Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_ah.c32
-rw-r--r--sys/netinet/ip_ah_new.c42
-rw-r--r--sys/netinet/ip_ah_old.c26
-rw-r--r--sys/netinet/ip_esp.c30
-rw-r--r--sys/netinet/ip_esp_new.c80
-rw-r--r--sys/netinet/ip_esp_old.c56
-rw-r--r--sys/netinet/ip_ip4.c8
-rw-r--r--sys/netinet/ip_ipsp.c11
-rw-r--r--sys/netinet/ip_output.c10
9 files changed, 171 insertions, 124 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 1684b65e86a..8cf20865e54 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.11 1997/09/28 22:57:43 deraadt Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.12 1997/10/02 02:31:02 deraadt Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -110,7 +110,8 @@ ah_input(register struct mbuf *m, int iphlen)
tdbp = gettdb(ahp->ah_spi, ipo->ip_dst, IPPROTO_AH);
if (tdbp == NULL)
{
- log(LOG_ERR, "ah_input(): could not find SA for AH packet from %x to %x, spi %08x\n", ipo->ip_src, ipo->ip_dst, ntohl(ahp->ah_spi));
+ if (encdebug)
+ log(LOG_ERR, "ah_input(): could not find SA for AH packet from %x to %x, spi %08x\n", ipo->ip_src, ipo->ip_dst, ntohl(ahp->ah_spi));
m_freem(m);
ahstat.ahs_notdb++;
return;
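Review bot: Gating the SA-lookup failure log on `encdebug` leaves a production kernel with no record of AH traffic arriving for an unknown SPI, because the `log(LOG_ERR, ...)` is now reached only with debugging enabled and `ahstat.ahs_notdb++` becomes the sole remaining signal. The same applies to the invalid-SA, uninitialized-SA, expiration-timer, authentication-failed (@@ -189,7 +192,8 @@) and tunnel-mismatch hunks below, and to the matching hunks in ip_ah_new.c, ip_ah_old.c, ip_esp.c, ip_esp_new.c, ip_esp_old.c, ip_ipsp.c and ip_output.c. If the goal is to keep an unauthenticated peer from filling the log, a rate-limited log (for example one message per SA, or only when the corresponding counter crosses a threshold) keeps the event visible to an operator while bounding the volume. At minimum the counter-only behaviour deserves a comment at each site, such as `/* Silent unless encdebug; ahstat.ahs_notdb is the only record of this event. */`. ah_input() starts and continues outside this hunk.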
@@ -118,9 +119,8 @@ ah_input(register struct mbuf *m, int iphlen)
if (tdbp->tdb_flags & TDBF_INVALID)
{
- log(LOG_ALERT,
- "ah_input(): attempted to use invalid AH SA %08x, packet %x->%x\n",
- ntohl(ahp->ah_spi), ipo->ip_src, ipo->ip_dst);
+ if (encdebug)
+ log(LOG_ALERT, "ah_input(): attempted to use invalid AH SA %08x, packet %x->%x\n", ntohl(ahp->ah_spi), ipo->ip_src, ipo->ip_dst);
m_freem(m);
ahstat.ahs_invalid++;
return;
@@ -128,7 +128,8 @@ ah_input(register struct mbuf *m, int iphlen)
if (tdbp->tdb_xform == NULL)
{
- log(LOG_ALERT, "ah_input(): attempted to use uninitialized AH SA %08x, packet from %x to %x\n", ntohl(ahp->ah_spi), ipo->ip_src, ipo->ip_dst);
+ if (encdebug)
+ log(LOG_ALERT, "ah_input(): attempted to use uninitialized AH SA %08x, packet from %x to %x\n", ntohl(ahp->ah_spi), ipo->ip_src, ipo->ip_dst);
m_freem(m);
ahstat.ahs_noxform++;
return;
@@ -146,8 +147,9 @@ ah_input(register struct mbuf *m, int iphlen)
exp = get_expiration();
if (exp == (struct expiration *) NULL)
{
- log(LOG_WARNING,
- "ah_input(): out of memory for expiration timer\n");
+ if (encdebug)
+ log(LOG_WARNING,
+ "ah_input(): out of memory for expiration timer\n");
ahstat.ahs_hdrops++;
m_freem(m);
return;
@@ -167,8 +169,9 @@ ah_input(register struct mbuf *m, int iphlen)
exp = get_expiration();
if (exp == (struct expiration *) NULL)
{
- log(LOG_WARNING,
- "ah_input(): out of memory for expiration timer\n");
+ if (encdebug)
+ log(LOG_WARNING,
+ "ah_input(): out of memory for expiration timer\n");
ahstat.ahs_hdrops++;
m_freem(m);
return;
@@ -189,7 +192,8 @@ ah_input(register struct mbuf *m, int iphlen)
m = (*(tdbp->tdb_xform->xf_input))(m, tdbp);
if (m == NULL)
{
- log(LOG_ALERT, "ah_input(): authentication failed for AH packet from %x to %x, spi %08x\n", ipn.ip_src, ipn.ip_dst, ntohl(ahn.ah_spi));
+ if (encdebug)
+ log(LOG_ALERT, "ah_input(): authentication failed for AH packet from %x to %x, spi %08x\n", ipn.ip_src, ipn.ip_dst, ntohl(ahn.ah_spi));
ahstat.ahs_badkcr++;
return;
}
@@ -204,7 +208,8 @@ ah_input(register struct mbuf *m, int iphlen)
if ((ipn.ip_src.s_addr != ipo->ip_src.s_addr) ||
(ipn.ip_dst.s_addr != ipo->ip_dst.s_addr))
{
- log(LOG_ALERT, "ah_input(): AH-tunnel with different internal addresses %x/%x, SA %08x/%x\n", ipo->ip_src, ipo->ip_dst, tdbp->tdb_spi, tdbp->tdb_dst);
+ if (encdebug)
+ log(LOG_ALERT, "ah_input(): AH-tunnel with different internal addresses %x/%x, SA %08x/%x\n", ipo->ip_src, ipo->ip_dst, tdbp->tdb_spi, tdbp->tdb_dst);
m_freem(m);
ahstat.ahs_hdrops++;
return;
@@ -212,7 +217,8 @@ ah_input(register struct mbuf *m, int iphlen)
}
else /* So we're paranoid */
{
- log(LOG_ALERT, "ah_input(): AH-tunnel used when expecting AH-transport, SA %08x/%x\n", tdbp->tdb_spi, tdbp->tdb_dst);
+ if (encdebug)
+ log(LOG_ALERT, "ah_input(): AH-tunnel used when expecting AH-transport, SA %08x/%x\n", tdbp->tdb_spi, tdbp->tdb_dst);
m_freem(m);
ahstat.ahs_hdrops++;
return;
diff --git a/sys/netinet/ip_ah_new.c b/sys/netinet/ip_ah_new.c
index fd9c16cc9cd..55cc83a9713 100644
--- a/sys/netinet/ip_ah_new.c
+++ b/sys/netinet/ip_ah_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah_new.c,v 1.9 1997/09/28 22:57:44 deraadt Exp $ */
+/* $OpenBSD: ip_ah_new.c,v 1.10 1997/10/02 02:31:03 deraadt Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -107,7 +107,8 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
em = mtod(m, struct encap_msghdr *);
if (em->em_msglen - EMT_SETSPI_FLEN <= AH_NEW_XENCAP_LEN)
{
- log(LOG_WARNING, "ah_new_init() initialization failed\n");
+ if (encdebug)
+ log(LOG_WARNING, "ah_new_init() initialization failed\n");
return EINVAL;
}
@@ -128,14 +129,16 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
default:
- log(LOG_WARNING, "ah_new_init(): unsupported authentication algorithm %d specified\n", txd.amx_hash_algorithm);
+ if (encdebug)
+ log(LOG_WARNING, "ah_new_init(): unsupported authentication algorithm %d specified\n", txd.amx_hash_algorithm);
return EINVAL;
}
if (txd.amx_keylen + EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN != em->em_msglen)
{
- log(LOG_WARNING, "ah_new_init(): message length (%d) doesn't match\n",
- em->em_msglen);
+ if (encdebug)
+ log(LOG_WARNING, "ah_new_init(): message length (%d) doesn't match\n",
+ em->em_msglen);
return EINVAL;
}
@@ -285,9 +288,10 @@ ah_new_input(struct mbuf *m, struct tdb *tdb)
break;
default:
- log(LOG_ALERT,
- "ah_new_input(): unsupported algorithm %d in SA %x/%08x\n",
- xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "ah_new_input(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -361,13 +365,15 @@ ah_new_input(struct mbuf *m, struct tdb *tdb)
switch(errc)
{
case 1:
- log(LOG_ERR, "ah_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
+ if (encdebug)
+ log(LOG_ERR, "ah_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
ahstat.ahs_wrap++;
break;
case 2:
case 3:
- log(LOG_WARNING, "ah_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
+ if (encdebug)
+ log(LOG_WARNING, "ah_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
ahstat.ahs_replay++;
break;
}
@@ -552,8 +558,8 @@ ah_new_input(struct mbuf *m, struct tdb *tdb)
if (bcmp(aho->ah_data, ah->ah_data, AH_HMAC_HASHLEN))
{
- log(LOG_ALERT,
- "ah_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
+ if (encdebug)
+ log(LOG_ALERT, "ah_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
#ifdef ENCDEBUG
if (encdebug)
{
@@ -698,9 +704,10 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
break;
default:
- log(LOG_ALERT,
- "ah_new_output(): unsupported algorithm %d in SA %x/%08x\n",
- xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "ah_new_output(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -730,8 +737,9 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
if (xd->amx_rpl == 0)
{
- log(LOG_ALERT, "ah_new_output(): SA %x/%0x8 should have expired\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT, "ah_new_output(): SA %x/%0x8 should have expired\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
ahstat.ahs_wrap++;
return NULL;
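Review bot: The rewrapped format string on the new side still reads `SA %x/%0x8`, which prints the SPI with a bare `%0x` followed by a literal `8` instead of the zero-padded `%08x` used by every other message in this file, so the SPI in this message is misformatted. Change the line to `log(LOG_ALERT, "ah_new_output(): SA %x/%08x should have expired\n",`. The same typo is carried over in the corresponding ip_esp_new.c hunk (@@ -890,8 +905,9 @@). ah_new_output() continues outside this hunk.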
diff --git a/sys/netinet/ip_ah_old.c b/sys/netinet/ip_ah_old.c
index c847bcb582b..dcea2202f3f 100644
--- a/sys/netinet/ip_ah_old.c
+++ b/sys/netinet/ip_ah_old.c
@@ -102,7 +102,8 @@ ah_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
em = mtod(m, struct encap_msghdr *);
if (em->em_msglen - EMT_SETSPI_FLEN <= AH_OLD_XENCAP_LEN)
{
- log(LOG_WARNING, "ah_old_init(): initialization failed\n");
+ if (encdebug)
+ log(LOG_WARNING, "ah_old_init(): initialization failed\n");
return EINVAL;
}
@@ -122,14 +123,16 @@ ah_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
default:
- log(LOG_WARNING, "ah_old_init(): unsupported authentication algorithm %d specified\n", xenc.amx_hash_algorithm);
+ if (encdebug)
+ log(LOG_WARNING, "ah_old_init(): unsupported authentication algorithm %d specified\n", xenc.amx_hash_algorithm);
m_freem(m);
return EINVAL;
}
if (xenc.amx_keylen + EMT_SETSPI_FLEN + AH_OLD_XENCAP_LEN != em->em_msglen)
{
- log(LOG_WARNING, "ah_old_init(): message length (%d) doesn't match\n",
+ if (encdebug)
+ log(LOG_WARNING, "ah_old_init(): message length (%d) doesn't match\n",
em->em_msglen);
return EINVAL;
}
@@ -228,9 +231,10 @@ ah_old_input(struct mbuf *m, struct tdb *tdb)
break;
default:
- log(LOG_ALERT,
- "ah_old_input(): unsupported algorithm %d in SA %x/%08x\n",
- xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "ah_old_input(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -449,7 +453,8 @@ ah_old_input(struct mbuf *m, struct tdb *tdb)
if (bcmp(aho->ah_data, ah->ah_data, alen))
{
- log(LOG_ALERT, "ah_old_input(): authentication failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT, "ah_old_input(): authentication failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi));
ahstat.ahs_badauth++;
m_freem(m);
return NULL;
@@ -575,9 +580,10 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
break;
default:
- log(LOG_ALERT,
- "ah_old_output(): unsupported algorithm %d in SA %x/%08x\n",
- xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "ah_old_output(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 85902ac9a42..b349c04636d 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.11 1997/09/28 22:57:46 deraadt Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.12 1997/10/02 02:31:04 deraadt Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -109,7 +109,8 @@ esp_input(register struct mbuf *m, int iphlen)
tdbp = gettdb(spi, ipo->ip_dst, IPPROTO_ESP);
if (tdbp == NULL)
{
- log(LOG_ERR, "esp_input(): could not find SA for ESP packet from %x to %x, spi %08x\n", ipo->ip_src, ipo->ip_dst, ntohl(spi));
+ if (encdebug)
+ log(LOG_ERR, "esp_input(): could not find SA for ESP packet from %x to %x, spi %08x\n", ipo->ip_src, ipo->ip_dst, ntohl(spi));
m_freem(m);
espstat.esps_notdb++;
return;
@@ -117,7 +118,8 @@ esp_input(register struct mbuf *m, int iphlen)
if (tdbp->tdb_flags & TDBF_INVALID)
{
- log(LOG_ALERT, "esp_input(): attempted to use invalid ESP SA %08x, packet %x->%x\n", ntohl(spi), ipo->ip_src, ipo->ip_dst);
+ if (encdebug)
+ log(LOG_ALERT, "esp_input(): attempted to use invalid ESP SA %08x, packet %x->%x\n", ntohl(spi), ipo->ip_src, ipo->ip_dst);
m_freem(m);
espstat.esps_invalid++;
return;
@@ -125,7 +127,8 @@ esp_input(register struct mbuf *m, int iphlen)
if (tdbp->tdb_xform == NULL)
{
- log(LOG_ALERT, "esp_input(): attempted to use uninitialized ESP SA %08x, packet from %x to %x\n", ntohl(spi), ipo->ip_src, ipo->ip_dst);
+ if (encdebug)
+ log(LOG_ALERT, "esp_input(): attempted to use uninitialized ESP SA %08x, packet from %x to %x\n", ntohl(spi), ipo->ip_src, ipo->ip_dst);
m_freem(m);
espstat.esps_noxform++;
return;
@@ -143,8 +146,9 @@ esp_input(register struct mbuf *m, int iphlen)
exp = get_expiration();
if (exp == (struct expiration *) NULL)
{
- log(LOG_WARNING,
- "esp_input(): out of memory for expiration timer\n");
+ if (encdebug)
+ log(LOG_WARNING,
+ "esp_input(): out of memory for expiration timer\n");
espstat.esps_hdrops++;
m_freem(m);
return;
@@ -164,8 +168,9 @@ esp_input(register struct mbuf *m, int iphlen)
exp = get_expiration();
if (exp == (struct expiration *) NULL)
{
- log(LOG_WARNING,
- "esp_input(): out of memory for expiration timer\n");
+ if (encdebug)
+ log(LOG_WARNING,
+ "esp_input(): out of memory for expiration timer\n");
espstat.esps_hdrops++;
m_freem(m);
return;
@@ -186,7 +191,8 @@ esp_input(register struct mbuf *m, int iphlen)
if (m == NULL)
{
- log(LOG_ALERT, "esp_input(): processing failed for ESP packet from %x to %x, spi %08x\n", ipn.ip_src, ipn.ip_dst, ntohl(spi));
+ if (encdebug)
+ log(LOG_ALERT, "esp_input(): processing failed for ESP packet from %x to %x, spi %08x\n", ipn.ip_src, ipn.ip_dst, ntohl(spi));
espstat.esps_badkcr++;
return;
}
@@ -201,7 +207,8 @@ esp_input(register struct mbuf *m, int iphlen)
if ((ipn.ip_src.s_addr != ipo->ip_src.s_addr) ||
(ipn.ip_dst.s_addr != ipo->ip_dst.s_addr))
{
- log(LOG_ALERT, "esp_input(): ESP-tunnel with different internal addresses %x/%x, SA %08x/%x\n", ipo->ip_src, ipo->ip_dst, tdbp->tdb_spi, tdbp->tdb_dst);
+ if (encdebug)
+ log(LOG_ALERT, "esp_input(): ESP-tunnel with different internal addresses %x/%x, SA %08x/%x\n", ipo->ip_src, ipo->ip_dst, tdbp->tdb_spi, tdbp->tdb_dst);
m_freem(m);
espstat.esps_hdrops++;
return;
@@ -209,7 +216,8 @@ esp_input(register struct mbuf *m, int iphlen)
}
else /* So we're paranoid */
{
- log(LOG_ALERT, "esp_input(): ESP-tunnel used when expecting ESP-transport, SA %08x/%x\n", tdbp->tdb_spi, tdbp->tdb_dst);
+ if (encdebug)
+ log(LOG_ALERT, "esp_input(): ESP-tunnel used when expecting ESP-transport, SA %08x/%x\n", tdbp->tdb_spi, tdbp->tdb_dst);
m_freem(m);
espstat.esps_hdrops++;
return;
diff --git a/sys/netinet/ip_esp_new.c b/sys/netinet/ip_esp_new.c
index 4d5db810178..53fe1a8b454 100644
--- a/sys/netinet/ip_esp_new.c
+++ b/sys/netinet/ip_esp_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp_new.c,v 1.8 1997/09/30 03:18:04 deraadt Exp $ */
+/* $OpenBSD: ip_esp_new.c,v 1.9 1997/10/02 02:31:04 deraadt Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -112,7 +112,8 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
em = mtod(m, struct encap_msghdr *);
if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_NEW_XENCAP_LEN)
{
- log(LOG_WARNING, "esp_new_init(): initialization failed\n");
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_init(): initialization failed\n");
return EINVAL;
}
@@ -132,7 +133,8 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
default:
- log(LOG_WARNING, "esp_new_init(): unsupported encryption algorithm %d specified\n", txd.edx_enc_algorithm);
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_init(): unsupported encryption algorithm %d specified\n", txd.edx_enc_algorithm);
return EINVAL;
}
@@ -150,15 +152,16 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
default:
- log(LOG_WARNING, "esp_new_init(): unsupported authentication algorithm %d specified\n", txd.edx_enc_algorithm);
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_init(): unsupported authentication algorithm %d specified\n", txd.edx_enc_algorithm);
return EINVAL;
}
if (txd.edx_ivlen + txd.edx_keylen + EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN
!= em->em_msglen)
{
- log(LOG_WARNING, "esp_new_init(): message length (%d) doesn't match\n",
- em->em_msglen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_init(): message length (%d) doesn't match\n", em->em_msglen);
return EINVAL;
}
@@ -167,15 +170,17 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
case ALG_ENC_DES:
if ((txd.edx_ivlen != 0) && (txd.edx_ivlen != 8))
{
- log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n",
- txd.edx_ivlen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n",
+ txd.edx_ivlen);
return EINVAL;
}
if (txd.edx_keylen < 8)
{
- log(LOG_WARNING, "esp_new_init(): bad key length\n",
- txd.edx_keylen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_init(): bad key length\n",
+ txd.edx_keylen);
return EINVAL;
}
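Review bot: The rewrapped `bad key length` message on the new side passes `txd.edx_keylen` but the format string contains no conversion for it, so the offending length is never printed and the extra argument is silently discarded. Change the string to `"esp_new_init(): bad key length %d\n"` so the argument is actually used. The same mismatch is carried over in the 3DES case of the next hunk (@@ -185,15 +190,17 @@) and in both key-length hunks of ip_esp_old.c. esp_new_init() continues outside this hunk.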
@@ -185,15 +190,17 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
case ALG_ENC_3DES:
if ((txd.edx_ivlen != 0) && (txd.edx_ivlen != 8))
{
- log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n",
- txd.edx_ivlen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n",
+ txd.edx_ivlen);
return EINVAL;
}
if (txd.edx_keylen < 24)
{
- log(LOG_WARNING, "esp_new_init(): bad key length\n",
- txd.edx_keylen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_init(): bad key length\n",
+ txd.edx_keylen);
return EINVAL;
}
@@ -390,9 +397,10 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
break;
default:
- log(LOG_ALERT,
- "esp_new_input(): unsupported algorithm %d in SA %x/%08x\n",
- xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "esp_new_input(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -407,8 +415,8 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
break;
default:
- log(LOG_ALERT, "esp_new_input(): unsupported algorithm %d in SA %x/%08x\n", xd->edx_hash_algorithm, tdb->tdb_dst,
- ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT, "esp_new_input(): unsupported algorithm %d in SA %x/%08x\n", xd->edx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -472,13 +480,15 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
switch(errc)
{
case 1:
- log(LOG_ERR, "esp_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
+ if (encdebug)
+ log(LOG_ERR, "esp_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
espstat.esps_wrap++;
break;
case 2:
case 3:
- log(LOG_WARNING, "esp_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
+ if (encdebug)
+ log(LOG_WARNING, "esp_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
espstat.esps_replay++;
break;
}
@@ -590,8 +600,8 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
if (bcmp(buf2, buf, AH_HMAC_HASHLEN))
{
- log(LOG_ALERT,
- "esp_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
+ if (encdebug)
+ log(LOG_ALERT, "esp_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
espstat.esps_badauth++;
m_freem(m);
return NULL;
@@ -711,7 +721,8 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
{
if ((blk[6] != blk[5]) && (blk[6] != 0))
{
- log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -722,14 +733,16 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
{
if (blk[6] == 0)
{
- log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
else
if (blk[6] != blk[5] + 1)
{
- log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -845,9 +858,10 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
break;
default:
- log(LOG_ALERT,
- "esp_new_output(): unsupported algorithm %d in SA %x/%08x\n",
- xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "esp_new_output(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -867,7 +881,8 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
break;
default:
- log(LOG_ALERT, "esp_new_output(): unsupported algorithm %d in SA %x/%08x\n", xd->edx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT, "esp_new_output(): unsupported algorithm %d in SA %x/%08x\n", xd->edx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -890,8 +905,9 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
if (xd->edx_rpl == 0)
{
- log(LOG_ALERT, "esp_new_output(): SA %x/%0x8 should have expired\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT, "esp_new_output(): SA %x/%0x8 should have expired\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
espstat.esps_wrap++;
return NULL;
diff --git a/sys/netinet/ip_esp_old.c b/sys/netinet/ip_esp_old.c
index 64fcf013c8b..633d9b880c0 100644
--- a/sys/netinet/ip_esp_old.c
+++ b/sys/netinet/ip_esp_old.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp_old.c,v 1.8 1997/10/01 01:17:30 deraadt Exp $ */
+/* $OpenBSD: ip_esp_old.c,v 1.9 1997/10/02 02:31:05 deraadt Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -106,7 +106,8 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
em = mtod(m, struct encap_msghdr *);
if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_OLD_XENCAP_LEN)
{
- log(LOG_WARNING, "esp_old_init(): initialization failed\n");
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): initialization failed\n");
return EINVAL;
}
@@ -126,15 +127,16 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
default:
- log(LOG_WARNING, "esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm);
return EINVAL;
}
if (xenc.edx_ivlen + xenc.edx_keylen + EMT_SETSPI_FLEN +
ESP_OLD_XENCAP_LEN != em->em_msglen)
{
- log(LOG_WARNING, "esp_old_init(): message length (%d) doesn't match\n",
- em->em_msglen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): message length (%d) doesn't match\n", em->em_msglen);
return EINVAL;
}
@@ -143,15 +145,17 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
case ALG_ENC_DES:
if ((xenc.edx_ivlen != 4) && (xenc.edx_ivlen != 8))
{
- log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
- xenc.edx_ivlen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
+ xenc.edx_ivlen);
return EINVAL;
}
if (xenc.edx_keylen != 8)
{
- log(LOG_WARNING, "esp_old_init(): bad key length\n",
- xenc.edx_keylen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): bad key length\n",
+ xenc.edx_keylen);
return EINVAL;
}
@@ -160,15 +164,17 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
case ALG_ENC_3DES:
if ((xenc.edx_ivlen != 4) && (xenc.edx_ivlen != 8))
{
- log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
- xenc.edx_ivlen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
+ xenc.edx_ivlen);
return EINVAL;
}
if (xenc.edx_keylen != 24)
{
- log(LOG_WARNING, "esp_old_init(): bad key length\n",
- xenc.edx_keylen);
+ if (encdebug)
+ log(LOG_WARNING, "esp_old_init(): bad key length\n",
+ xenc.edx_keylen);
return EINVAL;
}
@@ -263,9 +269,10 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
break;
default:
- log(LOG_ALERT,
- "esp_old_input(): unsupported algorithm %d in SA %x/%08x\n",
- xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "esp_old_input(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
@@ -444,16 +451,10 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
* blk[7] contains the next protocol, and blk[6] contains the
* amount of padding the original chain had. Chop off the
* appropriate parts of the chain, and return.
- * Verify correct decryption by checking the last padding bytes.
+ * We cannot verify the decryption here (as in ip_esp_new.c), since
+ * the padding may be random.
*/
- if ((blk[6] != blk[5]) && (blk[6] != 0))
- {
- log(LOG_ALERT, "esp_old_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
- m_freem(m);
- return NULL;
- }
-
m_adj(m, -blk[6] - 2);
m_adj(m, 4 + xd->edx_ivlen);
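Review bot: With the padding-consistency check removed, `blk[6]` now flows straight into `m_adj(m, -blk[6] - 2)` with no plausibility check at all, and in this old-style ESP path there is no authenticator to vouch for the decrypted bytes, so a corrupted pad-length byte larger than the remaining payload is trimmed without any error or counter. If the length is not already bounded earlier in esp_old_input() (not visible here), a check against the packet length available at this point, such as `if (blk[6] + 2 + 4 + xd->edx_ivlen > m->m_pkthdr.len) { m_freem(m); return NULL; }` before the two `m_adj()` calls, would reject that case; at minimum the new comment should say that the trim length is unauthenticated. esp_old_input() continues outside this hunk.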
@@ -549,9 +550,10 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
break;
default:
- log(LOG_ALERT,
- "esp_old_output(): unsupported algorithm %d in SA %x/%08x\n",
- xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ if (encdebug)
+ log(LOG_ALERT,
+ "esp_old_output(): unsupported algorithm %d in SA %x/%08x\n",
+ xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi));
m_freem(m);
return NULL;
}
diff --git a/sys/netinet/ip_ip4.c b/sys/netinet/ip_ip4.c
index e0254e17172..69770687979 100644
--- a/sys/netinet/ip_ip4.c
+++ b/sys/netinet/ip_ip4.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ip4.c,v 1.13 1997/09/28 23:09:57 deraadt Exp $ */
+/* $OpenBSD: ip_ip4.c,v 1.14 1997/10/02 02:31:05 deraadt Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -131,9 +131,8 @@ ip4_input(register struct mbuf *m, int iphlen)
if (ipi->ip_v != IPVERSION)
{
- log(LOG_WARNING,
- "ip4_input(): wrong version %d on IP packet from %x to %x (%x->%x)\n",
- ipi->ip_v, ipo->ip_src, ipo->ip_dst, ipi->ip_src, ipi->ip_dst);
+ if (encdebug)
+ log(LOG_WARNING, "ip4_input(): wrong version %d on IP packet from %x to %x (%x->%x)\n", ipi->ip_v, ipo->ip_src, ipo->ip_dst, ipi->ip_src, ipi->ip_dst);
ip4stat.ip4s_notip4++;
return;
}
@@ -281,6 +280,7 @@ ipe4_zeroize(struct tdb *tdbp)
void
ipe4_input(struct mbuf *m, ...)
{
+ /* This is a rather serious mistake, so no conditional printing */
log(LOG_ALERT, "ipe4_input(): should never be called\n");
if (m)
m_freem(m);
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index d5d4e0d0462..22fc2f0b51e 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.21 1997/10/01 02:34:06 deraadt Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.22 1997/10/02 02:31:06 deraadt Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -510,8 +510,9 @@ tdb_init(struct tdb *tdbp, struct mbuf *m)
if (xsp->xf_type == alg)
return (*(xsp->xf_init))(tdbp, xsp, m);
- log(LOG_ERR, "tdb_init(): no alg %d for spi %08x, addr %x, proto %d\n",
- alg, ntohl(tdbp->tdb_spi), tdbp->tdb_dst.s_addr, tdbp->tdb_sproto);
+ if (encdebug)
+ log(LOG_ERR, "tdb_init(): no alg %d for spi %08x, addr %x, proto %d\n",
+ alg, ntohl(tdbp->tdb_spi), tdbp->tdb_dst.s_addr, tdbp->tdb_sproto);
return EINVAL;
}
@@ -566,10 +567,10 @@ ipsp_kern(int off, char **bufp, int len)
inet_ntoa(tdb->tdb_odst), tdb->tdb_ttl);
if (tdb->tdb_onext)
- l += sprintf(buffer + l, "\tNext (on output) SA: SPI = %08x, Destination = %s, Sproto = %u\n", tdb->tdb_onext->tdb_spi, inet_ntoa(tdb->tdb_onext->tdb_dst), tdb->tdb_onext->tdb_sproto);
+ l += sprintf(buffer + l, "\tNext (on output) SA: SPI = %08x, Destination = %s, Sproto = %u\n", ntohl(tdb->tdb_onext->tdb_spi), inet_ntoa(tdb->tdb_onext->tdb_dst), tdb->tdb_onext->tdb_sproto);
if (tdb->tdb_inext)
- l += sprintf(buffer + l, "\tNext (on input) SA: SPI = %08x, Destination = %s, Sproto = %u\n", tdb->tdb_inext->tdb_spi, inet_ntoa(tdb->tdb_inext->tdb_dst), tdb->tdb_inext->tdb_sproto);
+ l += sprintf(buffer + l, "\tNext (on input) SA: SPI = %08x, Destination = %s, Sproto = %u\n", ntohl(tdb->tdb_inext->tdb_spi), inet_ntoa(tdb->tdb_inext->tdb_dst), tdb->tdb_inext->tdb_sproto);
/* XXX We can reuse variable i, we're not going to loop again */
for (i = 0, fl = tdb->tdb_flow; fl; fl = fl->flow_next)
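Review bot: The two rewritten `sprintf(buffer + l, ...)` lines still append to `buffer` with no bound, and because `l` accumulates across every SA and flow written by ipsp_kern(), a long listing can run past the end of `buffer`; the `ntohl()` fix itself is correct. If the buffer length is in scope, `l += snprintf(buffer + l, <buffer length> - l, ...)` bounds each write (the placeholder is whatever size the caller allocated, which is outside this hunk, so I cannot tell whether room is already guaranteed). ipsp_kern() continues outside this hunk.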
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index eef35d2cbb5..29c0913c45b 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.23 1997/09/28 22:57:50 deraadt Exp $ */
+/* $OpenBSD: ip_output.c,v 1.24 1997/10/02 02:31:07 deraadt Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -262,9 +262,8 @@ ip_output(m0, va_alist)
/* Check if the SPI is invalid */
if (tdb->tdb_flags & TDBF_INVALID) {
- log(LOG_ALERT,
- "ip_output(): attempt to use invalid SA %08x/%x/%x\n",
- ntohl(tdb->tdb_spi), tdb->tdb_dst,
+ if (encdebug)
+ log(LOG_ALERT, "ip_output(): attempt to use invalid SA %08x/%x/%x\n", ntohl(tdb->tdb_spi), tdb->tdb_dst,
tdb->tdb_sproto);
m_freem(m);
RTFREE(re->re_rt);
@@ -358,7 +357,8 @@ ip_output(m0, va_alist)
exp = get_expiration();
if (exp == NULL) {
expbail:
- log(LOG_WARNING, "ip_output(): no memory for exp timer\n");
+ if (encdebug)
+ log(LOG_WARNING, "ip_output(): no memory for exp timer\n");
m_freem(m);
RTFREE(re->re_rt);
return ENOBUFS;