Sync with recent KAME.

This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
  - The definitions of SADB_* in sys/net/pfkeyv2.h are still different
    from RFC2407/IANA assignment because of binary compatibility
    issue.  It should be fixed under 5-CURRENT.
  - ip6po_m member of struct ip6_pktopts is no longer used.  But, it
    is still there because of binary compatibility issue.  It should
    be removed under 5-CURRENT.

Reviewed by:	itojun
Obtained from:	KAME
MFC after:	3 weeks

1 files changed, 32 insertions, 10 deletions

diff --git a/sys/netinet6/ah_output.c b/sys/netinet6/ah_output.c
index 59263cd..983ecab 100644
--- a/sys/netinet6/ah_output.c
+++ b/sys/netinet6/ah_output.c
@@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$KAME: ah_output.c,v 1.22 2000/07/03 13:23:28 itojun Exp $	*/
+/*	$KAME: ah_output.c,v 1.30 2001/02/21 00:50:53 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -76,7 +76,9 @@
 
 #include <net/net_osdep.h>
 
+#ifdef INET
 static struct in_addr *ah4_finaldst __P((struct mbuf *));
+#endif
 
 /*
  * compute AH header size.
@@ -87,7 +89,7 @@ size_t
 ah_hdrsiz(isr)
 	struct ipsecrequest *isr;
 {
-	struct ah_algorithm *algo;
+	const struct ah_algorithm *algo;
 	size_t hdrsiz;
 
 	/* sanity check */
@@ -104,7 +106,7 @@ ah_hdrsiz(isr)
 		goto estimate;
 
 	/* we need transport mode AH. */
-	algo = &ah_algorithms[isr->sav->alg_auth];
+	algo = ah_algorithm_lookup(isr->sav->alg_auth);
 	if (!algo)
 		goto estimate;
 
@@ -131,6 +133,7 @@ ah_hdrsiz(isr)
 	return sizeof(struct newah) + 16;
 }
 
+#ifdef INET
 /*
  * Modify the packet so that it includes the authentication data.
  * The mbuf passed must start with IPv4 header.
@@ -144,7 +147,7 @@ ah4_output(m, isr)
 	struct ipsecrequest *isr;
 {
 	struct secasvar *sav = isr->sav;
-	struct ah_algorithm *algo;
+	const struct ah_algorithm *algo;
 	u_int32_t spi;
 	u_char *ahdrpos;
 	u_char *ahsumpos = NULL;
@@ -171,7 +174,14 @@ ah4_output(m, isr)
 		return EINVAL;
 	}
 
-	algo = &ah_algorithms[sav->alg_auth];
+	algo = ah_algorithm_lookup(sav->alg_auth);
+	if (!algo) {
+		ipseclog((LOG_ERR, "ah4_output: unsupported algorithm: "
+		    "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
+		ipsecstat.out_inval++;
+		m_freem(m);
+		return EINVAL;
+	}
 	spi = sav->spi;
 
 	/*
@@ -314,16 +324,19 @@ ah4_output(m, isr)
 
 	return 0;
 }
+#endif
 
 /* Calculate AH length */
 int
 ah_hdrlen(sav)
 	struct secasvar *sav;
 {
-	struct ah_algorithm *algo;
+	const struct ah_algorithm *algo;
 	int plen, ahlen;
 	
-	algo = &ah_algorithms[sav->alg_auth];
+	algo = ah_algorithm_lookup(sav->alg_auth);
+	if (!algo)
+		return 0;
 	if (sav->flags & SADB_X_EXT_OLD) {
 		/* RFC 1826 */
 		plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1);	/*XXX pad to 8byte?*/
@@ -351,7 +364,7 @@ ah6_output(m, nexthdrp, md, isr)
 	struct mbuf *mprev;
 	struct mbuf *mah;
 	struct secasvar *sav = isr->sav;
-	struct ah_algorithm *algo;
+	const struct ah_algorithm *algo;
 	u_int32_t spi;
 	u_char *ahsumpos = NULL;
 	size_t plen;	/*AH payload size in bytes*/
@@ -414,7 +427,14 @@ ah6_output(m, nexthdrp, md, isr)
 		return EINVAL;
 	}
 
-	algo = &ah_algorithms[sav->alg_auth];
+	algo = ah_algorithm_lookup(sav->alg_auth);
+	if (!algo) {
+		ipseclog((LOG_ERR, "ah6_output: unsupported algorithm: "
+		    "SPI=%u\n", (u_int32_t)ntohl(sav->spi)));
+		ipsec6stat.out_inval++;
+		m_freem(m);
+		return EINVAL;
+	}
 	spi = sav->spi;
 
 	/*
@@ -447,7 +467,7 @@ ah6_output(m, nexthdrp, md, isr)
 				ipseclog((LOG_WARNING,
 				    "replay counter overflowed. %s\n",
 				    ipsec_logsastr(sav)));
-				ipsecstat.out_inval++;
+				ipsec6stat.out_inval++;
 				m_freem(m);
 				return EINVAL;
 			}
@@ -479,6 +499,7 @@ ah6_output(m, nexthdrp, md, isr)
 }
 #endif
 
+#ifdef INET
 /*
  * Find the final destination if there is loose/strict source routing option.
  * Returns NULL if there's no source routing options.
@@ -564,3 +585,4 @@ ah4_finaldst(m)
 	}
 	return NULL;
 }
+#endif