head/sys/netipsec/xform_ah.c
Show First 20 Lines • Show All 102 Lines • ▼ Show 20 Lines | SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_enable, | ||||
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); | CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); | ||||
SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos, | SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos, | ||||
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); | CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); | ||||
SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat, | SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat, | ||||
ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)"); | ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)"); | ||||
#endif | #endif | ||||
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ | static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ | ||||
static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn; | |||||
static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; | |||||
static int ah_input_cb(struct cryptop*); | static int ah_input_cb(struct cryptop*); | ||||
static int ah_output_cb(struct cryptop*); | static int ah_output_cb(struct cryptop*); | ||||
int | int | ||||
xform_ah_authsize(const struct auth_hash *esph) | xform_ah_authsize(const struct auth_hash *esph) | ||||
{ | { | ||||
int alen; | int alen; | ||||
▲ Show 20 Lines • Show All 60 Lines • ▼ Show 20 Lines | ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) | ||||
int keylen; | int keylen; | ||||
thash = auth_algorithm_lookup(sav->alg_auth); | thash = auth_algorithm_lookup(sav->alg_auth); | ||||
if (thash == NULL) { | if (thash == NULL) { | ||||
DPRINTF(("%s: unsupported authentication algorithm %u\n", | DPRINTF(("%s: unsupported authentication algorithm %u\n", | ||||
__func__, sav->alg_auth)); | __func__, sav->alg_auth)); | ||||
return EINVAL; | return EINVAL; | ||||
} | } | ||||
switch (sav->alg_auth) { | |||||
case SADB_AALG_MD5HMAC: | |||||
if (ratecheck(&md5warn, &warninterval)) | |||||
gone_in(13, "MD5-HMAC authenticator for IPsec"); | |||||
break; | |||||
case SADB_X_AALG_RIPEMD160HMAC: | |||||
if (ratecheck(&ripewarn, &warninterval)) | |||||
gone_in(13, "RIPEMD160-HMAC authenticator for IPsec"); | |||||
break; | |||||
case SADB_X_AALG_MD5: | |||||
if (ratecheck(&kpdkmd5warn, &warninterval)) | |||||
gone_in(13, "Keyed-MD5 authenticator for IPsec"); | |||||
break; | |||||
case SADB_X_AALG_SHA: | |||||
if (ratecheck(&kpdksha1warn, &warninterval)) | |||||
gone_in(13, "Keyed-SHA1 authenticator for IPsec"); | |||||
break; | |||||
} | |||||
/* | /* | ||||
* Verify the replay state block allocation is consistent with | * Verify the replay state block allocation is consistent with | ||||
* the protocol type. We check here so we can make assumptions | * the protocol type. We check here so we can make assumptions | ||||
* later during protocol processing. | * later during protocol processing. | ||||
*/ | */ | ||||
/* NB: replay state is setup elsewhere (sigh) */ | /* NB: replay state is setup elsewhere (sigh) */ | ||||
if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) { | if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) { | ||||
DPRINTF(("%s: replay state block inconsistency, " | DPRINTF(("%s: replay state block inconsistency, " | ||||
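Review bot: The new deprecation switch in ah_init0 gives the reader no indication that the flagged authenticators remain fully functional, nor that the warning fires once per SA setup rather than per packet; a comment above the `switch (sav->alg_auth)` such as `/* Deprecated authenticators: still accepted and used, but warn (rate-limited to once per second per algorithm) when the SA is set up. */` would make that explicit, and an explicit `default: break;` would show that silence for every other algorithm is intentional. `warninterval` is never written after its initializer and ratecheck() takes its interval argument through a const pointer, so `static const struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 };` would document that intent. The per-algorithm `*warn` timevals are updated by ratecheck() without any lock and are shared across all VNETs, which at worst loses or duplicates a console warning; that tolerance is worth a one-line note next to their declaration. ah_init0 begins before and continues past the visible portion of this hunk.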