Not sure it's worth the effort, but these printfs are sometimes useful. Anyone's willing to OK?
diff --git sys/netinet/ip_ah.c sys/netinet/ip_ah.c index f66ea31..d1e270c 100644 --- sys/netinet/ip_ah.c +++ sys/netinet/ip_ah.c @@ -531,10 +531,13 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) struct tdb_crypto *tc; struct m_tag *mtag; u_int32_t btsx, esn; u_int8_t hl; int rplen; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif struct cryptodesc *crda = NULL; struct cryptop *crp; rplen = AH_FLENGTH + sizeof(u_int32_t); @@ -553,43 +556,45 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) case 0: /* All's well. */ break; case 1: m_freem(m); DPRINTF(("ah_input(): replay counter wrapped for " - "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); ahstat.ahs_wrap++; return ENOBUFS; case 2: m_freem(m); DPRINTF(("ah_input(): old packet received in " - "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); ahstat.ahs_replay++; return ENOBUFS; case 3: m_freem(m); DPRINTF(("ah_input(): duplicate packet received in " - "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); ahstat.ahs_replay++; return ENOBUFS; default: m_freem(m); DPRINTF(("ah_input(): bogus value from " "checkreplaywindow() in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); ahstat.ahs_replay++; return ENOBUFS; } } /* Verify AH header length. */ if (hl * sizeof(u_int32_t) != ahx->authsize + rplen - AH_FLENGTH) { - DPRINTF(("ah_input(): bad authenticator length %d for packet " + DPRINTF(("ah_input(): bad authenticator length %ld for packet " "in SA %s/%08x\n", hl * sizeof(u_int32_t), - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); ahstat.ahs_badauthl++; m_freem(m); return EACCES; } @@ -736,10 +741,13 @@ ah_input_cb(void *op) struct m_tag *mtag; struct tdb *tdb; u_int32_t btsx, esn; u_int8_t prot; caddr_t ptr; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif crp = (struct cryptop *) op; tc = (struct tdb_crypto *) crp->crp_opaque; skip = tc->tc_skip; @@ -805,11 +813,12 @@ ah_input_cb(void *op) if (timingsafe_bcmp(ptr + skip + rplen, calc, ahx->authsize)) { free(tc, M_XDATA, 0); DPRINTF(("ah_input(): authentication failed for " "packet in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); ahstat.ahs_badauth++; error = EACCES; goto baddone; } @@ -839,33 +848,34 @@ ah_input_cb(void *op) pfsync_update_tdb(tdb,0); #endif break; case 1: DPRINTF(("ah_input(): replay counter wrapped for " - "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); ahstat.ahs_wrap++; error = ENOBUFS; goto baddone; case 2: DPRINTF(("ah_input_cb(): old packet received in " - "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); ahstat.ahs_replay++; error = ENOBUFS; goto baddone; case 3: DPRINTF(("ah_input_cb(): duplicate packet received in " - "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); ahstat.ahs_replay++; error = ENOBUFS; goto baddone; default: DPRINTF(("ah_input_cb(): bogus value from " "checkreplaywindow() in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); ahstat.ahs_replay++; error = ENOBUFS; goto baddone; } } @@ -876,11 +886,11 @@ ah_input_cb(void *op) ahstat.ahs_hdrops++; splx(s); m_freem(m); DPRINTF(("ah_input(): bad mbuf chain for packet in SA " - "%s/%08x\n", ipsp_address(tdb->tdb_dst), + "%s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); return EINVAL; } @@ -974,10 +984,13 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, int len, rplen; u_int8_t prot; struct ah *ah; #if NBPFILTER > 0 struct ifnet *encif; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) != NULL) { encif->if_opackets++; encif->if_obytes += m->m_pkthdr.len; @@ -1002,11 +1015,12 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, * Check for replay counter wrap-around in automatic (not * manual) keying. */ if ((tdb->tdb_rpl == 0) && (tdb->tdb_wnd > 0)) { DPRINTF(("ah_output(): SA %s/%08x should have expired\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_wrap++; return EINVAL; } @@ -1016,11 +1030,12 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, case AF_INET: /* Check for IP maximum packet size violations. */ if (rplen + ahx->authsize + m->m_pkthdr.len > IP_MAXPACKET) { DPRINTF(("ah_output(): packet in SA %s/%08x got too " "big\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_toobig++; return EMSGSIZE; } break; @@ -1028,23 +1043,24 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, #ifdef INET6 case AF_INET6: /* Check for IPv6 maximum packet size violations. */ if (rplen + ahx->authsize + m->m_pkthdr.len > IPV6_MAXPACKET) { DPRINTF(("ah_output(): packet in SA %s/%08x " - "got too big\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "got too big\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_toobig++; return EMSGSIZE; } break; #endif /* INET6 */ default: DPRINTF(("ah_output(): unknown/unsupported protocol " "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family, - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_nopf++; return EPFNOSUPPORT; } @@ -1099,11 +1115,11 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, /* Inject AH header. */ mi = m_inject(m, skip, rplen + ahx->authsize, M_DONTWAIT); if (mi == NULL) { DPRINTF(("ah_output(): failed to inject AH header for SA " - "%s/%08x\n", ipsp_address(tdb->tdb_dst), + "%s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_hdrops++; return ENOBUFS; diff --git sys/netinet/ip_esp.c sys/netinet/ip_esp.c index 69a2303..a859a43 100644 --- sys/netinet/ip_esp.c +++ sys/netinet/ip_esp.c @@ -142,21 +142,26 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) case SADB_X_EALG_CAST: txform = &enc_xform_cast5; break; default: - DPRINTF(("esp_init(): unsupported encryption algorithm %d specified\n", ii->ii_encalg)); + DPRINTF(("esp_init(): unsupported encryption " + "algorithm %d specified\n", ii->ii_encalg)); return EINVAL; } if (ii->ii_enckeylen < txform->minkey) { - DPRINTF(("esp_init(): keylength %d too small (min length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->minkey, txform->name)); + DPRINTF(("esp_init(): keylength %d too small " + "(min length is %d) for algorithm %s\n", + ii->ii_enckeylen, txform->minkey, txform->name)); return EINVAL; } if (ii->ii_enckeylen > txform->maxkey) { - DPRINTF(("esp_init(): keylength %d too large (max length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->maxkey, txform->name)); + DPRINTF(("esp_init(): keylength %d too large " + "(max length is %d) for algorithm %s\n", + ii->ii_enckeylen, txform->maxkey, txform->name)); return EINVAL; } if (ii->ii_encalg == SADB_X_EALG_AESGCM16 || ii->ii_encalg == SADB_X_EALG_AESGMAC) { @@ -220,16 +225,19 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii) case SADB_X_AALG_AES256GMAC: thash = &auth_hash_gmac_aes_256; break; default: - DPRINTF(("esp_init(): unsupported authentication algorithm %d specified\n", ii->ii_authalg)); + DPRINTF(("esp_init(): unsupported authentication " + "algorithm %d specified\n", ii->ii_authalg)); return EINVAL; } if (ii->ii_authkeylen != thash->keysize) { - DPRINTF(("esp_init(): keylength %d doesn't match algorithm %s keysize (%d)\n", ii->ii_authkeylen, thash->name, thash->keysize)); + DPRINTF(("esp_init(): keylength %d doesn't match " + "algorithm %s keysize (%d)\n", ii->ii_authkeylen, + thash->name, thash->keysize)); return EINVAL; } tdbp->tdb_authalgxform = thash; @@ -326,10 +334,13 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) struct cryptop *crp; struct tdb_crypto *tc; int plen, alen, hlen; struct m_tag *mtag; u_int32_t btsx, esn; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif /* Determine the ESP header length */ hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */ alen = esph ? esph->authsize : 0; plen = m->m_pkthdr.len - (skip + hlen + alen); @@ -344,11 +355,14 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) /* * Verify payload length is multiple of encryption algorithm * block size. */ if (plen & (espx->blocksize - 1)) { - DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input(): payload of %d octets " + "not a multiple of %d octets, SA %s/%08x\n", + plen, espx->blocksize, ipsp_address(&tdb->tdb_dst, + buf, sizeof(buf)), ntohl(tdb->tdb_spi))); espstat.esps_badilen++; m_freem(m); return EINVAL; } } @@ -364,32 +378,36 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) break; case 1: m_freem(m); DPRINTF(("esp_input(): replay