xform_esp.c (228014) | xform_esp.c (252028) |
---|---|
1/* $FreeBSD: head/sys/netipsec/xform_esp.c 228014 2011-11-26 23:57:03Z pjd $ */ | 1/* $FreeBSD: head/sys/netipsec/xform_esp.c 252028 2013-06-20 11:44:16Z ae $ */ |
2/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ 3/*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. --- 264 unchanged lines hidden (view full) --- 274 275 IPSEC_ASSERT(sav != NULL, ("null SA")); 276 IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); 277 278 /* Valid IP Packet length ? */ 279 if ( (skip&3) || (m->m_pkthdr.len&3) ){ 280 DPRINTF(("%s: misaligned packet, skip %u pkt len %u", 281 __func__, skip, m->m_pkthdr.len)); | 2/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ 3/*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. --- 264 unchanged lines hidden (view full) --- 274 275 IPSEC_ASSERT(sav != NULL, ("null SA")); 276 IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); 277 278 /* Valid IP Packet length ? */ 279 if ( (skip&3) || (m->m_pkthdr.len&3) ){ 280 DPRINTF(("%s: misaligned packet, skip %u pkt len %u", 281 __func__, skip, m->m_pkthdr.len)); |
282 V_espstat.esps_badilen++; | 282 ESPSTAT_INC(esps_badilen); |
283 m_freem(m); 284 return EINVAL; 285 } 286 287 /* XXX don't pullup, just copy header */ 288 IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp)); 289 290 esph = sav->tdb_authalgxform; --- 29 unchanged lines hidden (view full) --- 320 */ 321 plen = m->m_pkthdr.len - (skip + hlen + alen); 322 if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { 323 DPRINTF(("%s: payload of %d octets not a multiple of %d octets," 324 " SA %s/%08lx\n", __func__, 325 plen, espx->blocksize, 326 ipsec_address(&sav->sah->saidx.dst), 327 (u_long) ntohl(sav->spi))); | 283 m_freem(m); 284 return EINVAL; 285 } 286 287 /* XXX don't pullup, just copy header */ 288 IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp)); 289 290 esph = sav->tdb_authalgxform; --- 29 unchanged lines hidden (view full) --- 320 */ 321 plen = m->m_pkthdr.len - (skip + hlen + alen); 322 if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { 323 DPRINTF(("%s: payload of %d octets not a multiple of %d octets," 324 " SA %s/%08lx\n", __func__, 325 plen, espx->blocksize, 326 ipsec_address(&sav->sah->saidx.dst), 327 (u_long) ntohl(sav->spi))); |
328 V_espstat.esps_badilen++; | 328 ESPSTAT_INC(esps_badilen); |
329 m_freem(m); 330 return EINVAL; 331 } 332 333 /* 334 * Check sequence number. 335 */ 336 if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { 337 DPRINTF(("%s: packet replay check for %s\n", __func__, 338 ipsec_logsastr(sav))); /*XXX*/ | 329 m_freem(m); 330 return EINVAL; 331 } 332 333 /* 334 * Check sequence number. 335 */ 336 if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { 337 DPRINTF(("%s: packet replay check for %s\n", __func__, 338 ipsec_logsastr(sav))); /*XXX*/ |
339 V_espstat.esps_replay++; | 339 ESPSTAT_INC(esps_replay); |
340 m_freem(m); 341 return ENOBUFS; /*XXX*/ 342 } 343 344 /* Update the counters */ | 340 m_freem(m); 341 return ENOBUFS; /*XXX*/ 342 } 343 344 /* Update the counters */ |
345 V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen); | 345 ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen)); |
