Changeset View
Changeset View
Standalone View
Standalone View
head/sys/netipsec/xform_esp.c
| Show First 20 Lines • Show All 88 Lines • ▼ Show 20 Lines | |||||
| SYSCTL_DECL(_net_inet_esp); | SYSCTL_DECL(_net_inet_esp); | ||||
| SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable, | SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable, | ||||
| CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, ""); | CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, ""); | ||||
| SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats, | SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats, | ||||
| struct espstat, espstat, | struct espstat, espstat, | ||||
| "ESP statistics (struct espstat, netipsec/esp_var.h"); | "ESP statistics (struct espstat, netipsec/esp_var.h"); | ||||
| static struct timeval deswarn, blfwarn, castwarn, camelliawarn; | |||||
| static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; | |||||
| static int esp_input_cb(struct cryptop *op); | static int esp_input_cb(struct cryptop *op); | ||||
| static int esp_output_cb(struct cryptop *crp); | static int esp_output_cb(struct cryptop *crp); | ||||
| size_t | size_t | ||||
| esp_hdrsiz(struct secasvar *sav) | esp_hdrsiz(struct secasvar *sav) | ||||
| { | { | ||||
| size_t size; | size_t size; | ||||
| ▲ Show 20 Lines • Show All 46 Lines • ▼ Show 20 Lines | if (sav->key_enc == NULL) { | ||||
| return EINVAL; | return EINVAL; | ||||
| } | } | ||||
| if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) == | if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) == | ||||
| SADB_X_EXT_IV4B) { | SADB_X_EXT_IV4B) { | ||||
| DPRINTF(("%s: 4-byte IV not supported with protocol\n", | DPRINTF(("%s: 4-byte IV not supported with protocol\n", | ||||
| __func__)); | __func__)); | ||||
| return EINVAL; | return EINVAL; | ||||
| } | } | ||||
| switch (sav->alg_enc) { | |||||
| case SADB_EALG_DESCBC: | |||||
| if (ratecheck(&deswarn, &warninterval)) | |||||
| gone_in(13, "DES cipher for IPsec"); | |||||
| break; | |||||
| case SADB_X_EALG_BLOWFISHCBC: | |||||
| if (ratecheck(&blfwarn, &warninterval)) | |||||
| gone_in(13, "Blowfish cipher for IPsec"); | |||||
| break; | |||||
| case SADB_X_EALG_CAST128CBC: | |||||
| if (ratecheck(&castwarn, &warninterval)) | |||||
| gone_in(13, "CAST cipher for IPsec"); | |||||
| break; | |||||
| case SADB_X_EALG_CAMELLIACBC: | |||||
| if (ratecheck(&camelliawarn, &warninterval)) | |||||
| gone_in(13, "Camellia cipher for IPsec"); | |||||
| break; | |||||
| } | |||||
| /* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ | /* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ | ||||
| keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; | keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; | ||||
| if (txform->minkey > keylen || keylen > txform->maxkey) { | if (txform->minkey > keylen || keylen > txform->maxkey) { | ||||
| DPRINTF(("%s: invalid key length %u, must be in the range " | DPRINTF(("%s: invalid key length %u, must be in the range " | ||||
| "[%u..%u] for algorithm %s\n", __func__, | "[%u..%u] for algorithm %s\n", __func__, | ||||
| keylen, txform->minkey, txform->maxkey, | keylen, txform->minkey, txform->maxkey, | ||||
| txform->name)); | txform->name)); | ||||
| return EINVAL; | return EINVAL; | ||||
| ▲ Show 20 Lines • Show All 809 Lines • Show Last 20 Lines | |||||