diff options
Diffstat (limited to 'freebsd/sys/netipsec/xform_esp.c')
-rw-r--r-- | freebsd/sys/netipsec/xform_esp.c | 95 |
1 files changed, 51 insertions, 44 deletions
diff --git a/freebsd/sys/netipsec/xform_esp.c b/freebsd/sys/netipsec/xform_esp.c index 9d4df589..20790d0d 100644 --- a/freebsd/sys/netipsec/xform_esp.c +++ b/freebsd/sys/netipsec/xform_esp.c @@ -283,9 +283,15 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); - IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0, - ("misaligned packet, skip %u pkt len %u", - skip, m->m_pkthdr.len)); + + /* Valid IP Packet length ? */ + if ( (skip&3) || (m->m_pkthdr.len&3) ){ + DPRINTF(("%s: misaligned packet, skip %u pkt len %u", + __func__, skip, m->m_pkthdr.len)); + ESPSTAT_INC(esps_badilen); + m_freem(m); + return EINVAL; + } /* XXX don't pullup, just copy header */ IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp)); @@ -328,7 +334,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_badilen++; + ESPSTAT_INC(esps_badilen); m_freem(m); return EINVAL; } @@ -339,13 +345,13 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav))); /*XXX*/ - V_espstat.esps_replay++; + ESPSTAT_INC(esps_replay); m_freem(m); return ENOBUFS; /*XXX*/ } /* Update the counters */ - V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen); + ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen)); /* Find out if we've already done crypto */ for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); @@ -364,7 +370,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); m_freem(m); return ENOBUFS; } @@ -379,7 +385,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); m_freem(m); return ENOBUFS; } @@ -447,19 +453,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) return esp_input_cb(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * ESP input callback from the crypto driver. */ @@ -510,7 +503,7 @@ esp_input_cb(struct cryptop *crp) return error; } - V_espstat.esps_noxform++; + ESPSTAT_INC(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -518,12 +511,12 @@ esp_input_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_espstat.esps_hist[sav->alg_enc]++; + ESPSTAT_INC(esps_hist[sav->alg_enc]); /* If authentication was performed, check now. */ if (esph != NULL) { @@ -542,7 +535,7 @@ esp_input_cb(struct cryptop *crp) * the verification for us. Otherwise we need to * check the authentication calculation. */ - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); if (mtag == NULL) { /* Copy the authenticator from the packet */ m_copydata(m, m->m_pkthdr.len - alen, @@ -557,7 +550,7 @@ esp_input_cb(struct cryptop *crp) __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_badauth++; + ESPSTAT_INC(esps_badauth); error = EACCES; goto bad; } @@ -587,7 +580,7 @@ esp_input_cb(struct cryptop *crp) if (ipsec_updatereplay(ntohl(seq), sav)) { DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav))); - V_espstat.esps_replay++; + ESPSTAT_INC(esps_replay); error = ENOBUFS; goto bad; } @@ -602,7 +595,7 @@ esp_input_cb(struct cryptop *crp) /* Remove the ESP header and IV from the mbuf. */ error = m_striphdr(m, skip, hlen); if (error) { - V_espstat.esps_hdrops++; + ESPSTAT_INC(esps_hdrops); DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -614,7 +607,7 @@ esp_input_cb(struct cryptop *crp) /* Verify pad length */ if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { - V_espstat.esps_badilen++; + ESPSTAT_INC(esps_badilen); DPRINTF(("%s: invalid padding length %d for %u byte packet " "in SA %s/%08lx\n", __func__, lastthree[1], m->m_pkthdr.len - skip, @@ -627,7 +620,7 @@ esp_input_cb(struct cryptop *crp) /* Verify correct decryption by checking the last padding bytes */ if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) { if (lastthree[1] != lastthree[0] && lastthree[1] != 0) { - V_espstat.esps_badenc++; + ESPSTAT_INC(esps_badenc); DPRINTF(("%s: decryption failed for packet in " "SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), @@ -643,7 +636,21 @@ esp_input_cb(struct cryptop *crp) /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2); - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error; @@ -721,7 +728,7 @@ esp_output( else alen = 0; - V_espstat.esps_output++; + ESPSTAT_INC(esps_output); saidx = &sav->sah->saidx; /* Check for maximum packet size violations. */ @@ -741,7 +748,7 @@ esp_output( "family %d, SA %s/%08lx\n", __func__, saidx->dst.sa.sa_family, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_nopf++; + ESPSTAT_INC(esps_nopf); error = EPFNOSUPPORT; goto bad; } @@ -750,19 +757,19 @@ esp_output( "(len %u, max len %u)\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi), skip + hlen + rlen + padding + alen, maxpacketsize)); - V_espstat.esps_toobig++; + ESPSTAT_INC(esps_toobig); error = EMSGSIZE; goto bad; } /* Update the counters. */ - V_espstat.esps_obytes += m->m_pkthdr.len - skip; + ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip); m = m_unshare(m, M_NOWAIT); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_hdrops++; + ESPSTAT_INC(esps_hdrops); error = ENOBUFS; goto bad; } @@ -773,7 +780,7 @@ esp_output( DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n", __func__, hlen, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_hdrops++; /* XXX diffs from openbsd */ + ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */ error = ENOBUFS; goto bad; } @@ -837,7 +844,7 @@ esp_output( if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); error = ENOBUFS; goto bad; } @@ -866,7 +873,7 @@ esp_output( if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); error = ENOBUFS; goto bad; } @@ -927,7 +934,7 @@ esp_output_cb(struct cryptop *crp) sav = tc->tc_sav; /* With the isr lock released SA pointer can be updated. */ if (sav != isr->sav) { - V_espstat.esps_notdb++; + ESPSTAT_INC(esps_notdb); DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n", __func__, ipsec_address(&tc->tc_dst), (u_long) ntohl(tc->tc_spi), tc->tc_proto)); @@ -947,7 +954,7 @@ esp_output_cb(struct cryptop *crp) return error; } - V_espstat.esps_noxform++; + ESPSTAT_INC(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -955,14 +962,14 @@ esp_output_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_espstat.esps_hist[sav->alg_enc]++; + ESPSTAT_INC(esps_hist[sav->alg_enc]); if (sav->tdb_authalgxform != NULL) - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); /* Release crypto descriptors. */ free(tc, M_XDATA); |