jim Meyering <jim@meyering.net> - - * Version 4.5.9. - - * src/printf.c (print_esc): Remove pointless comparison of unsigned - integer with zero, to avoid a warning from Intel's ecc. - Reported by Nelson Beebe. - - * src/du.c (process_file): Sizes must all be of type uintmax_t. - Otherwise, for files or totals that are too big, numbers would - be truncated. Patch mostly by Michael Stone. - Reported by Ingo Saitz as Debian bug #183210. - - * tests/du/8gb: New test for the above-fixed bug. - * tests/du/Makefile.am (TESTS): Add 8gb. - - * src/du.c (MAX_N_DESCRIPTORS): Use 3 * UTILS_OPEN_MAX / 4 - rather than UTILS_OPEN_MAX - 10. - -2003-03-04 Jim Meyering <jim@meyering.net> - - * README: Refer new feature discussion to bug-coreutils@gnu.org, - rather than bug-gnu-utils, now that the former is better known. - Suggestion from Göran Uddeborg. - - * src/stat.c (usage): Capitalize consistently. - Reported by Göran Uddeborg. - - * Makefile.maint (rel-files): Include $(signatures), so that - those files are also copied into $(release_archive_dir). - - * src/df.c (find_mount_point): Call error here, now that restore_cwd - no longer does it. - * src/remove.c (AD_pop_and_chdir): Likewise. - - * tests/Makefile.am (check-root): Add fail-2eperm. - -2003-03-03 Jim Meyering <jim@meyering.net> - - * src/remove.c (remove_cwd_entries): Include the full filename of - the offending file, not just the basename. - - * tests/misc/tty-eof: Set $ME properly. - - * Makefile.maint (THIS_VERSION_REGEXP, PREV_VERSION_REGEXP): - Remove now-unused variables. - (tag-prev-version, prev-cvs-tag): Likewise. - - * src/remove.c (remove_cwd_entries) [!ROOT_CAN_UNLINK_DIRS]: Give an - accurate diagnostic when failing to remove a file owned by some other - user. Reported by Ivo Timmermans via Michael Stone. - This fixes Debian bug# 178471. - - * tests/rm/Makefile.am (TESTS): Add fail-2eperm. - * tests/rm/fail-2eperm: New test, for the above-fixed bug. - Based on a report from Ivo Timmermans. - -2003-03-02 Jim Meyering <jim@meyering.net> - - * src/copy.c (copy_internal) [un_backup]: When recovering from a - failure to create a hard link, do not remove the entry associating - the source dev/ino with the destination file name. - * tests/mv/Makefile.am (TESTS): Add hard-3. - * tests/mv/hard-3: New test, for the above-fixed bug. - Inspired by a report from Iida Yosiaki. - -2003-03-01 Jim Meyering <jim@meyering.net> - - * src/df.c (print_header): Don't embed spaces in a separate `Type' - header string. Instead, put `Filesystem' and `Type' headers in the - same string, so translators can use horizontal space as needed. - Reported by Jean Charles Delepine. - -2003-02-28 Jim Meyering <jim@meyering.net> - - * src/copy.c (copy_internal): When link fails because of an - existing destination file, unlink that file and try again. - Reported by Iida Yosiaki. - - * tests/mv/Makefile.am (TESTS): Add hard-2. - * tests/mv/hard-2: New test for the above-fixed bug. - Based on a test case from Iida Yosiaki. - -2003-02-26 Jim Meyering <jim@meyering.net> - - * tests/du/basic: Don't test du's -b option here. Directory byte - counts are smaller (512 rather than 4096) on at least OSF/1 5.1 - and IBM AIX 4.2. Reported by Nelson Beebe. - -2003-02-25 Jim Meyering <jim@meyering.net> - - * Makefile.maint (announcement): Now that ChangeLog entries - are output by announce-gen, don't do it here. - * announce-gen (print_changelog_deltas): New function. - (main): Use it. - -2003-02-22 Jim Meyering <jim@meyering.net> - - * announce-gen: New option: --release-type=TYPE - * Makefile.maint (beta, major): New targets. Remove `release'. - Put them all together on a line. - Pass the release type (via RELEASE_TYPE envvar) to the MAKE - invocation of `announcement'. - (announcement): Invoke announce-gen with --release-type=$RELEASE_TYPE. - - * announce-gen: New option: --news=NEWS_FILE. - Extract NEWS entries here, not via rules in Makefile.maint. - * Makefile.maint (announcement): Now that NEWS entries are - extracted by announce-gen, don't do it here. - (news-r1, news-r2): Remove now-unused definitions. - -2003-02-21 Jim Meyering <jim@meyering.net> - - * Version 4.5.8. - - Merge in changes from autoconf's version of this file. - * Makefile.maint (www-gnu): Define. - (standards.texi-url_prefix): Use $(www-gnu). - (make-stds.texi-url_prefix): Likewise. - - * src/cp.c: Include "mmap-stack.h". - (main): Invoke `run' through a macro that (when possible) runs it - with a large, mmap'd stack. - - * src/cp.c (run): New function, preparing for the above. - Exit from this function, not from main - (main): Call run. - - * src/du.c: New option: --apparent-size. - (enum) [APPARENT_SIZE_OPTION]: New member. - (long_options): Add it. - (usage): Describe it. - (main): Handle it. - ['b']: Set apparent_size. - David Eisner reported that the behavior of --bytes had changed. - Paul Eggert proposed the use of a new option, --apparent-size. - - * src/du.c (apparent_size): New global. - (print_only_size): Reflect the fact that we're printing byte counts, - not ST_NBLOCKSIZE-byte-block counts. - (print_size): Call print_only_size rather than duplicating its code. - (process_file): Accumulate byte counts, rather than block counts. - - * src/du.c (process_file): Always reset size_to_propagate_to_parent - for --separate-dirs (-S). - -2003-02-20 Jim Meyering <jim@meyering.net> - - * Use automake-1.7.3. Regenerate dependent files. - - * src/stat.c (print_stat): New format: %B (to print ST_NBLOCKSIZE). - This makes %b (number of ST_NBLOCKSIZE-byte blocks) more useful. - (usage) [%B]: Describe it. - [%b]: Refer to %B. - - * src/du.c (process_file): Reorganize the code to use only - one `sum' array, and change how -S works back to the way it was - before 2003-01-31. Patch by Bruno Haible. - - * tests/du/basic: New test. - * tests/du/Makefile.am (TESTS): Add basic. - - * tests/envvar-check: Add checks for the following: - BLOCK_SIZE, DU_BLOCK_SIZE, DF_BLOCK_SIZE, LS_BLOCK_SIZE. - - * tests/Makefile.am: Rename phony target envvar-check to evar-check - so as not to conflict with the distributed file by the same name. - - * src/du.c (process_file): Set info->skip before any possible return. - - Report correct usage for directories, not 0. - * src/du.c (process_file): Return for `file_type == FTW_DPRE' - _before_ recording the dev/ino of a directory. - Reported by Bruno Haible. - - Now, df always displays the device file name corresponding to the - listed mount point under `Filesystem'. Before, for an unmounted - block- or character-special file argument, it would display the - command-line argument instead. - * src/df.c (show_disk): Return a value indicating whether - there was a match. Don't try to find a mount point here. - (show_entry): If show_disk doesn't find a match, call show_point. - -2003-02-19 Jim Meyering <jim@meyering.net> - - * src/du.c: Include "mmap-stack.h". - (du_files): Add prototype with ATTRIBUTE_NORETURN. - Exit from this function, not from... - (main): ...here. - Instead, if possible, invoke du_files through a macro that - runs it with a large, mmap'd stack. - - * src/join.c (usage): Change wording in --help output: - use FILENUM instead of `SIDE' and say what FILENUM means. - Reported by Bernhard Gabler. - - * src/df.c (print_header): Rather than using a hard-coded literal - string of spaces matching the length of the English `...Type' header, - output the right number of spaces to match the selected translation. - Reported by Yann Dirson and Jean Charles Delepine as Debian bug 131113. - - * src/split.c (bytes_split): Remove unnecessary `else' after break. - (lines_split): Likewise. and correct misleading indentation. - - * src/split.c: Include "full-read.h". - (bytes_split, lines_split, line_bytes_split): Use full_read, - not safe_read. The way split was using the latter, a short read - could cause split to terminate before EOF. - - * tests/misc/tty-eof: Test all programs that can read stdin, - requiring no arguments and that write to standard output. - - * tests/misc/tty-eof: New file. Renamed from ... - * tests/misc/cat-tty-eof: Remove file. Rename to tty-eof. - * tests/misc/Makefile.am (TESTS): Reflect renaming. - -2003-02-18 Jim Meyering <jim@meyering.net> - - cksum would perform an extra read after encountering EOF - * src/cksum.c (cksum): Exit the loop upon EOF, too. - Patch by Michael Bacarella. - - Test for the bug fixed today in cksum, md5sum, and sha1sum. - * tests/misc/cat-tty-eof: Generalize, clean-up, and test for - cat, cksum, md5sum, and sha1sum all in the same loop. - -2003-02-14 Jim Meyering <jim@meyering.net> - - * src/remove.c: Include "euidaccess.h". - Remove declaration of euidaccess. - -2003-02-12 Jim Meyering <jim@meyering.net> - - * src/pathchk.c (portable_chars_only): Remove unnecessary `const' - in cast to avoid warning from icc. Reported by Alexandre Duret-Lutz. - -2003-02-10 Jim Meyering <jim@meyering.net> - - * src/test.c: Don't include group-member.h. - Include euidaccess.h. - (eaccess): Rewrite function to set the real uid and gid temporarily - to the effective uid and gid, then invoke 'access', and then set the - real uid and gid back. On systems that lack setreuid or setregid, - fall back on the kludges in euidaccess. Before, it would not work - for e.g., files with ACLs, files that were marked immutable, - or on file systems mounted read-only. Nelson Beebe raised the issue. - Paul Eggert suggested the new implementation. - -2003-02-09 Jim Meyering <jim@meyering.net> - - * src/test.c (test_stat): Remove function. It's job is done (only - when necessary) by the wrapper in lib/stat.c. Adjust all uses. - -2003-02-08 Jim Meyering <jim@meyering.net> - - * Version 4.5.7. - - * tests/mv/part-symlink: Don't assume that the file owner username - length is less than 9 in ls output: instead, omit that field - altogether. Reported by, and suggested fix from, Ferdinand. - - * tests/du/restore-wd: New test for just-fixed bug in ftw.c. - * tests/du/Makefile.am (TESTS): Add restore-wd. - - * src/rm.c: Correct now-invalid comment about cycle-detection. - -2003-02-06 Jim Meyering <jim@meyering.net> - - * NEWS: Add entries from old/*/NEWS - from fileutils-4.1 through 4.1.11 and - from sh-utils-2.0 through 2.0.15. Suggestion from Karl Berry. - - * Version 4.5.6. - - * src/du.c (process_file): Don't return early for excluded files - or for files whose dev/inode we've already seen. - -2003-02-05 Jim Meyering <jim@meyering.net> - - * tests/du/exclude: New file. - * tests/du/Makefile.am (TESTS): Add exclude. - -2003-02-04 Dmitry V. Levin <ldv@altlinux.org> - - * src/who.c (print_boottime, print_deadprocs, print_runlevel): - Fix memory allocation arithmetic. - -2003-02-04 Jim Meyering <jim@meyering.net> - - `df /dev/block-or-char-device-file--not-mounted' now reports - the name of the file system on which the file resides, usually `/'. - Before, it would leave the `Mounted on' field blank. - * src/df.c (show_disk): Move function to precede find_mount_point. - (show_disk): Add parameter: STATP. - If we don't find a matching device name, then resort to calling - find_mount_point. Reported by Bob Proulx. - -2003-02-03 Andreas Schwab <schwab@suse.de> - - * tests/rm/cycle: Require non-root. - * tests/rm/isatty: Likewise. - -2003-02-02 Jim Meyering <jim@meyering.net> - - * Version 4.5.5. - - * man/Makefile.am (check-x-vs-1): Use @PATH_SEPARATOR@, not `:'. - - Ensure that there are no offending uses of `:'. - * Makefile.maint (makefile_path_separator_check): New rule. - (local-check): Add it to the list. - -2003-02-01 Jim Meyering <jim@meyering.net> - - * src/du.c (MAX_N_DESCRIPTORS): Define. - - * src/stat.c (G_fail): New global. - (human_time): Diagnose failed localtime, not failed nstrftime. - (main): Fail if G_fail is set. - -2003-01-31 Richard Dawe <rich@phekda.freeserve.co.uk> - - * tests/basename/Makefile.am: Use @PATH_SEPARATOR@ instead of - hard-coding the path-separator. Also double-quote the new PATH, - to avoid problems when the path-separator is a semi-colon or when - `pwd` contains e.g. a space. - * tests/chgrp/Makefile.am: Likewise. - * tests/chmod/Makefile.am: Likewise. - * tests/chown/Makefile.am: Likewise. - * tests/cp/Makefile.am: Likewise. - * tests/dd/Makefile.am: Likewise. - * tests/dircolors/Makefile.am: Likewise. - * tests/du/Makefile.am: Likewise. - * tests/expr/Makefile.am: Likewise. - * tests/factor/Makefile.am: Likewise. - * tests/fmt/Makefile.am: Likewise. - * tests/install/Makefile.am: Likewise. - * tests/ln/Makefile.am: Likewise. - * tests/ls/Makefile.am: Likewise. - * tests/ls-2/Makefile.am: Likewise. - * tests/md5sum/Makefile.am: Likewise. - * tests/misc/Makefile.am: Likewise. - * tests/mkdir/Makefile.am: Likewise. - * tests/mv/Makefile.am: Likewise. - * tests/od/Makefile.am: Likewise. - * tests/rm/Makefile.am: Likewise. - * tests/rmdir/Makefile.am: Likewise. - * tests/seq/Makefile.am: Likewise. - * tests/sha1sum/Makefile.am: Likewise. - * tests/shred/Makefile.am: Likewise. - * tests/stty/Makefile.am: Likewise. - * tests/sum/Makefile.am: Likewise. - * tests/tail-2/Makefile.am: Likewise. - * tests/touch/Makefile.am: Likewise. - * tests/tsort/Makefile.am: Likewise. - * tests/unexpand/Makefile.am: Likewise. - -2003-01-31 Jim Meyering <jim@meyering.net> - - * src/stat.c: Include "file-type.h" - (print_human_type): Remove function. - (human_access): Rename from print_human_access. Return a string. - (human_time): Rename from print_human_time. Return a string. - (print_stat): Arrange so that field width and an alignment specifier - are honored for the %A, %F, %x, %y, and %z formats. - [%F]: Use file_type; this gives slightly different file type strings, - e.g., `directory' instead of `Directory' and `regular file' or - `regular empty file' instead of `Regular file'. - Prompted by a report from Richard Dawe that the uses of - S_IFSOCK and S_IFIFO in print_human_time were not portable - to systems using e.g., DJGPP. - -2003-01-31 Richard Dawe <rich@phekda.freeserve.co.uk> - - * src/stat.c (print_stat): Use S_ISLNK rather than an explicit - test using S_IFMT and S_IFLNK. S_IFLNK may not be defined. - -2003-01-31 Jim Meyering <jim@meyering.net> - - * src/du.c (main): Upon processing an invalid option or an invalid - --exclude-from or --max-depth option argument, don't exit right away, - in case there are others. Rather record the failure and exit after - processing other options. - - * GNUmakefile (TAR_OPTIONS): Set and export, in order to make - tar archive easier to reproduce. - - Rewrite to perform directory traversal using nftw. - - * src/du.c: Include "dirname.h", "ftw.h", and "quotearg.h". - (AUTHORS): Add self. - (opt_one_file_system): Move global into `main'. - (path, xstat, exit_status): Remove declarations. - (arg_length, suffix_length): New globals. - (G_fail): New global, sort of like the old `exit_status'. - (IS_FTW_DIR_TYPE): Define. - (print_only_size): New function. - (process_file): New function. - (str_init, ensure_space, str_copyc, str_concatc): Remove functions. - (str_trunc, pop_dir, count_entry): Likewise. - (du_files): Rewrite to use nftw. - -2003-01-30 Jim Meyering <jim@meyering.net> - - * tests/du/trailing-slash: Ensure that du/ftw follows a command-line - symlink-to-directory with -L, even without the trailing slash. - -2003-01-27 Jim Meyering <jim@meyering.net> - - * src/Makefile.am (check-misc): Check for st_blocks, too. - - * src/stat.c (print_stat): Use ST_NBLOCKS rather than `->st_blocks'. - Reported by Richard Dawe. - -2003-01-27 Andreas Schwab <schwab@suse.de> - - * src/ls.c (quote_name): Add fourth parameter, width, into which to - store the screen columns, and return the number of bytes instead. - (print_dir): Pass NULL as fourth parameter of quote_name. - (print_name_with_quoting): Likewise. - (length_of_file_name_and_frills): Get the width from the fourth - parameter of quote_name instead of return value. - -2003-01-27 Jim Meyering <jim@meyering.net> - - * src/ls.c (decode_switches): If `dired' is set without - `format == long_format', then silently reset dired. This doesn't - change the behavior of ls (all prior uses of dired were protected - by `&& format == long_format'), and lets us... - (DIRED_INDENT): ... remove the `format == long_format' conjunct. - (PUSH_CURRENT_DIRED_POS): Likewise. - (main): Likewise. - -2003-01-22 Jim Meyering <jim@meyering.net> - - * tests/du/no-x: New test, for functionality added to lib/ftw.c. - * tests/du/Makefile.am (TESTS): Add no-x. - -2003-01-21 Jim Meyering <jim@meyering.net> - - * src/remove.c (remove_entry) [ROOT_CAN_UNLINK_DIRS - && HAVE_STRUCT_DIRENT_D_TYPE]: If a file has d_type == DT_UNKNOWN - it may still be a directory -- or not (e.g., with FreeBSD on an - NFS-mounted file system), so resort to calling lstat to find out. - Based on a patch by Michael van Elst. - - * tests/cp/same-file: Don't assume that the file owner username - length is less than 9 in ls output: instead, omit that field - altogether. Reported by, and suggested fix from, Ferdinand. - -2003-01-20 Jim Meyering <jim@meyering.net> - - * tests/date/Test.pm (wide-fmt): New test to demonstrate that - large format widths no longer cause strftime to infloop. - - * Makefile.maint (mail_gpg_sign_cookie): Remove now-unused definition. - -2003-01-19 Jim Meyering <jim@meyering.net> - - * src/readlink.c: Include "canonicalize.h". - -2003-01-18 Jim Meyering <jim@meyering.net> - - * src/ls.c (Dereference_symlink) [DEREF_COMMAND_LINE_SYMLINK_TO_DIR]: - New member. - (enum) [DEREFERENCE_COMMAND_LINE_SYMLINK_TO_DIR_OPTION]: New member. - (long_options): Add option --dereference-command-line-symlink-to-dir. - (main): Make DEREF_COMMAND_LINE_SYMLINK_TO_DIR be the default, - rather than DEREF_COMMAND_LINE_ARGUMENTS, when none of the - -d, -F, -l options is specified. - (decode_switches): Handle --dereference-command-line-symlink-to-dir. - (gobble_file): Honor DEREF_COMMAND_LINE_SYMLINK_TO_DIR. - Change --dereference-command-line (-H) to dereference *all* - command line arguments, including broken symlinks. - -2003-01-15 Paul Eggert <eggert@twinsun.com> - - Change ls -H back to the way it was yesterday, since this is - compatible with FreeBSD and the POSIX spec is confusing - and somewhat contradictory. - - * src/ls.c (DEREF_COMMAND_LINE_ARGUMENTS): Change name back - from DEREF_COMMAND_LINE_SYMLINK_TO_DIR, updating all uses. - (long_options): Change the long option name back. - (usage): Change the usage back. - (gobble_file): When -H is specified, dereference a top-level - arg even if it points to a non-directory. - -2003-01-15 Jim Meyering <jim@meyering.net> - - * src/ls.c (gobble_file): Fall back on using lstat when required: - when --dereference (-L) is not specified, and - - when operating on a dangling symlink - - when operating on command-line-symlink-to-directories - This fixes numerous problems. Here are examples: - - `ls dangling-symlink' would fail with `no such file...' - Now it prints `dangling-symlink'. - - `ls -i symlink' would mistakenly print the inode of the referent. - Now it prints the inode of the symlink. Likewise for --size (-s). - Based on a patch from Michael Stone. - Reported by Deepak Goel as Debian bug #173793. - - Rename ls's --dereference-command-line (-H) - option to --dereference-command-line-symlink-to-dir. - * src/ls.c [enum Dereference_symlink] - (DEREF_COMMAND_LINE_SYMLINK_TO_DIR): Rename from - DEREF_COMMAND_LINE_ARGUMENTS. Update all uses. - (long_options): Rename the long option. - (usage): Say that --dereference-... changes how ls treats - only symlinks to directories specified on the command line. - -2003-01-14 Jim Meyering <jim@meyering.net> - - * tests/ls/dangle: New file/test, for the above fix. - * tests/ls/inode: Another new file/test, for the above fix. - * tests/ls/Makefile.am (TESTS): Add dangle and inode. - - * src/ls.c (gobble_file): Fix a bug introduced in 4.5.4 that made it - so that ls --color would no longer highlight the names of files with - the execute bit set when not specified on the command line. - Patch by Michael Stone. Reported by Stephen Depooter as - Debian bug 175135. - - * tests/ls-2/tests (color-exe): New test, for the above fix. - -2003-01-13 Jim Meyering <jim@meyering.net> - - * tests/shred/exact: Also test for just fixed bug with --zero. - - * src/shred.c (long_opts): --zero does not require an argument. - Patch by Michael Stone. Reported by Roland Turner as Debian bug 172019. - -2003-01-12 Jim Meyering <jim@meyering.net> - - * Makefile.maint (cvs-update): Skip any file with local modifications. - - * src/unexpand.c (usage): Document --first-only and mention that - --tabs=N (-t) enables --all (-a). Reported by wiregauze@yahoo.com. - -2002-12-01 Dmitry V. Levin <ldv@altlinux.org> - - * src/df.c: Include "canonicalize.h". - Use canonicalize_file_name unconditionally. - -2003-01-09 Jim Meyering <jim@meyering.net> - - * README: Add readlink. - -2002-11-30 Dmitry V. Levin <ldv@altlinux.org> - - * src/df.c: Include "xgetcwd.h". - * src/pwd.c: Likewise. - -2002-11-30 Dmitry V. Levin <ldv@altlinux.org> - - * src/shred.c: Remove declaration of xstrdup. - We already get it via xalloc.h which is included via system.h. - -2002-08-27 Dmitry V. Levin <ldv@altlinux.org> - - New program: readlink. - - * src/Makefile.am (bin_PROGRAMS): Add readlink. - * src/readlink.c: New file. - - * man/readlink.x: New file. - * man/Makefile.am (dist_man_MANS): Add readlink.1. - (readlink.1): New rule. - -2003-01-09 Jim Meyering <jim@meyering.net> - - When selecting ranges of byte offsets (as opposed to ranges of fields) - and when --output-delimiter=STRING is specified, output STRING between - ranges of selected bytes. - * src/cut.c (RANGE_START_SENTINEL): Define. - (output_delimiter_specified): New global. - (print_kth): Add parameter. Adjust all callers. - (set_fields): Mark each range-start index with RANGE_START_SENTINEL. - (cut_bytes): When requested, output STRING between ranges of - selected bytes. - (main): Make a diagnostic a little clearer. - Based on a patch from Jan Nieuwenhuizen. - - * tests/cut/Test.pm: New tests for the above. - - * src/cut.c (set_fields): Make code agree with comment: - Don't merge abutting ranges like 4- and 2-3. This makes no - difference currently, but is required to support an upcoming change. - -2003-01-07 Jim Meyering <jim@meyering.net> - - * src/cut.c (set_fields): Fix typo in comment. - - * tests/touch/not-owner: New test, mostly extracted from fail-diag. - * tests/touch/Makefile.am (TESTS): Add not-owner. - * tests/touch/fail-diag: Remove the test for non-owner diagnostic. - Now, this tests only the nonexistent-directory diagnostic. - Suggestion from Michael Stone. - - * tests/touch/fail-diag: Fix typo: s/ld/ls/. - -2003-01-04 Jim Meyering <jim@meyering.net> - - * src/copy.h: Remove use of PARAMS. - * src/remove.h: Likewise. - * src/chown-core.h: Likewise. - - rm could be tricked into mistakenly reporting a cycle. - * src/remove.c: [cycle_check_state]: New global. - (remove_cwd_entries): Adapt to new semantics of cycle_check. - (rm): Call cycle_check_init and cycle_check_free for each file. - * tests/rm/cycle (rm): New test, for the above fix. - * tests/rm/Makefile.am (TESTS): Add cycle. - - When rm detects a cycle, don't abort the entire command, - but rather just the affected command line argument. - * src/remove.c: Include <setjmp.h> - (struct dirstack_state) [current_arg_jumpbuf]: New member. - (remove_cwd_entries): Call longjmp if we detect a cycle. - (rm): Call setjmp here. - - * src/remove.c (cycle_check, is_power_of_two): Remove functions. - Instead, include cycle-check.h and use it. - - * src/remove.h (struct dev_ino): Remove declaration. - - * src/remove.c (remove_cwd_entries): Fix typos in comment. - - Don't include trailing /. in diagnostics about directories. - * src/remove.c (full_filename_): When FILENAME is just `.' - and there is a nonempty directory-name part, don't append `/.'. - * tests/rm/unread2: Remove trailing /. from diagnostic. - * tests/rm/rm2: Likewise. - - * src/remove.c (struct dirstack_state): Define. - To be used in place of these file-scoped globals ... - (dir_stack, len_stack, Active_dir): Remove globals. - (ds_init, ds_free): New functions. - (full_filename): Define. - (full_filename_): Rename from full_filename. - - Begin to make AD_* functions more generic. - * src/remove.c (AD_push_initial): Don't set status to RM_OK here. - (AD_push): Likewise. - (AD_INIT_OTHER_MEMBERS): Define. - (remove_dir): Define the `status' member manually after each - call to AD_push or AD_push_initial. - - * src/Makefile.am (check-misc): New rule, to ensure that no more - S_IS* macro definitions sneak into the code. - (check): Depend on check-misc. - - * src/remove.c [S_ISLNK]: Don't define. It's already defined in sys2.h. - * src/du.c (count_entry) [S_ISLNK]: Don't define. - * src/shred.c [S_ISLNK, S_ISFIFO, S_ISSOCK]: Don't define. - -2003-01-03 Jim Meyering <jim@meyering.net> - - * src/true.c: Add copyright. - (AUTHORS): I suppose I've written it. - - * src/Makefile.am (false.c): Make the generated file be read-only. - -2003-01-04 Jim Meyering <jim@meyering.net> - - * src/ls.c: Include "dev-ino.h". - [struct dev_ino]: Remove declaration. - -2003-01-02 Jim Meyering <jim@meyering.net> - - * src/cp.c (do_copy): Tweak diagnostic to be consistent with the one - from mv: s/missing file arguments/missing file argument/. - With --target-directory=DIR, cp and mv work with a single file argument. - Reported by Karl Berry. - - * tests/rm/isatty: Enable this test. - -2002-12-31 Jim Meyering <jim@meyering.net> - - * src/remove.c (AD_push_initial): Don't set status to RM_OK here. - (AD_push): Likewise. - (AD_INIT_OTHER_MEMBERS): Define. - (remove_dir): Define the `status' member manually after each - call to AD_push or AD_push_initial. - - * src/ls.c [struct dev_ino]: Remove definition. - Include "dev-ino.h" instead. - -2002-12-28 Jim Meyering <jim@meyering.net> - - * tests/du/Makefile.am (TESTS): Add no-deref. - * tests/du/no-deref: New script. - -2002-12-23 Jim Meyering <jim@meyering.net> - - * src/remove.c (remove_cwd_entries): Fix typo in comment. - -2002-12-21 Jim Meyering <jim@meyering.net> - - * announce-gen: Generate MML-formatted announcement. - This makes it a *lot* harder to send stale MD5/SHA1 signatures. - -2002-12-20 Jim Meyering <jim@meyering.net> - - * src/touch.c (touch): Change the wording of a diagnostic so - that it makes sense both when the file exists and when it doesn't. - Suggestion from Michael Stone. - -2002-12-18 Jim Meyering <jim@meyering.net> - - * src/stty.c (valid_options): Declare to be static. - -2002-12-15 Jim Meyering <jim@meyering.net> - - * Makefile.cfg: Remove rules related to generating m4/jm-glibc-io.m4. - - * src/chmod.c, src/copy.c, src/copy.h, src/cp-hash.h, src/csplit.c: - * src/date.c, src/expr.c, src/fmt.c, src/id.c, src/install.c: - * src/ls.c, src/od.c, src/pathchk.c, src/pr.c, src/remove.c: - * src/shred.c, src/sort.c, src/stat.c, src/stty.c, src/sum.c: - * src/tee.c, src/test.c: Remove all uses of `PARAMS'. - - * src/remove.c (PARAMS): Remove definition. - * src/sys2.h: Likewise. - - * src/ls.c, src/stat.c, src/date.c: Remove declaration of nstrftime. - Include strftime.h instead. - -2002-12-14 Jim Meyering <jim@meyering.net> - - * Makefile.cfg ($(url_dir_list)): Use .../coreutils, not .../fetish. - - * src/system.h [! HAVE_DECL_MEMRCHR]: Declare memrchr. - This is necessary at least for Irix6.5 when using c89. - Reported by Nelson Beebe. - - * tests/misc/Makefile.am (TESTS): Add cat-tty-eof. - - * tests/misc/cat-tty-eof: New test. - - * src/mknod.c (usage): Specify how major and minor mode numbers - are interpreted. Report forwarded by Kristin E Thomas. - * src/mknod.c: Remove now-redundant usage-specifying comment. - -2002-12-13 Jim Meyering <jim@meyering.net> - - * Version 4.5.4. - - * tests/du/trailing-slash: Allow for a directory of size `0'. - That happens at least on file systems of type tmpfs on linux-2.4.18. - - * announce-gen: New script to begin replacing the commands - associated with the rule here... - * Makefile.maint (announcement): Invoke announce-gen. - * Makefile.am (EXTRA_DIST): Add announce-gen. - - * tests/cp/preserve-2: New file/test, for latest fix. - * tests/cp/Makefile.am (TESTS): Add preserve-2. - -2002-12-11 TAKAI Kousuke <takai@vlsi.kuee.kyoto-u.ac.jp> - - Fix a bug whereby cp would fail to parse an option like - --preserve=mode,ownership. - * src/cp.c (decode_preserve_arg): Advance `comma' to - point the character following the comma. - -2002-12-11 Jim Meyering <jim@meyering.net> - - * src/pathchk.c (NEED_PATHCONF_WRAPPER): Undefine before defining, - in case it's already defined. - -2002-12-09 Jim Meyering <jim@meyering.net> - - * tests/touch/fail-diag: Don't get a test failure if /no exists. - Instead, evoke a framework failure if /no-$$ exists. - Reported by Michael Stone. - -2002-12-08 Jim Meyering <jim@meyering.net> - - * src/du.c (lstat) [! LSTAT_FOLLOWS_SLASHED_SYMLINK]: - Define to rpl_lstat, so that even on systems like Solaris 5.8, - du honors (per POSIX) the trailing slash on an argument referring - to a symlink-to-directory. - -2002-12-06 Jim Meyering <jim@meyering.net> - - * Use autoconf-2.57. Regenerate dependent files. - * Use automake-1.7.2. Regenerate dependent files. - - * src/ls.c (gobble_file): Also stat the file if it's a - regular file and --indicator-style=classify (aka -F). - Thanks to Ed Santiago for opening my eyes. - - * tests/ls/file-type: New file. Test for the above. - A test to contrast ls -F and ls --indicator-style=file-type. - * tests/ls/Makefile.am (TESTS): Add file-type. - -2002-12-04 Jim Meyering <jim@meyering.net> - - * tests/ls/follow-slink: Make sure the symlink was created. - Richard Dawe reported that `ln -s link link' succeeds, but creates - no file on systems running some version of the DJGPP libc. - -2002-12-03 Jim Meyering <jim@meyering.net> - - * src/Makefile.am (AUTOMAKE_OPTIONS): Remove definition (to ansi2knr) - since this package no longer panders to K&R compilers. - -2002-12-02 Jim Meyering <jim@meyering.net> - - * tests/du/slink: Skip this test if `.' is on a non-local file system. - - * tests/Fetish.pm (_at_replace): Do the substitution only if there's - something to replace. - -2002-12-01 Jim Meyering <jim@meyering.net> - - * src/stat.c: Don't include <string.h> or <ctype.h>. - That's already done via system.h. - * src/dircolors.c: Don't include <ctype.h>. - -2002-11-30 Jim Meyering <jim@meyering.net> - - * ls.c (gobble_file): Remove the block of code that caused - `ls --color -F symlink-to-dir' to list the files in - `symlink-to-dir/.'. Now, it prints `symlink-to-dir@', (just - like `ls -F symlink-to-dir') but with the addition of highlighting. - Similarly, `ls --color -dF symlink-to-dir' would print - `symlink-to-dir/'; now it prints `symlink-to-dir@'. - Reported by Jeff Sheinberg as Debian bug #168203. - * tests/ls-2/tests (sl-F-color, sl-dF-color): New tests for the above. - - ls is now more efficient: with certain options, it no longer needs - to stat each directory entry on systems with valid dirent.d_type. - * src/ls.c (print_dir): Add DT_LNK and DT_REG. - (main): Make --recursive set format_needs_type, not format_needs_stat. - (gobble_file): Remove a FIXME comment, now that it's fixed. - -2002-11-24 Jim Meyering <jim@meyering.net> - - * src/du.c (du_files): Don't strip any trailing slash. - Rewrite so that `/' is no longer represented internally as - the empty string. - (count_entry): When appending a file name component, - account for the fact that the current path may end in `/'. - François Pinard reported that `du symlink-to-dir/' was not - equivalent to `du symlink-to-dir/.'. Now it is. - * tests/du/trailing-slash: New file/test, for the above fix. - * tests/du/Makefile.am (TESTS): Add trailing-slash. - -2002-11-23 Jim Meyering <jim@meyering.net> - - * src/tac.c (output): Declare some local variables to be of type size_t, - rather than `int' to avoid warnings from gcc. - -2002-11-21 Paul Eggert <eggert@twinsun.com> - - * src/ls.c (decode_switches): Use case-sensitive matching to - decode the QUOTING_STYLE environment variable. This is more - consistent with the documentation, and with --quoting-style. - -2002-11-21 Martin Buck <martin.buck@ascom.ch - - * src/stty.c (struct speeds): Add support for all baud rates defined - in linux-2.4.19. - -2002-11-19 Jim Meyering <jim@meyering.net> - - * tests/sum/sysv: Export LC_ALL=C, to avoid failure when - run in a UTF locale. Report and suggested fix by Bruno Haible. - * tests/fmt/basic: Likewise. - -2002-11-17 Jim Meyering <jim@meyering.net> - - * configure.ac: Update via autoupdate. - Add `AM_GNU_GETTEXT_VERSION(0.11.5)'. - - * src/mv.c (movefile): Don't remove trailing slashes from SOURCE. - Reported by Hans Ginzel. - -2002-11-15 Jim Meyering <jim@meyering.net> - - * Makefile.cfg (gnu_rel_host): Define. - (url_dir_list): Choose from (alpha|ftp).gnu.org depending - on whether $(VERSION) looks like a major release number. - - * Makefile.maint (mail_gpg_sign_cookie): Backslash-escape `#'. - (release): Rename from `alpha'. - (alpha): Depend on release. - - * Makefile.maint (signatures): Define with ?=, so it's easy to override. - -2002-11-14 Jim Meyering <jim@meyering.net> - - * Makefile.maint (mail_gpg_sign_cookie): Make optional. - (announcement): Use the new variable. - - * Makefile.maint: Sync with Bison, i.e.: - (po-check): Scan .l and .y files instead of the - .c and the .h files that they generate. This fixes the bug - reported by Tim Van Holder in: - <http://mail.gnu.org/pipermail/bison-patches/2002-November/001352.html> - Look for N_ as well as for _. Try to avoid matching #define for - N_ and _. - From Paul Eggert. - -2002-11-12 Jim Meyering <jim@meyering.net> - - * src/ls.c (HAVE_SYMLINKS): Remove unnecessary macro definition. - Replace sole use with equivalent `#ifdef S_ISLNK'. - Inconsistency reported by Dmitry V. Levin. - -2002-11-11 Jim Meyering <jim@meyering.net> - - * src/stat.c (usage): Transform --help items output via s/ - / /, - so that help2man produces properly formatted man pages. - Reported by Herbert Xu as Debian bug #168400. - -2002-11-10 Jim Meyering <jim@meyering.net> - - * src/ls.c (sighandler): Handle SIGTSTP specially. - Based on suggestions from Solar Designer and Dmitry V. Levin. - Add comments. - - * Makefile.cfg (cvs_files): Define. From autoconf. - (local_updates): Likewise. - - * src/ls.c (restore_default_color_handler, sigtstp_handler): - Remove functions. - (sighandler): New function, based on the one in sort.c. - (main): Use sigaction, if possible; otherwise signal. - Handle these signals: - SIGHUP, SIGINT, SIGPIPE, SIGQUIT, SIGTERM, SIGTSTP. - Don't register our handler if the signal is already being ignored. - - * src/dd.c (interrupt_handler): Use raise, rather than kill+getpid. - * src/csplit.c (interrupt_handler): Likewise. - * src/sort.c (sighandler): Likewise. - (main): Declare `i' and `nsigs' to be unsigned, not int. - -2002-11-09 Jim Meyering <jim@meyering.net> - - ls --color: restore terminal text color upon signal. - * src/ls.c: Include "full-write.h" and <signal.h>. - (restore_default_color, restore_default_color_handler): New functions. - (sigtstp_handler, put_indicator_direct): New functions. - (main) [print_with_color]: Register signal handlers. - Patch mostly by Solar Designer and Stanislav Ievlev. - - Update from autoconf. - * Makefile.maint (AMTAR): Remove definition. - (update, cvs-update, po-update, do-po-update): New rules. - (wget-update): Update (thus renaming to cvs-update). - (automake_repo): Use anoncvs@sources.redhat.com. - -2002-11-06 Jim Meyering <jim@meyering.net> - - * tests/misc/Makefile.am (TESTS): Add printf-hex. - - * tests/misc/printf: Be careful to test the code in this package, - not the shell built-in function. - - * src/printf.c (print_esc): A hexadecimal escape sequence has - at most two hex. digits, not three. Reported by Padraig Brady. - (usage): Update description. - * tests/misc/printf-hex: New file/test, for the above fix. - -2002-10-07 Paul Eggert <eggert@twinsun.com> - - Add support for locale-specific size indications (e.g., - thousands-separators) and for explicit size suffixes on output. - - * doc/coreutils.texi (Block size): Say that: - This affects display format as well as block size. - Fractional block counts are rounded up. - ls file size blocksize defaults to 1. - A block size spec preceded by ' generates thousands separators. - A suffix without a preceding integer generates suffixes. - (tail invocation): 32k -> 32 KiB. - (What information is listed): ls -h is now equivalent to - ls --block-size=human, and ls -H is now equivalent to - ls --block-size=si. Displayed file size is now always affected by - --block-size. - - * lib/inttostr.c, lib/inttostr.h, lib/imaxtostr.c, lib/offtostr.c, - lib/umaxtostr.c: New files, taken from GNU tar. - - * lib/Makefile.am (libfetish_a_SOURCES): Add imaxtostr.c, offtostr.c, - umaxtostr.c. - (EXTRA_DIST): Add inttostr.c. - - * lib/human.c, lib/human.h: Rewrite to support locale-specific - notations like thousands separators. - Specify what includer of include.h must include beforehand. - (human_group_digits, human_suppress_point_zero, human_autoscale, - human_base_1024, human_SI, human_B): New enum values. - (human_readable): Rename from human_readable_inexact; put the - options before the sizes. All uses changed. The old human_readable - function has been removed; use inttostr.h instead. - (human_options): Renamed from human_block_size, with new signature - that allows block sizes up to UINTMAX_MAX. All callers changed. - - * m4/prereq.m4 (jm_PREREQ_HUMAN): Check for locale.h, localeconv, - AC_HEADER_STDBOOL. No need to check for limits.h since it's in - freestanding C89. No need to check for stdlib.h or string.h since - autoconf does this now. - - * src/cksum.c (cksum): Use primitives from inttostr.h, not - human.h, to print large numbers simply. - * src/csplit.c (handle_line_error, parse_patterns): Likewise. - * src/dd.c (print_stats, main): Likewise. - * src/df.c (print_header): Likewise. - * src/factor.c (print_factors): Likewise. - * src/ls.c (print_long_format, print_file_name_and_frills): Likewise. - * src/shred.c (dopass): Likewise. - * src/sort.c (checkfp): Likewise. - * src/sum.c (bsd_sum_file, sysv_sym_file): Likewise. - * src/tail.c (xlseek): Likewise. - * src/wc.c (write_counts, wc): Likewise. - - * src/df.c (human_output_opts): New var. - (output_block_size): Now uintmax_t, not int, to handle larger - block sizes. All uses changed. - * src/du.c: Likewise. - * src/ls.c: Likewise. - - * src/df.c (print_header): In the header line, prefer SI to human - representation if it's shorter; if neither is shorter, try to - intuit what the user would prefer. - - * src/expr.c (inttostr): Remove; use new imaxtostr library - function instead. - - * src/ls.c (file_output_block_size): New var, to distinguish - file sizes from other sizes. - (decode_switches): Set it. - - * src/shred.c (OUTPUT_BLOCK_SIZE): remove. - (dopass): When printing progress, use floor for what has been done - so far (since we should be conservative there), and ceiling for - what needs to be done (since that's what other programs use). - -2002-10-19 Jim Meyering <jim@meyering.net> - - * src/pinky.c (print_heading): Align TTY and Name headings. - Reported by Karl Eichwalder. - -2002-10-18 Jim Meyering <jim@meyering.net> - - * src/split.c (cwrite): Change type of `bytes' parameter to size_t - Remove now-useless cast. - (stdread): Remove function. - (bytes_split): Use size_t instead of int. - Use safe_read, not stdread. - (lines_split): Likewise. - Use memchr rather than a `while' loop. - (line_bytes_split): Use size_t instead of int. - Use safe_read, not stdread. - (main): Add some FIXME comments to remind me to remove casts. - - * src/system.h (ST_BLKSIZE): Correct comment describing how to - reproduce HPUX-11 cat failure. From Petter Reinholdtsen. - -2002-10-17 Jim Meyering <jim@meyering.net> - - Fix a problem that could make e.g., `cat' misbehave on systems which - give invalid (unreasonably large) values for stat.st_blksize. - * src/system.h (ST_BLKSIZE): Ensure that the result is in [1..4MB]. - Reported by Petter Reinholdtsen. - -2002-10-14 Jim Meyering <jim@meyering.net> - - Specifying a printf conversion specifer as nl's separator string - could cause nl to segfault. - * src/nl.c (build_print_fmt): Don't include separator string - in the printf format; it might contain `%'. - Use a better bound on the length of the print_fmt buffer. - (print_lineno): Print the separator here instead. - Reported by Doug Coleman. - - * tests/misc/nl: New file/tests, including a test for the above. - * tests/misc/Makefile.am (TESTS): Add nl. - - * tests/misc/split-l: New test, to make sure `split --lines=N' works. - * tests/misc/Makefile.am (TESTS): Add split-l. - -2002-10-13 Jim Meyering <jim@meyering.net> - - * Version 4.5.3. - - * src/du.c (usage): Tweak description of --dereference-args/-D. - - * src/du.c (count_entry): Also save cwd when dereferencing (via - --dereference-args, -D) a command-line argument. - Reported by Michal Svec. Based on a patch by Andreas Schwab. - - * src/Makefile.am (../AUTHORS): New target/rule. - -2002-10-12 Jim Meyering <jim@meyering.net> - - * src/paste.c (paste_parallel): Declare local, `delims_saved', to be - of type size_t, since that's the way it's used and avoids a warning. - - * src/csplit.c (struct cstring) [len]: Declare to be unsigned int, - since that's how it's always used and avoids a new warning from gcc. - (read_input): Adapt to new safe_read ABI. - - * src/cut.c (cut_fields): Add a temporary size_t variable, n_bytes, - to avoid warnings. - - * src/pinky.c (print_long_entry): fread returns size_t. - Declare local `bytes' accordingly, to avoid warning. - - tail -c +N would perform an extra read after encountering EOF - [this change is analogous (bytes vs. lines) to the one of 2002-01-27] - * src/tail.c (start_bytes): Detect EOF, inform caller. - (tail_bytes): Upon EOF in start_bytes, return immediately. - (file_lines): Reorganize to use memrchr rather than an explicit loop. - Adapt to new safe_read ABI. - -2002-10-11 Jim Meyering <jim@meyering.net> - - * tests/du/deref: New file/test, for the above fix. - * tests/du/Makefile.am (TESTS): Add deref. - -2002-10-10 Jim Meyering <jim@meyering.net> - - * tests/ln/Makefile.am (TESTS): Add target-1. - * tests/ln/target-1: New file/test, for the fix on 2002-10-08. - -2002-10-09 Jim Meyering <jim@meyering.net> - - * tests/cp/backup-is-src: Ensure that certain environment variables - are not set (e.g., SIMPLE_BACKUP_SUFFIX). Reported by Duncan Roe. - - * tests/tail-2/big-4gb: Mark this as an expensive test; it would - consume 4GB of disk space on systems without support for sparse files. - Fix a logic error that'd make it `cat err' even though dd didn't fail. - - * src/dircolors.hin (.jar): Fix typo: s/;3$/;31/. - Patch by steven@magelico.net, forwarded by Michael Stone. - - * tests/ls/dired: Ensure that ls produces English messages. - Patch by Alexey Vyskubov, forwarded by Michael Stone. - -2002-10-08 Dmitry V. Levin <ldv@altlinux.org> - - * src/ln.c (main): Fix target_directory parsing when n_files == 1. - -2002-10-08 Jim Meyering <jim@meyering.net> - - * tests/tail-2/big-4gb: Use double quotes around diagnostic. - Fix syntax in test: use =, not ==. - Reported by Bob Proulx. - Change all the rest like this: grep -lR "testing framework'" .\ - |xargs perl -pi -e 's/'\''(\$0: failure in testing framework)'\''/"$1"/' - - * src/sum.c (sysv_sum_file): Adapt to new safe_read ABI. - * src/tr.c (squeeze_filter, read_and_delete, read_and_xlate): Likewise. - * src/tac.c (save_stdin, tac_stdin_to_mem): Likewise. - * src/wc.c (wc): Likewise. - -2002-10-07 Paul Eggert <eggert@twinsun.com> - - * src/cat.c (cat): - Don't advance the write pointer past the end of the write buffer. - * src/sort.c (begfield, limfield): Likewise. - -2002-10-07 Jim Meyering <jim@meyering.net> - - * src/cat.c (simple_cat, cat): Adapt to new safe_read ABI. - * src/head.c (head_bytes, head_lines): Likewise. - -2002-10-06 Jim Meyering <jim@meyering.net> - - * src/dd.c (scanargs): Ensure that specified block sizes (specified - via ibs=N, obs=N, and bs=N) are no larger than SSIZE_MAX. - (skip, dd_copy): Adapt to new safe_read ABI. - - * Makefile.maint (signatures): Define. - (%.sig): New rule. - (announcement): Depend on $(signatures). - - * Makefile.maint (announcement): Output all URLs for detached - signatures, not just the last one from the previous loop. - -2002-10-05 Jim Meyering <jim@meyering.net> - - * Version 4.5.2. - - * src/remove.c (remove_entry) [ROOT_CAN_UNLINK_DIRS]: With `rm -i DIR', - don't recurse into directory, DIR. Prompted by a report from - Leonardo Milano. - - * tests/rm/i-no-r: New file/test, for the above fix. - * tests/rm/Makefile.am (TESTS): Add i-no-r. - - * tests/tail-2/big-4gb: New file/test, for the fix of 2002-09-27. - * tests/tail-2/Makefile.am (TESTS): Add big-4gb. - -2002-10-03 Jim Meyering <jim@meyering.net> - - * src/rm.c (AUTHORS): Mark translatable string with `N_ (...)'. - * src/df.c (AUTHORS): Likewise. - * src/du.c (AUTHORS): Likewise. - * src/tail.c (AUTHORS): Likewise. - * src/touch.c (AUTHORS): Likewise. - -2002-10-02 Jim Meyering <jim@meyering.net> - - * Makefile.am (SUBDIRS): Remove `old'. - (EXTRA_DIST): List the files in old/. - * configure.ac (AC_CONFIG_FILES): Remove old/* names. - Suggestion from Akim Demaille. - -2002-10-01 Jim Meyering <jim@meyering.net> - - * src/sys2.h (SSIZE_MAX): Define. - -2002-09-30 Jim Meyering <jim@meyering.net> - - * src/csplit.c: Don't include stdlib.h here. It's already included - via system.h. - -2002-09-29 Jim Meyering <jim@meyering.net> - - * src/tr.c (find_bracketed_repeat): Rearrange pointer/integer - expression to avoid bogus warning from gcc. - - * src/cat.c (simple_cat): Use a temporary to avoid bogus warnings. - (cat): Declare insize and outsize to be of type size_t, not int. - Rearrange pointer/integer expressions to avoid bogus warnings. - (main): Declare insize and outsize to be of type size_t, not int. - - * src/tail.c (parse_options): Give a sensible diagnostic for - an invalid byte or line count. Reported by Mikko Tuumanen. - - * src/touch.c (main): Split a long line. - - * tests/du/Makefile.am (TESTS): Add slink. - * tests/du/slink: New test for system.h change of 2002-08-31. - - In move mode, always first try to rename. Before, upon failure to - rename a directory, this code would never attempt to rename any - other file in that directory, but would thenceforth always copy. - On some systems (e.g., NetApp's OnTap-6.4), renaming a directory - may fail with EXDEV, yet renaming files within that directory to - a newly-created destination directory succeeds. - * src/copy.c (copy_internal): Remove local, move_mode; - use x->move_mode instead. Based on a patch from Tom Haynes. - -2002-09-28 Jim Meyering <jim@meyering.net> - - * src/split.c (FAIL_ONLY_ONE_WAY): New macro. - Factor out some duplication. - (main): Use it. - [case 'a']: Use strtoul rather than strtol to avoid compiler warnings. - - * src/sort.c (begfield, limfield): Rearrange comparisons to avoid - compiler warnings. - (fillbuf, keycompare): Cast literal `-1' to size_t in comparisons, - to avoid compiler warnings. - - * src/shred.c (dopass): Use a uintmax_t temporary to avoid bogus - compiler warnings. - - Fix things so `mkdir -p' can create very deep directories, e.g., - mkdir -p $(perl -e 'print "a/" x 40000') now works. - * src/mkdir.c (main): For --parents (-p), call make_path with the - entire directory name, so we don't ever require that file operations - like stat or chmod be performed on the entire command line argument. - * makepath.c (make_path): Restore umask *before* creating the final - component. - -2002-09-27 Andreas Schwab <schwab@suse.de> - - * src/tail.c (tail_bytes): Change type of bytes_remaining to off_t - to avoid overflow. Reported by Hans Lermen. - -2002-09-26 Jim Meyering <jim@meyering.net> - - * src/install.c (get_ids): Use strtoul, not strtol. Remove some casts. - -2002-09-25 Jim Meyering <jim@meyering.net> - - * src/test.c (eaccess): Change type of local `euid' from int to uid_t - and add a cast, to avoid a warning about `signed and unsigned type in - conditional expression'. - -2002-09-22 Jim Meyering <jim@meyering.net> - - * src/rmdir.c: Include "dirname.h", for declaration of - strip_trailing_slashes. - - * src/stat.c (PRIdMAX, PRIuMAX): Remove definitions. - Now they're defined through system.h. - - * src/cp-hash.c, src/dd.c, src/df.c, src/du.c, src/ls.c, - * src/stat.c, src/wc.c: Remove all inclusions of inttypes.h, - since it's already included from sys2.h via system.h. - - * Use automake-1.6f. Regenerate dependent files. - - * src/Makefile.am (PERL): Remove duplicate definition. - - fmt's -s, -t, -c options didn't work properly for long lines. - Since get_line may end up calling put_paragraph (for long lines), - be sure to set global, `other_indent', before it is used there. - - * src/fmt.c (set_other_indent): New function, factored out of... - (get_paragraph): ... here. Call it. - (get_line): Call set_other_indent before calling flush_paragraph, - which calls fmt_paragraph, which in turn calls put_paragraph, - which uses other_indent. - - * tests/fmt/Makefile.am (TESTS): Add long-line. - * tests/fmt/long-line: New file/test, for the above fix. - -2002-09-21 Jim Meyering <jim@meyering.net> - - * src/od.c: No longer include deprecated <values.h>. - It was required solely for now-removed reference to BITSPERBYTE. - * src/install.c: Likewise. - Suggestion from Bruno Haible. - -2002-09-06 Andreas Schwab <schwab@suse.de> - - `rmdir -p dir-specified-with-trailing-slash/' would fail. - * src/rmdir.c (remove_parents): Strip trailing slashes. - -2002-09-20 Jim Meyering <jim@meyering.net> - - * tests/rmdir/t-slash: New file/test, for the above fix. - * tests/rmdir/Makefile.am (TESTS): Add t-slash. - - * Makefile.maint (announcement): Arrange to gpg-sign the message. - Add a URL for each detached signature file. - -2002-09-07 Bruno Haible <bruno@clisp.org> - - * configure.ac: Add need-ngettext to AM_GNU_GETTEXT invocation. - -2002-09-18 Jim Meyering <jim@meyering.net> - - `od -t x8' used the wrong (`l'-prefixed) printf format. - Likewise for the o8 and u8 formats. - * src/od.c (ISPEC_TO_FORMAT): Define macro. - (decode_one_format): Use PRIdMAX, PRIoMAX, etc. for LONG_LONG. - Reported by Arun Sharma. - -2002-09-17 Jim Meyering <jim@meyering.net> - - * src/sys2.h (PRIdMAX, PRIoMAX, PRIuMAX, PRIxMAX): Define if necessary. - From gettext's intl/loadmsgcat.c. - - * tests/od/x8: New file/test, for the above fix. - * tests/od/Makefile.am (TESTS): Add x8. - -2002-09-15 Jim Meyering <jim@meyering.net> - - * Use autoconf-2.54. Regenerate dependent files. - - * src/csplit.c (get_format_width): Add cast to avoid - warning about `signed and unsigned type in conditional expression'. - -2002-09-14 Jim Meyering <jim@meyering.net> - - * src/who.c (print_user): Change type of local to size_t - to avoid warnings about `comparison between signed and unsigned'. - * src/ptx.c (generate_all_output): Likewise. - - * src/dd.c (main, skip): Add casts to avoid warnings about - `comparison between signed and unsigned'. - - * src/id.c (print_full_info, print_group_list): Add casts to avoid - warnings about `signed and unsigned type in conditional expression'. - - * src/md5sum.c: Change type of global, digest_hex_bytes, to size_t - to avoid warnings about `comparison between signed and unsigned'. - (split_3): Change parameter names to be readable and add comment. - Clean up the test for whether a line may be ignored. - -2002-09-13 Jim Meyering <jim@meyering.net> - - * src/printf.c (main): Handle leading command line argument of `--'. - Reported by Raul: DervishD <raul@pleyades.net> - * tests/misc/printf: New file: test for the above. - * tests/misc/Makefile.am (TESTS): Add printf. - - * src/date.c (usage): Explain that %S's range of [0..60] is required -- - rather than 0..59 -- to accommodate the occasional positive leap second. - Reported by Richard Neill. - -2002-09-12 Jim Meyering <jim@meyering.net> - - * src/Makefile.am (nanosec_libs): Define. - (sleep_LDADD, tail_LDADD): Use it here. - - Factor nanosleep-related code into ../lib/xnanosleep.c. - * src/sleep.c: Include xnanosleep.h. - Factor out fenv.h-related code. - (timespec_subtract): Remove function. - (main): Remove code that deals with computing start and stop times - as well as the loop around nanosleep. Now that's in xnanosleep.c. - - Allow S (in --sleep-interval=S) to be a floating point value. - * src/tail.c: Include xnanosleep.h and xstrtod.h. - Move declaration of global variable, sleep_interval, to ... - (main): ...here. - (usage): Update description of --sleep-interval option. - (tail_forever): New parameter, sleep_interval. Update caller. - Use xnanosleep, rather than sleep. - (parse_options): New parameter, sleep_interval. Update caller. - Use xstrtod, now that we accept floating point values. - Prompted by a patch from Augey Mikus. - -2002-09-06 Jim Meyering <jim@meyering.net> - - * src/remove.c (prompt): Change comment to give a better note to - translators. From Michael Piefel. - -2002-09-02 Jim Meyering <jim@meyering.net> - - * README: A good problem report/patch includes diffs against - the most recent test release. - - * src/pathchk.c (NEED_PATHCONF_WRAPPER): Define. - (pathconf_wrapper): Define only if NEED_PATHCONF_WRAPPER is set. - - * src/kill.c (print_table_row): Use an unsigned type for widths - to avoid warning about comparison between signed and unsigned. - (list_signals): Likewise. - - * src/od.c (skip): Add a cast to avoid warning about comparison - between signed and unsigned. - * src/install.c (get_ids): Likewise. Also rearrange range-checking - comparisons to make them more readable. - -2002-09-01 Jim Meyering <jim@meyering.net> - - * Version 4.5.1. - -2002-08-31 Jim Meyering <jim@meyering.net> - - Symlinks were always reported as using 0 blocks. - * src/system.h (ST_NBLOCKS): Don't depend on file type. - This reverts the change of 2000-01-30. - Based on a report and patch from Neil Brown via Michael Stone. - This fixes Debian Bug#156358. - - * Most files: Change `exit (0)' to `exit (EXIT_SUCCESS)', - `exit (1)' to `exit (EXIT_FAILURE)', and - `usage (1)' to `usage (EXIT_FAILURE)'. - - * chgrp.c, chmod.c, chown.c, chroot.c, cp.c, date.c, dd.c, du.c, - * hostname.c, id.c, install.c, ln.c, mkdir.c, mkfifo.c, mknod.c, - * nice.c, pinky.c, printf.c, pwd.c, shred.c, sleep.c, stty.c, - * su.c, tac-pipe.c, tail.c, tee.c, touch.c, uname.c, uptime.c, - * users.c, who.c: Change `error (1, ...' to `error (EXIT_FAILURE, ...'. - But don't change `error (0, ...' to `error (EXIT_SUCCESS, ...', since - error never exits successfully. - -2002-08-29 Jim Meyering <jim@meyering.net> - - * src/remove.c (remove_cwd_entries): Use closedir (not CLOSEDIR) - when ignoring any return value. - - * src/remove.c (remove_cwd_entries): Detect and diagnose readdir - failures. On some systems (at least EMC Celerra and Solaris5.8), - this appears to be necessary. - (is_empty_dir): Likewise. Also, always close directory handle. - * src/ls.c (print_dir): Likewise. - (print_dir): Rename local variable: reading -> dirp. - Reported by Mike Coleman. - -2002-08-28 Jim Meyering <jim@meyering.net> - - * src/remove.c (remove_cwd_entries): Use CLOSEDIR, not closedir. - Give a diagnostic and fail if closedir fails. - -2002-08-26 Jim Meyering <jim@meyering.net> - - * Makefile.am (THANKS-to-translators): New rule. - (EXTRA_DIST): Add both THANKS-to-translators and THANKStt.in. - * THANKStt.in: New file. - - * src/cat.c (close_stdout_wrapper): New, kludgey, function and - file-scoped global. - (main): Register it with atexit. - Close STDOUT_FILENO, to avoid a problem when writing to - /dev/audio on at least Solaris 5.7 and 5.8 systems. - Reported by Shing-Shong Shei. - -2002-08-25 Jim Meyering <jim@meyering.net> - - * src/cat.c (main): Close STDIN_FILENO rather than a literal `0'. - * src/tac.c (main): Likewise. - * src/tail.c (main): Likewise. - * src/tee.c (main): Likewise. - * src/tr.c (main): Likewise. - * src/wc.c (main): Likewise. - -2002-08-20 Jim Meyering <jim@meyering.net> - - * tests/mv/setup: Rewrite not to use `: ${VAR=not_set}' paradigm. - -2002-08-10 Paul Eggert <eggert@twinsun.com> - - * src/nohup.sh: Don't use "exec --"; it's not portable and - shouldn't be needed. - -2002-08-09 Jim Meyering <jim@meyering.net> - - * src/pr.c (main): Don't ignore -COLUMN if it's the last option. - (usage): Clarify help text for the -COLUMN option. - Patch by Padraig Brady. - * tests/pr/Test.pm [col-last]: New test for the above. - - * configure.ac: Start with version 4.5.1, chosen so that it's larger - than the latest version numbers of the component packages. - - * man/Makefile.am (check-x-vs-1): Set and export PATH so we use - programs in ../src. - -2002-08-08 Jim Meyering <jim@meyering.net> - - * src/date.c: Guard inclusion of <langinfo.h> with - `#if HAVE_LANGINFO_CODESET', not `#if HAVE_LANGINFO_H'. - * src/sort.c: Likewise. - Patch by GOTO Masanori. - -2002-08-05 Paul Eggert <eggert@twinsun.com> - - Fix some minor time-related bugs with POSIX time arguments. - Some valid time stamps were being rejected (notably -1, and - time stamps before 1900 on 64-bit hosts). And some invalid - time stamps were being accepted, e.g. September 31. - - * src/date.c (main): Adjust to posixtime signature change. - * src/touch.c (main): Likewise. Remove unnecessary initialization. - Use localtime, not posixtm, to warn about obsolete "touch". - -2002-08-05 Jim Meyering <jim@meyering.net> - - * tests/misc/Makefile.am (TESTS): Add nice and pathchk1. - -2002-08-04 Jim Meyering <jim@meyering.net> - - * src/Makefile.am (check-README): New target/rule. - (check): Depend on it. - - * configure.ac (AC_CONFIG_FILES): Add old/Makefile and old/*/Makefile. - -2002-08-03 Jim Meyering <jim@meyering.net> - - * Makefile.am (SUBDIRS): Add old. - * old/: New directory, containing legacy ChangeLog* and NEWS files - from the fileutils, sh-utils, and textutils packages. - - * src/Makefile.am (AM_INSTALLCHECK_STD_OPTIONS_EXEMPT): Set to false. - -2002-08-02 Paul Eggert <eggert@twinsun.com> - - * NEWS, doc/coreutils.texi: uniq now obeys LC_COLLATE. - - * src/uniq.c: Include hard-locale.h, xmemcoll.h. - (hard_LC_COLLATE): New var. - (different): Args are now char *, not const char *. - Use xmemcoll instead of memcmp to compare lines, so that - LC_COLLATE has effect. However, use memcmp if it is an - easy locale. - (check_file): Do not include newline in comparison, so that - xmemcoll has a byte to stomp on temporarily. - (main): Set hard_LC_COLLATE. - -2002-07-29 Jim Meyering <jim@meyering.net> - - * Makefile.am (SUBDIRS): Remove djgpp, for now. - -2002-07-20 Jim Meyering <jim@meyering.net> - - * Makefile.am (false.c): Convert only the final EXIT_SUCCESS - into EXIT_FAILURE. Otherwise, false --help and false --version - would fail. - -2002-07-08 Jim Meyering <jim@meyering.net> - - * src/Makefile.am (uninstall-local): Search for @GNU_PACKAGE@, - rather than the hard-coded `sh-utils'. - -2002-07-01 Jim Meyering <jim@meyering.net> - - * configure.ac: Merge the three files from fileutils, - textutils, and sh-utils. - * Makefile.am: Likewise. - * src/Makefile.am: Likewise. diff --git a/contrib/gnu-sort/FREEBSD-upgrade b/contrib/gnu-sort/FREEBSD-upgrade deleted file mode 100644 index 5cb5371..0000000 --- a/contrib/gnu-sort/FREEBSD-upgrade +++ /dev/null @@ -1,14 +0,0 @@ -$FreeBSD$ - -GNU Sort - originals can be found at: ftp://ftp.gnu.org/gnu/coreutils/ - -Configure by: - ./configure --disable-nls --without-libiconv-prefix \ - --without-libintl-prefix - -Imported by: - - cvs import \ - -m "Virgin import (trimmed) of GNU Sort, coreutils 5.2.1" \ - src/contrib/gnu-sort FSF SORT_v5_2_1 diff --git a/contrib/gnu-sort/INSTALL b/contrib/gnu-sort/INSTALL deleted file mode 100644 index 54caf7c..0000000 --- a/contrib/gnu-sort/INSTALL +++ /dev/null @@ -1,229 +0,0 @@ -Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002 Free Software -Foundation, Inc. - - This file is free documentation; the Free Software Foundation gives -unlimited permission to copy, distribute and modify it. - -Basic Installation -================== - - These are generic installation instructions. - - The `configure' shell script attempts to guess correct values for -various system-dependent variables used during compilation. It uses -those values to create a `Makefile' in each directory of the package. -It may also create one or more `.h' files containing system-dependent -definitions. Finally, it creates a shell script `config.status' that -you can run in the future to recreate the current configuration, and a -file `config.log' containing compiler output (useful mainly for -debugging `configure'). - - It can also use an optional file (typically called `config.cache' -and enabled with `--cache-file=config.cache' or simply `-C') that saves -the results of its tests to speed up reconfiguring. (Caching is -disabled by default to prevent problems with accidental use of stale -cache files.) - - If you need to do unusual things to compile the package, please try -to figure out how `configure' could check whether to do them, and mail -diffs or instructions to the address given in the `README' so they can -be considered for the next release. If you are using the cache, and at -some point `config.cache' contains results you don't want to keep, you -may remove or edit it. - - The file `configure.ac' (or `configure.in') is used to create -`configure' by a program called `autoconf'. You only need -`configure.ac' if you want to change it or regenerate `configure' using -a newer version of `autoconf'. - -The simplest way to compile this package is: - - 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. If you're - using `csh' on an old version of System V, you might need to type - `sh ./configure' instead to prevent `csh' from trying to execute - `configure' itself. - - Running `configure' takes awhile. While running, it prints some - messages telling which features it is checking for. - - 2. Type `make' to compile the package. - - 3. Optionally, type `make check' to run any self-tests that come with - the package. - - 4. Type `make install' to install the programs and any data files and - documentation. - - 5. You can remove the program binaries and object files from the - source code directory by typing `make clean'. To also remove the - files that `configure' created (so you can compile the package for - a different kind of computer), type `make distclean'. There is - also a `make maintainer-clean' target, but that is intended mainly - for the package's developers. If you use it, you may have to get - all sorts of other programs in order to regenerate files that came - with the distribution. - -Compilers and Options -===================== - - Some systems require unusual options for compilation or linking that -the `configure' script does not know about. Run `./configure --help' -for details on some of the pertinent environment variables. - - You can give `configure' initial values for configuration parameters -by setting variables in the command line or in the environment. Here -is an example: - - ./configure CC=c89 CFLAGS=-O2 LIBS=-lposix - - *Note Defining Variables::, for more details. - -Compiling For Multiple Architectures -==================================== - - You can compile the package for more than one kind of computer at the -same time, by placing the object files for each architecture in their -own directory. To do this, you must use a version of `make' that -supports the `VPATH' variable, such as GNU `make'. `cd' to the -directory where you want the object files and executables to go and run -the `configure' script. `configure' automatically checks for the -source code in the directory that `configure' is in and in `..'. - - If you have to use a `make' that does not support the `VPATH' -variable, you have to compile the package for one architecture at a -time in the source code directory. After you have installed the -package for one architecture, use `make distclean' before reconfiguring -for another architecture. - -Installation Names -================== - - By default, `make install' will install the package's files in -`/usr/local/bin', `/usr/local/man', etc. You can specify an -installation prefix other than `/usr/local' by giving `configure' the -option `--prefix=PATH'. - - You can specify separate installation prefixes for -architecture-specific files and architecture-independent files. If you -give `configure' the option `--exec-prefix=PATH', the package will use -PATH as the prefix for installing programs and libraries. -Documentation and other data files will still use the regular prefix. - - In addition, if you use an unusual directory layout you can give -options like `--bindir=PATH' to specify different values for particular -kinds of files. Run `configure --help' for a list of the directories -you can set and what kinds of files go in them. - - If the package supports it, you can cause programs to be installed -with an extra prefix or suffix on their names by giving `configure' the -option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. - -Optional Features -================= - - Some packages pay attention to `--enable-FEATURE' options to -`configure', where FEATURE indicates an optional part of the package. -They may also pay attention to `--with-PACKAGE' options, where PACKAGE -is something like `gnu-as' or `x' (for the X Window System). The -`README' should mention any `--enable-' and `--with-' options that the -package recognizes. - - For packages that use the X Window System, `configure' can usually -find the X include and library files automatically, but if it doesn't, -you can use the `configure' options `--x-includes=DIR' and -`--x-libraries=DIR' to specify their locations. - -Specifying the System Type -========================== - - There may be some features `configure' cannot figure out -automatically, but needs to determine by the type of machine the package -will run on. Usually, assuming the package is built to be run on the -_same_ architectures, `configure' can figure that out, but if it prints -a message saying it cannot guess the machine type, give it the -`--build=TYPE' option. TYPE can either be a short name for the system -type, such as `sun4', or a canonical name which has the form: - - CPU-COMPANY-SYSTEM - -where SYSTEM can have one of these forms: - - OS KERNEL-OS - - See the file `config.sub' for the possible values of each field. If -`config.sub' isn't included in this package, then this package doesn't -need to know the machine type. - - If you are _building_ compiler tools for cross-compiling, you should -use the `--target=TYPE' option to select the type of system they will -produce code for. - - If you want to _use_ a cross compiler, that generates code for a -platform different from the build platform, you should specify the -"host" platform (i.e., that on which the generated programs will -eventually be run) with `--host=TYPE'. - -Sharing Defaults -================ - - If you want to set default values for `configure' scripts to share, -you can create a site shell script called `config.site' that gives -default values for variables like `CC', `cache_file', and `prefix'. -`configure' looks for `PREFIX/share/config.site' if it exists, then -`PREFIX/etc/config.site' if it exists. Or, you can set the -`CONFIG_SITE' environment variable to the location of the site script. -A warning: not all `configure' scripts look for a site script. - -Defining Variables -================== - - Variables not defined in a site shell script can be set in the -environment passed to `configure'. However, some packages may run -configure again during the build, and the customized values of these -variables may be lost. In order to avoid this problem, you should set -them in the `configure' command line, using `VAR=value'. For example: - - ./configure CC=/usr/local2/bin/gcc - -will cause the specified gcc to be used as the C compiler (unless it is -overridden in the site shell script). - -`configure' Invocation -====================== - - `configure' recognizes the following options to control how it -operates. - -`--help' -`-h' - Print a summary of the options to `configure', and exit. - -`--version' -`-V' - Print the version of Autoconf used to generate the `configure' - script, and exit. - -`--cache-file=FILE' - Enable the cache: use and save the results of the tests in FILE, - traditionally `config.cache'. FILE defaults to `/dev/null' to - disable caching. - -`--config-cache' -`-C' - Alias for `--cache-file=config.cache'. - -`--quiet' -`--silent' -`-q' - Do not print messages saying which checks are being made. To - suppress all normal output, redirect it to `/dev/null' (any error - messages will still be shown). - -`--srcdir=DIR' - Look for the package's source code in directory DIR. Usually - `configure' can determine that directory automatically. - -`configure' also accepts some other, not widely useful, options. Run -`configure --help' for more details. - diff --git a/contrib/gnu-sort/NEWS b/contrib/gnu-sort/NEWS deleted file mode 100644 index 31f459b..0000000 --- a/contrib/gnu-sort/NEWS +++ /dev/null @@ -1,904 +0,0 @@ -GNU coreutils NEWS -*- outline -*- - -* Major changes in release 5.3.0 (2004-03-17) [unstable] - -** Bug fixes - - rm (without -f) no longer hangs when attempting to remove a symlink - to a file on an off-line NFS-mounted partition. - - cut's --output-delimiter=D option works with abutting byte ranges. - - rm no longer gets a failed assertion under some unusual conditions. - - Several fixes to chgrp and chown for compatibility with POSIX and BSD: - - Do not affect symbolic links by default. - Now, operate on whatever a symbolic points to, instead. - To get the old behavior, use --no-dereference (-h). - - --dereference now works, even when the specified owner - and/or group match those of an affected symlink. - - Check for incompatible options. When -R and --dereference are - both used, then either -H or -L must also be used. When -R and -h - are both used, then -P must be in effect. - - -H, -L, and -P have no effect unless -R is also specified. - If -P and -R are both specified, -h is assumed. - - Do not optimize away the chown() system call when the file's owner - and group already have the desired value. This optimization was - incorrect, as it failed to update the last-changed time and reset - special permission bits, as POSIX requires. - - Do not report an error if the owner or group of a - recursively-encountered symbolic link cannot be updated because - the file system does not support it. - - md5sum and sha1sum now report an error when given so many input - lines that their line counter overflows, instead of silently - reporting incorrect results. - - rm no longer requires read access to the current directory. - - "sort -o -" now writes to a file named "-" instead of to standard - output; POSIX requires this. - - tail -f no longer mishandles pipes and fifos. With no operands, - tail now ignores -f if standard input is a pipe, as POSIX requires. - - For some types of errors (e.g., read-only file system, I/O error) - when first encountering a directory, `rm -r' would mistakenly fail - to remove files under that directory. - - If d/x is a directory and x a file, "ln x d/" now reports an error - instead of incorrectly creating a link to d/x/x. - - Fixes for "nice": - - If it fails to lower the nice value due to lack of permissions, - it goes ahead and runs the command anyway, as POSIX requires. - - It no longer incorrectly reports an error if the current nice - value happens to be -1. - - It no longer assumes that nice values range from -20 through 19. - - It now consistently adjusts out-of-range nice values to the - closest values in range; formerly it sometimes reported an error. - - ptx now diagnoses invalid values for its --width=N (-w) - and --gap-size=N (-g) options. - - tee now exits when it gets a SIGPIPE signal, as POSIX requires. - To get tee's old behavior, use the shell command "(trap '' PIPE; tee)". - Also, "tee -" now writes to standard output instead of to a file named "-". - - ls no longer segfaults on systems for which SIZE_MAX != (size_t) -1 - - echo now conforms to POSIX better. It supports the \0ooo syntax for - octal escapes, and \c now terminates printing immediately. If - POSIXLY_CORRECT is set and the first argument is not "-n", echo now - outputs all option-like arguments instead of treating them as options. - - printf has several changes: - - It now uses 'intmax_t' (not 'long int') to format integers, so it - can now format 64-bit integers on most modern hosts. - - On modern hosts it now supports the C99-inspired %a, %A, %F conversion - specs, the "'" and "0" flags, and the ll, j, t, and z length modifiers - (this is compatible with recent Bash versions). - - The printf command now rejects invalid conversion specifications - like %#d, instead of relying on undefined behavior in the underlying - printf function. - - who now prints user names in full instead of truncating them after 8 bytes. - -** New features - - For efficiency, `sort -m' no longer copies input to a temporary file - merely because the input happens to come from a pipe. As a result, - some relatively-contrived examples like `cat F | sort -m -o F - G' - are no longer safe, as `sort' might start writing F before `cat' is - done reading it. This problem cannot occur unless `-m' is used. - - When outside the default POSIX locale, the 'who' and 'pinky' - commands now output time stamps like "2004-06-21 13:09" instead of - the traditional "Jun 21 13:09". - - pwd now works even when run from a working directory whose name - is longer than PATH_MAX. - - cp, install, ln, and mv have a new --no-target-directory (-T) option, - and -t is now a short name for their --target-directory option. - - cp -pu and mv -u (when copying) now don't bother to update the - destination if the resulting time stamp would be no newer than the - preexisting time stamp. This saves work in the common case when - copying or moving multiple times to the same destination in a file - system with a coarse time stamp resolution. - - dd has new conversions for the conv= option: - - nocreat do not create the output file - excl fail if the output file already exists - fdatasync physically write output file data before finishing - fsync likewise, but also write metadata - - dd has new iflag= and oflag= options with the following flags: - - append append mode (makes sense for output file only) - direct use direct I/O for data - dsync use synchronized I/O for data - sync likewise, but also for metadata - nonblock use non-blocking I/O - nofollow do not follow symlinks - - stty now provides support (iutf8) for setting UTF-8 input mode. - - With stat, a specified format is no longer automatically newline terminated. - If you want a newline at the end of your output, append `\n' to the format - string. - - 'df', 'du', and 'ls' now take the default block size from the - BLOCKSIZE environment variable if the BLOCK_SIZE, DF_BLOCK_SIZE, - DU_BLOCK_SIZE, and LS_BLOCK_SIZE environment variables are not set. - Unlike the other variables, though, BLOCKSIZE does not affect - values like 'ls -l' sizes that are normally displayed as bytes. - This new behavior is for compatibility with BSD. - - du accepts a new option --files0-from=FILE, where FILE contains a - list of NUL-terminated file names. - - `date -d' and `touch -d' now accept integer counts of seconds since - 1970 when prefixed by `@'. For example, `@321' represents - 1970-01-01 00:05:21 UTC. - - `date -d', `date -f' and `touch -d' now handle fractional time - stamps like 2004-02-27 14:19:13.489392193. - - `date' has a new option --iso-8601=ns that outputs - nanosecond-resolution time stamps. - - echo -e '\xHH' now outputs a byte whose hexadecimal value is HH, - for compatibility with bash. - - In the following cases POSIX allows the default GNU behavior, - so when POSIXLY_CORRECT is set: - - false, printf, true, unlink, and yes all support --help and --option. - ls supports TABSIZE. - pr no longer depends on LC_TIME for the date format in non-POSIX locales. - printf supports \u, \U, \x. - tail supports two or more files when using the obsolete option syntax. - - The usual `--' operand is now supported by chroot, hostid, hostname, - pwd, sync, and yes. - - The stat option --filesystem has been renamed to --file-system, for - consistency with POSIX "file system" and with cp and du --one-file-system. - -** Removed features - - tail's undocumented --max-consecutive-size-changes option has been removed. - -* Major changes in release 5.2.1 (2004-03-12) [stable] - -** Bug fixes - - mv could mistakenly fail to preserve hard links when moving two - or more arguments between partitions. - - `cp --sparse=always F /dev/hdx' no longer tries to use lseek to create - holes in the destination. - - nohup now sets the close-on-exec flag for its copy of the stderr file - descriptor. This avoids some nohup-induced hangs. For example, before - this change, if you ran `ssh localhost', then `nohup sleep 600 </dev/null &', - and then exited that remote shell, the ssh session would hang until the - 10-minute sleep terminated. With the fixed nohup, the ssh session - terminates immediately. - - `expr' now conforms to POSIX better: - - Integers like -0 and 00 are now treated as zero. - - The `|' operator now returns 0, not its first argument, if both - arguments are null or zero. E.g., `expr "" \| ""' now returns 0, - not the empty string. - - The `|' and `&' operators now use short-circuit evaluation, e.g., - `expr 1 \| 1 / 0' no longer reports a division by zero. - -** New features - - `chown user.group file' now has its traditional meaning even when - conforming to POSIX 1003.1-2001, so long as no user has a name - containing `.' that happens to equal `user.group'. - - -* Major changes in release 5.2.0 (2004-02-19) [stable] - -** Bug fixes - - none - - -* Major changes in release 5.1.3 (2004-02-08): candidate to become stable 5.2.0 - -** Bug fixes - - `cp -d' now works as required even on systems like OSF V5.1 that - declare stat and lstat as `static inline' functions. - - time stamps output by stat now include actual fractional seconds, - when available -- or .0000000 for files without that information. - - seq no longer infloops when printing 2^31 or more numbers. - For reference, seq `echo 2^31|bc` > /dev/null takes about one hour - on a 1.6 GHz Athlon 2000 XP. Now it can output 2^53-1 numbers before - misbehaving. - -* Major changes in release 5.1.2 (2004-01-25): - -** Bug fixes - - rmdir -p exits with status 1 on error; formerly it sometimes exited - with status 0 when given more than one argument. - - nohup now always exits with status 127 when it finds an error, - as POSIX requires; formerly it sometimes exited with status 1. - - Several programs (including cut, date, dd, env, hostname, nl, pr, - stty, and tr) now always exit with status 1 when they find an error; - formerly they sometimes exited with status 2. - - factor no longer reports a usage error if stdin has the wrong format. - - paste no longer infloops on ppc systems (bug introduced in 5.1.1) - - -* Major changes in release 5.1.1 (2004-01-17): - -** Configuration option - - You can select the default level of POSIX conformance at configure-time, - e.g., by ./configure DEFAULT_POSIX2_VERSION=199209 - -** Bug fixes - - fold -s works once again on systems with differing sizes for int - and size_t (bug introduced in 5.1.0) - -** New features - - touch -r now specifies the origin for any relative times in the -d - operand, if both options are given. For example, "touch -r FOO -d - '-5 seconds' BAR" sets BAR's modification time to be five seconds - before FOO's. - - join: The obsolete options "-j1 FIELD", "-j2 FIELD", and - "-o LIST1 LIST2..." are no longer supported on POSIX 1003.1-2001 systems. - Portable scripts should use "-1 FIELD", "-2 FIELD", and - "-o LIST1,LIST2..." respectively. If join was compiled on a - POSIX 1003.1-2001 system, you may enable the old behavior - by setting _POSIX2_VERSION=199209 in your environment. - - -* Major changes in release 5.1.0 (2003-12-21): - -** New features - - chgrp, chmod, and chown can now process (with -R) hierarchies of virtually - unlimited depth. Before, they would fail to operate on any file they - encountered with a relative name of length PATH_MAX (often 4096) or longer. - - chgrp, chmod, chown, and rm accept the new options: - --preserve-root, --no-preserve-root (default) - - chgrp and chown now accept POSIX-mandated -L, -H, and -P options - - du can now process hierarchies of virtually unlimited depth. - Before, du was limited by the user's stack size and it would get a - stack overflow error (often a segmentation fault) when applied to - a hierarchy of depth around 30,000 or larger. - - du works even when run from an inaccessible directory - - du -D now dereferences all symlinks specified on the command line, - not just the ones that reference directories - - du now accepts -P (--no-dereference), for compatibility with du - of NetBSD and for consistency with e.g., chown and chgrp - - du's -H option will soon have the meaning required by POSIX - (--dereference-args, aka -D) rather then the current meaning of --si. - Now, using -H elicits a warning to that effect. - - When given -l and similar options, ls now adjusts the output column - widths to fit the data, so that output lines are shorter and have - columns that line up better. This may adversely affect shell - scripts that expect fixed-width columns, but such shell scripts were - not portable anyway, even with old GNU ls where the columns became - ragged when a datum was too wide. - - du accepts a new option, -0/--null, to make it produce NUL-terminated - output lines - -** Bug fixes - - printf, seq, tail, and sleep now parse floating-point operands - and options in the C locale. POSIX requires this for printf. - - od -c -w9999999 no longer segfaults - - csplit no longer reads from freed memory (dumping core on some systems) - - csplit would mistakenly exhaust virtual memory in some cases - - ls --width=N (for very large N) is no longer subject to an address - arithmetic bug that could result in bounds violations. - - ls --width=N (with -x or -C) no longer allocates more space - (potentially much more) than necessary for a given directory. - - dd `unblock' and `sync' may now be combined (e.g., dd conv=unblock,sync) - -* Major changes in release 5.0.91 (2003-09-08): - -** New features - - date accepts a new option --rfc-2822, an alias for --rfc-822. - - split accepts a new option -d or --numeric-suffixes. - - cp, install, mv, and touch now preserve microsecond resolution on - file timestamps, on platforms that have the 'utimes' system call. - Unfortunately there is no system call yet to preserve file - timestamps to their full nanosecond resolution; microsecond - resolution is the best we can do right now. - - sort now supports the zero byte (NUL) as a field separator; use -t '\0'. - The -t '' option, which formerly had no effect, is now an error. - - sort option order no longer matters for the options -S, -d, -i, -o, and -t. - Stronger options override weaker, and incompatible options are diagnosed. - - `sha1sum --check' now accepts the BSD format for SHA1 message digests - in addition to the BSD format for MD5 ones. - - who -l now means `who --login', not `who --lookup', per POSIX. - who's -l option has been eliciting an unconditional warning about - this impending change since sh-utils-2.0.12 (April 2002). - -** Bug fixes - - Mistakenly renaming a file onto itself, e.g., via `mv B b' when `B' is - the same directory entry as `b' no longer destroys the directory entry - referenced by both `b' and `B'. Note that this would happen only on - file systems like VFAT where two different names may refer to the same - directory entry, usually due to lower->upper case mapping of file names. - Now, the above can happen only on file systems that perform name mapping and - that support hard links (stat.st_nlink > 1). This mitigates the problem - in two ways: few file systems appear to be affected (hpfs and ntfs are), - when the bug is triggered, mv no longer removes the last hard link to a file. - *** ATTENTION ***: if you know how to distinguish the following two cases - without writing to the file system in question, please let me know: - 1) B and b refer to the same directory entry on a file system like NTFS - (B may well have a link count larger than 1) - 2) B and b are hard links to the same file - - stat no longer overruns a buffer for format strings ending in `%' - - fold -s -wN would infloop for N < 8 with TABs in the input. - E.g., this would not terminate: printf 'a\t' | fold -w2 -s - - `split -a0', although of questionable utility, is accepted once again. - - `df DIR' used to hang under some conditions on OSF/1 5.1. Now it doesn't. - - seq's --width (-w) option now works properly even when the endpoint - requiring the larger width is negative and smaller than the other endpoint. - - seq's default step is 1, even if LAST < FIRST. - - paste no longer mistakenly outputs 0xFF bytes for a nonempty input file - without a trailing newline. - - `tail -n0 -f FILE' and `tail -c0 -f FILE' no longer perform what amounted - to a busy wait, rather than sleeping between iterations. - - tail's long-undocumented --allow-missing option now elicits a warning - - -* Major changes in release 5.0.90 (2003-07-29): - -** New features - - sort is now up to 30% more CPU-efficient in some cases - - `test' is now more compatible with Bash and POSIX: - - `test -t', `test --help', and `test --version' now silently exit - with status 0. To test whether standard output is a terminal, use - `test -t 1'. To get help and version info for `test', use - `[ --help' and `[ --version'. - - `test' now exits with status 2 (not 1) if there is an error. - - wc count field widths now are heuristically adjusted depending on the input - size, if known. If only one count is printed, it is guaranteed to - be printed without leading spaces. - - Previously, wc did not align the count fields if POSIXLY_CORRECT was set, - but POSIX did not actually require this undesirable behavior, so it - has been removed. - -** Bug fixes - - kill no longer tries to operate on argv[0] (introduced in 5.0.1) - Why wasn't this noticed? Although many tests use kill, none of - them made an effort to avoid using the shell's built-in kill. - - `[' invoked with no arguments no longer evokes a segfault - - rm without --recursive (aka -r or -R) no longer prompts regarding - unwritable directories, as required by POSIX. - - uniq -c now uses a SPACE, not a TAB between the count and the - corresponding line, as required by POSIX. - - expr now exits with status 2 if the expression is syntactically valid, - and with status 3 if an error occurred. POSIX requires this. - - expr now reports trouble if string comparison fails due to a collation error. - - split now generates suffixes properly on EBCDIC hosts. - - split -a0 now works, as POSIX requires. - - `sort --version' and `sort --help' fail, as they should - when their output is redirected to /dev/full. - - `su --version > /dev/full' now fails, as it should. - -** Fewer arbitrary limitations - - cut requires 97% less memory when very large field numbers or - byte offsets are specified. - - -* Major changes in release 5.0.1 (2003-07-15): - -** New programs -- new program: `[' (much like `test') - -** New features -- head now accepts --lines=-N (--bytes=-N) to print all but the - N lines (bytes) at the end of the file -- md5sum --check now accepts the output of the BSD md5sum program, e.g., - MD5 (f) = d41d8cd98f00b204e9800998ecf8427e -- date -d DATE can now parse a DATE string like May-23-2003 -- chown: `.' is no longer recognized as a separator in the OWNER:GROUP - specifier on POSIX 1003.1-2001 systems. If chown *was not* compiled - on such a system, then it still accepts `.', by default. If chown - was compiled on a POSIX 1003.1-2001 system, then you may enable the - old behavior by setting _POSIX2_VERSION=199209 in your environment. -- chown no longer tries to preserve set-user-ID and set-group-ID bits; - on some systems, the chown syscall resets those bits, and previous - versions of the chown command would call chmod to restore the original, - pre-chown(2) settings, but that behavior is problematic. - 1) There was a window whereby a malicious user, M, could subvert a - chown command run by some other user and operating on files in a - directory where M has write access. - 2) Before (and even now, on systems with chown(2) that doesn't reset - those bits), an unwary admin. could use chown unwittingly to create e.g., - a set-user-ID root copy of /bin/sh. - -** Bug fixes -- chown --dereference no longer leaks a file descriptor per symlink processed -- `du /' once again prints the `/' on the last line -- split's --verbose option works once again [broken in 4.5.10 and 5.0] -- tail -f is no longer subject to a race condition that could make it - delay displaying the last part of a file that had stopped growing. That - bug could also make tail -f give an unwarranted `file truncated' warning. -- du no longer runs out of file descriptors unnecessarily -- df and `readlink --canonicalize' no longer corrupt the heap on - non-glibc, non-solaris systems -- `env -u UNSET_VARIABLE' no longer dumps core on non-glibc systems -- readlink's --canonicalize option now works on systems like Solaris that - lack the canonicalize_file_name function but do have resolvepath. -- mv now removes `a' in this example on all systems: touch a; ln a b; mv a b - This behavior is contrary to POSIX (which requires that the mv command do - nothing and exit successfully), but I suspect POSIX will change. -- date's %r format directive now honors locale settings -- date's `-' (no-pad) format flag now affects the space-padded-by-default - conversion specifiers, %e, %k, %l -- fmt now diagnoses invalid obsolescent width specifications like `-72x' -- fmt now exits nonzero when unable to open an input file -- tsort now fails when given an odd number of input tokens, - as required by POSIX. Before, it would act as if the final token - appeared one additional time. - -** Fewer arbitrary limitations -- tail's byte and line counts are no longer limited to OFF_T_MAX. - Now the limit is UINTMAX_MAX (usually 2^64). -- split can now handle --bytes=N and --lines=N with N=2^31 or more. - -** Portability -- `kill -t' now prints signal descriptions (rather than `?') on systems - like Tru64 with __sys_siglist but no strsignal function. -- stat.c now compiles on Ultrix systems -- sleep now works on AIX systems that lack support for clock_gettime -- rm now works around Darwin6.5's broken readdir function - Before `rm -rf DIR' would fail to remove all files in DIR - if there were more than 338. - -* Major changes in release 5.0 (2003-04-02): -- false --help now exits nonzero - -[4.5.12] -* printf no longer treats \x specially when POSIXLY_CORRECT is set -* printf avoids buffer overrun with format ending in a backslash and -* printf avoids buffer overrun with incomplete conversion specifier -* printf accepts multiple flags in a single conversion specifier - -[4.5.11] -* seq no longer requires that a field width be specified -* seq no longer fails when given a field width of `0' -* seq now accepts ` ' and `'' as valid format flag characters -* df now shows a HOSTNAME: prefix for each remote-mounted file system on AIX 5.1 -* portability tweaks for HP-UX, AIX 5.1, DJGPP - -[4.5.10] -* printf no longer segfaults for a negative field width or precision -* shred now always enables --exact for non-regular files -* du no longer lists hard-linked files more than once -* du no longer dumps core on some systems due to `infinite' recursion - via nftw's use of the buggy replacement function in getcwd.c -* portability patches for a few vendor compilers and 64-bit systems -* du -S *really* now works like it did before the change in 4.5.5 - -[4.5.9] -* du no longer truncates file sizes or sums to fit in 32-bit size_t -* work around Linux kernel bug in getcwd (fixed in 2.4.21-pre4), so that pwd - now fails if the name of the working directory is so long that getcwd - truncates it. Before it would print the truncated name and exit successfully. -* `df /some/mount-point' no longer hangs on a GNU libc system when another - hard-mounted NFS file system (preceding /some/mount-point in /proc/mounts) - is inaccessible. -* rm -rf now gives an accurate diagnostic when failing to remove a file - under certain unusual conditions -* mv and `cp --preserve=links' now preserve multiple hard links even under - certain unusual conditions where they used to fail - -[4.5.8] -* du -S once again works like it did before the change in 4.5.5 -* stat accepts a new file format, %B, for the size of each block reported by %b -* du accepts new option: --apparent-size -* du --bytes (-b) works the same way it did in fileutils-3.16 and before -* du reports proper sizes for directories (not zero) (broken in 4.5.6 or 4.5.7) -* df now always displays under `Filesystem', the device file name - corresponding to the listed mount point. Before, for a block- or character- - special file command line argument, df would display that argument. E.g., - `df /dev/hda' would list `/dev/hda' as the `Filesystem', rather than say - /dev/hda3 (the device on which `/' is mounted), as it does now. -* test now works properly when invoked from a set user ID or set group ID - context and when testing access to files subject to alternate protection - mechanisms. For example, without this change, a set-UID program that invoked - `test -w F' (to see if F is writable) could mistakenly report that it *was* - writable, even though F was on a read-only file system, or F had an ACL - prohibiting write access, or F was marked as immutable. - -[4.5.7] -* du would fail with more than one DIR argument when any but the last did not - contain a slash (due to a bug in ftw.c) - -[4.5.6] -* du no longer segfaults on Solaris systems (fixed heap-corrupting bug in ftw.c) -* du --exclude=FILE works once again (this was broken by the rewrite for 4.5.5) -* du no longer gets a failed assertion for certain hierarchy lay-outs - involving hard-linked directories -* `who -r' no longer segfaults when using non-C-locale messages -* df now displays a mount point (usually `/') for non-mounted - character-special and block files - -[4.5.5] -* ls --dired produces correct byte offset for file names containing - nonprintable characters in a multibyte locale -* du has been rewritten to use a variant of GNU libc's ftw.c -* du now counts the space associated with a directory's directory entry, - even if it cannot list or chdir into that subdirectory. -* du -S now includes the st_size of each entry corresponding to a subdirectory -* rm on FreeBSD can once again remove directories from NFS-mounted file systems -* ls has a new option --dereference-command-line-symlink-to-dir, which - corresponds to the new default behavior when none of -d, -l -F, -H, -L - has been specified. -* ls dangling-symlink now prints `dangling-symlink'. - Before, it would fail with `no such file or directory'. -* ls -s symlink-to-non-dir and ls -i symlink-to-non-dir now print - attributes of `symlink', rather than attributes of their referents. -* Fix a bug introduced in 4.5.4 that made it so that ls --color would no - longer highlight the names of files with the execute bit set when not - specified on the command line. -* shred's --zero (-z) option no longer gobbles up any following argument. - Before, `shred --zero file' would produce `shred: missing file argument', - and worse, `shred --zero f1 f2 ...' would appear to work, but would leave - the first file untouched. -* readlink: new program -* cut: new feature: when used to select ranges of byte offsets (as opposed - to ranges of fields) and when --output-delimiter=STRING is specified, - output STRING between ranges of selected bytes. -* rm -r can no longer be tricked into mistakenly reporting a cycle. -* when rm detects a directory cycle, it no longer aborts the entire command, - but rather merely stops processing the affected command line argument. - -[4.5.4] -* cp no longer fails to parse options like this: --preserve=mode,ownership -* `ls --color -F symlink-to-dir' works properly -* ls is much more efficient on directories with valid dirent.d_type. -* stty supports all baud rates defined in linux-2.4.19. -* `du symlink-to-dir/' would improperly remove the trailing slash -* `du ""' would evoke a bounds violation. -* In the unlikely event that running `du /' resulted in `stat ("/", ...)' - failing, du would give a diagnostic about `' (empty string) rather than `/'. -* printf: a hexadecimal escape sequence has at most two hex. digits, not three. -* The following features have been added to the --block-size option - and similar environment variables of df, du, and ls. - - A leading "'" generates numbers with thousands separators. - For example: - $ ls -l --block-size="'1" file - -rw-rw-r-- 1 eggert src 47,483,707 Sep 24 23:40 file - - A size suffix without a leading integer generates a suffix in the output. - For example: - $ ls -l --block-size="K" - -rw-rw-r-- 1 eggert src 46371K Sep 24 23:40 file -* ls's --block-size option now affects file sizes in all cases, not - just for --block-size=human-readable and --block-size=si. Fractional - sizes are now always rounded up, for consistency with df and du. -* df now displays the block size using powers of 1000 if the requested - block size seems to be a multiple of a power of 1000. -* nl no longer gets a segfault when run like this `yes|nl -s%n' - -[4.5.3] -* du --dereference-args (-D) no longer fails in certain cases -* `ln --target-dir=DIR' no longer fails when given a single argument - -[4.5.2] -* `rm -i dir' (without --recursive (-r)) no longer recurses into dir -* `tail -c N FILE' now works with files of size >= 4GB -* `mkdir -p' can now create very deep (e.g. 40,000-component) directories -* rmdir -p dir-with-trailing-slash/ no longer fails -* printf now honors the `--' command line delimiter -* od's 8-byte formats x8, o8, and u8 now work -* tail now accepts fractional seconds for its --sleep-interval=S (-s) option - -[4.5.1] -* du and ls now report sizes of symbolic links (before they'd always report 0) -* uniq now obeys the LC_COLLATE locale, as per POSIX 1003.1-2001 TC1. - -======================================================================== -Here are the NEWS entries made from fileutils-4.1 until the -point at which the packages merged to form the coreutils: - -[4.1.11] -* `rm symlink-to-unwritable' doesn't prompt [introduced in 4.1.10] -[4.1.10] -* rm once again gives a reasonable diagnostic when failing to remove a file - owned by someone else in a sticky directory [introduced in 4.1.9] -* df now rounds all quantities up, as per POSIX. -* New ls time style: long-iso, which generates YYYY-MM-DD HH:MM. -* Any time style can be preceded by "posix-"; this causes "ls" to - use traditional timestamp format when in the POSIX locale. -* The default time style is now posix-long-iso instead of posix-iso. - Set TIME_STYLE="posix-iso" to revert to the behavior of 4.1.1 thru 4.1.9. -* `rm dangling-symlink' doesn't prompt [introduced in 4.1.9] -* stat: remove support for --secure/-s option and related %S and %C format specs -* stat: rename --link/-l to --dereference/-L. - The old options will continue to work for a while. -[4.1.9] -* rm can now remove very deep hierarchies, in spite of any limit on stack size -* new programs: link, unlink, and stat -* New ls option: --author (for the Hurd). -* `touch -c no-such-file' no longer fails, per POSIX -[4.1.8] -* mv no longer mistakenly creates links to preexisting destination files - that aren't moved -[4.1.7] -* rm: close a hole that would allow a running rm process to be subverted -[4.1.6] -* New cp option: --copy-contents. -* cp -r is now equivalent to cp -R. Use cp -R -L --copy-contents to get the - traditional (and rarely desirable) cp -r behavior. -* ls now accepts --time-style=+FORMAT, where +FORMAT works like date's format -* The obsolete usage `touch [-acm] MMDDhhmm[YY] FILE...' is no longer - supported on systems conforming to POSIX 1003.1-2001. Use touch -t instead. -* cp and inter-partition mv no longer give a misleading diagnostic in some - unusual cases -[4.1.5] -* cp -r no longer preserves symlinks -* The block size notation is now compatible with SI and with IEC 60027-2. - For example, --block-size=1MB now means --block-size=1000000, - whereas --block-size=1MiB now means --block-size=1048576. - A missing `B' (e.g. `1M') has the same meaning as before. - A trailing `B' now means decimal, not binary; this is a silent change. - The nonstandard `D' suffix (e.g. `1MD') is now obsolescent. -* -H or --si now outputs the trailing 'B', for consistency with the above. -* Programs now output trailing 'K' (not 'k') to mean 1024, as per IEC 60027-2. -* New df, du short option -B is short for --block-size. -* You can omit an integer `1' before a block size suffix, - e.g. `df -BG' is equivalent to `df -B 1G' and to `df --block-size=1G'. -* The following options are now obsolescent, as their names are - incompatible with IEC 60027-2: - df, du: -m or --megabytes (use -BM or --block-size=1M) - df, du, ls: --kilobytes (use --block-size=1K) -[4.1.4] -* df --local no longer lists smbfs file systems whose name starts with // -* dd now detects the Linux/tape/lseek bug at run time and warns about it. -[4.1.3] -* ls -R once again outputs a blank line between per-directory groups of files. - This was broken by the cycle-detection change in 4.1.1. -* dd once again uses `lseek' on character devices like /dev/mem and /dev/kmem. - On systems with the linux kernel (at least up to 2.4.16), dd must still - resort to emulating `skip=N' behavior using reads on tape devices, because - lseek has no effect, yet appears to succeed. This may be a kernel bug. -[4.1.2] -* cp no longer fails when two or more source files are the same; - now it just gives a warning and doesn't copy the file the second time. - E.g., cp a a d/ produces this: - cp: warning: source file `a' specified more than once -* chmod would set the wrong bit when given symbolic mode strings like - these: g=o, o=g, o=u. E.g., `chmod a=,o=w,ug=o f' would give a mode - of --w-r---w- rather than --w--w--w-. -[4.1.1] -* mv (likewise for cp), now fails rather than silently clobbering one of - the source files in the following example: - rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c -* ls -R detects directory cycles, per POSIX. It warns and doesn't infloop. -* cp's -P option now means the same as --no-dereference, per POSIX. - Use --parents to get the old meaning. -* When copying with the -H and -L options, cp can preserve logical - links between source files with --preserve=links -* cp accepts new options: - --preserve[={mode,ownership,timestamps,links,all}] - --no-preserve={mode,ownership,timestamps,links,all} -* cp's -p and --preserve options remain unchanged and are equivalent - to `--preserve=mode,ownership,timestamps' -* mv and cp accept a new option: --reply={yes,no,query}; provides a consistent - mechanism to control whether one is prompted about certain existing - destination files. Note that cp's and mv's -f options don't have the - same meaning: cp's -f option no longer merely turns off `-i'. -* remove portability limitations (e.g., PATH_MAX on the Hurd, fixes for - 64-bit systems) -* mv now prompts before overwriting an existing, unwritable destination file - when stdin is a tty, unless --force (-f) is specified, as per POSIX. -* mv: fix the bug whereby `mv -uf source dest' would delete source, - even though it's older than dest. -* chown's --from=CURRENT_OWNER:CURRENT_GROUP option now works -* cp now ensures that the set-user-ID and set-group-ID bits are cleared for - the destination file when when copying and not preserving permissions. -* `ln -f --backup k k' gives a clearer diagnostic -* ls no longer truncates user names or group names that are longer - than 8 characters. -* ls's new --dereference-command-line option causes it to dereference - symbolic links on the command-line only. It is the default unless - one of the -d, -F, or -l options are given. -* ls -H now means the same as ls --dereference-command-line, as per POSIX. -* ls -g now acts like ls -l, except it does not display owner, as per POSIX. -* ls -n now implies -l, as per POSIX. -* ls can now display dates and times in one of four time styles: - - - The `full-iso' time style gives full ISO-style time stamps like - `2001-05-14 23:45:56.477817180 -0700'. - - The 'iso' time style gives ISO-style time stamps like '2001-05-14 ' - and '05-14 23:45'. - - The 'locale' time style gives locale-dependent time stamps like - 'touko 14 2001' and 'touko 14 23:45' (in a Finnish locale). - - The 'posix-iso' time style gives traditional POSIX-locale - time stamps like 'May 14 2001' and 'May 14 23:45' unless the user - specifies a non-POSIX locale, in which case it uses ISO-style dates. - This is the default. - - You can specify a time style with an option like --time-style='iso' - or with an environment variable like TIME_STYLE='iso'. GNU Emacs 21 - and later can parse ISO dates, but older Emacs versions cannot, so - if you are using an older version of Emacs outside the default POSIX - locale, you may need to set TIME_STYLE="locale". - -* --full-time is now an alias for "-l --time-style=full-iso". - - -======================================================================== -Here are the NEWS entries made from sh-utils-2.0 until the -point at which the packages merged to form the coreutils: - - [2.0.15] -* date no longer accepts e.g., September 31 in the MMDDhhmm syntax -* fix a bug in this package's .m4 files and in configure.ac - [2.0.14] -* nohup's behavior is changed as follows, to conform to POSIX 1003.1-2001: - - nohup no longer adjusts scheduling priority; use "nice" for that. - - nohup now redirects stderr to stdout, if stderr is not a terminal. - - nohup exit status is now 126 if command was found but not invoked, - 127 if nohup failed or if command was not found. - [2.0.13] -* uname and uptime work better on *BSD systems -* pathchk now exits nonzero for a path with a directory component - that specifies a non-directory - [2.0.12] -* kill: new program -* who accepts new options: --all (-a), --boot (-b), --dead (-d), --login, - --process (-p), --runlevel (-r), --short (-s), --time (-t), --users (-u). - The -u option now produces POSIX-specified results and is the same as - the long option `--users'. --idle is no longer the same as -u. -* The following changes apply on systems conforming to POSIX 1003.1-2001, - and are required by the new POSIX standard: - - `date -I' is no longer supported. Instead, use `date --iso-8601'. - - `nice -NUM' is no longer supported. Instead, use `nice -n NUM'. -* New 'uname' options -i or --hardware-platform, and -o or --operating-system. - 'uname -a' now outputs -i and -o information at the end. - New uname option --kernel-version is an alias for -v. - Uname option --release has been renamed to --kernel-release, - and --sysname has been renamed to --kernel-name; - the old options will work for a while, but are no longer documented. -* 'expr' now uses the LC_COLLATE locale for string comparison, as per POSIX. -* 'expr' now requires '+' rather than 'quote' to quote tokens; - this removes an incompatibility with POSIX. -* date -d 'last friday' would print a date/time that was one hour off - (e.g., 23:00 on *thursday* rather than 00:00 of the preceding friday) - when run such that the current time and the target date/time fall on - opposite sides of a daylight savings time transition. - This problem arose only with relative date strings like `last monday'. - It was not a problem with strings that include absolute dates. -* factor is twice as fast, for large numbers - [2.0.11] -* setting the date now works properly, even when using -u -* `date -f - < /dev/null' no longer dumps core -* some DOS/Windows portability changes - [2.0j] -* `date -d DATE' now parses certain relative DATEs correctly - [2.0i] -* fixed a bug introduced in 2.0h that made many programs fail with a - `write error' when invoked with the --version option - [2.0h] -* all programs fail when printing --help or --version output to a full device -* printf exits nonzero upon write failure -* yes now detects and terminates upon write failure -* date --rfc-822 now always emits day and month names from the `C' locale -* portability tweaks for Solaris8, Ultrix, and DOS - [2.0g] -* date now handles two-digit years with leading zeros correctly. -* printf interprets unicode, \uNNNN \UNNNNNNNN, on systems with the - required support; from Bruno Haible. -* stty's rprnt attribute now works on HPUX 10.20 -* seq's --equal-width option works more portably - [2.0f] -* fix build problems with ut_name vs. ut_user - [2.0e] -* stty: fix long-standing bug that caused test failures on at least HPUX - systems when COLUMNS was set to zero -* still more portability fixes -* unified lib/: now that directory and most of the configuration framework - is common between fileutils, textutils, and sh-utils - [2.0d] -* fix portability problem with sleep vs lib/strtod.c's requirement for -lm - [2.0c] -* fix portability problems with nanosleep.c and with the new code in sleep.c - [2.0b] -* Regenerate lib/Makefile.in so that nanosleep.c is distributed. - [2.0a] -* sleep accepts floating point arguments on command line -* sleep's clock continues counting down when sleep is suspended -* when a suspended sleep process is resumed, it continues sleeping if - there is any time remaining -* who once again prints whatever host information it has, even without --lookup - -======================================================================== -For older NEWS entries for the fileutils, textutils, and sh-utils -packages, see ./old/*/NEWS. - - This package began as the union of the following: - textutils-2.1, fileutils-4.1.11, sh-utils-2.0.15. diff --git a/contrib/gnu-sort/README b/contrib/gnu-sort/README deleted file mode 100644 index df35be4..0000000 --- a/contrib/gnu-sort/README +++ /dev/null @@ -1,147 +0,0 @@ -These are the GNU core utilities. This package is the union of -the GNU fileutils, sh-utils, and textutils packages. - -Most of these programs have significant advantages over their Unix -counterparts, such as greater speed, additional options, and fewer -arbitrary limits. - -The programs that can be built with this package are: - - [ basename cat chgrp chmod chown chroot cksum comm cp csplit cut date dd - df dir dircolors dirname du echo env expand expr factor false fmt fold - ginstall groups head hostid hostname id join kill link ln logname ls - md5sum mkdir mkfifo mknod mv nice nl nohup od paste pathchk pinky pr - printenv printf ptx pwd readlink rm rmdir seq sha1sum shred sleep sort - split stat stty su sum sync tac tail tee test touch tr true tsort tty - uname unexpand uniq unlink uptime users vdir wc who whoami yes - -See the file NEWS for a list of major changes in the current release. - -See the file INSTALL for compilation and installation instructions. - -These programs are intended to conform to POSIX (with BSD and other -extensions), like the rest of the GNU system. By default they conform -to older POSIX (1003.2-1992), and therefore support obsolete usages -like "head -10" and "chown owner.group file". This default is -overridden at build-time by the value of <unistd.h>'s _POSIX2_VERSION -macro, and this in turn can be overridden at runtime as described in -the documentation under "Standards conformance". - -The ls, dir, and vdir commands are all separate executables instead of -one program that checks argv[0] because people often rename these -programs to things like gls, gnuls, l, etc. Renaming a program -file shouldn't affect how it operates, so that people can get the -behavior they want with whatever name they want. - -Special thanks to Paul Eggert, Brian Matthews, Bruce Evans, Karl Berry, -Kaveh Ghazi, and François Pinard for help with debugging and porting -these programs. Many thanks to all of the people who have taken the -time to submit problem reports and fixes. All contributed changes are -attributed in the ChangeLog file. - -And thanks to the following people who have provided accounts for -portability testing on many different types of systems: Bob Proulx, -Christian Robert, François Pinard, Greg McGary, Harlan Stenn, -Joel N. Weber, Mark D. Roth, Matt Schalit, Nelson H. F. Beebe, -Réjean Payette, Sam Tardieu. - -Thanks to Michael Stone for inflicting test releases of the fileutils -on Debian's unstable distribution, and to all the kind folks who used -that distribution and found and reported bugs. - -Note that each man page is now automatically generated from a template -and from the corresponding --help usage message. Patches to the template -files (man/*.x) are welcome. However, the authoritative documentation -is in texinfo form in the doc directory. - -If you run the tests on a SunOS4.1.4 system, expect the ctime-part of -the ls `time-1' test to fail. I believe that is due to a bug in the -way Sun implemented link(2) and chmod(2). - -*************************************** -Last-minute notes, before coreutils-5.0 ---------------------------------------- - -A known problem exists when compiling on HPUX on both hppa and ia64 -in 64-bit mode (i.e. +DD64) on all known HPUX 11.x versions. This -is not due to a bug in the package but instead due to a bug in the -system header file which breaks things in 64-bit mode. The default -compilation mode is 32-bit and the software compiles fine using the -default mode. To build this software in 64-bit mode you will need -to fix the system /usr/include/inttypes.h header file. After -correcting that file the software also compiles fine in 64-bit mode. -Here is one possible patch to correct the problem. - ---- /usr/include/inttypes.h.orig Thu May 30 01:00:00 1996 -+++ /usr/include/inttypes.h Sun Mar 23 00:20:36 2003 -@@ -489 +489 @@ --#ifndef __STDC_32_MODE__ -+#ifndef __LP64__ - -If you run the tests as root, note that a few of them create files -and/or run programs as a non-root user, `nobody' by default. -If you want to use some other non-root username, specify it via -the NON_ROOT_USERNAME environment variable. Depending on the -permissions with which the working directories have been created, -using `nobody' may fail, because that user won't have the required -read and write access to the build and test directories. -I find that it is best to unpack and build as a non-privileged -user, and then to run the following command as that user in order -to run the privilege-requiring tests: - - sudo env NON_ROOT_USERNAME=$USER make check - -If you can run the tests as root, please do so and report any -problems. We get much less test coverage in that mode, and it's -arguably more important that these tools work well when run by -root than when run by less privileged users. - -*************************************** - -There are pretty many tests, but nowhere near as many as we need. -Additions and corrections are very welcome. - -If you see a problem that you've already reported, feel free to re-report -it -- it won't bother me to get a reminder. Besides, the more messages I -get regarding a particular problem the sooner it'll be fixed -- usually. -If you sent a complete patch and, after a couple weeks you haven't -received any acknowledgement, please ping us. A complete patch includes -a well-written ChangeLog entry, unified (diff -u format) diffs relative -to the most recent test release (or, better, relative to the latest -sources in the CVS repository), an explanation for why the patch is -necessary or useful, and if at all possible, enough information to -reproduce whatever problem prompted it. Plus, you'll earn lots of -karma if you include a test case to exercise any bug(s) you fix. -Instructions for checking out the latest source via CVS are here: - - http://savannah.gnu.org/cvs/?group=coreutils - - -If your patch adds a new feature, please try to get some sort of consensus -that it is a worthwhile change. One way to do that is to send mail to -bug-coreutils@gnu.org including as much description and justification -as you can. Based on the feedback that generates, you may be able to -convince us that it's worth adding. - - -WARNING: If you modify files like configure.in, m4/*.m4, aclocal.m4, -or any Makefile.am, then don't be surprised if what gets regenerated no -longer works. To make things work, you'll have to be using appropriate -versions of automake and autoconf. As for what versions are `appropriate', -use the versions of - - * autoconf specified via AC_PREREQ in m4/jm-macros.m4 - * automake specified via AM_INIT_AUTOMAKE in configure.ac - -Usually it's fine to use versions that are newer than those specified. - -These programs all recognize the `--version' option. When reporting -bugs, please include in the subject line both the package name/version -and the name of the program for which you found a problem. - -For general documentation on the coding and usage standards -this distribution follows, see the GNU Coding Standards, -http://www.gnu.org/prep/standards_toc.html. - -Mail suggestions and bug reports for these programs to -the address on the last line of --help output. diff --git a/contrib/gnu-sort/THANKS b/contrib/gnu-sort/THANKS deleted file mode 100644 index 44b7b02..0000000 --- a/contrib/gnu-sort/THANKS +++ /dev/null @@ -1,463 +0,0 @@ -These people have contributed to the GNU coreutils (formerly, the fileutils, -textutils, and/or sh-utils packages). Some have reported problems, others -have contributed improvements to the documentation, actual code, and even -complete programs. Those contributions are described in the ChangeLog -files. If your name has been left out, if you'd rather not be listed, -or if you'd prefer a different address be used, please send a note to -the bug-report mailing list (as seen on last line of e.g., cp --help). - -??? kytek@cybercomm.net -A Costa agcosta@gis.net -Achim Blumensath blume@corona.oche.de -Adam Klein aklein@debian.org -Akim Demaille demaille@inf.enst.fr -Alain Magloire alain@qnx.com -Alan Iwi iwi@atm.ox.ac.uk -Albert Chin-A-Young china@thewrittenword.com -Albert Hopkins ahopkins@dynacare.com -Alberto Accomazzi alberto@cfa0.harvard.edu -aldomel aldomel@ix.netcom.com -Alen Muzinic zveki@fly.cc.fer.hr -Alexandre Duret-Lutz duret_g@epita.fr -Alexey Solovyov alekso@math.uu.se -Alexey Vyskubov alexey@pippuri.mawhrin.net -Alfred M. Szmidt ams@kemisten.nu -Andi Kleen freitag@alancoxonachip.com -Andre Novaes Cunha Andre.Cunha@br.global-one.net -Andreas Gruenbacher ag@bestbits.at -Andreas Jaeger jaeger@gnu.org -Andreas Luik luik@isa.de -Andreas Schwab schwab@suse.de -Andreas Stolcke stolcke@ICSI.Berkeley.EDU -Andrei Gaponenko andr@triumf.ca -Andres Soolo andres@soolo.matti.ee -Andrew Burgess aab@cichlid.com -Andrew Dalke dalke@bioreason.com -Andrew Fabbro andrew@fabbro.org -Andrew Pham andpha@us.ibm.com -Andrew Tridgell tridge@samba.org -Andrey Borzenkov arvidjaar@mail.ru -Andries Brouwer Andries.Brouwer@cwi.nl -Andy Longton alongton@metamark.com -Anthony Thyssen anthony@griffith.edu.au -Antonio Rendas ajrendas@yahoo.com -Ariel Faigon ariel@cthulhu.engr.sgi.com -Arne H. Juul arnej@solan.unit.no -Arne Henrik Juul arnej@imf.unit.no -Arnold Robbins arnold@skeeve.com -Arthur Pool pool@commerce.uq.edu.au -Arun Sharma arun.sharma@intel.com -Arvind Autar Autar022@planet.nl -Augey Mikus mikus@dqc.org -Austin Donnelly Austin.Donnelly@cl.cam.ac.uk -Axel Kittenberger Anshil@gmx.net -Bauke Jan Douma bjdouma@xs4all.nl -Ben Elliston bje@air.net.au -Ben Harris bjh21@netbsd.org -Benjamin Cutler cutlerbc@simla.colostate.edu -Bengt Martensson bengt@mathematik.uni-Bremen.de -Bernard Giroud bernard.giroud@creditlyonnais.ch -Bernd Leibing bernd.leibing@rz.uni-ulm.de -Bernd Melchers melchers@cis.fu-berlin.de -Bernhard Baehr bernhard.baehr@gmx.de -Bernhard Gabler bernhard@uni-koblenz.de -Bernhard Rosenkraenzer bero@redhat.de -Bert Deknuydt Bert.Deknuydt@esat.kuleuven.ac.be -Bill Peters peters@gaffel.as.arizona.edu -Bjorn Helgaas helgaas@rsn.hp.com -Bob McCracken kerouac@ravenet.com -Bob Proulx rwp@fc.hp.com -Branden Robinson branden@necrotic.deadbeast.net -Brendan O'Dea bod@compusol.com.au -Brian Kimball bfk@footbag.org -Brian Youmans 3diff@gnu.org -Bruce Korb bkorb@veritas.com -Bruce Robertson brucer@theodolite.dyndns.org -Bruno Haible haible@clisp.cons.org -Carl Johnson carlj@cjlinux.home.org -Carl Lowenstein cdl@mpl.UCSD.EDU -Carlos Canau Carlos.Canau@relay.puug.pt -Charles Karney karney@pppl.gov -Charles Randall crandall@matchlogic.com -Chip Salzenberg chip@valinux.com -Chris Faylor cgf@cygnus.com -Chris J. Bednar cjb@AdvancedDataSolutions.com -Chris Lesniewski ctl@mit.edu -Chris Sylvain csylvain@umm.edu -Chris Yeo cyeo@biking.org -Christi Alice Scarborough christi@chiark.greenend.org.uk -Christian Harkort christian.harkort@web.de -Christian Krackowizer ckrackowiz@std.schuler-ag.com -Christian Rose menthos@menthos.com -Christian von Roques roques@pond.sub.org -Chuck Hedrick hedrick@klinzhai.rutgers.edu -Clark Morgan cmorgan@aracnet.com -Clement Wang clem.wang@overture.com -Colin Plumb colin@nyx.net -Colin Watson cjw44@riva.ucam.org -Collin Rogowski collin@rogowski.de -Cray-Cyber Project http://www.cray-cyber.org -Dale Scheetz dwarf@polaris.net -Dan Hagerty hag@gnu.ai.it.edu -Dan Jacobson http://www.geocities.com/jidani -Dan Pascu dan@services.iiruc.ro -Daniel Bergstrom noa@melody.se -Dániel Varga danielv@axelero.hu -Danny Levinson danny.levinson@overture.com -Darren Salt ds@youmustbejoking.demon.co.uk -Dave Beckett dajobe@dajobe.org -David Dyck dcd@tc.fluke.COM -David Eisner cradle@umd.edu -David Flynn dav@chess.plus.com -David Godfrey dave@delta.demon.co.uk -David Luyer david_luyer@pacific.net.au -David Malone dwmalone@cnri.dit.ie -Deepak Goel deego@gnufans.org -Dennis Henriksen opus@flamingo.osrl.dk -Dennis Smit ds@nerds-incorporated.org -Derek Clegg dclegg@next.com -Dick Streefland dick_streefland@tasking.com -Dirk Lattermann dlatt@t-online.de -Dirk-Jan Faber djfaber@snow.nl -Dmitry Rutsky rutsky@school.ioffe.rssi.ru -Dmitry V. Levin ldv@altlinux.org -Don Parsons dparsons@synapse.kent.edu -Donni Erpel donald@appc11.gsi.de -Doug Coleman coleman@iarc1.ece.utexas.edu -Doug McLaren dougmc@comco.com -Dragos Harabor dharabor@us.oracle.com -Duncan Roe duncanr@optimation.com.au -Ed Avis ed@membled.com -Edzer Pebesma Edzer.Pebesma@rivm.nl -Eirik Fuller eirik@hackrat.com -Eivind eivindt@multinet.no -Eli Zaretskii eliz@is.elta.co.il -Emile LeBlanc leblanc@math.toronto.edu -Eric Backus ericb@lsid.hp.com -Eric G. Miller egm2@jps.net -Eric Pemente pemente@northpark.edu -Eric S. Raymond esr@snark.thyrsus.com -Erik Bennett bennett@cvo.oneworld.com -Erik Corry erik@kroete2.freinet.de -Felix Lee flee@teleport.com -Ferdinand fw@scenic.mine.nu -Fletcher Mattox fletcher@cs.utexas.edu -Florin Iucha fiucha@hsys.mic.ro -François Pinard pinard@iro.umontreal.ca -Frank Adler fadler@allesklar.de -Frank T Lofaro ftlofaro@snooks.Egr.UNLV.EDU -Fred Fish fnf@ninemoons.com -Frédéric L. W. Meunier 0@pervalidus.net -Frederik Eaton frederik@caltech.edu -Gabor Z. Papp gzp@gzp.org.hu -Gaël Quéri gqueri@mail.dotcom.fr -Galen Hazelwood galenh@micron.net -Gary Anderson ganderson@clark.net -Gary V. Vaughan gary@gnu.org -Gaute Hvoslef Kvalnes gaute@verdsveven.com -Geoff Collyer geoff at collyer.net -Geoff Kuenning geoff@cs.hmc.edu -Geoff Odhner geoff@franklin.com -Geoff Whale geoffw@cse.unsw.EDU.AU -Gerhard Poul gpoul@gnu.org -Germano Leichsenring germano@jedi.cs.kobe-u.ac.jp -Göran Uddeborg goeran@uddeborg.pp.se -GOTO Masanori gotom@debian.or.jp -Greg Louis glouis@dynamicro.on.ca -Greg McGary gkm@gnu.org -Greg Schafer gschafer@zip.com.au -Greg Troxel gdt@bbn.com -Greg Wooledge gawooledge@sherwin.com -Gregory Leblanc gleblanc@cu-portland.edu -Guido Leenders guido.leenders@invantive.com -H. J. Lu hjl@valinux.com -Hans Ginzel hans@matfyz.cz -Hans Lermen lermen@fgan.de -Hans Verkuil hans@wyst.hobby.nl -Harry Liu rliu@lek.ugcs.caltech.edu -Harti Brandt brandt@fokus.fraunhofer.de -Herbert Xu herbert@gondor.apana.org.au -Holger Berger hberger@ess.nec.de -Hon-Yin Kok hkok@yoda.unl.edu -Hugh Daniel hugh@xanadu.com -Ian Bruce ian.bruce@myrealbox.com -Ian Jackson ijackson@chiark.greenend.org.uk -Ian Lance Taylor ian@cygnus.com -Ian Turner vectro@pipeline.com -Iida Yosiaki iida@gnu.org -Ingo Saitz ingo@debian.org -Ivo Timmermans ivo@debian.org -James james@albion.glarp.com -James Antill jmanti%essex.ac.uk@seralph21.essex.ac.uk -James Sneeringer jvs@ocslink.com -James Tanis jtt@soscorp.com -James Youngman james+usenet@free-lunch.demon.co.uk -Jamie Lokier jamie@imbolc.ucc.ie -Jan Fedak J.Fedak@sh.cvut.cz -Jan Nieuwenhuizen janneke@gnu.org -Janos Farkas chexum@shadow.banki.hu -Jarkko Hietaniemi jhi@epsilon.hut.fi -Jean Charles Delepine delepine@u-picardie.fr -Jeff Moore jbm@mordor.com -Jeff Sheinberg jeff@bsrd.net -Jens Elkner elkner@imsgroup.de -Jens Schmidt jms@jsds.hamburg.com -Jerome Abela abela@hsc.fr -Jérôme Zago bug-coreutils-ml@agt-the-walker.net -Jesse Kornblum kornblum@usna.edu -Jesse Thilo jgt2@eecs.lehigh.edu -Jie Xu xuj@iag.net -Jim Blandy jimb@cyclic.com -Jim Dennis jimd@starshine.org -Joakim Rosqvist dvljrt@cs.umu.se -Jochen Hein jochen@jochen.org -Joe Orton joe@manyfish.co.uk -Johan Danielsson joda@pdc.kth.se -John Bley jbb6@acpub.duke.edu -John David Anglin dave.anglin@nrc.ca -John Gatewood Ham zappaman@alphabox.compsci.buu.ac.th -John Gotts jgotts@umich.edu -John Kendall kendall@capps.com -John Kodis kodis@acm.org -John Murphy jam@philabs.research.philips.com -John Roll john@panic.harvard.edu -John Salmon johns@mullet.anu.edu.au -John Summerfield summer@OS2.ami.com.au -Jon Peatfield J.S.Peatfield@damtp.cam.ac.uk -Joost van Baal joostvb@xs4all.nl -Jorge Stolfi stolfi@ic.unicamp.br -Joseph S. Myers jsm28@cam.ac.uk -Juan F. Codagnone juam@arnet.com.ar -Jungshik Shin jshin@pantheon.yale.edu -Jürgen Fluk louis@dachau.marco.de -Jurriaan thunder7@xs4all.nl -jvogel jvogel@linkny.com -Kai Henningsen kai@debian.org -Kai-Uwe Rommel rommel@informatik.tu-muenchen.de -Kalle Olavi Niemitalo kon@iki.fi -Kamal Paul Nigam Kamal_Paul_Nigam@gs35.sp.cs.cmu.edu -Karl Eichwalder keichwa@gmx.net -Karl Heuer kwzh@gnu.org -Karl-Michael Schneider schneide@phil.uni-passau.de -Karsten Thygesen karthy@kom.auc.dk -Kaveh R. Ghazi ghazi@caip.rutgers.edu -Keith M. Briggs keith.briggs@bt.com -Keith Owens kaos@audio.apana.org.au -Keith Thompson kst@cts.com -Ken Pizzini kenp@halcyon.com -Kristin E Thomas kristint@us.ibm.com -Kjetil Torgrim Homme kjetilho@ifi.uio.no -Kristoffer Rose kris@diku.dk -Larry McVoy lm@sgi.com -Lars Hecking lhecking@nmrc.ucc.ie -Leah Q eequor@earthlink.net -Lehti Rami rammer@cs.tut.fi -Leonard N. Zubkoff lnz@dandelion.com -Leonardo Milano lmilano@udel.edu -Lorne Baker lbaker@nitro.avint.net -Luke Hassell lukehassell@yahoo.com -M. P. Suzuki mpsuzuki@hiroshima-u.ac.jp -Maciej Kwapulinski pikpok@univ.gda.pl -Manas Garg manas@cygsoft.com -Manfred Hollstein manfred@s-direktnet.de -Marc Boucher marc@mbsi.ca -Marc Haber mh+debian-bugs@zugschlus.de -Marc Olzheim marcolz@stack.nl -Marco Franzen Marco.Franzen@Thyron.com -Marcus Brinkmann http://www.marcus-brinkmann.de -Marcus Daniels marcus@ee.pdx.edu -Mark A. Thomas thommark@access.digex.net -Mark Conty Mark_Conty@cargill.com -Mark D. Roth roth@uiuc.edu -Mark Funkenhauser mfunkenhauser@rogers.com -Mark Harris mark@monitor.designacc.com -Mark Hewitt mhewitt@armature.com -Mark Hounschell markh@compro.net -Mark Hubbart discord@mac.com -Mark Kettenis kettenis@phys.uva.nl -Mark Nudelman marknu@flash.net -Mark W. Eichin eichin@cygnus.com -Markus Demleitner msdemlei@auriga.ari.uni-heidelberg.de -Martin martin@dresden.nacamar.de -Martin Buck martin.buck@ascom.ch -Martin Gallant martyg@goodbit.net -Martin Hippe martin.hippe@schlund.de -Martin Michlmayr tbm@cyrius.com -Martin Mitchell martin@debian.org -Martin P.J. Zinser zinser@decus.de -Marty Leisner leisner@sdsp.mc.xerox.com -Masami Takikawa takikawm@CS.ORST.EDU -Mate Wierdl mw@moni.msci.memphis.edu -Matej Vela mvela@public.srce.hr -Matt Perry matt@primefactor.com -Matt Schalit mschalit@pacbell.net -Matt Swift swift@alum.mit.edu -Matthew Arnison maffew@cat.org.au -Matthew Braun matthew@ans.net -Matthew Clarke Matthew_Clarke@mindlink.bc.ca -Matthew S. Levine mslevine@theory.lcs.mit.edu -Matthew Smith matts@bluesguitar.org -Matthew Swift swift@alum.mit.edu -Matthias Urlichs smurf@noris.de -Matti Aarnio matti.aarnio@zmailer.org -Mattias Wadenstein maswan@acc.umu.se -Meelis Roos mroos@tartu.cyber.ee -Michael michael@aplatform.com -Michael ??? michael@roka.net -Michael Bacarella mbac@netgraft.com> -Michael Deutschmann michael@talamasca.ocis.net -Michael Elizabeth Chastain mec.gnu@mindspring.com -Michael Gaughen mgaughen@polyserve.com -Michael Hasselberg mikelh@zonta.ping.de -Michael Hohn hohn@math.utah.edu -Michael J. Croghan mcroghan@usatoday.com -Michael McFarland sidlon@yahoo.com -Michael Piefel piefel@informatik.hu-berlin.de -Michael Steffens michael.steffens@s.netic.de -Michael Stone mstone@debian.org -Michael Stutz stutz@dsl.org -Michael van Elst mlelstv@dev.de.cw.net -Michael Veksler mveksler@techunix.technion.ac.il -Michail Litvak mci@owl.openwall.com -Michal Politowski mpol@charybda.icm.edu.pl -Michal Svec msvec@suse.cz -Michel Robitaille robitail@IRO.UMontreal.CA -Michiel Bacchiani bacchian@raven.bu.edu -Mike Castle dalgoda@ix.netcom.com -Mike Coleman mkc@mathdogs.com -Mike Jetzer mjetzer@mke.catalystwms.com -Mikko Tuumanen m@sorvankyla.yok.utu.fi -Mikulas Patocka mikulas@artax.karlin.mff.cuni.cz -Miles Bader miles@gnu.ai.mit.edu -Minh Tran-Le tranle@intellicorp.com -Morten Welinder terra@diku.dk -Neal H Walfield neal@cs.uml.edu -Neil Brown neilb@cse.unsw.edu.au -Nelson H. F. Beebe beebe@math.utah.edu -Nick Estes debian@nickstoys.com -Nick Lawes nlawes@silverplatter.com -Niklas Edmundsson nikke@acc.umu.se -Nikola Milutinovic Nikola.Milutinovic@ev.co.yu -Noah Friedman friedman@splode.com -Noel Cragg noel@red-bean.com -Olatunji Oluwabukunmi Ruwase tjruwase@stanford.edu -Olav Morkrid olav@funcom.com -Ole Laursen olau@hardworking.dk -Oliver Kiddle okiddle@yahoo.co.uk -Ørn E. Hansen oehansen@daimi.aau.dk -Oskar Liljeblad osk@hem.passagen.se -Patrick Mauritz oxygene@studentenbude.ath.cx -Paul Eggert eggert@twinsun.com -Paul Jarc prj@po.cwru.edu -Paul Nevai nevai@ops.mps.ohio-state.edu -Paul Sauer paul@alexa.com -Paul Slootman paul@debian.org -Paul Worrall paul@basilisk.uklinux.net -Pawel Prokop pablo@wizard.ae.krakow.pl -Per Cederqvist ceder@lysator.liu.se -Per Kristian Hove perhov@math.ntnu.no -Peter Eriksson peter@ifm.liu.se -Peter Horst peter@ointment.org -Peter Moulder reiter@netspace.net.au -Peter Samuelson psamuels@sampo.creighton.edu -Peter Seebach seebs@taniemarie.solon.com -Petter Reinholdtsen pere@hungry.com -Phelippe Neveu pneveu@pcigeomatics.com -Phil Richards phil.richards@vf.vodafone.co.uk -Philippe De Muyter phdm@macqel.be -Philippe Schnoebelen Philippe.Schnoebelen@imag.fr -Phillip Jones mouse@datastacks.com -Piergiorgio Sartor sartor@sony.de -Piotr Kwapulinski kwap@univ.gda.pl -Prashant TR tr@eth.net -Rainer Orth ro@TechFak.Uni-Bielefeld.DE -Ralf W. Stephan stephan@tmt.de -Ralph Loader loader@maths.ox.ac.uk -Raul Miller moth@magenta.com -Raúl Núñez de Arenas Coronado raul@pleyades.net -Reuben Thomas rrt@sc3d.org -Richard A Downing richard.downing@bcs.org.uk -Richard Braakman dark@xs4all.nl -Richard Dawe rich@phekda.freeserve.co.uk -Richard J. Rauenzahn rrauenza@hairball.cup.hp.com -Richard Neill rn214@hermes.cam.ac.uk -Richard Sharman rsharman@magmacom.com -Rick Sladkey jrs@world.std.com -Rik Faith faith@cs.unc.edu -Risto Kankkunen kankkune@lingsoft.fi -Robert H. de Vries robert@and.nl -Robert Millan zeratul2@wanadoo.es -Rogier Wolff R.E.Wolff@BitWizard.nl -Roland Huebner ro-huebner@gmx.de -Roland Turner raz.tah.bet@raz.cx -Ronald F. Guilmette rfg@netcom.com -Ross Alexander r.alexander@auckland.ac.nz -Ross Paterson rap@doc.ic.ac.uk -Ross Ridge rridge@calum.csclub.uwaterloo.ca -Sami Farin sfarin@ratol.fi -Samuel Tardieu sam@rfc1149.net -Samuli Karkkainen Samuli.Karkkainen@hut.fi -Sander van Malssen svm@kozmix.ow.nl -Santiago Vila Doncel sanvila@unex.es -Savochkin Andrey Vladimirovich saw@msu.ru -Scott Lurndal slurn@griffin.engr.sgi.com -Shing-Shong Shei shei@cs.indiana.edu -Soeren Sonnenburg sonnenburg@informatik.hu-berlin.de -Solar Designer solar@owl.openwall.com -Stanislav Ievlev inger@altlinux.ru -Stéphane Chazelas Stephane_CHAZELAS@yahoo.fr -Stephen Depooter sbdep@myrealbox.com -Stephen Eglen eglen@pcg.wustl.edu -Stephen Gildea gildea@stop.mail-abuse.org -Stephen Smoogen smooge@mindspring.com -Steve McConnel steve@acadcomp.sil.org -Steven G. Johnson stevenj@alum.mit.edu -Steven Mocking ufo@quicknet.nl -Steven P Watson steven@magelico.net -Stuart Kemp skemp@peter.bmc.com -Szakacsits Szabolcs szaka@sienet.hu -Tadayoshi Funaba tadf@kt.rim.or.jp -TAKAI Kousuke takai@vlsi.kuee.kyoto-u.ac.jp -Theodore Ts'o tytso@rsts-11.mit.edu -Thomas Bushnell thomas@gnu.ai.mit.edu -Thomas Goerlich thomas@schnappmatik.de -Thomas Luzat thomas@luzat.com -Thomas Quinot thomas@Cuivre.FR.EU.ORG -Tim J. Robbins tjr@FreeBSD.org -Tim Mooney mooney@dogbert.cc.ndsu.NoDak.edu -Tim Smithers mouse@dmouse.com.au -Tim Waugh twaugh@redhat -Todd A. Jacobs tjacobs@codegnome.org -Tom Haynes thomas@netapp.com -Tom Quinn trq@dionysos.thphys.ox.ac.uk -Tommi Kyntola tkyntola@cc.hut.fi -Ton Hospel thospel@mail.dma.be -Ton Nijkes ton@murphy.nl -Tony Kocurko akocurko@mun.ca -Tony Leneis tony@plaza.ds.adp.com -Tony Robinson ajr@eng.cam.ac.uk -Torbjorn Granlund tege@nada.kth.se -Torbjorn Lindgren tl@funcom.no -Torsten Landschoff torsten@pclab.ifg.uni-kiel.de -Ulrich Drepper drepper@gnu.org -Urs Thuermann urs@isnogud.escape.de -Uwe H. Steinfeld usteinfeld@gmx.net -Vesselin Atanasov vesselin@bgnet.bg -Vin Shelton acs@alumni.princeton.edu -Volker Borchert bt@teknon.de -Volker Paul vpaul@dohle.com -Wartan Hachaturow wart@tepkom.ru -Wayne Stewart wstewa@atl.com -Wenjun Zheng zwj@yahoo.com -Werner Almesberger Werner.Almesberger@epfl.ch -Wichert Akkerman wichert@cistron.nl -Will Edgington wedgingt@acm.org -William Bader william@nscs.fast.net -William Dowling will@franklin.com -William Lewis wiml@omnigroup.com -wiregauze wiregauze@yahoo.com -Wojciech Purczynski cliph@isec.pl -Wolfram Kleff kleff@cs.uni-bonn.de -Won-kyu Park wkpark@chem.skku.ac.kr -Yann Dirson dirson@debian.org -Zvi Har'El rl@math.technion.ac.il diff --git a/contrib/gnu-sort/THANKS-to-translators b/contrib/gnu-sort/THANKS-to-translators deleted file mode 100644 index c84ff64..0000000 --- a/contrib/gnu-sort/THANKS-to-translators +++ /dev/null @@ -1,36 +0,0 @@ -The following teams have translated the many diagnostics of this -package into many different languages. Thank you! - ---- -http://www.iro.umontreal.ca/contrib/po/HTML/team-af.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-be.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-ca.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-cs.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-da.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-de.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-el.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-es.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-et.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-fi.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-fr.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-ga.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-gl.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-hu.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-it.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-ja.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-ko.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-lg.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-ms.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-nb.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-nl.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-no.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-pl.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-pt.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-pt_BR.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-ru.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-sk.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-sl.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-sv.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-tr.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-zh_CN.html -http://www.iro.umontreal.ca/contrib/po/HTML/team-zh_TW.html diff --git a/contrib/gnu-sort/TODO b/contrib/gnu-sort/TODO deleted file mode 100644 index 82a74bf..0000000 --- a/contrib/gnu-sort/TODO +++ /dev/null @@ -1,171 +0,0 @@ -restore djgpp, eventually -merge TODO lists -add unit tests for lib/*.c - -strip: add an option to specify the program used to strip binaries. - suggestion from Karl Berry - -doc/coreutils.texi: - Address this comment: FIXME: mv's behavior in this case is system-dependent - Better still: fix the code so it's *not* system-dependent. - -implement --target-directory=DIR for install (per texinfo documentation) - -ls: add --format=FORMAT option that controls how each line is printed. - -cp --no-preserve=X should not attempt to preserve attribute X - reported by Andreas Schwab - -copy.c: Address the FIXME-maybe comment in copy_internal. -And once that's done, add an exclusion so that `cp --link' -no longer incurs the overhead of saving src. dev/ino and dest. filename -in the hash table. - -See if we can be consistent about where --verbose sends its output: - These all send --verbose output to stdout: - head, tail, rm, cp, mv, ln, chmod, chown, chgrp, install, ln - These send it to stderr: - shred mkdir split - readlink is different - -Write an autoconf test to work around build failure in HPUX's 64-bit mode. -See notes in README -- and remove them once there's a work-around. - -Integrate use of sendfile, suggested here: - http://mail.gnu.org/archive/html/bug-fileutils/2003-03/msg00030.html -I don't plan to do that, since a few tests demonstrate no significant benefit. - -Should printf '\0123' print "\n3"? - per report from TAKAI Kousuke on Mar 27 - http://mail.gnu.org/archive/html/bug-coreutils/2003-03/index.html - -printf: consider adapting builtins/printf.def from bash - -df: add `--total' option, suggested here http://bugs.debian.org/186007 - -seq: give better diagnostics for invalid formats: - e.g. no or too many % directives -seq: consider allowing format string to contain no %-directives - -m4: rename all macros that start with AC_ to start with another prefix - -resolve RH report on cp -a forwarded by Tim Waugh - -Martin Michlmayr's patch to provide ls with `--sort directory' option - -tail: don't use xlseek; it *exits*. - Instead, maybe use a macro and return nonzero. - -add mktemp? Suggested by Nelson Beebe - -df: alignment problem of `Used' heading with e.g., -mP - reported by Karl Berry - -tr: support nontrivial equivalence classes, e.g. [=e=] with LC_COLLATE=fr_FR - -fix tail -f to work with named pipes; reported by Ian D. Allen - $ mkfifo j; tail -f j & sleep 1; echo x > j - ./tail: j: file truncated - ./tail: j: cannot seek to offset 0: Illegal seek - -lib/strftime.c: Since %N is the only format that we need but that - glibc's strftime doesn't support, consider using a wrapper that - would expand /%(-_)?\d*N/ to the desired string and then pass the - resulting string to glibc's strftime. - -sort: Compress temporary files when doing large external sort/merges. - This improves performance when you can compress/uncompress faster than - you can read/write, which is common in these days of fast CPUs. - suggestion from Charles Randall on 2001-08-10 - -sort: Add an ordering option -R that causes 'sort' to sort according - to a random permutation of the correct sort order. Also, add an - option --random-seed=SEED that causes 'sort' to use an arbitrary - string SEED to select which permutations to use, in a deterministic - manner: that is, if you sort a permutation of the same input file - with the same --random-seed=SEED option twice, you'll get the same - output. The default SEED is chosen at random, and contains enough - information to ensure that the output permutation is random. - suggestion from Feth AREZKI, Stephan Kasal, and Paul Eggert on 2003-07-17 - -unexpand: [http://www.opengroup.org/onlinepubs/007908799/xcu/unexpand.html] - printf 'x\t \t y\n'|unexpand -t 8,9 should print its input, unmodified. - printf 'x\t \t y\n'|unexpand -t 5,8 should print "x\ty\n" - -Let GNU su use the `wheel' group if appropriate. - (there are a couple patches, already) - -sort: Investigate better sorting algorithms; see Knuth vol. 3. - - We tried list merge sort, but it was about 50% slower than the - recursive algorithm currently used by sortlines, and it used more - comparisons. We're not sure why this was, as the theory suggests it - should do fewer comparisons, so perhaps this should be revisited. - List merge sort was implemented in the style of Knuth algorithm - 5.2.4L, with the optimization suggested by exercise 5.2.4-22. The - test case was 140,213,394 bytes, 426,4424 lines, text taken from the - GCC 3.3 distribution, sort.c compiled with GCC 2.95.4 and running on - Debian 3.0r1 GNU/Linux, 2.4GHz Pentium 4, single pass with no - temporary files and plenty of RAM. - - Since comparisons seem to be the bottleneck, perhaps the best - algorithm to try next should be merge insertion. See Knuth section - 5.3.1, who credits Lester Ford, Jr. and Selmer Johnson, American - Mathematical Monthly 66 (1959), 387-389. - -cp --recursive: perform dir traversals in source and dest hierarchy rather - than forming full file names. The latter (current) approach fails - unnecessarily when the names become very long. - -tail --p is now ambiguous - -Remove suspicious uses of alloca (ones that may allocate more than - about 4k) - -Adapt these contribution guidelines for coreutils: - http://sources.redhat.com/automake/contribute.html - - -Changes expected to go in, post-5.2.1: -====================================== - - wc: add an option, --files0-from [as for du] to make it read NUL-delimited - file name arguments from a file. - - dd patch from Olivier Delhomme - - Apply Andreas Gruenbacher's ACL and xattr changes - - Apply Bruno Haible's hostname changes - - test/mv/*: clean up $other_partition_tmpdir in all cases - - ls: when both -l and --dereference-command-line-symlink-to-dir are - specified, consider whether to let the latter select whether to - dereference command line symlinks to directories. Since -l has - an implicit --NO-dereference-command-line-symlink-to-dir meaning. - Pointed out by Karl Berry. - - A more efficient version of factor, and possibly one that - accepts inputs of size 2^64 and larger. - - Re-add a separate test for du's stack space usage (like the one removed - from tests/rm/deep-1). - - dd: consider adding an option to suppress `bytes/block read/written' - output to stderr. Suggested here: - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=165045 - - Pending copyright papers: - ------------------------ - ls --color: Ed Avis' patch to suppress escape sequences for - non-highlighted files - - getpwnam from Bruce Korb - - pb (progress bar) from Miika Pekkarinen - - Look into improving the performance of md5sum. - `openssl md5' is consistently about 30% faster than md5sum on an idle - AMD 2000-XP system with plenty of RAM and a 261 MB input file. - openssl's md5 implementation is in assembly, generated by a perl script. diff --git a/contrib/gnu-sort/lib/__fpending.c b/contrib/gnu-sort/lib/__fpending.c deleted file mode 100644 index a872102..0000000 --- a/contrib/gnu-sort/lib/__fpending.c +++ /dev/null @@ -1,30 +0,0 @@ -/* __fpending.c -- return the number of pending output bytes on a stream - Copyright (C) 2000 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Jim Meyering. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "__fpending.h" - -size_t -__fpending (FILE *fp) -{ - return PENDING_OUTPUT_N_BYTES; -} diff --git a/contrib/gnu-sort/lib/__fpending.h b/contrib/gnu-sort/lib/__fpending.h deleted file mode 100644 index 5a51582..0000000 --- a/contrib/gnu-sort/lib/__fpending.h +++ /dev/null @@ -1,17 +0,0 @@ -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include <stddef.h> -#include <stdio.h> - -#if HAVE_STDIO_EXT_H -# include <stdio_ext.h> -#endif - -#ifndef HAVE_DECL___FPENDING -"this configure-time declaration test was not run" -#endif -#if !HAVE_DECL___FPENDING -size_t __fpending (FILE *); -#endif diff --git a/contrib/gnu-sort/lib/argmatch.c b/contrib/gnu-sort/lib/argmatch.c deleted file mode 100644 index 1a8ec2f..0000000 --- a/contrib/gnu-sort/lib/argmatch.c +++ /dev/null @@ -1,278 +0,0 @@ -/* argmatch.c -- find a match for a string in an array - - Copyright (C) 1990, 1998, 1999, 2001, 2002, 2003, 2004 Free - Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by David MacKenzie <djm@ai.mit.edu> - Modified by Akim Demaille <demaille@inf.enst.fr> */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -/* Specification. */ -#include "argmatch.h" - -#include <stdbool.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "gettext.h" -#define _(msgid) gettext (msgid) - -#include "error.h" -#include "exit.h" -#include "quotearg.h" -#include "quote.h" -#include "unlocked-io.h" - -/* When reporting an invalid argument, show nonprinting characters - by using the quoting style ARGMATCH_QUOTING_STYLE. Do not use - literal_quoting_style. */ -#ifndef ARGMATCH_QUOTING_STYLE -# define ARGMATCH_QUOTING_STYLE locale_quoting_style -#endif - -/* Non failing version of argmatch call this function after failing. */ -#ifndef ARGMATCH_DIE -# include "exitfail.h" -# define ARGMATCH_DIE exit (exit_failure) -#endif - -#ifdef ARGMATCH_DIE_DECL -ARGMATCH_DIE_DECL; -#endif - -static void -__argmatch_die (void) -{ - ARGMATCH_DIE; -} - -/* Used by XARGMATCH and XARGCASEMATCH. See description in argmatch.h. - Default to __argmatch_die, but allow caller to change this at run-time. */ -argmatch_exit_fn argmatch_die = __argmatch_die; - - -/* If ARG is an unambiguous match for an element of the - null-terminated array ARGLIST, return the index in ARGLIST - of the matched element, else -1 if it does not match any element - or -2 if it is ambiguous (is a prefix of more than one element). - - If VALLIST is none null, use it to resolve ambiguities limited to - synonyms, i.e., for - "yes", "yop" -> 0 - "no", "nope" -> 1 - "y" is a valid argument, for `0', and "n" for `1'. */ - -ptrdiff_t -argmatch (const char *arg, const char *const *arglist, - const char *vallist, size_t valsize) -{ - size_t i; /* Temporary index in ARGLIST. */ - size_t arglen; /* Length of ARG. */ - ptrdiff_t matchind = -1; /* Index of first nonexact match. */ - bool ambiguous = false; /* If true, multiple nonexact match(es). */ - - arglen = strlen (arg); - - /* Test all elements for either exact match or abbreviated matches. */ - for (i = 0; arglist[i]; i++) - { - if (!strncmp (arglist[i], arg, arglen)) - { - if (strlen (arglist[i]) == arglen) - /* Exact match found. */ - return i; - else if (matchind == -1) - /* First nonexact match found. */ - matchind = i; - else - { - /* Second nonexact match found. */ - if (vallist == NULL - || memcmp (vallist + valsize * matchind, - vallist + valsize * i, valsize)) - { - /* There is a real ambiguity, or we could not - disambiguate. */ - ambiguous = true; - } - } - } - } - if (ambiguous) - return -2; - else - return matchind; -} - -/* Error reporting for argmatch. - CONTEXT is a description of the type of entity that was being matched. - VALUE is the invalid value that was given. - PROBLEM is the return value from argmatch. */ - -void -argmatch_invalid (const char *context, const char *value, ptrdiff_t problem) -{ - char const *format = (problem == -1 - ? _("invalid argument %s for %s") - : _("ambiguous argument %s for %s")); - - error (0, 0, format, quotearg_n_style (0, ARGMATCH_QUOTING_STYLE, value), - quote_n (1, context)); -} - -/* List the valid arguments for argmatch. - ARGLIST is the same as in argmatch. - VALLIST is a pointer to an array of values. - VALSIZE is the size of the elements of VALLIST */ -void -argmatch_valid (const char *const *arglist, - const char *vallist, size_t valsize) -{ - size_t i; - const char *last_val = NULL; - - /* We try to put synonyms on the same line. The assumption is that - synonyms follow each other */ - fprintf (stderr, _("Valid arguments are:")); - for (i = 0; arglist[i]; i++) - if ((i == 0) - || memcmp (last_val, vallist + valsize * i, valsize)) - { - fprintf (stderr, "\n - `%s'", arglist[i]); - last_val = vallist + valsize * i; - } - else - { - fprintf (stderr, ", `%s'", arglist[i]); - } - putc ('\n', stderr); -} - -/* Never failing versions of the previous functions. - - CONTEXT is the context for which argmatch is called (e.g., - "--version-control", or "$VERSION_CONTROL" etc.). Upon failure, - calls the (supposed never to return) function EXIT_FN. */ - -ptrdiff_t -__xargmatch_internal (const char *context, - const char *arg, const char *const *arglist, - const char *vallist, size_t valsize, - argmatch_exit_fn exit_fn) -{ - ptrdiff_t res = argmatch (arg, arglist, vallist, valsize); - if (res >= 0) - /* Success. */ - return res; - - /* We failed. Explain why. */ - argmatch_invalid (context, arg, res); - argmatch_valid (arglist, vallist, valsize); - (*exit_fn) (); - - return -1; /* To please the compilers. */ -} - -/* Look for VALUE in VALLIST, an array of objects of size VALSIZE and - return the first corresponding argument in ARGLIST */ -const char * -argmatch_to_argument (const char *value, - const char *const *arglist, - const char *vallist, size_t valsize) -{ - size_t i; - - for (i = 0; arglist[i]; i++) - if (!memcmp (value, vallist + valsize * i, valsize)) - return arglist[i]; - return NULL; -} - -#ifdef TEST -/* - * Based on "getversion.c" by David MacKenzie <djm@gnu.ai.mit.edu> - */ -char *program_name; - -/* When to make backup files. */ -enum backup_type -{ - /* Never make backups. */ - none, - - /* Make simple backups of every file. */ - simple, - - /* Make numbered backups of files that already have numbered backups, - and simple backups of the others. */ - numbered_existing, - - /* Make numbered backups of every file. */ - numbered -}; - -/* Two tables describing arguments (keys) and their corresponding - values */ -static const char *const backup_args[] = -{ - "no", "none", "off", - "simple", "never", - "existing", "nil", - "numbered", "t", - 0 -}; - -static const enum backup_type backup_vals[] = -{ - none, none, none, - simple, simple, - numbered_existing, numbered_existing, - numbered, numbered -}; - -int -main (int argc, const char *const *argv) -{ - const char *cp; - enum backup_type backup_type = none; - - program_name = (char *) argv[0]; - - if (argc > 2) - { - fprintf (stderr, "Usage: %s [VERSION_CONTROL]\n", program_name); - exit (1); - } - - if ((cp = getenv ("VERSION_CONTROL"))) - backup_type = XARGMATCH ("$VERSION_CONTROL", cp, - backup_args, backup_vals); - - if (argc == 2) - backup_type = XARGMATCH (program_name, argv[1], - backup_args, backup_vals); - - printf ("The version control is `%s'\n", - ARGMATCH_TO_ARGUMENT (backup_type, backup_args, backup_vals)); - - return 0; -} -#endif diff --git a/contrib/gnu-sort/lib/argmatch.h b/contrib/gnu-sort/lib/argmatch.h deleted file mode 100644 index 8952394..0000000 --- a/contrib/gnu-sort/lib/argmatch.h +++ /dev/null @@ -1,112 +0,0 @@ -/* argmatch.h -- definitions and prototypes for argmatch.c - - Copyright (C) 1990, 1998, 1999, 2001, 2002, 2004 Free Software - Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by David MacKenzie <djm@ai.mit.edu> - Modified by Akim Demaille <demaille@inf.enst.fr> */ - -#ifndef ARGMATCH_H_ -# define ARGMATCH_H_ 1 - -# include <stddef.h> - -# define ARRAY_CARDINALITY(Array) (sizeof (Array) / sizeof *(Array)) - -# define ARGMATCH_CONSTRAINT(Arglist, Vallist) \ - (ARRAY_CARDINALITY (Arglist) == ARRAY_CARDINALITY (Vallist) + 1) - -/* Assert there are as many real arguments as there are values - (argument list ends with a NULL guard). ARGMATCH_VERIFY is - preferred, since it is guaranteed to be checked at compile-time. - ARGMATCH_ASSERT is for backward compatibility only. */ - -# define ARGMATCH_VERIFY(Arglist, Vallist) \ - struct argmatch_verify \ - { \ - char argmatch_verify[ARGMATCH_CONSTRAINT(Arglist, Vallist) ? 1 : -1]; \ - } - -# define ARGMATCH_ASSERT(Arglist, Vallist) \ - assert (ARGMATCH_CONSTRAINT (Arglist, Vallist)) - -/* Return the index of the element of ARGLIST (NULL terminated) that - matches with ARG. If VALLIST is not NULL, then use it to resolve - false ambiguities (i.e., different matches of ARG but corresponding - to the same values in VALLIST). */ - -ptrdiff_t argmatch (char const *arg, char const *const *arglist, - char const *vallist, size_t valsize); - -# define ARGMATCH(Arg, Arglist, Vallist) \ - argmatch (Arg, Arglist, (char const *) (Vallist), sizeof *(Vallist)) - -/* xargmatch calls this function when it fails. This function should not - return. By default, this is a function that calls ARGMATCH_DIE which - in turn defaults to `exit (exit_failure)'. */ -typedef void (*argmatch_exit_fn) (void); -extern argmatch_exit_fn argmatch_die; - -/* Report on stderr why argmatch failed. Report correct values. */ - -void argmatch_invalid (char const *context, char const *value, - ptrdiff_t problem); - -/* Left for compatibility with the old name invalid_arg */ - -# define invalid_arg(Context, Value, Problem) \ - argmatch_invalid (Context, Value, Problem) - - - -/* Report on stderr the list of possible arguments. */ - -void argmatch_valid (char const *const *arglist, - char const *vallist, size_t valsize); - -# define ARGMATCH_VALID(Arglist, Vallist) \ - argmatch_valid (Arglist, (char const *) (Vallist), sizeof *(Vallist)) - - - -/* Same as argmatch, but upon failure, reports a explanation on the - failure, and exits using the function EXIT_FN. */ - -ptrdiff_t __xargmatch_internal (char const *context, - char const *arg, char const *const *arglist, - char const *vallist, size_t valsize, - argmatch_exit_fn exit_fn); - -/* Programmer friendly interface to __xargmatch_internal. */ - -# define XARGMATCH(Context, Arg, Arglist, Vallist) \ - ((Vallist) [__xargmatch_internal (Context, Arg, Arglist, \ - (char const *) (Vallist), \ - sizeof *(Vallist), \ - argmatch_die)]) - -/* Convert a value into a corresponding argument. */ - -char const *argmatch_to_argument (char const *value, - char const *const *arglist, - char const *vallist, size_t valsize); - -# define ARGMATCH_TO_ARGUMENT(Value, Arglist, Vallist) \ - argmatch_to_argument (Value, Arglist, \ - (char const *) (Vallist), sizeof *(Vallist)) - -#endif /* ARGMATCH_H_ */ diff --git a/contrib/gnu-sort/lib/closeout.c b/contrib/gnu-sort/lib/closeout.c deleted file mode 100644 index 3c7bed9..0000000 --- a/contrib/gnu-sort/lib/closeout.c +++ /dev/null @@ -1,93 +0,0 @@ -/* closeout.c - close standard output - - Copyright (C) 1998, 1999, 2000, 2001, 2002, 2004 Free Software - Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "closeout.h" - -#include <stdio.h> -#include <errno.h> - -#include "gettext.h" -#define _(msgid) gettext (msgid) - -#include "error.h" -#include "exitfail.h" -#include "quotearg.h" -#include "unlocked-io.h" -#include "__fpending.h" - -static const char *file_name; - -/* Set the file name to be reported in the event an error is detected - by close_stdout. */ -void -close_stdout_set_file_name (const char *file) -{ - file_name = file; -} - -/* Close standard output, exiting with status 'exit_failure' on failure. - If a program writes *anything* to stdout, that program should `fflush' - stdout and make sure that it succeeds before exiting. Otherwise, - suppose that you go to the extreme of checking the return status - of every function that does an explicit write to stdout. The last - printf can succeed in writing to the internal stream buffer, and yet - the fclose(stdout) could still fail (due e.g., to a disk full error) - when it tries to write out that buffered data. Thus, you would be - left with an incomplete output file and the offending program would - exit successfully. - - FIXME: note the fflush suggested above is implicit in the fclose - we actually do below. Consider doing only the fflush and/or using - setvbuf to inhibit buffering. - - Besides, it's wasteful to check the return value from every call - that writes to stdout -- just let the internal stream state record - the failure. That's what the ferror test is checking below. - - It's important to detect such failures and exit nonzero because many - tools (most notably `make' and other build-management systems) depend - on being able to detect failure in other tools via their exit status. */ - -void -close_stdout (void) -{ - int e = ferror (stdout) ? 0 : -1; - - /* If the stream's error bit is clear and there is nothing to flush, - then return right away. */ - if (e && __fpending (stdout) == 0) - return; - - if (fclose (stdout) != 0) - e = errno; - - if (0 <= e) - { - char const *write_error = _("write error"); - if (file_name) - error (exit_failure, e, "%s: %s", quotearg_colon (file_name), - write_error); - else - error (exit_failure, e, "%s", write_error); - } -} diff --git a/contrib/gnu-sort/lib/closeout.h b/contrib/gnu-sort/lib/closeout.h deleted file mode 100644 index 1b715ee..0000000 --- a/contrib/gnu-sort/lib/closeout.h +++ /dev/null @@ -1,33 +0,0 @@ -/* Close standard output. - - Copyright (C) 1998, 2000, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#ifndef CLOSEOUT_H -# define CLOSEOUT_H 1 - -# ifdef __cplusplus -extern "C" { -# endif - -void close_stdout_set_file_name (const char *file); -void close_stdout (void); - -# ifdef __cplusplus -} -# endif - -#endif diff --git a/contrib/gnu-sort/lib/dup-safer.c b/contrib/gnu-sort/lib/dup-safer.c deleted file mode 100644 index 408a1bd..0000000 --- a/contrib/gnu-sort/lib/dup-safer.c +++ /dev/null @@ -1,59 +0,0 @@ -/* Invoke dup, but avoid some glitches. - Copyright (C) 2001, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include <errno.h> - -#if HAVE_FCNTL_H -# include <fcntl.h> -#endif - -#if HAVE_UNISTD_H -# include <unistd.h> -#endif -#ifndef STDERR_FILENO -# define STDERR_FILENO 2 -#endif - -#include <unistd-safer.h> - -/* Like dup, but do not return STDIN_FILENO, STDOUT_FILENO, or - STDERR_FILENO. */ - -int -dup_safer (int fd) -{ -#ifdef F_DUPFD - return fcntl (fd, F_DUPFD, STDERR_FILENO + 1); -#else - int f = dup (fd); - if (0 <= f && f <= STDERR_FILENO) - { - int f1 = dup_safer (f); - int e = errno; - close (f); - errno = e; - f = f1; - } - return f; -#endif -} diff --git a/contrib/gnu-sort/lib/error.c b/contrib/gnu-sort/lib/error.c deleted file mode 100644 index 5a5e126..0000000 --- a/contrib/gnu-sort/lib/error.c +++ /dev/null @@ -1,306 +0,0 @@ -/* Error handler for noninteractive utilities - Copyright (C) 1990-1998, 2000-2002, 2003, 2004 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by David MacKenzie <djm@gnu.ai.mit.edu>. */ - -#ifdef HAVE_CONFIG_H -# include <config.h> -#endif - -#include "error.h" - -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#ifdef _LIBC -# include <libintl.h> -#else -# include "gettext.h" -#endif - -#ifdef _LIBC -# include <wchar.h> -# define mbsrtowcs __mbsrtowcs -#endif - -#if !_LIBC -# include "unlocked-io.h" -#endif - -#ifndef _ -# define _(String) String -#endif - -/* If NULL, error will flush stdout, then print on stderr the program - name, a colon and a space. Otherwise, error will call this - function without parameters instead. */ -void (*error_print_progname) (void); - -/* This variable is incremented each time `error' is called. */ -unsigned int error_message_count; - -#ifdef _LIBC -/* In the GNU C library, there is a predefined variable for this. */ - -# define program_name program_invocation_name -# include <errno.h> -# include <libio/libioP.h> - -/* In GNU libc we want do not want to use the common name `error' directly. - Instead make it a weak alias. */ -extern void __error (int status, int errnum, const char *message, ...) - __attribute__ ((__format__ (__printf__, 3, 4))); -extern void __error_at_line (int status, int errnum, const char *file_name, - unsigned int line_number, const char *message, - ...) - __attribute__ ((__format__ (__printf__, 5, 6)));; -# define error __error -# define error_at_line __error_at_line - -# include <libio/iolibio.h> -# define fflush(s) INTUSE(_IO_fflush) (s) -# undef putc -# define putc(c, fp) INTUSE(_IO_putc) (c, fp) - -# include <bits/libc-lock.h> - -#else /* not _LIBC */ - -# if !HAVE_DECL_STRERROR_R && STRERROR_R_CHAR_P -# ifndef HAVE_DECL_STRERROR_R -"this configure-time declaration test was not run" -# endif -char *strerror_r (); -# endif - -# ifndef SIZE_MAX -# define SIZE_MAX ((size_t) -1) -# endif - -/* The calling program should define program_name and set it to the - name of the executing program. */ -extern char *program_name; - -# if HAVE_STRERROR_R || defined strerror_r -# define __strerror_r strerror_r -# endif -#endif /* not _LIBC */ - -static void -print_errno_message (int errnum) -{ - char const *s = NULL; - -#if defined HAVE_STRERROR_R || _LIBC - char errbuf[1024]; -# if STRERROR_R_CHAR_P || _LIBC - s = __strerror_r (errnum, errbuf, sizeof errbuf); -# else - if (__strerror_r (errnum, errbuf, sizeof errbuf) == 0) - s = errbuf; -# endif -#endif - -#if !_LIBC - if (! s && ! (s = strerror (errnum))) - s = _("Unknown system error"); -#endif - -#if _LIBC - if (_IO_fwide (stderr, 0) > 0) - { - __fwprintf (stderr, L": %s", s); - return; - } -#endif - - fprintf (stderr, ": %s", s); -} - -static void -error_tail (int status, int errnum, const char *message, va_list args) -{ -#if _LIBC - if (_IO_fwide (stderr, 0) > 0) - { -# define ALLOCA_LIMIT 2000 - size_t len = strlen (message) + 1; - const wchar_t *wmessage = L"out of memory"; - wchar_t *wbuf = (len < ALLOCA_LIMIT - ? alloca (len * sizeof *wbuf) - : len <= SIZE_MAX / sizeof *wbuf - ? malloc (len * sizeof *wbuf) - : NULL); - - if (wbuf) - { - size_t res; - mbstate_t st; - const char *tmp = message; - memset (&st, '\0', sizeof (st)); - res = mbsrtowcs (wbuf, &tmp, len, &st); - wmessage = res == (size_t) -1 ? L"???" : wbuf; - } - - __vfwprintf (stderr, wmessage, args); - if (! (len < ALLOCA_LIMIT)) - free (wbuf); - } - else -#endif - vfprintf (stderr, message, args); - va_end (args); - - ++error_message_count; - if (errnum) - print_errno_message (errnum); -#if _LIBC - if (_IO_fwide (stderr, 0) > 0) - putwc (L'\n', stderr); - else -#endif - putc ('\n', stderr); - fflush (stderr); - if (status) - exit (status); -} - - -/* Print the program name and error message MESSAGE, which is a printf-style - format string with optional args. - If ERRNUM is nonzero, print its corresponding system error message. - Exit with status STATUS if it is nonzero. */ -void -error (int status, int errnum, const char *message, ...) -{ - va_list args; - -#if defined _LIBC && defined __libc_ptf_call - /* We do not want this call to be cut short by a thread - cancellation. Therefore disable cancellation for now. */ - int state = PTHREAD_CANCEL_ENABLE; - __libc_ptf_call (pthread_setcancelstate, (PTHREAD_CANCEL_DISABLE, &state), - 0); -#endif - - fflush (stdout); -#ifdef _LIBC - _IO_flockfile (stderr); -#endif - if (error_print_progname) - (*error_print_progname) (); - else - { -#if _LIBC - if (_IO_fwide (stderr, 0) > 0) - __fwprintf (stderr, L"%s: ", program_name); - else -#endif - fprintf (stderr, "%s: ", program_name); - } - - va_start (args, message); - error_tail (status, errnum, message, args); - -#ifdef _LIBC - _IO_funlockfile (stderr); -# ifdef __libc_ptf_call - __libc_ptf_call (pthread_setcancelstate, (state, NULL), 0); -# endif -#endif -} - -/* Sometimes we want to have at most one error per line. This - variable controls whether this mode is selected or not. */ -int error_one_per_line; - -void -error_at_line (int status, int errnum, const char *file_name, - unsigned int line_number, const char *message, ...) -{ - va_list args; - - if (error_one_per_line) - { - static const char *old_file_name; - static unsigned int old_line_number; - - if (old_line_number == line_number - && (file_name == old_file_name - || strcmp (old_file_name, file_name) == 0)) - /* Simply return and print nothing. */ - return; - - old_file_name = file_name; - old_line_number = line_number; - } - -#if defined _LIBC && defined __libc_ptf_call - /* We do not want this call to be cut short by a thread - cancellation. Therefore disable cancellation for now. */ - int state = PTHREAD_CANCEL_ENABLE; - __libc_ptf_call (pthread_setcancelstate, (PTHREAD_CANCEL_DISABLE, &state), - 0); -#endif - - fflush (stdout); -#ifdef _LIBC - _IO_flockfile (stderr); -#endif - if (error_print_progname) - (*error_print_progname) (); - else - { -#if _LIBC - if (_IO_fwide (stderr, 0) > 0) - __fwprintf (stderr, L"%s: ", program_name); - else -#endif - fprintf (stderr, "%s:", program_name); - } - - if (file_name != NULL) - { -#if _LIBC - if (_IO_fwide (stderr, 0) > 0) - __fwprintf (stderr, L"%s:%d: ", file_name, line_number); - else -#endif - fprintf (stderr, "%s:%d: ", file_name, line_number); - } - - va_start (args, message); - error_tail (status, errnum, message, args); - -#ifdef _LIBC - _IO_funlockfile (stderr); -# ifdef __libc_ptf_call - __libc_ptf_call (pthread_setcancelstate, (state, NULL), 0); -# endif -#endif -} - -#ifdef _LIBC -/* Make the weak alias. */ -# undef error -# undef error_at_line -weak_alias (__error, error) -weak_alias (__error_at_line, error_at_line) -#endif diff --git a/contrib/gnu-sort/lib/error.h b/contrib/gnu-sort/lib/error.h deleted file mode 100644 index 8ed6359..0000000 --- a/contrib/gnu-sort/lib/error.h +++ /dev/null @@ -1,66 +0,0 @@ -/* Declaration for error-reporting function - Copyright (C) 1995, 1996, 1997, 2003 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#ifndef _ERROR_H -#define _ERROR_H 1 - -#ifndef __attribute__ -/* This feature is available in gcc versions 2.5 and later. */ -# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5) -# define __attribute__(Spec) /* empty */ -# endif -/* The __-protected variants of `format' and `printf' attributes - are accepted by gcc versions 2.6.4 (effectively 2.7) and later. */ -# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 7) -# define __format__ format -# define __printf__ printf -# endif -#endif - -#ifdef __cplusplus -extern "C" { -#endif - -/* Print a message with `fprintf (stderr, FORMAT, ...)'; - if ERRNUM is nonzero, follow it with ": " and strerror (ERRNUM). - If STATUS is nonzero, terminate the program with `exit (STATUS)'. */ - -extern void error (int __status, int __errnum, const char *__format, ...) - __attribute__ ((__format__ (__printf__, 3, 4))); - -extern void error_at_line (int __status, int __errnum, const char *__fname, - unsigned int __lineno, const char *__format, ...) - __attribute__ ((__format__ (__printf__, 5, 6))); - -/* If NULL, error will flush stdout, then print on stderr the program - name, a colon and a space. Otherwise, error will call this - function without parameters instead. */ -extern void (*error_print_progname) (void); - -/* This variable is incremented each time `error' is called. */ -extern unsigned int error_message_count; - -/* Sometimes we want to have at most one error per line. This - variable controls whether this mode is selected or not. */ -extern int error_one_per_line; - -#ifdef __cplusplus -} -#endif - -#endif /* error.h */ diff --git a/contrib/gnu-sort/lib/exit.h b/contrib/gnu-sort/lib/exit.h deleted file mode 100644 index 4e8d465..0000000 --- a/contrib/gnu-sort/lib/exit.h +++ /dev/null @@ -1,32 +0,0 @@ -/* exit() function. - Copyright (C) 1995, 2001 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#ifndef _EXIT_H -#define _EXIT_H - -/* Get exit() declaration. */ -#include <stdlib.h> - -/* Some systems do not define EXIT_*, even with STDC_HEADERS. */ -#ifndef EXIT_SUCCESS -# define EXIT_SUCCESS 0 -#endif -#ifndef EXIT_FAILURE -# define EXIT_FAILURE 1 -#endif - -#endif /* _EXIT_H */ diff --git a/contrib/gnu-sort/lib/exitfail.c b/contrib/gnu-sort/lib/exitfail.c deleted file mode 100644 index 2ae5f69..0000000 --- a/contrib/gnu-sort/lib/exitfail.c +++ /dev/null @@ -1,27 +0,0 @@ -/* Failure exit status - - Copyright (C) 2002, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; see the file COPYING. - If not, write to the Free Software Foundation, - 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "exitfail.h" -#include "exit.h" - -int volatile exit_failure = EXIT_FAILURE; diff --git a/contrib/gnu-sort/lib/exitfail.h b/contrib/gnu-sort/lib/exitfail.h deleted file mode 100644 index cf5ab71..0000000 --- a/contrib/gnu-sort/lib/exitfail.h +++ /dev/null @@ -1,20 +0,0 @@ -/* Failure exit status - - Copyright (C) 2002 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; see the file COPYING. - If not, write to the Free Software Foundation, - 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -extern int volatile exit_failure; diff --git a/contrib/gnu-sort/lib/fopen-safer.c b/contrib/gnu-sort/lib/fopen-safer.c deleted file mode 100644 index c5c97c8..0000000 --- a/contrib/gnu-sort/lib/fopen-safer.c +++ /dev/null @@ -1,72 +0,0 @@ -/* Invoke fopen, but avoid some glitches. - Copyright (C) 2001, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#if HAVE_UNISTD_H -# include <unistd.h> -#endif -#include <unistd-safer.h> - -#ifndef STDERR_FILENO -# define STDERR_FILENO 2 -#endif - -#include <errno.h> -#include <stdio.h> -#include <stdio-safer.h> - -/* Like fopen, but do not return stdin, stdout, or stderr. */ - -FILE * -fopen_safer (char const *file, char const *mode) -{ - FILE *fp = fopen (file, mode); - - if (fp) - { - int fd = fileno (fp); - - if (0 <= fd && fd <= STDERR_FILENO) - { - int f = dup_safer (fd); - - if (f < 0) - { - int e = errno; - fclose (fp); - errno = e; - return NULL; - } - - if (fclose (fp) != 0 - || ! (fp = fdopen (f, mode))) - { - int e = errno; - close (f); - errno = e; - return NULL; - } - } - } - - return fp; -} diff --git a/contrib/gnu-sort/lib/gettext.h b/contrib/gnu-sort/lib/gettext.h deleted file mode 100644 index 835732e..0000000 --- a/contrib/gnu-sort/lib/gettext.h +++ /dev/null @@ -1,68 +0,0 @@ -/* Convenience header for conditional use of GNU <libintl.h>. - Copyright (C) 1995-1998, 2000-2002 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#ifndef _LIBGETTEXT_H -#define _LIBGETTEXT_H 1 - -/* NLS can be disabled through the configure --disable-nls option. */ -#if ENABLE_NLS - -/* Get declarations of GNU message catalog functions. */ -# include <libintl.h> - -#else - -/* Solaris /usr/include/locale.h includes /usr/include/libintl.h, which - chokes if dcgettext is defined as a macro. So include it now, to make - later inclusions of <locale.h> a NOP. We don't include <libintl.h> - as well because people using "gettext.h" will not include <libintl.h>, - and also including <libintl.h> would fail on SunOS 4, whereas <locale.h> - is OK. */ -#if defined(__sun) -# include <locale.h> -#endif - -/* Disabled NLS. - The casts to 'const char *' serve the purpose of producing warnings - for invalid uses of the value returned from these functions. - On pre-ANSI systems without 'const', the config.h file is supposed to - contain "#define const". */ -# define gettext(Msgid) ((const char *) (Msgid)) -# define dgettext(Domainname, Msgid) ((const char *) (Msgid)) -# define dcgettext(Domainname, Msgid, Category) ((const char *) (Msgid)) -# define ngettext(Msgid1, Msgid2, N) \ - ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) -# define dngettext(Domainname, Msgid1, Msgid2, N) \ - ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) -# define dcngettext(Domainname, Msgid1, Msgid2, N, Category) \ - ((N) == 1 ? (const char *) (Msgid1) : (const char *) (Msgid2)) -# define textdomain(Domainname) ((const char *) (Domainname)) -# define bindtextdomain(Domainname, Dirname) ((const char *) (Dirname)) -# define bind_textdomain_codeset(Domainname, Codeset) ((const char *) (Codeset)) - -#endif - -/* A pseudo function call that serves as a marker for the automated - extraction of messages, but does not call gettext(). The run-time - translation is done at a different place in the code. - The argument, String, should be a literal string. Concatenated strings - and other string expressions won't work. - The macro's expansion is not parenthesized, so that it is suitable as - initializer for static 'char[]' or 'const char[]' variables. */ -#define gettext_noop(String) String - -#endif /* _LIBGETTEXT_H */ diff --git a/contrib/gnu-sort/lib/hard-locale.c b/contrib/gnu-sort/lib/hard-locale.c deleted file mode 100644 index 45b7d05..0000000 --- a/contrib/gnu-sort/lib/hard-locale.c +++ /dev/null @@ -1,76 +0,0 @@ -/* hard-locale.c -- Determine whether a locale is hard. - - Copyright (C) 1997, 1998, 1999, 2002, 2003, 2004 Free Software - Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/* $FreeBSD$ */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "hard-locale.h" - -#if HAVE_LOCALE_H -# include <locale.h> -#endif - -#include <stdlib.h> -#include <string.h> - -/* Return true if the current CATEGORY locale is hard, i.e. if you - can't get away with assuming traditional C or POSIX behavior. */ -bool -hard_locale (int category) -{ -#if ! HAVE_SETLOCALE - return false; -#else - - bool hard = true; - char const *p = setlocale (category, NULL); - - if (p) - { -# if defined(__FreeBSD__) || (defined __GLIBC__ && 2 <= __GLIBC__) - if (strcmp (p, "C") == 0 || strcmp (p, "POSIX") == 0) - hard = false; -# else - char *locale = malloc (strlen (p) + 1); - if (locale) - { - strcpy (locale, p); - - /* Temporarily set the locale to the "C" and "POSIX" locales - to find their names, so that we can determine whether one - or the other is the caller's locale. */ - if (((p = setlocale (category, "C")) - && strcmp (p, locale) == 0) - || ((p = setlocale (category, "POSIX")) - && strcmp (p, locale) == 0)) - hard = false; - - /* Restore the caller's locale. */ - setlocale (category, locale); - free (locale); - } -# endif - } - - return hard; - -#endif -} diff --git a/contrib/gnu-sort/lib/hard-locale.h b/contrib/gnu-sort/lib/hard-locale.h deleted file mode 100644 index 010cb27..0000000 --- a/contrib/gnu-sort/lib/hard-locale.h +++ /dev/null @@ -1,26 +0,0 @@ -/* Determine whether a locale is hard. - - Copyright (C) 1999, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#ifndef HARD_LOCALE_H_ -# define HARD_LOCALE_H_ 1 - -# include <stdbool.h> - -bool hard_locale (int); - -#endif /* HARD_LOCALE_H_ */ diff --git a/contrib/gnu-sort/lib/human.c b/contrib/gnu-sort/lib/human.c deleted file mode 100644 index f024c73..0000000 --- a/contrib/gnu-sort/lib/human.c +++ /dev/null @@ -1,485 +0,0 @@ -/* human.c -- print human readable file size - - Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 - Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert and Larry McVoy. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "human.h" - -#ifndef SIZE_MAX -# define SIZE_MAX ((size_t) -1) -#endif -#ifndef UINTMAX_MAX -# define UINTMAX_MAX ((uintmax_t) -1) -#endif - -#if HAVE_LOCALE_H && HAVE_LOCALECONV -# include <locale.h> -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "gettext.h" -#define _(msgid) gettext (msgid) - -#include <argmatch.h> -#include <error.h> -#include <xstrtol.h> - -/* The maximum length of a suffix like "KiB". */ -#define HUMAN_READABLE_SUFFIX_LENGTH_MAX 3 - -static const char power_letter[] = -{ - 0, /* not used */ - 'K', /* kibi ('k' for kilo is a special case) */ - 'M', /* mega or mebi */ - 'G', /* giga or gibi */ - 'T', /* tera or tebi */ - 'P', /* peta or pebi */ - 'E', /* exa or exbi */ - 'Z', /* zetta or 2**70 */ - 'Y' /* yotta or 2**80 */ -}; - - -/* If INEXACT_STYLE is not human_round_to_nearest, and if easily - possible, adjust VALUE according to the style. */ - -static long double -adjust_value (int inexact_style, long double value) -{ - /* Do not use the floorl or ceill functions, as that would mean - checking for their presence and possibly linking with the - standard math library, which is a porting pain. So leave the - value alone if it is too large to easily round. */ - if (inexact_style != human_round_to_nearest && value < UINTMAX_MAX) - { - uintmax_t u = value; - value = u + (inexact_style == human_ceiling && u != value); - } - - return value; -} - -/* Group the digits of NUMBER according to the grouping rules of the - current locale. NUMBER contains NUMBERLEN digits. Modify the - bytes pointed to by NUMBER in place, subtracting 1 from NUMBER for - each byte inserted. Return the starting address of the modified - number. - - To group the digits, use GROUPING and THOUSANDS_SEP as in `struct - lconv' from <locale.h>. */ - -static char * -group_number (char *number, size_t numberlen, - char const *grouping, char const *thousands_sep) -{ - register char *d; - size_t grouplen = SIZE_MAX; - size_t thousands_seplen = strlen (thousands_sep); - size_t i = numberlen; - - /* The maximum possible value for NUMBERLEN is the number of digits - in the square of the largest uintmax_t, so double the size of - uintmax_t before converting to a bound. 302 / 1000 is ceil - (log10 (2.0)). Add 1 for integer division truncation. */ - char buf[2 * sizeof (uintmax_t) * CHAR_BIT * 302 / 1000 + 1]; - - memcpy (buf, number, numberlen); - d = number + numberlen; - - for (;;) - { - unsigned char g = *grouping; - - if (g) - { - grouplen = g < CHAR_MAX ? g : i; - grouping++; - } - - if (i < grouplen) - grouplen = i; - - d -= grouplen; - i -= grouplen; - memcpy (d, buf + i, grouplen); - if (i == 0) - return d; - - d -= thousands_seplen; - memcpy (d, thousands_sep, thousands_seplen); - } -} - -/* Convert N to a human readable format in BUF, using the options OPTS. - - N is expressed in units of FROM_BLOCK_SIZE. FROM_BLOCK_SIZE must - be nonnegative. - - Use units of TO_BLOCK_SIZE in the output number. TO_BLOCK_SIZE - must be positive. - - Use (OPTS & (human_round_to_nearest | human_floor | human_ceiling)) - to determine whether to take the ceiling or floor of any result - that cannot be expressed exactly. - - If (OPTS & human_group_digits), group the thousands digits - according to the locale, e.g., `1,000,000' in an American English - locale. - - If (OPTS & human_autoscale), deduce the output block size - automatically; TO_BLOCK_SIZE must be 1 but it has no effect on the - output. Use powers of 1024 if (OPTS & human_base_1024), and powers - of 1000 otherwise. For example, assuming powers of 1024, 8500 - would be converted to 8.3, 133456345 to 127, 56990456345 to 53, and - so on. Numbers smaller than the power aren't modified. - human_autoscale is normally used together with human_SI. - - If (OPTS & human_SI), append an SI prefix indicating which power is - being used. If in addition (OPTS & human_B), append "B" (if base - 1000) or "iB" (if base 1024) to the SI prefix. When ((OPTS & - human_SI) && ! (OPTS & human_autoscale)), TO_BLOCK_SIZE must be a - power of 1024 or of 1000, depending on (OPTS & - human_base_1024). */ - -char * -human_readable (uintmax_t n, char *buf, int opts, - uintmax_t from_block_size, uintmax_t to_block_size) -{ - int inexact_style = - opts & (human_round_to_nearest | human_floor | human_ceiling); - unsigned int base = opts & human_base_1024 ? 1024 : 1000; - uintmax_t amt; - int tenths; - int exponent = -1; - int exponent_max = sizeof power_letter - 1; - char *p; - char *psuffix; - char const *integerlim; - - /* 0 means adjusted N == AMT.TENTHS; - 1 means AMT.TENTHS < adjusted N < AMT.TENTHS + 0.05; - 2 means adjusted N == AMT.TENTHS + 0.05; - 3 means AMT.TENTHS + 0.05 < adjusted N < AMT.TENTHS + 0.1. */ - int rounding; - - char const *decimal_point = "."; - size_t decimal_pointlen = 1; - char const *grouping = ""; - char const *thousands_sep = ""; -#if HAVE_LOCALE_H && HAVE_LOCALECONV - struct lconv const *l = localeconv (); - size_t pointlen = strlen (l->decimal_point); - if (0 < pointlen && pointlen <= MB_LEN_MAX) - { - decimal_point = l->decimal_point; - decimal_pointlen = pointlen; - } - grouping = l->grouping; - if (strlen (l->thousands_sep) <= MB_LEN_MAX) - thousands_sep = l->thousands_sep; -#endif - - psuffix = buf + LONGEST_HUMAN_READABLE - HUMAN_READABLE_SUFFIX_LENGTH_MAX; - p = psuffix; - - /* Adjust AMT out of FROM_BLOCK_SIZE units and into TO_BLOCK_SIZE - units. If this can be done exactly with integer arithmetic, do - not use floating point operations. */ - if (to_block_size <= from_block_size) - { - if (from_block_size % to_block_size == 0) - { - uintmax_t multiplier = from_block_size / to_block_size; - amt = n * multiplier; - if (amt / multiplier == n) - { - tenths = 0; - rounding = 0; - goto use_integer_arithmetic; - } - } - } - else if (from_block_size != 0 && to_block_size % from_block_size == 0) - { - uintmax_t divisor = to_block_size / from_block_size; - uintmax_t r10 = (n % divisor) * 10; - uintmax_t r2 = (r10 % divisor) * 2; - amt = n / divisor; - tenths = r10 / divisor; - rounding = r2 < divisor ? 0 < r2 : 2 + (divisor < r2); - goto use_integer_arithmetic; - } - - { - /* Either the result cannot be computed easily using uintmax_t, - or from_block_size is zero. Fall back on floating point. - FIXME: This can yield answers that are slightly off. */ - - long double dto_block_size = to_block_size; - long double damt = n * (from_block_size / dto_block_size); - size_t buflen; - size_t nonintegerlen; - - if (! (opts & human_autoscale)) - { - sprintf (buf, "%.0Lf", adjust_value (inexact_style, damt)); - buflen = strlen (buf); - nonintegerlen = 0; - } - else - { - long double e = 1; - exponent = 0; - - do - { - e *= base; - exponent++; - } - while (e * base <= damt && exponent < exponent_max); - - damt /= e; - - sprintf (buf, "%.1Lf", adjust_value (inexact_style, damt)); - buflen = strlen (buf); - nonintegerlen = decimal_pointlen + 1; - - if (1 + nonintegerlen + ! (opts & human_base_1024) < buflen - || ((opts & human_suppress_point_zero) - && buf[buflen - 1] == '0')) - { - sprintf (buf, "%.0Lf", - adjust_value (inexact_style, damt * 10) / 10); - buflen = strlen (buf); - nonintegerlen = 0; - } - } - - p = psuffix - buflen; - memmove (p, buf, buflen); - integerlim = p + buflen - nonintegerlen; - } - goto do_grouping; - - use_integer_arithmetic: - { - /* The computation can be done exactly, with integer arithmetic. - - Use power of BASE notation if requested and if adjusted AMT is - large enough. */ - - if (opts & human_autoscale) - { - exponent = 0; - - if (base <= amt) - { - do - { - unsigned int r10 = (amt % base) * 10 + tenths; - unsigned int r2 = (r10 % base) * 2 + (rounding >> 1); - amt /= base; - tenths = r10 / base; - rounding = (r2 < base - ? (r2 + rounding) != 0 - : 2 + (base < r2 + rounding)); - exponent++; - } - while (base <= amt && exponent < exponent_max); - - if (amt < 10) - { - if (inexact_style == human_round_to_nearest - ? 2 < rounding + (tenths & 1) - : inexact_style == human_ceiling && 0 < rounding) - { - tenths++; - rounding = 0; - - if (tenths == 10) - { - amt++; - tenths = 0; - } - } - - if (amt < 10 - && (tenths || ! (opts & human_suppress_point_zero))) - { - *--p = '0' + tenths; - p -= decimal_pointlen; - memcpy (p, decimal_point, decimal_pointlen); - tenths = rounding = 0; - } - } - } - } - - if (inexact_style == human_round_to_nearest - ? 5 < tenths + (0 < rounding + (amt & 1)) - : inexact_style == human_ceiling && 0 < tenths + rounding) - { - amt++; - - if ((opts & human_autoscale) - && amt == base && exponent < exponent_max) - { - exponent++; - if (! (opts & human_suppress_point_zero)) - { - *--p = '0'; - p -= decimal_pointlen; - memcpy (p, decimal_point, decimal_pointlen); - } - amt = 1; - } - } - - integerlim = p; - - do - { - int digit = amt % 10; - *--p = digit + '0'; - } - while ((amt /= 10) != 0); - } - - do_grouping: - if (opts & human_group_digits) - p = group_number (p, integerlim - p, grouping, thousands_sep); - - if (opts & human_SI) - { - if (exponent < 0) - { - uintmax_t power; - exponent = 0; - for (power = 1; power < to_block_size; power *= base) - if (++exponent == exponent_max) - break; - } - - if (exponent) - *psuffix++ = (! (opts & human_base_1024) && exponent == 1 - ? 'k' - : power_letter[exponent]); - - if (opts & human_B) - { - if ((opts & human_base_1024) && exponent) - *psuffix++ = 'i'; - *psuffix++ = 'B'; - } - } - - *psuffix = '\0'; - - return p; -} - - -/* The default block size used for output. This number may change in - the future as disks get larger. */ -#ifndef DEFAULT_BLOCK_SIZE -# define DEFAULT_BLOCK_SIZE 1024 -#endif - -static char const *const block_size_args[] = { "human-readable", "si", 0 }; -static int const block_size_opts[] = - { - human_autoscale + human_SI + human_base_1024, - human_autoscale + human_SI - }; - -static uintmax_t -default_block_size (void) -{ - return getenv ("POSIXLY_CORRECT") ? 512 : DEFAULT_BLOCK_SIZE; -} - -static strtol_error -humblock (char const *spec, uintmax_t *block_size, int *options) -{ - int i; - int opts = 0; - - if (! spec - && ! (spec = getenv ("BLOCK_SIZE")) - && ! (spec = getenv ("BLOCKSIZE"))) - *block_size = default_block_size (); - else - { - if (*spec == '\'') - { - opts |= human_group_digits; - spec++; - } - - if (0 <= (i = ARGMATCH (spec, block_size_args, block_size_opts))) - { - opts |= block_size_opts[i]; - *block_size = 1; - } - else - { - char *ptr; - strtol_error e = xstrtoumax (spec, &ptr, 0, block_size, - "eEgGkKmMpPtTyYzZ0"); - if (e != LONGINT_OK) - return e; - for (; ! ('0' <= *spec && *spec <= '9'); spec++) - if (spec == ptr) - { - opts |= human_SI; - if (ptr[-1] == 'B') - opts |= human_B; - if (ptr[-1] != 'B' || ptr[-2] == 'i') - opts |= human_base_1024; - break; - } - } - } - - *options = opts; - return LONGINT_OK; -} - -int -human_options (char const *spec, bool report_errors, uintmax_t *block_size) -{ - int opts; - strtol_error e = humblock (spec, block_size, &opts); - if (*block_size == 0) - { - *block_size = default_block_size (); - e = LONGINT_INVALID; - } - if (e != LONGINT_OK && report_errors) - STRTOL_FATAL_ERROR (spec, _("block size"), e); - return opts; -} diff --git a/contrib/gnu-sort/lib/human.h b/contrib/gnu-sort/lib/human.h deleted file mode 100644 index b67ba4e..0000000 --- a/contrib/gnu-sort/lib/human.h +++ /dev/null @@ -1,88 +0,0 @@ -/* human.h -- print human readable file size - - Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 - Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert and Larry McVoy. */ - -#ifndef HUMAN_H_ -# define HUMAN_H_ 1 - -# if HAVE_CONFIG_H -# include <config.h> -# endif - -# include <limits.h> -# include <stdbool.h> - -# if HAVE_STDINT_H -# include <stdint.h> -# endif -# if HAVE_UNISTD_H -# include <unistd.h> -# endif - -/* A conservative bound on the maximum length of a human-readable string. - The output can be the square of the largest uintmax_t, so double - its size before converting to a bound. - 302 / 1000 is ceil (log10 (2.0)). Add 1 for integer division truncation. - Also, the output can have a thousands separator between every digit, - so multiply by MB_LEN_MAX + 1 and then subtract MB_LEN_MAX. - Finally, append 3, the maximum length of a suffix. */ -# define LONGEST_HUMAN_READABLE \ - ((2 * sizeof (uintmax_t) * CHAR_BIT * 302 / 1000 + 1) * (MB_LEN_MAX + 1) \ - - MB_LEN_MAX + 3) - -/* Options for human_readable. */ -enum -{ - /* Unless otherwise specified these options may be ORed together. */ - - /* The following three options are mutually exclusive. */ - /* Round to plus infinity (default). */ - human_ceiling = 0, - /* Round to nearest, ties to even. */ - human_round_to_nearest = 1, - /* Round to minus infinity. */ - human_floor = 2, - - /* Group digits together, e.g. `1,000,000'. This uses the - locale-defined grouping; the traditional C locale does not group, - so this has effect only if some other locale is in use. */ - human_group_digits = 4, - - /* When autoscaling, suppress ".0" at end. */ - human_suppress_point_zero = 8, - - /* Scale output and use SI-style units, ignoring the output block size. */ - human_autoscale = 16, - - /* Prefer base 1024 to base 1000. */ - human_base_1024 = 32, - - /* Append SI prefix, e.g. "k" or "M". */ - human_SI = 64, - - /* Append "B" (if base 1000) or "iB" (if base 1024) to SI prefix. */ - human_B = 128 -}; - -char *human_readable (uintmax_t, char *, int, uintmax_t, uintmax_t); - -int human_options (char const *, bool, uintmax_t *); - -#endif /* HUMAN_H_ */ diff --git a/contrib/gnu-sort/lib/inttostr.c b/contrib/gnu-sort/lib/inttostr.c deleted file mode 100644 index 78a48af..0000000 --- a/contrib/gnu-sort/lib/inttostr.c +++ /dev/null @@ -1,49 +0,0 @@ -/* inttostr.c -- convert integers to printable strings - - Copyright (C) 2001 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert */ - -#include "inttostr.h" - -/* Convert I to a printable string in BUF, which must be at least - INT_BUFSIZE_BOUND (INTTYPE) bytes long. Return the address of the - printable string, which need not start at BUF. */ - -char * -inttostr (inttype i, char *buf) -{ - char *p = buf + INT_STRLEN_BOUND (inttype); - *p = 0; - - if (i < 0) - { - do - *--p = '0' - i % 10; - while ((i /= 10) != 0); - - *--p = '-'; - } - else - { - do - *--p = '0' + i % 10; - while ((i /= 10) != 0); - } - - return p; -} diff --git a/contrib/gnu-sort/lib/inttostr.h b/contrib/gnu-sort/lib/inttostr.h deleted file mode 100644 index 6f2416b..0000000 --- a/contrib/gnu-sort/lib/inttostr.h +++ /dev/null @@ -1,47 +0,0 @@ -/* inttostr.h -- convert integers to printable strings - - Copyright (C) 2001, 2002, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#if HAVE_INTTYPES_H -# include <inttypes.h> -#endif -#if HAVE_STDINT_H -# include <stdint.h> -#endif - -#include <limits.h> - -#if HAVE_SYS_TYPES_H -# include <sys/types.h> -#endif - -/* Upper bound on the string length of an integer converted to string. - 302 / 1000 is ceil (log10 (2.0)). Subtract 1 for the sign bit; - add 1 for integer division truncation; add 1 more for a minus sign. */ -#define INT_STRLEN_BOUND(t) ((sizeof (t) * CHAR_BIT - 1) * 302 / 1000 + 2) - -#define INT_BUFSIZE_BOUND(t) (INT_STRLEN_BOUND (t) + 1) - -char *offtostr (off_t, char *); -char *imaxtostr (intmax_t, char *); -char *umaxtostr (uintmax_t, char *); diff --git a/contrib/gnu-sort/lib/long-options.c b/contrib/gnu-sort/lib/long-options.c deleted file mode 100644 index 1c4e74a..0000000 --- a/contrib/gnu-sort/lib/long-options.c +++ /dev/null @@ -1,91 +0,0 @@ -/* Utility to accept --help and --version options as unobtrusively as possible. - - Copyright (C) 1993, 1994, 1998, 1999, 2000, 2002, 2003, 2004 Free - Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Jim Meyering. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -/* Specification. */ -#include "long-options.h" - -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <getopt.h> - -#include "version-etc.h" - -static struct option const long_options[] = -{ - {"help", no_argument, 0, 'h'}, - {"version", no_argument, 0, 'v'}, - {0, 0, 0, 0} -}; - -/* Process long options --help and --version, but only if argc == 2. - Be careful not to gobble up `--'. */ - -void -parse_long_options (int argc, - char **argv, - const char *command_name, - const char *package, - const char *version, - void (*usage_func) (int), - /* const char *author1, ...*/ ...) -{ - int c; - int saved_opterr; - - saved_opterr = opterr; - - /* Don't print an error message for unrecognized options. */ - opterr = 0; - - if (argc == 2 - && (c = getopt_long (argc, argv, "+", long_options, NULL)) != -1) - { - switch (c) - { - case 'h': - (*usage_func) (EXIT_SUCCESS); - - case 'v': - { - va_list authors; - va_start (authors, usage_func); - version_etc_va (stdout, command_name, package, version, authors); - exit (0); - } - - default: - /* Don't process any other long-named options. */ - break; - } - } - - /* Restore previous value. */ - opterr = saved_opterr; - - /* Reset this to zero so that getopt internals get initialized from - the probably-new parameters when/if getopt is called later. */ - optind = 0; -} diff --git a/contrib/gnu-sort/lib/long-options.h b/contrib/gnu-sort/lib/long-options.h deleted file mode 100644 index 50f0c34..0000000 --- a/contrib/gnu-sort/lib/long-options.h +++ /dev/null @@ -1,26 +0,0 @@ -/* long-options.h -- declaration for --help- and --version-handling function. - Copyright (C) 1993, 1994, 1998, 1999, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Jim Meyering. */ - -void parse_long_options (int _argc, - char **_argv, - const char *_command_name, - const char *_package, - const char *_version, - void (*_usage) (int), - /* const char *author1, ...*/ ...); diff --git a/contrib/gnu-sort/lib/memcoll.c b/contrib/gnu-sort/lib/memcoll.c deleted file mode 100644 index e777e6a..0000000 --- a/contrib/gnu-sort/lib/memcoll.c +++ /dev/null @@ -1,85 +0,0 @@ -/* Locale-specific memory comparison. - Copyright (C) 1999, 2002, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Contributed by Paul Eggert <eggert@twinsun.com>. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "memcoll.h" - -#include <errno.h> -#include <string.h> - -/* Compare S1 (with length S1LEN) and S2 (with length S2LEN) according - to the LC_COLLATE locale. S1 and S2 do not overlap, and are not - adjacent. Perhaps temporarily modify the bytes after S1 and S2, - but restore their original contents before returning. Set errno to an - error number if there is an error, and to zero otherwise. */ -int -memcoll (char *s1, size_t s1len, char *s2, size_t s2len) -{ - int diff; - -#if HAVE_STRCOLL - - char n1 = s1[s1len]; - char n2 = s2[s2len]; - - s1[s1len++] = '\0'; - s2[s2len++] = '\0'; - - while (! (errno = 0, (diff = strcoll (s1, s2)) || errno)) - { - /* strcoll found no difference, but perhaps it was fooled by NUL - characters in the data. Work around this problem by advancing - past the NUL chars. */ - size_t size1 = strlen (s1) + 1; - size_t size2 = strlen (s2) + 1; - s1 += size1; - s2 += size2; - s1len -= size1; - s2len -= size2; - - if (s1len == 0) - { - if (s2len != 0) - diff = -1; - break; - } - else if (s2len == 0) - { - diff = 1; - break; - } - } - - s1[s1len - 1] = n1; - s2[s2len - 1] = n2; - -#else - - diff = memcmp (s1, s2, s1len < s2len ? s1len : s2len); - if (! diff) - diff = s1len < s2len ? -1 : s1len != s2len; - errno = 0; - -#endif - - return diff; -} diff --git a/contrib/gnu-sort/lib/memcoll.h b/contrib/gnu-sort/lib/memcoll.h deleted file mode 100644 index 66b2ecb..0000000 --- a/contrib/gnu-sort/lib/memcoll.h +++ /dev/null @@ -1,28 +0,0 @@ -/* Locale-specific memory comparison. - - Copyright (C) 1999, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Contributed by Paul Eggert <eggert@twinsun.com>. */ - -#ifndef MEMCOLL_H_ -# define MEMCOLL_H_ 1 - -# include <stddef.h> - -int memcoll (char *, size_t, char *, size_t); - -#endif /* MEMCOLL_H_ */ diff --git a/contrib/gnu-sort/lib/pathmax.h b/contrib/gnu-sort/lib/pathmax.h deleted file mode 100644 index bdd756e..0000000 --- a/contrib/gnu-sort/lib/pathmax.h +++ /dev/null @@ -1,54 +0,0 @@ -/* Define PATH_MAX somehow. Requires sys/types.h. - Copyright (C) 1992, 1999, 2001, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#ifndef _PATHMAX_H -# define _PATHMAX_H - -# if HAVE_UNISTD_H -# include <unistd.h> -# endif - -/* Non-POSIX BSD systems might have gcc's limits.h, which doesn't define - PATH_MAX but might cause redefinition warnings when sys/param.h is - later included (as on MORE/BSD 4.3). */ -# if defined _POSIX_VERSION || !defined __GNUC__ -# include <limits.h> -# endif - -# ifndef _POSIX_PATH_MAX -# define _POSIX_PATH_MAX 255 -# endif - -# if !defined PATH_MAX && defined _PC_PATH_MAX -# define PATH_MAX (pathconf ("/", _PC_PATH_MAX) < 1 ? 1024 \ - : pathconf ("/", _PC_PATH_MAX)) -# endif - -/* Don't include sys/param.h if it already has been. */ -# if defined HAVE_SYS_PARAM_H && !defined PATH_MAX && !defined MAXPATHLEN -# include <sys/param.h> -# endif - -# if !defined PATH_MAX && defined MAXPATHLEN -# define PATH_MAX MAXPATHLEN -# endif - -# ifndef PATH_MAX -# define PATH_MAX _POSIX_PATH_MAX -# endif - -#endif /* _PATHMAX_H */ diff --git a/contrib/gnu-sort/lib/physmem.c b/contrib/gnu-sort/lib/physmem.c deleted file mode 100644 index dc67b57..0000000 --- a/contrib/gnu-sort/lib/physmem.c +++ /dev/null @@ -1,307 +0,0 @@ -/* Calculate the size of physical memory. - Copyright (C) 2000, 2001, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "physmem.h" - -#if HAVE_UNISTD_H -# include <unistd.h> -#endif - -#if HAVE_SYS_PSTAT_H -# include <sys/pstat.h> -#endif - -#if HAVE_SYS_SYSMP_H -# include <sys/sysmp.h> -#endif - -#if HAVE_SYS_SYSINFO_H && HAVE_MACHINE_HAL_SYSINFO_H -# include <sys/sysinfo.h> -# include <machine/hal_sysinfo.h> -#endif - -#if HAVE_SYS_TABLE_H -# include <sys/table.h> -#endif - -#include <sys/types.h> - -#if HAVE_SYS_PARAM_H -# include <sys/param.h> -#endif - -#if HAVE_SYS_SYSCTL_H -# include <sys/sysctl.h> -#endif - -#if HAVE_SYS_SYSTEMCFG_H -# include <sys/systemcfg.h> -#endif - -#ifdef _WIN32 -# define WIN32_LEAN_AND_MEAN -# include <windows.h> -/* MEMORYSTATUSEX is missing from older windows headers, so define - a local replacement. */ -typedef struct -{ - DWORD dwLength; - DWORD dwMemoryLoad; - DWORDLONG ullTotalPhys; - DWORDLONG ullAvailPhys; - DWORDLONG ullTotalPageFile; - DWORDLONG ullAvailPageFile; - DWORDLONG ullTotalVirtual; - DWORDLONG ullAvailVirtual; - DWORDLONG ullAvailExtendedVirtual; -} lMEMORYSTATUSEX; -typedef WINBOOL (WINAPI *PFN_MS_EX) (lMEMORYSTATUSEX*); -#endif - -#define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0])) - -/* Return the total amount of physical memory. */ -double -physmem_total (void) -{ -#if defined _SC_PHYS_PAGES && defined _SC_PAGESIZE - { /* This works on linux-gnu, solaris2 and cygwin. */ - double pages = sysconf (_SC_PHYS_PAGES); - double pagesize = sysconf (_SC_PAGESIZE); - if (0 <= pages && 0 <= pagesize) - return pages * pagesize; - } -#endif - -#if HAVE_PSTAT_GETSTATIC - { /* This works on hpux11. */ - struct pst_static pss; - if (0 <= pstat_getstatic (&pss, sizeof pss, 1, 0)) - { - double pages = pss.physical_memory; - double pagesize = pss.page_size; - if (0 <= pages && 0 <= pagesize) - return pages * pagesize; - } - } -#endif - -#if HAVE_SYSMP && defined MP_SAGET && defined MPSA_RMINFO && defined _SC_PAGESIZE - { /* This works on irix6. */ - struct rminfo realmem; - if (sysmp (MP_SAGET, MPSA_RMINFO, &realmem, sizeof realmem) == 0) - { - double pagesize = sysconf (_SC_PAGESIZE); - double pages = realmem.physmem; - if (0 <= pages && 0 <= pagesize) - return pages * pagesize; - } - } -#endif - -#if HAVE_GETSYSINFO && defined GSI_PHYSMEM - { /* This works on Tru64 UNIX V4/5. */ - int physmem; - - if (getsysinfo (GSI_PHYSMEM, (caddr_t) &physmem, sizeof (physmem), - NULL, NULL, NULL) == 1) - { - double kbytes = physmem; - - if (0 <= kbytes) - return kbytes * 1024.0; - } - } -#endif - -#if HAVE_SYSCTL && defined HW_PHYSMEM - { /* This works on *bsd and darwin. */ - unsigned int physmem; - size_t len = sizeof physmem; - static int mib[2] = { CTL_HW, HW_PHYSMEM }; - - if (sysctl (mib, ARRAY_SIZE (mib), &physmem, &len, NULL, 0) == 0 - && len == sizeof (physmem)) - return (double) physmem; - } -#endif - -#if HAVE__SYSTEM_CONFIGURATION - /* This works on AIX. */ - return _system_configuration.physmem; -#endif - -#if defined _WIN32 - { /* this works on windows */ - PFN_MS_EX pfnex; - HMODULE h = GetModuleHandle ("kernel32.dll"); - - if (!h) - return 0.0; - - /* Use GlobalMemoryStatusEx if available. */ - if ((pfnex = (PFN_MS_EX) GetProcAddress (h, "GlobalMemoryStatusEx"))) - { - lMEMORYSTATUSEX lms_ex; - lms_ex.dwLength = sizeof lms_ex; - if (!pfnex (&lms_ex)) - return 0.0; - return (double) lms_ex.ullTotalPhys; - } - - /* Fall back to GlobalMemoryStatus which is always available. - but returns wrong results for physical memory > 4GB. */ - else - { - MEMORYSTATUS ms; - GlobalMemoryStatus (&ms); - return (double) ms.dwTotalPhys; - } - } -#endif - - /* Guess 64 MB. It's probably an older host, so guess small. */ - return 64 * 1024 * 1024; -} - -/* Return the amount of physical memory available. */ -double -physmem_available (void) -{ -#if defined _SC_AVPHYS_PAGES && defined _SC_PAGESIZE - { /* This works on linux-gnu, solaris2 and cygwin. */ - double pages = sysconf (_SC_AVPHYS_PAGES); - double pagesize = sysconf (_SC_PAGESIZE); - if (0 <= pages && 0 <= pagesize) - return pages * pagesize; - } -#endif - -#if HAVE_PSTAT_GETSTATIC && HAVE_PSTAT_GETDYNAMIC - { /* This works on hpux11. */ - struct pst_static pss; - struct pst_dynamic psd; - if (0 <= pstat_getstatic (&pss, sizeof pss, 1, 0) - && 0 <= pstat_getdynamic (&psd, sizeof psd, 1, 0)) - { - double pages = psd.psd_free; - double pagesize = pss.page_size; - if (0 <= pages && 0 <= pagesize) - return pages * pagesize; - } - } -#endif - -#if HAVE_SYSMP && defined MP_SAGET && defined MPSA_RMINFO && defined _SC_PAGESIZE - { /* This works on irix6. */ - struct rminfo realmem; - if (sysmp (MP_SAGET, MPSA_RMINFO, &realmem, sizeof realmem) == 0) - { - double pagesize = sysconf (_SC_PAGESIZE); - double pages = realmem.availrmem; - if (0 <= pages && 0 <= pagesize) - return pages * pagesize; - } - } -#endif - -#if HAVE_TABLE && defined TBL_VMSTATS - { /* This works on Tru64 UNIX V4/5. */ - struct tbl_vmstats vmstats; - - if (table (TBL_VMSTATS, 0, &vmstats, 1, sizeof (vmstats)) == 1) - { - double pages = vmstats.free_count; - double pagesize = vmstats.pagesize; - - if (0 <= pages && 0 <= pagesize) - return pages * pagesize; - } - } -#endif - -#if HAVE_SYSCTL && defined HW_USERMEM - { /* This works on *bsd and darwin. */ - unsigned int usermem; - size_t len = sizeof usermem; - static int mib[2] = { CTL_HW, HW_USERMEM }; - - if (sysctl (mib, ARRAY_SIZE (mib), &usermem, &len, NULL, 0) == 0 - && len == sizeof (usermem)) - return (double) usermem; - } -#endif - -#if defined _WIN32 - { /* this works on windows */ - PFN_MS_EX pfnex; - HMODULE h = GetModuleHandle ("kernel32.dll"); - - if (!h) - return 0.0; - - /* Use GlobalMemoryStatusEx if available. */ - if ((pfnex = (PFN_MS_EX) GetProcAddress (h, "GlobalMemoryStatusEx"))) - { - lMEMORYSTATUSEX lms_ex; - lms_ex.dwLength = sizeof lms_ex; - if (!pfnex (&lms_ex)) - return 0.0; - return (double) lms_ex.ullAvailPhys; - } - - /* Fall back to GlobalMemoryStatus which is always available. - but returns wrong results for physical memory > 4GB */ - else - { - MEMORYSTATUS ms; - GlobalMemoryStatus (&ms); - return (double) ms.dwAvailPhys; - } - } -#endif - - /* Guess 25% of physical memory. */ - return physmem_total () / 4; -} - - -#if DEBUG - -# include <stdio.h> -# include <stdlib.h> - -int -main (void) -{ - printf ("%12.f %12.f\n", physmem_total (), physmem_available ()); - exit (0); -} - -#endif /* DEBUG */ - -/* -Local Variables: -compile-command: "gcc -DDEBUG -DHAVE_CONFIG_H -I.. -g -O -Wall -W physmem.c" -End: -*/ diff --git a/contrib/gnu-sort/lib/physmem.h b/contrib/gnu-sort/lib/physmem.h deleted file mode 100644 index 67f880c..0000000 --- a/contrib/gnu-sort/lib/physmem.h +++ /dev/null @@ -1,27 +0,0 @@ -/* Calculate the size of physical memory. - - Copyright (C) 2000, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert. */ - -#ifndef PHYSMEM_H_ -# define PHYSMEM_H_ 1 - -double physmem_total (void); -double physmem_available (void); - -#endif /* PHYSMEM_H_ */ diff --git a/contrib/gnu-sort/lib/posixver.c b/contrib/gnu-sort/lib/posixver.c deleted file mode 100644 index 754d7ac..0000000 --- a/contrib/gnu-sort/lib/posixver.c +++ /dev/null @@ -1,59 +0,0 @@ -/* Which POSIX version to conform to, for utilities. - - Copyright (C) 2002, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "posixver.h" - -#include <limits.h> -#include <stdlib.h> - -#if HAVE_UNISTD_H -# include <unistd.h> -#endif -#ifndef _POSIX2_VERSION -# define _POSIX2_VERSION 0 -#endif - -#ifndef DEFAULT_POSIX2_VERSION -# define DEFAULT_POSIX2_VERSION _POSIX2_VERSION -#endif - -/* The POSIX version that utilities should conform to. The default is - specified by the system. */ - -int -posix2_version (void) -{ - long int v = DEFAULT_POSIX2_VERSION; - char const *s = getenv ("_POSIX2_VERSION"); - - if (s && *s) - { - char *e; - long int i = strtol (s, &e, 10); - if (! *e) - v = i; - } - - return v < INT_MIN ? INT_MIN : v < INT_MAX ? v : INT_MAX; -} diff --git a/contrib/gnu-sort/lib/posixver.h b/contrib/gnu-sort/lib/posixver.h deleted file mode 100644 index b64f6a2..0000000 --- a/contrib/gnu-sort/lib/posixver.h +++ /dev/null @@ -1 +0,0 @@ -int posix2_version (void); diff --git a/contrib/gnu-sort/lib/quote.c b/contrib/gnu-sort/lib/quote.c deleted file mode 100644 index 5f11d83..0000000 --- a/contrib/gnu-sort/lib/quote.c +++ /dev/null @@ -1,41 +0,0 @@ -/* quote.c - quote arguments for output - Copyright (C) 1998, 1999, 2000, 2001, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert <eggert@twinsun.com> */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "quotearg.h" -#include "quote.h" - -/* Return an unambiguous printable representation of NAME, - allocated in slot N, suitable for diagnostics. */ -char const * -quote_n (int n, char const *name) -{ - return quotearg_n_style (n, locale_quoting_style, name); -} - -/* Return an unambiguous printable representation of NAME, - suitable for diagnostics. */ -char const * -quote (char const *name) -{ - return quote_n (0, name); -} diff --git a/contrib/gnu-sort/lib/quote.h b/contrib/gnu-sort/lib/quote.h deleted file mode 100644 index 682f9d1..0000000 --- a/contrib/gnu-sort/lib/quote.h +++ /dev/null @@ -1,22 +0,0 @@ -/* quote.h - prototypes for quote.c - - Copyright (C) 1998, 1999, 2000, 2001, 2003 Free Software - Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - - -char const *quote_n (int n, char const *name); -char const *quote (char const *name); diff --git a/contrib/gnu-sort/lib/quotearg.c b/contrib/gnu-sort/lib/quotearg.c deleted file mode 100644 index 64fa676..0000000 --- a/contrib/gnu-sort/lib/quotearg.c +++ /dev/null @@ -1,673 +0,0 @@ -/* quotearg.c - quote arguments for output - - Copyright (C) 1998, 1999, 2000, 2001, 2002, 2004 Free Software - Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert <eggert@twinsun.com> */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "quotearg.h" - -#include "xalloc.h" - -#include <ctype.h> -#include <errno.h> -#include <limits.h> -#include <stdbool.h> -#include <stdlib.h> -#include <string.h> - -#include "gettext.h" -#define _(msgid) gettext (msgid) -#define N_(msgid) msgid - -#if HAVE_WCHAR_H - -/* BSD/OS 4.1 wchar.h requires FILE and struct tm to be declared. */ -# include <stdio.h> -# include <time.h> - -# include <wchar.h> -#endif - -#if !HAVE_MBRTOWC -/* Disable multibyte processing entirely. Since MB_CUR_MAX is 1, the - other macros are defined only for documentation and to satisfy C - syntax. */ -# undef MB_CUR_MAX -# define MB_CUR_MAX 1 -# define mbrtowc(pwc, s, n, ps) ((*(pwc) = *(s)) != 0) -# define iswprint(wc) isprint ((unsigned char) (wc)) -# undef HAVE_MBSINIT -#endif - -#if !defined mbsinit && !HAVE_MBSINIT -# define mbsinit(ps) 1 -#endif - -#ifndef iswprint -# if HAVE_WCTYPE_H -# include <wctype.h> -# endif -# if !defined iswprint && !HAVE_ISWPRINT -# define iswprint(wc) 1 -# endif -#endif - -#ifndef SIZE_MAX -# define SIZE_MAX ((size_t) -1) -#endif - -#define INT_BITS (sizeof (int) * CHAR_BIT) - -struct quoting_options -{ - /* Basic quoting style. */ - enum quoting_style style; - - /* Quote the characters indicated by this bit vector even if the - quoting style would not normally require them to be quoted. */ - int quote_these_too[(UCHAR_MAX / INT_BITS) + 1]; -}; - -/* Names of quoting styles. */ -char const *const quoting_style_args[] = -{ - "literal", - "shell", - "shell-always", - "c", - "escape", - "locale", - "clocale", - 0 -}; - -/* Correspondences to quoting style names. */ -enum quoting_style const quoting_style_vals[] = -{ - literal_quoting_style, - shell_quoting_style, - shell_always_quoting_style, - c_quoting_style, - escape_quoting_style, - locale_quoting_style, - clocale_quoting_style -}; - -/* The default quoting options. */ -static struct quoting_options default_quoting_options; - -/* Allocate a new set of quoting options, with contents initially identical - to O if O is not null, or to the default if O is null. - It is the caller's responsibility to free the result. */ -struct quoting_options * -clone_quoting_options (struct quoting_options *o) -{ - int e = errno; - struct quoting_options *p = xmalloc (sizeof *p); - *p = *(o ? o : &default_quoting_options); - errno = e; - return p; -} - -/* Get the value of O's quoting style. If O is null, use the default. */ -enum quoting_style -get_quoting_style (struct quoting_options *o) -{ - return (o ? o : &default_quoting_options)->style; -} - -/* In O (or in the default if O is null), - set the value of the quoting style to S. */ -void -set_quoting_style (struct quoting_options *o, enum quoting_style s) -{ - (o ? o : &default_quoting_options)->style = s; -} - -/* In O (or in the default if O is null), - set the value of the quoting options for character C to I. - Return the old value. Currently, the only values defined for I are - 0 (the default) and 1 (which means to quote the character even if - it would not otherwise be quoted). */ -int -set_char_quoting (struct quoting_options *o, char c, int i) -{ - unsigned char uc = c; - int *p = (o ? o : &default_quoting_options)->quote_these_too + uc / INT_BITS; - int shift = uc % INT_BITS; - int r = (*p >> shift) & 1; - *p ^= ((i & 1) ^ r) << shift; - return r; -} - -/* MSGID approximates a quotation mark. Return its translation if it - has one; otherwise, return either it or "\"", depending on S. */ -static char const * -gettext_quote (char const *msgid, enum quoting_style s) -{ - char const *translation = _(msgid); - if (translation == msgid && s == clocale_quoting_style) - translation = "\""; - return translation; -} - -/* Place into buffer BUFFER (of size BUFFERSIZE) a quoted version of - argument ARG (of size ARGSIZE), using QUOTING_STYLE and the - non-quoting-style part of O to control quoting. - Terminate the output with a null character, and return the written - size of the output, not counting the terminating null. - If BUFFERSIZE is too small to store the output string, return the - value that would have been returned had BUFFERSIZE been large enough. - If ARGSIZE is SIZE_MAX, use the string length of the argument for ARGSIZE. - - This function acts like quotearg_buffer (BUFFER, BUFFERSIZE, ARG, - ARGSIZE, O), except it uses QUOTING_STYLE instead of the quoting - style specified by O, and O may not be null. */ - -static size_t -quotearg_buffer_restyled (char *buffer, size_t buffersize, - char const *arg, size_t argsize, - enum quoting_style quoting_style, - struct quoting_options const *o) -{ - size_t i; - size_t len = 0; - char const *quote_string = 0; - size_t quote_string_len = 0; - bool backslash_escapes = false; - bool unibyte_locale = MB_CUR_MAX == 1; - -#define STORE(c) \ - do \ - { \ - if (len < buffersize) \ - buffer[len] = (c); \ - len++; \ - } \ - while (0) - - switch (quoting_style) - { - case c_quoting_style: - STORE ('"'); - backslash_escapes = true; - quote_string = "\""; - quote_string_len = 1; - break; - - case escape_quoting_style: - backslash_escapes = true; - break; - - case locale_quoting_style: - case clocale_quoting_style: - { - /* Get translations for open and closing quotation marks. - - The message catalog should translate "`" to a left - quotation mark suitable for the locale, and similarly for - "'". If the catalog has no translation, - locale_quoting_style quotes `like this', and - clocale_quoting_style quotes "like this". - - For example, an American English Unicode locale should - translate "`" to U+201C (LEFT DOUBLE QUOTATION MARK), and - should translate "'" to U+201D (RIGHT DOUBLE QUOTATION - MARK). A British English Unicode locale should instead - translate these to U+2018 (LEFT SINGLE QUOTATION MARK) and - U+2019 (RIGHT SINGLE QUOTATION MARK), respectively. */ - - char const *left = gettext_quote (N_("`"), quoting_style); - char const *right = gettext_quote (N_("'"), quoting_style); - for (quote_string = left; *quote_string; quote_string++) - STORE (*quote_string); - backslash_escapes = true; - quote_string = right; - quote_string_len = strlen (quote_string); - } - break; - - case shell_always_quoting_style: - STORE ('\''); - quote_string = "'"; - quote_string_len = 1; - break; - - default: - break; - } - - for (i = 0; ! (argsize == SIZE_MAX ? arg[i] == '\0' : i == argsize); i++) - { - unsigned char c; - unsigned char esc; - - if (backslash_escapes - && quote_string_len - && i + quote_string_len <= argsize - && memcmp (arg + i, quote_string, quote_string_len) == 0) - STORE ('\\'); - - c = arg[i]; - switch (c) - { - case '\0': - if (backslash_escapes) - { - STORE ('\\'); - STORE ('0'); - STORE ('0'); - c = '0'; - } - break; - - case '?': - switch (quoting_style) - { - case shell_quoting_style: - goto use_shell_always_quoting_style; - - case c_quoting_style: - if (i + 2 < argsize && arg[i + 1] == '?') - switch (arg[i + 2]) - { - case '!': case '\'': - case '(': case ')': case '-': case '/': - case '<': case '=': case '>': - /* Escape the second '?' in what would otherwise be - a trigraph. */ - c = arg[i + 2]; - i += 2; - STORE ('?'); - STORE ('\\'); - STORE ('?'); - break; - } - break; - - default: - break; - } - break; - - case '\a': esc = 'a'; goto c_escape; - case '\b': esc = 'b'; goto c_escape; - case '\f': esc = 'f'; goto c_escape; - case '\n': esc = 'n'; goto c_and_shell_escape; - case '\r': esc = 'r'; goto c_and_shell_escape; - case '\t': esc = 't'; goto c_and_shell_escape; - case '\v': esc = 'v'; goto c_escape; - case '\\': esc = c; goto c_and_shell_escape; - - c_and_shell_escape: - if (quoting_style == shell_quoting_style) - goto use_shell_always_quoting_style; - c_escape: - if (backslash_escapes) - { - c = esc; - goto store_escape; - } - break; - - case '{': case '}': /* sometimes special if isolated */ - if (! (argsize == SIZE_MAX ? arg[1] == '\0' : argsize == 1)) - break; - /* Fall through. */ - case '#': case '~': - if (i != 0) - break; - /* Fall through. */ - case ' ': - case '!': /* special in bash */ - case '"': case '$': case '&': - case '(': case ')': case '*': case ';': - case '<': - case '=': /* sometimes special in 0th or (with "set -k") later args */ - case '>': case '[': - case '^': /* special in old /bin/sh, e.g. SunOS 4.1.4 */ - case '`': case '|': - /* A shell special character. In theory, '$' and '`' could - be the first bytes of multibyte characters, which means - we should check them with mbrtowc, but in practice this - doesn't happen so it's not worth worrying about. */ - if (quoting_style == shell_quoting_style) - goto use_shell_always_quoting_style; - break; - - case '\'': - switch (quoting_style) - { - case shell_quoting_style: - goto use_shell_always_quoting_style; - - case shell_always_quoting_style: - STORE ('\''); - STORE ('\\'); - STORE ('\''); - break; - - default: - break; - } - break; - - case '%': case '+': case ',': case '-': case '.': case '/': - case '0': case '1': case '2': case '3': case '4': case '5': - case '6': case '7': case '8': case '9': case ':': - case 'A': case 'B': case 'C': case 'D': case 'E': case 'F': - case 'G': case 'H': case 'I': case 'J': case 'K': case 'L': - case 'M': case 'N': case 'O': case 'P': case 'Q': case 'R': - case 'S': case 'T': case 'U': case 'V': case 'W': case 'X': - case 'Y': case 'Z': case ']': case '_': case 'a': case 'b': - case 'c': case 'd': case 'e': case 'f': case 'g': case 'h': - case 'i': case 'j': case 'k': case 'l': case 'm': case 'n': - case 'o': case 'p': case 'q': case 'r': case 's': case 't': - case 'u': case 'v': case 'w': case 'x': case 'y': case 'z': - /* These characters don't cause problems, no matter what the - quoting style is. They cannot start multibyte sequences. */ - break; - - default: - /* If we have a multibyte sequence, copy it until we reach - its end, find an error, or come back to the initial shift - state. For C-like styles, if the sequence has - unprintable characters, escape the whole sequence, since - we can't easily escape single characters within it. */ - { - /* Length of multibyte sequence found so far. */ - size_t m; - - bool printable; - - if (unibyte_locale) - { - m = 1; - printable = isprint (c) != 0; - } - else - { - mbstate_t mbstate; - memset (&mbstate, 0, sizeof mbstate); - - m = 0; - printable = true; - if (argsize == SIZE_MAX) - argsize = strlen (arg); - - do - { - wchar_t w; - size_t bytes = mbrtowc (&w, &arg[i + m], - argsize - (i + m), &mbstate); - if (bytes == 0) - break; - else if (bytes == (size_t) -1) - { - printable = false; - break; - } - else if (bytes == (size_t) -2) - { - printable = false; - while (i + m < argsize && arg[i + m]) - m++; - break; - } - else - { - /* Work around a bug with older shells that "see" a '\' - that is really the 2nd byte of a multibyte character. - In practice the problem is limited to ASCII - chars >= '@' that are shell special chars. */ - if ('[' == 0x5b && quoting_style == shell_quoting_style) - { - size_t j; - for (j = 1; j < bytes; j++) - switch (arg[i + m + j]) - { - case '[': case '\\': case '^': - case '`': case '|': - goto use_shell_always_quoting_style; - } - } - - if (! iswprint (w)) - printable = false; - m += bytes; - } - } - while (! mbsinit (&mbstate)); - } - - if (1 < m || (backslash_escapes && ! printable)) - { - /* Output a multibyte sequence, or an escaped - unprintable unibyte character. */ - size_t ilim = i + m; - - for (;;) - { - if (backslash_escapes && ! printable) - { - STORE ('\\'); - STORE ('0' + (c >> 6)); - STORE ('0' + ((c >> 3) & 7)); - c = '0' + (c & 7); - } - if (ilim <= i + 1) - break; - STORE (c); - c = arg[++i]; - } - - goto store_c; - } - } - } - - if (! (backslash_escapes - && o->quote_these_too[c / INT_BITS] & (1 << (c % INT_BITS)))) - goto store_c; - - store_escape: - STORE ('\\'); - - store_c: - STORE (c); - } - - if (i == 0 && quoting_style == shell_quoting_style) - goto use_shell_always_quoting_style; - - if (quote_string) - for (; *quote_string; quote_string++) - STORE (*quote_string); - - if (len < buffersize) - buffer[len] = '\0'; - return len; - - use_shell_always_quoting_style: - return quotearg_buffer_restyled (buffer, buffersize, arg, argsize, - shell_always_quoting_style, o); -} - -/* Place into buffer BUFFER (of size BUFFERSIZE) a quoted version of - argument ARG (of size ARGSIZE), using O to control quoting. - If O is null, use the default. - Terminate the output with a null character, and return the written - size of the output, not counting the terminating null. - If BUFFERSIZE is too small to store the output string, return the - value that would have been returned had BUFFERSIZE been large enough. - If ARGSIZE is SIZE_MAX, use the string length of the argument for - ARGSIZE. */ -size_t -quotearg_buffer (char *buffer, size_t buffersize, - char const *arg, size_t argsize, - struct quoting_options const *o) -{ - struct quoting_options const *p = o ? o : &default_quoting_options; - int e = errno; - size_t r = quotearg_buffer_restyled (buffer, buffersize, arg, argsize, - p->style, p); - errno = e; - return r; -} - -/* Like quotearg_buffer (..., ARG, ARGSIZE, O), except return newly - allocated storage containing the quoted string. */ -char * -quotearg_alloc (char const *arg, size_t argsize, - struct quoting_options const *o) -{ - int e = errno; - size_t bufsize = quotearg_buffer (0, 0, arg, argsize, o) + 1; - char *buf = xmalloc (bufsize); - quotearg_buffer (buf, bufsize, arg, argsize, o); - errno = e; - return buf; -} - -/* Use storage slot N to return a quoted version of argument ARG. - ARG is of size ARGSIZE, but if that is SIZE_MAX, ARG is a - null-terminated string. - OPTIONS specifies the quoting options. - The returned value points to static storage that can be - reused by the next call to this function with the same value of N. - N must be nonnegative. N is deliberately declared with type "int" - to allow for future extensions (using negative values). */ -static char * -quotearg_n_options (int n, char const *arg, size_t argsize, - struct quoting_options const *options) -{ - int e = errno; - - /* Preallocate a slot 0 buffer, so that the caller can always quote - one small component of a "memory exhausted" message in slot 0. */ - static char slot0[256]; - static unsigned int nslots = 1; - unsigned int n0 = n; - struct slotvec - { - size_t size; - char *val; - }; - static struct slotvec slotvec0 = {sizeof slot0, slot0}; - static struct slotvec *slotvec = &slotvec0; - - if (n < 0) - abort (); - - if (nslots <= n0) - { - unsigned int n1 = n0 + 1; - - if (xalloc_oversized (n1, sizeof *slotvec)) - xalloc_die (); - - if (slotvec == &slotvec0) - { - slotvec = xmalloc (sizeof *slotvec); - *slotvec = slotvec0; - } - slotvec = xrealloc (slotvec, n1 * sizeof *slotvec); - memset (slotvec + nslots, 0, (n1 - nslots) * sizeof *slotvec); - nslots = n1; - } - - { - size_t size = slotvec[n].size; - char *val = slotvec[n].val; - size_t qsize = quotearg_buffer (val, size, arg, argsize, options); - - if (size <= qsize) - { - slotvec[n].size = size = qsize + 1; - if (val != slot0) - free (val); - slotvec[n].val = val = xmalloc (size); - quotearg_buffer (val, size, arg, argsize, options); - } - - errno = e; - return val; - } -} - -char * -quotearg_n (int n, char const *arg) -{ - return quotearg_n_options (n, arg, SIZE_MAX, &default_quoting_options); -} - -char * -quotearg (char const *arg) -{ - return quotearg_n (0, arg); -} - -/* Return quoting options for STYLE, with no extra quoting. */ -static struct quoting_options -quoting_options_from_style (enum quoting_style style) -{ - struct quoting_options o; - o.style = style; - memset (o.quote_these_too, 0, sizeof o.quote_these_too); - return o; -} - -char * -quotearg_n_style (int n, enum quoting_style s, char const *arg) -{ - struct quoting_options const o = quoting_options_from_style (s); - return quotearg_n_options (n, arg, SIZE_MAX, &o); -} - -char * -quotearg_n_style_mem (int n, enum quoting_style s, - char const *arg, size_t argsize) -{ - struct quoting_options const o = quoting_options_from_style (s); - return quotearg_n_options (n, arg, argsize, &o); -} - -char * -quotearg_style (enum quoting_style s, char const *arg) -{ - return quotearg_n_style (0, s, arg); -} - -char * -quotearg_char (char const *arg, char ch) -{ - struct quoting_options options; - options = default_quoting_options; - set_char_quoting (&options, ch, 1); - return quotearg_n_options (0, arg, SIZE_MAX, &options); -} - -char * -quotearg_colon (char const *arg) -{ - return quotearg_char (arg, ':'); -} diff --git a/contrib/gnu-sort/lib/quotearg.h b/contrib/gnu-sort/lib/quotearg.h deleted file mode 100644 index 14dc316..0000000 --- a/contrib/gnu-sort/lib/quotearg.h +++ /dev/null @@ -1,137 +0,0 @@ -/* quotearg.h - quote arguments for output - - Copyright (C) 1998, 1999, 2000, 2001, 2002, 2004 Free Software - Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert <eggert@twinsun.com> */ - -#ifndef QUOTEARG_H_ -# define QUOTEARG_H_ 1 - -# include <stddef.h> - -/* Basic quoting styles. */ -enum quoting_style - { - /* Output names as-is (ls --quoting-style=literal). */ - literal_quoting_style, - - /* Quote names for the shell if they contain shell metacharacters - or would cause ambiguous output (ls --quoting-style=shell). */ - shell_quoting_style, - - /* Quote names for the shell, even if they would normally not - require quoting (ls --quoting-style=shell-always). */ - shell_always_quoting_style, - - /* Quote names as for a C language string (ls --quoting-style=c). */ - c_quoting_style, - - /* Like c_quoting_style except omit the surrounding double-quote - characters (ls --quoting-style=escape). */ - escape_quoting_style, - - /* Like clocale_quoting_style, but quote `like this' instead of - "like this" in the default C locale (ls --quoting-style=locale). */ - locale_quoting_style, - - /* Like c_quoting_style except use quotation marks appropriate for - the locale (ls --quoting-style=clocale). */ - clocale_quoting_style - }; - -/* For now, --quoting-style=literal is the default, but this may change. */ -# ifndef DEFAULT_QUOTING_STYLE -# define DEFAULT_QUOTING_STYLE literal_quoting_style -# endif - -/* Names of quoting styles and their corresponding values. */ -extern char const *const quoting_style_args[]; -extern enum quoting_style const quoting_style_vals[]; - -struct quoting_options; - -/* The functions listed below set and use a hidden variable - that contains the default quoting style options. */ - -/* Allocate a new set of quoting options, with contents initially identical - to O if O is not null, or to the default if O is null. - It is the caller's responsibility to free the result. */ -struct quoting_options *clone_quoting_options (struct quoting_options *o); - -/* Get the value of O's quoting style. If O is null, use the default. */ -enum quoting_style get_quoting_style (struct quoting_options *o); - -/* In O (or in the default if O is null), - set the value of the quoting style to S. */ -void set_quoting_style (struct quoting_options *o, enum quoting_style s); - -/* In O (or in the default if O is null), - set the value of the quoting options for character C to I. - Return the old value. Currently, the only values defined for I are - 0 (the default) and 1 (which means to quote the character even if - it would not otherwise be quoted). */ -int set_char_quoting (struct quoting_options *o, char c, int i); - -/* Place into buffer BUFFER (of size BUFFERSIZE) a quoted version of - argument ARG (of size ARGSIZE), using O to control quoting. - If O is null, use the default. - Terminate the output with a null character, and return the written - size of the output, not counting the terminating null. - If BUFFERSIZE is too small to store the output string, return the - value that would have been returned had BUFFERSIZE been large enough. - If ARGSIZE is -1, use the string length of the argument for ARGSIZE. */ -size_t quotearg_buffer (char *buffer, size_t buffersize, - char const *arg, size_t argsize, - struct quoting_options const *o); - -/* Like quotearg_buffer, except return the result in a newly allocated - buffer. It is the caller's responsibility to free the result. */ -char *quotearg_alloc (char const *arg, size_t argsize, - struct quoting_options const *o); - -/* Use storage slot N to return a quoted version of the string ARG. - Use the default quoting options. - The returned value points to static storage that can be - reused by the next call to this function with the same value of N. - N must be nonnegative. */ -char *quotearg_n (int n, char const *arg); - -/* Equivalent to quotearg_n (0, ARG). */ -char *quotearg (char const *arg); - -/* Use style S and storage slot N to return a quoted version of the string ARG. - This is like quotearg_n (N, ARG), except that it uses S with no other - options to specify the quoting method. */ -char *quotearg_n_style (int n, enum quoting_style s, char const *arg); - -/* Use style S and storage slot N to return a quoted version of the - argument ARG of size ARGSIZE. This is like quotearg_n_style - (N, S, ARG), except it can quote null bytes. */ -char *quotearg_n_style_mem (int n, enum quoting_style s, - char const *arg, size_t argsize); - -/* Equivalent to quotearg_n_style (0, S, ARG). */ -char *quotearg_style (enum quoting_style s, char const *arg); - -/* Like quotearg (ARG), except also quote any instances of CH. */ -char *quotearg_char (char const *arg, char ch); - -/* Equivalent to quotearg_char (ARG, ':'). */ -char *quotearg_colon (char const *arg); - -#endif /* !QUOTEARG_H_ */ diff --git a/contrib/gnu-sort/lib/stat-macros.h b/contrib/gnu-sort/lib/stat-macros.h deleted file mode 100644 index facbabb..0000000 --- a/contrib/gnu-sort/lib/stat-macros.h +++ /dev/null @@ -1,255 +0,0 @@ -/* stat-related macros - - Copyright (C) 1993, 1994, 2001, 2002, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert and Jim Meyering. */ - -#ifndef STAT_MACROS_H -# define STAT_MACROS_H 1 - -# if ! defined S_ISREG && ! defined S_IFREG -# error "you must include <sys/stat.h> before including this file" -# endif - -# ifndef S_IFMT -# define S_IFMT 0170000 -# endif - -# if STAT_MACROS_BROKEN -# undef S_ISBLK -# undef S_ISCHR -# undef S_ISDIR -# undef S_ISDOOR -# undef S_ISFIFO -# undef S_ISLNK -# undef S_ISNAM -# undef S_ISMPB -# undef S_ISMPC -# undef S_ISNWK -# undef S_ISREG -# undef S_ISSOCK -# endif - - -# ifndef S_ISBLK -# ifdef S_IFBLK -# define S_ISBLK(m) (((m) & S_IFMT) == S_IFBLK) -# else -# define S_ISBLK(m) 0 -# endif -# endif - -# ifndef S_ISCHR -# ifdef S_IFCHR -# define S_ISCHR(m) (((m) & S_IFMT) == S_IFCHR) -# else -# define S_ISCHR(m) 0 -# endif -# endif - -# ifndef S_ISDIR -# ifdef S_IFDIR -# define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) -# else -# define S_ISDIR(m) 0 -# endif -# endif - -# ifndef S_ISDOOR /* Solaris 2.5 and up */ -# ifdef S_IFDOOR -# define S_ISDOOR(m) (((m) & S_IFMT) == S_IFDOOR) -# else -# define S_ISDOOR(m) 0 -# endif -# endif - -# ifndef S_ISFIFO -# ifdef S_IFIFO -# define S_ISFIFO(m) (((m) & S_IFMT) == S_IFIFO) -# else -# define S_ISFIFO(m) 0 -# endif -# endif - -# ifndef S_ISLNK -# ifdef S_IFLNK -# define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK) -# else -# define S_ISLNK(m) 0 -# endif -# endif - -# ifndef S_ISMPB /* V7 */ -# ifdef S_IFMPB -# define S_ISMPB(m) (((m) & S_IFMT) == S_IFMPB) -# define S_ISMPC(m) (((m) & S_IFMT) == S_IFMPC) -# else -# define S_ISMPB(m) 0 -# define S_ISMPC(m) 0 -# endif -# endif - -# ifndef S_ISNAM /* Xenix */ -# ifdef S_IFNAM -# define S_ISNAM(m) (((m) & S_IFMT) == S_IFNAM) -# else -# define S_ISNAM(m) 0 -# endif -# endif - -# ifndef S_ISNWK /* HP/UX */ -# ifdef S_IFNWK -# define S_ISNWK(m) (((m) & S_IFMT) == S_IFNWK) -# else -# define S_ISNWK(m) 0 -# endif -# endif - -# ifndef S_ISREG -# ifdef S_IFREG -# define S_ISREG(m) (((m) & S_IFMT) == S_IFREG) -# else -# define S_ISREG(m) 0 -# endif -# endif - -# ifndef S_ISSOCK -# ifdef S_IFSOCK -# define S_ISSOCK(m) (((m) & S_IFMT) == S_IFSOCK) -# else -# define S_ISSOCK(m) 0 -# endif -# endif - - -# ifndef S_TYPEISMQ -# define S_TYPEISMQ(p) 0 -# endif - -# ifndef S_TYPEISTMO -# define S_TYPEISTMO(p) 0 -# endif - - -# ifndef S_TYPEISSEM -# ifdef S_INSEM -# define S_TYPEISSEM(p) (S_ISNAM ((p)->st_mode) && (p)->st_rdev == S_INSEM) -# else -# define S_TYPEISSEM(p) 0 -# endif -# endif - -# ifndef S_TYPEISSHM -# ifdef S_INSHD -# define S_TYPEISSHM(p) (S_ISNAM ((p)->st_mode) && (p)->st_rdev == S_INSHD) -# else -# define S_TYPEISSHM(p) 0 -# endif -# endif - -/* contiguous */ -# ifndef S_ISCTG -# define S_ISCTG(p) 0 -# endif - -/* Cray DMF (data migration facility): off line, with data */ -# ifndef S_ISOFD -# define S_ISOFD(p) 0 -# endif - -/* Cray DMF (data migration facility): off line, with no data */ -# ifndef S_ISOFL -# define S_ISOFL(p) 0 -# endif - -/* If any of the following are undefined, - define them to their de facto standard values. */ -# if !S_ISUID -# define S_ISUID 04000 -# endif -# if !S_ISGID -# define S_ISGID 02000 -# endif - -/* S_ISVTX is a common extension to POSIX. */ -# ifndef S_ISVTX -# define S_ISVTX 01000 -# endif - -# if !S_IRUSR && S_IREAD -# define S_IRUSR S_IREAD -# endif -# if !S_IRUSR -# define S_IRUSR 00400 -# endif -# if !S_IRGRP -# define S_IRGRP (S_IRUSR >> 3) -# endif -# if !S_IROTH -# define S_IROTH (S_IRUSR >> 6) -# endif - -# if !S_IWUSR && S_IWRITE -# define S_IWUSR S_IWRITE -# endif -# if !S_IWUSR -# define S_IWUSR 00200 -# endif -# if !S_IWGRP -# define S_IWGRP (S_IWUSR >> 3) -# endif -# if !S_IWOTH -# define S_IWOTH (S_IWUSR >> 6) -# endif - -# if !S_IXUSR && S_IEXEC -# define S_IXUSR S_IEXEC -# endif -# if !S_IXUSR -# define S_IXUSR 00100 -# endif -# if !S_IXGRP -# define S_IXGRP (S_IXUSR >> 3) -# endif -# if !S_IXOTH -# define S_IXOTH (S_IXUSR >> 6) -# endif - -# if !S_IRWXU -# define S_IRWXU (S_IRUSR | S_IWUSR | S_IXUSR) -# endif -# if !S_IRWXG -# define S_IRWXG (S_IRGRP | S_IWGRP | S_IXGRP) -# endif -# if !S_IRWXO -# define S_IRWXO (S_IROTH | S_IWOTH | S_IXOTH) -# endif - -/* S_IXUGO is a common extension to POSIX. */ -# if !S_IXUGO -# define S_IXUGO (S_IXUSR | S_IXGRP | S_IXOTH) -# endif - -# ifndef S_IRWXUGO -# define S_IRWXUGO (S_IRWXU | S_IRWXG | S_IRWXO) -# endif - -/* All the mode bits that can be affected by chmod. */ -# define CHMOD_MODE_BITS \ - (S_ISUID | S_ISGID | S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO) - -#endif /* STAT_MACROS_H */ diff --git a/contrib/gnu-sort/lib/stdio-safer.h b/contrib/gnu-sort/lib/stdio-safer.h deleted file mode 100644 index 8a22f12..0000000 --- a/contrib/gnu-sort/lib/stdio-safer.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Invoke stdio functions, but avoid some glitches. - - Copyright (C) 2001, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert. */ - -#include <stdio.h> - -FILE *fopen_safer (char const *, char const *); diff --git a/contrib/gnu-sort/lib/strnlen.c b/contrib/gnu-sort/lib/strnlen.c deleted file mode 100644 index c9f3898..0000000 --- a/contrib/gnu-sort/lib/strnlen.c +++ /dev/null @@ -1,48 +0,0 @@ -/* Find the length of STRING, but scan at most MAXLEN characters. - Copyright (C) 1996, 1997, 1998, 2000-2003 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif -#undef strnlen - -#include <string.h> - -#undef __strnlen -#undef strnlen - -#ifndef _LIBC -# define strnlen rpl_strnlen -#endif - -#ifndef weak_alias -# define __strnlen strnlen -#endif - -/* Find the length of STRING, but scan at most MAXLEN characters. - If no '\0' terminator is found in that many characters, return MAXLEN. */ - -size_t -__strnlen (const char *string, size_t maxlen) -{ - const char *end = memchr (string, '\0', maxlen); - return end ? (size_t) (end - string) : maxlen; -} -#ifdef weak_alias -weak_alias (__strnlen, strnlen) -#endif diff --git a/contrib/gnu-sort/lib/timespec.h b/contrib/gnu-sort/lib/timespec.h deleted file mode 100644 index 2c32a23..0000000 --- a/contrib/gnu-sort/lib/timespec.h +++ /dev/null @@ -1,71 +0,0 @@ -/* timespec -- System time interface - - Copyright (C) 2000, 2002, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#if ! defined TIMESPEC_H -# define TIMESPEC_H - -/* You must include config.h before including this file. */ - -# include <sys/types.h> -# if TIME_WITH_SYS_TIME -# include <sys/time.h> -# include <time.h> -# else -# if HAVE_SYS_TIME_H -# include <sys/time.h> -# else -# include <time.h> -# endif -# endif - -# if ! HAVE_STRUCT_TIMESPEC -/* Some systems don't define this struct, e.g., AIX 4.1, Ultrix 4.3. */ -struct timespec -{ - time_t tv_sec; - long tv_nsec; -}; -# endif - -# ifdef ST_MTIM_NSEC -# define ST_TIME_CMP_NS(a, b, ns) ((a).ns < (b).ns ? -1 : (a).ns > (b).ns) -# else -# define ST_TIME_CMP_NS(a, b, ns) 0 -# endif -# define ST_TIME_CMP(a, b, s, ns) \ - ((a).s < (b).s ? -1 : (a).s > (b).s ? 1 : ST_TIME_CMP_NS(a, b, ns)) -# define ATIME_CMP(a, b) ST_TIME_CMP (a, b, st_atime, st_atim.ST_MTIM_NSEC) -# define CTIME_CMP(a, b) ST_TIME_CMP (a, b, st_ctime, st_ctim.ST_MTIM_NSEC) -# define MTIME_CMP(a, b) ST_TIME_CMP (a, b, st_mtime, st_mtim.ST_MTIM_NSEC) - -# ifdef ST_MTIM_NSEC -# define TIMESPEC_NS(timespec) ((timespec).ST_MTIM_NSEC) -# else -# define TIMESPEC_NS(timespec) 0 -# endif - -# if ! HAVE_DECL_NANOSLEEP -/* Don't specify a prototype here. Some systems (e.g., OSF) declare - nanosleep with a conflicting one (const-less first parameter). */ -int nanosleep (); -# endif - -int gettime (struct timespec *); -int settime (struct timespec const *); - -#endif diff --git a/contrib/gnu-sort/lib/umaxtostr.c b/contrib/gnu-sort/lib/umaxtostr.c deleted file mode 100644 index 4f49a7f..0000000 --- a/contrib/gnu-sort/lib/umaxtostr.c +++ /dev/null @@ -1,3 +0,0 @@ -#define inttostr umaxtostr -#define inttype uintmax_t -#include "inttostr.c" diff --git a/contrib/gnu-sort/lib/unistd-safer.h b/contrib/gnu-sort/lib/unistd-safer.h deleted file mode 100644 index 2976e9d..0000000 --- a/contrib/gnu-sort/lib/unistd-safer.h +++ /dev/null @@ -1,21 +0,0 @@ -/* Invoke unistd functions, but avoid some glitches. - - Copyright (C) 2001, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert. */ - -int dup_safer (int); diff --git a/contrib/gnu-sort/lib/version-etc.c b/contrib/gnu-sort/lib/version-etc.c deleted file mode 100644 index ccc135b..0000000 --- a/contrib/gnu-sort/lib/version-etc.c +++ /dev/null @@ -1,181 +0,0 @@ -/* Utility to help print --version output in a consistent format. - Copyright (C) 1999-2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* $FreeBSD$ */ - -/* Written by Jim Meyering. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -/* Specification. */ -#include "version-etc.h" - -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include "unlocked-io.h" - -#include "gettext.h" -#define _(msgid) gettext (msgid) - -/* Default copyright goes to the FSF. */ - -const char* version_etc_copyright = - /* Do *not* mark this string for translation. */ - "Copyright (C) 2004 Free Software Foundation, Inc."; - - -/* Like version_etc, below, but with the NULL-terminated author list - provided via a variable of type va_list. */ -void -version_etc_va (FILE *stream, - const char *command_name, const char *package, - const char *version, va_list authors) -{ - size_t n_authors; - - /* Count the number of authors. */ - { - va_list tmp_authors; - -#ifdef va_copy - va_copy (tmp_authors, authors); -#else - tmp_authors = authors; -#endif - - n_authors = 0; - while (va_arg (tmp_authors, const char *) != NULL) - ++n_authors; -#ifdef va_copy - va_end (tmp_authors); -#endif - } - - if (command_name) - fprintf (stream, "%s (%s) %s\n", command_name, package, version); - else - fprintf (stream, "%s %s\n", package, version); - - switch (n_authors) - { - case 0: - /* The caller must provide at least one author name. */ - abort (); - case 1: - /* TRANSLATORS: %s denotes an author name. */ - vfprintf (stream, _("Written by %s.\n"), authors); - break; - case 2: - /* TRANSLATORS: Each %s denotes an author name. */ - vfprintf (stream, _("Written by %s and %s.\n"), authors); - break; - case 3: - /* TRANSLATORS: Each %s denotes an author name. */ - vfprintf (stream, _("Written by %s, %s, and %s.\n"), authors); - break; - case 4: - /* TRANSLATORS: Each %s denotes an author name. - You can use line breaks, estimating that each author name occupies - ca. 16 screen columns and that a screen line has ca. 80 columns. */ - vfprintf (stream, _("Written by %s, %s, %s,\nand %s.\n"), authors); - break; - case 5: - /* TRANSLATORS: Each %s denotes an author name. - You can use line breaks, estimating that each author name occupies - ca. 16 screen columns and that a screen line has ca. 80 columns. */ - vfprintf (stream, _("Written by %s, %s, %s,\n%s, and %s.