From 0a6c1d4242d4d23328bf77b152fe0864e2db7f35 Mon Sep 17 00:00:00 2001 From: sam Date: Mon, 29 Sep 2003 22:57:43 +0000 Subject: MFp4: portability work, general cleanup, locking fixes change 38496 o add ipsec_osdep.h that holds os-specific definitions for portability o s/KASSERT/IPSEC_ASSERT/ for portability o s/SPLASSERT/IPSEC_SPLASSERT/ for portability o remove function names from ASSERT strings since line#+file pinpints the location o use __func__ uniformly to reduce string storage o convert some random #ifdef DIAGNOSTIC code to assertions o remove some debuggging assertions no longer needed change 38498 o replace numerous bogus panic's with equally bogus assertions that at least go away on a production system change 38502 + 38530 o change explicit mtx operations to #defines to simplify future changes to a different lock type change 38531 o hookup ipv4 ctlinput paths to a noop routine; we should be handling path mtu changes at least o correct potential null pointer deref in ipsec4_common_input_cb chnage 38685 o fix locking for bundled SA's and for when key exchange is required change 38770 o eliminate recursion on the SAHTREE lock change 38804 o cleanup some types: long -> time_t o remove refrence to dead #define change 38805 o correct some types: long -> time_t o add scan generation # to secpolicy to deal with locking issues change 38806 o use LIST_FOREACH_SAFE instead of handrolled code o change key_flush_spd to drop the sptree lock before purging an entry to avoid lock recursion and to avoid holding the lock over a long-running operation o misc cleanups of tangled and twisty code There is still much to do here but for now things look to be working again. Supported by: FreeBSD Foundation --- sys/netipsec/ipsec.c | 234 +++++++++++++++++++++++---------------------------- 1 file changed, 105 insertions(+), 129 deletions(-) (limited to 'sys/netipsec/ipsec.c') diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 8bead8e..c250e60 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -92,8 +92,6 @@ #include -#include - #ifdef IPSEC_DEBUG int ipsec_debug = 1; #else @@ -249,14 +247,14 @@ ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir) { struct secpolicy *sp; - KASSERT(tdbi != NULL, ("ipsec_getpolicy: null tdbi")); - KASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, - ("ipsec_getpolicy: invalid direction %u", dir)); + IPSEC_ASSERT(tdbi != NULL, ("null tdbi")); + IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, + ("invalid direction %u", dir)); sp = KEY_ALLOCSP2(tdbi->spi, &tdbi->dst, tdbi->proto, dir); if (sp == NULL) /*XXX????*/ sp = KEY_ALLOCSP_DEFAULT(); - KASSERT(sp != NULL, ("ipsec_getpolicy: null SP")); + IPSEC_ASSERT(sp != NULL, ("null SP")); return sp; } @@ -283,11 +281,11 @@ ipsec_getpolicybysock(m, dir, inp, error) struct secpolicy *currsp = NULL; /* policy on socket */ struct secpolicy *sp; - KASSERT(m != NULL, ("ipsec_getpolicybysock: null mbuf")); - KASSERT(inp != NULL, ("ipsec_getpolicybysock: null inpcb")); - KASSERT(error != NULL, ("ipsec_getpolicybysock: null error")); - KASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, - ("ipsec_getpolicybysock: invalid direction %u", dir)); + IPSEC_ASSERT(m != NULL, ("null mbuf")); + IPSEC_ASSERT(inp != NULL, ("null inpcb")); + IPSEC_ASSERT(error != NULL, ("null error")); + IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, + ("invalid direction %u", dir)); /* set spidx in pcb */ if (inp->inp_vflag & INP_IPV6PROTO) { @@ -304,7 +302,7 @@ ipsec_getpolicybysock(m, dir, inp, error) if (*error) return NULL; - KASSERT(pcbsp != NULL, ("ipsec_getpolicybysock: null pcbsp")); + IPSEC_ASSERT(pcbsp != NULL, ("null pcbsp")); switch (dir) { case IPSEC_DIR_INBOUND: