d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MFp4: portability work, general cleanup, locking fixes

Browse Source 
change 38496
o add ipsec_osdep.h that holds os-specific definitions for portability
o s/KASSERT/IPSEC_ASSERT/ for portability
o s/SPLASSERT/IPSEC_SPLASSERT/ for portability
o remove function names from ASSERT strings since line#+file pinpints
  the location
o use __func__ uniformly to reduce string storage
o convert some random #ifdef DIAGNOSTIC code to assertions
o remove some debuggging assertions no longer needed

change 38498
o replace numerous bogus panic's with equally bogus assertions
  that at least go away on a production system

change 38502 + 38530
o change explicit mtx operations to #defines to simplify
  future changes to a different lock type

change 38531
o hookup ipv4 ctlinput paths to a noop routine; we should be
  handling path mtu changes at least
o correct potential null pointer deref in ipsec4_common_input_cb

chnage 38685
o fix locking for bundled SA's and for when key exchange is required

change 38770
o eliminate recursion on the SAHTREE lock

change 38804
o cleanup some types: long -> time_t
o remove refrence to dead #define

change 38805
o correct some types: long -> time_t
o add scan generation # to secpolicy to deal with locking issues

change 38806
o use LIST_FOREACH_SAFE instead of handrolled code
o change key_flush_spd to drop the sptree lock before purging
  an entry to avoid lock recursion and to avoid holding the lock
  over a long-running operation
o misc cleanups of tangled and twisty code

There is still much to do here but for now things look to be
working again.

Supported by:	FreeBSD Foundation
This commit is contained in:
Sam Leffler 2003-09-29 22:57:43 +00:00
parent 1a920b1142
commit 9ffa96777e
13 changed files with 1277 additions and 1264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