counter wrapped" " for SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_wrap++; return EACCES; case 2: m_freem(m); DPRINTF(("esp_input(): old packet received" " in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_replay++; return EACCES; case 3: m_freem(m); DPRINTF(("esp_input(): duplicate packet received" " in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_replay++; return EACCES; default: m_freem(m); DPRINTF(("esp_input(): bogus value from" " checkreplaywindow() in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_replay++; return EACCES; } } @@ -477,11 +495,12 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) else crda->crd_len = m->m_pkthdr.len - (skip + alen); /* Copy the authenticator */ if (mtag == NULL) - m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t) (tc + 1)); + m_copydata(m, m->m_pkthdr.len - alen, alen, + (caddr_t)(tc + 1)); } else crde = crp->crp_desc; /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ @@ -534,10 +553,13 @@ esp_input_cb(void *op) struct cryptop *crp; struct m_tag *mtag; struct tdb *tdb; u_int32_t btsx, esn; caddr_t ptr; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif crp = (struct cryptop *) op; tc = (struct tdb_crypto *) crp->crp_opaque; skip = tc->tc_skip; @@ -584,12 +606,12 @@ esp_input_cb(void *op) } /* If authentication was performed, check now. */ if (esph != NULL) { /* - * If we have a tag, it means an IPsec-aware NIC did the verification - * for us. + * If we have a tag, it means an IPsec-aware NIC did the + * verification for us. */ if (mtag == NULL) { /* Copy the authenticator from the packet */ m_copydata(m, m->m_pkthdr.len - esph->authsize, esph->authsize, aalg); @@ -597,11 +619,14 @@ esp_input_cb(void *op) ptr = (caddr_t) (tc + 1); /* Verify authenticator */ if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { free(tc, M_XDATA, 0); - DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input_cb(): authentication " + "failed for packet in SA %s/%08x\n", + ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); espstat.esps_badauth++; error = EACCES; goto baddone; } } @@ -625,32 +650,36 @@ esp_input_cb(void *op) break; case 1: DPRINTF(("esp_input_cb(): replay counter wrapped" " for SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_wrap++; error = EACCES; goto baddone; case 2: DPRINTF(("esp_input_cb(): old packet received" " in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_replay++; error = EACCES; goto baddone; case 3: DPRINTF(("esp_input_cb(): duplicate packet received" " in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_replay++; error = EACCES; goto baddone; default: DPRINTF(("esp_input_cb(): bogus value from" " checkreplaywindow() in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_replay++; error = EACCES; goto baddone; } } @@ -665,11 +694,12 @@ esp_input_cb(void *op) m1 = m_getptr(m, skip, &roff); if (m1 == NULL) { espstat.esps_hdrops++; splx(s); DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); m_freem(m); return EINVAL; } /* Remove the ESP header and IV from the mbuf. */ @@ -686,11 +716,11 @@ esp_input_cb(void *op) */ if (roff + hlen > m1->m_len) { /* Adjust the next mbuf by the remainder */ m_adj(m1->m_next, roff + hlen - m1->m_len); - /* The second mbuf is guaranteed not to have a pkthdr... */ + /* The second mbuf is guaranteed not to have a pkthdr */ m->m_pkthdr.len -= (roff + hlen - m1->m_len); } /* Now, let's unlink the mbuf chain for a second...*/ mo = m1->m_next; @@ -720,20 +750,25 @@ esp_input_cb(void *op) /* Verify pad length */ if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { espstat.esps_badilen++; splx(s); - DPRINTF(("esp_input_cb(): invalid padding length %d for packet in SA %s/%08x\n", lastthree[1], ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input_cb(): invalid padding length %d for " + "packet in SA %s/%08x\n", lastthree[1], + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); m_freem(m); return EINVAL; } /* Verify correct decryption by checking the last padding bytes */ if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) { espstat.esps_badenc++; splx(s); - DPRINTF(("esp_input(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("esp_input(): decryption