Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-5]: src/sys pullup (approved by releng-1-5)
details: https://anonhg.NetBSD.org/src/rev/3245c888815b
branches: netbsd-1-5
changeset: 488799:3245c888815b
user: itojun <itojun%NetBSD.org@localhost>
date: Sun Jul 30 05:38:49 2000 +0000
description:
pullup (approved by releng-1-5)
esp encryption performance improvement, specifically for algorithms
with long key setup time (blowfish). KAME PR 229.
> pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
> sync with kame.
1.11 -> 1.12 syssrc/sys/netinet6/ah.h
1.9 -> 1.10 syssrc/sys/netinet6/esp.h
1.2 -> 1.3 syssrc/sys/netinet6/esp_core.c \
1.2 -> 1.3 syssrc/sys/netinet6/esp_input.c
1.3 -> 1.4 syssrc/sys/netinet6/esp_output.c
1.27 -> 1.28 syssrc/sys/netkey/key.c
1.6 -> 1.7 syssrc/sys/netkey/keydb.h
> clarify comment. from jhawk. sync with kame.
1.3 -> 1.4 syssrc/sys/netinet6/esp_input.c
1.4 -> 1.5 syssrc/sys/netinet6/esp_output.c
diffstat:
sys/netinet6/ah.h | 10 +-
sys/netinet6/esp.h | 16 +-
sys/netinet6/esp_core.c | 510 ++++++++++++++++++++-------------------------
sys/netinet6/esp_input.c | 51 +++-
sys/netinet6/esp_output.c | 39 +++-
sys/netkey/key.c | 20 +-
sys/netkey/keydb.h | 6 +-
7 files changed, 338 insertions(+), 314 deletions(-)
diffs (truncated from 1235 to 300 lines):
diff -r 8829f44ebe63 -r 3245c888815b sys/netinet6/ah.h
--- a/sys/netinet6/ah.h Sat Jul 29 20:43:20 2000 +0000
+++ b/sys/netinet6/ah.h Sun Jul 30 05:38:49 2000 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: ah.h,v 1.10.2.1 2000/07/25 04:24:46 itojun Exp $ */
-/* $KAME: ah.h,v 1.11 2000/07/15 16:07:47 itojun Exp $ */
+/* $NetBSD: ah.h,v 1.10.2.2 2000/07/30 05:38:49 itojun Exp $ */
+/* $KAME: ah.h,v 1.12 2000/07/20 17:41:01 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -41,8 +41,6 @@
#include "opt_inet.h"
#endif
-struct secasvar;
-
struct ah {
u_int8_t ah_nxt; /* Next Header */
u_int8_t ah_len; /* Length of data, in 32bit */
@@ -60,6 +58,9 @@
/* variable size, 32bit bound*/ /* Authentication data */
};
+#ifdef _KERNEL
+struct secasvar;
+
struct ah_algorithm_state {
struct secasvar *sav;
void* foo; /*per algorithm data - maybe*/
@@ -78,7 +79,6 @@
#define AH_MAXSUMSIZE 16
-#ifdef _KERNEL
extern const struct ah_algorithm *ah_algorithm_lookup __P((int));
/* cksum routines */
diff -r 8829f44ebe63 -r 3245c888815b sys/netinet6/esp.h
--- a/sys/netinet6/esp.h Sat Jul 29 20:43:20 2000 +0000
+++ b/sys/netinet6/esp.h Sun Jul 30 05:38:49 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: esp.h,v 1.8.2.1 2000/07/25 04:24:47 itojun Exp $ */
+/* $NetBSD: esp.h,v 1.8.2.2 2000/07/30 05:38:49 itojun Exp $ */
/* $KAME: esp.h,v 1.11 2000/07/23 08:23:29 itojun Exp $ */
/*
@@ -41,8 +41,6 @@
#include "opt_inet.h"
#endif
-struct secasvar;
-
struct esp {
u_int32_t esp_spi; /* ESP */
/*variable size, 32bit bound*/ /* Initialization Vector */
@@ -71,26 +69,25 @@
/*variable size, 32bit bound*/ /* Authentication data (new IPsec)*/
};
-struct esp_algorithm_state {
- struct secasvar *sav;
- void* foo; /*per algorithm data - maybe*/
-};
+#ifdef _KERNEL
+struct secasvar;
-/* XXX yet to be defined */
struct esp_algorithm {
size_t padbound; /* pad boundary, in byte */
int (*mature) __P((struct secasvar *));
int keymin; /* in bits */
int keymax; /* in bits */
+ size_t schedlen;
const char *name;
int (*ivlen) __P((struct secasvar *));
int (*decrypt) __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