234
sys/netipsec/ipsec.c
View File

@ -92,8 +92,6 @@
#include <machine/in_cksum.h>
#include <net/net_osdep.h>
#ifdef IPSEC_DEBUG
int ipsec_debug = 1;
#else
@ -249,14 +247,14 @@ ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir)
{
struct secpolicy *sp;
KASSERT(tdbi != NULL, ("ipsec_getpolicy: null tdbi"));
KASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
("ipsec_getpolicy: invalid direction %u", dir));
IPSEC_ASSERT(tdbi != NULL, ("null tdbi"));
IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
("invalid direction %u", dir));
sp = KEY_ALLOCSP2(tdbi->spi, &tdbi->dst, tdbi->proto, dir);
if (sp == NULL) /*XXX????*/
sp = KEY_ALLOCSP_DEFAULT();
KASSERT(sp != NULL, ("ipsec_getpolicy: null SP"));
IPSEC_ASSERT(sp != NULL, ("null SP"));
return sp;
}
@ -283,11 +281,11 @@ ipsec_getpolicybysock(m, dir, inp, error)
struct secpolicy *currsp = NULL; /* policy on socket */
struct secpolicy *sp;
KASSERT(m != NULL, ("ipsec_getpolicybysock: null mbuf"));
KASSERT(inp != NULL, ("ipsec_getpolicybysock: null inpcb"));
KASSERT(error != NULL, ("ipsec_getpolicybysock: null error"));
KASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
("ipsec_getpolicybysock: invalid direction %u", dir));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(inp != NULL, ("null inpcb"));
IPSEC_ASSERT(error != NULL, ("null error"));
IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
("invalid direction %u", dir));
/* set spidx in pcb */
if (inp->inp_vflag & INP_IPV6PROTO) {
@ -304,7 +302,7 @@ ipsec_getpolicybysock(m, dir, inp, error)
if (*error)
return NULL;
KASSERT(pcbsp != NULL, ("ipsec_getpolicybysock: null pcbsp"));
IPSEC_ASSERT(pcbsp != NULL, ("null pcbsp"));
switch (dir) {
case IPSEC_DIR_INBOUND:
currsp = pcbsp->sp_in;
@ -313,7 +311,7 @@ ipsec_getpolicybysock(m, dir, inp, error)
currsp = pcbsp->sp_out;
break;
}
KASSERT(currsp != NULL, ("ipsec_getpolicybysock: null currsp"));
IPSEC_ASSERT(currsp != NULL, ("null currsp"));
if (pcbsp->priv) { /* when privilieged socket */
switch (currsp->policy) {
@ -331,8 +329,8 @@ ipsec_getpolicybysock(m, dir, inp, error)
break;
default:
ipseclog((LOG_ERR, "ipsec_getpolicybysock: "
"Invalid policy for PCB %d\n", currsp->policy));
ipseclog((LOG_ERR, "%s: Invalid policy for PCB %d\n",
__func__, currsp->policy));
*error = EINVAL;
return NULL;
}
@ -341,9 +339,9 @@ ipsec_getpolicybysock(m, dir, inp, error)
if (sp == NULL) { /* no SP found */
switch (currsp->policy) {
case IPSEC_POLICY_BYPASS:
ipseclog((LOG_ERR, "ipsec_getpolicybysock: "
"Illegal policy for non-priviliged defined %d\n",
currsp->policy));
ipseclog((LOG_ERR, "%s: Illegal policy for "
"non-priviliged defined %d\n",
__func__, currsp->policy));
*error = EINVAL;
return NULL;
@ -357,20 +355,18 @@ ipsec_getpolicybysock(m, dir, inp, error)
break;
default:
ipseclog((LOG_ERR, "ipsec_getpolicybysock: "
"Invalid policy for PCB %d\n", currsp->policy));
ipseclog((LOG_ERR, "%s: Invalid policy for "
"PCB %d\n", __func__, currsp->policy));
*error = EINVAL;
return NULL;
}
}
}
KASSERT(sp != NULL,
("ipsec_getpolicybysock: null SP (priv %u policy %u",
pcbsp->priv, currsp->policy));
IPSEC_ASSERT(sp != NULL,
("null SP (priv %u policy %u", pcbsp->priv, currsp->policy));
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ipsec_getpolicybysock (priv %u policy %u) allocates "
"SP:%p (refcnt %u)\n", pcbsp->priv, currsp->policy,
sp, sp->refcnt));
printf("DP %s (priv %u policy %u) allocate SP:%p (refcnt %u)\n",
__func__, pcbsp->priv, currsp->policy, sp, sp->refcnt));
return sp;
}
@ -394,10 +390,10 @@ ipsec_getpolicybyaddr(m, dir, flag, error)
struct secpolicyindex spidx;
struct secpolicy *sp;
KASSERT(m != NULL, ("ipsec_getpolicybyaddr: null mbuf"));
KASSERT(error != NULL, ("ipsec_getpolicybyaddr: null error"));
KASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
("ipsec4_getpolicybaddr: invalid direction %u", dir));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(error != NULL, ("null error"));
IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
("invalid direction %u", dir));
sp = NULL;
if (key_havesp(dir)) {
@ -405,8 +401,8 @@ ipsec_getpolicybyaddr(m, dir, flag, error)
*error = ipsec_setspidx(m, &spidx,
(flag & IP_FORWARDING) ? 0 : 1);
if (*error != 0) {
DPRINTF(("ipsec_getpolicybyaddr: setpidx failed,"
" dir %u flag %u\n", dir, flag));
DPRINTF(("%s: setpidx failed, dir %u flag %u\n",
__func__, dir, flag));
bzero(&spidx, sizeof (spidx));
return NULL;
}
@ -416,7 +412,7 @@ ipsec_getpolicybyaddr(m, dir, flag, error)
}
if (sp == NULL) /* no SP found, use system default */
sp = KEY_ALLOCSP_DEFAULT();
KASSERT(sp != NULL, ("ipsec_getpolicybyaddr: null SP"));
IPSEC_ASSERT(sp != NULL, ("null SP"));
return sp;
}
@ -435,17 +431,15 @@ ipsec4_checkpolicy(m, dir, flag, error, inp)
else
sp = ipsec_getpolicybysock(m, dir, inp, error);
if (sp == NULL) {
KASSERT(*error != 0,
("ipsec4_checkpolicy: getpolicy failed w/o error"));
IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
newipsecstat.ips_out_inval++;
return NULL;
}
KASSERT(*error == 0,
("ipsec4_checkpolicy: sp w/ error set to %u", *error));
IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
switch (sp->policy) {
case IPSEC_POLICY_ENTRUST:
default:
printf("ipsec4_checkpolicy: invalid policy %u\n", sp->policy);
printf("%s: invalid policy %u\n", __func__, sp->policy);
/* fall thru... */
case IPSEC_POLICY_DISCARD:
newipsecstat.ips_out_polvio++;
@ -475,10 +469,10 @@ ipsec4_setspidx_inpcb(m, pcb)
{
int error;
KASSERT(pcb != NULL, ("ipsec4_setspidx_inpcb: null pcb"));
KASSERT(pcb->inp_sp != NULL, ("ipsec4_setspidx_inpcb: null inp_sp"));
KASSERT(pcb->inp_sp->sp_out != NULL && pcb->inp_sp->sp_in != NULL,
("ipsec4_setspidx_inpcb: null sp_in || sp_out"));
IPSEC_ASSERT(pcb != NULL, ("null pcb"));
IPSEC_ASSERT(pcb->inp_sp != NULL, ("null inp_sp"));
IPSEC_ASSERT(pcb->inp_sp->sp_out != NULL && pcb->inp_sp->sp_in != NULL,
("null sp_in || sp_out"));
error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1);
if (error == 0) {
@ -503,10 +497,10 @@ ipsec6_setspidx_in6pcb(m, pcb)
struct secpolicyindex *spidx;
int error;
KASSERT(pcb != NULL, ("ipsec6_setspidx_in6pcb: null pcb"));
KASSERT(pcb->in6p_sp != NULL, ("ipsec6_setspidx_in6pcb: null inp_sp"));
KASSERT(pcb->in6p_sp->sp_out != NULL && pcb->in6p_sp->sp_in != NULL,
("ipsec6_setspidx_in6pcb: null sp_in || sp_out"));
IPSEC_ASSERT(pcb != NULL, ("null pcb"));
IPSEC_ASSERT(pcb->in6p_sp != NULL, ("null inp_sp"));
IPSEC_ASSERT(pcb->in6p_sp->sp_out != NULL && pcb->in6p_sp->sp_in != NULL,
("null sp_in || sp_out"));
bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
@ -550,7 +544,7 @@ ipsec_setspidx(m, spidx, needport)
int len;
int error;
KASSERT(m != NULL, ("ipsec_setspidx: null mbuf"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
/*
* validate m->m_pkthdr.len. we see incorrect length if we
@ -562,18 +556,15 @@ ipsec_setspidx(m, spidx, needport)
len += n->m_len;
if (m->m_pkthdr.len != len) {
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_setspidx: "
"total of m_len(%d) != pkthdr.len(%d), "
"ignored.\n",
len, m->m_pkthdr.len));
printf("%s: pkthdr len(%d) mismatch (%d), ignored.\n",
__func__, len, m->m_pkthdr.len));
return EINVAL;
}
if (m->m_pkthdr.len < sizeof(struct ip)) {
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_setspidx: "
"pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
m->m_pkthdr.len));
printf("%s: pkthdr len(%d) too small (v4), ignored.\n",
__func__, m->m_pkthdr.len));
return EINVAL;
}
@ -599,9 +590,8 @@ ipsec_setspidx(m, spidx, needport)
case 6:
if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_setspidx: "
"pkthdr.len(%d) < sizeof(struct ip6_hdr), "
"ignored.\n", m->m_pkthdr.len));
printf("%s: pkthdr len(%d) too small (v6), "
"ignored\n", __func__, m->m_pkthdr.len));
return EINVAL;
}
error = ipsec6_setspidx_ipaddr(m, spidx);
@ -612,8 +602,8 @@ ipsec_setspidx(m, spidx, needport)
#endif
default:
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_setspidx: "
"unknown IP version %u, ignored.\n", v));
printf("%s: " "unknown IP version %u, ignored.\n",
__func__, v));
return EINVAL;
}
}
@ -625,9 +615,8 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
int off;
/* sanity check */
KASSERT(m != NULL, ("ipsec4_get_ulp: null mbuf"));
KASSERT(m->m_pkthdr.len >= sizeof(struct ip),
("ipsec4_get_ulp: packet too short"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short"));
/* NB: ip_input() flips it into host endian XXX need more checking */
if (m->m_len < sizeof (struct ip)) {
@ -747,10 +736,10 @@ ipsec6_get_ulp(m, spidx, needport)
/* sanity check */
if (m == NULL)
panic("ipsec6_get_ulp: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
printf("%s:\n", __func__); kdebug_mbuf(m));
/* set default */
spidx->ul_proto = IPSEC_ULPROTO_ANY;
@ -851,19 +840,16 @@ ipsec_init_policy(so, pcb_sp)
/* sanity check. */
if (so == NULL || pcb_sp == NULL)
panic("ipsec_init_policy: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
new = (struct inpcbpolicy *) malloc(sizeof(struct inpcbpolicy),
M_IPSEC_INPCB, M_NOWAIT|M_ZERO);
if (new == NULL) {
ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
return ENOBUFS;
}
if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
new->priv = 1;
else
new->priv = 0;
new->priv = IPSEC_IS_PRIVILEGED_SO(so);
if ((new->sp_in = KEY_NEWSP()) == NULL) {
ipsec_delpcbpolicy(new);
@ -918,14 +904,14 @@ ipsec_newisr(void)
p = malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, M_NOWAIT|M_ZERO);
if (p != NULL)
mtx_init(&p->lock, "ipsec request", NULL, MTX_DEF);
IPSECREQUEST_LOCK_INIT(p);
return p;
}
void
ipsec_delisr(struct ipsecrequest *p)
{
mtx_destroy(&p->lock);
IPSECREQUEST_LOCK_DESTROY(p);
free(p, M_IPSEC_SR);
}
@ -1005,7 +991,7 @@ ipsec_set_policy(pcb_sp, optname, request, len, priv)
xpl = (struct sadb_x_policy *)request;
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_set_policy: passed policy\n");
printf("%s: passed policy\n", __func__);
kdebug_sadb_x_policy((struct sadb_ext *)xpl));
/* check policy type */
@ -1028,7 +1014,7 @@ ipsec_set_policy(pcb_sp, optname, request, len, priv)
KEY_FREESP(pcb_sp);
*pcb_sp = newsp;
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_set_policy: new policy\n");
printf("%s: new policy\n", __func__);
kdebug_secpolicy(newsp));
return 0;
@ -1046,14 +1032,13 @@ ipsec_get_policy(pcb_sp, mp)
*mp = key_sp2msg(pcb_sp);
if (!*mp) {
ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
return ENOBUFS;
}
(*mp)->m_type = MT_DATA;
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_get_policy:\n");
kdebug_mbuf(*mp));
printf("%s:\n", __func__); kdebug_mbuf(*mp));
return 0;
}
@ -1085,7 +1070,7 @@ ipsec4_set_policy(inp, optname, request, len, priv)
pcb_sp = &inp->inp_sp->sp_out;
break;
default:
ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
xpl->sadb_x_policy_dir));
return EINVAL;
}
@ -1106,7 +1091,7 @@ ipsec4_get_policy(inp, request, len, mp)
/* sanity check. */
if (inp == NULL || request == NULL || mp == NULL)
return EINVAL;
KASSERT(inp->inp_sp != NULL, ("ipsec4_get_policy: null inp_sp"));
IPSEC_ASSERT(inp->inp_sp != NULL, ("null inp_sp"));
if (len < sizeof(*xpl))
return EINVAL;
xpl = (struct sadb_x_policy *)request;
@ -1120,7 +1105,7 @@ ipsec4_get_policy(inp, request, len, mp)
pcb_sp = inp->inp_sp->sp_out;
break;
default:
ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
xpl->sadb_x_policy_dir));
return EINVAL;
}
@ -1133,7 +1118,7 @@ int
ipsec4_delete_pcbpolicy(inp)
struct inpcb *inp;
{
KASSERT(inp != NULL, ("ipsec4_delete_pcbpolicy: null inp"));
IPSEC_ASSERT(inp != NULL, ("null inp"));
if (inp->inp_sp == NULL)
return 0;
@ -1178,7 +1163,7 @@ ipsec6_set_policy(in6p, optname, request, len, priv)
pcb_sp = &in6p->in6p_sp->sp_out;
break;
default:
ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
xpl->sadb_x_policy_dir));
return EINVAL;
}
@ -1199,7 +1184,7 @@ ipsec6_get_policy(in6p, request, len, mp)
/* sanity check. */
if (in6p == NULL || request == NULL || mp == NULL)
return EINVAL;
KASSERT(in6p->in6p_sp != NULL, ("ipsec6_get_policy: null in6p_sp"));
IPSEC_ASSERT(in6p->in6p_sp != NULL, ("null in6p_sp"));
if (len < sizeof(*xpl))
return EINVAL;
xpl = (struct sadb_x_policy *)request;
@ -1213,7 +1198,7 @@ ipsec6_get_policy(in6p, request, len, mp)
pcb_sp = in6p->in6p_sp->sp_out;
break;
default:
ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
xpl->sadb_x_policy_dir));
return EINVAL;
}
@ -1225,7 +1210,7 @@ int
ipsec6_delete_pcbpolicy(in6p)
struct in6pcb *in6p;
{
KASSERT(in6p != NULL, ("ipsec6_delete_pcbpolicy: null in6p"));
IPSEC_ASSERT(in6p != NULL, ("null in6p"));
if (in6p->in6p_sp == NULL)
return 0;
@ -1255,10 +1240,9 @@ ipsec_get_reqlevel(isr)
u_int esp_trans_deflev, esp_net_deflev;
u_int ah_trans_deflev, ah_net_deflev;
KASSERT(isr != NULL && isr->sp != NULL,
("ipsec_get_reqlevel: null argument"));
KASSERT(isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family,
("ipsec_get_reqlevel: af family mismatch, src %u, dst %u",
IPSEC_ASSERT(isr != NULL && isr->sp != NULL, ("null argument"));
IPSEC_ASSERT(isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family,
("af family mismatch, src %u, dst %u",
isr->sp->spidx.src.sa.sa_family,
isr->sp->spidx.dst.sa.sa_family));
@ -1293,8 +1277,8 @@ ipsec_get_reqlevel(isr)
break;
#endif /* INET6 */
default:
panic("key_get_reqlevel: unknown af %u",
isr->sp->spidx.src.sa.sa_family);
panic("%s: unknown af %u",
__func__, isr->sp->spidx.src.sa.sa_family);
}
#undef IPSEC_CHECK_DEFAULT
@ -1322,8 +1306,7 @@ ipsec_get_reqlevel(isr)
level = IPSEC_LEVEL_USE;
break;
default:
panic("ipsec_get_reqlevel: "
"Illegal protocol defined %u\n",
panic("%s: Illegal protocol defined %u\n", __func__,
isr->saidx.proto);
}
break;
@ -1337,8 +1320,7 @@ ipsec_get_reqlevel(isr)
break;
default:
panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
isr->level);
panic("%s: Illegal IPsec level %u\n", __func__, isr->level);
}
return level;
@ -1361,8 +1343,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
int need_auth;
KEYDEBUG(KEYDEBUG_IPSEC_DATA,
printf("ipsec_in_reject: using SP\n");
kdebug_secpolicy(sp));
printf("%s: using SP\n", __func__); kdebug_secpolicy(sp));
/* check policy */
switch (sp->policy) {
@ -1373,8 +1354,8 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
return 0;
}
KASSERT(sp->policy == IPSEC_POLICY_IPSEC,
("ipsec_in_reject: invalid policy %u", sp->policy));
IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
("invalid policy %u", sp->policy));
/* XXX should compare policy against ipsec header history */
@ -1386,7 +1367,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
case IPPROTO_ESP:
if ((m->m_flags & M_DECRYPTED) == 0) {
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_in_reject: ESP m_flags:%x\n",
printf("%s: ESP m_flags:%x\n", __func__,
m->m_flags));
return 1;
}
@ -1396,7 +1377,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
isr->sav->tdb_authalgxform != NULL &&
(m->m_flags & M_AUTHIPDGM) == 0) {
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_in_reject: ESP/AH m_flags:%x\n",
printf("%s: ESP/AH m_flags:%x\n", __func__,
m->m_flags));
return 1;
}
@ -1405,7 +1386,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
need_auth = 1;
if ((m->m_flags & M_AUTHIPHDR) == 0) {
KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
printf("ipsec_in_reject: AH m_flags:%x\n",
printf("%s: AH m_flags:%x\n", __func__,
m->m_flags));
return 1;
}
@ -1437,7 +1418,7 @@ ipsec4_in_reject(m, inp)
int error;
int result;
KASSERT(m != NULL, ("ipsec4_in_reject_so: null mbuf"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
/* get SP for this packet.
* When we are called from ip_forward(), we call
@ -1512,8 +1493,7 @@ ipsec_hdrsiz(struct secpolicy *sp)
size_t siz;
KEYDEBUG(KEYDEBUG_IPSEC_DATA,
printf("ipsec_hdrsiz: using SP\n");
kdebug_secpolicy(sp));
printf("%s: using SP\n", __func__); kdebug_secpolicy(sp));
switch (sp->policy) {
case IPSEC_POLICY_DISCARD:
@ -1522,8 +1502,8 @@ ipsec_hdrsiz(struct secpolicy *sp)
return 0;
}
KASSERT(sp->policy == IPSEC_POLICY_IPSEC,
("ipsec_hdrsiz: invalid policy %u", sp->policy));
IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
("invalid policy %u", sp->policy));
siz = 0;
for (isr = sp->req; isr != NULL; isr = isr->next) {
@ -1552,8 +1532,8 @@ ipsec_hdrsiz(struct secpolicy *sp)
break;
#endif
default:
ipseclog((LOG_ERR, "ipsec_hdrsiz: "
"unknown AF %d in IPsec tunnel SA\n",
ipseclog((LOG_ERR, "%s: unknown AF %d in "
"IPsec tunnel SA\n", __func__,
((struct sockaddr *)&isr->saidx.dst)->sa_family));
break;
}
@ -1575,7 +1555,7 @@ ipsec4_hdrsiz(m, dir, inp)
int error;
size_t size;
KASSERT(m != NULL, ("ipsec4_hdrsiz: null mbuf"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
/* get SP for this packet.
* When we are called from ip_forward(), we call
@ -1589,7 +1569,7 @@ ipsec4_hdrsiz(m, dir, inp)
if (sp != NULL) {
size = ipsec_hdrsiz(sp);
KEYDEBUG(KEYDEBUG_IPSEC_DATA,
printf("ipsec4_hdrsiz: size:%lu.\n",
printf("%s: size:%lu.\n", __func__,
(unsigned long)size));
KEY_FREESP(&sp);
@ -1613,9 +1593,9 @@ ipsec6_hdrsiz(m, dir, in6p)
int error;
size_t size;
KASSERT(m != NULL, ("ipsec6_hdrsiz: null mbuf"));
KASSERT(in6p == NULL || in6p->in6p_socket != NULL,
("ipsec6_hdrsize: socket w/o inpcb"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(in6p == NULL || in6p->in6p_socket != NULL,
("socket w/o inpcb"));
/* get SP for this packet */
/* XXX Is it right to call with IP_FORWARDING. */
@ -1628,7 +1608,7 @@ ipsec6_hdrsiz(m, dir, in6p)
return 0;
size = ipsec_hdrsiz(sp);
KEYDEBUG(KEYDEBUG_IPSEC_DATA,
printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
printf("%s: size:%lu.\n", __func__, (unsigned long)size));
KEY_FREESP(&sp);
return size;
@ -1656,12 +1636,10 @@ ipsec_chkreplay(seq, sav)
u_int32_t wsizeb; /* constant: bits of window size */
int frlast; /* constant: last frame */
#if 0
SPLASSERT(net, "ipsec_chkreplay");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(sav != NULL, ("ipsec_chkreplay: Null SA"));
KASSERT(sav->replay != NULL, ("ipsec_chkreplay: Null replay state"));
IPSEC_ASSERT(sav != NULL, ("Null SA"));
IPSEC_ASSERT(sav->replay != NULL, ("Null replay state"));
replay = sav->replay;
@ -1718,12 +1696,10 @@ ipsec_updatereplay(seq, sav)
u_int32_t wsizeb; /* constant: bits of window size */
int frlast; /* constant: last frame */
#if 0
SPLASSERT(net, "ipsec_updatereplay");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(sav != NULL, ("ipsec_updatereplay: Null SA"));
KASSERT(sav->replay != NULL, ("ipsec_updatereplay: Null replay state"));
IPSEC_ASSERT(sav != NULL, ("Null SA"));
IPSEC_ASSERT(sav->replay != NULL, ("Null replay state"));
replay = sav->replay;
@ -1794,8 +1770,8 @@ ipsec_updatereplay(seq, sav)
if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
return 1;
ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
replay->overflow, ipsec_logsastr(sav)));
ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n",
__func__, replay->overflow, ipsec_logsastr(sav)));
}
replay->count++;
@ -1872,8 +1848,8 @@ ipsec_logsastr(sav)
char *p;
struct secasindex *saidx = &sav->sah->saidx;
KASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
("ipsec_logsastr: address family mismatch"));
IPSEC_ASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
("address family mismatch"));
p = buf;
snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));