\n"), authors); - break; - case 6: - /* TRANSLATORS: Each %s denotes an author name. - You can use line breaks, estimating that each author name occupies - ca. 16 screen columns and that a screen line has ca. 80 columns. */ - vfprintf (stream, _("Written by %s, %s, %s,\n%s, %s, and %s.\n"), - authors); - break; - case 7: - /* TRANSLATORS: Each %s denotes an author name. - You can use line breaks, estimating that each author name occupies - ca. 16 screen columns and that a screen line has ca. 80 columns. */ - vfprintf (stream, _("Written by %s, %s, %s,\n%s, %s, %s, and %s.\n"), - authors); - break; - case 8: - /* TRANSLATORS: Each %s denotes an author name. - You can use line breaks, estimating that each author name occupies - ca. 16 screen columns and that a screen line has ca. 80 columns. */ - vfprintf (stream, _("\ -Written by %s, %s, %s,\n%s, %s, %s, %s,\nand %s.\n"), - authors); - break; - case 9: - /* TRANSLATORS: Each %s denotes an author name. - You can use line breaks, estimating that each author name occupies - ca. 16 screen columns and that a screen line has ca. 80 columns. */ - vfprintf (stream, _("\ -Written by %s, %s, %s,\n%s, %s, %s, %s,\n%s, and %s.\n"), - authors); - break; - default: - /* 10 or more authors. Use an abbreviation, since the human reader - will probably not want to read the entire list anyway. */ - /* TRANSLATORS: Each %s denotes an author name. - You can use line breaks, estimating that each author name occupies - ca. 16 screen columns and that a screen line has ca. 80 columns. */ - vfprintf (stream, _("\ -Written by %s, %s, %s,\n%s, %s, %s, %s,\n%s, %s, and others.\n"), - authors); - break; - } - va_end (authors); - putc ('\n', stream); - - fputs (version_etc_copyright, stream); - putc ('\n', stream); - - fputs (_("\ -This is free software; see the source for copying conditions. There is NO\n\ -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n"), - stream); -} - - -/* Display the --version information the standard way. - - If COMMAND_NAME is NULL, the PACKAGE is asumed to be the name of - the program. The formats are therefore: - - PACKAGE VERSION - - or - - COMMAND_NAME (PACKAGE) VERSION. - - The author names are passed as separate arguments, with an additional - NULL argument at the end. */ -void -version_etc (FILE *stream, - const char *command_name, const char *package, - const char *version, /* const char *author1, ...*/ ...) -{ - va_list authors; - - va_start (authors, version); - version_etc_va (stream, command_name, package, version, authors); -} diff --git a/contrib/gnu-sort/lib/version-etc.h b/contrib/gnu-sort/lib/version-etc.h deleted file mode 100644 index d505e75..0000000 --- a/contrib/gnu-sort/lib/version-etc.h +++ /dev/null @@ -1,37 +0,0 @@ -/* Utility to help print --version output in a consistent format. - Copyright (C) 1999, 2003 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Jim Meyering. */ - -#ifndef VERSION_ETC_H -# define VERSION_ETC_H 1 - -# include <stdarg.h> -# include <stdio.h> - -extern const char *version_etc_copyright; - -extern void version_etc_va (FILE *stream, - const char *command_name, const char *package, - const char *version, va_list authors); - -extern void version_etc (FILE *stream, - const char *command_name, const char *package, - const char *version, - /* const char *author1, ...*/ ...); - -#endif /* VERSION_ETC_H */ diff --git a/contrib/gnu-sort/lib/xalloc-die.c b/contrib/gnu-sort/lib/xalloc-die.c deleted file mode 100644 index ca3a689..0000000 --- a/contrib/gnu-sort/lib/xalloc-die.c +++ /dev/null @@ -1,45 +0,0 @@ -/* Report a memory allocation failure and exit. - - Copyright (C) 1997, 1998, 1999, 2000, 2002, 2003, 2004 Free - Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "xalloc.h" - -#include <stdlib.h> - -#include "error.h" -#include "exitfail.h" - -#include "gettext.h" -#define _(msgid) gettext (msgid) -#define N_(msgid) msgid - -void -xalloc_die (void) -{ - error (exit_failure, 0, "%s", _("memory exhausted")); - - /* The `noreturn' cannot be given to error, since it may return if - its first argument is 0. To help compilers understand the - xalloc_die does not return, call abort. Also, the abort is a - safety feature if exit_failure is 0 (which shouldn't happen). */ - abort (); -} diff --git a/contrib/gnu-sort/lib/xalloc.h b/contrib/gnu-sort/lib/xalloc.h deleted file mode 100644 index d81f2a6..0000000 --- a/contrib/gnu-sort/lib/xalloc.h +++ /dev/null @@ -1,90 +0,0 @@ -/* xalloc.h -- malloc with out-of-memory checking - - Copyright (C) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, - 1999, 2000, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#ifndef XALLOC_H_ -# define XALLOC_H_ - -# include <stddef.h> - - -# ifdef __cplusplus -extern "C" { -# endif - - -# ifndef __attribute__ -# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 8) || __STRICT_ANSI__ -# define __attribute__(x) -# endif -# endif - -# ifndef ATTRIBUTE_NORETURN -# define ATTRIBUTE_NORETURN __attribute__ ((__noreturn__)) -# endif - -/* This function is always triggered when memory is exhausted. - It must be defined by the application, either explicitly - or by using gnulib's xalloc-die module. This is the - function to call when one wants the program to die because of a - memory allocation failure. */ -extern void xalloc_die (void) ATTRIBUTE_NORETURN; - -void *xmalloc (size_t s); -void *xnmalloc (size_t n, size_t s); -void *xzalloc (size_t s); -void *xcalloc (size_t n, size_t s); -void *xrealloc (void *p, size_t s); -void *xnrealloc (void *p, size_t n, size_t s); -void *x2realloc (void *p, size_t *pn); -void *x2nrealloc (void *p, size_t *pn, size_t s); -void *xclone (void const *p, size_t s); -char *xstrdup (const char *str); - -/* Return 1 if an array of N objects, each of size S, cannot exist due - to size arithmetic overflow. S must be positive and N must be - nonnegative. This is a macro, not an inline function, so that it - works correctly even when SIZE_MAX < N. - - By gnulib convention, SIZE_MAX represents overflow in size - calculations, so the conservative dividend to use here is - SIZE_MAX - 1, since SIZE_MAX might represent an overflowed value. - However, malloc (SIZE_MAX) fails on all known hosts where - sizeof (ptrdiff_t) <= sizeof (size_t), so do not bother to test for - exactly-SIZE_MAX allocations on such hosts; this avoids a test and - branch when S is known to be 1. */ -# define xalloc_oversized(n, s) \ - ((size_t) (sizeof (ptrdiff_t) <= sizeof (size_t) ? -1 : -2) / (s) < (n)) - -/* These macros are deprecated; they will go away soon, and are retained - temporarily only to ease conversion to the functions described above. */ -# define CCLONE(p, n) xclone (p, (n) * sizeof *(p)) -# define CLONE(p) xclone (p, sizeof *(p)) -# define NEW(type, var) type *var = xmalloc (sizeof (type)) -# define XCALLOC(type, n) xcalloc (n, sizeof (type)) -# define XMALLOC(type, n) xnmalloc (n, sizeof (type)) -# define XREALLOC(p, type, n) xnrealloc (p, n, sizeof (type)) -# define XFREE(p) free (p) - - -# ifdef __cplusplus -} -# endif - - -#endif /* !XALLOC_H_ */ diff --git a/contrib/gnu-sort/lib/xmalloc.c b/contrib/gnu-sort/lib/xmalloc.c deleted file mode 100644 index 9b7a948..0000000 --- a/contrib/gnu-sort/lib/xmalloc.c +++ /dev/null @@ -1,221 +0,0 @@ -/* xmalloc.c -- malloc with out of memory checking - - Copyright (C) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, - 1999, 2000, 2002, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "xalloc.h" - -#include <stdlib.h> -#include <string.h> - -#ifndef SIZE_MAX -# define SIZE_MAX ((size_t) -1) -#endif - -/* Allocate an array of N objects, each with S bytes of memory, - dynamically, with error checking. S must be nonzero. */ - -static inline void * -xnmalloc_inline (size_t n, size_t s) -{ - void *p; - if (xalloc_oversized (n, s) || (! (p = malloc (n * s)) && n != 0)) - xalloc_die (); - return p; -} - -void * -xnmalloc (size_t n, size_t s) -{ - return xnmalloc_inline (n, s); -} - -/* Allocate N bytes of memory dynamically, with error checking. */ - -void * -xmalloc (size_t n) -{ - return xnmalloc_inline (n, 1); -} - -/* Change the size of an allocated block of memory P to an array of N - objects each of S bytes, with error checking. S must be nonzero. */ - -static inline void * -xnrealloc_inline (void *p, size_t n, size_t s) -{ - if (xalloc_oversized (n, s) || (! (p = realloc (p, n * s)) && n != 0)) - xalloc_die (); - return p; -} - -void * -xnrealloc (void *p, size_t n, size_t s) -{ - return xnrealloc_inline (p, n, s); -} - -/* Change the size of an allocated block of memory P to N bytes, - with error checking. */ - -void * -xrealloc (void *p, size_t n) -{ - return xnrealloc_inline (p, n, 1); -} - - -/* If P is null, allocate a block of at least *PN such objects; - otherwise, reallocate P so that it contains more than *PN objects - each of S bytes. *PN must be nonzero unless P is null, and S must - be nonzero. Set *PN to the new number of objects, and return the - pointer to the new block. *PN is never set to zero, and the - returned pointer is never null. - - Repeated reallocations are guaranteed to make progress, either by - allocating an initial block with a nonzero size, or by allocating a - larger block. - - In the following implementation, nonzero sizes are doubled so that - repeated reallocations have O(N log N) overall cost rather than - O(N**2) cost, but the specification for this function does not - guarantee that sizes are doubled. - - Here is an example of use: - - int *p = NULL; - size_t used = 0; - size_t allocated = 0; - - void - append_int (int value) - { - if (used == allocated) - p = x2nrealloc (p, &allocated, sizeof *p); - p[used++] = value; - } - - This causes x2nrealloc to allocate a block of some nonzero size the - first time it is called. - - To have finer-grained control over the initial size, set *PN to a - nonzero value before calling this function with P == NULL. For - example: - - int *p = NULL; - size_t used = 0; - size_t allocated = 0; - size_t allocated1 = 1000; - - void - append_int (int value) - { - if (used == allocated) - { - p = x2nrealloc (p, &allocated1, sizeof *p); - allocated = allocated1; - } - p[used++] = value; - } - - */ - -static inline void * -x2nrealloc_inline (void *p, size_t *pn, size_t s) -{ - size_t n = *pn; - - if (! p) - { - if (! n) - { - /* The approximate size to use for initial small allocation - requests, when the invoking code specifies an old size of - zero. 64 bytes is the largest "small" request for the - GNU C library malloc. */ - enum { DEFAULT_MXFAST = 64 }; - - n = DEFAULT_MXFAST / s; - n += !n; - } - } - else - { - if (SIZE_MAX / 2 / s < n) - xalloc_die (); - n *= 2; - } - - *pn = n; - return xrealloc (p, n * s); -} - -void * -x2nrealloc (void *p, size_t *pn, size_t s) -{ - return x2nrealloc_inline (p, pn, s); -} - -/* If P is null, allocate a block of at least *PN bytes; otherwise, - reallocate P so that it contains more than *PN bytes. *PN must be - nonzero unless P is null. Set *PN to the new block's size, and - return the pointer to the new block. *PN is never set to zero, and - the returned pointer is never null. */ - -void * -x2realloc (void *p, size_t *pn) -{ - return x2nrealloc_inline (p, pn, 1); -} - -/* Allocate S bytes of zeroed memory dynamically, with error checking. - There's no need for xnzalloc (N, S), since it would be equivalent - to xcalloc (N, S). */ - -void * -xzalloc (size_t s) -{ - return memset (xmalloc (s), 0, s); -} - -/* Allocate zeroed memory for N elements of S bytes, with error - checking. S must be nonzero. */ - -void * -xcalloc (size_t n, size_t s) -{ - void *p; - /* Test for overflow, since some calloc implementations don't have - proper overflow checks. */ - if (xalloc_oversized (n, s) || (! (p = calloc (n, s)) && n != 0)) - xalloc_die (); - return p; -} - -/* Clone an object P of size S, with error checking. There's no need - for xnclone (P, N, S), since xclone (P, N * S) works without any - need for an arithmetic overflow check. */ - -void * -xclone (void const *p, size_t s) -{ - return memcpy (xmalloc (s), p, s); -} diff --git a/contrib/gnu-sort/lib/xmemcoll.c b/contrib/gnu-sort/lib/xmemcoll.c deleted file mode 100644 index 433d67f..0000000 --- a/contrib/gnu-sort/lib/xmemcoll.c +++ /dev/null @@ -1,59 +0,0 @@ -/* Locale-specific memory comparison. - Copyright (C) 2002, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Contributed by Paul Eggert <eggert@twinsun.com>. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include <errno.h> -#include <stdlib.h> - -#include "gettext.h" -#define _(msgid) gettext (msgid) - -#include "error.h" -#include "exitfail.h" -#include "memcoll.h" -#include "quotearg.h" -#include "xmemcoll.h" - -/* Compare S1 (with length S1LEN) and S2 (with length S2LEN) according - to the LC_COLLATE locale. S1 and S2 do not overlap, and are not - adjacent. Temporarily modify the bytes after S1 and S2, but - restore their original contents before returning. Report an error - and exit if there is an error. */ - -int -xmemcoll (char *s1, size_t s1len, char *s2, size_t s2len) -{ - int diff = memcoll (s1, s1len, s2, s2len); - int collation_errno = errno; - - if (collation_errno) - { - error (0, collation_errno, _("string comparison failed")); - error (0, 0, _("Set LC_ALL='C' to work around the problem.")); - error (exit_failure, 0, - _("The strings compared were %s and %s."), - quotearg_n_style_mem (0, locale_quoting_style, s1, s1len), - quotearg_n_style_mem (1, locale_quoting_style, s2, s2len)); - } - - return diff; -} diff --git a/contrib/gnu-sort/lib/xmemcoll.h b/contrib/gnu-sort/lib/xmemcoll.h deleted file mode 100644 index 2f422e8..0000000 --- a/contrib/gnu-sort/lib/xmemcoll.h +++ /dev/null @@ -1,2 +0,0 @@ -#include <stddef.h> -int xmemcoll (char *, size_t, char *, size_t); diff --git a/contrib/gnu-sort/lib/xstrtol.c b/contrib/gnu-sort/lib/xstrtol.c deleted file mode 100644 index 906e4a1..0000000 --- a/contrib/gnu-sort/lib/xstrtol.c +++ /dev/null @@ -1,291 +0,0 @@ -/* A more useful interface to strtol. - - Copyright (C) 1995, 1996, 1998, 1999, 2000, 2001, 2003, 2004 Free - Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Jim Meyering. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#ifndef __strtol -# define __strtol strtol -# define __strtol_t long int -# define __xstrtol xstrtol -# define STRTOL_T_MINIMUM LONG_MIN -# define STRTOL_T_MAXIMUM LONG_MAX -#endif - -/* Some pre-ANSI implementations (e.g. SunOS 4) - need stderr defined if assertion checking is enabled. */ -#include <stdio.h> - -#include <assert.h> -#include <ctype.h> -#include <errno.h> -#include <limits.h> -#include <stdlib.h> -#include <string.h> - -/* The extra casts work around common compiler bugs. */ -#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1)) -#define TYPE_MINIMUM(t) ((t) (TYPE_SIGNED (t) \ - ? ~ (t) 0 << (sizeof (t) * CHAR_BIT - 1) \ - : (t) 0)) -#define TYPE_MAXIMUM(t) ((t) (~ (t) 0 - TYPE_MINIMUM (t))) - -#ifndef STRTOL_T_MINIMUM -# define STRTOL_T_MINIMUM TYPE_MINIMUM (__strtol_t) -# define STRTOL_T_MAXIMUM TYPE_MAXIMUM (__strtol_t) -#endif - -#if defined (STDC_HEADERS) || (!defined (isascii) && !defined (HAVE_ISASCII)) -# define IN_CTYPE_DOMAIN(c) 1 -#else -# define IN_CTYPE_DOMAIN(c) isascii(c) -#endif - -#define ISSPACE(c) (IN_CTYPE_DOMAIN (c) && isspace (c)) - -#include "xstrtol.h" - -#if !HAVE_DECL_STRTOIMAX && !defined strtoimax -intmax_t strtoimax (); -#endif - -#if !HAVE_DECL_STRTOUMAX && !defined strtoumax -uintmax_t strtoumax (); -#endif - -static strtol_error -bkm_scale (__strtol_t *x, int scale_factor) -{ - if (TYPE_SIGNED (__strtol_t) && *x < STRTOL_T_MINIMUM / scale_factor) - { - *x = STRTOL_T_MINIMUM; - return LONGINT_OVERFLOW; - } - if (STRTOL_T_MAXIMUM / scale_factor < *x) - { - *x = STRTOL_T_MAXIMUM; - return LONGINT_OVERFLOW; - } - *x *= scale_factor; - return LONGINT_OK; -} - -static strtol_error -bkm_scale_by_power (__strtol_t *x, int base, int power) -{ - strtol_error err = LONGINT_OK; - while (power--) - err |= bkm_scale (x, base); - return err; -} - -/* FIXME: comment. */ - -strtol_error -__xstrtol (const char *s, char **ptr, int strtol_base, - __strtol_t *val, const char *valid_suffixes) -{ - char *t_ptr; - char **p; - __strtol_t tmp; - strtol_error err = LONGINT_OK; - - assert (0 <= strtol_base && strtol_base <= 36); - - p = (ptr ? ptr : &t_ptr); - - if (! TYPE_SIGNED (__strtol_t)) - { - const char *q = s; - unsigned char ch = *q; - while (ISSPACE (ch)) - ch = *++q; - if (ch == '-') - return LONGINT_INVALID; - } - - errno = 0; - tmp = __strtol (s, p, strtol_base); - - if (*p == s) - { - /* If there is no number but there is a valid suffix, assume the - number is 1. The string is invalid otherwise. */ - if (valid_suffixes && **p && strchr (valid_suffixes, **p)) - tmp = 1; - else - return LONGINT_INVALID; - } - else if (errno != 0) - { - if (errno != ERANGE) - return LONGINT_INVALID; - err = LONGINT_OVERFLOW; - } - - /* Let valid_suffixes == NULL mean `allow any suffix'. */ - /* FIXME: update all callers except the ones that allow suffixes - after the number, changing last parameter NULL to `""'. */ - if (!valid_suffixes) - { - *val = tmp; - return err; - } - - if (**p != '\0') - { - int base = 1024; - int suffixes = 1; - strtol_error overflow; - - if (!strchr (valid_suffixes, **p)) - { - *val = tmp; - return err | LONGINT_INVALID_SUFFIX_CHAR; - } - - if (strchr (valid_suffixes, '0')) - { - /* The ``valid suffix'' '0' is a special flag meaning that - an optional second suffix is allowed, which can change - the base. A suffix "B" (e.g. "100MB") stands for a power - of 1000, whereas a suffix "iB" (e.g. "100MiB") stands for - a power of 1024. If no suffix (e.g. "100M"), assume - power-of-1024. */ - - switch (p[0][1]) - { - case 'i': - if (p[0][2] == 'B') - suffixes += 2; - break; - - case 'B': - case 'D': /* 'D' is obsolescent */ - base = 1000; - suffixes++; - break; - } - } - - switch (**p) - { - case 'b': - overflow = bkm_scale (&tmp, 512); - break; - - case 'B': - overflow = bkm_scale (&tmp, 1024); - break; - - case 'c': - overflow = 0; - break; - - case 'E': /* exa or exbi */ - overflow = bkm_scale_by_power (&tmp, base, 6); - break; - - case 'G': /* giga or gibi */ - case 'g': /* 'g' is undocumented; for compatibility only */ - overflow = bkm_scale_by_power (&tmp, base, 3); - break; - - case 'k': /* kilo */ - case 'K': /* kibi */ - overflow = bkm_scale_by_power (&tmp, base, 1); - break; - - case 'M': /* mega or mebi */ - case 'm': /* 'm' is undocumented; for compatibility only */ - overflow = bkm_scale_by_power (&tmp, base, 2); - break; - - case 'P': /* peta or pebi */ - overflow = bkm_scale_by_power (&tmp, base, 5); - break; - - case 'T': /* tera or tebi */ - case 't': /* 't' is undocumented; for compatibility only */ - overflow = bkm_scale_by_power (&tmp, base, 4); - break; - - case 'w': - overflow = bkm_scale (&tmp, 2); - break; - - case 'Y': /* yotta or 2**80 */ - overflow = bkm_scale_by_power (&tmp, base, 8); - break; - - case 'Z': /* zetta or 2**70 */ - overflow = bkm_scale_by_power (&tmp, base, 7); - break; - - default: - *val = tmp; - return err | LONGINT_INVALID_SUFFIX_CHAR; - } - - err |= overflow; - *p += suffixes; - if (**p) - err |= LONGINT_INVALID_SUFFIX_CHAR; - } - - *val = tmp; - return err; -} - -#ifdef TESTING_XSTRTO - -# include <stdio.h> -# include "error.h" - -char *program_name; - -int -main (int argc, char **argv) -{ - strtol_error s_err; - int i; - - program_name = argv[0]; - for (i=1; i<argc; i++) - { - char *p; - __strtol_t val; - - s_err = __xstrtol (argv[i], &p, 0, &val, "bckmw"); - if (s_err == LONGINT_OK) - { - printf ("%s->%lu (%s)\n", argv[i], val, p); - } - else - { - STRTOL_FATAL_ERROR (argv[i], "arg", s_err); - } - } - exit (0); -} - -#endif /* TESTING_XSTRTO */ diff --git a/contrib/gnu-sort/lib/xstrtol.h b/contrib/gnu-sort/lib/xstrtol.h deleted file mode 100644 index 0d6b984..0000000 --- a/contrib/gnu-sort/lib/xstrtol.h +++ /dev/null @@ -1,89 +0,0 @@ -/* A more useful interface to strtol. - - Copyright (C) 1995, 1996, 1998, 1999, 2001, 2002, 2003, 2004 Free - Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#ifndef XSTRTOL_H_ -# define XSTRTOL_H_ 1 - -# include "exitfail.h" - -# if HAVE_INTTYPES_H -# include <inttypes.h> -# endif -# if HAVE_STDINT_H -# include <stdint.h> -# endif - -# ifndef _STRTOL_ERROR -enum strtol_error - { - LONGINT_OK = 0, - - /* These two values can be ORed together, to indicate that both - errors occurred. */ - LONGINT_OVERFLOW = 1, - LONGINT_INVALID_SUFFIX_CHAR = 2, - - LONGINT_INVALID_SUFFIX_CHAR_WITH_OVERFLOW = (LONGINT_INVALID_SUFFIX_CHAR - | LONGINT_OVERFLOW), - LONGINT_INVALID = 4 - }; -typedef enum strtol_error strtol_error; -# endif - -# define _DECLARE_XSTRTOL(name, type) \ - strtol_error name (const char *, char **, int, type *, const char *); -_DECLARE_XSTRTOL (xstrtol, long int) -_DECLARE_XSTRTOL (xstrtoul, unsigned long int) -_DECLARE_XSTRTOL (xstrtoimax, intmax_t) -_DECLARE_XSTRTOL (xstrtoumax, uintmax_t) - -# define _STRTOL_ERROR(Exit_code, Str, Argument_type_string, Err) \ - do \ - { \ - switch ((Err)) \ - { \ - default: \ - abort (); \ - \ - case LONGINT_INVALID: \ - error ((Exit_code), 0, "invalid %s `%s'", \ - (Argument_type_string), (Str)); \ - break; \ - \ - case LONGINT_INVALID_SUFFIX_CHAR: \ - case LONGINT_INVALID_SUFFIX_CHAR | LONGINT_OVERFLOW: \ - error ((Exit_code), 0, "invalid character following %s in `%s'", \ - (Argument_type_string), (Str)); \ - break; \ - \ - case LONGINT_OVERFLOW: \ - error ((Exit_code), 0, "%s `%s' too large", \ - (Argument_type_string), (Str)); \ - break; \ - } \ - } \ - while (0) - -# define STRTOL_FATAL_ERROR(Str, Argument_type_string, Err) \ - _STRTOL_ERROR (exit_failure, Str, Argument_type_string, Err) - -# define STRTOL_FAIL_WARN(Str, Argument_type_string, Err) \ - _STRTOL_ERROR (0, Str, Argument_type_string, Err) - -#endif /* not XSTRTOL_H_ */ diff --git a/contrib/gnu-sort/lib/xstrtoul.c b/contrib/gnu-sort/lib/xstrtoul.c deleted file mode 100644 index 285f7b9..0000000 --- a/contrib/gnu-sort/lib/xstrtoul.c +++ /dev/null @@ -1,6 +0,0 @@ -#define __strtol strtoul -#define __strtol_t unsigned long int -#define __xstrtol xstrtoul -#define STRTOL_T_MINIMUM 0 -#define STRTOL_T_MAXIMUM ULONG_MAX -#include "xstrtol.c" diff --git a/contrib/gnu-sort/lib/xstrtoumax.c b/contrib/gnu-sort/lib/xstrtoumax.c deleted file mode 100644 index 8518ef0..0000000 --- a/contrib/gnu-sort/lib/xstrtoumax.c +++ /dev/null @@ -1,33 +0,0 @@ -/* xstrtoumax.c -- A more useful interface to strtoumax. - Copyright (C) 1999, 2003, 2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -/* Written by Paul Eggert. */ - -#if HAVE_CONFIG_H -# include <config.h> -#endif - -#include "xstrtol.h" - -#define __strtol strtoumax -#define __strtol_t uintmax_t -#define __xstrtol xstrtoumax -#ifdef UINTMAX_MAX -# define STRTOL_T_MINIMUM 0 -# define STRTOL_T_MAXIMUM UINTMAX_MAX -#endif -#include "xstrtol.c" diff --git a/contrib/gnu-sort/man/sort.1 b/contrib/gnu-sort/man/sort.1 deleted file mode 100644 index 2bb445d..0000000 --- a/contrib/gnu-sort/man/sort.1 +++ /dev/null @@ -1,113 +0,0 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.33. -.TH SORT "1" "March 2004" "sort (coreutils) 5.2.1" "User Commands" -.SH NAME -sort \- sort lines of text files -.SH SYNOPSIS -.B sort -[\fIOPTION\fR]... [\fIFILE\fR]... -.SH DESCRIPTION -.\" Add any additional description here -.PP -Write sorted concatenation of all FILE(s) to standard output. -.PP -Ordering options: -.PP -Mandatory arguments to long options are mandatory for short options too. -.HP -\fB\-b\fR, \fB\-\-ignore\-leading\-blanks\fR ignore leading blanks -.TP -\fB\-d\fR, \fB\-\-dictionary\-order\fR -consider only blanks and alphanumeric characters -.TP -\fB\-f\fR, \fB\-\-ignore\-case\fR -fold lower case to upper case characters -.TP -\fB\-g\fR, \fB\-\-general\-numeric\-sort\fR -compare according to general numerical value -.TP -\fB\-i\fR, \fB\-\-ignore\-nonprinting\fR -consider only printable characters -.TP -\fB\-M\fR, \fB\-\-month\-sort\fR -compare (unknown) < `JAN' < ... < `DEC' -.TP -\fB\-n\fR, \fB\-\-numeric\-sort\fR -compare according to string numerical value -.TP -\fB\-r\fR, \fB\-\-reverse\fR -reverse the result of comparisons -.PP -Other options: -.TP -\fB\-c\fR, \fB\-\-check\fR -check whether input is sorted; do not sort -.TP -\fB\-k\fR, \fB\-\-key\fR=\fIPOS1[\fR,POS2] -start a key at POS1, end it at POS 2 (origin 1) -.TP -\fB\-m\fR, \fB\-\-merge\fR -merge already sorted files; do not sort -.TP -\fB\-o\fR, \fB\-\-output\fR=\fIFILE\fR -write result to FILE instead of standard output -.TP -\fB\-s\fR, \fB\-\-stable\fR -stabilize sort by disabling last-resort comparison -.TP -\fB\-S\fR, \fB\-\-buffer\-size\fR=\fISIZE\fR -use SIZE for main memory buffer -.HP -\fB\-t\fR, \fB\-\-field\-separator\fR=\fISEP\fR use SEP instead of non-blank to blank transition -.TP -\fB\-T\fR, \fB\-\-temporary\-directory\fR=\fIDIR\fR -use DIR for temporaries, not $TMPDIR or /tmp; -multiple options specify multiple directories -.TP -\fB\-u\fR, \fB\-\-unique\fR -with \fB\-c\fR, check for strict ordering; -without \fB\-c\fR, output only the first of an equal run -.TP -\fB\-z\fR, \fB\-\-zero\-terminated\fR -end lines with 0 byte, not newline -.TP -\fB\-\-help\fR -display this help and exit -.TP -\fB\-\-version\fR -output version information and exit -.PP -POS is F[.C][OPTS], where F is the field number and C the character position -in the field. OPTS is one or more single-letter ordering options, which -override global ordering options for that key. If no key is given, use the -entire line as the key. -.PP -SIZE may be followed by the following multiplicative suffixes: -% 1% of memory, b 1, K 1024 (default), and so on for M, G, T, P, E, Z, Y. -.PP -With no FILE, or when FILE is -, read standard input. -.PP -*** WARNING *** -The locale specified by the environment affects sort order. -Set LC_ALL=C to get the traditional sort order that uses -native byte values. -.SH AUTHOR -Written by Mike Haertel and Paul Eggert. -.SH "REPORTING BUGS" -Report bugs to <bug-coreutils@gnu.org>. -.SH COPYRIGHT -Copyright \(co 2004 Free Software Foundation, Inc. -.br -This is free software; see the source for copying conditions. There is NO -warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -.SH "SEE ALSO" -The full documentation for -.B sort -is maintained as a Texinfo manual. If the -.B info -and -.B sort -programs are properly installed at your site, the command -.IP -.B info coreutils sort -.PP -should give you access to the complete manual. diff --git a/contrib/gnu-sort/src/sort.c b/contrib/gnu-sort/src/sort.c deleted file mode 100644 index 0b9d33f..0000000 --- a/contrib/gnu-sort/src/sort.c +++ /dev/null @@ -1,3237 +0,0 @@ -/* $FreeBSD$ */ -/* sort - sort lines of text (with all kinds of options). - Copyright (C) 88, 1991-2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - - Written December 1988 by Mike Haertel. - The author may be reached (Email) at the address mike@gnu.ai.mit.edu, - or (US mail) as Mike Haertel c/o Free Software Foundation. - - Ørn E. Hansen added NLS support in 1997. */ - -#include <config.h> - -#include <assert.h> -#include <getopt.h> -#include <sys/types.h> -#include <signal.h> -#include <stdio.h> - -/* Solaris 2.5 has a bug: <wchar.h> must be included before <wctype.h>. */ -/* Get mbstate_t, mbrtowc(), wcwidth(). */ -#if HAVE_WCHAR_H -# include <wchar.h> -#endif - -/* Get isw* functions. */ -#if HAVE_WCTYPE_H -# include <wctype.h> -#endif - -/* Get nl_langinfo(). */ -#if HAVE_LANGINFO_CODESET -# include <langinfo.h> -#endif - -/* Include this after wctype.h so that we `#undef' ISPRINT - (from Solaris's euc.h, from widec.h, from wctype.h) before - redefining and using it. */ -#include "system.h" -#include "error.h" -#include "hard-locale.h" -#include "inttostr.h" -#include "long-options.h" -#include "physmem.h" -#include "posixver.h" -#include "quote.h" -#include "stdio-safer.h" -#include "xmemcoll.h" -#include "xstrtol.h" - -#if HAVE_SYS_RESOURCE_H -# include <sys/resource.h> -#endif -#ifndef RLIMIT_DATA -struct rlimit { size_t rlim_cur; }; -# define getrlimit(Resource, Rlp) (-1) -#endif - -/* MB_LEN_MAX is incorrectly defined to be 1 in at least one GCC - installation; work around this configuration error. */ -#if !defined MB_LEN_MAX || MB_LEN_MAX == 1 -# define MB_LEN_MAX 16 -#endif - -/* Some systems, like BeOS, have multibyte encodings but lack mbstate_t. */ -#if HAVE_MBRTOWC && defined mbstate_t -# define mbrtowc(pwc, s, n, ps) (mbrtowc) (pwc, s, n, 0) -#endif - -/* The official name of this program (e.g., no `g' prefix). */ -#define PROGRAM_NAME "sort" - -#define AUTHORS "Mike Haertel", "Paul Eggert" - -#if HAVE_LANGINFO_CODESET -# include <langinfo.h> -#endif - -#ifndef SA_NOCLDSTOP -# define sigprocmask(How, Set, Oset) /* empty */ -# define sigset_t int -#endif - -#ifndef STDC_HEADERS -double strtod (); -#endif - -#define UCHAR_LIM (UCHAR_MAX + 1) - -#ifndef DEFAULT_TMPDIR -# define DEFAULT_TMPDIR "/tmp" -#endif - -/* Exit statuses. */ -enum - { - /* POSIX says to exit with status 1 if invoked with -c and the - input is not properly sorted. */ - SORT_OUT_OF_ORDER = 1, - - /* POSIX says any other irregular exit must exit with a status - code greater than 1. */ - SORT_FAILURE = 2 - }; - -#define C_DECIMAL_POINT '.' -#define NEGATION_SIGN '-' -#define NUMERIC_ZERO '0' - -#if HAVE_SETLOCALE - -static char decimal_point; -static int th_sep; /* if CHAR_MAX + 1, then there is no thousands separator */ -static int force_general_numcompare = 0; - -/* Nonzero if the corresponding locales are hard. */ -static bool hard_LC_COLLATE; -# if HAVE_NL_LANGINFO -static bool hard_LC_TIME; -# endif - -# define IS_THOUSANDS_SEP(x) ((x) == th_sep) - -#else - -# define decimal_point C_DECIMAL_POINT -# define IS_THOUSANDS_SEP(x) false - -#endif - -#define NONZERO(x) (x != 0) - -/* get a multibyte character's byte length. */ -#define GET_BYTELEN_OF_CHAR(LIM, PTR, MBLENGTH, STATE) \ - do \ - { \ - wchar_t wc; \ - mbstate_t state_bak; \ - \ - state_bak = STATE; \ - mblength = mbrtowc (&wc, PTR, LIM - PTR, &STATE); \ - \ - switch (MBLENGTH) \ - { \ - case (size_t)-1: \ - case (size_t)-2: \ - STATE = state_bak; \ - /* Fall through. */ \ - case 0: \ - MBLENGTH = 1; \ - } \ - } \ - while (0) - -/* The kind of blanks for '-b' to skip in various options. */ -enum blanktype { bl_start, bl_end, bl_both }; - -/* The character marking end of line. Default to \n. */ -static char eolchar = '\n'; - -/* Lines are held in core as counted strings. */ -struct line -{ - char *text; /* Text of the line. */ - size_t length; /* Length including final newline. */ - char *keybeg; /* Start of first key. */ - char *keylim; /* Limit of first key. */ -}; - -/* Input buffers. */ -struct buffer -{ - char *buf; /* Dynamically allocated buffer, - partitioned into 3 regions: - - input data; - - unused area; - - an array of lines, in reverse order. */ - size_t used; /* Number of bytes used for input data. */ - size_t nlines; /* Number of lines in the line array. */ - size_t alloc; /* Number of bytes allocated. */ - size_t left; /* Number of bytes left from previous reads. */ - size_t line_bytes; /* Number of bytes to reserve for each line. */ - bool eof; /* An EOF has been read. */ -}; - -struct keyfield -{ - size_t sword; /* Zero-origin 'word' to start at. */ - size_t schar; /* Additional characters to skip. */ - size_t eword; /* Zero-origin first word after field. */ - size_t echar; /* Additional characters in field. */ - bool const *ignore; /* Boolean array of characters to ignore. */ - char const *translate; /* Translation applied to characters. */ - bool skipsblanks; /* Skip leading blanks when finding start. */ - bool skipeblanks; /* Skip leading blanks when finding end. */ - bool numeric; /* Flag for numeric comparison. Handle - strings of digits with optional decimal - point, but no exponential notation. */ - bool general_numeric; /* Flag for general, numeric comparison. - Handle numbers in exponential notation. */ - bool month; /* Flag for comparison by month name. */ - bool reverse; /* Reverse the sense of comparison. */ - struct keyfield *next; /* Next keyfield to try. */ -}; - -struct month -{ - char const *name; - int val; -}; - -/* The name this program was run with. */ -char *program_name; - -/* FIXME: None of these tables work with multibyte character sets. - Also, there are many other bugs when handling multibyte characters. - One way to fix this is to rewrite `sort' to use wide characters - internally, but doing this with good performance is a bit - tricky. */ - -/* Table of blanks. */ -static bool blanks[UCHAR_LIM]; - -/* Table of non-printing characters. */ -static bool nonprinting[UCHAR_LIM]; - -/* Table of non-dictionary characters (not letters, digits, or blanks). */ -static bool nondictionary[UCHAR_LIM]; - -/* Translation table folding lower case to upper. */ -static char fold_toupper[UCHAR_LIM]; - -#define MONTHS_PER_YEAR 12 - -/* Table mapping month names to integers. - Alphabetic order allows binary search. */ -static struct month monthtab[] = -{ - {"APR", 4}, - {"AUG", 8}, - {"DEC", 12}, - {"FEB", 2}, - {"JAN", 1}, - {"JUL", 7}, - {"JUN", 6}, - {"MAR", 3}, - {"MAY", 5}, - {"NOV", 11}, - {"OCT", 10}, - {"SEP", 9} -}; - -/* During the merge phase, the number of files to merge at once. */ -#define NMERGE 16 - -/* Minimum size for a merge or check buffer. */ -#define MIN_MERGE_BUFFER_SIZE (2 + sizeof (struct line)) - -/* Minimum sort size; the code might not work with smaller sizes. */ -#define MIN_SORT_SIZE (NMERGE * MIN_MERGE_BUFFER_SIZE) - -/* The number of bytes needed for a merge or check buffer, which can - function relatively efficiently even if it holds only one line. If - a longer line is seen, this value is increased. */ -static size_t merge_buffer_size = MAX (MIN_MERGE_BUFFER_SIZE, 256 * 1024); - -/* The approximate maximum number of bytes of main memory to use, as - specified by the user. Zero if the user has not specified a size. */ -static size_t sort_size; - -/* The guessed size for non-regular files. */ -#define INPUT_FILE_SIZE_GUESS (1024 * 1024) - -/* Array of directory names in which any temporary files are to be created. */ -static char const **temp_dirs; - -/* Number of temporary directory names used. */ -static size_t temp_dir_count; - -/* Number of allocated slots in temp_dirs. */ -static size_t temp_dir_alloc; - -/* Flag to reverse the order of all comparisons. */ -static bool reverse; - -/* Flag for stable sort. This turns off the last ditch bytewise - comparison of lines, and instead leaves lines in the same order - they were read if all keys compare equal. */ -static bool stable; - -/* Tab character separating fields. If tab_default, then fields are - separated by the empty string between a non-blank character and a blank - character. */ -static bool tab_default = true; -static unsigned char tab[MB_LEN_MAX + 1]; -static size_t tab_length = 1; - -/* Flag to remove consecutive duplicate lines from the output. - Only the last of a sequence of equal lines will be output. */ -static bool unique; - -/* Nonzero if any of the input files are the standard input. */ -static bool have_read_stdin; - -/* List of key field comparisons to be tried. */ -static struct keyfield *keylist; - -static void sortlines_temp (struct line *, size_t, struct line *); - -void -usage (int status) -{ - if (status != EXIT_SUCCESS) - fprintf (stderr, _("Try `%s --help' for more information.\n"), - program_name); - else - { - printf (_("\ -Usage: %s [OPTION]... [FILE]...\n\ -"), - program_name); - fputs (_("\ -Write sorted concatenation of all FILE(s) to standard output.\n\ -\n\ -Ordering options:\n\ -\n\ -"), stdout); - fputs (_("\ -Mandatory arguments to long options are mandatory for short options too.\n\ -"), stdout); - fputs (_("\ - -b, --ignore-leading-blanks ignore leading blanks\n\ - -d, --dictionary-order consider only blanks and alphanumeric characters\n\ - -f, --ignore-case fold lower case to upper case characters\n\ -"), stdout); - fputs (_("\ - -g, --general-numeric-sort compare according to general numerical value\n\ - -i, --ignore-nonprinting consider only printable characters\n\ - -M, --month-sort compare (unknown) < `JAN' < ... < `DEC'\n\ - -n, --numeric-sort compare according to string numerical value\n\ - -r, --reverse reverse the result of comparisons\n\ -\n\ -"), stdout); - fputs (_("\ -Other options:\n\ -\n\ - -c, --check check whether input is sorted; do not sort\n\ - -k, --key=POS1[,POS2] start a key at POS1, end it at POS 2 (origin 1)\n\ - -m, --merge merge already sorted files; do not sort\n\ - -o, --output=FILE write result to FILE instead of standard output\n\ - -s, --stable stabilize sort by disabling last-resort comparison\n\ - -S, --buffer-size=SIZE use SIZE for main memory buffer\n\ -"), stdout); - printf (_("\ - -t, --field-separator=SEP use SEP instead of non-blank to blank transition\n\ - -T, --temporary-directory=DIR use DIR for temporaries, not $TMPDIR or %s;\n\ - multiple options specify multiple directories\n\ - -u, --unique with -c, check for strict ordering;\n\ - without -c, output only the first of an equal run\n\ -"), DEFAULT_TMPDIR); - fputs (_("\ - -z, --zero-terminated end lines with 0 byte, not newline\n\ -"), stdout); - fputs (HELP_OPTION_DESCRIPTION, stdout); - fputs (VERSION_OPTION_DESCRIPTION, stdout); - fputs (_("\ -\n\ -POS is F[.C][OPTS], where F is the field number and C the character position\n\ -in the field. OPTS is one or more single-letter ordering options, which\n\ -override global ordering options for that key. If no key is given, use the\n\ -entire line as the key.\n\ -\n\ -SIZE may be followed by the following multiplicative suffixes:\n\ -"), stdout); - fputs (_("\ -% 1% of memory, b 1, K 1024 (default), and so on for M, G, T, P, E, Z, Y.\n\ -\n\ -With no FILE, or when FILE is -, read standard input.\n\ -\n\ -*** WARNING ***\n\ -The locale specified by the environment affects sort order.\n\ -Set LC_ALL=C to get the traditional sort order that uses\n\ -native byte values.\n\ -"), stdout ); - printf (_("\nReport bugs to <%s>.\n"), PACKAGE_BUGREPORT); - } - - exit (status); -} - -#define COMMON_SHORT_OPTIONS "-bcdfgik:mMno:rsS:t:T:uz" - -static struct option const long_options[] = -{ - {"ignore-leading-blanks", no_argument, NULL, 'b'}, - {"check", no_argument, NULL, 'c'}, - {"dictionary-order", no_argument, NULL, 'd'}, - {"ignore-case", no_argument, NULL, 'f'}, - {"general-numeric-sort", no_argument, NULL, 'g'}, - {"ignore-nonprinting", no_argument, NULL, 'i'}, - {"key", required_argument, NULL, 'k'}, - {"merge", no_argument, NULL, 'm'}, - {"month-sort", no_argument, NULL, 'M'}, - {"numeric-sort", no_argument, NULL, 'n'}, - {"output", required_argument, NULL, 'o'}, - {"reverse", no_argument, NULL, 'r'}, - {"stable", no_argument, NULL, 's'}, - {"buffer-size", required_argument, NULL, 'S'}, - {"field-separator", required_argument, NULL, 't'}, - {"temporary-directory", required_argument, NULL, 'T'}, - {"unique", no_argument, NULL, 'u'}, - {"zero-terminated", no_argument, NULL, 'z'}, - {GETOPT_HELP_OPTION_DECL}, - {GETOPT_VERSION_OPTION_DECL}, - {0, 0, 0, 0}, -}; - -/* The set of signals that are caught. */ -static sigset_t caught_signals; - -/* The list of temporary files. */ -struct tempnode -{ - struct tempnode *volatile next; - char name[1]; /* Actual size is 1 + file name length. */ -}; -static struct tempnode *volatile temphead; - -/* Fucntion pointers. */ -static void -(*inittables) (void); - -static char * -(* begfield) (const struct line *line, const struct keyfield *key); - -static char * -(* limfield) (const struct line *line, const struct keyfield *key); - -static int -(*getmonth) (const char *s, size_t len); - -static int -(* keycompare) (const struct line *a, const struct line *b); - -/* Test for white space multibyte character. - Set LENGTH the byte length of investigated multibyte character. */ -#if HAVE_MBRTOWC -static int -ismbblank (const char *str, size_t len, size_t *length) -{ - size_t mblength; - wchar_t wc; - mbstate_t state; - - memset (&state, '\0', sizeof(mbstate_t)); - mblength = mbrtowc (&wc, str, len, &state); - - if (mblength == (size_t)-1 || mblength == (size_t)-2) - { - *length = 1; - return 0; - } - - *length = (mblength < 1) ? 1 : mblength; - return iswblank (wc); -} -#endif - -/* Clean up any remaining temporary files. */ - -static void -cleanup (void) -{ - struct tempnode const *node; - - for (node = temphead; node; node = node->next) - unlink (node->name); -} - -/* Report MESSAGE for FILE, then clean up and exit. - If FILE is null, it represents standard output. */ - -static void die (char const *, char const *) ATTRIBUTE_NORETURN; -static void -die (char const *message, char const *file) -{ - error (0, errno, "%s: %s", message, file ? file : _("standard output")); - exit (SORT_FAILURE); -} - -/* Create a new temporary file, returning its newly allocated name. - Store into *PFP a stream open for writing. */ - -static char * -create_temp_file (FILE **pfp) -{ - static char const slashbase[] = "/sortXXXXXX"; - static size_t temp_dir_index; - sigset_t oldset; - int fd; - int saved_errno; - char const *temp_dir = temp_dirs[temp_dir_index]; - size_t len = strlen (temp_dir); - struct tempnode *node = - xmalloc (sizeof node->next + len + sizeof slashbase); - char *file = node->name; - - memcpy (file, temp_dir, len); - memcpy (file + len, slashbase, sizeof slashbase); - node->next = temphead; - if (++temp_dir_index == temp_dir_count) - temp_dir_index = 0; - - /* Create the temporary file in a critical section, to avoid races. */ - sigprocmask (SIG_BLOCK, &caught_signals, &oldset); - fd = mkstemp (file); - if (0 <= fd) - temphead = node; - saved_errno = errno; - sigprocmask (SIG_SETMASK, &oldset, NULL); - errno = saved_errno; - - if (fd < 0 || (*pfp = fdopen (fd, "w")) == NULL) - die (_("cannot create temporary file"), file); - - return file; -} - -/* Return a stream for FILE, opened with mode HOW. A null FILE means - standard output; HOW should be "w". When opening for input, "-" - means standard input. To avoid confusion, do not return file - descriptors 0, 1, or 2. */ - -static FILE * -xfopen (const char *file, const char *how) -{ - FILE *fp; - - if (!file) - fp = stdout; - else if (STREQ (file, "-") && *how == 'r') - { - have_read_stdin = true; - fp = stdin; - } - else - { - if ((fp = fopen_safer (file, how)) == NULL) - die (_("open failed"), file); - } - - return fp; -} - -/* Close FP, whose name is FILE, and report any errors. */ - -static void -xfclose (FILE *fp, char const *file) -{ - if (fp == stdin) - { - /* Allow reading stdin from tty more than once. */ - if (feof (fp)) - clearerr (fp); - } - else - { - if (fclose (fp) != 0) - die (_("close failed"), file); - } -} - -static void -write_bytes (const char *buf, size_t n_bytes, FILE *fp, const char *output_file) -{ - if (fwrite (buf, 1, n_bytes, fp) != n_bytes) - die (_("write failed"), output_file); -} - -/* Append DIR to the array of temporary directory names. */ -static void -add_temp_dir (char const *dir) -{ - if (temp_dir_count == temp_dir_alloc) - temp_dirs = x2nrealloc (temp_dirs, &temp_dir_alloc, sizeof *temp_dirs); - - temp_dirs[temp_dir_count++] = dir; -} - -/* Search through the list of temporary files for NAME; - remove it if it is found on the list. */ - -static void -zaptemp (const char *name) -{ - struct tempnode *volatile *pnode; - struct tempnode *node; - - for (pnode = &temphead; (node = *pnode); pnode = &node->next) - if (node->name == name) - { - unlink (name); - *pnode = node->next; - free (node); - break; - } -} - -#if HAVE_LANGINFO_CODESET - -static int -struct_month_cmp (const void *m1, const void *m2) -{ - struct month const *month1 = m1; - struct month const *month2 = m2; - return strcmp (month1->name, month2->name); -} - -#endif - -/* Initialize the character class tables. */ - -static void -inittables_uni (void) -{ - int i; - - for (i = 0; i < UCHAR_LIM; ++i) - { - blanks[i] = !!ISBLANK (i); - nonprinting[i] = !ISPRINT (i); - nondictionary[i] = !ISALNUM (i) && !ISBLANK (i); - fold_toupper[i] = (ISLOWER (i) ? toupper (i) : i); - } - -#if HAVE_NL_LANGINFO - /* If we're not in the "C" locale, read different names for months. */ - if (hard_LC_TIME) - { - for (i = 0; i < MONTHS_PER_YEAR; i++) - { - char const *s; - size_t s_len; - size_t j; - char *name; - - s = (char *) nl_langinfo (ABMON_1 + i); - s_len = strlen (s); - monthtab[i].name = name = xmalloc (s_len + 1); - monthtab[i].val = i + 1; - - for (j = 0; j < s_len; j++) - name[j] = fold_toupper[to_uchar (s[j])]; - name[j] = '\0'; - } - qsort ((void *) monthtab, MONTHS_PER_YEAR, - sizeof *monthtab, struct_month_cmp); - } -#endif -} - -#if HAVE_MBRTOWC -static void -inittables_mb (void) -{ - int i, j, k, l; - char *name, *s; - size_t s_len, mblength; - char mbc[MB_LEN_MAX]; - wchar_t wc, pwc; - mbstate_t state_mb, state_wc; - - for (i = 0; i < MONTHS_PER_YEAR; i++) - { - s = (char *) nl_langinfo (ABMON_1 + i); - s_len = strlen (s); - monthtab[i].name = name = (char *) xmalloc (s_len + 1); - monthtab[i].val = i + 1; - - memset (&state_mb, '\0', sizeof (mbstate_t)); - memset (&state_wc, '\0', sizeof (mbstate_t)); - - for (j = 0; j < s_len;) - { - if (!ismbblank (s + j, s_len - j, &mblength)) - break; - j += mblength; - } - - for (k = 0; j < s_len;) - { - mblength = mbrtowc (&wc, (s + j), (s_len - j), &state_mb); - assert (mblength != (size_t)-1 && mblength != (size_t)-2); - if (mblength == 0) - break; - - pwc = towupper (wc); - if (pwc == wc) - { - memcpy (mbc, s + j, mblength); - j += mblength; - } - else - { - j += mblength; - mblength = wcrtomb (mbc, pwc, &state_wc); - assert (mblength != (size_t)0 && mblength != (size_t)-1); - } - - for (l = 0; l < mblength; l++) - name[k++] = mbc[l]; - } - name[k] = '\0'; - } - qsort ((void *) monthtab, MONTHS_PER_YEAR, - sizeof (struct month), struct_month_cmp); -} -#endif - -/* Specify the amount of main memory to use when sorting. */ -static void -specify_sort_size (char const *s) -{ - uintmax_t n; - char *suffix; - enum strtol_error e = xstrtoumax (s, &suffix, 10, &n, "EgGkKmMPtTYZ"); - - /* The default unit is KiB. */ - if (e == LONGINT_OK && ISDIGIT (suffix[-1])) - { - if (n <= UINTMAX_MAX / 1024) - n *= 1024; - else - e = LONGINT_OVERFLOW; - } - - /* A 'b' suffix means bytes; a '%' suffix means percent of memory. */ - if (e == LONGINT_INVALID_SUFFIX_CHAR && ISDIGIT (suffix[-1]) && ! suffix[1]) - switch (suffix[0]) - { - case 'b': - e = LONGINT_OK; - break; - - case '%': - { - double mem = physmem_total () * n / 100; - - /* Use "<", not "<=", to avoid problems with rounding. */ - if (mem < UINTMAX_MAX) - { - n = mem; - e = LONGINT_OK; - } - else - e = LONGINT_OVERFLOW; - } - break; - } - - if (e == LONGINT_OK) - { - /* If multiple sort sizes are specified, take the maximum, so - that option order does not matter. */ - if (n < sort_size) - return; - - sort_size = n; - if (sort_size == n) - { - sort_size = MAX (sort_size, MIN_SORT_SIZE); - return; - } - - e = LONGINT_OVERFLOW; - } - - STRTOL_FATAL_ERROR (s, _("sort size"), e); -} - -/* Return the default sort size. */ -static size_t -default_sort_size (void) -{ - /* Let MEM be available memory or 1/8 of total memory, whichever - is greater. */ - double avail = physmem_available (); - double total = physmem_total (); - double mem = MAX (avail, total / 8); - struct rlimit rlimit; - - /* Let SIZE be MEM, but no more than the maximum object size or - system resource limits. Avoid the MIN macro here, as it is not - quite right when only one argument is floating point. Don't - bother to check for values like RLIM_INFINITY since in practice - they are not much less than SIZE_MAX. */ - size_t size = SIZE_MAX; - if (mem < size) - size = mem; - if (getrlimit (RLIMIT_DATA, &rlimit) == 0 && rlimit.rlim_cur < size) - size = rlimit.rlim_cur; -#ifdef RLIMIT_AS - if (getrlimit (RLIMIT_AS, &rlimit) == 0 && rlimit.rlim_cur < size) - size = rlimit.rlim_cur; -#endif - - /* Leave a large safety margin for the above limits, as failure can - occur when they are exceeded. */ - size /= 2; - -#ifdef RLIMIT_RSS - /* Leave a 1/16 margin for RSS to leave room for code, stack, etc. - Exceeding RSS is not fatal, but can be quite slow. */ - if (getrlimit (RLIMIT_RSS, &rlimit) == 0 && rlimit.rlim_cur / 16 * 15 < size) - size = rlimit.rlim_cur / 16 * 15; -#endif - - /* Use no less than the minimum. */ - return MAX (size, MIN_SORT_SIZE); -} - -/* Return the sort buffer size to use with the input files identified - by FPS and FILES, which are alternate paths to the same files. - NFILES gives the number of input files; NFPS may be less. Assume - that each input line requires LINE_BYTES extra bytes' worth of line - information. Do not exceed a bound on the size: if the bound is - not specified by the user, use a default. */ - -static size_t -sort_buffer_size (FILE *const *fps, int nfps, - char *const *files, int nfiles, - size_t line_bytes) -{ - /* A bound on the input size. If zero, the bound hasn't been - determined yet. */ - static size_t size_bound; - - /* In the worst case, each input byte is a newline. */ - size_t worst_case_per_input_byte = line_bytes + 1; - - /* Keep enough room for one extra input line and an extra byte. - This extra room might be needed when preparing to read EOF. */ - size_t size = worst_case_per_input_byte + 1; - - int i; - - for (i = 0; i < nfiles; i++) - { - struct stat st; - off_t file_size; - size_t worst_case; - - if ((i < nfps ? fstat (fileno (fps[i]), &st) - : STREQ (files[i], "-") ? fstat (STDIN_FILENO, &st) - : stat (files[i], &st)) - != 0) - die (_("stat failed"), files[i]); - - if (S_ISREG (st.st_mode)) - file_size = st.st_size; - else - { - /* The file has unknown size. If the user specified a sort - buffer size, use that; otherwise, guess the size. */ - if (sort_size) - return sort_size; - file_size = INPUT_FILE_SIZE_GUESS; - } - - if (! size_bound) - { - size_bound = sort_size; - if (! size_bound) - size_bound = default_sort_size (); - } - - /* Add the amount of memory needed to represent the worst case - where the input consists entirely of newlines followed by a - single non-newline. Check for overflow. */ - worst_case = file_size * worst_case_per_input_byte + 1; - if (file_size != worst_case / worst_case_per_input_byte - || size_bound - size <= worst_case) - return size_bound; - size += worst_case; - } - - return size; -} - -/* Initialize BUF. Reserve LINE_BYTES bytes for each line; LINE_BYTES - must be at least sizeof (struct line). Allocate ALLOC bytes - initially. */ - -static void -initbuf (struct buffer *buf, size_t line_bytes, size_t alloc) -{ - /* Ensure that the line array is properly aligned. If the desired - size cannot be allocated, repeatedly halve it until allocation - succeeds. The smaller allocation may hurt overall performance, - but that's better than failing. */ - for (;;) - { - alloc += sizeof (struct line) - alloc % sizeof (struct line); - buf->buf = malloc (alloc); - if (buf->buf) - break; - alloc /= 2; - if (alloc <= line_bytes + 1) - xalloc_die (); - } - - buf->line_bytes = line_bytes; - buf->alloc = alloc; - buf->used = buf->left = buf->nlines = 0; - buf->eof = false; -} - -/* Return one past the limit of the line array. */ - -static inline struct line * -buffer_linelim (struct buffer const *buf) -{ - return (struct line *) (buf->buf + buf->alloc); -} - -/* Return a pointer to the first character of the field specified - by KEY in LINE. */ - -static char * -begfield_uni (const struct line *line, const struct keyfield *key) -{ - register char *ptr = line->text, *lim = ptr + line->length - 1; - register size_t sword = key->sword; - register size_t schar = key->schar; - register size_t remaining_bytes; - - /* The leading field separator itself is included in a field when -t - is absent. */ - - if (!tab_default) - while (ptr < lim && sword--) - { - while (ptr < lim && *ptr != tab[0]) - ++ptr; - if (ptr < lim) - ++ptr; - } - else - while (ptr < lim && sword--) - { - while (ptr < lim && blanks[to_uchar (*ptr)]) - ++ptr; - while (ptr < lim && !blanks[to_uchar (*ptr)]) - ++ptr; - } - - if (key->skipsblanks) - while (ptr < lim && blanks[to_uchar (*ptr)]) - ++ptr; - - /* Advance PTR by SCHAR (if possible), but no further than LIM. */ - remaining_bytes = lim - ptr; - if (schar < remaining_bytes) - ptr += schar; - else - ptr = lim; - - return ptr; -} - -#if HAVE_MBRTOWC -static char * -begfield_mb (const struct line *line, const struct keyfield *key) -{ - int i; - char *ptr = line->text, *lim = ptr + line->length - 1; - size_t sword = key->sword; - size_t schar = key->schar; - size_t mblength; - mbstate_t state; - - memset (&state, '\0', sizeof(mbstate_t)); - - if (!tab_default) - while (ptr < lim && sword--) - { - while (ptr < lim && memcmp (ptr, tab, tab_length) != 0) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - ptr += mblength; - } - if (ptr < lim) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - ptr += mblength; - } - } - else - while (ptr < lim && sword--) - { - while (ptr < lim && ismbblank (ptr, lim - ptr, &mblength)) - ptr += mblength; - if (ptr < lim) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - ptr += mblength; - } - while (ptr < lim && !ismbblank (ptr, lim - ptr, &mblength)) - ptr += mblength; - } - - if (key->skipsblanks) - while (ptr < lim && ismbblank (ptr, lim - ptr, &mblength)) - ptr += mblength; - - for (i = 0; i < schar; i++) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - - if (ptr + mblength > lim) - break; - else - ptr += mblength; - } - - return ptr; -} -#endif - -/* Return the limit of (a pointer to the first character after) the field - in LINE specified by KEY. */ - -static char * -limfield_uni (const struct line *line, const struct keyfield *key) -{ - register char *ptr = line->text, *lim = ptr + line->length - 1; - register size_t eword = key->eword, echar = key->echar; - register size_t remaining_bytes; - - /* Move PTR past EWORD fields or to one past the last byte on LINE, - whichever comes first. If there are more than EWORD fields, leave - PTR pointing at the beginning of the field having zero-based index, - EWORD. If a delimiter character was specified (via -t), then that - `beginning' is the first character following the delimiting TAB. - Otherwise, leave PTR pointing at the first `blank' character after - the preceding field. */ - if (!tab_default) - while (ptr < lim && eword--) - { - while (ptr < lim && *ptr != tab[0]) - ++ptr; - if (ptr < lim && (eword | echar)) - ++ptr; - } - else - while (ptr < lim && eword--) - { - while (ptr < lim && blanks[to_uchar (*ptr)]) - ++ptr; - while (ptr < lim && !blanks[to_uchar (*ptr)]) - ++ptr; - } - -#ifdef POSIX_UNSPECIFIED - /* The following block of code makes GNU sort incompatible with - standard Unix sort, so it's ifdef'd out for now. - The POSIX spec isn't clear on how to interpret this. - FIXME: request clarification. - - From: kwzh@gnu.ai.mit.edu (Karl Heuer) - Date: Thu, 30 May 96 12:20:41 -0400 - [Translated to POSIX 1003.1-2001 terminology by Paul Eggert.] - - [...]I believe I've found another bug in `sort'. - - $ cat /tmp/sort.in - a b c 2 d - pq rs 1 t - $ textutils-1.15/src/sort -k1.7,1.7 </tmp/sort.in - a b c 2 d - pq rs 1 t - $ /bin/sort -k1.7,1.7 </tmp/sort.in - pq rs 1 t - a b c 2 d - - Unix sort produced the answer I expected: sort on the single character - in column 7. GNU sort produced different results, because it disagrees - on the interpretation of the key-end spec "M.N". Unix sort reads this - as "skip M-1 fields, then N-1 characters"; but GNU sort wants it to mean - "skip M-1 fields, then either N-1 characters or the rest of the current - field, whichever comes first". This extra clause applies only to - key-ends, not key-starts. - */ - - /* Make LIM point to the end of (one byte past) the current field. */ - if (!tab_default) - { - char *newlim; - newlim = memchr (ptr, tab[0], lim - ptr); - if (newlim) - lim = newlim; - } - else - { - char *newlim; - newlim = ptr; - while (newlim < lim && blanks[to_uchar (*newlim)]) - ++newlim; - while (newlim < lim && !blanks[to_uchar (*newlim)]) - ++newlim; - lim = newlim; - } -#endif - - /* If we're ignoring leading blanks when computing the End - of the field, don't start counting bytes until after skipping - past any leading blanks. */ - if (key->skipeblanks) - while (ptr < lim && blanks[to_uchar (*ptr)]) - ++ptr; - - /* Advance PTR by ECHAR (if possible), but no further than LIM. */ - remaining_bytes = lim - ptr; - if (echar < remaining_bytes) - ptr += echar; - else - ptr = lim; - - return ptr; -} - -#if HAVE_MBRTOWC -static char * -limfield_mb (const struct line *line, const struct keyfield *key) -{ - char *ptr = line->text, *lim = ptr + line->length - 1; - size_t eword = key->eword, echar = key->echar; - int i; - size_t mblength; - mbstate_t state; - - memset (&state, '\0', sizeof(mbstate_t)); - - if (!tab_default) - while (ptr < lim && eword--) - { - while (ptr < lim && memcmp (ptr, tab, tab_length) != 0) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - ptr += mblength; - } - if (ptr < lim && (eword | echar)) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - ptr += mblength; - } - } - else - while (ptr < lim && eword--) - { - while (ptr < lim && ismbblank (ptr, lim - ptr, &mblength)) - ptr += mblength; - if (ptr < lim) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - ptr += mblength; - } - while (ptr < lim && !ismbblank (ptr, lim - ptr, &mblength)) - ptr += mblength; - } - - -# ifdef POSIX_UNSPECIFIED - /* Make LIM point to the end of (one byte past) the current field. */ - if (!tab_default) - { - char *newlim, *p; - - newlim = NULL; - for (p = ptr; p < lim;) - { - if (memcmp (p, tab, tab_length) == 0) - { - newlim = p; - break; - } - - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - p += mblength; - } - } - else - { - char *newlim; - newlim = ptr; - - while (newlim < lim && ismbblank (newlim, lim - newlim, &mblength)) - newlim += mblength; - if (ptr < lim) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - ptr += mblength; - } - while (newlim < lim && !ismbblank (newlim, lim - newlim, &mblength)) - newlim += mblength; - lim = newlim; - } -# endif - - /* If we're skipping leading blanks, don't start counting characters - * until after skipping past any leading blanks. */ - if (key->skipeblanks) - while (ptr < lim && ismbblank (ptr, lim - ptr, &mblength)) - ptr += mblength; - - memset (&state, '\0', sizeof(mbstate_t)); - - /* Advance PTR by ECHAR (if possible), but no further than LIM. */ - for (i = 0; i < echar; i++) - { - GET_BYTELEN_OF_CHAR (lim, ptr, mblength, state); - - if (ptr + mblength > lim) - break; - else - ptr += mblength; - } - - return ptr; -} -#endif - -/* Fill BUF reading from FP, moving buf->left bytes from the end - of buf->buf to the beginning first. If EOF is reached and the - file wasn't terminated by a newline, supply one. Set up BUF's line - table too. FILE is the name of the file corresponding to FP. - Return true if some input was read. */ - -static bool -fillbuf (struct buffer *buf, register FILE *fp, char const *file) -{ - struct keyfield const *key = keylist; - char eol = eolchar; - size_t line_bytes = buf->line_bytes; - size_t mergesize = merge_buffer_size - MIN_MERGE_BUFFER_SIZE; - - if (buf->eof) - return false; - - if (buf->used != buf->left) - { - memmove (buf->buf, buf->buf + buf->used - buf->left, buf->left); - buf->used = buf->left; - buf->nlines = 0; - } - - for (;;) - { - char *ptr = buf->buf + buf->used; - struct line *linelim = buffer_linelim (buf); - struct line *line = linelim - buf->nlines; - size_t avail = (char *) linelim - buf->nlines * line_bytes - ptr; - char *line_start = buf->nlines ? line->text + line->length : buf->buf; - - while (line_bytes + 1 < avail) - { - /* Read as many bytes as possible, but do not read so many - bytes that there might not be enough room for the - corresponding line array. The worst case is when the - rest of the input file consists entirely of newlines, - except that the last byte is not a newline. */ - size_t readsize = (avail - 1) / (line_bytes + 1); - size_t bytes_read = fread (ptr, 1, readsize, fp); - char *ptrlim = ptr + bytes_read; - char *p; - avail -= bytes_read; - - if (bytes_read != readsize) - { - if (ferror (fp)) - die (_("read failed"), file); - if (feof (fp)) - { - buf->eof = true; - if (buf->buf == ptrlim) - return false; - if (ptrlim[-1] != eol) - *ptrlim++ = eol; - } - } - - /* Find and record each line in the just-read input. */ - while ((p = memchr (ptr, eol, ptrlim - ptr))) - { - ptr = p + 1; - line--; - line->text = line_start; - line->length = ptr - line_start; - mergesize = MAX (mergesize, line->length); - avail -= line_bytes; - - if (key) - { - /* Precompute the position of the first key for - efficiency. */ - line->keylim = (key->eword == SIZE_MAX - ? p - : limfield (line, key)); - - if (key->sword != SIZE_MAX) - line->keybeg = begfield (line, key); - else - { - if (key->skipsblanks) -#if HAVE_MBRTOWC - { - if (MB_CUR_MAX > 1) - { - size_t mblength; - - while (ismbblank (line_start, ptr - line_start, &mblength)) - line_start += mblength; - } - else -#endif - { - while (blanks[to_uchar (*line_start)]) - line_start++; - } - } - line->keybeg = line_start; - } - } - - line_start = ptr; - } - - ptr = ptrlim; - if (buf->eof) - break; - } - - buf->used = ptr - buf->buf; - buf->nlines = buffer_linelim (buf) - line; - if (buf->nlines != 0) - { - buf->left = ptr - line_start; - merge_buffer_size = mergesize + MIN_MERGE_BUFFER_SIZE; - return true; - } - - /* The current input line is too long to fit in the buffer. - Double the buffer size and try again. */ - buf->buf = x2nrealloc (buf->buf, &buf->alloc, sizeof *(buf->buf)); - } -} - -/* Compare strings A and B containing decimal fractions < 1. Each string - should begin with a decimal point followed immediately by the digits - of the fraction. Strings not of this form are considered to be zero. */ - -/* The goal here, is to take two numbers a and b... compare these - in parallel. Instead of converting each, and then comparing the - outcome. Most likely stopping the comparison before the conversion - is complete. The algorithm used, in the old sort: - - Algorithm: fraccompare - Action : compare two decimal fractions - accepts : char *a, char *b - returns : -1 if a<b, 0 if a=b, 1 if a>b. - implement: - - if *a == decimal_point AND *b == decimal_point - find first character different in a and b. - if both are digits, return the difference *a - *b. - if *a is a digit - skip past zeros - if digit return 1, else 0 - if *b is a digit - skip past zeros - if digit return -1, else 0 - if *a is a decimal_point - skip past decimal_point and zeros - if digit return 1, else 0 - if *b is a decimal_point - skip past decimal_point and zeros - if digit return -1, else 0 - return 0 */ - -static int -fraccompare (register const char *a, register const char *b) -{ - if (*a == decimal_point && *b == decimal_point) - { - while (*++a == *++b) - if (! ISDIGIT (*a)) - return 0; - if (ISDIGIT (*a) && ISDIGIT (*b)) - return *a - *b; - if (ISDIGIT (*a)) - goto a_trailing_nonzero; - if (ISDIGIT (*b)) - goto b_trailing_nonzero; - return 0; - } - else if (*a++ == decimal_point) - { - a_trailing_nonzero: - while (*a == NUMERIC_ZERO) - a++; - return ISDIGIT (*a); - } - else if (*b++ == decimal_point) - { - b_trailing_nonzero: - while (*b == NUMERIC_ZERO) - b++; - return - ISDIGIT (*b); - } - return 0; -} - -/* Compare strings A and B as numbers without explicitly converting them to - machine numbers. Comparatively slow for short strings, but asymptotically - hideously fast. */ - -static int -numcompare (register const char *a, register const char *b) -{ - char tmpa; - char tmpb; - int tmp; - size_t log_a; - size_t log_b; - -#if HAVE_MBRTOWC - if (MB_CUR_MAX > 1) - { - size_t mblength; - size_t alen = strnlen (a, MB_LEN_MAX); - size_t blen = strnlen (b, MB_LEN_MAX); - - while (ismbblank (a, alen, &mblength)) - a += mblength, alen -= mblength; - while (ismbblank (b, blen, &mblength)) - b += mblength, blen -= mblength; - - tmpa = *a; - tmpb = *b; - } - else -#endif - { - tmpa = *a; - tmpb = *b; - - while (blanks[to_uchar (tmpa)]) - tmpa = *++a; - while (blanks[to_uchar (tmpb)]) - tmpb = *++b; - } - - if (tmpa == NEGATION_SIGN) - { - do - tmpa = *++a; - while (tmpa == NUMERIC_ZERO || IS_THOUSANDS_SEP (tmpa)); - if (tmpb != NEGATION_SIGN) - { - if (tmpa == decimal_point) - do - tmpa = *++a; - while (tmpa == NUMERIC_ZERO); - if (ISDIGIT (tmpa)) - return -1; - while (tmpb == NUMERIC_ZERO || IS_THOUSANDS_SEP (tmpb)) - tmpb = *++b; - if (tmpb == decimal_point) - do - tmpb = *++b; - while (tmpb == NUMERIC_ZERO); - if (ISDIGIT (tmpb)) - return -1; - return 0; - } - do - tmpb = *++b; - while (tmpb == NUMERIC_ZERO || IS_THOUSANDS_SEP (tmpb)); - - while (tmpa == tmpb && ISDIGIT (tmpa)) - { - do - tmpa = *++a; - while (IS_THOUSANDS_SEP (tmpa)); - do - tmpb = *++b; - while (IS_THOUSANDS_SEP (tmpb)); - } - - if ((tmpa == decimal_point && !ISDIGIT (tmpb)) - || (tmpb == decimal_point && !ISDIGIT (tmpa))) - return -fraccompare (a, b); - - tmp = tmpb - tmpa; - - for (log_a = 0; ISDIGIT (tmpa); ++log_a) - do - tmpa = *++a; - while (IS_THOUSANDS_SEP (tmpa)); - - for (log_b = 0; ISDIGIT (tmpb); ++log_b) - do - tmpb = *++b; - while (IS_THOUSANDS_SEP (tmpb)); - - if (log_a != log_b) - return log_a < log_b ? 1 : -1; - - if (!log_a) - return 0; - - return tmp; - } - else if (tmpb == NEGATION_SIGN) - { - do - tmpb = *++b; - while (tmpb == NUMERIC_ZERO || IS_THOUSANDS_SEP (tmpb)); - if (tmpb == decimal_point) - do - tmpb = *++b; - while (tmpb == NUMERIC_ZERO); - if (ISDIGIT (tmpb)) - return 1; - while (tmpa == NUMERIC_ZERO || IS_THOUSANDS_SEP (tmpa)) - tmpa = *++a; - if (tmpa == decimal_point) - do - tmpa = *++a; - while (tmpa == NUMERIC_ZERO); - if (ISDIGIT (tmpa)) - return 1; - return 0; - } - else - { - while (tmpa == NUMERIC_ZERO || IS_THOUSANDS_SEP (tmpa)) - tmpa = *++a; - while (tmpb == NUMERIC_ZERO || IS_THOUSANDS_SEP (tmpb)) - tmpb = *++b; - - while (tmpa == tmpb && ISDIGIT (tmpa)) - { - do - tmpa = *++a; - while (IS_THOUSANDS_SEP (tmpa)); - do - tmpb = *++b; - while (IS_THOUSANDS_SEP (tmpb)); - } - - if ((tmpa == decimal_point && !ISDIGIT (tmpb)) - || (tmpb == decimal_point && !ISDIGIT (tmpa))) - return fraccompare (a, b); - - tmp = tmpa - tmpb; - - for (log_a = 0; ISDIGIT (tmpa); ++log_a) - do - tmpa = *++a; - while (IS_THOUSANDS_SEP (tmpa)); - - for (log_b = 0; ISDIGIT (tmpb); ++log_b) - do - tmpb = *++b; - while (IS_THOUSANDS_SEP (tmpb)); - - if (log_a != log_b) - return log_a < log_b ? -1 : 1; - - if (!log_a) - return 0; - - return tmp; - } -} - -static int -general_numcompare (const char *sa, const char *sb) -{ - /* FIXME: add option to warn about failed conversions. */ - /* FIXME: maybe add option to try expensive FP conversion - only if A and B can't be compared more cheaply/accurately. */ - - char *bufa, *ea; - char *bufb, *eb; - double a; - double b; - - char *p; - struct lconv *lconvp = localeconv (); - size_t thousands_sep_len = strlen (lconvp->thousands_sep); - - bufa = (char *) xmalloc (strlen (sa) + 1); - bufb = (char *) xmalloc (strlen (sb) + 1); - strcpy (bufa, sa); - strcpy (bufb, sb); - - if (force_general_numcompare) - { - while (1) - { - a = strtod (bufa, &ea); - if (memcmp (ea, lconvp->thousands_sep, thousands_sep_len) == 0) - { - for (p = ea; *(p + thousands_sep_len) != '\0'; p++) - *p = *(p + thousands_sep_len); - *p = '\0'; - continue; - } - break; - } - - while (1) - { - b = strtod (bufb, &eb); - if (memcmp (eb, lconvp->thousands_sep, thousands_sep_len) == 0) - { - for (p = eb; *(p + thousands_sep_len) != '\0'; p++) - *p = *(p + thousands_sep_len); - *p = '\0'; - continue; - } - break; - } - } - else - { - a = strtod (bufa, &ea); - b = strtod (bufb, &eb); - } - - /* Put conversion errors at the start of the collating sequence. */ - free (bufa); - free (bufb); - if (bufa == ea) - return bufb == eb ? 0 : -1; - if (bufb == eb) - return 1; - - /* Sort numbers in the usual way, where -0 == +0. Put NaNs after - conversion errors but before numbers; sort them by internal - bit-pattern, for lack of a more portable alternative. */ - return (a < b ? -1 - : a > b ? 1 - : a == b ? 0 - : b == b ? -1 - : a == a ? 1 - : memcmp ((char *) &a, (char *) &b, sizeof a)); -} - -/* Return an integer in 1..12 of the month name S with length LEN. - Return 0 if the name in S is not recognized. */ - -static int -getmonth_uni (const char *s, size_t len) -{ - char *month; - register size_t i; - register int lo = 0, hi = MONTHS_PER_YEAR, result; - - while (len > 0 && blanks[to_uchar (*s)]) - { - ++s; - --len; - } - - if (len == 0) - return 0; - - month = alloca (len + 1); - for (i = 0; i < len; ++i) - month[i] = fold_toupper[to_uchar (s[i])]; - month[len] = '\0'; - - do - { - int ix = (lo + hi) / 2; - - if (strncmp (month, monthtab[ix].name, strlen (monthtab[ix].name)) < 0) - hi = ix; - else - lo = ix; - } - while (hi - lo > 1); - - result = (!strncmp (month, monthtab[lo].name, strlen (monthtab[lo].name)) - ? monthtab[lo].val : 0); - - return result; -} - -#if HAVE_MBRTOWC -static int -getmonth_mb (const char *s, size_t len) -{ - char *month; - register size_t i; - register int lo = 0, hi = MONTHS_PER_YEAR, result; - char *tmp; - size_t wclength, mblength; - const char **pp; - const wchar_t **wpp; - wchar_t *month_wcs; - mbstate_t state; - - while (len > 0 && ismbblank (s, len, &mblength)) - { - s += mblength; - len -= mblength; - } - - if (len == 0) - return 0; - - month = (char *) alloca (len + 1); - - tmp = (char *) alloca (len + 1); - memcpy (tmp, s, len); - tmp[len] = '\0'; - pp = (const char **)&tmp; - month_wcs = (wchar_t *) alloca ((len + 1) * sizeof (wchar_t)); - memset (&state, '\0', sizeof(mbstate_t)); - - wclength = mbsrtowcs (month_wcs, pp, len + 1, &state); - assert (wclength != (size_t)-1 && *pp == NULL); - - for (i = 0; i < wclength; i++) - month_wcs[i] = towupper(month_wcs[i]); - month_wcs[i] = L'\0'; - - wpp = (const wchar_t **)&month_wcs; - - mblength = wcsrtombs (month, wpp, len + 1, &state); - assert (mblength != (-1) && *wpp == NULL); - - do - { - int ix = (lo + hi) / 2; - - if (strncmp (month, monthtab[ix].name, strlen (monthtab[ix].name)) < 0) - hi = ix; - else - lo = ix; - } - while (hi - lo > 1); - - result = (!strncmp (month, monthtab[lo].name, strlen (monthtab[lo].name)) - ? monthtab[lo].val : 0); - - return result; -} -#endif - -/* Compare two lines A and B trying every key in sequence until there - are no more keys or a difference is found. */ - -static int -keycompare_uni (const struct line *a, const struct line *b) -{ - struct keyfield const *key = keylist; - - /* For the first iteration only, the key positions have been - precomputed for us. */ - register char *texta = a->keybeg; - register char *textb = b->keybeg; - register char *lima = a->keylim; - register char *limb = b->keylim; - - int diff; - - for (;;) - { - register char const *translate = key->translate; - register bool const *ignore = key->ignore; - - /* Find the lengths. */ - size_t lena = lima <= texta ? 0 : lima - texta; - size_t lenb = limb <= textb ? 0 : limb - textb; - - /* Actually compare the fields. */ - if (key->numeric | key->general_numeric) - { - char savea = *lima, saveb = *limb; - - *lima = *limb = '\0'; - diff = ((key->numeric ? numcompare : general_numcompare) - (texta, textb)); - *lima = savea, *limb = saveb; - } - else if (key->month) - diff = getmonth (texta, lena) - getmonth (textb, lenb); - /* Sorting like this may become slow, so in a simple locale the user - can select a faster sort that is similar to ascii sort */ - else if (HAVE_SETLOCALE && hard_LC_COLLATE) - { - if (ignore || translate) - { - char *copy_a = alloca (lena + 1 + lenb + 1); - char *copy_b = copy_a + lena + 1; - size_t new_len_a, new_len_b, i; - - /* Ignore and/or translate chars before comparing. */ - for (new_len_a = new_len_b = i = 0; i < MAX (lena, lenb); i++) - { - if (i < lena) - { - copy_a[new_len_a] = (translate - ? translate[to_uchar (texta[i])] - : texta[i]); - if (!ignore || !ignore[to_uchar (texta[i])]) - ++new_len_a; - } - if (i < lenb) - { - copy_b[new_len_b] = (translate - ? translate[to_uchar (textb[i])] - : textb [i]); - if (!ignore || !ignore[to_uchar (textb[i])]) - ++new_len_b; - } - } - - diff = xmemcoll (copy_a, new_len_a, copy_b, new_len_b); - } - else if (lena == 0) - diff = - NONZERO (lenb); - else if (lenb == 0) - goto greater; - else - diff = xmemcoll (texta, lena, textb, lenb); - } - else if (ignore) - { -#define CMP_WITH_IGNORE(A, B) \ - do \ - { \ - for (;;) \ - { \ - while (texta < lima && ignore[to_uchar (*texta)]) \ - ++texta; \ - while (textb < limb && ignore[to_uchar (*textb)]) \ - ++textb; \ - if (! (texta < lima && textb < limb)) \ - break; \ - diff = to_uchar (A) - to_uchar (B); \ - if (diff) \ - goto not_equal; \ - ++texta; \ - ++textb; \ - } \ - \ - diff = (texta < lima) - (textb < limb); \ - } \ - while (0) - - if (translate) - CMP_WITH_IGNORE (translate[to_uchar (*texta)], - translate[to_uchar (*textb)]); - else - CMP_WITH_IGNORE (*texta, *textb); - } - else if (lena == 0) - diff = - NONZERO (lenb); - else if (lenb == 0) - goto greater; - else - { - if (translate) - { - while (texta < lima && textb < limb) - { - diff = (to_uchar (translate[to_uchar (*texta++)]) - - to_uchar (translate[to_uchar (*textb++)])); - if (diff) - goto not_equal; - } - } - else - { - diff = memcmp (texta, textb, MIN (lena, lenb)); - if (diff) - goto not_equal; - } - diff = lena < lenb ? -1 : lena != lenb; - } - - if (diff) - goto not_equal; - - key = key->next; - if (! key) - break; - - /* Find the beginning and limit of the next field. */ - if (key->eword != SIZE_MAX) - lima = limfield (a, key), limb = limfield (b, key); - else - lima = a->text + a->length - 1, limb = b->text + b->length - 1; - - if (key->sword != SIZE_MAX) - texta = begfield (a, key), textb = begfield (b, key); - else - { - texta = a->text, textb = b->text; - if (key->skipsblanks) - { - while (texta < lima && blanks[to_uchar (*texta)]) - ++texta; - while (textb < limb && blanks[to_uchar (*textb)]) - ++textb; - } - } - } - - return 0; - - greater: - diff = 1; - not_equal: - return key->reverse ? -diff : diff; -} - -#if HAVE_MBRTOWC -static int -keycompare_mb (const struct line *a, const struct line *b) -{ - struct keyfield *key = keylist; - - /* For the first iteration only, the key positions have been - precomputed for us. */ - char *texta = a->keybeg; - char *textb = b->keybeg; - char *lima = a->keylim; - char *limb = b->keylim; - - size_t mblength_a, mblength_b; - wchar_t wc_a, wc_b; - mbstate_t state_a, state_b; - - int diff; - - memset (&state_a, '\0', sizeof(mbstate_t)); - memset (&state_b, '\0', sizeof(mbstate_t)); - - for (;;) - { - unsigned char *translate = (unsigned char *) key->translate; - bool const *ignore = key->ignore; - - /* Find the lengths. */ - size_t lena = lima <= texta ? 0 : lima - texta; - size_t lenb = limb <= textb ? 0 : limb - textb; - - /* Actually compare the fields. */ - if (key->numeric | key->general_numeric) - { - char savea = *lima, saveb = *limb; - - *lima = *limb = '\0'; - if (force_general_numcompare) - diff = general_numcompare (texta, textb); - else - diff = ((key->numeric ? numcompare : general_numcompare) - (texta, textb)); - *lima = savea, *limb = saveb; - } - else if (key->month) - diff = getmonth (texta, lena) - getmonth (textb, lenb); - else - { - if (ignore || translate) - { - char *copy_a = (char *) alloca (lena + 1 + lenb + 1); - char *copy_b = copy_a + lena + 1; - size_t new_len_a, new_len_b; - size_t i, j; - - /* Ignore and/or translate chars before comparing. */ -# define IGNORE_CHARS(NEW_LEN, LEN, TEXT, COPY, WC, MBLENGTH, STATE) \ - do \ - { \ - wchar_t uwc; \ - char mbc[MB_LEN_MAX]; \ - mbstate_t state_wc; \ - \ - for (NEW_LEN = i = 0; i < LEN;) \ - { \ - mbstate_t state_bak; \ - \ - state_bak = STATE; \ - MBLENGTH = mbrtowc (&WC, TEXT + i, LEN - i, &STATE); \ - \ - if (MBLENGTH == (size_t)-2 || MBLENGTH == (size_t)-1 \ - || MBLENGTH == 0) \ - { \ - if (MBLENGTH == (size_t)-2 || MBLENGTH == (size_t)-1) \ - STATE = state_bak; \ - if (!ignore) \ - COPY[NEW_LEN++] = TEXT[i++]; \ - continue; \ - } \ - \ - if (ignore) \ - { \ - if ((ignore == nonprinting && !iswprint (WC)) \ - || (ignore == nondictionary \ - && !iswalnum (WC) && !iswblank (WC))) \ - { \ - i += MBLENGTH; \ - continue; \ - } \ - } \ - \ - if (translate) \ - { \ - \ - uwc = toupper(WC); \ - if (WC == uwc) \ - { \ - memcpy (mbc, TEXT + i, MBLENGTH); \ - i += MBLENGTH; \ - } \ - else \ - { \ - i += MBLENGTH; \ - WC = uwc; \ - memset (&state_wc, '\0', sizeof (mbstate_t)); \ - \ - MBLENGTH = wcrtomb (mbc, WC, &state_wc); \ - assert (MBLENGTH != (size_t)-1 && MBLENGTH != 0); \ - } \ - \ - for (j = 0; j < MBLENGTH; j++) \ - COPY[NEW_LEN++] = mbc[j]; \ - } \ - else \ - for (j = 0; j < MBLENGTH; j++) \ - COPY[NEW_LEN++] = TEXT[i++]; \ - } \ - COPY[NEW_LEN] = '\0'; \ - } \ - while (0) - IGNORE_CHARS (new_len_a, lena, texta, copy_a, - wc_a, mblength_a, state_a); - IGNORE_CHARS (new_len_b, lenb, textb, copy_b, - wc_b, mblength_b, state_b); - diff = xmemcoll (copy_a, new_len_a, copy_b, new_len_b); - } - else if (lena == 0) - diff = - NONZERO (lenb); - else if (lenb == 0) - goto greater; - else - diff = xmemcoll (texta, lena, textb, lenb); - } - - if (diff) - goto not_equal; - - key = key->next; - if (! key) - break; - - /* Find the beginning and limit of the next field. */ - if (key->eword != -1) - lima = limfield (a, key), limb = limfield (b, key); - else - lima = a->text + a->length - 1, limb = b->text + b->length - 1; - - if (key->sword != -1) - texta = begfield (a, key), textb = begfield (b, key); - else - { - texta = a->text, textb = b->text; - if (key->skipsblanks) - { - while (texta < lima && ismbblank (texta, lima - texta, &mblength_a)) - texta += mblength_a; - while (textb < limb && ismbblank (textb, limb - textb, &mblength_b)) - textb += mblength_b; - } - } - } - - return 0; - -greater: - diff = 1; -not_equal: - return key->reverse ? -diff : diff; -} -#endif - -/* Compare two lines A and B, returning negative, zero, or positive - depending on whether A compares less than, equal to, or greater than B. */ - -static int -compare (register const struct line *a, register const struct line *b) -{ - int diff; - size_t alen, blen; - - /* First try to compare on the specified keys (if any). - The only two cases with no key at all are unadorned sort, - and unadorned sort -r. */ - if (keylist) - { - diff = keycompare (a, b); - alloca (0); - if (diff | unique | stable) - return diff; - } - - /* If the keys all compare equal (or no keys were specified) - fall through to the default comparison. */ - alen = a->length - 1, blen = b->length - 1; - - if (alen == 0) - diff = - NONZERO (blen); - else if (blen == 0) - diff = 1; - else if (HAVE_SETLOCALE && hard_LC_COLLATE) - diff = xmemcoll (a->text, alen, b->text, blen); - else if (! (diff = memcmp (a->text, b->text, MIN (alen, blen)))) - diff = alen < blen ? -1 : alen != blen; - - return reverse ? -diff : diff; -} - -/* Check that the lines read from FILE_NAME come in order. Print a - diagnostic (FILE_NAME, line number, contents of line) to stderr and return - false if they are not in order. Otherwise, print no diagnostic - and return true. */ - -static bool -check (char const *file_name) -{ - FILE *fp = xfopen (file_name, "r"); - struct buffer buf; /* Input buffer. */ - struct line temp; /* Copy of previous line. */ - size_t alloc = 0; - uintmax_t line_number = 0; - struct keyfield const *key = keylist; - bool nonunique = ! unique; - bool ordered = true; - - initbuf (&buf, sizeof (struct line), - MAX (merge_buffer_size, sort_size)); - temp.text = NULL; - - while (fillbuf (&buf, fp, file_name)) - { - struct line const *line = buffer_linelim (&buf); - struct line const *linebase = line - buf.nlines; - - /* Make sure the line saved from the old buffer contents is - less than or equal to the first line of the new buffer. */ - if (alloc && nonunique <= compare (&temp, line - 1)) - { - found_disorder: - { - struct line const *disorder_line = line - 1; - uintmax_t disorder_line_number = - buffer_linelim (&buf) - disorder_line + line_number; - char hr_buf[INT_BUFSIZE_BOUND (uintmax_t)]; - fprintf (stderr, _("%s: %s:%s: disorder: "), - program_name, file_name, - umaxtostr (disorder_line_number, hr_buf)); - write_bytes (disorder_line->text, disorder_line->length, stderr, - _("standard error")); - ordered = false; - break; - } - } - - /* Compare each line in the buffer with its successor. */ - while (linebase < --line) - if (nonunique <= compare (line, line - 1)) - goto found_disorder; - - line_number += buf.nlines; - - /* Save the last line of the buffer. */ - if (alloc < line->length) - { - do - { - alloc *= 2; - if (! alloc) - { - alloc = line->length; - break; - } - } - while (alloc < line->length); - - temp.text = xrealloc (temp.text, alloc); - } - memcpy (temp.text, line->text, line->length); - temp.length = line->length; - if (key) - { - temp.keybeg = temp.text + (line->keybeg - line->text); - temp.keylim = temp.text + (line->keylim - line->text); - } - } - - xfclose (fp, file_name); - free (buf.buf); - if (temp.text) - free (temp.text); - return ordered; -} - -/* Merge lines from FILES onto OFP. NFILES cannot be greater than - NMERGE. Close input and output files before returning. - OUTPUT_FILE gives the name of the output file. If it is NULL, - the output file is standard output. If OFP is NULL, the output - file has not been opened yet (or written to, if standard output). */ - -static void -mergefps (char **files, register int nfiles, - FILE *ofp, const char *output_file) -{ - FILE *fps[NMERGE]; /* Input streams for each file. */ - struct buffer buffer[NMERGE]; /* Input buffers for each file. */ - struct line saved; /* Saved line storage for unique check. */ - struct line const *savedline = NULL; - /* &saved if there is a saved line. */ - size_t savealloc = 0; /* Size allocated for the saved line. */ - struct line const *cur[NMERGE]; /* Current line in each line table. */ - struct line const *base[NMERGE]; /* Base of each line table. */ - int ord[NMERGE]; /* Table representing a permutation of fps, - such that cur[ord[0]] is the smallest line - and will be next output. */ - register int i, j, t; - struct keyfield const *key = keylist; - saved.text = NULL; - - /* Read initial lines from each input file. */ - for (i = 0; i < nfiles; ) - { - fps[i] = xfopen (files[i], "r"); - initbuf (&buffer[i], sizeof (struct line), - MAX (merge_buffer_size, sort_size / nfiles)); - if (fillbuf (&buffer[i], fps[i], files[i])) - { - struct line const *linelim = buffer_linelim (&buffer[i]); - cur[i] = linelim - 1; - base[i] = linelim - buffer[i].nlines; - i++; - } - else - { - /* fps[i] is empty; eliminate it from future consideration. */ - xfclose (fps[i], files[i]); - zaptemp (files[i]); - free (buffer[i].buf); - --nfiles; - for (j = i; j < nfiles; ++j) - files[j] = files[j + 1]; - } - } - - if (! ofp) - ofp = xfopen (output_file, "w"); - - /* Set up the ord table according to comparisons among input lines. - Since this only reorders two items if one is strictly greater than - the other, it is stable. */ - for (i = 0; i < nfiles; ++i) - ord[i] = i; - for (i = 1; i < nfiles; ++i) - if (0 < compare (cur[ord[i - 1]], cur[ord[i]])) - t = ord[i - 1], ord[i - 1] = ord[i], ord[i] = t, i = 0; - - /* Repeatedly output the smallest line until no input remains. */ - while (nfiles) - { - struct line const *smallest = cur[ord[0]]; - - /* If uniquified output is turned on, output only the first of - an identical series of lines. */ - if (unique) - { - if (savedline && compare (savedline, smallest)) - { - savedline = 0; - write_bytes (saved.text, saved.length, ofp, output_file); - } - if (!savedline) - { - savedline = &saved; - if (savealloc < smallest->length) - { - do - if (! savealloc) - { - savealloc = smallest->length; - break; - } - while ((savealloc *= 2) < smallest->length); - - saved.text = xrealloc (saved.text, savealloc); - } - saved.length = smallest->length; - memcpy (saved.text, smallest->text, saved.length); - if (key) - { - saved.keybeg = - saved.text + (smallest->keybeg - smallest->text); - saved.keylim = - saved.text + (smallest->keylim - smallest->text); - } - } - } - else - write_bytes (smallest->text, smallest->length, ofp, output_file); - - /* Check if we need to read more lines into core. */ - if (base[ord[0]] < smallest) - cur[ord[0]] = smallest - 1; - else - { - if (fillbuf (&buffer[ord[0]], fps[ord[0]], files[ord[0]])) - { - struct line const *linelim = buffer_linelim (&buffer[ord[0]]); - cur[ord[0]] = linelim - 1; - base[ord[0]] = linelim - buffer[ord[0]].nlines; - } - else - { - /* We reached EOF on fps[ord[0]]. */ - for (i = 1; i < nfiles; ++i) - if (ord[i] > ord[0]) - --ord[i]; - --nfiles; - xfclose (fps[ord[0]], files[ord[0]]); - zaptemp (files[ord[0]]); - free (buffer[ord[0]].buf); - for (i = ord[0]; i < nfiles; ++i) - { - fps[i] = fps[i + 1]; - files[i] = files[i + 1]; - buffer[i] = buffer[i + 1]; - cur[i] = cur[i + 1]; - base[i] = base[i + 1]; - } - for (i = 0; i < nfiles; ++i) - ord[i] = ord[i + 1]; - continue; - } - } - - /* The new line just read in may be larger than other lines - already in core; push it back in the queue until we encounter - a line larger than it. */ - for (i = 1; i < nfiles; ++i) - { - t = compare (cur[ord[0]], cur[ord[i]]); - if (!t) - t = ord[0] - ord[i]; - if (t < 0) - break; - } - t = ord[0]; - for (j = 1; j < i; ++j) - ord[j - 1] = ord[j]; - ord[i - 1] = t; - } - - if (unique && savedline) - { - write_bytes (saved.text, saved.length, ofp, output_file); - free (saved.text); - } - - xfclose (ofp, output_file); -} - -/* Merge into T the two sorted arrays of lines LO (with NLO members) - and HI (with NHI members). T, LO, and HI point just past their - respective arrays, and the arrays are in reverse order. NLO and - NHI must be positive, and HI - NHI must equal T - (NLO + NHI). */ - -static inline void -mergelines (struct line *t, - struct line const *lo, size_t nlo, - struct line const *hi, size_t nhi) -{ - for (;;) - if (compare (lo - 1, hi - 1) <= 0) - { - *--t = *--lo; - if (! --nlo) - { - /* HI - NHI equalled T - (NLO + NHI) when this function - began. Therefore HI must equal T now, and there is no - need to copy from HI to T. */ - return; - } - } - else - { - *--t = *--hi; - if (! --nhi) - { - do - *--t = *--lo; - while (--nlo); - - return; - } - } -} - -/* Sort the array LINES with NLINES members, using TEMP for temporary space. - NLINES must be at least 2. - The input and output arrays are in reverse order, and LINES and - TEMP point just past the end of their respective arrays. - - Use a recursive divide-and-conquer algorithm, in the style - suggested by Knuth volume 3 (2nd edition), exercise 5.2.4-23. Use - the optimization suggested by exercise 5.2.4-10; this requires room - for only 1.5*N lines, rather than the usual 2*N lines. Knuth - writes that this memory optimization was originally published by - D. A. Bell, Comp J. 1 (1958), 75. */ - -static void -sortlines (struct line *lines, size_t nlines, struct line *temp) -{ - if (nlines == 2) - { - if (0 < compare (&lines[-1], &lines[-2])) - { - struct line tmp = lines[-1]; - lines[-1] = lines[-2]; - lines[-2] = tmp; - } - } - else - { - size_t nlo = nlines / 2; - size_t nhi = nlines - nlo; - struct line *lo = lines; - struct line *hi = lines - nlo; - struct line *sorted_lo = temp; - - sortlines (hi, nhi, temp); - if (1 < nlo) - sortlines_temp (lo, nlo, sorted_lo); - else - sorted_lo[-1] = lo[-1]; - - mergelines (lines, sorted_lo, nlo, hi, nhi); - } -} - -/* Like sortlines (LINES, NLINES, TEMP), except output into TEMP - rather than sorting in place. */ - -static void -sortlines_temp (struct line *lines, size_t nlines, struct line *temp) -{ - if (nlines == 2) - { - bool swap = (0 < compare (&lines[-1], &lines[-2])); - temp[-1] = lines[-1 - swap]; - temp[-2] = lines[-2 + swap]; - } - else - { - size_t nlo = nlines / 2; - size_t nhi = nlines - nlo; - struct line *lo = lines; - struct line *hi = lines - nlo; - struct line *sorted_hi = temp - nlo; - - sortlines_temp (hi, nhi, sorted_hi); - if (1 < nlo) - sortlines (lo, nlo, temp); - - mergelines (temp, lo, nlo, sorted_hi, nhi); - } -} - -/* Return the index of the first of NFILES FILES that is the same file - as OUTFILE. If none can be the same, return NFILES. - - This test ensures that an otherwise-erroneous use like - "sort -m -o FILE ... FILE ..." copies FILE before writing to it. - It's not clear that POSIX requires this nicety. - Detect common error cases, but don't try to catch obscure cases like - "cat ... FILE ... | sort -m -o FILE" - where traditional "sort" doesn't copy the input and where - people should know that they're getting into trouble anyway. - Catching these obscure cases would slow down performance in - common cases. */ - -static int -first_same_file (char * const *files, int nfiles, char const *outfile) -{ - int i; - bool got_outstat = false; - struct stat instat, outstat; - - for (i = 0; i < nfiles; i++) - { - bool standard_input = STREQ (files[i], "-"); - - if (outfile && STREQ (outfile, files[i]) && ! standard_input) - return i; - - if (! got_outstat) - { - got_outstat = true; - if ((outfile - ? stat (outfile, &outstat) - : fstat (STDOUT_FILENO, &outstat)) - != 0) - return nfiles; - } - - if (((standard_input - ? fstat (STDIN_FILENO, &instat) - : stat (files[i], &instat)) - == 0) - && SAME_INODE (instat, outstat)) - return i; - } - - return nfiles; -} - -/* Merge NFILES FILES onto OUTPUT_FILE. However, merge at most - MAX_MERGE input files directly onto OUTPUT_FILE. MAX_MERGE cannot - exceed NMERGE. A null OUTPUT_FILE stands for standard output. */ - -static void -merge (char **files, int nfiles, int max_merge, char const *output_file) -{ - while (max_merge < nfiles) - { - FILE *tfp; - int i, t = 0; - char *temp; - for (i = 0; i < nfiles / NMERGE; ++i) - { - temp = create_temp_file (&tfp); - mergefps (&files[i * NMERGE], NMERGE, tfp, temp); - files[t++] = temp; - } - temp = create_temp_file (&tfp); - mergefps (&files[i * NMERGE], nfiles % NMERGE, tfp, temp); - files[t++] = temp; - nfiles = t; - if (nfiles == 1) - break; - } - - mergefps (files, nfiles, NULL, output_file); -} - -/* Sort NFILES FILES onto OUTPUT_FILE. */ - -static void -sort (char * const *files, int nfiles, char const *output_file) -{ - struct buffer buf; - int n_temp_files = 0; - bool output_file_created = false; - - buf.alloc = 0; - - while (nfiles) - { - char const *temp_output; - char const *file = *files; - FILE *fp = xfopen (file, "r"); - FILE *tfp; - size_t bytes_per_line = (2 * sizeof (struct line) - - sizeof (struct line) / 2); - - if (! buf.alloc) - initbuf (&buf, bytes_per_line, - sort_buffer_size (&fp, 1, files, nfiles, bytes_per_line)); - buf.eof = false; - files++; - nfiles--; - - while (fillbuf (&buf, fp, file)) - { - struct line *line; - struct line *linebase; - - if (buf.eof && nfiles - && (bytes_per_line + 1 - < (buf.alloc - buf.used - bytes_per_line * buf.nlines))) - { - /* End of file, but there is more input and buffer room. - Concatenate the next input file; this is faster in - the usual case. */ - buf.left = buf.used; - break; - } - - line = buffer_linelim (&buf); - linebase = line - buf.nlines; - if (1 < buf.nlines) - sortlines (line, buf.nlines, linebase); - if (buf.eof && !nfiles && !n_temp_files && !buf.left) - { - xfclose (fp, file); - tfp = xfopen (output_file, "w"); - temp_output = output_file; - output_file_created = true; - } - else - { - ++n_temp_files; - temp_output = create_temp_file (&tfp); - } - - do - { - line--; - write_bytes (line->text, line->length, tfp, temp_output); - if (unique) - while (linebase < line && compare (line, line - 1) == 0) - line--; - } - while (linebase < line); - - xfclose (tfp, temp_output); - - if (output_file_created) - goto finish; - } - xfclose (fp, file); - } - - finish: - free (buf.buf); - - if (! output_file_created) - { - int i = n_temp_files; - struct tempnode *node; - char **tempfiles = xnmalloc (n_temp_files, sizeof *tempfiles); - for (node = temphead; i > 0; node = node->next) - tempfiles[--i] = node->name; - merge (tempfiles, n_temp_files, NMERGE, output_file); - free (tempfiles); - } -} - -/* Insert key KEY at the end of the key list. */ - -static void -insertkey (struct keyfield *key) -{ - struct keyfield **p; - - for (p = &keylist; *p; p = &(*p)->next) - continue; - *p = key; - key->next = NULL; -} - -/* Report a bad field specification SPEC, with extra info MSGID. */ - -static void badfieldspec (char const *, char const *) - ATTRIBUTE_NORETURN; -static void -badfieldspec (char const *spec, char const *msgid) -{ - error (SORT_FAILURE, 0, _("%s: invalid field specification `%s'"), - _(msgid), spec); - abort (); -} - -/* Parse the leading integer in STRING and store the resulting value - (which must fit into size_t) into *VAL. Return the address of the - suffix after the integer. If MSGID is NULL, return NULL after - failure; otherwise, report MSGID and exit on failure. */ - -static char const * -parse_field_count (char const *string, size_t *val, char const *msgid) -{ - char *suffix; - uintmax_t n; - - switch (xstrtoumax (string, &suffix, 10, &n, "")) - { - case LONGINT_OK: - case LONGINT_INVALID_SUFFIX_CHAR: - *val = n; - if (*val == n) - break; - /* Fall through. */ - case LONGINT_OVERFLOW: - case LONGINT_OVERFLOW | LONGINT_INVALID_SUFFIX_CHAR: - if (msgid) - error (SORT_FAILURE, 0, _("%s: count `%.*s' too large"), - _(msgid), (int) (suffix - string), string); - return NULL; - - case LONGINT_INVALID: - if (msgid) - error (SORT_FAILURE, 0, _("%s: invalid count at start of `%s'"), - _(msgid), string); - return NULL; - } - - return suffix; -} - -/* Handle interrupts and hangups. */ - -static void -sighandler (int sig) -{ -#ifndef SA_NOCLDSTOP - signal (sig, SIG_IGN); -#endif - - cleanup (); - - signal (sig, SIG_DFL); - raise (sig); -} - -/* Set the ordering options for KEY specified in S. - Return the address of the first character in S that - is not a valid ordering option. - BLANKTYPE is the kind of blanks that 'b' should skip. */ - -static char * -set_ordering (register const char *s, struct keyfield *key, - enum blanktype blanktype) -{ - while (*s) - { - switch (*s) - { - case 'b': - if (blanktype == bl_start || blanktype == bl_both) - key->skipsblanks = true; - if (blanktype == bl_end || blanktype == bl_both) - key->skipeblanks = true; - break; - case 'd': - key->ignore = nondictionary; - break; - case 'f': - key->translate = fold_toupper; - break; - case 'g': - key->general_numeric = true; - break; - case 'i': - /* Option order should not matter, so don't let -i override - -d. -d implies -i, but -i does not imply -d. */ - if (! key->ignore) - key->ignore = nonprinting; - break; - case 'M': - key->month = true; - break; - case 'n': - key->numeric = true; - break; - case 'r': - key->reverse = true; - break; - default: - return (char *) s; - } - ++s; - } - return (char *) s; -} - -static struct keyfield * -new_key (void) -{ - struct keyfield *key = xzalloc (sizeof *key); - key->eword = SIZE_MAX; - return key; -} - -int -main (int argc, char **argv) -{ - struct keyfield *key; - struct keyfield gkey; - char const *s; - int c = 0; - bool checkonly = false; - bool mergeonly = false; - int nfiles = 0; - bool posixly_correct = (getenv ("POSIXLY_CORRECT") != NULL); - bool obsolete_usage = (posix2_version () < 200112); - char const *short_options = (obsolete_usage - ? COMMON_SHORT_OPTIONS "y::" - : COMMON_SHORT_OPTIONS "y:"); - char *minus = "-", **files; - char const *outfile = NULL; - - initialize_main (&argc, &argv); - program_name = argv[0]; - setlocale (LC_ALL, ""); - bindtextdomain (PACKAGE, LOCALEDIR); - textdomain (PACKAGE); - - atexit (cleanup); - - initialize_exit_failure (SORT_FAILURE); - atexit (close_stdout); - - hard_LC_COLLATE = hard_locale (LC_COLLATE); -#if HAVE_NL_LANGINFO - hard_LC_TIME = hard_locale (LC_TIME); -#endif - -#if HAVE_SETLOCALE - /* Let's get locale's representation of the decimal point */ - { - struct lconv const *lconvp = localeconv (); - - decimal_point = *lconvp->decimal_point; - if (! decimal_point || lconvp->decimal_point[1]) - { - decimal_point = C_DECIMAL_POINT; - if (lconvp->decimal_point[0] && lconvp->decimal_point[1]) - force_general_numcompare = 1; - } - - /* We don't support multibyte thousands separators yet. */ - th_sep = *lconvp->thousands_sep; - if (! th_sep || lconvp->thousands_sep[1]) - { - th_sep = CHAR_MAX + 1; - if (lconvp->thousands_sep[0] && lconvp->thousands_sep[1]) - force_general_numcompare = 1; - } - } -#endif - -#if HAVE_MBRTOWC - if (MB_CUR_MAX > 1) - { - inittables = inittables_mb; - begfield = begfield_mb; - limfield = limfield_mb; - getmonth = getmonth_mb; - keycompare = keycompare_mb; - } - else -#endif - { - inittables = inittables_uni; - begfield = begfield_uni; - limfield = limfield_uni; - keycompare = keycompare_uni; - getmonth = getmonth_uni; - } - - have_read_stdin = false; - inittables (); - - { - int i; - static int const sig[] = { SIGHUP, SIGINT, SIGPIPE, SIGTERM }; - enum { nsigs = sizeof sig / sizeof sig[0] }; - -#ifdef SA_NOCLDSTOP - struct sigaction act; - - sigemptyset (&caught_signals); - for (i = 0; i < nsigs; i++) - { - sigaction (sig[i], NULL, &act); - if (act.sa_handler != SIG_IGN) - sigaddset (&caught_signals, sig[i]); - } - - act.sa_handler = sighandler; - act.sa_mask = caught_signals; - act.sa_flags = 0; - - for (i = 0; i < nsigs; i++) - if (sigismember (&caught_signals, sig[i])) - sigaction (sig[i], &act, NULL); -#else - for (i = 0; i < nsigs; i++) - if (signal (sig[i], SIG_IGN) != SIG_IGN) - signal (sig[i], sighandler); -#endif - } - - gkey.sword = gkey.eword = SIZE_MAX; - gkey.ignore = NULL; - gkey.translate = NULL; - gkey.numeric = gkey.general_numeric = gkey.month = gkey.reverse = false; - gkey.skipsblanks = gkey.skipeblanks = false; - - files = xnmalloc (argc, sizeof *files); - - for (;;) - { - /* Parse an operand as a file after "--" was seen; or if - pedantic and a file was seen, unless the POSIX version - predates 1003.1-2001 and -c was not seen and the operand is - "-o FILE" or "-oFILE". */ - - if (c == -1 - || (posixly_correct && nfiles != 0 - && ! (obsolete_usage - && ! checkonly - && optind != argc - && argv[optind][0] == '-' && argv[optind][1] == 'o' - && (argv[optind][2] || optind + 1 != argc))) - || ((c = getopt_long (argc, argv, short_options, - long_options, NULL)) - == -1)) - { - if (argc <= optind) - break; - files[nfiles++] = argv[optind++]; - } - else switch (c) - { - case 1: - key = NULL; - if (obsolete_usage && optarg[0] == '+') - { - /* Treat +POS1 [-POS2] as a key if possible; but silently - treat an operand as a file if it is not a valid +POS1. */ - key = new_key (); - s = parse_field_count (optarg + 1, &key->sword, NULL); - if (s && *s == '.') - s = parse_field_count (s + 1, &key->schar, NULL); - if (! (key->sword | key->schar)) - key->sword = SIZE_MAX; - if (! s || *set_ordering (s, key, bl_start)) - { - free (key); - key = NULL; - } - else - { - if (optind != argc && argv[optind][0] == '-' - && ISDIGIT (argv[optind][1])) - { - char const *optarg1 = argv[optind++]; - s = parse_field_count (optarg1 + 1, &key->eword, - N_("invalid number after `-'")); - if (*s == '.') - s = parse_field_count (s + 1, &key->echar, - N_("invalid number after `.'")); - if (*set_ordering (s, key, bl_end)) - badfieldspec (optarg1, - N_("stray character in field spec")); - } - insertkey (key); - } - } - if (! key) - files[nfiles++] = optarg; - break; - - case 'b': - case 'd': - case 'f': - case 'g': - case 'i': - case 'M': - case 'n': - case 'r': - { - char str[2]; - str[0] = c; - str[1] = '\0'; - set_ordering (str, &gkey, bl_both); - } - break; - - case 'c': - checkonly = true; - break; - - case 'k': - key = new_key (); - - /* Get POS1. */ - s = parse_field_count (optarg, &key->sword, - N_("invalid number at field start")); - if (! key->sword--) - { - /* Provoke with `sort -k0' */ - badfieldspec (optarg, N_("field number is zero")); - } - if (*s == '.') - { - s = parse_field_count (s + 1, &key->schar, - N_("invalid number after `.'")); - if (! key->schar--) - { - /* Provoke with `sort -k1.0' */ - badfieldspec (optarg, N_("character offset is zero")); - } - } - if (! (key->sword | key->schar)) - key->sword = SIZE_MAX; - s = set_ordering (s, key, bl_start); - if (*s != ',') - { - key->eword = SIZE_MAX; - key->echar = 0; - } - else - { - /* Get POS2. */ - s = parse_field_count (s + 1, &key->eword, - N_("invalid number after `,'")); - if (! key->eword--) - { - /* Provoke with `sort -k1,0' */ - badfieldspec (optarg, N_("field number is zero")); - } - if (*s == '.') - s = parse_field_count (s + 1, &key->echar, - N_("invalid number after `.'")); - else - { - /* `-k 2,3' is equivalent to `+1 -3'. */ - key->eword++; - } - s = set_ordering (s, key, bl_end); - } - if (*s) - badfieldspec (optarg, N_("stray character in field spec")); - insertkey (key); - break; - - case 'm': - mergeonly = true; - break; - - case 'o': - if (outfile && !STREQ (outfile, optarg)) - error (SORT_FAILURE, 0, _("multiple output files specified")); - outfile = optarg; - break; - - case 's': - stable = true; - break; - - case 'S': - specify_sort_size (optarg); - break; - - case 't': - { - char newtab[MB_LEN_MAX + 1]; - size_t newtab_length = 1; - strncpy (newtab, optarg, MB_LEN_MAX); - if (! newtab[0]) - error (SORT_FAILURE, 0, _("empty tab")); -#if HAVE_MBRTOWC - if (MB_CUR_MAX > 1) - { - wchar_t wc; - mbstate_t state; - size_t i; - - memset (&state, '\0', sizeof (mbstate_t)); - newtab_length = mbrtowc (&wc, newtab, strnlen (newtab, MB_LEN_MAX), &state); - switch (newtab_length) - { - case (size_t) -1: - case (size_t) -2: - case 0: - newtab_length = 1; - } - - if (optarg[newtab_length]) - { - /* Provoke with `sort -txx'. Complain about - "multi-character tab" instead of "multibyte tab", so - that the diagnostic's wording does not need to be - changed once multibyte characters are supported. */ - error (SORT_FAILURE, 0, _("multi-character tab `%s'"), - optarg); - } - } - else -#endif - - if (optarg[1]) - { - if (STREQ (optarg, "\\0")) - newtab[0] = '\0'; - else - { - /* Provoke with `sort -txx'. Complain about - "multi-character tab" instead of "multibyte tab", so - that the diagnostic's wording does not need to be - changed once multibyte characters are supported. */ - error (SORT_FAILURE, 0, _("multi-character tab `%s'"), - optarg); - } - } - if (!tab_default && (tab_length != newtab_length - || memcmp(tab, newtab, tab_length) != 0)) - error (SORT_FAILURE, 0, _("incompatible tabs")); - memcpy(tab, newtab, newtab_length); - tab_length = newtab_length; - tab_default = false; - } - break; - - case 'T': - add_temp_dir (optarg); - break; - - case 'u': - unique = true; - break; - - case 'y': - /* Accept and ignore e.g. -y0 for compatibility with Solaris - 2.x through Solaris 7. -y is marked as obsolete starting - with Solaris 8. */ - break; - - case 'z': - eolchar = 0; - break; - - case_GETOPT_HELP_CHAR; - - case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS); - - default: - usage (SORT_FAILURE); - } - } - - /* Inheritance of global options to individual keys. */ - for (key = keylist; key; key = key->next) - if (! (key->ignore || key->translate - || (key->skipsblanks | key->reverse - | key->skipeblanks | key->month | key->numeric - | key->general_numeric))) - { - key->ignore = gkey.ignore; - key->translate = gkey.translate; - key->skipsblanks = gkey.skipsblanks; - key->skipeblanks = gkey.skipeblanks; - key->month = gkey.month; - key->numeric = gkey.numeric; - key->general_numeric = gkey.general_numeric; - key->reverse = gkey.reverse; - } - - if (!keylist && (gkey.ignore || gkey.translate - || (gkey.skipsblanks | gkey.skipeblanks | gkey.month - | gkey.numeric | gkey.general_numeric))) - insertkey (&gkey); - reverse = gkey.reverse; - - if (temp_dir_count == 0) - { - char const *tmp_dir = getenv ("TMPDIR"); - add_temp_dir (tmp_dir ? tmp_dir : DEFAULT_TMPDIR); - } - - if (nfiles == 0) - { - nfiles = 1; - files = − - } - - if (checkonly) - { - if (nfiles > 1) - { - error (0, 0, _("extra operand %s not allowed with -c"), - quote (files[1])); - usage (SORT_FAILURE); - } - - /* POSIX requires that sort return 1 IFF invoked with -c and the - input is not properly sorted. */ - exit (check (files[0]) ? EXIT_SUCCESS : SORT_OUT_OF_ORDER); - } - - if (mergeonly) - { - int max_merge = first_same_file (files, MIN (nfiles, NMERGE), outfile); - merge (files, nfiles, max_merge, outfile); - } - else - sort (files, nfiles, outfile); - - if (have_read_stdin && fclose (stdin) == EOF) - die (_("close failed"), "-"); - - exit (EXIT_SUCCESS); -} diff --git a/contrib/gnu-sort/src/system.h b/contrib/gnu-sort/src/system.h deleted file mode 100644 index 3497969..0000000 --- a/contrib/gnu-sort/src/system.h +++ /dev/null @@ -1,831 +0,0 @@ -/* system-dependent definitions for fileutils, textutils, and sh-utils packages. - Copyright (C) 1989, 1991-2004 Free Software Foundation, Inc. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2, or (at your option) - any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ - -#include <alloca.h> - -/* Include sys/types.h before this file. */ - -#if 2 <= __GLIBC__ && 2 <= __GLIBC_MINOR__ -# if ! defined _SYS_TYPES_H -you must include <sys/types.h> before including this file -# endif -#endif - -#include <sys/stat.h> - -#if !defined HAVE_MKFIFO -# define mkfifo(path, mode) (mknod ((path), (mode) | S_IFIFO, 0)) -#endif - -#if HAVE_SYS_PARAM_H -# include <sys/param.h> -#endif - -/* <unistd.h> should be included before any preprocessor test - of _POSIX_VERSION. */ -#if HAVE_UNISTD_H -# include <unistd.h> -#endif - -#ifndef STDIN_FILENO -# define STDIN_FILENO 0 -#endif - -#ifndef STDOUT_FILENO -# define STDOUT_FILENO 1 -#endif - -#ifndef STDERR_FILENO -# define STDERR_FILENO 2 -#endif - - -/* limits.h must come before pathmax.h because limits.h on some systems - undefs PATH_MAX, whereas pathmax.h sets PATH_MAX. */ -#include <limits.h> - -#include "pathmax.h" -#include "localedir.h" - -#if TIME_WITH_SYS_TIME -# include <sys/time.h> -# include <time.h> -#else -# if HAVE_SYS_TIME_H -# include <sys/time.h> -# else -# include <time.h> -# endif -#endif - -/* Since major is a function on SVR4, we can't use `ifndef major'. */ -#if MAJOR_IN_MKDEV -# include <sys/mkdev.h> -# define HAVE_MAJOR -#endif -#if MAJOR_IN_SYSMACROS -# include <sys/sysmacros.h> -# define HAVE_MAJOR -#endif -#ifdef major /* Might be defined in sys/types.h. */ -# define HAVE_MAJOR -#endif - -#ifndef HAVE_MAJOR -# define major(dev) (((dev) >> 8) & 0xff) -# define minor(dev) ((dev) & 0xff) -# define makedev(maj, min) (((maj) << 8) | (min)) -#endif -#undef HAVE_MAJOR - -#if ! defined makedev && defined mkdev -# define makedev(maj, min) mkdev (maj, min) -#endif - -#if HAVE_UTIME_H -# include <utime.h> -#endif - -/* Some systems (even some that do have <utime.h>) don't declare this - structure anywhere. */ -#ifndef HAVE_STRUCT_UTIMBUF -struct utimbuf -{ - long actime; - long modtime; -}; -#endif - -/* Don't use bcopy! Use memmove if source and destination may overlap, - memcpy otherwise. */ - -#include <string.h> -#if ! HAVE_DECL_MEMRCHR -void *memrchr (const void *, int, size_t); -#endif - -#include <errno.h> - -/* Some systems don't define the following symbols. */ -#ifndef ENOSYS -# define ENOSYS (-1) -#endif -#ifndef EISDIR -# define EISDIR (-1) -#endif - -#include <stdbool.h> - -#define getopt system_getopt -#include <stdlib.h> -#undef getopt - -/* The following test is to work around the gross typo in - systems like Sony NEWS-OS Release 4.0C, whereby EXIT_FAILURE - is defined to 0, not 1. */ -#if !EXIT_FAILURE -# undef EXIT_FAILURE -# define EXIT_FAILURE 1 -#endif - -#ifndef EXIT_SUCCESS -# define EXIT_SUCCESS 0 -#endif - -/* Exit statuses for programs like 'env' that exec other programs. - EXIT_FAILURE might not be 1, so use EXIT_FAIL in such programs. */ -enum -{ - EXIT_FAIL = 1, - EXIT_CANNOT_INVOKE = 126, - EXIT_ENOENT = 127 -}; - -#include "exitfail.h" - -/* Set exit_failure to STATUS if that's not the default already. */ -static inline void -initialize_exit_failure (int status) -{ - if (status != EXIT_FAILURE) - exit_failure = status; -} - -#if HAVE_FCNTL_H -# include <fcntl.h> -#else -# include <sys/file.h> -#endif - -#if !defined SEEK_SET -# define SEEK_SET 0 -# define SEEK_CUR 1 -# define SEEK_END 2 -#endif -#ifndef F_OK -# define F_OK 0 -# define X_OK 1 -# define W_OK 2 -# define R_OK 4 -#endif - -/* For systems that distinguish between text and binary I/O. - O_BINARY is usually declared in fcntl.h */ -#if !defined O_BINARY && defined _O_BINARY - /* For MSC-compatible compilers. */ -# define O_BINARY _O_BINARY -# define O_TEXT _O_TEXT -#endif - -#if !defined O_DIRECT -# define O_DIRECT 0 -#endif - -#if !defined O_DSYNC -# define O_DSYNC 0 -#endif - -#if !defined O_NDELAY -# define O_NDELAY 0 -#endif - -#if !defined O_NONBLOCK -# define O_NONBLOCK O_NDELAY -#endif - -#if !defined O_NOCTTY -# define O_NOCTTY 0 -#endif - -#if !defined O_NOFOLLOW -# define O_NOFOLLOW 0 -#endif - -#if !defined O_RSYNC -# define O_RSYNC 0 -#endif - -#if !defined O_SYNC -# define O_SYNC 0 -#endif - -#ifdef __BEOS__ - /* BeOS 5 has O_BINARY and O_TEXT, but they have no effect. */ -# undef O_BINARY -# undef O_TEXT -#endif - -#if O_BINARY -# ifndef __DJGPP__ -# define setmode _setmode -# define fileno(_fp) _fileno (_fp) -# endif /* not DJGPP */ -# define SET_MODE(_f, _m) setmode (_f, _m) -# define SET_BINARY(_f) do {if (!isatty(_f)) setmode (_f, O_BINARY);} while (0) -# define SET_BINARY2(_f1, _f2) \ - do { \ - if (!isatty (_f1)) \ - { \ - setmode (_f1, O_BINARY); \ - if (!isatty (_f2)) \ - setmode (_f2, O_BINARY); \ - } \ - } while(0) -#else -# define SET_MODE(_f, _m) (void)0 -# define SET_BINARY(f) (void)0 -# define SET_BINARY2(f1,f2) (void)0 -# ifndef O_BINARY -# define O_BINARY 0 -# endif -# define O_TEXT 0 -#endif /* O_BINARY */ - -#if HAVE_DIRENT_H -# include <dirent.h> -# define NLENGTH(direct) (strlen((direct)->d_name)) -#else /* not HAVE_DIRENT_H */ -# define dirent direct -# define NLENGTH(direct) ((direct)->d_namlen) -# if HAVE_SYS_NDIR_H -# include <sys/ndir.h> -# endif /* HAVE_SYS_NDIR_H */ -# if HAVE_SYS_DIR_H -# include <sys/dir.h> -# endif /* HAVE_SYS_DIR_H */ -# if HAVE_NDIR_H -# include <ndir.h> -# endif /* HAVE_NDIR_H */ -#endif /* HAVE_DIRENT_H */ - -#if CLOSEDIR_VOID -/* Fake a return value. */ -# define CLOSEDIR(d) (closedir (d), 0) -#else -# define CLOSEDIR(d) closedir (d) -#endif - -/* Get or fake the disk device blocksize. - Usually defined by sys/param.h (if at all). */ -#if !defined DEV_BSIZE && defined BSIZE -# define DEV_BSIZE BSIZE -#endif -#if !defined DEV_BSIZE && defined BBSIZE /* SGI */ -# define DEV_BSIZE BBSIZE -#endif -#ifndef DEV_BSIZE -# define DEV_BSIZE 4096 -#endif - -/* Extract or fake data from a `struct stat'. - ST_BLKSIZE: Preferred I/O blocksize for the file, in bytes. - ST_NBLOCKS: Number of blocks in the file, including indirect blocks. - ST_NBLOCKSIZE: Size of blocks used when calculating ST_NBLOCKS. */ -#ifndef HAVE_STRUCT_STAT_ST_BLOCKS -# define ST_BLKSIZE(statbuf) DEV_BSIZE -# if defined _POSIX_SOURCE || !defined BSIZE /* fileblocks.c uses BSIZE. */ -# define ST_NBLOCKS(statbuf) \ - ((statbuf).st_size / ST_NBLOCKSIZE + ((statbuf).st_size % ST_NBLOCKSIZE != 0)) -# else /* !_POSIX_SOURCE && BSIZE */ -# define ST_NBLOCKS(statbuf) \ - (S_ISREG ((statbuf).st_mode) \ - || S_ISDIR ((statbuf).st_mode) \ - ? st_blocks ((statbuf).st_size) : 0) -# endif /* !_POSIX_SOURCE && BSIZE */ -#else /* HAVE_STRUCT_STAT_ST_BLOCKS */ -/* Some systems, like Sequents, return st_blksize of 0 on pipes. - Also, when running `rsh hpux11-system cat any-file', cat would - determine that the output stream had an st_blksize of 2147421096. - So here we arbitrarily limit the `optimal' block size to 4MB. - If anyone knows of a system for which the legitimate value for - st_blksize can exceed 4MB, please report it as a bug in this code. */ -# define ST_BLKSIZE(statbuf) ((0 < (statbuf).st_blksize \ - && (statbuf).st_blksize <= (1 << 22)) /* 4MB */ \ - ? (statbuf).st_blksize : DEV_BSIZE) -# if defined hpux || defined __hpux__ || defined __hpux -/* HP-UX counts st_blocks in 1024-byte units. - This loses when mixing HP-UX and BSD file systems with NFS. */ -# define ST_NBLOCKSIZE 1024 -# else /* !hpux */ -# if defined _AIX && defined _I386 -/* AIX PS/2 counts st_blocks in 4K units. */ -# define ST_NBLOCKSIZE (4 * 1024) -# else /* not AIX PS/2 */ -# if defined _CRAY -# define ST_NBLOCKS(statbuf) \ - (S_ISREG ((statbuf).st_mode) \ - || S_ISDIR ((statbuf).st_mode) \ - ? (statbuf).st_blocks * ST_BLKSIZE(statbuf)/ST_NBLOCKSIZE : 0) -# endif /* _CRAY */ -# endif /* not AIX PS/2 */ -# endif /* !hpux */ -#endif /* HAVE_STRUCT_STAT_ST_BLOCKS */ - -#ifndef ST_NBLOCKS -# define ST_NBLOCKS(statbuf) ((statbuf).st_blocks) -#endif - -#ifndef ST_NBLOCKSIZE -# define ST_NBLOCKSIZE 512 -#endif - -/* Redirection and wildcarding when done by the utility itself. - Generally a noop, but used in particular for native VMS. */ -#ifndef initialize_main -# define initialize_main(ac, av) -#endif - -#include "stat-macros.h" - -#include "timespec.h" - -#ifndef RETSIGTYPE -# define RETSIGTYPE void -#endif - -#ifdef __DJGPP__ - /* We need the declaration of setmode. */ -# include <io.h> - /* We need the declaration of __djgpp_set_ctrl_c. */ -# include <sys/exceptn.h> -#endif - -#if HAVE_INTTYPES_H -# include <inttypes.h> -#endif -#if HAVE_STDINT_H -# include <stdint.h> -#endif - -#if ULONG_MAX < ULLONG_MAX -# define LONGEST_MODIFIER "ll" -#else -# define LONGEST_MODIFIER "l" -#endif -#if PRI_MACROS_BROKEN -# undef PRIdMAX -# undef PRIoMAX -# undef PRIuMAX -# undef PRIxMAX -#endif -#ifndef PRIdMAX -# define PRIdMAX LONGEST_MODIFIER "d" -#endif -#ifndef PRIoMAX -# define PRIoMAX LONGEST_MODIFIER "o" -#endif -#ifndef PRIuMAX -# define PRIuMAX LONGEST_MODIFIER "u" -#endif -#ifndef PRIxMAX -# define PRIxMAX LONGEST_MODIFIER "x" -#endif - -#include <ctype.h> - -/* Jim Meyering writes: - - "... Some ctype macros are valid only for character codes that - isascii says are ASCII (SGI's IRIX-4.0.5 is one such system --when - using /bin/cc or gcc but without giving an ansi option). So, all - ctype uses should be through macros like ISPRINT... If - STDC_HEADERS is defined, then autoconf has verified that the ctype - macros don't need to be guarded with references to isascii. ... - Defining isascii to 1 should let any compiler worth its salt - eliminate the && through constant folding." - - Bruno Haible adds: - - "... Furthermore, isupper(c) etc. have an undefined result if c is - outside the range -1 <= c <= 255. One is tempted to write isupper(c) - with c being of type `char', but this is wrong if c is an 8-bit - character >= 128 which gets sign-extended to a negative value. - The macro ISUPPER protects against this as well." */ - -#if STDC_HEADERS || (!defined (isascii) && !HAVE_ISASCII) -# define IN_CTYPE_DOMAIN(c) 1 -#else -# define IN_CTYPE_DOMAIN(c) isascii(c) -#endif - -#ifdef isblank -# define ISBLANK(c) (IN_CTYPE_DOMAIN (c) && isblank (c)) -#else -# define ISBLANK(c) ((c) == ' ' || (c) == '\t') -#endif -#ifdef isgraph -# define ISGRAPH(c) (IN_CTYPE_DOMAIN (c) && isgraph (c)) -#else -# define ISGRAPH(c) (IN_CTYPE_DOMAIN (c) && isprint (c) && !isspace (c)) -#endif - -/* This is defined in <sys/euc.h> on at least Solaris2.6 systems. */ -#undef ISPRINT - -#define ISPRINT(c) (IN_CTYPE_DOMAIN (c) && isprint (c)) -#define ISALNUM(c) (IN_CTYPE_DOMAIN (c) && isalnum (c)) -#define ISALPHA(c) (IN_CTYPE_DOMAIN (c) && isalpha (c)) -#define ISCNTRL(c) (IN_CTYPE_DOMAIN (c) && iscntrl (c)) -#define ISLOWER(c) (IN_CTYPE_DOMAIN (c) && islower (c)) -#define ISPUNCT(c) (IN_CTYPE_DOMAIN (c) && ispunct (c)) -#define ISSPACE(c) (IN_CTYPE_DOMAIN (c) && isspace (c)) -#define ISUPPER(c) (IN_CTYPE_DOMAIN (c) && isupper (c)) -#define ISXDIGIT(c) (IN_CTYPE_DOMAIN (c) && isxdigit (c)) -#define ISDIGIT_LOCALE(c) (IN_CTYPE_DOMAIN (c) && isdigit (c)) - -#if STDC_HEADERS -# define TOLOWER(Ch) tolower (Ch) -# define TOUPPER(Ch) toupper (Ch) -#else -# define TOLOWER(Ch) (ISUPPER (Ch) ? tolower (Ch) : (Ch)) -# define TOUPPER(Ch) (ISLOWER (Ch) ? toupper (Ch) : (Ch)) -#endif - -/* ISDIGIT differs from ISDIGIT_LOCALE, as follows: - - Its arg may be any int or unsigned int; it need not be an unsigned char. - - It's guaranteed to evaluate its argument exactly once. - - It's typically faster. - POSIX says that only '0' through '9' are digits. Prefer ISDIGIT to - ISDIGIT_LOCALE unless it's important to use the locale's definition - of `digit' even when the host does not conform to POSIX. */ -#define ISDIGIT(c) ((unsigned int) (c) - '0' <= 9) - -/* Convert a possibly-signed character to an unsigned character. This is - a bit safer than casting to unsigned char, since it catches some type - errors that the cast doesn't. */ -static inline unsigned char to_uchar (char ch) { return ch; } - -/* Take care of NLS matters. */ - -#if HAVE_LOCALE_H -# include <locale.h> -#else -# define setlocale(Category, Locale) /* empty */ -#endif - -#include "gettext.h" -#if ! ENABLE_NLS -# undef textdomain -# define textdomain(Domainname) /* empty */ -# undef bindtextdomain -# define bindtextdomain(Domainname, Dirname) /* empty */ -#endif - -#define _(msgid) gettext (msgid) -#define N_(msgid) msgid - -#ifndef HAVE_SETLOCALE -# define HAVE_SETLOCALE 0 -#endif - -#define STREQ(a, b) (strcmp ((a), (b)) == 0) - -#if !HAVE_DECL_FREE -void free (); -#endif - -#if !HAVE_DECL_MALLOC -char *malloc (); -#endif - -#if !HAVE_DECL_MEMCHR -char *memchr (); -#endif - -#if !HAVE_DECL_REALLOC -char *realloc (); -#endif - -#if !HAVE_DECL_STPCPY -# ifndef stpcpy -char *stpcpy (); -# endif -#endif - -#if !HAVE_DECL_STRNDUP -char *strndup (); -#endif - -#if !HAVE_DECL_STRSTR -char *strstr (); -#endif - -#if !HAVE_DECL_GETENV -char *getenv (); -#endif - -#if !HAVE_DECL_LSEEK -off_t lseek (); -#endif - -/* This is needed on some AIX systems. */ -#if !HAVE_DECL_STRTOUL -unsigned long strtoul (); -#endif - -#if !HAVE_DECL_GETLOGIN -char *getlogin (); -#endif - -#if !HAVE_DECL_TTYNAME -char *ttyname (); -#endif - -#if !HAVE_DECL_GETEUID -uid_t geteuid (); -#endif - -#if !HAVE_DECL_GETPWUID -struct passwd *getpwuid (); -#endif - -#if !HAVE_DECL_GETGRGID -struct group *getgrgid (); -#endif - -#if !HAVE_DECL_GETUID -uid_t getuid (); -#endif - -#include "xalloc.h" - -#if ! defined HAVE_MEMPCPY && ! defined mempcpy -/* Be CAREFUL that there are no side effects in N. */ -# define mempcpy(D, S, N) ((void *) ((char *) memcpy (D, S, N) + (N))) -#endif - -/* Include automatically-generated macros for unlocked I/O. */ -#include "unlocked-io.h" - -#define SAME_INODE(Stat_buf_1, Stat_buf_2) \ - ((Stat_buf_1).st_ino == (Stat_buf_2).st_ino \ - && (Stat_buf_1).st_dev == (Stat_buf_2).st_dev) - -#define DOT_OR_DOTDOT(Basename) \ - (Basename[0] == '.' && (Basename[1] == '\0' \ - || (Basename[1] == '.' && Basename[2] == '\0'))) - -/* A wrapper for readdir so that callers don't see entries for `.' or `..'. */ -static inline struct dirent const * -readdir_ignoring_dot_and_dotdot (DIR *dirp) -{ - while (1) - { - struct dirent const *dp = readdir (dirp); - if (dp == NULL || ! DOT_OR_DOTDOT (dp->d_name)) - return dp; - } -} - -#if SETVBUF_REVERSED -# define SETVBUF(Stream, Buffer, Type, Size) \ - setvbuf (Stream, Type, Buffer, Size) -#else -# define SETVBUF(Stream, Buffer, Type, Size) \ - setvbuf (Stream, Buffer, Type, Size) -#endif - -/* Factor out some of the common --help and --version processing code. */ - -/* These enum values cannot possibly conflict with the option values - ordinarily used by commands, including CHAR_MAX + 1, etc. Avoid - CHAR_MIN - 1, as it may equal -1, the getopt end-of-options value. */ -enum -{ - GETOPT_HELP_CHAR = (CHAR_MIN - 2), - GETOPT_VERSION_CHAR = (CHAR_MIN - 3) -}; - -#define GETOPT_HELP_OPTION_DECL \ - "help", no_argument, 0, GETOPT_HELP_CHAR -#define GETOPT_VERSION_OPTION_DECL \ - "version", no_argument, 0, GETOPT_VERSION_CHAR - -#define case_GETOPT_HELP_CHAR \ - case GETOPT_HELP_CHAR: \ - usage (EXIT_SUCCESS); \ - break; - -#define HELP_OPTION_DESCRIPTION \ - _(" --help display this help and exit\n") -#define VERSION_OPTION_DESCRIPTION \ - _(" --version output version information and exit\n") - -#include "closeout.h" -#include "version-etc.h" - -#define case_GETOPT_VERSION_CHAR(Program_name, Authors) \ - case GETOPT_VERSION_CHAR: \ - version_etc (stdout, Program_name, GNU_PACKAGE, VERSION, Authors, \ - (char *) NULL); \ - exit (EXIT_SUCCESS); \ - break; - -#ifndef MAX -# define MAX(a, b) ((a) > (b) ? (a) : (b)) -#endif - -#ifndef MIN -# define MIN(a,b) (((a) < (b)) ? (a) : (b)) -#endif - -/* The extra casts work around common compiler bugs. */ -#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1)) -/* The outer cast is needed to work around a bug in Cray C 5.0.3.0. - It is necessary at least when t == time_t. */ -#define TYPE_MINIMUM(t) ((t) (TYPE_SIGNED (t) \ - ? ~ (t) 0 << (sizeof (t) * CHAR_BIT - 1) : (t) 0)) -#define TYPE_MAXIMUM(t) ((t) (~ (t) 0 - TYPE_MINIMUM (t))) - -/* Upper bound on the string length of an integer converted to string. - 302 / 1000 is ceil (log10 (2.0)). Subtract 1 for the sign bit; - add 1 for integer division truncation; add 1 more for a minus sign. */ -#define INT_STRLEN_BOUND(t) ((sizeof (t) * CHAR_BIT - 1) * 302 / 1000 + 2) - -#ifndef CHAR_MIN -# define CHAR_MIN TYPE_MINIMUM (char) -#endif - -#ifndef CHAR_MAX -# define CHAR_MAX TYPE_MAXIMUM (char) -#endif - -#ifndef SCHAR_MIN -# define SCHAR_MIN (-1 - SCHAR_MAX) -#endif - -#ifndef SCHAR_MAX -# define SCHAR_MAX (CHAR_MAX == UCHAR_MAX ? CHAR_MAX / 2 : CHAR_MAX) -#endif - -#ifndef UCHAR_MAX -# define UCHAR_MAX TYPE_MAXIMUM (unsigned char) -#endif - -#ifndef SHRT_MIN -# define SHRT_MIN TYPE_MINIMUM (short int) -#endif - -#ifndef SHRT_MAX -# define SHRT_MAX TYPE_MAXIMUM (short int) -#endif - -#ifndef INT_MAX -# define INT_MAX TYPE_MAXIMUM (int) -#endif - -#ifndef INT_MIN -# define INT_MIN TYPE_MINIMUM (int) -#endif - -#ifndef INTMAX_MAX -# define INTMAX_MAX TYPE_MAXIMUM (intmax_t) -#endif - -#ifndef INTMAX_MIN -# define INTMAX_MIN TYPE_MINIMUM (intmax_t) -#endif - -#ifndef UINT_MAX -# define UINT_MAX TYPE_MAXIMUM (unsigned int) -#endif - -#ifndef LONG_MAX -# define LONG_MAX TYPE_MAXIMUM (long int) -#endif - -#ifndef ULONG_MAX -# define ULONG_MAX TYPE_MAXIMUM (unsigned long int) -#endif - -#ifndef SIZE_MAX -# define SIZE_MAX TYPE_MAXIMUM (size_t) -#endif - -#ifndef SSIZE_MAX -# define SSIZE_MAX TYPE_MAXIMUM (ssize_t) -#endif - -#ifndef UINTMAX_MAX -# define UINTMAX_MAX TYPE_MAXIMUM (uintmax_t) -#endif - -#ifndef OFF_T_MIN -# define OFF_T_MIN TYPE_MINIMUM (off_t) -#endif - -#ifndef OFF_T_MAX -# define OFF_T_MAX TYPE_MAXIMUM (off_t) -#endif - -#ifndef UID_T_MAX -# define UID_T_MAX TYPE_MAXIMUM (uid_t) -#endif - -#ifndef GID_T_MAX -# define GID_T_MAX TYPE_MAXIMUM (gid_t) -#endif - -#ifndef PID_T_MAX -# define PID_T_MAX TYPE_MAXIMUM (pid_t) -#endif - -/* Use this to suppress gcc's `...may be used before initialized' warnings. */ -#ifdef lint -# define IF_LINT(Code) Code -#else -# define IF_LINT(Code) /* empty */ -#endif - -#ifndef __attribute__ -# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 8) || __STRICT_ANSI__ -# define __attribute__(x) -# endif -#endif - -#ifndef ATTRIBUTE_NORETURN -# define ATTRIBUTE_NORETURN __attribute__ ((__noreturn__)) -#endif - -#ifndef ATTRIBUTE_UNUSED -# define ATTRIBUTE_UNUSED __attribute__ ((__unused__)) -#endif - -#if defined strdupa -# define ASSIGN_STRDUPA(DEST, S) \ - do { DEST = strdupa (S); } while (0) -#else -# define ASSIGN_STRDUPA(DEST, S) \ - do \ - { \ - const char *s_ = (S); \ - size_t len_ = strlen (s_) + 1; \ - char *tmp_dest_ = alloca (len_); \ - DEST = memcpy (tmp_dest_, (s_), len_); \ - } \ - while (0) -#endif - -#ifndef EOVERFLOW -# define EOVERFLOW EINVAL -#endif - -#if ! HAVE_FSEEKO && ! defined fseeko -# define fseeko(s, o, w) ((o) == (long int) (o) \ - ? fseek (s, o, w) \ - : (errno = EOVERFLOW, -1)) -#endif - -/* Compute the greatest common divisor of U and V using Euclid's - algorithm. U and V must be nonzero. */ - -static inline size_t -gcd (size_t u, size_t v) -{ - do - { - size_t t = u % v; - u = v; - v = t; - } - while (v); - - return u; -} - -/* Compute the least common multiple of U and V. U and V must be - nonzero. There is no overflow checking, so callers should not - specify outlandish sizes. */ - -static inline size_t -lcm (size_t u, size_t v) -{ - return u * (v / gcd (u, v)); -} - -/* Return PTR, aligned upward to the next multiple of ALIGNMENT. - ALIGNMENT must be nonzero. The caller must arrange for ((char *) - PTR) through ((char *) PTR + ALIGNMENT - 1) to be addressable - locations. */ - -static inline void * -ptr_align (void *ptr, size_t alignment) -{ - char *p0 = ptr; - char *p1 = p0 + alignment - 1; - return p1 - (size_t) p1 % alignment; -} diff --git a/crypto/openssl/fips/Makefile b/crypto/openssl/fips/Makefile deleted file mode 100644 index 546b54b..0000000 --- a/crypto/openssl/fips/Makefile +++ /dev/null @@ -1,230 +0,0 @@ -# -# OpenSSL/crypto/Makefile -# - -DIR= fips -TOP= .. -CC= cc -INCLUDE= -I. -I$(TOP) -I../include -# INCLUDES targets sudbirs! -INCLUDES= -I.. -I../.. -I../../include -CFLAG= -g -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -RM= rm -f -AR= ar r -ARD= ar d -TEST= fips_test_suite.c -FIPS_TVDIR= testvectors -FIPS_TVOK= $$HOME/fips/tv.ok - -FIPSCANLOC= $(FIPSLIBDIR)fipscanister.o - -RECURSIVE_MAKE= [ -n "$(FDIRS)" ] && for i in $(FDIRS) ; do \ - (cd $$i && echo "making $$target in $(DIR)/$$i..." && \ - $(MAKE) -e TOP=../.. DIR=$$i INCLUDES='${INCLUDES}' $$target ) || exit 1; \ - done; - -PEX_LIBS= -EX_LIBS= - -CFLAGS= $(INCLUDE) $(CFLAG) -DHMAC_EXT=\"$${HMAC_EXT:-sha1}\" -ASFLAGS= $(INCLUDE) $(ASFLAG) -AFLAGS=$(ASFLAGS) - -LIBS= - -FDIRS=sha rand des aes dsa rsa dh hmac - -GENERAL=Makefile README fips-lib.com install.com - -LIB= $(TOP)/libcrypto.a -SHARED_LIB= $(FIPSCANLIB)$(SHLIB_EXT) -LIBSRC=fips.c -LIBOBJ=fips.o - -FIPS_OBJ_LISTS=sha/lib hmac/lib rand/lib des/lib aes/lib dsa/lib rsa/lib dh/lib - -SRC= $(LIBSRC) - -EXHEADER=fips.h -HEADER=$(EXHEADER) fips_utl.h fips_locl.h -EXE=fipsld - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - @(cd ..; $(MAKE) DIRS=$(DIR) all) - -testapps: - @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi - -all: - @if [ -z "$(FIPSLIBDIR)" ]; then \ - $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ - else \ - $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ - fi - -# Idea behind fipscanister.o is to "seize" the sequestered code between -# known symbols for fingerprinting purposes, which would be commonly -# done with ld -r start.o ... end.o. The latter however presents a minor -# challenge on multi-ABI platforms. As just implied, we'd rather use ld, -# but the trouble is that we don't generally know how ABI-selection -# compiler flag is translated to corresponding linker flag. All compiler -# drivers seem to recognize -r flag and pass it down to linker, but some -# of them, including gcc, erroneously add -lc, as well as run-time -# components, such as crt1.o and alike. Fortunately among those vendor -# compilers which were observed to misinterpret -r flag multi-ABI ones -# are equipped with smart linkers, which don't require any ABI-selection -# flag and simply assume that all objects are of the same type as first -# one in command line. So the idea is to identify gcc and deficient -# vendor compiler drivers... - -fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o - FIPS_ASM=""; \ - list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \ - list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \ - list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \ - list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \ - if [ -n "$(CPUID_OBJ)" ]; then \ - CPUID=../crypto/$(CPUID_OBJ) ; \ - else \ - CPUID="" ; \ - fi ; \ - objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \ - for i in $(FIPS_OBJ_LISTS); do \ - dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \ - objs="$$objs `sed "$$script" $$i`"; \ - done; \ - objs="$$objs fips_end.o" ; \ - os="`(uname -s) 2>/dev/null`"; cflags="$(CFLAGS)"; \ - [ "$$os" = "AIX" ] && cflags="$$cflags -Wl,-bnoobjreorder"; \ - if [ -n "${FIPS_SITE_LD}" ]; then \ - set -x; ${FIPS_SITE_LD} -r -o $@ $$objs; \ - elif $(CC) -dumpversion >/dev/null 2>&1; then \ - set -x; $(CC) $$cflags -r -nostdlib -o $@ $$objs ; \ - else case "$$os" in \ - HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ - *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ - esac fi - ./fips_standalone_sha1$(EXE_EXT) fipscanister.o > fipscanister.o.sha1 - -# If another exception is immediately required, assign approprite -# site-specific ld command to FIPS_SITE_LD environment variable. - -fips_start.o: fips_canister.c - $(CC) $(CFLAGS) -DFIPS_START -c -o $@ fips_canister.c -fips_end.o: fips_canister.c - $(CC) $(CFLAGS) -DFIPS_END -c -o $@ fips_canister.c -fips_premain_dso$(EXE_EXT): fips_premain.c - $(CC) $(CFLAGS) -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ fips_premain.c \ - $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS) -# this is executed only when linking with external fipscanister.o -fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c - if [ -z "$(HOSTCC)" ] ; then \ - $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) ; \ - else \ - $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../include -I../crypto sha/fips_standalone_sha1.c ../crypto/sha/sha1dgst.c ; \ - fi - -subdirs: - @target=all; $(RECURSIVE_MAKE) - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - @target=files; $(RECURSIVE_MAKE) - -links: - @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST) - @target=links; $(RECURSIVE_MAKE) - -# lib: and $(LIB): are splitted to avoid end-less loop -lib: $(LIB) - if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi - @touch lib - -$(LIB): $(FIPSLIBDIR)fipscanister.o - $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o - $(RANLIB) $(LIB) || echo Never mind. - -$(FIPSCANLIB): $(FIPSCANLOC) - $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC) - if [ "$(FIPSCANLIB)" = "libfips" ]; then \ - $(AR) $(LIB) $(FIPSCANLOC) ; \ - $(RANLIB) $(LIB) || echo Never Mind. ; \ - fi - $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. - @touch lib - -shared: lib subdirs fips_premain_dso$(EXE_EXT) - -libs: - @target=lib; $(RECURSIVE_MAKE) - -fips_test: top - @target=fips_test; $(RECURSIVE_MAKE) - -fips_test_diff: - @if diff -b -B -I '^\#' -cr -X fips-nodiff.txt $(FIPS_TVDIR) $(FIPS_TVOK) ; then \ - echo "FIPS diff OK" ; \ - else \ - echo "***FIPS DIFF ERROR***" ; exit 1 ; \ - fi - - -install: - @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... - @headerlist="$(EXHEADER)"; for i in $$headerlist ;\ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; - @target=install; $(RECURSIVE_MAKE) - for i in $(EXE) ; \ - do \ - echo "installing $$i"; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ - chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \ - done - cp -p -f $(FIPSLIBDIR)fipscanister.o $(FIPSLIBDIR)fipscanister.o.sha1 \ - $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fips_premain.c.sha1 \ - $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/; \ - chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/fips* - -lint: - @target=lint; $(RECURSIVE_MAKE) - -depend: - @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC) - @[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) ) - @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi - -clean: - rm -f fipscanister.o.sha1 fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT) \ - *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff - @target=clean; $(RECURSIVE_MAKE) - -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - @target=dclean; $(RECURSIVE_MAKE) - -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips.o: ../include/openssl/asn1.h ../include/openssl/bio.h -fips.o: ../include/openssl/crypto.h ../include/openssl/des.h -fips.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h -fips.o: ../include/openssl/err.h ../include/openssl/evp.h -fips.o: ../include/openssl/fips.h ../include/openssl/fips_rand.h -fips.o: ../include/openssl/hmac.h ../include/openssl/lhash.h -fips.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -fips.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h -fips.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c -fips.o: fips_locl.h diff --git a/crypto/openssl/fips/aes/Makefile b/crypto/openssl/fips/aes/Makefile deleted file mode 100644 index 7b8b3a2..0000000 --- a/crypto/openssl/fips/aes/Makefile +++ /dev/null @@ -1,111 +0,0 @@ -# -# OpenSSL/fips/aes/Makefile -# - -DIR= aes -TOP= ../.. -CC= cc -INCLUDES= -CFLAG=-g -INSTALL_PREFIX= -OPENSSLDIR= /usr/local/ssl -INSTALLTOP=/usr/local/ssl -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -AR= ar r - -ASFLAGS= $(INCLUDES) $(ASFLAG) -AFLAGS= $(ASFLAGS) - -CFLAGS= $(INCLUDES) $(CFLAG) - -GENERAL=Makefile -TEST=fips_aesavs.c -APPS= - -LIB=$(TOP)/libcrypto.a -LIBSRC=fips_aes_selftest.c -LIBOBJ=fips_aes_selftest.o - -SRC= $(LIBSRC) - -EXHEADER= -HEADER= - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all) - -all: lib - -lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - -links: - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) - -install: - @headerlist="$(EXHEADER)"; for i in $$headerlist; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done - -tags: - ctags $(SRC) - -tests: - -fips_test: - -find ../testvectors/aes/req -name '*.req' > testlist - -rm -rf ../testvectors/aes/rsp - mkdir ../testvectors/aes/rsp - if [ -s testlist ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_aesavs -d testlist; fi - -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - -depend: - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) \ - $(SRC) $(TEST) - -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - -clean: - rm -f *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff testlist -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips_aes_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_aes_selftest.o: ../../include/openssl/crypto.h -fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_aes_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_aes_selftest.o: ../../include/openssl/lhash.h -fips_aes_selftest.o: ../../include/openssl/obj_mac.h -fips_aes_selftest.o: ../../include/openssl/objects.h -fips_aes_selftest.o: ../../include/openssl/opensslconf.h -fips_aes_selftest.o: ../../include/openssl/opensslv.h -fips_aes_selftest.o: ../../include/openssl/ossl_typ.h -fips_aes_selftest.o: ../../include/openssl/safestack.h -fips_aes_selftest.o: ../../include/openssl/stack.h -fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c -fips_aesavs.o: ../../e_os.h ../../include/openssl/aes.h -fips_aesavs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_aesavs.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_aesavs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_aesavs.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_aesavs.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_aesavs.o: ../../include/openssl/objects.h -fips_aesavs.o: ../../include/openssl/opensslconf.h -fips_aesavs.o: ../../include/openssl/opensslv.h -fips_aesavs.o: ../../include/openssl/ossl_typ.h -fips_aesavs.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_aesavs.o: ../../include/openssl/symhacks.h ../fips_utl.h fips_aesavs.c diff --git a/crypto/openssl/fips/aes/fips_aes_selftest.c b/crypto/openssl/fips/aes/fips_aes_selftest.c deleted file mode 100644 index 441bbc1..0000000 --- a/crypto/openssl/fips/aes/fips_aes_selftest.c +++ /dev/null @@ -1,101 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <string.h> -#include <openssl/err.h> -#include <openssl/fips.h> -#include <openssl/evp.h> - -#ifdef OPENSSL_FIPS -static struct - { - unsigned char key[16]; - unsigned char plaintext[16]; - unsigned char ciphertext[16]; - } tests[]= - { - { - { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07, - 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F }, - { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77, - 0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF }, - { 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30, - 0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A }, - }, - }; - -void FIPS_corrupt_aes() - { - tests[0].key[0]++; - } - -int FIPS_selftest_aes() - { - int n; - int ret = 0; - EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); - - for(n=0 ; n < 1 ; ++n) - { - if (fips_cipher_test(&ctx, EVP_aes_128_ecb(), - tests[n].key, NULL, - tests[n].plaintext, - tests[n].ciphertext, - 16) <= 0) - goto err; - } - ret = 1; - err: - EVP_CIPHER_CTX_cleanup(&ctx); - if (ret == 0) - FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED); - return ret; - } -#endif diff --git a/crypto/openssl/fips/aes/fips_aesavs.c b/crypto/openssl/fips/aes/fips_aesavs.c deleted file mode 100644 index a3c8b40..0000000 --- a/crypto/openssl/fips/aes/fips_aesavs.c +++ /dev/null @@ -1,939 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ -/*--------------------------------------------- - NIST AES Algorithm Validation Suite - Test Program - - Donated to OpenSSL by: - V-ONE Corporation - 20250 Century Blvd, Suite 300 - Germantown, MD 20874 - U.S.A. - ----------------------------------------------*/ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <errno.h> -#include <assert.h> -#include <ctype.h> -#include <openssl/aes.h> -#include <openssl/evp.h> -#include <openssl/bn.h> - -#include <openssl/err.h> -#include "e_os.h" - -#ifndef OPENSSL_FIPS - -int main(int argc, char *argv[]) -{ - printf("No FIPS AES support\n"); - return(0); -} - -#else - -#include <openssl/fips.h> -#include "fips_utl.h" - -#define AES_BLOCK_SIZE 16 - -#define VERBOSE 0 - -/*-----------------------------------------------*/ - -static int AESTest(EVP_CIPHER_CTX *ctx, - char *amode, int akeysz, unsigned char *aKey, - unsigned char *iVec, - int dir, /* 0 = decrypt, 1 = encrypt */ - unsigned char *plaintext, unsigned char *ciphertext, int len) - { - const EVP_CIPHER *cipher = NULL; - - if (strcasecmp(amode, "CBC") == 0) - { - switch (akeysz) - { - case 128: - cipher = EVP_aes_128_cbc(); - break; - - case 192: - cipher = EVP_aes_192_cbc(); - break; - - case 256: - cipher = EVP_aes_256_cbc(); - break; - } - - } - else if (strcasecmp(amode, "ECB") == 0) - { - switch (akeysz) - { - case 128: - cipher = EVP_aes_128_ecb(); - break; - - case 192: - cipher = EVP_aes_192_ecb(); - break; - - case 256: - cipher = EVP_aes_256_ecb(); - break; - } - } - else if (strcasecmp(amode, "CFB128") == 0) - { - switch (akeysz) - { - case 128: - cipher = EVP_aes_128_cfb128(); - break; - - case 192: - cipher = EVP_aes_192_cfb128(); - break; - - case 256: - cipher = EVP_aes_256_cfb128(); - break; - } - - } - else if (strncasecmp(amode, "OFB", 3) == 0) - { - switch (akeysz) - { - case 128: - cipher = EVP_aes_128_ofb(); - break; - - case 192: - cipher = EVP_aes_192_ofb(); - break; - - case 256: - cipher = EVP_aes_256_ofb(); - break; - } - } - else if(!strcasecmp(amode,"CFB1")) - { - switch (akeysz) - { - case 128: - cipher = EVP_aes_128_cfb1(); - break; - - case 192: - cipher = EVP_aes_192_cfb1(); - break; - - case 256: - cipher = EVP_aes_256_cfb1(); - break; - } - } - else if(!strcasecmp(amode,"CFB8")) - { - switch (akeysz) - { - case 128: - cipher = EVP_aes_128_cfb8(); - break; - - case 192: - cipher = EVP_aes_192_cfb8(); - break; - - case 256: - cipher = EVP_aes_256_cfb8(); - break; - } - } - else - { - printf("Unknown mode: %s\n", amode); - return 0; - } - if (!cipher) - { - printf("Invalid key size: %d\n", akeysz); - return 0; - } - if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0) - return 0; - if(!strcasecmp(amode,"CFB1")) - M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS); - if (dir) - EVP_Cipher(ctx, ciphertext, plaintext, len); - else - EVP_Cipher(ctx, plaintext, ciphertext, len); - return 1; - } - -/*-----------------------------------------------*/ -char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"}; -char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB128"}; -enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB128}; -enum XCrypt {XDECRYPT, XENCRYPT}; - -/*=============================*/ -/* Monte Carlo Tests */ -/*-----------------------------*/ - -/*#define gb(a,b) (((a)[(b)/8] >> ((b)%8))&1)*/ -/*#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << ((b)%8)))|(!!(v) << ((b)%8)))*/ - -#define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1) -#define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8))) - -static int do_mct(char *amode, - int akeysz, unsigned char *aKey,unsigned char *iVec, - int dir, unsigned char *text, int len, - FILE *rfp) - { - int ret = 0; - unsigned char key[101][32]; - unsigned char iv[101][AES_BLOCK_SIZE]; - unsigned char ptext[1001][32]; - unsigned char ctext[1001][32]; - unsigned char ciphertext[64+4]; - int i, j, n, n1, n2; - int imode = 0, nkeysz = akeysz/8; - EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); - - if (len > 32) - { - printf("\n>>>> Length exceeds 32 for %s %d <<<<\n\n", - amode, akeysz); - return -1; - } - for (imode = 0; imode < 6; ++imode) - if (strcmp(amode, t_mode[imode]) == 0) - break; - if (imode == 6) - { - printf("Unrecognized mode: %s\n", amode); - return -1; - } - - memcpy(key[0], aKey, nkeysz); - if (iVec) - memcpy(iv[0], iVec, AES_BLOCK_SIZE); - if (dir == XENCRYPT) - memcpy(ptext[0], text, len); - else - memcpy(ctext[0], text, len); - for (i = 0; i < 100; ++i) - { - /* printf("Iteration %d\n", i); */ - if (i > 0) - { - fprintf(rfp,"COUNT = %d\n",i); - OutputValue("KEY",key[i],nkeysz,rfp,0); - if (imode != ECB) /* ECB */ - OutputValue("IV",iv[i],AES_BLOCK_SIZE,rfp,0); - /* Output Ciphertext | Plaintext */ - OutputValue(t_tag[dir^1],dir ? ptext[0] : ctext[0],len,rfp, - imode == CFB1); - } - for (j = 0; j < 1000; ++j) - { - switch (imode) - { - case ECB: - if (j == 0) - { /* set up encryption */ - ret = AESTest(&ctx, amode, akeysz, key[i], NULL, - dir, /* 0 = decrypt, 1 = encrypt */ - ptext[j], ctext[j], len); - if (dir == XENCRYPT) - memcpy(ptext[j+1], ctext[j], len); - else - memcpy(ctext[j+1], ptext[j], len); - } - else - { - if (dir == XENCRYPT) - { - EVP_Cipher(&ctx, ctext[j], ptext[j], len); - memcpy(ptext[j+1], ctext[j], len); - } - else - { - EVP_Cipher(&ctx, ptext[j], ctext[j], len); - memcpy(ctext[j+1], ptext[j], len); - } - } - break; - - case CBC: - case OFB: - case CFB128: - if (j == 0) - { - ret = AESTest(&ctx, amode, akeysz, key[i], iv[i], - dir, /* 0 = decrypt, 1 = encrypt */ - ptext[j], ctext[j], len); - if (dir == XENCRYPT) - memcpy(ptext[j+1], iv[i], len); - else - memcpy(ctext[j+1], iv[i], len); - } - else - { - if (dir == XENCRYPT) - { - EVP_Cipher(&ctx, ctext[j], ptext[j], len); - memcpy(ptext[j+1], ctext[j-1], len); - } - else - { - EVP_Cipher(&ctx, ptext[j], ctext[j], len); - memcpy(ctext[j+1], ptext[j-1], len); - } - } - break; - - case CFB8: - if (j == 0) - { - ret = AESTest(&ctx, amode, akeysz, key[i], iv[i], - dir, /* 0 = decrypt, 1 = encrypt */ - ptext[j], ctext[j], len); - } - else - { - if (dir == XENCRYPT) - EVP_Cipher(&ctx, ctext[j], ptext[j], len); - else - EVP_Cipher(&ctx, ptext[j], ctext[j], len); - } - if (dir == XENCRYPT) - { - if (j < 16) - memcpy(ptext[j+1], &iv[i][j], len); - else - memcpy(ptext[j+1], ctext[j-16], len); - } - else - { - if (j < 16) - memcpy(ctext[j+1], &iv[i][j], len); - else - memcpy(ctext[j+1], ptext[j-16], len); - } - break; - - case CFB1: - if(j == 0) - { -#if 0 - /* compensate for wrong endianness of input file */ - if(i == 0) - ptext[0][0]<<=7; -#endif - ret = AESTest(&ctx,amode,akeysz,key[i],iv[i],dir, - ptext[j], ctext[j], len); - } - else - { - if (dir == XENCRYPT) - EVP_Cipher(&ctx, ctext[j], ptext[j], len); - else - EVP_Cipher(&ctx, ptext[j], ctext[j], len); - - } - if(dir == XENCRYPT) - { - if(j < 128) - sb(ptext[j+1],0,gb(iv[i],j)); - else - sb(ptext[j+1],0,gb(ctext[j-128],0)); - } - else - { - if(j < 128) - sb(ctext[j+1],0,gb(iv[i],j)); - else - sb(ctext[j+1],0,gb(ptext[j-128],0)); - } - break; - } - } - --j; /* reset to last of range */ - /* Output Ciphertext | Plaintext */ - OutputValue(t_tag[dir],dir ? ctext[j] : ptext[j],len,rfp, - imode == CFB1); - fprintf(rfp, "\n"); /* add separator */ - - /* Compute next KEY */ - if (dir == XENCRYPT) - { - if (imode == CFB8) - { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */ - for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2) - ciphertext[n1] = ctext[j-n2][0]; - } - else if(imode == CFB1) - { - for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2) - sb(ciphertext,n1,gb(ctext[j-n2],0)); - } - else - switch (akeysz) - { - case 128: - memcpy(ciphertext, ctext[j], 16); - break; - case 192: - memcpy(ciphertext, ctext[j-1]+8, 8); - memcpy(ciphertext+8, ctext[j], 16); - break; - case 256: - memcpy(ciphertext, ctext[j-1], 16); - memcpy(ciphertext+16, ctext[j], 16); - break; - } - } - else - { - if (imode == CFB8) - { /* ct = CT[j-15] || CT[j-14] || ... || CT[j] */ - for (n1 = 0, n2 = nkeysz-1; n1 < nkeysz; ++n1, --n2) - ciphertext[n1] = ptext[j-n2][0]; - } - else if(imode == CFB1) - { - for(n1=0,n2=akeysz-1 ; n1 < akeysz ; ++n1,--n2) - sb(ciphertext,n1,gb(ptext[j-n2],0)); - } - else - switch (akeysz) - { - case 128: - memcpy(ciphertext, ptext[j], 16); - break; - case 192: - memcpy(ciphertext, ptext[j-1]+8, 8); - memcpy(ciphertext+8, ptext[j], 16); - break; - case 256: - memcpy(ciphertext, ptext[j-1], 16); - memcpy(ciphertext+16, ptext[j], 16); - break; - } - } - /* Compute next key: Key[i+1] = Key[i] xor ct */ - for (n = 0; n < nkeysz; ++n) - key[i+1][n] = key[i][n] ^ ciphertext[n]; - - /* Compute next IV and text */ - if (dir == XENCRYPT) - { - switch (imode) - { - case ECB: - memcpy(ptext[0], ctext[j], AES_BLOCK_SIZE); - break; - case CBC: - case OFB: - case CFB128: - memcpy(iv[i+1], ctext[j], AES_BLOCK_SIZE); - memcpy(ptext[0], ctext[j-1], AES_BLOCK_SIZE); - break; - case CFB8: - /* IV[i+1] = ct */ - for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2) - iv[i+1][n1] = ctext[j-n2][0]; - ptext[0][0] = ctext[j-16][0]; - break; - case CFB1: - for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2) - sb(iv[i+1],n1,gb(ctext[j-n2],0)); - ptext[0][0]=ctext[j-128][0]&0x80; - break; - } - } - else - { - switch (imode) - { - case ECB: - memcpy(ctext[0], ptext[j], AES_BLOCK_SIZE); - break; - case CBC: - case OFB: - case CFB128: - memcpy(iv[i+1], ptext[j], AES_BLOCK_SIZE); - memcpy(ctext[0], ptext[j-1], AES_BLOCK_SIZE); - break; - case CFB8: - for (n1 = 0, n2 = 15; n1 < 16; ++n1, --n2) - iv[i+1][n1] = ptext[j-n2][0]; - ctext[0][0] = ptext[j-16][0]; - break; - case CFB1: - for(n1=0,n2=127 ; n1 < 128 ; ++n1,--n2) - sb(iv[i+1],n1,gb(ptext[j-n2],0)); - ctext[0][0]=ptext[j-128][0]&0x80; - break; - } - } - } - - return ret; - } - -/*================================================*/ -/*---------------------------- - # Config info for v-one - # AESVS MMT test data for ECB - # State : Encrypt and Decrypt - # Key Length : 256 - # Fri Aug 30 04:07:22 PM - ----------------------------*/ - -static int proc_file(char *rqfile, char *rspfile) - { - char afn[256], rfn[256]; - FILE *afp = NULL, *rfp = NULL; - char ibuf[2048]; - char tbuf[2048]; - int ilen, len, ret = 0; - char algo[8] = ""; - char amode[8] = ""; - char atest[8] = ""; - int akeysz = 0; - unsigned char iVec[20], aKey[40]; - int dir = -1, err = 0, step = 0; - unsigned char plaintext[2048]; - unsigned char ciphertext[2048]; - char *rp; - EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); - - if (!rqfile || !(*rqfile)) - { - printf("No req file\n"); - return -1; - } - strcpy(afn, rqfile); - - if ((afp = fopen(afn, "r")) == NULL) - { - printf("Cannot open file: %s, %s\n", - afn, strerror(errno)); - return -1; - } - if (!rspfile) - { - strcpy(rfn,afn); - rp=strstr(rfn,"req/"); -#ifdef OPENSSL_SYS_WIN32 - if (!rp) - rp=strstr(rfn,"req\\"); -#endif - assert(rp); - memcpy(rp,"rsp",3); - rp = strstr(rfn, ".req"); - memcpy(rp, ".rsp", 4); - rspfile = rfn; - } - if ((rfp = fopen(rspfile, "w")) == NULL) - { - printf("Cannot open file: %s, %s\n", - rfn, strerror(errno)); - fclose(afp); - afp = NULL; - return -1; - } - while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL) - { - tidy_line(tbuf, ibuf); - ilen = strlen(ibuf); - /* printf("step=%d ibuf=%s",step,ibuf); */ - switch (step) - { - case 0: /* read preamble */ - if (ibuf[0] == '\n') - { /* end of preamble */ - if ((*algo == '\0') || - (*amode == '\0') || - (akeysz == 0)) - { - printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n", - algo,amode,akeysz); - err = 1; - } - else - { - fputs(ibuf, rfp); - ++ step; - } - } - else if (ibuf[0] != '#') - { - printf("Invalid preamble item: %s\n", ibuf); - err = 1; - } - else - { /* process preamble */ - char *xp, *pp = ibuf+2; - int n; - if (akeysz) - { /* insert current time & date */ - time_t rtim = time(0); - fprintf(rfp, "# %s", ctime(&rtim)); - } - else - { - fputs(ibuf, rfp); - if (strncmp(pp, "AESVS ", 6) == 0) - { - strcpy(algo, "AES"); - /* get test type */ - pp += 6; - xp = strchr(pp, ' '); - n = xp-pp; - strncpy(atest, pp, n); - atest[n] = '\0'; - /* get mode */ - xp = strrchr(pp, ' '); /* get mode" */ - n = strlen(xp+1)-1; - strncpy(amode, xp+1, n); - amode[n] = '\0'; - /* amode[3] = '\0'; */ - if (VERBOSE) - printf("Test = %s, Mode = %s\n", atest, amode); - } - else if (strncasecmp(pp, "Key Length : ", 13) == 0) - { - akeysz = atoi(pp+13); - if (VERBOSE) - printf("Key size = %d\n", akeysz); - } - } - } - break; - - case 1: /* [ENCRYPT] | [DECRYPT] */ - if (ibuf[0] == '[') - { - fputs(ibuf, rfp); - ++step; - if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0) - dir = 1; - else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0) - dir = 0; - else - { - printf("Invalid keyword: %s\n", ibuf); - err = 1; - } - break; - } - else if (dir == -1) - { - err = 1; - printf("Missing ENCRYPT/DECRYPT keyword\n"); - break; - } - else - step = 2; - - case 2: /* KEY = xxxx */ - fputs(ibuf, rfp); - if(*ibuf == '\n') - break; - if(!strncasecmp(ibuf,"COUNT = ",8)) - break; - - if (strncasecmp(ibuf, "KEY = ", 6) != 0) - { - printf("Missing KEY\n"); - err = 1; - } - else - { - len = hex2bin((char*)ibuf+6, aKey); - if (len < 0) - { - printf("Invalid KEY\n"); - err =1; - break; - } - PrintValue("KEY", aKey, len); - if (strcmp(amode, "ECB") == 0) - { - memset(iVec, 0, sizeof(iVec)); - step = (dir)? 4: 5; /* no ivec for ECB */ - } - else - ++step; - } - break; - - case 3: /* IV = xxxx */ - fputs(ibuf, rfp); - if (strncasecmp(ibuf, "IV = ", 5) != 0) - { - printf("Missing IV\n"); - err = 1; - } - else - { - len = hex2bin((char*)ibuf+5, iVec); - if (len < 0) - { - printf("Invalid IV\n"); - err =1; - break; - } - PrintValue("IV", iVec, len); - step = (dir)? 4: 5; - } - break; - - case 4: /* PLAINTEXT = xxxx */ - fputs(ibuf, rfp); - if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0) - { - printf("Missing PLAINTEXT\n"); - err = 1; - } - else - { - int nn = strlen(ibuf+12); - if(!strcmp(amode,"CFB1")) - len=bint2bin(ibuf+12,nn-1,plaintext); - else - len=hex2bin(ibuf+12, plaintext); - if (len < 0) - { - printf("Invalid PLAINTEXT: %s", ibuf+12); - err =1; - break; - } - if (len >= (int)sizeof(plaintext)) - { - printf("Buffer overflow\n"); - } - PrintValue("PLAINTEXT", (unsigned char*)plaintext, len); - if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */ - { - if(do_mct(amode, akeysz, aKey, iVec, - dir, (unsigned char*)plaintext, len, - rfp) < 0) - EXIT(1); - } - else - { - ret = AESTest(&ctx, amode, akeysz, aKey, iVec, - dir, /* 0 = decrypt, 1 = encrypt */ - plaintext, ciphertext, len); - OutputValue("CIPHERTEXT",ciphertext,len,rfp, - !strcmp(amode,"CFB1")); - } - step = 6; - } - break; - - case 5: /* CIPHERTEXT = xxxx */ - fputs(ibuf, rfp); - if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0) - { - printf("Missing KEY\n"); - err = 1; - } - else - { - if(!strcmp(amode,"CFB1")) - len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext); - else - len = hex2bin(ibuf+13,ciphertext); - if (len < 0) - { - printf("Invalid CIPHERTEXT\n"); - err =1; - break; - } - - PrintValue("CIPHERTEXT", ciphertext, len); - if (strcmp(atest, "MCT") == 0) /* Monte Carlo Test */ - { - do_mct(amode, akeysz, aKey, iVec, - dir, ciphertext, len, rfp); - } - else - { - ret = AESTest(&ctx, amode, akeysz, aKey, iVec, - dir, /* 0 = decrypt, 1 = encrypt */ - plaintext, ciphertext, len); - OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp, - !strcmp(amode,"CFB1")); - } - step = 6; - } - break; - - case 6: - if (ibuf[0] != '\n') - { - err = 1; - printf("Missing terminator\n"); - } - else if (strcmp(atest, "MCT") != 0) - { /* MCT already added terminating nl */ - fputs(ibuf, rfp); - } - step = 1; - break; - } - } - if (rfp) - fclose(rfp); - if (afp) - fclose(afp); - return err; - } - -/*-------------------------------------------------- - Processes either a single file or - a set of files whose names are passed in a file. - A single file is specified as: - aes_test -f xxx.req - A set of files is specified as: - aes_test -d xxxxx.xxx - The default is: -d req.txt ---------------------------------------------------*/ -int main(int argc, char **argv) - { - char *rqlist = "req.txt", *rspfile = NULL; - FILE *fp = NULL; - char fn[250] = "", rfn[256] = ""; - int f_opt = 0, d_opt = 1; - -#ifdef OPENSSL_FIPS - if(!FIPS_mode_set(1)) - { - do_print_errors(); - EXIT(1); - } -#endif - if (argc > 1) - { - if (strcasecmp(argv[1], "-d") == 0) - { - d_opt = 1; - } - else if (strcasecmp(argv[1], "-f") == 0) - { - f_opt = 1; - d_opt = 0; - } - else - { - printf("Invalid parameter: %s\n", argv[1]); - return 0; - } - if (argc < 3) - { - printf("Missing parameter\n"); - return 0; - } - if (d_opt) - rqlist = argv[2]; - else - { - strcpy(fn, argv[2]); - rspfile = argv[3]; - } - } - if (d_opt) - { /* list of files (directory) */ - if (!(fp = fopen(rqlist, "r"))) - { - printf("Cannot open req list file\n"); - return -1; - } - while (fgets(fn, sizeof(fn), fp)) - { - strtok(fn, "\r\n"); - strcpy(rfn, fn); - if (VERBOSE) - printf("Processing: %s\n", rfn); - if (proc_file(rfn, rspfile)) - { - printf(">>> Processing failed for: %s <<<\n", rfn); - EXIT(1); - } - } - fclose(fp); - } - else /* single file */ - { - if (VERBOSE) - printf("Processing: %s\n", fn); - if (proc_file(fn, rspfile)) - { - printf(">>> Processing failed for: %s <<<\n", fn); - } - } - EXIT(0); - return 0; - } - -#endif diff --git a/crypto/openssl/fips/des/Makefile b/crypto/openssl/fips/des/Makefile deleted file mode 100644 index ba1d095..0000000 --- a/crypto/openssl/fips/des/Makefile +++ /dev/null @@ -1,111 +0,0 @@ -# -# OpenSSL/fips/des/Makefile -# - -DIR= des -TOP= ../.. -CC= cc -INCLUDES= -CFLAG=-g -INSTALL_PREFIX= -OPENSSLDIR= /usr/local/ssl -INSTALLTOP=/usr/local/ssl -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -AR= ar r - -ASFLAGS= $(INCLUDES) $(ASFLAG) -AFLAGS= $(ASFLAGS) - -CFLAGS= $(INCLUDES) $(CFLAG) - -GENERAL=Makefile -TEST= fips_desmovs.c -APPS= - -LIB=$(TOP)/libcrypto.a -LIBSRC=fips_des_selftest.c -LIBOBJ=fips_des_selftest.o - -SRC= $(LIBSRC) - -EXHEADER= -HEADER= - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all) - -all: lib - -lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - -links: - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) - -install: - @headerlist="$(EXHEADER)"; for i in $$headerlist; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done - -tags: - ctags $(SRC) - -tests: - -fips_test: - -find ../testvectors/tdes/req -name '*.req' > testlist - -rm -rf ../testvectors/tdes/rsp - mkdir ../testvectors/tdes/rsp - if [ -s testlist ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_desmovs -d testlist; fi - -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - -depend: - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) \ - $(SRC) $(TEST) -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - -clean: - rm -f *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff testlist -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips_des_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_des_selftest.o: ../../include/openssl/crypto.h -fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_des_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_des_selftest.o: ../../include/openssl/lhash.h -fips_des_selftest.o: ../../include/openssl/obj_mac.h -fips_des_selftest.o: ../../include/openssl/objects.h -fips_des_selftest.o: ../../include/openssl/opensslconf.h -fips_des_selftest.o: ../../include/openssl/opensslv.h -fips_des_selftest.o: ../../include/openssl/ossl_typ.h -fips_des_selftest.o: ../../include/openssl/safestack.h -fips_des_selftest.o: ../../include/openssl/stack.h -fips_des_selftest.o: ../../include/openssl/symhacks.h fips_des_selftest.c -fips_desmovs.o: ../../e_os.h ../../include/openssl/asn1.h -fips_desmovs.o: ../../include/openssl/bio.h ../../include/openssl/bn.h -fips_desmovs.o: ../../include/openssl/crypto.h ../../include/openssl/des.h -fips_desmovs.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h -fips_desmovs.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_desmovs.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_desmovs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -fips_desmovs.o: ../../include/openssl/opensslconf.h -fips_desmovs.o: ../../include/openssl/opensslv.h -fips_desmovs.o: ../../include/openssl/ossl_typ.h -fips_desmovs.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_desmovs.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -fips_desmovs.o: ../../include/openssl/ui_compat.h ../fips_utl.h fips_desmovs.c diff --git a/crypto/openssl/fips/des/fips_des_selftest.c b/crypto/openssl/fips/des/fips_des_selftest.c deleted file mode 100644 index 61c39ce..0000000 --- a/crypto/openssl/fips/des/fips_des_selftest.c +++ /dev/null @@ -1,137 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <string.h> -#include <openssl/err.h> -#include <openssl/fips.h> -#include <openssl/evp.h> -#include <openssl/opensslconf.h> - -#ifdef OPENSSL_FIPS - -static struct - { - unsigned char key[16]; - unsigned char plaintext[8]; - unsigned char ciphertext[8]; - } tests2[]= - { - { - { 0x7c,0x4f,0x6e,0xf7,0xa2,0x04,0x16,0xec, - 0x0b,0x6b,0x7c,0x9e,0x5e,0x19,0xa7,0xc4 }, - { 0x06,0xa7,0xd8,0x79,0xaa,0xce,0x69,0xef }, - { 0x4c,0x11,0x17,0x55,0xbf,0xc4,0x4e,0xfd } - }, - { - { 0x5d,0x9e,0x01,0xd3,0x25,0xc7,0x3e,0x34, - 0x01,0x16,0x7c,0x85,0x23,0xdf,0xe0,0x68 }, - { 0x9c,0x50,0x09,0x0f,0x5e,0x7d,0x69,0x7e }, - { 0xd2,0x0b,0x18,0xdf,0xd9,0x0d,0x9e,0xff }, - } - }; - -static struct - { - unsigned char key[24]; - unsigned char plaintext[8]; - unsigned char ciphertext[8]; - } tests3[]= - { - { - { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10, - 0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0 }, - { 0x8f,0x8f,0xbf,0x9b,0x5d,0x48,0xb4,0x1c }, - { 0x59,0x8c,0xe5,0xd3,0x6c,0xa2,0xea,0x1b }, - }, - { - { 0xDC,0xBA,0x98,0x76,0x54,0x32,0x10,0xFE, - 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, - 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 }, - { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, - { 0x11,0x25,0xb0,0x35,0xbe,0xa0,0x82,0x86 }, - }, - }; - -void FIPS_corrupt_des() - { - tests2[0].plaintext[0]++; - } - -int FIPS_selftest_des() - { - int n, ret = 0; - EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); - /* Encrypt/decrypt with 2-key 3DES and compare to known answers */ - for(n=0 ; n < 2 ; ++n) - { - if (!fips_cipher_test(&ctx, EVP_des_ede_ecb(), - tests2[n].key, NULL, - tests2[n].plaintext, tests2[n].ciphertext, 8)) - goto err; - } - - /* Encrypt/decrypt with 3DES and compare to known answers */ - for(n=0 ; n < 2 ; ++n) - { - if (!fips_cipher_test(&ctx, EVP_des_ede3_ecb(), - tests3[n].key, NULL, - tests3[n].plaintext, tests3[n].ciphertext, 8)) - goto err; - } - ret = 1; - err: - EVP_CIPHER_CTX_cleanup(&ctx); - if (ret == 0) - FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED); - - return ret; - } -#endif diff --git a/crypto/openssl/fips/des/fips_desmovs.c b/crypto/openssl/fips/des/fips_desmovs.c deleted file mode 100644 index f96a5ca..0000000 --- a/crypto/openssl/fips/des/fips_desmovs.c +++ /dev/null @@ -1,702 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ -/*--------------------------------------------- - NIST DES Modes of Operation Validation System - Test Program - - Based on the AES Validation Suite, which was: - Donated to OpenSSL by: - V-ONE Corporation - 20250 Century Blvd, Suite 300 - Germantown, MD 20874 - U.S.A. - ----------------------------------------------*/ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <errno.h> -#include <assert.h> -#include <ctype.h> -#include <openssl/des.h> -#include <openssl/evp.h> -#include <openssl/bn.h> - -#include <openssl/err.h> -#include "e_os.h" - -#ifndef OPENSSL_FIPS - -int main(int argc, char *argv[]) -{ - printf("No FIPS DES support\n"); - return(0); -} - -#else - -#include <openssl/fips.h> -#include "fips_utl.h" - -#define DES_BLOCK_SIZE 8 - -#define VERBOSE 0 - -static int DESTest(EVP_CIPHER_CTX *ctx, - char *amode, int akeysz, unsigned char *aKey, - unsigned char *iVec, - int dir, /* 0 = decrypt, 1 = encrypt */ - unsigned char *out, unsigned char *in, int len) - { - const EVP_CIPHER *cipher = NULL; - - if (akeysz != 192) - { - printf("Invalid key size: %d\n", akeysz); - EXIT(1); - } - - if (strcasecmp(amode, "CBC") == 0) - cipher = EVP_des_ede3_cbc(); - else if (strcasecmp(amode, "ECB") == 0) - cipher = EVP_des_ede3_ecb(); - else if (strcasecmp(amode, "CFB64") == 0) - cipher = EVP_des_ede3_cfb64(); - else if (strncasecmp(amode, "OFB", 3) == 0) - cipher = EVP_des_ede3_ofb(); - else if(!strcasecmp(amode,"CFB8")) - cipher = EVP_des_ede3_cfb8(); - else if(!strcasecmp(amode,"CFB1")) - cipher = EVP_des_ede3_cfb1(); - else - { - printf("Unknown mode: %s\n", amode); - EXIT(1); - } - - if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0) - return 0; - if(!strcasecmp(amode,"CFB1")) - M_EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS); - EVP_Cipher(ctx, out, in, len); - - return 1; - } -#if 0 -static void DebugValue(char *tag, unsigned char *val, int len) - { - char obuf[2048]; - int olen; - olen = bin2hex(val, len, obuf); - printf("%s = %.*s\n", tag, olen, obuf); - } -#endif -static void shiftin(unsigned char *dst,unsigned char *src,int nbits) - { - int n; - - /* move the bytes... */ - memmove(dst,dst+nbits/8,3*8-nbits/8); - /* append new data */ - memcpy(dst+3*8-nbits/8,src,(nbits+7)/8); - /* left shift the bits */ - if(nbits%8) - for(n=0 ; n < 3*8 ; ++n) - dst[n]=(dst[n] << (nbits%8))|(dst[n+1] >> (8-nbits%8)); - } - -/*-----------------------------------------------*/ -char *t_tag[2] = {"PLAINTEXT", "CIPHERTEXT"}; -char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"}; -enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64}; -int Sizes[6]={64,64,64,1,8,64}; - -static void do_mct(char *amode, - int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec, - int dir, unsigned char *text, int len, - FILE *rfp) - { - int i,imode; - unsigned char nk[4*8]; /* longest key+8 */ - unsigned char text0[8]; - - for (imode=0 ; imode < 6 ; ++imode) - if(!strcmp(amode,t_mode[imode])) - break; - if (imode == 6) - { - printf("Unrecognized mode: %s\n", amode); - EXIT(1); - } - - for(i=0 ; i < 400 ; ++i) - { - int j; - int n; - int kp=akeysz/64; - unsigned char old_iv[8]; - EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); - - fprintf(rfp,"\nCOUNT = %d\n",i); - if(kp == 1) - OutputValue("KEY",akey,8,rfp,0); - else - for(n=0 ; n < kp ; ++n) - { - fprintf(rfp,"KEY%d",n+1); - OutputValue("",akey+n*8,8,rfp,0); - } - - if(imode != ECB) - OutputValue("IV",ivec,8,rfp,0); - OutputValue(t_tag[dir^1],text,len,rfp,imode == CFB1); -#if 0 - /* compensate for endianness */ - if(imode == CFB1) - text[0]<<=7; -#endif - memcpy(text0,text,8); - - for(j=0 ; j < 10000 ; ++j) - { - unsigned char old_text[8]; - - memcpy(old_text,text,8); - if(j == 0) - { - memcpy(old_iv,ivec,8); - DESTest(&ctx,amode,akeysz,akey,ivec,dir,text,text,len); - } - else - { - memcpy(old_iv,ctx.iv,8); - EVP_Cipher(&ctx,text,text,len); - } - if(j == 9999) - { - OutputValue(t_tag[dir],text,len,rfp,imode == CFB1); - /* memcpy(ivec,text,8); */ - } - /* DebugValue("iv",ctx.iv,8); */ - /* accumulate material for the next key */ - shiftin(nk,text,Sizes[imode]); - /* DebugValue("nk",nk,24);*/ - if((dir && (imode == CFB1 || imode == CFB8 || imode == CFB64 - || imode == CBC)) || imode == OFB) - memcpy(text,old_iv,8); - - if(!dir && (imode == CFB1 || imode == CFB8 || imode == CFB64)) - { - /* the test specifies using the output of the raw DES operation - which we don't have, so reconstruct it... */ - for(n=0 ; n < 8 ; ++n) - text[n]^=old_text[n]; - } - } - for(n=0 ; n < 8 ; ++n) - akey[n]^=nk[16+n]; - for(n=0 ; n < 8 ; ++n) - akey[8+n]^=nk[8+n]; - for(n=0 ; n < 8 ; ++n) - akey[16+n]^=nk[n]; - if(numkeys < 3) - memcpy(&akey[2*8],akey,8); - if(numkeys < 2) - memcpy(&akey[8],akey,8); - DES_set_odd_parity((DES_cblock *)akey); - DES_set_odd_parity((DES_cblock *)(akey+8)); - DES_set_odd_parity((DES_cblock *)(akey+16)); - memcpy(ivec,ctx.iv,8); - - /* pointless exercise - the final text doesn't depend on the - initial text in OFB mode, so who cares what it is? (Who - designed these tests?) */ - if(imode == OFB) - for(n=0 ; n < 8 ; ++n) - text[n]=text0[n]^old_iv[n]; - } - } - -static int proc_file(char *rqfile, char *rspfile) - { - char afn[256], rfn[256]; - FILE *afp = NULL, *rfp = NULL; - char ibuf[2048], tbuf[2048]; - int ilen, len, ret = 0; - char amode[8] = ""; - char atest[100] = ""; - int akeysz=0; - unsigned char iVec[20], aKey[40]; - int dir = -1, err = 0, step = 0; - unsigned char plaintext[2048]; - unsigned char ciphertext[2048]; - char *rp; - EVP_CIPHER_CTX ctx; - int numkeys=1; - EVP_CIPHER_CTX_init(&ctx); - - if (!rqfile || !(*rqfile)) - { - printf("No req file\n"); - return -1; - } - strcpy(afn, rqfile); - - if ((afp = fopen(afn, "r")) == NULL) - { - printf("Cannot open file: %s, %s\n", - afn, strerror(errno)); - return -1; - } - if (!rspfile) - { - strcpy(rfn,afn); - rp=strstr(rfn,"req/"); -#ifdef OPENSSL_SYS_WIN32 - if (!rp) - rp=strstr(rfn,"req\\"); -#endif - assert(rp); - memcpy(rp,"rsp",3); - rp = strstr(rfn, ".req"); - memcpy(rp, ".rsp", 4); - rspfile = rfn; - } - if ((rfp = fopen(rspfile, "w")) == NULL) - { - printf("Cannot open file: %s, %s\n", - rfn, strerror(errno)); - fclose(afp); - afp = NULL; - return -1; - } - while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL) - { - tidy_line(tbuf, ibuf); - ilen = strlen(ibuf); - /* printf("step=%d ibuf=%s",step,ibuf);*/ - if(step == 3 && !strcmp(amode,"ECB")) - { - memset(iVec, 0, sizeof(iVec)); - step = (dir)? 4: 5; /* no ivec for ECB */ - } - switch (step) - { - case 0: /* read preamble */ - if (ibuf[0] == '\n') - { /* end of preamble */ - if (*amode == '\0') - { - printf("Missing Mode\n"); - err = 1; - } - else - { - fputs(ibuf, rfp); - ++ step; - } - } - else if (ibuf[0] != '#') - { - printf("Invalid preamble item: %s\n", ibuf); - err = 1; - } - else - { /* process preamble */ - char *xp, *pp = ibuf+2; - int n; - if(*amode) - { /* insert current time & date */ - time_t rtim = time(0); - fprintf(rfp, "# %s", ctime(&rtim)); - } - else - { - fputs(ibuf, rfp); - if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4) - || !strncmp(pp,"TDES ",5) - || !strncmp(pp,"PERMUTATION ",12) - || !strncmp(pp,"SUBSTITUTION ",13) - || !strncmp(pp,"VARIABLE ",9)) - { - /* get test type */ - if(!strncmp(pp,"DES ",4)) - pp+=4; - else if(!strncmp(pp,"TDES ",5)) - pp+=5; - xp = strchr(pp, ' '); - n = xp-pp; - strncpy(atest, pp, n); - atest[n] = '\0'; - /* get mode */ - xp = strrchr(pp, ' '); /* get mode" */ - n = strlen(xp+1)-1; - strncpy(amode, xp+1, n); - amode[n] = '\0'; - /* amode[3] = '\0'; */ - if (VERBOSE) - printf("Test=%s, Mode=%s\n",atest,amode); - } - } - } - break; - - case 1: /* [ENCRYPT] | [DECRYPT] */ - if(ibuf[0] == '\n') - break; - if (ibuf[0] == '[') - { - fputs(ibuf, rfp); - ++step; - if (strncasecmp(ibuf, "[ENCRYPT]", 9) == 0) - dir = 1; - else if (strncasecmp(ibuf, "[DECRYPT]", 9) == 0) - dir = 0; - else - { - printf("Invalid keyword: %s\n", ibuf); - err = 1; - } - break; - } - else if (dir == -1) - { - err = 1; - printf("Missing ENCRYPT/DECRYPT keyword\n"); - break; - } - else - step = 2; - - case 2: /* KEY = xxxx */ - if(*ibuf == '\n') - { - fputs(ibuf, rfp); - break; - } - if(!strncasecmp(ibuf,"COUNT = ",8)) - { - fputs(ibuf, rfp); - break; - } - if(!strncasecmp(ibuf,"COUNT=",6)) - { - fputs(ibuf, rfp); - break; - } - if(!strncasecmp(ibuf,"NumKeys = ",10)) - { - numkeys=atoi(ibuf+10); - break; - } - - fputs(ibuf, rfp); - if(!strncasecmp(ibuf,"KEY = ",6)) - { - akeysz=64; - len = hex2bin((char*)ibuf+6, aKey); - if (len < 0) - { - printf("Invalid KEY\n"); - err=1; - break; - } - PrintValue("KEY", aKey, len); - ++step; - } - else if(!strncasecmp(ibuf,"KEYs = ",7)) - { - akeysz=64*3; - len=hex2bin(ibuf+7,aKey); - if(len != 8) - { - printf("Invalid KEY\n"); - err=1; - break; - } - memcpy(aKey+8,aKey,8); - memcpy(aKey+16,aKey,8); - ibuf[4]='\0'; - PrintValue("KEYs",aKey,len); - ++step; - } - else if(!strncasecmp(ibuf,"KEY",3)) - { - int n=ibuf[3]-'1'; - - akeysz=64*3; - len=hex2bin(ibuf+7,aKey+n*8); - if(len != 8) - { - printf("Invalid KEY\n"); - err=1; - break; - } - ibuf[4]='\0'; - PrintValue(ibuf,aKey,len); - if(n == 2) - ++step; - } - else - { - printf("Missing KEY\n"); - err = 1; - } - break; - - case 3: /* IV = xxxx */ - fputs(ibuf, rfp); - if (strncasecmp(ibuf, "IV = ", 5) != 0) - { - printf("Missing IV\n"); - err = 1; - } - else - { - len = hex2bin((char*)ibuf+5, iVec); - if (len < 0) - { - printf("Invalid IV\n"); - err =1; - break; - } - PrintValue("IV", iVec, len); - step = (dir)? 4: 5; - } - break; - - case 4: /* PLAINTEXT = xxxx */ - fputs(ibuf, rfp); - if (strncasecmp(ibuf, "PLAINTEXT = ", 12) != 0) - { - printf("Missing PLAINTEXT\n"); - err = 1; - } - else - { - int nn = strlen(ibuf+12); - if(!strcmp(amode,"CFB1")) - len=bint2bin(ibuf+12,nn-1,plaintext); - else - len=hex2bin(ibuf+12, plaintext); - if (len < 0) - { - printf("Invalid PLAINTEXT: %s", ibuf+12); - err =1; - break; - } - if (len >= (int)sizeof(plaintext)) - { - printf("Buffer overflow\n"); - } - PrintValue("PLAINTEXT", (unsigned char*)plaintext, len); - if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */ - { - do_mct(amode,akeysz,numkeys,aKey,iVec,dir,plaintext,len,rfp); - } - else - { - assert(dir == 1); - ret = DESTest(&ctx, amode, akeysz, aKey, iVec, - dir, /* 0 = decrypt, 1 = encrypt */ - ciphertext, plaintext, len); - OutputValue("CIPHERTEXT",ciphertext,len,rfp, - !strcmp(amode,"CFB1")); - } - step = 6; - } - break; - - case 5: /* CIPHERTEXT = xxxx */ - fputs(ibuf, rfp); - if (strncasecmp(ibuf, "CIPHERTEXT = ", 13) != 0) - { - printf("Missing KEY\n"); - err = 1; - } - else - { - if(!strcmp(amode,"CFB1")) - len=bint2bin(ibuf+13,strlen(ibuf+13)-1,ciphertext); - else - len = hex2bin(ibuf+13,ciphertext); - if (len < 0) - { - printf("Invalid CIPHERTEXT\n"); - err =1; - break; - } - - PrintValue("CIPHERTEXT", ciphertext, len); - if (strcmp(atest, "Monte") == 0) /* Monte Carlo Test */ - { - do_mct(amode, akeysz, numkeys, aKey, iVec, - dir, ciphertext, len, rfp); - } - else - { - assert(dir == 0); - ret = DESTest(&ctx, amode, akeysz, aKey, iVec, - dir, /* 0 = decrypt, 1 = encrypt */ - plaintext, ciphertext, len); - OutputValue("PLAINTEXT",(unsigned char *)plaintext,len,rfp, - !strcmp(amode,"CFB1")); - } - step = 6; - } - break; - - case 6: - if (ibuf[0] != '\n') - { - err = 1; - printf("Missing terminator\n"); - } - else if (strcmp(atest, "MCT") != 0) - { /* MCT already added terminating nl */ - fputs(ibuf, rfp); - } - step = 1; - break; - } - } - if (rfp) - fclose(rfp); - if (afp) - fclose(afp); - return err; - } - -/*-------------------------------------------------- - Processes either a single file or - a set of files whose names are passed in a file. - A single file is specified as: - aes_test -f xxx.req - A set of files is specified as: - aes_test -d xxxxx.xxx - The default is: -d req.txt ---------------------------------------------------*/ -int main(int argc, char **argv) - { - char *rqlist = "req.txt", *rspfile = NULL; - FILE *fp = NULL; - char fn[250] = "", rfn[256] = ""; - int f_opt = 0, d_opt = 1; - -#ifdef OPENSSL_FIPS - if(!FIPS_mode_set(1)) - { - do_print_errors(); - EXIT(1); - } -#endif - if (argc > 1) - { - if (strcasecmp(argv[1], "-d") == 0) - { - d_opt = 1; - } - else if (strcasecmp(argv[1], "-f") == 0) - { - f_opt = 1; - d_opt = 0; - } - else - { - printf("Invalid parameter: %s\n", argv[1]); - return 0; - } - if (argc < 3) - { - printf("Missing parameter\n"); - return 0; - } - if (d_opt) - rqlist = argv[2]; - else - { - strcpy(fn, argv[2]); - rspfile = argv[3]; - } - } - if (d_opt) - { /* list of files (directory) */ - if (!(fp = fopen(rqlist, "r"))) - { - printf("Cannot open req list file\n"); - return -1; - } - while (fgets(fn, sizeof(fn), fp)) - { - strtok(fn, "\r\n"); - strcpy(rfn, fn); - printf("Processing: %s\n", rfn); - if (proc_file(rfn, rspfile)) - { - printf(">>> Processing failed for: %s <<<\n", rfn); - EXIT(1); - } - } - fclose(fp); - } - else /* single file */ - { - if (VERBOSE) - printf("Processing: %s\n", fn); - if (proc_file(fn, rspfile)) - { - printf(">>> Processing failed for: %s <<<\n", fn); - } - } - EXIT(0); - return 0; - } - -#endif diff --git a/crypto/openssl/fips/dh/Makefile b/crypto/openssl/fips/dh/Makefile deleted file mode 100644 index 2d3833a..0000000 --- a/crypto/openssl/fips/dh/Makefile +++ /dev/null @@ -1,115 +0,0 @@ -# -# OpenSSL/fips/dh/Makefile -# - -DIR= dh -TOP= ../.. -CC= cc -INCLUDES= -CFLAG=-g -INSTALL_PREFIX= -OPENSSLDIR= /usr/local/ssl -INSTALLTOP=/usr/local/ssl -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -AR= ar r - -CFLAGS= $(INCLUDES) $(CFLAG) - -GENERAL=Makefile -TEST= -APPS= - -LIB=$(TOP)/libcrypto.a -LIBSRC=fips_dh_check.c fips_dh_gen.c fips_dh_key.c fips_dh_lib.c -LIBOBJ=fips_dh_check.o fips_dh_gen.o fips_dh_key.o fips_dh_lib.o - -SRC= $(LIBSRC) - -EXHEADER= -HEADER= $(EXHEADER) - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all) - -all: lib - -lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - -links: - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) - -install: - @headerlist="$(EXHEADER)"; for i in $$headerlist; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done - -tags: - ctags $(SRC) - -tests: - -fips_test: - -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - -depend: - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(SRC) $(TEST) - -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - -clean: - rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff - -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips_dh_check.o: ../../include/openssl/bio.h ../../include/openssl/bn.h -fips_dh_check.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h -fips_dh_check.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_dh_check.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_dh_check.o: ../../include/openssl/opensslconf.h -fips_dh_check.o: ../../include/openssl/opensslv.h -fips_dh_check.o: ../../include/openssl/ossl_typ.h -fips_dh_check.o: ../../include/openssl/safestack.h -fips_dh_check.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_dh_check.o: fips_dh_check.c -fips_dh_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h -fips_dh_gen.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h -fips_dh_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_dh_gen.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_dh_gen.o: ../../include/openssl/opensslconf.h -fips_dh_gen.o: ../../include/openssl/opensslv.h -fips_dh_gen.o: ../../include/openssl/ossl_typ.h -fips_dh_gen.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_dh_gen.o: ../../include/openssl/symhacks.h fips_dh_gen.c -fips_dh_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h -fips_dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h -fips_dh_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_dh_key.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_dh_key.o: ../../include/openssl/opensslconf.h -fips_dh_key.o: ../../include/openssl/opensslv.h -fips_dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h -fips_dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_dh_key.o: ../../include/openssl/symhacks.h fips_dh_key.c -fips_dh_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h -fips_dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h -fips_dh_lib.o: ../../include/openssl/e_os2.h -fips_dh_lib.o: ../../include/openssl/opensslconf.h -fips_dh_lib.o: ../../include/openssl/opensslv.h -fips_dh_lib.o: ../../include/openssl/ossl_typ.h -fips_dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_dh_lib.o: ../../include/openssl/symhacks.h fips_dh_lib.c diff --git a/crypto/openssl/fips/dh/dh_gen.c b/crypto/openssl/fips/dh/dh_gen.c deleted file mode 100644 index 999e1de..0000000 --- a/crypto/openssl/fips/dh/dh_gen.c +++ /dev/null @@ -1,179 +0,0 @@ -/* crypto/dh/dh_gen.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* NB: These functions have been upgraded - the previous prototypes are in - * dh_depr.c as wrappers to these ones. - * - Geoff - */ - -#include <stdio.h> -#include "cryptlib.h" -#include <openssl/bn.h> -#include <openssl/dh.h> - -#ifndef OPENSSL_FIPS - -static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); - -int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) - { - if(ret->meth->generate_params) - return ret->meth->generate_params(ret, prime_len, generator, cb); - return dh_builtin_genparams(ret, prime_len, generator, cb); - } - -/* We generate DH parameters as follows - * find a prime q which is prime_len/2 bits long. - * p=(2*q)+1 or (p-1)/2 = q - * For this case, g is a generator if - * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1. - * Since the factors of p-1 are q and 2, we just need to check - * g^2 mod p != 1 and g^q mod p != 1. - * - * Having said all that, - * there is another special case method for the generators 2, 3 and 5. - * for 2, p mod 24 == 11 - * for 3, p mod 12 == 5 <<<<< does not work for safe primes. - * for 5, p mod 10 == 3 or 7 - * - * Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the - * special generators and for answering some of my questions. - * - * I've implemented the second simple method :-). - * Since DH should be using a safe prime (both p and q are prime), - * this generator function can take a very very long time to run. - */ -/* Actually there is no reason to insist that 'generator' be a generator. - * It's just as OK (and in some sense better) to use a generator of the - * order-q subgroup. - */ -static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb) - { - BIGNUM *t1,*t2; - int g,ok= -1; - BN_CTX *ctx=NULL; - - ctx=BN_CTX_new(); - if (ctx == NULL) goto err; - BN_CTX_start(ctx); - t1 = BN_CTX_get(ctx); - t2 = BN_CTX_get(ctx); - if (t1 == NULL || t2 == NULL) goto err; - - /* Make sure 'ret' has the necessary elements */ - if(!ret->p && ((ret->p = BN_new()) == NULL)) goto err; - if(!ret->g && ((ret->g = BN_new()) == NULL)) goto err; - - if (generator <= 1) - { - DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_BAD_GENERATOR); - goto err; - } - if (generator == DH_GENERATOR_2) - { - if (!BN_set_word(t1,24)) goto err; - if (!BN_set_word(t2,11)) goto err; - g=2; - } -#if 0 /* does not work for safe primes */ - else if (generator == DH_GENERATOR_3) - { - if (!BN_set_word(t1,12)) goto err; - if (!BN_set_word(t2,5)) goto err; - g=3; - } -#endif - else if (generator == DH_GENERATOR_5) - { - if (!BN_set_word(t1,10)) goto err; - if (!BN_set_word(t2,3)) goto err; - /* BN_set_word(t3,7); just have to miss - * out on these ones :-( */ - g=5; - } - else - { - /* in the general case, don't worry if 'generator' is a - * generator or not: since we are using safe primes, - * it will generate either an order-q or an order-2q group, - * which both is OK */ - if (!BN_set_word(t1,2)) goto err; - if (!BN_set_word(t2,1)) goto err; - g=generator; - } - - if(!BN_generate_prime_ex(ret->p,prime_len,1,t1,t2,cb)) goto err; - if(!BN_GENCB_call(cb, 3, 0)) goto err; - if (!BN_set_word(ret->g,g)) goto err; - ok=1; -err: - if (ok == -1) - { - DHerr(DH_F_DH_BUILTIN_GENPARAMS,ERR_R_BN_LIB); - ok=0; - } - - if (ctx != NULL) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - return ok; - } - -#endif diff --git a/crypto/openssl/fips/dh/fips_dh_check.c b/crypto/openssl/fips/dh/fips_dh_check.c deleted file mode 100644 index 7333f7c..0000000 --- a/crypto/openssl/fips/dh/fips_dh_check.c +++ /dev/null @@ -1,147 +0,0 @@ -/* crypto/dh/dh_check.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> -#include <openssl/bn.h> -#include <openssl/dh.h> -#include <openssl/err.h> -#include <openssl/fips.h> - -/* Check that p is a safe prime and - * if g is 2, 3 or 5, check that is is a suitable generator - * where - * for 2, p mod 24 == 11 - * for 3, p mod 12 == 5 - * for 5, p mod 10 == 3 or 7 - * should hold. - */ - -#ifdef OPENSSL_FIPS - -int DH_check(const DH *dh, int *ret) - { - int ok=0; - BN_CTX *ctx=NULL; - BN_ULONG l; - BIGNUM *q=NULL; - - *ret=0; - ctx=BN_CTX_new(); - if (ctx == NULL) goto err; - q=BN_new(); - if (q == NULL) goto err; - - if (BN_is_word(dh->g,DH_GENERATOR_2)) - { - l=BN_mod_word(dh->p,24); - if (l != 11) *ret|=DH_NOT_SUITABLE_GENERATOR; - } -#if 0 - else if (BN_is_word(dh->g,DH_GENERATOR_3)) - { - l=BN_mod_word(dh->p,12); - if (l != 5) *ret|=DH_NOT_SUITABLE_GENERATOR; - } -#endif - else if (BN_is_word(dh->g,DH_GENERATOR_5)) - { - l=BN_mod_word(dh->p,10); - if ((l != 3) && (l != 7)) - *ret|=DH_NOT_SUITABLE_GENERATOR; - } - else - *ret|=DH_UNABLE_TO_CHECK_GENERATOR; - - if (!BN_is_prime_ex(dh->p,BN_prime_checks,ctx,NULL)) - *ret|=DH_CHECK_P_NOT_PRIME; - else - { - if (!BN_rshift1(q,dh->p)) goto err; - if (!BN_is_prime_ex(q,BN_prime_checks,ctx,NULL)) - *ret|=DH_CHECK_P_NOT_SAFE_PRIME; - } - ok=1; -err: - if (ctx != NULL) BN_CTX_free(ctx); - if (q != NULL) BN_free(q); - return(ok); - } - -int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - { - int ok=0; - BIGNUM *q=NULL; - - *ret=0; - q=BN_new(); - if (q == NULL) goto err; - BN_set_word(q,1); - if (BN_cmp(pub_key,q) <= 0) - *ret|=DH_CHECK_PUBKEY_TOO_SMALL; - BN_copy(q,dh->p); - BN_sub_word(q,1); - if (BN_cmp(pub_key,q) >= 0) - *ret|=DH_CHECK_PUBKEY_TOO_LARGE; - - ok = 1; -err: - if (q != NULL) BN_free(q); - return(ok); - } - -#endif diff --git a/crypto/openssl/fips/dh/fips_dh_gen.c b/crypto/openssl/fips/dh/fips_dh_gen.c deleted file mode 100644 index d115f9d..0000000 --- a/crypto/openssl/fips/dh/fips_dh_gen.c +++ /dev/null @@ -1,192 +0,0 @@ -/* crypto/dh/dh_gen.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* NB: These functions have been upgraded - the previous prototypes are in - * dh_depr.c as wrappers to these ones. - * - Geoff - */ - -#include <stdio.h> -#include <openssl/bn.h> -#include <openssl/dh.h> -#include <openssl/err.h> -#include <openssl/fips.h> - -#ifdef OPENSSL_FIPS - -static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb); - -int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb) - { - if(ret->meth->generate_params) - return ret->meth->generate_params(ret, prime_len, generator, cb); - return dh_builtin_genparams(ret, prime_len, generator, cb); - } - -/* We generate DH parameters as follows - * find a prime q which is prime_len/2 bits long. - * p=(2*q)+1 or (p-1)/2 = q - * For this case, g is a generator if - * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1. - * Since the factors of p-1 are q and 2, we just need to check - * g^2 mod p != 1 and g^q mod p != 1. - * - * Having said all that, - * there is another special case method for the generators 2, 3 and 5. - * for 2, p mod 24 == 11 - * for 3, p mod 12 == 5 <<<<< does not work for safe primes. - * for 5, p mod 10 == 3 or 7 - * - * Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the - * special generators and for answering some of my questions. - * - * I've implemented the second simple method :-). - * Since DH should be using a safe prime (both p and q are prime), - * this generator function can take a very very long time to run. - */ -/* Actually there is no reason to insist that 'generator' be a generator. - * It's just as OK (and in some sense better) to use a generator of the - * order-q subgroup. - */ -static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb) - { - BIGNUM *t1,*t2; - int g,ok= -1; - BN_CTX *ctx=NULL; - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS,FIPS_R_FIPS_SELFTEST_FAILED); - return 0; - } - - if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) - { - DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); - goto err; - } - - ctx=BN_CTX_new(); - if (ctx == NULL) goto err; - BN_CTX_start(ctx); - t1 = BN_CTX_get(ctx); - t2 = BN_CTX_get(ctx); - if (t1 == NULL || t2 == NULL) goto err; - - /* Make sure 'ret' has the necessary elements */ - if(!ret->p && ((ret->p = BN_new()) == NULL)) goto err; - if(!ret->g && ((ret->g = BN_new()) == NULL)) goto err; - - if (generator <= 1) - { - DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_BAD_GENERATOR); - goto err; - } - if (generator == DH_GENERATOR_2) - { - if (!BN_set_word(t1,24)) goto err; - if (!BN_set_word(t2,11)) goto err; - g=2; - } -#if 0 /* does not work for safe primes */ - else if (generator == DH_GENERATOR_3) - { - if (!BN_set_word(t1,12)) goto err; - if (!BN_set_word(t2,5)) goto err; - g=3; - } -#endif - else if (generator == DH_GENERATOR_5) - { - if (!BN_set_word(t1,10)) goto err; - if (!BN_set_word(t2,3)) goto err; - /* BN_set_word(t3,7); just have to miss - * out on these ones :-( */ - g=5; - } - else - { - /* in the general case, don't worry if 'generator' is a - * generator or not: since we are using safe primes, - * it will generate either an order-q or an order-2q group, - * which both is OK */ - if (!BN_set_word(t1,2)) goto err; - if (!BN_set_word(t2,1)) goto err; - g=generator; - } - - if(!BN_generate_prime_ex(ret->p,prime_len,1,t1,t2,cb)) goto err; - if(!BN_GENCB_call(cb, 3, 0)) goto err; - if (!BN_set_word(ret->g,g)) goto err; - ok=1; -err: - if (ok == -1) - { - DHerr(DH_F_DH_BUILTIN_GENPARAMS,ERR_R_BN_LIB); - ok=0; - } - - if (ctx != NULL) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - return ok; - } - -#endif diff --git a/crypto/openssl/fips/dh/fips_dh_key.c b/crypto/openssl/fips/dh/fips_dh_key.c deleted file mode 100644 index d20fa91..0000000 --- a/crypto/openssl/fips/dh/fips_dh_key.c +++ /dev/null @@ -1,276 +0,0 @@ -/* crypto/dh/dh_key.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> -#include <openssl/err.h> -#include <openssl/bn.h> -#ifndef OPENSSL_NO_RAND -#include <openssl/rand.h> -#endif -#ifndef OPENSSL_NO_DH -#include <openssl/dh.h> -#include <openssl/fips.h> - -#ifdef OPENSSL_FIPS - -static int generate_key(DH *dh); -static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); -static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, - const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *m_ctx); -static int dh_init(DH *dh); -static int dh_finish(DH *dh); - -int DH_generate_key(DH *dh) - { - return dh->meth->generate_key(dh); - } - -int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { - return dh->meth->compute_key(key, pub_key, dh); - } - -static const DH_METHOD dh_ossl = { -"OpenSSL DH Method", -generate_key, -compute_key, -dh_bn_mod_exp, -dh_init, -dh_finish, -0, -NULL -}; - -const DH_METHOD *DH_OpenSSL(void) -{ - return &dh_ossl; -} - -static int generate_key(DH *dh) - { - int ok=0; - int generate_new_key=0; - unsigned l; - BN_CTX *ctx; - BN_MONT_CTX *mont=NULL; - BIGNUM *pub_key=NULL,*priv_key=NULL; - - if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) - { - DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); - return 0; - } - - ctx = BN_CTX_new(); - if (ctx == NULL) goto err; - - if (dh->priv_key == NULL) - { - priv_key=BN_new(); - if (priv_key == NULL) goto err; - generate_new_key=1; - } - else - priv_key=dh->priv_key; - - if (dh->pub_key == NULL) - { - pub_key=BN_new(); - if (pub_key == NULL) goto err; - } - else - pub_key=dh->pub_key; - - if (dh->flags & DH_FLAG_CACHE_MONT_P) - { - mont = BN_MONT_CTX_set_locked( - (BN_MONT_CTX **)&dh->method_mont_p, - CRYPTO_LOCK_DH, dh->p, ctx); - if (!mont) - goto err; - } - - if (generate_new_key) - { - l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */ - if (!BN_rand(priv_key, l, 0, 0)) goto err; - } - - { - BIGNUM local_prk; - BIGNUM *prk; - - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) - { - BN_init(&local_prk); - prk = &local_prk; - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); - } - else - prk = priv_key; - - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) - goto err; - } - - dh->pub_key=pub_key; - dh->priv_key=priv_key; - ok=1; -err: - if (ok != 1) - DHerr(DH_F_GENERATE_KEY,ERR_R_BN_LIB); - - if ((pub_key != NULL) && (dh->pub_key == NULL)) BN_free(pub_key); - if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key); - BN_CTX_free(ctx); - return(ok); - } - -static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - { - BN_CTX *ctx; - BN_MONT_CTX *mont=NULL; - BIGNUM *tmp; - int ret= -1; - - ctx = BN_CTX_new(); - if (ctx == NULL) goto err; - BN_CTX_start(ctx); - tmp = BN_CTX_get(ctx); - - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) - { - DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE); - goto err; - } - - if (FIPS_mode() && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) - { - DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); - goto err; - } - - if (dh->priv_key == NULL) - { - DHerr(DH_F_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE); - goto err; - } - - if (dh->flags & DH_FLAG_CACHE_MONT_P) - { - mont = BN_MONT_CTX_set_locked( - (BN_MONT_CTX **)&dh->method_mont_p, - CRYPTO_LOCK_DH, dh->p, ctx); - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) - { - /* XXX */ - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); - } - if (!mont) - goto err; - } - - if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont)) - { - DHerr(DH_F_COMPUTE_KEY,ERR_R_BN_LIB); - goto err; - } - - ret=BN_bn2bin(tmp,key); -err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return(ret); - } - -static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, - const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *m_ctx) - { - /* If a is only one word long and constant time is false, use the faster - * exponenentiation function. - */ - if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) - { - BN_ULONG A = a->d[0]; - return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx); - } - else - return BN_mod_exp_mont(r,a,p,m,ctx,m_ctx); - } - - -static int dh_init(DH *dh) - { - FIPS_selftest_check(); - dh->flags |= DH_FLAG_CACHE_MONT_P; - return(1); - } - -static int dh_finish(DH *dh) - { - if(dh->method_mont_p) - BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p); - return(1); - } - -#endif -#endif diff --git a/crypto/openssl/fips/dh/fips_dh_lib.c b/crypto/openssl/fips/dh/fips_dh_lib.c deleted file mode 100644 index 4a822cf..0000000 --- a/crypto/openssl/fips/dh/fips_dh_lib.c +++ /dev/null @@ -1,95 +0,0 @@ -/* fips_dh_lib.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2007. - */ -/* ==================================================================== - * Copyright (c) 2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <string.h> -#include <openssl/bn.h> -#include <openssl/dh.h> - -/* Minimal FIPS versions of FIPS_dh_new() and FIPS_dh_free(): to - * reduce external dependencies. - */ - -DH *FIPS_dh_new(void) - { - DH *ret; - ret = OPENSSL_malloc(sizeof(DH)); - if (!ret) - return NULL; - memset(ret, 0, sizeof(DH)); - ret->meth = DH_OpenSSL(); - if (ret->meth->init) - ret->meth->init(ret); - return ret; - } - -void FIPS_dh_free(DH *r) - { - if (!r) - return; - if (r->meth->finish) - r->meth->finish(r); - if (r->p != NULL) BN_clear_free(r->p); - if (r->g != NULL) BN_clear_free(r->g); - if (r->q != NULL) BN_clear_free(r->q); - if (r->j != NULL) BN_clear_free(r->j); - if (r->seed) OPENSSL_free(r->seed); - if (r->counter != NULL) BN_clear_free(r->counter); - if (r->pub_key != NULL) BN_clear_free(r->pub_key); - if (r->priv_key != NULL) BN_clear_free(r->priv_key); - OPENSSL_free(r); - } diff --git a/crypto/openssl/fips/dsa/Makefile b/crypto/openssl/fips/dsa/Makefile deleted file mode 100644 index 251615e..0000000 --- a/crypto/openssl/fips/dsa/Makefile +++ /dev/null @@ -1,191 +0,0 @@ -# -# OpenSSL/fips/dsa/Makefile -# - -DIR= dsa -TOP= ../.. -CC= cc -INCLUDES= -CFLAG=-g -INSTALL_PREFIX= -OPENSSLDIR= /usr/local/ssl -INSTALLTOP=/usr/local/ssl -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -AR= ar r - -CFLAGS= $(INCLUDES) $(CFLAG) - -GENERAL=Makefile -TEST=fips_dsatest.c fips_dssvs.c -APPS= - -LIB=$(TOP)/libcrypto.a -LIBSRC=fips_dsa_ossl.c fips_dsa_gen.c fips_dsa_selftest.c fips_dsa_key.c \ - fips_dsa_lib.c fips_dsa_sign.c -LIBOBJ=fips_dsa_ossl.o fips_dsa_gen.o fips_dsa_selftest.o fips_dsa_key.o \ - fips_dsa_lib.o fips_dsa_sign.o - -SRC= $(LIBSRC) - -EXHEADER= -HEADER= $(EXHEADER) - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all) - -all: lib - -lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - -links: - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) - -install: - @headerlist="$(EXHEADER)"; for i in $$headerlist; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done - -tags: - ctags $(SRC) - -tests: - -Q=../testvectors/dsa/req -A=../testvectors/dsa/rsp - -fips_test: - -rm -rf $A - mkdir $A - if [ -f $(Q)/PQGGen.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_dssvs pqg < $(Q)/PQGGen.req > $(A)/PQGGen.rsp; fi - if [ -f $(Q)/KeyPair.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_dssvs keypair < $(Q)/KeyPair.req > $(A)/KeyPair.rsp; fi - if [ -f $(Q)/SigGen.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_dssvs siggen < $(Q)/SigGen.req > $(A)/SigGen.rsp; fi - if [ -f $(Q)/SigVer.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_dssvs sigver < $Q/SigVer.req > $A/SigVer.rsp; fi - -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - -depend: - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(SRC) $(TEST) - -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - -clean: - rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips_dsa_gen.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_dsa_gen.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_dsa_gen.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -fips_dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_dsa_gen.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_dsa_gen.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -fips_dsa_gen.o: ../../include/openssl/opensslconf.h -fips_dsa_gen.o: ../../include/openssl/opensslv.h -fips_dsa_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h -fips_dsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -fips_dsa_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_dsa_gen.o: fips_dsa_gen.c -fips_dsa_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_dsa_key.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_dsa_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -fips_dsa_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_dsa_key.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_dsa_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -fips_dsa_key.o: ../../include/openssl/opensslconf.h -fips_dsa_key.o: ../../include/openssl/opensslv.h -fips_dsa_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h -fips_dsa_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_dsa_key.o: ../../include/openssl/symhacks.h ../fips_locl.h fips_dsa_key.c -fips_dsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h -fips_dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h -fips_dsa_lib.o: ../../include/openssl/e_os2.h -fips_dsa_lib.o: ../../include/openssl/opensslconf.h -fips_dsa_lib.o: ../../include/openssl/opensslv.h -fips_dsa_lib.o: ../../include/openssl/ossl_typ.h -fips_dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_dsa_lib.o: ../../include/openssl/symhacks.h fips_dsa_lib.c -fips_dsa_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_dsa_ossl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -fips_dsa_ossl.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h -fips_dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -fips_dsa_ossl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -fips_dsa_ossl.o: ../../include/openssl/engine.h ../../include/openssl/err.h -fips_dsa_ossl.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_dsa_ossl.o: ../../include/openssl/objects.h -fips_dsa_ossl.o: ../../include/openssl/opensslconf.h -fips_dsa_ossl.o: ../../include/openssl/opensslv.h -fips_dsa_ossl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -fips_dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h -fips_dsa_ossl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -fips_dsa_ossl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -fips_dsa_ossl.o: ../../include/openssl/x509_vfy.h fips_dsa_ossl.c -fips_dsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_dsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_dsa_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_dsa_selftest.o: ../../include/openssl/obj_mac.h -fips_dsa_selftest.o: ../../include/openssl/objects.h -fips_dsa_selftest.o: ../../include/openssl/opensslconf.h -fips_dsa_selftest.o: ../../include/openssl/opensslv.h -fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h -fips_dsa_selftest.o: ../../include/openssl/safestack.h -fips_dsa_selftest.o: ../../include/openssl/stack.h -fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c -fips_dsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_dsa_sign.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -fips_dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_dsa_sign.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_dsa_sign.o: ../../include/openssl/obj_mac.h -fips_dsa_sign.o: ../../include/openssl/objects.h -fips_dsa_sign.o: ../../include/openssl/opensslconf.h -fips_dsa_sign.o: ../../include/openssl/opensslv.h -fips_dsa_sign.o: ../../include/openssl/ossl_typ.h -fips_dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -fips_dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_dsa_sign.o: fips_dsa_sign.c -fips_dsatest.o: ../../e_os.h ../../include/openssl/asn1.h -fips_dsatest.o: ../../include/openssl/bio.h ../../include/openssl/bn.h -fips_dsatest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h -fips_dsatest.o: ../../include/openssl/des.h ../../include/openssl/des_old.h -fips_dsatest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -fips_dsatest.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -fips_dsatest.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h -fips_dsatest.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_dsatest.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h -fips_dsatest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_dsatest.o: ../../include/openssl/objects.h -fips_dsatest.o: ../../include/openssl/opensslconf.h -fips_dsatest.o: ../../include/openssl/opensslv.h -fips_dsatest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -fips_dsatest.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h -fips_dsatest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -fips_dsatest.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -fips_dsatest.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h -fips_dsatest.o: ../../include/openssl/x509_vfy.h ../fips_utl.h fips_dsatest.c -fips_dssvs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_dssvs.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_dssvs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -fips_dssvs.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_dssvs.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_dssvs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -fips_dssvs.o: ../../include/openssl/opensslconf.h -fips_dssvs.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -fips_dssvs.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_dssvs.o: ../../include/openssl/symhacks.h ../fips_utl.h fips_dssvs.c diff --git a/crypto/openssl/fips/dsa/fips_dsa_gen.c b/crypto/openssl/fips/dsa/fips_dsa_gen.c deleted file mode 100644 index 0cecf34..0000000 --- a/crypto/openssl/fips/dsa/fips_dsa_gen.c +++ /dev/null @@ -1,339 +0,0 @@ -/* crypto/dsa/dsa_gen.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#undef GENUINE_DSA - -#ifdef GENUINE_DSA -/* Parameter generation follows the original release of FIPS PUB 186, - * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */ -#define HASH EVP_sha() -#else -/* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186, - * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in - * FIPS PUB 180-1) */ -#define HASH EVP_sha1() -#endif - -#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */ - -#ifndef OPENSSL_NO_SHA - -#include <stdio.h> -#include <time.h> -#include <string.h> -#include <openssl/evp.h> -#include <openssl/bn.h> -#include <openssl/dsa.h> -#include <openssl/rand.h> -#include <openssl/sha.h> -#include <openssl/err.h> - -#ifdef OPENSSL_FIPS - -static int dsa_builtin_paramgen(DSA *ret, int bits, - unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); - -int DSA_generate_parameters_ex(DSA *ret, int bits, - unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) - { - if(ret->meth->dsa_paramgen) - return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, - counter_ret, h_ret, cb); - return dsa_builtin_paramgen(ret, bits, seed_in, seed_len, - counter_ret, h_ret, cb); - } - -static int dsa_builtin_paramgen(DSA *ret, int bits, - unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) - { - int ok=0; - unsigned char seed[SHA_DIGEST_LENGTH]; - unsigned char md[SHA_DIGEST_LENGTH]; - unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH]; - BIGNUM *r0,*W,*X,*c,*test; - BIGNUM *g=NULL,*q=NULL,*p=NULL; - BN_MONT_CTX *mont=NULL; - int k,n=0,i,b,m=0; - int counter=0; - int r=0; - BN_CTX *ctx=NULL; - unsigned int h=2; - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN, - FIPS_R_FIPS_SELFTEST_FAILED); - goto err; - } - - if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) - { - DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL); - goto err; - } - - if (bits < 512) bits=512; - bits=(bits+63)/64*64; - - /* NB: seed_len == 0 is special case: copy generated seed to - * seed_in if it is not NULL. - */ - if (seed_len && (seed_len < 20)) - seed_in = NULL; /* seed buffer too small -- ignore */ - if (seed_len > 20) - seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED, - * but our internal buffers are restricted to 160 bits*/ - if ((seed_in != NULL) && (seed_len == 20)) - { - memcpy(seed,seed_in,seed_len); - /* set seed_in to NULL to avoid it being copied back */ - seed_in = NULL; - } - - if ((ctx=BN_CTX_new()) == NULL) goto err; - - if ((mont=BN_MONT_CTX_new()) == NULL) goto err; - - BN_CTX_start(ctx); - r0 = BN_CTX_get(ctx); - g = BN_CTX_get(ctx); - W = BN_CTX_get(ctx); - q = BN_CTX_get(ctx); - X = BN_CTX_get(ctx); - c = BN_CTX_get(ctx); - p = BN_CTX_get(ctx); - test = BN_CTX_get(ctx); - - if (!BN_lshift(test,BN_value_one(),bits-1)) - goto err; - - for (;;) - { - for (;;) /* find q */ - { - int seed_is_random; - - /* step 1 */ - if(!BN_GENCB_call(cb, 0, m++)) - goto err; - - if (!seed_len) - { - RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH); - seed_is_random = 1; - } - else - { - seed_is_random = 0; - seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/ - } - memcpy(buf,seed,SHA_DIGEST_LENGTH); - memcpy(buf2,seed,SHA_DIGEST_LENGTH); - /* precompute "SEED + 1" for step 7: */ - for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) - { - buf[i]++; - if (buf[i] != 0) break; - } - - /* step 2 */ - EVP_Digest(seed,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL); - EVP_Digest(buf,SHA_DIGEST_LENGTH,buf2,NULL,HASH, NULL); - for (i=0; i<SHA_DIGEST_LENGTH; i++) - md[i]^=buf2[i]; - - /* step 3 */ - md[0]|=0x80; - md[SHA_DIGEST_LENGTH-1]|=0x01; - if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err; - - /* step 4 */ - r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, - seed_is_random, cb); - if (r > 0) - break; - if (r != 0) - goto err; - - /* do a callback call */ - /* step 5 */ - } - - if(!BN_GENCB_call(cb, 2, 0)) goto err; - if(!BN_GENCB_call(cb, 3, 0)) goto err; - - /* step 6 */ - counter=0; - /* "offset = 2" */ - - n=(bits-1)/160; - b=(bits-1)-n*160; - - for (;;) - { - if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) - goto err; - - /* step 7 */ - BN_zero(W); - /* now 'buf' contains "SEED + offset - 1" */ - for (k=0; k<=n; k++) - { - /* obtain "SEED + offset + k" by incrementing: */ - for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--) - { - buf[i]++; - if (buf[i] != 0) break; - } - - EVP_Digest(buf,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL); - - /* step 8 */ - if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) - goto err; - if (!BN_lshift(r0,r0,160*k)) goto err; - if (!BN_add(W,W,r0)) goto err; - } - - /* more of step 8 */ - if (!BN_mask_bits(W,bits-1)) goto err; - if (!BN_copy(X,W)) goto err; - if (!BN_add(X,X,test)) goto err; - - /* step 9 */ - if (!BN_lshift1(r0,q)) goto err; - if (!BN_mod(c,X,r0,ctx)) goto err; - if (!BN_sub(r0,c,BN_value_one())) goto err; - if (!BN_sub(p,X,r0)) goto err; - - /* step 10 */ - if (BN_cmp(p,test) >= 0) - { - /* step 11 */ - r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, - ctx, 1, cb); - if (r > 0) - goto end; /* found it */ - if (r != 0) - goto err; - } - - /* step 13 */ - counter++; - /* "offset = offset + n + 1" */ - - /* step 14 */ - if (counter >= 4096) break; - } - } -end: - if(!BN_GENCB_call(cb, 2, 1)) - goto err; - - /* We now need to generate g */ - /* Set r0=(p-1)/q */ - if (!BN_sub(test,p,BN_value_one())) goto err; - if (!BN_div(r0,NULL,test,q,ctx)) goto err; - - if (!BN_set_word(test,h)) goto err; - if (!BN_MONT_CTX_set(mont,p,ctx)) goto err; - - for (;;) - { - /* g=test^r0%p */ - if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err; - if (!BN_is_one(g)) break; - if (!BN_add(test,test,BN_value_one())) goto err; - h++; - } - - if(!BN_GENCB_call(cb, 3, 1)) - goto err; - - ok=1; -err: - if (ok) - { - if(ret->p) BN_free(ret->p); - if(ret->q) BN_free(ret->q); - if(ret->g) BN_free(ret->g); - ret->p=BN_dup(p); - ret->q=BN_dup(q); - ret->g=BN_dup(g); - if (ret->p == NULL || ret->q == NULL || ret->g == NULL) - { - ok=0; - goto err; - } - if (seed_in != NULL) memcpy(seed_in,seed,20); - if (counter_ret != NULL) *counter_ret=counter; - if (h_ret != NULL) *h_ret=h; - } - if(ctx) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - if (mont != NULL) BN_MONT_CTX_free(mont); - return ok; - } -#endif -#endif diff --git a/crypto/openssl/fips/dsa/fips_dsa_key.c b/crypto/openssl/fips/dsa/fips_dsa_key.c deleted file mode 100644 index 9f21033..0000000 --- a/crypto/openssl/fips/dsa/fips_dsa_key.c +++ /dev/null @@ -1,169 +0,0 @@ -/* crypto/dsa/dsa_key.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> -#include <time.h> -#ifndef OPENSSL_NO_SHA -#include <openssl/bn.h> -#include <openssl/dsa.h> -#include <openssl/rand.h> -#include <openssl/err.h> -#include <openssl/evp.h> -#include <openssl/fips.h> -#include "fips_locl.h" - -#ifdef OPENSSL_FIPS - -static int fips_dsa_pairwise_fail = 0; - -void FIPS_corrupt_dsa_keygen(void) - { - fips_dsa_pairwise_fail = 1; - } - -static int dsa_builtin_keygen(DSA *dsa); - -static int fips_check_dsa(DSA *dsa) - { - EVP_PKEY pk; - unsigned char tbs[] = "DSA Pairwise Check Data"; - pk.type = EVP_PKEY_DSA; - pk.pkey.dsa = dsa; - - if (!fips_pkey_signature_test(&pk, tbs, -1, - NULL, 0, EVP_dss1(), 0, NULL)) - { - FIPSerr(FIPS_F_FIPS_CHECK_DSA,FIPS_R_PAIRWISE_TEST_FAILED); - fips_set_selftest_fail(); - return 0; - } - return 1; - } - -int DSA_generate_key(DSA *dsa) - { - if(dsa->meth->dsa_keygen) - return dsa->meth->dsa_keygen(dsa); - return dsa_builtin_keygen(dsa); - } - -static int dsa_builtin_keygen(DSA *dsa) - { - int ok=0; - BN_CTX *ctx=NULL; - BIGNUM *pub_key=NULL,*priv_key=NULL; - - if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) - { - DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); - goto err; - } - - if ((ctx=BN_CTX_new()) == NULL) goto err; - - if (dsa->priv_key == NULL) - { - if ((priv_key=BN_new()) == NULL) goto err; - } - else - priv_key=dsa->priv_key; - - do - if (!BN_rand_range(priv_key,dsa->q)) goto err; - while (BN_is_zero(priv_key)); - - if (dsa->pub_key == NULL) - { - if ((pub_key=BN_new()) == NULL) goto err; - } - else - pub_key=dsa->pub_key; - - { - BIGNUM local_prk; - BIGNUM *prk; - - if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) - { - BN_init(&local_prk); - prk = &local_prk; - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); - } - else - prk = priv_key; - - if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err; - } - - dsa->priv_key=priv_key; - dsa->pub_key=pub_key; - if (fips_dsa_pairwise_fail) - BN_add_word(dsa->pub_key, 1); - if(!fips_check_dsa(dsa)) - goto err; - ok=1; - -err: - if ((pub_key != NULL) && (dsa->pub_key == NULL)) BN_free(pub_key); - if ((priv_key != NULL) && (dsa->priv_key == NULL)) BN_free(priv_key); - if (ctx != NULL) BN_CTX_free(ctx); - return(ok); - } -#endif - -#endif diff --git a/crypto/openssl/fips/dsa/fips_dsa_lib.c b/crypto/openssl/fips/dsa/fips_dsa_lib.c deleted file mode 100644 index 2545966..0000000 --- a/crypto/openssl/fips/dsa/fips_dsa_lib.c +++ /dev/null @@ -1,95 +0,0 @@ -/* fips_dsa_lib.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2007. - */ -/* ==================================================================== - * Copyright (c) 2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <string.h> -#include <openssl/dsa.h> -#include <openssl/bn.h> - -/* Minimal FIPS versions of FIPS_dsa_new() and FIPS_dsa_free: to - * reduce external dependencies. - */ - -DSA *FIPS_dsa_new(void) - { - DSA *ret; - ret = OPENSSL_malloc(sizeof(DSA)); - if (!ret) - return NULL; - memset(ret, 0, sizeof(DSA)); - ret->meth = DSA_OpenSSL(); - if (ret->meth->init) - ret->meth->init(ret); - return ret; - } - -void FIPS_dsa_free(DSA *r) - { - if (!r) - return; - if (r->meth->finish) - r->meth->finish(r); - if (r->p != NULL) BN_clear_free(r->p); - if (r->q != NULL) BN_clear_free(r->q); - if (r->g != NULL) BN_clear_free(r->g); - if (r->pub_key != NULL) BN_clear_free(r->pub_key); - if (r->priv_key != NULL) BN_clear_free(r->priv_key); - if (r->kinv != NULL) BN_clear_free(r->kinv); - if (r->r != NULL) BN_clear_free(r->r); - OPENSSL_free(r); - } - diff --git a/crypto/openssl/fips/dsa/fips_dsa_ossl.c b/crypto/openssl/fips/dsa/fips_dsa_ossl.c deleted file mode 100644 index 50a6c13..0000000 --- a/crypto/openssl/fips/dsa/fips_dsa_ossl.c +++ /dev/null @@ -1,435 +0,0 @@ -/* crypto/dsa/dsa_ossl.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */ - -#include <stdio.h> -#include <openssl/bn.h> -#include <openssl/dsa.h> -#include <openssl/rand.h> -#include <openssl/asn1.h> -#include <openssl/err.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif -#include <openssl/fips.h> - -#ifdef OPENSSL_FIPS - -static DSA_SIG *dsa_do_sign(const unsigned char *dgst, FIPS_DSA_SIZE_T dlen, DSA *dsa); -static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); -static int dsa_do_verify(const unsigned char *dgst, FIPS_DSA_SIZE_T dgst_len, DSA_SIG *sig, - DSA *dsa); -static int dsa_init(DSA *dsa); -static int dsa_finish(DSA *dsa); -static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, - BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont); -static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *m_ctx); - -static const DSA_METHOD openssl_dsa_meth = { -"OpenSSL FIPS DSA method", -dsa_do_sign, -dsa_sign_setup, -dsa_do_verify, -dsa_mod_exp, -dsa_bn_mod_exp, -dsa_init, -dsa_finish, -DSA_FLAG_FIPS_METHOD, -NULL -}; -#if 0 -int FIPS_dsa_check(struct dsa_st *dsa) - { - if(dsa->meth != &openssl_dsa_meth || dsa->meth->dsa_do_sign != dsa_do_sign - || dsa->meth->dsa_sign_setup != dsa_sign_setup - || dsa->meth->dsa_mod_exp != dsa_mod_exp - || dsa->meth->bn_mod_exp != dsa_bn_mod_exp - || dsa->meth->init != dsa_init - || dsa->meth->finish != dsa_finish) - { - FIPSerr(FIPS_F_FIPS_DSA_CHECK,FIPS_R_NON_FIPS_METHOD); - return 0; - } - return 1; - } -#endif - -const DSA_METHOD *DSA_OpenSSL(void) -{ - return &openssl_dsa_meth; -} - -static DSA_SIG *dsa_do_sign(const unsigned char *dgst, FIPS_DSA_SIZE_T dlen, DSA *dsa) - { - BIGNUM *kinv=NULL,*r=NULL,*s=NULL; - BIGNUM m; - BIGNUM xr; - BN_CTX *ctx=NULL; - int i,reason=ERR_R_BN_LIB; - DSA_SIG *ret=NULL; - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_DSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED); - return NULL; - } - - if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) - { - DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); - return NULL; - } - - BN_init(&m); - BN_init(&xr); - - if (!dsa->p || !dsa->q || !dsa->g) - { - reason=DSA_R_MISSING_PARAMETERS; - goto err; - } - - s=BN_new(); - if (s == NULL) goto err; - - i=BN_num_bytes(dsa->q); /* should be 20 */ - if ((dlen > i) || (dlen > 50)) - { - reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE; - goto err; - } - - ctx=BN_CTX_new(); - if (ctx == NULL) goto err; - - if (!dsa->meth->dsa_sign_setup(dsa,ctx,&kinv,&r)) goto err; - - if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err; - - /* Compute s = inv(k) (m + xr) mod q */ - if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */ - if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */ - if (BN_cmp(s,dsa->q) > 0) - BN_sub(s,s,dsa->q); - if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err; - - ret= DSA_SIG_new(); - if (ret == NULL) goto err; - ret->r = r; - ret->s = s; - -err: - if (!ret) - { - DSAerr(DSA_F_DSA_DO_SIGN,reason); - BN_free(r); - BN_free(s); - } - if (ctx != NULL) BN_CTX_free(ctx); - BN_clear_free(&m); - BN_clear_free(&xr); - if (kinv != NULL) /* dsa->kinv is NULL now if we used it */ - BN_clear_free(kinv); - return(ret); - } - -static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) - { - BN_CTX *ctx; - BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; - int ret=0; - - if (!dsa->p || !dsa->q || !dsa->g) - { - DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS); - return 0; - } - - BN_init(&k); - BN_init(&kq); - - if (ctx_in == NULL) - { - if ((ctx=BN_CTX_new()) == NULL) goto err; - } - else - ctx=ctx_in; - - if ((r=BN_new()) == NULL) goto err; - - /* Get random k */ - do - if (!BN_rand_range(&k, dsa->q)) goto err; - while (BN_is_zero(&k)); - if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) - { - BN_set_flags(&k, BN_FLG_CONSTTIME); - } - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) - { - if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p, - CRYPTO_LOCK_DSA, - dsa->p, ctx)) - goto err; - } - - /* Compute r = (g^k mod p) mod q */ - - if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) - { - if (!BN_copy(&kq, &k)) goto err; - - /* We do not want timing information to leak the length of k, - * so we compute g^k using an equivalent exponent of fixed length. - * - * (This is a kludge that we need because the BN_mod_exp_mont() - * does not let us specify the desired timing behaviour.) */ - - if (!BN_add(&kq, &kq, dsa->q)) goto err; - if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) - { - if (!BN_add(&kq, &kq, dsa->q)) goto err; - } - - K = &kq; - } - else - { - K = &k; - } - if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx, - (BN_MONT_CTX *)dsa->method_mont_p)) goto err; - if (!BN_mod(r,r,dsa->q,ctx)) goto err; - - /* Compute part of 's = inv(k) (m + xr) mod q' */ - if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err; - - if (*kinvp != NULL) BN_clear_free(*kinvp); - *kinvp=kinv; - kinv=NULL; - if (*rp != NULL) BN_clear_free(*rp); - *rp=r; - ret=1; -err: - if (!ret) - { - DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB); - if (kinv != NULL) BN_clear_free(kinv); - if (r != NULL) BN_clear_free(r); - } - if (ctx_in == NULL) BN_CTX_free(ctx); - if (kinv != NULL) BN_clear_free(kinv); - BN_clear_free(&k); - BN_clear_free(&kq); - return(ret); - } - -static int dsa_do_verify(const unsigned char *dgst, FIPS_DSA_SIZE_T dgst_len, DSA_SIG *sig, - DSA *dsa) - { - BN_CTX *ctx; - BIGNUM u1,u2,t1; - BN_MONT_CTX *mont=NULL; - int ret = -1; - - if (!dsa->p || !dsa->q || !dsa->g) - { - DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS); - return -1; - } - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_DSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED); - return -1; - } - - if (BN_num_bits(dsa->q) != 160) - { - DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE); - return -1; - } - - if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) - { - DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE); - return -1; - } - - if (FIPS_mode() && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) - { - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL); - return -1; - } - - BN_init(&u1); - BN_init(&u2); - BN_init(&t1); - - if ((ctx=BN_CTX_new()) == NULL) goto err; - - if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0) - { - ret = 0; - goto err; - } - if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0) - { - ret = 0; - goto err; - } - - /* Calculate W = inv(S) mod Q - * save W in u2 */ - if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err; - - /* save M in u1 */ - if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err; - - /* u1 = M * w mod q */ - if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err; - - /* u2 = r * w mod q */ - if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err; - - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) - { - mont = BN_MONT_CTX_set_locked( - (BN_MONT_CTX **)&dsa->method_mont_p, - CRYPTO_LOCK_DSA, dsa->p, ctx); - if (!mont) - goto err; - } - -#if 0 - { - BIGNUM t2; - - BN_init(&t2); - /* v = ( g^u1 * y^u2 mod p ) mod q */ - /* let t1 = g ^ u1 mod p */ - if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err; - /* let t2 = y ^ u2 mod p */ - if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err; - /* let u1 = t1 * t2 mod p */ - if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn; - BN_free(&t2); - } - /* let u1 = u1 mod q */ - if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err; -#else - { - if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2, - dsa->p,ctx,mont)) goto err; - /* BN_copy(&u1,&t1); */ - /* let u1 = u1 mod q */ - if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err; - } -#endif - /* V is now in u1. If the signature is correct, it will be - * equal to R. */ - ret=(BN_ucmp(&u1, sig->r) == 0); - - err: - if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB); - if (ctx != NULL) BN_CTX_free(ctx); - BN_free(&u1); - BN_free(&u2); - BN_free(&t1); - return(ret); - } - -static int dsa_init(DSA *dsa) -{ - FIPS_selftest_check(); - dsa->flags|=DSA_FLAG_CACHE_MONT_P; - return(1); -} - -static int dsa_finish(DSA *dsa) -{ - if(dsa->method_mont_p) - BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p); - return(1); -} - -static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, - BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont) -{ - return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont); -} - -static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *m_ctx) -{ - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); -} - -#else /* ndef OPENSSL_FIPS */ - -static void *dummy=&dummy; - -#endif /* ndef OPENSSL_FIPS */ diff --git a/crypto/openssl/fips/dsa/fips_dsa_selftest.c b/crypto/openssl/fips/dsa/fips_dsa_selftest.c deleted file mode 100644 index 6880760..0000000 --- a/crypto/openssl/fips/dsa/fips_dsa_selftest.c +++ /dev/null @@ -1,180 +0,0 @@ -/* crypto/dsa/dsatest.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <string.h> -#include <openssl/crypto.h> -#include <openssl/dsa.h> -#include <openssl/fips.h> -#include <openssl/err.h> -#include <openssl/evp.h> -#include <openssl/bn.h> - -#ifdef OPENSSL_FIPS - -/* seed, out_p, out_q, out_g are taken the NIST test vectors */ - -static unsigned char seed[20] = { - 0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34, - 0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a - }; - -static unsigned char out_p[] = { - 0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57, - 0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b, - 0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43, - 0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69, - 0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12, - 0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47, - 0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4, - 0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8, - 0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef, - 0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8, - 0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef - }; - -static unsigned char out_q[] = { - 0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c, - 0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3 - }; - -static unsigned char out_g[] = { - 0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb, - 0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e, - 0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63, - 0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35, - 0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf, - 0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a, - 0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed, - 0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf, - 0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2, - 0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36, - 0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec - }; - -static const unsigned char str1[]="12345678901234567890"; - -void FIPS_corrupt_dsa() - { - ++seed[0]; - } - -int FIPS_selftest_dsa() - { - DSA *dsa=NULL; - int counter,i,j, ret = 0; - unsigned int slen; - unsigned char buf[256]; - unsigned long h; - EVP_MD_CTX mctx; - EVP_PKEY pk; - - EVP_MD_CTX_init(&mctx); - - dsa = FIPS_dsa_new(); - - if(dsa == NULL) - goto err; - if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL)) - goto err; - if (counter != 378) - goto err; - if (h != 2) - goto err; - i=BN_bn2bin(dsa->q,buf); - j=sizeof(out_q); - if (i != j || memcmp(buf,out_q,i) != 0) - goto err; - - i=BN_bn2bin(dsa->p,buf); - j=sizeof(out_p); - if (i != j || memcmp(buf,out_p,i) != 0) - goto err; - - i=BN_bn2bin(dsa->g,buf); - j=sizeof(out_g); - if (i != j || memcmp(buf,out_g,i) != 0) - goto err; - DSA_generate_key(dsa); - pk.type = EVP_PKEY_DSA; - pk.pkey.dsa = dsa; - - if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL)) - goto err; - if (!EVP_SignUpdate(&mctx, str1, 20)) - goto err; - if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) - goto err; - - if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL)) - goto err; - if (!EVP_VerifyUpdate(&mctx, str1, 20)) - goto err; - if (EVP_VerifyFinal(&mctx, buf, slen, &pk) != 1) - goto err; - - ret = 1; - - err: - EVP_MD_CTX_cleanup(&mctx); - if (dsa) - FIPS_dsa_free(dsa); - if (ret == 0) - FIPSerr(FIPS_F_FIPS_SELFTEST_DSA,FIPS_R_SELFTEST_FAILED); - return ret; - } -#endif diff --git a/crypto/openssl/fips/dsa/fips_dsa_sign.c b/crypto/openssl/fips/dsa/fips_dsa_sign.c deleted file mode 100644 index 7a4d51d..0000000 --- a/crypto/openssl/fips/dsa/fips_dsa_sign.c +++ /dev/null @@ -1,258 +0,0 @@ -/* fips_dsa_sign.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2007. - */ -/* ==================================================================== - * Copyright (c) 2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <string.h> -#include <openssl/evp.h> -#include <openssl/dsa.h> -#include <openssl/err.h> -#include <openssl/sha.h> -#include <openssl/bn.h> - -#ifdef OPENSSL_FIPS - -/* FIPS versions of DSA_sign() and DSA_verify(). - * These include a tiny ASN1 encoder/decoder to handle the specific - * case of a DSA signature. - */ - -#if 0 -int FIPS_dsa_size(DSA *r) - { - int ilen; - ilen = BN_num_bytes(r->q); - if (ilen > 20) - return -1; - /* If MSB set need padding byte */ - ilen ++; - /* Also need 2 bytes INTEGER header for r and s plus - * 2 bytes SEQUENCE header making 6 in total. - */ - return ilen * 2 + 6; - } -#endif - -/* Tiny ASN1 encoder for DSA_SIG structure. We can assume r, s smaller than - * 0x80 octets as by the DSA standards they will be less than 2^160 - */ - -int FIPS_dsa_sig_encode(unsigned char *out, DSA_SIG *sig) - { - int rlen, slen, rpad, spad, seqlen; - rlen = BN_num_bytes(sig->r); - if (rlen > 20) - return -1; - if (BN_num_bits(sig->r) & 0x7) - rpad = 0; - else - rpad = 1; - slen = BN_num_bytes(sig->s); - if (slen > 20) - return -1; - if (BN_num_bits(sig->s) & 0x7) - spad = 0; - else - spad = 1; - /* Length of SEQUENCE, (1 tag + 1 len octet) * 2 + content octets */ - seqlen = rlen + rpad + slen + spad + 4; - /* Actual encoded length: include SEQUENCE header */ - if (!out) - return seqlen + 2; - - /* Output SEQUENCE header */ - *out++ = V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED; - *out++ = (unsigned char)seqlen; - - /* Output r */ - *out++ = V_ASN1_INTEGER; - *out++ = (unsigned char)(rlen + rpad); - if (rpad) - *out++ = 0; - BN_bn2bin(sig->r, out); - out += rlen; - - /* Output s */ - *out++ = V_ASN1_INTEGER; - *out++ = (unsigned char)(slen + spad); - if (spad) - *out++ = 0; - BN_bn2bin(sig->s, out); - return seqlen + 2; - } - -/* Companion DSA_SIG decoder */ - -int FIPS_dsa_sig_decode(DSA_SIG *sig, const unsigned char *in, int inlen) - { - int seqlen, rlen, slen; - const unsigned char *rbin; - /* Sanity check */ - - /* Need SEQUENCE tag */ - if (*in++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) - return 0; - /* Get length octet */ - seqlen = *in++; - /* Check sensible length value */ - if (seqlen < 4 || seqlen > 0x7F) - return 0; - /* Check INTEGER tag */ - if (*in++ != V_ASN1_INTEGER) - return 0; - rlen = *in++; - seqlen -= 2 + rlen; - /* Check sensible seqlen value */ - if (seqlen < 2) - return 0; - rbin = in; - in += rlen; - /* Check INTEGER tag */ - if (*in++ != V_ASN1_INTEGER) - return 0; - slen = *in++; - /* Remaining bytes of SEQUENCE should exactly match - * encoding of s - */ - if (seqlen != (slen + 2)) - return 0; - if (!sig->r && !(sig->r = BN_new())) - return 0; - if (!sig->s && !(sig->s = BN_new())) - return 0; - if (!BN_bin2bn(rbin, rlen, sig->r)) - return 0; - if (!BN_bin2bn(in, slen, sig->s)) - return 0; - return 1; - } - -static int fips_dsa_sign(int type, const unsigned char *x, int y, - unsigned char *sig, unsigned int *siglen, EVP_MD_SVCTX *sv) - { - DSA *dsa = sv->key; - unsigned char dig[EVP_MAX_MD_SIZE]; - unsigned int dlen; - DSA_SIG *s; - EVP_DigestFinal_ex(sv->mctx, dig, &dlen); - s=dsa->meth->dsa_do_sign(dig,dlen,dsa); - OPENSSL_cleanse(dig, dlen); - if (s == NULL) - { - *siglen=0; - return 0; - } - *siglen= FIPS_dsa_sig_encode(sig, s); - DSA_SIG_free(s); - if (*siglen < 0) - return 0; - return 1; - } - -static int fips_dsa_verify(int type, const unsigned char *x, int y, - const unsigned char *sigbuf, unsigned int siglen, EVP_MD_SVCTX *sv) - { - DSA *dsa = sv->key; - DSA_SIG *s; - int ret=-1; - unsigned char dig[EVP_MAX_MD_SIZE]; - unsigned int dlen; - - s = DSA_SIG_new(); - if (s == NULL) - return ret; - if (!FIPS_dsa_sig_decode(s,sigbuf,siglen)) - goto err; - EVP_DigestFinal_ex(sv->mctx, dig, &dlen); - ret=dsa->meth->dsa_do_verify(dig,dlen,s,dsa); - OPENSSL_cleanse(dig, dlen); -err: - DSA_SIG_free(s); - return ret; - } - -static int init(EVP_MD_CTX *ctx) - { return SHA1_Init(ctx->md_data); } - -static int update(EVP_MD_CTX *ctx,const void *data,size_t count) - { return SHA1_Update(ctx->md_data,data,count); } - -static int final(EVP_MD_CTX *ctx,unsigned char *md) - { return SHA1_Final(md,ctx->md_data); } - -static const EVP_MD dss1_md= - { - NID_dsa, - NID_dsaWithSHA1, - SHA_DIGEST_LENGTH, - EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, - init, - update, - final, - NULL, - NULL, - (evp_sign_method *)fips_dsa_sign, - (evp_verify_method *)fips_dsa_verify, - {EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3, EVP_PKEY_DSA4,0}, - SHA_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA_CTX), - }; - -const EVP_MD *EVP_dss1(void) - { - return(&dss1_md); - } -#endif diff --git a/crypto/openssl/fips/dsa/fips_dsatest.c b/crypto/openssl/fips/dsa/fips_dsatest.c deleted file mode 100644 index 1aec089..0000000 --- a/crypto/openssl/fips/dsa/fips_dsatest.c +++ /dev/null @@ -1,271 +0,0 @@ -/* crypto/dsa/dsatest.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <sys/types.h> -#include <sys/stat.h> - -#include "e_os.h" - -#include <openssl/crypto.h> -#include <openssl/rand.h> -#include <openssl/bio.h> -#include <openssl/err.h> -#include <openssl/bn.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - - -#if defined(OPENSSL_NO_DSA) || !defined(OPENSSL_FIPS) -int main(int argc, char *argv[]) -{ - printf("No FIPS DSA support\n"); - return(0); -} -#else -#include <openssl/dsa.h> -#include <openssl/fips.h> -#include <openssl/fips_rand.h> -#include <openssl/dsa.h> - -#ifdef OPENSSL_SYS_WIN16 -#define MS_CALLBACK _far _loadds -#else -#define MS_CALLBACK -#endif - -#include "fips_utl.h" - -static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb); - -/* seed, out_p, out_q, out_g are taken from the earlier validation test - * vectors. - */ - -static unsigned char seed[20] = { - 0x1c, 0xfb, 0xa9, 0x6c, 0xf7, 0x95, 0xb3, 0x2e, 0x01, 0x01, 0x3c, 0x8d, - 0x7f, 0x6e, 0xf4, 0x59, 0xcc, 0x2f, 0x19, 0x59 - }; - -static unsigned char out_p[] = { - 0xc2, 0x3c, 0x48, 0x31, 0x7e, 0x3b, 0x4e, 0x5d, 0x3c, 0x93, 0x78, 0x60, - 0x5c, 0xf2, 0x60, 0xbb, 0x5a, 0xfa, 0x7f, 0x17, 0xf9, 0x26, 0x69, 0x46, - 0xe7, 0x07, 0xbb, 0x3b, 0x2e, 0xc4, 0xb5, 0x66, 0xf7, 0x4d, 0xae, 0x9b, - 0x8f, 0xf0, 0x42, 0xea, 0xb3, 0xa0, 0x7e, 0x81, 0x85, 0x89, 0xe6, 0xb0, - 0x29, 0x03, 0x6b, 0xcc, 0xfb, 0x8e, 0x46, 0x15, 0x4d, 0xc1, 0x69, 0xd8, - 0x2f, 0xef, 0x5c, 0x8b, 0x29, 0x32, 0x41, 0xbd, 0x13, 0x72, 0x3d, 0xac, - 0x81, 0xcc, 0x86, 0x6c, 0x06, 0x5d, 0x51, 0xa1, 0xa5, 0x07, 0x0c, 0x3e, - 0xbe, 0xdd, 0xf4, 0x6e, 0xa8, 0xed, 0xb4, 0x2f, 0xbd, 0x3e, 0x64, 0xea, - 0xee, 0x92, 0xec, 0x51, 0xe1, 0x0d, 0xab, 0x25, 0x45, 0xae, 0x55, 0x21, - 0x4d, 0xd6, 0x96, 0x6f, 0xe6, 0xaa, 0xd3, 0xca, 0x87, 0x92, 0xb1, 0x1c, - 0x3c, 0xaf, 0x29, 0x09, 0x8b, 0xc6, 0xed, 0xe1 - }; - -static unsigned char out_q[] = { - 0xae, 0x0a, 0x8c, 0xfb, 0x80, 0xe1, 0xc6, 0xd1, 0x09, 0x0f, 0x26, 0xde, - 0x91, 0x53, 0xc2, 0x8b, 0x2b, 0x0f, 0xde, 0x7f - }; - -static unsigned char out_g[] = { - 0x0d, 0x7d, 0x92, 0x74, 0x10, 0xf6, 0xa4, 0x43, 0x86, 0x9a, 0xd1, 0xd9, - 0x56, 0x00, 0xbc, 0x18, 0x97, 0x99, 0x4e, 0x9a, 0x93, 0xfb, 0x00, 0x3d, - 0x6c, 0xa0, 0x1b, 0x95, 0x6b, 0xbd, 0xf7, 0x7a, 0xbc, 0x36, 0x3f, 0x3d, - 0xb9, 0xbf, 0xf9, 0x91, 0x37, 0x68, 0xd1, 0xb9, 0x1e, 0xfe, 0x7f, 0x10, - 0xc0, 0x6a, 0xcd, 0x5f, 0xc1, 0x65, 0x1a, 0xb8, 0xe7, 0xab, 0xb5, 0xc6, - 0x8d, 0xb7, 0x86, 0xad, 0x3a, 0xbf, 0x6b, 0x7b, 0x0a, 0x66, 0xbe, 0xd5, - 0x58, 0x23, 0x16, 0x48, 0x83, 0x29, 0xb6, 0xa7, 0x64, 0xc7, 0x08, 0xbe, - 0x55, 0x4c, 0x6f, 0xcb, 0x34, 0xc1, 0x73, 0xb0, 0x39, 0x68, 0x52, 0xdf, - 0x27, 0x7f, 0x32, 0xbc, 0x2b, 0x0d, 0x63, 0xed, 0x75, 0x3e, 0xb5, 0x54, - 0xac, 0xc8, 0x20, 0x2a, 0x73, 0xe8, 0x29, 0x51, 0x03, 0x77, 0xe8, 0xc9, - 0x61, 0x32, 0x25, 0xaf, 0x21, 0x5b, 0x6e, 0xda - }; - - -static const unsigned char str1[]="12345678901234567890"; - -static const char rnd_seed[] = "string to make the random number generator think it has entropy"; - -int main(int argc, char **argv) - { - DSA *dsa=NULL; - EVP_PKEY pk; - int counter,ret=0,i,j; - unsigned int slen; - unsigned char buf[256]; - unsigned long h; - BN_GENCB cb; - EVP_MD_CTX mctx; - BN_GENCB_set(&cb, dsa_cb, stderr); - EVP_MD_CTX_init(&mctx); - - if(!FIPS_mode_set(1)) - { - do_print_errors(); - EXIT(1); - } - - fprintf(stderr,"test generation of DSA parameters\n"); - - dsa = FIPS_dsa_new(); - DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,&cb); - - fprintf(stderr,"seed\n"); - for (i=0; i<20; i+=4) - { - fprintf(stderr,"%02X%02X%02X%02X ", - seed[i],seed[i+1],seed[i+2],seed[i+3]); - } - fprintf(stderr,"\ncounter=%d h=%ld\n",counter,h); - - if (dsa == NULL) goto end; - if (counter != 16) - { - fprintf(stderr,"counter should be 105\n"); - goto end; - } - if (h != 2) - { - fprintf(stderr,"h should be 2\n"); - goto end; - } - - i=BN_bn2bin(dsa->q,buf); - j=sizeof(out_q); - if ((i != j) || (memcmp(buf,out_q,i) != 0)) - { - fprintf(stderr,"q value is wrong\n"); - goto end; - } - - i=BN_bn2bin(dsa->p,buf); - j=sizeof(out_p); - if ((i != j) || (memcmp(buf,out_p,i) != 0)) - { - fprintf(stderr,"p value is wrong\n"); - goto end; - } - - i=BN_bn2bin(dsa->g,buf); - j=sizeof(out_g); - if ((i != j) || (memcmp(buf,out_g,i) != 0)) - { - fprintf(stderr,"g value is wrong\n"); - goto end; - } - DSA_generate_key(dsa); - pk.type = EVP_PKEY_DSA; - pk.pkey.dsa = dsa; - - if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL)) - goto end; - if (!EVP_SignUpdate(&mctx, str1, 20)) - goto end; - if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) - goto end; - - if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL)) - goto end; - if (!EVP_VerifyUpdate(&mctx, str1, 20)) - goto end; - if (EVP_VerifyFinal(&mctx, buf, slen, &pk) != 1) - goto end; - - ret = 1; - -end: - if (!ret) - do_print_errors(); - if (dsa != NULL) FIPS_dsa_free(dsa); - EVP_MD_CTX_cleanup(&mctx); -#if 0 - CRYPTO_mem_leaks(bio_err); -#endif - EXIT(!ret); - return(!ret); - } - -static int cb_exit(int ec) - { - EXIT(ec); - return(0); /* To keep some compilers quiet */ - } - -static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb) - { - char c='*'; - static int ok=0,num=0; - - if (p == 0) { c='.'; num++; }; - if (p == 1) c='+'; - if (p == 2) { c='*'; ok++; } - if (p == 3) c='\n'; - fwrite(&c,1, 1, cb->arg); - fflush(cb->arg); - - if (!ok && (p == 0) && (num > 1)) - { - fprintf(cb->arg,"error in dsatest\n"); - cb_exit(1); - } - return 1; - } -#endif diff --git a/crypto/openssl/fips/dsa/fips_dssvs.c b/crypto/openssl/fips/dsa/fips_dssvs.c deleted file mode 100644 index 45f4e1c..0000000 --- a/crypto/openssl/fips/dsa/fips_dssvs.c +++ /dev/null @@ -1,537 +0,0 @@ -#include <openssl/opensslconf.h> - -#ifndef OPENSSL_FIPS -#include <stdio.h> - -int main(int argc, char **argv) -{ - printf("No FIPS DSA support\n"); - return(0); -} -#else - -#include <openssl/bn.h> -#include <openssl/dsa.h> -#include <openssl/fips.h> -#include <openssl/err.h> -#include <openssl/evp.h> -#include <string.h> -#include <ctype.h> - -#include "fips_utl.h" - -static void pbn(const char *name, BIGNUM *bn) - { - int len, i; - unsigned char *tmp; - len = BN_num_bytes(bn); - tmp = OPENSSL_malloc(len); - if (!tmp) - { - fprintf(stderr, "Memory allocation error\n"); - return; - } - BN_bn2bin(bn, tmp); - printf("%s = ", name); - for (i = 0; i < len; i++) - printf("%02X", tmp[i]); - fputs("\n", stdout); - OPENSSL_free(tmp); - return; - } - -static void primes() - { - char buf[10240]; - char lbuf[10240]; - char *keyword, *value; - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - fputs(buf,stdout); - if (!parse_line(&keyword, &value, lbuf, buf)) - continue; - if(!strcmp(keyword,"Prime")) - { - BIGNUM *pp; - - pp=BN_new(); - do_hex2bn(&pp,value); - printf("result= %c\n", - BN_is_prime_ex(pp,20,NULL,NULL) ? 'P' : 'F'); - } - } - } - -static void pqg() - { - char buf[1024]; - char lbuf[1024]; - char *keyword, *value; - int nmod=0; - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - if (!parse_line(&keyword, &value, lbuf, buf)) - { - fputs(buf,stdout); - continue; - } - if(!strcmp(keyword,"[mod")) - nmod=atoi(value); - else if(!strcmp(keyword,"N")) - { - int n=atoi(value); - - printf("[mod = %d]\n\n",nmod); - - while(n--) - { - unsigned char seed[20]; - DSA *dsa; - int counter; - unsigned long h; - dsa = FIPS_dsa_new(); - - if (!DSA_generate_parameters_ex(dsa, nmod,seed,0,&counter,&h,NULL)) - { - do_print_errors(); - exit(1); - } - pbn("P",dsa->p); - pbn("Q",dsa->q); - pbn("G",dsa->g); - pv("Seed",seed,20); - printf("c = %d\n",counter); - printf("H = %lx\n",h); - putc('\n',stdout); - } - } - else - fputs(buf,stdout); - } - } - -static void pqgver() - { - char buf[1024]; - char lbuf[1024]; - char *keyword, *value; - BIGNUM *p = NULL, *q = NULL, *g = NULL; - int counter, counter2; - unsigned long h, h2; - DSA *dsa=NULL; - int nmod=0; - unsigned char seed[1024]; - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - if (!parse_line(&keyword, &value, lbuf, buf)) - { - fputs(buf,stdout); - continue; - } - fputs(buf, stdout); - if(!strcmp(keyword,"[mod")) - nmod=atoi(value); - else if(!strcmp(keyword,"P")) - p=hex2bn(value); - else if(!strcmp(keyword,"Q")) - q=hex2bn(value); - else if(!strcmp(keyword,"G")) - g=hex2bn(value); - else if(!strcmp(keyword,"Seed")) - { - int slen = hex2bin(value, seed); - if (slen != 20) - { - fprintf(stderr, "Seed parse length error\n"); - exit (1); - } - } - else if(!strcmp(keyword,"c")) - counter =atoi(buf+4); - else if(!strcmp(keyword,"H")) - { - h = atoi(value); - if (!p || !q || !g) - { - fprintf(stderr, "Parse Error\n"); - exit (1); - } - dsa = FIPS_dsa_new(); - if (!DSA_generate_parameters_ex(dsa, nmod,seed,20 ,&counter2,&h2,NULL)) - { - do_print_errors(); - exit(1); - } - if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g) - || (counter != counter2) || (h != h2)) - printf("Result = F\n"); - else - printf("Result = P\n"); - BN_free(p); - BN_free(q); - BN_free(g); - p = NULL; - q = NULL; - g = NULL; - FIPS_dsa_free(dsa); - dsa = NULL; - } - } - } - -/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2 - * algorithm tests. It is an additional test to perform sanity checks on the - * output of the KeyPair test. - */ - -static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g, - BN_CTX *ctx) - { - BIGNUM *rem = NULL; - if (BN_num_bits(p) != nmod) - return 0; - if (BN_num_bits(q) != 160) - return 0; - if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL) != 1) - return 0; - if (BN_is_prime_ex(q, BN_prime_checks, ctx, NULL) != 1) - return 0; - rem = BN_new(); - if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem) - || (BN_cmp(g, BN_value_one()) <= 0) - || !