diff options
| -rw-r--r-- | sys/netipsec/ipsec.c | 1 | ||||
| -rw-r--r-- | sys/netipsec/key.c | 296 | ||||
| -rw-r--r-- | sys/netipsec/key_var.h | 4 | ||||
| -rw-r--r-- | sys/netipsec/keydb.h | 39 | ||||
| -rw-r--r-- | sys/netipsec/xform_ah.c | 8 | ||||
| -rw-r--r-- | sys/netipsec/xform_esp.c | 12 | ||||
| -rw-r--r-- | sys/netipsec/xform_tcp.c | 2 |
7 files changed, 257 insertions, 105 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 4038c00..74ac833 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -92,6 +92,7 @@ #include <machine/in_cksum.h> +#define IPSEC_DEBUG #ifdef IPSEC_DEBUG int ipsec_debug = 1; #else diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index 72cd9d9..843e71c 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -420,7 +420,10 @@ static struct mbuf *key_setsadbaddr __P((u_int16_t, static struct mbuf *key_setsadbxsa2 __P((u_int8_t, u_int32_t, u_int32_t)); static struct mbuf *key_setsadbxpolicy __P((u_int16_t, u_int8_t, u_int32_t)); -static void *key_dup(const void *, u_int, struct malloc_type *); +static struct seckey *key_dup_keymsg(const struct sadb_key *, u_int, + struct malloc_type *); +static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src, + struct malloc_type *type); #ifdef INET6 static int key_ismyaddr6 __P((struct sockaddr_in6 *)); #endif @@ -488,6 +491,10 @@ static int key_promisc __P((struct socket *, struct mbuf *, static int key_senderror __P((struct socket *, struct mbuf *, int)); static int key_validate_ext __P((const struct sadb_ext *, int)); static int key_align __P((struct mbuf *, struct sadb_msghdr *)); +static struct mbuf *key_setlifetime(struct seclifetime *src, + u_int16_t exttype); +static struct mbuf *key_setkey(struct seckey *src, u_int16_t exttype); + #if 0 static const char *key_getfqdn __P((void)); static const char *key_getuserfqdn __P((void)); @@ -909,8 +916,8 @@ key_do_allocsa_policy(struct secashead *sah, u_int state) /* What the best method is to compare ? */ if (key_preferred_oldsa) { - if (candidate->lft_c->sadb_lifetime_addtime > - sav->lft_c->sadb_lifetime_addtime) { + if (candidate->lft_c->addtime > + sav->lft_c->addtime) { candidate = sav; } continue; @@ -918,8 +925,8 @@ key_do_allocsa_policy(struct secashead *sah, u_int state) } /* preferred new sa rather than old sa */ - if (candidate->lft_c->sadb_lifetime_addtime < - sav->lft_c->sadb_lifetime_addtime) { + if (candidate->lft_c->addtime < + sav->lft_c->addtime) { d = candidate; candidate = sav; } else @@ -930,7 +937,7 @@ key_do_allocsa_policy(struct secashead *sah, u_int state) * suitable candidate and the lifetime of the SA is not * permanent. */ - if (d->lft_c->sadb_lifetime_addtime != 0) { + if (d->lft_c->addtime != 0) { struct mbuf *m, *result; u_int8_t satype; @@ -2787,15 +2794,19 @@ key_cleansav(struct secasvar *sav) } else { KASSERT(sav->iv == NULL, ("iv but no xform")); if (sav->key_auth != NULL) - bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); + bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); if (sav->key_enc != NULL) - bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc)); + bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc)); } if (sav->key_auth != NULL) { + if (sav->key_auth->key_data != NULL) + free(sav->key_auth->key_data, M_IPSEC_MISC); free(sav->key_auth, M_IPSEC_MISC); sav->key_auth = NULL; } if (sav->key_enc != NULL) { + if (sav->key_enc->key_data != NULL) + free(sav->key_enc->key_data, M_IPSEC_MISC); free(sav->key_enc, M_IPSEC_MISC); sav->key_enc = NULL; } @@ -3038,9 +3049,11 @@ key_setsaval(sav, m, mhp) goto fail; } - sav->key_auth = key_dup(key0, len, M_IPSEC_MISC); - if (sav->key_auth == NULL) { - ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); + sav->key_auth = (struct seckey *)key_dup_keymsg(key0, len, + M_IPSEC_MISC); + if (sav->key_auth == NULL ) { + ipseclog((LOG_DEBUG, "%s: No more memory.