head/sys/netipsec/xform_esp.c
SYSCTL_DECL(_net_inet_esp); | SYSCTL_DECL(_net_inet_esp); | ||||
SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable, | SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable, | ||||
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, ""); | CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, ""); | ||||
SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats, | SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats, | ||||
struct espstat, espstat, | struct espstat, espstat, | ||||
"ESP statistics (struct espstat, netipsec/esp_var.h"); | "ESP statistics (struct espstat, netipsec/esp_var.h"); | ||||
static struct timeval deswarn, blfwarn, castwarn, camelliawarn; | |||||
static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; | |||||
static int esp_input_cb(struct cryptop *op); | static int esp_input_cb(struct cryptop *op); | ||||
static int esp_output_cb(struct cryptop *crp); | static int esp_output_cb(struct cryptop *crp); | ||||
size_t | size_t | ||||
esp_hdrsiz(struct secasvar *sav) | esp_hdrsiz(struct secasvar *sav) | ||||
{ | { | ||||
size_t size; | size_t size; | ||||
▲ Show 20 Lines • Show All 46 Lines • ▼ Show 20 Lines | if (sav->key_enc == NULL) { | ||||
return EINVAL; | return EINVAL; | ||||
} | } | ||||
if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) == | if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) == | ||||
SADB_X_EXT_IV4B) { | SADB_X_EXT_IV4B) { | ||||
DPRINTF(("%s: 4-byte IV not supported with protocol\n", | DPRINTF(("%s: 4-byte IV not supported with protocol\n", | ||||
__func__)); | __func__)); | ||||
return EINVAL; | return EINVAL; | ||||
} | } | ||||
switch (sav->alg_enc) { | |||||
case SADB_EALG_DESCBC: | |||||
if (ratecheck(&deswarn, &warninterval)) | |||||
gone_in(13, "DES cipher for IPsec"); | |||||
break; | |||||
case SADB_X_EALG_BLOWFISHCBC: | |||||
if (ratecheck(&blfwarn, &warninterval)) | |||||
gone_in(13, "Blowfish cipher for IPsec"); | |||||
break; | |||||
case SADB_X_EALG_CAST128CBC: | |||||
if (ratecheck(&castwarn, &warninterval)) | |||||
gone_in(13, "CAST cipher for IPsec"); | |||||
break; | |||||
case SADB_X_EALG_CAMELLIACBC: | |||||
if (ratecheck(&camelliawarn, &warninterval)) | |||||
gone_in(13, "Camellia cipher for IPsec"); | |||||
break; | |||||
} | |||||
/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ | /* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ | ||||
keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; | keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; | ||||
if (txform->minkey > keylen || keylen > txform->maxkey) { | if (txform->minkey > keylen || keylen > txform->maxkey) { | ||||
DPRINTF(("%s: invalid key length %u, must be in the range " | DPRINTF(("%s: invalid key length %u, must be in the range " | ||||
"[%u..%u] for algorithm %s\n", __func__, | "[%u..%u] for algorithm %s\n", __func__, | ||||
keylen, txform->minkey, txform->maxkey, | keylen, txform->minkey, txform->maxkey, | ||||
txform->name)); | txform->name)); | ||||
return EINVAL; | return EINVAL; | ||||
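Review bot: The `switch (sav->alg_enc)` block has no `default:` case, so a reader cannot tell whether the remaining encryption algorithms were deliberately left out; add `default:` / `break;` with a one-line comment such as `/* other ciphers are not scheduled for removal */`. The `deswarn`/`blfwarn`/`castwarn`/`camelliawarn` timevals are file-scope statics shared by every vnet and every SA, and `ratecheck()` updates them with no lock visible here, so concurrent callers may occasionally emit a duplicate notice; that looks benign for a deprecation message, but a comment on the declarations saying the race is accepted would save the next reader the analysis. The notice is also emitted before the key-length validation that follows, so an SA that is then rejected with EINVAL still logs a deprecation warning; placing the switch after the `keylen` range check would confine the message to SAs that are actually accepted. The enclosing function starts before this section and continues past its last line, and the rendered side-by-side view does not make certain which column holds the new code, so these remarks apply wherever the switch ends up.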