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem)) - { - BN_free(rem); - return 0; - } - /* Todo: check g */ - BN_free(rem); - return 1; - } - -static void keyver() - { - char buf[1024]; - char lbuf[1024]; - char *keyword, *value; - BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL; - BIGNUM *Y2; - BN_CTX *ctx = NULL; - int nmod=0, paramcheck = 0; - - ctx = BN_CTX_new(); - Y2 = BN_new(); - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - if (!parse_line(&keyword, &value, lbuf, buf)) - { - fputs(buf,stdout); - continue; - } - if(!strcmp(keyword,"[mod")) - { - if (p) - BN_free(p); - p = NULL; - if (q) - BN_free(q); - q = NULL; - if (g) - BN_free(g); - g = NULL; - paramcheck = 0; - nmod=atoi(value); - } - else if(!strcmp(keyword,"P")) - p=hex2bn(value); - else if(!strcmp(keyword,"Q")) - q=hex2bn(value); - else if(!strcmp(keyword,"G")) - g=hex2bn(value); - else if(!strcmp(keyword,"X")) - X=hex2bn(value); - else if(!strcmp(keyword,"Y")) - { - Y=hex2bn(value); - if (!p || !q || !g || !X || !Y) - { - fprintf(stderr, "Parse Error\n"); - exit (1); - } - pbn("P",p); - pbn("Q",q); - pbn("G",g); - pbn("X",X); - pbn("Y",Y); - if (!paramcheck) - { - if (dss_paramcheck(nmod, p, q, g, ctx)) - paramcheck = 1; - else - paramcheck = -1; - } - if (paramcheck != 1) - printf("Result = F\n"); - else - { - if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y)) - printf("Result = F\n"); - else - printf("Result = P\n"); - } - BN_free(X); - BN_free(Y); - X = NULL; - Y = NULL; - } - } - if (p) - BN_free(p); - if (q) - BN_free(q); - if (g) - BN_free(g); - if (Y2) - BN_free(Y2); - } - -static void keypair() - { - char buf[1024]; - char lbuf[1024]; - char *keyword, *value; - int nmod=0; - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - if (!parse_line(&keyword, &value, lbuf, buf)) - { - fputs(buf,stdout); - continue; - } - if(!strcmp(keyword,"[mod")) - nmod=atoi(value); - else if(!strcmp(keyword,"N")) - { - DSA *dsa; - int n=atoi(value); - - printf("[mod = %d]\n\n",nmod); - dsa = FIPS_dsa_new(); - if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL)) - { - do_print_errors(); - exit(1); - } - pbn("P",dsa->p); - pbn("Q",dsa->q); - pbn("G",dsa->g); - putc('\n',stdout); - - while(n--) - { - if (!DSA_generate_key(dsa)) - { - do_print_errors(); - exit(1); - } - - pbn("X",dsa->priv_key); - pbn("Y",dsa->pub_key); - putc('\n',stdout); - } - } - } - } - -static void siggen() - { - char buf[1024]; - char lbuf[1024]; - char *keyword, *value; - int nmod=0; - DSA *dsa=NULL; - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - if (!parse_line(&keyword, &value, lbuf, buf)) - { - fputs(buf,stdout); - continue; - } - if(!strcmp(keyword,"[mod")) - { - nmod=atoi(value); - printf("[mod = %d]\n\n",nmod); - if (dsa) - FIPS_dsa_free(dsa); - dsa = FIPS_dsa_new(); - if (!DSA_generate_parameters_ex(dsa, nmod,NULL,0,NULL,NULL,NULL)) - { - do_print_errors(); - exit(1); - } - pbn("P",dsa->p); - pbn("Q",dsa->q); - pbn("G",dsa->g); - putc('\n',stdout); - } - else if(!strcmp(keyword,"Msg")) - { - unsigned char msg[1024]; - unsigned char sbuf[60]; - unsigned int slen; - int n; - EVP_PKEY pk; - EVP_MD_CTX mctx; - DSA_SIG *sig; - EVP_MD_CTX_init(&mctx); - - n=hex2bin(value,msg); - pv("Msg",msg,n); - - if (!DSA_generate_key(dsa)) - { - do_print_errors(); - exit(1); - } - pk.type = EVP_PKEY_DSA; - pk.pkey.dsa = dsa; - pbn("Y",dsa->pub_key); - - EVP_SignInit_ex(&mctx, EVP_dss1(), NULL); - EVP_SignUpdate(&mctx, msg, n); - EVP_SignFinal(&mctx, sbuf, &slen, &pk); - - sig = DSA_SIG_new(); - FIPS_dsa_sig_decode(sig, sbuf, slen); - - pbn("R",sig->r); - pbn("S",sig->s); - putc('\n',stdout); - DSA_SIG_free(sig); - EVP_MD_CTX_cleanup(&mctx); - } - } - if (dsa) - FIPS_dsa_free(dsa); - } - -static void sigver() - { - DSA *dsa=NULL; - char buf[1024]; - char lbuf[1024]; - unsigned char msg[1024]; - char *keyword, *value; - int nmod=0, n=0; - DSA_SIG sg, *sig = &sg; - - sig->r = NULL; - sig->s = NULL; - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - if (!parse_line(&keyword, &value, lbuf, buf)) - { - fputs(buf,stdout); - continue; - } - if(!strcmp(keyword,"[mod")) - { - nmod=atoi(value); - if(dsa) - FIPS_dsa_free(dsa); - dsa=FIPS_dsa_new(); - } - else if(!strcmp(keyword,"P")) - dsa->p=hex2bn(value); - else if(!strcmp(keyword,"Q")) - dsa->q=hex2bn(value); - else if(!strcmp(keyword,"G")) - { - dsa->g=hex2bn(value); - - printf("[mod = %d]\n\n",nmod); - pbn("P",dsa->p); - pbn("Q",dsa->q); - pbn("G",dsa->g); - putc('\n',stdout); - } - else if(!strcmp(keyword,"Msg")) - { - n=hex2bin(value,msg); - pv("Msg",msg,n); - } - else if(!strcmp(keyword,"Y")) - dsa->pub_key=hex2bn(value); - else if(!strcmp(keyword,"R")) - sig->r=hex2bn(value); - else if(!strcmp(keyword,"S")) - { - EVP_MD_CTX mctx; - EVP_PKEY pk; - unsigned char sigbuf[60]; - unsigned int slen; - int r; - EVP_MD_CTX_init(&mctx); - pk.type = EVP_PKEY_DSA; - pk.pkey.dsa = dsa; - sig->s=hex2bn(value); - - pbn("Y",dsa->pub_key); - pbn("R",sig->r); - pbn("S",sig->s); - - slen = FIPS_dsa_sig_encode(sigbuf, sig); - EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL); - EVP_VerifyUpdate(&mctx, msg, n); - r = EVP_VerifyFinal(&mctx, sigbuf, slen, &pk); - EVP_MD_CTX_cleanup(&mctx); - - printf("Result = %c\n", r == 1 ? 'P' : 'F'); - putc('\n',stdout); - } - } - } - -int main(int argc,char **argv) - { - if(argc != 2) - { - fprintf(stderr,"%s [prime|pqg|pqgver|keypair|siggen|sigver]\n",argv[0]); - exit(1); - } - if(!FIPS_mode_set(1)) - { - do_print_errors(); - exit(1); - } - if(!strcmp(argv[1],"prime")) - primes(); - else if(!strcmp(argv[1],"pqg")) - pqg(); - else if(!strcmp(argv[1],"pqgver")) - pqgver(); - else if(!strcmp(argv[1],"keypair")) - keypair(); - else if(!strcmp(argv[1],"keyver")) - keyver(); - else if(!strcmp(argv[1],"siggen")) - siggen(); - else if(!strcmp(argv[1],"sigver")) - sigver(); - else - { - fprintf(stderr,"Don't know how to %s.\n",argv[1]); - exit(1); - } - - return 0; - } - -#endif diff --git a/crypto/openssl/fips/fips-nodiff.txt b/crypto/openssl/fips/fips-nodiff.txt deleted file mode 100644 index fb2944b..0000000 --- a/crypto/openssl/fips/fips-nodiff.txt +++ /dev/null @@ -1,7 +0,0 @@ -KeyPair.rsp -PQGGen.rsp -SigGen.rsp -SigGen15.rsp -SigGenPSS.rsp -SigGenRSA.rsp -SigGenPSS.rsp diff --git a/crypto/openssl/fips/fips.c b/crypto/openssl/fips/fips.c deleted file mode 100644 index 7dcc344..0000000 --- a/crypto/openssl/fips/fips.c +++ /dev/null @@ -1,519 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - - -#include <openssl/rand.h> -#include <openssl/fips_rand.h> -#include <openssl/err.h> -#include <openssl/bio.h> -#include <openssl/hmac.h> -#include <openssl/rsa.h> -#include <string.h> -#include <limits.h> -#include "fips_locl.h" - -#ifdef OPENSSL_FIPS - -#include <openssl/fips.h> - -#ifndef PATH_MAX -#define PATH_MAX 1024 -#endif - -static int fips_selftest_fail; -static int fips_mode; -static const void *fips_rand_check; - -static void fips_set_mode(int onoff) - { - int owning_thread = fips_is_owning_thread(); - - if (fips_is_started()) - { - if (!owning_thread) fips_w_lock(); - fips_mode = onoff; - if (!owning_thread) fips_w_unlock(); - } - } - -static void fips_set_rand_check(const void *rand_check) - { - int owning_thread = fips_is_owning_thread(); - - if (fips_is_started()) - { - if (!owning_thread) fips_w_lock(); - fips_rand_check = rand_check; - if (!owning_thread) fips_w_unlock(); - } - } - -int FIPS_mode(void) - { - int ret = 0; - int owning_thread = fips_is_owning_thread(); - - if (fips_is_started()) - { - if (!owning_thread) fips_r_lock(); - ret = fips_mode; - if (!owning_thread) fips_r_unlock(); - } - return ret; - } - -const void *FIPS_rand_check(void) - { - const void *ret = 0; - int owning_thread = fips_is_owning_thread(); - - if (fips_is_started()) - { - if (!owning_thread) fips_r_lock(); - ret = fips_rand_check; - if (!owning_thread) fips_r_unlock(); - } - return ret; - } - -int FIPS_selftest_failed(void) - { - int ret = 0; - if (fips_is_started()) - { - int owning_thread = fips_is_owning_thread(); - - if (!owning_thread) fips_r_lock(); - ret = fips_selftest_fail; - if (!owning_thread) fips_r_unlock(); - } - return ret; - } - -/* Selftest failure fatal exit routine. This will be called - * during *any* cryptographic operation. It has the minimum - * overhead possible to avoid too big a performance hit. - */ - -void FIPS_selftest_check(void) - { - if (fips_selftest_fail) - { - OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); - } - } - -void fips_set_selftest_fail(void) - { - fips_selftest_fail = 1; - } - -int FIPS_selftest() - { - - return FIPS_selftest_sha1() - && FIPS_selftest_hmac() - && FIPS_selftest_aes() - && FIPS_selftest_des() - && FIPS_selftest_rsa() - && FIPS_selftest_dsa(); - } - -extern const void *FIPS_text_start(), *FIPS_text_end(); -extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; -unsigned char FIPS_signature [20] = { 0 }; -static const char FIPS_hmac_key[]="etaonrishdlcupfm"; - -unsigned int FIPS_incore_fingerprint(unsigned char *sig,unsigned int len) - { - const unsigned char *p1 = FIPS_text_start(); - const unsigned char *p2 = FIPS_text_end(); - const unsigned char *p3 = FIPS_rodata_start; - const unsigned char *p4 = FIPS_rodata_end; - HMAC_CTX c; - - HMAC_CTX_init(&c); - HMAC_Init(&c,FIPS_hmac_key,strlen(FIPS_hmac_key),EVP_sha1()); - - /* detect overlapping regions */ - if (p1<=p3 && p2>=p3) - p3=p1, p4=p2>p4?p2:p4, p1=NULL, p2=NULL; - else if (p3<=p1 && p4>=p1) - p3=p3, p4=p2>p4?p2:p4, p1=NULL, p2=NULL; - - if (p1) - HMAC_Update(&c,p1,(size_t)p2-(size_t)p1); - - if (FIPS_signature>=p3 && FIPS_signature<p4) - { - /* "punch" hole */ - HMAC_Update(&c,p3,(size_t)FIPS_signature-(size_t)p3); - p3 = FIPS_signature+sizeof(FIPS_signature); - if (p3<p4) - HMAC_Update(&c,p3,(size_t)p4-(size_t)p3); - } - else - HMAC_Update(&c,p3,(size_t)p4-(size_t)p3); - - HMAC_Final(&c,sig,&len); - HMAC_CTX_cleanup(&c); - - return len; - } - -int FIPS_check_incore_fingerprint(void) - { - unsigned char sig[EVP_MAX_MD_SIZE]; - unsigned int len; -#if defined(__sgi) && (defined(__mips) || defined(mips)) - extern int __dso_displacement[]; -#else - extern int OPENSSL_NONPIC_relocated; -#endif - - if (FIPS_text_start()==NULL) - { - FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_UNSUPPORTED_PLATFORM); - return 0; - } - - len=FIPS_incore_fingerprint (sig,sizeof(sig)); - - if (len!=sizeof(FIPS_signature) || - memcmp(FIPS_signature,sig,sizeof(FIPS_signature))) - { - if (FIPS_signature>=FIPS_rodata_start && FIPS_signature<FIPS_rodata_end) - FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING); -#if defined(__sgi) && (defined(__mips) || defined(mips)) - else if (__dso_displacement!=NULL) -#else - else if (OPENSSL_NONPIC_relocated) -#endif - FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED); - else - FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - return 0; - } - - return 1; - } - -int FIPS_mode_set(int onoff) - { - int fips_set_owning_thread(); - int fips_clear_owning_thread(); - int ret = 0; - - fips_w_lock(); - fips_set_started(); - fips_set_owning_thread(); - - if(onoff) - { - unsigned char buf[48]; - - fips_selftest_fail = 0; - - /* Don't go into FIPS mode twice, just so we can do automagic - seeding */ - if(FIPS_mode()) - { - FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FIPS_MODE_ALREADY_SET); - fips_selftest_fail = 1; - ret = 0; - goto end; - } - -#ifdef OPENSSL_IA32_SSE2 - if ((OPENSSL_ia32cap & (1<<25|1<<26)) != (1<<25|1<<26)) - { - FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM); - fips_selftest_fail = 1; - ret = 0; - goto end; - } -#endif - - if(fips_signature_witness() != FIPS_signature) - { - FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); - fips_selftest_fail = 1; - ret = 0; - goto end; - } - - if(!FIPS_check_incore_fingerprint()) - { - fips_selftest_fail = 1; - ret = 0; - goto end; - } - - /* Perform RNG KAT before seeding */ - if (!FIPS_selftest_rng()) - { - fips_selftest_fail = 1; - ret = 0; - goto end; - } - - /* automagically seed PRNG if not already seeded */ - if(!FIPS_rand_status()) - { - if(RAND_bytes(buf,sizeof buf) <= 0) - { - fips_selftest_fail = 1; - ret = 0; - goto end; - } - FIPS_rand_set_key(buf,32); - FIPS_rand_seed(buf+32,16); - } - - /* now switch into FIPS mode */ - fips_set_rand_check(FIPS_rand_method()); - RAND_set_rand_method(FIPS_rand_method()); - if(FIPS_selftest()) - fips_set_mode(1); - else - { - fips_selftest_fail = 1; - ret = 0; - goto end; - } - ret = 1; - goto end; - } - fips_set_mode(0); - fips_selftest_fail = 0; - ret = 1; -end: - fips_clear_owning_thread(); - fips_w_unlock(); - return ret; - } - -void fips_w_lock(void) { CRYPTO_w_lock(CRYPTO_LOCK_FIPS); } -void fips_w_unlock(void) { CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); } -void fips_r_lock(void) { CRYPTO_r_lock(CRYPTO_LOCK_FIPS); } -void fips_r_unlock(void) { CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); } - -static int fips_started = 0; -static unsigned long fips_thread = 0; - -void fips_set_started(void) - { - fips_started = 1; - } - -int fips_is_started(void) - { - return fips_started; - } - -int fips_is_owning_thread(void) - { - int ret = 0; - - if (fips_is_started()) - { - CRYPTO_r_lock(CRYPTO_LOCK_FIPS2); - if (fips_thread != 0 && fips_thread == CRYPTO_thread_id()) - ret = 1; - CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2); - } - return ret; - } - -int fips_set_owning_thread(void) - { - int ret = 0; - - if (fips_is_started()) - { - CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); - if (fips_thread == 0) - { - fips_thread = CRYPTO_thread_id(); - ret = 1; - } - CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); - } - return ret; - } - -int fips_clear_owning_thread(void) - { - int ret = 0; - - if (fips_is_started()) - { - CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); - if (fips_thread == CRYPTO_thread_id()) - { - fips_thread = 0; - ret = 1; - } - CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); - } - return ret; - } - -unsigned char *fips_signature_witness(void) - { - extern unsigned char FIPS_signature[]; - return FIPS_signature; - } - -/* Generalized public key test routine. Signs and verifies the data - * supplied in tbs using mesage digest md and setting option digest - * flags md_flags. If the 'kat' parameter is not NULL it will - * additionally check the signature matches it: a known answer test - * The string "fail_str" is used for identification purposes in case - * of failure. - */ - -int fips_pkey_signature_test(EVP_PKEY *pkey, - const unsigned char *tbs, int tbslen, - const unsigned char *kat, unsigned int katlen, - const EVP_MD *digest, unsigned int md_flags, - const char *fail_str) - { - int ret = 0; - unsigned char sigtmp[256], *sig = sigtmp; - unsigned int siglen; - EVP_MD_CTX mctx; - EVP_MD_CTX_init(&mctx); - - if ((pkey->type == EVP_PKEY_RSA) - && (RSA_size(pkey->pkey.rsa) > sizeof(sigtmp))) - { - sig = OPENSSL_malloc(RSA_size(pkey->pkey.rsa)); - if (!sig) - { - FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,ERR_R_MALLOC_FAILURE); - return 0; - } - } - - if (tbslen == -1) - tbslen = strlen((char *)tbs); - - if (md_flags) - M_EVP_MD_CTX_set_flags(&mctx, md_flags); - - if (!EVP_SignInit_ex(&mctx, digest, NULL)) - goto error; - if (!EVP_SignUpdate(&mctx, tbs, tbslen)) - goto error; - if (!EVP_SignFinal(&mctx, sig, &siglen, pkey)) - goto error; - - if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen))) - goto error; - - if (!EVP_VerifyInit_ex(&mctx, digest, NULL)) - goto error; - if (!EVP_VerifyUpdate(&mctx, tbs, tbslen)) - goto error; - ret = EVP_VerifyFinal(&mctx, sig, siglen, pkey); - - error: - if (sig != sigtmp) - OPENSSL_free(sig); - EVP_MD_CTX_cleanup(&mctx); - if (ret != 1) - { - FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST,FIPS_R_TEST_FAILURE); - if (fail_str) - ERR_add_error_data(2, "Type=", fail_str); - return 0; - } - return 1; - } - -/* Generalized symmetric cipher test routine. Encrypt data, verify result - * against known answer, decrypt and compare with original plaintext. - */ - -int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - const unsigned char *key, - const unsigned char *iv, - const unsigned char *plaintext, - const unsigned char *ciphertext, - int len) - { - unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE]; - unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE]; - OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE); - if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0) - return 0; - EVP_Cipher(ctx, citmp, plaintext, len); - if (memcmp(citmp, ciphertext, len)) - return 0; - if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0) - return 0; - EVP_Cipher(ctx, pltmp, citmp, len); - if (memcmp(pltmp, plaintext, len)) - return 0; - return 1; - } - -#if 0 -/* The purpose of this is to ensure the error code exists and the function - * name is to keep the error checking script quiet - */ -void hash_final(void) - { - FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); - } -#endif - - -#endif diff --git a/crypto/openssl/fips/fips.h b/crypto/openssl/fips/fips.h deleted file mode 100644 index 42bdcf2..0000000 --- a/crypto/openssl/fips/fips.h +++ /dev/null @@ -1,163 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <openssl/opensslconf.h> - -#ifndef OPENSSL_FIPS -#error FIPS is disabled. -#endif - -#ifdef OPENSSL_FIPS - -#ifdef __cplusplus -extern "C" { -#endif - -struct dsa_st; -struct evp_pkey_st; -struct env_md_st; -struct evp_cipher_st; -struct evp_cipher_ctx_st; - -int FIPS_mode_set(int onoff); -int FIPS_mode(void); -const void *FIPS_rand_check(void); -int FIPS_selftest_failed(void); -void FIPS_selftest_check(void); -void FIPS_corrupt_sha1(void); -int FIPS_selftest_sha1(void); -void FIPS_corrupt_aes(void); -int FIPS_selftest_aes(void); -void FIPS_corrupt_des(void); -int FIPS_selftest_des(void); -void FIPS_corrupt_rsa(void); -void FIPS_corrupt_rsa_keygen(void); -int FIPS_selftest_rsa(void); -void FIPS_corrupt_dsa(void); -void FIPS_corrupt_dsa_keygen(void); -int FIPS_selftest_dsa(void); -void FIPS_corrupt_rng(void); -void FIPS_rng_stick(void); -int FIPS_selftest_rng(void); -int FIPS_selftest_hmac(void); - -int fips_pkey_signature_test(struct evp_pkey_st *pkey, - const unsigned char *tbs, int tbslen, - const unsigned char *kat, unsigned int katlen, - const struct env_md_st *digest, unsigned int md_flags, - const char *fail_str); - -int fips_cipher_test(struct evp_cipher_ctx_st *ctx, - const struct evp_cipher_st *cipher, - const unsigned char *key, - const unsigned char *iv, - const unsigned char *plaintext, - const unsigned char *ciphertext, - int len); - -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ -void ERR_load_FIPS_strings(void); - -/* Error codes for the FIPS functions. */ - -/* Function codes. */ -#define FIPS_F_DH_BUILTIN_GENPARAMS 100 -#define FIPS_F_DSA_BUILTIN_PARAMGEN 101 -#define FIPS_F_DSA_DO_SIGN 102 -#define FIPS_F_DSA_DO_VERIFY 103 -#define FIPS_F_EVP_CIPHERINIT_EX 124 -#define FIPS_F_EVP_DIGESTINIT_EX 125 -#define FIPS_F_FIPS_CHECK_DSA 104 -#define FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT 105 -#define FIPS_F_FIPS_CHECK_RSA 106 -#define FIPS_F_FIPS_DSA_CHECK 107 -#define FIPS_F_FIPS_MODE_SET 108 -#define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 -#define FIPS_F_FIPS_SELFTEST_AES 110 -#define FIPS_F_FIPS_SELFTEST_DES 111 -#define FIPS_F_FIPS_SELFTEST_DSA 112 -#define FIPS_F_FIPS_SELFTEST_HMAC 113 -#define FIPS_F_FIPS_SELFTEST_RNG 114 -#define FIPS_F_FIPS_SELFTEST_SHA1 115 -#define FIPS_F_HASH_FINAL 123 -#define FIPS_F_RSA_BUILTIN_KEYGEN 116 -#define FIPS_F_RSA_EAY_PRIVATE_DECRYPT 117 -#define FIPS_F_RSA_EAY_PRIVATE_ENCRYPT 118 -#define FIPS_F_RSA_EAY_PUBLIC_DECRYPT 119 -#define FIPS_F_RSA_EAY_PUBLIC_ENCRYPT 120 -#define FIPS_F_RSA_X931_GENERATE_KEY_EX 121 -#define FIPS_F_SSLEAY_RAND_BYTES 122 - -/* Reason codes. */ -#define FIPS_R_CANNOT_READ_EXE 103 -#define FIPS_R_CANNOT_READ_EXE_DIGEST 104 -#define FIPS_R_CONTRADICTING_EVIDENCE 114 -#define FIPS_R_EXE_DIGEST_DOES_NOT_MATCH 105 -#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 -#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED 111 -#define FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING 112 -#define FIPS_R_FIPS_MODE_ALREADY_SET 102 -#define FIPS_R_FIPS_SELFTEST_FAILED 106 -#define FIPS_R_INVALID_KEY_LENGTH 109 -#define FIPS_R_KEY_TOO_SHORT 108 -#define FIPS_R_NON_FIPS_METHOD 100 -#define FIPS_R_PAIRWISE_TEST_FAILED 107 -#define FIPS_R_RSA_DECRYPT_ERROR 115 -#define FIPS_R_RSA_ENCRYPT_ERROR 116 -#define FIPS_R_SELFTEST_FAILED 101 -#define FIPS_R_TEST_FAILURE 117 -#define FIPS_R_UNSUPPORTED_PLATFORM 113 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/crypto/openssl/fips/fips_canister.c b/crypto/openssl/fips/fips_canister.c deleted file mode 100644 index 17446618..0000000 --- a/crypto/openssl/fips/fips_canister.c +++ /dev/null @@ -1,187 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution - * and usage in source and binary forms are granted according to the - * OpenSSL license. - */ - -#include <stdio.h> -#if defined(__DECC) -# include <c_asm.h> -# pragma __nostandard -#endif - -#include "e_os.h" - -#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) -# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ - (defined(__sgi) && (defined(__mips) || defined(mips))) || \ - (defined(__osf__) && defined(__alpha)) || \ - (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ - (defined(__i386) || defined(__i386__)) || \ - (defined(__x86_64) || defined(__x86_64__)) || \ - defined(__ANDROID__) || \ - (defined(vax) || defined(__vax__)) -# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION -# endif -#endif - -#if defined(__xlC__) && __xlC__>=0x600 && (defined(_POWER) || defined(_ARCH_PPC)) -static void *instruction_pointer_xlc(void); -# pragma mc_func instruction_pointer_xlc {\ - "7c0802a6" /* mflr r0 */ \ - "48000005" /* bl $+4 */ \ - "7c6802a6" /* mflr r3 */ \ - "7c0803a6" /* mtlr r0 */ } -# pragma reg_killed_by instruction_pointer_xlc gr0 gr3 -# define INSTRUCTION_POINTER_IMPLEMENTED(ret) (ret=instruction_pointer_xlc()); -#endif - -#ifdef FIPS_START -#define FIPS_ref_point FIPS_text_start -/* Some compilers put string literals into a separate segment. As we - * are mostly interested to hash AES tables in .rodata, we declare - * reference points accordingly. In case you wonder, the values are - * big-endian encoded variable names, just to prevent these arrays - * from being merged by linker. */ -const unsigned int FIPS_rodata_start[]= - { 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 }; -#else -#define FIPS_ref_point FIPS_text_end -const unsigned int FIPS_rodata_end[]= - { 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b }; -#endif - -/* - * I declare reference function as static in order to avoid certain - * pitfalls in -dynamic linker behaviour... - */ -static void *instruction_pointer(void) -{ void *ret=NULL; -/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means - * that they are designed to work under any OS running on particular - * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in - * this function. */ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - INSTRUCTION_POINTER_IMPLEMENTED(ret); -#elif defined(__GNUC__) && __GNUC__>=2 -# if defined(__alpha) || defined(__alpha__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); -# elif defined(__i386) || defined(__i386__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# elif defined(__ia64) || defined(__ia64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "mov %0=ip" : "=r"(ret) ); -# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ -# elif defined(__mips) || defined(__mips__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "move %1,$31\n\t" /* save ra */ - "bal .+8; nop\n\t" - "move %0,$31\n\t" - "move $31,%1" /* restore ra */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ - defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ - defined(__PPC64__) || defined(__powerpc64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ - "bl $+4\n\t" - "mfspr %0,8\n\t" /* mflr ret */ - "mtspr 8,%1" /* restore lr */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__s390__) || defined(__s390x__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "bras %0,1f\n1:" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); -# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mov %%o7,%1\n\t" - "call .+8; nop\n\t" - "mov %%o7,%0\n\t" - "mov %1,%%o7" - : "=r"(ret),"=r"(scratch) ); -# elif defined(__x86_64) || defined(__x86_64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# endif -#elif defined(__DECC) && defined(__alpha) -# define INSTRUCTION_POINTER_IMPLEMENTED - ret = (void *)(size_t)asm("br %v0,1f\n1:"); -#elif defined(_MSC_VER) && defined(_M_IX86) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - _asm { - call self - self: pop eax - mov scratch,eax - } - ret = (void *)((size_t)scratch&~3UL); -#endif - return ret; -} - -/* - * This function returns pointer to an instruction in the vicinity of - * its entry point, but not outside this object module. This guarantees - * that sequestered code is covered... - */ -void *FIPS_ref_point() -{ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - return instruction_pointer(); -/* Below we essentially cover vendor compilers which do not support - * inline assembler... */ -#elif defined(_AIX) - struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_HPUX_SOURCE) -# if defined(__hppa) || defined(__hppa__) - struct { void *i[4]; } *p = (void *)FIPS_ref_point; - - if (sizeof(p) == 8) /* 64-bit */ - return p->i[2]; - else if ((size_t)p & 2) - { p = (void *)((size_t)p&~3UL); - return p->i[0]; - } - else - return (void *)p; -# elif defined(__ia64) || defined(__ia64__) - struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -# endif -#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) - /* applies to both alpha and ia64 */ - struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -#elif defined(__VOS__) - /* applies to both pa-risc and ia32 */ - struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_WIN32) -# if defined(_WIN64) && defined(_M_IA64) - struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; - return p->ip; -# else - return (void *)FIPS_ref_point; -# endif -/* - * In case you wonder why there is no #ifdef __linux. All Linux targets - * are GCC-based and therefore are covered by instruction_pointer above - * [well, some are covered by by the one below]... - */ -#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) - return (void *)instruction_pointer; -#else - return NULL; -#endif -} diff --git a/crypto/openssl/fips/fips_locl.h b/crypto/openssl/fips/fips_locl.h deleted file mode 100644 index b3ea289..0000000 --- a/crypto/openssl/fips/fips_locl.h +++ /dev/null @@ -1,74 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifdef OPENSSL_FIPS - -#ifdef __cplusplus -extern "C" { -#endif - -void fips_w_lock(void); -void fips_w_unlock(void); -void fips_r_lock(void); -void fips_r_unlock(void); -int fips_is_started(void); -void fips_set_started(void); -int fips_is_owning_thread(void); -int fips_set_owning_thread(void); -void fips_set_selftest_fail(void); -int fips_clear_owning_thread(void); -unsigned char *fips_signature_witness(void); -int fips_check_rsa(RSA *rsa); - -#define FIPS_MAX_CIPHER_TEST_SIZE 16 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/crypto/openssl/fips/fips_premain.c b/crypto/openssl/fips/fips_premain.c deleted file mode 100644 index 165d2c5..0000000 --- a/crypto/openssl/fips/fips_premain.c +++ /dev/null @@ -1,176 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution - * and usage in source and binary forms are granted according to the - * OpenSSL license. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#if defined(__unix) || defined(__unix__) -#include <unistd.h> -#endif - -#ifndef FINGERPRINT_PREMAIN_DSO_LOAD - -#if defined(__GNUC__) && __GNUC__>=2 - void FINGERPRINT_premain(void) __attribute__((constructor)); - /* Most commonly this results in pointer to premain to be dropped - * to .ctors segment, which is traversed by GCC crtbegin.o upon - * program startup. Except on a.out OpenBSD where it results in - * _GLOBAL_$I$premain() {premain();} being auto-generated by - * compiler... But one way or another this is believed to cover - * *all* GCC targets. */ -#elif defined(_MSC_VER) -# ifdef _WINDLL - __declspec(dllexport) /* this is essentially cosmetics... */ -# endif - void FINGERPRINT_premain(void); - static int premain_wrapper(void) { FINGERPRINT_premain(); return 0; } -# ifdef _WIN64 -# pragma section(".CRT$XCU",read) - __declspec(allocate(".CRT$XCU")) -# else -# pragma data_seg(".CRT$XCU") -# endif - static int (*p)(void) = premain_wrapper; - /* This results in pointer to premain to appear in .CRT segment, - * which is traversed by Visual C run-time initialization code. - * This applies to both Win32 and [all flavors of] Win64. */ -# pragma data_seg() -#elif defined(__SUNPRO_C) - void FINGERPRINT_premain(void); -# pragma init(FINGERPRINT_premain) - /* This results in a call to premain to appear in .init segment. */ -#elif defined(__DECC) && (defined(__VMS) || defined(VMS)) - void FINGERPRINT_premain(void); -# pragma __nostandard - globaldef { "LIB$INITIALIZ" } readonly _align (LONGWORD) - int spare[8] = {0}; - globaldef { "LIB$INITIALIZE" } readonly _align (LONGWORD) - void (*x_FINGERPRINT_premain)(void) = FINGERPRINT_premain; - /* Refer to LIB$INITIALIZE to ensure it exists in the image. */ - int lib$initialize(); - globaldef int (*lib_init_ref)() = lib$initialize; -# pragma __standard -#elif 0 - The rest has to be taken care of through command line: - - -Wl,-init,FINGERPRINT_premain on OSF1 and IRIX - -Wl,+init,FINGERPRINT_premain on HP-UX - -Wl,-binitfini:FINGERPRINT_premain on AIX - - On ELF platforms this results in a call to premain to appear in - .init segment... -#endif - -#ifndef HMAC_SHA1_SIG -#define HMAC_SHA1_SIG "?have to make sure this string is unique" -#endif - -static const unsigned char FINGERPRINT_ascii_value[40] = HMAC_SHA1_SIG; - -#define atox(c) ((c)>='a'?((c)-'a'+10):((c)>='A'?(c)-'A'+10:(c)-'0')) - -extern const void *FIPS_text_start(), *FIPS_text_end(); -extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; -extern unsigned char FIPS_signature[20]; -extern unsigned int FIPS_incore_fingerprint(unsigned char *,unsigned int); - -/* - * As name suggests this code is executed prior main(). We use this - * opportunity to fingerprint sequestered code in virtual address - * space of target application. - */ -void FINGERPRINT_premain(void) -{ unsigned char sig[sizeof(FIPS_signature)]; - const unsigned char * volatile p=FINGERPRINT_ascii_value; - unsigned int len=sizeof(sig),i; - - /* "volatilization" is done to disengage unwanted optimization... */ - if (*((volatile unsigned char *)p)=='?') - { if (FIPS_text_start()==NULL) - { fprintf(stderr,"FIPS_text_start() returns NULL\n"); - _exit(1); - } -#if defined(DEBUG_FINGERPRINT_PREMAIN) - fprintf(stderr,".text:%p+%d=%p\n",FIPS_text_start(), - (int)((size_t)FIPS_text_end()-(size_t)FIPS_text_start()), - FIPS_text_end()); - fprintf(stderr,".rodata:%p+%d=%p\n",FIPS_rodata_start, - (int)((size_t)FIPS_rodata_end-(size_t)FIPS_rodata_start), - FIPS_rodata_end); -#endif - - len=FIPS_incore_fingerprint(sig,sizeof(sig)); - - if (len!=sizeof(sig)) - { fprintf(stderr,"fingerprint length mismatch: %u\n",len); - _exit(1); - } - - for (i=0;i<len;i++) printf("%02x",sig[i]); - printf("\n"); - fflush(stdout); - _exit(0); - } - else if (FIPS_signature[0]=='\0') do - { for (i=0;i<sizeof(FIPS_signature);i++,p+=2) - FIPS_signature[i] = (atox(p[0])<<4)|atox(p[1]); - -#if defined(DEBUG_FINGERPRINT_PREMAIN) - if (getenv("OPENSSL_FIPS")==NULL) break; - - len=FIPS_incore_fingerprint(sig,sizeof(sig)); - - if (memcmp(FIPS_signature,sig,sizeof(FIPS_signature))) - { fprintf(stderr,"FINGERPRINT_premain: FIPS_signature mismatch\n"); - _exit(1); - } -#endif - } while(0); -} - -#else - -#include <openssl/bio.h> -#include <openssl/dso.h> -#include <openssl/err.h> - -int main(int argc,char *argv[]) -{ DSO *dso; - DSO_FUNC_TYPE func; - BIO *bio_err; - - if (argc < 2) - { fprintf (stderr,"usage: %s libcrypto.dso\n",argv[0]); - return 1; - } - - if ((bio_err=BIO_new(BIO_s_file())) == NULL) - { fprintf (stderr,"unable to allocate BIO\n"); - return 1; - } - BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); - ERR_load_crypto_strings(); - - dso = DSO_load(NULL,argv[1],NULL,DSO_FLAG_NO_NAME_TRANSLATION); - if (dso == NULL) - { ERR_print_errors(bio_err); - return 1; - } - - /* This is not normally reached, because FINGERPRINT_premain should - * have executed and terminated application already upon DSO_load... */ - func = DSO_bind_func(dso,"FINGERPRINT_premain"); - if (func == NULL) - { ERR_print_errors(bio_err); - return 1; - } - - (*func)(); - - return 0; -} - -#endif diff --git a/crypto/openssl/fips/fips_premain.c.sha1 b/crypto/openssl/fips/fips_premain.c.sha1 deleted file mode 100644 index c16f964..0000000 --- a/crypto/openssl/fips/fips_premain.c.sha1 +++ /dev/null @@ -1 +0,0 @@ -HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c diff --git a/crypto/openssl/fips/fips_test_suite.c b/crypto/openssl/fips/fips_test_suite.c deleted file mode 100644 index 2bc0ba9..0000000 --- a/crypto/openssl/fips/fips_test_suite.c +++ /dev/null @@ -1,579 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * - * This command is intended as a test driver for the FIPS-140 testing - * lab performing FIPS-140 validation. It demonstrates the use of the - * OpenSSL library ito perform a variety of common cryptographic - * functions. A power-up self test is demonstrated by deliberately - * pointing to an invalid executable hash - * - * Contributed by Steve Marquess. - * - */ -#include <stdio.h> -#include <assert.h> -#include <ctype.h> -#include <string.h> -#include <stdlib.h> -#include <openssl/aes.h> -#include <openssl/des.h> -#include <openssl/hmac.h> -#include <openssl/err.h> - -#include <openssl/bn.h> -#include <openssl/rand.h> -#include <openssl/sha.h> - - -#ifndef OPENSSL_FIPS -int main(int argc, char *argv[]) - { - printf("No FIPS support\n"); - return(0); - } -#else - -#include <openssl/rsa.h> -#include <openssl/dsa.h> -#include <openssl/dh.h> - -#include <openssl/fips.h> -#include "fips_utl.h" - -/* AES: encrypt and decrypt known plaintext, verify result matches original plaintext -*/ -static int FIPS_aes_test(void) - { - int ret = 0; - unsigned char pltmp[16]; - unsigned char citmp[16]; - unsigned char key[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}; - unsigned char plaintext[16] = "etaonrishdlcu"; - EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); - if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 1) <= 0) - goto err; - EVP_Cipher(&ctx, citmp, plaintext, 16); - if (EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(),NULL, key, NULL, 0) <= 0) - goto err; - EVP_Cipher(&ctx, pltmp, citmp, 16); - if (memcmp(pltmp, plaintext, 16)) - goto err; - ret = 1; - err: - EVP_CIPHER_CTX_cleanup(&ctx); - return ret; - } - -static int FIPS_des3_test(void) - { - int ret = 0; - unsigned char pltmp[8]; - unsigned char citmp[8]; - unsigned char key[] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18, - 19,20,21,22,23,24}; - unsigned char plaintext[] = { 'e', 't', 'a', 'o', 'n', 'r', 'i', 's' }; - EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); - if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 1) <= 0) - goto err; - EVP_Cipher(&ctx, citmp, plaintext, 8); - if (EVP_CipherInit_ex(&ctx, EVP_des_ede3_ecb(),NULL, key, NULL, 0) <= 0) - goto err; - EVP_Cipher(&ctx, pltmp, citmp, 8); - if (memcmp(pltmp, plaintext, 8)) - goto err; - ret = 1; - err: - EVP_CIPHER_CTX_cleanup(&ctx); - return ret; - } - -/* - * DSA: generate keys and sign, verify input plaintext. - */ -static int FIPS_dsa_test(int bad) - { - DSA *dsa = NULL; - EVP_PKEY pk; - unsigned char dgst[] = "etaonrishdlc"; - unsigned char buf[60]; - unsigned int slen; - int r = 0; - EVP_MD_CTX mctx; - - ERR_clear_error(); - EVP_MD_CTX_init(&mctx); - dsa = FIPS_dsa_new(); - if (!dsa) - goto end; - if (!DSA_generate_parameters_ex(dsa, 1024,NULL,0,NULL,NULL,NULL)) - goto end; - if (!DSA_generate_key(dsa)) - goto end; - if (bad) - BN_add_word(dsa->pub_key, 1); - - pk.type = EVP_PKEY_DSA; - pk.pkey.dsa = dsa; - - if (!EVP_SignInit_ex(&mctx, EVP_dss1(), NULL)) - goto end; - if (!EVP_SignUpdate(&mctx, dgst, sizeof(dgst) - 1)) - goto end; - if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) - goto end; - - if (!EVP_VerifyInit_ex(&mctx, EVP_dss1(), NULL)) - goto end; - if (!EVP_VerifyUpdate(&mctx, dgst, sizeof(dgst) - 1)) - goto end; - r = EVP_VerifyFinal(&mctx, buf, slen, &pk); - end: - EVP_MD_CTX_cleanup(&mctx); - if (dsa) - FIPS_dsa_free(dsa); - if (r != 1) - return 0; - return 1; - } - -/* - * RSA: generate keys and sign, verify input plaintext. - */ -static int FIPS_rsa_test(int bad) - { - RSA *key; - unsigned char input_ptext[] = "etaonrishdlc"; - unsigned char buf[256]; - unsigned int slen; - BIGNUM *bn; - EVP_MD_CTX mctx; - EVP_PKEY pk; - int r = 0; - - ERR_clear_error(); - EVP_MD_CTX_init(&mctx); - key = FIPS_rsa_new(); - bn = BN_new(); - if (!key || !bn) - return 0; - BN_set_word(bn, 65537); - if (!RSA_generate_key_ex(key, 1024,bn,NULL)) - return 0; - BN_free(bn); - if (bad) - BN_add_word(key->n, 1); - - pk.type = EVP_PKEY_RSA; - pk.pkey.rsa = key; - - if (!EVP_SignInit_ex(&mctx, EVP_sha1(), NULL)) - goto end; - if (!EVP_SignUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1)) - goto end; - if (!EVP_SignFinal(&mctx, buf, &slen, &pk)) - goto end; - - if (!EVP_VerifyInit_ex(&mctx, EVP_sha1(), NULL)) - goto end; - if (!EVP_VerifyUpdate(&mctx, input_ptext, sizeof(input_ptext) - 1)) - goto end; - r = EVP_VerifyFinal(&mctx, buf, slen, &pk); - end: - EVP_MD_CTX_cleanup(&mctx); - if (key) - FIPS_rsa_free(key); - if (r != 1) - return 0; - return 1; - } - -/* SHA1: generate hash of known digest value and compare to known - precomputed correct hash -*/ -static int FIPS_sha1_test() - { - unsigned char digest[SHA_DIGEST_LENGTH] = - { 0x11, 0xf1, 0x9a, 0x3a, 0xec, 0x1a, 0x1e, 0x8e, 0x65, 0xd4, 0x9a, 0x38, 0x0c, 0x8b, 0x1e, 0x2c, 0xe8, 0xb3, 0xc5, 0x18 }; - unsigned char str[] = "etaonrishd"; - - unsigned char md[SHA_DIGEST_LENGTH]; - - ERR_clear_error(); - if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha1(), NULL)) return 0; - if (memcmp(md,digest,sizeof(md))) - return 0; - return 1; - } - -/* SHA256: generate hash of known digest value and compare to known - precomputed correct hash -*/ -static int FIPS_sha256_test() - { - unsigned char digest[SHA256_DIGEST_LENGTH] = - {0xf5, 0x53, 0xcd, 0xb8, 0xcf, 0x1, 0xee, 0x17, 0x9b, 0x93, 0xc9, 0x68, 0xc0, 0xea, 0x40, 0x91, - 0x6, 0xec, 0x8e, 0x11, 0x96, 0xc8, 0x5d, 0x1c, 0xaf, 0x64, 0x22, 0xe6, 0x50, 0x4f, 0x47, 0x57}; - unsigned char str[] = "etaonrishd"; - - unsigned char md[SHA256_DIGEST_LENGTH]; - - ERR_clear_error(); - if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha256(), NULL)) return 0; - if (memcmp(md,digest,sizeof(md))) - return 0; - return 1; - } - -/* SHA512: generate hash of known digest value and compare to known - precomputed correct hash -*/ -static int FIPS_sha512_test() - { - unsigned char digest[SHA512_DIGEST_LENGTH] = - {0x99, 0xc9, 0xe9, 0x5b, 0x88, 0xd4, 0x78, 0x88, 0xdf, 0x88, 0x5f, 0x94, 0x71, 0x64, 0x28, 0xca, - 0x16, 0x1f, 0x3d, 0xf4, 0x1f, 0xf3, 0x0f, 0xc5, 0x03, 0x99, 0xb2, 0xd0, 0xe7, 0x0b, 0x94, 0x4a, - 0x45, 0xd2, 0x6c, 0x4f, 0x20, 0x06, 0xef, 0x71, 0xa9, 0x25, 0x7f, 0x24, 0xb1, 0xd9, 0x40, 0x22, - 0x49, 0x54, 0x10, 0xc2, 0x22, 0x9d, 0x27, 0xfe, 0xbd, 0xd6, 0xd6, 0xeb, 0x2d, 0x42, 0x1d, 0xa3}; - unsigned char str[] = "etaonrishd"; - - unsigned char md[SHA512_DIGEST_LENGTH]; - - ERR_clear_error(); - if (!EVP_Digest(str,sizeof(str) - 1,md, NULL, EVP_sha512(), NULL)) return 0; - if (memcmp(md,digest,sizeof(md))) - return 0; - return 1; - } - -/* HMAC-SHA1: generate hash of known digest value and compare to known - precomputed correct hash -*/ -static int FIPS_hmac_sha1_test() - { - unsigned char key[] = "etaonrishd"; - unsigned char iv[] = "Sample text"; - unsigned char kaval[EVP_MAX_MD_SIZE] = - {0x73, 0xf7, 0xa0, 0x48, 0xf8, 0x94, 0xed, 0xdd, 0x0a, 0xea, 0xea, 0x56, 0x1b, 0x61, 0x2e, 0x70, - 0xb2, 0xfb, 0xec, 0xc6}; - - unsigned char out[EVP_MAX_MD_SIZE]; - unsigned int outlen; - - ERR_clear_error(); - if (!HMAC(EVP_sha1(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; - if (memcmp(out,kaval,outlen)) - return 0; - return 1; - } - -/* HMAC-SHA224: generate hash of known digest value and compare to known - precomputed correct hash -*/ -static int FIPS_hmac_sha224_test() - { - unsigned char key[] = "etaonrishd"; - unsigned char iv[] = "Sample text"; - unsigned char kaval[EVP_MAX_MD_SIZE] = - {0x75, 0x58, 0xd5, 0xbd, 0x55, 0x6d, 0x87, 0x0f, 0x75, 0xff, 0xbe, 0x1c, 0xb2, 0xf0, 0x20, 0x35, - 0xe5, 0x62, 0x49, 0xb6, 0x94, 0xb9, 0xfc, 0x65, 0x34, 0x33, 0x3a, 0x19}; - - unsigned char out[EVP_MAX_MD_SIZE]; - unsigned int outlen; - - ERR_clear_error(); - if (!HMAC(EVP_sha224(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; - if (memcmp(out,kaval,outlen)) - return 0; - return 1; - } - -/* HMAC-SHA256: generate hash of known digest value and compare to known - precomputed correct hash -*/ -static int FIPS_hmac_sha256_test() - { - unsigned char key[] = "etaonrishd"; - unsigned char iv[] = "Sample text"; - unsigned char kaval[EVP_MAX_MD_SIZE] = - {0xe9, 0x17, 0xc1, 0x7b, 0x4c, 0x6b, 0x77, 0xda, 0xd2, 0x30, 0x36, 0x02, 0xf5, 0x72, 0x33, 0x87, - 0x9f, 0xc6, 0x6e, 0x7b, 0x7e, 0xa8, 0xea, 0xaa, 0x9f, 0xba, 0xee, 0x51, 0xff, 0xda, 0x24, 0xf4}; - - unsigned char out[EVP_MAX_MD_SIZE]; - unsigned int outlen; - - ERR_clear_error(); - if (!HMAC(EVP_sha256(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; - if (memcmp(out,kaval,outlen)) - return 0; - return 1; - } - -/* HMAC-SHA384: generate hash of known digest value and compare to known - precomputed correct hash -*/ -static int FIPS_hmac_sha384_test() - { - unsigned char key[] = "etaonrishd"; - unsigned char iv[] = "Sample text"; - unsigned char kaval[EVP_MAX_MD_SIZE] = - {0xb2, 0x9d, 0x40, 0x58, 0x32, 0xc4, 0xe3, 0x31, 0xb6, 0x63, 0x08, 0x26, 0x99, 0xef, 0x3b, 0x10, - 0xe2, 0xdf, 0xf8, 0xff, 0xc6, 0xe1, 0x03, 0x29, 0x81, 0x2a, 0x1b, 0xac, 0xb0, 0x07, 0x39, 0x08, - 0xf3, 0x91, 0x35, 0x11, 0x76, 0xd6, 0x4c, 0x20, 0xfb, 0x4d, 0xc3, 0xf3, 0xb8, 0x9b, 0x88, 0x1c}; - - unsigned char out[EVP_MAX_MD_SIZE]; - unsigned int outlen; - - ERR_clear_error(); - if (!HMAC(EVP_sha384(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; - if (memcmp(out,kaval,outlen)) - return 0; - return 1; - } - -/* HMAC-SHA512: generate hash of known digest value and compare to known - precomputed correct hash -*/ -static int FIPS_hmac_sha512_test() - { - unsigned char key[] = "etaonrishd"; - unsigned char iv[] = "Sample text"; - unsigned char kaval[EVP_MAX_MD_SIZE] = - {0xcd, 0x3e, 0xb9, 0x51, 0xb8, 0xbc, 0x7f, 0x9a, 0x23, 0xaf, 0xf3, 0x77, 0x59, 0x85, 0xa9, 0xe6, - 0xf7, 0xd1, 0x51, 0x96, 0x17, 0xe0, 0x92, 0xd8, 0xa6, 0x3b, 0xc1, 0xad, 0x7e, 0x24, 0xca, 0xb1, - 0xd7, 0x79, 0x0a, 0xa5, 0xea, 0x2c, 0x02, 0x58, 0x0b, 0xa6, 0x52, 0x6b, 0x61, 0x7f, 0xeb, 0x9c, - 0x47, 0x86, 0x5d, 0x74, 0x2b, 0x88, 0xdf, 0xee, 0x46, 0x69, 0x96, 0x3d, 0xa6, 0xd9, 0x2a, 0x53}; - - unsigned char out[EVP_MAX_MD_SIZE]; - unsigned int outlen; - - ERR_clear_error(); - if (!HMAC(EVP_sha512(),key,sizeof(key)-1,iv,sizeof(iv)-1,out,&outlen)) return 0; - if (memcmp(out,kaval,outlen)) - return 0; - return 1; - } - - -/* DH: generate shared parameters -*/ -static int dh_test() - { - DH *dh; - ERR_clear_error(); - dh = FIPS_dh_new(); - if (!dh) - return 0; - if (!DH_generate_parameters_ex(dh, 1024, 2, NULL)) - return 0; - FIPS_dh_free(dh); - return 1; - } - -/* Zeroize -*/ -static int Zeroize() - { - RSA *key; - BIGNUM *bn; - unsigned char userkey[16] = - { 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 }; - size_t i; - int n; - - key = FIPS_rsa_new(); - bn = BN_new(); - if (!key || !bn) - return 0; - BN_set_word(bn, 65537); - if (!RSA_generate_key_ex(key, 1024,bn,NULL)) - return 0; - BN_free(bn); - - n = BN_num_bytes(key->d); - printf(" Generated %d byte RSA private key\n", n); - printf("\tBN key before overwriting:\n"); - do_bn_print(stdout, key->d); - BN_rand(key->d,n*8,-1,0); - printf("\tBN key after overwriting:\n"); - do_bn_print(stdout, key->d); - - printf("\tchar buffer key before overwriting: \n\t\t"); - for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]); - printf("\n"); - RAND_bytes(userkey, sizeof userkey); - printf("\tchar buffer key after overwriting: \n\t\t"); - for(i = 0; i < sizeof(userkey); i++) printf("%02x", userkey[i]); - printf("\n"); - - return 1; - } - -static int Error; -static const char * Fail(const char *msg) - { - do_print_errors(); - Error++; - return msg; - } - -static void test_msg(const char *msg, int result) - { - printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!")); - } - -int main(int argc,char **argv) - { - - int do_corrupt_rsa_keygen = 0, do_corrupt_dsa_keygen = 0; - int bad_rsa = 0, bad_dsa = 0; - int do_rng_stick = 0; - int no_exit = 0; - - printf("\tFIPS-mode test application\n\n"); - - /* Load entropy from external file, if any */ - RAND_load_file(".rnd", 1024); - - if (argv[1]) { - /* Corrupted KAT tests */ - if (!strcmp(argv[1], "aes")) { - FIPS_corrupt_aes(); - printf("AES encryption/decryption with corrupted KAT...\n"); - } else if (!strcmp(argv[1], "des")) { - FIPS_corrupt_des(); - printf("DES3-ECB encryption/decryption with corrupted KAT...\n"); - } else if (!strcmp(argv[1], "dsa")) { - FIPS_corrupt_dsa(); - printf("DSA key generation and signature validation with corrupted KAT...\n"); - } else if (!strcmp(argv[1], "rsa")) { - FIPS_corrupt_rsa(); - printf("RSA key generation and signature validation with corrupted KAT...\n"); - } else if (!strcmp(argv[1], "rsakey")) { - printf("RSA key generation and signature validation with corrupted key...\n"); - bad_rsa = 1; - no_exit = 1; - } else if (!strcmp(argv[1], "rsakeygen")) { - do_corrupt_rsa_keygen = 1; - no_exit = 1; - printf("RSA key generation and signature validation with corrupted keygen...\n"); - } else if (!strcmp(argv[1], "dsakey")) { - printf("DSA key generation and signature validation with corrupted key...\n"); - bad_dsa = 1; - no_exit = 1; - } else if (!strcmp(argv[1], "dsakeygen")) { - do_corrupt_dsa_keygen = 1; - no_exit = 1; - printf("DSA key generation and signature validation with corrupted keygen...\n"); - } else if (!strcmp(argv[1], "sha1")) { - FIPS_corrupt_sha1(); - printf("SHA-1 hash with corrupted KAT...\n"); - } else if (!strcmp(argv[1], "rng")) { - FIPS_corrupt_rng(); - } else if (!strcmp(argv[1], "rngstick")) { - do_rng_stick = 1; - no_exit = 1; - printf("RNG test with stuck continuous test...\n"); - } else { - printf("Bad argument \"%s\"\n", argv[1]); - exit(1); - } - if (!no_exit) { - if (!FIPS_mode_set(1)) { - do_print_errors(); - printf("Power-up self test failed\n"); - exit(1); - } - printf("Power-up self test successful\n"); - exit(0); - } - } - - /* Non-Approved cryptographic operation - */ - printf("1. Non-Approved cryptographic operation test...\n"); - test_msg("\ta. Included algorithm (D-H)...", dh_test()); - - /* Power-up self test - */ - ERR_clear_error(); - test_msg("2. Automatic power-up self test", FIPS_mode_set(1)); - if (!FIPS_mode()) - exit(1); - if (do_corrupt_dsa_keygen) - FIPS_corrupt_dsa_keygen(); - if (do_corrupt_rsa_keygen) - FIPS_corrupt_rsa_keygen(); - if (do_rng_stick) - FIPS_rng_stick(); - - /* AES encryption/decryption - */ - test_msg("3. AES encryption/decryption", FIPS_aes_test()); - - /* RSA key generation and encryption/decryption - */ - test_msg("4. RSA key generation and encryption/decryption", - FIPS_rsa_test(bad_rsa)); - - /* DES-CBC encryption/decryption - */ - test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test()); - - /* DSA key generation and signature validation - */ - test_msg("6. DSA key generation and signature validation", - FIPS_dsa_test(bad_dsa)); - - /* SHA-1 hash - */ - test_msg("7a. SHA-1 hash", FIPS_sha1_test()); - - /* SHA-256 hash - */ - test_msg("7b. SHA-256 hash", FIPS_sha256_test()); - - /* SHA-512 hash - */ - test_msg("7c. SHA-512 hash", FIPS_sha512_test()); - - /* HMAC-SHA-1 hash - */ - test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test()); - - /* HMAC-SHA-224 hash - */ - test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test()); - - /* HMAC-SHA-256 hash - */ - test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test()); - - /* HMAC-SHA-384 hash - */ - test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test()); - - /* HMAC-SHA-512 hash - */ - test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test()); - - /* Non-Approved cryptographic operation - */ - printf("8. Non-Approved cryptographic operation test...\n"); - printf("\ta. Included algorithm (D-H)...%s\n", - dh_test() ? "successful as expected" - : Fail("failed INCORRECTLY!") ); - - /* Zeroization - */ - printf("9. Zero-ization...\n\t%s\n", - Zeroize() ? "successful as expected" - : Fail("failed INCORRECTLY!") ); - - printf("\nAll tests completed with %d errors\n", Error); - return Error ? 1 : 0; - } - -#endif diff --git a/crypto/openssl/fips/fips_utl.h b/crypto/openssl/fips/fips_utl.h deleted file mode 100644 index 85d9e12..0000000 --- a/crypto/openssl/fips/fips_utl.h +++ /dev/null @@ -1,359 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -void do_print_errors(void); -int hex2bin(const char *in, unsigned char *out); -unsigned char *hex2bin_m(const char *in, long *plen); -int do_hex2bn(BIGNUM **pr, const char *in); -int do_bn_print(FILE *out, BIGNUM *bn); -int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn); -int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf); -BIGNUM *hex2bn(const char *in); -int bin2hex(const unsigned char *in,int len,char *out); -void pv(const char *tag,const unsigned char *val,int len); -int tidy_line(char *linebuf, char *olinebuf); -int bint2bin(const char *in, int len, unsigned char *out); -int bin2bint(const unsigned char *in,int len,char *out); -void PrintValue(char *tag, unsigned char *val, int len); -void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode); - -void do_print_errors(void) - { - const char *file, *data; - int line, flags; - unsigned long l; - while ((l = ERR_get_error_line_data(&file, &line, &data, &flags))) - { - fprintf(stderr, "ERROR:%lx:lib=%d,func=%d,reason=%d" - ":file=%s:line=%d:%s\n", - l, ERR_GET_LIB(l), ERR_GET_FUNC(l), ERR_GET_REASON(l), - file, line, flags & ERR_TXT_STRING ? data : ""); - } - } - -int hex2bin(const char *in, unsigned char *out) - { - int n1, n2; - unsigned char ch; - - for (n1=0,n2=0 ; in[n1] && in[n1] != '\n' ; ) - { /* first byte */ - if ((in[n1] >= '0') && (in[n1] <= '9')) - ch = in[n1++] - '0'; - else if ((in[n1] >= 'A') && (in[n1] <= 'F')) - ch = in[n1++] - 'A' + 10; - else if ((in[n1] >= 'a') && (in[n1] <= 'f')) - ch = in[n1++] - 'a' + 10; - else - return -1; - if(!in[n1]) - { - out[n2++]=ch; - break; - } - out[n2] = ch << 4; - /* second byte */ - if ((in[n1] >= '0') && (in[n1] <= '9')) - ch = in[n1++] - '0'; - else if ((in[n1] >= 'A') && (in[n1] <= 'F')) - ch = in[n1++] - 'A' + 10; - else if ((in[n1] >= 'a') && (in[n1] <= 'f')) - ch = in[n1++] - 'a' + 10; - else - return -1; - out[n2++] |= ch; - } - return n2; - } - -unsigned char *hex2bin_m(const char *in, long *plen) - { - unsigned char *p; - p = OPENSSL_malloc((strlen(in) + 1)/2); - *plen = hex2bin(in, p); - return p; - } - -int do_hex2bn(BIGNUM **pr, const char *in) - { - unsigned char *p; - long plen; - int r = 0; - p = hex2bin_m(in, &plen); - if (!p) - return 0; - if (!*pr) - *pr = BN_new(); - if (!*pr) - return 0; - if (BN_bin2bn(p, plen, *pr)) - r = 1; - OPENSSL_free(p); - return r; - } - -int do_bn_print(FILE *out, BIGNUM *bn) - { - int len, i; - unsigned char *tmp; - len = BN_num_bytes(bn); - if (len == 0) - { - fputs("00", out); - return 1; - } - - tmp = OPENSSL_malloc(len); - if (!tmp) - { - fprintf(stderr, "Memory allocation error\n"); - return 0; - } - BN_bn2bin(bn, tmp); - for (i = 0; i < len; i++) - fprintf(out, "%02x", tmp[i]); - OPENSSL_free(tmp); - return 1; - } - -int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn) - { - int r; - fprintf(out, "%s = ", name); - r = do_bn_print(out, bn); - if (!r) - return 0; - fputs("\n", out); - return 1; - } - -int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf) - { - char *keyword, *value, *p, *q; - strcpy(linebuf, olinebuf); - keyword = linebuf; - /* Skip leading space */ - while (isspace((unsigned char)*keyword)) - keyword++; - - /* Look for = sign */ - p = strchr(linebuf, '='); - - /* If no '=' exit */ - if (!p) - return 0; - - q = p - 1; - - /* Remove trailing space */ - while (isspace((unsigned char)*q)) - *q-- = 0; - - *p = 0; - value = p + 1; - - /* Remove leading space from value */ - while (isspace((unsigned char)*value)) - value++; - - /* Remove trailing space from value */ - p = value + strlen(value) - 1; - - while (*p == '\n' || isspace((unsigned char)*p)) - *p-- = 0; - - *pkw = keyword; - *pval = value; - return 1; - } - -BIGNUM *hex2bn(const char *in) - { - BIGNUM *p=NULL; - - if (!do_hex2bn(&p, in)) - return NULL; - - return p; - } - -int bin2hex(const unsigned char *in,int len,char *out) - { - int n1, n2; - unsigned char ch; - - for (n1=0,n2=0 ; n1 < len ; ++n1) - { - ch=in[n1] >> 4; - if (ch <= 0x09) - out[n2++]=ch+'0'; - else - out[n2++]=ch-10+'a'; - ch=in[n1] & 0x0f; - if(ch <= 0x09) - out[n2++]=ch+'0'; - else - out[n2++]=ch-10+'a'; - } - out[n2]='\0'; - return n2; - } - -void pv(const char *tag,const unsigned char *val,int len) - { - char obuf[2048]; - - bin2hex(val,len,obuf); - printf("%s = %s\n",tag,obuf); - } - -/* To avoid extensive changes to test program at this stage just convert - * the input line into an acceptable form. Keyword lines converted to form - * "keyword = value\n" no matter what white space present, all other lines - * just have leading and trailing space removed. - */ - -int tidy_line(char *linebuf, char *olinebuf) - { - char *keyword, *value, *p, *q; - strcpy(linebuf, olinebuf); - keyword = linebuf; - /* Skip leading space */ - while (isspace((unsigned char)*keyword)) - keyword++; - /* Look for = sign */ - p = strchr(linebuf, '='); - - /* If no '=' just chop leading, trailing ws */ - if (!p) - { - p = keyword + strlen(keyword) - 1; - while (*p == '\n' || isspace((unsigned char)*p)) - *p-- = 0; - strcpy(olinebuf, keyword); - strcat(olinebuf, "\n"); - return 1; - } - - q = p - 1; - - /* Remove trailing space */ - while (isspace((unsigned char)*q)) - *q-- = 0; - - *p = 0; - value = p + 1; - - /* Remove leading space from value */ - while (isspace((unsigned char)*value)) - value++; - - /* Remove trailing space from value */ - p = value + strlen(value) - 1; - - while (*p == '\n' || isspace((unsigned char)*p)) - *p-- = 0; - - strcpy(olinebuf, keyword); - strcat(olinebuf, " = "); - strcat(olinebuf, value); - strcat(olinebuf, "\n"); - - return 1; - } - -/* NB: this return the number of _bits_ read */ -int bint2bin(const char *in, int len, unsigned char *out) - { - int n; - - memset(out,0,len); - for(n=0 ; n < len ; ++n) - if(in[n] == '1') - out[n/8]|=(0x80 >> (n%8)); - return len; - } - -int bin2bint(const unsigned char *in,int len,char *out) - { - int n; - - for(n=0 ; n < len ; ++n) - out[n]=(in[n/8]&(0x80 >> (n%8))) ? '1' : '0'; - return n; - } - -/*-----------------------------------------------*/ - -void PrintValue(char *tag, unsigned char *val, int len) -{ -#if VERBOSE - char obuf[2048]; - int olen; - olen = bin2hex(val, len, obuf); - printf("%s = %.*s\n", tag, olen, obuf); -#endif -} - -void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode) - { - char obuf[2048]; - int olen; - - if(bitmode) - olen=bin2bint(val,len,obuf); - else - olen=bin2hex(val,len,obuf); - - fprintf(rfp, "%s = %.*s\n", tag, olen, obuf); -#if VERBOSE - printf("%s = %.*s\n", tag, olen, obuf); -#endif - } - diff --git a/crypto/openssl/fips/fipsalgtest.pl b/crypto/openssl/fips/fipsalgtest.pl deleted file mode 100755 index 851cc98..0000000 --- a/crypto/openssl/fips/fipsalgtest.pl +++ /dev/null @@ -1,887 +0,0 @@ -#!/usr/bin/perl -w -# Perl utility to run or verify FIPS 140-2 CMVP algorithm tests based on the -# pathnames of input algorithm test files actually present (the unqualified -# file names are consistent but the pathnames are not). -# - -# FIPS test definitions -# List of all the unqualified file names we expect and command lines to run - -# DSA tests -my @fips_dsa_test_list = ( - - "DSA", - - [ "PQGGen", "fips_dssvs pqg" ], - [ "KeyPair", "fips_dssvs keypair" ], - [ "SigGen", "fips_dssvs siggen" ], - [ "SigVer", "fips_dssvs sigver" ] - -); - -my @fips_dsa_pqgver_test_list = ( - - [ "PQGVer", "fips_dssvs pqgver" ] - -); - -# RSA tests - -my @fips_rsa_test_list = ( - - "RSA", - - [ "SigGen15", "fips_rsastest" ], - [ "SigVer15", "fips_rsavtest" ], - [ "SigVerRSA", "fips_rsavtest -x931" ], - [ "KeyGenRSA", "fips_rsagtest" ], - [ "SigGenRSA", "fips_rsastest -x931" ] - -); - -# Special cases for PSS. The filename itself is -# not sufficient to determine the test. Addditionally we -# need to examine the file contents to determine the salt length -# In these cases the test filename has (saltlen) appended. - -# RSA PSS salt length 0 tests - -my @fips_rsa_pss0_test_list = ( - - [ "SigGenPSS(0)", "fips_rsastest -saltlen 0" ], - [ "SigVerPSS(0)", "fips_rsavtest -saltlen 0" ] - -); - -# RSA PSS salt length 62 tests - -my @fips_rsa_pss62_test_list = ( - [ "SigGenPSS(62)", "fips_rsastest -saltlen 62" ], - [ "SigVerPSS(62)", "fips_rsavtest -saltlen 62" ] - -); - -# SHA tests - -my @fips_sha_test_list = ( - - "SHA", - - [ "SHA1LongMsg", "fips_shatest" ], - [ "SHA1Monte", "fips_shatest" ], - [ "SHA1ShortMsg", "fips_shatest" ], - [ "SHA224LongMsg", "fips_shatest" ], - [ "SHA224Monte", "fips_shatest" ], - [ "SHA224ShortMsg", "fips_shatest" ], - [ "SHA256LongMsg", "fips_shatest" ], - [ "SHA256Monte", "fips_shatest" ], - [ "SHA256ShortMsg", "fips_shatest" ], - [ "SHA384LongMsg", "fips_shatest" ], - [ "SHA384Monte", "fips_shatest" ], - [ "SHA384ShortMsg", "fips_shatest" ], - [ "SHA512LongMsg", "fips_shatest" ], - [ "SHA512Monte", "fips_shatest" ], - [ "SHA512ShortMsg", "fips_shatest" ] - -); - -# HMAC - -my @fips_hmac_test_list = ( - - "HMAC", - - [ "HMAC", "fips_hmactest" ] - -); - -# RAND tests, AES version - -my @fips_rand_aes_test_list = ( - - "RAND (AES)", - - [ "ANSI931_AES128MCT", "fips_rngvs mct" ], - [ "ANSI931_AES192MCT", "fips_rngvs mct" ], - [ "ANSI931_AES256MCT", "fips_rngvs mct" ], - [ "ANSI931_AES128VST", "fips_rngvs vst" ], - [ "ANSI931_AES192VST", "fips_rngvs vst" ], - [ "ANSI931_AES256VST", "fips_rngvs vst" ] - -); - -# RAND tests, DES2 version - -my @fips_rand_des2_test_list = ( - - "RAND (DES2)", - - [ "ANSI931_TDES2MCT", "fips_rngvs mct" ], - [ "ANSI931_TDES2VST", "fips_rngvs vst" ] - -); - -# AES tests - -my @fips_aes_test_list = ( - - "AES", - - [ "CBCGFSbox128", "fips_aesavs -f" ], - [ "CBCGFSbox192", "fips_aesavs -f" ], - [ "CBCGFSbox256", "fips_aesavs -f" ], - [ "CBCKeySbox128", "fips_aesavs -f" ], - [ "CBCKeySbox192", "fips_aesavs -f" ], - [ "CBCKeySbox256", "fips_aesavs -f" ], - [ "CBCMCT128", "fips_aesavs -f" ], - [ "CBCMCT192", "fips_aesavs -f" ], - [ "CBCMCT256", "fips_aesavs -f" ], - [ "CBCMMT128", "fips_aesavs -f" ], - [ "CBCMMT192", "fips_aesavs -f" ], - [ "CBCMMT256", "fips_aesavs -f" ], - [ "CBCVarKey128", "fips_aesavs -f" ], - [ "CBCVarKey192", "fips_aesavs -f" ], - [ "CBCVarKey256", "fips_aesavs -f" ], - [ "CBCVarTxt128", "fips_aesavs -f" ], - [ "CBCVarTxt192", "fips_aesavs -f" ], - [ "CBCVarTxt256", "fips_aesavs -f" ], - [ "CFB128GFSbox128", "fips_aesavs -f" ], - [ "CFB128GFSbox192", "fips_aesavs -f" ], - [ "CFB128GFSbox256", "fips_aesavs -f" ], - [ "CFB128KeySbox128", "fips_aesavs -f" ], - [ "CFB128KeySbox192", "fips_aesavs -f" ], - [ "CFB128KeySbox256", "fips_aesavs -f" ], - [ "CFB128MCT128", "fips_aesavs -f" ], - [ "CFB128MCT192", "fips_aesavs -f" ], - [ "CFB128MCT256", "fips_aesavs -f" ], - [ "CFB128MMT128", "fips_aesavs -f" ], - [ "CFB128MMT192", "fips_aesavs -f" ], - [ "CFB128MMT256", "fips_aesavs -f" ], - [ "CFB128VarKey128", "fips_aesavs -f" ], - [ "CFB128VarKey192", "fips_aesavs -f" ], - [ "CFB128VarKey256", "fips_aesavs -f" ], - [ "CFB128VarTxt128", "fips_aesavs -f" ], - [ "CFB128VarTxt192", "fips_aesavs -f" ], - [ "CFB128VarTxt256", "fips_aesavs -f" ], - [ "CFB8GFSbox128", "fips_aesavs -f" ], - [ "CFB8GFSbox192", "fips_aesavs -f" ], - [ "CFB8GFSbox256", "fips_aesavs -f" ], - [ "CFB8KeySbox128", "fips_aesavs -f" ], - [ "CFB8KeySbox192", "fips_aesavs -f" ], - [ "CFB8KeySbox256", "fips_aesavs -f" ], - [ "CFB8MCT128", "fips_aesavs -f" ], - [ "CFB8MCT192", "fips_aesavs -f" ], - [ "CFB8MCT256", "fips_aesavs -f" ], - [ "CFB8MMT128", "fips_aesavs -f" ], - [ "CFB8MMT192", "fips_aesavs -f" ], - [ "CFB8MMT256", "fips_aesavs -f" ], - [ "CFB8VarKey128", "fips_aesavs -f" ], - [ "CFB8VarKey192", "fips_aesavs -f" ], - [ "CFB8VarKey256", "fips_aesavs -f" ], - [ "CFB8VarTxt128", "fips_aesavs -f" ], - [ "CFB8VarTxt192", "fips_aesavs -f" ], - [ "CFB8VarTxt256", "fips_aesavs -f" ], - - [ "ECBGFSbox128", "fips_aesavs -f" ], - [ "ECBGFSbox192", "fips_aesavs -f" ], - [ "ECBGFSbox256", "fips_aesavs -f" ], - [ "ECBKeySbox128", "fips_aesavs -f" ], - [ "ECBKeySbox192", "fips_aesavs -f" ], - [ "ECBKeySbox256", "fips_aesavs -f" ], - [ "ECBMCT128", "fips_aesavs -f" ], - [ "ECBMCT192", "fips_aesavs -f" ], - [ "ECBMCT256", "fips_aesavs -f" ], - [ "ECBMMT128", "fips_aesavs -f" ], - [ "ECBMMT192", "fips_aesavs -f" ], - [ "ECBMMT256", "fips_aesavs -f" ], - [ "ECBVarKey128", "fips_aesavs -f" ], - [ "ECBVarKey192", "fips_aesavs -f" ], - [ "ECBVarKey256", "fips_aesavs -f" ], - [ "ECBVarTxt128", "fips_aesavs -f" ], - [ "ECBVarTxt192", "fips_aesavs -f" ], - [ "ECBVarTxt256", "fips_aesavs -f" ], - [ "OFBGFSbox128", "fips_aesavs -f" ], - [ "OFBGFSbox192", "fips_aesavs -f" ], - [ "OFBGFSbox256", "fips_aesavs -f" ], - [ "OFBKeySbox128", "fips_aesavs -f" ], - [ "OFBKeySbox192", "fips_aesavs -f" ], - [ "OFBKeySbox256", "fips_aesavs -f" ], - [ "OFBMCT128", "fips_aesavs -f" ], - [ "OFBMCT192", "fips_aesavs -f" ], - [ "OFBMCT256", "fips_aesavs -f" ], - [ "OFBMMT128", "fips_aesavs -f" ], - [ "OFBMMT192", "fips_aesavs -f" ], - [ "OFBMMT256", "fips_aesavs -f" ], - [ "OFBVarKey128", "fips_aesavs -f" ], - [ "OFBVarKey192", "fips_aesavs -f" ], - [ "OFBVarKey256", "fips_aesavs -f" ], - [ "OFBVarTxt128", "fips_aesavs -f" ], - [ "OFBVarTxt192", "fips_aesavs -f" ], - [ "OFBVarTxt256", "fips_aesavs -f" ] - -); - -my @fips_aes_cfb1_test_list = ( - - # AES CFB1 tests - - [ "CFB1GFSbox128", "fips_aesavs -f" ], - [ "CFB1GFSbox192", "fips_aesavs -f" ], - [ "CFB1GFSbox256", "fips_aesavs -f" ], - [ "CFB1KeySbox128", "fips_aesavs -f" ], - [ "CFB1KeySbox192", "fips_aesavs -f" ], - [ "CFB1KeySbox256", "fips_aesavs -f" ], - [ "CFB1MCT128", "fips_aesavs -f" ], - [ "CFB1MCT192", "fips_aesavs -f" ], - [ "CFB1MCT256", "fips_aesavs -f" ], - [ "CFB1MMT128", "fips_aesavs -f" ], - [ "CFB1MMT192", "fips_aesavs -f" ], - [ "CFB1MMT256", "fips_aesavs -f" ], - [ "CFB1VarKey128", "fips_aesavs -f" ], - [ "CFB1VarKey192", "fips_aesavs -f" ], - [ "CFB1VarKey256", "fips_aesavs -f" ], - [ "CFB1VarTxt128", "fips_aesavs -f" ], - [ "CFB1VarTxt192", "fips_aesavs -f" ], - [ "CFB1VarTxt256", "fips_aesavs -f" ] - -); - -# Triple DES tests - -my @fips_des3_test_list = ( - - "Triple DES", - - [ "TCBCinvperm", "fips_desmovs -f" ], - [ "TCBCMMT1", "fips_desmovs -f" ], - [ "TCBCMMT2", "fips_desmovs -f" ], - [ "TCBCMMT3", "fips_desmovs -f" ], - [ "TCBCMonte1", "fips_desmovs -f" ], - [ "TCBCMonte2", "fips_desmovs -f" ], - [ "TCBCMonte3", "fips_desmovs -f" ], - [ "TCBCpermop", "fips_desmovs -f" ], - [ "TCBCsubtab", "fips_desmovs -f" ], - [ "TCBCvarkey", "fips_desmovs -f" ], - [ "TCBCvartext", "fips_desmovs -f" ], - [ "TCFB64invperm", "fips_desmovs -f" ], - [ "TCFB64MMT1", "fips_desmovs -f" ], - [ "TCFB64MMT2", "fips_desmovs -f" ], - [ "TCFB64MMT3", "fips_desmovs -f" ], - [ "TCFB64Monte1", "fips_desmovs -f" ], - [ "TCFB64Monte2", "fips_desmovs -f" ], - [ "TCFB64Monte3", "fips_desmovs -f" ], - [ "TCFB64permop", "fips_desmovs -f" ], - [ "TCFB64subtab", "fips_desmovs -f" ], - [ "TCFB64varkey", "fips_desmovs -f" ], - [ "TCFB64vartext", "fips_desmovs -f" ], - [ "TCFB8invperm", "fips_desmovs -f" ], - [ "TCFB8MMT1", "fips_desmovs -f" ], - [ "TCFB8MMT2", "fips_desmovs -f" ], - [ "TCFB8MMT3", "fips_desmovs -f" ], - [ "TCFB8Monte1", "fips_desmovs -f" ], - [ "TCFB8Monte2", "fips_desmovs -f" ], - [ "TCFB8Monte3", "fips_desmovs -f" ], - [ "TCFB8permop", "fips_desmovs -f" ], - [ "TCFB8subtab", "fips_desmovs -f" ], - [ "TCFB8varkey", "fips_desmovs -f" ], - [ "TCFB8vartext", "fips_desmovs -f" ], - [ "TECBinvperm", "fips_desmovs -f" ], - [ "TECBMMT1", "fips_desmovs -f" ], - [ "TECBMMT2", "fips_desmovs -f" ], - [ "TECBMMT3", "fips_desmovs -f" ], - [ "TECBMonte1", "fips_desmovs -f" ], - [ "TECBMonte2", "fips_desmovs -f" ], - [ "TECBMonte3", "fips_desmovs -f" ], - [ "TECBpermop", "fips_desmovs -f" ], - [ "TECBsubtab", "fips_desmovs -f" ], - [ "TECBvarkey", "fips_desmovs -f" ], - [ "TECBvartext", "fips_desmovs -f" ], - [ "TOFBinvperm", "fips_desmovs -f" ], - [ "TOFBMMT1", "fips_desmovs -f" ], - [ "TOFBMMT2", "fips_desmovs -f" ], - [ "TOFBMMT3", "fips_desmovs -f" ], - [ "TOFBMonte1", "fips_desmovs -f" ], - [ "TOFBMonte2", "fips_desmovs -f" ], - [ "TOFBMonte3", "fips_desmovs -f" ], - [ "TOFBpermop", "fips_desmovs -f" ], - [ "TOFBsubtab", "fips_desmovs -f" ], - [ "TOFBvarkey", "fips_desmovs -f" ], - [ "TOFBvartext", "fips_desmovs -f" ] - -); - -my @fips_des3_cfb1_test_list = ( - - # DES3 CFB1 tests - - [ "TCFB1invperm", "fips_desmovs -f" ], - [ "TCFB1MMT1", "fips_desmovs -f" ], - [ "TCFB1MMT2", "fips_desmovs -f" ], - [ "TCFB1MMT3", "fips_desmovs -f" ], - [ "TCFB1Monte1", "fips_desmovs -f" ], - [ "TCFB1Monte2", "fips_desmovs -f" ], - [ "TCFB1Monte3", "fips_desmovs -f" ], - [ "TCFB1permop", "fips_desmovs -f" ], - [ "TCFB1subtab", "fips_desmovs -f" ], - [ "TCFB1varkey", "fips_desmovs -f" ], - [ "TCFB1vartext", "fips_desmovs -f" ], - -); - -# Verification special cases. -# In most cases the output of a test is deterministic and -# it can be compared to a known good result. A few involve -# the genration and use of random keys and the output will -# be different each time. In thoses cases we perform special tests -# to simply check their consistency. For example signature generation -# output will be run through signature verification to see if all outputs -# show as valid. -# - -my %verify_special = ( - "PQGGen" => "fips_dssvs pqgver", - "KeyPair" => "fips_dssvs keyver", - "SigGen" => "fips_dssvs sigver", - "SigGen15" => "fips_rsavtest", - "SigGenRSA" => "fips_rsavtest -x931", - "SigGenPSS(0)" => "fips_rsavtest -saltlen 0", - "SigGenPSS(62)" => "fips_rsavtest -saltlen 62", -); - -my $win32 = $^O =~ m/mswin/i; -my $onedir = 0; -my $filter = ""; -my $tvdir; -my $tprefix; -my $shwrap_prefix; -my $debug = 0; -my $quiet = 0; -my $notest = 0; -my $verify = 1; -my $rspdir = "rsp"; -my $ignore_missing = 0; -my $ignore_bogus = 0; -my $bufout = ''; -my $list_tests = 0; - -my %fips_enabled = ( - dsa => 1, - "dsa-pqgver" => 0, - rsa => 1, - "rsa-pss0" => 0, - "rsa-pss62" => 1, - sha => 1, - hmac => 1, - "rand-aes" => 1, - "rand-des2" => 0, - aes => 1, - "aes-cfb1" => 0, - des3 => 1, - "des3-cfb1" => 0 -); - -foreach (@ARGV) { - if ( $_ eq "--win32" ) { - $win32 = 1; - } - elsif ( $_ eq "--onedir" ) { - $onedir = 1; - } - elsif ( $_ eq "--debug" ) { - $debug = 1; - } - elsif ( $_ eq "--ignore-missing" ) { - $ignore_missing = 1; - } - elsif ( $_ eq "--ignore-bogus" ) { - $ignore_bogus = 1; - } - elsif ( $_ eq "--generate" ) { - $verify = 0; - } - elsif ( $_ eq "--notest" ) { - $notest = 1; - } - elsif ( $_ eq "--quiet" ) { - $quiet = 1; - } - elsif (/--dir=(.*)$/) { - $tvdir = $1; - } - elsif (/--rspdir=(.*)$/) { - $rspdir = $1; - } - elsif (/--tprefix=(.*)$/) { - $tprefix = $1; - } - elsif (/--shwrap_prefix=(.*)$/) { - $shwrap_prefix = $1; - } - elsif (/^--(enable|disable)-(.*)$/) { - if ( !exists $fips_enabled{$2} ) { - print STDERR "Unknown test $2\n"; - } - if ( $1 eq "enable" ) { - $fips_enabled{$2} = 1; - } - else { - $fips_enabled{$2} = 0; - } - } - elsif (/--filter=(.*)$/) { - $filter = $1; - } - elsif (/^--list-tests$/) { - $list_tests = 1; - } - else { - Help(); - exit(1); - } -} - -my @fips_test_list; - -push @fips_test_list, @fips_dsa_test_list if $fips_enabled{"dsa"}; -push @fips_test_list, @fips_dsa_pqgver_test_list if $fips_enabled{"dsa-pqgver"}; -push @fips_test_list, @fips_rsa_test_list if $fips_enabled{"rsa"}; -push @fips_test_list, @fips_rsa_pss0_test_list if $fips_enabled{"rsa-pss0"}; -push @fips_test_list, @fips_rsa_pss62_test_list if $fips_enabled{"rsa-pss62"}; -push @fips_test_list, @fips_sha_test_list if $fips_enabled{"sha"}; -push @fips_test_list, @fips_hmac_test_list if $fips_enabled{"hmac"}; -push @fips_test_list, @fips_rand_aes_test_list if $fips_enabled{"rand-aes"}; -push @fips_test_list, @fips_rand_des2_test_list if $fips_enabled{"rand-des2"}; -push @fips_test_list, @fips_aes_test_list if $fips_enabled{"aes"}; -push @fips_test_list, @fips_aes_cfb1_test_list if $fips_enabled{"aes-cfb1"}; -push @fips_test_list, @fips_des3_test_list if $fips_enabled{"des3"}; -push @fips_test_list, @fips_des3_cfb1_test_list if $fips_enabled{"des3-cfb1"}; - -if ($list_tests) { - my ( $test, $en ); - print "=====TEST LIST=====\n"; - foreach $test ( sort keys %fips_enabled ) { - $en = $fips_enabled{$test}; - $test =~ tr/[a-z]/[A-Z]/; - printf "%-10s %s\n", $test, $en ? "enabled" : "disabled"; - } - exit(0); -} - -foreach (@fips_test_list) { - next unless ref($_); - my $nm = $_->[0]; - $_->[2] = ""; - $_->[3] = ""; - print STDERR "Duplicate test $nm\n" if exists $fips_tests{$nm}; - $fips_tests{$nm} = $_; -} - -$tvdir = "." unless defined $tvdir; - -if ($win32) { - if ( !defined $tprefix ) { - if ($onedir) { - $tprefix = ".\\"; - } - else { - $tprefix = "..\\out32dll\\"; - } - } -} -else { - if ($onedir) { - $tprefix = "./" unless defined $tprefix; - $shwrap_prefix = "./" unless defined $shwrap_prefix; - } - else { - $tprefix = "../test/" unless defined $tprefix; - $shwrap_prefix = "../util/" unless defined $shwrap_prefix; - } -} - -sanity_check_exe( $win32, $tprefix, $shwrap_prefix ); - -my $cmd_prefix = $win32 ? "" : "${shwrap_prefix}shlib_wrap.sh "; - -find_files( $filter, $tvdir ); - -sanity_check_files(); - -my ( $runerr, $cmperr, $cmpok, $scheckrunerr, $scheckerr, $scheckok, $skipcnt ) - = ( 0, 0, 0, 0, 0, 0, 0 ); - -exit(0) if $notest; - -run_tests( $verify, $win32, $tprefix, $filter, $tvdir ); - -if ($verify) { - print "ALGORITHM TEST VERIFY SUMMARY REPORT:\n"; - print "Tests skipped due to missing files: $skipcnt\n"; - print "Algorithm test program execution failures: $runerr\n"; - print "Test comparisons successful: $cmpok\n"; - print "Test comparisons failed: $cmperr\n"; - print "Test sanity checks successful: $scheckok\n"; - print "Test sanity checks failed: $scheckerr\n"; - print "Sanity check program execution failures: $scheckrunerr\n"; - - if ( $runerr || $cmperr || $scheckrunerr || $scheckerr ) { - print "***TEST FAILURE***\n"; - } - else { - print "***ALL TESTS SUCCESSFUL***\n"; - } -} -else { - print "ALGORITHM TEST SUMMARY REPORT:\n"; - print "Tests skipped due to missing files: $skipcnt\n"; - print "Algorithm test program execution failures: $runerr\n"; - - if ($runerr) { - print "***TEST FAILURE***\n"; - } - else { - print "***ALL TESTS SUCCESSFUL***\n"; - } -} - -#-------------------------------- -sub Help { - ( my $cmd ) = ( $0 =~ m#([^/]+)$# ); - print <<EOF; -$cmd: generate run CMVP algorithm tests - --debug Enable debug output - --dir=<dirname> Optional root for *.req file search - --filter=<regexp> - --onedir <dirname> Assume all components in current directory - --rspdir=<dirname> Name of subdirectories containing *.rsp files, default "rsp" - --shwrap_prefix=<prefix> - --tprefix=<prefix> - --ignore-bogus Ignore duplicate or bogus files - --ignore-missing Ignore missing test files - --quiet Shhh.... - --generate Generate algorithm test output - --win32 Win32 environment - --enable-<alg> Enable algorithm set <alg>. - --disable-<alg> Disable algorithm set <alg>. - Where <alg> can be one of: -EOF - -while (my ($key, $value) = each %fips_enabled) - { - printf "\t\t%-20s(%s by default)\n", $key , - $value ? "enabled" : "disabled"; - } -} - -# Sanity check to see if all necessary executables exist - -sub sanity_check_exe { - my ( $win32, $tprefix, $shwrap_prefix ) = @_; - my %exe_list; - my $bad = 0; - $exe_list{ $shwrap_prefix . "shlib_wrap.sh" } = 1 unless $win32; - foreach (@fips_test_list) { - next unless ref($_); - my $cmd = $_->[1]; - $cmd =~ s/ .*$//; - $cmd = $tprefix . $cmd; - $cmd .= ".exe" if $win32; - $exe_list{$cmd} = 1; - } - - foreach ( sort keys %exe_list ) { - if ( !-f $_ ) { - print STDERR "ERROR: can't find executable $_\n"; - $bad = 1; - } - } - if ($bad) { - print STDERR "FATAL ERROR: executables missing\n"; - exit(1); - } - elsif ($debug) { - print STDERR "Executable sanity check passed OK\n"; - } -} - -# Search for all request and response files - -sub find_files { - my ( $filter, $dir ) = @_; - my ( $dirh, $testname ); - opendir( $dirh, $dir ); - while ( $_ = readdir($dirh) ) { - next if ( $_ eq "." || $_ eq ".." ); - $_ = "$dir/$_"; - if ( -f "$_" ) { - if (/\/([^\/]*)\.rsp$/) { - $testname = fix_pss( $1, $_ ); - if ( exists $fips_tests{$testname} ) { - if ( $fips_tests{$testname}->[3] eq "" ) { - $fips_tests{$testname}->[3] = $_; - } - else { - print STDERR -"WARNING: duplicate response file $_ for test $testname\n"; - $nbogus++; - } - } - else { - print STDERR "WARNING: bogus file $_\n"; - $nbogus++; - } - } - next unless /$filter.*\.req$/i; - if (/\/([^\/]*)\.req$/) { - $testname = fix_pss( $1, $_ ); - if ( exists $fips_tests{$testname} ) { - if ( $fips_tests{$testname}->[2] eq "" ) { - $fips_tests{$testname}->[2] = $_; - } - else { - print STDERR -"WARNING: duplicate request file $_ for test $testname\n"; - $nbogus++; - } - - } - elsif ( !/SHAmix\.req$/ ) { - print STDERR "WARNING: unrecognized filename $_\n"; - $nbogus++; - } - } - } - elsif ( -d "$_" ) { - find_files( $filter, $_ ); - } - } - closedir($dirh); -} - -sub fix_pss { - my ( $test, $path ) = @_; - my $sl = ""; - local $_; - if ( $test =~ /PSS/ ) { - open( IN, $path ) || die "Can't Open File $path"; - while (<IN>) { - if (/^\s*#\s*salt\s+len:\s+(\d+)\s*$/i) { - $sl = $1; - last; - } - } - close IN; - if ( $sl eq "" ) { - print STDERR "WARNING: No Salt length detected for file $path\n"; - } - else { - return $test . "($sl)"; - } - } - return $test; -} - -sub sanity_check_files { - my $bad = 0; - foreach (@fips_test_list) { - next unless ref($_); - my ( $tst, $cmd, $req, $resp ) = @$_; - - #print STDERR "FILES $tst, $cmd, $req, $resp\n"; - if ( $req eq "" ) { - print STDERR "WARNING: missing request file for $tst\n"; - $bad = 1; - next; - } - if ( $verify && $resp eq "" ) { - print STDERR "WARNING: no response file for test $tst\n"; - $bad = 1; - } - elsif ( !$verify && $resp ne "" ) { - print STDERR "WARNING: response file $resp will be overwritten\n"; - } - } - if ($bad) { - print STDERR "ERROR: test vector file set not complete\n"; - exit(1) unless $ignore_missing; - } - if ($nbogus) { - print STDERR - "ERROR: $nbogus bogus or duplicate request and response files\n"; - exit(1) unless $ignore_bogus; - } - if ( $debug && !$nbogus && !$bad ) { - print STDERR "test vector file set complete\n"; - } -} - -sub run_tests { - my ( $verify, $win32, $tprefix, $filter, $tvdir ) = @_; - my ( $tname, $tref ); - my $bad = 0; - foreach (@fips_test_list) { - if ( !ref($_) ) { - print "Running $_ tests\n" unless $quiet; - next; - } - my ( $tname, $tcmd, $req, $rsp ) = @$_; - my $out = $rsp; - if ($verify) { - $out =~ s/\.rsp$/.tst/; - } - if ( $req eq "" ) { - print STDERR - "WARNING: Request file for $tname missing: test skipped\n"; - $skipcnt++; - next; - } - if ( $verify && $rsp eq "" ) { - print STDERR - "WARNING: Response file for $tname missing: test skipped\n"; - $skipcnt++; - next; - } - elsif ( !$verify ) { - if ( $rsp ne "" ) { - print STDERR "WARNING: Response file for $tname deleted\n"; - unlink $rsp; - } - $out = $req; - $out =~ s|/req/(\S+)\.req|/$rspdir/$1.rsp|; - my $outdir = $out; - $outdir =~ s|/[^/]*$||; - if ( !-d $outdir ) { - print STDERR "DEBUG: Creating directory $outdir\n" if $debug; - mkdir($outdir) || die "Can't create directory $outdir"; - } - } - my $cmd = "$cmd_prefix$tprefix$tcmd "; - if ( $tcmd =~ /-f$/ ) { - $cmd .= "\"$req\" \"$out\""; - } - else { - $cmd .= "<\"$req\" >\"$out\""; - } - print STDERR "DEBUG: running test $tname\n" if ( $debug && !$verify ); - system($cmd); - if ( $? != 0 ) { - print STDERR - "WARNING: error executing test $tname for command: $cmd\n"; - $runerr++; - next; - } - if ($verify) { - if ( exists $verify_special{$tname} ) { - my $vout = $rsp; - $vout =~ s/\.rsp$/.ver/; - $tcmd = $verify_special{$tname}; - $cmd = "$cmd_prefix$tprefix$tcmd "; - $cmd .= "<\"$out\" >\"$vout\""; - system($cmd); - if ( $? != 0 ) { - print STDERR - "WARNING: error executing verify test $tname $cmd\n"; - $scheckrunerr++; - next; - } - my ( $fcount, $pcount ) = ( 0, 0 ); - open VER, "$vout"; - while (<VER>) { - if (/^Result\s*=\s*(\S*)\s*$/i) - - { - if ( $1 eq "F" ) { - $fcount++; - } - else { - $pcount++; - } - } - } - close VER; - - unlink $vout; - if ( $fcount || $debug ) { - print STDERR "DEBUG: $tname, Pass=$pcount, Fail=$fcount\n"; - } - if ( $fcount || !$pcount ) { - $scheckerr++; - } - else { - $scheckok++; - } - - } - elsif ( !cmp_file( $tname, $rsp, $out ) ) { - $cmperr++; - } - else { - $cmpok++; - } - unlink $out; - } - } -} - -sub cmp_file { - my ( $tname, $rsp, $tst ) = @_; - my ( $rspf, $tstf ); - my ( $rspline, $tstline ); - if ( !open( $rspf, $rsp ) ) { - print STDERR "ERROR: can't open request file $rsp\n"; - return 0; - } - if ( !open( $tstf, $tst ) ) { - print STDERR "ERROR: can't open output file $tst\n"; - return 0; - } - for ( ; ; ) { - $rspline = next_line($rspf); - $tstline = next_line($tstf); - if ( !defined($rspline) && !defined($tstline) ) { - print STDERR "DEBUG: $tname file comparison OK\n" if $debug; - return 1; - } - if ( !defined($rspline) ) { - print STDERR "ERROR: $tname EOF on $rsp\n"; - return 0; - } - if ( !defined($tstline) ) { - print STDERR "ERROR: $tname EOF on $tst\n"; - return 0; - } - - # Workaround for bug in RAND des2 test output */ - if ( $tstline =~ /^Key2 =/ && $rspline =~ /^Key1 =/ ) { - $rspline =~ s/^Key1/Key2/; - } - - if ( $tstline ne $rspline ) { - print STDERR "ERROR: $tname mismatch:\n"; - print STDERR "\t \"$tstline\" != \"$rspline\"\n"; - return 0; - } - } - return 1; -} - -sub next_line { - my ($in) = @_; - - while (<$in>) { - chomp; - - # Delete comments - s/#.*$//; - - # Ignore blank lines - next if (/^\s*$/); - - # Translate multiple space into one - s/\s+/ /g; - # Delete trailing whitespace - s/\s+$//; - return $_; - } - return undef; -} diff --git a/crypto/openssl/fips/fipsld b/crypto/openssl/fips/fipsld deleted file mode 100755 index 8c26c85..0000000 --- a/crypto/openssl/fips/fipsld +++ /dev/null @@ -1,178 +0,0 @@ -#!/bin/sh -e -# -# Copyright (c) 2005-2007 The OpenSSL Project. -# -# Depending on output file name, the script either embeds fingerprint -# into libcrypto.so or static application. "Static" refers to static -# libcrypto.a, not [necessarily] application per se. -# -# Even though this script is called fipsld, it expects C compiler -# command line syntax and $FIPSLD_CC or $CC environment variable set -# and can even be used to compile source files. - -#set -x - -CC=${FIPSLD_CC:-${CC}} -[ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; } - -# Initially -c wasn't intended to be interpreted here, but it might -# make life easier for those who want to build FIPS-ified applications -# with minimal [if any] modifications to their Makefiles... -( while [ "x$1" != "x" -a "x$1" != "x-c" -a "x$1" != "x-E" ]; do shift; done; - [ $# -ge 1 ] -) && exec ${CC} "$@" - -TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)` - -# If using an auto-tooled (autoconf/automake/libtool) project, -# configure will fail when testing the compiler or even performing -# simple checks. Pass-through to compiler directly if application is -# is not being linked with libcrypto, allowing auto-tooled applications -# to utilize fipsld (e.g. CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc -# ./configure && make). But keep in mind[!] that if certified code -# resides in a shared library, then fipsld *may not* be used and -# end-developer should not modify application configuration and build -# procedures. This is because in-core fingerprint and associated -# procedures are already embedded into and executed in shared library -# context. -case `basename "${TARGET}"` in -libcrypto*|libfips*|*.dll) ;; -*) case "$*" in - *libcrypto.a*|*-lcrypto*|*fipscanister.o*) ;; - *) exec ${CC} "$@" ;; - esac -esac - -[ -n "${TARGET}" ] || { echo 'no -o specified'; exit 1; } - -# Turn on debugging output? -( while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done; - [ $# -ge 1 ] -) && set -x - -THERE="`echo $0 | sed -e 's|[^/]*$||'`".. - -# fipscanister.o can appear in command line -CANISTER_O=`(while [ "x$1" != "x" ]; do case "$1" in *fipscanister.o) echo $1; exit;; esac; shift; done)` -if [ -z "${CANISTER_O}" ]; then - # If set, FIPSLIBDIR is location of installed validated FIPS module - if [ -n "${FIPSLIBDIR}" ]; then - CANISTER_O="${FIPSLIBDIR}/fipscanister.o" - elif [ -f "${THERE}/fips/fipscanister.o" ]; then - CANISTER_O="${THERE}/fips/fipscanister.o" - elif [ -f "${THERE}/lib/fipscanister.o" ]; then - CANISTER_O="${THERE}/lib/fipscanister.o" - fi - CANISTER_O_CMD="${CANISTER_O}" -fi -[ -f ${CANISTER_O} ] || { echo "unable to find ${CANISTER_O}"; exit 1; } - -PREMAIN_C=`dirname "${CANISTER_O}"`/fips_premain.c - -HMAC_KEY="etaonrishdlcupfm" - -case "`(uname -s) 2>/dev/null`" in -OSF1|IRIX*) _WL_PREMAIN="-Wl,-init,FINGERPRINT_premain" ;; -HP-UX) _WL_PREMAIN="-Wl,+init,FINGERPRINT_premain" ;; -AIX) _WL_PREMAIN="-Wl,-binitfini:FINGERPRINT_premain,-bnoobjreorder";; -Darwin) ( while [ "x$1" != "x" -a "x$1" != "x-dynamiclib" ]; do shift; done; - [ $# -ge 1 ] - ) && _WL_PREMAIN="-Wl,-init,_FINGERPRINT_premain" ;; -esac - -case "${TARGET}" in -[!/]*) TARGET=./${TARGET} ;; -esac - -case `basename "${TARGET}"` in -lib*|*.dll) # must be linking a shared lib... - # Shared lib creation can be taking place in the source - # directory only, but fipscanister.o can reside elsewhere... - FINGERTYPE="${THERE}/fips/fips_standalone_sha1" - - # verify fipspremain.c against its detached signature... - ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ - diff -w "${PREMAIN_C}.sha1" - || \ - { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } - # verify fipscanister.o against its detached signature... - ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ - diff -w "${CANISTER_O}.sha1" - || \ - { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } - - # Temporarily remove fipscanister.o from libcrypto.a! - # We are required to use the standalone copy... - if [ -f "${THERE}/libcrypto.a" ]; then - if ar d "${THERE}/libcrypto.a" fipscanister.o; then - (ranlib "${THERE}/libcrypto.a") 2>/dev/null || : - trap 'ar r "${THERE}/libcrypto.a" "${CANISTER_O}"; - (ranlib "${THERE}/libcrypto.a") 2>/dev/null || :; - sleep 1; - touch -c "${TARGET}"' 0 - fi - fi - - /bin/rm -f "${TARGET}" - ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ - "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - - # generate signature... - if [ -z "${FIPS_SIG}" ]; then - SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"` - else - SIG=`"${FIPS_SIG}" -dso "${TARGET}"` - fi - /bin/rm -f "${TARGET}" - if [ -z "${SIG}" ]; then - echo "unable to collect signature"; exit 1 - fi - - # recompile with signature... - ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ - -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - ;; - -*) # must be linking statically... - # Static linking can be taking place either in the source - # directory or off the installed binary target destination. - if [ -x "${THERE}/fips/fips_standalone_sha1" ]; then - FINGERTYPE="${THERE}/fips/fips_standalone_sha1" - else # Installed tree is expected to contain - # lib/fipscanister.o, lib/fipscanister.o.sha1 and - # lib/fips_premain.c [not to mention bin/openssl]. - FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}" - fi - - # verify fipscanister.o against its detached signature... - ${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \ - diff -w "${CANISTER_O}.sha1" - || \ - { echo "${CANISTER_O} fingerprint mismatch"; exit 1; } - - # verify fips_premain.c against its detached signature... - ${FINGERTYPE} "${PREMAIN_C}" | sed "s/(.*\//(/" | \ - diff -w "${PREMAIN_C}.sha1" - || \ - { echo "${PREMAIN_C} fingerprint mismatch"; exit 1; } - - /bin/rm -f "${TARGET}" - ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ - "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - - # generate signature... - if [ -z "${FIPS_SIG}" ]; then - SIG=`"${TARGET}"` - else - SIG=`"${FIPS_SIG}" -exe "${TARGET}"` - fi - /bin/rm -f "${TARGET}" - if [ -z "${SIG}" ]; then - echo "unable to collect signature"; exit 1 - fi - - # recompile with signature... - ${CC} ${CANISTER_O_CMD:+"${CANISTER_O_CMD}"} \ - -DHMAC_SHA1_SIG=\"${SIG}\" "${PREMAIN_C}" \ - ${_WL_PREMAIN} "$@" - ;; -esac diff --git a/crypto/openssl/fips/fipstests.sh b/crypto/openssl/fips/fipstests.sh deleted file mode 100755 index a351446..0000000 --- a/crypto/openssl/fips/fipstests.sh +++ /dev/null @@ -1,400 +0,0 @@ -#!/bin/sh - -# Test vector run script -# Auto generated by mkfipsscr.pl script -# Do not edit - - -echo Running tests in "./testvectors/AES/req" -rm -rf "./testvectors/AES/rsp" -mkdir "./testvectors/AES/rsp" - -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCGFSbox128.req" "./testvectors/AES/rsp/CBCGFSbox128.rsp" || { echo "./testvectors/AES/req/CBCGFSbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCGFSbox192.req" "./testvectors/AES/rsp/CBCGFSbox192.rsp" || { echo "./testvectors/AES/req/CBCGFSbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCGFSbox256.req" "./testvectors/AES/rsp/CBCGFSbox256.rsp" || { echo "./testvectors/AES/req/CBCGFSbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCKeySbox128.req" "./testvectors/AES/rsp/CBCKeySbox128.rsp" || { echo "./testvectors/AES/req/CBCKeySbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCKeySbox192.req" "./testvectors/AES/rsp/CBCKeySbox192.rsp" || { echo "./testvectors/AES/req/CBCKeySbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCKeySbox256.req" "./testvectors/AES/rsp/CBCKeySbox256.rsp" || { echo "./testvectors/AES/req/CBCKeySbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCMCT128.req" "./testvectors/AES/rsp/CBCMCT128.rsp" || { echo "./testvectors/AES/req/CBCMCT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCMCT192.req" "./testvectors/AES/rsp/CBCMCT192.rsp" || { echo "./testvectors/AES/req/CBCMCT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCMCT256.req" "./testvectors/AES/rsp/CBCMCT256.rsp" || { echo "./testvectors/AES/req/CBCMCT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCMMT128.req" "./testvectors/AES/rsp/CBCMMT128.rsp" || { echo "./testvectors/AES/req/CBCMMT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCMMT192.req" "./testvectors/AES/rsp/CBCMMT192.rsp" || { echo "./testvectors/AES/req/CBCMMT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCMMT256.req" "./testvectors/AES/rsp/CBCMMT256.rsp" || { echo "./testvectors/AES/req/CBCMMT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCVarKey128.req" "./testvectors/AES/rsp/CBCVarKey128.rsp" || { echo "./testvectors/AES/req/CBCVarKey128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCVarKey192.req" "./testvectors/AES/rsp/CBCVarKey192.rsp" || { echo "./testvectors/AES/req/CBCVarKey192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCVarKey256.req" "./testvectors/AES/rsp/CBCVarKey256.rsp" || { echo "./testvectors/AES/req/CBCVarKey256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCVarTxt128.req" "./testvectors/AES/rsp/CBCVarTxt128.rsp" || { echo "./testvectors/AES/req/CBCVarTxt128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCVarTxt192.req" "./testvectors/AES/rsp/CBCVarTxt192.rsp" || { echo "./testvectors/AES/req/CBCVarTxt192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CBCVarTxt256.req" "./testvectors/AES/rsp/CBCVarTxt256.rsp" || { echo "./testvectors/AES/req/CBCVarTxt256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128GFSbox128.req" "./testvectors/AES/rsp/CFB128GFSbox128.rsp" || { echo "./testvectors/AES/req/CFB128GFSbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128GFSbox192.req" "./testvectors/AES/rsp/CFB128GFSbox192.rsp" || { echo "./testvectors/AES/req/CFB128GFSbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128GFSbox256.req" "./testvectors/AES/rsp/CFB128GFSbox256.rsp" || { echo "./testvectors/AES/req/CFB128GFSbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128KeySbox128.req" "./testvectors/AES/rsp/CFB128KeySbox128.rsp" || { echo "./testvectors/AES/req/CFB128KeySbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128KeySbox192.req" "./testvectors/AES/rsp/CFB128KeySbox192.rsp" || { echo "./testvectors/AES/req/CFB128KeySbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128KeySbox256.req" "./testvectors/AES/rsp/CFB128KeySbox256.rsp" || { echo "./testvectors/AES/req/CFB128KeySbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128MCT128.req" "./testvectors/AES/rsp/CFB128MCT128.rsp" || { echo "./testvectors/AES/req/CFB128MCT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128MCT192.req" "./testvectors/AES/rsp/CFB128MCT192.rsp" || { echo "./testvectors/AES/req/CFB128MCT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128MCT256.req" "./testvectors/AES/rsp/CFB128MCT256.rsp" || { echo "./testvectors/AES/req/CFB128MCT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128MMT128.req" "./testvectors/AES/rsp/CFB128MMT128.rsp" || { echo "./testvectors/AES/req/CFB128MMT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128MMT192.req" "./testvectors/AES/rsp/CFB128MMT192.rsp" || { echo "./testvectors/AES/req/CFB128MMT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128MMT256.req" "./testvectors/AES/rsp/CFB128MMT256.rsp" || { echo "./testvectors/AES/req/CFB128MMT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128VarKey128.req" "./testvectors/AES/rsp/CFB128VarKey128.rsp" || { echo "./testvectors/AES/req/CFB128VarKey128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128VarKey192.req" "./testvectors/AES/rsp/CFB128VarKey192.rsp" || { echo "./testvectors/AES/req/CFB128VarKey192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128VarKey256.req" "./testvectors/AES/rsp/CFB128VarKey256.rsp" || { echo "./testvectors/AES/req/CFB128VarKey256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128VarTxt128.req" "./testvectors/AES/rsp/CFB128VarTxt128.rsp" || { echo "./testvectors/AES/req/CFB128VarTxt128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128VarTxt192.req" "./testvectors/AES/rsp/CFB128VarTxt192.rsp" || { echo "./testvectors/AES/req/CFB128VarTxt192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB128VarTxt256.req" "./testvectors/AES/rsp/CFB128VarTxt256.rsp" || { echo "./testvectors/AES/req/CFB128VarTxt256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1GFSbox128.req" "./testvectors/AES/rsp/CFB1GFSbox128.rsp" || { echo "./testvectors/AES/req/CFB1GFSbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1GFSbox192.req" "./testvectors/AES/rsp/CFB1GFSbox192.rsp" || { echo "./testvectors/AES/req/CFB1GFSbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1GFSbox256.req" "./testvectors/AES/rsp/CFB1GFSbox256.rsp" || { echo "./testvectors/AES/req/CFB1GFSbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1KeySbox128.req" "./testvectors/AES/rsp/CFB1KeySbox128.rsp" || { echo "./testvectors/AES/req/CFB1KeySbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1KeySbox192.req" "./testvectors/AES/rsp/CFB1KeySbox192.rsp" || { echo "./testvectors/AES/req/CFB1KeySbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1KeySbox256.req" "./testvectors/AES/rsp/CFB1KeySbox256.rsp" || { echo "./testvectors/AES/req/CFB1KeySbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1MCT128.req" "./testvectors/AES/rsp/CFB1MCT128.rsp" || { echo "./testvectors/AES/req/CFB1MCT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1MCT192.req" "./testvectors/AES/rsp/CFB1MCT192.rsp" || { echo "./testvectors/AES/req/CFB1MCT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1MCT256.req" "./testvectors/AES/rsp/CFB1MCT256.rsp" || { echo "./testvectors/AES/req/CFB1MCT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1MMT128.req" "./testvectors/AES/rsp/CFB1MMT128.rsp" || { echo "./testvectors/AES/req/CFB1MMT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1MMT192.req" "./testvectors/AES/rsp/CFB1MMT192.rsp" || { echo "./testvectors/AES/req/CFB1MMT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1MMT256.req" "./testvectors/AES/rsp/CFB1MMT256.rsp" || { echo "./testvectors/AES/req/CFB1MMT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1VarKey128.req" "./testvectors/AES/rsp/CFB1VarKey128.rsp" || { echo "./testvectors/AES/req/CFB1VarKey128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1VarKey192.req" "./testvectors/AES/rsp/CFB1VarKey192.rsp" || { echo "./testvectors/AES/req/CFB1VarKey192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1VarKey256.req" "./testvectors/AES/rsp/CFB1VarKey256.rsp" || { echo "./testvectors/AES/req/CFB1VarKey256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1VarTxt128.req" "./testvectors/AES/rsp/CFB1VarTxt128.rsp" || { echo "./testvectors/AES/req/CFB1VarTxt128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1VarTxt192.req" "./testvectors/AES/rsp/CFB1VarTxt192.rsp" || { echo "./testvectors/AES/req/CFB1VarTxt192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB1VarTxt256.req" "./testvectors/AES/rsp/CFB1VarTxt256.rsp" || { echo "./testvectors/AES/req/CFB1VarTxt256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8GFSbox128.req" "./testvectors/AES/rsp/CFB8GFSbox128.rsp" || { echo "./testvectors/AES/req/CFB8GFSbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8GFSbox192.req" "./testvectors/AES/rsp/CFB8GFSbox192.rsp" || { echo "./testvectors/AES/req/CFB8GFSbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8GFSbox256.req" "./testvectors/AES/rsp/CFB8GFSbox256.rsp" || { echo "./testvectors/AES/req/CFB8GFSbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8KeySbox128.req" "./testvectors/AES/rsp/CFB8KeySbox128.rsp" || { echo "./testvectors/AES/req/CFB8KeySbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8KeySbox192.req" "./testvectors/AES/rsp/CFB8KeySbox192.rsp" || { echo "./testvectors/AES/req/CFB8KeySbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8KeySbox256.req" "./testvectors/AES/rsp/CFB8KeySbox256.rsp" || { echo "./testvectors/AES/req/CFB8KeySbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8MCT128.req" "./testvectors/AES/rsp/CFB8MCT128.rsp" || { echo "./testvectors/AES/req/CFB8MCT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8MCT192.req" "./testvectors/AES/rsp/CFB8MCT192.rsp" || { echo "./testvectors/AES/req/CFB8MCT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8MCT256.req" "./testvectors/AES/rsp/CFB8MCT256.rsp" || { echo "./testvectors/AES/req/CFB8MCT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8MMT128.req" "./testvectors/AES/rsp/CFB8MMT128.rsp" || { echo "./testvectors/AES/req/CFB8MMT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8MMT192.req" "./testvectors/AES/rsp/CFB8MMT192.rsp" || { echo "./testvectors/AES/req/CFB8MMT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8MMT256.req" "./testvectors/AES/rsp/CFB8MMT256.rsp" || { echo "./testvectors/AES/req/CFB8MMT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8VarKey128.req" "./testvectors/AES/rsp/CFB8VarKey128.rsp" || { echo "./testvectors/AES/req/CFB8VarKey128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8VarKey192.req" "./testvectors/AES/rsp/CFB8VarKey192.rsp" || { echo "./testvectors/AES/req/CFB8VarKey192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8VarKey256.req" "./testvectors/AES/rsp/CFB8VarKey256.rsp" || { echo "./testvectors/AES/req/CFB8VarKey256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8VarTxt128.req" "./testvectors/AES/rsp/CFB8VarTxt128.rsp" || { echo "./testvectors/AES/req/CFB8VarTxt128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8VarTxt192.req" "./testvectors/AES/rsp/CFB8VarTxt192.rsp" || { echo "./testvectors/AES/req/CFB8VarTxt192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/CFB8VarTxt256.req" "./testvectors/AES/rsp/CFB8VarTxt256.rsp" || { echo "./testvectors/AES/req/CFB8VarTxt256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBGFSbox128.req" "./testvectors/AES/rsp/ECBGFSbox128.rsp" || { echo "./testvectors/AES/req/ECBGFSbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBGFSbox192.req" "./testvectors/AES/rsp/ECBGFSbox192.rsp" || { echo "./testvectors/AES/req/ECBGFSbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBGFSbox256.req" "./testvectors/AES/rsp/ECBGFSbox256.rsp" || { echo "./testvectors/AES/req/ECBGFSbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBKeySbox128.req" "./testvectors/AES/rsp/ECBKeySbox128.rsp" || { echo "./testvectors/AES/req/ECBKeySbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBKeySbox192.req" "./testvectors/AES/rsp/ECBKeySbox192.rsp" || { echo "./testvectors/AES/req/ECBKeySbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBKeySbox256.req" "./testvectors/AES/rsp/ECBKeySbox256.rsp" || { echo "./testvectors/AES/req/ECBKeySbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBMCT128.req" "./testvectors/AES/rsp/ECBMCT128.rsp" || { echo "./testvectors/AES/req/ECBMCT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBMCT192.req" "./testvectors/AES/rsp/ECBMCT192.rsp" || { echo "./testvectors/AES/req/ECBMCT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBMCT256.req" "./testvectors/AES/rsp/ECBMCT256.rsp" || { echo "./testvectors/AES/req/ECBMCT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBMMT128.req" "./testvectors/AES/rsp/ECBMMT128.rsp" || { echo "./testvectors/AES/req/ECBMMT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBMMT192.req" "./testvectors/AES/rsp/ECBMMT192.rsp" || { echo "./testvectors/AES/req/ECBMMT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBMMT256.req" "./testvectors/AES/rsp/ECBMMT256.rsp" || { echo "./testvectors/AES/req/ECBMMT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBVarKey128.req" "./testvectors/AES/rsp/ECBVarKey128.rsp" || { echo "./testvectors/AES/req/ECBVarKey128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBVarKey192.req" "./testvectors/AES/rsp/ECBVarKey192.rsp" || { echo "./testvectors/AES/req/ECBVarKey192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBVarKey256.req" "./testvectors/AES/rsp/ECBVarKey256.rsp" || { echo "./testvectors/AES/req/ECBVarKey256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBVarTxt128.req" "./testvectors/AES/rsp/ECBVarTxt128.rsp" || { echo "./testvectors/AES/req/ECBVarTxt128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBVarTxt192.req" "./testvectors/AES/rsp/ECBVarTxt192.rsp" || { echo "./testvectors/AES/req/ECBVarTxt192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/ECBVarTxt256.req" "./testvectors/AES/rsp/ECBVarTxt256.rsp" || { echo "./testvectors/AES/req/ECBVarTxt256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBGFSbox128.req" "./testvectors/AES/rsp/OFBGFSbox128.rsp" || { echo "./testvectors/AES/req/OFBGFSbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBGFSbox192.req" "./testvectors/AES/rsp/OFBGFSbox192.rsp" || { echo "./testvectors/AES/req/OFBGFSbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBGFSbox256.req" "./testvectors/AES/rsp/OFBGFSbox256.rsp" || { echo "./testvectors/AES/req/OFBGFSbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBKeySbox128.req" "./testvectors/AES/rsp/OFBKeySbox128.rsp" || { echo "./testvectors/AES/req/OFBKeySbox128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBKeySbox192.req" "./testvectors/AES/rsp/OFBKeySbox192.rsp" || { echo "./testvectors/AES/req/OFBKeySbox192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBKeySbox256.req" "./testvectors/AES/rsp/OFBKeySbox256.rsp" || { echo "./testvectors/AES/req/OFBKeySbox256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBMCT128.req" "./testvectors/AES/rsp/OFBMCT128.rsp" || { echo "./testvectors/AES/req/OFBMCT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBMCT192.req" "./testvectors/AES/rsp/OFBMCT192.rsp" || { echo "./testvectors/AES/req/OFBMCT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBMCT256.req" "./testvectors/AES/rsp/OFBMCT256.rsp" || { echo "./testvectors/AES/req/OFBMCT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBMMT128.req" "./testvectors/AES/rsp/OFBMMT128.rsp" || { echo "./testvectors/AES/req/OFBMMT128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBMMT192.req" "./testvectors/AES/rsp/OFBMMT192.rsp" || { echo "./testvectors/AES/req/OFBMMT192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBMMT256.req" "./testvectors/AES/rsp/OFBMMT256.rsp" || { echo "./testvectors/AES/req/OFBMMT256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBVarKey128.req" "./testvectors/AES/rsp/OFBVarKey128.rsp" || { echo "./testvectors/AES/req/OFBVarKey128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBVarKey192.req" "./testvectors/AES/rsp/OFBVarKey192.rsp" || { echo "./testvectors/AES/req/OFBVarKey192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBVarKey256.req" "./testvectors/AES/rsp/OFBVarKey256.rsp" || { echo "./testvectors/AES/req/OFBVarKey256.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBVarTxt128.req" "./testvectors/AES/rsp/OFBVarTxt128.rsp" || { echo "./testvectors/AES/req/OFBVarTxt128.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBVarTxt192.req" "./testvectors/AES/rsp/OFBVarTxt192.rsp" || { echo "./testvectors/AES/req/OFBVarTxt192.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_aesavs -f "./testvectors/AES/req/OFBVarTxt256.req" "./testvectors/AES/rsp/OFBVarTxt256.rsp" || { echo "./testvectors/AES/req/OFBVarTxt256.req failure" ; exit 1 -} - -echo Running tests in "./testvectors/DSA/req" -rm -rf "./testvectors/DSA/rsp" -mkdir "./testvectors/DSA/rsp" - -../util/shlib_wrap.sh ../test/fips_dssvs keypair < "./testvectors/DSA/req/KeyPair.req" > "./testvectors/DSA/rsp/KeyPair.rsp" || { echo "./testvectors/DSA/req/KeyPair.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_dssvs pqg < "./testvectors/DSA/req/PQGGen.req" > "./testvectors/DSA/rsp/PQGGen.rsp" || { echo "./testvectors/DSA/req/PQGGen.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_dssvs siggen < "./testvectors/DSA/req/SigGen.req" > "./testvectors/DSA/rsp/SigGen.rsp" || { echo "./testvectors/DSA/req/SigGen.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_dssvs sigver < "./testvectors/DSA/req/SigVer.req" > "./testvectors/DSA/rsp/SigVer.rsp" || { echo "./testvectors/DSA/req/SigVer.req failure" ; exit 1; } - -echo Running tests in "./testvectors/HMAC/req" -rm -rf "./testvectors/HMAC/rsp" -mkdir "./testvectors/HMAC/rsp" - -../util/shlib_wrap.sh ../test/fips_hmactest < "./testvectors/HMAC/req/HMAC.req" > "./testvectors/HMAC/rsp/HMAC.rsp" || { echo "./testvectors/HMAC/req/HMAC.req failure" ; exit 1; } - -echo Running tests in "./testvectors/RNG/req" -rm -rf "./testvectors/RNG/rsp" -mkdir "./testvectors/RNG/rsp" - -../util/shlib_wrap.sh ../test/fips_rngvs mct < "./testvectors/RNG/req/ANSI931_AES128MCT.req" > "./testvectors/RNG/rsp/ANSI931_AES128MCT.rsp" || { echo "./testvectors/RNG/req/ANSI931_AES128MCT.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rngvs vst < "./testvectors/RNG/req/ANSI931_AES128VST.req" > "./testvectors/RNG/rsp/ANSI931_AES128VST.rsp" || { echo "./testvectors/RNG/req/ANSI931_AES128VST.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rngvs mct < "./testvectors/RNG/req/ANSI931_AES192MCT.req" > "./testvectors/RNG/rsp/ANSI931_AES192MCT.rsp" || { echo "./testvectors/RNG/req/ANSI931_AES192MCT.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rngvs vst < "./testvectors/RNG/req/ANSI931_AES192VST.req" > "./testvectors/RNG/rsp/ANSI931_AES192VST.rsp" || { echo "./testvectors/RNG/req/ANSI931_AES192VST.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rngvs mct < "./testvectors/RNG/req/ANSI931_AES256MCT.req" > "./testvectors/RNG/rsp/ANSI931_AES256MCT.rsp" || { echo "./testvectors/RNG/req/ANSI931_AES256MCT.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rngvs vst < "./testvectors/RNG/req/ANSI931_AES256VST.req" > "./testvectors/RNG/rsp/ANSI931_AES256VST.rsp" || { echo "./testvectors/RNG/req/ANSI931_AES256VST.req failure" ; exit 1; } - -echo Running tests in "./testvectors/RSA/req" -rm -rf "./testvectors/RSA/rsp" -mkdir "./testvectors/RSA/rsp" - -../util/shlib_wrap.sh ../test/fips_rsagtest < "./testvectors/RSA/req/KeyGenRSA.req" > "./testvectors/RSA/rsp/KeyGenRSA.rsp" || { echo "./testvectors/RSA/req/KeyGenRSA.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rsastest < "./testvectors/RSA/req/SigGen15.req" > "./testvectors/RSA/rsp/SigGen15.rsp" || { echo "./testvectors/RSA/req/SigGen15.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rsastest -saltlen 0 < "./testvectors/RSA/req/SigGenPSS.req" > "./testvectors/RSA/rsp/SigGenPSS.rsp" || { echo "./testvectors/RSA/req/SigGenPSS.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rsastest -x931 < "./testvectors/RSA/req/SigGenRSA.req" > "./testvectors/RSA/rsp/SigGenRSA.rsp" || { echo "./testvectors/RSA/req/SigGenRSA.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rsavtest < "./testvectors/RSA/req/SigVer15.req" > "./testvectors/RSA/rsp/SigVer15.rsp" || { echo "./testvectors/RSA/req/SigVer15.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rsavtest -saltlen 0 < "./testvectors/RSA/req/SigVerPSS.req" > "./testvectors/RSA/rsp/SigVerPSS.rsp" || { echo "./testvectors/RSA/req/SigVerPSS.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_rsavtest -x931 < "./testvectors/RSA/req/SigVerRSA.req" > "./testvectors/RSA/rsp/SigVerRSA.rsp" || { echo "./testvectors/RSA/req/SigVerRSA.req failure" ; exit 1; } - -echo Running tests in "./testvectors/SHA/req" -rm -rf "./testvectors/SHA/rsp" -mkdir "./testvectors/SHA/rsp" - -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA1LongMsg.req" > "./testvectors/SHA/rsp/SHA1LongMsg.rsp" || { echo "./testvectors/SHA/req/SHA1LongMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA1Monte.req" > "./testvectors/SHA/rsp/SHA1Monte.rsp" || { echo "./testvectors/SHA/req/SHA1Monte.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA1ShortMsg.req" > "./testvectors/SHA/rsp/SHA1ShortMsg.rsp" || { echo "./testvectors/SHA/req/SHA1ShortMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA224LongMsg.req" > "./testvectors/SHA/rsp/SHA224LongMsg.rsp" || { echo "./testvectors/SHA/req/SHA224LongMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA224Monte.req" > "./testvectors/SHA/rsp/SHA224Monte.rsp" || { echo "./testvectors/SHA/req/SHA224Monte.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA224ShortMsg.req" > "./testvectors/SHA/rsp/SHA224ShortMsg.rsp" || { echo "./testvectors/SHA/req/SHA224ShortMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA256LongMsg.req" > "./testvectors/SHA/rsp/SHA256LongMsg.rsp" || { echo "./testvectors/SHA/req/SHA256LongMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA256Monte.req" > "./testvectors/SHA/rsp/SHA256Monte.rsp" || { echo "./testvectors/SHA/req/SHA256Monte.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA256ShortMsg.req" > "./testvectors/SHA/rsp/SHA256ShortMsg.rsp" || { echo "./testvectors/SHA/req/SHA256ShortMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA384LongMsg.req" > "./testvectors/SHA/rsp/SHA384LongMsg.rsp" || { echo "./testvectors/SHA/req/SHA384LongMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA384Monte.req" > "./testvectors/SHA/rsp/SHA384Monte.rsp" || { echo "./testvectors/SHA/req/SHA384Monte.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA384ShortMsg.req" > "./testvectors/SHA/rsp/SHA384ShortMsg.rsp" || { echo "./testvectors/SHA/req/SHA384ShortMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA512LongMsg.req" > "./testvectors/SHA/rsp/SHA512LongMsg.rsp" || { echo "./testvectors/SHA/req/SHA512LongMsg.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA512Monte.req" > "./testvectors/SHA/rsp/SHA512Monte.rsp" || { echo "./testvectors/SHA/req/SHA512Monte.req failure" ; exit 1; } -../util/shlib_wrap.sh ../test/fips_shatest < "./testvectors/SHA/req/SHA512ShortMsg.req" > "./testvectors/SHA/rsp/SHA512ShortMsg.rsp" || { echo "./testvectors/SHA/req/SHA512ShortMsg.req failure" ; exit 1; } - -echo Running tests in "./testvectors/TDES/req" -rm -rf "./testvectors/TDES/rsp" -mkdir "./testvectors/TDES/rsp" - -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCinvperm.req" "./testvectors/TDES/rsp/TCBCinvperm.rsp" || { echo "./testvectors/TDES/req/TCBCinvperm.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCMMT1.req" "./testvectors/TDES/rsp/TCBCMMT1.rsp" || { echo "./testvectors/TDES/req/TCBCMMT1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCMMT2.req" "./testvectors/TDES/rsp/TCBCMMT2.rsp" || { echo "./testvectors/TDES/req/TCBCMMT2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCMMT3.req" "./testvectors/TDES/rsp/TCBCMMT3.rsp" || { echo "./testvectors/TDES/req/TCBCMMT3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCMonte1.req" "./testvectors/TDES/rsp/TCBCMonte1.rsp" || { echo "./testvectors/TDES/req/TCBCMonte1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCMonte2.req" "./testvectors/TDES/rsp/TCBCMonte2.rsp" || { echo "./testvectors/TDES/req/TCBCMonte2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCMonte3.req" "./testvectors/TDES/rsp/TCBCMonte3.rsp" || { echo "./testvectors/TDES/req/TCBCMonte3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCpermop.req" "./testvectors/TDES/rsp/TCBCpermop.rsp" || { echo "./testvectors/TDES/req/TCBCpermop.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCsubtab.req" "./testvectors/TDES/rsp/TCBCsubtab.rsp" || { echo "./testvectors/TDES/req/TCBCsubtab.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCvarkey.req" "./testvectors/TDES/rsp/TCBCvarkey.rsp" || { echo "./testvectors/TDES/req/TCBCvarkey.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCBCvartext.req" "./testvectors/TDES/rsp/TCBCvartext.rsp" || { echo "./testvectors/TDES/req/TCBCvartext.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64invperm.req" "./testvectors/TDES/rsp/TCFB64invperm.rsp" || { echo "./testvectors/TDES/req/TCFB64invperm.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64MMT1.req" "./testvectors/TDES/rsp/TCFB64MMT1.rsp" || { echo "./testvectors/TDES/req/TCFB64MMT1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64MMT2.req" "./testvectors/TDES/rsp/TCFB64MMT2.rsp" || { echo "./testvectors/TDES/req/TCFB64MMT2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64MMT3.req" "./testvectors/TDES/rsp/TCFB64MMT3.rsp" || { echo "./testvectors/TDES/req/TCFB64MMT3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64Monte1.req" "./testvectors/TDES/rsp/TCFB64Monte1.rsp" || { echo "./testvectors/TDES/req/TCFB64Monte1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64Monte2.req" "./testvectors/TDES/rsp/TCFB64Monte2.rsp" || { echo "./testvectors/TDES/req/TCFB64Monte2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64Monte3.req" "./testvectors/TDES/rsp/TCFB64Monte3.rsp" || { echo "./testvectors/TDES/req/TCFB64Monte3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64permop.req" "./testvectors/TDES/rsp/TCFB64permop.rsp" || { echo "./testvectors/TDES/req/TCFB64permop.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64subtab.req" "./testvectors/TDES/rsp/TCFB64subtab.rsp" || { echo "./testvectors/TDES/req/TCFB64subtab.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64varkey.req" "./testvectors/TDES/rsp/TCFB64varkey.rsp" || { echo "./testvectors/TDES/req/TCFB64varkey.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB64vartext.req" "./testvectors/TDES/rsp/TCFB64vartext.rsp" || { echo "./testvectors/TDES/req/TCFB64vartext.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8invperm.req" "./testvectors/TDES/rsp/TCFB8invperm.rsp" || { echo "./testvectors/TDES/req/TCFB8invperm.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8MMT1.req" "./testvectors/TDES/rsp/TCFB8MMT1.rsp" || { echo "./testvectors/TDES/req/TCFB8MMT1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8MMT2.req" "./testvectors/TDES/rsp/TCFB8MMT2.rsp" || { echo "./testvectors/TDES/req/TCFB8MMT2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8MMT3.req" "./testvectors/TDES/rsp/TCFB8MMT3.rsp" || { echo "./testvectors/TDES/req/TCFB8MMT3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8Monte1.req" "./testvectors/TDES/rsp/TCFB8Monte1.rsp" || { echo "./testvectors/TDES/req/TCFB8Monte1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8Monte2.req" "./testvectors/TDES/rsp/TCFB8Monte2.rsp" || { echo "./testvectors/TDES/req/TCFB8Monte2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8Monte3.req" "./testvectors/TDES/rsp/TCFB8Monte3.rsp" || { echo "./testvectors/TDES/req/TCFB8Monte3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8permop.req" "./testvectors/TDES/rsp/TCFB8permop.rsp" || { echo "./testvectors/TDES/req/TCFB8permop.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8subtab.req" "./testvectors/TDES/rsp/TCFB8subtab.rsp" || { echo "./testvectors/TDES/req/TCFB8subtab.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8varkey.req" "./testvectors/TDES/rsp/TCFB8varkey.rsp" || { echo "./testvectors/TDES/req/TCFB8varkey.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TCFB8vartext.req" "./testvectors/TDES/rsp/TCFB8vartext.rsp" || { echo "./testvectors/TDES/req/TCFB8vartext.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBinvperm.req" "./testvectors/TDES/rsp/TECBinvperm.rsp" || { echo "./testvectors/TDES/req/TECBinvperm.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBMMT1.req" "./testvectors/TDES/rsp/TECBMMT1.rsp" || { echo "./testvectors/TDES/req/TECBMMT1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBMMT2.req" "./testvectors/TDES/rsp/TECBMMT2.rsp" || { echo "./testvectors/TDES/req/TECBMMT2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBMMT3.req" "./testvectors/TDES/rsp/TECBMMT3.rsp" || { echo "./testvectors/TDES/req/TECBMMT3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBMonte1.req" "./testvectors/TDES/rsp/TECBMonte1.rsp" || { echo "./testvectors/TDES/req/TECBMonte1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBMonte2.req" "./testvectors/TDES/rsp/TECBMonte2.rsp" || { echo "./testvectors/TDES/req/TECBMonte2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBMonte3.req" "./testvectors/TDES/rsp/TECBMonte3.rsp" || { echo "./testvectors/TDES/req/TECBMonte3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBpermop.req" "./testvectors/TDES/rsp/TECBpermop.rsp" || { echo "./testvectors/TDES/req/TECBpermop.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBsubtab.req" "./testvectors/TDES/rsp/TECBsubtab.rsp" || { echo "./testvectors/TDES/req/TECBsubtab.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBvarkey.req" "./testvectors/TDES/rsp/TECBvarkey.rsp" || { echo "./testvectors/TDES/req/TECBvarkey.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TECBvartext.req" "./testvectors/TDES/rsp/TECBvartext.rsp" || { echo "./testvectors/TDES/req/TECBvartext.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBinvperm.req" "./testvectors/TDES/rsp/TOFBinvperm.rsp" || { echo "./testvectors/TDES/req/TOFBinvperm.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBMMT1.req" "./testvectors/TDES/rsp/TOFBMMT1.rsp" || { echo "./testvectors/TDES/req/TOFBMMT1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBMMT2.req" "./testvectors/TDES/rsp/TOFBMMT2.rsp" || { echo "./testvectors/TDES/req/TOFBMMT2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBMMT3.req" "./testvectors/TDES/rsp/TOFBMMT3.rsp" || { echo "./testvectors/TDES/req/TOFBMMT3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBMonte1.req" "./testvectors/TDES/rsp/TOFBMonte1.rsp" || { echo "./testvectors/TDES/req/TOFBMonte1.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBMonte2.req" "./testvectors/TDES/rsp/TOFBMonte2.rsp" || { echo "./testvectors/TDES/req/TOFBMonte2.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBMonte3.req" "./testvectors/TDES/rsp/TOFBMonte3.rsp" || { echo "./testvectors/TDES/req/TOFBMonte3.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBpermop.req" "./testvectors/TDES/rsp/TOFBpermop.rsp" || { echo "./testvectors/TDES/req/TOFBpermop.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBsubtab.req" "./testvectors/TDES/rsp/TOFBsubtab.rsp" || { echo "./testvectors/TDES/req/TOFBsubtab.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBvarkey.req" "./testvectors/TDES/rsp/TOFBvarkey.rsp" || { echo "./testvectors/TDES/req/TOFBvarkey.req failure" ; exit 1 -} -../util/shlib_wrap.sh ../test/fips_desmovs -f "./testvectors/TDES/req/TOFBvartext.req" "./testvectors/TDES/rsp/TOFBvartext.rsp" || { echo "./testvectors/TDES/req/TOFBvartext.req failure" ; exit 1 -} diff --git a/crypto/openssl/fips/hmac/Makefile b/crypto/openssl/fips/hmac/Makefile deleted file mode 100644 index be230ad..0000000 --- a/crypto/openssl/fips/hmac/Makefile +++ /dev/null @@ -1,123 +0,0 @@ -# -# OpenSSL/fips/hmac/Makefile -# - -DIR= hmac -TOP= ../.. -CC= cc -INCLUDES= -CFLAG=-g -INSTALL_PREFIX= -OPENSSLDIR= /usr/local/ssl -INSTALLTOP=/usr/local/ssl -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -AR= ar r - -CFLAGS= $(INCLUDES) $(CFLAG) - -GENERAL=Makefile -TEST=fips_hmactest.c -APPS= - -LIB=$(TOP)/libcrypto.a -LIBSRC=fips_hmac.c fips_hmac_selftest.c -LIBOBJ=fips_hmac.o fips_hmac_selftest.o - -SRC= $(LIBSRC) - -EXHEADER= -HEADER= $(EXHEADER) - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all) - -all: lib - -lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - -links: - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) - -install: - @headerlist="$(EXHEADER)"; for i in $$headerlist; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done - -tags: - ctags $(SRC) - -tests: - -Q=../testvectors/hmac/req -A=../testvectors/hmac/rsp - -fips_test: - -rm -rf $(A) - mkdir $(A) - if [ -f $(Q)/HMAC.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_hmactest < $(Q)/HMAC.req > $(A)/HMAC.rsp; fi - -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - -depend: - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(SRC) $(TEST) - -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - -clean: - rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips_hmac.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_hmac.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -fips_hmac.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h -fips_hmac.o: ../../include/openssl/objects.h -fips_hmac.o: ../../include/openssl/opensslconf.h -fips_hmac.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -fips_hmac.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_hmac.o: ../../include/openssl/symhacks.h fips_hmac.c -fips_hmac_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_hmac_selftest.o: ../../include/openssl/crypto.h -fips_hmac_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_hmac_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_hmac_selftest.o: ../../include/openssl/hmac.h -fips_hmac_selftest.o: ../../include/openssl/lhash.h -fips_hmac_selftest.o: ../../include/openssl/obj_mac.h -fips_hmac_selftest.o: ../../include/openssl/objects.h -fips_hmac_selftest.o: ../../include/openssl/opensslconf.h -fips_hmac_selftest.o: ../../include/openssl/opensslv.h -fips_hmac_selftest.o: ../../include/openssl/ossl_typ.h -fips_hmac_selftest.o: ../../include/openssl/safestack.h -fips_hmac_selftest.o: ../../include/openssl/stack.h -fips_hmac_selftest.o: ../../include/openssl/symhacks.h fips_hmac_selftest.c -fips_hmactest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_hmactest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -fips_hmactest.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h -fips_hmactest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -fips_hmactest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -fips_hmactest.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_hmactest.o: ../../include/openssl/fips.h ../../include/openssl/hmac.h -fips_hmactest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_hmactest.o: ../../include/openssl/objects.h -fips_hmactest.o: ../../include/openssl/opensslconf.h -fips_hmactest.o: ../../include/openssl/opensslv.h -fips_hmactest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -fips_hmactest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -fips_hmactest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_hmactest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -fips_hmactest.o: ../../include/openssl/x509v3.h ../fips_utl.h fips_hmactest.c diff --git a/crypto/openssl/fips/hmac/fips_hmac.c b/crypto/openssl/fips/hmac/fips_hmac.c deleted file mode 100644 index 69a10da..0000000 --- a/crypto/openssl/fips/hmac/fips_hmac.c +++ /dev/null @@ -1,191 +0,0 @@ -/* crypto/hmac/hmac.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <openssl/hmac.h> -#include <openssl/fips.h> - -#ifdef OPENSSL_FIPS - -void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, - const EVP_MD *md, ENGINE *impl) - { - int i,j,reset=0; - unsigned char pad[HMAC_MAX_MD_CBLOCK]; - - if (md != NULL) - { - reset=1; - ctx->md=md; - } - else - md=ctx->md; - - if (key != NULL) - { - if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS) - && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) - || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) - || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))) - OpenSSLDie(__FILE__,__LINE__, - "HMAC: digest not allowed in FIPS mode"); - - reset=1; - j=M_EVP_MD_block_size(md); - OPENSSL_assert(j <= (int)sizeof ctx->key); - if (j < len) - { - EVP_DigestInit_ex(&ctx->md_ctx,md, impl); - EVP_DigestUpdate(&ctx->md_ctx,key,len); - EVP_DigestFinal_ex(&(ctx->md_ctx),ctx->key, - &ctx->key_length); - } - else - { - OPENSSL_assert(len <= (int)sizeof ctx->key); - memcpy(ctx->key,key,len); - ctx->key_length=len; - } - if(ctx->key_length != HMAC_MAX_MD_CBLOCK) - memset(&ctx->key[ctx->key_length], 0, - HMAC_MAX_MD_CBLOCK - ctx->key_length); - } - - if (reset) - { - for (i=0; i<HMAC_MAX_MD_CBLOCK; i++) - pad[i]=0x36^ctx->key[i]; - EVP_DigestInit_ex(&ctx->i_ctx,md, impl); - EVP_DigestUpdate(&ctx->i_ctx,pad,M_EVP_MD_block_size(md)); - - for (i=0; i<HMAC_MAX_MD_CBLOCK; i++) - pad[i]=0x5c^ctx->key[i]; - EVP_DigestInit_ex(&ctx->o_ctx,md, impl); - EVP_DigestUpdate(&ctx->o_ctx,pad,M_EVP_MD_block_size(md)); - } - EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->i_ctx); - } - -void HMAC_Init(HMAC_CTX *ctx, const void *key, int len, - const EVP_MD *md) - { - if(key && md) - HMAC_CTX_init(ctx); - HMAC_Init_ex(ctx,key,len,md, NULL); - } - -void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) - { - EVP_DigestUpdate(&ctx->md_ctx,data,len); - } - -void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) - { - int j; - unsigned int i; - unsigned char buf[EVP_MAX_MD_SIZE]; - - j=M_EVP_MD_block_size(ctx->md); - - EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i); - EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->o_ctx); - EVP_DigestUpdate(&ctx->md_ctx,buf,i); - EVP_DigestFinal_ex(&ctx->md_ctx,md,len); - } - -void HMAC_CTX_init(HMAC_CTX *ctx) - { - EVP_MD_CTX_init(&ctx->i_ctx); - EVP_MD_CTX_init(&ctx->o_ctx); - EVP_MD_CTX_init(&ctx->md_ctx); - } - -void HMAC_CTX_cleanup(HMAC_CTX *ctx) - { - EVP_MD_CTX_cleanup(&ctx->i_ctx); - EVP_MD_CTX_cleanup(&ctx->o_ctx); - EVP_MD_CTX_cleanup(&ctx->md_ctx); - memset(ctx,0,sizeof *ctx); - } - -unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, - const unsigned char *d, size_t n, unsigned char *md, - unsigned int *md_len) - { - HMAC_CTX c; - static unsigned char m[EVP_MAX_MD_SIZE]; - - if (md == NULL) md=m; - HMAC_CTX_init(&c); - HMAC_Init(&c,key,key_len,evp_md); - HMAC_Update(&c,d,n); - HMAC_Final(&c,md,md_len); - HMAC_CTX_cleanup(&c); - return(md); - } - -void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) - { - M_EVP_MD_CTX_set_flags(&ctx->i_ctx, flags); - M_EVP_MD_CTX_set_flags(&ctx->o_ctx, flags); - M_EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); - } - -#endif - diff --git a/crypto/openssl/fips/hmac/fips_hmac_selftest.c b/crypto/openssl/fips/hmac/fips_hmac_selftest.c deleted file mode 100644 index 73455ff..0000000 --- a/crypto/openssl/fips/hmac/fips_hmac_selftest.c +++ /dev/null @@ -1,135 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <string.h> -#include <openssl/err.h> -#include <openssl/fips.h> -#include <openssl/hmac.h> - -#ifdef OPENSSL_FIPS -typedef struct { - const EVP_MD *(*alg)(void); - const char *key, *iv; - unsigned char kaval[EVP_MAX_MD_SIZE]; -} HMAC_KAT; - -static const HMAC_KAT vector[] = { - { EVP_sha1, - /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ - "0123456789:;<=>?@ABC", - "Sample #2", - { 0x09,0x22,0xd3,0x40,0x5f,0xaa,0x3d,0x19, - 0x4f,0x82,0xa4,0x58,0x30,0x73,0x7d,0x5c, - 0xc6,0xc7,0x5d,0x24 } - }, - { EVP_sha224, - /* just keep extending the above... */ - "0123456789:;<=>?@ABC", - "Sample #2", - { 0xdd,0xef,0x0a,0x40,0xcb,0x7d,0x50,0xfb, - 0x6e,0xe6,0xce,0xa1,0x20,0xba,0x26,0xaa, - 0x08,0xf3,0x07,0x75,0x87,0xb8,0xad,0x1b, - 0x8c,0x8d,0x12,0xc7 } - }, - { EVP_sha256, - "0123456789:;<=>?@ABC", - "Sample #2", - { 0xb8,0xf2,0x0d,0xb5,0x41,0xea,0x43,0x09, - 0xca,0x4e,0xa9,0x38,0x0c,0xd0,0xe8,0x34, - 0xf7,0x1f,0xbe,0x91,0x74,0xa2,0x61,0x38, - 0x0d,0xc1,0x7e,0xae,0x6a,0x34,0x51,0xd9 } - }, - { EVP_sha384, - "0123456789:;<=>?@ABC", - "Sample #2", - { 0x08,0xbc,0xb0,0xda,0x49,0x1e,0x87,0xad, - 0x9a,0x1d,0x6a,0xce,0x23,0xc5,0x0b,0xf6, - 0xb7,0x18,0x06,0xa5,0x77,0xcd,0x49,0x04, - 0x89,0xf1,0xe6,0x23,0x44,0x51,0x51,0x9f, - 0x85,0x56,0x80,0x79,0x0c,0xbd,0x4d,0x50, - 0xa4,0x5f,0x29,0xe3,0x93,0xf0,0xe8,0x7f } - }, - { EVP_sha512, - "0123456789:;<=>?@ABC", - "Sample #2", - { 0x80,0x9d,0x44,0x05,0x7c,0x5b,0x95,0x41, - 0x05,0xbd,0x04,0x13,0x16,0xdb,0x0f,0xac, - 0x44,0xd5,0xa4,0xd5,0xd0,0x89,0x2b,0xd0, - 0x4e,0x86,0x64,0x12,0xc0,0x90,0x77,0x68, - 0xf1,0x87,0xb7,0x7c,0x4f,0xae,0x2c,0x2f, - 0x21,0xa5,0xb5,0x65,0x9a,0x4f,0x4b,0xa7, - 0x47,0x02,0xa3,0xde,0x9b,0x51,0xf1,0x45, - 0xbd,0x4f,0x25,0x27,0x42,0x98,0x99,0x05 } - }, -}; - -int FIPS_selftest_hmac() - { - size_t n; - unsigned int outlen; - unsigned char out[EVP_MAX_MD_SIZE]; - const EVP_MD *md; - const HMAC_KAT *t; - - for(n=0,t=vector; n<sizeof(vector)/sizeof(vector[0]); n++,t++) - { - md = (*t->alg)(); - HMAC(md,t->key,strlen(t->key), - (const unsigned char *)t->iv,strlen(t->iv), - out,&outlen); - - if(memcmp(out,t->kaval,outlen)) - { - FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC,FIPS_R_SELFTEST_FAILED); - return 0; - } - } - return 1; - } -#endif diff --git a/crypto/openssl/fips/hmac/fips_hmactest.c b/crypto/openssl/fips/hmac/fips_hmactest.c deleted file mode 100644 index 69ebf68..0000000 --- a/crypto/openssl/fips/hmac/fips_hmactest.c +++ /dev/null @@ -1,328 +0,0 @@ -/* fips_hmactest.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2005. - */ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include <ctype.h> -#include <string.h> -#include <openssl/bio.h> -#include <openssl/evp.h> -#include <openssl/hmac.h> -#include <openssl/err.h> -#include <openssl/bn.h> - -#include <openssl/x509v3.h> - -#ifndef OPENSSL_FIPS - -int main(int argc, char *argv[]) -{ - printf("No FIPS HMAC support\n"); - return(0); -} - -#else - -#include <openssl/fips.h> -#include "fips_utl.h" - -static int hmac_test(const EVP_MD *md, FILE *out, FILE *in); -static int print_hmac(const EVP_MD *md, FILE *out, - unsigned char *Key, int Klen, - unsigned char *Msg, int Msglen, int Tlen); - -int main(int argc, char **argv) - { - FILE *in = NULL, *out = NULL; - - int ret = 1; - - if(!FIPS_mode_set(1)) - { - do_print_errors(); - goto end; - } - - if (argc == 1) - in = stdin; - else - in = fopen(argv[1], "r"); - - if (argc < 2) - out = stdout; - else - out = fopen(argv[2], "w"); - - if (!in) - { - fprintf(stderr, "FATAL input initialization error\n"); - goto end; - } - - if (!out) - { - fprintf(stderr, "FATAL output initialization error\n"); - goto end; - } - - if (!hmac_test(EVP_sha1(), out, in)) - { - fprintf(stderr, "FATAL hmac file processing error\n"); - goto end; - } - else - ret = 0; - - end: - - if (ret) - do_print_errors(); - - if (in && (in != stdin)) - fclose(in); - if (out && (out != stdout)) - fclose(out); - - return ret; - - } - -#define HMAC_TEST_MAXLINELEN 1024 - -int hmac_test(const EVP_MD *md, FILE *out, FILE *in) - { - char *linebuf, *olinebuf, *p, *q; - char *keyword, *value; - unsigned char *Key = NULL, *Msg = NULL; - int Count, Klen, Tlen; - long Keylen, Msglen; - int ret = 0; - int lnum = 0; - - olinebuf = OPENSSL_malloc(HMAC_TEST_MAXLINELEN); - linebuf = OPENSSL_malloc(HMAC_TEST_MAXLINELEN); - - if (!linebuf || !olinebuf) - goto error; - - Count = -1; - Klen = -1; - Tlen = -1; - - while (fgets(olinebuf, HMAC_TEST_MAXLINELEN, in)) - { - lnum++; - strcpy(linebuf, olinebuf); - keyword = linebuf; - /* Skip leading space */ - while (isspace((unsigned char)*keyword)) - keyword++; - - /* Look for = sign */ - p = strchr(linebuf, '='); - - /* If no = or starts with [ (for [L=20] line) just copy */ - if (!p) - { - if (fputs(olinebuf, out) < 0) - goto error; - continue; - } - - q = p - 1; - - /* Remove trailing space */ - while (isspace((unsigned char)*q)) - *q-- = 0; - - *p = 0; - value = p + 1; - - /* Remove leading space from value */ - while (isspace((unsigned char)*value)) - value++; - - /* Remove trailing space from value */ - p = value + strlen(value) - 1; - - while (*p == '\n' || isspace((unsigned char)*p)) - *p-- = 0; - - if (!strcmp(keyword,"[L") && *p==']') - { - switch (atoi(value)) - { - case 20: md=EVP_sha1(); break; - case 28: md=EVP_sha224(); break; - case 32: md=EVP_sha256(); break; - case 48: md=EVP_sha384(); break; - case 64: md=EVP_sha512(); break; - default: goto parse_error; - } - } - else if (!strcmp(keyword, "Count")) - { - if (Count != -1) - goto parse_error; - Count = atoi(value); - if (Count < 0) - goto parse_error; - } - else if (!strcmp(keyword, "Klen")) - { - if (Klen != -1) - goto parse_error; - Klen = atoi(value); - if (Klen < 0) - goto parse_error; - } - else if (!strcmp(keyword, "Tlen")) - { - if (Tlen != -1) - goto parse_error; - Tlen = atoi(value); - if (Tlen < 0) - goto parse_error; - } - else if (!strcmp(keyword, "Msg")) - { - if (Msg) - goto parse_error; - Msg = hex2bin_m(value, &Msglen); - if (!Msg) - goto parse_error; - } - else if (!strcmp(keyword, "Key")) - { - if (Key) - goto parse_error; - Key = hex2bin_m(value, &Keylen); - if (!Key) - goto parse_error; - } - else if (!strcmp(keyword, "Mac")) - continue; - else - goto parse_error; - - fputs(olinebuf, out); - - if (Key && Msg && (Tlen > 0) && (Klen > 0)) - { - if (!print_hmac(md, out, Key, Klen, Msg, Msglen, Tlen)) - goto error; - OPENSSL_free(Key); - Key = NULL; - OPENSSL_free(Msg); - Msg = NULL; - Klen = -1; - Tlen = -1; - Count = -1; - } - - } - - - ret = 1; - - - error: - - if (olinebuf) - OPENSSL_free(olinebuf); - if (linebuf) - OPENSSL_free(linebuf); - if (Key) - OPENSSL_free(Key); - if (Msg) - OPENSSL_free(Msg); - - return ret; - - parse_error: - - fprintf(stderr, "FATAL parse error processing line %d\n", lnum); - - goto error; - - } - -static int print_hmac(const EVP_MD *emd, FILE *out, - unsigned char *Key, int Klen, - unsigned char *Msg, int Msglen, int Tlen) - { - int i, mdlen; - unsigned char md[EVP_MAX_MD_SIZE]; - if (!HMAC(emd, Key, Klen, Msg, Msglen, md, - (unsigned int *)&mdlen)) - { - fputs("Error calculating HMAC\n", stderr); - return 0; - } - if (Tlen > mdlen) - { - fputs("Parameter error, Tlen > HMAC length\n", stderr); - return 0; - } - fputs("Mac = ", out); - for (i = 0; i < Tlen; i++) - fprintf(out, "%02x", md[i]); - fputs("\n", out); - return 1; - } - -#endif diff --git a/crypto/openssl/fips/mkfipsscr.pl b/crypto/openssl/fips/mkfipsscr.pl deleted file mode 100755 index 361641d..0000000 --- a/crypto/openssl/fips/mkfipsscr.pl +++ /dev/null @@ -1,657 +0,0 @@ -#!/usr/local/bin/perl -w -# Quick & dirty utility to generate a script for executing the -# FIPS 140-2 CMVP algorithm tests based on the pathnames of -# input algorithm test files actually present (the unqualified -# file names are consistent but the pathnames are not). -# - -# List of all the unqualified file names we expect. -my %fips_tests = ( - -# FIPS test definitions - -# DSA tests - -"PQGGen" => "fips_dssvs pqg", -"KeyPair" => "fips_dssvs keypair", -"SigGen" => "fips_dssvs siggen", -"SigVer" => "fips_dssvs sigver", - -# SHA tests - -"SHA1LongMsg" => "fips_shatest", -"SHA1Monte" => "fips_shatest", -"SHA1ShortMsg" => "fips_shatest", -"SHA224LongMsg" => "fips_shatest", -"SHA224Monte" => "fips_shatest", -"SHA224ShortMsg" => "fips_shatest", -"SHA256LongMsg" => "fips_shatest", -"SHA256Monte" => "fips_shatest", -"SHA256ShortMsg" => "fips_shatest", -"SHA384LongMsg" => "fips_shatest", -"SHA384Monte" => "fips_shatest", -"SHA384ShortMsg" => "fips_shatest", -"SHA512LongMsg" => "fips_shatest", -"SHA512Monte" => "fips_shatest", -"SHA512ShortMsg" => "fips_shatest", - -# HMAC - -"HMAC" => "fips_hmactest", - -# RAND tests - -"ANSI931_AES128MCT" => "fips_rngvs mct", -"ANSI931_AES192MCT" => "fips_rngvs mct", -"ANSI931_AES256MCT" => "fips_rngvs mct", -"ANSI931_AES128VST" => "fips_rngvs vst", -"ANSI931_AES192VST" => "fips_rngvs vst", -"ANSI931_AES256VST" => "fips_rngvs vst", - -# RSA tests - -"SigGen15" => "fips_rsastest", -"SigVer15" => "fips_rsavtest", -"SigGenPSS" => "fips_rsastest -saltlen SALT", -"SigVerPSS" => "fips_rsavtest -saltlen SALT", -"SigGenRSA" => "fips_rsastest -x931", -"SigVerRSA" => "fips_rsavtest -x931", -"KeyGenRSA" => "fips_rsagtest", - -# AES tests - -"CBCGFSbox128" => "fips_aesavs -f", -"CBCGFSbox192" => "fips_aesavs -f", -"CBCGFSbox256" => "fips_aesavs -f", -"CBCKeySbox128" => "fips_aesavs -f", -"CBCKeySbox192" => "fips_aesavs -f", -"CBCKeySbox256" => "fips_aesavs -f", -"CBCMCT128" => "fips_aesavs -f", -"CBCMCT192" => "fips_aesavs -f", -"CBCMCT256" => "fips_aesavs -f", -"CBCMMT128" => "fips_aesavs -f", -"CBCMMT192" => "fips_aesavs -f", -"CBCMMT256" => "fips_aesavs -f", -"CBCVarKey128" => "fips_aesavs -f", -"CBCVarKey192" => "fips_aesavs -f", -"CBCVarKey256" => "fips_aesavs -f", -"CBCVarTxt128" => "fips_aesavs -f", -"CBCVarTxt192" => "fips_aesavs -f", -"CBCVarTxt256" => "fips_aesavs -f", -"CFB128GFSbox128" => "fips_aesavs -f", -"CFB128GFSbox192" => "fips_aesavs -f", -"CFB128GFSbox256" => "fips_aesavs -f", -"CFB128KeySbox128" => "fips_aesavs -f", -"CFB128KeySbox192" => "fips_aesavs -f", -"CFB128KeySbox256" => "fips_aesavs -f", -"CFB128MCT128" => "fips_aesavs -f", -"CFB128MCT192" => "fips_aesavs -f", -"CFB128MCT256" => "fips_aesavs -f", -"CFB128MMT128" => "fips_aesavs -f", -"CFB128MMT192" => "fips_aesavs -f", -"CFB128MMT256" => "fips_aesavs -f", -"CFB128VarKey128" => "fips_aesavs -f", -"CFB128VarKey192" => "fips_aesavs -f", -"CFB128VarKey256" => "fips_aesavs -f", -"CFB128VarTxt128" => "fips_aesavs -f", -"CFB128VarTxt192" => "fips_aesavs -f", -"CFB128VarTxt256" => "fips_aesavs -f", -"CFB8GFSbox128" => "fips_aesavs -f", -"CFB8GFSbox192" => "fips_aesavs -f", -"CFB8GFSbox256" => "fips_aesavs -f", -"CFB8KeySbox128" => "fips_aesavs -f", -"CFB8KeySbox192" => "fips_aesavs -f", -"CFB8KeySbox256" => "fips_aesavs -f", -"CFB8MCT128" => "fips_aesavs -f", -"CFB8MCT192" => "fips_aesavs -f", -"CFB8MCT256" => "fips_aesavs -f", -"CFB8MMT128" => "fips_aesavs -f", -"CFB8MMT192" => "fips_aesavs -f", -"CFB8MMT256" => "fips_aesavs -f", -"CFB8VarKey128" => "fips_aesavs -f", -"CFB8VarKey192" => "fips_aesavs -f", -"CFB8VarKey256" => "fips_aesavs -f", -"CFB8VarTxt128" => "fips_aesavs -f", -"CFB8VarTxt192" => "fips_aesavs -f", -"CFB8VarTxt256" => "fips_aesavs -f", -#"CFB1GFSbox128" => "fips_aesavs -f", -#"CFB1GFSbox192" => "fips_aesavs -f", -#"CFB1GFSbox256" => "fips_aesavs -f", -#"CFB1KeySbox128" => "fips_aesavs -f", -#"CFB1KeySbox192" => "fips_aesavs -f", -#"CFB1KeySbox256" => "fips_aesavs -f", -#"CFB1MCT128" => "fips_aesavs -f", -#"CFB1MCT192" => "fips_aesavs -f", -#"CFB1MCT256" => "fips_aesavs -f", -#"CFB1MMT128" => "fips_aesavs -f", -#"CFB1MMT192" => "fips_aesavs -f", -#"CFB1MMT256" => "fips_aesavs -f", -#"CFB1VarKey128" => "fips_aesavs -f", -#"CFB1VarKey192" => "fips_aesavs -f", -#"CFB1VarKey256" => "fips_aesavs -f", -#"CFB1VarTxt128" => "fips_aesavs -f", -#"CFB1VarTxt192" => "fips_aesavs -f", -#"CFB1VarTxt256" => "fips_aesavs -f", -"ECBGFSbox128" => "fips_aesavs -f", -"ECBGFSbox192" => "fips_aesavs -f", -"ECBGFSbox256" => "fips_aesavs -f", -"ECBKeySbox128" => "fips_aesavs -f", -"ECBKeySbox192" => "fips_aesavs -f", -"ECBKeySbox256" => "fips_aesavs -f", -"ECBMCT128" => "fips_aesavs -f", -"ECBMCT192" => "fips_aesavs -f", -"ECBMCT256" => "fips_aesavs -f", -"ECBMMT128" => "fips_aesavs -f", -"ECBMMT192" => "fips_aesavs -f", -"ECBMMT256" => "fips_aesavs -f", -"ECBVarKey128" => "fips_aesavs -f", -"ECBVarKey192" => "fips_aesavs -f", -"ECBVarKey256" => "fips_aesavs -f", -"ECBVarTxt128" => "fips_aesavs -f", -"ECBVarTxt192" => "fips_aesavs -f", -"ECBVarTxt256" => "fips_aesavs -f", -"OFBGFSbox128" => "fips_aesavs -f", -"OFBGFSbox192" => "fips_aesavs -f", -"OFBGFSbox256" => "fips_aesavs -f", -"OFBKeySbox128" => "fips_aesavs -f", -"OFBKeySbox192" => "fips_aesavs -f", -"OFBKeySbox256" => "fips_aesavs -f", -"OFBMCT128" => "fips_aesavs -f", -"OFBMCT192" => "fips_aesavs -f", -"OFBMCT256" => "fips_aesavs -f", -"OFBMMT128" => "fips_aesavs -f", -"OFBMMT192" => "fips_aesavs -f", -"OFBMMT256" => "fips_aesavs -f", -"OFBVarKey128" => "fips_aesavs -f", -"OFBVarKey192" => "fips_aesavs -f", -"OFBVarKey256" => "fips_aesavs -f", -"OFBVarTxt128" => "fips_aesavs -f", -"OFBVarTxt192" => "fips_aesavs -f", -"OFBVarTxt256" => "fips_aesavs -f", - -# Triple DES tests - -"TCBCinvperm" => "fips_desmovs -f", -"TCBCMMT1" => "fips_desmovs -f", -"TCBCMMT2" => "fips_desmovs -f", -"TCBCMMT3" => "fips_desmovs -f", -"TCBCMonte1" => "fips_desmovs -f", -"TCBCMonte2" => "fips_desmovs -f", -"TCBCMonte3" => "fips_desmovs -f", -"TCBCpermop" => "fips_desmovs -f", -"TCBCsubtab" => "fips_desmovs -f", -"TCBCvarkey" => "fips_desmovs -f", -"TCBCvartext" => "fips_desmovs -f", -"TCFB64invperm" => "fips_desmovs -f", -"TCFB64MMT1" => "fips_desmovs -f", -"TCFB64MMT2" => "fips_desmovs -f", -"TCFB64MMT3" => "fips_desmovs -f", -"TCFB64Monte1" => "fips_desmovs -f", -"TCFB64Monte2" => "fips_desmovs -f", -"TCFB64Monte3" => "fips_desmovs -f", -"TCFB64permop" => "fips_desmovs -f", -"TCFB64subtab" => "fips_desmovs -f", -"TCFB64varkey" => "fips_desmovs -f", -"TCFB64vartext" => "fips_desmovs -f", -"TCFB8invperm" => "fips_desmovs -f", -"TCFB8MMT1" => "fips_desmovs -f", -"TCFB8MMT2" => "fips_desmovs -f", -"TCFB8MMT3" => "fips_desmovs -f", -"TCFB8Monte1" => "fips_desmovs -f", -"TCFB8Monte2" => "fips_desmovs -f", -"TCFB8Monte3" => "fips_desmovs -f", -"TCFB8permop" => "fips_desmovs -f", -"TCFB8subtab" => "fips_desmovs -f", -"TCFB8varkey" => "fips_desmovs -f", -"TCFB8vartext" => "fips_desmovs -f", -"TECBinvperm" => "fips_desmovs -f", -"TECBMMT1" => "fips_desmovs -f", -"TECBMMT2" => "fips_desmovs -f", -"TECBMMT3" => "fips_desmovs -f", -"TECBMonte1" => "fips_desmovs -f", -"TECBMonte2" => "fips_desmovs -f", -"TECBMonte3" => "fips_desmovs -f", -"TECBpermop" => "fips_desmovs -f", -"TECBsubtab" => "fips_desmovs -f", -"TECBvarkey" => "fips_desmovs -f", -"TECBvartext" => "fips_desmovs -f", -"TOFBinvperm" => "fips_desmovs -f", -"TOFBMMT1" => "fips_desmovs -f", -"TOFBMMT2" => "fips_desmovs -f", -"TOFBMMT3" => "fips_desmovs -f", -"TOFBMonte1" => "fips_desmovs -f", -"TOFBMonte2" => "fips_desmovs -f", -"TOFBMonte3" => "fips_desmovs -f", -"TOFBpermop" => "fips_desmovs -f", -"TOFBsubtab" => "fips_desmovs -f", -"TOFBvarkey" => "fips_desmovs -f", -"TOFBvartext" => "fips_desmovs -f", -"TCBCinvperm" => "fips_desmovs -f", -"TCBCMMT1" => "fips_desmovs -f", -"TCBCMMT2" => "fips_desmovs -f", -"TCBCMMT3" => "fips_desmovs -f", -"TCBCMonte1" => "fips_desmovs -f", -"TCBCMonte2" => "fips_desmovs -f", -"TCBCMonte3" => "fips_desmovs -f", -"TCBCpermop" => "fips_desmovs -f", -"TCBCsubtab" => "fips_desmovs -f", -"TCBCvarkey" => "fips_desmovs -f", -"TCBCvartext" => "fips_desmovs -f", -"TCFB64invperm" => "fips_desmovs -f", -"TCFB64MMT1" => "fips_desmovs -f", -"TCFB64MMT2" => "fips_desmovs -f", -"TCFB64MMT3" => "fips_desmovs -f", -"TCFB64Monte1" => "fips_desmovs -f", -"TCFB64Monte2" => "fips_desmovs -f", -"TCFB64Monte3" => "fips_desmovs -f", -"TCFB64permop" => "fips_desmovs -f", -"TCFB64subtab" => "fips_desmovs -f", -"TCFB64varkey" => "fips_desmovs -f", -"TCFB64vartext" => "fips_desmovs -f", -"TCFB8invperm" => "fips_desmovs -f", -"TCFB8MMT1" => "fips_desmovs -f", -"TCFB8MMT2" => "fips_desmovs -f", -"TCFB8MMT3" => "fips_desmovs -f", -"TCFB8Monte1" => "fips_desmovs -f", -"TCFB8Monte2" => "fips_desmovs -f", -"TCFB8Monte3" => "fips_desmovs -f", -"TCFB8permop" => "fips_desmovs -f", -"TCFB8subtab" => "fips_desmovs -f", -"TCFB8varkey" => "fips_desmovs -f", -"TCFB8vartext" => "fips_desmovs -f", -"TECBinvperm" => "fips_desmovs -f", -"TECBMMT1" => "fips_desmovs -f", -"TECBMMT2" => "fips_desmovs -f", -"TECBMMT3" => "fips_desmovs -f", -"TECBMonte1" => "fips_desmovs -f", -"TECBMonte2" => "fips_desmovs -f", -"TECBMonte3" => "fips_desmovs -f", -"TECBpermop" => "fips_desmovs -f", -"TECBsubtab" => "fips_desmovs -f", -"TECBvarkey" => "fips_desmovs -f", -"TECBvartext" => "fips_desmovs -f", -"TOFBinvperm" => "fips_desmovs -f", -"TOFBMMT1" => "fips_desmovs -f", -"TOFBMMT2" => "fips_desmovs -f", -"TOFBMMT3" => "fips_desmovs -f", -"TOFBMonte1" => "fips_desmovs -f", -"TOFBMonte2" => "fips_desmovs -f", -"TOFBMonte3" => "fips_desmovs -f", -"TOFBpermop" => "fips_desmovs -f", -"TOFBsubtab" => "fips_desmovs -f", -"TOFBvarkey" => "fips_desmovs -f", -"TOFBvartext" => "fips_desmovs -f" - -); -my %salt_names = ( -"SigVerPSS (salt 0)" => "SigVerPSS", -"SigVerPSS (salt 62)" => "SigVerPSS", -"SigGenPSS (salt 0)" => "SigGenPSS", -"SigGenPSS (salt 62)" => "SigGenPSS", -); - - -my $win32 = $^O =~ m/mswin/i; -my $onedir = 0; -my $filter = ""; -my $tvdir; -my $tprefix; -my $shwrap_prefix; -my $shwrap; -my $rmcmd = "rm -rf"; -my $mkcmd = "mkdir"; -my $debug = 0; -my $quiet = 0; -my $rspdir = "rsp"; -my $rspignore = 0; -my @bogus = (); # list of unmatched *.rsp files -my $bufout = ''; -my $bufdir = ''; -my %_programs = (); # list of external programs to check - -foreach (@ARGV) - { - if ($_ eq "--win32") - { - $win32 = 1; - } - elsif ($_ eq "--onedir") - { - $onedir = 1; - } - elsif ($_ eq "--debug") - { - $debug = 1; - } - elsif ($_ eq "--quiet") - { - $quiet = 1; - } - elsif (/--dir=(.*)$/) - { - $tvdir = $1; - } - elsif (/--rspdir=(.*)$/) - { - $rspdir = $1; - } - elsif (/--noshwrap$/) - { - $shwrap = ""; - } - elsif (/--rspignore$/) - { - $rspignore = 1; - } - elsif (/--tprefix=(.*)$/) - { - $tprefix = $1; - } - elsif (/--shwrap_prefix=(.*)$/) - { - $shwrap_prefix = $1; - } - elsif (/--filter=(.*)$/) - { - $filter = $1; - } - elsif (/--mkdir=(.*)$/) - { - $mkcmd = $1; - } - elsif (/--rm=(.*)$/) - { - $rmcmd = $1; - } - elsif (/--outfile=(.*)$/) - { - $outfile = $1; - } - else - { - &Help(); - exit(1); - } - } - -$tvdir = "." unless defined $tvdir; - -if ($win32) - { - if (!defined $tprefix) - { - if ($onedir) - { - $tprefix = ".\\"; - } - else - { - $tprefix = "..\\out32dll\\"; - } - } - - $bufinit .= <<END; -\@echo off -rem Test vector run script -rem Auto generated by mkfipsscr.pl script -rem Do not edit - -END - - } -else - { - if ($onedir) - { - $tprefix = "./" unless defined $tprefix; - $shwrap_prefix = "./" unless defined $shwrap_prefix; - } - else - { - $tprefix = "../test/" unless defined $tprefix; - $shwrap_prefix = "../util/" unless defined $shwrap_prefix; - } - - $shwrap = "${shwrap_prefix}shlib_wrap.sh " unless defined $shwrap; - - $bufinit .= <<END; -#!/bin/sh - -# Test vector run script -# Auto generated by mkfipsscr.pl script -# Do not edit - -RM="$rmcmd" -MKDIR="$mkcmd" -TPREFIX=$tprefix -END - - } -my %fips_found; -foreach (keys %fips_tests) - { - $fips_found{$_} = 0; - } -my %saltPSS; -for (keys %salt_names) - { - $salt_found{$_} = 0; - } - -recurse_test($win32, $tprefix, $filter, $tvdir); - -while (($key, $value) = each %salt_found) - { - &countentry($key, $value); - delete $fips_found{$salt_names{$key}}; - } -while (($key, $value) = each %fips_found) - { - &countentry($key, $value); - } - -# If no fatal errors write out the script file - $outfile = "fipstests.sh" unless defined $outfile; - open(OUT, ">$outfile") || die "Error opening $outfile: $!"; - print OUT $bufinit; - if (!$rspignore && @bogus) - { - print STDERR "ERROR: please remove bogus *.rsp files\n"; - print OUT <<EOF; -echo $outfile generation failed due to presence of bogus *.rsp files -EOF - } - else - { - print OUT $bufout; - } - close OUT; - -# Check for external programs - for (keys %_programs) - { - s/ .*$//; - -x $_ || print STDERR "WARNING: program $_ not found\n"; - } - -#-------------------------------- -sub Help { -(my $cmd) = ($0 =~ m#([^/]+)$#); - print <<EOF; -$cmd: generate script for CMVP algorithm tests - --debug Enable debug output - --dir=<dirname> Optional root for *.req file search - --filter=<regexp> - --onedir <dirname> Assume all components in current directory - --outfile=<filename> Optional name of output script, default fipstests.{sh|bat} - --rspdir=<dirname> Name of subdirectories containing *.rsp files, default "resp" - --rspignore Ignore any bogus *.rsp files - --shwrap_prefix=<prefix> - --tprefix=<prefix> - --quiet Shhh.... - --win32 Generate script for Win32 environment -EOF -} - -#-------------------------------- -sub countentry { - my ($key,$value) = @_; - if ($value == 0) - { - print STDERR "WARNING: test file $key not found\n" unless $quiet; - } - elsif ($value > 1) - { - print STDERR "WARNING: test file $key found $value times\n" unless $quiet; - } - else - { - print STDERR "Found test file $key\n" if $debug; - } - } - -#-------------------------------- -sub recurse_test - { - my ($win32, $tprefix, $filter, $dir) = @_; - my $dirh; - opendir($dirh, $dir); - while ($_ = readdir($dirh)) - { - next if ($_ eq "." || $_ eq ".."); - $_ = "$dir/$_"; - if (-f "$_") - { - if (/\/([^\/]*)\.rsp$/) - { - if (exists $fips_tests{$1}) - { - $debug && print "DEBUG: $1 found, will be overwritten\n"; - } - else - { - print STDERR "ERROR: bogus file $_\n"; - push @bogus, $_; - } - } - next unless /$filter.*\.req$/i; - if (/\/([^\/]*)\.req$/ && exists $fips_tests{$1}) - { - $fips_found{$1}++; - test_line($win32, $_, $tprefix, $1); - } - elsif (! /SHAmix\.req$/) - { - print STDERR "WARNING: unrecognized filename $_\n"; - } - } - elsif (-d "$_") - { - if (/$filter.*req$/i) - { - test_dir($win32, $_); - } - recurse_test($win32, $tprefix, $filter, $_); - } - } - closedir($dirh); - } - -#-------------------------------- -sub test_dir - { - my ($win32, $req) = @_; - my $rsp = $req; - $rsp =~ s/req$/$rspdir/; - if ($win32) - { - $rsp =~ tr|/|\\|; - $req =~ tr|/|\\|; - $bufdir = <<END; - -echo Running tests in $req -if exist "$rsp" rd /s /q "$rsp" -md "$rsp" -END - } - else - { - $bufdir = <<END; - -echo Running tests in "$req" -\$RM "$rsp" -\$MKDIR "$rsp" - -END - } - } - -#-------------------------------- -sub test_line - { - my ($win32, $req, $tprefix, $tnam) = @_; - my $rsp = $req; - my $tcmd = $fips_tests{$tnam}; - - $bufout .= $bufdir; - $bufdir = ""; - - $rsp =~ s/req\/([^\/]*).req$/$rspdir\/$1.rsp/; - if ($tcmd =~ /-f$/) - { - if ($win32) - { - $req =~ tr|/|\\|; - $rsp =~ tr|/|\\|; - $bufout .= "$tprefix$tcmd \"$req\" \"$rsp\"\n"; - $_programs{"$tprefix$tcmd.exe"} = 1; - } - else - { - $bufout .= <<END; -${shwrap}\${TPREFIX}$tcmd "$req" "$rsp" || { echo "$req failure" ; exit 1 -} -END - $_programs{"${shwrap_prefix}shlib_wrap.sh"} = 1; - $_programs{"$tprefix$tcmd"} = 1; - } - return; - } - if ($tcmd =~ /SALT$/) - { - open (IN, $req) || die "Can't Open File $req"; - my $saltlen; - while (<IN>) - { - if (/^\s*#\s*salt\s+len:\s+(\d+)\s*$/i) - { - my $sl = $1; - print STDERR "$req salt length $sl\n" if $debug; - $tcmd =~ s/SALT$/$sl/; - $salt_found{"$tnam (salt $sl)"}++; - last; - } - } - close IN; - if ($tcmd =~ /SALT$/) - { - die "Can't detect salt length for $req"; - } - } - - if ($win32) - { - $req =~ tr|/|\\|; - $rsp =~ tr|/|\\|; - $bufout .= "$tprefix$tcmd < \"$req\" > \"$rsp\"\n"; - $_programs{"$tprefix$tcmd.exe"} = 1; - } - else - { - $bufout .= <<END; -${shwrap}\${TPREFIX}$tcmd < "$req" > "$rsp" || { echo "$req failure" ; exit 1; } -END - $_programs{"$tprefix$tcmd"} = 1; - } - } - diff --git a/crypto/openssl/fips/openssl_fips_fingerprint b/crypto/openssl/fips/openssl_fips_fingerprint deleted file mode 100755 index f59a67d..0000000 --- a/crypto/openssl/fips/openssl_fips_fingerprint +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh -# -# Check the library fingerprint and generate an executable fingerprint, or -# return an error - -lib=$1 -exe=$2 -ext=${HMAC_EXT:-sha1} - -# deal with the case where we're run from within the build and OpenSSL is -# not yet installed. Also, make sure LD_LIBRARY_PATH is properly set in -# case shared libraries are built. -if [ "X$TOP" != "X" ] -then - if test "$OSTYPE" = msdosdjgpp; then - PATH="$TOP/apps;$TOP;$PATH" - else - PATH="$TOP/apps:$TOP:$PATH" - fi - LD_LIBRARY_PATH=$TOP; export LD_LIBRARY_PATH -else - LD_LIBRARY_PATH=.; export LD_LIBRARY_PATH -fi - -echo "Checking library fingerprint for $lib" -openssl sha1 -hmac etaonrishdlcupfm $lib | sed "s/(.*\//(/" | diff -w $lib.sha1 - || { echo "$libs fingerprint mismatch"; exit 1; } - -[ -x $exe.exe ] && exe=$exe.exe - -echo "Making fingerprint for $exe" -openssl sha1 -hmac etaonrishdlcupfm -binary $exe > $exe.$ext || rm $exe.$ext diff --git a/crypto/openssl/fips/rand/Makefile b/crypto/openssl/fips/rand/Makefile deleted file mode 100644 index 20303c8..0000000 --- a/crypto/openssl/fips/rand/Makefile +++ /dev/null @@ -1,149 +0,0 @@ -# -# OpenSSL/fips/rand/Makefile -# - -DIR= rand -TOP= ../.. -CC= cc -INCLUDES= -CFLAG=-g -INSTALL_PREFIX= -OPENSSLDIR= /usr/local/ssl -INSTALLTOP=/usr/local/ssl -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -AR= ar r - -CFLAGS= $(INCLUDES) $(CFLAG) - -GENERAL=Makefile -TEST= fips_randtest.c fips_rngvs.c -APPS= - -LIB=$(TOP)/libcrypto.a -LIBSRC=fips_rand.c fips_rand_selftest.c -LIBOBJ=fips_rand.o fips_rand_selftest.o - -SRC= $(LIBSRC) - -EXHEADER= fips_rand.h -HEADER= $(EXHEADER) - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - (cd $(TOP); $(MAKE) DIRS=fips SDIRS=$(DIR) sub_all) - -all: lib - -lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - -links: - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) - -install: - @headerlist="$(EXHEADER)"; for i in $$headerlist; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done - -tags: - ctags $(SRC) - -tests: - -Q=../testvectors/rng/req -A=../testvectors/rng/rsp - -fips_test: - -rm -rf $(A) - mkdir $(A) - if [ -f $(Q)/ANSI931_AES128MCT.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rngvs mct < $(Q)/ANSI931_AES128MCT.req > $(A)/ANSI931_AES128MCT.rsp; fi - if [ -f $(Q)/ANSI931_AES192MCT.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rngvs mct < $(Q)/ANSI931_AES192MCT.req > $(A)/ANSI931_AES192MCT.rsp; fi - if [ -f $(Q)/ANSI931_AES256MCT.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rngvs mct < $(Q)/ANSI931_AES256MCT.req > $(A)/ANSI931_AES256MCT.rsp; fi - if [ -f $(Q)/ANSI931_AES128VST.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rngvs vst < $(Q)/ANSI931_AES128VST.req > $(A)/ANSI931_AES128VST.rsp; fi - if [ -f $(Q)/ANSI931_AES192VST.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rngvs vst < $(Q)/ANSI931_AES192VST.req > $(A)/ANSI931_AES192VST.rsp; fi - if [ -f $(Q)/ANSI931_AES256VST.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rngvs vst < $(Q)/ANSI931_AES256VST.req > $(A)/ANSI931_AES256VST.rsp; fi - -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - -depend: - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(SRC) $(TEST) - -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - -clean: - rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff - -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips_rand.o: ../../e_os.h ../../include/openssl/aes.h -fips_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h -fips_rand.o: ../../include/openssl/des.h ../../include/openssl/des_old.h -fips_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_rand.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h -fips_rand.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h -fips_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -fips_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h -fips_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_rand.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h -fips_rand.o: ../fips_locl.h fips_rand.c -fips_rand_selftest.o: ../../include/openssl/bio.h -fips_rand_selftest.o: ../../include/openssl/crypto.h -fips_rand_selftest.o: ../../include/openssl/des.h -fips_rand_selftest.o: ../../include/openssl/des_old.h -fips_rand_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_rand_selftest.o: ../../include/openssl/fips.h -fips_rand_selftest.o: ../../include/openssl/fips_rand.h -fips_rand_selftest.o: ../../include/openssl/lhash.h -fips_rand_selftest.o: ../../include/openssl/opensslconf.h -fips_rand_selftest.o: ../../include/openssl/opensslv.h -fips_rand_selftest.o: ../../include/openssl/ossl_typ.h -fips_rand_selftest.o: ../../include/openssl/rand.h -fips_rand_selftest.o: ../../include/openssl/safestack.h -fips_rand_selftest.o: ../../include/openssl/stack.h -fips_rand_selftest.o: ../../include/openssl/symhacks.h -fips_rand_selftest.o: ../../include/openssl/ui.h -fips_rand_selftest.o: ../../include/openssl/ui_compat.h fips_rand_selftest.c -fips_randtest.o: ../../e_os.h ../../include/openssl/bio.h -fips_randtest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_randtest.o: ../../include/openssl/des.h ../../include/openssl/des_old.h -fips_randtest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_randtest.o: ../../include/openssl/fips_rand.h -fips_randtest.o: ../../include/openssl/lhash.h -fips_randtest.o: ../../include/openssl/opensslconf.h -fips_randtest.o: ../../include/openssl/opensslv.h -fips_randtest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h -fips_randtest.o: ../../include/openssl/safestack.h -fips_randtest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_randtest.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h -fips_randtest.o: ../fips_utl.h fips_randtest.c -fips_rngvs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rngvs.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -fips_rngvs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h -fips_rngvs.o: ../../include/openssl/des.h ../../include/openssl/des_old.h -fips_rngvs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -fips_rngvs.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -fips_rngvs.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h -fips_rngvs.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_rngvs.o: ../../include/openssl/fips_rand.h ../../include/openssl/lhash.h -fips_rngvs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -fips_rngvs.o: ../../include/openssl/opensslconf.h -fips_rngvs.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -fips_rngvs.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h -fips_rngvs.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -fips_rngvs.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_rngvs.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h -fips_rngvs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -fips_rngvs.o: ../../include/openssl/x509v3.h ../fips_utl.h fips_rngvs.c diff --git a/crypto/openssl/fips/rand/fips_rand.c b/crypto/openssl/fips/rand/fips_rand.c deleted file mode 100644 index 9492b15..0000000 --- a/crypto/openssl/fips/rand/fips_rand.c +++ /dev/null @@ -1,410 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -/* - * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4. - */ - -#include "e_os.h" - -/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't - be defined and gettimeofday() won't be declared with strict compilers - like DEC C in ANSI C mode. */ -#ifndef _XOPEN_SOURCE_EXTENDED -#define _XOPEN_SOURCE_EXTENDED 1 -#endif - -#include <openssl/rand.h> -#include <openssl/aes.h> -#include <openssl/err.h> -#include <openssl/fips_rand.h> -#ifndef OPENSSL_SYS_WIN32 -#include <sys/time.h> -#endif -#include <assert.h> -#ifndef OPENSSL_SYS_WIN32 -# ifdef OPENSSL_UNISTD -# include OPENSSL_UNISTD -# else -# include <unistd.h> -# endif -#endif -#include <string.h> -#include <openssl/fips.h> -#include "fips_locl.h" - -#ifdef OPENSSL_FIPS - -void *OPENSSL_stderr(void); - -#define AES_BLOCK_LENGTH 16 - - -/* AES FIPS PRNG implementation */ - -typedef struct - { - int seeded; - int keyed; - int test_mode; - int second; - int error; - unsigned long counter; - AES_KEY ks; - int vpos; - /* Temporary storage for key if it equals seed length */ - unsigned char tmp_key[AES_BLOCK_LENGTH]; - unsigned char V[AES_BLOCK_LENGTH]; - unsigned char DT[AES_BLOCK_LENGTH]; - unsigned char last[AES_BLOCK_LENGTH]; - } FIPS_PRNG_CTX; - -static FIPS_PRNG_CTX sctx; - -static int fips_prng_fail = 0; - -void FIPS_rng_stick(void) - { - fips_prng_fail = 1; - } - -static void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx) - { - ctx->seeded = 0; - ctx->keyed = 0; - ctx->test_mode = 0; - ctx->counter = 0; - ctx->second = 0; - ctx->error = 0; - ctx->vpos = 0; - OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH); - OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY)); - } - - -static int fips_set_prng_key(FIPS_PRNG_CTX *ctx, - const unsigned char *key, FIPS_RAND_SIZE_T keylen) - { - FIPS_selftest_check(); - if (keylen != 16 && keylen != 24 && keylen != 32) - { - /* error: invalid key size */ - return 0; - } - AES_set_encrypt_key(key, keylen << 3, &ctx->ks); - if (keylen == 16) - { - memcpy(ctx->tmp_key, key, 16); - ctx->keyed = 2; - } - else - ctx->keyed = 1; - ctx->seeded = 0; - ctx->second = 0; - return 1; - } - -static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx, - const unsigned char *seed, FIPS_RAND_SIZE_T seedlen) - { - int i; - if (!ctx->keyed) - return 0; - /* In test mode seed is just supplied data */ - if (ctx->test_mode) - { - if (seedlen != AES_BLOCK_LENGTH) - return 0; - memcpy(ctx->V, seed, AES_BLOCK_LENGTH); - ctx->seeded = 1; - return 1; - } - /* Outside test mode XOR supplied data with existing seed */ - for (i = 0; i < seedlen; i++) - { - ctx->V[ctx->vpos++] ^= seed[i]; - if (ctx->vpos == AES_BLOCK_LENGTH) - { - ctx->vpos = 0; - /* Special case if first seed and key length equals - * block size check key and seed do not match. - */ - if (ctx->keyed == 2) - { - if (!memcmp(ctx->tmp_key, ctx->V, 16)) - { - RANDerr(RAND_F_FIPS_SET_PRNG_SEED, - RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY); - return 0; - } - OPENSSL_cleanse(ctx->tmp_key, 16); - ctx->keyed = 1; - } - ctx->seeded = 1; - } - } - return 1; - } - -static int fips_set_test_mode(FIPS_PRNG_CTX *ctx) - { - if (ctx->keyed) - { - RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED); - return 0; - } - ctx->test_mode = 1; - return 1; - } - -int FIPS_rand_test_mode(void) - { - return fips_set_test_mode(&sctx); - } - -int FIPS_rand_set_dt(unsigned char *dt) - { - if (!sctx.test_mode) - { - RANDerr(RAND_F_FIPS_RAND_SET_DT,RAND_R_NOT_IN_TEST_MODE); - return 0; - } - memcpy(sctx.DT, dt, AES_BLOCK_LENGTH); - return 1; - } - -static void fips_get_dt(FIPS_PRNG_CTX *ctx) - { -#ifdef OPENSSL_SYS_WIN32 - FILETIME ft; -#else - struct timeval tv; -#endif - unsigned char *buf = ctx->DT; - -#ifndef GETPID_IS_MEANINGLESS - unsigned long pid; -#endif - -#ifdef OPENSSL_SYS_WIN32 - GetSystemTimeAsFileTime(&ft); - buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff); - buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff); - buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff); - buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff); - buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff); - buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff); - buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff); - buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff); -#else - gettimeofday(&tv,NULL); - buf[0] = (unsigned char) (tv.tv_sec & 0xff); - buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff); - buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff); - buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff); - buf[4] = (unsigned char) (tv.tv_usec & 0xff); - buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff); - buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff); - buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff); -#endif - buf[8] = (unsigned char) (ctx->counter & 0xff); - buf[9] = (unsigned char) ((ctx->counter >> 8) & 0xff); - buf[10] = (unsigned char) ((ctx->counter >> 16) & 0xff); - buf[11] = (unsigned char) ((ctx->counter >> 24) & 0xff); - - ctx->counter++; - - -#ifndef GETPID_IS_MEANINGLESS - pid=(unsigned long)getpid(); - buf[12] = (unsigned char) (pid & 0xff); - buf[13] = (unsigned char) ((pid >> 8) & 0xff); - buf[14] = (unsigned char) ((pid >> 16) & 0xff); - buf[15] = (unsigned char) ((pid >> 24) & 0xff); -#endif - } - -static int fips_rand(FIPS_PRNG_CTX *ctx, - unsigned char *out, FIPS_RAND_SIZE_T outlen) - { - unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH]; - unsigned char tmp[AES_BLOCK_LENGTH]; - int i; - if (ctx->error) - { - RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR); - return 0; - } - if (!ctx->keyed) - { - RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET); - return 0; - } - if (!ctx->seeded) - { - RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED); - return 0; - } - for (;;) - { - if (!ctx->test_mode) - fips_get_dt(ctx); - AES_encrypt(ctx->DT, I, &ctx->ks); - for (i = 0; i < AES_BLOCK_LENGTH; i++) - tmp[i] = I[i] ^ ctx->V[i]; - AES_encrypt(tmp, R, &ctx->ks); - for (i = 0; i < AES_BLOCK_LENGTH; i++) - tmp[i] = R[i] ^ I[i]; - AES_encrypt(tmp, ctx->V, &ctx->ks); - /* Continuous PRNG test */ - if (ctx->second) - { - if (fips_prng_fail) - memcpy(ctx->last, R, AES_BLOCK_LENGTH); - if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) - { - RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK); - ctx->error = 1; - fips_set_selftest_fail(); - return 0; - } - } - memcpy(ctx->last, R, AES_BLOCK_LENGTH); - if (!ctx->second) - { - ctx->second = 1; - if (!ctx->test_mode) - continue; - } - - if (outlen <= AES_BLOCK_LENGTH) - { - memcpy(out, R, outlen); - break; - } - - memcpy(out, R, AES_BLOCK_LENGTH); - out += AES_BLOCK_LENGTH; - outlen -= AES_BLOCK_LENGTH; - } - return 1; - } - - -int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen) - { - int ret; - CRYPTO_w_lock(CRYPTO_LOCK_RAND); - ret = fips_set_prng_key(&sctx, key, keylen); - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); - return ret; - } - -int FIPS_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen) - { - int ret; - CRYPTO_w_lock(CRYPTO_LOCK_RAND); - ret = fips_set_prng_seed(&sctx, seed, seedlen); - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); - return ret; - } - - -int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T count) - { - int ret; - CRYPTO_w_lock(CRYPTO_LOCK_RAND); - ret = fips_rand(&sctx, out, count); - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); - return ret; - } - -int FIPS_rand_status(void) - { - int ret; - CRYPTO_r_lock(CRYPTO_LOCK_RAND); - ret = sctx.seeded; - CRYPTO_r_unlock(CRYPTO_LOCK_RAND); - return ret; - } - -void FIPS_rand_reset(void) - { - CRYPTO_w_lock(CRYPTO_LOCK_RAND); - fips_rand_prng_reset(&sctx); - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); - } - -static void fips_do_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen) - { - FIPS_rand_seed(seed, seedlen); - } - -static void fips_do_rand_add(const void *seed, FIPS_RAND_SIZE_T seedlen, - double add_entropy) - { - FIPS_rand_seed(seed, seedlen); - } - -static const RAND_METHOD rand_fips_meth= - { - fips_do_rand_seed, - FIPS_rand_bytes, - FIPS_rand_reset, - fips_do_rand_add, - FIPS_rand_bytes, - FIPS_rand_status - }; - -const RAND_METHOD *FIPS_rand_method(void) -{ - return &rand_fips_meth; -} - -#endif diff --git a/crypto/openssl/fips/rand/fips_rand.h b/crypto/openssl/fips/rand/fips_rand.h deleted file mode 100644 index a175aaf..0000000 --- a/crypto/openssl/fips/rand/fips_rand.h +++ /dev/null @@ -1,77 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef HEADER_FIPS_RAND_H -#define HEADER_FIPS_RAND_H - -#include "des.h" - -#ifdef OPENSSL_FIPS - -#ifdef __cplusplus -extern "C" { -#endif - -int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen); -int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num); -int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen); - -int FIPS_rand_test_mode(void); -void FIPS_rand_reset(void); -int FIPS_rand_set_dt(unsigned char *dt); - -int FIPS_rand_status(void); - -const RAND_METHOD *FIPS_rand_method(void); - -#ifdef __cplusplus -} -#endif -#endif -#endif diff --git a/crypto/openssl/fips/rand/fips_rand_selftest.c b/crypto/openssl/fips/rand/fips_rand_selftest.c deleted file mode 100644 index 2194a76..0000000 --- a/crypto/openssl/fips/rand/fips_rand_selftest.c +++ /dev/null @@ -1,371 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <string.h> -#include <openssl/err.h> -#include <openssl/fips.h> -#include <openssl/rand.h> -#include <openssl/fips_rand.h> - -#ifdef OPENSSL_FIPS - - - -typedef struct - { - unsigned char DT[16]; - unsigned char V[16]; - unsigned char R[16]; - } AES_PRNG_TV; - -/* The following test vectors are taken directly from the RGNVS spec */ - -static unsigned char aes_128_key[16] = - {0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42, - 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02}; - -static AES_PRNG_TV aes_128_tv[] = { - { - /* DT */ - {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, - 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9}, - /* V */ - {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55, - 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41} - }, - { - /* DT */ - {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, - 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfa}, - /* V */ - {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x7c,0x22,0x2c,0xf4,0xca,0x8f,0xa2,0x4c, - 0x1c,0x9c,0xb6,0x41,0xa9,0xf3,0x22,0x0d} - }, - { - /* DT */ - {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, - 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfb}, - /* V */ - {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x8a,0xaa,0x00,0x39,0x66,0x67,0x5b,0xe5, - 0x29,0x14,0x28,0x81,0xa9,0x4d,0x4e,0xc7} - }, - { - /* DT */ - {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, - 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfc}, - /* V */ - {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x88,0xdd,0xa4,0x56,0x30,0x24,0x23,0xe5, - 0xf6,0x9d,0xa5,0x7e,0x7b,0x95,0xc7,0x3a} - }, - { - /* DT */ - {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, - 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfd}, - /* V */ - {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x05,0x25,0x92,0x46,0x61,0x79,0xd2,0xcb, - 0x78,0xc4,0x0b,0x14,0x0a,0x5a,0x9a,0xc8} - }, - { - /* DT */ - {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, - 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x77}, - /* V */ - {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, - 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe}, - /* R */ - {0x0d,0xd5,0xa0,0x36,0x7a,0x59,0x26,0xbc, - 0x48,0xd9,0x38,0xbf,0xf0,0x85,0x8f,0xea} - }, - { - /* DT */ - {0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62, - 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x78}, - /* V */ - {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, - 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, - /* R */ - {0xae,0x53,0x87,0xee,0x8c,0xd9,0x12,0xf5, - 0x73,0x53,0xae,0x03,0xf9,0xd5,0x13,0x33} - }, -}; - -static unsigned char aes_192_key[24] = - {0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e, - 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc, - 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b}; - -static AES_PRNG_TV aes_192_tv[] = { - { - /* DT */ - {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, - 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b}, - /* V */ - {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef, - 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93} - }, - { - /* DT */ - {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, - 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4c}, - /* V */ - {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x92,0x8d,0xbe,0x07,0xdd,0xc7,0x58,0xc0, - 0x6f,0x35,0x41,0x9b,0x17,0xc9,0xbd,0x9b} - }, - { - /* DT */ - {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, - 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4d}, - /* V */ - {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0xd5,0xde,0xf4,0x50,0xf3,0xb7,0x10,0x4e, - 0xb8,0xc6,0xf8,0xcf,0xe2,0xb1,0xca,0xa2} - }, - { - /* DT */ - {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, - 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4e}, - /* V */ - {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0xce,0x29,0x08,0x43,0xfc,0x34,0x41,0xe7, - 0x47,0x8f,0xb3,0x66,0x2b,0x46,0xb1,0xbb} - }, - { - /* DT */ - {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, - 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4f}, - /* V */ - {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0xb3,0x26,0x0f,0xf5,0xd6,0xca,0xa8,0xbf, - 0x89,0xb8,0x5e,0x2f,0x22,0x56,0x92,0x2f} - }, - { - /* DT */ - {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, - 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xc9}, - /* V */ - {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, - 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe}, - /* R */ - {0x05,0xeb,0x18,0x52,0x34,0x43,0x00,0x43, - 0x6e,0x5a,0xa5,0xfe,0x7b,0x32,0xc4,0x2d} - }, - { - /* DT */ - {0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1, - 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xca}, - /* V */ - {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, - 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, - /* R */ - {0x15,0x3c,0xe8,0xd1,0x04,0xc7,0xad,0x50, - 0x0b,0xf0,0x07,0x16,0xe7,0x56,0x7a,0xea} - }, -}; - -static unsigned char aes_256_key[32] = - {0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d, - 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f, - 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5, - 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb}; - -static AES_PRNG_TV aes_256_tv[] = { - { - /* DT */ - {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, - 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88}, - /* V */ - {0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc, - 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72} - }, - { - /* DT */ - {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, - 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x89}, - /* V */ - {0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x6c,0xf4,0x42,0x5d,0xc7,0x04,0x1a,0x41, - 0x28,0x2a,0x78,0xa9,0xb0,0x12,0xc4,0x95} - }, - { - /* DT */ - {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, - 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8a}, - /* V */ - {0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x16,0x90,0xa4,0xff,0x7b,0x7e,0xb9,0x30, - 0xdb,0x67,0x4b,0xac,0x2d,0xe1,0xd1,0x75} - }, - { - /* DT */ - {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, - 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8b}, - /* V */ - {0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x14,0x6f,0xf5,0x95,0xa1,0x46,0x65,0x30, - 0xbc,0x57,0xe2,0x4a,0xf7,0x45,0x62,0x05} - }, - { - /* DT */ - {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, - 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8c}, - /* V */ - {0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - /* R */ - {0x96,0xe2,0xb4,0x1e,0x66,0x5e,0x0f,0xa4, - 0xc5,0xcd,0xa2,0x07,0xcc,0xb7,0x94,0x40} - }, - { - /* DT */ - {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, - 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x06}, - /* V */ - {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, - 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe}, - /* R */ - {0x61,0xce,0x1d,0x6a,0x48,0x75,0x97,0x28, - 0x4b,0x41,0xde,0x18,0x44,0x4f,0x56,0xec} - }, - { - /* DT */ - {0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5, - 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x07}, - /* V */ - {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, - 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, - /* R */ - {0x52,0x89,0x59,0x79,0x2d,0xaa,0x28,0xb3, - 0xb0,0x8a,0x3e,0x70,0xfa,0x71,0x59,0x84} - }, -}; - - -void FIPS_corrupt_rng() - { - aes_192_tv[0].V[0]++; - } - -#define fips_rand_test(key, tv) \ - do_rand_test(key, sizeof key, tv, sizeof(tv)/sizeof(AES_PRNG_TV)) - -static int do_rand_test(unsigned char *key, int keylen, - AES_PRNG_TV *tv, int ntv) - { - unsigned char R[16]; - int i; - if (!FIPS_rand_set_key(key, keylen)) - return 0; - for (i = 0; i < ntv; i++) - { - FIPS_rand_seed(tv[i].V, 16); - FIPS_rand_set_dt(tv[i].DT); - FIPS_rand_bytes(R, 16); - if (memcmp(R, tv[i].R, 16)) - return 0; - } - return 1; - } - - -int FIPS_selftest_rng() - { - FIPS_rand_reset(); - if (!FIPS_rand_test_mode()) - { - FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED); - return 0; - } - if (!fips_rand_test(aes_128_key,aes_128_tv) - || !fips_rand_test(aes_192_key, aes_192_tv) - || !fips_rand_test(aes_256_key, aes_256_tv)) - { - FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED); - return 0; - } - FIPS_rand_reset(); - return 1; - } - -#endif diff --git a/crypto/openssl/fips/rand/fips_randtest.c b/crypto/openssl/fips/rand/fips_randtest.c deleted file mode 100644 index 5582941..0000000 --- a/crypto/openssl/fips/rand/fips_randtest.c +++ /dev/null @@ -1,248 +0,0 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <openssl/rand.h> -#include <openssl/fips_rand.h> -#include <openssl/err.h> -#include <openssl/bn.h> - -#include "e_os.h" - -#ifndef OPENSSL_FIPS -int main(int argc, char *argv[]) -{ - printf("No FIPS RAND support\n"); - return(0); -} - -#else - -#include "fips_utl.h" - -typedef struct - { - unsigned char DT[16]; - unsigned char V[16]; - unsigned char R[16]; - } AES_PRNG_MCT; - -static unsigned char aes_128_mct_key[16] = - {0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5, - 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48}; - -static AES_PRNG_MCT aes_128_mct_tv = { - /* DT */ - {0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b, - 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac}, - /* V */ - {0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97, - 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1}, - /* R */ - {0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb, - 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73} -}; - -static unsigned char aes_192_mct_key[24] = - {0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73, - 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91, - 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a}; - -static AES_PRNG_MCT aes_192_mct_tv = { - /* DT */ - {0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9, - 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52}, - /* V */ - {0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64, - 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d}, - /* R */ - {0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21, - 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47} -}; - -static unsigned char aes_256_mct_key[32] = - {0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a, - 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0, - 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d, - 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50}; - -static AES_PRNG_MCT aes_256_mct_tv = { - /* DT */ - {0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee, - 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c}, - /* V */ - {0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1, - 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca}, - /* R */ - {0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1, - 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d} -}; - -static void dump(const unsigned char *b,int n) - { - while(n-- > 0) - { - printf(" %02x",*b++); - } - } - -static void compare(const unsigned char *result,const unsigned char *expected, - int n) - { - int i; - - for(i=0 ; i < n ; ++i) - if(result[i] != expected[i]) - { - puts("Random test failed, got:"); - dump(result,n); - puts("\n expected:"); - dump(expected,n); - putchar('\n'); - EXIT(1); - } - } - - -static void run_test(unsigned char *key, int keylen, AES_PRNG_MCT *tv) - { - unsigned char buf[16], dt[16]; - int i, j; - FIPS_rand_reset(); - FIPS_rand_test_mode(); - FIPS_rand_set_key(key, keylen); - FIPS_rand_seed(tv->V, 16); - memcpy(dt, tv->DT, 16); - for (i = 0; i < 10000; i++) - { - FIPS_rand_set_dt(dt); - FIPS_rand_bytes(buf, 16); - /* Increment DT */ - for (j = 15; j >= 0; j--) - { - dt[j]++; - if (dt[j]) - break; - } - } - - compare(buf,tv->R, 16); - } - -int main() - { - run_test(aes_128_mct_key, 16, &aes_128_mct_tv); - printf("FIPS PRNG test 1 done\n"); - run_test(aes_192_mct_key, 24, &aes_192_mct_tv); - printf("FIPS PRNG test 2 done\n"); - run_test(aes_256_mct_key, 32, &aes_256_mct_tv); - printf("FIPS PRNG test 3 done\n"); - return 0; - } - -#endif diff --git a/crypto/openssl/fips/rand/fips_rngvs.c b/crypto/openssl/fips/rand/fips_rngvs.c deleted file mode 100644 index 80a8017..0000000 --- a/crypto/openssl/fips/rand/fips_rngvs.c +++ /dev/null @@ -1,230 +0,0 @@ -/* - * Crude test driver for processing the VST and MCT testvector files - * generated by the CMVP RNGVS product. - * - * Note the input files are assumed to have a _very_ specific format - * as described in the NIST document "The Random Number Generator - * Validation System (RNGVS)", May 25, 2004. - * - */ -#include <openssl/opensslconf.h> - -#ifndef OPENSSL_FIPS -#include <stdio.h> - -int main(int argc, char **argv) -{ - printf("No FIPS RNG support\n"); - return 0; -} -#else - -#include <openssl/bn.h> -#include <openssl/dsa.h> -#include <openssl/fips.h> -#include <openssl/err.h> -#include <openssl/rand.h> -#include <openssl/fips_rand.h> -#include <openssl/x509v3.h> -#include <string.h> -#include <ctype.h> - -#include "fips_utl.h" - -static void vst() - { - unsigned char *key = NULL; - unsigned char *v = NULL; - unsigned char *dt = NULL; - unsigned char ret[16]; - char buf[1024]; - char lbuf[1024]; - char *keyword, *value; - long i, keylen; - - keylen = 0; - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - fputs(buf,stdout); - if(!strncmp(buf,"[AES 128-Key]", 13)) - keylen = 16; - else if(!strncmp(buf,"[AES 192-Key]", 13)) - keylen = 24; - else if(!strncmp(buf,"[AES 256-Key]", 13)) - keylen = 32; - if (!parse_line(&keyword, &value, lbuf, buf)) - continue; - if(!strcmp(keyword,"Key")) - { - key=hex2bin_m(value,&i); - if (i != keylen) - { - fprintf(stderr, "Invalid key length, expecting %ld\n", keylen); - return; - } - } - else if(!strcmp(keyword,"DT")) - { - dt=hex2bin_m(value,&i); - if (i != 16) - { - fprintf(stderr, "Invalid DT length\n"); - return; - } - } - else if(!strcmp(keyword,"V")) - { - v=hex2bin_m(value,&i); - if (i != 16) - { - fprintf(stderr, "Invalid V length\n"); - return; - } - - if (!key || !dt) - { - fprintf(stderr, "Missing key or DT\n"); - return; - } - - FIPS_rand_set_key(key, keylen); - FIPS_rand_seed(v,16); - FIPS_rand_set_dt(dt); - if (FIPS_rand_bytes(ret,16) <= 0) - { - fprintf(stderr, "Error getting PRNG value\n"); - return; - } - - pv("R",ret,16); - OPENSSL_free(key); - key = NULL; - OPENSSL_free(dt); - dt = NULL; - OPENSSL_free(v); - v = NULL; - } - } - } - -static void mct() - { - unsigned char *key = NULL; - unsigned char *v = NULL; - unsigned char *dt = NULL; - unsigned char ret[16]; - char buf[1024]; - char lbuf[1024]; - char *keyword, *value; - long i, keylen; - int j; - - keylen = 0; - - while(fgets(buf,sizeof buf,stdin) != NULL) - { - fputs(buf,stdout); - if(!strncmp(buf,"[AES 128-Key]", 13)) - keylen = 16; - else if(!strncmp(buf,"[AES 192-Key]", 13)) - keylen = 24; - else if(!strncmp(buf,"[AES 256-Key]", 13)) - keylen = 32; - if (!parse_line(&keyword, &value, lbuf, buf)) - continue; - if(!strcmp(keyword,"Key")) - { - key=hex2bin_m(value,&i); - if (i != keylen) - { - fprintf(stderr, "Invalid key length, expecting %ld\n", keylen); - return; - } - } - else if(!strcmp(keyword,"DT")) - { - dt=hex2bin_m(value,&i); - if (i != 16) - { - fprintf(stderr, "Invalid DT length\n"); - return; - } - } - else if(!strcmp(keyword,"V")) - { - v=hex2bin_m(value,&i); - if (i != 16) - { - fprintf(stderr, "Invalid V length\n"); - return; - } - - if (!key || !dt) - { - fprintf(stderr, "Missing key or DT\n"); - return; - } - - FIPS_rand_set_key(key, keylen); - FIPS_rand_seed(v,16); - for (i = 0; i < 10000; i++) - { - FIPS_rand_set_dt(dt); - if (FIPS_rand_bytes(ret,16) <= 0) - { - fprintf(stderr, "Error getting PRNG value\n"); - return; - } - /* Increment DT */ - for (j = 15; j >= 0; j--) - { - dt[j]++; - if (dt[j]) - break; - } - } - - pv("R",ret,16); - OPENSSL_free(key); - key = NULL; - OPENSSL_free(dt); - dt = NULL; - OPENSSL_free(v); - v = NULL; - } - } - } - -int main(int argc,char **argv) - { - if(argc != 2) - { - fprintf(stderr,"%s [mct|vst]\n",argv[0]); - exit(1); - } - if(!FIPS_mode_set(1)) - { - do_print_errors(); - exit(1); - } - FIPS_rand_reset(); - if (!FIPS_rand_test_mode()) - { - fprintf(stderr, "Error setting PRNG test mode\n"); - do_print_errors(); - exit(1); - } - if(!strcmp(argv[1],"mct")) - mct(); - else if(!strcmp(argv[1],"vst")) - vst(); - else - { - fprintf(stderr,"Don't know how to %s.\n",argv[1]); - exit(1); - } - - return 0; - } -#endif diff --git a/crypto/openssl/fips/rsa/Makefile b/crypto/openssl/fips/rsa/Makefile deleted file mode 100644 index da28c13..0000000 --- a/crypto/openssl/fips/rsa/Makefile +++ /dev/null @@ -1,215 +0,0 @@ -# -# OpenSSL/fips/rsa/Makefile -# - -DIR= rsa -TOP= ../.. -CC= cc -INCLUDES= -CFLAG=-g -INSTALL_PREFIX= -OPENSSLDIR= /usr/local/ssl -INSTALLTOP=/usr/local/ssl -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -AR= ar r - -CFLAGS= $(INCLUDES) $(CFLAG) - -GENERAL=Makefile -TEST= fips_rsavtest.c fips_rsastest.c fips_rsagtest.c -APPS= - -LIB=$(TOP)/libcrypto.a -LIBSRC=fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c fips_rsa_x931g.c \ - fips_rsa_sign.c fips_rsa_lib.c -LIBOBJ=fips_rsa_eay.o fips_rsa_gen.o fips_rsa_selftest.o fips_rsa_x931g.o \ - fips_rsa_sign.o fips_rsa_lib.o - -SRC= $(LIBSRC) - -EXHEADER= -HEADER= $(EXHEADER) - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - (cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all) - -all: lib - -lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - -links: - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) - -install: - @headerlist="$(EXHEADER)"; for i in $$headerlist; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done - -tags: - ctags $(SRC) - -tests: - -Q=../testvectors/rsa/req -A=../testvectors/rsa/rsp -Q62=../testvectors/rsa_salt_62/req -A62=../testvectors/rsa_salt_62/rsp - -fips_test: - -rm -rf $(A) $(A62) - mkdir $(A) $(A62) - if [ -f $(Q)/SigGen15.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsastest < $(Q)/SigGen15.req > $(A)/SigGen15.rsp; fi - if [ -f $(Q)/SigVer15.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsavtest < $(Q)/SigVer15.req > $(A)/SigVer15.rsp; fi - if [ -f $(Q)/SigGenPSS.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsastest -saltlen 0 < $(Q)/SigGenPSS.req > $(A)/SigGenPSS.rsp; fi - if [ -f $(Q)/SigVerPSS.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsavtest -saltlen 0 < $(Q)/SigVerPSS.req > $(A)/SigVerPSS.rsp; fi - if [ -f $(Q)/SigGenRSA.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsastest -x931 < $(Q)/SigGenRSA.req > $(A)/SigGenRSA.rsp; fi - if [ -f $(Q)/SigVerRSA.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsavtest -x931 < $(Q)/SigVerRSA.req > $(A)/SigVerRSA.rsp; fi - if [ -f $(Q62)/SigGenPSS.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsastest -saltlen 62 < $(Q62)/SigGenPSS.req >$(A62)/SigGenPSS.rsp; fi - if [ -f $(Q62)/SigVerPSS.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsavtest -saltlen 62 <$(Q62)/SigVerPSS.req >$(A62)/SigVerPSS.rsp; fi - if [ -f $(Q)/KeyGenRSA.req ]; then $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_rsagtest < $(Q)/KeyGenRSA.req > $(A)/KeyGenRSA.rsp; fi - -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - -depend: - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(SRC) $(TEST) - -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - -clean: - rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips_rsa_eay.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsa_eay.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_rsa_eay.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_rsa_eay.o: ../../include/openssl/opensslconf.h -fips_rsa_eay.o: ../../include/openssl/opensslv.h -fips_rsa_eay.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h -fips_rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h -fips_rsa_eay.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_rsa_eay.o: fips_rsa_eay.c -fips_rsa_gen.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsa_gen.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_rsa_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_rsa_gen.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_rsa_gen.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_rsa_gen.o: ../../include/openssl/objects.h -fips_rsa_gen.o: ../../include/openssl/opensslconf.h -fips_rsa_gen.o: ../../include/openssl/opensslv.h -fips_rsa_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h -fips_rsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_rsa_gen.o: ../../include/openssl/symhacks.h ../fips_locl.h fips_rsa_gen.c -fips_rsa_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsa_lib.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_rsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_rsa_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_rsa_lib.o: ../../include/openssl/objects.h -fips_rsa_lib.o: ../../include/openssl/opensslconf.h -fips_rsa_lib.o: ../../include/openssl/opensslv.h -fips_rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h -fips_rsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -fips_rsa_lib.o: ../../include/openssl/symhacks.h fips_rsa_lib.c -fips_rsa_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsa_selftest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_rsa_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_rsa_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_rsa_selftest.o: ../../include/openssl/lhash.h -fips_rsa_selftest.o: ../../include/openssl/obj_mac.h -fips_rsa_selftest.o: ../../include/openssl/objects.h -fips_rsa_selftest.o: ../../include/openssl/opensslconf.h -fips_rsa_selftest.o: ../../include/openssl/opensslv.h -fips_rsa_selftest.o: ../../include/openssl/ossl_typ.h -fips_rsa_selftest.o: ../../include/openssl/rsa.h -fips_rsa_selftest.o: ../../include/openssl/safestack.h -fips_rsa_selftest.o: ../../include/openssl/stack.h -fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c -fips_rsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -fips_rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_rsa_sign.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_rsa_sign.o: ../../include/openssl/obj_mac.h -fips_rsa_sign.o: ../../include/openssl/objects.h -fips_rsa_sign.o: ../../include/openssl/opensslconf.h -fips_rsa_sign.o: ../../include/openssl/opensslv.h -fips_rsa_sign.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h -fips_rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -fips_rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_rsa_sign.o: fips_rsa_sign.c -fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h -fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_rsa_x931g.o: ../../include/openssl/opensslconf.h -fips_rsa_x931g.o: ../../include/openssl/opensslv.h -fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h -fips_rsa_x931g.o: ../../include/openssl/safestack.h -fips_rsa_x931g.o: ../../include/openssl/stack.h -fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c -fips_rsagtest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsagtest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -fips_rsagtest.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h -fips_rsagtest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -fips_rsagtest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -fips_rsagtest.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_rsagtest.o: ../../include/openssl/fips.h ../../include/openssl/hmac.h -fips_rsagtest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_rsagtest.o: ../../include/openssl/objects.h -fips_rsagtest.o: ../../include/openssl/opensslconf.h -fips_rsagtest.o: ../../include/openssl/opensslv.h -fips_rsagtest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -fips_rsagtest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h -fips_rsagtest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -fips_rsagtest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -fips_rsagtest.o: ../../include/openssl/x509_vfy.h -fips_rsagtest.o: ../../include/openssl/x509v3.h ../fips_utl.h fips_rsagtest.c -fips_rsastest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsastest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -fips_rsastest.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h -fips_rsastest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -fips_rsastest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -fips_rsastest.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_rsastest.o: ../../include/openssl/fips.h ../../include/openssl/hmac.h -fips_rsastest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_rsastest.o: ../../include/openssl/objects.h -fips_rsastest.o: ../../include/openssl/opensslconf.h -fips_rsastest.o: ../../include/openssl/opensslv.h -fips_rsastest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -fips_rsastest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h -fips_rsastest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -fips_rsastest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -fips_rsastest.o: ../../include/openssl/x509_vfy.h -fips_rsastest.o: ../../include/openssl/x509v3.h ../fips_utl.h fips_rsastest.c -fips_rsavtest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_rsavtest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -fips_rsavtest.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h -fips_rsavtest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -fips_rsavtest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -fips_rsavtest.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_rsavtest.o: ../../include/openssl/fips.h ../../include/openssl/hmac.h -fips_rsavtest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -fips_rsavtest.o: ../../include/openssl/objects.h -fips_rsavtest.o: ../../include/openssl/opensslconf.h -fips_rsavtest.o: ../../include/openssl/opensslv.h -fips_rsavtest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -fips_rsavtest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h -fips_rsavtest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -fips_rsavtest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -fips_rsavtest.o: ../../include/openssl/x509_vfy.h -fips_rsavtest.o: ../../include/openssl/x509v3.h ../fips_utl.h fips_rsavtest.c diff --git a/crypto/openssl/fips/rsa/fips_rsa_eay.c b/crypto/openssl/fips/rsa/fips_rsa_eay.c deleted file mode 100644 index 937a14e..0000000 --- a/crypto/openssl/fips/rsa/fips_rsa_eay.c +++ /dev/null @@ -1,934 +0,0 @@ -/* crypto/rsa/rsa_eay.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include <openssl/bn.h> -#include <openssl/rsa.h> -#include <openssl/rand.h> -#include <openssl/err.h> -#include <openssl/fips.h> - -#if !defined(RSA_NULL) && defined(OPENSSL_FIPS) - -static int RSA_eay_public_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa,int padding); -static int RSA_eay_private_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa,int padding); -static int RSA_eay_public_decrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa,int padding); -static int RSA_eay_private_decrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa,int padding); -static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); -static int RSA_eay_init(RSA *rsa); -static int RSA_eay_finish(RSA *rsa); -static RSA_METHOD rsa_pkcs1_eay_meth={ - "Eric Young's PKCS#1 RSA", - RSA_eay_public_encrypt, - RSA_eay_public_decrypt, /* signature verification */ - RSA_eay_private_encrypt, /* signing */ - RSA_eay_private_decrypt, - RSA_eay_mod_exp, - BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ - RSA_eay_init, - RSA_eay_finish, - RSA_FLAG_FIPS_METHOD, /* flags */ - NULL, - 0, /* rsa_sign */ - 0, /* rsa_verify */ - NULL /* rsa_keygen */ - }; - -const RSA_METHOD *RSA_PKCS1_SSLeay(void) - { - return(&rsa_pkcs1_eay_meth); - } - -/* Usage example; - * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); - */ -#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ - if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ - !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \ - CRYPTO_LOCK_RSA, \ - (rsa)->m, (ctx))) \ - err_instr - -static int RSA_eay_public_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { - BIGNUM *f,*ret; - int i,j,k,num=0,r= -1; - unsigned char *buf=NULL; - BN_CTX *ctx=NULL; - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_RSA_EAY_PUBLIC_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED); - goto err; - } - - if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); - return -1; - } - - if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); - return -1; - } - - if (BN_ucmp(rsa->n, rsa->e) <= 0) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); - return -1; - } - - /* for large moduli, enforce exponent limit */ - if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) - { - if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); - return -1; - } - } - - if ((ctx=BN_CTX_new()) == NULL) goto err; - BN_CTX_start(ctx); - f = BN_CTX_get(ctx); - ret = BN_CTX_get(ctx); - num=BN_num_bytes(rsa->n); - buf = OPENSSL_malloc(num); - if (!f || !ret || !buf) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); - goto err; - } - - switch (padding) - { - case RSA_PKCS1_PADDING: - i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen); - break; -#ifndef OPENSSL_NO_SHA - case RSA_PKCS1_OAEP_PADDING: - i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0); - break; -#endif - case RSA_SSLV23_PADDING: - i=RSA_padding_add_SSLv23(buf,num,from,flen); - break; - case RSA_NO_PADDING: - i=RSA_padding_add_none(buf,num,from,flen); - break; - default: - RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); - goto err; - } - if (i <= 0) goto err; - - if (BN_bin2bn(buf,num,f) == NULL) goto err; - - if (BN_ucmp(f, rsa->n) >= 0) - { - /* usually the padding functions would catch this */ - RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); - goto err; - } - - MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - - if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, - rsa->_method_mod_n)) goto err; - - /* put in leading 0 bytes if the number is less than the - * length of the modulus */ - j=BN_num_bytes(ret); - i=BN_bn2bin(ret,&(to[num-j])); - for (k=0; k<(num-i); k++) - to[k]=0; - - r=num; -err: - if (ctx != NULL) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - if (buf != NULL) - { - OPENSSL_cleanse(buf,num); - OPENSSL_free(buf); - } - return(r); - } - -static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) -{ - BN_BLINDING *ret; - int got_write_lock = 0; - - CRYPTO_r_lock(CRYPTO_LOCK_RSA); - - if (rsa->blinding == NULL) - { - CRYPTO_r_unlock(CRYPTO_LOCK_RSA); - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - got_write_lock = 1; - - if (rsa->blinding == NULL) - rsa->blinding = RSA_setup_blinding(rsa, ctx); - } - - ret = rsa->blinding; - if (ret == NULL) - goto err; - - if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) - { - /* rsa->blinding is ours! */ - - *local = 1; - } - else - { - /* resort to rsa->mt_blinding instead */ - - *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() - * that the BN_BLINDING is shared, meaning that accesses - * require locks, and that the blinding factor must be - * stored outside the BN_BLINDING - */ - - if (rsa->mt_blinding == NULL) - { - if (!got_write_lock) - { - CRYPTO_r_unlock(CRYPTO_LOCK_RSA); - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - got_write_lock = 1; - } - - if (rsa->mt_blinding == NULL) - rsa->mt_blinding = RSA_setup_blinding(rsa, ctx); - } - ret = rsa->mt_blinding; - } - - err: - if (got_write_lock) - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - else - CRYPTO_r_unlock(CRYPTO_LOCK_RSA); - return ret; -} - -static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, - BIGNUM *r, BN_CTX *ctx) -{ - if (local) - return BN_BLINDING_convert_ex(f, NULL, b, ctx); - else - { - int ret; - CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); - ret = BN_BLINDING_convert_ex(f, r, b, ctx); - CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING); - return ret; - } -} - -static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f, - BIGNUM *r, BN_CTX *ctx) -{ - if (local) - return BN_BLINDING_invert_ex(f, NULL, b, ctx); - else - { - int ret; - CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); - ret = BN_BLINDING_invert_ex(f, r, b, ctx); - CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); - return ret; - } -} - -/* signing */ -static int RSA_eay_private_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { - BIGNUM *f, *ret, *br, *res; - int i,j,k,num=0,r= -1; - unsigned char *buf=NULL; - BN_CTX *ctx=NULL; - int local_blinding = 0; - BN_BLINDING *blinding = NULL; - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_RSA_EAY_PRIVATE_ENCRYPT,FIPS_R_FIPS_SELFTEST_FAILED); - goto err; - } - - if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) - { - RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); - return -1; - } - - if ((ctx=BN_CTX_new()) == NULL) goto err; - BN_CTX_start(ctx); - f = BN_CTX_get(ctx); - br = BN_CTX_get(ctx); - ret = BN_CTX_get(ctx); - num = BN_num_bytes(rsa->n); - buf = OPENSSL_malloc(num); - if(!f || !ret || !buf) - { - RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); - goto err; - } - - switch (padding) - { - case RSA_PKCS1_PADDING: - i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); - break; - case RSA_X931_PADDING: - i=RSA_padding_add_X931(buf,num,from,flen); - break; - case RSA_NO_PADDING: - i=RSA_padding_add_none(buf,num,from,flen); - break; - case RSA_SSLV23_PADDING: - default: - RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_UNKNOWN_PADDING_TYPE); - goto err; - } - if (i <= 0) goto err; - - if (BN_bin2bn(buf,num,f) == NULL) goto err; - - if (BN_ucmp(f, rsa->n) >= 0) - { - /* usually the padding functions would catch this */ - RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); - goto err; - } - - if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) - { - blinding = rsa_get_blinding(rsa, &local_blinding, ctx); - if (blinding == NULL) - { - RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); - goto err; - } - } - - if (blinding != NULL) - if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) - goto err; - - if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || - ((rsa->p != NULL) && - (rsa->q != NULL) && - (rsa->dmp1 != NULL) && - (rsa->dmq1 != NULL) && - (rsa->iqmp != NULL)) ) - { - if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; - } - else - { - BIGNUM local_d; - BIGNUM *d = NULL; - - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - BN_init(&local_d); - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } - else - d = rsa->d; - - MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - - if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, - rsa->_method_mod_n)) goto err; - } - - if (blinding) - if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) - goto err; - - if (padding == RSA_X931_PADDING) - { - BN_sub(f, rsa->n, ret); - if (BN_cmp(ret, f)) - res = f; - else - res = ret; - } - else - res = ret; - - /* put in leading 0 bytes if the number is less than the - * length of the modulus */ - j=BN_num_bytes(res); - i=BN_bn2bin(res,&(to[num-j])); - for (k=0; k<(num-i); k++) - to[k]=0; - - r=num; -err: - if (ctx != NULL) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - if (buf != NULL) - { - OPENSSL_cleanse(buf,num); - OPENSSL_free(buf); - } - return(r); - } - -static int RSA_eay_private_decrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { - BIGNUM *f, *ret, *br; - int j,num=0,r= -1; - unsigned char *p; - unsigned char *buf=NULL; - BN_CTX *ctx=NULL; - int local_blinding = 0; - BN_BLINDING *blinding = NULL; - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_RSA_EAY_PRIVATE_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED); - goto err; - } - - if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) - { - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); - return -1; - } - - if((ctx = BN_CTX_new()) == NULL) goto err; - BN_CTX_start(ctx); - f = BN_CTX_get(ctx); - br = BN_CTX_get(ctx); - ret = BN_CTX_get(ctx); - num = BN_num_bytes(rsa->n); - buf = OPENSSL_malloc(num); - if(!f || !ret || !buf) - { - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); - goto err; - } - - /* This check was for equality but PGP does evil things - * and chops off the top '0' bytes */ - if (flen > num) - { - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); - goto err; - } - - /* make data into a big number */ - if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; - - if (BN_ucmp(f, rsa->n) >= 0) - { - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); - goto err; - } - - if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) - { - blinding = rsa_get_blinding(rsa, &local_blinding, ctx); - if (blinding == NULL) - { - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); - goto err; - } - } - - if (blinding != NULL) - if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) - goto err; - - /* do the decrypt */ - if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || - ((rsa->p != NULL) && - (rsa->q != NULL) && - (rsa->dmp1 != NULL) && - (rsa->dmq1 != NULL) && - (rsa->iqmp != NULL)) ) - { - if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; - } - else - { - BIGNUM local_d; - BIGNUM *d = NULL; - - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } - else - d = rsa->d; - - MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, - rsa->_method_mod_n)) - goto err; - } - - if (blinding) - if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) - goto err; - - p=buf; - j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ - - switch (padding) - { - case RSA_PKCS1_PADDING: - r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num); - break; -#ifndef OPENSSL_NO_SHA - case RSA_PKCS1_OAEP_PADDING: - r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0); - break; -#endif - case RSA_SSLV23_PADDING: - r=RSA_padding_check_SSLv23(to,num,buf,j,num); - break; - case RSA_NO_PADDING: - r=RSA_padding_check_none(to,num,buf,j,num); - break; - default: - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); - goto err; - } - if (r < 0) - RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); - -err: - if (ctx != NULL) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - if (buf != NULL) - { - OPENSSL_cleanse(buf,num); - OPENSSL_free(buf); - } - return(r); - } - -/* signature verification */ -static int RSA_eay_public_decrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { - BIGNUM *f,*ret; - int i,num=0,r= -1; - unsigned char *p; - unsigned char *buf=NULL; - BN_CTX *ctx=NULL; - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_RSA_EAY_PUBLIC_DECRYPT,FIPS_R_FIPS_SELFTEST_FAILED); - goto err; - } - - if (FIPS_mode() && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); - return -1; - } - - if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); - return -1; - } - - if (BN_ucmp(rsa->n, rsa->e) <= 0) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); - return -1; - } - - /* for large moduli, enforce exponent limit */ - if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) - { - if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); - return -1; - } - } - - if((ctx = BN_CTX_new()) == NULL) goto err; - BN_CTX_start(ctx); - f = BN_CTX_get(ctx); - ret = BN_CTX_get(ctx); - num=BN_num_bytes(rsa->n); - buf = OPENSSL_malloc(num); - if(!f || !ret || !buf) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); - goto err; - } - - /* This check was for equality but PGP does evil things - * and chops off the top '0' bytes */ - if (flen > num) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_GREATER_THAN_MOD_LEN); - goto err; - } - - if (BN_bin2bn(from,flen,f) == NULL) goto err; - - if (BN_ucmp(f, rsa->n) >= 0) - { - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); - goto err; - } - - MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - - if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, - rsa->_method_mod_n)) goto err; - - if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) - BN_sub(ret, rsa->n, ret); - - p=buf; - i=BN_bn2bin(ret,p); - - switch (padding) - { - case RSA_PKCS1_PADDING: - r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); - break; - case RSA_X931_PADDING: - r=RSA_padding_check_X931(to,num,buf,i,num); - break; - case RSA_NO_PADDING: - r=RSA_padding_check_none(to,num,buf,i,num); - break; - default: - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_UNKNOWN_PADDING_TYPE); - goto err; - } - if (r < 0) - RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); - -err: - if (ctx != NULL) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - if (buf != NULL) - { - OPENSSL_cleanse(buf,num); - OPENSSL_free(buf); - } - return(r); - } - -static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) - { - BIGNUM *r1,*m1,*vrfy; - BIGNUM local_dmp1,local_dmq1,local_c,local_r1; - BIGNUM *dmp1,*dmq1,*c,*pr1; - int bn_flags; - int ret=0; - - BN_CTX_start(ctx); - r1 = BN_CTX_get(ctx); - m1 = BN_CTX_get(ctx); - vrfy = BN_CTX_get(ctx); - - /* Make sure mod_inverse in montgomerey intialization use correct - * BN_FLG_CONSTTIME flag. - */ - bn_flags = rsa->p->flags; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - rsa->p->flags |= BN_FLG_CONSTTIME; - } - MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); - /* We restore bn_flags back */ - rsa->p->flags = bn_flags; - - /* Make sure mod_inverse in montgomerey intialization use correct - * BN_FLG_CONSTTIME flag. - */ - bn_flags = rsa->q->flags; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - rsa->q->flags |= BN_FLG_CONSTTIME; - } - MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); - /* We restore bn_flags back */ - rsa->q->flags = bn_flags; - - MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - - /* compute I mod q */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - c = &local_c; - BN_with_flags(c, I, BN_FLG_CONSTTIME); - if (!BN_mod(r1,c,rsa->q,ctx)) goto err; - } - else - { - if (!BN_mod(r1,I,rsa->q,ctx)) goto err; - } - - /* compute r1^dmq1 mod q */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - dmq1 = &local_dmq1; - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); - } - else - dmq1 = rsa->dmq1; - if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, - rsa->_method_mod_q)) goto err; - - /* compute I mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - c = &local_c; - BN_with_flags(c, I, BN_FLG_CONSTTIME); - if (!BN_mod(r1,c,rsa->p,ctx)) goto err; - } - else - { - if (!BN_mod(r1,I,rsa->p,ctx)) goto err; - } - - /* compute r1^dmp1 mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - dmp1 = &local_dmp1; - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); - } - else - dmp1 = rsa->dmp1; - if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, - rsa->_method_mod_p)) goto err; - - if (!BN_sub(r0,r0,m1)) goto err; - /* This will help stop the size of r0 increasing, which does - * affect the multiply if it optimised for a power of 2 size */ - if (BN_is_negative(r0)) - if (!BN_add(r0,r0,rsa->p)) goto err; - - if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; - - /* Turn BN_FLG_CONSTTIME flag on before division operation */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - pr1 = &local_r1; - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); - } - else - pr1 = r1; - if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; - - /* If p < q it is occasionally possible for the correction of - * adding 'p' if r0 is negative above to leave the result still - * negative. This can break the private key operations: the following - * second correction should *always* correct this rare occurrence. - * This will *never* happen with OpenSSL generated keys because - * they ensure p > q [steve] - */ - if (BN_is_negative(r0)) - if (!BN_add(r0,r0,rsa->p)) goto err; - if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; - if (!BN_add(r0,r1,m1)) goto err; - - if (rsa->e && rsa->n) - { - if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; - /* If 'I' was greater than (or equal to) rsa->n, the operation - * will be equivalent to using 'I mod n'. However, the result of - * the verify will *always* be less than 'n' so we don't check - * for absolute equality, just congruency. */ - if (!BN_sub(vrfy, vrfy, I)) goto err; - if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; - if (BN_is_negative(vrfy)) - if (!BN_add(vrfy, vrfy, rsa->n)) goto err; - if (!BN_is_zero(vrfy)) - { - /* 'I' and 'vrfy' aren't congruent mod n. Don't leak - * miscalculated CRT output, just do a raw (slower) - * mod_exp and return that instead. */ - - BIGNUM local_d; - BIGNUM *d = NULL; - - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } - else - d = rsa->d; - if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, - rsa->_method_mod_n)) goto err; - } - } - ret=1; -err: - BN_CTX_end(ctx); - return(ret); - } - -static int RSA_eay_init(RSA *rsa) - { - FIPS_selftest_check(); - rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE; - return(1); - } - -static int RSA_eay_finish(RSA *rsa) - { - if (rsa->_method_mod_n != NULL) - BN_MONT_CTX_free(rsa->_method_mod_n); - if (rsa->_method_mod_p != NULL) - BN_MONT_CTX_free(rsa->_method_mod_p); - if (rsa->_method_mod_q != NULL) - BN_MONT_CTX_free(rsa->_method_mod_q); - return(1); - } - -#endif diff --git a/crypto/openssl/fips/rsa/fips_rsa_gen.c b/crypto/openssl/fips/rsa/fips_rsa_gen.c deleted file mode 100644 index 90aaa2f..0000000 --- a/crypto/openssl/fips/rsa/fips_rsa_gen.c +++ /dev/null @@ -1,310 +0,0 @@ -/* crypto/rsa/rsa_gen.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - - -/* NB: these functions have been "upgraded", the deprecated versions (which are - * compatibility wrappers using these functions) are in rsa_depr.c. - * - Geoff - */ - -#include <stdio.h> -#include <time.h> -#include <string.h> -#include <openssl/crypto.h> -#include <openssl/bn.h> -#include <openssl/rsa.h> -#include <openssl/err.h> -#include <openssl/evp.h> -#include <openssl/fips.h> -#include "fips_locl.h" - -#ifdef OPENSSL_FIPS - -static int fips_rsa_pairwise_fail = 0; - -void FIPS_corrupt_rsa_keygen(void) - { - fips_rsa_pairwise_fail = 1; - } - -int fips_check_rsa(RSA *rsa) - { - const unsigned char tbs[] = "RSA Pairwise Check Data"; - unsigned char *ctbuf = NULL, *ptbuf = NULL; - int len, ret = 0; - EVP_PKEY pk; - pk.type = EVP_PKEY_RSA; - pk.pkey.rsa = rsa; - - /* Perform pairwise consistency signature test */ - if (!fips_pkey_signature_test(&pk, tbs, -1, - NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) - || !fips_pkey_signature_test(&pk, tbs, -1, - NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, NULL) - || !fips_pkey_signature_test(&pk, tbs, -1, - NULL, 0, EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, NULL)) - goto err; - /* Now perform pairwise consistency encrypt/decrypt test */ - ctbuf = OPENSSL_malloc(RSA_size(rsa)); - if (!ctbuf) - goto err; - - len = RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, RSA_PKCS1_PADDING); - if (len <= 0) - goto err; - /* Check ciphertext doesn't match plaintext */ - if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len)) - goto err; - ptbuf = OPENSSL_malloc(RSA_size(rsa)); - - if (!ptbuf) - goto err; - len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); - if (len != (sizeof(tbs) - 1)) - goto err; - if (memcmp(ptbuf, tbs, len)) - goto err; - - ret = 1; - - if (!ptbuf) - goto err; - - err: - if (ret == 0) - { - fips_set_selftest_fail(); - FIPSerr(FIPS_F_FIPS_CHECK_RSA,FIPS_R_PAIRWISE_TEST_FAILED); - } - - if (ctbuf) - OPENSSL_free(ctbuf); - if (ptbuf) - OPENSSL_free(ptbuf); - - return ret; - } - -static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); - -/* NB: this wrapper would normally be placed in rsa_lib.c and the static - * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so - * that we don't introduce a new linker dependency. Eg. any application that - * wasn't previously linking object code related to key-generation won't have to - * now just because key-generation is part of RSA_METHOD. */ -int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) - { - if(rsa->meth->rsa_keygen) - return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); - return rsa_builtin_keygen(rsa, bits, e_value, cb); - } - -static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) - { - BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp; - BIGNUM local_r0,local_d,local_p; - BIGNUM *pr0,*d,*p; - int bitsp,bitsq,ok= -1,n=0; - BN_CTX *ctx=NULL; - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_FIPS_SELFTEST_FAILED); - return 0; - } - - if (FIPS_mode() && (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) - { - FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN,FIPS_R_KEY_TOO_SHORT); - return 0; - } - - ctx=BN_CTX_new(); - if (ctx == NULL) goto err; - BN_CTX_start(ctx); - r0 = BN_CTX_get(ctx); - r1 = BN_CTX_get(ctx); - r2 = BN_CTX_get(ctx); - r3 = BN_CTX_get(ctx); - if (r3 == NULL) goto err; - - bitsp=(bits+1)/2; - bitsq=bits-bitsp; - - /* We need the RSA components non-NULL */ - if(!rsa->n && ((rsa->n=BN_new()) == NULL)) goto err; - if(!rsa->d && ((rsa->d=BN_new()) == NULL)) goto err; - if(!rsa->e && ((rsa->e=BN_new()) == NULL)) goto err; - if(!rsa->p && ((rsa->p=BN_new()) == NULL)) goto err; - if(!rsa->q && ((rsa->q=BN_new()) == NULL)) goto err; - if(!rsa->dmp1 && ((rsa->dmp1=BN_new()) == NULL)) goto err; - if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err; - if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err; - - BN_copy(rsa->e, e_value); - - /* generate p and q */ - for (;;) - { - if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) - goto err; - if (!BN_sub(r2,rsa->p,BN_value_one())) goto err; - if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err; - if (BN_is_one(r1)) break; - if(!BN_GENCB_call(cb, 2, n++)) - goto err; - } - if(!BN_GENCB_call(cb, 3, 0)) - goto err; - for (;;) - { - /* When generating ridiculously small keys, we can get stuck - * continually regenerating the same prime values. Check for - * this and bail if it happens 3 times. */ - unsigned int degenerate = 0; - do - { - if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) - goto err; - } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); - if(degenerate == 3) - { - ok = 0; /* we set our own err */ - RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,RSA_R_KEY_SIZE_TOO_SMALL); - goto err; - } - if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; - if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err; - if (BN_is_one(r1)) - break; - if(!BN_GENCB_call(cb, 2, n++)) - goto err; - } - if(!BN_GENCB_call(cb, 3, 1)) - goto err; - if (BN_cmp(rsa->p,rsa->q) < 0) - { - tmp=rsa->p; - rsa->p=rsa->q; - rsa->q=tmp; - } - - /* calculate n */ - if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) goto err; - - /* calculate d */ - if (!BN_sub(r1,rsa->p,BN_value_one())) goto err; /* p-1 */ - if (!BN_sub(r2,rsa->q,BN_value_one())) goto err; /* q-1 */ - if (!BN_mul(r0,r1,r2,ctx)) goto err; /* (p-1)(q-1) */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - pr0 = &local_r0; - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); - } - else - pr0 = r0; - if (!BN_mod_inverse(rsa->d,rsa->e,pr0,ctx)) goto err; /* d */ - - /* set up d for correct BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } - else - d = rsa->d; - - /* calculate d mod (p-1) */ - if (!BN_mod(rsa->dmp1,d,r1,ctx)) goto err; - - /* calculate d mod (q-1) */ - if (!BN_mod(rsa->dmq1,d,r2,ctx)) goto err; - - /* calculate inverse of q mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) - { - p = &local_p; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - } - else - p = rsa->p; - if (!BN_mod_inverse(rsa->iqmp,rsa->q,p,ctx)) goto err; - - if (fips_rsa_pairwise_fail) - BN_add_word(rsa->n, 1); - - if(!fips_check_rsa(rsa)) - goto err; - - ok=1; -err: - if (ok == -1) - { - RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN); - ok=0; - } - if (ctx != NULL) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - - return ok; - } - -#endif diff --git a/crypto/openssl/fips/rsa/fips_rsa_lib.c b/crypto/openssl/fips/rsa/fips_rsa_lib.c deleted file mode 100644 index a37ad3e..0000000 --- a/crypto/openssl/fips/rsa/fips_rsa_lib.c +++ /dev/null @@ -1,101 +0,0 @@ -/* fips_rsa_sign.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2007. - */ -/* ==================================================================== - * Copyright (c) 2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <string.h> -#include <openssl/evp.h> -#include <openssl/rsa.h> -#include <openssl/bn.h> -#include <openssl/err.h> - -/* Minimal FIPS versions of FIPS_rsa_new() and FIPS_rsa_free: to - * reduce external dependencies. - */ - -RSA *FIPS_rsa_new(void) - { - RSA *ret; - ret = OPENSSL_malloc(sizeof(RSA)); - if (!ret) - return NULL; - memset(ret, 0, sizeof(RSA)); - ret->meth = RSA_PKCS1_SSLeay(); - if (ret->meth->init) - ret->meth->init(ret); - return ret; - } - -void FIPS_rsa_free(RSA *r) - { - if (!r) - return; - if (r->meth->finish) - r->meth->finish(r); - if (r->n != NULL) BN_clear_free(r->n); - if (r->e != NULL) BN_clear_free(r->e); - if (r->d != NULL) BN_clear_free(r->d); - if (r->p != NULL) BN_clear_free(r->p); - if (r->q != NULL) BN_clear_free(r->q); - if (r->dmp1 != NULL) BN_clear_free(r->dmp1); - if (r->dmq1 != NULL) BN_clear_free(r->dmq1); - if (r->iqmp != NULL) BN_clear_free(r->iqmp); - if (r->blinding != NULL) BN_BLINDING_free(r->blinding); - if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding); - if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data); - OPENSSL_free(r); - } - diff --git a/crypto/openssl/fips/rsa/fips_rsa_selftest.c b/crypto/openssl/fips/rsa/fips_rsa_selftest.c deleted file mode 100644 index bead61f..0000000 --- a/crypto/openssl/fips/rsa/fips_rsa_selftest.c +++ /dev/null @@ -1,432 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <string.h> -#include <openssl/err.h> -#include <openssl/fips.h> -#include <openssl/rsa.h> -#include <openssl/evp.h> -#include <openssl/bn.h> -#include <openssl/opensslconf.h> - -#ifdef OPENSSL_FIPS - -static unsigned char n[] = -"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" -"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" -"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" -"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" -"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" -"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" -"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" -"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" -"\xCB"; - - -static int setrsakey(RSA *key) - { - static const unsigned char e[] = "\x11"; - - static const unsigned char d[] = -"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" -"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" -"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" -"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" -"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" -"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" -"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" -"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" -"\xC1"; - - static const unsigned char p[] = -"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" -"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" -"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" -"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" -"\x99"; - - static const unsigned char q[] = -"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" -"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" -"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" -"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" -"\x03"; - - static const unsigned char dmp1[] = -"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" -"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" -"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" -"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; - - static const unsigned char dmq1[] = -"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" -"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" -"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" -"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; - - static const unsigned char iqmp[] = -"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" -"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" -"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" -"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" -"\xF7"; - - key->n = BN_bin2bn(n, sizeof(n)-1, key->n); - key->e = BN_bin2bn(e, sizeof(e)-1, key->e); - key->d = BN_bin2bn(d, sizeof(d)-1, key->d); - key->p = BN_bin2bn(p, sizeof(p)-1, key->p); - key->q = BN_bin2bn(q, sizeof(q)-1, key->q); - key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1); - key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1); - key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp); - return 1; - } - -void FIPS_corrupt_rsa() - { - n[0]++; - } - -/* Known Answer Test (KAT) data for the above RSA private key signing - * kat_tbs. - */ - -static const unsigned char kat_tbs[] = "OpenSSL FIPS 140-2 Public Key RSA KAT"; - -static const unsigned char kat_RSA_PSS_SHA1[] = { - 0x2D, 0xAF, 0x6E, 0xC2, 0x98, 0xFB, 0x8A, 0xA1, 0xB9, 0x46, 0xDA, 0x0F, - 0x01, 0x1E, 0x37, 0x93, 0xC2, 0x55, 0x27, 0xE4, 0x1D, 0xD2, 0x90, 0xBB, - 0xF4, 0xBF, 0x4A, 0x74, 0x39, 0x51, 0xBB, 0xE8, 0x0C, 0xB7, 0xF8, 0xD3, - 0xD1, 0xDF, 0xE7, 0xBE, 0x80, 0x05, 0xC3, 0xB5, 0xC7, 0x83, 0xD5, 0x4C, - 0x7F, 0x49, 0xFB, 0x3F, 0x29, 0x9B, 0xE1, 0x12, 0x51, 0x60, 0xD0, 0xA7, - 0x0D, 0xA9, 0x28, 0x56, 0x73, 0xD9, 0x07, 0xE3, 0x5E, 0x3F, 0x9B, 0xF5, - 0xB6, 0xF3, 0xF2, 0x5E, 0x74, 0xC9, 0x83, 0x81, 0x47, 0xF0, 0xC5, 0x45, - 0x0A, 0xE9, 0x8E, 0x38, 0xD7, 0x18, 0xC6, 0x2A, 0x0F, 0xF8, 0xB7, 0x31, - 0xD6, 0x55, 0xE4, 0x66, 0x78, 0x81, 0xD4, 0xE6, 0xDB, 0x9F, 0xBA, 0xE8, - 0x23, 0xB5, 0x7F, 0xDC, 0x08, 0xEA, 0xD5, 0x26, 0x1E, 0x20, 0x25, 0x84, - 0x26, 0xC6, 0x79, 0xC9, 0x9B, 0x3D, 0x7E, 0xA9 -}; - -static const unsigned char kat_RSA_PSS_SHA224[] = { - 0x39, 0x4A, 0x6A, 0x20, 0xBC, 0xE9, 0x33, 0xED, 0xEF, 0xC5, 0x58, 0xA7, - 0xFE, 0x81, 0xC4, 0x36, 0x50, 0x9A, 0x2C, 0x82, 0x98, 0x08, 0x95, 0xFA, - 0xB1, 0x9E, 0xD2, 0x55, 0x61, 0x87, 0x21, 0x59, 0x87, 0x7B, 0x1F, 0x57, - 0x30, 0x9D, 0x0D, 0x4A, 0x06, 0xEB, 0x52, 0x37, 0x55, 0x54, 0x1C, 0x89, - 0x83, 0x75, 0x59, 0x65, 0x64, 0x90, 0x2E, 0x16, 0xCC, 0x86, 0x05, 0xEE, - 0xB1, 0xE6, 0x7B, 0xBA, 0x16, 0x75, 0x0D, 0x0C, 0x64, 0x0B, 0xAB, 0x22, - 0x15, 0x78, 0x6B, 0x6F, 0xA4, 0xFB, 0x77, 0x40, 0x64, 0x62, 0xD1, 0xB5, - 0x37, 0x1E, 0xE0, 0x3D, 0xA8, 0xF9, 0xD2, 0xBD, 0xAA, 0x38, 0x24, 0x49, - 0x58, 0xD2, 0x74, 0x85, 0xF4, 0xB5, 0x93, 0x8E, 0xF5, 0x03, 0xEA, 0x2D, - 0xC8, 0x52, 0xFA, 0xCF, 0x7E, 0x35, 0xB0, 0x6A, 0xAF, 0x95, 0xC0, 0x00, - 0x54, 0x76, 0x3D, 0x0C, 0x9C, 0xB2, 0xEE, 0xC0 -}; - -static const unsigned char kat_RSA_PSS_SHA256[] = { - 0x6D, 0x3D, 0xBE, 0x8F, 0x60, 0x6D, 0x25, 0x14, 0xF0, 0x31, 0xE3, 0x89, - 0x00, 0x97, 0xFA, 0x99, 0x71, 0x28, 0xE5, 0x10, 0x25, 0x9A, 0xF3, 0x8F, - 0x7B, 0xC5, 0xA8, 0x4A, 0x74, 0x51, 0x36, 0xE2, 0x8D, 0x7D, 0x73, 0x28, - 0xC1, 0x77, 0xC6, 0x27, 0x97, 0x00, 0x8B, 0x00, 0xA3, 0x96, 0x73, 0x4E, - 0x7D, 0x2E, 0x2C, 0x34, 0x68, 0x8C, 0x8E, 0xDF, 0x9D, 0x49, 0x47, 0x05, - 0xAB, 0xF5, 0x01, 0xD6, 0x81, 0x47, 0x70, 0xF5, 0x1D, 0x6D, 0x26, 0xBA, - 0x2F, 0x7A, 0x54, 0x53, 0x4E, 0xED, 0x71, 0xD9, 0x5A, 0xF3, 0xDA, 0xB6, - 0x0B, 0x47, 0x34, 0xAF, 0x90, 0xDC, 0xC8, 0xD9, 0x6F, 0x56, 0xCD, 0x9F, - 0x21, 0xB7, 0x7E, 0xAD, 0x7C, 0x2F, 0x75, 0x50, 0x47, 0x12, 0xE4, 0x6D, - 0x5F, 0xB7, 0x01, 0xDF, 0xC3, 0x11, 0x6C, 0xA9, 0x9E, 0x49, 0xB9, 0xF6, - 0x72, 0xF4, 0xF6, 0xEF, 0x88, 0x1E, 0x2D, 0x1C -}; - -static const unsigned char kat_RSA_PSS_SHA384[] = { - 0x40, 0xFB, 0xA1, 0x21, 0xF4, 0xB2, 0x40, 0x9A, 0xB4, 0x31, 0xA8, 0xF2, - 0xEC, 0x1C, 0xC4, 0xC8, 0x7C, 0x22, 0x65, 0x9C, 0x57, 0x45, 0xCD, 0x5E, - 0x86, 0x00, 0xF7, 0x25, 0x78, 0xDE, 0xDC, 0x7A, 0x71, 0x44, 0x9A, 0xCD, - 0xAA, 0x25, 0xF4, 0xB2, 0xFC, 0xF0, 0x75, 0xD9, 0x2F, 0x78, 0x23, 0x7F, - 0x6F, 0x02, 0xEF, 0xC1, 0xAF, 0xA6, 0x28, 0x16, 0x31, 0xDC, 0x42, 0x6C, - 0xB2, 0x44, 0xE5, 0x4D, 0x66, 0xA2, 0xE6, 0x71, 0xF3, 0xAC, 0x4F, 0xFB, - 0x91, 0xCA, 0xF5, 0x70, 0xEF, 0x6B, 0x9D, 0xA4, 0xEF, 0xD9, 0x3D, 0x2F, - 0x3A, 0xBE, 0x89, 0x38, 0x59, 0x01, 0xBA, 0xDA, 0x32, 0xAD, 0x42, 0x89, - 0x98, 0x8B, 0x39, 0x44, 0xF0, 0xFC, 0x38, 0xAC, 0x87, 0x1F, 0xCA, 0x6F, - 0x48, 0xF6, 0xAE, 0xD7, 0x45, 0xEE, 0xAE, 0x88, 0x0E, 0x60, 0xF4, 0x55, - 0x48, 0x44, 0xEE, 0x1F, 0x90, 0x18, 0x4B, 0xF1 -}; - -static const unsigned char kat_RSA_PSS_SHA512[] = { - 0x07, 0x1E, 0xD8, 0xD5, 0x05, 0xE8, 0xE6, 0xE6, 0x57, 0xAE, 0x63, 0x8C, - 0xC6, 0x83, 0xB7, 0xA0, 0x59, 0xBB, 0xF2, 0xC6, 0x8F, 0x12, 0x53, 0x9A, - 0x9B, 0x54, 0x9E, 0xB3, 0xC1, 0x1D, 0x23, 0x4D, 0x51, 0xED, 0x9E, 0xDD, - 0x4B, 0xF3, 0x46, 0x9B, 0x6B, 0xF6, 0x7C, 0x24, 0x60, 0x79, 0x23, 0x39, - 0x01, 0x1C, 0x51, 0xCB, 0xD8, 0xE9, 0x9A, 0x01, 0x67, 0x5F, 0xFE, 0xD7, - 0x7C, 0xE3, 0x7F, 0xED, 0xDB, 0x87, 0xBB, 0xF0, 0x3D, 0x78, 0x55, 0x61, - 0x57, 0xE3, 0x0F, 0xE3, 0xD2, 0x9D, 0x0C, 0x2A, 0x20, 0xB0, 0x85, 0x13, - 0xC5, 0x47, 0x34, 0x0D, 0x32, 0x15, 0xC8, 0xAE, 0x9A, 0x6A, 0x39, 0x63, - 0x2D, 0x60, 0xF5, 0x4C, 0xDF, 0x8A, 0x48, 0x4B, 0xBF, 0xF4, 0xA8, 0xFE, - 0x76, 0xF2, 0x32, 0x1B, 0x9C, 0x7C, 0xCA, 0xFE, 0x7F, 0x80, 0xC2, 0x88, - 0x5C, 0x97, 0x70, 0xB4, 0x26, 0xC9, 0x14, 0x8B -}; - -static const unsigned char kat_RSA_SHA1[] = { - 0x71, 0xEE, 0x1A, 0xC0, 0xFE, 0x01, 0x93, 0x54, 0x79, 0x5C, 0xF2, 0x4C, - 0x4A, 0xFD, 0x1A, 0x05, 0x8F, 0x64, 0xB1, 0x6D, 0x61, 0x33, 0x8D, 0x9B, - 0xE7, 0xFD, 0x60, 0xA3, 0x83, 0xB5, 0xA3, 0x51, 0x55, 0x77, 0x90, 0xCF, - 0xDC, 0x22, 0x37, 0x8E, 0xD0, 0xE1, 0xAE, 0x09, 0xE3, 0x3D, 0x1E, 0xF8, - 0x80, 0xD1, 0x8B, 0xC2, 0xEC, 0x0A, 0xD7, 0x6B, 0x88, 0x8B, 0x8B, 0xA1, - 0x20, 0x22, 0xBE, 0x59, 0x5B, 0xE0, 0x23, 0x24, 0xA1, 0x49, 0x30, 0xBA, - 0xA9, 0x9E, 0xE8, 0xB1, 0x8A, 0x62, 0x16, 0xBF, 0x4E, 0xCA, 0x2E, 0x4E, - 0xBC, 0x29, 0xA8, 0x67, 0x13, 0xB7, 0x9F, 0x1D, 0x04, 0x44, 0xE5, 0x5F, - 0x35, 0x07, 0x11, 0xBC, 0xED, 0x19, 0x37, 0x21, 0xCF, 0x23, 0x48, 0x1F, - 0x72, 0x05, 0xDE, 0xE6, 0xE8, 0x7F, 0x33, 0x8A, 0x76, 0x4B, 0x2F, 0x95, - 0xDF, 0xF1, 0x5F, 0x84, 0x80, 0xD9, 0x46, 0xB4 -}; - -static const unsigned char kat_RSA_SHA224[] = { - 0x62, 0xAA, 0x79, 0xA9, 0x18, 0x0E, 0x5F, 0x8C, 0xBB, 0xB7, 0x15, 0xF9, - 0x25, 0xBB, 0xFA, 0xD4, 0x3A, 0x34, 0xED, 0x9E, 0xA0, 0xA9, 0x18, 0x8D, - 0x5B, 0x55, 0x9A, 0x7E, 0x1E, 0x08, 0x08, 0x60, 0xC5, 0x1A, 0xC5, 0x89, - 0x08, 0xE2, 0x1B, 0xBD, 0x62, 0x50, 0x17, 0x76, 0x30, 0x2C, 0x9E, 0xCD, - 0xA4, 0x02, 0xAD, 0xB1, 0x6D, 0x44, 0x6D, 0xD5, 0xC6, 0x45, 0x41, 0xE5, - 0xEE, 0x1F, 0x8D, 0x7E, 0x08, 0x16, 0xA6, 0xE1, 0x5E, 0x0B, 0xA9, 0xCC, - 0xDB, 0x59, 0x55, 0x87, 0x09, 0x25, 0x70, 0x86, 0x84, 0x02, 0xC6, 0x3B, - 0x0B, 0x44, 0x4C, 0x46, 0x95, 0xF4, 0xF8, 0x5A, 0x91, 0x28, 0x3E, 0xB2, - 0x58, 0x2E, 0x06, 0x45, 0x49, 0xE0, 0x92, 0xE2, 0xC0, 0x66, 0xE6, 0x35, - 0xD9, 0x79, 0x7F, 0x17, 0x5E, 0x02, 0x73, 0x04, 0x77, 0x82, 0xE6, 0xDC, - 0x40, 0x21, 0x89, 0x8B, 0x37, 0x3E, 0x1E, 0x8D -}; - -static const unsigned char kat_RSA_SHA256[] = { - 0x0D, 0x55, 0xE2, 0xAA, 0x81, 0xDB, 0x8E, 0x82, 0x05, 0x17, 0xA5, 0x23, - 0xE7, 0x3B, 0x1D, 0xAF, 0xFB, 0x8C, 0xD0, 0x81, 0x20, 0x7B, 0xAA, 0x23, - 0x92, 0x87, 0x8C, 0xD1, 0x53, 0x85, 0x16, 0xDC, 0xBE, 0xAD, 0x6F, 0x35, - 0x98, 0x2D, 0x69, 0x84, 0xBF, 0xD9, 0x8A, 0x01, 0x17, 0x58, 0xB2, 0x6E, - 0x2C, 0x44, 0x9B, 0x90, 0xF1, 0xFB, 0x51, 0xE8, 0x6A, 0x90, 0x2D, 0x18, - 0x0E, 0xC0, 0x90, 0x10, 0x24, 0xA9, 0x1D, 0xB3, 0x58, 0x7A, 0x91, 0x30, - 0xBE, 0x22, 0xC7, 0xD3, 0xEC, 0xC3, 0x09, 0x5D, 0xBF, 0xE2, 0x80, 0x3A, - 0x7C, 0x85, 0xB4, 0xBC, 0xD1, 0xE9, 0xF0, 0x5C, 0xDE, 0x81, 0xA6, 0x38, - 0xB8, 0x42, 0xBB, 0x86, 0xC5, 0x9D, 0xCE, 0x7C, 0x2C, 0xEE, 0xD1, 0xDA, - 0x27, 0x48, 0x2B, 0xF5, 0xAB, 0xB9, 0xF7, 0x80, 0xD1, 0x90, 0x27, 0x90, - 0xBD, 0x44, 0x97, 0x60, 0xCD, 0x57, 0xC0, 0x7A -}; - -static const unsigned char kat_RSA_SHA384[] = { - 0x1D, 0xE3, 0x6A, 0xDD, 0x27, 0x4C, 0xC0, 0xA5, 0x27, 0xEF, 0xE6, 0x1F, - 0xD2, 0x91, 0x68, 0x59, 0x04, 0xAE, 0xBD, 0x99, 0x63, 0x56, 0x47, 0xC7, - 0x6F, 0x22, 0x16, 0x48, 0xD0, 0xF9, 0x18, 0xA9, 0xCA, 0xFA, 0x5D, 0x5C, - 0xA7, 0x65, 0x52, 0x8A, 0xC8, 0x44, 0x7E, 0x86, 0x5D, 0xA9, 0xA6, 0x55, - 0x65, 0x3E, 0xD9, 0x2D, 0x02, 0x38, 0xA8, 0x79, 0x28, 0x7F, 0xB6, 0xCF, - 0x82, 0xDD, 0x7E, 0x55, 0xE1, 0xB1, 0xBC, 0xE2, 0x19, 0x2B, 0x30, 0xC2, - 0x1B, 0x2B, 0xB0, 0x82, 0x46, 0xAC, 0x4B, 0xD1, 0xE2, 0x7D, 0xEB, 0x8C, - 0xFF, 0x95, 0xE9, 0x6A, 0x1C, 0x3D, 0x4D, 0xBF, 0x8F, 0x8B, 0x9C, 0xCD, - 0xEA, 0x85, 0xEE, 0x00, 0xDC, 0x1C, 0xA7, 0xEB, 0xD0, 0x8F, 0x99, 0xF1, - 0x16, 0x28, 0x24, 0x64, 0x04, 0x39, 0x2D, 0x58, 0x1E, 0x37, 0xDC, 0x04, - 0xBD, 0x31, 0xA2, 0x2F, 0xB3, 0x35, 0x56, 0xBF -}; - -static const unsigned char kat_RSA_SHA512[] = { - 0x69, 0x52, 0x1B, 0x51, 0x5E, 0x06, 0xCA, 0x9B, 0x16, 0x51, 0x5D, 0xCF, - 0x49, 0x25, 0x4A, 0xA1, 0x6A, 0x77, 0x4C, 0x36, 0x40, 0xF8, 0xB2, 0x9A, - 0x15, 0xEA, 0x5C, 0xE5, 0xE6, 0x82, 0xE0, 0x86, 0x82, 0x6B, 0x32, 0xF1, - 0x04, 0xC1, 0x5A, 0x1A, 0xED, 0x1E, 0x9A, 0xB6, 0x4C, 0x54, 0x9F, 0xD8, - 0x8D, 0xCC, 0xAC, 0x8A, 0xBB, 0x9C, 0x82, 0x3F, 0xA6, 0x53, 0x62, 0xB5, - 0x80, 0xE2, 0xBC, 0xDD, 0x67, 0x2B, 0xD9, 0x3F, 0xE4, 0x75, 0x92, 0x6B, - 0xAF, 0x62, 0x7C, 0x52, 0xF0, 0xEE, 0x33, 0xDF, 0x1B, 0x1D, 0x47, 0xE6, - 0x59, 0x56, 0xA5, 0xB9, 0x5C, 0xE6, 0x77, 0x78, 0x16, 0x63, 0x84, 0x05, - 0x6F, 0x0E, 0x2B, 0x31, 0x9D, 0xF7, 0x7F, 0xB2, 0x64, 0x71, 0xE0, 0x2D, - 0x3E, 0x62, 0xCE, 0xB5, 0x3F, 0x88, 0xDF, 0x2D, 0xAB, 0x98, 0x65, 0x91, - 0xDF, 0x70, 0x14, 0xA5, 0x3F, 0x36, 0xAB, 0x84 -}; - -static const unsigned char kat_RSA_X931_SHA1[] = { - 0x86, 0xB4, 0x18, 0xBA, 0xD1, 0x80, 0xB6, 0x7C, 0x42, 0x45, 0x4D, 0xDF, - 0xE9, 0x2D, 0xE1, 0x83, 0x5F, 0xB5, 0x2F, 0xC9, 0xCD, 0xC4, 0xB2, 0x75, - 0x80, 0xA4, 0xF1, 0x4A, 0xE7, 0x83, 0x12, 0x1E, 0x1E, 0x14, 0xB8, 0xAC, - 0x35, 0xE2, 0xAA, 0x0B, 0x5C, 0xF8, 0x38, 0x4D, 0x04, 0xEE, 0xA9, 0x97, - 0x70, 0xFB, 0x5E, 0xE7, 0xB7, 0xE3, 0x62, 0x23, 0x4B, 0x38, 0xBE, 0xD6, - 0x53, 0x15, 0xF7, 0xDF, 0x87, 0xB4, 0x0E, 0xCC, 0xB1, 0x1A, 0x11, 0x19, - 0xEE, 0x51, 0xCC, 0x92, 0xDD, 0xBC, 0x63, 0x29, 0x63, 0x0C, 0x59, 0xD7, - 0x6F, 0x4C, 0x3C, 0x37, 0x5B, 0x37, 0x03, 0x61, 0x7D, 0x24, 0x1C, 0x99, - 0x48, 0xAF, 0x82, 0xFE, 0x32, 0x41, 0x9B, 0xB2, 0xDB, 0xEA, 0xED, 0x76, - 0x8E, 0x6E, 0xCA, 0x7E, 0x4E, 0x14, 0xBA, 0x30, 0x84, 0x1C, 0xB3, 0x67, - 0xA3, 0x29, 0x80, 0x70, 0x54, 0x68, 0x7D, 0x49 -}; - -static const unsigned char kat_RSA_X931_SHA256[] = { - 0x7E, 0xA2, 0x77, 0xFE, 0xB8, 0x54, 0x8A, 0xC7, 0x7F, 0x64, 0x54, 0x89, - 0xE5, 0x52, 0x15, 0x8E, 0x52, 0x96, 0x4E, 0xA6, 0x58, 0x92, 0x1C, 0xDD, - 0xEA, 0xA2, 0x2D, 0x5C, 0xD1, 0x62, 0x00, 0x49, 0x05, 0x95, 0x73, 0xCF, - 0x16, 0x76, 0x68, 0xF6, 0xC6, 0x5E, 0x80, 0xB8, 0xB8, 0x7B, 0xC8, 0x9B, - 0xC6, 0x53, 0x88, 0x26, 0x20, 0x88, 0x73, 0xB6, 0x13, 0xB8, 0xF0, 0x4B, - 0x00, 0x85, 0xF3, 0xDD, 0x07, 0x50, 0xEB, 0x20, 0xC4, 0x38, 0x0E, 0x98, - 0xAD, 0x4E, 0x49, 0x2C, 0xD7, 0x65, 0xA5, 0x19, 0x0E, 0x59, 0x01, 0xEC, - 0x7E, 0x75, 0x89, 0x69, 0x2E, 0x63, 0x76, 0x85, 0x46, 0x8D, 0xA0, 0x8C, - 0x33, 0x1D, 0x82, 0x8C, 0x03, 0xEA, 0x69, 0x88, 0x35, 0xA1, 0x42, 0xBD, - 0x21, 0xED, 0x8D, 0xBC, 0xBC, 0xDB, 0x30, 0xFF, 0x86, 0xF0, 0x5B, 0xDC, - 0xE3, 0xE2, 0xE8, 0x0A, 0x0A, 0x29, 0x94, 0x80 -}; - -static const unsigned char kat_RSA_X931_SHA384[] = { - 0x5C, 0x7D, 0x96, 0x35, 0xEC, 0x7E, 0x11, 0x38, 0xBB, 0x7B, 0xEC, 0x7B, - 0xF2, 0x82, 0x8E, 0x99, 0xBD, 0xEF, 0xD8, 0xAE, 0xD7, 0x39, 0x37, 0xCB, - 0xE6, 0x4F, 0x5E, 0x0A, 0x13, 0xE4, 0x2E, 0x40, 0xB9, 0xBE, 0x2E, 0xE3, - 0xEF, 0x78, 0x83, 0x18, 0x44, 0x35, 0x9C, 0x8E, 0xD7, 0x4A, 0x63, 0xF6, - 0x57, 0xC2, 0xB0, 0x08, 0x51, 0x73, 0xCF, 0xCA, 0x99, 0x66, 0xEE, 0x31, - 0xD8, 0x69, 0xE9, 0xAB, 0x13, 0x27, 0x7B, 0x41, 0x1E, 0x6D, 0x8D, 0xF1, - 0x3E, 0x9C, 0x35, 0x95, 0x58, 0xDD, 0x2B, 0xD5, 0xA0, 0x60, 0x41, 0x79, - 0x24, 0x22, 0xE4, 0xB7, 0xBF, 0x47, 0x53, 0xF6, 0x34, 0xD5, 0x7C, 0xFF, - 0x0E, 0x09, 0xEE, 0x2E, 0xE2, 0x37, 0xB9, 0xDE, 0xC5, 0x12, 0x44, 0x35, - 0xEF, 0x01, 0xE6, 0x5E, 0x39, 0x31, 0x2D, 0x71, 0xA5, 0xDC, 0xC6, 0x6D, - 0xE2, 0xCD, 0x85, 0xDB, 0x73, 0x82, 0x65, 0x28 -}; - -static const unsigned char kat_RSA_X931_SHA512[] = { - 0xA6, 0x65, 0xA2, 0x77, 0x4F, 0xB3, 0x86, 0xCB, 0x64, 0x3A, 0xC1, 0x63, - 0xFC, 0xA1, 0xAA, 0xCB, 0x9B, 0x79, 0xDD, 0x4B, 0xE1, 0xD9, 0xDA, 0xAC, - 0xE7, 0x47, 0x09, 0xB2, 0x11, 0x4B, 0x8A, 0xAA, 0x05, 0x9E, 0x77, 0xD7, - 0x3A, 0xBD, 0x5E, 0x53, 0x09, 0x4A, 0xE6, 0x0F, 0x5E, 0xF9, 0x14, 0x28, - 0xA0, 0x99, 0x74, 0x64, 0x70, 0x4E, 0xF2, 0xE3, 0xFA, 0xC7, 0xF8, 0xC5, - 0x6E, 0x2B, 0x79, 0x96, 0x0D, 0x0C, 0xC8, 0x10, 0x34, 0x53, 0xD2, 0xAF, - 0x17, 0x0E, 0xE0, 0xBF, 0x79, 0xF6, 0x04, 0x72, 0x10, 0xE0, 0xF6, 0xD0, - 0xCE, 0x8A, 0x6F, 0xA1, 0x95, 0x89, 0xBF, 0x58, 0x8F, 0x46, 0x5F, 0x09, - 0x9F, 0x09, 0xCA, 0x84, 0x15, 0x85, 0xE0, 0xED, 0x04, 0x2D, 0xFB, 0x7C, - 0x36, 0x35, 0x21, 0x31, 0xC3, 0xFD, 0x92, 0x42, 0x11, 0x30, 0x71, 0x1B, - 0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3 -}; - - -int FIPS_selftest_rsa() - { - int ret = 0; - RSA *key = NULL; - EVP_PKEY pk; - key=FIPS_rsa_new(); - setrsakey(key); - pk.type = EVP_PKEY_RSA; - pk.pkey.rsa = key; - - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_SHA1, sizeof(kat_RSA_SHA1), - EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PKCS1, - "RSA SHA1 PKCS#1")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_SHA224, sizeof(kat_RSA_SHA224), - EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PKCS1, - "RSA SHA224 PKCS#1")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_SHA256, sizeof(kat_RSA_SHA256), - EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, - "RSA SHA256 PKCS#1")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_SHA384, sizeof(kat_RSA_SHA384), - EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PKCS1, - "RSA SHA384 PKCS#1")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_SHA512, sizeof(kat_RSA_SHA512), - EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PKCS1, - "RSA SHA512 PKCS#1")) - goto err; - - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_PSS_SHA1, sizeof(kat_RSA_PSS_SHA1), - EVP_sha1(), EVP_MD_CTX_FLAG_PAD_PSS, - "RSA SHA1 PSS")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_PSS_SHA224, sizeof(kat_RSA_PSS_SHA224), - EVP_sha224(), EVP_MD_CTX_FLAG_PAD_PSS, - "RSA SHA224 PSS")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_PSS_SHA256, sizeof(kat_RSA_PSS_SHA256), - EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PSS, - "RSA SHA256 PSS")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_PSS_SHA384, sizeof(kat_RSA_PSS_SHA384), - EVP_sha384(), EVP_MD_CTX_FLAG_PAD_PSS, - "RSA SHA384 PSS")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_PSS_SHA512, sizeof(kat_RSA_PSS_SHA512), - EVP_sha512(), EVP_MD_CTX_FLAG_PAD_PSS, - "RSA SHA512 PSS")) - goto err; - - - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_X931_SHA1, sizeof(kat_RSA_X931_SHA1), - EVP_sha1(), EVP_MD_CTX_FLAG_PAD_X931, - "RSA SHA1 X931")) - goto err; - /* NB: SHA224 not supported in X9.31 */ - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_X931_SHA256, sizeof(kat_RSA_X931_SHA256), - EVP_sha256(), EVP_MD_CTX_FLAG_PAD_X931, - "RSA SHA256 X931")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_X931_SHA384, sizeof(kat_RSA_X931_SHA384), - EVP_sha384(), EVP_MD_CTX_FLAG_PAD_X931, - "RSA SHA384 X931")) - goto err; - if (!fips_pkey_signature_test(&pk, kat_tbs, sizeof(kat_tbs) - 1, - kat_RSA_X931_SHA512, sizeof(kat_RSA_X931_SHA512), - EVP_sha512(), EVP_MD_CTX_FLAG_PAD_X931, - "RSA SHA512 X931")) - goto err; - - - ret = 1; - - err: - FIPS_rsa_free(key); - return ret; - } - -#endif /* def OPENSSL_FIPS */ diff --git a/crypto/openssl/fips/rsa/fips_rsa_sign.c b/crypto/openssl/fips/rsa/fips_rsa_sign.c deleted file mode 100644 index 3736462..0000000 --- a/crypto/openssl/fips/rsa/fips_rsa_sign.c +++ /dev/null @@ -1,554 +0,0 @@ -/* fips_rsa_sign.