346 347 /* Find out if we've already done crypto */ 348 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 349 mtag != NULL; 350 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) { 351 tdbi = (struct tdb_ident *) (mtag + 1); 352 if (tdbi->proto == sav->sah->saidx.proto && 353 tdbi->spi == sav->spi && 354 !bcmp(&tdbi->dst, &sav->sah->saidx.dst, 355 sizeof(union sockaddr_union))) 356 break; 357 } 358 359 /* Get crypto descriptors */ 360 crp = crypto_getreq(esph && espx ? 2 : 1); 361 if (crp == NULL) { 362 DPRINTF(("%s: failed to acquire crypto descriptors\n", 363 __func__)); | 346 347 /* Find out if we've already done crypto */ 348 for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); 349 mtag != NULL; 350 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, mtag)) { 351 tdbi = (struct tdb_ident *) (mtag + 1); 352 if (tdbi->proto == sav->sah->saidx.proto && 353 tdbi->spi == sav->spi && 354 !bcmp(&tdbi->dst, &sav->sah->saidx.dst, 355 sizeof(union sockaddr_union))) 356 break; 357 } 358 359 /* Get crypto descriptors */ 360 crp = crypto_getreq(esph && espx ? 2 : 1); 361 if (crp == NULL) { 362 DPRINTF(("%s: failed to acquire crypto descriptors\n", 363 __func__)); |
364 V_espstat.esps_crypto++; | 364 ESPSTAT_INC(esps_crypto); |
365 m_freem(m); 366 return ENOBUFS; 367 } 368 369 /* Get IPsec-specific opaque pointer */ 370 if (esph == NULL || mtag != NULL) 371 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), 372 M_XDATA, M_NOWAIT|M_ZERO); 373 else 374 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen, 375 M_XDATA, M_NOWAIT|M_ZERO); 376 if (tc == NULL) { 377 crypto_freereq(crp); 378 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); | 365 m_freem(m); 366 return ENOBUFS; 367 } 368 369 /* Get IPsec-specific opaque pointer */ 370 if (esph == NULL || mtag != NULL) 371 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), 372 M_XDATA, M_NOWAIT|M_ZERO); 373 else 374 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen, 375 M_XDATA, M_NOWAIT|M_ZERO); 376 if (tc == NULL) { 377 crypto_freereq(crp); 378 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); |
379 V_espstat.esps_crypto++; | 379 ESPSTAT_INC(esps_crypto); |
380 m_freem(m); 381 return ENOBUFS; 382 } 383 384 tc->tc_ptr = (caddr_t) mtag; 385 386 if (esph) { 387 struct cryptodesc *crda = crp->crp_desc; --- 99 unchanged lines hidden (view full) --- 487 if (crp->crp_etype) { 488 /* Reset the session ID */ 489 if (sav->tdb_cryptoid != 0) 490 sav->tdb_cryptoid = crp->crp_sid; 491 492 if (crp->crp_etype == EAGAIN) 493 return (crypto_dispatch(crp)); 494 | 380 m_freem(m); 381 return ENOBUFS; 382 } 383 384 tc->tc_ptr = (caddr_t) mtag; 385 386 if (esph) { 387 struct cryptodesc *crda = crp->crp_desc; --- 99 unchanged lines hidden (view full) --- 487 if (crp->crp_etype) { 488 /* Reset the session ID */ 489 if (sav->tdb_cryptoid != 0) 490 sav->tdb_cryptoid = crp->crp_sid; 491 492 if (crp->crp_etype == EAGAIN) 493 return (crypto_dispatch(crp)); 494 |
495 V_espstat.esps_noxform++; | 495 ESPSTAT_INC(esps_noxform); |
496 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 497 error = crp->crp_etype; 498 goto bad; 499 } 500 501 /* Shouldn't happen... */ 502 if (m == NULL) { | 496 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 497 error = crp->crp_etype; 498 goto bad; 499 } 500 501 /* Shouldn't happen... */ 502 if (m == NULL) { |
503 V_espstat.esps_crypto++; | 503 ESPSTAT_INC(esps_crypto); |
504 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 505 error = EINVAL; 506 goto bad; 507 } | 504 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 505 error = EINVAL; 506 goto bad; 507 } |
508 V_espstat.esps_hist[sav->alg_enc]++; | 508 ESPSTAT_INC(esps_hist[sav->alg_enc]); |
