diff --git a/sys/netkey/key.c b/sys/netkey/key.c index e743fabf4541..734b8386d7da 100644 --- a/sys/netkey/key.c +++ b/sys/netkey/key.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include @@ -124,9 +125,7 @@ * field hits 0 (= no external reference other than from SA header. */ -#ifdef IPSEC_DEBUG u_int32_t key_debug_level = 0; -#endif static u_int key_spi_trycnt = 1000; static u_int32_t key_spi_minval = 0x100; static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */ @@ -220,10 +219,8 @@ static int ipsec_ah_keymin = 128; SYSCTL_DECL(_net_key); #endif -#ifdef IPSEC_DEBUG SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_RW, \ &key_debug_level, 0, ""); -#endif /* max count of trial for the decision of spi value */ SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, \ @@ -253,6 +250,10 @@ SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, CTLFLAG_RW, \ SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, CTLFLAG_RW, \ &key_blockacq_lifetime, 0, ""); +/* ESP auth */ +SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, CTLFLAG_RW, \ + &ipsec_esp_auth, 0, ""); + /* minimum ESP key length */ SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, CTLFLAG_RW, \ &ipsec_esp_keymin, 0, ""); @@ -281,20 +282,20 @@ do {\ #define KEY_CHKSASTATE(head, sav, name) \ do { \ - if ((head) != (sav)) { \ - printf("%s: state mismatched (TREE=%d SA=%d)\n", \ - (name), (head), (sav)); \ - continue; \ - } \ + if ((head) != (sav)) { \ + ipseclog((LOG_DEBUG, "%s: state mismatched (TREE=%d SA=%d)\n", \ + (name), (head), (sav))); \ + continue; \ + } \ } while (0) #define KEY_CHKSPDIR(head, sp, name) \ do { \ - if ((head) != (sp)) { \ - printf("%s: direction mismatched (TREE=%d SP=%d), " \ - "anyway continue.\n", \ - (name), (head), (sp)); \ - } \ + if ((head) != (sp)) { \ + ipseclog((LOG_DEBUG, "%s: direction mismatched (TREE=%d SP=%d), " \ + "anyway continue.\n", \ + (name), (head), (sp))); \ + } \ } while (0) #if 1 
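Review bot: In the KEY_CHKSASTATE rewrite (hunk at -281,+282) the `continue;` sits inside the macro's own `do { ... } while (0)`, so it only ends that inner loop and control falls through to the statement after the macro; the state mismatch is logged but the caller's loop body still runs on the mismatched entry. If the intent is to skip the entry, drop the do/while wrapper and expand to a braced `if` — `#define KEY_CHKSASTATE(head, sav, name) if ((head) != (sav)) { ipseclog((LOG_DEBUG, "%s: state mismatched (TREE=%d SA=%d)\n", (name), (head), (sav))); continue; }` — or have the callers test the condition themselves; KEY_CHKSPDIR has no `continue` and is unaffected. Separately, the hunks at -124 and -220 now compile `key_debug_level` and its CTLFLAG_RW sysctl unconditionally while the new ipseclog calls throughout the file sit on paths driven by PF_KEY input, so it is worth confirming that ipseclog is gated on that level or rate-limited rather than logging unconditionally; the gate is not visible in this diff. The header name on the added `+#include` line at -52 was lost in extraction and cannot be checked here.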
@@ -571,8 +572,8 @@ key_gettunnel(osrc, odst, isrc, idst)
 struct secpolicyindex spidx;
 if (isrc->sa_family != idst->sa_family) {
- printf("protocol family mismatched %d != %d\n.",
- isrc->sa_family, idst->sa_family);
+ ipseclog((LOG_ERR, "protocol family mismatched %d != %d\n.",
+ isrc->sa_family, idst->sa_family));
 return NULL;
 }
@@ -592,8 +593,8 @@ key_gettunnel(osrc, odst, isrc, idst)
 return &ip6_def_policy;
 #endif
 default:
- printf("invalid protocol family %d\n.",
- isrc->sa_family);
+ ipseclog((LOG_ERR, "invalid protocol family %d\n.",
+ isrc->sa_family));
 return NULL;
 }
 }
@@ -729,11 +730,9 @@ key_checkrequest(isr, saidx)
 /* there is no SA */
 if ((error = key_acquire(saidx, isr->sp)) != 0) {
- /* XXX What I do ? */
-#ifdef IPSEC_DEBUG
- printf("key_checkrequest: error %d returned "
- "from key_acquire.\n", error);
-#endif
+ /* XXX What should I do ? */
+ ipseclog((LOG_DEBUG, "key_checkrequest: error %d returned "
+ "from key_acquire.\n", error));
 return error;
 }
@@ -920,8 +919,9 @@ key_allocsa(family, src, dst, proto, spi)
 continue;
 break;
 default:
- printf("key_allocsa: unknown address family=%d.\n",
- family);
+ ipseclog((LOG_DEBUG, "key_allocsa: "
+ "unknown address family=%d.\n",
+ family));
 continue;
 }
@@ -956,8 +956,9 @@ key_allocsa(family, src, dst, proto, spi)
 continue;
 break;
 default:
- printf("key_allocsa: unknown address family=%d.\n",
- family);
+ ipseclog((LOG_DEBUG, "key_allocsa: "
+ "unknown address family=%d.\n",
+ family));
 continue;
 }
@@ -1052,10 +1053,8 @@ key_freeso(so)
 break;
 #endif /* INET6 */
 default:
-#ifdef IPSEC_DEBUG
- printf("key_freeso: unknown address family=%d.\n",
- so->so_proto->pr_domain->dom_family);
-#endif
+ ipseclog((LOG_DEBUG, "key_freeso: unknown address family=%d.\n",
+ so->so_proto->pr_domain->dom_family));
 return;
 }
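Review bot: Both new ipseclog format strings in key_gettunnel (hunks at -571 and -592) keep the old `\n.` ordering, so the period is emitted at the start of the following log line; change them to `"protocol family mismatched %d != %d.\n"` and `"invalid protocol family %d.\n"`. These two are also the only messages in the commit logged at LOG_ERR rather than LOG_DEBUG, and nothing in the hunk explains the difference; if key_gettunnel runs per lookup on traffic whose address families are outside the caller's control, a mismatch could produce high-rate output, so confirm that ipseclog is gated or rate-limited before keeping LOG_ERR here, or document why these two deserve it. The rest of key_gettunnel lies outside the hunks.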
@@ -1253,9 +1252,7 @@ key_msg2sp(xpl0, len, error) if (len < sizeof(*xpl0)) panic("key_msg2sp: invalid length.\n"); if (len != PFKEY_EXTLEN(xpl0)) { -#ifdef IPSEC_DEBUG - printf("key_msg2sp: Invalid msg length.\n"); -#endif + ipseclog((LOG_DEBUG, "key_msg2sp: Invalid msg length.\n")); *error = EINVAL; return NULL; } @@ -1285,9 +1282,8 @@ key_msg2sp(xpl0, len, error) /* validity check */ if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) { -#ifdef IPSEC_DEBUG - printf("key_msg2sp: Invalid msg length.\n"); -#endif + ipseclog((LOG_DEBUG, + "key_msg2sp: Invalid msg length.\n")); key_freesp(newsp); *error = EINVAL; return NULL; @@ -1300,10 +1296,8 @@ key_msg2sp(xpl0, len, error) /* length check */ if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { -#ifdef IPSEC_DEBUG - printf("key_msg2sp: " - "invalid ipsecrequest length.\n"); -#endif + ipseclog((LOG_DEBUG, "key_msg2sp: " + "invalid ipsecrequest length.\n")); key_freesp(newsp); *error = EINVAL; return NULL; @@ -1312,9 +1306,8 @@ key_msg2sp(xpl0, len, error) /* allocate request buffer */ KMALLOC(*p_isr, struct ipsecrequest *, sizeof(**p_isr)); if ((*p_isr) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_msg2sp: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, + "key_msg2sp: No more memory.\n")); key_freesp(newsp); *error = ENOBUFS; return NULL; @@ -1330,10 +1323,9 @@ key_msg2sp(xpl0, len, error) case IPPROTO_IPCOMP: break; default: -#ifdef IPSEC_DEBUG - printf("key_msg2sp: invalid proto type=%u\n", - xisr->sadb_x_ipsecrequest_proto); -#endif + ipseclog((LOG_DEBUG, + "key_msg2sp: invalid proto type=%u\n", + xisr->sadb_x_ipsecrequest_proto)); key_freesp(newsp); *error = EPROTONOSUPPORT; return NULL; @@ -1346,10 +1338,9 @@ key_msg2sp(xpl0, len, error) break; case IPSEC_MODE_ANY: default: -#ifdef IPSEC_DEBUG - printf("key_msg2sp: invalid mode=%u\n", - xisr->sadb_x_ipsecrequest_mode); -#endif + ipseclog((LOG_DEBUG, + "key_msg2sp: invalid mode=%u\n", + xisr->sadb_x_ipsecrequest_mode)); key_freesp(newsp); *error = EINVAL; return NULL; 
@@ -1369,12 +1360,10 @@ key_msg2sp(xpl0, len, error) */ if (xisr->sadb_x_ipsecrequest_reqid > IPSEC_MANUAL_REQID_MAX) { -#ifdef IPSEC_DEBUG - printf("key_msg2sp: reqid=%d " - "range violation, " - "updated by kernel.\n", - xisr->sadb_x_ipsecrequest_reqid); -#endif + ipseclog((LOG_DEBUG, + "key_msg2sp: reqid=%d range " + "violation, updated by kernel.\n", + xisr->sadb_x_ipsecrequest_reqid)); xisr->sadb_x_ipsecrequest_reqid = 0; } @@ -1396,10 +1385,8 @@ key_msg2sp(xpl0, len, error) break; default: -#ifdef IPSEC_DEBUG - printf("key_msg2sp: invalid level=%u\n", - xisr->sadb_x_ipsecrequest_level); -#endif + ipseclog((LOG_DEBUG, "key_msg2sp: invalid level=%u\n", + xisr->sadb_x_ipsecrequest_level)); key_freesp(newsp); *error = EINVAL; return NULL; @@ -1415,10 +1402,8 @@ key_msg2sp(xpl0, len, error) /* validity check */ if (paddr->sa_len > sizeof((*p_isr)->saidx.src)) { -#ifdef IPSEC_DEBUG - printf("key_msg2sp: invalid request " - "address length.\n"); -#endif + ipseclog((LOG_DEBUG, "key_msg2sp: invalid request " + "address length.\n")); key_freesp(newsp); *error = EINVAL; return NULL; @@ -1432,10 +1417,8 @@ key_msg2sp(xpl0, len, error) /* validity check */ if (paddr->sa_len > sizeof((*p_isr)->saidx.dst)) { -#ifdef IPSEC_DEBUG - printf("key_msg2sp: invalid request " - "address length.\n"); -#endif + ipseclog((LOG_DEBUG, "key_msg2sp: invalid request " + "address length.\n")); key_freesp(newsp); *error = EINVAL; return NULL; @@ -1453,9 +1436,7 @@ key_msg2sp(xpl0, len, error) /* validity check */ if (tlen < 0) { -#ifdef IPSEC_DEBUG - printf("key_msg2sp: becoming tlen < 0.\n"); -#endif + ipseclog((LOG_DEBUG, "key_msg2sp: becoming tlen < 0.\n")); key_freesp(newsp); *error = EINVAL; return NULL; @@ -1467,9 +1448,7 @@ key_msg2sp(xpl0, len, error) } break; default: -#ifdef IPSEC_DEBUG - printf("key_msg2sp: invalid policy type.\n"); -#endif + ipseclog((LOG_DEBUG, "key_msg2sp: invalid policy type.\n")); key_freesp(newsp); *error = EINVAL; return NULL; 
@@ -1681,25 +1660,19 @@ key_spdadd(so, m, mhp) if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || mhp->ext[SADB_X_EXT_POLICY] == NULL) { -#ifdef IPSEC_DEBUG - printf("key_spdadd: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { -#ifdef IPSEC_DEBUG - printf("key_spdadd: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL) { if (mhp->extlen[SADB_EXT_LIFETIME_HARD] < sizeof(struct sadb_lifetime)) { -#ifdef IPSEC_DEBUG - printf("key_spdadd: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdadd: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } lft = (struct sadb_lifetime *)mhp->ext[SADB_EXT_LIFETIME_HARD]; @@ -1725,9 +1698,7 @@ key_spdadd(so, m, mhp) case IPSEC_DIR_OUTBOUND: break; default: -#ifdef IPSEC_DEBUG - printf("key_spdadd: Invalid SP direction.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdadd: Invalid SP direction.\n")); mhp->msg->sadb_msg_errno = EINVAL; return 0; } @@ -1736,9 +1707,7 @@ key_spdadd(so, m, mhp) /* key_spdadd() accepts DISCARD, NONE and IPSEC. */ if (xpl0->sadb_x_policy_type == IPSEC_POLICY_ENTRUST || xpl0->sadb_x_policy_type == IPSEC_POLICY_BYPASS) { -#ifdef IPSEC_DEBUG - printf("key_spdadd: Invalid policy type.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdadd: Invalid policy type.\n")); return key_senderror(so, m, EINVAL); } 
@@ -1746,9 +1715,7 @@ key_spdadd(so, m, mhp) if (mhp->msg->sadb_msg_type != SADB_X_SPDSETIDX && xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC && mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) { -#ifdef IPSEC_DEBUG - printf("key_spdadd: some policy requests part required.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdadd: some policy requests part required.\n")); return key_senderror(so, m, EINVAL); } @@ -1767,9 +1734,7 @@ key_spdadd(so, m, mhp) } else { if (newsp != NULL) { key_freesp(newsp); -#ifdef IPSEC_DEBUG - printf("key_spdadd: a SP entry exists already.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdadd: a SP entry exists already.\n")); return key_senderror(so, m, EEXIST); } } @@ -1914,9 +1879,7 @@ key_getnewspid() } if (count == 0 || newid == 0) { -#ifdef IPSEC_DEBUG - printf("key_getnewspid: to allocate policy id is failed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_getnewspid: to allocate policy id is failed.\n")); return 0; } @@ -1953,17 +1916,13 @@ key_spddelete(so, m, mhp) if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || mhp->ext[SADB_X_EXT_POLICY] == NULL) { -#ifdef IPSEC_DEBUG - printf("key_spddelete: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spddelete: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { -#ifdef IPSEC_DEBUG - printf("key_spddelete: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spddelete: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } 
@@ -1987,17 +1946,13 @@ key_spddelete(so, m, mhp) case IPSEC_DIR_OUTBOUND: break; default: -#ifdef IPSEC_DEBUG - printf("key_spddelete: Invalid SP direction.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spddelete: Invalid SP direction.\n")); return key_senderror(so, m, EINVAL); } /* Is there SP in SPD ? */ if ((sp = key_getsp(&spidx)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_spddelete: no SP found.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spddelete: no SP found.\n")); return key_senderror(so, m, EINVAL); } @@ -2053,9 +2008,7 @@ key_spddelete2(so, m, mhp) if (mhp->ext[SADB_X_EXT_POLICY] == NULL || mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { -#ifdef IPSEC_DEBUG - printf("key_spddelete2: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spddelete2: invalid message is passed.\n")); key_senderror(so, m, EINVAL); return 0; } @@ -2064,9 +2017,7 @@ key_spddelete2(so, m, mhp) /* Is there SP in SPD ? */ if ((sp = key_getspbyid(id)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_spddelete2: no SP found id:%u.\n", id); -#endif + ipseclog((LOG_DEBUG, "key_spddelete2: no SP found id:%u.\n", id)); key_senderror(so, m, EINVAL); } @@ -2154,9 +2105,7 @@ key_spdget(so, m, mhp) if (mhp->ext[SADB_X_EXT_POLICY] == NULL || mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) { -#ifdef IPSEC_DEBUG - printf("key_spdget: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdget: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -2164,9 +2113,7 @@ key_spdget(so, m, mhp) /* Is there SP in SPD ? */ if ((sp = key_getspbyid(id)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_spdget: no SP found id:%u.\n", id); -#endif + ipseclog((LOG_DEBUG, "key_spdget: no SP found id:%u.\n", id)); return key_senderror(so, m, ENOENT); } 
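Review bot: In key_spddelete2 (hunk at -2064,+2017) the visible lines after the new ipseclog call are `key_senderror(so, m, EINVAL);` followed by the closing `}` with no return, unlike the earlier hunk in the same function (-2053) which does `key_senderror(so, m, EINVAL); return 0;`. Unless the line immediately past the hunk returns, execution continues with `sp == NULL` and a policy id that matches no entry reaches the code below with a null pointer; the fix is to match the earlier path, `key_senderror(so, m, EINVAL); return 0;`. The remainder of key_spddelete2 is outside the hunk, so this is inferred from the visible context.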
@@ -2287,9 +2234,7 @@ key_spdflush(so, m, mhp) } if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { -#ifdef IPSEC_DEBUG - printf("key_spdflush: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_spdflush: No more memory.\n")); return key_senderror(so, m, ENOBUFS); } @@ -2685,9 +2630,7 @@ key_newsav(m, mhp, sah, errp) KMALLOC(newsav, struct secasvar *, sizeof(struct secasvar)); if (newsav == NULL) { -#ifdef IPSEC_DEBUG - printf("key_newsa: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_newsa: No more memory.\n")); *errp = ENOBUFS; return NULL; } @@ -2711,9 +2654,7 @@ key_newsav(m, mhp, sah, errp) /* sanity check */ if (mhp->ext[SADB_EXT_SA] == NULL) { KFREE(newsav); -#ifdef IPSEC_DEBUG - printf("key_newsa: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_newsa: invalid message is passed.\n")); *errp = EINVAL; return NULL; } @@ -2853,9 +2794,7 @@ key_checkspidup(saidx, spi) /* check address family */ if (saidx->src.ss_family != saidx->dst.ss_family) { -#ifdef IPSEC_DEBUG - printf("key_checkspidup: address family mismatched.\n"); -#endif + ipseclog((LOG_DEBUG, "key_checkspidup: address family mismatched.\n")); return NULL; } @@ -2895,12 +2834,9 @@ key_getsavbyspi(sah, spi) /* sanity check */ if (sav->state != state) { -#ifdef IPSEC_DEBUG - printf("key_getsavbyspi: " - "invalid sav->state " - "(queue: %d SA: %d)\n", - state, sav->state); -#endif + ipseclog((LOG_DEBUG, "key_getsavbyspi: " + "invalid sav->state (queue: %d SA: %d)\n", + state, sav->state)); continue; } @@ -2965,9 +2901,7 @@ key_setsaval(sav, m, mhp) if ((sa0->sadb_sa_flags & SADB_X_EXT_OLD) == 0) { sav->replay = keydb_newsecreplay(sa0->sadb_sa_replay); if (sav->replay == NULL) { -#ifdef IPSEC_DEBUG - printf("key_setsaval: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: No more memory.\n")); error = ENOBUFS; goto fail; } 
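Review bot: The rewritten messages in key_newsav (hunks at -2685 and -2711) still carry the `key_newsa:` prefix, and the same function-name drift survives in later hunks: `key_setsatval:` inside key_setsaval (hunk at -3056) and `"key_update: No more memory.\n"` inside key_add (hunk at -5194). Since each of these lines is being rewritten anyway, correct the prefixes now — `"key_newsav: No more memory.\n"`, `"key_setsaval: invalid key_enc value.\n"`, `"key_add: No more memory.\n"` — so a log line can be traced to the function that emitted it, or switch the prefix to `__func__` if the kernel toolchain accepts it.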
@@ -3000,17 +2934,13 @@ key_setsaval(sav, m, mhp) break; } if (error) { -#ifdef IPSEC_DEBUG - printf("key_setsaval: invalid key_auth values.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: invalid key_auth values.\n")); goto fail; } sav->key_auth = (struct sadb_key *)key_newbuf(key0, len); if (sav->key_auth == NULL) { -#ifdef IPSEC_DEBUG - printf("key_setsaval: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: No more memory.\n")); error = ENOBUFS; goto fail; } @@ -3038,9 +2968,7 @@ key_setsaval(sav, m, mhp) } sav->key_enc = (struct sadb_key *)key_newbuf(key0, len); if (sav->key_enc == NULL) { -#ifdef IPSEC_DEBUG - printf("key_setsaval: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: No more memory.\n")); error = ENOBUFS; goto fail; } @@ -3056,9 +2984,7 @@ key_setsaval(sav, m, mhp) break; } if (error) { -#ifdef IPSEC_DEBUG - printf("key_setsatval: invalid key_enc value.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsatval: invalid key_enc value.\n")); goto fail; } } @@ -3076,9 +3002,7 @@ key_setsaval(sav, m, mhp) break; KMALLOC(sav->iv, caddr_t, sav->ivlen); if (sav->iv == 0) { -#ifdef IPSEC_DEBUG - printf("key_setsaval: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: No more memory.\n")); error = ENOBUFS; goto fail; } @@ -3091,9 +3015,7 @@ key_setsaval(sav, m, mhp) case SADB_X_SATYPE_IPCOMP: break; default: -#ifdef IPSEC_DEBUG - printf("key_setsaval: invalid SA type.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: invalid SA type.\n")); error = EINVAL; goto fail; } @@ -3106,9 +3028,7 @@ key_setsaval(sav, m, mhp) KMALLOC(sav->lft_c, struct sadb_lifetime *, sizeof(struct sadb_lifetime)); if (sav->lft_c == NULL) { -#ifdef IPSEC_DEBUG - printf("key_setsaval: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: No more memory.\n")); error = ENOBUFS; goto fail; } 
@@ -3136,9 +3056,7 @@ key_setsaval(sav, m, mhp) sav->lft_h = (struct sadb_lifetime *)key_newbuf(lft0, sizeof(*lft0)); if (sav->lft_h == NULL) { -#ifdef IPSEC_DEBUG - printf("key_setsaval: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: No more memory.\n")); error = ENOBUFS; goto fail; } @@ -3154,9 +3072,7 @@ key_setsaval(sav, m, mhp) sav->lft_s = (struct sadb_lifetime *)key_newbuf(lft0, sizeof(*lft0)); if (sav->lft_s == NULL) { -#ifdef IPSEC_DEBUG - printf("key_setsaval: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setsaval: No more memory.\n")); error = ENOBUFS; goto fail; } @@ -3224,10 +3140,9 @@ key_mature(sav) case IPPROTO_ESP: case IPPROTO_AH: if (ntohl(sav->spi) >= 0 && ntohl(sav->spi) <= 255) { -#ifdef IPSEC_DEBUG - printf("key_mature: illegal range of SPI %u.\n", - (u_int32_t)ntohl(sav->spi)); -#endif + ipseclog((LOG_DEBUG, + "key_mature: illegal range of SPI %u.\n", + (u_int32_t)ntohl(sav->spi))); return EINVAL; } break; @@ -3239,10 +3154,8 @@ key_mature(sav) /* check flags */ if ((sav->flags & SADB_X_EXT_OLD) && (sav->flags & SADB_X_EXT_DERIV)) { -#ifdef IPSEC_DEBUG - printf("key_mature: " - "invalid flag (derived) given to old-esp.\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: " + "invalid flag (derived) given to old-esp.\n")); return EINVAL; } if (sav->alg_auth == SADB_AALG_NONE) @@ -3254,17 +3167,13 @@ key_mature(sav) case IPPROTO_AH: /* check flags */ if (sav->flags & SADB_X_EXT_DERIV) { -#ifdef IPSEC_DEBUG - printf("key_mature: " - "invalid flag (derived) given to AH SA.\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: " + "invalid flag (derived) given to AH SA.\n")); return EINVAL; } if (sav->alg_enc != SADB_EALG_NONE) { -#ifdef IPSEC_DEBUG - printf("key_mature: " - "protocol and algorithm mismated.\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: " + "protocol and algorithm mismated.\n")); return(EINVAL); } checkmask = 2; 
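Review bot: The two `"protocol and algorithm mismated.\n"` messages in key_mature (hunk at -3254 here and -3272 in the next group) are being rewritten but keep the typo; change both to `"protocol and algorithm mismatched.\n"`. On a context line of the -3224 hunk, `ntohl(sav->spi) >= 0 && ntohl(sav->spi) <= 255` has an always-true first half if ntohl returns an unsigned value, so the reserved-SPI check is effectively `ntohl(sav->spi) <= 255`; not part of this change, but the dead half is worth dropping in a follow-up.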
@@ -3272,26 +3181,20 @@ key_mature(sav) break; case IPPROTO_IPCOMP: if (sav->alg_auth != SADB_AALG_NONE) { -#ifdef IPSEC_DEBUG - printf("key_mature: " - "protocol and algorithm mismated.\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: " + "protocol and algorithm mismated.\n")); return(EINVAL); } if ((sav->flags & SADB_X_EXT_RAWCPI) == 0 && ntohl(sav->spi) >= 0x10000) { -#ifdef IPSEC_DEBUG - printf("key_mature: invalid cpi for IPComp.\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: invalid cpi for IPComp.\n")); return(EINVAL); } checkmask = 4; mustmask = 4; break; default: -#ifdef IPSEC_DEBUG - printf("key_mature: Invalid satype.\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: Invalid satype.\n")); return EPROTONOSUPPORT; } @@ -3302,10 +3205,8 @@ key_mature(sav) algo = ah_algorithm_lookup(sav->alg_auth); if (!algo) { -#ifdef IPSEC_DEBUG - printf("key_mature: " - "unknown authentication algorithm.\n"); -#endif + ipseclog((LOG_DEBUG,"key_mature: " + "unknown authentication algorithm.\n")); return EINVAL; } @@ -3315,11 +3216,10 @@ key_mature(sav) else keylen = 0; if (keylen < algo->keymin || algo->keymax < keylen) { -#ifdef IPSEC_DEBUG - printf("key_mature: invalid AH key length %d " - "(%d-%d allowed)\n", keylen, - algo->keymin, algo->keymax); -#endif + ipseclog((LOG_DEBUG, + "key_mature: invalid AH key length %d " + "(%d-%d allowed)\n", + keylen, algo->keymin, algo->keymax)); return EINVAL; } @@ -3332,9 +3232,7 @@ key_mature(sav) } if ((mustmask & 2) != 0 && mature != SADB_SATYPE_AH) { -#ifdef IPSEC_DEBUG - printf("key_mature: no satisfy algorithm for AH\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: no satisfy algorithm for AH\n")); return EINVAL; } } @@ -3347,9 +3245,7 @@ key_mature(sav) algo = esp_algorithm_lookup(sav->alg_enc); if (!algo) { -#ifdef IPSEC_DEBUG - printf("key_mature: unknown encryption algorithm.\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: unknown encryption algorithm.\n")); return EINVAL; } 
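Review bot: `ipseclog((LOG_DEBUG,"key_mature: "` in the -3302 hunk has no space after the comma, unlike every other call this commit adds; the same slip appears in the key_timehandler hunk at -4288. Change them to `ipseclog((LOG_DEBUG, "key_mature: "` and `ipseclog((LOG_DEBUG, "key_timehandler: "` so the new calls are uniform and easy to grep.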
@@ -3359,11 +3255,10 @@ key_mature(sav) else keylen = 0; if (keylen < algo->keymin || algo->keymax < keylen) { -#ifdef IPSEC_DEBUG - printf("key_mature: invalid ESP key length %d " - "(%d-%d allowed)\n", keylen, - algo->keymin, algo->keymax); -#endif + ipseclog((LOG_DEBUG, + "key_mature: invalid ESP key length %d " + "(%d-%d allowed)\n", + keylen, algo->keymin, algo->keymax)); return EINVAL; } @@ -3376,15 +3271,11 @@ key_mature(sav) } if ((mustmask & 1) != 0 && mature != SADB_SATYPE_ESP) { -#ifdef IPSEC_DEBUG - printf("key_mature: no satisfy algorithm for ESP\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: no satisfy algorithm for ESP\n")); return EINVAL; } #else /*IPSEC_ESP*/ -#ifdef IPSEC_DEBUG - printf("key_mature: ESP not supported in this configuration\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: ESP not supported in this configuration\n")); return EINVAL; #endif } @@ -3396,9 +3287,7 @@ key_mature(sav) /* algorithm-dependent check */ algo = ipcomp_algorithm_lookup(sav->alg_enc); if (!algo) { -#ifdef IPSEC_DEBUG - printf("key_mature: unknown compression algorithm.\n"); -#endif + ipseclog((LOG_DEBUG, "key_mature: unknown compression algorithm.\n")); return EINVAL; } } @@ -3808,9 +3697,7 @@ key_newbuf(src, len) KMALLOC(new, caddr_t, len); if (new == NULL) { -#ifdef IPSEC_DEBUG - printf("key_newbuf: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_newbuf: No more memory.\n")); return NULL; } bcopy(src, new, len); @@ -4288,10 +4175,8 @@ key_timehandler(void) /* sanity check */ if (sav->lft_c == NULL) { -#ifdef IPSEC_DEBUG - printf("key_timehandler: " - "There is no CURRENT time, why?\n"); -#endif + ipseclog((LOG_DEBUG,"key_timehandler: " + "There is no CURRENT time, why?\n")); continue; } 
@@ -4348,10 +4233,8 @@ key_timehandler(void) /* sanity check */ if (sav->lft_c == NULL) { -#ifdef IPSEC_DEBUG - printf("key_timehandler: " - "There is no CURRENT time, why?\n"); -#endif + ipseclog((LOG_DEBUG, "key_timehandler: " + "There is no CURRENT time, why?\n")); continue; } @@ -4395,13 +4278,11 @@ key_timehandler(void) /* sanity check */ if (sav->state != SADB_SASTATE_DEAD) { -#ifdef IPSEC_DEBUG - printf("key_timehandler: " + ipseclog((LOG_DEBUG, "key_timehandler: " "invalid sav->state " "(queue: %d SA: %d): " "kill it anyway\n", - SADB_SASTATE_DEAD, sav->state); -#endif + SADB_SASTATE_DEAD, sav->state)); } /* @@ -4601,16 +4482,12 @@ key_getspi(so, m, mhp) if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { -#ifdef IPSEC_DEBUG - printf("key_getspi: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_getspi: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { -#ifdef IPSEC_DEBUG - printf("key_getspi: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_getspi: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->ext[SADB_X_EXT_SA2] != NULL) { @@ -4626,9 +4503,7 @@ key_getspi(so, m, mhp) /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_getspi: invalid satype is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_getspi: invalid satype is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -4679,9 +4554,7 @@ key_getspi(so, m, mhp) if ((newsah = key_getsah(&saidx)) == NULL) { /* create a new SA index */ if ((newsah = key_newsah(&saidx)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_getspi: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_getspi: No more memory.\n")); return key_senderror(so, m, ENOBUFS); } } 
@@ -4817,9 +4690,7 @@ key_do_getnewspi(spirange, saidx) if (min == max) { if (key_checkspidup(saidx, min) != NULL) { -#ifdef IPSEC_DEBUG - printf("key_do_getnewspi: SPI %u exists already.\n", min); -#endif + ipseclog((LOG_DEBUG, "key_do_getnewspi: SPI %u exists already.\n", min)); return 0; } @@ -4841,9 +4712,7 @@ key_do_getnewspi(spirange, saidx) } if (count == 0 || newspi == 0) { -#ifdef IPSEC_DEBUG - printf("key_do_getnewspi: to allocate spi is failed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_do_getnewspi: to allocate spi is failed.\n")); return 0; } } @@ -4890,9 +4759,7 @@ key_update(so, m, mhp) /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_update: invalid satype is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_update: invalid satype is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -4907,17 +4774,13 @@ key_update(so, m, mhp) mhp->ext[SADB_EXT_LIFETIME_SOFT] == NULL) || (mhp->ext[SADB_EXT_LIFETIME_HARD] == NULL && mhp->ext[SADB_EXT_LIFETIME_SOFT] != NULL)) { -#ifdef IPSEC_DEBUG - printf("key_update: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_update: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { -#ifdef IPSEC_DEBUG - printf("key_update: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_update: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->ext[SADB_X_EXT_SA2] != NULL) { @@ -4938,9 +4801,7 @@ key_update(so, m, mhp) /* get a SA header */ if ((sah = key_getsah(&saidx)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_update: no SA index found.\n"); -#endif + ipseclog((LOG_DEBUG, "key_update: no SA index found.\n")); return key_senderror(so, m, ENOENT); } 
@@ -4954,45 +4815,40 @@ key_update(so, m, mhp) #ifdef IPSEC_DOSEQCHECK if (mhp->msg->sadb_msg_seq != 0 && (sav = key_getsavbyseq(sah, mhp->msg->sadb_msg_seq)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_update: no larval SA with sequence %u exists.\n", - mhp->msg->sadb_msg_seq); -#endif + ipseclog((LOG_DEBUG, + "key_update: no larval SA with sequence %u exists.\n", + mhp->msg->sadb_msg_seq)); return key_senderror(so, m, ENOENT); } #else if ((sav = key_getsavbyspi(sah, sa0->sadb_sa_spi)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_update: no such a SA found (spi:%u)\n", - (u_int32_t)ntohl(sa0->sadb_sa_spi)); -#endif + ipseclog((LOG_DEBUG, + "key_update: no such a SA found (spi:%u)\n", + (u_int32_t)ntohl(sa0->sadb_sa_spi))); return key_senderror(so, m, EINVAL); } #endif /* validity check */ if (sav->sah->saidx.proto != proto) { -#ifdef IPSEC_DEBUG - printf("key_update: protocol mismatched (DB=%u param=%u)\n", - sav->sah->saidx.proto, proto); -#endif + ipseclog((LOG_DEBUG, + "key_update: protocol mismatched (DB=%u param=%u)\n", + sav->sah->saidx.proto, proto)); return key_senderror(so, m, EINVAL); } #ifdef IPSEC_DOSEQCHECK if (sav->spi != sa0->sadb_sa_spi) { -#ifdef IPSEC_DEBUG - printf("key_update: SPI mismatched (DB:%u param:%u)\n", - (u_int32_t)ntohl(sav->spi), - (u_int32_t)ntohl(sa0->sadb_sa_spi)); -#endif + ipseclog((LOG_DEBUG, + "key_update: SPI mismatched (DB:%u param:%u)\n", + (u_int32_t)ntohl(sav->spi), + (u_int32_t)ntohl(sa0->sadb_sa_spi))); return key_senderror(so, m, EINVAL); } #endif if (sav->pid != mhp->msg->sadb_msg_pid) { -#ifdef IPSEC_DEBUG - printf("key_update: pid mismatched (DB:%u param:%u)\n", - sav->pid, mhp->msg->sadb_msg_pid); -#endif + ipseclog((LOG_DEBUG, + "key_update: pid mismatched (DB:%u param:%u)\n", + sav->pid, mhp->msg->sadb_msg_pid)); return key_senderror(so, m, EINVAL); } 
@@ -5015,9 +4871,7 @@ key_update(so, m, mhp) /* set msg buf from mhp */ n = key_getmsgbuf_x1(m, mhp); if (n == NULL) { -#ifdef IPSEC_DEBUG - printf("key_update: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_update: No more memory.\n")); return key_senderror(so, m, ENOBUFS); } @@ -5100,9 +4954,7 @@ key_add(so, m, mhp) /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_add: invalid satype is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_add: invalid satype is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -5117,18 +4969,14 @@ key_add(so, m, mhp) mhp->ext[SADB_EXT_LIFETIME_SOFT] == NULL) || (mhp->ext[SADB_EXT_LIFETIME_HARD] == NULL && mhp->ext[SADB_EXT_LIFETIME_SOFT] != NULL)) { -#ifdef IPSEC_DEBUG - printf("key_add: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_add: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { /* XXX need more */ -#ifdef IPSEC_DEBUG - printf("key_add: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_add: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->ext[SADB_X_EXT_SA2] != NULL) { @@ -5150,9 +4998,7 @@ key_add(so, m, mhp) if ((newsah = key_getsah(&saidx)) == NULL) { /* create a new SA header */ if ((newsah = key_newsah(&saidx)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_add: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_add: No more memory.\n")); return key_senderror(so, m, ENOBUFS); } } 
@@ -5167,9 +5013,7 @@ key_add(so, m, mhp) /* create new SA entry. */ /* We can create new SA only if SPI is differenct. */ if (key_getsavbyspi(newsah, sa0->sadb_sa_spi)) { -#ifdef IPSEC_DEBUG - printf("key_add: SA already exists.\n"); -#endif + ipseclog((LOG_DEBUG, "key_add: SA already exists.\n")); return key_senderror(so, m, EEXIST); } newsav = key_newsav(m, mhp, newsah, &error); @@ -5194,9 +5038,7 @@ key_add(so, m, mhp) /* set msg buf from mhp */ n = key_getmsgbuf_x1(m, mhp); if (n == NULL) { -#ifdef IPSEC_DEBUG - printf("key_update: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_update: No more memory.\n")); return key_senderror(so, m, ENOBUFS); } @@ -5229,9 +5071,7 @@ key_setident(sah, m, mhp) if (mhp->ext[SADB_EXT_IDENTITY_SRC] == NULL || mhp->ext[SADB_EXT_IDENTITY_DST] == NULL) { -#ifdef IPSEC_DEBUG - printf("key_setident: invalid identity.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setident: invalid identity.\n")); return EINVAL; } @@ -5242,9 +5082,7 @@ key_setident(sah, m, mhp) /* validity check */ if (idsrc->sadb_ident_type != iddst->sadb_ident_type) { -#ifdef IPSEC_DEBUG - printf("key_setident: ident type mismatch.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setident: ident type mismatch.\n")); return EINVAL; } @@ -5262,18 +5100,14 @@ key_setident(sah, m, mhp) /* make structure */ KMALLOC(sah->idents, struct sadb_ident *, idsrclen); if (sah->idents == NULL) { -#ifdef IPSEC_DEBUG - printf("key_setident: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setident: No more memory.\n")); return ENOBUFS; } KMALLOC(sah->identd, struct sadb_ident *, iddstlen); if (sah->identd == NULL) { KFREE(sah->idents); sah->idents = NULL; -#ifdef IPSEC_DEBUG - printf("key_setident: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_setident: No more memory.\n")); return ENOBUFS; } bcopy(idsrc, sah->idents, idsrclen); 
@@ -5351,25 +5185,19 @@ key_delete(so, m, mhp) /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_delete: invalid satype is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_delete: invalid satype is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { -#ifdef IPSEC_DEBUG - printf("key_delete: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_delete: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { -#ifdef IPSEC_DEBUG - printf("key_delete: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_delete: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -5379,14 +5207,10 @@ key_delete(so, m, mhp) * that match the src/dst. This is used during * IKE INITIAL-CONTACT. */ -#ifdef IPSEC_DEBUG - printf("key_delete: doing delete all.\n"); -#endif + ipseclog((LOG_DEBUG, "key_delete: doing delete all.\n")); return key_delete_all(so, m, mhp, proto); } else if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa)) { -#ifdef IPSEC_DEBUG - printf("key_delete: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_delete: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -5410,9 +5234,7 @@ key_delete(so, m, mhp) break; } if (sah == NULL) { -#ifdef IPSEC_DEBUG - printf("key_delete: no SA found.\n"); -#endif + ipseclog((LOG_DEBUG, "key_delete: no SA found.\n")); return key_senderror(so, m, ENOENT); } 
@@ -5484,12 +5306,10 @@ key_delete_all(so, m, mhp, proto) nextsav = LIST_NEXT(sav, chain); /* sanity check */ if (sav->state != state) { -#ifdef IPSEC_DEBUG - printf("key_delete_all: " + ipseclog((LOG_DEBUG, "key_delete_all: " "invalid sav->state " "(queue: %d SA: %d)\n", - state, sav->state); -#endif + state, sav->state)); continue; } @@ -5553,26 +5373,20 @@ key_get(so, m, mhp) /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_get: invalid satype is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_get: invalid satype is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->ext[SADB_EXT_SA] == NULL || mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL || mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) { -#ifdef IPSEC_DEBUG - printf("key_get: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_get: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa) || mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) { -#ifdef IPSEC_DEBUG - printf("key_get: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_get: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -5596,9 +5410,7 @@ key_get(so, m, mhp) break; } if (sah == NULL) { -#ifdef IPSEC_DEBUG - printf("key_get: no SA found.\n"); -#endif + ipseclog((LOG_DEBUG, "key_get: no SA found.\n")); return key_senderror(so, m, ENOENT); } @@ -5608,9 +5420,7 @@ key_get(so, m, mhp) /* map proto to satype */ if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_get: there was invalid proto in SAD.\n"); -#endif + ipseclog((LOG_DEBUG, "key_get: there was invalid proto in SAD.\n")); return key_senderror(so, m, EINVAL); } 
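Review bot: In the `@@ -5608,9 +5420,7 @@` hunk of key_get, `"key_get: there was invalid proto in SAD.\n"` reports an inconsistency in the kernel's own SAD (an sah->saidx.proto that key_proto2satype cannot map), not a malformed client message, yet it is logged at LOG_DEBUG next to the input-validation failures and answered with EINVAL as if the caller were at fault. The priority is what syslogd uses to route the line, so a corrupted SAD entry would be filed with debug chatter and likely discarded; logging it as `ipseclog((LOG_ERR, "key_get: there was invalid proto in SAD.\n"));` keeps the kernel-state case visible. The same message appears in key_dump and deserves the same treatment. key_get's body starts and ends outside this hunk.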
@@ -6088,9 +5898,7 @@ key_newacq(saidx) /* get new entry */ KMALLOC(newacq, struct secacq *, sizeof(struct secacq)); if (newacq == NULL) { -#ifdef IPSEC_DEBUG - printf("key_newacq: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_newacq: No more memory.\n")); return NULL; } bzero(newacq, sizeof(*newacq)); @@ -6144,9 +5952,7 @@ key_newspacq(spidx) /* get new entry */ KMALLOC(acq, struct secspacq *, sizeof(struct secspacq)); if (acq == NULL) { -#ifdef IPSEC_DEBUG - printf("key_newspacq: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_newspacq: No more memory.\n")); return NULL; } bzero(acq, sizeof(*acq)); @@ -6217,9 +6023,7 @@ key_acquire2(so, m, mhp) /* check sequence number */ if (mhp->msg->sadb_msg_seq == 0) { -#ifdef IPSEC_DEBUG - printf("key_acquire2: must specify sequence number.\n"); -#endif + ipseclog((LOG_DEBUG, "key_acquire2: must specify sequence number.\n")); m_freem(m); return 0; } @@ -6248,9 +6052,7 @@ key_acquire2(so, m, mhp) /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_acquire2: invalid satype is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_acquire2: invalid satype is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -6258,18 +6060,14 @@ key_acquire2(so, m, mhp) mhp->ext[SADB_EXT_ADDRESS_DST] == NULL || mhp->ext[SADB_EXT_PROPOSAL] == NULL) { /* error */ -#ifdef IPSEC_DEBUG - printf("key_acquire2: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_acquire2: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) || mhp->extlen[SADB_EXT_PROPOSAL] < sizeof(struct sadb_prop)) { /* error */ -#ifdef IPSEC_DEBUG - printf("key_acquire2: invalid message is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_acquire2: invalid message is passed.\n")); return key_senderror(so, m, EINVAL); } 
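Review bot: In the `@@ -6217,9 +6023,7 @@` hunk of key_acquire2, the `sadb_msg_seq == 0` rejection does `m_freem(m); return 0;` while the other validation failures of the same function visible in this diff (invalid satype, missing or short extensions) go through `key_senderror(so, m, EINVAL)`, so the sender of a zero-sequence message gets no error and cannot tell it was dropped. If that asymmetry is intentional because this branch handles a reply from the key-management daemon rather than a request, which only the code outside the hunk would show, a comment should say so: `/* reply to an ACQUIRE: discard silently, the sender gets no error */`. Otherwise `return key_senderror(so, m, EINVAL);` would match the rest of the function. key_acquire2's body continues outside this hunk.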
@@ -6287,18 +6085,14 @@ key_acquire2(so, m, mhp) break; } if (sah != NULL) { -#ifdef IPSEC_DEBUG - printf("key_acquire2: a SA exists already.\n"); -#endif + ipseclog((LOG_DEBUG, "key_acquire2: a SA exists already.\n")); return key_senderror(so, m, EEXIST); } error = key_acquire(&saidx, NULL); if (error != 0) { -#ifdef IPSEC_DEBUG - printf("key_acquire2: error %d returned " - "from key_acquire.\n", mhp->msg->sadb_msg_errno); -#endif + ipseclog((LOG_DEBUG, "key_acquire2: error %d returned " + "from key_acquire.\n", mhp->msg->sadb_msg_errno)); return key_senderror(so, m, error); } @@ -6341,9 +6135,7 @@ key_register(so, m, mhp) /* check whether existing or not */ LIST_FOREACH(reg, ®tree[mhp->msg->sadb_msg_satype], chain) { if (reg->so == so) { -#ifdef IPSEC_DEBUG - printf("key_register: socket exists already.\n"); -#endif + ipseclog((LOG_DEBUG, "key_register: socket exists already.\n")); return key_senderror(so, m, EEXIST); } } @@ -6351,9 +6143,7 @@ key_register(so, m, mhp) /* create regnode */ KMALLOC(newreg, struct secreg *, sizeof(*newreg)); if (newreg == NULL) { -#ifdef IPSEC_DEBUG - printf("key_register: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_register: No more memory.\n")); return key_senderror(so, m, ENOBUFS); } bzero((caddr_t)newreg, sizeof(*newreg)); @@ -6675,9 +6465,7 @@ key_flush(so, m, mhp) /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_flush: invalid satype is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_flush: invalid satype is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -6711,9 +6499,7 @@ key_flush(so, m, mhp) if (m->m_len < sizeof(struct sadb_msg) || sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) { -#ifdef IPSEC_DEBUG - printf("key_flush: No more memory.\n"); -#endif + ipseclog((LOG_DEBUG, "key_flush: No more memory.\n")); return key_senderror(so, m, ENOBUFS); } 
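Review bot: In the `@@ -6287,18 +6085,14 @@` hunk of key_acquire2, the rewritten log line prints the wrong value: `ipseclog((LOG_DEBUG, "key_acquire2: error %d returned " "from key_acquire.\n", mhp->msg->sadb_msg_errno));` claims to show key_acquire's return code but passes `mhp->msg->sadb_msg_errno`, a field of the incoming user-supplied PF_KEY message, while the actual code sits in `error` and is what key_senderror reports on the very next line. The commit rewrote this line but carried the mismatch over; it should read `ipseclog((LOG_DEBUG, "key_acquire2: error %d returned from key_acquire.\n", error));`. key_acquire2's body starts outside this hunk.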
@@ -6762,9 +6548,7 @@ key_dump(so, m, mhp) /* map satype to proto */ if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_dump: invalid satype is passed.\n"); -#endif + ipseclog((LOG_DEBUG, "key_dump: invalid satype is passed.\n")); return key_senderror(so, m, EINVAL); } @@ -6797,9 +6581,7 @@ key_dump(so, m, mhp) /* map proto to satype */ if ((satype = key_proto2satype(sah->saidx.proto)) == 0) { -#ifdef IPSEC_DEBUG - printf("key_dump: there was invalid proto in SAD.\n"); -#endif + ipseclog((LOG_DEBUG, "key_dump: there was invalid proto in SAD.\n")); return key_senderror(so, m, EINVAL); } @@ -6932,7 +6714,7 @@ key_parse(m, so) #if 0 /*kdebug_sadb assumes msg in linear buffer*/ KEYDEBUG(KEYDEBUG_KEY_DUMP, - printf("key_parse: passed sadb_msg\n"); + ipseclog((LOG_DEBUG, "key_parse: passed sadb_msg\n")); kdebug_sadb(msg)); #endif @@ -6947,29 +6729,24 @@ key_parse(m, so) if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len != m->m_pkthdr.len) { -#ifdef IPSEC_DEBUG - printf("key_parse: invalid message length.\n"); -#endif + ipseclog((LOG_DEBUG, "key_parse: invalid message length.\n")); pfkeystat.out_invlen++; error = EINVAL; goto senderror; } if (msg->sadb_msg_version != PF_KEY_V2) { -#ifdef IPSEC_DEBUG - printf("key_parse: PF_KEY version %u is mismatched.\n", - msg->sadb_msg_version); -#endif + ipseclog((LOG_DEBUG, + "key_parse: PF_KEY version %u is mismatched.\n", + msg->sadb_msg_version)); pfkeystat.out_invver++; error = EINVAL; goto senderror; } if (msg->sadb_msg_type > SADB_MAX) { -#ifdef IPSEC_DEBUG - printf("key_parse: invalid type %u is passed.\n", - msg->sadb_msg_type); -#endif + ipseclog((LOG_DEBUG, "key_parse: invalid type %u is passed.\n", + msg->sadb_msg_type)); pfkeystat.out_invmsgtype++; error = EINVAL; goto senderror; 
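Review bot: In the `@@ -6947,29 +6729,24 @@` hunk of key_parse, the new `"key_parse: invalid message length.\n"` log line and the `pfkeystat.out_invlen++` behind it can never be reached through the length test, because the condition reads `m->m_pkthdr.len != m->m_pkthdr.len`, which compares the field with itself and is always false; only the missing-M_PKTHDR operand can take the branch. The intended test is presumably the one key_output in keysock.c performs in this same diff, that the mbuf length equals the length claimed by the header: `m->m_pkthdr.len != PFKEY_UNUNIT64(msg->sadb_msg_len)` (msg is dereferenced on the following lines, so it is in scope). Since key_parse is the entry point for every PF_KEY message, a length check that cannot fire deserves fixing even though key_output currently catches the same case. key_parse's body starts and ends outside this hunk.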
@@ -7025,11 +6802,8 @@ key_parse(m, so) case SADB_GET: case SADB_ACQUIRE: case SADB_EXPIRE: -#ifdef IPSEC_DEBUG - printf("key_parse: must specify satype " - "when msg type=%u.\n", - msg->sadb_msg_type); -#endif + ipseclog((LOG_DEBUG, "key_parse: must specify satype " + "when msg type=%u.\n", msg->sadb_msg_type)); pfkeystat.out_invsatype++; error = EINVAL; goto senderror; @@ -7047,10 +6821,8 @@ key_parse(m, so) case SADB_X_SPDSETIDX: case SADB_X_SPDUPDATE: case SADB_X_SPDDELETE2: -#ifdef IPSEC_DEBUG - printf("key_parse: illegal satype=%u\n", - msg->sadb_msg_type); -#endif + ipseclog((LOG_DEBUG, "key_parse: illegal satype=%u\n", + msg->sadb_msg_type)); pfkeystat.out_invsatype++; error = EINVAL; goto senderror; @@ -7060,10 +6832,8 @@ key_parse(m, so) case SADB_SATYPE_OSPFV2: case SADB_SATYPE_RIPV2: case SADB_SATYPE_MIP: -#ifdef IPSEC_DEBUG - printf("key_parse: type %u isn't supported.\n", - msg->sadb_msg_satype); -#endif + ipseclog((LOG_DEBUG, "key_parse: type %u isn't supported.\n", + msg->sadb_msg_satype)); pfkeystat.out_invsatype++; error = EOPNOTSUPP; goto senderror; @@ -7072,10 +6842,8 @@ key_parse(m, so) break; /*FALLTHROUGH*/ default: -#ifdef IPSEC_DEBUG - printf("key_parse: invalid type %u is passed.\n", - msg->sadb_msg_satype); -#endif + ipseclog((LOG_DEBUG, "key_parse: invalid type %u is passed.\n", + msg->sadb_msg_satype)); pfkeystat.out_invsatype++; error = EINVAL; goto senderror; @@ -7092,9 +6860,7 @@ key_parse(m, so) /* check upper layer protocol */ if (src0->sadb_address_proto != dst0->sadb_address_proto) { -#ifdef IPSEC_DEBUG - printf("key_parse: upper layer protocol mismatched.\n"); -#endif + ipseclog((LOG_DEBUG, "key_parse: upper layer protocol mismatched.\n")); pfkeystat.out_invaddr++; error = EINVAL; goto senderror; 
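Review bot: In the `@@ -7047,10 +6821,8 @@` hunk of key_parse, the new line `ipseclog((LOG_DEBUG, "key_parse: illegal satype=%u\n", msg->sadb_msg_type));` labels the printed value as a satype but passes `sadb_msg_type`; the enclosing cases (SADB_X_SPDSETIDX, SADB_X_SPDUPDATE, SADB_X_SPDDELETE2) are message types, so this path appears to be "this satype is not allowed for this message type", and the offending satype is never shown. Naming both avoids misleading triage: `"key_parse: satype %u is illegal for msg type=%u\n", msg->sadb_msg_satype, msg->sadb_msg_type`. The switch these cases belong to opens outside the hunk, so which satype leads here is inferred. key_parse's body starts and ends outside this hunk.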
@@ -7103,18 +6869,15 @@ key_parse(m, so) /* check family */ if (PFKEY_ADDR_SADDR(src0)->sa_family != PFKEY_ADDR_SADDR(dst0)->sa_family) { -#ifdef IPSEC_DEBUG - printf("key_parse: address family mismatched.\n"); -#endif + ipseclog((LOG_DEBUG, "key_parse: address family mismatched.\n")); pfkeystat.out_invaddr++; error = EINVAL; goto senderror; } if (PFKEY_ADDR_SADDR(src0)->sa_len != PFKEY_ADDR_SADDR(dst0)->sa_len) { -#ifdef IPSEC_DEBUG - printf("key_parse: address struct size mismatched.\n"); -#endif + ipseclog((LOG_DEBUG, + "key_parse: address struct size mismatched.\n")); pfkeystat.out_invaddr++; error = EINVAL; goto senderror; @@ -7138,9 +6901,8 @@ key_parse(m, so) } break; default: -#ifdef IPSEC_DEBUG - printf("key_parse: unsupported address family.\n"); -#endif + ipseclog((LOG_DEBUG, + "key_parse: unsupported address family.\n")); pfkeystat.out_invaddr++; error = EAFNOSUPPORT; goto senderror; @@ -7161,9 +6923,8 @@ key_parse(m, so) /* check max prefix length */ if (src0->sadb_address_prefixlen > plen || dst0->sadb_address_prefixlen > plen) { -#ifdef IPSEC_DEBUG - printf("key_parse: illegal prefixlen.\n"); -#endif + ipseclog((LOG_DEBUG, + "key_parse: illegal prefixlen.\n")); pfkeystat.out_invaddr++; error = EINVAL; goto senderror; @@ -7269,21 +7030,18 @@ key_align(m, mhp) * KEY_AUTH or KEY_ENCRYPT ? */ if (mhp->ext[ext->sadb_ext_type] != NULL) { -#ifdef IPSEC_DEBUG - printf("key_align: duplicate ext_type %u " - "is passed.\n", - ext->sadb_ext_type); -#endif + ipseclog((LOG_DEBUG, + "key_align: duplicate ext_type %u " + "is passed.\n", ext->sadb_ext_type)); m_freem(m); pfkeystat.out_dupext++; return EINVAL; } break; default: -#ifdef IPSEC_DEBUG - printf("key_align: invalid ext_type %u is passed.\n", - ext->sadb_ext_type); -#endif + ipseclog((LOG_DEBUG, + "key_align: invalid ext_type %u is passed.\n", + ext->sadb_ext_type)); m_freem(m); pfkeystat.out_invexttype++; return EINVAL; 
diff --git a/sys/netkey/key_debug.c b/sys/netkey/key_debug.c index 52a1b8d7d720..816d57dc98e7 100644 --- a/sys/netkey/key_debug.c +++ b/sys/netkey/key_debug.c @@ -59,8 +59,6 @@ #include #endif /* !_KERNEL */ -#if !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG)) - static void kdebug_sadb_prop __P((struct sadb_ext *)); static void kdebug_sadb_identity __P((struct sadb_ext *)); static void kdebug_sadb_supported __P((struct sadb_ext *)); @@ -747,5 +745,3 @@ ipsec_hexdump(buf, len) return; } - -#endif /* !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG)) */ diff --git a/sys/netkey/key_debug.h b/sys/netkey/key_debug.h index f75a5353692a..eaa9dd040143 100644 --- a/sys/netkey/key_debug.h +++ b/sys/netkey/key_debug.h @@ -1,5 +1,5 @@ /* $FreeBSD$ */ -/* $KAME: key_debug.h,v 1.7 2000/07/04 04:08:16 itojun Exp $ */ +/* $KAME: key_debug.h,v 1.10 2001/08/05 08:37:52 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -33,8 +33,7 @@ #ifndef _NETKEY_KEY_DEBUG_H_ #define _NETKEY_KEY_DEBUG_H_ -#if !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG)) - +#ifdef _KERNEL /* debug flags */ #define KEYDEBUG_STAMP 0x00000001 /* path */ #define KEYDEBUG_DATA 0x00000002 /* data */ @@ -54,9 +53,9 @@ #define KEYDEBUG_IPSEC_DATA (KEYDEBUG_IPSEC | KEYDEBUG_DATA) #define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP) -#define KEYDEBUG(lev,arg) if ((key_debug_level & (lev)) == (lev)) { arg; } +#define KEYDEBUG(lev,arg) \ + do { if ((key_debug_level & (lev)) == (lev)) { arg; } } while (0) -#ifdef _KERNEL extern u_int32_t key_debug_level; #endif /*_KERNEL*/ @@ -86,10 +85,4 @@ extern void kdebug_sockaddr __P((struct sockaddr *)); extern void ipsec_hexdump __P((caddr_t, int)); extern void ipsec_bindump __P((caddr_t, int)); -#else - -#define KEYDEBUG(lev,arg) - -#endif /*!defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG))*/ - #endif /* _NETKEY_KEY_DEBUG_H_ */ 
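Review bot: In the key_debug.h hunk `@@ -33,8 +33,7 @@`, the `KEYDEBUG` macro and the KEYDEBUG_* flag constants move under `#ifdef _KERNEL` together with the extern for key_debug_level, and the `@@ -86,10 +85,4 @@` hunk deletes the `#else` branch that used to provide an empty `KEYDEBUG(lev,arg)`, so a userland build of key_debug.c or any other non-kernel includer of this header now gets no KEYDEBUG definition at all, where before the `!defined(_KERNEL)` branch supplied the real one. If no userland consumer uses the macro this is harmless, but the diff cannot show that; either keep `#define KEYDEBUG(lev,arg)` as an empty definition in an `#else` branch, or add `/* KEYDEBUG and key_debug_level are kernel-only; userland gets only the kdebug_* prototypes below */` above the `#ifdef _KERNEL`. The do/while(0) rewrite of the macro itself is a welcome fix for the dangling-else hazard of the old form.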
diff --git a/sys/netkey/key_var.h b/sys/netkey/key_var.h index 4043a0385c49..3bd65f93b525 100644 --- a/sys/netkey/key_var.h +++ b/sys/netkey/key_var.h @@ -1,5 +1,5 @@ /* $FreeBSD$ */ -/* $KAME: key_var.h,v 1.9 2000/10/04 11:13:57 itojun Exp $ */ +/* $KAME: key_var.h,v 1.10 2001/07/27 04:14:12 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -58,39 +58,10 @@ { "blockacq_count", CTLTYPE_INT }, \ { "blockacq_lifetime", CTLTYPE_INT }, \ { "esp_keymin", CTLTYPE_INT }, \ + { "esp_auth", CTLTYPE_INT }, \ { "ah_keymin", CTLTYPE_INT }, \ } -#ifdef IPSEC_DEBUG -#define KEYCTL_VARS { \ - 0, \ - &key_debug_level, \ - &key_spi_trycnt, \ - &key_spi_minval, \ - &key_spi_maxval, \ - &key_int_random, \ - &key_larval_lifetime, \ - &key_blockacq_count, \ - &key_blockacq_lifetime, \ - &ipsec_esp_keymin, \ - &ipsec_ah_keymin, \ -} -#else -#define KEYCTL_VARS { \ - 0, \ - 0, \ - &key_spi_trycnt, \ - &key_spi_minval, \ - &key_spi_maxval, \ - &key_int_random, \ - &key_larval_lifetime, \ - &key_blockacq_count, \ - &key_blockacq_lifetime, \ - &ipsec_esp_keymin, \ - &ipsec_ah_keymin, \ -} -#endif - #ifdef _KERNEL #define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0])) #define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3)) diff --git a/sys/netkey/keysock.c b/sys/netkey/keysock.c index 76f64820d0e7..db074bebe5a9 100644 --- a/sys/netkey/keysock.c +++ b/sys/netkey/keysock.c @@ -1,5 +1,5 @@ /* $FreeBSD$ */ -/* $KAME: keysock.c,v 1.24 2000/12/03 00:41:48 itojun Exp $ */ +/* $KAME: keysock.c,v 1.25 2001/08/13 20:07:41 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -97,9 +97,6 @@ key_output(m, va_alist) len = m->m_pkthdr.len; if (len < sizeof(struct sadb_msg)) { -#ifdef IPSEC_DEBUG - printf("key_output: Invalid message length.\n"); -#endif pfkeystat.out_tooshort++; error = EINVAL; goto end; 
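Review bot: In the key_var.h hunk `@@ -58,39 +58,10 @@`, `{ "esp_auth", CTLTYPE_INT }` is inserted into KEYCTL_NAMES between esp_keymin and ah_keymin; following the CTL_NAMES convention that table is positional, indexed by the KEYCTL_* values, so this is only correct if KEYCTL_ESP_AUTH was given the slot right after KEYCTL_ESP_KEYMIN and KEYCTL_AH_KEYMIN plus KEYCTL_MAXID were renumbered to match. Those defines are not part of this diff, so the consistency is taken on trust; a comment above the table, `/* order must match the KEYCTL_* numbering above */`, would make the coupling obvious to the next person adding a sysctl. Removing the KEYCTL_VARS table outright is a larger interface change than the rest of the commit and would merit a sentence in the commit message if anything outside sys/netkey referenced it.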
@@ -107,9 +104,6 @@ key_output(m, va_alist) if (m->m_len < sizeof(struct sadb_msg)) { if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) { -#ifdef IPSEC_DEBUG - printf("key_output: can't pullup mbuf\n"); -#endif pfkeystat.out_nomem++; error = ENOBUFS; goto end; @@ -119,16 +113,11 @@ key_output(m, va_alist) if ((m->m_flags & M_PKTHDR) == 0) panic("key_output: not M_PKTHDR ??"); -#ifdef IPSEC_DEBUG KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m)); -#endif msg = mtod(m, struct sadb_msg *); pfkeystat.out_msgtype[msg->sadb_msg_type]++; if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) { -#ifdef IPSEC_DEBUG - printf("key_output: Invalid message length.\n"); -#endif pfkeystat.out_invlen++; error = EINVAL; goto end; @@ -163,9 +152,6 @@ key_sendup0(rp, m, promisc) if (m && m->m_len < sizeof(struct sadb_msg)) m = m_pullup(m, sizeof(struct sadb_msg)); if (!m) { -#ifdef IPSEC_DEBUG - printf("key_sendup0: cannot pullup\n"); -#endif pfkeystat.in_nomem++; m_freem(m); return ENOBUFS; @@ -184,9 +170,6 @@ key_sendup0(rp, m, promisc) if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src, m, NULL)) { -#ifdef IPSEC_DEBUG - printf("key_sendup0: sbappendaddr failed\n"); -#endif pfkeystat.in_nomem++; m_freem(m); error = ENOBUFS; @@ -366,9 +349,6 @@ key_sendup_mbuf(so, m, target) continue; if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) { -#ifdef IPSEC_DEBUG - printf("key_sendup: m_copy fail\n"); -#endif m_freem(m); pfkeystat.in_nomem++; return ENOBUFS; @@ -438,7 +418,6 @@ key_attach(struct socket *so, int proto, struct thread *td) free(kp, M_PCB); so->so_pcb = (caddr_t) 0; splx(s); - printf("key_usrreq: key_usrreq results %d\n", error); return error; }
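Review bot: In the `@@ -119,16 +113,11 @@` hunk of key_output, `KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));` is now compiled into every kernel instead of only IPSEC_DEBUG builds, gated solely by the runtime key_debug_level. The mbuf dumped here is the complete PF_KEY message just written by the user process, which for SADB_ADD and SADB_UPDATE carries the SA's authentication and encryption key extensions, so if kdebug_mbuf prints payload bytes (its body is not in this diff) enabling KEYDEBUG_KEY_DUMP writes live key material to the console and kernel log. That may be an acceptable trade-off for a debugging sysctl, but it should be stated next to the call: `/* NOTE: KEYDEBUG_KEY_DUMP prints the raw PF_KEY message, including SA key material */`. key_output's body starts and ends outside this hunk.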
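Review bot: In the `@@ -163,9 +152,6 @@` hunk of key_sendup0, the error path `if (!m) { pfkeystat.in_nomem++; m_freem(m); return ENOBUFS; }` calls m_freem on a pointer it has just tested to be NULL, so the call is a no-op; a failed m_pullup releases the original chain itself, so nothing is leaked either. Dropping that line and leaving `pfkeystat.in_nomem++; return ENOBUFS;` removes a statement that reads as if something were being freed. The preceding `if (m && m->m_len < ...)` guard also means an m that is NULL on entry is counted as in_nomem, which would be a misleading statistic if callers can pass NULL, though whether they can is not visible here. key_sendup0's body starts and ends outside this hunk.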