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2007. - */ -/* ==================================================================== - * Copyright (c) 2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <string.h> -#include <openssl/evp.h> -#include <openssl/rsa.h> -#include <openssl/err.h> -#include <openssl/sha.h> - -#ifdef OPENSSL_FIPS - -/* FIPS versions of RSA_sign() and RSA_verify(). - * These will only have to deal with SHA* signatures and by including - * pregenerated encodings all ASN1 dependencies can be avoided - */ - -/* Standard encodings including NULL parameter */ - -static const unsigned char sha1_bin[] = { - 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, - 0x00, 0x04, 0x14 -}; - -static const unsigned char sha224_bin[] = { - 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c -}; - -static const unsigned char sha256_bin[] = { - 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 -}; - -static const unsigned char sha384_bin[] = { - 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30 -}; - -static const unsigned char sha512_bin[] = { - 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 -}; - -/* Alternate encodings with absent parameters. We don't generate signature - * using this format but do tolerate received signatures of this form. - */ - -static unsigned char sha1_nn_bin[] = { - 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, - 0x14 -}; - -static unsigned char sha224_nn_bin[] = { - 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x04, 0x04, 0x1c -}; - -static unsigned char sha256_nn_bin[] = { - 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x01, 0x04, 0x20 -}; - -static unsigned char sha384_nn_bin[] = { - 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x02, 0x04, 0x30 -}; - -static unsigned char sha512_nn_bin[] = { - 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x03, 0x04, 0x40 -}; - - -static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len) - { - switch (nid) - { - - case NID_sha1: - *len = sizeof(sha1_bin); - return sha1_bin; - - case NID_sha224: - *len = sizeof(sha224_bin); - return sha224_bin; - - case NID_sha256: - *len = sizeof(sha256_bin); - return sha256_bin; - - case NID_sha384: - *len = sizeof(sha384_bin); - return sha384_bin; - - case NID_sha512: - *len = sizeof(sha512_bin); - return sha512_bin; - - default: - return NULL; - - } - } - -static const unsigned char *fips_digestinfo_nn_encoding(int nid, unsigned int *len) - { - switch (nid) - { - - case NID_sha1: - *len = sizeof(sha1_nn_bin); - return sha1_nn_bin; - - case NID_sha224: - *len = sizeof(sha224_nn_bin); - return sha224_nn_bin; - - case NID_sha256: - *len = sizeof(sha256_nn_bin); - return sha256_nn_bin; - - case NID_sha384: - *len = sizeof(sha384_nn_bin); - return sha384_nn_bin; - - case NID_sha512: - *len = sizeof(sha512_nn_bin); - return sha512_nn_bin; - - default: - return NULL; - - } - } - -static int fips_rsa_sign(int type, const unsigned char *x, unsigned int y, - unsigned char *sigret, unsigned int *siglen, EVP_MD_SVCTX *sv) - { - int i=0,j,ret=0; - unsigned int dlen; - const unsigned char *der; - unsigned int m_len; - int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK; - int rsa_pad_mode = 0; - RSA *rsa = sv->key; - /* Largest DigestInfo: 19 (max encoding) + max MD */ - unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE]; - unsigned char md[EVP_MAX_MD_SIZE + 1]; - - EVP_DigestFinal_ex(sv->mctx, md, &m_len); - - if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) - { - ret = rsa->meth->rsa_sign(type, md, m_len, - sigret, siglen, rsa); - goto done; - } - - if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931) - { - int hash_id; - memcpy(tmpdinfo, md, m_len); - hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx)); - if (hash_id == -1) - { - RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); - return 0; - } - tmpdinfo[m_len] = (unsigned char)hash_id; - i = m_len + 1; - rsa_pad_mode = RSA_X931_PADDING; - } - else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1) - { - - der = fips_digestinfo_encoding(type, &dlen); - - if (!der) - { - RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE); - return 0; - } - memcpy(tmpdinfo, der, dlen); - memcpy(tmpdinfo + dlen, md, m_len); - - i = dlen + m_len; - rsa_pad_mode = RSA_PKCS1_PADDING; - - } - else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS) - { - unsigned char *sbuf; - int saltlen; - i = RSA_size(rsa); - sbuf = OPENSSL_malloc(RSA_size(rsa)); - saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx); - if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN) - saltlen = -1; - else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC) - saltlen = -2; - if (!sbuf) - { - RSAerr(RSA_F_FIPS_RSA_SIGN,ERR_R_MALLOC_FAILURE); - goto psserr; - } - if (!RSA_padding_add_PKCS1_PSS(rsa, sbuf, md, - M_EVP_MD_CTX_md(sv->mctx), saltlen)) - goto psserr; - j=rsa->meth->rsa_priv_enc(i,sbuf,sigret,rsa,RSA_NO_PADDING); - if (j > 0) - { - ret=1; - *siglen=j; - } - psserr: - OPENSSL_cleanse(md,m_len); - OPENSSL_cleanse(sbuf, i); - OPENSSL_free(sbuf); - return ret; - } - - j=RSA_size(rsa); - if (i > (j-RSA_PKCS1_PADDING_SIZE)) - { - RSAerr(RSA_F_FIPS_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); - goto done; - } - /* NB: call underlying method directly to avoid FIPS blocking */ - j=rsa->meth->rsa_priv_enc(i,tmpdinfo,sigret,rsa,rsa_pad_mode); - if (j > 0) - { - ret=1; - *siglen=j; - } - - done: - OPENSSL_cleanse(tmpdinfo,i); - OPENSSL_cleanse(md,m_len); - return ret; - } - -static int fips_rsa_verify(int dtype, - const unsigned char *x, unsigned int y, - unsigned char *sigbuf, unsigned int siglen, EVP_MD_SVCTX *sv) - { - int i,ret=0; - unsigned int dlen, diglen; - int pad_mode = sv->mctx->flags & EVP_MD_CTX_FLAG_PAD_MASK; - int rsa_pad_mode = 0; - unsigned char *s; - const unsigned char *der; - unsigned char dig[EVP_MAX_MD_SIZE]; - RSA *rsa = sv->key; - - if (siglen != (unsigned int)RSA_size(sv->key)) - { - RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); - return(0); - } - - EVP_DigestFinal_ex(sv->mctx, dig, &diglen); - - if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) - { - return rsa->meth->rsa_verify(dtype, dig, diglen, - sigbuf, siglen, rsa); - } - - - s= OPENSSL_malloc((unsigned int)siglen); - if (s == NULL) - { - RSAerr(RSA_F_FIPS_RSA_VERIFY,ERR_R_MALLOC_FAILURE); - goto err; - } - if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931) - rsa_pad_mode = RSA_X931_PADDING; - else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1) - rsa_pad_mode = RSA_PKCS1_PADDING; - else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS) - rsa_pad_mode = RSA_NO_PADDING; - - /* NB: call underlying method directly to avoid FIPS blocking */ - i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s, rsa, rsa_pad_mode); - - if (i <= 0) goto err; - - if (pad_mode == EVP_MD_CTX_FLAG_PAD_X931) - { - int hash_id; - if (i != (int)(diglen + 1)) - { - RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE); - goto err; - } - hash_id = RSA_X931_hash_id(M_EVP_MD_CTX_type(sv->mctx)); - if (hash_id == -1) - { - RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE); - goto err; - } - if (s[diglen] != (unsigned char)hash_id) - { - RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE); - goto err; - } - if (memcmp(s, dig, diglen)) - { - RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE); - goto err; - } - ret = 1; - } - else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PKCS1) - { - - der = fips_digestinfo_encoding(dtype, &dlen); - - if (!der) - { - RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_UNKNOWN_ALGORITHM_TYPE); - return(0); - } - - /* Compare, DigestInfo length, DigestInfo header and finally - * digest value itself - */ - - /* If length mismatch try alternate encoding */ - if (i != (int)(dlen + diglen)) - der = fips_digestinfo_nn_encoding(dtype, &dlen); - - if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen) - || memcmp(s + dlen, dig, diglen)) - { - RSAerr(RSA_F_FIPS_RSA_VERIFY,RSA_R_BAD_SIGNATURE); - goto err; - } - ret = 1; - - } - else if (pad_mode == EVP_MD_CTX_FLAG_PAD_PSS) - { - int saltlen; - saltlen = M_EVP_MD_CTX_FLAG_PSS_SALT(sv->mctx); - if (saltlen == EVP_MD_CTX_FLAG_PSS_MDLEN) - saltlen = -1; - else if (saltlen == EVP_MD_CTX_FLAG_PSS_MREC) - saltlen = -2; - ret = RSA_verify_PKCS1_PSS(rsa, dig, M_EVP_MD_CTX_md(sv->mctx), - s, saltlen); - if (ret < 0) - ret = 0; - } -err: - if (s != NULL) - { - OPENSSL_cleanse(s, siglen); - OPENSSL_free(s); - } - return(ret); - } - -#define EVP_PKEY_RSA_fips_method \ - (evp_sign_method *)fips_rsa_sign, \ - (evp_verify_method *)fips_rsa_verify, \ - {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0} - -static int init(EVP_MD_CTX *ctx) - { return SHA1_Init(ctx->md_data); } - -static int update(EVP_MD_CTX *ctx,const void *data,size_t count) - { return SHA1_Update(ctx->md_data,data,count); } - -static int final(EVP_MD_CTX *ctx,unsigned char *md) - { return SHA1_Final(md,ctx->md_data); } - -static const EVP_MD sha1_md= - { - NID_sha1, - NID_sha1WithRSAEncryption, - SHA_DIGEST_LENGTH, - EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, - init, - update, - final, - NULL, - NULL, - EVP_PKEY_RSA_fips_method, - SHA_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA_CTX), - }; - -const EVP_MD *EVP_sha1(void) - { - return(&sha1_md); - } - -static int init224(EVP_MD_CTX *ctx) - { return SHA224_Init(ctx->md_data); } -static int init256(EVP_MD_CTX *ctx) - { return SHA256_Init(ctx->md_data); } -/* - * Even though there're separate SHA224_[Update|Final], we call - * SHA256 functions even in SHA224 context. This is what happens - * there anyway, so we can spare few CPU cycles:-) - */ -static int update256(EVP_MD_CTX *ctx,const void *data,size_t count) - { return SHA256_Update(ctx->md_data,data,count); } -static int final256(EVP_MD_CTX *ctx,unsigned char *md) - { return SHA256_Final(md,ctx->md_data); } - -static const EVP_MD sha224_md= - { - NID_sha224, - NID_sha224WithRSAEncryption, - SHA224_DIGEST_LENGTH, - EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, - init224, - update256, - final256, - NULL, - NULL, - EVP_PKEY_RSA_fips_method, - SHA256_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA256_CTX), - }; - -const EVP_MD *EVP_sha224(void) - { return(&sha224_md); } - -static const EVP_MD sha256_md= - { - NID_sha256, - NID_sha256WithRSAEncryption, - SHA256_DIGEST_LENGTH, - EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, - init256, - update256, - final256, - NULL, - NULL, - EVP_PKEY_RSA_fips_method, - SHA256_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA256_CTX), - }; - -const EVP_MD *EVP_sha256(void) - { return(&sha256_md); } - -static int init384(EVP_MD_CTX *ctx) - { return SHA384_Init(ctx->md_data); } -static int init512(EVP_MD_CTX *ctx) - { return SHA512_Init(ctx->md_data); } -/* See comment in SHA224/256 section */ -static int update512(EVP_MD_CTX *ctx,const void *data,size_t count) - { return SHA512_Update(ctx->md_data,data,count); } -static int final512(EVP_MD_CTX *ctx,unsigned char *md) - { return SHA512_Final(md,ctx->md_data); } - -static const EVP_MD sha384_md= - { - NID_sha384, - NID_sha384WithRSAEncryption, - SHA384_DIGEST_LENGTH, - EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, - init384, - update512, - final512, - NULL, - NULL, - EVP_PKEY_RSA_fips_method, - SHA512_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA512_CTX), - }; - -const EVP_MD *EVP_sha384(void) - { return(&sha384_md); } - -static const EVP_MD sha512_md= - { - NID_sha512, - NID_sha512WithRSAEncryption, - SHA512_DIGEST_LENGTH, - EVP_MD_FLAG_FIPS|EVP_MD_FLAG_SVCTX, - init512, - update512, - final512, - NULL, - NULL, - EVP_PKEY_RSA_fips_method, - SHA512_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA512_CTX), - }; - -const EVP_MD *EVP_sha512(void) - { return(&sha512_md); } - -#endif diff --git a/crypto/openssl/fips/rsa/fips_rsa_x931g.c b/crypto/openssl/fips/rsa/fips_rsa_x931g.c deleted file mode 100644 index d9f9a81..0000000 --- a/crypto/openssl/fips/rsa/fips_rsa_x931g.c +++ /dev/null @@ -1,280 +0,0 @@ -/* crypto/rsa/rsa_gen.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include <stdio.h> -#include <string.h> -#include <time.h> -#include <openssl/err.h> -#include <openssl/bn.h> -#include <openssl/rsa.h> -#include <openssl/fips.h> - -#ifdef OPENSSL_FIPS - -extern int fips_check_rsa(RSA *rsa); - - -/* X9.31 RSA key derivation and generation */ - -int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, - const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp, - const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq, - const BIGNUM *e, BN_GENCB *cb) - { - BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL; - BN_CTX *ctx=NULL,*ctx2=NULL; - - if (!rsa) - goto err; - - ctx = BN_CTX_new(); - BN_CTX_start(ctx); - if (!ctx) - goto err; - - r0 = BN_CTX_get(ctx); - r1 = BN_CTX_get(ctx); - r2 = BN_CTX_get(ctx); - r3 = BN_CTX_get(ctx); - - if (r3 == NULL) - goto err; - if (!rsa->e) - { - rsa->e = BN_dup(e); - if (!rsa->e) - goto err; - } - else - e = rsa->e; - - /* If not all parameters present only calculate what we can. - * This allows test programs to output selective parameters. - */ - - if (Xp && !rsa->p) - { - rsa->p = BN_new(); - if (!rsa->p) - goto err; - - if (!BN_X931_derive_prime_ex(rsa->p, p1, p2, - Xp, Xp1, Xp2, e, ctx, cb)) - goto err; - } - - if (Xq && !rsa->q) - { - rsa->q = BN_new(); - if (!rsa->q) - goto err; - if (!BN_X931_derive_prime_ex(rsa->q, q1, q2, - Xq, Xq1, Xq2, e, ctx, cb)) - goto err; - } - - if (!rsa->p || !rsa->q) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return 2; - } - - /* Since both primes are set we can now calculate all remaining - * components. - */ - - /* calculate n */ - rsa->n=BN_new(); - if (rsa->n == NULL) - goto err; - if (!BN_mul(rsa->n,rsa->p,rsa->q,ctx)) - goto err; - - /* calculate d */ - if (!BN_sub(r1,rsa->p,BN_value_one())) - goto err; /* p-1 */ - if (!BN_sub(r2,rsa->q,BN_value_one())) - goto err; /* q-1 */ - if (!BN_mul(r0,r1,r2,ctx)) - goto err; /* (p-1)(q-1) */ - - if (!BN_gcd(r3, r1, r2, ctx)) - goto err; - - if (!BN_div(r0, NULL, r0, r3, ctx)) - goto err; /* LCM((p-1)(q-1)) */ - - ctx2 = BN_CTX_new(); - if (!ctx2) - goto err; - - rsa->d=BN_mod_inverse(NULL,rsa->e,r0,ctx2); /* d */ - if (rsa->d == NULL) - goto err; - - /* calculate d mod (p-1) */ - rsa->dmp1=BN_new(); - if (rsa->dmp1 == NULL) - goto err; - if (!BN_mod(rsa->dmp1,rsa->d,r1,ctx)) - goto err; - - /* calculate d mod (q-1) */ - rsa->dmq1=BN_new(); - if (rsa->dmq1 == NULL) - goto err; - if (!BN_mod(rsa->dmq1,rsa->d,r2,ctx)) - goto err; - - /* calculate inverse of q mod p */ - rsa->iqmp=BN_mod_inverse(NULL,rsa->q,rsa->p,ctx2); - - err: - if (ctx) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - if (ctx2) - BN_CTX_free(ctx2); - /* If this is set all calls successful */ - if (rsa->iqmp != NULL) - return 1; - - return 0; - - } - -int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb) - { - int ok = 0; - BIGNUM *Xp = NULL, *Xq = NULL; - BN_CTX *ctx = NULL; - - if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) - { - FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_KEY_TOO_SHORT); - return 0; - } - - if (bits & 0xff) - { - FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_INVALID_KEY_LENGTH); - return 0; - } - - if(FIPS_selftest_failed()) - { - FIPSerr(FIPS_F_RSA_X931_GENERATE_KEY_EX,FIPS_R_FIPS_SELFTEST_FAILED); - return 0; - } - - ctx = BN_CTX_new(); - if (!ctx) - goto error; - - BN_CTX_start(ctx); - Xp = BN_CTX_get(ctx); - Xq = BN_CTX_get(ctx); - if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx)) - goto error; - - rsa->p = BN_new(); - rsa->q = BN_new(); - if (!rsa->p || !rsa->q) - goto error; - - /* Generate two primes from Xp, Xq */ - - if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp, - e, ctx, cb)) - goto error; - - if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq, - e, ctx, cb)) - goto error; - - /* Since rsa->p and rsa->q are valid this call will just derive - * remaining RSA components. - */ - - if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, e, cb)) - goto error; - - if(!fips_check_rsa(rsa)) - goto error; - - ok = 1; - - error: - if (ctx) - { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - - if (ok) - return 1; - - return 0; - - } - -#endif diff --git a/crypto/openssl/fips/rsa/fips_rsagtest.c b/crypto/openssl/fips/rsa/fips_rsagtest.c deleted file mode 100644 index 657e1b6..0000000 --- a/crypto/openssl/fips/rsa/fips_rsagtest.c +++ /dev/null @@ -1,390 +0,0 @@ -/* fips_rsagtest.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2005. - */ -/* ==================================================================== - * Copyright (c) 2005,2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include <ctype.h> -#include <string.h> -#include <openssl/bio.h> -#include <openssl/evp.h> -#include <openssl/hmac.h> -#include <openssl/err.h> -#include <openssl/bn.h> -#include <openssl/x509v3.h> - -#ifndef OPENSSL_FIPS - -int main(int argc, char *argv[]) -{ - printf("No FIPS RSA support\n"); - return(0); -} - -#else - -#include <openssl/rsa.h> -#include "fips_utl.h" - -int rsa_test(FILE *out, FILE *in); -static int rsa_printkey1(FILE *out, RSA *rsa, - BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp, - BIGNUM *e); -static int rsa_printkey2(FILE *out, RSA *rsa, - BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq); - -int main(int argc, char **argv) - { - FILE *in = NULL, *out = NULL; - - int ret = 1; - - if(!FIPS_mode_set(1)) - { - do_print_errors(); - goto end; - } - - if (argc == 1) - in = stdin; - else - in = fopen(argv[1], "r"); - - if (argc < 2) - out = stdout; - else - out = fopen(argv[2], "w"); - - if (!in) - { - fprintf(stderr, "FATAL input initialization error\n"); - goto end; - } - - if (!out) - { - fprintf(stderr, "FATAL output initialization error\n"); - goto end; - } - - if (!rsa_test(out, in)) - { - fprintf(stderr, "FATAL RSAGTEST file processing error\n"); - goto end; - } - else - ret = 0; - - end: - - if (ret) - do_print_errors(); - - if (in && (in != stdin)) - fclose(in); - if (out && (out != stdout)) - fclose(out); - - return ret; - - } - -#define RSA_TEST_MAXLINELEN 10240 - -int rsa_test(FILE *out, FILE *in) - { - char *linebuf, *olinebuf, *p, *q; - char *keyword, *value; - RSA *rsa = NULL; - BIGNUM *Xp1 = NULL, *Xp2 = NULL, *Xp = NULL; - BIGNUM *Xq1 = NULL, *Xq2 = NULL, *Xq = NULL; - BIGNUM *e = NULL; - int ret = 0; - int lnum = 0; - - olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); - linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); - - if (!linebuf || !olinebuf) - goto error; - - while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in)) - { - lnum++; - strcpy(linebuf, olinebuf); - keyword = linebuf; - /* Skip leading space */ - while (isspace((unsigned char)*keyword)) - keyword++; - - /* Look for = sign */ - p = strchr(linebuf, '='); - - /* If no = or starts with [ (for [foo = bar] line) just copy */ - if (!p || *keyword=='[') - { - if (fputs(olinebuf, out) < 0) - goto error; - continue; - } - - q = p - 1; - - /* Remove trailing space */ - while (isspace((unsigned char)*q)) - *q-- = 0; - - *p = 0; - value = p + 1; - - /* Remove leading space from value */ - while (isspace((unsigned char)*value)) - value++; - - /* Remove trailing space from value */ - p = value + strlen(value) - 1; - - while (*p == '\n' || isspace((unsigned char)*p)) - *p-- = 0; - - if (!strcmp(keyword, "xp1")) - { - if (Xp1 || !do_hex2bn(&Xp1,value)) - goto parse_error; - } - else if (!strcmp(keyword, "xp2")) - { - if (Xp2 || !do_hex2bn(&Xp2,value)) - goto parse_error; - } - else if (!strcmp(keyword, "Xp")) - { - if (Xp || !do_hex2bn(&Xp,value)) - goto parse_error; - } - else if (!strcmp(keyword, "xq1")) - { - if (Xq1 || !do_hex2bn(&Xq1,value)) - goto parse_error; - } - else if (!strcmp(keyword, "xq2")) - { - if (Xq2 || !do_hex2bn(&Xq2,value)) - goto parse_error; - } - else if (!strcmp(keyword, "Xq")) - { - if (Xq || !do_hex2bn(&Xq,value)) - goto parse_error; - } - else if (!strcmp(keyword, "e")) - { - if (e || !do_hex2bn(&e,value)) - goto parse_error; - } - else if (!strcmp(keyword, "p1")) - continue; - else if (!strcmp(keyword, "p2")) - continue; - else if (!strcmp(keyword, "p")) - continue; - else if (!strcmp(keyword, "q1")) - continue; - else if (!strcmp(keyword, "q2")) - continue; - else if (!strcmp(keyword, "q")) - continue; - else if (!strcmp(keyword, "n")) - continue; - else if (!strcmp(keyword, "d")) - continue; - else - goto parse_error; - - fputs(olinebuf, out); - - if (e && Xp1 && Xp2 && Xp) - { - rsa = FIPS_rsa_new(); - if (!rsa) - goto error; - if (!rsa_printkey1(out, rsa, Xp1, Xp2, Xp, e)) - goto error; - BN_free(Xp1); - Xp1 = NULL; - BN_free(Xp2); - Xp2 = NULL; - BN_free(Xp); - Xp = NULL; - BN_free(e); - e = NULL; - } - - if (rsa && Xq1 && Xq2 && Xq) - { - if (!rsa_printkey2(out, rsa, Xq1, Xq2, Xq)) - goto error; - BN_free(Xq1); - Xq1 = NULL; - BN_free(Xq2); - Xq2 = NULL; - BN_free(Xq); - Xq = NULL; - FIPS_rsa_free(rsa); - rsa = NULL; - } - } - - ret = 1; - - error: - - if (olinebuf) - OPENSSL_free(olinebuf); - if (linebuf) - OPENSSL_free(linebuf); - - if (Xp1) - BN_free(Xp1); - if (Xp2) - BN_free(Xp2); - if (Xp) - BN_free(Xp); - if (Xq1) - BN_free(Xq1); - if (Xq1) - BN_free(Xq1); - if (Xq2) - BN_free(Xq2); - if (Xq) - BN_free(Xq); - if (e) - BN_free(e); - if (rsa) - FIPS_rsa_free(rsa); - - return ret; - - parse_error: - - fprintf(stderr, "FATAL parse error processing line %d\n", lnum); - - goto error; - - } - -static int rsa_printkey1(FILE *out, RSA *rsa, - BIGNUM *Xp1, BIGNUM *Xp2, BIGNUM *Xp, - BIGNUM *e) - { - int ret = 0; - BIGNUM *p1 = NULL, *p2 = NULL; - p1 = BN_new(); - p2 = BN_new(); - if (!p1 || !p2) - goto error; - - if (!RSA_X931_derive_ex(rsa, p1, p2, NULL, NULL, Xp1, Xp2, Xp, - NULL, NULL, NULL, e, NULL)) - goto error; - - do_bn_print_name(out, "p1", p1); - do_bn_print_name(out, "p2", p2); - do_bn_print_name(out, "p", rsa->p); - - ret = 1; - - error: - if (p1) - BN_free(p1); - if (p2) - BN_free(p2); - - return ret; - } - -static int rsa_printkey2(FILE *out, RSA *rsa, - BIGNUM *Xq1, BIGNUM *Xq2, BIGNUM *Xq) - { - int ret = 0; - BIGNUM *q1 = NULL, *q2 = NULL; - q1 = BN_new(); - q2 = BN_new(); - if (!q1 || !q2) - goto error; - - if (!RSA_X931_derive_ex(rsa, NULL, NULL, q1, q2, NULL, NULL, NULL, - Xq1, Xq2, Xq, NULL, NULL)) - goto error; - - do_bn_print_name(out, "q1", q1); - do_bn_print_name(out, "q2", q2); - do_bn_print_name(out, "q", rsa->q); - do_bn_print_name(out, "n", rsa->n); - do_bn_print_name(out, "d", rsa->d); - - ret = 1; - - error: - if (q1) - BN_free(q1); - if (q2) - BN_free(q2); - - return ret; - } - -#endif diff --git a/crypto/openssl/fips/rsa/fips_rsastest.c b/crypto/openssl/fips/rsa/fips_rsastest.c deleted file mode 100644 index 452084f..0000000 --- a/crypto/openssl/fips/rsa/fips_rsastest.c +++ /dev/null @@ -1,370 +0,0 @@ -/* fips_rsastest.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2005. - */ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include <ctype.h> -#include <string.h> -#include <openssl/bio.h> -#include <openssl/evp.h> -#include <openssl/hmac.h> -#include <openssl/err.h> -#include <openssl/bn.h> -#include <openssl/x509v3.h> - -#ifndef OPENSSL_FIPS - -int main(int argc, char *argv[]) -{ - printf("No FIPS RSA support\n"); - return(0); -} - -#else - -#include <openssl/rsa.h> -#include "fips_utl.h" - -static int rsa_stest(FILE *out, FILE *in, int Saltlen); -static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst, - unsigned char *Msg, long Msglen, int Saltlen); - -int main(int argc, char **argv) - { - FILE *in = NULL, *out = NULL; - - int ret = 1, Saltlen = -1; - - if(!FIPS_mode_set(1)) - { - do_print_errors(); - goto end; - } - - if ((argc > 2) && !strcmp("-saltlen", argv[1])) - { - Saltlen = atoi(argv[2]); - if (Saltlen < 0) - { - fprintf(stderr, "FATAL: Invalid salt length\n"); - goto end; - } - argc -= 2; - argv += 2; - } - else if ((argc > 1) && !strcmp("-x931", argv[1])) - { - Saltlen = -2; - argc--; - argv++; - } - - if (argc == 1) - in = stdin; - else - in = fopen(argv[1], "r"); - - if (argc < 2) - out = stdout; - else - out = fopen(argv[2], "w"); - - if (!in) - { - fprintf(stderr, "FATAL input initialization error\n"); - goto end; - } - - if (!out) - { - fprintf(stderr, "FATAL output initialization error\n"); - goto end; - } - - if (!rsa_stest(out, in, Saltlen)) - { - fprintf(stderr, "FATAL RSASTEST file processing error\n"); - goto end; - } - else - ret = 0; - - end: - - if (ret) - do_print_errors(); - - if (in && (in != stdin)) - fclose(in); - if (out && (out != stdout)) - fclose(out); - - return ret; - - } - -#define RSA_TEST_MAXLINELEN 10240 - -int rsa_stest(FILE *out, FILE *in, int Saltlen) - { - char *linebuf, *olinebuf, *p, *q; - char *keyword, *value; - RSA *rsa = NULL; - const EVP_MD *dgst = NULL; - unsigned char *Msg = NULL; - long Msglen = -1; - int keylen = -1, current_keylen = -1; - int ret = 0; - int lnum = 0; - - olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); - linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); - - if (!linebuf || !olinebuf) - goto error; - - while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in)) - { - lnum++; - strcpy(linebuf, olinebuf); - keyword = linebuf; - /* Skip leading space */ - while (isspace((unsigned char)*keyword)) - keyword++; - - /* Look for = sign */ - p = strchr(linebuf, '='); - - /* If no = just copy */ - if (!p) - { - if (fputs(olinebuf, out) < 0) - goto error; - continue; - } - - q = p - 1; - - /* Remove trailing space */ - while (isspace((unsigned char)*q)) - *q-- = 0; - - *p = 0; - value = p + 1; - - /* Remove leading space from value */ - while (isspace((unsigned char)*value)) - value++; - - /* Remove trailing space from value */ - p = value + strlen(value) - 1; - - while (*p == '\n' || isspace((unsigned char)*p)) - *p-- = 0; - - /* Look for [mod = XXX] for key length */ - - if (!strcmp(keyword, "[mod")) - { - p = value + strlen(value) - 1; - if (*p != ']') - goto parse_error; - *p = 0; - keylen = atoi(value); - if (keylen < 0) - goto parse_error; - } - else if (!strcmp(keyword, "SHAAlg")) - { - if (!strcmp(value, "SHA1")) - dgst = EVP_sha1(); - else if (!strcmp(value, "SHA224")) - dgst = EVP_sha224(); - else if (!strcmp(value, "SHA256")) - dgst = EVP_sha256(); - else if (!strcmp(value, "SHA384")) - dgst = EVP_sha384(); - else if (!strcmp(value, "SHA512")) - dgst = EVP_sha512(); - else - { - fprintf(stderr, - "FATAL: unsupported algorithm \"%s\"\n", - value); - goto parse_error; - } - } - else if (!strcmp(keyword, "Msg")) - { - if (Msg) - goto parse_error; - if (strlen(value) & 1) - *(--value) = '0'; - Msg = hex2bin_m(value, &Msglen); - if (!Msg) - goto parse_error; - } - - fputs(olinebuf, out); - - /* If key length has changed, generate and output public - * key components of new RSA private key. - */ - - if (keylen != current_keylen) - { - BIGNUM *bn_e; - if (rsa) - FIPS_rsa_free(rsa); - rsa = FIPS_rsa_new(); - if (!rsa) - goto error; - bn_e = BN_new(); - if (!bn_e || !BN_set_word(bn_e, 0x1001)) - goto error; - if (!RSA_X931_generate_key_ex(rsa, keylen, bn_e, NULL)) - goto error; - BN_free(bn_e); - fputs("n = ", out); - do_bn_print(out, rsa->n); - fputs("\ne = ", out); - do_bn_print(out, rsa->e); - fputs("\n", out); - current_keylen = keylen; - } - - if (Msg && dgst) - { - if (!rsa_printsig(out, rsa, dgst, Msg, Msglen, - Saltlen)) - goto error; - OPENSSL_free(Msg); - Msg = NULL; - } - - } - - ret = 1; - - error: - - if (olinebuf) - OPENSSL_free(olinebuf); - if (linebuf) - OPENSSL_free(linebuf); - if (rsa) - FIPS_rsa_free(rsa); - - return ret; - - parse_error: - - fprintf(stderr, "FATAL parse error processing line %d\n", lnum); - - goto error; - - } - -static int rsa_printsig(FILE *out, RSA *rsa, const EVP_MD *dgst, - unsigned char *Msg, long Msglen, int Saltlen) - { - int ret = 0; - unsigned char *sigbuf = NULL; - int i, siglen; - /* EVP_PKEY structure */ - EVP_PKEY pk; - EVP_MD_CTX ctx; - pk.type = EVP_PKEY_RSA; - pk.pkey.rsa = rsa; - - siglen = RSA_size(rsa); - sigbuf = OPENSSL_malloc(siglen); - if (!sigbuf) - goto error; - - EVP_MD_CTX_init(&ctx); - - if (Saltlen >= 0) - { - M_EVP_MD_CTX_set_flags(&ctx, - EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16)); - } - else if (Saltlen == -2) - M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931); - if (!EVP_SignInit_ex(&ctx, dgst, NULL)) - goto error; - if (!EVP_SignUpdate(&ctx, Msg, Msglen)) - goto error; - if (!EVP_SignFinal(&ctx, sigbuf, (unsigned int *)&siglen, &pk)) - goto error; - - EVP_MD_CTX_cleanup(&ctx); - - fputs("S = ", out); - - for (i = 0; i < siglen; i++) - fprintf(out, "%02X", sigbuf[i]); - - fputs("\n", out); - - ret = 1; - - error: - - return ret; - } -#endif diff --git a/crypto/openssl/fips/rsa/fips_rsavtest.c b/crypto/openssl/fips/rsa/fips_rsavtest.c deleted file mode 100644 index aadab27..0000000 --- a/crypto/openssl/fips/rsa/fips_rsavtest.c +++ /dev/null @@ -1,378 +0,0 @@ -/* fips_rsavtest.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2005. - */ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include <ctype.h> -#include <string.h> -#include <openssl/bio.h> -#include <openssl/evp.h> -#include <openssl/hmac.h> -#include <openssl/err.h> -#include <openssl/x509v3.h> -#include <openssl/bn.h> - -#ifndef OPENSSL_FIPS - -int main(int argc, char *argv[]) -{ - printf("No FIPS RSA support\n"); - return(0); -} - -#else - -#include <openssl/rsa.h> - -#include "fips_utl.h" - -int rsa_test(FILE *out, FILE *in, int saltlen); -static int rsa_printver(FILE *out, - BIGNUM *n, BIGNUM *e, - const EVP_MD *dgst, - unsigned char *Msg, long Msglen, - unsigned char *S, long Slen, int Saltlen); - -int main(int argc, char **argv) - { - FILE *in = NULL, *out = NULL; - - int ret = 1; - int Saltlen = -1; - - if(!FIPS_mode_set(1)) - { - do_print_errors(); - goto end; - } - - if ((argc > 2) && !strcmp("-saltlen", argv[1])) - { - Saltlen = atoi(argv[2]); - if (Saltlen < 0) - { - fprintf(stderr, "FATAL: Invalid salt length\n"); - goto end; - } - argc -= 2; - argv += 2; - } - else if ((argc > 1) && !strcmp("-x931", argv[1])) - { - Saltlen = -2; - argc--; - argv++; - } - - if (argc == 1) - in = stdin; - else - in = fopen(argv[1], "r"); - - if (argc < 2) - out = stdout; - else - out = fopen(argv[2], "w"); - - if (!in) - { - fprintf(stderr, "FATAL input initialization error\n"); - goto end; - } - - if (!out) - { - fprintf(stderr, "FATAL output initialization error\n"); - goto end; - } - - if (!rsa_test(out, in, Saltlen)) - { - fprintf(stderr, "FATAL RSAVTEST file processing error\n"); - goto end; - } - else - ret = 0; - - end: - - if (ret) - do_print_errors(); - - if (in && (in != stdin)) - fclose(in); - if (out && (out != stdout)) - fclose(out); - - return ret; - - } - -#define RSA_TEST_MAXLINELEN 10240 - -int rsa_test(FILE *out, FILE *in, int Saltlen) - { - char *linebuf, *olinebuf, *p, *q; - char *keyword, *value; - const EVP_MD *dgst = NULL; - BIGNUM *n = NULL, *e = NULL; - unsigned char *Msg = NULL, *S = NULL; - long Msglen, Slen; - int ret = 0; - int lnum = 0; - - olinebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); - linebuf = OPENSSL_malloc(RSA_TEST_MAXLINELEN); - - if (!linebuf || !olinebuf) - goto error; - - while (fgets(olinebuf, RSA_TEST_MAXLINELEN, in)) - { - lnum++; - strcpy(linebuf, olinebuf); - keyword = linebuf; - /* Skip leading space */ - while (isspace((unsigned char)*keyword)) - keyword++; - - /* Look for = sign */ - p = strchr(linebuf, '='); - - /* If no = or starts with [ (for [foo = bar] line) just copy */ - if (!p || *keyword=='[') - { - if (fputs(olinebuf, out) < 0) - goto error; - continue; - } - - q = p - 1; - - /* Remove trailing space */ - while (isspace((unsigned char)*q)) - *q-- = 0; - - *p = 0; - value = p + 1; - - /* Remove leading space from value */ - while (isspace((unsigned char)*value)) - value++; - - /* Remove trailing space from value */ - p = value + strlen(value) - 1; - - while (*p == '\n' || isspace((unsigned char)*p)) - *p-- = 0; - - if (!strcmp(keyword, "n")) - { - if (!do_hex2bn(&n,value)) - goto parse_error; - } - else if (!strcmp(keyword, "e")) - { - if (!do_hex2bn(&e,value)) - goto parse_error; - } - else if (!strcmp(keyword, "SHAAlg")) - { - if (!strcmp(value, "SHA1")) - dgst = EVP_sha1(); - else if (!strcmp(value, "SHA224")) - dgst = EVP_sha224(); - else if (!strcmp(value, "SHA256")) - dgst = EVP_sha256(); - else if (!strcmp(value, "SHA384")) - dgst = EVP_sha384(); - else if (!strcmp(value, "SHA512")) - dgst = EVP_sha512(); - else - { - fprintf(stderr, - "FATAL: unsupported algorithm \"%s\"\n", - value); - goto parse_error; - } - } - else if (!strcmp(keyword, "Msg")) - { - if (Msg) - goto parse_error; - if (strlen(value) & 1) - *(--value) = '0'; - Msg = hex2bin_m(value, &Msglen); - if (!Msg) - goto parse_error; - } - else if (!strcmp(keyword, "S")) - { - if (S) - goto parse_error; - if (strlen(value) & 1) - *(--value) = '0'; - S = hex2bin_m(value, &Slen); - if (!S) - goto parse_error; - } - else if (!strcmp(keyword, "Result")) - continue; - else - goto parse_error; - - fputs(olinebuf, out); - - if (n && e && Msg && S && dgst) - { - if (!rsa_printver(out, n, e, dgst, - Msg, Msglen, S, Slen, Saltlen)) - goto error; - OPENSSL_free(Msg); - Msg = NULL; - OPENSSL_free(S); - S = NULL; - } - - } - - - ret = 1; - - - error: - - if (olinebuf) - OPENSSL_free(olinebuf); - if (linebuf) - OPENSSL_free(linebuf); - if (n) - BN_free(n); - if (e) - BN_free(e); - - return ret; - - parse_error: - - fprintf(stderr, "FATAL parse error processing line %d\n", lnum); - - goto error; - - } - -static int rsa_printver(FILE *out, - BIGNUM *n, BIGNUM *e, - const EVP_MD *dgst, - unsigned char *Msg, long Msglen, - unsigned char *S, long Slen, int Saltlen) - { - int ret = 0, r; - /* Setup RSA and EVP_PKEY structures */ - RSA *rsa_pubkey = NULL; - EVP_PKEY pk; - EVP_MD_CTX ctx; - unsigned char *buf = NULL; - rsa_pubkey = FIPS_rsa_new(); - if (!rsa_pubkey) - goto error; - rsa_pubkey->n = BN_dup(n); - rsa_pubkey->e = BN_dup(e); - if (!rsa_pubkey->n || !rsa_pubkey->e) - goto error; - pk.type = EVP_PKEY_RSA; - pk.pkey.rsa = rsa_pubkey; - - EVP_MD_CTX_init(&ctx); - - if (Saltlen >= 0) - { - M_EVP_MD_CTX_set_flags(&ctx, - EVP_MD_CTX_FLAG_PAD_PSS | (Saltlen << 16)); - } - else if (Saltlen == -2) - M_EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_PAD_X931); - if (!EVP_VerifyInit_ex(&ctx, dgst, NULL)) - goto error; - if (!EVP_VerifyUpdate(&ctx, Msg, Msglen)) - goto error; - - r = EVP_VerifyFinal(&ctx, S, Slen, &pk); - - - EVP_MD_CTX_cleanup(&ctx); - - if (r < 0) - goto error; - ERR_clear_error(); - - if (r == 0) - fputs("Result = F\n", out); - else - fputs("Result = P\n", out); - - ret = 1; - - error: - if (rsa_pubkey) - FIPS_rsa_free(rsa_pubkey); - if (buf) - OPENSSL_free(buf); - - return ret; - } -#endif diff --git a/crypto/openssl/fips/sha/Makefile b/crypto/openssl/fips/sha/Makefile deleted file mode 100644 index 0f8cca9..0000000 --- a/crypto/openssl/fips/sha/Makefile +++ /dev/null @@ -1,162 +0,0 @@ -# -# OpenSSL/fips/sha/Makefile -# - -DIR= sha -TOP= ../.. -CC= cc -INCLUDES= -CFLAG=-g -INSTALL_PREFIX= -OPENSSLDIR= /usr/local/ssl -INSTALLTOP=/usr/local/ssl -MAKEDEPPROG= makedepend -MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) -MAKEFILE= Makefile -AR= ar r -EXE_EXT= - -ASFLAGS= $(INCLUDES) $(ASFLAG) -AFLAGS= $(ASFLAGS) - -CFLAGS= $(INCLUDES) $(CFLAG) - -GENERAL=Makefile -TEST= fips_shatest.c -APPS= -EXE= fips_standalone_sha1$(EXE_EXT) - -LIB=$(TOP)/libcrypto.a -LIBSRC=fips_sha1_selftest.c -LIBOBJ=fips_sha1_selftest.o - -SRC= $(LIBSRC) fips_standalone_sha1.c - -EXHEADER= -HEADER= - -ALL= $(GENERAL) $(SRC) $(HEADER) - -top: - (cd $(TOP); $(MAKE) DIRS=fips SDIRS=$(DIR) sub_all) - -all: ../fips_standalone_sha1$(EXE_EXT) lib - -lib: $(LIBOBJ) - @echo $(LIBOBJ) > lib - -../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o - if [ -z "$(HOSTCC)" ] ; then \ - FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ - $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM ; \ - else \ - $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../../include -I../../crypto fips_standalone_sha1.c ../../crypto/sha/sha1dgst.c ; \ - fi - -files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO - -links: - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS) - -install: - @headerlist="$(EXHEADER)"; for i in $$headerlist; \ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done - -tags: - ctags $(SRC) - -tests: - -Q=../testvectors/sha/req -A=../testvectors/sha/rsp - -VECTORS = SHA1LongMsg \ - SHA1Monte \ - SHA1ShortMsg \ - SHA224LongMsg \ - SHA224Monte \ - SHA224ShortMsg \ - SHA256LongMsg \ - SHA256Monte \ - SHA256ShortMsg \ - SHA384LongMsg \ - SHA384Monte \ - SHA384ShortMsg \ - SHA512LongMsg \ - SHA512Monte \ - SHA512ShortMsg - -fips_test: - -rm -rf $(A) - mkdir $(A) - for file in $(VECTORS); do \ - if [ -f $(Q)/$$file.req ]; then \ - $(TOP)/util/shlib_wrap.sh $(TOP)/test/fips_shatest $(Q)/$$file.req $(A)/$$file.rsp; \ - fi; \ - done - -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - -depend: - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(SRC) $(TEST) - -dclean: - $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new - mv -f Makefile.new $(MAKEFILE) - -clean: - rm -f *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) - -# DO NOT DELETE THIS LINE -- make depend depends on it. - -fips_sha1_selftest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_sha1_selftest.o: ../../include/openssl/crypto.h -fips_sha1_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -fips_sha1_selftest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h -fips_sha1_selftest.o: ../../include/openssl/lhash.h -fips_sha1_selftest.o: ../../include/openssl/obj_mac.h -fips_sha1_selftest.o: ../../include/openssl/objects.h -fips_sha1_selftest.o: ../../include/openssl/opensslconf.h -fips_sha1_selftest.o: ../../include/openssl/opensslv.h -fips_sha1_selftest.o: ../../include/openssl/ossl_typ.h -fips_sha1_selftest.o: ../../include/openssl/safestack.h -fips_sha1_selftest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -fips_sha1_selftest.o: ../../include/openssl/symhacks.h fips_sha1_selftest.c -fips_shatest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -fips_shatest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -fips_shatest.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h -fips_shatest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -fips_shatest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -fips_shatest.o: ../../include/openssl/err.h ../../include/openssl/evp.h -fips_shatest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h -fips_shatest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -fips_shatest.o: ../../include/openssl/opensslconf.h -fips_shatest.o: ../../include/openssl/opensslv.h -fips_shatest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -fips_shatest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -fips_shatest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -fips_shatest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -fips_shatest.o: ../../include/openssl/x509v3.h ../fips_utl.h fips_shatest.c -fips_standalone_sha1.o: ../../include/openssl/asn1.h -fips_standalone_sha1.o: ../../include/openssl/bio.h -fips_standalone_sha1.o: ../../include/openssl/crypto.h -fips_standalone_sha1.o: ../../include/openssl/e_os2.h -fips_standalone_sha1.o: ../../include/openssl/evp.h -fips_standalone_sha1.o: ../../include/openssl/fips.h -fips_standalone_sha1.o: ../../include/openssl/hmac.h -fips_standalone_sha1.o: ../../include/openssl/obj_mac.h -fips_standalone_sha1.o: ../../include/openssl/objects.h -fips_standalone_sha1.o: ../../include/openssl/opensslconf.h -fips_standalone_sha1.o: ../../include/openssl/opensslv.h -fips_standalone_sha1.o: ../../include/openssl/ossl_typ.h -fips_standalone_sha1.o: ../../include/openssl/safestack.h -fips_standalone_sha1.o: ../../include/openssl/sha.h -fips_standalone_sha1.o: ../../include/openssl/stack.h -fips_standalone_sha1.o: ../../include/openssl/symhacks.h fips_standalone_sha1.c diff --git a/crypto/openssl/fips/sha/fips_sha1_selftest.c b/crypto/openssl/fips/sha/fips_sha1_selftest.c deleted file mode 100644 index 4c0d463..0000000 --- a/crypto/openssl/fips/sha/fips_sha1_selftest.c +++ /dev/null @@ -1,97 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <string.h> -#include <openssl/err.h> -#include <openssl/fips.h> -#include <openssl/evp.h> -#include <openssl/sha.h> - -#ifdef OPENSSL_FIPS -static char test[][60]= - { - "", - "abc", - "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" - }; - -static const unsigned char ret[][SHA_DIGEST_LENGTH]= - { - { 0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55, - 0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 }, - { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e, - 0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d }, - { 0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae, - 0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1 }, - }; - -void FIPS_corrupt_sha1() - { - test[2][0]++; - } - -int FIPS_selftest_sha1() - { - size_t n; - - for(n=0 ; n<sizeof(test)/sizeof(test[0]) ; ++n) - { - unsigned char md[SHA_DIGEST_LENGTH]; - - EVP_Digest(test[n],strlen(test[n]),md, NULL, EVP_sha1(), NULL); - if(memcmp(md,ret[n],sizeof md)) - { - FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1,FIPS_R_SELFTEST_FAILED); - return 0; - } - } - return 1; - } - -#endif diff --git a/crypto/openssl/fips/sha/fips_shatest.c b/crypto/openssl/fips/sha/fips_shatest.c deleted file mode 100644 index ae5ecdd..0000000 --- a/crypto/openssl/fips/sha/fips_shatest.c +++ /dev/null @@ -1,388 +0,0 @@ -/* fips_shatest.c */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2005. - */ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include <stdio.h> -#include <ctype.h> -#include <string.h> -#include <openssl/bio.h> -#include <openssl/evp.h> -#include <openssl/err.h> -#include <openssl/bn.h> -#include <openssl/x509v3.h> - -#ifndef OPENSSL_FIPS - -int main(int argc, char *argv[]) -{ - printf("No FIPS SHAXXX support\n"); - return(0); -} - -#else - -#include "fips_utl.h" - -static int dgst_test(FILE *out, FILE *in); -static int print_dgst(const EVP_MD *md, FILE *out, - unsigned char *Msg, int Msglen); -static int print_monte(const EVP_MD *md, FILE *out, - unsigned char *Seed, int SeedLen); - -int main(int argc, char **argv) - { - FILE *in = NULL, *out = NULL; - - int ret = 1; - - if(!FIPS_mode_set(1)) - { - do_print_errors(); - goto end; - } - - if (argc == 1) - in = stdin; - else - in = fopen(argv[1], "r"); - - if (argc < 2) - out = stdout; - else - out = fopen(argv[2], "w"); - - if (!in) - { - fprintf(stderr, "FATAL input initialization error\n"); - goto end; - } - - if (!out) - { - fprintf(stderr, "FATAL output initialization error\n"); - goto end; - } - - if (!dgst_test(out, in)) - { - fprintf(stderr, "FATAL digest file processing error\n"); - goto end; - } - else - ret = 0; - - end: - - if (ret) - do_print_errors(); - - if (in && (in != stdin)) - fclose(in); - if (out && (out != stdout)) - fclose(out); - - return ret; - - } - -#define SHA_TEST_MAX_BITS 102400 -#define SHA_TEST_MAXLINELEN (((SHA_TEST_MAX_BITS >> 3) * 2) + 100) - -int dgst_test(FILE *out, FILE *in) - { - const EVP_MD *md = NULL; - char *linebuf, *olinebuf, *p, *q; - char *keyword, *value; - unsigned char *Msg = NULL, *Seed = NULL; - long MsgLen = -1, Len = -1, SeedLen = -1; - int ret = 0; - int lnum = 0; - - olinebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN); - linebuf = OPENSSL_malloc(SHA_TEST_MAXLINELEN); - - if (!linebuf || !olinebuf) - goto error; - - - while (fgets(olinebuf, SHA_TEST_MAXLINELEN, in)) - { - lnum++; - strcpy(linebuf, olinebuf); - keyword = linebuf; - /* Skip leading space */ - while (isspace((unsigned char)*keyword)) - keyword++; - - /* Look for = sign */ - p = strchr(linebuf, '='); - - /* If no = or starts with [ (for [L=20] line) just copy */ - if (!p) - { - fputs(olinebuf, out); - continue; - } - - q = p - 1; - - /* Remove trailing space */ - while (isspace((unsigned char)*q)) - *q-- = 0; - - *p = 0; - value = p + 1; - - /* Remove leading space from value */ - while (isspace((unsigned char)*value)) - value++; - - /* Remove trailing space from value */ - p = value + strlen(value) - 1; - while (*p == '\n' || isspace((unsigned char)*p)) - *p-- = 0; - - if (!strcmp(keyword,"[L") && *p==']') - { - switch (atoi(value)) - { - case 20: md=EVP_sha1(); break; - case 28: md=EVP_sha224(); break; - case 32: md=EVP_sha256(); break; - case 48: md=EVP_sha384(); break; - case 64: md=EVP_sha512(); break; - default: goto parse_error; - } - } - else if (!strcmp(keyword, "Len")) - { - if (Len != -1) - goto parse_error; - Len = atoi(value); - if (Len < 0) - goto parse_error; - /* Only handle multiples of 8 bits */ - if (Len & 0x7) - goto parse_error; - if (Len > SHA_TEST_MAX_BITS) - goto parse_error; - MsgLen = Len >> 3; - } - - else if (!strcmp(keyword, "Msg")) - { - long tmplen; - if (strlen(value) & 1) - *(--value) = '0'; - if (Msg) - goto parse_error; - Msg = hex2bin_m(value, &tmplen); - if (!Msg) - goto parse_error; - } - else if (!strcmp(keyword, "Seed")) - { - if (strlen(value) & 1) - *(--value) = '0'; - if (Seed) - goto parse_error; - Seed = hex2bin_m(value, &SeedLen); - if (!Seed) - goto parse_error; - } - else if (!strcmp(keyword, "MD")) - continue; - else - goto parse_error; - - fputs(olinebuf, out); - - if (md && Msg && (MsgLen >= 0)) - { - if (!print_dgst(md, out, Msg, MsgLen)) - goto error; - OPENSSL_free(Msg); - Msg = NULL; - MsgLen = -1; - Len = -1; - } - else if (md && Seed && (SeedLen > 0)) - { - if (!print_monte(md, out, Seed, SeedLen)) - goto error; - OPENSSL_free(Seed); - Seed = NULL; - SeedLen = -1; - } - - - } - - - ret = 1; - - - error: - - if (olinebuf) - OPENSSL_free(olinebuf); - if (linebuf) - OPENSSL_free(linebuf); - if (Msg) - OPENSSL_free(Msg); - if (Seed) - OPENSSL_free(Seed); - - return ret; - - parse_error: - - fprintf(stderr, "FATAL parse error processing line %d\n", lnum); - - goto error; - - } - -static int print_dgst(const EVP_MD *emd, FILE *out, - unsigned char *Msg, int Msglen) - { - int i, mdlen; - unsigned char md[EVP_MAX_MD_SIZE]; - if (!EVP_Digest(Msg, Msglen, md, (unsigned int *)&mdlen, emd, NULL)) - { - fputs("Error calculating HASH\n", stderr); - return 0; - } - fputs("MD = ", out); - for (i = 0; i < mdlen; i++) - fprintf(out, "%02x", md[i]); - fputs("\n", out); - return 1; - } - -static int print_monte(const EVP_MD *md, FILE *out, - unsigned char *Seed, int SeedLen) - { - unsigned int i, j, k; - int ret = 0; - EVP_MD_CTX ctx; - unsigned char *m1, *m2, *m3, *p; - unsigned int mlen, m1len, m2len, m3len; - - EVP_MD_CTX_init(&ctx); - - if (SeedLen > EVP_MAX_MD_SIZE) - mlen = SeedLen; - else - mlen = EVP_MAX_MD_SIZE; - - m1 = OPENSSL_malloc(mlen); - m2 = OPENSSL_malloc(mlen); - m3 = OPENSSL_malloc(mlen); - - if (!m1 || !m2 || !m3) - goto mc_error; - - m1len = m2len = m3len = SeedLen; - memcpy(m1, Seed, SeedLen); - memcpy(m2, Seed, SeedLen); - memcpy(m3, Seed, SeedLen); - - fputs("\n", out); - - for (j = 0; j < 100; j++) - { - for (i = 0; i < 1000; i++) - { - EVP_DigestInit_ex(&ctx, md, NULL); - EVP_DigestUpdate(&ctx, m1, m1len); - EVP_DigestUpdate(&ctx, m2, m2len); - EVP_DigestUpdate(&ctx, m3, m3len); - p = m1; - m1 = m2; - m1len = m2len; - m2 = m3; - m2len = m3len; - m3 = p; - EVP_DigestFinal_ex(&ctx, m3, &m3len); - } - fprintf(out, "COUNT = %d\n", j); - fputs("MD = ", out); - for (k = 0; k < m3len; k++) - fprintf(out, "%02x", m3[k]); - fputs("\n\n", out); - memcpy(m1, m3, m3len); - memcpy(m2, m3, m3len); - m1len = m2len = m3len; - } - - ret = 1; - - mc_error: - if (m1) - OPENSSL_free(m1); - if (m2) - OPENSSL_free(m2); - if (m3) - OPENSSL_free(m3); - - EVP_MD_CTX_cleanup(&ctx); - - return ret; - } - -#endif diff --git a/crypto/openssl/fips/sha/fips_standalone_sha1.c b/crypto/openssl/fips/sha/fips_standalone_sha1.c deleted file mode 100644 index eec65dc..0000000 --- a/crypto/openssl/fips/sha/fips_standalone_sha1.c +++ /dev/null @@ -1,173 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <openssl/opensslconf.h> -#include <openssl/sha.h> -#include <openssl/hmac.h> - -#ifndef FIPSCANISTER_O -int FIPS_selftest_failed() { return 0; } -void FIPS_selftest_check() {} -void OPENSSL_cleanse(void *p,size_t len) {} -#endif - -#ifdef OPENSSL_FIPS - -static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, - const char *key) - { - size_t len=strlen(key); - int i; - unsigned char keymd[HMAC_MAX_MD_CBLOCK]; - unsigned char pad[HMAC_MAX_MD_CBLOCK]; - - if (len > SHA_CBLOCK) - { - SHA1_Init(md_ctx); - SHA1_Update(md_ctx,key,len); - SHA1_Final(keymd,md_ctx); - len=20; - } - else - memcpy(keymd,key,len); - memset(&keymd[len],'\0',HMAC_MAX_MD_CBLOCK-len); - - for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) - pad[i]=0x36^keymd[i]; - SHA1_Init(md_ctx); - SHA1_Update(md_ctx,pad,SHA_CBLOCK); - - for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) - pad[i]=0x5c^keymd[i]; - SHA1_Init(o_ctx); - SHA1_Update(o_ctx,pad,SHA_CBLOCK); - } - -static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) - { - unsigned char buf[20]; - - SHA1_Final(buf,md_ctx); - SHA1_Update(o_ctx,buf,sizeof buf); - SHA1_Final(md,o_ctx); - } - -#endif - -int main(int argc,char **argv) - { -#ifdef OPENSSL_FIPS - static char key[]="etaonrishdlcupfm"; - int n,binary=0; - - if(argc < 2) - { - fprintf(stderr,"%s [<file>]+\n",argv[0]); - exit(1); - } - - n=1; - if (!strcmp(argv[n],"-binary")) - { - n++; - binary=1; /* emit binary fingerprint... */ - } - - for(; n < argc ; ++n) - { - FILE *f=fopen(argv[n],"rb"); - SHA_CTX md_ctx,o_ctx; - unsigned char md[20]; - int i; - - if(!f) - { - perror(argv[n]); - exit(2); - } - - hmac_init(&md_ctx,&o_ctx,key); - for( ; ; ) - { - char buf[1024]; - size_t l=fread(buf,1,sizeof buf,f); - - if(l == 0) - { - if(ferror(f)) - { - perror(argv[n]); - exit(3); - } - else - break; - } - SHA1_Update(&md_ctx,buf,l); - } - hmac_final(md,&md_ctx,&o_ctx); - - if (binary) - { - fwrite(md,20,1,stdout); - break; /* ... for single(!) file */ - } - - printf("HMAC-SHA1(%s)= ",argv[n]); - for(i=0 ; i < 20 ; ++i) - printf("%02x",md[i]); - printf("\n"); - } -#endif - return 0; - } - - diff --git a/gnu/lib/libstdc++/Makefile b/gnu/lib/libstdc++/Makefile index df64a50..1005b5d 100644 --- a/gnu/lib/libstdc++/Makefile +++ b/gnu/lib/libstdc++/Makefile @@ -626,9 +626,5 @@ CLEANFILES+= ${VERSION_MAP} .include <bsd.lib.mk> -.if ${MK_STAGING} == "yes" -CXXFLAGS+= -I${STAGE_OBJTOP}${CXXINCLUDEDIR}/backward -.endif - # Filter out libc++-specific flags, and -std= flags above c++98 or gnu++98. CXXFLAGS:= ${CXXFLAGS:N-stdlib=libc++:N-std=c++[01][13x]:N-std=gnu++[01][13x]} diff --git a/gnu/usr.bin/sort/Makefile b/gnu/usr.bin/sort/Makefile deleted file mode 100644 index bf193bc..0000000 --- a/gnu/usr.bin/sort/Makefile +++ /dev/null @@ -1,46 +0,0 @@ -# $FreeBSD$ - -SORTDIR= ${.CURDIR}/../../../contrib/gnu-sort -.PATH: ${SORTDIR}/lib ${SORTDIR}/src ${SORTDIR}/man - -.include <bsd.own.mk> - -.if ${MK_GNU_SORT} == "yes" -PROG= sort -.else -PROG= gnusort - -CLEANFILES+= gnusort.1 -gnusort.1: sort.1 - cp ${.ALLSRC} ${.TARGET} -.endif - -SRCS= sort.c \ - __fpending.c \ - argmatch.c \ - closeout.c \ - dup-safer.c \ - error.c \ - exitfail.c \ - fopen-safer.c \ - hard-locale.c \ - human.c \ - long-options.c \ - memcoll.c \ - physmem.c \ - posixver.c \ - quote.c \ - quotearg.c \ - strnlen.c \ - umaxtostr.c \ - version-etc.c \ - xalloc-die.c \ - xmalloc.c \ - xmemcoll.c \ - xstrtoul.c \ - xstrtoumax.c - -CFLAGS+=-DHAVE_CONFIG_H -DHAVE_LANGINFO_H=1 -DHAVE_NL_LANGINFO=1 \ - -I${.CURDIR} -I${SORTDIR}/lib - -.include <bsd.prog.mk> diff --git a/gnu/usr.bin/sort/Makefile.depend b/gnu/usr.bin/sort/Makefile.depend deleted file mode 100644 index a839545..0000000 --- a/gnu/usr.bin/sort/Makefile.depend +++ /dev/null @@ -1,19 +0,0 @@ -# Autogenerated - do NOT edit! - -DEP_RELDIR := ${_PARSEDIR:S,${SRCTOP}/,,} - -DEP_MACHINE := ${.PARSEFILE:E} - -DIRDEPS = \ - gnu/lib/libgcc \ - include \ - include/xlocale \ - lib/${CSU_DIR} \ - lib/libc \ - - -.include <dirdeps.mk> - -.if ${DEP_RELDIR} == ${_DEP_RELDIR} -# local dependencies - needed for -jN in clean tree -.endif diff --git a/gnu/usr.bin/sort/alloca.h b/gnu/usr.bin/sort/alloca.h deleted file mode 100644 index 59a1309..0000000 --- a/gnu/usr.bin/sort/alloca.h +++ /dev/null @@ -1,2 +0,0 @@ -/* $FreeBSD$ */ -extern void *alloca(size_t size); diff --git a/gnu/usr.bin/sort/config.h b/gnu/usr.bin/sort/config.h deleted file mode 100644 index 601b368..0000000 --- a/gnu/usr.bin/sort/config.h +++ /dev/null @@ -1,1519 +0,0 @@ -/* $FreeBSD$ */ -/* config.h. Generated by configure. */ -/* config.hin. Generated from configure.ac by autoheader. */ - -/* Define if you have the Andrew File System. */ -/* #undef AFS */ - -/* Define to the function xargmatch calls on failures. */ -#define ARGMATCH_DIE usage (1) - -/* Define to the declaration of the xargmatch failure function. */ -#define ARGMATCH_DIE_DECL extern void usage () - -/* Define to 1 if the `closedir' function returns void instead of `int'. */ -/* #undef CLOSEDIR_VOID */ - -/* Define to one of `_getb67', `GETB67', `getb67' for Cray-2 and Cray-YMP - systems. This function is required for `alloca.c' support on those systems. - */ -/* #undef CRAY_STACKSEG_END */ - -/* Define to 1 if using `alloca.c'. */ -/* #undef C_ALLOCA */ - -/* Define to 1 if using `getloadavg.c'. */ -/* #undef C_GETLOADAVG */ - -/* Define the default level of POSIX conformance. The value is of the form - YYYYMM, specifying the year and month the standard was adopted. If not - defined here, it defaults to the value of _POSIX2_VERSION in <unistd.h>. - Define to 199209 to default to POSIX 1003.2-1992, which makes standard - programs like `head', `tail', and `sort' accept obsolete options like `+10' - and `-10'. Define to 200112 to default to POSIX 1003.1-2001, which makes - these standard programs treat leading-`+' operands as file names and - require modern usages like `-n 10' instead of `-10'. Whether defined here - or not, the default can be overridden at run time via the _POSIX2_VERSION - environment variable. */ -/* #undef DEFAULT_POSIX2_VERSION */ - -/* Define to 1 for DGUX with <sys/dg_sys_info.h>. */ -/* #undef DGUX */ - -/* the name of the file descriptor member of DIR */ -/* #undef DIR_FD_MEMBER_NAME */ - -#ifdef DIR_FD_MEMBER_NAME -# define DIR_TO_FD(Dir_p) ((Dir_p)->DIR_FD_MEMBER_NAME) -#else -# define DIR_TO_FD(Dir_p) -1 -#endif - - - -/* Define if there is a member named d_ino in the struct describing directory - headers. */ -#define D_INO_IN_DIRENT 1 - -/* Define to 1 if translation of program messages to the user's native - language is requested. */ -/* #undef ENABLE_NLS */ - -/* Define on systems for which file names may have a so-called `drive letter' - prefix, define this to compute the length of that prefix, including the - colon. */ -#define FILESYSTEM_ACCEPTS_DRIVE_LETTER_PREFIX 0 - -/* Define if the backslash character may also serve as a file name component - separator. */ -#define FILESYSTEM_BACKSLASH_IS_FILE_NAME_SEPARATOR 0 - -#if FILESYSTEM_ACCEPTS_DRIVE_LETTER_PREFIX -# define FILESYSTEM_PREFIX_LEN(Filename) \ - ((Filename)[0] && (Filename)[1] == ':' ? 2 : 0) -#else -# define FILESYSTEM_PREFIX_LEN(Filename) 0 -#endif - -/* Define to the type of elements in the array set by `getgroups'. Usually - this is either `int' or `gid_t'. */ -#define GETGROUPS_T gid_t - -/* Define to 1 if the `getloadavg' function needs to be run setuid or setgid. - */ -/* #undef GETLOADAVG_PRIVILEGED */ - -/* Define if gettimeofday clobbers localtime's static buffer. */ -/* #undef GETTIMEOFDAY_CLOBBERS_LOCALTIME_BUFFER */ - -/* The concatenation of the strings `GNU ', and PACKAGE. */ -#define GNU_PACKAGE "GNU coreutils" - -/* Define if your system defines TIOCGWINSZ in sys/ioctl.h. */ -/* #undef GWINSZ_IN_SYS_IOCTL */ - -/* Define if your system defines TIOCGWINSZ in sys/pty.h. */ -/* #undef GWINSZ_IN_SYS_PTY */ - -/* Define to 1 if you have the `acl' function. */ -/* #undef HAVE_ACL */ - -/* Define to 1 if you have the `alarm' function. */ -#define HAVE_ALARM 1 - -/* Define to 1 if you have `alloca', as a function or macro. */ -#define HAVE_ALLOCA 1 - -/* Define to 1 if you have <alloca.h> and it should be used (not on Ultrix). - */ -/* #undef HAVE_ALLOCA_H */ - -/* Define to 1 if you have the <arpa/inet.h> header file. */ -#define HAVE_ARPA_INET_H 1 - -/* Define to 1 if you have the `atexit' function. */ -#define HAVE_ATEXIT 1 - -/* Define to 1 if you have the <bp-sym.h> header file. */ -/* #undef HAVE_BP_SYM_H */ - -/* Define to 1 if you have the `btowc' function. */ -#define HAVE_BTOWC 1 - -/* Define to 1 if your system has a working `chown' function. */ -#define HAVE_CHOWN 1 - -/* Define to 1 if you have the `chroot' function. */ -#define HAVE_CHROOT 1 - -/* Define to 1 if you have the `chsize' function. */ -/* #undef HAVE_CHSIZE */ - -/* Define to 1 if you have the `clock_gettime' function. */ -#define HAVE_CLOCK_GETTIME 1 - -/* Define to 1 if you have the `clock_settime' function. */ -#define HAVE_CLOCK_SETTIME 1 - -/* FIXME */ -/* #undef HAVE_C_LINE */ - -/* Define if the GNU dcgettext() function is already present or preinstalled. - */ -/* #undef HAVE_DCGETTEXT */ - -/* Define to 1 if you have the declaration of `clearerr_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_CLEARERR_UNLOCKED 1 - -/* Define to 1 if you have the declaration of `dirfd', and to 0 if you don't. - */ -#define HAVE_DECL_DIRFD 1 - -/* Define to 1 if you have the declaration of `euidaccess', and to 0 if you - don't. */ -#define HAVE_DECL_EUIDACCESS 0 - -/* Define to 1 if you have the declaration of `feof_unlocked', and to 0 if you - don't. */ -#define HAVE_DECL_FEOF_UNLOCKED 1 - -/* Define to 1 if you have the declaration of `ferror_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_FERROR_UNLOCKED 1 - -/* Define to 1 if you have the declaration of `fflush_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_FFLUSH_UNLOCKED 0 - -/* Define to 1 if you have the declaration of `fgets_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_FGETS_UNLOCKED 0 - -/* Define to 1 if you have the declaration of `fputc_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_FPUTC_UNLOCKED 0 - -/* Define to 1 if you have the declaration of `fputs_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_FPUTS_UNLOCKED 0 - -/* Define to 1 if you have the declaration of `fread_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_FREAD_UNLOCKED 0 - -/* Define to 1 if you have the declaration of `free', and to 0 if you don't. - */ -#define HAVE_DECL_FREE 1 - -/* Define to 1 if you have the declaration of `fwrite_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_FWRITE_UNLOCKED 0 - -/* Define to 1 if you have the declaration of `getchar_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_GETCHAR_UNLOCKED 1 - -/* Define to 1 if you have the declaration of `getcwd', and to 0 if you don't. - */ -#define HAVE_DECL_GETCWD 1 - -/* Define to 1 if you have the declaration of `getc_unlocked', and to 0 if you - don't. */ -#define HAVE_DECL_GETC_UNLOCKED 1 - -/* Define to 1 if you have the declaration of `getenv', and to 0 if you don't. - */ -#define HAVE_DECL_GETENV 1 - -/* Define to 1 if you have the declaration of `geteuid', and to 0 if you - don't. */ -#define HAVE_DECL_GETEUID 1 - -/* Define to 1 if you have the declaration of `getgrgid', and to 0 if you - don't. */ -#define HAVE_DECL_GETGRGID 1 - -/* Define to 1 if you have the declaration of `getlogin', and to 0 if you - don't. */ -#define HAVE_DECL_GETLOGIN 1 - -/* Define to 1 if you have the declaration of `getpwuid', and to 0 if you - don't. */ -#define HAVE_DECL_GETPWUID 1 - -/* Define to 1 if you have the declaration of `getuid', and to 0 if you don't. - */ -#define HAVE_DECL_GETUID 1 - -/* Define to 1 if you have the declaration of `getutent', and to 0 if you - don't. */ -#define HAVE_DECL_GETUTENT 0 - -/* Define to 1 if you have the declaration of `lseek', and to 0 if you don't. - */ -#define HAVE_DECL_LSEEK 1 - -/* Define to 1 if you have the declaration of `malloc', and to 0 if you don't. - */ -#define HAVE_DECL_MALLOC 1 - -/* Define to 1 if you have the declaration of `memchr', and to 0 if you don't. - */ -#define HAVE_DECL_MEMCHR 1 - -/* Define to 1 if you have the declaration of `memrchr', and to 0 if you - don't. */ -#define HAVE_DECL_MEMRCHR 0 - -/* Define to 1 if you have the declaration of `nanosleep', and to 0 if you - don't. */ -#define HAVE_DECL_NANOSLEEP 1 - -/* Define to 1 if you have the declaration of `putchar_unlocked', and to 0 if - you don't. */ -#define HAVE_DECL_PUTCHAR_UNLOCKED 1 - -/* Define to 1 if you have the declaration of `putc_unlocked', and to 0 if you - don't. */ -#define HAVE_DECL_PUTC_UNLOCKED 1 - -/* Define to 1 if you have the declaration of `realloc', and to 0 if you - don't. */ -#define HAVE_DECL_REALLOC 1 - -/* Define to 1 if you have the declaration of `stpcpy', and to 0 if you don't. - */ -#define HAVE_DECL_STPCPY 1 - -/* Define to 1 if you have the declaration of `strerror_r', and to 0 if you - don't. */ -#define HAVE_DECL_STRERROR_R 1 - -/* Define to 1 if you have the declaration of `strndup', and to 0 if you - don't. */ -#define HAVE_DECL_STRNDUP 0 - -/* Define to 1 if you have the declaration of `strnlen', and to 0 if you - don't. */ -#define HAVE_DECL_STRNLEN 0 - -/* Define to 1 if you have the declaration of `strsignal', and to 0 if you - don't. */ -#define HAVE_DECL_STRSIGNAL 1 - -/* Define to 1 if you have the declaration of `strstr', and to 0 if you don't. - */ -#define HAVE_DECL_STRSTR 1 - -/* Define to 1 if you have the declaration of `strtoimax', and to 0 if you - don't. */ -#define HAVE_DECL_STRTOIMAX 1 - -/* Define to 1 if you have the declaration of `strtoll', and to 0 if you - don't. */ -/* #undef HAVE_DECL_STRTOLL */ - -/* Define to 1 if you have the declaration of `strtoul', and to 0 if you - don't. */ -#define HAVE_DECL_STRTOUL 1 - -/* Define to 1 if you have the declaration of `strtoull', and to 0 if you - don't. */ -#define HAVE_DECL_STRTOULL 1 - -/* Define to 1 if you have the declaration of `strtoumax', and to 0 if you - don't. */ -#define HAVE_DECL_STRTOUMAX 1 - -/* Define to 1 if you have the declaration of `sys_siglist', and to 0 if you - don't. */ -#define HAVE_DECL_SYS_SIGLIST 1 - -/* Define to 1 if you have the declaration of `ttyname', and to 0 if you - don't. */ -#define HAVE_DECL_TTYNAME 1 - -/* Define to 1 if you have the declaration of wcwidth(), and to 0 otherwise. - */ -#define HAVE_DECL_WCWIDTH 1 - -/* Define to 1 if you have the declaration of `_sys_siglist', and to 0 if you - don't. */ -#define HAVE_DECL__SYS_SIGLIST 0 - -/* Define to 1 if you have the declaration of `__fpending', and to 0 if you - don't. */ -#define HAVE_DECL___FPENDING 0 - -/* Define to 1 if you have the declaration of `__sys_siglist', and to 0 if you - don't. */ -#define HAVE_DECL___SYS_SIGLIST 0 - -/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'. - */ -#define HAVE_DIRENT_H 1 - -/* Define to 1 if you have the `dirfd' function. */ -/* #undef HAVE_DIRFD */ - -/* Define to 1 if you have the `dup2' function. */ -#define HAVE_DUP2 1 - -/* Define to 1 if you have the <dustat.h> header file. */ -/* #undef HAVE_DUSTAT_H */ - -/* Define to 1 if you have the `endgrent' function. */ -#define HAVE_ENDGRENT 1 - -/* Define to 1 if you have the `endpwent' function. */ -#define HAVE_ENDPWENT 1 - -/* Define to 1 if you have the <errno.h> header file. */ -#define HAVE_ERRNO_H 1 - -/* Define to 1 if you have the `euidaccess' function. */ -/* #undef HAVE_EUIDACCESS */ - -/* Define to 1 if you have the `fchdir' function. */ -#define HAVE_FCHDIR 1 - -/* Define to 1 if you have the <fcntl.h> header file. */ -#define HAVE_FCNTL_H 1 - -/* Define to 1 if you have the `fdatasync' function. */ -/* #undef HAVE_FDATASYNC */ - -/* Define to 1 if you have the `fesetround' function. */ -/* #undef HAVE_FESETROUND */ - -/* Define to 1 if you have the <float.h> header file. */ -#define HAVE_FLOAT_H 1 - -/* Define to 1 if you have the `floor' function. */ -#define HAVE_FLOOR 1 - -/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */ -#define HAVE_FSEEKO 1 - -/* Define to 1 if you have the <fs_info.h> header file. */ -/* #undef HAVE_FS_INFO_H */ - -/* Define to 1 if you have the `fs_stat_dev' function. */ -/* #undef HAVE_FS_STAT_DEV */ - -/* Define to 1 if you have the `ftruncate' function. */ -#define HAVE_FTRUNCATE 1 - -/* Define if struct statfs has the f_fstypename member. */ -#define HAVE_F_FSTYPENAME_IN_STATFS 1 - -/* Define to 1 if you have the `getcwd' function. */ -#define HAVE_GETCWD 1 - -/* Define if getcwd (NULL, 0) allocates memory for result. */ -#define HAVE_GETCWD_NULL 1 - -/* Define to 1 if you have the `getdelim' function. */ -/* #undef HAVE_GETDELIM */ - -/* Define to 1 if your system has a working `getgroups' function. */ -#define HAVE_GETGROUPS 1 - -/* Define to 1 if you have the `gethostbyaddr' function. */ -#define HAVE_GETHOSTBYADDR 1 - -/* Define to 1 if you have the `gethostbyname' function. */ -#define HAVE_GETHOSTBYNAME 1 - -/* Define to 1 if you have the `gethostid' function. */ -#define HAVE_GETHOSTID 1 - -/* Define to 1 if you have the `gethostname' function. */ -#define HAVE_GETHOSTNAME 1 - -/* Define to 1 if you have the `gethrtime' function. */ -/* #undef HAVE_GETHRTIME */ - -/* Define to 1 if you have the `getloadavg' function. */ -#define HAVE_GETLOADAVG 1 - -/* Define to 1 if you have the `getmntent' function. */ -/* #undef HAVE_GETMNTENT */ - -/* Define to 1 if you have the `getmntinfo' function. */ -#define HAVE_GETMNTINFO 1 - -/* Define to 1 if you have the `getpagesize' function. */ -#define HAVE_GETPAGESIZE 1 - -/* Define to 1 if you have the `getpass' function. */ -#define HAVE_GETPASS 1 - -/* Define to 1 if you have the `getspnam' function. */ -/* #undef HAVE_GETSPNAM */ - -/* Define to 1 if you have the `getsysinfo' function. */ -/* #undef HAVE_GETSYSINFO */ - -/* Define if the GNU gettext() function is already present or preinstalled. */ -/* #undef HAVE_GETTEXT */ - -/* Define to 1 if you have the `gettimeofday' function. */ -#define HAVE_GETTIMEOFDAY 1 - -/* Define to 1 if you have the `getusershell' function. */ -#define HAVE_GETUSERSHELL 1 - -/* Define to 1 if you have the <grp.h> header file. */ -#define HAVE_GRP_H 1 - -/* Define to 1 if you have the `hasmntopt' function. */ -/* #undef HAVE_HASMNTOPT */ - -/* Define to 1 if you have the <hurd.h> header file. */ -/* #undef HAVE_HURD_H */ - -/* Define if you have the iconv() function. */ -/* #undef HAVE_ICONV */ - -/* Define to 1 if you have the `inet_ntoa' function. */ -#define HAVE_INET_NTOA 1 - -/* Define to 1 if you have the `initgroups' function. */ -#define HAVE_INITGROUPS 1 - -/* Define if you have the 'intmax_t' type in <stdint.h> or <inttypes.h>. */ -#define HAVE_INTMAX_T 1 - -/* Define if <inttypes.h> exists and doesn't clash with <sys/types.h>. */ -#define HAVE_INTTYPES_H 1 - -/* Define if <inttypes.h> exists, doesn't clash with <sys/types.h>, and - declares uintmax_t. */ -#define HAVE_INTTYPES_H_WITH_UINTMAX 1 - -/* Define to 1 if you have the `isascii' function. */ -#define HAVE_ISASCII 1 - -/* Define to 1 if you have the `iswcntrl' function. */ -#define HAVE_ISWCNTRL 1 - -/* Define to 1 if you have the `iswprint' function. */ -#define HAVE_ISWPRINT 1 - -/* Define to 1 if you have the `iswspace' function. */ -#define HAVE_ISWSPACE 1 - -/* Define if you have <langinfo.h> and nl_langinfo(CODESET). */ -#define HAVE_LANGINFO_CODESET 1 - -/* Define to 1 if you have the `lchown' function. */ -#define HAVE_LCHOWN 1 - -/* Define to 1 if you have the `dgc' library (-ldgc). */ -/* #undef HAVE_LIBDGC */ - -/* Define to 1 if you have the `kstat' library (-lkstat). */ -/* #undef HAVE_LIBKSTAT */ - -/* Define to 1 if you have the `ldgc' library (-lldgc). */ -/* #undef HAVE_LIBLDGC */ - -/* Define to 1 if you have the `os' library (-los). */ -/* #undef HAVE_LIBOS */ - -/* Define to 1 if you have the `ypsec' library (-lypsec). */ -/* #undef HAVE_LIBYPSEC */ - -/* Define to 1 if you have the <limits.h> header file. */ -#define HAVE_LIMITS_H 1 - -/* Define to 1 if you have the `listmntent' function. */ -/* #undef HAVE_LISTMNTENT */ - -/* Define to 1 if you have the `localeconv' function. */ -#define HAVE_LOCALECONV 1 - -/* Define to 1 if you have the <locale.h> header file. */ -#define HAVE_LOCALE_H 1 - -/* Define if you have the 'long double' type. */ -#define HAVE_LONG_DOUBLE 1 - -/* Define to 1 if you support file names longer than 14 characters. */ -#define HAVE_LONG_FILE_NAMES 1 - -/* Define if you have the 'long long' type. */ -#define HAVE_LONG_LONG 1 - -/* Define to 1 if `lstat' has the bug that it succeeds when given the - zero-length file name argument. */ -/* #undef HAVE_LSTAT_EMPTY_STRING_BUG */ - -/* Define to 1 if you have the <machine/hal_sysinfo.h> header file. */ -/* #undef HAVE_MACHINE_HAL_SYSINFO_H */ - -/* Define to 1 if you have the <mach/mach.h> header file. */ -/* #undef HAVE_MACH_MACH_H */ - -/* Define to 1 if your system has a GNU libc compatible `malloc' function, and - to 0 otherwise. */ -#define HAVE_MALLOC 1 - -/* Define to 1 if you have the `mblen' function. */ -#define HAVE_MBLEN 1 - -/* Define to 1 if you have the `mbrlen' function. */ -#define HAVE_MBRLEN 1 - -/* Define to 1 if mbrtowc and mbstate_t are properly declared. */ -#define HAVE_MBRTOWC 1 - -/* Define to 1 if you have the `mbsinit' function. */ -#define HAVE_MBSINIT 1 - -/* Define to 1 if you have the `mbsrtowcs' function. */ -#define HAVE_MBSRTOWCS 1 - -/* Define to 1 if <wchar.h> declares mbstate_t. */ -#define HAVE_MBSTATE_T 1 - -/* Define to 1 if you have the `memchr' function. */ -#define HAVE_MEMCHR 1 - -/* Define to 1 if you have the `memcpy' function. */ -#define HAVE_MEMCPY 1 - -/* Define to 1 if you have the `memmove' function. */ -#define HAVE_MEMMOVE 1 - -/* Define to 1 if you have the <memory.h> header file. */ -#define HAVE_MEMORY_H 1 - -/* Define to 1 if you have the `mempcpy' function. */ -/* #undef HAVE_MEMPCPY */ - -/* Define to 1 if you have the `memrchr' function. */ -/* #undef HAVE_MEMRCHR */ - -/* Define to 1 if you have the `memset' function. */ -#define HAVE_MEMSET 1 - -/* Define to 1 if you have the `mkfifo' function. */ -#define HAVE_MKFIFO 1 - -/* Define to 1 if you have the `mkstemp' function. */ -#define HAVE_MKSTEMP 1 - -/* Define to 1 if you have the <mntent.h> header file. */ -/* #undef HAVE_MNTENT_H */ - -/* Define to 1 if you have the <mnttab.h> header file. */ -/* #undef HAVE_MNTTAB_H */ - -/* Define to 1 if you have the `modf' function. */ -#define HAVE_MODF 1 - -/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */ -/* #undef HAVE_NDIR_H */ - -/* Define to 1 if you have the <netdb.h> header file. */ -#define HAVE_NETDB_H 1 - -/* Define to 1 if you have the <netinet/in.h> header file. */ -#define HAVE_NETINET_IN_H 1 - -/* Define to 1 if you have the `next_dev' function. */ -/* #undef HAVE_NEXT_DEV */ - -/* Define to 1 if you have the <nfs/nfs_clnt.h> header file. */ -/* #undef HAVE_NFS_NFS_CLNT_H */ - -/* Define to 1 if you have the <nfs/vfs.h> header file. */ -/* #undef HAVE_NFS_VFS_H */ - -/* Define to 1 if you have the <nlist.h> header file. */ -/* #undef HAVE_NLIST_H */ - -/* Define to 1 if libc includes obstacks. */ -/* #undef HAVE_OBSTACK */ - -/* Define to 1 if you have the <OS.h> header file. */ -/* #undef HAVE_OS_H */ - -/* Define to 1 if you have the `pathconf' function. */ -#define HAVE_PATHCONF 1 - -/* Define to 1 if you have the <paths.h> header file. */ -#define HAVE_PATHS_H 1 - -/* Define if your system has the /proc/uptime special file. */ -/* #undef HAVE_PROC_UPTIME */ - -/* Define to 1 if you have the `pstat_getdynamic' function. */ -/* #undef HAVE_PSTAT_GETDYNAMIC */ - -/* Define to 1 if you have the `pstat_getstatic' function. */ -/* #undef HAVE_PSTAT_GETSTATIC */ - -/* Define to 1 if the system has the type `ptrdiff_t'. */ -#define HAVE_PTRDIFF_T 1 - -/* Define to 1 if you have the <pwd.h> header file. */ -#define HAVE_PWD_H 1 - -/* Define to 1 if you have the `raise' function. */ -#define HAVE_RAISE 1 - -/* Define to 1 if you have the `readlink' function. */ -#define HAVE_READLINK 1 - -/* Define to 1 if your system has a GNU libc compatible `realloc' function, - and to 0 otherwise. */ -#define HAVE_REALLOC 1 - -/* Define to 1 if you have the `realpath' function. */ -#define HAVE_REALPATH 1 - -/* Define to 1 if you have the `resolvepath' function. */ -/* #undef HAVE_RESOLVEPATH */ - -/* Define to 1 if you have the `rint' function. */ -#define HAVE_RINT 1 - -/* Define to 1 if you have the `rmdir' function. */ -#define HAVE_RMDIR 1 - -/* Define to 1 if you have the `rpmatch' function. */ -/* #undef HAVE_RPMATCH */ - -/* Define to 1 if you have run the test for working tzset. */ -#define HAVE_RUN_TZSET_TEST 1 - -/* Define to 1 if you have the `sethostname' function. */ -#define HAVE_SETHOSTNAME 1 - -/* Define to 1 if you have the `setlocale' function. */ -#define HAVE_SETLOCALE 1 - -/* Define to 1 if you have the `setregid' function. */ -#define HAVE_SETREGID 1 - -/* Define to 1 if you have the `setreuid' function. */ -#define HAVE_SETREUID 1 - -/* Define to 1 if you have the <shadow.h> header file. */ -/* #undef HAVE_SHADOW_H */ - -/* Define to 1 if you have the `sig2str' function. */ -/* #undef HAVE_SIG2STR */ - -/* Define to 1 if you have the `snprintf' function. */ -#define HAVE_SNPRINTF 1 - -/* Define to 1 if you have the `sqrt' function. */ -/* #undef HAVE_SQRT */ - -/* Define to 1 if you have the `statvfs' function. */ -#define HAVE_STATVFS 1 - -/* Define to 1 if `stat' has the bug that it succeeds when given the - zero-length file name argument. */ -/* #undef HAVE_STAT_EMPTY_STRING_BUG */ - -/* Define to 1 if stdbool.h conforms to C99. */ -#define HAVE_STDBOOL_H 1 - -/* Define to 1 if you have the <stddef.h> header file. */ -#define HAVE_STDDEF_H 1 - -/* Define to 1 if you have the <stdint.h> header file. */ -#define HAVE_STDINT_H 1 - -/* Define if <stdint.h> exists, doesn't clash with <sys/types.h>, and declares - uintmax_t. */ -#define HAVE_STDINT_H_WITH_UINTMAX 1 - -/* Define to 1 if you have the <stdio_ext.h> header file. */ -/* #undef HAVE_STDIO_EXT_H */ - -/* Define to 1 if you have the <stdlib.h> header file. */ -#define HAVE_STDLIB_H 1 - -/* Define to 1 if you have the `stpcpy' function. */ -#define HAVE_STPCPY 1 - -/* Define to 1 if you have the `strcasecmp' function. */ -#define HAVE_STRCASECMP 1 - -/* Define to 1 if you have the `strchr' function. */ -#define HAVE_STRCHR 1 - -/* Define to 1 if you have the `strcoll' function and it is properly defined. - */ -#define HAVE_STRCOLL 1 - -/* Define to 1 if you have the `strcspn' function. */ -#define HAVE_STRCSPN 1 - -/* Define to 1 if you have the `strdup' function. */ -#define HAVE_STRDUP 1 - -/* Define to 1 if you have the `strerror' function. */ -#define HAVE_STRERROR 1 - -/* Define to 1 if you have the `strerror_r' function. */ -#define HAVE_STRERROR_R 1 - -/* Define to 1 if you have the `strftime' function. */ -#define HAVE_STRFTIME 1 - -/* Define to 1 if you have the <strings.h> header file. */ -#define HAVE_STRINGS_H 1 - -/* Define to 1 if you have the <string.h> header file. */ -#define HAVE_STRING_H 1 - -/* Define to 1 if you have the `strncasecmp' function. */ -#define HAVE_STRNCASECMP 1 - -/* Define to 1 if you have the `strndup' function. */ -#define HAVE_STRNDUP 1 - -/* Define to 1 if you have the `strpbrk' function. */ -#define HAVE_STRPBRK 1 - -/* Define to 1 if you have the `strrchr' function. */ -#define HAVE_STRRCHR 1 - -/* Define to 1 if you have the `strstr' function. */ -#define HAVE_STRSTR 1 - -/* Define to 1 if you have the `strtoimax' function. */ -#define HAVE_STRTOIMAX 1 - -/* Define to 1 if you have the `strtol' function. */ -#define HAVE_STRTOL 1 - -/* Define to 1 if you have the `strtoll' function. */ -#define HAVE_STRTOLL 1 - -/* Define to 1 if you have the `strtoul' function. */ -#define HAVE_STRTOUL 1 - -/* Define to 1 if you have the `strtoull' function. */ -#define HAVE_STRTOULL 1 - -/* Define to 1 if you have the `strtoumax' function. */ -#define HAVE_STRTOUMAX 1 - -/* Define if there is a member named d_type in the struct describing directory - headers. */ -#define HAVE_STRUCT_DIRENT_D_TYPE 1 - -/* Define to 1 if `f_fstypename' is member of `struct fsstat'. */ -/* #undef HAVE_STRUCT_FSSTAT_F_FSTYPENAME */ - -/* Define to 1 if `n_un.n_name' is member of `struct nlist'. */ -/* #undef HAVE_STRUCT_NLIST_N_UN_N_NAME */ - -/* Define to 1 if `sp_pwdp' is member of `struct spwd'. */ -/* #undef HAVE_STRUCT_SPWD_SP_PWDP */ - -/* Define to 1 if `f_basetype' is member of `struct statfs'. */ -/* #undef HAVE_STRUCT_STATFS_F_BASETYPE */ - -/* Define to 1 if `f_fsid.__val' is member of `struct statfs'. */ -/* #undef HAVE_STRUCT_STATFS_F_FSID___VAL */ - -/* Define to 1 if `f_fstypename' is member of `struct statfs'. */ -/* #undef HAVE_STRUCT_STATFS_F_FSTYPENAME */ - -/* Define to 1 if `f_namelen' is member of `struct statfs'. */ -/* #undef HAVE_STRUCT_STATFS_F_NAMELEN */ - -/* Define to 1 if `f_namemax' is member of `struct statfs'. */ -/* #undef HAVE_STRUCT_STATFS_F_NAMEMAX */ - -/* Define to 1 if `f_type' is member of `struct statfs'. */ -/* #undef HAVE_STRUCT_STATFS_F_TYPE */ - -/* Define to 1 if `f_basetype' is member of `struct statvfs'. */ -/* #undef HAVE_STRUCT_STATVFS_F_BASETYPE */ - -/* Define to 1 if `f_fsid.__val' is member of `struct statvfs'. */ -/* #undef HAVE_STRUCT_STATVFS_F_FSID___VAL */ - -/* Define to 1 if `f_namelen' is member of `struct statvfs'. */ -/* #undef HAVE_STRUCT_STATVFS_F_NAMELEN */ - -/* Define to 1 if `f_namemax' is member of `struct statvfs'. */ -#define HAVE_STRUCT_STATVFS_F_NAMEMAX 1 - -/* Define to 1 if `f_type' is member of `struct statvfs'. */ -/* #undef HAVE_STRUCT_STATVFS_F_TYPE */ - -/* Define to 1 if `st_author' is member of `struct stat'. */ -/* #undef HAVE_STRUCT_STAT_ST_AUTHOR */ - -/* Define to 1 if `st_blksize' is member of `struct stat'. */ -#define HAVE_STRUCT_STAT_ST_BLKSIZE 1 - -/* Define to 1 if `st_blocks' is member of `struct stat'. */ -#define HAVE_STRUCT_STAT_ST_BLOCKS 1 - -/* Define if struct timespec is declared in <time.h>. */ -#define HAVE_STRUCT_TIMESPEC 1 - -/* Define to 1 if `tm_zone' is member of `struct tm'. */ -#define HAVE_STRUCT_TM_TM_ZONE 1 - -/* Define if struct utimbuf is declared -- usually in <utime.h>. Some systems - have utime.h but don't declare the struct anywhere. */ -#define HAVE_STRUCT_UTIMBUF 1 - -/* Define to 1 if `ut_exit' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_EXIT */ - -/* Define to 1 if `ut_exit.e_exit' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_EXIT_E_EXIT */ - -/* Define to 1 if `ut_exit.e_termination' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_EXIT_E_TERMINATION */ - -/* Define to 1 if `ut_exit.ut_exit' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_EXIT_UT_EXIT */ - -/* Define to 1 if `ut_exit.ut_termination' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_EXIT_UT_TERMINATION */ - -/* Define to 1 if `ut_id' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_ID */ - -/* Define to 1 if `ut_name' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_NAME */ - -/* Define to 1 if `ut_pid' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_PID */ - -/* Define to 1 if `ut_type' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_TYPE */ - -/* Define to 1 if `ut_user' is member of `struct utmpx'. */ -/* #undef HAVE_STRUCT_UTMPX_UT_USER */ - -/* Define to 1 if `ut_exit' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_EXIT */ - -/* Define to 1 if `ut_exit.e_exit' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_EXIT_E_EXIT */ - -/* Define to 1 if `ut_exit.e_termination' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_EXIT_E_TERMINATION */ - -/* Define to 1 if `ut_exit.ut_exit' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_EXIT_UT_EXIT */ - -/* Define to 1 if `ut_exit.ut_termination' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_EXIT_UT_TERMINATION */ - -/* Define to 1 if `ut_id' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_ID */ - -/* Define to 1 if `ut_name' is member of `struct utmp'. */ -#define HAVE_STRUCT_UTMP_UT_NAME 1 - -/* Define to 1 if `ut_pid' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_PID */ - -/* Define to 1 if `ut_type' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_TYPE */ - -/* Define to 1 if `ut_user' is member of `struct utmp'. */ -/* #undef HAVE_STRUCT_UTMP_UT_USER */ - -/* Define to 1 if you have the `strverscmp' function. */ -/* #undef HAVE_STRVERSCMP */ - -/* Define to 1 if your `struct stat' has `st_blocks'. Deprecated, use - `HAVE_STRUCT_STAT_ST_BLOCKS' instead. */ -#define HAVE_ST_BLOCKS 1 - -/* Define if struct stat has an st_dm_mode member. */ -/* #undef HAVE_ST_DM_MODE */ - -/* Define to 1 if you have the `sysctl' function. */ -#define HAVE_SYSCTL 1 - -/* Define to 1 if you have the `sysinfo' function. */ -/* #undef HAVE_SYSINFO */ - -/* FIXME */ -#define HAVE_SYSLOG 1 - -/* Define to 1 if you have the <syslog.h> header file. */ -#define HAVE_SYSLOG_H 1 - -/* Define to 1 if you have the `sysmp' function. */ -/* #undef HAVE_SYSMP */ - -/* Define to 1 if you have the <sys/acl.h> header file. */ -#define HAVE_SYS_ACL_H 1 - -/* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'. - */ -/* #undef HAVE_SYS_DIR_H */ - -/* Define to 1 if you have the <sys/filsys.h> header file. */ -/* #undef HAVE_SYS_FILSYS_H */ - -/* Define to 1 if you have the <sys/fstyp.h> header file. */ -/* #undef HAVE_SYS_FSTYP_H */ - -/* Define to 1 if you have the <sys/fs/s5param.h> header file. */ -/* #undef HAVE_SYS_FS_S5PARAM_H */ - -/* Define to 1 if you have the <sys/fs_types.h> header file. */ -/* #undef HAVE_SYS_FS_TYPES_H */ - -/* Define to 1 if you have the <sys/ioctl.h> header file. */ -#define HAVE_SYS_IOCTL_H 1 - -/* Define to 1 if you have the <sys/mntent.h> header file. */ -/* #undef HAVE_SYS_MNTENT_H */ - -/* Define to 1 if you have the <sys/mount.h> header file. */ -#define HAVE_SYS_MOUNT_H 1 - -/* Define to 1 if you have the <sys/ndir.h> header file, and it defines `DIR'. - */ -/* #undef HAVE_SYS_NDIR_H */ - -/* Define to 1 if you have the <sys/param.h> header file. */ -#define HAVE_SYS_PARAM_H 1 - -/* Define to 1 if you have the <sys/pstat.h> header file. */ -/* #undef HAVE_SYS_PSTAT_H */ - -/* Define to 1 if you have the <sys/resource.h> header file. */ -#define HAVE_SYS_RESOURCE_H 1 - -/* Define to 1 if you have the <sys/socket.h> header file. */ -#define HAVE_SYS_SOCKET_H 1 - -/* Define to 1 if you have the <sys/statfs.h> header file. */ -/* #undef HAVE_SYS_STATFS_H */ - -/* Define to 1 if you have the <sys/statvfs.h> header file. */ -#define HAVE_SYS_STATVFS_H 1 - -/* Define to 1 if you have the <sys/stat.h> header file. */ -#define HAVE_SYS_STAT_H 1 - -/* Define to 1 if you have the <sys/sysctl.h> header file. */ -#define HAVE_SYS_SYSCTL_H 1 - -/* Define to 1 if you have the <sys/sysinfo.h> header file. */ -/* #undef HAVE_SYS_SYSINFO_H */ - -/* Define to 1 if you have the <sys/sysmacros.h> header file. */ -/* #undef HAVE_SYS_SYSMACROS_H */ - -/* Define to 1 if you have the <sys/sysmp.h> header file. */ -/* #undef HAVE_SYS_SYSMP_H */ - -/* Define to 1 if you have the <sys/systemcfg.h> header file. */ -/* #undef HAVE_SYS_SYSTEMCFG_H */ - -/* Define to 1 if you have the <sys/systeminfo.h> header file. */ -/* #undef HAVE_SYS_SYSTEMINFO_H */ - -/* Define to 1 if you have the <sys/table.h> header file. */ -/* #undef HAVE_SYS_TABLE_H */ - -/* Define to 1 if you have the <sys/timeb.h> header file. */ -#define HAVE_SYS_TIMEB_H 1 - -/* Define to 1 if you have the <sys/time.h> header file. */ -#define HAVE_SYS_TIME_H 1 - -/* Define to 1 if you have the <sys/types.h> header file. */ -#define HAVE_SYS_TYPES_H 1 - -/* Define to 1 if you have the <sys/ucred.h> header file. */ -/* #undef HAVE_SYS_UCRED_H */ - -/* Define to 1 if you have the <sys/vfs.h> header file. */ -/* #undef HAVE_SYS_VFS_H */ - -/* Define to 1 if you have the <sys/wait.h> header file. */ -#define HAVE_SYS_WAIT_H 1 - -/* Define to 1 if you have the `table' function. */ -/* #undef HAVE_TABLE */ - -/* Define to 1 if you have the <termios.h> header file. */ -#define HAVE_TERMIOS_H 1 - -/* Define if struct tm has the tm_gmtoff member. */ -#define HAVE_TM_GMTOFF 1 - -/* Define to 1 if your `struct tm' has `tm_zone'. Deprecated, use - `HAVE_STRUCT_TM_TM_ZONE' instead. */ -#define HAVE_TM_ZONE 1 - -/* Define to 1 if you don't have `tm_zone' but do have the external array - `tzname'. */ -/* #undef HAVE_TZNAME */ - -/* Define to 1 if you have the `tzset' function. */ -#define HAVE_TZSET 1 - -/* Define if you have the 'uintmax_t' type in <stdint.h> or <inttypes.h>. */ -#define HAVE_UINTMAX_T 1 - -/* Define to 1 if you have the `uname' function. */ -#define HAVE_UNAME 1 - -/* Define to 1 if you have the <unistd.h> header file. */ -#define HAVE_UNISTD_H 1 - -/* Define if you have the 'unsigned long long' type. */ -#define HAVE_UNSIGNED_LONG_LONG 1 - -/* Define if utimes accepts a null argument */ -/* #undef HAVE_UTIMES_NULL */ - -/* Define to 1 if you have the <utime.h> header file. */ -#define HAVE_UTIME_H 1 - -/* Define to 1 if `utime(file, NULL)' sets file's timestamp to the present. */ -#define HAVE_UTIME_NULL 1 - -/* Define to 1 if you have the `utmpname' function. */ -/* #undef HAVE_UTMPNAME */ - -/* Define to 1 if you have the `utmpxname' function. */ -/* #undef HAVE_UTMPXNAME */ - -/* FIXME */ -/* #undef HAVE_UTMPX_H */ - -/* Define to 1 if you have the <utmp.h> header file. */ -#define HAVE_UTMP_H 1 - -/* FIXME */ -#define HAVE_UT_HOST 1 - -/* Define to 1 if you have the <values.h> header file. */ -/* #undef HAVE_VALUES_H */ - -/* Define to 1 if you have the `vasnprintf' function. */ -/* #undef HAVE_VASNPRINTF */ - -/* Define to 1 if you have the `vasprintf' function. */ -#define HAVE_VASPRINTF 1 - -/* Define to 1 if you have the <wchar.h> header file. */ -#define HAVE_WCHAR_H 1 - -/* Define if you have the 'wchar_t' type. */ -#define HAVE_WCHAR_T 1 - -/* Define to 1 if you have the `wcrtomb' function. */ -#define HAVE_WCRTOMB 1 - -/* Define to 1 if you have the `wcslen' function. */ -#define HAVE_WCSLEN 1 - -/* Define to 1 if you have the <wctype.h> header file. */ -#define HAVE_WCTYPE_H 1 - -/* Define to 1 if you have the `wcwidth' function. */ -#define HAVE_WCWIDTH 1 - -/* Define if you have the 'wint_t' type. */ -#define HAVE_WINT_T 1 - -/* Define to 1 if you have the `wmempcpy' function. */ -/* #undef HAVE_WMEMPCPY */ - -/* Define if readdir is found to work properly in some unusual cases. */ -#define HAVE_WORKING_READDIR 1 - -/* Define if utimes works properly. */ -#define HAVE_WORKING_UTIMES 1 - -/* Define to 1 if the system has the type `_Bool'. */ -#define HAVE__BOOL 1 - -/* Define to 1 if you have the external variable, _system_configuration with a - member named physmem. */ -/* #undef HAVE__SYSTEM_CONFIGURATION */ - -/* Define to 1 if you have the `__fpending' function. */ -/* #undef HAVE___FPENDING */ - -/* Define to 1 if you have the `__secure_getenv' function. */ -/* #undef HAVE___SECURE_GETENV */ - -/* The host operating system. */ -#define HOST_OPERATING_SYSTEM "FreeBSD" - -/* Define as const if the declaration of iconv() needs const. */ -/* #undef ICONV_CONST */ - -#if FILESYSTEM_BACKSLASH_IS_FILE_NAME_SEPARATOR -# define ISSLASH(C) ((C) == '/' || (C) == '\\') -#else -# define ISSLASH(C) ((C) == '/') -#endif - -/* Define if `link(2)' dereferences symbolic links. */ -#define LINK_FOLLOWS_SYMLINKS 1 - -/* FIXME */ -#define LOCALTIME_CACHE 1 - -/* Define to 1 if `lstat' dereferences a symlink specified with a trailing - slash. */ -/* #undef LSTAT_FOLLOWS_SLASHED_SYMLINK */ - -/* Define to 1 if `major', `minor', and `makedev' are declared in <mkdev.h>. - */ -/* #undef MAJOR_IN_MKDEV */ - -/* Define to 1 if `major', `minor', and `makedev' are declared in - <sysmacros.h>. */ -/* #undef MAJOR_IN_SYSMACROS */ - -/* Define if there is no specific function for reading the list of mounted - filesystems. fread will be used to read /etc/mnttab. (SVR2) */ -/* #undef MOUNTED_FREAD */ - -/* Define if (like SVR2) there is no specific function for reading the list of - mounted filesystems, and your system has these header files: <sys/fstyp.h> - and <sys/statfs.h>. (SVR3) */ -/* #undef MOUNTED_FREAD_FSTYP */ - -/* Define if there are functions named next_dev and fs_stat_dev for reading - the list of mounted filesystems. (BeOS) */ -/* #undef MOUNTED_FS_STAT_DEV */ - -/* Define if there is a function named getfsstat for reading the list of - mounted filesystems. (DEC Alpha running OSF/1) */ -/* #undef MOUNTED_GETFSSTAT */ - -/* Define if there is a function named getmnt for reading the list of mounted - filesystems. (Ultrix) */ -/* #undef MOUNTED_GETMNT */ - -/* Define if there is a function named getmntent for reading the list of - mounted filesystems, and that function takes a single argument. (4.3BSD, - SunOS, HP-UX, Dynix, Irix) */ -/* #undef MOUNTED_GETMNTENT1 */ - -/* Define if there is a function named getmntent for reading the list of - mounted filesystems, and that function takes two arguments. (SVR4) */ -/* #undef MOUNTED_GETMNTENT2 */ - -/* Define if there is a function named getmntinfo for reading the list of - mounted filesystems. (4.4BSD, Darwin) */ -#define MOUNTED_GETMNTINFO 1 - -/* Define if there is a function named listmntent that can be used to list all - mounted filesystems. (UNICOS) */ -/* #undef MOUNTED_LISTMNTENT */ - -/* Define if there is a function named mntctl that can be used to read the - list of mounted filesystems, and there is a system header file that - declares `struct vmount.' (AIX) */ -/* #undef MOUNTED_VMOUNT */ - -/* Define to 1 if assertions should be disabled. */ -/* #undef NDEBUG */ - -/* FIXME */ -/* #undef NICE_PRIORITY */ - -/* Define to 1 if your `struct nlist' has an `n_un' member. Obsolete, depend - on `HAVE_STRUCT_NLIST_N_UN_N_NAME */ -/* #undef NLIST_NAME_UNION */ - -/* Name of package */ -#define PACKAGE "coreutils" - -/* Define to the address where bug reports for this package should be sent. */ -#define PACKAGE_BUGREPORT "bug-coreutils@gnu.org" - -/* Define to the full name of this package. */ -#define PACKAGE_NAME "GNU coreutils" - -/* Define to the full name and version of this package. */ -#define PACKAGE_STRING "GNU coreutils 5.3.0-20040812-FreeBSD" - -/* Define to the one symbol short name of this package. */ -#define PACKAGE_TARNAME "coreutils" - -/* Define to the version of this package. */ -#define PACKAGE_VERSION "5.3.0-20040812-FreeBSD" - -/* the number of pending output bytes on stream `fp' */ -#define PENDING_OUTPUT_N_BYTES fp->_p - fp->_bf._base - -/* Define if <inttypes.h> exists and defines unusable PRI* macros. */ -/* #undef PRI_MACROS_BROKEN */ - -/* Define to 1 if the C compiler supports function prototypes. */ -#define PROTOTYPES 1 - -/* Define if rename does not work for source paths with a trailing slash, like - the one from SunOS 4.1.1_U1. */ -/* #undef RENAME_TRAILING_SLASH_BUG */ - -/* Define as the return type of signal handlers (`int' or `void'). */ -#define RETSIGTYPE void - -/* the value to which errno is set when rmdir fails on a nonempty directory */ -#define RMDIR_ERRNO_NOT_EMPTY 66 - -/* Define to 1 if the `setvbuf' function takes the buffering type as its - second argument and the buffer pointer as the third, as on System V before - release 3. */ -/* #undef SETVBUF_REVERSED */ - -/* If using the C implementation of alloca, define if you know the - direction of stack growth for your system; otherwise it will be - automatically deduced at run-time. - STACK_DIRECTION > 0 => grows toward higher addresses - STACK_DIRECTION < 0 => grows toward lower addresses - STACK_DIRECTION = 0 => direction of growth unknown */ -/* #undef STACK_DIRECTION */ - -/* Define if the block counts reported by statfs may be truncated to 2GB and - the correct values may be stored in the f_spare array. (SunOS 4.1.2, 4.1.3, - and 4.1.3_U1 are reported to have this problem. SunOS 4.1.1 seems not to be - affected.) */ -/* #undef STATFS_TRUNCATES_BLOCK_COUNTS */ - -/* Define to 1 if the `S_IS*' macros in <sys/stat.h> do not work properly. */ -/* #undef STAT_MACROS_BROKEN */ - -/* Define if there is no specific function for reading filesystems usage - information and you have the <sys/filsys.h> header file. (SVR2) */ -/* #undef STAT_READ_FILSYS */ - -/* Define if statfs takes 2 args and struct statfs has a field named f_bsize. - (4.3BSD, SunOS 4, HP-UX, AIX PS/2) */ -/* #undef STAT_STATFS2_BSIZE */ - -/* Define if statfs takes 2 args and struct statfs has a field named f_fsize. - (4.4BSD, NetBSD) */ -/* #undef STAT_STATFS2_FSIZE */ - -/* Define if statfs takes 2 args and the second argument has type struct - fs_data. (Ultrix) */ -/* #undef STAT_STATFS2_FS_DATA */ - -/* Define if statfs takes 3 args. (DEC Alpha running OSF/1) */ -/* #undef STAT_STATFS3_OSF1 */ - -/* Define if statfs takes 4 args. (SVR3, Dynix, Irix, Dolphin) */ -/* #undef STAT_STATFS4 */ - -/* Define if there is a function named statvfs. (SVR4) */ -#define STAT_STATVFS 1 - -/* Define to 1 if you have the ANSI C header files. */ -#define STDC_HEADERS 1 - -/* Define to 1 if strerror_r returns char *. */ -/* #undef STRERROR_R_CHAR_P */ - -/* Define to be the nanoseconds member of struct stat's st_mtim, if it exists. - */ -/* #undef ST_MTIM_NSEC */ - -/* Define to 1 on System V Release 4. */ -/* #undef SVR4 */ - -/* FIXME */ -/* #undef TERMIOS_NEEDS_XOPEN_SOURCE */ - -/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ -#define TIME_WITH_SYS_TIME 1 - -/* Define to 1 if your <sys/time.h> declares `struct tm'. */ -/* #undef TM_IN_SYS_TIME */ - -/* Define if tzset clobbers localtime's static buffer. */ -/* #undef TZSET_CLOBBERS_LOCALTIME_BUFFER */ - -/* Define to 1 for Encore UMAX. */ -/* #undef UMAX */ - -/* Define to 1 for Encore UMAX 4.3 that has <inq_status/cpustats.h> instead of - <sys/cpustats.h>. */ -/* #undef UMAX4_3 */ - -/* Version number of package */ -#define VERSION "5.3.0-20040812-FreeBSD" - -/* Define if sys/ptem.h is required for struct winsize. */ -/* #undef WINSIZE_IN_PTEM */ - -/* Define to 1 if your processor stores words with the most significant byte - first (like Motorola and SPARC, unlike Intel and VAX). */ -/* #undef WORDS_BIGENDIAN */ - -/* Define to 1 if on AIX 3. - System headers sometimes define this. - We just want to avoid a redefinition error message. */ -#ifndef _ALL_SOURCE -/* # undef _ALL_SOURCE */ -#endif - -/* Number of bits in a file offset, on hosts where this is settable. */ -/* #undef _FILE_OFFSET_BITS */ - -/* Enable GNU extensions on systems that have them. */ -#ifndef _GNU_SOURCE -# define _GNU_SOURCE 1 -#endif - -/* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */ -/* #undef _LARGEFILE_SOURCE */ - -/* Define for large files, on AIX-style hosts. */ -/* #undef _LARGE_FILES */ - -/* Define to 1 if on MINIX. */ -/* #undef _MINIX */ - -/* Define to 2 if the system does not provide POSIX.1 features except with - this defined. */ -/* #undef _POSIX_1_SOURCE */ - -/* Define to 1 if you need to in order for `stat' and other things to work. */ -/* #undef _POSIX_SOURCE */ - -/* Enable extensions on Solaris. */ -#ifndef __EXTENSIONS__ -# define __EXTENSIONS__ 1 -#endif - -/* Define like PROTOTYPES; this can be used by system headers. */ -#define __PROTOTYPES 1 - -/* Define to rpl_chown if the replacement function should be used. */ -/* #undef chown */ - -/* Define to empty if `const' does not conform to ANSI C. */ -/* #undef const */ - -/* Define to a replacement function name for fnmatch(). */ -/* #undef fnmatch */ - -/* Define to rpl_free if the replacement function should be used. */ -/* #undef free */ - -/* Define to rpl_getcwd if the wrapper function should be used. */ -/* #undef getcwd */ - -/* Define as rpl_getgroups if getgroups doesn't work right. */ -/* #undef getgroups */ - -/* Define to a replacement function name for getline(). */ -/* #undef getline */ - -/* Define to rpl_gettimeofday if the replacement function should be used. */ -/* #undef gettimeofday */ - -/* Define to `int' if <sys/types.h> doesn't define. */ -/* #undef gid_t */ - -/* Define to rpl_gmtime if the replacement function should be used. */ -/* #undef gmtime */ - -/* Define to `__inline__' or `__inline' if that's what the C compiler - calls it, or to nothing if 'inline' is not supported under any name. */ -#ifndef __cplusplus -/* #undef inline */ -#endif - -/* Define to `unsigned long int' if <sys/types.h> does not define. */ -/* #undef ino_t */ - -/* Define to long or long long if <stdint.h> and <inttypes.h> don't define. */ -/* #undef intmax_t */ - -/* Define to rpl_localtime if the replacement function should be used. */ -/* #undef localtime */ - -/* Define to `unsigned int' if <sys/types.h> does not define. */ -#define major_t unsigned int - -/* Define to rpl_malloc if the replacement function should be used. */ -/* #undef malloc */ - -/* Define to a type if <wchar.h> does not define. */ -/* #undef mbstate_t */ - -/* Define to rpl_memcmp if the replacement function should be used. */ -/* #undef memcmp */ - -/* Define to `unsigned int' if <sys/types.h> does not define. */ -#define minor_t unsigned int - -/* Define to rpl_mkdir if the replacement function should be used. */ -/* #undef mkdir */ - -/* Define to rpl_mkstemp if the replacement function should be used. */ -/* #undef mkstemp */ - -/* Define to rpl_mktime if the replacement function should be used. */ -/* #undef mktime */ - -/* Define to `int' if <sys/types.h> does not define. */ -/* #undef mode_t */ - -/* Define to the name of the strftime replacement function. */ -#define my_strftime nstrftime - -/* Define to rpl_nanosleep if the replacement function should be used. */ -/* #undef nanosleep */ - -/* Define to `long' if <sys/types.h> does not define. */ -/* #undef off_t */ - -/* Define to `int' if <sys/types.h> does not define. */ -/* #undef pid_t */ - -/* Define to rpl_putenv if the replacement function should be used. */ -/* #undef putenv */ - -/* Define to rpl_realloc if the replacement function should be used. */ -/* #undef realloc */ - -/* Define to rpl_rename if the replacement function should be used. */ -/* #undef rename */ - -/* Define to equivalent of C99 restrict keyword, or to nothing if this is not - supported. Do not define if restrict is supported directly. */ -#define restrict __restrict - -/* Define to empty if the C compiler doesn't support this keyword. */ -/* #undef signed */ - -/* Define to `unsigned' if <sys/types.h> does not define. */ -/* #undef size_t */ - -/* Define as a signed type of the same size as size_t. */ -/* #undef ssize_t */ - -/* Define to rpl_strnlen if the replacement function should be used. */ -#define strnlen rpl_strnlen - -/* Define to rpl_strtod if the replacement function should be used. */ -/* #undef strtod */ - -/* Define to rpl_tzset if the wrapper function should be used. */ -/* #undef tzset */ - -/* Define to `int' if <sys/types.h> doesn't define. */ -/* #undef uid_t */ - -/* Define to unsigned long or unsigned long long if <stdint.h> and - <inttypes.h> don't define. */ -/* #undef uintmax_t */ - -/* Define to `size_t' if <sys/types.h> does not define. */ -/* #undef uintptr_t */ - -/* Define to rpl_utime if the replacement function should be used. */ -/* #undef utime */ - -/* Define to empty if the keyword `volatile' does not work. Warning: valid - code using `volatile' can become incorrect without. Disable with care. */ -/* #undef volatile */ diff --git a/gnu/usr.bin/sort/localedir.h b/gnu/usr.bin/sort/localedir.h deleted file mode 100644 index f119a5f..0000000 --- a/gnu/usr.bin/sort/localedir.h +++ /dev/null @@ -1,2 +0,0 @@ -/* $FreeBSD$ */ -#define LOCALEDIR "" diff --git a/gnu/usr.bin/sort/unlocked-io.h b/gnu/usr.bin/sort/unlocked-io.h deleted file mode 100644 index 3c7a476..0000000 --- a/gnu/usr.bin/sort/unlocked-io.h +++ /dev/null @@ -1,2 +0,0 @@ -/* $FreeBSD$ */ -/* Dummy file for trimmed down sort */ diff --git a/lib/libc/arm/Symbol.map b/lib/libc/arm/Symbol.map index 48f6747..b786afd 100644 --- a/lib/libc/arm/Symbol.map +++ b/lib/libc/arm/Symbol.map @@ -37,6 +37,10 @@ FBSD_1.3 { __flt_rounds; }; +FBSD_1.3 { + __flt_rounds; +}; + FBSDprivate_1.0 { /* PSEUDO syscalls */ __sys_getlogin; diff --git a/sys/contrib/pf/net/if_pflog.c b/sys/contrib/pf/net/if_pflog.c deleted file mode 100644 index 349930b..0000000 --- a/sys/contrib/pf/net/if_pflog.c +++ /dev/null @@ -1,435 +0,0 @@ -/* $OpenBSD: if_pflog.c,v 1.26 2007/10/18 21:58:18 mpf Exp $ */ -/* - * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and - * Niels Provos (provos@physnet.uni-hamburg.de). - * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, - * in November 1995. - * - * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis. - * - * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis - * and Niels Provos. - * - * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos. - * Copyright (c) 2001, Angelos D. Keromytis, Niels Provos. - * - * Permission to use, copy, and modify this software with or without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. - */ - -#ifdef __FreeBSD__ -#include "opt_inet.h" -#include "opt_inet6.h" -#include "opt_bpf.h" -#include "opt_pf.h" - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#ifdef DEV_BPF -#define NBPFILTER DEV_BPF -#else -#define NBPFILTER 0 -#endif - -#ifdef DEV_PFLOG -#define NPFLOG DEV_PFLOG -#else -#define NPFLOG 0 -#endif - -#else /* ! __FreeBSD__ */ -#include "bpfilter.h" -#include "pflog.h" -#endif /* __FreeBSD__ */ - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/mbuf.h> -#include <sys/proc.h> -#include <sys/socket.h> -#ifdef __FreeBSD__ -#include <sys/kernel.h> -#include <sys/limits.h> -#include <sys/malloc.h> -#include <sys/module.h> -#include <sys/sockio.h> -#else -#include <sys/ioctl.h> -#endif - -#include <net/if.h> -#ifdef __FreeBSD__ -#include <net/if_clone.h> -#endif -#include <net/if_types.h> -#include <net/route.h> -#include <net/bpf.h> - -#if defined(INET) || defined(INET6) -#include <netinet/in.h> -#endif -#ifdef INET -#include <netinet/in_var.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#endif - -#ifdef INET6 -#include <netinet6/in6_var.h> -#include <netinet6/nd6.h> -#endif /* INET6 */ - -#include <net/pfvar.h> -#include <net/if_pflog.h> - -#ifdef __FreeBSD__ -#ifdef INET -#include <machine/in_cksum.h> -#endif /* INET */ -#endif /* __FreeBSD__ */ - -#define PFLOGMTU (32768 + MHLEN + MLEN) - -#ifdef PFLOGDEBUG -#define DPRINTF(x) do { if (pflogdebug) printf x ; } while (0) -#else -#define DPRINTF(x) -#endif - -void pflogattach(int); -int pflogoutput(struct ifnet *, struct mbuf *, struct sockaddr *, -#ifdef __FreeBSD__ - struct route *); -#else - struct rtentry *); -#endif -int pflogioctl(struct ifnet *, u_long, caddr_t); -void pflogstart(struct ifnet *); -#ifdef __FreeBSD__ -static int pflog_clone_create(struct if_clone *, int, caddr_t); -static void pflog_clone_destroy(struct ifnet *); -#else -int pflog_clone_create(struct if_clone *, int); -int pflog_clone_destroy(struct ifnet *); -#endif - -LIST_HEAD(, pflog_softc) pflogif_list; -#ifdef __FreeBSD__ -IFC_SIMPLE_DECLARE(pflog, 1); -#else -struct if_clone pflog_cloner = - IF_CLONE_INITIALIZER("pflog", pflog_clone_create, pflog_clone_destroy); -#endif - -struct ifnet *pflogifs[PFLOGIFS_MAX]; /* for fast access */ - -void -pflogattach(int npflog) -{ - int i; - LIST_INIT(&pflogif_list); - for (i = 0; i < PFLOGIFS_MAX; i++) - pflogifs[i] = NULL; - if_clone_attach(&pflog_cloner); -} - -#ifdef __FreeBSD__ -static int -pflog_clone_create(struct if_clone *ifc, int unit, caddr_t param) -#else -int -pflog_clone_create(struct if_clone *ifc, int unit) -#endif -{ - struct ifnet *ifp; - struct pflog_softc *pflogif; - int s; - - if (unit >= PFLOGIFS_MAX) - return (EINVAL); - - if ((pflogif = malloc(sizeof(*pflogif), - M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) - return (ENOMEM); - - pflogif->sc_unit = unit; -#ifdef __FreeBSD__ - ifp = pflogif->sc_ifp = if_alloc(IFT_PFLOG); - if (ifp == NULL) { - free(pflogif, M_DEVBUF); - return (ENOSPC); - } - if_initname(ifp, ifc->ifc_name, unit); -#else - ifp = &pflogif->sc_if; - snprintf(ifp->if_xname, sizeof ifp->if_xname, "pflog%d", unit); -#endif - ifp->if_softc = pflogif; - ifp->if_mtu = PFLOGMTU; - ifp->if_ioctl = pflogioctl; - ifp->if_output = pflogoutput; - ifp->if_start = pflogstart; -#ifndef __FreeBSD__ - ifp->if_type = IFT_PFLOG; -#endif - ifp->if_snd.ifq_maxlen = ifqmaxlen; - ifp->if_hdrlen = PFLOG_HDRLEN; - if_attach(ifp); -#ifndef __FreeBSD__ - if_alloc_sadl(ifp); -#endif - -#if NBPFILTER > 0 -#ifdef __FreeBSD__ - bpfattach(ifp, DLT_PFLOG, PFLOG_HDRLEN); -#else - bpfattach(&pflogif->sc_if.if_bpf, ifp, DLT_PFLOG, PFLOG_HDRLEN); -#endif -#endif - - s = splnet(); -#ifdef __FreeBSD__ - /* XXX: Why pf(4) lock?! Better add a pflog lock?! */ - PF_LOCK(); -#endif - LIST_INSERT_HEAD(&pflogif_list, pflogif, sc_list); - pflogifs[unit] = ifp; -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - - return (0); -} - -#ifdef __FreeBSD__ -static void -pflog_clone_destroy(struct ifnet *ifp) -#else -int -pflog_clone_destroy(struct ifnet *ifp) -#endif -{ - struct pflog_softc *pflogif = ifp->if_softc; - int s; - - s = splnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - pflogifs[pflogif->sc_unit] = NULL; - LIST_REMOVE(pflogif, sc_list); -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - -#if NBPFILTER > 0 - bpfdetach(ifp); -#endif - if_detach(ifp); -#ifdef __FreeBSD__ - if_free(ifp); -#endif - free(pflogif, M_DEVBUF); -#ifndef __FreeBSD__ - return (0); -#endif -} - -/* - * Start output on the pflog interface. - */ -void -pflogstart(struct ifnet *ifp) -{ - struct mbuf *m; -#ifndef __FreeBSD__ - int s; -#endif - - for (;;) { -#ifdef __FreeBSD__ - IF_LOCK(&ifp->if_snd); - _IF_DROP(&ifp->if_snd); - _IF_DEQUEUE(&ifp->if_snd, m); - IF_UNLOCK(&ifp->if_snd); -#else - s = splnet(); - IF_DROP(&ifp->if_snd); - IF_DEQUEUE(&ifp->if_snd, m); - splx(s); -#endif - - if (m == NULL) - return; - else - m_freem(m); - } -} - -int -pflogoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, -#ifdef __FreeBSD__ - struct route *rt) -#else - struct rtentry *rt) -#endif -{ - m_freem(m); - return (0); -} - -/* ARGSUSED */ -int -pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data) -{ - switch (cmd) { - case SIOCSIFFLAGS: -#ifdef __FreeBSD__ - if (ifp->if_flags & IFF_UP) - ifp->if_drv_flags |= IFF_DRV_RUNNING; - else - ifp->if_drv_flags &= ~IFF_DRV_RUNNING; -#else - if (ifp->if_flags & IFF_UP) - ifp->if_flags |= IFF_RUNNING; - else - ifp->if_flags &= ~IFF_RUNNING; -#endif - break; - default: - return (ENOTTY); - } - - return (0); -} - -int -pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, - u_int8_t reason, struct pf_rule *rm, struct pf_rule *am, - struct pf_ruleset *ruleset, struct pf_pdesc *pd) -{ -#if NBPFILTER > 0 - struct ifnet *ifn; - struct pfloghdr hdr; - - if (kif == NULL || m == NULL || rm == NULL || pd == NULL) - return ( 1); - - if ((ifn = pflogifs[rm->logif]) == NULL || !ifn->if_bpf) - return (0); - - bzero(&hdr, sizeof(hdr)); - hdr.length = PFLOG_REAL_HDRLEN; - hdr.af = af; - hdr.action = rm->action; - hdr.reason = reason; - memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname)); - - if (am == NULL) { - hdr.rulenr = htonl(rm->nr); - hdr.subrulenr = 1; - } else { - hdr.rulenr = htonl(am->nr); - hdr.subrulenr = htonl(rm->nr); - if (ruleset != NULL && ruleset->anchor != NULL) - strlcpy(hdr.ruleset, ruleset->anchor->name, - sizeof(hdr.ruleset)); - } - if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done) -#ifdef __FreeBSD__ - /* - * XXX: This should not happen as we force an early lookup - * via debug.pfugidhack - */ - ; /* empty */ -#else - pd->lookup.done = pf_socket_lookup(dir, pd); -#endif - if (pd->lookup.done > 0) { - hdr.uid = pd->lookup.uid; - hdr.pid = pd->lookup.pid; - } else { - hdr.uid = UID_MAX; - hdr.pid = NO_PID; - } - hdr.rule_uid = rm->cuid; - hdr.rule_pid = rm->cpid; - hdr.dir = dir; - -#ifdef INET - if (af == AF_INET && dir == PF_OUT) { - struct ip *ip; - - ip = mtod(m, struct ip *); - ip->ip_sum = 0; - ip->ip_sum = in_cksum(m, ip->ip_hl << 2); - } -#endif /* INET */ - - ifn->if_opackets++; - ifn->if_obytes += m->m_pkthdr.len; -#ifdef __FreeBSD__ - BPF_MTAP2(ifn, &hdr, PFLOG_HDRLEN, m); -#else - bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, PFLOG_HDRLEN, m, - BPF_DIRECTION_OUT); -#endif -#endif - - return (0); -} - -#ifdef __FreeBSD__ -static int -pflog_modevent(module_t mod, int type, void *data) -{ - int error = 0; - - switch (type) { - case MOD_LOAD: - pflogattach(1); - PF_LOCK(); - pflog_packet_ptr = pflog_packet; - PF_UNLOCK(); - break; - case MOD_UNLOAD: - PF_LOCK(); - pflog_packet_ptr = NULL; - PF_UNLOCK(); - if_clone_detach(&pflog_cloner); - break; - default: - error = EINVAL; - break; - } - - return error; -} - -static moduledata_t pflog_mod = { "pflog", pflog_modevent, 0 }; - -#define PFLOG_MODVER 1 - -DECLARE_MODULE(pflog, pflog_mod, SI_SUB_PSEUDO, SI_ORDER_ANY); -MODULE_VERSION(pflog, PFLOG_MODVER); -MODULE_DEPEND(pflog, pf, PF_MODVER, PF_MODVER, PF_MODVER); -#endif /* __FreeBSD__ */ diff --git a/sys/contrib/pf/net/if_pflog.h b/sys/contrib/pf/net/if_pflog.h deleted file mode 100644 index 5f48f6c..0000000 --- a/sys/contrib/pf/net/if_pflog.h +++ /dev/null @@ -1,101 +0,0 @@ -/* $OpenBSD: if_pflog.h,v 1.13 2006/10/23 12:46:09 henning Exp $ */ -/* - * Copyright 2001 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _NET_IF_PFLOG_H_ -#define _NET_IF_PFLOG_H_ - -#define PFLOGIFS_MAX 16 - -struct pflog_softc { -#ifdef __FreeBSD__ - struct ifnet *sc_ifp; /* the interface pointer */ -#else - struct ifnet sc_if; /* the interface */ -#endif - int sc_unit; - LIST_ENTRY(pflog_softc) sc_list; -}; - -#define PFLOG_RULESET_NAME_SIZE 16 - -struct pfloghdr { - u_int8_t length; - sa_family_t af; - u_int8_t action; - u_int8_t reason; - char ifname[IFNAMSIZ]; - char ruleset[PFLOG_RULESET_NAME_SIZE]; - u_int32_t rulenr; - u_int32_t subrulenr; - uid_t uid; - pid_t pid; - uid_t rule_uid; - pid_t rule_pid; - u_int8_t dir; - u_int8_t pad[3]; -}; - -#define PFLOG_HDRLEN sizeof(struct pfloghdr) -/* minus pad, also used as a signature */ -#define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad) - -/* XXX remove later when old format logs are no longer needed */ -struct old_pfloghdr { - u_int32_t af; - char ifname[IFNAMSIZ]; - short rnr; - u_short reason; - u_short action; - u_short dir; -}; -#define OLD_PFLOG_HDRLEN sizeof(struct old_pfloghdr) - -#ifdef _KERNEL -#ifdef __FreeBSD__ -struct pf_rule; -struct pf_ruleset; -struct pfi_kif; -struct pf_pdesc; - -#if 0 -typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t, - u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *, - struct pf_ruleset *, struct pf_pdesc *); -extern pflog_packet_t *pflog_packet_ptr; -#endif -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) do { \ - if (pflog_packet_ptr != NULL) \ - pflog_packet_ptr(i,a,b,c,d,e,f,g,h); \ -} while (0) -#else /* ! __FreeBSD__ */ -#if NPFLOG > 0 -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) pflog_packet(i,a,b,c,d,e,f,g,h) -#else -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) ((void)0) -#endif /* NPFLOG > 0 */ -#endif -#endif /* _KERNEL */ -#endif /* _NET_IF_PFLOG_H_ */ diff --git a/sys/contrib/pf/net/if_pflow.h b/sys/contrib/pf/net/if_pflow.h deleted file mode 100644 index 35ccbeb..0000000 --- a/sys/contrib/pf/net/if_pflow.h +++ /dev/null @@ -1,126 +0,0 @@ -/* $OpenBSD: if_pflow.h,v 1.5 2009/02/27 11:09:36 gollo Exp $ */ - -/* - * Copyright (c) 2008 Henning Brauer <henning@openbsd.org> - * Copyright (c) 2008 Joerg Goltermann <jg@osn.de> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN - * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT - * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - * $FreeBSD$ - */ - -#ifndef _NET_IF_PFLOW_H_ -#define _NET_IF_PFLOW_H_ - -#define PFLOW_ID_LEN sizeof(u_int64_t) - -#define PFLOW_MAXFLOWS 30 -#define PFLOW_VERSION 5 -#define PFLOW_ENGINE_TYPE 42 -#define PFLOW_ENGINE_ID 42 -#define PFLOW_MAXBYTES 0xffffffff -#define PFLOW_TIMEOUT 30 - -struct pflow_flow { - u_int32_t src_ip; - u_int32_t dest_ip; - u_int32_t nexthop_ip; - u_int16_t if_index_in; - u_int16_t if_index_out; - u_int32_t flow_packets; - u_int32_t flow_octets; - u_int32_t flow_start; - u_int32_t flow_finish; - u_int16_t src_port; - u_int16_t dest_port; - u_int8_t pad1; - u_int8_t tcp_flags; - u_int8_t protocol; - u_int8_t tos; - u_int16_t src_as; - u_int16_t dest_as; - u_int8_t src_mask; - u_int8_t dest_mask; - u_int16_t pad2; -} __packed; - -#ifdef _KERNEL - -extern int pflow_ok; - -struct pflow_softc { - struct ifnet sc_if; - struct ifnet *sc_pflow_ifp; - - unsigned int sc_count; - unsigned int sc_maxcount; - u_int64_t sc_gcounter; - struct ip_moptions sc_imo; -#ifdef __FreeBSD__ - struct callout sc_tmo; -#else - struct timeout sc_tmo; -#endif - struct in_addr sc_sender_ip; - u_int16_t sc_sender_port; - struct in_addr sc_receiver_ip; - u_int16_t sc_receiver_port; - struct mbuf *sc_mbuf; /* current cumulative mbuf */ - SLIST_ENTRY(pflow_softc) sc_next; -}; - -extern struct pflow_softc *pflowif; - -#endif /* _KERNEL */ - -struct pflow_header { - u_int16_t version; - u_int16_t count; - u_int32_t uptime_ms; - u_int32_t time_sec; - u_int32_t time_nanosec; - u_int32_t flow_sequence; - u_int8_t engine_type; - u_int8_t engine_id; - u_int8_t reserved1; - u_int8_t reserved2; -} __packed; - -#define PFLOW_HDRLEN sizeof(struct pflow_header) - -struct pflowstats { - u_int64_t pflow_flows; - u_int64_t pflow_packets; - u_int64_t pflow_onomem; - u_int64_t pflow_oerrors; -}; - -/* - * Configuration structure for SIOCSETPFLOW SIOCGETPFLOW - */ -struct pflowreq { - struct in_addr sender_ip; - struct in_addr receiver_ip; - u_int16_t receiver_port; - u_int16_t addrmask; -#define PFLOW_MASK_SRCIP 0x01 -#define PFLOW_MASK_DSTIP 0x02 -#define PFLOW_MASK_DSTPRT 0x04 -}; - -#ifdef _KERNEL -int export_pflow(struct pf_state *); -int pflow_sysctl(int *, u_int, void *, size_t *, void *, size_t); -#endif /* _KERNEL */ - -#endif /* _NET_IF_PFLOW_H_ */ diff --git a/sys/contrib/pf/net/if_pfsync.c b/sys/contrib/pf/net/if_pfsync.c deleted file mode 100644 index 7da6c2e..0000000 --- a/sys/contrib/pf/net/if_pfsync.c +++ /dev/null @@ -1,3474 +0,0 @@ -/* $OpenBSD: if_pfsync.c,v 1.110 2009/02/24 05:39:19 dlg Exp $ */ - -/* - * Copyright (c) 2002 Michael Shalayeff - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING - * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF - * THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (c) 2009 David Gwynne <dlg@openbsd.org> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* - * Revisions picked from OpenBSD after revision 1.110 import: - * 1.118, 1.124, 1.148, 1.149, 1.151, 1.171 - fixes to bulk updates - * 1.120, 1.175 - use monotonic time_uptime - * 1.122 - reduce number of updates for non-TCP sessions - * 1.128 - cleanups - * 1.146 - bzero() mbuf before sparsely filling it with data - * 1.170 - SIOCSIFMTU checks - * 1.126, 1.142 - deferred packets processing - * 1.173 - correct expire time processing - */ - -#ifdef __FreeBSD__ -#include "opt_inet.h" -#include "opt_inet6.h" -#include "opt_pf.h" - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#define NBPFILTER 1 -#endif /* __FreeBSD__ */ - -#include <sys/param.h> -#include <sys/kernel.h> -#ifdef __FreeBSD__ -#include <sys/bus.h> -#include <sys/interrupt.h> -#include <sys/priv.h> -#endif -#include <sys/proc.h> -#include <sys/systm.h> -#include <sys/time.h> -#include <sys/mbuf.h> -#include <sys/socket.h> -#ifdef __FreeBSD__ -#include <sys/endian.h> -#include <sys/malloc.h> -#include <sys/module.h> -#include <sys/sockio.h> -#include <sys/taskqueue.h> -#include <sys/lock.h> -#include <sys/mutex.h> -#include <sys/protosw.h> -#else -#include <sys/ioctl.h> -#include <sys/timeout.h> -#endif -#include <sys/sysctl.h> -#ifndef __FreeBSD__ -#include <sys/pool.h> -#endif - -#include <net/if.h> -#ifdef __FreeBSD__ -#include <net/if_clone.h> -#endif -#include <net/if_types.h> -#include <net/route.h> -#include <net/bpf.h> -#include <net/netisr.h> -#ifdef __FreeBSD__ -#include <net/vnet.h> -#endif - -#include <netinet/in.h> -#include <netinet/if_ether.h> -#include <netinet/tcp.h> -#include <netinet/tcp_seq.h> - -#ifdef INET -#include <netinet/in_systm.h> -#include <netinet/in_var.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#endif - -#ifdef INET6 -#include <netinet6/nd6.h> -#endif /* INET6 */ - -#ifdef __FreeBSD__ -#include <netinet/ip_carp.h> -#else -#include "carp.h" -#if NCARP > 0 -#include <netinet/ip_carp.h> -#endif -#endif - -#include <net/pfvar.h> -#include <net/if_pfsync.h> - -#ifndef __FreeBSD__ -#include "bpfilter.h" -#include "pfsync.h" -#endif - -#define PFSYNC_MINPKT ( \ - sizeof(struct ip) + \ - sizeof(struct pfsync_header) + \ - sizeof(struct pfsync_subheader) + \ - sizeof(struct pfsync_eof)) - -struct pfsync_pkt { - struct ip *ip; - struct in_addr src; - u_int8_t flags; -}; - -int pfsync_input_hmac(struct mbuf *, int); - -int pfsync_upd_tcp(struct pf_state *, struct pfsync_state_peer *, - struct pfsync_state_peer *); - -int pfsync_in_clr(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_ins(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_iack(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_upd(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_upd_c(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_ureq(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_del(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_del_c(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_bus(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_tdb(struct pfsync_pkt *, struct mbuf *, int, int); -int pfsync_in_eof(struct pfsync_pkt *, struct mbuf *, int, int); - -int pfsync_in_error(struct pfsync_pkt *, struct mbuf *, int, int); - -int (*pfsync_acts[])(struct pfsync_pkt *, struct mbuf *, int, int) = { - pfsync_in_clr, /* PFSYNC_ACT_CLR */ - pfsync_in_ins, /* PFSYNC_ACT_INS */ - pfsync_in_iack, /* PFSYNC_ACT_INS_ACK */ - pfsync_in_upd, /* PFSYNC_ACT_UPD */ - pfsync_in_upd_c, /* PFSYNC_ACT_UPD_C */ - pfsync_in_ureq, /* PFSYNC_ACT_UPD_REQ */ - pfsync_in_del, /* PFSYNC_ACT_DEL */ - pfsync_in_del_c, /* PFSYNC_ACT_DEL_C */ - pfsync_in_error, /* PFSYNC_ACT_INS_F */ - pfsync_in_error, /* PFSYNC_ACT_DEL_F */ - pfsync_in_bus, /* PFSYNC_ACT_BUS */ - pfsync_in_tdb, /* PFSYNC_ACT_TDB */ - pfsync_in_eof /* PFSYNC_ACT_EOF */ -}; - -struct pfsync_q { - int (*write)(struct pf_state *, struct mbuf *, int); - size_t len; - u_int8_t action; -}; - -/* we have one of these for every PFSYNC_S_ */ -int pfsync_out_state(struct pf_state *, struct mbuf *, int); -int pfsync_out_iack(struct pf_state *, struct mbuf *, int); -int pfsync_out_upd_c(struct pf_state *, struct mbuf *, int); -int pfsync_out_del(struct pf_state *, struct mbuf *, int); - -struct pfsync_q pfsync_qs[] = { - { pfsync_out_state, sizeof(struct pfsync_state), PFSYNC_ACT_INS }, - { pfsync_out_iack, sizeof(struct pfsync_ins_ack), PFSYNC_ACT_INS_ACK }, - { pfsync_out_state, sizeof(struct pfsync_state), PFSYNC_ACT_UPD }, - { pfsync_out_upd_c, sizeof(struct pfsync_upd_c), PFSYNC_ACT_UPD_C }, - { pfsync_out_del, sizeof(struct pfsync_del_c), PFSYNC_ACT_DEL_C } -}; - -void pfsync_q_ins(struct pf_state *, int); -void pfsync_q_del(struct pf_state *); - -struct pfsync_upd_req_item { - TAILQ_ENTRY(pfsync_upd_req_item) ur_entry; - struct pfsync_upd_req ur_msg; -}; -TAILQ_HEAD(pfsync_upd_reqs, pfsync_upd_req_item); - -struct pfsync_deferral { - TAILQ_ENTRY(pfsync_deferral) pd_entry; - struct pf_state *pd_st; - struct mbuf *pd_m; -#ifdef __FreeBSD__ - struct callout pd_tmo; -#else - struct timeout pd_tmo; -#endif -}; -TAILQ_HEAD(pfsync_deferrals, pfsync_deferral); - -#define PFSYNC_PLSIZE MAX(sizeof(struct pfsync_upd_req_item), \ - sizeof(struct pfsync_deferral)) - -#ifdef notyet -int pfsync_out_tdb(struct tdb *, struct mbuf *, int); -#endif - -struct pfsync_softc { -#ifdef __FreeBSD__ - struct ifnet *sc_ifp; -#else - struct ifnet sc_if; -#endif - struct ifnet *sc_sync_if; - -#ifdef __FreeBSD__ - uma_zone_t sc_pool; -#else - struct pool sc_pool; -#endif - - struct ip_moptions sc_imo; - - struct in_addr sc_sync_peer; - u_int8_t sc_maxupdates; -#ifdef __FreeBSD__ - int pfsync_sync_ok; -#endif - - struct ip sc_template; - - struct pf_state_queue sc_qs[PFSYNC_S_COUNT]; - size_t sc_len; - - struct pfsync_upd_reqs sc_upd_req_list; - - int sc_defer; - struct pfsync_deferrals sc_deferrals; - u_int sc_deferred; - - void *sc_plus; - size_t sc_pluslen; - - u_int32_t sc_ureq_sent; - int sc_bulk_tries; -#ifdef __FreeBSD__ - struct callout sc_bulkfail_tmo; -#else - struct timeout sc_bulkfail_tmo; -#endif - - u_int32_t sc_ureq_received; - struct pf_state *sc_bulk_next; - struct pf_state *sc_bulk_last; -#ifdef __FreeBSD__ - struct callout sc_bulk_tmo; -#else - struct timeout sc_bulk_tmo; -#endif - - TAILQ_HEAD(, tdb) sc_tdb_q; - -#ifdef __FreeBSD__ - struct callout sc_tmo; -#else - struct timeout sc_tmo; -#endif -}; - -#ifdef __FreeBSD__ -static MALLOC_DEFINE(M_PFSYNC, "pfsync", "pfsync data"); -static VNET_DEFINE(struct pfsync_softc *, pfsyncif) = NULL; -#define V_pfsyncif VNET(pfsyncif) -static VNET_DEFINE(void *, pfsync_swi_cookie) = NULL; -#define V_pfsync_swi_cookie VNET(pfsync_swi_cookie) -static VNET_DEFINE(struct pfsyncstats, pfsyncstats); -#define V_pfsyncstats VNET(pfsyncstats) -static VNET_DEFINE(int, pfsync_carp_adj) = CARP_MAXSKEW; -#define V_pfsync_carp_adj VNET(pfsync_carp_adj) - -static void pfsyncintr(void *); -static int pfsync_multicast_setup(struct pfsync_softc *); -static void pfsync_multicast_cleanup(struct pfsync_softc *); -static int pfsync_init(void); -static void pfsync_uninit(void); -static void pfsync_sendout1(int); - -#define schednetisr(NETISR_PFSYNC) swi_sched(V_pfsync_swi_cookie, 0) - -SYSCTL_NODE(_net, OID_AUTO, pfsync, CTLFLAG_RW, 0, "PFSYNC"); -SYSCTL_VNET_STRUCT(_net_pfsync, OID_AUTO, stats, CTLFLAG_RW, - &VNET_NAME(pfsyncstats), pfsyncstats, - "PFSYNC statistics (struct pfsyncstats, net/if_pfsync.h)"); -SYSCTL_INT(_net_pfsync, OID_AUTO, carp_demotion_factor, CTLFLAG_RW, - &VNET_NAME(pfsync_carp_adj), 0, "pfsync's CARP demotion factor adjustment"); -#else -struct pfsync_softc *pfsyncif = NULL; -struct pfsyncstats pfsyncstats; -#define V_pfsyncstats pfsyncstats -#endif - -void pfsyncattach(int); -#ifdef __FreeBSD__ -int pfsync_clone_create(struct if_clone *, int, caddr_t); -void pfsync_clone_destroy(struct ifnet *); -#else -int pfsync_clone_create(struct if_clone *, int); -int pfsync_clone_destroy(struct ifnet *); -#endif -int pfsync_alloc_scrub_memory(struct pfsync_state_peer *, - struct pf_state_peer *); -void pfsync_update_net_tdb(struct pfsync_tdb *); -int pfsyncoutput(struct ifnet *, struct mbuf *, struct sockaddr *, -#ifdef __FreeBSD__ - struct route *); -#else - struct rtentry *); -#endif -int pfsyncioctl(struct ifnet *, u_long, caddr_t); -void pfsyncstart(struct ifnet *); - -struct mbuf *pfsync_if_dequeue(struct ifnet *); - -void pfsync_deferred(struct pf_state *, int); -void pfsync_undefer(struct pfsync_deferral *, int); -void pfsync_defer_tmo(void *); - -void pfsync_request_update(u_int32_t, u_int64_t); -void pfsync_update_state_req(struct pf_state *); - -void pfsync_drop(struct pfsync_softc *); -void pfsync_sendout(void); -void pfsync_send_plus(void *, size_t); -void pfsync_timeout(void *); -void pfsync_tdb_timeout(void *); - -void pfsync_bulk_start(void); -void pfsync_bulk_status(u_int8_t); -void pfsync_bulk_update(void *); -void pfsync_bulk_fail(void *); - -#ifdef __FreeBSD__ -/* XXX: ugly */ -#define betoh64 (unsigned long long)be64toh -#define timeout_del callout_stop -#endif - -#define PFSYNC_MAX_BULKTRIES 12 -#ifndef __FreeBSD__ -int pfsync_sync_ok; -#endif - -#ifdef __FreeBSD__ -VNET_DEFINE(struct ifc_simple_data, pfsync_cloner_data); -VNET_DEFINE(struct if_clone, pfsync_cloner); -#define V_pfsync_cloner_data VNET(pfsync_cloner_data) -#define V_pfsync_cloner VNET(pfsync_cloner) -IFC_SIMPLE_DECLARE(pfsync, 1); -#else -struct if_clone pfsync_cloner = - IF_CLONE_INITIALIZER("pfsync", pfsync_clone_create, pfsync_clone_destroy); -#endif - -void -pfsyncattach(int npfsync) -{ - if_clone_attach(&pfsync_cloner); -} -int -#ifdef __FreeBSD__ -pfsync_clone_create(struct if_clone *ifc, int unit, caddr_t param) -#else -pfsync_clone_create(struct if_clone *ifc, int unit) -#endif -{ - struct pfsync_softc *sc; - struct ifnet *ifp; - int q; - - if (unit != 0) - return (EINVAL); - -#ifdef __FreeBSD__ - sc = malloc(sizeof(struct pfsync_softc), M_PFSYNC, M_WAITOK | M_ZERO); - sc->pfsync_sync_ok = 1; -#else - pfsync_sync_ok = 1; - sc = malloc(sizeof(*pfsyncif), M_DEVBUF, M_NOWAIT | M_ZERO); -#endif - - for (q = 0; q < PFSYNC_S_COUNT; q++) - TAILQ_INIT(&sc->sc_qs[q]); - -#ifdef __FreeBSD__ - sc->sc_pool = uma_zcreate("pfsync", PFSYNC_PLSIZE, NULL, NULL, NULL, - NULL, UMA_ALIGN_PTR, 0); -#else - pool_init(&sc->sc_pool, PFSYNC_PLSIZE, 0, 0, 0, "pfsync", NULL); -#endif - TAILQ_INIT(&sc->sc_upd_req_list); - TAILQ_INIT(&sc->sc_deferrals); - sc->sc_deferred = 0; - - TAILQ_INIT(&sc->sc_tdb_q); - - sc->sc_len = PFSYNC_MINPKT; - sc->sc_maxupdates = 128; - -#ifndef __FreeBSD__ - sc->sc_imo.imo_membership = (struct in_multi **)malloc( - (sizeof(struct in_multi *) * IP_MIN_MEMBERSHIPS), M_IPMOPTS, - M_WAITOK | M_ZERO); - sc->sc_imo.imo_max_memberships = IP_MIN_MEMBERSHIPS; -#endif - -#ifdef __FreeBSD__ - ifp = sc->sc_ifp = if_alloc(IFT_PFSYNC); - if (ifp == NULL) { - uma_zdestroy(sc->sc_pool); - free(sc, M_PFSYNC); - return (ENOSPC); - } - if_initname(ifp, ifc->ifc_name, unit); -#else - ifp = &sc->sc_if; - snprintf(ifp->if_xname, sizeof ifp->if_xname, "pfsync%d", unit); -#endif - ifp->if_softc = sc; - ifp->if_ioctl = pfsyncioctl; - ifp->if_output = pfsyncoutput; - ifp->if_start = pfsyncstart; - ifp->if_type = IFT_PFSYNC; - ifp->if_snd.ifq_maxlen = ifqmaxlen; - ifp->if_hdrlen = sizeof(struct pfsync_header); - ifp->if_mtu = ETHERMTU; -#ifdef __FreeBSD__ - callout_init(&sc->sc_tmo, CALLOUT_MPSAFE); - callout_init_mtx(&sc->sc_bulk_tmo, &pf_task_mtx, 0); - callout_init(&sc->sc_bulkfail_tmo, CALLOUT_MPSAFE); -#else - timeout_set(&sc->sc_tmo, pfsync_timeout, sc); - timeout_set(&sc->sc_bulk_tmo, pfsync_bulk_update, sc); - timeout_set(&sc->sc_bulkfail_tmo, pfsync_bulk_fail, sc); -#endif - - if_attach(ifp); -#ifndef __FreeBSD__ - if_alloc_sadl(ifp); - -#if NCARP > 0 - if_addgroup(ifp, "carp"); -#endif -#endif - -#if NBPFILTER > 0 -#ifdef __FreeBSD__ - bpfattach(ifp, DLT_PFSYNC, PFSYNC_HDRLEN); -#else - bpfattach(&sc->sc_if.if_bpf, ifp, DLT_PFSYNC, PFSYNC_HDRLEN); -#endif -#endif - -#ifdef __FreeBSD__ - V_pfsyncif = sc; -#else - pfsyncif = sc; -#endif - - return (0); -} - -#ifdef __FreeBSD__ -void -#else -int -#endif -pfsync_clone_destroy(struct ifnet *ifp) -{ - struct pfsync_softc *sc = ifp->if_softc; - -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - timeout_del(&sc->sc_bulkfail_tmo); - timeout_del(&sc->sc_bulk_tmo); - timeout_del(&sc->sc_tmo); -#ifdef __FreeBSD__ - PF_UNLOCK(); - if (!sc->pfsync_sync_ok && carp_demote_adj_p) - (*carp_demote_adj_p)(-V_pfsync_carp_adj, "pfsync destroy"); -#else -#if NCARP > 0 - if (!pfsync_sync_ok) - carp_group_demote_adj(&sc->sc_if, -1); -#endif -#endif -#if NBPFILTER > 0 - bpfdetach(ifp); -#endif - if_detach(ifp); - - pfsync_drop(sc); - - while (sc->sc_deferred > 0) - pfsync_undefer(TAILQ_FIRST(&sc->sc_deferrals), 0); - -#ifdef __FreeBSD__ - UMA_DESTROY(sc->sc_pool); -#else - pool_destroy(&sc->sc_pool); -#endif -#ifdef __FreeBSD__ - if_free(ifp); - if (sc->sc_imo.imo_membership) - pfsync_multicast_cleanup(sc); - free(sc, M_PFSYNC); -#else - free(sc->sc_imo.imo_membership, M_IPMOPTS); - free(sc, M_DEVBUF); -#endif - -#ifdef __FreeBSD__ - V_pfsyncif = NULL; -#else - pfsyncif = NULL; -#endif - -#ifndef __FreeBSD__ - return (0); -#endif -} - -struct mbuf * -pfsync_if_dequeue(struct ifnet *ifp) -{ - struct mbuf *m; -#ifndef __FreeBSD__ - int s; -#endif - -#ifdef __FreeBSD__ - IF_LOCK(&ifp->if_snd); - _IF_DROP(&ifp->if_snd); - _IF_DEQUEUE(&ifp->if_snd, m); - IF_UNLOCK(&ifp->if_snd); -#else - s = splnet(); - IF_DEQUEUE(&ifp->if_snd, m); - splx(s); -#endif - - return (m); -} - -/* - * Start output on the pfsync interface. - */ -void -pfsyncstart(struct ifnet *ifp) -{ - struct mbuf *m; - - while ((m = pfsync_if_dequeue(ifp)) != NULL) { -#ifndef __FreeBSD__ - IF_DROP(&ifp->if_snd); -#endif - m_freem(m); - } -} - -int -pfsync_alloc_scrub_memory(struct pfsync_state_peer *s, - struct pf_state_peer *d) -{ - if (s->scrub.scrub_flag && d->scrub == NULL) { -#ifdef __FreeBSD__ - d->scrub = pool_get(&V_pf_state_scrub_pl, PR_NOWAIT | PR_ZERO); -#else - d->scrub = pool_get(&pf_state_scrub_pl, PR_NOWAIT | PR_ZERO); -#endif - if (d->scrub == NULL) - return (ENOMEM); - } - - return (0); -} - -#ifndef __FreeBSD__ -void -pfsync_state_export(struct pfsync_state *sp, struct pf_state *st) -{ - bzero(sp, sizeof(struct pfsync_state)); - - /* copy from state key */ - sp->key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0]; - sp->key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1]; - sp->key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0]; - sp->key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1]; - sp->key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0]; - sp->key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1]; - sp->key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0]; - sp->key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1]; - sp->proto = st->key[PF_SK_WIRE]->proto; - sp->af = st->key[PF_SK_WIRE]->af; - - /* copy from state */ - strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname)); - bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr)); - sp->creation = htonl(time_uptime - st->creation); - sp->expire = pf_state_expires(st); - if (sp->expire <= time_second) - sp->expire = htonl(0); - else - sp->expire = htonl(sp->expire - time_second); - - sp->direction = st->direction; - sp->log = st->log; - sp->timeout = st->timeout; - sp->state_flags = st->state_flags; - if (st->src_node) - sp->sync_flags |= PFSYNC_FLAG_SRCNODE; - if (st->nat_src_node) - sp->sync_flags |= PFSYNC_FLAG_NATSRCNODE; - - bcopy(&st->id, &sp->id, sizeof(sp->id)); - sp->creatorid = st->creatorid; - pf_state_peer_hton(&st->src, &sp->src); - pf_state_peer_hton(&st->dst, &sp->dst); - - if (st->rule.ptr == NULL) - sp->rule = htonl(-1); - else - sp->rule = htonl(st->rule.ptr->nr); - if (st->anchor.ptr == NULL) - sp->anchor = htonl(-1); - else - sp->anchor = htonl(st->anchor.ptr->nr); - if (st->nat_rule.ptr == NULL) - sp->nat_rule = htonl(-1); - else - sp->nat_rule = htonl(st->nat_rule.ptr->nr); - - pf_state_counter_hton(st->packets[0], sp->packets[0]); - pf_state_counter_hton(st->packets[1], sp->packets[1]); - pf_state_counter_hton(st->bytes[0], sp->bytes[0]); - pf_state_counter_hton(st->bytes[1], sp->bytes[1]); - -} -#endif - -int -pfsync_state_import(struct pfsync_state *sp, u_int8_t flags) -{ - struct pf_state *st = NULL; - struct pf_state_key *skw = NULL, *sks = NULL; - struct pf_rule *r = NULL; - struct pfi_kif *kif; - int pool_flags; - int error; - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); - - if (sp->creatorid == 0 && V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (sp->creatorid == 0 && pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pfsync_state_import: invalid creator id:" - " %08x\n", ntohl(sp->creatorid)); - return (EINVAL); - } - - if ((kif = pfi_kif_get(sp->ifname)) == NULL) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("pfsync_state_import: " - "unknown interface: %s\n", sp->ifname); - if (flags & PFSYNC_SI_IOCTL) - return (EINVAL); - return (0); /* skip this state */ - } - - /* - * If the ruleset checksums match or the state is coming from the ioctl, - * it's safe to associate the state with the rule of that number. - */ - if (sp->rule != htonl(-1) && sp->anchor == htonl(-1) && - (flags & (PFSYNC_SI_IOCTL | PFSYNC_SI_CKSUM)) && ntohl(sp->rule) < - pf_main_ruleset.rules[PF_RULESET_FILTER].active.rcount) - r = pf_main_ruleset.rules[ - PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)]; - else -#ifdef __FreeBSD__ - r = &V_pf_default_rule; -#else - r = &pf_default_rule; -#endif - - if ((r->max_states && r->states_cur >= r->max_states)) - goto cleanup; - -#ifdef __FreeBSD__ - if (flags & PFSYNC_SI_IOCTL) - pool_flags = PR_WAITOK | PR_ZERO; - else - pool_flags = PR_NOWAIT | PR_ZERO; - - if ((st = pool_get(&V_pf_state_pl, pool_flags)) == NULL) - goto cleanup; -#else - if (flags & PFSYNC_SI_IOCTL) - pool_flags = PR_WAITOK | PR_LIMITFAIL | PR_ZERO; - else - pool_flags = PR_LIMITFAIL | PR_ZERO; - - if ((st = pool_get(&pf_state_pl, pool_flags)) == NULL) - goto cleanup; -#endif - - if ((skw = pf_alloc_state_key(pool_flags)) == NULL) - goto cleanup; - - if (PF_ANEQ(&sp->key[PF_SK_WIRE].addr[0], - &sp->key[PF_SK_STACK].addr[0], sp->af) || - PF_ANEQ(&sp->key[PF_SK_WIRE].addr[1], - &sp->key[PF_SK_STACK].addr[1], sp->af) || - sp->key[PF_SK_WIRE].port[0] != sp->key[PF_SK_STACK].port[0] || - sp->key[PF_SK_WIRE].port[1] != sp->key[PF_SK_STACK].port[1]) { - if ((sks = pf_alloc_state_key(pool_flags)) == NULL) - goto cleanup; - } else - sks = skw; - - /* allocate memory for scrub info */ - if (pfsync_alloc_scrub_memory(&sp->src, &st->src) || - pfsync_alloc_scrub_memory(&sp->dst, &st->dst)) - goto cleanup; - - /* copy to state key(s) */ - skw->addr[0] = sp->key[PF_SK_WIRE].addr[0]; - skw->addr[1] = sp->key[PF_SK_WIRE].addr[1]; - skw->port[0] = sp->key[PF_SK_WIRE].port[0]; - skw->port[1] = sp->key[PF_SK_WIRE].port[1]; - skw->proto = sp->proto; - skw->af = sp->af; - if (sks != skw) { - sks->addr[0] = sp->key[PF_SK_STACK].addr[0]; - sks->addr[1] = sp->key[PF_SK_STACK].addr[1]; - sks->port[0] = sp->key[PF_SK_STACK].port[0]; - sks->port[1] = sp->key[PF_SK_STACK].port[1]; - sks->proto = sp->proto; - sks->af = sp->af; - } - - /* copy to state */ - bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr)); - st->creation = time_uptime - ntohl(sp->creation); - st->expire = time_second; - if (sp->expire) { - uint32_t timeout; - - timeout = r->timeout[sp->timeout]; - if (!timeout) -#ifdef __FreeBSD__ - timeout = V_pf_default_rule.timeout[sp->timeout]; -#else - timeout = pf_default_rule.timeout[sp->timeout]; -#endif - - /* sp->expire may have been adaptively scaled by export. */ - st->expire -= timeout - ntohl(sp->expire); - } - - st->direction = sp->direction; - st->log = sp->log; - st->timeout = sp->timeout; - st->state_flags = sp->state_flags; - - bcopy(sp->id, &st->id, sizeof(st->id)); - st->creatorid = sp->creatorid; - pf_state_peer_ntoh(&sp->src, &st->src); - pf_state_peer_ntoh(&sp->dst, &st->dst); - - st->rule.ptr = r; - st->nat_rule.ptr = NULL; - st->anchor.ptr = NULL; - st->rt_kif = NULL; - - st->pfsync_time = time_uptime; - st->sync_state = PFSYNC_S_NONE; - - /* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */ - r->states_cur++; - r->states_tot++; - - if (!ISSET(flags, PFSYNC_SI_IOCTL)) - SET(st->state_flags, PFSTATE_NOSYNC); - - if ((error = pf_state_insert(kif, skw, sks, st)) != 0) { - /* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */ - r->states_cur--; - goto cleanup_state; - } - - if (!ISSET(flags, PFSYNC_SI_IOCTL)) { - CLR(st->state_flags, PFSTATE_NOSYNC); - if (ISSET(st->state_flags, PFSTATE_ACK)) { - pfsync_q_ins(st, PFSYNC_S_IACK); - schednetisr(NETISR_PFSYNC); - } - } - CLR(st->state_flags, PFSTATE_ACK); - - return (0); - -cleanup: - error = ENOMEM; - if (skw == sks) - sks = NULL; -#ifdef __FreeBSD__ - if (skw != NULL) - pool_put(&V_pf_state_key_pl, skw); - if (sks != NULL) - pool_put(&V_pf_state_key_pl, sks); -#else - if (skw != NULL) - pool_put(&pf_state_key_pl, skw); - if (sks != NULL) - pool_put(&pf_state_key_pl, sks); -#endif - -cleanup_state: /* pf_state_insert frees the state keys */ - if (st) { -#ifdef __FreeBSD__ - if (st->dst.scrub) - pool_put(&V_pf_state_scrub_pl, st->dst.scrub); - if (st->src.scrub) - pool_put(&V_pf_state_scrub_pl, st->src.scrub); - pool_put(&V_pf_state_pl, st); -#else - if (st->dst.scrub) - pool_put(&pf_state_scrub_pl, st->dst.scrub); - if (st->src.scrub) - pool_put(&pf_state_scrub_pl, st->src.scrub); - pool_put(&pf_state_pl, st); -#endif - } - return (error); -} - -void -#ifdef __FreeBSD__ -pfsync_input(struct mbuf *m, __unused int off) -#else -pfsync_input(struct mbuf *m, ...) -#endif -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - struct pfsync_pkt pkt; - struct ip *ip = mtod(m, struct ip *); - struct pfsync_header *ph; - struct pfsync_subheader subh; - - int offset; - int rv; - - V_pfsyncstats.pfsyncs_ipackets++; - - /* verify that we have a sync interface configured */ -#ifdef __FreeBSD__ - if (!sc || !sc->sc_sync_if || !V_pf_status.running) -#else - if (!sc || !sc->sc_sync_if || !pf_status.running) -#endif - goto done; - - /* verify that the packet came in on the right interface */ - if (sc->sc_sync_if != m->m_pkthdr.rcvif) { - V_pfsyncstats.pfsyncs_badif++; - goto done; - } - -#ifdef __FreeBSD__ - sc->sc_ifp->if_ipackets++; - sc->sc_ifp->if_ibytes += m->m_pkthdr.len; -#else - sc->sc_if.if_ipackets++; - sc->sc_if.if_ibytes += m->m_pkthdr.len; -#endif - /* verify that the IP TTL is 255. */ - if (ip->ip_ttl != PFSYNC_DFLTTL) { - V_pfsyncstats.pfsyncs_badttl++; - goto done; - } - - offset = ip->ip_hl << 2; - if (m->m_pkthdr.len < offset + sizeof(*ph)) { - V_pfsyncstats.pfsyncs_hdrops++; - goto done; - } - - if (offset + sizeof(*ph) > m->m_len) { - if (m_pullup(m, offset + sizeof(*ph)) == NULL) { - V_pfsyncstats.pfsyncs_hdrops++; - return; - } - ip = mtod(m, struct ip *); - } - ph = (struct pfsync_header *)((char *)ip + offset); - - /* verify the version */ - if (ph->version != PFSYNC_VERSION) { - V_pfsyncstats.pfsyncs_badver++; - goto done; - } - -#if 0 - if (pfsync_input_hmac(m, offset) != 0) { - /* XXX stats */ - goto done; - } -#endif - - /* Cheaper to grab this now than having to mess with mbufs later */ - pkt.ip = ip; - pkt.src = ip->ip_src; - pkt.flags = 0; - -#ifdef __FreeBSD__ - if (!bcmp(&ph->pfcksum, &V_pf_status.pf_chksum, PF_MD5_DIGEST_LENGTH)) -#else - if (!bcmp(&ph->pfcksum, &pf_status.pf_chksum, PF_MD5_DIGEST_LENGTH)) -#endif - pkt.flags |= PFSYNC_SI_CKSUM; - - offset += sizeof(*ph); - for (;;) { - m_copydata(m, offset, sizeof(subh), (caddr_t)&subh); - offset += sizeof(subh); - - if (subh.action >= PFSYNC_ACT_MAX) { - V_pfsyncstats.pfsyncs_badact++; - goto done; - } - - rv = (*pfsync_acts[subh.action])(&pkt, m, offset, - ntohs(subh.count)); - if (rv == -1) - return; - - offset += rv; - } - -done: - m_freem(m); -} - -int -pfsync_in_clr(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - struct pfsync_clr *clr; - struct mbuf *mp; - int len = sizeof(*clr) * count; - int i, offp; - - struct pf_state *st, *nexts; - struct pf_state_key *sk, *nextsk; - struct pf_state_item *si; - u_int32_t creatorid; - int s; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - clr = (struct pfsync_clr *)(mp->m_data + offp); - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) { - creatorid = clr[i].creatorid; - - if (clr[i].ifname[0] == '\0') { -#ifdef __FreeBSD__ - for (st = RB_MIN(pf_state_tree_id, &V_tree_id); - st; st = nexts) { - nexts = RB_NEXT(pf_state_tree_id, &V_tree_id, st); -#else - for (st = RB_MIN(pf_state_tree_id, &tree_id); - st; st = nexts) { - nexts = RB_NEXT(pf_state_tree_id, &tree_id, st); -#endif - if (st->creatorid == creatorid) { - SET(st->state_flags, PFSTATE_NOSYNC); - pf_unlink_state(st); - } - } - } else { - if (pfi_kif_get(clr[i].ifname) == NULL) - continue; - - /* XXX correct? */ -#ifdef __FreeBSD__ - for (sk = RB_MIN(pf_state_tree, &V_pf_statetbl); -#else - for (sk = RB_MIN(pf_state_tree, &pf_statetbl); -#endif - sk; sk = nextsk) { - nextsk = RB_NEXT(pf_state_tree, -#ifdef __FreeBSD__ - &V_pf_statetbl, sk); -#else - &pf_statetbl, sk); -#endif - TAILQ_FOREACH(si, &sk->states, entry) { - if (si->s->creatorid == creatorid) { - SET(si->s->state_flags, - PFSTATE_NOSYNC); - pf_unlink_state(si->s); - } - } - } - } - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - - return (len); -} - -int -pfsync_in_ins(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - struct mbuf *mp; - struct pfsync_state *sa, *sp; - int len = sizeof(*sp) * count; - int i, offp; - - int s; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - sa = (struct pfsync_state *)(mp->m_data + offp); - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) { - sp = &sa[i]; - - /* check for invalid values */ - if (sp->timeout >= PFTM_MAX || - sp->src.state > PF_TCPS_PROXY_DST || - sp->dst.state > PF_TCPS_PROXY_DST || - sp->direction > PF_OUT || - (sp->af != AF_INET && sp->af != AF_INET6)) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pfsync_input: PFSYNC5_ACT_INS: " - "invalid value\n"); - } - V_pfsyncstats.pfsyncs_badval++; - continue; - } - - if (pfsync_state_import(sp, pkt->flags) == ENOMEM) { - /* drop out, but process the rest of the actions */ - break; - } - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - - return (len); -} - -int -pfsync_in_iack(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - struct pfsync_ins_ack *ia, *iaa; - struct pf_state_cmp id_key; - struct pf_state *st; - - struct mbuf *mp; - int len = count * sizeof(*ia); - int offp, i; - int s; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - iaa = (struct pfsync_ins_ack *)(mp->m_data + offp); - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) { - ia = &iaa[i]; - - bcopy(&ia->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = ia->creatorid; - - st = pf_find_state_byid(&id_key); - if (st == NULL) - continue; - - if (ISSET(st->state_flags, PFSTATE_ACK)) - pfsync_deferred(st, 0); - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - /* - * XXX this is not yet implemented, but we know the size of the - * message so we can skip it. - */ - - return (count * sizeof(struct pfsync_ins_ack)); -} - -int -pfsync_upd_tcp(struct pf_state *st, struct pfsync_state_peer *src, - struct pfsync_state_peer *dst) -{ - int sfail = 0; - - /* - * The state should never go backwards except - * for syn-proxy states. Neither should the - * sequence window slide backwards. - */ - if (st->src.state > src->state && - (st->src.state < PF_TCPS_PROXY_SRC || - src->state >= PF_TCPS_PROXY_SRC)) - sfail = 1; - else if (SEQ_GT(st->src.seqlo, ntohl(src->seqlo))) - sfail = 3; - else if (st->dst.state > dst->state) { - /* There might still be useful - * information about the src state here, - * so import that part of the update, - * then "fail" so we send the updated - * state back to the peer who is missing - * our what we know. */ - pf_state_peer_ntoh(src, &st->src); - /* XXX do anything with timeouts? */ - sfail = 7; - } else if (st->dst.state >= TCPS_SYN_SENT && - SEQ_GT(st->dst.seqlo, ntohl(dst->seqlo))) - sfail = 4; - - return (sfail); -} - -int -pfsync_in_upd(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - struct pfsync_state *sa, *sp; - struct pf_state_cmp id_key; - struct pf_state_key *sk; - struct pf_state *st; - int sfail; - - struct mbuf *mp; - int len = count * sizeof(*sp); - int offp, i; - int s; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - sa = (struct pfsync_state *)(mp->m_data + offp); - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) { - sp = &sa[i]; - - /* check for invalid values */ - if (sp->timeout >= PFTM_MAX || - sp->src.state > PF_TCPS_PROXY_DST || - sp->dst.state > PF_TCPS_PROXY_DST) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pfsync_input: PFSYNC_ACT_UPD: " - "invalid value\n"); - } - V_pfsyncstats.pfsyncs_badval++; - continue; - } - - bcopy(sp->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = sp->creatorid; - - st = pf_find_state_byid(&id_key); - if (st == NULL) { - /* insert the update */ - if (pfsync_state_import(sp, 0)) - V_pfsyncstats.pfsyncs_badstate++; - continue; - } - - if (ISSET(st->state_flags, PFSTATE_ACK)) - pfsync_deferred(st, 1); - - sk = st->key[PF_SK_WIRE]; /* XXX right one? */ - sfail = 0; - if (sk->proto == IPPROTO_TCP) - sfail = pfsync_upd_tcp(st, &sp->src, &sp->dst); - else { - /* - * Non-TCP protocol state machine always go - * forwards - */ - if (st->src.state > sp->src.state) - sfail = 5; - else if (st->dst.state > sp->dst.state) - sfail = 6; - } - - if (sfail) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pfsync: %s stale update (%d)" - " id: %016llx creatorid: %08x\n", - (sfail < 7 ? "ignoring" : "partial"), - sfail, betoh64(st->id), - ntohl(st->creatorid)); - } - V_pfsyncstats.pfsyncs_stale++; - - pfsync_update_state(st); - schednetisr(NETISR_PFSYNC); - continue; - } - pfsync_alloc_scrub_memory(&sp->dst, &st->dst); - pf_state_peer_ntoh(&sp->src, &st->src); - pf_state_peer_ntoh(&sp->dst, &st->dst); - st->expire = time_second; - st->timeout = sp->timeout; - st->pfsync_time = time_uptime; - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - - return (len); -} - -int -pfsync_in_upd_c(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - struct pfsync_upd_c *ua, *up; - struct pf_state_key *sk; - struct pf_state_cmp id_key; - struct pf_state *st; - - int len = count * sizeof(*up); - int sfail; - - struct mbuf *mp; - int offp, i; - int s; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - ua = (struct pfsync_upd_c *)(mp->m_data + offp); - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) { - up = &ua[i]; - - /* check for invalid values */ - if (up->timeout >= PFTM_MAX || - up->src.state > PF_TCPS_PROXY_DST || - up->dst.state > PF_TCPS_PROXY_DST) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pfsync_input: " - "PFSYNC_ACT_UPD_C: " - "invalid value\n"); - } - V_pfsyncstats.pfsyncs_badval++; - continue; - } - - bcopy(&up->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = up->creatorid; - - st = pf_find_state_byid(&id_key); - if (st == NULL) { - /* We don't have this state. Ask for it. */ - pfsync_request_update(id_key.creatorid, id_key.id); - continue; - } - - if (ISSET(st->state_flags, PFSTATE_ACK)) - pfsync_deferred(st, 1); - - sk = st->key[PF_SK_WIRE]; /* XXX right one? */ - sfail = 0; - if (sk->proto == IPPROTO_TCP) - sfail = pfsync_upd_tcp(st, &up->src, &up->dst); - else { - /* - * Non-TCP protocol state machine always go forwards - */ - if (st->src.state > up->src.state) - sfail = 5; - else if (st->dst.state > up->dst.state) - sfail = 6; - } - - if (sfail) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pfsync: ignoring stale update " - "(%d) id: %016llx " - "creatorid: %08x\n", sfail, - betoh64(st->id), - ntohl(st->creatorid)); - } - V_pfsyncstats.pfsyncs_stale++; - - pfsync_update_state(st); - schednetisr(NETISR_PFSYNC); - continue; - } - pfsync_alloc_scrub_memory(&up->dst, &st->dst); - pf_state_peer_ntoh(&up->src, &st->src); - pf_state_peer_ntoh(&up->dst, &st->dst); - st->expire = time_second; - st->timeout = up->timeout; - st->pfsync_time = time_uptime; - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - - return (len); -} - -int -pfsync_in_ureq(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - struct pfsync_upd_req *ur, *ura; - struct mbuf *mp; - int len = count * sizeof(*ur); - int i, offp; - - struct pf_state_cmp id_key; - struct pf_state *st; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - ura = (struct pfsync_upd_req *)(mp->m_data + offp); - -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) { - ur = &ura[i]; - - bcopy(&ur->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = ur->creatorid; - - if (id_key.id == 0 && id_key.creatorid == 0) - pfsync_bulk_start(); - else { - st = pf_find_state_byid(&id_key); - if (st == NULL) { - V_pfsyncstats.pfsyncs_badstate++; - continue; - } - if (ISSET(st->state_flags, PFSTATE_NOSYNC)) - continue; - - pfsync_update_state_req(st); - } - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - - return (len); -} - -int -pfsync_in_del(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - struct mbuf *mp; - struct pfsync_state *sa, *sp; - struct pf_state_cmp id_key; - struct pf_state *st; - int len = count * sizeof(*sp); - int offp, i; - int s; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - sa = (struct pfsync_state *)(mp->m_data + offp); - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) { - sp = &sa[i]; - - bcopy(sp->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = sp->creatorid; - - st = pf_find_state_byid(&id_key); - if (st == NULL) { - V_pfsyncstats.pfsyncs_badstate++; - continue; - } - SET(st->state_flags, PFSTATE_NOSYNC); - pf_unlink_state(st); - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - - return (len); -} - -int -pfsync_in_del_c(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - struct mbuf *mp; - struct pfsync_del_c *sa, *sp; - struct pf_state_cmp id_key; - struct pf_state *st; - int len = count * sizeof(*sp); - int offp, i; - int s; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - sa = (struct pfsync_del_c *)(mp->m_data + offp); - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) { - sp = &sa[i]; - - bcopy(&sp->id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = sp->creatorid; - - st = pf_find_state_byid(&id_key); - if (st == NULL) { - V_pfsyncstats.pfsyncs_badstate++; - continue; - } - - SET(st->state_flags, PFSTATE_NOSYNC); - pf_unlink_state(st); - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - - return (len); -} - -int -pfsync_in_bus(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - struct pfsync_bus *bus; - struct mbuf *mp; - int len = count * sizeof(*bus); - int offp; - - /* If we're not waiting for a bulk update, who cares. */ - if (sc->sc_ureq_sent == 0) - return (len); - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - bus = (struct pfsync_bus *)(mp->m_data + offp); - - switch (bus->status) { - case PFSYNC_BUS_START: -#ifdef __FreeBSD__ - callout_reset(&sc->sc_bulkfail_tmo, 4 * hz + - V_pf_pool_limits[PF_LIMIT_STATES].limit / - ((sc->sc_ifp->if_mtu - PFSYNC_MINPKT) / - sizeof(struct pfsync_state)), - pfsync_bulk_fail, V_pfsyncif); -#else - timeout_add(&sc->sc_bulkfail_tmo, 4 * hz + - pf_pool_limits[PF_LIMIT_STATES].limit / - ((sc->sc_if.if_mtu - PFSYNC_MINPKT) / - sizeof(struct pfsync_state))); -#endif -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("pfsync: received bulk update start\n"); - break; - - case PFSYNC_BUS_END: - if (time_uptime - ntohl(bus->endtime) >= - sc->sc_ureq_sent) { - /* that's it, we're happy */ - sc->sc_ureq_sent = 0; - sc->sc_bulk_tries = 0; - timeout_del(&sc->sc_bulkfail_tmo); -#ifdef __FreeBSD__ - if (!sc->pfsync_sync_ok && carp_demote_adj_p) - (*carp_demote_adj_p)(-V_pfsync_carp_adj, - "pfsync bulk done"); - sc->pfsync_sync_ok = 1; -#else -#if NCARP > 0 - if (!pfsync_sync_ok) - carp_group_demote_adj(&sc->sc_if, -1); -#endif - pfsync_sync_ok = 1; -#endif -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("pfsync: received valid " - "bulk update end\n"); - } else { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("pfsync: received invalid " - "bulk update end: bad timestamp\n"); - } - break; - } - - return (len); -} - -int -pfsync_in_tdb(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - int len = count * sizeof(struct pfsync_tdb); - -#if defined(IPSEC) - struct pfsync_tdb *tp; - struct mbuf *mp; - int offp; - int i; - int s; - - mp = m_pulldown(m, offset, len, &offp); - if (mp == NULL) { - V_pfsyncstats.pfsyncs_badlen++; - return (-1); - } - tp = (struct pfsync_tdb *)(mp->m_data + offp); - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < count; i++) - pfsync_update_net_tdb(&tp[i]); -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); -#endif - - return (len); -} - -#if defined(IPSEC) -/* Update an in-kernel tdb. Silently fail if no tdb is found. */ -void -pfsync_update_net_tdb(struct pfsync_tdb *pt) -{ - struct tdb *tdb; - int s; - - /* check for invalid values */ - if (ntohl(pt->spi) <= SPI_RESERVED_MAX || - (pt->dst.sa.sa_family != AF_INET && - pt->dst.sa.sa_family != AF_INET6)) - goto bad; - - s = spltdb(); - tdb = gettdb(pt->spi, &pt->dst, pt->sproto); - if (tdb) { - pt->rpl = ntohl(pt->rpl); - pt->cur_bytes = betoh64(pt->cur_bytes); - - /* Neither replay nor byte counter should ever decrease. */ - if (pt->rpl < tdb->tdb_rpl || - pt->cur_bytes < tdb->tdb_cur_bytes) { - splx(s); - goto bad; - } - - tdb->tdb_rpl = pt->rpl; - tdb->tdb_cur_bytes = pt->cur_bytes; - } - splx(s); - return; - -bad: -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("pfsync_insert: PFSYNC_ACT_TDB_UPD: " - "invalid value\n"); - V_pfsyncstats.pfsyncs_badstate++; - return; -} -#endif - - -int -pfsync_in_eof(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - /* check if we are at the right place in the packet */ - if (offset != m->m_pkthdr.len - sizeof(struct pfsync_eof)) - V_pfsyncstats.pfsyncs_badact++; - - /* we're done. free and let the caller return */ - m_freem(m); - return (-1); -} - -int -pfsync_in_error(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count) -{ - V_pfsyncstats.pfsyncs_badact++; - - m_freem(m); - return (-1); -} - -int -pfsyncoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, -#ifdef __FreeBSD__ - struct route *rt) -#else - struct rtentry *rt) -#endif -{ - m_freem(m); - return (0); -} - -/* ARGSUSED */ -int -pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) -{ -#ifndef __FreeBSD__ - struct proc *p = curproc; -#endif - struct pfsync_softc *sc = ifp->if_softc; - struct ifreq *ifr = (struct ifreq *)data; - struct ip_moptions *imo = &sc->sc_imo; - struct pfsyncreq pfsyncr; - struct ifnet *sifp; - struct ip *ip; - int s, error; - - switch (cmd) { -#if 0 - case SIOCSIFADDR: - case SIOCAIFADDR: - case SIOCSIFDSTADDR: -#endif - case SIOCSIFFLAGS: -#ifdef __FreeBSD__ - if (ifp->if_flags & IFF_UP) - ifp->if_drv_flags |= IFF_DRV_RUNNING; - else - ifp->if_drv_flags &= ~IFF_DRV_RUNNING; -#else - if (ifp->if_flags & IFF_UP) - ifp->if_flags |= IFF_RUNNING; - else - ifp->if_flags &= ~IFF_RUNNING; -#endif - break; - case SIOCSIFMTU: - if (!sc->sc_sync_if || - ifr->ifr_mtu <= PFSYNC_MINPKT || - ifr->ifr_mtu > sc->sc_sync_if->if_mtu) - return (EINVAL); - if (ifr->ifr_mtu < ifp->if_mtu) { - s = splnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - pfsync_sendout(); -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - } - ifp->if_mtu = ifr->ifr_mtu; - break; - case SIOCGETPFSYNC: - bzero(&pfsyncr, sizeof(pfsyncr)); - if (sc->sc_sync_if) { - strlcpy(pfsyncr.pfsyncr_syncdev, - sc->sc_sync_if->if_xname, IFNAMSIZ); - } - pfsyncr.pfsyncr_syncpeer = sc->sc_sync_peer; - pfsyncr.pfsyncr_maxupdates = sc->sc_maxupdates; - pfsyncr.pfsyncr_defer = sc->sc_defer; - return (copyout(&pfsyncr, ifr->ifr_data, sizeof(pfsyncr))); - - case SIOCSETPFSYNC: -#ifdef __FreeBSD__ - if ((error = priv_check(curthread, PRIV_NETINET_PF)) != 0) -#else - if ((error = suser(p, p->p_acflag)) != 0) -#endif - return (error); - if ((error = copyin(ifr->ifr_data, &pfsyncr, sizeof(pfsyncr)))) - return (error); - -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - if (pfsyncr.pfsyncr_syncpeer.s_addr == 0) -#ifdef __FreeBSD__ - sc->sc_sync_peer.s_addr = htonl(INADDR_PFSYNC_GROUP); -#else - sc->sc_sync_peer.s_addr = INADDR_PFSYNC_GROUP; -#endif - else - sc->sc_sync_peer.s_addr = - pfsyncr.pfsyncr_syncpeer.s_addr; - - if (pfsyncr.pfsyncr_maxupdates > 255) -#ifdef __FreeBSD__ - { - PF_UNLOCK(); -#endif - return (EINVAL); -#ifdef __FreeBSD__ - } -#endif - sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates; - sc->sc_defer = pfsyncr.pfsyncr_defer; - - if (pfsyncr.pfsyncr_syncdev[0] == 0) { - sc->sc_sync_if = NULL; -#ifdef __FreeBSD__ - PF_UNLOCK(); - if (imo->imo_membership) - pfsync_multicast_cleanup(sc); -#else - if (imo->imo_num_memberships > 0) { - in_delmulti(imo->imo_membership[ - --imo->imo_num_memberships]); - imo->imo_multicast_ifp = NULL; - } -#endif - break; - } - -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - if ((sifp = ifunit(pfsyncr.pfsyncr_syncdev)) == NULL) - return (EINVAL); - -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - s = splnet(); -#ifdef __FreeBSD__ - if (sifp->if_mtu < sc->sc_ifp->if_mtu || -#else - if (sifp->if_mtu < sc->sc_if.if_mtu || -#endif - (sc->sc_sync_if != NULL && - sifp->if_mtu < sc->sc_sync_if->if_mtu) || - sifp->if_mtu < MCLBYTES - sizeof(struct ip)) - pfsync_sendout(); - sc->sc_sync_if = sifp; - -#ifdef __FreeBSD__ - if (imo->imo_membership) { - PF_UNLOCK(); - pfsync_multicast_cleanup(sc); - PF_LOCK(); - } -#else - if (imo->imo_num_memberships > 0) { - in_delmulti(imo->imo_membership[--imo->imo_num_memberships]); - imo->imo_multicast_ifp = NULL; - } -#endif - -#ifdef __FreeBSD__ - if (sc->sc_sync_if && - sc->sc_sync_peer.s_addr == htonl(INADDR_PFSYNC_GROUP)) { - PF_UNLOCK(); - error = pfsync_multicast_setup(sc); - if (error) - return (error); - PF_LOCK(); - } -#else - if (sc->sc_sync_if && - sc->sc_sync_peer.s_addr == INADDR_PFSYNC_GROUP) { - struct in_addr addr; - - if (!(sc->sc_sync_if->if_flags & IFF_MULTICAST)) { - sc->sc_sync_if = NULL; - splx(s); - return (EADDRNOTAVAIL); - } - - addr.s_addr = INADDR_PFSYNC_GROUP; - - if ((imo->imo_membership[0] = - in_addmulti(&addr, sc->sc_sync_if)) == NULL) { - sc->sc_sync_if = NULL; - splx(s); - return (ENOBUFS); - } - imo->imo_num_memberships++; - imo->imo_multicast_ifp = sc->sc_sync_if; - imo->imo_multicast_ttl = PFSYNC_DFLTTL; - imo->imo_multicast_loop = 0; - } -#endif /* !__FreeBSD__ */ - - ip = &sc->sc_template; - bzero(ip, sizeof(*ip)); - ip->ip_v = IPVERSION; - ip->ip_hl = sizeof(sc->sc_template) >> 2; - ip->ip_tos = IPTOS_LOWDELAY; - /* len and id are set later */ -#ifdef __FreeBSD__ - ip->ip_off = IP_DF; -#else - ip->ip_off = htons(IP_DF); -#endif - ip->ip_ttl = PFSYNC_DFLTTL; - ip->ip_p = IPPROTO_PFSYNC; - ip->ip_src.s_addr = INADDR_ANY; - ip->ip_dst.s_addr = sc->sc_sync_peer.s_addr; - - if (sc->sc_sync_if) { - /* Request a full state table update. */ - sc->sc_ureq_sent = time_uptime; -#ifdef __FreeBSD__ - if (sc->pfsync_sync_ok && carp_demote_adj_p) - (*carp_demote_adj_p)(V_pfsync_carp_adj, - "pfsync bulk start"); - sc->pfsync_sync_ok = 0; -#else -#if NCARP > 0 - if (pfsync_sync_ok) - carp_group_demote_adj(&sc->sc_if, 1); -#endif - pfsync_sync_ok = 0; -#endif -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("pfsync: requesting bulk update\n"); -#ifdef __FreeBSD__ - callout_reset(&sc->sc_bulkfail_tmo, 5 * hz, - pfsync_bulk_fail, V_pfsyncif); -#else - timeout_add_sec(&sc->sc_bulkfail_tmo, 5); -#endif - pfsync_request_update(0, 0); - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - - break; - - default: - return (ENOTTY); - } - - return (0); -} - -int -pfsync_out_state(struct pf_state *st, struct mbuf *m, int offset) -{ - struct pfsync_state *sp = (struct pfsync_state *)(m->m_data + offset); - - pfsync_state_export(sp, st); - - return (sizeof(*sp)); -} - -int -pfsync_out_iack(struct pf_state *st, struct mbuf *m, int offset) -{ - struct pfsync_ins_ack *iack = - (struct pfsync_ins_ack *)(m->m_data + offset); - - iack->id = st->id; - iack->creatorid = st->creatorid; - - return (sizeof(*iack)); -} - -int -pfsync_out_upd_c(struct pf_state *st, struct mbuf *m, int offset) -{ - struct pfsync_upd_c *up = (struct pfsync_upd_c *)(m->m_data + offset); - - bzero(up, sizeof(*up)); - up->id = st->id; - pf_state_peer_hton(&st->src, &up->src); - pf_state_peer_hton(&st->dst, &up->dst); - up->creatorid = st->creatorid; - up->timeout = st->timeout; - - return (sizeof(*up)); -} - -int -pfsync_out_del(struct pf_state *st, struct mbuf *m, int offset) -{ - struct pfsync_del_c *dp = (struct pfsync_del_c *)(m->m_data + offset); - - dp->id = st->id; - dp->creatorid = st->creatorid; - - SET(st->state_flags, PFSTATE_NOSYNC); - - return (sizeof(*dp)); -} - -void -pfsync_drop(struct pfsync_softc *sc) -{ - struct pf_state *st; - struct pfsync_upd_req_item *ur; -#ifdef notyet - struct tdb *t; -#endif - int q; - - for (q = 0; q < PFSYNC_S_COUNT; q++) { - if (TAILQ_EMPTY(&sc->sc_qs[q])) - continue; - - TAILQ_FOREACH(st, &sc->sc_qs[q], sync_list) { -#ifdef PFSYNC_DEBUG -#ifdef __FreeBSD__ - KASSERT(st->sync_state == q, - ("%s: st->sync_state == q", - __FUNCTION__)); -#else - KASSERT(st->sync_state == q); -#endif -#endif - st->sync_state = PFSYNC_S_NONE; - } - TAILQ_INIT(&sc->sc_qs[q]); - } - - while ((ur = TAILQ_FIRST(&sc->sc_upd_req_list)) != NULL) { - TAILQ_REMOVE(&sc->sc_upd_req_list, ur, ur_entry); - pool_put(&sc->sc_pool, ur); - } - - sc->sc_plus = NULL; - -#ifdef notyet - if (!TAILQ_EMPTY(&sc->sc_tdb_q)) { - TAILQ_FOREACH(t, &sc->sc_tdb_q, tdb_sync_entry) - CLR(t->tdb_flags, TDBF_PFSYNC); - - TAILQ_INIT(&sc->sc_tdb_q); - } -#endif - - sc->sc_len = PFSYNC_MINPKT; -} - -#ifdef __FreeBSD__ -void pfsync_sendout() -{ - pfsync_sendout1(1); -} - -static void -pfsync_sendout1(int schedswi) -{ - struct pfsync_softc *sc = V_pfsyncif; -#else -void -pfsync_sendout(void) -{ - struct pfsync_softc *sc = pfsyncif; -#endif -#if NBPFILTER > 0 -#ifdef __FreeBSD__ - struct ifnet *ifp = sc->sc_ifp; -#else - struct ifnet *ifp = &sc->sc_if; -#endif -#endif - struct mbuf *m; - struct ip *ip; - struct pfsync_header *ph; - struct pfsync_subheader *subh; - struct pf_state *st; - struct pfsync_upd_req_item *ur; -#ifdef notyet - struct tdb *t; -#endif - int offset; - int q, count = 0; - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#else - splassert(IPL_NET); -#endif - - if (sc == NULL || sc->sc_len == PFSYNC_MINPKT) - return; - -#if NBPFILTER > 0 - if (ifp->if_bpf == NULL && sc->sc_sync_if == NULL) { -#else - if (sc->sc_sync_if == NULL) { -#endif - pfsync_drop(sc); - return; - } - -#ifdef __FreeBSD__ - m = m_get2(M_NOWAIT, MT_DATA, M_PKTHDR, max_linkhdr + sc->sc_len); - if (m == NULL) { - sc->sc_ifp->if_oerrors++; - V_pfsyncstats.pfsyncs_onomem++; - return; - } -#else - MGETHDR(m, M_DONTWAIT, MT_DATA); - if (m == NULL) { - sc->sc_if.if_oerrors++; - pfsyncstats.pfsyncs_onomem++; - pfsync_drop(sc); - return; - } - - if (max_linkhdr + sc->sc_len > MHLEN) { - MCLGETI(m, M_DONTWAIT, NULL, max_linkhdr + sc->sc_len); - if (!ISSET(m->m_flags, M_EXT)) { - m_free(m); - sc->sc_if.if_oerrors++; - pfsyncstats.pfsyncs_onomem++; - pfsync_drop(sc); - return; - } - } -#endif - m->m_data += max_linkhdr; - m->m_len = m->m_pkthdr.len = sc->sc_len; - - /* build the ip header */ - ip = (struct ip *)m->m_data; - bcopy(&sc->sc_template, ip, sizeof(*ip)); - offset = sizeof(*ip); - -#ifdef __FreeBSD__ - ip->ip_len = m->m_pkthdr.len; -#else - ip->ip_len = htons(m->m_pkthdr.len); -#endif - ip->ip_id = htons(ip_randomid()); - - /* build the pfsync header */ - ph = (struct pfsync_header *)(m->m_data + offset); - bzero(ph, sizeof(*ph)); - offset += sizeof(*ph); - - ph->version = PFSYNC_VERSION; - ph->len = htons(sc->sc_len - sizeof(*ip)); -#ifdef __FreeBSD__ - bcopy(V_pf_status.pf_chksum, ph->pfcksum, PF_MD5_DIGEST_LENGTH); -#else - bcopy(pf_status.pf_chksum, ph->pfcksum, PF_MD5_DIGEST_LENGTH); -#endif - - /* walk the queues */ - for (q = 0; q < PFSYNC_S_COUNT; q++) { - if (TAILQ_EMPTY(&sc->sc_qs[q])) - continue; - - subh = (struct pfsync_subheader *)(m->m_data + offset); - offset += sizeof(*subh); - - count = 0; - TAILQ_FOREACH(st, &sc->sc_qs[q], sync_list) { -#ifdef PFSYNC_DEBUG -#ifdef __FreeBSD__ - KASSERT(st->sync_state == q, - ("%s: st->sync_state == q", - __FUNCTION__)); -#else - KASSERT(st->sync_state == q); -#endif -#endif - - offset += pfsync_qs[q].write(st, m, offset); - st->sync_state = PFSYNC_S_NONE; - count++; - } - TAILQ_INIT(&sc->sc_qs[q]); - - bzero(subh, sizeof(*subh)); - subh->action = pfsync_qs[q].action; - subh->count = htons(count); - } - - if (!TAILQ_EMPTY(&sc->sc_upd_req_list)) { - subh = (struct pfsync_subheader *)(m->m_data + offset); - offset += sizeof(*subh); - - count = 0; - while ((ur = TAILQ_FIRST(&sc->sc_upd_req_list)) != NULL) { - TAILQ_REMOVE(&sc->sc_upd_req_list, ur, ur_entry); - - bcopy(&ur->ur_msg, m->m_data + offset, - sizeof(ur->ur_msg)); - offset += sizeof(ur->ur_msg); - - pool_put(&sc->sc_pool, ur); - - count++; - } - - bzero(subh, sizeof(*subh)); - subh->action = PFSYNC_ACT_UPD_REQ; - subh->count = htons(count); - } - - /* has someone built a custom region for us to add? */ - if (sc->sc_plus != NULL) { - bcopy(sc->sc_plus, m->m_data + offset, sc->sc_pluslen); - offset += sc->sc_pluslen; - - sc->sc_plus = NULL; - } - -#ifdef notyet - if (!TAILQ_EMPTY(&sc->sc_tdb_q)) { - subh = (struct pfsync_subheader *)(m->m_data + offset); - offset += sizeof(*subh); - - count = 0; - TAILQ_FOREACH(t, &sc->sc_tdb_q, tdb_sync_entry) { - offset += pfsync_out_tdb(t, m, offset); - CLR(t->tdb_flags, TDBF_PFSYNC); - - count++; - } - TAILQ_INIT(&sc->sc_tdb_q); - - bzero(subh, sizeof(*subh)); - subh->action = PFSYNC_ACT_TDB; - subh->count = htons(count); - } -#endif - - subh = (struct pfsync_subheader *)(m->m_data + offset); - offset += sizeof(*subh); - - bzero(subh, sizeof(*subh)); - subh->action = PFSYNC_ACT_EOF; - subh->count = htons(1); - - /* XXX write checksum in EOF here */ - - /* we're done, let's put it on the wire */ -#if NBPFILTER > 0 - if (ifp->if_bpf) { - m->m_data += sizeof(*ip); - m->m_len = m->m_pkthdr.len = sc->sc_len - sizeof(*ip); -#ifdef __FreeBSD__ - BPF_MTAP(ifp, m); -#else - bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_OUT); -#endif - m->m_data -= sizeof(*ip); - m->m_len = m->m_pkthdr.len = sc->sc_len; - } - - if (sc->sc_sync_if == NULL) { - sc->sc_len = PFSYNC_MINPKT; - m_freem(m); - return; - } -#endif - -#ifdef __FreeBSD__ - sc->sc_ifp->if_opackets++; - sc->sc_ifp->if_obytes += m->m_pkthdr.len; - sc->sc_len = PFSYNC_MINPKT; - - if (!_IF_QFULL(&sc->sc_ifp->if_snd)) - _IF_ENQUEUE(&sc->sc_ifp->if_snd, m); - else { - m_freem(m); - sc->sc_ifp->if_snd.ifq_drops++; - } - if (schedswi) - swi_sched(V_pfsync_swi_cookie, 0); -#else - sc->sc_if.if_opackets++; - sc->sc_if.if_obytes += m->m_pkthdr.len; - - if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL) == 0) - pfsyncstats.pfsyncs_opackets++; - else - pfsyncstats.pfsyncs_oerrors++; - - /* start again */ - sc->sc_len = PFSYNC_MINPKT; -#endif -} - -void -pfsync_insert_state(struct pf_state *st) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#else - splassert(IPL_SOFTNET); -#endif - - if (ISSET(st->rule.ptr->rule_flag, PFRULE_NOSYNC) || - st->key[PF_SK_WIRE]->proto == IPPROTO_PFSYNC) { - SET(st->state_flags, PFSTATE_NOSYNC); - return; - } - - if (sc == NULL || ISSET(st->state_flags, PFSTATE_NOSYNC)) - return; - -#ifdef PFSYNC_DEBUG -#ifdef __FreeBSD__ - KASSERT(st->sync_state == PFSYNC_S_NONE, - ("%s: st->sync_state == PFSYNC_S_NONE", __FUNCTION__)); -#else - KASSERT(st->sync_state == PFSYNC_S_NONE); -#endif -#endif - - if (sc->sc_len == PFSYNC_MINPKT) -#ifdef __FreeBSD__ - callout_reset(&sc->sc_tmo, 1 * hz, pfsync_timeout, - V_pfsyncif); -#else - timeout_add_sec(&sc->sc_tmo, 1); -#endif - - pfsync_q_ins(st, PFSYNC_S_INS); - - st->sync_updates = 0; -} - -int defer = 10; - -int -pfsync_defer(struct pf_state *st, struct mbuf *m) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - struct pfsync_deferral *pd; - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#else - splassert(IPL_SOFTNET); -#endif - - if (!sc->sc_defer || m->m_flags & (M_BCAST|M_MCAST)) - return (0); - - if (sc->sc_deferred >= 128) - pfsync_undefer(TAILQ_FIRST(&sc->sc_deferrals), 0); - - pd = pool_get(&sc->sc_pool, M_NOWAIT); - if (pd == NULL) - return (0); - sc->sc_deferred++; - -#ifdef __FreeBSD__ - m->m_flags |= M_SKIP_FIREWALL; -#else - m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; -#endif - SET(st->state_flags, PFSTATE_ACK); - - pd->pd_st = st; - pd->pd_m = m; - - TAILQ_INSERT_TAIL(&sc->sc_deferrals, pd, pd_entry); -#ifdef __FreeBSD__ - callout_init(&pd->pd_tmo, CALLOUT_MPSAFE); - callout_reset(&pd->pd_tmo, defer, pfsync_defer_tmo, - pd); -#else - timeout_set(&pd->pd_tmo, pfsync_defer_tmo, pd); - timeout_add(&pd->pd_tmo, defer); -#endif - - swi_sched(V_pfsync_swi_cookie, 0); - - return (1); -} - -void -pfsync_undefer(struct pfsync_deferral *pd, int drop) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - int s; - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#else - splassert(IPL_SOFTNET); -#endif - - TAILQ_REMOVE(&sc->sc_deferrals, pd, pd_entry); - sc->sc_deferred--; - - CLR(pd->pd_st->state_flags, PFSTATE_ACK); - timeout_del(&pd->pd_tmo); /* bah */ - if (drop) - m_freem(pd->pd_m); - else { - s = splnet(); -#ifdef __FreeBSD__ - /* XXX: use pf_defered?! */ - PF_UNLOCK(); -#endif - ip_output(pd->pd_m, (void *)NULL, (void *)NULL, 0, - (void *)NULL, (void *)NULL); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - splx(s); - } - - pool_put(&sc->sc_pool, pd); -} - -void -pfsync_defer_tmo(void *arg) -{ -#if defined(__FreeBSD__) && defined(VIMAGE) - struct pfsync_deferral *pd = arg; -#endif - int s; - - s = splsoftnet(); -#ifdef __FreeBSD__ - CURVNET_SET(pd->pd_m->m_pkthdr.rcvif->if_vnet); /* XXX */ - PF_LOCK(); -#endif - pfsync_undefer(arg, 0); -#ifdef __FreeBSD__ - PF_UNLOCK(); - CURVNET_RESTORE(); -#endif - splx(s); -} - -void -pfsync_deferred(struct pf_state *st, int drop) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - struct pfsync_deferral *pd; - - TAILQ_FOREACH(pd, &sc->sc_deferrals, pd_entry) { - if (pd->pd_st == st) { - pfsync_undefer(pd, drop); - return; - } - } - - panic("pfsync_send_deferred: unable to find deferred state"); -} - -u_int pfsync_upds = 0; - -void -pfsync_update_state(struct pf_state *st) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - int sync = 0; - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#else - splassert(IPL_SOFTNET); -#endif - - if (sc == NULL) - return; - - if (ISSET(st->state_flags, PFSTATE_ACK)) - pfsync_deferred(st, 0); - if (ISSET(st->state_flags, PFSTATE_NOSYNC)) { - if (st->sync_state != PFSYNC_S_NONE) - pfsync_q_del(st); - return; - } - - if (sc->sc_len == PFSYNC_MINPKT) -#ifdef __FreeBSD__ - callout_reset(&sc->sc_tmo, 1 * hz, pfsync_timeout, - V_pfsyncif); -#else - timeout_add_sec(&sc->sc_tmo, 1); -#endif - - switch (st->sync_state) { - case PFSYNC_S_UPD_C: - case PFSYNC_S_UPD: - case PFSYNC_S_INS: - /* we're already handling it */ - - if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) { - st->sync_updates++; - if (st->sync_updates >= sc->sc_maxupdates) - sync = 1; - } - break; - - case PFSYNC_S_IACK: - pfsync_q_del(st); - case PFSYNC_S_NONE: - pfsync_q_ins(st, PFSYNC_S_UPD_C); - st->sync_updates = 0; - break; - - default: - panic("pfsync_update_state: unexpected sync state %d", - st->sync_state); - } - - if (sync || (time_uptime - st->pfsync_time) < 2) { - pfsync_upds++; - schednetisr(NETISR_PFSYNC); - } -} - -void -pfsync_request_update(u_int32_t creatorid, u_int64_t id) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - struct pfsync_upd_req_item *item; - size_t nlen = sizeof(struct pfsync_upd_req); - int s; - - PF_LOCK_ASSERT(); - - /* - * this code does nothing to prevent multiple update requests for the - * same state being generated. - */ - - item = pool_get(&sc->sc_pool, PR_NOWAIT); - if (item == NULL) { - /* XXX stats */ - return; - } - - item->ur_msg.id = id; - item->ur_msg.creatorid = creatorid; - - if (TAILQ_EMPTY(&sc->sc_upd_req_list)) - nlen += sizeof(struct pfsync_subheader); - -#ifdef __FreeBSD__ - if (sc->sc_len + nlen > sc->sc_ifp->if_mtu) { -#else - if (sc->sc_len + nlen > sc->sc_if.if_mtu) { -#endif - s = splnet(); - pfsync_sendout(); - splx(s); - - nlen = sizeof(struct pfsync_subheader) + - sizeof(struct pfsync_upd_req); - } - - TAILQ_INSERT_TAIL(&sc->sc_upd_req_list, item, ur_entry); - sc->sc_len += nlen; - - schednetisr(NETISR_PFSYNC); -} - -void -pfsync_update_state_req(struct pf_state *st) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - - PF_LOCK_ASSERT(); - - if (sc == NULL) - panic("pfsync_update_state_req: nonexistant instance"); - - if (ISSET(st->state_flags, PFSTATE_NOSYNC)) { - if (st->sync_state != PFSYNC_S_NONE) - pfsync_q_del(st); - return; - } - - switch (st->sync_state) { - case PFSYNC_S_UPD_C: - case PFSYNC_S_IACK: - pfsync_q_del(st); - case PFSYNC_S_NONE: - pfsync_q_ins(st, PFSYNC_S_UPD); - schednetisr(NETISR_PFSYNC); - return; - - case PFSYNC_S_INS: - case PFSYNC_S_UPD: - case PFSYNC_S_DEL: - /* we're already handling it */ - return; - - default: - panic("pfsync_update_state_req: unexpected sync state %d", - st->sync_state); - } -} - -void -pfsync_delete_state(struct pf_state *st) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#else - splassert(IPL_SOFTNET); -#endif - - if (sc == NULL) - return; - - if (ISSET(st->state_flags, PFSTATE_ACK)) - pfsync_deferred(st, 1); - if (ISSET(st->state_flags, PFSTATE_NOSYNC)) { - if (st->sync_state != PFSYNC_S_NONE) - pfsync_q_del(st); - return; - } - - if (sc->sc_len == PFSYNC_MINPKT) -#ifdef __FreeBSD__ - callout_reset(&sc->sc_tmo, 1 * hz, pfsync_timeout, - V_pfsyncif); -#else - timeout_add_sec(&sc->sc_tmo, 1); -#endif - - switch (st->sync_state) { - case PFSYNC_S_INS: - /* we never got to tell the world so just forget about it */ - pfsync_q_del(st); - return; - - case PFSYNC_S_UPD_C: - case PFSYNC_S_UPD: - case PFSYNC_S_IACK: - pfsync_q_del(st); - /* FALLTHROUGH to putting it on the del list */ - - case PFSYNC_S_NONE: - pfsync_q_ins(st, PFSYNC_S_DEL); - return; - - default: - panic("pfsync_delete_state: unexpected sync state %d", - st->sync_state); - } -} - -void -pfsync_clear_states(u_int32_t creatorid, const char *ifname) -{ - struct { - struct pfsync_subheader subh; - struct pfsync_clr clr; - } __packed r; - -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#else - splassert(IPL_SOFTNET); -#endif - - if (sc == NULL) - return; - - bzero(&r, sizeof(r)); - - r.subh.action = PFSYNC_ACT_CLR; - r.subh.count = htons(1); - - strlcpy(r.clr.ifname, ifname, sizeof(r.clr.ifname)); - r.clr.creatorid = creatorid; - - pfsync_send_plus(&r, sizeof(r)); -} - -void -pfsync_q_ins(struct pf_state *st, int q) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - size_t nlen = pfsync_qs[q].len; - int s; - - PF_LOCK_ASSERT(); - -#ifdef __FreeBSD__ - KASSERT(st->sync_state == PFSYNC_S_NONE, - ("%s: st->sync_state == PFSYNC_S_NONE", __FUNCTION__)); -#else - KASSERT(st->sync_state == PFSYNC_S_NONE); -#endif - -#if 1 || defined(PFSYNC_DEBUG) - if (sc->sc_len < PFSYNC_MINPKT) -#ifdef __FreeBSD__ - panic("pfsync pkt len is too low %zu", sc->sc_len); -#else - panic("pfsync pkt len is too low %d", sc->sc_len); -#endif -#endif - if (TAILQ_EMPTY(&sc->sc_qs[q])) - nlen += sizeof(struct pfsync_subheader); - -#ifdef __FreeBSD__ - if (sc->sc_len + nlen > sc->sc_ifp->if_mtu) { -#else - if (sc->sc_len + nlen > sc->sc_if.if_mtu) { -#endif - s = splnet(); - pfsync_sendout(); - splx(s); - - nlen = sizeof(struct pfsync_subheader) + pfsync_qs[q].len; - } - - sc->sc_len += nlen; - TAILQ_INSERT_TAIL(&sc->sc_qs[q], st, sync_list); - st->sync_state = q; -} - -void -pfsync_q_del(struct pf_state *st) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - int q = st->sync_state; - -#ifdef __FreeBSD__ - KASSERT(st->sync_state != PFSYNC_S_NONE, - ("%s: st->sync_state != PFSYNC_S_NONE", __FUNCTION__)); -#else - KASSERT(st->sync_state != PFSYNC_S_NONE); -#endif - - sc->sc_len -= pfsync_qs[q].len; - TAILQ_REMOVE(&sc->sc_qs[q], st, sync_list); - st->sync_state = PFSYNC_S_NONE; - - if (TAILQ_EMPTY(&sc->sc_qs[q])) - sc->sc_len -= sizeof(struct pfsync_subheader); -} - -#ifdef notyet -void -pfsync_update_tdb(struct tdb *t, int output) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - size_t nlen = sizeof(struct pfsync_tdb); - int s; - - if (sc == NULL) - return; - - if (!ISSET(t->tdb_flags, TDBF_PFSYNC)) { - if (TAILQ_EMPTY(&sc->sc_tdb_q)) - nlen += sizeof(struct pfsync_subheader); - - if (sc->sc_len + nlen > sc->sc_if.if_mtu) { - s = splnet(); - PF_LOCK(); - pfsync_sendout(); - PF_UNLOCK(); - splx(s); - - nlen = sizeof(struct pfsync_subheader) + - sizeof(struct pfsync_tdb); - } - - sc->sc_len += nlen; - TAILQ_INSERT_TAIL(&sc->sc_tdb_q, t, tdb_sync_entry); - SET(t->tdb_flags, TDBF_PFSYNC); - t->tdb_updates = 0; - } else { - if (++t->tdb_updates >= sc->sc_maxupdates) - schednetisr(NETISR_PFSYNC); - } - - if (output) - SET(t->tdb_flags, TDBF_PFSYNC_RPL); - else - CLR(t->tdb_flags, TDBF_PFSYNC_RPL); -} - -void -pfsync_delete_tdb(struct tdb *t) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - - if (sc == NULL || !ISSET(t->tdb_flags, TDBF_PFSYNC)) - return; - - sc->sc_len -= sizeof(struct pfsync_tdb); - TAILQ_REMOVE(&sc->sc_tdb_q, t, tdb_sync_entry); - CLR(t->tdb_flags, TDBF_PFSYNC); - - if (TAILQ_EMPTY(&sc->sc_tdb_q)) - sc->sc_len -= sizeof(struct pfsync_subheader); -} - -int -pfsync_out_tdb(struct tdb *t, struct mbuf *m, int offset) -{ - struct pfsync_tdb *ut = (struct pfsync_tdb *)(m->m_data + offset); - - bzero(ut, sizeof(*ut)); - ut->spi = t->tdb_spi; - bcopy(&t->tdb_dst, &ut->dst, sizeof(ut->dst)); - /* - * When a failover happens, the master's rpl is probably above - * what we see here (we may be up to a second late), so - * increase it a bit for outbound tdbs to manage most such - * situations. - * - * For now, just add an offset that is likely to be larger - * than the number of packets we can see in one second. The RFC - * just says the next packet must have a higher seq value. - * - * XXX What is a good algorithm for this? We could use - * a rate-determined increase, but to know it, we would have - * to extend struct tdb. - * XXX pt->rpl can wrap over MAXINT, but if so the real tdb - * will soon be replaced anyway. For now, just don't handle - * this edge case. - */ -#define RPL_INCR 16384 - ut->rpl = htonl(t->tdb_rpl + (ISSET(t->tdb_flags, TDBF_PFSYNC_RPL) ? - RPL_INCR : 0)); - ut->cur_bytes = htobe64(t->tdb_cur_bytes); - ut->sproto = t->tdb_sproto; - - return (sizeof(*ut)); -} -#endif - -void -pfsync_bulk_start(void) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("pfsync: received bulk update request\n"); - -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); - if (TAILQ_EMPTY(&V_state_list)) -#else - if (TAILQ_EMPTY(&state_list)) -#endif - pfsync_bulk_status(PFSYNC_BUS_END); - else { - sc->sc_ureq_received = time_uptime; - if (sc->sc_bulk_next == NULL) -#ifdef __FreeBSD__ - sc->sc_bulk_next = TAILQ_FIRST(&V_state_list); -#else - sc->sc_bulk_next = TAILQ_FIRST(&state_list); -#endif - sc->sc_bulk_last = sc->sc_bulk_next; - - pfsync_bulk_status(PFSYNC_BUS_START); - callout_reset(&sc->sc_bulk_tmo, 1, pfsync_bulk_update, sc); - } -} - -void -pfsync_bulk_update(void *arg) -{ - struct pfsync_softc *sc = arg; - struct pf_state *st = sc->sc_bulk_next; - int i = 0; - int s; - - PF_LOCK_ASSERT(); - - s = splsoftnet(); -#ifdef __FreeBSD__ - CURVNET_SET(sc->sc_ifp->if_vnet); -#endif - for (;;) { - if (st->sync_state == PFSYNC_S_NONE && - st->timeout < PFTM_MAX && - st->pfsync_time <= sc->sc_ureq_received) { - pfsync_update_state_req(st); - i++; - } - - st = TAILQ_NEXT(st, entry_list); - if (st == NULL) -#ifdef __FreeBSD__ - st = TAILQ_FIRST(&V_state_list); -#else - st = TAILQ_FIRST(&state_list); -#endif - - if (st == sc->sc_bulk_last) { - /* we're done */ - sc->sc_bulk_next = NULL; - sc->sc_bulk_last = NULL; - pfsync_bulk_status(PFSYNC_BUS_END); - break; - } - -#ifdef __FreeBSD__ - if (i > 1 && (sc->sc_ifp->if_mtu - sc->sc_len) < -#else - if (i > 1 && (sc->sc_if.if_mtu - sc->sc_len) < -#endif - sizeof(struct pfsync_state)) { - /* we've filled a packet */ - sc->sc_bulk_next = st; -#ifdef __FreeBSD__ - callout_reset(&sc->sc_bulk_tmo, 1, - pfsync_bulk_update, sc); -#else - timeout_add(&sc->sc_bulk_tmo, 1); -#endif - break; - } - } - -#ifdef __FreeBSD__ - CURVNET_RESTORE(); -#endif - splx(s); -} - -void -pfsync_bulk_status(u_int8_t status) -{ - struct { - struct pfsync_subheader subh; - struct pfsync_bus bus; - } __packed r; - -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - - PF_LOCK_ASSERT(); - - bzero(&r, sizeof(r)); - - r.subh.action = PFSYNC_ACT_BUS; - r.subh.count = htons(1); - -#ifdef __FreeBSD__ - r.bus.creatorid = V_pf_status.hostid; -#else - r.bus.creatorid = pf_status.hostid; -#endif - r.bus.endtime = htonl(time_uptime - sc->sc_ureq_received); - r.bus.status = status; - - pfsync_send_plus(&r, sizeof(r)); -} - -void -pfsync_bulk_fail(void *arg) -{ - struct pfsync_softc *sc = arg; - -#ifdef __FreeBSD__ - CURVNET_SET(sc->sc_ifp->if_vnet); -#endif - - if (sc->sc_bulk_tries++ < PFSYNC_MAX_BULKTRIES) { - /* Try again */ -#ifdef __FreeBSD__ - callout_reset(&sc->sc_bulkfail_tmo, 5 * hz, - pfsync_bulk_fail, V_pfsyncif); -#else - timeout_add_sec(&sc->sc_bulkfail_tmo, 5); -#endif - PF_LOCK(); - pfsync_request_update(0, 0); - PF_UNLOCK(); - } else { - /* Pretend like the transfer was ok */ - sc->sc_ureq_sent = 0; - sc->sc_bulk_tries = 0; -#ifdef __FreeBSD__ - if (!sc->pfsync_sync_ok && carp_demote_adj_p) - (*carp_demote_adj_p)(-V_pfsync_carp_adj, - "pfsync bulk fail"); - sc->pfsync_sync_ok = 1; -#else -#if NCARP > 0 - if (!pfsync_sync_ok) - carp_group_demote_adj(&sc->sc_if, -1); -#endif - pfsync_sync_ok = 1; -#endif -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("pfsync: failed to receive bulk update\n"); - } - -#ifdef __FreeBSD__ - CURVNET_RESTORE(); -#endif -} - -void -pfsync_send_plus(void *plus, size_t pluslen) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - int s; - - PF_LOCK_ASSERT(); - -#ifdef __FreeBSD__ - if (sc->sc_len + pluslen > sc->sc_ifp->if_mtu) { -#else - if (sc->sc_len + pluslen > sc->sc_if.if_mtu) { -#endif - s = splnet(); - pfsync_sendout(); - splx(s); - } - - sc->sc_plus = plus; - sc->sc_len += (sc->sc_pluslen = pluslen); - - s = splnet(); - pfsync_sendout(); - splx(s); -} - -int -pfsync_up(void) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - -#ifdef __FreeBSD__ - if (sc == NULL || !ISSET(sc->sc_ifp->if_flags, IFF_DRV_RUNNING)) -#else - if (sc == NULL || !ISSET(sc->sc_if.if_flags, IFF_RUNNING)) -#endif - return (0); - - return (1); -} - -int -pfsync_state_in_use(struct pf_state *st) -{ -#ifdef __FreeBSD__ - struct pfsync_softc *sc = V_pfsyncif; -#else - struct pfsync_softc *sc = pfsyncif; -#endif - - if (sc == NULL) - return (0); - - if (st->sync_state != PFSYNC_S_NONE || - st == sc->sc_bulk_next || - st == sc->sc_bulk_last) - return (1); - - return (0); -} - -u_int pfsync_ints; -u_int pfsync_tmos; - -void -pfsync_timeout(void *arg) -{ -#if defined(__FreeBSD__) && defined(VIMAGE) - struct pfsync_softc *sc = arg; -#endif - int s; - -#ifdef __FreeBSD__ - CURVNET_SET(sc->sc_ifp->if_vnet); -#endif - - pfsync_tmos++; - - s = splnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - pfsync_sendout(); -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); - -#ifdef __FreeBSD__ - CURVNET_RESTORE(); -#endif -} - -/* this is a softnet/netisr handler */ -void -#ifdef __FreeBSD__ -pfsyncintr(void *arg) -{ - struct pfsync_softc *sc = arg; - struct mbuf *m, *n; - - CURVNET_SET(sc->sc_ifp->if_vnet); - pfsync_ints++; - - PF_LOCK(); - if (sc->sc_len > PFSYNC_MINPKT) - pfsync_sendout1(0); - _IF_DEQUEUE_ALL(&sc->sc_ifp->if_snd, m); - PF_UNLOCK(); - - for (; m != NULL; m = n) { - - n = m->m_nextpkt; - m->m_nextpkt = NULL; - if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL) - == 0) - V_pfsyncstats.pfsyncs_opackets++; - else - V_pfsyncstats.pfsyncs_oerrors++; - } - CURVNET_RESTORE(); -} -#else -pfsyncintr(void) -{ - int s; - - pfsync_ints++; - - s = splnet(); - pfsync_sendout(); - splx(s); -} -#endif - -int -pfsync_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, - size_t newlen) -{ - -#ifdef notyet - /* All sysctl names at this level are terminal. */ - if (namelen != 1) - return (ENOTDIR); - - switch (name[0]) { - case PFSYNCCTL_STATS: - if (newp != NULL) - return (EPERM); - return (sysctl_struct(oldp, oldlenp, newp, newlen, - &V_pfsyncstats, sizeof(V_pfsyncstats))); - } -#endif - return (ENOPROTOOPT); -} - -#ifdef __FreeBSD__ -static int -pfsync_multicast_setup(struct pfsync_softc *sc) -{ - struct ip_moptions *imo = &sc->sc_imo; - int error; - - if (!(sc->sc_sync_if->if_flags & IFF_MULTICAST)) { - sc->sc_sync_if = NULL; - return (EADDRNOTAVAIL); - } - - imo->imo_membership = (struct in_multi **)malloc( - (sizeof(struct in_multi *) * IP_MIN_MEMBERSHIPS), M_PFSYNC, - M_WAITOK | M_ZERO); - imo->imo_max_memberships = IP_MIN_MEMBERSHIPS; - imo->imo_multicast_vif = -1; - - if ((error = in_joingroup(sc->sc_sync_if, &sc->sc_sync_peer, NULL, - &imo->imo_membership[0])) != 0) { - free(imo->imo_membership, M_PFSYNC); - return (error); - } - imo->imo_num_memberships++; - imo->imo_multicast_ifp = sc->sc_sync_if; - imo->imo_multicast_ttl = PFSYNC_DFLTTL; - imo->imo_multicast_loop = 0; - - return (0); -} - -static void -pfsync_multicast_cleanup(struct pfsync_softc *sc) -{ - struct ip_moptions *imo = &sc->sc_imo; - - in_leavegroup(imo->imo_membership[0], NULL); - free(imo->imo_membership, M_PFSYNC); - imo->imo_membership = NULL; - imo->imo_multicast_ifp = NULL; -} - -#ifdef INET -extern struct domain inetdomain; -static struct protosw in_pfsync_protosw = { - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_PFSYNC, - .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = pfsync_input, - .pr_output = (pr_output_t *)rip_output, - .pr_ctloutput = rip_ctloutput, - .pr_usrreqs = &rip_usrreqs -}; -#endif - -static int -pfsync_init() -{ - VNET_ITERATOR_DECL(vnet_iter); - int error = 0; - - VNET_LIST_RLOCK(); - VNET_FOREACH(vnet_iter) { - CURVNET_SET(vnet_iter); - V_pfsync_cloner = pfsync_cloner; - V_pfsync_cloner_data = pfsync_cloner_data; - V_pfsync_cloner.ifc_data = &V_pfsync_cloner_data; - if_clone_attach(&V_pfsync_cloner); - error = swi_add(NULL, "pfsync", pfsyncintr, V_pfsyncif, - SWI_NET, INTR_MPSAFE, &V_pfsync_swi_cookie); - CURVNET_RESTORE(); - if (error) - goto fail_locked; - } - VNET_LIST_RUNLOCK(); -#ifdef INET - error = pf_proto_register(PF_INET, &in_pfsync_protosw); - if (error) - goto fail; - error = ipproto_register(IPPROTO_PFSYNC); - if (error) { - pf_proto_unregister(PF_INET, IPPROTO_PFSYNC, SOCK_RAW); - goto fail; - } -#endif - PF_LOCK(); - pfsync_state_import_ptr = pfsync_state_import; - pfsync_up_ptr = pfsync_up; - pfsync_insert_state_ptr = pfsync_insert_state; - pfsync_update_state_ptr = pfsync_update_state; - pfsync_delete_state_ptr = pfsync_delete_state; - pfsync_clear_states_ptr = pfsync_clear_states; - pfsync_state_in_use_ptr = pfsync_state_in_use; - pfsync_defer_ptr = pfsync_defer; - PF_UNLOCK(); - - return (0); - -fail: - VNET_LIST_RLOCK(); -fail_locked: - VNET_FOREACH(vnet_iter) { - CURVNET_SET(vnet_iter); - if (V_pfsync_swi_cookie) { - swi_remove(V_pfsync_swi_cookie); - if_clone_detach(&V_pfsync_cloner); - } - CURVNET_RESTORE(); - } - VNET_LIST_RUNLOCK(); - - return (error); -} - -static void -pfsync_uninit() -{ - VNET_ITERATOR_DECL(vnet_iter); - - PF_LOCK(); - pfsync_state_import_ptr = NULL; - pfsync_up_ptr = NULL; - pfsync_insert_state_ptr = NULL; - pfsync_update_state_ptr = NULL; - pfsync_delete_state_ptr = NULL; - pfsync_clear_states_ptr = NULL; - pfsync_state_in_use_ptr = NULL; - pfsync_defer_ptr = NULL; - PF_UNLOCK(); - - ipproto_unregister(IPPROTO_PFSYNC); - pf_proto_unregister(PF_INET, IPPROTO_PFSYNC, SOCK_RAW); - VNET_LIST_RLOCK(); - VNET_FOREACH(vnet_iter) { - CURVNET_SET(vnet_iter); - swi_remove(V_pfsync_swi_cookie); - if_clone_detach(&V_pfsync_cloner); - CURVNET_RESTORE(); - } - VNET_LIST_RUNLOCK(); -} - -static int -pfsync_modevent(module_t mod, int type, void *data) -{ - int error = 0; - - switch (type) { - case MOD_LOAD: - error = pfsync_init(); - break; - case MOD_QUIESCE: - /* - * Module should not be unloaded due to race conditions. - */ - error = EPERM; - break; - case MOD_UNLOAD: - pfsync_uninit(); - break; - default: - error = EINVAL; - break; - } - - return (error); -} - -static moduledata_t pfsync_mod = { - "pfsync", - pfsync_modevent, - 0 -}; - -#define PFSYNC_MODVER 1 - -DECLARE_MODULE(pfsync, pfsync_mod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY); -MODULE_VERSION(pfsync, PFSYNC_MODVER); -MODULE_DEPEND(pfsync, pf, PF_MODVER, PF_MODVER, PF_MODVER); -#endif /* __FreeBSD__ */ diff --git a/sys/contrib/pf/net/if_pfsync.h b/sys/contrib/pf/net/if_pfsync.h deleted file mode 100644 index 3f34038..0000000 --- a/sys/contrib/pf/net/if_pfsync.h +++ /dev/null @@ -1,324 +0,0 @@ -/* $OpenBSD: if_pfsync.h,v 1.35 2008/06/29 08:42:15 mcbride Exp $ */ - -/* - * Copyright (c) 2001 Michael Shalayeff - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING - * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF - * THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (c) 2008 David Gwynne <dlg@openbsd.org> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef _NET_IF_PFSYNC_H_ -#define _NET_IF_PFSYNC_H_ - -#define PFSYNC_VERSION 5 -#define PFSYNC_DFLTTL 255 - -#define PFSYNC_ACT_CLR 0 /* clear all states */ -#define PFSYNC_ACT_INS 1 /* insert state */ -#define PFSYNC_ACT_INS_ACK 2 /* ack of insterted state */ -#define PFSYNC_ACT_UPD 3 /* update state */ -#define PFSYNC_ACT_UPD_C 4 /* "compressed" update state */ -#define PFSYNC_ACT_UPD_REQ 5 /* request "uncompressed" state */ -#define PFSYNC_ACT_DEL 6 /* delete state */ -#define PFSYNC_ACT_DEL_C 7 /* "compressed" delete state */ -#define PFSYNC_ACT_INS_F 8 /* insert fragment */ -#define PFSYNC_ACT_DEL_F 9 /* delete fragments */ -#define PFSYNC_ACT_BUS 10 /* bulk update status */ -#define PFSYNC_ACT_TDB 11 /* TDB replay counter update */ -#define PFSYNC_ACT_EOF 12 /* end of frame */ -#define PFSYNC_ACT_MAX 13 - -#define PFSYNC_ACTIONS "CLR ST", \ - "INS ST", \ - "INS ST ACK", \ - "UPD ST", \ - "UPD ST COMP", \ - "UPD ST REQ", \ - "DEL ST", \ - "DEL ST COMP", \ - "INS FR", \ - "DEL FR", \ - "BULK UPD STAT", \ - "TDB UPD", \ - "EOF" - -#define PFSYNC_HMAC_LEN 20 - -/* - * A pfsync frame is built from a header followed by several sections which - * are all prefixed with their own subheaders. Frames must be terminated with - * an EOF subheader. - * - * | ... | - * | IP header | - * +============================+ - * | pfsync_header | - * +----------------------------+ - * | pfsync_subheader | - * +----------------------------+ - * | first action fields | - * | ... | - * +----------------------------+ - * | pfsync_subheader | - * +----------------------------+ - * | second action fields | - * | ... | - * +----------------------------+ - * | EOF pfsync_subheader | - * +----------------------------+ - * | HMAC | - * +============================+ - */ - -/* - * Frame header - */ - -struct pfsync_header { - u_int8_t version; - u_int8_t _pad; - u_int16_t len; - u_int8_t pfcksum[PF_MD5_DIGEST_LENGTH]; -} __packed; - -/* - * Frame region subheader - */ - -struct pfsync_subheader { - u_int8_t action; - u_int8_t _pad; - u_int16_t count; -} __packed; - -/* - * CLR - */ - -struct pfsync_clr { - char ifname[IFNAMSIZ]; - u_int32_t creatorid; -} __packed; - -/* - * INS, UPD, DEL - */ - -/* these use struct pfsync_state in pfvar.h */ - -/* - * INS_ACK - */ - -struct pfsync_ins_ack { - u_int64_t id; - u_int32_t creatorid; -} __packed; - -/* - * UPD_C - */ - -struct pfsync_upd_c { - u_int64_t id; - struct pfsync_state_peer src; - struct pfsync_state_peer dst; - u_int32_t creatorid; - u_int32_t expire; - u_int8_t timeout; - u_int8_t _pad[3]; -} __packed; - -/* - * UPD_REQ - */ - -struct pfsync_upd_req { - u_int64_t id; - u_int32_t creatorid; -} __packed; - -/* - * DEL_C - */ - -struct pfsync_del_c { - u_int64_t id; - u_int32_t creatorid; -} __packed; - -/* - * INS_F, DEL_F - */ - -/* not implemented (yet) */ - -/* - * BUS - */ - -struct pfsync_bus { - u_int32_t creatorid; - u_int32_t endtime; - u_int8_t status; -#define PFSYNC_BUS_START 1 -#define PFSYNC_BUS_END 2 - u_int8_t _pad[3]; -} __packed; - -/* - * TDB - */ - -struct pfsync_tdb { - u_int32_t spi; - union sockaddr_union dst; - u_int32_t rpl; - u_int64_t cur_bytes; - u_int8_t sproto; - u_int8_t updates; - u_int8_t _pad[2]; -} __packed; - -/* - * EOF - */ - -struct pfsync_eof { - u_int8_t hmac[PFSYNC_HMAC_LEN]; -} __packed; - -#define PFSYNC_HDRLEN sizeof(struct pfsync_header) - - - -/* - * Names for PFSYNC sysctl objects - */ -#define PFSYNCCTL_STATS 1 /* PFSYNC stats */ -#define PFSYNCCTL_MAXID 2 - -#define PFSYNCCTL_NAMES { \ - { 0, 0 }, \ - { "stats", CTLTYPE_STRUCT }, \ -} - -struct pfsyncstats { - u_int64_t pfsyncs_ipackets; /* total input packets, IPv4 */ - u_int64_t pfsyncs_ipackets6; /* total input packets, IPv6 */ - u_int64_t pfsyncs_badif; /* not the right interface */ - u_int64_t pfsyncs_badttl; /* TTL is not PFSYNC_DFLTTL */ - u_int64_t pfsyncs_hdrops; /* packets shorter than hdr */ - u_int64_t pfsyncs_badver; /* bad (incl unsupp) version */ - u_int64_t pfsyncs_badact; /* bad action */ - u_int64_t pfsyncs_badlen; /* data length does not match */ - u_int64_t pfsyncs_badauth; /* bad authentication */ - u_int64_t pfsyncs_stale; /* stale state */ - u_int64_t pfsyncs_badval; /* bad values */ - u_int64_t pfsyncs_badstate; /* insert/lookup failed */ - - u_int64_t pfsyncs_opackets; /* total output packets, IPv4 */ - u_int64_t pfsyncs_opackets6; /* total output packets, IPv6 */ - u_int64_t pfsyncs_onomem; /* no memory for an mbuf */ - u_int64_t pfsyncs_oerrors; /* ip output error */ -}; - -/* - * Configuration structure for SIOCSETPFSYNC SIOCGETPFSYNC - */ -struct pfsyncreq { - char pfsyncr_syncdev[IFNAMSIZ]; - struct in_addr pfsyncr_syncpeer; - int pfsyncr_maxupdates; - int pfsyncr_defer; -}; - -#ifdef __FreeBSD__ -#define SIOCSETPFSYNC _IOW('i', 247, struct ifreq) -#define SIOCGETPFSYNC _IOWR('i', 248, struct ifreq) -#endif - -#ifdef _KERNEL - -/* - * this shows where a pf state is with respect to the syncing. - */ -#define PFSYNC_S_INS 0x00 -#define PFSYNC_S_IACK 0x01 -#define PFSYNC_S_UPD 0x02 -#define PFSYNC_S_UPD_C 0x03 -#define PFSYNC_S_DEL 0x04 -#define PFSYNC_S_COUNT 0x05 - -#define PFSYNC_S_DEFER 0xfe -#define PFSYNC_S_NONE 0xff - -#ifdef __FreeBSD__ -void pfsync_input(struct mbuf *, __unused int); -#else -void pfsync_input(struct mbuf *, ...); -#endif -int pfsync_sysctl(int *, u_int, void *, size_t *, - void *, size_t); - -#define PFSYNC_SI_IOCTL 0x01 -#define PFSYNC_SI_CKSUM 0x02 -#define PFSYNC_SI_ACK 0x04 -int pfsync_state_import(struct pfsync_state *, u_int8_t); -#ifndef __FreeBSD__ -void pfsync_state_export(struct pfsync_state *, - struct pf_state *); -#endif - -void pfsync_insert_state(struct pf_state *); -void pfsync_update_state(struct pf_state *); -void pfsync_delete_state(struct pf_state *); -void pfsync_clear_states(u_int32_t, const char *); - -#ifdef notyet -void pfsync_update_tdb(struct tdb *, int); -void pfsync_delete_tdb(struct tdb *); -#endif - -int pfsync_defer(struct pf_state *, struct mbuf *); - -int pfsync_up(void); -int pfsync_state_in_use(struct pf_state *); -#endif - -#endif /* _NET_IF_PFSYNC_H_ */ diff --git a/sys/contrib/pf/net/pf.c b/sys/contrib/pf/net/pf.c deleted file mode 100644 index ac51282..0000000 --- a/sys/contrib/pf/net/pf.c +++ /dev/null @@ -1,7620 +0,0 @@ -/* $OpenBSD: pf.c,v 1.634 2009/02/27 12:37:45 henning Exp $ */ - -/* - * Copyright (c) 2001 Daniel Hartmeier - * Copyright (c) 2002 - 2008 Henning Brauer - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - * Effort sponsored in part by the Defense Advanced Research Projects - * Agency (DARPA) and Air Force Research Laboratory, Air Force - * Materiel Command, USAF, under agreement number F30602-01-2-0537. - * - */ - -#ifdef __FreeBSD__ -#include "opt_inet.h" -#include "opt_inet6.h" - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); -#endif - -#ifdef __FreeBSD__ -#include "opt_bpf.h" -#include "opt_pf.h" - -#define NPFSYNC 1 - -#ifdef DEV_PFLOW -#define NPFLOW DEV_PFLOW -#else -#define NPFLOW 0 -#endif - -#else -#include "bpfilter.h" -#include "pflog.h" -#include "pfsync.h" -#include "pflow.h" -#endif - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/mbuf.h> -#include <sys/filio.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#include <sys/time.h> -#ifdef __FreeBSD__ -#include <sys/random.h> -#include <sys/sysctl.h> -#include <sys/endian.h> -#define betoh64 be64toh -#else -#include <sys/pool.h> -#endif -#include <sys/proc.h> -#ifdef __FreeBSD__ -#include <sys/kthread.h> -#include <sys/lock.h> -#include <sys/sx.h> -#else -#include <sys/rwlock.h> -#endif - -#ifdef __FreeBSD__ -#include <sys/md5.h> -#else -#include <crypto/md5.h> -#endif - -#include <net/if.h> -#include <net/if_types.h> -#include <net/bpf.h> -#include <net/route.h> -#ifdef __FreeBSD__ -#ifdef RADIX_MPATH -#include <net/radix_mpath.h> -#endif -#else -#include <net/radix_mpath.h> -#endif - -#include <netinet/in.h> -#include <netinet/in_var.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/tcp.h> -#include <netinet/tcp_seq.h> -#include <netinet/udp.h> -#include <netinet/ip_icmp.h> -#include <netinet/in_pcb.h> -#include <netinet/tcp_timer.h> -#include <netinet/tcp_var.h> -#include <netinet/udp_var.h> -#include <netinet/icmp_var.h> -#include <netinet/if_ether.h> -#ifdef __FreeBSD__ -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> /* XXX: only for DIR_IN/DIR_OUT */ -#endif - -#ifndef __FreeBSD__ -#include <dev/rndvar.h> -#endif -#include <net/pfvar.h> -#include <net/if_pflog.h> -#include <net/if_pflow.h> -#include <net/if_pfsync.h> - -#ifdef INET6 -#include <netinet/ip6.h> -#include <netinet/in_pcb.h> -#include <netinet/icmp6.h> -#include <netinet6/nd6.h> -#ifdef __FreeBSD__ -#include <netinet6/ip6_var.h> -#include <netinet6/in6_pcb.h> -#endif -#endif /* INET6 */ - -#ifdef __FreeBSD__ -#include <machine/in_cksum.h> -#include <sys/limits.h> -#include <sys/ucred.h> -#include <security/mac/mac_framework.h> - -extern int ip_optcopy(struct ip *, struct ip *); -#endif - -#ifdef __FreeBSD__ -#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x -#else -#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x -#endif - -/* - * Global variables - */ - -/* state tables */ -#ifdef __FreeBSD__ -VNET_DEFINE(struct pf_state_tree, pf_statetbl); - -VNET_DEFINE(struct pf_altqqueue, pf_altqs[2]); -VNET_DEFINE(struct pf_palist, pf_pabuf); -VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active); -VNET_DEFINE(struct pf_altqqueue *, pf_altqs_inactive); -VNET_DEFINE(struct pf_status, pf_status); - -VNET_DEFINE(u_int32_t, ticket_altqs_active); -VNET_DEFINE(u_int32_t, ticket_altqs_inactive); -VNET_DEFINE(int, altqs_inactive_open); -VNET_DEFINE(u_int32_t, ticket_pabuf); - -VNET_DEFINE(MD5_CTX, pf_tcp_secret_ctx); -#define V_pf_tcp_secret_ctx VNET(pf_tcp_secret_ctx) -VNET_DEFINE(u_char, pf_tcp_secret[16]); -#define V_pf_tcp_secret VNET(pf_tcp_secret) -VNET_DEFINE(int, pf_tcp_secret_init); -#define V_pf_tcp_secret_init VNET(pf_tcp_secret_init) -VNET_DEFINE(int, pf_tcp_iss_off); -#define V_pf_tcp_iss_off VNET(pf_tcp_iss_off) - -struct pf_anchor_stackframe { - struct pf_ruleset *rs; - struct pf_rule *r; - struct pf_anchor_node *parent; - struct pf_anchor *child; -}; -VNET_DEFINE(struct pf_anchor_stackframe, pf_anchor_stack[64]); -#define V_pf_anchor_stack VNET(pf_anchor_stack) - -VNET_DEFINE(uma_zone_t, pf_src_tree_pl); -VNET_DEFINE(uma_zone_t, pf_rule_pl); -VNET_DEFINE(uma_zone_t, pf_pooladdr_pl); -VNET_DEFINE(uma_zone_t, pf_state_pl); -VNET_DEFINE(uma_zone_t, pf_state_key_pl); -VNET_DEFINE(uma_zone_t, pf_state_item_pl); -VNET_DEFINE(uma_zone_t, pf_altq_pl); -#else -struct pf_state_tree pf_statetbl; - -struct pf_altqqueue pf_altqs[2]; -struct pf_palist pf_pabuf; -struct pf_altqqueue *pf_altqs_active; -struct pf_altqqueue *pf_altqs_inactive; -struct pf_status pf_status; - -u_int32_t ticket_altqs_active; -u_int32_t ticket_altqs_inactive; -int altqs_inactive_open; -u_int32_t ticket_pabuf; - -MD5_CTX pf_tcp_secret_ctx; -u_char pf_tcp_secret[16]; -int pf_tcp_secret_init; -int pf_tcp_iss_off; - -struct pf_anchor_stackframe { - struct pf_ruleset *rs; - struct pf_rule *r; - struct pf_anchor_node *parent; - struct pf_anchor *child; -} pf_anchor_stack[64]; - -struct pool pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl; -struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl; -struct pool pf_altq_pl; -#endif - -void pf_init_threshold(struct pf_threshold *, u_int32_t, - u_int32_t); -void pf_add_threshold(struct pf_threshold *); -int pf_check_threshold(struct pf_threshold *); - -void pf_change_ap(struct pf_addr *, u_int16_t *, - u_int16_t *, u_int16_t *, struct pf_addr *, - u_int16_t, u_int8_t, sa_family_t); -int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *, - struct tcphdr *, struct pf_state_peer *); -#ifdef INET6 -void pf_change_a6(struct pf_addr *, u_int16_t *, - struct pf_addr *, u_int8_t); -#endif /* INET6 */ -void pf_change_icmp(struct pf_addr *, u_int16_t *, - struct pf_addr *, struct pf_addr *, u_int16_t, - u_int16_t *, u_int16_t *, u_int16_t *, - u_int16_t *, u_int8_t, sa_family_t); -#ifdef __FreeBSD__ -void pf_send_tcp(struct mbuf *, - const struct pf_rule *, sa_family_t, -#else -void pf_send_tcp(const struct pf_rule *, sa_family_t, -#endif - const struct pf_addr *, const struct pf_addr *, - u_int16_t, u_int16_t, u_int32_t, u_int32_t, - u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, - u_int16_t, struct ether_header *, struct ifnet *); -static void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, - sa_family_t, struct pf_rule *); -void pf_detach_state(struct pf_state *); -void pf_state_key_detach(struct pf_state *, int); -u_int32_t pf_tcp_iss(struct pf_pdesc *); -int pf_test_rule(struct pf_rule **, struct pf_state **, - int, struct pfi_kif *, struct mbuf *, int, - void *, struct pf_pdesc *, struct pf_rule **, -#ifdef __FreeBSD__ - struct pf_ruleset **, struct ifqueue *, - struct inpcb *); -#else - struct pf_ruleset **, struct ifqueue *); -#endif -static __inline int pf_create_state(struct pf_rule *, struct pf_rule *, - struct pf_rule *, struct pf_pdesc *, - struct pf_src_node *, struct pf_state_key *, - struct pf_state_key *, struct pf_state_key *, - struct pf_state_key *, struct mbuf *, int, - u_int16_t, u_int16_t, int *, struct pfi_kif *, - struct pf_state **, int, u_int16_t, u_int16_t, - int); -int pf_test_fragment(struct pf_rule **, int, - struct pfi_kif *, struct mbuf *, void *, - struct pf_pdesc *, struct pf_rule **, - struct pf_ruleset **); -int pf_tcp_track_full(struct pf_state_peer *, - struct pf_state_peer *, struct pf_state **, - struct pfi_kif *, struct mbuf *, int, - struct pf_pdesc *, u_short *, int *); -int pf_tcp_track_sloppy(struct pf_state_peer *, - struct pf_state_peer *, struct pf_state **, - struct pf_pdesc *, u_short *); -int pf_test_state_tcp(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, int, - void *, struct pf_pdesc *, u_short *); -int pf_test_state_udp(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, int, - void *, struct pf_pdesc *); -int pf_test_state_icmp(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, int, - void *, struct pf_pdesc *, u_short *); -int pf_test_state_other(struct pf_state **, int, - struct pfi_kif *, struct mbuf *, struct pf_pdesc *); -void pf_route(struct mbuf **, struct pf_rule *, int, - struct ifnet *, struct pf_state *, - struct pf_pdesc *); -void pf_route6(struct mbuf **, struct pf_rule *, int, - struct ifnet *, struct pf_state *, - struct pf_pdesc *); -#ifndef __FreeBSD__ -int pf_socket_lookup(int, struct pf_pdesc *); -#endif -u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, - sa_family_t); -u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, - sa_family_t); -u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, - int, u_int16_t); -void pf_set_rt_ifp(struct pf_state *, - struct pf_addr *); -int pf_check_proto_cksum(struct mbuf *, int, int, - u_int8_t, sa_family_t); -#ifndef __FreeBSD__ -struct pf_divert *pf_get_divert(struct mbuf *); -#endif -void pf_print_state_parts(struct pf_state *, - struct pf_state_key *, struct pf_state_key *); -int pf_addr_wrap_neq(struct pf_addr_wrap *, - struct pf_addr_wrap *); -int pf_compare_state_keys(struct pf_state_key *, - struct pf_state_key *, struct pfi_kif *, u_int); -#ifdef __FreeBSD__ -struct pf_state *pf_find_state(struct pfi_kif *, - struct pf_state_key_cmp *, u_int, struct mbuf *, - struct pf_mtag *); -#else -struct pf_state *pf_find_state(struct pfi_kif *, - struct pf_state_key_cmp *, u_int, struct mbuf *); -#endif -int pf_src_connlimit(struct pf_state **); -int pf_check_congestion(struct ifqueue *); - -#ifdef __FreeBSD__ -int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len); - -VNET_DECLARE(int, pf_end_threads); - -VNET_DEFINE(struct pf_pool_limit, pf_pool_limits[PF_LIMIT_MAX]); -#else -extern struct pool pfr_ktable_pl; -extern struct pool pfr_kentry_pl; - -struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = { - { &pf_state_pl, PFSTATE_HIWAT }, - { &pf_src_tree_pl, PFSNODE_HIWAT }, - { &pf_frent_pl, PFFRAG_FRENT_HIWAT }, - { &pfr_ktable_pl, PFR_KTABLE_HIWAT }, - { &pfr_kentry_pl, PFR_KENTRY_HIWAT } -}; -#endif - -#ifdef __FreeBSD__ -#define PPACKET_LOOPED() \ - (pd->pf_mtag->flags & PF_PACKET_LOOPED) - -#define PACKET_LOOPED() \ - (pd.pf_mtag->flags & PF_PACKET_LOOPED) - -#define STATE_LOOKUP(i, k, d, s, m, pt) \ - do { \ - s = pf_find_state(i, k, d, m, pt); \ - if (s == NULL || (s)->timeout == PFTM_PURGE) \ - return (PF_DROP); \ - if (PPACKET_LOOPED()) \ - return (PF_PASS); \ - if (d == PF_OUT && \ - (((s)->rule.ptr->rt == PF_ROUTETO && \ - (s)->rule.ptr->direction == PF_OUT) || \ - ((s)->rule.ptr->rt == PF_REPLYTO && \ - (s)->rule.ptr->direction == PF_IN)) && \ - (s)->rt_kif != NULL && \ - (s)->rt_kif != i) \ - return (PF_PASS); \ - } while (0) -#else -#define STATE_LOOKUP(i, k, d, s, m) \ - do { \ - s = pf_find_state(i, k, d, m); \ - if (s == NULL || (s)->timeout == PFTM_PURGE) \ - return (PF_DROP); \ - if (d == PF_OUT && \ - (((s)->rule.ptr->rt == PF_ROUTETO && \ - (s)->rule.ptr->direction == PF_OUT) || \ - ((s)->rule.ptr->rt == PF_REPLYTO && \ - (s)->rule.ptr->direction == PF_IN)) && \ - (s)->rt_kif != NULL && \ - (s)->rt_kif != i) \ - return (PF_PASS); \ - } while (0) -#endif - -#ifdef __FreeBSD__ -#define BOUND_IFACE(r, k) \ - ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : V_pfi_all -#else -#define BOUND_IFACE(r, k) \ - ((r)->rule_flag & PFRULE_IFBOUND) ? (k) : pfi_all -#endif - -#define STATE_INC_COUNTERS(s) \ - do { \ - s->rule.ptr->states_cur++; \ - s->rule.ptr->states_tot++; \ - if (s->anchor.ptr != NULL) { \ - s->anchor.ptr->states_cur++; \ - s->anchor.ptr->states_tot++; \ - } \ - if (s->nat_rule.ptr != NULL) { \ - s->nat_rule.ptr->states_cur++; \ - s->nat_rule.ptr->states_tot++; \ - } \ - } while (0) - -#define STATE_DEC_COUNTERS(s) \ - do { \ - if (s->nat_rule.ptr != NULL) \ - s->nat_rule.ptr->states_cur--; \ - if (s->anchor.ptr != NULL) \ - s->anchor.ptr->states_cur--; \ - s->rule.ptr->states_cur--; \ - } while (0) - -static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *); -static __inline int pf_state_compare_key(struct pf_state_key *, - struct pf_state_key *); -static __inline int pf_state_compare_id(struct pf_state *, - struct pf_state *); - -#ifdef __FreeBSD__ -VNET_DEFINE(struct pf_src_tree, tree_src_tracking); - -VNET_DEFINE(struct pf_state_tree_id, tree_id); -VNET_DEFINE(struct pf_state_queue, state_list); -#else -struct pf_src_tree tree_src_tracking; - -struct pf_state_tree_id tree_id; -struct pf_state_queue state_list; -#endif - -RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); -RB_GENERATE(pf_state_tree, pf_state_key, entry, pf_state_compare_key); -RB_GENERATE(pf_state_tree_id, pf_state, - entry_id, pf_state_compare_id); - -static __inline int -pf_src_compare(struct pf_src_node *a, struct pf_src_node *b) -{ - int diff; - - if (a->rule.ptr > b->rule.ptr) - return (1); - if (a->rule.ptr < b->rule.ptr) - return (-1); - if ((diff = a->af - b->af) != 0) - return (diff); - switch (a->af) { -#ifdef INET - case AF_INET: - if (a->addr.addr32[0] > b->addr.addr32[0]) - return (1); - if (a->addr.addr32[0] < b->addr.addr32[0]) - return (-1); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (a->addr.addr32[3] > b->addr.addr32[3]) - return (1); - if (a->addr.addr32[3] < b->addr.addr32[3]) - return (-1); - if (a->addr.addr32[2] > b->addr.addr32[2]) - return (1); - if (a->addr.addr32[2] < b->addr.addr32[2]) - return (-1); - if (a->addr.addr32[1] > b->addr.addr32[1]) - return (1); - if (a->addr.addr32[1] < b->addr.addr32[1]) - return (-1); - if (a->addr.addr32[0] > b->addr.addr32[0]) - return (1); - if (a->addr.addr32[0] < b->addr.addr32[0]) - return (-1); - break; -#endif /* INET6 */ - } - return (0); -} - -#ifdef INET6 -void -pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af) -{ - switch (af) { -#ifdef INET - case AF_INET: - dst->addr32[0] = src->addr32[0]; - break; -#endif /* INET */ - case AF_INET6: - dst->addr32[0] = src->addr32[0]; - dst->addr32[1] = src->addr32[1]; - dst->addr32[2] = src->addr32[2]; - dst->addr32[3] = src->addr32[3]; - break; - } -} -#endif /* INET6 */ - -void -pf_init_threshold(struct pf_threshold *threshold, - u_int32_t limit, u_int32_t seconds) -{ - threshold->limit = limit * PF_THRESHOLD_MULT; - threshold->seconds = seconds; - threshold->count = 0; - threshold->last = time_second; -} - -void -pf_add_threshold(struct pf_threshold *threshold) -{ - u_int32_t t = time_second, diff = t - threshold->last; - - if (diff >= threshold->seconds) - threshold->count = 0; - else - threshold->count -= threshold->count * diff / - threshold->seconds; - threshold->count += PF_THRESHOLD_MULT; - threshold->last = t; -} - -int -pf_check_threshold(struct pf_threshold *threshold) -{ - return (threshold->count > threshold->limit); -} - -int -pf_src_connlimit(struct pf_state **state) -{ - int bad = 0; - - (*state)->src_node->conn++; - (*state)->src.tcp_est = 1; - pf_add_threshold(&(*state)->src_node->conn_rate); - - if ((*state)->rule.ptr->max_src_conn && - (*state)->rule.ptr->max_src_conn < - (*state)->src_node->conn) { -#ifdef __FreeBSD__ - V_pf_status.lcounters[LCNT_SRCCONN]++; -#else - pf_status.lcounters[LCNT_SRCCONN]++; -#endif - bad++; - } - - if ((*state)->rule.ptr->max_src_conn_rate.limit && - pf_check_threshold(&(*state)->src_node->conn_rate)) { -#ifdef __FreeBSD__ - V_pf_status.lcounters[LCNT_SRCCONNRATE]++; -#else - pf_status.lcounters[LCNT_SRCCONNRATE]++; -#endif - bad++; - } - - if (!bad) - return (0); - - if ((*state)->rule.ptr->overload_tbl) { - struct pfr_addr p; - u_int32_t killed = 0; - -#ifdef __FreeBSD__ - V_pf_status.lcounters[LCNT_OVERLOAD_TABLE]++; - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - pf_status.lcounters[LCNT_OVERLOAD_TABLE]++; - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf_src_connlimit: blocking address "); - pf_print_host(&(*state)->src_node->addr, 0, - (*state)->key[PF_SK_WIRE]->af); - } - - bzero(&p, sizeof(p)); - p.pfra_af = (*state)->key[PF_SK_WIRE]->af; - switch ((*state)->key[PF_SK_WIRE]->af) { -#ifdef INET - case AF_INET: - p.pfra_net = 32; - p.pfra_ip4addr = (*state)->src_node->addr.v4; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - p.pfra_net = 128; - p.pfra_ip6addr = (*state)->src_node->addr.v6; - break; -#endif /* INET6 */ - } - - pfr_insert_kentry((*state)->rule.ptr->overload_tbl, - &p, time_second); - - /* kill existing states if that's required. */ - if ((*state)->rule.ptr->flush) { - struct pf_state_key *sk; - struct pf_state *st; - -#ifdef __FreeBSD__ - V_pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++; - RB_FOREACH(st, pf_state_tree_id, &V_tree_id) { -#else - pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++; - RB_FOREACH(st, pf_state_tree_id, &tree_id) { -#endif - sk = st->key[PF_SK_WIRE]; - /* - * Kill states from this source. (Only those - * from the same rule if PF_FLUSH_GLOBAL is not - * set) - */ - if (sk->af == - (*state)->key[PF_SK_WIRE]->af && - (((*state)->direction == PF_OUT && - PF_AEQ(&(*state)->src_node->addr, - &sk->addr[1], sk->af)) || - ((*state)->direction == PF_IN && - PF_AEQ(&(*state)->src_node->addr, - &sk->addr[0], sk->af))) && - ((*state)->rule.ptr->flush & - PF_FLUSH_GLOBAL || - (*state)->rule.ptr == st->rule.ptr)) { - st->timeout = PFTM_PURGE; - st->src.state = st->dst.state = - TCPS_CLOSED; - killed++; - } - } -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf(", %u states killed", killed); - } -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) -#else - if (pf_status.debug >= PF_DEBUG_MISC) -#endif - printf("\n"); - } - - /* kill this state */ - (*state)->timeout = PFTM_PURGE; - (*state)->src.state = (*state)->dst.state = TCPS_CLOSED; - return (1); -} - -int -pf_insert_src_node(struct pf_src_node **sn, struct pf_rule *rule, - struct pf_addr *src, sa_family_t af) -{ - struct pf_src_node k; - - if (*sn == NULL) { - k.af = af; - PF_ACPY(&k.addr, src, af); - if (rule->rule_flag & PFRULE_RULESRCTRACK || - rule->rpool.opts & PF_POOL_STICKYADDR) - k.rule.ptr = rule; - else - k.rule.ptr = NULL; -#ifdef __FreeBSD__ - V_pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; - *sn = RB_FIND(pf_src_tree, &V_tree_src_tracking, &k); -#else - pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; - *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); -#endif - } - if (*sn == NULL) { - if (!rule->max_src_nodes || - rule->src_nodes < rule->max_src_nodes) -#ifdef __FreeBSD__ - (*sn) = pool_get(&V_pf_src_tree_pl, PR_NOWAIT | PR_ZERO); -#else - (*sn) = pool_get(&pf_src_tree_pl, PR_NOWAIT | PR_ZERO); -#endif - else -#ifdef __FreeBSD__ - V_pf_status.lcounters[LCNT_SRCNODES]++; -#else - pf_status.lcounters[LCNT_SRCNODES]++; -#endif - if ((*sn) == NULL) - return (-1); - - pf_init_threshold(&(*sn)->conn_rate, - rule->max_src_conn_rate.limit, - rule->max_src_conn_rate.seconds); - - (*sn)->af = af; - if (rule->rule_flag & PFRULE_RULESRCTRACK || - rule->rpool.opts & PF_POOL_STICKYADDR) - (*sn)->rule.ptr = rule; - else - (*sn)->rule.ptr = NULL; - PF_ACPY(&(*sn)->addr, src, af); - if (RB_INSERT(pf_src_tree, -#ifdef __FreeBSD__ - &V_tree_src_tracking, *sn) != NULL) { - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - &tree_src_tracking, *sn) != NULL) { - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf: src_tree insert failed: "); - pf_print_host(&(*sn)->addr, 0, af); - printf("\n"); - } -#ifdef __FreeBSD__ - pool_put(&V_pf_src_tree_pl, *sn); -#else - pool_put(&pf_src_tree_pl, *sn); -#endif - return (-1); - } - (*sn)->creation = time_second; - (*sn)->ruletype = rule->action; - if ((*sn)->rule.ptr != NULL) - (*sn)->rule.ptr->src_nodes++; -#ifdef __FreeBSD__ - V_pf_status.scounters[SCNT_SRC_NODE_INSERT]++; - V_pf_status.src_nodes++; -#else - pf_status.scounters[SCNT_SRC_NODE_INSERT]++; - pf_status.src_nodes++; -#endif - } else { - if (rule->max_src_states && - (*sn)->states >= rule->max_src_states) { -#ifdef __FreeBSD__ - V_pf_status.lcounters[LCNT_SRCSTATES]++; -#else - pf_status.lcounters[LCNT_SRCSTATES]++; -#endif - return (-1); - } - } - return (0); -} - -/* state table stuff */ - -static __inline int -pf_state_compare_key(struct pf_state_key *a, struct pf_state_key *b) -{ - int diff; - - if ((diff = a->proto - b->proto) != 0) - return (diff); - if ((diff = a->af - b->af) != 0) - return (diff); - switch (a->af) { -#ifdef INET - case AF_INET: - if (a->addr[0].addr32[0] > b->addr[0].addr32[0]) - return (1); - if (a->addr[0].addr32[0] < b->addr[0].addr32[0]) - return (-1); - if (a->addr[1].addr32[0] > b->addr[1].addr32[0]) - return (1); - if (a->addr[1].addr32[0] < b->addr[1].addr32[0]) - return (-1); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (a->addr[0].addr32[3] > b->addr[0].addr32[3]) - return (1); - if (a->addr[0].addr32[3] < b->addr[0].addr32[3]) - return (-1); - if (a->addr[1].addr32[3] > b->addr[1].addr32[3]) - return (1); - if (a->addr[1].addr32[3] < b->addr[1].addr32[3]) - return (-1); - if (a->addr[0].addr32[2] > b->addr[0].addr32[2]) - return (1); - if (a->addr[0].addr32[2] < b->addr[0].addr32[2]) - return (-1); - if (a->addr[1].addr32[2] > b->addr[1].addr32[2]) - return (1); - if (a->addr[1].addr32[2] < b->addr[1].addr32[2]) - return (-1); - if (a->addr[0].addr32[1] > b->addr[0].addr32[1]) - return (1); - if (a->addr[0].addr32[1] < b->addr[0].addr32[1]) - return (-1); - if (a->addr[1].addr32[1] > b->addr[1].addr32[1]) - return (1); - if (a->addr[1].addr32[1] < b->addr[1].addr32[1]) - return (-1); - if (a->addr[0].addr32[0] > b->addr[0].addr32[0]) - return (1); - if (a->addr[0].addr32[0] < b->addr[0].addr32[0]) - return (-1); - if (a->addr[1].addr32[0] > b->addr[1].addr32[0]) - return (1); - if (a->addr[1].addr32[0] < b->addr[1].addr32[0]) - return (-1); - break; -#endif /* INET6 */ - } - - if ((diff = a->port[0] - b->port[0]) != 0) - return (diff); - if ((diff = a->port[1] - b->port[1]) != 0) - return (diff); - - return (0); -} - -static __inline int -pf_state_compare_id(struct pf_state *a, struct pf_state *b) -{ - if (a->id > b->id) - return (1); - if (a->id < b->id) - return (-1); - if (a->creatorid > b->creatorid) - return (1); - if (a->creatorid < b->creatorid) - return (-1); - - return (0); -} - -int -pf_state_key_attach(struct pf_state_key *sk, struct pf_state *s, int idx) -{ - struct pf_state_item *si; - struct pf_state_key *cur; - struct pf_state *olds = NULL; - -#ifdef __FreeBSD__ - KASSERT(s->key[idx] == NULL, ("%s: key is null!", __FUNCTION__)); -#else - KASSERT(s->key[idx] == NULL); /* XXX handle this? */ -#endif - -#ifdef __FreeBSD__ - if ((cur = RB_INSERT(pf_state_tree, &V_pf_statetbl, sk)) != NULL) { -#else - if ((cur = RB_INSERT(pf_state_tree, &pf_statetbl, sk)) != NULL) { -#endif - /* key exists. check for same kif, if none, add to key */ - TAILQ_FOREACH(si, &cur->states, entry) - if (si->s->kif == s->kif && - si->s->direction == s->direction) { - if (sk->proto == IPPROTO_TCP && - si->s->src.state >= TCPS_FIN_WAIT_2 && - si->s->dst.state >= TCPS_FIN_WAIT_2) { - si->s->src.state = si->s->dst.state = - TCPS_CLOSED; - /* unlink late or sks can go away */ - olds = si->s; - } else { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf: %s key attach " - "failed on %s: ", - (idx == PF_SK_WIRE) ? - "wire" : "stack", - s->kif->pfik_name); - pf_print_state_parts(s, - (idx == PF_SK_WIRE) ? - sk : NULL, - (idx == PF_SK_STACK) ? - sk : NULL); - printf(", existing: "); - pf_print_state_parts(si->s, - (idx == PF_SK_WIRE) ? - sk : NULL, - (idx == PF_SK_STACK) ? - sk : NULL); - printf("\n"); - } -#ifdef __FreeBSD__ - pool_put(&V_pf_state_key_pl, sk); -#else - pool_put(&pf_state_key_pl, sk); -#endif - return (-1); /* collision! */ - } - } -#ifdef __FreeBSD__ - pool_put(&V_pf_state_key_pl, sk); -#else - pool_put(&pf_state_key_pl, sk); -#endif - s->key[idx] = cur; - } else - s->key[idx] = sk; - -#ifdef __FreeBSD__ - if ((si = pool_get(&V_pf_state_item_pl, PR_NOWAIT)) == NULL) { -#else - if ((si = pool_get(&pf_state_item_pl, PR_NOWAIT)) == NULL) { -#endif - pf_state_key_detach(s, idx); - return (-1); - } - si->s = s; - - /* list is sorted, if-bound states before floating */ -#ifdef __FreeBSD__ - if (s->kif == V_pfi_all) -#else - if (s->kif == pfi_all) -#endif - TAILQ_INSERT_TAIL(&s->key[idx]->states, si, entry); - else - TAILQ_INSERT_HEAD(&s->key[idx]->states, si, entry); - - if (olds) - pf_unlink_state(olds); - - return (0); -} - -void -pf_detach_state(struct pf_state *s) -{ - if (s->key[PF_SK_WIRE] == s->key[PF_SK_STACK]) - s->key[PF_SK_WIRE] = NULL; - - if (s->key[PF_SK_STACK] != NULL) - pf_state_key_detach(s, PF_SK_STACK); - - if (s->key[PF_SK_WIRE] != NULL) - pf_state_key_detach(s, PF_SK_WIRE); -} - -void -pf_state_key_detach(struct pf_state *s, int idx) -{ - struct pf_state_item *si; - - si = TAILQ_FIRST(&s->key[idx]->states); - while (si && si->s != s) - si = TAILQ_NEXT(si, entry); - - if (si) { - TAILQ_REMOVE(&s->key[idx]->states, si, entry); -#ifdef __FreeBSD__ - pool_put(&V_pf_state_item_pl, si); -#else - pool_put(&pf_state_item_pl, si); -#endif - } - - if (TAILQ_EMPTY(&s->key[idx]->states)) { -#ifdef __FreeBSD__ - RB_REMOVE(pf_state_tree, &V_pf_statetbl, s->key[idx]); -#else - RB_REMOVE(pf_state_tree, &pf_statetbl, s->key[idx]); -#endif - if (s->key[idx]->reverse) - s->key[idx]->reverse->reverse = NULL; -#ifdef __FreeBSD__ - /* XXX: implement this */ -#else - if (s->key[idx]->inp) - s->key[idx]->inp->inp_pf_sk = NULL; -#endif -#ifdef __FreeBSD__ - pool_put(&V_pf_state_key_pl, s->key[idx]); -#else - pool_put(&pf_state_key_pl, s->key[idx]); -#endif - } - s->key[idx] = NULL; -} - -struct pf_state_key * -pf_alloc_state_key(int pool_flags) -{ - struct pf_state_key *sk; - -#ifdef __FreeBSD__ - if ((sk = pool_get(&V_pf_state_key_pl, pool_flags)) == NULL) -#else - if ((sk = pool_get(&pf_state_key_pl, pool_flags)) == NULL) -#endif - return (NULL); - TAILQ_INIT(&sk->states); - - return (sk); -} - -int -pf_state_key_setup(struct pf_pdesc *pd, struct pf_rule *nr, - struct pf_state_key **skw, struct pf_state_key **sks, - struct pf_state_key **skp, struct pf_state_key **nkp, - struct pf_addr *saddr, struct pf_addr *daddr, - u_int16_t sport, u_int16_t dport) -{ -#ifdef __FreeBSD__ - KASSERT((*skp == NULL && *nkp == NULL), - ("%s: skp == NULL && nkp == NULL", __FUNCTION__)); -#else - KASSERT((*skp == NULL && *nkp == NULL)); -#endif - - if ((*skp = pf_alloc_state_key(PR_NOWAIT | PR_ZERO)) == NULL) - return (ENOMEM); - - PF_ACPY(&(*skp)->addr[pd->sidx], saddr, pd->af); - PF_ACPY(&(*skp)->addr[pd->didx], daddr, pd->af); - (*skp)->port[pd->sidx] = sport; - (*skp)->port[pd->didx] = dport; - (*skp)->proto = pd->proto; - (*skp)->af = pd->af; - - if (nr != NULL) { - if ((*nkp = pf_alloc_state_key(PR_NOWAIT | PR_ZERO)) == NULL) - return (ENOMEM); /* caller must handle cleanup */ - - /* XXX maybe just bcopy and TAILQ_INIT(&(*nkp)->states) */ - PF_ACPY(&(*nkp)->addr[0], &(*skp)->addr[0], pd->af); - PF_ACPY(&(*nkp)->addr[1], &(*skp)->addr[1], pd->af); - (*nkp)->port[0] = (*skp)->port[0]; - (*nkp)->port[1] = (*skp)->port[1]; - (*nkp)->proto = pd->proto; - (*nkp)->af = pd->af; - } else - *nkp = *skp; - - if (pd->dir == PF_IN) { - *skw = *skp; - *sks = *nkp; - } else { - *sks = *skp; - *skw = *nkp; - } - return (0); -} - - -int -pf_state_insert(struct pfi_kif *kif, struct pf_state_key *skw, - struct pf_state_key *sks, struct pf_state *s) -{ -#ifndef __FreeBSD__ - splassert(IPL_SOFTNET); -#endif - - s->kif = kif; - - if (skw == sks) { - if (pf_state_key_attach(skw, s, PF_SK_WIRE)) - return (-1); - s->key[PF_SK_STACK] = s->key[PF_SK_WIRE]; - } else { - if (pf_state_key_attach(skw, s, PF_SK_WIRE)) { -#ifdef __FreeBSD__ - pool_put(&V_pf_state_key_pl, sks); -#else - pool_put(&pf_state_key_pl, sks); -#endif - return (-1); - } - if (pf_state_key_attach(sks, s, PF_SK_STACK)) { - pf_state_key_detach(s, PF_SK_WIRE); - return (-1); - } - } - - if (s->id == 0 && s->creatorid == 0) { -#ifdef __FreeBSD__ - s->id = htobe64(V_pf_status.stateid++); - s->creatorid = V_pf_status.hostid; -#else - s->id = htobe64(pf_status.stateid++); - s->creatorid = pf_status.hostid; -#endif - } -#ifdef __FreeBSD__ - if (RB_INSERT(pf_state_tree_id, &V_tree_id, s) != NULL) { - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (RB_INSERT(pf_state_tree_id, &tree_id, s) != NULL) { - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf: state insert failed: " - "id: %016llx creatorid: %08x", -#ifdef __FreeBSD__ - (unsigned long long)betoh64(s->id), ntohl(s->creatorid)); -#else - betoh64(s->id), ntohl(s->creatorid)); -#endif - printf("\n"); - } - pf_detach_state(s); - return (-1); - } -#ifdef __FreeBSD__ - TAILQ_INSERT_TAIL(&V_state_list, s, entry_list); - V_pf_status.fcounters[FCNT_STATE_INSERT]++; - V_pf_status.states++; -#else - TAILQ_INSERT_TAIL(&state_list, s, entry_list); - pf_status.fcounters[FCNT_STATE_INSERT]++; - pf_status.states++; -#endif - pfi_kif_ref(kif, PFI_KIF_REF_STATE); -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_insert_state_ptr != NULL) - pfsync_insert_state_ptr(s); -#else - pfsync_insert_state(s); -#endif -#endif - return (0); -} - -struct pf_state * -pf_find_state_byid(struct pf_state_cmp *key) -{ -#ifdef __FreeBSD__ - V_pf_status.fcounters[FCNT_STATE_SEARCH]++; - - return (RB_FIND(pf_state_tree_id, &V_tree_id, (struct pf_state *)key)); -#else - pf_status.fcounters[FCNT_STATE_SEARCH]++; - - return (RB_FIND(pf_state_tree_id, &tree_id, (struct pf_state *)key)); -#endif -} - -/* XXX debug function, intended to be removed one day */ -int -pf_compare_state_keys(struct pf_state_key *a, struct pf_state_key *b, - struct pfi_kif *kif, u_int dir) -{ - /* a (from hdr) and b (new) must be exact opposites of each other */ - if (a->af == b->af && a->proto == b->proto && - PF_AEQ(&a->addr[0], &b->addr[1], a->af) && - PF_AEQ(&a->addr[1], &b->addr[0], a->af) && - a->port[0] == b->port[1] && - a->port[1] == b->port[0]) - return (0); - else { - /* mismatch. must not happen. */ - printf("pf: state key linking mismatch! dir=%s, " - "if=%s, stored af=%u, a0: ", - dir == PF_OUT ? "OUT" : "IN", kif->pfik_name, a->af); - pf_print_host(&a->addr[0], a->port[0], a->af); - printf(", a1: "); - pf_print_host(&a->addr[1], a->port[1], a->af); - printf(", proto=%u", a->proto); - printf(", found af=%u, a0: ", b->af); - pf_print_host(&b->addr[0], b->port[0], b->af); - printf(", a1: "); - pf_print_host(&b->addr[1], b->port[1], b->af); - printf(", proto=%u", b->proto); - printf(".\n"); - return (-1); - } -} - -struct pf_state * -#ifdef __FreeBSD__ -pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir, - struct mbuf *m, struct pf_mtag *pftag) -#else -pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir, - struct mbuf *m) -#endif -{ - struct pf_state_key *sk; - struct pf_state_item *si; - -#ifdef __FreeBSD__ - V_pf_status.fcounters[FCNT_STATE_SEARCH]++; -#else - pf_status.fcounters[FCNT_STATE_SEARCH]++; -#endif - -#ifdef __FreeBSD__ - if (dir == PF_OUT && pftag->statekey && - ((struct pf_state_key *)pftag->statekey)->reverse) - sk = ((struct pf_state_key *)pftag->statekey)->reverse; - else { -#ifdef __FreeBSD__ - if ((sk = RB_FIND(pf_state_tree, &V_pf_statetbl, -#else - if ((sk = RB_FIND(pf_state_tree, &pf_statetbl, -#endif - (struct pf_state_key *)key)) == NULL) - return (NULL); - if (dir == PF_OUT && pftag->statekey && - pf_compare_state_keys(pftag->statekey, sk, - kif, dir) == 0) { - ((struct pf_state_key *) - pftag->statekey)->reverse = sk; - sk->reverse = pftag->statekey; - } - } -#else - if (dir == PF_OUT && m->m_pkthdr.pf.statekey && - ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse) - sk = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse; - else { -#ifdef __FreeBSD__ - if ((sk = RB_FIND(pf_state_tree, &V_pf_statetbl, -#else - if ((sk = RB_FIND(pf_state_tree, &pf_statetbl, -#endif - (struct pf_state_key *)key)) == NULL) - return (NULL); - if (dir == PF_OUT && m->m_pkthdr.pf.statekey && - pf_compare_state_keys(m->m_pkthdr.pf.statekey, sk, - kif, dir) == 0) { - ((struct pf_state_key *) - m->m_pkthdr.pf.statekey)->reverse = sk; - sk->reverse = m->m_pkthdr.pf.statekey; - } - } -#endif - - if (dir == PF_OUT) -#ifdef __FreeBSD__ - pftag->statekey = NULL; -#else - m->m_pkthdr.pf.statekey = NULL; -#endif - - /* list is sorted, if-bound states before floating ones */ - TAILQ_FOREACH(si, &sk->states, entry) -#ifdef __FreeBSD__ - if ((si->s->kif == V_pfi_all || si->s->kif == kif) && -#else - if ((si->s->kif == pfi_all || si->s->kif == kif) && -#endif - sk == (dir == PF_IN ? si->s->key[PF_SK_WIRE] : - si->s->key[PF_SK_STACK])) - return (si->s); - - return (NULL); -} - -struct pf_state * -pf_find_state_all(struct pf_state_key_cmp *key, u_int dir, int *more) -{ - struct pf_state_key *sk; - struct pf_state_item *si, *ret = NULL; - -#ifdef __FreeBSD__ - V_pf_status.fcounters[FCNT_STATE_SEARCH]++; -#else - pf_status.fcounters[FCNT_STATE_SEARCH]++; -#endif - -#ifdef __FreeBSD__ - sk = RB_FIND(pf_state_tree, &V_pf_statetbl, (struct pf_state_key *)key); -#else - sk = RB_FIND(pf_state_tree, &pf_statetbl, (struct pf_state_key *)key); -#endif - if (sk != NULL) { - TAILQ_FOREACH(si, &sk->states, entry) - if (dir == PF_INOUT || - (sk == (dir == PF_IN ? si->s->key[PF_SK_WIRE] : - si->s->key[PF_SK_STACK]))) { - if (more == NULL) - return (si->s); - - if (ret) - (*more)++; - else - ret = si; - } - } - return (ret ? ret->s : NULL); -} - -/* END state table stuff */ - - -void -pf_purge_thread(void *v) -{ - int nloops = 0, s; -#ifdef __FreeBSD__ - int locked; -#endif - - CURVNET_SET((struct vnet *)v); - - for (;;) { - tsleep(pf_purge_thread, PWAIT, "pftm", 1 * hz); - -#ifdef __FreeBSD__ - sx_slock(&V_pf_consistency_lock); - PF_LOCK(); - locked = 0; - - if (V_pf_end_threads) { - PF_UNLOCK(); - sx_sunlock(&V_pf_consistency_lock); - sx_xlock(&V_pf_consistency_lock); - PF_LOCK(); - - pf_purge_expired_states(V_pf_status.states, 1); - pf_purge_expired_fragments(); - pf_purge_expired_src_nodes(1); - V_pf_end_threads++; - - sx_xunlock(&V_pf_consistency_lock); - PF_UNLOCK(); - wakeup(pf_purge_thread); - kproc_exit(0); - } -#endif - s = splsoftnet(); - - /* process a fraction of the state table every second */ -#ifdef __FreeBSD__ - if (!pf_purge_expired_states(1 + (V_pf_status.states / - V_pf_default_rule.timeout[PFTM_INTERVAL]), 0)) { - PF_UNLOCK(); - sx_sunlock(&V_pf_consistency_lock); - sx_xlock(&V_pf_consistency_lock); - PF_LOCK(); - locked = 1; - - pf_purge_expired_states(1 + (V_pf_status.states / - V_pf_default_rule.timeout[PFTM_INTERVAL]), 1); - } -#else - pf_purge_expired_states(1 + (pf_status.states - / pf_default_rule.timeout[PFTM_INTERVAL])); -#endif - - /* purge other expired types every PFTM_INTERVAL seconds */ -#ifdef __FreeBSD__ - if (++nloops >= V_pf_default_rule.timeout[PFTM_INTERVAL]) { -#else - if (++nloops >= pf_default_rule.timeout[PFTM_INTERVAL]) { -#endif - pf_purge_expired_fragments(); - pf_purge_expired_src_nodes(0); - nloops = 0; - } - - splx(s); -#ifdef __FreeBSD__ - PF_UNLOCK(); - if (locked) - sx_xunlock(&V_pf_consistency_lock); - else - sx_sunlock(&V_pf_consistency_lock); -#endif - } - CURVNET_RESTORE(); -} - -u_int32_t -pf_state_expires(const struct pf_state *state) -{ - u_int32_t timeout; - u_int32_t start; - u_int32_t end; - u_int32_t states; - - /* handle all PFTM_* > PFTM_MAX here */ - if (state->timeout == PFTM_PURGE) - return (time_second); - if (state->timeout == PFTM_UNTIL_PACKET) - return (0); -#ifdef __FreeBSD__ - KASSERT(state->timeout != PFTM_UNLINKED, - ("pf_state_expires: timeout == PFTM_UNLINKED")); - KASSERT((state->timeout < PFTM_MAX), - ("pf_state_expires: timeout > PFTM_MAX")); -#else - KASSERT(state->timeout != PFTM_UNLINKED); - KASSERT(state->timeout < PFTM_MAX); -#endif - timeout = state->rule.ptr->timeout[state->timeout]; - if (!timeout) -#ifdef __FreeBSD__ - timeout = V_pf_default_rule.timeout[state->timeout]; -#else - timeout = pf_default_rule.timeout[state->timeout]; -#endif - start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START]; - if (start) { - end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END]; - states = state->rule.ptr->states_cur; - } else { -#ifdef __FreeBSD__ - start = V_pf_default_rule.timeout[PFTM_ADAPTIVE_START]; - end = V_pf_default_rule.timeout[PFTM_ADAPTIVE_END]; - states = V_pf_status.states; -#else - start = pf_default_rule.timeout[PFTM_ADAPTIVE_START]; - end = pf_default_rule.timeout[PFTM_ADAPTIVE_END]; - states = pf_status.states; -#endif - } - if (end && states > start && start < end) { - if (states < end) - return (state->expire + timeout * (end - states) / - (end - start)); - else - return (time_second); - } - return (state->expire + timeout); -} - -#ifdef __FreeBSD__ -int -pf_purge_expired_src_nodes(int waslocked) -#else -void -pf_purge_expired_src_nodes(int waslocked) -#endif -{ - struct pf_src_node *cur, *next; - int locked = waslocked; - -#ifdef __FreeBSD__ - for (cur = RB_MIN(pf_src_tree, &V_tree_src_tracking); cur; cur = next) { - next = RB_NEXT(pf_src_tree, &V_tree_src_tracking, cur); -#else - for (cur = RB_MIN(pf_src_tree, &tree_src_tracking); cur; cur = next) { - next = RB_NEXT(pf_src_tree, &tree_src_tracking, cur); -#endif - - if (cur->states <= 0 && cur->expire <= time_second) { - if (! locked) { -#ifdef __FreeBSD__ - if (!sx_try_upgrade(&V_pf_consistency_lock)) - return (0); -#else - rw_enter_write(&pf_consistency_lock); -#endif - next = RB_NEXT(pf_src_tree, -#ifdef __FreeBSD__ - &V_tree_src_tracking, cur); -#else - &tree_src_tracking, cur); -#endif - locked = 1; - } - if (cur->rule.ptr != NULL) { - cur->rule.ptr->src_nodes--; - if (cur->rule.ptr->states_cur <= 0 && - cur->rule.ptr->max_src_nodes <= 0) - pf_rm_rule(NULL, cur->rule.ptr); - } -#ifdef __FreeBSD__ - RB_REMOVE(pf_src_tree, &V_tree_src_tracking, cur); - V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; - V_pf_status.src_nodes--; - pool_put(&V_pf_src_tree_pl, cur); -#else - RB_REMOVE(pf_src_tree, &tree_src_tracking, cur); - pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; - pf_status.src_nodes--; - pool_put(&pf_src_tree_pl, cur); -#endif - } - } - - if (locked && !waslocked) -#ifdef __FreeBSD__ - { - sx_downgrade(&V_pf_consistency_lock); - } - return (1); -#else - rw_exit_write(&pf_consistency_lock); -#endif -} - -void -pf_src_tree_remove_state(struct pf_state *s) -{ - u_int32_t timeout; - - if (s->src_node != NULL) { - if (s->src.tcp_est) - --s->src_node->conn; - if (--s->src_node->states <= 0) { - timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; - if (!timeout) - timeout = -#ifdef __FreeBSD__ - V_pf_default_rule.timeout[PFTM_SRC_NODE]; -#else - pf_default_rule.timeout[PFTM_SRC_NODE]; -#endif - s->src_node->expire = time_second + timeout; - } - } - if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) { - if (--s->nat_src_node->states <= 0) { - timeout = s->rule.ptr->timeout[PFTM_SRC_NODE]; - if (!timeout) - timeout = -#ifdef __FreeBSD__ - V_pf_default_rule.timeout[PFTM_SRC_NODE]; -#else - pf_default_rule.timeout[PFTM_SRC_NODE]; -#endif - s->nat_src_node->expire = time_second + timeout; - } - } - s->src_node = s->nat_src_node = NULL; -} - -/* callers should be at splsoftnet */ -void -pf_unlink_state(struct pf_state *cur) -{ -#ifdef __FreeBSD__ - if (cur->local_flags & PFSTATE_EXPIRING) - return; - cur->local_flags |= PFSTATE_EXPIRING; -#else - splassert(IPL_SOFTNET); -#endif - - if (cur->src.state == PF_TCPS_PROXY_DST) { - /* XXX wire key the right one? */ -#ifdef __FreeBSD__ - pf_send_tcp(NULL, cur->rule.ptr, cur->key[PF_SK_WIRE]->af, -#else - pf_send_tcp(cur->rule.ptr, cur->key[PF_SK_WIRE]->af, -#endif - &cur->key[PF_SK_WIRE]->addr[1], - &cur->key[PF_SK_WIRE]->addr[0], - cur->key[PF_SK_WIRE]->port[1], - cur->key[PF_SK_WIRE]->port[0], - cur->src.seqhi, cur->src.seqlo + 1, - TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL); - } -#ifdef __FreeBSD__ - RB_REMOVE(pf_state_tree_id, &V_tree_id, cur); -#else - RB_REMOVE(pf_state_tree_id, &tree_id, cur); -#endif -#if NPFLOW > 0 - if (cur->state_flags & PFSTATE_PFLOW) -#ifdef __FreeBSD__ - if (export_pflow_ptr != NULL) - export_pflow_ptr(cur); -#else - export_pflow(cur); -#endif -#endif -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_delete_state_ptr != NULL) - pfsync_delete_state_ptr(cur); -#else - pfsync_delete_state(cur); -#endif -#endif - cur->timeout = PFTM_UNLINKED; - pf_src_tree_remove_state(cur); - pf_detach_state(cur); -} - -/* callers should be at splsoftnet and hold the - * write_lock on pf_consistency_lock */ -void -pf_free_state(struct pf_state *cur) -{ -#ifndef __FreeBSD__ - splassert(IPL_SOFTNET); -#endif - -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_state_in_use_ptr != NULL && - pfsync_state_in_use_ptr(cur)) -#else - if (pfsync_state_in_use(cur)) -#endif - return; -#endif -#ifdef __FreeBSD__ - KASSERT(cur->timeout == PFTM_UNLINKED, - ("pf_free_state: cur->timeout != PFTM_UNLINKED")); -#else - KASSERT(cur->timeout == PFTM_UNLINKED); -#endif - if (--cur->rule.ptr->states_cur <= 0 && - cur->rule.ptr->src_nodes <= 0) - pf_rm_rule(NULL, cur->rule.ptr); - if (cur->nat_rule.ptr != NULL) - if (--cur->nat_rule.ptr->states_cur <= 0 && - cur->nat_rule.ptr->src_nodes <= 0) - pf_rm_rule(NULL, cur->nat_rule.ptr); - if (cur->anchor.ptr != NULL) - if (--cur->anchor.ptr->states_cur <= 0) - pf_rm_rule(NULL, cur->anchor.ptr); - pf_normalize_tcp_cleanup(cur); - pfi_kif_unref(cur->kif, PFI_KIF_REF_STATE); -#ifdef __FreeBSD__ - TAILQ_REMOVE(&V_state_list, cur, entry_list); -#else - TAILQ_REMOVE(&state_list, cur, entry_list); -#endif - if (cur->tag) - pf_tag_unref(cur->tag); -#ifdef __FreeBSD__ - pool_put(&V_pf_state_pl, cur); - V_pf_status.fcounters[FCNT_STATE_REMOVALS]++; - V_pf_status.states--; -#else - pool_put(&pf_state_pl, cur); - pf_status.fcounters[FCNT_STATE_REMOVALS]++; - pf_status.states--; -#endif -} - -#ifdef __FreeBSD__ -int -pf_purge_expired_states(u_int32_t maxcheck, int waslocked) -#else -void -pf_purge_expired_states(u_int32_t maxcheck) -#endif -{ - static struct pf_state *cur = NULL; - struct pf_state *next; -#ifdef __FreeBSD__ - int locked = waslocked; -#else - int locked = 0; -#endif - - while (maxcheck--) { - /* wrap to start of list when we hit the end */ - if (cur == NULL) { -#ifdef __FreeBSD__ - cur = TAILQ_FIRST(&V_state_list); -#else - cur = TAILQ_FIRST(&state_list); -#endif - if (cur == NULL) - break; /* list empty */ - } - - /* get next state, as cur may get deleted */ - next = TAILQ_NEXT(cur, entry_list); - - if (cur->timeout == PFTM_UNLINKED) { - /* free unlinked state */ - if (! locked) { -#ifdef __FreeBSD__ - if (!sx_try_upgrade(&V_pf_consistency_lock)) - return (0); -#else - rw_enter_write(&pf_consistency_lock); -#endif - locked = 1; - } - pf_free_state(cur); - } else if (pf_state_expires(cur) <= time_second) { - /* unlink and free expired state */ - pf_unlink_state(cur); - if (! locked) { -#ifdef __FreeBSD__ - if (!sx_try_upgrade(&V_pf_consistency_lock)) - return (0); -#else - rw_enter_write(&pf_consistency_lock); -#endif - locked = 1; - } - pf_free_state(cur); - } - cur = next; - } - -#ifdef __FreeBSD__ - if (!waslocked && locked) - sx_downgrade(&V_pf_consistency_lock); - - return (1); -#else - if (locked) - rw_exit_write(&pf_consistency_lock); -#endif -} - -int -pf_tbladdr_setup(struct pf_ruleset *rs, struct pf_addr_wrap *aw) -{ - if (aw->type != PF_ADDR_TABLE) - return (0); - if ((aw->p.tbl = pfr_attach_table(rs, aw->v.tblname, 1)) == NULL) - return (1); - return (0); -} - -void -pf_tbladdr_remove(struct pf_addr_wrap *aw) -{ - if (aw->type != PF_ADDR_TABLE || aw->p.tbl == NULL) - return; - pfr_detach_table(aw->p.tbl); - aw->p.tbl = NULL; -} - -void -pf_tbladdr_copyout(struct pf_addr_wrap *aw) -{ - struct pfr_ktable *kt = aw->p.tbl; - - if (aw->type != PF_ADDR_TABLE || kt == NULL) - return; - if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) - kt = kt->pfrkt_root; - aw->p.tbl = NULL; - aw->p.tblcnt = (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) ? - kt->pfrkt_cnt : -1; -} - -void -pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) -{ - switch (af) { -#ifdef INET - case AF_INET: { - u_int32_t a = ntohl(addr->addr32[0]); - printf("%u.%u.%u.