d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

First steps towards IPSec cleanup.

Browse Source 
Make the kernel side of FAST_IPSEC not depend on the shared
structures defined in /usr/include/net/pfkeyv2.h  The kernel now
defines all the necessary in kernel structures in sys/netipsec/keydb.h
and does the proper massaging when moving messages around.

Sponsored By: Secure Computing
This commit is contained in:
George V. Neville-Neil 2006-03-25 13:38:52 +00:00
parent 90d1d883e9
commit a0196c3c89
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=157123
7 changed files with 257 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sys/netipsec/ipsec.c
View File

@ -92,6 +92,7 @@
#include <machine/in_cksum.h>
#define IPSEC_DEBUG
#ifdef IPSEC_DEBUG
int ipsec_debug = 1;
#else

296
sys/netipsec/key.c
View File

@ -420,7 +420,10 @@ static struct mbuf *key_setsadbaddr __P((u_int16_t,
static struct mbuf *key_setsadbxsa2 __P((u_int8_t, u_int32_t, u_int32_t));
static struct mbuf *key_setsadbxpolicy __P((u_int16_t, u_int8_t,
u_int32_t));
static void *key_dup(const void *, u_int, struct malloc_type *);
static struct seckey *key_dup_keymsg(const struct sadb_key *, u_int,
struct malloc_type *);
static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src,
struct malloc_type *type);
#ifdef INET6
static int key_ismyaddr6 __P((struct sockaddr_in6 *));
#endif
@ -488,6 +491,10 @@ static int key_promisc __P((struct socket *, struct mbuf *,
static int key_senderror __P((struct socket *, struct mbuf *, int));
static int key_validate_ext __P((const struct sadb_ext *, int));
static int key_align __P((struct mbuf *, struct sadb_msghdr *));
static struct mbuf *key_setlifetime(struct seclifetime *src,
u_int16_t exttype);
static struct mbuf *key_setkey(struct seckey *src, u_int16_t exttype);
#if 0
static const char *key_getfqdn __P((void));
static const char *key_getuserfqdn __P((void));
@ -909,8 +916,8 @@ key_do_allocsa_policy(struct secashead *sah, u_int state)
/* What the best method is to compare ? */
if (key_preferred_oldsa) {
if (candidate->lft_c->sadb_lifetime_addtime >
sav->lft_c->sadb_lifetime_addtime) {
if (candidate->lft_c->addtime >
sav->lft_c->addtime) {
candidate = sav;
}
continue;
@ -918,8 +925,8 @@ key_do_allocsa_policy(struct secashead *sah, u_int state)
}
/* preferred new sa rather than old sa */
if (candidate->lft_c->sadb_lifetime_addtime <
sav->lft_c->sadb_lifetime_addtime) {
if (candidate->lft_c->addtime <
sav->lft_c->addtime) {
d = candidate;
candidate = sav;
} else
@ -930,7 +937,7 @@ key_do_allocsa_policy(struct secashead *sah, u_int state)
* suitable candidate and the lifetime of the SA is not
* permanent.
*/
if (d->lft_c->sadb_lifetime_addtime != 0) {
if (d->lft_c->addtime != 0) {
struct mbuf *m, *result;
u_int8_t satype;
@ -2787,15 +2794,19 @@ key_cleansav(struct secasvar *sav)
} else {
KASSERT(sav->iv == NULL, ("iv but no xform"));
if (sav->key_auth != NULL)
bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
if (sav->key_enc != NULL)
bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
}
if (sav->key_auth != NULL) {
if (sav->key_auth->key_data != NULL)
free(sav->key_auth->key_data, M_IPSEC_MISC);
free(sav->key_auth, M_IPSEC_MISC);
sav->key_auth = NULL;
}
if (sav->key_enc != NULL) {
if (sav->key_enc->key_data != NULL)
free(sav->key_enc->key_data, M_IPSEC_MISC);
free(sav->key_enc, M_IPSEC_MISC);
sav->key_enc = NULL;
}
@ -3038,9 +3049,11 @@ key_setsaval(sav, m, mhp)
goto fail;
}
sav->key_auth = key_dup(key0, len, M_IPSEC_MISC);
if (sav->key_auth == NULL) {
ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
sav->key_auth = (struct seckey *)key_dup_keymsg(key0, len,
M_IPSEC_MISC);
if (sav->key_auth == NULL ) {
ipseclog((LOG_DEBUG, "%s: No more memory.\n",
__func__));
error = ENOBUFS;
goto fail;
}
@ -3066,7 +3079,9 @@ key_setsaval(sav, m, mhp)
error = EINVAL;
break;
}
