Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/netipsec merge duplicated code, more informative debugging.



details:   https://anonhg.NetBSD.org/src/rev/b47dec5a3ee7
branches:  trunk
changeset: 324461:b47dec5a3ee7
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Jul 04 19:20:25 2018 +0000

description:
merge duplicated code, more informative debugging.

diffstat:

 sys/netipsec/key.c |  125 ++++++++++++++++++++++++++++++----------------------
 1 files changed, 73 insertions(+), 52 deletions(-)

diffs (248 lines):

diff -r 1ef1986342d0 -r b47dec5a3ee7 sys/netipsec/key.c
--- a/sys/netipsec/key.c        Wed Jul 04 18:15:27 2018 +0000
+++ b/sys/netipsec/key.c        Wed Jul 04 19:20:25 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.c,v 1.255 2018/04/28 15:45:16 maxv Exp $   */
+/*     $NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $       */
 /*     $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
 /*     $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $   */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.255 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.256 2018/07/04 19:20:25 christos Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -113,7 +113,7 @@
 #include <netipsec/xform.h>
 #include <netipsec/ipcomp.h>
 
-#define FULLMASK       0xff
+#define FULLMASK       0xffu
 #define        _BITS(bytes)    ((bytes) << 3)
 
 #define PORT_NONE      0
@@ -994,7 +994,8 @@
        KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
 
        if (isrc->sa_family != idst->sa_family) {
-               IPSECLOG(LOG_ERR, "protocol family mismatched %d != %d\n.",
+               IPSECLOG(LOG_ERR,
+                   "address family mismatched src %u, dst %u.\n",
                    isrc->sa_family, idst->sa_family);
                sp = NULL;
                goto done;
@@ -1185,14 +1186,14 @@
 
        /* set sadb_address for saidx's. */
        m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &sav->sah->saidx.src.sa,
-           sav->sah->saidx.src.sa.sa_len << 3, IPSEC_ULPROTO_ANY);
+           _BITS(sav->sah->saidx.src.sa.sa_len), IPSEC_ULPROTO_ANY);
        if (m == NULL)
                goto msgfail;
        m_cat(result, m);
 
        /* set sadb_address for saidx's. */
        m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &sav->sah->saidx.src.sa,
-           sav->sah->saidx.src.sa.sa_len << 3, IPSEC_ULPROTO_ANY);
+           _BITS(sav->sah->saidx.src.sa.sa_len), IPSEC_ULPROTO_ANY);
        if (m == NULL)
                goto msgfail;
        m_cat(result, m);
@@ -3458,7 +3459,9 @@
 
        /* check address family */
        if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) {
-               IPSECLOG(LOG_DEBUG, "address family mismatched.\n");
+               IPSECLOG(LOG_DEBUG,
+                   "address family mismatched src %u, dst %u.\n",
+                   saidx->src.sa.sa_family, saidx->dst.sa.sa_family);
                return false;
        }
 
@@ -3764,6 +3767,31 @@
                break;
        }
 
+       /* check algo */
+       switch (sav->sah->saidx.proto) {
+       case IPPROTO_AH:
+       case IPPROTO_TCP:
+               if (sav->alg_enc != SADB_EALG_NONE) {
+                       IPSECLOG(LOG_DEBUG,
+                           "protocol %u and algorithm mismatched %u != %u.\n",
+                           sav->sah->saidx.proto,
+                           sav->alg_enc, SADB_EALG_NONE);
+                       return EINVAL;
+               }
+               break;
+       case IPPROTO_IPCOMP:
+               if (sav->alg_auth != SADB_AALG_NONE) {
+                       IPSECLOG(LOG_DEBUG,
+                           "protocol %u and algorithm mismatched %d != %d.\n",
+                           sav->sah->saidx.proto,
+                           sav->alg_auth, SADB_AALG_NONE);
+                       return(EINVAL);
+               }
+               break;
+       default:
+               break;
+       }
+
        /* check satype */
        switch (sav->sah->saidx.proto) {
        case IPPROTO_ESP:
@@ -3783,32 +3811,17 @@
                            "invalid flag (derived) given to AH SA.\n");
                        return EINVAL;
                }
-               if (sav->alg_enc != SADB_EALG_NONE) {
-                       IPSECLOG(LOG_DEBUG,
-                           "protocol and algorithm mismated.\n");
-                       return(EINVAL);
-               }
                error = xform_init(sav, XF_AH);
                break;
        case IPPROTO_IPCOMP:
-               if (sav->alg_auth != SADB_AALG_NONE) {
-                       IPSECLOG(LOG_DEBUG,
-                           "protocol and algorithm mismated.\n");
-                       return(EINVAL);
-               }
                if ((sav->flags & SADB_X_EXT_RAWCPI) == 0
-                && ntohl(sav->spi) >= 0x10000) {
+                   && ntohl(sav->spi) >= 0x10000) {
                        IPSECLOG(LOG_DEBUG, "invalid cpi for IPComp.\n");
                        return(EINVAL);
                }
                error = xform_init(sav, XF_IPCOMP);
                break;
        case IPPROTO_TCP:
-               if (sav->alg_enc != SADB_EALG_NONE) {
-                       IPSECLOG(LOG_DEBUG,
-                           "protocol and algorithm mismated.\n");
-                       return(EINVAL);
-               }
                error = xform_init(sav, XF_TCPSIGNATURE);
                break;
        default:
@@ -4217,6 +4230,19 @@
        return m;
 }
 
