authormikeb <mikeb@openbsd.org>2015-04-14 14:20:01 +0000
committermikeb <mikeb@openbsd.org>2015-04-14 14:20:01 +0000
commit3514aacb12cd53d08a534cba9ff3e1d3c10a51ed (patch)
tree2df5a3e7c035a4f14f1383b3e55cfa7f646f1dad
parentip6_sprintf is long gone; noticed by blambert (diff)
make ipsp_address thread safe; ok mpi
-rw-r--r--sys/netinet/ip_ah.c66
-rw-r--r--sys/netinet/ip_esp.c107
-rw-r--r--sys/netinet/ip_ipcomp.c40
-rw-r--r--sys/netinet/ip_ipip.c11
-rw-r--r--sys/netinet/ip_ipsp.c28
-rw-r--r--sys/netinet/ip_ipsp.h4
-rw-r--r--sys/netinet/ipsec_input.c39
-rw-r--r--sys/netinet/ipsec_output.c17
8 files changed, 201 insertions, 111 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index f66ea31c495..64d6ee09832 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.114 2014/12/28 10:02:37 tedu Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.115 2015/04/14 14:20:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -533,6 +533,9 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
u_int32_t btsx, esn;
u_int8_t hl;
int rplen;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
struct cryptodesc *crda = NULL;
struct cryptop *crp;
@@ -555,29 +558,30 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
case 1:
m_freem(m);
DPRINTF(("ah_input(): replay counter wrapped for "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_wrap++;
return ENOBUFS;
case 2:
m_freem(m);
DPRINTF(("ah_input(): old packet received in "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
return ENOBUFS;
case 3:
m_freem(m);
DPRINTF(("ah_input(): duplicate packet received in "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
return ENOBUFS;
default:
m_freem(m);
DPRINTF(("ah_input(): bogus value from "
"checkreplaywindow() in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
return ENOBUFS;
}
@@ -585,9 +589,10 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
/* Verify AH header length. */
if (hl * sizeof(u_int32_t) != ahx->authsize + rplen - AH_FLENGTH) {
- DPRINTF(("ah_input(): bad authenticator length %d for packet "
+ DPRINTF(("ah_input(): bad authenticator length %ld for packet "
"in SA %s/%08x\n", hl * sizeof(u_int32_t),
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat.ahs_badauthl++;
m_freem(m);
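Review bot: The new `%ld` in the bad-authenticator-length message still does not match its argument: `hl * sizeof(u_int32_t)` has type size_t, which is unsigned, so the specifier should be `%zu` (assuming the kernel printf accepts the `z` modifier, which should be confirmed). The same `%d` to `%ld` substitution is made for `adjust` in the ipsec_common_ctlinput, udpencap_ctlinput and ipsec_adjust_mtu hunks; its declaration is outside those hunks, so check whether `%zd` is the exact match there. These calls are only compiled under ENCDEBUG, so a mismatch is easy to miss in normal builds. ah_input's body continues outside the hunk.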
@@ -738,6 +743,9 @@ ah_input_cb(void *op)
u_int32_t btsx, esn;
u_int8_t prot;
caddr_t ptr;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
crp = (struct cryptop *) op;
@@ -807,7 +815,8 @@ ah_input_cb(void *op)
DPRINTF(("ah_input(): authentication failed for "
"packet in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat.ahs_badauth++;
error = EACCES;
@@ -841,29 +850,30 @@ ah_input_cb(void *op)
break;
case 1:
DPRINTF(("ah_input(): replay counter wrapped for "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_wrap++;
error = ENOBUFS;
goto baddone;
case 2:
DPRINTF(("ah_input_cb(): old packet received in "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
error = ENOBUFS;
goto baddone;
case 3:
DPRINTF(("ah_input_cb(): duplicate packet received in "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
error = ENOBUFS;
goto baddone;
default:
DPRINTF(("ah_input_cb(): bogus value from "
"checkreplaywindow() in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
error = ENOBUFS;
goto baddone;
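Review bot: The `case 1` message in this switch is still prefixed `ah_input():` although the code is in ah_input_cb, while cases 2, 3 and default say `ah_input_cb():`; since the line is being rewritten anyway, it should start `DPRINTF(("ah_input_cb(): replay counter wrapped for "`. The authentication-failed and bad-mbuf-chain messages in the neighbouring ah_input_cb hunks carry the same `ah_input():` prefix, and the decryption-failed message in esp_input_cb says `esp_input():`. A wrong function name in an authentication or replay failure log sends whoever triages it to the wrong code path. The switch starts outside the hunk.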
@@ -878,7 +888,7 @@ ah_input_cb(void *op)
m_freem(m);
DPRINTF(("ah_input(): bad mbuf chain for packet in SA "
- "%s/%08x\n", ipsp_address(tdb->tdb_dst),
+ "%s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
return EINVAL;
@@ -976,6 +986,9 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
struct ah *ah;
#if NBPFILTER > 0
struct ifnet *encif;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) != NULL) {
encif->if_opackets++;
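Review bot: The `buf` declaration is added after `#if NBPFILTER > 0` and before that block's `if`, so as far as this hunk shows it sits inside the NBPFILTER conditional. An ENCDEBUG kernel built with NBPFILTER equal to 0 would then have no `buf` for the ah_output DPRINTF calls in the later hunks. Move the three added lines above `#if NBPFILTER > 0`, next to `struct ah *ah;`, as the esp_output and ipcomp_output hunks do. The matching `#endif` is outside the hunk, so confirm against the full file.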
@@ -1004,7 +1017,8 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
*/
if ((tdb->tdb_rpl == 0) && (tdb->tdb_wnd > 0)) {
DPRINTF(("ah_output(): SA %s/%08x should have expired\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_wrap++;
return EINVAL;
@@ -1018,7 +1032,8 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
if (rplen + ahx->authsize + m->m_pkthdr.len > IP_MAXPACKET) {
DPRINTF(("ah_output(): packet in SA %s/%08x got too "
"big\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_toobig++;
return EMSGSIZE;
@@ -1030,8 +1045,8 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/* Check for IPv6 maximum packet size violations. */
if (rplen + ahx->authsize + m->m_pkthdr.len > IPV6_MAXPACKET) {
DPRINTF(("ah_output(): packet in SA %s/%08x "
- "got too big\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "got too big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_toobig++;
return EMSGSIZE;
@@ -1042,7 +1057,8 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
default:
DPRINTF(("ah_output(): unknown/unsupported protocol "
"family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family,
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_nopf++;
return EPFNOSUPPORT;
@@ -1101,7 +1117,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
mi = m_inject(m, skip, rplen + ahx->authsize, M_DONTWAIT);
if (mi == NULL) {
DPRINTF(("ah_output(): failed to inject AH header for SA "
- "%s/%08x\n", ipsp_address(tdb->tdb_dst),
+ "%s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
m_freem(m);
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 69a23037d6a..863b2622da1 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.129 2014/12/19 17:14:40 tedu Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.130 2015/04/14 14:20:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -144,17 +144,22 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
break;
default:
- DPRINTF(("esp_init(): unsupported encryption algorithm %d specified\n", ii->ii_encalg));
+ DPRINTF(("esp_init(): unsupported encryption "
+ "algorithm %d specified\n", ii->ii_encalg));
return EINVAL;
}
if (ii->ii_enckeylen < txform->minkey) {
- DPRINTF(("esp_init(): keylength %d too small (min length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->minkey, txform->name));
+ DPRINTF(("esp_init(): keylength %d too small "
+ "(min length is %d) for algorithm %s\n",
+ ii->ii_enckeylen, txform->minkey, txform->name));
return EINVAL;
}
if (ii->ii_enckeylen > txform->maxkey) {
- DPRINTF(("esp_init(): keylength %d too large (max length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->maxkey, txform->name));
+ DPRINTF(("esp_init(): keylength %d too large "
+ "(max length is %d) for algorithm %s\n",
+ ii->ii_enckeylen, txform->maxkey, txform->name));
return EINVAL;
}
@@ -222,12 +227,15 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
break;
default:
- DPRINTF(("esp_init(): unsupported authentication algorithm %d specified\n", ii->ii_authalg));
+ DPRINTF(("esp_init(): unsupported authentication "
+ "algorithm %d specified\n", ii->ii_authalg));
return EINVAL;
}
if (ii->ii_authkeylen != thash->keysize) {
- DPRINTF(("esp_init(): keylength %d doesn't match algorithm %s keysize (%d)\n", ii->ii_authkeylen, thash->name, thash->keysize));
+ DPRINTF(("esp_init(): keylength %d doesn't match "
+ "algorithm %s keysize (%d)\n", ii->ii_authkeylen,
+ thash->name, thash->keysize));
return EINVAL;
}
@@ -328,6 +336,9 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
int plen, alen, hlen;
struct m_tag *mtag;
u_int32_t btsx, esn;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
/* Determine the ESP header length */
hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
@@ -346,7 +357,10 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
* block size.
*/
if (plen & (espx->blocksize - 1)) {
- DPRINTF(("esp_input(): payload of %d octets not a multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input(): payload of %d octets "
+ "not a multiple of %d octets, SA %s/%08x\n",
+ plen, espx->blocksize, ipsp_address(&tdb->tdb_dst,
+ buf, sizeof(buf)), ntohl(tdb->tdb_spi)));
espstat.esps_badilen++;
m_freem(m);
return EINVAL;
@@ -366,28 +380,32 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
m_freem(m);
DPRINTF(("esp_input(): replay counter wrapped"
" for SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
return EACCES;
case 2:
m_freem(m);
DPRINTF(("esp_input(): old packet received"
" in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
return EACCES;
case 3:
m_freem(m);
DPRINTF(("esp_input(): duplicate packet received"
" in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
return EACCES;
default:
m_freem(m);
DPRINTF(("esp_input(): bogus value from"
" checkreplaywindow() in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
return EACCES;
}
@@ -479,7 +497,8 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
/* Copy the authenticator */
if (mtag == NULL)
- m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t) (tc + 1));
+ m_copydata(m, m->m_pkthdr.len - alen, alen,
+ (caddr_t)(tc + 1));
} else
crde = crp->crp_desc;
@@ -536,6 +555,9 @@ esp_input_cb(void *op)
struct tdb *tdb;
u_int32_t btsx, esn;
caddr_t ptr;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
crp = (struct cryptop *) op;
@@ -586,8 +608,8 @@ esp_input_cb(void *op)
/* If authentication was performed, check now. */
if (esph != NULL) {
/*
- * If we have a tag, it means an IPsec-aware NIC did the verification
- * for us.
+ * If we have a tag, it means an IPsec-aware NIC did the
+ * verification for us.
*/
if (mtag == NULL) {
/* Copy the authenticator from the packet */
@@ -599,7 +621,10 @@ esp_input_cb(void *op)
/* Verify authenticator */
if (timingsafe_bcmp(ptr, aalg, esph->authsize)) {
free(tc, M_XDATA, 0);
- DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input_cb(): authentication "
+ "failed for packet in SA %s/%08x\n",
+ ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
espstat.esps_badauth++;
error = EACCES;
goto baddone;
@@ -627,28 +652,32 @@ esp_input_cb(void *op)
case 1:
DPRINTF(("esp_input_cb(): replay counter wrapped"
" for SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
error = EACCES;
goto baddone;
case 2:
DPRINTF(("esp_input_cb(): old packet received"
" in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
error = EACCES;
goto baddone;
case 3:
DPRINTF(("esp_input_cb(): duplicate packet received"
" in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
error = EACCES;
goto baddone;
default:
DPRINTF(("esp_input_cb(): bogus value from"
" checkreplaywindow() in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
error = EACCES;
goto baddone;
@@ -667,7 +696,8 @@ esp_input_cb(void *op)
espstat.esps_hdrops++;
splx(s);
DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
return EINVAL;
}
@@ -688,7 +718,7 @@ esp_input_cb(void *op)
/* Adjust the next mbuf by the remainder */
m_adj(m1->m_next, roff + hlen - m1->m_len);
- /* The second mbuf is guaranteed not to have a pkthdr... */
+ /* The second mbuf is guaranteed not to have a pkthdr */
m->m_pkthdr.len -= (roff + hlen - m1->m_len);
}
@@ -722,7 +752,10 @@ esp_input_cb(void *op)
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
espstat.esps_badilen++;
splx(s);
- DPRINTF(("esp_input_cb(): invalid padding length %d for packet in SA %s/%08x\n", lastthree[1], ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input_cb(): invalid padding length %d for "
+ "packet in SA %s/%08x\n", lastthree[1],
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
return EINVAL;
}
@@ -731,7 +764,9 @@ esp_input_cb(void *op)
if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) {
espstat.esps_badenc++;
splx(s);
- DPRINTF(("esp_input(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input(): decryption failed for packet in "
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
return EINVAL;
}
@@ -773,7 +808,9 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
struct tdb_crypto *tc;
unsigned char *pad;
u_int8_t prot;
-
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
struct cryptodesc *crde = NULL, *crda = NULL;
struct cryptop *crp;
#if NBPFILTER > 0
@@ -819,7 +856,8 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/* Check for IP maximum packet size violations. */
if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) {
DPRINTF(("esp_output(): packet in SA %s/%08x got "
- "too big\n", ipsp_address(tdb->tdb_dst),
+ "too big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)),
ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_toobig++;
@@ -832,8 +870,8 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/* Check for IPv6 maximum packet size violations. */
if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) {
DPRINTF(("esp_output(): packet in SA %s/%08x got too "
- "big\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_toobig++;
return EMSGSIZE;
@@ -843,8 +881,9 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
default:
DPRINTF(("esp_output(): unknown/unsupported protocol "
- "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family
- , ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family,
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_nopf++;
return EPFNOSUPPORT;
@@ -887,7 +926,8 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
if (n == NULL) {
DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_hdrops++;
m_freem(m);
return ENOBUFS;
@@ -905,8 +945,8 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
mo = m_inject(m, skip, hlen, M_DONTWAIT);
if (mo == NULL) {
DPRINTF(("esp_output(): failed to inject ESP header for "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_hdrops++;
return ENOBUFS;
@@ -930,7 +970,8 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
mo = m_inject(m, m->m_pkthdr.len, padding + alen, M_DONTWAIT);
if (mo == NULL) {
DPRINTF(("esp_output(): m_inject failed for SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
return ENOBUFS;
}
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index e9680c12ebb..8c75c7a34c3 100644
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.40 2015/03/14 03:38:52 jsg Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.41 2015/04/14 14:20:01 mikeb Exp $ */
/*
* Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -211,6 +211,9 @@ ipcomp_input_cb(op)
struct tdb *tdb;
struct ipcomp *ipcomp;
caddr_t addr;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
crp = (struct cryptop *) op;
@@ -293,7 +296,8 @@ ipcomp_input_cb(op)
if (m1 == NULL) {
ipcompstat.ipcomps_hdrops++;
DPRINTF(("ipcomp_input_cb(): bad mbuf chain, IPCA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
error = EINVAL;
goto baddone;
}
@@ -377,6 +381,9 @@ ipcomp_output(m, tdb, mp, skip, protoff)
struct cryptop *crp;
struct tdb_crypto *tc;
struct mbuf *mi, *mo;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
#if NBPFILTER > 0
struct ifnet *encif;
@@ -409,8 +416,9 @@ ipcomp_output(m, tdb, mp, skip, protoff)
* worry
*/
if (m->m_pkthdr.len + hlen > IP_MAXPACKET) {
- DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x got too big\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x "
+ "got too big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_toobig++;
return EMSGSIZE;
@@ -421,8 +429,9 @@ ipcomp_output(m, tdb, mp, skip, protoff)
case AF_INET6:
/* Check for IPv6 maximum packet size violations */
if (m->m_pkthdr.len + hlen > IPV6_MAXPACKET) {
- DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x got too big\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x "
+ "got too big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_toobig++;
return EMSGSIZE;
@@ -430,8 +439,9 @@ ipcomp_output(m, tdb, mp, skip, protoff)
#endif /* INET6 */
default:
- DPRINTF(("ipcomp_output(): unknown/unsupported protocol family %d, IPCA %s/%08x\n",
- tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst),
+ DPRINTF(("ipcomp_output(): unknown/unsupported protocol "
+ "family %d, IPCA %s/%08x\n", tdb->tdb_dst.sa.sa_family,
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_nopf++;
@@ -474,7 +484,8 @@ ipcomp_output(m, tdb, mp, skip, protoff)
if (n == NULL) {
DPRINTF(("ipcomp_output(): bad mbuf chain, IPCA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_hdrops++;
m_freem(m);
return ENOBUFS;
@@ -552,6 +563,9 @@ ipcomp_output_cb(cp)
struct ip6_hdr *ip6;
#endif
struct ipcomp *ipcomp;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
@@ -610,8 +624,8 @@ ipcomp_output_cb(cp)
mo = m_inject(m, skip, IPCOMP_HLENGTH, M_DONTWAIT);
if (mo == NULL) {
DPRINTF(("ipcomp_output_cb(): failed to inject IPCOMP header "
- "for IPCA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ "for IPCA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_wrap++;
error = ENOBUFS;
goto baddone;
@@ -639,8 +653,8 @@ ipcomp_output_cb(cp)
#endif
default:
DPRINTF(("ipcomp_output_cb(): unsupported protocol family %d, "
- "IPCA %s/%08x\n",
- tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst),
+ "IPCA %s/%08x\n", tdb->tdb_dst.sa.sa_family,
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_nopf++;
error = EPFNOSUPPORT;
diff --git a/sys/netinet/ip_ipip.c b/sys/netinet/ip_ipip.c
index 4128e3d3990..7f104257f66 100644
--- a/sys/netinet/ip_ipip.c
+++ b/sys/netinet/ip_ipip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipip.c,v 1.57 2015/04/10 13:58:20 dlg Exp $ */
+/* $OpenBSD: ip_ipip.c,v 1.58 2015/04/14 14:20:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -391,6 +391,9 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
#ifdef INET6
struct ip6_hdr *ip6, *ip6o;
#endif /* INET6 */
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
/* XXX Deal with empty TDB source/destination addresses. */
@@ -405,7 +408,8 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
DPRINTF(("ipip_output(): unspecified tunnel endpoind "
"address in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ipipstat.ipips_unspec++;
m_freem(m);
@@ -490,7 +494,8 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
DPRINTF(("ipip_output(): unspecified tunnel endpoind "
"address in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ipipstat.ipips_unspec++;
m_freem(m);
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 0cf6b7148aa..a6923459502 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.209 2015/04/14 12:22:15 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.210 2015/04/14 14:20:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -845,6 +845,9 @@ tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii)
{
struct xformsw *xsp;
int err;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) {
if (xsp->xf_type == alg) {
@@ -854,8 +857,8 @@ tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii)
}
DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n",
- alg, ntohl(tdbp->tdb_spi), ipsp_address(tdbp->tdb_dst),
- tdbp->tdb_sproto));
+ alg, ntohl(tdbp->tdb_spi), ipsp_address(&tdbp->tdb_dst, buf,
+ sizeof(buf)), tdbp->tdb_sproto));
return EINVAL;
}
@@ -925,24 +928,17 @@ tdb_add_inp(struct tdb *tdb, struct inpcb *inp, int inout)
#ifdef ENCDEBUG
/* Return a printable string for the address. */
const char *
-ipsp_address(union sockaddr_union sa)
+ipsp_address(union sockaddr_union *sa, char *buf, socklen_t size)
{
- static char ipspbuf[4][INET6_ADDRSTRLEN];
- static int ipspround = 0;
- char *buf;
-
- ipspround = (ipspround + 1) % 4;
- buf = ipspbuf[ipspround];
-
- switch (sa.sa.sa_family) {
+ switch (sa->sa.sa_family) {
case AF_INET:
- return inet_ntop(AF_INET, &sa.sin.sin_addr,
- buf, INET_ADDRSTRLEN);
+ return inet_ntop(AF_INET, &sa->sin.sin_addr,
+ buf, (size_t)size);
#ifdef INET6
case AF_INET6:
- return inet_ntop(AF_INET6, &sa.sin6.sin6_addr,
- buf, INET6_ADDRSTRLEN);
+ return inet_ntop(AF_INET6, &sa->sin6.sin6_addr,
+ buf, (size_t)size);
#endif /* INET6 */
default:
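Review bot: The one-line comment above ipsp_address no longer describes its contract, and the address argument is only read, so the signature could be `ipsp_address(const union sockaddr_union *sa, char *buf, socklen_t size)`, with the prototype in ip_ipsp.h changed to match. I would extend the comment to say that the string is written into the caller's `buf`, that `size` should be at least INET6_ADDRSTRLEN, and that inet_ntop() returns NULL when the buffer is too small. It should also note that a DPRINTF printing two addresses needs two buffers, because the returned pointer aliases `buf`. The `default:` branch and the end of the function are outside the hunk.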
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 5c3e2665947..471ed45a1c9 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.164 2015/04/14 12:22:15 mikeb Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.165 2015/04/14 14:20:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -480,7 +480,7 @@ do { \
/* Misc. */
uint8_t get_sa_require(struct inpcb *);
#ifdef ENCDEBUG
-const char *ipsp_address(union sockaddr_union);
+const char *ipsp_address(union sockaddr_union *, char *, socklen_t);
#endif /* ENCDEBUG */
/* TDB management routines */
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 498c940bd33..5e05a3a3213 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.128 2015/04/10 13:58:20 dlg Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.129 2015/04/14 14:20:01 mikeb Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -125,6 +125,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
u_int32_t spi;
u_int16_t cpi;
int s, error;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
IPSEC_ISTAT(espstat.esps_input, ahstat.ahs_input,
ipcompstat.ipcomps_input);
@@ -232,7 +235,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
splx(s);
DPRINTF(("ipsec_common_input(): could not find SA for "
"packet to %s, spi %08x\n",
- ipsp_address(dst_address), ntohl(spi)));
+ ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)));
m_freem(m);
IPSEC_ISTAT(espstat.esps_notdb, ahstat.ahs_notdb,
ipcompstat.ipcomps_notdb);
@@ -241,7 +244,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
if (tdbp->tdb_flags & TDBF_INVALID) {
splx(s);
- DPRINTF(("ipsec_common_input(): attempted to use invalid SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF(("ipsec_common_input(): attempted to use invalid "
+ "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
m_freem(m);
IPSEC_ISTAT(espstat.esps_invalid, ahstat.ahs_invalid,
ipcompstat.ipcomps_invalid);
@@ -250,7 +255,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) {
splx(s);
- DPRINTF(("ipsec_common_input(): attempted to use non-udpencap SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF(("ipsec_common_input(): attempted to use non-udpencap "
+ "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
m_freem(m);
espstat.esps_udpinval++;
return EINVAL;
@@ -258,7 +265,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
if (tdbp->tdb_xform == NULL) {
splx(s);
- DPRINTF(("ipsec_common_input(): attempted to use uninitialized SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF(("ipsec_common_input(): attempted to use uninitialized "
+ "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
m_freem(m);
IPSEC_ISTAT(espstat.esps_noxform, ahstat.ahs_noxform,
ipcompstat.ipcomps_noxform);
@@ -271,8 +280,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
splx(s);
DPRINTF(("ipsec_common_input(): "
"no enc%u interface for SA %s/%08x/%u\n",
- tdbp->tdb_tap, ipsp_address(dst_address),
- ntohl(spi), tdbp->tdb_sproto));
+ tdbp->tdb_tap, ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
m_freem(m);
IPSEC_ISTAT(espstat.esps_pdrops,
@@ -332,6 +341,10 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
struct m_tag *mtag;
struct tdb_ident *tdbi;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
+
af = tdbp->tdb_dst.sa.sa_family;
sproto = tdbp->tdb_sproto;
@@ -349,8 +362,8 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
if (af == AF_INET) {
if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) {
DPRINTF(("ipsec_common_input_cb(): processing failed "
- "for SA %s/%08x\n", ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
+ "for SA %s/%08x\n", ipsp_address(&tdbp->tdb_dst,
+ buf, sizeof(buf)), ntohl(tdbp->tdb_spi)));
IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
return ENOBUFS;
@@ -401,8 +414,8 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
(m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
DPRINTF(("ipsec_common_input_cb(): processing failed "
- "for SA %s/%08x\n", ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
+ "for SA %s/%08x\n", ipsp_address(&tdbp->tdb_dst,
+ buf, sizeof(buf)), ntohl(tdbp->tdb_spi)));
IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
@@ -856,7 +869,7 @@ ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa,
tdbp->tdb_mtutimeout = time_second +
ip_mtudisc_timeout;
DPRINTF(("ipsec_common_ctlinput: "
- "spi %08x mtu %d adjust %d\n",
+ "spi %08x mtu %d adjust %ld\n",
ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
adjust));
}
@@ -915,7 +928,7 @@ udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
tdbp->tdb_mtutimeout = time_second +
ip_mtudisc_timeout;
DPRINTF(("udpencap_ctlinput: "
- "spi %08x mtu %d adjust %d\n",
+ "spi %08x mtu %d adjust %ld\n",
ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
adjust));
}
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 95717a3627b..2814ec0327a 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.56 2015/01/24 00:29:06 deraadt Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.57 2015/04/14 14:20:01 mikeb Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -80,6 +80,10 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
struct ip6_hdr *ip6;
#endif /* INET6 */
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
+
/* Check that the transform is allowed by the administrator. */
if ((tdb->tdb_sproto == IPPROTO_ESP && !esp_enable) ||
(tdb->tdb_sproto == IPPROTO_AH && !ah_enable) ||
@@ -100,8 +104,8 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
/* Check if the SPI is invalid. */
if (tdb->tdb_flags & TDBF_INVALID) {
DPRINTF(("ipsp_process_packet(): attempt to use invalid "
- "SA %s/%08x/%u\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi), tdb->tdb_sproto));
+ "SA %s/%08x/%u\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi), tdb->tdb_sproto));
m_freem(m);
return ENXIO;
}
@@ -119,8 +123,9 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
default:
DPRINTF(("ipsp_process_packet(): attempt to use "
"SA %s/%08x/%u for protocol family %d\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi),
- tdb->tdb_sproto, tdb->tdb_dst.sa.sa_family));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi), tdb->tdb_sproto,
+ tdb->tdb_dst.sa.sa_family));
m_freem(m);
return ENXIO;
}
@@ -576,7 +581,7 @@ ipsec_adjust_mtu(struct mbuf *m, u_int32_t mtu)
tdbp->tdb_mtu = mtu;
tdbp->tdb_mtutimeout = time_second + ip_mtudisc_timeout;
DPRINTF(("ipsec_adjust_mtu: "
- "spi %08x mtu %d adjust %d mbuf %p\n",
+ "spi %08x mtu %d adjust %ld mbuf %p\n",
ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
adjust, m));
}