-/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.58 2021/07/05 12:01:20 tobhe Exp $ */
+/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.59 2021/07/08 15:13:14 bluhm Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
#endif
#ifdef ENCDEBUG
-#define DPRINTF(x) if (encdebug) printf x
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
#define BITMAP_SA (1LL << SADB_EXT_SA)
bzero(headers, (SADB_EXT_MAX + 1) * sizeof(void *));
if (left < sizeof(struct sadb_msg)) {
- DPRINTF(("pfkeyv2_parsemessage: message too short\n"));
+ DPRINTF("message too short");
return (EINVAL);
}
headers[0] = p;
if (sadb_msg->sadb_msg_len * sizeof(uint64_t) != left) {
- DPRINTF(("pfkeyv2_parsemessage: length not a multiple of 64\n"));
+ DPRINTF("length not a multiple of 64");
return (EINVAL);
}
left -= sizeof(struct sadb_msg);
if (sadb_msg->sadb_msg_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: message header reserved "
- "field set\n"));
+ DPRINTF("message header reserved field set");
return (EINVAL);
}
if (sadb_msg->sadb_msg_type > SADB_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: message type > %d\n",
- SADB_MAX));
+ DPRINTF("message type > %d", SADB_MAX);
return (EINVAL);
}
if (!sadb_msg->sadb_msg_type) {
- DPRINTF(("pfkeyv2_parsemessage: message type unset\n"));
+ DPRINTF("message type unset");
return (EINVAL);
}
if (sadb_msg->sadb_msg_pid != curproc->p_p->ps_pid) {
- DPRINTF(("pfkeyv2_parsemessage: bad PID value\n"));
+ DPRINTF("bad PID value");
return (EINVAL);
}
if (sadb_msg->sadb_msg_errno) {
if (left) {
- DPRINTF(("pfkeyv2_parsemessage: too-large error message\n"));
+ DPRINTF("too-large error message");
return (EINVAL);
}
return (0);
}
if (sadb_msg->sadb_msg_type == SADB_X_PROMISC) {
- DPRINTF(("pfkeyv2_parsemessage: message type promiscuous\n"));
+ DPRINTF("message type promiscuous");
return (0);
}
while (left > 0) {
sadb_ext = (struct sadb_ext *)p;
if (left < sizeof(struct sadb_ext)) {
- DPRINTF(("pfkeyv2_parsemessage: extension header too "
- "short\n"));
+ DPRINTF("extension header too short");
return (EINVAL);
}
i = sadb_ext->sadb_ext_len * sizeof(uint64_t);
if (left < i) {
- DPRINTF(("pfkeyv2_parsemessage: extension header "
- "exceeds message length\n"));
+ DPRINTF("extension header exceeds message length");
return (EINVAL);
}
if (sadb_ext->sadb_ext_type > SADB_EXT_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown extension "
- "header %d\n", sadb_ext->sadb_ext_type));
+ DPRINTF("unknown extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (!sadb_ext->sadb_ext_type) {
- DPRINTF(("pfkeyv2_parsemessage: unset extension "
- "header\n"));
+ DPRINTF("unset extension header");
return (EINVAL);
}
if (!(allow & (1LL << sadb_ext->sadb_ext_type))) {
- DPRINTF(("pfkeyv2_parsemessage: extension header %d "
- "not permitted on message type %d\n",
- sadb_ext->sadb_ext_type, sadb_msg->sadb_msg_type));
+ DPRINTF("extension header %d not permitted on message "
+ "type %d",
+ sadb_ext->sadb_ext_type, sadb_msg->sadb_msg_type);
return (EINVAL);
}
if (headers[sadb_ext->sadb_ext_type]) {
- DPRINTF(("pfkeyv2_parsemessage: duplicate extension "
- "header %d\n", sadb_ext->sadb_ext_type));
+ DPRINTF("duplicate extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
struct sadb_sa *sadb_sa = (struct sadb_sa *)p;
if (i != sizeof(struct sadb_sa)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length for SA extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("bad header length for SA extension "
+ "header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_sa->sadb_sa_state > SADB_SASTATE_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown SA "
- "state %d in SA extension header %d\n",
+ DPRINTF("unknown SA state %d in SA extension "
+ "header %d",
sadb_sa->sadb_sa_state,
- sadb_ext->sadb_ext_type));
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_sa->sadb_sa_state == SADB_SASTATE_DEAD) {
- DPRINTF(("pfkeyv2_parsemessage: cannot set SA "
- "state to dead, SA extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("cannot set SA state to dead, "
+ "SA extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_sa->sadb_sa_encrypt > SADB_EALG_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown "
- "encryption algorithm %d in SA extension "
- "header %d\n", sadb_sa->sadb_sa_encrypt,
- sadb_ext->sadb_ext_type));
+ DPRINTF("unknown encryption algorithm %d "
+ "in SA extension header %d",
+ sadb_sa->sadb_sa_encrypt,
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_sa->sadb_sa_auth > SADB_AALG_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown "
- "authentication algorithm %d in SA "
- "extension header %d\n",
+ DPRINTF("unknown authentication algorithm %d "
+ "in SA extension header %d",
sadb_sa->sadb_sa_auth,
- sadb_ext->sadb_ext_type));
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_sa->sadb_sa_replay > 64) {
- DPRINTF(("pfkeyv2_parsemessage: unsupported "
- "replay window size %d in SA extension "
- "header %d\n", sadb_sa->sadb_sa_replay,
- sadb_ext->sadb_ext_type));
+ DPRINTF("unsupported replay window size %d "
+ "in SA extension header %d",
+ sadb_sa->sadb_sa_replay,
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
}
case SADB_X_EXT_FLOW_TYPE:
case SADB_X_EXT_SATYPE2:
if (i != sizeof(struct sadb_protocol)) {
- DPRINTF(("pfkeyv2_parsemessage: bad PROTOCOL/"
- "FLOW/SATYPE2 header length in extension "
- "header %d\n", sadb_ext->sadb_ext_type));
+ DPRINTF("bad PROTOCOL/FLOW/SATYPE2 header "
+ "length in extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
break;
case SADB_X_EXT_POLICY:
if (i != sizeof(struct sadb_x_policy)) {
- DPRINTF(("pfkeyv2_parsemessage: bad POLICY "
- "header length\n"));
+ DPRINTF("bad POLICY header length");
return (EINVAL);
}
break;
case SADB_EXT_LIFETIME_SOFT:
case SADB_X_EXT_LIFETIME_LASTUSE:
if (i != sizeof(struct sadb_lifetime)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length for LIFETIME extension header "
- "%d\n", sadb_ext->sadb_ext_type));
+ DPRINTF("bad header length for LIFETIME "
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
break;
if (i < sizeof(struct sadb_address) +
sizeof(struct sockaddr)) {
- DPRINTF(("pfkeyv2_parsemessage: bad ADDRESS "
- "extension header %d length\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("bad ADDRESS extension header %d "
+ "length",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_address->sadb_address_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: ADDRESS "
- "extension header %d reserved field set\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("ADDRESS extension header %d reserved "
+ "field set",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sa->sa_len &&
(i != sizeof(struct sadb_address) +
PADUP(sa->sa_len))) {
- DPRINTF(("pfkeyv2_parsemessage: bad sockaddr "
- "length field in ADDRESS extension "
- "header %d\n", sadb_ext->sadb_ext_type));
+ DPRINTF("bad sockaddr length field in ADDRESS "
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
case AF_INET:
if (sizeof(struct sadb_address) +
PADUP(sizeof(struct sockaddr_in)) != i) {
- DPRINTF(("pfkeyv2_parsemessage: "
- "invalid ADDRESS extension header "
- "%d length\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("invalid ADDRESS extension "
+ "header %d length",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sa->sa_len != sizeof(struct sockaddr_in)) {
- DPRINTF(("pfkeyv2_parsemessage: bad "
- "sockaddr_in length in ADDRESS "
- "extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("bad sockaddr_in length in "
+ "ADDRESS extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
default:
if (((struct sockaddr_in *)sa)->sin_port) {
- DPRINTF(("pfkeyv2_parsemessage"
- ": port field set in "
+ DPRINTF("port field set in "
"sockaddr_in of ADDRESS "
- "extension header %d\n",
- sadb_ext->sadb_ext_type));
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
break;
bzero(zero, sizeof(zero));
if (bcmp(&((struct sockaddr_in *)sa)->sin_zero, zero, sizeof(zero))) {
- DPRINTF(("pfkeyv2_parsemessage"
- ": reserved sockaddr_in "
+ DPRINTF("reserved sockaddr_in "
"field non-zero'ed in "
"ADDRESS extension header "
- "%d\n",
- sadb_ext->sadb_ext_type));
+ "%d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
}
case AF_INET6:
if (i != sizeof(struct sadb_address) +
PADUP(sizeof(struct sockaddr_in6))) {
- DPRINTF(("pfkeyv2_parsemessage: "
- "invalid sockaddr_in6 length in "
- "ADDRESS extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("invalid sockaddr_in6 length "
+ "in ADDRESS extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sa->sa_len !=
sizeof(struct sockaddr_in6)) {
- DPRINTF(("pfkeyv2_parsemessage: bad "
- "sockaddr_in6 length in ADDRESS "
- "extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("bad sockaddr_in6 length in "
+ "ADDRESS extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (((struct sockaddr_in6 *)sa)->sin6_flowinfo) {
- DPRINTF(("pfkeyv2_parsemessage: "
- "flowinfo field set in "
+ DPRINTF("flowinfo field set in "
"sockaddr_in6 of ADDRESS "
- "extension header %d\n",
- sadb_ext->sadb_ext_type));
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
default:
if (((struct sockaddr_in6 *)sa)->sin6_port) {
- DPRINTF(("pfkeyv2_parsemessage"
- ": port field set in "
+ DPRINTF("port field set in "
"sockaddr_in6 of ADDRESS "
- "extension header %d\n",
- sadb_ext->sadb_ext_type));
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
break;
SADB_X_SATYPE_TCPSIGNATURE &&
sa->sa_family == 0)
break;
- DPRINTF(("pfkeyv2_parsemessage: unknown "
- "address family %d in ADDRESS extension "
- "header %d\n",
- sa->sa_family, sadb_ext->sadb_ext_type));
+ DPRINTF("unknown address family %d in ADDRESS "
+ "extension header %d",
+ sa->sa_family, sadb_ext->sadb_ext_type);
return (EINVAL);
}
}
struct sadb_key *sadb_key = (struct sadb_key *)p;
if (i < sizeof(struct sadb_key)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length in KEY extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("bad header length in KEY extension "
+ "header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (!sadb_key->sadb_key_bits) {
- DPRINTF(("pfkeyv2_parsemessage: key length "
- "unset in KEY extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("key length unset in KEY extension "
+ "header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (((sadb_key->sadb_key_bits + 63) / 64) * sizeof(uint64_t) != i - sizeof(struct sadb_key)) {
- DPRINTF(("pfkeyv2_parsemessage: invalid key "
- "length in KEY extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("invalid key length in KEY extension "
+ "header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_key->sadb_key_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved field"
- " set in KEY extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("reserved field set in KEY extension "
+ "header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
}
struct sadb_ident *sadb_ident = (struct sadb_ident *)p;
if (i < sizeof(struct sadb_ident)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length of IDENTITY extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("bad header length of IDENTITY "
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_ident->sadb_ident_type > SADB_IDENTTYPE_MAX) {
- DPRINTF(("pfkeyv2_parsemessage: unknown "
- "identity type %d in IDENTITY extension "
- "header %d\n",
+ DPRINTF("unknown identity type %d in IDENTITY "
+ "extension header %d",
sadb_ident->sadb_ident_type,
- sadb_ext->sadb_ext_type));
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_ident->sadb_ident_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved "
- "field set in IDENTITY extension header "
- "%d\n", sadb_ext->sadb_ext_type));
+ DPRINTF("reserved field set in IDENTITY "
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
int j;
if (*(char *)(p + i - 1)) {
- DPRINTF(("pfkeyv2_parsemessage: non "
- "NUL-terminated identity in "
- "IDENTITY extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("non NUL-terminated identity "
+ "in IDENTITY extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
sizeof(struct sadb_ident);
if (i != j) {
- DPRINTF(("pfkeyv2_parsemessage: actual"
- " identity length does not match "
- "expected length in identity "
- "extension header %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("actual identity length does "
+ "not match expected length in "
+ "identity extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
}
struct sadb_sens *sadb_sens = (struct sadb_sens *)p;
if (i < sizeof(struct sadb_sens)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length for SENSITIVITY extension "
- "header\n"));
+ DPRINTF("bad header length for SENSITIVITY "
+ "extension header");
return (EINVAL);
}
sadb_sens->sadb_sens_integ_len) *
sizeof(uint64_t) +
sizeof(struct sadb_sens)) {
- DPRINTF(("pfkeyv2_parsemessage: bad payload "
- "length for SENSITIVITY extension "
- "header\n"));
+ DPRINTF("bad payload length for SENSITIVITY "
+ "extension header");
return (EINVAL);
}
}
struct sadb_prop *sadb_prop = (struct sadb_prop *)p;
if (i < sizeof(struct sadb_prop)) {
- DPRINTF(("pfkeyv2_parsemessage: bad PROPOSAL "
- "header length\n"));
+ DPRINTF("bad PROPOSAL header length");
return (EINVAL);
}
if (sadb_prop->sadb_prop_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved field"
- "set in PROPOSAL extension header\n"));
+ DPRINTF("reserved fieldset in PROPOSAL "
+ "extension header");
return (EINVAL);
}
if ((i - sizeof(struct sadb_prop)) %
sizeof(struct sadb_comb)) {
- DPRINTF(("pfkeyv2_parsemessage: bad proposal "
- "length\n"));
+ DPRINTF("bad proposal length");
return (EINVAL);
}
j++) {
if (sadb_comb->sadb_comb_auth >
SADB_AALG_MAX) {
- DPRINTF(("pfkeyv2_parsemessage"
- ": unknown authentication "
- "algorithm %d in "
- "PROPOSAL\n",
- sadb_comb->sadb_comb_auth));
+ DPRINTF("unknown "
+ "authentication algorithm "
+ "%d in PROPOSAL",
+ sadb_comb->sadb_comb_auth);
return (EINVAL);
}
if (sadb_comb->sadb_comb_encrypt >
SADB_EALG_MAX) {
- DPRINTF(("pfkeyv2_parsemessage"
- ": unknown encryption "
- "algorithm %d in "
- "PROPOSAL\n",
- sadb_comb->sadb_comb_encrypt));
+ DPRINTF("unknown encryption "
+ "algorithm %d in PROPOSAL",
+ sadb_comb->
+ sadb_comb_encrypt);
return (EINVAL);
}
if (sadb_comb->sadb_comb_reserved) {
- DPRINTF(("pfkeyv2_parsemessage"
- ": reserved field set in "
- "COMB header\n"));
+ DPRINTF("reserved field set "
+ "in COMB header");
return (EINVAL);
}
}
int j;
if (i < sizeof(struct sadb_supported)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length for SUPPORTED extension header "
- "%d\n", sadb_ext->sadb_ext_type));
+ DPRINTF("bad header length for SUPPORTED " "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_supported->sadb_supported_reserved) {
- DPRINTF(("pfkeyv2_parsemessage: reserved "
- "field set in SUPPORTED extension "
- "header %d\n", sadb_ext->sadb_ext_type));
+ DPRINTF("reserved field set in SUPPORTED "
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
j < sadb_supported->sadb_supported_len - 1;
j++) {
if (sadb_alg->sadb_alg_id > max_alg) {
- DPRINTF(("pfkeyv2_parsemessage"
- ": unknown algorithm %d "
+ DPRINTF("unknown algorithm %d "
"in SUPPORTED extension "
- "header %d\n",
+ "header %d",
sadb_alg->sadb_alg_id,
- sadb_ext->sadb_ext_type));
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
if (sadb_alg->sadb_alg_reserved) {
- DPRINTF(("pfkeyv2_parsemessage"
- ": reserved field set in "
- "supported algorithms "
+ DPRINTF("reserved field set "
+ "in supported algorithms "
"header inside SUPPORTED "
- "extension header %d\n",
- sadb_ext->sadb_ext_type));
+ "extension header %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
(struct sadb_spirange *)p;
if (i != sizeof(struct sadb_spirange)) {
- DPRINTF(("pfkeyv2_parsemessage: bad header "
- "length of SPIRANGE extension header\n"));
+ DPRINTF("bad header length of SPIRANGE "
+ "extension header");
return (EINVAL);
}
if (sadb_spirange->sadb_spirange_min >
sadb_spirange->sadb_spirange_max) {
- DPRINTF(("pfkeyv2_parsemessage: bad SPI "
- "range\n"));
+ DPRINTF("bad SPI range");
return (EINVAL);
}
}
break;
case SADB_X_EXT_UDPENCAP:
if (i != sizeof(struct sadb_x_udpencap)) {
- DPRINTF(("pfkeyv2_parsemessage: bad UDPENCAP "
- "header length\n"));
+ DPRINTF("bad UDPENCAP header length");
return (EINVAL);
}
break;
case SADB_X_EXT_RDOMAIN:
if (i != sizeof(struct sadb_x_rdomain)) {
- DPRINTF(("pfkeyv2_parsemessage: bad RDOMAIN "
- "header length\n"));
+ DPRINTF("bad RDOMAIN header length");
return (EINVAL);
}
break;
#if NPF > 0
case SADB_X_EXT_TAG:
if (i < sizeof(struct sadb_x_tag)) {
- DPRINTF(("pfkeyv2_parsemessage: "
- "TAG extension header too small"));
+ DPRINTF("TAG extension header too small");
return (EINVAL);
}
if (i > (sizeof(struct sadb_x_tag) +
PF_TAG_NAME_SIZE)) {
- DPRINTF(("pfkeyv2_parsemessage: "
- "TAG extension header too long"));
+ DPRINTF("TAG extension header too long");
return (EINVAL);
}
break;
case SADB_X_EXT_TAP:
if (i < sizeof(struct sadb_x_tap)) {
- DPRINTF(("pfkeyv2_parsemessage: "
- "TAP extension header too small"));
+ DPRINTF("TAP extension header too small");
return (EINVAL);
}
if (i > sizeof(struct sadb_x_tap)) {
- DPRINTF(("pfkeyv2_parsemessage: "
- "TAP extension header too long"));
+ DPRINTF("TAP extension header too long");
return (EINVAL);
}
break;
#endif
default:
- DPRINTF(("pfkeyv2_parsemessage: unknown extension "
- "header type %d\n",
- sadb_ext->sadb_ext_type));
+ DPRINTF("unknown extension header type %d",
+ sadb_ext->sadb_ext_type);
return (EINVAL);
}
}
if (left) {
- DPRINTF(("pfkeyv2_parsemessage: message too long\n"));
+ DPRINTF("message too long");
return (EINVAL);
}
required = sadb_exts_required_in[sadb_msg->sadb_msg_type];
if ((seen & required) != required) {
- DPRINTF(("pfkeyv2_parsemessage: required fields "
- "missing\n"));
+ DPRINTF("required fields missing");
return (EINVAL);
}
}
case SADB_UPDATE:
if (((struct sadb_sa *)headers[SADB_EXT_SA])->sadb_sa_state !=
SADB_SASTATE_MATURE) {
- DPRINTF(("pfkeyv2_parsemessage: updating non-mature "
- "SA prohibited\n"));
+ DPRINTF("updating non-mature SA prohibited");
return (EINVAL);
}
break;
case SADB_ADD:
if (((struct sadb_sa *)headers[SADB_EXT_SA])->sadb_sa_state !=
SADB_SASTATE_MATURE) {
- DPRINTF(("pfkeyv2_parsemessage: adding non-mature "
- "SA prohibited\n"));
+ DPRINTF("adding non-mature SA prohibited");
return (EINVAL);
}
break;
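Review bot: The converted message in the `sadb_prop_reserved` check reads `"reserved fieldset in PROPOSAL "`, which carries over the missing space from the old split literal; it should be `DPRINTF("reserved field set in PROPOSAL extension header");`. The SUPPORTED header-length check also leaves two adjacent literals on one line (`"bad header length for SUPPORTED " "extension header %d"`), which can be merged into a single string. The `sadb_msg_len * sizeof(uint64_t) != left` check still logs `length not a multiple of 64`, although the condition compares the declared length with the received length; `DPRINTF("message length does not match header");` would describe the rejected input more accurately. These strings are the only trace of why a PF_KEY message was refused, so they are worth getting right. The parser body starts and ends outside the visible lines.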
-/* $OpenBSD: ip_ah.c,v 1.148 2021/07/08 09:22:30 bluhm Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.149 2021/07/08 15:13:14 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
#include "bpfilter.h"
#ifdef ENCDEBUG
-#define DPRINTF(x) if (encdebug) printf x
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
int ah_massage_headers(struct mbuf **, int, int, int, int);
break;
default:
- DPRINTF(("%s: unsupported authentication algorithm %d"
- " specified\n", __func__, ii->ii_authalg));
+ DPRINTF("unsupported authentication algorithm %d specified",
+ ii->ii_authalg);
return EINVAL;
}
if (ii->ii_authkeylen != thash->keysize && thash->keysize != 0) {
- DPRINTF(("ah_init(): keylength %d doesn't match algorithm "
- "%s keysize (%d)\n", ii->ii_authkeylen, thash->name,
- thash->keysize));
+ DPRINTF("keylength %d doesn't match algorithm %s keysize (%d)",
+ ii->ii_authkeylen, thash->name, thash->keysize);
return EINVAL;
}
tdbp->tdb_authalgxform = thash;
tdbp->tdb_rpl = AH_HMAC_INITIAL_RPL;
- DPRINTF(("%s: initialized TDB with hash algorithm %s\n", __func__,
- thash->name));
+ DPRINTF("initialized TDB with hash algorithm %s", thash->name);
tdbp->tdb_amxkeylen = ii->ii_authkeylen;
tdbp->tdb_amxkey = malloc(tdbp->tdb_amxkeylen, M_XDATA, M_WAITOK);
*/
*m0 = m = m_pullup(m, skip);
if (m == NULL) {
- DPRINTF(("%s: m_pullup() failed\n", __func__));
+ DPRINTF("m_pullup() failed");
ahstat_inc(ahs_hdrops);
return ENOBUFS;
}
for (off = sizeof(struct ip); off < skip;) {
if (ptr[off] != IPOPT_EOL && ptr[off] != IPOPT_NOP &&
off + 1 >= skip) {
- DPRINTF(("%s: illegal IPv4 option length for"
- " option %d\n", __func__, ptr[off]));
-
+ DPRINTF("illegal IPv4 option length "
+ "for option %d",
+ ptr[off]);
ahstat_inc(ahs_hdrops);
m_freem(m);
return EINVAL;
case 0x95: /* RFC1770 */
/* Sanity check for option length. */
if (ptr[off + 1] < 2) {
- DPRINTF(("%s: illegal IPv4 option"
- " length for option %d\n", __func__,
- ptr[off]));
-
+ DPRINTF("illegal IPv4 option length "
+ "for option %d",
+ ptr[off]);
ahstat_inc(ahs_hdrops);
m_freem(m);
return EINVAL;
case IPOPT_SSRR:
/* Sanity check for option length. */
if (ptr[off + 1] < 2) {
- DPRINTF(("%s: illegal IPv4 option"
- " length for option %d\n", __func__,
- ptr[off]));
-
+ DPRINTF("illegal IPv4 option length "
+ "for option %d",
+ ptr[off]);
ahstat_inc(ahs_hdrops);
m_freem(m);
return EINVAL;
default:
/* Sanity check for option length. */
if (ptr[off + 1] < 2) {
- DPRINTF(("%s: illegal IPv4 option"
- " length for option %d\n", __func__,
- ptr[off]));
+ DPRINTF("illegal IPv4 option length "
+ "for option %d",
+ ptr[off]);
ahstat_inc(ahs_hdrops);
m_freem(m);
return EINVAL;
/* Sanity check. */
if (off > skip) {
- DPRINTF(("%s: malformed IPv4 options header\n",
- __func__));
-
+ DPRINTF("malformed IPv4 options header");
ahstat_inc(ahs_hdrops);
m_freem(m);
return EINVAL;
/* We don't do IPv6 Jumbograms. */
if (ip6.ip6_plen == 0) {
- DPRINTF(("%s: unsupported IPv6 jumbogram", __func__));
+ DPRINTF("unsupported IPv6 jumbogram");
ahstat_inc(ahs_hdrops);
m_freem(m);
return EMSGSIZE;
error = m_copyback(m, 0, sizeof(struct ip6_hdr), &ip6,
M_NOWAIT);
if (error) {
- DPRINTF(("%s: m_copyback no memory", __func__));
+ DPRINTF("m_copyback no memory");
ahstat_inc(ahs_hdrops);
m_freem(m);
return error;
ptr = malloc(skip - sizeof(struct ip6_hdr),
M_XDATA, M_NOWAIT);
if (ptr == NULL) {
- DPRINTF(("%s: failed to allocate memory"
- " for IPv6 headers\n", __func__));
+ DPRINTF("failed to allocate "
+ "memory for IPv6 headers");
ahstat_inc(ahs_hdrops);
m_freem(m);
return ENOBUFS;
}
default:
- DPRINTF(("%s: unexpected IPv6 header type %d\n",
- __func__, off));
+ DPRINTF("unexpected IPv6 header type %d", off);
error6:
if (alloc)
free(ptr, M_XDATA, 0);
case 0: /* All's well. */
break;
case 1:
- DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("replay counter wrapped for SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_wrap);
error = ENOBUFS;
goto drop;
case 2:
- DPRINTF(("%s: old packet received in SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("old packet received in SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
error = ENOBUFS;
goto drop;
case 3:
- DPRINTF(("%s: duplicate packet received in SA "
- "%s/%08x\n", __func__,
- ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("duplicate packet received in SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
error = ENOBUFS;
goto drop;
default:
- DPRINTF(("%s: bogus value from "
- "checkreplaywindow() in SA %s/%08x\n", __func__,
+ DPRINTF("bogus value from checkreplaywindow() "
+ "in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
error = ENOBUFS;
goto drop;
/* Verify AH header length. */
if (hl * sizeof(u_int32_t) != ahx->authsize + rplen - AH_FLENGTH) {
- DPRINTF(("%s: bad authenticator length %ld for packet "
- "in SA %s/%08x\n", __func__, hl * sizeof(u_int32_t),
+ DPRINTF("bad authenticator length %ld for packet in SA %s/%08x",
+ hl * sizeof(u_int32_t),
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_badauthl);
error = EACCES;
goto drop;
}
if (skip + ahx->authsize + rplen > m->m_pkthdr.len) {
- DPRINTF(("%s: bad mbuf length %d (expecting %d) "
- "for packet in SA %s/%08x\n", __func__,
+ DPRINTF("bad mbuf length %d (expecting %d) for packet "
+ "in SA %s/%08x",
m->m_pkthdr.len, skip + ahx->authsize + rplen,
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_badauthl);
error = EACCES;
goto drop;
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
- DPRINTF(("%s: failed to acquire crypto descriptors\n",
- __func__));
+ DPRINTF("failed to acquire crypto descriptors");
ahstat_inc(ahs_crypto);
error = ENOBUFS;
goto drop;
tc = malloc(sizeof(*tc) + skip + rplen + ahx->authsize, M_XDATA,
M_NOWAIT | M_ZERO);
if (tc == NULL) {
- DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
+ DPRINTF("failed to allocate tdb_crypto");
ahstat_inc(ahs_crypto);
error = ENOBUFS;
goto drop;
/* Verify authenticator. */
if (timingsafe_bcmp(ptr + skip + rplen, calc, ahx->authsize)) {
- DPRINTF(("%s: authentication failed for packet in SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
-
+ DPRINTF("authentication failed for packet in SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_badauth);
goto baddone;
}
#endif
break;
case 1:
- DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("replay counter wrapped for SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_wrap);
goto baddone;
case 2:
- DPRINTF(("%s: old packet received in SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("old packet received in SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
goto baddone;
case 3:
- DPRINTF(("%s): duplicate packet received in "
- "SA %s/%08x\n", __func__,
- ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("duplicate packet received in SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
goto baddone;
default:
- DPRINTF(("%s: bogus value from "
- "checkreplaywindow() in SA %s/%08x\n", __func__,
+ DPRINTF("bogus value from checkreplaywindow() "
+ "in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
goto baddone;
}
/* Record the beginning of the AH header. */
m1 = m_getptr(m, skip, &roff);
if (m1 == NULL) {
- DPRINTF(("%s: bad mbuf chain for packet in SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ DPRINTF("bad mbuf chain for packet in SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_hdrops);
goto baddone;
}
* manual) keying.
*/
if ((tdb->tdb_rpl == 0) && (tdb->tdb_wnd > 0)) {
- DPRINTF(("%s: SA %s/%08x should have expired\n", __func__,
+ DPRINTF("SA %s/%08x should have expired",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_wrap);
error = EINVAL;
goto drop;
case AF_INET:
/* Check for IP maximum packet size violations. */
if (rplen + ahx->authsize + m->m_pkthdr.len > IP_MAXPACKET) {
- DPRINTF(("%s: packet in SA %s/%08x got too big\n",
- __func__,
+ DPRINTF("packet in SA %s/%08x got too big",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_toobig);
error = EMSGSIZE;
goto drop;
case AF_INET6:
/* Check for IPv6 maximum packet size violations. */
if (rplen + ahx->authsize + m->m_pkthdr.len > IPV6_MAXPACKET) {
- DPRINTF(("%s: packet in SA %s/%08x got too big\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("packet in SA %s/%08x got too big",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_toobig);
error = EMSGSIZE;
goto drop;
#endif /* INET6 */
default:
- DPRINTF(("%s: unknown/unsupported protocol family %d, "
- "SA %s/%08x\n", __func__, tdb->tdb_dst.sa.sa_family,
+ DPRINTF("unknown/unsupported protocol family %d, SA %s/%08x",
+ tdb->tdb_dst.sa.sa_family,
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_nopf);
error = EPFNOSUPPORT;
goto drop;
/* Inject AH header. */
mi = m_makespace(m, skip, rplen + ahx->authsize, &roff);
if (mi == NULL) {
- DPRINTF(("%s: failed to inject AH header for SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ DPRINTF("failed to inject AH header for SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ahstat_inc(ahs_hdrops);
error = ENOBUFS;
goto drop;
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
- DPRINTF(("%s: failed to acquire crypto descriptors\n",
- __func__));
+ DPRINTF("failed to acquire crypto descriptors");
ahstat_inc(ahs_crypto);
error = ENOBUFS;
goto drop;
/* Allocate IPsec-specific opaque crypto info. */
tc = malloc(sizeof(*tc) + skip, M_XDATA, M_NOWAIT | M_ZERO);
if (tc == NULL) {
- DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
+ DPRINTF("failed to allocate tdb_crypto");
ahstat_inc(ahs_crypto);
error = ENOBUFS;
goto drop;
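Review bot: In the "Verify AH header length" check, `hl * sizeof(u_int32_t)` has type `size_t` but is still printed with `%ld`; the format should be `%zu`, i.e. `DPRINTF("bad authenticator length %zu for packet in SA %s/%08x",`. Such a mismatch goes unnoticed because the non-ENCDEBUG `DPRINTF` expands to `do { } while (0)` and discards its arguments, so none of these format strings is type-checked in a build without ENCDEBUG. Keeping the call in a dead branch, for example `do { if (0) printf(fmt, ## args); } while (0)`, would let format warnings catch this, provided every argument (such as `buf`) is still declared in that configuration, which cannot be confirmed from the lines shown. The same macro pair is added in pfkeyv2_parsemessage.c and ip_esp.c. The enclosing functions start and end outside the visible lines.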
-/* $OpenBSD: ip_esp.c,v 1.165 2021/07/08 09:22:30 bluhm Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.166 2021/07/08 15:13:14 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
#include "bpfilter.h"
#ifdef ENCDEBUG
-#define DPRINTF(x) if (encdebug) printf x
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
/*
int error;
if (!ii->ii_encalg && !ii->ii_authalg) {
- DPRINTF(("esp_init(): neither authentication nor encryption "
- "algorithm given"));
+ DPRINTF("neither authentication nor encryption algorithm "
+ "given");
return EINVAL;
}
break;
default:
- DPRINTF(("esp_init(): unsupported encryption "
- "algorithm %d specified\n", ii->ii_encalg));
+ DPRINTF("unsupported encryption algorithm %d "
+ "specified",
+ ii->ii_encalg);
return EINVAL;
}
if (ii->ii_enckeylen < txform->minkey) {
- DPRINTF(("esp_init(): keylength %d too small "
- "(min length is %d) for algorithm %s\n",
- ii->ii_enckeylen, txform->minkey, txform->name));
+ DPRINTF("keylength %d too small (min length is %d) "
+ "for algorithm %s",
+ ii->ii_enckeylen, txform->minkey, txform->name);
return EINVAL;
}
if (ii->ii_enckeylen > txform->maxkey) {
- DPRINTF(("esp_init(): keylength %d too large "
- "(max length is %d) for algorithm %s\n",
- ii->ii_enckeylen, txform->maxkey, txform->name));
+ DPRINTF("keylength %d too large (max length is %d) "
+ "for algorithm %s",
+ ii->ii_enckeylen, txform->maxkey, txform->name);
return EINVAL;
}
tdbp->tdb_encalgxform = txform;
- DPRINTF(("esp_init(): initialized TDB with enc algorithm %s\n",
- txform->name));
+ DPRINTF("initialized TDB with enc algorithm %s", txform->name);
tdbp->tdb_ivlen = txform->ivsize;
}
break;
default:
- DPRINTF(("esp_init(): unsupported authentication "
- "algorithm %d specified\n", ii->ii_authalg));
+ DPRINTF("unsupported authentication algorithm %d "
+ "specified",
+ ii->ii_authalg);
return EINVAL;
}
if (ii->ii_authkeylen != thash->keysize) {
- DPRINTF(("esp_init(): keylength %d doesn't match "
- "algorithm %s keysize (%d)\n", ii->ii_authkeylen,
- thash->name, thash->keysize));
+ DPRINTF("keylength %d doesn't match algorithm %s "
+ "keysize (%d)",
+ ii->ii_authkeylen, thash->name, thash->keysize);
return EINVAL;
}
tdbp->tdb_authalgxform = thash;
- DPRINTF(("esp_init(): initialized TDB with hash algorithm %s\n",
- thash->name));
+ DPRINTF("initialized TDB with hash algorithm %s", thash->name);
}
tdbp->tdb_xform = xsp;
alen = esph ? esph->authsize : 0;
plen = m->m_pkthdr.len - (skip + hlen + alen);
if (plen <= 0) {
- DPRINTF(("%s: invalid payload length\n", __func__));
+ DPRINTF("invalid payload length");
espstat_inc(esps_badilen);
error = EINVAL;
goto drop;
* block size.
*/
if (plen & (espx->blocksize - 1)) {
- DPRINTF(("%s: payload of %d octets not a multiple of %d"
- " octets, SA %s/%08x\n", __func__,
- plen, espx->blocksize, ipsp_address(&tdb->tdb_dst,
- buf, sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("payload of %d octets not a multiple "
+ "of %d octets, SA %s/%08x",
+ plen, espx->blocksize,
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_badilen);
error = EINVAL;
goto drop;
case 0: /* All's well */
break;
case 1:
- DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n",
- __func__,
+ DPRINTF("replay counter wrapped for SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_wrap);
error = EACCES;
goto drop;
case 2:
- DPRINTF(("%s: old packet received in SA %s/%08x\n",
- __func__,
+ DPRINTF("old packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
error = EACCES;
goto drop;
case 3:
- DPRINTF(("%s: duplicate packet received"
- " in SA %s/%08x\n", __func__,
+ DPRINTF("duplicate packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
error = EACCES;
goto drop;
default:
- DPRINTF(("%s: bogus value from"
- " checkreplaywindow() in SA %s/%08x\n",
- __func__,
+ DPRINTF("bogus value from checkreplaywindow() "
+ "in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
error = EACCES;
goto drop;
/* Get crypto descriptors */
crp = crypto_getreq(esph && espx ? 2 : 1);
if (crp == NULL) {
- DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__));
+ DPRINTF("failed to acquire crypto descriptors");
espstat_inc(esps_crypto);
error = ENOBUFS;
goto drop;
else
tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO);
if (tc == NULL) {
- DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
+ DPRINTF("failed to allocate tdb_crypto");
espstat_inc(esps_crypto);
error = ENOBUFS;
goto drop;
/* Verify authenticator */
if (timingsafe_bcmp(ptr, aalg, esph->authsize)) {
- DPRINTF(("%s: authentication "
- "failed for packet in SA %s/%08x\n", __func__,
- ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("authentication failed for packet "
+ "in SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_badauth);
goto baddone;
}
break;
case 1:
- DPRINTF(("%s: replay counter wrapped for SA %s/%08x\n",
- __func__,
+ DPRINTF("replay counter wrapped for SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_wrap);
goto baddone;
case 2:
- DPRINTF(("%s: old packet received in SA %s/%08x\n",
- __func__,
+ DPRINTF("old packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
goto baddone;
case 3:
- DPRINTF(("%s: duplicate packet received"
- " in SA %s/%08x\n", __func__,
+ DPRINTF("duplicate packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
goto baddone;
default:
- DPRINTF(("%s: bogus value from"
- " checkreplaywindow() in SA %s/%08x\n", __func__,
+ DPRINTF("bogus value from checkreplaywindow() "
+ "in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
goto baddone;
}
/* Find beginning of ESP header */
m1 = m_getptr(m, skip, &roff);
if (m1 == NULL) {
- DPRINTF(("%s: bad mbuf chain, SA %s/%08x\n", __func__,
+ DPRINTF("bad mbuf chain, SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_hdrops);
goto baddone;
}
/* Verify pad length */
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
- DPRINTF(("%s: invalid padding length %d for packet in "
- "SA %s/%08x\n", __func__, lastthree[1],
+ DPRINTF("invalid padding length %d for packet in SA %s/%08x",
+ lastthree[1],
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_badilen);
goto baddone;
}
/* Verify correct decryption by checking the last padding bytes */
if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) {
- DPRINTF(("%s: decryption failed for packet in SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("decryption failed for packet in SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_badenc);
goto baddone;
}
case AF_INET:
/* Check for IP maximum packet size violations. */
if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) {
- DPRINTF(("%s: packet in SA %s/%08x got too big\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ DPRINTF("packet in SA %s/%08x got too big",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_toobig);
error = EMSGSIZE;
goto drop;
case AF_INET6:
/* Check for IPv6 maximum packet size violations. */
if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) {
- DPRINTF(("%s: packet in SA %s/%08x got too big\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("acket in SA %s/%08x got too big",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_toobig);
error = EMSGSIZE;
goto drop;
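Review bot: The rewritten message in the AF_INET6 size check reads `"acket in SA %s/%08x got too big"`; the leading `p` was lost when the `%s: ` prefix was removed, and the line should be `DPRINTF("packet in SA %s/%08x got too big",`. The same slip appears in ip_ipcomp.c (`"ailed to inject IPCOMP header for IPCA %s/%08x"`, which should start with `failed`) and in ip_ipsp.c (`"psec_ids_next_flow exhausted %u"`, which should start with `ipsec_ids_next_flow`). Anyone matching debug output against these strings will miss the events, so they are worth correcting in this commit. The enclosing function starts and ends outside this hunk.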
#endif /* INET6 */
default:
- DPRINTF(("%s: unknown/unsupported protocol family %d, "
- "SA %s/%08x\n", __func__, tdb->tdb_dst.sa.sa_family,
+ DPRINTF("unknown/unsupported protocol family %d, SA %s/%08x",
+ tdb->tdb_dst.sa.sa_family,
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_nopf);
error = EPFNOSUPPORT;
goto drop;
struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT);
if (n == NULL) {
- DPRINTF(("%s: bad mbuf chain, SA %s/%08x\n", __func__,
+ DPRINTF("bad mbuf chain, SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_hdrops);
error = ENOBUFS;
goto drop;
/* Inject ESP header. */
mo = m_makespace(m, skip, hlen, &roff);
if (mo == NULL) {
- DPRINTF(("%s: failed to inject ESP header for SA %s/%08x\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("failed to inject ESP header for SA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_hdrops);
error = ENOBUFS;
goto drop;
*/
mo = m_makespace(m, m->m_pkthdr.len, padding + alen, &roff);
if (mo == NULL) {
- DPRINTF(("%s: m_makespace() failed for SA %s/%08x\n", __func__,
+ DPRINTF("m_makespace() failed for SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
espstat_inc(esps_hdrops);
error = ENOBUFS;
goto drop;
/* Get crypto descriptors. */
crp = crypto_getreq(esph && espx ? 2 : 1);
if (crp == NULL) {
- DPRINTF(("%s: failed to acquire crypto descriptors\n",
- __func__));
+ DPRINTF("failed to acquire crypto descriptors");
espstat_inc(esps_crypto);
error = ENOBUFS;
goto drop;
/* IPsec-specific opaque crypto info. */
tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
if (tc == NULL) {
- DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
+ DPRINTF("failed to allocate tdb_crypto");
espstat_inc(esps_crypto);
error = ENOBUFS;
goto drop;
-/* $OpenBSD: ip_ipcomp.c,v 1.69 2021/07/08 09:22:30 bluhm Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.70 2021/07/08 15:13:14 bluhm Exp $ */
/*
* Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
#include "bpfilter.h"
#ifdef ENCDEBUG
-#define DPRINTF(x) if (encdebug) printf x
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
/*
break;
default:
- DPRINTF(("%s: unsupported compression algorithm %d specified\n",
- __func__, ii->ii_compalg));
+ DPRINTF("unsupported compression algorithm %d specified",
+ ii->ii_compalg);
return EINVAL;
}
tdbp->tdb_compalgxform = tcomp;
- DPRINTF(("%s: initialized TDB with ipcomp algorithm %s\n", __func__,
- tcomp->name));
+ DPRINTF("initialized TDB with ipcomp algorithm %s", tcomp->name);
tdbp->tdb_xform = xsp;
crp = crypto_getreq(1);
if (crp == NULL) {
m_freem(m);
- DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__));
+ DPRINTF("failed to acquire crypto descriptors");
ipcompstat_inc(ipcomps_crypto);
return ENOBUFS;
}
if (tc == NULL) {
m_freem(m);
crypto_freereq(crp);
- DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
+ DPRINTF("failed to allocate tdb_crypto");
ipcompstat_inc(ipcomps_crypto);
return ENOBUFS;
}
/* Find the beginning of the IPCOMP header */
m1 = m_getptr(m, skip, &roff);
if (m1 == NULL) {
- DPRINTF(("%s: bad mbuf chain, IPCA %s/%08x\n", __func__,
+ DPRINTF("bad mbuf chain, IPCA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_hdrops);
goto baddone;
}
* worry
*/
if (m->m_pkthdr.len + hlen > IP_MAXPACKET) {
- DPRINTF(("%s: packet in IPCA %s/%08x got too big\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("packet in IPCA %s/%08x got too big",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_toobig);
error = EMSGSIZE;
goto drop;
case AF_INET6:
/* Check for IPv6 maximum packet size violations */
if (m->m_pkthdr.len + hlen > IPV6_MAXPACKET) {
- DPRINTF(("%s: packet in IPCA %s/%08x got too big\n",
- __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("packet in IPCA %s/%08x got too big",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_toobig);
error = EMSGSIZE;
goto drop;
#endif /* INET6 */
default:
- DPRINTF(("%s: unknown/unsupported protocol family %d, "
- "IPCA %s/%08x\n", __func__, tdb->tdb_dst.sa.sa_family,
+ DPRINTF("unknown/unsupported protocol family %d, IPCA %s/%08x",
+ tdb->tdb_dst.sa.sa_family,
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_nopf);
error = EPFNOSUPPORT;
goto drop;
struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT);
if (n == NULL) {
- DPRINTF(("%s: bad mbuf chain, IPCA %s/%08x\n", __func__,
+ DPRINTF("bad mbuf chain, IPCA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_hdrops);
error = ENOBUFS;
goto drop;
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
- DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__));
+ DPRINTF("failed to acquire crypto descriptors");
ipcompstat_inc(ipcomps_crypto);
error = ENOBUFS;
goto drop;
/* IPsec-specific opaque crypto info */
tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
if (tc == NULL) {
- DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
+ DPRINTF("failed to allocate tdb_crypto");
ipcompstat_inc(ipcomps_crypto);
error = ENOBUFS;
goto drop;
/* Inject IPCOMP header */
mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
if (mo == NULL) {
- DPRINTF(("%s: failed to inject IPCOMP header for "
- "IPCA %s/%08x\n", __func__, ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi)));
+ DPRINTF("ailed to inject IPCOMP header for IPCA %s/%08x",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_wrap);
goto baddone;
}
break;
#endif
default:
- DPRINTF(("%s: unsupported protocol family %d, IPCA %s/%08x\n",
- __func__, tdb->tdb_dst.sa.sa_family,
+ DPRINTF("unsupported protocol family %d, IPCA %s/%08x",
+ tdb->tdb_dst.sa.sa_family,
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_nopf);
goto baddone;
}
-/* $OpenBSD: ip_ipip.c,v 1.91 2021/07/07 18:03:46 bluhm Exp $ */
+/* $OpenBSD: ip_ipip.c,v 1.92 2021/07/08 15:13:14 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
#endif
#ifdef ENCDEBUG
-#define DPRINTF(x) if (encdebug) printf x
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
/*
/* If we do not accept IP-in-IP explicitly, drop. */
if (!ipip_allow && ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) {
- DPRINTF(("%s: dropped due to policy\n", __func__));
+ DPRINTF("dropped due to policy");
ipipstat_inc(ipips_pdrops);
m_freemp(mp);
return IPPROTO_DONE;
/* Bring the IP header in the first mbuf, if not there already */
if (m->m_len < hlen) {
if ((m = *mp = m_pullup(m, hlen)) == NULL) {
- DPRINTF(("%s: m_pullup() failed\n", __func__));
+ DPRINTF("m_pullup() failed");
ipipstat_inc(ipips_hdrops);
goto bad;
}
*/
if (m->m_len < hlen) {
if ((m = *mp = m_pullup(m, hlen)) == NULL) {
- DPRINTF(("%s: m_pullup() failed\n", __func__));
+ DPRINTF("m_pullup() failed");
ipipstat_inc(ipips_hdrops);
goto bad;
}
mode = m->m_flags & (M_AUTH|M_CONF) ?
ECN_ALLOWED_IPSEC : ECN_ALLOWED;
if (!ip_ecn_egress(mode, &otos, &itos)) {
- DPRINTF(("%s: ip_ecn_egress() failed\n", __func__));
+ DPRINTF("ip_ecn_egress() failed");
ipipstat_inc(ipips_pdrops);
goto bad;
}
ip6 = mtod(m, struct ip6_hdr *);
itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
if (!ip_ecn_egress(ECN_ALLOWED, &otos, &itos)) {
- DPRINTF(("%s: ip_ecn_egress() failed\n", __func__));
+ DPRINTF("ip_ecn_egress() failed");
ipipstat_inc(ipips_pdrops);
goto bad;
}
tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY ||
tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) {
- DPRINTF(("%s: unspecified tunnel endpoind "
- "address in SA %s/%08x\n", __func__,
+ DPRINTF("unspecified tunnel endpoind address "
+ "in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ipipstat_inc(ipips_unspec);
m_freem(m);
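Review bot: The message text still says `endpoind`; since the line is being rewritten anyway, spell it `"unspecified tunnel endpoint address "`. The IPv6 branch further down in ip_ipip.c carries the same misspelling. The condition this message belongs to starts outside the hunk.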
M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
if (m == NULL) {
- DPRINTF(("%s: M_PREPEND failed\n", __func__));
+ DPRINTF("M_PREPEND failed");
ipipstat_inc(ipips_hdrops);
*mp = NULL;
return ENOBUFS;
tdb->tdb_src.sa.sa_family != AF_INET6 ||
IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) {
- DPRINTF(("%s: unspecified tunnel endpoind "
- "address in SA %s/%08x\n", __func__,
+ DPRINTF("unspecified tunnel endpoind address "
+ "in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
- ntohl(tdb->tdb_spi)));
+ ntohl(tdb->tdb_spi));
ipipstat_inc(ipips_unspec);
m_freem(m);
M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT);
if (m == NULL) {
- DPRINTF(("%s: M_PREPEND failed\n", __func__));
+ DPRINTF("M_PREPEND failed");
ipipstat_inc(ipips_hdrops);
*mp = NULL;
return ENOBUFS;
#endif /* INET6 */
default:
- DPRINTF(("%s: unsupported protocol family %d\n", __func__,
- tdb->tdb_dst.sa.sa_family));
+ DPRINTF("unsupported protocol family %d",
+ tdb->tdb_dst.sa.sa_family);
m_freem(m);
*mp = NULL;
ipipstat_inc(ipips_family);
ipe4_input(struct mbuf *m, struct tdb *tdb, int hlen, int proto)
{
/* This is a rather serious mistake, so no conditional printing. */
- printf("ipe4_input(): should never be called\n");
+ printf("%s: should never be called\n", __func__);
m_freem(m);
return EINVAL;
}
-/* $OpenBSD: ip_ipsp.c,v 1.238 2021/03/10 10:21:49 jsg Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.239 2021/07/08 15:13:14 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
#endif
#ifdef ENCDEBUG
-#define DPRINTF(x) if (encdebug) printf x
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
void tdb_rehash(void);
}
}
- DPRINTF(("%s: no alg %d for spi %08x, addr %s, proto %d\n", __func__,
- alg, ntohl(tdbp->tdb_spi), ipsp_address(&tdbp->tdb_dst, buf,
- sizeof(buf)), tdbp->tdb_sproto));
+ DPRINTF("no alg %d for spi %08x, addr %s, proto %d",
+ alg, ntohl(tdbp->tdb_spi),
+ ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)),
+ tdbp->tdb_sproto);
return EINVAL;
}
/* if refcount was zero, then timeout is running */
if (found->id_refcount++ == 0)
timeout_del(&found->id_timeout);
- DPRINTF(("%s: ids %p count %d\n", __func__,
- found, found->id_refcount));
+ DPRINTF("ids %p count %d",
+ found, found->id_refcount);
return found;
}
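Review bot: This message prints the `ipsec_ids` address with `%p`, so with ENCDEBUG compiled in and `encdebug` set the kernel address goes to wherever kernel printf output is recorded. If the pointer is only there to tell entries apart, the flow id may identify them well enough, e.g. `DPRINTF("ids flow %u count %d", found->id_flow, found->id_refcount);`; otherwise a comment saying why the address is needed would help. The other `ids %p` messages in ip_ipsp.c and the `rt %p` / `mbuf %p` messages in ip_output.c, ip6_output.c and ipsec_output.c have the same property. The enclosing function starts outside the hunk.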
ids->id_flow = start_flow = ipsec_ids_next_flow;
if (++ipsec_ids_next_flow == 0)
ipsec_ids_next_flow = 1;
if (ipsec_ids_next_flow == start_flow) {
- DPRINTF(("ipsec_ids_next_flow exhausted %u\n",
- ipsec_ids_next_flow));
+ DPRINTF("psec_ids_next_flow exhausted %u",
+ ipsec_ids_next_flow);
return NULL;
}
}
ids->id_refcount = 1;
- DPRINTF(("%s: new ids %p flow %u\n", __func__, ids, ids->id_flow));
+ DPRINTF("new ids %p flow %u", ids, ids->id_flow);
timeout_set_proc(&ids->id_timeout, ipsp_ids_timeout, ids);
return ids;
}
{
struct ipsec_ids *ids = arg;
- DPRINTF(("%s: ids %p count %d\n", __func__, ids, ids->id_refcount));
+ DPRINTF("ids %p count %d", ids, ids->id_refcount);
KASSERT(ids->id_refcount == 0);
NET_LOCK();
* If the refcount becomes zero, then a timeout is started. This
* timeout must be cancelled if refcount is increased from zero.
*/
- DPRINTF(("%s: ids %p count %d\n", __func__, ids, ids->id_refcount));
+ DPRINTF("ids %p count %d", ids, ids->id_refcount);
KASSERT(ids->id_refcount > 0);
if (--ids->id_refcount == 0)
timeout_add_sec(&ids->id_timeout, ipsec_ids_idle);
-/* $OpenBSD: ip_output.c,v 1.371 2021/05/12 08:09:33 mvs Exp $ */
+/* $OpenBSD: ip_output.c,v 1.372 2021/07/08 15:13:14 bluhm Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
#ifdef IPSEC
#ifdef ENCDEBUG
-#define DPRINTF(x) do { if (encdebug) printf x ; } while (0)
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
#endif /* IPSEC */
m->m_pkthdr.ph_rtableid, 1);
rt_mtucloned = 1;
}
- DPRINTF(("%s: spi %08x mtu %d rt %p cloned %d\n", __func__,
- ntohl(tdb->tdb_spi), tdb->tdb_mtu, rt, rt_mtucloned));
+ DPRINTF("spi %08x mtu %d rt %p cloned %d",
+ ntohl(tdb->tdb_spi), tdb->tdb_mtu, rt, rt_mtucloned);
if (rt != NULL) {
rt->rt_mtu = tdb->tdb_mtu;
if (ro != NULL && ro->ro_rt != NULL) {
-/* $OpenBSD: ipsec_input.c,v 1.174 2021/06/18 15:34:21 bluhm Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.175 2021/07/08 15:13:14 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int);
#ifdef ENCDEBUG
-#define DPRINTF(x) if (encdebug) printf x
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
/* sysctl variables */
IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input);
if (m == NULL) {
- DPRINTF(("%s: NULL packet received\n", __func__));
+ DPRINTF("NULL packet received");
IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
return EINVAL;
}
if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) {
- DPRINTF(("%s: repeated decompression\n", __func__));
+ DPRINTF("repeated decompression");
ipcompstat_inc(ipcomps_pdrops);
error = EINVAL;
goto drop;
}
if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) {
- DPRINTF(("%s: packet too small\n", __func__));
+ DPRINTF("packet too small");
IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
error = EINVAL;
goto drop;
#endif /* INET6 */
default:
- DPRINTF(("%s: unsupported protocol family %d\n", __func__, af));
+ DPRINTF("unsupported protocol family %d", af);
IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf);
error = EPFNOSUPPORT;
goto drop;
tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid),
spi, &dst_address, sproto);
if (tdbp == NULL) {
- DPRINTF(("%s: could not find SA for packet to %s, spi %08x\n",
- __func__,
- ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)));
+ DPRINTF("could not find SA for packet to %s, spi %08x",
+ ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi));
IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb);
error = ENOENT;
goto drop;
}
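Review bot: The `could not find SA` message is reached before any SA has been matched, so it can be triggered by packets whose sender has not been authenticated, and no rate limit is visible in this hunk. With `encdebug` set that means one kernel printf per such packet. A comment on the call such as `/* debug only: reachable from unauthenticated input, not rate limited */` would tell operators not to leave `encdebug` on in production; alternatively the message could go behind whatever rate limiting the kernel already offers. The surrounding function starts and ends outside the hunk.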
if (tdbp->tdb_flags & TDBF_INVALID) {
- DPRINTF(("%s: attempted to use invalid SA %s/%08x/%u\n",
- __func__, ipsp_address(&dst_address, buf,
- sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF("attempted to use invalid SA %s/%08x/%u",
+ ipsp_address(&dst_address, buf, sizeof(buf)),
+ ntohl(spi), tdbp->tdb_sproto);
IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid);
error = EINVAL;
goto drop;
}
if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) {
- DPRINTF(("%s: attempted to use non-udpencap SA %s/%08x/%u\n",
- __func__, ipsp_address(&dst_address, buf,
- sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF("attempted to use non-udpencap SA %s/%08x/%u",
+ ipsp_address(&dst_address, buf, sizeof(buf)),
+ ntohl(spi), tdbp->tdb_sproto);
espstat_inc(esps_udpinval);
error = EINVAL;
goto drop;
}
if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) {
- DPRINTF(("%s: attempted to use udpencap SA %s/%08x/%u\n",
- __func__, ipsp_address(&dst_address, buf,
- sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF("attempted to use udpencap SA %s/%08x/%u",
+ ipsp_address(&dst_address, buf, sizeof(buf)),
+ ntohl(spi), tdbp->tdb_sproto);
espstat_inc(esps_udpneeded);
error = EINVAL;
goto drop;
}
if (tdbp->tdb_xform == NULL) {
- DPRINTF(("%s: attempted to use uninitialized SA %s/%08x/%u\n",
- __func__, ipsp_address(&dst_address, buf,
- sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF("attempted to use uninitialized SA %s/%08x/%u",
+ ipsp_address(&dst_address, buf, sizeof(buf)),
+ ntohl(spi), tdbp->tdb_sproto);
IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform);
error = ENXIO;
goto drop;
if (sproto != IPPROTO_IPCOMP) {
if ((encif = enc_getif(tdbp->tdb_rdomain_post,
tdbp->tdb_tap)) == NULL) {
- DPRINTF(("%s: no enc%u interface for SA %s/%08x/%u\n",
- __func__,
- tdbp->tdb_tap, ipsp_address(&dst_address, buf,
- sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF("no enc%u interface for SA %s/%08x/%u",
+ tdbp->tdb_tap,
+ ipsp_address(&dst_address, buf, sizeof(buf)),
+ ntohl(spi), tdbp->tdb_sproto);
IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops);
error = EACCES;
goto drop;
KERNEL_ASSERT_LOCKED();
if (m == NULL) {
- DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
+ DPRINTF("bogus returned buffer from crypto");
ipsecstat_inc(ipsec_crypto);
goto droponly;
}
NET_LOCK();
tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto);
if (tdb == NULL) {
- DPRINTF(("%s: TDB is expired while in crypto", __func__));
+ DPRINTF("TDB is expired while in crypto");
ipsecstat_inc(ipsec_notdb);
goto baddone;
}
crypto_dispatch(crp);
return;
}
- DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
+ DPRINTF("crypto error %d", crp->crp_etype);
ipsecstat_inc(ipsec_noxform);
goto baddone;
}
/* Fix IPv4 header */
if (af == AF_INET) {
if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) {
- DPRINTF(("%s: processing failed for SA %s/%08x\n",
- __func__, ipsp_address(&tdbp->tdb_dst,
- buf, sizeof(buf)), ntohl(tdbp->tdb_spi)));
+ DPRINTF("processing failed for SA %s/%08x",
+ ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdbp->tdb_spi));
IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
return -1;
}
if (m->m_len < sizeof(struct ip6_hdr) &&
(m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
- DPRINTF(("%s: processing failed for SA %s/%08x\n",
- __func__, ipsp_address(&tdbp->tdb_dst,
- buf, sizeof(buf)), ntohl(tdbp->tdb_spi)));
-
+ DPRINTF("processing failed for SA %s/%08x",
+ ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdbp->tdb_spi));
IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
return -1;
}
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
m_freem(m);
- DPRINTF(("%s: failed to get tag\n", __func__));
+ DPRINTF("failed to get tag");
IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
return -1;
}
tdbp->tdb_mtu = mtu;
tdbp->tdb_mtutimeout = gettime() +
ip_mtudisc_timeout;
- DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", __func__,
- ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
- adjust));
+ DPRINTF("spi %08x mtu %d adjust %ld",
+ ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust);
}
}
}
tdbp->tdb_mtu = mtu - adjust;
tdbp->tdb_mtutimeout = gettime() +
ip_mtudisc_timeout;
- DPRINTF(("%s: spi %08x mtu %d adjust %ld\n",
- __func__,
+ DPRINTF("spi %08x mtu %d adjust %ld",
ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
- adjust));
+ adjust);
}
}
}
return rip6_input(mp, offp, proto, af);
if (*offp < sizeof(struct ip6_hdr)) {
- DPRINTF(("%s: bad offset\n", __func__));
+ DPRINTF("bad offset");
ahstat_inc(ahs_hdrops);
m_freemp(mp);
return IPPROTO_DONE;
/* Malformed packet check */
if (protoff + l != *offp) {
- DPRINTF(("%s: bad packet header chain\n", __func__));
+ DPRINTF("bad packet header chain");
ahstat_inc(ahs_hdrops);
m_freemp(mp);
return IPPROTO_DONE;
return rip6_input(mp, offp, proto, af);
if (*offp < sizeof(struct ip6_hdr)) {
- DPRINTF(("%s: bad offset\n", __func__));
+ DPRINTF("bad offset");
espstat_inc(esps_hdrops);
m_freemp(mp);
return IPPROTO_DONE;
/* Malformed packet check */
if (protoff + l != *offp) {
- DPRINTF(("%s: bad packet header chain\n", __func__));
+ DPRINTF("bad packet header chain");
espstat_inc(esps_hdrops);
m_freemp(mp);
return IPPROTO_DONE;
return rip6_input(mp, offp, proto, af);
if (*offp < sizeof(struct ip6_hdr)) {
- DPRINTF(("%s: bad offset\n", __func__));
+ DPRINTF("bad offset");
ipcompstat_inc(ipcomps_hdrops);
m_freemp(mp);
return IPPROTO_DONE;
/* Malformed packet check */
if (protoff + l != *offp) {
- DPRINTF(("%s: bad packet header chain\n", __func__));
+ DPRINTF("bad packet header chain");
ipcompstat_inc(ipcomps_hdrops);
m_freemp(mp);
return IPPROTO_DONE;
-/* $OpenBSD: ipsec_output.c,v 1.81 2021/07/07 18:03:46 bluhm Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.82 2021/07/08 15:13:14 bluhm Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
#include <crypto/xform.h>
#ifdef ENCDEBUG
-#define DPRINTF(x) if (encdebug) printf x
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
int udpencap_enable = 1; /* enabled by default */
if ((tdb->tdb_sproto == IPPROTO_ESP && !esp_enable) ||
(tdb->tdb_sproto == IPPROTO_AH && !ah_enable) ||
(tdb->tdb_sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
- DPRINTF(("ipsp_process_packet(): IPsec outbound packet "
- "dropped due to policy (check your sysctls)\n"));
+ DPRINTF("IPsec outbound packet dropped due to policy "
+ "(check your sysctls)");
error = EHOSTUNREACH;
goto drop;
}
/* Sanity check. */
if (!tdb->tdb_xform) {
- DPRINTF(("%s: uninitialized TDB\n", __func__));
+ DPRINTF("uninitialized TDB");
error = EHOSTUNREACH;
goto drop;
}
/* Check if the SPI is invalid. */
if (tdb->tdb_flags & TDBF_INVALID) {
- DPRINTF(("ipsp_process_packet(): attempt to use invalid "
- "SA %s/%08x/%u\n", ipsp_address(&tdb->tdb_dst, buf,
- sizeof(buf)), ntohl(tdb->tdb_spi), tdb->tdb_sproto));
+ DPRINTF("attempt to use invalid SA %s/%08x/%u",
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi), tdb->tdb_sproto);
error = ENXIO;
goto drop;
}
#endif /* INET6 */
default:
- DPRINTF(("ipsp_process_packet(): attempt to use "
- "SA %s/%08x/%u for protocol family %d\n",
+ DPRINTF("attempt to use SA %s/%08x/%u for protocol family %d",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi), tdb->tdb_sproto,
- tdb->tdb_dst.sa.sa_family));
+ tdb->tdb_dst.sa.sa_family);
error = ENXIO;
goto drop;
}
KERNEL_ASSERT_LOCKED();
if (m == NULL) {
- DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
+ DPRINTF("bogus returned buffer from crypto");
ipsecstat_inc(ipsec_crypto);
goto droponly;
}
NET_LOCK();
tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto);
if (tdb == NULL) {
- DPRINTF(("%s: TDB is expired while in crypto\n", __func__));
+ DPRINTF("TDB is expired while in crypto");
ipsecstat_inc(ipsec_notdb);
goto baddone;
}
crypto_dispatch(crp);
return;
}
- DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
+ DPRINTF("crypto error %d", crp->crp_etype);
ipsecstat_inc(ipsec_noxform);
goto baddone;
}
break;
#endif /* INET6 */
default:
- DPRINTF(("ipsp_process_done(): unknown protocol family "
- "(%d)\n", tdb->tdb_dst.sa.sa_family));
+ DPRINTF("unknown protocol family (%d)",
+ tdb->tdb_dst.sa.sa_family);
error = ENXIO;
goto drop;
}
#endif /* INET6 */
default:
- DPRINTF(("ipsp_process_done(): unknown protocol family (%d)\n",
- tdb->tdb_dst.sa.sa_family));
+ DPRINTF("unknown protocol family (%d)",
+ tdb->tdb_dst.sa.sa_family);
error = ENXIO;
goto drop;
}
mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(struct tdb_ident),
M_NOWAIT);
if (mtag == NULL) {
- DPRINTF(("ipsp_process_done(): could not allocate packet "
- "tag\n"));
+ DPRINTF("could not allocate packet tag");
error = ENOMEM;
goto drop;
}
mtu -= adjust;
tdbp->tdb_mtu = mtu;
tdbp->tdb_mtutimeout = gettime() + ip_mtudisc_timeout;
- DPRINTF(("ipsec_adjust_mtu: "
- "spi %08x mtu %d adjust %ld mbuf %p\n",
- ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
- adjust, m));
+ DPRINTF("spi %08x mtu %d adjust %ld mbuf %p",
+ ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust, m);
}
}
-/* $OpenBSD: ip6_output.c,v 1.257 2021/05/12 08:09:33 mvs Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.258 2021/07/08 15:13:14 bluhm Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
#include <netinet/ip_esp.h>
#ifdef ENCDEBUG
-#define DPRINTF(x) do { if (encdebug) printf x ; } while (0)
+#define DPRINTF(fmt, args...) \
+ do { \
+ if (encdebug) \
+ printf("%s: " fmt "\n", __func__, ## args); \
+ } while (0)
#else
-#define DPRINTF(x)
+#define DPRINTF(fmt, args...) \
+ do { } while (0)
#endif
#endif /* IPSEC */
m->m_pkthdr.ph_rtableid, 1);
rt_mtucloned = 1;
}
- DPRINTF(("%s: spi %08x mtu %d rt %p cloned %d\n", __func__,
- ntohl(tdb->tdb_spi), tdb->tdb_mtu, rt, rt_mtucloned));
+ DPRINTF("spi %08x mtu %d rt %p cloned %d",
+ ntohl(tdb->tdb_spi), tdb->tdb_mtu, rt, rt_mtucloned);
if (rt != NULL) {
rt->rt_mtu = tdb->tdb_mtu;
if (ro != NULL && ro->ro_rt != NULL) {