failed for packet in " + "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); return EINVAL; } /* Trim the mbuf chain to remove the trailing authenticator and padding */ @@ -771,11 +806,13 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, u_int32_t replay; struct mbuf *mi, *mo = (struct mbuf *) NULL; struct tdb_crypto *tc; unsigned char *pad; u_int8_t prot; - +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif struct cryptodesc *crde = NULL, *crda = NULL; struct cryptop *crp; #if NBPFILTER > 0 struct ifnet *encif; @@ -817,11 +854,12 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, switch (tdb->tdb_dst.sa.sa_family) { case AF_INET: /* Check for IP maximum packet size violations. */ if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) { DPRINTF(("esp_output(): packet in SA %s/%08x got " - "too big\n", ipsp_address(tdb->tdb_dst), + "too big\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); espstat.esps_toobig++; return EMSGSIZE; } @@ -830,23 +868,24 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, #ifdef INET6 case AF_INET6: /* Check for IPv6 maximum packet size violations. */ if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) { DPRINTF(("esp_output(): packet in SA %s/%08x got too " - "big\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "big\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); espstat.esps_toobig++; return EMSGSIZE; } break; #endif /* INET6 */ default: DPRINTF(("esp_output(): unknown/unsupported protocol " - "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family - , ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family, + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); m_freem(m); espstat.esps_nopf++; return EPFNOSUPPORT; } @@ -885,11 +924,12 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, /* Replace the rest of the mbuf chain. */ struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT); if (n == NULL) { DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); espstat.esps_hdrops++; m_freem(m); return ENOBUFS; } @@ -903,12 +943,12 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, /* Inject ESP header. */ mo = m_inject(m, skip, hlen, M_DONTWAIT); if (mo == NULL) { DPRINTF(("esp_output(): failed to inject ESP header for " - "SA %s/%08x\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi))); + "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); espstat.esps_hdrops++; return ENOBUFS; } @@ -928,11 +968,12 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, * although if/when we support compression, we'd have to do that. */ mo = m_inject(m, m->m_pkthdr.len, padding + alen, M_DONTWAIT); if (mo == NULL) { DPRINTF(("esp_output(): m_inject failed for SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); m_freem(m); return ENOBUFS; } pad = mtod(mo, u_char *); diff --git sys/netinet/ip_ipcomp.c sys/netinet/ip_ipcomp.c index e9680c1..a2f3e26 100644 --- sys/netinet/ip_ipcomp.c +++ sys/netinet/ip_ipcomp.c @@ -209,10 +209,13 @@ ipcomp_input_cb(op) struct tdb_crypto *tc; struct cryptop *crp; struct tdb *tdb; struct ipcomp *ipcomp; caddr_t addr; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif crp = (struct cryptop *) op; tc = (struct tdb_crypto *) crp->crp_opaque; skip = tc->tc_skip; @@ -291,11 +294,12 @@ ipcomp_input_cb(op) /* Find the beginning of the IPCOMP header */ m1 = m_getptr(m, skip, &roff); if (m1 == NULL) { ipcompstat.ipcomps_hdrops++; DPRINTF(("ipcomp_input_cb(): bad mbuf chain, IPCA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); error = EINVAL; goto baddone; } /* Keep the next protocol field */ addr = (caddr_t) mtod(m, struct ip *) + skip; @@ -375,10 +379,13 @@ ipcomp_output(m, tdb, mp, skip, protoff) int hlen; struct cryptodesc *crdc = NULL; struct cryptop *crp; struct tdb_crypto *tc; struct mbuf *mi, *mo; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif #if NBPFILTER > 0 struct ifnet *encif; if ((encif = enc_getif(0, tdb->tdb_tap)) != NULL) { encif->if_opackets++; @@ -407,33 +414,36 @@ ipcomp_output(m, tdb, mp, skip, protoff) /* * Since compression is going to reduce the size, no need to * worry */ if (m->m_pkthdr.len + hlen > IP_MAXPACKET) { - DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x got too big\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x " + "got too big\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); ipcompstat.ipcomps_toobig++; return EMSGSIZE; } break; #ifdef INET6 case AF_INET6: /* Check for IPv6 maximum packet size violations */ if (m->m_pkthdr.len + hlen > IPV6_MAXPACKET) { - DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x got too big\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x " + "got too big\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); ipcompstat.ipcomps_toobig++; return EMSGSIZE; } #endif /* INET6 */ default: - DPRINTF(("ipcomp_output(): unknown/unsupported protocol family %d, IPCA %s/%08x\n", - tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst), + DPRINTF(("ipcomp_output(): unknown/unsupported protocol " + "family %d, IPCA %s/%08x\n", tdb->tdb_dst.sa.sa_family, + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); m_freem(m); ipcompstat.ipcomps_nopf++; return EPFNOSUPPORT; } @@ -472,11 +482,12 @@ ipcomp_output(m, tdb, mp, skip, protoff) /* Replace the rest of the mbuf chain. */ struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT); if (n == NULL) { DPRINTF(("ipcomp_output(): bad mbuf chain, IPCA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); ipcompstat.ipcomps_hdrops++; m_freem(m); return ENOBUFS; } if (mo != NULL) @@ -550,10 +561,13 @@ ipcomp_output_cb(cp) struct ip *ip; #ifdef INET6 struct ip6_hdr *ip6; #endif struct ipcomp *ipcomp; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif tc = (struct tdb_crypto *) crp->crp_opaque; skip = tc->tc_skip; rlen = crp->crp_ilen - skip; @@ -608,12 +622,12 @@ ipcomp_output_cb(cp) /* Inject IPCOMP header */ mo = m_inject(m, skip, IPCOMP_HLENGTH, M_DONTWAIT); if (mo == NULL) { DPRINTF(("ipcomp_output_cb(): failed to inject IPCOMP header " - "for IPCA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + "for IPCA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi))); ipcompstat.ipcomps_wrap++; error = ENOBUFS; goto baddone; } @@ -637,12 +651,12 @@ ipcomp_output_cb(cp) ip6->ip6_nxt = IPPROTO_IPCOMP; break; #endif default: DPRINTF(("ipcomp_output_cb(): unsupported protocol family %d, " - "IPCA %s/%08x\n", - tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst), + "IPCA %s/%08x\n", tdb->tdb_dst.sa.sa_family, + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), ntohl(tdb->tdb_spi))); ipcompstat.ipcomps_nopf++; error = EPFNOSUPPORT; goto baddone; break; diff --git sys/netinet/ip_ipip.c sys/netinet/ip_ipip.c index 4128e3d..db0e3f6 100644 --- sys/netinet/ip_ipip.c +++ sys/netinet/ip_ipip.c @@ -389,10 +389,13 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy, struct ip *ipo; #ifdef INET6 struct ip6_hdr *ip6, *ip6o; #endif /* INET6 */ +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif /* XXX Deal with empty TDB source/destination addresses. */ m_copydata(m, 0, 1, &tp); tp = (tp >> 4) & 0xff; /* Get the IP version number. */ @@ -403,11 +406,12 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy, tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY || tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) { DPRINTF(("ipip_output(): unspecified tunnel endpoind " "address in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); ipipstat.ipips_unspec++; m_freem(m); *mp = NULL; return EINVAL; @@ -488,11 +492,12 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy, tdb->tdb_src.sa.sa_family != AF_INET6 || IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) { DPRINTF(("ipip_output(): unspecified tunnel endpoind " "address in SA %s/%08x\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi))); ipipstat.ipips_unspec++; m_freem(m); *mp = NULL; return ENOBUFS; diff --git sys/netinet/ip_ipsp.c sys/netinet/ip_ipsp.c index 0c93cf6..7efc946 100644 --- sys/netinet/ip_ipsp.c +++ sys/netinet/ip_ipsp.c @@ -876,21 +876,24 @@ tdb_free(struct tdb *tdbp) int tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) { struct xformsw *xsp; int err; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { if (xsp->xf_type == alg) { err = (*(xsp->xf_init))(tdbp, xsp, ii); return err; } } DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n", - alg, ntohl(tdbp->tdb_spi), ipsp_address(tdbp->tdb_dst), - tdbp->tdb_sproto)); + alg, ntohl(tdbp->tdb_spi), ipsp_address(&tdbp->tdb_dst, buf, + sizeof(buf)), tdbp->tdb_sproto)); return EINVAL; } /* @@ -956,28 +959,21 @@ tdb_add_inp(struct tdb *tdb, struct inpcb *inp, int inout) } #ifdef ENCDEBUG /* Return a printable string for the address. */ const char * -ipsp_address(union sockaddr_union sa) +ipsp_address(union sockaddr_union *sa, char *buf, socklen_t size) { - static char ipspbuf[4][INET6_ADDRSTRLEN]; - static int ipspround = 0; - char *buf; - - ipspround = (ipspround + 1) % 4; - buf = ipspbuf[ipspround]; - - switch (sa.sa.sa_family) { + switch (sa->sa.sa_family) { case AF_INET: - return inet_ntop(AF_INET, &sa.sin.sin_addr, - buf, INET_ADDRSTRLEN); + return inet_ntop(AF_INET, &sa->sin.sin_addr, + buf, (size_t)size); #ifdef INET6 case AF_INET6: - return inet_ntop(AF_INET6, &sa.sin6.sin6_addr, - buf, INET6_ADDRSTRLEN); + return inet_ntop(AF_INET6, &sa->sin6.sin6_addr, + buf, (size_t)size); #endif /* INET6 */ default: return "(unknown address family)"; } diff --git sys/netinet/ip_ipsp.h sys/netinet/ip_ipsp.h index f436e49..19b4b23 100644 --- sys/netinet/ip_ipsp.h +++ sys/netinet/ip_ipsp.h @@ -494,11 +494,11 @@ do { \ } while (/* CONSTCOND */ 0) /* Misc. */ uint8_t get_sa_require(struct inpcb *); #ifdef ENCDEBUG -const char *ipsp_address(union sockaddr_union); +const char *ipsp_address(union sockaddr_union *, char *, socklen_t); #endif /* ENCDEBUG */ /* TDB management routines */ void tdb_add_inp(struct tdb *, struct inpcb *, int); uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *, diff --git sys/netinet/ipsec_input.c sys/netinet/ipsec_input.c index 498c940..89b27c8 100644 --- sys/netinet/ipsec_input.c +++ sys/netinet/ipsec_input.c @@ -123,10 +123,13 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, struct tdb *tdbp; struct ifnet *encif; u_int32_t spi; u_int16_t cpi; int s, error; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif IPSEC_ISTAT(espstat.esps_input, ahstat.ahs_input, ipcompstat.ipcomps_input); if (m == 0) { @@ -230,37 +233,43 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, spi, &dst_address, sproto); if (tdbp == NULL) { splx(s); DPRINTF(("ipsec_common_input(): could not find SA for " "packet to %s, spi %08x\n", - ipsp_address(dst_address), ntohl(spi))); + ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi))); m_freem(m); IPSEC_ISTAT(espstat.esps_notdb, ahstat.ahs_notdb, ipcompstat.ipcomps_notdb); return ENOENT; } if (tdbp->tdb_flags & TDBF_INVALID) { splx(s); - DPRINTF(("ipsec_common_input(): attempted to use invalid SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto)); + DPRINTF(("ipsec_common_input(): attempted to use invalid " + "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf, + sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); IPSEC_ISTAT(espstat.esps_invalid, ahstat.ahs_invalid, ipcompstat.ipcomps_invalid); return EINVAL; } if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { splx(s); - DPRINTF(("ipsec_common_input(): attempted to use non-udpencap SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto)); + DPRINTF(("ipsec_common_input(): attempted to use non-udpencap " + "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf, + sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); espstat.esps_udpinval++; return EINVAL; } if (tdbp->tdb_xform == NULL) { splx(s); - DPRINTF(("ipsec_common_input(): attempted to use uninitialized SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto)); + DPRINTF(("ipsec_common_input(): attempted to use uninitialized " + "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf, + sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); IPSEC_ISTAT(espstat.esps_noxform, ahstat.ahs_noxform, ipcompstat.ipcomps_noxform); return ENXIO; } @@ -269,12 +278,12 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, if ((encif = enc_getif(tdbp->tdb_rdomain, tdbp->tdb_tap)) == NULL) { splx(s); DPRINTF(("ipsec_common_input(): " "no enc%u interface for SA %s/%08x/%u\n", - tdbp->tdb_tap, ipsp_address(dst_address), - ntohl(spi), tdbp->tdb_sproto)); + tdbp->tdb_tap, ipsp_address(&dst_address, buf, + sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); m_freem(m); IPSEC_ISTAT(espstat.esps_pdrops, ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); @@ -330,10 +339,14 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, struct ip6_hdr *ip6, ip6n; #endif /* INET6 */ struct m_tag *mtag; struct tdb_ident *tdbi; +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif + af = tdbp->tdb_dst.sa.sa_family; sproto = tdbp->tdb_sproto; tdbp->tdb_last_used = time_second; @@ -347,12 +360,12 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, /* Fix IPv4 header */ if (af == AF_INET) { if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) { DPRINTF(("ipsec_common_input_cb(): processing failed " - "for SA %s/%08x\n", ipsp_address(tdbp->tdb_dst), - ntohl(tdbp->tdb_spi))); + "for SA %s/%08x\n", ipsp_address(&tdbp->tdb_dst, + buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); return ENOBUFS; } @@ -399,12 +412,12 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, { if (m->m_len < sizeof(struct ip6_hdr) && (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { DPRINTF(("ipsec_common_input_cb(): processing failed " - "for SA %s/%08x\n", ipsp_address(tdbp->tdb_dst), - ntohl(tdbp->tdb_spi))); + "for SA %s/%08x\n", ipsp_address(&tdbp->tdb_dst, + buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); return EACCES; } @@ -854,11 +867,11 @@ ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, /* Store adjusted MTU in tdb */ tdbp->tdb_mtu = mtu; tdbp->tdb_mtutimeout = time_second + ip_mtudisc_timeout; DPRINTF(("ipsec_common_ctlinput: " - "spi %08x mtu %d adjust %d\n", + "spi %08x mtu %d adjust %ld\n", ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust)); } splx(s); return (NULL); @@ -913,11 +926,11 @@ udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) /* Store adjusted MTU in tdb */ tdbp->tdb_mtu = mtu - adjust; tdbp->tdb_mtutimeout = time_second + ip_mtudisc_timeout; DPRINTF(("udpencap_ctlinput: " - "spi %08x mtu %d adjust %d\n", + "spi %08x mtu %d adjust %ld\n", ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust)); } } } diff --git sys/netinet/ipsec_output.c sys/netinet/ipsec_output.c index 95717a3..40de7c1 100644 --- sys/netinet/ipsec_output.c +++ sys/netinet/ipsec_output.c @@ -78,10 +78,14 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready) struct ip *ip; #ifdef INET6 struct ip6_hdr *ip6; #endif /* INET6 */ +#ifdef ENCDEBUG + char buf[INET6_ADDRSTRLEN]; +#endif + /* Check that the transform is allowed by the administrator. */ if ((tdb->tdb_sproto == IPPROTO_ESP && !esp_enable) || (tdb->tdb_sproto == IPPROTO_AH && !ah_enable) || (tdb->tdb_sproto == IPPROTO_IPCOMP && !ipcomp_enable)) { DPRINTF(("ipsp_process_packet(): IPsec outbound packet " @@ -98,12 +102,12 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready) } /* Check if the SPI is invalid. */ if (tdb->tdb_flags & TDBF_INVALID) { DPRINTF(("ipsp_process_packet(): attempt to use invalid " - "SA %s/%08x/%u\n", ipsp_address(tdb->tdb_dst), - ntohl(tdb->tdb_spi), tdb->tdb_sproto)); + "SA %s/%08x/%u\n", ipsp_address(&tdb->tdb_dst, buf, + sizeof(buf)), ntohl(tdb->tdb_spi), tdb->tdb_sproto)); m_freem(m); return ENXIO; } /* Check that the network protocol is supported */ @@ -117,12 +121,13 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready) #endif /* INET6 */ default: DPRINTF(("ipsp_process_packet(): attempt to use " "SA %s/%08x/%u for protocol family %d\n", - ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi), - tdb->tdb_sproto, tdb->tdb_dst.sa.sa_family)); + ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), + ntohl(tdb->tdb_spi), tdb->tdb_sproto, + tdb->tdb_dst.sa.sa_family)); m_freem(m); return ENXIO; } /* @@ -574,11 +579,11 @@ ipsec_adjust_mtu(struct mbuf *m, u_int32_t mtu) mtu -= adjust; tdbp->tdb_mtu = mtu; tdbp->tdb_mtutimeout = time_second + ip_mtudisc_timeout; DPRINTF(("ipsec_adjust_mtu: " - "spi %08x mtu %d adjust %d mbuf %p\n", + "spi %08x mtu %d adjust %ld mbuf %p\n", ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust, m)); } splx(s);