- RIPEMD160 support
- pass size arg to ah->result (avoid assuming result buffer size) Obtained from: KAME
This commit is contained in:
parent
5e6a487b36
commit
492528c051
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=121021
@ -171,6 +171,9 @@ static struct val2str str_alg_auth[] = {
|
|||||||
#endif
|
#endif
|
||||||
#ifdef SADB_X_AALG_SHA2_512
|
#ifdef SADB_X_AALG_SHA2_512
|
||||||
{ SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
|
{ SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
|
||||||
|
#endif
|
||||||
|
#ifdef SADB_X_AALG_RIPEMD160HMAC
|
||||||
|
{ SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", },
|
||||||
#endif
|
#endif
|
||||||
{ -1, NULL, },
|
{ -1, NULL, },
|
||||||
};
|
};
|
||||||
|
@ -549,6 +549,8 @@ hmac-sha2-384 384 ah: 96bit ICV (no document)
|
|||||||
384 ah-old: 128bit ICV (no document)
|
384 ah-old: 128bit ICV (no document)
|
||||||
hmac-sha2-512 512 ah: 96bit ICV (no document)
|
hmac-sha2-512 512 ah: 96bit ICV (no document)
|
||||||
512 ah-old: 128bit ICV (no document)
|
512 ah-old: 128bit ICV (no document)
|
||||||
|
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
|
||||||
|
ah-old: 128bit ICV (no document)
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
Followings are the list of encryption algorithms that can be used as
|
Followings are the list of encryption algorithms that can be used as
|
||||||
|
@ -170,6 +170,7 @@ keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); }
|
|||||||
hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
|
hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
|
||||||
hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
|
hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
|
||||||
hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
|
hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
|
||||||
|
hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); }
|
||||||
null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
|
null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
|
||||||
|
|
||||||
/* encryption alogorithm */
|
/* encryption alogorithm */
|
||||||
|
@ -1717,6 +1717,7 @@ Currently supported algorithms are:
|
|||||||
keyed SHA1 with 128bit crypto checksum (no document)
|
keyed SHA1 with 128bit crypto checksum (no document)
|
||||||
HMAC MD5 with 128bit crypto checksum (rfc2085.txt)
|
HMAC MD5 with 128bit crypto checksum (rfc2085.txt)
|
||||||
HMAC SHA1 with 128bit crypto checksum (no document)
|
HMAC SHA1 with 128bit crypto checksum (no document)
|
||||||
|
HMAC RIPEMD160 with 128bit crypto checksum (no document)
|
||||||
old IPsec ESP
|
old IPsec ESP
|
||||||
null encryption (no document, similar to rfc2410.txt)
|
null encryption (no document, similar to rfc2410.txt)
|
||||||
DES-CBC mode (rfc1829.txt)
|
DES-CBC mode (rfc1829.txt)
|
||||||
@ -1729,6 +1730,7 @@ Currently supported algorithms are:
|
|||||||
HMAC SHA2-256 with 96bit crypto checksum (no document)
|
HMAC SHA2-256 with 96bit crypto checksum (no document)
|
||||||
HMAC SHA2-384 with 96bit crypto checksum (no document)
|
HMAC SHA2-384 with 96bit crypto checksum (no document)
|
||||||
HMAC SHA2-512 with 96bit crypto checksum (no document)
|
HMAC SHA2-512 with 96bit crypto checksum (no document)
|
||||||
|
HMAC RIPEMD160 with 96bit crypto checksum (RFC2857)
|
||||||
new IPsec ESP
|
new IPsec ESP
|
||||||
null encryption (rfc2410.txt)
|
null encryption (rfc2410.txt)
|
||||||
DES-CBC with derived IV
|
DES-CBC with derived IV
|
||||||
|
@ -207,6 +207,7 @@ crypto/des/des_ecb.c optional ipsec ipsec_esp
|
|||||||
crypto/des/des_setkey.c optional ipsec ipsec_esp
|
crypto/des/des_setkey.c optional ipsec ipsec_esp
|
||||||
crypto/rijndael/rijndael-alg-fst.c optional ipsec ipsec_esp
|
crypto/rijndael/rijndael-alg-fst.c optional ipsec ipsec_esp
|
||||||
crypto/rijndael/rijndael-api-fst.c optional ipsec ipsec_esp
|