sav->key_enc = key_dup(key0, len, M_IPSEC_MISC);
sav->key_enc = (struct seckey *)key_dup_keymsg(key0,
len,
M_IPSEC_MISC);
if (sav->key_enc == NULL) {
ipseclog((LOG_DEBUG, "%s: No more memory.\n",
__func__));
@ -3126,13 +3141,10 @@ key_setsaval(sav, m, mhp)
goto fail;
}
sav->lft_c->sadb_lifetime_len =
PFKEY_UNIT64(sizeof(struct sadb_lifetime));
sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
sav->lft_c->sadb_lifetime_allocations = 0;
sav->lft_c->sadb_lifetime_bytes = 0;
sav->lft_c->sadb_lifetime_addtime = time_second;
sav->lft_c->sadb_lifetime_usetime = 0;
sav->lft_c->allocations = 0;
sav->lft_c->bytes = 0;
sav->lft_c->addtime = time_second;
sav->lft_c->usetime = 0;
/* lifetimes for HARD and SOFT */
{
@ -3144,7 +3156,7 @@ key_setsaval(sav, m, mhp)
error = EINVAL;
goto fail;
}
sav->lft_h = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC);
sav->lft_h = key_dup_lifemsg(lft0, M_IPSEC_MISC);
if (sav->lft_h == NULL) {
ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
error = ENOBUFS;
@ -3159,7 +3171,7 @@ key_setsaval(sav, m, mhp)
error = EINVAL;
goto fail;
}
sav->lft_s = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC);
sav->lft_s = key_dup_lifemsg(lft0, M_IPSEC_MISC);
if (sav->lft_s == NULL) {
ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__));
error = ENOBUFS;
@ -3271,9 +3283,7 @@ key_setdumpsa(sav, type, satype, seq, pid)
u_int32_t seq, pid;
{
struct mbuf *result = NULL, *tres = NULL, *m;
int l = 0;
int i;
void *p;
int dumporder[] = {
SADB_EXT_SA, SADB_X_EXT_SA2,
SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
@ -3290,7 +3300,6 @@ key_setdumpsa(sav, type, satype, seq, pid)
for (i = sizeof(dumporder)/sizeof(dumporder[0]) - 1; i >= 0; i--) {
m = NULL;
p = NULL;
switch (dumporder[i]) {
case SADB_EXT_SA:
m = key_setsadbsa(sav);
@ -3325,36 +3334,45 @@ key_setdumpsa(sav, type, satype, seq, pid)
case SADB_EXT_KEY_AUTH:
if (!sav->key_auth)
continue;
l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len);
p = sav->key_auth;
m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH);
if (!m)
goto fail;
break;
case SADB_EXT_KEY_ENCRYPT:
if (!sav->key_enc)
continue;
l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len);
p = sav->key_enc;
m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT);
if (!m)
goto fail;
break;
case SADB_EXT_LIFETIME_CURRENT:
if (!sav->lft_c)
continue;
l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len);
p = sav->lft_c;
m = key_setlifetime(sav->lft_c,
SADB_EXT_LIFETIME_CURRENT);
if (!m)
goto fail;
break;
case SADB_EXT_LIFETIME_HARD:
if (!sav->lft_h)
continue;
l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len);
p = sav->lft_h;
m = key_setlifetime(sav->lft_h,
SADB_EXT_LIFETIME_HARD);
if (!m)
goto fail;
break;
case SADB_EXT_LIFETIME_SOFT:
if (!sav->lft_s)
continue;
l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len);
p = sav->lft_s;
m = key_setlifetime(sav->lft_h,
SADB_EXT_LIFETIME_SOFT);
if (!m)
goto fail;
break;
case SADB_EXT_ADDRESS_PROXY:
@ -3366,29 +3384,15 @@ key_setdumpsa(sav, type, satype, seq, pid)
continue;
}
if ((!m && !p) || (m && p))
if (!m)
goto fail;
if (p && tres) {
M_PREPEND(tres, l, M_DONTWAIT);
if (!tres)
goto fail;
bcopy(p, mtod(tres, caddr_t), l);
continue;
}
if (p) {
m = key_alloc_mbuf(l);
if (!m)
goto fail;
m_copyback(m, 0, l, p);
}
if (tres)
m_cat(m, tres);
tres = m;
}
m_cat(result, tres);
if (result->m_len < sizeof(struct sadb_msg)) {
result = m_pullup(result, sizeof(struct sadb_msg));
if (result == NULL)
@ -3609,21 +3613,63 @@ key_setsadbxpolicy(type, dir, id)
}
/* %%% utilities */
/*
* copy a buffer into the new buffer allocated.
/* Take a key message (sadb_key) from the socket and turn it into one
* of the kernel's key structures (seckey).
*
* IN: pointer to the src
* OUT: NULL no more memory
*/
static void *
key_dup(const void *src, u_int len, struct malloc_type *type)
struct seckey *
