head/sys/netipsec/xform_esp.c
SYSCTL_DECL(_net_inet_esp); | SYSCTL_DECL(_net_inet_esp); | ||||
SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable, | SYSCTL_INT(_net_inet_esp, OID_AUTO, esp_enable, | ||||
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, ""); | CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(esp_enable), 0, ""); | ||||
SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats, | SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats, | ||||
struct espstat, espstat, | struct espstat, espstat, | ||||
"ESP statistics (struct espstat, netipsec/esp_var.h"); | "ESP statistics (struct espstat, netipsec/esp_var.h"); | ||||
static struct timeval deswarn, blfwarn, castwarn, camelliawarn, tdeswarn; | |||||
static int esp_input_cb(struct cryptop *op); | static int esp_input_cb(struct cryptop *op); | ||||
static int esp_output_cb(struct cryptop *crp); | static int esp_output_cb(struct cryptop *crp); | ||||
size_t | size_t | ||||
esp_hdrsiz(struct secasvar *sav) | esp_hdrsiz(struct secasvar *sav) | ||||
{ | { | ||||
size_t size; | size_t size; | ||||
▲ Show 20 Lines • Show All 45 Lines • ▼ Show 20 Lines | DPRINTF(("%s: no encoding key for %s algorithm\n", | ||||
__func__, txform->name)); | __func__, txform->name)); | ||||
return EINVAL; | return EINVAL; | ||||
} | } | ||||
if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) == | if ((sav->flags & (SADB_X_EXT_OLD | SADB_X_EXT_IV4B)) == | ||||
SADB_X_EXT_IV4B) { | SADB_X_EXT_IV4B) { | ||||
DPRINTF(("%s: 4-byte IV not supported with protocol\n", | DPRINTF(("%s: 4-byte IV not supported with protocol\n", | ||||
__func__)); | __func__)); | ||||
return EINVAL; | return EINVAL; | ||||
} | |||||
switch (sav->alg_enc) { | |||||
case SADB_EALG_DESCBC: | |||||
if (ratecheck(&deswarn, &ipsec_warn_interval)) | |||||
gone_in(13, "DES cipher for IPsec"); | |||||
break; | |||||
case SADB_EALG_3DESCBC: | |||||
if (ratecheck(&tdeswarn, &ipsec_warn_interval)) | |||||
gone_in(13, "3DES cipher for IPsec"); | |||||
break; | |||||
case SADB_X_EALG_BLOWFISHCBC: | |||||
if (ratecheck(&blfwarn, &ipsec_warn_interval)) | |||||
gone_in(13, "Blowfish cipher for IPsec"); | |||||
break; | |||||
case SADB_X_EALG_CAST128CBC: | |||||
if (ratecheck(&castwarn, &ipsec_warn_interval)) | |||||
gone_in(13, "CAST cipher for IPsec"); | |||||
break; | |||||
case SADB_X_EALG_CAMELLIACBC: | |||||
if (ratecheck(&camelliawarn, &ipsec_warn_interval)) | |||||
gone_in(13, "Camellia cipher for IPsec"); | |||||
break; | |||||
} | } | ||||
/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ | /* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ | ||||
keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; | keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; | ||||
if (txform->minkey > keylen || keylen > txform->maxkey) { | if (txform->minkey > keylen || keylen > txform->maxkey) { | ||||
DPRINTF(("%s: invalid key length %u, must be in the range " | DPRINTF(("%s: invalid key length %u, must be in the range " | ||||
"[%u..%u] for algorithm %s\n", __func__, | "[%u..%u] for algorithm %s\n", __func__, | ||||
keylen, txform->minkey, txform->maxkey, | keylen, txform->minkey, txform->maxkey, | ||||
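Review bot: The added `switch (sav->alg_enc)` has no `default:` arm, so a reader cannot tell whether the remaining SADB_EALG values were deliberately left unwarned; add `default: break; /* all other ciphers stay supported */` so the intent is explicit and -Wswitch-default stays quiet. The five file-scope timevals on the added declaration line also deserve a one-line comment such as `/* per-cipher ratecheck() state for the deprecation warnings in the cipher switch below */`, since their purpose is only visible many lines later. Because the warning fires only when the SA is initialised and appears to be throttled per cipher by ipsec_warn_interval, an operator auditing for weak-cipher SAs will see at most one message per interval rather than one per SA; if that matters for detection, a per-cipher counter in espstat would make the usage observable via sysctl. The enclosing function starts and ends outside this hunk.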