crypto/rijndael/rijndael-api-fst.c optional ipsec ipsec_esp
|
||||||
|
crypto/ripemd160/rmd160.c optional ipsec
|
||||||
crypto/sha1.c optional ipsec
|
crypto/sha1.c optional ipsec
|
||||||
crypto/sha2/sha2.c optional ipsec
|
crypto/sha2/sha2.c optional ipsec
|
||||||
ddb/db_access.c optional ddb
|
ddb/db_access.c optional ddb
|
||||||
|
@ -74,7 +74,7 @@ struct ah_algorithm {
|
|||||||
const char *name;
|
const char *name;
|
||||||
int (*init) __P((struct ah_algorithm_state *, struct secasvar *));
|
int (*init) __P((struct ah_algorithm_state *, struct secasvar *));
|
||||||
void (*update) __P((struct ah_algorithm_state *, caddr_t, size_t));
|
void (*update) __P((struct ah_algorithm_state *, caddr_t, size_t));
|
||||||
void (*result) __P((struct ah_algorithm_state *, caddr_t));
|
void (*result) __P((struct ah_algorithm_state *, caddr_t, size_t));
|
||||||
};
|
};
|
||||||
|
|
||||||
#define AH_MAXSUMSIZE 16
|
#define AH_MAXSUMSIZE 16
|
||||||
|
@ -85,6 +85,8 @@
|
|||||||
#include <sys/md5.h>
|
#include <sys/md5.h>
|
||||||
#include <crypto/sha1.h>
|
#include <crypto/sha1.h>
|
||||||
#include <crypto/sha2/sha2.h>
|
#include <crypto/sha2/sha2.h>
|
||||||
|
#include <crypto/ripemd160/rmd160.h>
|
||||||
|
#define RIPEMD160_RESULTLEN 20
|
||||||
|
|
||||||
#include <net/net_osdep.h>
|
#include <net/net_osdep.h>
|
||||||
|
|
||||||
@ -92,52 +94,60 @@
|
|||||||
|
|
||||||
static int ah_sumsiz_1216 __P((struct secasvar *));
|
static int ah_sumsiz_1216 __P((struct secasvar *));
|
||||||
static int ah_sumsiz_zero __P((struct secasvar *));
|
static int ah_sumsiz_zero __P((struct secasvar *));
|
||||||
|
static int ah_common_mature __P((struct secasvar *));
|
||||||
static int ah_none_mature __P((struct secasvar *));
|
static int ah_none_mature __P((struct secasvar *));
|
||||||
static int ah_none_init __P((struct ah_algorithm_state *, struct secasvar *));
|
static int ah_none_init __P((struct ah_algorithm_state *, struct secasvar *));
|
||||||
static void ah_none_loop __P((struct ah_algorithm_state *, caddr_t, size_t));
|
static void ah_none_loop __P((struct ah_algorithm_state *, caddr_t, size_t));
|
||||||
static void ah_none_result __P((struct ah_algorithm_state *, caddr_t));
|
static void ah_none_result __P((struct ah_algorithm_state *, caddr_t, size_t));
|
||||||
static int ah_keyed_md5_mature __P((struct secasvar *));
|
static int ah_keyed_md5_mature __P((struct secasvar *));
|
||||||
static int ah_keyed_md5_init __P((struct ah_algorithm_state *,
|
static int ah_keyed_md5_init __P((struct ah_algorithm_state *,
|
||||||
struct secasvar *));
|
struct secasvar *));
|
||||||
static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, caddr_t,
|
static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||||
size_t));
|
size_t));
|
||||||
static void ah_keyed_md5_result __P((struct ah_algorithm_state *, caddr_t));
|
static void ah_keyed_md5_result __P((struct ah_algorithm_state *,
|
||||||
static int ah_keyed_sha1_mature __P((struct secasvar *));
|
caddr_t, size_t));
|
||||||
static int ah_keyed_sha1_init __P((struct ah_algorithm_state *,
|
static int ah_keyed_sha1_init __P((struct ah_algorithm_state *,
|
||||||
struct secasvar *));
|
struct secasvar *));
|
||||||
static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
|
static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||||
size_t));
|
size_t));
|
||||||
static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, caddr_t));
|
static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, caddr_t,
|
||||||
static int ah_hmac_md5_mature __P((struct secasvar *));
|
size_t));
|
||||||
static int ah_hmac_md5_init __P((struct ah_algorithm_state *,
|
static int ah_hmac_md5_init __P((struct ah_algorithm_state *,
|
||||||
struct secasvar *));
|
struct secasvar *));
|
||||||
static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, caddr_t,
|