32
sys/netipsec/ipsec.h
View File

@ -44,6 +44,7 @@
#include <net/pfkeyv2.h>
#include <netipsec/keydb.h>
#include <netipsec/ipsec_osdep.h>
#ifdef _KERNEL
@ -79,8 +80,8 @@ struct secpolicy {
u_int state; /* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD 0
#define IPSEC_SPSTATE_ALIVE 1
u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
u_int16_t policy; /* policy_type per pfkeyv2.h */
u_int16_t scangen; /* scan generation # */
struct ipsecrequest *req;
/* pointer to the ipsec request tree, */
/* if policy == IPSEC else this value == NULL.*/
@ -92,12 +93,19 @@ struct secpolicy {
* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
*/
long created; /* time created the policy */
long lastused; /* updated every when kernel sends a packet */
time_t created; /* time created the policy */
time_t lastused; /* updated every when kernel sends a packet */
long lifetime; /* duration of the lifetime of this policy */
long validtime; /* duration this policy is valid without use */
};
#define SECPOLICY_LOCK_INIT(_sp) \
mtx_init(&(_sp)->lock, "ipsec policy", NULL, MTX_DEF)
#define SECPOLICY_LOCK(_sp) mtx_lock(&(_sp)->lock)
#define SECPOLICY_UNLOCK(_sp) mtx_unlock(&(_sp)->lock)
#define SECPOLICY_LOCK_DESTROY(_sp) mtx_destroy(&(_sp)->lock)
#define SECPOLICY_LOCK_ASSERT(_sp) mtx_assert(&(_sp)->lock, MA_OWNED)
/* Request for IPsec */
struct ipsecrequest {
struct ipsecrequest *next;
@ -112,6 +120,18 @@ struct ipsecrequest {
struct mtx lock; /* to interlock updates */
};
/*
* Need recursion for when crypto callbacks happen directly,
* as in the case of software crypto. Need to look at how
* hard it is to remove this...
*/
#define IPSECREQUEST_LOCK_INIT(_isr) \
mtx_init(&(_isr)->lock, "ipsec request", NULL, MTX_DEF | MTX_RECURSE)
#define IPSECREQUEST_LOCK(_isr) mtx_lock(&(_isr)->lock)
#define IPSECREQUEST_UNLOCK(_isr) mtx_unlock(&(_isr)->lock)
#define IPSECREQUEST_LOCK_DESTROY(_isr) mtx_destroy(&(_isr)->lock)
#define IPSECREQUEST_LOCK_ASSERT(_isr) mtx_assert(&(_isr)->lock, MA_OWNED)
/* security policy in PCB */
struct inpcbpolicy {
struct secpolicy *sp_in;
@ -125,7 +145,7 @@ struct secspacq {
struct secpolicyindex spidx;
long created; /* for lifetime */
time_t created; /* for lifetime */
int count; /* for lifetime */
/* XXX: here is mbuf place holder to be sent ? */
};
@ -367,7 +387,9 @@ extern void ipsec_dumpmbuf __P((struct mbuf *));
struct m_tag;
extern void ah4_input(struct mbuf *m, int off);
extern void ah4_ctlinput(int cmd, struct sockaddr *sa, void *);
extern void esp4_input(struct mbuf *m, int off);
extern void esp4_ctlinput(int cmd, struct sockaddr *sa, void *);
extern void ipcomp4_input(struct mbuf *m, int off);
extern int ipsec4_common_input(struct mbuf *m, ...);
extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,

535
sys/netipsec/ipsec_input.c
View File

@ -91,11 +91,11 @@
#include <machine/in_cksum.h>
#include <machine/stdarg.h>
#include <net/net_osdep.h>
#define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \
(p) == IPPROTO_AH ? (y)++ : (z)++)
static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
/*
* ipsec_common_input gets called when an IPsec-protected packet
* is received by IPv4 or IPv6. It's job is to find the right SA
@ -113,7 +113,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input,
ipcompstat.ipcomps_input);
KASSERT(m != NULL, ("ipsec_common_input: null packet"));
IPSEC_ASSERT(m != NULL, ("null packet"));
if ((sproto == IPPROTO_ESP && !esp_enable) ||
(sproto == IPPROTO_AH && !ah_enable) ||
@ -128,7 +128,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
m_freem(m);
IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
DPRINTF(("ipsec_common_input: packet too small\n"));
DPRINTF(("%s: packet too small\n", __func__));
return EINVAL;
}
@ -170,8 +170,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
break;
#endif /* INET6 */
default:
DPRINTF(("ipsec_common_input: unsupported protocol "
"family %u\n", af));
DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
m_freem(m);
IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf,
ipcompstat.ipcomps_nopf);
@ -181,9 +180,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
/* NB: only pass dst since key_allocsa follows RFC2401 */
sav = KEY_ALLOCSA(&dst_address, sproto, spi);
if (sav == NULL) {
DPRINTF(("ipsec_common_input: no key association found for"
" SA %s/%08lx/%u\n",
ipsec_address(&dst_address),
DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb,
ipcompstat.ipcomps_notdb);
@ -192,9 +190,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
}
if (sav->tdb_xform == NULL) {
DPRINTF(("ipsec_common_input: attempted to use uninitialized"
" SA %s/%08lx/%u\n",
ipsec_address(&dst_address),
DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform,
ipcompstat.ipcomps_noxform);
@ -236,12 +233,26 @@ ah4_input(struct mbuf *m, int off)
{
ipsec4_common_input(m, off, IPPROTO_AH);
}
void
ah4_ctlinput(int cmd, struct sockaddr *sa, void *v)
{
if (sa->sa_family == AF_INET &&
sa->sa_len == sizeof(struct sockaddr_in))
ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_AH);
}
void
esp4_input(struct mbuf *m, int off)
{
ipsec4_common_input(m, off, IPPROTO_ESP);
}
void
esp4_ctlinput(int cmd, struct sockaddr *sa, void *v)
{
if (sa->sa_family == AF_INET &&
sa->sa_len == sizeof(struct sockaddr_in))
ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_ESP);
}
void
ipcomp4_input(struct mbuf *m, int off)
@ -266,25 +277,22 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
struct secasindex *saidx;
int error;
#if 0
SPLASSERT(net, "ipsec4_common_input_cb");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(m != NULL, ("ipsec4_common_input_cb: null mbuf"));
KASSERT(sav != NULL, ("ipsec4_common_input_cb: null SA"));
KASSERT(sav->sah != NULL, ("ipsec4_common_input_cb: null SAH"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
saidx = &sav->sah->saidx;
af = saidx->dst.sa.sa_family;
KASSERT(af == AF_INET, ("ipsec4_common_input_cb: unexpected af %u",af));
IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
sproto = saidx->proto;
KASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
sproto == IPPROTO_IPCOMP,
("ipsec4_common_input_cb: unexpected security protocol %u",
sproto));
("unexpected security protocol %u", sproto));
/* Sanity check */
if (m == NULL) {
DPRINTF(("ipsec4_common_input_cb: null mbuf"));
DPRINTF(("%s: null mbuf", __func__));
IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
ipcompstat.ipcomps_badkcr);
KEY_FREESAV(&sav);
@ -294,9 +302,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
if (skip != 0) {
/* Fix IPv4 header */
if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
DPRINTF(("ipsec4_common_input_cb: processing failed "
"for SA %s/%08lx\n",
ipsec_address(&sav->sah->saidx.dst),
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
@ -343,9 +350,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
(saidx->proxy.sa.sa_family != AF_INET &&
saidx->proxy.sa.sa_family != 0)) {
DPRINTF(("ipsec4_common_input_cb: inner "
"source address %s doesn't correspond to "
"expected proxy source %s, SA %s/%08lx\n",
DPRINTF(("%s: inner source address %s doesn't "
"correspond to expected proxy source %s, "
"SA %s/%08lx\n", __func__,
inet_ntoa4(ipn.ip_src),
ipsp_address(saidx->proxy),
ipsp_address(saidx->dst),
@ -387,9 +394,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
(saidx->proxy.sa.sa_family != AF_INET6 &&
saidx->proxy.sa.sa_family != 0)) {
DPRINTF(("ipsec4_common_input_cb: inner "
"source address %s doesn't correspond to "
"expected proxy source %s, SA %s/%08lx\n",
DPRINTF(("%s: inner source address %s doesn't "
"correspond to expected proxy source %s, "
"SA %s/%08lx\n", __func__,
ip6_sprintf(&ip6n.ip6_src),
ipsec_address(&saidx->proxy),
ipsec_address(&saidx->dst),
@ -417,7 +424,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("ipsec4_common_input_cb: failed to get tag\n"));
DPRINTF(("%s: failed to get tag\n", __func__));
IPSEC_ISTAT(sproto, espstat.esps_hdrops,
ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
error = ENOMEM;
@ -444,8 +451,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull,
ipcompstat.ipcomps_qfull);
DPRINTF(("ipsec4_common_input_cb: queue full; "
"proto %u packet dropped\n", sproto));
DPRINTF(("%s: queue full; proto %u packet dropped\n",
__func__, sproto));
return ENOBUFS;
}
return 0;
@ -453,6 +460,12 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
m_freem(m);
return error;
}
void
ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto)
{
/* XXX nothing just yet */
}
#endif /* INET */
#ifdef INET6
@ -465,7 +478,7 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
struct ip6_ext ip6e;
if (*offp < sizeof(struct ip6_hdr)) {
DPRINTF(("ipsec6_common_input: bad offset %u\n", *offp));
DPRINTF(("%s: bad offset %u\n", __func__, *offp));
return IPPROTO_DONE;
} else if (*offp == sizeof(struct ip6_hdr)) {
protoff = offsetof(struct ip6_hdr, ip6_nxt);
@ -482,13 +495,13 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
l = (ip6e.ip6e_len + 2) << 2;
else
l = (ip6e.ip6e_len + 1) << 3;
KASSERT(l > 0, ("ah6_input: l went zero or negative"));
IPSEC_ASSERT(l > 0, ("l went zero or negative"));
} while (protoff + l < *offp);
/* Malformed packet check */
if (protoff + l != *offp) {
DPRINTF(("ipsec6_common_input: bad packet header chain, "
"protoff %u, l %u, off %u\n", protoff, l, *offp));
DPRINTF(("%s: bad packet header chain, protoff %u, "
"l %u, off %u\n", __func__, protoff, l, *offp));
IPSEC_ISTAT(proto, espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
@ -502,6 +515,227 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
return IPPROTO_DONE;
}
/*
* IPsec input callback, called by the transform callback. Takes care of
* filtering and other sanity checks on the processed packet.
*/
int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
struct m_tag *mt)
{
int prot, af, sproto;
struct ip6_hdr *ip6;
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secasindex *saidx;
int nxt;
u_int8_t nxt8;
int error, nest;
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
saidx = &sav->sah->saidx;
af = saidx->dst.sa.sa_family;
IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
sproto = saidx->proto;
IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
sproto == IPPROTO_IPCOMP,
("unexpected security protocol %u", sproto));
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
ipcompstat.ipcomps_badkcr);
error = EINVAL;
goto bad;
}
/* Fix IPv6 header */
if (m->m_len < sizeof(struct ip6_hdr) &&
(m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EACCES;
goto bad;
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
/* Save protocol */
m_copydata(m, protoff, 1, (unsigned char *) &prot);
#ifdef INET
/* IP-in-IP encapsulation */
if (prot == IPPROTO_IPIP) {
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
IPSEC_ISTAT(sproto, espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
/* ipn will now contain the inner IPv4 header */
m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn);
#ifdef notyet
/*
* Check that the inner source address is the same as
* the proxy address, if available.
*/
if ((saidx->proxy.sa.sa_family == AF_INET &&
saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
(saidx->proxy.sa.sa_family != AF_INET &&
saidx->proxy.sa.sa_family != 0)) {
DPRINTF(("%s: inner source address %s doesn't "
"correspond to expected proxy source %s, "
"SA %s/%08lx\n", __func__,
inet_ntoa4(ipn.ip_src),
ipsec_address(&saidx->proxy),
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTATsproto, (espstat.esps_pdrops,
ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
#endif /*XXX*/
}
#endif /* INET */
/* IPv6-in-IP encapsulation */
if (prot == IPPROTO_IPV6) {
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
IPSEC_ISTAT(sproto, espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
/* ip6n will now contain the inner IPv6 header. */
m_copydata(m, skip, sizeof(struct ip6_hdr),
(caddr_t) &ip6n);
#ifdef notyet
/*
* Check that the inner source address is the same as
* the proxy address, if available.
*/
if ((saidx->proxy.sa.sa_family == AF_INET6 &&
!IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
!IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
&saidx->proxy.sin6.sin6_addr)) ||
(saidx->proxy.sa.sa_family != AF_INET6 &&
saidx->proxy.sa.sa_family != 0)) {
DPRINTF(("%s: inner source address %s doesn't "
"correspond to expected proxy source %s, "
"SA %s/%08lx\n", __func__,
ip6_sprintf(&ip6n.ip6_src),
ipsec_address(&saidx->proxy),
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, espstat.esps_pdrops,
ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
#endif /*XXX*/
}
/*
* Record what we've done to the packet (under what SA it was
* processed). If we've been passed an mtag, it means the packet
* was already processed by an ethernet/crypto combo card and
* thus has a tag attached with all the right information, but
* with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
* PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
*/
if (mt == NULL && sproto != IPPROTO_IPCOMP) {
mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
IPSEC_ISTAT(sproto, espstat.esps_hdrops,
ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
}
tdbi = (struct tdb_ident *)(mtag + 1);
bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union));
tdbi->proto = sproto;
tdbi->spi = sav->spi;
m_tag_prepend(m, mtag);
} else {
if (mt != NULL)
mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
/* XXX do we need to mark m_flags??? */
}
key_sa_recordxfer(sav, m);
/* Retrieve new protocol */
m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8);
/*
* See the end of ip6_input for this logic.
* IPPROTO_IPV[46] case will be processed just like other ones
*/
nest = 0;
nxt = nxt8;
while (nxt != IPPROTO_DONE) {
if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
ip6stat.ip6s_toomanyhdr++;
error = EINVAL;
goto bad;
}
/*
* Protection against faulty packet - there should be
* more sanity checks in header chain processing.
*/
if (m->m_pkthdr.len < skip) {
ip6stat.ip6s_tooshort++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
error = EINVAL;
goto bad;
}
/*
* Enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
ipsec6_in_reject(m, NULL)) {
error = EINVAL;
goto bad;
}
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
}
return 0;
bad:
if (m)
m_freem(m);
return error;
}
void
esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
{
@ -577,227 +811,4 @@ esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
/* we normally notify any pcb here */
}
}
/*
* IPsec input callback, called by the transform callback. Takes care of
* filtering and other sanity checks on the processed packet.
*/
int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
struct m_tag *mt)
{
int prot, af, sproto;
struct ip6_hdr *ip6;
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secasindex *saidx;
int nxt;
u_int8_t nxt8;
int error, nest;
KASSERT(m != NULL, ("ipsec6_common_input_cb: null mbuf"));
KASSERT(sav != NULL, ("ipsec6_common_input_cb: null SA"));
KASSERT(sav->sah != NULL, ("ipsec6_common_input_cb: null SAH"));
saidx = &sav->sah->saidx;
af = saidx->dst.sa.sa_family;
KASSERT(af == AF_INET6,
("ipsec6_common_input_cb: unexpected af %u", af));
sproto = saidx->proto;
KASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
sproto == IPPROTO_IPCOMP,
("ipsec6_common_input_cb: unexpected security protocol %u",
sproto));
/* Sanity check */
if (m == NULL) {
DPRINTF(("ipsec4_common_input_cb: null mbuf"));
IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
ipcompstat.ipcomps_badkcr);
error = EINVAL;
goto bad;
}
/* Fix IPv6 header */
if (m->m_len < sizeof(struct ip6_hdr) &&
(m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
DPRINTF(("ipsec_common_input_cb: processing failed "
"for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EACCES;
goto bad;
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
/* Save protocol */
m_copydata(m, protoff, 1, (unsigned char *) &prot);
#ifdef INET
/* IP-in-IP encapsulation */
if (prot == IPPROTO_IPIP) {
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
IPSEC_ISTAT(sproto, espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
/* ipn will now contain the inner IPv4 header */
m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn);
#ifdef notyet
/*
* Check that the inner source address is the same as
* the proxy address, if available.
*/
if ((saidx->proxy.sa.sa_family == AF_INET &&
saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
(saidx->proxy.sa.sa_family != AF_INET &&
saidx->proxy.sa.sa_family != 0)) {
DPRINTF(("ipsec_common_input_cb: inner "
"source address %s doesn't correspond to "
"expected proxy source %s, SA %s/%08lx\n",
inet_ntoa4(ipn.ip_src),
ipsec_address(&saidx->proxy),
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTATsproto, (espstat.esps_pdrops,
ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
#endif /*XXX*/
}
#endif /* INET */
/* IPv6-in-IP encapsulation */
if (prot == IPPROTO_IPV6) {
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
IPSEC_ISTAT(sproto, espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
/* ip6n will now contain the inner IPv6 header. */
m_copydata(m, skip, sizeof(struct ip6_hdr),
(caddr_t) &ip6n);
#ifdef notyet
/*
* Check that the inner source address is the same as
* the proxy address, if available.
*/
if ((saidx->proxy.sa.sa_family == AF_INET6 &&
!IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
!IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
&saidx->proxy.sin6.sin6_addr)) ||
(saidx->proxy.sa.sa_family != AF_INET6 &&
saidx->proxy.sa.sa_family != 0)) {
DPRINTF(("ipsec_common_input_cb: inner "
"source address %s doesn't correspond to "
"expected proxy source %s, SA %s/%08lx\n",
ip6_sprintf(&ip6n.ip6_src),
ipsec_address(&saidx->proxy),
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, espstat.esps_pdrops,
ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
#endif /*XXX*/
}
/*
* Record what we've done to the packet (under what SA it was
* processed). If we've been passed an mtag, it means the packet
* was already processed by an ethernet/crypto combo card and
* thus has a tag attached with all the right information, but
* with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
* PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
*/
if (mt == NULL && sproto != IPPROTO_IPCOMP) {
mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("ipsec_common_input_cb: failed to "
"get tag\n"));
IPSEC_ISTAT(sproto, espstat.esps_hdrops,
ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
}
tdbi = (struct tdb_ident *)(mtag + 1);
bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union));
tdbi->proto = sproto;
tdbi->spi = sav->spi;
m_tag_prepend(m, mtag);
} else {
mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
/* XXX do we need to mark m_flags??? */
}
key_sa_recordxfer(sav, m);
/* Retrieve new protocol */
m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8);
/*
* See the end of ip6_input for this logic.
* IPPROTO_IPV[46] case will be processed just like other ones
*/
nest = 0;
nxt = nxt8;
while (nxt != IPPROTO_DONE) {
if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
ip6stat.ip6s_toomanyhdr++;
error = EINVAL;
goto bad;
}
/*
* Protection against faulty packet - there should be
* more sanity checks in header chain processing.
*/
if (m->m_pkthdr.len < skip) {
ip6stat.ip6s_tooshort++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
error = EINVAL;
goto bad;
}
/*
* Enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
ipsec6_in_reject(m, NULL)) {
error = EINVAL;
goto bad;
}
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
}
return 0;
bad:
if (m)
m_freem(m);
return error;
}
#endif /* INET6 */