%u", (a>>24)&255, (a>>16)&255, - (a>>8)&255, a&255); - if (p) { - p = ntohs(p); - printf(":%u", p); - } - break; - } -#endif /* INET */ -#ifdef INET6 - case AF_INET6: { - u_int16_t b; - u_int8_t i, curstart, curend, maxstart, maxend; - curstart = curend = maxstart = maxend = 255; - for (i = 0; i < 8; i++) { - if (!addr->addr16[i]) { - if (curstart == 255) - curstart = i; - curend = i; - } else { - if ((curend - curstart) > - (maxend - maxstart)) { - maxstart = curstart; - maxend = curend; - } - curstart = curend = 255; - } - } - if ((curend - curstart) > - (maxend - maxstart)) { - maxstart = curstart; - maxend = curend; - } - for (i = 0; i < 8; i++) { - if (i >= maxstart && i <= maxend) { - if (i == 0) - printf(":"); - if (i == maxend) - printf(":"); - } else { - b = ntohs(addr->addr16[i]); - printf("%x", b); - if (i < 7) - printf(":"); - } - } - if (p) { - p = ntohs(p); - printf("[%u]", p); - } - break; - } -#endif /* INET6 */ - } -} - -void -pf_print_state(struct pf_state *s) -{ - pf_print_state_parts(s, NULL, NULL); -} - -void -pf_print_state_parts(struct pf_state *s, - struct pf_state_key *skwp, struct pf_state_key *sksp) -{ - struct pf_state_key *skw, *sks; - u_int8_t proto, dir; - - /* Do our best to fill these, but they're skipped if NULL */ - skw = skwp ? skwp : (s ? s->key[PF_SK_WIRE] : NULL); - sks = sksp ? sksp : (s ? s->key[PF_SK_STACK] : NULL); - proto = skw ? skw->proto : (sks ? sks->proto : 0); - dir = s ? s->direction : 0; - - switch (proto) { - case IPPROTO_IPV4: - printf("IPv4"); - break; - case IPPROTO_IPV6: - printf("IPv6"); - break; - case IPPROTO_TCP: - printf("TCP"); - break; - case IPPROTO_UDP: - printf("UDP"); - break; - case IPPROTO_ICMP: - printf("ICMP"); - break; - case IPPROTO_ICMPV6: - printf("ICMPv6"); - break; - default: - printf("%u", skw->proto); - break; - } - switch (dir) { - case PF_IN: - printf(" in"); - break; - case PF_OUT: - printf(" out"); - break; - } - if (skw) { - printf(" wire: "); - pf_print_host(&skw->addr[0], skw->port[0], skw->af); - printf(" "); - pf_print_host(&skw->addr[1], skw->port[1], skw->af); - } - if (sks) { - printf(" stack: "); - if (sks != skw) { - pf_print_host(&sks->addr[0], sks->port[0], sks->af); - printf(" "); - pf_print_host(&sks->addr[1], sks->port[1], sks->af); - } else - printf("-"); - } - if (s) { - if (proto == IPPROTO_TCP) { - printf(" [lo=%u high=%u win=%u modulator=%u", - s->src.seqlo, s->src.seqhi, - s->src.max_win, s->src.seqdiff); - if (s->src.wscale && s->dst.wscale) - printf(" wscale=%u", - s->src.wscale & PF_WSCALE_MASK); - printf("]"); - printf(" [lo=%u high=%u win=%u modulator=%u", - s->dst.seqlo, s->dst.seqhi, - s->dst.max_win, s->dst.seqdiff); - if (s->src.wscale && s->dst.wscale) - printf(" wscale=%u", - s->dst.wscale & PF_WSCALE_MASK); - printf("]"); - } - printf(" %u:%u", s->src.state, s->dst.state); - } -} - -void -pf_print_flags(u_int8_t f) -{ - if (f) - printf(" "); - if (f & TH_FIN) - printf("F"); - if (f & TH_SYN) - printf("S"); - if (f & TH_RST) - printf("R"); - if (f & TH_PUSH) - printf("P"); - if (f & TH_ACK) - printf("A"); - if (f & TH_URG) - printf("U"); - if (f & TH_ECE) - printf("E"); - if (f & TH_CWR) - printf("W"); -} - -#define PF_SET_SKIP_STEPS(i) \ - do { \ - while (head[i] != cur) { \ - head[i]->skip[i].ptr = cur; \ - head[i] = TAILQ_NEXT(head[i], entries); \ - } \ - } while (0) - -void -pf_calc_skip_steps(struct pf_rulequeue *rules) -{ - struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT]; - int i; - - cur = TAILQ_FIRST(rules); - prev = cur; - for (i = 0; i < PF_SKIP_COUNT; ++i) - head[i] = cur; - while (cur != NULL) { - - if (cur->kif != prev->kif || cur->ifnot != prev->ifnot) - PF_SET_SKIP_STEPS(PF_SKIP_IFP); - if (cur->direction != prev->direction) - PF_SET_SKIP_STEPS(PF_SKIP_DIR); - if (cur->af != prev->af) - PF_SET_SKIP_STEPS(PF_SKIP_AF); - if (cur->proto != prev->proto) - PF_SET_SKIP_STEPS(PF_SKIP_PROTO); - if (cur->src.neg != prev->src.neg || - pf_addr_wrap_neq(&cur->src.addr, &prev->src.addr)) - PF_SET_SKIP_STEPS(PF_SKIP_SRC_ADDR); - if (cur->src.port[0] != prev->src.port[0] || - cur->src.port[1] != prev->src.port[1] || - cur->src.port_op != prev->src.port_op) - PF_SET_SKIP_STEPS(PF_SKIP_SRC_PORT); - if (cur->dst.neg != prev->dst.neg || - pf_addr_wrap_neq(&cur->dst.addr, &prev->dst.addr)) - PF_SET_SKIP_STEPS(PF_SKIP_DST_ADDR); - if (cur->dst.port[0] != prev->dst.port[0] || - cur->dst.port[1] != prev->dst.port[1] || - cur->dst.port_op != prev->dst.port_op) - PF_SET_SKIP_STEPS(PF_SKIP_DST_PORT); - - prev = cur; - cur = TAILQ_NEXT(cur, entries); - } - for (i = 0; i < PF_SKIP_COUNT; ++i) - PF_SET_SKIP_STEPS(i); -} - -int -pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct pf_addr_wrap *aw2) -{ - if (aw1->type != aw2->type) - return (1); - switch (aw1->type) { - case PF_ADDR_ADDRMASK: - case PF_ADDR_RANGE: - if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) - return (1); - if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) - return (1); - return (0); - case PF_ADDR_DYNIFTL: - return (aw1->p.dyn->pfid_kt != aw2->p.dyn->pfid_kt); - case PF_ADDR_NOROUTE: - case PF_ADDR_URPFFAILED: - return (0); - case PF_ADDR_TABLE: - return (aw1->p.tbl != aw2->p.tbl); - case PF_ADDR_RTLABEL: - return (aw1->v.rtlabel != aw2->v.rtlabel); - default: - printf("invalid address type: %d\n", aw1->type); - return (1); - } -} - -u_int16_t -pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp) -{ - u_int32_t l; - - if (udp && !cksum) - return (0x0000); - l = cksum + old - new; - l = (l >> 16) + (l & 65535); - l = l & 65535; - if (udp && !l) - return (0xFFFF); - return (l); -} - -void -pf_change_ap(struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, - struct pf_addr *an, u_int16_t pn, u_int8_t u, sa_family_t af) -{ - struct pf_addr ao; - u_int16_t po = *p; - - PF_ACPY(&ao, a, af); - PF_ACPY(a, an, af); - - *p = pn; - - switch (af) { -#ifdef INET - case AF_INET: - *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, - ao.addr16[0], an->addr16[0], 0), - ao.addr16[1], an->addr16[1], 0); - *p = pn; - *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, - ao.addr16[0], an->addr16[0], u), - ao.addr16[1], an->addr16[1], u), - po, pn, u); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - *pc = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( - pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( - pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup(*pc, - ao.addr16[0], an->addr16[0], u), - ao.addr16[1], an->addr16[1], u), - ao.addr16[2], an->addr16[2], u), - ao.addr16[3], an->addr16[3], u), - ao.addr16[4], an->addr16[4], u), - ao.addr16[5], an->addr16[5], u), - ao.addr16[6], an->addr16[6], u), - ao.addr16[7], an->addr16[7], u), - po, pn, u); - break; -#endif /* INET6 */ - } -} - - -/* Changes a u_int32_t. Uses a void * so there are no align restrictions */ -void -pf_change_a(void *a, u_int16_t *c, u_int32_t an, u_int8_t u) -{ - u_int32_t ao; - - memcpy(&ao, a, sizeof(ao)); - memcpy(a, &an, sizeof(u_int32_t)); - *c = pf_cksum_fixup(pf_cksum_fixup(*c, ao / 65536, an / 65536, u), - ao % 65536, an % 65536, u); -} - -#ifdef INET6 -void -pf_change_a6(struct pf_addr *a, u_int16_t *c, struct pf_addr *an, u_int8_t u) -{ - struct pf_addr ao; - - PF_ACPY(&ao, a, AF_INET6); - PF_ACPY(a, an, AF_INET6); - - *c = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( - pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( - pf_cksum_fixup(pf_cksum_fixup(*c, - ao.addr16[0], an->addr16[0], u), - ao.addr16[1], an->addr16[1], u), - ao.addr16[2], an->addr16[2], u), - ao.addr16[3], an->addr16[3], u), - ao.addr16[4], an->addr16[4], u), - ao.addr16[5], an->addr16[5], u), - ao.addr16[6], an->addr16[6], u), - ao.addr16[7], an->addr16[7], u); -} -#endif /* INET6 */ - -void -pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, - struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, - u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) -{ - struct pf_addr oia, ooa; - - PF_ACPY(&oia, ia, af); - if (oa) - PF_ACPY(&ooa, oa, af); - - /* Change inner protocol port, fix inner protocol checksum. */ - if (ip != NULL) { - u_int16_t oip = *ip; - u_int32_t opc; - - if (pc != NULL) - opc = *pc; - *ip = np; - if (pc != NULL) - *pc = pf_cksum_fixup(*pc, oip, *ip, u); - *ic = pf_cksum_fixup(*ic, oip, *ip, 0); - if (pc != NULL) - *ic = pf_cksum_fixup(*ic, opc, *pc, 0); - } - /* Change inner ip address, fix inner ip and icmp checksums. */ - PF_ACPY(ia, na, af); - switch (af) { -#ifdef INET - case AF_INET: { - u_int32_t oh2c = *h2c; - - *h2c = pf_cksum_fixup(pf_cksum_fixup(*h2c, - oia.addr16[0], ia->addr16[0], 0), - oia.addr16[1], ia->addr16[1], 0); - *ic = pf_cksum_fixup(pf_cksum_fixup(*ic, - oia.addr16[0], ia->addr16[0], 0), - oia.addr16[1], ia->addr16[1], 0); - *ic = pf_cksum_fixup(*ic, oh2c, *h2c, 0); - break; - } -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( - pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( - pf_cksum_fixup(pf_cksum_fixup(*ic, - oia.addr16[0], ia->addr16[0], u), - oia.addr16[1], ia->addr16[1], u), - oia.addr16[2], ia->addr16[2], u), - oia.addr16[3], ia->addr16[3], u), - oia.addr16[4], ia->addr16[4], u), - oia.addr16[5], ia->addr16[5], u), - oia.addr16[6], ia->addr16[6], u), - oia.addr16[7], ia->addr16[7], u); - break; -#endif /* INET6 */ - } - /* Outer ip address, fix outer ip or icmpv6 checksum, if necessary. */ - if (oa) { - PF_ACPY(oa, na, af); - switch (af) { -#ifdef INET - case AF_INET: - *hc = pf_cksum_fixup(pf_cksum_fixup(*hc, - ooa.addr16[0], oa->addr16[0], 0), - ooa.addr16[1], oa->addr16[1], 0); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - *ic = pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( - pf_cksum_fixup(pf_cksum_fixup(pf_cksum_fixup( - pf_cksum_fixup(pf_cksum_fixup(*ic, - ooa.addr16[0], oa->addr16[0], u), - ooa.addr16[1], oa->addr16[1], u), - ooa.addr16[2], oa->addr16[2], u), - ooa.addr16[3], oa->addr16[3], u), - ooa.addr16[4], oa->addr16[4], u), - ooa.addr16[5], oa->addr16[5], u), - ooa.addr16[6], oa->addr16[6], u), - ooa.addr16[7], oa->addr16[7], u); - break; -#endif /* INET6 */ - } - } -} - - -/* - * Need to modulate the sequence numbers in the TCP SACK option - * (credits to Krzysztof Pfaff for report and patch) - */ -int -pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd, - struct tcphdr *th, struct pf_state_peer *dst) -{ - int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen; -#ifdef __FreeBSD__ - u_int8_t opts[TCP_MAXOLEN], *opt = opts; -#else - u_int8_t opts[MAX_TCPOPTLEN], *opt = opts; -#endif - int copyback = 0, i, olen; - struct sackblk sack; - -#define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) - if (hlen < TCPOLEN_SACKLEN || - !pf_pull_hdr(m, off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) - return 0; - - while (hlen >= TCPOLEN_SACKLEN) { - olen = opt[1]; - switch (*opt) { - case TCPOPT_EOL: /* FALLTHROUGH */ - case TCPOPT_NOP: - opt++; - hlen--; - break; - case TCPOPT_SACK: - if (olen > hlen) - olen = hlen; - if (olen >= TCPOLEN_SACKLEN) { - for (i = 2; i + TCPOLEN_SACK <= olen; - i += TCPOLEN_SACK) { - memcpy(&sack, &opt[i], sizeof(sack)); - pf_change_a(&sack.start, &th->th_sum, - htonl(ntohl(sack.start) - - dst->seqdiff), 0); - pf_change_a(&sack.end, &th->th_sum, - htonl(ntohl(sack.end) - - dst->seqdiff), 0); - memcpy(&opt[i], &sack, sizeof(sack)); - } - copyback = 1; - } - /* FALLTHROUGH */ - default: - if (olen < 2) - olen = 2; - hlen -= olen; - opt += olen; - } - } - - if (copyback) -#ifdef __FreeBSD__ - m_copyback(m, off + sizeof(*th), thoptlen, (caddr_t)opts); -#else - m_copyback(m, off + sizeof(*th), thoptlen, opts); -#endif - return (copyback); -} - -void -#ifdef __FreeBSD__ -pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af, -#else -pf_send_tcp(const struct pf_rule *r, sa_family_t af, -#endif - const struct pf_addr *saddr, const struct pf_addr *daddr, - u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, - u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag, - u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp) -{ - struct mbuf *m; - int len, tlen; -#ifdef INET - struct ip *h; -#endif /* INET */ -#ifdef INET6 - struct ip6_hdr *h6; -#endif /* INET6 */ - struct tcphdr *th; - char *opt; -#ifdef __FreeBSD__ - struct pf_mtag *pf_mtag; - - KASSERT( -#ifdef INET - af == AF_INET -#else - 0 -#endif - || -#ifdef INET6 - af == AF_INET6 -#else - 0 -#endif - , ("Unsupported AF %d", af)); - len = 0; - th = NULL; -#ifdef INET - h = NULL; -#endif -#ifdef INET6 - h6 = NULL; -#endif -#endif /* __FreeBSD__ */ - - /* maximum segment size tcp option */ - tlen = sizeof(struct tcphdr); - if (mss) - tlen += 4; - - switch (af) { -#ifdef INET - case AF_INET: - len = sizeof(struct ip) + tlen; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - len = sizeof(struct ip6_hdr) + tlen; - break; -#endif /* INET6 */ - } - - /* create outgoing mbuf */ - m = m_gethdr(M_DONTWAIT, MT_HEADER); - if (m == NULL) - return; -#ifdef __FreeBSD__ -#ifdef MAC - mac_netinet_firewall_send(m); -#endif - if ((pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - return; - } -#endif - if (tag) -#ifdef __FreeBSD__ - m->m_flags |= M_SKIP_FIREWALL; - pf_mtag->tag = rtag; -#else - m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; - m->m_pkthdr.pf.tag = rtag; -#endif - - if (r != NULL && r->rtableid >= 0) -#ifdef __FreeBSD__ - { - M_SETFIB(m, r->rtableid); - pf_mtag->rtableid = r->rtableid; -#else - m->m_pkthdr.pf.rtableid = r->rtableid; -#endif -#ifdef __FreeBSD__ - } -#endif - -#ifdef ALTQ - if (r != NULL && r->qid) { -#ifdef __FreeBSD__ - pf_mtag->qid = r->qid; - - /* add hints for ecn */ - pf_mtag->hdr = mtod(m, struct ip *); -#else - m->m_pkthdr.pf.qid = r->qid; - /* add hints for ecn */ - m->m_pkthdr.pf.hdr = mtod(m, struct ip *); -#endif - } -#endif /* ALTQ */ - m->m_data += max_linkhdr; - m->m_pkthdr.len = m->m_len = len; - m->m_pkthdr.rcvif = NULL; - bzero(m->m_data, len); - switch (af) { -#ifdef INET - case AF_INET: - h = mtod(m, struct ip *); - - /* IP header fields included in the TCP checksum */ - h->ip_p = IPPROTO_TCP; - h->ip_len = htons(tlen); - h->ip_src.s_addr = saddr->v4.s_addr; - h->ip_dst.s_addr = daddr->v4.s_addr; - - th = (struct tcphdr *)((caddr_t)h + sizeof(struct ip)); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - h6 = mtod(m, struct ip6_hdr *); - - /* IP header fields included in the TCP checksum */ - h6->ip6_nxt = IPPROTO_TCP; - h6->ip6_plen = htons(tlen); - memcpy(&h6->ip6_src, &saddr->v6, sizeof(struct in6_addr)); - memcpy(&h6->ip6_dst, &daddr->v6, sizeof(struct in6_addr)); - - th = (struct tcphdr *)((caddr_t)h6 + sizeof(struct ip6_hdr)); - break; -#endif /* INET6 */ - } - - /* TCP header */ - th->th_sport = sport; - th->th_dport = dport; - th->th_seq = htonl(seq); - th->th_ack = htonl(ack); - th->th_off = tlen >> 2; - th->th_flags = flags; - th->th_win = htons(win); - - if (mss) { - opt = (char *)(th + 1); - opt[0] = TCPOPT_MAXSEG; - opt[1] = 4; - HTONS(mss); - bcopy((caddr_t)&mss, (caddr_t)(opt + 2), 2); - } - - switch (af) { -#ifdef INET - case AF_INET: - /* TCP checksum */ - th->th_sum = in_cksum(m, len); - - /* Finish the IP header */ - h->ip_v = 4; - h->ip_hl = sizeof(*h) >> 2; - h->ip_tos = IPTOS_LOWDELAY; -#ifdef __FreeBSD__ - h->ip_off = V_path_mtu_discovery ? IP_DF : 0; - h->ip_len = len; - h->ip_ttl = ttl ? ttl : V_ip_defttl; -#else - h->ip_len = htons(len); - h->ip_off = htons(ip_mtudisc ? IP_DF : 0); - h->ip_ttl = ttl ? ttl : ip_defttl; -#endif - h->ip_sum = 0; - if (eh == NULL) { -#ifdef __FreeBSD__ - PF_UNLOCK(); - ip_output(m, (void *)NULL, (void *)NULL, 0, - (void *)NULL, (void *)NULL); - PF_LOCK(); -#else /* ! __FreeBSD__ */ - ip_output(m, (void *)NULL, (void *)NULL, 0, - (void *)NULL, (void *)NULL); -#endif - } else { - struct route ro; - struct rtentry rt; - struct ether_header *e = (void *)ro.ro_dst.sa_data; - - if (ifp == NULL) { - m_freem(m); - return; - } - rt.rt_ifp = ifp; - ro.ro_rt = &rt; - ro.ro_dst.sa_len = sizeof(ro.ro_dst); - ro.ro_dst.sa_family = pseudo_AF_HDRCMPLT; - bcopy(eh->ether_dhost, e->ether_shost, ETHER_ADDR_LEN); - bcopy(eh->ether_shost, e->ether_dhost, ETHER_ADDR_LEN); - e->ether_type = eh->ether_type; -#ifdef __FreeBSD__ - PF_UNLOCK(); - /* XXX_IMPORT: later */ - ip_output(m, (void *)NULL, &ro, 0, - (void *)NULL, (void *)NULL); - PF_LOCK(); -#else /* ! __FreeBSD__ */ - ip_output(m, (void *)NULL, &ro, IP_ROUTETOETHER, - (void *)NULL, (void *)NULL); -#endif - } - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - /* TCP checksum */ - th->th_sum = in6_cksum(m, IPPROTO_TCP, - sizeof(struct ip6_hdr), tlen); - - h6->ip6_vfc |= IPV6_VERSION; - h6->ip6_hlim = IPV6_DEFHLIM; - -#ifdef __FreeBSD__ - PF_UNLOCK(); - ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); - PF_LOCK(); -#else - ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); -#endif - break; -#endif /* INET6 */ - } -} - -static void -pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, - struct pf_rule *r) -{ - struct mbuf *m0; -#ifdef __FreeBSD__ -#ifdef INET - struct ip *ip; -#endif - struct pf_mtag *pf_mtag; -#endif - -#ifdef __FreeBSD__ - m0 = m_copypacket(m, M_DONTWAIT); - if (m0 == NULL) - return; -#else - if ((m0 = m_copy(m, 0, M_COPYALL)) == NULL) - return; -#endif - -#ifdef __FreeBSD__ - if ((pf_mtag = pf_get_mtag(m0)) == NULL) - return; - /* XXX: revisit */ - m0->m_flags |= M_SKIP_FIREWALL; -#else - m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; -#endif - - if (r->rtableid >= 0) -#ifdef __FreeBSD__ - { - M_SETFIB(m0, r->rtableid); - pf_mtag->rtableid = r->rtableid; -#else - m0->m_pkthdr.pf.rtableid = r->rtableid; -#endif -#ifdef __FreeBSD__ - } -#endif - -#ifdef ALTQ - if (r->qid) { -#ifdef __FreeBSD__ - pf_mtag->qid = r->qid; - /* add hints for ecn */ - pf_mtag->hdr = mtod(m0, struct ip *); -#else - m0->m_pkthdr.pf.qid = r->qid; - /* add hints for ecn */ - m0->m_pkthdr.pf.hdr = mtod(m0, struct ip *); -#endif - } -#endif /* ALTQ */ - - switch (af) { -#ifdef INET - case AF_INET: -#ifdef __FreeBSD__ - /* icmp_error() expects host byte ordering */ - ip = mtod(m0, struct ip *); - NTOHS(ip->ip_len); - NTOHS(ip->ip_off); - PF_UNLOCK(); - icmp_error(m0, type, code, 0, 0); - PF_LOCK(); -#else - icmp_error(m0, type, code, 0, 0); -#endif - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - icmp6_error(m0, type, code, 0); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - break; -#endif /* INET6 */ - } -} - -/* - * Return 1 if the addresses a and b match (with mask m), otherwise return 0. - * If n is 0, they match if they are equal. If n is != 0, they match if they - * are different. - */ -int -pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, - struct pf_addr *b, sa_family_t af) -{ - int match = 0; - - switch (af) { -#ifdef INET - case AF_INET: - if ((a->addr32[0] & m->addr32[0]) == - (b->addr32[0] & m->addr32[0])) - match++; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (((a->addr32[0] & m->addr32[0]) == - (b->addr32[0] & m->addr32[0])) && - ((a->addr32[1] & m->addr32[1]) == - (b->addr32[1] & m->addr32[1])) && - ((a->addr32[2] & m->addr32[2]) == - (b->addr32[2] & m->addr32[2])) && - ((a->addr32[3] & m->addr32[3]) == - (b->addr32[3] & m->addr32[3]))) - match++; - break; -#endif /* INET6 */ - } - if (match) { - if (n) - return (0); - else - return (1); - } else { - if (n) - return (1); - else - return (0); - } -} - -/* - * Return 1 if b <= a <= e, otherwise return 0. - */ -int -pf_match_addr_range(struct pf_addr *b, struct pf_addr *e, - struct pf_addr *a, sa_family_t af) -{ - switch (af) { -#ifdef INET - case AF_INET: - if ((a->addr32[0] < b->addr32[0]) || - (a->addr32[0] > e->addr32[0])) - return (0); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: { - int i; - - /* check a >= b */ - for (i = 0; i < 4; ++i) - if (a->addr32[i] > b->addr32[i]) - break; - else if (a->addr32[i] < b->addr32[i]) - return (0); - /* check a <= e */ - for (i = 0; i < 4; ++i) - if (a->addr32[i] < e->addr32[i]) - break; - else if (a->addr32[i] > e->addr32[i]) - return (0); - break; - } -#endif /* INET6 */ - } - return (1); -} - -int -pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) -{ - switch (op) { - case PF_OP_IRG: - return ((p > a1) && (p < a2)); - case PF_OP_XRG: - return ((p < a1) || (p > a2)); - case PF_OP_RRG: - return ((p >= a1) && (p <= a2)); - case PF_OP_EQ: - return (p == a1); - case PF_OP_NE: - return (p != a1); - case PF_OP_LT: - return (p < a1); - case PF_OP_LE: - return (p <= a1); - case PF_OP_GT: - return (p > a1); - case PF_OP_GE: - return (p >= a1); - } - return (0); /* never reached */ -} - -int -pf_match_port(u_int8_t op, u_int16_t a1, u_int16_t a2, u_int16_t p) -{ - NTOHS(a1); - NTOHS(a2); - NTOHS(p); - return (pf_match(op, a1, a2, p)); -} - -int -pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u) -{ - if (u == UID_MAX && op != PF_OP_EQ && op != PF_OP_NE) - return (0); - return (pf_match(op, a1, a2, u)); -} - -int -pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) -{ - if (g == GID_MAX && op != PF_OP_EQ && op != PF_OP_NE) - return (0); - return (pf_match(op, a1, a2, g)); -} - -int -#ifdef __FreeBSD__ -pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag, - struct pf_mtag *pf_mtag) -#else -pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag) -#endif -{ - if (*tag == -1) -#ifdef __FreeBSD__ - *tag = pf_mtag->tag; -#else - *tag = m->m_pkthdr.pf.tag; -#endif - - return ((!r->match_tag_not && r->match_tag == *tag) || - (r->match_tag_not && r->match_tag != *tag)); -} - -int -#ifdef __FreeBSD__ -pf_tag_packet(struct mbuf *m, int tag, int rtableid, - struct pf_mtag *pf_mtag) -#else -pf_tag_packet(struct mbuf *m, int tag, int rtableid) -#endif -{ - if (tag <= 0 && rtableid < 0) - return (0); - - if (tag > 0) -#ifdef __FreeBSD__ - pf_mtag->tag = tag; -#else - m->m_pkthdr.pf.tag = tag; -#endif - if (rtableid >= 0) -#ifdef __FreeBSD__ - { - M_SETFIB(m, rtableid); - } -#else - m->m_pkthdr.pf.rtableid = rtableid; -#endif - - return (0); -} - -void -pf_step_into_anchor(int *depth, struct pf_ruleset **rs, int n, - struct pf_rule **r, struct pf_rule **a, int *match) -{ - struct pf_anchor_stackframe *f; - - (*r)->anchor->match = 0; - if (match) - *match = 0; -#ifdef __FreeBSD__ - if (*depth >= sizeof(V_pf_anchor_stack) / - sizeof(V_pf_anchor_stack[0])) { -#else - if (*depth >= sizeof(pf_anchor_stack) / - sizeof(pf_anchor_stack[0])) { -#endif - printf("pf_step_into_anchor: stack overflow\n"); - *r = TAILQ_NEXT(*r, entries); - return; - } else if (*depth == 0 && a != NULL) - *a = *r; -#ifdef __FreeBSD__ - f = V_pf_anchor_stack + (*depth)++; -#else - f = pf_anchor_stack + (*depth)++; -#endif - f->rs = *rs; - f->r = *r; - if ((*r)->anchor_wildcard) { - f->parent = &(*r)->anchor->children; - if ((f->child = RB_MIN(pf_anchor_node, f->parent)) == - NULL) { - *r = NULL; - return; - } - *rs = &f->child->ruleset; - } else { - f->parent = NULL; - f->child = NULL; - *rs = &(*r)->anchor->ruleset; - } - *r = TAILQ_FIRST((*rs)->rules[n].active.ptr); -} - -int -pf_step_out_of_anchor(int *depth, struct pf_ruleset **rs, int n, - struct pf_rule **r, struct pf_rule **a, int *match) -{ - struct pf_anchor_stackframe *f; - int quick = 0; - - do { - if (*depth <= 0) - break; -#ifdef __FreeBSD__ - f = V_pf_anchor_stack + *depth - 1; -#else - f = pf_anchor_stack + *depth - 1; -#endif - if (f->parent != NULL && f->child != NULL) { - if (f->child->match || - (match != NULL && *match)) { - f->r->anchor->match = 1; - *match = 0; - } - f->child = RB_NEXT(pf_anchor_node, f->parent, f->child); - if (f->child != NULL) { - *rs = &f->child->ruleset; - *r = TAILQ_FIRST((*rs)->rules[n].active.ptr); - if (*r == NULL) - continue; - else - break; - } - } - (*depth)--; - if (*depth == 0 && a != NULL) - *a = NULL; - *rs = f->rs; - if (f->r->anchor->match || (match != NULL && *match)) - quick = f->r->quick; - *r = TAILQ_NEXT(f->r, entries); - } while (*r == NULL); - - return (quick); -} - -#ifdef INET6 -void -pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, - struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af) -{ - switch (af) { -#ifdef INET - case AF_INET: - naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | - ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); - break; -#endif /* INET */ - case AF_INET6: - naddr->addr32[0] = (raddr->addr32[0] & rmask->addr32[0]) | - ((rmask->addr32[0] ^ 0xffffffff ) & saddr->addr32[0]); - naddr->addr32[1] = (raddr->addr32[1] & rmask->addr32[1]) | - ((rmask->addr32[1] ^ 0xffffffff ) & saddr->addr32[1]); - naddr->addr32[2] = (raddr->addr32[2] & rmask->addr32[2]) | - ((rmask->addr32[2] ^ 0xffffffff ) & saddr->addr32[2]); - naddr->addr32[3] = (raddr->addr32[3] & rmask->addr32[3]) | - ((rmask->addr32[3] ^ 0xffffffff ) & saddr->addr32[3]); - break; - } -} - -void -pf_addr_inc(struct pf_addr *addr, sa_family_t af) -{ - switch (af) { -#ifdef INET - case AF_INET: - addr->addr32[0] = htonl(ntohl(addr->addr32[0]) + 1); - break; -#endif /* INET */ - case AF_INET6: - if (addr->addr32[3] == 0xffffffff) { - addr->addr32[3] = 0; - if (addr->addr32[2] == 0xffffffff) { - addr->addr32[2] = 0; - if (addr->addr32[1] == 0xffffffff) { - addr->addr32[1] = 0; - addr->addr32[0] = - htonl(ntohl(addr->addr32[0]) + 1); - } else - addr->addr32[1] = - htonl(ntohl(addr->addr32[1]) + 1); - } else - addr->addr32[2] = - htonl(ntohl(addr->addr32[2]) + 1); - } else - addr->addr32[3] = - htonl(ntohl(addr->addr32[3]) + 1); - break; - } -} -#endif /* INET6 */ - -int -#ifdef __FreeBSD__ -pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg) -#else -pf_socket_lookup(int direction, struct pf_pdesc *pd) -#endif -{ - struct pf_addr *saddr, *daddr; - u_int16_t sport, dport; -#ifdef __FreeBSD__ - struct inpcbinfo *pi; -#else - struct inpcbtable *tb; -#endif - struct inpcb *inp; - - if (pd == NULL) - return (-1); - pd->lookup.uid = UID_MAX; - pd->lookup.gid = GID_MAX; - pd->lookup.pid = NO_PID; - -#ifdef __FreeBSD__ - if (inp_arg != NULL) { - INP_LOCK_ASSERT(inp_arg); - pd->lookup.uid = inp_arg->inp_cred->cr_uid; - pd->lookup.gid = inp_arg->inp_cred->cr_groups[0]; - return (1); - } -#endif - - switch (pd->proto) { - case IPPROTO_TCP: - if (pd->hdr.tcp == NULL) - return (-1); - sport = pd->hdr.tcp->th_sport; - dport = pd->hdr.tcp->th_dport; -#ifdef __FreeBSD__ - pi = &V_tcbinfo; -#else - tb = &tcbtable; -#endif - break; - case IPPROTO_UDP: - if (pd->hdr.udp == NULL) - return (-1); - sport = pd->hdr.udp->uh_sport; - dport = pd->hdr.udp->uh_dport; -#ifdef __FreeBSD__ - pi = &V_udbinfo; -#else - tb = &udbtable; -#endif - break; - default: - return (-1); - } - if (direction == PF_IN) { - saddr = pd->src; - daddr = pd->dst; - } else { - u_int16_t p; - - p = sport; - sport = dport; - dport = p; - saddr = pd->dst; - daddr = pd->src; - } - switch (pd->af) { -#ifdef INET - case AF_INET: -#ifdef __FreeBSD__ - /* - * XXXRW: would be nice if we had an mbuf here so that we - * could use in_pcblookup_mbuf(). - */ - inp = in_pcblookup(pi, saddr->v4, sport, daddr->v4, - dport, INPLOOKUP_RLOCKPCB, NULL); - if (inp == NULL) { - inp = in_pcblookup(pi, saddr->v4, sport, - daddr->v4, dport, INPLOOKUP_WILDCARD | - INPLOOKUP_RLOCKPCB, NULL); - if (inp == NULL) - return (-1); - } -#else - inp = in_pcbhashlookup(tb, saddr->v4, sport, daddr->v4, dport); - if (inp == NULL) { - inp = in_pcblookup_listen(tb, daddr->v4, dport, 0, - NULL); - if (inp == NULL) - return (-1); - } -#endif - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: -#ifdef __FreeBSD__ - /* - * XXXRW: would be nice if we had an mbuf here so that we - * could use in6_pcblookup_mbuf(). - */ - inp = in6_pcblookup(pi, &saddr->v6, sport, - &daddr->v6, dport, INPLOOKUP_RLOCKPCB, NULL); - if (inp == NULL) { - inp = in6_pcblookup(pi, &saddr->v6, sport, - &daddr->v6, dport, INPLOOKUP_WILDCARD | - INPLOOKUP_RLOCKPCB, NULL); - if (inp == NULL) - return (-1); - } -#else - inp = in6_pcbhashlookup(tb, &saddr->v6, sport, &daddr->v6, - dport); - if (inp == NULL) { - inp = in6_pcblookup_listen(tb, &daddr->v6, dport, 0, - NULL); - if (inp == NULL) - return (-1); - } -#endif - break; -#endif /* INET6 */ - - default: - return (-1); - } -#ifdef __FreeBSD__ - INP_RLOCK_ASSERT(inp); - pd->lookup.uid = inp->inp_cred->cr_uid; - pd->lookup.gid = inp->inp_cred->cr_groups[0]; - INP_RUNLOCK(inp); -#else - pd->lookup.uid = inp->inp_socket->so_euid; - pd->lookup.gid = inp->inp_socket->so_egid; - pd->lookup.pid = inp->inp_socket->so_cpid; -#endif - return (1); -} - -u_int8_t -pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) -{ - int hlen; - u_int8_t hdr[60]; - u_int8_t *opt, optlen; - u_int8_t wscale = 0; - - hlen = th_off << 2; /* hlen <= sizeof(hdr) */ - if (hlen <= sizeof(struct tcphdr)) - return (0); - if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) - return (0); - opt = hdr + sizeof(struct tcphdr); - hlen -= sizeof(struct tcphdr); - while (hlen >= 3) { - switch (*opt) { - case TCPOPT_EOL: - case TCPOPT_NOP: - ++opt; - --hlen; - break; - case TCPOPT_WINDOW: - wscale = opt[2]; - if (wscale > TCP_MAX_WINSHIFT) - wscale = TCP_MAX_WINSHIFT; - wscale |= PF_WSCALE_FLAG; - /* FALLTHROUGH */ - default: - optlen = opt[1]; - if (optlen < 2) - optlen = 2; - hlen -= optlen; - opt += optlen; - break; - } - } - return (wscale); -} - -u_int16_t -pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) -{ - int hlen; - u_int8_t hdr[60]; - u_int8_t *opt, optlen; -#ifdef __FreeBSD__ - u_int16_t mss = V_tcp_mssdflt; -#else - u_int16_t mss = tcp_mssdflt; -#endif - - hlen = th_off << 2; /* hlen <= sizeof(hdr) */ - if (hlen <= sizeof(struct tcphdr)) - return (0); - if (!pf_pull_hdr(m, off, hdr, hlen, NULL, NULL, af)) - return (0); - opt = hdr + sizeof(struct tcphdr); - hlen -= sizeof(struct tcphdr); - while (hlen >= TCPOLEN_MAXSEG) { - switch (*opt) { - case TCPOPT_EOL: - case TCPOPT_NOP: - ++opt; - --hlen; - break; - case TCPOPT_MAXSEG: - bcopy((caddr_t)(opt + 2), (caddr_t)&mss, 2); - NTOHS(mss); - /* FALLTHROUGH */ - default: - optlen = opt[1]; - if (optlen < 2) - optlen = 2; - hlen -= optlen; - opt += optlen; - break; - } - } - return (mss); -} - -u_int16_t -pf_calc_mss(struct pf_addr *addr, sa_family_t af, int rtableid, u_int16_t offer) -{ -#ifdef INET - struct sockaddr_in *dst; - struct route ro; -#endif /* INET */ -#ifdef INET6 - struct sockaddr_in6 *dst6; - struct route_in6 ro6; -#endif /* INET6 */ - struct rtentry *rt = NULL; -#ifdef __FreeBSD__ - int hlen = 0; - u_int16_t mss = V_tcp_mssdflt; -#else - int hlen; - u_int16_t mss = tcp_mssdflt; -#endif - - switch (af) { -#ifdef INET - case AF_INET: - hlen = sizeof(struct ip); - bzero(&ro, sizeof(ro)); - dst = (struct sockaddr_in *)&ro.ro_dst; - dst->sin_family = AF_INET; - dst->sin_len = sizeof(*dst); - dst->sin_addr = addr->v4; -#ifdef __FreeBSD__ - in_rtalloc_ign(&ro, 0, rtableid); -#else /* ! __FreeBSD__ */ - rtalloc_noclone(&ro, NO_CLONING); -#endif - rt = ro.ro_rt; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - hlen = sizeof(struct ip6_hdr); - bzero(&ro6, sizeof(ro6)); - dst6 = (struct sockaddr_in6 *)&ro6.ro_dst; - dst6->sin6_family = AF_INET6; - dst6->sin6_len = sizeof(*dst6); - dst6->sin6_addr = addr->v6; -#ifdef __FreeBSD__ - in6_rtalloc_ign(&ro6, 0, rtableid); -#else /* ! __FreeBSD__ */ - rtalloc_noclone((struct route *)&ro6, NO_CLONING); -#endif - rt = ro6.ro_rt; - break; -#endif /* INET6 */ - } - - if (rt && rt->rt_ifp) { - mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); -#ifdef __FreeBSD__ - mss = max(V_tcp_mssdflt, mss); -#else - mss = max(tcp_mssdflt, mss); -#endif - RTFREE(rt); - } - mss = min(mss, offer); - mss = max(mss, 64); /* sanity - at least max opt space */ - return (mss); -} - -void -pf_set_rt_ifp(struct pf_state *s, struct pf_addr *saddr) -{ - struct pf_rule *r = s->rule.ptr; - struct pf_src_node *sn = NULL; - - s->rt_kif = NULL; - if (!r->rt || r->rt == PF_FASTROUTE) - return; - switch (s->key[PF_SK_WIRE]->af) { -#ifdef INET - case AF_INET: - pf_map_addr(AF_INET, r, saddr, &s->rt_addr, NULL, &sn); - s->rt_kif = r->rpool.cur->kif; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - pf_map_addr(AF_INET6, r, saddr, &s->rt_addr, NULL, &sn); - s->rt_kif = r->rpool.cur->kif; - break; -#endif /* INET6 */ - } -} - -u_int32_t -pf_tcp_iss(struct pf_pdesc *pd) -{ - MD5_CTX ctx; - u_int32_t digest[4]; - -#ifdef __FreeBSD__ - if (V_pf_tcp_secret_init == 0) { - read_random(&V_pf_tcp_secret, sizeof(V_pf_tcp_secret)); - MD5Init(&V_pf_tcp_secret_ctx); - MD5Update(&V_pf_tcp_secret_ctx, V_pf_tcp_secret, - sizeof(V_pf_tcp_secret)); - V_pf_tcp_secret_init = 1; - } - - ctx = V_pf_tcp_secret_ctx; -#else - if (pf_tcp_secret_init == 0) { - arc4random_buf(pf_tcp_secret, sizeof(pf_tcp_secret)); - MD5Init(&pf_tcp_secret_ctx); - MD5Update(&pf_tcp_secret_ctx, pf_tcp_secret, - sizeof(pf_tcp_secret)); - pf_tcp_secret_init = 1; - } - - ctx = pf_tcp_secret_ctx; -#endif - - MD5Update(&ctx, (char *)&pd->hdr.tcp->th_sport, sizeof(u_short)); - MD5Update(&ctx, (char *)&pd->hdr.tcp->th_dport, sizeof(u_short)); - if (pd->af == AF_INET6) { - MD5Update(&ctx, (char *)&pd->src->v6, sizeof(struct in6_addr)); - MD5Update(&ctx, (char *)&pd->dst->v6, sizeof(struct in6_addr)); - } else { - MD5Update(&ctx, (char *)&pd->src->v4, sizeof(struct in_addr)); - MD5Update(&ctx, (char *)&pd->dst->v4, sizeof(struct in_addr)); - } - MD5Final((u_char *)digest, &ctx); -#ifdef __FreeBSD__ - V_pf_tcp_iss_off += 4096; -#define ISN_RANDOM_INCREMENT (4096 - 1) - return (digest[0] + (arc4random() & ISN_RANDOM_INCREMENT) + - V_pf_tcp_iss_off); -#undef ISN_RANDOM_INCREMENT -#else - pf_tcp_iss_off += 4096; - return (digest[0] + tcp_iss + pf_tcp_iss_off); -#endif -} - -int -pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, - struct pfi_kif *kif, struct mbuf *m, int off, void *h, - struct pf_pdesc *pd, struct pf_rule **am, struct pf_ruleset **rsm, -#ifdef __FreeBSD__ - struct ifqueue *ifq, struct inpcb *inp) -#else - struct ifqueue *ifq) -#endif -{ - struct pf_rule *nr = NULL; - struct pf_addr *saddr = pd->src, *daddr = pd->dst; - sa_family_t af = pd->af; - struct pf_rule *r, *a = NULL; - struct pf_ruleset *ruleset = NULL; - struct pf_src_node *nsn = NULL; - struct tcphdr *th = pd->hdr.tcp; - struct pf_state_key *skw = NULL, *sks = NULL; - struct pf_state_key *sk = NULL, *nk = NULL; - u_short reason; - int rewrite = 0, hdrlen = 0; - int tag = -1, rtableid = -1; - int asd = 0; - int match = 0; - int state_icmp = 0; -#ifdef __FreeBSD__ - u_int16_t sport = 0, dport = 0; - u_int16_t bproto_sum = 0, bip_sum = 0; -#else - u_int16_t sport, dport; - u_int16_t bproto_sum = 0, bip_sum; -#endif - u_int8_t icmptype = 0, icmpcode = 0; - - - if (direction == PF_IN && pf_check_congestion(ifq)) { - REASON_SET(&reason, PFRES_CONGEST); - return (PF_DROP); - } - -#ifdef __FreeBSD__ - if (inp != NULL) - pd->lookup.done = pf_socket_lookup(direction, pd, inp); - else if (V_debug_pfugidhack) { - PF_UNLOCK(); - DPFPRINTF(PF_DEBUG_MISC, ("pf: unlocked lookup\n")); - pd->lookup.done = pf_socket_lookup(direction, pd, inp); - PF_LOCK(); - } -#endif - - switch (pd->proto) { - case IPPROTO_TCP: - sport = th->th_sport; - dport = th->th_dport; - hdrlen = sizeof(*th); - break; - case IPPROTO_UDP: - sport = pd->hdr.udp->uh_sport; - dport = pd->hdr.udp->uh_dport; - hdrlen = sizeof(*pd->hdr.udp); - break; -#ifdef INET - case IPPROTO_ICMP: - if (pd->af != AF_INET) - break; - sport = dport = pd->hdr.icmp->icmp_id; - hdrlen = sizeof(*pd->hdr.icmp); - icmptype = pd->hdr.icmp->icmp_type; - icmpcode = pd->hdr.icmp->icmp_code; - - if (icmptype == ICMP_UNREACH || - icmptype == ICMP_SOURCEQUENCH || - icmptype == ICMP_REDIRECT || - icmptype == ICMP_TIMXCEED || - icmptype == ICMP_PARAMPROB) - state_icmp++; - break; -#endif /* INET */ -#ifdef INET6 - case IPPROTO_ICMPV6: - if (af != AF_INET6) - break; - sport = dport = pd->hdr.icmp6->icmp6_id; - hdrlen = sizeof(*pd->hdr.icmp6); - icmptype = pd->hdr.icmp6->icmp6_type; - icmpcode = pd->hdr.icmp6->icmp6_code; - - if (icmptype == ICMP6_DST_UNREACH || - icmptype == ICMP6_PACKET_TOO_BIG || - icmptype == ICMP6_TIME_EXCEEDED || - icmptype == ICMP6_PARAM_PROB) - state_icmp++; - break; -#endif /* INET6 */ - default: - sport = dport = hdrlen = 0; - break; - } - - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); - - /* check packet for BINAT/NAT/RDR */ - if ((nr = pf_get_translation(pd, m, off, direction, kif, &nsn, - &skw, &sks, &sk, &nk, saddr, daddr, sport, dport)) != NULL) { - if (nk == NULL || sk == NULL) { - REASON_SET(&reason, PFRES_MEMORY); - goto cleanup; - } - - if (pd->ip_sum) - bip_sum = *pd->ip_sum; - - switch (pd->proto) { - case IPPROTO_TCP: - bproto_sum = th->th_sum; - pd->proto_sum = &th->th_sum; - - if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) || - nk->port[pd->sidx] != sport) { - pf_change_ap(saddr, &th->th_sport, pd->ip_sum, - &th->th_sum, &nk->addr[pd->sidx], - nk->port[pd->sidx], 0, af); - pd->sport = &th->th_sport; - sport = th->th_sport; - } - - if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) || - nk->port[pd->didx] != dport) { - pf_change_ap(daddr, &th->th_dport, pd->ip_sum, - &th->th_sum, &nk->addr[pd->didx], - nk->port[pd->didx], 0, af); - dport = th->th_dport; - pd->dport = &th->th_dport; - } - rewrite++; - break; - case IPPROTO_UDP: - bproto_sum = pd->hdr.udp->uh_sum; - pd->proto_sum = &pd->hdr.udp->uh_sum; - - if (PF_ANEQ(saddr, &nk->addr[pd->sidx], af) || - nk->port[pd->sidx] != sport) { - pf_change_ap(saddr, &pd->hdr.udp->uh_sport, - pd->ip_sum, &pd->hdr.udp->uh_sum, - &nk->addr[pd->sidx], - nk->port[pd->sidx], 1, af); - sport = pd->hdr.udp->uh_sport; - pd->sport = &pd->hdr.udp->uh_sport; - } - - if (PF_ANEQ(daddr, &nk->addr[pd->didx], af) || - nk->port[pd->didx] != dport) { - pf_change_ap(daddr, &pd->hdr.udp->uh_dport, - pd->ip_sum, &pd->hdr.udp->uh_sum, - &nk->addr[pd->didx], - nk->port[pd->didx], 1, af); - dport = pd->hdr.udp->uh_dport; - pd->dport = &pd->hdr.udp->uh_dport; - } - rewrite++; - break; -#ifdef INET - case IPPROTO_ICMP: - nk->port[0] = nk->port[1]; - if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET)) - pf_change_a(&saddr->v4.s_addr, pd->ip_sum, - nk->addr[pd->sidx].v4.s_addr, 0); - - if (PF_ANEQ(daddr, &nk->addr[pd->didx], AF_INET)) - pf_change_a(&daddr->v4.s_addr, pd->ip_sum, - nk->addr[pd->didx].v4.s_addr, 0); - - if (nk->port[1] != pd->hdr.icmp->icmp_id) { - pd->hdr.icmp->icmp_cksum = pf_cksum_fixup( - pd->hdr.icmp->icmp_cksum, sport, - nk->port[1], 0); - pd->hdr.icmp->icmp_id = nk->port[1]; - pd->sport = &pd->hdr.icmp->icmp_id; - } - m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp); - break; -#endif /* INET */ -#ifdef INET6 - case IPPROTO_ICMPV6: - nk->port[0] = nk->port[1]; - if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET6)) - pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, - &nk->addr[pd->sidx], 0); - - if (PF_ANEQ(daddr, &nk->addr[pd->didx], AF_INET6)) - pf_change_a6(daddr, &pd->hdr.icmp6->icmp6_cksum, - &nk->addr[pd->didx], 0); - rewrite++; - break; -#endif /* INET */ - default: - switch (af) { -#ifdef INET - case AF_INET: - if (PF_ANEQ(saddr, - &nk->addr[pd->sidx], AF_INET)) - pf_change_a(&saddr->v4.s_addr, - pd->ip_sum, - nk->addr[pd->sidx].v4.s_addr, 0); - - if (PF_ANEQ(daddr, - &nk->addr[pd->didx], AF_INET)) - pf_change_a(&daddr->v4.s_addr, - pd->ip_sum, - nk->addr[pd->didx].v4.s_addr, 0); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (PF_ANEQ(saddr, - &nk->addr[pd->sidx], AF_INET6)) - PF_ACPY(saddr, &nk->addr[pd->sidx], af); - - if (PF_ANEQ(daddr, - &nk->addr[pd->didx], AF_INET6)) - PF_ACPY(saddr, &nk->addr[pd->didx], af); - break; -#endif /* INET */ - } - break; - } - if (nr->natpass) - r = NULL; - pd->nat_rule = nr; - } - - while (r != NULL) { - r->evaluations++; - if (pfi_kif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; - else if (r->direction && r->direction != direction) - r = r->skip[PF_SKIP_DIR].ptr; - else if (r->af && r->af != af) - r = r->skip[PF_SKIP_AF].ptr; - else if (r->proto && r->proto != pd->proto) - r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, saddr, af, - r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; - /* tcp/udp only. port_op always 0 in other cases */ - else if (r->src.port_op && !pf_match_port(r->src.port_op, - r->src.port[0], r->src.port[1], sport)) - r = r->skip[PF_SKIP_SRC_PORT].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, - r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; - /* tcp/udp only. port_op always 0 in other cases */ - else if (r->dst.port_op && !pf_match_port(r->dst.port_op, - r->dst.port[0], r->dst.port[1], dport)) - r = r->skip[PF_SKIP_DST_PORT].ptr; - /* icmp only. type always 0 in other cases */ - else if (r->type && r->type != icmptype + 1) - r = TAILQ_NEXT(r, entries); - /* icmp only. type always 0 in other cases */ - else if (r->code && r->code != icmpcode + 1) - r = TAILQ_NEXT(r, entries); - else if (r->tos && !(r->tos == pd->tos)) - r = TAILQ_NEXT(r, entries); - else if (r->rule_flag & PFRULE_FRAGMENT) - r = TAILQ_NEXT(r, entries); - else if (pd->proto == IPPROTO_TCP && - (r->flagset & th->th_flags) != r->flags) - r = TAILQ_NEXT(r, entries); - /* tcp/udp only. uid.op always 0 in other cases */ - else if (r->uid.op && (pd->lookup.done || (pd->lookup.done = -#ifdef __FreeBSD__ - pf_socket_lookup(direction, pd, inp), 1)) && -#else - pf_socket_lookup(direction, pd), 1)) && -#endif - !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], - pd->lookup.uid)) - r = TAILQ_NEXT(r, entries); - /* tcp/udp only. gid.op always 0 in other cases */ - else if (r->gid.op && (pd->lookup.done || (pd->lookup.done = -#ifdef __FreeBSD__ - pf_socket_lookup(direction, pd, inp), 1)) && -#else - pf_socket_lookup(direction, pd), 1)) && -#endif - !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], - pd->lookup.gid)) - r = TAILQ_NEXT(r, entries); - else if (r->prob && -#ifdef __FreeBSD__ - r->prob <= arc4random()) -#else - r->prob <= arc4random_uniform(UINT_MAX - 1) + 1) -#endif - r = TAILQ_NEXT(r, entries); -#ifdef __FreeBSD__ - else if (r->match_tag && !pf_match_tag(m, r, &tag, pd->pf_mtag)) -#else - else if (r->match_tag && !pf_match_tag(m, r, &tag)) -#endif - r = TAILQ_NEXT(r, entries); - else if (r->os_fingerprint != PF_OSFP_ANY && - (pd->proto != IPPROTO_TCP || !pf_osfp_match( - pf_osfp_fingerprint(pd, m, off, th), - r->os_fingerprint))) - r = TAILQ_NEXT(r, entries); - else { - if (r->tag) - tag = r->tag; - if (r->rtableid >= 0) - rtableid = r->rtableid; - if (r->anchor == NULL) { - match = 1; - *rm = r; - *am = a; - *rsm = ruleset; - if ((*rm)->quick) - break; - r = TAILQ_NEXT(r, entries); - } else - pf_step_into_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match); - } - if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match)) - break; - } - r = *rm; - a = *am; - ruleset = *rsm; - - REASON_SET(&reason, PFRES_MATCH); - - if (r->log || (nr != NULL && nr->log)) { - if (rewrite) - m_copyback(m, off, hdrlen, pd->hdr.any); - PFLOG_PACKET(kif, h, m, af, direction, reason, r->log ? r : nr, - a, ruleset, pd); - } - - if ((r->action == PF_DROP) && - ((r->rule_flag & PFRULE_RETURNRST) || - (r->rule_flag & PFRULE_RETURNICMP) || - (r->rule_flag & PFRULE_RETURN))) { - /* undo NAT changes, if they have taken place */ - if (nr != NULL) { - PF_ACPY(saddr, &sk->addr[pd->sidx], af); - PF_ACPY(daddr, &sk->addr[pd->didx], af); - if (pd->sport) - *pd->sport = sk->port[pd->sidx]; - if (pd->dport) - *pd->dport = sk->port[pd->didx]; - if (pd->proto_sum) - *pd->proto_sum = bproto_sum; - if (pd->ip_sum) - *pd->ip_sum = bip_sum; - m_copyback(m, off, hdrlen, pd->hdr.any); - } - if (pd->proto == IPPROTO_TCP && - ((r->rule_flag & PFRULE_RETURNRST) || - (r->rule_flag & PFRULE_RETURN)) && - !(th->th_flags & TH_RST)) { - u_int32_t ack = ntohl(th->th_seq) + pd->p_len; - int len = 0; -#ifdef INET - struct ip *h4; -#endif -#ifdef INET6 - struct ip6_hdr *h6; -#endif - - switch (af) { -#ifdef INET - case AF_INET: - h4 = mtod(m, struct ip *); - len = ntohs(h4->ip_len) - off; - break; -#endif -#ifdef INET6 - case AF_INET6: - h6 = mtod(m, struct ip6_hdr *); - len = ntohs(h6->ip6_plen) - (off - sizeof(*h6)); - break; -#endif - } - - if (pf_check_proto_cksum(m, off, len, IPPROTO_TCP, af)) - REASON_SET(&reason, PFRES_PROTCKSUM); - else { - if (th->th_flags & TH_SYN) - ack++; - if (th->th_flags & TH_FIN) - ack++; -#ifdef __FreeBSD__ - pf_send_tcp(m, r, af, pd->dst, -#else - pf_send_tcp(r, af, pd->dst, -#endif - pd->src, th->th_dport, th->th_sport, - ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, - r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp); - } - } else if (pd->proto != IPPROTO_ICMP && af == AF_INET && - r->return_icmp) - pf_send_icmp(m, r->return_icmp >> 8, - r->return_icmp & 255, af, r); - else if (pd->proto != IPPROTO_ICMPV6 && af == AF_INET6 && - r->return_icmp6) - pf_send_icmp(m, r->return_icmp6 >> 8, - r->return_icmp6 & 255, af, r); - } - - if (r->action == PF_DROP) - goto cleanup; - -#ifdef __FreeBSD__ - if (pf_tag_packet(m, tag, rtableid, pd->pf_mtag)) { -#else - if (pf_tag_packet(m, tag, rtableid)) { -#endif - REASON_SET(&reason, PFRES_MEMORY); - goto cleanup; - } - - if (!state_icmp && (r->keep_state || nr != NULL || - (pd->flags & PFDESC_TCP_NORM))) { - int action; - action = pf_create_state(r, nr, a, pd, nsn, skw, sks, nk, sk, m, - off, sport, dport, &rewrite, kif, sm, tag, bproto_sum, - bip_sum, hdrlen); - if (action != PF_PASS) - return (action); - } else { -#ifdef __FreeBSD__ - if (sk != NULL) - pool_put(&V_pf_state_key_pl, sk); - if (nk != NULL) - pool_put(&V_pf_state_key_pl, nk); -#else - if (sk != NULL) - pool_put(&pf_state_key_pl, sk); - if (nk != NULL) - pool_put(&pf_state_key_pl, nk); -#endif - } - - /* copy back packet headers if we performed NAT operations */ - if (rewrite) - m_copyback(m, off, hdrlen, pd->hdr.any); - -#if NPFSYNC > 0 - if (*sm != NULL && !ISSET((*sm)->state_flags, PFSTATE_NOSYNC) && -#ifdef __FreeBSD__ - direction == PF_OUT && pfsync_up_ptr != NULL && pfsync_up_ptr()) { -#else - direction == PF_OUT && pfsync_up()) { -#endif - /* - * We want the state created, but we dont - * want to send this in case a partner - * firewall has to know about it to allow - * replies through it. - */ -#ifdef __FreeBSD__ - if (pfsync_defer_ptr != NULL && - pfsync_defer_ptr(*sm, m)) -#else - if (pfsync_defer(*sm, m)) -#endif - return (PF_DEFER); - } -#endif - - return (PF_PASS); - -cleanup: -#ifdef __FreeBSD__ - if (sk != NULL) - pool_put(&V_pf_state_key_pl, sk); - if (nk != NULL) - pool_put(&V_pf_state_key_pl, nk); -#else - if (sk != NULL) - pool_put(&pf_state_key_pl, sk); - if (nk != NULL) - pool_put(&pf_state_key_pl, nk); -#endif - return (PF_DROP); -} - -static __inline int -pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a, - struct pf_pdesc *pd, struct pf_src_node *nsn, struct pf_state_key *skw, - struct pf_state_key *sks, struct pf_state_key *nk, struct pf_state_key *sk, - struct mbuf *m, int off, u_int16_t sport, u_int16_t dport, int *rewrite, - struct pfi_kif *kif, struct pf_state **sm, int tag, u_int16_t bproto_sum, - u_int16_t bip_sum, int hdrlen) -{ - struct pf_state *s = NULL; - struct pf_src_node *sn = NULL; - struct tcphdr *th = pd->hdr.tcp; -#ifdef __FreeBSD__ - u_int16_t mss = V_tcp_mssdflt; -#else - u_int16_t mss = tcp_mssdflt; -#endif - u_short reason; - - /* check maximums */ - if (r->max_states && (r->states_cur >= r->max_states)) { -#ifdef __FreeBSD__ - V_pf_status.lcounters[LCNT_STATES]++; -#else - pf_status.lcounters[LCNT_STATES]++; -#endif - REASON_SET(&reason, PFRES_MAXSTATES); - return (PF_DROP); - } - /* src node for filter rule */ - if ((r->rule_flag & PFRULE_SRCTRACK || - r->rpool.opts & PF_POOL_STICKYADDR) && - pf_insert_src_node(&sn, r, pd->src, pd->af) != 0) { - REASON_SET(&reason, PFRES_SRCLIMIT); - goto csfailed; - } - /* src node for translation rule */ - if (nr != NULL && (nr->rpool.opts & PF_POOL_STICKYADDR) && - pf_insert_src_node(&nsn, nr, &sk->addr[pd->sidx], pd->af)) { - REASON_SET(&reason, PFRES_SRCLIMIT); - goto csfailed; - } -#ifdef __FreeBSD__ - s = pool_get(&V_pf_state_pl, PR_NOWAIT | PR_ZERO); -#else - s = pool_get(&pf_state_pl, PR_NOWAIT | PR_ZERO); -#endif - if (s == NULL) { - REASON_SET(&reason, PFRES_MEMORY); - goto csfailed; - } - s->rule.ptr = r; - s->nat_rule.ptr = nr; - s->anchor.ptr = a; - STATE_INC_COUNTERS(s); - if (r->allow_opts) - s->state_flags |= PFSTATE_ALLOWOPTS; - if (r->rule_flag & PFRULE_STATESLOPPY) - s->state_flags |= PFSTATE_SLOPPY; - if (r->rule_flag & PFRULE_PFLOW) - s->state_flags |= PFSTATE_PFLOW; - s->log = r->log & PF_LOG_ALL; - s->sync_state = PFSYNC_S_NONE; - if (nr != NULL) - s->log |= nr->log & PF_LOG_ALL; - switch (pd->proto) { - case IPPROTO_TCP: - s->src.seqlo = ntohl(th->th_seq); - s->src.seqhi = s->src.seqlo + pd->p_len + 1; - if ((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN && - r->keep_state == PF_STATE_MODULATE) { - /* Generate sequence number modulator */ - if ((s->src.seqdiff = pf_tcp_iss(pd) - s->src.seqlo) == - 0) - s->src.seqdiff = 1; - pf_change_a(&th->th_seq, &th->th_sum, - htonl(s->src.seqlo + s->src.seqdiff), 0); - *rewrite = 1; - } else - s->src.seqdiff = 0; - if (th->th_flags & TH_SYN) { - s->src.seqhi++; - s->src.wscale = pf_get_wscale(m, off, - th->th_off, pd->af); - } - s->src.max_win = MAX(ntohs(th->th_win), 1); - if (s->src.wscale & PF_WSCALE_MASK) { - /* Remove scale factor from initial window */ - int win = s->src.max_win; - win += 1 << (s->src.wscale & PF_WSCALE_MASK); - s->src.max_win = (win - 1) >> - (s->src.wscale & PF_WSCALE_MASK); - } - if (th->th_flags & TH_FIN) - s->src.seqhi++; - s->dst.seqhi = 1; - s->dst.max_win = 1; - s->src.state = TCPS_SYN_SENT; - s->dst.state = TCPS_CLOSED; - s->timeout = PFTM_TCP_FIRST_PACKET; - break; - case IPPROTO_UDP: - s->src.state = PFUDPS_SINGLE; - s->dst.state = PFUDPS_NO_TRAFFIC; - s->timeout = PFTM_UDP_FIRST_PACKET; - break; - case IPPROTO_ICMP: -#ifdef INET6 - case IPPROTO_ICMPV6: -#endif - s->timeout = PFTM_ICMP_FIRST_PACKET; - break; - default: - s->src.state = PFOTHERS_SINGLE; - s->dst.state = PFOTHERS_NO_TRAFFIC; - s->timeout = PFTM_OTHER_FIRST_PACKET; - } - - s->creation = time_second; - s->expire = time_second; - - if (sn != NULL) { - s->src_node = sn; - s->src_node->states++; - } - if (nsn != NULL) { - /* XXX We only modify one side for now. */ - PF_ACPY(&nsn->raddr, &nk->addr[1], pd->af); - s->nat_src_node = nsn; - s->nat_src_node->states++; - } - if (pd->proto == IPPROTO_TCP) { - if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, - off, pd, th, &s->src, &s->dst)) { - REASON_SET(&reason, PFRES_MEMORY); - pf_src_tree_remove_state(s); - STATE_DEC_COUNTERS(s); -#ifdef __FreeBSD__ - pool_put(&V_pf_state_pl, s); -#else - pool_put(&pf_state_pl, s); -#endif - return (PF_DROP); - } - if ((pd->flags & PFDESC_TCP_NORM) && s->src.scrub && - pf_normalize_tcp_stateful(m, off, pd, &reason, th, s, - &s->src, &s->dst, rewrite)) { - /* This really shouldn't happen!!! */ - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_normalize_tcp_stateful failed on first pkt")); - pf_normalize_tcp_cleanup(s); - pf_src_tree_remove_state(s); - STATE_DEC_COUNTERS(s); -#ifdef __FreeBSD__ - pool_put(&V_pf_state_pl, s); -#else - pool_put(&pf_state_pl, s); -#endif - return (PF_DROP); - } - } - s->direction = pd->dir; - - if (sk == NULL && pf_state_key_setup(pd, nr, &skw, &sks, &sk, &nk, - pd->src, pd->dst, sport, dport)) - goto csfailed; - - if (pf_state_insert(BOUND_IFACE(r, kif), skw, sks, s)) { - if (pd->proto == IPPROTO_TCP) - pf_normalize_tcp_cleanup(s); - REASON_SET(&reason, PFRES_STATEINS); - pf_src_tree_remove_state(s); - STATE_DEC_COUNTERS(s); -#ifdef __FreeBSD__ - pool_put(&V_pf_state_pl, s); -#else - pool_put(&pf_state_pl, s); -#endif - return (PF_DROP); - } else - *sm = s; - - pf_set_rt_ifp(s, pd->src); /* needs s->state_key set */ - if (tag > 0) { - pf_tag_ref(tag); - s->tag = tag; - } - if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) == - TH_SYN && r->keep_state == PF_STATE_SYNPROXY) { - s->src.state = PF_TCPS_PROXY_SRC; - /* undo NAT changes, if they have taken place */ - if (nr != NULL) { - struct pf_state_key *skt = s->key[PF_SK_WIRE]; - if (pd->dir == PF_OUT) - skt = s->key[PF_SK_STACK]; - PF_ACPY(pd->src, &skt->addr[pd->sidx], pd->af); - PF_ACPY(pd->dst, &skt->addr[pd->didx], pd->af); - if (pd->sport) - *pd->sport = skt->port[pd->sidx]; - if (pd->dport) - *pd->dport = skt->port[pd->didx]; - if (pd->proto_sum) - *pd->proto_sum = bproto_sum; - if (pd->ip_sum) - *pd->ip_sum = bip_sum; - m_copyback(m, off, hdrlen, pd->hdr.any); - } - s->src.seqhi = htonl(arc4random()); - /* Find mss option */ - int rtid = M_GETFIB(m); - mss = pf_get_mss(m, off, th->th_off, pd->af); - mss = pf_calc_mss(pd->src, pd->af, rtid, mss); - mss = pf_calc_mss(pd->dst, pd->af, rtid, mss); - s->src.mss = mss; -#ifdef __FreeBSD__ - pf_send_tcp(NULL, r, pd->af, pd->dst, pd->src, th->th_dport, -#else - pf_send_tcp(r, pd->af, pd->dst, pd->src, th->th_dport, -#endif - th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, - TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL); - REASON_SET(&reason, PFRES_SYNPROXY); - return (PF_SYNPROXY_DROP); - } - - return (PF_PASS); - -csfailed: -#ifdef __FreeBSD__ - if (sk != NULL) - pool_put(&V_pf_state_key_pl, sk); - if (nk != NULL) - pool_put(&V_pf_state_key_pl, nk); -#else - if (sk != NULL) - pool_put(&pf_state_key_pl, sk); - if (nk != NULL) - pool_put(&pf_state_key_pl, nk); -#endif - - if (sn != NULL && sn->states == 0 && sn->expire == 0) { -#ifdef __FreeBSD__ - RB_REMOVE(pf_src_tree, &V_tree_src_tracking, sn); - V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; - V_pf_status.src_nodes--; - pool_put(&V_pf_src_tree_pl, sn); -#else - RB_REMOVE(pf_src_tree, &tree_src_tracking, sn); - pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; - pf_status.src_nodes--; - pool_put(&pf_src_tree_pl, sn); -#endif - } - if (nsn != sn && nsn != NULL && nsn->states == 0 && nsn->expire == 0) { -#ifdef __FreeBSD__ - RB_REMOVE(pf_src_tree, &V_tree_src_tracking, nsn); - V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; - V_pf_status.src_nodes--; - pool_put(&V_pf_src_tree_pl, nsn); -#else - RB_REMOVE(pf_src_tree, &tree_src_tracking, nsn); - pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++; - pf_status.src_nodes--; - pool_put(&pf_src_tree_pl, nsn); -#endif - } - return (PF_DROP); -} - -int -pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, - struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am, - struct pf_ruleset **rsm) -{ - struct pf_rule *r, *a = NULL; - struct pf_ruleset *ruleset = NULL; - sa_family_t af = pd->af; - u_short reason; - int tag = -1; - int asd = 0; - int match = 0; - - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); - while (r != NULL) { - r->evaluations++; - if (pfi_kif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; - else if (r->direction && r->direction != direction) - r = r->skip[PF_SKIP_DIR].ptr; - else if (r->af && r->af != af) - r = r->skip[PF_SKIP_AF].ptr; - else if (r->proto && r->proto != pd->proto) - r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, - r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, - r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; - else if (r->tos && !(r->tos == pd->tos)) - r = TAILQ_NEXT(r, entries); - else if (r->os_fingerprint != PF_OSFP_ANY) - r = TAILQ_NEXT(r, entries); - else if (pd->proto == IPPROTO_UDP && - (r->src.port_op || r->dst.port_op)) - r = TAILQ_NEXT(r, entries); - else if (pd->proto == IPPROTO_TCP && - (r->src.port_op || r->dst.port_op || r->flagset)) - r = TAILQ_NEXT(r, entries); - else if ((pd->proto == IPPROTO_ICMP || - pd->proto == IPPROTO_ICMPV6) && - (r->type || r->code)) - r = TAILQ_NEXT(r, entries); - else if (r->prob && r->prob <= - (arc4random() % (UINT_MAX - 1) + 1)) - r = TAILQ_NEXT(r, entries); -#ifdef __FreeBSD__ - else if (r->match_tag && !pf_match_tag(m, r, &tag, pd->pf_mtag)) -#else - else if (r->match_tag && !pf_match_tag(m, r, &tag)) -#endif - r = TAILQ_NEXT(r, entries); - else { - if (r->anchor == NULL) { - match = 1; - *rm = r; - *am = a; - *rsm = ruleset; - if ((*rm)->quick) - break; - r = TAILQ_NEXT(r, entries); - } else - pf_step_into_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match); - } - if (r == NULL && pf_step_out_of_anchor(&asd, &ruleset, - PF_RULESET_FILTER, &r, &a, &match)) - break; - } - r = *rm; - a = *am; - ruleset = *rsm; - - REASON_SET(&reason, PFRES_MATCH); - - if (r->log) - PFLOG_PACKET(kif, h, m, af, direction, reason, r, a, ruleset, - pd); - - if (r->action != PF_PASS) - return (PF_DROP); - -#ifdef __FreeBSD__ - if (pf_tag_packet(m, tag, -1, pd->pf_mtag)) { -#else - if (pf_tag_packet(m, tag, -1)) { -#endif - REASON_SET(&reason, PFRES_MEMORY); - return (PF_DROP); - } - - return (PF_PASS); -} - -int -pf_tcp_track_full(struct pf_state_peer *src, struct pf_state_peer *dst, - struct pf_state **state, struct pfi_kif *kif, struct mbuf *m, int off, - struct pf_pdesc *pd, u_short *reason, int *copyback) -{ - struct tcphdr *th = pd->hdr.tcp; - u_int16_t win = ntohs(th->th_win); - u_int32_t ack, end, seq, orig_seq; - u_int8_t sws, dws; - int ackskew; - - if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) { - sws = src->wscale & PF_WSCALE_MASK; - dws = dst->wscale & PF_WSCALE_MASK; - } else - sws = dws = 0; - - /* - * Sequence tracking algorithm from Guido van Rooij's paper: - * http://www.madison-gurkha.com/publications/tcp_filtering/ - * tcp_filtering.ps - */ - - orig_seq = seq = ntohl(th->th_seq); - if (src->seqlo == 0) { - /* First packet from this end. Set its state */ - - if ((pd->flags & PFDESC_TCP_NORM || dst->scrub) && - src->scrub == NULL) { - if (pf_normalize_tcp_init(m, off, pd, th, src, dst)) { - REASON_SET(reason, PFRES_MEMORY); - return (PF_DROP); - } - } - - /* Deferred generation of sequence number modulator */ - if (dst->seqdiff && !src->seqdiff) { - /* use random iss for the TCP server */ - while ((src->seqdiff = arc4random() - seq) == 0) - ; - ack = ntohl(th->th_ack) - dst->seqdiff; - pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + - src->seqdiff), 0); - pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); - *copyback = 1; - } else { - ack = ntohl(th->th_ack); - } - - end = seq + pd->p_len; - if (th->th_flags & TH_SYN) { - end++; - if (dst->wscale & PF_WSCALE_FLAG) { - src->wscale = pf_get_wscale(m, off, th->th_off, - pd->af); - if (src->wscale & PF_WSCALE_FLAG) { - /* Remove scale factor from initial - * window */ - sws = src->wscale & PF_WSCALE_MASK; - win = ((u_int32_t)win + (1 << sws) - 1) - >> sws; - dws = dst->wscale & PF_WSCALE_MASK; - } else { - /* fixup other window */ - dst->max_win <<= dst->wscale & - PF_WSCALE_MASK; - /* in case of a retrans SYN|ACK */ - dst->wscale = 0; - } - } - } - if (th->th_flags & TH_FIN) - end++; - - src->seqlo = seq; - if (src->state < TCPS_SYN_SENT) - src->state = TCPS_SYN_SENT; - - /* - * May need to slide the window (seqhi may have been set by - * the crappy stack check or if we picked up the connection - * after establishment) - */ - if (src->seqhi == 1 || - SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) - src->seqhi = end + MAX(1, dst->max_win << dws); - if (win > src->max_win) - src->max_win = win; - - } else { - ack = ntohl(th->th_ack) - dst->seqdiff; - if (src->seqdiff) { - /* Modulate sequence numbers */ - pf_change_a(&th->th_seq, &th->th_sum, htonl(seq + - src->seqdiff), 0); - pf_change_a(&th->th_ack, &th->th_sum, htonl(ack), 0); - *copyback = 1; - } - end = seq + pd->p_len; - if (th->th_flags & TH_SYN) - end++; - if (th->th_flags & TH_FIN) - end++; - } - - if ((th->th_flags & TH_ACK) == 0) { - /* Let it pass through the ack skew check */ - ack = dst->seqlo; - } else if ((ack == 0 && - (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) || - /* broken tcp stacks do not set ack */ - (dst->state < TCPS_SYN_SENT)) { - /* - * Many stacks (ours included) will set the ACK number in an - * FIN|ACK if the SYN times out -- no sequence to ACK. - */ - ack = dst->seqlo; - } - - if (seq == end) { - /* Ease sequencing restrictions on no data packets */ - seq = src->seqlo; - end = seq; - } - - ackskew = dst->seqlo - ack; - - - /* - * Need to demodulate the sequence numbers in any TCP SACK options - * (Selective ACK). We could optionally validate the SACK values - * against the current ACK window, either forwards or backwards, but - * I'm not confident that SACK has been implemented properly - * everywhere. It wouldn't surprise me if several stacks accidently - * SACK too far backwards of previously ACKed data. There really aren't - * any security implications of bad SACKing unless the target stack - * doesn't validate the option length correctly. Someone trying to - * spoof into a TCP connection won't bother blindly sending SACK - * options anyway. - */ - if (dst->seqdiff && (th->th_off << 2) > sizeof(struct tcphdr)) { - if (pf_modulate_sack(m, off, pd, th, dst)) - *copyback = 1; - } - - -#define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ - if (SEQ_GEQ(src->seqhi, end) && - /* Last octet inside other's window space */ - SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) && - /* Retrans: not more than one window back */ - (ackskew >= -MAXACKWINDOW) && - /* Acking not more than one reassembled fragment backwards */ - (ackskew <= (MAXACKWINDOW << sws)) && - /* Acking not more than one window forward */ - ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo || - (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) || - (pd->flags & PFDESC_IP_REAS) == 0)) { - /* Require an exact/+1 sequence match on resets when possible */ - - if (dst->scrub || src->scrub) { - if (pf_normalize_tcp_stateful(m, off, pd, reason, th, - *state, src, dst, copyback)) - return (PF_DROP); - } - - /* update max window */ - if (src->max_win < win) - src->max_win = win; - /* synchronize sequencing */ - if (SEQ_GT(end, src->seqlo)) - src->seqlo = end; - /* slide the window of what the other end can send */ - if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) - dst->seqhi = ack + MAX((win << sws), 1); - - - /* update states */ - if (th->th_flags & TH_SYN) - if (src->state < TCPS_SYN_SENT) - src->state = TCPS_SYN_SENT; - if (th->th_flags & TH_FIN) - if (src->state < TCPS_CLOSING) - src->state = TCPS_CLOSING; - if (th->th_flags & TH_ACK) { - if (dst->state == TCPS_SYN_SENT) { - dst->state = TCPS_ESTABLISHED; - if (src->state == TCPS_ESTABLISHED && - (*state)->src_node != NULL && - pf_src_connlimit(state)) { - REASON_SET(reason, PFRES_SRCLIMIT); - return (PF_DROP); - } - } else if (dst->state == TCPS_CLOSING) - dst->state = TCPS_FIN_WAIT_2; - } - if (th->th_flags & TH_RST) - src->state = dst->state = TCPS_TIME_WAIT; - - /* update expire time */ - (*state)->expire = time_second; - if (src->state >= TCPS_FIN_WAIT_2 && - dst->state >= TCPS_FIN_WAIT_2) - (*state)->timeout = PFTM_TCP_CLOSED; - else if (src->state >= TCPS_CLOSING && - dst->state >= TCPS_CLOSING) - (*state)->timeout = PFTM_TCP_FIN_WAIT; - else if (src->state < TCPS_ESTABLISHED || - dst->state < TCPS_ESTABLISHED) - (*state)->timeout = PFTM_TCP_OPENING; - else if (src->state >= TCPS_CLOSING || - dst->state >= TCPS_CLOSING) - (*state)->timeout = PFTM_TCP_CLOSING; - else - (*state)->timeout = PFTM_TCP_ESTABLISHED; - - /* Fall through to PASS packet */ - - } else if ((dst->state < TCPS_SYN_SENT || - dst->state >= TCPS_FIN_WAIT_2 || - src->state >= TCPS_FIN_WAIT_2) && - SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && - /* Within a window forward of the originating packet */ - SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { - /* Within a window backward of the originating packet */ - - /* - * This currently handles three situations: - * 1) Stupid stacks will shotgun SYNs before their peer - * replies. - * 2) When PF catches an already established stream (the - * firewall rebooted, the state table was flushed, routes - * changed...) - * 3) Packets get funky immediately after the connection - * closes (this should catch Solaris spurious ACK|FINs - * that web servers like to spew after a close) - * - * This must be a little more careful than the above code - * since packet floods will also be caught here. We don't - * update the TTL here to mitigate the damage of a packet - * flood and so the same code can handle awkward establishment - * and a loosened connection close. - * In the establishment case, a correct peer response will - * validate the connection, go through the normal state code - * and keep updating the state TTL. - */ - -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf: loose state match: "); - pf_print_state(*state); - pf_print_flags(th->th_flags); - printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " - "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, -#ifdef __FreeBSD__ - pd->p_len, ackskew, (unsigned long long)(*state)->packets[0], - (unsigned long long)(*state)->packets[1], -#else - pd->p_len, ackskew, (*state)->packets[0], - (*state)->packets[1], -#endif - pd->dir == PF_IN ? "in" : "out", - pd->dir == (*state)->direction ? "fwd" : "rev"); - } - - if (dst->scrub || src->scrub) { - if (pf_normalize_tcp_stateful(m, off, pd, reason, th, - *state, src, dst, copyback)) - return (PF_DROP); - } - - /* update max window */ - if (src->max_win < win) - src->max_win = win; - /* synchronize sequencing */ - if (SEQ_GT(end, src->seqlo)) - src->seqlo = end; - /* slide the window of what the other end can send */ - if (SEQ_GEQ(ack + (win << sws), dst->seqhi)) - dst->seqhi = ack + MAX((win << sws), 1); - - /* - * Cannot set dst->seqhi here since this could be a shotgunned - * SYN and not an already established connection. - */ - - if (th->th_flags & TH_FIN) - if (src->state < TCPS_CLOSING) - src->state = TCPS_CLOSING; - if (th->th_flags & TH_RST) - src->state = dst->state = TCPS_TIME_WAIT; - - /* Fall through to PASS packet */ - - } else { - if ((*state)->dst.state == TCPS_SYN_SENT && - (*state)->src.state == TCPS_SYN_SENT) { - /* Send RST for state mismatches during handshake */ - if (!(th->th_flags & TH_RST)) -#ifdef __FreeBSD__ - pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, -#else - pf_send_tcp((*state)->rule.ptr, pd->af, -#endif - pd->dst, pd->src, th->th_dport, - th->th_sport, ntohl(th->th_ack), 0, - TH_RST, 0, 0, - (*state)->rule.ptr->return_ttl, 1, 0, - pd->eh, kif->pfik_ifp); - src->seqlo = 0; - src->seqhi = 1; - src->max_win = 1; -#ifdef __FreeBSD__ - } else if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - } else if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf: BAD state: "); - pf_print_state(*state); - pf_print_flags(th->th_flags); - printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " - "pkts=%llu:%llu dir=%s,%s\n", - seq, orig_seq, ack, pd->p_len, ackskew, -#ifdef __FreeBSD__ - (unsigned long long)(*state)->packets[0], - (unsigned long long)(*state)->packets[1], -#else - (*state)->packets[0], (*state)->packets[1], -#endif - pd->dir == PF_IN ? "in" : "out", - pd->dir == (*state)->direction ? "fwd" : "rev"); - printf("pf: State failure on: %c %c %c %c | %c %c\n", - SEQ_GEQ(src->seqhi, end) ? ' ' : '1', - SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? - ' ': '2', - (ackskew >= -MAXACKWINDOW) ? ' ' : '3', - (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', - SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', - SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); - } - REASON_SET(reason, PFRES_BADSTATE); - return (PF_DROP); - } - - return (PF_PASS); -} - -int -pf_tcp_track_sloppy(struct pf_state_peer *src, struct pf_state_peer *dst, - struct pf_state **state, struct pf_pdesc *pd, u_short *reason) -{ - struct tcphdr *th = pd->hdr.tcp; - - if (th->th_flags & TH_SYN) - if (src->state < TCPS_SYN_SENT) - src->state = TCPS_SYN_SENT; - if (th->th_flags & TH_FIN) - if (src->state < TCPS_CLOSING) - src->state = TCPS_CLOSING; - if (th->th_flags & TH_ACK) { - if (dst->state == TCPS_SYN_SENT) { - dst->state = TCPS_ESTABLISHED; - if (src->state == TCPS_ESTABLISHED && - (*state)->src_node != NULL && - pf_src_connlimit(state)) { - REASON_SET(reason, PFRES_SRCLIMIT); - return (PF_DROP); - } - } else if (dst->state == TCPS_CLOSING) { - dst->state = TCPS_FIN_WAIT_2; - } else if (src->state == TCPS_SYN_SENT && - dst->state < TCPS_SYN_SENT) { - /* - * Handle a special sloppy case where we only see one - * half of the connection. If there is a ACK after - * the initial SYN without ever seeing a packet from - * the destination, set the connection to established. - */ - dst->state = src->state = TCPS_ESTABLISHED; - if ((*state)->src_node != NULL && - pf_src_connlimit(state)) { - REASON_SET(reason, PFRES_SRCLIMIT); - return (PF_DROP); - } - } else if (src->state == TCPS_CLOSING && - dst->state == TCPS_ESTABLISHED && - dst->seqlo == 0) { - /* - * Handle the closing of half connections where we - * don't see the full bidirectional FIN/ACK+ACK - * handshake. - */ - dst->state = TCPS_CLOSING; - } - } - if (th->th_flags & TH_RST) - src->state = dst->state = TCPS_TIME_WAIT; - - /* update expire time */ - (*state)->expire = time_second; - if (src->state >= TCPS_FIN_WAIT_2 && - dst->state >= TCPS_FIN_WAIT_2) - (*state)->timeout = PFTM_TCP_CLOSED; - else if (src->state >= TCPS_CLOSING && - dst->state >= TCPS_CLOSING) - (*state)->timeout = PFTM_TCP_FIN_WAIT; - else if (src->state < TCPS_ESTABLISHED || - dst->state < TCPS_ESTABLISHED) - (*state)->timeout = PFTM_TCP_OPENING; - else if (src->state >= TCPS_CLOSING || - dst->state >= TCPS_CLOSING) - (*state)->timeout = PFTM_TCP_CLOSING; - else - (*state)->timeout = PFTM_TCP_ESTABLISHED; - - return (PF_PASS); -} - -int -pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, - struct mbuf *m, int off, void *h, struct pf_pdesc *pd, - u_short *reason) -{ - struct pf_state_key_cmp key; - struct tcphdr *th = pd->hdr.tcp; - int copyback = 0; - struct pf_state_peer *src, *dst; - struct pf_state_key *sk; - - key.af = pd->af; - key.proto = IPPROTO_TCP; - if (direction == PF_IN) { /* wire side, straight */ - PF_ACPY(&key.addr[0], pd->src, key.af); - PF_ACPY(&key.addr[1], pd->dst, key.af); - key.port[0] = th->th_sport; - key.port[1] = th->th_dport; - } else { /* stack side, reverse */ - PF_ACPY(&key.addr[1], pd->src, key.af); - PF_ACPY(&key.addr[0], pd->dst, key.af); - key.port[1] = th->th_sport; - key.port[0] = th->th_dport; - } - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - if (direction == (*state)->direction) { - src = &(*state)->src; - dst = &(*state)->dst; - } else { - src = &(*state)->dst; - dst = &(*state)->src; - } - - sk = (*state)->key[pd->didx]; - - if ((*state)->src.state == PF_TCPS_PROXY_SRC) { - if (direction != (*state)->direction) { - REASON_SET(reason, PFRES_SYNPROXY); - return (PF_SYNPROXY_DROP); - } - if (th->th_flags & TH_SYN) { - if (ntohl(th->th_seq) != (*state)->src.seqlo) { - REASON_SET(reason, PFRES_SYNPROXY); - return (PF_DROP); - } -#ifdef __FreeBSD__ - pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst, -#else - pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, -#endif - pd->src, th->th_dport, th->th_sport, - (*state)->src.seqhi, ntohl(th->th_seq) + 1, - TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, - 0, NULL, NULL); - REASON_SET(reason, PFRES_SYNPROXY); - return (PF_SYNPROXY_DROP); - } else if (!(th->th_flags & TH_ACK) || - (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || - (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { - REASON_SET(reason, PFRES_SYNPROXY); - return (PF_DROP); - } else if ((*state)->src_node != NULL && - pf_src_connlimit(state)) { - REASON_SET(reason, PFRES_SRCLIMIT); - return (PF_DROP); - } else - (*state)->src.state = PF_TCPS_PROXY_DST; - } - if ((*state)->src.state == PF_TCPS_PROXY_DST) { - if (direction == (*state)->direction) { - if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) || - (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || - (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { - REASON_SET(reason, PFRES_SYNPROXY); - return (PF_DROP); - } - (*state)->src.max_win = MAX(ntohs(th->th_win), 1); - if ((*state)->dst.seqhi == 1) - (*state)->dst.seqhi = htonl(arc4random()); -#ifdef __FreeBSD__ - pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, -#else - pf_send_tcp((*state)->rule.ptr, pd->af, -#endif - &sk->addr[pd->sidx], &sk->addr[pd->didx], - sk->port[pd->sidx], sk->port[pd->didx], - (*state)->dst.seqhi, 0, TH_SYN, 0, - (*state)->src.mss, 0, 0, (*state)->tag, NULL, NULL); - REASON_SET(reason, PFRES_SYNPROXY); - return (PF_SYNPROXY_DROP); - } else if (((th->th_flags & (TH_SYN|TH_ACK)) != - (TH_SYN|TH_ACK)) || - (ntohl(th->th_ack) != (*state)->dst.seqhi + 1)) { - REASON_SET(reason, PFRES_SYNPROXY); - return (PF_DROP); - } else { - (*state)->dst.max_win = MAX(ntohs(th->th_win), 1); - (*state)->dst.seqlo = ntohl(th->th_seq); -#ifdef __FreeBSD__ - pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst, -#else - pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, -#endif - pd->src, th->th_dport, th->th_sport, - ntohl(th->th_ack), ntohl(th->th_seq) + 1, - TH_ACK, (*state)->src.max_win, 0, 0, 0, - (*state)->tag, NULL, NULL); -#ifdef __FreeBSD__ - pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, -#else - pf_send_tcp((*state)->rule.ptr, pd->af, -#endif - &sk->addr[pd->sidx], &sk->addr[pd->didx], - sk->port[pd->sidx], sk->port[pd->didx], - (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, - TH_ACK, (*state)->dst.max_win, 0, 0, 1, - 0, NULL, NULL); - (*state)->src.seqdiff = (*state)->dst.seqhi - - (*state)->src.seqlo; - (*state)->dst.seqdiff = (*state)->src.seqhi - - (*state)->dst.seqlo; - (*state)->src.seqhi = (*state)->src.seqlo + - (*state)->dst.max_win; - (*state)->dst.seqhi = (*state)->dst.seqlo + - (*state)->src.max_win; - (*state)->src.wscale = (*state)->dst.wscale = 0; - (*state)->src.state = (*state)->dst.state = - TCPS_ESTABLISHED; - REASON_SET(reason, PFRES_SYNPROXY); - return (PF_SYNPROXY_DROP); - } - } - - if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) && - dst->state >= TCPS_FIN_WAIT_2 && - src->state >= TCPS_FIN_WAIT_2) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf: state reuse "); - pf_print_state(*state); - pf_print_flags(th->th_flags); - printf("\n"); - } - /* XXX make sure it's the same direction ?? */ - (*state)->src.state = (*state)->dst.state = TCPS_CLOSED; - pf_unlink_state(*state); - *state = NULL; - return (PF_DROP); - } - - if ((*state)->state_flags & PFSTATE_SLOPPY) { - if (pf_tcp_track_sloppy(src, dst, state, pd, reason) == PF_DROP) - return (PF_DROP); - } else { - if (pf_tcp_track_full(src, dst, state, kif, m, off, pd, reason, - ©back) == PF_DROP) - return (PF_DROP); - } - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = (*state)->key[pd->didx]; - - if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || - nk->port[pd->sidx] != th->th_sport) - pf_change_ap(pd->src, &th->th_sport, pd->ip_sum, - &th->th_sum, &nk->addr[pd->sidx], - nk->port[pd->sidx], 0, pd->af); - - if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || - nk->port[pd->didx] != th->th_dport) - pf_change_ap(pd->dst, &th->th_dport, pd->ip_sum, - &th->th_sum, &nk->addr[pd->didx], - nk->port[pd->didx], 0, pd->af); - copyback = 1; - } - - /* Copyback sequence modulation or stateful scrub changes if needed */ - if (copyback) -#ifdef __FreeBSD__ - m_copyback(m, off, sizeof(*th), (caddr_t)th); -#else - m_copyback(m, off, sizeof(*th), th); -#endif - - return (PF_PASS); -} - -int -pf_test_state_udp(struct pf_state **state, int direction, struct pfi_kif *kif, - struct mbuf *m, int off, void *h, struct pf_pdesc *pd) -{ - struct pf_state_peer *src, *dst; - struct pf_state_key_cmp key; - struct udphdr *uh = pd->hdr.udp; - - key.af = pd->af; - key.proto = IPPROTO_UDP; - if (direction == PF_IN) { /* wire side, straight */ - PF_ACPY(&key.addr[0], pd->src, key.af); - PF_ACPY(&key.addr[1], pd->dst, key.af); - key.port[0] = uh->uh_sport; - key.port[1] = uh->uh_dport; - } else { /* stack side, reverse */ - PF_ACPY(&key.addr[1], pd->src, key.af); - PF_ACPY(&key.addr[0], pd->dst, key.af); - key.port[1] = uh->uh_sport; - key.port[0] = uh->uh_dport; - } - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - if (direction == (*state)->direction) { - src = &(*state)->src; - dst = &(*state)->dst; - } else { - src = &(*state)->dst; - dst = &(*state)->src; - } - - /* update states */ - if (src->state < PFUDPS_SINGLE) - src->state = PFUDPS_SINGLE; - if (dst->state == PFUDPS_SINGLE) - dst->state = PFUDPS_MULTIPLE; - - /* update expire time */ - (*state)->expire = time_second; - if (src->state == PFUDPS_MULTIPLE && dst->state == PFUDPS_MULTIPLE) - (*state)->timeout = PFTM_UDP_MULTIPLE; - else - (*state)->timeout = PFTM_UDP_SINGLE; - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = (*state)->key[pd->didx]; - - if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af) || - nk->port[pd->sidx] != uh->uh_sport) - pf_change_ap(pd->src, &uh->uh_sport, pd->ip_sum, - &uh->uh_sum, &nk->addr[pd->sidx], - nk->port[pd->sidx], 1, pd->af); - - if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af) || - nk->port[pd->didx] != uh->uh_dport) - pf_change_ap(pd->dst, &uh->uh_dport, pd->ip_sum, - &uh->uh_sum, &nk->addr[pd->didx], - nk->port[pd->didx], 1, pd->af); -#ifdef __FreeBSD__ - m_copyback(m, off, sizeof(*uh), (caddr_t)uh); -#else - m_copyback(m, off, sizeof(*uh), uh); -#endif - } - - return (PF_PASS); -} - -int -pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif, - struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason) -{ - struct pf_addr *saddr = pd->src, *daddr = pd->dst; -#ifdef __FreeBSD__ - u_int16_t icmpid = 0, *icmpsum; -#else - u_int16_t icmpid, *icmpsum; -#endif - u_int8_t icmptype; - int state_icmp = 0; - struct pf_state_key_cmp key; - - switch (pd->proto) { -#ifdef INET - case IPPROTO_ICMP: - icmptype = pd->hdr.icmp->icmp_type; - icmpid = pd->hdr.icmp->icmp_id; - icmpsum = &pd->hdr.icmp->icmp_cksum; - - if (icmptype == ICMP_UNREACH || - icmptype == ICMP_SOURCEQUENCH || - icmptype == ICMP_REDIRECT || - icmptype == ICMP_TIMXCEED || - icmptype == ICMP_PARAMPROB) - state_icmp++; - break; -#endif /* INET */ -#ifdef INET6 - case IPPROTO_ICMPV6: - icmptype = pd->hdr.icmp6->icmp6_type; - icmpid = pd->hdr.icmp6->icmp6_id; - icmpsum = &pd->hdr.icmp6->icmp6_cksum; - - if (icmptype == ICMP6_DST_UNREACH || - icmptype == ICMP6_PACKET_TOO_BIG || - icmptype == ICMP6_TIME_EXCEEDED || - icmptype == ICMP6_PARAM_PROB) - state_icmp++; - break; -#endif /* INET6 */ - } - - if (!state_icmp) { - - /* - * ICMP query/reply message not related to a TCP/UDP packet. - * Search for an ICMP state. - */ - key.af = pd->af; - key.proto = pd->proto; - key.port[0] = key.port[1] = icmpid; - if (direction == PF_IN) { /* wire side, straight */ - PF_ACPY(&key.addr[0], pd->src, key.af); - PF_ACPY(&key.addr[1], pd->dst, key.af); - } else { /* stack side, reverse */ - PF_ACPY(&key.addr[1], pd->src, key.af); - PF_ACPY(&key.addr[0], pd->dst, key.af); - } - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - (*state)->expire = time_second; - (*state)->timeout = PFTM_ICMP_ERROR_REPLY; - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = (*state)->key[pd->didx]; - - switch (pd->af) { -#ifdef INET - case AF_INET: - if (PF_ANEQ(pd->src, - &nk->addr[pd->sidx], AF_INET)) - pf_change_a(&saddr->v4.s_addr, - pd->ip_sum, - nk->addr[pd->sidx].v4.s_addr, 0); - - if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], - AF_INET)) - pf_change_a(&daddr->v4.s_addr, - pd->ip_sum, - nk->addr[pd->didx].v4.s_addr, 0); - - if (nk->port[0] != - pd->hdr.icmp->icmp_id) { - pd->hdr.icmp->icmp_cksum = - pf_cksum_fixup( - pd->hdr.icmp->icmp_cksum, icmpid, - nk->port[pd->sidx], 0); - pd->hdr.icmp->icmp_id = - nk->port[pd->sidx]; - } - - m_copyback(m, off, ICMP_MINLEN, -#ifdef __FreeBSD__ - (caddr_t) -#endif - pd->hdr.icmp); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (PF_ANEQ(pd->src, - &nk->addr[pd->sidx], AF_INET6)) - pf_change_a6(saddr, - &pd->hdr.icmp6->icmp6_cksum, - &nk->addr[pd->sidx], 0); - - if (PF_ANEQ(pd->dst, - &nk->addr[pd->didx], AF_INET6)) - pf_change_a6(daddr, - &pd->hdr.icmp6->icmp6_cksum, - &nk->addr[pd->didx], 0); - - m_copyback(m, off, - sizeof(struct icmp6_hdr), -#ifdef __FreeBSD__ - (caddr_t) -#endif - pd->hdr.icmp6); - break; -#endif /* INET6 */ - } - } - return (PF_PASS); - - } else { - /* - * ICMP error message in response to a TCP/UDP packet. - * Extract the inner TCP/UDP header and search for that state. - */ - - struct pf_pdesc pd2; -#ifdef __FreeBSD__ - bzero(&pd2, sizeof pd2); -#endif -#ifdef INET - struct ip h2; -#endif /* INET */ -#ifdef INET6 - struct ip6_hdr h2_6; - int terminal = 0; -#endif /* INET6 */ -#ifdef __FreeBSD__ - int ipoff2 = 0; - int off2 = 0; -#else - int ipoff2; - int off2; -#endif - - pd2.af = pd->af; - /* Payload packet is from the opposite direction. */ - pd2.sidx = (direction == PF_IN) ? 1 : 0; - pd2.didx = (direction == PF_IN) ? 0 : 1; - switch (pd->af) { -#ifdef INET - case AF_INET: - /* offset of h2 in mbuf chain */ - ipoff2 = off + ICMP_MINLEN; - - if (!pf_pull_hdr(m, ipoff2, &h2, sizeof(h2), - NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(ip)\n")); - return (PF_DROP); - } - /* - * ICMP error messages don't refer to non-first - * fragments - */ - if (h2.ip_off & htons(IP_OFFMASK)) { - REASON_SET(reason, PFRES_FRAG); - return (PF_DROP); - } - - /* offset of protocol header that follows h2 */ - off2 = ipoff2 + (h2.ip_hl << 2); - - pd2.proto = h2.ip_p; - pd2.src = (struct pf_addr *)&h2.ip_src; - pd2.dst = (struct pf_addr *)&h2.ip_dst; - pd2.ip_sum = &h2.ip_sum; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - ipoff2 = off + sizeof(struct icmp6_hdr); - - if (!pf_pull_hdr(m, ipoff2, &h2_6, sizeof(h2_6), - NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(ip6)\n")); - return (PF_DROP); - } - pd2.proto = h2_6.ip6_nxt; - pd2.src = (struct pf_addr *)&h2_6.ip6_src; - pd2.dst = (struct pf_addr *)&h2_6.ip6_dst; - pd2.ip_sum = NULL; - off2 = ipoff2 + sizeof(h2_6); - do { - switch (pd2.proto) { - case IPPROTO_FRAGMENT: - /* - * ICMPv6 error messages for - * non-first fragments - */ - REASON_SET(reason, PFRES_FRAG); - return (PF_DROP); - case IPPROTO_AH: - case IPPROTO_HOPOPTS: - case IPPROTO_ROUTING: - case IPPROTO_DSTOPTS: { - /* get next header and header length */ - struct ip6_ext opt6; - - if (!pf_pull_hdr(m, off2, &opt6, - sizeof(opt6), NULL, reason, - pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMPv6 short opt\n")); - return (PF_DROP); - } - if (pd2.proto == IPPROTO_AH) - off2 += (opt6.ip6e_len + 2) * 4; - else - off2 += (opt6.ip6e_len + 1) * 8; - pd2.proto = opt6.ip6e_nxt; - /* goto the next header */ - break; - } - default: - terminal++; - break; - } - } while (!terminal); - break; -#endif /* INET6 */ - } - - switch (pd2.proto) { - case IPPROTO_TCP: { - struct tcphdr th; - u_int32_t seq; - struct pf_state_peer *src, *dst; - u_int8_t dws; - int copyback = 0; - - /* - * Only the first 8 bytes of the TCP header can be - * expected. Don't access any TCP header fields after - * th_seq, an ackskew test is not possible. - */ - if (!pf_pull_hdr(m, off2, &th, 8, NULL, reason, - pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(tcp)\n")); - return (PF_DROP); - } - - key.af = pd2.af; - key.proto = IPPROTO_TCP; - PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af); - PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af); - key.port[pd2.sidx] = th.th_sport; - key.port[pd2.didx] = th.th_dport; - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - if (direction == (*state)->direction) { - src = &(*state)->dst; - dst = &(*state)->src; - } else { - src = &(*state)->src; - dst = &(*state)->dst; - } - - if (src->wscale && dst->wscale) - dws = dst->wscale & PF_WSCALE_MASK; - else - dws = 0; - - /* Demodulate sequence number */ - seq = ntohl(th.th_seq) - src->seqdiff; - if (src->seqdiff) { - pf_change_a(&th.th_seq, icmpsum, - htonl(seq), 0); - copyback = 1; - } - - if (!((*state)->state_flags & PFSTATE_SLOPPY) && - (!SEQ_GEQ(src->seqhi, seq) || - !SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)))) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf: BAD ICMP %d:%d ", - icmptype, pd->hdr.icmp->icmp_code); - pf_print_host(pd->src, 0, pd->af); - printf(" -> "); - pf_print_host(pd->dst, 0, pd->af); - printf(" state: "); - pf_print_state(*state); - printf(" seq=%u\n", seq); - } - REASON_SET(reason, PFRES_BADSTATE); - return (PF_DROP); - } else { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf: OK ICMP %d:%d ", - icmptype, pd->hdr.icmp->icmp_code); - pf_print_host(pd->src, 0, pd->af); - printf(" -> "); - pf_print_host(pd->dst, 0, pd->af); - printf(" state: "); - pf_print_state(*state); - printf(" seq=%u\n", seq); - } - } - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != - (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = - (*state)->key[pd->didx]; - - if (PF_ANEQ(pd2.src, - &nk->addr[pd2.sidx], pd2.af) || - nk->port[pd2.sidx] != th.th_sport) - pf_change_icmp(pd2.src, &th.th_sport, - daddr, &nk->addr[pd2.sidx], - nk->port[pd2.sidx], NULL, - pd2.ip_sum, icmpsum, - pd->ip_sum, 0, pd2.af); - - if (PF_ANEQ(pd2.dst, - &nk->addr[pd2.didx], pd2.af) || - nk->port[pd2.didx] != th.th_dport) - pf_change_icmp(pd2.dst, &th.th_dport, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], - nk->port[pd2.didx], NULL, - pd2.ip_sum, icmpsum, - pd->ip_sum, 0, pd2.af); - copyback = 1; - } - - if (copyback) { - switch (pd2.af) { -#ifdef INET - case AF_INET: - m_copyback(m, off, ICMP_MINLEN, -#ifdef __FreeBSD__ - (caddr_t) -#endif - pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), -#ifdef __FreeBSD__ - (caddr_t) -#endif - &h2); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - m_copyback(m, off, - sizeof(struct icmp6_hdr), -#ifdef __FreeBSD__ - (caddr_t) -#endif - pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), -#ifdef __FreeBSD__ - (caddr_t) -#endif - &h2_6); - break; -#endif /* INET6 */ - } -#ifdef __FreeBSD__ - m_copyback(m, off2, 8, (caddr_t)&th); -#else - m_copyback(m, off2, 8, &th); -#endif - } - - return (PF_PASS); - break; - } - case IPPROTO_UDP: { - struct udphdr uh; - - if (!pf_pull_hdr(m, off2, &uh, sizeof(uh), - NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(udp)\n")); - return (PF_DROP); - } - - key.af = pd2.af; - key.proto = IPPROTO_UDP; - PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af); - PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af); - key.port[pd2.sidx] = uh.uh_sport; - key.port[pd2.didx] = uh.uh_dport; - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != - (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = - (*state)->key[pd->didx]; - - if (PF_ANEQ(pd2.src, - &nk->addr[pd2.sidx], pd2.af) || - nk->port[pd2.sidx] != uh.uh_sport) - pf_change_icmp(pd2.src, &uh.uh_sport, - daddr, &nk->addr[pd2.sidx], - nk->port[pd2.sidx], &uh.uh_sum, - pd2.ip_sum, icmpsum, - pd->ip_sum, 1, pd2.af); - - if (PF_ANEQ(pd2.dst, - &nk->addr[pd2.didx], pd2.af) || - nk->port[pd2.didx] != uh.uh_dport) - pf_change_icmp(pd2.dst, &uh.uh_dport, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], - nk->port[pd2.didx], &uh.uh_sum, - pd2.ip_sum, icmpsum, - pd->ip_sum, 1, pd2.af); - - switch (pd2.af) { -#ifdef INET - case AF_INET: - m_copyback(m, off, ICMP_MINLEN, -#ifdef __FreeBSD__ - (caddr_t) -#endif - pd->hdr.icmp); -#ifdef __FreeBSD__ - m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); -#else - m_copyback(m, ipoff2, sizeof(h2), &h2); -#endif - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - m_copyback(m, off, - sizeof(struct icmp6_hdr), -#ifdef __FreeBSD__ - (caddr_t) -#endif - pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), -#ifdef __FreeBSD__ - (caddr_t) -#endif - &h2_6); - break; -#endif /* INET6 */ - } -#ifdef __FreeBSD__ - m_copyback(m, off2, sizeof(uh), (caddr_t)&uh); -#else - m_copyback(m, off2, sizeof(uh), &uh); -#endif - } - return (PF_PASS); - break; - } -#ifdef INET - case IPPROTO_ICMP: { - struct icmp iih; - - if (!pf_pull_hdr(m, off2, &iih, ICMP_MINLEN, - NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short i" - "(icmp)\n")); - return (PF_DROP); - } - - key.af = pd2.af; - key.proto = IPPROTO_ICMP; - PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af); - PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af); - key.port[0] = key.port[1] = iih.icmp_id; - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != - (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = - (*state)->key[pd->didx]; - - if (PF_ANEQ(pd2.src, - &nk->addr[pd2.sidx], pd2.af) || - nk->port[pd2.sidx] != iih.icmp_id) - pf_change_icmp(pd2.src, &iih.icmp_id, - daddr, &nk->addr[pd2.sidx], - nk->port[pd2.sidx], NULL, - pd2.ip_sum, icmpsum, - pd->ip_sum, 0, AF_INET); - - if (PF_ANEQ(pd2.dst, - &nk->addr[pd2.didx], pd2.af) || - nk->port[pd2.didx] != iih.icmp_id) - pf_change_icmp(pd2.dst, &iih.icmp_id, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], - nk->port[pd2.didx], NULL, - pd2.ip_sum, icmpsum, - pd->ip_sum, 0, AF_INET); - -#ifdef __FreeBSD__ - m_copyback(m, off, ICMP_MINLEN, (caddr_t)pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); - m_copyback(m, off2, ICMP_MINLEN, (caddr_t)&iih); -#else - m_copyback(m, off, ICMP_MINLEN, pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), &h2); - m_copyback(m, off2, ICMP_MINLEN, &iih); -#endif - } - return (PF_PASS); - break; - } -#endif /* INET */ -#ifdef INET6 - case IPPROTO_ICMPV6: { - struct icmp6_hdr iih; - - if (!pf_pull_hdr(m, off2, &iih, - sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: ICMP error message too short " - "(icmp6)\n")); - return (PF_DROP); - } - - key.af = pd2.af; - key.proto = IPPROTO_ICMPV6; - PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af); - PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af); - key.port[0] = key.port[1] = iih.icmp6_id; - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != - (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = - (*state)->key[pd->didx]; - - if (PF_ANEQ(pd2.src, - &nk->addr[pd2.sidx], pd2.af) || - nk->port[pd2.sidx] != iih.icmp6_id) - pf_change_icmp(pd2.src, &iih.icmp6_id, - daddr, &nk->addr[pd2.sidx], - nk->port[pd2.sidx], NULL, - pd2.ip_sum, icmpsum, - pd->ip_sum, 0, AF_INET6); - - if (PF_ANEQ(pd2.dst, - &nk->addr[pd2.didx], pd2.af) || - nk->port[pd2.didx] != iih.icmp6_id) - pf_change_icmp(pd2.dst, &iih.icmp6_id, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], - nk->port[pd2.didx], NULL, - pd2.ip_sum, icmpsum, - pd->ip_sum, 0, AF_INET6); - -#ifdef __FreeBSD__ - m_copyback(m, off, sizeof(struct icmp6_hdr), - (caddr_t)pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), (caddr_t)&h2_6); - m_copyback(m, off2, sizeof(struct icmp6_hdr), - (caddr_t)&iih); -#else - m_copyback(m, off, sizeof(struct icmp6_hdr), - pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), &h2_6); - m_copyback(m, off2, sizeof(struct icmp6_hdr), - &iih); -#endif - } - return (PF_PASS); - break; - } -#endif /* INET6 */ - default: { - key.af = pd2.af; - key.proto = pd2.proto; - PF_ACPY(&key.addr[pd2.sidx], pd2.src, key.af); - PF_ACPY(&key.addr[pd2.didx], pd2.dst, key.af); - key.port[0] = key.port[1] = 0; - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != - (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = - (*state)->key[pd->didx]; - - if (PF_ANEQ(pd2.src, - &nk->addr[pd2.sidx], pd2.af)) - pf_change_icmp(pd2.src, NULL, daddr, - &nk->addr[pd2.sidx], 0, NULL, - pd2.ip_sum, icmpsum, - pd->ip_sum, 0, pd2.af); - - if (PF_ANEQ(pd2.dst, - &nk->addr[pd2.didx], pd2.af)) - pf_change_icmp(pd2.src, NULL, - NULL, /* XXX Inbound NAT? */ - &nk->addr[pd2.didx], 0, NULL, - pd2.ip_sum, icmpsum, - pd->ip_sum, 0, pd2.af); - - switch (pd2.af) { -#ifdef INET - case AF_INET: -#ifdef __FreeBSD__ - m_copyback(m, off, ICMP_MINLEN, - (caddr_t)pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), (caddr_t)&h2); -#else - m_copyback(m, off, ICMP_MINLEN, - pd->hdr.icmp); - m_copyback(m, ipoff2, sizeof(h2), &h2); -#endif - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - m_copyback(m, off, - sizeof(struct icmp6_hdr), -#ifdef __FreeBSD__ - (caddr_t) -#endif - pd->hdr.icmp6); - m_copyback(m, ipoff2, sizeof(h2_6), -#ifdef __FreeBSD__ - (caddr_t) -#endif - &h2_6); - break; -#endif /* INET6 */ - } - } - return (PF_PASS); - break; - } - } - } -} - -int -pf_test_state_other(struct pf_state **state, int direction, struct pfi_kif *kif, - struct mbuf *m, struct pf_pdesc *pd) -{ - struct pf_state_peer *src, *dst; - struct pf_state_key_cmp key; - - key.af = pd->af; - key.proto = pd->proto; - if (direction == PF_IN) { - PF_ACPY(&key.addr[0], pd->src, key.af); - PF_ACPY(&key.addr[1], pd->dst, key.af); - key.port[0] = key.port[1] = 0; - } else { - PF_ACPY(&key.addr[1], pd->src, key.af); - PF_ACPY(&key.addr[0], pd->dst, key.af); - key.port[1] = key.port[0] = 0; - } - -#ifdef __FreeBSD__ - STATE_LOOKUP(kif, &key, direction, *state, m, pd->pf_mtag); -#else - STATE_LOOKUP(kif, &key, direction, *state, m); -#endif - - if (direction == (*state)->direction) { - src = &(*state)->src; - dst = &(*state)->dst; - } else { - src = &(*state)->dst; - dst = &(*state)->src; - } - - /* update states */ - if (src->state < PFOTHERS_SINGLE) - src->state = PFOTHERS_SINGLE; - if (dst->state == PFOTHERS_SINGLE) - dst->state = PFOTHERS_MULTIPLE; - - /* update expire time */ - (*state)->expire = time_second; - if (src->state == PFOTHERS_MULTIPLE && dst->state == PFOTHERS_MULTIPLE) - (*state)->timeout = PFTM_OTHER_MULTIPLE; - else - (*state)->timeout = PFTM_OTHER_SINGLE; - - /* translate source/destination address, if necessary */ - if ((*state)->key[PF_SK_WIRE] != (*state)->key[PF_SK_STACK]) { - struct pf_state_key *nk = (*state)->key[pd->didx]; - -#ifdef __FreeBSD__ - KASSERT(nk, ("%s: nk is null", __FUNCTION__)); - KASSERT(pd, ("%s: pd is null", __FUNCTION__)); - KASSERT(pd->src, ("%s: pd->src is null", __FUNCTION__)); - KASSERT(pd->dst, ("%s: pd->dst is null", __FUNCTION__)); -#else - KASSERT(nk); - KASSERT(pd); - KASSERT(pd->src); - KASSERT(pd->dst); -#endif - switch (pd->af) { -#ifdef INET - case AF_INET: - if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET)) - pf_change_a(&pd->src->v4.s_addr, - pd->ip_sum, - nk->addr[pd->sidx].v4.s_addr, - 0); - - - if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET)) - pf_change_a(&pd->dst->v4.s_addr, - pd->ip_sum, - nk->addr[pd->didx].v4.s_addr, - 0); - - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], AF_INET)) - PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af); - - if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], AF_INET)) - PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af); -#endif /* INET6 */ - } - } - return (PF_PASS); -} - -/* - * ipoff and off are measured from the start of the mbuf chain. - * h must be at "ipoff" on the mbuf chain. - */ -void * -pf_pull_hdr(struct mbuf *m, int off, void *p, int len, - u_short *actionp, u_short *reasonp, sa_family_t af) -{ - switch (af) { -#ifdef INET - case AF_INET: { - struct ip *h = mtod(m, struct ip *); - u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; - - if (fragoff) { - if (fragoff >= len) - ACTION_SET(actionp, PF_PASS); - else { - ACTION_SET(actionp, PF_DROP); - REASON_SET(reasonp, PFRES_FRAG); - } - return (NULL); - } - if (m->m_pkthdr.len < off + len || - ntohs(h->ip_len) < off + len) { - ACTION_SET(actionp, PF_DROP); - REASON_SET(reasonp, PFRES_SHORT); - return (NULL); - } - break; - } -#endif /* INET */ -#ifdef INET6 - case AF_INET6: { - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); - - if (m->m_pkthdr.len < off + len || - (ntohs(h->ip6_plen) + sizeof(struct ip6_hdr)) < - (unsigned)(off + len)) { - ACTION_SET(actionp, PF_DROP); - REASON_SET(reasonp, PFRES_SHORT); - return (NULL); - } - break; - } -#endif /* INET6 */ - } - m_copydata(m, off, len, p); - return (p); -} - -int -pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif, - int rtableid) -{ -#ifdef __FreeBSD__ -#ifdef RADIX_MPATH - struct radix_node_head *rnh; -#endif -#endif - struct sockaddr_in *dst; - int ret = 1; - int check_mpath; -#ifndef __FreeBSD__ - extern int ipmultipath; -#endif -#ifdef INET6 -#ifndef __FreeBSD__ - extern int ip6_multipath; -#endif - struct sockaddr_in6 *dst6; - struct route_in6 ro; -#else - struct route ro; -#endif - struct radix_node *rn; - struct rtentry *rt; - struct ifnet *ifp; - - check_mpath = 0; -#ifdef __FreeBSD__ -#ifdef RADIX_MPATH - /* XXX: stick to table 0 for now */ - rnh = rt_tables_get_rnh(0, af); - if (rnh != NULL && rn_mpath_capable(rnh)) - check_mpath = 1; -#endif -#endif - bzero(&ro, sizeof(ro)); - switch (af) { - case AF_INET: - dst = satosin(&ro.ro_dst); - dst->sin_family = AF_INET; - dst->sin_len = sizeof(*dst); - dst->sin_addr = addr->v4; -#ifndef __FreeBSD__ - if (ipmultipath) - check_mpath = 1; -#endif - break; -#ifdef INET6 - case AF_INET6: - /* - * Skip check for addresses with embedded interface scope, - * as they would always match anyway. - */ - if (IN6_IS_SCOPE_EMBED(&addr->v6)) - goto out; - dst6 = (struct sockaddr_in6 *)&ro.ro_dst; - dst6->sin6_family = AF_INET6; - dst6->sin6_len = sizeof(*dst6); - dst6->sin6_addr = addr->v6; -#ifndef __FreeBSD__ - if (ip6_multipath) - check_mpath = 1; -#endif - break; -#endif /* INET6 */ - default: - return (0); - } - - /* Skip checks for ipsec interfaces */ - if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC) - goto out; - -#ifdef __FreeBSD__ - switch (af) { -#ifdef INET6 - case AF_INET6: - in6_rtalloc_ign(&ro, 0, rtableid); - break; -#endif -#ifdef INET - case AF_INET: - in_rtalloc_ign((struct route *)&ro, 0, rtableid); - break; -#endif - default: - rtalloc_ign((struct route *)&ro, 0); /* No/default FIB. */ - break; - } -#else /* ! __FreeBSD__ */ - rtalloc_noclone((struct route *)&ro, NO_CLONING); -#endif - - if (ro.ro_rt != NULL) { - /* No interface given, this is a no-route check */ - if (kif == NULL) - goto out; - - if (kif->pfik_ifp == NULL) { - ret = 0; - goto out; - } - - /* Perform uRPF check if passed input interface */ - ret = 0; - rn = (struct radix_node *)ro.ro_rt; - do { - rt = (struct rtentry *)rn; -#ifndef __FreeBSD__ /* CARPDEV */ - if (rt->rt_ifp->if_type == IFT_CARP) - ifp = rt->rt_ifp->if_carpdev; - else -#endif - ifp = rt->rt_ifp; - - if (kif->pfik_ifp == ifp) - ret = 1; -#ifdef __FreeBSD__ -#ifdef RADIX_MPATH - rn = rn_mpath_next(rn); -#endif -#else - rn = rn_mpath_next(rn, 0); -#endif - } while (check_mpath == 1 && rn != NULL && ret == 0); - } else - ret = 0; -out: - if (ro.ro_rt != NULL) - RTFREE(ro.ro_rt); - return (ret); -} - -int -pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw, - int rtableid) -{ - struct sockaddr_in *dst; -#ifdef INET6 - struct sockaddr_in6 *dst6; - struct route_in6 ro; -#else - struct route ro; -#endif - int ret = 0; - - bzero(&ro, sizeof(ro)); - switch (af) { - case AF_INET: - dst = satosin(&ro.ro_dst); - dst->sin_family = AF_INET; - dst->sin_len = sizeof(*dst); - dst->sin_addr = addr->v4; - break; -#ifdef INET6 - case AF_INET6: - dst6 = (struct sockaddr_in6 *)&ro.ro_dst; - dst6->sin6_family = AF_INET6; - dst6->sin6_len = sizeof(*dst6); - dst6->sin6_addr = addr->v6; - break; -#endif /* INET6 */ - default: - return (0); - } - -#ifdef __FreeBSD__ - switch (af) { -#ifdef INET6 - case AF_INET6: - in6_rtalloc_ign(&ro, 0, rtableid); - break; -#endif -#ifdef INET - case AF_INET: - in_rtalloc_ign((struct route *)&ro, 0, rtableid); - break; -#endif - default: - rtalloc_ign((struct route *)&ro, 0); - break; - } -#else /* ! __FreeBSD__ */ - rtalloc_noclone((struct route *)&ro, NO_CLONING); -#endif - - if (ro.ro_rt != NULL) { -#ifdef __FreeBSD__ - /* XXX_IMPORT: later */ -#else - if (ro.ro_rt->rt_labelid == aw->v.rtlabel) - ret = 1; -#endif - RTFREE(ro.ro_rt); - } - - return (ret); -} - -#ifdef INET -void -pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, - struct pf_state *s, struct pf_pdesc *pd) -{ - struct mbuf *m0, *m1; - struct route iproute; - struct route *ro = NULL; - struct sockaddr_in *dst; - struct ip *ip; - struct ifnet *ifp = NULL; - struct pf_addr naddr; - struct pf_src_node *sn = NULL; - int error = 0; -#ifdef __FreeBSD__ - int sw_csum; -#endif -#ifdef IPSEC - struct m_tag *mtag; -#endif /* IPSEC */ - - if (m == NULL || *m == NULL || r == NULL || - (dir != PF_IN && dir != PF_OUT) || oifp == NULL) - panic("pf_route: invalid parameters"); - -#ifdef __FreeBSD__ - if (pd->pf_mtag->routed++ > 3) { -#else - if ((*m)->m_pkthdr.pf.routed++ > 3) { -#endif - m0 = *m; - *m = NULL; - goto bad; - } - - if (r->rt == PF_DUPTO) { -#ifdef __FreeBSD__ - if ((m0 = m_dup(*m, M_DONTWAIT)) == NULL) -#else - if ((m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT)) == NULL) -#endif - return; - } else { - if ((r->rt == PF_REPLYTO) == (r->direction == dir)) - return; - m0 = *m; - } - - if (m0->m_len < sizeof(struct ip)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route: m0->m_len < sizeof(struct ip)\n")); - goto bad; - } - - ip = mtod(m0, struct ip *); - - ro = &iproute; - bzero((caddr_t)ro, sizeof(*ro)); - dst = satosin(&ro->ro_dst); - dst->sin_family = AF_INET; - dst->sin_len = sizeof(*dst); - dst->sin_addr = ip->ip_dst; - - if (r->rt == PF_FASTROUTE) { -#ifdef __FreeBSD__ - in_rtalloc_ign(ro, 0, M_GETFIB(m0)); -#else - rtalloc(ro); -#endif - if (ro->ro_rt == 0) { -#ifdef __FreeBSD__ - KMOD_IPSTAT_INC(ips_noroute); -#else - ipstat.ips_noroute++; -#endif - goto bad; - } - - ifp = ro->ro_rt->rt_ifp; - ro->ro_rt->rt_use++; - - if (ro->ro_rt->rt_flags & RTF_GATEWAY) - dst = satosin(ro->ro_rt->rt_gateway); - } else { - if (TAILQ_EMPTY(&r->rpool.list)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route: TAILQ_EMPTY(&r->rpool.list)\n")); - goto bad; - } - if (s == NULL) { - pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, - &naddr, NULL, &sn); - if (!PF_AZERO(&naddr, AF_INET)) - dst->sin_addr.s_addr = naddr.v4.s_addr; - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; - } else { - if (!PF_AZERO(&s->rt_addr, AF_INET)) - dst->sin_addr.s_addr = - s->rt_addr.v4.s_addr; - ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; - } - } - if (ifp == NULL) - goto bad; - - if (oifp != ifp) { -#ifdef __FreeBSD__ - PF_UNLOCK(); - if (pf_test(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) { - PF_LOCK(); - goto bad; - } else if (m0 == NULL) { - PF_LOCK(); - goto done; - } - PF_LOCK(); -#else - if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) - goto bad; - else if (m0 == NULL) - goto done; -#endif - if (m0->m_len < sizeof(struct ip)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route: m0->m_len < sizeof(struct ip)\n")); - goto bad; - } - ip = mtod(m0, struct ip *); - } - -#ifdef __FreeBSD__ - /* Copied from FreeBSD 5.1-CURRENT ip_output. */ - m0->m_pkthdr.csum_flags |= CSUM_IP; - sw_csum = m0->m_pkthdr.csum_flags & ~ifp->if_hwassist; - if (sw_csum & CSUM_DELAY_DATA) { - /* - * XXX: in_delayed_cksum assumes HBO for ip->ip_len (at least) - */ - NTOHS(ip->ip_len); - NTOHS(ip->ip_off); /* XXX: needed? */ - in_delayed_cksum(m0); - HTONS(ip->ip_len); - HTONS(ip->ip_off); - sw_csum &= ~CSUM_DELAY_DATA; - } - m0->m_pkthdr.csum_flags &= ifp->if_hwassist; - - if (ntohs(ip->ip_len) <= ifp->if_mtu || - (ifp->if_hwassist & CSUM_FRAGMENT && - ((ip->ip_off & htons(IP_DF)) == 0))) { - /* - * ip->ip_len = htons(ip->ip_len); - * ip->ip_off = htons(ip->ip_off); - */ - ip->ip_sum = 0; - if (sw_csum & CSUM_DELAY_IP) { - /* From KAME */ - if (ip->ip_v == IPVERSION && - (ip->ip_hl << 2) == sizeof(*ip)) { - ip->ip_sum = in_cksum_hdr(ip); - } else { - ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); - } - } - PF_UNLOCK(); - error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro); - PF_LOCK(); - goto done; - } -#else - /* Copied from ip_output. */ -#ifdef IPSEC - /* - * If deferred crypto processing is needed, check that the - * interface supports it. - */ - if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL)) - != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) { - /* Notify IPsec to do its own crypto. */ - ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); - goto bad; - } -#endif /* IPSEC */ - - /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */ - if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) { - if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) || - ifp->if_bridge != NULL) { - in_delayed_cksum(m0); - m0->m_pkthdr.csum_flags &= ~M_TCPV4_CSUM_OUT; /* Clr */ - } - } else if (m0->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) { - if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) || - ifp->if_bridge != NULL) { - in_delayed_cksum(m0); - m0->m_pkthdr.csum_flags &= ~M_UDPV4_CSUM_OUT; /* Clr */ - } - } - - if (ntohs(ip->ip_len) <= ifp->if_mtu) { - ip->ip_sum = 0; - if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) && - ifp->if_bridge == NULL) { - m0->m_pkthdr.csum_flags |= M_IPV4_CSUM_OUT; -#ifdef __FreeBSD__ - KMOD_IPSTAT_INC(ips_outhwcsum); -#else - ipstat.ips_outhwcsum++; -#endif - } else - ip->ip_sum = in_cksum(m0, ip->ip_hl << 2); - /* Update relevant hardware checksum stats for TCP/UDP */ - if (m0->m_pkthdr.csum_flags & M_TCPV4_CSUM_OUT) - KMOD_TCPSTAT_INC(tcps_outhwcsum); - else if (m0->m_pkthdr.csum_flags & M_UDPV4_CSUM_OUT) - KMOD_UDPSTAT_INC(udps_outhwcsum); - error = (*ifp->if_output)(ifp, m0, sintosa(dst), NULL); - goto done; - } -#endif - - /* - * Too large for interface; fragment if possible. - * Must be able to put at least 8 bytes per fragment. - */ - if (ip->ip_off & htons(IP_DF)) { -#ifdef __FreeBSD__ - KMOD_IPSTAT_INC(ips_cantfrag); -#else - ipstat.ips_cantfrag++; -#endif - if (r->rt != PF_DUPTO) { -#ifdef __FreeBSD__ - /* icmp_error() expects host byte ordering */ - NTOHS(ip->ip_len); - NTOHS(ip->ip_off); - PF_UNLOCK(); - icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, - ifp->if_mtu); - PF_LOCK(); -#else - icmp_error(m0, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, - ifp->if_mtu); -#endif - goto done; - } else - goto bad; - } - - m1 = m0; -#ifdef __FreeBSD__ - /* - * XXX: is cheaper + less error prone than own function - */ - NTOHS(ip->ip_len); - NTOHS(ip->ip_off); - error = ip_fragment(ip, &m0, ifp->if_mtu, ifp->if_hwassist, sw_csum); -#else - error = ip_fragment(m0, ifp, ifp->if_mtu); -#endif - if (error) { -#ifndef __FreeBSD__ /* ip_fragment does not do m_freem() on FreeBSD */ - m0 = NULL; -#endif - goto bad; - } - - for (m0 = m1; m0; m0 = m1) { - m1 = m0->m_nextpkt; - m0->m_nextpkt = 0; -#ifdef __FreeBSD__ - if (error == 0) { - PF_UNLOCK(); - error = (*ifp->if_output)(ifp, m0, sintosa(dst), - NULL); - PF_LOCK(); - } else -#else - if (error == 0) - error = (*ifp->if_output)(ifp, m0, sintosa(dst), - NULL); - else -#endif - m_freem(m0); - } - - if (error == 0) -#ifdef __FreeBSD__ - KMOD_IPSTAT_INC(ips_fragmented); -#else - ipstat.ips_fragmented++; -#endif - -done: - if (r->rt != PF_DUPTO) - *m = NULL; - if (ro == &iproute && ro->ro_rt) - RTFREE(ro->ro_rt); - return; - -bad: - m_freem(m0); - goto done; -} -#endif /* INET */ - -#ifdef INET6 -void -pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, - struct pf_state *s, struct pf_pdesc *pd) -{ - struct mbuf *m0; - struct route_in6 ip6route; - struct route_in6 *ro; - struct sockaddr_in6 *dst; - struct ip6_hdr *ip6; - struct ifnet *ifp = NULL; - struct pf_addr naddr; - struct pf_src_node *sn = NULL; - - if (m == NULL || *m == NULL || r == NULL || - (dir != PF_IN && dir != PF_OUT) || oifp == NULL) - panic("pf_route6: invalid parameters"); - -#ifdef __FreeBSD__ - if (pd->pf_mtag->routed++ > 3) { -#else - if ((*m)->m_pkthdr.pf.routed++ > 3) { -#endif - m0 = *m; - *m = NULL; - goto bad; - } - - if (r->rt == PF_DUPTO) { -#ifdef __FreeBSD__ - if ((m0 = m_dup(*m, M_DONTWAIT)) == NULL) -#else - if ((m0 = m_copym2(*m, 0, M_COPYALL, M_NOWAIT)) == NULL) -#endif - return; - } else { - if ((r->rt == PF_REPLYTO) == (r->direction == dir)) - return; - m0 = *m; - } - - if (m0->m_len < sizeof(struct ip6_hdr)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n")); - goto bad; - } - ip6 = mtod(m0, struct ip6_hdr *); - - ro = &ip6route; - bzero((caddr_t)ro, sizeof(*ro)); - dst = (struct sockaddr_in6 *)&ro->ro_dst; - dst->sin6_family = AF_INET6; - dst->sin6_len = sizeof(*dst); - dst->sin6_addr = ip6->ip6_dst; - - /* Cheat. XXX why only in the v6 case??? */ - if (r->rt == PF_FASTROUTE) { -#ifdef __FreeBSD__ - m0->m_flags |= M_SKIP_FIREWALL; - PF_UNLOCK(); - ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); -#else - m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; - ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); -#endif - return; - } - - if (TAILQ_EMPTY(&r->rpool.list)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route6: TAILQ_EMPTY(&r->rpool.list)\n")); - goto bad; - } - if (s == NULL) { - pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, - &naddr, NULL, &sn); - if (!PF_AZERO(&naddr, AF_INET6)) - PF_ACPY((struct pf_addr *)&dst->sin6_addr, - &naddr, AF_INET6); - ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; - } else { - if (!PF_AZERO(&s->rt_addr, AF_INET6)) - PF_ACPY((struct pf_addr *)&dst->sin6_addr, - &s->rt_addr, AF_INET6); - ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; - } - if (ifp == NULL) - goto bad; - - if (oifp != ifp) { -#ifdef __FreeBSD__ - PF_UNLOCK(); - if (pf_test6(PF_OUT, ifp, &m0, NULL, NULL) != PF_PASS) { - PF_LOCK(); - goto bad; - } else if (m0 == NULL) { - PF_LOCK(); - goto done; - } - PF_LOCK(); -#else - if (pf_test6(PF_OUT, ifp, &m0, NULL) != PF_PASS) - goto bad; - else if (m0 == NULL) - goto done; -#endif - if (m0->m_len < sizeof(struct ip6_hdr)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_route6: m0->m_len < sizeof(struct ip6_hdr)\n")); - goto bad; - } - ip6 = mtod(m0, struct ip6_hdr *); - } - - /* - * If the packet is too large for the outgoing interface, - * send back an icmp6 error. - */ - if (IN6_IS_SCOPE_EMBED(&dst->sin6_addr)) - dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); - if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - nd6_output(ifp, ifp, m0, dst, NULL); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - } else { - in6_ifstat_inc(ifp, ifs6_in_toobig); -#ifdef __FreeBSD__ - if (r->rt != PF_DUPTO) { - PF_UNLOCK(); - icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); - PF_LOCK(); - } else -#else - if (r->rt != PF_DUPTO) - icmp6_error(m0, ICMP6_PACKET_TOO_BIG, 0, ifp->if_mtu); - else -#endif - goto bad; - } - -done: - if (r->rt != PF_DUPTO) - *m = NULL; - return; - -bad: - m_freem(m0); - goto done; -} -#endif /* INET6 */ - -#ifdef __FreeBSD__ -/* - * FreeBSD supports cksum offloads for the following drivers. - * em(4), fxp(4), ixgb(4), lge(4), ndis(4), nge(4), re(4), - * ti(4), txp(4), xl(4) - * - * CSUM_DATA_VALID | CSUM_PSEUDO_HDR : - * network driver performed cksum including pseudo header, need to verify - * csum_data - * CSUM_DATA_VALID : - * network driver performed cksum, needs to additional pseudo header - * cksum computation with partial csum_data(i.e. lack of H/W support for - * pseudo header, for instance hme(4), sk(4) and possibly gem(4)) - * - * After validating the cksum of packet, set both flag CSUM_DATA_VALID and - * CSUM_PSEUDO_HDR in order to avoid recomputation of the cksum in upper - * TCP/UDP layer. - * Also, set csum_data to 0xffff to force cksum validation. - */ -int -pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t af) -{ - u_int16_t sum = 0; - int hw_assist = 0; - struct ip *ip; - - if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) - return (1); - if (m->m_pkthdr.len < off + len) - return (1); - - switch (p) { - case IPPROTO_TCP: - if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) { - if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) { - sum = m->m_pkthdr.csum_data; - } else { - ip = mtod(m, struct ip *); - sum = in_pseudo(ip->ip_src.s_addr, - ip->ip_dst.s_addr, htonl((u_short)len + - m->m_pkthdr.csum_data + IPPROTO_TCP)); - } - sum ^= 0xffff; - ++hw_assist; - } - break; - case IPPROTO_UDP: - if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) { - if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR) { - sum = m->m_pkthdr.csum_data; - } else { - ip = mtod(m, struct ip *); - sum = in_pseudo(ip->ip_src.s_addr, - ip->ip_dst.s_addr, htonl((u_short)len + - m->m_pkthdr.csum_data + IPPROTO_UDP)); - } - sum ^= 0xffff; - ++hw_assist; - } - break; - case IPPROTO_ICMP: -#ifdef INET6 - case IPPROTO_ICMPV6: -#endif /* INET6 */ - break; - default: - return (1); - } - - if (!hw_assist) { - switch (af) { - case AF_INET: - if (p == IPPROTO_ICMP) { - if (m->m_len < off) - return (1); - m->m_data += off; - m->m_len -= off; - sum = in_cksum(m, len); - m->m_data -= off; - m->m_len += off; - } else { - if (m->m_len < sizeof(struct ip)) - return (1); - sum = in4_cksum(m, p, off, len); - } - break; -#ifdef INET6 - case AF_INET6: - if (m->m_len < sizeof(struct ip6_hdr)) - return (1); - sum = in6_cksum(m, p, off, len); - break; -#endif /* INET6 */ - default: - return (1); - } - } - if (sum) { - switch (p) { - case IPPROTO_TCP: - { - KMOD_TCPSTAT_INC(tcps_rcvbadsum); - break; - } - case IPPROTO_UDP: - { - KMOD_UDPSTAT_INC(udps_badsum); - break; - } -#ifdef INET - case IPPROTO_ICMP: - { - KMOD_ICMPSTAT_INC(icps_checksum); - break; - } -#endif -#ifdef INET6 - case IPPROTO_ICMPV6: - { - KMOD_ICMP6STAT_INC(icp6s_checksum); - break; - } -#endif /* INET6 */ - } - return (1); - } else { - if (p == IPPROTO_TCP || p == IPPROTO_UDP) { - m->m_pkthdr.csum_flags |= - (CSUM_DATA_VALID | CSUM_PSEUDO_HDR); - m->m_pkthdr.csum_data = 0xffff; - } - } - return (0); -} -#else /* !__FreeBSD__ */ - -/* - * check protocol (tcp/udp/icmp/icmp6) checksum and set mbuf flag - * off is the offset where the protocol header starts - * len is the total length of protocol header plus payload - * returns 0 when the checksum is valid, otherwise returns 1. - */ -int -pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, - sa_family_t af) -{ - u_int16_t flag_ok, flag_bad; - u_int16_t sum; - - switch (p) { - case IPPROTO_TCP: - flag_ok = M_TCP_CSUM_IN_OK; - flag_bad = M_TCP_CSUM_IN_BAD; - break; - case IPPROTO_UDP: - flag_ok = M_UDP_CSUM_IN_OK; - flag_bad = M_UDP_CSUM_IN_BAD; - break; - case IPPROTO_ICMP: -#ifdef INET6 - case IPPROTO_ICMPV6: -#endif /* INET6 */ - flag_ok = flag_bad = 0; - break; - default: - return (1); - } - if (m->m_pkthdr.csum_flags & flag_ok) - return (0); - if (m->m_pkthdr.csum_flags & flag_bad) - return (1); - if (off < sizeof(struct ip) || len < sizeof(struct udphdr)) - return (1); - if (m->m_pkthdr.len < off + len) - return (1); - switch (af) { -#ifdef INET - case AF_INET: - if (p == IPPROTO_ICMP) { - if (m->m_len < off) - return (1); - m->m_data += off; - m->m_len -= off; - sum = in_cksum(m, len); - m->m_data -= off; - m->m_len += off; - } else { - if (m->m_len < sizeof(struct ip)) - return (1); - sum = in4_cksum(m, p, off, len); - } - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (m->m_len < sizeof(struct ip6_hdr)) - return (1); - sum = in6_cksum(m, p, off, len); - break; -#endif /* INET6 */ - default: - return (1); - } - if (sum) { - m->m_pkthdr.csum_flags |= flag_bad; - switch (p) { - case IPPROTO_TCP: - KMOD_TCPSTAT_INC(tcps_rcvbadsum); - break; - case IPPROTO_UDP: - KMOD_UDPSTAT_INC(udps_badsum); - break; -#ifdef INET - case IPPROTO_ICMP: - KMOD_ICMPSTAT_INC(icps_checksum); - break; -#endif -#ifdef INET6 - case IPPROTO_ICMPV6: - KMOD_ICMP6STAT_INC(icp6s_checksum); - break; -#endif /* INET6 */ - } - return (1); - } - m->m_pkthdr.csum_flags |= flag_ok; - return (0); -} -#endif - -#ifndef __FreeBSD__ -struct pf_divert * -pf_find_divert(struct mbuf *m) -{ - struct m_tag *mtag; - - if ((mtag = m_tag_find(m, PACKET_TAG_PF_DIVERT, NULL)) == NULL) - return (NULL); - - return ((struct pf_divert *)(mtag + 1)); -} - -struct pf_divert * -pf_get_divert(struct mbuf *m) -{ - struct m_tag *mtag; - - if ((mtag = m_tag_find(m, PACKET_TAG_PF_DIVERT, NULL)) == NULL) { - mtag = m_tag_get(PACKET_TAG_PF_DIVERT, sizeof(struct pf_divert), - M_NOWAIT); - if (mtag == NULL) - return (NULL); - bzero(mtag + 1, sizeof(struct pf_divert)); - m_tag_prepend(m, mtag); - } - - return ((struct pf_divert *)(mtag + 1)); -} -#endif - -#ifdef INET -int -#ifdef __FreeBSD__ -pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, - struct ether_header *eh, struct inpcb *inp) -#else -pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, - struct ether_header *eh) -#endif -{ - struct pfi_kif *kif; - u_short action, reason = 0, log = 0; - struct mbuf *m = *m0; -#ifdef __FreeBSD__ - struct ip *h = NULL; - struct m_tag *ipfwtag; - struct pf_rule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; -#else - struct ip *h; - struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; -#endif - struct pf_state *s = NULL; - struct pf_ruleset *ruleset = NULL; - struct pf_pdesc pd; - int off, dirndx, pqid = 0; - -#ifdef __FreeBSD__ - PF_LOCK(); - if (!V_pf_status.running) - { - PF_UNLOCK(); - return (PF_PASS); - } -#else - if (!pf_status.running) - return (PF_PASS); -#endif - - memset(&pd, 0, sizeof(pd)); -#ifdef __FreeBSD__ - if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) { - PF_UNLOCK(); - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test: pf_get_mtag returned NULL\n")); - return (PF_DROP); - } -#endif -#ifndef __FreeBSD__ - if (ifp->if_type == IFT_CARP && ifp->if_carpdev) - kif = (struct pfi_kif *)ifp->if_carpdev->if_pf_kif; - else -#endif - kif = (struct pfi_kif *)ifp->if_pf_kif; - - if (kif == NULL) { -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test: kif == NULL, if_xname %s\n", ifp->if_xname)); - return (PF_DROP); - } - if (kif->pfik_flags & PFI_IFLAG_SKIP) -#ifdef __FreeBSD__ - { - PF_UNLOCK(); -#endif - return (PF_PASS); -#ifdef __FreeBSD__ - } -#endif - -#ifdef __FreeBSD__ - M_ASSERTPKTHDR(m); -#else -#ifdef DIAGNOSTIC - if ((m->m_flags & M_PKTHDR) == 0) - panic("non-M_PKTHDR is passed to pf_test"); -#endif /* DIAGNOSTIC */ -#endif - - if (m->m_pkthdr.len < (int)sizeof(*h)) { - action = PF_DROP; - REASON_SET(&reason, PFRES_SHORT); - log = 1; - goto done; - } - -#ifdef __FreeBSD__ - if (m->m_flags & M_SKIP_FIREWALL) { - PF_UNLOCK(); - return (PF_PASS); - } -#else - if (m->m_pkthdr.pf.flags & PF_TAG_GENERATED) - return (PF_PASS); -#endif - -#ifdef __FreeBSD__ - if (ip_divert_ptr != NULL && - ((ipfwtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) { - struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(ipfwtag+1); - if (rr->info & IPFW_IS_DIVERT && rr->rulenum == 0) { - pd.pf_mtag->flags |= PF_PACKET_LOOPED; - m_tag_delete(m, ipfwtag); - } - if (pd.pf_mtag->flags & PF_FASTFWD_OURS_PRESENT) { - m->m_flags |= M_FASTFWD_OURS; - pd.pf_mtag->flags &= ~PF_FASTFWD_OURS_PRESENT; - } - } else -#endif - /* We do IP header normalization and packet reassembly here */ - if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) { - action = PF_DROP; - goto done; - } - m = *m0; /* pf_normalize messes with m0 */ - h = mtod(m, struct ip *); - - off = h->ip_hl << 2; - if (off < (int)sizeof(*h)) { - action = PF_DROP; - REASON_SET(&reason, PFRES_SHORT); - log = 1; - goto done; - } - - pd.src = (struct pf_addr *)&h->ip_src; - pd.dst = (struct pf_addr *)&h->ip_dst; - pd.sport = pd.dport = NULL; - pd.ip_sum = &h->ip_sum; - pd.proto_sum = NULL; - pd.proto = h->ip_p; - pd.dir = dir; - pd.sidx = (dir == PF_IN) ? 0 : 1; - pd.didx = (dir == PF_IN) ? 1 : 0; - pd.af = AF_INET; - pd.tos = h->ip_tos; - pd.tot_len = ntohs(h->ip_len); - pd.eh = eh; - - /* handle fragments that didn't get reassembled by normalization */ - if (h->ip_off & htons(IP_MF | IP_OFFMASK)) { - action = pf_test_fragment(&r, dir, kif, m, h, - &pd, &a, &ruleset); - goto done; - } - - switch (h->ip_p) { - - case IPPROTO_TCP: { - struct tcphdr th; - - pd.hdr.tcp = &th; - if (!pf_pull_hdr(m, off, &th, sizeof(th), - &action, &reason, AF_INET)) { - log = action != PF_PASS; - goto done; - } - pd.p_len = pd.tot_len - off - (th.th_off << 2); - if ((th.th_flags & TH_ACK) && pd.p_len == 0) - pqid = 1; - action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); - if (action == PF_DROP) - goto done; - action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, - &reason); - if (action == PF_PASS) { -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); -#else - pfsync_update_state(s); -#endif -#endif /* NPFSYNC */ - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; - } else if (s == NULL) -#ifdef __FreeBSD__ - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, NULL, inp); -#else - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, &ipintrq); -#endif - break; - } - - case IPPROTO_UDP: { - struct udphdr uh; - - pd.hdr.udp = &uh; - if (!pf_pull_hdr(m, off, &uh, sizeof(uh), - &action, &reason, AF_INET)) { - log = action != PF_PASS; - goto done; - } - if (uh.uh_dport == 0 || - ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || - ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { - action = PF_DROP; - REASON_SET(&reason, PFRES_SHORT); - goto done; - } - action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); - if (action == PF_PASS) { -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); -#else - pfsync_update_state(s); -#endif -#endif /* NPFSYNC */ - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; - } else if (s == NULL) -#ifdef __FreeBSD__ - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, NULL, inp); -#else - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, &ipintrq); -#endif - break; - } - - case IPPROTO_ICMP: { - struct icmp ih; - - pd.hdr.icmp = &ih; - if (!pf_pull_hdr(m, off, &ih, ICMP_MINLEN, - &action, &reason, AF_INET)) { - log = action != PF_PASS; - goto done; - } - action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd, - &reason); - if (action == PF_PASS) { -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); -#else - pfsync_update_state(s); -#endif -#endif /* NPFSYNC */ - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; - } else if (s == NULL) -#ifdef __FreeBSD__ - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, NULL, inp); -#else - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, &ipintrq); -#endif - break; - } - -#ifdef INET6 - case IPPROTO_ICMPV6: { - action = PF_DROP; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: dropping IPv4 packet with ICMPv6 payload\n")); - goto done; - } -#endif - - default: - action = pf_test_state_other(&s, dir, kif, m, &pd); - if (action == PF_PASS) { -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); -#else - pfsync_update_state(s); -#endif -#endif /* NPFSYNC */ - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; - } else if (s == NULL) -#ifdef __FreeBSD__ - action = pf_test_rule(&r, &s, dir, kif, m, off, h, - &pd, &a, &ruleset, NULL, inp); -#else - action = pf_test_rule(&r, &s, dir, kif, m, off, h, - &pd, &a, &ruleset, &ipintrq); -#endif - break; - } - -done: - if (action == PF_PASS && h->ip_hl > 5 && - !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { - action = PF_DROP; - REASON_SET(&reason, PFRES_IPOPTIONS); - log = 1; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: dropping packet with ip options\n")); - } - - if ((s && s->tag) || r->rtableid >= 0) -#ifdef __FreeBSD__ - pf_tag_packet(m, s ? s->tag : 0, r->rtableid, pd.pf_mtag); -#else - pf_tag_packet(m, s ? s->tag : 0, r->rtableid); -#endif - - if (dir == PF_IN && s && s->key[PF_SK_STACK]) -#ifdef __FreeBSD__ - pd.pf_mtag->statekey = s->key[PF_SK_STACK]; -#else - m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; -#endif - -#ifdef ALTQ - if (action == PF_PASS && r->qid) { -#ifdef __FreeBSD__ - if (pqid || (pd.tos & IPTOS_LOWDELAY)) - pd.pf_mtag->qid = r->pqid; - else - pd.pf_mtag->qid = r->qid; - /* add hints for ecn */ - pd.pf_mtag->hdr = h; - -#else - if (pqid || (pd.tos & IPTOS_LOWDELAY)) - m->m_pkthdr.pf.qid = r->pqid; - else - m->m_pkthdr.pf.qid = r->qid; - /* add hints for ecn */ - m->m_pkthdr.pf.hdr = h; -#endif - } -#endif /* ALTQ */ - - /* - * connections redirected to loopback should not match sockets - * bound specifically to loopback due to security implications, - * see tcp_input() and in_pcblookup_listen(). - */ - if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || - pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && - (s->nat_rule.ptr->action == PF_RDR || - s->nat_rule.ptr->action == PF_BINAT) && - (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) -#ifdef __FreeBSD__ - m->m_flags |= M_SKIP_FIREWALL; -#else - m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST; -#endif - -#ifdef __FreeBSD__ - if (action == PF_PASS && r->divert.port && - ip_divert_ptr != NULL && !PACKET_LOOPED()) { - - ipfwtag = m_tag_alloc(MTAG_IPFW_RULE, 0, - sizeof(struct ipfw_rule_ref), M_NOWAIT | M_ZERO); - if (ipfwtag != NULL) { - ((struct ipfw_rule_ref *)(ipfwtag+1))->info = - ntohs(r->divert.port); - ((struct ipfw_rule_ref *)(ipfwtag+1))->rulenum = dir; - - m_tag_prepend(m, ipfwtag); - - PF_UNLOCK(); - - if (m->m_flags & M_FASTFWD_OURS) { - pd.pf_mtag->flags |= PF_FASTFWD_OURS_PRESENT; - m->m_flags &= ~M_FASTFWD_OURS; - } - - ip_divert_ptr(*m0, - dir == PF_IN ? DIR_IN : DIR_OUT); - *m0 = NULL; - return (action); - } else { - /* XXX: ipfw has the same behaviour! */ - action = PF_DROP; - REASON_SET(&reason, PFRES_MEMORY); - log = 1; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: failed to allocate divert tag\n")); - } - } -#else - if (dir == PF_IN && action == PF_PASS && r->divert.port) { - struct pf_divert *divert; - - if ((divert = pf_get_divert(m))) { - m->m_pkthdr.pf.flags |= PF_TAG_DIVERTED; - divert->port = r->divert.port; - divert->addr.ipv4 = r->divert.addr.v4; - } - } -#endif - - if (log) { - struct pf_rule *lr; - - if (s != NULL && s->nat_rule.ptr != NULL && - s->nat_rule.ptr->log & PF_LOG_ALL) - lr = s->nat_rule.ptr; - else - lr = r; - PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a, ruleset, - &pd); - } - - kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len; - kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++; - - if (action == PF_PASS || r->action == PF_DROP) { - dirndx = (dir == PF_OUT); - r->packets[dirndx]++; - r->bytes[dirndx] += pd.tot_len; - if (a != NULL) { - a->packets[dirndx]++; - a->bytes[dirndx] += pd.tot_len; - } - if (s != NULL) { - if (s->nat_rule.ptr != NULL) { - s->nat_rule.ptr->packets[dirndx]++; - s->nat_rule.ptr->bytes[dirndx] += pd.tot_len; - } - if (s->src_node != NULL) { - s->src_node->packets[dirndx]++; - s->src_node->bytes[dirndx] += pd.tot_len; - } - if (s->nat_src_node != NULL) { - s->nat_src_node->packets[dirndx]++; - s->nat_src_node->bytes[dirndx] += pd.tot_len; - } - dirndx = (dir == s->direction) ? 0 : 1; - s->packets[dirndx]++; - s->bytes[dirndx] += pd.tot_len; - } - tr = r; - nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; -#ifdef __FreeBSD__ - if (nr != NULL && r == &V_pf_default_rule) -#else - if (nr != NULL && r == &pf_default_rule) -#endif - tr = nr; - if (tr->src.addr.type == PF_ADDR_TABLE) - pfr_update_stats(tr->src.addr.p.tbl, - (s == NULL) ? pd.src : - &s->key[(s->direction == PF_IN)]-> - addr[(s->direction == PF_OUT)], - pd.af, pd.tot_len, dir == PF_OUT, - r->action == PF_PASS, tr->src.neg); - if (tr->dst.addr.type == PF_ADDR_TABLE) - pfr_update_stats(tr->dst.addr.p.tbl, - (s == NULL) ? pd.dst : - &s->key[(s->direction == PF_IN)]-> - addr[(s->direction == PF_IN)], - pd.af, pd.tot_len, dir == PF_OUT, - r->action == PF_PASS, tr->dst.neg); - } - - switch (action) { - case PF_SYNPROXY_DROP: - m_freem(*m0); - case PF_DEFER: - *m0 = NULL; - action = PF_PASS; - break; - default: - /* pf_route can free the mbuf causing *m0 to become NULL */ - if (r->rt) - pf_route(m0, r, dir, kif->pfik_ifp, s, &pd); - break; - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - return (action); -} -#endif /* INET */ - -#ifdef INET6 -int -#ifdef __FreeBSD__ -pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, - struct ether_header *eh, struct inpcb *inp) -#else -pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, - struct ether_header *eh) -#endif -{ - struct pfi_kif *kif; - u_short action, reason = 0, log = 0; - struct mbuf *m = *m0, *n = NULL; -#ifdef __FreeBSD__ - struct ip6_hdr *h = NULL; - struct pf_rule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; -#else - struct ip6_hdr *h; - struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr; -#endif - struct pf_state *s = NULL; - struct pf_ruleset *ruleset = NULL; - struct pf_pdesc pd; - int off, terminal = 0, dirndx, rh_cnt = 0; - -#ifdef __FreeBSD__ - PF_LOCK(); - if (!V_pf_status.running) { - PF_UNLOCK(); - return (PF_PASS); - } -#else - if (!pf_status.running) - return (PF_PASS); -#endif - - memset(&pd, 0, sizeof(pd)); -#ifdef __FreeBSD__ - if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) { - PF_UNLOCK(); - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test: pf_get_mtag returned NULL\n")); - return (PF_DROP); - } -#endif -#ifndef __FreeBSD__ - if (ifp->if_type == IFT_CARP && ifp->if_carpdev) - kif = (struct pfi_kif *)ifp->if_carpdev->if_pf_kif; - else -#endif - kif = (struct pfi_kif *)ifp->if_pf_kif; - - if (kif == NULL) { -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test6: kif == NULL, if_xname %s\n", ifp->if_xname)); - return (PF_DROP); - } - if (kif->pfik_flags & PFI_IFLAG_SKIP) -#ifdef __FreeBSD__ - { - PF_UNLOCK(); -#endif - return (PF_PASS); -#ifdef __FreeBSD__ - } -#endif - -#ifdef __FreeBSD__ - M_ASSERTPKTHDR(m); -#else -#ifdef DIAGNOSTIC - if ((m->m_flags & M_PKTHDR) == 0) - panic("non-M_PKTHDR is passed to pf_test6"); -#endif /* DIAGNOSTIC */ -#endif - - if (m->m_pkthdr.len < (int)sizeof(*h)) { - action = PF_DROP; - REASON_SET(&reason, PFRES_SHORT); - log = 1; - goto done; - } - -#ifdef __FreeBSD__ - if (pd.pf_mtag->flags & PF_TAG_GENERATED) { - PF_UNLOCK(); -#else - if (m->m_pkthdr.pf.flags & PF_TAG_GENERATED) -#endif - return (PF_PASS); -#ifdef __FreeBSD__ - } -#endif - - /* We do IP header normalization and packet reassembly here */ - if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) { - action = PF_DROP; - goto done; - } - m = *m0; /* pf_normalize messes with m0 */ - h = mtod(m, struct ip6_hdr *); - -#if 1 - /* - * we do not support jumbogram yet. if we keep going, zero ip6_plen - * will do something bad, so drop the packet for now. - */ - if (htons(h->ip6_plen) == 0) { - action = PF_DROP; - REASON_SET(&reason, PFRES_NORM); /*XXX*/ - goto done; - } -#endif - - pd.src = (struct pf_addr *)&h->ip6_src; - pd.dst = (struct pf_addr *)&h->ip6_dst; - pd.sport = pd.dport = NULL; - pd.ip_sum = NULL; - pd.proto_sum = NULL; - pd.dir = dir; - pd.sidx = (dir == PF_IN) ? 0 : 1; - pd.didx = (dir == PF_IN) ? 1 : 0; - pd.af = AF_INET6; - pd.tos = 0; - pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); - pd.eh = eh; - - off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); - pd.proto = h->ip6_nxt; - do { - switch (pd.proto) { - case IPPROTO_FRAGMENT: - action = pf_test_fragment(&r, dir, kif, m, h, - &pd, &a, &ruleset); - if (action == PF_DROP) - REASON_SET(&reason, PFRES_FRAG); - goto done; - case IPPROTO_ROUTING: { - struct ip6_rthdr rthdr; - - if (rh_cnt++) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: IPv6 more than one rthdr\n")); - action = PF_DROP; - REASON_SET(&reason, PFRES_IPOPTIONS); - log = 1; - goto done; - } - if (!pf_pull_hdr(m, off, &rthdr, sizeof(rthdr), NULL, - &reason, pd.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: IPv6 short rthdr\n")); - action = PF_DROP; - REASON_SET(&reason, PFRES_SHORT); - log = 1; - goto done; - } - if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: IPv6 rthdr0\n")); - action = PF_DROP; - REASON_SET(&reason, PFRES_IPOPTIONS); - log = 1; - goto done; - } - /* FALLTHROUGH */ - } - case IPPROTO_AH: - case IPPROTO_HOPOPTS: - case IPPROTO_DSTOPTS: { - /* get next header and header length */ - struct ip6_ext opt6; - - if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), - NULL, &reason, pd.af)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: IPv6 short opt\n")); - action = PF_DROP; - log = 1; - goto done; - } - if (pd.proto == IPPROTO_AH) - off += (opt6.ip6e_len + 2) * 4; - else - off += (opt6.ip6e_len + 1) * 8; - pd.proto = opt6.ip6e_nxt; - /* goto the next header */ - break; - } - default: - terminal++; - break; - } - } while (!terminal); - - /* if there's no routing header, use unmodified mbuf for checksumming */ - if (!n) - n = m; - - switch (pd.proto) { - - case IPPROTO_TCP: { - struct tcphdr th; - - pd.hdr.tcp = &th; - if (!pf_pull_hdr(m, off, &th, sizeof(th), - &action, &reason, AF_INET6)) { - log = action != PF_PASS; - goto done; - } - pd.p_len = pd.tot_len - off - (th.th_off << 2); - action = pf_normalize_tcp(dir, kif, m, 0, off, h, &pd); - if (action == PF_DROP) - goto done; - action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, - &reason); - if (action == PF_PASS) { -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); -#else - pfsync_update_state(s); -#endif -#endif /* NPFSYNC */ - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; - } else if (s == NULL) -#ifdef __FreeBSD__ - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, NULL, inp); -#else - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, &ip6intrq); -#endif - break; - } - - case IPPROTO_UDP: { - struct udphdr uh; - - pd.hdr.udp = &uh; - if (!pf_pull_hdr(m, off, &uh, sizeof(uh), - &action, &reason, AF_INET6)) { - log = action != PF_PASS; - goto done; - } - if (uh.uh_dport == 0 || - ntohs(uh.uh_ulen) > m->m_pkthdr.len - off || - ntohs(uh.uh_ulen) < sizeof(struct udphdr)) { - action = PF_DROP; - REASON_SET(&reason, PFRES_SHORT); - goto done; - } - action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); - if (action == PF_PASS) { -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); -#else - pfsync_update_state(s); -#endif -#endif /* NPFSYNC */ - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; - } else if (s == NULL) -#ifdef __FreeBSD__ - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, NULL, inp); -#else - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, &ip6intrq); -#endif - break; - } - - case IPPROTO_ICMP: { - action = PF_DROP; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: dropping IPv6 packet with ICMPv4 payload\n")); - goto done; - } - - case IPPROTO_ICMPV6: { - struct icmp6_hdr ih; - - pd.hdr.icmp6 = &ih; - if (!pf_pull_hdr(m, off, &ih, sizeof(ih), - &action, &reason, AF_INET6)) { - log = action != PF_PASS; - goto done; - } - action = pf_test_state_icmp(&s, dir, kif, - m, off, h, &pd, &reason); - if (action == PF_PASS) { -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); -#else - pfsync_update_state(s); -#endif -#endif /* NPFSYNC */ - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; - } else if (s == NULL) -#ifdef __FreeBSD__ - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, NULL, inp); -#else - action = pf_test_rule(&r, &s, dir, kif, - m, off, h, &pd, &a, &ruleset, &ip6intrq); -#endif - break; - } - - default: - action = pf_test_state_other(&s, dir, kif, m, &pd); - if (action == PF_PASS) { -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); -#else - pfsync_update_state(s); -#endif -#endif /* NPFSYNC */ - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; - } else if (s == NULL) -#ifdef __FreeBSD__ - action = pf_test_rule(&r, &s, dir, kif, m, off, h, - &pd, &a, &ruleset, NULL, inp); -#else - action = pf_test_rule(&r, &s, dir, kif, m, off, h, - &pd, &a, &ruleset, &ip6intrq); -#endif - break; - } - -done: - if (n != m) { - m_freem(n); - n = NULL; - } - - /* handle dangerous IPv6 extension headers. */ - if (action == PF_PASS && rh_cnt && - !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { - action = PF_DROP; - REASON_SET(&reason, PFRES_IPOPTIONS); - log = 1; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: dropping packet with dangerous v6 headers\n")); - } - - if ((s && s->tag) || r->rtableid >= 0) -#ifdef __FreeBSD__ - pf_tag_packet(m, s ? s->tag : 0, r->rtableid, pd.pf_mtag); -#else - pf_tag_packet(m, s ? s->tag : 0, r->rtableid); -#endif - - if (dir == PF_IN && s && s->key[PF_SK_STACK]) -#ifdef __FreeBSD__ - pd.pf_mtag->statekey = s->key[PF_SK_STACK]; -#else - m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; -#endif - -#ifdef ALTQ - if (action == PF_PASS && r->qid) { -#ifdef __FreeBSD__ - if (pd.tos & IPTOS_LOWDELAY) - pd.pf_mtag->qid = r->pqid; - else - pd.pf_mtag->qid = r->qid; - /* add hints for ecn */ - pd.pf_mtag->hdr = h; -#else - if (pd.tos & IPTOS_LOWDELAY) - m->m_pkthdr.pf.qid = r->pqid; - else - m->m_pkthdr.pf.qid = r->qid; - /* add hints for ecn */ - m->m_pkthdr.pf.hdr = h; -#endif - } -#endif /* ALTQ */ - - if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP || - pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && - (s->nat_rule.ptr->action == PF_RDR || - s->nat_rule.ptr->action == PF_BINAT) && - IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) -#ifdef __FreeBSD__ - m->m_flags |= M_SKIP_FIREWALL; -#else - m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST; -#endif - -#ifdef __FreeBSD__ - /* XXX: Anybody working on it?! */ - if (r->divert.port) - printf("pf: divert(9) is not supported for IPv6\n"); -#else - if (dir == PF_IN && action == PF_PASS && r->divert.port) { - struct pf_divert *divert; - - if ((divert = pf_get_divert(m))) { - m->m_pkthdr.pf.flags |= PF_TAG_DIVERTED; - divert->port = r->divert.port; - divert->addr.ipv6 = r->divert.addr.v6; - } - } -#endif - - if (log) { - struct pf_rule *lr; - - if (s != NULL && s->nat_rule.ptr != NULL && - s->nat_rule.ptr->log & PF_LOG_ALL) - lr = s->nat_rule.ptr; - else - lr = r; - PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset, - &pd); - } - - kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len; - kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++; - - if (action == PF_PASS || r->action == PF_DROP) { - dirndx = (dir == PF_OUT); - r->packets[dirndx]++; - r->bytes[dirndx] += pd.tot_len; - if (a != NULL) { - a->packets[dirndx]++; - a->bytes[dirndx] += pd.tot_len; - } - if (s != NULL) { - if (s->nat_rule.ptr != NULL) { - s->nat_rule.ptr->packets[dirndx]++; - s->nat_rule.ptr->bytes[dirndx] += pd.tot_len; - } - if (s->src_node != NULL) { - s->src_node->packets[dirndx]++; - s->src_node->bytes[dirndx] += pd.tot_len; - } - if (s->nat_src_node != NULL) { - s->nat_src_node->packets[dirndx]++; - s->nat_src_node->bytes[dirndx] += pd.tot_len; - } - dirndx = (dir == s->direction) ? 0 : 1; - s->packets[dirndx]++; - s->bytes[dirndx] += pd.tot_len; - } - tr = r; - nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; -#ifdef __FreeBSD__ - if (nr != NULL && r == &V_pf_default_rule) -#else - if (nr != NULL && r == &pf_default_rule) -#endif - tr = nr; - if (tr->src.addr.type == PF_ADDR_TABLE) - pfr_update_stats(tr->src.addr.p.tbl, - (s == NULL) ? pd.src : - &s->key[(s->direction == PF_IN)]->addr[0], - pd.af, pd.tot_len, dir == PF_OUT, - r->action == PF_PASS, tr->src.neg); - if (tr->dst.addr.type == PF_ADDR_TABLE) - pfr_update_stats(tr->dst.addr.p.tbl, - (s == NULL) ? pd.dst : - &s->key[(s->direction == PF_IN)]->addr[1], - pd.af, pd.tot_len, dir == PF_OUT, - r->action == PF_PASS, tr->dst.neg); - } - - switch (action) { - case PF_SYNPROXY_DROP: - m_freem(*m0); - case PF_DEFER: - *m0 = NULL; - action = PF_PASS; - break; - default: - /* pf_route6 can free the mbuf causing *m0 to become NULL */ - if (r->rt) - pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd); - break; - } - -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - return (action); -} -#endif /* INET6 */ - -int -pf_check_congestion(struct ifqueue *ifq) -{ -#ifdef __FreeBSD__ - /* XXX_IMPORT: later */ - return (0); -#else - if (ifq->ifq_congestion) - return (1); - else - return (0); -#endif -} - -/* - * must be called whenever any addressing information such as - * address, port, protocol has changed - */ -void -pf_pkt_addr_changed(struct mbuf *m) -{ -#ifdef __FreeBSD__ - struct pf_mtag *pf_tag; - - if ((pf_tag = pf_find_mtag(m)) != NULL) - pf_tag->statekey = NULL; -#else - m->m_pkthdr.pf.statekey = NULL; -#endif -} diff --git a/sys/contrib/pf/net/pf_if.c b/sys/contrib/pf/net/pf_if.c deleted file mode 100644 index 6336c79..0000000 --- a/sys/contrib/pf/net/pf_if.c +++ /dev/null @@ -1,1111 +0,0 @@ -/* $OpenBSD: pf_if.c,v 1.54 2008/06/14 16:55:28 mk Exp $ */ - -/* - * Copyright 2005 Henning Brauer <henning@openbsd.org> - * Copyright 2005 Ryan McBride <mcbride@openbsd.org> - * Copyright (c) 2001 Daniel Hartmeier - * Copyright (c) 2003 Cedric Berger - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#if defined(__FreeBSD__) -#include "opt_inet.h" -#include "opt_inet6.h" - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); -#endif - -#include <sys/param.h> -#include <sys/systm.h> -#ifdef __FreeBSD__ -#include <sys/malloc.h> -#endif -#include <sys/mbuf.h> -#include <sys/filio.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#ifndef __FreeBSD__ -#include <sys/device.h> -#endif -#include <sys/time.h> -#ifndef __FreeBSD__ -#include <sys/pool.h> -#endif - -#include <net/if.h> -#include <net/if_types.h> -#ifdef __FreeBSD__ -#include <net/vnet.h> -#endif - -#include <netinet/in.h> -#include <netinet/in_var.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> - -#include <net/pfvar.h> - -#ifdef INET6 -#include <netinet/ip6.h> -#endif /* INET6 */ - -#ifdef __FreeBSD__ -VNET_DEFINE(struct pfi_kif *, pfi_all); -VNET_DEFINE(uma_zone_t, pfi_addr_pl); -VNET_DEFINE(struct pfi_ifhead, pfi_ifs); -#define V_pfi_ifs VNET(pfi_ifs) -VNET_DEFINE(long, pfi_update); -#define V_pfi_update VNET(pfi_update) -VNET_DEFINE(struct pfr_addr *, pfi_buffer); -#define V_pfi_buffer VNET(pfi_buffer) -VNET_DEFINE(int, pfi_buffer_cnt); -#define V_pfi_buffer_cnt VNET(pfi_buffer_cnt) -VNET_DEFINE(int, pfi_buffer_max); -#define V_pfi_buffer_max VNET(pfi_buffer_max) -#else -struct pfi_kif *pfi_all = NULL; -struct pool pfi_addr_pl; -struct pfi_ifhead pfi_ifs; -long pfi_update = 1; -struct pfr_addr *pfi_buffer; -int pfi_buffer_cnt; -int pfi_buffer_max; -#endif -#ifdef __FreeBSD__ -eventhandler_tag pfi_attach_cookie; -eventhandler_tag pfi_detach_cookie; -eventhandler_tag pfi_attach_group_cookie; -eventhandler_tag pfi_change_group_cookie; -eventhandler_tag pfi_detach_group_cookie; -eventhandler_tag pfi_ifaddr_event_cookie; -#endif - -void pfi_kif_update(struct pfi_kif *); -void pfi_dynaddr_update(struct pfi_dynaddr *dyn); -void pfi_table_update(struct pfr_ktable *, struct pfi_kif *, - int, int); -void pfi_kifaddr_update(void *); -void pfi_instance_add(struct ifnet *, int, int); -void pfi_address_add(struct sockaddr *, int, int); -int pfi_if_compare(struct pfi_kif *, struct pfi_kif *); -int pfi_skip_if(const char *, struct pfi_kif *); -int pfi_unmask(void *); -#ifdef __FreeBSD__ -void pfi_attach_ifnet_event(void * __unused, struct ifnet *); -void pfi_detach_ifnet_event(void * __unused, struct ifnet *); -void pfi_attach_group_event(void *, struct ifg_group *); -void pfi_change_group_event(void *, char *); -void pfi_detach_group_event(void *, struct ifg_group *); -void pfi_ifaddr_event(void * __unused, struct ifnet *); -#endif - -RB_PROTOTYPE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare); -RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare); - -#define PFI_BUFFER_MAX 0x10000 -#define PFI_MTYPE M_IFADDR - -void -pfi_initialize(void) -{ -#ifdef __FreeBSD__ - if (V_pfi_all != NULL) /* already initialized */ -#else - if (pfi_all != NULL) /* already initialized */ -#endif - return; - -#ifndef __FreeBSD__ - pool_init(&V_pfi_addr_pl, sizeof(struct pfi_dynaddr), 0, 0, 0, - "pfiaddrpl", &pool_allocator_nointr); -#endif -#ifdef __FreeBSD__ - V_pfi_buffer_max = 64; - V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer), - PFI_MTYPE, M_WAITOK); - - if ((V_pfi_all = pfi_kif_get(IFG_ALL)) == NULL) -#else - pfi_buffer_max = 64; - pfi_buffer = malloc(pfi_buffer_max * sizeof(*pfi_buffer), - PFI_MTYPE, M_WAITOK); - - if ((pfi_all = pfi_kif_get(IFG_ALL)) == NULL) -#endif - panic("pfi_kif_get for pfi_all failed"); -#ifdef __FreeBSD__ - struct ifg_group *ifg; - struct ifnet *ifp; - - IFNET_RLOCK(); - TAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) - pfi_attach_ifgroup(ifg); - TAILQ_FOREACH(ifp, &V_ifnet, if_link) - pfi_attach_ifnet(ifp); - IFNET_RUNLOCK(); - - pfi_attach_cookie = EVENTHANDLER_REGISTER(ifnet_arrival_event, - pfi_attach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); - pfi_detach_cookie = EVENTHANDLER_REGISTER(ifnet_departure_event, - pfi_detach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); - pfi_attach_group_cookie = EVENTHANDLER_REGISTER(group_attach_event, - pfi_attach_group_event, curvnet, EVENTHANDLER_PRI_ANY); - pfi_change_group_cookie = EVENTHANDLER_REGISTER(group_change_event, - pfi_change_group_event, curvnet, EVENTHANDLER_PRI_ANY); - pfi_detach_group_cookie = EVENTHANDLER_REGISTER(group_detach_event, - pfi_detach_group_event, curvnet, EVENTHANDLER_PRI_ANY); - pfi_ifaddr_event_cookie = EVENTHANDLER_REGISTER(ifaddr_event, - pfi_ifaddr_event, NULL, EVENTHANDLER_PRI_ANY); -#endif -} - -#ifdef __FreeBSD__ -void -pfi_cleanup(void) -{ - struct pfi_kif *p; - - PF_UNLOCK(); - EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie); - EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie); - EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie); - EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie); - EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie); - EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie); - PF_LOCK(); - - V_pfi_all = NULL; - while ((p = RB_MIN(pfi_ifhead, &V_pfi_ifs))) { - if (p->pfik_rules || p->pfik_states) { - printf("pfi_cleanup: dangling refs for %s\n", - p->pfik_name); - } - - RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p); - free(p, PFI_MTYPE); - } - - free(V_pfi_buffer, PFI_MTYPE); -} -#endif - -struct pfi_kif * -pfi_kif_get(const char *kif_name) -{ - struct pfi_kif *kif; - struct pfi_kif_cmp s; - - bzero(&s, sizeof(s)); - strlcpy(s.pfik_name, kif_name, sizeof(s.pfik_name)); -#ifdef __FreeBSD__ - if ((kif = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kif *)&s)) != NULL) -#else - if ((kif = RB_FIND(pfi_ifhead, &pfi_ifs, (struct pfi_kif *)&s)) != NULL) -#endif - return (kif); - - /* create new one */ -#ifdef __FreeBSD__ - if ((kif = malloc(sizeof(*kif), PFI_MTYPE, M_NOWAIT | M_ZERO)) == NULL) -#else - if ((kif = malloc(sizeof(*kif), PFI_MTYPE, M_DONTWAIT|M_ZERO)) == NULL) -#endif - return (NULL); - - strlcpy(kif->pfik_name, kif_name, sizeof(kif->pfik_name)); -#ifdef __FreeBSD__ - /* - * It seems that the value of time_second is in unintialzied state - * when pf sets interface statistics clear time in boot phase if pf - * was statically linked to kernel. Instead of setting the bogus - * time value have pfi_get_ifaces handle this case. In - * pfi_get_ifaces it uses boottime.tv_sec if it sees the time is 0. - */ - kif->pfik_tzero = time_second > 1 ? time_second : 0; -#else - kif->pfik_tzero = time_second; -#endif - TAILQ_INIT(&kif->pfik_dynaddrs); - -#ifdef __FreeBSD__ - RB_INSERT(pfi_ifhead, &V_pfi_ifs, kif); -#else - RB_INSERT(pfi_ifhead, &pfi_ifs, kif); -#endif - - return (kif); -} - -void -pfi_kif_ref(struct pfi_kif *kif, enum pfi_kif_refs what) -{ - switch (what) { - case PFI_KIF_REF_RULE: - kif->pfik_rules++; - break; - case PFI_KIF_REF_STATE: - kif->pfik_states++; - break; - default: - panic("pfi_kif_ref with unknown type"); - } -} - -void -pfi_kif_unref(struct pfi_kif *kif, enum pfi_kif_refs what) -{ - if (kif == NULL) - return; - - switch (what) { - case PFI_KIF_REF_NONE: - break; - case PFI_KIF_REF_RULE: - if (kif->pfik_rules <= 0) { - printf("pfi_kif_unref: rules refcount <= 0\n"); - return; - } - kif->pfik_rules--; - break; - case PFI_KIF_REF_STATE: - if (kif->pfik_states <= 0) { - printf("pfi_kif_unref: state refcount <= 0\n"); - return; - } - kif->pfik_states--; - break; - default: - panic("pfi_kif_unref with unknown type"); - } - -#ifdef __FreeBSD__ - if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || kif == V_pfi_all) -#else - if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || kif == pfi_all) -#endif - return; - - if (kif->pfik_rules || kif->pfik_states) - return; - -#ifdef __FreeBSD__ - RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif); -#else - RB_REMOVE(pfi_ifhead, &pfi_ifs, kif); -#endif - free(kif, PFI_MTYPE); -} - -int -pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif) -{ - struct ifg_list *p; - - if (rule_kif == NULL || rule_kif == packet_kif) - return (1); - - if (rule_kif->pfik_group != NULL) - TAILQ_FOREACH(p, &packet_kif->pfik_ifp->if_groups, ifgl_next) - if (p->ifgl_group == rule_kif->pfik_group) - return (1); - - return (0); -} - -void -pfi_attach_ifnet(struct ifnet *ifp) -{ - struct pfi_kif *kif; - int s; - - pfi_initialize(); - s = splsoftnet(); -#ifdef __FreeBSD__ - V_pfi_update++; -#else - pfi_update++; -#endif - if ((kif = pfi_kif_get(ifp->if_xname)) == NULL) - panic("pfi_kif_get failed"); - - kif->pfik_ifp = ifp; - ifp->if_pf_kif = (caddr_t)kif; - -#ifndef __FreeBSD__ - if ((kif->pfik_ah_cookie = hook_establish(ifp->if_addrhooks, 1, - pfi_kifaddr_update, kif)) == NULL) - panic("pfi_attach_ifnet: cannot allocate '%s' address hook", - ifp->if_xname); -#endif - - pfi_kif_update(kif); - - splx(s); -} - -void -pfi_detach_ifnet(struct ifnet *ifp) -{ - int s; - struct pfi_kif *kif; - - if ((kif = (struct pfi_kif *)ifp->if_pf_kif) == NULL) - return; - - s = splsoftnet(); -#ifdef __FreeBSD__ - V_pfi_update++; -#else - pfi_update++; -#endif -#ifndef __FreeBSD__ - hook_disestablish(ifp->if_addrhooks, kif->pfik_ah_cookie); -#endif - pfi_kif_update(kif); - - kif->pfik_ifp = NULL; - ifp->if_pf_kif = NULL; - pfi_kif_unref(kif, PFI_KIF_REF_NONE); - splx(s); -} - -void -pfi_attach_ifgroup(struct ifg_group *ifg) -{ - struct pfi_kif *kif; - int s; - - pfi_initialize(); - s = splsoftnet(); -#ifdef __FreeBSD__ - V_pfi_update++; -#else - pfi_update++; -#endif - if ((kif = pfi_kif_get(ifg->ifg_group)) == NULL) - panic("pfi_kif_get failed"); - - kif->pfik_group = ifg; - ifg->ifg_pf_kif = (caddr_t)kif; - - splx(s); -} - -void -pfi_detach_ifgroup(struct ifg_group *ifg) -{ - int s; - struct pfi_kif *kif; - - if ((kif = (struct pfi_kif *)ifg->ifg_pf_kif) == NULL) - return; - - s = splsoftnet(); -#ifdef __FreeBSD__ - V_pfi_update++; -#else - pfi_update++; -#endif - - kif->pfik_group = NULL; - ifg->ifg_pf_kif = NULL; - pfi_kif_unref(kif, PFI_KIF_REF_NONE); - splx(s); -} - -void -pfi_group_change(const char *group) -{ - struct pfi_kif *kif; - int s; - - s = splsoftnet(); -#ifdef __FreeBSD__ - V_pfi_update++; -#else - pfi_update++; -#endif - if ((kif = pfi_kif_get(group)) == NULL) - panic("pfi_kif_get failed"); - - pfi_kif_update(kif); - - splx(s); -} - -int -pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, sa_family_t af) -{ - switch (af) { -#ifdef INET - case AF_INET: - switch (dyn->pfid_acnt4) { - case 0: - return (0); - case 1: - return (PF_MATCHA(0, &dyn->pfid_addr4, - &dyn->pfid_mask4, a, AF_INET)); - default: - return (pfr_match_addr(dyn->pfid_kt, a, AF_INET)); - } - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - switch (dyn->pfid_acnt6) { - case 0: - return (0); - case 1: - return (PF_MATCHA(0, &dyn->pfid_addr6, - &dyn->pfid_mask6, a, AF_INET6)); - default: - return (pfr_match_addr(dyn->pfid_kt, a, AF_INET6)); - } - break; -#endif /* INET6 */ - default: - return (0); - } -} - -int -pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) -{ - struct pfi_dynaddr *dyn; - char tblname[PF_TABLE_NAME_SIZE]; - struct pf_ruleset *ruleset = NULL; - int s, rv = 0; - - if (aw->type != PF_ADDR_DYNIFTL) - return (0); -#ifdef __FreeBSD__ - /* XXX: revisit! */ - if ((dyn = pool_get(&V_pfi_addr_pl, PR_WAITOK | PR_ZERO)) -#else - if ((dyn = pool_get(&pfi_addr_pl, PR_WAITOK | PR_LIMITFAIL | PR_ZERO)) -#endif - == NULL) - return (1); - - s = splsoftnet(); - if (!strcmp(aw->v.ifname, "self")) - dyn->pfid_kif = pfi_kif_get(IFG_ALL); - else - dyn->pfid_kif = pfi_kif_get(aw->v.ifname); - if (dyn->pfid_kif == NULL) { - rv = 1; - goto _bad; - } - pfi_kif_ref(dyn->pfid_kif, PFI_KIF_REF_RULE); - - dyn->pfid_net = pfi_unmask(&aw->v.a.mask); - if (af == AF_INET && dyn->pfid_net == 32) - dyn->pfid_net = 128; - strlcpy(tblname, aw->v.ifname, sizeof(tblname)); - if (aw->iflags & PFI_AFLAG_NETWORK) - strlcat(tblname, ":network", sizeof(tblname)); - if (aw->iflags & PFI_AFLAG_BROADCAST) - strlcat(tblname, ":broadcast", sizeof(tblname)); - if (aw->iflags & PFI_AFLAG_PEER) - strlcat(tblname, ":peer", sizeof(tblname)); - if (aw->iflags & PFI_AFLAG_NOALIAS) - strlcat(tblname, ":0", sizeof(tblname)); - if (dyn->pfid_net != 128) - snprintf(tblname + strlen(tblname), - sizeof(tblname) - strlen(tblname), "/%d", dyn->pfid_net); - if ((ruleset = pf_find_or_create_ruleset(PF_RESERVED_ANCHOR)) == NULL) { - rv = 1; - goto _bad; - } - - if ((dyn->pfid_kt = pfr_attach_table(ruleset, tblname, 1)) == NULL) { - rv = 1; - goto _bad; - } - - dyn->pfid_kt->pfrkt_flags |= PFR_TFLAG_ACTIVE; - dyn->pfid_iflags = aw->iflags; - dyn->pfid_af = af; - - TAILQ_INSERT_TAIL(&dyn->pfid_kif->pfik_dynaddrs, dyn, entry); - aw->p.dyn = dyn; - pfi_kif_update(dyn->pfid_kif); - splx(s); - return (0); - -_bad: - if (dyn->pfid_kt != NULL) - pfr_detach_table(dyn->pfid_kt); - if (ruleset != NULL) - pf_remove_if_empty_ruleset(ruleset); - if (dyn->pfid_kif != NULL) - pfi_kif_unref(dyn->pfid_kif, PFI_KIF_REF_RULE); -#ifdef __FreeBSD__ - pool_put(&V_pfi_addr_pl, dyn); -#else - pool_put(&pfi_addr_pl, dyn); -#endif - splx(s); - return (rv); -} - -void -pfi_kif_update(struct pfi_kif *kif) -{ - struct ifg_list *ifgl; - struct pfi_dynaddr *p; - - /* update all dynaddr */ - TAILQ_FOREACH(p, &kif->pfik_dynaddrs, entry) - pfi_dynaddr_update(p); - - /* again for all groups kif is member of */ - if (kif->pfik_ifp != NULL) - TAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next) - pfi_kif_update((struct pfi_kif *) - ifgl->ifgl_group->ifg_pf_kif); -} - -void -pfi_dynaddr_update(struct pfi_dynaddr *dyn) -{ - struct pfi_kif *kif; - struct pfr_ktable *kt; - - if (dyn == NULL || dyn->pfid_kif == NULL || dyn->pfid_kt == NULL) - panic("pfi_dynaddr_update"); - - kif = dyn->pfid_kif; - kt = dyn->pfid_kt; - -#ifdef __FreeBSD__ - if (kt->pfrkt_larg != V_pfi_update) { -#else - if (kt->pfrkt_larg != pfi_update) { -#endif - /* this table needs to be brought up-to-date */ - pfi_table_update(kt, kif, dyn->pfid_net, dyn->pfid_iflags); -#ifdef __FreeBSD__ - kt->pfrkt_larg = V_pfi_update; -#else - kt->pfrkt_larg = pfi_update; -#endif - } - pfr_dynaddr_update(kt, dyn); -} - -void -pfi_table_update(struct pfr_ktable *kt, struct pfi_kif *kif, int net, int flags) -{ - int e, size2 = 0; - struct ifg_member *ifgm; - -#ifdef __FreeBSD__ - V_pfi_buffer_cnt = 0; -#else - pfi_buffer_cnt = 0; -#endif - - if (kif->pfik_ifp != NULL) - pfi_instance_add(kif->pfik_ifp, net, flags); - else if (kif->pfik_group != NULL) - TAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members, ifgm_next) - pfi_instance_add(ifgm->ifgm_ifp, net, flags); - -#ifdef __FreeBSD__ - if ((e = pfr_set_addrs(&kt->pfrkt_t, V_pfi_buffer, V_pfi_buffer_cnt, &size2, - NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK))) - printf("pfi_table_update: cannot set %d new addresses " - "into table %s: %d\n", V_pfi_buffer_cnt, kt->pfrkt_name, e); -#else - if ((e = pfr_set_addrs(&kt->pfrkt_t, pfi_buffer, pfi_buffer_cnt, &size2, - NULL, NULL, NULL, 0, PFR_TFLAG_ALLMASK))) - printf("pfi_table_update: cannot set %d new addresses " - "into table %s: %d\n", pfi_buffer_cnt, kt->pfrkt_name, e); -#endif -} - -void -pfi_instance_add(struct ifnet *ifp, int net, int flags) -{ - struct ifaddr *ia; - int got4 = 0, got6 = 0; - int net2, af; - - if (ifp == NULL) - return; - TAILQ_FOREACH(ia, &ifp->if_addrlist, ifa_list) { - if (ia->ifa_addr == NULL) - continue; - af = ia->ifa_addr->sa_family; - if (af != AF_INET && af != AF_INET6) - continue; -#ifdef __FreeBSD__ - /* - * XXX: For point-to-point interfaces, (ifname:0) and IPv4, - * jump over addresses without a proper route to work - * around a problem with ppp not fully removing the - * address used during IPCP. - */ - if ((ifp->if_flags & IFF_POINTOPOINT) && - !(ia->ifa_flags & IFA_ROUTE) && - (flags & PFI_AFLAG_NOALIAS) && (af == AF_INET)) - continue; -#endif - if ((flags & PFI_AFLAG_BROADCAST) && af == AF_INET6) - continue; - if ((flags & PFI_AFLAG_BROADCAST) && - !(ifp->if_flags & IFF_BROADCAST)) - continue; - if ((flags & PFI_AFLAG_PEER) && - !(ifp->if_flags & IFF_POINTOPOINT)) - continue; - if ((flags & PFI_AFLAG_NETWORK) && af == AF_INET6 && - IN6_IS_ADDR_LINKLOCAL( - &((struct sockaddr_in6 *)ia->ifa_addr)->sin6_addr)) - continue; - if (flags & PFI_AFLAG_NOALIAS) { - if (af == AF_INET && got4) - continue; - if (af == AF_INET6 && got6) - continue; - } - if (af == AF_INET) - got4 = 1; - else if (af == AF_INET6) - got6 = 1; - net2 = net; - if (net2 == 128 && (flags & PFI_AFLAG_NETWORK)) { - if (af == AF_INET) - net2 = pfi_unmask(&((struct sockaddr_in *) - ia->ifa_netmask)->sin_addr); - else if (af == AF_INET6) - net2 = pfi_unmask(&((struct sockaddr_in6 *) - ia->ifa_netmask)->sin6_addr); - } - if (af == AF_INET && net2 > 32) - net2 = 32; - if (flags & PFI_AFLAG_BROADCAST) - pfi_address_add(ia->ifa_broadaddr, af, net2); - else if (flags & PFI_AFLAG_PEER) - pfi_address_add(ia->ifa_dstaddr, af, net2); - else - pfi_address_add(ia->ifa_addr, af, net2); - } -} - -void -pfi_address_add(struct sockaddr *sa, int af, int net) -{ - struct pfr_addr *p; - int i; - -#ifdef __FreeBSD__ - if (V_pfi_buffer_cnt >= V_pfi_buffer_max) { - int new_max = V_pfi_buffer_max * 2; -#else - if (pfi_buffer_cnt >= pfi_buffer_max) { - int new_max = pfi_buffer_max * 2; -#endif - - if (new_max > PFI_BUFFER_MAX) { - printf("pfi_address_add: address buffer full (%d/%d)\n", -#ifdef __FreeBSD__ - V_pfi_buffer_cnt, PFI_BUFFER_MAX); -#else - pfi_buffer_cnt, PFI_BUFFER_MAX); -#endif - return; - } - p = malloc(new_max * sizeof(*V_pfi_buffer), PFI_MTYPE, -#ifdef __FreeBSD__ - M_NOWAIT); -#else - M_DONTWAIT); -#endif - if (p == NULL) { - printf("pfi_address_add: no memory to grow buffer " -#ifdef __FreeBSD__ - "(%d/%d)\n", V_pfi_buffer_cnt, PFI_BUFFER_MAX); -#else - "(%d/%d)\n", pfi_buffer_cnt, PFI_BUFFER_MAX); -#endif - return; - } -#ifdef __FreeBSD__ - memcpy(V_pfi_buffer, p, V_pfi_buffer_cnt * sizeof(*V_pfi_buffer)); - /* no need to zero buffer */ - free(V_pfi_buffer, PFI_MTYPE); - V_pfi_buffer = p; - V_pfi_buffer_max = new_max; -#else - memcpy(pfi_buffer, p, pfi_buffer_cnt * sizeof(*pfi_buffer)); - /* no need to zero buffer */ - free(pfi_buffer, PFI_MTYPE); - pfi_buffer = p; - pfi_buffer_max = new_max; -#endif - } - if (af == AF_INET && net > 32) - net = 128; -#ifdef __FreeBSD__ - p = V_pfi_buffer + V_pfi_buffer_cnt++; -#else - p = pfi_buffer + pfi_buffer_cnt++; -#endif - bzero(p, sizeof(*p)); - p->pfra_af = af; - p->pfra_net = net; - if (af == AF_INET) - p->pfra_ip4addr = ((struct sockaddr_in *)sa)->sin_addr; - else if (af == AF_INET6) { - p->pfra_ip6addr = ((struct sockaddr_in6 *)sa)->sin6_addr; - if (IN6_IS_SCOPE_EMBED(&p->pfra_ip6addr)) - p->pfra_ip6addr.s6_addr16[1] = 0; - } - /* mask network address bits */ - if (net < 128) - ((caddr_t)p)[p->pfra_net/8] &= ~(0xFF >> (p->pfra_net%8)); - for (i = (p->pfra_net+7)/8; i < sizeof(p->pfra_u); i++) - ((caddr_t)p)[i] = 0; -} - -void -pfi_dynaddr_remove(struct pf_addr_wrap *aw) -{ - int s; - - if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL || - aw->p.dyn->pfid_kif == NULL || aw->p.dyn->pfid_kt == NULL) - return; - - s = splsoftnet(); - TAILQ_REMOVE(&aw->p.dyn->pfid_kif->pfik_dynaddrs, aw->p.dyn, entry); - pfi_kif_unref(aw->p.dyn->pfid_kif, PFI_KIF_REF_RULE); - aw->p.dyn->pfid_kif = NULL; - pfr_detach_table(aw->p.dyn->pfid_kt); - aw->p.dyn->pfid_kt = NULL; -#ifdef __FreeBSD__ - pool_put(&V_pfi_addr_pl, aw->p.dyn); -#else - pool_put(&pfi_addr_pl, aw->p.dyn); -#endif - aw->p.dyn = NULL; - splx(s); -} - -void -pfi_dynaddr_copyout(struct pf_addr_wrap *aw) -{ - if (aw->type != PF_ADDR_DYNIFTL || aw->p.dyn == NULL || - aw->p.dyn->pfid_kif == NULL) - return; - aw->p.dyncnt = aw->p.dyn->pfid_acnt4 + aw->p.dyn->pfid_acnt6; -} - -void -pfi_kifaddr_update(void *v) -{ - int s; - struct pfi_kif *kif = (struct pfi_kif *)v; - - s = splsoftnet(); -#ifdef __FreeBSD__ - V_pfi_update++; -#else - pfi_update++; -#endif - pfi_kif_update(kif); - splx(s); -} - -int -pfi_if_compare(struct pfi_kif *p, struct pfi_kif *q) -{ - return (strncmp(p->pfik_name, q->pfik_name, IFNAMSIZ)); -} - -void -pfi_update_status(const char *name, struct pf_status *pfs) -{ - struct pfi_kif *p; - struct pfi_kif_cmp key; - struct ifg_member p_member, *ifgm; - TAILQ_HEAD(, ifg_member) ifg_members; - int i, j, k, s; - - strlcpy(key.pfik_name, name, sizeof(key.pfik_name)); - s = splsoftnet(); -#ifdef __FreeBSD__ - p = RB_FIND(pfi_ifhead, &V_pfi_ifs, (struct pfi_kif *)&key); -#else - p = RB_FIND(pfi_ifhead, &pfi_ifs, (struct pfi_kif *)&key); -#endif - if (p == NULL) { - splx(s); - return; - } - if (p->pfik_group != NULL) { - bcopy(&p->pfik_group->ifg_members, &ifg_members, - sizeof(ifg_members)); - } else { - /* build a temporary list for p only */ - bzero(&p_member, sizeof(p_member)); - p_member.ifgm_ifp = p->pfik_ifp; - TAILQ_INIT(&ifg_members); - TAILQ_INSERT_TAIL(&ifg_members, &p_member, ifgm_next); - } - if (pfs) { - bzero(pfs->pcounters, sizeof(pfs->pcounters)); - bzero(pfs->bcounters, sizeof(pfs->bcounters)); - } - TAILQ_FOREACH(ifgm, &ifg_members, ifgm_next) { - if (ifgm->ifgm_ifp == NULL) - continue; - p = (struct pfi_kif *)ifgm->ifgm_ifp->if_pf_kif; - - /* just clear statistics */ - if (pfs == NULL) { - bzero(p->pfik_packets, sizeof(p->pfik_packets)); - bzero(p->pfik_bytes, sizeof(p->pfik_bytes)); - p->pfik_tzero = time_second; - continue; - } - for (i = 0; i < 2; i++) - for (j = 0; j < 2; j++) - for (k = 0; k < 2; k++) { - pfs->pcounters[i][j][k] += - p->pfik_packets[i][j][k]; - pfs->bcounters[i][j] += - p->pfik_bytes[i][j][k]; - } - } - splx(s); -} - -int -pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size) -{ - struct pfi_kif *p, *nextp; - int s, n = 0; -#ifdef __FreeBSD__ - int error; -#endif - - s = splsoftnet(); -#ifdef __FreeBSD__ - for (p = RB_MIN(pfi_ifhead, &V_pfi_ifs); p; p = nextp) { - nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); -#else - for (p = RB_MIN(pfi_ifhead, &pfi_ifs); p; p = nextp) { - nextp = RB_NEXT(pfi_ifhead, &pfi_ifs, p); -#endif - if (pfi_skip_if(name, p)) - continue; - if (*size > n++) { - if (!p->pfik_tzero) - p->pfik_tzero = time_second; - pfi_kif_ref(p, PFI_KIF_REF_RULE); -#ifdef __FreeBSD__ - PF_COPYOUT(p, buf++, sizeof(*buf), error); - if (error) { -#else - if (copyout(p, buf++, sizeof(*buf))) { -#endif - pfi_kif_unref(p, PFI_KIF_REF_RULE); - splx(s); - return (EFAULT); - } -#ifdef __FreeBSD__ - nextp = RB_NEXT(pfi_ifhead, &V_pfi_ifs, p); -#else - nextp = RB_NEXT(pfi_ifhead, &pfi_ifs, p); -#endif - pfi_kif_unref(p, PFI_KIF_REF_RULE); - } - } - splx(s); - *size = n; - return (0); -} - -int -pfi_skip_if(const char *filter, struct pfi_kif *p) -{ - int n; - - if (filter == NULL || !*filter) - return (0); - if (!strcmp(p->pfik_name, filter)) - return (0); /* exact match */ - n = strlen(filter); - if (n < 1 || n >= IFNAMSIZ) - return (1); /* sanity check */ - if (filter[n-1] >= '0' && filter[n-1] <= '9') - return (1); /* only do exact match in that case */ - if (strncmp(p->pfik_name, filter, n)) - return (1); /* prefix doesn't match */ - return (p->pfik_name[n] < '0' || p->pfik_name[n] > '9'); -} - -int -pfi_set_flags(const char *name, int flags) -{ - struct pfi_kif *p; - int s; - - s = splsoftnet(); -#ifdef __FreeBSD__ - RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) { -#else - RB_FOREACH(p, pfi_ifhead, &pfi_ifs) { -#endif - if (pfi_skip_if(name, p)) - continue; - p->pfik_flags |= flags; - } - splx(s); - return (0); -} - -int -pfi_clear_flags(const char *name, int flags) -{ - struct pfi_kif *p; - int s; - - s = splsoftnet(); -#ifdef __FreeBSD__ - RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) { -#else - RB_FOREACH(p, pfi_ifhead, &pfi_ifs) { -#endif - if (pfi_skip_if(name, p)) - continue; - p->pfik_flags &= ~flags; - } - splx(s); - return (0); -} - -/* from pf_print_state.c */ -int -pfi_unmask(void *addr) -{ - struct pf_addr *m = addr; - int i = 31, j = 0, b = 0; - u_int32_t tmp; - - while (j < 4 && m->addr32[j] == 0xffffffff) { - b += 32; - j++; - } - if (j < 4) { - tmp = ntohl(m->addr32[j]); - for (i = 31; tmp & (1 << i); --i) - b++; - } - return (b); -} - -#ifdef __FreeBSD__ -void -pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp) -{ - - CURVNET_SET(ifp->if_vnet); - PF_LOCK(); - pfi_attach_ifnet(ifp); -#ifdef ALTQ - pf_altq_ifnet_event(ifp, 0); -#endif - PF_UNLOCK(); - CURVNET_RESTORE(); -} - -void -pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp) -{ - - CURVNET_SET(ifp->if_vnet); - PF_LOCK(); - pfi_detach_ifnet(ifp); -#ifdef ALTQ - pf_altq_ifnet_event(ifp, 1); -#endif - PF_UNLOCK(); - CURVNET_RESTORE(); -} - -void -pfi_attach_group_event(void *arg , struct ifg_group *ifg) -{ - - CURVNET_SET((struct vnet *)arg); - PF_LOCK(); - pfi_attach_ifgroup(ifg); - PF_UNLOCK(); - CURVNET_RESTORE(); -} - -void -pfi_change_group_event(void *arg, char *gname) -{ - - CURVNET_SET((struct vnet *)arg); - PF_LOCK(); - pfi_group_change(gname); - PF_UNLOCK(); - CURVNET_RESTORE(); -} - -void -pfi_detach_group_event(void *arg, struct ifg_group *ifg) -{ - - CURVNET_SET((struct vnet *)arg); - PF_LOCK(); - pfi_detach_ifgroup(ifg); - PF_UNLOCK(); - CURVNET_RESTORE(); -} - -void -pfi_ifaddr_event(void *arg __unused, struct ifnet *ifp) -{ - - CURVNET_SET(ifp->if_vnet); - PF_LOCK(); - if (ifp && ifp->if_pf_kif) - pfi_kifaddr_update(ifp->if_pf_kif); - PF_UNLOCK(); - CURVNET_RESTORE(); -} -#endif /* __FreeBSD__ */ diff --git a/sys/contrib/pf/net/pf_ioctl.c b/sys/contrib/pf/net/pf_ioctl.c deleted file mode 100644 index 6b5d8f5..0000000 --- a/sys/contrib/pf/net/pf_ioctl.c +++ /dev/null @@ -1,4420 +0,0 @@ -/* $OpenBSD: pf_ioctl.c,v 1.213 2009/02/15 21:46:12 mbalmer Exp $ */ - -/* - * Copyright (c) 2001 Daniel Hartmeier - * Copyright (c) 2002,2003 Henning Brauer - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - * Effort sponsored in part by the Defense Advanced Research Projects - * Agency (DARPA) and Air Force Research Laboratory, Air Force - * Materiel Command, USAF, under agreement number F30602-01-2-0537. - * - */ - -#ifdef __FreeBSD__ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#include "opt_inet.h" -#include "opt_inet6.h" -#include "opt_bpf.h" -#include "opt_pf.h" - -#define NPFSYNC 1 - -#ifdef DEV_PFLOG -#define NPFLOG DEV_PFLOG -#else -#define NPFLOG 0 -#endif - -#else /* !__FreeBSD__ */ -#include "pfsync.h" -#include "pflog.h" -#endif /* __FreeBSD__ */ - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/mbuf.h> -#include <sys/filio.h> -#include <sys/fcntl.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#include <sys/time.h> -#ifdef __FreeBSD__ -#include <sys/ucred.h> -#include <sys/jail.h> -#include <sys/module.h> -#include <sys/conf.h> -#include <sys/proc.h> -#include <sys/sysctl.h> -#else -#include <sys/timeout.h> -#include <sys/pool.h> -#endif -#include <sys/proc.h> -#include <sys/malloc.h> -#include <sys/kthread.h> -#ifndef __FreeBSD__ -#include <sys/rwlock.h> -#include <uvm/uvm_extern.h> -#endif - -#include <net/if.h> -#include <net/if_types.h> -#ifdef __FreeBSD__ -#include <net/vnet.h> -#endif -#include <net/route.h> - -#include <netinet/in.h> -#include <netinet/in_var.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/ip_icmp.h> - -#ifdef __FreeBSD__ -#include <sys/md5.h> -#else -#include <dev/rndvar.h> -#include <crypto/md5.h> -#endif -#include <net/pfvar.h> - -#include <net/if_pfsync.h> - -#if NPFLOG > 0 -#include <net/if_pflog.h> -#endif /* NPFLOG > 0 */ - -#ifdef INET6 -#include <netinet/ip6.h> -#include <netinet/in_pcb.h> -#endif /* INET6 */ - -#ifdef ALTQ -#include <altq/altq.h> -#endif - -#ifdef __FreeBSD__ -#include <sys/limits.h> -#include <sys/lock.h> -#include <sys/mutex.h> -#include <net/pfil.h> -#endif /* __FreeBSD__ */ - -#ifdef __FreeBSD__ -void init_zone_var(void); -void cleanup_pf_zone(void); -int pfattach(void); -#else -void pfattach(int); -void pf_thread_create(void *); -int pfopen(dev_t, int, int, struct proc *); -int pfclose(dev_t, int, int, struct proc *); -#endif -struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t, - u_int8_t, u_int8_t, u_int8_t); - -void pf_mv_pool(struct pf_palist *, struct pf_palist *); -void pf_empty_pool(struct pf_palist *); -#ifdef __FreeBSD__ -int pfioctl(struct cdev *, u_long, caddr_t, int, struct thread *); -#else -int pfioctl(dev_t, u_long, caddr_t, int, struct proc *); -#endif -#ifdef ALTQ -int pf_begin_altq(u_int32_t *); -int pf_rollback_altq(u_int32_t); -int pf_commit_altq(u_int32_t); -int pf_enable_altq(struct pf_altq *); -int pf_disable_altq(struct pf_altq *); -#endif /* ALTQ */ -int pf_begin_rules(u_int32_t *, int, const char *); -int pf_rollback_rules(u_int32_t, int, char *); -int pf_setup_pfsync_matching(struct pf_ruleset *); -void pf_hash_rule(MD5_CTX *, struct pf_rule *); -void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *); -int pf_commit_rules(u_int32_t, int, char *); -int pf_addr_setup(struct pf_ruleset *, - struct pf_addr_wrap *, sa_family_t); -void pf_addr_copyout(struct pf_addr_wrap *); - -#define TAGID_MAX 50000 - -#ifdef __FreeBSD__ -VNET_DEFINE(struct pf_rule, pf_default_rule); -VNET_DEFINE(struct sx, pf_consistency_lock); - -#ifdef ALTQ -static VNET_DEFINE(int, pf_altq_running); -#define V_pf_altq_running VNET(pf_altq_running) -#endif - -TAILQ_HEAD(pf_tags, pf_tagname); - -#define V_pf_tags VNET(pf_tags) -VNET_DEFINE(struct pf_tags, pf_tags); -#define V_pf_qids VNET(pf_qids) -VNET_DEFINE(struct pf_tags, pf_qids); - -#else /* !__FreeBSD__ */ -struct pf_rule pf_default_rule; -struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk"); -#ifdef ALTQ -static int pf_altq_running; -#endif - -TAILQ_HEAD(pf_tags, pf_tagname) pf_tags = TAILQ_HEAD_INITIALIZER(pf_tags), - pf_qids = TAILQ_HEAD_INITIALIZER(pf_qids); -#endif /* __FreeBSD__ */ - -#if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE) -#error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE -#endif - -u_int16_t tagname2tag(struct pf_tags *, char *); -void tag2tagname(struct pf_tags *, u_int16_t, char *); -void tag_unref(struct pf_tags *, u_int16_t); -int pf_rtlabel_add(struct pf_addr_wrap *); -void pf_rtlabel_remove(struct pf_addr_wrap *); -void pf_rtlabel_copyout(struct pf_addr_wrap *); - -#ifdef __FreeBSD__ -#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x -#else -#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x -#endif - -#ifdef __FreeBSD__ -struct cdev *pf_dev; - -/* - * XXX - These are new and need to be checked when moveing to a new version - */ -static void pf_clear_states(void); -static int pf_clear_tables(void); -static void pf_clear_srcnodes(void); -/* - * XXX - These are new and need to be checked when moveing to a new version - */ - -/* - * Wrapper functions for pfil(9) hooks - */ -#ifdef INET -static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir, struct inpcb *inp); -static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir, struct inpcb *inp); -#endif -#ifdef INET6 -static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir, struct inpcb *inp); -static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir, struct inpcb *inp); -#endif - -static int hook_pf(void); -static int dehook_pf(void); -static int shutdown_pf(void); -static int pf_load(void); -static int pf_unload(void); - -static struct cdevsw pf_cdevsw = { - .d_ioctl = pfioctl, - .d_name = PF_NAME, - .d_version = D_VERSION, -}; - -static volatile VNET_DEFINE(int, pf_pfil_hooked); -#define V_pf_pfil_hooked VNET(pf_pfil_hooked) -VNET_DEFINE(int, pf_end_threads); -struct mtx pf_task_mtx; - -/* pfsync */ -pfsync_state_import_t *pfsync_state_import_ptr = NULL; -pfsync_insert_state_t *pfsync_insert_state_ptr = NULL; -pfsync_update_state_t *pfsync_update_state_ptr = NULL; -pfsync_delete_state_t *pfsync_delete_state_ptr = NULL; -pfsync_clear_states_t *pfsync_clear_states_ptr = NULL; -pfsync_state_in_use_t *pfsync_state_in_use_ptr = NULL; -pfsync_defer_t *pfsync_defer_ptr = NULL; -pfsync_up_t *pfsync_up_ptr = NULL; -/* pflow */ -export_pflow_t *export_pflow_ptr = NULL; -/* pflog */ -pflog_packet_t *pflog_packet_ptr = NULL; - -VNET_DEFINE(int, debug_pfugidhack); -SYSCTL_VNET_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, - &VNET_NAME(debug_pfugidhack), 0, - "Enable/disable pf user/group rules mpsafe hack"); - -static void -init_pf_mutex(void) -{ - - mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF); -} - -static void -destroy_pf_mutex(void) -{ - - mtx_destroy(&pf_task_mtx); -} -void -init_zone_var(void) -{ - V_pf_src_tree_pl = V_pf_rule_pl = NULL; - V_pf_state_pl = V_pf_state_key_pl = V_pf_state_item_pl = NULL; - V_pf_altq_pl = V_pf_pooladdr_pl = NULL; - V_pf_frent_pl = V_pf_frag_pl = V_pf_cache_pl = V_pf_cent_pl = NULL; - V_pf_state_scrub_pl = NULL; - V_pfr_ktable_pl = V_pfr_kentry_pl = V_pfr_kcounters_pl = NULL; -} - -void -cleanup_pf_zone(void) -{ - UMA_DESTROY(V_pf_src_tree_pl); - UMA_DESTROY(V_pf_rule_pl); - UMA_DESTROY(V_pf_state_pl); - UMA_DESTROY(V_pf_state_key_pl); - UMA_DESTROY(V_pf_state_item_pl); - UMA_DESTROY(V_pf_altq_pl); - UMA_DESTROY(V_pf_pooladdr_pl); - UMA_DESTROY(V_pf_frent_pl); - UMA_DESTROY(V_pf_frag_pl); - UMA_DESTROY(V_pf_cache_pl); - UMA_DESTROY(V_pf_cent_pl); - UMA_DESTROY(V_pfr_ktable_pl); - UMA_DESTROY(V_pfr_kentry_pl); - UMA_DESTROY(V_pfr_kcounters_pl); - UMA_DESTROY(V_pf_state_scrub_pl); - UMA_DESTROY(V_pfi_addr_pl); -} - -int -pfattach(void) -{ - u_int32_t *my_timeout = V_pf_default_rule.timeout; - int error = 1; - - do { - UMA_CREATE(V_pf_src_tree_pl, struct pf_src_node, "pfsrctrpl"); - UMA_CREATE(V_pf_rule_pl, struct pf_rule, "pfrulepl"); - UMA_CREATE(V_pf_state_pl, struct pf_state, "pfstatepl"); - UMA_CREATE(V_pf_state_key_pl, struct pf_state, "pfstatekeypl"); - UMA_CREATE(V_pf_state_item_pl, struct pf_state, "pfstateitempl"); - UMA_CREATE(V_pf_altq_pl, struct pf_altq, "pfaltqpl"); - UMA_CREATE(V_pf_pooladdr_pl, struct pf_pooladdr, "pfpooladdrpl"); - UMA_CREATE(V_pfr_ktable_pl, struct pfr_ktable, "pfrktable"); - UMA_CREATE(V_pfr_kentry_pl, struct pfr_kentry, "pfrkentry"); - UMA_CREATE(V_pfr_kcounters_pl, struct pfr_kcounters, "pfrkcounters"); - UMA_CREATE(V_pf_frent_pl, struct pf_frent, "pffrent"); - UMA_CREATE(V_pf_frag_pl, struct pf_fragment, "pffrag"); - UMA_CREATE(V_pf_cache_pl, struct pf_fragment, "pffrcache"); - UMA_CREATE(V_pf_cent_pl, struct pf_frcache, "pffrcent"); - UMA_CREATE(V_pf_state_scrub_pl, struct pf_state_scrub, - "pfstatescrub"); - UMA_CREATE(V_pfi_addr_pl, struct pfi_dynaddr, "pfiaddrpl"); - error = 0; - } while(0); - if (error) { - cleanup_pf_zone(); - return (error); - } - pfr_initialize(); - pfi_initialize(); - if ( (error = pf_osfp_initialize()) ) { - cleanup_pf_zone(); - pf_osfp_cleanup(); - return (error); - } - - V_pf_pool_limits[PF_LIMIT_STATES].pp = V_pf_state_pl; - V_pf_pool_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT; - V_pf_pool_limits[PF_LIMIT_SRC_NODES].pp = V_pf_src_tree_pl; - V_pf_pool_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT; - V_pf_pool_limits[PF_LIMIT_FRAGS].pp = V_pf_frent_pl; - V_pf_pool_limits[PF_LIMIT_FRAGS].limit = PFFRAG_FRENT_HIWAT; - V_pf_pool_limits[PF_LIMIT_TABLES].pp = V_pfr_ktable_pl; - V_pf_pool_limits[PF_LIMIT_TABLES].limit = PFR_KTABLE_HIWAT; - V_pf_pool_limits[PF_LIMIT_TABLE_ENTRIES].pp = V_pfr_kentry_pl; - V_pf_pool_limits[PF_LIMIT_TABLE_ENTRIES].limit = PFR_KENTRY_HIWAT; - uma_zone_set_max(V_pf_pool_limits[PF_LIMIT_STATES].pp, - V_pf_pool_limits[PF_LIMIT_STATES].limit); - - RB_INIT(&V_tree_src_tracking); - RB_INIT(&V_pf_anchors); - pf_init_ruleset(&pf_main_ruleset); - - TAILQ_INIT(&V_pf_altqs[0]); - TAILQ_INIT(&V_pf_altqs[1]); - TAILQ_INIT(&V_pf_pabuf); - V_pf_altqs_active = &V_pf_altqs[0]; - V_pf_altqs_inactive = &V_pf_altqs[1]; - TAILQ_INIT(&V_state_list); - - /* default rule should never be garbage collected */ - V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next; - V_pf_default_rule.action = PF_PASS; - V_pf_default_rule.nr = -1; - V_pf_default_rule.rtableid = -1; - - /* initialize default timeouts */ - my_timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; - my_timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL; - my_timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL; - my_timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL; - my_timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL; - my_timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL; - my_timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL; - my_timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL; - my_timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL; - my_timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL; - my_timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL; - my_timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL; - my_timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL; - my_timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL; - my_timeout[PFTM_FRAG] = PFTM_FRAG_VAL; - my_timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL; - my_timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL; - my_timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL; - my_timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START; - my_timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END; - - pf_normalize_init(); - - bzero(&V_pf_status, sizeof(V_pf_status)); - V_pf_status.debug = PF_DEBUG_URGENT; - - V_pf_pfil_hooked = 0; - - /* XXX do our best to avoid a conflict */ - V_pf_status.hostid = arc4random(); - - if (kproc_create(pf_purge_thread, curvnet, NULL, 0, 0, "pfpurge")) - return (ENXIO); - - m_addr_chg_pf_p = pf_pkt_addr_changed; - - return (error); -} -#else /* !__FreeBSD__ */ - -void -pfattach(int num) -{ - u_int32_t *timeout = pf_default_rule.timeout; - - pool_init(&pf_rule_pl, sizeof(struct pf_rule), 0, 0, 0, "pfrulepl", - &pool_allocator_nointr); - pool_init(&pf_src_tree_pl, sizeof(struct pf_src_node), 0, 0, 0, - "pfsrctrpl", NULL); - pool_init(&pf_state_pl, sizeof(struct pf_state), 0, 0, 0, "pfstatepl", - NULL); - pool_init(&pf_state_key_pl, sizeof(struct pf_state_key), 0, 0, 0, - "pfstatekeypl", NULL); - pool_init(&pf_state_item_pl, sizeof(struct pf_state_item), 0, 0, 0, - "pfstateitempl", NULL); - pool_init(&pf_altq_pl, sizeof(struct pf_altq), 0, 0, 0, "pfaltqpl", - &pool_allocator_nointr); - pool_init(&pf_pooladdr_pl, sizeof(struct pf_pooladdr), 0, 0, 0, - "pfpooladdrpl", &pool_allocator_nointr); - pfr_initialize(); - pfi_initialize(); - pf_osfp_initialize(); - - pool_sethardlimit(pf_pool_limits[PF_LIMIT_STATES].pp, - pf_pool_limits[PF_LIMIT_STATES].limit, NULL, 0); - - if (physmem <= atop(100*1024*1024)) - pf_pool_limits[PF_LIMIT_TABLE_ENTRIES].limit = - PFR_KENTRY_HIWAT_SMALL; - - RB_INIT(&tree_src_tracking); - RB_INIT(&pf_anchors); - pf_init_ruleset(&pf_main_ruleset); - TAILQ_INIT(&pf_altqs[0]); - TAILQ_INIT(&pf_altqs[1]); - TAILQ_INIT(&pf_pabuf); - pf_altqs_active = &pf_altqs[0]; - pf_altqs_inactive = &pf_altqs[1]; - TAILQ_INIT(&state_list); - - /* default rule should never be garbage collected */ - pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next; - pf_default_rule.action = PF_PASS; - pf_default_rule.nr = -1; - pf_default_rule.rtableid = -1; - - /* initialize default timeouts */ - timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; - timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL; - timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL; - timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL; - timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL; - timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL; - timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL; - timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL; - timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL; - timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL; - timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL; - timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL; - timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL; - timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL; - timeout[PFTM_FRAG] = PFTM_FRAG_VAL; - timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL; - timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL; - timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL; - timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START; - timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END; - - pf_normalize_init(); - bzero(&pf_status, sizeof(pf_status)); - pf_status.debug = PF_DEBUG_URGENT; - - /* XXX do our best to avoid a conflict */ - pf_status.hostid = arc4random(); - - /* require process context to purge states, so perform in a thread */ - kthread_create_deferred(pf_thread_create, NULL); -} - -void -pf_thread_create(void *v) -{ - if (kthread_create(pf_purge_thread, NULL, NULL, "pfpurge")) - panic("pfpurge thread"); -} - -int -pfopen(dev_t dev, int flags, int fmt, struct proc *p) -{ - if (minor(dev) >= 1) - return (ENXIO); - return (0); -} - -int -pfclose(dev_t dev, int flags, int fmt, struct proc *p) -{ - if (minor(dev) >= 1) - return (ENXIO); - return (0); -} -#endif - -struct pf_pool * -pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action, - u_int32_t rule_number, u_int8_t r_last, u_int8_t active, - u_int8_t check_ticket) -{ - struct pf_ruleset *ruleset; - struct pf_rule *rule; - int rs_num; - - ruleset = pf_find_ruleset(anchor); - if (ruleset == NULL) - return (NULL); - rs_num = pf_get_ruleset_number(rule_action); - if (rs_num >= PF_RULESET_MAX) - return (NULL); - if (active) { - if (check_ticket && ticket != - ruleset->rules[rs_num].active.ticket) - return (NULL); - if (r_last) - rule = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, - pf_rulequeue); - else - rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); - } else { - if (check_ticket && ticket != - ruleset->rules[rs_num].inactive.ticket) - return (NULL); - if (r_last) - rule = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, - pf_rulequeue); - else - rule = TAILQ_FIRST(ruleset->rules[rs_num].inactive.ptr); - } - if (!r_last) { - while ((rule != NULL) && (rule->nr != rule_number)) - rule = TAILQ_NEXT(rule, entries); - } - if (rule == NULL) - return (NULL); - - return (&rule->rpool); -} - -void -pf_mv_pool(struct pf_palist *poola, struct pf_palist *poolb) -{ - struct pf_pooladdr *mv_pool_pa; - - while ((mv_pool_pa = TAILQ_FIRST(poola)) != NULL) { - TAILQ_REMOVE(poola, mv_pool_pa, entries); - TAILQ_INSERT_TAIL(poolb, mv_pool_pa, entries); - } -} - -void -pf_empty_pool(struct pf_palist *poola) -{ - struct pf_pooladdr *empty_pool_pa; - - while ((empty_pool_pa = TAILQ_FIRST(poola)) != NULL) { - pfi_dynaddr_remove(&empty_pool_pa->addr); - pf_tbladdr_remove(&empty_pool_pa->addr); - pfi_kif_unref(empty_pool_pa->kif, PFI_KIF_REF_RULE); - TAILQ_REMOVE(poola, empty_pool_pa, entries); -#ifdef __FreeBSD__ - pool_put(&V_pf_pooladdr_pl, empty_pool_pa); -#else - pool_put(&pf_pooladdr_pl, empty_pool_pa); -#endif - } -} - -void -pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule) -{ - if (rulequeue != NULL) { - if (rule->states_cur <= 0) { - /* - * XXX - we need to remove the table *before* detaching - * the rule to make sure the table code does not delete - * the anchor under our feet. - */ - pf_tbladdr_remove(&rule->src.addr); - pf_tbladdr_remove(&rule->dst.addr); - if (rule->overload_tbl) - pfr_detach_table(rule->overload_tbl); - } - TAILQ_REMOVE(rulequeue, rule, entries); - rule->entries.tqe_prev = NULL; - rule->nr = -1; - } - - if (rule->states_cur > 0 || rule->src_nodes > 0 || - rule->entries.tqe_prev != NULL) - return; - pf_tag_unref(rule->tag); - pf_tag_unref(rule->match_tag); -#ifdef ALTQ - if (rule->pqid != rule->qid) - pf_qid_unref(rule->pqid); - pf_qid_unref(rule->qid); -#endif - pf_rtlabel_remove(&rule->src.addr); - pf_rtlabel_remove(&rule->dst.addr); - pfi_dynaddr_remove(&rule->src.addr); - pfi_dynaddr_remove(&rule->dst.addr); - if (rulequeue == NULL) { - pf_tbladdr_remove(&rule->src.addr); - pf_tbladdr_remove(&rule->dst.addr); - if (rule->overload_tbl) - pfr_detach_table(rule->overload_tbl); - } - pfi_kif_unref(rule->kif, PFI_KIF_REF_RULE); - pf_anchor_remove(rule); - pf_empty_pool(&rule->rpool.list); -#ifdef __FreeBSD__ - pool_put(&V_pf_rule_pl, rule); -#else - pool_put(&pf_rule_pl, rule); -#endif -} - -u_int16_t -tagname2tag(struct pf_tags *head, char *tagname) -{ - struct pf_tagname *tag, *p = NULL; - u_int16_t new_tagid = 1; - - TAILQ_FOREACH(tag, head, entries) - if (strcmp(tagname, tag->name) == 0) { - tag->ref++; - return (tag->tag); - } - - /* - * to avoid fragmentation, we do a linear search from the beginning - * and take the first free slot we find. if there is none or the list - * is empty, append a new entry at the end. - */ - - /* new entry */ - if (!TAILQ_EMPTY(head)) - for (p = TAILQ_FIRST(head); p != NULL && - p->tag == new_tagid; p = TAILQ_NEXT(p, entries)) - new_tagid = p->tag + 1; - - if (new_tagid > TAGID_MAX) - return (0); - - /* allocate and fill new struct pf_tagname */ - tag = malloc(sizeof(*tag), M_TEMP, M_NOWAIT|M_ZERO); - if (tag == NULL) - return (0); - strlcpy(tag->name, tagname, sizeof(tag->name)); - tag->tag = new_tagid; - tag->ref++; - - if (p != NULL) /* insert new entry before p */ - TAILQ_INSERT_BEFORE(p, tag, entries); - else /* either list empty or no free slot in between */ - TAILQ_INSERT_TAIL(head, tag, entries); - - return (tag->tag); -} - -void -tag2tagname(struct pf_tags *head, u_int16_t tagid, char *p) -{ - struct pf_tagname *tag; - - TAILQ_FOREACH(tag, head, entries) - if (tag->tag == tagid) { - strlcpy(p, tag->name, PF_TAG_NAME_SIZE); - return; - } -} - -void -tag_unref(struct pf_tags *head, u_int16_t tag) -{ - struct pf_tagname *p, *next; - - if (tag == 0) - return; - - for (p = TAILQ_FIRST(head); p != NULL; p = next) { - next = TAILQ_NEXT(p, entries); - if (tag == p->tag) { - if (--p->ref == 0) { - TAILQ_REMOVE(head, p, entries); - free(p, M_TEMP); - } - break; - } - } -} - -u_int16_t -pf_tagname2tag(char *tagname) -{ -#ifdef __FreeBSD__ - return (tagname2tag(&V_pf_tags, tagname)); -#else - return (tagname2tag(&pf_tags, tagname)); -#endif -} - -void -pf_tag2tagname(u_int16_t tagid, char *p) -{ -#ifdef __FreeBSD__ - tag2tagname(&V_pf_tags, tagid, p); -#else - tag2tagname(&pf_tags, tagid, p); -#endif -} - -void -pf_tag_ref(u_int16_t tag) -{ - struct pf_tagname *t; - -#ifdef __FreeBSD__ - TAILQ_FOREACH(t, &V_pf_tags, entries) -#else - TAILQ_FOREACH(t, &pf_tags, entries) -#endif - if (t->tag == tag) - break; - if (t != NULL) - t->ref++; -} - -void -pf_tag_unref(u_int16_t tag) -{ -#ifdef __FreeBSD__ - tag_unref(&V_pf_tags, tag); -#else - tag_unref(&pf_tags, tag); -#endif -} - -int -pf_rtlabel_add(struct pf_addr_wrap *a) -{ -#ifdef __FreeBSD__ - /* XXX_IMPORT: later */ - return (0); -#else - if (a->type == PF_ADDR_RTLABEL && - (a->v.rtlabel = rtlabel_name2id(a->v.rtlabelname)) == 0) - return (-1); - return (0); -#endif -} - -void -pf_rtlabel_remove(struct pf_addr_wrap *a) -{ -#ifdef __FreeBSD__ - /* XXX_IMPORT: later */ -#else - if (a->type == PF_ADDR_RTLABEL) - rtlabel_unref(a->v.rtlabel); -#endif -} - -void -pf_rtlabel_copyout(struct pf_addr_wrap *a) -{ -#ifdef __FreeBSD__ - /* XXX_IMPORT: later */ - if (a->type == PF_ADDR_RTLABEL && a->v.rtlabel) - strlcpy(a->v.rtlabelname, "?", sizeof(a->v.rtlabelname)); -#else - const char *name; - - if (a->type == PF_ADDR_RTLABEL && a->v.rtlabel) { - if ((name = rtlabel_id2name(a->v.rtlabel)) == NULL) - strlcpy(a->v.rtlabelname, "?", - sizeof(a->v.rtlabelname)); - else - strlcpy(a->v.rtlabelname, name, - sizeof(a->v.rtlabelname)); - } -#endif -} - -#ifdef ALTQ -u_int32_t -pf_qname2qid(char *qname) -{ -#ifdef __FreeBSD__ - return ((u_int32_t)tagname2tag(&V_pf_qids, qname)); -#else - return ((u_int32_t)tagname2tag(&pf_qids, qname)); -#endif -} - -void -pf_qid2qname(u_int32_t qid, char *p) -{ -#ifdef __FreeBSD__ - tag2tagname(&V_pf_qids, (u_int16_t)qid, p); -#else - tag2tagname(&pf_qids, (u_int16_t)qid, p); -#endif -} - -void -pf_qid_unref(u_int32_t qid) -{ -#ifdef __FreeBSD__ - tag_unref(&V_pf_qids, (u_int16_t)qid); -#else - tag_unref(&pf_qids, (u_int16_t)qid); -#endif -} - -int -pf_begin_altq(u_int32_t *ticket) -{ - struct pf_altq *altq; - int error = 0; - - /* Purge the old altq list */ -#ifdef __FreeBSD__ - while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) { - TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0 && - (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) { -#else - while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) { - TAILQ_REMOVE(pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0) { -#endif - /* detach and destroy the discipline */ - error = altq_remove(altq); - } else - pf_qid_unref(altq->qid); -#ifdef __FreeBSD__ - pool_put(&V_pf_altq_pl, altq); -#else - pool_put(&pf_altq_pl, altq); -#endif - } - if (error) - return (error); -#ifdef __FreeBSD__ - *ticket = ++V_ticket_altqs_inactive; - V_altqs_inactive_open = 1; -#else - *ticket = ++ticket_altqs_inactive; - altqs_inactive_open = 1; -#endif - return (0); -} - -int -pf_rollback_altq(u_int32_t ticket) -{ - struct pf_altq *altq; - int error = 0; - -#ifdef __FreeBSD__ - if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive) - return (0); - /* Purge the old altq list */ - while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) { - TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0 && - (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) { -#else - if (!altqs_inactive_open || ticket != ticket_altqs_inactive) - return (0); - /* Purge the old altq list */ - while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) { - TAILQ_REMOVE(pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0) { -#endif - /* detach and destroy the discipline */ - error = altq_remove(altq); - } else - pf_qid_unref(altq->qid); -#ifdef __FreeBSD__ - pool_put(&V_pf_altq_pl, altq); -#else - pool_put(&pf_altq_pl, altq); -#endif - } -#ifdef __FreeBSD__ - V_altqs_inactive_open = 0; -#else - altqs_inactive_open = 0; -#endif - return (error); -} - -int -pf_commit_altq(u_int32_t ticket) -{ - struct pf_altqqueue *old_altqs; - struct pf_altq *altq; - int s, err, error = 0; - -#ifdef __FreeBSD__ - if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive) -#else - if (!altqs_inactive_open || ticket != ticket_altqs_inactive) -#endif - return (EBUSY); - - /* swap altqs, keep the old. */ - s = splsoftnet(); -#ifdef __FreeBSD__ - old_altqs = V_pf_altqs_active; - V_pf_altqs_active = V_pf_altqs_inactive; - V_pf_altqs_inactive = old_altqs; - V_ticket_altqs_active = V_ticket_altqs_inactive; -#else - old_altqs = pf_altqs_active; - pf_altqs_active = pf_altqs_inactive; - pf_altqs_inactive = old_altqs; - ticket_altqs_active = ticket_altqs_inactive; -#endif - - /* Attach new disciplines */ -#ifdef __FreeBSD__ - TAILQ_FOREACH(altq, V_pf_altqs_active, entries) { - if (altq->qname[0] == 0 && - (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) { -#else - TAILQ_FOREACH(altq, pf_altqs_active, entries) { - if (altq->qname[0] == 0) { -#endif - /* attach the discipline */ - error = altq_pfattach(altq); -#ifdef __FreeBSD__ - if (error == 0 && V_pf_altq_running) -#else - if (error == 0 && pf_altq_running) -#endif - error = pf_enable_altq(altq); - if (error != 0) { - splx(s); - return (error); - } - } - } - - /* Purge the old altq list */ -#ifdef __FreeBSD__ - while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) { - TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0 && - (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) { -#else - while ((altq = TAILQ_FIRST(pf_altqs_inactive)) != NULL) { - TAILQ_REMOVE(pf_altqs_inactive, altq, entries); - if (altq->qname[0] == 0) { -#endif - /* detach and destroy the discipline */ -#ifdef __FreeBSD__ - if (V_pf_altq_running) -#else - if (pf_altq_running) -#endif - error = pf_disable_altq(altq); - err = altq_pfdetach(altq); - if (err != 0 && error == 0) - error = err; - err = altq_remove(altq); - if (err != 0 && error == 0) - error = err; - } else - pf_qid_unref(altq->qid); -#ifdef __FreeBSD__ - pool_put(&V_pf_altq_pl, altq); -#else - pool_put(&pf_altq_pl, altq); -#endif - } - splx(s); - -#ifdef __FreeBSD__ - V_altqs_inactive_open = 0; -#else - altqs_inactive_open = 0; -#endif - return (error); -} - -int -pf_enable_altq(struct pf_altq *altq) -{ - struct ifnet *ifp; - struct tb_profile tb; - int s, error = 0; - - if ((ifp = ifunit(altq->ifname)) == NULL) - return (EINVAL); - - if (ifp->if_snd.altq_type != ALTQT_NONE) - error = altq_enable(&ifp->if_snd); - - /* set tokenbucket regulator */ - if (error == 0 && ifp != NULL && ALTQ_IS_ENABLED(&ifp->if_snd)) { - tb.rate = altq->ifbandwidth; - tb.depth = altq->tbrsize; - s = splnet(); -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - error = tbr_set(&ifp->if_snd, &tb); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - splx(s); - } - - return (error); -} - -int -pf_disable_altq(struct pf_altq *altq) -{ - struct ifnet *ifp; - struct tb_profile tb; - int s, error; - - if ((ifp = ifunit(altq->ifname)) == NULL) - return (EINVAL); - - /* - * when the discipline is no longer referenced, it was overridden - * by a new one. if so, just return. - */ - if (altq->altq_disc != ifp->if_snd.altq_disc) - return (0); - - error = altq_disable(&ifp->if_snd); - - if (error == 0) { - /* clear tokenbucket regulator */ - tb.rate = 0; - s = splnet(); -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - error = tbr_set(&ifp->if_snd, &tb); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - splx(s); - } - - return (error); -} - -#ifdef __FreeBSD__ -void -pf_altq_ifnet_event(struct ifnet *ifp, int remove) -{ - struct ifnet *ifp1; - struct pf_altq *a1, *a2, *a3; - u_int32_t ticket; - int error = 0; - - /* Interrupt userland queue modifications */ -#ifdef __FreeBSD__ - if (V_altqs_inactive_open) - pf_rollback_altq(V_ticket_altqs_inactive); -#else - if (altqs_inactive_open) - pf_rollback_altq(ticket_altqs_inactive); -#endif - - /* Start new altq ruleset */ - if (pf_begin_altq(&ticket)) - return; - - /* Copy the current active set */ -#ifdef __FreeBSD__ - TAILQ_FOREACH(a1, V_pf_altqs_active, entries) { - a2 = pool_get(&V_pf_altq_pl, PR_NOWAIT); -#else - TAILQ_FOREACH(a1, pf_altqs_active, entries) { - a2 = pool_get(&pf_altq_pl, PR_NOWAIT); -#endif - if (a2 == NULL) { - error = ENOMEM; - break; - } - bcopy(a1, a2, sizeof(struct pf_altq)); - - if (a2->qname[0] != 0) { - if ((a2->qid = pf_qname2qid(a2->qname)) == 0) { - error = EBUSY; -#ifdef __FreeBSD__ - pool_put(&V_pf_altq_pl, a2); -#else - pool_put(&pf_altq_pl, a2); -#endif - break; - } - a2->altq_disc = NULL; -#ifdef __FreeBSD__ - TAILQ_FOREACH(a3, V_pf_altqs_inactive, entries) { -#else - TAILQ_FOREACH(a3, pf_altqs_inactive, entries) { -#endif - if (strncmp(a3->ifname, a2->ifname, - IFNAMSIZ) == 0 && a3->qname[0] == 0) { - a2->altq_disc = a3->altq_disc; - break; - } - } - } - /* Deactivate the interface in question */ - a2->local_flags &= ~PFALTQ_FLAG_IF_REMOVED; - if ((ifp1 = ifunit(a2->ifname)) == NULL || - (remove && ifp1 == ifp)) { - a2->local_flags |= PFALTQ_FLAG_IF_REMOVED; - } else { - PF_UNLOCK(); - error = altq_add(a2); - PF_LOCK(); - -#ifdef __FreeBSD__ - if (ticket != V_ticket_altqs_inactive) -#else - if (ticket != ticket_altqs_inactive) -#endif - error = EBUSY; - - if (error) { -#ifdef __FreeBSD__ - pool_put(&V_pf_altq_pl, a2); -#else - pool_put(&pf_altq_pl, a2); -#endif - break; - } - } - -#ifdef __FreeBSD__ - TAILQ_INSERT_TAIL(V_pf_altqs_inactive, a2, entries); -#else - TAILQ_INSERT_TAIL(pf_altqs_inactive, a2, entries); -#endif - } - - if (error != 0) - pf_rollback_altq(ticket); - else - pf_commit_altq(ticket); - } -#endif -#endif /* ALTQ */ - -int -pf_begin_rules(u_int32_t *ticket, int rs_num, const char *anchor) -{ - struct pf_ruleset *rs; - struct pf_rule *rule; - - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); - rs = pf_find_or_create_ruleset(anchor); - if (rs == NULL) - return (EINVAL); - while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { - pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); - rs->rules[rs_num].inactive.rcount--; - } - *ticket = ++rs->rules[rs_num].inactive.ticket; - rs->rules[rs_num].inactive.open = 1; - return (0); -} - -int -pf_rollback_rules(u_int32_t ticket, int rs_num, char *anchor) -{ - struct pf_ruleset *rs; - struct pf_rule *rule; - - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); - rs = pf_find_ruleset(anchor); - if (rs == NULL || !rs->rules[rs_num].inactive.open || - rs->rules[rs_num].inactive.ticket != ticket) - return (0); - while ((rule = TAILQ_FIRST(rs->rules[rs_num].inactive.ptr)) != NULL) { - pf_rm_rule(rs->rules[rs_num].inactive.ptr, rule); - rs->rules[rs_num].inactive.rcount--; - } - rs->rules[rs_num].inactive.open = 0; - return (0); -} - -#define PF_MD5_UPD(st, elm) \ - MD5Update(ctx, (u_int8_t *) &(st)->elm, sizeof((st)->elm)) - -#define PF_MD5_UPD_STR(st, elm) \ - MD5Update(ctx, (u_int8_t *) (st)->elm, strlen((st)->elm)) - -#define PF_MD5_UPD_HTONL(st, elm, stor) do { \ - (stor) = htonl((st)->elm); \ - MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int32_t));\ -} while (0) - -#define PF_MD5_UPD_HTONS(st, elm, stor) do { \ - (stor) = htons((st)->elm); \ - MD5Update(ctx, (u_int8_t *) &(stor), sizeof(u_int16_t));\ -} while (0) - -void -pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr) -{ - PF_MD5_UPD(pfr, addr.type); - switch (pfr->addr.type) { - case PF_ADDR_DYNIFTL: - PF_MD5_UPD(pfr, addr.v.ifname); - PF_MD5_UPD(pfr, addr.iflags); - break; - case PF_ADDR_TABLE: - PF_MD5_UPD(pfr, addr.v.tblname); - break; - case PF_ADDR_ADDRMASK: - /* XXX ignore af? */ - PF_MD5_UPD(pfr, addr.v.a.addr.addr32); - PF_MD5_UPD(pfr, addr.v.a.mask.addr32); - break; - case PF_ADDR_RTLABEL: - PF_MD5_UPD(pfr, addr.v.rtlabelname); - break; - } - - PF_MD5_UPD(pfr, port[0]); - PF_MD5_UPD(pfr, port[1]); - PF_MD5_UPD(pfr, neg); - PF_MD5_UPD(pfr, port_op); -} - -void -pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule) -{ - u_int16_t x; - u_int32_t y; - - pf_hash_rule_addr(ctx, &rule->src); - pf_hash_rule_addr(ctx, &rule->dst); - PF_MD5_UPD_STR(rule, label); - PF_MD5_UPD_STR(rule, ifname); - PF_MD5_UPD_STR(rule, match_tagname); - PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */ - PF_MD5_UPD_HTONL(rule, os_fingerprint, y); - PF_MD5_UPD_HTONL(rule, prob, y); - PF_MD5_UPD_HTONL(rule, uid.uid[0], y); - PF_MD5_UPD_HTONL(rule, uid.uid[1], y); - PF_MD5_UPD(rule, uid.op); - PF_MD5_UPD_HTONL(rule, gid.gid[0], y); - PF_MD5_UPD_HTONL(rule, gid.gid[1], y); - PF_MD5_UPD(rule, gid.op); - PF_MD5_UPD_HTONL(rule, rule_flag, y); - PF_MD5_UPD(rule, action); - PF_MD5_UPD(rule, direction); - PF_MD5_UPD(rule, af); - PF_MD5_UPD(rule, quick); - PF_MD5_UPD(rule, ifnot); - PF_MD5_UPD(rule, match_tag_not); - PF_MD5_UPD(rule, natpass); - PF_MD5_UPD(rule, keep_state); - PF_MD5_UPD(rule, proto); - PF_MD5_UPD(rule, type); - PF_MD5_UPD(rule, code); - PF_MD5_UPD(rule, flags); - PF_MD5_UPD(rule, flagset); - PF_MD5_UPD(rule, allow_opts); - PF_MD5_UPD(rule, rt); - PF_MD5_UPD(rule, tos); -} - -int -pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) -{ - struct pf_ruleset *rs; - struct pf_rule *rule, **old_array; - struct pf_rulequeue *old_rules; - int s, error; - u_int32_t old_rcount; - - if (rs_num < 0 || rs_num >= PF_RULESET_MAX) - return (EINVAL); - rs = pf_find_ruleset(anchor); - if (rs == NULL || !rs->rules[rs_num].inactive.open || - ticket != rs->rules[rs_num].inactive.ticket) - return (EBUSY); - - /* Calculate checksum for the main ruleset */ - if (rs == &pf_main_ruleset) { - error = pf_setup_pfsync_matching(rs); - if (error != 0) - return (error); - } - - /* Swap rules, keep the old. */ - s = splsoftnet(); - old_rules = rs->rules[rs_num].active.ptr; - old_rcount = rs->rules[rs_num].active.rcount; - old_array = rs->rules[rs_num].active.ptr_array; - - rs->rules[rs_num].active.ptr = - rs->rules[rs_num].inactive.ptr; - rs->rules[rs_num].active.ptr_array = - rs->rules[rs_num].inactive.ptr_array; - rs->rules[rs_num].active.rcount = - rs->rules[rs_num].inactive.rcount; - rs->rules[rs_num].inactive.ptr = old_rules; - rs->rules[rs_num].inactive.ptr_array = old_array; - rs->rules[rs_num].inactive.rcount = old_rcount; - - rs->rules[rs_num].active.ticket = - rs->rules[rs_num].inactive.ticket; - pf_calc_skip_steps(rs->rules[rs_num].active.ptr); - - - /* Purge the old rule list. */ - while ((rule = TAILQ_FIRST(old_rules)) != NULL) - pf_rm_rule(old_rules, rule); - if (rs->rules[rs_num].inactive.ptr_array) - free(rs->rules[rs_num].inactive.ptr_array, M_TEMP); - rs->rules[rs_num].inactive.ptr_array = NULL; - rs->rules[rs_num].inactive.rcount = 0; - rs->rules[rs_num].inactive.open = 0; - pf_remove_if_empty_ruleset(rs); - splx(s); - return (0); -} - -int -pf_setup_pfsync_matching(struct pf_ruleset *rs) -{ - MD5_CTX ctx; - struct pf_rule *rule; - int rs_cnt; - u_int8_t digest[PF_MD5_DIGEST_LENGTH]; - - MD5Init(&ctx); - for (rs_cnt = 0; rs_cnt < PF_RULESET_MAX; rs_cnt++) { - /* XXX PF_RULESET_SCRUB as well? */ - if (rs_cnt == PF_RULESET_SCRUB) - continue; - - if (rs->rules[rs_cnt].inactive.ptr_array) - free(rs->rules[rs_cnt].inactive.ptr_array, M_TEMP); - rs->rules[rs_cnt].inactive.ptr_array = NULL; - - if (rs->rules[rs_cnt].inactive.rcount) { - rs->rules[rs_cnt].inactive.ptr_array = - malloc(sizeof(caddr_t) * - rs->rules[rs_cnt].inactive.rcount, - M_TEMP, M_NOWAIT); - - if (!rs->rules[rs_cnt].inactive.ptr_array) - return (ENOMEM); - } - - TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr, - entries) { - pf_hash_rule(&ctx, rule); - (rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule; - } - } - - MD5Final(digest, &ctx); -#ifdef __FreeBSD__ - memcpy(V_pf_status.pf_chksum, digest, sizeof(V_pf_status.pf_chksum)); -#else - memcpy(pf_status.pf_chksum, digest, sizeof(pf_status.pf_chksum)); -#endif - return (0); -} - -int -pf_addr_setup(struct pf_ruleset *ruleset, struct pf_addr_wrap *addr, - sa_family_t af) -{ - if (pfi_dynaddr_setup(addr, af) || - pf_tbladdr_setup(ruleset, addr)) - return (EINVAL); - - return (0); -} - -void -pf_addr_copyout(struct pf_addr_wrap *addr) -{ - pfi_dynaddr_copyout(addr); - pf_tbladdr_copyout(addr); - pf_rtlabel_copyout(addr); -} - -int -#ifdef __FreeBSD__ -pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td) -#else -pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) -#endif -{ - struct pf_pooladdr *pa = NULL; - struct pf_pool *pool = NULL; -#ifndef __FreeBSD__ - int s; -#endif - int error = 0; - - CURVNET_SET(TD_TO_VNET(td)); - - /* XXX keep in sync with switch() below */ -#ifdef __FreeBSD__ - if (securelevel_gt(td->td_ucred, 2)) -#else - if (securelevel > 1) -#endif - switch (cmd) { - case DIOCGETRULES: - case DIOCGETRULE: - case DIOCGETADDRS: - case DIOCGETADDR: - case DIOCGETSTATE: - case DIOCSETSTATUSIF: - case DIOCGETSTATUS: - case DIOCCLRSTATUS: - case DIOCNATLOOK: - case DIOCSETDEBUG: - case DIOCGETSTATES: - case DIOCGETTIMEOUT: - case DIOCCLRRULECTRS: - case DIOCGETLIMIT: - case DIOCGETALTQS: - case DIOCGETALTQ: - case DIOCGETQSTATS: - case DIOCGETRULESETS: - case DIOCGETRULESET: - case DIOCRGETTABLES: - case DIOCRGETTSTATS: - case DIOCRCLRTSTATS: - case DIOCRCLRADDRS: - case DIOCRADDADDRS: - case DIOCRDELADDRS: - case DIOCRSETADDRS: - case DIOCRGETADDRS: - case DIOCRGETASTATS: - case DIOCRCLRASTATS: - case DIOCRTSTADDRS: - case DIOCOSFPGET: - case DIOCGETSRCNODES: - case DIOCCLRSRCNODES: - case DIOCIGETIFACES: -#ifdef __FreeBSD__ - case DIOCGIFSPEED: -#endif - case DIOCSETIFFLAG: - case DIOCCLRIFFLAG: - break; - case DIOCRCLRTABLES: - case DIOCRADDTABLES: - case DIOCRDELTABLES: - case DIOCRSETTFLAGS: - if (((struct pfioc_table *)addr)->pfrio_flags & - PFR_FLAG_DUMMY) - break; /* dummy operation ok */ - return (EPERM); - default: - return (EPERM); - } - - if (!(flags & FWRITE)) - switch (cmd) { - case DIOCGETRULES: - case DIOCGETADDRS: - case DIOCGETADDR: - case DIOCGETSTATE: - case DIOCGETSTATUS: - case DIOCGETSTATES: - case DIOCGETTIMEOUT: - case DIOCGETLIMIT: - case DIOCGETALTQS: - case DIOCGETALTQ: - case DIOCGETQSTATS: - case DIOCGETRULESETS: - case DIOCGETRULESET: - case DIOCNATLOOK: - case DIOCRGETTABLES: - case DIOCRGETTSTATS: - case DIOCRGETADDRS: - case DIOCRGETASTATS: - case DIOCRTSTADDRS: - case DIOCOSFPGET: - case DIOCGETSRCNODES: - case DIOCIGETIFACES: -#ifdef __FreeBSD__ - case DIOCGIFSPEED: -#endif - break; - case DIOCRCLRTABLES: - case DIOCRADDTABLES: - case DIOCRDELTABLES: - case DIOCRCLRTSTATS: - case DIOCRCLRADDRS: - case DIOCRADDADDRS: - case DIOCRDELADDRS: - case DIOCRSETADDRS: - case DIOCRSETTFLAGS: - if (((struct pfioc_table *)addr)->pfrio_flags & - PFR_FLAG_DUMMY) { - flags |= FWRITE; /* need write lock for dummy */ - break; /* dummy operation ok */ - } - return (EACCES); - case DIOCGETRULE: - if (((struct pfioc_rule *)addr)->action == - PF_GET_CLR_CNTR) - return (EACCES); - break; - default: - return (EACCES); - } - - if (flags & FWRITE) -#ifdef __FreeBSD__ - sx_xlock(&V_pf_consistency_lock); - else - sx_slock(&V_pf_consistency_lock); -#else - rw_enter_write(&pf_consistency_lock); - else - rw_enter_read(&pf_consistency_lock); -#endif - -#ifdef __FreeBSD__ - PF_LOCK(); -#else - s = splsoftnet(); -#endif - switch (cmd) { - - case DIOCSTART: -#ifdef __FreeBSD__ - if (V_pf_status.running) -#else - if (pf_status.running) -#endif - error = EEXIST; - else { -#ifdef __FreeBSD__ - PF_UNLOCK(); - error = hook_pf(); - PF_LOCK(); - if (error) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: pfil registeration fail\n")); - break; - } - V_pf_status.running = 1; - V_pf_status.since = time_second; - - if (V_pf_status.stateid == 0) { - V_pf_status.stateid = time_second; - V_pf_status.stateid = V_pf_status.stateid << 32; - } -#else - pf_status.running = 1; - pf_status.since = time_second; - - if (pf_status.stateid == 0) { - pf_status.stateid = time_second; - pf_status.stateid = pf_status.stateid << 32; - } -#endif - DPFPRINTF(PF_DEBUG_MISC, ("pf: started\n")); - } - break; - - case DIOCSTOP: -#ifdef __FreeBSD__ - if (!V_pf_status.running) - error = ENOENT; - else { - V_pf_status.running = 0; - PF_UNLOCK(); - error = dehook_pf(); - PF_LOCK(); - if (error) { - V_pf_status.running = 1; - DPFPRINTF(PF_DEBUG_MISC, - ("pf: pfil unregisteration failed\n")); - } - V_pf_status.since = time_second; -#else - if (!pf_status.running) - error = ENOENT; - else { - pf_status.running = 0; - pf_status.since = time_second; -#endif - DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n")); - } - break; - - case DIOCADDRULE: { - struct pfioc_rule *pr = (struct pfioc_rule *)addr; - struct pf_ruleset *ruleset; - struct pf_rule *rule, *tail; - struct pf_pooladdr *pa; - int rs_num; - - pr->anchor[sizeof(pr->anchor) - 1] = 0; - ruleset = pf_find_ruleset(pr->anchor); - if (ruleset == NULL) { - error = EINVAL; - break; - } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } - if (pr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { - error = EINVAL; - break; - } - if (pr->ticket != ruleset->rules[rs_num].inactive.ticket) { -#ifdef __FreeBSD__ - DPFPRINTF(PF_DEBUG_MISC, - ("ticket: %d != [%d]%d\n", pr->ticket, rs_num, - ruleset->rules[rs_num].inactive.ticket)); -#endif - error = EBUSY; - break; - } -#ifdef __FreeBSD__ - if (pr->pool_ticket != V_ticket_pabuf) { - DPFPRINTF(PF_DEBUG_MISC, - ("pool_ticket: %d != %d\n", pr->pool_ticket, - V_ticket_pabuf)); -#else - if (pr->pool_ticket != ticket_pabuf) { -#endif - error = EBUSY; - break; - } -#ifdef __FreeBSD__ - rule = pool_get(&V_pf_rule_pl, PR_NOWAIT); -#else - rule = pool_get(&pf_rule_pl, PR_WAITOK|PR_LIMITFAIL); -#endif - if (rule == NULL) { - error = ENOMEM; - break; - } - bcopy(&pr->rule, rule, sizeof(struct pf_rule)); -#ifdef __FreeBSD__ - rule->cuid = td->td_ucred->cr_ruid; - rule->cpid = td->td_proc ? td->td_proc->p_pid : 0; -#else - rule->cuid = p->p_cred->p_ruid; - rule->cpid = p->p_pid; -#endif - rule->anchor = NULL; - rule->kif = NULL; - TAILQ_INIT(&rule->rpool.list); - /* initialize refcounting */ - rule->states_cur = 0; - rule->src_nodes = 0; - rule->entries.tqe_prev = NULL; -#ifndef INET - if (rule->af == AF_INET) { -#ifdef __FreeBSD__ - pool_put(&V_pf_rule_pl, rule); -#else - pool_put(&pf_rule_pl, rule); -#endif - error = EAFNOSUPPORT; - break; - } -#endif /* INET */ -#ifndef INET6 - if (rule->af == AF_INET6) { -#ifdef __FreeBSD__ - pool_put(&V_pf_rule_pl, rule); -#else - pool_put(&pf_rule_pl, rule); -#endif - error = EAFNOSUPPORT; - break; - } -#endif /* INET6 */ - tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr, - pf_rulequeue); - if (tail) - rule->nr = tail->nr + 1; - else - rule->nr = 0; - if (rule->ifname[0]) { - rule->kif = pfi_kif_get(rule->ifname); - if (rule->kif == NULL) { -#ifdef __FreeBSD__ - pool_put(&V_pf_rule_pl, rule); -#else - pool_put(&pf_rule_pl, rule); -#endif - error = EINVAL; - break; - } - pfi_kif_ref(rule->kif, PFI_KIF_REF_RULE); - } - -#ifdef __FreeBSD__ /* ROUTING */ - if (rule->rtableid > 0 && rule->rtableid >= rt_numfibs) -#else - if (rule->rtableid > 0 && !rtable_exists(rule->rtableid)) -#endif - error = EBUSY; - -#ifdef ALTQ - /* set queue IDs */ - if (rule->qname[0] != 0) { - if ((rule->qid = pf_qname2qid(rule->qname)) == 0) - error = EBUSY; - else if (rule->pqname[0] != 0) { - if ((rule->pqid = - pf_qname2qid(rule->pqname)) == 0) - error = EBUSY; - } else - rule->pqid = rule->qid; - } -#endif - if (rule->tagname[0]) - if ((rule->tag = pf_tagname2tag(rule->tagname)) == 0) - error = EBUSY; - if (rule->match_tagname[0]) - if ((rule->match_tag = - pf_tagname2tag(rule->match_tagname)) == 0) - error = EBUSY; - if (rule->rt && !rule->direction) - error = EINVAL; -#if NPFLOG > 0 - if (!rule->log) - rule->logif = 0; - if (rule->logif >= PFLOGIFS_MAX) - error = EINVAL; -#endif - if (pf_rtlabel_add(&rule->src.addr) || - pf_rtlabel_add(&rule->dst.addr)) - error = EBUSY; - if (pf_addr_setup(ruleset, &rule->src.addr, rule->af)) - error = EINVAL; - if (pf_addr_setup(ruleset, &rule->dst.addr, rule->af)) - error = EINVAL; - if (pf_anchor_setup(rule, ruleset, pr->anchor_call)) - error = EINVAL; -#ifdef __FreeBSD__ - TAILQ_FOREACH(pa, &V_pf_pabuf, entries) -#else - TAILQ_FOREACH(pa, &pf_pabuf, entries) -#endif - if (pf_tbladdr_setup(ruleset, &pa->addr)) - error = EINVAL; - - if (rule->overload_tblname[0]) { - if ((rule->overload_tbl = pfr_attach_table(ruleset, - rule->overload_tblname, 0)) == NULL) - error = EINVAL; - else - rule->overload_tbl->pfrkt_flags |= - PFR_TFLAG_ACTIVE; - } - -#ifdef __FreeBSD__ - pf_mv_pool(&V_pf_pabuf, &rule->rpool.list); -#else - pf_mv_pool(&pf_pabuf, &rule->rpool.list); -#endif - if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) || - (rule->action == PF_BINAT)) && rule->anchor == NULL) || - (rule->rt > PF_FASTROUTE)) && - (TAILQ_FIRST(&rule->rpool.list) == NULL)) - error = EINVAL; - - if (error) { - pf_rm_rule(NULL, rule); - break; - } - -#ifdef __FreeBSD__ - if (!V_debug_pfugidhack && (rule->uid.op || rule->gid.op || - rule->log & PF_LOG_SOCKET_LOOKUP)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: debug.pfugidhack enabled\n")); - V_debug_pfugidhack = 1; - } -#endif - rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list); - rule->evaluations = rule->packets[0] = rule->packets[1] = - rule->bytes[0] = rule->bytes[1] = 0; - TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, - rule, entries); - ruleset->rules[rs_num].inactive.rcount++; - break; - } - - case DIOCGETRULES: { - struct pfioc_rule *pr = (struct pfioc_rule *)addr; - struct pf_ruleset *ruleset; - struct pf_rule *tail; - int rs_num; - - pr->anchor[sizeof(pr->anchor) - 1] = 0; - ruleset = pf_find_ruleset(pr->anchor); - if (ruleset == NULL) { - error = EINVAL; - break; - } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } - tail = TAILQ_LAST(ruleset->rules[rs_num].active.ptr, - pf_rulequeue); - if (tail) - pr->nr = tail->nr + 1; - else - pr->nr = 0; - pr->ticket = ruleset->rules[rs_num].active.ticket; - break; - } - - case DIOCGETRULE: { - struct pfioc_rule *pr = (struct pfioc_rule *)addr; - struct pf_ruleset *ruleset; - struct pf_rule *rule; - int rs_num, i; - - pr->anchor[sizeof(pr->anchor) - 1] = 0; - ruleset = pf_find_ruleset(pr->anchor); - if (ruleset == NULL) { - error = EINVAL; - break; - } - rs_num = pf_get_ruleset_number(pr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } - if (pr->ticket != ruleset->rules[rs_num].active.ticket) { - error = EBUSY; - break; - } - rule = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr); - while ((rule != NULL) && (rule->nr != pr->nr)) - rule = TAILQ_NEXT(rule, entries); - if (rule == NULL) { - error = EBUSY; - break; - } - bcopy(rule, &pr->rule, sizeof(struct pf_rule)); - if (pf_anchor_copyout(ruleset, rule, pr)) { - error = EBUSY; - break; - } - pf_addr_copyout(&pr->rule.src.addr); - pf_addr_copyout(&pr->rule.dst.addr); - for (i = 0; i < PF_SKIP_COUNT; ++i) - if (rule->skip[i].ptr == NULL) - pr->rule.skip[i].nr = -1; - else - pr->rule.skip[i].nr = - rule->skip[i].ptr->nr; - - if (pr->action == PF_GET_CLR_CNTR) { - rule->evaluations = 0; - rule->packets[0] = rule->packets[1] = 0; - rule->bytes[0] = rule->bytes[1] = 0; - rule->states_tot = 0; - } - break; - } - - case DIOCCHANGERULE: { - struct pfioc_rule *pcr = (struct pfioc_rule *)addr; - struct pf_ruleset *ruleset; - struct pf_rule *oldrule = NULL, *newrule = NULL; - u_int32_t nr = 0; - int rs_num; - - if (!(pcr->action == PF_CHANGE_REMOVE || - pcr->action == PF_CHANGE_GET_TICKET) && -#ifdef __FreeBSD__ - pcr->pool_ticket != V_ticket_pabuf) { -#else - pcr->pool_ticket != ticket_pabuf) { -#endif - error = EBUSY; - break; - } - - if (pcr->action < PF_CHANGE_ADD_HEAD || - pcr->action > PF_CHANGE_GET_TICKET) { - error = EINVAL; - break; - } - ruleset = pf_find_ruleset(pcr->anchor); - if (ruleset == NULL) { - error = EINVAL; - break; - } - rs_num = pf_get_ruleset_number(pcr->rule.action); - if (rs_num >= PF_RULESET_MAX) { - error = EINVAL; - break; - } - - if (pcr->action == PF_CHANGE_GET_TICKET) { - pcr->ticket = ++ruleset->rules[rs_num].active.ticket; - break; - } else { - if (pcr->ticket != - ruleset->rules[rs_num].active.ticket) { - error = EINVAL; - break; - } - if (pcr->rule.return_icmp >> 8 > ICMP_MAXTYPE) { - error = EINVAL; - break; - } - } - - if (pcr->action != PF_CHANGE_REMOVE) { -#ifdef __FreeBSD__ - newrule = pool_get(&V_pf_rule_pl, PR_NOWAIT); -#else - newrule = pool_get(&pf_rule_pl, PR_WAITOK|PR_LIMITFAIL); -#endif - if (newrule == NULL) { - error = ENOMEM; - break; - } - bcopy(&pcr->rule, newrule, sizeof(struct pf_rule)); -#ifdef __FreeBSD__ - newrule->cuid = td->td_ucred->cr_ruid; - newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0; -#else - newrule->cuid = p->p_cred->p_ruid; - newrule->cpid = p->p_pid; -#endif - TAILQ_INIT(&newrule->rpool.list); - /* initialize refcounting */ - newrule->states_cur = 0; - newrule->entries.tqe_prev = NULL; -#ifndef INET - if (newrule->af == AF_INET) { -#ifdef __FreeBSD__ - pool_put(&V_pf_rule_pl, newrule); -#else - pool_put(&pf_rule_pl, newrule); -#endif - error = EAFNOSUPPORT; - break; - } -#endif /* INET */ -#ifndef INET6 - if (newrule->af == AF_INET6) { -#ifdef __FreeBSD__ - pool_put(&V_pf_rule_pl, newrule); -#else - pool_put(&pf_rule_pl, newrule); -#endif - error = EAFNOSUPPORT; - break; - } -#endif /* INET6 */ - if (newrule->ifname[0]) { - newrule->kif = pfi_kif_get(newrule->ifname); - if (newrule->kif == NULL) { -#ifdef __FreeBSD__ - pool_put(&V_pf_rule_pl, newrule); -#else - pool_put(&pf_rule_pl, newrule); -#endif - error = EINVAL; - break; - } - pfi_kif_ref(newrule->kif, PFI_KIF_REF_RULE); - } else - newrule->kif = NULL; - - if (newrule->rtableid > 0 && -#ifdef __FreeBSD__ /* ROUTING */ - newrule->rtableid >= rt_numfibs) -#else - !rtable_exists(newrule->rtableid)) -#endif - error = EBUSY; - -#ifdef ALTQ - /* set queue IDs */ - if (newrule->qname[0] != 0) { - if ((newrule->qid = - pf_qname2qid(newrule->qname)) == 0) - error = EBUSY; - else if (newrule->pqname[0] != 0) { - if ((newrule->pqid = - pf_qname2qid(newrule->pqname)) == 0) - error = EBUSY; - } else - newrule->pqid = newrule->qid; - } -#endif /* ALTQ */ - if (newrule->tagname[0]) - if ((newrule->tag = - pf_tagname2tag(newrule->tagname)) == 0) - error = EBUSY; - if (newrule->match_tagname[0]) - if ((newrule->match_tag = pf_tagname2tag( - newrule->match_tagname)) == 0) - error = EBUSY; - if (newrule->rt && !newrule->direction) - error = EINVAL; -#if NPFLOG > 0 - if (!newrule->log) - newrule->logif = 0; - if (newrule->logif >= PFLOGIFS_MAX) - error = EINVAL; -#endif - if (pf_rtlabel_add(&newrule->src.addr) || - pf_rtlabel_add(&newrule->dst.addr)) - error = EBUSY; - if (pf_addr_setup(ruleset, &newrule->src.addr, newrule->af)) - error = EINVAL; - if (pf_addr_setup(ruleset, &newrule->dst.addr, newrule->af)) - error = EINVAL; - if (pf_anchor_setup(newrule, ruleset, pcr->anchor_call)) - error = EINVAL; -#ifdef __FreeBSD__ - TAILQ_FOREACH(pa, &V_pf_pabuf, entries) -#else - TAILQ_FOREACH(pa, &pf_pabuf, entries) -#endif - if (pf_tbladdr_setup(ruleset, &pa->addr)) - error = EINVAL; - - if (newrule->overload_tblname[0]) { - if ((newrule->overload_tbl = pfr_attach_table( - ruleset, newrule->overload_tblname, 0)) == - NULL) - error = EINVAL; - else - newrule->overload_tbl->pfrkt_flags |= - PFR_TFLAG_ACTIVE; - } - -#ifdef __FreeBSD__ - pf_mv_pool(&V_pf_pabuf, &newrule->rpool.list); -#else - pf_mv_pool(&pf_pabuf, &newrule->rpool.list); -#endif - if (((((newrule->action == PF_NAT) || - (newrule->action == PF_RDR) || - (newrule->action == PF_BINAT) || - (newrule->rt > PF_FASTROUTE)) && - !newrule->anchor)) && - (TAILQ_FIRST(&newrule->rpool.list) == NULL)) - error = EINVAL; - - if (error) { - pf_rm_rule(NULL, newrule); - break; - } - -#ifdef __FreeBSD__ - if (!V_debug_pfugidhack && (newrule->uid.op || - newrule->gid.op || - newrule->log & PF_LOG_SOCKET_LOOKUP)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: debug.pfugidhack enabled\n")); - V_debug_pfugidhack = 1; - } -#endif - - newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list); - newrule->evaluations = 0; - newrule->packets[0] = newrule->packets[1] = 0; - newrule->bytes[0] = newrule->bytes[1] = 0; - } -#ifdef __FreeBSD__ - pf_empty_pool(&V_pf_pabuf); -#else - pf_empty_pool(&pf_pabuf); -#endif - - if (pcr->action == PF_CHANGE_ADD_HEAD) - oldrule = TAILQ_FIRST( - ruleset->rules[rs_num].active.ptr); - else if (pcr->action == PF_CHANGE_ADD_TAIL) - oldrule = TAILQ_LAST( - ruleset->rules[rs_num].active.ptr, pf_rulequeue); - else { - oldrule = TAILQ_FIRST( - ruleset->rules[rs_num].active.ptr); - while ((oldrule != NULL) && (oldrule->nr != pcr->nr)) - oldrule = TAILQ_NEXT(oldrule, entries); - if (oldrule == NULL) { - if (newrule != NULL) - pf_rm_rule(NULL, newrule); - error = EINVAL; - break; - } - } - - if (pcr->action == PF_CHANGE_REMOVE) { - pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule); - ruleset->rules[rs_num].active.rcount--; - } else { - if (oldrule == NULL) - TAILQ_INSERT_TAIL( - ruleset->rules[rs_num].active.ptr, - newrule, entries); - else if (pcr->action == PF_CHANGE_ADD_HEAD || - pcr->action == PF_CHANGE_ADD_BEFORE) - TAILQ_INSERT_BEFORE(oldrule, newrule, entries); - else - TAILQ_INSERT_AFTER( - ruleset->rules[rs_num].active.ptr, - oldrule, newrule, entries); - ruleset->rules[rs_num].active.rcount++; - } - - nr = 0; - TAILQ_FOREACH(oldrule, - ruleset->rules[rs_num].active.ptr, entries) - oldrule->nr = nr++; - - ruleset->rules[rs_num].active.ticket++; - - pf_calc_skip_steps(ruleset->rules[rs_num].active.ptr); - pf_remove_if_empty_ruleset(ruleset); - - break; - } - - case DIOCCLRSTATES: { - struct pf_state *s, *nexts; - struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr; - u_int killed = 0; - -#ifdef __FreeBSD__ - for (s = RB_MIN(pf_state_tree_id, &V_tree_id); s; s = nexts) { - nexts = RB_NEXT(pf_state_tree_id, &V_tree_id, s); -#else - for (s = RB_MIN(pf_state_tree_id, &tree_id); s; s = nexts) { - nexts = RB_NEXT(pf_state_tree_id, &tree_id, s); -#endif - - if (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname, - s->kif->pfik_name)) { -#if NPFSYNC > 0 - /* don't send out individual delete messages */ - SET(s->state_flags, PFSTATE_NOSYNC); -#endif - pf_unlink_state(s); - killed++; - } - } - psk->psk_killed = killed; -#if NPFSYNC > 0 -#ifdef __FreeBSD__ - if (pfsync_clear_states_ptr != NULL) - pfsync_clear_states_ptr(V_pf_status.hostid, psk->psk_ifname); -#else - pfsync_clear_states(pf_status.hostid, psk->psk_ifname); -#endif -#endif - break; - } - - case DIOCKILLSTATES: { - struct pf_state *s, *nexts; - struct pf_state_key *sk; - struct pf_addr *srcaddr, *dstaddr; - u_int16_t srcport, dstport; - struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr; - u_int killed = 0; - - if (psk->psk_pfcmp.id) { - if (psk->psk_pfcmp.creatorid == 0) -#ifdef __FreeBSD__ - psk->psk_pfcmp.creatorid = V_pf_status.hostid; -#else - psk->psk_pfcmp.creatorid = pf_status.hostid; -#endif - if ((s = pf_find_state_byid(&psk->psk_pfcmp))) { - pf_unlink_state(s); - psk->psk_killed = 1; - } - break; - } - -#ifdef __FreeBSD__ - for (s = RB_MIN(pf_state_tree_id, &V_tree_id); s; - s = nexts) { - nexts = RB_NEXT(pf_state_tree_id, &V_tree_id, s); -#else - for (s = RB_MIN(pf_state_tree_id, &tree_id); s; - s = nexts) { - nexts = RB_NEXT(pf_state_tree_id, &tree_id, s); -#endif - sk = s->key[PF_SK_WIRE]; - - if (s->direction == PF_OUT) { - srcaddr = &sk->addr[1]; - dstaddr = &sk->addr[0]; - srcport = sk->port[0]; - dstport = sk->port[0]; - } else { - srcaddr = &sk->addr[0]; - dstaddr = &sk->addr[1]; - srcport = sk->port[0]; - dstport = sk->port[0]; - } - if ((!psk->psk_af || sk->af == psk->psk_af) - && (!psk->psk_proto || psk->psk_proto == - sk->proto) && - PF_MATCHA(psk->psk_src.neg, - &psk->psk_src.addr.v.a.addr, - &psk->psk_src.addr.v.a.mask, - srcaddr, sk->af) && - PF_MATCHA(psk->psk_dst.neg, - &psk->psk_dst.addr.v.a.addr, - &psk->psk_dst.addr.v.a.mask, - dstaddr, sk->af) && - (psk->psk_src.port_op == 0 || - pf_match_port(psk->psk_src.port_op, - psk->psk_src.port[0], psk->psk_src.port[1], - srcport)) && - (psk->psk_dst.port_op == 0 || - pf_match_port(psk->psk_dst.port_op, - psk->psk_dst.port[0], psk->psk_dst.port[1], - dstport)) && - (!psk->psk_label[0] || (s->rule.ptr->label[0] && - !strcmp(psk->psk_label, s->rule.ptr->label))) && - (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname, - s->kif->pfik_name))) { - pf_unlink_state(s); - killed++; - } - } - psk->psk_killed = killed; - break; - } - - case DIOCADDSTATE: { - struct pfioc_state *ps = (struct pfioc_state *)addr; - struct pfsync_state *sp = &ps->state; - - if (sp->timeout >= PFTM_MAX && - sp->timeout != PFTM_UNTIL_PACKET) { - error = EINVAL; - break; - } -#ifdef __FreeBSD__ - if (pfsync_state_import_ptr != NULL) - error = pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL); -#else - error = pfsync_state_import(sp, PFSYNC_SI_IOCTL); -#endif - break; - } - - case DIOCGETSTATE: { - struct pfioc_state *ps = (struct pfioc_state *)addr; - struct pf_state *s; - struct pf_state_cmp id_key; - - bcopy(ps->state.id, &id_key.id, sizeof(id_key.id)); - id_key.creatorid = ps->state.creatorid; - - s = pf_find_state_byid(&id_key); - if (s == NULL) { - error = ENOENT; - break; - } - - pfsync_state_export(&ps->state, s); - break; - } - - case DIOCGETSTATES: { - struct pfioc_states *ps = (struct pfioc_states *)addr; - struct pf_state *state; - struct pfsync_state *p, *pstore; - u_int32_t nr = 0; - - if (ps->ps_len == 0) { -#ifdef __FreeBSD__ - nr = V_pf_status.states; -#else - nr = pf_status.states; -#endif - ps->ps_len = sizeof(struct pfsync_state) * nr; - break; - } - -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - pstore = malloc(sizeof(*pstore), M_TEMP, M_WAITOK); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - - p = ps->ps_states; - -#ifdef __FreeBSD__ - state = TAILQ_FIRST(&V_state_list); -#else - state = TAILQ_FIRST(&state_list); -#endif - while (state) { - if (state->timeout != PFTM_UNLINKED) { - if ((nr+1) * sizeof(*p) > (unsigned)ps->ps_len) - break; - pfsync_state_export(pstore, state); -#ifdef __FreeBSD__ - PF_COPYOUT(pstore, p, sizeof(*p), error); -#else - error = copyout(pstore, p, sizeof(*p)); -#endif - if (error) { - free(pstore, M_TEMP); - goto fail; - } - p++; - nr++; - } - state = TAILQ_NEXT(state, entry_list); - } - - ps->ps_len = sizeof(struct pfsync_state) * nr; - - free(pstore, M_TEMP); - break; - } - - case DIOCGETSTATUS: { - struct pf_status *s = (struct pf_status *)addr; -#ifdef __FreeBSD__ - bcopy(&V_pf_status, s, sizeof(struct pf_status)); -#else - bcopy(&pf_status, s, sizeof(struct pf_status)); -#endif - pfi_update_status(s->ifname, s); - break; - } - - case DIOCSETSTATUSIF: { - struct pfioc_if *pi = (struct pfioc_if *)addr; - - if (pi->ifname[0] == 0) { -#ifdef __FreeBSD__ - bzero(V_pf_status.ifname, IFNAMSIZ); -#else - bzero(pf_status.ifname, IFNAMSIZ); -#endif - break; - } -#ifdef __FreeBSD__ - strlcpy(V_pf_status.ifname, pi->ifname, IFNAMSIZ); -#else - strlcpy(pf_status.ifname, pi->ifname, IFNAMSIZ); -#endif - break; - } - - case DIOCCLRSTATUS: { -#ifdef __FreeBSD__ - bzero(V_pf_status.counters, sizeof(V_pf_status.counters)); - bzero(V_pf_status.fcounters, sizeof(V_pf_status.fcounters)); - bzero(V_pf_status.scounters, sizeof(V_pf_status.scounters)); - V_pf_status.since = time_second; - if (*V_pf_status.ifname) - pfi_update_status(V_pf_status.ifname, NULL); -#else - bzero(pf_status.counters, sizeof(pf_status.counters)); - bzero(pf_status.fcounters, sizeof(pf_status.fcounters)); - bzero(pf_status.scounters, sizeof(pf_status.scounters)); - pf_status.since = time_second; - if (*pf_status.ifname) - pfi_update_status(pf_status.ifname, NULL); -#endif - break; - } - - case DIOCNATLOOK: { - struct pfioc_natlook *pnl = (struct pfioc_natlook *)addr; - struct pf_state_key *sk; - struct pf_state *state; - struct pf_state_key_cmp key; - int m = 0, direction = pnl->direction; - int sidx, didx; - - /* NATLOOK src and dst are reversed, so reverse sidx/didx */ - sidx = (direction == PF_IN) ? 1 : 0; - didx = (direction == PF_IN) ? 0 : 1; - - if (!pnl->proto || - PF_AZERO(&pnl->saddr, pnl->af) || - PF_AZERO(&pnl->daddr, pnl->af) || - ((pnl->proto == IPPROTO_TCP || - pnl->proto == IPPROTO_UDP) && - (!pnl->dport || !pnl->sport))) - error = EINVAL; - else { - key.af = pnl->af; - key.proto = pnl->proto; - PF_ACPY(&key.addr[sidx], &pnl->saddr, pnl->af); - key.port[sidx] = pnl->sport; - PF_ACPY(&key.addr[didx], &pnl->daddr, pnl->af); - key.port[didx] = pnl->dport; - - state = pf_find_state_all(&key, direction, &m); - - if (m > 1) - error = E2BIG; /* more than one state */ - else if (state != NULL) { - sk = state->key[sidx]; - PF_ACPY(&pnl->rsaddr, &sk->addr[sidx], sk->af); - pnl->rsport = sk->port[sidx]; - PF_ACPY(&pnl->rdaddr, &sk->addr[didx], sk->af); - pnl->rdport = sk->port[didx]; - } else - error = ENOENT; - } - break; - } - - case DIOCSETTIMEOUT: { - struct pfioc_tm *pt = (struct pfioc_tm *)addr; - int old; - - if (pt->timeout < 0 || pt->timeout >= PFTM_MAX || - pt->seconds < 0) { - error = EINVAL; - goto fail; - } -#ifdef __FreeBSD__ - old = V_pf_default_rule.timeout[pt->timeout]; -#else - old = pf_default_rule.timeout[pt->timeout]; -#endif - if (pt->timeout == PFTM_INTERVAL && pt->seconds == 0) - pt->seconds = 1; -#ifdef __FreeBSD__ - V_pf_default_rule.timeout[pt->timeout] = pt->seconds; -#else - pf_default_rule.timeout[pt->timeout] = pt->seconds; -#endif - if (pt->timeout == PFTM_INTERVAL && pt->seconds < old) - wakeup(pf_purge_thread); - pt->seconds = old; - break; - } - - case DIOCGETTIMEOUT: { - struct pfioc_tm *pt = (struct pfioc_tm *)addr; - - if (pt->timeout < 0 || pt->timeout >= PFTM_MAX) { - error = EINVAL; - goto fail; - } -#ifdef __FreeBSD__ - pt->seconds = V_pf_default_rule.timeout[pt->timeout]; -#else - pt->seconds = pf_default_rule.timeout[pt->timeout]; -#endif - break; - } - - case DIOCGETLIMIT: { - struct pfioc_limit *pl = (struct pfioc_limit *)addr; - - if (pl->index < 0 || pl->index >= PF_LIMIT_MAX) { - error = EINVAL; - goto fail; - } -#ifdef __FreeBSD__ - pl->limit = V_pf_pool_limits[pl->index].limit; -#else - pl->limit = pf_pool_limits[pl->index].limit; -#endif - break; - } - - case DIOCSETLIMIT: { - struct pfioc_limit *pl = (struct pfioc_limit *)addr; - int old_limit; - - if (pl->index < 0 || pl->index >= PF_LIMIT_MAX || -#ifdef __FreeBSD__ - V_pf_pool_limits[pl->index].pp == NULL) { -#else - pf_pool_limits[pl->index].pp == NULL) { -#endif - error = EINVAL; - goto fail; - } -#ifdef __FreeBSD__ - uma_zone_set_max(V_pf_pool_limits[pl->index].pp, pl->limit); - old_limit = V_pf_pool_limits[pl->index].limit; - V_pf_pool_limits[pl->index].limit = pl->limit; - pl->limit = old_limit; -#else - if (pool_sethardlimit(pf_pool_limits[pl->index].pp, - pl->limit, NULL, 0) != 0) { - error = EBUSY; - goto fail; - } - old_limit = pf_pool_limits[pl->index].limit; - pf_pool_limits[pl->index].limit = pl->limit; - pl->limit = old_limit; -#endif - break; - } - - case DIOCSETDEBUG: { - u_int32_t *level = (u_int32_t *)addr; - -#ifdef __FreeBSD__ - V_pf_status.debug = *level; -#else - pf_status.debug = *level; -#endif - break; - } - - case DIOCCLRRULECTRS: { - /* obsoleted by DIOCGETRULE with action=PF_GET_CLR_CNTR */ - struct pf_ruleset *ruleset = &pf_main_ruleset; - struct pf_rule *rule; - - TAILQ_FOREACH(rule, - ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) { - rule->evaluations = 0; - rule->packets[0] = rule->packets[1] = 0; - rule->bytes[0] = rule->bytes[1] = 0; - } - break; - } - -#ifdef __FreeBSD__ - case DIOCGIFSPEED: { - struct pf_ifspeed *psp = (struct pf_ifspeed *)addr; - struct pf_ifspeed ps; - struct ifnet *ifp; - - if (psp->ifname[0] != 0) { - /* Can we completely trust user-land? */ - strlcpy(ps.ifname, psp->ifname, IFNAMSIZ); - ifp = ifunit(ps.ifname); - if (ifp != NULL) - psp->baudrate = ifp->if_baudrate; - else - error = EINVAL; - } else - error = EINVAL; - break; - } -#endif /* __FreeBSD__ */ - -#ifdef ALTQ - case DIOCSTARTALTQ: { - struct pf_altq *altq; - - /* enable all altq interfaces on active list */ -#ifdef __FreeBSD__ - TAILQ_FOREACH(altq, V_pf_altqs_active, entries) { - if (altq->qname[0] == 0 && (altq->local_flags & - PFALTQ_FLAG_IF_REMOVED) == 0) { -#else - TAILQ_FOREACH(altq, pf_altqs_active, entries) { - if (altq->qname[0] == 0) { -#endif - error = pf_enable_altq(altq); - if (error != 0) - break; - } - } - if (error == 0) -#ifdef __FreeBSD__ - V_pf_altq_running = 1; -#else - pf_altq_running = 1; -#endif - DPFPRINTF(PF_DEBUG_MISC, ("altq: started\n")); - break; - } - - case DIOCSTOPALTQ: { - struct pf_altq *altq; - - /* disable all altq interfaces on active list */ -#ifdef __FreeBSD__ - TAILQ_FOREACH(altq, V_pf_altqs_active, entries) { - if (altq->qname[0] == 0 && (altq->local_flags & - PFALTQ_FLAG_IF_REMOVED) == 0) { -#else - TAILQ_FOREACH(altq, pf_altqs_active, entries) { - if (altq->qname[0] == 0) { -#endif - error = pf_disable_altq(altq); - if (error != 0) - break; - } - } - if (error == 0) -#ifdef __FreeBSD__ - V_pf_altq_running = 0; -#else - pf_altq_running = 0; -#endif - DPFPRINTF(PF_DEBUG_MISC, ("altq: stopped\n")); - break; - } - - case DIOCADDALTQ: { - struct pfioc_altq *pa = (struct pfioc_altq *)addr; - struct pf_altq *altq, *a; - -#ifdef __FreeBSD__ - if (pa->ticket != V_ticket_altqs_inactive) { -#else - if (pa->ticket != ticket_altqs_inactive) { -#endif - error = EBUSY; - break; - } -#ifdef __FreeBSD__ - altq = pool_get(&V_pf_altq_pl, PR_NOWAIT); -#else - altq = pool_get(&pf_altq_pl, PR_WAITOK|PR_LIMITFAIL); -#endif - if (altq == NULL) { - error = ENOMEM; - break; - } - bcopy(&pa->altq, altq, sizeof(struct pf_altq)); -#ifdef __FreeBSD__ - altq->local_flags = 0; -#endif - - /* - * if this is for a queue, find the discipline and - * copy the necessary fields - */ - if (altq->qname[0] != 0) { - if ((altq->qid = pf_qname2qid(altq->qname)) == 0) { - error = EBUSY; -#ifdef __FreeBSD__ - pool_put(&V_pf_altq_pl, altq); -#else - pool_put(&pf_altq_pl, altq); -#endif - break; - } - altq->altq_disc = NULL; -#ifdef __FreeBSD__ - TAILQ_FOREACH(a, V_pf_altqs_inactive, entries) { -#else - TAILQ_FOREACH(a, pf_altqs_inactive, entries) { -#endif - if (strncmp(a->ifname, altq->ifname, - IFNAMSIZ) == 0 && a->qname[0] == 0) { - altq->altq_disc = a->altq_disc; - break; - } - } - } - -#ifdef __FreeBSD__ - struct ifnet *ifp; - - if ((ifp = ifunit(altq->ifname)) == NULL) { - altq->local_flags |= PFALTQ_FLAG_IF_REMOVED; - } else { - PF_UNLOCK(); -#endif - error = altq_add(altq); -#ifdef __FreeBSD__ - PF_LOCK(); - } -#endif - if (error) { -#ifdef __FreeBSD__ - pool_put(&V_pf_altq_pl, altq); -#else - pool_put(&pf_altq_pl, altq); -#endif - break; - } - -#ifdef __FreeBSD__ - TAILQ_INSERT_TAIL(V_pf_altqs_inactive, altq, entries); -#else - TAILQ_INSERT_TAIL(pf_altqs_inactive, altq, entries); -#endif - bcopy(altq, &pa->altq, sizeof(struct pf_altq)); - break; - } - - case DIOCGETALTQS: { - struct pfioc_altq *pa = (struct pfioc_altq *)addr; - struct pf_altq *altq; - - pa->nr = 0; -#ifdef __FreeBSD__ - TAILQ_FOREACH(altq, V_pf_altqs_active, entries) - pa->nr++; - pa->ticket = V_ticket_altqs_active; -#else - TAILQ_FOREACH(altq, pf_altqs_active, entries) - pa->nr++; - pa->ticket = ticket_altqs_active; -#endif - break; - } - - case DIOCGETALTQ: { - struct pfioc_altq *pa = (struct pfioc_altq *)addr; - struct pf_altq *altq; - u_int32_t nr; - -#ifdef __FreeBSD__ - if (pa->ticket != V_ticket_altqs_active) { -#else - if (pa->ticket != ticket_altqs_active) { -#endif - error = EBUSY; - break; - } - nr = 0; -#ifdef __FreeBSD__ - altq = TAILQ_FIRST(V_pf_altqs_active); -#else - altq = TAILQ_FIRST(pf_altqs_active); -#endif - while ((altq != NULL) && (nr < pa->nr)) { - altq = TAILQ_NEXT(altq, entries); - nr++; - } - if (altq == NULL) { - error = EBUSY; - break; - } - bcopy(altq, &pa->altq, sizeof(struct pf_altq)); - break; - } - - case DIOCCHANGEALTQ: - /* CHANGEALTQ not supported yet! */ - error = ENODEV; - break; - - case DIOCGETQSTATS: { - struct pfioc_qstats *pq = (struct pfioc_qstats *)addr; - struct pf_altq *altq; - u_int32_t nr; - int nbytes; - -#ifdef __FreeBSD__ - if (pq->ticket != V_ticket_altqs_active) { -#else - if (pq->ticket != ticket_altqs_active) { -#endif - error = EBUSY; - break; - } - nbytes = pq->nbytes; - nr = 0; -#ifdef __FreeBSD__ - altq = TAILQ_FIRST(V_pf_altqs_active); -#else - altq = TAILQ_FIRST(pf_altqs_active); -#endif - while ((altq != NULL) && (nr < pq->nr)) { - altq = TAILQ_NEXT(altq, entries); - nr++; - } - if (altq == NULL) { - error = EBUSY; - break; - } - -#ifdef __FreeBSD__ - if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) != 0) { - error = ENXIO; - break; - } - PF_UNLOCK(); -#endif - error = altq_getqstats(altq, pq->buf, &nbytes); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - if (error == 0) { - pq->scheduler = altq->scheduler; - pq->nbytes = nbytes; - } - break; - } -#endif /* ALTQ */ - - case DIOCBEGINADDRS: { - struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr; - -#ifdef __FreeBSD__ - pf_empty_pool(&V_pf_pabuf); - pp->ticket = ++V_ticket_pabuf; -#else - pf_empty_pool(&pf_pabuf); - pp->ticket = ++ticket_pabuf; -#endif - break; - } - - case DIOCADDADDR: { - struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr; - -#ifdef __FreeBSD__ - if (pp->ticket != V_ticket_pabuf) { -#else - if (pp->ticket != ticket_pabuf) { -#endif - error = EBUSY; - break; - } -#ifndef INET - if (pp->af == AF_INET) { - error = EAFNOSUPPORT; - break; - } -#endif /* INET */ -#ifndef INET6 - if (pp->af == AF_INET6) { - error = EAFNOSUPPORT; - break; - } -#endif /* INET6 */ - if (pp->addr.addr.type != PF_ADDR_ADDRMASK && - pp->addr.addr.type != PF_ADDR_DYNIFTL && - pp->addr.addr.type != PF_ADDR_TABLE) { - error = EINVAL; - break; - } -#ifdef __FreeBSD__ - pa = pool_get(&V_pf_pooladdr_pl, PR_NOWAIT); -#else - pa = pool_get(&pf_pooladdr_pl, PR_WAITOK|PR_LIMITFAIL); -#endif - if (pa == NULL) { - error = ENOMEM; - break; - } - bcopy(&pp->addr, pa, sizeof(struct pf_pooladdr)); - if (pa->ifname[0]) { - pa->kif = pfi_kif_get(pa->ifname); - if (pa->kif == NULL) { -#ifdef __FreeBSD__ - pool_put(&V_pf_pooladdr_pl, pa); -#else - pool_put(&pf_pooladdr_pl, pa); -#endif - error = EINVAL; - break; - } - pfi_kif_ref(pa->kif, PFI_KIF_REF_RULE); - } - if (pfi_dynaddr_setup(&pa->addr, pp->af)) { - pfi_dynaddr_remove(&pa->addr); - pfi_kif_unref(pa->kif, PFI_KIF_REF_RULE); -#ifdef __FreeBSD__ - pool_put(&V_pf_pooladdr_pl, pa); -#else - pool_put(&pf_pooladdr_pl, pa); -#endif - error = EINVAL; - break; - } -#ifdef __FreeBSD__ - TAILQ_INSERT_TAIL(&V_pf_pabuf, pa, entries); -#else - TAILQ_INSERT_TAIL(&pf_pabuf, pa, entries); -#endif - break; - } - - case DIOCGETADDRS: { - struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr; - - pp->nr = 0; - pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action, - pp->r_num, 0, 1, 0); - if (pool == NULL) { - error = EBUSY; - break; - } - TAILQ_FOREACH(pa, &pool->list, entries) - pp->nr++; - break; - } - - case DIOCGETADDR: { - struct pfioc_pooladdr *pp = (struct pfioc_pooladdr *)addr; - u_int32_t nr = 0; - - pool = pf_get_pool(pp->anchor, pp->ticket, pp->r_action, - pp->r_num, 0, 1, 1); - if (pool == NULL) { - error = EBUSY; - break; - } - pa = TAILQ_FIRST(&pool->list); - while ((pa != NULL) && (nr < pp->nr)) { - pa = TAILQ_NEXT(pa, entries); - nr++; - } - if (pa == NULL) { - error = EBUSY; - break; - } - bcopy(pa, &pp->addr, sizeof(struct pf_pooladdr)); - pf_addr_copyout(&pp->addr.addr); - break; - } - - case DIOCCHANGEADDR: { - struct pfioc_pooladdr *pca = (struct pfioc_pooladdr *)addr; - struct pf_pooladdr *oldpa = NULL, *newpa = NULL; - struct pf_ruleset *ruleset; - - if (pca->action < PF_CHANGE_ADD_HEAD || - pca->action > PF_CHANGE_REMOVE) { - error = EINVAL; - break; - } - if (pca->addr.addr.type != PF_ADDR_ADDRMASK && - pca->addr.addr.type != PF_ADDR_DYNIFTL && - pca->addr.addr.type != PF_ADDR_TABLE) { - error = EINVAL; - break; - } - - ruleset = pf_find_ruleset(pca->anchor); - if (ruleset == NULL) { - error = EBUSY; - break; - } - pool = pf_get_pool(pca->anchor, pca->ticket, pca->r_action, - pca->r_num, pca->r_last, 1, 1); - if (pool == NULL) { - error = EBUSY; - break; - } - if (pca->action != PF_CHANGE_REMOVE) { -#ifdef __FreeBSD__ - newpa = pool_get(&V_pf_pooladdr_pl, - PR_NOWAIT); -#else - newpa = pool_get(&pf_pooladdr_pl, - PR_WAITOK|PR_LIMITFAIL); -#endif - if (newpa == NULL) { - error = ENOMEM; - break; - } - bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr)); -#ifndef INET - if (pca->af == AF_INET) { -#ifdef __FreeBSD__ - pool_put(&V_pf_pooladdr_pl, newpa); -#else - pool_put(&pf_pooladdr_pl, newpa); -#endif - error = EAFNOSUPPORT; - break; - } -#endif /* INET */ -#ifndef INET6 - if (pca->af == AF_INET6) { -#ifdef __FreeBSD__ - pool_put(&V_pf_pooladdr_pl, newpa); -#else - pool_put(&pf_pooladdr_pl, newpa); -#endif - error = EAFNOSUPPORT; - break; - } -#endif /* INET6 */ - if (newpa->ifname[0]) { - newpa->kif = pfi_kif_get(newpa->ifname); - if (newpa->kif == NULL) { -#ifdef __FreeBSD__ - pool_put(&V_pf_pooladdr_pl, newpa); -#else - pool_put(&pf_pooladdr_pl, newpa); -#endif - error = EINVAL; - break; - } - pfi_kif_ref(newpa->kif, PFI_KIF_REF_RULE); - } else - newpa->kif = NULL; - if (pfi_dynaddr_setup(&newpa->addr, pca->af) || - pf_tbladdr_setup(ruleset, &newpa->addr)) { - pfi_dynaddr_remove(&newpa->addr); - pfi_kif_unref(newpa->kif, PFI_KIF_REF_RULE); -#ifdef __FreeBSD__ - pool_put(&V_pf_pooladdr_pl, newpa); -#else - pool_put(&pf_pooladdr_pl, newpa); -#endif - error = EINVAL; - break; - } - } - - if (pca->action == PF_CHANGE_ADD_HEAD) - oldpa = TAILQ_FIRST(&pool->list); - else if (pca->action == PF_CHANGE_ADD_TAIL) - oldpa = TAILQ_LAST(&pool->list, pf_palist); - else { - int i = 0; - - oldpa = TAILQ_FIRST(&pool->list); - while ((oldpa != NULL) && (i < pca->nr)) { - oldpa = TAILQ_NEXT(oldpa, entries); - i++; - } - if (oldpa == NULL) { - error = EINVAL; - break; - } - } - - if (pca->action == PF_CHANGE_REMOVE) { - TAILQ_REMOVE(&pool->list, oldpa, entries); - pfi_dynaddr_remove(&oldpa->addr); - pf_tbladdr_remove(&oldpa->addr); - pfi_kif_unref(oldpa->kif, PFI_KIF_REF_RULE); -#ifdef __FreeBSD__ - pool_put(&V_pf_pooladdr_pl, oldpa); -#else - pool_put(&pf_pooladdr_pl, oldpa); -#endif - } else { - if (oldpa == NULL) - TAILQ_INSERT_TAIL(&pool->list, newpa, entries); - else if (pca->action == PF_CHANGE_ADD_HEAD || - pca->action == PF_CHANGE_ADD_BEFORE) - TAILQ_INSERT_BEFORE(oldpa, newpa, entries); - else - TAILQ_INSERT_AFTER(&pool->list, oldpa, - newpa, entries); - } - - pool->cur = TAILQ_FIRST(&pool->list); - PF_ACPY(&pool->counter, &pool->cur->addr.v.a.addr, - pca->af); - break; - } - - case DIOCGETRULESETS: { - struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr; - struct pf_ruleset *ruleset; - struct pf_anchor *anchor; - - pr->path[sizeof(pr->path) - 1] = 0; - if ((ruleset = pf_find_ruleset(pr->path)) == NULL) { - error = EINVAL; - break; - } - pr->nr = 0; - if (ruleset->anchor == NULL) { - /* XXX kludge for pf_main_ruleset */ -#ifdef __FreeBSD__ - RB_FOREACH(anchor, pf_anchor_global, &V_pf_anchors) -#else - RB_FOREACH(anchor, pf_anchor_global, &pf_anchors) -#endif - if (anchor->parent == NULL) - pr->nr++; - } else { - RB_FOREACH(anchor, pf_anchor_node, - &ruleset->anchor->children) - pr->nr++; - } - break; - } - - case DIOCGETRULESET: { - struct pfioc_ruleset *pr = (struct pfioc_ruleset *)addr; - struct pf_ruleset *ruleset; - struct pf_anchor *anchor; - u_int32_t nr = 0; - - pr->path[sizeof(pr->path) - 1] = 0; - if ((ruleset = pf_find_ruleset(pr->path)) == NULL) { - error = EINVAL; - break; - } - pr->name[0] = 0; - if (ruleset->anchor == NULL) { - /* XXX kludge for pf_main_ruleset */ -#ifdef __FreeBSD__ - RB_FOREACH(anchor, pf_anchor_global, &V_pf_anchors) -#else - RB_FOREACH(anchor, pf_anchor_global, &pf_anchors) -#endif - if (anchor->parent == NULL && nr++ == pr->nr) { - strlcpy(pr->name, anchor->name, - sizeof(pr->name)); - break; - } - } else { - RB_FOREACH(anchor, pf_anchor_node, - &ruleset->anchor->children) - if (nr++ == pr->nr) { - strlcpy(pr->name, anchor->name, - sizeof(pr->name)); - break; - } - } - if (!pr->name[0]) - error = EBUSY; - break; - } - - case DIOCRCLRTABLES: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != 0) { - error = ENODEV; - break; - } - error = pfr_clr_tables(&io->pfrio_table, &io->pfrio_ndel, - io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRADDTABLES: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_table)) { - error = ENODEV; - break; - } - error = pfr_add_tables(io->pfrio_buffer, io->pfrio_size, - &io->pfrio_nadd, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRDELTABLES: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_table)) { - error = ENODEV; - break; - } - error = pfr_del_tables(io->pfrio_buffer, io->pfrio_size, - &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRGETTABLES: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_table)) { - error = ENODEV; - break; - } - error = pfr_get_tables(&io->pfrio_table, io->pfrio_buffer, - &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRGETTSTATS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_tstats)) { - error = ENODEV; - break; - } - error = pfr_get_tstats(&io->pfrio_table, io->pfrio_buffer, - &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRCLRTSTATS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_table)) { - error = ENODEV; - break; - } - error = pfr_clr_tstats(io->pfrio_buffer, io->pfrio_size, - &io->pfrio_nzero, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRSETTFLAGS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_table)) { - error = ENODEV; - break; - } - error = pfr_set_tflags(io->pfrio_buffer, io->pfrio_size, - io->pfrio_setflag, io->pfrio_clrflag, &io->pfrio_nchange, - &io->pfrio_ndel, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRCLRADDRS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != 0) { - error = ENODEV; - break; - } - error = pfr_clr_addrs(&io->pfrio_table, &io->pfrio_ndel, - io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRADDADDRS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_addr)) { - error = ENODEV; - break; - } - error = pfr_add_addrs(&io->pfrio_table, io->pfrio_buffer, - io->pfrio_size, &io->pfrio_nadd, io->pfrio_flags | - PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRDELADDRS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_addr)) { - error = ENODEV; - break; - } - error = pfr_del_addrs(&io->pfrio_table, io->pfrio_buffer, - io->pfrio_size, &io->pfrio_ndel, io->pfrio_flags | - PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRSETADDRS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_addr)) { - error = ENODEV; - break; - } - error = pfr_set_addrs(&io->pfrio_table, io->pfrio_buffer, - io->pfrio_size, &io->pfrio_size2, &io->pfrio_nadd, - &io->pfrio_ndel, &io->pfrio_nchange, io->pfrio_flags | - PFR_FLAG_USERIOCTL, 0); - break; - } - - case DIOCRGETADDRS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_addr)) { - error = ENODEV; - break; - } - error = pfr_get_addrs(&io->pfrio_table, io->pfrio_buffer, - &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRGETASTATS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_astats)) { - error = ENODEV; - break; - } - error = pfr_get_astats(&io->pfrio_table, io->pfrio_buffer, - &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRCLRASTATS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_addr)) { - error = ENODEV; - break; - } - error = pfr_clr_astats(&io->pfrio_table, io->pfrio_buffer, - io->pfrio_size, &io->pfrio_nzero, io->pfrio_flags | - PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRTSTADDRS: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_addr)) { - error = ENODEV; - break; - } - error = pfr_tst_addrs(&io->pfrio_table, io->pfrio_buffer, - io->pfrio_size, &io->pfrio_nmatch, io->pfrio_flags | - PFR_FLAG_USERIOCTL); - break; - } - - case DIOCRINADEFINE: { - struct pfioc_table *io = (struct pfioc_table *)addr; - - if (io->pfrio_esize != sizeof(struct pfr_addr)) { - error = ENODEV; - break; - } - error = pfr_ina_define(&io->pfrio_table, io->pfrio_buffer, - io->pfrio_size, &io->pfrio_nadd, &io->pfrio_naddr, - io->pfrio_ticket, io->pfrio_flags | PFR_FLAG_USERIOCTL); - break; - } - - case DIOCOSFPADD: { - struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr; - error = pf_osfp_add(io); - break; - } - - case DIOCOSFPGET: { - struct pf_osfp_ioctl *io = (struct pf_osfp_ioctl *)addr; - error = pf_osfp_get(io); - break; - } - - case DIOCXBEGIN: { - struct pfioc_trans *io = (struct pfioc_trans *)addr; - struct pfioc_trans_e *ioe; - struct pfr_table *table; - int i; - - if (io->esize != sizeof(*ioe)) { - error = ENODEV; - goto fail; - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - ioe = malloc(sizeof(*ioe), M_TEMP, M_WAITOK); - table = malloc(sizeof(*table), M_TEMP, M_WAITOK); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < io->size; i++) { -#ifdef __FreeBSD__ - PF_COPYIN(io->array+i, ioe, sizeof(*ioe), error); - if (error) { -#else - if (copyin(io->array+i, ioe, sizeof(*ioe))) { -#endif - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EFAULT; - goto fail; - } - switch (ioe->rs_num) { -#ifdef ALTQ - case PF_RULESET_ALTQ: - if (ioe->anchor[0]) { - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EINVAL; - goto fail; - } - if ((error = pf_begin_altq(&ioe->ticket))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; - } - break; -#endif /* ALTQ */ - case PF_RULESET_TABLE: - bzero(table, sizeof(*table)); - strlcpy(table->pfrt_anchor, ioe->anchor, - sizeof(table->pfrt_anchor)); - if ((error = pfr_ina_begin(table, - &ioe->ticket, NULL, 0))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; - } - break; - default: - if ((error = pf_begin_rules(&ioe->ticket, - ioe->rs_num, ioe->anchor))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; - } - break; - } -#ifdef __FreeBSD__ - PF_COPYOUT(ioe, io->array+i, sizeof(io->array[i]), - error); - if (error) { -#else - if (copyout(ioe, io->array+i, sizeof(io->array[i]))) { -#endif - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EFAULT; - goto fail; - } - } - free(table, M_TEMP); - free(ioe, M_TEMP); - break; - } - - case DIOCXROLLBACK: { - struct pfioc_trans *io = (struct pfioc_trans *)addr; - struct pfioc_trans_e *ioe; - struct pfr_table *table; - int i; - - if (io->esize != sizeof(*ioe)) { - error = ENODEV; - goto fail; - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - ioe = malloc(sizeof(*ioe), M_TEMP, M_WAITOK); - table = malloc(sizeof(*table), M_TEMP, M_WAITOK); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - for (i = 0; i < io->size; i++) { -#ifdef __FreeBSD__ - PF_COPYIN(io->array+i, ioe, sizeof(*ioe), error); - if (error) { -#else - if (copyin(io->array+i, ioe, sizeof(*ioe))) { -#endif - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EFAULT; - goto fail; - } - switch (ioe->rs_num) { -#ifdef ALTQ - case PF_RULESET_ALTQ: - if (ioe->anchor[0]) { - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EINVAL; - goto fail; - } - if ((error = pf_rollback_altq(ioe->ticket))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; /* really bad */ - } - break; -#endif /* ALTQ */ - case PF_RULESET_TABLE: - bzero(table, sizeof(*table)); - strlcpy(table->pfrt_anchor, ioe->anchor, - sizeof(table->pfrt_anchor)); - if ((error = pfr_ina_rollback(table, - ioe->ticket, NULL, 0))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; /* really bad */ - } - break; - default: - if ((error = pf_rollback_rules(ioe->ticket, - ioe->rs_num, ioe->anchor))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; /* really bad */ - } - break; - } - } - free(table, M_TEMP); - free(ioe, M_TEMP); - break; - } - - case DIOCXCOMMIT: { - struct pfioc_trans *io = (struct pfioc_trans *)addr; - struct pfioc_trans_e *ioe; - struct pfr_table *table; - struct pf_ruleset *rs; - int i; - - if (io->esize != sizeof(*ioe)) { - error = ENODEV; - goto fail; - } -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - ioe = malloc(sizeof(*ioe), M_TEMP, M_WAITOK); - table = malloc(sizeof(*table), M_TEMP, M_WAITOK); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - /* first makes sure everything will succeed */ - for (i = 0; i < io->size; i++) { -#ifdef __FreeBSD__ - PF_COPYIN(io->array+i, ioe, sizeof(*ioe), error); - if (error) { -#else - if (copyin(io->array+i, ioe, sizeof(*ioe))) { -#endif - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EFAULT; - goto fail; - } - switch (ioe->rs_num) { -#ifdef ALTQ - case PF_RULESET_ALTQ: - if (ioe->anchor[0]) { - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EINVAL; - goto fail; - } -#ifdef __FreeBSD__ - if (!V_altqs_inactive_open || ioe->ticket != - V_ticket_altqs_inactive) { -#else - if (!altqs_inactive_open || ioe->ticket != - ticket_altqs_inactive) { -#endif - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EBUSY; - goto fail; - } - break; -#endif /* ALTQ */ - case PF_RULESET_TABLE: - rs = pf_find_ruleset(ioe->anchor); - if (rs == NULL || !rs->topen || ioe->ticket != - rs->tticket) { - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EBUSY; - goto fail; - } - break; - default: - if (ioe->rs_num < 0 || ioe->rs_num >= - PF_RULESET_MAX) { - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EINVAL; - goto fail; - } - rs = pf_find_ruleset(ioe->anchor); - if (rs == NULL || - !rs->rules[ioe->rs_num].inactive.open || - rs->rules[ioe->rs_num].inactive.ticket != - ioe->ticket) { - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EBUSY; - goto fail; - } - break; - } - } - /* now do the commit - no errors should happen here */ - for (i = 0; i < io->size; i++) { -#ifdef __FreeBSD__ - PF_COPYIN(io->array+i, ioe, sizeof(*ioe), error); - if (error) { -#else - if (copyin(io->array+i, ioe, sizeof(*ioe))) { -#endif - free(table, M_TEMP); - free(ioe, M_TEMP); - error = EFAULT; - goto fail; - } - switch (ioe->rs_num) { -#ifdef ALTQ - case PF_RULESET_ALTQ: - if ((error = pf_commit_altq(ioe->ticket))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; /* really bad */ - } - break; -#endif /* ALTQ */ - case PF_RULESET_TABLE: - bzero(table, sizeof(*table)); - strlcpy(table->pfrt_anchor, ioe->anchor, - sizeof(table->pfrt_anchor)); - if ((error = pfr_ina_commit(table, ioe->ticket, - NULL, NULL, 0))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; /* really bad */ - } - break; - default: - if ((error = pf_commit_rules(ioe->ticket, - ioe->rs_num, ioe->anchor))) { - free(table, M_TEMP); - free(ioe, M_TEMP); - goto fail; /* really bad */ - } - break; - } - } - free(table, M_TEMP); - free(ioe, M_TEMP); - break; - } - - case DIOCGETSRCNODES: { - struct pfioc_src_nodes *psn = (struct pfioc_src_nodes *)addr; - struct pf_src_node *n, *p, *pstore; - u_int32_t nr = 0; - int space = psn->psn_len; - - if (space == 0) { -#ifdef __FreeBSD__ - RB_FOREACH(n, pf_src_tree, &V_tree_src_tracking) -#else - RB_FOREACH(n, pf_src_tree, &tree_src_tracking) -#endif - nr++; - psn->psn_len = sizeof(struct pf_src_node) * nr; - break; - } - -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - pstore = malloc(sizeof(*pstore), M_TEMP, M_WAITOK); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - p = psn->psn_src_nodes; -#ifdef __FreeBSD__ - RB_FOREACH(n, pf_src_tree, &V_tree_src_tracking) { -#else - RB_FOREACH(n, pf_src_tree, &tree_src_tracking) { -#endif - int secs = time_second, diff; - - if ((nr + 1) * sizeof(*p) > (unsigned)psn->psn_len) - break; - - bcopy(n, pstore, sizeof(*pstore)); - if (n->rule.ptr != NULL) - pstore->rule.nr = n->rule.ptr->nr; - pstore->creation = secs - pstore->creation; - if (pstore->expire > secs) - pstore->expire -= secs; - else - pstore->expire = 0; - - /* adjust the connection rate estimate */ - diff = secs - n->conn_rate.last; - if (diff >= n->conn_rate.seconds) - pstore->conn_rate.count = 0; - else - pstore->conn_rate.count -= - n->conn_rate.count * diff / - n->conn_rate.seconds; - -#ifdef __FreeBSD__ - PF_COPYOUT(pstore, p, sizeof(*p), error); -#else - error = copyout(pstore, p, sizeof(*p)); -#endif - if (error) { - free(pstore, M_TEMP); - goto fail; - } - p++; - nr++; - } - psn->psn_len = sizeof(struct pf_src_node) * nr; - - free(pstore, M_TEMP); - break; - } - - case DIOCCLRSRCNODES: { - struct pf_src_node *n; - struct pf_state *state; - -#ifdef __FreeBSD__ - RB_FOREACH(state, pf_state_tree_id, &V_tree_id) { -#else - RB_FOREACH(state, pf_state_tree_id, &tree_id) { -#endif - state->src_node = NULL; - state->nat_src_node = NULL; - } -#ifdef __FreeBSD__ - RB_FOREACH(n, pf_src_tree, &V_tree_src_tracking) { -#else - RB_FOREACH(n, pf_src_tree, &tree_src_tracking) { -#endif - n->expire = 1; - n->states = 0; - } - pf_purge_expired_src_nodes(1); -#ifdef __FreeBSD__ - V_pf_status.src_nodes = 0; -#else - pf_status.src_nodes = 0; -#endif - break; - } - - case DIOCKILLSRCNODES: { - struct pf_src_node *sn; - struct pf_state *s; - struct pfioc_src_node_kill *psnk = - (struct pfioc_src_node_kill *)addr; - u_int killed = 0; - -#ifdef __FreeBSD__ - RB_FOREACH(sn, pf_src_tree, &V_tree_src_tracking) { -#else - RB_FOREACH(sn, pf_src_tree, &tree_src_tracking) { -#endif - if (PF_MATCHA(psnk->psnk_src.neg, - &psnk->psnk_src.addr.v.a.addr, - &psnk->psnk_src.addr.v.a.mask, - &sn->addr, sn->af) && - PF_MATCHA(psnk->psnk_dst.neg, - &psnk->psnk_dst.addr.v.a.addr, - &psnk->psnk_dst.addr.v.a.mask, - &sn->raddr, sn->af)) { - /* Handle state to src_node linkage */ - if (sn->states != 0) { - RB_FOREACH(s, pf_state_tree_id, -#ifdef __FreeBSD__ - &V_tree_id) { -#else - &tree_id) { -#endif - if (s->src_node == sn) - s->src_node = NULL; - if (s->nat_src_node == sn) - s->nat_src_node = NULL; - } - sn->states = 0; - } - sn->expire = 1; - killed++; - } - } - - if (killed > 0) - pf_purge_expired_src_nodes(1); - - psnk->psnk_killed = killed; - break; - } - - case DIOCSETHOSTID: { - u_int32_t *hostid = (u_int32_t *)addr; - -#ifdef __FreeBSD__ - if (*hostid == 0) - V_pf_status.hostid = arc4random(); - else - V_pf_status.hostid = *hostid; -#else - if (*hostid == 0) - pf_status.hostid = arc4random(); - else - pf_status.hostid = *hostid; -#endif - break; - } - - case DIOCOSFPFLUSH: - pf_osfp_flush(); - break; - - case DIOCIGETIFACES: { - struct pfioc_iface *io = (struct pfioc_iface *)addr; - - if (io->pfiio_esize != sizeof(struct pfi_kif)) { - error = ENODEV; - break; - } - error = pfi_get_ifaces(io->pfiio_name, io->pfiio_buffer, - &io->pfiio_size); - break; - } - - case DIOCSETIFFLAG: { - struct pfioc_iface *io = (struct pfioc_iface *)addr; - - error = pfi_set_flags(io->pfiio_name, io->pfiio_flags); - break; - } - - case DIOCCLRIFFLAG: { - struct pfioc_iface *io = (struct pfioc_iface *)addr; - - error = pfi_clear_flags(io->pfiio_name, io->pfiio_flags); - break; - } - - default: - error = ENODEV; - break; - } -fail: -#ifdef __FreeBSD__ - PF_UNLOCK(); - - if (flags & FWRITE) - sx_xunlock(&V_pf_consistency_lock); - else - sx_sunlock(&V_pf_consistency_lock); -#else - splx(s); - if (flags & FWRITE) - rw_exit_write(&pf_consistency_lock); - else - rw_exit_read(&pf_consistency_lock); -#endif - - CURVNET_RESTORE(); - - return (error); -} - -#ifdef __FreeBSD__ -void -pfsync_state_export(struct pfsync_state *sp, struct pf_state *st) -{ - bzero(sp, sizeof(struct pfsync_state)); - - /* copy from state key */ - sp->key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0]; - sp->key[PF_SK_WIRE].addr[1] = st->key[PF_SK_WIRE]->addr[1]; - sp->key[PF_SK_WIRE].port[0] = st->key[PF_SK_WIRE]->port[0]; - sp->key[PF_SK_WIRE].port[1] = st->key[PF_SK_WIRE]->port[1]; - sp->key[PF_SK_STACK].addr[0] = st->key[PF_SK_STACK]->addr[0]; - sp->key[PF_SK_STACK].addr[1] = st->key[PF_SK_STACK]->addr[1]; - sp->key[PF_SK_STACK].port[0] = st->key[PF_SK_STACK]->port[0]; - sp->key[PF_SK_STACK].port[1] = st->key[PF_SK_STACK]->port[1]; - sp->proto = st->key[PF_SK_WIRE]->proto; - sp->af = st->key[PF_SK_WIRE]->af; - - /* copy from state */ - strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname)); - bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr)); - sp->creation = htonl(time_second - st->creation); - sp->expire = pf_state_expires(st); - if (sp->expire <= time_second) - sp->expire = htonl(0); - else - sp->expire = htonl(sp->expire - time_second); - - sp->direction = st->direction; - sp->log = st->log; - sp->timeout = st->timeout; - sp->state_flags = st->state_flags; - if (st->src_node) - sp->sync_flags |= PFSYNC_FLAG_SRCNODE; - if (st->nat_src_node) - sp->sync_flags |= PFSYNC_FLAG_NATSRCNODE; - - bcopy(&st->id, &sp->id, sizeof(sp->id)); - sp->creatorid = st->creatorid; - pf_state_peer_hton(&st->src, &sp->src); - pf_state_peer_hton(&st->dst, &sp->dst); - - if (st->rule.ptr == NULL) - sp->rule = htonl(-1); - else - sp->rule = htonl(st->rule.ptr->nr); - if (st->anchor.ptr == NULL) - sp->anchor = htonl(-1); - else - sp->anchor = htonl(st->anchor.ptr->nr); - if (st->nat_rule.ptr == NULL) - sp->nat_rule = htonl(-1); - else - sp->nat_rule = htonl(st->nat_rule.ptr->nr); - - pf_state_counter_hton(st->packets[0], sp->packets[0]); - pf_state_counter_hton(st->packets[1], sp->packets[1]); - pf_state_counter_hton(st->bytes[0], sp->bytes[0]); - pf_state_counter_hton(st->bytes[1], sp->bytes[1]); - -} - -/* - * XXX - Check for version missmatch!!! - */ -static void -pf_clear_states(void) -{ - struct pf_state *state; - -#ifdef __FreeBSD__ - RB_FOREACH(state, pf_state_tree_id, &V_tree_id) { -#else - RB_FOREACH(state, pf_state_tree_id, &tree_id) { -#endif - state->timeout = PFTM_PURGE; -#if NPFSYNC - /* don't send out individual delete messages */ - state->sync_state = PFSTATE_NOSYNC; -#endif - pf_unlink_state(state); - } - -#if 0 /* NPFSYNC */ -/* - * XXX This is called on module unload, we do not want to sync that over? */ - */ - pfsync_clear_states(V_pf_status.hostid, psk->psk_ifname); -#endif -} - -static int -pf_clear_tables(void) -{ - struct pfioc_table io; - int error; - - bzero(&io, sizeof(io)); - - error = pfr_clr_tables(&io.pfrio_table, &io.pfrio_ndel, - io.pfrio_flags); - - return (error); -} - -static void -pf_clear_srcnodes(void) -{ - struct pf_src_node *n; - struct pf_state *state; - -#ifdef __FreeBSD__ - RB_FOREACH(state, pf_state_tree_id, &V_tree_id) { -#else - RB_FOREACH(state, pf_state_tree_id, &tree_id) { -#endif - state->src_node = NULL; - state->nat_src_node = NULL; - } -#ifdef __FreeBSD__ - RB_FOREACH(n, pf_src_tree, &V_tree_src_tracking) { -#else - RB_FOREACH(n, pf_src_tree, &tree_src_tracking) { -#endif - n->expire = 1; - n->states = 0; - } -} -/* - * XXX - Check for version missmatch!!! - */ - -/* - * Duplicate pfctl -Fa operation to get rid of as much as we can. - */ -static int -shutdown_pf(void) -{ - int error = 0; - u_int32_t t[5]; - char nn = '\0'; - - V_pf_status.running = 0; - do { - if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB, &nn)) - != 0) { - DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: SCRUB\n")); - break; - } - if ((error = pf_begin_rules(&t[1], PF_RULESET_FILTER, &nn)) - != 0) { - DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: FILTER\n")); - break; /* XXX: rollback? */ - } - if ((error = pf_begin_rules(&t[2], PF_RULESET_NAT, &nn)) - != 0) { - DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: NAT\n")); - break; /* XXX: rollback? */ - } - if ((error = pf_begin_rules(&t[3], PF_RULESET_BINAT, &nn)) - != 0) { - DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: BINAT\n")); - break; /* XXX: rollback? */ - } - if ((error = pf_begin_rules(&t[4], PF_RULESET_RDR, &nn)) - != 0) { - DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: RDR\n")); - break; /* XXX: rollback? */ - } - - /* XXX: these should always succeed here */ - pf_commit_rules(t[0], PF_RULESET_SCRUB, &nn); - pf_commit_rules(t[1], PF_RULESET_FILTER, &nn); - pf_commit_rules(t[2], PF_RULESET_NAT, &nn); - pf_commit_rules(t[3], PF_RULESET_BINAT, &nn); - pf_commit_rules(t[4], PF_RULESET_RDR, &nn); - - if ((error = pf_clear_tables()) != 0) - break; - - #ifdef ALTQ - if ((error = pf_begin_altq(&t[0])) != 0) { - DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n")); - break; - } - pf_commit_altq(t[0]); - #endif - - pf_clear_states(); - - pf_clear_srcnodes(); - - /* status does not use malloced mem so no need to cleanup */ - /* fingerprints and interfaces have thier own cleanup code */ - } while(0); - - return (error); -} - -#ifdef INET -static int -pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, - struct inpcb *inp) -{ - /* - * XXX Wed Jul 9 22:03:16 2003 UTC - * OpenBSD has changed its byte ordering convention on ip_len/ip_off - * in network stack. OpenBSD's network stack have converted - * ip_len/ip_off to host byte order frist as FreeBSD. - * Now this is not true anymore , so we should convert back to network - * byte order. - */ - struct ip *h = NULL; - int chk; - - if ((*m)->m_pkthdr.len >= (int)sizeof(struct ip)) { - /* if m_pkthdr.len is less than ip header, pf will handle. */ - h = mtod(*m, struct ip *); - HTONS(h->ip_len); - HTONS(h->ip_off); - } - CURVNET_SET(ifp->if_vnet); - chk = pf_test(PF_IN, ifp, m, NULL, inp); - CURVNET_RESTORE(); - if (chk && *m) { - m_freem(*m); - *m = NULL; - } - if (*m != NULL) { - /* pf_test can change ip header location */ - h = mtod(*m, struct ip *); - NTOHS(h->ip_len); - NTOHS(h->ip_off); - } - return chk; -} - -static int -pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, - struct inpcb *inp) -{ - /* - * XXX Wed Jul 9 22:03:16 2003 UTC - * OpenBSD has changed its byte ordering convention on ip_len/ip_off - * in network stack. OpenBSD's network stack have converted - * ip_len/ip_off to host byte order frist as FreeBSD. - * Now this is not true anymore , so we should convert back to network - * byte order. - */ - struct ip *h = NULL; - int chk; - - /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */ - if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { - in_delayed_cksum(*m); - (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; - } - if ((*m)->m_pkthdr.len >= (int)sizeof(*h)) { - /* if m_pkthdr.len is less than ip header, pf will handle. */ - h = mtod(*m, struct ip *); - HTONS(h->ip_len); - HTONS(h->ip_off); - } - CURVNET_SET(ifp->if_vnet); - chk = pf_test(PF_OUT, ifp, m, NULL, inp); - CURVNET_RESTORE(); - if (chk && *m) { - m_freem(*m); - *m = NULL; - } - if (*m != NULL) { - /* pf_test can change ip header location */ - h = mtod(*m, struct ip *); - NTOHS(h->ip_len); - NTOHS(h->ip_off); - } - return chk; -} -#endif - -#ifdef INET6 -static int -pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, - struct inpcb *inp) -{ - - /* - * IPv6 is not affected by ip_len/ip_off byte order changes. - */ - int chk; - - /* - * In case of loopback traffic IPv6 uses the real interface in - * order to support scoped addresses. In order to support stateful - * filtering we have change this to lo0 as it is the case in IPv4. - */ - CURVNET_SET(ifp->if_vnet); - chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, - NULL, inp); - CURVNET_RESTORE(); - if (chk && *m) { - m_freem(*m); - *m = NULL; - } - return chk; -} - -static int -pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, - struct inpcb *inp) -{ - /* - * IPv6 does not affected ip_len/ip_off byte order changes. - */ - int chk; - - /* We need a proper CSUM before we start (s. OpenBSD ip_output) */ - if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { -#ifdef INET - /* XXX-BZ copy&paste error from r126261? */ - in_delayed_cksum(*m); -#endif - (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; - } - CURVNET_SET(ifp->if_vnet); - chk = pf_test6(PF_OUT, ifp, m, NULL, inp); - CURVNET_RESTORE(); - if (chk && *m) { - m_freem(*m); - *m = NULL; - } - return chk; -} -#endif /* INET6 */ - -static int -hook_pf(void) -{ -#ifdef INET - struct pfil_head *pfh_inet; -#endif -#ifdef INET6 - struct pfil_head *pfh_inet6; -#endif - - PF_UNLOCK_ASSERT(); - - if (V_pf_pfil_hooked) - return (0); - -#ifdef INET - pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); - if (pfh_inet == NULL) - return (ESRCH); /* XXX */ - pfil_add_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); - pfil_add_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); -#endif -#ifdef INET6 - pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); - if (pfh_inet6 == NULL) { -#ifdef INET - pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, - pfh_inet); - pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, - pfh_inet); -#endif - return (ESRCH); /* XXX */ - } - pfil_add_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); - pfil_add_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); -#endif - - V_pf_pfil_hooked = 1; - return (0); -} - -static int -dehook_pf(void) -{ -#ifdef INET - struct pfil_head *pfh_inet; -#endif -#ifdef INET6 - struct pfil_head *pfh_inet6; -#endif - - PF_UNLOCK_ASSERT(); - - if (V_pf_pfil_hooked == 0) - return (0); - -#ifdef INET - pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); - if (pfh_inet == NULL) - return (ESRCH); /* XXX */ - pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, - pfh_inet); - pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, - pfh_inet); -#endif -#ifdef INET6 - pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); - if (pfh_inet6 == NULL) - return (ESRCH); /* XXX */ - pfil_remove_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, - pfh_inet6); - pfil_remove_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, - pfh_inet6); -#endif - - V_pf_pfil_hooked = 0; - return (0); -} - -static int -pf_load(void) -{ - VNET_ITERATOR_DECL(vnet_iter); - - VNET_LIST_RLOCK(); - VNET_FOREACH(vnet_iter) { - CURVNET_SET(vnet_iter); - V_pf_pfil_hooked = 0; - V_pf_end_threads = 0; - V_debug_pfugidhack = 0; - TAILQ_INIT(&V_pf_tags); - TAILQ_INIT(&V_pf_qids); - CURVNET_RESTORE(); - } - VNET_LIST_RUNLOCK(); - - init_pf_mutex(); - pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME); - init_zone_var(); - sx_init(&V_pf_consistency_lock, "pf_statetbl_lock"); - if (pfattach() < 0) - return (ENOMEM); - - return (0); -} - -static int -pf_unload(void) -{ - int error = 0; - - PF_LOCK(); - V_pf_status.running = 0; - PF_UNLOCK(); - m_addr_chg_pf_p = NULL; - error = dehook_pf(); - if (error) { - /* - * Should not happen! - * XXX Due to error code ESRCH, kldunload will show - * a message like 'No such process'. - */ - printf("%s : pfil unregisteration fail\n", __FUNCTION__); - return error; - } - PF_LOCK(); - shutdown_pf(); - V_pf_end_threads = 1; - while (V_pf_end_threads < 2) { - wakeup_one(pf_purge_thread); - msleep(pf_purge_thread, &pf_task_mtx, 0, "pftmo", hz); - } - pfi_cleanup(); - pf_osfp_flush(); - pf_osfp_cleanup(); - cleanup_pf_zone(); - PF_UNLOCK(); - destroy_dev(pf_dev); - destroy_pf_mutex(); - sx_destroy(&V_pf_consistency_lock); - return error; -} - -static int -pf_modevent(module_t mod, int type, void *data) -{ - int error = 0; - - switch(type) { - case MOD_LOAD: - error = pf_load(); - break; - case MOD_QUIESCE: - /* - * Module should not be unloaded due to race conditions. - */ - error = EPERM; - break; - case MOD_UNLOAD: - error = pf_unload(); - break; - default: - error = EINVAL; - break; - } - return error; -} - -static moduledata_t pf_mod = { - "pf", - pf_modevent, - 0 -}; - -DECLARE_MODULE(pf, pf_mod, SI_SUB_PSEUDO, SI_ORDER_FIRST); -MODULE_VERSION(pf, PF_MODVER); -#endif /* __FreeBSD__ */ diff --git a/sys/contrib/pf/net/pf_lb.c b/sys/contrib/pf/net/pf_lb.c deleted file mode 100644 index 4adc6f0..0000000 --- a/sys/contrib/pf/net/pf_lb.c +++ /dev/null @@ -1,793 +0,0 @@ -/* $OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $ */ - -/* - * Copyright (c) 2001 Daniel Hartmeier - * Copyright (c) 2002 - 2008 Henning Brauer - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - * Effort sponsored in part by the Defense Advanced Research Projects - * Agency (DARPA) and Air Force Research Laboratory, Air Force - * Materiel Command, USAF, under agreement number F30602-01-2-0537. - * - */ - -#ifdef __FreeBSD__ -#include "opt_inet.h" -#include "opt_inet6.h" - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); -#endif - -#ifdef __FreeBSD__ -#include "opt_bpf.h" -#include "opt_pf.h" - -#ifdef DEV_BPF -#define NBPFILTER DEV_BPF -#else -#define NBPFILTER 0 -#endif - -#ifdef DEV_PFLOG -#define NPFLOG DEV_PFLOG -#else -#define NPFLOG 0 -#endif - -#ifdef DEV_PFSYNC -#define NPFSYNC DEV_PFSYNC -#else -#define NPFSYNC 0 -#endif - -#ifdef DEV_PFLOW -#define NPFLOW DEV_PFLOW -#else -#define NPFLOW 0 -#endif - -#else -#include "bpfilter.h" -#include "pflog.h" -#include "pfsync.h" -#include "pflow.h" -#endif - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/mbuf.h> -#include <sys/filio.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#include <sys/time.h> -#ifdef __FreeBSD__ -#include <sys/sysctl.h> -#endif -#ifndef __FreeBSD__ -#include <sys/pool.h> -#endif -#include <sys/proc.h> -#ifdef __FreeBSD__ -#include <sys/kthread.h> -#include <sys/lock.h> -#include <sys/sx.h> -#else -#include <sys/rwlock.h> -#endif - -#ifdef __FreeBSD__ -#include <sys/md5.h> -#else -#include <crypto/md5.h> -#endif - -#include <net/if.h> -#include <net/if_types.h> -#include <net/bpf.h> -#include <net/route.h> -#include <net/radix_mpath.h> - -#include <netinet/in.h> -#include <netinet/in_var.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/tcp.h> -#include <netinet/tcp_seq.h> -#include <netinet/udp.h> -#include <netinet/ip_icmp.h> -#include <netinet/in_pcb.h> -#include <netinet/tcp_timer.h> -#include <netinet/tcp_var.h> -#include <netinet/udp_var.h> -#include <netinet/icmp_var.h> -#include <netinet/if_ether.h> - -#ifndef __FreeBSD__ -#include <dev/rndvar.h> -#endif -#include <net/pfvar.h> -#include <net/if_pflog.h> -#include <net/if_pflow.h> - -#if NPFSYNC > 0 -#include <net/if_pfsync.h> -#endif /* NPFSYNC > 0 */ - -#ifdef INET6 -#include <netinet/ip6.h> -#include <netinet/in_pcb.h> -#include <netinet/icmp6.h> -#include <netinet6/nd6.h> -#endif /* INET6 */ - - -#ifdef __FreeBSD__ -#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x -#else -#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x -#endif - -/* - * Global variables - */ - -void pf_hash(struct pf_addr *, struct pf_addr *, - struct pf_poolhashkey *, sa_family_t); -struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *, - int, int, struct pfi_kif *, - struct pf_addr *, u_int16_t, struct pf_addr *, - u_int16_t, int); -int pf_get_sport(sa_family_t, u_int8_t, struct pf_rule *, - struct pf_addr *, struct pf_addr *, u_int16_t, - struct pf_addr *, u_int16_t*, u_int16_t, u_int16_t, - struct pf_src_node **); - -#define mix(a,b,c) \ - do { \ - a -= b; a -= c; a ^= (c >> 13); \ - b -= c; b -= a; b ^= (a << 8); \ - c -= a; c -= b; c ^= (b >> 13); \ - a -= b; a -= c; a ^= (c >> 12); \ - b -= c; b -= a; b ^= (a << 16); \ - c -= a; c -= b; c ^= (b >> 5); \ - a -= b; a -= c; a ^= (c >> 3); \ - b -= c; b -= a; b ^= (a << 10); \ - c -= a; c -= b; c ^= (b >> 15); \ - } while (0) - -/* - * hash function based on bridge_hash in if_bridge.c - */ -void -pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, - struct pf_poolhashkey *key, sa_family_t af) -{ - u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; - - switch (af) { -#ifdef INET - case AF_INET: - a += inaddr->addr32[0]; - b += key->key32[1]; - mix(a, b, c); - hash->addr32[0] = c + key->key32[2]; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - a += inaddr->addr32[0]; - b += inaddr->addr32[2]; - mix(a, b, c); - hash->addr32[0] = c; - a += inaddr->addr32[1]; - b += inaddr->addr32[3]; - c += key->key32[1]; - mix(a, b, c); - hash->addr32[1] = c; - a += inaddr->addr32[2]; - b += inaddr->addr32[1]; - c += key->key32[2]; - mix(a, b, c); - hash->addr32[2] = c; - a += inaddr->addr32[3]; - b += inaddr->addr32[0]; - c += key->key32[3]; - mix(a, b, c); - hash->addr32[3] = c; - break; -#endif /* INET6 */ - } -} - -struct pf_rule * -pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, - int direction, struct pfi_kif *kif, struct pf_addr *saddr, u_int16_t sport, - struct pf_addr *daddr, u_int16_t dport, int rs_num) -{ - struct pf_rule *r, *rm = NULL; - struct pf_ruleset *ruleset = NULL; - int tag = -1; - int rtableid = -1; - int asd = 0; - - r = TAILQ_FIRST(pf_main_ruleset.rules[rs_num].active.ptr); - while (r && rm == NULL) { - struct pf_rule_addr *src = NULL, *dst = NULL; - struct pf_addr_wrap *xdst = NULL; - - if (r->action == PF_BINAT && direction == PF_IN) { - src = &r->dst; - if (r->rpool.cur != NULL) - xdst = &r->rpool.cur->addr; - } else { - src = &r->src; - dst = &r->dst; - } - - r->evaluations++; - if (pfi_kif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; - else if (r->direction && r->direction != direction) - r = r->skip[PF_SKIP_DIR].ptr; - else if (r->af && r->af != pd->af) - r = r->skip[PF_SKIP_AF].ptr; - else if (r->proto && r->proto != pd->proto) - r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&src->addr, saddr, pd->af, - src->neg, kif, M_GETFIB(m))) - r = r->skip[src == &r->src ? PF_SKIP_SRC_ADDR : - PF_SKIP_DST_ADDR].ptr; - else if (src->port_op && !pf_match_port(src->port_op, - src->port[0], src->port[1], sport)) - r = r->skip[src == &r->src ? PF_SKIP_SRC_PORT : - PF_SKIP_DST_PORT].ptr; - else if (dst != NULL && - PF_MISMATCHAW(&dst->addr, daddr, pd->af, dst->neg, NULL, - M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; - else if (xdst != NULL && PF_MISMATCHAW(xdst, daddr, pd->af, - 0, NULL, M_GETFIB(m))) - r = TAILQ_NEXT(r, entries); - else if (dst != NULL && dst->port_op && - !pf_match_port(dst->port_op, dst->port[0], - dst->port[1], dport)) - r = r->skip[PF_SKIP_DST_PORT].ptr; -#ifdef __FreeBSD__ - else if (r->match_tag && !pf_match_tag(m, r, &tag, pd->pf_mtag)) -#else - else if (r->match_tag && !pf_match_tag(m, r, &tag)) -#endif - r = TAILQ_NEXT(r, entries); - else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != - IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, - off, pd->hdr.tcp), r->os_fingerprint))) - r = TAILQ_NEXT(r, entries); - else { - if (r->tag) - tag = r->tag; - if (r->rtableid >= 0) - rtableid = r->rtableid; - if (r->anchor == NULL) { - rm = r; - } else - pf_step_into_anchor(&asd, &ruleset, rs_num, - &r, NULL, NULL); - } - if (r == NULL) - pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r, - NULL, NULL); - } -#ifdef __FreeBSD__ - if (pf_tag_packet(m, tag, rtableid, pd->pf_mtag)) -#else - if (pf_tag_packet(m, tag, rtableid)) -#endif - return (NULL); - if (rm != NULL && (rm->action == PF_NONAT || - rm->action == PF_NORDR || rm->action == PF_NOBINAT)) - return (NULL); - return (rm); -} - -int -pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r, - struct pf_addr *saddr, struct pf_addr *daddr, u_int16_t dport, - struct pf_addr *naddr, u_int16_t *nport, u_int16_t low, u_int16_t high, - struct pf_src_node **sn) -{ - struct pf_state_key_cmp key; - struct pf_addr init_addr; - u_int16_t cut; - - bzero(&init_addr, sizeof(init_addr)); - if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) - return (1); - - if (proto == IPPROTO_ICMP) { - low = 1; - high = 65535; - } - - do { - key.af = af; - key.proto = proto; - PF_ACPY(&key.addr[1], daddr, key.af); - PF_ACPY(&key.addr[0], naddr, key.af); - key.port[1] = dport; - - /* - * port search; start random, step; - * similar 2 portloop in in_pcbbind - */ - if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP || - proto == IPPROTO_ICMP)) { - key.port[0] = dport; - if (pf_find_state_all(&key, PF_IN, NULL) == NULL) - return (0); - } else if (low == 0 && high == 0) { - key.port[0] = *nport; - if (pf_find_state_all(&key, PF_IN, NULL) == NULL) - return (0); - } else if (low == high) { - key.port[0] = htons(low); - if (pf_find_state_all(&key, PF_IN, NULL) == NULL) { - *nport = htons(low); - return (0); - } - } else { - u_int16_t tmp; - - if (low > high) { - tmp = low; - low = high; - high = tmp; - } - /* low < high */ -#ifdef __FreeBSD__ - cut = htonl(arc4random()) % (1 + high - low) + low; -#else - cut = arc4random_uniform(1 + high - low) + low; -#endif - /* low <= cut <= high */ - for (tmp = cut; tmp <= high; ++(tmp)) { - key.port[0] = htons(tmp); - if (pf_find_state_all(&key, PF_IN, NULL) == -#ifdef __FreeBSD__ - NULL) { -#else - NULL && !in_baddynamic(tmp, proto)) { -#endif - *nport = htons(tmp); - return (0); - } - } - for (tmp = cut - 1; tmp >= low; --(tmp)) { - key.port[0] = htons(tmp); - if (pf_find_state_all(&key, PF_IN, NULL) == -#ifdef __FreeBSD__ - NULL) { -#else - NULL && !in_baddynamic(tmp, proto)) { -#endif - *nport = htons(tmp); - return (0); - } - } - } - - switch (r->rpool.opts & PF_POOL_TYPEMASK) { - case PF_POOL_RANDOM: - case PF_POOL_ROUNDROBIN: - if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) - return (1); - break; - case PF_POOL_NONE: - case PF_POOL_SRCHASH: - case PF_POOL_BITMASK: - default: - return (1); - } - } while (! PF_AEQ(&init_addr, naddr, af) ); - return (1); /* none available */ -} - -int -pf_map_addr(sa_family_t af, struct pf_rule *r, struct pf_addr *saddr, - struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_src_node **sn) -{ - unsigned char hash[16]; - struct pf_pool *rpool = &r->rpool; - struct pf_addr *raddr = &rpool->cur->addr.v.a.addr; - struct pf_addr *rmask = &rpool->cur->addr.v.a.mask; - struct pf_pooladdr *acur = rpool->cur; - struct pf_src_node k; - - if (*sn == NULL && r->rpool.opts & PF_POOL_STICKYADDR && - (r->rpool.opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { - k.af = af; - PF_ACPY(&k.addr, saddr, af); - if (r->rule_flag & PFRULE_RULESRCTRACK || - r->rpool.opts & PF_POOL_STICKYADDR) - k.rule.ptr = r; - else - k.rule.ptr = NULL; -#ifdef __FreeBSD__ - V_pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; - *sn = RB_FIND(pf_src_tree, &V_tree_src_tracking, &k); -#else - pf_status.scounters[SCNT_SRC_NODE_SEARCH]++; - *sn = RB_FIND(pf_src_tree, &tree_src_tracking, &k); -#endif - if (*sn != NULL && !PF_AZERO(&(*sn)->raddr, af)) { - PF_ACPY(naddr, &(*sn)->raddr, af); -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - printf("pf_map_addr: src tracking maps "); - pf_print_host(&k.addr, 0, af); - printf(" to "); - pf_print_host(naddr, 0, af); - printf("\n"); - } - return (0); - } - } - - if (rpool->cur->addr.type == PF_ADDR_NOROUTE) - return (1); - if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { - switch (af) { -#ifdef INET - case AF_INET: - if (rpool->cur->addr.p.dyn->pfid_acnt4 < 1 && - (rpool->opts & PF_POOL_TYPEMASK) != - PF_POOL_ROUNDROBIN) - return (1); - raddr = &rpool->cur->addr.p.dyn->pfid_addr4; - rmask = &rpool->cur->addr.p.dyn->pfid_mask4; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (rpool->cur->addr.p.dyn->pfid_acnt6 < 1 && - (rpool->opts & PF_POOL_TYPEMASK) != - PF_POOL_ROUNDROBIN) - return (1); - raddr = &rpool->cur->addr.p.dyn->pfid_addr6; - rmask = &rpool->cur->addr.p.dyn->pfid_mask6; - break; -#endif /* INET6 */ - } - } else if (rpool->cur->addr.type == PF_ADDR_TABLE) { - if ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN) - return (1); /* unsupported */ - } else { - raddr = &rpool->cur->addr.v.a.addr; - rmask = &rpool->cur->addr.v.a.mask; - } - - switch (rpool->opts & PF_POOL_TYPEMASK) { - case PF_POOL_NONE: - PF_ACPY(naddr, raddr, af); - break; - case PF_POOL_BITMASK: - PF_POOLMASK(naddr, raddr, rmask, saddr, af); - break; - case PF_POOL_RANDOM: - if (init_addr != NULL && PF_AZERO(init_addr, af)) { - switch (af) { -#ifdef INET - case AF_INET: - rpool->counter.addr32[0] = htonl(arc4random()); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (rmask->addr32[3] != 0xffffffff) - rpool->counter.addr32[3] = - htonl(arc4random()); - else - break; - if (rmask->addr32[2] != 0xffffffff) - rpool->counter.addr32[2] = - htonl(arc4random()); - else - break; - if (rmask->addr32[1] != 0xffffffff) - rpool->counter.addr32[1] = - htonl(arc4random()); - else - break; - if (rmask->addr32[0] != 0xffffffff) - rpool->counter.addr32[0] = - htonl(arc4random()); - break; -#endif /* INET6 */ - } - PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); - PF_ACPY(init_addr, naddr, af); - - } else { - PF_AINC(&rpool->counter, af); - PF_POOLMASK(naddr, raddr, rmask, &rpool->counter, af); - } - break; - case PF_POOL_SRCHASH: - pf_hash(saddr, (struct pf_addr *)&hash, &rpool->key, af); - PF_POOLMASK(naddr, raddr, rmask, (struct pf_addr *)&hash, af); - break; - case PF_POOL_ROUNDROBIN: - if (rpool->cur->addr.type == PF_ADDR_TABLE) { - if (!pfr_pool_get(rpool->cur->addr.p.tbl, - &rpool->tblidx, &rpool->counter, - &raddr, &rmask, af)) - goto get_addr; - } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { - if (!pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, - &rpool->tblidx, &rpool->counter, - &raddr, &rmask, af)) - goto get_addr; - } else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af)) - goto get_addr; - - try_next: - if ((rpool->cur = TAILQ_NEXT(rpool->cur, entries)) == NULL) - rpool->cur = TAILQ_FIRST(&rpool->list); - if (rpool->cur->addr.type == PF_ADDR_TABLE) { - rpool->tblidx = -1; - if (pfr_pool_get(rpool->cur->addr.p.tbl, - &rpool->tblidx, &rpool->counter, - &raddr, &rmask, af)) { - /* table contains no address of type 'af' */ - if (rpool->cur != acur) - goto try_next; - return (1); - } - } else if (rpool->cur->addr.type == PF_ADDR_DYNIFTL) { - rpool->tblidx = -1; - if (pfr_pool_get(rpool->cur->addr.p.dyn->pfid_kt, - &rpool->tblidx, &rpool->counter, - &raddr, &rmask, af)) { - /* table contains no address of type 'af' */ - if (rpool->cur != acur) - goto try_next; - return (1); - } - } else { - raddr = &rpool->cur->addr.v.a.addr; - rmask = &rpool->cur->addr.v.a.mask; - PF_ACPY(&rpool->counter, raddr, af); - } - - get_addr: - PF_ACPY(naddr, &rpool->counter, af); - if (init_addr != NULL && PF_AZERO(init_addr, af)) - PF_ACPY(init_addr, naddr, af); - PF_AINC(&rpool->counter, af); - break; - } - if (*sn != NULL) - PF_ACPY(&(*sn)->raddr, naddr, af); - -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC && -#else - if (pf_status.debug >= PF_DEBUG_MISC && -#endif - (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { - printf("pf_map_addr: selected address "); - pf_print_host(naddr, 0, af); - printf("\n"); - } - - return (0); -} - -struct pf_rule * -pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, - struct pfi_kif *kif, struct pf_src_node **sn, - struct pf_state_key **skw, struct pf_state_key **sks, - struct pf_state_key **skp, struct pf_state_key **nkp, - struct pf_addr *saddr, struct pf_addr *daddr, - u_int16_t sport, u_int16_t dport) -{ - struct pf_rule *r = NULL; - - - if (direction == PF_OUT) { - r = pf_match_translation(pd, m, off, direction, kif, saddr, - sport, daddr, dport, PF_RULESET_BINAT); - if (r == NULL) - r = pf_match_translation(pd, m, off, direction, kif, - saddr, sport, daddr, dport, PF_RULESET_NAT); - } else { - r = pf_match_translation(pd, m, off, direction, kif, saddr, - sport, daddr, dport, PF_RULESET_RDR); - if (r == NULL) - r = pf_match_translation(pd, m, off, direction, kif, - saddr, sport, daddr, dport, PF_RULESET_BINAT); - } - - if (r != NULL) { - struct pf_addr *naddr; - u_int16_t *nport; - - if (pf_state_key_setup(pd, r, skw, sks, skp, nkp, - saddr, daddr, sport, dport)) - return r; - - /* XXX We only modify one side for now. */ - naddr = &(*nkp)->addr[1]; - nport = &(*nkp)->port[1]; - - switch (r->action) { - case PF_NONAT: - case PF_NOBINAT: - case PF_NORDR: - return (NULL); - case PF_NAT: - if (pf_get_sport(pd->af, pd->proto, r, saddr, - daddr, dport, naddr, nport, r->rpool.proxy_port[0], - r->rpool.proxy_port[1], sn)) { - DPFPRINTF(PF_DEBUG_MISC, - ("pf: NAT proxy port allocation " - "(%u-%u) failed\n", - r->rpool.proxy_port[0], - r->rpool.proxy_port[1])); - return (NULL); - } - break; - case PF_BINAT: - switch (direction) { - case PF_OUT: - if (r->rpool.cur->addr.type == PF_ADDR_DYNIFTL){ - switch (pd->af) { -#ifdef INET - case AF_INET: - if (r->rpool.cur->addr.p.dyn-> - pfid_acnt4 < 1) - return (NULL); - PF_POOLMASK(naddr, - &r->rpool.cur->addr.p.dyn-> - pfid_addr4, - &r->rpool.cur->addr.p.dyn-> - pfid_mask4, - saddr, AF_INET); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (r->rpool.cur->addr.p.dyn-> - pfid_acnt6 < 1) - return (NULL); - PF_POOLMASK(naddr, - &r->rpool.cur->addr.p.dyn-> - pfid_addr6, - &r->rpool.cur->addr.p.dyn-> - pfid_mask6, - saddr, AF_INET6); - break; -#endif /* INET6 */ - } - } else - PF_POOLMASK(naddr, - &r->rpool.cur->addr.v.a.addr, - &r->rpool.cur->addr.v.a.mask, - saddr, pd->af); - break; - case PF_IN: - if (r->src.addr.type == PF_ADDR_DYNIFTL) { - switch (pd->af) { -#ifdef INET - case AF_INET: - if (r->src.addr.p.dyn-> - pfid_acnt4 < 1) - return (NULL); - PF_POOLMASK(naddr, - &r->src.addr.p.dyn-> - pfid_addr4, - &r->src.addr.p.dyn-> - pfid_mask4, - daddr, AF_INET); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (r->src.addr.p.dyn-> - pfid_acnt6 < 1) - return (NULL); - PF_POOLMASK(naddr, - &r->src.addr.p.dyn-> - pfid_addr6, - &r->src.addr.p.dyn-> - pfid_mask6, - daddr, AF_INET6); - break; -#endif /* INET6 */ - } - } else - PF_POOLMASK(naddr, - &r->src.addr.v.a.addr, - &r->src.addr.v.a.mask, daddr, - pd->af); - break; - } - break; - case PF_RDR: { - if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn)) - return (NULL); - if ((r->rpool.opts & PF_POOL_TYPEMASK) == - PF_POOL_BITMASK) - PF_POOLMASK(naddr, naddr, - &r->rpool.cur->addr.v.a.mask, daddr, - pd->af); - - if (r->rpool.proxy_port[1]) { - u_int32_t tmp_nport; - - tmp_nport = ((ntohs(dport) - - ntohs(r->dst.port[0])) % - (r->rpool.proxy_port[1] - - r->rpool.proxy_port[0] + 1)) + - r->rpool.proxy_port[0]; - - /* wrap around if necessary */ - if (tmp_nport > 65535) - tmp_nport -= 65535; - *nport = htons((u_int16_t)tmp_nport); - } else if (r->rpool.proxy_port[0]) - *nport = htons(r->rpool.proxy_port[0]); - break; - } - default: - return (NULL); - } - /* - * Translation was a NOP. - * Pretend there was no match. - */ - if (!bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp))) { -#ifdef __FreeBSD__ - pool_put(&V_pf_state_key_pl, *nkp); - pool_put(&V_pf_state_key_pl, *skp); -#else - pool_put(&pf_state_key_pl, *nkp); - pool_put(&pf_state_key_pl, *skp); -#endif - *skw = *sks = *nkp = *skp = NULL; - return (NULL); - } - } - - return (r); -} - diff --git a/sys/contrib/pf/net/pf_mtag.h b/sys/contrib/pf/net/pf_mtag.h deleted file mode 100644 index 141a867..0000000 --- a/sys/contrib/pf/net/pf_mtag.h +++ /dev/null @@ -1,84 +0,0 @@ -/* $FreeBSD$ */ -/* - * Copyright (c) 2001 Daniel Hartmeier - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef _NET_PF_MTAG_H_ -#define _NET_PF_MTAG_H_ - -#ifdef _KERNEL - -#define PF_TAG_GENERATED 0x01 -#define PF_TAG_FRAGCACHE 0x02 -#define PF_TAG_TRANSLATE_LOCALHOST 0x04 -#define PF_PACKET_LOOPED 0x08 -#define PF_FASTFWD_OURS_PRESENT 0x10 - -struct pf_mtag { - void *hdr; /* saved hdr pos in mbuf, for ECN */ - void *statekey; /* pf stackside statekey */ - u_int32_t qid; /* queue id */ - u_int rtableid; /* alternate routing table id */ - u_int16_t tag; /* tag id */ - u_int8_t flags; - u_int8_t routed; -}; - -static __inline struct pf_mtag *pf_find_mtag(struct mbuf *); -static __inline struct pf_mtag *pf_get_mtag(struct mbuf *); - -static __inline struct pf_mtag * -pf_find_mtag(struct mbuf *m) -{ - struct m_tag *mtag; - - if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) - return (NULL); - - return ((struct pf_mtag *)(mtag + 1)); -} - -static __inline struct pf_mtag * -pf_get_mtag(struct mbuf *m) -{ - struct m_tag *mtag; - - if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) { - mtag = m_tag_get(PACKET_TAG_PF, sizeof(struct pf_mtag), - M_NOWAIT); - if (mtag == NULL) - return (NULL); - bzero(mtag + 1, sizeof(struct pf_mtag)); - m_tag_prepend(m, mtag); - } - - return ((struct pf_mtag *)(mtag + 1)); -} -#endif /* _KERNEL */ -#endif /* _NET_PF_MTAG_H_ */ diff --git a/sys/contrib/pf/net/pf_norm.c b/sys/contrib/pf/net/pf_norm.c deleted file mode 100644 index 2b20c85..0000000 --- a/sys/contrib/pf/net/pf_norm.c +++ /dev/null @@ -1,2359 +0,0 @@ -/* $OpenBSD: pf_norm.c,v 1.114 2009/01/29 14:11:45 henning Exp $ */ - -/* - * Copyright 2001 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifdef __FreeBSD__ -#include "opt_inet.h" -#include "opt_inet6.h" -#include "opt_pf.h" - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#ifdef DEV_PFLOG -#define NPFLOG DEV_PFLOG -#else -#define NPFLOG 0 -#endif -#else -#include "pflog.h" -#endif - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/mbuf.h> -#include <sys/filio.h> -#include <sys/fcntl.h> -#include <sys/socket.h> -#include <sys/kernel.h> -#include <sys/time.h> -#ifndef __FreeBSD__ -#include <sys/pool.h> - -#include <dev/rndvar.h> -#endif -#include <net/if.h> -#include <net/if_types.h> -#include <net/bpf.h> -#include <net/route.h> -#include <net/if_pflog.h> - -#include <netinet/in.h> -#include <netinet/in_var.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/tcp.h> -#include <netinet/tcp_seq.h> -#include <netinet/udp.h> -#include <netinet/ip_icmp.h> - -#ifdef INET6 -#include <netinet/ip6.h> -#endif /* INET6 */ - -#include <net/pfvar.h> - -#ifndef __FreeBSD__ -struct pf_frent { - LIST_ENTRY(pf_frent) fr_next; - struct ip *fr_ip; - struct mbuf *fr_m; -}; - -struct pf_frcache { - LIST_ENTRY(pf_frcache) fr_next; - uint16_t fr_off; - uint16_t fr_end; -}; -#endif - -#define PFFRAG_SEENLAST 0x0001 /* Seen the last fragment for this */ -#define PFFRAG_NOBUFFER 0x0002 /* Non-buffering fragment cache */ -#define PFFRAG_DROP 0x0004 /* Drop all fragments */ -#define BUFFER_FRAGMENTS(fr) (!((fr)->fr_flags & PFFRAG_NOBUFFER)) - -#ifndef __FreeBSD__ -struct pf_fragment { - RB_ENTRY(pf_fragment) fr_entry; - TAILQ_ENTRY(pf_fragment) frag_next; - struct in_addr fr_src; - struct in_addr fr_dst; - u_int8_t fr_p; /* protocol of this fragment */ - u_int8_t fr_flags; /* status flags */ - u_int16_t fr_id; /* fragment id for reassemble */ - u_int16_t fr_max; /* fragment data max */ - u_int32_t fr_timeout; -#define fr_queue fr_u.fru_queue -#define fr_cache fr_u.fru_cache - union { - LIST_HEAD(pf_fragq, pf_frent) fru_queue; /* buffering */ - LIST_HEAD(pf_cacheq, pf_frcache) fru_cache; /* non-buf */ - } fr_u; -}; -#endif - -#ifdef __FreeBSD__ -TAILQ_HEAD(pf_fragqueue, pf_fragment); -TAILQ_HEAD(pf_cachequeue, pf_fragment); -VNET_DEFINE(struct pf_fragqueue, pf_fragqueue); -#define V_pf_fragqueue VNET(pf_fragqueue) -VNET_DEFINE(struct pf_cachequeue, pf_cachequeue); -#define V_pf_cachequeue VNET(pf_cachequeue) -#else -TAILQ_HEAD(pf_fragqueue, pf_fragment) pf_fragqueue; -TAILQ_HEAD(pf_cachequeue, pf_fragment) pf_cachequeue; -#endif - -#ifndef __FreeBSD__ -static __inline int pf_frag_compare(struct pf_fragment *, - struct pf_fragment *); -#else -static int pf_frag_compare(struct pf_fragment *, - struct pf_fragment *); -#endif - -#ifdef __FreeBSD__ -RB_HEAD(pf_frag_tree, pf_fragment); -VNET_DEFINE(struct pf_frag_tree, pf_frag_tree); -#define V_pf_frag_tree VNET(pf_frag_tree) -VNET_DEFINE(struct pf_frag_tree, pf_cache_tree); -#define V_pf_cache_tree VNET(pf_cache_tree) -#else -RB_HEAD(pf_frag_tree, pf_fragment) pf_frag_tree, pf_cache_tree; -#endif -RB_PROTOTYPE(pf_frag_tree, pf_fragment, fr_entry, pf_frag_compare); -RB_GENERATE(pf_frag_tree, pf_fragment, fr_entry, pf_frag_compare); - -/* Private prototypes */ -void pf_ip2key(struct pf_fragment *, struct ip *); -void pf_remove_fragment(struct pf_fragment *); -void pf_flush_fragments(void); -void pf_free_fragment(struct pf_fragment *); -struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *); -struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **, - struct pf_frent *, int); -struct mbuf *pf_fragcache(struct mbuf **, struct ip*, - struct pf_fragment **, int, int, int *); -int pf_normalize_tcpopt(struct pf_rule *, struct mbuf *, - struct tcphdr *, int, sa_family_t); -void pf_scrub_ip(struct mbuf **, u_int32_t, u_int8_t, - u_int8_t); -#ifdef INET6 -void pf_scrub_ip6(struct mbuf **, u_int8_t); -#endif -#ifdef __FreeBSD__ -#define DPFPRINTF(x) do { \ - if (V_pf_status.debug >= PF_DEBUG_MISC) { \ - printf("%s: ", __func__); \ - printf x ; \ - } \ -} while(0) -#else -#define DPFPRINTF(x) do { \ - if (pf_status.debug >= PF_DEBUG_MISC) { \ - printf("%s: ", __func__); \ - printf x ; \ - } \ -} while(0) -#endif - -/* Globals */ -#ifdef __FreeBSD__ -VNET_DEFINE(uma_zone_t, pf_frent_pl); -VNET_DEFINE(uma_zone_t, pf_frag_pl); -VNET_DEFINE(uma_zone_t, pf_cache_pl); -VNET_DEFINE(uma_zone_t, pf_cent_pl); -VNET_DEFINE(uma_zone_t, pf_state_scrub_pl); - -VNET_DEFINE(int, pf_nfrents); -#define V_pf_nfrents VNET(pf_nfrents) -VNET_DEFINE(int, pf_ncache); -#define V_pf_ncache VNET(pf_ncache) -#else -struct pool pf_frent_pl, pf_frag_pl, pf_cache_pl, pf_cent_pl; -struct pool pf_state_scrub_pl; -int pf_nfrents, pf_ncache; -#endif - -void -pf_normalize_init(void) -{ -#ifdef __FreeBSD__ - /* - * XXX - * No high water mark support(It's hint not hard limit). - * uma_zone_set_max(pf_frag_pl, PFFRAG_FRAG_HIWAT); - */ - uma_zone_set_max(V_pf_frent_pl, PFFRAG_FRENT_HIWAT); - uma_zone_set_max(V_pf_cache_pl, PFFRAG_FRCACHE_HIWAT); - uma_zone_set_max(V_pf_cent_pl, PFFRAG_FRCENT_HIWAT); -#else - pool_init(&pf_frent_pl, sizeof(struct pf_frent), 0, 0, 0, "pffrent", - NULL); - pool_init(&pf_frag_pl, sizeof(struct pf_fragment), 0, 0, 0, "pffrag", - NULL); - pool_init(&pf_cache_pl, sizeof(struct pf_fragment), 0, 0, 0, - "pffrcache", NULL); - pool_init(&pf_cent_pl, sizeof(struct pf_frcache), 0, 0, 0, "pffrcent", - NULL); - pool_init(&pf_state_scrub_pl, sizeof(struct pf_state_scrub), 0, 0, 0, - "pfstscr", NULL); - - pool_sethiwat(&pf_frag_pl, PFFRAG_FRAG_HIWAT); - pool_sethardlimit(&pf_frent_pl, PFFRAG_FRENT_HIWAT, NULL, 0); - pool_sethardlimit(&pf_cache_pl, PFFRAG_FRCACHE_HIWAT, NULL, 0); - pool_sethardlimit(&pf_cent_pl, PFFRAG_FRCENT_HIWAT, NULL, 0); -#endif - -#ifdef __FreeBSD__ - TAILQ_INIT(&V_pf_fragqueue); - TAILQ_INIT(&V_pf_cachequeue); -#else - TAILQ_INIT(&pf_fragqueue); - TAILQ_INIT(&pf_cachequeue); -#endif -} - -#ifdef __FreeBSD__ -static int -#else -static __inline int -#endif -pf_frag_compare(struct pf_fragment *a, struct pf_fragment *b) -{ - int diff; - - if ((diff = a->fr_id - b->fr_id)) - return (diff); - else if ((diff = a->fr_p - b->fr_p)) - return (diff); - else if (a->fr_src.s_addr < b->fr_src.s_addr) - return (-1); - else if (a->fr_src.s_addr > b->fr_src.s_addr) - return (1); - else if (a->fr_dst.s_addr < b->fr_dst.s_addr) - return (-1); - else if (a->fr_dst.s_addr > b->fr_dst.s_addr) - return (1); - return (0); -} - -void -pf_purge_expired_fragments(void) -{ - struct pf_fragment *frag; -#ifdef __FreeBSD__ - u_int32_t expire = time_second - - V_pf_default_rule.timeout[PFTM_FRAG]; -#else - u_int32_t expire = time_second - - pf_default_rule.timeout[PFTM_FRAG]; -#endif - -#ifdef __FreeBSD__ - while ((frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue)) != NULL) { - KASSERT((BUFFER_FRAGMENTS(frag)), - ("BUFFER_FRAGMENTS(frag) == 0: %s", __FUNCTION__)); -#else - while ((frag = TAILQ_LAST(&pf_fragqueue, pf_fragqueue)) != NULL) { - KASSERT(BUFFER_FRAGMENTS(frag)); -#endif - if (frag->fr_timeout > expire) - break; - - DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag)); - pf_free_fragment(frag); - } - -#ifdef __FreeBSD__ - while ((frag = TAILQ_LAST(&V_pf_cachequeue, pf_cachequeue)) != NULL) { - KASSERT((!BUFFER_FRAGMENTS(frag)), - ("BUFFER_FRAGMENTS(frag) != 0: %s", __FUNCTION__)); -#else - while ((frag = TAILQ_LAST(&pf_cachequeue, pf_cachequeue)) != NULL) { - KASSERT(!BUFFER_FRAGMENTS(frag)); -#endif - if (frag->fr_timeout > expire) - break; - - DPFPRINTF(("expiring %d(%p)\n", frag->fr_id, frag)); - pf_free_fragment(frag); -#ifdef __FreeBSD__ - KASSERT((TAILQ_EMPTY(&V_pf_cachequeue) || - TAILQ_LAST(&V_pf_cachequeue, pf_cachequeue) != frag), - ("!(TAILQ_EMPTY() || TAILQ_LAST() == farg): %s", - __FUNCTION__)); -#else - KASSERT(TAILQ_EMPTY(&pf_cachequeue) || - TAILQ_LAST(&pf_cachequeue, pf_cachequeue) != frag); -#endif - } -} - -/* - * Try to flush old fragments to make space for new ones - */ - -void -pf_flush_fragments(void) -{ - struct pf_fragment *frag; - int goal; - -#ifdef __FreeBSD__ - goal = V_pf_nfrents * 9 / 10; - DPFPRINTF(("trying to free > %d frents\n", - V_pf_nfrents - goal)); - while (goal < V_pf_nfrents) { -#else - goal = pf_nfrents * 9 / 10; - DPFPRINTF(("trying to free > %d frents\n", - pf_nfrents - goal)); - while (goal < pf_nfrents) { -#endif -#ifdef __FreeBSD__ - frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue); -#else - frag = TAILQ_LAST(&pf_fragqueue, pf_fragqueue); -#endif - if (frag == NULL) - break; - pf_free_fragment(frag); - } - - -#ifdef __FreeBSD__ - goal = V_pf_ncache * 9 / 10; - DPFPRINTF(("trying to free > %d cache entries\n", - V_pf_ncache - goal)); - while (goal < V_pf_ncache) { -#else - goal = pf_ncache * 9 / 10; - DPFPRINTF(("trying to free > %d cache entries\n", - pf_ncache - goal)); - while (goal < pf_ncache) { -#endif -#ifdef __FreeBSD__ - frag = TAILQ_LAST(&V_pf_cachequeue, pf_cachequeue); -#else - frag = TAILQ_LAST(&pf_cachequeue, pf_cachequeue); -#endif - if (frag == NULL) - break; - pf_free_fragment(frag); - } -} - -/* Frees the fragments and all associated entries */ - -void -pf_free_fragment(struct pf_fragment *frag) -{ - struct pf_frent *frent; - struct pf_frcache *frcache; - - /* Free all fragments */ - if (BUFFER_FRAGMENTS(frag)) { - for (frent = LIST_FIRST(&frag->fr_queue); frent; - frent = LIST_FIRST(&frag->fr_queue)) { - LIST_REMOVE(frent, fr_next); - - m_freem(frent->fr_m); -#ifdef __FreeBSD__ - pool_put(&V_pf_frent_pl, frent); - V_pf_nfrents--; -#else - pool_put(&pf_frent_pl, frent); - pf_nfrents--; -#endif - } - } else { - for (frcache = LIST_FIRST(&frag->fr_cache); frcache; - frcache = LIST_FIRST(&frag->fr_cache)) { - LIST_REMOVE(frcache, fr_next); - -#ifdef __FreeBSD__ - KASSERT((LIST_EMPTY(&frag->fr_cache) || - LIST_FIRST(&frag->fr_cache)->fr_off > - frcache->fr_end), - ("! (LIST_EMPTY() || LIST_FIRST()->fr_off >" - " frcache->fr_end): %s", __FUNCTION__)); - - pool_put(&V_pf_cent_pl, frcache); - V_pf_ncache--; -#else - KASSERT(LIST_EMPTY(&frag->fr_cache) || - LIST_FIRST(&frag->fr_cache)->fr_off > - frcache->fr_end); - - pool_put(&pf_cent_pl, frcache); - pf_ncache--; -#endif - } - } - - pf_remove_fragment(frag); -} - -void -pf_ip2key(struct pf_fragment *key, struct ip *ip) -{ - key->fr_p = ip->ip_p; - key->fr_id = ip->ip_id; - key->fr_src.s_addr = ip->ip_src.s_addr; - key->fr_dst.s_addr = ip->ip_dst.s_addr; -} - -struct pf_fragment * -pf_find_fragment(struct ip *ip, struct pf_frag_tree *tree) -{ - struct pf_fragment key; - struct pf_fragment *frag; - - pf_ip2key(&key, ip); - - frag = RB_FIND(pf_frag_tree, tree, &key); - if (frag != NULL) { - /* XXX Are we sure we want to update the timeout? */ - frag->fr_timeout = time_second; - if (BUFFER_FRAGMENTS(frag)) { -#ifdef __FreeBSD__ - TAILQ_REMOVE(&V_pf_fragqueue, frag, frag_next); - TAILQ_INSERT_HEAD(&V_pf_fragqueue, frag, frag_next); -#else - TAILQ_REMOVE(&pf_fragqueue, frag, frag_next); - TAILQ_INSERT_HEAD(&pf_fragqueue, frag, frag_next); -#endif - } else { -#ifdef __FreeBSD__ - TAILQ_REMOVE(&V_pf_cachequeue, frag, frag_next); - TAILQ_INSERT_HEAD(&V_pf_cachequeue, frag, frag_next); -#else - TAILQ_REMOVE(&pf_cachequeue, frag, frag_next); - TAILQ_INSERT_HEAD(&pf_cachequeue, frag, frag_next); -#endif - } - } - - return (frag); -} - -/* Removes a fragment from the fragment queue and frees the fragment */ - -void -pf_remove_fragment(struct pf_fragment *frag) -{ - if (BUFFER_FRAGMENTS(frag)) { -#ifdef __FreeBSD__ - RB_REMOVE(pf_frag_tree, &V_pf_frag_tree, frag); - TAILQ_REMOVE(&V_pf_fragqueue, frag, frag_next); - pool_put(&V_pf_frag_pl, frag); -#else - RB_REMOVE(pf_frag_tree, &pf_frag_tree, frag); - TAILQ_REMOVE(&pf_fragqueue, frag, frag_next); - pool_put(&pf_frag_pl, frag); -#endif - } else { -#ifdef __FreeBSD__ - RB_REMOVE(pf_frag_tree, &V_pf_cache_tree, frag); - TAILQ_REMOVE(&V_pf_cachequeue, frag, frag_next); - pool_put(&V_pf_cache_pl, frag); -#else - RB_REMOVE(pf_frag_tree, &pf_cache_tree, frag); - TAILQ_REMOVE(&pf_cachequeue, frag, frag_next); - pool_put(&pf_cache_pl, frag); -#endif - } -} - -#define FR_IP_OFF(fr) ((ntohs((fr)->fr_ip->ip_off) & IP_OFFMASK) << 3) -struct mbuf * -pf_reassemble(struct mbuf **m0, struct pf_fragment **frag, - struct pf_frent *frent, int mff) -{ - struct mbuf *m = *m0, *m2; - struct pf_frent *frea, *next; - struct pf_frent *frep = NULL; - struct ip *ip = frent->fr_ip; - int hlen = ip->ip_hl << 2; - u_int16_t off = (ntohs(ip->ip_off) & IP_OFFMASK) << 3; - u_int16_t ip_len = ntohs(ip->ip_len) - ip->ip_hl * 4; - u_int16_t max = ip_len + off; - -#ifdef __FreeBSD__ - KASSERT((*frag == NULL || BUFFER_FRAGMENTS(*frag)), - ("! (*frag == NULL || BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__)); -#else - KASSERT(*frag == NULL || BUFFER_FRAGMENTS(*frag)); -#endif - - /* Strip off ip header */ - m->m_data += hlen; - m->m_len -= hlen; - - /* Create a new reassembly queue for this packet */ - if (*frag == NULL) { -#ifdef __FreeBSD__ - *frag = pool_get(&V_pf_frag_pl, PR_NOWAIT); -#else - *frag = pool_get(&pf_frag_pl, PR_NOWAIT); -#endif - if (*frag == NULL) { - pf_flush_fragments(); -#ifdef __FreeBSD__ - *frag = pool_get(&V_pf_frag_pl, PR_NOWAIT); -#else - *frag = pool_get(&pf_frag_pl, PR_NOWAIT); -#endif - if (*frag == NULL) - goto drop_fragment; - } - - (*frag)->fr_flags = 0; - (*frag)->fr_max = 0; - (*frag)->fr_src = frent->fr_ip->ip_src; - (*frag)->fr_dst = frent->fr_ip->ip_dst; - (*frag)->fr_p = frent->fr_ip->ip_p; - (*frag)->fr_id = frent->fr_ip->ip_id; - (*frag)->fr_timeout = time_second; - LIST_INIT(&(*frag)->fr_queue); - -#ifdef __FreeBSD__ - RB_INSERT(pf_frag_tree, &V_pf_frag_tree, *frag); - TAILQ_INSERT_HEAD(&V_pf_fragqueue, *frag, frag_next); -#else - RB_INSERT(pf_frag_tree, &pf_frag_tree, *frag); - TAILQ_INSERT_HEAD(&pf_fragqueue, *frag, frag_next); -#endif - - /* We do not have a previous fragment */ - frep = NULL; - goto insert; - } - - /* - * Find a fragment after the current one: - * - off contains the real shifted offset. - */ - LIST_FOREACH(frea, &(*frag)->fr_queue, fr_next) { - if (FR_IP_OFF(frea) > off) - break; - frep = frea; - } - -#ifdef __FreeBSD__ - KASSERT((frep != NULL || frea != NULL), - ("!(frep != NULL || frea != NULL): %s", __FUNCTION__));; -#else - KASSERT(frep != NULL || frea != NULL); -#endif - - if (frep != NULL && - FR_IP_OFF(frep) + ntohs(frep->fr_ip->ip_len) - frep->fr_ip->ip_hl * - 4 > off) - { - u_int16_t precut; - - precut = FR_IP_OFF(frep) + ntohs(frep->fr_ip->ip_len) - - frep->fr_ip->ip_hl * 4 - off; - if (precut >= ip_len) - goto drop_fragment; - m_adj(frent->fr_m, precut); - DPFPRINTF(("overlap -%d\n", precut)); - /* Enforce 8 byte boundaries */ - ip->ip_off = htons(ntohs(ip->ip_off) + (precut >> 3)); - off = (ntohs(ip->ip_off) & IP_OFFMASK) << 3; - ip_len -= precut; - ip->ip_len = htons(ip_len); - } - - for (; frea != NULL && ip_len + off > FR_IP_OFF(frea); - frea = next) - { - u_int16_t aftercut; - - aftercut = ip_len + off - FR_IP_OFF(frea); - DPFPRINTF(("adjust overlap %d\n", aftercut)); - if (aftercut < ntohs(frea->fr_ip->ip_len) - frea->fr_ip->ip_hl - * 4) - { - frea->fr_ip->ip_len = - htons(ntohs(frea->fr_ip->ip_len) - aftercut); - frea->fr_ip->ip_off = htons(ntohs(frea->fr_ip->ip_off) + - (aftercut >> 3)); - m_adj(frea->fr_m, aftercut); - break; - } - - /* This fragment is completely overlapped, lose it */ - next = LIST_NEXT(frea, fr_next); - m_freem(frea->fr_m); - LIST_REMOVE(frea, fr_next); -#ifdef __FreeBSD__ - pool_put(&V_pf_frent_pl, frea); - V_pf_nfrents--; -#else - pool_put(&pf_frent_pl, frea); - pf_nfrents--; -#endif - } - - insert: - /* Update maximum data size */ - if ((*frag)->fr_max < max) - (*frag)->fr_max = max; - /* This is the last segment */ - if (!mff) - (*frag)->fr_flags |= PFFRAG_SEENLAST; - - if (frep == NULL) - LIST_INSERT_HEAD(&(*frag)->fr_queue, frent, fr_next); - else - LIST_INSERT_AFTER(frep, frent, fr_next); - - /* Check if we are completely reassembled */ - if (!((*frag)->fr_flags & PFFRAG_SEENLAST)) - return (NULL); - - /* Check if we have all the data */ - off = 0; - for (frep = LIST_FIRST(&(*frag)->fr_queue); frep; frep = next) { - next = LIST_NEXT(frep, fr_next); - - off += ntohs(frep->fr_ip->ip_len) - frep->fr_ip->ip_hl * 4; - if (off < (*frag)->fr_max && - (next == NULL || FR_IP_OFF(next) != off)) - { - DPFPRINTF(("missing fragment at %d, next %d, max %d\n", - off, next == NULL ? -1 : FR_IP_OFF(next), - (*frag)->fr_max)); - return (NULL); - } - } - DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max)); - if (off < (*frag)->fr_max) - return (NULL); - - /* We have all the data */ - frent = LIST_FIRST(&(*frag)->fr_queue); -#ifdef __FreeBSD__ - KASSERT((frent != NULL), ("frent == NULL: %s", __FUNCTION__)); -#else - KASSERT(frent != NULL); -#endif - if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) { - DPFPRINTF(("drop: too big: %d\n", off)); - pf_free_fragment(*frag); - *frag = NULL; - return (NULL); - } - next = LIST_NEXT(frent, fr_next); - - /* Magic from ip_input */ - ip = frent->fr_ip; - m = frent->fr_m; - m2 = m->m_next; - m->m_next = NULL; - m_cat(m, m2); -#ifdef __FreeBSD__ - pool_put(&V_pf_frent_pl, frent); - V_pf_nfrents--; -#else - pool_put(&pf_frent_pl, frent); - pf_nfrents--; -#endif - for (frent = next; frent != NULL; frent = next) { - next = LIST_NEXT(frent, fr_next); - - m2 = frent->fr_m; -#ifdef __FreeBSD__ - pool_put(&V_pf_frent_pl, frent); - V_pf_nfrents--; -#else - pool_put(&pf_frent_pl, frent); - pf_nfrents--; -#endif -#ifdef __FreeBSD__ - m->m_pkthdr.csum_flags &= m2->m_pkthdr.csum_flags; - m->m_pkthdr.csum_data += m2->m_pkthdr.csum_data; -#endif - m_cat(m, m2); - } - -#ifdef __FreeBSD__ - while (m->m_pkthdr.csum_data & 0xffff0000) - m->m_pkthdr.csum_data = (m->m_pkthdr.csum_data & 0xffff) + - (m->m_pkthdr.csum_data >> 16); -#endif - ip->ip_src = (*frag)->fr_src; - ip->ip_dst = (*frag)->fr_dst; - - /* Remove from fragment queue */ - pf_remove_fragment(*frag); - *frag = NULL; - - hlen = ip->ip_hl << 2; - ip->ip_len = htons(off + hlen); - m->m_len += hlen; - m->m_data -= hlen; - - /* some debugging cruft by sklower, below, will go away soon */ - /* XXX this should be done elsewhere */ - if (m->m_flags & M_PKTHDR) { - int plen = 0; - for (m2 = m; m2; m2 = m2->m_next) - plen += m2->m_len; - m->m_pkthdr.len = plen; - } - - DPFPRINTF(("complete: %p(%d)\n", m, ntohs(ip->ip_len))); - return (m); - - drop_fragment: - /* Oops - fail safe - drop packet */ -#ifdef __FreeBSD__ - pool_put(&V_pf_frent_pl, frent); - V_pf_nfrents--; -#else - pool_put(&pf_frent_pl, frent); - pf_nfrents--; -#endif - m_freem(m); - return (NULL); -} - -struct mbuf * -pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment **frag, int mff, - int drop, int *nomem) -{ - struct mbuf *m = *m0; - struct pf_frcache *frp, *fra, *cur = NULL; - int ip_len = ntohs(h->ip_len) - (h->ip_hl << 2); - u_int16_t off = ntohs(h->ip_off) << 3; - u_int16_t max = ip_len + off; - int hosed = 0; - -#ifdef __FreeBSD__ - KASSERT((*frag == NULL || !BUFFER_FRAGMENTS(*frag)), - ("!(*frag == NULL || !BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__)); -#else - KASSERT(*frag == NULL || !BUFFER_FRAGMENTS(*frag)); -#endif - - /* Create a new range queue for this packet */ - if (*frag == NULL) { -#ifdef __FreeBSD__ - *frag = pool_get(&V_pf_cache_pl, PR_NOWAIT); -#else - *frag = pool_get(&pf_cache_pl, PR_NOWAIT); -#endif - if (*frag == NULL) { - pf_flush_fragments(); -#ifdef __FreeBSD__ - *frag = pool_get(&V_pf_cache_pl, PR_NOWAIT); -#else - *frag = pool_get(&pf_cache_pl, PR_NOWAIT); -#endif - if (*frag == NULL) - goto no_mem; - } - - /* Get an entry for the queue */ -#ifdef __FreeBSD__ - cur = pool_get(&V_pf_cent_pl, PR_NOWAIT); - if (cur == NULL) { - pool_put(&V_pf_cache_pl, *frag); -#else - cur = pool_get(&pf_cent_pl, PR_NOWAIT); - if (cur == NULL) { - pool_put(&pf_cache_pl, *frag); -#endif - *frag = NULL; - goto no_mem; - } -#ifdef __FreeBSD__ - V_pf_ncache++; -#else - pf_ncache++; -#endif - - (*frag)->fr_flags = PFFRAG_NOBUFFER; - (*frag)->fr_max = 0; - (*frag)->fr_src = h->ip_src; - (*frag)->fr_dst = h->ip_dst; - (*frag)->fr_p = h->ip_p; - (*frag)->fr_id = h->ip_id; - (*frag)->fr_timeout = time_second; - - cur->fr_off = off; - cur->fr_end = max; - LIST_INIT(&(*frag)->fr_cache); - LIST_INSERT_HEAD(&(*frag)->fr_cache, cur, fr_next); - -#ifdef __FreeBSD__ - RB_INSERT(pf_frag_tree, &V_pf_cache_tree, *frag); - TAILQ_INSERT_HEAD(&V_pf_cachequeue, *frag, frag_next); -#else - RB_INSERT(pf_frag_tree, &pf_cache_tree, *frag); - TAILQ_INSERT_HEAD(&pf_cachequeue, *frag, frag_next); -#endif - - DPFPRINTF(("fragcache[%d]: new %d-%d\n", h->ip_id, off, max)); - - goto pass; - } - - /* - * Find a fragment after the current one: - * - off contains the real shifted offset. - */ - frp = NULL; - LIST_FOREACH(fra, &(*frag)->fr_cache, fr_next) { - if (fra->fr_off > off) - break; - frp = fra; - } - -#ifdef __FreeBSD__ - KASSERT((frp != NULL || fra != NULL), - ("!(frp != NULL || fra != NULL): %s", __FUNCTION__)); -#else - KASSERT(frp != NULL || fra != NULL); -#endif - - if (frp != NULL) { - int precut; - - precut = frp->fr_end - off; - if (precut >= ip_len) { - /* Fragment is entirely a duplicate */ - DPFPRINTF(("fragcache[%d]: dead (%d-%d) %d-%d\n", - h->ip_id, frp->fr_off, frp->fr_end, off, max)); - goto drop_fragment; - } - if (precut == 0) { - /* They are adjacent. Fixup cache entry */ - DPFPRINTF(("fragcache[%d]: adjacent (%d-%d) %d-%d\n", - h->ip_id, frp->fr_off, frp->fr_end, off, max)); - frp->fr_end = max; - } else if (precut > 0) { - /* The first part of this payload overlaps with a - * fragment that has already been passed. - * Need to trim off the first part of the payload. - * But to do so easily, we need to create another - * mbuf to throw the original header into. - */ - - DPFPRINTF(("fragcache[%d]: chop %d (%d-%d) %d-%d\n", - h->ip_id, precut, frp->fr_off, frp->fr_end, off, - max)); - - off += precut; - max -= precut; - /* Update the previous frag to encompass this one */ - frp->fr_end = max; - - if (!drop) { - /* XXX Optimization opportunity - * This is a very heavy way to trim the payload. - * we could do it much faster by diddling mbuf - * internals but that would be even less legible - * than this mbuf magic. For my next trick, - * I'll pull a rabbit out of my laptop. - */ -#ifdef __FreeBSD__ - *m0 = m_dup(m, M_DONTWAIT); -#else - *m0 = m_copym2(m, 0, h->ip_hl << 2, M_NOWAIT); -#endif - if (*m0 == NULL) - goto no_mem; -#ifdef __FreeBSD__ - /* From KAME Project : We have missed this! */ - m_adj(*m0, (h->ip_hl << 2) - - (*m0)->m_pkthdr.len); - - KASSERT(((*m0)->m_next == NULL), - ("(*m0)->m_next != NULL: %s", - __FUNCTION__)); -#else - KASSERT((*m0)->m_next == NULL); -#endif - m_adj(m, precut + (h->ip_hl << 2)); - m_cat(*m0, m); - m = *m0; - if (m->m_flags & M_PKTHDR) { - int plen = 0; - struct mbuf *t; - for (t = m; t; t = t->m_next) - plen += t->m_len; - m->m_pkthdr.len = plen; - } - - - h = mtod(m, struct ip *); - -#ifdef __FreeBSD__ - KASSERT(((int)m->m_len == - ntohs(h->ip_len) - precut), - ("m->m_len != ntohs(h->ip_len) - precut: %s", - __FUNCTION__)); -#else - KASSERT((int)m->m_len == - ntohs(h->ip_len) - precut); -#endif - h->ip_off = htons(ntohs(h->ip_off) + - (precut >> 3)); - h->ip_len = htons(ntohs(h->ip_len) - precut); - } else { - hosed++; - } - } else { - /* There is a gap between fragments */ - - DPFPRINTF(("fragcache[%d]: gap %d (%d-%d) %d-%d\n", - h->ip_id, -precut, frp->fr_off, frp->fr_end, off, - max)); - -#ifdef __FreeBSD__ - cur = pool_get(&V_pf_cent_pl, PR_NOWAIT); -#else - cur = pool_get(&pf_cent_pl, PR_NOWAIT); -#endif - if (cur == NULL) - goto no_mem; -#ifdef __FreeBSD__ - V_pf_ncache++; -#else - pf_ncache++; -#endif - - cur->fr_off = off; - cur->fr_end = max; - LIST_INSERT_AFTER(frp, cur, fr_next); - } - } - - if (fra != NULL) { - int aftercut; - int merge = 0; - - aftercut = max - fra->fr_off; - if (aftercut == 0) { - /* Adjacent fragments */ - DPFPRINTF(("fragcache[%d]: adjacent %d-%d (%d-%d)\n", - h->ip_id, off, max, fra->fr_off, fra->fr_end)); - fra->fr_off = off; - merge = 1; - } else if (aftercut > 0) { - /* Need to chop off the tail of this fragment */ - DPFPRINTF(("fragcache[%d]: chop %d %d-%d (%d-%d)\n", - h->ip_id, aftercut, off, max, fra->fr_off, - fra->fr_end)); - fra->fr_off = off; - max -= aftercut; - - merge = 1; - - if (!drop) { - m_adj(m, -aftercut); - if (m->m_flags & M_PKTHDR) { - int plen = 0; - struct mbuf *t; - for (t = m; t; t = t->m_next) - plen += t->m_len; - m->m_pkthdr.len = plen; - } - h = mtod(m, struct ip *); -#ifdef __FreeBSD__ - KASSERT(((int)m->m_len == ntohs(h->ip_len) - aftercut), - ("m->m_len != ntohs(h->ip_len) - aftercut: %s", - __FUNCTION__)); -#else - KASSERT((int)m->m_len == - ntohs(h->ip_len) - aftercut); -#endif - h->ip_len = htons(ntohs(h->ip_len) - aftercut); - } else { - hosed++; - } - } else if (frp == NULL) { - /* There is a gap between fragments */ - DPFPRINTF(("fragcache[%d]: gap %d %d-%d (%d-%d)\n", - h->ip_id, -aftercut, off, max, fra->fr_off, - fra->fr_end)); - -#ifdef __FreeBSD__ - cur = pool_get(&V_pf_cent_pl, PR_NOWAIT); -#else - cur = pool_get(&pf_cent_pl, PR_NOWAIT); -#endif - if (cur == NULL) - goto no_mem; -#ifdef __FreeBSD__ - V_pf_ncache++; -#else - pf_ncache++; -#endif - - cur->fr_off = off; - cur->fr_end = max; - LIST_INSERT_BEFORE(fra, cur, fr_next); - } - - - /* Need to glue together two separate fragment descriptors */ - if (merge) { - if (cur && fra->fr_off <= cur->fr_end) { - /* Need to merge in a previous 'cur' */ - DPFPRINTF(("fragcache[%d]: adjacent(merge " - "%d-%d) %d-%d (%d-%d)\n", - h->ip_id, cur->fr_off, cur->fr_end, off, - max, fra->fr_off, fra->fr_end)); - fra->fr_off = cur->fr_off; - LIST_REMOVE(cur, fr_next); -#ifdef __FreeBSD__ - pool_put(&V_pf_cent_pl, cur); - V_pf_ncache--; -#else - pool_put(&pf_cent_pl, cur); - pf_ncache--; -#endif - cur = NULL; - - } else if (frp && fra->fr_off <= frp->fr_end) { - /* Need to merge in a modified 'frp' */ -#ifdef __FreeBSD__ - KASSERT((cur == NULL), ("cur != NULL: %s", - __FUNCTION__)); -#else - KASSERT(cur == NULL); -#endif - DPFPRINTF(("fragcache[%d]: adjacent(merge " - "%d-%d) %d-%d (%d-%d)\n", - h->ip_id, frp->fr_off, frp->fr_end, off, - max, fra->fr_off, fra->fr_end)); - fra->fr_off = frp->fr_off; - LIST_REMOVE(frp, fr_next); -#ifdef __FreeBSD__ - pool_put(&V_pf_cent_pl, frp); - V_pf_ncache--; -#else - pool_put(&pf_cent_pl, frp); - pf_ncache--; -#endif - frp = NULL; - - } - } - } - - if (hosed) { - /* - * We must keep tracking the overall fragment even when - * we're going to drop it anyway so that we know when to - * free the overall descriptor. Thus we drop the frag late. - */ - goto drop_fragment; - } - - - pass: - /* Update maximum data size */ - if ((*frag)->fr_max < max) - (*frag)->fr_max = max; - - /* This is the last segment */ - if (!mff) - (*frag)->fr_flags |= PFFRAG_SEENLAST; - - /* Check if we are completely reassembled */ - if (((*frag)->fr_flags & PFFRAG_SEENLAST) && - LIST_FIRST(&(*frag)->fr_cache)->fr_off == 0 && - LIST_FIRST(&(*frag)->fr_cache)->fr_end == (*frag)->fr_max) { - /* Remove from fragment queue */ - DPFPRINTF(("fragcache[%d]: done 0-%d\n", h->ip_id, - (*frag)->fr_max)); - pf_free_fragment(*frag); - *frag = NULL; - } - - return (m); - - no_mem: - *nomem = 1; - - /* Still need to pay attention to !IP_MF */ - if (!mff && *frag != NULL) - (*frag)->fr_flags |= PFFRAG_SEENLAST; - - m_freem(m); - return (NULL); - - drop_fragment: - - /* Still need to pay attention to !IP_MF */ - if (!mff && *frag != NULL) - (*frag)->fr_flags |= PFFRAG_SEENLAST; - - if (drop) { - /* This fragment has been deemed bad. Don't reass */ - if (((*frag)->fr_flags & PFFRAG_DROP) == 0) - DPFPRINTF(("fragcache[%d]: dropping overall fragment\n", - h->ip_id)); - (*frag)->fr_flags |= PFFRAG_DROP; - } - - m_freem(m); - return (NULL); -} - -#ifdef INET -int -pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, - struct pf_pdesc *pd) -{ - struct mbuf *m = *m0; - struct pf_rule *r; - struct pf_frent *frent; - struct pf_fragment *frag = NULL; - struct ip *h = mtod(m, struct ip *); - int mff = (ntohs(h->ip_off) & IP_MF); - int hlen = h->ip_hl << 2; - u_int16_t fragoff = (ntohs(h->ip_off) & IP_OFFMASK) << 3; - u_int16_t max; - int ip_len; - int ip_off; - int tag = -1; - - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); - while (r != NULL) { - r->evaluations++; - if (pfi_kif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; - else if (r->direction && r->direction != dir) - r = r->skip[PF_SKIP_DIR].ptr; - else if (r->af && r->af != AF_INET) - r = r->skip[PF_SKIP_AF].ptr; - else if (r->proto && r->proto != h->ip_p) - r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, - (struct pf_addr *)&h->ip_src.s_addr, AF_INET, - r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, - (struct pf_addr *)&h->ip_dst.s_addr, AF_INET, - r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; -#ifdef __FreeBSD__ - else if (r->match_tag && !pf_match_tag(m, r, &tag, pd->pf_mtag)) -#else - else if (r->match_tag && !pf_match_tag(m, r, &tag)) -#endif - r = TAILQ_NEXT(r, entries); - else - break; - } - - if (r == NULL || r->action == PF_NOSCRUB) - return (PF_PASS); - else { - r->packets[dir == PF_OUT]++; - r->bytes[dir == PF_OUT] += pd->tot_len; - } - - /* Check for illegal packets */ - if (hlen < (int)sizeof(struct ip)) - goto drop; - - if (hlen > ntohs(h->ip_len)) - goto drop; - - /* Clear IP_DF if the rule uses the no-df option */ - if (r->rule_flag & PFRULE_NODF && h->ip_off & htons(IP_DF)) { - u_int16_t ip_off = h->ip_off; - - h->ip_off &= htons(~IP_DF); - h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); - } - - /* We will need other tests here */ - if (!fragoff && !mff) - goto no_fragment; - - /* We're dealing with a fragment now. Don't allow fragments - * with IP_DF to enter the cache. If the flag was cleared by - * no-df above, fine. Otherwise drop it. - */ - if (h->ip_off & htons(IP_DF)) { - DPFPRINTF(("IP_DF\n")); - goto bad; - } - - ip_len = ntohs(h->ip_len) - hlen; - ip_off = (ntohs(h->ip_off) & IP_OFFMASK) << 3; - - /* All fragments are 8 byte aligned */ - if (mff && (ip_len & 0x7)) { - DPFPRINTF(("mff and %d\n", ip_len)); - goto bad; - } - - /* Respect maximum length */ - if (fragoff + ip_len > IP_MAXPACKET) { - DPFPRINTF(("max packet %d\n", fragoff + ip_len)); - goto bad; - } - max = fragoff + ip_len; - - if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) { - /* Fully buffer all of the fragments */ - -#ifdef __FreeBSD__ - frag = pf_find_fragment(h, &V_pf_frag_tree); -#else - frag = pf_find_fragment(h, &pf_frag_tree); -#endif - - /* Check if we saw the last fragment already */ - if (frag != NULL && (frag->fr_flags & PFFRAG_SEENLAST) && - max > frag->fr_max) - goto bad; - - /* Get an entry for the fragment queue */ -#ifdef __FreeBSD__ - frent = pool_get(&V_pf_frent_pl, PR_NOWAIT); -#else - frent = pool_get(&pf_frent_pl, PR_NOWAIT); -#endif - if (frent == NULL) { - REASON_SET(reason, PFRES_MEMORY); - return (PF_DROP); - } -#ifdef __FreeBSD__ - V_pf_nfrents++; -#else - pf_nfrents++; -#endif - frent->fr_ip = h; - frent->fr_m = m; - - /* Might return a completely reassembled mbuf, or NULL */ - DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max)); - *m0 = m = pf_reassemble(m0, &frag, frent, mff); - - if (m == NULL) - return (PF_DROP); - - /* use mtag from concatenated mbuf chain */ - pd->pf_mtag = pf_find_mtag(m); -#ifdef DIAGNOSTIC - if (pd->pf_mtag == NULL) { - printf("%s: pf_find_mtag returned NULL(1)\n", __func__); - if ((pd->pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - *m0 = NULL; - goto no_mem; - } - } -#endif - if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) - goto drop; - - h = mtod(m, struct ip *); - } else { - /* non-buffering fragment cache (drops or masks overlaps) */ - int nomem = 0; - -#ifdef __FreeBSD__ - if (dir == PF_OUT && pd->pf_mtag->flags & PF_TAG_FRAGCACHE) { -#else - if (dir == PF_OUT && m->m_pkthdr.pf.flags & PF_TAG_FRAGCACHE) { -#endif - /* - * Already passed the fragment cache in the - * input direction. If we continued, it would - * appear to be a dup and would be dropped. - */ - goto fragment_pass; - } - -#ifdef __FreeBSD__ - frag = pf_find_fragment(h, &V_pf_cache_tree); -#else - frag = pf_find_fragment(h, &pf_cache_tree); -#endif - - /* Check if we saw the last fragment already */ - if (frag != NULL && (frag->fr_flags & PFFRAG_SEENLAST) && - max > frag->fr_max) { - if (r->rule_flag & PFRULE_FRAGDROP) - frag->fr_flags |= PFFRAG_DROP; - goto bad; - } - - *m0 = m = pf_fragcache(m0, h, &frag, mff, - (r->rule_flag & PFRULE_FRAGDROP) ? 1 : 0, &nomem); - if (m == NULL) { - if (nomem) - goto no_mem; - goto drop; - } - - /* use mtag from copied and trimmed mbuf chain */ - pd->pf_mtag = pf_find_mtag(m); -#ifdef DIAGNOSTIC - if (pd->pf_mtag == NULL) { - printf("%s: pf_find_mtag returned NULL(2)\n", __func__); - if ((pd->pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - *m0 = NULL; - goto no_mem; - } - } -#endif - if (dir == PF_IN) -#ifdef __FreeBSD__ - pd->pf_mtag->flags |= PF_TAG_FRAGCACHE; -#else - m->m_pkthdr.pf.flags |= PF_TAG_FRAGCACHE; -#endif - - if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) - goto drop; - goto fragment_pass; - } - - no_fragment: - /* At this point, only IP_DF is allowed in ip_off */ - if (h->ip_off & ~htons(IP_DF)) { - u_int16_t ip_off = h->ip_off; - - h->ip_off &= htons(IP_DF); - h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); - } - - /* not missing a return here */ - - fragment_pass: - pf_scrub_ip(&m, r->rule_flag, r->min_ttl, r->set_tos); - - if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) - pd->flags |= PFDESC_IP_REAS; - return (PF_PASS); - - no_mem: - REASON_SET(reason, PFRES_MEMORY); - if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL, pd); - return (PF_DROP); - - drop: - REASON_SET(reason, PFRES_NORM); - if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL, pd); - return (PF_DROP); - - bad: - DPFPRINTF(("dropping bad fragment\n")); - - /* Free associated fragments */ - if (frag != NULL) - pf_free_fragment(frag); - - REASON_SET(reason, PFRES_FRAG); - if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET, dir, *reason, r, NULL, NULL, pd); - - return (PF_DROP); -} -#endif - -#ifdef INET6 -int -pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif, - u_short *reason, struct pf_pdesc *pd) -{ - struct mbuf *m = *m0; - struct pf_rule *r; - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); - int off; - struct ip6_ext ext; - struct ip6_opt opt; - struct ip6_opt_jumbo jumbo; - struct ip6_frag frag; - u_int32_t jumbolen = 0, plen; - u_int16_t fragoff = 0; - int optend; - int ooff; - u_int8_t proto; - int terminal; - - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); - while (r != NULL) { - r->evaluations++; - if (pfi_kif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; - else if (r->direction && r->direction != dir) - r = r->skip[PF_SKIP_DIR].ptr; - else if (r->af && r->af != AF_INET6) - r = r->skip[PF_SKIP_AF].ptr; -#if 0 /* header chain! */ - else if (r->proto && r->proto != h->ip6_nxt) - r = r->skip[PF_SKIP_PROTO].ptr; -#endif - else if (PF_MISMATCHAW(&r->src.addr, - (struct pf_addr *)&h->ip6_src, AF_INET6, - r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, - (struct pf_addr *)&h->ip6_dst, AF_INET6, - r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; - else - break; - } - - if (r == NULL || r->action == PF_NOSCRUB) - return (PF_PASS); - else { - r->packets[dir == PF_OUT]++; - r->bytes[dir == PF_OUT] += pd->tot_len; - } - - /* Check for illegal packets */ - if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) - goto drop; - - off = sizeof(struct ip6_hdr); - proto = h->ip6_nxt; - terminal = 0; - do { - switch (proto) { - case IPPROTO_FRAGMENT: - goto fragment; - break; - case IPPROTO_AH: - case IPPROTO_ROUTING: - case IPPROTO_DSTOPTS: - if (!pf_pull_hdr(m, off, &ext, sizeof(ext), NULL, - NULL, AF_INET6)) - goto shortpkt; - if (proto == IPPROTO_AH) - off += (ext.ip6e_len + 2) * 4; - else - off += (ext.ip6e_len + 1) * 8; - proto = ext.ip6e_nxt; - break; - case IPPROTO_HOPOPTS: - if (!pf_pull_hdr(m, off, &ext, sizeof(ext), NULL, - NULL, AF_INET6)) - goto shortpkt; - optend = off + (ext.ip6e_len + 1) * 8; - ooff = off + sizeof(ext); - do { - if (!pf_pull_hdr(m, ooff, &opt.ip6o_type, - sizeof(opt.ip6o_type), NULL, NULL, - AF_INET6)) - goto shortpkt; - if (opt.ip6o_type == IP6OPT_PAD1) { - ooff++; - continue; - } - if (!pf_pull_hdr(m, ooff, &opt, sizeof(opt), - NULL, NULL, AF_INET6)) - goto shortpkt; - if (ooff + sizeof(opt) + opt.ip6o_len > optend) - goto drop; - switch (opt.ip6o_type) { - case IP6OPT_JUMBO: - if (h->ip6_plen != 0) - goto drop; - if (!pf_pull_hdr(m, ooff, &jumbo, - sizeof(jumbo), NULL, NULL, - AF_INET6)) - goto shortpkt; - memcpy(&jumbolen, jumbo.ip6oj_jumbo_len, - sizeof(jumbolen)); - jumbolen = ntohl(jumbolen); - if (jumbolen <= IPV6_MAXPACKET) - goto drop; - if (sizeof(struct ip6_hdr) + jumbolen != - m->m_pkthdr.len) - goto drop; - break; - default: - break; - } - ooff += sizeof(opt) + opt.ip6o_len; - } while (ooff < optend); - - off = optend; - proto = ext.ip6e_nxt; - break; - default: - terminal = 1; - break; - } - } while (!terminal); - - /* jumbo payload option must be present, or plen > 0 */ - if (ntohs(h->ip6_plen) == 0) - plen = jumbolen; - else - plen = ntohs(h->ip6_plen); - if (plen == 0) - goto drop; - if (sizeof(struct ip6_hdr) + plen > m->m_pkthdr.len) - goto shortpkt; - - pf_scrub_ip6(&m, r->min_ttl); - - return (PF_PASS); - - fragment: - if (ntohs(h->ip6_plen) == 0 || jumbolen) - goto drop; - plen = ntohs(h->ip6_plen); - - if (!pf_pull_hdr(m, off, &frag, sizeof(frag), NULL, NULL, AF_INET6)) - goto shortpkt; - fragoff = ntohs(frag.ip6f_offlg & IP6F_OFF_MASK); - if (fragoff + (plen - off - sizeof(frag)) > IPV6_MAXPACKET) - goto badfrag; - - /* do something about it */ - /* remember to set pd->flags |= PFDESC_IP_REAS */ - return (PF_PASS); - - shortpkt: - REASON_SET(reason, PFRES_SHORT); - if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL, pd); - return (PF_DROP); - - drop: - REASON_SET(reason, PFRES_NORM); - if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL, pd); - return (PF_DROP); - - badfrag: - REASON_SET(reason, PFRES_FRAG); - if (r != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET6, dir, *reason, r, NULL, NULL, pd); - return (PF_DROP); -} -#endif /* INET6 */ - -int -pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff, - int off, void *h, struct pf_pdesc *pd) -{ - struct pf_rule *r, *rm = NULL; - struct tcphdr *th = pd->hdr.tcp; - int rewrite = 0; - u_short reason; - u_int8_t flags; - sa_family_t af = pd->af; - - r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); - while (r != NULL) { - r->evaluations++; - if (pfi_kif_match(r->kif, kif) == r->ifnot) - r = r->skip[PF_SKIP_IFP].ptr; - else if (r->direction && r->direction != dir) - r = r->skip[PF_SKIP_DIR].ptr; - else if (r->af && r->af != af) - r = r->skip[PF_SKIP_AF].ptr; - else if (r->proto && r->proto != pd->proto) - r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, - r->src.neg, kif, M_GETFIB(m))) - r = r->skip[PF_SKIP_SRC_ADDR].ptr; - else if (r->src.port_op && !pf_match_port(r->src.port_op, - r->src.port[0], r->src.port[1], th->th_sport)) - r = r->skip[PF_SKIP_SRC_PORT].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, - r->dst.neg, NULL, M_GETFIB(m))) - r = r->skip[PF_SKIP_DST_ADDR].ptr; - else if (r->dst.port_op && !pf_match_port(r->dst.port_op, - r->dst.port[0], r->dst.port[1], th->th_dport)) - r = r->skip[PF_SKIP_DST_PORT].ptr; - else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( - pf_osfp_fingerprint(pd, m, off, th), - r->os_fingerprint)) - r = TAILQ_NEXT(r, entries); - else { - rm = r; - break; - } - } - - if (rm == NULL || rm->action == PF_NOSCRUB) - return (PF_PASS); - else { - r->packets[dir == PF_OUT]++; - r->bytes[dir == PF_OUT] += pd->tot_len; - } - - if (rm->rule_flag & PFRULE_REASSEMBLE_TCP) - pd->flags |= PFDESC_TCP_NORM; - - flags = th->th_flags; - if (flags & TH_SYN) { - /* Illegal packet */ - if (flags & TH_RST) - goto tcp_drop; - - if (flags & TH_FIN) - flags &= ~TH_FIN; - } else { - /* Illegal packet */ - if (!(flags & (TH_ACK|TH_RST))) - goto tcp_drop; - } - - if (!(flags & TH_ACK)) { - /* These flags are only valid if ACK is set */ - if ((flags & TH_FIN) || (flags & TH_PUSH) || (flags & TH_URG)) - goto tcp_drop; - } - - /* Check for illegal header length */ - if (th->th_off < (sizeof(struct tcphdr) >> 2)) - goto tcp_drop; - - /* If flags changed, or reserved data set, then adjust */ - if (flags != th->th_flags || th->th_x2 != 0) { - u_int16_t ov, nv; - - ov = *(u_int16_t *)(&th->th_ack + 1); - th->th_flags = flags; - th->th_x2 = 0; - nv = *(u_int16_t *)(&th->th_ack + 1); - - th->th_sum = pf_cksum_fixup(th->th_sum, ov, nv, 0); - rewrite = 1; - } - - /* Remove urgent pointer, if TH_URG is not set */ - if (!(flags & TH_URG) && th->th_urp) { - th->th_sum = pf_cksum_fixup(th->th_sum, th->th_urp, 0, 0); - th->th_urp = 0; - rewrite = 1; - } - - /* Process options */ - if (r->max_mss && pf_normalize_tcpopt(r, m, th, off, pd->af)) - rewrite = 1; - - /* copy back packet headers if we sanitized */ - if (rewrite) -#ifdef __FreeBSD__ - m_copyback(m, off, sizeof(*th), (caddr_t)th); -#else - m_copyback(m, off, sizeof(*th), th); -#endif - - return (PF_PASS); - - tcp_drop: - REASON_SET(&reason, PFRES_NORM); - if (rm != NULL && r->log) - PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, NULL, NULL, pd); - return (PF_DROP); -} - -int -pf_normalize_tcp_init(struct mbuf *m, int off, struct pf_pdesc *pd, - struct tcphdr *th, struct pf_state_peer *src, struct pf_state_peer *dst) -{ - u_int32_t tsval, tsecr; - u_int8_t hdr[60]; - u_int8_t *opt; - -#ifdef __FreeBSD__ - KASSERT((src->scrub == NULL), - ("pf_normalize_tcp_init: src->scrub != NULL")); - - src->scrub = pool_get(&V_pf_state_scrub_pl, PR_NOWAIT); -#else - KASSERT(src->scrub == NULL); - - src->scrub = pool_get(&pf_state_scrub_pl, PR_NOWAIT); -#endif - if (src->scrub == NULL) - return (1); - bzero(src->scrub, sizeof(*src->scrub)); - - switch (pd->af) { -#ifdef INET - case AF_INET: { - struct ip *h = mtod(m, struct ip *); - src->scrub->pfss_ttl = h->ip_ttl; - break; - } -#endif /* INET */ -#ifdef INET6 - case AF_INET6: { - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); - src->scrub->pfss_ttl = h->ip6_hlim; - break; - } -#endif /* INET6 */ - } - - - /* - * All normalizations below are only begun if we see the start of - * the connections. They must all set an enabled bit in pfss_flags - */ - if ((th->th_flags & TH_SYN) == 0) - return (0); - - - if (th->th_off > (sizeof(struct tcphdr) >> 2) && src->scrub && - pf_pull_hdr(m, off, hdr, th->th_off << 2, NULL, NULL, pd->af)) { - /* Diddle with TCP options */ - int hlen; - opt = hdr + sizeof(struct tcphdr); - hlen = (th->th_off << 2) - sizeof(struct tcphdr); - while (hlen >= TCPOLEN_TIMESTAMP) { - switch (*opt) { - case TCPOPT_EOL: /* FALLTHROUGH */ - case TCPOPT_NOP: - opt++; - hlen--; - break; - case TCPOPT_TIMESTAMP: - if (opt[1] >= TCPOLEN_TIMESTAMP) { - src->scrub->pfss_flags |= - PFSS_TIMESTAMP; - src->scrub->pfss_ts_mod = - htonl(arc4random()); - - /* note PFSS_PAWS not set yet */ - memcpy(&tsval, &opt[2], - sizeof(u_int32_t)); - memcpy(&tsecr, &opt[6], - sizeof(u_int32_t)); - src->scrub->pfss_tsval0 = ntohl(tsval); - src->scrub->pfss_tsval = ntohl(tsval); - src->scrub->pfss_tsecr = ntohl(tsecr); - getmicrouptime(&src->scrub->pfss_last); - } - /* FALLTHROUGH */ - default: - hlen -= MAX(opt[1], 2); - opt += MAX(opt[1], 2); - break; - } - } - } - - return (0); -} - -void -pf_normalize_tcp_cleanup(struct pf_state *state) -{ -#ifdef __FreeBSD__ - if (state->src.scrub) - pool_put(&V_pf_state_scrub_pl, state->src.scrub); - if (state->dst.scrub) - pool_put(&V_pf_state_scrub_pl, state->dst.scrub); -#else - if (state->src.scrub) - pool_put(&pf_state_scrub_pl, state->src.scrub); - if (state->dst.scrub) - pool_put(&pf_state_scrub_pl, state->dst.scrub); -#endif - - /* Someday... flush the TCP segment reassembly descriptors. */ -} - -int -pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd, - u_short *reason, struct tcphdr *th, struct pf_state *state, - struct pf_state_peer *src, struct pf_state_peer *dst, int *writeback) -{ - struct timeval uptime; - u_int32_t tsval, tsecr; - u_int tsval_from_last; - u_int8_t hdr[60]; - u_int8_t *opt; - int copyback = 0; - int got_ts = 0; - -#ifdef __FreeBSD__ - KASSERT((src->scrub || dst->scrub), - ("pf_normalize_tcp_statefull: src->scrub && dst->scrub!")); -#else - KASSERT(src->scrub || dst->scrub); -#endif - - /* - * Enforce the minimum TTL seen for this connection. Negate a common - * technique to evade an intrusion detection system and confuse - * firewall state code. - */ - switch (pd->af) { -#ifdef INET - case AF_INET: { - if (src->scrub) { - struct ip *h = mtod(m, struct ip *); - if (h->ip_ttl > src->scrub->pfss_ttl) - src->scrub->pfss_ttl = h->ip_ttl; - h->ip_ttl = src->scrub->pfss_ttl; - } - break; - } -#endif /* INET */ -#ifdef INET6 - case AF_INET6: { - if (src->scrub) { - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); - if (h->ip6_hlim > src->scrub->pfss_ttl) - src->scrub->pfss_ttl = h->ip6_hlim; - h->ip6_hlim = src->scrub->pfss_ttl; - } - break; - } -#endif /* INET6 */ - } - - if (th->th_off > (sizeof(struct tcphdr) >> 2) && - ((src->scrub && (src->scrub->pfss_flags & PFSS_TIMESTAMP)) || - (dst->scrub && (dst->scrub->pfss_flags & PFSS_TIMESTAMP))) && - pf_pull_hdr(m, off, hdr, th->th_off << 2, NULL, NULL, pd->af)) { - /* Diddle with TCP options */ - int hlen; - opt = hdr + sizeof(struct tcphdr); - hlen = (th->th_off << 2) - sizeof(struct tcphdr); - while (hlen >= TCPOLEN_TIMESTAMP) { - switch (*opt) { - case TCPOPT_EOL: /* FALLTHROUGH */ - case TCPOPT_NOP: - opt++; - hlen--; - break; - case TCPOPT_TIMESTAMP: - /* Modulate the timestamps. Can be used for - * NAT detection, OS uptime determination or - * reboot detection. - */ - - if (got_ts) { - /* Huh? Multiple timestamps!? */ -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - DPFPRINTF(("multiple TS??")); - pf_print_state(state); - printf("\n"); - } - REASON_SET(reason, PFRES_TS); - return (PF_DROP); - } - if (opt[1] >= TCPOLEN_TIMESTAMP) { - memcpy(&tsval, &opt[2], - sizeof(u_int32_t)); - if (tsval && src->scrub && - (src->scrub->pfss_flags & - PFSS_TIMESTAMP)) { - tsval = ntohl(tsval); - pf_change_a(&opt[2], - &th->th_sum, - htonl(tsval + - src->scrub->pfss_ts_mod), - 0); - copyback = 1; - } - - /* Modulate TS reply iff valid (!0) */ - memcpy(&tsecr, &opt[6], - sizeof(u_int32_t)); - if (tsecr && dst->scrub && - (dst->scrub->pfss_flags & - PFSS_TIMESTAMP)) { - tsecr = ntohl(tsecr) - - dst->scrub->pfss_ts_mod; - pf_change_a(&opt[6], - &th->th_sum, htonl(tsecr), - 0); - copyback = 1; - } - got_ts = 1; - } - /* FALLTHROUGH */ - default: - hlen -= MAX(opt[1], 2); - opt += MAX(opt[1], 2); - break; - } - } - if (copyback) { - /* Copyback the options, caller copys back header */ - *writeback = 1; - m_copyback(m, off + sizeof(struct tcphdr), - (th->th_off << 2) - sizeof(struct tcphdr), hdr + - sizeof(struct tcphdr)); - } - } - - - /* - * Must invalidate PAWS checks on connections idle for too long. - * The fastest allowed timestamp clock is 1ms. That turns out to - * be about 24 days before it wraps. XXX Right now our lowerbound - * TS echo check only works for the first 12 days of a connection - * when the TS has exhausted half its 32bit space - */ -#define TS_MAX_IDLE (24*24*60*60) -#define TS_MAX_CONN (12*24*60*60) /* XXX remove when better tsecr check */ - - getmicrouptime(&uptime); - if (src->scrub && (src->scrub->pfss_flags & PFSS_PAWS) && - (uptime.tv_sec - src->scrub->pfss_last.tv_sec > TS_MAX_IDLE || - time_second - state->creation > TS_MAX_CONN)) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - DPFPRINTF(("src idled out of PAWS\n")); - pf_print_state(state); - printf("\n"); - } - src->scrub->pfss_flags = (src->scrub->pfss_flags & ~PFSS_PAWS) - | PFSS_PAWS_IDLED; - } - if (dst->scrub && (dst->scrub->pfss_flags & PFSS_PAWS) && - uptime.tv_sec - dst->scrub->pfss_last.tv_sec > TS_MAX_IDLE) { -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - DPFPRINTF(("dst idled out of PAWS\n")); - pf_print_state(state); - printf("\n"); - } - dst->scrub->pfss_flags = (dst->scrub->pfss_flags & ~PFSS_PAWS) - | PFSS_PAWS_IDLED; - } - - if (got_ts && src->scrub && dst->scrub && - (src->scrub->pfss_flags & PFSS_PAWS) && - (dst->scrub->pfss_flags & PFSS_PAWS)) { - /* Validate that the timestamps are "in-window". - * RFC1323 describes TCP Timestamp options that allow - * measurement of RTT (round trip time) and PAWS - * (protection against wrapped sequence numbers). PAWS - * gives us a set of rules for rejecting packets on - * long fat pipes (packets that were somehow delayed - * in transit longer than the time it took to send the - * full TCP sequence space of 4Gb). We can use these - * rules and infer a few others that will let us treat - * the 32bit timestamp and the 32bit echoed timestamp - * as sequence numbers to prevent a blind attacker from - * inserting packets into a connection. - * - * RFC1323 tells us: - * - The timestamp on this packet must be greater than - * or equal to the last value echoed by the other - * endpoint. The RFC says those will be discarded - * since it is a dup that has already been acked. - * This gives us a lowerbound on the timestamp. - * timestamp >= other last echoed timestamp - * - The timestamp will be less than or equal to - * the last timestamp plus the time between the - * last packet and now. The RFC defines the max - * clock rate as 1ms. We will allow clocks to be - * up to 10% fast and will allow a total difference - * or 30 seconds due to a route change. And this - * gives us an upperbound on the timestamp. - * timestamp <= last timestamp + max ticks - * We have to be careful here. Windows will send an - * initial timestamp of zero and then initialize it - * to a random value after the 3whs; presumably to - * avoid a DoS by having to call an expensive RNG - * during a SYN flood. Proof MS has at least one - * good security geek. - * - * - The TCP timestamp option must also echo the other - * endpoints timestamp. The timestamp echoed is the - * one carried on the earliest unacknowledged segment - * on the left edge of the sequence window. The RFC - * states that the host will reject any echoed - * timestamps that were larger than any ever sent. - * This gives us an upperbound on the TS echo. - * tescr <= largest_tsval - * - The lowerbound on the TS echo is a little more - * tricky to determine. The other endpoint's echoed - * values will not decrease. But there may be - * network conditions that re-order packets and - * cause our view of them to decrease. For now the - * only lowerbound we can safely determine is that - * the TS echo will never be less than the original - * TS. XXX There is probably a better lowerbound. - * Remove TS_MAX_CONN with better lowerbound check. - * tescr >= other original TS - * - * It is also important to note that the fastest - * timestamp clock of 1ms will wrap its 32bit space in - * 24 days. So we just disable TS checking after 24 - * days of idle time. We actually must use a 12d - * connection limit until we can come up with a better - * lowerbound to the TS echo check. - */ - struct timeval delta_ts; - int ts_fudge; - - - /* - * PFTM_TS_DIFF is how many seconds of leeway to allow - * a host's timestamp. This can happen if the previous - * packet got delayed in transit for much longer than - * this packet. - */ - if ((ts_fudge = state->rule.ptr->timeout[PFTM_TS_DIFF]) == 0) -#ifdef __FreeBSD__ - ts_fudge = V_pf_default_rule.timeout[PFTM_TS_DIFF]; -#else - ts_fudge = pf_default_rule.timeout[PFTM_TS_DIFF]; -#endif - - - /* Calculate max ticks since the last timestamp */ -#define TS_MAXFREQ 1100 /* RFC max TS freq of 1Khz + 10% skew */ -#define TS_MICROSECS 1000000 /* microseconds per second */ -#ifdef __FreeBSD__ -#ifndef timersub -#define timersub(tvp, uvp, vvp) \ - do { \ - (vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \ - (vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec; \ - if ((vvp)->tv_usec < 0) { \ - (vvp)->tv_sec--; \ - (vvp)->tv_usec += 1000000; \ - } \ - } while (0) -#endif -#endif - timersub(&uptime, &src->scrub->pfss_last, &delta_ts); - tsval_from_last = (delta_ts.tv_sec + ts_fudge) * TS_MAXFREQ; - tsval_from_last += delta_ts.tv_usec / (TS_MICROSECS/TS_MAXFREQ); - - - if ((src->state >= TCPS_ESTABLISHED && - dst->state >= TCPS_ESTABLISHED) && - (SEQ_LT(tsval, dst->scrub->pfss_tsecr) || - SEQ_GT(tsval, src->scrub->pfss_tsval + tsval_from_last) || - (tsecr && (SEQ_GT(tsecr, dst->scrub->pfss_tsval) || - SEQ_LT(tsecr, dst->scrub->pfss_tsval0))))) { - /* Bad RFC1323 implementation or an insertion attack. - * - * - Solaris 2.6 and 2.7 are known to send another ACK - * after the FIN,FIN|ACK,ACK closing that carries - * an old timestamp. - */ - - DPFPRINTF(("Timestamp failed %c%c%c%c\n", - SEQ_LT(tsval, dst->scrub->pfss_tsecr) ? '0' : ' ', - SEQ_GT(tsval, src->scrub->pfss_tsval + - tsval_from_last) ? '1' : ' ', - SEQ_GT(tsecr, dst->scrub->pfss_tsval) ? '2' : ' ', - SEQ_LT(tsecr, dst->scrub->pfss_tsval0)? '3' : ' ')); -#ifdef __FreeBSD__ - DPFPRINTF((" tsval: %u tsecr: %u +ticks: %u " - "idle: %jus %lums\n", - tsval, tsecr, tsval_from_last, - (uintmax_t)delta_ts.tv_sec, - delta_ts.tv_usec / 1000)); - DPFPRINTF((" src->tsval: %u tsecr: %u\n", - src->scrub->pfss_tsval, src->scrub->pfss_tsecr)); - DPFPRINTF((" dst->tsval: %u tsecr: %u tsval0: %u" - "\n", dst->scrub->pfss_tsval, - dst->scrub->pfss_tsecr, dst->scrub->pfss_tsval0)); -#else - DPFPRINTF((" tsval: %lu tsecr: %lu +ticks: %lu " - "idle: %lus %lums\n", - tsval, tsecr, tsval_from_last, delta_ts.tv_sec, - delta_ts.tv_usec / 1000)); - DPFPRINTF((" src->tsval: %lu tsecr: %lu\n", - src->scrub->pfss_tsval, src->scrub->pfss_tsecr)); - DPFPRINTF((" dst->tsval: %lu tsecr: %lu tsval0: %lu" - "\n", dst->scrub->pfss_tsval, - dst->scrub->pfss_tsecr, dst->scrub->pfss_tsval0)); -#endif -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - pf_print_state(state); - pf_print_flags(th->th_flags); - printf("\n"); - } - REASON_SET(reason, PFRES_TS); - return (PF_DROP); - } - - /* XXX I'd really like to require tsecr but it's optional */ - - } else if (!got_ts && (th->th_flags & TH_RST) == 0 && - ((src->state == TCPS_ESTABLISHED && dst->state == TCPS_ESTABLISHED) - || pd->p_len > 0 || (th->th_flags & TH_SYN)) && - src->scrub && dst->scrub && - (src->scrub->pfss_flags & PFSS_PAWS) && - (dst->scrub->pfss_flags & PFSS_PAWS)) { - /* Didn't send a timestamp. Timestamps aren't really useful - * when: - * - connection opening or closing (often not even sent). - * but we must not let an attacker to put a FIN on a - * data packet to sneak it through our ESTABLISHED check. - * - on a TCP reset. RFC suggests not even looking at TS. - * - on an empty ACK. The TS will not be echoed so it will - * probably not help keep the RTT calculation in sync and - * there isn't as much danger when the sequence numbers - * got wrapped. So some stacks don't include TS on empty - * ACKs :-( - * - * To minimize the disruption to mostly RFC1323 conformant - * stacks, we will only require timestamps on data packets. - * - * And what do ya know, we cannot require timestamps on data - * packets. There appear to be devices that do legitimate - * TCP connection hijacking. There are HTTP devices that allow - * a 3whs (with timestamps) and then buffer the HTTP request. - * If the intermediate device has the HTTP response cache, it - * will spoof the response but not bother timestamping its - * packets. So we can look for the presence of a timestamp in - * the first data packet and if there, require it in all future - * packets. - */ - - if (pd->p_len > 0 && (src->scrub->pfss_flags & PFSS_DATA_TS)) { - /* - * Hey! Someone tried to sneak a packet in. Or the - * stack changed its RFC1323 behavior?!?! - */ -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC) { -#else - if (pf_status.debug >= PF_DEBUG_MISC) { -#endif - DPFPRINTF(("Did not receive expected RFC1323 " - "timestamp\n")); - pf_print_state(state); - pf_print_flags(th->th_flags); - printf("\n"); - } - REASON_SET(reason, PFRES_TS); - return (PF_DROP); - } - } - - - /* - * We will note if a host sends his data packets with or without - * timestamps. And require all data packets to contain a timestamp - * if the first does. PAWS implicitly requires that all data packets be - * timestamped. But I think there are middle-man devices that hijack - * TCP streams immediately after the 3whs and don't timestamp their - * packets (seen in a WWW accelerator or cache). - */ - if (pd->p_len > 0 && src->scrub && (src->scrub->pfss_flags & - (PFSS_TIMESTAMP|PFSS_DATA_TS|PFSS_DATA_NOTS)) == PFSS_TIMESTAMP) { - if (got_ts) - src->scrub->pfss_flags |= PFSS_DATA_TS; - else { - src->scrub->pfss_flags |= PFSS_DATA_NOTS; -#ifdef __FreeBSD__ - if (V_pf_status.debug >= PF_DEBUG_MISC && dst->scrub && -#else - if (pf_status.debug >= PF_DEBUG_MISC && dst->scrub && -#endif - (dst->scrub->pfss_flags & PFSS_TIMESTAMP)) { - /* Don't warn if other host rejected RFC1323 */ - DPFPRINTF(("Broken RFC1323 stack did not " - "timestamp data packet. Disabled PAWS " - "security.\n")); - pf_print_state(state); - pf_print_flags(th->th_flags); - printf("\n"); - } - } - } - - - /* - * Update PAWS values - */ - if (got_ts && src->scrub && PFSS_TIMESTAMP == (src->scrub->pfss_flags & - (PFSS_PAWS_IDLED|PFSS_TIMESTAMP))) { - getmicrouptime(&src->scrub->pfss_last); - if (SEQ_GEQ(tsval, src->scrub->pfss_tsval) || - (src->scrub->pfss_flags & PFSS_PAWS) == 0) - src->scrub->pfss_tsval = tsval; - - if (tsecr) { - if (SEQ_GEQ(tsecr, src->scrub->pfss_tsecr) || - (src->scrub->pfss_flags & PFSS_PAWS) == 0) - src->scrub->pfss_tsecr = tsecr; - - if ((src->scrub->pfss_flags & PFSS_PAWS) == 0 && - (SEQ_LT(tsval, src->scrub->pfss_tsval0) || - src->scrub->pfss_tsval0 == 0)) { - /* tsval0 MUST be the lowest timestamp */ - src->scrub->pfss_tsval0 = tsval; - } - - /* Only fully initialized after a TS gets echoed */ - if ((src->scrub->pfss_flags & PFSS_PAWS) == 0) - src->scrub->pfss_flags |= PFSS_PAWS; - } - } - - /* I have a dream.... TCP segment reassembly.... */ - return (0); -} - -int -pf_normalize_tcpopt(struct pf_rule *r, struct mbuf *m, struct tcphdr *th, - int off, sa_family_t af) -{ - u_int16_t *mss; - int thoff; - int opt, cnt, optlen = 0; - int rewrite = 0; -#ifdef __FreeBSD__ - u_char opts[TCP_MAXOLEN]; -#else - u_char opts[MAX_TCPOPTLEN]; -#endif - u_char *optp = opts; - - thoff = th->th_off << 2; - cnt = thoff - sizeof(struct tcphdr); - - if (cnt > 0 && !pf_pull_hdr(m, off + sizeof(*th), opts, cnt, - NULL, NULL, af)) - return (rewrite); - - for (; cnt > 0; cnt -= optlen, optp += optlen) { - opt = optp[0]; - if (opt == TCPOPT_EOL) - break; - if (opt == TCPOPT_NOP) - optlen = 1; - else { - if (cnt < 2) - break; - optlen = optp[1]; - if (optlen < 2 || optlen > cnt) - break; - } - switch (opt) { - case TCPOPT_MAXSEG: - mss = (u_int16_t *)(optp + 2); - if ((ntohs(*mss)) > r->max_mss) { - th->th_sum = pf_cksum_fixup(th->th_sum, - *mss, htons(r->max_mss), 0); - *mss = htons(r->max_mss); - rewrite = 1; - } - break; - default: - break; - } - } - - if (rewrite) - m_copyback(m, off + sizeof(*th), thoff - sizeof(*th), opts); - - return (rewrite); -} - -void -pf_scrub_ip(struct mbuf **m0, u_int32_t flags, u_int8_t min_ttl, u_int8_t tos) -{ - struct mbuf *m = *m0; - struct ip *h = mtod(m, struct ip *); - - /* Clear IP_DF if no-df was requested */ - if (flags & PFRULE_NODF && h->ip_off & htons(IP_DF)) { - u_int16_t ip_off = h->ip_off; - - h->ip_off &= htons(~IP_DF); - h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_off, h->ip_off, 0); - } - - /* Enforce a minimum ttl, may cause endless packet loops */ - if (min_ttl && h->ip_ttl < min_ttl) { - u_int16_t ip_ttl = h->ip_ttl; - - h->ip_ttl = min_ttl; - h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_ttl, h->ip_ttl, 0); - } - - /* Enforce tos */ - if (flags & PFRULE_SET_TOS) { - u_int16_t ov, nv; - - ov = *(u_int16_t *)h; - h->ip_tos = tos; - nv = *(u_int16_t *)h; - - h->ip_sum = pf_cksum_fixup(h->ip_sum, ov, nv, 0); - } - - /* random-id, but not for fragments */ - if (flags & PFRULE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) { - u_int16_t ip_id = h->ip_id; - - h->ip_id = ip_randomid(); - h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_id, h->ip_id, 0); - } -} - -#ifdef INET6 -void -pf_scrub_ip6(struct mbuf **m0, u_int8_t min_ttl) -{ - struct mbuf *m = *m0; - struct ip6_hdr *h = mtod(m, struct ip6_hdr *); - - /* Enforce a minimum ttl, may cause endless packet loops */ - if (min_ttl && h->ip6_hlim < min_ttl) - h->ip6_hlim = min_ttl; -} -#endif diff --git a/sys/contrib/pf/net/pf_osfp.c b/sys/contrib/pf/net/pf_osfp.c deleted file mode 100644 index dcd8af7..0000000 --- a/sys/contrib/pf/net/pf_osfp.c +++ /dev/null @@ -1,698 +0,0 @@ -/* $OpenBSD: pf_osfp.c,v 1.14 2008/06/12 18:17:01 henning Exp $ */ - -/* - * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - */ - -#ifdef __FreeBSD__ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); -#endif - -#include <sys/param.h> -#include <sys/socket.h> -#ifdef _KERNEL -#include <sys/systm.h> -#ifndef __FreeBSD__ -#include <sys/pool.h> -#endif -#endif /* _KERNEL */ -#include <sys/mbuf.h> - -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/tcp.h> - -#include <net/if.h> -#include <net/pfvar.h> - -#include <netinet/ip6.h> -#ifdef _KERNEL -#include <netinet6/in6_var.h> -#endif - - -#ifdef _KERNEL -#ifdef __FreeBSD__ -#define DPFPRINTF(format, x...) \ - if (V_pf_status.debug >= PF_DEBUG_NOISY) \ - printf(format , ##x) -#else -#define DPFPRINTF(format, x...) \ - if (pf_status.debug >= PF_DEBUG_NOISY) \ - printf(format , ##x) -#endif -#ifdef __FreeBSD__ -typedef uma_zone_t pool_t; -#else -typedef struct pool pool_t; -#endif - -#else -/* Userland equivalents so we can lend code to tcpdump et al. */ - -#include <arpa/inet.h> -#include <errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <netdb.h> -#define pool_t int -#define pool_get(pool, flags) malloc(*(pool)) -#define pool_put(pool, item) free(item) -#define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size) - -#ifdef __FreeBSD__ -#define NTOHS(x) (x) = ntohs((u_int16_t)(x)) -#endif - -#ifdef PFDEBUG -#include <sys/stdarg.h> -#define DPFPRINTF(format, x...) fprintf(stderr, format , ##x) -#else -#define DPFPRINTF(format, x...) ((void)0) -#endif /* PFDEBUG */ -#endif /* _KERNEL */ - - -#ifdef __FreeBSD__ -SLIST_HEAD(pf_osfp_list, pf_os_fingerprint); -VNET_DEFINE(struct pf_osfp_list, pf_osfp_list); -#define V_pf_osfp_list VNET(pf_osfp_list) -VNET_DEFINE(pool_t, pf_osfp_entry_pl); -#define pf_osfp_entry_pl VNET(pf_osfp_entry_pl) -VNET_DEFINE(pool_t, pf_osfp_pl); -#define pf_osfp_pl VNET(pf_osfp_pl) -#else -SLIST_HEAD(pf_osfp_list, pf_os_fingerprint) pf_osfp_list; -pool_t pf_osfp_entry_pl; -pool_t pf_osfp_pl; -#endif - -struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *, - struct pf_os_fingerprint *, u_int8_t); -struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *, - struct pf_os_fingerprint *); -void pf_osfp_insert(struct pf_osfp_list *, - struct pf_os_fingerprint *); - - -#ifdef _KERNEL -/* - * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only) - * Returns the list of possible OSes. - */ -struct pf_osfp_enlist * -pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off, - const struct tcphdr *tcp) -{ - struct ip *ip; - struct ip6_hdr *ip6; - char hdr[60]; - - if ((pd->af != PF_INET && pd->af != PF_INET6) || - pd->proto != IPPROTO_TCP || (tcp->th_off << 2) < sizeof(*tcp)) - return (NULL); - - if (pd->af == PF_INET) { - ip = mtod(m, struct ip *); - ip6 = (struct ip6_hdr *)NULL; - } else { - ip = (struct ip *)NULL; - ip6 = mtod(m, struct ip6_hdr *); - } - if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL, - pd->af)) return (NULL); - - return (pf_osfp_fingerprint_hdr(ip, ip6, (struct tcphdr *)hdr)); -} -#endif /* _KERNEL */ - -struct pf_osfp_enlist * -pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const struct tcphdr *tcp) -{ - struct pf_os_fingerprint fp, *fpresult; - int cnt, optlen = 0; - const u_int8_t *optp; -#ifdef _KERNEL - char srcname[128]; -#else - char srcname[NI_MAXHOST]; -#endif - - if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN) - return (NULL); - if (ip) { - if ((ip->ip_off & htons(IP_OFFMASK)) != 0) - return (NULL); - } - - memset(&fp, 0, sizeof(fp)); - - if (ip) { -#ifndef _KERNEL - struct sockaddr_in sin; -#endif - - fp.fp_psize = ntohs(ip->ip_len); - fp.fp_ttl = ip->ip_ttl; - if (ip->ip_off & htons(IP_DF)) - fp.fp_flags |= PF_OSFP_DF; -#ifdef _KERNEL - strlcpy(srcname, inet_ntoa(ip->ip_src), sizeof(srcname)); -#else - memset(&sin, 0, sizeof(sin)); - sin.sin_family = AF_INET; - sin.sin_len = sizeof(struct sockaddr_in); - sin.sin_addr = ip->ip_src; - (void)getnameinfo((struct sockaddr *)&sin, - sizeof(struct sockaddr_in), srcname, sizeof(srcname), - NULL, 0, NI_NUMERICHOST); -#endif - } -#ifdef INET6 - else if (ip6) { -#ifndef _KERNEL - struct sockaddr_in6 sin6; -#endif - - /* jumbo payload? */ - fp.fp_psize = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen); - fp.fp_ttl = ip6->ip6_hlim; - fp.fp_flags |= PF_OSFP_DF; - fp.fp_flags |= PF_OSFP_INET6; -#ifdef _KERNEL - strlcpy(srcname, ip6_sprintf((struct in6_addr *)&ip6->ip6_src), - sizeof(srcname)); -#else - memset(&sin6, 0, sizeof(sin6)); - sin6.sin6_family = AF_INET6; - sin6.sin6_len = sizeof(struct sockaddr_in6); - sin6.sin6_addr = ip6->ip6_src; - (void)getnameinfo((struct sockaddr *)&sin6, - sizeof(struct sockaddr_in6), srcname, sizeof(srcname), - NULL, 0, NI_NUMERICHOST); -#endif - } -#endif - else - return (NULL); - fp.fp_wsize = ntohs(tcp->th_win); - - - cnt = (tcp->th_off << 2) - sizeof(*tcp); - optp = (const u_int8_t *)((const char *)tcp + sizeof(*tcp)); - for (; cnt > 0; cnt -= optlen, optp += optlen) { - if (*optp == TCPOPT_EOL) - break; - - fp.fp_optcnt++; - if (*optp == TCPOPT_NOP) { - fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) | - PF_OSFP_TCPOPT_NOP; - optlen = 1; - } else { - if (cnt < 2) - return (NULL); - optlen = optp[1]; - if (optlen > cnt || optlen < 2) - return (NULL); - switch (*optp) { - case TCPOPT_MAXSEG: - if (optlen >= TCPOLEN_MAXSEG) - memcpy(&fp.fp_mss, &optp[2], - sizeof(fp.fp_mss)); - fp.fp_tcpopts = (fp.fp_tcpopts << - PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS; - NTOHS(fp.fp_mss); - break; - case TCPOPT_WINDOW: - if (optlen >= TCPOLEN_WINDOW) - memcpy(&fp.fp_wscale, &optp[2], - sizeof(fp.fp_wscale)); - NTOHS(fp.fp_wscale); - fp.fp_tcpopts = (fp.fp_tcpopts << - PF_OSFP_TCPOPT_BITS) | - PF_OSFP_TCPOPT_WSCALE; - break; - case TCPOPT_SACK_PERMITTED: - fp.fp_tcpopts = (fp.fp_tcpopts << - PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK; - break; - case TCPOPT_TIMESTAMP: - if (optlen >= TCPOLEN_TIMESTAMP) { - u_int32_t ts; - memcpy(&ts, &optp[2], sizeof(ts)); - if (ts == 0) - fp.fp_flags |= PF_OSFP_TS0; - - } - fp.fp_tcpopts = (fp.fp_tcpopts << - PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS; - break; - default: - return (NULL); - } - } - optlen = MAX(optlen, 1); /* paranoia */ - } - - DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) " - "(TS=%s,M=%s%d,W=%s%d)\n", - srcname, ntohs(tcp->th_sport), - fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0, - fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt, - (fp.fp_flags & PF_OSFP_TS0) ? "0" : "", - (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" : - (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "", - fp.fp_mss, - (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" : - (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "", - fp.fp_wscale); - -#ifdef __FreeBSD__ - if ((fpresult = pf_osfp_find(&V_pf_osfp_list, &fp, -#else - if ((fpresult = pf_osfp_find(&pf_osfp_list, &fp, -#endif - PF_OSFP_MAXTTL_OFFSET))) - return (&fpresult->fp_oses); - return (NULL); -} - -/* Match a fingerprint ID against a list of OSes */ -int -pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os) -{ - struct pf_osfp_entry *entry; - int os_class, os_version, os_subtype; - int en_class, en_version, en_subtype; - - if (os == PF_OSFP_ANY) - return (1); - if (list == NULL) { - DPFPRINTF("osfp no match against %x\n", os); - return (os == PF_OSFP_UNKNOWN); - } - PF_OSFP_UNPACK(os, os_class, os_version, os_subtype); - SLIST_FOREACH(entry, list, fp_entry) { - PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype); - if ((os_class == PF_OSFP_ANY || en_class == os_class) && - (os_version == PF_OSFP_ANY || en_version == os_version) && - (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) { - DPFPRINTF("osfp matched %s %s %s %x==%x\n", - entry->fp_class_nm, entry->fp_version_nm, - entry->fp_subtype_nm, os, entry->fp_os); - return (1); - } - } - DPFPRINTF("fingerprint 0x%x didn't match\n", os); - return (0); -} - -/* Initialize the OS fingerprint system */ -#ifdef __FreeBSD__ -int -#else -void -#endif -pf_osfp_initialize(void) -{ -#if defined(__FreeBSD__) && defined(_KERNEL) - int error = ENOMEM; - - do { - pf_osfp_entry_pl = pf_osfp_pl = NULL; - UMA_CREATE(pf_osfp_entry_pl, struct pf_osfp_entry, "pfospfen"); - UMA_CREATE(pf_osfp_pl, struct pf_os_fingerprint, "pfosfp"); - error = 0; - } while(0); - - SLIST_INIT(&V_pf_osfp_list); -#else - pool_init(&pf_osfp_entry_pl, sizeof(struct pf_osfp_entry), 0, 0, 0, - "pfosfpen", &pool_allocator_nointr); - pool_init(&pf_osfp_pl, sizeof(struct pf_os_fingerprint), 0, 0, 0, - "pfosfp", &pool_allocator_nointr); - SLIST_INIT(&pf_osfp_list); -#endif - -#ifdef __FreeBSD__ -#ifdef _KERNEL - return (error); -#else - return (0); -#endif -#endif -} - -#if defined(__FreeBSD__) && (_KERNEL) -void -pf_osfp_cleanup(void) -{ - - UMA_DESTROY(pf_osfp_entry_pl); - UMA_DESTROY(pf_osfp_pl); -} -#endif - -/* Flush the fingerprint list */ -void -pf_osfp_flush(void) -{ - struct pf_os_fingerprint *fp; - struct pf_osfp_entry *entry; - -#ifdef __FreeBSD__ - while ((fp = SLIST_FIRST(&V_pf_osfp_list))) { - SLIST_REMOVE_HEAD(&V_pf_osfp_list, fp_next); -#else - while ((fp = SLIST_FIRST(&pf_osfp_list))) { - SLIST_REMOVE_HEAD(&pf_osfp_list, fp_next); -#endif - while ((entry = SLIST_FIRST(&fp->fp_oses))) { - SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry); - pool_put(&pf_osfp_entry_pl, entry); - } - pool_put(&pf_osfp_pl, fp); - } -} - - -/* Add a fingerprint */ -int -pf_osfp_add(struct pf_osfp_ioctl *fpioc) -{ - struct pf_os_fingerprint *fp, fpadd; - struct pf_osfp_entry *entry; - - memset(&fpadd, 0, sizeof(fpadd)); - fpadd.fp_tcpopts = fpioc->fp_tcpopts; - fpadd.fp_wsize = fpioc->fp_wsize; - fpadd.fp_psize = fpioc->fp_psize; - fpadd.fp_mss = fpioc->fp_mss; - fpadd.fp_flags = fpioc->fp_flags; - fpadd.fp_optcnt = fpioc->fp_optcnt; - fpadd.fp_wscale = fpioc->fp_wscale; - fpadd.fp_ttl = fpioc->fp_ttl; - -#if 0 /* XXX RYAN wants to fix logging */ - DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d " - "(TS=%s,M=%s%d,W=%s%d) %x\n", - fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm, - fpioc->fp_os.fp_subtype_nm, - (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" : - (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" : - (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" : - (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "", - fpadd.fp_wsize, - fpadd.fp_ttl, - (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0, - (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" : - (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "", - fpadd.fp_psize, - (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt, - (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "", - (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" : - (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "", - fpadd.fp_mss, - (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" : - (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "", - fpadd.fp_wscale, - fpioc->fp_os.fp_os); -#endif - -#ifdef __FreeBSD__ - if ((fp = pf_osfp_find_exact(&V_pf_osfp_list, &fpadd))) { -#else - if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) { -#endif - SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) { - if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os)) - return (EEXIST); - } - if ((entry = pool_get(&pf_osfp_entry_pl, -#ifdef __FreeBSD__ - PR_NOWAIT)) == NULL) -#else - PR_WAITOK|PR_LIMITFAIL)) == NULL) -#endif - return (ENOMEM); - } else { - if ((fp = pool_get(&pf_osfp_pl, -#ifdef __FreeBSD__ - PR_NOWAIT)) == NULL) -#else - PR_WAITOK|PR_LIMITFAIL)) == NULL) -#endif - return (ENOMEM); - memset(fp, 0, sizeof(*fp)); - fp->fp_tcpopts = fpioc->fp_tcpopts; - fp->fp_wsize = fpioc->fp_wsize; - fp->fp_psize = fpioc->fp_psize; - fp->fp_mss = fpioc->fp_mss; - fp->fp_flags = fpioc->fp_flags; - fp->fp_optcnt = fpioc->fp_optcnt; - fp->fp_wscale = fpioc->fp_wscale; - fp->fp_ttl = fpioc->fp_ttl; - SLIST_INIT(&fp->fp_oses); - if ((entry = pool_get(&pf_osfp_entry_pl, -#ifdef __FreeBSD__ - PR_NOWAIT)) == NULL) { -#else - PR_WAITOK|PR_LIMITFAIL)) == NULL) { -#endif - pool_put(&pf_osfp_pl, fp); - return (ENOMEM); - } -#ifdef __FreeBSD__ - pf_osfp_insert(&V_pf_osfp_list, fp); -#else - pf_osfp_insert(&pf_osfp_list, fp); -#endif - } - memcpy(entry, &fpioc->fp_os, sizeof(*entry)); - - /* Make sure the strings are NUL terminated */ - entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0'; - entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0'; - entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0'; - - SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry); - -#ifdef PFDEBUG - if ((fp = pf_osfp_validate())) - printf("Invalid fingerprint list\n"); -#endif /* PFDEBUG */ - return (0); -} - - -/* Find a fingerprint in the list */ -struct pf_os_fingerprint * -pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find, - u_int8_t ttldiff) -{ - struct pf_os_fingerprint *f; - -#define MATCH_INT(_MOD, _DC, _field) \ - if ((f->fp_flags & _DC) == 0) { \ - if ((f->fp_flags & _MOD) == 0) { \ - if (f->_field != find->_field) \ - continue; \ - } else { \ - if (f->_field == 0 || find->_field % f->_field) \ - continue; \ - } \ - } - - SLIST_FOREACH(f, list, fp_next) { - if (f->fp_tcpopts != find->fp_tcpopts || - f->fp_optcnt != find->fp_optcnt || - f->fp_ttl < find->fp_ttl || - f->fp_ttl - find->fp_ttl > ttldiff || - (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) != - (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0))) - continue; - - MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize) - MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss) - MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale) - if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) { - if (f->fp_flags & PF_OSFP_WSIZE_MSS) { - if (find->fp_mss == 0) - continue; - -/* - * Some "smart" NAT devices and DSL routers will tweak the MSS size and - * will set it to whatever is suitable for the link type. - */ -#define SMART_MSS 1460 - if ((find->fp_wsize % find->fp_mss || - find->fp_wsize / find->fp_mss != - f->fp_wsize) && - (find->fp_wsize % SMART_MSS || - find->fp_wsize / SMART_MSS != - f->fp_wsize)) - continue; - } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) { - if (find->fp_mss == 0) - continue; - -#define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr)) -#define SMART_MTU (SMART_MSS + MTUOFF) - if ((find->fp_wsize % (find->fp_mss + MTUOFF) || - find->fp_wsize / (find->fp_mss + MTUOFF) != - f->fp_wsize) && - (find->fp_wsize % SMART_MTU || - find->fp_wsize / SMART_MTU != - f->fp_wsize)) - continue; - } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) { - if (f->fp_wsize == 0 || find->fp_wsize % - f->fp_wsize) - continue; - } else { - if (f->fp_wsize != find->fp_wsize) - continue; - } - } - return (f); - } - - return (NULL); -} - -/* Find an exact fingerprint in the list */ -struct pf_os_fingerprint * -pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find) -{ - struct pf_os_fingerprint *f; - - SLIST_FOREACH(f, list, fp_next) { - if (f->fp_tcpopts == find->fp_tcpopts && - f->fp_wsize == find->fp_wsize && - f->fp_psize == find->fp_psize && - f->fp_mss == find->fp_mss && - f->fp_flags == find->fp_flags && - f->fp_optcnt == find->fp_optcnt && - f->fp_wscale == find->fp_wscale && - f->fp_ttl == find->fp_ttl) - return (f); - } - - return (NULL); -} - -/* Insert a fingerprint into the list */ -void -pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins) -{ - struct pf_os_fingerprint *f, *prev = NULL; - - /* XXX need to go semi tree based. can key on tcp options */ - - SLIST_FOREACH(f, list, fp_next) - prev = f; - if (prev) - SLIST_INSERT_AFTER(prev, ins, fp_next); - else - SLIST_INSERT_HEAD(list, ins, fp_next); -} - -/* Fill a fingerprint by its number (from an ioctl) */ -int -pf_osfp_get(struct pf_osfp_ioctl *fpioc) -{ - struct pf_os_fingerprint *fp; - struct pf_osfp_entry *entry; - int num = fpioc->fp_getnum; - int i = 0; - - - memset(fpioc, 0, sizeof(*fpioc)); -#ifdef __FreeBSD__ - SLIST_FOREACH(fp, &V_pf_osfp_list, fp_next) { -#else - SLIST_FOREACH(fp, &pf_osfp_list, fp_next) { -#endif - SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) { - if (i++ == num) { - fpioc->fp_mss = fp->fp_mss; - fpioc->fp_wsize = fp->fp_wsize; - fpioc->fp_flags = fp->fp_flags; - fpioc->fp_psize = fp->fp_psize; - fpioc->fp_ttl = fp->fp_ttl; - fpioc->fp_wscale = fp->fp_wscale; - fpioc->fp_getnum = num; - memcpy(&fpioc->fp_os, entry, - sizeof(fpioc->fp_os)); - return (0); - } - } - } - - return (EBUSY); -} - - -/* Validate that each signature is reachable */ -struct pf_os_fingerprint * -pf_osfp_validate(void) -{ - struct pf_os_fingerprint *f, *f2, find; - -#ifdef __FreeBSD__ - SLIST_FOREACH(f, &V_pf_osfp_list, fp_next) { -#else - SLIST_FOREACH(f, &pf_osfp_list, fp_next) { -#endif - memcpy(&find, f, sizeof(find)); - - /* We do a few MSS/th_win percolations to make things unique */ - if (find.fp_mss == 0) - find.fp_mss = 128; - if (f->fp_flags & PF_OSFP_WSIZE_MSS) - find.fp_wsize *= find.fp_mss; - else if (f->fp_flags & PF_OSFP_WSIZE_MTU) - find.fp_wsize *= (find.fp_mss + 40); - else if (f->fp_flags & PF_OSFP_WSIZE_MOD) - find.fp_wsize *= 2; -#ifdef __FreeBSD__ - if (f != (f2 = pf_osfp_find(&V_pf_osfp_list, &find, 0))) { -#else - if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) { -#endif - if (f2) - printf("Found \"%s %s %s\" instead of " - "\"%s %s %s\"\n", - SLIST_FIRST(&f2->fp_oses)->fp_class_nm, - SLIST_FIRST(&f2->fp_oses)->fp_version_nm, - SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm, - SLIST_FIRST(&f->fp_oses)->fp_class_nm, - SLIST_FIRST(&f->fp_oses)->fp_version_nm, - SLIST_FIRST(&f->fp_oses)->fp_subtype_nm); - else - printf("Couldn't find \"%s %s %s\"\n", - SLIST_FIRST(&f->fp_oses)->fp_class_nm, - SLIST_FIRST(&f->fp_oses)->fp_version_nm, - SLIST_FIRST(&f->fp_oses)->fp_subtype_nm); - return (f); - } - } - return (NULL); -} diff --git a/sys/contrib/pf/net/pf_ruleset.c b/sys/contrib/pf/net/pf_ruleset.c deleted file mode 100644 index ca8667c..0000000 --- a/sys/contrib/pf/net/pf_ruleset.c +++ /dev/null @@ -1,457 +0,0 @@ -/* $OpenBSD: pf_ruleset.c,v 1.2 2008/12/18 15:31:37 dhill Exp $ */ - -/* - * Copyright (c) 2001 Daniel Hartmeier - * Copyright (c) 2002,2003 Henning Brauer - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - * Effort sponsored in part by the Defense Advanced Research Projects - * Agency (DARPA) and Air Force Research Laboratory, Air Force - * Materiel Command, USAF, under agreement number F30602-01-2-0537. - * - */ - -#ifdef __FreeBSD__ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); -#endif - -#include <sys/param.h> -#include <sys/socket.h> -#ifdef _KERNEL -# include <sys/systm.h> -#endif /* _KERNEL */ -#include <sys/mbuf.h> - -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/tcp.h> - -#include <net/if.h> -#include <net/pfvar.h> - -#ifdef INET6 -#include <netinet/ip6.h> -#endif /* INET6 */ - - -#ifdef _KERNEL -#ifdef __FreeBSD__ -#define DPFPRINTF(format, x...) \ - if (V_pf_status.debug >= PF_DEBUG_NOISY) \ - printf(format , ##x) -#else -#define DPFPRINTF(format, x...) \ - if (pf_status.debug >= PF_DEBUG_NOISY) \ - printf(format , ##x) -#endif -#ifdef __FreeBSD__ -#define rs_malloc(x) malloc(x, M_TEMP, M_NOWAIT|M_ZERO) -#else -#define rs_malloc(x) malloc(x, M_TEMP, M_WAITOK|M_CANFAIL|M_ZERO) -#endif -#define rs_free(x) free(x, M_TEMP) - -#else -/* Userland equivalents so we can lend code to pfctl et al. */ - -#include <arpa/inet.h> -#include <errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#define rs_malloc(x) calloc(1, x) -#define rs_free(x) free(x) - -#ifdef PFDEBUG -#include <sys/stdarg.h> -#define DPFPRINTF(format, x...) fprintf(stderr, format , ##x) -#else -#define DPFPRINTF(format, x...) ((void)0) -#endif /* PFDEBUG */ -#endif /* _KERNEL */ - -#if defined(__FreeBSD__) && !defined(_KERNEL) -#undef V_pf_anchors -#define V_pf_anchors pf_anchors - -#undef pf_main_ruleset -#define pf_main_ruleset pf_main_anchor.ruleset -#endif - -#if defined(__FreeBSD__) && defined(_KERNEL) -VNET_DEFINE(struct pf_anchor_global, pf_anchors); -VNET_DEFINE(struct pf_anchor, pf_main_anchor); -#else -struct pf_anchor_global pf_anchors; -struct pf_anchor pf_main_anchor; -#endif - -static __inline int pf_anchor_compare(struct pf_anchor *, struct pf_anchor *); - -RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); -RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); - -static __inline int -pf_anchor_compare(struct pf_anchor *a, struct pf_anchor *b) -{ - int c = strcmp(a->path, b->path); - - return (c ? (c < 0 ? -1 : 1) : 0); -} - -int -pf_get_ruleset_number(u_int8_t action) -{ - switch (action) { - case PF_SCRUB: - case PF_NOSCRUB: - return (PF_RULESET_SCRUB); - break; - case PF_PASS: - case PF_DROP: - return (PF_RULESET_FILTER); - break; - case PF_NAT: - case PF_NONAT: - return (PF_RULESET_NAT); - break; - case PF_BINAT: - case PF_NOBINAT: - return (PF_RULESET_BINAT); - break; - case PF_RDR: - case PF_NORDR: - return (PF_RULESET_RDR); - break; - default: - return (PF_RULESET_MAX); - break; - } -} - -void -pf_init_ruleset(struct pf_ruleset *ruleset) -{ - int i; - - memset(ruleset, 0, sizeof(struct pf_ruleset)); - for (i = 0; i < PF_RULESET_MAX; i++) { - TAILQ_INIT(&ruleset->rules[i].queues[0]); - TAILQ_INIT(&ruleset->rules[i].queues[1]); - ruleset->rules[i].active.ptr = &ruleset->rules[i].queues[0]; - ruleset->rules[i].inactive.ptr = &ruleset->rules[i].queues[1]; - } -} - -struct pf_anchor * -pf_find_anchor(const char *path) -{ - struct pf_anchor *key, *found; - - key = (struct pf_anchor *)rs_malloc(sizeof(*key)); - if (key == NULL) - return (NULL); - strlcpy(key->path, path, sizeof(key->path)); -#ifdef __FreeBSD__ - found = RB_FIND(pf_anchor_global, &V_pf_anchors, key); -#else - found = RB_FIND(pf_anchor_global, &pf_anchors, key); -#endif - rs_free(key); - return (found); -} - -struct pf_ruleset * -pf_find_ruleset(const char *path) -{ - struct pf_anchor *anchor; - - while (*path == '/') - path++; - if (!*path) - return (&pf_main_ruleset); - anchor = pf_find_anchor(path); - if (anchor == NULL) - return (NULL); - else - return (&anchor->ruleset); -} - -struct pf_ruleset * -pf_find_or_create_ruleset(const char *path) -{ - char *p, *q, *r; - struct pf_ruleset *ruleset; -#ifdef __FreeBSD__ - struct pf_anchor *anchor = NULL, *dup, *parent = NULL; -#else - struct pf_anchor *anchor, *dup, *parent = NULL; -#endif - - if (path[0] == 0) - return (&pf_main_ruleset); - while (*path == '/') - path++; - ruleset = pf_find_ruleset(path); - if (ruleset != NULL) - return (ruleset); - p = (char *)rs_malloc(MAXPATHLEN); - if (p == NULL) - return (NULL); - strlcpy(p, path, MAXPATHLEN); - while (parent == NULL && (q = strrchr(p, '/')) != NULL) { - *q = 0; - if ((ruleset = pf_find_ruleset(p)) != NULL) { - parent = ruleset->anchor; - break; - } - } - if (q == NULL) - q = p; - else - q++; - strlcpy(p, path, MAXPATHLEN); - if (!*q) { - rs_free(p); - return (NULL); - } - while ((r = strchr(q, '/')) != NULL || *q) { - if (r != NULL) - *r = 0; - if (!*q || strlen(q) >= PF_ANCHOR_NAME_SIZE || - (parent != NULL && strlen(parent->path) >= - MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 1)) { - rs_free(p); - return (NULL); - } - anchor = (struct pf_anchor *)rs_malloc(sizeof(*anchor)); - if (anchor == NULL) { - rs_free(p); - return (NULL); - } - RB_INIT(&anchor->children); - strlcpy(anchor->name, q, sizeof(anchor->name)); - if (parent != NULL) { - strlcpy(anchor->path, parent->path, - sizeof(anchor->path)); - strlcat(anchor->path, "/", sizeof(anchor->path)); - } - strlcat(anchor->path, anchor->name, sizeof(anchor->path)); -#ifdef __FreeBSD__ - if ((dup = RB_INSERT(pf_anchor_global, &V_pf_anchors, anchor)) != -#else - if ((dup = RB_INSERT(pf_anchor_global, &pf_anchors, anchor)) != -#endif - NULL) { - printf("pf_find_or_create_ruleset: RB_INSERT1 " - "'%s' '%s' collides with '%s' '%s'\n", - anchor->path, anchor->name, dup->path, dup->name); - rs_free(anchor); - rs_free(p); - return (NULL); - } - if (parent != NULL) { - anchor->parent = parent; - if ((dup = RB_INSERT(pf_anchor_node, &parent->children, - anchor)) != NULL) { - printf("pf_find_or_create_ruleset: " - "RB_INSERT2 '%s' '%s' collides with " - "'%s' '%s'\n", anchor->path, anchor->name, - dup->path, dup->name); -#ifdef __FreeBSD__ - RB_REMOVE(pf_anchor_global, &V_pf_anchors, -#else - RB_REMOVE(pf_anchor_global, &pf_anchors, -#endif - anchor); - rs_free(anchor); - rs_free(p); - return (NULL); - } - } - pf_init_ruleset(&anchor->ruleset); - anchor->ruleset.anchor = anchor; - parent = anchor; - if (r != NULL) - q = r + 1; - else - *q = 0; - } - rs_free(p); - return (&anchor->ruleset); -} - -void -pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset) -{ - struct pf_anchor *parent; - int i; - - while (ruleset != NULL) { - if (ruleset == &pf_main_ruleset || ruleset->anchor == NULL || - !RB_EMPTY(&ruleset->anchor->children) || - ruleset->anchor->refcnt > 0 || ruleset->tables > 0 || - ruleset->topen) - return; - for (i = 0; i < PF_RULESET_MAX; ++i) - if (!TAILQ_EMPTY(ruleset->rules[i].active.ptr) || - !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) || - ruleset->rules[i].inactive.open) - return; -#ifdef __FreeBSD__ - RB_REMOVE(pf_anchor_global, &V_pf_anchors, ruleset->anchor); -#else - RB_REMOVE(pf_anchor_global, &pf_anchors, ruleset->anchor); -#endif - if ((parent = ruleset->anchor->parent) != NULL) - RB_REMOVE(pf_anchor_node, &parent->children, - ruleset->anchor); - rs_free(ruleset->anchor); - if (parent == NULL) - return; - ruleset = &parent->ruleset; - } -} - -int -pf_anchor_setup(struct pf_rule *r, const struct pf_ruleset *s, - const char *name) -{ - char *p, *path; - struct pf_ruleset *ruleset; - - r->anchor = NULL; - r->anchor_relative = 0; - r->anchor_wildcard = 0; - if (!name[0]) - return (0); - path = (char *)rs_malloc(MAXPATHLEN); - if (path == NULL) - return (1); - if (name[0] == '/') - strlcpy(path, name + 1, MAXPATHLEN); - else { - /* relative path */ - r->anchor_relative = 1; - if (s->anchor == NULL || !s->anchor->path[0]) - path[0] = 0; - else - strlcpy(path, s->anchor->path, MAXPATHLEN); - while (name[0] == '.' && name[1] == '.' && name[2] == '/') { - if (!path[0]) { - printf("pf_anchor_setup: .. beyond root\n"); - rs_free(path); - return (1); - } - if ((p = strrchr(path, '/')) != NULL) - *p = 0; - else - path[0] = 0; - r->anchor_relative++; - name += 3; - } - if (path[0]) - strlcat(path, "/", MAXPATHLEN); - strlcat(path, name, MAXPATHLEN); - } - if ((p = strrchr(path, '/')) != NULL && !strcmp(p, "/*")) { - r->anchor_wildcard = 1; - *p = 0; - } - ruleset = pf_find_or_create_ruleset(path); - rs_free(path); - if (ruleset == NULL || ruleset->anchor == NULL) { - printf("pf_anchor_setup: ruleset\n"); - return (1); - } - r->anchor = ruleset->anchor; - r->anchor->refcnt++; - return (0); -} - -int -pf_anchor_copyout(const struct pf_ruleset *rs, const struct pf_rule *r, - struct pfioc_rule *pr) -{ - pr->anchor_call[0] = 0; - if (r->anchor == NULL) - return (0); - if (!r->anchor_relative) { - strlcpy(pr->anchor_call, "/", sizeof(pr->anchor_call)); - strlcat(pr->anchor_call, r->anchor->path, - sizeof(pr->anchor_call)); - } else { - char *a, *p; - int i; - - a = (char *)rs_malloc(MAXPATHLEN); - if (a == NULL) - return (1); - if (rs->anchor == NULL) - a[0] = 0; - else - strlcpy(a, rs->anchor->path, MAXPATHLEN); - for (i = 1; i < r->anchor_relative; ++i) { - if ((p = strrchr(a, '/')) == NULL) - p = a; - *p = 0; - strlcat(pr->anchor_call, "../", - sizeof(pr->anchor_call)); - } - if (strncmp(a, r->anchor->path, strlen(a))) { - printf("pf_anchor_copyout: '%s' '%s'\n", a, - r->anchor->path); - rs_free(a); - return (1); - } - if (strlen(r->anchor->path) > strlen(a)) - strlcat(pr->anchor_call, r->anchor->path + (a[0] ? - strlen(a) + 1 : 0), sizeof(pr->anchor_call)); - rs_free(a); - } - if (r->anchor_wildcard) - strlcat(pr->anchor_call, pr->anchor_call[0] ? "/*" : "*", - sizeof(pr->anchor_call)); - return (0); -} - -void -pf_anchor_remove(struct pf_rule *r) -{ - if (r->anchor == NULL) - return; - if (r->anchor->refcnt <= 0) { - printf("pf_anchor_remove: broken refcount\n"); - r->anchor = NULL; - return; - } - if (!--r->anchor->refcnt) - pf_remove_if_empty_ruleset(&r->anchor->ruleset); - r->anchor = NULL; -} diff --git a/sys/contrib/pf/net/pf_table.c b/sys/contrib/pf/net/pf_table.c deleted file mode 100644 index ea77e31..0000000 --- a/sys/contrib/pf/net/pf_table.c +++ /dev/null @@ -1,2516 +0,0 @@ -/* $OpenBSD: pf_table.c,v 1.79 2008/10/08 06:24:50 mcbride Exp $ */ - -/* - * Copyright (c) 2002 Cedric Berger - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifdef __FreeBSD__ -#include "opt_inet.h" -#include "opt_inet6.h" - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); -#endif - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/socket.h> -#include <sys/mbuf.h> -#include <sys/kernel.h> -#ifdef __FreeBSD__ -#include <sys/malloc.h> -#else -#include <sys/pool.h> -#endif - -#include <net/if.h> -#include <net/route.h> -#include <netinet/in.h> -#ifndef __FreeBSD__ -#include <netinet/ip_ipsp.h> -#endif -#include <net/pfvar.h> - -#define ACCEPT_FLAGS(flags, oklist) \ - do { \ - if ((flags & ~(oklist)) & \ - PFR_FLAG_ALLMASK) \ - return (EINVAL); \ - } while (0) - -#ifdef __FreeBSD__ -static inline int -_copyin(const void *uaddr, void *kaddr, size_t len) -{ - int r; - - PF_UNLOCK(); - r = copyin(uaddr, kaddr, len); - PF_LOCK(); - - return (r); -} - -static inline int -_copyout(const void *uaddr, void *kaddr, size_t len) -{ - int r; - - PF_UNLOCK(); - r = copyout(uaddr, kaddr, len); - PF_LOCK(); - - return (r); -} - -#define COPYIN(from, to, size, flags) \ - ((flags & PFR_FLAG_USERIOCTL) ? \ - _copyin((from), (to), (size)) : \ - (bcopy((from), (to), (size)), 0)) - -#define COPYOUT(from, to, size, flags) \ - ((flags & PFR_FLAG_USERIOCTL) ? \ - _copyout((from), (to), (size)) : \ - (bcopy((from), (to), (size)), 0)) - -#else -#define COPYIN(from, to, size, flags) \ - ((flags & PFR_FLAG_USERIOCTL) ? \ - copyin((from), (to), (size)) : \ - (bcopy((from), (to), (size)), 0)) - -#define COPYOUT(from, to, size, flags) \ - ((flags & PFR_FLAG_USERIOCTL) ? \ - copyout((from), (to), (size)) : \ - (bcopy((from), (to), (size)), 0)) -#endif - -#define FILLIN_SIN(sin, addr) \ - do { \ - (sin).sin_len = sizeof(sin); \ - (sin).sin_family = AF_INET; \ - (sin).sin_addr = (addr); \ - } while (0) - -#define FILLIN_SIN6(sin6, addr) \ - do { \ - (sin6).sin6_len = sizeof(sin6); \ - (sin6).sin6_family = AF_INET6; \ - (sin6).sin6_addr = (addr); \ - } while (0) - -#define SWAP(type, a1, a2) \ - do { \ - type tmp = a1; \ - a1 = a2; \ - a2 = tmp; \ - } while (0) - -#define SUNION2PF(su, af) (((af)==AF_INET) ? \ - (struct pf_addr *)&(su)->sin.sin_addr : \ - (struct pf_addr *)&(su)->sin6.sin6_addr) - -#define AF_BITS(af) (((af)==AF_INET)?32:128) -#define ADDR_NETWORK(ad) ((ad)->pfra_net < AF_BITS((ad)->pfra_af)) -#define KENTRY_NETWORK(ke) ((ke)->pfrke_net < AF_BITS((ke)->pfrke_af)) -#define KENTRY_RNF_ROOT(ke) \ - ((((struct radix_node *)(ke))->rn_flags & RNF_ROOT) != 0) - -#define NO_ADDRESSES (-1) -#define ENQUEUE_UNMARKED_ONLY (1) -#define INVERT_NEG_FLAG (1) - -struct pfr_walktree { - enum pfrw_op { - PFRW_MARK, - PFRW_SWEEP, - PFRW_ENQUEUE, - PFRW_GET_ADDRS, - PFRW_GET_ASTATS, - PFRW_POOL_GET, - PFRW_DYNADDR_UPDATE - } pfrw_op; - union { - struct pfr_addr *pfrw1_addr; - struct pfr_astats *pfrw1_astats; - struct pfr_kentryworkq *pfrw1_workq; - struct pfr_kentry *pfrw1_kentry; - struct pfi_dynaddr *pfrw1_dyn; - } pfrw_1; - int pfrw_free; - int pfrw_flags; -}; -#define pfrw_addr pfrw_1.pfrw1_addr -#define pfrw_astats pfrw_1.pfrw1_astats -#define pfrw_workq pfrw_1.pfrw1_workq -#define pfrw_kentry pfrw_1.pfrw1_kentry -#define pfrw_dyn pfrw_1.pfrw1_dyn -#define pfrw_cnt pfrw_free - -#define senderr(e) do { rv = (e); goto _bad; } while (0) - -#ifdef __FreeBSD__ -VNET_DEFINE(uma_zone_t, pfr_ktable_pl); -VNET_DEFINE(uma_zone_t, pfr_kentry_pl); -VNET_DEFINE(uma_zone_t, pfr_kcounters_pl); -VNET_DEFINE(struct sockaddr_in, pfr_sin); -#define V_pfr_sin VNET(pfr_sin) -VNET_DEFINE(struct sockaddr_in6, pfr_sin6); -#define V_pfr_sin6 VNET(pfr_sin6) -VNET_DEFINE(union sockaddr_union, pfr_mask); -#define V_pfr_mask VNET(pfr_mask) -VNET_DEFINE(struct pf_addr, pfr_ffaddr); -#define V_pfr_ffaddr VNET(pfr_ffaddr) -#else -struct pool pfr_ktable_pl; -struct pool pfr_kentry_pl; -struct pool pfr_kcounters_pl; -struct sockaddr_in pfr_sin; -struct sockaddr_in6 pfr_sin6; -union sockaddr_union pfr_mask; -struct pf_addr pfr_ffaddr; -#endif - -void pfr_copyout_addr(struct pfr_addr *, - struct pfr_kentry *ke); -int pfr_validate_addr(struct pfr_addr *); -void pfr_enqueue_addrs(struct pfr_ktable *, - struct pfr_kentryworkq *, int *, int); -void pfr_mark_addrs(struct pfr_ktable *); -struct pfr_kentry *pfr_lookup_addr(struct pfr_ktable *, - struct pfr_addr *, int); -struct pfr_kentry *pfr_create_kentry(struct pfr_addr *, int); -void pfr_destroy_kentries(struct pfr_kentryworkq *); -void pfr_destroy_kentry(struct pfr_kentry *); -void pfr_insert_kentries(struct pfr_ktable *, - struct pfr_kentryworkq *, long); -void pfr_remove_kentries(struct pfr_ktable *, - struct pfr_kentryworkq *); -void pfr_clstats_kentries(struct pfr_kentryworkq *, long, - int); -void pfr_reset_feedback(struct pfr_addr *, int, int); -void pfr_prepare_network(union sockaddr_union *, int, int); -int pfr_route_kentry(struct pfr_ktable *, - struct pfr_kentry *); -int pfr_unroute_kentry(struct pfr_ktable *, - struct pfr_kentry *); -int pfr_walktree(struct radix_node *, void *); -int pfr_validate_table(struct pfr_table *, int, int); -int pfr_fix_anchor(char *); -void pfr_commit_ktable(struct pfr_ktable *, long); -void pfr_insert_ktables(struct pfr_ktableworkq *); -void pfr_insert_ktable(struct pfr_ktable *); -void pfr_setflags_ktables(struct pfr_ktableworkq *); -void pfr_setflags_ktable(struct pfr_ktable *, int); -void pfr_clstats_ktables(struct pfr_ktableworkq *, long, - int); -void pfr_clstats_ktable(struct pfr_ktable *, long, int); -struct pfr_ktable *pfr_create_ktable(struct pfr_table *, long, int, int); -void pfr_destroy_ktables(struct pfr_ktableworkq *, int); -void pfr_destroy_ktable(struct pfr_ktable *, int); -int pfr_ktable_compare(struct pfr_ktable *, - struct pfr_ktable *); -struct pfr_ktable *pfr_lookup_table(struct pfr_table *); -void pfr_clean_node_mask(struct pfr_ktable *, - struct pfr_kentryworkq *); -int pfr_table_count(struct pfr_table *, int); -int pfr_skip_table(struct pfr_table *, - struct pfr_ktable *, int); -struct pfr_kentry *pfr_kentry_byidx(struct pfr_ktable *, int, int); - -RB_PROTOTYPE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare); -RB_GENERATE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare); - -struct pfr_ktablehead pfr_ktables; -struct pfr_table pfr_nulltable; -int pfr_ktable_cnt; - -void -pfr_initialize(void) -{ -#ifndef __FreeBSD__ - pool_init(&pfr_ktable_pl, sizeof(struct pfr_ktable), 0, 0, 0, - "pfrktable", NULL); - pool_init(&pfr_kentry_pl, sizeof(struct pfr_kentry), 0, 0, 0, - "pfrkentry", NULL); - pool_init(&pfr_kcounters_pl, sizeof(struct pfr_kcounters), 0, 0, 0, - "pfrkcounters", NULL); - - pfr_sin.sin_len = sizeof(pfr_sin); - pfr_sin.sin_family = AF_INET; - pfr_sin6.sin6_len = sizeof(pfr_sin6); - pfr_sin6.sin6_family = AF_INET6; - - memset(&pfr_ffaddr, 0xff, sizeof(pfr_ffaddr)); -#else - V_pfr_sin.sin_len = sizeof(V_pfr_sin); - V_pfr_sin.sin_family = AF_INET; - V_pfr_sin6.sin6_len = sizeof(V_pfr_sin6); - V_pfr_sin6.sin6_family = AF_INET6; - - memset(&V_pfr_ffaddr, 0xff, sizeof(V_pfr_ffaddr)); -#endif -} - -int -pfr_clr_addrs(struct pfr_table *tbl, int *ndel, int flags) -{ - struct pfr_ktable *kt; - struct pfr_kentryworkq workq; - int s; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY); - if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL)) - return (EINVAL); - kt = pfr_lookup_table(tbl); - if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (ESRCH); - if (kt->pfrkt_flags & PFR_TFLAG_CONST) - return (EPERM); - pfr_enqueue_addrs(kt, &workq, ndel, 0); - - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_remove_kentries(kt, &workq); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - if (kt->pfrkt_cnt) { - printf("pfr_clr_addrs: corruption detected (%d).\n", - kt->pfrkt_cnt); - kt->pfrkt_cnt = 0; - } - } - return (0); -} - -int -pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, - int *nadd, int flags) -{ - struct pfr_ktable *kt, *tmpkt; - struct pfr_kentryworkq workq; - struct pfr_kentry *p, *q; - struct pfr_addr ad; - int i, rv, s, xadd = 0; - long tzero = time_second; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY | - PFR_FLAG_FEEDBACK); - if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL)) - return (EINVAL); - kt = pfr_lookup_table(tbl); - if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (ESRCH); - if (kt->pfrkt_flags & PFR_TFLAG_CONST) - return (EPERM); - tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0, - !(flags & PFR_FLAG_USERIOCTL)); - if (tmpkt == NULL) - return (ENOMEM); - SLIST_INIT(&workq); - for (i = 0; i < size; i++) { - if (COPYIN(addr+i, &ad, sizeof(ad), flags)) - senderr(EFAULT); - if (pfr_validate_addr(&ad)) - senderr(EINVAL); - p = pfr_lookup_addr(kt, &ad, 1); - q = pfr_lookup_addr(tmpkt, &ad, 1); - if (flags & PFR_FLAG_FEEDBACK) { - if (q != NULL) - ad.pfra_fback = PFR_FB_DUPLICATE; - else if (p == NULL) - ad.pfra_fback = PFR_FB_ADDED; - else if (p->pfrke_not != ad.pfra_not) - ad.pfra_fback = PFR_FB_CONFLICT; - else - ad.pfra_fback = PFR_FB_NONE; - } - if (p == NULL && q == NULL) { - p = pfr_create_kentry(&ad, - !(flags & PFR_FLAG_USERIOCTL)); - if (p == NULL) - senderr(ENOMEM); - if (pfr_route_kentry(tmpkt, p)) { - pfr_destroy_kentry(p); - ad.pfra_fback = PFR_FB_NONE; - } else { - SLIST_INSERT_HEAD(&workq, p, pfrke_workq); - xadd++; - } - } - if (flags & PFR_FLAG_FEEDBACK) - if (COPYOUT(&ad, addr+i, sizeof(ad), flags)) - senderr(EFAULT); - } - pfr_clean_node_mask(tmpkt, &workq); - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_insert_kentries(kt, &workq, tzero); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } else - pfr_destroy_kentries(&workq); - if (nadd != NULL) - *nadd = xadd; - pfr_destroy_ktable(tmpkt, 0); - return (0); -_bad: - pfr_clean_node_mask(tmpkt, &workq); - pfr_destroy_kentries(&workq); - if (flags & PFR_FLAG_FEEDBACK) - pfr_reset_feedback(addr, size, flags); - pfr_destroy_ktable(tmpkt, 0); - return (rv); -} - -int -pfr_del_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, - int *ndel, int flags) -{ - struct pfr_ktable *kt; - struct pfr_kentryworkq workq; - struct pfr_kentry *p; - struct pfr_addr ad; - int i, rv, s, xdel = 0, log = 1; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY | - PFR_FLAG_FEEDBACK); - if (pfr_validate_table(tbl, 0, flags & PFR_FLAG_USERIOCTL)) - return (EINVAL); - kt = pfr_lookup_table(tbl); - if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (ESRCH); - if (kt->pfrkt_flags & PFR_TFLAG_CONST) - return (EPERM); - /* - * there are two algorithms to choose from here. - * with: - * n: number of addresses to delete - * N: number of addresses in the table - * - * one is O(N) and is better for large 'n' - * one is O(n*LOG(N)) and is better for small 'n' - * - * following code try to decide which one is best. - */ - for (i = kt->pfrkt_cnt; i > 0; i >>= 1) - log++; - if (size > kt->pfrkt_cnt/log) { - /* full table scan */ - pfr_mark_addrs(kt); - } else { - /* iterate over addresses to delete */ - for (i = 0; i < size; i++) { - if (COPYIN(addr+i, &ad, sizeof(ad), flags)) - return (EFAULT); - if (pfr_validate_addr(&ad)) - return (EINVAL); - p = pfr_lookup_addr(kt, &ad, 1); - if (p != NULL) - p->pfrke_mark = 0; - } - } - SLIST_INIT(&workq); - for (i = 0; i < size; i++) { - if (COPYIN(addr+i, &ad, sizeof(ad), flags)) - senderr(EFAULT); - if (pfr_validate_addr(&ad)) - senderr(EINVAL); - p = pfr_lookup_addr(kt, &ad, 1); - if (flags & PFR_FLAG_FEEDBACK) { - if (p == NULL) - ad.pfra_fback = PFR_FB_NONE; - else if (p->pfrke_not != ad.pfra_not) - ad.pfra_fback = PFR_FB_CONFLICT; - else if (p->pfrke_mark) - ad.pfra_fback = PFR_FB_DUPLICATE; - else - ad.pfra_fback = PFR_FB_DELETED; - } - if (p != NULL && p->pfrke_not == ad.pfra_not && - !p->pfrke_mark) { - p->pfrke_mark = 1; - SLIST_INSERT_HEAD(&workq, p, pfrke_workq); - xdel++; - } - if (flags & PFR_FLAG_FEEDBACK) - if (COPYOUT(&ad, addr+i, sizeof(ad), flags)) - senderr(EFAULT); - } - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_remove_kentries(kt, &workq); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } - if (ndel != NULL) - *ndel = xdel; - return (0); -_bad: - if (flags & PFR_FLAG_FEEDBACK) - pfr_reset_feedback(addr, size, flags); - return (rv); -} - -int -pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, - int *size2, int *nadd, int *ndel, int *nchange, int flags, - u_int32_t ignore_pfrt_flags) -{ - struct pfr_ktable *kt, *tmpkt; - struct pfr_kentryworkq addq, delq, changeq; - struct pfr_kentry *p, *q; - struct pfr_addr ad; - int i, rv, s, xadd = 0, xdel = 0, xchange = 0; - long tzero = time_second; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY | - PFR_FLAG_FEEDBACK); - if (pfr_validate_table(tbl, ignore_pfrt_flags, flags & - PFR_FLAG_USERIOCTL)) - return (EINVAL); - kt = pfr_lookup_table(tbl); - if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (ESRCH); - if (kt->pfrkt_flags & PFR_TFLAG_CONST) - return (EPERM); - tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0, - !(flags & PFR_FLAG_USERIOCTL)); - if (tmpkt == NULL) - return (ENOMEM); - pfr_mark_addrs(kt); - SLIST_INIT(&addq); - SLIST_INIT(&delq); - SLIST_INIT(&changeq); - for (i = 0; i < size; i++) { - if (COPYIN(addr+i, &ad, sizeof(ad), flags)) - senderr(EFAULT); - if (pfr_validate_addr(&ad)) - senderr(EINVAL); - ad.pfra_fback = PFR_FB_NONE; - p = pfr_lookup_addr(kt, &ad, 1); - if (p != NULL) { - if (p->pfrke_mark) { - ad.pfra_fback = PFR_FB_DUPLICATE; - goto _skip; - } - p->pfrke_mark = 1; - if (p->pfrke_not != ad.pfra_not) { - SLIST_INSERT_HEAD(&changeq, p, pfrke_workq); - ad.pfra_fback = PFR_FB_CHANGED; - xchange++; - } - } else { - q = pfr_lookup_addr(tmpkt, &ad, 1); - if (q != NULL) { - ad.pfra_fback = PFR_FB_DUPLICATE; - goto _skip; - } - p = pfr_create_kentry(&ad, - !(flags & PFR_FLAG_USERIOCTL)); - if (p == NULL) - senderr(ENOMEM); - if (pfr_route_kentry(tmpkt, p)) { - pfr_destroy_kentry(p); - ad.pfra_fback = PFR_FB_NONE; - } else { - SLIST_INSERT_HEAD(&addq, p, pfrke_workq); - ad.pfra_fback = PFR_FB_ADDED; - xadd++; - } - } -_skip: - if (flags & PFR_FLAG_FEEDBACK) - if (COPYOUT(&ad, addr+i, sizeof(ad), flags)) - senderr(EFAULT); - } - pfr_enqueue_addrs(kt, &delq, &xdel, ENQUEUE_UNMARKED_ONLY); - if ((flags & PFR_FLAG_FEEDBACK) && *size2) { - if (*size2 < size+xdel) { - *size2 = size+xdel; - senderr(0); - } - i = 0; - SLIST_FOREACH(p, &delq, pfrke_workq) { - pfr_copyout_addr(&ad, p); - ad.pfra_fback = PFR_FB_DELETED; - if (COPYOUT(&ad, addr+size+i, sizeof(ad), flags)) - senderr(EFAULT); - i++; - } - } - pfr_clean_node_mask(tmpkt, &addq); - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_insert_kentries(kt, &addq, tzero); - pfr_remove_kentries(kt, &delq); - pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } else - pfr_destroy_kentries(&addq); - if (nadd != NULL) - *nadd = xadd; - if (ndel != NULL) - *ndel = xdel; - if (nchange != NULL) - *nchange = xchange; - if ((flags & PFR_FLAG_FEEDBACK) && size2) - *size2 = size+xdel; - pfr_destroy_ktable(tmpkt, 0); - return (0); -_bad: - pfr_clean_node_mask(tmpkt, &addq); - pfr_destroy_kentries(&addq); - if (flags & PFR_FLAG_FEEDBACK) - pfr_reset_feedback(addr, size, flags); - pfr_destroy_ktable(tmpkt, 0); - return (rv); -} - -int -pfr_tst_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, - int *nmatch, int flags) -{ - struct pfr_ktable *kt; - struct pfr_kentry *p; - struct pfr_addr ad; - int i, xmatch = 0; - - ACCEPT_FLAGS(flags, PFR_FLAG_REPLACE); - if (pfr_validate_table(tbl, 0, 0)) - return (EINVAL); - kt = pfr_lookup_table(tbl); - if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (ESRCH); - - for (i = 0; i < size; i++) { - if (COPYIN(addr+i, &ad, sizeof(ad), flags)) - return (EFAULT); - if (pfr_validate_addr(&ad)) - return (EINVAL); - if (ADDR_NETWORK(&ad)) - return (EINVAL); - p = pfr_lookup_addr(kt, &ad, 0); - if (flags & PFR_FLAG_REPLACE) - pfr_copyout_addr(&ad, p); - ad.pfra_fback = (p == NULL) ? PFR_FB_NONE : - (p->pfrke_not ? PFR_FB_NOTMATCH : PFR_FB_MATCH); - if (p != NULL && !p->pfrke_not) - xmatch++; - if (COPYOUT(&ad, addr+i, sizeof(ad), flags)) - return (EFAULT); - } - if (nmatch != NULL) - *nmatch = xmatch; - return (0); -} - -int -pfr_get_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int *size, - int flags) -{ - struct pfr_ktable *kt; - struct pfr_walktree w; - int rv; - - ACCEPT_FLAGS(flags, 0); - if (pfr_validate_table(tbl, 0, 0)) - return (EINVAL); - kt = pfr_lookup_table(tbl); - if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (ESRCH); - if (kt->pfrkt_cnt > *size) { - *size = kt->pfrkt_cnt; - return (0); - } - - bzero(&w, sizeof(w)); - w.pfrw_op = PFRW_GET_ADDRS; - w.pfrw_addr = addr; - w.pfrw_free = kt->pfrkt_cnt; - w.pfrw_flags = flags; -#ifdef __FreeBSD__ - rv = kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w); -#else - rv = rn_walktree(kt->pfrkt_ip4, pfr_walktree, &w); -#endif - if (!rv) -#ifdef __FreeBSD__ - rv = kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, - &w); -#else - rv = rn_walktree(kt->pfrkt_ip6, pfr_walktree, &w); -#endif - if (rv) - return (rv); - - if (w.pfrw_free) { - printf("pfr_get_addrs: corruption detected (%d).\n", - w.pfrw_free); - return (ENOTTY); - } - *size = kt->pfrkt_cnt; - return (0); -} - -int -pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size, - int flags) -{ - struct pfr_ktable *kt; - struct pfr_walktree w; - struct pfr_kentryworkq workq; - int rv, s; - long tzero = time_second; - - /* XXX PFR_FLAG_CLSTATS disabled */ - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC); - if (pfr_validate_table(tbl, 0, 0)) - return (EINVAL); - kt = pfr_lookup_table(tbl); - if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (ESRCH); - if (kt->pfrkt_cnt > *size) { - *size = kt->pfrkt_cnt; - return (0); - } - - bzero(&w, sizeof(w)); - w.pfrw_op = PFRW_GET_ASTATS; - w.pfrw_astats = addr; - w.pfrw_free = kt->pfrkt_cnt; - w.pfrw_flags = flags; - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); -#ifdef __FreeBSD__ - rv = kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w); -#else - rv = rn_walktree(kt->pfrkt_ip4, pfr_walktree, &w); -#endif - if (!rv) -#ifdef __FreeBSD__ - rv = kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, - &w); -#else - rv = rn_walktree(kt->pfrkt_ip6, pfr_walktree, &w); -#endif - if (!rv && (flags & PFR_FLAG_CLSTATS)) { - pfr_enqueue_addrs(kt, &workq, NULL, 0); - pfr_clstats_kentries(&workq, tzero, 0); - } - if (flags & PFR_FLAG_ATOMIC) - splx(s); - if (rv) - return (rv); - - if (w.pfrw_free) { - printf("pfr_get_astats: corruption detected (%d).\n", - w.pfrw_free); - return (ENOTTY); - } - *size = kt->pfrkt_cnt; - return (0); -} - -int -pfr_clr_astats(struct pfr_table *tbl, struct pfr_addr *addr, int size, - int *nzero, int flags) -{ - struct pfr_ktable *kt; - struct pfr_kentryworkq workq; - struct pfr_kentry *p; - struct pfr_addr ad; - int i, rv, s, xzero = 0; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY | - PFR_FLAG_FEEDBACK); - if (pfr_validate_table(tbl, 0, 0)) - return (EINVAL); - kt = pfr_lookup_table(tbl); - if (kt == NULL || !(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (ESRCH); - SLIST_INIT(&workq); - for (i = 0; i < size; i++) { - if (COPYIN(addr+i, &ad, sizeof(ad), flags)) - senderr(EFAULT); - if (pfr_validate_addr(&ad)) - senderr(EINVAL); - p = pfr_lookup_addr(kt, &ad, 1); - if (flags & PFR_FLAG_FEEDBACK) { - ad.pfra_fback = (p != NULL) ? - PFR_FB_CLEARED : PFR_FB_NONE; - if (COPYOUT(&ad, addr+i, sizeof(ad), flags)) - senderr(EFAULT); - } - if (p != NULL) { - SLIST_INSERT_HEAD(&workq, p, pfrke_workq); - xzero++; - } - } - - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_clstats_kentries(&workq, 0, 0); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } - if (nzero != NULL) - *nzero = xzero; - return (0); -_bad: - if (flags & PFR_FLAG_FEEDBACK) - pfr_reset_feedback(addr, size, flags); - return (rv); -} - -int -pfr_validate_addr(struct pfr_addr *ad) -{ - int i; - - switch (ad->pfra_af) { -#ifdef INET - case AF_INET: - if (ad->pfra_net > 32) - return (-1); - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - if (ad->pfra_net > 128) - return (-1); - break; -#endif /* INET6 */ - default: - return (-1); - } - if (ad->pfra_net < 128 && - (((caddr_t)ad)[ad->pfra_net/8] & (0xFF >> (ad->pfra_net%8)))) - return (-1); - for (i = (ad->pfra_net+7)/8; i < sizeof(ad->pfra_u); i++) - if (((caddr_t)ad)[i]) - return (-1); - if (ad->pfra_not && ad->pfra_not != 1) - return (-1); - if (ad->pfra_fback) - return (-1); - return (0); -} - -void -pfr_enqueue_addrs(struct pfr_ktable *kt, struct pfr_kentryworkq *workq, - int *naddr, int sweep) -{ - struct pfr_walktree w; - - SLIST_INIT(workq); - bzero(&w, sizeof(w)); - w.pfrw_op = sweep ? PFRW_SWEEP : PFRW_ENQUEUE; - w.pfrw_workq = workq; - if (kt->pfrkt_ip4 != NULL) -#ifdef __FreeBSD__ - if (kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, - &w)) -#else - if (rn_walktree(kt->pfrkt_ip4, pfr_walktree, &w)) -#endif - printf("pfr_enqueue_addrs: IPv4 walktree failed.\n"); - if (kt->pfrkt_ip6 != NULL) -#ifdef __FreeBSD__ - if (kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, - &w)) -#else - if (rn_walktree(kt->pfrkt_ip6, pfr_walktree, &w)) -#endif - printf("pfr_enqueue_addrs: IPv6 walktree failed.\n"); - if (naddr != NULL) - *naddr = w.pfrw_cnt; -} - -void -pfr_mark_addrs(struct pfr_ktable *kt) -{ - struct pfr_walktree w; - - bzero(&w, sizeof(w)); - w.pfrw_op = PFRW_MARK; -#ifdef __FreeBSD__ - if (kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w)) -#else - if (rn_walktree(kt->pfrkt_ip4, pfr_walktree, &w)) -#endif - printf("pfr_mark_addrs: IPv4 walktree failed.\n"); -#ifdef __FreeBSD__ - if (kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w)) -#else - if (rn_walktree(kt->pfrkt_ip6, pfr_walktree, &w)) -#endif - printf("pfr_mark_addrs: IPv6 walktree failed.\n"); -} - - -struct pfr_kentry * -pfr_lookup_addr(struct pfr_ktable *kt, struct pfr_addr *ad, int exact) -{ - union sockaddr_union sa, mask; -#ifdef __FreeBSD__ - struct radix_node_head *head = NULL; -#else - struct radix_node_head *head; -#endif - struct pfr_kentry *ke; - int s; - - bzero(&sa, sizeof(sa)); - if (ad->pfra_af == AF_INET) { - FILLIN_SIN(sa.sin, ad->pfra_ip4addr); - head = kt->pfrkt_ip4; - } else if ( ad->pfra_af == AF_INET6 ) { - FILLIN_SIN6(sa.sin6, ad->pfra_ip6addr); - head = kt->pfrkt_ip6; - } - if (ADDR_NETWORK(ad)) { - pfr_prepare_network(&mask, ad->pfra_af, ad->pfra_net); - s = splsoftnet(); /* rn_lookup makes use of globals */ -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#endif - ke = (struct pfr_kentry *)rn_lookup(&sa, &mask, head); - splx(s); - if (ke && KENTRY_RNF_ROOT(ke)) - ke = NULL; - } else { - ke = (struct pfr_kentry *)rn_match(&sa, head); - if (ke && KENTRY_RNF_ROOT(ke)) - ke = NULL; - if (exact && ke && KENTRY_NETWORK(ke)) - ke = NULL; - } - return (ke); -} - -struct pfr_kentry * -pfr_create_kentry(struct pfr_addr *ad, int intr) -{ - struct pfr_kentry *ke; - -#ifdef __FreeBSD__ - ke = pool_get(&V_pfr_kentry_pl, PR_NOWAIT | PR_ZERO); -#else - if (intr) - ke = pool_get(&pfr_kentry_pl, PR_NOWAIT | PR_ZERO); - else - ke = pool_get(&pfr_kentry_pl, PR_WAITOK|PR_ZERO|PR_LIMITFAIL); -#endif - if (ke == NULL) - return (NULL); - - if (ad->pfra_af == AF_INET) - FILLIN_SIN(ke->pfrke_sa.sin, ad->pfra_ip4addr); - else if (ad->pfra_af == AF_INET6) - FILLIN_SIN6(ke->pfrke_sa.sin6, ad->pfra_ip6addr); - ke->pfrke_af = ad->pfra_af; - ke->pfrke_net = ad->pfra_net; - ke->pfrke_not = ad->pfra_not; - return (ke); -} - -void -pfr_destroy_kentries(struct pfr_kentryworkq *workq) -{ - struct pfr_kentry *p, *q; - - for (p = SLIST_FIRST(workq); p != NULL; p = q) { - q = SLIST_NEXT(p, pfrke_workq); - pfr_destroy_kentry(p); - } -} - -void -pfr_destroy_kentry(struct pfr_kentry *ke) -{ - if (ke->pfrke_counters) -#ifdef __FreeBSD__ - pool_put(&V_pfr_kcounters_pl, ke->pfrke_counters); - pool_put(&V_pfr_kentry_pl, ke); -#else - pool_put(&pfr_kcounters_pl, ke->pfrke_counters); - pool_put(&pfr_kentry_pl, ke); -#endif -} - -void -pfr_insert_kentries(struct pfr_ktable *kt, - struct pfr_kentryworkq *workq, long tzero) -{ - struct pfr_kentry *p; - int rv, n = 0; - - SLIST_FOREACH(p, workq, pfrke_workq) { - rv = pfr_route_kentry(kt, p); - if (rv) { - printf("pfr_insert_kentries: cannot route entry " - "(code=%d).\n", rv); - break; - } - p->pfrke_tzero = tzero; - n++; - } - kt->pfrkt_cnt += n; -} - -int -pfr_insert_kentry(struct pfr_ktable *kt, struct pfr_addr *ad, long tzero) -{ - struct pfr_kentry *p; - int rv; - - p = pfr_lookup_addr(kt, ad, 1); - if (p != NULL) - return (0); - p = pfr_create_kentry(ad, 1); - if (p == NULL) - return (EINVAL); - - rv = pfr_route_kentry(kt, p); - if (rv) - return (rv); - - p->pfrke_tzero = tzero; - kt->pfrkt_cnt++; - - return (0); -} - -void -pfr_remove_kentries(struct pfr_ktable *kt, - struct pfr_kentryworkq *workq) -{ - struct pfr_kentry *p; - int n = 0; - - SLIST_FOREACH(p, workq, pfrke_workq) { - pfr_unroute_kentry(kt, p); - n++; - } - kt->pfrkt_cnt -= n; - pfr_destroy_kentries(workq); -} - -void -pfr_clean_node_mask(struct pfr_ktable *kt, - struct pfr_kentryworkq *workq) -{ - struct pfr_kentry *p; - - SLIST_FOREACH(p, workq, pfrke_workq) - pfr_unroute_kentry(kt, p); -} - -void -pfr_clstats_kentries(struct pfr_kentryworkq *workq, long tzero, int negchange) -{ - struct pfr_kentry *p; - int s; - - SLIST_FOREACH(p, workq, pfrke_workq) { - s = splsoftnet(); - if (negchange) - p->pfrke_not = !p->pfrke_not; - if (p->pfrke_counters) { -#ifdef __FreeBSD__ - pool_put(&V_pfr_kcounters_pl, p->pfrke_counters); -#else - pool_put(&pfr_kcounters_pl, p->pfrke_counters); -#endif - p->pfrke_counters = NULL; - } - splx(s); - p->pfrke_tzero = tzero; - } -} - -void -pfr_reset_feedback(struct pfr_addr *addr, int size, int flags) -{ - struct pfr_addr ad; - int i; - - for (i = 0; i < size; i++) { - if (COPYIN(addr+i, &ad, sizeof(ad), flags)) - break; - ad.pfra_fback = PFR_FB_NONE; - if (COPYOUT(&ad, addr+i, sizeof(ad), flags)) - break; - } -} - -void -pfr_prepare_network(union sockaddr_union *sa, int af, int net) -{ - int i; - - bzero(sa, sizeof(*sa)); - if (af == AF_INET) { - sa->sin.sin_len = sizeof(sa->sin); - sa->sin.sin_family = AF_INET; - sa->sin.sin_addr.s_addr = net ? htonl(-1 << (32-net)) : 0; - } else if (af == AF_INET6) { - sa->sin6.sin6_len = sizeof(sa->sin6); - sa->sin6.sin6_family = AF_INET6; - for (i = 0; i < 4; i++) { - if (net <= 32) { - sa->sin6.sin6_addr.s6_addr32[i] = - net ? htonl(-1 << (32-net)) : 0; - break; - } - sa->sin6.sin6_addr.s6_addr32[i] = 0xFFFFFFFF; - net -= 32; - } - } -} - -int -pfr_route_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke) -{ - union sockaddr_union mask; - struct radix_node *rn; -#ifdef __FreeBSD__ - struct radix_node_head *head = NULL; -#else - struct radix_node_head *head; -#endif - int s; - - bzero(ke->pfrke_node, sizeof(ke->pfrke_node)); - if (ke->pfrke_af == AF_INET) - head = kt->pfrkt_ip4; - else if (ke->pfrke_af == AF_INET6) - head = kt->pfrkt_ip6; - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#endif - if (KENTRY_NETWORK(ke)) { - pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net); -#ifdef __FreeBSD__ - rn = rn_addroute(&ke->pfrke_sa, &mask, head, ke->pfrke_node); -#else - rn = rn_addroute(&ke->pfrke_sa, &mask, head, ke->pfrke_node, 0); -#endif - } else -#ifdef __FreeBSD__ - rn = rn_addroute(&ke->pfrke_sa, NULL, head, ke->pfrke_node); -#else - rn = rn_addroute(&ke->pfrke_sa, NULL, head, ke->pfrke_node, 0); -#endif - splx(s); - - return (rn == NULL ? -1 : 0); -} - -int -pfr_unroute_kentry(struct pfr_ktable *kt, struct pfr_kentry *ke) -{ - union sockaddr_union mask; - struct radix_node *rn; -#ifdef __FreeBSD__ - struct radix_node_head *head = NULL; -#else - struct radix_node_head *head; -#endif - int s; - - if (ke->pfrke_af == AF_INET) - head = kt->pfrkt_ip4; - else if (ke->pfrke_af == AF_INET6) - head = kt->pfrkt_ip6; - - s = splsoftnet(); -#ifdef __FreeBSD__ - PF_LOCK_ASSERT(); -#endif - if (KENTRY_NETWORK(ke)) { - pfr_prepare_network(&mask, ke->pfrke_af, ke->pfrke_net); -#ifdef __FreeBSD__ - rn = rn_delete(&ke->pfrke_sa, &mask, head); -#else - rn = rn_delete(&ke->pfrke_sa, &mask, head, NULL); -#endif - } else -#ifdef __FreeBSD__ - rn = rn_delete(&ke->pfrke_sa, NULL, head); -#else - rn = rn_delete(&ke->pfrke_sa, NULL, head, NULL); -#endif - splx(s); - - if (rn == NULL) { - printf("pfr_unroute_kentry: delete failed.\n"); - return (-1); - } - return (0); -} - -void -pfr_copyout_addr(struct pfr_addr *ad, struct pfr_kentry *ke) -{ - bzero(ad, sizeof(*ad)); - if (ke == NULL) - return; - ad->pfra_af = ke->pfrke_af; - ad->pfra_net = ke->pfrke_net; - ad->pfra_not = ke->pfrke_not; - if (ad->pfra_af == AF_INET) - ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr; - else if (ad->pfra_af == AF_INET6) - ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr; -} - -int -pfr_walktree(struct radix_node *rn, void *arg) -{ - struct pfr_kentry *ke = (struct pfr_kentry *)rn; - struct pfr_walktree *w = arg; - int s, flags = w->pfrw_flags; - - switch (w->pfrw_op) { - case PFRW_MARK: - ke->pfrke_mark = 0; - break; - case PFRW_SWEEP: - if (ke->pfrke_mark) - break; - /* FALLTHROUGH */ - case PFRW_ENQUEUE: - SLIST_INSERT_HEAD(w->pfrw_workq, ke, pfrke_workq); - w->pfrw_cnt++; - break; - case PFRW_GET_ADDRS: - if (w->pfrw_free-- > 0) { - struct pfr_addr ad; - - pfr_copyout_addr(&ad, ke); - if (copyout(&ad, w->pfrw_addr, sizeof(ad))) - return (EFAULT); - w->pfrw_addr++; - } - break; - case PFRW_GET_ASTATS: - if (w->pfrw_free-- > 0) { - struct pfr_astats as; - - pfr_copyout_addr(&as.pfras_a, ke); - - s = splsoftnet(); - if (ke->pfrke_counters) { - bcopy(ke->pfrke_counters->pfrkc_packets, - as.pfras_packets, sizeof(as.pfras_packets)); - bcopy(ke->pfrke_counters->pfrkc_bytes, - as.pfras_bytes, sizeof(as.pfras_bytes)); - } else { - bzero(as.pfras_packets, sizeof(as.pfras_packets)); - bzero(as.pfras_bytes, sizeof(as.pfras_bytes)); - as.pfras_a.pfra_fback = PFR_FB_NOCOUNT; - } - splx(s); - as.pfras_tzero = ke->pfrke_tzero; - - if (COPYOUT(&as, w->pfrw_astats, sizeof(as), flags)) - return (EFAULT); - w->pfrw_astats++; - } - break; - case PFRW_POOL_GET: - if (ke->pfrke_not) - break; /* negative entries are ignored */ - if (!w->pfrw_cnt--) { - w->pfrw_kentry = ke; - return (1); /* finish search */ - } - break; - case PFRW_DYNADDR_UPDATE: - if (ke->pfrke_af == AF_INET) { - if (w->pfrw_dyn->pfid_acnt4++ > 0) - break; -#ifdef __FreeBSD__ - pfr_prepare_network(&V_pfr_mask, AF_INET, ke->pfrke_net); -#else - pfr_prepare_network(&pfr_mask, AF_INET, ke->pfrke_net); -#endif - w->pfrw_dyn->pfid_addr4 = *SUNION2PF( - &ke->pfrke_sa, AF_INET); - w->pfrw_dyn->pfid_mask4 = *SUNION2PF( -#ifdef __FreeBSD__ - &V_pfr_mask, AF_INET); -#else - &pfr_mask, AF_INET); -#endif - } else if (ke->pfrke_af == AF_INET6){ - if (w->pfrw_dyn->pfid_acnt6++ > 0) - break; -#ifdef __FreeBSD__ - pfr_prepare_network(&V_pfr_mask, AF_INET6, ke->pfrke_net); -#else - pfr_prepare_network(&pfr_mask, AF_INET6, ke->pfrke_net); -#endif - w->pfrw_dyn->pfid_addr6 = *SUNION2PF( - &ke->pfrke_sa, AF_INET6); - w->pfrw_dyn->pfid_mask6 = *SUNION2PF( -#ifdef __FreeBSD__ - &V_pfr_mask, AF_INET6); -#else - &pfr_mask, AF_INET6); -#endif - } - break; - } - return (0); -} - -int -pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags) -{ - struct pfr_ktableworkq workq; - struct pfr_ktable *p; - int s, xdel = 0; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY | - PFR_FLAG_ALLRSETS); - if (pfr_fix_anchor(filter->pfrt_anchor)) - return (EINVAL); - if (pfr_table_count(filter, flags) < 0) - return (ENOENT); - - SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { - if (pfr_skip_table(filter, p, flags)) - continue; - if (!strcmp(p->pfrkt_anchor, PF_RESERVED_ANCHOR)) - continue; - if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE)) - continue; - p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE; - SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); - xdel++; - } - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_setflags_ktables(&workq); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } - if (ndel != NULL) - *ndel = xdel; - return (0); -} - -int -pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags) -{ - struct pfr_ktableworkq addq, changeq; - struct pfr_ktable *p, *q, *r, key; - int i, rv, s, xadd = 0; - long tzero = time_second; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY); - SLIST_INIT(&addq); - SLIST_INIT(&changeq); - for (i = 0; i < size; i++) { - if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags)) - senderr(EFAULT); - if (pfr_validate_table(&key.pfrkt_t, PFR_TFLAG_USRMASK, - flags & PFR_FLAG_USERIOCTL)) - senderr(EINVAL); - key.pfrkt_flags |= PFR_TFLAG_ACTIVE; - p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); - if (p == NULL) { - p = pfr_create_ktable(&key.pfrkt_t, tzero, 1, - !(flags & PFR_FLAG_USERIOCTL)); - if (p == NULL) - senderr(ENOMEM); - SLIST_FOREACH(q, &addq, pfrkt_workq) { - if (!pfr_ktable_compare(p, q)) - goto _skip; - } - SLIST_INSERT_HEAD(&addq, p, pfrkt_workq); - xadd++; - if (!key.pfrkt_anchor[0]) - goto _skip; - - /* find or create root table */ - bzero(key.pfrkt_anchor, sizeof(key.pfrkt_anchor)); - r = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); - if (r != NULL) { - p->pfrkt_root = r; - goto _skip; - } - SLIST_FOREACH(q, &addq, pfrkt_workq) { - if (!pfr_ktable_compare(&key, q)) { - p->pfrkt_root = q; - goto _skip; - } - } - key.pfrkt_flags = 0; - r = pfr_create_ktable(&key.pfrkt_t, 0, 1, - !(flags & PFR_FLAG_USERIOCTL)); - if (r == NULL) - senderr(ENOMEM); - SLIST_INSERT_HEAD(&addq, r, pfrkt_workq); - p->pfrkt_root = r; - } else if (!(p->pfrkt_flags & PFR_TFLAG_ACTIVE)) { - SLIST_FOREACH(q, &changeq, pfrkt_workq) - if (!pfr_ktable_compare(&key, q)) - goto _skip; - p->pfrkt_nflags = (p->pfrkt_flags & - ~PFR_TFLAG_USRMASK) | key.pfrkt_flags; - SLIST_INSERT_HEAD(&changeq, p, pfrkt_workq); - xadd++; - } -_skip: - ; - } - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_insert_ktables(&addq); - pfr_setflags_ktables(&changeq); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } else - pfr_destroy_ktables(&addq, 0); - if (nadd != NULL) - *nadd = xadd; - return (0); -_bad: - pfr_destroy_ktables(&addq, 0); - return (rv); -} - -int -pfr_del_tables(struct pfr_table *tbl, int size, int *ndel, int flags) -{ - struct pfr_ktableworkq workq; - struct pfr_ktable *p, *q, key; - int i, s, xdel = 0; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY); - SLIST_INIT(&workq); - for (i = 0; i < size; i++) { - if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags)) - return (EFAULT); - if (pfr_validate_table(&key.pfrkt_t, 0, - flags & PFR_FLAG_USERIOCTL)) - return (EINVAL); - p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); - if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) { - SLIST_FOREACH(q, &workq, pfrkt_workq) - if (!pfr_ktable_compare(p, q)) - goto _skip; - p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_ACTIVE; - SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); - xdel++; - } -_skip: - ; - } - - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_setflags_ktables(&workq); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } - if (ndel != NULL) - *ndel = xdel; - return (0); -} - -int -pfr_get_tables(struct pfr_table *filter, struct pfr_table *tbl, int *size, - int flags) -{ - struct pfr_ktable *p; - int n, nn; - - ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS); - if (pfr_fix_anchor(filter->pfrt_anchor)) - return (EINVAL); - n = nn = pfr_table_count(filter, flags); - if (n < 0) - return (ENOENT); - if (n > *size) { - *size = n; - return (0); - } - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { - if (pfr_skip_table(filter, p, flags)) - continue; - if (n-- <= 0) - continue; - if (COPYOUT(&p->pfrkt_t, tbl++, sizeof(*tbl), flags)) - return (EFAULT); - } - if (n) { - printf("pfr_get_tables: corruption detected (%d).\n", n); - return (ENOTTY); - } - *size = nn; - return (0); -} - -int -pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size, - int flags) -{ - struct pfr_ktable *p; - struct pfr_ktableworkq workq; - int s, n, nn; - long tzero = time_second; - - /* XXX PFR_FLAG_CLSTATS disabled */ - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_ALLRSETS); - if (pfr_fix_anchor(filter->pfrt_anchor)) - return (EINVAL); - n = nn = pfr_table_count(filter, flags); - if (n < 0) - return (ENOENT); - if (n > *size) { - *size = n; - return (0); - } - SLIST_INIT(&workq); - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { - if (pfr_skip_table(filter, p, flags)) - continue; - if (n-- <= 0) - continue; - if (!(flags & PFR_FLAG_ATOMIC)) - s = splsoftnet(); - if (COPYOUT(&p->pfrkt_ts, tbl++, sizeof(*tbl), flags)) { - splx(s); - return (EFAULT); - } - if (!(flags & PFR_FLAG_ATOMIC)) - splx(s); - SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); - } - if (flags & PFR_FLAG_CLSTATS) - pfr_clstats_ktables(&workq, tzero, - flags & PFR_FLAG_ADDRSTOO); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - if (n) { - printf("pfr_get_tstats: corruption detected (%d).\n", n); - return (ENOTTY); - } - *size = nn; - return (0); -} - -int -pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags) -{ - struct pfr_ktableworkq workq; - struct pfr_ktable *p, key; - int i, s, xzero = 0; - long tzero = time_second; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY | - PFR_FLAG_ADDRSTOO); - SLIST_INIT(&workq); - for (i = 0; i < size; i++) { - if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags)) - return (EFAULT); - if (pfr_validate_table(&key.pfrkt_t, 0, 0)) - return (EINVAL); - p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); - if (p != NULL) { - SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); - xzero++; - } - } - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_clstats_ktables(&workq, tzero, flags & PFR_FLAG_ADDRSTOO); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } - if (nzero != NULL) - *nzero = xzero; - return (0); -} - -int -pfr_set_tflags(struct pfr_table *tbl, int size, int setflag, int clrflag, - int *nchange, int *ndel, int flags) -{ - struct pfr_ktableworkq workq; - struct pfr_ktable *p, *q, key; - int i, s, xchange = 0, xdel = 0; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY); - if ((setflag & ~PFR_TFLAG_USRMASK) || - (clrflag & ~PFR_TFLAG_USRMASK) || - (setflag & clrflag)) - return (EINVAL); - SLIST_INIT(&workq); - for (i = 0; i < size; i++) { - if (COPYIN(tbl+i, &key.pfrkt_t, sizeof(key.pfrkt_t), flags)) - return (EFAULT); - if (pfr_validate_table(&key.pfrkt_t, 0, - flags & PFR_FLAG_USERIOCTL)) - return (EINVAL); - p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); - if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) { - p->pfrkt_nflags = (p->pfrkt_flags | setflag) & - ~clrflag; - if (p->pfrkt_nflags == p->pfrkt_flags) - goto _skip; - SLIST_FOREACH(q, &workq, pfrkt_workq) - if (!pfr_ktable_compare(p, q)) - goto _skip; - SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); - if ((p->pfrkt_flags & PFR_TFLAG_PERSIST) && - (clrflag & PFR_TFLAG_PERSIST) && - !(p->pfrkt_flags & PFR_TFLAG_REFERENCED)) - xdel++; - else - xchange++; - } -_skip: - ; - } - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - pfr_setflags_ktables(&workq); - if (flags & PFR_FLAG_ATOMIC) - splx(s); - } - if (nchange != NULL) - *nchange = xchange; - if (ndel != NULL) - *ndel = xdel; - return (0); -} - -int -pfr_ina_begin(struct pfr_table *trs, u_int32_t *ticket, int *ndel, int flags) -{ - struct pfr_ktableworkq workq; - struct pfr_ktable *p; - struct pf_ruleset *rs; - int xdel = 0; - - ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY); - rs = pf_find_or_create_ruleset(trs->pfrt_anchor); - if (rs == NULL) - return (ENOMEM); - SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { - if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) || - pfr_skip_table(trs, p, 0)) - continue; - p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE; - SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); - xdel++; - } - if (!(flags & PFR_FLAG_DUMMY)) { - pfr_setflags_ktables(&workq); - if (ticket != NULL) - *ticket = ++rs->tticket; - rs->topen = 1; - } else - pf_remove_if_empty_ruleset(rs); - if (ndel != NULL) - *ndel = xdel; - return (0); -} - -int -pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size, - int *nadd, int *naddr, u_int32_t ticket, int flags) -{ - struct pfr_ktableworkq tableq; - struct pfr_kentryworkq addrq; - struct pfr_ktable *kt, *rt, *shadow, key; - struct pfr_kentry *p; - struct pfr_addr ad; - struct pf_ruleset *rs; - int i, rv, xadd = 0, xaddr = 0; - - ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY | PFR_FLAG_ADDRSTOO); - if (size && !(flags & PFR_FLAG_ADDRSTOO)) - return (EINVAL); - if (pfr_validate_table(tbl, PFR_TFLAG_USRMASK, - flags & PFR_FLAG_USERIOCTL)) - return (EINVAL); - rs = pf_find_ruleset(tbl->pfrt_anchor); - if (rs == NULL || !rs->topen || ticket != rs->tticket) - return (EBUSY); - tbl->pfrt_flags |= PFR_TFLAG_INACTIVE; - SLIST_INIT(&tableq); - kt = RB_FIND(pfr_ktablehead, &pfr_ktables, (struct pfr_ktable *)tbl); - if (kt == NULL) { - kt = pfr_create_ktable(tbl, 0, 1, - !(flags & PFR_FLAG_USERIOCTL)); - if (kt == NULL) - return (ENOMEM); - SLIST_INSERT_HEAD(&tableq, kt, pfrkt_workq); - xadd++; - if (!tbl->pfrt_anchor[0]) - goto _skip; - - /* find or create root table */ - bzero(&key, sizeof(key)); - strlcpy(key.pfrkt_name, tbl->pfrt_name, sizeof(key.pfrkt_name)); - rt = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); - if (rt != NULL) { - kt->pfrkt_root = rt; - goto _skip; - } - rt = pfr_create_ktable(&key.pfrkt_t, 0, 1, - !(flags & PFR_FLAG_USERIOCTL)); - if (rt == NULL) { - pfr_destroy_ktables(&tableq, 0); - return (ENOMEM); - } - SLIST_INSERT_HEAD(&tableq, rt, pfrkt_workq); - kt->pfrkt_root = rt; - } else if (!(kt->pfrkt_flags & PFR_TFLAG_INACTIVE)) - xadd++; -_skip: - shadow = pfr_create_ktable(tbl, 0, 0, !(flags & PFR_FLAG_USERIOCTL)); - if (shadow == NULL) { - pfr_destroy_ktables(&tableq, 0); - return (ENOMEM); - } - SLIST_INIT(&addrq); - for (i = 0; i < size; i++) { - if (COPYIN(addr+i, &ad, sizeof(ad), flags)) - senderr(EFAULT); - if (pfr_validate_addr(&ad)) - senderr(EINVAL); - if (pfr_lookup_addr(shadow, &ad, 1) != NULL) - continue; - p = pfr_create_kentry(&ad, 0); - if (p == NULL) - senderr(ENOMEM); - if (pfr_route_kentry(shadow, p)) { - pfr_destroy_kentry(p); - continue; - } - SLIST_INSERT_HEAD(&addrq, p, pfrke_workq); - xaddr++; - } - if (!(flags & PFR_FLAG_DUMMY)) { - if (kt->pfrkt_shadow != NULL) - pfr_destroy_ktable(kt->pfrkt_shadow, 1); - kt->pfrkt_flags |= PFR_TFLAG_INACTIVE; - pfr_insert_ktables(&tableq); - shadow->pfrkt_cnt = (flags & PFR_FLAG_ADDRSTOO) ? - xaddr : NO_ADDRESSES; - kt->pfrkt_shadow = shadow; - } else { - pfr_clean_node_mask(shadow, &addrq); - pfr_destroy_ktable(shadow, 0); - pfr_destroy_ktables(&tableq, 0); - pfr_destroy_kentries(&addrq); - } - if (nadd != NULL) - *nadd = xadd; - if (naddr != NULL) - *naddr = xaddr; - return (0); -_bad: - pfr_destroy_ktable(shadow, 0); - pfr_destroy_ktables(&tableq, 0); - pfr_destroy_kentries(&addrq); - return (rv); -} - -int -pfr_ina_rollback(struct pfr_table *trs, u_int32_t ticket, int *ndel, int flags) -{ - struct pfr_ktableworkq workq; - struct pfr_ktable *p; - struct pf_ruleset *rs; - int xdel = 0; - - ACCEPT_FLAGS(flags, PFR_FLAG_DUMMY); - rs = pf_find_ruleset(trs->pfrt_anchor); - if (rs == NULL || !rs->topen || ticket != rs->tticket) - return (0); - SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { - if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) || - pfr_skip_table(trs, p, 0)) - continue; - p->pfrkt_nflags = p->pfrkt_flags & ~PFR_TFLAG_INACTIVE; - SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); - xdel++; - } - if (!(flags & PFR_FLAG_DUMMY)) { - pfr_setflags_ktables(&workq); - rs->topen = 0; - pf_remove_if_empty_ruleset(rs); - } - if (ndel != NULL) - *ndel = xdel; - return (0); -} - -int -pfr_ina_commit(struct pfr_table *trs, u_int32_t ticket, int *nadd, - int *nchange, int flags) -{ - struct pfr_ktable *p, *q; - struct pfr_ktableworkq workq; - struct pf_ruleset *rs; - int s, xadd = 0, xchange = 0; - long tzero = time_second; - - ACCEPT_FLAGS(flags, PFR_FLAG_ATOMIC | PFR_FLAG_DUMMY); - rs = pf_find_ruleset(trs->pfrt_anchor); - if (rs == NULL || !rs->topen || ticket != rs->tticket) - return (EBUSY); - - SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { - if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) || - pfr_skip_table(trs, p, 0)) - continue; - SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); - if (p->pfrkt_flags & PFR_TFLAG_ACTIVE) - xchange++; - else - xadd++; - } - - if (!(flags & PFR_FLAG_DUMMY)) { - if (flags & PFR_FLAG_ATOMIC) - s = splsoftnet(); - for (p = SLIST_FIRST(&workq); p != NULL; p = q) { - q = SLIST_NEXT(p, pfrkt_workq); - pfr_commit_ktable(p, tzero); - } - if (flags & PFR_FLAG_ATOMIC) - splx(s); - rs->topen = 0; - pf_remove_if_empty_ruleset(rs); - } - if (nadd != NULL) - *nadd = xadd; - if (nchange != NULL) - *nchange = xchange; - - return (0); -} - -void -pfr_commit_ktable(struct pfr_ktable *kt, long tzero) -{ - struct pfr_ktable *shadow = kt->pfrkt_shadow; - int nflags; - - if (shadow->pfrkt_cnt == NO_ADDRESSES) { - if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - pfr_clstats_ktable(kt, tzero, 1); - } else if (kt->pfrkt_flags & PFR_TFLAG_ACTIVE) { - /* kt might contain addresses */ - struct pfr_kentryworkq addrq, addq, changeq, delq, garbageq; - struct pfr_kentry *p, *q, *next; - struct pfr_addr ad; - - pfr_enqueue_addrs(shadow, &addrq, NULL, 0); - pfr_mark_addrs(kt); - SLIST_INIT(&addq); - SLIST_INIT(&changeq); - SLIST_INIT(&delq); - SLIST_INIT(&garbageq); - pfr_clean_node_mask(shadow, &addrq); - for (p = SLIST_FIRST(&addrq); p != NULL; p = next) { - next = SLIST_NEXT(p, pfrke_workq); /* XXX */ - pfr_copyout_addr(&ad, p); - q = pfr_lookup_addr(kt, &ad, 1); - if (q != NULL) { - if (q->pfrke_not != p->pfrke_not) - SLIST_INSERT_HEAD(&changeq, q, - pfrke_workq); - q->pfrke_mark = 1; - SLIST_INSERT_HEAD(&garbageq, p, pfrke_workq); - } else { - p->pfrke_tzero = tzero; - SLIST_INSERT_HEAD(&addq, p, pfrke_workq); - } - } - pfr_enqueue_addrs(kt, &delq, NULL, ENQUEUE_UNMARKED_ONLY); - pfr_insert_kentries(kt, &addq, tzero); - pfr_remove_kentries(kt, &delq); - pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG); - pfr_destroy_kentries(&garbageq); - } else { - /* kt cannot contain addresses */ - SWAP(struct radix_node_head *, kt->pfrkt_ip4, - shadow->pfrkt_ip4); - SWAP(struct radix_node_head *, kt->pfrkt_ip6, - shadow->pfrkt_ip6); - SWAP(int, kt->pfrkt_cnt, shadow->pfrkt_cnt); - pfr_clstats_ktable(kt, tzero, 1); - } - nflags = ((shadow->pfrkt_flags & PFR_TFLAG_USRMASK) | - (kt->pfrkt_flags & PFR_TFLAG_SETMASK) | PFR_TFLAG_ACTIVE) - & ~PFR_TFLAG_INACTIVE; - pfr_destroy_ktable(shadow, 0); - kt->pfrkt_shadow = NULL; - pfr_setflags_ktable(kt, nflags); -} - -int -pfr_validate_table(struct pfr_table *tbl, int allowedflags, int no_reserved) -{ - int i; - - if (!tbl->pfrt_name[0]) - return (-1); - if (no_reserved && !strcmp(tbl->pfrt_anchor, PF_RESERVED_ANCHOR)) - return (-1); - if (tbl->pfrt_name[PF_TABLE_NAME_SIZE-1]) - return (-1); - for (i = strlen(tbl->pfrt_name); i < PF_TABLE_NAME_SIZE; i++) - if (tbl->pfrt_name[i]) - return (-1); - if (pfr_fix_anchor(tbl->pfrt_anchor)) - return (-1); - if (tbl->pfrt_flags & ~allowedflags) - return (-1); - return (0); -} - -/* - * Rewrite anchors referenced by tables to remove slashes - * and check for validity. - */ -int -pfr_fix_anchor(char *anchor) -{ - size_t siz = MAXPATHLEN; - int i; - - if (anchor[0] == '/') { - char *path; - int off; - - path = anchor; - off = 1; - while (*++path == '/') - off++; - bcopy(path, anchor, siz - off); - memset(anchor + siz - off, 0, off); - } - if (anchor[siz - 1]) - return (-1); - for (i = strlen(anchor); i < siz; i++) - if (anchor[i]) - return (-1); - return (0); -} - -int -pfr_table_count(struct pfr_table *filter, int flags) -{ - struct pf_ruleset *rs; - - if (flags & PFR_FLAG_ALLRSETS) - return (pfr_ktable_cnt); - if (filter->pfrt_anchor[0]) { - rs = pf_find_ruleset(filter->pfrt_anchor); - return ((rs != NULL) ? rs->tables : -1); - } - return (pf_main_ruleset.tables); -} - -int -pfr_skip_table(struct pfr_table *filter, struct pfr_ktable *kt, int flags) -{ - if (flags & PFR_FLAG_ALLRSETS) - return (0); - if (strcmp(filter->pfrt_anchor, kt->pfrkt_anchor)) - return (1); - return (0); -} - -void -pfr_insert_ktables(struct pfr_ktableworkq *workq) -{ - struct pfr_ktable *p; - - SLIST_FOREACH(p, workq, pfrkt_workq) - pfr_insert_ktable(p); -} - -void -pfr_insert_ktable(struct pfr_ktable *kt) -{ - RB_INSERT(pfr_ktablehead, &pfr_ktables, kt); - pfr_ktable_cnt++; - if (kt->pfrkt_root != NULL) - if (!kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]++) - pfr_setflags_ktable(kt->pfrkt_root, - kt->pfrkt_root->pfrkt_flags|PFR_TFLAG_REFDANCHOR); -} - -void -pfr_setflags_ktables(struct pfr_ktableworkq *workq) -{ - struct pfr_ktable *p, *q; - - for (p = SLIST_FIRST(workq); p; p = q) { - q = SLIST_NEXT(p, pfrkt_workq); - pfr_setflags_ktable(p, p->pfrkt_nflags); - } -} - -void -pfr_setflags_ktable(struct pfr_ktable *kt, int newf) -{ - struct pfr_kentryworkq addrq; - - if (!(newf & PFR_TFLAG_REFERENCED) && - !(newf & PFR_TFLAG_PERSIST)) - newf &= ~PFR_TFLAG_ACTIVE; - if (!(newf & PFR_TFLAG_ACTIVE)) - newf &= ~PFR_TFLAG_USRMASK; - if (!(newf & PFR_TFLAG_SETMASK)) { - RB_REMOVE(pfr_ktablehead, &pfr_ktables, kt); - if (kt->pfrkt_root != NULL) - if (!--kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]) - pfr_setflags_ktable(kt->pfrkt_root, - kt->pfrkt_root->pfrkt_flags & - ~PFR_TFLAG_REFDANCHOR); - pfr_destroy_ktable(kt, 1); - pfr_ktable_cnt--; - return; - } - if (!(newf & PFR_TFLAG_ACTIVE) && kt->pfrkt_cnt) { - pfr_enqueue_addrs(kt, &addrq, NULL, 0); - pfr_remove_kentries(kt, &addrq); - } - if (!(newf & PFR_TFLAG_INACTIVE) && kt->pfrkt_shadow != NULL) { - pfr_destroy_ktable(kt->pfrkt_shadow, 1); - kt->pfrkt_shadow = NULL; - } - kt->pfrkt_flags = newf; -} - -void -pfr_clstats_ktables(struct pfr_ktableworkq *workq, long tzero, int recurse) -{ - struct pfr_ktable *p; - - SLIST_FOREACH(p, workq, pfrkt_workq) - pfr_clstats_ktable(p, tzero, recurse); -} - -void -pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse) -{ - struct pfr_kentryworkq addrq; - int s; - - if (recurse) { - pfr_enqueue_addrs(kt, &addrq, NULL, 0); - pfr_clstats_kentries(&addrq, tzero, 0); - } - s = splsoftnet(); - bzero(kt->pfrkt_packets, sizeof(kt->pfrkt_packets)); - bzero(kt->pfrkt_bytes, sizeof(kt->pfrkt_bytes)); - kt->pfrkt_match = kt->pfrkt_nomatch = 0; - splx(s); - kt->pfrkt_tzero = tzero; -} - -struct pfr_ktable * -pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset, - int intr) -{ - struct pfr_ktable *kt; - struct pf_ruleset *rs; - -#ifdef __FreeBSD__ - kt = pool_get(&V_pfr_ktable_pl, PR_NOWAIT|PR_ZERO); -#else - if (intr) - kt = pool_get(&pfr_ktable_pl, PR_NOWAIT|PR_ZERO|PR_LIMITFAIL); - else - kt = pool_get(&pfr_ktable_pl, PR_WAITOK|PR_ZERO|PR_LIMITFAIL); -#endif - if (kt == NULL) - return (NULL); - kt->pfrkt_t = *tbl; - - if (attachruleset) { - rs = pf_find_or_create_ruleset(tbl->pfrt_anchor); - if (!rs) { - pfr_destroy_ktable(kt, 0); - return (NULL); - } - kt->pfrkt_rs = rs; - rs->tables++; - } - - if (!rn_inithead((void **)&kt->pfrkt_ip4, - offsetof(struct sockaddr_in, sin_addr) * 8) || - !rn_inithead((void **)&kt->pfrkt_ip6, - offsetof(struct sockaddr_in6, sin6_addr) * 8)) { - pfr_destroy_ktable(kt, 0); - return (NULL); - } - kt->pfrkt_tzero = tzero; - - return (kt); -} - -void -pfr_destroy_ktables(struct pfr_ktableworkq *workq, int flushaddr) -{ - struct pfr_ktable *p, *q; - - for (p = SLIST_FIRST(workq); p; p = q) { - q = SLIST_NEXT(p, pfrkt_workq); - pfr_destroy_ktable(p, flushaddr); - } -} - -void -pfr_destroy_ktable(struct pfr_ktable *kt, int flushaddr) -{ - struct pfr_kentryworkq addrq; - - if (flushaddr) { - pfr_enqueue_addrs(kt, &addrq, NULL, 0); - pfr_clean_node_mask(kt, &addrq); - pfr_destroy_kentries(&addrq); - } -#if defined(__FreeBSD__) && (__FreeBSD_version >= 500100) - if (kt->pfrkt_ip4 != NULL) { - RADIX_NODE_HEAD_DESTROY(kt->pfrkt_ip4); - free((caddr_t)kt->pfrkt_ip4, M_RTABLE); - } - if (kt->pfrkt_ip6 != NULL) { - RADIX_NODE_HEAD_DESTROY(kt->pfrkt_ip6); - free((caddr_t)kt->pfrkt_ip6, M_RTABLE); - } -#else - if (kt->pfrkt_ip4 != NULL) - free((caddr_t)kt->pfrkt_ip4, M_RTABLE); - if (kt->pfrkt_ip6 != NULL) - free((caddr_t)kt->pfrkt_ip6, M_RTABLE); -#endif - if (kt->pfrkt_shadow != NULL) - pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr); - if (kt->pfrkt_rs != NULL) { - kt->pfrkt_rs->tables--; - pf_remove_if_empty_ruleset(kt->pfrkt_rs); - } -#ifdef __FreeBSD__ - pool_put(&V_pfr_ktable_pl, kt); -#else - pool_put(&pfr_ktable_pl, kt); -#endif -} - -int -pfr_ktable_compare(struct pfr_ktable *p, struct pfr_ktable *q) -{ - int d; - - if ((d = strncmp(p->pfrkt_name, q->pfrkt_name, PF_TABLE_NAME_SIZE))) - return (d); - return (strcmp(p->pfrkt_anchor, q->pfrkt_anchor)); -} - -struct pfr_ktable * -pfr_lookup_table(struct pfr_table *tbl) -{ - /* struct pfr_ktable start like a struct pfr_table */ - return (RB_FIND(pfr_ktablehead, &pfr_ktables, - (struct pfr_ktable *)tbl)); -} - -int -pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af) -{ - struct pfr_kentry *ke = NULL; - int match; - - if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) - kt = kt->pfrkt_root; - if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (0); - - switch (af) { -#ifdef INET - case AF_INET: -#ifdef __FreeBSD__ - V_pfr_sin.sin_addr.s_addr = a->addr32[0]; - ke = (struct pfr_kentry *)rn_match(&V_pfr_sin, kt->pfrkt_ip4); -#else - pfr_sin.sin_addr.s_addr = a->addr32[0]; - ke = (struct pfr_kentry *)rn_match(&pfr_sin, kt->pfrkt_ip4); -#endif - if (ke && KENTRY_RNF_ROOT(ke)) - ke = NULL; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: -#ifdef __FreeBSD__ - bcopy(a, &V_pfr_sin6.sin6_addr, sizeof(V_pfr_sin6.sin6_addr)); - ke = (struct pfr_kentry *)rn_match(&V_pfr_sin6, kt->pfrkt_ip6); -#else - bcopy(a, &pfr_sin6.sin6_addr, sizeof(pfr_sin6.sin6_addr)); - ke = (struct pfr_kentry *)rn_match(&pfr_sin6, kt->pfrkt_ip6); -#endif - if (ke && KENTRY_RNF_ROOT(ke)) - ke = NULL; - break; -#endif /* INET6 */ - } - match = (ke && !ke->pfrke_not); - if (match) - kt->pfrkt_match++; - else - kt->pfrkt_nomatch++; - return (match); -} - -void -pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af, - u_int64_t len, int dir_out, int op_pass, int notrule) -{ - struct pfr_kentry *ke = NULL; - - if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) - kt = kt->pfrkt_root; - if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return; - - switch (af) { -#ifdef INET - case AF_INET: -#ifdef __FreeBSD__ - V_pfr_sin.sin_addr.s_addr = a->addr32[0]; - ke = (struct pfr_kentry *)rn_match(&V_pfr_sin, kt->pfrkt_ip4); -#else - pfr_sin.sin_addr.s_addr = a->addr32[0]; - ke = (struct pfr_kentry *)rn_match(&pfr_sin, kt->pfrkt_ip4); -#endif - if (ke && KENTRY_RNF_ROOT(ke)) - ke = NULL; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: -#ifdef __FreeBSD__ - bcopy(a, &V_pfr_sin6.sin6_addr, sizeof(V_pfr_sin6.sin6_addr)); - ke = (struct pfr_kentry *)rn_match(&V_pfr_sin6, kt->pfrkt_ip6); -#else - bcopy(a, &pfr_sin6.sin6_addr, sizeof(pfr_sin6.sin6_addr)); - ke = (struct pfr_kentry *)rn_match(&pfr_sin6, kt->pfrkt_ip6); -#endif - if (ke && KENTRY_RNF_ROOT(ke)) - ke = NULL; - break; -#endif /* INET6 */ - default: - ; - } - if ((ke == NULL || ke->pfrke_not) != notrule) { - if (op_pass != PFR_OP_PASS) - printf("pfr_update_stats: assertion failed.\n"); - op_pass = PFR_OP_XPASS; - } - kt->pfrkt_packets[dir_out][op_pass]++; - kt->pfrkt_bytes[dir_out][op_pass] += len; - if (ke != NULL && op_pass != PFR_OP_XPASS && - (kt->pfrkt_flags & PFR_TFLAG_COUNTERS)) { - if (ke->pfrke_counters == NULL) -#ifdef __FreeBSD__ - ke->pfrke_counters = pool_get(&V_pfr_kcounters_pl, -#else - ke->pfrke_counters = pool_get(&pfr_kcounters_pl, -#endif - PR_NOWAIT | PR_ZERO); - if (ke->pfrke_counters != NULL) { - ke->pfrke_counters->pfrkc_packets[dir_out][op_pass]++; - ke->pfrke_counters->pfrkc_bytes[dir_out][op_pass] += len; - } - } -} - -struct pfr_ktable * -pfr_attach_table(struct pf_ruleset *rs, char *name, int intr) -{ - struct pfr_ktable *kt, *rt; - struct pfr_table tbl; - struct pf_anchor *ac = rs->anchor; - - bzero(&tbl, sizeof(tbl)); - strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name)); - if (ac != NULL) - strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor)); - kt = pfr_lookup_table(&tbl); - if (kt == NULL) { - kt = pfr_create_ktable(&tbl, time_second, 1, intr); - if (kt == NULL) - return (NULL); - if (ac != NULL) { - bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor)); - rt = pfr_lookup_table(&tbl); - if (rt == NULL) { - rt = pfr_create_ktable(&tbl, 0, 1, intr); - if (rt == NULL) { - pfr_destroy_ktable(kt, 0); - return (NULL); - } - pfr_insert_ktable(rt); - } - kt->pfrkt_root = rt; - } - pfr_insert_ktable(kt); - } - if (!kt->pfrkt_refcnt[PFR_REFCNT_RULE]++) - pfr_setflags_ktable(kt, kt->pfrkt_flags|PFR_TFLAG_REFERENCED); - return (kt); -} - -void -pfr_detach_table(struct pfr_ktable *kt) -{ - if (kt->pfrkt_refcnt[PFR_REFCNT_RULE] <= 0) - printf("pfr_detach_table: refcount = %d.\n", - kt->pfrkt_refcnt[PFR_REFCNT_RULE]); - else if (!--kt->pfrkt_refcnt[PFR_REFCNT_RULE]) - pfr_setflags_ktable(kt, kt->pfrkt_flags&~PFR_TFLAG_REFERENCED); -} - -int -pfr_pool_get(struct pfr_ktable *kt, int *pidx, struct pf_addr *counter, - struct pf_addr **raddr, struct pf_addr **rmask, sa_family_t af) -{ -#ifdef __FreeBSD__ - struct pfr_kentry *ke, *ke2 = NULL; - struct pf_addr *addr = NULL; -#else - struct pfr_kentry *ke, *ke2; - struct pf_addr *addr; -#endif - union sockaddr_union mask; - int idx = -1, use_counter = 0; - -#ifdef __FreeBSD__ - if (af == AF_INET) - addr = (struct pf_addr *)&V_pfr_sin.sin_addr; - else if (af == AF_INET6) - addr = (struct pf_addr *)&V_pfr_sin6.sin6_addr; -#else - if (af == AF_INET) - addr = (struct pf_addr *)&pfr_sin.sin_addr; - else if (af == AF_INET6) - addr = (struct pf_addr *)&pfr_sin6.sin6_addr; -#endif - if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL) - kt = kt->pfrkt_root; - if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE)) - return (-1); - - if (pidx != NULL) - idx = *pidx; - if (counter != NULL && idx >= 0) - use_counter = 1; - if (idx < 0) - idx = 0; - -_next_block: - ke = pfr_kentry_byidx(kt, idx, af); - if (ke == NULL) { - kt->pfrkt_nomatch++; - return (1); - } -#ifdef __FreeBSD__ - pfr_prepare_network(&V_pfr_mask, af, ke->pfrke_net); -#else - pfr_prepare_network(&pfr_mask, af, ke->pfrke_net); -#endif - *raddr = SUNION2PF(&ke->pfrke_sa, af); -#ifdef __FreeBSD__ - *rmask = SUNION2PF(&V_pfr_mask, af); -#else - *rmask = SUNION2PF(&pfr_mask, af); -#endif - - if (use_counter) { - /* is supplied address within block? */ - if (!PF_MATCHA(0, *raddr, *rmask, counter, af)) { - /* no, go to next block in table */ - idx++; - use_counter = 0; - goto _next_block; - } - PF_ACPY(addr, counter, af); - } else { - /* use first address of block */ - PF_ACPY(addr, *raddr, af); - } - - if (!KENTRY_NETWORK(ke)) { - /* this is a single IP address - no possible nested block */ - PF_ACPY(counter, addr, af); - *pidx = idx; - kt->pfrkt_match++; - return (0); - } - for (;;) { - /* we don't want to use a nested block */ -#ifdef __FreeBSD__ - if (af == AF_INET) - ke2 = (struct pfr_kentry *)rn_match(&V_pfr_sin, - kt->pfrkt_ip4); - else if (af == AF_INET6) - ke2 = (struct pfr_kentry *)rn_match(&V_pfr_sin6, - kt->pfrkt_ip6); -#else - if (af == AF_INET) - ke2 = (struct pfr_kentry *)rn_match(&pfr_sin, - kt->pfrkt_ip4); - else if (af == AF_INET6) - ke2 = (struct pfr_kentry *)rn_match(&pfr_sin6, - kt->pfrkt_ip6); -#endif - /* no need to check KENTRY_RNF_ROOT() here */ - if (ke2 == ke) { - /* lookup return the same block - perfect */ - PF_ACPY(counter, addr, af); - *pidx = idx; - kt->pfrkt_match++; - return (0); - } - - /* we need to increase the counter past the nested block */ - pfr_prepare_network(&mask, AF_INET, ke2->pfrke_net); -#ifdef __FreeBSD__ - PF_POOLMASK(addr, addr, SUNION2PF(&mask, af), &V_pfr_ffaddr, af); -#else - PF_POOLMASK(addr, addr, SUNION2PF(&mask, af), &pfr_ffaddr, af); -#endif - PF_AINC(addr, af); - if (!PF_MATCHA(0, *raddr, *rmask, addr, af)) { - /* ok, we reached the end of our main block */ - /* go to next block in table */ - idx++; - use_counter = 0; - goto _next_block; - } - } -} - -struct pfr_kentry * -pfr_kentry_byidx(struct pfr_ktable *kt, int idx, int af) -{ - struct pfr_walktree w; - - bzero(&w, sizeof(w)); - w.pfrw_op = PFRW_POOL_GET; - w.pfrw_cnt = idx; - - switch (af) { -#ifdef INET - case AF_INET: -#ifdef __FreeBSD__ - kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w); -#else - rn_walktree(kt->pfrkt_ip4, pfr_walktree, &w); -#endif - return (w.pfrw_kentry); -#endif /* INET */ -#ifdef INET6 - case AF_INET6: -#ifdef __FreeBSD__ - kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w); -#else - rn_walktree(kt->pfrkt_ip6, pfr_walktree, &w); -#endif - return (w.pfrw_kentry); -#endif /* INET6 */ - default: - return (NULL); - } -} - -void -pfr_dynaddr_update(struct pfr_ktable *kt, struct pfi_dynaddr *dyn) -{ - struct pfr_walktree w; - int s; - - bzero(&w, sizeof(w)); - w.pfrw_op = PFRW_DYNADDR_UPDATE; - w.pfrw_dyn = dyn; - - s = splsoftnet(); - dyn->pfid_acnt4 = 0; - dyn->pfid_acnt6 = 0; - if (!dyn->pfid_af || dyn->pfid_af == AF_INET) -#ifdef __FreeBSD__ - kt->pfrkt_ip4->rnh_walktree(kt->pfrkt_ip4, pfr_walktree, &w); -#else - rn_walktree(kt->pfrkt_ip4, pfr_walktree, &w); -#endif - if (!dyn->pfid_af || dyn->pfid_af == AF_INET6) -#ifdef __FreeBSD__ - kt->pfrkt_ip6->rnh_walktree(kt->pfrkt_ip6, pfr_walktree, &w); -#else - rn_walktree(kt->pfrkt_ip6, pfr_walktree, &w); -#endif - splx(s); -} diff --git a/sys/contrib/pf/net/pfvar.h b/sys/contrib/pf/net/pfvar.h deleted file mode 100644 index dab70c5..0000000 --- a/sys/contrib/pf/net/pfvar.h +++ /dev/null @@ -1,2234 +0,0 @@ -/* $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $ */ - -/* - * Copyright (c) 2001 Daniel Hartmeier - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * - Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN - * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - */ - -#ifndef _NET_PFVAR_H_ -#define _NET_PFVAR_H_ - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/queue.h> -#include <sys/tree.h> -#ifdef __FreeBSD__ -#include <sys/lock.h> -#include <sys/sx.h> -#else -#include <sys/rwlock.h> -#endif - -#include <net/radix.h> -#include <net/route.h> -#ifdef __FreeBSD__ -#include <net/if_clone.h> -#include <net/pf_mtag.h> -#include <vm/uma.h> -#else -#include <netinet/ip_ipsp.h> -#endif - -#ifdef __FreeBSD__ -#include <netinet/in.h> -#endif - -#include <netinet/tcp_fsm.h> - -struct ip; -struct ip6_hdr; -#ifdef __FreeBSD__ -struct inpcb; -#endif - -#define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) -#define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) - -#define PF_MD5_DIGEST_LENGTH 16 -#ifdef MD5_DIGEST_LENGTH -#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH -#error -#endif -#endif - -enum { PF_INOUT, PF_IN, PF_OUT }; -enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, - PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER }; -enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, - PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; -enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, - PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; -enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; -enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, - PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, - PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; -enum { PF_GET_NONE, PF_GET_CLR_CNTR }; -enum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH }; - -/* - * Note about PFTM_*: real indices into pf_rule.timeout[] come before - * PFTM_MAX, special cases afterwards. See pf_state_expires(). - */ -enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, - PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, - PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, - PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, - PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, - PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, - PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, - PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED, - PFTM_UNTIL_PACKET }; - -/* PFTM default values */ -#define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ -#define PFTM_TCP_OPENING_VAL 30 /* No response yet */ -#define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */ -#define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */ -#define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */ -#define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */ -#define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */ -#define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */ -#define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */ -#define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */ -#define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */ -#define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */ -#define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */ -#define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */ -#define PFTM_FRAG_VAL 30 /* Fragment expire */ -#define PFTM_INTERVAL_VAL 10 /* Expire interval */ -#define PFTM_SRC_NODE_VAL 0 /* Source tracking */ -#define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */ - -enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; -enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, - PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; -#define PF_POOL_IDMASK 0x0f -enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, - PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; -enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, - PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED, - PF_ADDR_RANGE }; -#define PF_POOL_TYPEMASK 0x0f -#define PF_POOL_STICKYADDR 0x20 -#define PF_WSCALE_FLAG 0x80 -#define PF_WSCALE_MASK 0x0f - -#define PF_LOG 0x01 -#define PF_LOG_ALL 0x02 -#define PF_LOG_SOCKET_LOOKUP 0x04 - -struct pf_addr { - union { - struct in_addr v4; - struct in6_addr v6; - u_int8_t addr8[16]; - u_int16_t addr16[8]; - u_int32_t addr32[4]; - } pfa; /* 128-bit address */ -#define v4 pfa.v4 -#define v6 pfa.v6 -#define addr8 pfa.addr8 -#define addr16 pfa.addr16 -#define addr32 pfa.addr32 -}; - -#define PF_TABLE_NAME_SIZE 32 - -#define PFI_AFLAG_NETWORK 0x01 -#define PFI_AFLAG_BROADCAST 0x02 -#define PFI_AFLAG_PEER 0x04 -#define PFI_AFLAG_MODEMASK 0x07 -#define PFI_AFLAG_NOALIAS 0x08 - -struct pf_addr_wrap { - union { - struct { - struct pf_addr addr; - struct pf_addr mask; - } a; - char ifname[IFNAMSIZ]; - char tblname[PF_TABLE_NAME_SIZE]; -#ifdef __FreeBSD__ -#define RTLABEL_LEN 32 -#endif - char rtlabelname[RTLABEL_LEN]; - u_int32_t rtlabel; - } v; - union { - struct pfi_dynaddr *dyn; - struct pfr_ktable *tbl; - int dyncnt; - int tblcnt; - } p; - u_int8_t type; /* PF_ADDR_* */ - u_int8_t iflags; /* PFI_AFLAG_* */ -}; - -#ifdef _KERNEL - -struct pfi_dynaddr { - TAILQ_ENTRY(pfi_dynaddr) entry; - struct pf_addr pfid_addr4; - struct pf_addr pfid_mask4; - struct pf_addr pfid_addr6; - struct pf_addr pfid_mask6; - struct pfr_ktable *pfid_kt; - struct pfi_kif *pfid_kif; - void *pfid_hook_cookie; - int pfid_net; /* mask or 128 */ - int pfid_acnt4; /* address count IPv4 */ - int pfid_acnt6; /* address count IPv6 */ - sa_family_t pfid_af; /* rule af */ - u_int8_t pfid_iflags; /* PFI_AFLAG_* */ -}; - -/* - * Address manipulation macros - */ - -#ifdef __FreeBSD__ -#define splsoftnet() splnet() - -#define HTONL(x) (x) = htonl((__uint32_t)(x)) -#define HTONS(x) (x) = htons((__uint16_t)(x)) -#define NTOHL(x) (x) = ntohl((__uint32_t)(x)) -#define NTOHS(x) (x) = ntohs((__uint16_t)(x)) - -#define PF_NAME "pf" - -#define PR_NOWAIT M_NOWAIT -#define PR_WAITOK M_WAITOK -#define PR_ZERO M_ZERO -#define pool_get(p, f) uma_zalloc(*(p), (f)) -#define pool_put(p, o) uma_zfree(*(p), (o)) - -#define UMA_CREATE(var, type, desc) \ - var = uma_zcreate(desc, sizeof(type), \ - NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); \ - if (var == NULL) \ - break -#define UMA_DESTROY(var) \ - if (var) \ - uma_zdestroy(var) - -#ifdef __FreeBSD__ -extern struct mtx pf_task_mtx; - -#define PF_LOCK_ASSERT() mtx_assert(&pf_task_mtx, MA_OWNED) -#define PF_UNLOCK_ASSERT() mtx_assert(&pf_task_mtx, MA_NOTOWNED) -#define PF_LOCK() mtx_lock(&pf_task_mtx) -#define PF_UNLOCK() mtx_unlock(&pf_task_mtx) -#else -#define PF_LOCK_ASSERT() -#define PF_UNLOCK_ASSERT() -#define PF_LOCK() -#define PF_UNLOCK() -#endif /* __FreeBSD__ */ - -#define PF_COPYIN(uaddr, kaddr, len, r) do { \ - PF_UNLOCK(); \ - r = copyin((uaddr), (kaddr), (len)); \ - PF_LOCK(); \ -} while(0) - -#define PF_COPYOUT(kaddr, uaddr, len, r) do { \ - PF_UNLOCK(); \ - r = copyout((kaddr), (uaddr), (len)); \ - PF_LOCK(); \ -} while(0) - -#define PF_MODVER 1 -#define PFLOG_MODVER 1 -#define PFSYNC_MODVER 1 - -#define PFLOG_MINVER 1 -#define PFLOG_PREFVER PFLOG_MODVER -#define PFLOG_MAXVER 1 -#define PFSYNC_MINVER 1 -#define PFSYNC_PREFVER PFSYNC_MODVER -#define PFSYNC_MAXVER 1 -#endif /* __FreeBSD__ */ -#ifdef INET -#ifndef INET6 -#define PF_INET_ONLY -#endif /* ! INET6 */ -#endif /* INET */ - -#ifdef INET6 -#ifndef INET -#define PF_INET6_ONLY -#endif /* ! INET */ -#endif /* INET6 */ - -#ifdef INET -#ifdef INET6 -#define PF_INET_INET6 -#endif /* INET6 */ -#endif /* INET */ - -#else - -#define PF_INET_INET6 - -#endif /* _KERNEL */ - -/* Both IPv4 and IPv6 */ -#ifdef PF_INET_INET6 - -#define PF_AEQ(a, b, c) \ - ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \ - ((a)->addr32[3] == (b)->addr32[3] && \ - (a)->addr32[2] == (b)->addr32[2] && \ - (a)->addr32[1] == (b)->addr32[1] && \ - (a)->addr32[0] == (b)->addr32[0])) \ - -#define PF_ANEQ(a, b, c) \ - ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \ - ((a)->addr32[3] != (b)->addr32[3] || \ - (a)->addr32[2] != (b)->addr32[2] || \ - (a)->addr32[1] != (b)->addr32[1] || \ - (a)->addr32[0] != (b)->addr32[0])) \ - -#define PF_AZERO(a, c) \ - ((c == AF_INET && !(a)->addr32[0]) || \ - (!(a)->addr32[0] && !(a)->addr32[1] && \ - !(a)->addr32[2] && !(a)->addr32[3] )) \ - -#define PF_MATCHA(n, a, m, b, f) \ - pf_match_addr(n, a, m, b, f) - -#define PF_ACPY(a, b, f) \ - pf_addrcpy(a, b, f) - -#define PF_AINC(a, f) \ - pf_addr_inc(a, f) - -#define PF_POOLMASK(a, b, c, d, f) \ - pf_poolmask(a, b, c, d, f) - -#else - -/* Just IPv6 */ - -#ifdef PF_INET6_ONLY - -#define PF_AEQ(a, b, c) \ - ((a)->addr32[3] == (b)->addr32[3] && \ - (a)->addr32[2] == (b)->addr32[2] && \ - (a)->addr32[1] == (b)->addr32[1] && \ - (a)->addr32[0] == (b)->addr32[0]) \ - -#define PF_ANEQ(a, b, c) \ - ((a)->addr32[3] != (b)->addr32[3] || \ - (a)->addr32[2] != (b)->addr32[2] || \ - (a)->addr32[1] != (b)->addr32[1] || \ - (a)->addr32[0] != (b)->addr32[0]) \ - -#define PF_AZERO(a, c) \ - (!(a)->addr32[0] && \ - !(a)->addr32[1] && \ - !(a)->addr32[2] && \ - !(a)->addr32[3] ) \ - -#define PF_MATCHA(n, a, m, b, f) \ - pf_match_addr(n, a, m, b, f) - -#define PF_ACPY(a, b, f) \ - pf_addrcpy(a, b, f) - -#define PF_AINC(a, f) \ - pf_addr_inc(a, f) - -#define PF_POOLMASK(a, b, c, d, f) \ - pf_poolmask(a, b, c, d, f) - -#else - -/* Just IPv4 */ -#ifdef PF_INET_ONLY - -#define PF_AEQ(a, b, c) \ - ((a)->addr32[0] == (b)->addr32[0]) - -#define PF_ANEQ(a, b, c) \ - ((a)->addr32[0] != (b)->addr32[0]) - -#define PF_AZERO(a, c) \ - (!(a)->addr32[0]) - -#define PF_MATCHA(n, a, m, b, f) \ - pf_match_addr(n, a, m, b, f) - -#define PF_ACPY(a, b, f) \ - (a)->v4.s_addr = (b)->v4.s_addr - -#define PF_AINC(a, f) \ - do { \ - (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \ - } while (0) - -#define PF_POOLMASK(a, b, c, d, f) \ - do { \ - (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \ - (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \ - } while (0) - -#endif /* PF_INET_ONLY */ -#endif /* PF_INET6_ONLY */ -#endif /* PF_INET_INET6 */ - -/* - * XXX callers not FIB-aware in our version of pf yet. - * OpenBSD fixed it later it seems, 2010/05/07 13:33:16 claudio. - */ -#define PF_MISMATCHAW(aw, x, af, neg, ifp, rtid) \ - ( \ - (((aw)->type == PF_ADDR_NOROUTE && \ - pf_routable((x), (af), NULL, (rtid))) || \ - (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \ - pf_routable((x), (af), (ifp), (rtid))) || \ - ((aw)->type == PF_ADDR_RTLABEL && \ - !pf_rtlabel_match((x), (af), (aw), (rtid))) || \ - ((aw)->type == PF_ADDR_TABLE && \ - !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ - ((aw)->type == PF_ADDR_DYNIFTL && \ - !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ - ((aw)->type == PF_ADDR_RANGE && \ - !pf_match_addr_range(&(aw)->v.a.addr, \ - &(aw)->v.a.mask, (x), (af))) || \ - ((aw)->type == PF_ADDR_ADDRMASK && \ - !PF_AZERO(&(aw)->v.a.mask, (af)) && \ - !PF_MATCHA(0, &(aw)->v.a.addr, \ - &(aw)->v.a.mask, (x), (af))))) != \ - (neg) \ - ) - - -struct pf_rule_uid { - uid_t uid[2]; - u_int8_t op; -}; - -struct pf_rule_gid { - uid_t gid[2]; - u_int8_t op; -}; - -struct pf_rule_addr { - struct pf_addr_wrap addr; - u_int16_t port[2]; - u_int8_t neg; - u_int8_t port_op; -}; - -struct pf_pooladdr { - struct pf_addr_wrap addr; - TAILQ_ENTRY(pf_pooladdr) entries; - char ifname[IFNAMSIZ]; - struct pfi_kif *kif; -}; - -TAILQ_HEAD(pf_palist, pf_pooladdr); - -struct pf_poolhashkey { - union { - u_int8_t key8[16]; - u_int16_t key16[8]; - u_int32_t key32[4]; - } pfk; /* 128-bit hash key */ -#define key8 pfk.key8 -#define key16 pfk.key16 -#define key32 pfk.key32 -}; - -struct pf_pool { - struct pf_palist list; - struct pf_pooladdr *cur; - struct pf_poolhashkey key; - struct pf_addr counter; - int tblidx; - u_int16_t proxy_port[2]; - u_int8_t port_op; - u_int8_t opts; -}; - - -/* A packed Operating System description for fingerprinting */ -typedef u_int32_t pf_osfp_t; -#define PF_OSFP_ANY ((pf_osfp_t)0) -#define PF_OSFP_UNKNOWN ((pf_osfp_t)-1) -#define PF_OSFP_NOMATCH ((pf_osfp_t)-2) - -struct pf_osfp_entry { - SLIST_ENTRY(pf_osfp_entry) fp_entry; - pf_osfp_t fp_os; - int fp_enflags; -#define PF_OSFP_EXPANDED 0x001 /* expanded entry */ -#define PF_OSFP_GENERIC 0x002 /* generic signature */ -#define PF_OSFP_NODETAIL 0x004 /* no p0f details */ -#define PF_OSFP_LEN 32 - char fp_class_nm[PF_OSFP_LEN]; - char fp_version_nm[PF_OSFP_LEN]; - char fp_subtype_nm[PF_OSFP_LEN]; -}; -#define PF_OSFP_ENTRY_EQ(a, b) \ - ((a)->fp_os == (b)->fp_os && \ - memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \ - memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \ - memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0) - -/* handle pf_osfp_t packing */ -#define _FP_RESERVED_BIT 1 /* For the special negative #defines */ -#define _FP_UNUSED_BITS 1 -#define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */ -#define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */ -#define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */ -#define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \ - (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \ - ((1 << _FP_CLASS_BITS) - 1); \ - (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \ - ((1 << _FP_VERSION_BITS) - 1);\ - (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \ -} while(0) -#define PF_OSFP_PACK(osfp, class, version, subtype) do { \ - (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \ - + _FP_SUBTYPE_BITS); \ - (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \ - _FP_SUBTYPE_BITS; \ - (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \ -} while(0) - -/* the fingerprint of an OSes TCP SYN packet */ -typedef u_int64_t pf_tcpopts_t; -struct pf_os_fingerprint { - SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */ - pf_tcpopts_t fp_tcpopts; /* packed TCP options */ - u_int16_t fp_wsize; /* TCP window size */ - u_int16_t fp_psize; /* ip->ip_len */ - u_int16_t fp_mss; /* TCP MSS */ - u_int16_t fp_flags; -#define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */ -#define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */ -#define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */ -#define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */ -#define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */ -#define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */ -#define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */ -#define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */ -#define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */ -#define PF_OSFP_MSS 0x0200 /* TCP MSS */ -#define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */ -#define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */ -#define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */ -#define PF_OSFP_TS0 0x2000 /* Zero timestamp */ -#define PF_OSFP_INET6 0x4000 /* IPv6 */ - u_int8_t fp_optcnt; /* TCP option count */ - u_int8_t fp_wscale; /* TCP window scaling */ - u_int8_t fp_ttl; /* IPv4 TTL */ -#define PF_OSFP_MAXTTL_OFFSET 40 -/* TCP options packing */ -#define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */ -#define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */ -#define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */ -#define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */ -#define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */ -#define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */ -#define PF_OSFP_MAX_OPTS \ - (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \ - / PF_OSFP_TCPOPT_BITS - - SLIST_ENTRY(pf_os_fingerprint) fp_next; -}; - -struct pf_osfp_ioctl { - struct pf_osfp_entry fp_os; - pf_tcpopts_t fp_tcpopts; /* packed TCP options */ - u_int16_t fp_wsize; /* TCP window size */ - u_int16_t fp_psize; /* ip->ip_len */ - u_int16_t fp_mss; /* TCP MSS */ - u_int16_t fp_flags; - u_int8_t fp_optcnt; /* TCP option count */ - u_int8_t fp_wscale; /* TCP window scaling */ - u_int8_t fp_ttl; /* IPv4 TTL */ - - int fp_getnum; /* DIOCOSFPGET number */ -}; - - -union pf_rule_ptr { - struct pf_rule *ptr; - u_int32_t nr; -}; - -#define PF_ANCHOR_NAME_SIZE 64 - -struct pf_rule { - struct pf_rule_addr src; - struct pf_rule_addr dst; -#define PF_SKIP_IFP 0 -#define PF_SKIP_DIR 1 -#define PF_SKIP_AF 2 -#define PF_SKIP_PROTO 3 -#define PF_SKIP_SRC_ADDR 4 -#define PF_SKIP_SRC_PORT 5 -#define PF_SKIP_DST_ADDR 6 -#define PF_SKIP_DST_PORT 7 -#define PF_SKIP_COUNT 8 - union pf_rule_ptr skip[PF_SKIP_COUNT]; -#define PF_RULE_LABEL_SIZE 64 - char label[PF_RULE_LABEL_SIZE]; -#define PF_QNAME_SIZE 64 - char ifname[IFNAMSIZ]; - char qname[PF_QNAME_SIZE]; - char pqname[PF_QNAME_SIZE]; -#define PF_TAG_NAME_SIZE 64 - char tagname[PF_TAG_NAME_SIZE]; - char match_tagname[PF_TAG_NAME_SIZE]; - - char overload_tblname[PF_TABLE_NAME_SIZE]; - - TAILQ_ENTRY(pf_rule) entries; - struct pf_pool rpool; - - u_int64_t evaluations; - u_int64_t packets[2]; - u_int64_t bytes[2]; - - struct pfi_kif *kif; - struct pf_anchor *anchor; - struct pfr_ktable *overload_tbl; - - pf_osfp_t os_fingerprint; - - int rtableid; - u_int32_t timeout[PFTM_MAX]; - u_int32_t states_cur; - u_int32_t states_tot; - u_int32_t max_states; - u_int32_t src_nodes; - u_int32_t max_src_nodes; - u_int32_t max_src_states; - u_int32_t spare1; /* netgraph */ - u_int32_t max_src_conn; - struct { - u_int32_t limit; - u_int32_t seconds; - } max_src_conn_rate; - u_int32_t qid; - u_int32_t pqid; - u_int32_t rt_listid; - u_int32_t nr; - u_int32_t prob; - uid_t cuid; - pid_t cpid; - - u_int16_t return_icmp; - u_int16_t return_icmp6; - u_int16_t max_mss; - u_int16_t tag; - u_int16_t match_tag; - u_int16_t spare2; /* netgraph */ - - struct pf_rule_uid uid; - struct pf_rule_gid gid; - - u_int32_t rule_flag; - u_int8_t action; - u_int8_t direction; - u_int8_t log; - u_int8_t logif; - u_int8_t quick; - u_int8_t ifnot; - u_int8_t match_tag_not; - u_int8_t natpass; - -#define PF_STATE_NORMAL 0x1 -#define PF_STATE_MODULATE 0x2 -#define PF_STATE_SYNPROXY 0x3 - u_int8_t keep_state; - sa_family_t af; - u_int8_t proto; - u_int8_t type; - u_int8_t code; - u_int8_t flags; - u_int8_t flagset; - u_int8_t min_ttl; - u_int8_t allow_opts; - u_int8_t rt; - u_int8_t return_ttl; - u_int8_t tos; - u_int8_t set_tos; - u_int8_t anchor_relative; - u_int8_t anchor_wildcard; - -#define PF_FLUSH 0x01 -#define PF_FLUSH_GLOBAL 0x02 - u_int8_t flush; - - struct { - struct pf_addr addr; - u_int16_t port; - } divert; -}; - -/* rule flags */ -#define PFRULE_DROP 0x0000 -#define PFRULE_RETURNRST 0x0001 -#define PFRULE_FRAGMENT 0x0002 -#define PFRULE_RETURNICMP 0x0004 -#define PFRULE_RETURN 0x0008 -#define PFRULE_NOSYNC 0x0010 -#define PFRULE_SRCTRACK 0x0020 /* track source states */ -#define PFRULE_RULESRCTRACK 0x0040 /* per rule */ - -/* scrub flags */ -#define PFRULE_NODF 0x0100 -#define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */ -#define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */ -#define PFRULE_RANDOMID 0x0800 -#define PFRULE_REASSEMBLE_TCP 0x1000 -#define PFRULE_SET_TOS 0x2000 - -/* rule flags again */ -#define PFRULE_IFBOUND 0x00010000 /* if-bound */ -#define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */ -#define PFRULE_PFLOW 0x00040000 - -#define PFSTATE_HIWAT 10000 /* default state table size */ -#define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */ -#define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */ - - -struct pf_threshold { - u_int32_t limit; -#define PF_THRESHOLD_MULT 1000 -#define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT - u_int32_t seconds; - u_int32_t count; - u_int32_t last; -}; - -struct pf_src_node { - RB_ENTRY(pf_src_node) entry; - struct pf_addr addr; - struct pf_addr raddr; - union pf_rule_ptr rule; - struct pfi_kif *kif; - u_int64_t bytes[2]; - u_int64_t packets[2]; - u_int32_t states; - u_int32_t conn; - struct pf_threshold conn_rate; - u_int32_t creation; - u_int32_t expire; - sa_family_t af; - u_int8_t ruletype; -}; - -#define PFSNODE_HIWAT 10000 /* default source node table size */ - -struct pf_state_scrub { - struct timeval pfss_last; /* time received last packet */ - u_int32_t pfss_tsecr; /* last echoed timestamp */ - u_int32_t pfss_tsval; /* largest timestamp */ - u_int32_t pfss_tsval0; /* original timestamp */ - u_int16_t pfss_flags; -#define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */ -#define PFSS_PAWS 0x0010 /* stricter PAWS checks */ -#define PFSS_PAWS_IDLED 0x0020 /* was idle too long. no PAWS */ -#define PFSS_DATA_TS 0x0040 /* timestamp on data packets */ -#define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */ - u_int8_t pfss_ttl; /* stashed TTL */ - u_int8_t pad; - u_int32_t pfss_ts_mod; /* timestamp modulation */ -}; - -struct pf_state_host { - struct pf_addr addr; - u_int16_t port; - u_int16_t pad; -}; - -struct pf_state_peer { - struct pf_state_scrub *scrub; /* state is scrubbed */ - u_int32_t seqlo; /* Max sequence number sent */ - u_int32_t seqhi; /* Max the other end ACKd + win */ - u_int32_t seqdiff; /* Sequence number modulator */ - u_int16_t max_win; /* largest window (pre scaling) */ - u_int16_t mss; /* Maximum segment size option */ - u_int8_t state; /* active state level */ - u_int8_t wscale; /* window scaling factor */ - u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */ - u_int8_t pad[1]; -}; - -TAILQ_HEAD(pf_state_queue, pf_state); - -/* keep synced with struct pf_state_key, used in RB_FIND */ -struct pf_state_key_cmp { - struct pf_addr addr[2]; - u_int16_t port[2]; - sa_family_t af; - u_int8_t proto; - u_int8_t pad[2]; -}; - -struct pf_state_item { - TAILQ_ENTRY(pf_state_item) entry; - struct pf_state *s; -}; - -TAILQ_HEAD(pf_statelisthead, pf_state_item); - -struct pf_state_key { - struct pf_addr addr[2]; - u_int16_t port[2]; - sa_family_t af; - u_int8_t proto; - u_int8_t pad[2]; - - RB_ENTRY(pf_state_key) entry; - struct pf_statelisthead states; - struct pf_state_key *reverse; - struct inpcb *inp; -}; - -/* keep synced with struct pf_state, used in RB_FIND */ -struct pf_state_cmp { - u_int64_t id; - u_int32_t creatorid; - u_int8_t direction; - u_int8_t pad[3]; -}; - -struct pf_state { - u_int64_t id; - u_int32_t creatorid; - u_int8_t direction; -#ifdef __FreeBSD__ - u_int8_t pad[2]; - u_int8_t local_flags; -#define PFSTATE_EXPIRING 0x01 -#else - u_int8_t pad[3]; -#endif - - TAILQ_ENTRY(pf_state) sync_list; - TAILQ_ENTRY(pf_state) entry_list; - RB_ENTRY(pf_state) entry_id; - struct pf_state_peer src; - struct pf_state_peer dst; - union pf_rule_ptr rule; - union pf_rule_ptr anchor; - union pf_rule_ptr nat_rule; - struct pf_addr rt_addr; - struct pf_state_key *key[2]; /* addresses stack and wire */ - struct pfi_kif *kif; - struct pfi_kif *rt_kif; - struct pf_src_node *src_node; - struct pf_src_node *nat_src_node; - u_int64_t packets[2]; - u_int64_t bytes[2]; - u_int32_t creation; - u_int32_t expire; - u_int32_t pfsync_time; - u_int16_t tag; - u_int8_t log; - u_int8_t state_flags; -#define PFSTATE_ALLOWOPTS 0x01 -#define PFSTATE_SLOPPY 0x02 -#define PFSTATE_PFLOW 0x04 -#define PFSTATE_NOSYNC 0x08 -#define PFSTATE_ACK 0x10 - u_int8_t timeout; - u_int8_t sync_state; /* PFSYNC_S_x */ - - /* XXX */ - u_int8_t sync_updates; - u_int8_t _tail[3]; -}; - -/* - * Unified state structures for pulling states out of the kernel - * used by pfsync(4) and the pf(4) ioctl. - */ -struct pfsync_state_scrub { - u_int16_t pfss_flags; - u_int8_t pfss_ttl; /* stashed TTL */ -#define PFSYNC_SCRUB_FLAG_VALID 0x01 - u_int8_t scrub_flag; - u_int32_t pfss_ts_mod; /* timestamp modulation */ -} __packed; - -struct pfsync_state_peer { - struct pfsync_state_scrub scrub; /* state is scrubbed */ - u_int32_t seqlo; /* Max sequence number sent */ - u_int32_t seqhi; /* Max the other end ACKd + win */ - u_int32_t seqdiff; /* Sequence number modulator */ - u_int16_t max_win; /* largest window (pre scaling) */ - u_int16_t mss; /* Maximum segment size option */ - u_int8_t state; /* active state level */ - u_int8_t wscale; /* window scaling factor */ - u_int8_t pad[6]; -} __packed; - -struct pfsync_state_key { - struct pf_addr addr[2]; - u_int16_t port[2]; -}; - -struct pfsync_state { - u_int32_t id[2]; - char ifname[IFNAMSIZ]; - struct pfsync_state_key key[2]; - struct pfsync_state_peer src; - struct pfsync_state_peer dst; - struct pf_addr rt_addr; - u_int32_t rule; - u_int32_t anchor; - u_int32_t nat_rule; - u_int32_t creation; - u_int32_t expire; - u_int32_t packets[2][2]; - u_int32_t bytes[2][2]; - u_int32_t creatorid; - sa_family_t af; - u_int8_t proto; - u_int8_t direction; -#ifdef __FreeBSD__ - u_int8_t local_flags; -#define PFSTATE_EXPIRING 0x01 - u_int8_t pad; -#endif - u_int8_t log; - u_int8_t state_flags; - u_int8_t timeout; - u_int8_t sync_flags; - u_int8_t updates; -} __packed; - -#ifdef __FreeBSD__ -#ifdef _KERNEL -/* pfsync */ -typedef int pfsync_state_import_t(struct pfsync_state *, u_int8_t); -typedef void pfsync_insert_state_t(struct pf_state *); -typedef void pfsync_update_state_t(struct pf_state *); -typedef void pfsync_delete_state_t(struct pf_state *); -typedef void pfsync_clear_states_t(u_int32_t, const char *); -typedef int pfsync_state_in_use_t(struct pf_state *); -typedef int pfsync_defer_t(struct pf_state *, struct mbuf *); -typedef int pfsync_up_t(void); - -extern pfsync_state_import_t *pfsync_state_import_ptr; -extern pfsync_insert_state_t *pfsync_insert_state_ptr; -extern pfsync_update_state_t *pfsync_update_state_ptr; -extern pfsync_delete_state_t *pfsync_delete_state_ptr; -extern pfsync_clear_states_t *pfsync_clear_states_ptr; -extern pfsync_state_in_use_t *pfsync_state_in_use_ptr; -extern pfsync_defer_t *pfsync_defer_ptr; -extern pfsync_up_t *pfsync_up_ptr; - -void pfsync_state_export(struct pfsync_state *, - struct pf_state *); - -/* pflow */ -typedef int export_pflow_t(struct pf_state *); - -extern export_pflow_t *export_pflow_ptr; - -/* pflog */ -struct pf_ruleset; -struct pf_pdesc; -typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t, - u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *, - struct pf_ruleset *, struct pf_pdesc *); - -extern pflog_packet_t *pflog_packet_ptr; - -/* pf uid hack */ -VNET_DECLARE(int, debug_pfugidhack); -#define V_debug_pfugidhack VNET(debug_pfugidhack) - -#define V_pf_end_threads VNET(pf_end_threads) -#endif - -/* Macros to set/clear/test flags. */ -#ifdef _KERNEL -#define SET(t, f) ((t) |= (f)) -#define CLR(t, f) ((t) &= ~(f)) -#define ISSET(t, f) ((t) & (f)) -#endif -#endif - -#define PFSYNC_FLAG_SRCNODE 0x04 -#define PFSYNC_FLAG_NATSRCNODE 0x08 - -/* for copies to/from network byte order */ -/* ioctl interface also uses network byte order */ -#define pf_state_peer_hton(s,d) do { \ - (d)->seqlo = htonl((s)->seqlo); \ - (d)->seqhi = htonl((s)->seqhi); \ - (d)->seqdiff = htonl((s)->seqdiff); \ - (d)->max_win = htons((s)->max_win); \ - (d)->mss = htons((s)->mss); \ - (d)->state = (s)->state; \ - (d)->wscale = (s)->wscale; \ - if ((s)->scrub) { \ - (d)->scrub.pfss_flags = \ - htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \ - (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \ - (d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\ - (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \ - } \ -} while (0) - -#define pf_state_peer_ntoh(s,d) do { \ - (d)->seqlo = ntohl((s)->seqlo); \ - (d)->seqhi = ntohl((s)->seqhi); \ - (d)->seqdiff = ntohl((s)->seqdiff); \ - (d)->max_win = ntohs((s)->max_win); \ - (d)->mss = ntohs((s)->mss); \ - (d)->state = (s)->state; \ - (d)->wscale = (s)->wscale; \ - if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \ - (d)->scrub != NULL) { \ - (d)->scrub->pfss_flags = \ - ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \ - (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \ - (d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\ - } \ -} while (0) - -#define pf_state_counter_hton(s,d) do { \ - d[0] = htonl((s>>32)&0xffffffff); \ - d[1] = htonl(s&0xffffffff); \ -} while (0) - -#define pf_state_counter_from_pfsync(s) \ - (((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1])) - -#define pf_state_counter_ntoh(s,d) do { \ - d = ntohl(s[0]); \ - d = d<<32; \ - d += ntohl(s[1]); \ -} while (0) - -TAILQ_HEAD(pf_rulequeue, pf_rule); - -struct pf_anchor; - -struct pf_ruleset { - struct { - struct pf_rulequeue queues[2]; - struct { - struct pf_rulequeue *ptr; - struct pf_rule **ptr_array; - u_int32_t rcount; - u_int32_t ticket; - int open; - } active, inactive; - } rules[PF_RULESET_MAX]; - struct pf_anchor *anchor; - u_int32_t tticket; - int tables; - int topen; -}; - -RB_HEAD(pf_anchor_global, pf_anchor); -RB_HEAD(pf_anchor_node, pf_anchor); -struct pf_anchor { - RB_ENTRY(pf_anchor) entry_global; - RB_ENTRY(pf_anchor) entry_node; - struct pf_anchor *parent; - struct pf_anchor_node children; - char name[PF_ANCHOR_NAME_SIZE]; - char path[MAXPATHLEN]; - struct pf_ruleset ruleset; - int refcnt; /* anchor rules */ - int match; -}; -RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); -RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); - -#define PF_RESERVED_ANCHOR "_pf" - -#define PFR_TFLAG_PERSIST 0x00000001 -#define PFR_TFLAG_CONST 0x00000002 -#define PFR_TFLAG_ACTIVE 0x00000004 -#define PFR_TFLAG_INACTIVE 0x00000008 -#define PFR_TFLAG_REFERENCED 0x00000010 -#define PFR_TFLAG_REFDANCHOR 0x00000020 -#define PFR_TFLAG_COUNTERS 0x00000040 -/* Adjust masks below when adding flags. */ -#define PFR_TFLAG_USRMASK 0x00000043 -#define PFR_TFLAG_SETMASK 0x0000003C -#define PFR_TFLAG_ALLMASK 0x0000007F - -struct pfr_table { - char pfrt_anchor[MAXPATHLEN]; - char pfrt_name[PF_TABLE_NAME_SIZE]; - u_int32_t pfrt_flags; - u_int8_t pfrt_fback; -}; - -enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED, - PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE, - PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_NOCOUNT, PFR_FB_MAX }; - -struct pfr_addr { - union { - struct in_addr _pfra_ip4addr; - struct in6_addr _pfra_ip6addr; - } pfra_u; - u_int8_t pfra_af; - u_int8_t pfra_net; - u_int8_t pfra_not; - u_int8_t pfra_fback; -}; -#define pfra_ip4addr pfra_u._pfra_ip4addr -#define pfra_ip6addr pfra_u._pfra_ip6addr - -enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX }; -enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX }; -#define PFR_OP_XPASS PFR_OP_ADDR_MAX - -struct pfr_astats { - struct pfr_addr pfras_a; - u_int64_t pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; - u_int64_t pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; - long pfras_tzero; -}; - -enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX }; - -struct pfr_tstats { - struct pfr_table pfrts_t; - u_int64_t pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; - u_int64_t pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; - u_int64_t pfrts_match; - u_int64_t pfrts_nomatch; - long pfrts_tzero; - int pfrts_cnt; - int pfrts_refcnt[PFR_REFCNT_MAX]; -}; -#define pfrts_name pfrts_t.pfrt_name -#define pfrts_flags pfrts_t.pfrt_flags - -#ifndef _SOCKADDR_UNION_DEFINED -#define _SOCKADDR_UNION_DEFINED -union sockaddr_union { - struct sockaddr sa; - struct sockaddr_in sin; - struct sockaddr_in6 sin6; -}; -#endif /* _SOCKADDR_UNION_DEFINED */ - -struct pfr_kcounters { - u_int64_t pfrkc_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; - u_int64_t pfrkc_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; -}; - -SLIST_HEAD(pfr_kentryworkq, pfr_kentry); -struct pfr_kentry { - struct radix_node pfrke_node[2]; - union sockaddr_union pfrke_sa; - SLIST_ENTRY(pfr_kentry) pfrke_workq; - union { - - struct pfr_kcounters *pfrke_counters; -#if 0 - struct pfr_kroute *pfrke_route; -#endif - } u; - long pfrke_tzero; - u_int8_t pfrke_af; - u_int8_t pfrke_net; - u_int8_t pfrke_not; - u_int8_t pfrke_mark; -}; -#define pfrke_counters u.pfrke_counters -#define pfrke_route u.pfrke_route - - -SLIST_HEAD(pfr_ktableworkq, pfr_ktable); -RB_HEAD(pfr_ktablehead, pfr_ktable); -struct pfr_ktable { - struct pfr_tstats pfrkt_ts; - RB_ENTRY(pfr_ktable) pfrkt_tree; - SLIST_ENTRY(pfr_ktable) pfrkt_workq; - struct radix_node_head *pfrkt_ip4; - struct radix_node_head *pfrkt_ip6; - struct pfr_ktable *pfrkt_shadow; - struct pfr_ktable *pfrkt_root; - struct pf_ruleset *pfrkt_rs; - long pfrkt_larg; - int pfrkt_nflags; -}; -#define pfrkt_t pfrkt_ts.pfrts_t -#define pfrkt_name pfrkt_t.pfrt_name -#define pfrkt_anchor pfrkt_t.pfrt_anchor -#define pfrkt_ruleset pfrkt_t.pfrt_ruleset -#define pfrkt_flags pfrkt_t.pfrt_flags -#define pfrkt_cnt pfrkt_ts.pfrts_cnt -#define pfrkt_refcnt pfrkt_ts.pfrts_refcnt -#define pfrkt_packets pfrkt_ts.pfrts_packets -#define pfrkt_bytes pfrkt_ts.pfrts_bytes -#define pfrkt_match pfrkt_ts.pfrts_match -#define pfrkt_nomatch pfrkt_ts.pfrts_nomatch -#define pfrkt_tzero pfrkt_ts.pfrts_tzero - -RB_HEAD(pf_state_tree, pf_state_key); -RB_PROTOTYPE(pf_state_tree, pf_state_key, entry, pf_state_compare_key); - -RB_HEAD(pf_state_tree_ext_gwy, pf_state_key); -RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state_key, - entry_ext_gwy, pf_state_compare_ext_gwy); - -RB_HEAD(pfi_ifhead, pfi_kif); - -/* state tables */ -#ifdef __FreeBSD__ -#ifdef _KERNEL -VNET_DECLARE(struct pf_state_tree, pf_statetbl); -#define V_pf_statetbl VNET(pf_statetbl) -#endif -#else -extern struct pf_state_tree pf_statetbl; -#endif - -/* keep synced with pfi_kif, used in RB_FIND */ -struct pfi_kif_cmp { - char pfik_name[IFNAMSIZ]; -}; - -struct pfi_kif { - char pfik_name[IFNAMSIZ]; - RB_ENTRY(pfi_kif) pfik_tree; - u_int64_t pfik_packets[2][2][2]; - u_int64_t pfik_bytes[2][2][2]; - u_int32_t pfik_tzero; - int pfik_flags; - void *pfik_ah_cookie; - struct ifnet *pfik_ifp; - struct ifg_group *pfik_group; - int pfik_states; - int pfik_rules; - TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; -}; - -enum pfi_kif_refs { - PFI_KIF_REF_NONE, - PFI_KIF_REF_STATE, - PFI_KIF_REF_RULE -}; - -#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ - -struct pf_pdesc { - struct { - int done; - uid_t uid; - gid_t gid; - pid_t pid; - } lookup; - u_int64_t tot_len; /* Make Mickey money */ - union { - struct tcphdr *tcp; - struct udphdr *udp; - struct icmp *icmp; -#ifdef INET6 - struct icmp6_hdr *icmp6; -#endif /* INET6 */ - void *any; - } hdr; - - struct pf_rule *nat_rule; /* nat/rdr rule applied to packet */ - struct ether_header - *eh; - struct pf_addr *src; /* src address */ - struct pf_addr *dst; /* dst address */ - u_int16_t *sport; - u_int16_t *dport; -#ifdef __FreeBSD__ - struct pf_mtag *pf_mtag; -#endif - - u_int32_t p_len; /* total length of payload */ - - u_int16_t *ip_sum; - u_int16_t *proto_sum; - u_int16_t flags; /* Let SCRUB trigger behavior in - * state code. Easier than tags */ -#define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ -#define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */ - sa_family_t af; - u_int8_t proto; - u_int8_t tos; - u_int8_t dir; /* direction */ - u_int8_t sidx; /* key index for source */ - u_int8_t didx; /* key index for destination */ -}; - -/* flags for RDR options */ -#define PF_DPORT_RANGE 0x01 /* Dest port uses range */ -#define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */ - -/* Reasons code for passing/dropping a packet */ -#define PFRES_MATCH 0 /* Explicit match of a rule */ -#define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ -#define PFRES_FRAG 2 /* Dropping following fragment */ -#define PFRES_SHORT 3 /* Dropping short packet */ -#define PFRES_NORM 4 /* Dropping by normalizer */ -#define PFRES_MEMORY 5 /* Dropped due to lacking mem */ -#define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */ -#define PFRES_CONGEST 7 /* Congestion (of ipintrq) */ -#define PFRES_IPOPTIONS 8 /* IP option */ -#define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */ -#define PFRES_BADSTATE 10 /* State mismatch */ -#define PFRES_STATEINS 11 /* State insertion failure */ -#define PFRES_MAXSTATES 12 /* State limit */ -#define PFRES_SRCLIMIT 13 /* Source node/conn limit */ -#define PFRES_SYNPROXY 14 /* SYN proxy */ -#define PFRES_MAX 15 /* total+1 */ - -#define PFRES_NAMES { \ - "match", \ - "bad-offset", \ - "fragment", \ - "short", \ - "normalize", \ - "memory", \ - "bad-timestamp", \ - "congestion", \ - "ip-option", \ - "proto-cksum", \ - "state-mismatch", \ - "state-insert", \ - "state-limit", \ - "src-limit", \ - "synproxy", \ - NULL \ -} - -/* Counters for other things we want to keep track of */ -#define LCNT_STATES 0 /* states */ -#define LCNT_SRCSTATES 1 /* max-src-states */ -#define LCNT_SRCNODES 2 /* max-src-nodes */ -#define LCNT_SRCCONN 3 /* max-src-conn */ -#define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */ -#define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */ -#define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */ -#define LCNT_MAX 7 /* total+1 */ - -#define LCNT_NAMES { \ - "max states per rule", \ - "max-src-states", \ - "max-src-nodes", \ - "max-src-conn", \ - "max-src-conn-rate", \ - "overload table insertion", \ - "overload flush states", \ - NULL \ -} - -/* UDP state enumeration */ -#define PFUDPS_NO_TRAFFIC 0 -#define PFUDPS_SINGLE 1 -#define PFUDPS_MULTIPLE 2 - -#define PFUDPS_NSTATES 3 /* number of state levels */ - -#define PFUDPS_NAMES { \ - "NO_TRAFFIC", \ - "SINGLE", \ - "MULTIPLE", \ - NULL \ -} - -/* Other protocol state enumeration */ -#define PFOTHERS_NO_TRAFFIC 0 -#define PFOTHERS_SINGLE 1 -#define PFOTHERS_MULTIPLE 2 - -#define PFOTHERS_NSTATES 3 /* number of state levels */ - -#define PFOTHERS_NAMES { \ - "NO_TRAFFIC", \ - "SINGLE", \ - "MULTIPLE", \ - NULL \ -} - -#define FCNT_STATE_SEARCH 0 -#define FCNT_STATE_INSERT 1 -#define FCNT_STATE_REMOVALS 2 -#define FCNT_MAX 3 - -#define SCNT_SRC_NODE_SEARCH 0 -#define SCNT_SRC_NODE_INSERT 1 -#define SCNT_SRC_NODE_REMOVALS 2 -#define SCNT_MAX 3 - -#define ACTION_SET(a, x) \ - do { \ - if ((a) != NULL) \ - *(a) = (x); \ - } while (0) - -#ifdef __FreeBSD__ -#define REASON_SET(a, x) \ - do { \ - if ((a) != NULL) \ - *(a) = (x); \ - if (x < PFRES_MAX) \ - V_pf_status.counters[x]++; \ - } while (0) -#else -#define REASON_SET(a, x) \ - do { \ - if ((a) != NULL) \ - *(a) = (x); \ - if (x < PFRES_MAX) \ - pf_status.counters[x]++; \ - } while (0) -#endif - -struct pf_status { - u_int64_t counters[PFRES_MAX]; - u_int64_t lcounters[LCNT_MAX]; /* limit counters */ - u_int64_t fcounters[FCNT_MAX]; - u_int64_t scounters[SCNT_MAX]; - u_int64_t pcounters[2][2][3]; - u_int64_t bcounters[2][2]; - u_int64_t stateid; - u_int32_t running; - u_int32_t states; - u_int32_t src_nodes; - u_int32_t since; - u_int32_t debug; - u_int32_t hostid; - char ifname[IFNAMSIZ]; - u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; -}; - -struct cbq_opts { - u_int minburst; - u_int maxburst; - u_int pktsize; - u_int maxpktsize; - u_int ns_per_byte; - u_int maxidle; - int minidle; - u_int offtime; - int flags; -}; - -struct priq_opts { - int flags; -}; - -struct hfsc_opts { - /* real-time service curve */ - u_int rtsc_m1; /* slope of the 1st segment in bps */ - u_int rtsc_d; /* the x-projection of m1 in msec */ - u_int rtsc_m2; /* slope of the 2nd segment in bps */ - /* link-sharing service curve */ - u_int lssc_m1; - u_int lssc_d; - u_int lssc_m2; - /* upper-limit service curve */ - u_int ulsc_m1; - u_int ulsc_d; - u_int ulsc_m2; - int flags; -}; - -struct pf_altq { - char ifname[IFNAMSIZ]; - - void *altq_disc; /* discipline-specific state */ - TAILQ_ENTRY(pf_altq) entries; - - /* scheduler spec */ - u_int8_t scheduler; /* scheduler type */ - u_int16_t tbrsize; /* tokenbucket regulator size */ - u_int32_t ifbandwidth; /* interface bandwidth */ - - /* queue spec */ - char qname[PF_QNAME_SIZE]; /* queue name */ - char parent[PF_QNAME_SIZE]; /* parent name */ - u_int32_t parent_qid; /* parent queue id */ - u_int32_t bandwidth; /* queue bandwidth */ - u_int8_t priority; /* priority */ -#ifdef __FreeBSD__ - u_int8_t local_flags; /* dynamic interface */ -#define PFALTQ_FLAG_IF_REMOVED 0x01 -#endif - u_int16_t qlimit; /* queue size limit */ - u_int16_t flags; /* misc flags */ - union { - struct cbq_opts cbq_opts; - struct priq_opts priq_opts; - struct hfsc_opts hfsc_opts; - } pq_u; - - u_int32_t qid; /* return value */ -}; - -struct pf_tagname { - TAILQ_ENTRY(pf_tagname) entries; - char name[PF_TAG_NAME_SIZE]; - u_int16_t tag; - int ref; -}; - -struct pf_divert { - union { - struct in_addr ipv4; - struct in6_addr ipv6; - } addr; - u_int16_t port; -}; - -#define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */ -#define PFFRAG_FRAG_HIWAT 1000 /* Number of fragmented packets */ -#define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */ -#define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */ - -#define PFR_KTABLE_HIWAT 1000 /* Number of tables */ -#define PFR_KENTRY_HIWAT 200000 /* Number of table entries */ -#define PFR_KENTRY_HIWAT_SMALL 100000 /* Number of table entries (tiny hosts) */ - -/* - * ioctl parameter structures - */ - -struct pfioc_pooladdr { - u_int32_t action; - u_int32_t ticket; - u_int32_t nr; - u_int32_t r_num; - u_int8_t r_action; - u_int8_t r_last; - u_int8_t af; - char anchor[MAXPATHLEN]; - struct pf_pooladdr addr; -}; - -struct pfioc_rule { - u_int32_t action; - u_int32_t ticket; - u_int32_t pool_ticket; - u_int32_t nr; - char anchor[MAXPATHLEN]; - char anchor_call[MAXPATHLEN]; - struct pf_rule rule; -}; - -struct pfioc_natlook { - struct pf_addr saddr; - struct pf_addr daddr; - struct pf_addr rsaddr; - struct pf_addr rdaddr; - u_int16_t sport; - u_int16_t dport; - u_int16_t rsport; - u_int16_t rdport; - sa_family_t af; - u_int8_t proto; - u_int8_t direction; -}; - -struct pfioc_state { - struct pfsync_state state; -}; - -struct pfioc_src_node_kill { - sa_family_t psnk_af; - struct pf_rule_addr psnk_src; - struct pf_rule_addr psnk_dst; - u_int psnk_killed; -}; - -struct pfioc_state_kill { - struct pf_state_cmp psk_pfcmp; - sa_family_t psk_af; - int psk_proto; - struct pf_rule_addr psk_src; - struct pf_rule_addr psk_dst; - char psk_ifname[IFNAMSIZ]; - char psk_label[PF_RULE_LABEL_SIZE]; - u_int psk_killed; -}; - -struct pfioc_states { - int ps_len; - union { - caddr_t psu_buf; - struct pfsync_state *psu_states; - } ps_u; -#define ps_buf ps_u.psu_buf -#define ps_states ps_u.psu_states -}; - -struct pfioc_src_nodes { - int psn_len; - union { - caddr_t psu_buf; - struct pf_src_node *psu_src_nodes; - } psn_u; -#define psn_buf psn_u.psu_buf -#define psn_src_nodes psn_u.psu_src_nodes -}; - -struct pfioc_if { - char ifname[IFNAMSIZ]; -}; - -struct pfioc_tm { - int timeout; - int seconds; -}; - -struct pfioc_limit { - int index; - unsigned limit; -}; - -struct pfioc_altq { - u_int32_t action; - u_int32_t ticket; - u_int32_t nr; - struct pf_altq altq; -}; - -struct pfioc_qstats { - u_int32_t ticket; - u_int32_t nr; - void *buf; - int nbytes; - u_int8_t scheduler; -}; - -struct pfioc_ruleset { - u_int32_t nr; - char path[MAXPATHLEN]; - char name[PF_ANCHOR_NAME_SIZE]; -}; - -#define PF_RULESET_ALTQ (PF_RULESET_MAX) -#define PF_RULESET_TABLE (PF_RULESET_MAX+1) -struct pfioc_trans { - int size; /* number of elements */ - int esize; /* size of each element in bytes */ - struct pfioc_trans_e { - int rs_num; - char anchor[MAXPATHLEN]; - u_int32_t ticket; - } *array; -}; - -#define PFR_FLAG_ATOMIC 0x00000001 -#define PFR_FLAG_DUMMY 0x00000002 -#define PFR_FLAG_FEEDBACK 0x00000004 -#define PFR_FLAG_CLSTATS 0x00000008 -#define PFR_FLAG_ADDRSTOO 0x00000010 -#define PFR_FLAG_REPLACE 0x00000020 -#define PFR_FLAG_ALLRSETS 0x00000040 -#define PFR_FLAG_ALLMASK 0x0000007F -#ifdef _KERNEL -#define PFR_FLAG_USERIOCTL 0x10000000 -#endif - -struct pfioc_table { - struct pfr_table pfrio_table; - void *pfrio_buffer; - int pfrio_esize; - int pfrio_size; - int pfrio_size2; - int pfrio_nadd; - int pfrio_ndel; - int pfrio_nchange; - int pfrio_flags; - u_int32_t pfrio_ticket; -}; -#define pfrio_exists pfrio_nadd -#define pfrio_nzero pfrio_nadd -#define pfrio_nmatch pfrio_nadd -#define pfrio_naddr pfrio_size2 -#define pfrio_setflag pfrio_size2 -#define pfrio_clrflag pfrio_nadd - -struct pfioc_iface { - char pfiio_name[IFNAMSIZ]; - void *pfiio_buffer; - int pfiio_esize; - int pfiio_size; - int pfiio_nzero; - int pfiio_flags; -}; - - -/* - * ioctl operations - */ - -#define DIOCSTART _IO ('D', 1) -#define DIOCSTOP _IO ('D', 2) -#define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule) -#define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule) -#define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule) -/* XXX cut 8 - 17 */ -#define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill) -#define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state) -#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if) -#define DIOCGETSTATUS _IOWR('D', 21, struct pf_status) -#define DIOCCLRSTATUS _IO ('D', 22) -#define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook) -#define DIOCSETDEBUG _IOWR('D', 24, u_int32_t) -#define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states) -#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule) -/* XXX cut 26 - 28 */ -#define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm) -#define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm) -#define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state) -#define DIOCCLRRULECTRS _IO ('D', 38) -#define DIOCGETLIMIT _IOWR('D', 39, struct pfioc_limit) -#define DIOCSETLIMIT _IOWR('D', 40, struct pfioc_limit) -#define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill) -#define DIOCSTARTALTQ _IO ('D', 42) -#define DIOCSTOPALTQ _IO ('D', 43) -#define DIOCADDALTQ _IOWR('D', 45, struct pfioc_altq) -#define DIOCGETALTQS _IOWR('D', 47, struct pfioc_altq) -#define DIOCGETALTQ _IOWR('D', 48, struct pfioc_altq) -#define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq) -#define DIOCGETQSTATS _IOWR('D', 50, struct pfioc_qstats) -#define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr) -#define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr) -#define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr) -#define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr) -#define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr) -/* XXX cut 55 - 57 */ -#define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset) -#define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset) -#define DIOCRCLRTABLES _IOWR('D', 60, struct pfioc_table) -#define DIOCRADDTABLES _IOWR('D', 61, struct pfioc_table) -#define DIOCRDELTABLES _IOWR('D', 62, struct pfioc_table) -#define DIOCRGETTABLES _IOWR('D', 63, struct pfioc_table) -#define DIOCRGETTSTATS _IOWR('D', 64, struct pfioc_table) -#define DIOCRCLRTSTATS _IOWR('D', 65, struct pfioc_table) -#define DIOCRCLRADDRS _IOWR('D', 66, struct pfioc_table) -#define DIOCRADDADDRS _IOWR('D', 67, struct pfioc_table) -#define DIOCRDELADDRS _IOWR('D', 68, struct pfioc_table) -#define DIOCRSETADDRS _IOWR('D', 69, struct pfioc_table) -#define DIOCRGETADDRS _IOWR('D', 70, struct pfioc_table) -#define DIOCRGETASTATS _IOWR('D', 71, struct pfioc_table) -#define DIOCRCLRASTATS _IOWR('D', 72, struct pfioc_table) -#define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table) -#define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table) -#define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table) -#define DIOCOSFPFLUSH _IO('D', 78) -#define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl) -#define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl) -#define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans) -#define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans) -#define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans) -#define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes) -#define DIOCCLRSRCNODES _IO('D', 85) -#define DIOCSETHOSTID _IOWR('D', 86, u_int32_t) -#define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface) -#define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface) -#define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface) -#define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill) -#ifdef __FreeBSD__ -struct pf_ifspeed { - char ifname[IFNAMSIZ]; - u_int32_t baudrate; -}; -#define DIOCGIFSPEED _IOWR('D', 92, struct pf_ifspeed) -#endif - -#ifdef _KERNEL -RB_HEAD(pf_src_tree, pf_src_node); -RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare); -#ifdef __FreeBSD__ -VNET_DECLARE(struct pf_src_tree, tree_src_tracking); -#define V_tree_src_tracking VNET(tree_src_tracking) -#else -extern struct pf_src_tree tree_src_tracking; -#endif - -RB_HEAD(pf_state_tree_id, pf_state); -RB_PROTOTYPE(pf_state_tree_id, pf_state, - entry_id, pf_state_compare_id); -#ifdef __FreeBSD__ -VNET_DECLARE(struct pf_state_tree_id, tree_id); -#define V_tree_id VNET(tree_id) -VNET_DECLARE(struct pf_state_queue, state_list); -#define V_state_list VNET(state_list) -#else -extern struct pf_state_tree_id tree_id; -extern struct pf_state_queue state_list; -#endif - -TAILQ_HEAD(pf_poolqueue, pf_pool); -#ifdef __FreeBSD__ -VNET_DECLARE(struct pf_poolqueue, pf_pools[2]); -#define V_pf_pools VNET(pf_pools) -#else -extern struct pf_poolqueue pf_pools[2]; -#endif -TAILQ_HEAD(pf_altqqueue, pf_altq); -#ifdef __FreeBSD__ -VNET_DECLARE(struct pf_altqqueue, pf_altqs[2]); -#define V_pf_altqs VNET(pf_altqs) -VNET_DECLARE(struct pf_palist, pf_pabuf); -#define V_pf_pabuf VNET(pf_pabuf) -#else -extern struct pf_altqqueue pf_altqs[2]; -extern struct pf_palist pf_pabuf; -#endif - -#ifdef __FreeBSD__ -VNET_DECLARE(u_int32_t, ticket_altqs_active); -#define V_ticket_altqs_active VNET(ticket_altqs_active) -VNET_DECLARE(u_int32_t, ticket_altqs_inactive); -#define V_ticket_altqs_inactive VNET(ticket_altqs_inactive) -VNET_DECLARE(int, altqs_inactive_open); -#define V_altqs_inactive_open VNET(altqs_inactive_open) -VNET_DECLARE(u_int32_t, ticket_pabuf); -#define V_ticket_pabuf VNET(ticket_pabuf) -VNET_DECLARE(struct pf_altqqueue *, pf_altqs_active); -#define V_pf_altqs_active VNET(pf_altqs_active) -VNET_DECLARE(struct pf_altqqueue *, pf_altqs_inactive); -#define V_pf_altqs_inactive VNET(pf_altqs_inactive) -VNET_DECLARE(struct pf_poolqueue *, pf_pools_active); -#define V_pf_pools_active VNET(pf_pools_active) -VNET_DECLARE(struct pf_poolqueue *, pf_pools_inactive); -#define V_pf_pools_inactive VNET(pf_pools_inactive) -#else -extern u_int32_t ticket_altqs_active; -extern u_int32_t ticket_altqs_inactive; -extern int altqs_inactive_open; -extern u_int32_t ticket_pabuf; -extern struct pf_altqqueue *pf_altqs_active; -extern struct pf_altqqueue *pf_altqs_inactive; -extern struct pf_poolqueue *pf_pools_active; -extern struct pf_poolqueue *pf_pools_inactive; -#endif -extern int pf_tbladdr_setup(struct pf_ruleset *, - struct pf_addr_wrap *); -extern void pf_tbladdr_remove(struct pf_addr_wrap *); -extern void pf_tbladdr_copyout(struct pf_addr_wrap *); -extern void pf_calc_skip_steps(struct pf_rulequeue *); -#ifdef __FreeBSD__ -#ifdef ALTQ -extern void pf_altq_ifnet_event(struct ifnet *, int); -#endif -VNET_DECLARE(uma_zone_t, pf_src_tree_pl); -#define V_pf_src_tree_pl VNET(pf_src_tree_pl) -VNET_DECLARE(uma_zone_t, pf_rule_pl); -#define V_pf_rule_pl VNET(pf_rule_pl) -VNET_DECLARE(uma_zone_t, pf_state_pl); -#define V_pf_state_pl VNET(pf_state_pl) -VNET_DECLARE(uma_zone_t, pf_state_key_pl); -#define V_pf_state_key_pl VNET(pf_state_key_pl) -VNET_DECLARE(uma_zone_t, pf_state_item_pl); -#define V_pf_state_item_pl VNET(pf_state_item_pl) -VNET_DECLARE(uma_zone_t, pf_altq_pl); -#define V_pf_altq_pl VNET(pf_altq_pl) -VNET_DECLARE(uma_zone_t, pf_pooladdr_pl); -#define V_pf_pooladdr_pl VNET(pf_pooladdr_pl) -VNET_DECLARE(uma_zone_t, pfr_ktable_pl); -#define V_pfr_ktable_pl VNET(pfr_ktable_pl) -VNET_DECLARE(uma_zone_t, pfr_kentry_pl); -#define V_pfr_kentry_pl VNET(pfr_kentry_pl) -VNET_DECLARE(uma_zone_t, pfr_kcounters_pl); -#define V_pfr_kcounters_pl VNET(pfr_kcounters_pl) -VNET_DECLARE(uma_zone_t, pf_cache_pl); -#define V_pf_cache_pl VNET(pf_cache_pl) -VNET_DECLARE(uma_zone_t, pf_cent_pl); -#define V_pf_cent_pl VNET(pf_cent_pl) -VNET_DECLARE(uma_zone_t, pf_state_scrub_pl); -#define V_pf_state_scrub_pl VNET(pf_state_scrub_pl) -VNET_DECLARE(uma_zone_t, pfi_addr_pl); -#define V_pfi_addr_pl VNET(pfi_addr_pl) -#else -extern struct pool pf_src_tree_pl, pf_rule_pl; -extern struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl, - pf_altq_pl, pf_pooladdr_pl; -extern struct pool pf_state_scrub_pl; -#endif -extern void pf_purge_thread(void *); -#ifdef __FreeBSD__ -extern int pf_purge_expired_src_nodes(int); -extern int pf_purge_expired_states(u_int32_t , int); -#else -extern void pf_purge_expired_src_nodes(int); -extern void pf_purge_expired_states(u_int32_t); -#endif -extern void pf_unlink_state(struct pf_state *); -extern void pf_free_state(struct pf_state *); -extern int pf_state_insert(struct pfi_kif *, - struct pf_state_key *, - struct pf_state_key *, - struct pf_state *); -extern int pf_insert_src_node(struct pf_src_node **, - struct pf_rule *, struct pf_addr *, - sa_family_t); -void pf_src_tree_remove_state(struct pf_state *); -extern struct pf_state *pf_find_state_byid(struct pf_state_cmp *); -extern struct pf_state *pf_find_state_all(struct pf_state_key_cmp *, - u_int, int *); -extern void pf_print_state(struct pf_state *); -extern void pf_print_flags(u_int8_t); -extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, - u_int8_t); - -#ifdef __FreeBSD__ -VNET_DECLARE(struct ifnet *, sync_ifp); -#define V_sync_ifp VNET(sync_ifp); -VNET_DECLARE(struct pf_rule, pf_default_rule); -#define V_pf_default_rule VNET(pf_default_rule) -#else -extern struct ifnet *sync_ifp; -extern struct pf_rule pf_default_rule; -#endif -extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, - u_int8_t); -void pf_rm_rule(struct pf_rulequeue *, - struct pf_rule *); -#ifndef __FreeBSD__ -struct pf_divert *pf_find_divert(struct mbuf *); -#endif - -#ifdef INET -#ifdef __FreeBSD__ -int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *, - struct inpcb *); -#else -int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *); -#endif -#endif /* INET */ - -#ifdef INET6 -#ifdef __FreeBSD__ -int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *, - struct inpcb *); -#else -int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *); -#endif -void pf_poolmask(struct pf_addr *, struct pf_addr*, - struct pf_addr *, struct pf_addr *, u_int8_t); -void pf_addr_inc(struct pf_addr *, sa_family_t); -#endif /* INET6 */ - -#ifdef __FreeBSD__ -u_int32_t pf_new_isn(struct pf_state *); -#endif -void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, - sa_family_t); -void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); -int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, - u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *, - struct pf_pdesc *); -void pf_send_deferred_syn(struct pf_state *); -int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, - struct pf_addr *, sa_family_t); -int pf_match_addr_range(struct pf_addr *, struct pf_addr *, - struct pf_addr *, sa_family_t); -int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); -int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); -int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t); -int pf_match_gid(u_int8_t, gid_t, gid_t, gid_t); - -void pf_normalize_init(void); -int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *, - struct pf_pdesc *); -int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *, - struct pf_pdesc *); -int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *, - struct pf_pdesc *); -void pf_normalize_tcp_cleanup(struct pf_state *); -int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, - struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); -int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, - u_short *, struct tcphdr *, struct pf_state *, - struct pf_state_peer *, struct pf_state_peer *, int *); -u_int32_t - pf_state_expires(const struct pf_state *); -void pf_purge_expired_fragments(void); -int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *, - int); -int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *, - int); -#ifdef __FreeBSD__ -int pf_socket_lookup(int, struct pf_pdesc *, struct inpcb *); -#else -int pf_socket_lookup(int, struct pf_pdesc *); -#endif -struct pf_state_key *pf_alloc_state_key(int); -void pf_pkt_addr_changed(struct mbuf *); -int pf_state_key_attach(struct pf_state_key *, struct pf_state *, int); -void pfr_initialize(void); -int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); -void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, - u_int64_t, int, int, int); -int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, - struct pf_addr **, struct pf_addr **, sa_family_t); -void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *); -struct pfr_ktable * - pfr_attach_table(struct pf_ruleset *, char *, int); -void pfr_detach_table(struct pfr_ktable *); -int pfr_clr_tables(struct pfr_table *, int *, int); -int pfr_add_tables(struct pfr_table *, int, int *, int); -int pfr_del_tables(struct pfr_table *, int, int *, int); -int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int); -int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int); -int pfr_clr_tstats(struct pfr_table *, int, int *, int); -int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int); -int pfr_clr_addrs(struct pfr_table *, int *, int); -int pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long); -int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *, - int); -int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *, - int); -int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *, - int *, int *, int *, int, u_int32_t); -int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); -int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); -int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, - int); -int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, - int); -int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int); -int pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int); -int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int); -int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, - int *, u_int32_t, int); - -#ifdef __FreeBSD__ -VNET_DECLARE(struct pfi_kif *, pfi_all); -#define V_pfi_all VNET(pfi_all) -#else -extern struct pfi_kif *pfi_all; -#endif - -void pfi_initialize(void); -#ifdef __FreeBSD__ -void pfi_cleanup(void); -#endif -struct pfi_kif *pfi_kif_get(const char *); -void pfi_kif_ref(struct pfi_kif *, enum pfi_kif_refs); -void pfi_kif_unref(struct pfi_kif *, enum pfi_kif_refs); -int pfi_kif_match(struct pfi_kif *, struct pfi_kif *); -void pfi_attach_ifnet(struct ifnet *); -void pfi_detach_ifnet(struct ifnet *); -void pfi_attach_ifgroup(struct ifg_group *); -void pfi_detach_ifgroup(struct ifg_group *); -void pfi_group_change(const char *); -int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, - sa_family_t); -int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t); -void pfi_dynaddr_remove(struct pf_addr_wrap *); -void pfi_dynaddr_copyout(struct pf_addr_wrap *); -void pfi_update_status(const char *, struct pf_status *); -int pfi_get_ifaces(const char *, struct pfi_kif *, int *); -int pfi_set_flags(const char *, int); -int pfi_clear_flags(const char *, int); - -#ifdef __FreeBSD__ -int pf_match_tag(struct mbuf *, struct pf_rule *, int *, - struct pf_mtag *); -#else -int pf_match_tag(struct mbuf *, struct pf_rule *, int *); -#endif -u_int16_t pf_tagname2tag(char *); -void pf_tag2tagname(u_int16_t, char *); -void pf_tag_ref(u_int16_t); -void pf_tag_unref(u_int16_t); -#ifdef __FreeBSD__ -int pf_tag_packet(struct mbuf *, int, int, struct pf_mtag *); -#else -int pf_tag_packet(struct mbuf *, int, int); -#endif -u_int32_t pf_qname2qid(char *); -void pf_qid2qname(u_int32_t, char *); -void pf_qid_unref(u_int32_t); - -#ifdef __FreeBSD__ -VNET_DECLARE(struct pf_status, pf_status); -#define V_pf_status VNET(pf_status) -#else -extern struct pf_status pf_status; -#endif - -#ifdef __FreeBSD__ -VNET_DECLARE(uma_zone_t, pf_frent_pl); -#define V_pf_frent_pl VNET(pf_frent_pl) -VNET_DECLARE(uma_zone_t, pf_frag_pl); -#define V_pf_frag_pl VNET(pf_frag_pl) -VNET_DECLARE(struct sx, pf_consistency_lock); -#define V_pf_consistency_lock VNET(pf_consistency_lock) -#else -extern struct pool pf_frent_pl, pf_frag_pl; -extern struct rwlock pf_consistency_lock; -#endif - -struct pf_pool_limit { - void *pp; - unsigned limit; -}; -#ifdef __FreeBSD__ -VNET_DECLARE(struct pf_pool_limit, pf_pool_limits[PF_LIMIT_MAX]); -#define V_pf_pool_limits VNET(pf_pool_limits) -#else -extern struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; -#endif - -#ifdef __FreeBSD__ -struct pf_frent { - LIST_ENTRY(pf_frent) fr_next; - struct ip *fr_ip; - struct mbuf *fr_m; -}; - -struct pf_frcache { - LIST_ENTRY(pf_frcache) fr_next; - uint16_t fr_off; - uint16_t fr_end; -}; - -struct pf_fragment { - RB_ENTRY(pf_fragment) fr_entry; - TAILQ_ENTRY(pf_fragment) frag_next; - struct in_addr fr_src; - struct in_addr fr_dst; - u_int8_t fr_p; /* protocol of this fragment */ - u_int8_t fr_flags; /* status flags */ - u_int16_t fr_id; /* fragment id for reassemble */ - u_int16_t fr_max; /* fragment data max */ - u_int32_t fr_timeout; -#define fr_queue fr_u.fru_queue -#define fr_cache fr_u.fru_cache - union { - LIST_HEAD(pf_fragq, pf_frent) fru_queue; /* buffering */ - LIST_HEAD(pf_cacheq, pf_frcache) fru_cache; /* non-buf */ - } fr_u; -}; -#endif /* (__FreeBSD__) */ - -#endif /* _KERNEL */ - -#ifdef __FreeBSD__ -#ifdef _KERNEL -VNET_DECLARE(struct pf_anchor_global, pf_anchors); -#define V_pf_anchors VNET(pf_anchors) -VNET_DECLARE(struct pf_anchor, pf_main_anchor); -#define V_pf_main_anchor VNET(pf_main_anchor) -#define pf_main_ruleset V_pf_main_anchor.ruleset -#endif -#else -extern struct pf_anchor_global pf_anchors; -extern struct pf_anchor pf_main_anchor; -#define pf_main_ruleset pf_main_anchor.ruleset -#endif - -/* these ruleset functions can be linked into userland programs (pfctl) */ -int pf_get_ruleset_number(u_int8_t); -void pf_init_ruleset(struct pf_ruleset *); -int pf_anchor_setup(struct pf_rule *, - const struct pf_ruleset *, const char *); -int pf_anchor_copyout(const struct pf_ruleset *, - const struct pf_rule *, struct pfioc_rule *); -void pf_anchor_remove(struct pf_rule *); -void pf_remove_if_empty_ruleset(struct pf_ruleset *); -struct pf_anchor *pf_find_anchor(const char *); -struct pf_ruleset *pf_find_ruleset(const char *); -struct pf_ruleset *pf_find_or_create_ruleset(const char *); -void pf_rs_initialize(void); - -#ifndef __FreeBSD__ -#ifdef _KERNEL -int pf_anchor_copyout(const struct pf_ruleset *, - const struct pf_rule *, struct pfioc_rule *); -void pf_anchor_remove(struct pf_rule *); - -#endif /* _KERNEL */ -#endif - -/* The fingerprint functions can be linked into userland programs (tcpdump) */ -int pf_osfp_add(struct pf_osfp_ioctl *); -#ifdef _KERNEL -struct pf_osfp_enlist * - pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, int, - const struct tcphdr *); -#endif /* _KERNEL */ -struct pf_osfp_enlist * - pf_osfp_fingerprint_hdr(const struct ip *, const struct ip6_hdr *, - const struct tcphdr *); -void pf_osfp_flush(void); -int pf_osfp_get(struct pf_osfp_ioctl *); -#ifdef __FreeBSD__ -int pf_osfp_initialize(void); -void pf_osfp_cleanup(void); -#else -void pf_osfp_initialize(void); -#endif -int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t); -struct pf_os_fingerprint * - pf_osfp_validate(void); - -#ifdef _KERNEL -void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); - -void pf_step_into_anchor(int *, struct pf_ruleset **, int, - struct pf_rule **, struct pf_rule **, int *); -int pf_step_out_of_anchor(int *, struct pf_ruleset **, - int, struct pf_rule **, struct pf_rule **, - int *); - -int pf_map_addr(u_int8_t, struct pf_rule *, - struct pf_addr *, struct pf_addr *, - struct pf_addr *, struct pf_src_node **); -struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, - int, int, struct pfi_kif *, struct pf_src_node **, - struct pf_state_key **, struct pf_state_key **, - struct pf_state_key **, struct pf_state_key **, - struct pf_addr *, struct pf_addr *, - u_int16_t, u_int16_t); - -int pf_state_key_setup(struct pf_pdesc *, struct pf_rule *, - struct pf_state_key **, struct pf_state_key **, - struct pf_state_key **, struct pf_state_key **, - struct pf_addr *, struct pf_addr *, - u_int16_t, u_int16_t); -#endif /* _KERNEL */ - - -#endif /* _NET_PFVAR_H_ */ diff --git a/sys/contrib/pf/netinet/in4_cksum.c b/sys/contrib/pf/netinet/in4_cksum.c deleted file mode 100644 index bf25baf..0000000 --- a/sys/contrib/pf/netinet/in4_cksum.c +++ /dev/null @@ -1,120 +0,0 @@ -/* $FreeBSD$ */ -/* $OpenBSD: in4_cksum.c,v 1.7 2003/06/02 23:28:13 millert Exp $ */ -/* $KAME: in4_cksum.c,v 1.10 2001/11/30 10:06:15 itojun Exp $ */ -/* $NetBSD: in_cksum.c,v 1.13 1996/10/13 02:03:03 christos Exp $ */ - -/* - * Copyright (C) 1999 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * Copyright (c) 1988, 1992, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)in_cksum.c 8.1 (Berkeley) 6/10/93 - */ - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/mbuf.h> - -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> - -#include <machine/in_cksum.h> - -#define ADDCARRY(x) (x > 65535 ? x -= 65535 : x) -#define REDUCE {l_util.l = sum; sum = l_util.s[0] + l_util.s[1]; (void)ADDCARRY(sum);} - -int in4_cksum(struct mbuf *, u_int8_t, int, int); - -int -in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len) -{ - union { - struct ipovly ipov; - u_int16_t w[10]; - } u; - union { - u_int16_t s[2]; - u_int32_t l; - } l_util; - - u_int16_t *w; - int psum; - int sum = 0; - - if (nxt != 0) { - /* pseudo header */ - if (off < sizeof(struct ipovly)) - panic("in4_cksum: offset too short"); - if (m->m_len < sizeof(struct ip)) - panic("in4_cksum: bad mbuf chain"); - bzero(&u.ipov, sizeof(u.ipov)); - u.ipov.ih_len = htons(len); - u.ipov.ih_pr = nxt; - u.ipov.ih_src = mtod(m, struct ip *)->ip_src; - u.ipov.ih_dst = mtod(m, struct ip *)->ip_dst; - w = u.w; - /* assumes sizeof(ipov) == 20 */ - sum += w[0]; sum += w[1]; sum += w[2]; sum += w[3]; sum += w[4]; - sum += w[5]; sum += w[6]; sum += w[7]; sum += w[8]; sum += w[9]; - } - - psum = in_cksum_skip(m, len + off, off); - psum = ~psum & 0xffff; - sum += psum; - REDUCE; - return (~sum & 0xffff); -} diff --git a/sys/netinet/ipfw/dn_heap.c b/sys/netinet/ipfw/dn_heap.c deleted file mode 100644 index 3bdfd9d..0000000 --- a/sys/netinet/ipfw/dn_heap.c +++ /dev/null @@ -1,552 +0,0 @@ -/*- - * Copyright (c) 1998-2002,2010 Luigi Rizzo, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * Binary heap and hash tables, used in dummynet - * - * $FreeBSD$ - */ - -#include <sys/cdefs.h> -#include <sys/param.h> -#ifdef _KERNEL -__FBSDID("$FreeBSD$"); -#include <sys/systm.h> -#include <sys/malloc.h> -#include <sys/kernel.h> -#include <netinet/ipfw/dn_heap.h> -#ifndef log -#define log(x, arg...) -#endif - -#else /* !