509 510 /* If authentication was performed, check now. */ 511 if (esph != NULL) { 512 switch (esph->type) { 513 case CRYPTO_SHA2_256_HMAC: 514 case CRYPTO_SHA2_384_HMAC: 515 case CRYPTO_SHA2_512_HMAC: 516 alen = esph->hashsize/2; 517 break; 518 default: 519 alen = AH_HMAC_HASHLEN; 520 break; 521 } 522 /* 523 * If we have a tag, it means an IPsec-aware NIC did 524 * the verification for us. Otherwise we need to 525 * check the authentication calculation. 526 */ | 509 510 /* If authentication was performed, check now. */ 511 if (esph != NULL) { 512 switch (esph->type) { 513 case CRYPTO_SHA2_256_HMAC: 514 case CRYPTO_SHA2_384_HMAC: 515 case CRYPTO_SHA2_512_HMAC: 516 alen = esph->hashsize/2; 517 break; 518 default: 519 alen = AH_HMAC_HASHLEN; 520 break; 521 } 522 /* 523 * If we have a tag, it means an IPsec-aware NIC did 524 * the verification for us. Otherwise we need to 525 * check the authentication calculation. 526 */ |
527 V_ahstat.ahs_hist[sav->alg_auth]++; | 527 AHSTAT_INC(ahs_hist[sav->alg_auth]); |
528 if (mtag == NULL) { 529 /* Copy the authenticator from the packet */ 530 m_copydata(m, m->m_pkthdr.len - alen, 531 alen, aalg); 532 533 ptr = (caddr_t) (tc + 1); 534 535 /* Verify authenticator */ 536 if (bcmp(ptr, aalg, alen) != 0) { 537 DPRINTF(("%s: " 538 "authentication hash mismatch for packet in SA %s/%08lx\n", 539 __func__, 540 ipsec_address(&saidx->dst), 541 (u_long) ntohl(sav->spi))); | 528 if (mtag == NULL) { 529 /* Copy the authenticator from the packet */ 530 m_copydata(m, m->m_pkthdr.len - alen, 531 alen, aalg); 532 533 ptr = (caddr_t) (tc + 1); 534 535 /* Verify authenticator */ 536 if (bcmp(ptr, aalg, alen) != 0) { 537 DPRINTF(("%s: " 538 "authentication hash mismatch for packet in SA %s/%08lx\n", 539 __func__, 540 ipsec_address(&saidx->dst), 541 (u_long) ntohl(sav->spi))); |
542 V_espstat.esps_badauth++; | 542 ESPSTAT_INC(esps_badauth); |
543 error = EACCES; 544 goto bad; 545 } 546 } 547 548 /* Remove trailing authenticator */ 549 m_adj(m, -alen); 550 } --- 13 unchanged lines hidden (view full) --- 564 if (sav->replay) { 565 u_int32_t seq; 566 567 m_copydata(m, skip + offsetof(struct newesp, esp_seq), 568 sizeof (seq), (caddr_t) &seq); 569 if (ipsec_updatereplay(ntohl(seq), sav)) { 570 DPRINTF(("%s: packet replay check for %s\n", __func__, 571 ipsec_logsastr(sav))); | 543 error = EACCES; 544 goto bad; 545 } 546 } 547 548 /* Remove trailing authenticator */ 549 m_adj(m, -alen); 550 } --- 13 unchanged lines hidden (view full) --- 564 if (sav->replay) { 565 u_int32_t seq; 566 567 m_copydata(m, skip + offsetof(struct newesp, esp_seq), 568 sizeof (seq), (caddr_t) &seq); 569 if (ipsec_updatereplay(ntohl(seq), sav)) { 570 DPRINTF(("%s: packet replay check for %s\n", __func__, 571 ipsec_logsastr(sav))); |
572 V_espstat.esps_replay++; | 572 ESPSTAT_INC(esps_replay); |
573 error = ENOBUFS; 574 goto bad; 575 } 576 } 577 578 /* Determine the ESP header length */ 579 if (sav->flags & SADB_X_EXT_OLD) 580 hlen = sizeof (struct esp) + sav->ivlen; 581 else 582 hlen = sizeof (struct newesp) + sav->ivlen; 583 584 /* Remove the ESP header and IV from the mbuf. */ 585 error = m_striphdr(m, skip, hlen); 586 if (error) { | 573 error = ENOBUFS; 574 goto bad; 575 } 576 } 577 578 /* Determine the ESP header length */ 579 if (sav->flags & SADB_X_EXT_OLD) 580 hlen = sizeof (struct esp) + sav->ivlen; 581 else 582 hlen = sizeof (struct newesp) + sav->ivlen; 583 584 /* Remove the ESP header and IV from the mbuf. */ 585 error = m_striphdr(m, skip, hlen); 586 if (error) { |
587 V_espstat.esps_hdrops++; | 587 ESPSTAT_INC(esps_hdrops); |
