Remove support for keyed MD5 and SHA1 authentication hashes.
They no longer have any in-tree consumers. Note that these are a different from MD5-HMAC and SHA1-HMAC and were only used with IPsec. Reviewed by: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24770
This commit is contained in:
parent
f54ab96def
commit
3a0b6a93a7
@ -107,14 +107,12 @@ The following authentication algorithms are supported:
|
||||
.It Dv CRYPTO_BLAKE2B
|
||||
.It Dv CRYPTO_BLAKE2S
|
||||
.It Dv CRYPTO_MD5_HMAC
|
||||
.It Dv CRYPTO_MD5_KPDK
|
||||
.It Dv CRYPTO_NULL_HMAC
|
||||
.It Dv CRYPTO_POLY1305
|
||||
.It Dv CRYPTO_RIPEMD160
|
||||
.It Dv CRYPTO_RIPEMD160_HMAC
|
||||
.It Dv CRYPTO_SHA1
|
||||
.It Dv CRYPTO_SHA1_HMAC
|
||||
.It Dv CRYPTO_SHA1_KPDK
|
||||
.It Dv CRYPTO_SHA2_224
|
||||
.It Dv CRYPTO_SHA2_224_HMAC
|
||||
.It Dv CRYPTO_SHA2_256
|
||||
|
@ -546,10 +546,6 @@ crypto_auth_hash(const struct crypto_session_params *csp)
|
||||
return (&auth_hash_null);
|
||||
case CRYPTO_RIPEMD160_HMAC:
|
||||
return (&auth_hash_hmac_ripemd_160);
|
||||
case CRYPTO_MD5_KPDK:
|
||||
return (&auth_hash_key_md5);
|
||||
case CRYPTO_SHA1_KPDK:
|
||||
return (&auth_hash_key_sha1);
|
||||
case CRYPTO_SHA1:
|
||||
return (&auth_hash_sha1);
|
||||
case CRYPTO_SHA2_224:
|
||||
@ -690,8 +686,6 @@ static enum alg_type {
|
||||
[CRYPTO_MD5_HMAC] = ALG_KEYED_DIGEST,
|
||||
[CRYPTO_SHA1_HMAC] = ALG_KEYED_DIGEST,
|
||||
[CRYPTO_RIPEMD160_HMAC] = ALG_KEYED_DIGEST,
|
||||
[CRYPTO_MD5_KPDK] = ALG_KEYED_DIGEST,
|
||||
[CRYPTO_SHA1_KPDK] = ALG_KEYED_DIGEST,
|
||||
[CRYPTO_AES_CBC] = ALG_CIPHER,
|
||||
[CRYPTO_ARC4] = ALG_CIPHER,
|
||||
[CRYPTO_SHA1] = ALG_DIGEST,
|
||||
|
@ -81,8 +81,6 @@
|
||||
#define SHA2_256_HASH_LEN 32
|
||||
#define SHA2_384_HASH_LEN 48
|
||||
#define SHA2_512_HASH_LEN 64
|
||||
#define MD5_KPDK_HASH_LEN 16
|
||||
#define SHA1_KPDK_HASH_LEN 20
|
||||
#define AES_GMAC_HASH_LEN 16
|
||||
#define POLY1305_HASH_LEN 16
|
||||
#define AES_CBC_MAC_HASH_LEN 16
|
||||
|
@ -64,7 +64,6 @@ struct swcr_auth {
|
||||
void *sw_octx;
|
||||
struct auth_hash *sw_axf;
|
||||
uint16_t sw_mlen;
|
||||
uint16_t sw_octx_len;
|
||||
};
|
||||
|
||||
struct swcr_encdec {
|
||||
@ -349,27 +348,6 @@ swcr_authprepare(struct auth_hash *axf, struct swcr_auth *sw,
|
||||
hmac_init_ipad(axf, key, klen, sw->sw_ictx);
|
||||
hmac_init_opad(axf, key, klen, sw->sw_octx);
|
||||
break;
|
||||
case CRYPTO_MD5_KPDK:
|
||||
case CRYPTO_SHA1_KPDK:
|
||||
{
|
||||
/*
|
||||
* We need a buffer that can hold an md5 and a sha1 result
|
||||
* just to throw it away.
|
||||
* What we do here is the initial part of:
|
||||
* ALGO( key, keyfill, .. )
|
||||
* adding the key to sw_ictx and abusing Final() to get the
|
||||
* "keyfill" padding.
|
||||
* In addition we abuse the sw_octx to save the key to have
|
||||
* it to be able to append it at the end in swcr_authcompute().
|
||||
*/
|
||||
u_char buf[SHA1_RESULTLEN];
|
||||
|
||||
bcopy(key, sw->sw_octx, klen);
|
||||
axf->Init(sw->sw_ictx);
|
||||
axf->Update(sw->sw_ictx, key, klen);
|
||||
axf->Final(buf, sw->sw_ictx);
|
||||
break;
|
||||
}
|
||||
case CRYPTO_POLY1305:
|
||||
case CRYPTO_BLAKE2B:
|
||||
case CRYPTO_BLAKE2S:
|
||||
@ -442,23 +420,6 @@ swcr_authcompute(struct swcr_session *ses, struct cryptop *crp)
|
||||
axf->Final(aalg, &ctx);
|
||||
break;
|
||||
|
||||
case CRYPTO_MD5_KPDK:
|
||||
case CRYPTO_SHA1_KPDK:
|
||||
/* If we have no key saved, return error. */
|
||||
if (sw->sw_octx == NULL)
|
||||
return EINVAL;
|
||||
|
||||
/*
|
||||
* Add the trailing copy of the key (see comment in
|
||||
* swcr_authprepare()) after the data:
|
||||
* ALGO( .., key, algofill )
|
||||
* and let Final() do the proper, natural "algofill"
|
||||
* padding.
