authorpjd <pjd@FreeBSD.org>2006-04-10 15:04:36 +0000
committerpjd <pjd@FreeBSD.org>2006-04-10 15:04:36 +0000
commit98fc9938afbd40dd139657197f8c385fd792ad71 (patch)
tree90fcabf580a6c3dc6c206a2d8fb27221ee66d0c9
parent7fd1474b9c2e989b87a761b3e8d1bee795283543 (diff)
Hide net.inet.ipsec.test_{replay,integrity} sysctls under #ifdef REGRESSION.
Requested by: sam, rwatson
-rw-r--r--sys/netipsec/ipsec.c2
-rw-r--r--sys/netipsec/ipsec.h2
-rw-r--r--sys/netipsec/xform_ah.c4
-rw-r--r--sys/netipsec/xform_esp.c4
4 files changed, 12 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 76bd99e..4d1376f 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -148,6 +148,7 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO,
SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
ipsecstats, CTLFLAG_RD, &newipsecstat, newipsecstat, "");
+#ifdef REGRESSION
/*
* When set to 1, IPsec will send packets with the same sequence number.
* This allows to verify if the other side has proper replay attacks detection.
@@ -162,6 +163,7 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0,
int ipsec_integrity = 0;
SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,
&ipsec_integrity, 0, "Emulate man-in-the-middle attack");
+#endif
#ifdef INET6
int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 1d1fa0b..7dfe1ac 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -330,8 +330,10 @@ struct ipsec_history {
};
extern int ipsec_debug;
+#ifdef REGRESSION
extern int ipsec_replay;
extern int ipsec_integrity;
+#endif
extern struct newipsecstat newipsecstat;
extern struct secpolicy ip4_def_policy;
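Review bot: The newly guarded externs for `ipsec_replay` and `ipsec_integrity` carry no hint that they are test-only knobs, and this header is where most readers will first meet them. A one-line comment above the `#ifdef REGRESSION`, such as `/* Test-only knobs behind net.inet.ipsec.test_{replay,integrity}; defined in ipsec.c. */`, would make the conditional self-explanatory. Because the declaration set now depends on REGRESSION, every translation unit that names these variables has to see the same definition of the option; that holds if REGRESSION is a global kernel option, which I believe it is, but it is worth a glance when reviewing.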
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index cd23fe3..24320ce 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -998,8 +998,10 @@ ah_output(
error = EINVAL;
goto bad;
}
+#ifdef REGRESSION
/* Emulate replay attack when ipsec_replay is TRUE. */
if (!ipsec_replay)
+#endif
sav->replay->count++;
ah->ah_seq = htonl(sav->replay->count);
}
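Review bot: The `if (!ipsec_replay)` placed under `#ifdef REGRESSION` has no braces and its controlled statement, `sav->replay->count++;`, sits outside the `#endif`, so the preprocessor block changes the meaning of a line it does not contain; a later edit that adds a second statement or braces there would silently break one of the two builds. Giving each build its own complete statement avoids that: `if (!ipsec_replay)` followed by `sav->replay->count++;` inside the guard, then `#else`, `sav->replay->count++;`, `#endif`. The same construct appears in the esp_output hunk of xform_esp.c and the same rewrite applies there. ah_output begins outside this hunk.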
@@ -1180,6 +1182,7 @@ ah_output_cb(struct cryptop *crp)
free(tc, M_XDATA);
crypto_freereq(crp);
+#ifdef REGRESSION
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
if (ipsec_integrity) {
int alen;
@@ -1191,6 +1194,7 @@ ah_output_cb(struct cryptop *crp)
alen = AUTHSIZE(sav);
m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
}
+#endif
/* NB: m is reclaimed by ipsec_process_done. */
err = ipsec_process_done(m, isr);
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index a556167..cd9c312 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -761,8 +761,10 @@ esp_output(
if (sav->replay) {
u_int32_t replay;
+#ifdef REGRESSION
/* Emulate replay attack when ipsec_replay is TRUE. */
if (!ipsec_replay)
+#endif
sav->replay->count++;
replay = htonl(sav->replay->count);
bcopy((caddr_t) &replay,
@@ -947,6 +949,7 @@ esp_output_cb(struct cryptop *crp)
free(tc, M_XDATA);
crypto_freereq(crp);
+#ifdef REGRESSION
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
if (ipsec_integrity) {
static unsigned char ipseczeroes[AH_HMAC_HASHLEN];
@@ -962,6 +965,7 @@ esp_output_cb(struct cryptop *crp)
AH_HMAC_HASHLEN, ipseczeroes);
}
}
+#endif
/* NB: m is reclaimed by ipsec_process_done. */
err = ipsec_process_done(m, isr);
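Review bot: The emulated integrity failure in this ESP path overwrites a fixed `AH_HMAC_HASHLEN` bytes at the tail of the packet (the `static unsigned char ipseczeroes[AH_HMAC_HASHLEN]` buffer declared in the previous hunk), whereas the counterpart in ah_output_cb sizes the overwrite from the SA with `alen = AUTHSIZE(sav)`. If an SA's authenticator length differs from AH_HMAC_HASHLEN, the ESP test path would corrupt a span other than the ICV and the peer-side check the sysctl is meant to exercise would not be the one described. Deriving the length from the SA's auth transform, as xform_ah.c does, would keep the two test paths consistent; I am inferring the m_copyback arguments from its visible tail, since the start of that call and esp_output_cb itself lie outside this hunk.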