588 DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__, 589 ipsec_address(&sav->sah->saidx.dst), 590 (u_long) ntohl(sav->spi))); 591 goto bad; 592 } 593 594 /* Save the last three bytes of decrypted data */ 595 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 596 597 /* Verify pad length */ 598 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { | 588 DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__, 589 ipsec_address(&sav->sah->saidx.dst), 590 (u_long) ntohl(sav->spi))); 591 goto bad; 592 } 593 594 /* Save the last three bytes of decrypted data */ 595 m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree); 596 597 /* Verify pad length */ 598 if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { |
599 V_espstat.esps_badilen++; | 599 ESPSTAT_INC(esps_badilen); |
600 DPRINTF(("%s: invalid padding length %d for %u byte packet " 601 "in SA %s/%08lx\n", __func__, 602 lastthree[1], m->m_pkthdr.len - skip, 603 ipsec_address(&sav->sah->saidx.dst), 604 (u_long) ntohl(sav->spi))); 605 error = EINVAL; 606 goto bad; 607 } 608 609 /* Verify correct decryption by checking the last padding bytes */ 610 if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) { 611 if (lastthree[1] != lastthree[0] && lastthree[1] != 0) { | 600 DPRINTF(("%s: invalid padding length %d for %u byte packet " 601 "in SA %s/%08lx\n", __func__, 602 lastthree[1], m->m_pkthdr.len - skip, 603 ipsec_address(&sav->sah->saidx.dst), 604 (u_long) ntohl(sav->spi))); 605 error = EINVAL; 606 goto bad; 607 } 608 609 /* Verify correct decryption by checking the last padding bytes */ 610 if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) { 611 if (lastthree[1] != lastthree[0] && lastthree[1] != 0) { |
612 V_espstat.esps_badenc++; | 612 ESPSTAT_INC(esps_badenc); |
613 DPRINTF(("%s: decryption failed for packet in " 614 "SA %s/%08lx\n", __func__, 615 ipsec_address(&sav->sah->saidx.dst), 616 (u_long) ntohl(sav->spi))); 617 error = EINVAL; 618 goto bad; 619 } 620 } --- 90 unchanged lines hidden (view full) --- 711 break; 712 default: 713 alen = AH_HMAC_HASHLEN; 714 break; 715 } 716 else 717 alen = 0; 718 | 613 DPRINTF(("%s: decryption failed for packet in " 614 "SA %s/%08lx\n", __func__, 615 ipsec_address(&sav->sah->saidx.dst), 616 (u_long) ntohl(sav->spi))); 617 error = EINVAL; 618 goto bad; 619 } 620 } --- 90 unchanged lines hidden (view full) --- 711 break; 712 default: 713 alen = AH_HMAC_HASHLEN; 714 break; 715 } 716 else 717 alen = 0; 718 |
719 V_espstat.esps_output++; | 719 ESPSTAT_INC(esps_output); |
720 721 saidx = &sav->sah->saidx; 722 /* Check for maximum packet size violations. */ 723 switch (saidx->dst.sa.sa_family) { 724#ifdef INET 725 case AF_INET: 726 maxpacketsize = IP_MAXPACKET; 727 break; 728#endif /* INET */ 729#ifdef INET6 730 case AF_INET6: 731 maxpacketsize = IPV6_MAXPACKET; 732 break; 733#endif /* INET6 */ 734 default: 735 DPRINTF(("%s: unknown/unsupported protocol " 736 "family %d, SA %s/%08lx\n", __func__, 737 saidx->dst.sa.sa_family, ipsec_address(&saidx->dst), 738 (u_long) ntohl(sav->spi))); | 720 721 saidx = &sav->sah->saidx; 722 /* Check for maximum packet size violations. */ 723 switch (saidx->dst.sa.sa_family) { 724#ifdef INET 725 case AF_INET: 726 maxpacketsize = IP_MAXPACKET; 727 break; 728#endif /* INET */ 729#ifdef INET6 730 case AF_INET6: 731 maxpacketsize = IPV6_MAXPACKET; 732 break; 733#endif /* INET6 */ 734 default: 735 DPRINTF(("%s: unknown/unsupported protocol " 736 "family %d, SA %s/%08lx\n", __func__, 737 saidx->dst.sa.sa_family, ipsec_address(&saidx->dst), 738 (u_long) ntohl(sav->spi))); |
739 V_espstat.esps_nopf++; | 739 ESPSTAT_INC(esps_nopf); |