currsp = pcbsp->sp_in; @@ -313,7 +311,7 @@ ipsec_getpolicybysock(m, dir, inp, error) currsp = pcbsp->sp_out; break; } - KASSERT(currsp != NULL, ("ipsec_getpolicybysock: null currsp")); + IPSEC_ASSERT(currsp != NULL, ("null currsp")); if (pcbsp->priv) { /* when privilieged socket */ switch (currsp->policy) { @@ -331,8 +329,8 @@ ipsec_getpolicybysock(m, dir, inp, error) break; default: - ipseclog((LOG_ERR, "ipsec_getpolicybysock: " - "Invalid policy for PCB %d\n", currsp->policy)); + ipseclog((LOG_ERR, "%s: Invalid policy for PCB %d\n", + __func__, currsp->policy)); *error = EINVAL; return NULL; } @@ -341,9 +339,9 @@ ipsec_getpolicybysock(m, dir, inp, error) if (sp == NULL) { /* no SP found */ switch (currsp->policy) { case IPSEC_POLICY_BYPASS: - ipseclog((LOG_ERR, "ipsec_getpolicybysock: " - "Illegal policy for non-priviliged defined %d\n", - currsp->policy)); + ipseclog((LOG_ERR, "%s: Illegal policy for " + "non-priviliged defined %d\n", + __func__, currsp->policy)); *error = EINVAL; return NULL; @@ -357,20 +355,18 @@ ipsec_getpolicybysock(m, dir, inp, error) break; default: - ipseclog((LOG_ERR, "ipsec_getpolicybysock: " - "Invalid policy for PCB %d\n", currsp->policy)); + ipseclog((LOG_ERR, "%s: Invalid policy for " + "PCB %d\n", __func__, currsp->policy)); *error = EINVAL; return NULL; } } } - KASSERT(sp != NULL, - ("ipsec_getpolicybysock: null SP (priv %u policy %u", - pcbsp->priv, currsp->policy)); + IPSEC_ASSERT(sp != NULL, + ("null SP (priv %u policy %u", pcbsp->priv, currsp->policy)); KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP ipsec_getpolicybysock (priv %u policy %u) allocates " - "SP:%p (refcnt %u)\n", pcbsp->priv, currsp->policy, - sp, sp->refcnt)); + printf("DP %s (priv %u policy %u) allocate SP:%p (refcnt %u)\n", + __func__, pcbsp->priv, currsp->policy, sp, sp->refcnt)); return sp; } @@ -394,10 +390,10 @@ ipsec_getpolicybyaddr(m, dir, flag, error) struct secpolicyindex spidx; struct secpolicy *sp; - KASSERT(m != NULL, ("ipsec_getpolicybyaddr: null mbuf")); - KASSERT(error != NULL, ("ipsec_getpolicybyaddr: null error")); - KASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, - ("ipsec4_getpolicybaddr: invalid direction %u", dir)); + IPSEC_ASSERT(m != NULL, ("null mbuf")); + IPSEC_ASSERT(error != NULL, ("null error")); + IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, + ("invalid direction %u", dir)); sp = NULL; if (key_havesp(dir)) { @@ -405,8 +401,8 @@ ipsec_getpolicybyaddr(m, dir, flag, error) *error = ipsec_setspidx(m, &spidx, (flag & IP_FORWARDING) ? 0 : 1); if (*error != 0) { - DPRINTF(("ipsec_getpolicybyaddr: setpidx failed," - " dir %u flag %u\n", dir, flag)); + DPRINTF(("%s: setpidx failed, dir %u flag %u\n", + __func__, dir, flag)); bzero(&spidx, sizeof (spidx)); return NULL; } @@ -416,7 +412,7 @@ ipsec_getpolicybyaddr(m, dir, flag, error) } if (sp == NULL) /* no SP found, use system default */ sp = KEY_ALLOCSP_DEFAULT(); - KASSERT(sp != NULL, ("ipsec_getpolicybyaddr: null SP")); + IPSEC_ASSERT(sp != NULL, ("null SP")); return sp; } @@ -435,17 +431,15 @@ ipsec4_checkpolicy(m, dir, flag, error, inp) else sp = ipsec_getpolicybysock(m, dir, inp, error); if (sp == NULL) { - KASSERT(*error != 0, - ("ipsec4_checkpolicy: getpolicy failed w/o error")); + IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error")); newipsecstat.ips_out_inval++; return NULL; } - KASSERT(*error == 0, - ("ipsec4_checkpolicy: sp w/ error set to %u", *error)); + IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error)); switch (sp->policy) { case IPSEC_POLICY_ENTRUST: default: - printf("ipsec4_checkpolicy: invalid policy %u\n", sp->policy); + printf("%s: invalid policy %u\n", __func__, sp->policy); /* fall