Index: sys/net/pfkeyv2.h =================================================================== RCS file: /cvsroot/src/sys/net/pfkeyv2.h,v retrieving revision 1.30 diff -u -u -r1.30 pfkeyv2.h --- sys/net/pfkeyv2.h 9 Jun 2011 19:54:18 -0000 1.30 +++ sys/net/pfkeyv2.h 13 Apr 2017 15:19:34 -0000 @@ -361,6 +361,42 @@ #define SADB_X_AALG_NULL 251 /* null authentication */ #define SADB_X_AALG_TCP_MD5 252 /* Keyed TCP-MD5 (RFC2385) */ +#define SADB_AALG_STATS_INIT \ + [SADB_AALG_NONE] = 1, \ + [SADB_AALG_MD5HMAC] = 2, \ + [SADB_AALG_SHA1HMAC] = 3, \ + [SADB_X_AALG_SHA2_256] = 4, \ + [SADB_X_AALG_SHA2_384] = 5, \ + [SADB_X_AALG_SHA2_512] = 6, \ + [SADB_X_AALG_RIPEMD160HMAC] = 7, \ + [SADB_X_AALG_AES_XCBC_MAC] = 8, \ + [SADB_X_AALG_AES128GMAC] = 9, \ + [SADB_X_AALG_AES192GMAC] = 10, \ + [SADB_X_AALG_AES256GMAC] = 11, \ + [SADB_X_AALG_MD5] = 12, \ + [SADB_X_AALG_SHA] = 13, \ + [SADB_X_AALG_NULL] = 14, \ + [SADB_X_AALG_TCP_MD5] = 15, + +#define SADB_AALG_STATS_NUM 16 +#define SADB_AALG_STATS_STR \ + "*unknown*", \ + "none", \ + "hmac-md5", \ + "hmac-sha1", \ + "hmac-sha2-256", \ + "hmac-sha2-384", \ + "hmac-sha2-512", \ + "hmac-ripe-md160", \ + "aes-xbc-mac", \ + "aes-128-mac", \ + "aes-192-mac", \ + "aes-256-mac", \ + "md5", \ + "sha", \ + "null", \ + "tcp-md5", + /* RFC2367 numbers - meets RFC2407 */ #define SADB_EALG_NONE 0 #define SADB_EALG_DESCBC 2 
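Review bot: Several labels in `SADB_AALG_STATS_STR` do not name the algorithm whose slot they occupy: `"aes-xbc-mac"` sits in the `SADB_X_AALG_AES_XCBC_MAC` slot, and `"aes-128-mac"`, `"aes-192-mac"`, `"aes-256-mac"` sit in the three AES-GMAC slots. The table this patch removes from usr.bin/netstat/fast_ipsec.c spelled them `"aes-xcbc-mac"` and `"aes-128-gmac"` / `"aes-192-gmac"` / `"aes-256-gmac"`. These strings become the netstat output an operator reads to see which transforms carry traffic, so I would keep the old spellings, e.g. `"aes-xcbc-mac", \` and `"aes-128-gmac", \`. The same applies to `"camelia-cbc"` in `SADB_EALG_STATS_STR` in the next hunk, which was `"camellia-cbc"` before.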
@@ -381,6 +417,40 @@ /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_EALG_SKIPJACK 250 +#define SADB_EALG_STATS_INIT \ + [SADB_EALG_NONE] = 1, \ + [SADB_EALG_DESCBC] = 2, \ + [SADB_EALG_3DESCBC] = 3, \ + [SADB_EALG_NULL] = 4, \ + [SADB_X_EALG_CAST128CBC] = 5, \ + [SADB_X_EALG_BLOWFISHCBC] = 6, \ + [SADB_X_EALG_RIJNDAELCBC] = 7, \ + [SADB_X_EALG_AESCTR] = 8, \ + [SADB_X_EALG_AESGCM8] = 9, \ + [SADB_X_EALG_AESGCM12] = 10, \ + [SADB_X_EALG_AESGCM16] = 11, \ + [SADB_X_EALG_CAMELLIACBC] = 12, \ + [SADB_X_EALG_AESGMAC] = 13, \ + [SADB_X_EALG_SKIPJACK] = 14, + +#define SADB_EALG_STATS_NUM 15 +#define SADB_EALG_STATS_STR \ + "*unknown*", \ + "none", \ + "des-cbc", \ + "3des-cbc", \ + "null", \ + "cast128-cbc", \ + "blowfish-cbc", \ + "aes-cbc", \ + "aes-ctr", \ + "aes-gcm-8", \ + "aes-gcm-12", \ + "aes-gcm-16", \ + "camelia-cbc", \ + "aes-gmac", \ + "skipjack", + /* private allocations - based on RFC2407/IANA assignment */ #define SADB_X_CALG_NONE 0 #define SADB_X_CALG_OUI 1 @@ -388,6 +458,22 @@ #define SADB_X_CALG_LZS 3 #define SADB_X_CALG_MAX 4 +#define SADB_CALG_STATS_INIT \ + [SADB_X_CALG_NONE] = 1, \ + [SADB_X_CALG_OUI] = 2, \ + [SADB_X_CALG_DEFLATE] = 3, \ + [SADB_X_CALG_LZS] = 4, + +#define SADB_CALG_STATS_NUM 5 + +#define SADB_CALG_STATS_STR \ + "*unknown*", \ + "none", \ + "oui", \ + "deflate", \ + "lzs", + + #define SADB_IDENTTYPE_RESERVED 0 #define SADB_IDENTTYPE_PREFIX 1 #define SADB_IDENTTYPE_FQDN 2 Index: sys/netipsec/ah_var.h =================================================================== RCS file: /cvsroot/src/sys/netipsec/ah_var.h,v retrieving revision 1.4 diff -u -u -r1.4 ah_var.h --- sys/netipsec/ah_var.h 23 Apr 2008 06:09:05 -0000 1.4 +++ sys/netipsec/ah_var.h 13 Apr 2017 15:19:34 -0000 
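Review bot: `SADB_EALG_STATS_INIT`, `SADB_EALG_STATS_NUM` and `SADB_EALG_STATS_STR` must agree by hand, and nothing in the header states or checks that: the largest slot in INIT has to equal NUM - 1, and STR has to list exactly NUM names in slot order. If a later edit adds a slot to INIT without bumping NUM, `ESP_STAT_HIST + esp_stats[alg]` would point one past the histogram area, assuming the counter array is sized by `ESP_NSTATS` (not visible in this hunk). I would add a comment above each trio, e.g. `/* slot 0 is "*unknown*"; keep _INIT, _NUM and _STR in step: highest slot == _NUM - 1 */`. I would also add a compile-time check where the name tables are instantiated, e.g. `__CTASSERT(__arraycount(espalgs) == ESP_ALG_MAX);` in netstat. The AALG trio in the previous hunk and the CALG trio in the following one have the same coupling.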
@@ -46,7 +46,6 @@ * they should be decoupled from the protocol at which time we can * pack them and reduce the size of the array to a minimum. */ -#define AH_ALG_MAX 16 #define AH_STAT_HDROPS 0 /* packet shorter than header shows */ #define AH_STAT_NOPF 1 /* protocol family not supported */ @@ -68,11 +67,14 @@ #define AH_STAT_CRYPTO 17 /* crypto processing failure */ #define AH_STAT_TUNNEL 18 /* tunnel sanity check failure */ #define AH_STAT_HIST 19 /* per-algorithm op count */ - /* space for AH_ALG_MAX (16) counters */ -#define AH_NSTATS 35 +/* space for SADB_AALG_STATS_NUM counters */ +#define AH_ALG_MAX SADB_AALG_STATS_NUM +#define AH_ALG_STR SADB_AALG_STATS_STR +#define AH_NSTATS (AH_STAT_HIST + AH_ALG_MAX) #ifdef _KERNEL +extern const uint8_t ah_stats[256]; extern int ah_enable; extern int ah_cleartos; #endif /* _KERNEL */ Index: sys/netipsec/esp_var.h =================================================================== RCS file: /cvsroot/src/sys/netipsec/esp_var.h,v retrieving revision 1.4 diff -u -u -r1.4 esp_var.h --- sys/netipsec/esp_var.h 23 Apr 2008 06:09:05 -0000 1.4 +++ sys/netipsec/esp_var.h 13 Apr 2017 15:19:34 -0000 @@ -46,8 +46,6 @@ * they should be decoupled from the protocol at which time we can * pack them and reduce the size of the array to a reasonable value. */ -#define ESP_ALG_MAX 256 /* NB: could be < but skipjack is 249 */ - #define ESP_STAT_HDROPS 0 /* packet shorter than header shows */ #define ESP_STAT_NOPF 1 /* protocol family not supported */ #define ESP_STAT_NOTDB 2 
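Review bot: `AH_ALG_MAX`, `AH_ALG_STR` and therefore `AH_NSTATS` in the second ah_var.h hunk now expand to macros from net/pfkeyv2.h, but the hunk adds no `#include <net/pfkeyv2.h>`. Every file that uses `AH_NSTATS` must therefore have pulled that header in already. If ah_var.h does not include it outside the hunk, add the include or a comment such as `/* requires <net/pfkeyv2.h> for SADB_AALG_STATS_* */` so the dependency is explicit. The new `extern const uint8_t ah_stats[256];` also needs the fixed-width types in scope. esp_var.h and ipcomp_var.h receive the same change in their hunks.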
@@ -69,11 +67,14 @@ #define ESP_STAT_CRYPTO 18 /* crypto processing failure */ #define ESP_STAT_TUNNEL 19 /* tunnel sanity check failure */ #define ESP_STAT_HIST 20 /* per-algorithm op count */ - /* space for ESP_ALG_MAX (256) counters */ -#define ESP_NSTATS 276 +/* space for SADB_EALG_STATS_NUM counters */ +#define ESP_ALG_MAX SADB_EALG_STATS_NUM +#define ESP_ALG_STR SADB_EALG_STATS_STR +#define ESP_NSTATS (ESP_STAT_HIST + ESP_ALG_MAX) #ifdef _KERNEL +extern const uint8_t esp_stats[256]; extern int esp_enable; #endif /* _KERNEL */ #endif /* !_NETIPSEC_ESP_VAR_H_ */ Index: sys/netipsec/ipcomp_var.h =================================================================== RCS file: /cvsroot/src/sys/netipsec/ipcomp_var.h,v retrieving revision 1.6 diff -u -u -r1.6 ipcomp_var.h --- sys/netipsec/ipcomp_var.h 23 Apr 2008 06:09:05 -0000 1.6 +++ sys/netipsec/ipcomp_var.h 13 Apr 2017 15:19:34 -0000 @@ -40,7 +40,6 @@ * they should be decoupled from the protocol at which time we can * pack them and reduce the size of the array to a minimum. */ -#define IPCOMP_ALG_MAX 8 #define IPCOMP_STAT_HDROPS 0 /* packet shorter than header shows */ #define IPCOMP_STAT_NOPF 1 /* protocol family not supported */ 
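Review bot: `ESP_NSTATS` shrinks from 276 to `ESP_STAT_HIST + ESP_ALG_MAX` (35), and the histogram slots change meaning from raw SADB algorithm numbers to compact `esp_stats[]` indices. Both alter the layout of the counter array that netstat sizes with the same macro. A netstat built against the old header and run on a new kernel, or the reverse, could attribute counts to the wrong algorithm name; how the export path treats a length mismatch is not visible in this diff. I would record the kernel/userland flag day next to the define, e.g. `/* HIST slots are esp_stats[] indices, not SADB_EALG_* values; netstat must match */`. `IPCOMP_NSTATS` in ipcomp_var.h (25 to 22) and the AH histogram, whose size is unchanged but whose slots are renumbered, change the same way.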
@@ -60,11 +59,14 @@ #define IPCOMP_STAT_PDROPS 15 /* packet blocked due to policy */ #define IPCOMP_STAT_CRYPTO 16 /* crypto processing failure */ #define IPCOMP_STAT_HIST 17 /* per-algorithm op count */ - /* space for IPCOMP_ALG_MAX (8) counters */ -#define IPCOMP_NSTATS 25 +/* space for SADB_CALG_STATS_NUM counters */ +#define IPCOMP_ALG_MAX SADB_CALG_STATS_NUM +#define IPCOMP_ALG_STR SADB_CALG_STATS_STR +#define IPCOMP_NSTATS (IPCOMP_STAT_HIST + IPCOMP_ALG_MAX) #ifdef _KERNEL +extern const uint8_t ipcomp_stats[256]; extern int ipcomp_enable; #endif /* _KERNEL */ #endif /* !_NETIPSEC_IPCOMP_VAR_H_ */ Index: sys/netipsec/xform_ah.c =================================================================== RCS file: /cvsroot/src/sys/netipsec/xform_ah.c,v retrieving revision 1.46 diff -u -u -r1.46 xform_ah.c --- sys/netipsec/xform_ah.c 13 Apr 2017 01:32:57 -0000 1.46 +++ sys/netipsec/xform_ah.c 13 Apr 2017 15:19:34 -0000 @@ -124,6 +124,8 @@ static int ah_input_cb(struct cryptop*); static int ah_output_cb(struct cryptop*); +const uint8_t ah_stats[256] = { SADB_AALG_STATS_INIT }; + /* * NB: this is public for use by the PF_KEY support. */ @@ -875,7 +877,7 @@ error = crp->crp_etype; goto bad; } else { - AH_STATINC(AH_STAT_HIST + sav->alg_auth); + AH_STATINC(AH_STAT_HIST + ah_stats[sav->alg_auth]); crypto_freereq(crp); /* No longer needed. */ crp = NULL; } @@ -1283,7 +1285,7 @@ error = EINVAL; goto bad; } - AH_STATINC(AH_STAT_HIST + sav->alg_auth); + AH_STATINC(AH_STAT_HIST + ah_stats[sav->alg_auth]); /* * Copy original headers (with the new protocol number) back Index: sys/netipsec/xform_esp.c =================================================================== RCS file: /cvsroot/src/sys/netipsec/xform_esp.c,v retrieving revision 1.49 diff -u -u -r1.49 xform_esp.c --- sys/netipsec/xform_esp.c 13 Apr 2017 01:32:57 -0000 1.49 +++ sys/netipsec/xform_esp.c 13 Apr 2017 15:19:34 -0000 
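Review bot: `ah_stats` is introduced in xform_ah.c without a comment, and its size is the bare literal `256`, repeated in the extern in ah_var.h. I would document the table where it is defined, e.g. `/* Maps an SADB_*AALG_* id to its AH_STAT_HIST slot; ids absent from SADB_AALG_STATS_INIT map to slot 0 ("*unknown*"). */`. I would also give the size a single named constant shared by the definition and the extern so the two cannot drift apart. `esp_stats` and `ipcomp_stats` in their own files are defined the same way.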
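Review bot: `ah_stats[sav->alg_auth]` at both `AH_STATINC` call sites in xform_ah.c stays in bounds only if `alg_auth` can never exceed 255, and the field's declaration lies outside this diff. If it is an 8-bit field, the 256-entry table covers every value, and that assumption deserves a comment at the table. If it is wider, the lookup needs a guard such as `sav->alg_auth < __arraycount(ah_stats) ? ah_stats[sav->alg_auth] : 0`. The same pattern appears as `esp_stats[sav->alg_enc]` in xform_esp.c and `ipcomp_stats[sav->alg_comp]` in xform_ipcomp.c. The enclosing callbacks start and end outside these hunks.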
@@ -109,6 +109,8 @@ static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); +const uint8_t esp_stats[256] = { SADB_EALG_STATS_INIT }; + /* * NB: this is public for use by the PF_KEY support. * NB: if you add support here; be sure to add code to esp_attach below! @@ -583,7 +585,7 @@ error = EINVAL; goto bad; } - ESP_STATINC(ESP_STAT_HIST + sav->alg_enc); + ESP_STATINC(ESP_STAT_HIST + esp_stats[sav->alg_enc]); /* If authentication was performed, check now. */ if (esph != NULL) { @@ -592,7 +594,7 @@ * the verification for us. Otherwise we need to * check the authentication calculation. */ - AH_STATINC(AH_STAT_HIST + sav->alg_auth); + AH_STATINC(AH_STAT_HIST + ah_stats[sav->alg_auth]); if (mtag == NULL) { /* Copy the authenticator from the packet */ m_copydata(m, m->m_pkthdr.len - esph->authsize, @@ -1021,9 +1023,9 @@ error = EINVAL; goto bad; } - ESP_STATINC(ESP_STAT_HIST + sav->alg_enc); + ESP_STATINC(ESP_STAT_HIST + esp_stats[sav->alg_enc]); if (sav->tdb_authalgxform != NULL) - AH_STATINC(AH_STAT_HIST + sav->alg_auth); + AH_STATINC(AH_STAT_HIST + ah_stats[sav->alg_auth]); /* Release crypto descriptors. */ free(tc, M_XDATA); Index: sys/netipsec/xform_ipcomp.c =================================================================== RCS file: /cvsroot/src/sys/netipsec/xform_ipcomp.c,v retrieving revision 1.32 diff -u -u -r1.32 xform_ipcomp.c --- sys/netipsec/xform_ipcomp.c 6 Apr 2017 09:20:07 -0000 1.32 +++ sys/netipsec/xform_ipcomp.c 13 Apr 2017 15:19:34 -0000 @@ -91,11 +91,11 @@ static int ipcomp_input_cb(struct cryptop *crp); static int ipcomp_output_cb(struct cryptop *crp); +const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT }; + const struct comp_algo * ipcomp_algorithm_lookup(int alg) { - if (alg >= IPCOMP_ALG_MAX) - return NULL; switch (alg) { case SADB_X_CALG_DEFLATE: return &comp_algo_deflate_nogrow; 
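Review bot: With the `alg >= IPCOMP_ALG_MAX` guard removed in the xform_ipcomp.c hunk, `ipcomp_algorithm_lookup()` relies on its `switch` alone to reject unknown ids, and the rest of that switch lies outside the hunk. Confirm that every unlisted value ends in `return NULL;`. If it does, a one-line comment such as `/* unknown ids fall out of the switch and return NULL */` would record why no range check is needed.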
@@ -297,7 +297,7 @@ error = EINVAL; goto bad; } - IPCOMP_STATINC(IPCOMP_STAT_HIST + sav->alg_comp); + IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); /* Update the counters */ IPCOMP_STATADD(IPCOMP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen); @@ -560,7 +560,7 @@ error = EINVAL; goto bad; } - IPCOMP_STATINC(IPCOMP_STAT_HIST + sav->alg_comp); + IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]); if (rlen > crp->crp_olen) { /* Inject IPCOMP header */ Index: usr.bin/netstat/fast_ipsec.c =================================================================== RCS file: /cvsroot/src/usr.bin/netstat/fast_ipsec.c,v retrieving revision 1.20 diff -u -u -r1.20 fast_ipsec.c --- usr.bin/netstat/fast_ipsec.c 15 Apr 2013 21:20:39 -0000 1.20 +++ usr.bin/netstat/fast_ipsec.c 13 Apr 2017 15:19:34 -0000 
@@ -70,52 +70,19 @@ int a; const char *name; }; -static const struct alg aalgs[] = { - { SADB_AALG_NONE, "none", }, - { SADB_AALG_MD5HMAC, "hmac-md5", }, - { SADB_AALG_SHA1HMAC, "hmac-sha1", }, - { SADB_X_AALG_MD5, "md5", }, - { SADB_X_AALG_SHA, "sha", }, - { SADB_X_AALG_NULL, "null", }, - { SADB_X_AALG_SHA2_256, "hmac-sha2-256", }, - { SADB_X_AALG_SHA2_384, "hmac-sha2-384", }, - { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, - { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, - { SADB_X_AALG_AES128GMAC, "aes-128-gmac", }, - { SADB_X_AALG_AES192GMAC, "aes-192-gmac", }, - { SADB_X_AALG_AES256GMAC, "aes-256-gmac", }, -}; -static const struct alg espalgs[] = { - { SADB_EALG_NONE, "none", }, - { SADB_EALG_DESCBC, "des-cbc", }, - { SADB_EALG_3DESCBC, "3des-cbc", }, - { SADB_EALG_NULL, "null", }, - { SADB_X_EALG_CAST128CBC, "cast128-cbc", }, - { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", }, - { SADB_X_EALG_RIJNDAELCBC, "aes-cbc", }, - { SADB_X_EALG_CAMELLIACBC, "camellia-cbc", }, - { SADB_X_EALG_AESCTR, "aes-ctr", }, - { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, - { SADB_X_EALG_AESGMAC, "aes-gmac", }, -}; -static const struct alg ipcompalgs[] = { - { SADB_X_CALG_NONE, "none", }, - { SADB_X_CALG_OUI, "oui", }, - { SADB_X_CALG_DEFLATE, "deflate", }, - { SADB_X_CALG_LZS, "lzs", }, -}; -#define N(a) (sizeof(a)/sizeof(a[0])) -static const char* -algname(int a, const struct alg algs[], int nalgs) +static const char *ahalgs[] = { AH_ALG_STR }; +static const char *espalgs[] = { ESP_ALG_STR }; +static const char *ipcompalgs[] = { IPCOMP_ALG_STR }; + +static const char * +algname(size_t a, const char *algs[], size_t nalgs) { static char buf[80]; - int i; - for (i = 0; i < nalgs; i++) - if (algs[i].a == a) - return algs[i].name; - snprintf(buf, sizeof(buf), "alg#%u", a); + if (a < nalgs) + return algs[a]; + snprintf(buf, sizeof(buf), "alg#%zu", a); return buf; } 
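Review bot: `struct alg`, whose closing lines are the context at the top of this hunk, appears to have no remaining user now that the three tables are plain string arrays. It can be removed unless something outside the hunk still refers to it. The new tables and the `algs` parameter can also be fully const: `static const char * const ahalgs[] = { AH_ALG_STR };` and `algname(size_t a, const char * const algs[], size_t nalgs)`. `algname` still returns a pointer to a static buffer for out-of-range indexes, which merits a comment such as `/* falls back to static storage; not reentrant */`.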
@@ -135,8 +102,7 @@ uint64_t ipcs[IPCOMP_NSTATS]; uint64_t ipips[IPIP_NSTATS]; int status; - size_t slen; - int i; + size_t slen, i; if (! use_sysctl) { warnx("IPsec stats not available via KVM."); @@ -220,7 +186,7 @@ for (i = 0; i < AH_ALG_MAX; i++) if (ahstats[AH_STAT_HIST + i]) printf("\t\tah packets with %s: %"PRIu64"\n" - , algname(i, aalgs, N(aalgs)) + , algname(i, ahalgs, __arraycount(ahalgs)) , ahstats[AH_STAT_HIST + i] ); AHSTAT(ahstats[AH_STAT_IBYTES], "bytes received"); @@ -252,7 +218,7 @@ for (i = 0; i < ESP_ALG_MAX; i++) if (espstats[ESP_STAT_HIST + i]) printf("\t\tesp packets with %s: %"PRIu64"\n" - , algname(i, espalgs, N(espalgs)) + , algname(i, espalgs, __arraycount(espalgs)) , espstats[ESP_STAT_HIST + i] ); ESPSTAT(espstats[ESP_STAT_IBYTES], "bytes received"); @@ -298,8 +264,8 @@ for (i = 0; i < IPCOMP_ALG_MAX; i++) if (ipcs[IPCOMP_STAT_HIST + i]) printf("\t\tIPcomp packets with %s: %"PRIu64"\n" - , algname(i, ipcompalgs, N(ipcompalgs)) - , ipcs[IPCOMP_STAT_HIST + i] + , algname(i, ipcompalgs, __arraycount(ipcompalgs)) + , ipcs[IPCOMP_STAT_HIST + i] ); IPCOMP(ipcs[IPCOMP_STAT_IBYTES],"input bytes"); IPCOMP(ipcs[IPCOMP_STAT_OBYTES],"output bytes");