Diffstat (limited to 'sys/netinet/ip_esp_old.c')
-rw-r--r-- | sys/netinet/ip_esp_old.c | 56 |
1 files changed, 29 insertions, 27 deletions
diff --git a/sys/netinet/ip_esp_old.c b/sys/netinet/ip_esp_old.c
index 64fcf013c8b..633d9b880c0 100644
--- a/sys/netinet/ip_esp_old.c
+++ b/sys/netinet/ip_esp_old.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp_old.c,v 1.8 1997/10/01 01:17:30 deraadt Exp $ */
+/* $OpenBSD: ip_esp_old.c,v 1.9 1997/10/02 02:31:05 deraadt Exp $ */
 /*
 * The author of this code is John Ioannidis, ji@tla.org,
@@ -106,7 +106,8 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
 em = mtod(m, struct encap_msghdr *);
 if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_OLD_XENCAP_LEN)
 {
- log(LOG_WARNING, "esp_old_init(): initialization failed\n");
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): initialization failed\n");
 return EINVAL;
 }
@@ -126,15 +127,16 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
 break;
 default:
- log(LOG_WARNING, "esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm);
 return EINVAL;
 }
 if (xenc.edx_ivlen + xenc.edx_keylen + EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN != em->em_msglen)
 {
- log(LOG_WARNING, "esp_old_init(): message length (%d) doesn't match\n",
- em->em_msglen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): message length (%d) doesn't match\n", em->em_msglen);
 return EINVAL;
 }
@@ -143,15 +145,17 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
 case ALG_ENC_DES:
 if ((xenc.edx_ivlen != 4) && (xenc.edx_ivlen != 8))
 {
- log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
- xenc.edx_ivlen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
+ xenc.edx_ivlen);
 return EINVAL;
 }
 if (xenc.edx_keylen != 8)
 {
- log(LOG_WARNING, "esp_old_init(): bad key length\n",
- xenc.edx_keylen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): bad key length\n",
+ xenc.edx_keylen);
 return EINVAL;
 }
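Review bot: The "bad key length" message in the ALG_ENC_DES case passes `xenc.edx_keylen` to `log()`, but its format string has no conversion for it, so the rejected length is never printed; the same call is carried over unchanged in the ALG_ENC_3DES hunk at -160,15. Mirroring the IV-length message just above it, the format would read `"esp_old_init(): bad key length %d\n"`. The `%d` assumes edx_keylen has the same integer type as edx_ivlen, whose declaration is not visible here. esp_old_init() starts and ends outside this hunk.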
@@ -160,15 +164,17 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
 case ALG_ENC_3DES:
 if ((xenc.edx_ivlen != 4) && (xenc.edx_ivlen != 8))
 {
- log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
- xenc.edx_ivlen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
+ xenc.edx_ivlen);
 return EINVAL;
 }
 if (xenc.edx_keylen != 24)
 {
- log(LOG_WARNING, "esp_old_init(): bad key length\n",
- xenc.edx_keylen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): bad key length\n",
+ xenc.edx_keylen);
 return EINVAL;
 }
@@ -263,9 +269,10 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
 break;
 default:
- log(LOG_ALERT,
- "esp_old_input(): unsupported algorithm %d in SA %x/%08x\n",
- xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "esp_old_input(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
 m_freem(m);
 return NULL;
 }
@@ -444,16 +451,10 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
 * blk[7] contains the next protocol, and blk[6] contains the
 * amount of padding the original chain had. Chop off the
 * appropriate parts of the chain, and return.
- * Verify correct decryption by checking the last padding bytes.
+ * We cannot verify the decryption here (as in ip_esp_new.c), since
+ * the padding may be random.
 */
- if ((blk[6] != blk[5]) && (blk[6] != 0))
- {
- log(LOG_ALERT, "esp_old_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
- m_freem(m);
- return NULL;
- }
-
 m_adj(m, -blk[6] - 2);
 m_adj(m, 4 + xd->edx_ivlen);
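Review bot: In the `default:` branch of esp_old_input() the packet is still freed and NULL returned, but the only record of that drop, a LOG_ALERT, is now emitted only when `encdebug` is set; the same applies to the `default:` branch in the esp_old_output() hunk at -549,9. An SA that carries an algorithm this transform cannot handle will then discard traffic without a trace on a system running with debugging off. If the file keeps drop statistics (none are visible in these hunks), counting the drop before `m_freem(m)` would keep it observable, and a comment such as `/* unsupported algorithm in SA: drop; reported only under encdebug */` would record that the silence is intended. Both functions extend beyond their hunks.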
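Review bot: With the padding check removed, `m_adj(m, -blk[6] - 2)` trims by a pad length that comes straight from the decrypted block and is compared against nothing in this hunk. The new comment itself says the decryption cannot be verified here, so `blk[6]` may hold any value up to 255 when the ciphertext was corrupted or produced under a different key, and the trim can exceed the payload that remains once `m_adj(m, 4 + xd->edx_ivlen)` strips the front. A length guard ahead of the two `m_adj()` calls would bound it, for example `if (blk[6] + 2 + 4 + xd->edx_ivlen > m->m_pkthdr.len) { m_freem(m); return NULL; }`, assuming `m` still carries the packet header and tightened by the IP header length, which is held outside this hunk. esp_old_input() begins and ends outside the hunk, so an earlier check may already exist there.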
@@ -549,9 +550,10 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
 break;
 default:
- log(LOG_ALERT,
- "esp_old_output(): unsupported algorithm %d in SA %x/%08x\n",
- xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "esp_old_output(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
 m_freem(m);
 return NULL;
 } |