Hide net.inet.ipsec.test_{replay,integrity} sysctls under #ifdef REGRESSION.

Requested by: sam, rwatson
2006-04-10 15:04:36 +00:00 · 2006-04-10 15:04:36 +00:00 · 6131838b7c
commit 6131838b7c
parent 8447156ce0
4 changed files with 12 additions and 0 deletions
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@ -148,6 +148,7 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO,
 SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
 	ipsecstats,	CTLFLAG_RD,	&newipsecstat,	newipsecstat, "");

+#ifdef REGRESSION
 /*
 * When set to 1, IPsec will send packets with the same sequence number.
 * This allows to verify if the other side has proper replay attacks detection.
@ -162,6 +163,7 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0,
 int ipsec_integrity = 0;
 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,
    &ipsec_integrity, 0, "Emulate man-in-the-middle attack");
+#endif

 #ifdef INET6
 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@ -330,8 +330,10 @@ struct ipsec_history {
 };

 extern int ipsec_debug;
+#ifdef REGRESSION
 extern int ipsec_replay;
 extern int ipsec_integrity;
+#endif

 extern struct newipsecstat newipsecstat;
 extern struct secpolicy ip4_def_policy;
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@ -998,8 +998,10 @@ ah_output(
 			error = EINVAL;
 			goto bad;
 		}
+#ifdef REGRESSION
 		/* Emulate replay attack when ipsec_replay is TRUE. */
 		if (!ipsec_replay)
+#endif
 			sav->replay->count++;
 		ah->ah_seq = htonl(sav->replay->count);
 	}
@ -1180,6 +1182,7 @@ ah_output_cb(struct cryptop *crp)
 	free(tc, M_XDATA);
 	crypto_freereq(crp);

+#ifdef REGRESSION
 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
 	if (ipsec_integrity) {
 		int alen;
@ -1191,6 +1194,7 @@ ah_output_cb(struct cryptop *crp)
 		alen = AUTHSIZE(sav);
 		m_copyback(m, m->m_pkthdr.len - alen, alen, ipseczeroes);
 	}
+#endif

 	/* NB: m is reclaimed by ipsec_process_done. */
 	err = ipsec_process_done(m, isr);
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@ -761,8 +761,10 @@ esp_output(
 	if (sav->replay) {
 		u_int32_t replay;

+#ifdef REGRESSION
 		/* Emulate replay attack when ipsec_replay is TRUE. */
 		if (!ipsec_replay)
+#endif
 			sav->replay->count++;
 		replay = htonl(sav->replay->count);
 		bcopy((caddr_t) &replay,
@ -947,6 +949,7 @@ esp_output_cb(struct cryptop *crp)
 	free(tc, M_XDATA);
 	crypto_freereq(crp);

+#ifdef REGRESSION
 	/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
 	if (ipsec_integrity) {
 		static unsigned char ipseczeroes[AH_HMAC_HASHLEN];
@ -962,6 +965,7 @@ esp_output_cb(struct cryptop *crp)
 			    AH_HMAC_HASHLEN, ipseczeroes);
 		}
 	}
+#endif

 	/* NB: m is reclaimed by ipsec_process_done. */
 	err = ipsec_process_done(m, isr);