key_dup_keymsg(const struct sadb_key *src, u_int len,
struct malloc_type *type)
{
void *copy;
struct seckey *dst;
dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
if (dst != NULL) {
dst->bits = src->sadb_key_bits;
dst->key_data = (char *)malloc(len, type, M_NOWAIT);
if (dst->key_data != NULL) {
bcopy((const char *)src + sizeof(struct sadb_key),
dst->key_data, len);
} else {
ipseclog((LOG_DEBUG, "%s: No more memory.\n",
__func__));
free(dst, type);
dst = NULL;
}
} else {
ipseclog((LOG_DEBUG, "%s: No more memory.\n",
__func__));
copy = malloc(len, type, M_NOWAIT);
if (copy == NULL) {
}
return dst;
}
/* Take a lifetime message (sadb_lifetime) passed in on a socket and
* turn it into one of the kernel's lifetime structures (seclifetime).
*
* IN: pointer to the destination, source and malloc type
* OUT: NULL, no more memory
*/
static struct seclifetime *
key_dup_lifemsg(const struct sadb_lifetime *src,
struct malloc_type *type)
{
struct seclifetime *dst = NULL;
dst = (struct seclifetime *)malloc(sizeof(struct seclifetime),
type, M_NOWAIT);
if (dst == NULL) {
/* XXX counter */
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
} else
bcopy(src, copy, len);
return copy;
} else {
dst->allocations = src->sadb_lifetime_allocations;
dst->bytes = src->sadb_lifetime_bytes;
dst->addtime = src->sadb_lifetime_addtime;
dst->usetime = src->sadb_lifetime_usetime;
}
return dst;
}
/* compare my own address
@ -4071,13 +4117,13 @@ key_flush_sad(time_t now)
}
/* check SOFT lifetime */
if (sav->lft_s->sadb_lifetime_addtime != 0 &&
now - sav->created > sav->lft_s->sadb_lifetime_addtime) {
if (sav->lft_s->addtime != 0 &&
now - sav->created > sav->lft_s->addtime) {
/*
* check SA to be used whether or not.
* when SA hasn't been used, delete it.
*/
if (sav->lft_c->sadb_lifetime_usetime == 0) {
if (sav->lft_c->usetime == 0) {
key_sa_chgstate(sav, SADB_SASTATE_DEAD);
KEY_FREESAV(&sav);
} else {
@ -4096,8 +4142,8 @@ key_flush_sad(time_t now)
* when new SA is installed. Caution when it's
* installed too big lifetime by time.
*/
else if (sav->lft_s->sadb_lifetime_bytes != 0 &&
sav->lft_s->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {
else if (sav->lft_s->bytes != 0 &&
sav->lft_s->bytes < sav->lft_c->bytes) {
key_sa_chgstate(sav, SADB_SASTATE_DYING);
/*
@ -4122,15 +4168,15 @@ key_flush_sad(time_t now)
continue;
}
if (sav->lft_h->sadb_lifetime_addtime != 0 &&
now - sav->created > sav->lft_h->sadb_lifetime_addtime) {
if (sav->lft_h->addtime != 0 &&
now - sav->created > sav->lft_h->addtime) {
key_sa_chgstate(sav, SADB_SASTATE_DEAD);
KEY_FREESAV(&sav);
}
#if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */
else if (sav->lft_s != NULL
&& sav->lft_s->sadb_lifetime_addtime != 0
&& now - sav->created > sav->lft_s->sadb_lifetime_addtime) {
&& sav->lft_s->addtime != 0
&& now - sav->created > sav->lft_s->addtime) {
/*
* XXX: should be checked to be
* installed the valid SA.
@ -4144,8 +4190,8 @@ key_flush_sad(time_t now)
}
#endif
/* check HARD lifetime by bytes */
else if (sav->lft_h->sadb_lifetime_bytes != 0 &&
sav->lft_h->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) {
else if (sav->lft_h->bytes != 0 &&
sav->lft_h->bytes < sav->lft_c->bytes) {
key_sa_chgstate(sav, SADB_SASTATE_DEAD);
KEY_FREESAV(&sav);
}
@ -4977,20 +5023,23 @@ key_setident(sah, m, mhp)
}
/* make structure */
sah->idents = malloc(idsrclen, M_IPSEC_MISC, M_NOWAIT);
sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
if (sah->idents == NULL) {
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
return ENOBUFS;
}
sah->identd = malloc(iddstlen, M_IPSEC_MISC, M_NOWAIT);
sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT);
if (sah->identd == NULL) {
free(sah->idents, M_IPSEC_MISC);
sah->idents = NULL;
ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
return ENOBUFS;
}
bcopy(idsrc, sah->idents, idsrclen);
bcopy(iddst, sah->identd, iddstlen);
