diff options
-rw-r--r-- | sys/netinet/ip_ah_new.c | 58 | ||||
-rw-r--r-- | sys/netinet/ip_ah_old.c | 49 | ||||
-rw-r--r-- | sys/netinet/ip_esp_new.c | 87 | ||||
-rw-r--r-- | sys/netinet/ip_esp_old.c | 57 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.c | 29 |
5 files changed, 151 insertions, 129 deletions
diff --git a/sys/netinet/ip_ah_new.c b/sys/netinet/ip_ah_new.c index 022deed2c2b..a6061bfc4d7 100644 --- a/sys/netinet/ip_ah_new.c +++ b/sys/netinet/ip_ah_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah_new.c,v 1.20 1998/11/25 09:56:50 niklas Exp $ */ +/* $OpenBSD: ip_ah_new.c,v 1.21 1999/01/11 22:52:09 deraadt Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -69,7 +69,6 @@ #include <netinet/ip_ipsp.h> #include <netinet/ip_ah.h> -#include <sys/syslog.h> #ifdef ENCDEBUG #define DPRINTF(x) if (encdebug) printf x @@ -142,8 +141,7 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) em = mtod(m, struct encap_msghdr *); if (em->em_msglen - EMT_SETSPI_FLEN <= AH_NEW_XENCAP_LEN) { - if (encdebug) - log(LOG_WARNING, "ah_new_init() initialization failed\n"); + DPRINTF(("ah_new_init() initialization failed\n")); return EINVAL; } @@ -156,8 +154,7 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; if (i < 0) { - if (encdebug) - log(LOG_WARNING, "ah_new_init(): unsupported authentication algorithm %d specified\n", txd.amx_hash_algorithm); + DPRINTF(("ah_new_init(): unsupported authentication algorithm %d specified\n", txd.amx_hash_algorithm)); return EINVAL; } DPRINTF(("ah_new_init(): initalized TDB with hash algorithm %d: %s\n", @@ -167,9 +164,8 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) if (txd.amx_keylen + EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN != em->em_msglen) { - if (encdebug) - log(LOG_WARNING, "ah_new_init(): message length (%d) doesn't match\n", - em->em_msglen); + DPRINTF(("ah_new_init(): message length (%d) doesn't match\n", + em->em_msglen)); return EINVAL; } @@ -330,15 +326,13 @@ ah_new_input(struct mbuf *m, struct tdb *tdb) switch(errc) { case 1: - if (encdebug) - log(LOG_ERR, "ah_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); + DPRINTF(("ah_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi))); ahstat.ahs_wrap++; break; case 2: case 3: - if (encdebug) - log(LOG_WARNING, "ah_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); + DPRINTF(("ah_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi))); ahstat.ahs_replay++; break; } @@ -413,7 +407,12 @@ ah_new_input(struct mbuf *m, struct tdb *tdb) while (off > 0) { if (m0 == 0) - panic("ah_new_input(): m_copydata (off)"); + { + DPRINTF(("ah_new_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi))); + ahstat.ahs_hdrops++; + m_freem(m); + return NULL; + } if (off < m0->m_len) break; @@ -425,7 +424,12 @@ ah_new_input(struct mbuf *m, struct tdb *tdb) while (len > 0) { if (m0 == 0) - panic("ah_new_input(): m_copydata (copy)"); + { + DPRINTF(("ah_new_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi))); + ahstat.ahs_hdrops++; + m_freem(m); + return NULL; + } count = min(m0->m_len - off, len); @@ -444,8 +448,7 @@ ah_new_input(struct mbuf *m, struct tdb *tdb) if (bcmp(aho->ah_data, ah->ah_data, AH_HMAC_HASHLEN)) { - if (encdebug) - log(LOG_ALERT, "ah_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); + DPRINTF(("ah_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi))); #ifdef ENCDEBUG if (encdebug) { @@ -554,6 +557,7 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, { DPRINTF(("ah_new_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + ahstat.ahs_hdrops++; return ENOBUFS; } @@ -584,10 +588,8 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, ohlen = AH_NEW_FLENGTH; if (ohlen + ilen > IP_MAXPACKET) { - if (encdebug) - log(LOG_ALERT, - "ah_new_output(): packet in SA %x/%0x8 got too big\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("ah_new_output(): packet in SA %x/%0x8 got too