_KERNEL */ - -#include <stdio.h> -#include <dn_test.h> -#include <strings.h> -#include <stdlib.h> - -#include "dn_heap.h" -#define log(x, arg...) fprintf(stderr, ## arg) -#define panic(x...) fprintf(stderr, ## x), exit(1) -#define MALLOC_DEFINE(a, b, c) -static void *my_malloc(int s) { return malloc(s); } -static void my_free(void *p) { free(p); } -#define malloc(s, t, w) my_malloc(s) -#define free(p, t) my_free(p) -#endif /* !_KERNEL */ - -static MALLOC_DEFINE(M_DN_HEAP, "dummynet", "dummynet heap"); - -/* - * Heap management functions. - * - * In the heap, first node is element 0. Children of i are 2i+1 and 2i+2. - * Some macros help finding parent/children so we can optimize them. - * - * heap_init() is called to expand the heap when needed. - * Increment size in blocks of 16 entries. - * Returns 1 on error, 0 on success - */ -#define HEAP_FATHER(x) ( ( (x) - 1 ) / 2 ) -#define HEAP_LEFT(x) ( (x)+(x) + 1 ) -#define HEAP_SWAP(a, b, buffer) { buffer = a ; a = b ; b = buffer ; } -#define HEAP_INCREMENT 15 - -static int -heap_resize(struct dn_heap *h, unsigned int new_size) -{ - struct dn_heap_entry *p; - - if (h->size >= new_size ) /* have enough room */ - return 0; -#if 1 /* round to the next power of 2 */ - new_size |= new_size >> 1; - new_size |= new_size >> 2; - new_size |= new_size >> 4; - new_size |= new_size >> 8; - new_size |= new_size >> 16; -#else - new_size = (new_size + HEAP_INCREMENT ) & ~HEAP_INCREMENT; -#endif - p = malloc(new_size * sizeof(*p), M_DN_HEAP, M_NOWAIT); - if (p == NULL) { - printf("--- %s, resize %d failed\n", __func__, new_size ); - return 1; /* error */ - } - if (h->size > 0) { - bcopy(h->p, p, h->size * sizeof(*p) ); - free(h->p, M_DN_HEAP); - } - h->p = p; - h->size = new_size; - return 0; -} - -int -heap_init(struct dn_heap *h, int size, int ofs) -{ - if (heap_resize(h, size)) - return 1; - h->elements = 0; - h->ofs = ofs; - return 0; -} - -/* - * Insert element in heap. Normally, p != NULL, we insert p in - * a new position and bubble up. If p == NULL, then the element is - * already in place, and key is the position where to start the - * bubble-up. - * Returns 1 on failure (cannot allocate new heap entry) - * - * If ofs > 0 the position (index, int) of the element in the heap is - * also stored in the element itself at the given offset in bytes. - */ -#define SET_OFFSET(h, i) do { \ - if (h->ofs > 0) \ - *((int32_t *)((char *)(h->p[i].object) + h->ofs)) = i; \ - } while (0) -/* - * RESET_OFFSET is used for sanity checks. It sets ofs - * to an invalid value. - */ -#define RESET_OFFSET(h, i) do { \ - if (h->ofs > 0) \ - *((int32_t *)((char *)(h->p[i].object) + h->ofs)) = -16; \ - } while (0) - -int -heap_insert(struct dn_heap *h, uint64_t key1, void *p) -{ - int son = h->elements; - - //log("%s key %llu p %p\n", __FUNCTION__, key1, p); - if (p == NULL) { /* data already there, set starting point */ - son = key1; - } else { /* insert new element at the end, possibly resize */ - son = h->elements; - if (son == h->size) /* need resize... */ - // XXX expand by 16 or so - if (heap_resize(h, h->elements+16) ) - return 1; /* failure... */ - h->p[son].object = p; - h->p[son].key = key1; - h->elements++; - } - /* make sure that son >= father along the path */ - while (son > 0) { - int father = HEAP_FATHER(son); - struct dn_heap_entry tmp; - - if (DN_KEY_LT( h->p[father].key, h->p[son].key ) ) - break; /* found right position */ - /* son smaller than father, swap and repeat */ - HEAP_SWAP(h->p[son], h->p[father], tmp); - SET_OFFSET(h, son); - son = father; - } - SET_OFFSET(h, son); - return 0; -} - -/* - * remove top element from heap, or obj if obj != NULL - */ -void -heap_extract(struct dn_heap *h, void *obj) -{ - int child, father, max = h->elements - 1; - - if (max < 0) { - printf("--- %s: empty heap 0x%p\n", __FUNCTION__, h); - return; - } - if (obj == NULL) - father = 0; /* default: move up smallest child */ - else { /* extract specific element, index is at offset */ - if (h->ofs <= 0) - panic("%s: extract from middle not set on %p\n", - __FUNCTION__, h); - father = *((int *)((char *)obj + h->ofs)); - if (father < 0 || father >= h->elements) { - panic("%s: father %d out of bound 0..%d\n", - __FUNCTION__, father, h->elements); - } - } - /* - * below, father is the index of the empty element, which - * we replace at each step with the smallest child until we - * reach the bottom level. - */ - // XXX why removing RESET_OFFSET increases runtime by 10% ? - RESET_OFFSET(h, father); - while ( (child = HEAP_LEFT(father)) <= max ) { - if (child != max && - DN_KEY_LT(h->p[child+1].key, h->p[child].key) ) - child++; /* take right child, otherwise left */ - h->p[father] = h->p[child]; - SET_OFFSET(h, father); - father = child; - } - h->elements--; - if (father != max) { - /* - * Fill hole with last entry and bubble up, - * reusing the insert code - */ - h->p[father] = h->p[max]; - heap_insert(h, father, NULL); - } -} - -#if 0 -/* - * change object position and update references - * XXX this one is never used! - */ -static void -heap_move(struct dn_heap *h, uint64_t new_key, void *object) -{ - int temp, i, max = h->elements-1; - struct dn_heap_entry *p, buf; - - if (h->ofs <= 0) - panic("cannot move items on this heap"); - p = h->p; /* shortcut */ - - i = *((int *)((char *)object + h->ofs)); - if (DN_KEY_LT(new_key, p[i].key) ) { /* must move up */ - p[i].key = new_key; - for (; i>0 && - DN_KEY_LT(new_key, p[(temp = HEAP_FATHER(i))].key); - i = temp ) { /* bubble up */ - HEAP_SWAP(p[i], p[temp], buf); - SET_OFFSET(h, i); - } - } else { /* must move down */ - p[i].key = new_key; - while ( (temp = HEAP_LEFT(i)) <= max ) { - /* found left child */ - if (temp != max && - DN_KEY_LT(p[temp+1].key, p[temp].key)) - temp++; /* select child with min key */ - if (DN_KEY_LT(>p[temp].key, new_key)) { - /* go down */ - HEAP_SWAP(p[i], p[temp], buf); - SET_OFFSET(h, i); - } else - break; - i = temp; - } - } - SET_OFFSET(h, i); -} -#endif /* heap_move, unused */ - -/* - * heapify() will reorganize data inside an array to maintain the - * heap property. It is needed when we delete a bunch of entries. - */ -static void -heapify(struct dn_heap *h) -{ - int i; - - for (i = 0; i < h->elements; i++ ) - heap_insert(h, i , NULL); -} - -int -heap_scan(struct dn_heap *h, int (*fn)(void *, uintptr_t), - uintptr_t arg) -{ - int i, ret, found; - - for (i = found = 0 ; i < h->elements ;) { - ret = fn(h->p[i].object, arg); - if (ret & HEAP_SCAN_DEL) { - h->elements-- ; - h->p[i] = h->p[h->elements] ; - found++ ; - } else - i++ ; - if (ret & HEAP_SCAN_END) - break; - } - if (found) - heapify(h); - return found; -} - -/* - * cleanup the heap and free data structure - */ -void -heap_free(struct dn_heap *h) -{ - if (h->size >0 ) - free(h->p, M_DN_HEAP); - bzero(h, sizeof(*h) ); -} - -/* - * hash table support. - */ - -struct dn_ht { - int buckets; /* how many buckets, really buckets - 1*/ - int entries; /* how many entries */ - int ofs; /* offset of link field */ - uint32_t (*hash)(uintptr_t, int, void *arg); - int (*match)(void *_el, uintptr_t key, int, void *); - void *(*newh)(uintptr_t, int, void *); - void **ht; /* bucket heads */ -}; -/* - * Initialize, allocating bucket pointers inline. - * Recycle previous record if possible. - * If the 'newh' function is not supplied, we assume that the - * key passed to ht_find is the same object to be stored in. - */ -struct dn_ht * -dn_ht_init(struct dn_ht *ht, int buckets, int ofs, - uint32_t (*h)(uintptr_t, int, void *), - int (*match)(void *, uintptr_t, int, void *), - void *(*newh)(uintptr_t, int, void *)) -{ - int l; - - /* - * Notes about rounding bucket size to a power of two. - * Given the original bucket size, we compute the nearest lower and - * higher power of two, minus 1 (respectively b_min and b_max) because - * this value will be used to do an AND with the index returned - * by hash function. - * To choice between these two values, the original bucket size is - * compared with b_min. If the original size is greater than 4/3 b_min, - * we round the bucket size to b_max, else to b_min. - * This ratio try to round to the nearest power of two, advantaging - * the greater size if the different between two power is relatively - * big. - * Rounding the bucket size to a power of two avoid the use of - * module when calculating the correct bucket. - * The ht->buckets variable store the bucket size - 1 to simply - * do an AND between the index returned by hash function and ht->bucket - * instead of a module. - */ - int b_min; /* min buckets */ - int b_max; /* max buckets */ - int b_ori; /* original buckets */ - - if (h == NULL || match == NULL) { - printf("--- missing hash or match function"); - return NULL; - } - if (buckets < 1 || buckets > 65536) - return NULL; - - b_ori = buckets; - /* calculate next power of 2, - 1*/ - buckets |= buckets >> 1; - buckets |= buckets >> 2; - buckets |= buckets >> 4; - buckets |= buckets >> 8; - buckets |= buckets >> 16; - - b_max = buckets; /* Next power */ - b_min = buckets >> 1; /* Previous power */ - - /* Calculate the 'nearest' bucket size */ - if (b_min * 4000 / 3000 < b_ori) - buckets = b_max; - else - buckets = b_min; - - if (ht) { /* see if we can reuse */ - if (buckets <= ht->buckets) { - ht->buckets = buckets; - } else { - /* free pointers if not allocated inline */ - if (ht->ht != (void *)(ht + 1)) - free(ht->ht, M_DN_HEAP); - free(ht, M_DN_HEAP); - ht = NULL; - } - } - if (ht == NULL) { - /* Allocate buckets + 1 entries because buckets is use to - * do the AND with the index returned by hash function - */ - l = sizeof(*ht) + (buckets + 1) * sizeof(void **); - ht = malloc(l, M_DN_HEAP, M_NOWAIT | M_ZERO); - } - if (ht) { - ht->ht = (void **)(ht + 1); - ht->buckets = buckets; - ht->ofs = ofs; - ht->hash = h; - ht->match = match; - ht->newh = newh; - } - return ht; -} - -/* dummy callback for dn_ht_free to unlink all */ -static int -do_del(void *obj, void *arg) -{ - return DNHT_SCAN_DEL; -} - -void -dn_ht_free(struct dn_ht *ht, int flags) -{ - if (ht == NULL) - return; - if (flags & DNHT_REMOVE) { - (void)dn_ht_scan(ht, do_del, NULL); - } else { - if (ht->ht && ht->ht != (void *)(ht + 1)) - free(ht->ht, M_DN_HEAP); - free(ht, M_DN_HEAP); - } -} - -int -dn_ht_entries(struct dn_ht *ht) -{ - return ht ? ht->entries : 0; -} - -/* lookup and optionally create or delete element */ -void * -dn_ht_find(struct dn_ht *ht, uintptr_t key, int flags, void *arg) -{ - int i; - void **pp, *p; - - if (ht == NULL) /* easy on an empty hash */ - return NULL; - i = (ht->buckets == 1) ? 0 : - (ht->hash(key, flags, arg) & ht->buckets); - - for (pp = &ht->ht[i]; (p = *pp); pp = (void **)((char *)p + ht->ofs)) { - if (flags & DNHT_MATCH_PTR) { - if (key == (uintptr_t)p) - break; - } else if (ht->match(p, key, flags, arg)) /* found match */ - break; - } - if (p) { - if (flags & DNHT_REMOVE) { - /* link in the next element */ - *pp = *(void **)((char *)p + ht->ofs); - *(void **)((char *)p + ht->ofs) = NULL; - ht->entries--; - } - } else if (flags & DNHT_INSERT) { - // printf("%s before calling new, bucket %d ofs %d\n", - // __FUNCTION__, i, ht->ofs); - p = ht->newh ? ht->newh(key, flags, arg) : (void *)key; - // printf("%s newh returns %p\n", __FUNCTION__, p); - if (p) { - ht->entries++; - *(void **)((char *)p + ht->ofs) = ht->ht[i]; - ht->ht[i] = p; - } - } - return p; -} - -/* - * do a scan with the option to delete the object. Extract next before - * running the callback because the element may be destroyed there. - */ -int -dn_ht_scan(struct dn_ht *ht, int (*fn)(void *, void *), void *arg) -{ - int i, ret, found = 0; - void **curp, *cur, *next; - - if (ht == NULL || fn == NULL) - return 0; - for (i = 0; i <= ht->buckets; i++) { - curp = &ht->ht[i]; - while ( (cur = *curp) != NULL) { - next = *(void **)((char *)cur + ht->ofs); - ret = fn(cur, arg); - if (ret & DNHT_SCAN_DEL) { - found++; - ht->entries--; - *curp = next; - } else { - curp = (void **)((char *)cur + ht->ofs); - } - if (ret & DNHT_SCAN_END) - return found; - } - } - return found; -} - -/* - * Similar to dn_ht_scan(), except that the scan is performed only - * in the bucket 'bucket'. The function returns a correct bucket number if - * the original is invalid. - * If the callback returns DNHT_SCAN_END, the function move the ht->ht[i] - * pointer to the last entry processed. Moreover, the bucket number passed - * by caller is decremented, because usually the caller increment it. - */ -int -dn_ht_scan_bucket(struct dn_ht *ht, int *bucket, int (*fn)(void *, void *), - void *arg) -{ - int i, ret, found = 0; - void **curp, *cur, *next; - - if (ht == NULL || fn == NULL) - return 0; - if (*bucket > ht->buckets) - *bucket = 0; - i = *bucket; - - curp = &ht->ht[i]; - while ( (cur = *curp) != NULL) { - next = *(void **)((char *)cur + ht->ofs); - ret = fn(cur, arg); - if (ret & DNHT_SCAN_DEL) { - found++; - ht->entries--; - *curp = next; - } else { - curp = (void **)((char *)cur + ht->ofs); - } - if (ret & DNHT_SCAN_END) - return found; - } - return found; -} diff --git a/sys/netinet/ipfw/dn_heap.h b/sys/netinet/ipfw/dn_heap.h deleted file mode 100644 index c95473a..0000000 --- a/sys/netinet/ipfw/dn_heap.h +++ /dev/null @@ -1,191 +0,0 @@ -/*- - * Copyright (c) 1998-2010 Luigi Rizzo, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * Binary heap and hash tables, header file - * - * $FreeBSD$ - */ - -#ifndef _IP_DN_HEAP_H -#define _IP_DN_HEAP_H - -#define DN_KEY_LT(a,b) ((int64_t)((a)-(b)) < 0) -#define DN_KEY_LEQ(a,b) ((int64_t)((a)-(b)) <= 0) - -/* - * This module implements a binary heap supporting random extraction. - * - * A heap entry contains an uint64_t key and a pointer to object. - * DN_KEY_LT(a,b) returns true if key 'a' is smaller than 'b' - * - * The heap is a struct dn_heap plus a dynamically allocated - * array of dn_heap_entry entries. 'size' represents the size of - * the array, 'elements' count entries in use. The topmost - * element has the smallest key. - * The heap supports ordered insert, and extract from the top. - * To extract an object from the middle of the heap, we the object - * must reserve an 'int32_t' to store the position of the object - * in the heap itself, and the location of this field must be - * passed as an argument to heap_init() -- use -1 if the feature - * is not used. - */ -struct dn_heap_entry { - uint64_t key; /* sorting key, smallest comes first */ - void *object; /* object pointer */ -}; - -struct dn_heap { - int size; /* the size of the array */ - int elements; /* elements in use */ - int ofs; /* offset in the object of heap index */ - struct dn_heap_entry *p; /* array of "size" entries */ -}; - -enum { - HEAP_SCAN_DEL = 1, - HEAP_SCAN_END = 2, -}; - -/* - * heap_init() reinitializes the heap setting the size and the offset - * of the index for random extraction (use -1 if not used). - * The 'elements' counter is set to 0. - * - * SET_HEAP_OFS() indicates where, in the object, is stored the index - * for random extractions from the heap. - * - * heap_free() frees the memory associated to a heap. - * - * heap_insert() adds a key-pointer pair to the heap - * - * HEAP_TOP() returns a pointer to the top element of the heap, - * but makes no checks on its existance (XXX should we change ?) - * - * heap_extract() removes the entry at the top, returing the pointer. - * (the key should have been read before). - * - * heap_scan() invokes a callback on each entry of the heap. - * The callback can return a combination of HEAP_SCAN_DEL and - * HEAP_SCAN_END. HEAP_SCAN_DEL means the current element must - * be removed, and HEAP_SCAN_END means to terminate the scan. - * heap_scan() returns the number of elements removed. - * Because the order is not guaranteed, we should use heap_scan() - * only as a last resort mechanism. - */ -#define HEAP_TOP(h) ((h)->p) -#define SET_HEAP_OFS(h, n) do { (h)->ofs = n; } while (0) -int heap_init(struct dn_heap *h, int size, int ofs); -int heap_insert(struct dn_heap *h, uint64_t key1, void *p); -void heap_extract(struct dn_heap *h, void *obj); -void heap_free(struct dn_heap *h); -int heap_scan(struct dn_heap *, int (*)(void *, uintptr_t), uintptr_t); - -/*------------------------------------------------------ - * This module implements a generic hash table with support for - * running callbacks on the entire table. To avoid allocating - * memory during hash table operations, objects must reserve - * space for a link field. XXX if the heap is moderately full, - * an SLIST suffices, and we can tolerate the cost of a hash - * computation on each removal. - * - * dn_ht_init() initializes the table, setting the number of - * buckets, the offset of the link field, the main callbacks. - * Callbacks are: - * - * hash(key, flags, arg) called to return a bucket index. - * match(obj, key, flags, arg) called to determine if key - * matches the current 'obj' in the heap - * newh(key, flags, arg) optional, used to allocate a new - * object during insertions. - * - * dn_ht_free() frees the heap or unlink elements. - * DNHT_REMOVE unlink elements, 0 frees the heap. - * You need two calls to do both. - * - * dn_ht_find() is the main lookup function, which can also be - * used to insert or delete elements in the hash table. - * The final 'arg' is passed to all callbacks. - * - * dn_ht_scan() is used to invoke a callback on all entries of - * the heap, or possibly on just one bucket. The callback - * is invoked with a pointer to the object, and must return - * one of DNHT_SCAN_DEL or DNHT_SCAN_END to request the - * removal of the object from the heap and the end of the - * scan, respectively. - * - * dn_ht_scan_bucket() is similar to dn_ht_scan(), except that it scans - * only the specific bucket of the table. The bucket is a in-out - * parameter and return a valid bucket number if the original - * is invalid. - * - * A combination of flags can be used to modify the operation - * of the dn_ht_find(), and of the callbacks: - * - * DNHT_KEY_IS_OBJ means the key is the object pointer. - * It is usally of interest for the hash and match functions. - * - * DNHT_MATCH_PTR during a lookup, match pointers instead - * of calling match(). Normally used when removing specific - * entries. Does not imply KEY_IS_OBJ as the latter _is_ used - * by the match function. - * - * DNHT_INSERT insert the element if not found. - * Calls new() to allocates a new object unless - * DNHT_KEY_IS_OBJ is set. - * - * DNHT_UNIQUE only insert if object not found. - * XXX should it imply DNHT_INSERT ? - * - * DNHT_REMOVE remove objects if we find them. - */ -struct dn_ht; /* should be opaque */ - -struct dn_ht *dn_ht_init(struct dn_ht *, int buckets, int ofs, - uint32_t (*hash)(uintptr_t, int, void *), - int (*match)(void *, uintptr_t, int, void *), - void *(*newh)(uintptr_t, int, void *)); -void dn_ht_free(struct dn_ht *, int flags); - -void *dn_ht_find(struct dn_ht *, uintptr_t, int, void *); -int dn_ht_scan(struct dn_ht *, int (*)(void *, void *), void *); -int dn_ht_scan_bucket(struct dn_ht *, int * , int (*)(void *, void *), void *); -int dn_ht_entries(struct dn_ht *); - -enum { /* flags values. - * first two are returned by the scan callback to indicate - * to delete the matching element or to end the scan - */ - DNHT_SCAN_DEL = 0x0001, - DNHT_SCAN_END = 0x0002, - DNHT_KEY_IS_OBJ = 0x0004, /* key is the obj pointer */ - DNHT_MATCH_PTR = 0x0008, /* match by pointer, not match() */ - DNHT_INSERT = 0x0010, /* insert if not found */ - DNHT_UNIQUE = 0x0020, /* report error if already there */ - DNHT_REMOVE = 0x0040, /* remove on find or dn_ht_free */ -}; - -#endif /* _IP_DN_HEAP_H */ diff --git a/sys/netinet/ipfw/dn_sched.h b/sys/netinet/ipfw/dn_sched.h deleted file mode 100644 index ab823fe..0000000 --- a/sys/netinet/ipfw/dn_sched.h +++ /dev/null @@ -1,191 +0,0 @@ -/* - * Copyright (c) 2010 Riccardo Panicucci, Luigi Rizzo, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * The API to write a packet scheduling algorithm for dummynet. - * - * $FreeBSD$ - */ - -#ifndef _DN_SCHED_H -#define _DN_SCHED_H - -#define DN_MULTIQUEUE 0x01 -/* - * Descriptor for a scheduling algorithm. - * Contains all function pointers for a given scheduler - * This is typically created when a module is loaded, and stored - * in a global list of schedulers. - */ -struct dn_alg { - uint32_t type; /* the scheduler type */ - const char *name; /* scheduler name */ - uint32_t flags; /* DN_MULTIQUEUE if supports multiple queues */ - - /* - * The following define the size of 3 optional data structures - * that may need to be allocated at runtime, and are appended - * to each of the base data structures: scheduler, sched.inst, - * and queue. We don't have a per-flowset structure. - */ - /* + parameters attached to the template, e.g. - * default queue sizes, weights, quantum size, and so on; - */ - size_t schk_datalen; - - /* + per-instance parameters, such as timestamps, - * containers for queues, etc; - */ - size_t si_datalen; - - size_t q_datalen; /* per-queue parameters (e.g. S,F) */ - - /* - * Methods implemented by the scheduler: - * enqueue enqueue packet 'm' on scheduler 's', queue 'q'. - * q is NULL for !MULTIQUEUE. - * Return 0 on success, 1 on drop (packet consumed anyways). - * Note that q should be interpreted only as a hint - * on the flow that the mbuf belongs to: while a - * scheduler will normally enqueue m into q, it is ok - * to leave q alone and put the mbuf elsewhere. - * This function is called in two cases: - * - when a new packet arrives to the scheduler; - * - when a scheduler is reconfigured. In this case the - * call is issued by the new_queue callback, with a - * non empty queue (q) and m pointing to the first - * mbuf in the queue. For this reason, the function - * should internally check for (m != q->mq.head) - * before calling dn_enqueue(). - * - * dequeue Called when scheduler instance 's' can - * dequeue a packet. Return NULL if none are available. - * XXX what about non work-conserving ? - * - * config called on 'sched X config ...', normally writes - * in the area of size sch_arg - * - * destroy called on 'sched delete', frees everything - * in sch_arg (other parts are handled by more specific - * functions) - * - * new_sched called when a new instance is created, e.g. - * to create the local queue for !MULTIQUEUE, set V or - * copy parameters for WFQ, and so on. - * - * free_sched called when deleting an instance, cleans - * extra data in the per-instance area. - * - * new_fsk called when a flowset is linked to a scheduler, - * e.g. to validate parameters such as weights etc. - * free_fsk when a flowset is unlinked from a scheduler. - * (probably unnecessary) - * - * new_queue called to set the per-queue parameters, - * e.g. S and F, adjust sum of weights in the parent, etc. - * - * The new_queue callback is normally called from when - * creating a new queue. In some cases (such as a - * scheduler change or reconfiguration) it can be called - * with a non empty queue. In this case, the queue - * In case of non empty queue, the new_queue callback could - * need to call the enqueue function. In this case, - * the callback should eventually call enqueue() passing - * as m the first element in the queue. - * - * free_queue actions related to a queue removal, e.g. undo - * all the above. If the queue has data in it, also remove - * from the scheduler. This can e.g. happen during a reconfigure. - */ - int (*enqueue)(struct dn_sch_inst *, struct dn_queue *, - struct mbuf *); - struct mbuf * (*dequeue)(struct dn_sch_inst *); - - int (*config)(struct dn_schk *); - int (*destroy)(struct dn_schk*); - int (*new_sched)(struct dn_sch_inst *); - int (*free_sched)(struct dn_sch_inst *); - int (*new_fsk)(struct dn_fsk *f); - int (*free_fsk)(struct dn_fsk *f); - int (*new_queue)(struct dn_queue *q); - int (*free_queue)(struct dn_queue *q); - - /* run-time fields */ - int ref_count; /* XXX number of instances in the system */ - SLIST_ENTRY(dn_alg) next; /* Next scheduler in the list */ -}; - -/* MSVC does not support initializers so we need this ugly macro */ -#ifdef _WIN32 -#define _SI(fld) -#else -#define _SI(fld) fld -#endif - -/* - * Additionally, dummynet exports some functions and macros - * to be used by schedulers: - */ - -void dn_free_pkts(struct mbuf *mnext); -int dn_enqueue(struct dn_queue *q, struct mbuf* m, int drop); -/* bound a variable between min and max */ -int ipdn_bound_var(int *v, int dflt, int lo, int hi, const char *msg); - -/* - * Extract the head of a queue, update stats. Must be the very last - * thing done on a dequeue as the queue itself may go away. - */ -static __inline struct mbuf* -dn_dequeue(struct dn_queue *q) -{ - struct mbuf *m = q->mq.head; - if (m == NULL) - return NULL; - q->mq.head = m->m_nextpkt; - - /* Update stats for the queue */ - q->ni.length--; - q->ni.len_bytes -= m->m_pkthdr.len; - if (q->_si) { - q->_si->ni.length--; - q->_si->ni.len_bytes -= m->m_pkthdr.len; - } - if (q->ni.length == 0) /* queue is now idle */ - q->q_time = dn_cfg.curr_time; - return m; -} - -int dn_sched_modevent(module_t mod, int cmd, void *arg); - -#define DECLARE_DNSCHED_MODULE(name, dnsched) \ - static moduledata_t name##_mod = { \ - #name, dn_sched_modevent, dnsched \ - }; \ - DECLARE_MODULE(name, name##_mod, \ - SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY); \ - MODULE_DEPEND(name, dummynet, 3, 3, 3); -#endif /* _DN_SCHED_H */ diff --git a/sys/netinet/ipfw/dn_sched_fifo.c b/sys/netinet/ipfw/dn_sched_fifo.c deleted file mode 100644 index 0bb3800..0000000 --- a/sys/netinet/ipfw/dn_sched_fifo.c +++ /dev/null @@ -1,120 +0,0 @@ -/* - * Copyright (c) 2010 Riccardo Panicucci, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * $FreeBSD$ - */ - -#ifdef _KERNEL -#include <sys/malloc.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#include <sys/mbuf.h> -#include <sys/module.h> -#include <net/if.h> /* IFNAMSIZ */ -#include <netinet/in.h> -#include <netinet/ip_var.h> /* ipfw_rule_ref */ -#include <netinet/ip_fw.h> /* flow_id */ -#include <netinet/ip_dummynet.h> -#include <netinet/ipfw/dn_heap.h> -#include <netinet/ipfw/ip_dn_private.h> -#include <netinet/ipfw/dn_sched.h> -#else -#include <dn_test.h> -#endif - -/* - * This file implements a FIFO scheduler for a single queue. - * The queue is allocated as part of the scheduler instance, - * and there is a single flowset is in the template which stores - * queue size and policy. - * Enqueue and dequeue use the default library functions. - */ -static int -fifo_enqueue(struct dn_sch_inst *si, struct dn_queue *q, struct mbuf *m) -{ - /* XXX if called with q != NULL and m=NULL, this is a - * re-enqueue from an existing scheduler, which we should - * handle. - */ - return dn_enqueue((struct dn_queue *)(si+1), m, 0); -} - -static struct mbuf * -fifo_dequeue(struct dn_sch_inst *si) -{ - return dn_dequeue((struct dn_queue *)(si + 1)); -} - -static int -fifo_new_sched(struct dn_sch_inst *si) -{ - /* This scheduler instance contains the queue */ - struct dn_queue *q = (struct dn_queue *)(si + 1); - - set_oid(&q->ni.oid, DN_QUEUE, sizeof(*q)); - q->_si = si; - q->fs = si->sched->fs; - return 0; -} - -static int -fifo_free_sched(struct dn_sch_inst *si) -{ - struct dn_queue *q = (struct dn_queue *)(si + 1); - dn_free_pkts(q->mq.head); - bzero(q, sizeof(*q)); - return 0; -} - -/* - * FIFO scheduler descriptor - * contains the type of the scheduler, the name, the size of extra - * data structures, and function pointers. - */ -static struct dn_alg fifo_desc = { - _SI( .type = ) DN_SCHED_FIFO, - _SI( .name = ) "FIFO", - _SI( .flags = ) 0, - - _SI( .schk_datalen = ) 0, - _SI( .si_datalen = ) sizeof(struct dn_queue), - _SI( .q_datalen = ) 0, - - _SI( .enqueue = ) fifo_enqueue, - _SI( .dequeue = ) fifo_dequeue, - _SI( .config = ) NULL, - _SI( .destroy = ) NULL, - _SI( .new_sched = ) fifo_new_sched, - _SI( .free_sched = ) fifo_free_sched, - _SI( .new_fsk = ) NULL, - _SI( .free_fsk = ) NULL, - _SI( .new_queue = ) NULL, - _SI( .free_queue = ) NULL, -}; - -DECLARE_DNSCHED_MODULE(dn_fifo, &fifo_desc); diff --git a/sys/netinet/ipfw/dn_sched_prio.c b/sys/netinet/ipfw/dn_sched_prio.c deleted file mode 100644 index 28f6006..0000000 --- a/sys/netinet/ipfw/dn_sched_prio.c +++ /dev/null @@ -1,229 +0,0 @@ -/* - * Copyright (c) 2010 Riccardo Panicucci, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * $FreeBSD$ - */ -#ifdef _KERNEL -#include <sys/malloc.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#include <sys/mbuf.h> -#include <sys/module.h> -#include <net/if.h> /* IFNAMSIZ */ -#include <netinet/in.h> -#include <netinet/ip_var.h> /* ipfw_rule_ref */ -#include <netinet/ip_fw.h> /* flow_id */ -#include <netinet/ip_dummynet.h> -#include <netinet/ipfw/dn_heap.h> -#include <netinet/ipfw/ip_dn_private.h> -#include <netinet/ipfw/dn_sched.h> -#else -#include <dn_test.h> -#endif - -#define DN_SCHED_PRIO 5 //XXX - -#if !defined(_KERNEL) || !defined(__linux__) -#define test_bit(ix, pData) ((*pData) & (1<<(ix))) -#define __set_bit(ix, pData) (*pData) |= (1<<(ix)) -#define __clear_bit(ix, pData) (*pData) &= ~(1<<(ix)) -#endif - -#ifdef __MIPSEL__ -#define __clear_bit(ix, pData) (*pData) &= ~(1<<(ix)) -#endif - -/* Size of the array of queues pointers. */ -#define BITMAP_T unsigned long -#define MAXPRIO (sizeof(BITMAP_T) * 8) - -/* - * The scheduler instance contains an array of pointers to queues, - * one for each priority, and a bitmap listing backlogged queues. - */ -struct prio_si { - BITMAP_T bitmap; /* array bitmap */ - struct dn_queue *q_array[MAXPRIO]; /* Array of queues pointers */ -}; - -/* - * If a queue with the same priority is already backlogged, use - * that one instead of the queue passed as argument. - */ -static int -prio_enqueue(struct dn_sch_inst *_si, struct dn_queue *q, struct mbuf *m) -{ - struct prio_si *si = (struct prio_si *)(_si + 1); - int prio = q->fs->fs.par[0]; - - if (test_bit(prio, &si->bitmap) == 0) { - /* No queue with this priority, insert */ - __set_bit(prio, &si->bitmap); - si->q_array[prio] = q; - } else { /* use the existing queue */ - q = si->q_array[prio]; - } - if (dn_enqueue(q, m, 0)) - return 1; - return 0; -} - -/* - * Packets are dequeued only from the highest priority queue. - * The function ffs() return the lowest bit in the bitmap that rapresent - * the array index (-1) which contains the pointer to the highest priority - * queue. - * After the dequeue, if this queue become empty, it is index is removed - * from the bitmap. - * Scheduler is idle if the bitmap is empty - * - * NOTE: highest priority is 0, lowest is sched->max_prio_q - */ -static struct mbuf * -prio_dequeue(struct dn_sch_inst *_si) -{ - struct prio_si *si = (struct prio_si *)(_si + 1); - struct mbuf *m; - struct dn_queue *q; - int prio; - - if (si->bitmap == 0) /* scheduler idle */ - return NULL; - - prio = ffs(si->bitmap) - 1; - - /* Take the highest priority queue in the scheduler */ - q = si->q_array[prio]; - // assert(q) - - m = dn_dequeue(q); - if (q->mq.head == NULL) { - /* Queue is now empty, remove from scheduler - * and mark it - */ - si->q_array[prio] = NULL; - __clear_bit(prio, &si->bitmap); - } - return m; -} - -static int -prio_new_sched(struct dn_sch_inst *_si) -{ - struct prio_si *si = (struct prio_si *)(_si + 1); - - bzero(si->q_array, sizeof(si->q_array)); - si->bitmap = 0; - - return 0; -} - -static int -prio_new_fsk(struct dn_fsk *fs) -{ - /* Check if the prioritiy is between 0 and MAXPRIO-1 */ - ipdn_bound_var(&fs->fs.par[0], 0, 0, MAXPRIO - 1, "PRIO priority"); - return 0; -} - -static int -prio_new_queue(struct dn_queue *q) -{ - struct prio_si *si = (struct prio_si *)(q->_si + 1); - int prio = q->fs->fs.par[0]; - struct dn_queue *oldq; - - q->ni.oid.subtype = DN_SCHED_PRIO; - - if (q->mq.head == NULL) - return 0; - - /* Queue already full, must insert in the scheduler or append - * mbufs to existing queue. This partly duplicates prio_enqueue - */ - if (test_bit(prio, &si->bitmap) == 0) { - /* No queue with this priority, insert */ - __set_bit(prio, &si->bitmap); - si->q_array[prio] = q; - } else if ( (oldq = si->q_array[prio]) != q) { - /* must append to the existing queue. - * can simply append q->mq.head to q2->... - * and add the counters to those of q2 - */ - oldq->mq.tail->m_nextpkt = q->mq.head; - oldq->mq.tail = q->mq.tail; - oldq->ni.length += q->ni.length; - q->ni.length = 0; - oldq->ni.len_bytes += q->ni.len_bytes; - q->ni.len_bytes = 0; - q->mq.tail = q->mq.head = NULL; - } - return 0; -} - -static int -prio_free_queue(struct dn_queue *q) -{ - int prio = q->fs->fs.par[0]; - struct prio_si *si = (struct prio_si *)(q->_si + 1); - - if (si->q_array[prio] == q) { - si->q_array[prio] = NULL; - __clear_bit(prio, &si->bitmap); - } - return 0; -} - - -static struct dn_alg prio_desc = { - _SI( .type = ) DN_SCHED_PRIO, - _SI( .name = ) "PRIO", - _SI( .flags = ) DN_MULTIQUEUE, - - /* we need extra space in the si and the queue */ - _SI( .schk_datalen = ) 0, - _SI( .si_datalen = ) sizeof(struct prio_si), - _SI( .q_datalen = ) 0, - - _SI( .enqueue = ) prio_enqueue, - _SI( .dequeue = ) prio_dequeue, - - _SI( .config = ) NULL, - _SI( .destroy = ) NULL, - _SI( .new_sched = ) prio_new_sched, - _SI( .free_sched = ) NULL, - - _SI( .new_fsk = ) prio_new_fsk, - _SI( .free_fsk = ) NULL, - - _SI( .new_queue = ) prio_new_queue, - _SI( .free_queue = ) prio_free_queue, -}; - - -DECLARE_DNSCHED_MODULE(dn_prio, &prio_desc); diff --git a/sys/netinet/ipfw/dn_sched_qfq.c b/sys/netinet/ipfw/dn_sched_qfq.c deleted file mode 100644 index be7fba3..0000000 --- a/sys/netinet/ipfw/dn_sched_qfq.c +++ /dev/null @@ -1,864 +0,0 @@ -/* - * Copyright (c) 2010 Fabio Checconi, Luigi Rizzo, Paolo Valente - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * $FreeBSD$ - */ - -#ifdef _KERNEL -#include <sys/malloc.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#include <sys/mbuf.h> -#include <sys/module.h> -#include <net/if.h> /* IFNAMSIZ */ -#include <netinet/in.h> -#include <netinet/ip_var.h> /* ipfw_rule_ref */ -#include <netinet/ip_fw.h> /* flow_id */ -#include <netinet/ip_dummynet.h> -#include <netinet/ipfw/dn_heap.h> -#include <netinet/ipfw/ip_dn_private.h> -#include <netinet/ipfw/dn_sched.h> -#else -#include <dn_test.h> -#endif - -#ifdef QFQ_DEBUG -struct qfq_sched; -static void dump_sched(struct qfq_sched *q, const char *msg); -#define NO(x) x -#else -#define NO(x) -#endif -#define DN_SCHED_QFQ 4 // XXX Where? -typedef unsigned long bitmap; - -/* - * bitmaps ops are critical. Some linux versions have __fls - * and the bitmap ops. Some machines have ffs - */ -#if defined(_WIN32) || (defined(__MIPSEL__) && defined(LINUX_24)) -int fls(unsigned int n) -{ - int i = 0; - for (i = 0; n > 0; n >>= 1, i++) - ; - return i; -} -#endif - -#if !defined(_KERNEL) || defined( __FreeBSD__ ) || defined(_WIN32) || (defined(__MIPSEL__) && defined(LINUX_24)) -static inline unsigned long __fls(unsigned long word) -{ - return fls(word) - 1; -} -#endif - -#if !defined(_KERNEL) || !defined(__linux__) -#ifdef QFQ_DEBUG -int test_bit(int ix, bitmap *p) -{ - if (ix < 0 || ix > 31) - D("bad index %d", ix); - return *p & (1<<ix); -} -void __set_bit(int ix, bitmap *p) -{ - if (ix < 0 || ix > 31) - D("bad index %d", ix); - *p |= (1<<ix); -} -void __clear_bit(int ix, bitmap *p) -{ - if (ix < 0 || ix > 31) - D("bad index %d", ix); - *p &= ~(1<<ix); -} -#else /* !QFQ_DEBUG */ -/* XXX do we have fast version, or leave it to the compiler ? */ -#define test_bit(ix, pData) ((*pData) & (1<<(ix))) -#define __set_bit(ix, pData) (*pData) |= (1<<(ix)) -#define __clear_bit(ix, pData) (*pData) &= ~(1<<(ix)) -#endif /* !QFQ_DEBUG */ -#endif /* !__linux__ */ - -#ifdef __MIPSEL__ -#define __clear_bit(ix, pData) (*pData) &= ~(1<<(ix)) -#endif - -/*-------------------------------------------*/ -/* - -Virtual time computations. - -S, F and V are all computed in fixed point arithmetic with -FRAC_BITS decimal bits. - - QFQ_MAX_INDEX is the maximum index allowed for a group. We need - one bit per index. - QFQ_MAX_WSHIFT is the maximum power of two supported as a weight. - The layout of the bits is as below: - - [ MTU_SHIFT ][ FRAC_BITS ] - [ MAX_INDEX ][ MIN_SLOT_SHIFT ] - ^.__grp->index = 0 - *.__grp->slot_shift - - where MIN_SLOT_SHIFT is derived by difference from the others. - -The max group index corresponds to Lmax/w_min, where -Lmax=1<<MTU_SHIFT, w_min = 1 . -From this, and knowing how many groups (MAX_INDEX) we want, -we can derive the shift corresponding to each group. - -Because we often need to compute - F = S + len/w_i and V = V + len/wsum -instead of storing w_i store the value - inv_w = (1<<FRAC_BITS)/w_i -so we can do F = S + len * inv_w * wsum. -We use W_TOT in the formulas so we can easily move between -static and adaptive weight sum. - -The per-scheduler-instance data contain all the data structures -for the scheduler: bitmaps and bucket lists. - - */ -/* - * Maximum number of consecutive slots occupied by backlogged classes - * inside a group. This is approx lmax/lmin + 5. - * XXX check because it poses constraints on MAX_INDEX - */ -#define QFQ_MAX_SLOTS 32 -/* - * Shifts used for class<->group mapping. Class weights are - * in the range [1, QFQ_MAX_WEIGHT], we to map each class i to the - * group with the smallest index that can support the L_i / r_i - * configured for the class. - * - * grp->index is the index of the group; and grp->slot_shift - * is the shift for the corresponding (scaled) sigma_i. - * - * When computing the group index, we do (len<<FP_SHIFT)/weight, - * then compute an FLS (which is like a log2()), and if the result - * is below the MAX_INDEX region we use 0 (which is the same as - * using a larger len). - */ -#define QFQ_MAX_INDEX 19 -#define QFQ_MAX_WSHIFT 16 /* log2(max_weight) */ - -#define QFQ_MAX_WEIGHT (1<<QFQ_MAX_WSHIFT) -#define QFQ_MAX_WSUM (2*QFQ_MAX_WEIGHT) -//#define IWSUM (q->i_wsum) -#define IWSUM ((1<<FRAC_BITS)/QFQ_MAX_WSUM) - -#define FRAC_BITS 30 /* fixed point arithmetic */ -#define ONE_FP (1UL << FRAC_BITS) - -#define QFQ_MTU_SHIFT 11 /* log2(max_len) */ -#define QFQ_MIN_SLOT_SHIFT (FRAC_BITS + QFQ_MTU_SHIFT - QFQ_MAX_INDEX) - -/* - * Possible group states, also indexes for the bitmaps array in - * struct qfq_queue. We rely on ER, IR, EB, IB being numbered 0..3 - */ -enum qfq_state { ER, IR, EB, IB, QFQ_MAX_STATE }; - -struct qfq_group; -/* - * additional queue info. Some of this info should come from - * the flowset, we copy them here for faster processing. - * This is an overlay of the struct dn_queue - */ -struct qfq_class { - struct dn_queue _q; - uint64_t S, F; /* flow timestamps (exact) */ - struct qfq_class *next; /* Link for the slot list. */ - - /* group we belong to. In principle we would need the index, - * which is log_2(lmax/weight), but we never reference it - * directly, only the group. - */ - struct qfq_group *grp; - - /* these are copied from the flowset. */ - uint32_t inv_w; /* ONE_FP/weight */ - uint32_t lmax; /* Max packet size for this flow. */ -}; - -/* Group descriptor, see the paper for details. - * Basically this contains the bucket lists - */ -struct qfq_group { - uint64_t S, F; /* group timestamps (approx). */ - unsigned int slot_shift; /* Slot shift. */ - unsigned int index; /* Group index. */ - unsigned int front; /* Index of the front slot. */ - bitmap full_slots; /* non-empty slots */ - - /* Array of lists of active classes. */ - struct qfq_class *slots[QFQ_MAX_SLOTS]; -}; - -/* scheduler instance descriptor. */ -struct qfq_sched { - uint64_t V; /* Precise virtual time. */ - uint32_t wsum; /* weight sum */ - NO(uint32_t i_wsum; /* ONE_FP/w_sum */ - uint32_t _queued; /* debugging */ - uint32_t loops; /* debugging */) - bitmap bitmaps[QFQ_MAX_STATE]; /* Group bitmaps. */ - struct qfq_group groups[QFQ_MAX_INDEX + 1]; /* The groups. */ -}; - -/*---- support functions ----------------------------*/ - -/* Generic comparison function, handling wraparound. */ -static inline int qfq_gt(uint64_t a, uint64_t b) -{ - return (int64_t)(a - b) > 0; -} - -/* Round a precise timestamp to its slotted value. */ -static inline uint64_t qfq_round_down(uint64_t ts, unsigned int shift) -{ - return ts & ~((1ULL << shift) - 1); -} - -/* return the pointer to the group with lowest index in the bitmap */ -static inline struct qfq_group *qfq_ffs(struct qfq_sched *q, - unsigned long bitmap) -{ - int index = ffs(bitmap) - 1; // zero-based - return &q->groups[index]; -} - -/* - * Calculate a flow index, given its weight and maximum packet length. - * index = log_2(maxlen/weight) but we need to apply the scaling. - * This is used only once at flow creation. - */ -static int qfq_calc_index(uint32_t inv_w, unsigned int maxlen) -{ - uint64_t slot_size = (uint64_t)maxlen *inv_w; - unsigned long size_map; - int index = 0; - - size_map = (unsigned long)(slot_size >> QFQ_MIN_SLOT_SHIFT); - if (!size_map) - goto out; - - index = __fls(size_map) + 1; // basically a log_2() - index -= !(slot_size - (1ULL << (index + QFQ_MIN_SLOT_SHIFT - 1))); - - if (index < 0) - index = 0; - -out: - ND("W = %d, L = %d, I = %d\n", ONE_FP/inv_w, maxlen, index); - return index; -} -/*---- end support functions ----*/ - -/*-------- API calls --------------------------------*/ -/* - * Validate and copy parameters from flowset. - */ -static int -qfq_new_queue(struct dn_queue *_q) -{ - struct qfq_sched *q = (struct qfq_sched *)(_q->_si + 1); - struct qfq_class *cl = (struct qfq_class *)_q; - int i; - uint32_t w; /* approximated weight */ - - /* import parameters from the flowset. They should be correct - * already. - */ - w = _q->fs->fs.par[0]; - cl->lmax = _q->fs->fs.par[1]; - if (!w || w > QFQ_MAX_WEIGHT) { - w = 1; - D("rounding weight to 1"); - } - cl->inv_w = ONE_FP/w; - w = ONE_FP/cl->inv_w; - if (q->wsum + w > QFQ_MAX_WSUM) - return EINVAL; - - i = qfq_calc_index(cl->inv_w, cl->lmax); - cl->grp = &q->groups[i]; - q->wsum += w; - // XXX cl->S = q->V; ? - // XXX compute q->i_wsum - return 0; -} - -/* remove an empty queue */ -static int -qfq_free_queue(struct dn_queue *_q) -{ - struct qfq_sched *q = (struct qfq_sched *)(_q->_si + 1); - struct qfq_class *cl = (struct qfq_class *)_q; - if (cl->inv_w) { - q->wsum -= ONE_FP/cl->inv_w; - cl->inv_w = 0; /* reset weight to avoid run twice */ - } - return 0; -} - -/* Calculate a mask to mimic what would be ffs_from(). */ -static inline unsigned long -mask_from(unsigned long bitmap, int from) -{ - return bitmap & ~((1UL << from) - 1); -} - -/* - * The state computation relies on ER=0, IR=1, EB=2, IB=3 - * First compute eligibility comparing grp->S, q->V, - * then check if someone is blocking us and possibly add EB - */ -static inline unsigned int -qfq_calc_state(struct qfq_sched *q, struct qfq_group *grp) -{ - /* if S > V we are not eligible */ - unsigned int state = qfq_gt(grp->S, q->V); - unsigned long mask = mask_from(q->bitmaps[ER], grp->index); - struct qfq_group *next; - - if (mask) { - next = qfq_ffs(q, mask); - if (qfq_gt(grp->F, next->F)) - state |= EB; - } - - return state; -} - -/* - * In principle - * q->bitmaps[dst] |= q->bitmaps[src] & mask; - * q->bitmaps[src] &= ~mask; - * but we should make sure that src != dst - */ -static inline void -qfq_move_groups(struct qfq_sched *q, unsigned long mask, int src, int dst) -{ - q->bitmaps[dst] |= q->bitmaps[src] & mask; - q->bitmaps[src] &= ~mask; -} - -static inline void -qfq_unblock_groups(struct qfq_sched *q, int index, uint64_t old_finish) -{ - unsigned long mask = mask_from(q->bitmaps[ER], index + 1); - struct qfq_group *next; - - if (mask) { - next = qfq_ffs(q, mask); - if (!qfq_gt(next->F, old_finish)) - return; - } - - mask = (1UL << index) - 1; - qfq_move_groups(q, mask, EB, ER); - qfq_move_groups(q, mask, IB, IR); -} - -/* - * perhaps - * - old_V ^= q->V; - old_V >>= QFQ_MIN_SLOT_SHIFT; - if (old_V) { - ... - } - * - */ -static inline void -qfq_make_eligible(struct qfq_sched *q, uint64_t old_V) -{ - unsigned long mask, vslot, old_vslot; - - vslot = q->V >> QFQ_MIN_SLOT_SHIFT; - old_vslot = old_V >> QFQ_MIN_SLOT_SHIFT; - - if (vslot != old_vslot) { - mask = (2UL << (__fls(vslot ^ old_vslot))) - 1; - qfq_move_groups(q, mask, IR, ER); - qfq_move_groups(q, mask, IB, EB); - } -} - -/* - * XXX we should make sure that slot becomes less than 32. - * This is guaranteed by the input values. - * roundedS is always cl->S rounded on grp->slot_shift bits. - */ -static inline void -qfq_slot_insert(struct qfq_group *grp, struct qfq_class *cl, uint64_t roundedS) -{ - uint64_t slot = (roundedS - grp->S) >> grp->slot_shift; - unsigned int i = (grp->front + slot) % QFQ_MAX_SLOTS; - - cl->next = grp->slots[i]; - grp->slots[i] = cl; - __set_bit(slot, &grp->full_slots); -} - -/* - * remove the entry from the slot - */ -static inline void -qfq_front_slot_remove(struct qfq_group *grp) -{ - struct qfq_class **h = &grp->slots[grp->front]; - - *h = (*h)->next; - if (!*h) - __clear_bit(0, &grp->full_slots); -} - -/* - * Returns the first full queue in a group. As a side effect, - * adjust the bucket list so the first non-empty bucket is at - * position 0 in full_slots. - */ -static inline struct qfq_class * -qfq_slot_scan(struct qfq_group *grp) -{ - int i; - - ND("grp %d full %x", grp->index, grp->full_slots); - if (!grp->full_slots) - return NULL; - - i = ffs(grp->full_slots) - 1; // zero-based - if (i > 0) { - grp->front = (grp->front + i) % QFQ_MAX_SLOTS; - grp->full_slots >>= i; - } - - return grp->slots[grp->front]; -} - -/* - * adjust the bucket list. When the start time of a group decreases, - * we move the index down (modulo QFQ_MAX_SLOTS) so we don't need to - * move the objects. The mask of occupied slots must be shifted - * because we use ffs() to find the first non-empty slot. - * This covers decreases in the group's start time, but what about - * increases of the start time ? - * Here too we should make sure that i is less than 32 - */ -static inline void -qfq_slot_rotate(struct qfq_sched *q, struct qfq_group *grp, uint64_t roundedS) -{ - unsigned int i = (grp->S - roundedS) >> grp->slot_shift; - - grp->full_slots <<= i; - grp->front = (grp->front - i) % QFQ_MAX_SLOTS; -} - - -static inline void -qfq_update_eligible(struct qfq_sched *q, uint64_t old_V) -{ - bitmap ineligible; - - ineligible = q->bitmaps[IR] | q->bitmaps[IB]; - if (ineligible) { - if (!q->bitmaps[ER]) { - struct qfq_group *grp; - grp = qfq_ffs(q, ineligible); - if (qfq_gt(grp->S, q->V)) - q->V = grp->S; - } - qfq_make_eligible(q, old_V); - } -} - -/* - * Updates the class, returns true if also the group needs to be updated. - */ -static inline int -qfq_update_class(struct qfq_sched *q, struct qfq_group *grp, - struct qfq_class *cl) -{ - - cl->S = cl->F; - if (cl->_q.mq.head == NULL) { - qfq_front_slot_remove(grp); - } else { - unsigned int len; - uint64_t roundedS; - - len = cl->_q.mq.head->m_pkthdr.len; - cl->F = cl->S + (uint64_t)len * cl->inv_w; - roundedS = qfq_round_down(cl->S, grp->slot_shift); - if (roundedS == grp->S) - return 0; - - qfq_front_slot_remove(grp); - qfq_slot_insert(grp, cl, roundedS); - } - return 1; -} - -static struct mbuf * -qfq_dequeue(struct dn_sch_inst *si) -{ - struct qfq_sched *q = (struct qfq_sched *)(si + 1); - struct qfq_group *grp; - struct qfq_class *cl; - struct mbuf *m; - uint64_t old_V; - - NO(q->loops++;) - if (!q->bitmaps[ER]) { - NO(if (q->queued) - dump_sched(q, "start dequeue");) - return NULL; - } - - grp = qfq_ffs(q, q->bitmaps[ER]); - - cl = grp->slots[grp->front]; - /* extract from the first bucket in the bucket list */ - m = dn_dequeue(&cl->_q); - - if (!m) { - D("BUG/* non-workconserving leaf */"); - return NULL; - } - NO(q->queued--;) - old_V = q->V; - q->V += (uint64_t)m->m_pkthdr.len * IWSUM; - ND("m is %p F 0x%llx V now 0x%llx", m, cl->F, q->V); - - if (qfq_update_class(q, grp, cl)) { - uint64_t old_F = grp->F; - cl = qfq_slot_scan(grp); - if (!cl) { /* group gone, remove from ER */ - __clear_bit(grp->index, &q->bitmaps[ER]); - // grp->S = grp->F + 1; // XXX debugging only - } else { - uint64_t roundedS = qfq_round_down(cl->S, grp->slot_shift); - unsigned int s; - - if (grp->S == roundedS) - goto skip_unblock; - grp->S = roundedS; - grp->F = roundedS + (2ULL << grp->slot_shift); - /* remove from ER and put in the new set */ - __clear_bit(grp->index, &q->bitmaps[ER]); - s = qfq_calc_state(q, grp); - __set_bit(grp->index, &q->bitmaps[s]); - } - /* we need to unblock even if the group has gone away */ - qfq_unblock_groups(q, grp->index, old_F); - } - -skip_unblock: - qfq_update_eligible(q, old_V); - NO(if (!q->bitmaps[ER] && q->queued) - dump_sched(q, "end dequeue");) - - return m; -} - -/* - * Assign a reasonable start time for a new flow k in group i. - * Admissible values for \hat(F) are multiples of \sigma_i - * no greater than V+\sigma_i . Larger values mean that - * we had a wraparound so we consider the timestamp to be stale. - * - * If F is not stale and F >= V then we set S = F. - * Otherwise we should assign S = V, but this may violate - * the ordering in ER. So, if we have groups in ER, set S to - * the F_j of the first group j which would be blocking us. - * We are guaranteed not to move S backward because - * otherwise our group i would still be blocked. - */ -static inline void -qfq_update_start(struct qfq_sched *q, struct qfq_class *cl) -{ - unsigned long mask; - uint64_t limit, roundedF; - int slot_shift = cl->grp->slot_shift; - - roundedF = qfq_round_down(cl->F, slot_shift); - limit = qfq_round_down(q->V, slot_shift) + (1UL << slot_shift); - - if (!qfq_gt(cl->F, q->V) || qfq_gt(roundedF, limit)) { - /* timestamp was stale */ - mask = mask_from(q->bitmaps[ER], cl->grp->index); - if (mask) { - struct qfq_group *next = qfq_ffs(q, mask); - if (qfq_gt(roundedF, next->F)) { - cl->S = next->F; - return; - } - } - cl->S = q->V; - } else { /* timestamp is not stale */ - cl->S = cl->F; - } -} - -static int -qfq_enqueue(struct dn_sch_inst *si, struct dn_queue *_q, struct mbuf *m) -{ - struct qfq_sched *q = (struct qfq_sched *)(si + 1); - struct qfq_group *grp; - struct qfq_class *cl = (struct qfq_class *)_q; - uint64_t roundedS; - int s; - - NO(q->loops++;) - DX(4, "len %d flow %p inv_w 0x%x grp %d", m->m_pkthdr.len, - _q, cl->inv_w, cl->grp->index); - /* XXX verify that the packet obeys the parameters */ - if (m != _q->mq.head) { - if (dn_enqueue(_q, m, 0)) /* packet was dropped */ - return 1; - NO(q->queued++;) - if (m != _q->mq.head) - return 0; - } - /* If reach this point, queue q was idle */ - grp = cl->grp; - qfq_update_start(q, cl); /* adjust start time */ - /* compute new finish time and rounded start. */ - cl->F = cl->S + (uint64_t)(m->m_pkthdr.len) * cl->inv_w; - roundedS = qfq_round_down(cl->S, grp->slot_shift); - - /* - * insert cl in the correct bucket. - * If cl->S >= grp->S we don't need to adjust the - * bucket list and simply go to the insertion phase. - * Otherwise grp->S is decreasing, we must make room - * in the bucket list, and also recompute the group state. - * Finally, if there were no flows in this group and nobody - * was in ER make sure to adjust V. - */ - if (grp->full_slots) { - if (!qfq_gt(grp->S, cl->S)) - goto skip_update; - /* create a slot for this cl->S */ - qfq_slot_rotate(q, grp, roundedS); - /* group was surely ineligible, remove */ - __clear_bit(grp->index, &q->bitmaps[IR]); - __clear_bit(grp->index, &q->bitmaps[IB]); - } else if (!q->bitmaps[ER] && qfq_gt(roundedS, q->V)) - q->V = roundedS; - - grp->S = roundedS; - grp->F = roundedS + (2ULL << grp->slot_shift); // i.e. 2\sigma_i - s = qfq_calc_state(q, grp); - __set_bit(grp->index, &q->bitmaps[s]); - ND("new state %d 0x%x", s, q->bitmaps[s]); - ND("S %llx F %llx V %llx", cl->S, cl->F, q->V); -skip_update: - qfq_slot_insert(grp, cl, roundedS); - - return 0; -} - - -#if 0 -static inline void -qfq_slot_remove(struct qfq_sched *q, struct qfq_group *grp, - struct qfq_class *cl, struct qfq_class **pprev) -{ - unsigned int i, offset; - uint64_t roundedS; - - roundedS = qfq_round_down(cl->S, grp->slot_shift); - offset = (roundedS - grp->S) >> grp->slot_shift; - i = (grp->front + offset) % QFQ_MAX_SLOTS; - -#ifdef notyet - if (!pprev) { - pprev = &grp->slots[i]; - while (*pprev && *pprev != cl) - pprev = &(*pprev)->next; - } -#endif - - *pprev = cl->next; - if (!grp->slots[i]) - __clear_bit(offset, &grp->full_slots); -} - -/* - * called to forcibly destroy a queue. - * If the queue is not in the front bucket, or if it has - * other queues in the front bucket, we can simply remove - * the queue with no other side effects. - * Otherwise we must propagate the event up. - * XXX description to be completed. - */ -static void -qfq_deactivate_class(struct qfq_sched *q, struct qfq_class *cl, - struct qfq_class **pprev) -{ - struct qfq_group *grp = &q->groups[cl->index]; - unsigned long mask; - uint64_t roundedS; - int s; - - cl->F = cl->S; // not needed if the class goes away. - qfq_slot_remove(q, grp, cl, pprev); - - if (!grp->full_slots) { - /* nothing left in the group, remove from all sets. - * Do ER last because if we were blocking other groups - * we must unblock them. - */ - __clear_bit(grp->index, &q->bitmaps[IR]); - __clear_bit(grp->index, &q->bitmaps[EB]); - __clear_bit(grp->index, &q->bitmaps[IB]); - - if (test_bit(grp->index, &q->bitmaps[ER]) && - !(q->bitmaps[ER] & ~((1UL << grp->index) - 1))) { - mask = q->bitmaps[ER] & ((1UL << grp->index) - 1); - if (mask) - mask = ~((1UL << __fls(mask)) - 1); - else - mask = ~0UL; - qfq_move_groups(q, mask, EB, ER); - qfq_move_groups(q, mask, IB, IR); - } - __clear_bit(grp->index, &q->bitmaps[ER]); - } else if (!grp->slots[grp->front]) { - cl = qfq_slot_scan(grp); - roundedS = qfq_round_down(cl->S, grp->slot_shift); - if (grp->S != roundedS) { - __clear_bit(grp->index, &q->bitmaps[ER]); - __clear_bit(grp->index, &q->bitmaps[IR]); - __clear_bit(grp->index, &q->bitmaps[EB]); - __clear_bit(grp->index, &q->bitmaps[IB]); - grp->S = roundedS; - grp->F = roundedS + (2ULL << grp->slot_shift); - s = qfq_calc_state(q, grp); - __set_bit(grp->index, &q->bitmaps[s]); - } - } - qfq_update_eligible(q, q->V); -} -#endif - -static int -qfq_new_fsk(struct dn_fsk *f) -{ - ipdn_bound_var(&f->fs.par[0], 1, 1, QFQ_MAX_WEIGHT, "qfq weight"); - ipdn_bound_var(&f->fs.par[1], 1500, 1, 2000, "qfq maxlen"); - ND("weight %d len %d\n", f->fs.par[0], f->fs.par[1]); - return 0; -} - -/* - * initialize a new scheduler instance - */ -static int -qfq_new_sched(struct dn_sch_inst *si) -{ - struct qfq_sched *q = (struct qfq_sched *)(si + 1); - struct qfq_group *grp; - int i; - - for (i = 0; i <= QFQ_MAX_INDEX; i++) { - grp = &q->groups[i]; - grp->index = i; - grp->slot_shift = QFQ_MTU_SHIFT + FRAC_BITS - - (QFQ_MAX_INDEX - i); - } - return 0; -} - -/* - * QFQ scheduler descriptor - */ -static struct dn_alg qfq_desc = { - _SI( .type = ) DN_SCHED_QFQ, - _SI( .name = ) "QFQ", - _SI( .flags = ) DN_MULTIQUEUE, - - _SI( .schk_datalen = ) 0, - _SI( .si_datalen = ) sizeof(struct qfq_sched), - _SI( .q_datalen = ) sizeof(struct qfq_class) - sizeof(struct dn_queue), - - _SI( .enqueue = ) qfq_enqueue, - _SI( .dequeue = ) qfq_dequeue, - - _SI( .config = ) NULL, - _SI( .destroy = ) NULL, - _SI( .new_sched = ) qfq_new_sched, - _SI( .free_sched = ) NULL, - _SI( .new_fsk = ) qfq_new_fsk, - _SI( .free_fsk = ) NULL, - _SI( .new_queue = ) qfq_new_queue, - _SI( .free_queue = ) qfq_free_queue, -}; - -DECLARE_DNSCHED_MODULE(dn_qfq, &qfq_desc); - -#ifdef QFQ_DEBUG -static void -dump_groups(struct qfq_sched *q, uint32_t mask) -{ - int i, j; - - for (i = 0; i < QFQ_MAX_INDEX + 1; i++) { - struct qfq_group *g = &q->groups[i]; - - if (0 == (mask & (1<<i))) - continue; - for (j = 0; j < QFQ_MAX_SLOTS; j++) { - if (g->slots[j]) - D(" bucket %d %p", j, g->slots[j]); - } - D("full_slots 0x%x", g->full_slots); - D(" %2d S 0x%20llx F 0x%llx %c", i, - g->S, g->F, - mask & (1<<i) ? '1' : '0'); - } -} - -static void -dump_sched(struct qfq_sched *q, const char *msg) -{ - D("--- in %s: ---", msg); - ND("loops %d queued %d V 0x%llx", q->loops, q->queued, q->V); - D(" ER 0x%08x", q->bitmaps[ER]); - D(" EB 0x%08x", q->bitmaps[EB]); - D(" IR 0x%08x", q->bitmaps[IR]); - D(" IB 0x%08x", q->bitmaps[IB]); - dump_groups(q, 0xffffffff); -}; -#endif /* QFQ_DEBUG */ diff --git a/sys/netinet/ipfw/dn_sched_rr.c b/sys/netinet/ipfw/dn_sched_rr.c deleted file mode 100644 index 1bbd800..0000000 --- a/sys/netinet/ipfw/dn_sched_rr.c +++ /dev/null @@ -1,307 +0,0 @@ -/* - * Copyright (c) 2010 Riccardo Panicucci, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * $FreeBSD$ - */ - -#ifdef _KERNEL -#include <sys/malloc.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#include <sys/mbuf.h> -#include <sys/module.h> -#include <net/if.h> /* IFNAMSIZ */ -#include <netinet/in.h> -#include <netinet/ip_var.h> /* ipfw_rule_ref */ -#include <netinet/ip_fw.h> /* flow_id */ -#include <netinet/ip_dummynet.h> -#include <netinet/ipfw/dn_heap.h> -#include <netinet/ipfw/ip_dn_private.h> -#include <netinet/ipfw/dn_sched.h> -#else -#include <dn_test.h> -#endif - -#define DN_SCHED_RR 3 // XXX Where? - -struct rr_queue { - struct dn_queue q; /* Standard queue */ - int status; /* 1: queue is in the list */ - int credit; /* Number of bytes to transmit */ - int quantum; /* quantum * C */ - struct rr_queue *qnext; /* */ -}; - -/* struct rr_schk contains global config parameters - * and is right after dn_schk - */ -struct rr_schk { - int min_q; /* Min quantum */ - int max_q; /* Max quantum */ - int q_bytes; /* Bytes per quantum */ -}; - -/* per-instance round robin list, right after dn_sch_inst */ -struct rr_si { - struct rr_queue *head, *tail; /* Pointer to current queue */ -}; - -/* Append a queue to the rr list */ -static inline void -rr_append(struct rr_queue *q, struct rr_si *si) -{ - q->status = 1; /* mark as in-rr_list */ - q->credit = q->quantum; /* initialize credit */ - - /* append to the tail */ - if (si->head == NULL) - si->head = q; - else - si->tail->qnext = q; - si->tail = q; /* advance the tail pointer */ - q->qnext = si->head; /* make it circular */ -} - -/* Remove the head queue from circular list. */ -static inline void -rr_remove_head(struct rr_si *si) -{ - if (si->head == NULL) - return; /* empty queue */ - si->head->status = 0; - - if (si->head == si->tail) { - si->head = si->tail = NULL; - return; - } - - si->head = si->head->qnext; - si->tail->qnext = si->head; -} - -/* Remove a queue from circular list. - * XXX see if ti can be merge with remove_queue() - */ -static inline void -remove_queue_q(struct rr_queue *q, struct rr_si *si) -{ - struct rr_queue *prev; - - if (q->status != 1) - return; - if (q == si->head) { - rr_remove_head(si); - return; - } - - for (prev = si->head; prev; prev = prev->qnext) { - if (prev->qnext != q) - continue; - prev->qnext = q->qnext; - if (q == si->tail) - si->tail = prev; - q->status = 0; - break; - } -} - - -static inline void -next_pointer(struct rr_si *si) -{ - if (si->head == NULL) - return; /* empty queue */ - - si->head = si->head->qnext; - si->tail = si->tail->qnext; -} - -static int -rr_enqueue(struct dn_sch_inst *_si, struct dn_queue *q, struct mbuf *m) -{ - struct rr_si *si; - struct rr_queue *rrq; - - if (m != q->mq.head) { - if (dn_enqueue(q, m, 0)) /* packet was dropped */ - return 1; - if (m != q->mq.head) - return 0; - } - - /* If reach this point, queue q was idle */ - si = (struct rr_si *)(_si + 1); - rrq = (struct rr_queue *)q; - - if (rrq->status == 1) /* Queue is already in the queue list */ - return 0; - - /* Insert the queue in the queue list */ - rr_append(rrq, si); - - return 0; -} - -static struct mbuf * -rr_dequeue(struct dn_sch_inst *_si) -{ - /* Access scheduler instance private data */ - struct rr_si *si = (struct rr_si *)(_si + 1); - struct rr_queue *rrq; - uint64_t len; - - while ( (rrq = si->head) ) { - struct mbuf *m = rrq->q.mq.head; - if ( m == NULL) { - /* empty queue, remove from list */ - rr_remove_head(si); - continue; - } - len = m->m_pkthdr.len; - - if (len > rrq->credit) { - /* Packet too big */ - rrq->credit += rrq->quantum; - /* Try next queue */ - next_pointer(si); - } else { - rrq->credit -= len; - return dn_dequeue(&rrq->q); - } - } - - /* no packet to dequeue*/ - return NULL; -} - -static int -rr_config(struct dn_schk *_schk) -{ - struct rr_schk *schk = (struct rr_schk *)(_schk + 1); - ND("called"); - - /* use reasonable quantums (64..2k bytes, default 1500) */ - schk->min_q = 64; - schk->max_q = 2048; - schk->q_bytes = 1500; /* quantum */ - - return 0; -} - -static int -rr_new_sched(struct dn_sch_inst *_si) -{ - struct rr_si *si = (struct rr_si *)(_si + 1); - - ND("called"); - si->head = si->tail = NULL; - - return 0; -} - -static int -rr_free_sched(struct dn_sch_inst *_si) -{ - ND("called"); - /* Nothing to do? */ - return 0; -} - -static int -rr_new_fsk(struct dn_fsk *fs) -{ - struct rr_schk *schk = (struct rr_schk *)(fs->sched + 1); - /* par[0] is the weight, par[1] is the quantum step */ - ipdn_bound_var(&fs->fs.par[0], 1, - 1, 65536, "RR weight"); - ipdn_bound_var(&fs->fs.par[1], schk->q_bytes, - schk->min_q, schk->max_q, "RR quantum"); - return 0; -} - -static int -rr_new_queue(struct dn_queue *_q) -{ - struct rr_queue *q = (struct rr_queue *)_q; - - _q->ni.oid.subtype = DN_SCHED_RR; - - q->quantum = _q->fs->fs.par[0] * _q->fs->fs.par[1]; - ND("called, q->quantum %d", q->quantum); - q->credit = q->quantum; - q->status = 0; - - if (_q->mq.head != NULL) { - /* Queue NOT empty, insert in the queue list */ - rr_append(q, (struct rr_si *)(_q->_si + 1)); - } - return 0; -} - -static int -rr_free_queue(struct dn_queue *_q) -{ - struct rr_queue *q = (struct rr_queue *)_q; - - ND("called"); - if (q->status == 1) { - struct rr_si *si = (struct rr_si *)(_q->_si + 1); - remove_queue_q(q, si); - } - return 0; -} - -/* - * RR scheduler descriptor - * contains the type of the scheduler, the name, the size of the - * structures and function pointers. - */ -static struct dn_alg rr_desc = { - _SI( .type = ) DN_SCHED_RR, - _SI( .name = ) "RR", - _SI( .flags = ) DN_MULTIQUEUE, - - _SI( .schk_datalen = ) 0, - _SI( .si_datalen = ) sizeof(struct rr_si), - _SI( .q_datalen = ) sizeof(struct rr_queue) - sizeof(struct dn_queue), - - _SI( .enqueue = ) rr_enqueue, - _SI( .dequeue = ) rr_dequeue, - - _SI( .config = ) rr_config, - _SI( .destroy = ) NULL, - _SI( .new_sched = ) rr_new_sched, - _SI( .free_sched = ) rr_free_sched, - _SI( .new_fsk = ) rr_new_fsk, - _SI( .free_fsk = ) NULL, - _SI( .new_queue = ) rr_new_queue, - _SI( .free_queue = ) rr_free_queue, -}; - - -DECLARE_DNSCHED_MODULE(dn_rr, &rr_desc); diff --git a/sys/netinet/ipfw/dn_sched_wf2q.c b/sys/netinet/ipfw/dn_sched_wf2q.c deleted file mode 100644 index 7f16719..0000000 --- a/sys/netinet/ipfw/dn_sched_wf2q.c +++ /dev/null @@ -1,373 +0,0 @@ -/* - * Copyright (c) 2010 Riccardo Panicucci, Universita` di Pisa - * Copyright (c) 2000-2002 Luigi Rizzo, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * $FreeBSD$ - */ - -#ifdef _KERNEL -#include <sys/malloc.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/kernel.h> -#include <sys/mbuf.h> -#include <sys/module.h> -#include <net/if.h> /* IFNAMSIZ */ -#include <netinet/in.h> -#include <netinet/ip_var.h> /* ipfw_rule_ref */ -#include <netinet/ip_fw.h> /* flow_id */ -#include <netinet/ip_dummynet.h> -#include <netinet/ipfw/dn_heap.h> -#include <netinet/ipfw/ip_dn_private.h> -#include <netinet/ipfw/dn_sched.h> -#else -#include <dn_test.h> -#endif - -#ifndef MAX64 -#define MAX64(x,y) (( (int64_t) ( (y)-(x) )) > 0 ) ? (y) : (x) -#endif - -/* - * timestamps are computed on 64 bit using fixed point arithmetic. - * LMAX_BITS, WMAX_BITS are the max number of bits for the packet len - * and sum of weights, respectively. FRAC_BITS is the number of - * fractional bits. We want FRAC_BITS >> WMAX_BITS to avoid too large - * errors when computing the inverse, FRAC_BITS < 32 so we can do 1/w - * using an unsigned 32-bit division, and to avoid wraparounds we need - * LMAX_BITS + WMAX_BITS + FRAC_BITS << 64 - * As an example - * FRAC_BITS = 26, LMAX_BITS=14, WMAX_BITS = 19 - */ -#ifndef FRAC_BITS -#define FRAC_BITS 28 /* shift for fixed point arithmetic */ -#define ONE_FP (1UL << FRAC_BITS) -#endif - -/* - * Private information for the scheduler instance: - * sch_heap (key is Finish time) returns the next queue to serve - * ne_heap (key is Start time) stores not-eligible queues - * idle_heap (key=start/finish time) stores idle flows. It must - * support extract-from-middle. - * A flow is only in 1 of the three heaps. - * XXX todo: use a more efficient data structure, e.g. a tree sorted - * by F with min_subtree(S) in each node - */ -struct wf2qp_si { - struct dn_heap sch_heap; /* top extract - key Finish time */ - struct dn_heap ne_heap; /* top extract - key Start time */ - struct dn_heap idle_heap; /* random extract - key Start=Finish time */ - uint64_t V; /* virtual time */ - uint32_t inv_wsum; /* inverse of sum of weights */ - uint32_t wsum; /* sum of weights */ -}; - -struct wf2qp_queue { - struct dn_queue _q; - uint64_t S, F; /* start time, finish time */ - uint32_t inv_w; /* ONE_FP / weight */ - int32_t heap_pos; /* position (index) of struct in heap */ -}; - -/* - * This file implements a WF2Q+ scheduler as it has been in dummynet - * since 2000. - * The scheduler supports per-flow queues and has O(log N) complexity. - * - * WF2Q+ needs to drain entries from the idle heap so that we - * can keep the sum of weights up to date. We can do it whenever - * we get a chance, or periodically, or following some other - * strategy. The function idle_check() drains at most N elements - * from the idle heap. - */ -static void -idle_check(struct wf2qp_si *si, int n, int force) -{ - struct dn_heap *h = &si->idle_heap; - while (n-- > 0 && h->elements > 0 && - (force || DN_KEY_LT(HEAP_TOP(h)->key, si->V))) { - struct dn_queue *q = HEAP_TOP(h)->object; - struct wf2qp_queue *alg_fq = (struct wf2qp_queue *)q; - - heap_extract(h, NULL); - /* XXX to let the flowset delete the queue we should - * mark it as 'unused' by the scheduler. - */ - alg_fq->S = alg_fq->F + 1; /* Mark timestamp as invalid. */ - si->wsum -= q->fs->fs.par[0]; /* adjust sum of weights */ - if (si->wsum > 0) - si->inv_wsum = ONE_FP/si->wsum; - } -} - -static int -wf2qp_enqueue(struct dn_sch_inst *_si, struct dn_queue *q, struct mbuf *m) -{ - struct dn_fsk *fs = q->fs; - struct wf2qp_si *si = (struct wf2qp_si *)(_si + 1); - struct wf2qp_queue *alg_fq; - uint64_t len = m->m_pkthdr.len; - - if (m != q->mq.head) { - if (dn_enqueue(q, m, 0)) /* packet was dropped */ - return 1; - if (m != q->mq.head) /* queue was already busy */ - return 0; - } - - /* If reach this point, queue q was idle */ - alg_fq = (struct wf2qp_queue *)q; - - if (DN_KEY_LT(alg_fq->F, alg_fq->S)) { - /* F<S means timestamps are invalid ->brand new queue. */ - alg_fq->S = si->V; /* init start time */ - si->wsum += fs->fs.par[0]; /* add weight of new queue. */ - si->inv_wsum = ONE_FP/si->wsum; - } else { /* if it was idle then it was in the idle heap */ - heap_extract(&si->idle_heap, q); - alg_fq->S = MAX64(alg_fq->F, si->V); /* compute new S */ - } - alg_fq->F = alg_fq->S + len * alg_fq->inv_w; - - /* if nothing is backlogged, make sure this flow is eligible */ - if (si->ne_heap.elements == 0 && si->sch_heap.elements == 0) - si->V = MAX64(alg_fq->S, si->V); - - /* - * Look at eligibility. A flow is not eligibile if S>V (when - * this happens, it means that there is some other flow already - * scheduled for the same pipe, so the sch_heap cannot be - * empty). If the flow is not eligible we just store it in the - * ne_heap. Otherwise, we store in the sch_heap. - * Note that for all flows in sch_heap (SCH), S_i <= V, - * and for all flows in ne_heap (NEH), S_i > V. - * So when we need to compute max(V, min(S_i)) forall i in - * SCH+NEH, we only need to look into NEH. - */ - if (DN_KEY_LT(si->V, alg_fq->S)) { - /* S>V means flow Not eligible. */ - if (si->sch_heap.elements == 0) - D("++ ouch! not eligible but empty scheduler!"); - heap_insert(&si->ne_heap, alg_fq->S, q); - } else { - heap_insert(&si->sch_heap, alg_fq->F, q); - } - return 0; -} - -/* XXX invariant: sch > 0 || V >= min(S in neh) */ -static struct mbuf * -wf2qp_dequeue(struct dn_sch_inst *_si) -{ - /* Access scheduler instance private data */ - struct wf2qp_si *si = (struct wf2qp_si *)(_si + 1); - struct mbuf *m; - struct dn_queue *q; - struct dn_heap *sch = &si->sch_heap; - struct dn_heap *neh = &si->ne_heap; - struct wf2qp_queue *alg_fq; - - if (sch->elements == 0 && neh->elements == 0) { - /* we have nothing to do. We could kill the idle heap - * altogether and reset V - */ - idle_check(si, 0x7fffffff, 1); - si->V = 0; - si->wsum = 0; /* should be set already */ - return NULL; /* quick return if nothing to do */ - } - idle_check(si, 1, 0); /* drain something from the idle heap */ - - /* make sure at least one element is eligible, bumping V - * and moving entries that have become eligible. - * We need to repeat the first part twice, before and - * after extracting the candidate, or enqueue() will - * find the data structure in a wrong state. - */ - m = NULL; - for(;;) { - /* - * Compute V = max(V, min(S_i)). Remember that all elements - * in sch have by definition S_i <= V so if sch is not empty, - * V is surely the max and we must not update it. Conversely, - * if sch is empty we only need to look at neh. - * We don't need to move the queues, as it will be done at the - * next enqueue - */ - if (sch->elements == 0 && neh->elements > 0) { - si->V = MAX64(si->V, HEAP_TOP(neh)->key); - } - while (neh->elements > 0 && - DN_KEY_LEQ(HEAP_TOP(neh)->key, si->V)) { - q = HEAP_TOP(neh)->object; - alg_fq = (struct wf2qp_queue *)q; - heap_extract(neh, NULL); - heap_insert(sch, alg_fq->F, q); - } - if (m) /* pkt found in previous iteration */ - break; - /* ok we have at least one eligible pkt */ - q = HEAP_TOP(sch)->object; - alg_fq = (struct wf2qp_queue *)q; - m = dn_dequeue(q); - heap_extract(sch, NULL); /* Remove queue from heap. */ - si->V += (uint64_t)(m->m_pkthdr.len) * si->inv_wsum; - alg_fq->S = alg_fq->F; /* Update start time. */ - if (q->mq.head == 0) { /* not backlogged any more. */ - heap_insert(&si->idle_heap, alg_fq->F, q); - } else { /* Still backlogged. */ - /* Update F, store in neh or sch */ - uint64_t len = q->mq.head->m_pkthdr.len; - alg_fq->F += len * alg_fq->inv_w; - if (DN_KEY_LEQ(alg_fq->S, si->V)) { - heap_insert(sch, alg_fq->F, q); - } else { - heap_insert(neh, alg_fq->S, q); - } - } - } - return m; -} - -static int -wf2qp_new_sched(struct dn_sch_inst *_si) -{ - struct wf2qp_si *si = (struct wf2qp_si *)(_si + 1); - int ofs = offsetof(struct wf2qp_queue, heap_pos); - - /* all heaps support extract from middle */ - if (heap_init(&si->idle_heap, 16, ofs) || - heap_init(&si->sch_heap, 16, ofs) || - heap_init(&si->ne_heap, 16, ofs)) { - heap_free(&si->ne_heap); - heap_free(&si->sch_heap); - heap_free(&si->idle_heap); - return ENOMEM; - } - return 0; -} - -static int -wf2qp_free_sched(struct dn_sch_inst *_si) -{ - struct wf2qp_si *si = (struct wf2qp_si *)(_si + 1); - - heap_free(&si->sch_heap); - heap_free(&si->ne_heap); - heap_free(&si->idle_heap); - - return 0; -} - -static int -wf2qp_new_fsk(struct dn_fsk *fs) -{ - ipdn_bound_var(&fs->fs.par[0], 1, - 1, 100, "WF2Q+ weight"); - return 0; -} - -static int -wf2qp_new_queue(struct dn_queue *_q) -{ - struct wf2qp_queue *q = (struct wf2qp_queue *)_q; - - _q->ni.oid.subtype = DN_SCHED_WF2QP; - q->F = 0; /* not strictly necessary */ - q->S = q->F + 1; /* mark timestamp as invalid. */ - q->inv_w = ONE_FP / _q->fs->fs.par[0]; - if (_q->mq.head != NULL) { - wf2qp_enqueue(_q->_si, _q, _q->mq.head); - } - return 0; -} - -/* - * Called when the infrastructure removes a queue (e.g. flowset - * is reconfigured). Nothing to do if we did not 'own' the queue, - * otherwise remove it from the right heap and adjust the sum - * of weights. - */ -static int -wf2qp_free_queue(struct dn_queue *q) -{ - struct wf2qp_queue *alg_fq = (struct wf2qp_queue *)q; - struct wf2qp_si *si = (struct wf2qp_si *)(q->_si + 1); - - if (alg_fq->S >= alg_fq->F + 1) - return 0; /* nothing to do, not in any heap */ - si->wsum -= q->fs->fs.par[0]; - if (si->wsum > 0) - si->inv_wsum = ONE_FP/si->wsum; - - /* extract from the heap. XXX TODO we may need to adjust V - * to make sure the invariants hold. - */ - if (q->mq.head == NULL) { - heap_extract(&si->idle_heap, q); - } else if (DN_KEY_LT(si->V, alg_fq->S)) { - heap_extract(&si->ne_heap, q); - } else { - heap_extract(&si->sch_heap, q); - } - return 0; -} - -/* - * WF2Q+ scheduler descriptor - * contains the type of the scheduler, the name, the size of the - * structures and function pointers. - */ -static struct dn_alg wf2qp_desc = { - _SI( .type = ) DN_SCHED_WF2QP, - _SI( .name = ) "WF2Q+", - _SI( .flags = ) DN_MULTIQUEUE, - - /* we need extra space in the si and the queue */ - _SI( .schk_datalen = ) 0, - _SI( .si_datalen = ) sizeof(struct wf2qp_si), - _SI( .q_datalen = ) sizeof(struct wf2qp_queue) - - sizeof(struct dn_queue), - - _SI( .enqueue = ) wf2qp_enqueue, - _SI( .dequeue = ) wf2qp_dequeue, - - _SI( .config = ) NULL, - _SI( .destroy = ) NULL, - _SI( .new_sched = ) wf2qp_new_sched, - _SI( .free_sched = ) wf2qp_free_sched, - - _SI( .new_fsk = ) wf2qp_new_fsk, - _SI( .free_fsk = ) NULL, - - _SI( .new_queue = ) wf2qp_new_queue, - _SI( .free_queue = ) wf2qp_free_queue, -}; - - -DECLARE_DNSCHED_MODULE(dn_wf2qp, &wf2qp_desc); diff --git a/sys/netinet/ipfw/dummynet.txt b/sys/netinet/ipfw/dummynet.txt deleted file mode 100644 index e4f3075..0000000 --- a/sys/netinet/ipfw/dummynet.txt +++ /dev/null @@ -1,860 +0,0 @@ -# -# $FreeBSD$ -# - -Notes on the internal structure of dummynet (2010 version) -by Riccardo Panicucci and Luigi Rizzo -Work supported by the EC project ONELAB2 - - -********* -* INDEX * -********* -Implementation of new dummynet - Internal structure - Files -Packet arrival - The reconfiguration routine -dummynet_task() -Configuration - Add a pipe - Add a scheduler - Add a flowset -Listing object -Delete of object - Delete a pipe - Delete a flowset - Delete a scheduler -Compatibility with FreeBSD7.2 and FreeBSD 8 ipfw binary - ip_dummynet_glue.c - ip_fw_glue.c -How to configure dummynet -How to implement a new scheduler - - - -OPEN ISSUES ------------------------------- -20100131 deleting RR causes infinite loop - presumably in the rr_free_queue() call -- seems to hang - forever when deleting a live flow ------------------------------- - -Dummynet is a traffic shaper and network emulator. Packets are -selected by an external filter such as ipfw, and passed to the emulator -with a tag such as "pipe 10" or "queue 5" which tells what to -do with the packet. As an example - - ipfw add queue 5 icmp from 10.0.0.2 to all - -All packets with the same tag belong to a "flowset", or a set -of flows which can be further partitioned according to a mask. -Flowsets are then passed to a scheduler for processing. The -association of flowsets and schedulers is configurable e.g. - - ipfw queue 5 config sched 10 weight 3 flow_mask xxxx - ipfw queue 8 config sched 10 weight 1 ... - ipfw queue 3 config sched 20 weight 1 ... - -"sched 10" represents one or more scheduler instances, -selected through a mask on the 5-tuple itself. - - ipfw sched 20 config type FIFO sched_mask yyy ... - -There are in fact two masks applied to each packet: -+ the "sched_mask" sends packets arriving to a scheduler_id to - one of many instances. -+ the "flow_mask" together with the flowset_id is used to - collect packets into independent flows on each scheduler. - -As an example, we can have - ipfw queue 5 config sched 10 flow_mask src-ip 0x000000ff - ipfw sched 10 config type WF2Q+ sched_mask src-ip 0xffffff00 - -means that sched 10 will have one instance per /24 source subnet, -and within that, each individual source will be a flow. - -Internal structure ------------------ -Dummynet-related data is split into several data structures, -part of them constituting the userland-kernel API, and others -specific to the kernel. -NOTE: for up-to-date details please look at the relevant source - headers (ip_dummynet.h, ip_dn_private.h, dn_sched.h) - -USERLAND-KERNEL API (ip_dummynet.h) - - struct dn_link: - contains data about the physical link such as - bandwith, delay, burst size; - - struct dn_fs: - describes a flowset, i.e. a template for queues. - Main parameters are the scheduler we attach to, a flow_mask, - buckets, queue size, plr, weight, and other scheduler-specific - parameters. - - struct dn_flow - contains information on a flow, including masks and - statistics - - struct dn_sch: - defines a scheduler (and a link attached to it). - Parameters include scheduler type, sched_mask, number of - buckets, and possibly other scheduler-specific parameters, - - struct dn_profile: - fields to simulate a delay profile - - -KERNEL REPRESENTATION (ip_dn_private.h) - - struct mq - a queue of mbufs with head and tail. - - struct dn_queue - individual queue of packets, created by a flowset using - flow_mask and attached to a scheduler instance selected - through sched_mask. - A dn_queue has a pointer to the dn_fsk (which in turn counts - how many queues point to it), a pointer to the - dn_sch_inst it attaches to, and is in a hash table in the - flowset. scheduler instances also should store queues in - their own containers used for scheduling (lists, trees, etc.) - CREATE: done on packet arrivals when a flow matches a flowset. - DELETE: done only when deleting the parent dn_sch_inst - or draining memory. - - struct dn_fsk - includes a dn_fs; a pointer to the dn_schk; a link field - for the list of dn_fsk attached to the same scheduler, - or for the unlinked list; - a refcount for the number of queues pointing to it; - The dn_fsk is in a hash table, fshash. - CREATE: done on configuration commands. - DELETE: on configuration commands. - - struct dn_sch_inst - a scheduler instance, created from a dn_schk applying sched_mask. - Contains a delay line, a reference to the parent, and scheduler- - specific info. Both dn_sch_inst and its delay line can be in the - evheap if they have events to be processed. - CREATE: created from a dn_schk applying sched_mask - DELETE: configuration command delete a scheduler which in turn - sweeps the hash table of instances deleting them - - struct dn_schk - includes dn_sch, dn_link, a pointer to dn_profile, - a hash table of dn_sch_inst, a list of dn_fsk - attached to it. - CREATE: configuration command. If there are flowsets that - refer to this number, they are attached and moved - to the hash table - DELETE: manual, see dn_sch_inst - - - fshash schedhash - +---------------+ sched +--------------+ - | sched-------------------->| NEW_SCHK| - -<----*sch_chain |<-----------------*fsk_list | - |NEW_FSK |<----. | [dn_link] | - +---------------+ | +--------------+ - |qht (hash) | | | siht(hash) | - | [dn_queue] | | | [dn_si] | - | [dn_queue] | | | [dn_si] | - | ... | | | ... | - | +--------+ | | | +---------+ | - | |dn_queue| | | | |dn_si | | - | | fs *----------' | | | | - | | si *---------------------->| | | - | +---------+ | | +---------+ | - +---------------+ +--------------+ - -The following global data structures contain all -schedulers and flowsets. - -- schedhash[x]: contains all scheduler templates in the system. - Looked up only on manual configurations, where flowsets - are attached to matching schedulers. - We have one entry per 'sched X config' command - (plus one for each 'pipe X config'). - -- fshash[x]: contains all flowsets. - We do a lookup on this for each packet. - We have one entry for each 'queue X config' - (plus one for each 'pipe X config'). - -Additionally, a list that contains all unlinked flowset: -- fsu: contains flowset that are not linked with any scheduler. - Flowset are put in this list when they refer to a non - existing scheduler. - We don't need an efficient data structure as we never search - here on a packet arrivals. - -Scheduler instances and the delay lines associated with each scheduler -instance need to be woken up at certain times. Because we have many -such objects, we keep them in a priority heap (system_heap). - -Almost all objects in this implementation are preceded by a structure -(struct dn_id) which makes it easier to identify them. - - -Files ------ -The dummynet code is split in several files. -All kernel code is in sys/netinet/ipfw except ip_dummynet.h -All userland code is in sbin/ipfw. -Files are -- sys/netinet/ip_dummynet.h defines the kernel-userland API -- ip_dn_private.h contains the kernel-specific APIs - and data structures -- dn_sched.h defines the scheduler API -- ip_dummynet.c cointains module glue and sockopt handlers, with all - functions to configure and list objects. -- ip_dn_io.c contains the functions directly related to packet processing, - and run in the critical path. It also contains some functions - exported to the schedulers. -- dn_heap.[ch] implement a binary heap and a generic hash table -- dn_sched_* implement the various scheduler modules - -- dummynet.c is the file used to implement the user side of dummynet. - It contains the function to parsing command line, and functions to - show the output of dummynet objects. -Moreover, there are two new file (ip_dummynet_glue.c and ip_fw_glue.c) that -are used to allow compatibility with the "ipfw" binary from FreeBSD 7.2 and -FreeBSD 8. - -LOCKING -======= -At the moment the entire processing occurs under a single lock -which is expected to be acquired in exclusive mode -DN_BH_WLOCK() / DN_BH_WUNLOCK(). - -In perspective we aim at the following: -- the 'busy' flag, 'pending' list and all structures modified by packet - arrivals and departures are protected by the BH_WLOCK. - This is normally acquired in exclusive mode by the packet processing - functions for short sections of code (exception -- the timer). - If 'busy' is not set, we can do regular packet processing. - If 'busy' is set, no pieces can be accessed. - We must enqueue the packet on 'pending' and return immediately. - -- the 'busy' flag is set/cleared by long sections of code as follows: - UH_WLOCK(); KASSERT(busy == 0); - BH_WLOCK(); busy=1; BH_WUNLOCK(); - ... do processing ... - BH_WLOCK(); busy=0; drain_queue(pending); BH_WUNLOCK(); - UH_WUNLOCK(); - this normally happens when the upper half has something heavy - to do. The prologue and epilogue are not in the critical path. - -- the main containers (fshash, schedhash, ...) are protected by - UH_WLOCK. - -Packet processing -================= -A packet enters dummynet through dummynet_io(). We first lookup -the flowset number in fshash using dn_ht_find(), then find the scheduler -instance using ipdn_si_find(), then possibly identify the correct -queue with ipdn_q_find(). -If successful, we call the scheduler's enqueue function(), and -if needed start I/O on the link calling serve_sched(). -If the packet can be returned immediately, this is done by -leaving *m0 set. Otherwise, the packet is absorbed by dummynet -and we simply return, possibly with some appropriate error code. - -Reconfiguration ---------------- -Reconfiguration is the complex part of the system because we need to -keep track of the various objects and containers. -At the moment we do not use reference counts for objects so all -processing must be done under a lock. - -The main entry points for configuration is the ip_dn_ctl() handler -for the IP_DUMMYNET3 sockopt (others are provided only for backward -compatibility). Modifications to the configuration call do_config(). -The argument is a sequence of blocks each starting with a struct dn_id -which specifies its content. -The first dn_id must contain as obj.id the DN_API_VERSION -The obj.type is DN_CMD_CONFIG (followed by actual objects), -DN_CMD_DELETE (with the correct subtype and list of objects), or -DN_CMD_FLUSH. - -DN_CMD_CONFIG is followed by objects to add/reconfigure. In general, -if an object already exists it is reconfigured, otherwise it is -created in a way that keeps the structure consistent. -We have the following objects in the system, normally numbered with -an identifier N between 1 and 65535. For certain objects we have -"shadow" copies numbered I+NMAX and I+ 2*NMAX which are used to -implement certain backward compatibility features. - -In general we have the following linking - - TRADITIONAL DUMMYNET QUEUES "queue N config ... pipe M ..." - corresponds to a dn_fs object numbered N - - TRADITIONAL DUMMYNET PIPES "pipe N config ..." - dn_fs N+2*NMAX --> dn_sch N+NMAX type FIFO --> dn_link N+NMAX - - GENERIC SCHEDULER "sched N config ... " - [dn_fs N+NMAX] --> dn_sch N --> dn_link N - The flowset N+NMAX is created only if the scheduler is not - of type MULTIQUEUE. - - DELAY PROFILE "pipe N config profile ..." - it is always attached to an existing dn_link N - -Because traditional dummynet pipes actually configure both a -'standalone' instance and one that can be used by queues, -we do the following: - - "pipe N config ..." configures: - dn_sched N type WF2Q+ - dn_sched N+NMAX type FIFO - dn_fs N+2NMAX attached to dn_sched N+NMAX - dn_pipe N - dn_pipe N+NMAX - - "queue N config" configures - dn_fs N - - "sched N config" configures - dn_sched N type as desired - dn_fs N+NMAX attached to dn_sched N - - -dummynet_task() -=============== -The dummynet_task() function is the main dummynet processing function and is -called every tick. This function first calculate the new current time, then -it checks if it is the time to wake up object from the system_heap comparing -the current time and the key of the heap. Two types of object (really the -heap contains pointer to objects) are in the -system_heap: - -- scheduler instance: if a scheduler instance is waked up, the dequeue() - function is called until it has credit. If the dequeue() returns packets, - the scheduler instance is inserted in the heap with a new key depending of - the data that will be send out. If the scheduler instance remains with - some credit, it means that is hasn't other packet to send and so the - instance is no longer inserted in the heap. - - If the scheduler instance extracted from the heap has the DELETE flag set, - the dequeue() is not called and the instance is destroyed now. - -- delay line: when extracting a delay line, the function transmit_event() is - called to send out packet from delay line. - - If the scheduler instance associated with this delay line doesn't exists, - the delay line will be delete now. - -Configuration -============= -To create a pipe, queue or scheduler, the user should type commands like: -"ipfw pipe x config" -"ipfw queue y config pipe x" -"ipfw pipe x config sched <type>" - -The userland side of dummynet will prepare a buffer contains data to pass to -kernel side. -The buffer contains all struct needed to configure an object. In more detail, -to configure a pipe all three structs (dn_link, dn_sch, dn_fs) are needed, -plus the delay profile struct if the pipe has a delay profile. - -If configuring a scheduler only the struct dn_sch is wrote in the buffer, -while if configuring a flowset only the dn_fs struct is wrote. - -The first struct in the buffer contains the type of command request, that is -if it is configuring a pipe, a queue, or a scheduler. Then there are structs -need to configure the object, and finally there is the struct that mark -the end of the buffer. - -To support the insertion of pipe and queue using the old syntax, when adding -a pipe it's necessary to create a FIFO flowset and a FIFO scheduler, which -have a number x + DN_PIPEOFFSET. - -Add a pipe ----------- -A pipe is only a template for a link. -If the pipe already exists, parameters are updated. If a delay profile exists -it is deleted and a new one is created. -If the pipe doesn't exist a new one is created. After the creation, the -flowset unlinked list is scanned to see if there are some flowset that would -be linked with this pipe. If so, these flowset will be of wf2q+ type (for -compatibility) and a new wf2q+ scheduler is created now. - -Add a scheduler ---------------- -If the scheduler already exists, and the type and the mask are the same, the -scheduler is simply reconfigured calling the config_scheduler() scheduler -function with the RECONFIGURE flag active. -If the type or the mask differ, it is necessary to delete the old scheduler -and create a new one. -If the scheduler doesn't exists, a new one is created. If the scheduler has -a mask, the hash table is created to store pointers to scheduler instances. -When a new scheduler is created, it is necessary to scan the unlinked -flowset list to search eventually flowset that would be linked with this -scheduler number. If some are found, flowsets became of the type of this -scheduler and they are configured properly. - -Add a flowset -------------- -Flowset pointers are store in the system in two list. The unlinked flowset list -contains all flowset that aren't linked with a scheduler, the flowset list -contains flowset linked to a scheduler, and so they have a type. -When adding a new flowset, first it is checked if the flowset exists (that is, -it is in the flowset list) and if it doesn't exists a new flowset is created -and added to unlinked flowset list if the scheduler which the flowset would be -linked doesn't exists, or added in the flowset list and configured properly if -the scheduler exists. If the flowset (before to be created) was in the -unlinked flowset list, it is removed and deleted, and then recreated. -If the flowset exists, to allow reconfiguration of this flowset, the -scheduler number and types must match with the one in memory. If this isn't -so, the flowset is deleted and a new one will be created. Really, the flowset -it isn't deleted now, but it is removed from flowset list and it will be -deleted later because there could be some queues that are using it. - -Listing of object -================= -The user can request a list of object present in dummynet through the command -"ipfw [-v] pipe|queue [x] list|show" -The kernel side of dummynet send a buffer to user side that contains all -pipe, all scheduler, all flowset, plus all scheduler instances and all queues. -The dummynet user land will format the output and show only the relevant -information. -The buffer sent start with all pipe from the system. The entire struct dn_link -is passed, except the delay_profile struct that is useless in user space. -After pipes, all flowset are wrote in the buffer. The struct contains -scheduler flowset specific data is linked with the flowset writing the -'obj' id of the extension into the 'alg_fs' pointer. -Then schedulers are wrote. If a scheduler has one or more scheduler instance, -these are linked to the parent scheduler writing the id of the parent in the -'ptr_sched' pointer. If a scheduler instance has queues, there are wrote in -the buffer and linked thorugh the 'obj' and 'sched_inst' pointer. -Finally, flowsets in the unlinked flowset list are write in the buffer, and -then a struct gen in saved in the buffer to mark the last struct in the buffer. - - -Delete of object -================ -An object is usually removed by user through a command like -"ipfw pipe|queue x delete". XXX sched? -ipfw pass to the kernel a struct gen that contains the type and the number -of the object to remove - -Delete of pipe x ----------------- -A pipe can be deleted by the user throught the command 'ipfw pipe x delete'. -To delete a pipe, the pipe is removed from the pipe list, and then deleted. -Also the scheduler associated with this pipe should be deleted. -For compatibility with old dummynet syntax, the associated FIFO scheduler and -FIFO flowset must be deleted. - -Delete of flowset x -------------------- -To remove a flowset, we must be sure that is no loger referenced by any object. -If the flowset to remove is in the unlinked flowset list, there is not any -issue, the flowset can be safely removed calling a free() (the flowset -extension is not yet created if the flowset is in this list). -If the flowset is in the flowset list, first we remove from it so new packet -are discarded when arrive. Next, the flowset is marked as delete. -Now we must check if some queue is using this flowset. -To do this, a counter (active_f) is provided. This counter indicate how many -queues exist using this flowset. -The active_f counter is automatically incremented when a queue is created -and decremented when a queue is deleted. -If the counter is 0, the flowset can be safely deleted, and the delete_alg_fs() -scheduler function is called before deallocate memory. -If the counter is not 0, the flowset remain in memory until the counter become -zero. When a queue is delete (by dn_delete_queue() function) it is checked if -the linked flowset is deleting and if so the counter is decrementing. If the -counter reaches 0, the flowset is deleted. -The deletion of a queue can be done only by the scheduler, or when the scheduler -is destroyed. - -Delete of scheduler x ---------------------- -To delete a scheduler we must be sure that any scheduler instance of this type -are in the system_heap. To do so, a counter (inst_counter) is provided. -This counter is managed by the system: it is incremented every time it is -inserted in the system_heap, and decremented every time it is extracted from it. -To delete the scheduler, first we remove it from the scheduler list, so new -packet are discarded when they arrive, and mark the scheduler as deleting. - -If the counter is 0, we can remove the scheduler safely calling the -really_deletescheduler() function. This function will scan all scheduler -instances and call the delete_scheduler_instance() function that will delete -the instance. When all instance are deleted, the scheduler template is -deleted calling the delete_scheduler_template(). If the delay line associate -with the scheduler is empty, it is deleted now, else it will be deleted when -it will became empy. -If the counter was not 0, we wait for it. Every time the dummynet_task() -function extract a scheduler from the system_heap, the counter is decremented. -If the scheduler has the delete flag enabled the dequeue() is not called and -delete_scheduler_instance() is called to delete the instance. -Obviously this scheduler instance is no loger inserted in the system_heap. -If the counter reaches 0, the delete_scheduler_template() function is called -all memory is released. -NOTE: Flowsets that belong to this scheduler are not deleted, so if a new - scheduler with the same number is inserted will use these flowsets. - To do so, the best approach would be insert these flowset in the - unlinked flowset list, but doing this now will be very expensive. - So flowsets will remain in memory and linked with a scheduler that no - longer exists until a packet belonging to this flowset arrives. When - this packet arrives, the reconfigure() function is called because the - generation number mismatch with one contains in the flowset and so - the flowset will be moved into the flowset unlinked list, or will be - linked with the new scheduler if a new one was created. - - -COMPATIBILITY WITH FREEBSD 7.2 AND FREEBSD 8 'IPFW' BINARY -========================================================== -Dummynet is not compatible with old ipfw binary because internal structs are -changed. Moreover, the old ipfw binary is not compatible with new kernels -because the struct that represents a firewall rule has changed. So, if a user -install a new kernel on a FreeBSD 7.2, the ipfw (and possibly many other -commands) will not work. -New dummynet uses a new socket option: IP_DUMMYNET3, used for both set and get. -The old option can be used to allow compatibility with the 'ipfw' binary of -older version (tested with 7.2 and 8.0) of FreeBSD. -Two file are provided for this purpose: -- ip_dummynet_glue.c translates old dummynet requests to the new ones, -- ip_fw_glue.c converts the rule format between 7.2 and 8 versions. -Let see in detail these two files. - -IP_DUMMYNET_GLUE.C ------------------- -The internal structs of new dummynet are very different from the original. -Because of there are some difference from between dummynet in FreeBSD 7.2 and -dummynet in FreeBSD 8 (the FreeBSD 8 version includes support to pipe delay -profile and burst option), I have to include both header files. I copied -the revision 191715 (for version 7.2) and the revision 196045 (for version 8) -and I appended a number to each struct to mark them. - -The main function of this file is ip_dummynet_compat() that is called by -ip_dn_ctl() when it receive a request of old socket option. - -A global variabile ('is7') store the version of 'ipfw' that FreeBSD is using. -This variable is set every time a request of configuration is done, because -with this request we receive a buffer of which size depending of ipfw version. -Because of in general the first action is a configuration, this variable is -usually set accordly. If the first action is a request of listing of pipes -or queues, the system cannot know the version of ipfw, and we suppose that -version 7.2 is used. If version is wrong, the output can be senseless, but -the application should not crash. - -There are four request for old dummynet: -- IP_DUMMYNET_FLUSH: the flush options have no parameter, so simply the - dummynet_flush() function is called; -- IP_DUMMYNET_DEL: the delete option need to be translate. - It is only necessary to extract the number and the type of the object - (pipe or queue) to delete from the buffer received and build a new struct - gen contains the right parameters, then call the delete_object() function; -- IP_DUMMYNET_CONFIGURE: the configure command receive a buffer depending of - the ipfw version. After the properly extraction of all data, that depends - by the ipfw version used, new structures are filled and then the dummynet - config_link() function is properly called. Note that the 7.2 version does - not support some parameter as burst or delay profile. -- IP_DUMMYNET_GET: The get command should send to the ipfw the correct buffer - depending of its version. There are two function that build the - corrected buffer, ip_dummynet_get7() and ip_dummynet_get8(). These - functions reproduce the buffer exactly as 'ipfw' expect. The only difference - is that the weight parameter for a queue is no loger sent by dummynet and so - it is set to 0. - Moreover, because of the internal structure has changed, the bucket size - of a queue could not be correct, because now all flowset share the hash - table. - If the version of ipfw is wrong, the output could be senseless or truncated, - but the application should not crash. - -IP_FW_GLUE.C ------------- -The ipfw binary also is used to add rules to FreeBSD firewall. Because of the -struct ip_fw is changed from FreeBsd 7.2 to FreeBSD 8, it is necessary -to write some glue code to allow use ipfw from FreeBSD 7.2 with the kernel -provided with FreeBSD 8. -This file contains two functions to convert a rule from FreeBSD 7.2 format to -FreeBSD 8 format, and viceversa. -The conversion should be done when a rule passes from userspace to kernel space -and viceversa. -I have to modify the ip_fw2.c file to manage these two case, and added a -variable (is7) to store the ipfw version used, using an approach like the -previous file: -- when a new rule is added (option IP_FW_ADD) the is7 variable is set if the - size of the rule received corrispond to FreeBSD 7.2 ipfw version. If so, the - rule is converted to version 8 calling the function convert_rule_to_8(). - Moreover, after the insertion of the rule, the rule is now reconverted to - version 7 because the ipfw binary will print it. -- when the user request a list of rules (option IP_FW_GET) the is7 variable - should be set correctly because we suppose that a configure command was done, - else we suppose that the FreeBSD version is 8. The function ipfw_getrules() - in ip_fw2.c file return all rules, eventually converted to version 7 (if - the is7 is set) to the ipfw binary. -The conversion of a rule is quite simple. The only difference between the -two structures (struct ip_fw) is that in the new there is a new field -(uint32_t id). So, I copy the entire rule in a buffer and the copy the rule in -the right position in the new (or old) struct. The size of commands are not -changed, and the copy is done into a cicle. - -How to configure dummynet -========================= -It is possible to configure dummynet through two main commands: -'ipfw pipe' and 'ipfw queue'. -To allow compatibility with old version, it is possible configure dummynet -using the old command syntax. Doing so, obviously, it is only possible to -configure a FIFO scheduler or a wf2q+ scheduler. -A new command, 'ipfw pipe x config sched <type>' is supported to add a new -scheduler to the system. - -- ipfw pipe x config ... - create a new pipe with the link parameters - create a new scheduler fifo (x + offset) - create a new flowset fifo (x + offset) - the mask is eventually stored in the FIFO scheduler - -- ipfw queue y config pipe x ... - create a new flowset y linked to sched x. - The type of flowset depends by the specified scheduler. - If the scheduler does not exist, this flowset is inserted in a special - list and will be not active. - If pipe x exists and sched does not exist, a new wf2q+ scheduler is - created and the flowset will be linked to this new scheduler (this is - done for compatibility with old syntax). - -- ipfw pipe x config sched <type> ... - create a new scheduler x of type <type>. - Search into the flowset unlinked list if there are some flowset that - should be linked with this new scheduler. - -- ipfw pipe x delete - delete the pipe x - delete the scheduler fifo (x + offset) - delete the scheduler x - delete the flowset fifo (x + offset) - -- ipfw queue x delete - delete the flowset x - -- ipfw sched x delete ///XXX - delete the scheduler x - -Follow now some examples to how configure dummynet: -- Ex1: - ipfw pipe 10 config bw 1M delay 15 // create a pipe with band and delay - A FIFO flowset and scheduler is - also created - ipfw queue 5 config pipe 10 weight 56 // create a flowset. This flowset - will be of wf2q+ because a pipe 10 - exists. Moreover, the wf2q+ - scheduler is created now. -- Ex2: - ipfw queue 5 config pipe 10 weight 56 // Create a flowset. Scheduler 10 - does not exist, so this flowset - is inserted in the unlinked - flowset list. - ipfw pipe 10 config bw... // Create a pipe, a FIFO flowset and scheduler. - Because of a flowset with 'pipe 10' exists, - a wf2q+ scheduler is created now and that - flowset is linked with this sceduler. - -- Ex3: - ipfw pipe 10 config bw... // Create a pipe, a FIFO flowset and scheduler. - ipfw pipe 10 config sched rr // Create a scheduler of type RR, linked to - pipe 10 - ipfw queue 5 config pipe 10 weight 56 // Create a flowset 5. This flowset - will belong to scheduler 10 and - it is of type RR - -- Ex4: - ipfw pipe 10 config sched rr // Create a scheduler of type RR, linked to - pipe 10 (not exist yet) - ipfw pipe 10 config bw... // Create a pipe, a FIFO flowset and scheduler. - ipfw queue 5 config pipe 10 weight 56 // Create a flowset 5.This flowset - will belong to scheduler 10 and - it is of type RR - ipfw pipe 10 config sched wf2q+ // Modify the type of scheduler 10. It - becomes a wf2q+ scheduler. - When a new packet of flowset 5 arrives, - the flowset 5 becomes to wf2q+ type. - -How to implement a new scheduler -================================ -In dummynet, a scheduler algorithm is represented by two main structs, some -functions and other minor structs. -- A struct dn_sch_xyz (where xyz is the 'type' of scheduler algorithm - implemented) contains data relative to scheduler, as global parameter that - are common to all instances of the scheduler -- A struct dn_sch_inst_xyz contains data relative to a single scheduler - instance, as local status variable depending for example by flows that - are linked with the scheduler, and so on. -To add a scheduler to dummynet, the user should type a command like: -'ipfw pipe x config sched <type> [mask ... ...]' -This command creates a new struct dn_sch_xyz of type <type>, and -store the optional parameter in that struct. - -The parameter mask determines how many scheduler instance of this -scheduler may exist. For example, it is possible to divide traffic -depending on the source port (or destination, or ip address...), -so that every scheduler instance act as an independent scheduler. -If the mask is not set, all traffic goes to the same instance. - -When a packet arrives to a scheduler, the system search the corrected -scheduler instance, and if it does not exist it is created now (the -struct dn_sch_inst_xyz is allocated by the system, and the scheduler -fills the field correctly). It is a task of the scheduler to create -the struct that contains all queues for a scheduler instance. -Dummynet provides some function to create an hash table to store -queues, but the schedule algorithm can choice the own struct. - -To link a flow to a scheduler, the user should type a command like: -'ipfw queue z config pipe x [mask... ...]' - -This command creates a new 'dn_fs' struct that will be inserted -in the system. If the scheduler x exists, this flowset will be -linked to that scheduler and the flowset type become the same as -the scheduler type. At this point, the function create_alg_fs_xyz() -is called to allow store eventually parameter for the flowset that -depend by scheduler (for example the 'weight' parameter for a wf2q+ -scheduler, or some priority...). A parameter mask can be used for -a flowset. If the mask parameter is set, the scheduler instance can -separate packet according to its flow id (src and dst ip, ports...) -and assign it to a separate queue. This is done by the scheduler, -so it can ignore the mask if it wants. - -See now the two main structs: -struct dn_sch_xyz { - struct gen g; /* important the name g */ - /* global params */ -}; -struct dn_sch_inst_xyz { - struct gen g; /* important the name g */ - /* params of the instance */ -}; -It is important to embed the struct gen as first parameter. The struct gen -contains some values that the scheduler instance must fill (the 'type' of -scheduler, the 'len' of the struct...) -The function create_scheduler_xyz() should be implemented to initialize global -parameters in the first struct, and if memory allocation is done it is -mandatory to implement the delete_scheduler_template() function to free that -memory. -The function create_scheduler_instance_xyz() must be implemented even if the -scheduler instance does not use extra parameters. In this function the struct -gen fields must be filled with corrected infos. The -delete_scheduler_instance_xyz() function must bu implemented if the instance -has allocated some memory in the previous function. - -To store data belonging to a flowset the follow struct is used: -struct alg_fs_xyz { - struct gen g; - /* fill correctly the gen struct - g.subtype = DN_XYZ; - g.len = sizeof(struct alg_fs_xyz) - ... - */ - /* params for the flow */ -}; -The create_alg_fs_xyz() function is mandatory, because it must fill the struct -gen, but the delete_alg_fs_xyz() is mandatory only if the previous function -has allocated some memory. - -A struct dn_queue contains packets belonging to a queue and some statistical -data. The scheduler could have to store data in this struct, so it must define -a dn_queue_xyz struct: -struct dn_queue_xyz { - struct dn_queue q; - /* parameter for a queue */ -} - -All structures are allocated by the system. To do so, the scheduler must -set the size of its structs in the scheduler descriptor: -scheduler_size: sizeof(dn_sch_xyz) -scheduler_i_size: sizeof(dn_sch_inst_xyz) -flowset_size: sizeof(alg_fs_xyz) -queue_size: sizeof(dn_queue_xyz); -The scheduler_size could be 0, but other struct must have at least a struct gen. - - -After the definition of structs, it is necessary to implement the -scheduler functions. - -- int (*config_scheduler)(char *command, void *sch, int reconfigure); - Configure a scheduler, or reconfigure if 'reconfigure' == 1. - This function performs additional allocation and initialization of global - parameter for this scheduler. - If memory is allocated here, the delete_scheduler_template() function - should be implemented to remove this memory. -- int (*delete_scheduler_template)(void* sch); - Delete a scheduler template. This function is mandatory if the scheduler - uses extra data respect the struct dn_sch. -- int (*create_scheduler_instance)(void *s); - Create a new scheduler instance. The system allocate the necessary memory - and the schedulet can access it using the 's' pointer. - The scheduler instance stores all queues, and to do this can use the - hash table provided by the system. -- int (*delete_scheduler_instance)(void *s); - Delete a scheduler instance. It is important to free memory allocated - by create_scheduler_instance() function. The memory allocated by system - is freed by the system itself. The struct contains all queue also has - to be deleted. -- int (*enqueue)(void *s, struct gen *f, struct mbuf *m, - struct ipfw_flow_id *id); - Called when a packet arrives. The packet 'm' belongs to the scheduler - instance 's', has a flowset 'f' and the flowid 'id' has already been - masked. The enqueue() must call dn_queue_packet(q, m) function to really - enqueue packet in the queue q. The queue 'q' is chosen by the scheduler - and if it does not exist should be created calling the dn_create_queue() - function. If the schedule want to drop the packet, it must call the - dn_drop_packet() function and then return 1. -- struct mbuf * (*dequeue)(void *s); - Called when the timer expires (or when a packet arrives and the scheduler - instance is idle). - This function is called when at least a packet can be send out. The - scheduler choices the packet and returns it; if no packet are in the - schedulerinstance, the function must return NULL. - Before return a packet, it is important to call the function - dn_return_packet() to update some statistic of the queue and update the - queue counters. -- int (*drain_queue)(void *s, int flag); - The system request to scheduler to delete all queues that is not using - to free memory. The flag parameter indicate if a queue must be deleted - even if it is active. - -- int (*create_alg_fs)(char *command, struct gen *g, int reconfigure); - It is called when a flowset is linked with a scheduler. This is done - when the scheduler is defined, so we can know the type of flowset. - The function initialize the flowset paramenter parsing the command - line. The parameter will be stored in the g struct that have the right - size allocated by the system. If the reconfigure flag is set, it means - that the flowset is reconfiguring -- int (*delete_alg_fs)(struct gen *f); - It is called when a flowset is deleting. Must remove the memory allocate - by the create_alg_fs() function. - -- int (*create_queue_alg)(struct dn_queue *q, struct gen *f); - Called when a queue is created. The function should link the queue - to the struct used by the scheduler instance to store all queues. -- int (*delete_queue_alg)(struct dn_queue *q); - Called when a queue is deleting. The function should remove extra data - and update the struct contains all queues in the scheduler instance. - -The struct scheduler represent the scheduler descriptor that is passed to -dummynet when a scheduler module is loaded. -This struct contains the type of scheduler, the lenght of all structs and -all function pointers. -If a function is not implemented should be initialize to NULL. Some functions -are mandatory, other are mandatory if some memory should be freed. -Mandatory functions: -- create_scheduler_instance() -- enqueue() -- dequeue() -- create_alg_fs() -- drain_queue() -Optional functions: -- config_scheduler() -- create_queue_alg() -Mandatory functions if the corresponding create...() has allocated memory: -- delete_scheduler_template() -- delete_scheduler_instance() -- delete_alg_fs() -- delete_queue_alg() - diff --git a/sys/netinet/ipfw/ip_dn_glue.c b/sys/netinet/ipfw/ip_dn_glue.c deleted file mode 100644 index 9fc6b23..0000000 --- a/sys/netinet/ipfw/ip_dn_glue.c +++ /dev/null @@ -1,845 +0,0 @@ -/*- - * Copyright (c) 2010 Riccardo Panicucci, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * $FreeBSD$ - * - * Binary compatibility support for /sbin/ipfw RELENG_7 and RELENG_8 - */ - -#include "opt_inet6.h" - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/malloc.h> -#include <sys/mbuf.h> -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/module.h> -#include <sys/priv.h> -#include <sys/proc.h> -#include <sys/rwlock.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/time.h> -#include <sys/taskqueue.h> -#include <net/if.h> /* IFNAMSIZ, struct ifaddr, ifq head, lock.h mutex.h */ -#include <netinet/in.h> -#include <netinet/ip_var.h> /* ip_output(), IP_FORWARDING */ -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> -#include <netinet/ipfw/dn_heap.h> -#include <netinet/ip_dummynet.h> -#include <netinet/ipfw/ip_dn_private.h> -#include <netinet/ipfw/dn_sched.h> - -/* FREEBSD7.2 ip_dummynet.h r191715*/ - -struct dn_heap_entry7 { - int64_t key; /* sorting key. Topmost element is smallest one */ - void *object; /* object pointer */ -}; - -struct dn_heap7 { - int size; - int elements; - int offset; /* XXX if > 0 this is the offset of direct ptr to obj */ - struct dn_heap_entry7 *p; /* really an array of "size" entries */ -}; - -/* Common to 7.2 and 8 */ -struct dn_flow_set { - SLIST_ENTRY(dn_flow_set) next; /* linked list in a hash slot */ - - u_short fs_nr ; /* flow_set number */ - u_short flags_fs; -#define DNOLD_HAVE_FLOW_MASK 0x0001 -#define DNOLD_IS_RED 0x0002 -#define DNOLD_IS_GENTLE_RED 0x0004 -#define DNOLD_QSIZE_IS_BYTES 0x0008 /* queue size is measured in bytes */ -#define DNOLD_NOERROR 0x0010 /* do not report ENOBUFS on drops */ -#define DNOLD_HAS_PROFILE 0x0020 /* the pipe has a delay profile. */ -#define DNOLD_IS_PIPE 0x4000 -#define DNOLD_IS_QUEUE 0x8000 - - struct dn_pipe7 *pipe ; /* pointer to parent pipe */ - u_short parent_nr ; /* parent pipe#, 0 if local to a pipe */ - - int weight ; /* WFQ queue weight */ - int qsize ; /* queue size in slots or bytes */ - int plr ; /* pkt loss rate (2^31-1 means 100%) */ - - struct ipfw_flow_id flow_mask ; - - /* hash table of queues onto this flow_set */ - int rq_size ; /* number of slots */ - int rq_elements ; /* active elements */ - struct dn_flow_queue7 **rq; /* array of rq_size entries */ - - u_int32_t last_expired ; /* do not expire too frequently */ - int backlogged ; /* #active queues for this flowset */ - - /* RED parameters */ -#define SCALE_RED 16 -#define SCALE(x) ( (x) << SCALE_RED ) -#define SCALE_VAL(x) ( (x) >> SCALE_RED ) -#define SCALE_MUL(x,y) ( ( (x) * (y) ) >> SCALE_RED ) - int w_q ; /* queue weight (scaled) */ - int max_th ; /* maximum threshold for queue (scaled) */ - int min_th ; /* minimum threshold for queue (scaled) */ - int max_p ; /* maximum value for p_b (scaled) */ - u_int c_1 ; /* max_p/(max_th-min_th) (scaled) */ - u_int c_2 ; /* max_p*min_th/(max_th-min_th) (scaled) */ - u_int c_3 ; /* for GRED, (1-max_p)/max_th (scaled) */ - u_int c_4 ; /* for GRED, 1 - 2*max_p (scaled) */ - u_int * w_q_lookup ; /* lookup table for computing (1-w_q)^t */ - u_int lookup_depth ; /* depth of lookup table */ - int lookup_step ; /* granularity inside the lookup table */ - int lookup_weight ; /* equal to (1-w_q)^t / (1-w_q)^(t+1) */ - int avg_pkt_size ; /* medium packet size */ - int max_pkt_size ; /* max packet size */ -}; -SLIST_HEAD(dn_flow_set_head, dn_flow_set); - -#define DN_IS_PIPE 0x4000 -#define DN_IS_QUEUE 0x8000 -struct dn_flow_queue7 { - struct dn_flow_queue7 *next ; - struct ipfw_flow_id id ; - - struct mbuf *head, *tail ; /* queue of packets */ - u_int len ; - u_int len_bytes ; - - u_long numbytes; - - u_int64_t tot_pkts ; /* statistics counters */ - u_int64_t tot_bytes ; - u_int32_t drops ; - - int hash_slot ; /* debugging/diagnostic */ - - /* RED parameters */ - int avg ; /* average queue length est. (scaled) */ - int count ; /* arrivals since last RED drop */ - int random ; /* random value (scaled) */ - u_int32_t q_time; /* start of queue idle time */ - - /* WF2Q+ support */ - struct dn_flow_set *fs ; /* parent flow set */ - int heap_pos ; /* position (index) of struct in heap */ - int64_t sched_time ; /* current time when queue enters ready_heap */ - - int64_t S,F ; /* start time, finish time */ -}; - -struct dn_pipe7 { /* a pipe */ - SLIST_ENTRY(dn_pipe7) next; /* linked list in a hash slot */ - - int pipe_nr ; /* number */ - int bandwidth; /* really, bytes/tick. */ - int delay ; /* really, ticks */ - - struct mbuf *head, *tail ; /* packets in delay line */ - - /* WF2Q+ */ - struct dn_heap7 scheduler_heap ; /* top extract - key Finish time*/ - struct dn_heap7 not_eligible_heap; /* top extract- key Start time */ - struct dn_heap7 idle_heap ; /* random extract - key Start=Finish time */ - - int64_t V ; /* virtual time */ - int sum; /* sum of weights of all active sessions */ - - int numbytes; - - int64_t sched_time ; /* time pipe was scheduled in ready_heap */ - - /* - * When the tx clock come from an interface (if_name[0] != '\0'), its name - * is stored below, whereas the ifp is filled when the rule is configured. - */ - char if_name[IFNAMSIZ]; - struct ifnet *ifp ; - int ready ; /* set if ifp != NULL and we got a signal from it */ - - struct dn_flow_set fs ; /* used with fixed-rate flows */ -}; -SLIST_HEAD(dn_pipe_head7, dn_pipe7); - - -/* FREEBSD8 ip_dummynet.h r196045 */ -struct dn_flow_queue8 { - struct dn_flow_queue8 *next ; - struct ipfw_flow_id id ; - - struct mbuf *head, *tail ; /* queue of packets */ - u_int len ; - u_int len_bytes ; - - uint64_t numbytes ; /* credit for transmission (dynamic queues) */ - int64_t extra_bits; /* extra bits simulating unavailable channel */ - - u_int64_t tot_pkts ; /* statistics counters */ - u_int64_t tot_bytes ; - u_int32_t drops ; - - int hash_slot ; /* debugging/diagnostic */ - - /* RED parameters */ - int avg ; /* average queue length est. (scaled) */ - int count ; /* arrivals since last RED drop */ - int random ; /* random value (scaled) */ - int64_t idle_time; /* start of queue idle time */ - - /* WF2Q+ support */ - struct dn_flow_set *fs ; /* parent flow set */ - int heap_pos ; /* position (index) of struct in heap */ - int64_t sched_time ; /* current time when queue enters ready_heap */ - - int64_t S,F ; /* start time, finish time */ -}; - -struct dn_pipe8 { /* a pipe */ - SLIST_ENTRY(dn_pipe8) next; /* linked list in a hash slot */ - - int pipe_nr ; /* number */ - int bandwidth; /* really, bytes/tick. */ - int delay ; /* really, ticks */ - - struct mbuf *head, *tail ; /* packets in delay line */ - - /* WF2Q+ */ - struct dn_heap7 scheduler_heap ; /* top extract - key Finish time*/ - struct dn_heap7 not_eligible_heap; /* top extract- key Start time */ - struct dn_heap7 idle_heap ; /* random extract - key Start=Finish time */ - - int64_t V ; /* virtual time */ - int sum; /* sum of weights of all active sessions */ - - /* Same as in dn_flow_queue, numbytes can become large */ - int64_t numbytes; /* bits I can transmit (more or less). */ - uint64_t burst; /* burst size, scaled: bits * hz */ - - int64_t sched_time ; /* time pipe was scheduled in ready_heap */ - int64_t idle_time; /* start of pipe idle time */ - - char if_name[IFNAMSIZ]; - struct ifnet *ifp ; - int ready ; /* set if ifp != NULL and we got a signal from it */ - - struct dn_flow_set fs ; /* used with fixed-rate flows */ - - /* fields to simulate a delay profile */ -#define ED_MAX_NAME_LEN 32 - char name[ED_MAX_NAME_LEN]; - int loss_level; - int samples_no; - int *samples; -}; - -#define ED_MAX_SAMPLES_NO 1024 -struct dn_pipe_max8 { - struct dn_pipe8 pipe; - int samples[ED_MAX_SAMPLES_NO]; -}; -SLIST_HEAD(dn_pipe_head8, dn_pipe8); - -/* - * Changes from 7.2 to 8: - * dn_pipe: - * numbytes from int to int64_t - * add burst (int64_t) - * add idle_time (int64_t) - * add profile - * add struct dn_pipe_max - * add flag DN_HAS_PROFILE - * - * dn_flow_queue - * numbytes from u_long to int64_t - * add extra_bits (int64_t) - * q_time from u_int32_t to int64_t and name idle_time - * - * dn_flow_set unchanged - * - */ - -/* NOTE:XXX copied from dummynet.c */ -#define O_NEXT(p, len) ((void *)((char *)p + len)) -static void -oid_fill(struct dn_id *oid, int len, int type, uintptr_t id) -{ - oid->len = len; - oid->type = type; - oid->subtype = 0; - oid->id = id; -} -/* make room in the buffer and move the pointer forward */ -static void * -o_next(struct dn_id **o, int len, int type) -{ - struct dn_id *ret = *o; - oid_fill(ret, len, type, 0); - *o = O_NEXT(*o, len); - return ret; -} - - -static size_t pipesize7 = sizeof(struct dn_pipe7); -static size_t pipesize8 = sizeof(struct dn_pipe8); -static size_t pipesizemax8 = sizeof(struct dn_pipe_max8); - -/* Indicate 'ipfw' version - * 1: from FreeBSD 7.2 - * 0: from FreeBSD 8 - * -1: unknow (for now is unused) - * - * It is update when a IP_DUMMYNET_DEL or IP_DUMMYNET_CONFIGURE request arrives - * NOTE: if a IP_DUMMYNET_GET arrives and the 'ipfw' version is unknow, - * it is suppose to be the FreeBSD 8 version. - */ -static int is7 = 0; - -static int -convertflags2new(int src) -{ - int dst = 0; - - if (src & DNOLD_HAVE_FLOW_MASK) - dst |= DN_HAVE_MASK; - if (src & DNOLD_QSIZE_IS_BYTES) - dst |= DN_QSIZE_BYTES; - if (src & DNOLD_NOERROR) - dst |= DN_NOERROR; - if (src & DNOLD_IS_RED) - dst |= DN_IS_RED; - if (src & DNOLD_IS_GENTLE_RED) - dst |= DN_IS_GENTLE_RED; - if (src & DNOLD_HAS_PROFILE) - dst |= DN_HAS_PROFILE; - - return dst; -} - -static int -convertflags2old(int src) -{ - int dst = 0; - - if (src & DN_HAVE_MASK) - dst |= DNOLD_HAVE_FLOW_MASK; - if (src & DN_IS_RED) - dst |= DNOLD_IS_RED; - if (src & DN_IS_GENTLE_RED) - dst |= DNOLD_IS_GENTLE_RED; - if (src & DN_NOERROR) - dst |= DNOLD_NOERROR; - if (src & DN_HAS_PROFILE) - dst |= DNOLD_HAS_PROFILE; - if (src & DN_QSIZE_BYTES) - dst |= DNOLD_QSIZE_IS_BYTES; - - return dst; -} - -static int -dn_compat_del(void *v) -{ - struct dn_pipe7 *p = (struct dn_pipe7 *) v; - struct dn_pipe8 *p8 = (struct dn_pipe8 *) v; - struct { - struct dn_id oid; - uintptr_t a[1]; /* add more if we want a list */ - } cmd; - - /* XXX DN_API_VERSION ??? */ - oid_fill((void *)&cmd, sizeof(cmd), DN_CMD_DELETE, DN_API_VERSION); - - if (is7) { - if (p->pipe_nr == 0 && p->fs.fs_nr == 0) - return EINVAL; - if (p->pipe_nr != 0 && p->fs.fs_nr != 0) - return EINVAL; - } else { - if (p8->pipe_nr == 0 && p8->fs.fs_nr == 0) - return EINVAL; - if (p8->pipe_nr != 0 && p8->fs.fs_nr != 0) - return EINVAL; - } - - if (p->pipe_nr != 0) { /* pipe x delete */ - cmd.a[0] = p->pipe_nr; - cmd.oid.subtype = DN_LINK; - } else { /* queue x delete */ - cmd.oid.subtype = DN_FS; - cmd.a[0] = (is7) ? p->fs.fs_nr : p8->fs.fs_nr; - } - - return do_config(&cmd, cmd.oid.len); -} - -static int -dn_compat_config_queue(struct dn_fs *fs, void* v) -{ - struct dn_pipe7 *p7 = (struct dn_pipe7 *)v; - struct dn_pipe8 *p8 = (struct dn_pipe8 *)v; - struct dn_flow_set *f; - - if (is7) - f = &p7->fs; - else - f = &p8->fs; - - fs->fs_nr = f->fs_nr; - fs->sched_nr = f->parent_nr; - fs->flow_mask = f->flow_mask; - fs->buckets = f->rq_size; - fs->qsize = f->qsize; - fs->plr = f->plr; - fs->par[0] = f->weight; - fs->flags = convertflags2new(f->flags_fs); - if (fs->flags & DN_IS_GENTLE_RED || fs->flags & DN_IS_RED) { - fs->w_q = f->w_q; - fs->max_th = f->max_th; - fs->min_th = f->min_th; - fs->max_p = f->max_p; - } - - return 0; -} - -static int -dn_compat_config_pipe(struct dn_sch *sch, struct dn_link *p, - struct dn_fs *fs, void* v) -{ - struct dn_pipe7 *p7 = (struct dn_pipe7 *)v; - struct dn_pipe8 *p8 = (struct dn_pipe8 *)v; - int i = p7->pipe_nr; - - sch->sched_nr = i; - sch->oid.subtype = 0; - p->link_nr = i; - fs->fs_nr = i + 2*DN_MAX_ID; - fs->sched_nr = i + DN_MAX_ID; - - /* Common to 7 and 8 */ - p->bandwidth = p7->bandwidth; - p->delay = p7->delay; - if (!is7) { - /* FreeBSD 8 has burst */ - p->burst = p8->burst; - } - - /* fill the fifo flowset */ - dn_compat_config_queue(fs, v); - fs->fs_nr = i + 2*DN_MAX_ID; - fs->sched_nr = i + DN_MAX_ID; - - /* Move scheduler related parameter from fs to sch */ - sch->buckets = fs->buckets; /*XXX*/ - fs->buckets = 0; - if (fs->flags & DN_HAVE_MASK) { - sch->flags |= DN_HAVE_MASK; - fs->flags &= ~DN_HAVE_MASK; - sch->sched_mask = fs->flow_mask; - bzero(&fs->flow_mask, sizeof(struct ipfw_flow_id)); - } - - return 0; -} - -static int -dn_compat_config_profile(struct dn_profile *pf, struct dn_link *p, - void *v) -{ - struct dn_pipe8 *p8 = (struct dn_pipe8 *)v; - - p8->samples = &(((struct dn_pipe_max8 *)p8)->samples[0]); - - pf->link_nr = p->link_nr; - pf->loss_level = p8->loss_level; -// pf->bandwidth = p->bandwidth; //XXX bandwidth redundant? - pf->samples_no = p8->samples_no; - strncpy(pf->name, p8->name,sizeof(pf->name)); - bcopy(p8->samples, pf->samples, sizeof(pf->samples)); - - return 0; -} - -/* - * If p->pipe_nr != 0 the command is 'pipe x config', so need to create - * the three main struct, else only a flowset is created - */ -static int -dn_compat_configure(void *v) -{ - struct dn_id *buf = NULL, *base; - struct dn_sch *sch = NULL; - struct dn_link *p = NULL; - struct dn_fs *fs = NULL; - struct dn_profile *pf = NULL; - int lmax; - int error; - - struct dn_pipe7 *p7 = (struct dn_pipe7 *)v; - struct dn_pipe8 *p8 = (struct dn_pipe8 *)v; - - int i; /* number of object to configure */ - - lmax = sizeof(struct dn_id); /* command header */ - lmax += sizeof(struct dn_sch) + sizeof(struct dn_link) + - sizeof(struct dn_fs) + sizeof(struct dn_profile); - - base = buf = malloc(lmax, M_DUMMYNET, M_WAIT|M_ZERO); - o_next(&buf, sizeof(struct dn_id), DN_CMD_CONFIG); - base->id = DN_API_VERSION; - - /* pipe_nr is the same in p7 and p8 */ - i = p7->pipe_nr; - if (i != 0) { /* pipe config */ - sch = o_next(&buf, sizeof(*sch), DN_SCH); - p = o_next(&buf, sizeof(*p), DN_LINK); - fs = o_next(&buf, sizeof(*fs), DN_FS); - - error = dn_compat_config_pipe(sch, p, fs, v); - if (error) { - free(buf, M_DUMMYNET); - return error; - } - if (!is7 && p8->samples_no > 0) { - /* Add profiles*/ - pf = o_next(&buf, sizeof(*pf), DN_PROFILE); - error = dn_compat_config_profile(pf, p, v); - if (error) { - free(buf, M_DUMMYNET); - return error; - } - } - } else { /* queue config */ - fs = o_next(&buf, sizeof(*fs), DN_FS); - error = dn_compat_config_queue(fs, v); - if (error) { - free(buf, M_DUMMYNET); - return error; - } - } - error = do_config(base, (char *)buf - (char *)base); - - if (buf) - free(buf, M_DUMMYNET); - return error; -} - -int -dn_compat_calc_size(void) -{ - int need = 0; - /* XXX use FreeBSD 8 struct size */ - /* NOTE: - * - half scheduler: schk_count/2 - * - all flowset: fsk_count - * - all flowset queues: queue_count - * - all pipe queue: si_count - */ - need += dn_cfg.schk_count * sizeof(struct dn_pipe8) / 2; - need += dn_cfg.fsk_count * sizeof(struct dn_flow_set); - need += dn_cfg.si_count * sizeof(struct dn_flow_queue8); - need += dn_cfg.queue_count * sizeof(struct dn_flow_queue8); - - return need; -} - -int -dn_c_copy_q (void *_ni, void *arg) -{ - struct copy_args *a = arg; - struct dn_flow_queue7 *fq7 = (struct dn_flow_queue7 *)*a->start; - struct dn_flow_queue8 *fq8 = (struct dn_flow_queue8 *)*a->start; - struct dn_flow *ni = (struct dn_flow *)_ni; - int size = 0; - - /* XXX hash slot not set */ - /* No difference between 7.2/8 */ - fq7->len = ni->length; - fq7->len_bytes = ni->len_bytes; - fq7->id = ni->fid; - - if (is7) { - size = sizeof(struct dn_flow_queue7); - fq7->tot_pkts = ni->tot_pkts; - fq7->tot_bytes = ni->tot_bytes; - fq7->drops = ni->drops; - } else { - size = sizeof(struct dn_flow_queue8); - fq8->tot_pkts = ni->tot_pkts; - fq8->tot_bytes = ni->tot_bytes; - fq8->drops = ni->drops; - } - - *a->start += size; - return 0; -} - -int -dn_c_copy_pipe(struct dn_schk *s, struct copy_args *a, int nq) -{ - struct dn_link *l = &s->link; - struct dn_fsk *f = s->fs; - - struct dn_pipe7 *pipe7 = (struct dn_pipe7 *)*a->start; - struct dn_pipe8 *pipe8 = (struct dn_pipe8 *)*a->start; - struct dn_flow_set *fs; - int size = 0; - - if (is7) { - fs = &pipe7->fs; - size = sizeof(struct dn_pipe7); - } else { - fs = &pipe8->fs; - size = sizeof(struct dn_pipe8); - } - - /* These 4 field are the same in pipe7 and pipe8 */ - pipe7->next.sle_next = (struct dn_pipe7 *)DN_IS_PIPE; - pipe7->bandwidth = l->bandwidth; - pipe7->delay = l->delay * 1000 / hz; - pipe7->pipe_nr = l->link_nr - DN_MAX_ID; - - if (!is7) { - if (s->profile) { - struct dn_profile *pf = s->profile; - strncpy(pipe8->name, pf->name, sizeof(pf->name)); - pipe8->loss_level = pf->loss_level; - pipe8->samples_no = pf->samples_no; - } - pipe8->burst = div64(l->burst , 8 * hz); - } - - fs->flow_mask = s->sch.sched_mask; - fs->rq_size = s->sch.buckets ? s->sch.buckets : 1; - - fs->parent_nr = l->link_nr - DN_MAX_ID; - fs->qsize = f->fs.qsize; - fs->plr = f->fs.plr; - fs->w_q = f->fs.w_q; - fs->max_th = f->max_th; - fs->min_th = f->min_th; - fs->max_p = f->fs.max_p; - fs->rq_elements = nq; - - fs->flags_fs = convertflags2old(f->fs.flags); - - *a->start += size; - return 0; -} - - -int -dn_compat_copy_pipe(struct copy_args *a, void *_o) -{ - int have = a->end - *a->start; - int need = 0; - int pipe_size = sizeof(struct dn_pipe8); - int queue_size = sizeof(struct dn_flow_queue8); - int n_queue = 0; /* number of queues */ - - struct dn_schk *s = (struct dn_schk *)_o; - /* calculate needed space: - * - struct dn_pipe - * - if there are instances, dn_queue * n_instances - */ - n_queue = (s->sch.flags & DN_HAVE_MASK ? dn_ht_entries(s->siht) : - (s->siht ? 1 : 0)); - need = pipe_size + queue_size * n_queue; - if (have < need) { - D("have %d < need %d", have, need); - return 1; - } - /* copy pipe */ - dn_c_copy_pipe(s, a, n_queue); - - /* copy queues */ - if (s->sch.flags & DN_HAVE_MASK) - dn_ht_scan(s->siht, dn_c_copy_q, a); - else if (s->siht) - dn_c_copy_q(s->siht, a); - return 0; -} - -int -dn_c_copy_fs(struct dn_fsk *f, struct copy_args *a, int nq) -{ - struct dn_flow_set *fs = (struct dn_flow_set *)*a->start; - - fs->next.sle_next = (struct dn_flow_set *)DN_IS_QUEUE; - fs->fs_nr = f->fs.fs_nr; - fs->qsize = f->fs.qsize; - fs->plr = f->fs.plr; - fs->w_q = f->fs.w_q; - fs->max_th = f->max_th; - fs->min_th = f->min_th; - fs->max_p = f->fs.max_p; - fs->flow_mask = f->fs.flow_mask; - fs->rq_elements = nq; - fs->rq_size = (f->fs.buckets ? f->fs.buckets : 1); - fs->parent_nr = f->fs.sched_nr; - fs->weight = f->fs.par[0]; - - fs->flags_fs = convertflags2old(f->fs.flags); - *a->start += sizeof(struct dn_flow_set); - return 0; -} - -int -dn_compat_copy_queue(struct copy_args *a, void *_o) -{ - int have = a->end - *a->start; - int need = 0; - int fs_size = sizeof(struct dn_flow_set); - int queue_size = sizeof(struct dn_flow_queue8); - - struct dn_fsk *fs = (struct dn_fsk *)_o; - int n_queue = 0; /* number of queues */ - - n_queue = (fs->fs.flags & DN_HAVE_MASK ? dn_ht_entries(fs->qht) : - (fs->qht ? 1 : 0)); - - need = fs_size + queue_size * n_queue; - if (have < need) { - D("have < need"); - return 1; - } - - /* copy flowset */ - dn_c_copy_fs(fs, a, n_queue); - - /* copy queues */ - if (fs->fs.flags & DN_HAVE_MASK) - dn_ht_scan(fs->qht, dn_c_copy_q, a); - else if (fs->qht) - dn_c_copy_q(fs->qht, a); - - return 0; -} - -int -copy_data_helper_compat(void *_o, void *_arg) -{ - struct copy_args *a = _arg; - - if (a->type == DN_COMPAT_PIPE) { - struct dn_schk *s = _o; - if (s->sch.oid.subtype != 1 || s->sch.sched_nr <= DN_MAX_ID) { - return 0; /* not old type */ - } - /* copy pipe parameters, and if instance exists, copy - * other parameters and eventually queues. - */ - if(dn_compat_copy_pipe(a, _o)) - return DNHT_SCAN_END; - } else if (a->type == DN_COMPAT_QUEUE) { - struct dn_fsk *fs = _o; - if (fs->fs.fs_nr >= DN_MAX_ID) - return 0; - if (dn_compat_copy_queue(a, _o)) - return DNHT_SCAN_END; - } - return 0; -} - -/* Main function to manage old requests */ -int -ip_dummynet_compat(struct sockopt *sopt) -{ - int error=0; - void *v = NULL; - struct dn_id oid; - - /* Lenght of data, used to found ipfw version... */ - int len = sopt->sopt_valsize; - - /* len can be 0 if command was dummynet_flush */ - if (len == pipesize7) { - D("setting compatibility with FreeBSD 7.2"); - is7 = 1; - } - else if (len == pipesize8 || len == pipesizemax8) { - D("setting compatibility with FreeBSD 8"); - is7 = 0; - } - - switch (sopt->sopt_name) { - default: - printf("dummynet: -- unknown option %d", sopt->sopt_name); - error = EINVAL; - break; - - case IP_DUMMYNET_FLUSH: - oid_fill(&oid, sizeof(oid), DN_CMD_FLUSH, DN_API_VERSION); - do_config(&oid, oid.len); - break; - - case IP_DUMMYNET_DEL: - v = malloc(len, M_TEMP, M_WAITOK); - error = sooptcopyin(sopt, v, len, len); - if (error) - break; - error = dn_compat_del(v); - free(v, M_TEMP); - break; - - case IP_DUMMYNET_CONFIGURE: - v = malloc(len, M_TEMP, M_WAITOK); - error = sooptcopyin(sopt, v, len, len); - if (error) - break; - error = dn_compat_configure(v); - free(v, M_TEMP); - break; - - case IP_DUMMYNET_GET: { - void *buf; - int ret; - int original_size = sopt->sopt_valsize; - int size; - - ret = dummynet_get(sopt, &buf); - if (ret) - return 0;//XXX ? - size = sopt->sopt_valsize; - sopt->sopt_valsize = original_size; - D("size=%d, buf=%p", size, buf); - ret = sooptcopyout(sopt, buf, size); - if (ret) - printf(" %s ERROR sooptcopyout\n", __FUNCTION__); - if (buf) - free(buf, M_DUMMYNET); - } - } - - return error; -} - - diff --git a/sys/netinet/ipfw/ip_dn_io.c b/sys/netinet/ipfw/ip_dn_io.c deleted file mode 100644 index a39f169..0000000 --- a/sys/netinet/ipfw/ip_dn_io.c +++ /dev/null @@ -1,851 +0,0 @@ -/*- - * Copyright (c) 2010 Luigi Rizzo, Riccardo Panicucci, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * Dummynet portions related to packet handling. - */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#include "opt_inet6.h" - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/malloc.h> -#include <sys/mbuf.h> -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/module.h> -#include <sys/priv.h> -#include <sys/proc.h> -#include <sys/rwlock.h> -#include <sys/socket.h> -#include <sys/time.h> -#include <sys/sysctl.h> - -#include <net/if.h> /* IFNAMSIZ, struct ifaddr, ifq head, lock.h mutex.h */ -#include <net/netisr.h> -#include <net/vnet.h> - -#include <netinet/in.h> -#include <netinet/ip.h> /* ip_len, ip_off */ -#include <netinet/ip_var.h> /* ip_output(), IP_FORWARDING */ -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> -#include <netinet/ipfw/dn_heap.h> -#include <netinet/ip_dummynet.h> -#include <netinet/ipfw/ip_dn_private.h> -#include <netinet/ipfw/dn_sched.h> - -#include <netinet/if_ether.h> /* various ether_* routines */ - -#include <netinet/ip6.h> /* for ip6_input, ip6_output prototypes */ -#include <netinet6/ip6_var.h> - -/* - * We keep a private variable for the simulation time, but we could - * probably use an existing one ("softticks" in sys/kern/kern_timeout.c) - * instead of dn_cfg.curr_time - */ - -struct dn_parms dn_cfg; -//VNET_DEFINE(struct dn_parms, _base_dn_cfg); - -static long tick_last; /* Last tick duration (usec). */ -static long tick_delta; /* Last vs standard tick diff (usec). */ -static long tick_delta_sum; /* Accumulated tick difference (usec).*/ -static long tick_adjustment; /* Tick adjustments done. */ -static long tick_lost; /* Lost(coalesced) ticks number. */ -/* Adjusted vs non-adjusted curr_time difference (ticks). */ -static long tick_diff; - -static unsigned long io_pkt; -static unsigned long io_pkt_fast; -static unsigned long io_pkt_drop; - -/* - * We use a heap to store entities for which we have pending timer events. - * The heap is checked at every tick and all entities with expired events - * are extracted. - */ - -MALLOC_DEFINE(M_DUMMYNET, "dummynet", "dummynet heap"); - -extern void (*bridge_dn_p)(struct mbuf *, struct ifnet *); - -#ifdef SYSCTL_NODE - -SYSBEGIN(f4) - -SYSCTL_DECL(_net_inet); -SYSCTL_DECL(_net_inet_ip); -static SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet, CTLFLAG_RW, 0, "Dummynet"); - -/* wrapper to pass dn_cfg fields to SYSCTL_* */ -//#define DC(x) (&(VNET_NAME(_base_dn_cfg).x)) -#define DC(x) (&(dn_cfg.x)) -/* parameters */ - -static int -sysctl_hash_size(SYSCTL_HANDLER_ARGS) -{ - int error, value; - - value = dn_cfg.hash_size; - error = sysctl_handle_int(oidp, &value, 0, req); - if (error != 0 || req->newptr == NULL) - return (error); - if (value < 16 || value > 65536) - return (EINVAL); - dn_cfg.hash_size = value; - return (0); -} - -SYSCTL_PROC(_net_inet_ip_dummynet, OID_AUTO, hash_size, - CTLTYPE_INT | CTLFLAG_RW, 0, 0, sysctl_hash_size, - "I", "Default hash table size"); - -static int -sysctl_limits(SYSCTL_HANDLER_ARGS) -{ - int error; - long value; - - if (arg2 != 0) - value = dn_cfg.slot_limit; - else - value = dn_cfg.byte_limit; - error = sysctl_handle_long(oidp, &value, 0, req); - - if (error != 0 || req->newptr == NULL) - return (error); - if (arg2 != 0) { - if (value < 1) - return (EINVAL); - dn_cfg.slot_limit = value; - } else { - if (value < 1500) - return (EINVAL); - dn_cfg.byte_limit = value; - } - return (0); -} - -SYSCTL_PROC(_net_inet_ip_dummynet, OID_AUTO, pipe_slot_limit, - CTLTYPE_LONG | CTLFLAG_RW, 0, 1, sysctl_limits, - "L", "Upper limit in slots for pipe queue."); -SYSCTL_PROC(_net_inet_ip_dummynet, OID_AUTO, pipe_byte_limit, - CTLTYPE_LONG | CTLFLAG_RW, 0, 0, sysctl_limits, - "L", "Upper limit in bytes for pipe queue."); -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, io_fast, - CTLFLAG_RW, DC(io_fast), 0, "Enable fast dummynet io."); -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, debug, - CTLFLAG_RW, DC(debug), 0, "Dummynet debug level"); - -/* RED parameters */ -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_lookup_depth, - CTLFLAG_RD, DC(red_lookup_depth), 0, "Depth of RED lookup table"); -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_avg_pkt_size, - CTLFLAG_RD, DC(red_avg_pkt_size), 0, "RED Medium packet size"); -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_max_pkt_size, - CTLFLAG_RD, DC(red_max_pkt_size), 0, "RED Max packet size"); - -/* time adjustment */ -SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_delta, - CTLFLAG_RD, &tick_delta, 0, "Last vs standard tick difference (usec)."); -SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_delta_sum, - CTLFLAG_RD, &tick_delta_sum, 0, "Accumulated tick difference (usec)."); -SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_adjustment, - CTLFLAG_RD, &tick_adjustment, 0, "Tick adjustments done."); -SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_diff, - CTLFLAG_RD, &tick_diff, 0, - "Adjusted vs non-adjusted curr_time difference (ticks)."); -SYSCTL_LONG(_net_inet_ip_dummynet, OID_AUTO, tick_lost, - CTLFLAG_RD, &tick_lost, 0, - "Number of ticks coalesced by dummynet taskqueue."); - -/* Drain parameters */ -SYSCTL_UINT(_net_inet_ip_dummynet, OID_AUTO, expire, - CTLFLAG_RW, DC(expire), 0, "Expire empty queues/pipes"); -SYSCTL_UINT(_net_inet_ip_dummynet, OID_AUTO, expire_cycle, - CTLFLAG_RD, DC(expire_cycle), 0, "Expire cycle for queues/pipes"); - -/* statistics */ -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, schk_count, - CTLFLAG_RD, DC(schk_count), 0, "Number of schedulers"); -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, si_count, - CTLFLAG_RD, DC(si_count), 0, "Number of scheduler instances"); -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, fsk_count, - CTLFLAG_RD, DC(fsk_count), 0, "Number of flowsets"); -SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, queue_count, - CTLFLAG_RD, DC(queue_count), 0, "Number of queues"); -SYSCTL_ULONG(_net_inet_ip_dummynet, OID_AUTO, io_pkt, - CTLFLAG_RD, &io_pkt, 0, - "Number of packets passed to dummynet."); -SYSCTL_ULONG(_net_inet_ip_dummynet, OID_AUTO, io_pkt_fast, - CTLFLAG_RD, &io_pkt_fast, 0, - "Number of packets bypassed dummynet scheduler."); -SYSCTL_ULONG(_net_inet_ip_dummynet, OID_AUTO, io_pkt_drop, - CTLFLAG_RD, &io_pkt_drop, 0, - "Number of packets dropped by dummynet."); -#undef DC -SYSEND - -#endif - -static void dummynet_send(struct mbuf *); - -/* - * Packets processed by dummynet have an mbuf tag associated with - * them that carries their dummynet state. - * Outside dummynet, only the 'rule' field is relevant, and it must - * be at the beginning of the structure. - */ -struct dn_pkt_tag { - struct ipfw_rule_ref rule; /* matching rule */ - - /* second part, dummynet specific */ - int dn_dir; /* action when packet comes out.*/ - /* see ip_fw_private.h */ - uint64_t output_time; /* when the pkt is due for delivery*/ - struct ifnet *ifp; /* interface, for ip_output */ - struct _ip6dn_args ip6opt; /* XXX ipv6 options */ -}; - -/* - * Return the mbuf tag holding the dummynet state (it should - * be the first one on the list). - */ -static struct dn_pkt_tag * -dn_tag_get(struct mbuf *m) -{ - struct m_tag *mtag = m_tag_first(m); - KASSERT(mtag != NULL && - mtag->m_tag_cookie == MTAG_ABI_COMPAT && - mtag->m_tag_id == PACKET_TAG_DUMMYNET, - ("packet on dummynet queue w/o dummynet tag!")); - return (struct dn_pkt_tag *)(mtag+1); -} - -static inline void -mq_append(struct mq *q, struct mbuf *m) -{ - if (q->head == NULL) - q->head = m; - else - q->tail->m_nextpkt = m; - q->tail = m; - m->m_nextpkt = NULL; -} - -/* - * Dispose a list of packet. Use a functions so if we need to do - * more work, this is a central point to do it. - */ -void dn_free_pkts(struct mbuf *mnext) -{ - struct mbuf *m; - - while ((m = mnext) != NULL) { - mnext = m->m_nextpkt; - FREE_PKT(m); - } -} - -static int -red_drops (struct dn_queue *q, int len) -{ - /* - * RED algorithm - * - * RED calculates the average queue size (avg) using a low-pass filter - * with an exponential weighted (w_q) moving average: - * avg <- (1-w_q) * avg + w_q * q_size - * where q_size is the queue length (measured in bytes or * packets). - * - * If q_size == 0, we compute the idle time for the link, and set - * avg = (1 - w_q)^(idle/s) - * where s is the time needed for transmitting a medium-sized packet. - * - * Now, if avg < min_th the packet is enqueued. - * If avg > max_th the packet is dropped. Otherwise, the packet is - * dropped with probability P function of avg. - */ - - struct dn_fsk *fs = q->fs; - int64_t p_b = 0; - - /* Queue in bytes or packets? */ - uint32_t q_size = (fs->fs.flags & DN_QSIZE_BYTES) ? - q->ni.len_bytes : q->ni.length; - - /* Average queue size estimation. */ - if (q_size != 0) { - /* Queue is not empty, avg <- avg + (q_size - avg) * w_q */ - int diff = SCALE(q_size) - q->avg; - int64_t v = SCALE_MUL((int64_t)diff, (int64_t)fs->w_q); - - q->avg += (int)v; - } else { - /* - * Queue is empty, find for how long the queue has been - * empty and use a lookup table for computing - * (1 - * w_q)^(idle_time/s) where s is the time to send a - * (small) packet. - * XXX check wraps... - */ - if (q->avg) { - u_int t = div64((dn_cfg.curr_time - q->q_time), fs->lookup_step); - - q->avg = (t < fs->lookup_depth) ? - SCALE_MUL(q->avg, fs->w_q_lookup[t]) : 0; - } - } - - /* Should i drop? */ - if (q->avg < fs->min_th) { - q->count = -1; - return (0); /* accept packet */ - } - if (q->avg >= fs->max_th) { /* average queue >= max threshold */ - if (fs->fs.flags & DN_IS_GENTLE_RED) { - /* - * According to Gentle-RED, if avg is greater than - * max_th the packet is dropped with a probability - * p_b = c_3 * avg - c_4 - * where c_3 = (1 - max_p) / max_th - * c_4 = 1 - 2 * max_p - */ - p_b = SCALE_MUL((int64_t)fs->c_3, (int64_t)q->avg) - - fs->c_4; - } else { - q->count = -1; - return (1); - } - } else if (q->avg > fs->min_th) { - /* - * We compute p_b using the linear dropping function - * p_b = c_1 * avg - c_2 - * where c_1 = max_p / (max_th - min_th) - * c_2 = max_p * min_th / (max_th - min_th) - */ - p_b = SCALE_MUL((int64_t)fs->c_1, (int64_t)q->avg) - fs->c_2; - } - - if (fs->fs.flags & DN_QSIZE_BYTES) - p_b = div64((p_b * len) , fs->max_pkt_size); - if (++q->count == 0) - q->random = random() & 0xffff; - else { - /* - * q->count counts packets arrived since last drop, so a greater - * value of q->count means a greater packet drop probability. - */ - if (SCALE_MUL(p_b, SCALE((int64_t)q->count)) > q->random) { - q->count = 0; - /* After a drop we calculate a new random value. */ - q->random = random() & 0xffff; - return (1); /* drop */ - } - } - /* End of RED algorithm. */ - - return (0); /* accept */ - -} - -/* - * Enqueue a packet in q, subject to space and queue management policy - * (whose parameters are in q->fs). - * Update stats for the queue and the scheduler. - * Return 0 on success, 1 on drop. The packet is consumed anyways. - */ -int -dn_enqueue(struct dn_queue *q, struct mbuf* m, int drop) -{ - struct dn_fs *f; - struct dn_flow *ni; /* stats for scheduler instance */ - uint64_t len; - - if (q->fs == NULL || q->_si == NULL) { - printf("%s fs %p si %p, dropping\n", - __FUNCTION__, q->fs, q->_si); - FREE_PKT(m); - return 1; - } - f = &(q->fs->fs); - ni = &q->_si->ni; - len = m->m_pkthdr.len; - /* Update statistics, then check reasons to drop pkt. */ - q->ni.tot_bytes += len; - q->ni.tot_pkts++; - ni->tot_bytes += len; - ni->tot_pkts++; - if (drop) - goto drop; - if (f->plr && random() < f->plr) - goto drop; - if (f->flags & DN_IS_RED && red_drops(q, m->m_pkthdr.len)) - goto drop; - if (f->flags & DN_QSIZE_BYTES) { - if (q->ni.len_bytes > f->qsize) - goto drop; - } else if (q->ni.length >= f->qsize) { - goto drop; - } - mq_append(&q->mq, m); - q->ni.length++; - q->ni.len_bytes += len; - ni->length++; - ni->len_bytes += len; - return 0; - -drop: - io_pkt_drop++; - q->ni.drops++; - ni->drops++; - FREE_PKT(m); - return 1; -} - -/* - * Fetch packets from the delay line which are due now. If there are - * leftover packets, reinsert the delay line in the heap. - * Runs under scheduler lock. - */ -static void -transmit_event(struct mq *q, struct delay_line *dline, uint64_t now) -{ - struct mbuf *m; - struct dn_pkt_tag *pkt = NULL; - - dline->oid.subtype = 0; /* not in heap */ - while ((m = dline->mq.head) != NULL) { - pkt = dn_tag_get(m); - if (!DN_KEY_LEQ(pkt->output_time, now)) - break; - dline->mq.head = m->m_nextpkt; - mq_append(q, m); - } - if (m != NULL) { - dline->oid.subtype = 1; /* in heap */ - heap_insert(&dn_cfg.evheap, pkt->output_time, dline); - } -} - -/* - * Convert the additional MAC overheads/delays into an equivalent - * number of bits for the given data rate. The samples are - * in milliseconds so we need to divide by 1000. - */ -static uint64_t -extra_bits(struct mbuf *m, struct dn_schk *s) -{ - int index; - uint64_t bits; - struct dn_profile *pf = s->profile; - - if (!pf || pf->samples_no == 0) - return 0; - index = random() % pf->samples_no; - bits = div64((uint64_t)pf->samples[index] * s->link.bandwidth, 1000); - if (index >= pf->loss_level) { - struct dn_pkt_tag *dt = dn_tag_get(m); - if (dt) - dt->dn_dir = DIR_DROP; - } - return bits; -} - -/* - * Send traffic from a scheduler instance due by 'now'. - * Return a pointer to the head of the queue. - */ -static struct mbuf * -serve_sched(struct mq *q, struct dn_sch_inst *si, uint64_t now) -{ - struct mq def_q; - struct dn_schk *s = si->sched; - struct mbuf *m = NULL; - int delay_line_idle = (si->dline.mq.head == NULL); - int done, bw; - - if (q == NULL) { - q = &def_q; - q->head = NULL; - } - - bw = s->link.bandwidth; - si->kflags &= ~DN_ACTIVE; - - if (bw > 0) - si->credit += (now - si->sched_time) * bw; - else - si->credit = 0; - si->sched_time = now; - done = 0; - while (si->credit >= 0 && (m = s->fp->dequeue(si)) != NULL) { - uint64_t len_scaled; - - done++; - len_scaled = (bw == 0) ? 0 : hz * - (m->m_pkthdr.len * 8 + extra_bits(m, s)); - si->credit -= len_scaled; - /* Move packet in the delay line */ - dn_tag_get(m)->output_time = dn_cfg.curr_time + s->link.delay ; - mq_append(&si->dline.mq, m); - } - - /* - * If credit >= 0 the instance is idle, mark time. - * Otherwise put back in the heap, and adjust the output - * time of the last inserted packet, m, which was too early. - */ - if (si->credit >= 0) { - si->idle_time = now; - } else { - uint64_t t; - KASSERT (bw > 0, ("bw=0 and credit<0 ?")); - t = div64(bw - 1 - si->credit, bw); - if (m) - dn_tag_get(m)->output_time += t; - si->kflags |= DN_ACTIVE; - heap_insert(&dn_cfg.evheap, now + t, si); - } - if (delay_line_idle && done) - transmit_event(q, &si->dline, now); - return q->head; -} - -/* - * The timer handler for dummynet. Time is computed in ticks, but - * but the code is tolerant to the actual rate at which this is called. - * Once complete, the function reschedules itself for the next tick. - */ -void -dummynet_task(void *context, int pending) -{ - struct timeval t; - struct mq q = { NULL, NULL }; /* queue to accumulate results */ - - CURVNET_SET((struct vnet *)context); - - DN_BH_WLOCK(); - - /* Update number of lost(coalesced) ticks. */ - tick_lost += pending - 1; - - getmicrouptime(&t); - /* Last tick duration (usec). */ - tick_last = (t.tv_sec - dn_cfg.prev_t.tv_sec) * 1000000 + - (t.tv_usec - dn_cfg.prev_t.tv_usec); - /* Last tick vs standard tick difference (usec). */ - tick_delta = (tick_last * hz - 1000000) / hz; - /* Accumulated tick difference (usec). */ - tick_delta_sum += tick_delta; - - dn_cfg.prev_t = t; - - /* - * Adjust curr_time if the accumulated tick difference is - * greater than the 'standard' tick. Since curr_time should - * be monotonically increasing, we do positive adjustments - * as required, and throttle curr_time in case of negative - * adjustment. - */ - dn_cfg.curr_time++; - if (tick_delta_sum - tick >= 0) { - int diff = tick_delta_sum / tick; - - dn_cfg.curr_time += diff; - tick_diff += diff; - tick_delta_sum %= tick; - tick_adjustment++; - } else if (tick_delta_sum + tick <= 0) { - dn_cfg.curr_time--; - tick_diff--; - tick_delta_sum += tick; - tick_adjustment++; - } - - /* serve pending events, accumulate in q */ - for (;;) { - struct dn_id *p; /* generic parameter to handler */ - - if (dn_cfg.evheap.elements == 0 || - DN_KEY_LT(dn_cfg.curr_time, HEAP_TOP(&dn_cfg.evheap)->key)) - break; - p = HEAP_TOP(&dn_cfg.evheap)->object; - heap_extract(&dn_cfg.evheap, NULL); - - if (p->type == DN_SCH_I) { - serve_sched(&q, (struct dn_sch_inst *)p, dn_cfg.curr_time); - } else { /* extracted a delay line */ - transmit_event(&q, (struct delay_line *)p, dn_cfg.curr_time); - } - } - if (dn_cfg.expire && ++dn_cfg.expire_cycle >= dn_cfg.expire) { - dn_cfg.expire_cycle = 0; - dn_drain_scheduler(); - dn_drain_queue(); - } - - DN_BH_WUNLOCK(); - dn_reschedule(); - if (q.head != NULL) - dummynet_send(q.head); - CURVNET_RESTORE(); -} - -/* - * forward a chain of packets to the proper destination. - * This runs outside the dummynet lock. - */ -static void -dummynet_send(struct mbuf *m) -{ - struct mbuf *n; - - for (; m != NULL; m = n) { - struct ifnet *ifp = NULL; /* gcc 3.4.6 complains */ - struct m_tag *tag; - int dst; - - n = m->m_nextpkt; - m->m_nextpkt = NULL; - tag = m_tag_first(m); - if (tag == NULL) { /* should not happen */ - dst = DIR_DROP; - } else { - struct dn_pkt_tag *pkt = dn_tag_get(m); - /* extract the dummynet info, rename the tag - * to carry reinject info. - */ - dst = pkt->dn_dir; - ifp = pkt->ifp; - tag->m_tag_cookie = MTAG_IPFW_RULE; - tag->m_tag_id = 0; - } - - switch (dst) { - case DIR_OUT: - SET_HOST_IPLEN(mtod(m, struct ip *)); - ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); - break ; - - case DIR_IN : - /* put header in network format for ip_input() */ - //SET_NET_IPLEN(mtod(m, struct ip *)); - netisr_dispatch(NETISR_IP, m); - break; - -#ifdef INET6 - case DIR_IN | PROTO_IPV6: - netisr_dispatch(NETISR_IPV6, m); - break; - - case DIR_OUT | PROTO_IPV6: - ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL); - break; -#endif - - case DIR_FWD | PROTO_IFB: /* DN_TO_IFB_FWD: */ - if (bridge_dn_p != NULL) - ((*bridge_dn_p)(m, ifp)); - else - printf("dummynet: if_bridge not loaded\n"); - - break; - - case DIR_IN | PROTO_LAYER2: /* DN_TO_ETH_DEMUX: */ - /* - * The Ethernet code assumes the Ethernet header is - * contiguous in the first mbuf header. - * Insure this is true. - */ - if (m->m_len < ETHER_HDR_LEN && - (m = m_pullup(m, ETHER_HDR_LEN)) == NULL) { - printf("dummynet/ether: pullup failed, " - "dropping packet\n"); - break; - } - ether_demux(m->m_pkthdr.rcvif, m); - break; - - case DIR_OUT | PROTO_LAYER2: /* N_TO_ETH_OUT: */ - ether_output_frame(ifp, m); - break; - - case DIR_DROP: - /* drop the packet after some time */ - FREE_PKT(m); - break; - - default: - printf("dummynet: bad switch %d!\n", dst); - FREE_PKT(m); - break; - } - } -} - -static inline int -tag_mbuf(struct mbuf *m, int dir, struct ip_fw_args *fwa) -{ - struct dn_pkt_tag *dt; - struct m_tag *mtag; - - mtag = m_tag_get(PACKET_TAG_DUMMYNET, - sizeof(*dt), M_NOWAIT | M_ZERO); - if (mtag == NULL) - return 1; /* Cannot allocate packet header. */ - m_tag_prepend(m, mtag); /* Attach to mbuf chain. */ - dt = (struct dn_pkt_tag *)(mtag + 1); - dt->rule = fwa->rule; - dt->rule.info &= IPFW_ONEPASS; /* only keep this info */ - dt->dn_dir = dir; - dt->ifp = fwa->oif; - /* dt->output tame is updated as we move through */ - dt->output_time = dn_cfg.curr_time; - return 0; -} - - -/* - * dummynet hook for packets. - * We use the argument to locate the flowset fs and the sched_set sch - * associated to it. The we apply flow_mask and sched_mask to - * determine the queue and scheduler instances. - * - * dir where shall we send the packet after dummynet. - * *m0 the mbuf with the packet - * ifp the 'ifp' parameter from the caller. - * NULL in ip_input, destination interface in ip_output, - */ -int -dummynet_io(struct mbuf **m0, int dir, struct ip_fw_args *fwa) -{ - struct mbuf *m = *m0; - struct dn_fsk *fs = NULL; - struct dn_sch_inst *si; - struct dn_queue *q = NULL; /* default */ - - int fs_id = (fwa->rule.info & IPFW_INFO_MASK) + - ((fwa->rule.info & IPFW_IS_PIPE) ? 2*DN_MAX_ID : 0); - DN_BH_WLOCK(); - io_pkt++; - /* we could actually tag outside the lock, but who cares... */ - if (tag_mbuf(m, dir, fwa)) - goto dropit; - if (dn_cfg.busy) { - /* if the upper half is busy doing something expensive, - * lets queue the packet and move forward - */ - mq_append(&dn_cfg.pending, m); - m = *m0 = NULL; /* consumed */ - goto done; /* already active, nothing to do */ - } - /* XXX locate_flowset could be optimised with a direct ref. */ - fs = dn_ht_find(dn_cfg.fshash, fs_id, 0, NULL); - if (fs == NULL) - goto dropit; /* This queue/pipe does not exist! */ - if (fs->sched == NULL) /* should not happen */ - goto dropit; - /* find scheduler instance, possibly applying sched_mask */ - si = ipdn_si_find(fs->sched, &(fwa->f_id)); - if (si == NULL) - goto dropit; - /* - * If the scheduler supports multiple queues, find the right one - * (otherwise it will be ignored by enqueue). - */ - if (fs->sched->fp->flags & DN_MULTIQUEUE) { - q = ipdn_q_find(fs, si, &(fwa->f_id)); - if (q == NULL) - goto dropit; - } - if (fs->sched->fp->enqueue(si, q, m)) { - /* packet was dropped by enqueue() */ - m = *m0 = NULL; - goto dropit; - } - - if (si->kflags & DN_ACTIVE) { - m = *m0 = NULL; /* consumed */ - goto done; /* already active, nothing to do */ - } - - /* compute the initial allowance */ - if (si->idle_time < dn_cfg.curr_time) { - /* Do this only on the first packet on an idle pipe */ - struct dn_link *p = &fs->sched->link; - - si->sched_time = dn_cfg.curr_time; - si->credit = dn_cfg.io_fast ? p->bandwidth : 0; - if (p->burst) { - uint64_t burst = (dn_cfg.curr_time - si->idle_time) * p->bandwidth; - if (burst > p->burst) - burst = p->burst; - si->credit += burst; - } - } - /* pass through scheduler and delay line */ - m = serve_sched(NULL, si, dn_cfg.curr_time); - - /* optimization -- pass it back to ipfw for immediate send */ - /* XXX Don't call dummynet_send() if scheduler return the packet - * just enqueued. This avoid a lock order reversal. - * - */ - if (/*dn_cfg.io_fast &&*/ m == *m0 && (dir & PROTO_LAYER2) == 0 ) { - /* fast io, rename the tag * to carry reinject info. */ - struct m_tag *tag = m_tag_first(m); - - tag->m_tag_cookie = MTAG_IPFW_RULE; - tag->m_tag_id = 0; - io_pkt_fast++; - if (m->m_nextpkt != NULL) { - printf("dummynet: fast io: pkt chain detected!\n"); - m->m_nextpkt = NULL; - } - m = NULL; - } else { - *m0 = NULL; - } -done: - DN_BH_WUNLOCK(); - if (m) - dummynet_send(m); - return 0; - -dropit: - io_pkt_drop++; - DN_BH_WUNLOCK(); - if (m) - FREE_PKT(m); - *m0 = NULL; - return (fs && (fs->fs.flags & DN_NOERROR)) ? 0 : ENOBUFS; -} diff --git a/sys/netinet/ipfw/ip_dn_private.h b/sys/netinet/ipfw/ip_dn_private.h deleted file mode 100644 index 159ddc9..0000000 --- a/sys/netinet/ipfw/ip_dn_private.h +++ /dev/null @@ -1,403 +0,0 @@ -/*- - * Copyright (c) 2010 Luigi Rizzo, Riccardo Panicucci, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * internal dummynet APIs. - * - * $FreeBSD$ - */ - -#ifndef _IP_DN_PRIVATE_H -#define _IP_DN_PRIVATE_H - -/* debugging support - * use ND() to remove debugging, D() to print a line, - * DX(level, ...) to print above a certain level - * If you redefine D() you are expected to redefine all. - */ -#ifndef D -#define ND(fmt, ...) do {} while (0) -#define D1(fmt, ...) do {} while (0) -#define D(fmt, ...) printf("%-10s " fmt "\n", \ - __FUNCTION__, ## __VA_ARGS__) -#define DX(lev, fmt, ...) do { \ - if (dn_cfg.debug > lev) D(fmt, ## __VA_ARGS__); } while (0) -#endif - -MALLOC_DECLARE(M_DUMMYNET); - -#ifndef __linux__ -#define div64(a, b) ((int64_t)(a) / (int64_t)(b)) -#endif - -#define DN_LOCK_INIT() do { \ - mtx_init(&dn_cfg.uh_mtx, "dn_uh", NULL, MTX_DEF); \ - mtx_init(&dn_cfg.bh_mtx, "dn_bh", NULL, MTX_DEF); \ - } while (0) -#define DN_LOCK_DESTROY() do { \ - mtx_destroy(&dn_cfg.uh_mtx); \ - mtx_destroy(&dn_cfg.bh_mtx); \ - } while (0) -#if 0 /* not used yet */ -#define DN_UH_RLOCK() mtx_lock(&dn_cfg.uh_mtx) -#define DN_UH_RUNLOCK() mtx_unlock(&dn_cfg.uh_mtx) -#define DN_UH_WLOCK() mtx_lock(&dn_cfg.uh_mtx) -#define DN_UH_WUNLOCK() mtx_unlock(&dn_cfg.uh_mtx) -#define DN_UH_LOCK_ASSERT() mtx_assert(&dn_cfg.uh_mtx, MA_OWNED) -#endif - -#define DN_BH_RLOCK() mtx_lock(&dn_cfg.uh_mtx) -#define DN_BH_RUNLOCK() mtx_unlock(&dn_cfg.uh_mtx) -#define DN_BH_WLOCK() mtx_lock(&dn_cfg.uh_mtx) -#define DN_BH_WUNLOCK() mtx_unlock(&dn_cfg.uh_mtx) -#define DN_BH_LOCK_ASSERT() mtx_assert(&dn_cfg.uh_mtx, MA_OWNED) - -SLIST_HEAD(dn_schk_head, dn_schk); -SLIST_HEAD(dn_sch_inst_head, dn_sch_inst); -SLIST_HEAD(dn_fsk_head, dn_fsk); -SLIST_HEAD(dn_queue_head, dn_queue); -SLIST_HEAD(dn_alg_head, dn_alg); - -struct mq { /* a basic queue of packets*/ - struct mbuf *head, *tail; -}; - -static inline void -set_oid(struct dn_id *o, int type, int len) -{ - o->type = type; - o->len = len; - o->subtype = 0; -}; - -/* - * configuration and global data for a dummynet instance - * - * When a configuration is modified from userland, 'id' is incremented - * so we can use the value to check for stale pointers. - */ -struct dn_parms { - uint32_t id; /* configuration version */ - - /* defaults (sysctl-accessible) */ - int red_lookup_depth; - int red_avg_pkt_size; - int red_max_pkt_size; - int hash_size; - int max_hash_size; - long byte_limit; /* max queue sizes */ - long slot_limit; - - int io_fast; - int debug; - - /* timekeeping */ - struct timeval prev_t; /* last time dummynet_tick ran */ - struct dn_heap evheap; /* scheduled events */ - - /* counters of objects -- used for reporting space */ - int schk_count; - int si_count; - int fsk_count; - int queue_count; - - /* ticks and other stuff */ - uint64_t curr_time; - /* flowsets and schedulers are in hash tables, with 'hash_size' - * buckets. fshash is looked up at every packet arrival - * so better be generous if we expect many entries. - */ - struct dn_ht *fshash; - struct dn_ht *schedhash; - /* list of flowsets without a scheduler -- use sch_chain */ - struct dn_fsk_head fsu; /* list of unlinked flowsets */ - struct dn_alg_head schedlist; /* list of algorithms */ - - /* Store the fs/sch to scan when draining. The value is the - * bucket number of the hash table. Expire can be disabled - * with net.inet.ip.dummynet.expire=0, or it happens every - * expire ticks. - **/ - int drain_fs; - int drain_sch; - uint32_t expire; - uint32_t expire_cycle; /* tick count */ - - int init_done; - - /* if the upper half is busy doing something long, - * can set the busy flag and we will enqueue packets in - * a queue for later processing. - */ - int busy; - struct mq pending; - -#ifdef _KERNEL - /* - * This file is normally used in the kernel, unless we do - * some userland tests, in which case we do not need a mtx. - * uh_mtx arbitrates between system calls and also - * protects fshash, schedhash and fsunlinked. - * These structures are readonly for the lower half. - * bh_mtx protects all other structures which may be - * modified upon packet arrivals - */ -#if defined( __linux__ ) || defined( _WIN32 ) - spinlock_t uh_mtx; - spinlock_t bh_mtx; -#else - struct mtx uh_mtx; - struct mtx bh_mtx; -#endif - -#endif /* _KERNEL */ -}; - -/* - * Delay line, contains all packets on output from a link. - * Every scheduler instance has one. - */ -struct delay_line { - struct dn_id oid; - struct dn_sch_inst *si; - struct mq mq; -}; - -/* - * The kernel side of a flowset. It is linked in a hash table - * of flowsets, and in a list of children of their parent scheduler. - * qht is either the queue or (if HAVE_MASK) a hash table queues. - * Note that the mask to use is the (flow_mask|sched_mask), which - * changes as we attach/detach schedulers. So we store it here. - * - * XXX If we want to add scheduler-specific parameters, we need to - * put them in external storage because the scheduler may not be - * available when the fsk is created. - */ -struct dn_fsk { /* kernel side of a flowset */ - struct dn_fs fs; - SLIST_ENTRY(dn_fsk) fsk_next; /* hash chain for fshash */ - - struct ipfw_flow_id fsk_mask; - - /* qht is a hash table of queues, or just a single queue - * a bit in fs.flags tells us which one - */ - struct dn_ht *qht; - struct dn_schk *sched; /* Sched we are linked to */ - SLIST_ENTRY(dn_fsk) sch_chain; /* list of fsk attached to sched */ - - /* bucket index used by drain routine to drain queues for this - * flowset - */ - int drain_bucket; - /* Parameter realted to RED / GRED */ - /* original values are in dn_fs*/ - int w_q ; /* queue weight (scaled) */ - int max_th ; /* maximum threshold for queue (scaled) */ - int min_th ; /* minimum threshold for queue (scaled) */ - int max_p ; /* maximum value for p_b (scaled) */ - - u_int c_1 ; /* max_p/(max_th-min_th) (scaled) */ - u_int c_2 ; /* max_p*min_th/(max_th-min_th) (scaled) */ - u_int c_3 ; /* for GRED, (1-max_p)/max_th (scaled) */ - u_int c_4 ; /* for GRED, 1 - 2*max_p (scaled) */ - u_int * w_q_lookup ; /* lookup table for computing (1-w_q)^t */ - u_int lookup_depth ; /* depth of lookup table */ - int lookup_step ; /* granularity inside the lookup table */ - int lookup_weight ; /* equal to (1-w_q)^t / (1-w_q)^(t+1) */ - int avg_pkt_size ; /* medium packet size */ - int max_pkt_size ; /* max packet size */ -}; - -/* - * A queue is created as a child of a flowset unless it belongs to - * a !MULTIQUEUE scheduler. It is normally in a hash table in the - * flowset. fs always points to the parent flowset. - * si normally points to the sch_inst, unless the flowset has been - * detached from the scheduler -- in this case si == NULL and we - * should not enqueue. - */ -struct dn_queue { - struct dn_flow ni; /* oid, flow_id, stats */ - struct mq mq; /* packets queue */ - struct dn_sch_inst *_si; /* owner scheduler instance */ - SLIST_ENTRY(dn_queue) q_next; /* hash chain list for qht */ - struct dn_fsk *fs; /* parent flowset. */ - - /* RED parameters */ - int avg; /* average queue length est. (scaled) */ - int count; /* arrivals since last RED drop */ - int random; /* random value (scaled) */ - uint64_t q_time; /* start of queue idle time */ - -}; - -/* - * The kernel side of a scheduler. Contains the userland config, - * a link, pointer to extra config arguments from command line, - * kernel flags, and a pointer to the scheduler methods. - * It is stored in a hash table, and holds a list of all - * flowsets and scheduler instances. - * XXX sch must be at the beginning, see schk_hash(). - */ -struct dn_schk { - struct dn_sch sch; - struct dn_alg *fp; /* Pointer to scheduler functions */ - struct dn_link link; /* The link, embedded */ - struct dn_profile *profile; /* delay profile, if any */ - struct dn_id *cfg; /* extra config arguments */ - - SLIST_ENTRY(dn_schk) schk_next; /* hash chain for schedhash */ - - struct dn_fsk_head fsk_list; /* all fsk linked to me */ - struct dn_fsk *fs; /* Flowset for !MULTIQUEUE */ - - /* bucket index used by the drain routine to drain the scheduler - * instance for this flowset. - */ - int drain_bucket; - - /* Hash table of all instances (through sch.sched_mask) - * or single instance if no mask. Always valid. - */ - struct dn_ht *siht; -}; - - -/* - * Scheduler instance. - * Contains variables and all queues relative to a this instance. - * This struct is created a runtime. - */ -struct dn_sch_inst { - struct dn_flow ni; /* oid, flowid and stats */ - SLIST_ENTRY(dn_sch_inst) si_next; /* hash chain for siht */ - struct delay_line dline; - struct dn_schk *sched; /* the template */ - int kflags; /* DN_ACTIVE */ - - int64_t credit; /* bits I can transmit (more or less). */ - uint64_t sched_time; /* time link was scheduled in ready_heap */ - uint64_t idle_time; /* start of scheduler instance idle time */ - - /* q_count is the number of queues that this instance is using. - * The counter is incremented or decremented when - * a reference from the queue is created or deleted. - * It is used to make sure that a scheduler instance can be safely - * deleted by the drain routine. See notes below. - */ - int q_count; - -}; - -/* - * NOTE about object drain. - * The system will automatically (XXX check when) drain queues and - * scheduler instances when they are idle. - * A queue is idle when it has no packets; an instance is idle when - * it is not in the evheap heap, and the corresponding delay line is empty. - * A queue can be safely deleted when it is idle because of the scheduler - * function xxx_free_queue() will remove any references to it. - * An instance can be only deleted when no queues reference it. To be sure - * of that, a counter (q_count) stores the number of queues that are pointing - * to the instance. - * - * XXX - * Order of scan: - * - take all flowset in a bucket for the flowset hash table - * - take all queues in a bucket for the flowset - * - increment the queue bucket - * - scan next flowset bucket - * Nothing is done if a bucket contains no entries. - * - * The same schema is used for sceduler instances - */ - - -/* kernel-side flags. Linux has DN_DELETE in fcntl.h - */ -enum { - /* 1 and 2 are reserved for the SCAN flags */ - DN_DESTROY = 0x0004, /* destroy */ - DN_DELETE_FS = 0x0008, /* destroy flowset */ - DN_DETACH = 0x0010, - DN_ACTIVE = 0x0020, /* object is in evheap */ - DN_F_DLINE = 0x0040, /* object is a delay line */ - DN_DEL_SAFE = 0x0080, /* delete a queue only if no longer needed - * by scheduler */ - DN_QHT_IS_Q = 0x0100, /* in flowset, qht is a single queue */ -}; - -extern struct dn_parms dn_cfg; -//VNET_DECLARE(struct dn_parms, _base_dn_cfg); -//#define dn_cfg VNET(_base_dn_cfg) - -int dummynet_io(struct mbuf **, int , struct ip_fw_args *); -void dummynet_task(void *context, int pending); -void dn_reschedule(void); - -struct dn_queue *ipdn_q_find(struct dn_fsk *, struct dn_sch_inst *, - struct ipfw_flow_id *); -struct dn_sch_inst *ipdn_si_find(struct dn_schk *, struct ipfw_flow_id *); - -/* - * copy_range is a template for requests for ranges of pipes/queues/scheds. - * The number of ranges is variable and can be derived by o.len. - * As a default, we use a small number of entries so that the struct - * fits easily on the stack and is sufficient for most common requests. - */ -#define DEFAULT_RANGES 5 -struct copy_range { - struct dn_id o; - uint32_t r[ 2 * DEFAULT_RANGES ]; -}; - -struct copy_args { - char **start; - char *end; - int flags; - int type; - struct copy_range *extra; /* extra filtering */ -}; - -struct sockopt; -int ip_dummynet_compat(struct sockopt *sopt); -int dummynet_get(struct sockopt *sopt, void **compat); -int dn_c_copy_q (void *_ni, void *arg); -int dn_c_copy_pipe(struct dn_schk *s, struct copy_args *a, int nq); -int dn_c_copy_fs(struct dn_fsk *f, struct copy_args *a, int nq); -int dn_compat_copy_queue(struct copy_args *a, void *_o); -int dn_compat_copy_pipe(struct copy_args *a, void *_o); -int copy_data_helper_compat(void *_o, void *_arg); -int dn_compat_calc_size(void); -int do_config(void *p, int l); - -/* function to drain idle object */ -void dn_drain_scheduler(void); -void dn_drain_queue(void); - -#endif /* _IP_DN_PRIVATE_H */ diff --git a/sys/netinet/ipfw/ip_dummynet.c b/sys/netinet/ipfw/ip_dummynet.c deleted file mode 100644 index 928176e..0000000 --- a/sys/netinet/ipfw/ip_dummynet.c +++ /dev/null @@ -1,2313 +0,0 @@ -/*- - * Copyright (c) 1998-2002,2010 Luigi Rizzo, Universita` di Pisa - * Portions Copyright (c) 2000 Akamba Corp. - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -/* - * Configuration and internal object management for dummynet. - */ - -#include "opt_inet6.h" - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/malloc.h> -#include <sys/mbuf.h> -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/module.h> -#include <sys/priv.h> -#include <sys/proc.h> -#include <sys/rwlock.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/time.h> -#include <sys/taskqueue.h> -#include <net/if.h> /* IFNAMSIZ, struct ifaddr, ifq head, lock.h mutex.h */ -#include <netinet/in.h> -#include <netinet/ip_var.h> /* ip_output(), IP_FORWARDING */ -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> -#include <netinet/ipfw/dn_heap.h> -#include <netinet/ip_dummynet.h> -#include <netinet/ipfw/ip_dn_private.h> -#include <netinet/ipfw/dn_sched.h> - -/* which objects to copy */ -#define DN_C_LINK 0x01 -#define DN_C_SCH 0x02 -#define DN_C_FLOW 0x04 -#define DN_C_FS 0x08 -#define DN_C_QUEUE 0x10 - -/* we use this argument in case of a schk_new */ -struct schk_new_arg { - struct dn_alg *fp; - struct dn_sch *sch; -}; - -/*---- callout hooks. ----*/ -static struct callout dn_timeout; -static struct task dn_task; -static struct taskqueue *dn_tq = NULL; - -static void -dummynet(void * __unused unused) -{ - - taskqueue_enqueue(dn_tq, &dn_task); -} - -void -dn_reschedule(void) -{ - callout_reset(&dn_timeout, 1, dummynet, NULL); -} -/*----- end of callout hooks -----*/ - -/* Return a scheduler descriptor given the type or name. */ -static struct dn_alg * -find_sched_type(int type, char *name) -{ - struct dn_alg *d; - - SLIST_FOREACH(d, &dn_cfg.schedlist, next) { - if (d->type == type || (name && !strcasecmp(d->name, name))) - return d; - } - return NULL; /* not found */ -} - -int -ipdn_bound_var(int *v, int dflt, int lo, int hi, const char *msg) -{ - int oldv = *v; - const char *op = NULL; - if (dflt < lo) - dflt = lo; - if (dflt > hi) - dflt = hi; - if (oldv < lo) { - *v = dflt; - op = "Bump"; - } else if (oldv > hi) { - *v = hi; - op = "Clamp"; - } else - return *v; - if (op && msg) - printf("%s %s to %d (was %d)\n", op, msg, *v, oldv); - return *v; -} - -/*---- flow_id mask, hash and compare functions ---*/ -/* - * The flow_id includes the 5-tuple, the queue/pipe number - * which we store in the extra area in host order, - * and for ipv6 also the flow_id6. - * XXX see if we want the tos byte (can store in 'flags') - */ -static struct ipfw_flow_id * -flow_id_mask(struct ipfw_flow_id *mask, struct ipfw_flow_id *id) -{ - int is_v6 = IS_IP6_FLOW_ID(id); - - id->dst_port &= mask->dst_port; - id->src_port &= mask->src_port; - id->proto &= mask->proto; - id->extra &= mask->extra; - if (is_v6) { - APPLY_MASK(&id->dst_ip6, &mask->dst_ip6); - APPLY_MASK(&id->src_ip6, &mask->src_ip6); - id->flow_id6 &= mask->flow_id6; - } else { - id->dst_ip &= mask->dst_ip; - id->src_ip &= mask->src_ip; - } - return id; -} - -/* computes an OR of two masks, result in dst and also returned */ -static struct ipfw_flow_id * -flow_id_or(struct ipfw_flow_id *src, struct ipfw_flow_id *dst) -{ - int is_v6 = IS_IP6_FLOW_ID(dst); - - dst->dst_port |= src->dst_port; - dst->src_port |= src->src_port; - dst->proto |= src->proto; - dst->extra |= src->extra; - if (is_v6) { -#define OR_MASK(_d, _s) \ - (_d)->__u6_addr.__u6_addr32[0] |= (_s)->__u6_addr.__u6_addr32[0]; \ - (_d)->__u6_addr.__u6_addr32[1] |= (_s)->__u6_addr.__u6_addr32[1]; \ - (_d)->__u6_addr.__u6_addr32[2] |= (_s)->__u6_addr.__u6_addr32[2]; \ - (_d)->__u6_addr.__u6_addr32[3] |= (_s)->__u6_addr.__u6_addr32[3]; - OR_MASK(&dst->dst_ip6, &src->dst_ip6); - OR_MASK(&dst->src_ip6, &src->src_ip6); -#undef OR_MASK - dst->flow_id6 |= src->flow_id6; - } else { - dst->dst_ip |= src->dst_ip; - dst->src_ip |= src->src_ip; - } - return dst; -} - -static int -nonzero_mask(struct ipfw_flow_id *m) -{ - if (m->dst_port || m->src_port || m->proto || m->extra) - return 1; - if (IS_IP6_FLOW_ID(m)) { - return - m->dst_ip6.__u6_addr.__u6_addr32[0] || - m->dst_ip6.__u6_addr.__u6_addr32[1] || - m->dst_ip6.__u6_addr.__u6_addr32[2] || - m->dst_ip6.__u6_addr.__u6_addr32[3] || - m->src_ip6.__u6_addr.__u6_addr32[0] || - m->src_ip6.__u6_addr.__u6_addr32[1] || - m->src_ip6.__u6_addr.__u6_addr32[2] || - m->src_ip6.__u6_addr.__u6_addr32[3] || - m->flow_id6; - } else { - return m->dst_ip || m->src_ip; - } -} - -/* XXX we may want a better hash function */ -static uint32_t -flow_id_hash(struct ipfw_flow_id *id) -{ - uint32_t i; - - if (IS_IP6_FLOW_ID(id)) { - uint32_t *d = (uint32_t *)&id->dst_ip6; - uint32_t *s = (uint32_t *)&id->src_ip6; - i = (d[0] ) ^ (d[1]) ^ - (d[2] ) ^ (d[3]) ^ - (d[0] >> 15) ^ (d[1] >> 15) ^ - (d[2] >> 15) ^ (d[3] >> 15) ^ - (s[0] << 1) ^ (s[1] << 1) ^ - (s[2] << 1) ^ (s[3] << 1) ^ - (s[0] << 16) ^ (s[1] << 16) ^ - (s[2] << 16) ^ (s[3] << 16) ^ - (id->dst_port << 1) ^ (id->src_port) ^ - (id->extra) ^ - (id->proto ) ^ (id->flow_id6); - } else { - i = (id->dst_ip) ^ (id->dst_ip >> 15) ^ - (id->src_ip << 1) ^ (id->src_ip >> 16) ^ - (id->extra) ^ - (id->dst_port << 1) ^ (id->src_port) ^ (id->proto); - } - return i; -} - -/* Like bcmp, returns 0 if ids match, 1 otherwise. */ -static int -flow_id_cmp(struct ipfw_flow_id *id1, struct ipfw_flow_id *id2) -{ - int is_v6 = IS_IP6_FLOW_ID(id1); - - if (!is_v6) { - if (IS_IP6_FLOW_ID(id2)) - return 1; /* different address families */ - - return (id1->dst_ip == id2->dst_ip && - id1->src_ip == id2->src_ip && - id1->dst_port == id2->dst_port && - id1->src_port == id2->src_port && - id1->proto == id2->proto && - id1->extra == id2->extra) ? 0 : 1; - } - /* the ipv6 case */ - return ( - !bcmp(&id1->dst_ip6,&id2->dst_ip6, sizeof(id1->dst_ip6)) && - !bcmp(&id1->src_ip6,&id2->src_ip6, sizeof(id1->src_ip6)) && - id1->dst_port == id2->dst_port && - id1->src_port == id2->src_port && - id1->proto == id2->proto && - id1->extra == id2->extra && - id1->flow_id6 == id2->flow_id6) ? 0 : 1; -} -/*--------- end of flow-id mask, hash and compare ---------*/ - -/*--- support functions for the qht hashtable ---- - * Entries are hashed by flow-id - */ -static uint32_t -q_hash(uintptr_t key, int flags, void *arg) -{ - /* compute the hash slot from the flow id */ - struct ipfw_flow_id *id = (flags & DNHT_KEY_IS_OBJ) ? - &((struct dn_queue *)key)->ni.fid : - (struct ipfw_flow_id *)key; - - return flow_id_hash(id); -} - -static int -q_match(void *obj, uintptr_t key, int flags, void *arg) -{ - struct dn_queue *o = (struct dn_queue *)obj; - struct ipfw_flow_id *id2; - - if (flags & DNHT_KEY_IS_OBJ) { - /* compare pointers */ - id2 = &((struct dn_queue *)key)->ni.fid; - } else { - id2 = (struct ipfw_flow_id *)key; - } - return (0 == flow_id_cmp(&o->ni.fid, id2)); -} - -/* - * create a new queue instance for the given 'key'. - */ -static void * -q_new(uintptr_t key, int flags, void *arg) -{ - struct dn_queue *q, *template = arg; - struct dn_fsk *fs = template->fs; - int size = sizeof(*q) + fs->sched->fp->q_datalen; - - q = malloc(size, M_DUMMYNET, M_NOWAIT | M_ZERO); - if (q == NULL) { - D("no memory for new queue"); - return NULL; - } - - set_oid(&q->ni.oid, DN_QUEUE, size); - if (fs->fs.flags & DN_QHT_HASH) - q->ni.fid = *(struct ipfw_flow_id *)key; - q->fs = fs; - q->_si = template->_si; - q->_si->q_count++; - - if (fs->sched->fp->new_queue) - fs->sched->fp->new_queue(q); - dn_cfg.queue_count++; - return q; -} - -/* - * Notify schedulers that a queue is going away. - * If (flags & DN_DESTROY), also free the packets. - * The version for callbacks is called q_delete_cb(). - */ -static void -dn_delete_queue(struct dn_queue *q, int flags) -{ - struct dn_fsk *fs = q->fs; - - // D("fs %p si %p\n", fs, q->_si); - /* notify the parent scheduler that the queue is going away */ - if (fs && fs->sched->fp->free_queue) - fs->sched->fp->free_queue(q); - q->_si->q_count--; - q->_si = NULL; - if (flags & DN_DESTROY) { - if (q->mq.head) - dn_free_pkts(q->mq.head); - bzero(q, sizeof(*q)); // safety - free(q, M_DUMMYNET); - dn_cfg.queue_count--; - } -} - -static int -q_delete_cb(void *q, void *arg) -{ - int flags = (int)(uintptr_t)arg; - dn_delete_queue(q, flags); - return (flags & DN_DESTROY) ? DNHT_SCAN_DEL : 0; -} - -/* - * calls dn_delete_queue/q_delete_cb on all queues, - * which notifies the parent scheduler and possibly drains packets. - * flags & DN_DESTROY: drains queues and destroy qht; - */ -static void -qht_delete(struct dn_fsk *fs, int flags) -{ - ND("fs %d start flags %d qht %p", - fs->fs.fs_nr, flags, fs->qht); - if (!fs->qht) - return; - if (fs->fs.flags & DN_QHT_HASH) { - dn_ht_scan(fs->qht, q_delete_cb, (void *)(uintptr_t)flags); - if (flags & DN_DESTROY) { - dn_ht_free(fs->qht, 0); - fs->qht = NULL; - } - } else { - dn_delete_queue((struct dn_queue *)(fs->qht), flags); - if (flags & DN_DESTROY) - fs->qht = NULL; - } -} - -/* - * Find and possibly create the queue for a MULTIQUEUE scheduler. - * We never call it for !MULTIQUEUE (the queue is in the sch_inst). - */ -struct dn_queue * -ipdn_q_find(struct dn_fsk *fs, struct dn_sch_inst *si, - struct ipfw_flow_id *id) -{ - struct dn_queue template; - - template._si = si; - template.fs = fs; - - if (fs->fs.flags & DN_QHT_HASH) { - struct ipfw_flow_id masked_id; - if (fs->qht == NULL) { - fs->qht = dn_ht_init(NULL, fs->fs.buckets, - offsetof(struct dn_queue, q_next), - q_hash, q_match, q_new); - if (fs->qht == NULL) - return NULL; - } - masked_id = *id; - flow_id_mask(&fs->fsk_mask, &masked_id); - return dn_ht_find(fs->qht, (uintptr_t)&masked_id, - DNHT_INSERT, &template); - } else { - if (fs->qht == NULL) - fs->qht = q_new(0, 0, &template); - return (struct dn_queue *)fs->qht; - } -} -/*--- end of queue hash table ---*/ - -/*--- support functions for the sch_inst hashtable ---- - * - * These are hashed by flow-id - */ -static uint32_t -si_hash(uintptr_t key, int flags, void *arg) -{ - /* compute the hash slot from the flow id */ - struct ipfw_flow_id *id = (flags & DNHT_KEY_IS_OBJ) ? - &((struct dn_sch_inst *)key)->ni.fid : - (struct ipfw_flow_id *)key; - - return flow_id_hash(id); -} - -static int -si_match(void *obj, uintptr_t key, int flags, void *arg) -{ - struct dn_sch_inst *o = obj; - struct ipfw_flow_id *id2; - - id2 = (flags & DNHT_KEY_IS_OBJ) ? - &((struct dn_sch_inst *)key)->ni.fid : - (struct ipfw_flow_id *)key; - return flow_id_cmp(&o->ni.fid, id2) == 0; -} - -/* - * create a new instance for the given 'key' - * Allocate memory for instance, delay line and scheduler private data. - */ -static void * -si_new(uintptr_t key, int flags, void *arg) -{ - struct dn_schk *s = arg; - struct dn_sch_inst *si; - int l = sizeof(*si) + s->fp->si_datalen; - - si = malloc(l, M_DUMMYNET, M_NOWAIT | M_ZERO); - if (si == NULL) - goto error; - - /* Set length only for the part passed up to userland. */ - set_oid(&si->ni.oid, DN_SCH_I, sizeof(struct dn_flow)); - set_oid(&(si->dline.oid), DN_DELAY_LINE, - sizeof(struct delay_line)); - /* mark si and dline as outside the event queue */ - si->ni.oid.id = si->dline.oid.id = -1; - - si->sched = s; - si->dline.si = si; - - if (s->fp->new_sched && s->fp->new_sched(si)) { - D("new_sched error"); - goto error; - } - if (s->sch.flags & DN_HAVE_MASK) - si->ni.fid = *(struct ipfw_flow_id *)key; - - dn_cfg.si_count++; - return si; - -error: - if (si) { - bzero(si, sizeof(*si)); // safety - free(si, M_DUMMYNET); - } - return NULL; -} - -/* - * Callback from siht to delete all scheduler instances. Remove - * si and delay line from the system heap, destroy all queues. - * We assume that all flowset have been notified and do not - * point to us anymore. - */ -static int -si_destroy(void *_si, void *arg) -{ - struct dn_sch_inst *si = _si; - struct dn_schk *s = si->sched; - struct delay_line *dl = &si->dline; - - if (dl->oid.subtype) /* remove delay line from event heap */ - heap_extract(&dn_cfg.evheap, dl); - dn_free_pkts(dl->mq.head); /* drain delay line */ - if (si->kflags & DN_ACTIVE) /* remove si from event heap */ - heap_extract(&dn_cfg.evheap, si); - if (s->fp->free_sched) - s->fp->free_sched(si); - bzero(si, sizeof(*si)); /* safety */ - free(si, M_DUMMYNET); - dn_cfg.si_count--; - return DNHT_SCAN_DEL; -} - -/* - * Find the scheduler instance for this packet. If we need to apply - * a mask, do on a local copy of the flow_id to preserve the original. - * Assume siht is always initialized if we have a mask. - */ -struct dn_sch_inst * -ipdn_si_find(struct dn_schk *s, struct ipfw_flow_id *id) -{ - - if (s->sch.flags & DN_HAVE_MASK) { - struct ipfw_flow_id id_t = *id; - flow_id_mask(&s->sch.sched_mask, &id_t); - return dn_ht_find(s->siht, (uintptr_t)&id_t, - DNHT_INSERT, s); - } - if (!s->siht) - s->siht = si_new(0, 0, s); - return (struct dn_sch_inst *)s->siht; -} - -/* callback to flush credit for the scheduler instance */ -static int -si_reset_credit(void *_si, void *arg) -{ - struct dn_sch_inst *si = _si; - struct dn_link *p = &si->sched->link; - - si->credit = p->burst + (dn_cfg.io_fast ? p->bandwidth : 0); - return 0; -} - -static void -schk_reset_credit(struct dn_schk *s) -{ - if (s->sch.flags & DN_HAVE_MASK) - dn_ht_scan(s->siht, si_reset_credit, NULL); - else if (s->siht) - si_reset_credit(s->siht, NULL); -} -/*---- end of sch_inst hashtable ---------------------*/ - -/*------------------------------------------------------- - * flowset hash (fshash) support. Entries are hashed by fs_nr. - * New allocations are put in the fsunlinked list, from which - * they are removed when they point to a specific scheduler. - */ -static uint32_t -fsk_hash(uintptr_t key, int flags, void *arg) -{ - uint32_t i = !(flags & DNHT_KEY_IS_OBJ) ? key : - ((struct dn_fsk *)key)->fs.fs_nr; - - return ( (i>>8)^(i>>4)^i ); -} - -static int -fsk_match(void *obj, uintptr_t key, int flags, void *arg) -{ - struct dn_fsk *fs = obj; - int i = !(flags & DNHT_KEY_IS_OBJ) ? key : - ((struct dn_fsk *)key)->fs.fs_nr; - - return (fs->fs.fs_nr == i); -} - -static void * -fsk_new(uintptr_t key, int flags, void *arg) -{ - struct dn_fsk *fs; - - fs = malloc(sizeof(*fs), M_DUMMYNET, M_NOWAIT | M_ZERO); - if (fs) { - set_oid(&fs->fs.oid, DN_FS, sizeof(fs->fs)); - dn_cfg.fsk_count++; - fs->drain_bucket = 0; - SLIST_INSERT_HEAD(&dn_cfg.fsu, fs, sch_chain); - } - return fs; -} - -/* - * detach flowset from its current scheduler. Flags as follows: - * DN_DETACH removes from the fsk_list - * DN_DESTROY deletes individual queues - * DN_DELETE_FS destroys the flowset (otherwise goes in unlinked). - */ -static void -fsk_detach(struct dn_fsk *fs, int flags) -{ - if (flags & DN_DELETE_FS) - flags |= DN_DESTROY; - ND("fs %d from sched %d flags %s %s %s", - fs->fs.fs_nr, fs->fs.sched_nr, - (flags & DN_DELETE_FS) ? "DEL_FS":"", - (flags & DN_DESTROY) ? "DEL":"", - (flags & DN_DETACH) ? "DET":""); - if (flags & DN_DETACH) { /* detach from the list */ - struct dn_fsk_head *h; - h = fs->sched ? &fs->sched->fsk_list : &dn_cfg.fsu; - SLIST_REMOVE(h, fs, dn_fsk, sch_chain); - } - /* Free the RED parameters, they will be recomputed on - * subsequent attach if needed. - */ - if (fs->w_q_lookup) - free(fs->w_q_lookup, M_DUMMYNET); - fs->w_q_lookup = NULL; - qht_delete(fs, flags); - if (fs->sched && fs->sched->fp->free_fsk) - fs->sched->fp->free_fsk(fs); - fs->sched = NULL; - if (flags & DN_DELETE_FS) { - bzero(fs, sizeof(fs)); /* safety */ - free(fs, M_DUMMYNET); - dn_cfg.fsk_count--; - } else { - SLIST_INSERT_HEAD(&dn_cfg.fsu, fs, sch_chain); - } -} - -/* - * Detach or destroy all flowsets in a list. - * flags specifies what to do: - * DN_DESTROY: flush all queues - * DN_DELETE_FS: DN_DESTROY + destroy flowset - * DN_DELETE_FS implies DN_DESTROY - */ -static void -fsk_detach_list(struct dn_fsk_head *h, int flags) -{ - struct dn_fsk *fs; - int n = 0; /* only for stats */ - - ND("head %p flags %x", h, flags); - while ((fs = SLIST_FIRST(h))) { - SLIST_REMOVE_HEAD(h, sch_chain); - n++; - fsk_detach(fs, flags); - } - ND("done %d flowsets", n); -} - -/* - * called on 'queue X delete' -- removes the flowset from fshash, - * deletes all queues for the flowset, and removes the flowset. - */ -static int -delete_fs(int i, int locked) -{ - struct dn_fsk *fs; - int err = 0; - - if (!locked) - DN_BH_WLOCK(); - fs = dn_ht_find(dn_cfg.fshash, i, DNHT_REMOVE, NULL); - ND("fs %d found %p", i, fs); - if (fs) { - fsk_detach(fs, DN_DETACH | DN_DELETE_FS); - err = 0; - } else - err = EINVAL; - if (!locked) - DN_BH_WUNLOCK(); - return err; -} - -/*----- end of flowset hashtable support -------------*/ - -/*------------------------------------------------------------ - * Scheduler hash. When searching by index we pass sched_nr, - * otherwise we pass struct dn_sch * which is the first field in - * struct dn_schk so we can cast between the two. We use this trick - * because in the create phase (but it should be fixed). - */ -static uint32_t -schk_hash(uintptr_t key, int flags, void *_arg) -{ - uint32_t i = !(flags & DNHT_KEY_IS_OBJ) ? key : - ((struct dn_schk *)key)->sch.sched_nr; - return ( (i>>8)^(i>>4)^i ); -} - -static int -schk_match(void *obj, uintptr_t key, int flags, void *_arg) -{ - struct dn_schk *s = (struct dn_schk *)obj; - int i = !(flags & DNHT_KEY_IS_OBJ) ? key : - ((struct dn_schk *)key)->sch.sched_nr; - return (s->sch.sched_nr == i); -} - -/* - * Create the entry and intialize with the sched hash if needed. - * Leave s->fp unset so we can tell whether a dn_ht_find() returns - * a new object or a previously existing one. - */ -static void * -schk_new(uintptr_t key, int flags, void *arg) -{ - struct schk_new_arg *a = arg; - struct dn_schk *s; - int l = sizeof(*s) +a->fp->schk_datalen; - - s = malloc(l, M_DUMMYNET, M_NOWAIT | M_ZERO); - if (s == NULL) - return NULL; - set_oid(&s->link.oid, DN_LINK, sizeof(s->link)); - s->sch = *a->sch; // copy initial values - s->link.link_nr = s->sch.sched_nr; - SLIST_INIT(&s->fsk_list); - /* initialize the hash table or create the single instance */ - s->fp = a->fp; /* si_new needs this */ - s->drain_bucket = 0; - if (s->sch.flags & DN_HAVE_MASK) { - s->siht = dn_ht_init(NULL, s->sch.buckets, - offsetof(struct dn_sch_inst, si_next), - si_hash, si_match, si_new); - if (s->siht == NULL) { - free(s, M_DUMMYNET); - return NULL; - } - } - s->fp = NULL; /* mark as a new scheduler */ - dn_cfg.schk_count++; - return s; -} - -/* - * Callback for sched delete. Notify all attached flowsets to - * detach from the scheduler, destroy the internal flowset, and - * all instances. The scheduler goes away too. - * arg is 0 (only detach flowsets and destroy instances) - * DN_DESTROY (detach & delete queues, delete schk) - * or DN_DELETE_FS (delete queues and flowsets, delete schk) - */ -static int -schk_delete_cb(void *obj, void *arg) -{ - struct dn_schk *s = obj; -#if 0 - int a = (int)arg; - ND("sched %d arg %s%s", - s->sch.sched_nr, - a&DN_DESTROY ? "DEL ":"", - a&DN_DELETE_FS ? "DEL_FS":""); -#endif - fsk_detach_list(&s->fsk_list, arg ? DN_DESTROY : 0); - /* no more flowset pointing to us now */ - if (s->sch.flags & DN_HAVE_MASK) { - dn_ht_scan(s->siht, si_destroy, NULL); - dn_ht_free(s->siht, 0); - } else if (s->siht) - si_destroy(s->siht, NULL); - if (s->profile) { - free(s->profile, M_DUMMYNET); - s->profile = NULL; - } - s->siht = NULL; - if (s->fp->destroy) - s->fp->destroy(s); - bzero(s, sizeof(*s)); // safety - free(obj, M_DUMMYNET); - dn_cfg.schk_count--; - return DNHT_SCAN_DEL; -} - -/* - * called on a 'sched X delete' command. Deletes a single scheduler. - * This is done by removing from the schedhash, unlinking all - * flowsets and deleting their traffic. - */ -static int -delete_schk(int i) -{ - struct dn_schk *s; - - s = dn_ht_find(dn_cfg.schedhash, i, DNHT_REMOVE, NULL); - ND("%d %p", i, s); - if (!s) - return EINVAL; - delete_fs(i + DN_MAX_ID, 1); /* first delete internal fs */ - /* then detach flowsets, delete traffic */ - schk_delete_cb(s, (void*)(uintptr_t)DN_DESTROY); - return 0; -} -/*--- end of schk hashtable support ---*/ - -static int -copy_obj(char **start, char *end, void *_o, const char *msg, int i) -{ - struct dn_id *o = _o; - int have = end - *start; - - if (have < o->len || o->len == 0 || o->type == 0) { - D("(WARN) type %d %s %d have %d need %d", - o->type, msg, i, have, o->len); - return 1; - } - ND("type %d %s %d len %d", o->type, msg, i, o->len); - bcopy(_o, *start, o->len); - if (o->type == DN_LINK) { - /* Adjust burst parameter for link */ - struct dn_link *l = (struct dn_link *)*start; - l->burst = div64(l->burst, 8 * hz); - l->delay = l->delay * 1000 / hz; - } else if (o->type == DN_SCH) { - /* Set id->id to the number of instances */ - struct dn_schk *s = _o; - struct dn_id *id = (struct dn_id *)(*start); - id->id = (s->sch.flags & DN_HAVE_MASK) ? - dn_ht_entries(s->siht) : (s->siht ? 1 : 0); - } - *start += o->len; - return 0; -} - -/* Specific function to copy a queue. - * Copies only the user-visible part of a queue (which is in - * a struct dn_flow), and sets len accordingly. - */ -static int -copy_obj_q(char **start, char *end, void *_o, const char *msg, int i) -{ - struct dn_id *o = _o; - int have = end - *start; - int len = sizeof(struct dn_flow); /* see above comment */ - - if (have < len || o->len == 0 || o->type != DN_QUEUE) { - D("ERROR type %d %s %d have %d need %d", - o->type, msg, i, have, len); - return 1; - } - ND("type %d %s %d len %d", o->type, msg, i, len); - bcopy(_o, *start, len); - ((struct dn_id*)(*start))->len = len; - *start += len; - return 0; -} - -static int -copy_q_cb(void *obj, void *arg) -{ - struct dn_queue *q = obj; - struct copy_args *a = arg; - struct dn_flow *ni = (struct dn_flow *)(*a->start); - if (copy_obj_q(a->start, a->end, &q->ni, "queue", -1)) - return DNHT_SCAN_END; - ni->oid.type = DN_FLOW; /* override the DN_QUEUE */ - ni->oid.id = si_hash((uintptr_t)&ni->fid, 0, NULL); - return 0; -} - -static int -copy_q(struct copy_args *a, struct dn_fsk *fs, int flags) -{ - if (!fs->qht) - return 0; - if (fs->fs.flags & DN_QHT_HASH) - dn_ht_scan(fs->qht, copy_q_cb, a); - else - copy_q_cb(fs->qht, a); - return 0; -} - -/* - * This routine only copies the initial part of a profile ? XXX - */ -static int -copy_profile(struct copy_args *a, struct dn_profile *p) -{ - int have = a->end - *a->start; - /* XXX here we check for max length */ - int profile_len = sizeof(struct dn_profile) - - ED_MAX_SAMPLES_NO*sizeof(int); - - if (p == NULL) - return 0; - if (have < profile_len) { - D("error have %d need %d", have, profile_len); - return 1; - } - bcopy(p, *a->start, profile_len); - ((struct dn_id *)(*a->start))->len = profile_len; - *a->start += profile_len; - return 0; -} - -static int -copy_flowset(struct copy_args *a, struct dn_fsk *fs, int flags) -{ - struct dn_fs *ufs = (struct dn_fs *)(*a->start); - if (!fs) - return 0; - ND("flowset %d", fs->fs.fs_nr); - if (copy_obj(a->start, a->end, &fs->fs, "flowset", fs->fs.fs_nr)) - return DNHT_SCAN_END; - ufs->oid.id = (fs->fs.flags & DN_QHT_HASH) ? - dn_ht_entries(fs->qht) : (fs->qht ? 1 : 0); - if (flags) { /* copy queues */ - copy_q(a, fs, 0); - } - return 0; -} - -static int -copy_si_cb(void *obj, void *arg) -{ - struct dn_sch_inst *si = obj; - struct copy_args *a = arg; - struct dn_flow *ni = (struct dn_flow *)(*a->start); - if (copy_obj(a->start, a->end, &si->ni, "inst", - si->sched->sch.sched_nr)) - return DNHT_SCAN_END; - ni->oid.type = DN_FLOW; /* override the DN_SCH_I */ - ni->oid.id = si_hash((uintptr_t)si, DNHT_KEY_IS_OBJ, NULL); - return 0; -} - -static int -copy_si(struct copy_args *a, struct dn_schk *s, int flags) -{ - if (s->sch.flags & DN_HAVE_MASK) - dn_ht_scan(s->siht, copy_si_cb, a); - else if (s->siht) - copy_si_cb(s->siht, a); - return 0; -} - -/* - * compute a list of children of a scheduler and copy up - */ -static int -copy_fsk_list(struct copy_args *a, struct dn_schk *s, int flags) -{ - struct dn_fsk *fs; - struct dn_id *o; - uint32_t *p; - - int n = 0, space = sizeof(*o); - SLIST_FOREACH(fs, &s->fsk_list, sch_chain) { - if (fs->fs.fs_nr < DN_MAX_ID) - n++; - } - space += n * sizeof(uint32_t); - DX(3, "sched %d has %d flowsets", s->sch.sched_nr, n); - if (a->end - *(a->start) < space) - return DNHT_SCAN_END; - o = (struct dn_id *)(*(a->start)); - o->len = space; - *a->start += o->len; - o->type = DN_TEXT; - p = (uint32_t *)(o+1); - SLIST_FOREACH(fs, &s->fsk_list, sch_chain) - if (fs->fs.fs_nr < DN_MAX_ID) - *p++ = fs->fs.fs_nr; - return 0; -} - -static int -copy_data_helper(void *_o, void *_arg) -{ - struct copy_args *a = _arg; - uint32_t *r = a->extra->r; /* start of first range */ - uint32_t *lim; /* first invalid pointer */ - int n; - - lim = (uint32_t *)((char *)(a->extra) + a->extra->o.len); - - if (a->type == DN_LINK || a->type == DN_SCH) { - /* pipe|sched show, we receive a dn_schk */ - struct dn_schk *s = _o; - - n = s->sch.sched_nr; - if (a->type == DN_SCH && n >= DN_MAX_ID) - return 0; /* not a scheduler */ - if (a->type == DN_LINK && n <= DN_MAX_ID) - return 0; /* not a pipe */ - - /* see if the object is within one of our ranges */ - for (;r < lim; r += 2) { - if (n < r[0] || n > r[1]) - continue; - /* Found a valid entry, copy and we are done */ - if (a->flags & DN_C_LINK) { - if (copy_obj(a->start, a->end, - &s->link, "link", n)) - return DNHT_SCAN_END; - if (copy_profile(a, s->profile)) - return DNHT_SCAN_END; - if (copy_flowset(a, s->fs, 0)) - return DNHT_SCAN_END; - } - if (a->flags & DN_C_SCH) { - if (copy_obj(a->start, a->end, - &s->sch, "sched", n)) - return DNHT_SCAN_END; - /* list all attached flowsets */ - if (copy_fsk_list(a, s, 0)) - return DNHT_SCAN_END; - } - if (a->flags & DN_C_FLOW) - copy_si(a, s, 0); - break; - } - } else if (a->type == DN_FS) { - /* queue show, skip internal flowsets */ - struct dn_fsk *fs = _o; - - n = fs->fs.fs_nr; - if (n >= DN_MAX_ID) - return 0; - /* see if the object is within one of our ranges */ - for (;r < lim; r += 2) { - if (n < r[0] || n > r[1]) - continue; - if (copy_flowset(a, fs, 0)) - return DNHT_SCAN_END; - copy_q(a, fs, 0); - break; /* we are done */ - } - } - return 0; -} - -static inline struct dn_schk * -locate_scheduler(int i) -{ - return dn_ht_find(dn_cfg.schedhash, i, 0, NULL); -} - -/* - * red parameters are in fixed point arithmetic. - */ -static int -config_red(struct dn_fsk *fs) -{ - int64_t s, idle, weight, w0; - int t, i; - - fs->w_q = fs->fs.w_q; - fs->max_p = fs->fs.max_p; - ND("called"); - /* Doing stuff that was in userland */ - i = fs->sched->link.bandwidth; - s = (i <= 0) ? 0 : - hz * dn_cfg.red_avg_pkt_size * 8 * SCALE(1) / i; - - idle = div64((s * 3) , fs->w_q); /* s, fs->w_q scaled; idle not scaled */ - fs->lookup_step = div64(idle , dn_cfg.red_lookup_depth); - /* fs->lookup_step not scaled, */ - if (!fs->lookup_step) - fs->lookup_step = 1; - w0 = weight = SCALE(1) - fs->w_q; //fs->w_q scaled - - for (t = fs->lookup_step; t > 1; --t) - weight = SCALE_MUL(weight, w0); - fs->lookup_weight = (int)(weight); // scaled - - /* Now doing stuff that was in kerneland */ - fs->min_th = SCALE(fs->fs.min_th); - fs->max_th = SCALE(fs->fs.max_th); - - fs->c_1 = fs->max_p / (fs->fs.max_th - fs->fs.min_th); - fs->c_2 = SCALE_MUL(fs->c_1, SCALE(fs->fs.min_th)); - - if (fs->fs.flags & DN_IS_GENTLE_RED) { - fs->c_3 = (SCALE(1) - fs->max_p) / fs->fs.max_th; - fs->c_4 = SCALE(1) - 2 * fs->max_p; - } - - /* If the lookup table already exist, free and create it again. */ - if (fs->w_q_lookup) { - free(fs->w_q_lookup, M_DUMMYNET); - fs->w_q_lookup = NULL; - } - if (dn_cfg.red_lookup_depth == 0) { - printf("\ndummynet: net.inet.ip.dummynet.red_lookup_depth" - "must be > 0\n"); - fs->fs.flags &= ~DN_IS_RED; - fs->fs.flags &= ~DN_IS_GENTLE_RED; - return (EINVAL); - } - fs->lookup_depth = dn_cfg.red_lookup_depth; - fs->w_q_lookup = (u_int *)malloc(fs->lookup_depth * sizeof(int), - M_DUMMYNET, M_NOWAIT); - if (fs->w_q_lookup == NULL) { - printf("dummynet: sorry, cannot allocate red lookup table\n"); - fs->fs.flags &= ~DN_IS_RED; - fs->fs.flags &= ~DN_IS_GENTLE_RED; - return(ENOSPC); - } - - /* Fill the lookup table with (1 - w_q)^x */ - fs->w_q_lookup[0] = SCALE(1) - fs->w_q; - - for (i = 1; i < fs->lookup_depth; i++) - fs->w_q_lookup[i] = - SCALE_MUL(fs->w_q_lookup[i - 1], fs->lookup_weight); - - if (dn_cfg.red_avg_pkt_size < 1) - dn_cfg.red_avg_pkt_size = 512; - fs->avg_pkt_size = dn_cfg.red_avg_pkt_size; - if (dn_cfg.red_max_pkt_size < 1) - dn_cfg.red_max_pkt_size = 1500; - fs->max_pkt_size = dn_cfg.red_max_pkt_size; - ND("exit"); - return 0; -} - -/* Scan all flowset attached to this scheduler and update red */ -static void -update_red(struct dn_schk *s) -{ - struct dn_fsk *fs; - SLIST_FOREACH(fs, &s->fsk_list, sch_chain) { - if (fs && (fs->fs.flags & DN_IS_RED)) - config_red(fs); - } -} - -/* attach flowset to scheduler s, possibly requeue */ -static void -fsk_attach(struct dn_fsk *fs, struct dn_schk *s) -{ - ND("remove fs %d from fsunlinked, link to sched %d", - fs->fs.fs_nr, s->sch.sched_nr); - SLIST_REMOVE(&dn_cfg.fsu, fs, dn_fsk, sch_chain); - fs->sched = s; - SLIST_INSERT_HEAD(&s->fsk_list, fs, sch_chain); - if (s->fp->new_fsk) - s->fp->new_fsk(fs); - /* XXX compute fsk_mask */ - fs->fsk_mask = fs->fs.flow_mask; - if (fs->sched->sch.flags & DN_HAVE_MASK) - flow_id_or(&fs->sched->sch.sched_mask, &fs->fsk_mask); - if (fs->qht) { - /* - * we must drain qht according to the old - * type, and reinsert according to the new one. - * The requeue is complex -- in general we need to - * reclassify every single packet. - * For the time being, let's hope qht is never set - * when we reach this point. - */ - D("XXX TODO requeue from fs %d to sch %d", - fs->fs.fs_nr, s->sch.sched_nr); - fs->qht = NULL; - } - /* set the new type for qht */ - if (nonzero_mask(&fs->fsk_mask)) - fs->fs.flags |= DN_QHT_HASH; - else - fs->fs.flags &= ~DN_QHT_HASH; - - /* XXX config_red() can fail... */ - if (fs->fs.flags & DN_IS_RED) - config_red(fs); -} - -/* update all flowsets which may refer to this scheduler */ -static void -update_fs(struct dn_schk *s) -{ - struct dn_fsk *fs, *tmp; - - SLIST_FOREACH_SAFE(fs, &dn_cfg.fsu, sch_chain, tmp) { - if (s->sch.sched_nr != fs->fs.sched_nr) { - D("fs %d for sch %d not %d still unlinked", - fs->fs.fs_nr, fs->fs.sched_nr, - s->sch.sched_nr); - continue; - } - fsk_attach(fs, s); - } -} - -/* - * Configuration -- to preserve backward compatibility we use - * the following scheme (N is 65536) - * NUMBER SCHED LINK FLOWSET - * 1 .. N-1 (1)WFQ (2)WFQ (3)queue - * N+1 .. 2N-1 (4)FIFO (5)FIFO (6)FIFO for sched 1..N-1 - * 2N+1 .. 3N-1 -- -- (7)FIFO for sched N+1..2N-1 - * - * "pipe i config" configures #1, #2 and #3 - * "sched i config" configures #1 and possibly #6 - * "queue i config" configures #3 - * #1 is configured with 'pipe i config' or 'sched i config' - * #2 is configured with 'pipe i config', and created if not - * existing with 'sched i config' - * #3 is configured with 'queue i config' - * #4 is automatically configured after #1, can only be FIFO - * #5 is automatically configured after #2 - * #6 is automatically created when #1 is !MULTIQUEUE, - * and can be updated. - * #7 is automatically configured after #2 - */ - -/* - * configure a link (and its FIFO instance) - */ -static int -config_link(struct dn_link *p, struct dn_id *arg) -{ - int i; - - if (p->oid.len != sizeof(*p)) { - D("invalid pipe len %d", p->oid.len); - return EINVAL; - } - i = p->link_nr; - if (i <= 0 || i >= DN_MAX_ID) - return EINVAL; - /* - * The config program passes parameters as follows: - * bw = bits/second (0 means no limits), - * delay = ms, must be translated into ticks. - * qsize = slots/bytes - * burst ??? - */ - p->delay = (p->delay * hz) / 1000; - /* Scale burst size: bytes -> bits * hz */ - p->burst *= 8 * hz; - - DN_BH_WLOCK(); - /* do it twice, base link and FIFO link */ - for (; i < 2*DN_MAX_ID; i += DN_MAX_ID) { - struct dn_schk *s = locate_scheduler(i); - if (s == NULL) { - DN_BH_WUNLOCK(); - D("sched %d not found", i); - return EINVAL; - } - /* remove profile if exists */ - if (s->profile) { - free(s->profile, M_DUMMYNET); - s->profile = NULL; - } - /* copy all parameters */ - s->link.oid = p->oid; - s->link.link_nr = i; - s->link.delay = p->delay; - if (s->link.bandwidth != p->bandwidth) { - /* XXX bandwidth changes, need to update red params */ - s->link.bandwidth = p->bandwidth; - update_red(s); - } - s->link.burst = p->burst; - schk_reset_credit(s); - } - dn_cfg.id++; - DN_BH_WUNLOCK(); - return 0; -} - -/* - * configure a flowset. Can be called from inside with locked=1, - */ -static struct dn_fsk * -config_fs(struct dn_fs *nfs, struct dn_id *arg, int locked) -{ - int i; - struct dn_fsk *fs; - - if (nfs->oid.len != sizeof(*nfs)) { - D("invalid flowset len %d", nfs->oid.len); - return NULL; - } - i = nfs->fs_nr; - if (i <= 0 || i >= 3*DN_MAX_ID) - return NULL; - ND("flowset %d", i); - /* XXX other sanity checks */ - if (nfs->flags & DN_QSIZE_BYTES) { - ipdn_bound_var(&nfs->qsize, 16384, - 1500, dn_cfg.byte_limit, NULL); // "queue byte size"); - } else { - ipdn_bound_var(&nfs->qsize, 50, - 1, dn_cfg.slot_limit, NULL); // "queue slot size"); - } - if (nfs->flags & DN_HAVE_MASK) { - /* make sure we have some buckets */ - ipdn_bound_var(&nfs->buckets, dn_cfg.hash_size, - 1, dn_cfg.max_hash_size, "flowset buckets"); - } else { - nfs->buckets = 1; /* we only need 1 */ - } - if (!locked) - DN_BH_WLOCK(); - do { /* exit with break when done */ - struct dn_schk *s; - int flags = nfs->sched_nr ? DNHT_INSERT : 0; - int j; - int oldc = dn_cfg.fsk_count; - fs = dn_ht_find(dn_cfg.fshash, i, flags, NULL); - if (fs == NULL) { - D("missing sched for flowset %d", i); - break; - } - /* grab some defaults from the existing one */ - if (nfs->sched_nr == 0) /* reuse */ - nfs->sched_nr = fs->fs.sched_nr; - for (j = 0; j < sizeof(nfs->par)/sizeof(nfs->par[0]); j++) { - if (nfs->par[j] == -1) /* reuse */ - nfs->par[j] = fs->fs.par[j]; - } - if (bcmp(&fs->fs, nfs, sizeof(*nfs)) == 0) { - ND("flowset %d unchanged", i); - break; /* no change, nothing to do */ - } - if (oldc != dn_cfg.fsk_count) /* new item */ - dn_cfg.id++; - s = locate_scheduler(nfs->sched_nr); - /* detach from old scheduler if needed, preserving - * queues if we need to reattach. Then update the - * configuration, and possibly attach to the new sched. - */ - DX(2, "fs %d changed sched %d@%p to %d@%p", - fs->fs.fs_nr, - fs->fs.sched_nr, fs->sched, nfs->sched_nr, s); - if (fs->sched) { - int flags = s ? DN_DETACH : (DN_DETACH | DN_DESTROY); - flags |= DN_DESTROY; /* XXX temporary */ - fsk_detach(fs, flags); - } - fs->fs = *nfs; /* copy configuration */ - if (s != NULL) - fsk_attach(fs, s); - } while (0); - if (!locked) - DN_BH_WUNLOCK(); - return fs; -} - -/* - * config/reconfig a scheduler and its FIFO variant. - * For !MULTIQUEUE schedulers, also set up the flowset. - * - * On reconfigurations (detected because s->fp is set), - * detach existing flowsets preserving traffic, preserve link, - * and delete the old scheduler creating a new one. - */ -static int -config_sched(struct dn_sch *_nsch, struct dn_id *arg) -{ - struct dn_schk *s; - struct schk_new_arg a; /* argument for schk_new */ - int i; - struct dn_link p; /* copy of oldlink */ - struct dn_profile *pf = NULL; /* copy of old link profile */ - /* Used to preserv mask parameter */ - struct ipfw_flow_id new_mask; - int new_buckets = 0; - int new_flags = 0; - int pipe_cmd; - int err = ENOMEM; - - a.sch = _nsch; - if (a.sch->oid.len != sizeof(*a.sch)) { - D("bad sched len %d", a.sch->oid.len); - return EINVAL; - } - i = a.sch->sched_nr; - if (i <= 0 || i >= DN_MAX_ID) - return EINVAL; - /* make sure we have some buckets */ - if (a.sch->flags & DN_HAVE_MASK) - ipdn_bound_var(&a.sch->buckets, dn_cfg.hash_size, - 1, dn_cfg.max_hash_size, "sched buckets"); - /* XXX other sanity checks */ - bzero(&p, sizeof(p)); - - pipe_cmd = a.sch->flags & DN_PIPE_CMD; - a.sch->flags &= ~DN_PIPE_CMD; //XXX do it even if is not set? - if (pipe_cmd) { - /* Copy mask parameter */ - new_mask = a.sch->sched_mask; - new_buckets = a.sch->buckets; - new_flags = a.sch->flags; - } - DN_BH_WLOCK(); -again: /* run twice, for wfq and fifo */ - /* - * lookup the type. If not supplied, use the previous one - * or default to WF2Q+. Otherwise, return an error. - */ - dn_cfg.id++; - a.fp = find_sched_type(a.sch->oid.subtype, a.sch->name); - if (a.fp != NULL) { - /* found. Lookup or create entry */ - s = dn_ht_find(dn_cfg.schedhash, i, DNHT_INSERT, &a); - } else if (a.sch->oid.subtype == 0 && !a.sch->name[0]) { - /* No type. search existing s* or retry with WF2Q+ */ - s = dn_ht_find(dn_cfg.schedhash, i, 0, &a); - if (s != NULL) { - a.fp = s->fp; - /* Scheduler exists, skip to FIFO scheduler - * if command was pipe config... - */ - if (pipe_cmd) - goto next; - } else { - /* New scheduler, create a wf2q+ with no mask - * if command was pipe config... - */ - if (pipe_cmd) { - /* clear mask parameter */ - bzero(&a.sch->sched_mask, sizeof(new_mask)); - a.sch->buckets = 0; - a.sch->flags &= ~DN_HAVE_MASK; - } - a.sch->oid.subtype = DN_SCHED_WF2QP; - goto again; - } - } else { - D("invalid scheduler type %d %s", - a.sch->oid.subtype, a.sch->name); - err = EINVAL; - goto error; - } - /* normalize name and subtype */ - a.sch->oid.subtype = a.fp->type; - bzero(a.sch->name, sizeof(a.sch->name)); - strlcpy(a.sch->name, a.fp->name, sizeof(a.sch->name)); - if (s == NULL) { - D("cannot allocate scheduler %d", i); - goto error; - } - /* restore existing link if any */ - if (p.link_nr) { - s->link = p; - if (!pf || pf->link_nr != p.link_nr) { /* no saved value */ - s->profile = NULL; /* XXX maybe not needed */ - } else { - s->profile = malloc(sizeof(struct dn_profile), - M_DUMMYNET, M_NOWAIT | M_ZERO); - if (s->profile == NULL) { - D("cannot allocate profile"); - goto error; //XXX - } - bcopy(pf, s->profile, sizeof(*pf)); - } - } - p.link_nr = 0; - if (s->fp == NULL) { - DX(2, "sched %d new type %s", i, a.fp->name); - } else if (s->fp != a.fp || - bcmp(a.sch, &s->sch, sizeof(*a.sch)) ) { - /* already existing. */ - DX(2, "sched %d type changed from %s to %s", - i, s->fp->name, a.fp->name); - DX(4, " type/sub %d/%d -> %d/%d", - s->sch.oid.type, s->sch.oid.subtype, - a.sch->oid.type, a.sch->oid.subtype); - if (s->link.link_nr == 0) - D("XXX WARNING link 0 for sched %d", i); - p = s->link; /* preserve link */ - if (s->profile) {/* preserve profile */ - if (!pf) - pf = malloc(sizeof(*pf), - M_DUMMYNET, M_NOWAIT | M_ZERO); - if (pf) /* XXX should issue a warning otherwise */ - bcopy(s->profile, pf, sizeof(*pf)); - } - /* remove from the hash */ - dn_ht_find(dn_cfg.schedhash, i, DNHT_REMOVE, NULL); - /* Detach flowsets, preserve queues. */ - // schk_delete_cb(s, NULL); - // XXX temporarily, kill queues - schk_delete_cb(s, (void *)DN_DESTROY); - goto again; - } else { - DX(4, "sched %d unchanged type %s", i, a.fp->name); - } - /* complete initialization */ - s->sch = *a.sch; - s->fp = a.fp; - s->cfg = arg; - // XXX schk_reset_credit(s); - /* create the internal flowset if needed, - * trying to reuse existing ones if available - */ - if (!