+static uint8_t
+key_sabits(const struct sockaddr *saddr)
+{
+       switch (saddr->sa_family) {
+       case AF_INET:
+               return _BITS(sizeof(struct in_addr));
+       case AF_INET6:
+               return _BITS(sizeof(struct in6_addr));
+       default:
+               return FULLMASK;
+       }
+}
+
 /*
  * set data into sadb_address.
  */
@@ -4244,16 +4270,7 @@
        p->sadb_address_exttype = exttype;
        p->sadb_address_proto = ul_proto;
        if (prefixlen == FULLMASK) {
-               switch (saddr->sa_family) {
-               case AF_INET:
-                       prefixlen = sizeof(struct in_addr) << 3;
-                       break;
-               case AF_INET6:
-                       prefixlen = sizeof(struct in6_addr) << 3;
-                       break;
-               default:
-                       ; /*XXX*/
-               }
+               prefixlen = key_sabits(saddr);
        }
        p->sadb_address_prefixlen = prefixlen;
        p->sadb_address_reserved = 0;
@@ -6020,7 +6037,8 @@
 
        /* validity check */
        if (idsrc->sadb_ident_type != iddst->sadb_ident_type) {
-               IPSECLOG(LOG_DEBUG, "ident type mismatch.\n");
+               IPSECLOG(LOG_DEBUG, "ident type mismatched src %u, dst %u.\n",
+                   idsrc->sadb_ident_type, iddst->sadb_ident_type);
                return EINVAL;
        }
 
@@ -7842,47 +7860,50 @@
                /* check upper layer protocol */
                if (src0->sadb_address_proto != dst0->sadb_address_proto) {
                        IPSECLOG(LOG_DEBUG,
-                           "upper layer protocol mismatched.\n");
+                           "upper layer protocol mismatched src %u, dst %u.\n",
+                           src0->sadb_address_proto, dst0->sadb_address_proto);
+
                        goto invaddr;
                }
 
                /* check family */
                if (sa0->sa_family != da0->sa_family) {
-                       IPSECLOG(LOG_DEBUG, "address family mismatched.\n");
+                       IPSECLOG(LOG_DEBUG,
+                           "address family mismatched src %u, dst %u.\n",
+                           sa0->sa_family, da0->sa_family);
                        goto invaddr;
                }
                if (sa0->sa_len != da0->sa_len) {
                        IPSECLOG(LOG_DEBUG,
-                           "address struct size mismatched.\n");
+                           "address size mismatched src %u, dst %u.\n",
+                           sa0->sa_len, da0->sa_len);
                        goto invaddr;
                }
 
                switch (sa0->sa_family) {
                case AF_INET:
-                       if (sa0->sa_len != sizeof(struct sockaddr_in))
+                       if (sa0->sa_len != sizeof(struct sockaddr_in)) {
+                               IPSECLOG(LOG_DEBUG,
+                                   "address size mismatched %u != %zu.\n",
+                                   sa0->sa_len, sizeof(struct sockaddr_in));
                                goto invaddr;
+                       }
                        break;
                case AF_INET6:
-                       if (sa0->sa_len != sizeof(struct sockaddr_in6))
+                       if (sa0->sa_len != sizeof(struct sockaddr_in6)) {
+                               IPSECLOG(LOG_DEBUG,
+                                   "address size mismatched %u != %zu.\n",
+                                   sa0->sa_len, sizeof(struct sockaddr_in6));
                                goto invaddr;
+                       }
                        break;
                default:
-                       IPSECLOG(LOG_DEBUG, "unsupported address family.\n");
+                       IPSECLOG(LOG_DEBUG, "unsupported address family %u.\n",
+                           sa0->sa_family);
                        error = EAFNOSUPPORT;
                        goto senderror;
                }
-
-               switch (sa0->sa_family) {
-               case AF_INET:
-                       plen = sizeof(struct in_addr) << 3;
-                       break;
-               case AF_INET6:
-                       plen = sizeof(struct in6_addr) << 3;
-                       break;
-               default:
-                       plen = 0;       /*fool gcc*/
-                       break;
-               }
+               plen = key_sabits(sa0);
 
                /* check max prefix length */
                if (src0->sadb_address_prefixlen > plen ||



Home | Main Index | Thread Index | Old Index