big\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_toobig++; return EMSGSIZE; @@ -614,9 +616,8 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, if (xd->amx_rpl == 0) { - if (encdebug) - log(LOG_ALERT, "ah_new_output(): SA %x/%0x8 should have expired\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("ah_new_output(): SA %x/%0x8 should have expired\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_wrap++; return NULL; @@ -680,7 +681,13 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, while (len > 0) { if (m0 == 0) - panic("ah_new_output(): m_copydata"); + { + DPRINTF(("ah_new_output(): bad mbuf chain for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi))); + ahstat.ahs_hdrops++; + m_freem(m); + return EMSGSIZE; + } + count = min(m0->m_len - off, len); xd->amx_hash->Update(&ctx, mtod(m0, unsigned char *) + off, count); @@ -707,6 +714,7 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, if (m == NULL) { DPRINTF(("ah_new_output(): m_pullup() failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi))); + ahstat.ahs_hdrops++; return ENOBUFS; } diff --git a/sys/netinet/ip_ah_old.c b/sys/netinet/ip_ah_old.c index f9f8448b5e6..23ea072b899 100644 --- a/sys/netinet/ip_ah_old.c +++ b/sys/netinet/ip_ah_old.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah_old.c,v 1.17 1998/11/25 09:56:50 niklas Exp $ */ +/* $OpenBSD: ip_ah_old.c,v 1.18 1999/01/11 22:52:09 deraadt Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -68,7 +68,6 @@ #include <netinet/ip_ipsp.h> #include <netinet/ip_ah.h> -#include <sys/syslog.h> #ifdef ENCDEBUG #define DPRINTF(x) if (encdebug) printf x @@ -132,8 +131,7 @@ ah_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) em = mtod(m, struct encap_msghdr *); if (em->em_msglen - EMT_SETSPI_FLEN <= AH_OLD_XENCAP_LEN) { - if (encdebug) - log(LOG_WARNING, "ah_old_init(): initialization failed\n"); + DPRINTF(("ah_old_init(): initialization failed\n")); return EINVAL; } @@ -146,21 +144,19 @@ ah_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; if (i < 0) { - if (encdebug) - log(LOG_WARNING, "ah_old_init(): unsupported authentication algorithm %d specified\n", - xenc.amx_hash_algorithm); + DPRINTF(("ah_old_init(): unsupported authentication algorithm %d specified\n", xenc.amx_hash_algorithm)); m_freem(m); return EINVAL; } + DPRINTF(("ah_old_init(): initalized TDB with hash algorithm %d: %s\n", xenc.amx_hash_algorithm, ah_old_hash[i].name)); thash = &ah_old_hash[i]; if (xenc.amx_keylen + EMT_SETSPI_FLEN + AH_OLD_XENCAP_LEN != em->em_msglen) { - if (encdebug) - log(LOG_WARNING, "ah_old_init(): message length (%d) doesn't match\n", - em->em_msglen); + DPRINTF(("ah_old_init(): message length (%d) doesn't match\n", + em->em_msglen)); return EINVAL; } @@ -336,7 +332,12 @@ ah_old_input(struct mbuf *m, struct tdb *tdb) while (off > 0) { if (m0 == 0) - panic("ah_old_input(): m_copydata (off)"); + { + DPRINTF(("ah_old_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi))); + ahstat.ahs_hdrops++; + m_freem(m); + return NULL; + } if (off < m0->m_len) break; @@ -348,8 +349,13 @@ ah_old_input(struct mbuf *m, struct tdb *tdb) while (len > 0) { if (m0 == 0) - panic("ah_old_input(): m_copydata (copy)"); - + { + DPRINTF(("ah_old_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi))); + ahstat.ahs_hdrops++; + m_freem(m); + return NULL; + } + count = min(m0->m_len - off, len); xd->amx_hash->Update(&ctx, mtod(m0, unsigned char *) + off, count); @@ -364,8 +370,6 @@ ah_old_input(struct mbuf *m, struct tdb *tdb) if (bcmp(aho->ah_data, ah->ah_data, alen)) { - if (encdebug) - log(LOG_ALERT, "ah_old_input(): authentication failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)); ahstat.ahs_badauth++; m_freem(m); return NULL; @@ -459,6 +463,7 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, { DPRINTF(("ah_old_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + ahstat.ahs_hdrops++; return ENOBUFS; } @@ -489,10 +494,8 