diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index b43989ac8ab3..c3c860949a08 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.49 2017/04/14 22:29:17 christos Exp $ */ +/* $NetBSD: xform_ah.c,v 1.50 2017/04/15 22:01:57 christos Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.49 2017/04/14 22:29:17 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.50 2017/04/15 22:01:57 christos Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -94,7 +94,7 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.49 2017/04/14 22:29:17 christos Exp $ */ #define HDRSIZE(sav) \ (((sav)->flags & SADB_X_EXT_OLD) ? \ - sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t)) + sizeof(struct ah) : sizeof(struct ah) + sizeof(uint32_t)) /* * Return authenticator size in bytes. The old protocol is known * to use a fixed 16-byte authenticator. The new algorithm gets @@ -121,8 +121,8 @@ SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS, static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ -static int ah_input_cb(struct cryptop*); -static int ah_output_cb(struct cryptop*); +static int ah_input_cb(struct cryptop *); +static int ah_output_cb(struct cryptop *); const uint8_t ah_stats[256] = { SADB_AALG_STATS_INIT }; @@ -169,10 +169,10 @@ ah_hdrsiz(const struct secasvar *sav) ("%s: null xform", __func__)); /*XXX not right for null algorithm--does it matter??*/ authsize = AUTHSIZE(sav); - size = roundup(authsize, sizeof (u_int32_t)) + HDRSIZE(sav); + size = roundup(authsize, sizeof(uint32_t)) + HDRSIZE(sav); } else { /* default guess */ - size = sizeof (struct ah) + sizeof (u_int32_t) + 16; + size = sizeof(struct ah) + sizeof(uint32_t) + 16; } return size; } @@ -223,7 +223,7 @@ ah_init0(struct secasvar *sav, const struct xformsw *xsp, sav->tdb_authalgxform = thash; /* Initialize crypto session. */ - memset(cria, 0, sizeof (*cria)); + memset(cria, 0, sizeof(*cria)); cria->cri_alg = sav->tdb_authalgxform->type; cria->cri_klen = _KEYBITS(sav->key_auth); cria->cri_key = _KEYBUF(sav->key_auth); @@ -284,6 +284,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) #ifdef INET6 struct ip6_ext *ip6e; struct ip6_hdr ip6; + struct ip6_rthdr *rh; int alloc, ad, nxt; #endif /* INET6 */ @@ -325,7 +326,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) #define TOHOST(x) (ntohs(x)) #endif if (!out) { - u_int16_t inlen = TOHOST(ip->ip_len); + uint16_t inlen = TOHOST(ip->ip_len); #ifdef __FreeBSD__ ip->ip_len = htons(inlen + skip); @@ -408,9 +409,10 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) * will look like. */ if (out) - bcopy(ptr + off + ptr[off + 1] - + memcpy(&ip->ip_dst, + ptr + off + ptr[off + 1] - sizeof(struct in_addr), - &(ip->ip_dst), sizeof(struct in_addr)); + sizeof(struct in_addr)); /* Fall through */ default: @@ -472,8 +474,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) /* Let's deal with the remaining headers (if any). */ if (skip - sizeof(struct ip6_hdr) > 0) { if (m->m_len <= skip) { - ptr = (unsigned char *) malloc( - skip - sizeof(struct ip6_hdr), + ptr = malloc(skip - sizeof(struct ip6_hdr), M_XDATA, M_NOWAIT); if (ptr == NULL) { DPRINTF(("%s: failed to allocate " @@ -561,48 +562,44 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) * Always include routing headers in * computation. */ - { - struct ip6_rthdr *rh; + ip6e = (struct ip6_ext *) (ptr + off); + rh = (struct ip6_rthdr *)(ptr + off); + /* + * must adjust content to make it look like + * its final form (as seen at the final + * destination). + * we only know how to massage type 0 routing + * header. + */ + if (out && rh->ip6r_type == IPV6_RTHDR_TYPE_0) { + struct ip6_rthdr0 *rh0; + struct in6_addr *addr, finaldst; + int i; - ip6e = (struct ip6_ext *) (ptr + off); - rh = (struct ip6_rthdr *)(ptr + off); - /* - * must adjust content to make it look like - * its final form (as seen at the final - * destination). - * we only know how to massage type 0 routing - * header. - */ - if (out && rh->ip6r_type == IPV6_RTHDR_TYPE_0) { - struct ip6_rthdr0 *rh0; - struct in6_addr *addr, finaldst; - int i; + rh0 = (struct ip6_rthdr0 *)rh; + addr = (struct in6_addr *)(rh0 + 1); - rh0 = (struct ip6_rthdr0 *)rh; - addr = (struct in6_addr *)(rh0 + 1); + for (i = 0; i < rh0->ip6r0_segleft; i++) + in6_clearscope(&addr[i]); - for (i = 0; i < rh0->ip6r0_segleft; i++) - in6_clearscope(&addr[i]); + finaldst = addr[rh0->ip6r0_segleft - 1]; + memmove(&addr[1], &addr[0], + sizeof(struct in6_addr) * + (rh0->ip6r0_segleft - 1)); - finaldst = addr[rh0->ip6r0_segleft - 1]; - memmove(&addr[1], &addr[0], - sizeof(struct in6_addr) * - (rh0->ip6r0_segleft - 1)); + m_copydata(m, 0, sizeof(ip6), &ip6); + addr[0] = ip6.ip6_dst; + ip6.ip6_dst = finaldst; + m_copyback(m, 0, sizeof(ip6), &ip6); - m_copydata(m, 0, sizeof(ip6), &ip6); - addr[0] = ip6.ip6_dst; - ip6.ip6_dst = finaldst; - m_copyback(m, 0, sizeof(ip6), &ip6); - - rh0->ip6r0_segleft = 0; - } - - /* advance */ - off += ((ip6e->ip6e_len + 1) << 3); - nxt = ip6e->ip6e_nxt; - break; + rh0->ip6r0_segleft = 0; } + /* advance */ + off += ((ip6e->ip6e_len + 1) << 3); + nxt = ip6e->ip6e_nxt; + break; + default: DPRINTF(("%s: unexpected IPv6 header type %d\n", __func__, off)); @@ -643,7 +640,7 @@ ah_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) struct cryptodesc *crda; struct cryptop *crp; - IPSEC_SPLASSERT_SOFTNET("ah_input"); + IPSEC_SPLASSERT_SOFTNET(__func__); IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__)); IPSEC_ASSERT(sav->key_auth != NULL, @@ -673,13 +670,13 @@ ah_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) } /* Verify AH header length. */ - hl = ah->ah_len * sizeof (u_int32_t); + hl = ah->ah_len * sizeof(uint32_t); ahx = sav->tdb_authalgxform; authsize = AUTHSIZE(sav); - if (hl != authsize + rplen - sizeof (struct ah)) { + if (hl != authsize + rplen - sizeof(struct ah)) { DPRINTF(("%s: bad authenticator length %u (expecting %lu)" " for packet in SA %s/%08lx\n", __func__, - hl, (u_long) (authsize + rplen - sizeof (struct ah)), + hl, (u_long) (authsize + rplen - sizeof(struct ah)), ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_BADAUTHL); @@ -717,7 +714,7 @@ ah_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) if (tdbi->proto == sav->sah->saidx.proto && tdbi->spi == sav->spi && !memcmp(&tdbi->dst, &sav->sah->saidx.dst, - sizeof (union sockaddr_union))) + sizeof(union sockaddr_union))) break; } @@ -822,20 +819,20 @@ ah_input_cb(struct cryptop *crp) struct m_tag *mtag; struct secasvar *sav; struct secasindex *saidx; - u_int8_t nxt; + uint8_t nxt; char *ptr; int s, authsize; - u_int16_t dport; - u_int16_t sport; + uint16_t dport; + uint16_t sport; - tc = (struct tdb_crypto *) crp->crp_opaque; + tc = crp->crp_opaque; IPSEC_ASSERT(tc != NULL, ("%s: null opaque crypto data area!", __func__)); skip = tc->tc_skip; nxt = tc->tc_nxt; protoff = tc->tc_protoff; - mtag = (struct m_tag *) tc->tc_ptr; - m = (struct mbuf *) crp->crp_buf; + mtag = tc->tc_ptr; + m = crp->crp_buf; /* find the source port for NAT-T */ @@ -902,8 +899,8 @@ ah_input_cb(struct cryptop *crp) * it has been verified by an IPsec-aware NIC. */ if (mtag == NULL) { - ptr = (char *) (tc + 1); - const u_int8_t *pppp = ptr + skip + rplen; + ptr = (char *)(tc + 1); + const uint8_t *pppp = ptr + skip + rplen; /* Verify authenticator. */ if (!consttime_memequal(pppp, calc, authsize)) { @@ -928,13 +925,13 @@ ah_input_cb(struct cryptop *crp) } /* Fix the Next Protocol field. */ - ((u_int8_t *) ptr)[protoff] = nxt; + ptr[protoff] = nxt; /* Copyback the saved (uncooked) network headers. */ m_copyback(m, 0, skip, ptr); } else { /* Fix the Next Protocol field. */ - m_copyback(m, protoff, sizeof(u_int8_t), &nxt); + m_copyback(m, protoff, sizeof(uint8_t), &nxt); } free(tc, M_XDATA), tc = NULL; /* No longer needed */ @@ -948,10 +945,10 @@ ah_input_cb(struct cryptop *crp) * Update replay sequence number, if appropriate. */ if (sav->replay) { - u_int32_t seq; + uint32_t seq; m_copydata(m, skip + offsetof(struct newah, ah_seq), - sizeof (seq), &seq); + sizeof(seq), &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { AH_STATINC(AH_STAT_REPLAY); error = ENOBUFS; /*XXX as above*/ @@ -1014,7 +1011,7 @@ ah_output( uint8_t prot; struct newah *ah; - IPSEC_SPLASSERT_SOFTNET("ah_output"); + IPSEC_SPLASSERT_SOFTNET(__func__); sav = isr->sav; IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__)); @@ -1096,8 +1093,8 @@ ah_output( ah = (struct newah *)(mtod(mi, char *) + roff); /* Initialize the AH header. */ - m_copydata(m, protoff, sizeof(u_int8_t), &ah->ah_nxt); - ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(u_int32_t); + m_copydata(m, protoff, sizeof(uint8_t), &ah->ah_nxt); + ah->ah_len = (rplen + authsize - sizeof(struct ah)) / sizeof(uint32_t); ah->ah_reserve = 0; ah->ah_spi = sav->spi; @@ -1221,11 +1218,11 @@ ah_output_cb(struct cryptop *crp) void *ptr; int s, err; - tc = (struct tdb_crypto *) crp->crp_opaque; + tc = crp->crp_opaque; IPSEC_ASSERT(tc != NULL, ("%s: null opaque data area!", __func__)); skip = tc->tc_skip; ptr = (tc + 1); - m = (struct mbuf *) crp->crp_buf; + m = crp->crp_buf; s = splsoftnet(); mutex_enter(softnet_lock); diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index 033164d7c682..ef3a4850ad08 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.50 2017/04/13 16:38:32 christos Exp $ */ +/* $NetBSD: xform_esp.c,v 1.51 2017/04/15 22:01:57 christos Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.50 2017/04/13 16:38:32 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.51 2017/04/15 22:01:57 christos Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -154,11 +154,11 @@ esp_hdrsiz(const struct secasvar *sav) if (sav != NULL) { /*XXX not right for null algorithm--does it matter??*/ IPSEC_ASSERT(sav->tdb_encalgxform != NULL, - ("esp_hdrsiz: SA with null xform")); + ("%s: SA with null xform", __func__)); if (sav->flags & SADB_X_EXT_OLD) - size = sizeof (struct esp); + size = sizeof(struct esp); else - size = sizeof (struct newesp); + size = sizeof(struct newesp); size += sav->tdb_encalgxform->ivsize + 9; /*XXX need alg check???*/ if (sav->tdb_authalgxform != NULL && sav->replay) @@ -168,11 +168,11 @@ esp_hdrsiz(const struct secasvar *sav) * base header size * + max iv length for CBC mode * + max pad length - * + sizeof (pad length field) - * + sizeof (next header field) + * + sizeof(pad length field) + * + sizeof(next header field) * + max icv supported. */ - size = sizeof (struct newesp) + esp_max_ivlen + 9 + 16; + size = sizeof(struct newesp) + esp_max_ivlen + 9 + 16; } return size; } @@ -259,7 +259,7 @@ esp_init(struct secasvar *sav, const struct xformsw *xsp) } /* Initialize crypto session. */ - memset(&crie, 0, sizeof (crie)); + memset(&crie, 0, sizeof(crie)); crie.cri_alg = sav->tdb_encalgxform->type; crie.cri_klen = _KEYBITS(sav->key_enc); crie.cri_key = _KEYBUF(sav->key_enc); @@ -316,26 +316,26 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) struct cryptodesc *crde; struct cryptop *crp; - IPSEC_SPLASSERT_SOFTNET("esp_input"); + IPSEC_SPLASSERT_SOFTNET(__func__); - IPSEC_ASSERT(sav != NULL, ("esp_input: null SA")); + IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__)); IPSEC_ASSERT(sav->tdb_encalgxform != NULL, - ("esp_input: null