static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||||
size_t));
|
size_t));
|
||||||
static void ah_hmac_md5_result __P((struct ah_algorithm_state *, caddr_t));
|
static void ah_hmac_md5_result __P((struct ah_algorithm_state *,
|
||||||
static int ah_hmac_sha1_mature __P((struct secasvar *));
|
caddr_t, size_t));
|
||||||
static int ah_hmac_sha1_init __P((struct ah_algorithm_state *,
|
static int ah_hmac_sha1_init __P((struct ah_algorithm_state *,
|
||||||
struct secasvar *));
|
struct secasvar *));
|
||||||
static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
|
static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||||
size_t));
|
size_t));
|
||||||
static void ah_hmac_sha1_result __P((struct ah_algorithm_state *, caddr_t));
|
static void ah_hmac_sha1_result __P((struct ah_algorithm_state *,
|
||||||
static int ah_hmac_sha2_256_mature __P((struct secasvar *));
|
caddr_t, size_t));
|
||||||
static int ah_hmac_sha2_256_init __P((struct ah_algorithm_state *,
|
static int ah_hmac_sha2_256_init __P((struct ah_algorithm_state *,
|
||||||
struct secasvar *));
|
struct secasvar *));
|
||||||
static void ah_hmac_sha2_256_loop __P((struct ah_algorithm_state *, caddr_t,
|
static void ah_hmac_sha2_256_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||||
size_t));
|
size_t));
|
||||||
static void ah_hmac_sha2_256_result __P((struct ah_algorithm_state *, caddr_t));
|
static void ah_hmac_sha2_256_result __P((struct ah_algorithm_state *,
|
||||||
static int ah_hmac_sha2_384_mature __P((struct secasvar *));
|
caddr_t, size_t));
|
||||||
static int ah_hmac_sha2_384_init __P((struct ah_algorithm_state *,
|
static int ah_hmac_sha2_384_init __P((struct ah_algorithm_state *,
|
||||||
struct secasvar *));
|
struct secasvar *));
|
||||||
static void ah_hmac_sha2_384_loop __P((struct ah_algorithm_state *, caddr_t,
|
static void ah_hmac_sha2_384_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||||
size_t));
|
size_t));
|
||||||
static void ah_hmac_sha2_384_result __P((struct ah_algorithm_state *, caddr_t));
|
static void ah_hmac_sha2_384_result __P((struct ah_algorithm_state *,
|
||||||
static int ah_hmac_sha2_512_mature __P((struct secasvar *));
|
caddr_t, size_t));
|
||||||
static int ah_hmac_sha2_512_init __P((struct ah_algorithm_state *,
|
static int ah_hmac_sha2_512_init __P((struct ah_algorithm_state *,
|
||||||
struct secasvar *));
|
struct secasvar *));
|
||||||
static void ah_hmac_sha2_512_loop __P((struct ah_algorithm_state *, caddr_t,
|
static void ah_hmac_sha2_512_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||||
size_t));
|
size_t));
|
||||||
static void ah_hmac_sha2_512_result __P((struct ah_algorithm_state *, caddr_t));
|
static void ah_hmac_sha2_512_result __P((struct ah_algorithm_state *,
|
||||||
|
caddr_t, size_t));
|
||||||
|
static int ah_hmac_ripemd160_init __P((struct ah_algorithm_state *,
|
||||||
|
struct secasvar *));
|
||||||
|
static void ah_hmac_ripemd160_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||||
|
size_t));
|
||||||
|
static void ah_hmac_ripemd160_result __P((struct ah_algorithm_state *,
|
||||||
|
caddr_t, size_t));
|
||||||
|
|
||||||
static void ah_update_mbuf __P((struct mbuf *, int, int,
|
static void ah_update_mbuf __P((struct mbuf *, int, int,
|
||||||
const struct ah_algorithm *, struct ah_algorithm_state *));
|
const struct ah_algorithm *, struct ah_algorithm_state *));
|
||||||
@ -148,32 +158,36 @@ ah_algorithm_lookup(idx)
|
|||||||
{
|
{
|
||||||
/* checksum algorithms */
|
/* checksum algorithms */
|
||||||
static struct ah_algorithm ah_algorithms[] = {
|
static struct ah_algorithm ah_algorithms[] = {
|
||||||
{ ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5",
|
{ ah_sumsiz_1216, ah_common_mature, 128, 128, "hmac-md5",
|
||||||
ah_hmac_md5_init, ah_hmac_md5_loop,
|
ah_hmac_md5_init, ah_hmac_md5_loop,
|
||||||
ah_hmac_md5_result, },
|
