summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--sys/arch/amd64/amd64/via.c16
-rw-r--r--sys/arch/i386/i386/via.c16
-rw-r--r--sys/arch/i386/pci/glxsb.c12
-rw-r--r--sys/crypto/cryptodev.h10
-rw-r--r--sys/crypto/cryptosoft.c32
-rw-r--r--sys/crypto/cryptosoft.h6
-rw-r--r--sys/crypto/xform.c28
-rw-r--r--sys/crypto/xform.h9
-rw-r--r--sys/dev/pci/safe.c10
-rw-r--r--sys/dev/pci/ubsec.c10
-rw-r--r--sys/netinet/ip_ah.c8
-rw-r--r--sys/netinet/ip_ah.h5
-rw-r--r--sys/netinet/ip_esp.c22
-rw-r--r--sys/netinet/ip_esp.h4
-rw-r--r--sys/netinet/ip_ipsp.c4
-rw-r--r--sys/netinet/ip_ipsp.h4
-rw-r--r--sys/netinet/ipsec_output.c4
17 files changed, 105 insertions, 95 deletions
diff --git a/sys/arch/amd64/amd64/via.c b/sys/arch/amd64/amd64/via.c
index 7bb25dc6a98..36e81f5b3ec 100644
--- a/sys/arch/amd64/amd64/via.c
+++ b/sys/arch/amd64/amd64/via.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: via.c,v 1.1 2009/05/31 03:20:10 matthieu Exp $ */
+/* $OpenBSD: via.c,v 1.2 2010/01/10 12:43:07 markus Exp $ */
/* $NetBSD: machdep.c,v 1.214 1996/11/10 03:16:17 thorpej Exp $ */
/*-
@@ -88,8 +88,8 @@ struct viac3_softc {
static struct viac3_softc *vc3_sc;
-extern const u_int8_t hmac_ipad_buffer[64];
-extern const u_int8_t hmac_opad_buffer[64];
+extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
+extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
void viac3_crypto_setup(void);
int viac3_crypto_newsession(u_int32_t *, struct cryptoini *);
@@ -219,13 +219,13 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
M_NOWAIT|M_ZERO);
@@ -255,7 +255,7 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_ictx);
axf->Update(swd->sw_ictx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= (HMAC_IPAD_VAL ^
@@ -264,7 +264,7 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_octx);
axf->Update(swd->sw_octx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= HMAC_OPAD_VAL;
diff --git a/sys/arch/i386/i386/via.c b/sys/arch/i386/i386/via.c
index df4d40547d5..16d3d5388c8 100644
--- a/sys/arch/i386/i386/via.c
+++ b/sys/arch/i386/i386/via.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: via.c,v 1.19 2008/06/09 07:07:15 djm Exp $ */
+/* $OpenBSD: via.c,v 1.20 2010/01/10 12:43:07 markus Exp $ */
/* $NetBSD: machdep.c,v 1.214 1996/11/10 03:16:17 thorpej Exp $ */
/*-
@@ -89,8 +89,8 @@ struct viac3_softc {
static struct viac3_softc *vc3_sc;
extern int i386_has_xcrypt;
-extern const u_int8_t hmac_ipad_buffer[64];
-extern const u_int8_t hmac_opad_buffer[64];
+extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
+extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
void viac3_crypto_setup(void);
int viac3_crypto_newsession(u_int32_t *, struct cryptoini *);
@@ -220,13 +220,13 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
M_NOWAIT|M_ZERO);
@@ -256,7 +256,7 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_ictx);
axf->Update(swd->sw_ictx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= (HMAC_IPAD_VAL ^
@@ -265,7 +265,7 @@ viac3_crypto_newsession(u_int32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_octx);
axf->Update(swd->sw_octx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= HMAC_OPAD_VAL;
diff --git a/sys/arch/i386/pci/glxsb.c b/sys/arch/i386/pci/glxsb.c
index 4465fd73971..094483f1fbf 100644
--- a/sys/arch/i386/pci/glxsb.c
+++ b/sys/arch/i386/pci/glxsb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: glxsb.c,v 1.17 2009/10/30 18:18:09 deraadt Exp $ */
+/* $OpenBSD: glxsb.c,v 1.18 2010/01/10 12:43:07 markus Exp $ */
/*
* Copyright (c) 2006 Tom Cosgrove <tom@openbsd.org>
@@ -411,13 +411,13 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
swd = malloc(sizeof(struct swcr_data), M_CRYPTO_DATA,
M_NOWAIT|M_ZERO);
@@ -447,7 +447,7 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_ictx);
axf->Update(swd->sw_ictx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= (HMAC_IPAD_VAL ^
@@ -456,7 +456,7 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
axf->Init(swd->sw_octx);
axf->Update(swd->sw_octx, c->cri_key, c->cri_klen / 8);