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, ohlen = AH_OLD_FLENGTH + alen; if (ohlen + ilen > IP_MAXPACKET) { - if (encdebug) - log(LOG_ALERT, - "ah_old_output(): packet in SA %x/%0x8 got too big\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("ah_old_output(): packet in SA %x/%0x8 got too big\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_toobig++; return EMSGSIZE; @@ -573,7 +576,12 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, while (len > 0) { if (m0 == 0) - panic("ah_old_output(): m_copydata()"); + { + DPRINTF(("ah_old_output(): M_PREPEND() failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi))); + m_freem(m); + return NULL; + } + count = min(m0->m_len - off, len); xd->amx_hash->Update(&ctx, mtod(m0, unsigned char *) + off, count); @@ -602,6 +610,7 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, if (m == NULL) { DPRINTF(("ah_old_output(): m_pullup() failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi))); + ahstat.ahs_hdrops++; return ENOBUFS; } diff --git a/sys/netinet/ip_esp_new.c b/sys/netinet/ip_esp_new.c index 50c627c2c29..5b3011a99e7 100644 --- a/sys/netinet/ip_esp_new.c +++ b/sys/netinet/ip_esp_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_new.c,v 1.29 1999/01/11 05:12:30 millert Exp $ */ +/* $OpenBSD: ip_esp_new.c,v 1.30 1999/01/11 22:52:09 deraadt Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -69,7 +69,6 @@ #include <netinet/ip_ipsp.h> #include <netinet/ip_esp.h> #include <netinet/ip_ah.h> -#include <sys/syslog.h> #ifdef ENCDEBUG #define DPRINTF(x) if (encdebug) printf x @@ -246,8 +245,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) em = mtod(m, struct encap_msghdr *); if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_NEW_XENCAP_LEN) { - if (encdebug) - log(LOG_WARNING, "esp_new_init(): initialization failed\n"); + DPRINTF(("esp_new_init(): initialization failed\n")); return EINVAL; } @@ -260,8 +258,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; if (i < 0) { - if (encdebug) - log(LOG_WARNING, "esp_new_init(): unsupported encryption algorithm %d specified\n", txd.edx_enc_algorithm); + DPRINTF(("esp_new_init(): unsupported encryption algorithm %d specified\n", txd.edx_enc_algorithm)); return EINVAL; } @@ -278,8 +275,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; if (i < 0) { - if (encdebug) - log(LOG_WARNING, "esp_new_init(): unsupported authentication algorithm %d specified\n", txd.edx_hash_algorithm); + DPRINTF(("esp_new_init(): unsupported authentication algorithm %d specified\n", txd.edx_hash_algorithm)); return EINVAL; } @@ -293,7 +289,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN != em->em_msglen) { if (encdebug) - log(LOG_WARNING, "esp_new_init(): message length (%d) doesn't match\n", em->em_msglen); + DPRINTF(("esp_new_init(): message length (%d) doesn't match\n", em->em_msglen)); return EINVAL; } @@ -303,9 +299,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) !(txd.edx_ivlen & txform->ivmask) || (txd.edx_ivlen & (txd.edx_ivlen - 1))))) { - if (encdebug) - log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n", - txd.edx_ivlen); + DPRINTF(("esp_new_init(): unsupported IV length %d\n", txd.edx_ivlen)); return EINVAL; } @@ -313,9 +307,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) if (txd.edx_confkeylen < txform->minkey || txd.edx_confkeylen > txform->maxkey) { - if (encdebug) - log(LOG_WARNING, "esp_new_init(): bad key length %d\n", - txd.edx_confkeylen); + DPRINTF(("esp_new_init(): bad key length %d\n", txd.edx_confkeylen)); return EINVAL; } @@ -494,7 +486,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) if ((m = m_pullup(m, ohlen + blks)) == NULL) { DPRINTF(("esp_new_input(): m_pullup() failed\n")); - espstat.esps_hdrops++; + espstat.esps_hdrops++; return NULL; } @@ -514,15 +506,13 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) switch(errc) { case 1: - if (encdebug) - log(LOG_ERR, "esp_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); + DPRINTF(("esp_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi))); espstat.esps_wrap++; break; case 2: case 3: - if (encdebug) - log(LOG_WARNING, "esp_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); + DPRINTF(("esp_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi))); espstat.esps_replay++; break; } @@ -560,7 +550,12 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) while (oplen > 0) { if (mo == 0) - panic("esp_new_input(): m_copydata (copy)"); + { + DPRINTF(("esp_new_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi))); + espstat.esps_hdrops++; + m_freem(m); + return NULL; + } count = min(mo->m_len - off, oplen); xd->edx_hash->Update(&ctx, mtod(mo, unsigned char *) + off, count); @@ -576,8 +571,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) if (bcmp(buf2, buf, AH_HMAC_HASHLEN)) { - if (encdebug) - log(LOG_ALERT, "esp_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); + DPRINTF(("esp_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi))); espstat.esps_badauth++; m_freem(m); return NULL; @@ -637,15 +631,20 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) do { mi = (mo = mi)->m_next; if (mi == NULL) - panic("esp_new_input(): bad chain (i)"); + { + DPRINTF(("esp_new_input(): bad mbuf chain, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; + m_freem(m); + return NULL; + } } while (mi->m_len == 0); if (mi->m_len < blks - rest) { if ((mi = m_pullup(mi, blks - rest)) == NULL) { - DPRINTF(("esp_new_input(): m_pullup() failed, SA %x/%08x\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi))); + DPRINTF(("esp_new_input(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + m_freem(m); espstat.esps_hdrops++; return NULL; } @@ -731,8 +730,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) } if ((blk[blks - 2] != blk[blks - 3]) && (blk[blks - 2] != 0)) { - if (encdebug) - log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); return NULL; } @@ -750,16 +748,14 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) } if (blk[blks - 2] == 0) { - if (encdebug) - log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); return NULL; } else if (blk[blks - 2] != blk[blks - 3] + 1) { - if (encdebug) - log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); return NULL; } @@ -775,6 +771,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) if (m == NULL) { DPRINTF(("esp_new_input(): m_pullup() failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; return NULL; } } @@ -885,14 +882,14 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, { DPRINTF(("esp_new_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; return ENOBUFS; } if (xd->edx_rpl == 0) { - if (encdebug) - log(LOG_ALERT, "esp_new_output(): SA %x/%0x8 should have expired\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("esp_new_output(): SA %x/%0x8 should have expired\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); espstat.esps_wrap++; return ENOBUFS; @@ -914,6 +911,7 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, { DPRINTF(("esp_new_input(): m_pullup() failed for SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; return ENOBUFS; } @@ -934,10 +932,8 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, rlen = ilen - iphlen; padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; if (iphlen + ohlen + rlen + padding + alen > IP_MAXPACKET) { - if (encdebug) - log(LOG_ALERT, - "esp_new_output(): packet in SA %x/%0x8 got too big\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("esp_new_output(): packet in SA %x/%0x8 got too big\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); espstat.esps_toobig++; return EMSGSIZE; @@ -1012,15 +1008,21 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, do { mi = (mo = mi)->m_next; if (mi == NULL) - panic("esp_new_output(): bad chain (i)"); + { + DPRINTF(("esp_new_output(): bad mbuf