[src/netbsd-1-5]: src/sys pullup (approved by releng-1-5)
details: https://anonhg.NetBSD.org/src/rev/78832ef527a8
branches: netbsd-1-5
changeset: 489577:78832ef527a8
user: itojun <itojun%NetBSD.org@localhost>
date: Fri Sep 29 06:42:42 2000 +0000
description:
pullup (approved by releng-1-5)
correct lifetime handling of IPsec keys, so that they won't wrongly
survive across a suspend/resume session.
sys/netinet6/ipsec.h 1.15 -> 1.16
sys/netkey/keydb.h 1.7 -> 1.9
sys/netkey/key.c 1.35 -> 1.36
stabilize ipcomp packet handling (if we don't update this SEGV can happen).
sys/netinet6/ipcomp_output.c 1.10 -> 1.13
sys/netinet6/ipcomp_input.c 1.10 -> 1.13
sys/netinet6/ipcomp_core.c 1.9 -> 1.16
sys/netinet6/ipcomp.h 1.7 -> 1.8
sys/netkey/key.c 1.28 -> 1.29, 1.31 -> 1.35, 1.36 -> 1.37
avoid hardcoding IV length. new ESP engine (uses block cipher only,
easier to put per-arch *.S)
sys/netinet6/esp_output.c 1.5 -> 1.8
sys/netinet6/esp_input.c 1.5 -> 1.8
sys/netinet6/esp_core.c 1.7 -> 1.9
sys/netinet6/esp.h 1.11 -> 1.13
sys/netkey/key.c 1.30 -> 1.31
diffstat:
sys/netinet6/esp.h | 14 +-
sys/netinet6/esp_core.c | 1332 ++++++++++++++++++-----------------------
sys/netinet6/esp_input.c | 100 +-
sys/netinet6/esp_output.c | 47 +-
sys/netinet6/ipcomp.h | 9 +-
sys/netinet6/ipcomp_core.c | 239 ++++---
sys/netinet6/ipcomp_input.c | 147 +---
sys/netinet6/ipcomp_output.c | 63 +-
sys/netinet6/ipsec.h | 7 +-
sys/netkey/key.c | 363 ++++++----
sys/netkey/keydb.h | 13 +-
11 files changed, 1122 insertions(+), 1212 deletions(-)
diffs (truncated from 3486 to 300 lines):
diff -r 65dc4d0508c3 -r 78832ef527a8 sys/netinet6/esp.h
--- a/sys/netinet6/esp.h Fri Sep 29 06:32:43 2000 +0000
+++ b/sys/netinet6/esp.h Fri Sep 29 06:42:42 2000 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: esp.h,v 1.8.2.2 2000/07/30 05:38:49 itojun Exp $ */
-/* $KAME: esp.h,v 1.11 2000/07/23 08:23:29 itojun Exp $ */
+/* $NetBSD: esp.h,v 1.8.2.3 2000/09/29 06:42:42 itojun Exp $ */
+/* $KAME: esp.h,v 1.15 2000/09/20 18:15:22 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -74,21 +74,27 @@
struct esp_algorithm {
size_t padbound; /* pad boundary, in byte */
+ int ivlenval; /* iv length, in byte */
int (*mature) __P((struct secasvar *));
int keymin; /* in bits */
int keymax; /* in bits */
- size_t schedlen;
+ int (*schedlen) __P((const struct esp_algorithm *));
const char *name;
- int (*ivlen) __P((struct secasvar *));
+ int (*ivlen) __P((const struct esp_algorithm *, struct secasvar *));
int (*decrypt) __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
int (*encrypt) __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
/* not supposed to be called directly */
int (*schedule) __P((const struct esp_algorithm *, struct secasvar *));
+ int (*blockdecrypt) __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
+ int (*blockencrypt) __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
};
extern const struct esp_algorithm *esp_algorithm_lookup __P((int));
+extern int esp_max_ivlen __P((void));
/* crypt routines */
extern int esp4_output __P((struct mbuf *, struct ipsecrequest *));
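Review bot: The new `ivlenval` member is documented only as `/* iv length, in byte */`, yet the des-cbc row of esp_algorithms[] in esp_core.c initialises it to -1, so the field carries a sentinel the header never describes. Suggest `int ivlenval; /* iv length in bytes; negative when not fixed per algorithm - use (*ivlen)() */`; that reading is inferred from esp_descbc_ivlen now taking the secasvar, so confirm it against that function's body, which is outside these hunks. It is also worth stating in the same comment that esp_max_ivlen() ignores negative entries, since it starts its scan at 0 and only takes larger values.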
diff -r 65dc4d0508c3 -r 78832ef527a8 sys/netinet6/esp_core.c
--- a/sys/netinet6/esp_core.c Fri Sep 29 06:32:43 2000 +0000
+++ b/sys/netinet6/esp_core.c Fri Sep 29 06:42:42 2000 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: esp_core.c,v 1.1.1.1.2.3 2000/08/31 14:50:25 itojun Exp $ */
-/* $KAME: esp_core.c,v 1.20 2000/07/21 02:42:12 itojun Exp $ */
+/* $NetBSD: esp_core.c,v 1.1.1.1.2.4 2000/09/29 06:42:42 itojun Exp $ */
+/* $KAME: esp_core.c,v 1.44 2000/09/20 18:15:22 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -63,94 +63,85 @@
#include <crypto/des/des.h>
#include <crypto/blowfish/blowfish.h>
#include <crypto/cast128/cast128.h>
-#ifdef SADB_X_EALG_RC5CBC
-#include <crypto/rc5/rc5.h>
-#endif
#include <net/net_osdep.h>
-static int esp_crypto_sanity __P((const struct esp_algorithm *,
- struct secasvar *, int));
static int esp_null_mature __P((struct secasvar *));
-static int esp_null_ivlen __P((struct secasvar *));
static int esp_null_decrypt __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
static int esp_null_encrypt __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
static int esp_descbc_mature __P((struct secasvar *));
-static int esp_descbc_ivlen __P((struct secasvar *));
-static int esp_descbc_decrypt __P((struct mbuf *, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-static int esp_descbc_encrypt __P((struct mbuf *, size_t, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-static int esp_descbc_schedule __P((const struct esp_algorithm *,
+static int esp_descbc_ivlen __P((const struct esp_algorithm *,
+ struct secasvar *));
+static int esp_des_schedule __P((const struct esp_algorithm *,
struct secasvar *));
+static int esp_des_schedlen __P((const struct esp_algorithm *));
+static int esp_des_blockdecrypt __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
+static int esp_des_blockencrypt __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
static int esp_cbc_mature __P((struct secasvar *));
-static int esp_blowfish_cbc_decrypt __P((struct mbuf *, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-static int esp_blowfish_cbc_encrypt __P((struct mbuf *, size_t,
- size_t, struct secasvar *, const struct esp_algorithm *, int));
-static int esp_blowfish_cbc_schedule __P((const struct esp_algorithm *,
+static int esp_blowfish_schedule __P((const struct esp_algorithm *,
+ struct secasvar *));
+static int esp_blowfish_schedlen __P((const struct esp_algorithm *));
+static int esp_blowfish_blockdecrypt __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
+static int esp_blowfish_blockencrypt __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
+static int esp_cast128_schedule __P((const struct esp_algorithm *,
struct secasvar *));
-static int esp_blowfish_cbc_ivlen __P((struct secasvar *));
-static int esp_cast128cbc_ivlen __P((struct secasvar *));
-static int esp_cast128cbc_decrypt __P((struct mbuf *, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-static int esp_cast128cbc_encrypt __P((struct mbuf *, size_t, size_t,
+static int esp_cast128_schedlen __P((const struct esp_algorithm *));
+static int esp_cast128_blockdecrypt __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
+static int esp_cast128_blockencrypt __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
+static int esp_3des_schedule __P((const struct esp_algorithm *,
+ struct secasvar *));
+static int esp_3des_schedlen __P((const struct esp_algorithm *));
+static int esp_3des_blockdecrypt __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
+static int esp_3des_blockencrypt __P((const struct esp_algorithm *,
+ struct secasvar *, u_int8_t *, u_int8_t *));
+static int esp_common_ivlen __P((const struct esp_algorithm *,
+ struct secasvar *));
+static int esp_cbc_decrypt __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
-static int esp_cast128cbc_schedule __P((const struct esp_algorithm *,
- struct secasvar *));
-static int esp_3descbc_ivlen __P((struct secasvar *));
-static int esp_3descbc_decrypt __P((struct mbuf *, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-static int esp_3descbc_encrypt __P((struct mbuf *, size_t, size_t,
+static int esp_cbc_encrypt __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
-static int esp_3descbc_schedule __P((const struct esp_algorithm *,
- struct secasvar *));
-#ifdef SADB_X_EALG_RC5CBC
-static int esp_rc5cbc_ivlen __P((struct secasvar *));
-static int esp_rc5cbc_decrypt __P((struct mbuf *, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-static int esp_rc5cbc_encrypt __P((struct mbuf *, size_t, size_t,
- struct secasvar *, const struct esp_algorithm *, int));
-static int esp_rc5cbc_schedule __P((const struct esp_algorithm *,
- struct secasvar *));
-#endif
static void esp_increment_iv __P((struct secasvar *));
-static caddr_t mbuf_find_offset __P((struct mbuf *, size_t, size_t));
+
+#define MAXIVLEN 16
+
+static const struct esp_algorithm esp_algorithms[] = {
+ { 8, -1, esp_descbc_mature, 64, 64, esp_des_schedlen,
+ "des-cbc",
+ esp_descbc_ivlen, esp_cbc_decrypt,
+ esp_cbc_encrypt, esp_des_schedule,
+ esp_des_blockdecrypt, esp_des_blockencrypt, },
+ { 8, 8, esp_cbc_mature, 192, 192, esp_3des_schedlen,
+ "3des-cbc",
+ esp_common_ivlen, esp_cbc_decrypt,
+ esp_cbc_encrypt, esp_3des_schedule,
+ esp_3des_blockdecrypt, esp_3des_blockencrypt, },
+ { 1, 0, esp_null_mature, 0, 2048, 0, "null",
+ esp_common_ivlen, esp_null_decrypt,
+ esp_null_encrypt, NULL, },
+ { 8, 8, esp_cbc_mature, 40, 448, esp_blowfish_schedlen, "blowfish-cbc",
+ esp_common_ivlen, esp_cbc_decrypt,
+ esp_cbc_encrypt, esp_blowfish_schedule,
+ esp_blowfish_blockdecrypt, esp_blowfish_blockencrypt, },
+ { 8, 8, esp_cbc_mature, 40, 128, esp_cast128_schedlen,
+ "cast128-cbc",
+ esp_common_ivlen, esp_cbc_decrypt,
+ esp_cbc_encrypt, esp_cast128_schedule,
+ esp_cast128_blockdecrypt, esp_cast128_blockencrypt, },
+};
const struct esp_algorithm *
esp_algorithm_lookup(idx)
int idx;
{
- static struct esp_algorithm esp_algorithms[] = {
- { 8, esp_descbc_mature, 64, 64, sizeof(des_key_schedule),
- "des-cbc",
- esp_descbc_ivlen, esp_descbc_decrypt,
- esp_descbc_encrypt, esp_descbc_schedule, },
- { 8, esp_cbc_mature, 192, 192, sizeof(des_key_schedule) * 3,
- "3des-cbc",
- esp_3descbc_ivlen, esp_3descbc_decrypt,
- esp_3descbc_encrypt, esp_3descbc_schedule, },
- { 1, esp_null_mature, 0, 2048, 0, "null",
- esp_null_ivlen, esp_null_decrypt,
- esp_null_encrypt, NULL, },
- { 8, esp_cbc_mature, 40, 448, sizeof(BF_KEY), "blowfish-cbc",
- esp_blowfish_cbc_ivlen, esp_blowfish_cbc_decrypt,
- esp_blowfish_cbc_encrypt, esp_blowfish_cbc_schedule, },
- { 8, esp_cbc_mature, 40, 128, sizeof(u_int32_t) * 32,
- "cast128-cbc",
- esp_cast128cbc_ivlen, esp_cast128cbc_decrypt,
- esp_cast128cbc_encrypt, esp_cast128cbc_schedule, },
-#ifdef SADB_X_EALG_RC5CBC
- { 8, esp_cbc_mature, 40, 2040, sizeof(RC5_WORD) * 34, "rc5-cbc",
- esp_rc5cbc_ivlen, esp_rc5cbc_decrypt,
- esp_rc5cbc_encrypt, esp_rc5cbc_schedule, },
-#else
- { 8, NULL, 40, 2040, 0, "rc5-cbc dummy",
- NULL, NULL, NULL, NULL, },
-#endif
- };
switch (idx) {
case SADB_EALG_DESCBC:
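Review bot: `#define MAXIVLEN 16` above the rebuilt table is a hand-maintained bound that nothing ties to the `ivlenval` column it presumably caps; the largest value in the table today is 8, and esp_max_ivlen() in the next hunk derives the bound from the table at run time, so the two can silently drift when a row is added. Suggest `#define MAXIVLEN 16 /* must be >= every ivlenval in esp_algorithms[]; keep in sync with esp_max_ivlen() */`, and if MAXIVLEN sizes any fixed buffer (not visible here) that code should compare against esp_max_ivlen() rather than trust the constant. The rows are also positionally initialised across thirteen members while this very commit inserts and reorders struct fields; a one-line comment naming the column order, and a note on the `-1` and `0` ivlenval rows, would keep the table readable without changing code. The tail of esp_algorithm_lookup lies outside this hunk.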
@@ -163,21 +154,35 @@
return &esp_algorithms[3];
case SADB_X_EALG_CAST128CBC:
return &esp_algorithms[4];
-#ifdef SADB_X_EALG_RC5CBC
- case SADB_X_EALG_RC5CBC:
- return &esp_algorithms[5];
-#endif
default:
return NULL;
}
}
int
+esp_max_ivlen()
+{
+ int idx;
+ int ivlen;
+
+ ivlen = 0;
+ for (idx = 0; idx < sizeof(esp_algorithms)/sizeof(esp_algorithms[0]);
+ idx++) {
+ if (esp_algorithms[idx].ivlenval > ivlen)
+ ivlen = esp_algorithms[idx].ivlenval;
+ }
+
+ return ivlen;
+}
+
+int
esp_schedule(algo, sav)
const struct esp_algorithm *algo;
struct secasvar *sav;
{
+ int error;
+ /* check for key length */
if (_KEYBITS(sav->key_enc) < algo->keymin ||
_KEYBITS(sav->key_enc) > algo->keymax) {
ipseclog((LOG_ERR,
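Review bot: In esp_max_ivlen() the loop index `idx` is an `int` compared against the `size_t` value of `sizeof(esp_algorithms)/sizeof(esp_algorithms[0])` in the for condition, a signed/unsigned comparison that -Wsign-compare flags; declaring `size_t idx;` removes it with no behaviour change. Starting `ivlen` at 0 means the des-cbc row's `-1` sentinel can never be selected, which is the intent but deserves a comment such as `/* negative ivlenval (variable IV length) never exceeds 0, so it is skipped */`. The `int error;` added to esp_schedule is only used further down; that function's body continues past the end of this hunk.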
@@ -187,42 +192,33 @@
return EINVAL;
}
- if (!algo->schedule || algo->schedlen == 0)
+ /* already allocated */
+ if (sav->sched && sav->schedlen != 0)
return 0;
- if (!sav->sched || sav->schedlen != algo->schedlen)
- panic("invalid sav->schedlen in esp_schedule");
- return (*algo->schedule)(algo, sav);
-}
+ /* no schedule necessary */
+ if (!algo->schedule || !algo->schedlen)
+ return 0;
-/*
- * default sanity check for algo->{de,en}crypt
- */
-static int
-esp_crypto_sanity(algo, sav, ivlen)
- const struct esp_algorithm *algo;
- struct secasvar *sav;
- int ivlen;
-{
-
- if (sav->ivlen != ivlen) {
- ipseclog((LOG_ERR, "esp_decrypt %s: bad ivlen %d/%d\n",
- algo->name, ivlen, sav->ivlen));
+ sav->schedlen = (*algo->schedlen)(algo);
+ if (sav->schedlen < 0)
return EINVAL;
- }
- if (!sav->sched || sav->schedlen != algo->schedlen) {
- ipseclog((LOG_ERR,
- "esp_decrypt %s: no intermediate key\n", algo->name));
- return EINVAL;
+ sav->sched = malloc(sav->schedlen, M_SECA, M_DONTWAIT);
+ if (!sav->sched) {
+ sav->schedlen = 0;
+ return ENOBUFS;
}
- return 0;
+ error = (*algo->schedule)(algo, sav);
+ if (error) {
+ ipseclog((LOG_ERR, "esp_schedule %s: error %d\n",
+ algo->name, error));
+ free(sav->sched, M_SECA);
+ sav->sched = NULL;
+ sav->schedlen = 0;
+ }
+ return error;
}