axf->Update(swd->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (c->cri_klen / 8));
+ axf->blocksize - (c->cri_klen / 8));
for (i = 0; i < c->cri_klen / 8; i++)
c->cri_key[i] ^= HMAC_OPAD_VAL;
diff --git a/sys/crypto/cryptodev.h b/sys/crypto/cryptodev.h
index 1a736c985cc..c2418a04f03 100644
--- a/sys/crypto/cryptodev.h
+++ b/sys/crypto/cryptodev.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptodev.h,v 1.48 2009/09/03 07:47:27 dlg Exp $ */
+/* $OpenBSD: cryptodev.h,v 1.49 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -60,7 +60,13 @@
#define CRYPTO_SW_SESSIONS 32
/* HMAC values */
-#define HMAC_BLOCK_LEN 64
+#define HMAC_MD5_BLOCK_LEN 64
+#define HMAC_SHA1_BLOCK_LEN 64
+#define HMAC_RIPEMD160_BLOCK_LEN 64
+#define HMAC_SHA2_256_BLOCK_LEN 64
+#define HMAC_SHA2_384_BLOCK_LEN 128
+#define HMAC_SHA2_512_BLOCK_LEN 128
+#define HMAC_MAX_BLOCK_LEN HMAC_SHA2_512_BLOCK_LEN /* keep in sync */
#define HMAC_IPAD_VAL 0x36
#define HMAC_OPAD_VAL 0x5C
diff --git a/sys/crypto/cryptosoft.c b/sys/crypto/cryptosoft.c
index b8303d54a0f..e392747d7c5 100644
--- a/sys/crypto/cryptosoft.c
+++ b/sys/crypto/cryptosoft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptosoft.c,v 1.51 2008/06/09 16:07:00 djm Exp $ */
+/* $OpenBSD: cryptosoft.c,v 1.52 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -38,7 +38,15 @@
#include <crypto/cryptosoft.h>
#include <crypto/xform.h>
-const u_int8_t hmac_ipad_buffer[64] = {
+const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN] = {
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
@@ -49,7 +57,15 @@ const u_int8_t hmac_ipad_buffer[64] = {
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
};
-const u_int8_t hmac_opad_buffer[64] = {
+const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN] = {
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
@@ -660,13 +676,13 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
(*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
M_NOWAIT);
@@ -689,7 +705,7 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf->Update((*swd)->sw_ictx, cri->cri_key,
cri->cri_klen / 8);
axf->Update((*swd)->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (cri->cri_klen / 8));
+ axf->blocksize - (cri->cri_klen / 8));
for (k = 0; k < cri->cri_klen / 8; k++)
cri->cri_key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
@@ -698,7 +714,7 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf->Update((*swd)->sw_octx, cri->cri_key,
cri->cri_klen / 8);
axf->Update((*swd)->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (cri->cri_klen / 8));
+ axf->blocksize - (cri->cri_klen / 8));
for (k = 0; k < cri->cri_klen / 8; k++)
cri->cri_key[k] ^= HMAC_OPAD_VAL;
diff --git a/sys/crypto/cryptosoft.h b/sys/crypto/cryptosoft.h
index b5764fc8830..d7133645a27 100644
--- a/sys/crypto/cryptosoft.h
+++ b/sys/crypto/cryptosoft.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptosoft.h,v 1.11 2007/09/10 22:19:42 henric Exp $ */
+/* $OpenBSD: cryptosoft.h,v 1.12 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -57,8 +57,8 @@ struct swcr_data {
};
#ifdef _KERNEL
-extern const u_int8_t hmac_ipad_buffer[64];
-extern const u_int8_t hmac_opad_buffer[64];
+extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
+extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
int swcr_authcompute(struct cryptop *, struct cryptodesc *, struct swcr_data *,
diff --git a/sys/crypto/xform.c b/sys/crypto/xform.c
index 900b993ee3e..dd5bb9aa054 100644
--- a/sys/crypto/xform.c
+++ b/sys/crypto/xform.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xform.c,v 1.36 2008/09/06 22:23:21 djm Exp $ */
+/* $OpenBSD: xform.c,v 1.37 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -228,70 +228,70 @@ struct enc_xform enc_xform_null = {
/* Authentication instances */
struct auth_hash auth_hash_hmac_md5_96 = {
CRYPTO_MD5_HMAC, "HMAC-MD5",
- 16, 16, 12, sizeof(MD5_CTX),
+ 16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN,
(void (*) (void *)) MD5Init, MD5Update_int,
