Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_ah_new.c58
-rw-r--r--sys/netinet/ip_ah_old.c49
-rw-r--r--sys/netinet/ip_esp_new.c87
-rw-r--r--sys/netinet/ip_esp_old.c57
-rw-r--r--sys/netinet/ip_ipsp.c29
5 files changed, 151 insertions, 129 deletions
diff --git a/sys/netinet/ip_ah_new.c b/sys/netinet/ip_ah_new.c
index 022deed2c2b..a6061bfc4d7 100644
--- a/sys/netinet/ip_ah_new.c
+++ b/sys/netinet/ip_ah_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah_new.c,v 1.20 1998/11/25 09:56:50 niklas Exp $ */
+/* $OpenBSD: ip_ah_new.c,v 1.21 1999/01/11 22:52:09 deraadt Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -69,7 +69,6 @@
#include <netinet/ip_ipsp.h>
#include <netinet/ip_ah.h>
-#include <sys/syslog.h>
#ifdef ENCDEBUG
#define DPRINTF(x) if (encdebug) printf x
@@ -142,8 +141,7 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
em = mtod(m, struct encap_msghdr *);
if (em->em_msglen - EMT_SETSPI_FLEN <= AH_NEW_XENCAP_LEN)
{
- if (encdebug)
- log(LOG_WARNING, "ah_new_init() initialization failed\n");
+ DPRINTF(("ah_new_init() initialization failed\n"));
return EINVAL;
}
@@ -156,8 +154,7 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
if (i < 0)
{
- if (encdebug)
- log(LOG_WARNING, "ah_new_init(): unsupported authentication algorithm %d specified\n", txd.amx_hash_algorithm);
+ DPRINTF(("ah_new_init(): unsupported authentication algorithm %d specified\n", txd.amx_hash_algorithm));
return EINVAL;
}
DPRINTF(("ah_new_init(): initalized TDB with hash algorithm %d: %s\n",
@@ -167,9 +164,8 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
if (txd.amx_keylen + EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN != em->em_msglen)
{
- if (encdebug)
- log(LOG_WARNING, "ah_new_init(): message length (%d) doesn't match\n",
- em->em_msglen);
+ DPRINTF(("ah_new_init(): message length (%d) doesn't match\n",
+ em->em_msglen));
return EINVAL;
}
@@ -330,15 +326,13 @@ ah_new_input(struct mbuf *m, struct tdb *tdb)
switch(errc)
{
case 1:
- if (encdebug)
- log(LOG_ERR, "ah_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
+ DPRINTF(("ah_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)));
ahstat.ahs_wrap++;
break;
case 2:
case 3:
- if (encdebug)
- log(LOG_WARNING, "ah_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
+ DPRINTF(("ah_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)));
ahstat.ahs_replay++;
break;
}
@@ -413,7 +407,12 @@ ah_new_input(struct mbuf *m, struct tdb *tdb)
while (off > 0)
{
if (m0 == 0)
- panic("ah_new_input(): m_copydata (off)");
+ {
+ DPRINTF(("ah_new_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)));
+ ahstat.ahs_hdrops++;
+ m_freem(m);
+ return NULL;
+ }
if (off < m0->m_len)
break;
@@ -425,7 +424,12 @@ ah_new_input(struct mbuf *m, struct tdb *tdb)
while (len > 0)
{
if (m0 == 0)
- panic("ah_new_input(): m_copydata (copy)");
+ {
+ DPRINTF(("ah_new_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)));
+ ahstat.ahs_hdrops++;
+ m_freem(m);
+ return NULL;
+ }
count = min(m0->m_len - off, len);
@@ -444,8 +448,7 @@ ah_new_input(struct mbuf *m, struct tdb *tdb)
if (bcmp(aho->ah_data, ah->ah_data, AH_HMAC_HASHLEN))
{
- if (encdebug)
- log(LOG_ALERT, "ah_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi));
+ DPRINTF(("ah_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)));
#ifdef ENCDEBUG
if (encdebug)
{
@@ -554,6 +557,7 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
{
DPRINTF(("ah_new_output(): m_pullup() failed, SA %x/%08x\n",
tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ ahstat.ahs_hdrops++;
return ENOBUFS;
}
@@ -584,10 +588,8 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
ohlen = AH_NEW_FLENGTH;
if (ohlen + ilen > IP_MAXPACKET) {
- if (encdebug)
- log(LOG_ALERT,
- "ah_new_output(): packet in SA %x/%0x8 got too big\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("ah_new_output(): packet in SA %x/%0x8 got too big\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_toobig++;
return EMSGSIZE;
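Review bot: The format string kept on the new DPRINTF line, `"ah_new_output(): packet in SA %x/%0x8 got too big\n"`, has the width and the conversion swapped: `%0x8` prints the SPI as unpadded hex followed by a literal `8`, so the SA identifier in the message is wrong. Since the commit rewrites these lines anyway, use `%08x` as the other messages in this file already do. The same `%0x8` survives in the "should have expired" messages of ah_new_output and esp_new_output and in the "got too big" messages of ah_old_output, esp_new_output and esp_old_output.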
@@ -614,9 +616,8 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
if (xd->amx_rpl == 0)
{
- if (encdebug)
- log(LOG_ALERT, "ah_new_output(): SA %x/%0x8 should have expired\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("ah_new_output(): SA %x/%0x8 should have expired\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_wrap++;
return NULL;
@@ -680,7 +681,13 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
while (len > 0)
{
if (m0 == 0)
- panic("ah_new_output(): m_copydata");
+ {
+ DPRINTF(("ah_new_output(): bad mbuf chain for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)));
+ ahstat.ahs_hdrops++;
+ m_freem(m);
+ return EMSGSIZE;
+ }
+
count = min(m0->m_len - off, len);
xd->amx_hash->Update(&ctx, mtod(m0, unsigned char *) + off, count);
@@ -707,6 +714,7 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
if (m == NULL)
{
DPRINTF(("ah_new_output(): m_pullup() failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)));
+ ahstat.ahs_hdrops++;
return ENOBUFS;
}
diff --git a/sys/netinet/ip_ah_old.c b/sys/netinet/ip_ah_old.c
index f9f8448b5e6..23ea072b899 100644
--- a/sys/netinet/ip_ah_old.c
+++ b/sys/netinet/ip_ah_old.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah_old.c,v 1.17 1998/11/25 09:56:50 niklas Exp $ */
+/* $OpenBSD: ip_ah_old.c,v 1.18 1999/01/11 22:52:09 deraadt Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -68,7 +68,6 @@
#include <netinet/ip_ipsp.h>
#include <netinet/ip_ah.h>
-#include <sys/syslog.h>
#ifdef ENCDEBUG
#define DPRINTF(x) if (encdebug) printf x
@@ -132,8 +131,7 @@ ah_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
em = mtod(m, struct encap_msghdr *);
if (em->em_msglen - EMT_SETSPI_FLEN <= AH_OLD_XENCAP_LEN)
{
- if (encdebug)
- log(LOG_WARNING, "ah_old_init(): initialization failed\n");
+ DPRINTF(("ah_old_init(): initialization failed\n"));
return EINVAL;
}
@@ -146,21 +144,19 @@ ah_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
if (i < 0)
{
- if (encdebug)
- log(LOG_WARNING, "ah_old_init(): unsupported authentication algorithm %d specified\n",
- xenc.amx_hash_algorithm);
+ DPRINTF(("ah_old_init(): unsupported authentication algorithm %d specified\n", xenc.amx_hash_algorithm));
m_freem(m);
return EINVAL;
}
+
DPRINTF(("ah_old_init(): initalized TDB with hash algorithm %d: %s\n",
xenc.amx_hash_algorithm, ah_old_hash[i].name));
thash = &ah_old_hash[i];
if (xenc.amx_keylen + EMT_SETSPI_FLEN + AH_OLD_XENCAP_LEN != em->em_msglen)
{
- if (encdebug)
- log(LOG_WARNING, "ah_old_init(): message length (%d) doesn't match\n",
- em->em_msglen);
+ DPRINTF(("ah_old_init(): message length (%d) doesn't match\n",
+ em->em_msglen));
return EINVAL;
}
@@ -336,7 +332,12 @@ ah_old_input(struct mbuf *m, struct tdb *tdb)
while (off > 0)
{
if (m0 == 0)
- panic("ah_old_input(): m_copydata (off)");
+ {
+ DPRINTF(("ah_old_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)));
+ ahstat.ahs_hdrops++;
+ m_freem(m);
+ return NULL;
+ }
if (off < m0->m_len)
break;
@@ -348,8 +349,13 @@ ah_old_input(struct mbuf *m, struct tdb *tdb)
while (len > 0)
{
if (m0 == 0)
- panic("ah_old_input(): m_copydata (copy)");
-
+ {
+ DPRINTF(("ah_old_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)));
+ ahstat.ahs_hdrops++;
+ m_freem(m);
+ return NULL;
+ }
+
count = min(m0->m_len - off, len);
xd->amx_hash->Update(&ctx, mtod(m0, unsigned char *) + off, count);
@@ -364,8 +370,6 @@ ah_old_input(struct mbuf *m, struct tdb *tdb)
if (bcmp(aho->ah_data, ah->ah_data, alen))
{
- if (encdebug)
- log(LOG_ALERT, "ah_old_input(): authentication failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi));
ahstat.ahs_badauth++;
m_freem(m);
return NULL;
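Review bot: The authentication-failure branch in ah_old_input loses its diagnostic entirely: the `log(LOG_ALERT, …)` is removed with no DPRINTF replacement, whereas the matching branches in ah_new_input and esp_new_input keep one. Only `ahstat.ahs_badauth++` remains, so a kernel built with ENCDEBUG can no longer tell which peer and SPI failed to authenticate. Add `DPRINTF(("ah_old_input(): authentication failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)));` as the first line of the branch, as the commit does at the other sites.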
@@ -459,6 +463,7 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
{
DPRINTF(("ah_old_output(): m_pullup() failed, SA %x/%08x\n",
tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ ahstat.ahs_hdrops++;
return ENOBUFS;
}
@@ -489,10 +494,8 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
ohlen = AH_OLD_FLENGTH + alen;
if (ohlen + ilen > IP_MAXPACKET) {
- if (encdebug)
- log(LOG_ALERT,
- "ah_old_output(): packet in SA %x/%0x8 got too big\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("ah_old_output(): packet in SA %x/%0x8 got too big\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_toobig++;
return EMSGSIZE;
@@ -573,7 +576,12 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
while (len > 0)
{
if (m0 == 0)
- panic("ah_old_output(): m_copydata()");
+ {
+ DPRINTF(("ah_old_output(): M_PREPEND() failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)));
+ m_freem(m);
+ return NULL;
+ }
+
count = min(m0->m_len - off, len);
xd->amx_hash->Update(&ctx, mtod(m0, unsigned char *) + off, count);
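Review bot: The new bad-chain branch in ah_old_output reports `M_PREPEND() failed`, but the condition it handles is `m0 == 0` while walking the chain for the hash, and unlike the same branch in ah_new_output it neither counts the drop nor returns an errno value: `return NULL;` in a function whose other failure paths return ENOBUFS and EMSGSIZE yields 0, which by that convention reads as success for a packet that has just been freed. I would make the message `"ah_old_output(): bad mbuf chain for packet from %x to %x, spi %08x\n"`, add `ahstat.ahs_hdrops++;` before the `m_freem(m);`, and return an error code. The sites that replace this panic do not agree on that code either (EMSGSIZE in ah_new_output, EINVAL in esp_new_output and esp_old_output); settling on one would help the caller. The rest of ah_old_output lies outside the hunk.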
@@ -602,6 +610,7 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
if (m == NULL)
{
DPRINTF(("ah_old_output(): m_pullup() failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)));
+ ahstat.ahs_hdrops++;
return ENOBUFS;
}
diff --git a/sys/netinet/ip_esp_new.c b/sys/netinet/ip_esp_new.c
index 50c627c2c29..5b3011a99e7 100644
--- a/sys/netinet/ip_esp_new.c
+++ b/sys/netinet/ip_esp_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp_new.c,v 1.29 1999/01/11 05:12:30 millert Exp $ */
+/* $OpenBSD: ip_esp_new.c,v 1.30 1999/01/11 22:52:09 deraadt Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -69,7 +69,6 @@
#include <netinet/ip_ipsp.h>
#include <netinet/ip_esp.h>
#include <netinet/ip_ah.h>
-#include <sys/syslog.h>
#ifdef ENCDEBUG
#define DPRINTF(x) if (encdebug) printf x
@@ -246,8 +245,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
em = mtod(m, struct encap_msghdr *);
if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_NEW_XENCAP_LEN)
{
- if (encdebug)
- log(LOG_WARNING, "esp_new_init(): initialization failed\n");
+ DPRINTF(("esp_new_init(): initialization failed\n"));
return EINVAL;
}
@@ -260,8 +258,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
if (i < 0)
{
- if (encdebug)
- log(LOG_WARNING, "esp_new_init(): unsupported encryption algorithm %d specified\n", txd.edx_enc_algorithm);
+ DPRINTF(("esp_new_init(): unsupported encryption algorithm %d specified\n", txd.edx_enc_algorithm));
return EINVAL;
}
@@ -278,8 +275,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
if (i < 0)
{
- if (encdebug)
- log(LOG_WARNING, "esp_new_init(): unsupported authentication algorithm %d specified\n", txd.edx_hash_algorithm);
+ DPRINTF(("esp_new_init(): unsupported authentication algorithm %d specified\n", txd.edx_hash_algorithm));
return EINVAL;
}
@@ -293,7 +289,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN != em->em_msglen)
{
if (encdebug)
- log(LOG_WARNING, "esp_new_init(): message length (%d) doesn't match\n", em->em_msglen);
+ DPRINTF(("esp_new_init(): message length (%d) doesn't match\n", em->em_msglen));
return EINVAL;
}
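Review bot: The `if (encdebug)` on the context line above the new `DPRINTF(("esp_new_init(): message length (%d) doesn't match\n", em->em_msglen));` is left in place, so with ENCDEBUG the message is gated twice and without it the `if` governs an empty statement. Every other site converted in this commit drops that line; drop it here as well. The `return EINVAL;` that follows is unaffected either way, so this is a cleanup rather than a behaviour change.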
@@ -303,9 +299,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
!(txd.edx_ivlen & txform->ivmask) ||
(txd.edx_ivlen & (txd.edx_ivlen - 1)))))
{
- if (encdebug)
- log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n",
- txd.edx_ivlen);
+ DPRINTF(("esp_new_init(): unsupported IV length %d\n", txd.edx_ivlen));
return EINVAL;
}
@@ -313,9 +307,7 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
if (txd.edx_confkeylen < txform->minkey ||
txd.edx_confkeylen > txform->maxkey)
{
- if (encdebug)
- log(LOG_WARNING, "esp_new_init(): bad key length %d\n",
- txd.edx_confkeylen);
+ DPRINTF(("esp_new_init(): bad key length %d\n", txd.edx_confkeylen));
return EINVAL;
}
@@ -494,7 +486,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
if ((m = m_pullup(m, ohlen + blks)) == NULL)
{
DPRINTF(("esp_new_input(): m_pullup() failed\n"));
- espstat.esps_hdrops++;
+ espstat.esps_hdrops++;
return NULL;
}
@@ -514,15 +506,13 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
switch(errc)
{
case 1:
- if (encdebug)
- log(LOG_ERR, "esp_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
+ DPRINTF(("esp_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)));
espstat.esps_wrap++;
break;
case 2:
case 3:
- if (encdebug)
- log(LOG_WARNING, "esp_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
+ DPRINTF(("esp_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)));
espstat.esps_replay++;
break;
}
@@ -560,7 +550,12 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
while (oplen > 0)
{
if (mo == 0)
- panic("esp_new_input(): m_copydata (copy)");
+ {
+ DPRINTF(("esp_new_input(): bad mbuf chain for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)));
+ espstat.esps_hdrops++;
+ m_freem(m);
+ return NULL;
+ }
count = min(mo->m_len - off, oplen);
xd->edx_hash->Update(&ctx, mtod(mo, unsigned char *) + off, count);
@@ -576,8 +571,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
if (bcmp(buf2, buf, AH_HMAC_HASHLEN))
{
- if (encdebug)
- log(LOG_ALERT, "esp_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi));
+ DPRINTF(("esp_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)));
espstat.esps_badauth++;
m_freem(m);
return NULL;
@@ -637,15 +631,20 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
do {
mi = (mo = mi)->m_next;
if (mi == NULL)
- panic("esp_new_input(): bad chain (i)");
+ {
+ DPRINTF(("esp_new_input(): bad mbuf chain, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
+ m_freem(m);
+ return NULL;
+ }
} while (mi->m_len == 0);
if (mi->m_len < blks - rest)
{
if ((mi = m_pullup(mi, blks - rest)) == NULL)
{
- DPRINTF(("esp_new_input(): m_pullup() failed, SA %x/%08x\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_new_input(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ m_freem(m);
espstat.esps_hdrops++;
return NULL;
}
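Review bot: The `m_freem(m);` added after the failed `m_pullup(mi, blks - rest)` in this hunk can free mbufs twice: if m_pullup() in this tree frees the chain it was handed on failure, as the BSD implementation does, then `mi` and everything after it are already gone, yet `mi` still hangs off `m` through `mo->m_next`, so walking the head chain from `m` re-enters the freed mbufs. Detach the tail before releasing the head, `mo->m_next = NULL;` immediately before `m_freem(m);`, so only the surviving head mbufs are freed. The same pattern is added to the m_pullup() failure branches of esp_new_output and esp_old_output, while the corresponding esp_old_input branch still frees nothing and leaks the head of the chain. Because this branch is reached from the packet input path, an invalid free here is worse than the panic the commit removes elsewhere, so it is worth confirming m_pullup()'s failure semantics before this lands.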
@@ -731,8 +730,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
}
if ((blk[blks - 2] != blk[blks - 3]) && (blk[blks - 2] != 0))
{
- if (encdebug)
- log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
return NULL;
}
@@ -750,16 +748,14 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
}
if (blk[blks - 2] == 0)
{
- if (encdebug)
- log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
return NULL;
}
else
if (blk[blks - 2] != blk[blks - 3] + 1)
{
- if (encdebug)
- log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
return NULL;
}
@@ -775,6 +771,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
if (m == NULL)
{
DPRINTF(("esp_new_input(): m_pullup() failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
return NULL;
}
}
@@ -885,14 +882,14 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
{
DPRINTF(("esp_new_output(): m_pullup() failed, SA %x/%08x\n",
tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
return ENOBUFS;
}
if (xd->edx_rpl == 0)
{
- if (encdebug)
- log(LOG_ALERT, "esp_new_output(): SA %x/%0x8 should have expired\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("esp_new_output(): SA %x/%0x8 should have expired\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_wrap++;
return ENOBUFS;
@@ -914,6 +911,7 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
{
DPRINTF(("esp_new_input(): m_pullup() failed for SA %x/%08x\n",
tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
return ENOBUFS;
}
@@ -934,10 +932,8 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
rlen = ilen - iphlen;
padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
if (iphlen + ohlen + rlen + padding + alen > IP_MAXPACKET) {
- if (encdebug)
- log(LOG_ALERT,
- "esp_new_output(): packet in SA %x/%0x8 got too big\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("esp_new_output(): packet in SA %x/%0x8 got too big\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_toobig++;
return EMSGSIZE;
@@ -1012,15 +1008,21 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
do {
mi = (mo = mi)->m_next;
if (mi == NULL)
- panic("esp_new_output(): bad chain (i)");
+ {
+ DPRINTF(("esp_new_output(): bad mbuf chain, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
+ m_freem(m);
+ return EINVAL;
+ }
} while (mi->m_len == 0);
if (mi->m_len < blks - rest)
{
if ((mi = m_pullup(mi, blks - rest)) == NULL)
{
- DPRINTF(("esp_new_output(): m_pullup() failed, SA %x/%08x\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_new_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ m_freem(m);
+ espstat.esps_hdrops++;
return ENOBUFS;
}
/*
@@ -1106,6 +1108,7 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
{
DPRINTF(("esp_new_output(): m_pullup() failed, SA %x/%08x\n",
tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
return ENOBUFS;
}
diff --git a/sys/netinet/ip_esp_old.c b/sys/netinet/ip_esp_old.c
index f7a294b0db7..76d2a3d8311 100644
--- a/sys/netinet/ip_esp_old.c
+++ b/sys/netinet/ip_esp_old.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp_old.c,v 1.25 1999/01/11 05:12:30 millert Exp $ */
+/* $OpenBSD: ip_esp_old.c,v 1.26 1999/01/11 22:52:10 deraadt Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -69,7 +69,6 @@
#include <netinet/ip_ipsp.h>
#include <netinet/ip_esp.h>
#include <dev/rndvar.h>
-#include <sys/syslog.h>
#ifdef ENCDEBUG
#define DPRINTF(x) if (encdebug) printf x
@@ -170,8 +169,7 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
em = mtod(m, struct encap_msghdr *);
if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_OLD_XENCAP_LEN)
{
- if (encdebug)
- log(LOG_WARNING, "esp_old_init(): initialization failed\n");
+ DPRINTF(("esp_old_init(): initialization failed\n"));
return EINVAL;
}
@@ -184,8 +182,7 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
break;
if (i < 0)
{
- if (encdebug)
- log(LOG_WARNING, "esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm);
+ DPRINTF(("esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm));
return EINVAL;
}
@@ -196,8 +193,8 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
if (xenc.edx_ivlen + xenc.edx_keylen + EMT_SETSPI_FLEN +
ESP_OLD_XENCAP_LEN != em->em_msglen)
{
- if (encdebug)
- log(LOG_WARNING, "esp_old_init(): message length (%d) doesn't match\n", em->em_msglen);
+ DPRINTF(("esp_old_init(): message length (%d) doesn't match\n",
+ em->em_msglen));
return EINVAL;
}
@@ -207,18 +204,15 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m)
!(xenc.edx_ivlen & txform->ivmask) ||
(xenc.edx_ivlen & (xenc.edx_ivlen-1)))))
{
- if (encdebug)
- log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n",
- xenc.edx_ivlen);
+ DPRINTF(("esp_old_init(): unsupported IV length %d\n",
+ xenc.edx_ivlen));
return EINVAL;
}
/* Check the key length */
if (xenc.edx_keylen < txform->minkey || xenc.edx_keylen > txform->maxkey)
{
- if (encdebug)
- log(LOG_WARNING, "esp_old_init(): bad key length %d\n",
- xenc.edx_keylen);
+ DPRINTF(("esp_old_init(): bad key length %d\n", xenc.edx_keylen));
return EINVAL;
}
@@ -321,7 +315,7 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
if ((m = m_pullup(m, ohlen + blks)) == NULL)
{
DPRINTF(("esp_old_input(): m_pullup() failed\n"));
- espstat.esps_hdrops++;
+ espstat.esps_hdrops++;
return NULL;
}
@@ -404,15 +398,20 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
do {
mi = (mo = mi)->m_next;
if (mi == NULL)
- panic("esp_old_input(): bad chain (i)");
+ {
+ DPRINTF(("esp_old_input(): bad mbuf chain, SA %x/%08x\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ m_freem(m);
+ espstat.esps_hdrops++;
+ return NULL;
+ }
} while (mi->m_len == 0);
if (mi->m_len < blks - rest)
{
if ((mi = m_pullup(mi, blks - rest)) == NULL)
{
- DPRINTF(("esp_old_input(): m_pullup() failed, SA %x/%08x\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_old_input(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi)));
espstat.esps_hdrops++;
return NULL;
}
@@ -506,6 +505,7 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
if (m == NULL)
{
DPRINTF(("esp_old_input(): m_pullup() failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
return NULL;
}
}
@@ -593,6 +593,7 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
{
DPRINTF(("esp_old_output(): m_pullup() failed for SA %x/%08x\n",
tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
return ENOBUFS;
}
@@ -610,6 +611,7 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
{
DPRINTF(("esp_old_output(): m_pullup() failed for SA %x/%08x\n",
tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
return ENOBUFS;
}
@@ -630,10 +632,8 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
rlen = ilen - iphlen;
padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
if (iphlen + ohlen + rlen + padding > IP_MAXPACKET) {
- if (encdebug)
- log(LOG_ALERT,
- "esp_old_output(): packet in SA %x/%0x8 got too big\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ DPRINTF(("esp_old_output(): packet in SA %x/%0x8 got too big\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_toobig++;
return EMSGSIZE;
@@ -700,15 +700,21 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
do {
mi = (mo = mi)->m_next;
if (mi == NULL)
- panic("esp_old_output(): bad chain (i)");
+ {
+ DPRINTF(("esp_old_output(): bad mbuf chain, SA %x/%08x\n",
+ tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ m_freem(m);
+ return EINVAL;
+ }
} while (mi->m_len == 0);
if (mi->m_len < blks - rest)
{
if ((mi = m_pullup(mi, blks - rest)) == NULL)
{
- DPRINTF(("esp_old_output(): m_pullup() failed, SA %x/%08x\n",
- tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_old_output(): m_pullup() failed, SA %x/%08x\n", tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ m_freem(m);
+ espstat.esps_hdrops++;
return ENOBUFS;
}
/*
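Review bot: The new bad-chain branch in esp_old_output (`if (mi == NULL) { … return EINVAL; }`) frees the packet without counting it, whereas the equivalent branch added to esp_new_output bumps `espstat.esps_hdrops++` first; add that line before the `m_freem(m);` so the drop is visible in the statistics like the other drops this commit introduces. esp_old_output continues outside the hunk.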
@@ -775,6 +781,7 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
{
DPRINTF(("esp_old_output(): m_pullup() failed, SA %x/%08x\n",
tdb->tdb_dst, ntohl(tdb->tdb_spi)));
+ espstat.esps_hdrops++;
return ENOBUFS;
}
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index c05014cc9b1..76f1397020d 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.30 1998/11/16 08:02:59 niklas Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.31 1999/01/11 22:52:10 deraadt Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -71,6 +71,12 @@
#include <dev/rndvar.h>
#include <sys/syslog.h>
+#ifdef ENCDEBUG
+#define DPRINTF(x) if (encdebug) printf x
+#else
+#define DPRINTF(x)
+#endif
+
int tdb_init __P((struct tdb *, struct mbuf *));
int ipsp_kern __P((int, char **, int));
u_int8_t get_sa_require __P((struct inpcb *));
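Review bot: The DPRINTF macro introduced here is the fifth identical copy in sys/netinet (ip_ah_new.c, ip_ah_old.c, ip_esp_new.c and ip_esp_old.c carry the same four lines), and those four files include netinet/ip_ipsp.h, so defining it once there would keep the ENCDEBUG gate in one place. The expansion `if (encdebug) printf x` is also an unbraced `if`, so `if (c) DPRINTF((…)); else …` binds the `else` to the macro; the usual guard is `#define DPRINTF(x) do { if (encdebug) printf x; } while (0)` with the non-ENCDEBUG variant `#define DPRINTF(x) do { } while (0)`. The ip_ipsp.c call sites converted below use it as a plain statement, so either form works for them.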
@@ -216,11 +222,7 @@ check_ipsec_policy(struct inpcb *inp, u_int32_t daddr)
/* If necessary try to notify keymanagement three times */
while (i < 3) {
-#ifdef ENCDEBUG
- if (encdebug)
- printf("ipsec: send SA request (%d), remote ip: %0x, SA type: %d\n",
- i+1, dst->sen_ip_dst, sa_require);
-#endif /* ENCDEBUG */
+ DPRINTF(("ipsec: send SA request (%d), remote ip: %0x, SA type: %d\n", i+1, dst->sen_ip_dst, sa_require));
/* Send notify */
bzero((caddr_t) &tmptdb, sizeof(tmptdb));
@@ -242,10 +244,7 @@ check_ipsec_policy(struct inpcb *inp, u_int32_t daddr)
*/
error = tsleep((caddr_t)inp, PSOCK|PCATCH, "ipsecnotify", 30*hz);
-#ifdef ENCDEBUG
- if (encdebug)
- printf("check_ipsec: sleep %d\n", error);
-#endif /* ENCDEBUG */
+ DPRINTF(("check_ipsec: sleep %d\n", error));
if (error && error != EWOULDBLOCK)
break;
@@ -481,10 +480,7 @@ put_expiration(struct expiration *exp)
if (exp == (struct expiration *) NULL)
{
-#ifdef ENCDEBUG
- if (encdebug)
- log(LOG_WARNING, "put_expiration(): NULL argument\n");
-#endif /* ENCDEBUG */
+ DPRINTF(("put_expiration(): NULL argument\n"));
return;
}
@@ -690,9 +686,8 @@ tdb_init(struct tdb *tdbp, struct mbuf *m)
if (xsp->xf_type == alg)
return (*(xsp->xf_init))(tdbp, xsp, m);
- if (encdebug)
- log(LOG_ERR, "tdb_init(): no alg %d for spi %08x, addr %x, proto %d\n",
- alg, ntohl(tdbp->tdb_spi), tdbp->tdb_dst.s_addr, tdbp->tdb_sproto);
+ DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %x, proto %d\n",
+ alg, ntohl(tdbp->tdb_spi), tdbp->tdb_dst.s_addr, tdbp->tdb_sproto));
return EINVAL;
}