Add support for IPsec ESN and pass relevant information to crypto layer

Description

Implement support for including IPsec ESN (Extended Sequence Number) in
both encrypt and authenticate mode (e.g. AES-CBC and SHA256) and combined
mode (e.g. AES-GCM). Both ESP and AH protocols are updated. Additionally,
pass relevant information about ESN to the crypto layer.

For the ETA mode the ESN is stored in a separate crp_esn buffer because
the high-order 32 bits of the sequence number are appended after the
Next Header (RFC 4303).

For the AEAD modes the high-order 32 bits of the sequence number
[e.g. RFC 4106, Chapter 5 AAD Construction] are included as part of
crp_aad (SPI + ESN (32 high order bits) + Seq nr (32 low order bits)).

Submitted by: Grzegorz Jaszczyk <jaz@semihalf.com>
              Patryk Duda <pdk@semihalf.com>

Reviewed by: jhb, gnn
Differential revision: https://reviews.freebsd.org/D22369
Obtained from: Semihalf
Sponsored by: Stormshield
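
The two ESN placements described in the commit message, shown as byte layouts. This is an added example, not code from the commit or from FreeBSD; the function names esp_build_aad and esp_build_icv_input and the sample SPI and sequence number are assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a 32-bit value in network byte order. */
static void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* AEAD AAD (RFC 4106, section 5): SPI | seq-lo (8 bytes) without ESN,
 * SPI | seq-hi | seq-lo (12 bytes) with ESN. Returns length, 0 on error. */
size_t esp_build_aad(uint8_t *aad, size_t cap, uint32_t spi, uint64_t seq, int esn)
{
	size_t off = 4, need = esn ? 12 : 8;
	if (cap < need)
		return 0;
	put_be32(aad, spi);
	if (esn) {
		put_be32(aad + off, (uint32_t)(seq >> 32));
		off += 4;
	}
	put_be32(aad + off, (uint32_t)seq);
	return need;
}

/* ETA ICV input (RFC 4303): the ESP packet from SPI through Next Header,
 * then seq-hi appended. seq-hi is authenticated but never transmitted. */
size_t esp_build_icv_input(uint8_t *out, size_t cap, const uint8_t *esp,
    size_t esp_len, uint64_t seq, int esn)
{
	size_t need = esp_len + (esn ? 4 : 0);
	if (esp_len < 8 || need < esp_len || cap < need) /* short or overflow */
		return 0;
	memcpy(out, esp, esp_len);
	if (esn)
		put_be32(out + esp_len, (uint32_t)(seq >> 32));
	return need;
}

int main(void)
{
	uint8_t aad[12]; /* constructed sample SPI and 64-bit sequence number */
	size_t n = esp_build_aad(aad, sizeof(aad), 0x11223344u, 0x100000002ULL, 1);
	for (size_t i = 0; i < n; i++) printf("%02x", aad[i]);
	puts(""); return 0;
}
```

In both layouts only the low-order 32 bits appear in the ESP header on the wire, so a receiver that reconstructs the wrong high-order half fails the integrity check.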

Details

Provenance: authored by mw
Reviewer: jhb
Differential Revision: D22369: Add support for IPSec ESN and pass relevant information to crypto layer
Parents: rS366757: Implement anti-replay algorithm with ESN support