From owner-svn-src-all@freebsd.org Fri Jul 31 05:03:55 2015
Date: Fri, 31 Jul 2015 01:03:54 -0400
From: Ryan Stone
To: John-Mark Gurney
Cc: src-committers@freebsd.org, svn-src-head@freebsd.org, svn-src-all@freebsd.org
Subject: Re: svn commit: r286100 - in head/sys: net netipsec
In-Reply-To: <201507310023.t6V0NLVT013789@repo.freebsd.org>

You can't use CTASSERT in a header. You'll get a compile error if two
different headers included in the same translation unit have a CTASSERT
on the same line number.

On Jul 30, 2015 5:23 PM, "John-Mark Gurney" wrote:
> Author: jmg
> Date: Fri Jul 31 00:23:21 2015
> New Revision: 286100
> URL: https://svnweb.freebsd.org/changeset/base/286100
>
> Log:
>   Clean up this header file...
>
>   use CTASSERTs now that we have them...
>
>   Replace a draft w/ RFC that's over 10 years old.
>
>   Note that _AALG and _EALG do not need to match what the IKE daemons
>   think they should be..  This is part of the KABI...  I decided to
>   renumber AESCTR, but since we've never had working AESCTR mode, I'm
>   not really breaking anything..  and it shortens a loop by quite
>   a bit..
>
>   remove SKIPJACK IPsec support...  SKIPJACK never made it out of draft
>   (in 1999), only has an 80-bit key, NIST recommended it stop being used
>   after 2010, and neither setkey nor any of the IKE daemons I checked
>   supported it...
>
>   jmgurney/ipsecgcm: a357a33, c75808b, e008669, b27b6d6
>
> Reviewed by:	gnn (earlier version)
>
> Modified:
>   head/sys/net/pfkeyv2.h
>   head/sys/netipsec/xform_esp.c
>
> Modified: head/sys/net/pfkeyv2.h
>
> ==============================================================================
> --- head/sys/net/pfkeyv2.h Fri Jul 31 00:21:40 2015 (r286099)
> +++ head/sys/net/pfkeyv2.h Fri Jul 31 00:23:21 2015 (r286100)
> @@ -218,7 +218,6 @@ struct sadb_x_sa2 { > }; > > /* XXX Policy Extension */ > -/* sizeof(struct sadb_x_policy) == 16 */ > struct sadb_x_policy { > u_int16_t sadb_x_policy_len; > u_int16_t sadb_x_policy_exttype; > @@ -228,6 +227,8 @@ struct sadb_x_policy { > u_int32_t sadb_x_policy_id; > u_int32_t sadb_x_policy_reserved2; > }; > +CTASSERT(sizeof(struct sadb_x_policy) == 16); > + > /* > * When policy_type == IPSEC, it is followed by some of > * the ipsec policy request. > @@ -256,31 +257,31 @@ struct sadb_x_ipsecrequest { > }; > > /* NAT-Traversal type, see RFC 3948 (and drafts). */ > -/* sizeof(struct sadb_x_nat_t_type) == 8 */ > struct sadb_x_nat_t_type { > u_int16_t sadb_x_nat_t_type_len; > u_int16_t sadb_x_nat_t_type_exttype; > u_int8_t sadb_x_nat_t_type_type; > u_int8_t sadb_x_nat_t_type_reserved[3]; > }; > +CTASSERT(sizeof(struct sadb_x_nat_t_type) == 8); > > /* NAT-Traversal source or destination port. */ > -/* sizeof(struct sadb_x_nat_t_port) == 8 */ > struct sadb_x_nat_t_port { > u_int16_t sadb_x_nat_t_port_len; > u_int16_t sadb_x_nat_t_port_exttype; > u_int16_t sadb_x_nat_t_port_port; > u_int16_t sadb_x_nat_t_port_reserved; > }; > +CTASSERT(sizeof(struct sadb_x_nat_t_port) == 8); > > /* ESP fragmentation size. */ > -/* sizeof(struct sadb_x_nat_t_frag) == 8 */ > struct sadb_x_nat_t_frag { > u_int16_t sadb_x_nat_t_frag_len; > u_int16_t sadb_x_nat_t_frag_exttype; > u_int16_t sadb_x_nat_t_frag_fraglen; > u_int16_t sadb_x_nat_t_frag_reserved; > }; > +CTASSERT(sizeof(struct sadb_x_nat_t_frag) == 8); > > > #define SADB_EXT_RESERVED 0 
> @@ -332,46 +333,47 @@ struct sadb_x_nat_t_frag { > > #define SADB_SAFLAGS_PFS 1 > > -/* RFC2367 numbers - meets RFC2407 */ > +/* > + * Though some of these numbers (both _AALG and _EALG) appear to be > + * IKEv2 numbers and others original IKE numbers, they have no meaning. > + * These are constants that the various IKE daemons use to tell the kernel > + * what cipher to use. > + * > + * Do not use these constants directly to decide which Transformation ID > + * to send. You are responsible for mapping them yourself. > + */ > #define SADB_AALG_NONE 0 > #define SADB_AALG_MD5HMAC 2 > #define SADB_AALG_SHA1HMAC 3 > #define SADB_AALG_MAX 252 > -/* private allocations - based on RFC2407/IANA assignment */ > #define SADB_X_AALG_SHA2_256 5 > #define SADB_X_AALG_SHA2_384 6 > #define SADB_X_AALG_SHA2_512 7 > #define SADB_X_AALG_RIPEMD160HMAC 8 > -#define SADB_X_AALG_AES_XCBC_MAC 9 /* > draft-ietf-ipsec-ciph-aes-xcbc-mac-04 */ > +#define SADB_X_AALG_AES_XCBC_MAC 9 /* RFC3566 */ > #define SADB_X_AALG_AES128GMAC 11 /* RFC4543 + Errata1821 */ > #define SADB_X_AALG_AES192GMAC 12 > #define SADB_X_AALG_AES256GMAC 13 > -/* private allocations should use 249-255 (RFC2407) */ > #define SADB_X_AALG_MD5 249 /* Keyed MD5 */ > #define SADB_X_AALG_SHA 250 /* Keyed SHA */ > #define SADB_X_AALG_NULL 251 /* null authentication */ > #define SADB_X_AALG_TCP_MD5 252 /* Keyed TCP-MD5 (RFC2385) */ > > -/* RFC2367 numbers - meets RFC2407 */ > #define SADB_EALG_NONE 0 > #define SADB_EALG_DESCBC 2 > #define SADB_EALG_3DESCBC 3 > -#define SADB_EALG_NULL 11 > -#define SADB_EALG_MAX 250 > -/* private allocations - based on RFC2407/IANA assignment */ > #define SADB_X_EALG_CAST128CBC 6 > #define SADB_X_EALG_BLOWFISHCBC 7 > +#define SADB_EALG_NULL 11 > #define SADB_X_EALG_RIJNDAELCBC 12 > #define SADB_X_EALG_AES 12 > +#define SADB_X_EALG_AESCTR 13 > #define SADB_X_EALG_AESGCM8 18 /* RFC4106 */ > #define SADB_X_EALG_AESGCM12 19 > #define SADB_X_EALG_AESGCM16 20 > -/* private allocations - based on 
RFC4312/IANA assignment */ > -#define SADB_X_EALG_CAMELLIACBC 22 > -#define SADB_X_EALG_AESGMAC 23 /* RFC4543 + Errata1821 > */ > -/* private allocations should use 249-255 (RFC2407) */ > -#define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for IPSEC */ > -#define SADB_X_EALG_AESCTR 250 /*249*/ /* > draft-ietf-ipsec-ciph-aes-ctr-03 */ > +#define SADB_X_EALG_CAMELLIACBC 22 > +#define SADB_X_EALG_AESGMAC 23 /* RFC4543 + Errata1821 */ > +#define SADB_EALG_MAX 23 /* !!! keep updated !!! */ > > /* private allocations - based on RFC2407/IANA assignment */ > #define SADB_X_CALG_NONE 0 > > Modified: head/sys/netipsec/xform_esp.c > > ============================================================================== > --- head/sys/netipsec/xform_esp.c Fri Jul 31 00:21:40 2015 > (r286099) > +++ head/sys/netipsec/xform_esp.c Fri Jul 31 00:23:21 2015 > (r286100) > @@ -115,8 +115,6 @@ esp_algorithm_lookup(int alg) > return &enc_xform_blf; > case SADB_X_EALG_CAST128CBC: > return &enc_xform_cast5; > - case SADB_X_EALG_SKIPJACK: > - return &enc_xform_skipjack; > case SADB_EALG_NULL: > return &enc_xform_null; > case SADB_X_EALG_CAMELLIACBC: > >
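Review bot: the CTASSERT(sizeof(struct sadb_x_policy) == 16); added at file scope in the first pfkeyv2.h hunk is exactly the problem the reply raises: this header is pulled into many translation units next to other headers, and a CTASSERT that is keyed on its line number collides with any other header's CTASSERT that happens to sit on the same line. pfkeyv2.h is also an installed header that userland (setkey and the IKE daemons the log mentions) compiles against, and CTASSERT is a kernel macro those builds do not see. Suggest wrapping the new asserts in #ifdef _KERNEL (or moving them into a netipsec .c file) and keeping the old /* sizeof(struct sadb_x_policy) == 16 */ comment so readers of the installed header still get the size contract.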
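Review bot: in the algorithm-number hunk, #define SADB_EALG_MAX 23 /* !!! keep updated !!! */ turns the loop bound into a value that must be bumped by hand every time an EALG is added, and a stale value silently truncates the loop the log says this shortens; #define SADB_EALG_MAX SADB_X_EALG_AESGMAC ties it to the last allocation and makes the comment unnecessary. The renumbering of SADB_X_EALG_AESCTR from 250 to 13 and the deletion of SADB_X_EALG_SKIPJACK also change an installed header: the new comment says these numbers have no meaning and must not be mapped directly to IKE transform IDs, yet 13 is the IKEv2 AES-CTR transform ID, so the comment should state plainly that the values are arbitrary KABI constants chosen to keep the range dense, and the log should say which userland consumers, if any, were built against the old AESCTR value.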
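Review bot: dropping the case SADB_X_EALG_SKIPJACK: arm from esp_algorithm_lookup() is the only change outside the header, while the define itself is deleted rather than retired, so any remaining reference to SADB_X_EALG_SKIPJACK elsewhere in the tree (netipsec/key.c, libipsec, setkey) now fails to compile, and enc_xform_skipjack in opencrypto may be left with no IPsec consumer. The log only reports that no daemon supports it; recording a grep for the symbol across src and a world/kernel build result in the commit would make the removal verifiable, and if enc_xform_skipjack has no other user it should be removed in a follow-up.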
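The collision the reply describes, and the header-safe alternative, as an added example of mine rather than code from the commit or from FreeBSD's sys/systm.h: LEGACY_CTASSERT is a simplified reconstruction of the typedef-per-line idiom (an assumption, not FreeBSD's exact macro), the three struct definitions are copied from the hunk above, the #line directives only emulate two headers sharing a line number inside one file, and the nat_t_* helper functions are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Two ways to spell a compile-time assertion.
 *
 * LEGACY_CTASSERT is a simplified reconstruction (assumption of this example)
 * of the typedef-per-line idiom: the typedef name is derived from __LINE__
 * only, so two headers that each have a CTASSERT on the same line number and
 * land in one translation unit emit the same identifier, and a C99 compiler
 * rejects the redefinition.
 *
 * HEADER_SAFE_CTASSERT uses C11 _Static_assert, which declares no identifier
 * at all and can therefore be repeated on any line of any header.
 */
#define LEGACY_CTASSERT(x)       LEGACY_CTASSERT_(x, __LINE__)
#define LEGACY_CTASSERT_(x, y)   LEGACY_CTASSERT__(x, y)
#define LEGACY_CTASSERT__(x, y)  \
	typedef char ctassert_line_ ## y[(x) ? 1 : -1] __attribute__((unused))

#define HEADER_SAFE_CTASSERT(x)  _Static_assert(x, "compile-time assertion failed: " #x)

/* The three NAT-T extension structs exactly as the hunk shows them. */
struct sadb_x_nat_t_type {
	uint16_t sadb_x_nat_t_type_len;
	uint16_t sadb_x_nat_t_type_exttype;
	uint8_t  sadb_x_nat_t_type_type;
	uint8_t  sadb_x_nat_t_type_reserved[3];
};

struct sadb_x_nat_t_port {
	uint16_t sadb_x_nat_t_port_len;
	uint16_t sadb_x_nat_t_port_exttype;
	uint16_t sadb_x_nat_t_port_port;
	uint16_t sadb_x_nat_t_port_reserved;
};

struct sadb_x_nat_t_frag {
	uint16_t sadb_x_nat_t_frag_len;
	uint16_t sadb_x_nat_t_frag_exttype;
	uint16_t sadb_x_nat_t_frag_fraglen;
	uint16_t sadb_x_nat_t_frag_reserved;
};

/*
 * The legacy form is fine as long as every use in one translation unit sits
 * on a distinct line, which is all a .c file ever guarantees.
 */
LEGACY_CTASSERT(sizeof(struct sadb_x_nat_t_type) == 8);
LEGACY_CTASSERT(sizeof(struct sadb_x_nat_t_port) == 8);

/*
 * Emulate two headers that both assert on their line 42. With the legacy
 * macro both would expand to "typedef char ctassert_line_42[1]" and collide;
 * the header-safe form compiles because nothing is named.
 */
#line 42 "emulated_first_header.h"
HEADER_SAFE_CTASSERT(sizeof(struct sadb_x_nat_t_port) == 8);
#line 42 "emulated_second_header.h"
HEADER_SAFE_CTASSERT(sizeof(struct sadb_x_nat_t_frag) == 8);
#line 70 "ctassert_example.c"

/* Runtime view of the same sizes, so a test can check the KABI contract too. */
size_t nat_t_type_size(void) { return sizeof(struct sadb_x_nat_t_type); }
size_t nat_t_port_size(void) { return sizeof(struct sadb_x_nat_t_port); }
size_t nat_t_frag_size(void) { return sizeof(struct sadb_x_nat_t_frag); }

/* 1 if every NAT-T extension struct has the 8-byte size the header promises. */
int nat_t_kabi_sizes_ok(void)
{
	return nat_t_type_size() == 8 && nat_t_port_size() == 8 &&
	    nat_t_frag_size() == 8;
}

int main(void)
{
	printf("sadb_x_nat_t_type: %zu\n", nat_t_type_size());
	printf("sadb_x_nat_t_port: %zu\n", nat_t_port_size());
	printf("sadb_x_nat_t_frag: %zu\n", nat_t_frag_size());
	return nat_t_kabi_sizes_ok() ? 0 : 1;
}
```

Swapping HEADER_SAFE_CTASSERT for LEGACY_CTASSERT in the two emulated-header lines reproduces the redefinition error the reply describes on a C99 compiler; under C11 the same-type typedef may be tolerated, which is why a check that depends on compiler mode does not belong in an installed header.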