ah_hmac_md5_result, },
|
||||||
{ ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1",
|
{ ah_sumsiz_1216, ah_common_mature, 160, 160, "hmac-sha1",
|
||||||
ah_hmac_sha1_init, ah_hmac_sha1_loop,
|
ah_hmac_sha1_init, ah_hmac_sha1_loop,
|
||||||
ah_hmac_sha1_result, },
|
ah_hmac_sha1_result, },
|
||||||
{ ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
|
{ ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5",
|
||||||
ah_keyed_md5_init, ah_keyed_md5_loop,
|
ah_keyed_md5_init, ah_keyed_md5_loop,
|
||||||
ah_keyed_md5_result, },
|
ah_keyed_md5_result, },
|
||||||
{ ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1",
|
{ ah_sumsiz_1216, ah_common_mature, 160, 160, "keyed-sha1",
|
||||||
ah_keyed_sha1_init, ah_keyed_sha1_loop,
|
ah_keyed_sha1_init, ah_keyed_sha1_loop,
|
||||||
ah_keyed_sha1_result, },
|
ah_keyed_sha1_result, },
|
||||||
{ ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
|
{ ah_sumsiz_zero, ah_none_mature, 0, 2048, "none",
|
||||||
ah_none_init, ah_none_loop, ah_none_result, },
|
ah_none_init, ah_none_loop, ah_none_result, },
|
||||||
{ ah_sumsiz_1216, ah_hmac_sha2_256_mature, 256, 256,
|
{ ah_sumsiz_1216, ah_common_mature, 256, 256,
|
||||||
"hmac-sha2-256",
|
"hmac-sha2-256",
|
||||||
ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
|
ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop,
|
||||||
ah_hmac_sha2_256_result, },
|
ah_hmac_sha2_256_result, },
|
||||||
{ ah_sumsiz_1216, ah_hmac_sha2_384_mature, 384, 384,
|
{ ah_sumsiz_1216, ah_common_mature, 384, 384,
|
||||||
"hmac-sha2-384",
|
"hmac-sha2-384",
|
||||||
ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
|
ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop,
|
||||||
ah_hmac_sha2_384_result, },
|
ah_hmac_sha2_384_result, },
|
||||||
{ ah_sumsiz_1216, ah_hmac_sha2_512_mature, 512, 512,
|
{ ah_sumsiz_1216, ah_common_mature, 512, 512,
|
||||||
"hmac-sha2-512",
|
"hmac-sha2-512",
|
||||||
ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
|
ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop,
|
||||||
ah_hmac_sha2_512_result, },
|
ah_hmac_sha2_512_result, },
|
||||||
|
{ ah_sumsiz_1216, ah_common_mature, 160, 160,
|
||||||
|
"hmac-ripemd160",
|
||||||
|
ah_hmac_ripemd160_init, ah_hmac_ripemd160_loop,
|
||||||
|
ah_hmac_ripemd160_result, },
|
||||||
};
|
};
|
||||||
|
|
||||||
switch (idx) {
|
switch (idx) {
|
||||||
@ -193,6 +207,8 @@ ah_algorithm_lookup(idx)
|
|||||||
return &ah_algorithms[6];
|
return &ah_algorithms[6];
|
||||||
case SADB_X_AALG_SHA2_512:
|
case SADB_X_AALG_SHA2_512:
|
||||||
return &ah_algorithms[7];
|
return &ah_algorithms[7];
|
||||||
|
case SADB_X_AALG_RIPEMD160HMAC:
|
||||||
|
return &ah_algorithms[8];
|
||||||
default:
|
default:
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -220,6 +236,34 @@ ah_sumsiz_zero(sav)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
ah_common_mature(sav)
|
||||||
|
struct secasvar *sav;
|
||||||
|
{
|
||||||
|
const struct ah_algorithm *algo;
|
||||||
|
|
||||||
|
if (!sav->key_auth) {
|
||||||
|
ipseclog((LOG_ERR, "ah_common_mature: no key is given.\n"));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
algo = ah_algorithm_lookup(sav->alg_auth);
|
||||||
|
if (!algo) {
|
||||||
|
ipseclog((LOG_ERR, "ah_common_mature: unsupported algorithm.\n"));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sav->key_auth->sadb_key_bits < algo->keymin ||
|
||||||
|
algo->keymax < sav->key_auth->sadb_key_bits) {
|
||||||
|
ipseclog((LOG_ERR,
|
||||||
|
"ah_common_mature: invalid key length %d for %s.\n",
|
||||||
|
sav->key_auth->sadb_key_bits, algo->name));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ah_none_mature(sav)
|
ah_none_mature(sav)
|
||||||
struct secasvar *sav;
|
struct secasvar *sav;
|
||||||
@ -250,9 +294,10 @@ ah_none_loop(state, addr, len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ah_none_result(state, addr)