30
sys/netipsec/ipsec_mbuf.c
View File

@ -60,7 +60,7 @@ m_clone(struct mbuf *m0)
struct mbuf *n, *mfirst, *mlast;
int len, off;
KASSERT(m0 != NULL, ("m_clone: null mbuf"));
IPSEC_ASSERT(m0 != NULL, ("null mbuf"));
mprev = NULL;
for (m = m0; m != NULL; m = mprev->m_next) {
@ -105,8 +105,7 @@ m_clone(struct mbuf *m0)
* it anyway, we try to reduce the number of mbufs and
* clusters so that future work is easier).
*/
KASSERT(m->m_flags & M_EXT,
("m_clone: m_flags 0x%x", m->m_flags));
IPSEC_ASSERT(m->m_flags & M_EXT, ("m_flags 0x%x", m->m_flags));
/* NB: we only coalesce into a cluster or larger */
if (mprev != NULL && (mprev->m_flags & M_EXT) &&
m->m_len <= M_TRAILINGSPACE(mprev)) {
@ -208,8 +207,8 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
struct mbuf *m;
unsigned remain;
KASSERT(m0 != NULL, ("m_dmakespace: null mbuf"));
KASSERT(hlen < MHLEN, ("m_makespace: hlen too big: %u", hlen));
IPSEC_ASSERT(m0 != NULL, ("null mbuf"));
IPSEC_ASSERT(hlen < MHLEN, ("hlen too big: %u", hlen));
for (m = m0; m && skip > m->m_len; m = m->m_next)
skip -= m->m_len;
@ -228,8 +227,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
struct mbuf *n;
/* XXX code doesn't handle clusters XXX */
KASSERT(remain < MLEN,
("m_makespace: remainder too big: %u", remain));
IPSEC_ASSERT(remain < MLEN, ("remainder too big: %u", remain));
/*
* Not enough space in m, split the contents
* of m, inserting new mbufs as required.
@ -313,7 +311,7 @@ m_pad(struct mbuf *m, int n)
caddr_t retval;
if (n <= 0) { /* No stupid arguments. */
DPRINTF(("m_pad: pad length invalid (%d)\n", n));
DPRINTF(("%s: pad length invalid (%d)\n", __func__, n));
m_freem(m);
return NULL;
}
@ -323,14 +321,14 @@ m_pad(struct mbuf *m, int n)
m0 = m;
while (m0->m_len < len) {
KASSERT(m0->m_next != NULL, ("m_pad: m0 null, len %u m_len %u", len, m0->m_len));/*XXX*/
len -= m0->m_len;
m0 = m0->m_next;
}
if (m0->m_len != len) {
DPRINTF(("m_pad: length mismatch (should be %d instead of %d)\n",
m->m_pkthdr.len, m->m_pkthdr.len + m0->m_len - len));
DPRINTF(("%s: length mismatch (should be %d instead of %d)\n",
__func__, m->m_pkthdr.len,
m->m_pkthdr.len + m0->m_len - len));
m_freem(m);
return NULL;
@ -339,10 +337,10 @@ KASSERT(m0->m_next != NULL, ("m_pad: m0 null, len %u m_len %u", len, m0->m_len))
/* Check for zero-length trailing mbufs, and find the last one. */
for (m1 = m0; m1->m_next; m1 = m1->m_next) {
if (m1->m_next->m_len != 0) {
DPRINTF(("m_pad: length mismatch (should be %d "
"instead of %d)\n",
m->m_pkthdr.len,
m->m_pkthdr.len + m1->m_next->m_len));
DPRINTF(("%s: length mismatch (should be %d instead "
"of %d)\n", __func__,
m->m_pkthdr.len,
m->m_pkthdr.len + m1->m_next->m_len));
m_freem(m);
return NULL;
@ -356,7 +354,7 @@ KASSERT(m0->m_next != NULL, ("m_pad: m0 null, len %u m_len %u", len, m0->m_len))
MGET(m1, M_DONTWAIT, MT_DATA);
if (m1 == 0) {
m_freem(m0);
DPRINTF(("m_pad: unable to get extra mbuf\n"));
DPRINTF(("%s: unable to get extra mbuf\n", __func__));
return NULL;
}

