authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-03-17 10:25:24 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-03-17 10:25:24 +0000
commit8e443bb412cd99bc42a06075e051d052fd4a22b3 (patch)
tree247821026b0dff878f188e40d6daa0ea0597e0f3 /sys/net
parentfa4f02f39ae2b2603192374afd1fef211e15b3e3 (diff)
Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal.
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/if_enc.c29
-rw-r--r--sys/net/pfkeyv2.c101
2 files changed, 99 insertions, 31 deletions
diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c
index c944154cb5b..60a6d83145e 100644
--- a/sys/net/if_enc.c
+++ b/sys/net/if_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_enc.c,v 1.20 2000/02/07 06:09:08 itojun Exp $ */
+/* $OpenBSD: if_enc.c,v 1.21 2000/03/17 10:25:21 angelos Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -263,32 +263,7 @@ struct ifnet *ifp;
protoflag = tdb->tdb_dst.sa.sa_family;
/* IPsec packet processing -- skip encapsulation */
- err = ipsp_process_packet(m, &mp, tdb, &protoflag, 1);
- if ((mp == NULL) || err)
- {
- IF_DROP(&ifp->if_snd);
- if (mp)
- m_freem(mp);
- continue;
- }
- else
- {
- m = mp;
- mp = NULL;
- }
-
-#ifdef INET
- /* Send the packet on its way, no point checking for errors here */
- if (protoflag == AF_INET)
- ip_output(m, NULL, NULL, IP_ENCAPSULATED | IP_RAWOUTPUT, NULL, NULL);
-#endif /* INET */
-
-#ifdef INET6
- /* Send the packet on its way, no point checking for errors here */
- if (protoflag == AF_INET6)
- ip6_output(m, NULL, NULL, IP_ENCAPSULATED | IP_RAWOUTPUT,
- NULL, NULL);
-#endif /* INET6 */
+ ipsp_process_packet(m, tdb, protoflag, 1);
/* XXX Should find a way to avoid bridging-loops, some mbuf flag ? */
}
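Review bot: The call added at `ipsp_process_packet(m, tdb, protoflag, 1);` discards any result, so the `IF_DROP(&ifp->if_snd)` accounting done by the removed error branch is gone and a packet that fails IPsec processing now disappears without touching the interface counters. If the new function still returns an error code (its prototype is not in this hunk), keep the counter with `if (ipsp_process_packet(m, tdb, protoflag, 1)) IF_DROP(&ifp->if_snd);`. Because processing can now complete asynchronously in a callback, a comment here stating who owns and frees `m` after the call, on success and on failure, would make the mbuf lifetime reviewable. The enclosing function starts outside the hunk.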
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index 844d2493350..4e8a6018b26 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -31,6 +31,9 @@ you didn't get a copy, you may request one from <license@inner.net>.
#include <netinet/ip_ipsp.h>
#include <netinet/ip_ah.h>
#include <netinet/ip_esp.h>
+#include <crypto/blf.h>
+#include <crypto/crypto.h>
+#include <crypto/xform.h>
#define PFKEYV2_PROTOCOL 2
#define GETSPI_TRIES 10
@@ -208,10 +211,56 @@ export_sa(void **p, struct tdb *tdb)
sadb_sa->sadb_sa_state = SADB_SASTATE_LARVAL;
if (tdb->tdb_authalgxform)
- sadb_sa->sadb_sa_auth = tdb->tdb_authalgxform->type;
+ {
+ switch (tdb->tdb_authalgxform->type)
+ {
+ case CRYPTO_MD5_HMAC96:
+ sadb_sa->sadb_sa_auth = SADB_AALG_MD5HMAC96;
+ break;
+
+ case CRYPTO_SHA1_HMAC96:
+ sadb_sa->sadb_sa_auth = SADB_AALG_SHA1HMAC96;
+ break;
+
+ case CRYPTO_RIPEMD160_HMAC96:
+ sadb_sa->sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC96;
+ break;
+
+ case CRYPTO_MD5_KPDK:
+ sadb_sa->sadb_sa_auth = SADB_X_AALG_MD5;
+ break;
+
+ case CRYPTO_SHA1_KPDK:
+ sadb_sa->sadb_sa_auth = SADB_X_AALG_SHA1;
+ break;
+ }
+ }
if (tdb->tdb_encalgxform)
- sadb_sa->sadb_sa_encrypt = tdb->tdb_encalgxform->type;
+ {
+ switch (tdb->tdb_encalgxform->type)
+ {
+ case CRYPTO_DES_CBC:
+ sadb_sa->sadb_sa_encrypt = SADB_EALG_DESCBC;
+ break;
+
+ case CRYPTO_3DES_CBC:
+ sadb_sa->sadb_sa_encrypt = SADB_EALG_3DESCBC;
+ break;
+
+ case CRYPTO_CAST_CBC:
+ sadb_sa->sadb_sa_encrypt = SADB_X_EALG_BLF;
+ break;
+
+ case CRYPTO_BLF_CBC:
+ sadb_sa->sadb_sa_encrypt = SADB_X_EALG_CAST;
+ break;
+
+ case CRYPTO_SKIPJACK_CBC:
+ sadb_sa->sadb_sa_encrypt = SADB_X_EALG_SKIPJACK;
+ break;
+ }
+ }
if (tdb->tdb_flags & TDBF_PFS)
sadb_sa->sadb_sa_flags |= SADB_SAFLAGS_PFS;
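Review bot: The CAST and Blowfish cases in the encryption switch are crossed: `case CRYPTO_CAST_CBC:` assigns `SADB_X_EALG_BLF` and `case CRYPTO_BLF_CBC:` assigns `SADB_X_EALG_CAST`, so an SA using one cipher is reported over PF_KEY as the other. The assignments should read `sadb_sa->sadb_sa_encrypt = SADB_X_EALG_CAST;` under `CRYPTO_CAST_CBC` and `sadb_sa->sadb_sa_encrypt = SADB_X_EALG_BLF;` under `CRYPTO_BLF_CBC`. The same crossed pair appears in the encryption switch added to pfkeyv2_acquire() in the last hunk of this file, where it sets `sadb_comb->sadb_comb_encrypt`, so the algorithm offered to the key management daemon would presumably not match the one the SA's transform uses. The four near-identical switches could share one small mapping helper, which would make such a mismatch a single-place fix. export_sa() continues outside the hunk.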
@@ -2042,7 +2091,29 @@ pfkeyv2_acquire(struct tdb *tdb, int rekey)
if (tdb->tdb_authalgxform)
{
- sadb_comb->sadb_comb_auth = tdb->tdb_authalgxform->type;
+ switch (tdb->tdb_authalgxform->type)
+ {
+ case CRYPTO_MD5_HMAC96:
+ sadb_comb->sadb_comb_auth = SADB_AALG_MD5HMAC96;
+ break;
+
+ case CRYPTO_SHA1_HMAC96:
+ sadb_comb->sadb_comb_auth = SADB_AALG_SHA1HMAC96;
+ break;
+
+ case CRYPTO_RIPEMD160_HMAC96:
+ sadb_comb->sadb_comb_auth = SADB_X_AALG_RIPEMD160HMAC96;
+ break;
+
+ case CRYPTO_MD5_KPDK:
+ sadb_comb->sadb_comb_auth = SADB_X_AALG_MD5;
+ break;
+
+ case CRYPTO_SHA1_KPDK:
+ sadb_comb->sadb_comb_auth = SADB_X_AALG_SHA1;
+ break;
+ }
+
sadb_comb->sadb_comb_auth_minbits =
tdb->tdb_authalgxform->keysize * 8;
sadb_comb->sadb_comb_auth_maxbits =
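Review bot: The auth switch has no `default:`, so a `tdb_authalgxform->type` outside the five listed cases leaves `sadb_comb->sadb_comb_auth` at whatever value it held before (its initialisation is outside the hunk), while the lines right after the switch still fill in `sadb_comb_auth_minbits` and `sadb_comb_auth_maxbits`. The previous code copied the type directly and so always wrote something; now an unmapped transform yields a proposal with key sizes but possibly no algorithm identifier. Add an explicit `default:` that either fails the acquire or sets `SADB_AALG_NONE`, with a comment saying which and why. The encryption switch in the next hunk and both switches in export_sa() have the same gap. pfkeyv2_acquire() starts and ends outside the hunk.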
@@ -2057,7 +2128,29 @@ pfkeyv2_acquire(struct tdb *tdb, int rekey)
if (tdb->tdb_encalgxform)
{
- sadb_comb->sadb_comb_encrypt = tdb->tdb_encalgxform->type;
+ switch (tdb->tdb_encalgxform->type)
+ {
+ case CRYPTO_DES_CBC:
+ sadb_comb->sadb_comb_encrypt = SADB_EALG_DESCBC;
+ break;
+
+ case CRYPTO_3DES_CBC:
+ sadb_comb->sadb_comb_encrypt = SADB_EALG_3DESCBC;
+ break;
+
+ case CRYPTO_CAST_CBC:
+ sadb_comb->sadb_comb_encrypt = SADB_X_EALG_BLF;
+ break;
+
+ case CRYPTO_BLF_CBC:
+ sadb_comb->sadb_comb_encrypt = SADB_X_EALG_CAST;
+ break;
+
+ case CRYPTO_SKIPJACK_CBC:
+ sadb_comb->sadb_comb_encrypt = SADB_X_EALG_SKIPJACK;
+ break;
+ }
+
sadb_comb->sadb_comb_encrypt_minbits =
tdb->tdb_encalgxform->minkey * 8;
sadb_comb->sadb_comb_encrypt_maxbits =