|
ah_none_result(state, addr, l)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
caddr_t addr;
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -335,9 +380,10 @@ ah_keyed_md5_loop(state, addr, len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ah_keyed_md5_result(state, addr)
|
ah_keyed_md5_result(state, addr, l)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
caddr_t addr;
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
{
|
{
|
||||||
u_char digest[16];
|
u_char digest[16];
|
||||||
|
|
||||||
@ -354,34 +400,6 @@ ah_keyed_md5_result(state, addr)
|
|||||||
bcopy(&digest[0], (void *)addr, sizeof(digest));
|
bcopy(&digest[0], (void *)addr, sizeof(digest));
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
ah_keyed_sha1_mature(sav)
|
|
||||||
struct secasvar *sav;
|
|
||||||
{
|
|
||||||
const struct ah_algorithm *algo;
|
|
||||||
|
|
||||||
if (!sav->key_auth) {
|
|
||||||
ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
algo = ah_algorithm_lookup(sav->alg_auth);
|
|
||||||
if (!algo) {
|
|
||||||
ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sav->key_auth->sadb_key_bits < algo->keymin
|
|
||||||
|| algo->keymax < sav->key_auth->sadb_key_bits) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_keyed_sha1_mature: invalid key length %d.\n",
|
|
||||||
sav->key_auth->sadb_key_bits));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ah_keyed_sha1_init(state, sav)
|
ah_keyed_sha1_init(state, sav)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
@ -456,9 +474,10 @@ ah_keyed_sha1_loop(state, addr, len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ah_keyed_sha1_result(state, addr)
|
ah_keyed_sha1_result(state, addr, l)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
caddr_t addr;
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
{
|
{
|
||||||
u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
|
u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
|
||||||
SHA1_CTX *ctxt;
|
SHA1_CTX *ctxt;
|
||||||
@ -477,34 +496,6 @@ ah_keyed_sha1_result(state, addr)
|
|||||||
free(state->foo, M_TEMP);
|
free(state->foo, M_TEMP);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
ah_hmac_md5_mature(sav)
|
|
||||||
struct secasvar *sav;
|
|
||||||
{
|
|
||||||
const struct ah_algorithm *algo;
|
|
||||||
|
|
||||||
if (!sav->key_auth) {
|
|
||||||
ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
algo = ah_algorithm_lookup(sav->alg_auth);
|
|
||||||
if (!algo) {
|
|
||||||
ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sav->key_auth->sadb_key_bits < algo->keymin
|
|
||||||
|| algo->keymax < sav->key_auth->sadb_key_bits) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_md5_mature: invalid key length %d.\n",
|
|
||||||
sav->key_auth->sadb_key_bits));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ah_hmac_md5_init(state, sav)
|
ah_hmac_md5_init(state, sav)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
@ -573,9 +564,10 @@ ah_hmac_md5_loop(state, addr, len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ah_hmac_md5_result(state, addr)
|
ah_hmac_md5_result(state, addr, l)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
caddr_t addr;
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
{
|
{
|
||||||
u_char digest[16];
|
u_char digest[16];
|
||||||
u_char *ipad;
|
u_char *ipad;
|
||||||
@ -601,34 +593,6 @@ ah_hmac_md5_result(state, addr)
|
|||||||
free(state->foo, M_TEMP);
|
free(state->foo, M_TEMP);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
ah_hmac_sha1_mature(sav)
|
|
||||||
struct secasvar *sav;
|
|
||||||
{
|
|
||||||
const struct ah_algorithm *algo;
|
|
||||||
|
|
||||||
if (!sav->key_auth) {
|
|
||||||
ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
algo = ah_algorithm_lookup(sav->alg_auth);
|
|
||||||
if (!algo) {
|
|
||||||
ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sav->key_auth->sadb_key_bits < algo->keymin