(void (*) (u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_hmac_sha1_96 = {
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
- 20, 20, 12, sizeof(SHA1_CTX),
+ 20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN,
(void (*) (void *)) SHA1Init, SHA1Update_int,
(void (*) (u_int8_t *, void *)) SHA1Final
};
struct auth_hash auth_hash_hmac_ripemd_160_96 = {
CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
- 20, 20, 12, sizeof(RMD160_CTX),
+ 20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN,
(void (*)(void *)) RMD160Init, RMD160Update_int,
(void (*)(u_int8_t *, void *)) RMD160Final
};
-struct auth_hash auth_hash_hmac_sha2_256_96 = {
+struct auth_hash auth_hash_hmac_sha2_256_128 = {
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
- 32, 32, 12, sizeof(SHA2_CTX),
+ 32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN,
(void (*)(void *)) SHA256Init, SHA256Update_int,
(void (*)(u_int8_t *, void *)) SHA256Final
};
-struct auth_hash auth_hash_hmac_sha2_384_96 = {
+struct auth_hash auth_hash_hmac_sha2_384_192 = {
CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
- 48, 48, 12, sizeof(SHA2_CTX),
+ 48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN,
(void (*)(void *)) SHA384Init, SHA384Update_int,
(void (*)(u_int8_t *, void *)) SHA384Final
};
-struct auth_hash auth_hash_hmac_sha2_512_96 = {
+struct auth_hash auth_hash_hmac_sha2_512_256 = {
CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
- 64, 64, 12, sizeof(SHA2_CTX),
+ 64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN,
(void (*)(void *)) SHA512Init, SHA512Update_int,
(void (*)(u_int8_t *, void *)) SHA512Final
};
struct auth_hash auth_hash_key_md5 = {
CRYPTO_MD5_KPDK, "Keyed MD5",
- 0, 16, 16, sizeof(MD5_CTX),
+ 0, 16, 16, sizeof(MD5_CTX), 0,
(void (*)(void *)) MD5Init, MD5Update_int,
(void (*)(u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_key_sha1 = {
CRYPTO_SHA1_KPDK, "Keyed SHA1",
- 0, 20, 20, sizeof(SHA1_CTX),
+ 0, 20, 20, sizeof(SHA1_CTX), 0,
(void (*)(void *)) SHA1Init, SHA1Update_int,
(void (*)(u_int8_t *, void *)) SHA1Final
};
struct auth_hash auth_hash_md5 = {
CRYPTO_MD5, "MD5",
- 0, 16, 16, sizeof(MD5_CTX),
+ 0, 16, 16, sizeof(MD5_CTX), 0,
(void (*) (void *)) MD5Init, MD5Update_int,
(void (*) (u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_sha1 = {
CRYPTO_SHA1, "SHA1",
- 0, 20, 20, sizeof(SHA1_CTX),
+ 0, 20, 20, sizeof(SHA1_CTX), 0,
(void (*)(void *)) SHA1Init, SHA1Update_int,
(void (*)(u_int8_t *, void *)) SHA1Final
};
diff --git a/sys/crypto/xform.h b/sys/crypto/xform.h
index aed3ec6678c..d7abcf4c36d 100644
--- a/sys/crypto/xform.h
+++ b/sys/crypto/xform.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: xform.h,v 1.19 2008/09/06 22:23:21 djm Exp $ */
+/* $OpenBSD: xform.h,v 1.20 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -37,6 +37,7 @@ struct auth_hash {
u_int16_t hashsize;
u_int16_t authsize;
u_int16_t ctxsize;
+ u_int16_t blocksize;
void (*Init) (void *);
int (*Update) (void *, const u_int8_t *, u_int16_t);
void (*Final) (u_int8_t *, void *);
@@ -87,9 +88,9 @@ extern struct auth_hash auth_hash_key_sha1;
extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;
-extern struct auth_hash auth_hash_hmac_sha2_256_96;
-extern struct auth_hash auth_hash_hmac_sha2_384_96;
-extern struct auth_hash auth_hash_hmac_sha2_512_96;
+extern struct auth_hash auth_hash_hmac_sha2_256_128;
+extern struct auth_hash auth_hash_hmac_sha2_384_192;
+extern struct auth_hash auth_hash_hmac_sha2_512_256;
extern struct comp_algo comp_algo_deflate;
extern struct comp_algo comp_algo_lzs;
diff --git a/sys/dev/pci/safe.c b/sys/dev/pci/safe.c
index 62fff55053c..953f64cd52f 100644
--- a/sys/dev/pci/safe.c
+++ b/sys/dev/pci/safe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: safe.c,v 1.26 2009/09/13 14:42:52 krw Exp $ */
+/* $OpenBSD: safe.c,v 1.27 2010/01/10 12:43:07 markus Exp $ */
/*-
* Copyright (c) 2003 Sam Leffler, Errno Consulting
@@ -1382,7 +1382,7 @@ safe_newsession(u_int32_t *sidp, struct cryptoini *cri)
MD5Update(&md5ctx, macini->cri_key,