int (*encrypt) __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
+ /* not supposed to be called directly */
+ int (*schedule) __P((const struct esp_algorithm *, struct secasvar *));
};
-#ifdef _KERNEL
extern const struct esp_algorithm *esp_algorithm_lookup __P((int));
/* crypt routines */
@@ -104,6 +101,7 @@
extern int esp6_input __P((struct mbuf **, int *, int));
#endif /* INET6 */
+extern int esp_schedule __P((const struct esp_algorithm *, struct secasvar *));
extern int esp_auth __P((struct mbuf *, size_t, size_t,
struct secasvar *, u_char *));
#endif /*_KERNEL*/
diff -r 8829f44ebe63 -r 3245c888815b sys/netinet6/esp_core.c
--- a/sys/netinet6/esp_core.c Sat Jul 29 20:43:20 2000 +0000
+++ b/sys/netinet6/esp_core.c Sun Jul 30 05:38:49 2000 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: esp_core.c,v 1.1.1.1.2.1 2000/07/25 04:24:47 itojun Exp $ */
-/* $KAME: esp_core.c,v 1.18 2000/07/16 08:44:24 itojun Exp $ */
+/* $NetBSD: esp_core.c,v 1.1.1.1.2.2 2000/07/30 05:38:49 itojun Exp $ */
+/* $KAME: esp_core.c,v 1.20 2000/07/21 02:42:12 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -69,6 +69,8 @@
#include <net/net_osdep.h>
+static int esp_crypto_sanity __P((const struct esp_algorithm *,
+ struct secasvar *, int));
static int esp_null_mature __P((struct secasvar *));
static int esp_null_ivlen __P((struct secasvar *));
static int esp_null_decrypt __P((struct mbuf *, size_t,
@@ -81,28 +83,38 @@
struct secasvar *, const struct esp_algorithm *, int));
static int esp_descbc_encrypt __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
+static int esp_descbc_schedule __P((const struct esp_algorithm *,
+ struct secasvar *));
static int esp_cbc_mature __P((struct secasvar *));
static int esp_blowfish_cbc_decrypt __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
static int esp_blowfish_cbc_encrypt __P((struct mbuf *, size_t,
size_t, struct secasvar *, const struct esp_algorithm *, int));
+static int esp_blowfish_cbc_schedule __P((const struct esp_algorithm *,
+ struct secasvar *));
static int esp_blowfish_cbc_ivlen __P((struct secasvar *));
static int esp_cast128cbc_ivlen __P((struct secasvar *));
static int esp_cast128cbc_decrypt __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
static int esp_cast128cbc_encrypt __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
+static int esp_cast128cbc_schedule __P((const struct esp_algorithm *,
+ struct secasvar *));
static int esp_3descbc_ivlen __P((struct secasvar *));
static int esp_3descbc_decrypt __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
static int esp_3descbc_encrypt __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
+static int esp_3descbc_schedule __P((const struct esp_algorithm *,
+ struct secasvar *));
#ifdef SADB_X_EALG_RC5CBC
static int esp_rc5cbc_ivlen __P((struct secasvar *));
static int esp_rc5cbc_decrypt __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
static int esp_rc5cbc_encrypt __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
+static int esp_rc5cbc_schedule __P((const struct esp_algorithm *,
+ struct secasvar *));
#endif
static void esp_increment_iv __P((struct secasvar *));
static caddr_t mbuf_find_offset __P((struct mbuf *, size_t, size_t));
@@ -112,26 +124,31 @@
int idx;
{
static struct esp_algorithm esp_algorithms[] = {
- { 8, esp_descbc_mature, 64, 64, "des-cbc",
+ { 8, esp_descbc_mature, 64, 64, sizeof(des_key_schedule),
+ "des-cbc",
esp_descbc_ivlen, esp_descbc_decrypt,