|
|
||||||
|| algo->keymax < sav->key_auth->sadb_key_bits) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha1_mature: invalid key length %d.\n",
|
|
||||||
sav->key_auth->sadb_key_bits));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ah_hmac_sha1_init(state, sav)
|
ah_hmac_sha1_init(state, sav)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
@ -699,9 +663,10 @@ ah_hmac_sha1_loop(state, addr, len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ah_hmac_sha1_result(state, addr)
|
ah_hmac_sha1_result(state, addr, l)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
caddr_t addr;
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
{
|
{
|
||||||
u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
|
u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */
|
||||||
u_char *ipad;
|
u_char *ipad;
|
||||||
@ -727,36 +692,6 @@ ah_hmac_sha1_result(state, addr)
|
|||||||
free(state->foo, M_TEMP);
|
free(state->foo, M_TEMP);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
ah_hmac_sha2_256_mature(sav)
|
|
||||||
struct secasvar *sav;
|
|
||||||
{
|
|
||||||
const struct ah_algorithm *algo;
|
|
||||||
|
|
||||||
if (!sav->key_auth) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_256_mature: no key is given.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
algo = ah_algorithm_lookup(sav->alg_auth);
|
|
||||||
if (!algo) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_256_mature: unsupported algorithm.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sav->key_auth->sadb_key_bits < algo->keymin ||
|
|
||||||
algo->keymax < sav->key_auth->sadb_key_bits) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_256_mature: invalid key length %d.\n",
|
|
||||||
sav->key_auth->sadb_key_bits));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ah_hmac_sha2_256_init(state, sav)
|
ah_hmac_sha2_256_init(state, sav)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
@ -830,9 +765,10 @@ ah_hmac_sha2_256_loop(state, addr, len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ah_hmac_sha2_256_result(state, addr)
|
ah_hmac_sha2_256_result(state, addr, l)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
caddr_t addr;
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
{
|
{
|
||||||
u_char digest[SHA256_DIGEST_LENGTH];
|
u_char digest[SHA256_DIGEST_LENGTH];
|
||||||
u_char *ipad;
|
u_char *ipad;
|
||||||
@ -859,36 +795,6 @@ ah_hmac_sha2_256_result(state, addr)
|
|||||||
free(state->foo, M_TEMP);
|
free(state->foo, M_TEMP);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
ah_hmac_sha2_384_mature(sav)
|
|
||||||
struct secasvar *sav;
|
|
||||||
{
|
|
||||||
const struct ah_algorithm *algo;
|
|
||||||
|
|
||||||
if (!sav->key_auth) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_384_mature: no key is given.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
algo = ah_algorithm_lookup(sav->alg_auth);
|
|
||||||
if (!algo) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_384_mature: unsupported algorithm.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sav->key_auth->sadb_key_bits < algo->keymin ||
|
|
||||||
algo->keymax < sav->key_auth->sadb_key_bits) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_384_mature: invalid key length %d.\n",
|
|
||||||
sav->key_auth->sadb_key_bits));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ah_hmac_sha2_384_init(state, sav)
|
ah_hmac_sha2_384_init(state, sav)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
@ -963,9 +869,10 @@ ah_hmac_sha2_384_loop(state, addr, len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ah_hmac_sha2_384_result(state, addr)
|
ah_hmac_sha2_384_result(state, addr, l)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
caddr_t addr;
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
{
|
{
|
||||||
u_char digest[SHA384_DIGEST_LENGTH];
|
u_char digest[SHA384_DIGEST_LENGTH];