(s->fp->flags & DN_MULTIQUEUE) && !s->fs) { - s->fs = dn_ht_find(dn_cfg.fshash, i, 0, NULL); - if (!s->fs) { - struct dn_fs fs; - bzero(&fs, sizeof(fs)); - set_oid(&fs.oid, DN_FS, sizeof(fs)); - fs.fs_nr = i + DN_MAX_ID; - fs.sched_nr = i; - s->fs = config_fs(&fs, NULL, 1 /* locked */); - } - if (!s->fs) { - schk_delete_cb(s, (void *)DN_DESTROY); - D("error creating internal fs for %d", i); - goto error; - } - } - /* call init function after the flowset is created */ - if (s->fp->config) - s->fp->config(s); - update_fs(s); -next: - if (i < DN_MAX_ID) { /* now configure the FIFO instance */ - i += DN_MAX_ID; - if (pipe_cmd) { - /* Restore mask parameter for FIFO */ - a.sch->sched_mask = new_mask; - a.sch->buckets = new_buckets; - a.sch->flags = new_flags; - } else { - /* sched config shouldn't modify the FIFO scheduler */ - if (dn_ht_find(dn_cfg.schedhash, i, 0, &a) != NULL) { - /* FIFO already exist, don't touch it */ - err = 0; /* and this is not an error */ - goto error; - } - } - a.sch->sched_nr = i; - a.sch->oid.subtype = DN_SCHED_FIFO; - bzero(a.sch->name, sizeof(a.sch->name)); - goto again; - } - err = 0; -error: - DN_BH_WUNLOCK(); - if (pf) - free(pf, M_DUMMYNET); - return err; -} - -/* - * attach a profile to a link - */ -static int -config_profile(struct dn_profile *pf, struct dn_id *arg) -{ - struct dn_schk *s; - int i, olen, err = 0; - - if (pf->oid.len < sizeof(*pf)) { - D("short profile len %d", pf->oid.len); - return EINVAL; - } - i = pf->link_nr; - if (i <= 0 || i >= DN_MAX_ID) - return EINVAL; - /* XXX other sanity checks */ - DN_BH_WLOCK(); - for (; i < 2*DN_MAX_ID; i += DN_MAX_ID) { - s = locate_scheduler(i); - - if (s == NULL) { - err = EINVAL; - break; - } - dn_cfg.id++; - /* - * If we had a profile and the new one does not fit, - * or it is deleted, then we need to free memory. - */ - if (s->profile && (pf->samples_no == 0 || - s->profile->oid.len < pf->oid.len)) { - free(s->profile, M_DUMMYNET); - s->profile = NULL; - } - if (pf->samples_no == 0) - continue; - /* - * new profile, possibly allocate memory - * and copy data. - */ - if (s->profile == NULL) - s->profile = malloc(pf->oid.len, - M_DUMMYNET, M_NOWAIT | M_ZERO); - if (s->profile == NULL) { - D("no memory for profile %d", i); - err = ENOMEM; - break; - } - /* preserve larger length XXX double check */ - olen = s->profile->oid.len; - if (olen < pf->oid.len) - olen = pf->oid.len; - bcopy(pf, s->profile, pf->oid.len); - s->profile->oid.len = olen; - } - DN_BH_WUNLOCK(); - return err; -} - -/* - * Delete all objects: - */ -static void -dummynet_flush(void) -{ - - /* delete all schedulers and related links/queues/flowsets */ - dn_ht_scan(dn_cfg.schedhash, schk_delete_cb, - (void *)(uintptr_t)DN_DELETE_FS); - /* delete all remaining (unlinked) flowsets */ - DX(4, "still %d unlinked fs", dn_cfg.fsk_count); - dn_ht_free(dn_cfg.fshash, DNHT_REMOVE); - fsk_detach_list(&dn_cfg.fsu, DN_DELETE_FS); - /* Reinitialize system heap... */ - heap_init(&dn_cfg.evheap, 16, offsetof(struct dn_id, id)); -} - -/* - * Main handler for configuration. We are guaranteed to be called - * with an oid which is at least a dn_id. - * - the first object is the command (config, delete, flush, ...) - * - config_link must be issued after the corresponding config_sched - * - parameters (DN_TXT) for an object must preceed the object - * processed on a config_sched. - */ -int -do_config(void *p, int l) -{ - struct dn_id *next, *o; - int err = 0, err2 = 0; - struct dn_id *arg = NULL; - uintptr_t *a; - - o = p; - if (o->id != DN_API_VERSION) { - D("invalid api version got %d need %d", - o->id, DN_API_VERSION); - return EINVAL; - } - for (; l >= sizeof(*o); o = next) { - struct dn_id *prev = arg; - if (o->len < sizeof(*o) || l < o->len) { - D("bad len o->len %d len %d", o->len, l); - err = EINVAL; - break; - } - l -= o->len; - next = (struct dn_id *)((char *)o + o->len); - err = 0; - switch (o->type) { - default: - D("cmd %d not implemented", o->type); - break; - -#ifdef EMULATE_SYSCTL - /* sysctl emulation. - * if we recognize the command, jump to the correct - * handler and return - */ - case DN_SYSCTL_SET: - err = kesysctl_emu_set(p, l); - return err; -#endif - - case DN_CMD_CONFIG: /* simply a header */ - break; - - case DN_CMD_DELETE: - /* the argument is in the first uintptr_t after o */ - a = (uintptr_t *)(o+1); - if (o->len < sizeof(*o) + sizeof(*a)) { - err = EINVAL; - break; - } - switch (o->subtype) { - case DN_LINK: - /* delete base and derived schedulers */ - DN_BH_WLOCK(); - err = delete_schk(*a); - err2 = delete_schk(*a + DN_MAX_ID); - DN_BH_WUNLOCK(); - if (!err) - err = err2; - break; - - default: - D("invalid delete type %d", - o->subtype); - err = EINVAL; - break; - - case DN_FS: - err = (*a <1 || *a >= DN_MAX_ID) ? - EINVAL : delete_fs(*a, 0) ; - break; - } - break; - - case DN_CMD_FLUSH: - DN_BH_WLOCK(); - dummynet_flush(); - DN_BH_WUNLOCK(); - break; - case DN_TEXT: /* store argument the next block */ - prev = NULL; - arg = o; - break; - case DN_LINK: - err = config_link((struct dn_link *)o, arg); - break; - case DN_PROFILE: - err = config_profile((struct dn_profile *)o, arg); - break; - case DN_SCH: - err = config_sched((struct dn_sch *)o, arg); - break; - case DN_FS: - err = (NULL==config_fs((struct dn_fs *)o, arg, 0)); - break; - } - if (prev) - arg = NULL; - if (err != 0) - break; - } - return err; -} - -static int -compute_space(struct dn_id *cmd, struct copy_args *a) -{ - int x = 0, need = 0; - int profile_size = sizeof(struct dn_profile) - - ED_MAX_SAMPLES_NO*sizeof(int); - - /* NOTE about compute space: - * NP = dn_cfg.schk_count - * NSI = dn_cfg.si_count - * NF = dn_cfg.fsk_count - * NQ = dn_cfg.queue_count - * - ipfw pipe show - * (NP/2)*(dn_link + dn_sch + dn_id + dn_fs) only half scheduler - * link, scheduler template, flowset - * integrated in scheduler and header - * for flowset list - * (NSI)*(dn_flow) all scheduler instance (includes - * the queue instance) - * - ipfw sched show - * (NP/2)*(dn_link + dn_sch + dn_id + dn_fs) only half scheduler - * link, scheduler template, flowset - * integrated in scheduler and header - * for flowset list - * (NSI * dn_flow) all scheduler instances - * (NF * sizeof(uint_32)) space for flowset list linked to scheduler - * (NQ * dn_queue) all queue [XXXfor now not listed] - * - ipfw queue show - * (NF * dn_fs) all flowset - * (NQ * dn_queue) all queues - */ - switch (cmd->subtype) { - default: - return -1; - /* XXX where do LINK and SCH differ ? */ - /* 'ipfw sched show' could list all queues associated to - * a scheduler. This feature for now is disabled - */ - case DN_LINK: /* pipe show */ - x = DN_C_LINK | DN_C_SCH | DN_C_FLOW; - need += dn_cfg.schk_count * - (sizeof(struct dn_fs) + profile_size) / 2; - need += dn_cfg.fsk_count * sizeof(uint32_t); - break; - case DN_SCH: /* sched show */ - need += dn_cfg.schk_count * - (sizeof(struct dn_fs) + profile_size) / 2; - need += dn_cfg.fsk_count * sizeof(uint32_t); - x = DN_C_SCH | DN_C_LINK | DN_C_FLOW; - break; - case DN_FS: /* queue show */ - x = DN_C_FS | DN_C_QUEUE; - break; - case DN_GET_COMPAT: /* compatibility mode */ - need = dn_compat_calc_size(); - break; - } - a->flags = x; - if (x & DN_C_SCH) { - need += dn_cfg.schk_count * sizeof(struct dn_sch) / 2; - /* NOT also, each fs might be attached to a sched */ - need += dn_cfg.schk_count * sizeof(struct dn_id) / 2; - } - if (x & DN_C_FS) - need += dn_cfg.fsk_count * sizeof(struct dn_fs); - if (x & DN_C_LINK) { - need += dn_cfg.schk_count * sizeof(struct dn_link) / 2; - } - /* - * When exporting a queue to userland, only pass up the - * struct dn_flow, which is the only visible part. - */ - - if (x & DN_C_QUEUE) - need += dn_cfg.queue_count * sizeof(struct dn_flow); - if (x & DN_C_FLOW) - need += dn_cfg.si_count * (sizeof(struct dn_flow)); - return need; -} - -/* - * If compat != NULL dummynet_get is called in compatibility mode. - * *compat will be the pointer to the buffer to pass to ipfw - */ -int -dummynet_get(struct sockopt *sopt, void **compat) -{ - int have, i, need, error; - char *start = NULL, *buf; - size_t sopt_valsize; - struct dn_id *cmd; - struct copy_args a; - struct copy_range r; - int l = sizeof(struct dn_id); - - bzero(&a, sizeof(a)); - bzero(&r, sizeof(r)); - - /* save and restore original sopt_valsize around copyin */ - sopt_valsize = sopt->sopt_valsize; - - cmd = &r.o; - - if (!compat) { - /* copy at least an oid, and possibly a full object */ - error = sooptcopyin(sopt, cmd, sizeof(r), sizeof(*cmd)); - sopt->sopt_valsize = sopt_valsize; - if (error) - goto done; - l = cmd->len; -#ifdef EMULATE_SYSCTL - /* sysctl emulation. */ - if (cmd->type == DN_SYSCTL_GET) - return kesysctl_emu_get(sopt); -#endif - if (l > sizeof(r)) { - /* request larger than default, allocate buffer */ - cmd = malloc(l, M_DUMMYNET, M_WAITOK); - error = sooptcopyin(sopt, cmd, l, l); - sopt->sopt_valsize = sopt_valsize; - if (error) - goto done; - } - } else { /* compatibility */ - error = 0; - cmd->type = DN_CMD_GET; - cmd->len = sizeof(struct dn_id); - cmd->subtype = DN_GET_COMPAT; - // cmd->id = sopt_valsize; - D("compatibility mode"); - } - a.extra = (struct copy_range *)cmd; - if (cmd->len == sizeof(*cmd)) { /* no range, create a default */ - uint32_t *rp = (uint32_t *)(cmd + 1); - cmd->len += 2* sizeof(uint32_t); - rp[0] = 1; - rp[1] = DN_MAX_ID - 1; - if (cmd->subtype == DN_LINK) { - rp[0] += DN_MAX_ID; - rp[1] += DN_MAX_ID; - } - } - /* Count space (under lock) and allocate (outside lock). - * Exit with lock held if we manage to get enough buffer. - * Try a few times then give up. - */ - for (have = 0, i = 0; i < 10; i++) { - DN_BH_WLOCK(); - need = compute_space(cmd, &a); - - /* if there is a range, ignore value from compute_space() */ - if (l > sizeof(*cmd)) - need = sopt_valsize - sizeof(*cmd); - - if (need < 0) { - DN_BH_WUNLOCK(); - error = EINVAL; - goto done; - } - need += sizeof(*cmd); - cmd->id = need; - if (have >= need) - break; - - DN_BH_WUNLOCK(); - if (start) - free(start, M_DUMMYNET); - start = NULL; - if (need > sopt_valsize) - break; - - have = need; - start = malloc(have, M_DUMMYNET, M_WAITOK | M_ZERO); - } - - if (start == NULL) { - if (compat) { - *compat = NULL; - error = 1; // XXX - } else { - error = sooptcopyout(sopt, cmd, sizeof(*cmd)); - } - goto done; - } - ND("have %d:%d sched %d, %d:%d links %d, %d:%d flowsets %d, " - "%d:%d si %d, %d:%d queues %d", - dn_cfg.schk_count, sizeof(struct dn_sch), DN_SCH, - dn_cfg.schk_count, sizeof(struct dn_link), DN_LINK, - dn_cfg.fsk_count, sizeof(struct dn_fs), DN_FS, - dn_cfg.si_count, sizeof(struct dn_flow), DN_SCH_I, - dn_cfg.queue_count, sizeof(struct dn_queue), DN_QUEUE); - sopt->sopt_valsize = sopt_valsize; - a.type = cmd->subtype; - - if (compat == NULL) { - bcopy(cmd, start, sizeof(*cmd)); - ((struct dn_id*)(start))->len = sizeof(struct dn_id); - buf = start + sizeof(*cmd); - } else - buf = start; - a.start = &buf; - a.end = start + have; - /* start copying other objects */ - if (compat) { - a.type = DN_COMPAT_PIPE; - dn_ht_scan(dn_cfg.schedhash, copy_data_helper_compat, &a); - a.type = DN_COMPAT_QUEUE; - dn_ht_scan(dn_cfg.fshash, copy_data_helper_compat, &a); - } else if (a.type == DN_FS) { - dn_ht_scan(dn_cfg.fshash, copy_data_helper, &a); - } else { - dn_ht_scan(dn_cfg.schedhash, copy_data_helper, &a); - } - DN_BH_WUNLOCK(); - - if (compat) { - *compat = start; - sopt->sopt_valsize = buf - start; - /* free() is done by ip_dummynet_compat() */ - start = NULL; //XXX hack - } else { - error = sooptcopyout(sopt, start, buf - start); - } -done: - if (cmd && cmd != &r.o) - free(cmd, M_DUMMYNET); - if (start) - free(start, M_DUMMYNET); - return error; -} - -/* Callback called on scheduler instance to delete it if idle */ -static int -drain_scheduler_cb(void *_si, void *arg) -{ - struct dn_sch_inst *si = _si; - - if ((si->kflags & DN_ACTIVE) || si->dline.mq.head != NULL) - return 0; - - if (si->sched->fp->flags & DN_MULTIQUEUE) { - if (si->q_count == 0) - return si_destroy(si, NULL); - else - return 0; - } else { /* !DN_MULTIQUEUE */ - if ((si+1)->ni.length == 0) - return si_destroy(si, NULL); - else - return 0; - } - return 0; /* unreachable */ -} - -/* Callback called on scheduler to check if it has instances */ -static int -drain_scheduler_sch_cb(void *_s, void *arg) -{ - struct dn_schk *s = _s; - - if (s->sch.flags & DN_HAVE_MASK) { - dn_ht_scan_bucket(s->siht, &s->drain_bucket, - drain_scheduler_cb, NULL); - s->drain_bucket++; - } else { - if (s->siht) { - if (drain_scheduler_cb(s->siht, NULL) == DNHT_SCAN_DEL) - s->siht = NULL; - } - } - return 0; -} - -/* Called every tick, try to delete a 'bucket' of scheduler */ -void -dn_drain_scheduler(void) -{ - dn_ht_scan_bucket(dn_cfg.schedhash, &dn_cfg.drain_sch, - drain_scheduler_sch_cb, NULL); - dn_cfg.drain_sch++; -} - -/* Callback called on queue to delete if it is idle */ -static int -drain_queue_cb(void *_q, void *arg) -{ - struct dn_queue *q = _q; - - if (q->ni.length == 0) { - dn_delete_queue(q, DN_DESTROY); - return DNHT_SCAN_DEL; /* queue is deleted */ - } - - return 0; /* queue isn't deleted */ -} - -/* Callback called on flowset used to check if it has queues */ -static int -drain_queue_fs_cb(void *_fs, void *arg) -{ - struct dn_fsk *fs = _fs; - - if (fs->fs.flags & DN_QHT_HASH) { - /* Flowset has a hash table for queues */ - dn_ht_scan_bucket(fs->qht, &fs->drain_bucket, - drain_queue_cb, NULL); - fs->drain_bucket++; - } else { - /* No hash table for this flowset, null the pointer - * if the queue is deleted - */ - if (fs->qht) { - if (drain_queue_cb(fs->qht, NULL) == DNHT_SCAN_DEL) - fs->qht = NULL; - } - } - return 0; -} - -/* Called every tick, try to delete a 'bucket' of queue */ -void -dn_drain_queue(void) -{ - /* scan a bucket of flowset */ - dn_ht_scan_bucket(dn_cfg.fshash, &dn_cfg.drain_fs, - drain_queue_fs_cb, NULL); - dn_cfg.drain_fs++; -} - -/* - * Handler for the various dummynet socket options - */ -static int -ip_dn_ctl(struct sockopt *sopt) -{ - void *p = NULL; - int error, l; - - error = priv_check(sopt->sopt_td, PRIV_NETINET_DUMMYNET); - if (error) - return (error); - - /* Disallow sets in really-really secure mode. */ - if (sopt->sopt_dir == SOPT_SET) { - error = securelevel_ge(sopt->sopt_td->td_ucred, 3); - if (error) - return (error); - } - - switch (sopt->sopt_name) { - default : - D("dummynet: unknown option %d", sopt->sopt_name); - error = EINVAL; - break; - - case IP_DUMMYNET_FLUSH: - case IP_DUMMYNET_CONFIGURE: - case IP_DUMMYNET_DEL: /* remove a pipe or queue */ - case IP_DUMMYNET_GET: - D("dummynet: compat option %d", sopt->sopt_name); - error = ip_dummynet_compat(sopt); - break; - - case IP_DUMMYNET3 : - if (sopt->sopt_dir == SOPT_GET) { - error = dummynet_get(sopt, NULL); - break; - } - l = sopt->sopt_valsize; - if (l < sizeof(struct dn_id) || l > 12000) { - D("argument len %d invalid", l); - break; - } - p = malloc(l, M_TEMP, M_WAITOK); // XXX can it fail ? - error = sooptcopyin(sopt, p, l, l); - if (error) - break ; - error = do_config(p, l); - break; - } - - if (p != NULL) - free(p, M_TEMP); - - return error ; -} - - -static void -ip_dn_init(void) -{ - if (dn_cfg.init_done) - return; - printf("DUMMYNET %p with IPv6 initialized (100409)\n", curvnet); - dn_cfg.init_done = 1; - /* Set defaults here. MSVC does not accept initializers, - * and this is also useful for vimages - */ - /* queue limits */ - dn_cfg.slot_limit = 100; /* Foot shooting limit for queues. */ - dn_cfg.byte_limit = 1024 * 1024; - dn_cfg.expire = 1; - - /* RED parameters */ - dn_cfg.red_lookup_depth = 256; /* default lookup table depth */ - dn_cfg.red_avg_pkt_size = 512; /* default medium packet size */ - dn_cfg.red_max_pkt_size = 1500; /* default max packet size */ - - /* hash tables */ - dn_cfg.max_hash_size = 65536; /* max in the hash tables */ - dn_cfg.hash_size = 64; /* default hash size */ - - /* create hash tables for schedulers and flowsets. - * In both we search by key and by pointer. - */ - dn_cfg.schedhash = dn_ht_init(NULL, dn_cfg.hash_size, - offsetof(struct dn_schk, schk_next), - schk_hash, schk_match, schk_new); - dn_cfg.fshash = dn_ht_init(NULL, dn_cfg.hash_size, - offsetof(struct dn_fsk, fsk_next), - fsk_hash, fsk_match, fsk_new); - - /* bucket index to drain object */ - dn_cfg.drain_fs = 0; - dn_cfg.drain_sch = 0; - - heap_init(&dn_cfg.evheap, 16, offsetof(struct dn_id, id)); - SLIST_INIT(&dn_cfg.fsu); - SLIST_INIT(&dn_cfg.schedlist); - - DN_LOCK_INIT(); - - TASK_INIT(&dn_task, 0, dummynet_task, curvnet); - dn_tq = taskqueue_create("dummynet", M_WAITOK, - taskqueue_thread_enqueue, &dn_tq); - taskqueue_start_threads(&dn_tq, 1, PI_NET, "dummynet"); - - callout_init(&dn_timeout, CALLOUT_MPSAFE); - callout_reset(&dn_timeout, 1, dummynet, NULL); - - /* Initialize curr_time adjustment mechanics. */ - getmicrouptime(&dn_cfg.prev_t); -} - -#ifdef KLD_MODULE -static void -ip_dn_destroy(int last) -{ - callout_drain(&dn_timeout); - - DN_BH_WLOCK(); - if (last) { - ND("removing last instance\n"); - ip_dn_ctl_ptr = NULL; - ip_dn_io_ptr = NULL; - } - - dummynet_flush(); - DN_BH_WUNLOCK(); - taskqueue_drain(dn_tq, &dn_task); - taskqueue_free(dn_tq); - - dn_ht_free(dn_cfg.schedhash, 0); - dn_ht_free(dn_cfg.fshash, 0); - heap_free(&dn_cfg.evheap); - - DN_LOCK_DESTROY(); -} -#endif /* KLD_MODULE */ - -static int -dummynet_modevent(module_t mod, int type, void *data) -{ - - if (type == MOD_LOAD) { - if (ip_dn_io_ptr) { - printf("DUMMYNET already loaded\n"); - return EEXIST ; - } - ip_dn_init(); - ip_dn_ctl_ptr = ip_dn_ctl; - ip_dn_io_ptr = dummynet_io; - return 0; - } else if (type == MOD_UNLOAD) { -#if !defined(KLD_MODULE) - printf("dummynet statically compiled, cannot unload\n"); - return EINVAL ; -#else - ip_dn_destroy(1 /* last */); - return 0; -#endif - } else - return EOPNOTSUPP; -} - -/* modevent helpers for the modules */ -static int -load_dn_sched(struct dn_alg *d) -{ - struct dn_alg *s; - - if (d == NULL) - return 1; /* error */ - ip_dn_init(); /* just in case, we need the lock */ - - /* Check that mandatory funcs exists */ - if (d->enqueue == NULL || d->dequeue == NULL) { - D("missing enqueue or dequeue for %s", d->name); - return 1; - } - - /* Search if scheduler already exists */ - DN_BH_WLOCK(); - SLIST_FOREACH(s, &dn_cfg.schedlist, next) { - if (strcmp(s->name, d->name) == 0) { - D("%s already loaded", d->name); - break; /* scheduler already exists */ - } - } - if (s == NULL) - SLIST_INSERT_HEAD(&dn_cfg.schedlist, d, next); - DN_BH_WUNLOCK(); - D("dn_sched %s %sloaded", d->name, s ? "not ":""); - return s ? 1 : 0; -} - -static int -unload_dn_sched(struct dn_alg *s) -{ - struct dn_alg *tmp, *r; - int err = EINVAL; - - ND("called for %s", s->name); - - DN_BH_WLOCK(); - SLIST_FOREACH_SAFE(r, &dn_cfg.schedlist, next, tmp) { - if (strcmp(s->name, r->name) != 0) - continue; - ND("ref_count = %d", r->ref_count); - err = (r->ref_count != 0) ? EBUSY : 0; - if (err == 0) - SLIST_REMOVE(&dn_cfg.schedlist, r, dn_alg, next); - break; - } - DN_BH_WUNLOCK(); - D("dn_sched %s %sunloaded", s->name, err ? "not ":""); - return err; -} - -int -dn_sched_modevent(module_t mod, int cmd, void *arg) -{ - struct dn_alg *sch = arg; - - if (cmd == MOD_LOAD) - return load_dn_sched(sch); - else if (cmd == MOD_UNLOAD) - return unload_dn_sched(sch); - else - return EINVAL; -} - -static moduledata_t dummynet_mod = { - "dummynet", dummynet_modevent, NULL -}; - -#define DN_SI_SUB SI_SUB_PROTO_IFATTACHDOMAIN -#define DN_MODEV_ORD (SI_ORDER_ANY - 128) /* after ipfw */ -DECLARE_MODULE(dummynet, dummynet_mod, DN_SI_SUB, DN_MODEV_ORD); -MODULE_DEPEND(dummynet, ipfw, 2, 2, 2); -MODULE_VERSION(dummynet, 3); - -/* - * Starting up. Done in order after dummynet_modevent() has been called. - * VNET_SYSINIT is also called for each existing vnet and each new vnet. - */ -//VNET_SYSINIT(vnet_dn_init, DN_SI_SUB, DN_MODEV_ORD+2, ip_dn_init, NULL); - -/* - * Shutdown handlers up shop. These are done in REVERSE ORDER, but still - * after dummynet_modevent() has been called. Not called on reboot. - * VNET_SYSUNINIT is also called for each exiting vnet as it exits. - * or when the module is unloaded. - */ -//VNET_SYSUNINIT(vnet_dn_uninit, DN_SI_SUB, DN_MODEV_ORD+2, ip_dn_destroy, NULL); - -/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw2.c b/sys/netinet/ipfw/ip_fw2.c deleted file mode 100644 index 21a00bb..0000000 --- a/sys/netinet/ipfw/ip_fw2.c +++ /dev/null @@ -1,2783 +0,0 @@ -/*- - * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -/* - * The FreeBSD IP packet firewall, main file - */ - -#include "opt_ipfw.h" -#include "opt_ipdivert.h" -#include "opt_inet.h" -#ifndef INET -#error "IPFIREWALL requires INET" -#endif /* INET */ -#include "opt_inet6.h" -#include "opt_ipsec.h" - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/condvar.h> -#include <sys/eventhandler.h> -#include <sys/malloc.h> -#include <sys/mbuf.h> -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/jail.h> -#include <sys/module.h> -#include <sys/priv.h> -#include <sys/proc.h> -#include <sys/rwlock.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/sysctl.h> -#include <sys/syslog.h> -#include <sys/ucred.h> -#include <net/ethernet.h> /* for ETHERTYPE_IP */ -#include <net/if.h> -#include <net/route.h> -#include <net/pf_mtag.h> -#include <net/vnet.h> - -#include <netinet/in.h> -#include <netinet/in_var.h> -#include <netinet/in_pcb.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/ip_icmp.h> -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> -#include <netinet/ip_carp.h> -#include <netinet/pim.h> -#include <netinet/tcp_var.h> -#include <netinet/udp.h> -#include <netinet/udp_var.h> -#include <netinet/sctp.h> - -#include <netinet/ip6.h> -#include <netinet/icmp6.h> -#ifdef INET6 -#include <netinet6/in6_pcb.h> -#include <netinet6/scope6_var.h> -#include <netinet6/ip6_var.h> -#endif - -#include <machine/in_cksum.h> /* XXX for in_cksum */ - -#ifdef MAC -#include <security/mac/mac_framework.h> -#endif - -/* - * static variables followed by global ones. - * All ipfw global variables are here. - */ - -/* ipfw_vnet_ready controls when we are open for business */ -static VNET_DEFINE(int, ipfw_vnet_ready) = 0; -#define V_ipfw_vnet_ready VNET(ipfw_vnet_ready) - -static VNET_DEFINE(int, fw_deny_unknown_exthdrs); -#define V_fw_deny_unknown_exthdrs VNET(fw_deny_unknown_exthdrs) - -static VNET_DEFINE(int, fw_permit_single_frag6) = 1; -#define V_fw_permit_single_frag6 VNET(fw_permit_single_frag6) - -#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT -static int default_to_accept = 1; -#else -static int default_to_accept; -#endif - -VNET_DEFINE(int, autoinc_step); -VNET_DEFINE(int, fw_one_pass) = 1; - -VNET_DEFINE(unsigned int, fw_tables_max); -/* Use 128 tables by default */ -static unsigned int default_fw_tables = IPFW_TABLES_DEFAULT; - -/* - * Each rule belongs to one of 32 different sets (0..31). - * The variable set_disable contains one bit per set. - * If the bit is set, all rules in the corresponding set - * are disabled. Set RESVD_SET(31) is reserved for the default rule - * and rules that are not deleted by the flush command, - * and CANNOT be disabled. - * Rules in set RESVD_SET can only be deleted individually. - */ -VNET_DEFINE(u_int32_t, set_disable); -#define V_set_disable VNET(set_disable) - -VNET_DEFINE(int, fw_verbose); -/* counter for ipfw_log(NULL...) */ -VNET_DEFINE(u_int64_t, norule_counter); -VNET_DEFINE(int, verbose_limit); - -/* layer3_chain contains the list of rules for layer 3 */ -VNET_DEFINE(struct ip_fw_chain, layer3_chain); - -ipfw_nat_t *ipfw_nat_ptr = NULL; -struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); -ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; -ipfw_nat_cfg_t *ipfw_nat_del_ptr; -ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; -ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; - -#ifdef SYSCTL_NODE -uint32_t dummy_def = IPFW_DEFAULT_RULE; -static int sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS); - -SYSBEGIN(f3) - -SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, one_pass, - CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0, - "Only do a single pass through ipfw when using dummynet(4)"); -SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, - CTLFLAG_RW, &VNET_NAME(autoinc_step), 0, - "Rule number auto-increment step"); -SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose, - CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_verbose), 0, - "Log matches to ipfw rules"); -SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, - CTLFLAG_RW, &VNET_NAME(verbose_limit), 0, - "Set upper limit of matches of ipfw rules logged"); -SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, default_rule, CTLFLAG_RD, - &dummy_def, 0, - "The default/max possible rule number."); -SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, tables_max, - CTLTYPE_UINT|CTLFLAG_RW, 0, 0, sysctl_ipfw_table_num, "IU", - "Maximum number of tables"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN, - &default_to_accept, 0, - "Make the default rule accept all packets."); -TUNABLE_INT("net.inet.ip.fw.default_to_accept", &default_to_accept); -TUNABLE_INT("net.inet.ip.fw.tables_max", &default_fw_tables); -SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count, - CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0, - "Number of static rules"); - -#ifdef INET6 -SYSCTL_DECL(_net_inet6_ip6); -SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, - CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_deny_unknown_exthdrs), 0, - "Deny packets with unknown IPv6 Extension Headers"); -SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, permit_single_frag6, - CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_permit_single_frag6), 0, - "Permit single packet IPv6 fragments"); -#endif /* INET6 */ - -SYSEND - -#endif /* SYSCTL_NODE */ - - -/* - * Some macros used in the various matching options. - * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T - * Other macros just cast void * into the appropriate type - */ -#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) -#define TCP(p) ((struct tcphdr *)(p)) -#define SCTP(p) ((struct sctphdr *)(p)) -#define UDP(p) ((struct udphdr *)(p)) -#define ICMP(p) ((struct icmphdr *)(p)) -#define ICMP6(p) ((struct icmp6_hdr *)(p)) - -static __inline int -icmptype_match(struct icmphdr *icmp, ipfw_insn_u32 *cmd) -{ - int type = icmp->icmp_type; - - return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1<<type)) ); -} - -#define TT ( (1 << ICMP_ECHO) | (1 << ICMP_ROUTERSOLICIT) | \ - (1 << ICMP_TSTAMP) | (1 << ICMP_IREQ) | (1 << ICMP_MASKREQ) ) - -static int -is_icmp_query(struct icmphdr *icmp) -{ - int type = icmp->icmp_type; - - return (type <= ICMP_MAXTYPE && (TT & (1<<type)) ); -} -#undef TT - -/* - * The following checks use two arrays of 8 or 16 bits to store the - * bits that we want set or clear, respectively. They are in the - * low and high half of cmd->arg1 or cmd->d[0]. - * - * We scan options and store the bits we find set. We succeed if - * - * (want_set & ~bits) == 0 && (want_clear & ~bits) == want_clear - * - * The code is sometimes optimized not to store additional variables. - */ - -static int -flags_match(ipfw_insn *cmd, u_int8_t bits) -{ - u_char want_clear; - bits = ~bits; - - if ( ((cmd->arg1 & 0xff) & bits) != 0) - return 0; /* some bits we want set were clear */ - want_clear = (cmd->arg1 >> 8) & 0xff; - if ( (want_clear & bits) != want_clear) - return 0; /* some bits we want clear were set */ - return 1; -} - -static int -ipopts_match(struct ip *ip, ipfw_insn *cmd) -{ - int optlen, bits = 0; - u_char *cp = (u_char *)(ip + 1); - int x = (ip->ip_hl << 2) - sizeof (struct ip); - - for (; x > 0; x -= optlen, cp += optlen) { - int opt = cp[IPOPT_OPTVAL]; - - if (opt == IPOPT_EOL) - break; - if (opt == IPOPT_NOP) - optlen = 1; - else { - optlen = cp[IPOPT_OLEN]; - if (optlen <= 0 || optlen > x) - return 0; /* invalid or truncated */ - } - switch (opt) { - - default: - break; - - case IPOPT_LSRR: - bits |= IP_FW_IPOPT_LSRR; - break; - - case IPOPT_SSRR: - bits |= IP_FW_IPOPT_SSRR; - break; - - case IPOPT_RR: - bits |= IP_FW_IPOPT_RR; - break; - - case IPOPT_TS: - bits |= IP_FW_IPOPT_TS; - break; - } - } - return (flags_match(cmd, bits)); -} - -static int -tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd) -{ - int optlen, bits = 0; - u_char *cp = (u_char *)(tcp + 1); - int x = (tcp->th_off << 2) - sizeof(struct tcphdr); - - for (; x > 0; x -= optlen, cp += optlen) { - int opt = cp[0]; - if (opt == TCPOPT_EOL) - break; - if (opt == TCPOPT_NOP) - optlen = 1; - else { - optlen = cp[1]; - if (optlen <= 0) - break; - } - - switch (opt) { - - default: - break; - - case TCPOPT_MAXSEG: - bits |= IP_FW_TCPOPT_MSS; - break; - - case TCPOPT_WINDOW: - bits |= IP_FW_TCPOPT_WINDOW; - break; - - case TCPOPT_SACK_PERMITTED: - case TCPOPT_SACK: - bits |= IP_FW_TCPOPT_SACK; - break; - - case TCPOPT_TIMESTAMP: - bits |= IP_FW_TCPOPT_TS; - break; - - } - } - return (flags_match(cmd, bits)); -} - -static int -iface_match(struct ifnet *ifp, ipfw_insn_if *cmd, struct ip_fw_chain *chain, uint32_t *tablearg) -{ - if (ifp == NULL) /* no iface with this packet, match fails */ - return 0; - /* Check by name or by IP address */ - if (cmd->name[0] != '\0') { /* match by name */ - if (cmd->name[0] == '\1') /* use tablearg to match */ - return ipfw_lookup_table_extended(chain, cmd->p.glob, - ifp->if_xname, tablearg, IPFW_TABLE_INTERFACE); - /* Check name */ - if (cmd->p.glob) { - if (fnmatch(cmd->name, ifp->if_xname, 0) == 0) - return(1); - } else { - if (strncmp(ifp->if_xname, cmd->name, IFNAMSIZ) == 0) - return(1); - } - } else { -#ifdef __FreeBSD__ /* and OSX too ? */ - struct ifaddr *ia; - - if_addr_rlock(ifp); - TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { - if (ia->ifa_addr->sa_family != AF_INET) - continue; - if (cmd->p.ip.s_addr == ((struct sockaddr_in *) - (ia->ifa_addr))->sin_addr.s_addr) { - if_addr_runlock(ifp); - return(1); /* match */ - } - } - if_addr_runlock(ifp); -#endif /* __FreeBSD__ */ - } - return(0); /* no match, fail ... */ -} - -/* - * The verify_path function checks if a route to the src exists and - * if it is reachable via ifp (when provided). - * - * The 'verrevpath' option checks that the interface that an IP packet - * arrives on is the same interface that traffic destined for the - * packet's source address would be routed out of. - * The 'versrcreach' option just checks that the source address is - * reachable via any route (except default) in the routing table. - * These two are a measure to block forged packets. This is also - * commonly known as "anti-spoofing" or Unicast Reverse Path - * Forwarding (Unicast RFP) in Cisco-ese. The name of the knobs - * is purposely reminiscent of the Cisco IOS command, - * - * ip verify unicast reverse-path - * ip verify unicast source reachable-via any - * - * which implements the same functionality. But note that the syntax - * is misleading, and the check may be performed on all IP packets - * whether unicast, multicast, or broadcast. - */ -static int -verify_path(struct in_addr src, struct ifnet *ifp, u_int fib) -{ -#ifndef __FreeBSD__ - return 0; -#else - struct route ro; - struct sockaddr_in *dst; - - bzero(&ro, sizeof(ro)); - - dst = (struct sockaddr_in *)&(ro.ro_dst); - dst->sin_family = AF_INET; - dst->sin_len = sizeof(*dst); - dst->sin_addr = src; - in_rtalloc_ign(&ro, 0, fib); - - if (ro.ro_rt == NULL) - return 0; - - /* - * If ifp is provided, check for equality with rtentry. - * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp, - * in order to pass packets injected back by if_simloop(): - * if useloopback == 1 routing entry (via lo0) for our own address - * may exist, so we need to handle routing assymetry. - */ - if (ifp != NULL && ro.ro_rt->rt_ifa->ifa_ifp != ifp) { - RTFREE(ro.ro_rt); - return 0; - } - - /* if no ifp provided, check if rtentry is not default route */ - if (ifp == NULL && - satosin(rt_key(ro.ro_rt))->sin_addr.s_addr == INADDR_ANY) { - RTFREE(ro.ro_rt); - return 0; - } - - /* or if this is a blackhole/reject route */ - if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) { - RTFREE(ro.ro_rt); - return 0; - } - - /* found valid route */ - RTFREE(ro.ro_rt); - return 1; -#endif /* __FreeBSD__ */ -} - -#ifdef INET6 -/* - * ipv6 specific rules here... - */ -static __inline int -icmp6type_match (int type, ipfw_insn_u32 *cmd) -{ - return (type <= ICMP6_MAXTYPE && (cmd->d[type/32] & (1<<(type%32)) ) ); -} - -static int -flow6id_match( int curr_flow, ipfw_insn_u32 *cmd ) -{ - int i; - for (i=0; i <= cmd->o.arg1; ++i ) - if (curr_flow == cmd->d[i] ) - return 1; - return 0; -} - -/* support for IP6_*_ME opcodes */ -static int -search_ip6_addr_net (struct in6_addr * ip6_addr) -{ - struct ifnet *mdc; - struct ifaddr *mdc2; - struct in6_ifaddr *fdm; - struct in6_addr copia; - - TAILQ_FOREACH(mdc, &V_ifnet, if_link) { - if_addr_rlock(mdc); - TAILQ_FOREACH(mdc2, &mdc->if_addrhead, ifa_link) { - if (mdc2->ifa_addr->sa_family == AF_INET6) { - fdm = (struct in6_ifaddr *)mdc2; - copia = fdm->ia_addr.sin6_addr; - /* need for leaving scope_id in the sock_addr */ - in6_clearscope(&copia); - if (IN6_ARE_ADDR_EQUAL(ip6_addr, &copia)) { - if_addr_runlock(mdc); - return 1; - } - } - } - if_addr_runlock(mdc); - } - return 0; -} - -static int -verify_path6(struct in6_addr *src, struct ifnet *ifp, u_int fib) -{ - struct route_in6 ro; - struct sockaddr_in6 *dst; - - bzero(&ro, sizeof(ro)); - - dst = (struct sockaddr_in6 * )&(ro.ro_dst); - dst->sin6_family = AF_INET6; - dst->sin6_len = sizeof(*dst); - dst->sin6_addr = *src; - - in6_rtalloc_ign(&ro, 0, fib); - if (ro.ro_rt == NULL) - return 0; - - /* - * if ifp is provided, check for equality with rtentry - * We should use rt->rt_ifa->ifa_ifp, instead of rt->rt_ifp, - * to support the case of sending packets to an address of our own. - * (where the former interface is the first argument of if_simloop() - * (=ifp), the latter is lo0) - */ - if (ifp != NULL && ro.ro_rt->rt_ifa->ifa_ifp != ifp) { - RTFREE(ro.ro_rt); - return 0; - } - - /* if no ifp provided, check if rtentry is not default route */ - if (ifp == NULL && - IN6_IS_ADDR_UNSPECIFIED(&satosin6(rt_key(ro.ro_rt))->sin6_addr)) { - RTFREE(ro.ro_rt); - return 0; - } - - /* or if this is a blackhole/reject route */ - if (ifp == NULL && ro.ro_rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)) { - RTFREE(ro.ro_rt); - return 0; - } - - /* found valid route */ - RTFREE(ro.ro_rt); - return 1; - -} - -static int -is_icmp6_query(int icmp6_type) -{ - if ((icmp6_type <= ICMP6_MAXTYPE) && - (icmp6_type == ICMP6_ECHO_REQUEST || - icmp6_type == ICMP6_MEMBERSHIP_QUERY || - icmp6_type == ICMP6_WRUREQUEST || - icmp6_type == ICMP6_FQDN_QUERY || - icmp6_type == ICMP6_NI_QUERY)) - return (1); - - return (0); -} - -static void -send_reject6(struct ip_fw_args *args, int code, u_int hlen, struct ip6_hdr *ip6) -{ - struct mbuf *m; - - m = args->m; - if (code == ICMP6_UNREACH_RST && args->f_id.proto == IPPROTO_TCP) { - struct tcphdr *tcp; - tcp = (struct tcphdr *)((char *)ip6 + hlen); - - if ((tcp->th_flags & TH_RST) == 0) { - struct mbuf *m0; - m0 = ipfw_send_pkt(args->m, &(args->f_id), - ntohl(tcp->th_seq), ntohl(tcp->th_ack), - tcp->th_flags | TH_RST); - if (m0 != NULL) - ip6_output(m0, NULL, NULL, 0, NULL, NULL, - NULL); - } - FREE_PKT(m); - } else if (code != ICMP6_UNREACH_RST) { /* Send an ICMPv6 unreach. */ -#if 0 - /* - * Unlike above, the mbufs need to line up with the ip6 hdr, - * as the contents are read. We need to m_adj() the - * needed amount. - * The mbuf will however be thrown away so we can adjust it. - * Remember we did an m_pullup on it already so we - * can make some assumptions about contiguousness. - */ - if (args->L3offset) - m_adj(m, args->L3offset); -#endif - icmp6_error(m, ICMP6_DST_UNREACH, code, 0); - } else - FREE_PKT(m); - - args->m = NULL; -} - -#endif /* INET6 */ - - -/* - * sends a reject message, consuming the mbuf passed as an argument. - */ -static void -send_reject(struct ip_fw_args *args, int code, int iplen, struct ip *ip) -{ - -#if 0 - /* XXX When ip is not guaranteed to be at mtod() we will - * need to account for this */ - * The mbuf will however be thrown away so we can adjust it. - * Remember we did an m_pullup on it already so we - * can make some assumptions about contiguousness. - */ - if (args->L3offset) - m_adj(m, args->L3offset); -#endif - if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */ - /* We need the IP header in host order for icmp_error(). */ - SET_HOST_IPLEN(ip); - icmp_error(args->m, ICMP_UNREACH, code, 0L, 0); - } else if (args->f_id.proto == IPPROTO_TCP) { - struct tcphdr *const tcp = - L3HDR(struct tcphdr, mtod(args->m, struct ip *)); - if ( (tcp->th_flags & TH_RST) == 0) { - struct mbuf *m; - m = ipfw_send_pkt(args->m, &(args->f_id), - ntohl(tcp->th_seq), ntohl(tcp->th_ack), - tcp->th_flags | TH_RST); - if (m != NULL) - ip_output(m, NULL, NULL, 0, NULL, NULL); - } - FREE_PKT(args->m); - } else - FREE_PKT(args->m); - args->m = NULL; -} - -/* - * Support for uid/gid/jail lookup. These tests are expensive - * (because we may need to look into the list of active sockets) - * so we cache the results. ugid_lookupp is 0 if we have not - * yet done a lookup, 1 if we succeeded, and -1 if we tried - * and failed. The function always returns the match value. - * We could actually spare the variable and use *uc, setting - * it to '(void *)check_uidgid if we have no info, NULL if - * we tried and failed, or any other value if successful. - */ -static int -check_uidgid(ipfw_insn_u32 *insn, struct ip_fw_args *args, int *ugid_lookupp, - struct ucred **uc) -{ -#ifndef __FreeBSD__ - /* XXX */ - return cred_check(insn, proto, oif, - dst_ip, dst_port, src_ip, src_port, - (struct bsd_ucred *)uc, ugid_lookupp, ((struct mbuf *)inp)->m_skb); -#else /* FreeBSD */ - struct in_addr src_ip, dst_ip; - struct inpcbinfo *pi; - struct ipfw_flow_id *id; - struct inpcb *pcb, *inp; - struct ifnet *oif; - int lookupflags; - int match; - - id = &args->f_id; - inp = args->inp; - oif = args->oif; - - /* - * Check to see if the UDP or TCP stack supplied us with - * the PCB. If so, rather then holding a lock and looking - * up the PCB, we can use the one that was supplied. - */ - if (inp && *ugid_lookupp == 0) { - INP_LOCK_ASSERT(inp); - if (inp->inp_socket != NULL) { - *uc = crhold(inp->inp_cred); - *ugid_lookupp = 1; - } else - *ugid_lookupp = -1; - } - /* - * If we have already been here and the packet has no - * PCB entry associated with it, then we can safely - * assume that this is a no match. - */ - if (*ugid_lookupp == -1) - return (0); - if (id->proto == IPPROTO_TCP) { - lookupflags = 0; - pi = &V_tcbinfo; - } else if (id->proto == IPPROTO_UDP) { - lookupflags = INPLOOKUP_WILDCARD; - pi = &V_udbinfo; - } else - return 0; - lookupflags |= INPLOOKUP_RLOCKPCB; - match = 0; - if (*ugid_lookupp == 0) { - if (id->addr_type == 6) { -#ifdef INET6 - if (oif == NULL) - pcb = in6_pcblookup_mbuf(pi, - &id->src_ip6, htons(id->src_port), - &id->dst_ip6, htons(id->dst_port), - lookupflags, oif, args->m); - else - pcb = in6_pcblookup_mbuf(pi, - &id->dst_ip6, htons(id->dst_port), - &id->src_ip6, htons(id->src_port), - lookupflags, oif, args->m); -#else - *ugid_lookupp = -1; - return (0); -#endif - } else { - src_ip.s_addr = htonl(id->src_ip); - dst_ip.s_addr = htonl(id->dst_ip); - if (oif == NULL) - pcb = in_pcblookup_mbuf(pi, - src_ip, htons(id->src_port), - dst_ip, htons(id->dst_port), - lookupflags, oif, args->m); - else - pcb = in_pcblookup_mbuf(pi, - dst_ip, htons(id->dst_port), - src_ip, htons(id->src_port), - lookupflags, oif, args->m); - } - if (pcb != NULL) { - INP_RLOCK_ASSERT(pcb); - *uc = crhold(pcb->inp_cred); - *ugid_lookupp = 1; - INP_RUNLOCK(pcb); - } - if (*ugid_lookupp == 0) { - /* - * We tried and failed, set the variable to -1 - * so we will not try again on this packet. - */ - *ugid_lookupp = -1; - return (0); - } - } - if (insn->o.opcode == O_UID) - match = ((*uc)->cr_uid == (uid_t)insn->d[0]); - else if (insn->o.opcode == O_GID) - match = groupmember((gid_t)insn->d[0], *uc); - else if (insn->o.opcode == O_JAIL) - match = ((*uc)->cr_prison->pr_id == (int)insn->d[0]); - return (match); -#endif /* __FreeBSD__ */ -} - -/* - * Helper function to set args with info on the rule after the matching - * one. slot is precise, whereas we guess rule_id as they are - * assigned sequentially. - */ -static inline void -set_match(struct ip_fw_args *args, int slot, - struct ip_fw_chain *chain) -{ - args->rule.chain_id = chain->id; - args->rule.slot = slot + 1; /* we use 0 as a marker */ - args->rule.rule_id = 1 + chain->map[slot]->id; - args->rule.rulenum = chain->map[slot]->rulenum; -} - -/* - * The main check routine for the firewall. - * - * All arguments are in args so we can modify them and return them - * back to the caller. - * - * Parameters: - * - * args->m (in/out) The packet; we set to NULL when/if we nuke it. - * Starts with the IP header. - * args->eh (in) Mac header if present, NULL for layer3 packet. - * args->L3offset Number of bytes bypassed if we came from L2. - * e.g. often sizeof(eh) ** NOTYET ** - * args->oif Outgoing interface, NULL if packet is incoming. - * The incoming interface is in the mbuf. (in) - * args->divert_rule (in/out) - * Skip up to the first rule past this rule number; - * upon return, non-zero port number for divert or tee. - * - * args->rule Pointer to the last matching rule (in/out) - * args->next_hop Socket we are forwarding to (out). - * args->next_hop6 IPv6 next hop we are forwarding to (out). - * args->f_id Addresses grabbed from the packet (out) - * args->rule.info a cookie depending on rule action - * - * Return value: - * - * IP_FW_PASS the packet must be accepted - * IP_FW_DENY the packet must be dropped - * IP_FW_DIVERT divert packet, port in m_tag - * IP_FW_TEE tee packet, port in m_tag - * IP_FW_DUMMYNET to dummynet, pipe in args->cookie - * IP_FW_NETGRAPH into netgraph, cookie args->cookie - * args->rule contains the matching rule, - * args->rule.info has additional information. - * - */ -int -ipfw_chk(struct ip_fw_args *args) -{ - - /* - * Local variables holding state while processing a packet: - * - * IMPORTANT NOTE: to speed up the processing of rules, there - * are some assumption on the values of the variables, which - * are documented here. Should you change them, please check - * the implementation of the various instructions to make sure - * that they still work. - * - * args->eh The MAC header. It is non-null for a layer2 - * packet, it is NULL for a layer-3 packet. - * **notyet** - * args->L3offset Offset in the packet to the L3 (IP or equiv.) header. - * - * m | args->m Pointer to the mbuf, as received from the caller. - * It may change if ipfw_chk() does an m_pullup, or if it - * consumes the packet because it calls send_reject(). - * XXX This has to change, so that ipfw_chk() never modifies - * or consumes the buffer. - * ip is the beginning of the ip(4 or 6) header. - * Calculated by adding the L3offset to the start of data. - * (Until we start using L3offset, the packet is - * supposed to start with the ip header). - */ - struct mbuf *m = args->m; - struct ip *ip = mtod(m, struct ip *); - - /* - * For rules which contain uid/gid or jail constraints, cache - * a copy of the users credentials after the pcb lookup has been - * executed. This will speed up the processing of rules with - * these types of constraints, as well as decrease contention - * on pcb related locks. - */ -#ifndef __FreeBSD__ - struct bsd_ucred ucred_cache; -#else - struct ucred *ucred_cache = NULL; -#endif - int ucred_lookup = 0; - - /* - * oif | args->oif If NULL, ipfw_chk has been called on the - * inbound path (ether_input, ip_input). - * If non-NULL, ipfw_chk has been called on the outbound path - * (ether_output, ip_output). - */ - struct ifnet *oif = args->oif; - - int f_pos = 0; /* index of current rule in the array */ - int retval = 0; - - /* - * hlen The length of the IP header. - */ - u_int hlen = 0; /* hlen >0 means we have an IP pkt */ - - /* - * offset The offset of a fragment. offset != 0 means that - * we have a fragment at this offset of an IPv4 packet. - * offset == 0 means that (if this is an IPv4 packet) - * this is the first or only fragment. - * For IPv6 offset|ip6f_mf == 0 means there is no Fragment Header - * or there is a single packet fragement (fragement header added - * without needed). We will treat a single packet fragment as if - * there was no fragment header (or log/block depending on the - * V_fw_permit_single_frag6 sysctl setting). - */ - u_short offset = 0; - u_short ip6f_mf = 0; - - /* - * Local copies of addresses. They are only valid if we have - * an IP packet. - * - * proto The protocol. Set to 0 for non-ip packets, - * or to the protocol read from the packet otherwise. - * proto != 0 means that we have an IPv4 packet. - * - * src_port, dst_port port numbers, in HOST format. Only - * valid for TCP and UDP packets. - * - * src_ip, dst_ip ip addresses, in NETWORK format. - * Only valid for IPv4 packets. - */ - uint8_t proto; - uint16_t src_port = 0, dst_port = 0; /* NOTE: host format */ - struct in_addr src_ip, dst_ip; /* NOTE: network format */ - uint16_t iplen=0; - int pktlen; - uint16_t etype = 0; /* Host order stored ether type */ - - /* - * dyn_dir = MATCH_UNKNOWN when rules unchecked, - * MATCH_NONE when checked and not matched (q = NULL), - * MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL) - */ - int dyn_dir = MATCH_UNKNOWN; - ipfw_dyn_rule *q = NULL; - struct ip_fw_chain *chain = &V_layer3_chain; - - /* - * We store in ulp a pointer to the upper layer protocol header. - * In the ipv4 case this is easy to determine from the header, - * but for ipv6 we might have some additional headers in the middle. - * ulp is NULL if not found. - */ - void *ulp = NULL; /* upper layer protocol pointer. */ - - /* XXX ipv6 variables */ - int is_ipv6 = 0; - uint8_t icmp6_type = 0; - uint16_t ext_hd = 0; /* bits vector for extension header filtering */ - /* end of ipv6 variables */ - - int is_ipv4 = 0; - - int done = 0; /* flag to exit the outer loop */ - - if (m->m_flags & M_SKIP_FIREWALL || (! V_ipfw_vnet_ready)) - return (IP_FW_PASS); /* accept */ - - dst_ip.s_addr = 0; /* make sure it is initialized */ - src_ip.s_addr = 0; /* make sure it is initialized */ - pktlen = m->m_pkthdr.len; - args->f_id.fib = M_GETFIB(m); /* note mbuf not altered) */ - proto = args->f_id.proto = 0; /* mark f_id invalid */ - /* XXX 0 is a valid proto: IP/IPv6 Hop-by-Hop Option */ - -/* - * PULLUP_TO(len, p, T) makes sure that len + sizeof(T) is contiguous, - * then it sets p to point at the offset "len" in the mbuf. WARNING: the - * pointer might become stale after other pullups (but we never use it - * this way). - */ -#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T)) -#define PULLUP_LEN(_len, p, T) \ -do { \ - int x = (_len) + T; \ - if ((m)->m_len < x) { \ - args->m = m = m_pullup(m, x); \ - if (m == NULL) \ - goto pullup_failed; \ - } \ - p = (mtod(m, char *) + (_len)); \ -} while (0) - - /* - * if we have an ether header, - */ - if (args->eh) - etype = ntohs(args->eh->ether_type); - - /* Identify IP packets and fill up variables. */ - if (pktlen >= sizeof(struct ip6_hdr) && - (args->eh == NULL || etype == ETHERTYPE_IPV6) && ip->ip_v == 6) { - struct ip6_hdr *ip6 = (struct ip6_hdr *)ip; - is_ipv6 = 1; - args->f_id.addr_type = 6; - hlen = sizeof(struct ip6_hdr); - proto = ip6->ip6_nxt; - - /* Search extension headers to find upper layer protocols */ - while (ulp == NULL && offset == 0) { - switch (proto) { - case IPPROTO_ICMPV6: - PULLUP_TO(hlen, ulp, struct icmp6_hdr); - icmp6_type = ICMP6(ulp)->icmp6_type; - break; - - case IPPROTO_TCP: - PULLUP_TO(hlen, ulp, struct tcphdr); - dst_port = TCP(ulp)->th_dport; - src_port = TCP(ulp)->th_sport; - /* save flags for dynamic rules */ - args->f_id._flags = TCP(ulp)->th_flags; - break; - - case IPPROTO_SCTP: - PULLUP_TO(hlen, ulp, struct sctphdr); - src_port = SCTP(ulp)->src_port; - dst_port = SCTP(ulp)->dest_port; - break; - - case IPPROTO_UDP: - PULLUP_TO(hlen, ulp, struct udphdr); - dst_port = UDP(ulp)->uh_dport; - src_port = UDP(ulp)->uh_sport; - break; - - case IPPROTO_HOPOPTS: /* RFC 2460 */ - PULLUP_TO(hlen, ulp, struct ip6_hbh); - ext_hd |= EXT_HOPOPTS; - hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3; - proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; - ulp = NULL; - break; - - case IPPROTO_ROUTING: /* RFC 2460 */ - PULLUP_TO(hlen, ulp, struct ip6_rthdr); - switch (((struct ip6_rthdr *)ulp)->ip6r_type) { - case 0: - ext_hd |= EXT_RTHDR0; - break; - case 2: - ext_hd |= EXT_RTHDR2; - break; - default: - if (V_fw_verbose) - printf("IPFW2: IPV6 - Unknown " - "Routing Header type(%d)\n", - ((struct ip6_rthdr *) - ulp)->ip6r_type); - if (V_fw_deny_unknown_exthdrs) - return (IP_FW_DENY); - break; - } - ext_hd |= EXT_ROUTING; - hlen += (((struct ip6_rthdr *)ulp)->ip6r_len + 1) << 3; - proto = ((struct ip6_rthdr *)ulp)->ip6r_nxt; - ulp = NULL; - break; - - case IPPROTO_FRAGMENT: /* RFC 2460 */ - PULLUP_TO(hlen, ulp, struct ip6_frag); - ext_hd |= EXT_FRAGMENT; - hlen += sizeof (struct ip6_frag); - proto = ((struct ip6_frag *)ulp)->ip6f_nxt; - offset = ((struct ip6_frag *)ulp)->ip6f_offlg & - IP6F_OFF_MASK; - ip6f_mf = ((struct ip6_frag *)ulp)->ip6f_offlg & - IP6F_MORE_FRAG; - if (V_fw_permit_single_frag6 == 0 && - offset == 0 && ip6f_mf == 0) { - if (V_fw_verbose) - printf("IPFW2: IPV6 - Invalid " - "Fragment Header\n"); - if (V_fw_deny_unknown_exthdrs) - return (IP_FW_DENY); - break; - } - args->f_id.extra = - ntohl(((struct ip6_frag *)ulp)->ip6f_ident); - ulp = NULL; - break; - - case IPPROTO_DSTOPTS: /* RFC 2460 */ - PULLUP_TO(hlen, ulp, struct ip6_hbh); - ext_hd |= EXT_DSTOPTS; - hlen += (((struct ip6_hbh *)ulp)->ip6h_len + 1) << 3; - proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; - ulp = NULL; - break; - - case IPPROTO_AH: /* RFC 2402 */ - PULLUP_TO(hlen, ulp, struct ip6_ext); - ext_hd |= EXT_AH; - hlen += (((struct ip6_ext *)ulp)->ip6e_len + 2) << 2; - proto = ((struct ip6_ext *)ulp)->ip6e_nxt; - ulp = NULL; - break; - - case IPPROTO_ESP: /* RFC 2406 */ - PULLUP_TO(hlen, ulp, uint32_t); /* SPI, Seq# */ - /* Anything past Seq# is variable length and - * data past this ext. header is encrypted. */ - ext_hd |= EXT_ESP; - break; - - case IPPROTO_NONE: /* RFC 2460 */ - /* - * Packet ends here, and IPv6 header has - * already been pulled up. If ip6e_len!=0 - * then octets must be ignored. - */ - ulp = ip; /* non-NULL to get out of loop. */ - break; - - case IPPROTO_OSPFIGP: - /* XXX OSPF header check? */ - PULLUP_TO(hlen, ulp, struct ip6_ext); - break; - - case IPPROTO_PIM: - /* XXX PIM header check? */ - PULLUP_TO(hlen, ulp, struct pim); - break; - - case IPPROTO_CARP: - PULLUP_TO(hlen, ulp, struct carp_header); - if (((struct carp_header *)ulp)->carp_version != - CARP_VERSION) - return (IP_FW_DENY); - if (((struct carp_header *)ulp)->carp_type != - CARP_ADVERTISEMENT) - return (IP_FW_DENY); - break; - - case IPPROTO_IPV6: /* RFC 2893 */ - PULLUP_TO(hlen, ulp, struct ip6_hdr); - break; - - case IPPROTO_IPV4: /* RFC 2893 */ - PULLUP_TO(hlen, ulp, struct ip); - break; - - default: - if (V_fw_verbose) - printf("IPFW2: IPV6 - Unknown " - "Extension Header(%d), ext_hd=%x\n", - proto, ext_hd); - if (V_fw_deny_unknown_exthdrs) - return (IP_FW_DENY); - PULLUP_TO(hlen, ulp, struct ip6_ext); - break; - } /*switch */ - } - ip = mtod(m, struct ip *); - ip6 = (struct ip6_hdr *)ip; - args->f_id.src_ip6 = ip6->ip6_src; - args->f_id.dst_ip6 = ip6->ip6_dst; - args->f_id.src_ip = 0; - args->f_id.dst_ip = 0; - args->f_id.flow_id6 = ntohl(ip6->ip6_flow); - } else if (pktlen >= sizeof(struct ip) && - (args->eh == NULL || etype == ETHERTYPE_IP) && ip->ip_v == 4) { - is_ipv4 = 1; - hlen = ip->ip_hl << 2; - args->f_id.addr_type = 4; - - /* - * Collect parameters into local variables for faster matching. - */ - proto = ip->ip_p; - src_ip = ip->ip_src; - dst_ip = ip->ip_dst; - offset = ntohs(ip->ip_off) & IP_OFFMASK; - iplen = ntohs(ip->ip_len); - pktlen = iplen < pktlen ? iplen : pktlen; - - if (offset == 0) { - switch (proto) { - case IPPROTO_TCP: - PULLUP_TO(hlen, ulp, struct tcphdr); - dst_port = TCP(ulp)->th_dport; - src_port = TCP(ulp)->th_sport; - /* save flags for dynamic rules */ - args->f_id._flags = TCP(ulp)->th_flags; - break; - - case IPPROTO_SCTP: - PULLUP_TO(hlen, ulp, struct sctphdr); - src_port = SCTP(ulp)->src_port; - dst_port = SCTP(ulp)->dest_port; - break; - - case IPPROTO_UDP: - PULLUP_TO(hlen, ulp, struct udphdr); - dst_port = UDP(ulp)->uh_dport; - src_port = UDP(ulp)->uh_sport; - break; - - case IPPROTO_ICMP: - PULLUP_TO(hlen, ulp, struct icmphdr); - //args->f_id.flags = ICMP(ulp)->icmp_type; - break; - - default: - break; - } - } - - ip = mtod(m, struct ip *); - args->f_id.src_ip = ntohl(src_ip.s_addr); - args->f_id.dst_ip = ntohl(dst_ip.s_addr); - } -#undef PULLUP_TO - if (proto) { /* we may have port numbers, store them */ - args->f_id.proto = proto; - args->f_id.src_port = src_port = ntohs(src_port); - args->f_id.dst_port = dst_port = ntohs(dst_port); - } - - IPFW_RLOCK(chain); - if (! V_ipfw_vnet_ready) { /* shutting down, leave NOW. */ - IPFW_RUNLOCK(chain); - return (IP_FW_PASS); /* accept */ - } - if (args->rule.slot) { - /* - * Packet has already been tagged as a result of a previous - * match on rule args->rule aka args->rule_id (PIPE, QUEUE, - * REASS, NETGRAPH, DIVERT/TEE...) - * Validate the slot and continue from the next one - * if still present, otherwise do a lookup. - */ - f_pos = (args->rule.chain_id == chain->id) ? - args->rule.slot : - ipfw_find_rule(chain, args->rule.rulenum, - args->rule.rule_id); - } else { - f_pos = 0; - } - - /* - * Now scan the rules, and parse microinstructions for each rule. - * We have two nested loops and an inner switch. Sometimes we - * need to break out of one or both loops, or re-enter one of - * the loops with updated variables. Loop variables are: - * - * f_pos (outer loop) points to the current rule. - * On output it points to the matching rule. - * done (outer loop) is used as a flag to break the loop. - * l (inner loop) residual length of current rule. - * cmd points to the current microinstruction. - * - * We break the inner loop by setting l=0 and possibly - * cmdlen=0 if we don't want to advance cmd. - * We break the outer loop by setting done=1 - * We can restart the inner loop by setting l>0 and f_pos, f, cmd - * as needed. - */ - for (; f_pos < chain->n_rules; f_pos++) { - ipfw_insn *cmd; - uint32_t tablearg = 0; - int l, cmdlen, skip_or; /* skip rest of OR block */ - struct ip_fw *f; - - f = chain->map[f_pos]; - if (V_set_disable & (1 << f->set) ) - continue; - - skip_or = 0; - for (l = f->cmd_len, cmd = f->cmd ; l > 0 ; - l -= cmdlen, cmd += cmdlen) { - int match; - - /* - * check_body is a jump target used when we find a - * CHECK_STATE, and need to jump to the body of - * the target rule. - */ - -/* check_body: */ - cmdlen = F_LEN(cmd); - /* - * An OR block (insn_1 || .. || insn_n) has the - * F_OR bit set in all but the last instruction. - * The first match will set "skip_or", and cause - * the following instructions to be skipped until - * past the one with the F_OR bit clear. - */ - if (skip_or) { /* skip this instruction */ - if ((cmd->len & F_OR) == 0) - skip_or = 0; /* next one is good */ - continue; - } - match = 0; /* set to 1 if we succeed */ - - switch (cmd->opcode) { - /* - * The first set of opcodes compares the packet's - * fields with some pattern, setting 'match' if a - * match is found. At the end of the loop there is - * logic to deal with F_NOT and F_OR flags associated - * with the opcode. - */ - case O_NOP: - match = 1; - break; - - case O_FORWARD_MAC: - printf("ipfw: opcode %d unimplemented\n", - cmd->opcode); - break; - - case O_GID: - case O_UID: - case O_JAIL: - /* - * We only check offset == 0 && proto != 0, - * as this ensures that we have a - * packet with the ports info. - */ - if (offset != 0) - break; - if (proto == IPPROTO_TCP || - proto == IPPROTO_UDP) - match = check_uidgid( - (ipfw_insn_u32 *)cmd, - args, &ucred_lookup, -#ifdef __FreeBSD__ - &ucred_cache); -#else - (void *)&ucred_cache); -#endif - break; - - case O_RECV: - match = iface_match(m->m_pkthdr.rcvif, - (ipfw_insn_if *)cmd, chain, &tablearg); - break; - - case O_XMIT: - match = iface_match(oif, (ipfw_insn_if *)cmd, - chain, &tablearg); - break; - - case O_VIA: - match = iface_match(oif ? oif : - m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd, - chain, &tablearg); - break; - - case O_MACADDR2: - if (args->eh != NULL) { /* have MAC header */ - u_int32_t *want = (u_int32_t *) - ((ipfw_insn_mac *)cmd)->addr; - u_int32_t *mask = (u_int32_t *) - ((ipfw_insn_mac *)cmd)->mask; - u_int32_t *hdr = (u_int32_t *)args->eh; - - match = - ( want[0] == (hdr[0] & mask[0]) && - want[1] == (hdr[1] & mask[1]) && - want[2] == (hdr[2] & mask[2]) ); - } - break; - - case O_MAC_TYPE: - if (args->eh != NULL) { - u_int16_t *p = - ((ipfw_insn_u16 *)cmd)->ports; - int i; - - for (i = cmdlen - 1; !match && i>0; - i--, p += 2) - match = (etype >= p[0] && - etype <= p[1]); - } - break; - - case O_FRAG: - match = (offset != 0); - break; - - case O_IN: /* "out" is "not in" */ - match = (oif == NULL); - break; - - case O_LAYER2: - match = (args->eh != NULL); - break; - - case O_DIVERTED: - { - /* For diverted packets, args->rule.info - * contains the divert port (in host format) - * reason and direction. - */ - uint32_t i = args->rule.info; - match = (i&IPFW_IS_MASK) == IPFW_IS_DIVERT && - cmd->arg1 & ((i & IPFW_INFO_IN) ? 1 : 2); - } - break; - - case O_PROTO: - /* - * We do not allow an arg of 0 so the - * check of "proto" only suffices. - */ - match = (proto == cmd->arg1); - break; - - case O_IP_SRC: - match = is_ipv4 && - (((ipfw_insn_ip *)cmd)->addr.s_addr == - src_ip.s_addr); - break; - - case O_IP_SRC_LOOKUP: - case O_IP_DST_LOOKUP: - if (is_ipv4) { - uint32_t key = - (cmd->opcode == O_IP_DST_LOOKUP) ? - dst_ip.s_addr : src_ip.s_addr; - uint32_t v = 0; - - if (cmdlen > F_INSN_SIZE(ipfw_insn_u32)) { - /* generic lookup. The key must be - * in 32bit big-endian format. - */ - v = ((ipfw_insn_u32 *)cmd)->d[1]; - if (v == 0) - key = dst_ip.s_addr; - else if (v == 1) - key = src_ip.s_addr; - else if (v == 6) /* dscp */ - key = (ip->ip_tos >> 2) & 0x3f; - else if (offset != 0) - break; - else if (proto != IPPROTO_TCP && - proto != IPPROTO_UDP) - break; - else if (v == 2) - key = htonl(dst_port); - else if (v == 3) - key = htonl(src_port); - else if (v == 4 || v == 5) { - check_uidgid( - (ipfw_insn_u32 *)cmd, - args, &ucred_lookup, -#ifdef __FreeBSD__ - &ucred_cache); - if (v == 4 /* O_UID */) - key = ucred_cache->cr_uid; - else if (v == 5 /* O_JAIL */) - key = ucred_cache->cr_prison->pr_id; -#else /* !__FreeBSD__ */ - (void *)&ucred_cache); - if (v ==4 /* O_UID */) - key = ucred_cache.uid; - else if (v == 5 /* O_JAIL */) - key = ucred_cache.xid; -#endif /* !__FreeBSD__ */ - key = htonl(key); - } else - break; - } - match = ipfw_lookup_table(chain, - cmd->arg1, key, &v); - if (!match) - break; - if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) - match = - ((ipfw_insn_u32 *)cmd)->d[0] == v; - else - tablearg = v; - } else if (is_ipv6) { - uint32_t v = 0; - void *pkey = (cmd->opcode == O_IP_DST_LOOKUP) ? - &args->f_id.dst_ip6: &args->f_id.src_ip6; - match = ipfw_lookup_table_extended(chain, - cmd->arg1, pkey, &v, - IPFW_TABLE_CIDR); - if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) - match = ((ipfw_insn_u32 *)cmd)->d[0] == v; - if (match) - tablearg = v; - } - break; - - case O_IP_SRC_MASK: - case O_IP_DST_MASK: - if (is_ipv4) { - uint32_t a = - (cmd->opcode == O_IP_DST_MASK) ? - dst_ip.s_addr : src_ip.s_addr; - uint32_t *p = ((ipfw_insn_u32 *)cmd)->d; - int i = cmdlen-1; - - for (; !match && i>0; i-= 2, p+= 2) - match = (p[0] == (a & p[1])); - } - break; - - case O_IP_SRC_ME: - if (is_ipv4) { - struct ifnet *tif; - - INADDR_TO_IFP(src_ip, tif); - match = (tif != NULL); - break; - } -#ifdef INET6 - /* FALLTHROUGH */ - case O_IP6_SRC_ME: - match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6); -#endif - break; - - case O_IP_DST_SET: - case O_IP_SRC_SET: - if (is_ipv4) { - u_int32_t *d = (u_int32_t *)(cmd+1); - u_int32_t addr = - cmd->opcode == O_IP_DST_SET ? - args->f_id.dst_ip : - args->f_id.src_ip; - - if (addr < d[0]) - break; - addr -= d[0]; /* subtract base */ - match = (addr < cmd->arg1) && - ( d[ 1 + (addr>>5)] & - (1<<(addr & 0x1f)) ); - } - break; - - case O_IP_DST: - match = is_ipv4 && - (((ipfw_insn_ip *)cmd)->addr.s_addr == - dst_ip.s_addr); - break; - - case O_IP_DST_ME: - if (is_ipv4) { - struct ifnet *tif; - - INADDR_TO_IFP(dst_ip, tif); - match = (tif != NULL); - break; - } -#ifdef INET6 - /* FALLTHROUGH */ - case O_IP6_DST_ME: - match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6); -#endif - break; - - - case O_IP_SRCPORT: - case O_IP_DSTPORT: - /* - * offset == 0 && proto != 0 is enough - * to guarantee that we have a - * packet with port info. - */ - if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP) - && offset == 0) { - u_int16_t x = - (cmd->opcode == O_IP_SRCPORT) ? - src_port : dst_port ; - u_int16_t *p = - ((ipfw_insn_u16 *)cmd)->ports; - int i; - - for (i = cmdlen - 1; !match && i>0; - i--, p += 2) - match = (x>=p[0] && x<=p[1]); - } - break; - - case O_ICMPTYPE: - match = (offset == 0 && proto==IPPROTO_ICMP && - icmptype_match(ICMP(ulp), (ipfw_insn_u32 *)cmd) ); - break; - -#ifdef INET6 - case O_ICMP6TYPE: - match = is_ipv6 && offset == 0 && - proto==IPPROTO_ICMPV6 && - icmp6type_match( - ICMP6(ulp)->icmp6_type, - (ipfw_insn_u32 *)cmd); - break; -#endif /* INET6 */ - - case O_IPOPT: - match = (is_ipv4 && - ipopts_match(ip, cmd) ); - break; - - case O_IPVER: - match = (is_ipv4 && - cmd->arg1 == ip->ip_v); - break; - - case O_IPID: - case O_IPLEN: - case O_IPTTL: - if (is_ipv4) { /* only for IP packets */ - uint16_t x; - uint16_t *p; - int i; - - if (cmd->opcode == O_IPLEN) - x = iplen; - else if (cmd->opcode == O_IPTTL) - x = ip->ip_ttl; - else /* must be IPID */ - x = ntohs(ip->ip_id); - if (cmdlen == 1) { - match = (cmd->arg1 == x); - break; - } - /* otherwise we have ranges */ - p = ((ipfw_insn_u16 *)cmd)->ports; - i = cmdlen - 1; - for (; !match && i>0; i--, p += 2) - match = (x >= p[0] && x <= p[1]); - } - break; - - case O_IPPRECEDENCE: - match = (is_ipv4 && - (cmd->arg1 == (ip->ip_tos & 0xe0)) ); - break; - - case O_IPTOS: - match = (is_ipv4 && - flags_match(cmd, ip->ip_tos)); - break; - - case O_TCPDATALEN: - if (proto == IPPROTO_TCP && offset == 0) { - struct tcphdr *tcp; - uint16_t x; - uint16_t *p; - int i; - - tcp = TCP(ulp); - x = iplen - - ((ip->ip_hl + tcp->th_off) << 2); - if (cmdlen == 1) { - match = (cmd->arg1 == x); - break; - } - /* otherwise we have ranges */ - p = ((ipfw_insn_u16 *)cmd)->ports; - i = cmdlen - 1; - for (; !match && i>0; i--, p += 2) - match = (x >= p[0] && x <= p[1]); - } - break; - - case O_TCPFLAGS: - match = (proto == IPPROTO_TCP && offset == 0 && - flags_match(cmd, TCP(ulp)->th_flags)); - break; - - case O_TCPOPTS: - PULLUP_LEN(hlen, ulp, (TCP(ulp)->th_off << 2)); - match = (proto == IPPROTO_TCP && offset == 0 && - tcpopts_match(TCP(ulp), cmd)); - break; - - case O_TCPSEQ: - match = (proto == IPPROTO_TCP && offset == 0 && - ((ipfw_insn_u32 *)cmd)->d[0] == - TCP(ulp)->th_seq); - break; - - case O_TCPACK: - match = (proto == IPPROTO_TCP && offset == 0 && - ((ipfw_insn_u32 *)cmd)->d[0] == - TCP(ulp)->th_ack); - break; - - case O_TCPWIN: - if (proto == IPPROTO_TCP && offset == 0) { - uint16_t x; - uint16_t *p; - int i; - - x = ntohs(TCP(ulp)->th_win); - if (cmdlen == 1) { - match = (cmd->arg1 == x); - break; - } - /* Otherwise we have ranges. */ - p = ((ipfw_insn_u16 *)cmd)->ports; - i = cmdlen - 1; - for (; !match && i > 0; i--, p += 2) - match = (x >= p[0] && x <= p[1]); - } - break; - - case O_ESTAB: - /* reject packets which have SYN only */ - /* XXX should i also check for TH_ACK ? */ - match = (proto == IPPROTO_TCP && offset == 0 && - (TCP(ulp)->th_flags & - (TH_RST | TH_ACK | TH_SYN)) != TH_SYN); - break; - - case O_ALTQ: { - struct pf_mtag *at; - ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd; - - match = 1; - at = pf_find_mtag(m); - if (at != NULL && at->qid != 0) - break; - at = pf_get_mtag(m); - if (at == NULL) { - /* - * Let the packet fall back to the - * default ALTQ. - */ - break; - } - at->qid = altq->qid; - at->hdr = ip; - break; - } - - case O_LOG: - ipfw_log(f, hlen, args, m, - oif, offset | ip6f_mf, tablearg, ip); - match = 1; - break; - - case O_PROB: - match = (random()<((ipfw_insn_u32 *)cmd)->d[0]); - break; - - case O_VERREVPATH: - /* Outgoing packets automatically pass/match */ - match = ((oif != NULL) || - (m->m_pkthdr.rcvif == NULL) || - ( -#ifdef INET6 - is_ipv6 ? - verify_path6(&(args->f_id.src_ip6), - m->m_pkthdr.rcvif, args->f_id.fib) : -#endif - verify_path(src_ip, m->m_pkthdr.rcvif, - args->f_id.fib))); - break; - - case O_VERSRCREACH: - /* Outgoing packets automatically pass/match */ - match = (hlen > 0 && ((oif != NULL) || -#ifdef INET6 - is_ipv6 ? - verify_path6(&(args->f_id.src_ip6), - NULL, args->f_id.fib) : -#endif - verify_path(src_ip, NULL, args->f_id.fib))); - break; - - case O_ANTISPOOF: - /* Outgoing packets automatically pass/match */ - if (oif == NULL && hlen > 0 && - ( (is_ipv4 && in_localaddr(src_ip)) -#ifdef INET6 - || (is_ipv6 && - in6_localaddr(&(args->f_id.src_ip6))) -#endif - )) - match = -#ifdef INET6 - is_ipv6 ? verify_path6( - &(args->f_id.src_ip6), - m->m_pkthdr.rcvif, - args->f_id.fib) : -#endif - verify_path(src_ip, - m->m_pkthdr.rcvif, - args->f_id.fib); - else - match = 1; - break; - - case O_IPSEC: -#ifdef IPSEC - match = (m_tag_find(m, - PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL); -#endif - /* otherwise no match */ - break; - -#ifdef INET6 - case O_IP6_SRC: - match = is_ipv6 && - IN6_ARE_ADDR_EQUAL(&args->f_id.src_ip6, - &((ipfw_insn_ip6 *)cmd)->addr6); - break; - - case O_IP6_DST: - match = is_ipv6 && - IN6_ARE_ADDR_EQUAL(&args->f_id.dst_ip6, - &((ipfw_insn_ip6 *)cmd)->addr6); - break; - case O_IP6_SRC_MASK: - case O_IP6_DST_MASK: - if (is_ipv6) { - int i = cmdlen - 1; - struct in6_addr p; - struct in6_addr *d = - &((ipfw_insn_ip6 *)cmd)->addr6; - - for (; !match && i > 0; d += 2, - i -= F_INSN_SIZE(struct in6_addr) - * 2) { - p = (cmd->opcode == - O_IP6_SRC_MASK) ? - args->f_id.src_ip6: - args->f_id.dst_ip6; - APPLY_MASK(&p, &d[1]); - match = - IN6_ARE_ADDR_EQUAL(&d[0], - &p); - } - } - break; - - case O_FLOW6ID: - match = is_ipv6 && - flow6id_match(args->f_id.flow_id6, - (ipfw_insn_u32 *) cmd); - break; - - case O_EXT_HDR: - match = is_ipv6 && - (ext_hd & ((ipfw_insn *) cmd)->arg1); - break; - - case O_IP6: - match = is_ipv6; - break; -#endif - - case O_IP4: - match = is_ipv4; - break; - - case O_TAG: { - struct m_tag *mtag; - uint32_t tag = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; - - /* Packet is already tagged with this tag? */ - mtag = m_tag_locate(m, MTAG_IPFW, tag, NULL); - - /* We have `untag' action when F_NOT flag is - * present. And we must remove this mtag from - * mbuf and reset `match' to zero (`match' will - * be inversed later). - * Otherwise we should allocate new mtag and - * push it into mbuf. - */ - if (cmd->len & F_NOT) { /* `untag' action */ - if (mtag != NULL) - m_tag_delete(m, mtag); - match = 0; - } else { - if (mtag == NULL) { - mtag = m_tag_alloc( MTAG_IPFW, - tag, 0, M_NOWAIT); - if (mtag != NULL) - m_tag_prepend(m, mtag); - } - match = 1; - } - break; - } - - case O_FIB: /* try match the specified fib */ - if (args->f_id.fib == cmd->arg1) - match = 1; - break; - - case O_SOCKARG: { - struct inpcb *inp = args->inp; - struct inpcbinfo *pi; - - if (is_ipv6) /* XXX can we remove this ? */ - break; - - if (proto == IPPROTO_TCP) - pi = &V_tcbinfo; - else if (proto == IPPROTO_UDP) - pi = &V_udbinfo; - else - break; - - /* - * XXXRW: so_user_cookie should almost - * certainly be inp_user_cookie? - */ - - /* For incomming packet, lookup up the - inpcb using the src/dest ip/port tuple */ - if (inp == NULL) { - inp = in_pcblookup(pi, - src_ip, htons(src_port), - dst_ip, htons(dst_port), - INPLOOKUP_RLOCKPCB, NULL); - if (inp != NULL) { - tablearg = - inp->inp_socket->so_user_cookie; - if (tablearg) - match = 1; - INP_RUNLOCK(inp); - } - } else { - if (inp->inp_socket) { - tablearg = - inp->inp_socket->so_user_cookie; - if (tablearg) - match = 1; - } - } - break; - } - - case O_TAGGED: { - struct m_tag *mtag; - uint32_t tag = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; - - if (cmdlen == 1) { - match = m_tag_locate(m, MTAG_IPFW, - tag, NULL) != NULL; - break; - } - - /* we have ranges */ - for (mtag = m_tag_first(m); - mtag != NULL && !match; - mtag = m_tag_next(m, mtag)) { - uint16_t *p; - int i; - - if (mtag->m_tag_cookie != MTAG_IPFW) - continue; - - p = ((ipfw_insn_u16 *)cmd)->ports; - i = cmdlen - 1; - for(; !match && i > 0; i--, p += 2) - match = - mtag->m_tag_id >= p[0] && - mtag->m_tag_id <= p[1]; - } - break; - } - - /* - * The second set of opcodes represents 'actions', - * i.e. the terminal part of a rule once the packet - * matches all previous patterns. - * Typically there is only one action for each rule, - * and the opcode is stored at the end of the rule - * (but there are exceptions -- see below). - * - * In general, here we set retval and terminate the - * outer loop (would be a 'break 3' in some language, - * but we need to set l=0, done=1) - * - * Exceptions: - * O_COUNT and O_SKIPTO actions: - * instead of terminating, we jump to the next rule - * (setting l=0), or to the SKIPTO target (setting - * f/f_len, cmd and l as needed), respectively. - * - * O_TAG, O_LOG and O_ALTQ action parameters: - * perform some action and set match = 1; - * - * O_LIMIT and O_KEEP_STATE: these opcodes are - * not real 'actions', and are stored right - * before the 'action' part of the rule. - * These opcodes try to install an entry in the - * state tables; if successful, we continue with - * the next opcode (match=1; break;), otherwise - * the packet must be dropped (set retval, - * break loops with l=0, done=1) - * - * O_PROBE_STATE and O_CHECK_STATE: these opcodes - * cause a lookup of the state table, and a jump - * to the 'action' part of the parent rule - * if an entry is found, or - * (CHECK_STATE only) a jump to the next rule if - * the entry is not found. - * The result of the lookup is cached so that - * further instances of these opcodes become NOPs. - * The jump to the next rule is done by setting - * l=0, cmdlen=0. - */ - case O_LIMIT: - case O_KEEP_STATE: - if (ipfw_install_state(f, - (ipfw_insn_limit *)cmd, args, tablearg)) { - /* error or limit violation */ - retval = IP_FW_DENY; - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - } - match = 1; - break; - - case O_PROBE_STATE: - case O_CHECK_STATE: - /* - * dynamic rules are checked at the first - * keep-state or check-state occurrence, - * with the result being stored in dyn_dir. - * The compiler introduces a PROBE_STATE - * instruction for us when we have a - * KEEP_STATE (because PROBE_STATE needs - * to be run first). - */ - if (dyn_dir == MATCH_UNKNOWN && - (q = ipfw_lookup_dyn_rule(&args->f_id, - &dyn_dir, proto == IPPROTO_TCP ? - TCP(ulp) : NULL)) - != NULL) { - /* - * Found dynamic entry, update stats - * and jump to the 'action' part of - * the parent rule by setting - * f, cmd, l and clearing cmdlen. - */ - q->pcnt++; - q->bcnt += pktlen; - /* XXX we would like to have f_pos - * readily accessible in the dynamic - * rule, instead of having to - * lookup q->rule. - */ - f = q->rule; - f_pos = ipfw_find_rule(chain, - f->rulenum, f->id); - cmd = ACTION_PTR(f); - l = f->cmd_len - f->act_ofs; - ipfw_dyn_unlock(); - cmdlen = 0; - match = 1; - break; - } - /* - * Dynamic entry not found. If CHECK_STATE, - * skip to next rule, if PROBE_STATE just - * ignore and continue with next opcode. - */ - if (cmd->opcode == O_CHECK_STATE) - l = 0; /* exit inner loop */ - match = 1; - break; - - case O_ACCEPT: - retval = 0; /* accept */ - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - break; - - case O_PIPE: - case O_QUEUE: - set_match(args, f_pos, chain); - args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; - if (cmd->opcode == O_PIPE) - args->rule.info |= IPFW_IS_PIPE; - if (V_fw_one_pass) - args->rule.info |= IPFW_ONEPASS; - retval = IP_FW_DUMMYNET; - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - break; - - case O_DIVERT: - case O_TEE: - if (args->eh) /* not on layer 2 */ - break; - /* otherwise this is terminal */ - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - retval = (cmd->opcode == O_DIVERT) ? - IP_FW_DIVERT : IP_FW_TEE; - set_match(args, f_pos, chain); - args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; - break; - - case O_COUNT: - f->pcnt++; /* update stats */ - f->bcnt += pktlen; - f->timestamp = time_uptime; - l = 0; /* exit inner loop */ - break; - - case O_SKIPTO: - f->pcnt++; /* update stats */ - f->bcnt += pktlen; - f->timestamp = time_uptime; - /* If possible use cached f_pos (in f->next_rule), - * whose version is written in f->next_rule - * (horrible hacks to avoid changing the ABI). - */ - if (cmd->arg1 != IP_FW_TABLEARG && - (uintptr_t)f->x_next == chain->id) { - f_pos = (uintptr_t)f->next_rule; - } else { - int i = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; - /* make sure we do not jump backward */ - if (i <= f->rulenum) - i = f->rulenum + 1; - f_pos = ipfw_find_rule(chain, i, 0); - /* update the cache */ - if (cmd->arg1 != IP_FW_TABLEARG) { - f->next_rule = - (void *)(uintptr_t)f_pos; - f->x_next = - (void *)(uintptr_t)chain->id; - } - } - /* - * Skip disabled rules, and re-enter - * the inner loop with the correct - * f_pos, f, l and cmd. - * Also clear cmdlen and skip_or - */ - for (; f_pos < chain->n_rules - 1 && - (V_set_disable & - (1 << chain->map[f_pos]->set)); - f_pos++) - ; - /* Re-enter the inner loop at the skipto rule. */ - f = chain->map[f_pos]; - l = f->cmd_len; - cmd = f->cmd; - match = 1; - cmdlen = 0; - skip_or = 0; - continue; - break; /* not reached */ - - case O_CALLRETURN: { - /* - * Implementation of `subroutine' call/return, - * in the stack carried in an mbuf tag. This - * is different from `skipto' in that any call - * address is possible (`skipto' must prevent - * backward jumps to avoid endless loops). - * We have `return' action when F_NOT flag is - * present. The `m_tag_id' field is used as - * stack pointer. - */ - struct m_tag *mtag; - uint16_t jmpto, *stack; - -#define IS_CALL ((cmd->len & F_NOT) == 0) -#define IS_RETURN ((cmd->len & F_NOT) != 0) - /* - * Hand-rolled version of m_tag_locate() with - * wildcard `type'. - * If not already tagged, allocate new tag. - */ - mtag = m_tag_first(m); - while (mtag != NULL) { - if (mtag->m_tag_cookie == - MTAG_IPFW_CALL) - break; - mtag = m_tag_next(m, mtag); - } - if (mtag == NULL && IS_CALL) { - mtag = m_tag_alloc(MTAG_IPFW_CALL, 0, - IPFW_CALLSTACK_SIZE * - sizeof(uint16_t), M_NOWAIT); - if (mtag != NULL) - m_tag_prepend(m, mtag); - } - - /* - * On error both `call' and `return' just - * continue with next rule. - */ - if (IS_RETURN && (mtag == NULL || - mtag->m_tag_id == 0)) { - l = 0; /* exit inner loop */ - break; - } - if (IS_CALL && (mtag == NULL || - mtag->m_tag_id >= IPFW_CALLSTACK_SIZE)) { - printf("ipfw: call stack error, " - "go to next rule\n"); - l = 0; /* exit inner loop */ - break; - } - - f->pcnt++; /* update stats */ - f->bcnt += pktlen; - f->timestamp = time_uptime; - stack = (uint16_t *)(mtag + 1); - - /* - * The `call' action may use cached f_pos - * (in f->next_rule), whose version is written - * in f->next_rule. - * The `return' action, however, doesn't have - * fixed jump address in cmd->arg1 and can't use - * cache. - */ - if (IS_CALL) { - stack[mtag->m_tag_id] = f->rulenum; - mtag->m_tag_id++; - if (cmd->arg1 != IP_FW_TABLEARG && - (uintptr_t)f->x_next == chain->id) { - f_pos = (uintptr_t)f->next_rule; - } else { - jmpto = (cmd->arg1 == - IP_FW_TABLEARG) ? tablearg: - cmd->arg1; - f_pos = ipfw_find_rule(chain, - jmpto, 0); - /* update the cache */ - if (cmd->arg1 != - IP_FW_TABLEARG) { - f->next_rule = - (void *)(uintptr_t) - f_pos; - f->x_next = - (void *)(uintptr_t) - chain->id; - } - } - } else { /* `return' action */ - mtag->m_tag_id--; - jmpto = stack[mtag->m_tag_id] + 1; - f_pos = ipfw_find_rule(chain, jmpto, 0); - } - - /* - * Skip disabled rules, and re-enter - * the inner loop with the correct - * f_pos, f, l and cmd. - * Also clear cmdlen and skip_or - */ - for (; f_pos < chain->n_rules - 1 && - (V_set_disable & - (1 << chain->map[f_pos]->set)); f_pos++) - ; - /* Re-enter the inner loop at the dest rule. */ - f = chain->map[f_pos]; - l = f->cmd_len; - cmd = f->cmd; - cmdlen = 0; - skip_or = 0; - continue; - break; /* NOTREACHED */ - } -#undef IS_CALL -#undef IS_RETURN - - case O_REJECT: - /* - * Drop the packet and send a reject notice - * if the packet is not ICMP (or is an ICMP - * query), and it is not multicast/broadcast. - */ - if (hlen > 0 && is_ipv4 && offset == 0 && - (proto != IPPROTO_ICMP || - is_icmp_query(ICMP(ulp))) && - !(m->m_flags & (M_BCAST|M_MCAST)) && - !IN_MULTICAST(ntohl(dst_ip.s_addr))) { - send_reject(args, cmd->arg1, iplen, ip); - m = args->m; - } - /* FALLTHROUGH */ -#ifdef INET6 - case O_UNREACH6: - if (hlen > 0 && is_ipv6 && - ((offset & IP6F_OFF_MASK) == 0) && - (proto != IPPROTO_ICMPV6 || - (is_icmp6_query(icmp6_type) == 1)) && - !(m->m_flags & (M_BCAST|M_MCAST)) && - !IN6_IS_ADDR_MULTICAST(&args->f_id.dst_ip6)) { - send_reject6( - args, cmd->arg1, hlen, - (struct ip6_hdr *)ip); - m = args->m; - } - /* FALLTHROUGH */ -#endif - case O_DENY: - retval = IP_FW_DENY; - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - break; - - case O_FORWARD_IP: - if (args->eh) /* not valid on layer2 pkts */ - break; - if (q == NULL || q->rule != f || - dyn_dir == MATCH_FORWARD) { - struct sockaddr_in *sa; - sa = &(((ipfw_insn_sa *)cmd)->sa); - if (sa->sin_addr.s_addr == INADDR_ANY) { - bcopy(sa, &args->hopstore, - sizeof(*sa)); - args->hopstore.sin_addr.s_addr = - htonl(tablearg); - args->next_hop = &args->hopstore; - } else { - args->next_hop = sa; - } - } - retval = IP_FW_PASS; - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - break; - -#ifdef INET6 - case O_FORWARD_IP6: - if (args->eh) /* not valid on layer2 pkts */ - break; - if (q == NULL || q->rule != f || - dyn_dir == MATCH_FORWARD) { - struct sockaddr_in6 *sin6; - - sin6 = &(((ipfw_insn_sa6 *)cmd)->sa); - args->next_hop6 = sin6; - } - retval = IP_FW_PASS; - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - break; -#endif - - case O_NETGRAPH: - case O_NGTEE: - set_match(args, f_pos, chain); - args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; - if (V_fw_one_pass) - args->rule.info |= IPFW_ONEPASS; - retval = (cmd->opcode == O_NETGRAPH) ? - IP_FW_NETGRAPH : IP_FW_NGTEE; - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - break; - - case O_SETFIB: { - uint32_t fib; - - f->pcnt++; /* update stats */ - f->bcnt += pktlen; - f->timestamp = time_uptime; - fib = (cmd->arg1 == IP_FW_TABLEARG) ? tablearg: - cmd->arg1; - if (fib >= rt_numfibs) - fib = 0; - M_SETFIB(m, fib); - args->f_id.fib = fib; - l = 0; /* exit inner loop */ - break; - } - - case O_NAT: - if (!IPFW_NAT_LOADED) { - retval = IP_FW_DENY; - } else { - struct cfg_nat *t; - int nat_id; - - set_match(args, f_pos, chain); - /* Check if this is 'global' nat rule */ - if (cmd->arg1 == 0) { - retval = ipfw_nat_ptr(args, NULL, m); - l = 0; - done = 1; - break; - } - t = ((ipfw_insn_nat *)cmd)->nat; - if (t == NULL) { - nat_id = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; - t = (*lookup_nat_ptr)(&chain->nat, nat_id); - - if (t == NULL) { - retval = IP_FW_DENY; - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - break; - } - if (cmd->arg1 != IP_FW_TABLEARG) - ((ipfw_insn_nat *)cmd)->nat = t; - } - retval = ipfw_nat_ptr(args, t, m); - } - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ - break; - - case O_REASS: { - int ip_off; - - f->pcnt++; - f->bcnt += pktlen; - l = 0; /* in any case exit inner loop */ - ip_off = ntohs(ip->ip_off); - - /* if not fragmented, go to next rule */ - if ((ip_off & (IP_MF | IP_OFFMASK)) == 0) - break; - /* - * ip_reass() expects len & off in host - * byte order. - */ - SET_HOST_IPLEN(ip); - - args->m = m = ip_reass(m); - - /* - * do IP header checksum fixup. - */ - if (m == NULL) { /* fragment got swallowed */ - retval = IP_FW_DENY; - } else { /* good, packet complete */ - int hlen; - - ip = mtod(m, struct ip *); - hlen = ip->ip_hl << 2; - SET_NET_IPLEN(ip); - ip->ip_sum = 0; - if (hlen == sizeof(struct ip)) - ip->ip_sum = in_cksum_hdr(ip); - else - ip->ip_sum = in_cksum(m, hlen); - retval = IP_FW_REASS; - set_match(args, f_pos, chain); - } - done = 1; /* exit outer loop */ - break; - } - - default: - panic("-- unknown opcode %d\n", cmd->opcode); - } /* end of switch() on opcodes */ - /* - * if we get here with l=0, then match is irrelevant. - */ - - if (cmd->len & F_NOT) - match = !match; - - if (match) { - if (cmd->len & F_OR) - skip_or = 1; - } else { - if (!(cmd->len & F_OR)) /* not an OR block, */ - break; /* try next rule */ - } - - } /* end of inner loop, scan opcodes */ -#undef PULLUP_LEN - - if (done) - break; - -/* next_rule:; */ /* try next rule */ - - } /* end of outer for, scan rules */ - - if (done) { - struct ip_fw *rule = chain->map[f_pos]; - /* Update statistics */ - rule->pcnt++; - rule->bcnt += pktlen; - rule->timestamp = time_uptime; - } else { - retval = IP_FW_DENY; - printf("ipfw: ouch!, skip past end of rules, denying packet\n"); - } - IPFW_RUNLOCK(chain); -#ifdef __FreeBSD__ - if (ucred_cache != NULL) - crfree(ucred_cache); -#endif - return (retval); - -pullup_failed: - if (V_fw_verbose) - printf("ipfw: pullup failed\n"); - return (IP_FW_DENY); -} - -/* - * Set maximum number of tables that can be used in given VNET ipfw instance. - */ -#ifdef SYSCTL_NODE -static int -sysctl_ipfw_table_num(SYSCTL_HANDLER_ARGS) -{ - int error; - unsigned int ntables; - - ntables = V_fw_tables_max; - - error = sysctl_handle_int(oidp, &ntables, 0, req); - /* Read operation or some error */ - if ((error != 0) || (req->newptr == NULL)) - return (error); - - return (ipfw_resize_tables(&V_layer3_chain, ntables)); -} -#endif -/* - * Module and VNET glue - */ - -/* - * Stuff that must be initialised only on boot or module load - */ -static int -ipfw_init(void) -{ - int error = 0; - - ipfw_dyn_attach(); - /* - * Only print out this stuff the first time around, - * when called from the sysinit code. - */ - printf("ipfw2 " -#ifdef INET6 - "(+ipv6) " -#endif - "initialized, divert %s, nat %s, " - "rule-based forwarding " -#ifdef IPFIREWALL_FORWARD - "enabled, " -#else - "disabled, " -#endif - "default to %s, logging ", -#ifdef IPDIVERT - "enabled", -#else - "loadable", -#endif -#ifdef IPFIREWALL_NAT - "enabled", -#else - "loadable", -#endif - default_to_accept ? "accept" : "deny"); - - /* - * Note: V_xxx variables can be accessed here but the vnet specific - * initializer may not have been called yet for the VIMAGE case. - * Tuneables will have been processed. We will print out values for - * the default vnet. - * XXX This should all be rationalized AFTER 8.0 - */ - if (V_fw_verbose == 0) - printf("disabled\n"); - else if (V_verbose_limit == 0) - printf("unlimited\n"); - else - printf("limited to %d packets/entry by default\n", - V_verbose_limit); - - /* Check user-supplied table count for validness */ - if (default_fw_tables > IPFW_TABLES_MAX) - default_fw_tables = IPFW_TABLES_MAX; - - ipfw_log_bpf(1); /* init */ - return (error); -} - -/* - * Called for the removal of the last instance only on module unload. - */ -static void -ipfw_destroy(void) -{ - - ipfw_log_bpf(0); /* uninit */ - ipfw_dyn_detach(); - printf("IP firewall unloaded\n"); -} - -/* - * Stuff that must be initialized for every instance - * (including the first of course). - */ -static int -vnet_ipfw_init(const void *unused) -{ - int error; - struct ip_fw *rule = NULL; - struct ip_fw_chain *chain; - - chain = &V_layer3_chain; - - /* First set up some values that are compile time options */ - V_autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ - V_fw_deny_unknown_exthdrs = 1; -#ifdef IPFIREWALL_VERBOSE - V_fw_verbose = 1; -#endif -#ifdef IPFIREWALL_VERBOSE_LIMIT - V_verbose_limit = IPFIREWALL_VERBOSE_LIMIT; -#endif -#ifdef IPFIREWALL_NAT - LIST_INIT(&chain->nat); -#endif - - /* insert the default rule and create the initial map */ - chain->n_rules = 1; - chain->static_len = sizeof(struct ip_fw); - chain->map = malloc(sizeof(struct ip_fw *), M_IPFW, M_WAITOK | M_ZERO); - if (chain->map) - rule = malloc(chain->static_len, M_IPFW, M_WAITOK | M_ZERO); - - /* Set initial number of tables */ - V_fw_tables_max = default_fw_tables; - error = ipfw_init_tables(chain); - if (error) { - printf("ipfw2: setting up tables failed\n"); - free(chain->map, M_IPFW); - free(rule, M_IPFW); - return (ENOSPC); - } - - /* fill and insert the default rule */ - rule->act_ofs = 0; - rule->rulenum = IPFW_DEFAULT_RULE; - rule->cmd_len = 1; - rule->set = RESVD_SET; - rule->cmd[0].len = 1; - rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY; - chain->rules = chain->default_rule = chain->map[0] = rule; - chain->id = rule->id = 1; - - IPFW_LOCK_INIT(chain); - ipfw_dyn_init(); - - /* First set up some values that are compile time options */ - V_ipfw_vnet_ready = 1; /* Open for business */ - - /* - * Hook the sockopt handler, and the layer2 (V_ip_fw_chk_ptr) - * and pfil hooks for ipv4 and ipv6. Even if the latter two fail - * we still keep the module alive because the sockopt and - * layer2 paths are still useful. - * ipfw[6]_hook return 0 on success, ENOENT on failure, - * so we can ignore the exact return value and just set a flag. - * - * Note that V_fw[6]_enable are manipulated by a SYSCTL_PROC so - * changes in the underlying (per-vnet) variables trigger - * immediate hook()/unhook() calls. - * In layer2 we have the same behaviour, except that V_ether_ipfw - * is checked on each packet because there are no pfil hooks. - */ - V_ip_fw_ctl_ptr = ipfw_ctl; - V_ip_fw_chk_ptr = ipfw_chk; - error = ipfw_attach_hooks(1); - return (error); -} - -/* - * Called for the removal of each instance. - */ -static int -vnet_ipfw_uninit(const void *unused) -{ - struct ip_fw *reap, *rule; - struct ip_fw_chain *chain = &V_layer3_chain; - int i; - - V_ipfw_vnet_ready = 0; /* tell new callers to go away */ - /* - * disconnect from ipv4, ipv6, layer2 and sockopt. - * Then grab, release and grab again the WLOCK so we make - * sure the update is propagated and nobody will be in. - */ - (void)ipfw_attach_hooks(0 /* detach */); - V_ip_fw_chk_ptr = NULL; - V_ip_fw_ctl_ptr = NULL; - IPFW_UH_WLOCK(chain); - IPFW_UH_WUNLOCK(chain); - IPFW_UH_WLOCK(chain); - - IPFW_WLOCK(chain); - ipfw_dyn_uninit(0); /* run the callout_drain */ - IPFW_WUNLOCK(chain); - - ipfw_destroy_tables(chain); - reap = NULL; - IPFW_WLOCK(chain); - for (i = 0; i < chain->n_rules; i++) { - rule = chain->map[i]; - rule->x_next = reap; - reap = rule; - } - if (chain->map) - free(chain->map, M_IPFW); - IPFW_WUNLOCK(chain); - IPFW_UH_WUNLOCK(chain); - if (reap != NULL) - ipfw_reap_rules(reap); - IPFW_LOCK_DESTROY(chain); - ipfw_dyn_uninit(1); /* free the remaining parts */ - return 0; -} - -/* - * Module event handler. - * In general we have the choice of handling most of these events by the - * event handler or by the (VNET_)SYS(UN)INIT handlers. I have chosen to - * use the SYSINIT handlers as they are more capable of expressing the - * flow of control during module and vnet operations, so this is just - * a skeleton. Note there is no SYSINIT equivalent of the module - * SHUTDOWN handler, but we don't have anything to do in that case anyhow. - */ -static int -ipfw_modevent(module_t mod, int type, void *unused) -{ - int err = 0; - - switch (type) { - case MOD_LOAD: - /* Called once at module load or - * system boot if compiled in. */ - break; - case MOD_QUIESCE: - /* Called before unload. May veto unloading. */ - break; - case MOD_UNLOAD: - /* Called during unload. */ - break; - case MOD_SHUTDOWN: - /* Called during system shutdown. */ - break; - default: - err = EOPNOTSUPP; - break; - } - return err; -} - -static moduledata_t ipfwmod = { - "ipfw", - ipfw_modevent, - 0 -}; - -/* Define startup order. */ -#define IPFW_SI_SUB_FIREWALL SI_SUB_PROTO_IFATTACHDOMAIN -#define IPFW_MODEVENT_ORDER (SI_ORDER_ANY - 255) /* On boot slot in here. */ -#define IPFW_MODULE_ORDER (IPFW_MODEVENT_ORDER + 1) /* A little later. */ -#define IPFW_VNET_ORDER (IPFW_MODEVENT_ORDER + 2) /* Later still. */ - -DECLARE_MODULE(ipfw, ipfwmod, IPFW_SI_SUB_FIREWALL, IPFW_MODEVENT_ORDER); -MODULE_VERSION(ipfw, 2); -/* should declare some dependencies here */ - -/* - * Starting up. Done in order after ipfwmod() has been called. - * VNET_SYSINIT is also called for each existing vnet and each new vnet. - */ -SYSINIT(ipfw_init, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER, - ipfw_init, NULL); -VNET_SYSINIT(vnet_ipfw_init, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER, - vnet_ipfw_init, NULL); - -/* - * Closing up shop. These are done in REVERSE ORDER, but still - * after ipfwmod() has been called. Not called on reboot. - * VNET_SYSUNINIT is also called for each exiting vnet as it exits. - * or when the module is unloaded. - */ -SYSUNINIT(ipfw_destroy, IPFW_SI_SUB_FIREWALL, IPFW_MODULE_ORDER, - ipfw_destroy, NULL); -VNET_SYSUNINIT(vnet_ipfw_uninit, IPFW_SI_SUB_FIREWALL, IPFW_VNET_ORDER, - vnet_ipfw_uninit, NULL); -/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_dynamic.c b/sys/netinet/ipfw/ip_fw_dynamic.c deleted file mode 100644 index 7cff94f..0000000 --- a/sys/netinet/ipfw/ip_fw_dynamic.c +++ /dev/null @@ -1,1242 +0,0 @@ -/*- - * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#define DEB(x) -#define DDB(x) x - -/* - * Dynamic rule support for ipfw - */ - -#include "opt_ipfw.h" -#include "opt_inet.h" -#ifndef INET -#error IPFIREWALL requires INET. -#endif /* INET */ -#include "opt_inet6.h" - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/malloc.h> -#include <sys/mbuf.h> -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/socket.h> -#include <sys/sysctl.h> -#include <sys/syslog.h> -#include <net/ethernet.h> /* for ETHERTYPE_IP */ -#include <net/if.h> -#include <net/vnet.h> - -#include <netinet/in.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> /* ip_defttl */ -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> -#include <netinet/tcp_var.h> -#include <netinet/udp.h> - -#include <netinet/ip6.h> /* IN6_ARE_ADDR_EQUAL */ -#ifdef INET6 -#include <netinet6/in6_var.h> -#include <netinet6/ip6_var.h> -#endif - -#include <machine/in_cksum.h> /* XXX for in_cksum */ - -#ifdef MAC -#include <security/mac/mac_framework.h> -#endif - -/* - * Description of dynamic rules. - * - * Dynamic rules are stored in lists accessed through a hash table - * (ipfw_dyn_v) whose size is curr_dyn_buckets. This value can - * be modified through the sysctl variable dyn_buckets which is - * updated when the table becomes empty. - * - * XXX currently there is only one list, ipfw_dyn. - * - * When a packet is received, its address fields are first masked - * with the mask defined for the rule, then hashed, then matched - * against the entries in the corresponding list. - * Dynamic rules can be used for different purposes: - * + stateful rules; - * + enforcing limits on the number of sessions; - * + in-kernel NAT (not implemented yet) - * - * The lifetime of dynamic rules is regulated by dyn_*_lifetime, - * measured in seconds and depending on the flags. - * - * The total number of dynamic rules is stored in dyn_count. - * The max number of dynamic rules is dyn_max. When we reach - * the maximum number of rules we do not create anymore. This is - * done to avoid consuming too much memory, but also too much - * time when searching on each packet (ideally, we should try instead - * to put a limit on the length of the list on each bucket...). - * - * Each dynamic rule holds a pointer to the parent ipfw rule so - * we know what action to perform. Dynamic rules are removed when - * the parent rule is deleted. XXX we should make them survive. - * - * There are some limitations with dynamic rules -- we do not - * obey the 'randomized match', and we do not do multiple - * passes through the firewall. XXX check the latter!!! - */ - -/* - * Static variables followed by global ones - */ -static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v); -static VNET_DEFINE(u_int32_t, dyn_buckets); -static VNET_DEFINE(u_int32_t, curr_dyn_buckets); -static VNET_DEFINE(struct callout, ipfw_timeout); -#define V_ipfw_dyn_v VNET(ipfw_dyn_v) -#define V_dyn_buckets VNET(dyn_buckets) -#define V_curr_dyn_buckets VNET(curr_dyn_buckets) -#define V_ipfw_timeout VNET(ipfw_timeout) - -static uma_zone_t ipfw_dyn_rule_zone; -#ifndef __FreeBSD__ -DEFINE_SPINLOCK(ipfw_dyn_mtx); -#else -static struct mtx ipfw_dyn_mtx; /* mutex guarding dynamic rules */ -#endif - -#define IPFW_DYN_LOCK_INIT() \ - mtx_init(&ipfw_dyn_mtx, "IPFW dynamic rules", NULL, MTX_DEF) -#define IPFW_DYN_LOCK_DESTROY() mtx_destroy(&ipfw_dyn_mtx) -#define IPFW_DYN_LOCK() mtx_lock(&ipfw_dyn_mtx) -#define IPFW_DYN_UNLOCK() mtx_unlock(&ipfw_dyn_mtx) -#define IPFW_DYN_LOCK_ASSERT() mtx_assert(&ipfw_dyn_mtx, MA_OWNED) - -void -ipfw_dyn_unlock(void) -{ - IPFW_DYN_UNLOCK(); -} - -/* - * Timeouts for various events in handing dynamic rules. - */ -static VNET_DEFINE(u_int32_t, dyn_ack_lifetime); -static VNET_DEFINE(u_int32_t, dyn_syn_lifetime); -static VNET_DEFINE(u_int32_t, dyn_fin_lifetime); -static VNET_DEFINE(u_int32_t, dyn_rst_lifetime); -static VNET_DEFINE(u_int32_t, dyn_udp_lifetime); -static VNET_DEFINE(u_int32_t, dyn_short_lifetime); - -#define V_dyn_ack_lifetime VNET(dyn_ack_lifetime) -#define V_dyn_syn_lifetime VNET(dyn_syn_lifetime) -#define V_dyn_fin_lifetime VNET(dyn_fin_lifetime) -#define V_dyn_rst_lifetime VNET(dyn_rst_lifetime) -#define V_dyn_udp_lifetime VNET(dyn_udp_lifetime) -#define V_dyn_short_lifetime VNET(dyn_short_lifetime) - -/* - * Keepalives are sent if dyn_keepalive is set. They are sent every - * dyn_keepalive_period seconds, in the last dyn_keepalive_interval - * seconds of lifetime of a rule. - * dyn_rst_lifetime and dyn_fin_lifetime should be strictly lower - * than dyn_keepalive_period. - */ - -static VNET_DEFINE(u_int32_t, dyn_keepalive_interval); -static VNET_DEFINE(u_int32_t, dyn_keepalive_period); -static VNET_DEFINE(u_int32_t, dyn_keepalive); - -#define V_dyn_keepalive_interval VNET(dyn_keepalive_interval) -#define V_dyn_keepalive_period VNET(dyn_keepalive_period) -#define V_dyn_keepalive VNET(dyn_keepalive) - -static VNET_DEFINE(u_int32_t, dyn_count); /* # of dynamic rules */ -static VNET_DEFINE(u_int32_t, dyn_max); /* max # of dynamic rules */ - -#define V_dyn_count VNET(dyn_count) -#define V_dyn_max VNET(dyn_max) - -#ifdef SYSCTL_NODE - -SYSBEGIN(f2) - -SYSCTL_DECL(_net_inet_ip_fw); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, - CTLFLAG_RW, &VNET_NAME(dyn_buckets), 0, - "Number of dyn. buckets"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, - CTLFLAG_RD, &VNET_NAME(curr_dyn_buckets), 0, - "Current Number of dyn. buckets"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_count, - CTLFLAG_RD, &VNET_NAME(dyn_count), 0, - "Number of dyn. rules"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_max, - CTLFLAG_RW, &VNET_NAME(dyn_max), 0, - "Max number of dyn. rules"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, - CTLFLAG_RW, &VNET_NAME(dyn_ack_lifetime), 0, - "Lifetime of dyn. rules for acks"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, - CTLFLAG_RW, &VNET_NAME(dyn_syn_lifetime), 0, - "Lifetime of dyn. rules for syn"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, - CTLFLAG_RW, &VNET_NAME(dyn_fin_lifetime), 0, - "Lifetime of dyn. rules for fin"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, - CTLFLAG_RW, &VNET_NAME(dyn_rst_lifetime), 0, - "Lifetime of dyn. rules for rst"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, - CTLFLAG_RW, &VNET_NAME(dyn_udp_lifetime), 0, - "Lifetime of dyn. rules for UDP"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, - CTLFLAG_RW, &VNET_NAME(dyn_short_lifetime), 0, - "Lifetime of dyn. rules for other situations"); -SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, - CTLFLAG_RW, &VNET_NAME(dyn_keepalive), 0, - "Enable keepalives for dyn. rules"); - -SYSEND - -#endif /* SYSCTL_NODE */ - - -static __inline int -hash_packet6(struct ipfw_flow_id *id) -{ - u_int32_t i; - i = (id->dst_ip6.__u6_addr.__u6_addr32[2]) ^ - (id->dst_ip6.__u6_addr.__u6_addr32[3]) ^ - (id->src_ip6.__u6_addr.__u6_addr32[2]) ^ - (id->src_ip6.__u6_addr.__u6_addr32[3]) ^ - (id->dst_port) ^ (id->src_port); - return i; -} - -/* - * IMPORTANT: the hash function for dynamic rules must be commutative - * in source and destination (ip,port), because rules are bidirectional - * and we want to find both in the same bucket. - */ -static __inline int -hash_packet(struct ipfw_flow_id *id) -{ - u_int32_t i; - -#ifdef INET6 - if (IS_IP6_FLOW_ID(id)) - i = hash_packet6(id); - else -#endif /* INET6 */ - i = (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port); - i &= (V_curr_dyn_buckets - 1); - return i; -} - -static __inline void -unlink_dyn_rule_print(struct ipfw_flow_id *id) -{ - struct in_addr da; -#ifdef INET6 - char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN]; -#else - char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN]; -#endif - -#ifdef INET6 - if (IS_IP6_FLOW_ID(id)) { - ip6_sprintf(src, &id->src_ip6); - ip6_sprintf(dst, &id->dst_ip6); - } else -#endif - { - da.s_addr = htonl(id->src_ip); - inet_ntoa_r(da, src); - da.s_addr = htonl(id->dst_ip); - inet_ntoa_r(da, dst); - } - printf("ipfw: unlink entry %s %d -> %s %d, %d left\n", - src, id->src_port, dst, id->dst_port, V_dyn_count - 1); -} - -/** - * unlink a dynamic rule from a chain. prev is a pointer to - * the previous one, q is a pointer to the rule to delete, - * head is a pointer to the head of the queue. - * Modifies q and potentially also head. - */ -#define UNLINK_DYN_RULE(prev, head, q) { \ - ipfw_dyn_rule *old_q = q; \ - \ - /* remove a refcount to the parent */ \ - if (q->dyn_type == O_LIMIT) \ - q->parent->count--; \ - DEB(unlink_dyn_rule_print(&q->id);) \ - if (prev != NULL) \ - prev->next = q = q->next; \ - else \ - head = q = q->next; \ - V_dyn_count--; \ - uma_zfree(ipfw_dyn_rule_zone, old_q); } - -#define TIME_LEQ(a,b) ((int)((a)-(b)) <= 0) - -/** - * Remove dynamic rules pointing to "rule", or all of them if rule == NULL. - * - * If keep_me == NULL, rules are deleted even if not expired, - * otherwise only expired rules are removed. - * - * The value of the second parameter is also used to point to identify - * a rule we absolutely do not want to remove (e.g. because we are - * holding a reference to it -- this is the case with O_LIMIT_PARENT - * rules). The pointer is only used for comparison, so any non-null - * value will do. - */ -static void -remove_dyn_rule(struct ip_fw *rule, ipfw_dyn_rule *keep_me) -{ - static u_int32_t last_remove = 0; - -#define FORCE (keep_me == NULL) - - ipfw_dyn_rule *prev, *q; - int i, pass = 0, max_pass = 0; - - IPFW_DYN_LOCK_ASSERT(); - - if (V_ipfw_dyn_v == NULL || V_dyn_count == 0) - return; - /* do not expire more than once per second, it is useless */ - if (!FORCE && last_remove == time_uptime) - return; - last_remove = time_uptime; - - /* - * because O_LIMIT refer to parent rules, during the first pass only - * remove child and mark any pending LIMIT_PARENT, and remove - * them in a second pass. - */ -next_pass: - for (i = 0 ; i < V_curr_dyn_buckets ; i++) { - for (prev=NULL, q = V_ipfw_dyn_v[i] ; q ; ) { - /* - * Logic can become complex here, so we split tests. - */ - if (q == keep_me) - goto next; - if (rule != NULL && rule != q->rule) - goto next; /* not the one we are looking for */ - if (q->dyn_type == O_LIMIT_PARENT) { - /* - * handle parent in the second pass, - * record we need one. - */ - max_pass = 1; - if (pass == 0) - goto next; - if (FORCE && q->count != 0 ) { - /* XXX should not happen! */ - printf("ipfw: OUCH! cannot remove rule," - " count %d\n", q->count); - } - } else { - if (!FORCE && - !TIME_LEQ( q->expire, time_uptime )) - goto next; - } - if (q->dyn_type != O_LIMIT_PARENT || !q->count) { - UNLINK_DYN_RULE(prev, V_ipfw_dyn_v[i], q); - continue; - } -next: - prev=q; - q=q->next; - } - } - if (pass++ < max_pass) - goto next_pass; -} - -void -ipfw_remove_dyn_children(struct ip_fw *rule) -{ - IPFW_DYN_LOCK(); - remove_dyn_rule(rule, NULL /* force removal */); - IPFW_DYN_UNLOCK(); -} - -/* - * Lookup a dynamic rule, locked version. - */ -static ipfw_dyn_rule * -lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction, - struct tcphdr *tcp) -{ - /* - * Stateful ipfw extensions. - * Lookup into dynamic session queue. - */ -#define MATCH_REVERSE 0 -#define MATCH_FORWARD 1 -#define MATCH_NONE 2 -#define MATCH_UNKNOWN 3 - int i, dir = MATCH_NONE; - ipfw_dyn_rule *prev, *q = NULL; - - IPFW_DYN_LOCK_ASSERT(); - - if (V_ipfw_dyn_v == NULL) - goto done; /* not found */ - i = hash_packet(pkt); - for (prev = NULL, q = V_ipfw_dyn_v[i]; q != NULL;) { - if (q->dyn_type == O_LIMIT_PARENT && q->count) - goto next; - if (TIME_LEQ(q->expire, time_uptime)) { /* expire entry */ - UNLINK_DYN_RULE(prev, V_ipfw_dyn_v[i], q); - continue; - } - if (pkt->proto != q->id.proto || q->dyn_type == O_LIMIT_PARENT) - goto next; - - if (IS_IP6_FLOW_ID(pkt)) { - if (IN6_ARE_ADDR_EQUAL(&pkt->src_ip6, &q->id.src_ip6) && - IN6_ARE_ADDR_EQUAL(&pkt->dst_ip6, &q->id.dst_ip6) && - pkt->src_port == q->id.src_port && - pkt->dst_port == q->id.dst_port) { - dir = MATCH_FORWARD; - break; - } - if (IN6_ARE_ADDR_EQUAL(&pkt->src_ip6, &q->id.dst_ip6) && - IN6_ARE_ADDR_EQUAL(&pkt->dst_ip6, &q->id.src_ip6) && - pkt->src_port == q->id.dst_port && - pkt->dst_port == q->id.src_port) { - dir = MATCH_REVERSE; - break; - } - } else { - if (pkt->src_ip == q->id.src_ip && - pkt->dst_ip == q->id.dst_ip && - pkt->src_port == q->id.src_port && - pkt->dst_port == q->id.dst_port) { - dir = MATCH_FORWARD; - break; - } - if (pkt->src_ip == q->id.dst_ip && - pkt->dst_ip == q->id.src_ip && - pkt->src_port == q->id.dst_port && - pkt->dst_port == q->id.src_port) { - dir = MATCH_REVERSE; - break; - } - } -next: - prev = q; - q = q->next; - } - if (q == NULL) - goto done; /* q = NULL, not found */ - - if (prev != NULL) { /* found and not in front */ - prev->next = q->next; - q->next = V_ipfw_dyn_v[i]; - V_ipfw_dyn_v[i] = q; - } - if (pkt->proto == IPPROTO_TCP) { /* update state according to flags */ - uint32_t ack; - u_char flags = pkt->_flags & (TH_FIN | TH_SYN | TH_RST); - -#define BOTH_SYN (TH_SYN | (TH_SYN << 8)) -#define BOTH_FIN (TH_FIN | (TH_FIN << 8)) -#define TCP_FLAGS (TH_FLAGS | (TH_FLAGS << 8)) -#define ACK_FWD 0x10000 /* fwd ack seen */ -#define ACK_REV 0x20000 /* rev ack seen */ - - q->state |= (dir == MATCH_FORWARD) ? flags : (flags << 8); - switch (q->state & TCP_FLAGS) { - case TH_SYN: /* opening */ - q->expire = time_uptime + V_dyn_syn_lifetime; - break; - - case BOTH_SYN: /* move to established */ - case BOTH_SYN | TH_FIN: /* one side tries to close */ - case BOTH_SYN | (TH_FIN << 8): -#define _SEQ_GE(a,b) ((int)(a) - (int)(b) >= 0) - if (tcp == NULL) - break; - - ack = ntohl(tcp->th_ack); - if (dir == MATCH_FORWARD) { - if (q->ack_fwd == 0 || - _SEQ_GE(ack, q->ack_fwd)) { - q->ack_fwd = ack; - q->state |= ACK_FWD; - } - } else { - if (q->ack_rev == 0 || - _SEQ_GE(ack, q->ack_rev)) { - q->ack_rev = ack; - q->state |= ACK_REV; - } - } - if ((q->state & (ACK_FWD | ACK_REV)) == - (ACK_FWD | ACK_REV)) { - q->expire = time_uptime + V_dyn_ack_lifetime; - q->state &= ~(ACK_FWD | ACK_REV); - } - break; - - case BOTH_SYN | BOTH_FIN: /* both sides closed */ - if (V_dyn_fin_lifetime >= V_dyn_keepalive_period) - V_dyn_fin_lifetime = V_dyn_keepalive_period - 1; - q->expire = time_uptime + V_dyn_fin_lifetime; - break; - - default: -#if 0 - /* - * reset or some invalid combination, but can also - * occur if we use keep-state the wrong way. - */ - if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0) - printf("invalid state: 0x%x\n", q->state); -#endif - if (V_dyn_rst_lifetime >= V_dyn_keepalive_period) - V_dyn_rst_lifetime = V_dyn_keepalive_period - 1; - q->expire = time_uptime + V_dyn_rst_lifetime; - break; - } - } else if (pkt->proto == IPPROTO_UDP) { - q->expire = time_uptime + V_dyn_udp_lifetime; - } else { - /* other protocols */ - q->expire = time_uptime + V_dyn_short_lifetime; - } -done: - if (match_direction != NULL) - *match_direction = dir; - return (q); -} - -ipfw_dyn_rule * -ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction, - struct tcphdr *tcp) -{ - ipfw_dyn_rule *q; - - IPFW_DYN_LOCK(); - q = lookup_dyn_rule_locked(pkt, match_direction, tcp); - if (q == NULL) - IPFW_DYN_UNLOCK(); - /* NB: return table locked when q is not NULL */ - return q; -} - -static void -realloc_dynamic_table(void) -{ - IPFW_DYN_LOCK_ASSERT(); - - /* - * Try reallocation, make sure we have a power of 2 and do - * not allow more than 64k entries. In case of overflow, - * default to 1024. - */ - - if (V_dyn_buckets > 65536) - V_dyn_buckets = 1024; - if ((V_dyn_buckets & (V_dyn_buckets-1)) != 0) { /* not a power of 2 */ - V_dyn_buckets = V_curr_dyn_buckets; /* reset */ - return; - } - V_curr_dyn_buckets = V_dyn_buckets; - if (V_ipfw_dyn_v != NULL) - free(V_ipfw_dyn_v, M_IPFW); - for (;;) { - V_ipfw_dyn_v = malloc(V_curr_dyn_buckets * sizeof(ipfw_dyn_rule *), - M_IPFW, M_NOWAIT | M_ZERO); - if (V_ipfw_dyn_v != NULL || V_curr_dyn_buckets <= 2) - break; - V_curr_dyn_buckets /= 2; - } -} - -/** - * Install state of type 'type' for a dynamic session. - * The hash table contains two type of rules: - * - regular rules (O_KEEP_STATE) - * - rules for sessions with limited number of sess per user - * (O_LIMIT). When they are created, the parent is - * increased by 1, and decreased on delete. In this case, - * the third parameter is the parent rule and not the chain. - * - "parent" rules for the above (O_LIMIT_PARENT). - */ -static ipfw_dyn_rule * -add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule) -{ - ipfw_dyn_rule *r; - int i; - - IPFW_DYN_LOCK_ASSERT(); - - if (V_ipfw_dyn_v == NULL || - (V_dyn_count == 0 && V_dyn_buckets != V_curr_dyn_buckets)) { - realloc_dynamic_table(); - if (V_ipfw_dyn_v == NULL) - return NULL; /* failed ! */ - } - i = hash_packet(id); - - r = uma_zalloc(ipfw_dyn_rule_zone, M_NOWAIT | M_ZERO); - if (r == NULL) { - printf ("ipfw: sorry cannot allocate state\n"); - return NULL; - } - - /* increase refcount on parent, and set pointer */ - if (dyn_type == O_LIMIT) { - ipfw_dyn_rule *parent = (ipfw_dyn_rule *)rule; - if ( parent->dyn_type != O_LIMIT_PARENT) - panic("invalid parent"); - parent->count++; - r->parent = parent; - rule = parent->rule; - } - - r->id = *id; - r->expire = time_uptime + V_dyn_syn_lifetime; - r->rule = rule; - r->dyn_type = dyn_type; - r->pcnt = r->bcnt = 0; - r->count = 0; - - r->bucket = i; - r->next = V_ipfw_dyn_v[i]; - V_ipfw_dyn_v[i] = r; - V_dyn_count++; - DEB({ - struct in_addr da; -#ifdef INET6 - char src[INET6_ADDRSTRLEN]; - char dst[INET6_ADDRSTRLEN]; -#else - char src[INET_ADDRSTRLEN]; - char dst[INET_ADDRSTRLEN]; -#endif - -#ifdef INET6 - if (IS_IP6_FLOW_ID(&(r->id))) { - ip6_sprintf(src, &r->id.src_ip6); - ip6_sprintf(dst, &r->id.dst_ip6); - } else -#endif - { - da.s_addr = htonl(r->id.src_ip); - inet_ntoa_r(da, src); - da.s_addr = htonl(r->id.dst_ip); - inet_ntoa_r(da, dst); - } - printf("ipfw: add dyn entry ty %d %s %d -> %s %d, total %d\n", - dyn_type, src, r->id.src_port, dst, r->id.dst_port, - V_dyn_count); - }) - return r; -} - -/** - * lookup dynamic parent rule using pkt and rule as search keys. - * If the lookup fails, then install one. - */ -static ipfw_dyn_rule * -lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule) -{ - ipfw_dyn_rule *q; - int i; - - IPFW_DYN_LOCK_ASSERT(); - - if (V_ipfw_dyn_v) { - int is_v6 = IS_IP6_FLOW_ID(pkt); - i = hash_packet( pkt ); - for (q = V_ipfw_dyn_v[i] ; q != NULL ; q=q->next) - if (q->dyn_type == O_LIMIT_PARENT && - rule== q->rule && - pkt->proto == q->id.proto && - pkt->src_port == q->id.src_port && - pkt->dst_port == q->id.dst_port && - ( - (is_v6 && - IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), - &(q->id.src_ip6)) && - IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), - &(q->id.dst_ip6))) || - (!is_v6 && - pkt->src_ip == q->id.src_ip && - pkt->dst_ip == q->id.dst_ip) - ) - ) { - q->expire = time_uptime + V_dyn_short_lifetime; - DEB(printf("ipfw: lookup_dyn_parent found 0x%p\n",q);) - return q; - } - } - return add_dyn_rule(pkt, O_LIMIT_PARENT, rule); -} - -/** - * Install dynamic state for rule type cmd->o.opcode - * - * Returns 1 (failure) if state is not installed because of errors or because - * session limitations are enforced. - */ -int -ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, - struct ip_fw_args *args, uint32_t tablearg) -{ - static int last_log; - ipfw_dyn_rule *q; - struct in_addr da; -#ifdef INET6 - char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2]; -#else - char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN]; -#endif - - src[0] = '\0'; - dst[0] = '\0'; - - IPFW_DYN_LOCK(); - - DEB( -#ifdef INET6 - if (IS_IP6_FLOW_ID(&(args->f_id))) { - ip6_sprintf(src, &args->f_id.src_ip6); - ip6_sprintf(dst, &args->f_id.dst_ip6); - } else -#endif - { - da.s_addr = htonl(args->f_id.src_ip); - inet_ntoa_r(da, src); - da.s_addr = htonl(args->f_id.dst_ip); - inet_ntoa_r(da, dst); - } - printf("ipfw: %s: type %d %s %u -> %s %u\n", - __func__, cmd->o.opcode, src, args->f_id.src_port, - dst, args->f_id.dst_port); - src[0] = '\0'; - dst[0] = '\0'; - ) - - q = lookup_dyn_rule_locked(&args->f_id, NULL, NULL); - - if (q != NULL) { /* should never occur */ - DEB( - if (last_log != time_uptime) { - last_log = time_uptime; - printf("ipfw: %s: entry already present, done\n", - __func__); - }) - IPFW_DYN_UNLOCK(); - return (0); - } - - if (V_dyn_count >= V_dyn_max) - /* Run out of slots, try to remove any expired rule. */ - remove_dyn_rule(NULL, (ipfw_dyn_rule *)1); - - if (V_dyn_count >= V_dyn_max) { - if (last_log != time_uptime) { - last_log = time_uptime; - printf("ipfw: %s: Too many dynamic rules\n", __func__); - } - IPFW_DYN_UNLOCK(); - return (1); /* cannot install, notify caller */ - } - - switch (cmd->o.opcode) { - case O_KEEP_STATE: /* bidir rule */ - add_dyn_rule(&args->f_id, O_KEEP_STATE, rule); - break; - - case O_LIMIT: { /* limit number of sessions */ - struct ipfw_flow_id id; - ipfw_dyn_rule *parent; - uint32_t conn_limit; - uint16_t limit_mask = cmd->limit_mask; - - conn_limit = (cmd->conn_limit == IP_FW_TABLEARG) ? - tablearg : cmd->conn_limit; - - DEB( - if (cmd->conn_limit == IP_FW_TABLEARG) - printf("ipfw: %s: O_LIMIT rule, conn_limit: %u " - "(tablearg)\n", __func__, conn_limit); - else - printf("ipfw: %s: O_LIMIT rule, conn_limit: %u\n", - __func__, conn_limit); - ) - - id.dst_ip = id.src_ip = id.dst_port = id.src_port = 0; - id.proto = args->f_id.proto; - id.addr_type = args->f_id.addr_type; - id.fib = M_GETFIB(args->m); - - if (IS_IP6_FLOW_ID (&(args->f_id))) { - if (limit_mask & DYN_SRC_ADDR) - id.src_ip6 = args->f_id.src_ip6; - if (limit_mask & DYN_DST_ADDR) - id.dst_ip6 = args->f_id.dst_ip6; - } else { - if (limit_mask & DYN_SRC_ADDR) - id.src_ip = args->f_id.src_ip; - if (limit_mask & DYN_DST_ADDR) - id.dst_ip = args->f_id.dst_ip; - } - if (limit_mask & DYN_SRC_PORT) - id.src_port = args->f_id.src_port; - if (limit_mask & DYN_DST_PORT) - id.dst_port = args->f_id.dst_port; - if ((parent = lookup_dyn_parent(&id, rule)) == NULL) { - printf("ipfw: %s: add parent failed\n", __func__); - IPFW_DYN_UNLOCK(); - return (1); - } - - if (parent->count >= conn_limit) { - /* See if we can remove some expired rule. */ - remove_dyn_rule(rule, parent); - if (parent->count >= conn_limit) { - if (V_fw_verbose && last_log != time_uptime) { - last_log = time_uptime; -#ifdef INET6 - /* - * XXX IPv6 flows are not - * supported yet. - */ - if (IS_IP6_FLOW_ID(&(args->f_id))) { - char ip6buf[INET6_ADDRSTRLEN]; - snprintf(src, sizeof(src), - "[%s]", ip6_sprintf(ip6buf, - &args->f_id.src_ip6)); - snprintf(dst, sizeof(dst), - "[%s]", ip6_sprintf(ip6buf, - &args->f_id.dst_ip6)); - } else -#endif - { - da.s_addr = - htonl(args->f_id.src_ip); - inet_ntoa_r(da, src); - da.s_addr = - htonl(args->f_id.dst_ip); - inet_ntoa_r(da, dst); - } - log(LOG_SECURITY | LOG_DEBUG, - "ipfw: %d %s %s:%u -> %s:%u, %s\n", - parent->rule->rulenum, - "drop session", - src, (args->f_id.src_port), - dst, (args->f_id.dst_port), - "too many entries"); - } - IPFW_DYN_UNLOCK(); - return (1); - } - } - add_dyn_rule(&args->f_id, O_LIMIT, (struct ip_fw *)parent); - break; - } - default: - printf("ipfw: %s: unknown dynamic rule type %u\n", - __func__, cmd->o.opcode); - IPFW_DYN_UNLOCK(); - return (1); - } - - /* XXX just set lifetime */ - lookup_dyn_rule_locked(&args->f_id, NULL, NULL); - - IPFW_DYN_UNLOCK(); - return (0); -} - -/* - * Generate a TCP packet, containing either a RST or a keepalive. - * When flags & TH_RST, we are sending a RST packet, because of a - * "reset" action matched the packet. - * Otherwise we are sending a keepalive, and flags & TH_ - * The 'replyto' mbuf is the mbuf being replied to, if any, and is required - * so that MAC can label the reply appropriately. - */ -struct mbuf * -ipfw_send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq, - u_int32_t ack, int flags) -{ - struct mbuf *m = NULL; /* stupid compiler */ - int len, dir; - struct ip *h = NULL; /* stupid compiler */ -#ifdef INET6 - struct ip6_hdr *h6 = NULL; -#endif - struct tcphdr *th = NULL; - - MGETHDR(m, M_DONTWAIT, MT_DATA); - if (m == NULL) - return (NULL); - - M_SETFIB(m, id->fib); -#ifdef MAC - if (replyto != NULL) - mac_netinet_firewall_reply(replyto, m); - else - mac_netinet_firewall_send(m); -#else - (void)replyto; /* don't warn about unused arg */ -#endif - - switch (id->addr_type) { - case 4: - len = sizeof(struct ip) + sizeof(struct tcphdr); - break; -#ifdef INET6 - case 6: - len = sizeof(struct ip6_hdr) + sizeof(struct tcphdr); - break; -#endif - default: - /* XXX: log me?!? */ - FREE_PKT(m); - return (NULL); - } - dir = ((flags & (TH_SYN | TH_RST)) == TH_SYN); - - m->m_data += max_linkhdr; - m->m_flags |= M_SKIP_FIREWALL; - m->m_pkthdr.len = m->m_len = len; - m->m_pkthdr.rcvif = NULL; - bzero(m->m_data, len); - - switch (id->addr_type) { - case 4: - h = mtod(m, struct ip *); - - /* prepare for checksum */ - h->ip_p = IPPROTO_TCP; - h->ip_len = htons(sizeof(struct tcphdr)); - if (dir) { - h->ip_src.s_addr = htonl(id->src_ip); - h->ip_dst.s_addr = htonl(id->dst_ip); - } else { - h->ip_src.s_addr = htonl(id->dst_ip); - h->ip_dst.s_addr = htonl(id->src_ip); - } - - th = (struct tcphdr *)(h + 1); - break; -#ifdef INET6 - case 6: - h6 = mtod(m, struct ip6_hdr *); - - /* prepare for checksum */ - h6->ip6_nxt = IPPROTO_TCP; - h6->ip6_plen = htons(sizeof(struct tcphdr)); - if (dir) { - h6->ip6_src = id->src_ip6; - h6->ip6_dst = id->dst_ip6; - } else { - h6->ip6_src = id->dst_ip6; - h6->ip6_dst = id->src_ip6; - } - - th = (struct tcphdr *)(h6 + 1); - break; -#endif - } - - if (dir) { - th->th_sport = htons(id->src_port); - th->th_dport = htons(id->dst_port); - } else { - th->th_sport = htons(id->dst_port); - th->th_dport = htons(id->src_port); - } - th->th_off = sizeof(struct tcphdr) >> 2; - - if (flags & TH_RST) { - if (flags & TH_ACK) { - th->th_seq = htonl(ack); - th->th_flags = TH_RST; - } else { - if (flags & TH_SYN) - seq++; - th->th_ack = htonl(seq); - th->th_flags = TH_RST | TH_ACK; - } - } else { - /* - * Keepalive - use caller provided sequence numbers - */ - th->th_seq = htonl(seq); - th->th_ack = htonl(ack); - th->th_flags = TH_ACK; - } - - switch (id->addr_type) { - case 4: - th->th_sum = in_cksum(m, len); - - /* finish the ip header */ - h->ip_v = 4; - h->ip_hl = sizeof(*h) >> 2; - h->ip_tos = IPTOS_LOWDELAY; - h->ip_off = 0; - /* ip_len must be in host format for ip_output */ - h->ip_len = len; - h->ip_ttl = V_ip_defttl; - h->ip_sum = 0; - break; -#ifdef INET6 - case 6: - th->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(*h6), - sizeof(struct tcphdr)); - - /* finish the ip6 header */ - h6->ip6_vfc |= IPV6_VERSION; - h6->ip6_hlim = IPV6_DEFHLIM; - break; -#endif - } - - return (m); -} - -/* - * This procedure is only used to handle keepalives. It is invoked - * every dyn_keepalive_period - */ -static void -ipfw_tick(void * vnetx) -{ - struct mbuf *m0, *m, *mnext, **mtailp; -#ifdef INET6 - struct mbuf *m6, **m6_tailp; -#endif - int i; - ipfw_dyn_rule *q; -#ifdef VIMAGE - struct vnet *vp = vnetx; -#endif - - CURVNET_SET(vp); - if (V_dyn_keepalive == 0 || V_ipfw_dyn_v == NULL || V_dyn_count == 0) - goto done; - - /* - * We make a chain of packets to go out here -- not deferring - * until after we drop the IPFW dynamic rule lock would result - * in a lock order reversal with the normal packet input -> ipfw - * call stack. - */ - m0 = NULL; - mtailp = &m0; -#ifdef INET6 - m6 = NULL; - m6_tailp = &m6; -#endif - IPFW_DYN_LOCK(); - for (i = 0 ; i < V_curr_dyn_buckets ; i++) { - for (q = V_ipfw_dyn_v[i] ; q ; q = q->next ) { - if (q->dyn_type == O_LIMIT_PARENT) - continue; - if (q->id.proto != IPPROTO_TCP) - continue; - if ( (q->state & BOTH_SYN) != BOTH_SYN) - continue; - if (TIME_LEQ(time_uptime + V_dyn_keepalive_interval, - q->expire)) - continue; /* too early */ - if (TIME_LEQ(q->expire, time_uptime)) - continue; /* too late, rule expired */ - - m = (q->state & ACK_REV) ? NULL : - ipfw_send_pkt(NULL, &(q->id), q->ack_rev - 1, - q->ack_fwd, TH_SYN); - mnext = (q->state & ACK_FWD) ? NULL : - ipfw_send_pkt(NULL, &(q->id), q->ack_fwd - 1, - q->ack_rev, 0); - - switch (q->id.addr_type) { - case 4: - if (m != NULL) { - *mtailp = m; - mtailp = &(*mtailp)->m_nextpkt; - } - if (mnext != NULL) { - *mtailp = mnext; - mtailp = &(*mtailp)->m_nextpkt; - } - break; -#ifdef INET6 - case 6: - if (m != NULL) { - *m6_tailp = m; - m6_tailp = &(*m6_tailp)->m_nextpkt; - } - if (mnext != NULL) { - *m6_tailp = mnext; - m6_tailp = &(*m6_tailp)->m_nextpkt; - } - break; -#endif - } - } - } - IPFW_DYN_UNLOCK(); - for (m = m0; m != NULL; m = mnext) { - mnext = m->m_nextpkt; - m->m_nextpkt = NULL; - ip_output(m, NULL, NULL, 0, NULL, NULL); - } -#ifdef INET6 - for (m = m6; m != NULL; m = mnext) { - mnext = m->m_nextpkt; - m->m_nextpkt = NULL; - ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); - } -#endif -done: - callout_reset_on(&V_ipfw_timeout, V_dyn_keepalive_period * hz, - ipfw_tick, vnetx, 0); - CURVNET_RESTORE(); -} - -void -ipfw_dyn_attach(void) -{ - ipfw_dyn_rule_zone = uma_zcreate("IPFW dynamic rule", - sizeof(ipfw_dyn_rule), NULL, NULL, NULL, NULL, - UMA_ALIGN_PTR, 0); - - IPFW_DYN_LOCK_INIT(); -} - -void -ipfw_dyn_detach(void) -{ - uma_zdestroy(ipfw_dyn_rule_zone); - IPFW_DYN_LOCK_DESTROY(); -} - -void -ipfw_dyn_init(void) -{ - V_ipfw_dyn_v = NULL; - V_dyn_buckets = 256; /* must be power of 2 */ - V_curr_dyn_buckets = 256; /* must be power of 2 */ - - V_dyn_ack_lifetime = 300; - V_dyn_syn_lifetime = 20; - V_dyn_fin_lifetime = 1; - V_dyn_rst_lifetime = 1; - V_dyn_udp_lifetime = 10; - V_dyn_short_lifetime = 5; - - V_dyn_keepalive_interval = 20; - V_dyn_keepalive_period = 5; - V_dyn_keepalive = 1; /* do send keepalives */ - - V_dyn_max = 4096; /* max # of dynamic rules */ - callout_init(&V_ipfw_timeout, CALLOUT_MPSAFE); - callout_reset_on(&V_ipfw_timeout, hz, ipfw_tick, curvnet, 0); -} - -void -ipfw_dyn_uninit(int pass) -{ - if (pass == 0) - callout_drain(&V_ipfw_timeout); - else { - if (V_ipfw_dyn_v != NULL) - free(V_ipfw_dyn_v, M_IPFW); - } -} - -int -ipfw_dyn_len(void) -{ - return (V_ipfw_dyn_v == NULL) ? 0 : - (V_dyn_count * sizeof(ipfw_dyn_rule)); -} - -void -ipfw_get_dynamic(char **pbp, const char *ep) -{ - ipfw_dyn_rule *p, *last = NULL; - char *bp; - int i; - - if (V_ipfw_dyn_v == NULL) - return; - bp = *pbp; - - IPFW_DYN_LOCK(); - for (i = 0 ; i < V_curr_dyn_buckets; i++) - for (p = V_ipfw_dyn_v[i] ; p != NULL; p = p->next) { - if (bp + sizeof *p <= ep) { - ipfw_dyn_rule *dst = - (ipfw_dyn_rule *)bp; - bcopy(p, dst, sizeof *p); - bcopy(&(p->rule->rulenum), &(dst->rule), - sizeof(p->rule->rulenum)); - /* - * store set number into high word of - * dst->rule pointer. - */ - bcopy(&(p->rule->set), - (char *)&dst->rule + - sizeof(p->rule->rulenum), - sizeof(p->rule->set)); - /* - * store a non-null value in "next". - * The userland code will interpret a - * NULL here as a marker - * for the last dynamic rule. - */ - bcopy(&dst, &dst->next, sizeof(dst)); - last = dst; - dst->expire = - TIME_LEQ(dst->expire, time_uptime) ? - 0 : dst->expire - time_uptime ; - bp += sizeof(ipfw_dyn_rule); - } - } - IPFW_DYN_UNLOCK(); - if (last != NULL) /* mark last dynamic rule */ - bzero(&last->next, sizeof(last)); - *pbp = bp; -} -/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_log.c b/sys/netinet/ipfw/ip_fw_log.c deleted file mode 100644 index b9ed6b3..0000000 --- a/sys/netinet/ipfw/ip_fw_log.c +++ /dev/null @@ -1,469 +0,0 @@ -/*- - * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -/* - * Logging support for ipfw - */ - -#include "opt_ipfw.h" -#include "opt_inet.h" -#ifndef INET -#error IPFIREWALL requires INET. -#endif /* INET */ -#include "opt_inet6.h" - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/mbuf.h> -#include <sys/kernel.h> -#include <sys/socket.h> -#include <sys/sysctl.h> -#include <sys/syslog.h> -#include <net/ethernet.h> /* for ETHERTYPE_IP */ -#include <net/if.h> -#include <net/vnet.h> -#include <net/if_types.h> /* for IFT_ETHER */ -#include <net/bpf.h> /* for BPF */ - -#include <netinet/in.h> -#include <netinet/ip.h> -#include <netinet/ip_icmp.h> -#include <netinet/ip_var.h> -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> -#include <netinet/tcp_var.h> -#include <netinet/udp.h> - -#include <netinet/ip6.h> -#include <netinet/icmp6.h> -#ifdef INET6 -#include <netinet6/in6_var.h> /* ip6_sprintf() */ -#endif - -#ifdef MAC -#include <security/mac/mac_framework.h> -#endif - -/* - * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T - * Other macros just cast void * into the appropriate type - */ -#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) -#define TCP(p) ((struct tcphdr *)(p)) -#define SCTP(p) ((struct sctphdr *)(p)) -#define UDP(p) ((struct udphdr *)(p)) -#define ICMP(p) ((struct icmphdr *)(p)) -#define ICMP6(p) ((struct icmp6_hdr *)(p)) - -#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0 -#define SNP(buf) buf, sizeof(buf) - -#ifdef WITHOUT_BPF -void -ipfw_log_bpf(int onoff) -{ -} -#else /* !WITHOUT_BPF */ -static struct ifnet *log_if; /* hook to attach to bpf */ - -/* we use this dummy function for all ifnet callbacks */ -static int -log_dummy(struct ifnet *ifp, u_long cmd, caddr_t addr) -{ - return EINVAL; -} - -static int -ipfw_log_output(struct ifnet *ifp, struct mbuf *m, - struct sockaddr *dst, struct route *ro) -{ - if (m != NULL) - m_freem(m); - return EINVAL; -} - -static void -ipfw_log_start(struct ifnet* ifp) -{ - panic("ipfw_log_start() must not be called"); -} - -static const u_char ipfwbroadcastaddr[6] = - { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - -void -ipfw_log_bpf(int onoff) -{ - struct ifnet *ifp; - - if (onoff) { - if (log_if) - return; - ifp = if_alloc(IFT_ETHER); - if (ifp == NULL) - return; - if_initname(ifp, "ipfw", 0); - ifp->if_mtu = 65536; - ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; - ifp->if_init = (void *)log_dummy; - ifp->if_ioctl = log_dummy; - ifp->if_start = ipfw_log_start; - ifp->if_output = ipfw_log_output; - ifp->if_addrlen = 6; - ifp->if_hdrlen = 14; - if_attach(ifp); - ifp->if_broadcastaddr = ipfwbroadcastaddr; - ifp->if_baudrate = IF_Mbps(10); - bpfattach(ifp, DLT_EN10MB, 14); - log_if = ifp; - } else { - if (log_if) { - ether_ifdetach(log_if); - if_free(log_if); - } - log_if = NULL; - } -} -#endif /* !WITHOUT_BPF */ - -/* - * We enter here when we have a rule with O_LOG. - * XXX this function alone takes about 2Kbytes of code! - */ -void -ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, - struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, - struct ip *ip) -{ - char *action; - int limit_reached = 0; - char action2[92], proto[128], fragment[32]; - - if (V_fw_verbose == 0) { -#ifndef WITHOUT_BPF - - if (log_if == NULL || log_if->if_bpf == NULL) - return; - - if (args->eh) /* layer2, use orig hdr */ - BPF_MTAP2(log_if, args->eh, ETHER_HDR_LEN, m); - else - /* Add fake header. Later we will store - * more info in the header. - */ - BPF_MTAP2(log_if, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m); -#endif /* !WITHOUT_BPF */ - return; - } - /* the old 'log' function */ - fragment[0] = '\0'; - proto[0] = '\0'; - - if (f == NULL) { /* bogus pkt */ - if (V_verbose_limit != 0 && V_norule_counter >= V_verbose_limit) - return; - V_norule_counter++; - if (V_norule_counter == V_verbose_limit) - limit_reached = V_verbose_limit; - action = "Refuse"; - } else { /* O_LOG is the first action, find the real one */ - ipfw_insn *cmd = ACTION_PTR(f); - ipfw_insn_log *l = (ipfw_insn_log *)cmd; - - if (l->max_log != 0 && l->log_left == 0) - return; - l->log_left--; - if (l->log_left == 0) - limit_reached = l->max_log; - cmd += F_LEN(cmd); /* point to first action */ - if (cmd->opcode == O_ALTQ) { - ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd; - - snprintf(SNPARGS(action2, 0), "Altq %d", - altq->qid); - cmd += F_LEN(cmd); - } - if (cmd->opcode == O_PROB) - cmd += F_LEN(cmd); - - if (cmd->opcode == O_TAG) - cmd += F_LEN(cmd); - - action = action2; - switch (cmd->opcode) { - case O_DENY: - action = "Deny"; - break; - - case O_REJECT: - if (cmd->arg1==ICMP_REJECT_RST) - action = "Reset"; - else if (cmd->arg1==ICMP_UNREACH_HOST) - action = "Reject"; - else - snprintf(SNPARGS(action2, 0), "Unreach %d", - cmd->arg1); - break; - - case O_UNREACH6: - if (cmd->arg1==ICMP6_UNREACH_RST) - action = "Reset"; - else - snprintf(SNPARGS(action2, 0), "Unreach %d", - cmd->arg1); - break; - - case O_ACCEPT: - action = "Accept"; - break; - case O_COUNT: - action = "Count"; - break; - case O_DIVERT: - snprintf(SNPARGS(action2, 0), "Divert %d", - cmd->arg1); - break; - case O_TEE: - snprintf(SNPARGS(action2, 0), "Tee %d", - cmd->arg1); - break; - case O_SETFIB: - snprintf(SNPARGS(action2, 0), "SetFib %d", - cmd->arg1); - break; - case O_SKIPTO: - snprintf(SNPARGS(action2, 0), "SkipTo %d", - cmd->arg1); - break; - case O_PIPE: - snprintf(SNPARGS(action2, 0), "Pipe %d", - cmd->arg1); - break; - case O_QUEUE: - snprintf(SNPARGS(action2, 0), "Queue %d", - cmd->arg1); - break; - case O_FORWARD_IP: { - ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd; - int len; - struct in_addr dummyaddr; - if (sa->sa.sin_addr.s_addr == INADDR_ANY) - dummyaddr.s_addr = htonl(tablearg); - else - dummyaddr.s_addr = sa->sa.sin_addr.s_addr; - - len = snprintf(SNPARGS(action2, 0), "Forward to %s", - inet_ntoa(dummyaddr)); - - if (sa->sa.sin_port) - snprintf(SNPARGS(action2, len), ":%d", - sa->sa.sin_port); - } - break; -#ifdef INET6 - case O_FORWARD_IP6: { - char buf[INET6_ADDRSTRLEN]; - ipfw_insn_sa6 *sa = (ipfw_insn_sa6 *)cmd; - int len; - - len = snprintf(SNPARGS(action2, 0), "Forward to [%s]", - ip6_sprintf(buf, &sa->sa.sin6_addr)); - - if (sa->sa.sin6_port) - snprintf(SNPARGS(action2, len), ":%u", - sa->sa.sin6_port); - } - break; -#endif - case O_NETGRAPH: - snprintf(SNPARGS(action2, 0), "Netgraph %d", - cmd->arg1); - break; - case O_NGTEE: - snprintf(SNPARGS(action2, 0), "Ngtee %d", - cmd->arg1); - break; - case O_NAT: - action = "Nat"; - break; - case O_REASS: - action = "Reass"; - break; - case O_CALLRETURN: - if (cmd->len & F_NOT) - action = "Return"; - else - snprintf(SNPARGS(action2, 0), "Call %d", - cmd->arg1); - break; - default: - action = "UNKNOWN"; - break; - } - } - - if (hlen == 0) { /* non-ip */ - snprintf(SNPARGS(proto, 0), "MAC"); - - } else { - int len; -#ifdef INET6 - char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2]; -#else - char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN]; -#endif - struct icmphdr *icmp; - struct tcphdr *tcp; - struct udphdr *udp; -#ifdef INET6 - struct ip6_hdr *ip6 = NULL; - struct icmp6_hdr *icmp6; - u_short ip6f_mf; -#endif - src[0] = '\0'; - dst[0] = '\0'; -#ifdef INET6 - ip6f_mf = offset & IP6F_MORE_FRAG; - offset &= IP6F_OFF_MASK; - - if (IS_IP6_FLOW_ID(&(args->f_id))) { - char ip6buf[INET6_ADDRSTRLEN]; - snprintf(src, sizeof(src), "[%s]", - ip6_sprintf(ip6buf, &args->f_id.src_ip6)); - snprintf(dst, sizeof(dst), "[%s]", - ip6_sprintf(ip6buf, &args->f_id.dst_ip6)); - - ip6 = (struct ip6_hdr *)ip; - tcp = (struct tcphdr *)(((char *)ip) + hlen); - udp = (struct udphdr *)(((char *)ip) + hlen); - } else -#endif - { - tcp = L3HDR(struct tcphdr, ip); - udp = L3HDR(struct udphdr, ip); - - inet_ntoa_r(ip->ip_src, src); - inet_ntoa_r(ip->ip_dst, dst); - } - - switch (args->f_id.proto) { - case IPPROTO_TCP: - len = snprintf(SNPARGS(proto, 0), "TCP %s", src); - if (offset == 0) - snprintf(SNPARGS(proto, len), ":%d %s:%d", - ntohs(tcp->th_sport), - dst, - ntohs(tcp->th_dport)); - else - snprintf(SNPARGS(proto, len), " %s", dst); - break; - - case IPPROTO_UDP: - len = snprintf(SNPARGS(proto, 0), "UDP %s", src); - if (offset == 0) - snprintf(SNPARGS(proto, len), ":%d %s:%d", - ntohs(udp->uh_sport), - dst, - ntohs(udp->uh_dport)); - else - snprintf(SNPARGS(proto, len), " %s", dst); - break; - - case IPPROTO_ICMP: - icmp = L3HDR(struct icmphdr, ip); - if (offset == 0) - len = snprintf(SNPARGS(proto, 0), - "ICMP:%u.%u ", - icmp->icmp_type, icmp->icmp_code); - else - len = snprintf(SNPARGS(proto, 0), "ICMP "); - len += snprintf(SNPARGS(proto, len), "%s", src); - snprintf(SNPARGS(proto, len), " %s", dst); - break; -#ifdef INET6 - case IPPROTO_ICMPV6: - icmp6 = (struct icmp6_hdr *)(((char *)ip) + hlen); - if (offset == 0) - len = snprintf(SNPARGS(proto, 0), - "ICMPv6:%u.%u ", - icmp6->icmp6_type, icmp6->icmp6_code); - else - len = snprintf(SNPARGS(proto, 0), "ICMPv6 "); - len += snprintf(SNPARGS(proto, len), "%s", src); - snprintf(SNPARGS(proto, len), " %s", dst); - break; -#endif - default: - len = snprintf(SNPARGS(proto, 0), "P:%d %s", - args->f_id.proto, src); - snprintf(SNPARGS(proto, len), " %s", dst); - break; - } - -#ifdef INET6 - if (IS_IP6_FLOW_ID(&(args->f_id))) { - if (offset & (IP6F_OFF_MASK | IP6F_MORE_FRAG)) - snprintf(SNPARGS(fragment, 0), - " (frag %08x:%d@%d%s)", - args->f_id.extra, - ntohs(ip6->ip6_plen) - hlen, - ntohs(offset) << 3, ip6f_mf ? "+" : ""); - } else -#endif - { - int ipoff, iplen; - ipoff = ntohs(ip->ip_off); - iplen = ntohs(ip->ip_len); - if (ipoff & (IP_MF | IP_OFFMASK)) - snprintf(SNPARGS(fragment, 0), - " (frag %d:%d@%d%s)", - ntohs(ip->ip_id), iplen - (ip->ip_hl << 2), - offset << 3, - (ipoff & IP_MF) ? "+" : ""); - } - } -#ifdef __FreeBSD__ - if (oif || m->m_pkthdr.rcvif) - log(LOG_SECURITY | LOG_INFO, - "ipfw: %d %s %s %s via %s%s\n", - f ? f->rulenum : -1, - action, proto, oif ? "out" : "in", - oif ? oif->if_xname : m->m_pkthdr.rcvif->if_xname, - fragment); - else -#endif - log(LOG_SECURITY | LOG_INFO, - "ipfw: %d %s %s [no if info]%s\n", - f ? f->rulenum : -1, - action, proto, fragment); - if (limit_reached) - log(LOG_SECURITY | LOG_NOTICE, - "ipfw: limit %d reached on entry %d\n", - limit_reached, f ? f->rulenum : -1); -} -/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_nat.c b/sys/netinet/ipfw/ip_fw_nat.c deleted file mode 100644 index dbeb254..0000000 --- a/sys/netinet/ipfw/ip_fw_nat.c +++ /dev/null @@ -1,661 +0,0 @@ -/*- - * Copyright (c) 2008 Paolo Pisati - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/eventhandler.h> -#include <sys/malloc.h> -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/module.h> -#include <sys/rwlock.h> - -#define IPFW_INTERNAL /* Access to protected data structures in ip_fw.h. */ - -#include <netinet/libalias/alias.h> -#include <netinet/libalias/alias_local.h> - -#include <net/if.h> -#include <netinet/in.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> -#include <netinet/tcp.h> -#include <netinet/udp.h> - -#include <machine/in_cksum.h> /* XXX for in_cksum */ - -static VNET_DEFINE(eventhandler_tag, ifaddr_event_tag); -#define V_ifaddr_event_tag VNET(ifaddr_event_tag) - -static void -ifaddr_change(void *arg __unused, struct ifnet *ifp) -{ - struct cfg_nat *ptr; - struct ifaddr *ifa; - struct ip_fw_chain *chain; - - chain = &V_layer3_chain; - IPFW_WLOCK(chain); - /* Check every nat entry... */ - LIST_FOREACH(ptr, &chain->nat, _next) { - /* ...using nic 'ifp->if_xname' as dynamic alias address. */ - if (strncmp(ptr->if_name, ifp->if_xname, IF_NAMESIZE) != 0) - continue; - if_addr_rlock(ifp); - TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { - if (ifa->ifa_addr == NULL) - continue; - if (ifa->ifa_addr->sa_family != AF_INET) - continue; - ptr->ip = ((struct sockaddr_in *) - (ifa->ifa_addr))->sin_addr; - LibAliasSetAddress(ptr->lib, ptr->ip); - } - if_addr_runlock(ifp); - } - IPFW_WUNLOCK(chain); -} - -/* - * delete the pointers for nat entry ix, or all of them if ix < 0 - */ -static void -flush_nat_ptrs(struct ip_fw_chain *chain, const int ix) -{ - int i; - ipfw_insn_nat *cmd; - - IPFW_WLOCK_ASSERT(chain); - for (i = 0; i < chain->n_rules; i++) { - cmd = (ipfw_insn_nat *)ACTION_PTR(chain->map[i]); - /* XXX skip log and the like ? */ - if (cmd->o.opcode == O_NAT && cmd->nat != NULL && - (ix < 0 || cmd->nat->id == ix)) - cmd->nat = NULL; - } -} - -static void -del_redir_spool_cfg(struct cfg_nat *n, struct redir_chain *head) -{ - struct cfg_redir *r, *tmp_r; - struct cfg_spool *s, *tmp_s; - int i, num; - - LIST_FOREACH_SAFE(r, head, _next, tmp_r) { - num = 1; /* Number of alias_link to delete. */ - switch (r->mode) { - case REDIR_PORT: - num = r->pport_cnt; - /* FALLTHROUGH */ - case REDIR_ADDR: - case REDIR_PROTO: - /* Delete all libalias redirect entry. */ - for (i = 0; i < num; i++) - LibAliasRedirectDelete(n->lib, r->alink[i]); - /* Del spool cfg if any. */ - LIST_FOREACH_SAFE(s, &r->spool_chain, _next, tmp_s) { - LIST_REMOVE(s, _next); - free(s, M_IPFW); - } - free(r->alink, M_IPFW); - LIST_REMOVE(r, _next); - free(r, M_IPFW); - break; - default: - printf("unknown redirect mode: %u\n", r->mode); - /* XXX - panic?!?!? */ - break; - } - } -} - -static void -add_redir_spool_cfg(char *buf, struct cfg_nat *ptr) -{ - struct cfg_redir *r, *ser_r; - struct cfg_spool *s, *ser_s; - int cnt, off, i; - - for (cnt = 0, off = 0; cnt < ptr->redir_cnt; cnt++) { - ser_r = (struct cfg_redir *)&buf[off]; - r = malloc(SOF_REDIR, M_IPFW, M_WAITOK | M_ZERO); - memcpy(r, ser_r, SOF_REDIR); - LIST_INIT(&r->spool_chain); - off += SOF_REDIR; - r->alink = malloc(sizeof(struct alias_link *) * r->pport_cnt, - M_IPFW, M_WAITOK | M_ZERO); - switch (r->mode) { - case REDIR_ADDR: - r->alink[0] = LibAliasRedirectAddr(ptr->lib, r->laddr, - r->paddr); - break; - case REDIR_PORT: - for (i = 0 ; i < r->pport_cnt; i++) { - /* If remotePort is all ports, set it to 0. */ - u_short remotePortCopy = r->rport + i; - if (r->rport_cnt == 1 && r->rport == 0) - remotePortCopy = 0; - r->alink[i] = LibAliasRedirectPort(ptr->lib, - r->laddr, htons(r->lport + i), r->raddr, - htons(remotePortCopy), r->paddr, - htons(r->pport + i), r->proto); - if (r->alink[i] == NULL) { - r->alink[0] = NULL; - break; - } - } - break; - case REDIR_PROTO: - r->alink[0] = LibAliasRedirectProto(ptr->lib ,r->laddr, - r->raddr, r->paddr, r->proto); - break; - default: - printf("unknown redirect mode: %u\n", r->mode); - break; - } - /* XXX perhaps return an error instead of panic ? */ - if (r->alink[0] == NULL) - panic("LibAliasRedirect* returned NULL"); - /* LSNAT handling. */ - for (i = 0; i < r->spool_cnt; i++) { - ser_s = (struct cfg_spool *)&buf[off]; - s = malloc(SOF_REDIR, M_IPFW, M_WAITOK | M_ZERO); - memcpy(s, ser_s, SOF_SPOOL); - LibAliasAddServer(ptr->lib, r->alink[0], - s->addr, htons(s->port)); - off += SOF_SPOOL; - /* Hook spool entry. */ - LIST_INSERT_HEAD(&r->spool_chain, s, _next); - } - /* And finally hook this redir entry. */ - LIST_INSERT_HEAD(&ptr->redir_chain, r, _next); - } -} - -static int -ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) -{ - struct mbuf *mcl; - struct ip *ip; - /* XXX - libalias duct tape */ - int ldt, retval, found; - struct ip_fw_chain *chain; - char *c; - - ldt = 0; - retval = 0; - mcl = m_megapullup(m, m->m_pkthdr.len); - if (mcl == NULL) { - args->m = NULL; - return (IP_FW_DENY); - } - ip = mtod(mcl, struct ip *); - - /* - * XXX - Libalias checksum offload 'duct tape': - * - * locally generated packets have only pseudo-header checksum - * calculated and libalias will break it[1], so mark them for - * later fix. Moreover there are cases when libalias modifies - * tcp packet data[2], mark them for later fix too. - * - * [1] libalias was never meant to run in kernel, so it does - * not have any knowledge about checksum offloading, and - * expects a packet with a full internet checksum. - * Unfortunately, packets generated locally will have just the - * pseudo header calculated, and when libalias tries to adjust - * the checksum it will actually compute a wrong value. - * - * [2] when libalias modifies tcp's data content, full TCP - * checksum has to be recomputed: the problem is that - * libalias does not have any idea about checksum offloading. - * To work around this, we do not do checksumming in LibAlias, - * but only mark the packets in th_x2 field. If we receive a - * marked packet, we calculate correct checksum for it - * aware of offloading. Why such a terrible hack instead of - * recalculating checksum for each packet? - * Because the previous checksum was not checked! - * Recalculating checksums for EVERY packet will hide ALL - * transmission errors. Yes, marked packets still suffer from - * this problem. But, sigh, natd(8) has this problem, too. - * - * TODO: -make libalias mbuf aware (so - * it can handle delayed checksum and tso) - */ - - if (mcl->m_pkthdr.rcvif == NULL && - mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) - ldt = 1; - - c = mtod(mcl, char *); - - /* Check if this is 'global' instance */ - if (t == NULL) { - if (args->oif == NULL) { - /* Wrong direction, skip processing */ - args->m = mcl; - return (IP_FW_NAT); - } - - found = 0; - chain = &V_layer3_chain; - IPFW_RLOCK(chain); - /* Check every nat entry... */ - LIST_FOREACH(t, &chain->nat, _next) { - if ((t->mode & PKT_ALIAS_SKIP_GLOBAL) != 0) - continue; - retval = LibAliasOutTry(t->lib, c, - mcl->m_len + M_TRAILINGSPACE(mcl), 0); - if (retval == PKT_ALIAS_OK) { - /* Nat instance recognises state */ - found = 1; - break; - } - } - IPFW_RUNLOCK(chain); - if (found != 1) { - /* No instance found, return ignore */ - args->m = mcl; - return (IP_FW_NAT); - } - } else { - if (args->oif == NULL) - retval = LibAliasIn(t->lib, c, - mcl->m_len + M_TRAILINGSPACE(mcl)); - else - retval = LibAliasOut(t->lib, c, - mcl->m_len + M_TRAILINGSPACE(mcl)); - } - - /* - * We drop packet when: - * 1. libalias returns PKT_ALIAS_ERROR; - * 2. For incoming packets: - * a) for unresolved fragments; - * b) libalias returns PKT_ALIAS_IGNORED and - * PKT_ALIAS_DENY_INCOMING flag is set. - */ - if (retval == PKT_ALIAS_ERROR || - (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT || - (retval == PKT_ALIAS_IGNORED && - (t->mode & PKT_ALIAS_DENY_INCOMING) != 0)))) { - /* XXX - should i add some logging? */ - m_free(mcl); - args->m = NULL; - return (IP_FW_DENY); - } - - if (retval == PKT_ALIAS_RESPOND) - mcl->m_flags |= M_SKIP_FIREWALL; - mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len); - - /* - * XXX - libalias checksum offload - * 'duct tape' (see above) - */ - - if ((ip->ip_off & htons(IP_OFFMASK)) == 0 && - ip->ip_p == IPPROTO_TCP) { - struct tcphdr *th; - - th = (struct tcphdr *)(ip + 1); - if (th->th_x2) - ldt = 1; - } - - if (ldt) { - struct tcphdr *th; - struct udphdr *uh; - u_short cksum; - - ip->ip_len = ntohs(ip->ip_len); - cksum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, - htons(ip->ip_p + ip->ip_len - (ip->ip_hl << 2))); - - switch (ip->ip_p) { - case IPPROTO_TCP: - th = (struct tcphdr *)(ip + 1); - /* - * Maybe it was set in - * libalias... - */ - th->th_x2 = 0; - th->th_sum = cksum; - mcl->m_pkthdr.csum_data = - offsetof(struct tcphdr, th_sum); - break; - case IPPROTO_UDP: - uh = (struct udphdr *)(ip + 1); - uh->uh_sum = cksum; - mcl->m_pkthdr.csum_data = - offsetof(struct udphdr, uh_sum); - break; - } - /* No hw checksum offloading: do it ourselves */ - if ((mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) == 0) { - in_delayed_cksum(mcl); - mcl->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; - } - ip->ip_len = htons(ip->ip_len); - } - args->m = mcl; - return (IP_FW_NAT); -} - -static struct cfg_nat * -lookup_nat(struct nat_list *l, int nat_id) -{ - struct cfg_nat *res; - - LIST_FOREACH(res, l, _next) { - if (res->id == nat_id) - break; - } - return res; -} - -static int -ipfw_nat_cfg(struct sockopt *sopt) -{ - struct cfg_nat *cfg, *ptr; - char *buf; - struct ip_fw_chain *chain = &V_layer3_chain; - size_t len; - int gencnt, error = 0; - - len = sopt->sopt_valsize; - buf = malloc(len, M_TEMP, M_WAITOK | M_ZERO); - if ((error = sooptcopyin(sopt, buf, len, sizeof(struct cfg_nat))) != 0) - goto out; - - cfg = (struct cfg_nat *)buf; - if (cfg->id < 0) { - error = EINVAL; - goto out; - } - - /* - * Find/create nat rule. - */ - IPFW_WLOCK(chain); - gencnt = chain->gencnt; - ptr = lookup_nat(&chain->nat, cfg->id); - if (ptr == NULL) { - IPFW_WUNLOCK(chain); - /* New rule: allocate and init new instance. */ - ptr = malloc(sizeof(struct cfg_nat), M_IPFW, M_WAITOK | M_ZERO); - ptr->lib = LibAliasInit(NULL); - LIST_INIT(&ptr->redir_chain); - } else { - /* Entry already present: temporarily unhook it. */ - LIST_REMOVE(ptr, _next); - flush_nat_ptrs(chain, cfg->id); - IPFW_WUNLOCK(chain); - } - - /* - * Basic nat configuration. - */ - ptr->id = cfg->id; - /* - * XXX - what if this rule doesn't nat any ip and just - * redirect? - * do we set aliasaddress to 0.0.0.0? - */ - ptr->ip = cfg->ip; - ptr->redir_cnt = cfg->redir_cnt; - ptr->mode = cfg->mode; - LibAliasSetMode(ptr->lib, cfg->mode, cfg->mode); - LibAliasSetAddress(ptr->lib, ptr->ip); - memcpy(ptr->if_name, cfg->if_name, IF_NAMESIZE); - - /* - * Redir and LSNAT configuration. - */ - /* Delete old cfgs. */ - del_redir_spool_cfg(ptr, &ptr->redir_chain); - /* Add new entries. */ - add_redir_spool_cfg(&buf[(sizeof(struct cfg_nat))], ptr); - - IPFW_WLOCK(chain); - /* Extra check to avoid race with another ipfw_nat_cfg() */ - if (gencnt != chain->gencnt && - ((cfg = lookup_nat(&chain->nat, ptr->id)) != NULL)) - LIST_REMOVE(cfg, _next); - LIST_INSERT_HEAD(&chain->nat, ptr, _next); - chain->gencnt++; - IPFW_WUNLOCK(chain); - -out: - free(buf, M_TEMP); - return (error); -} - -static int -ipfw_nat_del(struct sockopt *sopt) -{ - struct cfg_nat *ptr; - struct ip_fw_chain *chain = &V_layer3_chain; - int i; - - sooptcopyin(sopt, &i, sizeof i, sizeof i); - /* XXX validate i */ - IPFW_WLOCK(chain); - ptr = lookup_nat(&chain->nat, i); - if (ptr == NULL) { - IPFW_WUNLOCK(chain); - return (EINVAL); - } - LIST_REMOVE(ptr, _next); - flush_nat_ptrs(chain, i); - IPFW_WUNLOCK(chain); - del_redir_spool_cfg(ptr, &ptr->redir_chain); - LibAliasUninit(ptr->lib); - free(ptr, M_IPFW); - return (0); -} - -static int -ipfw_nat_get_cfg(struct sockopt *sopt) -{ - struct ip_fw_chain *chain = &V_layer3_chain; - struct cfg_nat *n; - struct cfg_redir *r; - struct cfg_spool *s; - char *data; - int gencnt, nat_cnt, len, error; - - nat_cnt = 0; - len = sizeof(nat_cnt); - - IPFW_RLOCK(chain); -retry: - gencnt = chain->gencnt; - /* Estimate memory amount */ - LIST_FOREACH(n, &chain->nat, _next) { - nat_cnt++; - len += sizeof(struct cfg_nat); - LIST_FOREACH(r, &n->redir_chain, _next) { - len += sizeof(struct cfg_redir); - LIST_FOREACH(s, &r->spool_chain, _next) - len += sizeof(struct cfg_spool); - } - } - IPFW_RUNLOCK(chain); - - data = malloc(len, M_TEMP, M_WAITOK | M_ZERO); - bcopy(&nat_cnt, data, sizeof(nat_cnt)); - - nat_cnt = 0; - len = sizeof(nat_cnt); - - IPFW_RLOCK(chain); - if (gencnt != chain->gencnt) { - free(data, M_TEMP); - goto retry; - } - /* Serialize all the data. */ - LIST_FOREACH(n, &chain->nat, _next) { - bcopy(n, &data[len], sizeof(struct cfg_nat)); - len += sizeof(struct cfg_nat); - LIST_FOREACH(r, &n->redir_chain, _next) { - bcopy(r, &data[len], sizeof(struct cfg_redir)); - len += sizeof(struct cfg_redir); - LIST_FOREACH(s, &r->spool_chain, _next) { - bcopy(s, &data[len], sizeof(struct cfg_spool)); - len += sizeof(struct cfg_spool); - } - } - } - IPFW_RUNLOCK(chain); - - error = sooptcopyout(sopt, data, len); - free(data, M_TEMP); - - return (error); -} - -static int -ipfw_nat_get_log(struct sockopt *sopt) -{ - uint8_t *data; - struct cfg_nat *ptr; - int i, size; - struct ip_fw_chain *chain; - - chain = &V_layer3_chain; - - IPFW_RLOCK(chain); - /* one pass to count, one to copy the data */ - i = 0; - LIST_FOREACH(ptr, &chain->nat, _next) { - if (ptr->lib->logDesc == NULL) - continue; - i++; - } - size = i * (LIBALIAS_BUF_SIZE + sizeof(int)); - data = malloc(size, M_IPFW, M_NOWAIT | M_ZERO); - if (data == NULL) { - IPFW_RUNLOCK(chain); - return (ENOSPC); - } - i = 0; - LIST_FOREACH(ptr, &chain->nat, _next) { - if (ptr->lib->logDesc == NULL) - continue; - bcopy(&ptr->id, &data[i], sizeof(int)); - i += sizeof(int); - bcopy(ptr->lib->logDesc, &data[i], LIBALIAS_BUF_SIZE); - i += LIBALIAS_BUF_SIZE; - } - IPFW_RUNLOCK(chain); - sooptcopyout(sopt, data, size); - free(data, M_IPFW); - return(0); -} - -static void -ipfw_nat_init(void) -{ - - IPFW_WLOCK(&V_layer3_chain); - /* init ipfw hooks */ - ipfw_nat_ptr = ipfw_nat; - lookup_nat_ptr = lookup_nat; - ipfw_nat_cfg_ptr = ipfw_nat_cfg; - ipfw_nat_del_ptr = ipfw_nat_del; - ipfw_nat_get_cfg_ptr = ipfw_nat_get_cfg; - ipfw_nat_get_log_ptr = ipfw_nat_get_log; - IPFW_WUNLOCK(&V_layer3_chain); - V_ifaddr_event_tag = EVENTHANDLER_REGISTER( - ifaddr_event, ifaddr_change, - NULL, EVENTHANDLER_PRI_ANY); -} - -static void -ipfw_nat_destroy(void) -{ - struct cfg_nat *ptr, *ptr_temp; - struct ip_fw_chain *chain; - - chain = &V_layer3_chain; - IPFW_WLOCK(chain); - LIST_FOREACH_SAFE(ptr, &chain->nat, _next, ptr_temp) { - LIST_REMOVE(ptr, _next); - del_redir_spool_cfg(ptr, &ptr->redir_chain); - LibAliasUninit(ptr->lib); - free(ptr, M_IPFW); - } - EVENTHANDLER_DEREGISTER(ifaddr_event, V_ifaddr_event_tag); - flush_nat_ptrs(chain, -1 /* flush all */); - /* deregister ipfw_nat */ - ipfw_nat_ptr = NULL; - lookup_nat_ptr = NULL; - ipfw_nat_cfg_ptr = NULL; - ipfw_nat_del_ptr = NULL; - ipfw_nat_get_cfg_ptr = NULL; - ipfw_nat_get_log_ptr = NULL; - IPFW_WUNLOCK(chain); -} - -static int -ipfw_nat_modevent(module_t mod, int type, void *unused) -{ - int err = 0; - - switch (type) { - case MOD_LOAD: - ipfw_nat_init(); - break; - - case MOD_UNLOAD: - ipfw_nat_destroy(); - break; - - default: - return EOPNOTSUPP; - break; - } - return err; -} - -static moduledata_t ipfw_nat_mod = { - "ipfw_nat", - ipfw_nat_modevent, - 0 -}; - -DECLARE_MODULE(ipfw_nat, ipfw_nat_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY); -MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1); -MODULE_DEPEND(ipfw_nat, ipfw, 2, 2, 2); -MODULE_VERSION(ipfw_nat, 1); -/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_pfil.c b/sys/netinet/ipfw/ip_fw_pfil.c deleted file mode 100644 index 695613d..0000000 --- a/sys/netinet/ipfw/ip_fw_pfil.c +++ /dev/null @@ -1,460 +0,0 @@ -/*- - * Copyright (c) 2004 Andre Oppermann, Internet Business Solutions AG - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#include "opt_ipfw.h" -#include "opt_inet.h" -#include "opt_inet6.h" -#ifndef INET -#error IPFIREWALL requires INET. -#endif /* INET */ - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/malloc.h> -#include <sys/mbuf.h> -#include <sys/module.h> -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/rwlock.h> -#include <sys/socket.h> -#include <sys/sysctl.h> - -#include <net/if.h> -#include <net/route.h> -#include <net/pfil.h> -#include <net/vnet.h> - -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/ip_fw.h> -#ifdef INET6 -#include <netinet/ip6.h> -#include <netinet6/ip6_var.h> -#endif -#include <netinet/ipfw/ip_fw_private.h> -#include <netgraph/ng_ipfw.h> - -#include <machine/in_cksum.h> - -static VNET_DEFINE(int, fw_enable) = 1; -#define V_fw_enable VNET(fw_enable) - -#ifdef INET6 -static VNET_DEFINE(int, fw6_enable) = 1; -#define V_fw6_enable VNET(fw6_enable) -#endif - -int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); - -/* Forward declarations. */ -static int ipfw_divert(struct mbuf **, int, struct ipfw_rule_ref *, int); - -#ifdef SYSCTL_NODE - -SYSBEGIN(f1) - -SYSCTL_DECL(_net_inet_ip_fw); -SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0, - ipfw_chg_hook, "I", "Enable ipfw"); -#ifdef INET6 -SYSCTL_DECL(_net_inet6_ip6_fw); -SYSCTL_VNET_PROC(_net_inet6_ip6_fw, OID_AUTO, enable, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw6_enable), 0, - ipfw_chg_hook, "I", "Enable ipfw+6"); -#endif /* INET6 */ - -SYSEND - -#endif /* SYSCTL_NODE */ - -/* - * The pfilter hook to pass packets to ipfw_chk and then to - * dummynet, divert, netgraph or other modules. - * The packet may be consumed. - */ -int -ipfw_check_hook(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, - struct inpcb *inp) -{ - struct ip_fw_args args; - struct m_tag *tag; - int ipfw; - int ret; - - /* all the processing now uses ip_len in net format */ - if (mtod(*m0, struct ip *)->ip_v == 4) - SET_NET_IPLEN(mtod(*m0, struct ip *)); - - /* convert dir to IPFW values */ - dir = (dir == PFIL_IN) ? DIR_IN : DIR_OUT; - bzero(&args, sizeof(args)); - -again: - /* - * extract and remove the tag if present. If we are left - * with onepass, optimize the outgoing path. - */ - tag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL); - if (tag != NULL) { - args.rule = *((struct ipfw_rule_ref *)(tag+1)); - m_tag_delete(*m0, tag); - if (args.rule.info & IPFW_ONEPASS) { - if (mtod(*m0, struct ip *)->ip_v == 4) - SET_HOST_IPLEN(mtod(*m0, struct ip *)); - return (0); - } - } - - args.m = *m0; - args.oif = dir == DIR_OUT ? ifp : NULL; - args.inp = inp; - - ipfw = ipfw_chk(&args); - *m0 = args.m; - - KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL", - __func__)); - - /* breaking out of the switch means drop */ - ret = 0; /* default return value for pass */ - switch (ipfw) { - case IP_FW_PASS: - /* next_hop may be set by ipfw_chk */ - if (args.next_hop == NULL && args.next_hop6 == NULL) - break; /* pass */ -#if !defined(IPFIREWALL_FORWARD) || (!defined(INET6) && !defined(INET)) - ret = EACCES; -#else - { - struct m_tag *fwd_tag; - size_t len; - - KASSERT(args.next_hop == NULL || args.next_hop6 == NULL, - ("%s: both next_hop=%p and next_hop6=%p not NULL", __func__, - args.next_hop, args.next_hop6)); -#ifdef INET6 - if (args.next_hop6 != NULL) - len = sizeof(struct sockaddr_in6); -#endif -#ifdef INET - if (args.next_hop != NULL) - len = sizeof(struct sockaddr_in); -#endif - - /* Incoming packets should not be tagged so we do not - * m_tag_find. Outgoing packets may be tagged, so we - * reuse the tag if present. - */ - fwd_tag = (dir == DIR_IN) ? NULL : - m_tag_find(*m0, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag != NULL) { - m_tag_unlink(*m0, fwd_tag); - } else { - fwd_tag = m_tag_get(PACKET_TAG_IPFORWARD, len, - M_NOWAIT); - if (fwd_tag == NULL) { - ret = EACCES; - break; /* i.e. drop */ - } - } -#ifdef INET6 - if (args.next_hop6 != NULL) { - bcopy(args.next_hop6, (fwd_tag+1), len); - if (in6_localip(&args.next_hop6->sin6_addr)) - (*m0)->m_flags |= M_FASTFWD_OURS; - } -#endif -#ifdef INET - if (args.next_hop != NULL) { - bcopy(args.next_hop, (fwd_tag+1), len); - if (in_localip(args.next_hop->sin_addr)) - (*m0)->m_flags |= M_FASTFWD_OURS; - } -#endif - m_tag_prepend(*m0, fwd_tag); - } -#endif /* IPFIREWALL_FORWARD */ - break; - - case IP_FW_DENY: - ret = EACCES; - break; /* i.e. drop */ - - case IP_FW_DUMMYNET: - ret = EACCES; - if (ip_dn_io_ptr == NULL) - break; /* i.e. drop */ - if (mtod(*m0, struct ip *)->ip_v == 4) - ret = ip_dn_io_ptr(m0, dir, &args); - else if (mtod(*m0, struct ip *)->ip_v == 6) - ret = ip_dn_io_ptr(m0, dir | PROTO_IPV6, &args); - else - break; /* drop it */ - /* - * XXX should read the return value. - * dummynet normally eats the packet and sets *m0=NULL - * unless the packet can be sent immediately. In this - * case args is updated and we should re-run the - * check without clearing args. - */ - if (*m0 != NULL) - goto again; - break; - - case IP_FW_TEE: - case IP_FW_DIVERT: - if (ip_divert_ptr == NULL) { - ret = EACCES; - break; /* i.e. drop */ - } - ret = ipfw_divert(m0, dir, &args.rule, - (ipfw == IP_FW_TEE) ? 1 : 0); - /* continue processing for the original packet (tee). */ - if (*m0) - goto again; - break; - - case IP_FW_NGTEE: - case IP_FW_NETGRAPH: - if (ng_ipfw_input_p == NULL) { - ret = EACCES; - break; /* i.e. drop */ - } - ret = ng_ipfw_input_p(m0, dir, &args, - (ipfw == IP_FW_NGTEE) ? 1 : 0); - if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */ - goto again; /* continue with packet */ - break; - - case IP_FW_NAT: - /* honor one-pass in case of successful nat */ - if (V_fw_one_pass) - break; /* ret is already 0 */ - goto again; - - case IP_FW_REASS: - goto again; /* continue with packet */ - - default: - KASSERT(0, ("%s: unknown retval", __func__)); - } - - if (ret != 0) { - if (*m0) - FREE_PKT(*m0); - *m0 = NULL; - } - if (*m0 && mtod(*m0, struct ip *)->ip_v == 4) - SET_HOST_IPLEN(mtod(*m0, struct ip *)); - return ret; -} - -/* do the divert, return 1 on error 0 on success */ -static int -ipfw_divert(struct mbuf **m0, int incoming, struct ipfw_rule_ref *rule, - int tee) -{ - /* - * ipfw_chk() has already tagged the packet with the divert tag. - * If tee is set, copy packet and return original. - * If not tee, consume packet and send it to divert socket. - */ - struct mbuf *clone; - struct ip *ip = mtod(*m0, struct ip *); - struct m_tag *tag; - - /* Cloning needed for tee? */ - if (tee == 0) { - clone = *m0; /* use the original mbuf */ - *m0 = NULL; - } else { - clone = m_dup(*m0, M_DONTWAIT); - /* If we cannot duplicate the mbuf, we sacrifice the divert - * chain and continue with the tee-ed packet. - */ - if (clone == NULL) - return 1; - } - - /* - * Divert listeners can normally handle non-fragmented packets, - * but we can only reass in the non-tee case. - * This means that listeners on a tee rule may get fragments, - * and have to live with that. - * Note that we now have the 'reass' ipfw option so if we care - * we can do it before a 'tee'. - */ - if (!tee) switch (ip->ip_v) { - case IPVERSION: - if (ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) { - int hlen; - struct mbuf *reass; - - SET_HOST_IPLEN(ip); /* ip_reass wants host order */ - reass = ip_reass(clone); /* Reassemble packet. */ - if (reass == NULL) - return 0; /* not an error */ - /* if reass = NULL then it was consumed by ip_reass */ - /* - * IP header checksum fixup after reassembly and leave header - * in network byte order. - */ - ip = mtod(reass, struct ip *); - hlen = ip->ip_hl << 2; - SET_NET_IPLEN(ip); - ip->ip_sum = 0; - if (hlen == sizeof(struct ip)) - ip->ip_sum = in_cksum_hdr(ip); - else - ip->ip_sum = in_cksum(reass, hlen); - clone = reass; - } - break; -#ifdef INET6 - case IPV6_VERSION >> 4: - { - struct ip6_hdr *const ip6 = mtod(clone, struct ip6_hdr *); - - if (ip6->ip6_nxt == IPPROTO_FRAGMENT) { - int nxt, off; - - off = sizeof(struct ip6_hdr); - nxt = frag6_input(&clone, &off, 0); - if (nxt == IPPROTO_DONE) - return (0); - } - break; - } -#endif - } - - /* attach a tag to the packet with the reinject info */ - tag = m_tag_alloc(MTAG_IPFW_RULE, 0, - sizeof(struct ipfw_rule_ref), M_NOWAIT); - if (tag == NULL) { - FREE_PKT(clone); - return 1; - } - *((struct ipfw_rule_ref *)(tag+1)) = *rule; - m_tag_prepend(clone, tag); - - /* Do the dirty job... */ - ip_divert_ptr(clone, incoming); - return 0; -} - -/* - * attach or detach hooks for a given protocol family - */ -static int -ipfw_hook(int onoff, int pf) -{ - struct pfil_head *pfh; - - pfh = pfil_head_get(PFIL_TYPE_AF, pf); - if (pfh == NULL) - return ENOENT; - - (void) (onoff ? pfil_add_hook : pfil_remove_hook) - (ipfw_check_hook, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh); - - return 0; -} - -int -ipfw_attach_hooks(int arg) -{ - int error = 0; - - if (arg == 0) /* detach */ - ipfw_hook(0, AF_INET); - else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) { - error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */ - printf("ipfw_hook() error\n"); - } -#ifdef INET6 - if (arg == 0) /* detach */ - ipfw_hook(0, AF_INET6); - else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) { - error = ENOENT; - printf("ipfw6_hook() error\n"); - } -#endif - return error; -} - -int -ipfw_chg_hook(SYSCTL_HANDLER_ARGS) -{ - int enable; - int oldenable; - int error; - int af; - - if (arg1 == &VNET_NAME(fw_enable)) { - enable = V_fw_enable; - af = AF_INET; - } -#ifdef INET6 - else if (arg1 == &VNET_NAME(fw6_enable)) { - enable = V_fw6_enable; - af = AF_INET6; - } -#endif - else - return (EINVAL); - - oldenable = enable; - - error = sysctl_handle_int(oidp, &enable, 0, req); - - if (error) - return (error); - - enable = (enable) ? 1 : 0; - - if (enable == oldenable) - return (0); - - error = ipfw_hook(enable, af); - if (error) - return (error); - if (af == AF_INET) - V_fw_enable = enable; -#ifdef INET6 - else if (af == AF_INET6) - V_fw6_enable = enable; -#endif - - return (0); -} -/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_private.h b/sys/netinet/ipfw/ip_fw_private.h deleted file mode 100644 index 7f65c41..0000000 --- a/sys/netinet/ipfw/ip_fw_private.h +++ /dev/null @@ -1,313 +0,0 @@ -/*- - * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * $FreeBSD$ - */ - -#ifndef _IPFW2_PRIVATE_H -#define _IPFW2_PRIVATE_H - -/* - * Internal constants and data structures used by ipfw components - * and not meant to be exported outside the kernel. - */ - -#ifdef _KERNEL - -/* - * For platforms that do not have SYSCTL support, we wrap the - * SYSCTL_* into a function (one per file) to collect the values - * into an array at module initialization. The wrapping macros, - * SYSBEGIN() and SYSEND, are empty in the default case. - */ -#ifndef SYSBEGIN -#define SYSBEGIN(x) -#endif -#ifndef SYSEND -#define SYSEND -#endif - -/* Return values from ipfw_chk() */ -enum { - IP_FW_PASS = 0, - IP_FW_DENY, - IP_FW_DIVERT, - IP_FW_TEE, - IP_FW_DUMMYNET, - IP_FW_NETGRAPH, - IP_FW_NGTEE, - IP_FW_NAT, - IP_FW_REASS, -}; - -/* - * Structure for collecting parameters to dummynet for ip6_output forwarding - */ -struct _ip6dn_args { - struct ip6_pktopts *opt_or; - struct route_in6 ro_or; - int flags_or; - struct ip6_moptions *im6o_or; - struct ifnet *origifp_or; - struct ifnet *ifp_or; - struct sockaddr_in6 dst_or; - u_long mtu_or; - struct route_in6 ro_pmtu_or; -}; - - -/* - * Arguments for calling ipfw_chk() and dummynet_io(). We put them - * all into a structure because this way it is easier and more - * efficient to pass variables around and extend the interface. - */ -struct ip_fw_args { - struct mbuf *m; /* the mbuf chain */ - struct ifnet *oif; /* output interface */ - struct sockaddr_in *next_hop; /* forward address */ - struct sockaddr_in6 *next_hop6; /* ipv6 forward address */ - - /* - * On return, it points to the matching rule. - * On entry, rule.slot > 0 means the info is valid and - * contains the starting rule for an ipfw search. - * If chain_id == chain->id && slot >0 then jump to that slot. - * Otherwise, we locate the first rule >= rulenum:rule_id - */ - struct ipfw_rule_ref rule; /* match/restart info */ - - struct ether_header *eh; /* for bridged packets */ - - struct ipfw_flow_id f_id; /* grabbed from IP header */ - //uint32_t cookie; /* a cookie depending on rule action */ - struct inpcb *inp; - - struct _ip6dn_args dummypar; /* dummynet->ip6_output */ - struct sockaddr_in hopstore; /* store here if cannot use a pointer */ -}; - -MALLOC_DECLARE(M_IPFW); - -/* - * Hooks sometime need to know the direction of the packet - * (divert, dummynet, netgraph, ...) - * We use a generic definition here, with bit0-1 indicating the - * direction, bit 2 indicating layer2 or 3, bit 3-4 indicating the - * specific protocol - * indicating the protocol (if necessary) - */ -enum { - DIR_MASK = 0x3, - DIR_OUT = 0, - DIR_IN = 1, - DIR_FWD = 2, - DIR_DROP = 3, - PROTO_LAYER2 = 0x4, /* set for layer 2 */ - /* PROTO_DEFAULT = 0, */ - PROTO_IPV4 = 0x08, - PROTO_IPV6 = 0x10, - PROTO_IFB = 0x0c, /* layer2 + ifbridge */ - /* PROTO_OLDBDG = 0x14, unused, old bridge */ -}; - -/* wrapper for freeing a packet, in case we need to do more work */ -#ifndef FREE_PKT -#if defined(__linux__) || defined(_WIN32) -#define FREE_PKT(m) netisr_dispatch(-1, m) -#else -#define FREE_PKT(m) m_freem(m) -#endif -#endif /* !FREE_PKT */ - -/* - * Function definitions. - */ - -/* attach (arg = 1) or detach (arg = 0) hooks */ -int ipfw_attach_hooks(int); -#ifdef NOTYET -void ipfw_nat_destroy(void); -#endif - -/* In ip_fw_log.c */ -struct ip; -void ipfw_log_bpf(int); -void ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, - struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, - struct ip *ip); -VNET_DECLARE(u_int64_t, norule_counter); -#define V_norule_counter VNET(norule_counter) -VNET_DECLARE(int, verbose_limit); -#define V_verbose_limit VNET(verbose_limit) - -/* In ip_fw_dynamic.c */ - -enum { /* result for matching dynamic rules */ - MATCH_REVERSE = 0, - MATCH_FORWARD, - MATCH_NONE, - MATCH_UNKNOWN, -}; - -/* - * The lock for dynamic rules is only used once outside the file, - * and only to release the result of lookup_dyn_rule(). - * Eventually we may implement it with a callback on the function. - */ -void ipfw_dyn_unlock(void); - -struct tcphdr; -struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *, - u_int32_t, u_int32_t, int); -int ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, - struct ip_fw_args *args, uint32_t tablearg); -ipfw_dyn_rule *ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, - int *match_direction, struct tcphdr *tcp); -void ipfw_remove_dyn_children(struct ip_fw *rule); -void ipfw_get_dynamic(char **bp, const char *ep); - -void ipfw_dyn_attach(void); /* uma_zcreate .... */ -void ipfw_dyn_detach(void); /* uma_zdestroy ... */ -void ipfw_dyn_init(void); /* per-vnet initialization */ -void ipfw_dyn_uninit(int); /* per-vnet deinitialization */ -int ipfw_dyn_len(void); - -/* common variables */ -VNET_DECLARE(int, fw_one_pass); -#define V_fw_one_pass VNET(fw_one_pass) - -VNET_DECLARE(int, fw_verbose); -#define V_fw_verbose VNET(fw_verbose) - -VNET_DECLARE(struct ip_fw_chain, layer3_chain); -#define V_layer3_chain VNET(layer3_chain) - -VNET_DECLARE(u_int32_t, set_disable); -#define V_set_disable VNET(set_disable) - -VNET_DECLARE(int, autoinc_step); -#define V_autoinc_step VNET(autoinc_step) - -VNET_DECLARE(unsigned int, fw_tables_max); -#define V_fw_tables_max VNET(fw_tables_max) - -struct ip_fw_chain { - struct ip_fw *rules; /* list of rules */ - struct ip_fw *reap; /* list of rules to reap */ - struct ip_fw *default_rule; - int n_rules; /* number of static rules */ - int static_len; /* total len of static rules */ - struct ip_fw **map; /* array of rule ptrs to ease lookup */ - LIST_HEAD(nat_list, cfg_nat) nat; /* list of nat entries */ - struct radix_node_head **tables; /* IPv4 tables */ - struct radix_node_head **xtables; /* extended tables */ - uint8_t *tabletype; /* Array of table types */ -#if defined( __linux__ ) || defined( _WIN32 ) - spinlock_t rwmtx; - spinlock_t uh_lock; -#else - struct rwlock rwmtx; - struct rwlock uh_lock; /* lock for upper half */ -#endif - uint32_t id; /* ruleset id */ - uint32_t gencnt; /* generation count */ -}; - -struct sockopt; /* used by tcp_var.h */ - -/* - * The lock is heavily used by ip_fw2.c (the main file) and ip_fw_nat.c - * so the variable and the macros must be here. - */ - -#define IPFW_LOCK_INIT(_chain) do { \ - rw_init(&(_chain)->rwmtx, "IPFW static rules"); \ - rw_init(&(_chain)->uh_lock, "IPFW UH lock"); \ - } while (0) - -#define IPFW_LOCK_DESTROY(_chain) do { \ - rw_destroy(&(_chain)->rwmtx); \ - rw_destroy(&(_chain)->uh_lock); \ - } while (0) - -#define IPFW_WLOCK_ASSERT(_chain) rw_assert(&(_chain)->rwmtx, RA_WLOCKED) - -#define IPFW_RLOCK(p) rw_rlock(&(p)->rwmtx) -#define IPFW_RUNLOCK(p) rw_runlock(&(p)->rwmtx) -#define IPFW_WLOCK(p) rw_wlock(&(p)->rwmtx) -#define IPFW_WUNLOCK(p) rw_wunlock(&(p)->rwmtx) - -#define IPFW_UH_RLOCK(p) rw_rlock(&(p)->uh_lock) -#define IPFW_UH_RUNLOCK(p) rw_runlock(&(p)->uh_lock) -#define IPFW_UH_WLOCK(p) rw_wlock(&(p)->uh_lock) -#define IPFW_UH_WUNLOCK(p) rw_wunlock(&(p)->uh_lock) - -/* In ip_fw_sockopt.c */ -int ipfw_find_rule(struct ip_fw_chain *chain, uint32_t key, uint32_t id); -int ipfw_add_rule(struct ip_fw_chain *chain, struct ip_fw *input_rule); -int ipfw_ctl(struct sockopt *sopt); -int ipfw_chk(struct ip_fw_args *args); -void ipfw_reap_rules(struct ip_fw *head); - -/* In ip_fw_pfil */ -int ipfw_check_hook(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, - struct inpcb *inp); - -/* In ip_fw_table.c */ -struct radix_node; -int ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, - uint32_t *val); -int ipfw_lookup_table_extended(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, - uint32_t *val, int type); -int ipfw_init_tables(struct ip_fw_chain *ch); -void ipfw_destroy_tables(struct ip_fw_chain *ch); -int ipfw_flush_table(struct ip_fw_chain *ch, uint16_t tbl); -int ipfw_add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, - uint8_t plen, uint8_t mlen, uint8_t type, uint32_t value); -int ipfw_del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, - uint8_t plen, uint8_t mlen, uint8_t type); -int ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt); -int ipfw_dump_table_entry(struct radix_node *rn, void *arg); -int ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl); -int ipfw_count_xtable(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt); -int ipfw_dump_xtable(struct ip_fw_chain *ch, ipfw_xtable *tbl); -int ipfw_resize_tables(struct ip_fw_chain *ch, unsigned int ntables); - -/* In ip_fw_nat.c -- XXX to be moved to ip_var.h */ - -extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); - -typedef int ipfw_nat_t(struct ip_fw_args *, struct cfg_nat *, struct mbuf *); -typedef int ipfw_nat_cfg_t(struct sockopt *); - -extern ipfw_nat_t *ipfw_nat_ptr; -#define IPFW_NAT_LOADED (ipfw_nat_ptr != NULL) - -extern ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; -extern ipfw_nat_cfg_t *ipfw_nat_del_ptr; -extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; -extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; - -#endif /* _KERNEL */ -#endif /* _IPFW2_PRIVATE_H */ diff --git a/sys/netinet/ipfw/ip_fw_sockopt.c b/sys/netinet/ipfw/ip_fw_sockopt.c deleted file mode 100644 index 2a5f4e7..0000000 --- a/sys/netinet/ipfw/ip_fw_sockopt.c +++ /dev/null @@ -1,1448 +0,0 @@ -/*- - * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa - * - * Supported by: Valeria Paoli - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -/* - * Sockopt support for ipfw. The routines here implement - * the upper half of the ipfw code. - */ - -#include "opt_ipfw.h" -#include "opt_inet.h" -#ifndef INET -#error IPFIREWALL requires INET. -#endif /* INET */ -#include "opt_inet6.h" - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/malloc.h> -#include <sys/mbuf.h> /* struct m_tag used by nested headers */ -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/priv.h> -#include <sys/proc.h> -#include <sys/rwlock.h> -#include <sys/socket.h> -#include <sys/socketvar.h> -#include <sys/sysctl.h> -#include <sys/syslog.h> -#include <net/if.h> -#include <net/route.h> -#include <net/vnet.h> - -#include <netinet/in.h> -#include <netinet/ip_var.h> /* hooks */ -#include <netinet/ip_fw.h> -#include <netinet/ipfw/ip_fw_private.h> - -#ifdef MAC -#include <security/mac/mac_framework.h> -#endif - -MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); - -/* - * static variables followed by global ones (none in this file) - */ - -/* - * Find the smallest rule >= key, id. - * We could use bsearch but it is so simple that we code it directly - */ -int -ipfw_find_rule(struct ip_fw_chain *chain, uint32_t key, uint32_t id) -{ - int i, lo, hi; - struct ip_fw *r; - - for (lo = 0, hi = chain->n_rules - 1; lo < hi;) { - i = (lo + hi) / 2; - r = chain->map[i]; - if (r->rulenum < key) - lo = i + 1; /* continue from the next one */ - else if (r->rulenum > key) - hi = i; /* this might be good */ - else if (r->id < id) - lo = i + 1; /* continue from the next one */ - else /* r->id >= id */ - hi = i; /* this might be good */ - }; - return hi; -} - -/* - * allocate a new map, returns the chain locked. extra is the number - * of entries to add or delete. - */ -static struct ip_fw ** -get_map(struct ip_fw_chain *chain, int extra, int locked) -{ - - for (;;) { - struct ip_fw **map; - int i; - - i = chain->n_rules + extra; - map = malloc(i * sizeof(struct ip_fw *), M_IPFW, - locked ? M_NOWAIT : M_WAITOK); - if (map == NULL) { - printf("%s: cannot allocate map\n", __FUNCTION__); - return NULL; - } - if (!locked) - IPFW_UH_WLOCK(chain); - if (i >= chain->n_rules + extra) /* good */ - return map; - /* otherwise we lost the race, free and retry */ - if (!locked) - IPFW_UH_WUNLOCK(chain); - free(map, M_IPFW); - } -} - -/* - * swap the maps. It is supposed to be called with IPFW_UH_WLOCK - */ -static struct ip_fw ** -swap_map(struct ip_fw_chain *chain, struct ip_fw **new_map, int new_len) -{ - struct ip_fw **old_map; - - IPFW_WLOCK(chain); - chain->id++; - chain->n_rules = new_len; - old_map = chain->map; - chain->map = new_map; - IPFW_WUNLOCK(chain); - return old_map; -} - -/* - * Add a new rule to the list. Copy the rule into a malloc'ed area, then - * possibly create a rule number and add the rule to the list. - * Update the rule_number in the input struct so the caller knows it as well. - * XXX DO NOT USE FOR THE DEFAULT RULE. - * Must be called without IPFW_UH held - */ -int -ipfw_add_rule(struct ip_fw_chain *chain, struct ip_fw *input_rule) -{ - struct ip_fw *rule; - int i, l, insert_before; - struct ip_fw **map; /* the new array of pointers */ - - if (chain->rules == NULL || input_rule->rulenum > IPFW_DEFAULT_RULE-1) - return (EINVAL); - - l = RULESIZE(input_rule); - rule = malloc(l, M_IPFW, M_WAITOK | M_ZERO); - /* get_map returns with IPFW_UH_WLOCK if successful */ - map = get_map(chain, 1, 0 /* not locked */); - if (map == NULL) { - free(rule, M_IPFW); - return ENOSPC; - } - - bcopy(input_rule, rule, l); - /* clear fields not settable from userland */ - rule->x_next = NULL; - rule->next_rule = NULL; - rule->pcnt = 0; - rule->bcnt = 0; - rule->timestamp = 0; - - if (V_autoinc_step < 1) - V_autoinc_step = 1; - else if (V_autoinc_step > 1000) - V_autoinc_step = 1000; - /* find the insertion point, we will insert before */ - insert_before = rule->rulenum ? rule->rulenum + 1 : IPFW_DEFAULT_RULE; - i = ipfw_find_rule(chain, insert_before, 0); - /* duplicate first part */ - if (i > 0) - bcopy(chain->map, map, i * sizeof(struct ip_fw *)); - map[i] = rule; - /* duplicate remaining part, we always have the default rule */ - bcopy(chain->map + i, map + i + 1, - sizeof(struct ip_fw *) *(chain->n_rules - i)); - if (rule->rulenum == 0) { - /* write back the number */ - rule->rulenum = i > 0 ? map[i-1]->rulenum : 0; - if (rule->rulenum < IPFW_DEFAULT_RULE - V_autoinc_step) - rule->rulenum += V_autoinc_step; - input_rule->rulenum = rule->rulenum; - } - - rule->id = chain->id + 1; - map = swap_map(chain, map, chain->n_rules + 1); - chain->static_len += l; - IPFW_UH_WUNLOCK(chain); - if (map) - free(map, M_IPFW); - return (0); -} - -/* - * Reclaim storage associated with a list of rules. This is - * typically the list created using remove_rule. - * A NULL pointer on input is handled correctly. - */ -void -ipfw_reap_rules(struct ip_fw *head) -{ - struct ip_fw *rule; - - while ((rule = head) != NULL) { - head = head->x_next; - free(rule, M_IPFW); - } -} - -/* - * Used by del_entry() to check if a rule should be kept. - * Returns 1 if the rule must be kept, 0 otherwise. - * - * Called with cmd = {0,1,5}. - * cmd == 0 matches on rule numbers, excludes rules in RESVD_SET if n == 0 ; - * cmd == 1 matches on set numbers only, rule numbers are ignored; - * cmd == 5 matches on rule and set numbers. - * - * n == 0 is a wildcard for rule numbers, there is no wildcard for sets. - * - * Rules to keep are - * (default || reserved || !match_set || !match_number) - * where - * default ::= (rule->rulenum == IPFW_DEFAULT_RULE) - * // the default rule is always protected - * - * reserved ::= (cmd == 0 && n == 0 && rule->set == RESVD_SET) - * // RESVD_SET is protected only if cmd == 0 and n == 0 ("ipfw flush") - * - * match_set ::= (cmd == 0 || rule->set == set) - * // set number is ignored for cmd == 0 - * - * match_number ::= (cmd == 1 || n == 0 || n == rule->rulenum) - * // number is ignored for cmd == 1 or n == 0 - * - */ -static int -keep_rule(struct ip_fw *rule, uint8_t cmd, uint8_t set, uint32_t n) -{ - return - (rule->rulenum == IPFW_DEFAULT_RULE) || - (cmd == 0 && n == 0 && rule->set == RESVD_SET) || - !(cmd == 0 || rule->set == set) || - !(cmd == 1 || n == 0 || n == rule->rulenum); -} - -/** - * Remove all rules with given number, or do set manipulation. - * Assumes chain != NULL && *chain != NULL. - * - * The argument is an uint32_t. The low 16 bit are the rule or set number; - * the next 8 bits are the new set; the top 8 bits indicate the command: - * - * 0 delete rules numbered "rulenum" - * 1 delete rules in set "rulenum" - * 2 move rules "rulenum" to set "new_set" - * 3 move rules from set "rulenum" to set "new_set" - * 4 swap sets "rulenum" and "new_set" - * 5 delete rules "rulenum" and set "new_set" - */ -static int -del_entry(struct ip_fw_chain *chain, uint32_t arg) -{ - struct ip_fw *rule; - uint32_t num; /* rule number or old_set */ - uint8_t cmd, new_set; - int start, end, i, ofs, n; - struct ip_fw **map = NULL; - int error = 0; - - num = arg & 0xffff; - cmd = (arg >> 24) & 0xff; - new_set = (arg >> 16) & 0xff; - - if (cmd > 5 || new_set > RESVD_SET) - return EINVAL; - if (cmd == 0 || cmd == 2 || cmd == 5) { - if (num >= IPFW_DEFAULT_RULE) - return EINVAL; - } else { - if (num > RESVD_SET) /* old_set */ - return EINVAL; - } - - IPFW_UH_WLOCK(chain); /* arbitrate writers */ - chain->reap = NULL; /* prepare for deletions */ - - switch (cmd) { - case 0: /* delete rules "num" (num == 0 matches all) */ - case 1: /* delete all rules in set N */ - case 5: /* delete rules with number N and set "new_set". */ - - /* - * Locate first rule to delete (start), the rule after - * the last one to delete (end), and count how many - * rules to delete (n). Always use keep_rule() to - * determine which rules to keep. - */ - n = 0; - if (cmd == 1) { - /* look for a specific set including RESVD_SET. - * Must scan the entire range, ignore num. - */ - new_set = num; - for (start = -1, end = i = 0; i < chain->n_rules; i++) { - if (keep_rule(chain->map[i], cmd, new_set, 0)) - continue; - if (start < 0) - start = i; - end = i; - n++; - } - end++; /* first non-matching */ - } else { - /* Optimized search on rule numbers */ - start = ipfw_find_rule(chain, num, 0); - for (end = start; end < chain->n_rules; end++) { - rule = chain->map[end]; - if (num > 0 && rule->rulenum != num) - break; - if (!keep_rule(rule, cmd, new_set, num)) - n++; - } - } - - if (n == 0) { - /* A flush request (arg == 0 or cmd == 1) on empty - * ruleset returns with no error. On the contrary, - * if there is no match on a specific request, - * we return EINVAL. - */ - if (arg != 0 && cmd != 1) - error = EINVAL; - break; - } - - /* We have something to delete. Allocate the new map */ - map = get_map(chain, -n, 1 /* locked */); - if (map == NULL) { - error = EINVAL; - break; - } - - /* 1. bcopy the initial part of the map */ - if (start > 0) - bcopy(chain->map, map, start * sizeof(struct ip_fw *)); - /* 2. copy active rules between start and end */ - for (i = ofs = start; i < end; i++) { - rule = chain->map[i]; - if (keep_rule(rule, cmd, new_set, num)) - map[ofs++] = rule; - } - /* 3. copy the final part of the map */ - bcopy(chain->map + end, map + ofs, - (chain->n_rules - end) * sizeof(struct ip_fw *)); - /* 4. swap the maps (under BH_LOCK) */ - map = swap_map(chain, map, chain->n_rules - n); - /* 5. now remove the rules deleted from the old map */ - for (i = start; i < end; i++) { - int l; - rule = map[i]; - if (keep_rule(rule, cmd, new_set, num)) - continue; - l = RULESIZE(rule); - chain->static_len -= l; - ipfw_remove_dyn_children(rule); - rule->x_next = chain->reap; - chain->reap = rule; - } - break; - - /* - * In the next 3 cases the loop stops at (n_rules - 1) - * because the default rule is never eligible.. - */ - - case 2: /* move rules with given RULE number to new set */ - for (i = 0; i < chain->n_rules - 1; i++) { - rule = chain->map[i]; - if (rule->rulenum == num) - rule->set = new_set; - } - break; - - case 3: /* move rules with given SET number to new set */ - for (i = 0; i < chain->n_rules - 1; i++) { - rule = chain->map[i]; - if (rule->set == num) - rule->set = new_set; - } - break; - - case 4: /* swap two sets */ - for (i = 0; i < chain->n_rules - 1; i++) { - rule = chain->map[i]; - if (rule->set == num) - rule->set = new_set; - else if (rule->set == new_set) - rule->set = num; - } - break; - } - - rule = chain->reap; - chain->reap = NULL; - IPFW_UH_WUNLOCK(chain); - ipfw_reap_rules(rule); - if (map) - free(map, M_IPFW); - return error; -} - -/* - * Clear counters for a specific rule. - * Normally run under IPFW_UH_RLOCK, but these are idempotent ops - * so we only care that rules do not disappear. - */ -static void -clear_counters(struct ip_fw *rule, int log_only) -{ - ipfw_insn_log *l = (ipfw_insn_log *)ACTION_PTR(rule); - - if (log_only == 0) { - rule->bcnt = rule->pcnt = 0; - rule->timestamp = 0; - } - if (l->o.opcode == O_LOG) - l->log_left = l->max_log; -} - -/** - * Reset some or all counters on firewall rules. - * The argument `arg' is an u_int32_t. The low 16 bit are the rule number, - * the next 8 bits are the set number, the top 8 bits are the command: - * 0 work with rules from all set's; - * 1 work with rules only from specified set. - * Specified rule number is zero if we want to clear all entries. - * log_only is 1 if we only want to reset logs, zero otherwise. - */ -static int -zero_entry(struct ip_fw_chain *chain, u_int32_t arg, int log_only) -{ - struct ip_fw *rule; - char *msg; - int i; - - uint16_t rulenum = arg & 0xffff; - uint8_t set = (arg >> 16) & 0xff; - uint8_t cmd = (arg >> 24) & 0xff; - - if (cmd > 1) - return (EINVAL); - if (cmd == 1 && set > RESVD_SET) - return (EINVAL); - - IPFW_UH_RLOCK(chain); - if (rulenum == 0) { - V_norule_counter = 0; - for (i = 0; i < chain->n_rules; i++) { - rule = chain->map[i]; - /* Skip rules not in our set. */ - if (cmd == 1 && rule->set != set) - continue; - clear_counters(rule, log_only); - } - msg = log_only ? "All logging counts reset" : - "Accounting cleared"; - } else { - int cleared = 0; - for (i = 0; i < chain->n_rules; i++) { - rule = chain->map[i]; - if (rule->rulenum == rulenum) { - if (cmd == 0 || rule->set == set) - clear_counters(rule, log_only); - cleared = 1; - } - if (rule->rulenum > rulenum) - break; - } - if (!cleared) { /* we did not find any matching rules */ - IPFW_UH_RUNLOCK(chain); - return (EINVAL); - } - msg = log_only ? "logging count reset" : "cleared"; - } - IPFW_UH_RUNLOCK(chain); - - if (V_fw_verbose) { - int lev = LOG_SECURITY | LOG_NOTICE; - - if (rulenum) - log(lev, "ipfw: Entry %d %s.\n", rulenum, msg); - else - log(lev, "ipfw: %s.\n", msg); - } - return (0); -} - -/* - * Check validity of the structure before insert. - * Rules are simple, so this mostly need to check rule sizes. - */ -static int -check_ipfw_struct(struct ip_fw *rule, int size) -{ - int l, cmdlen = 0; - int have_action=0; - ipfw_insn *cmd; - - if (size < sizeof(*rule)) { - printf("ipfw: rule too short\n"); - return (EINVAL); - } - /* first, check for valid size */ - l = RULESIZE(rule); - if (l != size) { - printf("ipfw: size mismatch (have %d want %d)\n", size, l); - return (EINVAL); - } - if (rule->act_ofs >= rule->cmd_len) { - printf("ipfw: bogus action offset (%u > %u)\n", - rule->act_ofs, rule->cmd_len - 1); - return (EINVAL); - } - /* - * Now go for the individual checks. Very simple ones, basically only - * instruction sizes. - */ - for (l = rule->cmd_len, cmd = rule->cmd ; - l > 0 ; l -= cmdlen, cmd += cmdlen) { - cmdlen = F_LEN(cmd); - if (cmdlen > l) { - printf("ipfw: opcode %d size truncated\n", - cmd->opcode); - return EINVAL; - } - switch (cmd->opcode) { - case O_PROBE_STATE: - case O_KEEP_STATE: - case O_PROTO: - case O_IP_SRC_ME: - case O_IP_DST_ME: - case O_LAYER2: - case O_IN: - case O_FRAG: - case O_DIVERTED: - case O_IPOPT: - case O_IPTOS: - case O_IPPRECEDENCE: - case O_IPVER: - case O_SOCKARG: - case O_TCPFLAGS: - case O_TCPOPTS: - case O_ESTAB: - case O_VERREVPATH: - case O_VERSRCREACH: - case O_ANTISPOOF: - case O_IPSEC: -#ifdef INET6 - case O_IP6_SRC_ME: - case O_IP6_DST_ME: - case O_EXT_HDR: - case O_IP6: -#endif - case O_IP4: - case O_TAG: - if (cmdlen != F_INSN_SIZE(ipfw_insn)) - goto bad_size; - break; - - case O_FIB: - if (cmdlen != F_INSN_SIZE(ipfw_insn)) - goto bad_size; - if (cmd->arg1 >= rt_numfibs) { - printf("ipfw: invalid fib number %d\n", - cmd->arg1); - return EINVAL; - } - break; - - case O_SETFIB: - if (cmdlen != F_INSN_SIZE(ipfw_insn)) - goto bad_size; - if ((cmd->arg1 != IP_FW_TABLEARG) && - (cmd->arg1 >= rt_numfibs)) { - printf("ipfw: invalid fib number %d\n", - cmd->arg1); - return EINVAL; - } - goto check_action; - - case O_UID: - case O_GID: - case O_JAIL: - case O_IP_SRC: - case O_IP_DST: - case O_TCPSEQ: - case O_TCPACK: - case O_PROB: - case O_ICMPTYPE: - if (cmdlen != F_INSN_SIZE(ipfw_insn_u32)) - goto bad_size; - break; - - case O_LIMIT: - if (cmdlen != F_INSN_SIZE(ipfw_insn_limit)) - goto bad_size; - break; - - case O_LOG: - if (cmdlen != F_INSN_SIZE(ipfw_insn_log)) - goto bad_size; - - ((ipfw_insn_log *)cmd)->log_left = - ((ipfw_insn_log *)cmd)->max_log; - - break; - - case O_IP_SRC_MASK: - case O_IP_DST_MASK: - /* only odd command lengths */ - if ( !(cmdlen & 1) || cmdlen > 31) - goto bad_size; - break; - - case O_IP_SRC_SET: - case O_IP_DST_SET: - if (cmd->arg1 == 0 || cmd->arg1 > 256) { - printf("ipfw: invalid set size %d\n", - cmd->arg1); - return EINVAL; - } - if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + - (cmd->arg1+31)/32 ) - goto bad_size; - break; - - case O_IP_SRC_LOOKUP: - case O_IP_DST_LOOKUP: - if (cmd->arg1 >= IPFW_TABLES_MAX) { - printf("ipfw: invalid table number %d\n", - cmd->arg1); - return (EINVAL); - } - if (cmdlen != F_INSN_SIZE(ipfw_insn) && - cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1 && - cmdlen != F_INSN_SIZE(ipfw_insn_u32)) - goto bad_size; - break; - case O_MACADDR2: - if (cmdlen != F_INSN_SIZE(ipfw_insn_mac)) - goto bad_size; - break; - - case O_NOP: - case O_IPID: - case O_IPTTL: - case O_IPLEN: - case O_TCPDATALEN: - case O_TCPWIN: - case O_TAGGED: - if (cmdlen < 1 || cmdlen > 31) - goto bad_size; - break; - - case O_MAC_TYPE: - case O_IP_SRCPORT: - case O_IP_DSTPORT: /* XXX artificial limit, 30 port pairs */ - if (cmdlen < 2 || cmdlen > 31) - goto bad_size; - break; - - case O_RECV: - case O_XMIT: - case O_VIA: - if (cmdlen != F_INSN_SIZE(ipfw_insn_if)) - goto bad_size; - break; - - case O_ALTQ: - if (cmdlen != F_INSN_SIZE(ipfw_insn_altq)) - goto bad_size; - break; - - case O_PIPE: - case O_QUEUE: - if (cmdlen != F_INSN_SIZE(ipfw_insn)) - goto bad_size; - goto check_action; - - case O_FORWARD_IP: -#ifdef IPFIREWALL_FORWARD - if (cmdlen != F_INSN_SIZE(ipfw_insn_sa)) - goto bad_size; - goto check_action; -#else - return EINVAL; -#endif - -#ifdef INET6 - case O_FORWARD_IP6: -#ifdef IPFIREWALL_FORWARD - if (cmdlen != F_INSN_SIZE(ipfw_insn_sa6)) - goto bad_size; - goto check_action; -#else - return (EINVAL); -#endif -#endif /* INET6 */ - - case O_DIVERT: - case O_TEE: - if (ip_divert_ptr == NULL) - return EINVAL; - else - goto check_size; - case O_NETGRAPH: - case O_NGTEE: - if (ng_ipfw_input_p == NULL) - return EINVAL; - else - goto check_size; - case O_NAT: - if (!IPFW_NAT_LOADED) - return EINVAL; - if (cmdlen != F_INSN_SIZE(ipfw_insn_nat)) - goto bad_size; - goto check_action; - case O_FORWARD_MAC: /* XXX not implemented yet */ - case O_CHECK_STATE: - case O_COUNT: - case O_ACCEPT: - case O_DENY: - case O_REJECT: -#ifdef INET6 - case O_UNREACH6: -#endif - case O_SKIPTO: - case O_REASS: - case O_CALLRETURN: -check_size: - if (cmdlen != F_INSN_SIZE(ipfw_insn)) - goto bad_size; -check_action: - if (have_action) { - printf("ipfw: opcode %d, multiple actions" - " not allowed\n", - cmd->opcode); - return EINVAL; - } - have_action = 1; - if (l != cmdlen) { - printf("ipfw: opcode %d, action must be" - " last opcode\n", - cmd->opcode); - return EINVAL; - } - break; -#ifdef INET6 - case O_IP6_SRC: - case O_IP6_DST: - if (cmdlen != F_INSN_SIZE(struct in6_addr) + - F_INSN_SIZE(ipfw_insn)) - goto bad_size; - break; - - case O_FLOW6ID: - if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + - ((ipfw_insn_u32 *)cmd)->o.arg1) - goto bad_size; - break; - - case O_IP6_SRC_MASK: - case O_IP6_DST_MASK: - if ( !(cmdlen & 1) || cmdlen > 127) - goto bad_size; - break; - case O_ICMP6TYPE: - if( cmdlen != F_INSN_SIZE( ipfw_insn_icmp6 ) ) - goto bad_size; - break; -#endif - - default: - switch (cmd->opcode) { -#ifndef INET6 - case O_IP6_SRC_ME: - case O_IP6_DST_ME: - case O_EXT_HDR: - case O_IP6: - case O_UNREACH6: - case O_IP6_SRC: - case O_IP6_DST: - case O_FLOW6ID: - case O_IP6_SRC_MASK: - case O_IP6_DST_MASK: - case O_ICMP6TYPE: - printf("ipfw: no IPv6 support in kernel\n"); - return EPROTONOSUPPORT; -#endif - default: - printf("ipfw: opcode %d, unknown opcode\n", - cmd->opcode); - return EINVAL; - } - } - } - if (have_action == 0) { - printf("ipfw: missing action\n"); - return EINVAL; - } - return 0; - -bad_size: - printf("ipfw: opcode %d size %d wrong\n", - cmd->opcode, cmdlen); - return EINVAL; -} - - -/* - * Translation of requests for compatibility with FreeBSD 7.2/8. - * a static variable tells us if we have an old client from userland, - * and if necessary we translate requests and responses between the - * two formats. - */ -static int is7 = 0; - -struct ip_fw7 { - struct ip_fw7 *next; /* linked list of rules */ - struct ip_fw7 *next_rule; /* ptr to next [skipto] rule */ - /* 'next_rule' is used to pass up 'set_disable' status */ - - uint16_t act_ofs; /* offset of action in 32-bit units */ - uint16_t cmd_len; /* # of 32-bit words in cmd */ - uint16_t rulenum; /* rule number */ - uint8_t set; /* rule set (0..31) */ - // #define RESVD_SET 31 /* set for default and persistent rules */ - uint8_t _pad; /* padding */ - // uint32_t id; /* rule id, only in v.8 */ - /* These fields are present in all rules. */ - uint64_t pcnt; /* Packet counter */ - uint64_t bcnt; /* Byte counter */ - uint32_t timestamp; /* tv_sec of last match */ - - ipfw_insn cmd[1]; /* storage for commands */ -}; - - int convert_rule_to_7(struct ip_fw *rule); -int convert_rule_to_8(struct ip_fw *rule); - -#ifndef RULESIZE7 -#define RULESIZE7(rule) (sizeof(struct ip_fw7) + \ - ((struct ip_fw7 *)(rule))->cmd_len * 4 - 4) -#endif - - -/* - * Copy the static and dynamic rules to the supplied buffer - * and return the amount of space actually used. - * Must be run under IPFW_UH_RLOCK - */ -static size_t -ipfw_getrules(struct ip_fw_chain *chain, void *buf, size_t space) -{ - char *bp = buf; - char *ep = bp + space; - struct ip_fw *rule, *dst; - int l, i; - time_t boot_seconds; - - boot_seconds = boottime.tv_sec; - for (i = 0; i < chain->n_rules; i++) { - rule = chain->map[i]; - - if (is7) { - /* Convert rule to FreeBSd 7.2 format */ - l = RULESIZE7(rule); - if (bp + l + sizeof(uint32_t) <= ep) { - int error; - bcopy(rule, bp, l + sizeof(uint32_t)); - error = convert_rule_to_7((struct ip_fw *) bp); - if (error) - return 0; /*XXX correct? */ - /* - * XXX HACK. Store the disable mask in the "next" - * pointer in a wild attempt to keep the ABI the same. - * Why do we do this on EVERY rule? - */ - bcopy(&V_set_disable, - &(((struct ip_fw7 *)bp)->next_rule), - sizeof(V_set_disable)); - if (((struct ip_fw7 *)bp)->timestamp) - ((struct ip_fw7 *)bp)->timestamp += boot_seconds; - bp += l; - } - continue; /* go to next rule */ - } - - /* normal mode, don't touch rules */ - l = RULESIZE(rule); - if (bp + l > ep) { /* should not happen */ - printf("overflow dumping static rules\n"); - break; - } - dst = (struct ip_fw *)bp; - bcopy(rule, dst, l); - /* - * XXX HACK. Store the disable mask in the "next" - * pointer in a wild attempt to keep the ABI the same. - * Why do we do this on EVERY rule? - */ - bcopy(&V_set_disable, &dst->next_rule, sizeof(V_set_disable)); - if (dst->timestamp) - dst->timestamp += boot_seconds; - bp += l; - } - ipfw_get_dynamic(&bp, ep); /* protected by the dynamic lock */ - return (bp - (char *)buf); -} - - -#define IP_FW3_OPLENGTH(x) ((x)->sopt_valsize - sizeof(ip_fw3_opheader)) -/** - * {set|get}sockopt parser. - */ -int -ipfw_ctl(struct sockopt *sopt) -{ -#define RULE_MAXSIZE (256*sizeof(u_int32_t)) - int error; - size_t size, len, valsize; - struct ip_fw *buf, *rule; - struct ip_fw_chain *chain; - u_int32_t rulenum[2]; - uint32_t opt; - char xbuf[128]; - ip_fw3_opheader *op3 = NULL; - - error = priv_check(sopt->sopt_td, PRIV_NETINET_IPFW); - if (error) - return (error); - - /* - * Disallow modifications in really-really secure mode, but still allow - * the logging counters to be reset. - */ - if (sopt->sopt_name == IP_FW_ADD || - (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) { - error = securelevel_ge(sopt->sopt_td->td_ucred, 3); - if (error) - return (error); - } - - chain = &V_layer3_chain; - error = 0; - - /* Save original valsize before it is altered via sooptcopyin() */ - valsize = sopt->sopt_valsize; - if ((opt = sopt->sopt_name) == IP_FW3) { - /* - * Copy not less than sizeof(ip_fw3_opheader). - * We hope any IP_FW3 command will fit into 128-byte buffer. - */ - if ((error = sooptcopyin(sopt, xbuf, sizeof(xbuf), - sizeof(ip_fw3_opheader))) != 0) - return (error); - op3 = (ip_fw3_opheader *)xbuf; - opt = op3->opcode; - } - - switch (opt) { - case IP_FW_GET: - /* - * pass up a copy of the current rules. Static rules - * come first (the last of which has number IPFW_DEFAULT_RULE), - * followed by a possibly empty list of dynamic rule. - * The last dynamic rule has NULL in the "next" field. - * - * Note that the calculated size is used to bound the - * amount of data returned to the user. The rule set may - * change between calculating the size and returning the - * data in which case we'll just return what fits. - */ - for (;;) { - int len = 0, want; - - size = chain->static_len; - size += ipfw_dyn_len(); - if (size >= sopt->sopt_valsize) - break; - buf = malloc(size, M_TEMP, M_WAITOK); - IPFW_UH_RLOCK(chain); - /* check again how much space we need */ - want = chain->static_len + ipfw_dyn_len(); - if (size >= want) - len = ipfw_getrules(chain, buf, size); - IPFW_UH_RUNLOCK(chain); - if (size >= want) - error = sooptcopyout(sopt, buf, len); - free(buf, M_TEMP); - if (size >= want) - break; - } - break; - - case IP_FW_FLUSH: - /* locking is done within del_entry() */ - error = del_entry(chain, 0); /* special case, rule=0, cmd=0 means all */ - break; - - case IP_FW_ADD: - rule = malloc(RULE_MAXSIZE, M_TEMP, M_WAITOK); - error = sooptcopyin(sopt, rule, RULE_MAXSIZE, - sizeof(struct ip_fw7) ); - - /* - * If the size of commands equals RULESIZE7 then we assume - * a FreeBSD7.2 binary is talking to us (set is7=1). - * is7 is persistent so the next 'ipfw list' command - * will use this format. - * NOTE: If wrong version is guessed (this can happen if - * the first ipfw command is 'ipfw [pipe] list') - * the ipfw binary may crash or loop infinitly... - */ - if (sopt->sopt_valsize == RULESIZE7(rule)) { - is7 = 1; - error = convert_rule_to_8(rule); - if (error) - return error; - if (error == 0) - error = check_ipfw_struct(rule, RULESIZE(rule)); - } else { - is7 = 0; - if (error == 0) - error = check_ipfw_struct(rule, sopt->sopt_valsize); - } - if (error == 0) { - /* locking is done within ipfw_add_rule() */ - error = ipfw_add_rule(chain, rule); - size = RULESIZE(rule); - if (!error && sopt->sopt_dir == SOPT_GET) { - if (is7) { - error = convert_rule_to_7(rule); - size = RULESIZE7(rule); - if (error) - return error; - } - error = sooptcopyout(sopt, rule, size); - } - } - free(rule, M_TEMP); - break; - - case IP_FW_DEL: - /* - * IP_FW_DEL is used for deleting single rules or sets, - * and (ab)used to atomically manipulate sets. Argument size - * is used to distinguish between the two: - * sizeof(u_int32_t) - * delete single rule or set of rules, - * or reassign rules (or sets) to a different set. - * 2*sizeof(u_int32_t) - * atomic disable/enable sets. - * first u_int32_t contains sets to be disabled, - * second u_int32_t contains sets to be enabled. - */ - error = sooptcopyin(sopt, rulenum, - 2*sizeof(u_int32_t), sizeof(u_int32_t)); - if (error) - break; - size = sopt->sopt_valsize; - if (size == sizeof(u_int32_t) && rulenum[0] != 0) { - /* delete or reassign, locking done in del_entry() */ - error = del_entry(chain, rulenum[0]); - } else if (size == 2*sizeof(u_int32_t)) { /* set enable/disable */ - IPFW_UH_WLOCK(chain); - V_set_disable = - (V_set_disable | rulenum[0]) & ~rulenum[1] & - ~(1<<RESVD_SET); /* set RESVD_SET always enabled */ - IPFW_UH_WUNLOCK(chain); - } else - error = EINVAL; - break; - - case IP_FW_ZERO: - case IP_FW_RESETLOG: /* argument is an u_int_32, the rule number */ - rulenum[0] = 0; - if (sopt->sopt_val != 0) { - error = sooptcopyin(sopt, rulenum, - sizeof(u_int32_t), sizeof(u_int32_t)); - if (error) - break; - } - error = zero_entry(chain, rulenum[0], - sopt->sopt_name == IP_FW_RESETLOG); - break; - - /*--- TABLE manipulations are protected by the IPFW_LOCK ---*/ - case IP_FW_TABLE_ADD: - { - ipfw_table_entry ent; - - error = sooptcopyin(sopt, &ent, - sizeof(ent), sizeof(ent)); - if (error) - break; - error = ipfw_add_table_entry(chain, ent.tbl, - &ent.addr, sizeof(ent.addr), ent.masklen, - IPFW_TABLE_CIDR, ent.value); - } - break; - - case IP_FW_TABLE_DEL: - { - ipfw_table_entry ent; - - error = sooptcopyin(sopt, &ent, - sizeof(ent), sizeof(ent)); - if (error) - break; - error = ipfw_del_table_entry(chain, ent.tbl, - &ent.addr, sizeof(ent.addr), ent.masklen, IPFW_TABLE_CIDR); - } - break; - - case IP_FW_TABLE_XADD: /* IP_FW3 */ - case IP_FW_TABLE_XDEL: /* IP_FW3 */ - { - ipfw_table_xentry *xent = (ipfw_table_xentry *)(op3 + 1); - - /* Check minimum header size */ - if (IP_FW3_OPLENGTH(sopt) < offsetof(ipfw_table_xentry, k)) { - error = EINVAL; - break; - } - - /* Check if len field is valid */ - if (xent->len > sizeof(ipfw_table_xentry)) { - error = EINVAL; - break; - } - - len = xent->len - offsetof(ipfw_table_xentry, k); - - error = (opt == IP_FW_TABLE_XADD) ? - ipfw_add_table_entry(chain, xent->tbl, &xent->k, - len, xent->masklen, xent->type, xent->value) : - ipfw_del_table_entry(chain, xent->tbl, &xent->k, - len, xent->masklen, xent->type); - } - break; - - case IP_FW_TABLE_FLUSH: - { - u_int16_t tbl; - - error = sooptcopyin(sopt, &tbl, - sizeof(tbl), sizeof(tbl)); - if (error) - break; - error = ipfw_flush_table(chain, tbl); - } - break; - - case IP_FW_TABLE_GETSIZE: - { - u_int32_t tbl, cnt; - - if ((error = sooptcopyin(sopt, &tbl, sizeof(tbl), - sizeof(tbl)))) - break; - IPFW_RLOCK(chain); - error = ipfw_count_table(chain, tbl, &cnt); - IPFW_RUNLOCK(chain); - if (error) - break; - error = sooptcopyout(sopt, &cnt, sizeof(cnt)); - } - break; - - case IP_FW_TABLE_LIST: - { - ipfw_table *tbl; - - if (sopt->sopt_valsize < sizeof(*tbl)) { - error = EINVAL; - break; - } - size = sopt->sopt_valsize; - tbl = malloc(size, M_TEMP, M_WAITOK); - error = sooptcopyin(sopt, tbl, size, sizeof(*tbl)); - if (error) { - free(tbl, M_TEMP); - break; - } - tbl->size = (size - sizeof(*tbl)) / - sizeof(ipfw_table_entry); - IPFW_RLOCK(chain); - error = ipfw_dump_table(chain, tbl); - IPFW_RUNLOCK(chain); - if (error) { - free(tbl, M_TEMP); - break; - } - error = sooptcopyout(sopt, tbl, size); - free(tbl, M_TEMP); - } - break; - - case IP_FW_TABLE_XGETSIZE: /* IP_FW3 */ - { - uint32_t *tbl; - - if (IP_FW3_OPLENGTH(sopt) < sizeof(uint32_t)) { - error = EINVAL; - break; - } - - tbl = (uint32_t *)(op3 + 1); - - IPFW_RLOCK(chain); - error = ipfw_count_xtable(chain, *tbl, tbl); - IPFW_RUNLOCK(chain); - if (error) - break; - error = sooptcopyout(sopt, op3, sopt->sopt_valsize); - } - break; - - case IP_FW_TABLE_XLIST: /* IP_FW3 */ - { - ipfw_xtable *tbl; - - if ((size = valsize) < sizeof(ipfw_xtable)) { - error = EINVAL; - break; - } - - tbl = malloc(size, M_TEMP, M_ZERO | M_WAITOK); - memcpy(tbl, op3, sizeof(ipfw_xtable)); - - /* Get maximum number of entries we can store */ - tbl->size = (size - sizeof(ipfw_xtable)) / - sizeof(ipfw_table_xentry); - IPFW_RLOCK(chain); - error = ipfw_dump_xtable(chain, tbl); - IPFW_RUNLOCK(chain); - if (error) { - free(tbl, M_TEMP); - break; - } - - /* Revert size field back to bytes */ - tbl->size = tbl->size * sizeof(ipfw_table_xentry) + - sizeof(ipfw_table); - /* - * Since we call sooptcopyin() with small buffer, sopt_valsize is - * decreased to reflect supplied buffer size. Set it back to original value - */ - sopt->sopt_valsize = valsize; - error = sooptcopyout(sopt, tbl, size); - free(tbl, M_TEMP); - } - break; - - /*--- NAT operations are protected by the IPFW_LOCK ---*/ - case IP_FW_NAT_CFG: - if (IPFW_NAT_LOADED) - error = ipfw_nat_cfg_ptr(sopt); - else { - printf("IP_FW_NAT_CFG: %s\n", - "ipfw_nat not present, please load it"); - error = EINVAL; - } - break; - - case IP_FW_NAT_DEL: - if (IPFW_NAT_LOADED) - error = ipfw_nat_del_ptr(sopt); - else { - printf("IP_FW_NAT_DEL: %s\n", - "ipfw_nat not present, please load it"); - error = EINVAL; - } - break; - - case IP_FW_NAT_GET_CONFIG: - if (IPFW_NAT_LOADED) - error = ipfw_nat_get_cfg_ptr(sopt); - else { - printf("IP_FW_NAT_GET_CFG: %s\n", - "ipfw_nat not present, please load it"); - error = EINVAL; - } - break; - - case IP_FW_NAT_GET_LOG: - if (IPFW_NAT_LOADED) - error = ipfw_nat_get_log_ptr(sopt); - else { - printf("IP_FW_NAT_GET_LOG: %s\n", - "ipfw_nat not present, please load it"); - error = EINVAL; - } - break; - - default: - printf("ipfw: ipfw_ctl invalid option %d\n", sopt->sopt_name); - error = EINVAL; - } - - return (error); -#undef RULE_MAXSIZE -} - - -#define RULE_MAXSIZE (256*sizeof(u_int32_t)) - -/* Functions to convert rules 7.2 <==> 8.0 */ -int -convert_rule_to_7(struct ip_fw *rule) -{ - /* Used to modify original rule */ - struct ip_fw7 *rule7 = (struct ip_fw7 *)rule; - /* copy of original rule, version 8 */ - struct ip_fw *tmp; - - /* Used to copy commands */ - ipfw_insn *ccmd, *dst; - int ll = 0, ccmdlen = 0; - - tmp = malloc(RULE_MAXSIZE, M_TEMP, M_NOWAIT | M_ZERO); - if (tmp == NULL) { - return 1; //XXX error - } - bcopy(rule, tmp, RULE_MAXSIZE); - - /* Copy fields */ - rule7->_pad = tmp->_pad; - rule7->set = tmp->set; - rule7->rulenum = tmp->rulenum; - rule7->cmd_len = tmp->cmd_len; - rule7->act_ofs = tmp->act_ofs; - rule7->next_rule = (struct ip_fw7 *)tmp->next_rule; - rule7->next = (struct ip_fw7 *)tmp->x_next; - rule7->cmd_len = tmp->cmd_len; - rule7->pcnt = tmp->pcnt; - rule7->bcnt = tmp->bcnt; - rule7->timestamp = tmp->timestamp; - - /* Copy commands */ - for (ll = tmp->cmd_len, ccmd = tmp->cmd, dst = rule7->cmd ; - ll > 0 ; ll -= ccmdlen, ccmd += ccmdlen, dst += ccmdlen) { - ccmdlen = F_LEN(ccmd); - - bcopy(ccmd, dst, F_LEN(ccmd)*sizeof(uint32_t)); - - if (dst->opcode > O_NAT) - /* O_REASS doesn't exists in 7.2 version, so - * decrement opcode if it is after O_REASS - */ - dst->opcode--; - - if (ccmdlen > ll) { - printf("ipfw: opcode %d size truncated\n", - ccmd->opcode); - return EINVAL; - } - } - free(tmp, M_TEMP); - - return 0; -} - -int -convert_rule_to_8(struct ip_fw *rule) -{ - /* Used to modify original rule */ - struct ip_fw7 *rule7 = (struct ip_fw7 *) rule; - - /* Used to copy commands */ - ipfw_insn *ccmd, *dst; - int ll = 0, ccmdlen = 0; - - /* Copy of original rule */ - struct ip_fw7 *tmp = malloc(RULE_MAXSIZE, M_TEMP, M_NOWAIT | M_ZERO); - if (tmp == NULL) { - return 1; //XXX error - } - - bcopy(rule7, tmp, RULE_MAXSIZE); - - for (ll = tmp->cmd_len, ccmd = tmp->cmd, dst = rule->cmd ; - ll > 0 ; ll -= ccmdlen, ccmd += ccmdlen, dst += ccmdlen) { - ccmdlen = F_LEN(ccmd); - - bcopy(ccmd, dst, F_LEN(ccmd)*sizeof(uint32_t)); - - if (dst->opcode > O_NAT) - /* O_REASS doesn't exists in 7.2 version, so - * increment opcode if it is after O_REASS - */ - dst->opcode++; - - if (ccmdlen > ll) { - printf("ipfw: opcode %d size truncated\n", - ccmd->opcode); - return EINVAL; - } - } - - rule->_pad = tmp->_pad; - rule->set = tmp->set; - rule->rulenum = tmp->rulenum; - rule->cmd_len = tmp->cmd_len; - rule->act_ofs = tmp->act_ofs; - rule->next_rule = (struct ip_fw *)tmp->next_rule; - rule->x_next = (struct ip_fw *)tmp->next; - rule->cmd_len = tmp->cmd_len; - rule->id = 0; /* XXX see if is ok = 0 */ - rule->pcnt = tmp->pcnt; - rule->bcnt = tmp->bcnt; - rule->timestamp = tmp->timestamp; - - free (tmp, M_TEMP); - return 0; -} - -/* end of file */ diff --git a/sys/netinet/ipfw/ip_fw_table.c b/sys/netinet/ipfw/ip_fw_table.c deleted file mode 100644 index 597817b..0000000 --- a/sys/netinet/ipfw/ip_fw_table.c +++ /dev/null @@ -1,758 +0,0 @@ -/*- - * Copyright (c) 2004 Ruslan Ermilov and Vsevolod Lobko. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -/* - * Lookup table support for ipfw - * - * Lookup tables are implemented (at the moment) using the radix - * tree used for routing tables. Tables store key-value entries, where - * keys are network prefixes (addr/masklen), and values are integers. - * As a degenerate case we can interpret keys as 32-bit integers - * (with a /32 mask). - * - * The table is protected by the IPFW lock even for manipulation coming - * from userland, because operations are typically fast. - */ - -#include "opt_ipfw.h" -#include "opt_inet.h" -#ifndef INET -#error IPFIREWALL requires INET. -#endif /* INET */ -#include "opt_inet6.h" - -#include <sys/param.h> -#include <sys/systm.h> -#include <sys/malloc.h> -#include <sys/kernel.h> -#include <sys/lock.h> -#include <sys/rwlock.h> -#include <sys/socket.h> -#include <net/if.h> /* ip_fw.h requires IFNAMSIZ */ -#include <net/radix.h> -#include <net/route.h> -#include <net/vnet.h> - -#include <netinet/in.h> -#include <netinet/ip_var.h> /* struct ipfw_rule_ref */ -#include <netinet/ip_fw.h> -#include <sys/queue.h> /* LIST_HEAD */ -#include <netinet/ipfw/ip_fw_private.h> - -#ifdef MAC -#include <security/mac/mac_framework.h> -#endif - -static MALLOC_DEFINE(M_IPFW_TBL, "ipfw_tbl", "IpFw tables"); - -struct table_entry { - struct radix_node rn[2]; - struct sockaddr_in addr, mask; - u_int32_t value; -}; - -struct xaddr_iface { - uint8_t if_len; /* length of this struct */ - uint8_t pad[7]; /* Align name */ - char ifname[IF_NAMESIZE]; /* Interface name */ -}; - -struct table_xentry { - struct radix_node rn[2]; - union { -#ifdef INET6 - struct sockaddr_in6 addr6; -#endif - struct xaddr_iface iface; - } a; - union { -#ifdef INET6 - struct sockaddr_in6 mask6; -#endif - struct xaddr_iface ifmask; - } m; - u_int32_t value; -}; - -/* - * The radix code expects addr and mask to be array of bytes, - * with the first byte being the length of the array. rn_inithead - * is called with the offset in bits of the lookup key within the - * array. If we use a sockaddr_in as the underlying type, - * sin_len is conveniently located at offset 0, sin_addr is at - * offset 4 and normally aligned. - * But for portability, let's avoid assumption and make the code explicit - */ -#define KEY_LEN(v) *((uint8_t *)&(v)) -#define KEY_OFS (8*offsetof(struct sockaddr_in, sin_addr)) -/* - * Do not require radix to compare more than actual IPv4/IPv6 address - */ -#define KEY_LEN_INET (offsetof(struct sockaddr_in, sin_addr) + sizeof(in_addr_t)) -#define KEY_LEN_INET6 (offsetof(struct sockaddr_in6, sin6_addr) + sizeof(struct in6_addr)) -#define KEY_LEN_IFACE (offsetof(struct xaddr_iface, ifname)) - -#define OFF_LEN_INET (8 * offsetof(struct sockaddr_in, sin_addr)) -#define OFF_LEN_INET6 (8 * offsetof(struct sockaddr_in6, sin6_addr)) -#define OFF_LEN_IFACE (8 * offsetof(struct xaddr_iface, ifname)) - - -static inline void -ipv6_writemask(struct in6_addr *addr6, uint8_t mask) -{ - uint32_t *cp; - - for (cp = (uint32_t *)addr6; mask >= 32; mask -= 32) - *cp++ = 0xFFFFFFFF; - *cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0); -} - -int -ipfw_add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, - uint8_t plen, uint8_t mlen, uint8_t type, uint32_t value) -{ - struct radix_node_head *rnh, **rnh_ptr; - struct table_entry *ent; - struct table_xentry *xent; - struct radix_node *rn; - in_addr_t addr; - int offset; - void *ent_ptr; - struct sockaddr *addr_ptr, *mask_ptr; - char c; - - if (tbl >= V_fw_tables_max) - return (EINVAL); - - switch (type) { - case IPFW_TABLE_CIDR: - if (plen == sizeof(in_addr_t)) { -#ifdef INET - /* IPv4 case */ - if (mlen > 32) - return (EINVAL); - ent = malloc(sizeof(*ent), M_IPFW_TBL, M_WAITOK | M_ZERO); - ent->value = value; - /* Set 'total' structure length */ - KEY_LEN(ent->addr) = KEY_LEN_INET; - KEY_LEN(ent->mask) = KEY_LEN_INET; - /* Set offset of IPv4 address in bits */ - offset = OFF_LEN_INET; - ent->mask.sin_addr.s_addr = htonl(mlen ? ~((1 << (32 - mlen)) - 1) : 0); - addr = *((in_addr_t *)paddr); - ent->addr.sin_addr.s_addr = addr & ent->mask.sin_addr.s_addr; - /* Set pointers */ - rnh_ptr = &ch->tables[tbl]; - ent_ptr = ent; - addr_ptr = (struct sockaddr *)&ent->addr; - mask_ptr = (struct sockaddr *)&ent->mask; -#endif -#ifdef INET6 - } else if (plen == sizeof(struct in6_addr)) { - /* IPv6 case */ - if (mlen > 128) - return (EINVAL); - xent = malloc(sizeof(*xent), M_IPFW_TBL, M_WAITOK | M_ZERO); - xent->value = value; - /* Set 'total' structure length */ - KEY_LEN(xent->a.addr6) = KEY_LEN_INET6; - KEY_LEN(xent->m.mask6) = KEY_LEN_INET6; - /* Set offset of IPv6 address in bits */ - offset = OFF_LEN_INET6; - ipv6_writemask(&xent->m.mask6.sin6_addr, mlen); - memcpy(&xent->a.addr6.sin6_addr, paddr, sizeof(struct in6_addr)); - APPLY_MASK(&xent->a.addr6.sin6_addr, &xent->m.mask6.sin6_addr); - /* Set pointers */ - rnh_ptr = &ch->xtables[tbl]; - ent_ptr = xent; - addr_ptr = (struct sockaddr *)&xent->a.addr6; - mask_ptr = (struct sockaddr *)&xent->m.mask6; -#endif - } else { - /* Unknown CIDR type */ - return (EINVAL); - } - break; - - case IPFW_TABLE_INTERFACE: - /* Check if string is terminated */ - c = ((char *)paddr)[IF_NAMESIZE - 1]; - ((char *)paddr)[IF_NAMESIZE - 1] = '\0'; - if (((mlen = strlen((char *)paddr)) == IF_NAMESIZE - 1) && (c != '\0')) - return (EINVAL); - - /* Include last \0 into comparison */ - mlen++; - - xent = malloc(sizeof(*xent), M_IPFW_TBL, M_WAITOK | M_ZERO); - xent->value = value; - /* Set 'total' structure length */ - KEY_LEN(xent->a.iface) = KEY_LEN_IFACE + mlen; - KEY_LEN(xent->m.ifmask) = KEY_LEN_IFACE + mlen; - /* Set offset of interface name in bits */ - offset = OFF_LEN_IFACE; - memcpy(xent->a.iface.ifname, paddr, mlen); - /* Assume direct match */ - /* TODO: Add interface pattern matching */ -#if 0 - memset(xent->m.ifmask.ifname, 0xFF, IF_NAMESIZE); - mask_ptr = (struct sockaddr *)&xent->m.ifmask; -#endif - /* Set pointers */ - rnh_ptr = &ch->xtables[tbl]; - ent_ptr = xent; - addr_ptr = (struct sockaddr *)&xent->a.iface; - mask_ptr = NULL; - break; - - default: - return (EINVAL); - } - - IPFW_WLOCK(ch); - - /* Check if tabletype is valid */ - if ((ch->tabletype[tbl] != 0) && (ch->tabletype[tbl] != type)) { - IPFW_WUNLOCK(ch); - free(ent_ptr, M_IPFW_TBL); - return (EINVAL); - } - - /* Check if radix tree exists */ - if ((rnh = *rnh_ptr) == NULL) { - IPFW_WUNLOCK(ch); - /* Create radix for a new table */ - if (!rn_inithead((void **)&rnh, offset)) { - free(ent_ptr, M_IPFW_TBL); - return (ENOMEM); - } - - IPFW_WLOCK(ch); - if (*rnh_ptr != NULL) { - /* Tree is already attached by other thread */ - rn_detachhead((void **)&rnh); - rnh = *rnh_ptr; - /* Check table type another time */ - if (ch->tabletype[tbl] != type) { - IPFW_WUNLOCK(ch); - free(ent_ptr, M_IPFW_TBL); - return (EINVAL); - } - } else { - *rnh_ptr = rnh; - /* - * Set table type. It can be set already - * (if we have IPv6-only table) but setting - * it another time does not hurt - */ - ch->tabletype[tbl] = type; - } - } - - rn = rnh->rnh_addaddr(addr_ptr, mask_ptr, rnh, ent_ptr); - IPFW_WUNLOCK(ch); - - if (rn == NULL) { - free(ent_ptr, M_IPFW_TBL); - return (EEXIST); - } - return (0); -} - -int -ipfw_del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, - uint8_t plen, uint8_t mlen, uint8_t type) -{ - struct radix_node_head *rnh, **rnh_ptr; - struct table_entry *ent; - in_addr_t addr; - struct sockaddr_in sa, mask; - struct sockaddr *sa_ptr, *mask_ptr; - char c; - - if (tbl >= V_fw_tables_max) - return (EINVAL); - - switch (type) { - case IPFW_TABLE_CIDR: - if (plen == sizeof(in_addr_t)) { - /* Set 'total' structure length */ - KEY_LEN(sa) = KEY_LEN_INET; - KEY_LEN(mask) = KEY_LEN_INET; - mask.sin_addr.s_addr = htonl(mlen ? ~((1 << (32 - mlen)) - 1) : 0); - addr = *((in_addr_t *)paddr); - sa.sin_addr.s_addr = addr & mask.sin_addr.s_addr; - rnh_ptr = &ch->tables[tbl]; - sa_ptr = (struct sockaddr *)&sa; - mask_ptr = (struct sockaddr *)&mask; -#ifdef INET6 - } else if (plen == sizeof(struct in6_addr)) { - /* IPv6 case */ - if (mlen > 128) - return (EINVAL); - struct sockaddr_in6 sa6, mask6; - memset(&sa6, 0, sizeof(struct sockaddr_in6)); - memset(&mask6, 0, sizeof(struct sockaddr_in6)); - /* Set 'total' structure length */ - KEY_LEN(sa6) = KEY_LEN_INET6; - KEY_LEN(mask6) = KEY_LEN_INET6; - ipv6_writemask(&mask6.sin6_addr, mlen); - memcpy(&sa6.sin6_addr, paddr, sizeof(struct in6_addr)); - APPLY_MASK(&sa6.sin6_addr, &mask6.sin6_addr); - rnh_ptr = &ch->xtables[tbl]; - sa_ptr = (struct sockaddr *)&sa6; - mask_ptr = (struct sockaddr *)&mask6; -#endif - } else { - /* Unknown CIDR type */ - return (EINVAL); - } - break; - - case IPFW_TABLE_INTERFACE: - /* Check if string is terminated */ - c = ((char *)paddr)[IF_NAMESIZE - 1]; - ((char *)paddr)[IF_NAMESIZE - 1] = '\0'; - if (((mlen = strlen((char *)paddr)) == IF_NAMESIZE - 1) && (c != '\0')) - return (EINVAL); - - struct xaddr_iface ifname, ifmask; - memset(&ifname, 0, sizeof(ifname)); - - /* Set 'total' structure length */ - KEY_LEN(ifname) = mlen; - KEY_LEN(ifmask) = mlen; - /* Assume direct match */ - /* FIXME: Add interface pattern matching */ -#if 0 - memset(ifmask.ifname, 0xFF, IF_NAMESIZE); - mask_ptr = (struct sockaddr *)&ifmask; -#endif - mask_ptr = NULL; - memcpy(ifname.ifname, paddr, mlen); - /* Set pointers */ - rnh_ptr = &ch->xtables[tbl]; - sa_ptr = (struct sockaddr *)&ifname; - - break; - - default: - return (EINVAL); - } - - IPFW_WLOCK(ch); - if ((rnh = *rnh_ptr) == NULL) { - IPFW_WUNLOCK(ch); - return (ESRCH); - } - - if (ch->tabletype[tbl] != type) { - IPFW_WUNLOCK(ch); - return (EINVAL); - } - - ent = (struct table_entry *)rnh->rnh_deladdr(sa_ptr, mask_ptr, rnh); - IPFW_WUNLOCK(ch); - - if (ent == NULL) - return (ESRCH); - - free(ent, M_IPFW_TBL); - return (0); -} - -static int -flush_table_entry(struct radix_node *rn, void *arg) -{ - struct radix_node_head * const rnh = arg; - struct table_entry *ent; - - ent = (struct table_entry *) - rnh->rnh_deladdr(rn->rn_key, rn->rn_mask, rnh); - if (ent != NULL) - free(ent, M_IPFW_TBL); - return (0); -} - -int -ipfw_flush_table(struct ip_fw_chain *ch, uint16_t tbl) -{ - struct radix_node_head *rnh, *xrnh; - - if (tbl >= V_fw_tables_max) - return (EINVAL); - - /* - * We free both (IPv4 and extended) radix trees and - * clear table type here to permit table to be reused - * for different type without module reload - */ - - IPFW_WLOCK(ch); - /* Set IPv4 table pointer to zero */ - if ((rnh = ch->tables[tbl]) != NULL) - ch->tables[tbl] = NULL; - /* Set extended table pointer to zero */ - if ((xrnh = ch->xtables[tbl]) != NULL) - ch->xtables[tbl] = NULL; - /* Zero table type */ - ch->tabletype[tbl] = 0; - IPFW_WUNLOCK(ch); - - if (rnh != NULL) { - rnh->rnh_walktree(rnh, flush_table_entry, rnh); - rn_detachhead((void **)&rnh); - } - - if (xrnh != NULL) { - xrnh->rnh_walktree(xrnh, flush_table_entry, xrnh); - rn_detachhead((void **)&xrnh); - } - - return (0); -} - -void -ipfw_destroy_tables(struct ip_fw_chain *ch) -{ - uint16_t tbl; - - /* Flush all tables */ - for (tbl = 0; tbl < V_fw_tables_max; tbl++) - ipfw_flush_table(ch, tbl); - - /* Free pointers itself */ - free(ch->tables, M_IPFW); - free(ch->xtables, M_IPFW); - free(ch->tabletype, M_IPFW); -} - -int -ipfw_init_tables(struct ip_fw_chain *ch) -{ - /* Allocate pointers */ - ch->tables = malloc(V_fw_tables_max * sizeof(void *), M_IPFW, M_WAITOK | M_ZERO); - ch->xtables = malloc(V_fw_tables_max * sizeof(void *), M_IPFW, M_WAITOK | M_ZERO); - ch->tabletype = malloc(V_fw_tables_max * sizeof(uint8_t), M_IPFW, M_WAITOK | M_ZERO); - return (0); -} - -int -ipfw_resize_tables(struct ip_fw_chain *ch, unsigned int ntables) -{ - struct radix_node_head **tables, **xtables, *rnh; - struct radix_node_head **tables_old, **xtables_old; - uint8_t *tabletype, *tabletype_old; - unsigned int ntables_old, tbl; - - /* Check new value for validity */ - if (ntables > IPFW_TABLES_MAX) - ntables = IPFW_TABLES_MAX; - - /* Allocate new pointers */ - tables = malloc(ntables * sizeof(void *), M_IPFW, M_WAITOK | M_ZERO); - xtables = malloc(ntables * sizeof(void *), M_IPFW, M_WAITOK | M_ZERO); - tabletype = malloc(ntables * sizeof(uint8_t), M_IPFW, M_WAITOK | M_ZERO); - - IPFW_WLOCK(ch); - - tbl = (ntables >= V_fw_tables_max) ? V_fw_tables_max : ntables; - - /* Copy old table pointers */ - memcpy(tables, ch->tables, sizeof(void *) * tbl); - memcpy(xtables, ch->xtables, sizeof(void *) * tbl); - memcpy(tabletype, ch->tabletype, sizeof(uint8_t) * tbl); - - /* Change pointers and number of tables */ - tables_old = ch->tables; - xtables_old = ch->xtables; - tabletype_old = ch->tabletype; - ch->tables = tables; - ch->xtables = xtables; - ch->tabletype = tabletype; - - ntables_old = V_fw_tables_max; - V_fw_tables_max = ntables; - - IPFW_WUNLOCK(ch); - - /* Check if we need to destroy radix trees */ - if (ntables < ntables_old) { - for (tbl = ntables; tbl < ntables_old; tbl++) { - if ((rnh = tables_old[tbl]) != NULL) { - rnh->rnh_walktree(rnh, flush_table_entry, rnh); - rn_detachhead((void **)&rnh); - } - - if ((rnh = xtables_old[tbl]) != NULL) { - rnh->rnh_walktree(rnh, flush_table_entry, rnh); - rn_detachhead((void **)&rnh); - } - } - } - - /* Free old pointers */ - free(tables_old, M_IPFW); - free(xtables_old, M_IPFW); - free(tabletype_old, M_IPFW); - - return (0); -} - -int -ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, - uint32_t *val) -{ - struct radix_node_head *rnh; - struct table_entry *ent; - struct sockaddr_in sa; - - if (tbl >= V_fw_tables_max) - return (0); - if ((rnh = ch->tables[tbl]) == NULL) - return (0); - KEY_LEN(sa) = KEY_LEN_INET; - sa.sin_addr.s_addr = addr; - ent = (struct table_entry *)(rnh->rnh_lookup(&sa, NULL, rnh)); - if (ent != NULL) { - *val = ent->value; - return (1); - } - return (0); -} - -int -ipfw_lookup_table_extended(struct ip_fw_chain *ch, uint16_t tbl, void *paddr, - uint32_t *val, int type) -{ - struct radix_node_head *rnh; - struct table_xentry *xent; - struct sockaddr_in6 sa6; - struct xaddr_iface iface; - - if (tbl >= V_fw_tables_max) - return (0); - if ((rnh = ch->xtables[tbl]) == NULL) - return (0); - - switch (type) { - case IPFW_TABLE_CIDR: - KEY_LEN(sa6) = KEY_LEN_INET6; - memcpy(&sa6.sin6_addr, paddr, sizeof(struct in6_addr)); - xent = (struct table_xentry *)(rnh->rnh_lookup(&sa6, NULL, rnh)); - break; - - case IPFW_TABLE_INTERFACE: - KEY_LEN(iface) = KEY_LEN_IFACE + - strlcpy(iface.ifname, (char *)paddr, IF_NAMESIZE); - /* Assume direct match */ - /* FIXME: Add interface pattern matching */ - xent = (struct table_xentry *)(rnh->rnh_lookup(&iface, NULL, rnh)); - break; - - default: - return (0); - } - - if (xent != NULL) { - *val = xent->value; - return (1); - } - return (0); -} - -static int -count_table_entry(struct radix_node *rn, void *arg) -{ - u_int32_t * const cnt = arg; - - (*cnt)++; - return (0); -} - -int -ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt) -{ - struct radix_node_head *rnh; - - if (tbl >= V_fw_tables_max) - return (EINVAL); - *cnt = 0; - if ((rnh = ch->tables[tbl]) == NULL) - return (0); - rnh->rnh_walktree(rnh, count_table_entry, cnt); - return (0); -} - -static int -dump_table_entry(struct radix_node *rn, void *arg) -{ - struct table_entry * const n = (struct table_entry *)rn; - ipfw_table * const tbl = arg; - ipfw_table_entry *ent; - - if (tbl->cnt == tbl->size) - return (1); - ent = &tbl->ent[tbl->cnt]; - ent->tbl = tbl->tbl; - if (in_nullhost(n->mask.sin_addr)) - ent->masklen = 0; - else - ent->masklen = 33 - ffs(ntohl(n->mask.sin_addr.s_addr)); - ent->addr = n->addr.sin_addr.s_addr; - ent->value = n->value; - tbl->cnt++; - return (0); -} - -int -ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl) -{ - struct radix_node_head *rnh; - - if (tbl->tbl >= V_fw_tables_max) - return (EINVAL); - tbl->cnt = 0; - if ((rnh = ch->tables[tbl->tbl]) == NULL) - return (0); - rnh->rnh_walktree(rnh, dump_table_entry, tbl); - return (0); -} - -static int -count_table_xentry(struct radix_node *rn, void *arg) -{ - uint32_t * const cnt = arg; - - (*cnt) += sizeof(ipfw_table_xentry); - return (0); -} - -int -ipfw_count_xtable(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt) -{ - struct radix_node_head *rnh; - - if (tbl >= V_fw_tables_max) - return (EINVAL); - *cnt = 0; - if ((rnh = ch->tables[tbl]) != NULL) - rnh->rnh_walktree(rnh, count_table_xentry, cnt); - if ((rnh = ch->xtables[tbl]) != NULL) - rnh->rnh_walktree(rnh, count_table_xentry, cnt); - /* Return zero if table is empty */ - if (*cnt > 0) - (*cnt) += sizeof(ipfw_xtable); - return (0); -} - - -static int -dump_table_xentry_base(struct radix_node *rn, void *arg) -{ - struct table_entry * const n = (struct table_entry *)rn; - ipfw_xtable * const tbl = arg; - ipfw_table_xentry *xent; - - /* Out of memory, returning */ - if (tbl->cnt == tbl->size) - return (1); - xent = &tbl->xent[tbl->cnt]; - xent->len = sizeof(ipfw_table_xentry); - xent->tbl = tbl->tbl; - if (in_nullhost(n->mask.sin_addr)) - xent->masklen = 0; - else - xent->masklen = 33 - ffs(ntohl(n->mask.sin_addr.s_addr)); - /* Save IPv4 address as deprecated IPv6 compatible */ - xent->k.addr6.s6_addr32[3] = n->addr.sin_addr.s_addr; - xent->value = n->value; - tbl->cnt++; - return (0); -} - -static int -dump_table_xentry_extended(struct radix_node *rn, void *arg) -{ - struct table_xentry * const n = (struct table_xentry *)rn; - ipfw_xtable * const tbl = arg; - ipfw_table_xentry *xent; -#ifdef INET6 - int i; - uint32_t *v; -#endif - /* Out of memory, returning */ - if (tbl->cnt == tbl->size) - return (1); - xent = &tbl->xent[tbl->cnt]; - xent->len = sizeof(ipfw_table_xentry); - xent->tbl = tbl->tbl; - - switch (tbl->type) { -#ifdef INET6 - case IPFW_TABLE_CIDR: - /* Count IPv6 mask */ - v = (uint32_t *)&n->m.mask6.sin6_addr; - for (i = 0; i < sizeof(struct in6_addr) / 4; i++, v++) - xent->masklen += bitcount32(*v); - memcpy(&xent->k, &n->a.addr6.sin6_addr, sizeof(struct in6_addr)); - break; -#endif - case IPFW_TABLE_INTERFACE: - /* Assume exact mask */ - xent->masklen = 8 * IF_NAMESIZE; - memcpy(&xent->k, &n->a.iface.ifname, IF_NAMESIZE); - break; - - default: - /* unknown, skip entry */ - return (0); - } - - xent->value = n->value; - tbl->cnt++; - return (0); -} - -int -ipfw_dump_xtable(struct ip_fw_chain *ch, ipfw_xtable *tbl) -{ - struct radix_node_head *rnh; - - if (tbl->tbl >= V_fw_tables_max) - return (EINVAL); - tbl->cnt = 0; - tbl->type = ch->tabletype[tbl->tbl]; - if ((rnh = ch->tables[tbl->tbl]) != NULL) - rnh->rnh_walktree(rnh, dump_table_xentry_base, tbl); - if ((rnh = ch->xtables[tbl->tbl]) != NULL) - rnh->rnh_walktree(rnh, dump_table_xentry_extended, tbl); - return (0); -} - -/* end of file */ diff --git a/sys/netinet/ipfw/test/Makefile b/sys/netinet/ipfw/test/Makefile deleted file mode 100644 index c556a4b..0000000 --- a/sys/netinet/ipfw/test/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# -# $FreeBSD$ -# -# Makefile for building userland tests -# this is written in a form compatible with gmake - -SCHED_SRCS = test_dn_sched.c -SCHED_SRCS += dn_sched_fifo.c -SCHED_SRCS += dn_sched_prio.c -SCHED_SRCS += dn_sched_qfq.c -SCHED_SRCS += dn_sched_rr.c -SCHED_SRCS += dn_sched_wf2q.c -SCHED_SRCS += dn_heap.c -SCHED_SRCS += main.c - -SCHED_OBJS=$(SCHED_SRCS:.c=.o) - -HEAP_SRCS = dn_heap.c test_dn_heap.c -HEAP_OBJS=$(HEAP_SRCS:.c=.o) - -VPATH= .:.. - -CFLAGS = -I.. -I. -Wall -Werror -O3 -DIPFW -TARGETS= test_sched # no test_heap by default - -all: $(TARGETS) - -test_heap : $(HEAP_OBJS) - $(CC) -o $@ $(HEAP_OBJS) - -test_sched : $(SCHED_OBJS) - $(CC) -o $@ $(SCHED_OBJS) - -$(SCHED_OBJS): dn_test.h -main.o: mylist.h - -clean: - - rm *.o $(TARGETS) *.core - -ALLSRCS = $(SCHED_SRCS) dn_test.h mylist.h \ - dn_sched.h dn_heap.h ip_dn_private.h Makefile -TMPBASE = /tmp/testXYZ -TMPDIR = $(TMPBASE)/test - -tgz: - -rm -rf $(TMPDIR) - mkdir -p $(TMPDIR) - -cp -p $(ALLSRCS) $(TMPDIR) - -(cd ..; cp -p $(ALLSRCS) $(TMPDIR)) - ls -la $(TMPDIR) - (cd $(TMPBASE); tar cvzf /tmp/test.tgz test) diff --git a/sys/netinet/ipfw/test/dn_test.h b/sys/netinet/ipfw/test/dn_test.h deleted file mode 100644 index 4e079bc..0000000 --- a/sys/netinet/ipfw/test/dn_test.h +++ /dev/null @@ -1,175 +0,0 @@ -/* - * $FreeBSD$ - * - * userspace compatibility code for dummynet schedulers - */ - -#ifndef _DN_TEST_H -#define _DN_TEST_H - -#ifdef __cplusplus -extern "C" { -#endif - -#include <inttypes.h> -#include <stdio.h> -#include <stdlib.h> -#include <strings.h> /* bzero, ffs, ... */ -#include <string.h> /* strcmp */ -#include <errno.h> -#include <sys/queue.h> -#include <sys/time.h> - -extern int debug; -#define ND(fmt, args...) do {} while (0) -#define D1(fmt, args...) do {} while (0) -#define D(fmt, args...) fprintf(stderr, "%-8s " fmt "\n", \ - __FUNCTION__, ## args) -#define DX(lev, fmt, args...) do { \ - if (debug > lev) D(fmt, ## args); } while (0) - - -#ifndef offsetof -#define offsetof(t,m) (int)((&((t *)0L)->m)) -#endif - -#include <mylist.h> - -/* prevent include of other system headers */ -#define _NETINET_IP_VAR_H_ /* ip_fw_args */ -#define _IPFW2_H -#define _SYS_MBUF_H_ - -enum { - DN_QUEUE, -}; - -enum { - DN_SCHED_FIFO, - DN_SCHED_WF2QP, -}; - -struct dn_id { - int type, subtype, len, id; -}; - -struct dn_fs { - int par[4]; /* flowset parameters */ - - /* simulation entries. - * 'index' is not strictly necessary - * y is used for the inverse mapping , - */ - int index; - int y; /* inverse mapping */ - int base_y; /* inverse mapping */ - int next_y; /* inverse mapping */ - int n_flows; - int first_flow; - int next_flow; /* first_flow + n_flows */ - /* - * when generating, let 'cur' go from 0 to n_flows-1, - * then point to flow first_flow + cur - */ - int cur; -}; - -struct dn_sch { -}; - -struct dn_flow { - struct dn_id oid; - int length; - int len_bytes; - int drops; - uint64_t tot_bytes; - uint32_t flow_id; - struct list_head h; /* used by the generator */ -}; - -struct dn_link { -}; - -struct ip_fw_args { -}; - -struct mbuf { - struct { - int len; - } m_pkthdr; - struct mbuf *m_nextpkt; - int flow_id; /* for testing, index of a flow */ - //int flowset_id; /* for testing, index of a flowset */ - void *cfg; /* config args */ -}; - -#define MALLOC_DECLARE(x) -#define KASSERT(x, y) do { if (!(x)) printf y ; exit(0); } while (0) -struct ipfw_flow_id { -}; - -typedef void * module_t; - -struct _md_t { - const char *name; - int (*f)(module_t, int, void *); - void *p; -}; - -typedef struct _md_t moduledata_t; - -#define DECLARE_MODULE(name, b, c, d) \ - moduledata_t *_g_##name = & b -#define MODULE_DEPEND(a, b, c, d, e) - -#ifdef IPFW -#include <dn_heap.h> -#include <ip_dn_private.h> -#include <dn_sched.h> -#else -struct dn_queue { - struct dn_fsk *fs; /* parent flowset. */ - struct dn_sch_inst *_si; /* parent sched instance. */ -}; -struct dn_schk { -}; -struct dn_fsk { - struct dn_fs fs; - struct dn_schk *sched; -}; -struct dn_sch_inst { - struct dn_schk *sched; -}; -struct dn_alg { - int type; - const char *name; - void *enqueue, *dequeue; - int q_datalen, si_datalen, schk_datalen; - int (*config)(struct dn_schk *); - int (*new_sched)(struct dn_sch_inst *); - int (*new_fsk)(struct dn_fsk *); - int (*new_queue)(struct dn_queue *q); -}; - -#endif - -#ifndef __FreeBSD__ -int fls(int); -#endif - -static inline void -mq_append(struct mq *q, struct mbuf *m) -{ - if (q->head == NULL) - q->head = m; - else - q->tail->m_nextpkt = m; - q->tail = m; - m->m_nextpkt = NULL; -} - -#ifdef __cplusplus -} -#endif - -#endif /* _DN_TEST_H */ diff --git a/sys/netinet/ipfw/test/main.c b/sys/netinet/ipfw/test/main.c deleted file mode 100644 index be9fdf5..0000000 --- a/sys/netinet/ipfw/test/main.c +++ /dev/null @@ -1,636 +0,0 @@ -/* - * $FreeBSD$ - * - * Testing program for schedulers - * - * The framework include a simple controller which, at each - * iteration, decides whether we can enqueue and/or dequeue. - * Then the mainloop runs the required number of tests, - * keeping track of statistics. - */ - -#include "dn_test.h" - -struct q_list { - struct list_head h; -}; - -struct cfg_s { - int ac; - char * const *av; - - const char *name; - int loops; - struct timeval time; - - /* running counters */ - uint32_t _enqueue; - uint32_t drop; - uint32_t pending; - uint32_t dequeue; - - /* generator parameters */ - int th_min, th_max; - int maxburst; - int lmin, lmax; /* packet len */ - int flows; /* number of flows */ - int flowsets; /* number of flowsets */ - int wsum; /* sum of weights of all flows */ - int max_y; /* max random number in the generation */ - int cur_y, cur_fs; /* used in generation, between 0 and max_y - 1 */ - const char *fs_config; /* flowset config */ - int can_dequeue; - int burst; /* count of packets sent in a burst */ - struct mbuf *tosend; /* packet to send -- also flag to enqueue */ - - struct mbuf *freelist; - - struct mbuf *head, *tail; /* a simple tailq */ - - /* scheduler hooks */ - int (*enq)(struct dn_sch_inst *, struct dn_queue *, - struct mbuf *); - struct mbuf * (*deq)(struct dn_sch_inst *); - /* size of the three fields including sched-specific areas */ - int schk_len; - int q_len; /* size of a queue including sched-fields */ - int si_len; /* size of a sch_inst including sched-fields */ - char *q; /* array of flow queues */ - /* use a char* because size is variable */ - struct dn_fsk *fs; /* array of flowsets */ - struct dn_sch_inst *si; - struct dn_schk *sched; - - /* generator state */ - int state; /* 0 = going up, 1: going down */ - - /* - * We keep lists for each backlog level, and always serve - * the one with shortest backlog. llmask contains a bitmap - * of lists, and ll are the heads of the lists. The last - * entry (BACKLOG) contains all entries considered 'full' - * XXX to optimize things, entry i could contain queues with - * 2^{i-1}+1 .. 2^i entries. - */ -#define BACKLOG 30 - uint32_t llmask; - struct list_head ll[BACKLOG + 10]; -}; - -/* FI2Q and Q2FI converts from flow_id to dn_queue and back. - * We cannot easily use pointer arithmetic because it is variable size. - */ -#define FI2Q(c, i) ((struct dn_queue *)((c)->q + (c)->q_len * (i))) -#define Q2FI(c, q) (((char *)(q) - (c)->q)/(c)->q_len) - -int debug = 0; - -struct dn_parms dn_cfg; - -static void controller(struct cfg_s *c); - -/* release a packet: put the mbuf in the freelist, and the queue in - * the bucket. - */ -int -drop(struct cfg_s *c, struct mbuf *m) -{ - struct dn_queue *q; - int i; - - c->drop++; - q = FI2Q(c, m->flow_id); - i = q->ni.length; // XXX or ffs... - - ND("q %p id %d current length %d", q, m->flow_id, i); - if (i < BACKLOG) { - struct list_head *h = &q->ni.h; - c->llmask &= ~(1<<(i+1)); - c->llmask |= (1<<(i)); - list_del(h); - list_add_tail(h, &c->ll[i]); - } - m->m_nextpkt = c->freelist; - c->freelist = m; - return 0; -} - -/* dequeue returns NON-NULL when a packet is dropped */ -static int -enqueue(struct cfg_s *c, void *_m) -{ - struct mbuf *m = _m; - if (c->enq) - return c->enq(c->si, FI2Q(c, m->flow_id), m); - if (c->head == NULL) - c->head = m; - else - c->tail->m_nextpkt = m; - c->tail = m; - return 0; /* default - success */ -} - -/* dequeue returns NON-NULL when a packet is available */ -static void * -dequeue(struct cfg_s *c) -{ - struct mbuf *m; - if (c->deq) - return c->deq(c->si); - if ((m = c->head)) { - m = c->head; - c->head = m->m_nextpkt; - m->m_nextpkt = NULL; - } - return m; -} - -static int -mainloop(struct cfg_s *c) -{ - int i; - struct mbuf *m; - - for (i=0; i < c->loops; i++) { - /* implement histeresis */ - controller(c); - DX(3, "loop %d enq %d send %p rx %d", - i, c->_enqueue, c->tosend, c->can_dequeue); - if ( (m = c->tosend) ) { - c->_enqueue++; - if (enqueue(c, m)) { - drop(c, m); - ND("loop %d enqueue fail", i ); - } else { - ND("enqueue ok"); - c->pending++; - } - } - if (c->can_dequeue) { - c->dequeue++; - if ((m = dequeue(c))) { - c->pending--; - drop(c, m); - c->drop--; /* compensate */ - } - } - } - DX(1, "mainloop ends %d", i); - return 0; -} - -int -dump(struct cfg_s *c) -{ - int i; - struct dn_queue *q; - - for (i=0; i < c->flows; i++) { - q = FI2Q(c, i); - DX(1, "queue %4d tot %10lld", i, q->ni.tot_bytes); - } - DX(1, "done %d loops\n", c->loops); - return 0; -} - -/* interpret a number in human form */ -static long -getnum(const char *s, char **next, const char *key) -{ - char *end = NULL; - long l; - - if (next) /* default */ - *next = NULL; - if (s && *s) { - DX(3, "token is <%s> %s", s, key ? key : "-"); - l = strtol(s, &end, 0); - } else { - DX(3, "empty string"); - l = -1; - } - if (l < 0) { - DX(2, "invalid %s for %s", s ? s : "NULL", (key ? key : "") ); - return 0; // invalid - } - if (!end || !*end) - return l; - if (*end == 'n') - l = -l; /* multiply by n */ - else if (*end == 'K') - l = l*1000; - else if (*end == 'M') - l = l*1000000; - else if (*end == 'k') - l = l*1024; - else if (*end == 'm') - l = l*1024*1024; - else if (*end == 'w') - ; - else {/* not recognized */ - D("suffix %s for %s, next %p", end, key, next); - end--; - } - end++; - DX(3, "suffix now %s for %s, next %p", end, key, next); - if (next && *end) { - DX(3, "setting next to %s for %s", end, key); - *next = end; - } - return l; -} - -/* - * flowsets are a comma-separated list of - * weight:maxlen:flows - * indicating how many flows are hooked to that fs. - * Both weight and range can be min-max-steps. - * In a first pass we just count the number of flowsets and flows, - * in a second pass we complete the setup. - */ -static void -parse_flowsets(struct cfg_s *c, const char *fs, int pass) -{ - char *s, *cur, *next; - int n_flows = 0, n_fs = 0, wsum = 0; - int i, j; - struct dn_fs *prev = NULL; - - DX(3, "--- pass %d flows %d flowsets %d", pass, c->flows, c->flowsets); - if (pass == 0) - c->fs_config = fs; - s = c->fs_config ? strdup(c->fs_config) : NULL; - if (s == NULL) { - if (pass == 0) - D("no fsconfig"); - return; - } - for (next = s; (cur = strsep(&next, ","));) { - char *p = NULL; - int w, w_h, w_steps, wi; - int len, len_h, l_steps, li; - int flows; - - w = getnum(strsep(&cur, ":"), &p, "weight"); - if (w <= 0) - w = 1; - w_h = p ? getnum(p+1, &p, "weight_max") : w; - w_steps = p ? getnum(p+1, &p, "w_steps") : (w_h == w ?1:2); - len = getnum(strsep(&cur, ":"), &p, "len"); - if (len <= 0) - len = 1000; - len_h = p ? getnum(p+1, &p, "len_max") : len; - l_steps = p ? getnum(p+1, &p, "l_steps") : (len_h == len ? 1 : 2); - flows = getnum(strsep(&cur, ":"), NULL, "flows"); - if (flows == 0) - flows = 1; - DX(4, "weight %d..%d (%d) len %d..%d (%d) flows %d", - w, w_h, w_steps, len, len_h, l_steps, flows); - if (w == 0 || w_h < w || len == 0 || len_h < len || - flows == 0) { - DX(4,"wrong parameters %s", fs); - return; - } - n_flows += flows * w_steps * l_steps; - for (i = 0; i < w_steps; i++) { - wi = w + ((w_h - w)* i)/(w_steps == 1 ? 1 : (w_steps-1)); - for (j = 0; j < l_steps; j++, n_fs++) { - struct dn_fs *fs = &c->fs[n_fs].fs; // tentative - int x; - - li = len + ((len_h - len)* j)/(l_steps == 1 ? 1 : (l_steps-1)); - x = (wi*2048)/li; - DX(3, "----- fs %4d weight %4d lmax %4d X %4d flows %d", - n_fs, wi, li, x, flows); - if (pass == 0) - continue; - if (c->fs == NULL || c->flowsets <= n_fs) { - D("error in number of flowsets"); - return; - } - wsum += wi * flows; - fs->par[0] = wi; - fs->par[1] = li; - fs->index = n_fs; - fs->n_flows = flows; - fs->cur = fs->first_flow = prev==NULL ? 0 : prev->next_flow; - fs->next_flow = fs->first_flow + fs->n_flows; - fs->y = x * flows; - fs->base_y = (prev == NULL) ? 0 : prev->next_y; - fs->next_y = fs->base_y + fs->y; - prev = fs; - } - } - } - c->max_y = prev ? prev->base_y + prev->y : 0; - c->flows = n_flows; - c->flowsets = n_fs; - c->wsum = wsum; - if (pass == 0) - return; - - /* now link all flows to their parent flowsets */ - DX(1,"%d flows on %d flowsets max_y %d", c->flows, c->flowsets, c->max_y); - for (i=0; i < c->flowsets; i++) { - struct dn_fs *fs = &c->fs[i].fs; - DX(1, "fs %3d w %5d l %4d flow %5d .. %5d y %6d .. %6d", - i, fs->par[0], fs->par[1], - fs->first_flow, fs->next_flow, - fs->base_y, fs->next_y); - for (j = fs->first_flow; j < fs->next_flow; j++) { - struct dn_queue *q = FI2Q(c, j); - q->fs = &c->fs[i]; - } - } -} - -static int -init(struct cfg_s *c) -{ - int i; - int ac = c->ac; - char * const *av = c->av; - - c->si_len = sizeof(struct dn_sch_inst); - c->q_len = sizeof(struct dn_queue); - moduledata_t *mod = NULL; - struct dn_alg *p = NULL; - - c->th_min = 0; - c->th_max = -20;/* 20 packets per flow */ - c->lmin = c->lmax = 1280; /* packet len */ - c->flows = 1; - c->flowsets = 1; - c->name = "null"; - ac--; av++; - while (ac > 1) { - if (!strcmp(*av, "-n")) { - c->loops = getnum(av[1], NULL, av[0]); - } else if (!strcmp(*av, "-d")) { - debug = atoi(av[1]); - } else if (!strcmp(*av, "-alg")) { - extern moduledata_t *_g_dn_fifo; - extern moduledata_t *_g_dn_wf2qp; - extern moduledata_t *_g_dn_rr; - extern moduledata_t *_g_dn_qfq; -#ifdef WITH_KPS - extern moduledata_t *_g_dn_kps; -#endif - if (!strcmp(av[1], "rr")) - mod = _g_dn_rr; - else if (!strcmp(av[1], "wf2qp")) - mod = _g_dn_wf2qp; - else if (!strcmp(av[1], "fifo")) - mod = _g_dn_fifo; - else if (!strcmp(av[1], "qfq")) - mod = _g_dn_qfq; -#ifdef WITH_KPS - else if (!strcmp(av[1], "kps")) - mod = _g_dn_kps; -#endif - else - mod = NULL; - c->name = mod ? mod->name : "NULL"; - DX(3, "using scheduler %s", c->name); - } else if (!strcmp(*av, "-len")) { - c->lmin = getnum(av[1], NULL, av[0]); - c->lmax = c->lmin; - DX(3, "setting max to %d", c->th_max); - } else if (!strcmp(*av, "-burst")) { - c->maxburst = getnum(av[1], NULL, av[0]); - DX(3, "setting max to %d", c->th_max); - } else if (!strcmp(*av, "-qmax")) { - c->th_max = getnum(av[1], NULL, av[0]); - DX(3, "setting max to %d", c->th_max); - } else if (!strcmp(*av, "-qmin")) { - c->th_min = getnum(av[1], NULL, av[0]); - DX(3, "setting min to %d", c->th_min); - } else if (!strcmp(*av, "-flows")) { - c->flows = getnum(av[1], NULL, av[0]); - DX(3, "setting flows to %d", c->flows); - } else if (!strcmp(*av, "-flowsets")) { - parse_flowsets(c, av[1], 0); - DX(3, "setting flowsets to %d", c->flowsets); - } else { - D("option %s not recognised, ignore", *av); - } - ac -= 2; av += 2; - } - if (c->maxburst <= 0) - c->maxburst = 1; - if (c->loops <= 0) - c->loops = 1; - if (c->flows <= 0) - c->flows = 1; - if (c->flowsets <= 0) - c->flowsets = 1; - if (c->lmin <= 0) - c->lmin = 1; - if (c->lmax <= 0) - c->lmax = 1; - /* multiply by N */ - if (c->th_min < 0) - c->th_min = c->flows * -c->th_min; - if (c->th_max < 0) - c->th_max = c->flows * -c->th_max; - if (c->th_max <= c->th_min) - c->th_max = c->th_min + 1; - if (mod) { - p = mod->p; - DX(3, "using module %s f %p p %p", mod->name, mod->f, mod->p); - DX(3, "modname %s ty %d", p->name, p->type); - c->enq = p->enqueue; - c->deq = p->dequeue; - c->si_len += p->si_datalen; - c->q_len += p->q_datalen; - c->schk_len += p->schk_datalen; - } - /* allocate queues, flowsets and one scheduler */ - c->q = calloc(c->flows, c->q_len); - c->fs = calloc(c->flowsets, sizeof(struct dn_fsk)); - c->si = calloc(1, c->si_len); - c->sched = calloc(c->flows, c->schk_len); - if (c->q == NULL || c->fs == NULL) { - D("error allocating memory for flows"); - exit(1); - } - c->si->sched = c->sched; - if (p) { - if (p->config) - p->config(c->sched); - if (p->new_sched) - p->new_sched(c->si); - } - /* parse_flowsets links queues to their flowsets */ - parse_flowsets(c, av[1], 1); - /* complete the work calling new_fsk */ - for (i = 0; i < c->flowsets; i++) { - if (c->fs[i].fs.par[1] == 0) - c->fs[i].fs.par[1] = 1000; /* default pkt len */ - c->fs[i].sched = c->sched; - if (p && p->new_fsk) - p->new_fsk(&c->fs[i]); - } - - /* initialize the lists for the generator, and put - * all flows in the list for backlog = 0 - */ - for (i=0; i <= BACKLOG+5; i++) - INIT_LIST_HEAD(&c->ll[i]); - - for (i = 0; i < c->flows; i++) { - struct dn_queue *q = FI2Q(c, i); - if (q->fs == NULL) - q->fs = &c->fs[0]; /* XXX */ - q->_si = c->si; - if (p && p->new_queue) - p->new_queue(q); - INIT_LIST_HEAD(&q->ni.h); - list_add_tail(&q->ni.h, &c->ll[0]); - } - c->llmask = 1; - return 0; -} - - -int -main(int ac, char *av[]) -{ - struct cfg_s c; - struct timeval end; - double ll; - int i; - char msg[40]; - - bzero(&c, sizeof(c)); - c.ac = ac; - c.av = av; - init(&c); - gettimeofday(&c.time, NULL); - mainloop(&c); - gettimeofday(&end, NULL); - end.tv_sec -= c.time.tv_sec; - end.tv_usec -= c.time.tv_usec; - if (end.tv_usec < 0) { - end.tv_usec += 1000000; - end.tv_sec--; - } - c.time = end; - ll = end.tv_sec*1000000 + end.tv_usec; - ll *= 1000; /* convert to nanoseconds */ - ll /= c._enqueue; - sprintf(msg, "1::%d", c.flows); - D("%-8s n %d %d time %d.%06d %8.3f qlen %d %d flows %s drops %d", - c.name, c._enqueue, c.loops, - (int)c.time.tv_sec, (int)c.time.tv_usec, ll, - c.th_min, c.th_max, - c.fs_config ? c.fs_config : msg, c.drop); - dump(&c); - DX(1, "done ac %d av %p", ac, av); - for (i=0; i < ac; i++) - DX(1, "arg %d %s", i, av[i]); - return 0; -} - -/* - * The controller decides whether in this iteration we should send - * (the packet is in c->tosend) and/or receive (flag c->can_dequeue) - */ -static void -controller(struct cfg_s *c) -{ - struct mbuf *m; - struct dn_fs *fs; - int flow_id; - - /* histeresis between max and min */ - if (c->state == 0 && c->pending >= c->th_max) - c->state = 1; - else if (c->state == 1 && c->pending <= c->th_min) - c->state = 0; - ND(1, "state %d pending %2d", c->state, c->pending); - c->can_dequeue = c->state; - c->tosend = NULL; - if (c->state) - return; - - if (1) { - int i; - struct dn_queue *q; - struct list_head *h; - - i = ffs(c->llmask) - 1; - if (i < 0) { - DX(2, "no candidate"); - c->can_dequeue = 1; - return; - } - h = &c->ll[i]; - ND(1, "backlog %d p %p prev %p next %p", i, h, h->prev, h->next); - q = list_first_entry(h, struct dn_queue, ni.h); - list_del(&q->ni.h); - flow_id = Q2FI(c, q); - DX(2, "extracted flow %p %d backlog %d", q, flow_id, i); - if (list_empty(h)) { - ND(2, "backlog %d empty", i); - c->llmask &= ~(1<<i); - } - ND(1, "before %d p %p prev %p next %p", i+1, h+1, h[1].prev, h[1].next); - list_add_tail(&q->ni.h, h+1); - ND(1, " after %d p %p prev %p next %p", i+1, h+1, h[1].prev, h[1].next); - if (i < BACKLOG) { - ND(2, "backlog %d full", i+1); - c->llmask |= 1<<(1+i); - } - fs = &q->fs->fs; - c->cur_fs = q->fs - c->fs; - fs->cur = flow_id; - } else { - /* XXX this does not work ? */ - /* now decide whom to send the packet, and the length */ - /* lookup in the flow table */ - if (c->cur_y >= c->max_y) { /* handle wraparound */ - c->cur_y = 0; - c->cur_fs = 0; - } - fs = &c->fs[c->cur_fs].fs; - flow_id = fs->cur++; - if (fs->cur >= fs->next_flow) - fs->cur = fs->first_flow; - c->cur_y++; - if (c->cur_y >= fs->next_y) - c->cur_fs++; - } - - /* construct a packet */ - if (c->freelist) { - m = c->tosend = c->freelist; - c->freelist = c->freelist->m_nextpkt; - } else { - m = c->tosend = calloc(1, sizeof(struct mbuf)); - } - if (m == NULL) - return; - - m->cfg = c; - m->m_nextpkt = NULL; - m->m_pkthdr.len = fs->par[1]; // XXX maxlen - m->flow_id = flow_id; - - ND(2,"y %6d flow %5d fs %3d weight %4d len %4d", - c->cur_y, m->flow_id, c->cur_fs, - fs->par[0], m->m_pkthdr.len); - -} - -/* -Packet allocation: -to achieve a distribution that matches weights, for each X=w/lmax class -we should generate a number of packets proportional to Y = X times the number -of flows in the class. -So we construct an array with the cumulative distribution of Y's, -and use it to identify the flow via inverse mapping (if the Y's are -not too many we can use an array for the lookup). In practice, -each flow will have X entries [virtually] pointing to it. - -*/ diff --git a/sys/netinet/ipfw/test/mylist.h b/sys/netinet/ipfw/test/mylist.h deleted file mode 100644 index 6247f32..0000000 --- a/sys/netinet/ipfw/test/mylist.h +++ /dev/null @@ -1,49 +0,0 @@ -/* - * $FreeBSD$ - * - * linux-like bidirectional lists - */ - -#ifndef _MYLIST_H -#define _MYLIST_H -struct list_head { - struct list_head *prev, *next; -}; - -#define INIT_LIST_HEAD(l) do { (l)->prev = (l)->next = (l); } while (0) -#define list_empty(l) ( (l)->next == l ) -static inline void -__list_add(struct list_head *o, struct list_head *prev, - struct list_head *next) -{ - next->prev = o; - o->next = next; - o->prev = prev; - prev->next = o; -} - -static inline void -list_add_tail(struct list_head *o, struct list_head *head) -{ - __list_add(o, head->prev, head); -} - -#define list_first_entry(pL, ty, member) \ - (ty *)((char *)((pL)->next) - offsetof(ty, member)) - -static inline void -__list_del(struct list_head *prev, struct list_head *next) -{ - next->prev = prev; - prev->next = next; -} - -static inline void -list_del(struct list_head *entry) -{ - ND("called on %p", entry); - __list_del(entry->prev, entry->next); - entry->next = entry->prev = NULL; -} - -#endif /* _MYLIST_H */ diff --git a/sys/netinet/ipfw/test/test_dn_heap.c b/sys/netinet/ipfw/test/test_dn_heap.c deleted file mode 100644 index d460cf2..0000000 --- a/sys/netinet/ipfw/test/test_dn_heap.c +++ /dev/null @@ -1,162 +0,0 @@ -/*- - * Copyright (c) 1998-2002,2010 Luigi Rizzo, Universita` di Pisa - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * Userland code for testing binary heaps and hash tables - * - * $FreeBSD$ - */ - -#include <sys/cdefs.h> -#include <sys/param.h> - -#include <stdio.h> -#include <strings.h> -#include <stdlib.h> - -#include "dn_heap.h" -#define log(x, arg...) fprintf(stderr, ## arg) -#define panic(x...) fprintf(stderr, ## x), exit(1) - -#include <string.h> - -struct x { - struct x *ht_link; - char buf[0]; -}; - -uint32_t hf(uintptr_t key, int flags, void *arg) -{ - return (flags & DNHT_KEY_IS_OBJ) ? - ((struct x *)key)->buf[0] : *(char *)key; -} - -int matchf(void *obj, uintptr_t key, int flags, void *arg) -{ - char *s = (flags & DNHT_KEY_IS_OBJ) ? - ((struct x *)key)->buf : (char *)key; - return (strcmp(((struct x *)obj)->buf, s) == 0); -} - -void *newfn(uintptr_t key, int flags, void *arg) -{ - char *s = (char *)key; - struct x *p = malloc(sizeof(*p) + 1 + strlen(s)); - if (p) - strcpy(p->buf, s); - return p; -} - -char *strings[] = { - "undici", "unico", "doppio", "devoto", - "uno", "due", "tre", "quattro", "cinque", "sei", - "uno", "due", "tre", "quattro", "cinque", "sei", - NULL, -}; - -int doprint(void *_x, void *arg) -{ - struct x *x = _x; - printf("found element <%s>\n", x->buf); - return (int)arg; -} - -static void -test_hash() -{ - char **p; - struct dn_ht *h; - uintptr_t x = 0; - uintptr_t x1 = 0; - - /* first, find and allocate */ - h = dn_ht_init(NULL, 10, 0, hf, matchf, newfn); - - for (p = strings; *p; p++) { - dn_ht_find(h, (uintptr_t)*p, DNHT_INSERT, NULL); - } - dn_ht_scan(h, doprint, 0); - printf("/* second -- find without allocate */\n"); - h = dn_ht_init(NULL, 10, 0, hf, matchf, NULL); - for (p = strings; *p; p++) { - void **y = newfn((uintptr_t)*p, 0, NULL); - if (x == 0) - x = (uintptr_t)y; - else { - if (x1 == 0) - x1 = (uintptr_t)*p; - } - dn_ht_find(h, (uintptr_t)y, DNHT_INSERT | DNHT_KEY_IS_OBJ, NULL); - } - dn_ht_scan(h, doprint, 0); - printf("remove %p gives %p\n", (void *)x, - dn_ht_find(h, x, DNHT_KEY_IS_OBJ | DNHT_REMOVE, NULL)); - printf("remove %p gives %p\n", (void *)x, - dn_ht_find(h, x, DNHT_KEY_IS_OBJ | DNHT_REMOVE, NULL)); - printf("remove %p gives %p\n", (void *)x, - dn_ht_find(h, x1, DNHT_REMOVE, NULL)); - printf("remove %p gives %p\n", (void *)x, - dn_ht_find(h, x1, DNHT_REMOVE, NULL)); - dn_ht_scan(h, doprint, 0); -} - -int -main(int argc, char *argv[]) -{ - struct dn_heap h; - int i, n, n2, n3; - - test_hash(); - return 0; - - /* n = elements, n2 = cycles */ - n = (argc > 1) ? atoi(argv[1]) : 0; - if (n <= 0 || n > 1000000) - n = 100; - n2 = (argc > 2) ? atoi(argv[2]) : 0; - if (n2 <= 0) - n = 1000000; - n3 = (argc > 3) ? atoi(argv[3]) : 0; - bzero(&h, sizeof(h)); - heap_init(&h, n, -1); - while (n2-- > 0) { - uint64_t prevk = 0; - for (i=0; i < n; i++) - heap_insert(&h, n3 ? n-i: random(), (void *)(100+i)); - - for (i=0; h.elements > 0; i++) { - uint64_t k = h.p[0].key; - if (k < prevk) - panic("wrong sequence\n"); - prevk = k; - if (0) - printf("%d key %llu, val %p\n", - i, h.p[0].key, h.p[0].object); - heap_extract(&h, NULL); - } - } - return 0; -} diff --git a/sys/netinet/ipfw/test/test_dn_sched.c b/sys/netinet/ipfw/test/test_dn_sched.c deleted file mode 100644 index ee46c95..0000000 --- a/sys/netinet/ipfw/test/test_dn_sched.c +++ /dev/null @@ -1,89 +0,0 @@ -/* - * $FreeBSD$ - * - * library functions for userland testing of dummynet schedulers - */ - -#include "dn_test.h" - -void -m_freem(struct mbuf *m) -{ - printf("free %p\n", m); -} - -int -dn_sched_modevent(module_t mod, int cmd, void *arg) -{ - return 0; -} - -void -dn_free_pkts(struct mbuf *m) -{ - struct mbuf *x; - while ( (x = m) ) { - m = m->m_nextpkt; - m_freem(x); - } -} - -int -dn_delete_queue(void *_q, void *do_free) -{ - struct dn_queue *q = _q; - if (q->mq.head) - dn_free_pkts(q->mq.head); - free(q); - return 0; -} - -/* - * This is a simplified function for testing purposes, which does - * not implement statistics or random loss. - * Enqueue a packet in q, subject to space and queue management policy - * (whose parameters are in q->fs). - * Update stats for the queue and the scheduler. - * Return 0 on success, 1 on drop. The packet is consumed anyways. - */ -int -dn_enqueue(struct dn_queue *q, struct mbuf* m, int drop) -{ - if (drop) - goto drop; - if (q->ni.length >= 200) - goto drop; - mq_append(&q->mq, m); - q->ni.length++; - q->ni.tot_bytes += m->m_pkthdr.len; - return 0; - -drop: - q->ni.drops++; - return 1; -} - -int -ipdn_bound_var(int *v, int dflt, int lo, int hi, const char *msg) -{ - if (*v < lo) { - *v = dflt; - } else if (*v > hi) { - *v = hi; - } - return *v; -} - -#ifndef __FreeBSD__ -int -fls(int mask) -{ - int bit; - - if (mask == 0) - return (0); - for (bit = 1; mask != 1; bit++) - mask = (unsigned int)mask >> 1; - return (bit); -} -#endif |