summaryrefslogtreecommitdiff
path: root/freebsd/sys/netipsec/xform_esp.c
diff options
context:
space:
mode:
Diffstat (limited to 'freebsd/sys/netipsec/xform_esp.c')
-rw-r--r--freebsd/sys/netipsec/xform_esp.c95
1 files changed, 51 insertions, 44 deletions
diff --git a/freebsd/sys/netipsec/xform_esp.c b/freebsd/sys/netipsec/xform_esp.c
index 9d4df589..20790d0d 100644
--- a/freebsd/sys/netipsec/xform_esp.c
+++ b/freebsd/sys/netipsec/xform_esp.c
@@ -283,9 +283,15 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
- IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
- ("misaligned packet, skip %u pkt len %u",
- skip, m->m_pkthdr.len));
+
+ /* Valid IP Packet length ? */
+ if ( (skip&3) || (m->m_pkthdr.len&3) ){
+ DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
+ __func__, skip, m->m_pkthdr.len));
+ ESPSTAT_INC(esps_badilen);
+ m_freem(m);
+ return EINVAL;
+ }
/* XXX don't pullup, just copy header */
IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
@@ -328,7 +334,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
plen, espx->blocksize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- V_espstat.esps_badilen++;
+ ESPSTAT_INC(esps_badilen);
m_freem(m);
return EINVAL;
}
@@ -339,13 +345,13 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav))); /*XXX*/
- V_espstat.esps_replay++;
+ ESPSTAT_INC(esps_replay);
m_freem(m);
return ENOBUFS; /*XXX*/
}
/* Update the counters */
- V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen);
+ ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen));
/* Find out if we've already done crypto */
for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
@@ -364,7 +370,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
m_freem(m);
return ENOBUFS;
}
@@ -379,7 +385,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
m_freem(m);
return ENOBUFS;
}
@@ -447,19 +453,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
return esp_input_cb(crp);
}
-#ifdef INET6
-#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \
- if (saidx->dst.sa.sa_family == AF_INET6) { \
- error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
- } else { \
- error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
- } \
-} while (0)
-#else
-#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \
- (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
-#endif
-
/*
* ESP input callback from the crypto driver.
*/
@@ -510,7 +503,7 @@ esp_input_cb(struct cryptop *crp)
return error;
}
- V_espstat.esps_noxform++;
+ ESPSTAT_INC(esps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -518,12 +511,12 @@ esp_input_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- V_espstat.esps_hist[sav->alg_enc]++;
+ ESPSTAT_INC(esps_hist[sav->alg_enc]);
/* If authentication was performed, check now. */
if (esph != NULL) {
@@ -542,7 +535,7 @@ esp_input_cb(struct cryptop *crp)
* the verification for us. Otherwise we need to
* check the authentication calculation.
*/
- V_ahstat.ahs_hist[sav->alg_auth]++;
+ AHSTAT_INC(ahs_hist[sav->alg_auth]);
if (mtag == NULL) {
/* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - alen,
@@ -557,7 +550,7 @@ esp_input_cb(struct cryptop *crp)
__func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_espstat.esps_badauth++;
+ ESPSTAT_INC(esps_badauth);
error = EACCES;
goto bad;
}
@@ -587,7 +580,7 @@ esp_input_cb(struct cryptop *crp)
if (ipsec_updatereplay(ntohl(seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav)));
- V_espstat.esps_replay++;
+ ESPSTAT_INC(esps_replay);
error = ENOBUFS;
goto bad;
}
@@ -602,7 +595,7 @@ esp_input_cb(struct cryptop *crp)
/* Remove the ESP header and IV from the mbuf. */
error = m_striphdr(m, skip, hlen);
if (error) {
- V_espstat.esps_hdrops++;
+ ESPSTAT_INC(esps_hdrops);
DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -614,7 +607,7 @@ esp_input_cb(struct cryptop *crp)
/* Verify pad length */
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
- V_espstat.esps_badilen++;
+ ESPSTAT_INC(esps_badilen);
DPRINTF(("%s: invalid padding length %d for %u byte packet "
"in SA %s/%08lx\n", __func__,
lastthree[1], m->m_pkthdr.len - skip,
@@ -627,7 +620,7 @@ esp_input_cb(struct cryptop *crp)
/* Verify correct decryption by checking the last padding bytes */
if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
- V_espstat.esps_badenc++;
+ ESPSTAT_INC(esps_badenc);
DPRINTF(("%s: decryption failed for packet in "
"SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
@@ -643,7 +636,21 @@ esp_input_cb(struct cryptop *crp)
/* Restore the Next Protocol field */
m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
- IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
+ switch (saidx->dst.sa.sa_family) {
+#ifdef INET6
+ case AF_INET6:
+ error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
+ break;
+#endif
+#ifdef INET
+ case AF_INET:
+ error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
+ break;
+#endif
+ default:
+ panic("%s: Unexpected address family: %d saidx=%p", __func__,
+ saidx->dst.sa.sa_family, saidx);
+ }
KEY_FREESAV(&sav);
return error;
@@ -721,7 +728,7 @@ esp_output(
else
alen = 0;
- V_espstat.esps_output++;
+ ESPSTAT_INC(esps_output);
saidx = &sav->sah->saidx;
/* Check for maximum packet size violations. */
@@ -741,7 +748,7 @@ esp_output(
"family %d, SA %s/%08lx\n", __func__,
saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_espstat.esps_nopf++;
+ ESPSTAT_INC(esps_nopf);
error = EPFNOSUPPORT;
goto bad;
}
@@ -750,19 +757,19 @@ esp_output(
"(len %u, max len %u)\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
skip + hlen + rlen + padding + alen, maxpacketsize));
- V_espstat.esps_toobig++;
+ ESPSTAT_INC(esps_toobig);
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
- V_espstat.esps_obytes += m->m_pkthdr.len - skip;
+ ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip);
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
- V_espstat.esps_hdrops++;
+ ESPSTAT_INC(esps_hdrops);
error = ENOBUFS;
goto bad;
}
@@ -773,7 +780,7 @@ esp_output(
DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
__func__, hlen, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- V_espstat.esps_hdrops++; /* XXX diffs from openbsd */
+ ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */
error = ENOBUFS;
goto bad;
}
@@ -837,7 +844,7 @@ esp_output(
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
error = ENOBUFS;
goto bad;
}
@@ -866,7 +873,7 @@ esp_output(
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
error = ENOBUFS;
goto bad;
}
@@ -927,7 +934,7 @@ esp_output_cb(struct cryptop *crp)
sav = tc->tc_sav;
/* With the isr lock released SA pointer can be updated. */
if (sav != isr->sav) {
- V_espstat.esps_notdb++;
+ ESPSTAT_INC(esps_notdb);
DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n",
__func__, ipsec_address(&tc->tc_dst),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
@@ -947,7 +954,7 @@ esp_output_cb(struct cryptop *crp)
return error;
}
- V_espstat.esps_noxform++;
+ ESPSTAT_INC(esps_noxform);
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -955,14 +962,14 @@ esp_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- V_espstat.esps_crypto++;
+ ESPSTAT_INC(esps_crypto);
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- V_espstat.esps_hist[sav->alg_enc]++;
+ ESPSTAT_INC(esps_hist[sav->alg_enc]);
if (sav->tdb_authalgxform != NULL)
- V_ahstat.ahs_hist[sav->alg_auth]++;
+ AHSTAT_INC(ahs_hist[sav->alg_auth]);
/* Release crypto descriptors. */
free(tc, M_XDATA);
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-23 17:08:19 +0000