- esp_descbc_encrypt, },
- { 8, esp_cbc_mature, 192, 192, "3des-cbc",
+ esp_descbc_encrypt, esp_descbc_schedule, },
+ { 8, esp_cbc_mature, 192, 192, sizeof(des_key_schedule) * 3,
+ "3des-cbc",
esp_3descbc_ivlen, esp_3descbc_decrypt,
- esp_3descbc_encrypt, },
- { 1, esp_null_mature, 0, 2048, "null",
- esp_null_ivlen, esp_null_decrypt, esp_null_encrypt, },
- { 8, esp_cbc_mature, 40, 448, "blowfish-cbc",
+ esp_3descbc_encrypt, esp_3descbc_schedule, },
+ { 1, esp_null_mature, 0, 2048, 0, "null",
+ esp_null_ivlen, esp_null_decrypt,
+ esp_null_encrypt, NULL, },
+ { 8, esp_cbc_mature, 40, 448, sizeof(BF_KEY), "blowfish-cbc",
esp_blowfish_cbc_ivlen, esp_blowfish_cbc_decrypt,
- esp_blowfish_cbc_encrypt, },
- { 8, esp_cbc_mature, 40, 128, "cast128-cbc",
+ esp_blowfish_cbc_encrypt, esp_blowfish_cbc_schedule, },
+ { 8, esp_cbc_mature, 40, 128, sizeof(u_int32_t) * 32,
+ "cast128-cbc",
esp_cast128cbc_ivlen, esp_cast128cbc_decrypt,
- esp_cast128cbc_encrypt, },
+ esp_cast128cbc_encrypt, esp_cast128cbc_schedule, },
#ifdef SADB_X_EALG_RC5CBC
- { 8, esp_cbc_mature, 40, 2040, "rc5-cbc",
+ { 8, esp_cbc_mature, 40, 2040, sizeof(RC5_WORD) * 34, "rc5-cbc",
esp_rc5cbc_ivlen, esp_rc5cbc_decrypt,
- esp_rc5cbc_encrypt, },
+ esp_rc5cbc_encrypt, esp_rc5cbc_schedule, },
#else
- { 8, NULL, 40, 2040, "rc5-cbc dummy", NULL, NULL, NULL, },
+ { 8, NULL, 40, 2040, 0, "rc5-cbc dummy",
+ NULL, NULL, NULL, NULL, },
#endif
};
@@ -155,6 +172,52 @@
}
}
+int
+esp_schedule(algo, sav)
+ const struct esp_algorithm *algo;
+ struct secasvar *sav;
+{
+
+ if (_KEYBITS(sav->key_enc) < algo->keymin ||
+ _KEYBITS(sav->key_enc) > algo->keymax) {
+ ipseclog((LOG_ERR,
+ "esp_schedule %s: unsupported key length %d: "
+ "needs %d to %d bits\n", algo->name, _KEYBITS(sav->key_enc),
+ algo->keymin, algo->keymax));
+ return EINVAL;
+ }
+
+ if (!algo->schedule || algo->schedlen == 0)
+ return 0;
+ if (!sav->sched || sav->schedlen != algo->schedlen)
+ panic("invalid sav->schedlen in esp_schedule");
+ return (*algo->schedule)(algo, sav);
+}
+
+/*
+ * default sanity check for algo->{de,en}crypt
+ */
+static int
+esp_crypto_sanity(algo, sav, ivlen)
+ const struct esp_algorithm *algo;
+ struct secasvar *sav;
+ int ivlen;
+{
+
+ if (sav->ivlen != ivlen) {
+ ipseclog((LOG_ERR, "esp_decrypt %s: bad ivlen %d/%d\n",
+ algo->name, ivlen, sav->ivlen));
+ return EINVAL;
+ }
+ if (!sav->sched || sav->schedlen != algo->schedlen) {
+ ipseclog((LOG_ERR,
+ "esp_decrypt %s: no intermediate key\n", algo->name));
+ return EINVAL;
+ }
+
+ return 0;
+}
+
/*
* mbuf assumption: foo_encrypt() assumes that IV part is placed in a single
* mbuf, not across multiple mbufs.
@@ -164,6 +227,7 @@
esp_null_mature(sav)
struct secasvar *sav;
{
+
/* anything is okay */
return 0;
}
@@ -172,6 +236,7 @@
esp_null_ivlen(sav)
struct secasvar *sav;
{
+
return 0;
}
@@ -183,6 +248,7 @@
const struct esp_algorithm *algo;
int ivlen;
{
+
return 0; /* do nothing */
}
@@ -195,6 +261,7 @@
const struct esp_algorithm *algo;
int ivlen;
{
+
return 0; /* do nothing */
}
@@ -222,8 +289,8 @@
return 1;
}
- if (_KEYBITS(sav->key_enc) < algo->keymin
- || algo->keymax < _KEYBITS(sav->key_enc)) {
+ if (_KEYBITS(sav->key_enc) < algo->keymin ||
+ _KEYBITS(sav->key_enc) > algo->keymax) {
ipseclog((LOG_ERR,
"esp_descbc_mature: invalid key length %d.\n",
_KEYBITS(sav->key_enc)));
@@ -244,13 +311,14 @@
esp_descbc_ivlen(sav)
struct secasvar *sav;
{
Home |
Main Index |
Thread Index |
Old Index