At the moment af_key code responds with -ENOBUFS (No buffer space available) not only when it really got no buffer for something, but also when kernel module for some crypto algorithm or encapsulation mode (esp4, ipcomp6, ...) is not available. This leads to situation where userspace tools can only pass this misleading diagnostic to user.
Bellow is a patch, which tries to discriminate causes of failed pf_key messages. RFC 2367 par 3.1 in part states "Note that any standard error could be returned for any message.", so returning standard error codes do not break it. Testing on a box where esp4 module was necessary but not loaded made racoon to produce the following to logs:
Mar 6 23:13:20 test racoon: ERROR: pfkey.c:210:pfkey_handler(): pfkey ADD failed: Protocol not available
Error codes were selected based on description in .h file. Therefore, if my selection is wrong please correct them, or point to the docs where I could learn how to choose them right.
-- Aidas Kasparas IT administrator GM Consult Group, UAB
--- net/key/af_key.c.R 2004-03-06 18:05:57.000000000 +0200
+++ net/key/af_key.c 2004-03-06 18:14:39.000000000 +0200
@@ -901,6 +901,7 @@
struct sadb_sa *sa;
struct sadb_key *key;
uint16_t proto;
+ int err;
sa = (struct sadb_sa *) ext_hdrs[SADB_EXT_SA-1]; @@ -922,6 +923,9 @@ if (proto == 0) return ERR_PTR(-EINVAL);
+ /* default error is no buffer space */
+ err = -ENOBUFS;
+
/* RFC2367:Only SADB_SASTATE_MATURE SAs may be submitted in an SADB_ADD message.
@@ -980,8 +984,10 @@
if (sa->sadb_sa_auth) {
int keysize = 0;
struct xfrm_algo_desc *a = xfrm_aalg_get_byid(sa->sadb_sa_auth);
- if (!a)
+ if (!a) {
+ err = -ENOSYS;
goto out;
+ }
if (key)
keysize = (key->sadb_key_bits + 7) / 8;
x->aalg = kmalloc(sizeof(*x->aalg) + keysize, GFP_KERNEL);
@@ -999,8 +1005,10 @@
if (sa->sadb_sa_encrypt) {
if (hdr->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
struct xfrm_algo_desc *a = xfrm_calg_get_byid(sa->sadb_sa_encrypt);
- if (!a)
+ if (!a) {
+ err = -ENOSYS;
goto out;
+ }
x->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL);
if (!x->calg)
goto out;
@@ -1009,8 +1017,10 @@
} else {
int keysize = 0;
struct xfrm_algo_desc *a = xfrm_ealg_get_byid(sa->sadb_sa_encrypt);
- if (!a)
+ if (!a) {
+ err = -ENOSYS;
goto out;
+ }
key = (struct sadb_key*) ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];
if (key)
keysize = (key->sadb_key_bits + 7) / 8;
@@ -1030,8 +1040,10 @@
x->props.family = pfkey_sadb_addr2xfrm_addr((struct sadb_address *) ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
&x->props.saddr);
- if (!x->props.family)
+ if (!x->props.family) {
+ err = -EAFNOSUPPORT;
goto out;
+ }
pfkey_sadb_addr2xfrm_addr((struct sadb_address *) ext_hdrs[SADB_EXT_ADDRESS_DST-1],
&x->id.daddr);
@@ -1076,10 +1088,14 @@
} x->type = xfrm_get_type(proto, x->props.family);
- if (x->type == NULL)
+ if (x->type == NULL) {
+ err = -ENOPROTOOPT;
goto out;
- if (x->type->init_state(x, NULL))
+ }
+ if (x->type->init_state(x, NULL)) {
+ err = -EINVAL;
goto out;
+ }
x->km.seq = hdr->sadb_msg_seq;
x->km.state = XFRM_STATE_VALID;
return x;
@@ -1087,7 +1103,7 @@
out:
x->km.state = XFRM_STATE_DEAD;
xfrm_state_put(x);
- return ERR_PTR(-ENOBUFS);
+ return ERR_PTR(err);
}static int pfkey_reserved(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
