freebsd-skq/sys/netipsec
cem 0c65f5254f opencrypto: Loosen restriction on HMAC key sizes
Theoretically, HMACs do not actually have any limit on key sizes.
Transforms should compact input keys larger than the HMAC block size by
using the transform (hash) on the input key.

(Short input keys are padded out with zeros to the HMAC block size.)

Still, not all FreeBSD crypto drivers that provide HMAC functionality
handle longer-than-blocksize keys appropriately, so enforce a "maximum" key
length in the crypto API for auth_hashes that previously expressed a
requirement.  (The "maximum" is the size of a single HMAC block for the
given transform.)  Unconstrained auth_hashes are left as-is.

I believe the previous hardcoded sizes were committed in the original
import of opencrypto from OpenBSD and are due to specific protocol
details of IPSec.  Note that none of the previous sizes actually matched
the appropriate HMAC block size.

The previous hardcoded sizes made the SHA tests in cryptotest.py
useless for testing FreeBSD crypto drivers; none of the NIST-KAT example
inputs had keys sized to the previous expectations.

The following drivers were audited to check that they handled keys up to
the block size of the HMAC safely:

  Software HMAC:
    * padlock(4)
    * cesa
    * glxsb
    * safe(4)
    * ubsec(4)

  Hardware accelerated HMAC:
    * ccr(4)
    * hifn(4)
    * sec(4) (Only supports up to 64 byte keys despite claiming to
      support SHA2 HMACs, but validates input key sizes)
    * cryptocteon (MIPS)
    * nlmsec (MIPS)
    * rmisec (MIPS) (Amusingly, does not appear to use key material at
      all -- presumed broken)

Reviewed by:	jhb (previous version), rlibby (previous version)
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D12437
2017-09-26 16:18:10 +00:00
..
ah_var.h
ah.h
esp_var.h
esp.h
ipcomp_var.h
ipcomp.h
ipsec6.h Fix the regression introduced in r275710. 2017-08-21 13:52:21 +00:00
ipsec_input.c Add inpcb pointer to struct ipsec_ctx_data and pass it to the pfil hook 2017-07-31 11:04:35 +00:00
ipsec_mbuf.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00
ipsec_mod.c
ipsec_output.c Fix the regression introduced in r275710. 2017-08-21 13:52:21 +00:00
ipsec_pcb.c Fix SP refcount leak. 2017-04-26 00:34:05 +00:00
ipsec_support.h
ipsec.c Remove stale comments. 2017-08-21 13:54:29 +00:00
ipsec.h Fix the regression introduced in r275710. 2017-08-21 13:52:21 +00:00
key_debug.c Build kdebug_secreplay() function only when IPSEC_DEBUG is defined. 2017-06-01 10:04:12 +00:00
key_debug.h Disable IPsec debugging code by default when IPSEC_DEBUG kernel option 2017-05-29 09:30:38 +00:00
key_var.h
key.c Make user supplied data checks a bit stricter. 2017-08-09 19:58:38 +00:00
key.h
keydb.h
keysock.c
keysock.h
subr_ipsec.c
udpencap.c Fix possible double releasing for SA reference. 2017-09-01 11:51:07 +00:00
xform_ah.c opencrypto: Loosen restriction on HMAC key sizes 2017-09-26 16:18:10 +00:00
xform_esp.c Disable IPsec debugging code by default when IPSEC_DEBUG kernel option 2017-05-29 09:30:38 +00:00
xform_ipcomp.c Disable IPsec debugging code by default when IPSEC_DEBUG kernel option 2017-05-29 09:30:38 +00:00
xform_tcp.c
xform.h