From 9250186e6c38da580172d873c863932a401df593 Mon Sep 17 00:00:00 2001 From: Theo de Raadt Date: Thu, 2 Oct 1997 02:31:08 +0000 Subject: conditional error logging --- sys/netinet/ip_ah.c | 32 +++++++++++-------- sys/netinet/ip_ah_new.c | 42 +++++++++++++++---------- sys/netinet/ip_ah_old.c | 26 ++++++++++------ sys/netinet/ip_esp.c | 30 +++++++++++------- sys/netinet/ip_esp_new.c | 80 +++++++++++++++++++++++++++++------------------- sys/netinet/ip_esp_old.c | 56 +++++++++++++++++---------------- sys/netinet/ip_ip4.c | 8 ++--- sys/netinet/ip_ipsp.c | 11 ++++--- sys/netinet/ip_output.c | 10 +++--- 9 files changed, 171 insertions(+), 124 deletions(-) (limited to 'sys/netinet') diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index 1684b65e86a..8cf20865e54 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.c,v 1.11 1997/09/28 22:57:43 deraadt Exp $ */ +/* $OpenBSD: ip_ah.c,v 1.12 1997/10/02 02:31:02 deraadt Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -110,7 +110,8 @@ ah_input(register struct mbuf *m, int iphlen) tdbp = gettdb(ahp->ah_spi, ipo->ip_dst, IPPROTO_AH); if (tdbp == NULL) { - log(LOG_ERR, "ah_input(): could not find SA for AH packet from %x to %x, spi %08x\n", ipo->ip_src, ipo->ip_dst, ntohl(ahp->ah_spi)); + if (encdebug) + log(LOG_ERR, "ah_input(): could not find SA for AH packet from %x to %x, spi %08x\n", ipo->ip_src, ipo->ip_dst, ntohl(ahp->ah_spi)); m_freem(m); ahstat.ahs_notdb++; return; @@ -118,9 +119,8 @@ ah_input(register struct mbuf *m, int iphlen) if (tdbp->tdb_flags & TDBF_INVALID) { - log(LOG_ALERT, - "ah_input(): attempted to use invalid AH SA %08x, packet %x->%x\n", - ntohl(ahp->ah_spi), ipo->ip_src, ipo->ip_dst); + if (encdebug) + log(LOG_ALERT, "ah_input(): attempted to use invalid AH SA %08x, packet %x->%x\n", ntohl(ahp->ah_spi), ipo->ip_src, ipo->ip_dst); m_freem(m); ahstat.ahs_invalid++; return; 
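Review bot: Gating the "could not find SA" and "invalid AH SA" messages in ah_input() on encdebug removes the only operator-visible trace of SPI spraying or of traffic aimed at a revoked SA; after this hunk only `ahstat.ahs_notdb` and `ahstat.ahs_invalid` record those events. The old unconditional log was a remote log-flooding vector, so suppressing it is defensible, but a throttled log (first occurrence per SA, or a few per second) would keep the detection signal without the flood. I'd say so above the gate: `/* Any remote peer can trigger this at will; keep it off the console unless debugging. */`. ah_input()'s body starts before and continues past the hunk.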
@@ -128,7 +128,8 @@ ah_input(register struct mbuf *m, int iphlen) if (tdbp->tdb_xform == NULL) { - log(LOG_ALERT, "ah_input(): attempted to use uninitialized AH SA %08x, packet from %x to %x\n", ntohl(ahp->ah_spi), ipo->ip_src, ipo->ip_dst); + if (encdebug) + log(LOG_ALERT, "ah_input(): attempted to use uninitialized AH SA %08x, packet from %x to %x\n", ntohl(ahp->ah_spi), ipo->ip_src, ipo->ip_dst); m_freem(m); ahstat.ahs_noxform++; return; @@ -146,8 +147,9 @@ ah_input(register struct mbuf *m, int iphlen) exp = get_expiration(); if (exp == (struct expiration *) NULL) { - log(LOG_WARNING, - "ah_input(): out of memory for expiration timer\n"); + if (encdebug) + log(LOG_WARNING, + "ah_input(): out of memory for expiration timer\n"); ahstat.ahs_hdrops++; m_freem(m); return; @@ -167,8 +169,9 @@ ah_input(register struct mbuf *m, int iphlen) exp = get_expiration(); if (exp == (struct expiration *) NULL) { - log(LOG_WARNING, - "ah_input(): out of memory for expiration timer\n"); + if (encdebug) + log(LOG_WARNING, + "ah_input(): out of memory for expiration timer\n"); ahstat.ahs_hdrops++; m_freem(m); return; @@ -189,7 +192,8 @@ ah_input(register struct mbuf *m, int iphlen) m = (*(tdbp->tdb_xform->xf_input))(m, tdbp); if (m == NULL) { - log(LOG_ALERT, "ah_input(): authentication failed for AH packet from %x to %x, spi %08x\n", ipn.ip_src, ipn.ip_dst, ntohl(ahn.ah_spi)); + if (encdebug) + log(LOG_ALERT, "ah_input(): authentication failed for AH packet from %x to %x, spi %08x\n", ipn.ip_src, ipn.ip_dst, ntohl(ahn.ah_spi)); ahstat.ahs_badkcr++; return; } 
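Review bot: The two get_expiration() failure paths in ah_input() now drop the packet silently and fold it into `ahstat.ahs_hdrops`, so an operator can no longer tell resource exhaustion from malformed-header drops. Unlike the per-packet authentication messages, an allocation failure is not something a remote peer provokes by sending junk, so it does not share the log-flooding motivation for the encdebug gate; keep that `log(LOG_WARNING, ...)` unconditional (as ipe4_input() is elsewhere in this commit) or give it its own counter. ah_input() continues outside the hunk.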
@@ -204,7 +208,8 @@ ah_input(register struct mbuf *m, int iphlen) if ((ipn.ip_src.s_addr != ipo->ip_src.s_addr) || (ipn.ip_dst.s_addr != ipo->ip_dst.s_addr)) { - log(LOG_ALERT, "ah_input(): AH-tunnel with different internal addresses %x/%x, SA %08x/%x\n", ipo->ip_src, ipo->ip_dst, tdbp->tdb_spi, tdbp->tdb_dst); + if (encdebug) + log(LOG_ALERT, "ah_input(): AH-tunnel with different internal addresses %x/%x, SA %08x/%x\n", ipo->ip_src, ipo->ip_dst, tdbp->tdb_spi, tdbp->tdb_dst); m_freem(m); ahstat.ahs_hdrops++; return; @@ -212,7 +217,8 @@ ah_input(register struct mbuf *m, int iphlen) } else /* So we're paranoid */ { - log(LOG_ALERT, "ah_input(): AH-tunnel used when expecting AH-transport, SA %08x/%x\n", tdbp->tdb_spi, tdbp->tdb_dst); + if (encdebug) + log(LOG_ALERT, "ah_input(): AH-tunnel used when expecting AH-transport, SA %08x/%x\n", tdbp->tdb_spi, tdbp->tdb_dst); m_freem(m); ahstat.ahs_hdrops++; return; diff --git a/sys/netinet/ip_ah_new.c b/sys/netinet/ip_ah_new.c index fd9c16cc9cd..55cc83a9713 100644 --- a/sys/netinet/ip_ah_new.c +++ b/sys/netinet/ip_ah_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah_new.c,v 1.9 1997/09/28 22:57:44 deraadt Exp $ */ +/* $OpenBSD: ip_ah_new.c,v 1.10 1997/10/02 02:31:03 deraadt Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -107,7 +107,8 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) em = mtod(m, struct encap_msghdr *); if (em->em_msglen - EMT_SETSPI_FLEN <= AH_NEW_XENCAP_LEN) { - log(LOG_WARNING, "ah_new_init() initialization failed\n"); + if (encdebug) + log(LOG_WARNING, "ah_new_init() initialization failed\n"); return EINVAL; } 
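Review bot: The short-message check in ah_new_init(), `em->em_msglen - EMT_SETSPI_FLEN <= AH_NEW_XENCAP_LEN`, subtracts before comparing, so if em_msglen is smaller than EMT_SETSPI_FLEN and the expression is evaluated unsigned the subtraction wraps and the check passes; the type of em_msglen is not visible here, so confirm, and prefer `if (em->em_msglen <= EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN)`. The text "initialization failed" also gives no hint which check tripped; this path is driven by a local SETSPI message rather than network input, so it can safely carry the length: `log(LOG_WARNING, "ah_new_init(): message too short (%d)\n", em->em_msglen);`. The function continues past the hunk.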
@@ -128,14 +129,16 @@ ah_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; default: - log(LOG_WARNING, "ah_new_init(): unsupported authentication algorithm %d specified\n", txd.amx_hash_algorithm); + if (encdebug) + log(LOG_WARNING, "ah_new_init(): unsupported authentication algorithm %d specified\n", txd.amx_hash_algorithm); return EINVAL; } if (txd.amx_keylen + EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN != em->em_msglen) { - log(LOG_WARNING, "ah_new_init(): message length (%d) doesn't match\n", - em->em_msglen); + if (encdebug) + log(LOG_WARNING, "ah_new_init(): message length (%d) doesn't match\n", + em->em_msglen); return EINVAL; } @@ -285,9 +288,10 @@ ah_new_input(struct mbuf *m, struct tdb *tdb) break; default: - log(LOG_ALERT, - "ah_new_input(): unsupported algorithm %d in SA %x/%08x\n", - xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, + "ah_new_input(): unsupported algorithm %d in SA %x/%08x\n", + xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -361,13 +365,15 @@ ah_new_input(struct mbuf *m, struct tdb *tdb) switch(errc) { case 1: - log(LOG_ERR, "ah_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); + if (encdebug) + log(LOG_ERR, "ah_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); ahstat.ahs_wrap++; break; case 2: case 3: - log(LOG_WARNING, "ah_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); + if (encdebug) + log(LOG_WARNING, "ah_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); ahstat.ahs_replay++; break; } 
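Review bot: Suppressing the replay-window messages in ah_new_input() leaves `ahstat.ahs_replay` and `ahstat.ahs_wrap` as the only record of replayed traffic, which is exactly the event an operator investigating a suspected replay wants an address and SPI for. The path is reachable by any on-path attacker re-sending a captured packet, so the flooding concern is real, but a rate-limited log is the usual compromise. The switch only counts; the actual drop on `errc != 0` presumably happens after the hunk, so confirm the packet is freed there. ah_new_input() continues outside the hunk.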
@@ -552,8 +558,8 @@ ah_new_input(struct mbuf *m, struct tdb *tdb) if (bcmp(aho->ah_data, ah->ah_data, AH_HMAC_HASHLEN)) { - log(LOG_ALERT, - "ah_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); + if (encdebug) + log(LOG_ALERT, "ah_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(ah->ah_spi)); #ifdef ENCDEBUG if (encdebug) { @@ -698,9 +704,10 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, break; default: - log(LOG_ALERT, - "ah_new_output(): unsupported algorithm %d in SA %x/%08x\n", - xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, + "ah_new_output(): unsupported algorithm %d in SA %x/%08x\n", + xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -730,8 +737,9 @@ ah_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, if (xd->amx_rpl == 0) { - log(LOG_ALERT, "ah_new_output(): SA %x/%0x8 should have expired\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, "ah_new_output(): SA %x/%0x8 should have expired\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); ahstat.ahs_wrap++; return NULL; diff --git a/sys/netinet/ip_ah_old.c b/sys/netinet/ip_ah_old.c index c847bcb582b..dcea2202f3f 100644 --- a/sys/netinet/ip_ah_old.c +++ b/sys/netinet/ip_ah_old.c @@ -102,7 +102,8 @@ ah_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) em = mtod(m, struct encap_msghdr *); if (em->em_msglen - EMT_SETSPI_FLEN <= AH_OLD_XENCAP_LEN) { - log(LOG_WARNING, "ah_old_init(): initialization failed\n"); + if (encdebug) + log(LOG_WARNING, "ah_old_init(): initialization failed\n"); return EINVAL; } 
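Review bot: The new-side format string `"ah_new_output(): SA %x/%0x8 should have expired\n"` has `%0x8` where `%08x` was meant, so the SPI prints unpadded followed by a literal "8"; change it to `"ah_new_output(): SA %x/%08x should have expired\n"`. Separately, the ah_new_input() hunk now reads `encdebug` unconditionally immediately before an `#ifdef ENCDEBUG if (encdebug) {` block, which suggests the variable was previously referenced only under ENCDEBUG; its declaration is not in the diff, so confirm it is declared and defined in non-ENCDEBUG kernels too, or those builds will fail to link.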
@@ -122,14 +123,16 @@ ah_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; default: - log(LOG_WARNING, "ah_old_init(): unsupported authentication algorithm %d specified\n", xenc.amx_hash_algorithm); + if (encdebug) + log(LOG_WARNING, "ah_old_init(): unsupported authentication algorithm %d specified\n", xenc.amx_hash_algorithm); m_freem(m); return EINVAL; } if (xenc.amx_keylen + EMT_SETSPI_FLEN + AH_OLD_XENCAP_LEN != em->em_msglen) { - log(LOG_WARNING, "ah_old_init(): message length (%d) doesn't match\n", + if (encdebug) + log(LOG_WARNING, "ah_old_init(): message length (%d) doesn't match\n", em->em_msglen); return EINVAL; } @@ -228,9 +231,10 @@ ah_old_input(struct mbuf *m, struct tdb *tdb) break; default: - log(LOG_ALERT, - "ah_old_input(): unsupported algorithm %d in SA %x/%08x\n", - xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, + "ah_old_input(): unsupported algorithm %d in SA %x/%08x\n", + xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -449,7 +453,8 @@ ah_old_input(struct mbuf *m, struct tdb *tdb) if (bcmp(aho->ah_data, ah->ah_data, alen)) { - log(LOG_ALERT, "ah_old_input(): authentication failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, "ah_old_input(): authentication failed for packet from %x to %x, spi %08x\n", ipo.ip_src, ipo.ip_dst, ntohl(tdb->tdb_spi)); ahstat.ahs_badauth++; m_freem(m); return NULL; @@ -575,9 +580,10 @@ ah_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, break; default: - log(LOG_ALERT, - "ah_old_output(): unsupported algorithm %d in SA %x/%08x\n", - xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, + "ah_old_output(): unsupported algorithm %d in SA %x/%08x\n", + xd->amx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } 
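Review bot: In ah_old_init() the unsupported-algorithm path calls `m_freem(m)` before `return EINVAL`, while the "message length doesn't match" path returns EINVAL without freeing; one of these is wrong whichever way the caller's contract goes, since a caller that frees on error double-frees on the first path and one that does not leaks the mbuf carrying key material on the second. ah_new_init() in this same commit frees on none of its EINVAL paths, so dropping the `m_freem(m)` here is the consistent fix, unless the SETSPI caller's contract says otherwise — that contract is not visible here. I'd record it at the function head: `/* On error the caller retains ownership of m. */`. ah_old_init() starts before the hunk.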
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 85902ac9a42..b349c04636d 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.11 1997/09/28 22:57:46 deraadt Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.12 1997/10/02 02:31:04 deraadt Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -109,7 +109,8 @@ esp_input(register struct mbuf *m, int iphlen) tdbp = gettdb(spi, ipo->ip_dst, IPPROTO_ESP); if (tdbp == NULL) { - log(LOG_ERR, "esp_input(): could not find SA for ESP packet from %x to %x, spi %08x\n", ipo->ip_src, ipo->ip_dst, ntohl(spi)); + if (encdebug) + log(LOG_ERR, "esp_input(): could not find SA for ESP packet from %x to %x, spi %08x\n", ipo->ip_src, ipo->ip_dst, ntohl(spi)); m_freem(m); espstat.esps_notdb++; return; @@ -117,7 +118,8 @@ esp_input(register struct mbuf *m, int iphlen) if (tdbp->tdb_flags & TDBF_INVALID) { - log(LOG_ALERT, "esp_input(): attempted to use invalid ESP SA %08x, packet %x->%x\n", ntohl(spi), ipo->ip_src, ipo->ip_dst); + if (encdebug) + log(LOG_ALERT, "esp_input(): attempted to use invalid ESP SA %08x, packet %x->%x\n", ntohl(spi), ipo->ip_src, ipo->ip_dst); m_freem(m); espstat.esps_invalid++; return; @@ -125,7 +127,8 @@ esp_input(register struct mbuf *m, int iphlen) if (tdbp->tdb_xform == NULL) { - log(LOG_ALERT, "esp_input(): attempted to use uninitialized ESP SA %08x, packet from %x to %x\n", ntohl(spi), ipo->ip_src, ipo->ip_dst); + if (encdebug) + log(LOG_ALERT, "esp_input(): attempted to use uninitialized ESP SA %08x, packet from %x to %x\n", ntohl(spi), ipo->ip_src, ipo->ip_dst); m_freem(m); espstat.esps_noxform++; return; 
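Review bot: The esp_input() messages pass `ipo->ip_src` and `ipo->ip_dst` — `struct in_addr` values — to `%x`, which relies on the struct being pushed through the varargs as a plain 32-bit word; that works on the targets of the day but is undefined and defeats format checking. Pass the member instead, as tdb_init() in this commit already does with `tdbp->tdb_dst.s_addr`: `ipo->ip_src.s_addr, ipo->ip_dst.s_addr`. The same applies to the `%x` uses of `tdbp->tdb_dst` later in the file. esp_input() starts before and continues past the hunk.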
@@ -143,8 +146,9 @@ esp_input(register struct mbuf *m, int iphlen) exp = get_expiration(); if (exp == (struct expiration *) NULL) { - log(LOG_WARNING, - "esp_input(): out of memory for expiration timer\n"); + if (encdebug) + log(LOG_WARNING, + "esp_input(): out of memory for expiration timer\n"); espstat.esps_hdrops++; m_freem(m); return; @@ -164,8 +168,9 @@ esp_input(register struct mbuf *m, int iphlen) exp = get_expiration(); if (exp == (struct expiration *) NULL) { - log(LOG_WARNING, - "esp_input(): out of memory for expiration timer\n"); + if (encdebug) + log(LOG_WARNING, + "esp_input(): out of memory for expiration timer\n"); espstat.esps_hdrops++; m_freem(m); return; @@ -186,7 +191,8 @@ esp_input(register struct mbuf *m, int iphlen) if (m == NULL) { - log(LOG_ALERT, "esp_input(): processing failed for ESP packet from %x to %x, spi %08x\n", ipn.ip_src, ipn.ip_dst, ntohl(spi)); + if (encdebug) + log(LOG_ALERT, "esp_input(): processing failed for ESP packet from %x to %x, spi %08x\n", ipn.ip_src, ipn.ip_dst, ntohl(spi)); espstat.esps_badkcr++; return; } @@ -201,7 +207,8 @@ esp_input(register struct mbuf *m, int iphlen) if ((ipn.ip_src.s_addr != ipo->ip_src.s_addr) || (ipn.ip_dst.s_addr != ipo->ip_dst.s_addr)) { - log(LOG_ALERT, "esp_input(): ESP-tunnel with different internal addresses %x/%x, SA %08x/%x\n", ipo->ip_src, ipo->ip_dst, tdbp->tdb_spi, tdbp->tdb_dst); + if (encdebug) + log(LOG_ALERT, "esp_input(): ESP-tunnel with different internal addresses %x/%x, SA %08x/%x\n", ipo->ip_src, ipo->ip_dst, tdbp->tdb_spi, tdbp->tdb_dst); m_freem(m); espstat.esps_hdrops++; return; 
@@ -209,7 +216,8 @@ esp_input(register struct mbuf *m, int iphlen) } else /* So we're paranoid */ { - log(LOG_ALERT, "esp_input(): ESP-tunnel used when expecting ESP-transport, SA %08x/%x\n", tdbp->tdb_spi, tdbp->tdb_dst); + if (encdebug) + log(LOG_ALERT, "esp_input(): ESP-tunnel used when expecting ESP-transport, SA %08x/%x\n", tdbp->tdb_spi, tdbp->tdb_dst); m_freem(m); espstat.esps_hdrops++; return; diff --git a/sys/netinet/ip_esp_new.c b/sys/netinet/ip_esp_new.c index 4d5db810178..53fe1a8b454 100644 --- a/sys/netinet/ip_esp_new.c +++ b/sys/netinet/ip_esp_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_new.c,v 1.8 1997/09/30 03:18:04 deraadt Exp $ */ +/* $OpenBSD: ip_esp_new.c,v 1.9 1997/10/02 02:31:04 deraadt Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -112,7 +112,8 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) em = mtod(m, struct encap_msghdr *); if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_NEW_XENCAP_LEN) { - log(LOG_WARNING, "esp_new_init(): initialization failed\n"); + if (encdebug) + log(LOG_WARNING, "esp_new_init(): initialization failed\n"); return EINVAL; } @@ -132,7 +133,8 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; default: - log(LOG_WARNING, "esp_new_init(): unsupported encryption algorithm %d specified\n", txd.edx_enc_algorithm); + if (encdebug) + log(LOG_WARNING, "esp_new_init(): unsupported encryption algorithm %d specified\n", txd.edx_enc_algorithm); return EINVAL; } 
@@ -150,15 +152,16 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; default: - log(LOG_WARNING, "esp_new_init(): unsupported authentication algorithm %d specified\n", txd.edx_enc_algorithm); + if (encdebug) + log(LOG_WARNING, "esp_new_init(): unsupported authentication algorithm %d specified\n", txd.edx_enc_algorithm); return EINVAL; } if (txd.edx_ivlen + txd.edx_keylen + EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN != em->em_msglen) { - log(LOG_WARNING, "esp_new_init(): message length (%d) doesn't match\n", - em->em_msglen); + if (encdebug) + log(LOG_WARNING, "esp_new_init(): message length (%d) doesn't match\n", em->em_msglen); return EINVAL; } @@ -167,15 +170,17 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) case ALG_ENC_DES: if ((txd.edx_ivlen != 0) && (txd.edx_ivlen != 8)) { - log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n", - txd.edx_ivlen); + if (encdebug) + log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n", + txd.edx_ivlen); return EINVAL; } if (txd.edx_keylen < 8) { - log(LOG_WARNING, "esp_new_init(): bad key length\n", - txd.edx_keylen); + if (encdebug) + log(LOG_WARNING, "esp_new_init(): bad key length\n", + txd.edx_keylen); return EINVAL; } @@ -185,15 +190,17 @@ esp_new_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) case ALG_ENC_3DES: if ((txd.edx_ivlen != 0) && (txd.edx_ivlen != 8)) { - log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n", - txd.edx_ivlen); + if (encdebug) + log(LOG_WARNING, "esp_new_init(): unsupported IV length %d\n", + txd.edx_ivlen); return EINVAL; } if (txd.edx_keylen < 24) { - log(LOG_WARNING, "esp_new_init(): bad key length\n", - txd.edx_keylen); + if (encdebug) + log(LOG_WARNING, "esp_new_init(): bad key length\n", + txd.edx_keylen); return EINVAL; } 
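Review bot: In esp_new_init() the DES and 3DES key-length failures log `"esp_new_init(): bad key length\n"` with `txd.edx_keylen` as an argument but no conversion in the format, so the length is never printed; use `"esp_new_init(): bad key length %d\n"`. The earlier hunk's "unsupported authentication algorithm %d" message prints `txd.edx_enc_algorithm` rather than the hash algorithm being rejected — presumably `txd.edx_hash_algorithm`, though the switch expression itself is outside the hunk. Both are privileged-configuration paths, so the encdebug gate only costs diagnosability here.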
@@ -390,9 +397,10 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) break; default: - log(LOG_ALERT, - "esp_new_input(): unsupported algorithm %d in SA %x/%08x\n", - xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, + "esp_new_input(): unsupported algorithm %d in SA %x/%08x\n", + xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -407,8 +415,8 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) break; default: - log(LOG_ALERT, "esp_new_input(): unsupported algorithm %d in SA %x/%08x\n", xd->edx_hash_algorithm, tdb->tdb_dst, - ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, "esp_new_input(): unsupported algorithm %d in SA %x/%08x\n", xd->edx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -472,13 +480,15 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) switch(errc) { case 1: - log(LOG_ERR, "esp_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); + if (encdebug) + log(LOG_ERR, "esp_new_input(): replay counter wrapped for packets from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); espstat.esps_wrap++; break; case 2: case 3: - log(LOG_WARNING, "esp_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); + if (encdebug) + log(LOG_WARNING, "esp_new_input(): duplicate packet received, %x->%x spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); espstat.esps_replay++; break; } 
@@ -590,8 +600,8 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) if (bcmp(buf2, buf, AH_HMAC_HASHLEN)) { - log(LOG_ALERT, - "esp_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); + if (encdebug) + log(LOG_ALERT, "esp_new_input(): authentication failed for packet from %x to %x, spi %08x\n", ip->ip_src, ip->ip_dst, ntohl(esp->esp_spi)); espstat.esps_badauth++; m_freem(m); return NULL; @@ -711,7 +721,8 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) { if ((blk[6] != blk[5]) && (blk[6] != 0)) { - log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -722,14 +733,16 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) { if (blk[6] == 0) { - log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } else if (blk[6] != blk[5] + 1) { - log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } 
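Review bot: The "decryption failed" paths in esp_new_input() free the packet and return without bumping any espstat counter, while the authentication failure just above increments `espstat.esps_badauth`, so with the log gated on encdebug a peer sending correctly authenticated but badly padded packets now leaves no trace at all; add a counter before each of those `m_freem(m)` calls (whichever field this file uses for decrypt errors, e.g. `espstat.esps_badkcr++;`). The three padding outcomes are observable to a sender only if the drop can happen before authentication; from the hunk order the HMAC check precedes them, which is fine as long as authentication is mandatory for this transform — worth a comment stating that. The `bcmp(buf2, buf, AH_HMAC_HASHLEN)` MAC compare is not constant-time; a fixed-time compare is preferable where one is available.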
@@ -845,9 +858,10 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, break; default: - log(LOG_ALERT, - "esp_new_output(): unsupported algorithm %d in SA %x/%08x\n", - xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, + "esp_new_output(): unsupported algorithm %d in SA %x/%08x\n", + xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -867,7 +881,8 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, break; default: - log(LOG_ALERT, "esp_new_output(): unsupported algorithm %d in SA %x/%08x\n", xd->edx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, "esp_new_output(): unsupported algorithm %d in SA %x/%08x\n", xd->edx_hash_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -890,8 +905,9 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, if (xd->edx_rpl == 0) { - log(LOG_ALERT, "esp_new_output(): SA %x/%0x8 should have expired\n", - tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, "esp_new_output(): SA %x/%0x8 should have expired\n", + tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); espstat.esps_wrap++; return NULL; diff --git a/sys/netinet/ip_esp_old.c b/sys/netinet/ip_esp_old.c index 64fcf013c8b..633d9b880c0 100644 --- a/sys/netinet/ip_esp_old.c +++ b/sys/netinet/ip_esp_old.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_old.c,v 1.8 1997/10/01 01:17:30 deraadt Exp $ */ +/* $OpenBSD: ip_esp_old.c,v 1.9 1997/10/02 02:31:05 deraadt Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -106,7 +106,8 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) em = mtod(m, struct encap_msghdr *); if (em->em_msglen - EMT_SETSPI_FLEN <= ESP_OLD_XENCAP_LEN) { - log(LOG_WARNING, "esp_old_init(): initialization failed\n"); + if (encdebug) + log(LOG_WARNING, "esp_old_init(): initialization failed\n"); return EINVAL; } 
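Review bot: The new-side format string `"esp_new_output(): SA %x/%0x8 should have expired\n"` has `%0x8` where `%08x` was intended, so the SPI prints unpadded followed by a literal "8"; change it to `"esp_new_output(): SA %x/%08x should have expired\n"`. Note this is the path where the replay counter has wrapped and the SA must stop being used, so the message is the one an operator would most want to be legible. esp_new_output() continues outside the hunk.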
@@ -126,15 +127,16 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) break; default: - log(LOG_WARNING, "esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm); + if (encdebug) + log(LOG_WARNING, "esp_old_init(): unsupported encryption algorithm %d specified\n", xenc.edx_enc_algorithm); return EINVAL; } if (xenc.edx_ivlen + xenc.edx_keylen + EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN != em->em_msglen) { - log(LOG_WARNING, "esp_old_init(): message length (%d) doesn't match\n", - em->em_msglen); + if (encdebug) + log(LOG_WARNING, "esp_old_init(): message length (%d) doesn't match\n", em->em_msglen); return EINVAL; } @@ -143,15 +145,17 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) case ALG_ENC_DES: if ((xenc.edx_ivlen != 4) && (xenc.edx_ivlen != 8)) { - log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n", - xenc.edx_ivlen); + if (encdebug) + log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n", + xenc.edx_ivlen); return EINVAL; } if (xenc.edx_keylen != 8) { - log(LOG_WARNING, "esp_old_init(): bad key length\n", - xenc.edx_keylen); + if (encdebug) + log(LOG_WARNING, "esp_old_init(): bad key length\n", + xenc.edx_keylen); return EINVAL; } @@ -160,15 +164,17 @@ esp_old_init(struct tdb *tdbp, struct xformsw *xsp, struct mbuf *m) case ALG_ENC_3DES: if ((xenc.edx_ivlen != 4) && (xenc.edx_ivlen != 8)) { - log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n", - xenc.edx_ivlen); + if (encdebug) + log(LOG_WARNING, "esp_old_init(): unsupported IV length %d\n", + xenc.edx_ivlen); return EINVAL; } if (xenc.edx_keylen != 24) { - log(LOG_WARNING, "esp_old_init(): bad key length\n", - xenc.edx_keylen); + if (encdebug) + log(LOG_WARNING, "esp_old_init(): bad key length\n", + xenc.edx_keylen); return EINVAL; } 
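Review bot: esp_old_init()'s key-length failures log `"esp_old_init(): bad key length\n"` with `xenc.edx_keylen` passed but no `%d` in the format, so the argument is silently dropped; change it to `"esp_old_init(): bad key length %d\n"`. These are privileged SETSPI paths, so printing the offending length carries no flooding risk. The function continues past the hunk.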
@@ -263,9 +269,10 @@ esp_old_input(struct mbuf *m, struct tdb *tdb) break; default: - log(LOG_ALERT, - "esp_old_input(): unsupported algorithm %d in SA %x/%08x\n", - xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, + "esp_old_input(): unsupported algorithm %d in SA %x/%08x\n", + xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } @@ -444,16 +451,10 @@ esp_old_input(struct mbuf *m, struct tdb *tdb) * blk[7] contains the next protocol, and blk[6] contains the * amount of padding the original chain had. Chop off the * appropriate parts of the chain, and return. - * Verify correct decryption by checking the last padding bytes. + * We cannot verify the decryption here (as in ip_esp_new.c), since + * the padding may be random. */ - if ((blk[6] != blk[5]) && (blk[6] != 0)) - { - log(LOG_ALERT, "esp_old_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); - m_freem(m); - return NULL; - } - m_adj(m, -blk[6] - 2); m_adj(m, 4 + xd->edx_ivlen); @@ -549,9 +550,10 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, break; default: - log(LOG_ALERT, - "esp_old_output(): unsupported algorithm %d in SA %x/%08x\n", - xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + if (encdebug) + log(LOG_ALERT, + "esp_old_output(): unsupported algorithm %d in SA %x/%08x\n", + xd->edx_enc_algorithm, tdb->tdb_dst, ntohl(tdb->tdb_spi)); m_freem(m); return NULL; } diff --git a/sys/netinet/ip_ip4.c b/sys/netinet/ip_ip4.c index e0254e17172..69770687979 100644 --- a/sys/netinet/ip_ip4.c +++ b/sys/netinet/ip_ip4.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ip4.c,v 1.13 1997/09/28 23:09:57 deraadt Exp $ */ +/* $OpenBSD: ip_ip4.c,v 1.14 1997/10/02 02:31:05 deraadt Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, 
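Review bot: With the padding sanity check removed from esp_old_input(), `blk[6]` is used directly as the trim length in `m_adj(m, -blk[6] - 2)` without being compared against the decrypted payload length; old-style ESP carries no authenticator, so a wrong key or a forged ciphertext now yields an arbitrary truncation that is neither counted nor logged. m_adj() clamps a tail trim to the chain length, so this should not corrupt memory, but the packet should be rejected: compare `blk[6] + 2` with the remaining length (the length variable is not visible here) and on failure `espstat.esps_hdrops++; m_freem(m); return NULL;`. The new comment would be clearer saying why the old check was wrong rather than that verification is impossible: `/* Old-style ESP leaves the pad byte contents unspecified, so they cannot be used to detect a bad decryption. */`.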
@@ -131,9 +131,8 @@ ip4_input(register struct mbuf *m, int iphlen) if (ipi->ip_v != IPVERSION) { - log(LOG_WARNING, - "ip4_input(): wrong version %d on IP packet from %x to %x (%x->%x)\n", - ipi->ip_v, ipo->ip_src, ipo->ip_dst, ipi->ip_src, ipi->ip_dst); + if (encdebug) + log(LOG_WARNING, "ip4_input(): wrong version %d on IP packet from %x to %x (%x->%x)\n", ipi->ip_v, ipo->ip_src, ipo->ip_dst, ipi->ip_src, ipi->ip_dst); ip4stat.ip4s_notip4++; return; } @@ -281,6 +280,7 @@ ipe4_zeroize(struct tdb *tdbp) void ipe4_input(struct mbuf *m, ...) { + /* This is a rather serious mistake, so no conditional printing */ log(LOG_ALERT, "ipe4_input(): should never be called\n"); if (m) m_freem(m); diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index d5d4e0d0462..22fc2f0b51e 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.21 1997/10/01 02:34:06 deraadt Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.22 1997/10/02 02:31:06 deraadt Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -510,8 +510,9 @@ tdb_init(struct tdb *tdbp, struct mbuf *m) if (xsp->xf_type == alg) return (*(xsp->xf_init))(tdbp, xsp, m); - log(LOG_ERR, "tdb_init(): no alg %d for spi %08x, addr %x, proto %d\n", - alg, ntohl(tdbp->tdb_spi), tdbp->tdb_dst.s_addr, tdbp->tdb_sproto); + if (encdebug) + log(LOG_ERR, "tdb_init(): no alg %d for spi %08x, addr %x, proto %d\n", + alg, ntohl(tdbp->tdb_spi), tdbp->tdb_dst.s_addr, tdbp->tdb_sproto); return EINVAL; } 
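Review bot: The wrong-version path in ip4_input() returns right after `ip4stat.ip4s_notip4++` without an `m_freem(m)`, unlike every other drop path in this commit; unless the caller frees on return (not visible here), each such packet leaks an mbuf, and since the inner header is attacker-controlled that is a remotely driven memory-exhaustion vector. Add `m_freem(m);` before the `return;`. ip4_input() starts before and continues past the hunk.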
@@ -566,10 +567,10 @@ ipsp_kern(int off, char **bufp, int len) inet_ntoa(tdb->tdb_odst), tdb->tdb_ttl); if (tdb->tdb_onext) - l += sprintf(buffer + l, "\tNext (on output) SA: SPI = %08x, Destination = %s, Sproto = %u\n", tdb->tdb_onext->tdb_spi, inet_ntoa(tdb->tdb_onext->tdb_dst), tdb->tdb_onext->tdb_sproto); + l += sprintf(buffer + l, "\tNext (on output) SA: SPI = %08x, Destination = %s, Sproto = %u\n", ntohl(tdb->tdb_onext->tdb_spi), inet_ntoa(tdb->tdb_onext->tdb_dst), tdb->tdb_onext->tdb_sproto); if (tdb->tdb_inext) - l += sprintf(buffer + l, "\tNext (on input) SA: SPI = %08x, Destination = %s, Sproto = %u\n", tdb->tdb_inext->tdb_spi, inet_ntoa(tdb->tdb_inext->tdb_dst), tdb->tdb_inext->tdb_sproto); + l += sprintf(buffer + l, "\tNext (on input) SA: SPI = %08x, Destination = %s, Sproto = %u\n", ntohl(tdb->tdb_inext->tdb_spi), inet_ntoa(tdb->tdb_inext->tdb_dst), tdb->tdb_inext->tdb_sproto); /* XXX We can reuse variable i, we're not going to loop again */ for (i = 0, fl = tdb->tdb_flow; fl; fl = fl->flow_next) diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index eef35d2cbb5..29c0913c45b 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.23 1997/09/28 22:57:50 deraadt Exp $ */ +/* $OpenBSD: ip_output.c,v 1.24 1997/10/02 02:31:07 deraadt Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -262,9 +262,8 @@ ip_output(m0, va_alist) /* Check if the SPI is invalid */ if (tdb->tdb_flags & TDBF_INVALID) { - log(LOG_ALERT, - "ip_output(): attempt to use invalid SA %08x/%x/%x\n", - ntohl(tdb->tdb_spi), tdb->tdb_dst, + if (encdebug) + log(LOG_ALERT, "ip_output(): attempt to use invalid SA %08x/%x/%x\n", ntohl(tdb->tdb_spi), tdb->tdb_dst, tdb->tdb_sproto); m_freem(m); RTFREE(re->re_rt); 
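Review bot: The rewritten ipsp_kern() lines still build output with `sprintf(buffer + l, ...)` and no bound, so the per-SA text is trusted to fit `buffer`; the buffer's size is not visible in the hunk, but if this is reachable through a kernfs read it is the classic unbounded kernel sprintf. Where snprintf is available, `l += snprintf(buffer + l, sizeof(buffer) - l, ...)` with a check that l stays below the size would close it. The SPI byte-order fix is also unrelated to the commit's subject and would be easier to track as its own change. ipsp_kern() starts before and continues past the hunk.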
@@ -358,7 +357,8 @@ ip_output(m0, va_alist) exp = get_expiration(); if (exp == NULL) { expbail: - log(LOG_WARNING, "ip_output(): no memory for exp timer\n"); + if (encdebug) + log(LOG_WARNING, "ip_output(): no memory for exp timer\n"); m_freem(m); RTFREE(re->re_rt); return ENOBUFS; -- cgit v1.2.3