Date:      Fri, 16 Oct 2020 11:18:13 +0000 (UTC)
From:      Marcin Wojtas <mw@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r366753 - head/sys/opencrypto
Message-ID:  <202010161118.09GBIDSv067775@repo.freebsd.org>

Author: mw
Date: Fri Oct 16 11:18:13 2020
New Revision: 366753
URL: https://svnweb.freebsd.org/changeset/base/366753

Log:
  Add support for ESN in cryptosoft
  
  This patch adds support for IPsec ESN (Extended Sequence Numbers) in
  encrypt and authenticate mode (e.g. AES-CBC and SHA256) and combined mode
  (e.g. AES-GCM).
  
  For encrypt and authenticate mode the ESN is stored in separate crp_esn
  buffer because the high-order 32 bits of the sequence number are
  appended after the Next Header (RFC 4303).
  
  For combined modes the high-order 32 bits of the sequence number [e.g.
  RFC 4106, Chapter 5 AAD Construction] are part of crp_aad (prepared by
  netipsec layer in case of ESN support enabled), therefore there is no
  visible diff around combined modes.
  
  Submitted by:           Grzegorz Jaszczyk <jaz@semihalf.com>
                          Patryk Duda <pdk@semihalf.com>
  Reviewed by:            jhb
  Differential revision:  https://reviews.freebsd.org/D22364
  Obtained from:          Semihalf
  Sponsored by:           Stormshield

Modified:
  head/sys/opencrypto/cryptosoft.c

Modified: head/sys/opencrypto/cryptosoft.c
==============================================================================
--- head/sys/opencrypto/cryptosoft.c	Fri Oct 16 11:06:33 2020	(r366752)
+++ head/sys/opencrypto/cryptosoft.c	Fri Oct 16 11:18:13 2020	(r366753)
@@ -327,8 +327,8 @@ swcr_authcompute(struct swcr_session *ses, struct cryp
 
 	axf = sw->sw_axf;
 
+	csp = crypto_get_params(crp->crp_session);
 	if (crp->crp_auth_key != NULL) {
-		csp = crypto_get_params(crp->crp_session);
 		swcr_authprepare(axf, sw, crp->crp_auth_key,
 		    csp->csp_auth_klen);
 	}
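Review bot: The reason for hoisting csp = crypto_get_params(crp->crp_session) out of the crp_auth_key != NULL branch is not visible at this point in swcr_authcompute; the only new user is the CSP_F_ESN test added further down, before Final. Initializing csp where it is declared, or adding a one-line comment that it is needed unconditionally for the ESN check, would keep a later cleanup from moving the assignment back inside the branch and leaving csp unset on the path where no per-request key is supplied.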
@@ -354,6 +354,9 @@ swcr_authcompute(struct swcr_session *ses, struct cryp
 	if (err)
 		goto out;
 
+	if (csp->csp_flags & CSP_F_ESN)
+		axf->Update(&ctx, crp->crp_esn, 4);
+
 	axf->Final(aalg, &ctx);
 	if (sw->sw_octx != NULL) {
 		bcopy(sw->sw_octx, &ctx, axf->ctxsize);
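Review bot: The literal 4 in axf->Update(&ctx, crp->crp_esn, 4) is a magic number for the high-order 32 bits of the sequence number; sizeof(crp->crp_esn) or a named constant would tie the length to the buffer and keep the two from drifting apart. A short comment here pointing at RFC 4303 would also help, since the commit log is currently the only place that explains why these bytes are hashed after the payload and just before Final. The new call also depends on csp being assigned on every path, which only holds because of the hoist in the first hunk.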
@@ -1235,12 +1238,12 @@ swcr_cipher_supported(const struct crypto_session_para
 	return (true);
 }
 
+#define SUPPORTED_SES (CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD | CSP_F_ESN)
+
 static int
 swcr_probesession(device_t dev, const struct crypto_session_params *csp)
 {
-
-	if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) !=
-	    0)
+	if ((csp->csp_flags & ~(SUPPORTED_SES)) != 0)
 		return (EINVAL);
 	switch (csp->csp_mode) {
 	case CSP_MODE_COMPRESS:
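Review bot: CSP_F_ESN is accepted by the flag mask in swcr_probesession before the switch on csp_mode, so as far as these lines show a session in CSP_MODE_COMPRESS (or any other mode) that sets the flag passes this check, while the only consumer of crp_esn in this patch is swcr_authcompute. Consider rejecting the flag in the mode cases where it has no meaning, or documenting that it is silently ignored there. Two smaller points: SUPPORTED_SES is a generic, unprefixed name for a file-local macro (something with an swcr prefix and "flags" in the name would say what it masks), and since the macro body is already parenthesized the extra parentheses in ~(SUPPORTED_SES) are redundant.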


