svn commit: r286100 - in head/sys: net netipsec
Ryan Stone
rysto32 at gmail.com
Fri Jul 31 05:03:55 UTC 2015
You can't use CTASSERT in a header. You'll get a compile error if two
different headers included in the same translation unit have a CTASSERT on
the same line number.
On Jul 30, 2015 5:23 PM, "John-Mark Gurney" <jmg at freebsd.org> wrote:
> Author: jmg
> Date: Fri Jul 31 00:23:21 2015
> New Revision: 286100
> URL: https://svnweb.freebsd.org/changeset/base/286100
>
> Log:
> Clean up this header file...
>
> use CTASSERTs now that we have them...
>
> Replace a draft w/ RFC that's over 10 years old.
>
> Note that _AALG and _EALG do not need to match what the IKE daemons
> think they should be.. This is part of the KABI... I decided to
> renumber AESCTR, but since we've never had working AESCTR mode, I'm
> not really breaking anything.. and it shortens a loop by quite
> a bit..
>
> remove SKIPJACK IPsec support... SKIPJACK never made it out of draft
> (in 1999), only has 80bit key, NIST recommended it stop being used
> after 2010, and neither setkey nor any of the IKE daemons I checked supported
> it...
>
> jmgurney/ipsecgcm: a357a33, c75808b, e008669, b27b6d6
>
> Reviewed by: gnn (earlier version)
>
> Modified:
> head/sys/net/pfkeyv2.h
> head/sys/netipsec/xform_esp.c
>
> Modified: head/sys/net/pfkeyv2.h
>
> ==============================================================================
> --- head/sys/net/pfkeyv2.h Fri Jul 31 00:21:40 2015 (r286099)
> +++ head/sys/net/pfkeyv2.h Fri Jul 31 00:23:21 2015 (r286100)
> @@ -218,7 +218,6 @@ struct sadb_x_sa2 {
> };
>
> /* XXX Policy Extension */
> -/* sizeof(struct sadb_x_policy) == 16 */
> struct sadb_x_policy {
> u_int16_t sadb_x_policy_len;
> u_int16_t sadb_x_policy_exttype;
> @@ -228,6 +227,8 @@ struct sadb_x_policy {
> u_int32_t sadb_x_policy_id;
> u_int32_t sadb_x_policy_reserved2;
> };
> +CTASSERT(sizeof(struct sadb_x_policy) == 16);
> +
> /*
> * When policy_type == IPSEC, it is followed by some of
> * the ipsec policy request.
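Review bot: `CTASSERT(sizeof(struct sadb_x_policy) == 16);` is added to pfkeyv2.h, a header that the log itself describes as the contract between the IKE daemons and the kernel, so userland translation units that include it must also see a definition of CTASSERT; if that definition only comes from a kernel header, those builds fail. A guard such as `#ifdef _KERNEL` around the assertion, or a check that pfkeyv2.h itself includes whatever provides CTASSERT, would make the header safe for both sides. The same applies to the three CTASSERTs added in the following hunk for sadb_x_nat_t_type, sadb_x_nat_t_port and sadb_x_nat_t_frag.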
> @@ -256,31 +257,31 @@ struct sadb_x_ipsecrequest {
> };
>
> /* NAT-Traversal type, see RFC 3948 (and drafts). */
> -/* sizeof(struct sadb_x_nat_t_type) == 8 */
> struct sadb_x_nat_t_type {
> u_int16_t sadb_x_nat_t_type_len;
> u_int16_t sadb_x_nat_t_type_exttype;
> u_int8_t sadb_x_nat_t_type_type;
> u_int8_t sadb_x_nat_t_type_reserved[3];
> };
> +CTASSERT(sizeof(struct sadb_x_nat_t_type) == 8);
>
> /* NAT-Traversal source or destination port. */
> -/* sizeof(struct sadb_x_nat_t_port) == 8 */
> struct sadb_x_nat_t_port {
> u_int16_t sadb_x_nat_t_port_len;
> u_int16_t sadb_x_nat_t_port_exttype;
> u_int16_t sadb_x_nat_t_port_port;
> u_int16_t sadb_x_nat_t_port_reserved;
> };
> +CTASSERT(sizeof(struct sadb_x_nat_t_port) == 8);
>
> /* ESP fragmentation size. */
> -/* sizeof(struct sadb_x_nat_t_frag) == 8 */
> struct sadb_x_nat_t_frag {
> u_int16_t sadb_x_nat_t_frag_len;
> u_int16_t sadb_x_nat_t_frag_exttype;
> u_int16_t sadb_x_nat_t_frag_fraglen;
> u_int16_t sadb_x_nat_t_frag_reserved;
> };
> +CTASSERT(sizeof(struct sadb_x_nat_t_frag) == 8);
>
>
> #define SADB_EXT_RESERVED 0
> @@ -332,46 +333,47 @@ struct sadb_x_nat_t_frag {
>
> #define SADB_SAFLAGS_PFS 1
>
> -/* RFC2367 numbers - meets RFC2407 */
> +/*
> + * Though some of these numbers (both _AALG and _EALG) appear to be
> + * IKEv2 numbers and others original IKE numbers, they have no meaning.
> + * These are constants that the various IKE daemons use to tell the kernel
> + * what cipher to use.
> + *
> + * Do not use these constants directly to decide which Transformation ID
> + * to send. You are responsible for mapping them yourself.
> + */
> #define SADB_AALG_NONE 0
> #define SADB_AALG_MD5HMAC 2
> #define SADB_AALG_SHA1HMAC 3
> #define SADB_AALG_MAX 252
> -/* private allocations - based on RFC2407/IANA assignment */
> #define SADB_X_AALG_SHA2_256 5
> #define SADB_X_AALG_SHA2_384 6
> #define SADB_X_AALG_SHA2_512 7
> #define SADB_X_AALG_RIPEMD160HMAC 8
> -#define SADB_X_AALG_AES_XCBC_MAC 9 /*
> draft-ietf-ipsec-ciph-aes-xcbc-mac-04 */
> +#define SADB_X_AALG_AES_XCBC_MAC 9 /* RFC3566 */
> #define SADB_X_AALG_AES128GMAC 11 /* RFC4543 + Errata1821 */
> #define SADB_X_AALG_AES192GMAC 12
> #define SADB_X_AALG_AES256GMAC 13
> -/* private allocations should use 249-255 (RFC2407) */
> #define SADB_X_AALG_MD5 249 /* Keyed MD5 */
> #define SADB_X_AALG_SHA 250 /* Keyed SHA */
> #define SADB_X_AALG_NULL 251 /* null authentication */
> #define SADB_X_AALG_TCP_MD5 252 /* Keyed TCP-MD5 (RFC2385) */
>
> -/* RFC2367 numbers - meets RFC2407 */
> #define SADB_EALG_NONE 0
> #define SADB_EALG_DESCBC 2
> #define SADB_EALG_3DESCBC 3
> -#define SADB_EALG_NULL 11
> -#define SADB_EALG_MAX 250
> -/* private allocations - based on RFC2407/IANA assignment */
> #define SADB_X_EALG_CAST128CBC 6
> #define SADB_X_EALG_BLOWFISHCBC 7
> +#define SADB_EALG_NULL 11
> #define SADB_X_EALG_RIJNDAELCBC 12
> #define SADB_X_EALG_AES 12
> +#define SADB_X_EALG_AESCTR 13
> #define SADB_X_EALG_AESGCM8 18 /* RFC4106 */
> #define SADB_X_EALG_AESGCM12 19
> #define SADB_X_EALG_AESGCM16 20
> -/* private allocations - based on RFC4312/IANA assignment */
> -#define SADB_X_EALG_CAMELLIACBC 22
> -#define SADB_X_EALG_AESGMAC 23 /* RFC4543 + Errata1821
> */
> -/* private allocations should use 249-255 (RFC2407) */
> -#define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for IPSEC */
> -#define SADB_X_EALG_AESCTR 250 /*249*/ /*
> draft-ietf-ipsec-ciph-aes-ctr-03 */
> +#define SADB_X_EALG_CAMELLIACBC 22
> +#define SADB_X_EALG_AESGMAC 23 /* RFC4543 + Errata1821 */
> +#define SADB_EALG_MAX 23 /* !!! keep updated !!! */
>
> /* private allocations - based on RFC2407/IANA assignment */
> #define SADB_X_CALG_NONE 0
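Review bot: `#define SADB_EALG_MAX 23 /* !!! keep updated !!! */` replaces a fixed upper bound with a hand-maintained sentinel that a later allocation above 23 would silently invalidate; since this commit introduces CTASSERTs anyway, the relation is better pinned mechanically where the constants are consumed, e.g. `CTASSERT(SADB_X_EALG_AESGMAC == SADB_EALG_MAX);` beside esp_algorithm_lookup() in xform_esp.c, which as a .c file has none of the header-scope concerns. The renumbering of SADB_X_EALG_AESCTR from 250 to 13 together with the removal of SADB_X_EALG_SKIPJACK (249) frees two values in the former private range, and a one-line comment such as `/* 249 and 250 were SKIPJACK and the old AESCTR number; do not reuse */` would stop a future allocation from being silently accepted from stale userland that still sends the old numbers. Whether anything in the kernel sizes tables or loops by SADB_EALG_MAX is not visible in this hunk.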
>
> Modified: head/sys/netipsec/xform_esp.c
>
> ==============================================================================
> --- head/sys/netipsec/xform_esp.c Fri Jul 31 00:21:40 2015
> (r286099)
> +++ head/sys/netipsec/xform_esp.c Fri Jul 31 00:23:21 2015
> (r286100)
> @@ -115,8 +115,6 @@ esp_algorithm_lookup(int alg)
> return &enc_xform_blf;
> case SADB_X_EALG_CAST128CBC:
> return &enc_xform_cast5;
> - case SADB_X_EALG_SKIPJACK:
> - return &enc_xform_skipjack;
> case SADB_EALG_NULL:
> return &enc_xform_null;
> case SADB_X_EALG_CAMELLIACBC:
>
>