author | vanhu <vanhu@FreeBSD.org> | 2011-02-18 09:40:13 +0000 |
---|---|---|
committer | vanhu <vanhu@FreeBSD.org> | 2011-02-18 09:40:13 +0000 |
commit | b5386e15c14dd35dcd82a748b00a7a741b1238f9 (patch) | |
tree | 7caf902dec994fcea8dd9be967378950d398ba35 /sys/netipsec/xform_ah.c | |
parent | f9ba5edcb6ab519d38ac8a40899df85ba5713843 (diff) | |
Fixed IPsec's HMAC-SHA-256/384/512 support to be RFC 4868 compliant.
This will break interoperability with all older versions of
FreeBSD for those algorithms.
Reviewed by: bz, gnn
Obtained from: NETASQ
MFC after: 1w
Diffstat (limited to 'sys/netipsec/xform_ah.c')
-rw-r--r-- | sys/netipsec/xform_ah.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index d77f246..5701f90 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -85,8 +85,7 @@
  * to use a fixed 16-byte authenticator. The new algorithm use 12-byte
  * authenticator.
  */
-#define AUTHSIZE(sav) \
- ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
+#define AUTHSIZE(sav) ah_authsize(sav)
 
 VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */
 VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */
@@ -105,6 +104,27 @@ static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
 static int ah_input_cb(struct cryptop*);
 static int ah_output_cb(struct cryptop*);
 
+static int
+ah_authsize(struct secasvar *sav)
+{
+
+ IPSEC_ASSERT(sav != NULL, ("%s: sav == NULL", __func__));
+
+ if (sav->flags & SADB_X_EXT_OLD)
+ return 16;
+
+ switch (sav->alg_auth) {
+ case SADB_X_AALG_SHA2_256:
+ return 16;
+ case SADB_X_AALG_SHA2_384:
+ return 24;
+ case SADB_X_AALG_SHA2_512:
+ return 32;
+ default:
+ return AH_HMAC_HASHLEN;
+ }
+ /* NOTREACHED */
+}
 /*
  * NB: this is public for use by the PF_KEY support.
  */ |
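Review bot: The comment directly above the rewritten `AUTHSIZE` macro still states that "The new algorithm use 12-byte authenticator", which is no longer accurate once the macro resolves to ah_authsize() and that function returns 16, 24 or 32 bytes for the HMAC-SHA-2 algorithms. A reader of this header comment would conclude every non-OLD SA uses a 96-bit ICV and miss the RFC 4868 special case. Suggested replacement for the ` * authenticator.` line: ` * authenticator, except HMAC-SHA-256/384/512 (RFC 4868), which use`, followed by ` * half of the hash length; see ah_authsize().` The comment block begins before the first line of this hunk.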
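Review bot: The ICV lengths 16, 24 and 32 returned from the `switch` in ah_authsize() are unexplained magic numbers, and nothing in the function says why they differ from `AH_HMAC_HASHLEN`; a short comment above the switch would make the spec dependency explicit, e.g. `/* RFC 4868 sec. 2.3: ICV is the leading half of the HMAC output (128/192/256 bits). */`, with `/* MD5, SHA-1 (RFC 2403/2404) and others: 96-bit ICV */` on the `default` case. Note also that the `SADB_X_EXT_OLD` test precedes the switch, so an SA carrying that flag together with a SHA-2 algorithm is silently given a 16-byte ICV rather than the RFC 4868 length; if key management rejects that combination (not visible here) that is fine, but it deserves a comment such as `/* RFC 1826-style AH: full 128-bit MD5; SHA-2 is never "old" */` on the early return so the ordering is not later mistaken for a bug. Consider wrapping the new values in named constants if the file already has an `AH_*` naming convention for ICV sizes.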