|
||||||
u_char *ipad;
|
u_char *ipad;
|
||||||
@ -992,36 +899,6 @@ ah_hmac_sha2_384_result(state, addr)
|
|||||||
free(state->foo, M_TEMP);
|
free(state->foo, M_TEMP);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
ah_hmac_sha2_512_mature(sav)
|
|
||||||
struct secasvar *sav;
|
|
||||||
{
|
|
||||||
const struct ah_algorithm *algo;
|
|
||||||
|
|
||||||
if (!sav->key_auth) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_512_mature: no key is given.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
algo = ah_algorithm_lookup(sav->alg_auth);
|
|
||||||
if (!algo) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_512_mature: unsupported algorithm.\n"));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sav->key_auth->sadb_key_bits < algo->keymin ||
|
|
||||||
algo->keymax < sav->key_auth->sadb_key_bits) {
|
|
||||||
ipseclog((LOG_ERR,
|
|
||||||
"ah_hmac_sha2_512_mature: invalid key length %d.\n",
|
|
||||||
sav->key_auth->sadb_key_bits));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ah_hmac_sha2_512_init(state, sav)
|
ah_hmac_sha2_512_init(state, sav)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
@ -1096,9 +973,10 @@ ah_hmac_sha2_512_loop(state, addr, len)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
ah_hmac_sha2_512_result(state, addr)
|
ah_hmac_sha2_512_result(state, addr, l)
|
||||||
struct ah_algorithm_state *state;
|
struct ah_algorithm_state *state;
|
||||||
caddr_t addr;
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
{
|
{
|
||||||
u_char digest[SHA512_DIGEST_LENGTH];
|
u_char digest[SHA512_DIGEST_LENGTH];
|
||||||
u_char *ipad;
|
u_char *ipad;
|
||||||
@ -1125,6 +1003,110 @@ ah_hmac_sha2_512_result(state, addr)
|
|||||||
free(state->foo, M_TEMP);
|
free(state->foo, M_TEMP);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
ah_hmac_ripemd160_init(state, sav)
|
||||||
|
struct ah_algorithm_state *state;
|
||||||
|
struct secasvar *sav;
|
||||||
|
{
|
||||||
|
u_char *ipad;
|
||||||
|
u_char *opad;
|
||||||
|
RMD160_CTX *ctxt;
|
||||||
|
u_char tk[RIPEMD160_RESULTLEN];
|
||||||
|
u_char *key;
|
||||||
|
size_t keylen;
|
||||||
|
size_t i;
|
||||||
|
|
||||||
|
if (!state)
|
||||||
|
panic("ah_hmac_ripemd160_init: what?");
|
||||||
|
|
||||||
|
state->sav = sav;
|
||||||
|
state->foo = (void *)malloc(64 + 64 + sizeof(RMD160_CTX),
|
||||||
|
M_TEMP, M_NOWAIT);
|
||||||
|
if (!state->foo)
|
||||||
|
return ENOBUFS;
|
||||||
|
bzero(state->foo, 64 + 64 + sizeof(RMD160_CTX));
|
||||||
|
|
||||||
|
ipad = (u_char *)state->foo;
|
||||||
|
opad = (u_char *)(ipad + 64);
|
||||||
|
ctxt = (RMD160_CTX *)(opad + 64);
|
||||||
|
|
||||||
|
/* compress the key if necessery */
|
||||||
|
if (64 < _KEYLEN(state->sav->key_auth)) {
|
||||||
|
bzero(tk, sizeof(tk));
|
||||||
|
bzero(ctxt, sizeof(*ctxt));
|
||||||
|
RMD160Init(ctxt);
|
||||||
|
RMD160Update(ctxt, _KEYBUF(state->sav->key_auth),
|
||||||
|
_KEYLEN(state->sav->key_auth));
|
||||||
|
RMD160Final(&tk[0], ctxt);
|
||||||
|
key = &tk[0];
|
||||||
|
keylen = sizeof(tk) < 64 ? sizeof(tk) : 64;
|
||||||
|
} else {
|
||||||
|
key = _KEYBUF(state->sav->key_auth);
|
||||||
|
keylen = _KEYLEN(state->sav->key_auth);
|
||||||
|
}
|
||||||
|
|
||||||
|
bzero(ipad, 64);
|
||||||
|
bzero(opad, 64);
|
||||||
|
bcopy(key, ipad, keylen);
|
||||||
|
bcopy(key, opad, keylen);
|
||||||
|
for (i = 0; i < 64; i++) {
|
||||||
|
ipad[i] ^= 0x36;
|
||||||
|
opad[i] ^= 0x5c;
|
||||||
|
}
|
||||||
|
|
||||||
|
bzero(ctxt, sizeof(*ctxt));
|
||||||
|
RMD160Init(ctxt);
|
||||||
|
RMD160Update(ctxt, ipad, 64);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
ah_hmac_ripemd160_loop(state, addr, len)
|
||||||
|
struct ah_algorithm_state *state;
|
||||||
|
caddr_t addr;
|
||||||
|
size_t len;
|
||||||
|
{
|
||||||
|
RMD160_CTX *ctxt;
|
||||||
|
|
||||||
|
if (!state || !state->foo)
|
||||||
|
panic("ah_hmac_ripemd160_loop: what?");