|
||||
*/
|
||||
axf->Update(&ctx, sw->sw_octx, sw->sw_octx_len);
|
||||
axf->Final(aalg, &ctx);
|
||||
break;
|
||||
|
||||
case CRYPTO_BLAKE2B:
|
||||
case CRYPTO_BLAKE2S:
|
||||
case CRYPTO_NULL_HMAC:
|
||||
@ -947,8 +908,7 @@ swcr_setup_auth(struct swcr_session *ses,
|
||||
case CRYPTO_SHA2_512_HMAC:
|
||||
case CRYPTO_NULL_HMAC:
|
||||
case CRYPTO_RIPEMD160_HMAC:
|
||||
swa->sw_octx_len = axf->ctxsize;
|
||||
swa->sw_octx = malloc(swa->sw_octx_len, M_CRYPTO_DATA,
|
||||
swa->sw_octx = malloc(axf->ctxsize, M_CRYPTO_DATA,
|
||||
M_NOWAIT);
|
||||
if (swa->sw_octx == NULL)
|
||||
return (ENOBUFS);
|
||||
@ -958,23 +918,6 @@ swcr_setup_auth(struct swcr_session *ses,
|
||||
csp->csp_auth_klen);
|
||||
}
|
||||
|
||||
if (csp->csp_mode == CSP_MODE_DIGEST)
|
||||
ses->swcr_process = swcr_authcompute;
|
||||
break;
|
||||
case CRYPTO_MD5_KPDK:
|
||||
case CRYPTO_SHA1_KPDK:
|
||||
swa->sw_octx_len = csp->csp_auth_klen;
|
||||
swa->sw_octx = malloc(swa->sw_octx_len, M_CRYPTO_DATA,
|
||||
M_NOWAIT);
|
||||
if (swa->sw_octx == NULL)
|
||||
return (ENOBUFS);
|
||||
|
||||
/* Store the key so we can "append" it to the payload */
|
||||
if (csp->csp_auth_key != NULL) {
|
||||
swcr_authprepare(axf, swa, csp->csp_auth_key,
|
||||
csp->csp_auth_klen);
|
||||
}
|
||||
|
||||
if (csp->csp_mode == CSP_MODE_DIGEST)
|
||||
ses->swcr_process = swcr_authcompute;
|
||||
break;
|
||||
@ -1151,8 +1094,6 @@ swcr_auth_supported(const struct crypto_session_params *csp)
|
||||
case CRYPTO_SHA2_512_HMAC:
|
||||
case CRYPTO_NULL_HMAC:
|
||||
case CRYPTO_RIPEMD160_HMAC:
|
||||
case CRYPTO_MD5_KPDK:
|
||||
case CRYPTO_SHA1_KPDK:
|
||||
break;
|
||||
case CRYPTO_AES_NIST_GMAC:
|
||||
switch (csp->csp_auth_klen * 8) {
|
||||
@ -1399,7 +1340,7 @@ swcr_freesession(device_t dev, crypto_session_t cses)
|
||||
free(swa->sw_ictx, M_CRYPTO_DATA);
|
||||
}
|
||||
if (swa->sw_octx != NULL) {
|
||||
explicit_bzero(swa->sw_octx, swa->sw_octx_len);
|
||||
explicit_bzero(swa->sw_octx, axf->ctxsize);
|
||||
free(swa->sw_octx, M_CRYPTO_DATA);
|
||||
}
|
||||
}
|
||||
|
@ -66,8 +66,6 @@ struct auth_hash {
|
||||
};
|
||||
|
||||
extern struct auth_hash auth_hash_null;
|
||||
extern struct auth_hash auth_hash_key_md5;
|
||||
extern struct auth_hash auth_hash_key_sha1;
|
||||
extern struct auth_hash auth_hash_hmac_md5;
|
||||
extern struct auth_hash auth_hash_hmac_sha1;
|
||||
extern struct auth_hash auth_hash_hmac_ripemd_160;
|
||||
|
@ -68,18 +68,6 @@ struct auth_hash auth_hash_hmac_md5 = {
|
||||
.Final = (void (*) (u_int8_t *, void *)) MD5Final,
|
||||
};
|
||||
|
||||
struct auth_hash auth_hash_key_md5 = {
|
||||
.type = CRYPTO_MD5_KPDK,
|
||||
.name = "Keyed MD5",
|
||||
.keysize = 0,
|
||||
.hashsize = MD5_KPDK_HASH_LEN,
|
||||
.ctxsize = sizeof(MD5_CTX),
|
||||
.blocksize = 0,
|
||||
.Init = (void (*)(void *)) MD5Init,
|
||||
.Update = MD5Update_int,
|
||||
.Final = (void (*)(u_int8_t *, void *)) MD5Final,
|
||||
};
|
||||
|
||||
/*
|
||||
* And now for auth.
|
||||
*/
|
||||
|
@ -82,18 +82,6 @@ struct auth_hash auth_hash_hmac_sha1 = {
|
||||
.Final = SHA1Final_int,
|
||||
};
|
||||
|
||||
struct auth_hash auth_hash_key_sha1 = {
|
||||
.type = CRYPTO_SHA1_KPDK,
|
||||
.name = "Keyed SHA1",
|
||||
.keysize = 0,
|
||||
.hashsize = SHA1_KPDK_HASH_LEN,
|
||||
.ctxsize = sizeof(SHA1_CTX),
|
||||
.blocksize = 0,
|
||||
.Init = SHA1Init_int,
|
||||
.Update = SHA1Update_int,
|
||||
.Final = SHA1Final_int,
|
||||
};
|
||||
|
||||
/*
|
||||
* And now for auth.
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user