Diffstat (limited to 'sys/netipsec/xform_ah.c')
-rw-r--r--sys/netipsec/xform_ah.c63
1 files changed, 32 insertions, 31 deletions
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 2424b4a..4f87db6f 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -46,6 +46,7 @@
#include <sys/syslog.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
+#include <sys/vimage.h>
#include <net/if.h>
@@ -218,7 +219,7 @@ ah_init(struct secasvar *sav, struct xformsw *xsp)
error = ah_init0(sav, xsp, &cria);
return error ? error :
- crypto_newsession(&sav->tdb_cryptoid, &cria, crypto_support);
+ crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support);
}
/*
@@ -277,7 +278,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
/* Fix the IP header */
ip = mtod(m, struct ip *);
- if (ah_cleartos)
+ if (V_ah_cleartos)
ip->ip_tos = 0;
ip->ip_ttl = 0;
ip->ip_sum = 0;
@@ -573,14 +574,14 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
if (ah == NULL) {
DPRINTF(("ah_input: cannot pullup header\n"));
- ahstat.ahs_hdrops++; /*XXX*/
+ V_ahstat.ahs_hdrops++; /*XXX*/
m_freem(m);
return ENOBUFS;
}
/* Check replay window, if applicable. */
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
- ahstat.ahs_replay++;
+ V_ahstat.ahs_replay++;
DPRINTF(("%s: packet replay failure: %s\n", __func__,
ipsec_logsastr(sav)));
m_freem(m);
@@ -597,17 +598,17 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
hl, (u_long) (authsize + rplen - sizeof (struct ah)),
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_badauthl++;
+ V_ahstat.ahs_badauthl++;
m_freem(m);
return EACCES;
}
- ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
+ V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
m_freem(m);
return ENOBUFS;
}
@@ -647,7 +648,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
}
if (tc == NULL) {
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
crypto_freereq(crp);
m_freem(m);
return ENOBUFS;
@@ -671,7 +672,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
skip, ahx->type, 0);
if (error != 0) {
/* NB: mbuf is free'd by ah_massage_headers */
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
free(tc, M_XDATA);
crypto_freereq(crp);
return error;
@@ -745,7 +746,7 @@ ah_input_cb(struct cryptop *crp)
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ahstat.ahs_notdb++;
+ V_ahstat.ahs_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
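Review bot: `V_ahstat.ahs_notdb++` runs inside ah_input_cb, a crypto completion callback, so unlike the ah_input and ah_output hunks it may execute outside the context of the network stack instance that received the packet. Once the V_ symbols resolve per stack instance rather than to one global, this counter and the later V_ahstat updates in ah_input_cb and ah_output_cb could be charged to the wrong instance or rely on a context that was never set. Nothing in the visible lines establishes that context, but the function begins and ends outside the hunk, so it may be handled elsewhere. I would at least leave a marker such as `/* XXX vimage: crypto callback; stack context must be valid before V_ahstat is used */` so the dependency is not lost when virtualization is completed.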
@@ -768,19 +769,19 @@ ah_input_cb(struct cryptop *crp)
return error;
}
- ahstat.ahs_noxform++;
+ V_ahstat.ahs_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
} else {
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
crypto_freereq(crp); /* No longer needed. */
crp = NULL;
}
/* Shouldn't happen... */
if (m == NULL) {
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
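Review bot: `V_ahstat.ahs_hist[sav->alg_auth]++` indexes a statistics array with a value taken from the SA, and no range check is visible in this hunk; the same expression appears in the ah_output_cb hunk at `@@ -1154,12 +1155,12 @@`. The declared size of ahs_hist and the range of alg_auth accepted at SA setup are not on this page, so the bound may already be guaranteed. If any accepted algorithm id can exceed the array length, though, the increment writes past the stats structure in kernel memory. A guard such as `if (sav->alg_auth < sizeof(V_ahstat.ahs_hist) / sizeof(V_ahstat.ahs_hist[0]))` before the increment, or a comment naming where the bound is enforced, would settle it. ah_input_cb begins and ends outside the hunk.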
@@ -806,7 +807,7 @@ ah_input_cb(struct cryptop *crp)
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_badauth++;
+ V_ahstat.ahs_badauth++;
error = EACCES;
goto bad;
}
@@ -837,7 +838,7 @@ ah_input_cb(struct cryptop *crp)
m_copydata(m, skip + offsetof(struct newah, ah_seq),
sizeof (seq), (caddr_t) &seq);
if (ipsec_updatereplay(ntohl(seq), sav)) {
- ahstat.ahs_replay++;
+ V_ahstat.ahs_replay++;
error = ENOBUFS; /*XXX as above*/
goto bad;
}
@@ -851,7 +852,7 @@ ah_input_cb(struct cryptop *crp)
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
goto bad;
}
@@ -898,7 +899,7 @@ ah_output(
ahx = sav->tdb_authalgxform;
IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
- ahstat.ahs_output++;
+ V_ahstat.ahs_output++;
/* Figure out header size. */
rplen = HDRSIZE(sav);
@@ -921,7 +922,7 @@ ah_output(
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_nopf++;
+ V_ahstat.ahs_nopf++;
error = EPFNOSUPPORT;
goto bad;
}
@@ -932,20 +933,20 @@ ah_output(
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi),
rplen + authsize + m->m_pkthdr.len, maxpacketsize));
- ahstat.ahs_toobig++;
+ V_ahstat.ahs_toobig++;
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
- ahstat.ahs_obytes += m->m_pkthdr.len - skip;
+ V_ahstat.ahs_obytes += m->m_pkthdr.len - skip;
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
error = ENOBUFS;
goto bad;
}
@@ -958,7 +959,7 @@ ah_output(
rplen + authsize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++; /*XXX differs from openbsd */
+ V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */
error = ENOBUFS;
goto bad;
}
@@ -986,13 +987,13 @@ ah_output(
__func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_wrap++;
+ V_ahstat.ahs_wrap++;
error = EINVAL;
goto bad;
}
#ifdef REGRESSION
/* Emulate replay attack when ipsec_replay is TRUE. */
- if (!ipsec_replay)
+ if (!V_ipsec_replay)
#endif
sav->replay->count++;
ah->ah_seq = htonl(sav->replay->count);
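Review bot: The `if (!V_ipsec_replay)` guard is an unbraced `if` whose body, `sav->replay->count++`, sits after the `#endif`, so what the statement controls differs between REGRESSION and normal builds and is easy to break by inserting a line. With REGRESSION compiled in and the knob set, the outbound sequence number stops advancing, and as a V_ variable the knob would presumably become a per-stack setting. I would move the increment inside a braced conditional block, or add a comment such as `/* REGRESSION only: suppresses sequence-number advance; never enable on a production kernel */`. ah_output starts and ends outside this hunk.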
@@ -1003,7 +1004,7 @@ ah_output(
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
error = ENOBUFS;
goto bad;
}
@@ -1025,7 +1026,7 @@ ah_output(
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
error = ENOBUFS;
goto bad;
}
@@ -1127,7 +1128,7 @@ ah_output_cb(struct cryptop *crp)
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ahstat.ahs_notdb++;
+ V_ahstat.ahs_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -1146,7 +1147,7 @@ ah_output_cb(struct cryptop *crp)
return error;
}
- ahstat.ahs_noxform++;
+ V_ahstat.ahs_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -1154,12 +1155,12 @@ ah_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
/*
* Copy original headers (with the new protocol number) back
@@ -1173,7 +1174,7 @@ ah_output_cb(struct cryptop *crp)
#ifdef REGRESSION
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
- if (ipsec_integrity) {
+ if (V_ipsec_integrity) {
int alen;
/*