740 error = EPFNOSUPPORT; 741 goto bad; 742 } 743 if (skip + hlen + rlen + padding + alen > maxpacketsize) { 744 DPRINTF(("%s: packet in SA %s/%08lx got too big " 745 "(len %u, max len %u)\n", __func__, 746 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi), 747 skip + hlen + rlen + padding + alen, maxpacketsize)); | 740 error = EPFNOSUPPORT; 741 goto bad; 742 } 743 if (skip + hlen + rlen + padding + alen > maxpacketsize) { 744 DPRINTF(("%s: packet in SA %s/%08lx got too big " 745 "(len %u, max len %u)\n", __func__, 746 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi), 747 skip + hlen + rlen + padding + alen, maxpacketsize)); |
748 V_espstat.esps_toobig++; | 748 ESPSTAT_INC(esps_toobig); |
749 error = EMSGSIZE; 750 goto bad; 751 } 752 753 /* Update the counters. */ | 749 error = EMSGSIZE; 750 goto bad; 751 } 752 753 /* Update the counters. */ |
754 V_espstat.esps_obytes += m->m_pkthdr.len - skip; | 754 ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip); |
755 756 m = m_unshare(m, M_NOWAIT); 757 if (m == NULL) { 758 DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, 759 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); | 755 756 m = m_unshare(m, M_NOWAIT); 757 if (m == NULL) { 758 DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, 759 ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); |
760 V_espstat.esps_hdrops++; | 760 ESPSTAT_INC(esps_hdrops); |
761 error = ENOBUFS; 762 goto bad; 763 } 764 765 /* Inject ESP header. */ 766 mo = m_makespace(m, skip, hlen, &roff); 767 if (mo == NULL) { 768 DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n", 769 __func__, hlen, ipsec_address(&saidx->dst), 770 (u_long) ntohl(sav->spi))); | 761 error = ENOBUFS; 762 goto bad; 763 } 764 765 /* Inject ESP header. */ 766 mo = m_makespace(m, skip, hlen, &roff); 767 if (mo == NULL) { 768 DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n", 769 __func__, hlen, ipsec_address(&saidx->dst), 770 (u_long) ntohl(sav->spi))); |
771 V_espstat.esps_hdrops++; /* XXX diffs from openbsd */ | 771 ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */ |
772 error = ENOBUFS; 773 goto bad; 774 } 775 776 /* Initialize ESP header. */ 777 bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff, sizeof(u_int32_t)); 778 if (sav->replay) { 779 u_int32_t replay; --- 47 unchanged lines hidden (view full) --- 827 prot = IPPROTO_ESP; 828 m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); 829 830 /* Get crypto descriptors. */ 831 crp = crypto_getreq(esph && espx ? 2 : 1); 832 if (crp == NULL) { 833 DPRINTF(("%s: failed to acquire crypto descriptors\n", 834 __func__)); | 772 error = ENOBUFS; 773 goto bad; 774 } 775 776 /* Initialize ESP header. */ 777 bcopy((caddr_t) &sav->spi, mtod(mo, caddr_t) + roff, sizeof(u_int32_t)); 778 if (sav->replay) { 779 u_int32_t replay; --- 47 unchanged lines hidden (view full) --- 827 prot = IPPROTO_ESP; 828 m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); 829 830 /* Get crypto descriptors. */ 831 crp = crypto_getreq(esph && espx ? 2 : 1); 832 if (crp == NULL) { 833 DPRINTF(("%s: failed to acquire crypto descriptors\n", 834 __func__)); |
835 V_espstat.esps_crypto++; | 835 ESPSTAT_INC(esps_crypto); |
836 error = ENOBUFS; 837 goto bad; 838 } 839 840 if (espx) { 841 crde = crp->crp_desc; 842 crda = crde->crd_next; 843 --- 12 unchanged lines hidden (view full) --- 856 crda = crp->crp_desc; 857 858 /* IPsec-specific opaque crypto info. */ 859 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), 860 M_XDATA, M_NOWAIT|M_ZERO); 861 if (tc == NULL) { 862 crypto_freereq(crp); 863 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); | 836 error = ENOBUFS; 837 goto bad; 838 } 839 840 if (espx) { 841 crde = crp->crp_desc; 842 crda = crde->crd_next; 843 --- 12 unchanged lines hidden (view full) --- 856 crda = crp->crp_desc; 857 858 /* IPsec-specific opaque crypto info. */ 859 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), 860 M_XDATA, M_NOWAIT|M_ZERO); 861 if (tc == NULL) { 862 crypto_freereq(crp); 863 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); |