90
sys/netipsec/ipsec_output.c
View File

@ -89,15 +89,13 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
struct secasindex *saidx;
int error;
#if 0
SPLASSERT(net, "ipsec_process_done");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(m != NULL, ("ipsec_process_done: null mbuf"));
KASSERT(isr != NULL, ("ipsec_process_done: null ISR"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(isr != NULL, ("null ISR"));
sav = isr->sav;
KASSERT(sav != NULL, ("ipsec_process_done: null SA"));
KASSERT(sav->sah != NULL, ("ipsec_process_done: null SAH"));
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
saidx = &sav->sah->saidx;
switch (saidx->dst.sa.sa_family) {
@ -124,7 +122,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
break;
#endif /* INET6 */
default:
DPRINTF(("ipsec_process_done: unknown protocol family %u\n",
DPRINTF(("%s: unknown protocol family %u\n", __func__,
saidx->dst.sa.sa_family));
error = ENXIO;
goto bad;
@ -137,7 +135,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE,
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("ipsec_process_done: could not get packet tag\n"));
DPRINTF(("%s: could not get packet tag\n", __func__));
error = ENOMEM;
goto bad;
}
@ -205,11 +203,11 @@ ipsec_nextisr(
isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
struct secasvar *sav;
#if 0
SPLASSERT(net, "ipsec_nextisr");
#endif
KASSERT(af == AF_INET || af == AF_INET6,
("ipsec_nextisr: invalid address family %u", af));
IPSEC_SPLASSERT_SOFTNET(__func__);
IPSECREQUEST_LOCK_ASSERT(isr);
IPSEC_ASSERT(af == AF_INET || af == AF_INET6,
("invalid address family %u", af));
again:
/*
* Craft SA index to search for proper SA. Note that
@ -287,15 +285,17 @@ ipsec_nextisr(
}
sav = isr->sav;
if (sav == NULL) { /* XXX valid return */
KASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
("ipsec_nextisr: no SA found, but required; level %u",
IPSEC_ASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
("no SA found, but required; level %u",
ipsec_get_reqlevel(isr)));
IPSECREQUEST_UNLOCK(isr);
isr = isr->next;
if (isr == NULL) {
/*XXXstatistic??*/
*error = EINVAL; /*XXX*/
return isr;
}
IPSECREQUEST_LOCK(isr);
goto again;
}
@ -305,8 +305,8 @@ ipsec_nextisr(
if ((isr->saidx.proto == IPPROTO_ESP && !esp_enable) ||
(isr->saidx.proto == IPPROTO_AH && !ah_enable) ||
(isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) {
DPRINTF(("ipsec_nextisr: IPsec outbound packet dropped due"
" to policy (check your sysctls)\n"));
DPRINTF(("%s: IPsec outbound packet dropped due"
" to policy (check your sysctls)\n", __func__));
IPSEC_OSTAT(espstat.esps_pdrops, ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
*error = EHOSTUNREACH;
@ -318,7 +318,7 @@ ipsec_nextisr(
* before they invoke the xform output method.
*/
if (sav->tdb_xform == NULL) {
DPRINTF(("ipsec_nextisr: no transform for SA\n"));
DPRINTF(("%s: no transform for SA\n", __func__));
IPSEC_OSTAT(espstat.esps_noxform, ahstat.ahs_noxform,
ipcompstat.ipcomps_noxform);
*error = EHOSTUNREACH;
@ -326,7 +326,8 @@ ipsec_nextisr(
}
return isr;
bad:
KASSERT(*error != 0, ("ipsec_nextisr: error return w/ no error code"));
IPSEC_ASSERT(*error != 0, ("error return w/ no error code"));
IPSECREQUEST_UNLOCK(isr);
return NULL;
#undef IPSEC_OSTAT
}
@ -347,10 +348,10 @@ ipsec4_process_packet(
struct ip *ip;
int error, i, off;
KASSERT(m != NULL, ("ipsec4_process_packet: null mbuf"));
KASSERT(isr != NULL, ("ipsec4_process_packet: null isr"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(isr != NULL, ("null isr"));
mtx_lock(&isr->lock); /* insure SA contents don't change */
IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */
isr = ipsec_nextisr(m, isr, AF_INET, &saidx, &error);
if (isr == NULL)
@ -420,8 +421,8 @@ ipsec4_process_packet(
error = ipip_output(m, isr, &mp, 0, 0);
if (mp == NULL && !error) {
/* Should never happen. */
DPRINTF(("ipsec4_process_packet: ipip_output "
"returns no mbuf and no error!"));
DPRINTF(("%s: ipip_output returns no mbuf and "
"no error!", __func__));
error = EFAULT;
}
if (error) {
@ -469,10 +470,11 @@ ipsec4_process_packet(
} else {
error = ipsec_process_done(m, isr);
}
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
return error;
bad:
mtx_unlock(&isr->lock);
if (isr)
IPSECREQUEST_UNLOCK(isr);
if (m)
m_freem(m);
return error;
@ -490,8 +492,8 @@ ipsec6_splithdr(struct mbuf *m)
struct ip6_hdr *ip6;
int hlen;
KASSERT(m->m_len >= sizeof (struct ip6_hdr),
("ipsec6_splithdr: first mbuf too short, len %u", m->m_len));
IPSEC_ASSERT(m->m_len >= sizeof (struct ip6_hdr),
("first mbuf too short, len %u", m->m_len));
ip6 = mtod(m, struct ip6_hdr *);
hlen = sizeof(struct ip6_hdr);
if (m->m_len > hlen) {
@ -533,15 +535,15 @@ ipsec6_output_trans(
int error = 0;
struct mbuf *m;
KASSERT(state != NULL, ("ipsec6_output: null state"));
KASSERT(state->m != NULL, ("ipsec6_output: null m"));
KASSERT(nexthdrp != NULL, ("ipsec6_output: null nexthdrp"));
KASSERT(mprev != NULL, ("ipsec6_output: null mprev"));
KASSERT(sp != NULL, ("ipsec6_output: null sp"));
KASSERT(tun != NULL, ("ipsec6_output: null tun"));
IPSEC_ASSERT(state != NULL, ("null state"));
IPSEC_ASSERT(state->m != NULL, ("null m"));
IPSEC_ASSERT(nexthdrp != NULL, ("null nexthdrp"));
IPSEC_ASSERT(mprev != NULL, ("null mprev"));
IPSEC_ASSERT(sp != NULL, ("null sp"));
IPSEC_ASSERT(tun != NULL, ("null tun"));
KEYDEBUG(KEYDEBUG_IPSEC_DATA,
printf("ipsec6_output_trans: applyed SP\n");
printf("%s: applyed SP\n", __func__);
kdebug_secpolicy(sp));
isr = sp->req;
@ -596,8 +598,8 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
m_freem(m);
return EINVAL;
}
KASSERT(m->m_len != sizeof (struct ip6_hdr),
("ipsec6_encapsulate: mbuf wrong size; len %u", m->m_len));
IPSEC_ASSERT(m->m_len != sizeof (struct ip6_hdr),
("mbuf wrong size; len %u", m->m_len));
/*
@ -662,12 +664,12 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
struct sockaddr_in6* dst6;
struct mbuf *m;
KASSERT(state != NULL, ("ipsec6_output: null state"));
KASSERT(state->m != NULL, ("ipsec6_output: null m"));
KASSERT(sp != NULL, ("ipsec6_output: null sp"));
IPSEC_ASSERT(state != NULL, ("null state"));
IPSEC_ASSERT(state->m != NULL, ("null m"));
IPSEC_ASSERT(sp != NULL, ("null sp"));
KEYDEBUG(KEYDEBUG_IPSEC_DATA,
printf("ipsec6_output_tunnel: applyed SP\n");
printf("%s: applyed SP\n", __func__);
kdebug_secpolicy(sp));
m = state->m;
@ -693,8 +695,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
*/
/* XXX should be processed with other familiy */
if (isr->sav->sah->saidx.src.sa.sa_family != AF_INET6) {
ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
"family mismatched between inner and outer, spi=%u\n",
ipseclog((LOG_ERR, "%s: family mismatched between "
"inner and outer, spi=%u\n", __func__,
ntohl(isr->sav->spi)));
newipsecstat.ips_out_inval++;
error = EAFNOSUPPORT;

1138
sys/netipsec/key.c
View File

File diff suppressed because it is too large Load Diff

53
sys/netipsec/key_debug.c
View File

@ -88,7 +88,7 @@ kdebug_sadb(base)
/* sanity check */
if (base == NULL)
panic("kdebug_sadb: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n",
base->sadb_msg_version, base->sadb_msg_type,
@ -105,11 +105,12 @@ kdebug_sadb(base)
ext->sadb_ext_len, ext->sadb_ext_type);
if (ext->sadb_ext_len == 0) {
printf("kdebug_sadb: invalid ext_len=0 was passed.\n");
printf("%s: invalid ext_len=0 was passed.\n", __func__);
return;
}
if (ext->sadb_ext_len > tlen) {
printf("kdebug_sadb: ext_len exceeds end of buffer.\n");
printf("%s: ext_len too big (%u > %u).\n",
__func__, ext->sadb_ext_len, tlen);
return;
}
@ -154,7 +155,7 @@ kdebug_sadb(base)
kdebug_sadb_x_sa2(ext);
break;
default:
printf("kdebug_sadb: invalid ext_type %u was passed.\n",
printf("%s: invalid ext_type %u\n", __func__,
ext->sadb_ext_type);
return;
}
@ -177,7 +178,7 @@ kdebug_sadb_prop(ext)
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_prop: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
len = (PFKEY_UNUNIT64(prop->sadb_prop_len) - sizeof(*prop))
/ sizeof(*comb);
@ -226,7 +227,7 @@ kdebug_sadb_identity(ext)
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_identity: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
len = PFKEY_UNUNIT64(id->sadb_ident_len) - sizeof(*id);
printf("sadb_ident_%s{",
@ -270,7 +271,7 @@ kdebug_sadb_supported(ext)
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_supported: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
len = (PFKEY_UNUNIT64(sup->sadb_supported_len) - sizeof(*sup))
/ sizeof(*alg);
@ -295,7 +296,7 @@ kdebug_sadb_lifetime(ext)
/* sanity check */
if (ext == NULL)
printf("kdebug_sadb_lifetime: NULL pointer was passed.\n");
printf("%s: NULL pointer was passed.\n", __func__);
printf("sadb_lifetime{ alloc=%u, bytes=%u\n",
lft->sadb_lifetime_allocations,
@ -315,7 +316,7 @@ kdebug_sadb_sa(ext)
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_sa: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("sadb_sa{ spi=%u replay=%u state=%u\n",
(u_int32_t)ntohl(sa->sadb_sa_spi), sa->sadb_sa_replay,
@ -334,7 +335,7 @@ kdebug_sadb_address(ext)
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_address: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("sadb_address{ proto=%u prefixlen=%u reserved=0x%02x%02x }\n",
addr->sadb_address_proto, addr->sadb_address_prefixlen,
@ -354,7 +355,7 @@ kdebug_sadb_key(ext)
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_key: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("sadb_key{ bits=%u reserved=%u\n",
key->sadb_key_bits, key->sadb_key_reserved);
@ -363,7 +364,8 @@ kdebug_sadb_key(ext)
/* sanity check 2 */
if ((key->sadb_key_bits >> 3) >
(PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key))) {
printf("kdebug_sadb_key: key length mismatch, bit:%d len:%ld.\n",
printf("%s: key length mismatch, bit:%d len:%ld.\n",
__func__,
key->sadb_key_bits >> 3,
(long)PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key));
}
@ -382,7 +384,7 @@ kdebug_sadb_x_sa2(ext)
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_x_sa2: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("sadb_x_sa2{ mode=%u reqid=%u\n",
sa2->sadb_x_sa2_mode, sa2->sadb_x_sa2_reqid);
@ -402,7 +404,7 @@ kdebug_sadb_x_policy(ext)
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_x_policy: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("sadb_x_policy{ type=%u dir=%u id=%x }\n",
xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir,
@ -435,12 +437,14 @@ kdebug_sadb_x_policy(ext)
/* prevent infinite loop */
if (xisr->sadb_x_ipsecrequest_len <= 0) {
printf("kdebug_sadb_x_policy: wrong policy struct.\n");
printf("%s: wrong policy struct.\n", __func__);
return;
}
/* prevent overflow */
if (xisr->sadb_x_ipsecrequest_len > tlen) {
printf("invalid ipsec policy length\n");
printf("%s: invalid ipsec policy length "
"(%u > %u)\n", __func__,
xisr->sadb_x_ipsecrequest_len, tlen);
return;
}
@ -451,7 +455,7 @@ kdebug_sadb_x_policy(ext)
}
if (tlen != 0)
panic("kdebug_sadb_x_policy: wrong policy struct.\n");
panic("%s: wrong policy struct.\n", __func__);
}
return;
@ -465,7 +469,7 @@ kdebug_secpolicy(sp)
{
/* sanity check */
if (sp == NULL)
panic("kdebug_secpolicy: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("secpolicy{ refcnt=%u state=%u policy=%u\n",
sp->refcnt, sp->state, sp->policy);
@ -500,8 +504,7 @@ kdebug_secpolicy(sp)
printf(" type=entrust }\n");
break;
default:
printf("kdebug_secpolicy: Invalid policy found. %d\n",
sp->policy);
printf("%s: Invalid policy found. %d\n", __func__, sp->policy);
break;
}
@ -514,7 +517,7 @@ kdebug_secpolicyindex(spidx)
{
/* sanity check */
if (spidx == NULL)
panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("secpolicyindex{ dir=%u prefs=%u prefd=%u ul_proto=%u\n",
spidx->dir, spidx->prefs, spidx->prefd, spidx->ul_proto);
@ -535,7 +538,7 @@ kdebug_secasindex(saidx)
{
/* sanity check */
if (saidx == NULL)
panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("secasindex{ mode=%u proto=%u\n",
saidx->mode, saidx->proto);
@ -556,7 +559,7 @@ kdebug_secasv(sav)
{
/* sanity check */
if (sav == NULL)
panic("kdebug_secasv: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf("secas{");
kdebug_secasindex(&sav->sah->saidx);
@ -600,7 +603,7 @@ kdebug_secreplay(rpl)
/* sanity check */
if (rpl == NULL)
panic("kdebug_secreplay: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
printf(" secreplay{ count=%u wsize=%u seq=%u lastseq=%u",
rpl->count, rpl->wsize, rpl->seq, rpl->lastseq);
@ -685,7 +688,7 @@ kdebug_sockaddr(addr)
/* sanity check */
if (addr == NULL)
panic("kdebug_sockaddr: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
/* NOTE: We deal with port number as host byte order. */
printf("sockaddr{ len=%u family=%u", addr->sa_len, addr->sa_family);

13
sys/netipsec/keydb.h
View File

@ -102,7 +102,7 @@ struct secasvar {
size_t schedlen;
struct secreplay *replay; /* replay prevention */
long created; /* for lifetime */
time_t created; /* for lifetime */
struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
struct sadb_lifetime *lft_h; /* HARD lifetime */
@ -125,6 +125,13 @@ struct secasvar {
u_int64_t tdb_cryptoid; /* crypto session id */
};
#define SECASVAR_LOCK_INIT(_sav) \
mtx_init(&(_sav)->lock, "ipsec association", NULL, MTX_DEF)
#define SECASVAR_LOCK(_sav) mtx_lock(&(_sav)->lock)
#define SECASVAR_UNLOCK(_sav) mtx_unlock(&(_sav)->lock)
#define SECASVAR_LOCK_DESTROY(_sav) mtx_destroy(&(_sav)->lock)
#define SECASVAR_LOCK_ASSERT(_sav) mtx_assert(&(_sav)->lock, MA_OWNED)
/* replay prevention */
struct secreplay {
u_int32_t count;
@ -142,7 +149,6 @@ struct secreg {
struct socket *so;
};
#ifndef IPSEC_NONBLOCK_ACQUIRE
/* acquiring list table. */
struct secacq {
LIST_ENTRY(secacq) chain;
@ -150,10 +156,9 @@ struct secacq {
struct secasindex saidx;
u_int32_t seq; /* sequence number */
long created; /* for lifetime */
time_t created; /* for lifetime */
int count; /* for lifetime */
};
#endif
/* Sensitivity Level Specification */
/* nothing */