macini->cri_klen / 8);
MD5Update(&md5ctx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_MD5_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(md5ctx.state, ses->ses_hminner,
sizeof(md5ctx.state));
} else {
@@ -1390,7 +1390,7 @@ safe_newsession(u_int32_t *sidp, struct cryptoini *cri)
SHA1Update(&sha1ctx, macini->cri_key,
macini->cri_klen / 8);
SHA1Update(&sha1ctx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_SHA1_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(sha1ctx.state, ses->ses_hminner,
sizeof(sha1ctx.state));
}
@@ -1403,7 +1403,7 @@ safe_newsession(u_int32_t *sidp, struct cryptoini *cri)
MD5Update(&md5ctx, macini->cri_key,
macini->cri_klen / 8);
MD5Update(&md5ctx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_MD5_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(md5ctx.state, ses->ses_hmouter,
sizeof(md5ctx.state));
} else {
@@ -1411,7 +1411,7 @@ safe_newsession(u_int32_t *sidp, struct cryptoini *cri)
SHA1Update(&sha1ctx, macini->cri_key,
macini->cri_klen / 8);
SHA1Update(&sha1ctx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_SHA1_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(sha1ctx.state, ses->ses_hmouter,
sizeof(sha1ctx.state));
}
diff --git a/sys/dev/pci/ubsec.c b/sys/dev/pci/ubsec.c
index 08ab6c98db9..bd34bfc485a 100644
--- a/sys/dev/pci/ubsec.c
+++ b/sys/dev/pci/ubsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ubsec.c,v 1.144 2009/09/13 14:42:52 krw Exp $ */
+/* $OpenBSD: ubsec.c,v 1.145 2010/01/10 12:43:07 markus Exp $ */
/*
* Copyright (c) 2000 Jason L. Wright (jason@thought.net)
@@ -744,7 +744,7 @@ ubsec_newsession(u_int32_t *sidp, struct cryptoini *cri)
MD5Update(&md5ctx, macini->cri_key,
macini->cri_klen / 8);
MD5Update(&md5ctx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_MD5_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(md5ctx.state, ses->ses_hminner,
sizeof(md5ctx.state));
} else {
@@ -752,7 +752,7 @@ ubsec_newsession(u_int32_t *sidp, struct cryptoini *cri)
SHA1Update(&sha1ctx, macini->cri_key,
macini->cri_klen / 8);
SHA1Update(&sha1ctx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_SHA1_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(sha1ctx.state, ses->ses_hminner,
sizeof(sha1ctx.state));
}
@@ -765,7 +765,7 @@ ubsec_newsession(u_int32_t *sidp, struct cryptoini *cri)
MD5Update(&md5ctx, macini->cri_key,
macini->cri_klen / 8);
MD5Update(&md5ctx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_MD5_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(md5ctx.state, ses->ses_hmouter,
sizeof(md5ctx.state));
} else {
@@ -773,7 +773,7 @@ ubsec_newsession(u_int32_t *sidp, struct cryptoini *cri)
SHA1Update(&sha1ctx, macini->cri_key,
macini->cri_klen / 8);
SHA1Update(&sha1ctx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (macini->cri_klen / 8));
+ HMAC_SHA1_BLOCK_LEN - (macini->cri_klen / 8));
bcopy(sha1ctx.state, ses->ses_hmouter,
sizeof(sha1ctx.state));
}
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 0ea057e42bf..3fc1ac425a7 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.92 2008/09/15 21:46:01 chl Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.93 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -116,15 +116,15 @@ ah_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
break;
case SADB_X_AALG_SHA2_256:
- thash = &auth_hash_hmac_sha2_256_96;
+ thash = &auth_hash_hmac_sha2_256_128;
break;
case SADB_X_AALG_SHA2_384:
- thash = &auth_hash_hmac_sha2_384_96;
+ thash = &auth_hash_hmac_sha2_384_192;
break;
case SADB_X_AALG_SHA2_512:
- thash = &auth_hash_hmac_sha2_512_96;
+ thash = &auth_hash_hmac_sha2_512_256;
break;
case SADB_X_AALG_MD5:
diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h
index 8d6fe54bcd7..c920cc19dc2 100644
--- a/sys/netinet/ip_ah.h
+++ b/sys/netinet/ip_ah.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.h,v 1.32 2007/12/14 18:33:40 deraadt Exp $ */
+/* $OpenBSD: ip_ah.h,v 1.33 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -72,9 +72,6 @@ struct ah
/* Length of base AH header */