sah->idents->type = idsrc->sadb_ident_type;
sah->idents->id = idsrc->sadb_ident_id;
sah->identd->type = iddst->sadb_ident_type;
sah->identd->id = iddst->sadb_ident_id;
return 0;
}
@ -6262,10 +6311,10 @@ key_expire(struct secasvar *sav)
lt = mtod(m, struct sadb_lifetime *);
lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
lt->sadb_lifetime_allocations = sav->lft_c->sadb_lifetime_allocations;
lt->sadb_lifetime_bytes = sav->lft_c->sadb_lifetime_bytes;
lt->sadb_lifetime_addtime = sav->lft_c->sadb_lifetime_addtime;
lt->sadb_lifetime_usetime = sav->lft_c->sadb_lifetime_usetime;
lt->sadb_lifetime_allocations = sav->lft_c->allocations;
lt->sadb_lifetime_bytes = sav->lft_c->bytes;
lt->sadb_lifetime_addtime = sav->lft_c->addtime;
lt->sadb_lifetime_usetime = sav->lft_c->usetime;
lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
bcopy(sav->lft_s, lt, sizeof(*lt));
m_cat(result, m);
@ -7103,21 +7152,21 @@ key_sa_recordxfer(sav, m)
* XXX Currently, there is a difference of bytes size
* between inbound and outbound processing.
*/
sav->lft_c->sadb_lifetime_bytes += m->m_pkthdr.len;
sav->lft_c->bytes += m->m_pkthdr.len;
/* to check bytes lifetime is done in key_timehandler(). */
/*
* We use the number of packets as the unit of
* sadb_lifetime_allocations. We increment the variable
* allocations. We increment the variable
* whenever {esp,ah}_{in,out}put is called.
*/
sav->lft_c->sadb_lifetime_allocations++;
sav->lft_c->allocations++;
/* XXX check for expires? */
/*
* NOTE: We record CURRENT sadb_lifetime_usetime by using wall clock,
* NOTE: We record CURRENT usetime by using wall clock,
* in seconds. HARD and SOFT lifetime are measured by the time
* difference (again in seconds) from sadb_lifetime_usetime.
* difference (again in seconds) from usetime.
*
* usetime
* v expire expire
@ -7125,7 +7174,7 @@ key_sa_recordxfer(sav, m)
* <--------------> HARD
* <-----> SOFT
*/
sav->lft_c->sadb_lifetime_usetime = time_second;
sav->lft_c->usetime = time_second;
/* XXX check for expires? */
return;
@ -7214,3 +7263,80 @@ key_alloc_mbuf(l)
return m;
}
/*
* Take one of the kernel's security keys and convert it into a PF_KEY
* structure within an mbuf, suitable for sending up to a waiting
* application in user land.
*
* IN:
* src: A pointer to a kernel security key.
* exttype: Which type of key this is. Refer to the PF_KEY data structures.
* OUT:
* a valid mbuf or NULL indicating an error
*
*/
static struct mbuf *
key_setkey(struct seckey *src, u_int16_t exttype)
{
struct mbuf *m;
struct sadb_key *p;
int len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src));
if (src == NULL)
return NULL;
m = key_alloc_mbuf(len);
if (m == NULL)
return NULL;
p = mtod(m, struct sadb_key *);
bzero(p, len);
p->sadb_key_len = PFKEY_UNIT64(len);
p->sadb_key_exttype = exttype;
p->sadb_key_bits = src->bits;
bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src));
return m;
}
/*
* Take one of the kernel's lifetime data structures and convert it
* into a PF_KEY structure within an mbuf, suitable for sending up to
* a waiting application in user land.
*
* IN:
* src: A pointer to a kernel lifetime structure.
* exttype: Which type of lifetime this is. Refer to the PF_KEY
* data structures for more information.
* OUT:
* a valid mbuf or NULL indicating an error
*
*/
static struct mbuf *
key_setlifetime(struct seclifetime *src, u_int16_t exttype)
{
struct mbuf *m = NULL;
struct sadb_lifetime *p;
int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime));
if (src == NULL)
return NULL;
m = key_alloc_mbuf(len);
if (m == NULL)
return m;
p = mtod(m, struct sadb_lifetime *);
bzero(p, len);
p->sadb_lifetime_len = PFKEY_UNIT64(len);
p->sadb_lifetime_exttype = exttype;
p->sadb_lifetime_allocations = src->allocations;
p->sadb_lifetime_bytes = src->bytes;
p->sadb_lifetime_addtime = src->addtime;
p->sadb_lifetime_usetime = src->usetime;
return m;
}

