Conform to crypto framework changes for IVs.

diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 2abebc3..1d43ea4 100644 (file)
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_esp.c,v 1.36 2000/03/28 07:04:02 angelos Exp $ */
+/*     $OpenBSD: ip_esp.c,v 1.37 2000/03/29 07:09:57 angelos Exp $ */
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
@@ -418,8 +418,18 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
        crde->crd_skip = skip + hlen;
        crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
        crde->crd_inject = skip + hlen - tdb->tdb_ivlen;
+
         if (tdb->tdb_flags & TDBF_HALFIV)
-         crde->crd_flags |= CRD_F_HALFIV;
+       {
+           /* Copy half-IV from packet */
+           m_copydata(m, crde->crd_inject, tdb->tdb_ivlen, crde->crd_iv);
+
+           /* Cook IV */
+           for (btsx = 0; btsx < tdb->tdb_ivlen; btsx++)
+             crde->crd_iv[tdb->tdb_ivlen + btsx] = ~crde->crd_iv[btsx];
+
+           crde->crd_flags |= CRD_F_IV_EXPLICIT;
+       }
 
        crde->crd_alg = espx->type;
        crde->crd_key = tdb->tdb_emxkey;
@@ -888,10 +898,21 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
        crde->crd_skip = skip + hlen;
        crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen);
        crde->crd_flags = CRD_F_ENCRYPT;
-        if (tdb->tdb_flags & TDBF_HALFIV)
-         crde->crd_flags |= CRD_F_HALFIV;
        crde->crd_inject = skip + hlen - tdb->tdb_ivlen;
 
+        if (tdb->tdb_flags & TDBF_HALFIV)
+       {
+           /* Copy half-iv in the packet */
+           m_copyback(m, crde->crd_inject, tdb->tdb_ivlen, tdb->tdb_iv);
+
+           /* Cook half-iv */
+           bcopy(tdb->tdb_iv, crde->crd_iv, tdb->tdb_ivlen);
+           for (ilen = 0; ilen < tdb->tdb_ivlen; ilen++)
+             crde->crd_iv[tdb->tdb_ivlen + ilen] = ~crde->crd_iv[ilen];
+
+           crde->crd_flags |= CRD_F_IV_PRESENT | CRD_F_IV_EXPLICIT;
+       }
+
        /* Encryption operation */
        crde->crd_alg = espx->type;
        crde->crd_key = tdb->tdb_emxkey;
@@ -989,6 +1010,15 @@ esp_output_cb(void *op)
     /* Release crypto descriptors */
     crypto_freereq(crp);
 
+    /*
+     * If we're doing half-iv, keep a copy of the last few bytes of the
+     * encrypted part, for use as the next IV. Note that HALF-IV is only
+     * supposed to be used without authentication (the old ESP specs).
+     */
+    if (tdb->tdb_flags & TDBF_HALFIV)
+      m_copydata(m, m->m_pkthdr.len - tdb->tdb_ivlen, tdb->tdb_ivlen,
+                tdb->tdb_iv);
+
     /* Call the IPsec input callback */
     return ipsp_process_done(m, tdb);
 

diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 5695fc1..98fafc2 100644 (file)
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_ipsp.h,v 1.62 2000/03/17 10:25:22 angelos Exp $    */
+/*     $OpenBSD: ip_ipsp.h,v 1.63 2000/03/29 07:09:57 angelos Exp $    */
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
@@ -299,6 +299,8 @@ struct tdb                          /* tunnel descriptor block */
     u_int16_t         tdb_srcid_type;
     u_int16_t         tdb_dstid_type;
 
+    u_int8_t          tdb_iv[4];        /* Used for HALF-IV ESP */
+
     caddr_t           tdb_interface;
     struct flow             *tdb_flow;         /* Which outboind flows use this SA */
     struct flow             *tdb_access;       /* Ingress access control */