chain, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; + m_freem(m); + return EINVAL; + } } while (mi->m_len == 0); if (mi->m_len < blks - rest) { if ((mi = m_pullup(mi, blks - rest)) == NULL) { - DPRINTF(("esp_new_output(): m_pullup() failed, SA %x/%08x\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi))); + DPRINTF(("esp_new_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + m_freem(m); + espstat.esps_hdrops++; return ENOBUFS; } /* @@ -1106,6 +1108,7 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, { DPRINTF(("esp_new_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; return ENOBUFS; } diff --git a/sys/netinet/ip_esp_old.c b/sys/netinet/ip_esp_old.c index f7a294b0db7..76d2a3d8311 100644 --- a/sys/netinet/ip_esp_old.c +++ b/sys/netinet/ip_esp_old.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_old.c,v 1.25 1999/01/11 05:12:30 millert Exp $ */ +/* $OpenBSD: ip_esp_old.c,v 1.26 1999/01/11 22:52:10 deraadt Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -69,7 +69,6 @@ #include <netinet/ip_ipsp.h> #include <netinet/ip_esp.h> #include <dev/rndvar.h> -#include <sys/syslog.h> #ifdef ENCDEBUG #define DPRINTF(x) if (encdebug) printf x @@ -170,8 +169,7 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) em = mtod(m, struct encap_msghdr *); if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_OLD_XENCAP_LEN) { - if (encdebug) - log(LOG_WARNING, "esp_old_init(): initialization failed\n"); + DPRINTF(("esp_old_init(): initialization failed\n")); return EINVAL; } @@ -184,8 +182,7 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; if (i < 0) { - if (encdebug) - log(LOG_WARNING, "esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm); + DPRINTF(("esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm)); return EINVAL; } @@ -196,8 +193,8 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) if (xenc.edx_ivlen + xenc.edx_keylen + EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN != em->em_msglen) { - if (encdebug) - log(LOG_WARNING, "esp_old_init(): message length (%d) doesn't match\n", em->em_msglen); + DPRINTF(("esp_old_init(): message length (%d) doesn't match\n", + em->em_msglen)); return EINVAL; } @@ -207,18 +204,15 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) !(xenc.edx_ivlen & txform->ivmask) || (xenc.edx_ivlen & (xenc.edx_ivlen-1))))) { - if (encdebug) - log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n", - xenc.edx_ivlen); + DPRINTF(("esp_old_init(): unsupported IV length %d\n", + xenc.edx_ivlen)); return EINVAL; } /* Check the key length */ if (xenc.edx_keylen < txform->minkey || xenc.edx_keylen > txform->maxkey) { - if (encdebug) - log(LOG_WARNING, "esp_old_init(): bad key length %d\n", - xenc.edx_keylen); + DPRINTF(("esp_old_init(): bad key length %d\n", xenc.edx_keylen)); return EINVAL; } @@ -321,7 +315,7 @@ esp_old_input(struct mbuf *m, struct tdb *tdb) if ((m = m_pullup(m, ohlen + blks)) == NULL) { DPRINTF(("esp_old_input(): m_pullup() failed\n")); - espstat.esps_hdrops++; + espstat.esps_hdrops++; return NULL; } @@ -404,15 +398,20 @@ esp_old_input(struct mbuf *m, struct tdb *tdb) do { mi = (mo = mi)->m_next; if (mi == NULL) - panic("esp_old_input(): bad chain (i)"); + { + DPRINTF(("esp_old_input(): bad mbuf chain, SA %x/%08x\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi))); + m_freem(m); + espstat.esps_hdrops++; + return NULL; + } } while (mi->m_len == 0); if (mi->m_len < blks - rest) { if ((mi = m_pullup(mi, blks - rest)) == NULL) { - DPRINTF(("esp_old_input(): m_pullup() failed, SA %x/%08x\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi))); + DPRINTF(("esp_old_input(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); espstat.esps_hdrops++; return NULL; } @@ -506,6 +505,7 @@ esp_old_input(struct mbuf *m, struct tdb *tdb) if (m == NULL) { DPRINTF(("esp_old_input(): m_pullup() failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; return NULL; } } @@ -593,6 +593,7 