864 V_espstat.esps_crypto++; | 864 ESPSTAT_INC(esps_crypto); |
865 error = ENOBUFS; 866 goto bad; 867 } 868 869 /* Callback parameters */ 870 tc->tc_isr = isr; 871 KEY_ADDREFSA(sav); 872 tc->tc_sav = sav; --- 44 unchanged lines hidden (view full) --- 917 IPSEC_ASSERT(tc != NULL, ("null opaque data area!")); 918 m = (struct mbuf *) crp->crp_buf; 919 920 isr = tc->tc_isr; 921 IPSECREQUEST_LOCK(isr); 922 sav = tc->tc_sav; 923 /* With the isr lock released SA pointer can be updated. */ 924 if (sav != isr->sav) { | 865 error = ENOBUFS; 866 goto bad; 867 } 868 869 /* Callback parameters */ 870 tc->tc_isr = isr; 871 KEY_ADDREFSA(sav); 872 tc->tc_sav = sav; --- 44 unchanged lines hidden (view full) --- 917 IPSEC_ASSERT(tc != NULL, ("null opaque data area!")); 918 m = (struct mbuf *) crp->crp_buf; 919 920 isr = tc->tc_isr; 921 IPSECREQUEST_LOCK(isr); 922 sav = tc->tc_sav; 923 /* With the isr lock released SA pointer can be updated. */ 924 if (sav != isr->sav) { |
925 V_espstat.esps_notdb++; | 925 ESPSTAT_INC(esps_notdb); |
926 DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n", 927 __func__, ipsec_address(&tc->tc_dst), 928 (u_long) ntohl(tc->tc_spi), tc->tc_proto)); 929 error = ENOBUFS; /*XXX*/ 930 goto bad; 931 } 932 933 /* Check for crypto errors. */ 934 if (crp->crp_etype) { 935 /* Reset session ID. */ 936 if (sav->tdb_cryptoid != 0) 937 sav->tdb_cryptoid = crp->crp_sid; 938 939 if (crp->crp_etype == EAGAIN) { 940 IPSECREQUEST_UNLOCK(isr); 941 return (crypto_dispatch(crp)); 942 } 943 | 926 DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n", 927 __func__, ipsec_address(&tc->tc_dst), 928 (u_long) ntohl(tc->tc_spi), tc->tc_proto)); 929 error = ENOBUFS; /*XXX*/ 930 goto bad; 931 } 932 933 /* Check for crypto errors. */ 934 if (crp->crp_etype) { 935 /* Reset session ID. */ 936 if (sav->tdb_cryptoid != 0) 937 sav->tdb_cryptoid = crp->crp_sid; 938 939 if (crp->crp_etype == EAGAIN) { 940 IPSECREQUEST_UNLOCK(isr); 941 return (crypto_dispatch(crp)); 942 } 943 |
944 V_espstat.esps_noxform++; | 944 ESPSTAT_INC(esps_noxform); |
945 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 946 error = crp->crp_etype; 947 goto bad; 948 } 949 950 /* Shouldn't happen... */ 951 if (m == NULL) { | 945 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 946 error = crp->crp_etype; 947 goto bad; 948 } 949 950 /* Shouldn't happen... */ 951 if (m == NULL) { |
952 V_espstat.esps_crypto++; | 952 ESPSTAT_INC(esps_crypto); |
953 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 954 error = EINVAL; 955 goto bad; 956 } | 953 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 954 error = EINVAL; 955 goto bad; 956 } |
957 V_espstat.esps_hist[sav->alg_enc]++; | 957 ESPSTAT_INC(esps_hist[sav->alg_enc]); |
958 if (sav->tdb_authalgxform != NULL) | 958 if (sav->tdb_authalgxform != NULL) |
959 V_ahstat.ahs_hist[sav->alg_auth]++; | 959 AHSTAT_INC(ahs_hist[sav->alg_auth]); |
960 961 /* Release crypto descriptors. */ 962 free(tc, M_XDATA); 963 crypto_freereq(crp); 964 965#ifdef REGRESSION 966 /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ 967 if (V_ipsec_integrity) { --- 56 unchanged lines hidden --- | 960 961 /* Release crypto descriptors. */ 962 free(tc, M_XDATA); 963 crypto_freereq(crp); 964 965#ifdef REGRESSION 966 /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ 967 if (V_ipsec_integrity) { --- 56 unchanged lines hidden --- |