freebsd-nq/sys/netipsec
John-Mark Gurney a2bc81bf7c Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsec
defines the keys differently than NIST does, so we have to muck with
key lengths and nonce/IVs to be standard compliant...

Remove the iv from secasvar as it was unused...

Add a counter protected by a mutex to ensure that the counter for GCM
and ICM will never be repeated..  This is a requirement for security..
I would use atomics, but we don't have a 64bit one on all platforms..

Fix a bug where IPsec was depending upon the OCF to ensure that the
blocksize was always at least 4 bytes to maintain alignment... Move
this logic into IPsec so changes to OCF won't break IPsec...

In one place, espx was always non-NULL, so don't test that it's
non-NULL before doing work..

minor style cleanups...

drop setting key and klen as they were not used...

Enforce that OCF won't pass invalid key lengths to AES that would
panic the machine...

This was has been tested by others too...  I tested this against
NetBSD 6.1.5 using mini-test suite in
https://github.com/jmgurney/ipseccfgs and the only things that don't
pass are keyed md5 and sha1, and 3des-deriv (setkey syntax error),
all other modes listed in setkey's man page...  The nice thing is
that NetBSD uses setkey, so same config files were used on both...

Reviewed by:	gnn
2015-08-04 17:47:11 +00:00
..
ah_var.h
ah.h
esp_var.h
esp.h Summary: Remove spurious, extra, next header comments. 2015-05-15 18:04:49 +00:00
ipcomp_var.h
ipcomp.h
ipsec6.h
ipsec_input.c IPSEC, remove variable argument function its already due. 2015-07-21 21:46:24 +00:00
ipsec_mbuf.c
ipsec_output.c Correct IPSec SA statistic keeping 2015-07-30 20:56:27 +00:00
ipsec.c Reduce overhead of IPSEC for traffic generated from host 2015-07-03 15:31:56 +00:00
ipsec.h IPSEC, remove variable argument function its already due. 2015-07-21 21:46:24 +00:00
key_debug.c Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsec 2015-08-04 17:47:11 +00:00
key_debug.h
key_var.h
key.c Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsec 2015-08-04 17:47:11 +00:00
key.h drop key_sa_stir_iv as it isn't used... 2015-06-11 13:05:37 +00:00
keydb.h Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsec 2015-08-04 17:47:11 +00:00
keysock.c Remove unneded mbuf length adjustment, M_PREPEND() already did that. 2015-05-19 17:14:27 +00:00
keysock.h
xform_ah.c these are comparing authenticators and need to be constant time... 2015-07-31 00:31:52 +00:00
xform_esp.c Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsec 2015-08-04 17:47:11 +00:00
xform_ipcomp.c Fix possible use after free due to security policy deletion. 2015-04-27 00:55:56 +00:00
xform_tcp.c
xform.h RFC4868 section 2.3 requires that the output be half... This fixes 2015-07-29 07:15:16 +00:00