Changeset View
Changeset View
Standalone View
Standalone View
head/sys/netipsec/xform_ah.c
| Show First 20 Lines • Show All 102 Lines • ▼ Show 20 Lines | SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_enable, | ||||
| CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); | CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); | ||||
| SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos, | SYSCTL_INT(_net_inet_ah, OID_AUTO, ah_cleartos, | ||||
| CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); | CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); | ||||
| SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat, | SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat, | ||||
| ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)"); | ahstat, "AH statistics (struct ahstat, netipsec/ah_var.h)"); | ||||
| #endif | #endif | ||||
| static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ | static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ | ||||
| static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn; | |||||
| static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; | |||||
| static int ah_input_cb(struct cryptop*); | static int ah_input_cb(struct cryptop*); | ||||
| static int ah_output_cb(struct cryptop*); | static int ah_output_cb(struct cryptop*); | ||||
| int | int | ||||
| xform_ah_authsize(const struct auth_hash *esph) | xform_ah_authsize(const struct auth_hash *esph) | ||||
| { | { | ||||
| int alen; | int alen; | ||||
| ▲ Show 20 Lines • Show All 60 Lines • ▼ Show 20 Lines | ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) | ||||
| int keylen; | int keylen; | ||||
| thash = auth_algorithm_lookup(sav->alg_auth); | thash = auth_algorithm_lookup(sav->alg_auth); | ||||
| if (thash == NULL) { | if (thash == NULL) { | ||||
| DPRINTF(("%s: unsupported authentication algorithm %u\n", | DPRINTF(("%s: unsupported authentication algorithm %u\n", | ||||
| __func__, sav->alg_auth)); | __func__, sav->alg_auth)); | ||||
| return EINVAL; | return EINVAL; | ||||
| } | } | ||||
| switch (sav->alg_auth) { | |||||
| case SADB_AALG_MD5HMAC: | |||||
| if (ratecheck(&md5warn, &warninterval)) | |||||
| gone_in(13, "MD5-HMAC authenticator for IPsec"); | |||||
| break; | |||||
| case SADB_X_AALG_RIPEMD160HMAC: | |||||
| if (ratecheck(&ripewarn, &warninterval)) | |||||
| gone_in(13, "RIPEMD160-HMAC authenticator for IPsec"); | |||||
| break; | |||||
| case SADB_X_AALG_MD5: | |||||
| if (ratecheck(&kpdkmd5warn, &warninterval)) | |||||
| gone_in(13, "Keyed-MD5 authenticator for IPsec"); | |||||
| break; | |||||
| case SADB_X_AALG_SHA: | |||||
| if (ratecheck(&kpdksha1warn, &warninterval)) | |||||
| gone_in(13, "Keyed-SHA1 authenticator for IPsec"); | |||||
| break; | |||||
| } | |||||
| /* | /* | ||||
| * Verify the replay state block allocation is consistent with | * Verify the replay state block allocation is consistent with | ||||
| * the protocol type. We check here so we can make assumptions | * the protocol type. We check here so we can make assumptions | ||||
| * later during protocol processing. | * later during protocol processing. | ||||
| */ | */ | ||||
| /* NB: replay state is setup elsewhere (sigh) */ | /* NB: replay state is setup elsewhere (sigh) */ | ||||
| if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) { | if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) { | ||||
| DPRINTF(("%s: replay state block inconsistency, " | DPRINTF(("%s: replay state block inconsistency, " | ||||
| ▲ Show 20 Lines • Show All 977 Lines • Show Last 20 Lines | |||||