8
sys/netipsec/keysock.c
View File

@ -94,7 +94,7 @@ key_output(m, va_alist)
va_end(ap);
if (m == 0)
panic("key_output: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
pfkeystat.out_total++;
pfkeystat.out_bytes += m->m_pkthdr.len;
@ -195,10 +195,10 @@ key_sendup(so, msg, len, target)
/* sanity check */
if (so == 0 || msg == 0)
panic("key_sendup: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
KEYDEBUG(KEYDEBUG_KEY_DUMP,
printf("key_sendup: \n");
printf("%s: \n", __func__);
kdebug_sadb(msg));
/*
@ -283,7 +283,7 @@ key_sendup_mbuf(so, m, target)
if (m == NULL)
panic("key_sendup_mbuf: NULL pointer was passed.\n");
if (so == NULL && target == KEY_SENDUP_ONE)
panic("key_sendup_mbuf: NULL pointer was passed.\n");
panic("%s: NULL pointer was passed.\n", __func__);
pfkeystat.in_total++;
pfkeystat.in_bytes += m->m_pkthdr.len;

152
sys/netipsec/xform_ah.c
View File

@ -142,8 +142,7 @@ ah_hdrsiz(struct secasvar *sav)
if (sav != NULL) {
int authsize;
KASSERT(sav->tdb_authalgxform != NULL,
("ah_hdrsiz: null xform"));
IPSEC_ASSERT(sav->tdb_authalgxform != NULL, ("null xform"));
/*XXX not right for null algorithm--does it matter??*/
authsize = AUTHSIZE(sav);
size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav);
@ -165,8 +164,8 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
thash = ah_algorithm_lookup(sav->alg_auth);
if (thash == NULL) {
DPRINTF(("ah_init: unsupported authentication algorithm %u\n",
sav->alg_auth));
DPRINTF(("%s: unsupported authentication algorithm %u\n",
__func__, sav->alg_auth));
return EINVAL;
}
/*
@ -176,21 +175,21 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
*/
/* NB: replay state is setup elsewhere (sigh) */
if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
DPRINTF(("ah_init: replay state block inconsistency, "
"%s algorithm %s replay state\n",
DPRINTF(("%s: replay state block inconsistency, "
"%s algorithm %s replay state\n", __func__,
(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
sav->replay == NULL ? "without" : "with"));
return EINVAL;
}
if (sav->key_auth == NULL) {
DPRINTF(("ah_init: no authentication key for %s "
"algorithm\n", thash->name));
DPRINTF(("%s: no authentication key for %s algorithm\n",
__func__, thash->name));
return EINVAL;
}
keylen = _KEYLEN(sav->key_auth);
if (keylen != thash->keysize && thash->keysize != 0) {
DPRINTF(("ah_init: invalid keylength %d, algorithm "
"%s requires keysize %d\n",
DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
"keysize %d\n", __func__,
keylen, thash->name, thash->keysize));
return EINVAL;
}
@ -271,7 +270,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
*/
*m0 = m = m_pullup(m, skip);
if (m == NULL) {
DPRINTF(("ah_massage_headers: m_pullup failed\n"));
DPRINTF(("%s: m_pullup failed\n", __func__));
return ENOBUFS;
}
@ -308,9 +307,8 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
off + 1 < skip)
;
else {
DPRINTF(("ah_massage_headers: illegal IPv4 "
"option length for option %d\n",
ptr[off]));
DPRINTF(("%s: illegal IPv4 option length for "
"option %d\n", __func__, ptr[off]));
m_freem(m);
return EINVAL;
@ -332,9 +330,9 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
case 0x95: /* RFC1770 */
/* Sanity check for option length. */
if (ptr[off + 1] < 2) {
DPRINTF(("ah_massage_headers: "
"illegal IPv4 option length for "
"option %d\n", ptr[off]));
DPRINTF(("%s: illegal IPv4 option "
"length for option %d\n",
__func__, ptr[off]));
m_freem(m);
return EINVAL;
@ -347,9 +345,9 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
case IPOPT_SSRR:
/* Sanity check for option length. */
if (ptr[off + 1] < 2) {
DPRINTF(("ah_massage_headers: "
"illegal IPv4 option length for "
"option %d\n", ptr[off]));
DPRINTF(("%s: illegal IPv4 option "
"length for option %d\n",
__func__, ptr[off]));
m_freem(m);
return EINVAL;
@ -373,9 +371,9 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
default:
/* Sanity check for option length. */
if (ptr[off + 1] < 2) {
DPRINTF(("ah_massage_headers: "
"illegal IPv4 option length for "
"option %d\n", ptr[off]));
DPRINTF(("%s: illegal IPv4 option "
"length for option %d\n",
__func__, ptr[off]));
m_freem(m);
return EINVAL;
}
@ -389,8 +387,8 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
/* Sanity check. */
if (off > skip) {
DPRINTF(("ah_massage_headers(): malformed "
"IPv4 options header\n"));
DPRINTF(("%s: malformed IPv4 options header\n",
__func__));
m_freem(m);
return EINVAL;
@ -407,7 +405,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
/* We don't do IPv6 Jumbograms. */
if (ip6.ip6_plen == 0) {
DPRINTF(("ah_massage_headers: unsupported IPv6 jumbogram\n"));
DPRINTF(("%s: unsupported IPv6 jumbogram\n", __func__));
m_freem(m);
return EMSGSIZE;
}
@ -433,9 +431,8 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
skip - sizeof(struct ip6_hdr),
M_XDATA, M_NOWAIT);
if (ptr == NULL) {
DPRINTF(("ah_massage_headers: failed "
"to allocate memory for IPv6 "
"headers\n"));
DPRINTF(("%s: failed to allocate memory"
"for IPv6 headers\n",__func__));
m_freem(m);
return ENOBUFS;
}
@ -524,8 +521,8 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
break;
default:
DPRINTF(("ah_massage_headers: unexpected "
"IPv6 header type %d", off));
DPRINTF(("%s: unexpected IPv6 header type %d",
__func__, off));
if (alloc)
FREE(ptr, M_XDATA);
m_freem(m);
@ -563,15 +560,12 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct cryptodesc *crda;
struct cryptop *crp;
#if 0
SPLASSERT(net, "ah_input");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(sav != NULL, ("ah_input: null SA"));
KASSERT(sav->key_auth != NULL,
("ah_input: null authentication key"));
KASSERT(sav->tdb_authalgxform != NULL,
("ah_input: null authentication xform"));
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->key_auth != NULL, ("null authentication key"));
IPSEC_ASSERT(sav->tdb_authalgxform != NULL,
("null authentication xform"));
/* Figure out header size. */
rplen = HDRSIZE(sav);
@ -588,7 +582,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
/* Check replay window, if applicable. */
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
ahstat.ahs_replay++;
DPRINTF(("ah_input: packet replay failure: %s\n",
DPRINTF(("%s: packet replay failure: %s\n", __func__,
ipsec_logsastr(sav)));
m_freem(m);
return ENOBUFS;
@ -599,8 +593,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
ahx = sav->tdb_authalgxform;
authsize = AUTHSIZE(sav);
if (hl != authsize + rplen - sizeof (struct ah)) {
DPRINTF(("ah_input: bad authenticator length %u (expecting %lu)"
" for packet in SA %s/%08lx\n",
DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
" for packet in SA %s/%08lx\n", __func__,
hl, (u_long) (authsize + rplen - sizeof (struct ah)),
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -613,14 +607,14 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
DPRINTF(("ah_input: failed to acquire crypto descriptor\n"));
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
ahstat.ahs_crypto++;
m_freem(m);
return ENOBUFS;
}
crda = crp->crp_desc;
KASSERT(crda != NULL, ("ah_input: null crypto descriptor"));
IPSEC_ASSERT(crda != NULL, ("null crypto descriptor"));
crda->crd_skip = 0;
crda->crd_len = m->m_pkthdr.len;
@ -653,7 +647,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
M_XDATA, M_NOWAIT|M_ZERO);
}
if (tc == NULL) {
DPRINTF(("ah_input: failed to allocate tdb_crypto\n"));
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
ahstat.ahs_crypto++;
crypto_freereq(crp);
m_freem(m);
@ -743,7 +737,7 @@ ah_input_cb(struct cryptop *crp)
crd = crp->crp_desc;
tc = (struct tdb_crypto *) crp->crp_opaque;
KASSERT(tc != NULL, ("ah_input_cb: null opaque crypto data area!"));
IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
skip = tc->tc_skip;
nxt = tc->tc_nxt;
protoff = tc->tc_protoff;
@ -753,16 +747,15 @@ ah_input_cb(struct cryptop *crp)
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
ahstat.ahs_notdb++;
DPRINTF(("ah_input_cb: SA expired while in crypto\n"));
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
}
saidx = &sav->sah->saidx;
KASSERT(saidx->dst.sa.sa_family == AF_INET ||
IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
saidx->dst.sa.sa_family == AF_INET6,
("ah_input_cb: unexpected protocol family %u",
saidx->dst.sa.sa_family));
("unexpected protocol family %u", saidx->dst.sa.sa_family));
ahx = (struct auth_hash *) sav->tdb_authalgxform;
@ -775,7 +768,7 @@ ah_input_cb(struct cryptop *crp)
return crypto_dispatch(crp);
ahstat.ahs_noxform++;
DPRINTF(("ah_input_cb: crypto error %d\n", crp->crp_etype));
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
} else {
@ -787,7 +780,7 @@ ah_input_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
ahstat.ahs_crypto++;
DPRINTF(("ah_input_cb: bogus returned buffer from crypto\n"));
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
@ -808,8 +801,8 @@ ah_input_cb(struct cryptop *crp)
/* Verify authenticator. */
if (bcmp(ptr + skip + rplen, calc, authsize)) {
DPRINTF(("ah_input: authentication hash mismatch "
"for packet in SA %s/%08lx\n",
DPRINTF(("%s: authentication hash mismatch for packet "
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
ahstat.ahs_badauth++;
@ -854,7 +847,7 @@ ah_input_cb(struct cryptop *crp)
*/
error = m_striphdr(m, skip, rplen + authsize);
if (error) {
DPRINTF(("ah_input_cb: mangled mbuf chain for SA %s/%08lx\n",
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
ahstat.ahs_hdrops++;
@ -900,14 +893,12 @@ ah_output(
u_int8_t prot;
struct newah *ah;
#if 0
SPLASSERT(net, "ah_output");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
sav = isr->sav;
KASSERT(sav != NULL, ("ah_output: null SA"));
IPSEC_ASSERT(sav != NULL, ("null SA"));
ahx = sav->tdb_authalgxform;
KASSERT(ahx != NULL, ("ah_output: null authentication xform"));
IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
ahstat.ahs_output++;
@ -927,8 +918,8 @@ ah_output(
break;
#endif /* INET6 */
default:
DPRINTF(("ah_output: unknown/unsupported protocol "
"family %u, SA %s/%08lx\n",
DPRINTF(("%s: unknown/unsupported protocol family %u, "
"SA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -938,8 +929,8 @@ ah_output(
}
authsize = AUTHSIZE(sav);
if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
DPRINTF(("ah_output: packet in SA %s/%08lx got too big "
"(len %u, max len %u)\n",
DPRINTF(("%s: packet in SA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi),
rplen + authsize + m->m_pkthdr.len, maxpacketsize));
@ -953,7 +944,7 @@ ah_output(
m = m_clone(m);
if (m == NULL) {
DPRINTF(("ah_output: cannot clone mbuf chain, SA %s/%08lx\n",
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
ahstat.ahs_hdrops++;
@ -964,8 +955,8 @@ ah_output(
/* Inject AH header. */
mi = m_makespace(m, skip, rplen + authsize, &roff);
if (mi == NULL) {
DPRINTF(("ah_output: failed to inject %u byte AH header for SA "
"%s/%08lx\n",
DPRINTF(("%s: failed to inject %u byte AH header for SA "
"%s/%08lx\n", __func__,
rplen + authsize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -993,8 +984,8 @@ ah_output(
if (sav->replay) {
if (sav->replay->count == ~0 &&
(sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
DPRINTF(("ah_output: replay counter wrapped for SA "
"%s/%08lx\n",
DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
__func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
ahstat.ahs_wrap++;
@ -1008,7 +999,8 @@ ah_output(
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
DPRINTF(("ah_output: failed to acquire crypto descriptors\n"));
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
ahstat.ahs_crypto++;
error = ENOBUFS;
goto bad;
@ -1030,7 +1022,7 @@ ah_output(
sizeof(struct tdb_crypto) + skip, M_XDATA, M_NOWAIT|M_ZERO);
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("ah_output: failed to allocate tdb_crypto\n"));
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
ahstat.ahs_crypto++;
error = ENOBUFS;
goto bad;
@ -1123,22 +1115,22 @@ ah_output_cb(struct cryptop *crp)
int err;
tc = (struct tdb_crypto *) crp->crp_opaque;
KASSERT(tc != NULL, ("ah_output_cb: null opaque data area!"));
IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
skip = tc->tc_skip;
protoff = tc->tc_protoff;
ptr = (caddr_t) (tc + 1);
m = (struct mbuf *) crp->crp_buf;
isr = tc->tc_isr;
mtx_lock(&isr->lock);
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
ahstat.ahs_notdb++;
DPRINTF(("ah_output_cb: SA expired while in crypto\n"));
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
}
KASSERT(isr->sav == sav, ("ah_output_cb: SA changed\n"));
IPSEC_ASSERT(isr->sav == sav, ("SA changed\n"));
/* Check for crypto errors. */
if (crp->crp_etype) {
@ -1147,12 +1139,12 @@ ah_output_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN) {
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
return crypto_dispatch(crp);
}
ahstat.ahs_noxform++;
DPRINTF(("ah_output_cb: crypto error %d\n", crp->crp_etype));
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
@ -1160,7 +1152,7 @@ ah_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
ahstat.ahs_crypto++;
DPRINTF(("ah_output_cb: bogus returned buffer from crypto\n"));
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
@ -1179,13 +1171,13 @@ ah_output_cb(struct cryptop *crp)
/* NB: m is reclaimed by ipsec_process_done. */
err = ipsec_process_done(m, isr);
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
return err;
bad:
if (sav)
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
if (m)
m_freem(m);
free(tc, M_XDATA);