thru... */ case IPSEC_POLICY_DISCARD: newipsecstat.ips_out_polvio++; @@ -475,10 +469,10 @@ ipsec4_setspidx_inpcb(m, pcb) { int error; - KASSERT(pcb != NULL, ("ipsec4_setspidx_inpcb: null pcb")); - KASSERT(pcb->inp_sp != NULL, ("ipsec4_setspidx_inpcb: null inp_sp")); - KASSERT(pcb->inp_sp->sp_out != NULL && pcb->inp_sp->sp_in != NULL, - ("ipsec4_setspidx_inpcb: null sp_in || sp_out")); + IPSEC_ASSERT(pcb != NULL, ("null pcb")); + IPSEC_ASSERT(pcb->inp_sp != NULL, ("null inp_sp")); + IPSEC_ASSERT(pcb->inp_sp->sp_out != NULL && pcb->inp_sp->sp_in != NULL, + ("null sp_in || sp_out")); error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1); if (error == 0) { @@ -503,10 +497,10 @@ ipsec6_setspidx_in6pcb(m, pcb) struct secpolicyindex *spidx; int error; - KASSERT(pcb != NULL, ("ipsec6_setspidx_in6pcb: null pcb")); - KASSERT(pcb->in6p_sp != NULL, ("ipsec6_setspidx_in6pcb: null inp_sp")); - KASSERT(pcb->in6p_sp->sp_out != NULL && pcb->in6p_sp->sp_in != NULL, - ("ipsec6_setspidx_in6pcb: null sp_in || sp_out")); + IPSEC_ASSERT(pcb != NULL, ("null pcb")); + IPSEC_ASSERT(pcb->in6p_sp != NULL, ("null inp_sp")); + IPSEC_ASSERT(pcb->in6p_sp->sp_out != NULL && pcb->in6p_sp->sp_in != NULL, + ("null sp_in || sp_out")); bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx)); bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx)); @@ -550,7 +544,7 @@ ipsec_setspidx(m, spidx, needport) int len; int error; - KASSERT(m != NULL, ("ipsec_setspidx: null mbuf")); + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* * validate m->m_pkthdr.len. we see incorrect length if we @@ -562,18 +556,15 @@ ipsec_setspidx(m, spidx, needport) len += n->m_len; if (m->m_pkthdr.len != len) { KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_setspidx: " - "total of m_len(%d) != pkthdr.len(%d), " - "ignored.\n", - len, m->m_pkthdr.len)); + printf("%s: pkthdr len(%d) mismatch (%d), ignored.\n", + __func__, len, m->m_pkthdr.len)); return EINVAL; } if (m->m_pkthdr.len < sizeof(struct ip)) { KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_setspidx: " - "pkthdr.len(%d) < sizeof(struct ip), ignored.\n", - m->m_pkthdr.len)); + printf("%s: pkthdr len(%d) too small (v4), ignored.\n", + __func__, m->m_pkthdr.len)); return EINVAL; } @@ -599,9 +590,8 @@ ipsec_setspidx(m, spidx, needport) case 6: if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_setspidx: " - "pkthdr.len(%d) < sizeof(struct ip6_hdr), " - "ignored.\n", m->m_pkthdr.len)); + printf("%s: pkthdr len(%d) too small (v6), " + "ignored\n", __func__, m->m_pkthdr.len)); return EINVAL; } error = ipsec6_setspidx_ipaddr(m, spidx); @@ -612,8 +602,8 @@ ipsec_setspidx(m, spidx, needport) #endif default: KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_setspidx: " - "unknown IP version %u, ignored.\n", v)); + printf("%s: " "unknown IP version %u, ignored.\n", + __func__, v)); return EINVAL; } } @@ -625,9 +615,8 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) int off; /* sanity check */ - KASSERT(m != NULL, ("ipsec4_get_ulp: null mbuf")); - KASSERT(m->m_pkthdr.len >= sizeof(struct ip), - ("ipsec4_get_ulp: packet too short")); + IPSEC_ASSERT(m != NULL, ("null mbuf")); + IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short")); /* NB: ip_input() flips it into host endian XXX need more checking */ if (m->m_len < sizeof (struct ip)) { @@ -747,10 +736,10 @@ ipsec6_get_ulp(m, spidx, needport) /* sanity check */ if (m == NULL) - panic("ipsec6_get_ulp: NULL pointer was passed.\n"); + panic("%s: NULL pointer was passed.\n", __func__); KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m)); + printf("%s:\n", __func__); kdebug_mbuf(m)); /* set default */ spidx->ul_proto = IPSEC_ULPROTO_ANY; @@ -851,19 +840,16 @@ ipsec_init_policy(so, pcb_sp) /* sanity check. */ if (so == NULL || pcb_sp == NULL) - panic("ipsec_init_policy: NULL pointer was passed.