4
sys/netipsec/key_var.h
View File

@ -66,8 +66,8 @@
#ifdef _KERNEL
#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
#define _KEYLEN(key) ((u_int)((key)->bits >> 3))
#define _KEYBITS(key) ((u_int)((key)->bits))
#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
#endif /*_KERNEL*/

39
sys/netipsec/keydb.h
View File

@ -60,14 +60,39 @@ struct secasindex {
/* see IPSEC_MANUAL_REQID_MAX. */
};
/*
* In order to split out the keydb implementation from that of the
* PF_KEY sockets we need to define a few structures that while they
* may seem common are likely to diverge over time.
*/
/* sadb_identity */
struct secident {
u_int16_t type;
u_int64_t id;
};
/* sadb_key */
struct seckey {
u_int16_t bits;
char *key_data;
};
struct seclifetime {
u_int32_t allocations;
u_int64_t bytes;
u_int64_t addtime;
u_int64_t usetime;
};
/* Security Association Data Base */
struct secashead {
LIST_ENTRY(secashead) chain;
struct secasindex saidx;
struct sadb_ident *idents; /* source identity */
struct sadb_ident *identd; /* destination identity */
struct secident *idents; /* source identity */
struct secident *identd; /* destination identity */
/* XXX I don't know how to use them. */
u_int8_t state; /* MATURE or DEAD. */
@ -97,8 +122,8 @@ struct secasvar {
u_int32_t spi; /* SPI Value, network byte order */
u_int32_t flags; /* holder for SADB_KEY_FLAGS */
struct sadb_key *key_auth; /* Key for Authentication */
struct sadb_key *key_enc; /* Key for Encryption */
struct seckey *key_auth; /* Key for Authentication */
struct seckey *key_enc; /* Key for Encryption */
caddr_t iv; /* Initilization Vector */
u_int ivlen; /* length of IV */
void *sched; /* intermediate encryption key */
@ -107,9 +132,9 @@ struct secasvar {
struct secreplay *replay; /* replay prevention */
time_t created; /* for lifetime */
struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
struct sadb_lifetime *lft_h; /* HARD lifetime */
struct sadb_lifetime *lft_s; /* SOFT lifetime */
struct seclifetime *lft_c; /* CURRENT lifetime, it's constant. */
struct seclifetime *lft_h; /* HARD lifetime */
struct seclifetime *lft_s; /* SOFT lifetime */
u_int32_t seq; /* sequence number */
pid_t pid; /* message's pid */