|
||||||
|
|
||||||
|
ctxt = (RMD160_CTX *)(((u_char *)state->foo) + 128);
|
||||||
|
RMD160Update(ctxt, (caddr_t)addr, (size_t)len);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
ah_hmac_ripemd160_result(state, addr, l)
|
||||||
|
struct ah_algorithm_state *state;
|
||||||
|
caddr_t addr;
|
||||||
|
size_t l;
|
||||||
|
{
|
||||||
|
u_char digest[RIPEMD160_RESULTLEN];
|
||||||
|
u_char *ipad;
|
||||||
|
u_char *opad;
|
||||||
|
RMD160_CTX *ctxt;
|
||||||
|
|
||||||
|
if (!state || !state->foo)
|
||||||
|
panic("ah_hmac_ripemd160_result: what?");
|
||||||
|
|
||||||
|
ipad = (u_char *)state->foo;
|
||||||
|
opad = (u_char *)(ipad + 64);
|
||||||
|
ctxt = (RMD160_CTX *)(opad + 64);
|
||||||
|
|
||||||
|
RMD160Final((caddr_t)digest, ctxt);
|
||||||
|
|
||||||
|
bzero(ctxt, sizeof(*ctxt));
|
||||||
|
RMD160Init(ctxt);
|
||||||
|
RMD160Update(ctxt, opad, 64);
|
||||||
|
RMD160Update(ctxt, (caddr_t)digest, sizeof(digest));
|
||||||
|
RMD160Final((caddr_t)digest, ctxt);
|
||||||
|
|
||||||
|
bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest));
|
||||||
|
|
||||||
|
free(state->foo, M_TEMP);
|
||||||
|
}
|
||||||
|
|
||||||
/*------------------------------------------------------------*/
|
/*------------------------------------------------------------*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1401,7 +1383,7 @@ ah4_calccksum(m, ahdat, len, algo, sav)
|
|||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
(algo->result)(&algos, &sumbuf[0]);
|
(algo->result)(&algos, sumbuf, sizeof(sumbuf));
|
||||||
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
|
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
|
||||||
|
|
||||||
if (n)
|
if (n)
|
||||||
@ -1628,7 +1610,7 @@ ah6_calccksum(m, ahdat, len, algo, sav)
|
|||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
(algo->result)(&algos, &sumbuf[0]);
|
(algo->result)(&algos, sumbuf, sizeof(sumbuf));
|
||||||
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
|
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
|
||||||
|
|
||||||
/* just in case */
|
/* just in case */
|
||||||
|
@ -1122,7 +1122,7 @@ esp_auth(m0, skip, length, sav, sum)
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
(*algo->result)(&s, sumbuf);
|
(*algo->result)(&s, sumbuf, sizeof(sumbuf));
|
||||||
bcopy(sumbuf, sum, siz); /* XXX */
|
bcopy(sumbuf, sum, siz); /* XXX */
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -549,6 +549,8 @@ hmac-sha2-384 384 ah: 96bit ICV (no document)
|
|||||||
384 ah-old: 128bit ICV (no document)
|
384 ah-old: 128bit ICV (no document)
|
||||||
hmac-sha2-512 512 ah: 96bit ICV (no document)
|
hmac-sha2-512 512 ah: 96bit ICV (no document)
|
||||||
512 ah-old: 128bit ICV (no document)
|
512 ah-old: 128bit ICV (no document)
|
||||||
|
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
|
||||||
|
ah-old: 128bit ICV (no document)
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
Followings are the list of encryption algorithms that can be used as
|
Followings are the list of encryption algorithms that can be used as
|
||||||
|
@ -170,6 +170,7 @@ keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); }
|
|||||||
hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
|
hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); }
|
||||||
hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
|
hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); }
|
||||||
hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
|
hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); }
|
||||||
|
hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); }
|
||||||
null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
|
null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); }
|
||||||
|
|
||||||
/* encryption alogorithm */
|
/* encryption alogorithm */
|
||||||
|
Loading…
Reference in New Issue
Block a user