141
sys/netipsec/xform_esp.c
View File

@ -124,8 +124,8 @@ esp_hdrsiz(struct secasvar *sav)
if (sav != NULL) {
/*XXX not right for null algorithm--does it matter??*/
KASSERT(sav->tdb_encalgxform != NULL,
("esp_hdrsiz: SA with null xform"));
IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
("SA with null xform"));
if (sav->flags & SADB_X_EXT_OLD)
size = sizeof (struct esp);
else
@ -161,23 +161,24 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
txform = esp_algorithm_lookup(sav->alg_enc);
if (txform == NULL) {
DPRINTF(("esp_init: unsupported encryption algorithm %d\n",
sav->alg_enc));
DPRINTF(("%s: unsupported encryption algorithm %d\n",
__func__, sav->alg_enc));
return EINVAL;
}
if (sav->key_enc == NULL) {
DPRINTF(("esp_init: no encoding key for %s algorithm\n",
txform->name));
DPRINTF(("%s: no encoding key for %s algorithm\n",
__func__, txform->name));
return EINVAL;
}
if ((sav->flags&(SADB_X_EXT_OLD|SADB_X_EXT_IV4B)) == SADB_X_EXT_IV4B) {
DPRINTF(("esp_init: 4-byte IV not supported with protocol\n"));
DPRINTF(("%s: 4-byte IV not supported with protocol\n",
__func__));
return EINVAL;
}
keylen = _KEYLEN(sav->key_enc);
if (txform->minkey > keylen || keylen > txform->maxkey) {
DPRINTF(("esp_init: invalid key length %u, must be in "
"the range [%u..%u] for algorithm %s\n",
DPRINTF(("%s: invalid key length %u, must be in the range "
"[%u..%u] for algorithm %s\n", __func__,
keylen, txform->minkey, txform->maxkey,
txform->name));
return EINVAL;
@ -192,7 +193,7 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
sav->ivlen = (txform == &enc_xform_null ? 0 : txform->blocksize);
sav->iv = (caddr_t) malloc(sav->ivlen, M_XDATA, M_WAITOK);
if (sav->iv == NULL) {
DPRINTF(("esp_init: no memory for IV\n"));
DPRINTF(("%s: no memory for IV\n", __func__));
return EINVAL;
}
key_randomfill(sav->iv, sav->ivlen); /*XXX*/
@ -230,7 +231,8 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
&cria, crypto_support);
} else {
/* XXX cannot happen? */
DPRINTF(("esp_init: no encoding OR authentication xform!\n"));
DPRINTF(("%s: no encoding OR authentication xform!\n",
__func__));
error = EINVAL;
}
return error;
@ -247,7 +249,10 @@ esp_zeroize(struct secasvar *sav)
if (sav->key_enc)
bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
/* NB: sav->iv is freed elsewhere, even though we malloc it! */
if (sav->iv) {
free(sav->iv, M_XDATA);
sav->iv = NULL;
}
sav->tdb_encalgxform = NULL;
sav->tdb_xform = NULL;
return error;
@ -270,15 +275,12 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct cryptodesc *crde;
struct cryptop *crp;
#if 0
SPLASSERT(net, "esp_input");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
KASSERT(sav != NULL, ("esp_input: null SA"));
KASSERT(sav->tdb_encalgxform != NULL,
("esp_input: null encoding xform"));
KASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
("esp_input: misaligned packet, skip %u pkt len %u",
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
("misaligned packet, skip %u pkt len %u",
skip, m->m_pkthdr.len));
/* XXX don't pullup, just copy header */
@ -305,9 +307,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
*/
plen = m->m_pkthdr.len - (skip + hlen + alen);
if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
DPRINTF(("esp_input: "
"payload of %d octets not a multiple of %d octets,"
" SA %s/%08lx\n",
DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
" SA %s/%08lx\n", __func__,
plen, espx->blocksize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -320,7 +321,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
* Check sequence number.
*/
if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
DPRINTF(("esp_input: packet replay check for %s\n",
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav))); /*XXX*/
espstat.esps_replay++;
m_freem(m);
@ -345,7 +346,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
/* Get crypto descriptors */
crp = crypto_getreq(esph && espx ? 2 : 1);
if (crp == NULL) {
DPRINTF(("esp_input: failed to acquire crypto descriptors\n"));
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
espstat.esps_crypto++;
m_freem(m);
return ENOBUFS;
@ -360,7 +362,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
M_XDATA, M_NOWAIT|M_ZERO);
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("esp_input: failed to allocate tdb_crypto\n"));
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
espstat.esps_crypto++;
m_freem(m);
return ENOBUFS;
@ -371,7 +373,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (esph) {
struct cryptodesc *crda = crp->crp_desc;
KASSERT(crda != NULL, ("esp_input: null ah crypto descriptor"));
IPSEC_ASSERT(crda != NULL, ("null ah crypto descriptor"));
/* Authentication descriptor */
crda->crd_skip = skip;
@ -410,7 +412,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
/* Decryption descriptor */
if (espx) {
KASSERT(crde != NULL, ("esp_input: null esp crypto descriptor"));
IPSEC_ASSERT(crde != NULL, ("null esp crypto descriptor"));
crde->crd_skip = skip + hlen;
crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
crde->crd_inject = skip + hlen - sav->ivlen;
@ -459,10 +461,10 @@ esp_input_cb(struct cryptop *crp)
caddr_t ptr;
crd = crp->crp_desc;
KASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!"));
IPSEC_ASSERT(crd != NULL, ("null crypto descriptor!"));
tc = (struct tdb_crypto *) crp->crp_opaque;
KASSERT(tc != NULL, ("esp_input_cb: null opaque crypto data area!"));
IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
skip = tc->tc_skip;
protoff = tc->tc_protoff;
mtag = (struct m_tag *) tc->tc_ptr;
@ -471,18 +473,17 @@ esp_input_cb(struct cryptop *crp)
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
espstat.esps_notdb++;
DPRINTF(("esp_input_cb: SA expired while in crypto "
"(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n",
__func__, ipsec_address(&tc->tc_dst),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
error = ENOBUFS; /*XXX*/
goto bad;
}
saidx = &sav->sah->saidx;
KASSERT(saidx->dst.sa.sa_family == AF_INET ||
IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
saidx->dst.sa.sa_family == AF_INET6,
("ah_input_cb: unexpected protocol family %u",
saidx->dst.sa.sa_family));
("unexpected protocol family %u", saidx->dst.sa.sa_family));
esph = sav->tdb_authalgxform;
espx = sav->tdb_encalgxform;
@ -499,7 +500,7 @@ esp_input_cb(struct cryptop *crp)
}
espstat.esps_noxform++;
DPRINTF(("esp_input_cb: crypto error %d\n", crp->crp_etype));
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
@ -507,7 +508,7 @@ esp_input_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
espstat.esps_crypto++;
DPRINTF(("esp_input_cb: bogus returned buffer from crypto\n"));
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
@ -530,8 +531,9 @@ esp_input_cb(struct cryptop *crp)
/* Verify authenticator */
if (bcmp(ptr, aalg, esph->authsize) != 0) {
DPRINTF(("esp_input_cb: "
DPRINTF(("%s: "
"authentication hash mismatch for packet in SA %s/%08lx\n",
__func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
espstat.esps_badauth++;
@ -563,7 +565,7 @@ esp_input_cb(struct cryptop *crp)
error = m_striphdr(m, skip, hlen);
if (error) {
espstat.esps_hdrops++;
DPRINTF(("esp_input_cb: bad mbuf chain, SA %s/%08lx\n",
DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
goto bad;
@ -575,8 +577,8 @@ esp_input_cb(struct cryptop *crp)
/* Verify pad length */
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
espstat.esps_badilen++;
DPRINTF(("esp_input_cb: invalid padding length %d "
"for %u byte packet in SA %s/%08lx\n",
DPRINTF(("%s: invalid padding length %d for %u byte packet "
"in SA %s/%08lx\n", __func__,
lastthree[1], m->m_pkthdr.len - skip,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -588,11 +590,10 @@ esp_input_cb(struct cryptop *crp)
if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
espstat.esps_badenc++;
DPRINTF(("esp_input_cb: decryption failed "
"for packet in SA %s/%08lx\n",
DPRINTF(("%s: decryption failed for packet in "
"SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
DPRINTF(("esp_input_cb: %x %x\n", lastthree[0], lastthree[1]));
error = EINVAL;
goto bad;
}
@ -646,15 +647,13 @@ esp_output(
struct cryptodesc *crde = NULL, *crda = NULL;
struct cryptop *crp;
#if 0
SPLASSERT(net, "esp_output");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
sav = isr->sav;
KASSERT(sav != NULL, ("esp_output: null SA"));
IPSEC_ASSERT(sav != NULL, ("null SA"));
esph = sav->tdb_authalgxform;
espx = sav->tdb_encalgxform;
KASSERT(espx != NULL, ("esp_output: null encoding xform"));
IPSEC_ASSERT(espx != NULL, ("null encoding xform"));
if (sav->flags & SADB_X_EXT_OLD)
hlen = sizeof (struct esp) + sav->ivlen;
@ -693,8 +692,8 @@ esp_output(
break;
#endif /* INET6 */
default:
DPRINTF(("esp_output: unknown/unsupported protocol "
"family %d, SA %s/%08lx\n",
DPRINTF(("%s: unknown/unsupported protocol "
"family %d, SA %s/%08lx\n", __func__,
saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
espstat.esps_nopf++;
@ -702,8 +701,8 @@ esp_output(
goto bad;
}
if (skip + hlen + rlen + padding + alen > maxpacketsize) {
DPRINTF(("esp_output: packet in SA %s/%08lx got too big "
"(len %u, max len %u)\n",
DPRINTF(("%s: packet in SA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
skip + hlen + rlen + padding + alen, maxpacketsize));
espstat.esps_toobig++;
@ -716,7 +715,7 @@ esp_output(
m = m_clone(m);
if (m == NULL) {
DPRINTF(("esp_output: cannot clone mbuf chain, SA %s/%08lx\n",
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
espstat.esps_hdrops++;
error = ENOBUFS;
@ -726,9 +725,8 @@ esp_output(
/* Inject ESP header. */
mo = m_makespace(m, skip, hlen, &roff);
if (mo == NULL) {
DPRINTF(("esp_output: failed to inject %u byte ESP hdr for SA "
"%s/%08lx\n",
hlen, ipsec_address(&saidx->dst),
DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
__func__, hlen, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
espstat.esps_hdrops++; /* XXX diffs from openbsd */
error = ENOBUFS;
@ -750,7 +748,7 @@ esp_output(
*/
pad = (u_char *) m_pad(m, padding + alen);
if (pad == NULL) {
DPRINTF(("esp_output: m_pad failed for SA %s/%08lx\n",
DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
m = NULL; /* NB: free'd by m_pad */
error = ENOBUFS;
@ -785,7 +783,8 @@ esp_output(
/* Get crypto descriptors. */
crp = crypto_getreq(esph && espx ? 2 : 1);
if (crp == NULL) {
DPRINTF(("esp_output: failed to acquire crypto descriptors\n"));
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
espstat.esps_crypto++;
error = ENOBUFS;
goto bad;
@ -814,7 +813,7 @@ esp_output(
M_XDATA, M_NOWAIT|M_ZERO);
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("esp_output: failed to allocate tdb_crypto\n"));
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
espstat.esps_crypto++;
error = ENOBUFS;
goto bad;
@ -866,22 +865,22 @@ esp_output_cb(struct cryptop *crp)
int err, error;
tc = (struct tdb_crypto *) crp->crp_opaque;
KASSERT(tc != NULL, ("esp_output_cb: null opaque data area!"));
IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
m = (struct mbuf *) crp->crp_buf;
isr = tc->tc_isr;
mtx_lock(&isr->lock);
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
espstat.esps_notdb++;
DPRINTF(("esp_output_cb: SA expired while in crypto "
"(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst),
DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n",
__func__, ipsec_address(&tc->tc_dst),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
error = ENOBUFS; /*XXX*/
goto bad;
}
KASSERT(isr->sav == sav,
("esp_output_cb: SA changed was %p now %p\n", isr->sav, sav));
IPSEC_ASSERT(isr->sav == sav,
("SA changed was %p now %p\n", isr->sav, sav));
/* Check for crypto errors. */
if (crp->crp_etype) {
@ -891,12 +890,12 @@ esp_output_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN) {
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
return crypto_dispatch(crp);
}
espstat.esps_noxform++;
DPRINTF(("esp_output_cb: crypto error %d\n", crp->crp_etype));
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
@ -904,7 +903,7 @@ esp_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
espstat.esps_crypto++;
DPRINTF(("esp_output_cb: bogus returned buffer from crypto\n"));
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
@ -919,13 +918,13 @@ esp_output_cb(struct cryptop *crp)
/* NB: m is reclaimed by ipsec_process_done. */
err = ipsec_process_done(m, isr);
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
return err;
bad:
if (sav)
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
if (m)
m_freem(m);
free(tc, M_XDATA);

