1/* $FreeBSD: head/sys/netipsec/xform_ah.c 195699 2009-07-14 22:48:30Z rwatson $ */ |
2/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ 3/*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. --- 34 unchanged lines hidden (view full) --- 44#include <sys/mbuf.h> 45#include <sys/socket.h> 46#include <sys/syslog.h> 47#include <sys/kernel.h> 48#include <sys/sysctl.h> 49#include <sys/vimage.h> 50 51#include <net/if.h> |
52#include <net/vnet.h> |
53 54#include <netinet/in.h> 55#include <netinet/in_systm.h> 56#include <netinet/ip.h> 57#include <netinet/ip_ecn.h> 58#include <netinet/ip6.h> 59 60#include <net/route.h> --- 8 unchanged lines hidden (view full) --- 69#include <netinet6/ip6_ecn.h> 70#endif 71 72#include <netipsec/key.h> 73#include <netipsec/key_debug.h> 74 75#include <opencrypto/cryptodev.h> 76 |
77/* 78 * Return header size in bytes. The old protocol did not support 79 * the replay counter; the new protocol always includes the counter. 80 */ 81#define HDRSIZE(sav) \ 82 (((sav)->flags & SADB_X_EXT_OLD) ? \ 83 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t)) 84/* 85 * Return authenticator size in bytes. The old protocol is known 86 * to use a fixed 16-byte authenticator. The new algorithm use 12-byte 87 * authenticator. 88 */ 89#define AUTHSIZE(sav) \ 90 ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN) 91 |
92VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */ 93VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */ 94VNET_DEFINE(struct ahstat, ahstat); |
95 96SYSCTL_DECL(_net_inet_ah); |
97SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, 98 ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); 99SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, 100 ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); 101SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS, 102 stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, ""); |
103 104static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ 105 106static int ah_input_cb(struct cryptop*); 107static int ah_output_cb(struct cryptop*); 108 109/* 110 * NB: this is public for use by the PF_KEY support. --- 45 unchanged lines hidden (view full) --- 156} 157 158/* 159 * NB: public for use by esp_init. 160 */ 161int 162ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) 163{ |
164 struct auth_hash *thash; 165 int keylen; 166 167 thash = ah_algorithm_lookup(sav->alg_auth); 168 if (thash == NULL) { 169 DPRINTF(("%s: unsupported authentication algorithm %u\n", 170 __func__, sav->alg_auth)); 171 return EINVAL; --- 38 unchanged lines hidden (view full) --- 210} 211 212/* 213 * ah_init() is called when an SPI is being set up. 214 */ 215static int 216ah_init(struct secasvar *sav, struct xformsw *xsp) 217{ |
218 struct cryptoini cria; 219 int error; 220 221 error = ah_init0(sav, xsp, &cria); 222 return error ? error : 223 crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support); 224} 225 --- 18 unchanged lines hidden (view full) --- 244} 245 246/* 247 * Massage IPv4/IPv6 headers for AH processing. 248 */ 249static int 250ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) 251{ |
252 struct mbuf *m = *m0; 253 unsigned char *ptr; 254 int off, count; 255 256#ifdef INET 257 struct ip *ip; 258#endif /* INET */ 259 --- 288 unchanged lines hidden (view full) --- 548 549/* 550 * ah_input() gets called to verify that an input packet 551 * passes authentication. 552 */ 553static int 554ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 555{ |
556 struct auth_hash *ahx; 557 struct tdb_ident *tdbi; 558 struct tdb_crypto *tc; 559 struct m_tag *mtag; 560 struct newah *ah; 561 int hl, rplen, authsize; 562 563 struct cryptodesc *crda; --- 153 unchanged lines hidden (view full) --- 717#endif 718 719/* 720 * AH input callback from the crypto driver. 721 */ 722static int 723ah_input_cb(struct cryptop *crp) 724{ |
725 int rplen, error, skip, protoff; 726 unsigned char calc[AH_ALEN_MAX]; 727 struct mbuf *m; 728 struct cryptodesc *crd; 729 struct auth_hash *ahx; 730 struct tdb_crypto *tc; 731 struct m_tag *mtag; 732 struct secasvar *sav; --- 146 unchanged lines hidden (view full) --- 879static int 880ah_output( 881 struct mbuf *m, 882 struct ipsecrequest *isr, 883 struct mbuf **mp, 884 int skip, 885 int protoff) 886{ |
887 struct secasvar *sav; 888 struct auth_hash *ahx; 889 struct cryptodesc *crda; 890 struct tdb_crypto *tc; 891 struct mbuf *mi; 892 struct cryptop *crp; 893 u_int16_t iplen; 894 int error, rplen, authsize, maxpacketsize, roff; --- 210 unchanged lines hidden (view full) --- 1105} 1106 1107/* 1108 * AH output callback from the crypto driver. 1109 */ 1110static int 1111ah_output_cb(struct cryptop *crp) 1112{ |
1113 int skip, protoff, error; 1114 struct tdb_crypto *tc; 1115 struct ipsecrequest *isr; 1116 struct secasvar *sav; 1117 struct mbuf *m; 1118 caddr_t ptr; 1119 int err; 1120 --- 87 unchanged lines hidden (view full) --- 1208 ah_init, ah_zeroize, ah_input, ah_output, 1209}; 1210 1211static void 1212ah_attach(void) 1213{ 1214 1215 xform_register(&ah_xformsw); |
1216} 1217 |
1218SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); |