#define AH_FLENGTH 8
-/* Size of the largest hash function output used in AH-new, in bytes */
-#define AH_MAX_HASHLEN 20
-
/*
* Names for AH sysctl objects
*/
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index c5d179518b7..b009a7742bb 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.105 2008/06/09 07:07:17 djm Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.106 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -183,15 +183,15 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
break;
case SADB_X_AALG_SHA2_256:
- thash = &auth_hash_hmac_sha2_256_96;
+ thash = &auth_hash_hmac_sha2_256_128;
break;
case SADB_X_AALG_SHA2_384:
- thash = &auth_hash_hmac_sha2_384_96;
+ thash = &auth_hash_hmac_sha2_384_192;
break;
case SADB_X_AALG_SHA2_512:
- thash = &auth_hash_hmac_sha2_512_96;
+ thash = &auth_hash_hmac_sha2_512_256;
break;
default:
@@ -304,11 +304,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
else
hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
- if (esph)
- alen = AH_HMAC_HASHLEN;
- else
- alen = 0;
-
+ alen = esph ? esph->authsize : 0;
plen = m->m_pkthdr.len - (skip + hlen + alen);
if (plen <= 0) {
DPRINTF(("esp_input: invalid payload length\n"));
@@ -490,7 +486,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
int
esp_input_cb(void *op)
{
- u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
+ u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN];
int s, hlen, roff, skip, protoff, error;
struct mbuf *m1, *mo, *m;
struct auth_hash *esph;
@@ -770,11 +766,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
padding = ((blks - ((rlen + 2) % blks)) % blks) + 2;
- if (esph)
- alen = AH_HMAC_HASHLEN;
- else
- alen = 0;
-
+ alen = esph ? esph->authsize : 0;
espstat.esps_output++;
switch (tdb->tdb_dst.sa.sa_family) {
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h
index 42a66386a44..97c18b50fe5 100644
--- a/sys/netinet/ip_esp.h
+++ b/sys/netinet/ip_esp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.h,v 1.41 2007/12/14 18:33:41 deraadt Exp $ */
+/* $OpenBSD: ip_esp.h,v 1.42 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -38,8 +38,6 @@
#ifndef _NETINET_IP_ESP_H_
#define _NETINET_IP_ESP_H_
-#define ESP_ALEN 12 /* 96-bit authenticator */
-
struct espstat
{
u_int32_t esps_hdrops; /* Packet shorter than header shows */
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 8edd1642bdb..f506ad50e36 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.178 2009/08/12 00:13:43 martynas Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.179 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -1230,7 +1230,7 @@ ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto)
/* Update the length of trailing ESP authenticators. */
if (tdb->tdb_authalgxform)
- trail += AH_HMAC_HASHLEN;
+ trail += tdb->tdb_authalgxform->authsize;
splx(s);
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 9b214c4ea5c..05a2d4d8d73 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.139 2009/11/13 20:54:05 claudio Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.140 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -61,7 +61,7 @@ union sockaddr_union {
#define SHA2_384HMAC96_KEYSIZE 48
#define SHA2_512HMAC96_KEYSIZE 64
-#define AH_HMAC_HASHLEN 12 /* 96 bits of authenticator */
+#define AH_HMAC_MAX_HASHLEN 32 /* 256 bits of authenticator for SHA512 */
#define AH_HMAC_RPLENGTH 4 /* 32 bits of replay counter */
#define AH_HMAC_INITIAL_RPL 1 /* Replay counter initial value */
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 24f7654e105..232f3e4d438 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.41 2008/08/26 12:19:01 henning Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.42 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -551,7 +551,7 @@ ipsec_hdrsz(struct tdb *tdbp)
adjust += sizeof(struct udphdr);
/* Authenticator */
if (tdbp->tdb_authalgxform != NULL)
- adjust += AH_HMAC_HASHLEN;
+ adjust += tdbp->tdb_authalgxform->authsize;
/* Padding */
adjust += tdbp->tdb_encalgxform->blocksize;
break;