Module Name: src
Committed By: ryo
Date: Thu May 11 05:55:14 UTC 2017
Modified Files:
src/sys/netipsec: ipsec.c ipsec.h ipsec_input.c ipsec_output.c
xform_ah.c xform_esp.c xform_ipcomp.c xform_ipip.c
Log Message:
Make ipsec_address() and ipsec_logsastr() mpsafe.
To generate a diff of this commit:
cvs rdiff -u -r1.87 -r1.88 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.46 -r1.47 src/sys/netipsec/ipsec.h \
src/sys/netipsec/ipsec_output.c
cvs rdiff -u -r1.41 -r1.42 src/sys/netipsec/ipsec_input.c
cvs rdiff -u -r1.53 -r1.54 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.54 -r1.55 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.37 -r1.38 src/sys/netipsec/xform_ipcomp.c
cvs rdiff -u -r1.48 -r1.49 src/sys/netipsec/xform_ipip.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.87 src/sys/netipsec/ipsec.c:1.88
--- src/sys/netipsec/ipsec.c:1.87 Wed May 10 09:34:52 2017
+++ src/sys/netipsec/ipsec.c Thu May 11 05:55:14 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.87 2017/05/10 09:34:52 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.88 2017/05/11 05:55:14 ryo Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.87 2017/05/10 09:34:52 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.88 2017/05/11 05:55:14 ryo Exp $");
/*
* IPsec controller part.
@@ -2101,6 +2101,7 @@ ipsec_updatereplay(u_int32_t seq, const
int fr;
u_int32_t wsizeb; /* constant: bits of window size */
int frlast; /* constant: last frame */
+ char buf[INET6_ADDRSTRLEN];
IPSEC_SPLASSERT_SOFTNET(__func__);
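Review bot: The `char buf[INET6_ADDRSTRLEN];` added to ipsec_updatereplay() is too small for its only use, which is in the next hunk: `ipsec_logsastr(sav, buf, sizeof(buf))` formats `SA(SPI=%u src=%s dst=%s)` with two addresses. snprintf() keeps the write bounded, so this is truncation rather than an overflow. The replay-counter-cycle warning will still be cut short for most SAs, losing the dst field an operator needs when looking into replay events. The header change in this commit defines IPSEC_LOGSASTRLEN for exactly this call, so the declaration should be `char buf[IPSEC_LOGSASTRLEN];`. The body of ipsec_updatereplay() continues outside the hunk.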
@@ -2177,7 +2178,7 @@ ok:
return 1;
ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
- replay->overflow, ipsec_logsastr(sav)));
+ replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf))));
}
replay->count++;
@@ -2210,37 +2211,21 @@ vshiftl(unsigned char *bitmap, int nbit,
return;
}
-/* Return a printable string for the IPv4 address. */
-static char *
-inet_ntoa4(struct in_addr ina)
-{
- static char buf[4][4 * sizeof "123" + 4];
- unsigned char *ucp = (unsigned char *) &ina;
- static int i = 3;
-
- i = (i + 1) % 4;
- snprintf(buf[i], sizeof(buf[i]), "%d.%d.%d.%d",
- ucp[0] & 0xff, ucp[1] & 0xff, ucp[2] & 0xff, ucp[3] & 0xff);
- return (buf[i]);
-}
-
/* Return a printable string for the address. */
const char *
-ipsec_address(const union sockaddr_union *sa)
+ipsec_address(const union sockaddr_union *sa, char *buf, size_t size)
{
-#if INET6
- static char ip6buf[INET6_ADDRSTRLEN]; /* XXX: NOMPSAFE */
-#endif
-
switch (sa->sa.sa_family) {
#if INET
case AF_INET:
- return inet_ntoa4(sa->sin.sin_addr);
+ in_print(buf, size, &sa->sin.sin_addr);
+ return buf;
#endif /* INET */
#if INET6
case AF_INET6:
- return IN6_PRINT(ip6buf, &sa->sin6.sin6_addr);
+ in6_print(buf, size, &sa->sin6.sin6_addr);
+ return buf;
#endif /* INET6 */
default:
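Review bot: The comment above ipsec_address() still says only "Return a printable string for the address." and does not state the new contract: the caller owns `buf`, and the result is valid only as long as that buffer is. I would replace it with `/* Format sa into the caller-supplied buf (IPSEC_ADDRSTRLEN bytes suffice) and return a printable string; no static storage is used. */`. Whatever in_print()/in6_print() report is discarded here, so a caller passing a short buffer presumably gets a shortened address with no indication, which deserves a sentence in that comment too. The `default:` branch continues outside the hunk, so I cannot tell whether it also returns `buf`.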
@@ -2249,27 +2234,19 @@ ipsec_address(const union sockaddr_union
}
const char *
-ipsec_logsastr(const struct secasvar *sav)
+ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size)
{
- static char buf[256];
- char *p;
const struct secasindex *saidx = &sav->sah->saidx;
+ char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
"af family mismatch, src %u, dst %u",
saidx->src.sa.sa_family, saidx->dst.sa.sa_family);
- p = buf;
- snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
- while (p && *p)
- p++;
- /* NB: only use ipsec_address on one address at a time */
- snprintf(p, sizeof (buf) - (p - buf), "src=%s ",
- ipsec_address(&saidx->src));
- while (p && *p)
- p++;
- snprintf(p, sizeof (buf) - (p - buf), "dst=%s)",
- ipsec_address(&saidx->dst));
+ snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)",
+ (u_int32_t)ntohl(sav->spi),
+ ipsec_address(&saidx->src, sbuf, sizeof(sbuf)),
+ ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)));
return buf;
}
Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.46 src/sys/netipsec/ipsec.h:1.47
--- src/sys/netipsec/ipsec.h:1.46 Wed May 10 09:34:52 2017
+++ src/sys/netipsec/ipsec.h Thu May 11 05:55:14 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.46 2017/05/10 09:34:52 ozaki-r Exp $ */
+/* $NetBSD: ipsec.h,v 1.47 2017/05/11 05:55:14 ryo Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -149,6 +149,11 @@ struct secspacq {
};
#endif /* _KERNEL */
+/* buffer size for formatted output of ipsec address (addr + '%' + scope_id?) */
+#define IPSEC_ADDRSTRLEN (INET6_ADDRSTRLEN + 11)
+/* buffer size for ipsec_logsastr() */
+#define IPSEC_LOGSASTRLEN 192
+
/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY 0
#define IPSEC_ULPROTO_ANY 255
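Review bot: The two new constants are under-documented: the comment on IPSEC_ADDRSTRLEN ends in a question mark, and `192` for IPSEC_LOGSASTRLEN is a bare number with no derivation. As far as this commit shows, ipsec_address() passes only `sin6_addr` to in6_print(), so no `%scope_id` suffix appears to be produced and the extra 11 bytes look like headroom rather than a requirement; the comment should say which it is. For the second constant I would add the derivation, e.g. `/* "SA(SPI=4294967295 src= dst=)" plus two IPSEC_ADDRSTRLEN strings, rounded up */`. A later change to the format in ipsec_logsastr() would then prompt a matching update of the size instead of silently truncating log lines.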
@@ -307,8 +312,8 @@ size_t ipsec4_hdrsiz_tcp (struct tcpcb *
#define ipsec4_getpolicybyaddr ipsec_getpolicybyaddr
union sockaddr_union;
-const char *ipsec_address(const union sockaddr_union* sa);
-const char *ipsec_logsastr (const struct secasvar *);
+const char *ipsec_address(const union sockaddr_union* sa, char *, size_t);
+const char *ipsec_logsastr(const struct secasvar *, char *, size_t);
void ipsec_dumpmbuf (struct mbuf *);
Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.46 src/sys/netipsec/ipsec_output.c:1.47
--- src/sys/netipsec/ipsec_output.c:1.46 Mon May 8 06:39:23 2017
+++ src/sys/netipsec/ipsec_output.c Thu May 11 05:55:14 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_output.c,v 1.46 2017/05/08 06:39:23 ozaki-r Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.47 2017/05/11 05:55:14 ryo Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.46 2017/05/08 06:39:23 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.47 2017/05/11 05:55:14 ryo Exp $");
/*
* IPsec output processing.
@@ -177,10 +177,11 @@ ipsec_process_done(struct mbuf *m, struc
mo = m_makespace(m, sizeof(struct ip), hlen, &roff);
if (mo == NULL) {
- DPRINTF(("ipsec_process_done : failed to inject"
- "%u byte UDP for SA %s/%08lx\n",
- hlen, ipsec_address(&saidx->dst),
- (u_long) ntohl(sav->spi)));
+ char buf[IPSEC_ADDRSTRLEN];
+ DPRINTF(("ipsec_process_done : failed to inject"
+ "%u byte UDP for SA %s/%08lx\n",
+ hlen, ipsec_address(&saidx->dst, buf, sizeof(buf)),
+ (u_long) ntohl(sav->spi)));
error = ENOBUFS;
goto bad;
}
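Review bot: The two adjacent string literals on the re-added DPRINTF lines concatenate to `failed to inject%u byte UDP`, because the first literal ends without a space. Since these lines are being rewritten anyway, the first literal should read `"ipsec_process_done : failed to inject "`. The message is only diagnostic, but a run-together field makes it harder to match in log searches. ipsec_process_done() starts and ends outside the hunk.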
Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.41 src/sys/netipsec/ipsec_input.c:1.42
--- src/sys/netipsec/ipsec_input.c:1.41 Wed Apr 19 03:39:14 2017
+++ src/sys/netipsec/ipsec_input.c Thu May 11 05:55:14 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.41 2017/04/19 03:39:14 ozaki-r Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.42 2017/05/11 05:55:14 ryo Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.41 2017/04/19 03:39:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.42 2017/05/11 05:55:14 ryo Exp $");
/*
* IPsec input processing.
@@ -122,6 +122,7 @@ do { \
static int
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
{
+ char buf[IPSEC_ADDRSTRLEN];
union sockaddr_union dst_address;
struct secasvar *sav;
u_int32_t spi;
@@ -213,7 +214,7 @@ ipsec_common_input(struct mbuf *m, int s
if (sav == NULL) {
DPRINTF(("ipsec_common_input: no key association found for"
" SA %s/%08lx/%u/%u\n",
- ipsec_address(&dst_address),
+ ipsec_address(&dst_address, buf, sizeof(buf)),
(u_long) ntohl(spi), sproto, ntohs(dport)));
IPSEC_ISTAT(sproto, ESP_STAT_NOTDB, AH_STAT_NOTDB,
IPCOMP_STAT_NOTDB);
@@ -225,7 +226,7 @@ ipsec_common_input(struct mbuf *m, int s
if (sav->tdb_xform == NULL) {
DPRINTF(("ipsec_common_input: attempted to use uninitialized"
" SA %s/%08lx/%u\n",
- ipsec_address(&dst_address),
+ ipsec_address(&dst_address, buf, sizeof(buf)),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, ESP_STAT_NOXFORM, AH_STAT_NOXFORM,
IPCOMP_STAT_NOXFORM);
@@ -305,9 +306,10 @@ ipsec4_common_input_cb(struct mbuf *m, s
/* Fix IPv4 header */
if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
+ char buf[IPSEC_ADDRSTRLEN];
DPRINTF(("ipsec4_common_input_cb: processing failed "
"for SA %s/%08lx\n",
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
IPCOMP_STAT_HDROPS);
@@ -340,10 +342,11 @@ ipsec4_common_input_cb(struct mbuf *m, s
(saidx->proxy.sa.sa_family != AF_INET &&
saidx->proxy.sa.sa_family != 0)) {
+ char ipbuf[INET_ADDRSTRLEN];
DPRINTF(("ipsec4_common_input_cb: inner "
"source address %s doesn't correspond to "
"expected proxy source %s, SA %s/%08lx\n",
- inet_ntoa4(ipn.ip_src),
+ IN_PRINT(ipbuf, ipn.ip_src),
ipsp_address(saidx->proxy),
ipsp_address(saidx->dst),
(u_long) ntohl(sav->spi)));
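Review bot: `IN_PRINT(ipbuf, ipn.ip_src)` passes the in_addr by value, whereas the new ipsec_address() in ipsec.c calls `in_print(buf, size, &sa->sin.sin_addr)` with a pointer. If IN_PRINT forwards its second argument unchanged (its definition is not part of this diff), the call should be `IN_PRINT(ipbuf, &ipn.ip_src)`; the same expression appears in the ipsec6_common_input_cb() hunk at -572. The next two arguments in this hunk are still `ipsp_address(saidx->proxy)` and `ipsp_address(saidx->dst)`, while the parallel blocks were converted to `ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf))` and the matching `dbuf` form. Presumably this block is not built in the default configuration, but it should be converted the same way so it does not fail to compile when enabled. The enclosing function continues outside the hunk.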
@@ -377,12 +380,13 @@ ipsec4_common_input_cb(struct mbuf *m, s
saidx->proxy.sa.sa_family != 0)) {
char ip6buf[INET6_ADDRSTRLEN];
+ char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
DPRINTF(("ipsec4_common_input_cb: inner "
"source address %s doesn't correspond to "
"expected proxy source %s, SA %s/%08lx\n",
ip6_sprintf(ip6buf, &ip6n.ip6_src),
- ipsec_address(&saidx->proxy),
- ipsec_address(&saidx->dst),
+ ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
+ ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
@@ -537,9 +541,10 @@ ipsec6_common_input_cb(struct mbuf *m, s
if (m->m_len < sizeof(struct ip6_hdr) &&
(m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
+ char buf[IPSEC_ADDRSTRLEN];
DPRINTF(("ipsec6_common_input_cb: processing failed "
- "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst),
- (u_long) ntohl(sav->spi)));
+ "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst,
+ buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
IPCOMP_STAT_HDROPS);
@@ -572,12 +577,14 @@ ipsec6_common_input_cb(struct mbuf *m, s
(saidx->proxy.sa.sa_family != AF_INET &&
saidx->proxy.sa.sa_family != 0)) {
+ char ipbuf[INET_ADDRSTRLEN];
+ char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
DPRINTF(("ipsec6_common_input_cb: inner "
"source address %s doesn't correspond to "
"expected proxy source %s, SA %s/%08lx\n",
- inet_ntoa4(ipn.ip_src),
- ipsec_address(&saidx->proxy),
- ipsec_address(&saidx->dst),
+ IN_PRINT(ipbuf, ipn.ip_src),
+ ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
+ ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
@@ -609,12 +616,13 @@ ipsec6_common_input_cb(struct mbuf *m, s
saidx->proxy.sa.sa_family != 0)) {
char ip6buf[INET6_ADDRSTRLEN];
+ char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
DPRINTF(("ipsec6_common_input_cb: inner "
"source address %s doesn't correspond to "
"expected proxy source %s, SA %s/%08lx\n",
ip6_sprintf(ip6buf, &ip6n.ip6_src),
- ipsec_address(&saidx->proxy),
- ipsec_address(&saidx->dst),
+ ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
+ ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.53 src/sys/netipsec/xform_ah.c:1.54
--- src/sys/netipsec/xform_ah.c:1.53 Wed Apr 19 03:39:14 2017
+++ src/sys/netipsec/xform_ah.c Thu May 11 05:55:14 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ah.c,v 1.53 2017/04/19 03:39:14 ozaki-r Exp $ */
+/* $NetBSD: xform_ah.c,v 1.54 2017/05/11 05:55:14 ryo Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.53 2017/04/19 03:39:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54 2017/05/11 05:55:14 ryo Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -643,9 +643,10 @@ ah_input(struct mbuf *m, const struct se
/* Check replay window, if applicable. */
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
+ char buf[IPSEC_LOGSASTRLEN];
AH_STATINC(AH_STAT_REPLAY);
DPRINTF(("%s: packet replay failure: %s\n", __func__,
- ipsec_logsastr(sav)));
+ ipsec_logsastr(sav, buf, sizeof(buf))));
m_freem(m);
return ENOBUFS;
}
@@ -655,10 +656,11 @@ ah_input(struct mbuf *m, const struct se
ahx = sav->tdb_authalgxform;
authsize = AUTHSIZE(sav);
if (hl != authsize + rplen - sizeof(struct ah)) {
+ char buf[IPSEC_ADDRSTRLEN];
DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
" for packet in SA %s/%08lx\n", __func__,
hl, (u_long) (authsize + rplen - sizeof(struct ah)),
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AH_STATINC(AH_STAT_BADAUTHL);
m_freem(m);
@@ -793,6 +795,7 @@ ah_input(struct mbuf *m, const struct se
static int
ah_input_cb(struct cryptop *crp)
{
+ char buf[IPSEC_ADDRSTRLEN];
int rplen, error, skip, protoff;
unsigned char calc[AH_ALEN_MAX];
struct mbuf *m;
@@ -889,7 +892,7 @@ ah_input_cb(struct cryptop *crp)
"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x, " \
"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n",
__func__, authsize,
- ipsec_address(&saidx->dst),
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi),
calc[0], calc[1], calc[2], calc[3],
calc[4], calc[5], calc[6], calc[7],
@@ -941,7 +944,8 @@ ah_input_cb(struct cryptop *crp)
error = m_striphdr(m, skip, rplen + authsize);
if (error) {
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
- ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
+ (u_long) ntohl(sav->spi)));
AH_STATINC(AH_STAT_HDROPS);
goto bad;
@@ -979,6 +983,7 @@ ah_output(
int protoff
)
{
+ char buf[IPSEC_ADDRSTRLEN];
const struct secasvar *sav;
const struct auth_hash *ahx;
struct cryptodesc *crda;
@@ -1021,7 +1026,7 @@ ah_output(
DPRINTF(("%s: unknown/unsupported protocol "
"family %u, SA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AH_STATINC(AH_STAT_NOPF);
error = EPFNOSUPPORT;
@@ -1031,7 +1036,7 @@ ah_output(
if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
DPRINTF(("%s: packet in SA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi),
rplen + authsize + m->m_pkthdr.len, maxpacketsize));
AH_STATINC(AH_STAT_TOOBIG);
@@ -1045,7 +1050,7 @@ ah_output(
m = m_clone(m);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AH_STATINC(AH_STAT_HDROPS);
error = ENOBUFS;
@@ -1058,7 +1063,7 @@ ah_output(
DPRINTF(("%s: failed to inject %u byte AH header for SA "
"%s/%08lx\n", __func__,
rplen + authsize,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AH_STATINC(AH_STAT_HDROPS); /*XXX differs from openbsd */
error = ENOBUFS;
@@ -1085,8 +1090,8 @@ ah_output(
if (sav->replay->count == ~0 &&
(sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
- __func__, ipsec_address(&sav->sah->saidx.dst),
- (u_long) ntohl(sav->spi)));
+ __func__, ipsec_address(&sav->sah->saidx.dst, buf,
+ sizeof(buf)), (u_long) ntohl(sav->spi)));
AH_STATINC(AH_STAT_WRAP);
error = EINVAL;
goto bad;
Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.54 src/sys/netipsec/xform_esp.c:1.55
--- src/sys/netipsec/xform_esp.c:1.54 Wed Apr 19 03:39:14 2017
+++ src/sys/netipsec/xform_esp.c Thu May 11 05:55:14 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_esp.c,v 1.54 2017/04/19 03:39:14 ozaki-r Exp $ */
+/* $NetBSD: xform_esp.c,v 1.55 2017/05/11 05:55:14 ryo Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.54 2017/04/19 03:39:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.55 2017/05/11 05:55:14 ryo Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -339,9 +339,10 @@ esp_input(struct mbuf *m, const struct s
*/
plen = m->m_pkthdr.len - (skip + hlen + alen);
if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
+ char buf[IPSEC_ADDRSTRLEN];
DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
" SA %s/%08lx\n", __func__, plen, espx->blocksize,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
ESP_STATINC(ESP_STAT_BADILEN);
m_freem(m);
@@ -352,8 +353,9 @@ esp_input(struct mbuf *m, const struct s
* Check sequence number.
*/
if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
- DPRINTF(("%s: packet replay check for %s\n",
- __func__, ipsec_logsastr(sav))); /*XXX*/
+ char logbuf[IPSEC_LOGSASTRLEN];
+ DPRINTF(("%s: packet replay check for %s\n", __func__,
+ ipsec_logsastr(sav, logbuf, sizeof(logbuf)))); /*XXX*/
ESP_STATINC(ESP_STAT_REPLAY);
m_freem(m);
return ENOBUFS; /*XXX*/
@@ -499,6 +501,7 @@ out:
static int
esp_input_cb(struct cryptop *crp)
{
+ char buf[IPSEC_ADDRSTRLEN];
uint8_t lastthree[3], aalg[AH_ALEN_MAX];
int s, hlen, skip, protoff, error;
struct mbuf *m;
@@ -531,7 +534,7 @@ esp_input_cb(struct cryptop *crp)
ESP_STATINC(ESP_STAT_NOTDB);
DPRINTF(("%s: SA expired while in crypto "
"(SA %s/%08lx proto %u)\n", __func__,
- ipsec_address(&tc->tc_dst),
+ ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -591,8 +594,8 @@ esp_input_cb(struct cryptop *crp)
if (!consttime_memequal(ptr, aalg, esph->authsize)) {
DPRINTF(("%s: authentication hash mismatch "
"for packet in SA %s/%08lx\n", __func__,
- ipsec_address(&saidx->dst),
- (u_long) ntohl(sav->spi)));
+ ipsec_address(&saidx->dst, buf,
+ sizeof(buf)), (u_long) ntohl(sav->spi)));
ESP_STATINC(ESP_STAT_BADAUTH);
error = EACCES;
goto bad;
@@ -621,8 +624,9 @@ esp_input_cb(struct cryptop *crp)
m_copydata(m, skip + offsetof(struct newesp, esp_seq),
sizeof(seq), &seq);
if (ipsec_updatereplay(ntohl(seq), sav)) {
+ char logbuf[IPSEC_LOGSASTRLEN];
DPRINTF(("%s: packet replay check for %s\n", __func__,
- ipsec_logsastr(sav)));
+ ipsec_logsastr(sav, logbuf, sizeof(logbuf))));
ESP_STATINC(ESP_STAT_REPLAY);
error = ENOBUFS;
goto bad;
@@ -640,7 +644,7 @@ esp_input_cb(struct cryptop *crp)
if (error) {
ESP_STATINC(ESP_STAT_HDROPS);
DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
goto bad;
}
@@ -654,7 +658,7 @@ esp_input_cb(struct cryptop *crp)
DPRINTF(("%s: invalid padding length %d "
"for %u byte packet in SA %s/%08lx\n", __func__,
lastthree[1], m->m_pkthdr.len - skip,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
error = EINVAL;
goto bad;
@@ -666,8 +670,8 @@ esp_input_cb(struct cryptop *crp)
ESP_STATINC(ESP_STAT_BADENC);
DPRINTF(("%s: decryption failed for packet in SA "
"%s/%08lx\n", __func__,
- ipsec_address(&sav->sah->saidx.dst),
- (u_long) ntohl(sav->spi)));
+ ipsec_address(&sav->sah->saidx.dst, buf,
+ sizeof(buf)), (u_long) ntohl(sav->spi)));
DPRINTF(("%s: %x %x\n", __func__, lastthree[0],
lastthree[1]));
error = EINVAL;
@@ -713,6 +717,7 @@ esp_output(
int protoff
)
{
+ char buf[IPSEC_ADDRSTRLEN];
const struct enc_xform *espx;
const struct auth_hash *esph;
int hlen, rlen, padding, blks, alen, i, roff;
@@ -773,14 +778,16 @@ esp_output(
default:
DPRINTF(("%s: unknown/unsupported protocol family %d, "
"SA %s/%08lx\n", __func__, saidx->dst.sa.sa_family,
- ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
+ (u_long)ntohl(sav->spi)));
ESP_STATINC(ESP_STAT_NOPF);
error = EPFNOSUPPORT;
goto bad;
}
if (skip + hlen + rlen + padding + alen > maxpacketsize) {
DPRINTF(("%s: packet in SA %s/%08lx got too big (len %u, "
- "max len %u)\n", __func__, ipsec_address(&saidx->dst),
+ "max len %u)\n", __func__,
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi),
skip + hlen + rlen + padding + alen, maxpacketsize));
ESP_STATINC(ESP_STAT_TOOBIG);
@@ -794,7 +801,8 @@ esp_output(
m = m_clone(m);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
- ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
+ (u_long) ntohl(sav->spi)));
ESP_STATINC(ESP_STAT_HDROPS);
error = ENOBUFS;
goto bad;
@@ -804,7 +812,8 @@ esp_output(
mo = m_makespace(m, skip, hlen, &roff);
if (mo == NULL) {
DPRINTF(("%s: failed to inject %u byte ESP hdr for SA "
- "%s/%08lx\n", __func__, hlen, ipsec_address(&saidx->dst),
+ "%s/%08lx\n", __func__, hlen,
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
ESP_STATINC(ESP_STAT_HDROPS); /* XXX diffs from openbsd */
error = ENOBUFS;
@@ -834,7 +843,8 @@ esp_output(
pad = m_pad(m, padding + alen);
if (pad == NULL) {
DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__,
- ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
+ (u_long) ntohl(sav->spi)));
m = NULL; /* NB: free'd by m_pad */
error = ENOBUFS;
goto bad;
@@ -970,9 +980,11 @@ esp_output_cb(struct cryptop *crp)
isr = tc->tc_isr;
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
if (sav == NULL) {
+ char buf[IPSEC_ADDRSTRLEN];
ESP_STATINC(ESP_STAT_NOTDB);
DPRINTF(("%s: SA expired while in crypto (SA %s/%08lx "
- "proto %u)\n", __func__, ipsec_address(&tc->tc_dst),
+ "proto %u)\n", __func__,
+ ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
error = ENOBUFS; /*XXX*/
goto bad;
Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.37 src/sys/netipsec/xform_ipcomp.c:1.38
--- src/sys/netipsec/xform_ipcomp.c:1.37 Wed Apr 19 03:39:14 2017
+++ src/sys/netipsec/xform_ipcomp.c Thu May 11 05:55:14 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $ */
+/* $NetBSD: xform_ipcomp.c,v 1.38 2017/05/11 05:55:14 ryo Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.38 2017/05/11 05:55:14 ryo Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#if defined(_KERNEL_OPT)
@@ -230,6 +230,7 @@ ipcomp_input(struct mbuf *m, const struc
static int
ipcomp_input_cb(struct cryptop *crp)
{
+ char buf[IPSEC_ADDRSTRLEN];
struct tdb_crypto *tc;
int skip, protoff;
struct mbuf *m;
@@ -322,7 +323,7 @@ ipcomp_input_cb(struct cryptop *crp)
case IPPROTO_ESP:
IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
DPRINTF(("%s: nested ipcomp, IPCA %s/%08lx\n", __func__,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
error = EINVAL;
goto bad;
@@ -335,8 +336,8 @@ ipcomp_input_cb(struct cryptop *crp)
if (error) {
IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
- ipsec_address(&sav->sah->saidx.dst),
- (u_long) ntohl(sav->spi)));
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+ (u_long) ntohl(sav->spi)));
goto bad;
}
@@ -375,6 +376,7 @@ ipcomp_output(
int protoff
)
{
+ char buf[IPSEC_ADDRSTRLEN];
const struct secasvar *sav;
const struct comp_algo *ipcompx;
int error, ralen, hlen, maxpacketsize;
@@ -417,7 +419,7 @@ ipcomp_output(
DPRINTF(("%s: unknown/unsupported protocol family %d"
", IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
error = EPFNOSUPPORT;
goto bad;
@@ -426,7 +428,7 @@ ipcomp_output(
IPCOMP_STATINC(IPCOMP_STAT_TOOBIG);
DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
- ipsec_address(&sav->sah->saidx.dst),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi),
skip + hlen + ralen, maxpacketsize));
error = EMSGSIZE;
@@ -440,7 +442,8 @@ ipcomp_output(
if (m == NULL) {
IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
- __func__, ipsec_address(&sav->sah->saidx.dst),
+ __func__,
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
error = ENOBUFS;
goto bad;
@@ -506,6 +509,7 @@ bad:
static int
ipcomp_output_cb(struct cryptop *crp)
{
+ char buf[IPSEC_ADDRSTRLEN];
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
@@ -567,8 +571,8 @@ ipcomp_output_cb(struct cryptop *crp)
IPCOMP_STATINC(IPCOMP_STAT_WRAP);
DPRINTF(("%s: failed to inject IPCOMP header for "
"IPCA %s/%08lx\n", __func__,
- ipsec_address(&sav->sah->saidx.dst),
- (u_long) ntohl(sav->spi)));
+ ipsec_address(&sav->sah->saidx.dst, buf,
+ sizeof(buf)), (u_long) ntohl(sav->spi)));
error = ENOBUFS;
goto bad;
}
@@ -618,8 +622,8 @@ ipcomp_output_cb(struct cryptop *crp)
DPRINTF(("ipcomp_output: unknown/unsupported protocol "
"family %d, IPCA %s/%08lx\n",
sav->sah->saidx.dst.sa.sa_family,
- ipsec_address(&sav->sah->saidx.dst),
- (u_long) ntohl(sav->spi)));
+ ipsec_address(&sav->sah->saidx.dst, buf,
+ sizeof(buf)), (u_long) ntohl(sav->spi)));
error = EPFNOSUPPORT;
goto bad;
}
Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.48 src/sys/netipsec/xform_ipip.c:1.49
--- src/sys/netipsec/xform_ipip.c:1.48 Wed Apr 19 03:39:14 2017
+++ src/sys/netipsec/xform_ipip.c Thu May 11 05:55:14 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipip.c,v 1.48 2017/04/19 03:39:14 ozaki-r Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.49 2017/05/11 05:55:14 ryo Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.48 2017/04/19 03:39:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.49 2017/05/11 05:55:14 ryo Exp $");
/*
* IP-inside-IP processing
@@ -402,6 +402,7 @@ ipip_output(
int protoff
)
{
+ char buf[IPSEC_ADDRSTRLEN];
const struct secasvar *sav;
uint8_t tp, otos;
struct secasindex *saidx;
@@ -434,7 +435,7 @@ ipip_output(
saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) {
DPRINTF(("%s: unspecified tunnel endpoint "
"address in SA %s/%08lx\n", __func__,
- ipsec_address(&saidx->dst),
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
IPIP_STATINC(IPIP_STAT_UNSPEC);
error = EINVAL;
@@ -508,7 +509,7 @@ ipip_output(
IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) {
DPRINTF(("%s: unspecified tunnel endpoint "
"address in SA %s/%08lx\n", __func__,
- ipsec_address(&saidx->dst),
+ ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
IPIP_STATINC(IPIP_STAT_UNSPEC);
error = ENOBUFS;