authorMarkus Friedl <markus@cvs.openbsd.org>2010-01-10 12:43:08 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2010-01-10 12:43:08 +0000
commite984d91179e6d0cd1106eb8a8f90cd3cdebf4ad2 (patch)
treebda04e5dbaef37b20c5c45e7c0dd7c34f727ff0d
parente86b036f8f31495d41041510999f7ece130f9cc9 (diff)
Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits. WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec-implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt
-rw-r--r--sys/arch/amd64/amd64/via.c16
-rw-r--r--sys/arch/i386/i386/via.c16
-rw-r--r--sys/arch/i386/pci/glxsb.c12
-rw-r--r--sys/crypto/cryptodev.h10
-rw-r--r--sys/crypto/cryptosoft.c32
-rw-r--r--sys/crypto/cryptosoft.h6
-rw-r--r--sys/crypto/xform.c28
-rw-r--r--sys/crypto/xform.h9
-rw-r--r--sys/dev/pci/safe.c10
-rw-r--r--sys/dev/pci/ubsec.c10
-rw-r--r--sys/netinet/ip_ah.c8
-rw-r--r--sys/netinet/ip_ah.h5
-rw-r--r--sys/netinet/ip_esp.c22
-rw-r--r--sys/netinet/ip_esp.h4
-rw-r--r--sys/netinet/ip_ipsp.c4
-rw-r--r--sys/netinet/ip_ipsp.h4
-rw-r--r--sys/netinet/ipsec_output.c4
17 files changed, 105 insertions, 95 deletions
diff --git a/sys/arch/amd64/amd64/via.c b/sys/arch/amd64/amd64/via.c
index 7bb25dc6a98..36e81f5b3ec 100644
--- a/sys/arch/amd64/amd64/via.c
+++ b/sys/arch/amd64/amd64/via.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: via.c,v 1.1 2009/05/31 03:20:10 matthieu Exp $ */
+/* $OpenBSD: via.c,v 1.2 2010/01/10 12:43:07 markus Exp $ */
/* $NetBSD: machdep.c,v 1.214 1996/11/10 03:16:17 thorpej Exp $ */
/*-
@@ -88,8 +88,8 @@ struct viac3_softc {
static struct viac3_softc *vc3_sc;
-extern const u_int8_t hmac_ipad_buffer[64];
-extern const u_int8_t hmac_opad_buffer[64];
+extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
+extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
void viac3_crypto_setup(void);
int viac3_crypto_newsession(u_int32_t *, struct cryptoini *);
@@ -219,13 +219,13 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
M_NOWAIT|M_ZERO);
@@ -255,7 +255,7 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_ictx);
axf->Update(swd->sw_ictx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= (HMAC_IPAD_VAL ^
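Review bot: The pad length `axf->blocksize - (c->cri_klen / 8)` is computed with no visible check that the key fits in one block, here and in the matching opad hunk that follows. If `c->cri_klen / 8` exceeds `axf->blocksize`, the difference goes negative and is then narrowed to the `u_int16_t` length that `Update` takes (see struct auth_hash in xform.h), so the hash would read well past the end of `hmac_ipad_buffer`. A guard before the first `Update`, for example `if (c->cri_klen / 8 > axf->blocksize)` followed by the function's existing error path, would close this; such a check may already exist outside the hunk or in the caller, which is not visible here. The same expression appears in the i386 via.c, glxsb.c and cryptosoft.c hunks, and with the fixed `HMAC_MD5_BLOCK_LEN`/`HMAC_SHA1_BLOCK_LEN` constants in safe.c and ubsec.c.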
@@ -264,7 +264,7 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_octx);
axf->Update(swd->sw_octx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= HMAC_OPAD_VAL;
diff --git a/sys/arch/i386/i386/via.c b/sys/arch/i386/i386/via.c
index df4d40547d5..16d3d5388c8 100644
--- a/sys/arch/i386/i386/via.c
+++ b/sys/arch/i386/i386/via.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: via.c,v 1.19 2008/06/09 07:07:15 djm Exp $ */
+/* $OpenBSD: via.c,v 1.20 2010/01/10 12:43:07 markus Exp $ */
/* $NetBSD: machdep.c,v 1.214 1996/11/10 03:16:17 thorpej Exp $ */
/*-
@@ -89,8 +89,8 @@ struct viac3_softc {
static struct viac3_softc *vc3_sc;
extern int i386_has_xcrypt;
-extern const u_int8_t hmac_ipad_buffer[64];
-extern const u_int8_t hmac_opad_buffer[64];
+extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
+extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
void viac3_crypto_setup(void);
int viac3_crypto_newsession(u_int32_t *, struct cryptoini *);
@@ -220,13 +220,13 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
M_NOWAIT|M_ZERO);
@@ -256,7 +256,7 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_ictx);
axf->Update(swd->sw_ictx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= (HMAC_IPAD_VAL ^
@@ -265,7 +265,7 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_octx);
axf->Update(swd->sw_octx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= HMAC_OPAD_VAL;
diff --git a/sys/arch/i386/pci/glxsb.c b/sys/arch/i386/pci/glxsb.c
index 4465fd73971..094483f1fbf 100644
--- a/sys/arch/i386/pci/glxsb.c
+++ b/sys/arch/i386/pci/glxsb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: glxsb.c,v 1.17 2009/10/30 18:18:09 deraadt Exp $ */
+/* $OpenBSD: glxsb.c,v 1.18 2010/01/10 12:43:07 markus Exp $ */
/*
* Copyright (c) 2006 Tom Cosgrove <tom@openbsd.org>
@@ -411,13 +411,13 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
M_NOWAIT|M_ZERO);
@@ -447,7 +447,7 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_ictx);
axf->Update(swd->sw_ictx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= (HMAC_IPAD_VAL ^
@@ -456,7 +456,7 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_octx);
axf->Update(swd->sw_octx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= HMAC_OPAD_VAL;
diff --git a/sys/crypto/cryptodev.h b/sys/crypto/cryptodev.h
index 1a736c985cc..c2418a04f03 100644
--- a/sys/crypto/cryptodev.h
+++ b/sys/crypto/cryptodev.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptodev.h,v 1.48 2009/09/03 07:47:27 dlg Exp $ */
+/* $OpenBSD: cryptodev.h,v 1.49 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -60,7 +60,13 @@
#define CRYPTO_SW_SESSIONS 32
/* HMAC values */
-#define HMAC_BLOCK_LEN 64
+#define HMAC_MD5_BLOCK_LEN 64
+#define HMAC_SHA1_BLOCK_LEN 64
+#define HMAC_RIPEMD160_BLOCK_LEN 64
+#define HMAC_SHA2_256_BLOCK_LEN 64
+#define HMAC_SHA2_384_BLOCK_LEN 128
+#define HMAC_SHA2_512_BLOCK_LEN 128
+#define HMAC_MAX_BLOCK_LEN HMAC_SHA2_512_BLOCK_LEN /* keep in sync */
#define HMAC_IPAD_VAL 0x36
#define HMAC_OPAD_VAL 0x5C
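Review bot: The `/* keep in sync */` comment on `HMAC_MAX_BLOCK_LEN` does not say what the constant has to be kept in sync with. From the rest of the commit it has two dependents: it must equal the largest of the per-hash block lengths defined just above it, and it sizes `hmac_ipad_buffer`/`hmac_opad_buffer` in cryptosoft.c. I would spell that out, e.g. `/* largest HMAC_*_BLOCK_LEN above; also the size of hmac_ipad_buffer and hmac_opad_buffer */`, so that whoever adds a hash with a larger block knows to touch both places.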
diff --git a/sys/crypto/cryptosoft.c b/sys/crypto/cryptosoft.c
index b8303d54a0f..e392747d7c5 100644
--- a/sys/crypto/cryptosoft.c
+++ b/sys/crypto/cryptosoft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptosoft.c,v 1.51 2008/06/09 16:07:00 djm Exp $ */
+/* $OpenBSD: cryptosoft.c,v 1.52 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -38,7 +38,15 @@
#include <crypto/cryptosoft.h>
#include <crypto/xform.h>
-const u_int8_t hmac_ipad_buffer[64] = {
+const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN] = {
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
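Review bot: The array is now declared with `HMAC_MAX_BLOCK_LEN` elements but is still filled by hand-counted rows of `0x36`, so the declared size and the number of initialisers can drift apart without any diagnostic. C zero-fills whatever the initialiser list does not cover, so raising the constant later without adding rows would silently yield a wrong inner pad, and therefore a wrong MAC, for any hash using the longer block. A comment above the definition such as `/* exactly HMAC_MAX_BLOCK_LEN bytes of HMAC_IPAD_VAL; add rows if the constant grows */` would make the dependency explicit. The same applies to `hmac_opad_buffer` in the next hunk; both initialisers continue outside their hunks.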
@@ -49,7 +57,15 @@ const u_int8_t hmac_ipad_buffer[64] = {
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
};
-const u_int8_t hmac_opad_buffer[64] = {
+const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN] = {
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
@@ -660,13 +676,13 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
(*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
M_NOWAIT);
@@ -689,7 +705,7 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf->Update((*swd)->sw_ictx, cri->cri_key,
cri->cri_klen / 8);
axf->Update((*swd)->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (cri->cri_klen / 8));
+ axf->blocksize - (cri->cri_klen / 8));
for (k = 0; k < cri->cri_klen / 8; k++)
cri->cri_key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
@@ -698,7 +714,7 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf->Update((*swd)->sw_octx, cri->cri_key,
cri->cri_klen / 8);
axf->Update((*swd)->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (cri->cri_klen / 8));
+ axf->blocksize - (cri->cri_klen / 8));
for (k = 0; k < cri->cri_klen / 8; k++)
cri->cri_key[k] ^= HMAC_OPAD_VAL;
diff --git a/sys/crypto/cryptosoft.h b/sys/crypto/cryptosoft.h
index b5764fc8830..d7133645a27 100644
--- a/sys/crypto/cryptosoft.h
+++ b/sys/crypto/cryptosoft.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptosoft.h,v 1.11 2007/09/10 22:19:42 henric Exp $ */
+/* $OpenBSD: cryptosoft.h,v 1.12 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -57,8 +57,8 @@ struct swcr_data {
};
#ifdef _KERNEL
-extern const u_int8_t hmac_ipad_buffer[64];
-extern const u_int8_t hmac_opad_buffer[64];
+extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
+extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
int swcr_authcompute(struct cryptop *, struct cryptodesc *, struct swcr_data *,
diff --git a/sys/crypto/xform.c b/sys/crypto/xform.c
index 900b993ee3e..dd5bb9aa054 100644
--- a/sys/crypto/xform.c
+++ b/sys/crypto/xform.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xform.c,v 1.36 2008/09/06 22:23:21 djm Exp $ */
+/* $OpenBSD: xform.c,v 1.37 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -228,70 +228,70 @@ struct enc_xform enc_xform_null = {
/* Authentication instances */
struct auth_hash auth_hash_hmac_md5_96 = {
CRYPTO_MD5_HMAC, "HMAC-MD5",
- 16, 16, 12, sizeof(MD5_CTX),
+ 16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN,
(void (*) (void *)) MD5Init, MD5Update_int,
(void (*) (u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_hmac_sha1_96 = {
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
- 20, 20, 12, sizeof(SHA1_CTX),
+ 20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN,
(void (*) (void *)) SHA1Init, SHA1Update_int,
(void (*) (u_int8_t *, void *)) SHA1Final
};
struct auth_hash auth_hash_hmac_ripemd_160_96 = {
CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
- 20, 20, 12, sizeof(RMD160_CTX),
+ 20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN,
(void (*)(void *)) RMD160Init, RMD160Update_int,
(void (*)(u_int8_t *, void *)) RMD160Final
};
-struct auth_hash auth_hash_hmac_sha2_256_96 = {
+struct auth_hash auth_hash_hmac_sha2_256_128 = {
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
- 32, 32, 12, sizeof(SHA2_CTX),
+ 32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN,
(void (*)(void *)) SHA256Init, SHA256Update_int,
(void (*)(u_int8_t *, void *)) SHA256Final
};
-struct auth_hash auth_hash_hmac_sha2_384_96 = {
+struct auth_hash auth_hash_hmac_sha2_384_192 = {
CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
- 48, 48, 12, sizeof(SHA2_CTX),
+ 48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN,
(void (*)(void *)) SHA384Init, SHA384Update_int,
(void (*)(u_int8_t *, void *)) SHA384Final
};
-struct auth_hash auth_hash_hmac_sha2_512_96 = {
+struct auth_hash auth_hash_hmac_sha2_512_256 = {
CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
- 64, 64, 12, sizeof(SHA2_CTX),
+ 64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN,
(void (*)(void *)) SHA512Init, SHA512Update_int,
(void (*)(u_int8_t *, void *)) SHA512Final
};
struct auth_hash auth_hash_key_md5 = {
CRYPTO_MD5_KPDK, "Keyed MD5",
- 0, 16, 16, sizeof(MD5_CTX),
+ 0, 16, 16, sizeof(MD5_CTX), 0,
(void (*)(void *)) MD5Init, MD5Update_int,
(void (*)(u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_key_sha1 = {
CRYPTO_SHA1_KPDK, "Keyed SHA1",
- 0, 20, 20, sizeof(SHA1_CTX),
+ 0, 20, 20, sizeof(SHA1_CTX), 0,
(void (*)(void *)) SHA1Init, SHA1Update_int,
(void (*)(u_int8_t *, void *)) SHA1Final
};
struct auth_hash auth_hash_md5 = {
CRYPTO_MD5, "MD5",
- 0, 16, 16, sizeof(MD5_CTX),
+ 0, 16, 16, sizeof(MD5_CTX), 0,
(void (*) (void *)) MD5Init, MD5Update_int,
(void (*) (u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_sha1 = {
CRYPTO_SHA1, "SHA1",
- 0, 20, 20, sizeof(SHA1_CTX),
+ 0, 20, 20, sizeof(SHA1_CTX), 0,
(void (*)(void *)) SHA1Init, SHA1Update_int,
(void (*)(u_int8_t *, void *)) SHA1Final
};
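Review bot: Every `struct auth_hash` initialiser in this hunk is positional, and the new block-size value is slotted between `sizeof(..._CTX)` and the `Init` pointer in a row of small integers. The neighbouring size fields are all `u_int16_t`, so a value placed one slot off still compiles and only shows up as a wrong MAC or a wrong length at run time. Designated initialisers (`.authsize = 16, .blocksize = HMAC_SHA2_256_BLOCK_LEN,`) would make each row self-describing; failing that, a one-line comment above the first entry naming the columns would help. The bare `0` given to the keyed and plain hashes also deserves a short comment such as `/* not an HMAC: no block size */`.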
diff --git a/sys/crypto/xform.h b/sys/crypto/xform.h
index aed3ec6678c..d7abcf4c36d 100644
--- a/sys/crypto/xform.h
+++ b/sys/crypto/xform.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: xform.h,v 1.19 2008/09/06 22:23:21 djm Exp $ */
+/* $OpenBSD: xform.h,v 1.20 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -37,6 +37,7 @@ struct auth_hash {
u_int16_t hashsize;
u_int16_t authsize;
u_int16_t ctxsize;
+ u_int16_t blocksize;
void (*Init) (void *);
int (*Update) (void *, const u_int8_t *, u_int16_t);
void (*Final) (u_int8_t *, void *);
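Review bot: The new `blocksize` member is added without a comment, although its unit and its meaning for non-HMAC transforms are not obvious from the name. In xform.c it is set to the `HMAC_*_BLOCK_LEN` byte counts for the HMAC entries and to 0 for the keyed and plain hashes, so I would document it as `u_int16_t blocksize; /* HMAC block length in bytes; 0 for non-HMAC hashes */`. The struct definition starts outside this hunk, so any existing per-field comment style should be matched.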
@@ -87,9 +88,9 @@ extern struct auth_hash auth_hash_key_sha1;
extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;
-extern struct auth_hash auth_hash_hmac_sha2_256_96;
-extern struct auth_hash auth_hash_hmac_sha2_384_96;
-extern struct auth_hash auth_hash_hmac_sha2_512_96;
+extern struct auth_hash auth_hash_hmac_sha2_256_128;
+extern struct auth_hash auth_hash_hmac_sha2_384_192;
+extern struct auth_hash auth_hash_hmac_sha2_512_256;
extern struct comp_algo comp_algo_deflate;
extern struct comp_algo comp_algo_lzs;
diff --git a/sys/dev/pci/safe.c b/sys/dev/pci/safe.c
index 62fff55053c..953f64cd52f 100644
--- a/sys/dev/pci/safe.c
+++ b/sys/dev/pci/safe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: safe.c,v 1.26 2009/09/13 14:42:52 krw Exp $ */
+/* $OpenBSD: safe.c,v 1.27 2010/01/10 12:43:07 markus Exp $ */
/*-
* Copyright (c) 2003 Sam Leffler, Errno Consulting
@@ -1382,7 +1382,7 @@ safe_newsession(u_int32_t *sidp, struct cryptoini *cri)
MD5Update(&md5ctx, macini->cri_key,
macini->cri_klen / 8);
MD5Update(&md5ctx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_MD5_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(md5ctx.state, ses->ses_hminner,
sizeof(md5ctx.state));
} else {
@@ -1390,7 +1390,7 @@ safe_newsession(u_int32_t *sidp, struct cryptoini *cri)
SHA1Update(&sha1ctx, macini->cri_key,
macini->cri_klen / 8);
SHA1Update(&sha1ctx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_SHA1_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(sha1ctx.state, ses->ses_hminner,
sizeof(sha1ctx.state));
}
@@ -1403,7 +1403,7 @@ safe_newsession(u_int32_t *sidp, struct cryptoini *cri)
MD5Update(&md5ctx, macini->cri_key,
macini->cri_klen / 8);
MD5Update(&md5ctx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_MD5_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(md5ctx.state, ses->ses_hmouter,
sizeof(md5ctx.state));
} else {
@@ -1411,7 +1411,7 @@ safe_newsession(u_int32_t *sidp, struct cryptoini *cri)
SHA1Update(&sha1ctx, macini->cri_key,
macini->cri_klen / 8);
SHA1Update(&sha1ctx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_SHA1_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(sha1ctx.state, ses->ses_hmouter,
sizeof(sha1ctx.state));
}
diff --git a/sys/dev/pci/ubsec.c b/sys/dev/pci/ubsec.c
index 08ab6c98db9..bd34bfc485a 100644
--- a/sys/dev/pci/ubsec.c
+++ b/sys/dev/pci/ubsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ubsec.c,v 1.144 2009/09/13 14:42:52 krw Exp $ */
+/* $OpenBSD: ubsec.c,v 1.145 2010/01/10 12:43:07 markus Exp $ */
/*
* Copyright (c) 2000 Jason L. Wright (jason@thought.net)
@@ -744,7 +744,7 @@ ubsec_newsession(u_int32_t *sidp, struct cryptoini *cri)
MD5Update(&md5ctx, macini->cri_key,
macini->cri_klen / 8);
MD5Update(&md5ctx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_MD5_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(md5ctx.state, ses->ses_hminner,
sizeof(md5ctx.state));
} else {
@@ -752,7 +752,7 @@ ubsec_newsession(u_int32_t *sidp, struct cryptoini *cri)
SHA1Update(&sha1ctx, macini->cri_key,
macini->cri_klen / 8);
SHA1Update(&sha1ctx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_SHA1_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(sha1ctx.state, ses->ses_hminner,
sizeof(sha1ctx.state));
}
@@ -765,7 +765,7 @@ ubsec_newsession(u_int32_t *sidp, struct cryptoini *cri)
MD5Update(&md5ctx, macini->cri_key,
macini->cri_klen / 8);
MD5Update(&md5ctx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_MD5_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(md5ctx.state, ses->ses_hmouter,
sizeof(md5ctx.state));
} else {
@@ -773,7 +773,7 @@ ubsec_newsession(u_int32_t *sidp, struct cryptoini *cri)
SHA1Update(&sha1ctx, macini->cri_key,
macini->cri_klen / 8);
SHA1Update(&sha1ctx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_SHA1_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(sha1ctx.state, ses->ses_hmouter,
sizeof(sha1ctx.state));
}
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 0ea057e42bf..3fc1ac425a7 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.92 2008/09/15 21:46:01 chl Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.93 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -116,15 +116,15 @@ ah_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
break;
case SADB_X_AALG_SHA2_256:
- thash = &auth_hash_hmac_sha2_256_96;
+ thash = &auth_hash_hmac_sha2_256_128;
break;
case SADB_X_AALG_SHA2_384:
- thash = &auth_hash_hmac_sha2_384_96;
+ thash = &auth_hash_hmac_sha2_384_192;
break;
case SADB_X_AALG_SHA2_512:
- thash = &auth_hash_hmac_sha2_512_96;
+ thash = &auth_hash_hmac_sha2_512_256;
break;
case SADB_X_AALG_MD5:
diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h
index 8d6fe54bcd7..c920cc19dc2 100644
--- a/sys/netinet/ip_ah.h
+++ b/sys/netinet/ip_ah.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.h,v 1.32 2007/12/14 18:33:40 deraadt Exp $ */
+/* $OpenBSD: ip_ah.h,v 1.33 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -72,9 +72,6 @@ struct ah
/* Length of base AH header */
#define AH_FLENGTH 8
-/* Size of the largest hash function output used in AH-new, in bytes */
-#define AH_MAX_HASHLEN 20
-
/*
* Names for AH sysctl objects
*/
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index c5d179518b7..b009a7742bb 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.105 2008/06/09 07:07:17 djm Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.106 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -183,15 +183,15 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
break;
case SADB_X_AALG_SHA2_256:
- thash = &auth_hash_hmac_sha2_256_96;
+ thash = &auth_hash_hmac_sha2_256_128;
break;
case SADB_X_AALG_SHA2_384:
- thash = &auth_hash_hmac_sha2_384_96;
+ thash = &auth_hash_hmac_sha2_384_192;
break;
case SADB_X_AALG_SHA2_512:
- thash = &auth_hash_hmac_sha2_512_96;
+ thash = &auth_hash_hmac_sha2_512_256;
break;
default:
@@ -304,11 +304,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
else
hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
- if (esph)
- alen = AH_HMAC_HASHLEN;
- else
- alen = 0;
-
+ alen = esph ? esph->authsize : 0;
plen = m->m_pkthdr.len - (skip + hlen + alen);
if (plen <= 0) {
DPRINTF(("esp_input: invalid payload length\n"));
@@ -490,7 +486,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
int
esp_input_cb(void *op)
{
- u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
+ u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN];
int s, hlen, roff, skip, protoff, error;
struct mbuf *m1, *mo, *m;
struct auth_hash *esph;
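Review bot: Nothing visible ties `AH_HMAC_MAX_HASHLEN`, which sizes the stack buffer `aalg`, to the largest `authsize` among the transforms in xform.c. The authenticator length now comes from `esph->authsize` rather than a fixed 12 bytes, so a future transform with an `authsize` above 32 would overrun `aalg` when the authenticator is copied out; that copy is outside this hunk, so this is inferred from the `alen` changes elsewhere in the file. A guard where the transform is selected in `esp_init`, for example `if (thash->authsize > AH_HMAC_MAX_HASHLEN) return EINVAL;` (error code to be matched to what the function already returns), would turn that mistake into a clean failure. The comment on the define in ip_ipsp.h could also state that it must be at least every `authsize`.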
@@ -770,11 +766,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
- if (esph)
- alen = AH_HMAC_HASHLEN;
- else
- alen = 0;
-
+ alen = esph ? esph->authsize : 0;
espstat.esps_output++;
switch (tdb->tdb_dst.sa.sa_family) {
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h
index 42a66386a44..97c18b50fe5 100644
--- a/sys/netinet/ip_esp.h
+++ b/sys/netinet/ip_esp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.h,v 1.41 2007/12/14 18:33:41 deraadt Exp $ */
+/* $OpenBSD: ip_esp.h,v 1.42 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -38,8 +38,6 @@
#ifndef _NETINET_IP_ESP_H_
#define _NETINET_IP_ESP_H_
-#define ESP_ALEN 12 /* 96-bit authenticator */
-
struct espstat
{
u_int32_t esps_hdrops; /* Packet shorter than header shows */
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 8edd1642bdb..f506ad50e36 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.178 2009/08/12 00:13:43 martynas Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.179 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -1230,7 +1230,7 @@ ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto)
/* Update the length of trailing ESP authenticators. */
if (tdb->tdb_authalgxform)
- trail += AH_HMAC_HASHLEN;
+ trail += tdb->tdb_authalgxform->authsize;
splx(s);
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 9b214c4ea5c..05a2d4d8d73 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.139 2009/11/13 20:54:05 claudio Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.140 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -61,7 +61,7 @@ union sockaddr_union {
#define SHA2_384HMAC96_KEYSIZE 48
#define SHA2_512HMAC96_KEYSIZE 64
-#define AH_HMAC_HASHLEN 12 /* 96 bits of authenticator */
+#define AH_HMAC_MAX_HASHLEN 32 /* 256 bits of authenticator for SHA512 */
#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */
#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */
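Review bot: The key-size macros just above the changed define, `SHA2_384HMAC96_KEYSIZE` and `SHA2_512HMAC96_KEYSIZE`, still carry `HMAC96` in their names although this commit ends 96-bit truncation for the SHA-2 HMACs. The key sizes themselves are unaffected, so this is naming only, but the stale suffix will mislead readers about the authenticator length in use. Renaming them touches users outside this hunk; a short comment such as `/* names are historical; truncation is now nnn/2 bits */` would be the smaller fix.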
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 24f7654e105..232f3e4d438 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.41 2008/08/26 12:19:01 henning Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.42 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -551,7 +551,7 @@ ipsec_hdrsz(struct tdb *tdbp)
adjust += sizeof(struct udphdr);
/* Authenticator */
if (tdbp->tdb_authalgxform != NULL)
- adjust += AH_HMAC_HASHLEN;
+ adjust += tdbp->tdb_authalgxform->authsize;
/* Padding */
adjust += tdbp->tdb_encalgxform->blocksize;
break;