svn commit: r310473 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Fri Dec 23 11:26:30 UTC 2016
Author: ae
Date: Fri Dec 23 11:26:28 2016
New Revision: 310473
URL: https://svnweb.freebsd.org/changeset/base/310473
Log:
Rework [ah|esp|ipcomp]_algorithm_lookup() functions.
Since these functions depend from crypto(4), move them into key.c.
Modified:
projects/ipsec/sys/netipsec/key.c
projects/ipsec/sys/netipsec/xform.h
projects/ipsec/sys/netipsec/xform_ah.c
projects/ipsec/sys/netipsec/xform_esp.c
projects/ipsec/sys/netipsec/xform_ipcomp.c
Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Fri Dec 23 09:39:50 2016 (r310472)
+++ projects/ipsec/sys/netipsec/key.c Fri Dec 23 11:26:28 2016 (r310473)
@@ -509,6 +509,47 @@ struct sadb_msghdr {
int extlen[SADB_EXT_MAX + 1];
};
+static struct supported_ealgs {
+ int sadb_alg;
+ const struct enc_xform *xform;
+} supported_ealgs[] = {
+ { SADB_EALG_DESCBC, &enc_xform_des },
+ { SADB_EALG_3DESCBC, &enc_xform_3des },
+ { SADB_X_EALG_AES, &enc_xform_rijndael128 },
+ { SADB_X_EALG_BLOWFISHCBC, &enc_xform_blf },
+ { SADB_X_EALG_CAST128CBC, &enc_xform_cast5 },
+ { SADB_EALG_NULL, &enc_xform_null },
+ { SADB_X_EALG_CAMELLIACBC, &enc_xform_camellia },
+ { SADB_X_EALG_AESCTR, &enc_xform_aes_icm },
+ { SADB_X_EALG_AESGCM16, &enc_xform_aes_nist_gcm },
+ { SADB_X_EALG_AESGMAC, &enc_xform_aes_nist_gmac },
+};
+
+static struct supported_aalgs {
+ int sadb_alg;
+ const struct auth_hash *xform;
+} supported_aalgs[] = {
+ { SADB_X_AALG_NULL, &auth_hash_null },
+ { SADB_AALG_MD5HMAC, &auth_hash_hmac_md5 },
+ { SADB_AALG_SHA1HMAC, &auth_hash_hmac_sha1 },
+ { SADB_X_AALG_RIPEMD160HMAC, &auth_hash_hmac_ripemd_160 },
+ { SADB_X_AALG_MD5, &auth_hash_key_md5 },
+ { SADB_X_AALG_SHA, &auth_hash_key_sha1 },
+ { SADB_X_AALG_SHA2_256, &auth_hash_hmac_sha2_256 },
+ { SADB_X_AALG_SHA2_384, &auth_hash_hmac_sha2_384 },
+ { SADB_X_AALG_SHA2_512, &auth_hash_hmac_sha2_512 },
+ { SADB_X_AALG_AES128GMAC, &auth_hash_nist_gmac_aes_128 },
+ { SADB_X_AALG_AES192GMAC, &auth_hash_nist_gmac_aes_192 },
+ { SADB_X_AALG_AES256GMAC, &auth_hash_nist_gmac_aes_256 },
+};
+
+static struct supported_calgs {
+ int sadb_alg;
+ const struct comp_algo *xform;
+} supported_calgs[] = {
+ { SADB_X_CALG_DEFLATE, &comp_algo_deflate },
+};
+
#ifndef IPSEC_DEBUG2
static struct callout key_timer;
#endif
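Review bot: The supported_ealgs table added here loses the cross-reference that the removed esp_algorithm_lookup() comment carried ("be sure to add code to esp_attach below"), so nothing now tells a maintainer that a new row may have a counterpart elsewhere. If esp_attach() still keeps a per-algorithm list in step with this table, a one-line comment above it would preserve that contract: `/* NB: adding an entry here may also require updating esp_attach() in xform_esp.c. */`. Whether supported_aalgs and supported_calgs need a similar note depends on ah/ipcomp setup code this diff does not show.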
@@ -600,7 +641,7 @@ static int key_get(struct socket *, stru
const struct sadb_msghdr *);
static void key_getcomb_setlifetime(struct sadb_comb *);
-static struct mbuf *key_getcomb_esp(void);
+static struct mbuf *key_getcomb_ealg(void);
static struct mbuf *key_getcomb_ah(void);
static struct mbuf *key_getcomb_ipcomp(void);
static struct mbuf *key_getprop(const struct secasindex *);
@@ -5777,10 +5818,10 @@ key_getcomb_setlifetime(struct sadb_comb
* XXX no idea if the user wants ESP authentication or not
*/
static struct mbuf *
-key_getcomb_esp()
+key_getcomb_ealg(void)
{
struct sadb_comb *comb;
- struct enc_xform *algo;
+ const struct enc_xform *algo;
struct mbuf *result = NULL, *m, *n;
int encmin;
int i, off, o;
@@ -5789,7 +5830,7 @@ key_getcomb_esp()
m = NULL;
for (i = 1; i <= SADB_EALG_MAX; i++) {
- algo = esp_algorithm_lookup(i);
+ algo = enc_algorithm_lookup(i);
if (algo == NULL)
continue;
@@ -5882,8 +5923,8 @@ key_getsizes_ah(const struct auth_hash *
static struct mbuf *
key_getcomb_ah()
{
+ const struct auth_hash *algo;
struct sadb_comb *comb;
- struct auth_hash *algo;
struct mbuf *m;
u_int16_t minkeysize, maxkeysize;
int i;
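Review bot: key_getcomb_ah() on the hunk's second line keeps an empty parameter list while the commit changes key_getcomb_esp() to key_getcomb_ealg(void); key_getcomb_ipcomp() in the hunk at -5940 is left the same way. Since both definitions are already touched, `key_getcomb_ah(void)` and `key_getcomb_ipcomp(void)` would make the three combo builders consistent with their prototypes. Both function bodies continue outside their hunks.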
@@ -5900,7 +5941,7 @@ key_getcomb_ah()
i != SADB_X_AALG_SHA2_512)
continue;
#endif
- algo = ah_algorithm_lookup(i);
+ algo = auth_algorithm_lookup(i);
if (!algo)
continue;
key_getsizes_ah(algo, i, &minkeysize, &maxkeysize);
@@ -5940,15 +5981,15 @@ key_getcomb_ah()
static struct mbuf *
key_getcomb_ipcomp()
{
+ const struct comp_algo *algo;
struct sadb_comb *comb;
- struct comp_algo *algo;
struct mbuf *m;
int i;
const int l = PFKEY_ALIGN8(sizeof(struct sadb_comb));
m = NULL;
for (i = 1; i <= SADB_X_CALG_MAX; i++) {
- algo = ipcomp_algorithm_lookup(i);
+ algo = comp_algorithm_lookup(i);
if (!algo)
continue;
@@ -5991,7 +6032,7 @@ key_getprop(const struct secasindex *sai
switch (saidx->proto) {
case IPPROTO_ESP:
- m = key_getcomb_esp();
+ m = key_getcomb_ealg();
break;
case IPPROTO_AH:
m = key_getcomb_ah();
@@ -6614,14 +6655,14 @@ key_register(struct socket *so, struct m
/* create new sadb_msg to reply. */
alen = 0;
for (i = 1; i <= SADB_AALG_MAX; i++) {
- if (ah_algorithm_lookup(i))
+ if (auth_algorithm_lookup(i))
alen += sizeof(struct sadb_alg);
}
if (alen)
alen += sizeof(struct sadb_supported);
elen = 0;
for (i = 1; i <= SADB_EALG_MAX; i++) {
- if (esp_algorithm_lookup(i))
+ if (enc_algorithm_lookup(i))
elen += sizeof(struct sadb_alg);
}
if (elen)
@@ -6660,10 +6701,10 @@ key_register(struct socket *so, struct m
off += PFKEY_ALIGN8(sizeof(*sup));
for (i = 1; i <= SADB_AALG_MAX; i++) {
- struct auth_hash *aalgo;
+ const struct auth_hash *aalgo;
u_int16_t minkeysize, maxkeysize;
- aalgo = ah_algorithm_lookup(i);
+ aalgo = auth_algorithm_lookup(i);
if (!aalgo)
continue;
alg = (struct sadb_alg *)(mtod(n, caddr_t) + off);
@@ -6684,9 +6725,9 @@ key_register(struct socket *so, struct m
off += PFKEY_ALIGN8(sizeof(*sup));
for (i = 1; i <= SADB_EALG_MAX; i++) {
- struct enc_xform *ealgo;
+ const struct enc_xform *ealgo;
- ealgo = esp_algorithm_lookup(i);
+ ealgo = enc_algorithm_lookup(i);
if (!ealgo)
continue;
alg = (struct sadb_alg *)(mtod(n, caddr_t) + off);
@@ -7900,6 +7941,39 @@ key_setlifetime(struct seclifetime *src,
}
+const struct enc_xform *
+enc_algorithm_lookup(int alg)
+{
+ int i;
+
+ for (i = 0; i < nitems(supported_ealgs); i++)
+ if (alg == supported_ealgs[i].sadb_alg)
+ return (supported_ealgs[i].xform);
+ return (NULL);
+}
+
+const struct auth_hash *
+auth_algorithm_lookup(int alg)
+{
+ int i;
+
+ for (i = 0; i < nitems(supported_aalgs); i++)
+ if (alg == supported_aalgs[i].sadb_alg)
+ return (supported_aalgs[i].xform);
+ return (NULL);
+}
+
+const struct comp_algo *
+comp_algorithm_lookup(int alg)
+{
+ int i;
+
+ for (i = 0; i < nitems(supported_calgs); i++)
+ if (alg == supported_calgs[i].sadb_alg)
+ return (supported_calgs[i].xform);
+ return (NULL);
+}
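Review bot: In all three new lookup functions the loop index `int i` is compared against nitems(), which yields size_t, so the loops compare signed with unsigned and will warn under -Wsign-compare. Declaring the index as `u_int i;` (or size_t) avoids that in enc_algorithm_lookup, auth_algorithm_lookup and comp_algorithm_lookup alike. The range checks the old switches performed (alg > SADB_AALG_MAX, alg >= ESP_ALG_MAX, alg >= IPCOMP_ALG_MAX) are no longer needed since an unlisted value falls through to NULL, and a short comment on the first function would make that explicit: `/* Any value absent from the table is unsupported; no SADB_*_MAX bound is needed. */`.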
+
/*
* Register a transform; typically at system startup.
*/
Modified: projects/ipsec/sys/netipsec/xform.h
==============================================================================
--- projects/ipsec/sys/netipsec/xform.h Fri Dec 23 09:39:50 2016 (r310472)
+++ projects/ipsec/sys/netipsec/xform.h Fri Dec 23 11:26:28 2016 (r310473)
@@ -98,6 +98,10 @@ struct xformsw {
};
#ifdef _KERNEL
+const struct enc_xform * enc_algorithm_lookup(int);
+const struct auth_hash * auth_algorithm_lookup(int);
+const struct comp_algo * comp_algorithm_lookup(int);
+
extern void xform_register(struct xformsw*);
extern int xform_ah_authsize(struct auth_hash *esph);
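Review bot: The three added prototypes return const-qualified pointers, but xform_ah_authsize() two lines below still takes a plain `struct auth_hash *`, so any caller that passes a lookup result to it will discard the qualifier and warn under -Wdiscarded-qualifiers. If its parameter is never written through, `extern int xform_ah_authsize(const struct auth_hash *esph);` keeps the new const contract intact across the header. As a point of style, the new lines omit the `extern` the neighbouring declarations use and put a space after the `*`; `const struct enc_xform *enc_algorithm_lookup(int);` would match the surrounding code.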
@@ -106,15 +110,10 @@ struct cryptoini;
/* XF_AH */
extern int ah_init0(struct secasvar *, struct xformsw *, struct cryptoini *);
extern int ah_zeroize(struct secasvar *sav);
-extern struct auth_hash *ah_algorithm_lookup(int alg);
extern size_t ah_hdrsiz(struct secasvar *);
/* XF_ESP */
-extern struct enc_xform *esp_algorithm_lookup(int alg);
extern size_t esp_hdrsiz(struct secasvar *sav);
-/* XF_COMP */
-extern struct comp_algo *ipcomp_algorithm_lookup(int alg);
-
#endif /* _KERNEL */
#endif /* _NETIPSEC_XFORM_H_ */
Modified: projects/ipsec/sys/netipsec/xform_ah.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 09:39:50 2016 (r310472)
+++ projects/ipsec/sys/netipsec/xform_ah.c Fri Dec 23 11:26:28 2016 (r310473)
@@ -141,43 +141,6 @@ xform_ah_authsize(struct auth_hash *esph
return alen;
}
-/*
- * NB: this is public for use by the PF_KEY support.
- */
-struct auth_hash *
-ah_algorithm_lookup(int alg)
-{
- if (alg > SADB_AALG_MAX)
- return NULL;
- switch (alg) {
- case SADB_X_AALG_NULL:
- return &auth_hash_null;
- case SADB_AALG_MD5HMAC:
- return &auth_hash_hmac_md5;
- case SADB_AALG_SHA1HMAC:
- return &auth_hash_hmac_sha1;
- case SADB_X_AALG_RIPEMD160HMAC:
- return &auth_hash_hmac_ripemd_160;
- case SADB_X_AALG_MD5:
- return &auth_hash_key_md5;
- case SADB_X_AALG_SHA:
- return &auth_hash_key_sha1;
- case SADB_X_AALG_SHA2_256:
- return &auth_hash_hmac_sha2_256;
- case SADB_X_AALG_SHA2_384:
- return &auth_hash_hmac_sha2_384;
- case SADB_X_AALG_SHA2_512:
- return &auth_hash_hmac_sha2_512;
- case SADB_X_AALG_AES128GMAC:
- return &auth_hash_nist_gmac_aes_128;
- case SADB_X_AALG_AES192GMAC:
- return &auth_hash_nist_gmac_aes_192;
- case SADB_X_AALG_AES256GMAC:
- return &auth_hash_nist_gmac_aes_256;
- }
- return NULL;
-}
-
size_t
ah_hdrsiz(struct secasvar *sav)
{
@@ -202,10 +165,10 @@ ah_hdrsiz(struct secasvar *sav)
int
ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
{
- struct auth_hash *thash;
+ const struct auth_hash *thash;
int keylen;
- thash = ah_algorithm_lookup(sav->alg_auth);
+ thash = auth_algorithm_lookup(sav->alg_auth);
if (thash == NULL) {
DPRINTF(("%s: unsupported authentication algorithm %u\n",
__func__, sav->alg_auth));
Modified: projects/ipsec/sys/netipsec/xform_esp.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 09:39:50 2016 (r310472)
+++ projects/ipsec/sys/netipsec/xform_esp.c Fri Dec 23 11:26:28 2016 (r310473)
@@ -97,40 +97,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSE
static int esp_input_cb(struct cryptop *op);
static int esp_output_cb(struct cryptop *crp);
-/*
- * NB: this is public for use by the PF_KEY support.
- * NB: if you add support here; be sure to add code to esp_attach below!
- */
-struct enc_xform *
-esp_algorithm_lookup(int alg)
-{
- if (alg >= ESP_ALG_MAX)
- return NULL;
- switch (alg) {
- case SADB_EALG_DESCBC:
- return &enc_xform_des;
- case SADB_EALG_3DESCBC:
- return &enc_xform_3des;
- case SADB_X_EALG_AES:
- return &enc_xform_rijndael128;
- case SADB_X_EALG_BLOWFISHCBC:
- return &enc_xform_blf;
- case SADB_X_EALG_CAST128CBC:
- return &enc_xform_cast5;
- case SADB_EALG_NULL:
- return &enc_xform_null;
- case SADB_X_EALG_CAMELLIACBC:
- return &enc_xform_camellia;
- case SADB_X_EALG_AESCTR:
- return &enc_xform_aes_icm;
- case SADB_X_EALG_AESGCM16:
- return &enc_xform_aes_nist_gcm;
- case SADB_X_EALG_AESGMAC:
- return &enc_xform_aes_nist_gmac;
- }
- return NULL;
-}
-
size_t
esp_hdrsiz(struct secasvar *sav)
{
@@ -168,12 +134,12 @@ esp_hdrsiz(struct secasvar *sav)
static int
esp_init(struct secasvar *sav, struct xformsw *xsp)
{
- struct enc_xform *txform;
+ const struct enc_xform *txform;
struct cryptoini cria, crie;
int keylen;
int error;
- txform = esp_algorithm_lookup(sav->alg_enc);
+ txform = enc_algorithm_lookup(sav->alg_enc);
if (txform == NULL) {
DPRINTF(("%s: unsupported encryption algorithm %d\n",
__func__, sav->alg_enc));
Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_ipcomp.c Fri Dec 23 09:39:50 2016 (r310472)
+++ projects/ipsec/sys/netipsec/xform_ipcomp.c Fri Dec 23 11:26:28 2016 (r310473)
@@ -87,18 +87,6 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ipcomp, I
static int ipcomp_input_cb(struct cryptop *crp);
static int ipcomp_output_cb(struct cryptop *crp);
-struct comp_algo *
-ipcomp_algorithm_lookup(int alg)
-{
- if (alg >= IPCOMP_ALG_MAX)
- return NULL;
- switch (alg) {
- case SADB_X_CALG_DEFLATE:
- return &comp_algo_deflate;
- }
- return NULL;
-}
-
/*
* RFC 3173 p 2.2. Non-Expansion Policy:
* If the total size of a compressed payload and the IPComp header, as
@@ -160,11 +148,11 @@ ipcomp_nonexp_input(struct mbuf **mp, in
static int
ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
{
- struct comp_algo *tcomp;
+ const struct comp_algo *tcomp;
struct cryptoini cric;
/* NB: algorithm really comes in alg_enc and not alg_comp! */
- tcomp = ipcomp_algorithm_lookup(sav->alg_enc);
+ tcomp = comp_algorithm_lookup(sav->alg_enc);
if (tcomp == NULL) {
DPRINTF(("%s: unsupported compression algorithm %d\n", __func__,
sav->alg_comp));
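Review bot: The diagnostic right after the changed lookup prints sav->alg_comp, while the lookup itself uses sav->alg_enc (as the comment two lines above says), so the "unsupported compression algorithm" message reports a field the code never consulted. Changing the argument to `sav->alg_enc));` makes the log line name the value that actually failed the lookup. ipcomp_init() continues outside the hunk.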