diff options
Diffstat (limited to 'sys/netipsec/xform_ah.c')
-rw-r--r-- | sys/netipsec/xform_ah.c | 63 |
1 files changed, 32 insertions, 31 deletions
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 2424b4a..4f87db6f 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -46,6 +46,7 @@ #include <sys/syslog.h> #include <sys/kernel.h> #include <sys/sysctl.h> +#include <sys/vimage.h> #include <net/if.h> @@ -218,7 +219,7 @@ ah_init(struct secasvar *sav, struct xformsw *xsp) error = ah_init0(sav, xsp, &cria); return error ? error : - crypto_newsession(&sav->tdb_cryptoid, &cria, crypto_support); + crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support); } /* @@ -277,7 +278,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) /* Fix the IP header */ ip = mtod(m, struct ip *); - if (ah_cleartos) + if (V_ah_cleartos) ip->ip_tos = 0; ip->ip_ttl = 0; ip->ip_sum = 0; @@ -573,14 +574,14 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); if (ah == NULL) { DPRINTF(("ah_input: cannot pullup header\n")); - ahstat.ahs_hdrops++; /*XXX*/ + V_ahstat.ahs_hdrops++; /*XXX*/ m_freem(m); return ENOBUFS; } /* Check replay window, if applicable. */ if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { - ahstat.ahs_replay++; + V_ahstat.ahs_replay++; DPRINTF(("%s: packet replay failure: %s\n", __func__, ipsec_logsastr(sav))); m_freem(m); @@ -597,17 +598,17 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) hl, (u_long) (authsize + rplen - sizeof (struct ah)), ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_badauthl++; + V_ahstat.ahs_badauthl++; m_freem(m); return EACCES; } - ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl; + V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl; /* Get crypto descriptors. */ crp = crypto_getreq(1); if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; m_freem(m); return ENOBUFS; } @@ -647,7 +648,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) } if (tc == NULL) { DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; crypto_freereq(crp); m_freem(m); return ENOBUFS; @@ -671,7 +672,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) skip, ahx->type, 0); if (error != 0) { /* NB: mbuf is free'd by ah_massage_headers */ - ahstat.ahs_hdrops++; + V_ahstat.ahs_hdrops++; free(tc, M_XDATA); crypto_freereq(crp); return error; @@ -745,7 +746,7 @@ ah_input_cb(struct cryptop *crp) sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); if (sav == NULL) { - ahstat.ahs_notdb++; + V_ahstat.ahs_notdb++; DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @@ -768,19 +769,19 @@ ah_input_cb(struct cryptop *crp) return error; } - ahstat.ahs_noxform++; + V_ahstat.ahs_noxform++; DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } else { - ahstat.ahs_hist[sav->alg_auth]++; + V_ahstat.ahs_hist[sav->alg_auth]++; crypto_freereq(crp); /* No longer needed. */ crp = NULL; } /* Shouldn't happen... */ if (m == NULL) { - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; @@ -806,7 +807,7 @@ ah_input_cb(struct cryptop *crp) "in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_badauth++; + V_ahstat.ahs_badauth++; error = EACCES; goto bad; } @@ -837,7 +838,7 @@ ah_input_cb(struct cryptop *crp) m_copydata(m, skip + offsetof(struct newah, ah_seq), sizeof (seq), (caddr_t) &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { - ahstat.ahs_replay++; + V_ahstat.ahs_replay++; error = ENOBUFS; /*XXX as above*/ goto bad; } @@ -851,7 +852,7 @@ ah_input_cb(struct cryptop *crp) DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_hdrops++; + V_ahstat.ahs_hdrops++; goto bad; } @@ -898,7 +899,7 @@ ah_output( ahx = sav->tdb_authalgxform; IPSEC_ASSERT(ahx != NULL, ("null authentication xform")); - ahstat.ahs_output++; + V_ahstat.ahs_output++; /* Figure out header size. */ rplen = HDRSIZE(sav); @@ -921,7 +922,7 @@ ah_output( sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_nopf++; + V_ahstat.ahs_nopf++; error = EPFNOSUPPORT; goto bad; } @@ -932,20 +933,20 @@ ah_output( ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi), rplen + authsize + m->m_pkthdr.len, maxpacketsize)); - ahstat.ahs_toobig++; + V_ahstat.ahs_toobig++; error = EMSGSIZE; goto bad; } /* Update the counters. */ - ahstat.ahs_obytes += m->m_pkthdr.len - skip; + V_ahstat.ahs_obytes += m->m_pkthdr.len - skip; m = m_unshare(m, M_NOWAIT); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_hdrops++; + V_ahstat.ahs_hdrops++; error = ENOBUFS; goto bad; } @@ -958,7 +959,7 @@ ah_output( rplen + authsize, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_hdrops++; /*XXX differs from openbsd */ + V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */ error = ENOBUFS; goto bad; } @@ -986,13 +987,13 @@ ah_output( __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_wrap++; + V_ahstat.ahs_wrap++; error = EINVAL; goto bad; } #ifdef REGRESSION /* Emulate replay attack when ipsec_replay is TRUE. */ - if (!ipsec_replay) + if (!V_ipsec_replay) #endif sav->replay->count++; ah->ah_seq = htonl(sav->replay->count); @@ -1003,7 +1004,7 @@ ah_output( if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; error = ENOBUFS; goto bad; } @@ -1025,7 +1026,7 @@ ah_output( if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; error = ENOBUFS; goto bad; } @@ -1127,7 +1128,7 @@ ah_output_cb(struct cryptop *crp) IPSECREQUEST_LOCK(isr); sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); if (sav == NULL) { - ahstat.ahs_notdb++; + V_ahstat.ahs_notdb++; DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @@ -1146,7 +1147,7 @@ ah_output_cb(struct cryptop *crp) return error; } - ahstat.ahs_noxform++; + V_ahstat.ahs_noxform++; DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -1154,12 +1155,12 @@ ah_output_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - ahstat.ahs_hist[sav->alg_auth]++; + V_ahstat.ahs_hist[sav->alg_auth]++; /* * Copy original headers (with the new protocol number) back @@ -1173,7 +1174,7 @@ ah_output_cb(struct cryptop *crp) #ifdef REGRESSION /* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */ - if (ipsec_integrity) { + if (V_ipsec_integrity) { int alen; /* |