78
sys/netipsec/xform_ipcomp.c
View File

@ -102,7 +102,7 @@ ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
/* NB: algorithm really comes in alg_enc and not alg_comp! */
tcomp = ipcomp_algorithm_lookup(sav->alg_enc);
if (tcomp == NULL) {
DPRINTF(("ipcomp_init: unsupported compression algorithm %d\n",
DPRINTF(("%s: unsupported compression algorithm %d\n", __func__,
sav->alg_comp));
return EINVAL;
}
@ -141,15 +141,13 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct cryptop *crp;
int hlen = IPCOMP_HLENGTH;
#if 0
SPLASSERT(net, "ipcomp_input");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
m_freem(m);
DPRINTF(("ipcomp_input: no crypto descriptors\n"));
DPRINTF(("%s: no crypto descriptors\n", __func__));
ipcompstat.ipcomps_crypto++;
return ENOBUFS;
}
@ -158,7 +156,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (tc == NULL) {
m_freem(m);
crypto_freereq(crp);
DPRINTF(("ipcomp_input: cannot allocate tdb_crypto\n"));
DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__));
ipcompstat.ipcomps_crypto++;
return ENOBUFS;
}
@ -224,7 +222,7 @@ ipcomp_input_cb(struct cryptop *crp)
crd = crp->crp_desc;
tc = (struct tdb_crypto *) crp->crp_opaque;
KASSERT(tc != NULL, ("ipcomp_input_cb: null opaque crypto data area!"));
IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
skip = tc->tc_skip;
protoff = tc->tc_protoff;
mtag = (struct mtag *) tc->tc_ptr;
@ -233,16 +231,15 @@ ipcomp_input_cb(struct cryptop *crp)
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
ipcompstat.ipcomps_notdb++;
DPRINTF(("ipcomp_input_cb: SA expired while in crypto\n"));
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
}
saidx = &sav->sah->saidx;
KASSERT(saidx->dst.sa.sa_family == AF_INET ||
IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
saidx->dst.sa.sa_family == AF_INET6,
("ah_input_cb: unexpected protocol family %u",
saidx->dst.sa.sa_family));
("unexpected protocol family %u", saidx->dst.sa.sa_family));
/* Check for crypto errors */
if (crp->crp_etype) {
@ -256,14 +253,14 @@ ipcomp_input_cb(struct cryptop *crp)
}
ipcompstat.ipcomps_noxform++;
DPRINTF(("ipcomp_input_cb: crypto error %d\n", crp->crp_etype));
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
ipcompstat.ipcomps_crypto++;
DPRINTF(("ipcomp_input_cb: null mbuf returned from crypto\n"));
DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
error = EINVAL;
goto bad;
}
@ -280,7 +277,7 @@ ipcomp_input_cb(struct cryptop *crp)
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
ipcompstat.ipcomps_hdrops++; /*XXX*/
DPRINTF(("ipcomp_input_cb: m_pullup failed\n"));
DPRINTF(("%s: m_pullup failed\n", __func__));
error = EINVAL; /*XXX*/
goto bad;
}
@ -293,7 +290,7 @@ ipcomp_input_cb(struct cryptop *crp)
error = m_striphdr(m, skip, hlen);
if (error) {
ipcompstat.ipcomps_hdrops++;
DPRINTF(("ipcomp_input_cb: bad mbuf chain, IPCA %s/%08lx\n",
DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
goto bad;
@ -340,14 +337,12 @@ ipcomp_output(
struct mbuf *mo;
struct ipcomp *ipcomp;
#if 0
SPLASSERT(net, "ipcomp_output");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
sav = isr->sav;
KASSERT(sav != NULL, ("ipcomp_output: null SA"));
IPSEC_ASSERT(sav != NULL, ("null SA"));
ipcompx = sav->tdb_compalgxform;
KASSERT(ipcompx != NULL, ("ipcomp_output: null compression xform"));
IPSEC_ASSERT(ipcompx != NULL, ("null compression xform"));
ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */
hlen = IPCOMP_HLENGTH;
@ -368,8 +363,8 @@ ipcomp_output(
#endif /* INET6 */
default:
ipcompstat.ipcomps_nopf++;
DPRINTF(("ipcomp_output: unknown/unsupported protocol family %d"
", IPCA %s/%08lx\n",
DPRINTF(("%s: unknown/unsupported protocol family %d, "
"IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -378,8 +373,8 @@ ipcomp_output(
}
if (skip + hlen + ralen > maxpacketsize) {
ipcompstat.ipcomps_toobig++;
DPRINTF(("ipcomp_output: packet in IPCA %s/%08lx got too big "
"(len %u, max len %u)\n",
DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi),
skip + hlen + ralen, maxpacketsize));
@ -393,8 +388,8 @@ ipcomp_output(
m = m_clone(m);
if (m == NULL) {
ipcompstat.ipcomps_hdrops++;
DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n",
ipsec_address(&sav->sah->saidx.dst),
DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
error = ENOBUFS;
goto bad;
@ -404,9 +399,8 @@ ipcomp_output(
mo = m_makespace(m, skip, hlen, &roff);
if (mo == NULL) {
ipcompstat.ipcomps_wrap++;
DPRINTF(("ipcomp_output: failed to inject IPCOMP header for "
"IPCA %s/%08lx\n",
ipsec_address(&sav->sah->saidx.dst),
DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
error = ENOBUFS;
goto bad;
@ -440,7 +434,7 @@ ipcomp_output(
crp = crypto_getreq(1);
if (crp == NULL) {
ipcompstat.ipcomps_crypto++;
DPRINTF(("ipcomp_output: failed to acquire crypto descriptor\n"));
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
error = ENOBUFS;
goto bad;
}
@ -460,7 +454,7 @@ ipcomp_output(
M_XDATA, M_NOWAIT|M_ZERO);
if (tc == NULL) {
ipcompstat.ipcomps_crypto++;
DPRINTF(("ipcomp_output: failed to allocate tdb_crypto\n"));
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
crypto_freereq(crp);
error = ENOBUFS;
goto bad;
@ -500,21 +494,21 @@ ipcomp_output_cb(struct cryptop *crp)
int error, skip, rlen;
tc = (struct tdb_crypto *) crp->crp_opaque;
KASSERT(tc != NULL, ("ipcomp_output_cb: null opaque data area!"));
IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
m = (struct mbuf *) crp->crp_buf;
skip = tc->tc_skip;
rlen = crp->crp_ilen - skip;
isr = tc->tc_isr;
mtx_lock(&isr->lock);
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
ipcompstat.ipcomps_notdb++;
DPRINTF(("ipcomp_output_cb: SA expired while in crypto\n"));
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
}
KASSERT(isr->sav == sav, ("ipcomp_output_cb: SA changed\n"));
IPSEC_ASSERT(isr->sav == sav, ("SA changed\n"));
/* Check for crypto errors */
if (crp->crp_etype) {
@ -524,18 +518,18 @@ ipcomp_output_cb(struct cryptop *crp)
if (crp->crp_etype == EAGAIN) {
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
return crypto_dispatch(crp);
}
ipcompstat.ipcomps_noxform++;
DPRINTF(("ipcomp_output_cb: crypto error %d\n", crp->crp_etype));
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
ipcompstat.ipcomps_crypto++;
DPRINTF(("ipcomp_output_cb: bogus return buffer from crypto\n"));
DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
@ -557,8 +551,8 @@ ipcomp_output_cb(struct cryptop *crp)
#endif /* INET6 */
default:
ipcompstat.ipcomps_nopf++;
DPRINTF(("ipcomp_output: unknown/unsupported protocol "
"family %d, IPCA %s/%08lx\n",
DPRINTF(("%s: unknown/unsupported protocol "
"family %d, IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@ -577,13 +571,13 @@ ipcomp_output_cb(struct cryptop *crp)
/* NB: m is reclaimed by ipsec_process_done. */
error = ipsec_process_done(m, isr);
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
return error;
bad:
if (sav)
KEY_FREESAV(&sav);
mtx_unlock(&isr->lock);
IPSECREQUEST_UNLOCK(isr);
if (m)
m_freem(m);
free(tc, M_XDATA);

37
sys/netipsec/xform_ipip.c
View File

@ -114,7 +114,7 @@ ip4_input6(struct mbuf **m, int *offp, int proto)
#if 0
/* If we do not accept IP-in-IP explicitly, drop. */
if (!ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
DPRINTF(("ip4_input6: dropped due to policy\n"));
DPRINTF(("%s: dropped due to policy\n", __func__));
ipipstat.ipips_pdrops++;
m_freem(*m);
return IPPROTO_DONE;
@ -138,7 +138,7 @@ ip4_input(struct mbuf *m, ...)
#if 0
/* If we do not accept IP-in-IP explicitly, drop. */
if (!ipip_allow && (m->m_flags & M_IPSEC) == 0) {
DPRINTF(("ip4_input: dropped due to policy\n"));
DPRINTF(("%s: dropped due to policy\n", __func__));
ipipstat.ipips_pdrops++;
m_freem(m);
return;
@ -201,7 +201,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
/* Bring the IP header in the first mbuf, if not there already */
if (m->m_len < hlen) {
if ((m = m_pullup(m, hlen)) == NULL) {
DPRINTF(("ipip_input: m_pullup (1) failed\n"));
DPRINTF(("%s: m_pullup (1) failed\n", __func__));
ipipstat.ipips_hdrops++;
return;
}
@ -269,7 +269,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
*/
if (m->m_len < hlen) {
if ((m = m_pullup(m, hlen)) == NULL) {
DPRINTF(("ipip_input: m_pullup (2) failed\n"));
DPRINTF(("%s: m_pullup (2) failed\n", __func__));
ipipstat.ipips_hdrops++;
return;
}
@ -376,12 +376,13 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
break;
#endif
default:
panic("ipip_input: should never reach here");
panic("%s: bogus ip version %u", __func__, v>>4);
}
if (!netisr_queue(isr, m)) {
ipipstat.ipips_qfull++;
DPRINTF(("ipip_input: packet dropped because of full queue\n"));
DPRINTF(("%s: packet dropped because of full queue\n",
__func__));
}
}
@ -406,13 +407,11 @@ ipip_output(
struct ip6_hdr *ip6, *ip6o;
#endif /* INET6 */
#if 0
SPLASSERT(net, "ipip_output");
#endif
IPSEC_SPLASSERT_SOFTNET(__func__);
sav = isr->sav;
KASSERT(sav != NULL, ("ipip_output: null SA"));
KASSERT(sav->sah != NULL, ("ipip_output: null SAH"));
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
/* XXX Deal with empty TDB source/destination addresses. */
@ -426,8 +425,8 @@ ipip_output(
if (saidx->src.sa.sa_family != AF_INET ||
saidx->src.sin.sin_addr.s_addr == INADDR_ANY ||
saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) {
DPRINTF(("ipip_output: unspecified tunnel endpoint "
"address in SA %s/%08lx\n",
DPRINTF(("%s: unspecified tunnel endpoint "
"address in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
ipipstat.ipips_unspec++;
@ -437,7 +436,7 @@ ipip_output(
M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
if (m == 0) {
DPRINTF(("ipip_output: M_PREPEND failed\n"));
DPRINTF(("%s: M_PREPEND failed\n", __func__));
ipipstat.ipips_hdrops++;
error = ENOBUFS;
goto bad;
@ -507,8 +506,8 @@ ipip_output(
if (IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr) ||
saidx->src.sa.sa_family != AF_INET6 ||
IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) {
DPRINTF(("ipip_output: unspecified tunnel endpoint "
"address in SA %s/%08lx\n",
DPRINTF(("%s: unspecified tunnel endpoint "
"address in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
ipipstat.ipips_unspec++;
@ -525,7 +524,7 @@ ipip_output(
M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT);
if (m == 0) {
DPRINTF(("ipip_output: M_PREPEND failed\n"));
DPRINTF(("%s: M_PREPEND failed\n", __func__));
ipipstat.ipips_hdrops++;
*mp = NULL;
error = ENOBUFS;
@ -575,7 +574,7 @@ ipip_output(
default:
nofamily:
DPRINTF(("ipip_output: unsupported protocol family %u\n",
DPRINTF(("%s: unsupported protocol family %u\n", __func__,
saidx->dst.sa.sa_family));
ipipstat.ipips_family++;
error = EAFNOSUPPORT; /* XXX diffs from openbsd */
@ -634,7 +633,7 @@ static int
ipe4_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
/* This is a rather serious mistake, so no conditional printing. */
printf("ipe4_input: should never be called\n");
printf("%s: should never be called\n", __func__);
if (m)
m_freem(m);
return EOPNOTSUPP;