\n"); + panic("%s: NULL pointer was passed.\n", __func__); new = (struct inpcbpolicy *) malloc(sizeof(struct inpcbpolicy), M_IPSEC_INPCB, M_NOWAIT|M_ZERO); if (new == NULL) { - ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n")); + ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); return ENOBUFS; } - if (so->so_cred != 0 && so->so_cred->cr_uid == 0) - new->priv = 1; - else - new->priv = 0; + new->priv = IPSEC_IS_PRIVILEGED_SO(so); if ((new->sp_in = KEY_NEWSP()) == NULL) { ipsec_delpcbpolicy(new); @@ -918,14 +904,14 @@ ipsec_newisr(void) p = malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, M_NOWAIT|M_ZERO); if (p != NULL) - mtx_init(&p->lock, "ipsec request", NULL, MTX_DEF); + IPSECREQUEST_LOCK_INIT(p); return p; } void ipsec_delisr(struct ipsecrequest *p) { - mtx_destroy(&p->lock); + IPSECREQUEST_LOCK_DESTROY(p); free(p, M_IPSEC_SR); } @@ -1005,7 +991,7 @@ ipsec_set_policy(pcb_sp, optname, request, len, priv) xpl = (struct sadb_x_policy *)request; KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_set_policy: passed policy\n"); + printf("%s: passed policy\n", __func__); kdebug_sadb_x_policy((struct sadb_ext *)xpl)); /* check policy type */ @@ -1028,7 +1014,7 @@ ipsec_set_policy(pcb_sp, optname, request, len, priv) KEY_FREESP(pcb_sp); *pcb_sp = newsp; KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_set_policy: new policy\n"); + printf("%s: new policy\n", __func__); kdebug_secpolicy(newsp)); return 0; @@ -1046,14 +1032,13 @@ ipsec_get_policy(pcb_sp, mp) *mp = key_sp2msg(pcb_sp); if (!*mp) { - ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n")); + ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); return ENOBUFS; } (*mp)->m_type = MT_DATA; KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_get_policy:\n"); - kdebug_mbuf(*mp)); + printf("%s:\n", __func__); kdebug_mbuf(*mp)); return 0; } @@ -1085,7 +1070,7 @@ ipsec4_set_policy(inp, optname, request, len, priv) pcb_sp = &inp->inp_sp->sp_out; break; default: - ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", + ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, xpl->sadb_x_policy_dir)); return EINVAL; } @@ -1106,7 +1091,7 @@ ipsec4_get_policy(inp, request, len, mp) /* sanity check. */ if (inp == NULL || request == NULL || mp == NULL) return EINVAL; - KASSERT(inp->inp_sp != NULL, ("ipsec4_get_policy: null inp_sp")); + IPSEC_ASSERT(inp->inp_sp != NULL, ("null inp_sp")); if (len < sizeof(*xpl)) return EINVAL; xpl = (struct sadb_x_policy *)request; @@ -1120,7 +1105,7 @@ ipsec4_get_policy(inp, request, len, mp) pcb_sp = inp->inp_sp->sp_out; break; default: - ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n", + ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, xpl->sadb_x_policy_dir)); return EINVAL; } @@ -1133,7 +1118,7 @@ int ipsec4_delete_pcbpolicy(inp) struct inpcb *inp; { - KASSERT(inp != NULL, ("ipsec4_delete_pcbpolicy: null inp")); + IPSEC_ASSERT(inp != NULL, ("null inp")); if (inp->inp_sp == NULL) return 0; @@ -1178,7 +1163,7 @@ ipsec6_set_policy(in6p, optname, request, len, priv) pcb_sp = &in6p->in6p_sp->sp_out; break; default: - ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", + ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, xpl->sadb_x_policy_dir)); return EINVAL; } @@ -1199,7 +1184,7 @@ ipsec6_get_policy(in6p, request, len, mp) /* sanity check. */ if (in6p == NULL || request == NULL || mp == NULL) return EINVAL; - KASSERT(in6p->in6p_sp != NULL, ("ipsec6_get_policy: null in6p_sp")); + IPSEC_ASSERT(in6p->in6p_sp != NULL, ("null in6p_sp")); if (len < sizeof(*xpl)) return EINVAL; xpl = (struct sadb_x_policy *)request; @@ -1213,7 +1198,7 @@ ipsec6_get_policy(in6p, request, len, mp) pcb_sp = in6p->in6p_sp->sp_out; break; default: - ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n", + ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__, xpl->sadb_x_policy_dir)); return EINVAL; } @@ -1225,7 +1210,7 @@ int ipsec6_delete_pcbpolicy(in6p) struct in6pcb *in6p; { - KASSERT(in6p != NULL, ("ipsec6_delete_pcbpolicy: null in6p")); + IPSEC_ASSERT(in6p != NULL, ("null in6p")); if (in6p->in6p_sp == NULL) return 0; @@ -1255,10 +1240,9 @@ ipsec_get_reqlevel(isr) u_int esp_trans_deflev, esp_net_deflev; u_int ah_trans_deflev, ah_net_deflev; - KASSERT(isr != NULL && isr->sp != NULL, - ("ipsec_get_reqlevel: null argument")); - KASSERT(isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family, - ("ipsec_get_reqlevel: af family mismatch, src %u, dst %u", + IPSEC_ASSERT(isr != NULL && isr->sp != NULL, ("null argument")); + IPSEC_ASSERT(isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family, + ("af family mismatch, src %u, dst %u", isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family)); @@ -1293,8 +1277,8 @@ ipsec_get_reqlevel(isr) break; #endif /* INET6 */ default: - panic("key_get_reqlevel: unknown af %u", - isr->sp->spidx.src.sa.sa_family); + panic("%s: unknown af %u", + __func__, isr->sp->spidx.src.sa.sa_family); } #undef IPSEC_CHECK_DEFAULT @@ -1322,8 +1306,7 @@ ipsec_get_reqlevel(isr) level = IPSEC_LEVEL_USE; break; default: - panic("ipsec_get_reqlevel: " - "Illegal protocol defined %u\n", + panic("%s: Illegal protocol defined %u\n", __func__, isr->saidx.proto); } break; @@ -1337,8 +1320,7 @@ ipsec_get_reqlevel(isr) break; default: - panic("ipsec_get_reqlevel: Illegal IPsec level %u\n", - isr->level); + panic("%s: Illegal IPsec level %u\n", __func__, isr->level); } return level; @@ -1361,8 +1343,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) int need_auth; KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("ipsec_in_reject: using SP\n"); - kdebug_secpolicy(sp)); + printf("%s: using SP\n", __func__); kdebug_secpolicy(sp)); /* check policy */ switch (sp->policy) { @@ -1373,8 +1354,8 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) return 0; } - KASSERT(sp->policy == IPSEC_POLICY_IPSEC, - ("ipsec_in_reject: invalid policy %u", sp->policy)); + IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, + ("invalid policy %u", sp->policy)); /* XXX should compare policy against ipsec header history */ @@ -1386,7 +1367,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) case IPPROTO_ESP: if ((m->m_flags & M_DECRYPTED) == 0) { KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_in_reject: ESP m_flags:%x\n", + printf("%s: ESP m_flags:%x\n", __func__, m->m_flags)); return 1; } @@ -1396,7 +1377,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) isr->sav->tdb_authalgxform != NULL && (m->m_flags & M_AUTHIPDGM) == 0) { KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_in_reject: ESP/AH m_flags:%x\n", + printf("%s: ESP/AH m_flags:%x\n", __func__, m->m_flags)); return 1; } @@ -1405,7 +1386,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) need_auth = 1; if ((m->m_flags & M_AUTHIPHDR) == 0) { KEYDEBUG(KEYDEBUG_IPSEC_DUMP, - printf("ipsec_in_reject: AH m_flags:%x\n", + printf("%s: AH m_flags:%x\n", __func__, m->m_flags)); return 1; } @@ -1437,7 +1418,7 @@ ipsec4_in_reject(m, inp) int error; int result; - KASSERT(m != NULL, ("ipsec4_in_reject_so: null mbuf")); + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* get SP for this packet. * When we are called from ip_forward(), we call @@ -1512,8 +1493,7 @@ ipsec_hdrsiz(struct secpolicy *sp) size_t