From: angelos Date: Wed, 29 Mar 2000 07:09:57 +0000 (+0000) Subject: Conform to crypto framework changes for IVs. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=850706167c9490a91bb42c2351ac20a1d4b3c9fd;p=openbsd Conform to crypto framework changes for IVs. --- diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 2abebc3285f..1d43ea408bb 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.36 2000/03/28 07:04:02 angelos Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.37 2000/03/29 07:09:57 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -418,8 +418,18 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff) crde->crd_skip = skip + hlen; crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); crde->crd_inject = skip + hlen - tdb->tdb_ivlen; + if (tdb->tdb_flags & TDBF_HALFIV) - crde->crd_flags |= CRD_F_HALFIV; + { + /* Copy half-IV from packet */ + m_copydata(m, crde->crd_inject, tdb->tdb_ivlen, crde->crd_iv); + + /* Cook IV */ + for (btsx = 0; btsx < tdb->tdb_ivlen; btsx++) + crde->crd_iv[tdb->tdb_ivlen + btsx] = ~crde->crd_iv[btsx]; + + crde->crd_flags |= CRD_F_IV_EXPLICIT; + } crde->crd_alg = espx->type; crde->crd_key = tdb->tdb_emxkey; @@ -888,10 +898,21 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, crde->crd_skip = skip + hlen; crde->crd_len = m->m_pkthdr.len - (skip + hlen + alen); crde->crd_flags = CRD_F_ENCRYPT; - if (tdb->tdb_flags & TDBF_HALFIV) - crde->crd_flags |= CRD_F_HALFIV; crde->crd_inject = skip + hlen - tdb->tdb_ivlen; + if (tdb->tdb_flags & TDBF_HALFIV) + { + /* Copy half-iv in the packet */ + m_copyback(m, crde->crd_inject, tdb->tdb_ivlen, tdb->tdb_iv); + + /* Cook half-iv */ + bcopy(tdb->tdb_iv, crde->crd_iv, tdb->tdb_ivlen); + for (ilen = 0; ilen < tdb->tdb_ivlen; ilen++) + crde->crd_iv[tdb->tdb_ivlen + ilen] = ~crde->crd_iv[ilen]; + + crde->crd_flags |= CRD_F_IV_PRESENT | CRD_F_IV_EXPLICIT; + } + /* Encryption operation */ crde->crd_alg = espx->type; crde->crd_key = tdb->tdb_emxkey; @@ -989,6 +1010,15 @@ esp_output_cb(void *op) /* Release crypto descriptors */ crypto_freereq(crp); + /* + * If we're doing half-iv, keep a copy of the last few bytes of the + * encrypted part, for use as the next IV. Note that HALF-IV is only + * supposed to be used without authentication (the old ESP specs). + */ + if (tdb->tdb_flags & TDBF_HALFIV) + m_copydata(m, m->m_pkthdr.len - tdb->tdb_ivlen, tdb->tdb_ivlen, + tdb->tdb_iv); + /* Call the IPsec input callback */ return ipsp_process_done(m, tdb); diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index 5695fc19692..98fafc21b10 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.62 2000/03/17 10:25:22 angelos Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.63 2000/03/29 07:09:57 angelos Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -299,6 +299,8 @@ struct tdb /* tunnel descriptor block */ u_int16_t tdb_srcid_type; u_int16_t tdb_dstid_type; + u_int8_t tdb_iv[4]; /* Used for HALF-IV ESP */ + caddr_t tdb_interface; struct flow *tdb_flow; /* Which outboind flows use this SA */ struct flow *tdb_access; /* Ingress access control */