8
sys/netipsec/xform_ah.c
View File

@ -201,7 +201,7 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
bzero(cria, sizeof (*cria));
cria->cri_alg = sav->tdb_authalgxform->type;
cria->cri_klen = _KEYBITS(sav->key_auth);
cria->cri_key = _KEYBUF(sav->key_auth);
cria->cri_key = sav->key_auth->key_data;
return 0;
}
@ -231,7 +231,7 @@ ah_zeroize(struct secasvar *sav)
int err;
if (sav->key_auth)
bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
err = crypto_freesession(sav->tdb_cryptoid);
sav->tdb_cryptoid = 0;
@ -622,8 +622,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
/* Authentication operation. */
crda->crd_alg = ahx->type;
crda->crd_key = _KEYBUF(sav->key_auth);
crda->crd_klen = _KEYBITS(sav->key_auth);
crda->crd_key = sav->key_auth->key_data;
/* Find out if we've already done crypto. */
for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
@ -1020,7 +1020,7 @@ ah_output(
/* Authentication operation. */
crda->crd_alg = ahx->type;
crda->crd_key = _KEYBUF(sav->key_auth);
crda->crd_key = sav->key_auth->key_data;
crda->crd_klen = _KEYBITS(sav->key_auth);
/* Allocate IPsec-specific opaque crypto info. */

12
sys/netipsec/xform_esp.c
View File

@ -215,7 +215,7 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
bzero(&crie, sizeof (crie));
crie.cri_alg = sav->tdb_encalgxform->type;
crie.cri_klen = _KEYBITS(sav->key_enc);
crie.cri_key = _KEYBUF(sav->key_enc);
crie.cri_key = sav->key_enc->key_data;
/* XXX Rounds ? */
if (sav->tdb_authalgxform && sav->tdb_encalgxform) {
@ -248,7 +248,7 @@ esp_zeroize(struct secasvar *sav)
int error = ah_zeroize(sav);
if (sav->key_enc)
bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc));
bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc));
if (sav->iv) {
free(sav->iv, M_XDATA);
sav->iv = NULL;
@ -381,7 +381,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
crda->crd_inject = m->m_pkthdr.len - alen;
crda->crd_alg = esph->type;
crda->crd_key = _KEYBUF(sav->key_auth);
crda->crd_key = sav->key_auth->key_data;
crda->crd_klen = _KEYBITS(sav->key_auth);
/* Copy the authenticator */
@ -418,7 +418,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
crde->crd_inject = skip + hlen - sav->ivlen;
crde->crd_alg = espx->type;
crde->crd_key = _KEYBUF(sav->key_enc);
crde->crd_key = sav->key_enc->key_data;
crde->crd_klen = _KEYBITS(sav->key_enc);
/* XXX Rounds ? */
}
@ -825,7 +825,7 @@ esp_output(
/* Encryption operation. */
crde->crd_alg = espx->type;
crde->crd_key = _KEYBUF(sav->key_enc);
crde->crd_key = sav->key_enc->key_data;
crde->crd_klen = _KEYBITS(sav->key_enc);
/* XXX Rounds ? */
} else
@ -864,7 +864,7 @@ esp_output(
/* Authentication operation. */
crda->crd_alg = esph->type;
crda->crd_key = _KEYBUF(sav->key_auth);
crda->crd_key = sav->key_auth->key_data;
crda->crd_klen = _KEYBITS(sav->key_auth);
}

2
sys/netipsec/xform_tcp.c
View File

@ -117,7 +117,7 @@ tcpsignature_zeroize(struct secasvar *sav)
{
if (sav->key_auth)
bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth));
sav->tdb_cryptoid = 0;
sav->tdb_authalgxform = NULL;