xform_ah.c (190909) | xform_ah.c (195699) |
1/* $FreeBSD: head/sys/netipsec/xform_ah.c 190909 2009-04-11 05:58:58Z zec $ */ | 1/* $FreeBSD: head/sys/netipsec/xform_ah.c 195699 2009-07-14 22:48:30Z rwatson $ */ |
2/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ 3/*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. --- 34 unchanged lines hidden (view full) --- 44#include <sys/mbuf.h> 45#include <sys/socket.h> 46#include <sys/syslog.h> 47#include <sys/kernel.h> 48#include <sys/sysctl.h> 49#include <sys/vimage.h> 50 51#include <net/if.h> | 2/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ 3/*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. --- 34 unchanged lines hidden (view full) --- 44#include <sys/mbuf.h> 45#include <sys/socket.h> 46#include <sys/syslog.h> 47#include <sys/kernel.h> 48#include <sys/sysctl.h> 49#include <sys/vimage.h> 50 51#include <net/if.h> |
52#include <net/vnet.h> |
|
52 53#include <netinet/in.h> 54#include <netinet/in_systm.h> 55#include <netinet/ip.h> 56#include <netinet/ip_ecn.h> 57#include <netinet/ip6.h> 58 59#include <net/route.h> --- 8 unchanged lines hidden (view full) --- 68#include <netinet6/ip6_ecn.h> 69#endif 70 71#include <netipsec/key.h> 72#include <netipsec/key_debug.h> 73 74#include <opencrypto/cryptodev.h> 75 | 53 54#include <netinet/in.h> 55#include <netinet/in_systm.h> 56#include <netinet/ip.h> 57#include <netinet/ip_ecn.h> 58#include <netinet/ip6.h> 59 60#include <net/route.h> --- 8 unchanged lines hidden (view full) --- 69#include <netinet6/ip6_ecn.h> 70#endif 71 72#include <netipsec/key.h> 73#include <netipsec/key_debug.h> 74 75#include <opencrypto/cryptodev.h> 76 |
76static int ah_iattach(const void *); 77 78#ifndef VIMAGE_GLOBALS 79static const vnet_modinfo_t vnet_ah_modinfo = { 80 .vmi_id = VNET_MOD_AH, 81 .vmi_name = "ipsec_ah", 82 .vmi_dependson = VNET_MOD_IPSEC, 83 .vmi_iattach = ah_iattach 84}; 85#endif /* !VIMAGE_GLOBALS */ 86 | |
87/* 88 * Return header size in bytes. The old protocol did not support 89 * the replay counter; the new protocol always includes the counter. 90 */ 91#define HDRSIZE(sav) \ 92 (((sav)->flags & SADB_X_EXT_OLD) ? \ 93 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t)) 94/* 95 * Return authenticator size in bytes. The old protocol is known 96 * to use a fixed 16-byte authenticator. The new algorithm use 12-byte 97 * authenticator. 98 */ 99#define AUTHSIZE(sav) \ 100 ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN) 101 | 77/* 78 * Return header size in bytes. The old protocol did not support 79 * the replay counter; the new protocol always includes the counter. 80 */ 81#define HDRSIZE(sav) \ 82 (((sav)->flags & SADB_X_EXT_OLD) ? \ 83 sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t)) 84/* 85 * Return authenticator size in bytes. The old protocol is known 86 * to use a fixed 16-byte authenticator. The new algorithm use 12-byte 87 * authenticator. 88 */ 89#define AUTHSIZE(sav) \ 90 ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN) 91 |
102#ifdef VIMAGE_GLOBALS 103int ah_enable; 104int ah_cleartos; 105struct ahstat ahstat; 106#endif | 92VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */ 93VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */ 94VNET_DEFINE(struct ahstat, ahstat); |
107 108SYSCTL_DECL(_net_inet_ah); | 95 96SYSCTL_DECL(_net_inet_ah); |
109SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO, 110 ah_enable, CTLFLAG_RW, ah_enable, 0, ""); 111SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO, 112 ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, ""); 113SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS, 114 stats, CTLFLAG_RD, ahstat, ahstat, ""); | 97SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, 98 ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); 99SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, 100 ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); 101SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS, 102 stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, ""); |
115 116static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ 117 118static int ah_input_cb(struct cryptop*); 119static int ah_output_cb(struct cryptop*); 120 121/* 122 * NB: this is public for use by the PF_KEY support. --- 45 unchanged lines hidden (view full) --- 168} 169 170/* 171 * NB: public for use by esp_init. 172 */ 173int 174ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) 175{ | 103 104static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ 105 106static int ah_input_cb(struct cryptop*); 107static int ah_output_cb(struct cryptop*); 108 109/* 110 * NB: this is public for use by the PF_KEY support. --- 45 unchanged lines hidden (view full) --- 156} 157 158/* 159 * NB: public for use by esp_init. 160 */ 161int 162ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) 163{ |
176 INIT_VNET_IPSEC(curvnet); | |
177 struct auth_hash *thash; 178 int keylen; 179 180 thash = ah_algorithm_lookup(sav->alg_auth); 181 if (thash == NULL) { 182 DPRINTF(("%s: unsupported authentication algorithm %u\n", 183 __func__, sav->alg_auth)); 184 return EINVAL; --- 38 unchanged lines hidden (view full) --- 223} 224 225/* 226 * ah_init() is called when an SPI is being set up. 227 */ 228static int 229ah_init(struct secasvar *sav, struct xformsw *xsp) 230{ | 164 struct auth_hash *thash; 165 int keylen; 166 167 thash = ah_algorithm_lookup(sav->alg_auth); 168 if (thash == NULL) { 169 DPRINTF(("%s: unsupported authentication algorithm %u\n", 170 __func__, sav->alg_auth)); 171 return EINVAL; --- 38 unchanged lines hidden (view full) --- 210} 211 212/* 213 * ah_init() is called when an SPI is being set up. 214 */ 215static int 216ah_init(struct secasvar *sav, struct xformsw *xsp) 217{ |
231 INIT_VNET_IPSEC(curvnet); | |
232 struct cryptoini cria; 233 int error; 234 235 error = ah_init0(sav, xsp, &cria); 236 return error ? error : 237 crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support); 238} 239 --- 18 unchanged lines hidden (view full) --- 258} 259 260/* 261 * Massage IPv4/IPv6 headers for AH processing. 262 */ 263static int 264ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) 265{ | 218 struct cryptoini cria; 219 int error; 220 221 error = ah_init0(sav, xsp, &cria); 222 return error ? error : 223 crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support); 224} 225 --- 18 unchanged lines hidden (view full) --- 244} 245 246/* 247 * Massage IPv4/IPv6 headers for AH processing. 248 */ 249static int 250ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out) 251{ |
266 INIT_VNET_IPSEC(curvnet); | |
267 struct mbuf *m = *m0; 268 unsigned char *ptr; 269 int off, count; 270 271#ifdef INET 272 struct ip *ip; 273#endif /* INET */ 274 --- 288 unchanged lines hidden (view full) --- 563 564/* 565 * ah_input() gets called to verify that an input packet 566 * passes authentication. 567 */ 568static int 569ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 570{ | 252 struct mbuf *m = *m0; 253 unsigned char *ptr; 254 int off, count; 255 256#ifdef INET 257 struct ip *ip; 258#endif /* INET */ 259 --- 288 unchanged lines hidden (view full) --- 548 549/* 550 * ah_input() gets called to verify that an input packet 551 * passes authentication. 552 */ 553static int 554ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) 555{ |
571 INIT_VNET_IPSEC(curvnet); | |
572 struct auth_hash *ahx; 573 struct tdb_ident *tdbi; 574 struct tdb_crypto *tc; 575 struct m_tag *mtag; 576 struct newah *ah; 577 int hl, rplen, authsize; 578 579 struct cryptodesc *crda; --- 153 unchanged lines hidden (view full) --- 733#endif 734 735/* 736 * AH input callback from the crypto driver. 737 */ 738static int 739ah_input_cb(struct cryptop *crp) 740{ | 556 struct auth_hash *ahx; 557 struct tdb_ident *tdbi; 558 struct tdb_crypto *tc; 559 struct m_tag *mtag; 560 struct newah *ah; 561 int hl, rplen, authsize; 562 563 struct cryptodesc *crda; --- 153 unchanged lines hidden (view full) --- 717#endif 718 719/* 720 * AH input callback from the crypto driver. 721 */ 722static int 723ah_input_cb(struct cryptop *crp) 724{ |
741 INIT_VNET_IPSEC(curvnet); | |
742 int rplen, error, skip, protoff; 743 unsigned char calc[AH_ALEN_MAX]; 744 struct mbuf *m; 745 struct cryptodesc *crd; 746 struct auth_hash *ahx; 747 struct tdb_crypto *tc; 748 struct m_tag *mtag; 749 struct secasvar *sav; --- 146 unchanged lines hidden (view full) --- 896static int 897ah_output( 898 struct mbuf *m, 899 struct ipsecrequest *isr, 900 struct mbuf **mp, 901 int skip, 902 int protoff) 903{ | 725 int rplen, error, skip, protoff; 726 unsigned char calc[AH_ALEN_MAX]; 727 struct mbuf *m; 728 struct cryptodesc *crd; 729 struct auth_hash *ahx; 730 struct tdb_crypto *tc; 731 struct m_tag *mtag; 732 struct secasvar *sav; --- 146 unchanged lines hidden (view full) --- 879static int 880ah_output( 881 struct mbuf *m, 882 struct ipsecrequest *isr, 883 struct mbuf **mp, 884 int skip, 885 int protoff) 886{ |
904 INIT_VNET_IPSEC(curvnet); | |
905 struct secasvar *sav; 906 struct auth_hash *ahx; 907 struct cryptodesc *crda; 908 struct tdb_crypto *tc; 909 struct mbuf *mi; 910 struct cryptop *crp; 911 u_int16_t iplen; 912 int error, rplen, authsize, maxpacketsize, roff; --- 210 unchanged lines hidden (view full) --- 1123} 1124 1125/* 1126 * AH output callback from the crypto driver. 1127 */ 1128static int 1129ah_output_cb(struct cryptop *crp) 1130{ | 887 struct secasvar *sav; 888 struct auth_hash *ahx; 889 struct cryptodesc *crda; 890 struct tdb_crypto *tc; 891 struct mbuf *mi; 892 struct cryptop *crp; 893 u_int16_t iplen; 894 int error, rplen, authsize, maxpacketsize, roff; --- 210 unchanged lines hidden (view full) --- 1105} 1106 1107/* 1108 * AH output callback from the crypto driver. 1109 */ 1110static int 1111ah_output_cb(struct cryptop *crp) 1112{ |
1131 INIT_VNET_IPSEC(curvnet); | |
1132 int skip, protoff, error; 1133 struct tdb_crypto *tc; 1134 struct ipsecrequest *isr; 1135 struct secasvar *sav; 1136 struct mbuf *m; 1137 caddr_t ptr; 1138 int err; 1139 --- 87 unchanged lines hidden (view full) --- 1227 ah_init, ah_zeroize, ah_input, ah_output, 1228}; 1229 1230static void 1231ah_attach(void) 1232{ 1233 1234 xform_register(&ah_xformsw); | 1113 int skip, protoff, error; 1114 struct tdb_crypto *tc; 1115 struct ipsecrequest *isr; 1116 struct secasvar *sav; 1117 struct mbuf *m; 1118 caddr_t ptr; 1119 int err; 1120 --- 87 unchanged lines hidden (view full) --- 1208 ah_init, ah_zeroize, ah_input, ah_output, 1209}; 1210 1211static void 1212ah_attach(void) 1213{ 1214 1215 xform_register(&ah_xformsw); |
1235#ifndef VIMAGE_GLOBALS 1236 vnet_mod_register(&vnet_ah_modinfo); 1237#else 1238 ah_iattach(NULL); 1239#endif | |
1240} 1241 | 1216} 1217 |
1242static int 1243ah_iattach(const void *unused __unused) 1244{ 1245 INIT_VNET_IPSEC(curvnet); 1246 1247 V_ah_enable = 1; /* control flow of packets with AH */ 1248 V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */ 1249 1250 return (0); 1251} | |
1252SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); | 1218SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); |
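Review bot: The converted SYSCTL_VNET_INT and SYSCTL_VNET_STRUCT entries for ah_enable, ah_cleartos and stats still pass `""` as the description, while the only statement of what these knobs mean now lives in the trailing comments on the VNET_DEFINE lines. Since ah_iattach, which carried the same comments, is deleted by this commit, this is the natural moment to put that text where `sysctl -d` shows it: `ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "Enable AH processing of packets");` and `ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "Clear ip_tos while computing the AH authenticator");`. A one-line comment above the VNET_DEFINE block, such as `/* Per-vnet defaults; previously set in ah_iattach(). */`, would also tell the next reader why the `= 1` initializers appear here rather than in an attach routine.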