siz; KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("ipsec_hdrsiz: using SP\n"); - kdebug_secpolicy(sp)); + printf("%s: using SP\n", __func__); kdebug_secpolicy(sp)); switch (sp->policy) { case IPSEC_POLICY_DISCARD: @@ -1522,8 +1502,8 @@ ipsec_hdrsiz(struct secpolicy *sp) return 0; } - KASSERT(sp->policy == IPSEC_POLICY_IPSEC, - ("ipsec_hdrsiz: invalid policy %u", sp->policy)); + IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC, + ("invalid policy %u", sp->policy)); siz = 0; for (isr = sp->req; isr != NULL; isr = isr->next) { @@ -1552,8 +1532,8 @@ ipsec_hdrsiz(struct secpolicy *sp) break; #endif default: - ipseclog((LOG_ERR, "ipsec_hdrsiz: " - "unknown AF %d in IPsec tunnel SA\n", + ipseclog((LOG_ERR, "%s: unknown AF %d in " + "IPsec tunnel SA\n", __func__, ((struct sockaddr *)&isr->saidx.dst)->sa_family)); break; } @@ -1575,7 +1555,7 @@ ipsec4_hdrsiz(m, dir, inp) int error; size_t size; - KASSERT(m != NULL, ("ipsec4_hdrsiz: null mbuf")); + IPSEC_ASSERT(m != NULL, ("null mbuf")); /* get SP for this packet. * When we are called from ip_forward(), we call @@ -1589,7 +1569,7 @@ ipsec4_hdrsiz(m, dir, inp) if (sp != NULL) { size = ipsec_hdrsiz(sp); KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("ipsec4_hdrsiz: size:%lu.\n", + printf("%s: size:%lu.\n", __func__, (unsigned long)size)); KEY_FREESP(&sp); @@ -1613,9 +1593,9 @@ ipsec6_hdrsiz(m, dir, in6p) int error; size_t size; - KASSERT(m != NULL, ("ipsec6_hdrsiz: null mbuf")); - KASSERT(in6p == NULL || in6p->in6p_socket != NULL, - ("ipsec6_hdrsize: socket w/o inpcb")); + IPSEC_ASSERT(m != NULL, ("null mbuf")); + IPSEC_ASSERT(in6p == NULL || in6p->in6p_socket != NULL, + ("socket w/o inpcb")); /* get SP for this packet */ /* XXX Is it right to call with IP_FORWARDING. */ @@ -1628,7 +1608,7 @@ ipsec6_hdrsiz(m, dir, in6p) return 0; size = ipsec_hdrsiz(sp); KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size)); + printf("%s: size:%lu.\n", __func__, (unsigned long)size)); KEY_FREESP(&sp); return size; @@ -1656,12 +1636,10 @@ ipsec_chkreplay(seq, sav) u_int32_t wsizeb; /* constant: bits of window size */ int frlast; /* constant: last frame */ -#if 0 - SPLASSERT(net, "ipsec_chkreplay"); -#endif + IPSEC_SPLASSERT_SOFTNET(__func__); - KASSERT(sav != NULL, ("ipsec_chkreplay: Null SA")); - KASSERT(sav->replay != NULL, ("ipsec_chkreplay: Null replay state")); + IPSEC_ASSERT(sav != NULL, ("Null SA")); + IPSEC_ASSERT(sav->replay != NULL, ("Null replay state")); replay = sav->replay; @@ -1718,12 +1696,10 @@ ipsec_updatereplay(seq, sav) u_int32_t wsizeb; /* constant: bits of window size */ int frlast; /* constant: last frame */ -#if 0 - SPLASSERT(net, "ipsec_updatereplay"); -#endif + IPSEC_SPLASSERT_SOFTNET(__func__); - KASSERT(sav != NULL, ("ipsec_updatereplay: Null SA")); - KASSERT(sav->replay != NULL, ("ipsec_updatereplay: Null replay state")); + IPSEC_ASSERT(sav != NULL, ("Null SA")); + IPSEC_ASSERT(sav->replay != NULL, ("Null replay state")); replay = sav->replay; @@ -1794,8 +1770,8 @@ ok: if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) return 1; - ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", - replay->overflow, ipsec_logsastr(sav))); + ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n", + __func__, replay->overflow, ipsec_logsastr(sav))); } replay->count++; @@ -1872,8 +1848,8 @@ ipsec_logsastr(sav) char *p; struct secasindex *saidx = &sav->sah->saidx; - KASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family, - ("ipsec_logsastr: address family mismatch")); + IPSEC_ASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family, + ("address family mismatch")); p = buf; snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); -- cgit v1.1