encoding xform")); + ("%s: null encoding xform", __func__)); IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0, - ("esp_input: misaligned packet, skip %u pkt len %u", - skip, m->m_pkthdr.len)); + ("%s: misaligned packet, skip %u pkt len %u", __func__, + skip, m->m_pkthdr.len)); /* XXX don't pullup, just copy header */ - IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp)); + IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof(struct newesp)); esph = sav->tdb_authalgxform; espx = sav->tdb_encalgxform; /* Determine the ESP header length */ if (sav->flags & SADB_X_EXT_OLD) - hlen = sizeof (struct esp) + sav->ivlen; + hlen = sizeof(struct esp) + sav->ivlen; else - hlen = sizeof (struct newesp) + sav->ivlen; + hlen = sizeof(struct newesp) + sav->ivlen; /* Authenticator hash size */ alen = esph ? esph->authsize : 0; @@ -349,10 +349,8 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) */ plen = m->m_pkthdr.len - (skip + hlen + alen); if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { - DPRINTF(("esp_input: " - "payload of %d octets not a multiple of %d octets," - " SA %s/%08lx\n", - plen, espx->blocksize, + DPRINTF(("%s: payload of %d octets not a multiple of %d octets," + " SA %s/%08lx\n", __func__, plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_BADILEN); @@ -364,8 +362,8 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) * Check sequence number. */ if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { - DPRINTF(("esp_input: packet replay check for %s\n", - ipsec_logsastr(sav))); /*XXX*/ + DPRINTF(("%s: packet replay check for %s\n", + __func__, ipsec_logsastr(sav))); /*XXX*/ ESP_STATINC(ESP_STAT_REPLAY); m_freem(m); return ENOBUFS; /*XXX*/ @@ -389,35 +387,25 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) /* Get crypto descriptors */ crp = crypto_getreq(esph && espx ? 2 : 1); if (crp == NULL) { - DPRINTF(("esp_input: failed to acquire crypto descriptors\n")); - ESP_STATINC(ESP_STAT_CRYPTO); - m_freem(m); - return ENOBUFS; + DPRINTF(("%s: failed to acquire crypto descriptors\n", + __func__)); + error = ENOBUFS; + goto out; } /* Get IPsec-specific opaque pointer */ - if (esph == NULL || mtag != NULL) - tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), - M_XDATA, M_NOWAIT|M_ZERO); - else - tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto) + alen, - M_XDATA, M_NOWAIT|M_ZERO); + size_t extra = esph == NULL || mtag != NULL ? 0 : alen; + tc = malloc(sizeof(*tc) + extra, M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { - crypto_freereq(crp); - DPRINTF(("esp_input: failed to allocate tdb_crypto\n")); - ESP_STATINC(ESP_STAT_CRYPTO); - m_freem(m); - return ENOBUFS; + DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); + error = ENOBUFS; + goto out1; } error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT); if (error) { - m_freem(m); - free(tc, M_XDATA); - crypto_freereq(crp); - DPRINTF(("esp_input: m_makewritable failed\n")); - ESP_STATINC(ESP_STAT_CRYPTO); - return error; + DPRINTF(("%s: m_makewritable failed\n", __func__)); + goto out2; } tc->tc_ptr = mtag; @@ -425,7 +413,8 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) if (esph) { struct cryptodesc *crda = crp->crp_desc; - IPSEC_ASSERT(crda != NULL, ("esp_input: null ah crypto descriptor")); + IPSEC_ASSERT(crda != NULL, ("%s: null ah crypto descriptor", + __func__)); /* Authentication descriptor */ crda->crd_skip = skip; @@ -447,8 +436,7 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) /* Copy the authenticator */ if (mtag == NULL) - m_copydata(m, m->m_pkthdr.len - alen, alen, - (tc + 1)); + m_copydata(m, m->m_pkthdr.len - alen, alen, (tc + 1)); /* Chain authentication request */ crde = crda->crd_next; @@ -473,7 +461,8 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) /* Decryption descriptor */ if (espx) { - IPSEC_ASSERT(crde != NULL, ("esp_input: null esp crypto descriptor")); + IPSEC_ASSERT(crde != NULL, ("%s: null esp crypto descriptor", + __func__)); crde->crd_skip = skip + hlen; if (espx->type == CRYPTO_AES_GMAC) crde->crd_len = 0; @@ -491,6 +480,15 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) return crypto_dispatch(crp); else return esp_input_cb(crp); + +out2: + free(tc, M_XDATA); +out1: + crypto_freereq(crp); +out: + ESP_STATINC(ESP_STAT_CRYPTO); + m_freem(m); + return error; } #ifdef INET6 @@ -512,7 +510,7 @@ esp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) static int esp_input_cb(struct cryptop *crp) { - u_int8_t lastthree[3], aalg[AH_ALEN_MAX]; + uint8_t lastthree[3], aalg[AH_ALEN_MAX]; int s, hlen, skip, protoff, error; struct mbuf *m; struct cryptodesc *crd __diagused; @@ -522,18 +520,19 @@ esp_input_cb(struct cryptop *crp) struct secasvar *sav; struct secasindex *saidx; void *ptr; - u_int16_t dport; - u_int16_t sport; + uint16_t dport; + uint16_t sport; crd = crp->crp_desc; - IPSEC_ASSERT(crd != NULL, ("esp_input_cb: null crypto descriptor!")); + IPSEC_ASSERT(crd != NULL, ("%s: null crypto descriptor!", __func__)); - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("esp_input_cb: null opaque crypto data area!")); + tc = crp->crp_opaque; + IPSEC_ASSERT(tc != NULL, ("%s: null opaque crypto data area!", + __func__)); skip = tc->tc_skip; protoff = tc->tc_protoff; - mtag = (struct m_tag *) tc->tc_ptr; - m = (struct mbuf *) crp->crp_buf; + mtag = tc->tc_ptr; + m = crp->crp_buf; /* find the source port for NAT-T */ nat_t_ports_get(m, &dport, &sport); @@ -544,8 +543,9 @@ esp_input_cb(struct cryptop *crp) sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); if (sav == NULL) { ESP_STATINC(ESP_STAT_NOTDB); - DPRINTF(("esp_input_cb: SA expired while in crypto " - "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst), + DPRINTF(("%s: SA expired while in crypto " + "(SA %s/%08lx proto %u)\n", __func__, + ipsec_address(&tc->tc_dst), (u_long) ntohl(tc->tc_spi), tc->tc_proto)); error = ENOBUFS; /*XXX*/ goto bad; @@ -553,9 +553,9 @@ esp_input_cb(struct cryptop *crp) saidx = &sav->sah->saidx; IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || - saidx->dst.sa.sa_family == AF_INET6, - ("esp_input_cb: unexpected protocol family %u", - saidx->dst.sa.sa_family)); + saidx->dst.sa.sa_family == AF_INET6, + ("%s: unexpected protocol family %u", __func__, + saidx->dst.sa.sa_family)); esph = sav->tdb_authalgxform; @@ -573,7 +573,7 @@ esp_input_cb(struct cryptop *crp) } ESP_STATINC(ESP_STAT_NOXFORM); - DPRINTF(("esp_input_cb: crypto error %d\n", crp->crp_etype)); + DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } @@ -581,7 +581,7 @@ esp_input_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { ESP_STATINC(ESP_STAT_CRYPTO); - DPRINTF(("esp_input_cb: bogus returned buffer from crypto\n")); + DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } @@ -604,8 +604,8 @@ esp_input_cb(struct cryptop *crp) /* Verify authenticator */ if (!consttime_memequal(ptr, aalg, esph->authsize)) { - DPRINTF(("esp_input_cb: " - "authentication hash mismatch for packet in SA %s/%08lx\n", + DPRINTF(("%s: authentication hash mismatch " + "for packet in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_BADAUTH); @@ -631,10 +631,10 @@ esp_input_cb(struct cryptop *crp) * Update replay sequence number, if appropriate. */ if (sav->replay) { - u_int32_t seq; + uint32_t seq; m_copydata(m, skip + offsetof(struct newesp, esp_seq), - sizeof (seq), &seq); + sizeof(seq), &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav))); @@ -646,15 +646,15 @@ esp_input_cb(struct cryptop *crp) /* Determine the ESP header length */ if (sav->flags & SADB_X_EXT_OLD) - hlen = sizeof (struct esp) + sav->ivlen; + hlen = sizeof(struct esp) + sav->ivlen; else - hlen = sizeof (struct newesp) + sav->ivlen; + hlen = sizeof(struct newesp) + sav->ivlen; /* Remove the ESP header and IV from the mbuf. */ error = m_striphdr(m, skip, hlen); if (error) { ESP_STATINC(ESP_STAT_HDROPS); - DPRINTF(("esp_input_cb: bad mbuf chain, SA %s/%08lx\n", + DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); goto bad; @@ -666,11 +666,11 @@ esp_input_cb(struct cryptop *crp) /* Verify pad length */ if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { ESP_STATINC(ESP_STAT_BADILEN); - DPRINTF(("esp_input_cb: invalid padding length %d " - "for %u byte packet in SA %s/%08lx\n", - lastthree[1], m->m_pkthdr.len - skip, - ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + DPRINTF(("%s: invalid padding length %d " + "for %u byte packet in SA %s/%08lx\n", __func__, + lastthree[1], m->m_pkthdr.len - skip, + ipsec_address(&sav->sah->saidx.dst), + (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; } @@ -679,11 +679,12 @@ esp_input_cb(struct cryptop *crp) if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) { if (lastthree[1] != lastthree[0] && lastthree[1] != 0) { ESP_STATINC(ESP_STAT_BADENC); - DPRINTF(("esp_input_cb: decryption failed " - "for packet in SA %s/%08lx\n", - ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); -DPRINTF(("esp_input_cb: %x %x\n", lastthree[0], lastthree[1])); + DPRINTF(("%s: decryption failed for packet in SA " + "%s/%08lx\n", __func__, + ipsec_address(&sav->sah->saidx.dst), + (u_long) ntohl(sav->spi))); + DPRINTF(("%s: %x %x\n", __func__, lastthree[0], + lastthree[1])); error = EINVAL; goto bad; } @@ -693,7 +694,7 @@ DPRINTF(("esp_input_cb: %x %x\n", lastthree[0], lastthree[1])); m_adj(m, -(lastthree[1] + 2)); /* Restore the Next Protocol field */ - m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2); + m_copyback(m, protoff, sizeof(uint8_t), lastthree + 2); IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); @@ -735,24 +736,24 @@ esp_output( const struct secasvar *sav; struct secasindex *saidx; unsigned char *pad; - u_int8_t prot; + uint8_t prot; int error, maxpacketsize; struct cryptodesc *crde = NULL, *crda = NULL; struct cryptop *crp; - IPSEC_SPLASSERT_SOFTNET("esp_output"); + IPSEC_SPLASSERT_SOFTNET(__func__); sav = isr->sav; - IPSEC_ASSERT(sav != NULL, ("esp_output: null SA")); + IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__)); esph = sav->tdb_authalgxform; espx = sav->tdb_encalgxform; - IPSEC_ASSERT(espx != NULL, ("esp_output: null encoding xform")); + IPSEC_ASSERT(espx != NULL, ("%s: null encoding xform", __func__)); if (sav->flags & SADB_X_EXT_OLD) - hlen = sizeof (struct esp) + sav->ivlen; + hlen = sizeof(struct esp) + sav->ivlen; else - hlen = sizeof (struct newesp) + sav->ivlen; + hlen = sizeof(struct newesp) + sav->ivlen; rlen = m->m_pkthdr.len - skip; /* Raw payload length. */ /* @@ -785,18 +786,17 @@ esp_output( break; #endif /* INET6 */ default: - DPRINTF(("esp_output: unknown/unsupported protocol " - "family %d, SA %s/%08lx\n", - saidx->dst.sa.sa_family, ipsec_address(&saidx->dst), - (u_long) ntohl(sav->spi))); + DPRINTF(("%s: unknown/unsupported protocol family %d, " + "SA %s/%08lx\n", __func__, saidx->dst.sa.sa_family, + ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_NOPF); error = EPFNOSUPPORT; goto bad; } if (skip + hlen + rlen + padding + alen > maxpacketsize) { - DPRINTF(("esp_output: packet in SA %s/%08lx got too big " - "(len %u, max len %u)\n", - ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi), + DPRINTF(("%s: packet in SA %s/%08lx got too big (len %u, " + "max len %u)\n", __func__, ipsec_address(&saidx->dst), + (u_long) ntohl(sav->spi), skip + hlen + rlen + padding + alen, maxpacketsize)); ESP_STATINC(ESP_STAT_TOOBIG); error = EMSGSIZE; @@ -808,7 +808,7 @@ esp_output( m = m_clone(m); if (m == NULL) { - DPRINTF(("esp_output: cannot clone mbuf chain, SA %s/%08lx\n", + DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_HDROPS); error = ENOBUFS; @@ -818,9 +818,8 @@ esp_output( /* Inject ESP header. */ mo = m_makespace(m, skip, hlen, &roff); if (mo == NULL) { - DPRINTF(("esp_output: failed to inject %u byte ESP hdr for SA " - "%s/%08lx\n", - hlen, ipsec_address(&saidx->dst), + DPRINTF(("%s: failed to inject %u byte ESP hdr for SA " + "%s/%08lx\n", __func__, hlen, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_HDROPS); /* XXX diffs from openbsd */ error = ENOBUFS; @@ -828,9 +827,9 @@ esp_output( } /* Initialize ESP header. */ - memcpy(mtod(mo, char *) + roff, &sav->spi, sizeof(u_int32_t)); + memcpy(mtod(mo, char *) + roff, &sav->spi, sizeof(uint32_t)); if (sav->replay) { - u_int32_t replay; + uint32_t replay; #ifdef IPSEC_DEBUG /* Emulate replay attack when ipsec_replay is TRUE. */ @@ -839,18 +838,17 @@ esp_output( sav->replay->count++; replay = htonl(sav->replay->count); - bcopy(&replay, - mtod(mo,char *) + roff + sizeof(u_int32_t), - sizeof(u_int32_t)); + memcpy(mtod(mo,char *) + roff + sizeof(uint32_t), &replay, + sizeof(uint32_t)); } /* * Add padding -- better to do it ourselves than use the crypto engine, * although if/when we support compression, we'd have to do that. */ - pad = (u_char *) m_pad(m, padding + alen); + pad = m_pad(m, padding + alen); if (pad == NULL) { - DPRINTF(("esp_output: m_pad failed for SA %s/%08lx\n", + DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); m = NULL; /* NB: free'd by m_pad */ error = ENOBUFS; @@ -876,16 +874,17 @@ esp_output( /* Fix padding length and Next Protocol in padding itself. */ pad[padding - 2] = padding - 2; - m_copydata(m, protoff, sizeof(u_int8_t), pad + padding - 1); + m_copydata(m, protoff, sizeof(uint8_t), pad + padding - 1); /* Fix Next Protocol in IPv4/IPv6 header. */ prot = IPPROTO_ESP; - m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); + m_copyback(m, protoff, sizeof(uint8_t), &prot); /* Get crypto descriptors. */ crp = crypto_getreq(esph && espx ? 2 : 1); if (crp == NULL) { - DPRINTF(("esp_output: failed to acquire crypto descriptors\n")); + DPRINTF(("%s: failed to acquire crypto descriptors\n", + __func__)); ESP_STATINC(ESP_STAT_CRYPTO); error = ENOBUFS; goto bad; @@ -913,11 +912,10 @@ esp_output( crda = crp->crp_desc; /* IPsec-specific opaque crypto info. */ - tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), - M_XDATA, M_NOWAIT|M_ZERO); + tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { crypto_freereq(crp); - DPRINTF(("esp_output: failed to allocate tdb_crypto\n")); + DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); ESP_STATINC(ESP_STAT_CRYPTO); error = ENOBUFS; goto bad; @@ -977,9 +975,9 @@ esp_output_cb(struct cryptop *crp) struct mbuf *m; int s, err, error; - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("esp_output_cb: null opaque data area!")); - m = (struct mbuf *) crp->crp_buf; + tc = crp->crp_opaque; + IPSEC_ASSERT(tc != NULL, ("%s: null opaque data area!", __func__)); + m = crp->crp_buf; s = splsoftnet(); mutex_enter(softnet_lock); @@ -988,14 +986,14 @@ esp_output_cb(struct cryptop *crp) sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); if (sav == NULL) { ESP_STATINC(ESP_STAT_NOTDB); - DPRINTF(("esp_output_cb: SA expired while in crypto " - "(SA %s/%08lx proto %u)\n", ipsec_address(&tc->tc_dst), + DPRINTF(("%s: SA expired while in crypto (SA %s/%08lx " + "proto %u)\n", __func__, ipsec_address(&tc->tc_dst), (u_long) ntohl(tc->tc_spi), tc->tc_proto)); error = ENOBUFS; /*XXX*/ goto bad; } IPSEC_ASSERT(isr->sav == sav, - ("esp_output_cb: SA changed was %p now %p\n", isr->sav, sav)); + ("%s: SA changed was %p now %p", __func__, isr->sav, sav)); /* Check for crypto errors. */ if (crp->crp_etype) { @@ -1011,7 +1009,7 @@ esp_output_cb(struct cryptop *crp) } ESP_STATINC(ESP_STAT_NOXFORM); - DPRINTF(("esp_output_cb: crypto error %d\n", crp->crp_etype)); + DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } @@ -1019,7 +1017,7 @@ esp_output_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { ESP_STATINC(ESP_STAT_CRYPTO); - DPRINTF(("esp_output_cb: bogus returned buffer from crypto\n")); + DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c index 8ad878d8f264..c0595daad083 100644 --- a/sys/netipsec/xform_ipcomp.c +++ b/sys/netipsec/xform_ipcomp.c @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.33 2017/04/13 16:38:32 christos Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.34 2017/04/15 22:01:57 christos Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ @@ -30,7 +30,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.33 2017/04/13 16:38:32 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.34 2017/04/15 22:01:57 christos Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) @@ -116,8 +116,8 @@ ipcomp_init(struct secasvar *sav, const struct xformsw *xsp) /* NB: algorithm really comes in alg_enc and not alg_comp! */ tcomp = ipcomp_algorithm_lookup(sav->alg_enc); if (tcomp == NULL) { - DPRINTF(("ipcomp_init: unsupported compression algorithm %d\n", - sav->alg_comp)); + DPRINTF(("%s: unsupported compression algorithm %d\n", + __func__, sav->alg_comp)); return EINVAL; } sav->alg_comp = sav->alg_enc; /* set for doing histogram */ @@ -125,7 +125,7 @@ ipcomp_init(struct secasvar *sav, const struct xformsw *xsp) sav->tdb_compalgxform = tcomp; /* Initialize crypto session */ - memset(&cric, 0, sizeof (cric)); + memset(&cric, 0, sizeof(cric)); cric.cri_alg = sav->tdb_compalgxform->type; ses = crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support); @@ -156,29 +156,29 @@ ipcomp_input(struct mbuf *m, const struct secasvar *sav, int skip, int protoff) struct cryptop *crp; int error, hlen = IPCOMP_HLENGTH; - IPSEC_SPLASSERT_SOFTNET("ipcomp_input"); + IPSEC_SPLASSERT_SOFTNET(__func__); /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { m_freem(m); - DPRINTF(("ipcomp_input: no crypto descriptors\n")); + DPRINTF(("%s: no crypto descriptors\n", __func__)); IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); return ENOBUFS; } /* Get IPsec-specific opaque pointer */ - tc = (struct tdb_crypto *) malloc(sizeof (*tc), M_XDATA, M_NOWAIT|M_ZERO); + tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { m_freem(m); crypto_freereq(crp); - DPRINTF(("ipcomp_input: cannot allocate tdb_crypto\n")); + DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); return ENOBUFS; } error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT); if (error) { - DPRINTF(("ipcomp_input: m_makewritable failed\n")); + DPRINTF(("%s: m_makewritable failed\n", __func__)); m_freem(m); free(tc, M_XDATA); crypto_freereq(crp); @@ -241,16 +241,17 @@ ipcomp_input_cb(struct cryptop *crp) struct secasvar *sav; struct secasindex *saidx __diagused; int s, hlen = IPCOMP_HLENGTH, error, clen; - u_int8_t nproto; + uint8_t nproto; void *addr; - u_int16_t dport; - u_int16_t sport; + uint16_t dport; + uint16_t sport; - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("ipcomp_input_cb: null opaque crypto data area!")); + tc = crp->crp_opaque; + IPSEC_ASSERT(tc != NULL, ("%s: null opaque crypto data area!", + __func__)); skip = tc->tc_skip; protoff = tc->tc_protoff; - m = (struct mbuf *) crp->crp_buf; + m = crp->crp_buf; /* find the source port for NAT-T */ nat_t_ports_get(m, &dport, &sport); @@ -261,7 +262,7 @@ ipcomp_input_cb(struct cryptop *crp) sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, sport, dport); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); - DPRINTF(("ipcomp_input_cb: SA expired while in crypto\n")); + DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } @@ -269,7 +270,7 @@ ipcomp_input_cb(struct cryptop *crp) saidx = &sav->sah->saidx; IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || saidx->dst.sa.sa_family == AF_INET6, - ("ipcomp_input_cb: unexpected protocol family %u", + ("%s: unexpected protocol family %u", __func__, saidx->dst.sa.sa_family)); /* Check for crypto errors */ @@ -286,14 +287,14 @@ ipcomp_input_cb(struct cryptop *crp) } IPCOMP_STATINC(IPCOMP_STAT_NOXFORM); - DPRINTF(("ipcomp_input_cb: crypto error %d\n", crp->crp_etype)); + DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); - DPRINTF(("ipcomp_input_cb: null mbuf returned from crypto\n")); + DPRINTF(("%s: null mbuf returned from crypto\n", __func__)); error = EINVAL; goto bad; } @@ -314,7 +315,7 @@ ipcomp_input_cb(struct cryptop *crp) if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); /*XXX*/ - DPRINTF(("ipcomp_input_cb: m_pullup failed\n")); + DPRINTF(("%s: m_pullup failed\n", __func__)); error = EINVAL; /*XXX*/ goto bad; } @@ -322,27 +323,32 @@ ipcomp_input_cb(struct cryptop *crp) /* Keep the next protocol field */ addr = (uint8_t*) mtod(m, struct ip *) + skip; nproto = ((struct ipcomp *) addr)->comp_nxt; - if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) { + switch (nproto) { + case IPPROTO_IPCOMP: + case IPPROTO_AH: + case IPPROTO_ESP: IPCOMP_STATINC(IPCOMP_STAT_HDROPS); - DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n", - ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + DPRINTF(("%s: nested ipcomp, IPCA %s/%08lx\n", __func__, + ipsec_address(&sav->sah->saidx.dst), + (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; + default: + break; } /* Remove the IPCOMP header */ error = m_striphdr(m, skip, hlen); if (error) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); - DPRINTF(("ipcomp_input_cb: bad mbuf chain, IPCA %s/%08lx\n", + DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); goto bad; } /* Restore the Next Protocol field */ - m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto); + m_copyback(m, protoff, sizeof(uint8_t), (uint8_t *) &nproto); IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL); @@ -383,11 +389,11 @@ ipcomp_output( struct cryptop *crp; struct tdb_crypto *tc; - IPSEC_SPLASSERT_SOFTNET("ipcomp_output"); + IPSEC_SPLASSERT_SOFTNET(__func__); sav = isr->sav; - IPSEC_ASSERT(sav != NULL, ("ipcomp_output: null SA")); + IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__)); ipcompx = sav->tdb_compalgxform; - IPSEC_ASSERT(ipcompx != NULL, ("ipcomp_output: null compression xform")); + IPSEC_ASSERT(ipcompx != NULL, ("%s: null compression xform", __func__)); ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ @@ -415,8 +421,8 @@ ipcomp_output( #endif /* INET6 */ default: IPCOMP_STATINC(IPCOMP_STAT_NOPF); - DPRINTF(("ipcomp_output: unknown/unsupported protocol family %d" - ", IPCA %s/%08lx\n", + DPRINTF(("%s: unknown/unsupported protocol family %d" + ", IPCA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -425,8 +431,8 @@ ipcomp_output( } if (skip + hlen + ralen > maxpacketsize) { IPCOMP_STATINC(IPCOMP_STAT_TOOBIG); - DPRINTF(("ipcomp_output: packet in IPCA %s/%08lx got too big " - "(len %u, max len %u)\n", + DPRINTF(("%s: packet in IPCA %s/%08lx got too big " + "(len %u, max len %u)\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi), skip + hlen + ralen, maxpacketsize)); @@ -440,8 +446,8 @@ ipcomp_output( m = m_clone(m); if (m == NULL) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); - DPRINTF(("ipcomp_output: cannot clone mbuf chain, IPCA %s/%08lx\n", - ipsec_address(&sav->sah->saidx.dst), + DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", + __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; @@ -453,7 +459,8 @@ ipcomp_output( crp = crypto_getreq(1); if (crp == NULL) { IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); - DPRINTF(("ipcomp_output: failed to acquire crypto descriptor\n")); + DPRINTF(("%s: failed to acquire crypto descriptor\n", + __func__)); error = ENOBUFS; goto bad; } @@ -469,11 +476,10 @@ ipcomp_output( crdc->crd_alg = ipcompx->type; /* IPsec-specific opaque crypto info */ - tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), - M_XDATA, M_NOWAIT|M_ZERO); + tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); - DPRINTF(("ipcomp_output: failed to allocate tdb_crypto\n")); + DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); crypto_freereq(crp); error = ENOBUFS; goto bad; @@ -512,14 +518,14 @@ ipcomp_output_cb(struct cryptop *crp) struct secasvar *sav; struct mbuf *m, *mo; int s, error, skip, rlen, roff; - u_int8_t prot; - u_int16_t cpi; + uint8_t prot; + uint16_t cpi; struct ipcomp * ipcomp; - tc = (struct tdb_crypto *) crp->crp_opaque; - IPSEC_ASSERT(tc != NULL, ("ipcomp_output_cb: null opaque data area!")); - m = (struct mbuf *) crp->crp_buf; + tc = crp->crp_opaque; + IPSEC_ASSERT(tc != NULL, ("%s: null opaque data area!", __func__)); + m = crp->crp_buf; skip = tc->tc_skip; rlen = crp->crp_ilen - skip; @@ -530,11 +536,11 @@ ipcomp_output_cb(struct cryptop *crp) sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); if (sav == NULL) { IPCOMP_STATINC(IPCOMP_STAT_NOTDB); - DPRINTF(("ipcomp_output_cb: SA expired while in crypto\n")); + DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } - IPSEC_ASSERT(isr->sav == sav, ("ipcomp_output_cb: SA changed\n")); + IPSEC_ASSERT(isr->sav == sav, ("%s: SA changed", __func__)); /* Check for crypto errors */ if (crp->crp_etype) { @@ -549,14 +555,14 @@ ipcomp_output_cb(struct cryptop *crp) return crypto_dispatch(crp); } IPCOMP_STATINC(IPCOMP_STAT_NOXFORM); - DPRINTF(("ipcomp_output_cb: crypto error %d\n", crp->crp_etype)); + DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { IPCOMP_STATINC(IPCOMP_STAT_CRYPTO); - DPRINTF(("ipcomp_output_cb: bogus return buffer from crypto\n")); + DPRINTF(("%s: bogus return buffer from crypto\n", __func__)); error = EINVAL; goto bad; } @@ -567,10 +573,10 @@ ipcomp_output_cb(struct cryptop *crp) mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); if (mo == NULL) { IPCOMP_STATINC(IPCOMP_STAT_WRAP); - DPRINTF(("ipcomp_output: failed to inject IPCOMP header for " - "IPCA %s/%08lx\n", - ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + DPRINTF(("%s: failed to inject IPCOMP header for " + "IPCA %s/%08lx\n", __func__, + ipsec_address(&sav->sah->saidx.dst), + (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } @@ -600,7 +606,7 @@ ipcomp_output_cb(struct cryptop *crp) /* Fix Next Protocol in IPv4/IPv6 header */ prot = IPPROTO_IPCOMP; - m_copyback(m, tc->tc_protoff, sizeof(u_int8_t), (u_char *)&prot); + m_copyback(m, tc->tc_protoff, sizeof(uint8_t), (u_char *)&prot); /* Adjust the length in the IP header */ switch (sav->sah->saidx.dst.sa.sa_family) { diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index d5a796302a3c..160e05b6bdd8 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.44 2017/04/14 22:35:05 christos Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.45 2017/04/15 22:01:57 christos Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ @@ -39,7 +39,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.44 2017/04/14 22:35:05 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.45 2017/04/15 22:01:57 christos Exp $"); /* * IP-inside-IP processing @@ -144,7 +144,7 @@ ip4_input6(struct mbuf **m, int *offp, int proto) #if 0 /* If we do not accept IP-in-IP explicitly, drop. */ if (!ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) { - DPRINTF(("ip4_input6: dropped due to policy\n")); + DPRINTF(("%s: dropped due to policy\n", __func__)); IPIP_STATINC(IPIP_STAT_PDROPS); m_freem(*m); return IPPROTO_DONE; @@ -166,7 +166,7 @@ ip4_input(struct mbuf *m, int off, int proto) #if 0 /* If we do not accept IP-in-IP explicitly, drop. */ if (!ipip_allow && (m->m_flags & M_IPSEC) == 0) { - DPRINTF(("ip4_input: dropped due to policy\n")); + DPRINTF(("%s: dropped due to policy\n", __func__)); IPIP_STATINC(IPIP_STAT_PDROPS); m_freem(m); return; @@ -195,10 +195,10 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) #ifdef INET6 register struct sockaddr_in6 *sin6; struct ip6_hdr *ip6 = NULL; - u_int8_t itos; + uint8_t itos; #endif - u_int8_t otos; - u_int8_t v; + uint8_t otos; + uint8_t v; int hlen; IPIP_STATINC(IPIP_STAT_IPACKETS); @@ -217,8 +217,8 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) break; #endif default: - DPRINTF(("_ipip_input: bad protocol version 0x%x (%u) " - "for outer header\n", v, v>>4)); + DPRINTF(("%s: bad protocol version 0x%x (%u) " + "for outer header\n", __func__, v, v>>4)); IPIP_STATINC(IPIP_STAT_FAMILY); m_freem(m); return /* EAFNOSUPPORT */; @@ -227,7 +227,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) /* Bring the IP header in the first mbuf, if not there already */ if (m->m_len < hlen) { if ((m = m_pullup(m, hlen)) == NULL) { - DPRINTF(("ipip_input: m_pullup (1) failed\n")); + DPRINTF(("%s: m_pullup (1) failed\n", __func__)); IPIP_STATINC(IPIP_STAT_HDROPS); return; } @@ -257,7 +257,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) break; #endif default: - panic("ipip_input: unknown ip version %u (outer)", v>>4); + panic("%s: unknown ip version %u (outer)", __func__, v >> 4); } /* Remove outer IP header */ @@ -285,8 +285,8 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) break; #endif default: - DPRINTF(("_ipip_input: bad protocol version 0x%x (%u) " - "for inner header\n", v, v>>4)); + DPRINTF(("%s: bad protocol version %#x (%u) " + "for inner header\n", __func__, v, v >> 4)); IPIP_STATINC(IPIP_STAT_FAMILY); m_freem(m); return; /* EAFNOSUPPORT */ @@ -297,7 +297,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) */ if (m->m_len < hlen) { if ((m = m_pullup(m, hlen)) == NULL) { - DPRINTF(("ipip_input: m_pullup (2) failed\n")); + DPRINTF(("%s: m_pullup (2) failed\n", __func__)); IPIP_STATINC(IPIP_STAT_HDROPS); return; } @@ -323,11 +323,11 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos); ip6->ip6_flow &= ~htonl(0xff << 20); - ip6->ip6_flow |= htonl((u_int32_t) itos << 20); + ip6->ip6_flow |= htonl((uint32_t) itos << 20); break; #endif default: - panic("ipip_input: unknown ip version %u (inner)", v>>4); + panic("%s: unknown ip version %u (inner)", __func__, v>>4); } /* Check for local address spoofing. */ @@ -400,7 +400,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) break; #endif default: - panic("ipip_input: should never reach here"); + panic("%s: should never reach here", __func__); } int s = splnet(); @@ -421,22 +421,22 @@ ipip_output( ) { const struct secasvar *sav; - u_int8_t tp, otos; + uint8_t tp, otos; struct secasindex *saidx; int error; #ifdef INET - u_int8_t itos; + uint8_t itos; struct ip *ipo; #endif /* INET */ #ifdef INET6 struct ip6_hdr *ip6, *ip6o; #endif /* INET6 */ - IPSEC_SPLASSERT_SOFTNET("ipip_output"); + IPSEC_SPLASSERT_SOFTNET(__func__); sav = isr->sav; - IPSEC_ASSERT(sav != NULL, ("ipip_output: null SA")); - IPSEC_ASSERT(sav->sah != NULL, ("ipip_output: null SAH")); + IPSEC_ASSERT(sav != NULL, ("%s: null SA", __func__)); + IPSEC_ASSERT(sav->sah != NULL, ("%s: null SAH", __func__)); /* XXX Deal with empty TDB source/destination addresses. */ @@ -450,8 +450,8 @@ ipip_output( if (saidx->src.sa.sa_family != AF_INET || saidx->src.sin.sin_addr.s_addr == INADDR_ANY || saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) { - DPRINTF(("ipip_output: unspecified tunnel endpoint " - "address in SA %s/%08lx\n", + DPRINTF(("%s: unspecified tunnel endpoint " + "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); IPIP_STATINC(IPIP_STAT_UNSPEC); @@ -461,7 +461,7 @@ ipip_output( M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); if (m == 0) { - DPRINTF(("ipip_output: M_PREPEND failed\n")); + DPRINTF(("%s: M_PREPEND failed\n", __func__)); IPIP_STATINC(IPIP_STAT_HDROPS); error = ENOBUFS; goto bad; @@ -490,7 +490,7 @@ ipip_output( /* Save ECN notification */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip, ip_tos), - sizeof(u_int8_t), &itos); + sizeof(uint8_t), &itos); ipo->ip_p = IPPROTO_IPIP; @@ -500,17 +500,17 @@ ipip_output( */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip, ip_off), - sizeof(u_int16_t), &ipo->ip_off); + sizeof(uint16_t), &ipo->ip_off); ipo->ip_off &= ~ IP_OFF_CONVERT(IP_DF | IP_MF | IP_OFFMASK); } #ifdef INET6 else if (tp == (IPV6_VERSION >> 4)) { - u_int32_t itos32; + uint32_t itos32; /* Save ECN notification. */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip6_hdr, ip6_flow), - sizeof(u_int32_t), &itos32); + sizeof(uint32_t), &itos32); itos = ntohl(itos32) >> 20; ipo->ip_p = IPPROTO_IPV6; ipo->ip_off = 0; @@ -531,8 +531,8 @@ ipip_output( if (IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr) || saidx->src.sa.sa_family != AF_INET6 || IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) { - DPRINTF(("ipip_output: unspecified tunnel endpoint " - "address in SA %s/%08lx\n", + DPRINTF(("%s: unspecified tunnel endpoint " + "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); IPIP_STATINC(IPIP_STAT_UNSPEC); @@ -551,7 +551,7 @@ ipip_output( M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); if (m == 0) { - DPRINTF(("ipip_output: M_PREPEND failed\n")); + DPRINTF(("%s: M_PREPEND failed\n", __func__)); IPIP_STATINC(IPIP_STAT_HDROPS); error = ENOBUFS; goto bad; @@ -575,7 +575,7 @@ ipip_output( if (tp == IPVERSION) { /* Save ECN notification */ m_copydata(m, sizeof(struct ip6_hdr) + - offsetof(struct ip, ip_tos), sizeof(u_int8_t), + offsetof(struct ip, ip_tos), sizeof(uint8_t), &itos); /* This is really IPVERSION. */ @@ -583,12 +583,12 @@ ipip_output( } else #endif /* INET */ if (tp == (IPV6_VERSION >> 4)) { - u_int32_t itos32; + uint32_t itos32; /* Save ECN notification. */ m_copydata(m, sizeof(struct ip6_hdr) + offsetof(struct ip6_hdr, ip6_flow), - sizeof(u_int32_t), &itos32); + sizeof(uint32_t), &itos32); itos = ntohl(itos32) >> 20; ip6o->ip6_nxt = IPPROTO_IPV6; @@ -598,13 +598,13 @@ ipip_output( otos = 0; ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); - ip6o->ip6_flow |= htonl((u_int32_t) otos << 20); + ip6o->ip6_flow |= htonl((uint32_t) otos << 20); break; #endif /* INET6 */ default: nofamily: - DPRINTF(("ipip_output: unsupported protocol family %u\n", + DPRINTF(("%s: unsupported protocol family %u\n", __func__, saidx->dst.sa.sa_family)); IPIP_STATINC(IPIP_STAT_FAMILY); error = EAFNOSUPPORT; /* XXX diffs from openbsd */ @@ -669,7 +669,7 @@ ipe4_input( ) { /* This is a rather serious mistake, so no conditional printing. */ - printf("ipe4_input: should never be called\n"); + printf("%s: should never be called\n", __func__); if (m) m_freem(m); return EOPNOTSUPP;