- The authsize field from auth_hash structure was removed.

- Define that we want to receive only 96 bits of HMAC. - Names of the structues have no longer _96 suffix. Reviewed by: sam
2006-05-17 18:30:28 +00:00 · 2006-05-17 18:30:28 +00:00 · 80e35494cc
commit 80e35494cc
parent f6c4bc3b91
2 changed files with 11 additions and 10 deletions
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@ -81,11 +81,11 @@
 		sizeof (struct ah) : sizeof (struct ah) + sizeof (u_int32_t))
 /* 
 * Return authenticator size in bytes.  The old protocol is known
- * to use a fixed 16-byte authenticator.  The new algorithm gets
- * this size from the xform but is (currently) always 12.
+ * to use a fixed 16-byte authenticator.  The new algorithm use 12-byte
+ * authenticator.
 */
 #define	AUTHSIZE(sav) \
-	((sav->flags & SADB_X_EXT_OLD) ? 16 : (sav)->tdb_authalgxform->authsize)
+	((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)

 int	ah_enable = 1;			/* control flow of packets with AH */
 int	ah_cleartos = 1;		/* clear ip_tos when doing AH calc */
@ -116,11 +116,11 @@ ah_algorithm_lookup(int alg)
 	case SADB_X_AALG_NULL:
 		return &auth_hash_null;
 	case SADB_AALG_MD5HMAC:
-		return &auth_hash_hmac_md5_96;
+		return &auth_hash_hmac_md5;
 	case SADB_AALG_SHA1HMAC:
-		return &auth_hash_hmac_sha1_96;
+		return &auth_hash_hmac_sha1;
 	case SADB_X_AALG_RIPEMD160HMAC:
-		return &auth_hash_hmac_ripemd_160_96;
+		return &auth_hash_hmac_ripemd_160;
 	case SADB_X_AALG_MD5:
 		return &auth_hash_key_md5;
 	case SADB_X_AALG_SHA:
@ -202,6 +202,7 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
 	cria->cri_alg = sav->tdb_authalgxform->type;
 	cria->cri_klen = _KEYBITS(sav->key_auth);
 	cria->cri_key = sav->key_auth->key_data;
+	cria->cri_mlen = AUTHSIZE(sav);

 	return 0;
 }
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@ -528,13 +528,13 @@ esp_input_cb(struct cryptop *crp)
 		ahstat.ahs_hist[sav->alg_auth]++;
 		if (mtag == NULL) {
 			/* Copy the authenticator from the packet */
-			m_copydata(m, m->m_pkthdr.len - esph->authsize,
-				esph->authsize, aalg);
+			m_copydata(m, m->m_pkthdr.len - AH_HMAC_HASHLEN,
+				AH_HMAC_HASHLEN, aalg);

 			ptr = (caddr_t) (tc + 1);

 			/* Verify authenticator */
-			if (bcmp(ptr, aalg, esph->authsize) != 0) {
+			if (bcmp(ptr, aalg, AH_HMAC_HASHLEN) != 0) {
 				DPRINTF(("%s: "
 		    "authentication hash mismatch for packet in SA %s/%08lx\n",
 				    __func__,
@ -547,7 +547,7 @@ esp_input_cb(struct cryptop *crp)
 		}

 		/* Remove trailing authenticator */
-		m_adj(m, -(esph->authsize));
+		m_adj(m, -AH_HMAC_HASHLEN);
 	}

 	/* Release the crypto descriptors */