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, { DPRINTF(("esp_old_output(): m_pullup() failed for SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; return ENOBUFS; } @@ -610,6 +611,7 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, { DPRINTF(("esp_old_output(): m_pullup() failed for SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; return ENOBUFS; } @@ -630,10 +632,8 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, rlen = ilen - iphlen; padding = ((blks - ((rlen + 2) % blks)) % blks) + 2; if (iphlen + ohlen + rlen + padding > IP_MAXPACKET) { - if (encdebug) - log(LOG_ALERT, - "esp_old_output(): packet in SA %x/%0x8 got too big\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi)); + DPRINTF(("esp_old_output(): packet in SA %x/%0x8 got too big\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi))); m_freem(m); espstat.esps_toobig++; return EMSGSIZE; @@ -700,15 +700,21 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, do { mi = (mo = mi)->m_next; if (mi == NULL) - panic("esp_old_output(): bad chain (i)"); + { + DPRINTF(("esp_old_output(): bad mbuf chain, SA %x/%08x\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi))); + m_freem(m); + return EINVAL; + } } while (mi->m_len == 0); if (mi->m_len < blks - rest) { if ((mi = m_pullup(mi, blks - rest)) == NULL) { - DPRINTF(("esp_old_output(): m_pullup() failed, SA %x/%08x\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi))); + DPRINTF(("esp_old_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + m_freem(m); + espstat.esps_hdrops++; return ENOBUFS; } /* @@ -775,6 +781,7 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, { DPRINTF(("esp_old_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi))); + espstat.esps_hdrops++; return ENOBUFS; } diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index c05014cc9b1..76f1397020d 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.30 1998/11/16 08:02:59 niklas Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.31 1999/01/11 22:52:10 deraadt Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -71,6 +71,12 @@ #include <dev/rndvar.h> #include <sys/syslog.h> +#ifdef ENCDEBUG +#define DPRINTF(x) if (encdebug) printf x +#else +#define DPRINTF(x) +#endif + int tdb_init __P((struct tdb *, struct mbuf *)); int ipsp_kern __P((int, char **, int)); u_int8_t get_sa_require __P((struct inpcb *)); @@ -216,11 +222,7 @@ check_ipsec_policy(struct inpcb *inp, u_int32_t daddr) /* If necessary try to notify keymanagement three times */ while (i < 3) { -#ifdef ENCDEBUG - if (encdebug) - printf("ipsec: send SA request (%d), remote ip: %0x, SA type: %d\n", - i+1, dst->sen_ip_dst, sa_require); -#endif /* ENCDEBUG */ + DPRINTF(("ipsec: send SA request (%d), remote ip: %0x, SA type: %d\n", i+1, dst->sen_ip_dst, sa_require)); /* Send notify */ bzero((caddr_t) &tmptdb, sizeof(tmptdb)); @@ -242,10 +244,7 @@ check_ipsec_policy(struct inpcb *inp, u_int32_t daddr) */ error = tsleep((caddr_t)inp, PSOCK|PCATCH, "ipsecnotify", 30*hz); -#ifdef ENCDEBUG - if (encdebug) - printf("check_ipsec: sleep %d\n", error); -#endif /* ENCDEBUG */ + DPRINTF(("check_ipsec: sleep %d\n", error)); if (error && error != EWOULDBLOCK) break; @@ -481,10 +480,7 @@ put_expiration(struct expiration *exp) if (exp == (struct expiration *) NULL) { -#ifdef ENCDEBUG - if (encdebug) - log(LOG_WARNING, "put_expiration(): NULL argument\n"); -#endif /* ENCDEBUG */ + DPRINTF(("put_expiration(): NULL argument\n")); return; } @@ -690,9 +686,8 @@ tdb_init(struct tdb *tdbp, struct mbuf *m) if (xsp->xf_type == alg) return (*(xsp->xf_init))(tdbp, xsp, m); - if (encdebug) - log(LOG_ERR, "tdb_init(): no alg %d for spi %08x, addr %x, proto %d\n", - alg, ntohl(tdbp->tdb_spi), tdbp->tdb_dst.s_addr, tdbp->tdb_sproto); + DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %x, proto %d\n", + alg, ntohl(tdbp->tdb_spi), tdbp->tdb_dst.s_addr, tdbp->tdb_sproto)); return EINVAL; } |