\n", + __func__)); error = ENOBUFS; goto fail; } @@ -3066,7 +3079,9 @@ key_setsaval(sav, m, mhp) error = EINVAL; break; } - sav->key_enc = key_dup(key0, len, M_IPSEC_MISC); + sav->key_enc = (struct seckey *)key_dup_keymsg(key0, + len, + M_IPSEC_MISC); if (sav->key_enc == NULL) { ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); @@ -3126,13 +3141,10 @@ key_setsaval(sav, m, mhp) goto fail; } - sav->lft_c->sadb_lifetime_len = - PFKEY_UNIT64(sizeof(struct sadb_lifetime)); - sav->lft_c->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; - sav->lft_c->sadb_lifetime_allocations = 0; - sav->lft_c->sadb_lifetime_bytes = 0; - sav->lft_c->sadb_lifetime_addtime = time_second; - sav->lft_c->sadb_lifetime_usetime = 0; + sav->lft_c->allocations = 0; + sav->lft_c->bytes = 0; + sav->lft_c->addtime = time_second; + sav->lft_c->usetime = 0; /* lifetimes for HARD and SOFT */ { @@ -3144,7 +3156,7 @@ key_setsaval(sav, m, mhp) error = EINVAL; goto fail; } - sav->lft_h = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC); + sav->lft_h = key_dup_lifemsg(lft0, M_IPSEC_MISC); if (sav->lft_h == NULL) { ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); error = ENOBUFS; @@ -3159,7 +3171,7 @@ key_setsaval(sav, m, mhp) error = EINVAL; goto fail; } - sav->lft_s = key_dup(lft0, sizeof(*lft0), M_IPSEC_MISC); + sav->lft_s = key_dup_lifemsg(lft0, M_IPSEC_MISC); if (sav->lft_s == NULL) { ipseclog((LOG_DEBUG, "%s: No more memory.\n",__func__)); error = ENOBUFS; @@ -3271,9 +3283,7 @@ key_setdumpsa(sav, type, satype, seq, pid) u_int32_t seq, pid; { struct mbuf *result = NULL, *tres = NULL, *m; - int l = 0; int i; - void *p; int dumporder[] = { SADB_EXT_SA, SADB_X_EXT_SA2, SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT, @@ -3290,7 +3300,6 @@ key_setdumpsa(sav, type, satype, seq, pid) for (i = sizeof(dumporder)/sizeof(dumporder[0]) - 1; i >= 0; i--) { m = NULL; - p = NULL; switch (dumporder[i]) { case SADB_EXT_SA: m = key_setsadbsa(sav); @@ -3325,36 +3334,45 @@ key_setdumpsa(sav, type, satype, seq, pid) case SADB_EXT_KEY_AUTH: if (!sav->key_auth) continue; - l = PFKEY_UNUNIT64(sav->key_auth->sadb_key_len); - p = sav->key_auth; + m = key_setkey(sav->key_auth, SADB_EXT_KEY_AUTH); + if (!m) + goto fail; break; case SADB_EXT_KEY_ENCRYPT: if (!sav->key_enc) continue; - l = PFKEY_UNUNIT64(sav->key_enc->sadb_key_len); - p = sav->key_enc; + m = key_setkey(sav->key_enc, SADB_EXT_KEY_ENCRYPT); + if (!m) + goto fail; break; case SADB_EXT_LIFETIME_CURRENT: if (!sav->lft_c) continue; - l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len); - p = sav->lft_c; + m = key_setlifetime(sav->lft_c, + SADB_EXT_LIFETIME_CURRENT); + if (!m) + goto fail; break; case SADB_EXT_LIFETIME_HARD: if (!sav->lft_h) continue; - l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_h)->sadb_ext_len); - p = sav->lft_h; + m = key_setlifetime(sav->lft_h, + SADB_EXT_LIFETIME_HARD); + if (!m) + goto fail; break; case SADB_EXT_LIFETIME_SOFT: if (!sav->lft_s) continue; - l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_s)->sadb_ext_len); - p = sav->lft_s; + m = key_setlifetime(sav->lft_h, + SADB_EXT_LIFETIME_SOFT); + + if (!m) + goto fail; break; case SADB_EXT_ADDRESS_PROXY: @@ -3366,29 +3384,15 @@ key_setdumpsa(sav, type, satype, seq, pid) continue; } - if ((!m && !p) || (m && p)) + if (!m) goto fail; - if (p && tres) { - M_PREPEND(tres, l, M_DONTWAIT); - if (!tres) - goto fail; - bcopy(p, mtod(tres, caddr_t), l); - continue; - } - if (p) { - m = key_alloc_mbuf(l); - if (!m) - goto fail; - m_copyback(m, 0, l, p); - } - if (tres) m_cat(m, tres); tres = m; + } m_cat(result, tres); - if (result->m_len < sizeof(struct sadb_msg)) { result = m_pullup(result, sizeof(struct sadb_msg)); if (result == NULL) @@ -3609,21 +3613,63 @@ key_setsadbxpolicy(type, dir, id) } /* %%% utilities */ -/* - * copy a buffer into the new buffer allocated. +/* Take a key message (sadb_key) from the socket and turn it into one + * of the kernel's key structures (seckey). + * + * IN: pointer to the src + * OUT: NULL no more memory */ -static void * -key_dup(const void *src, u_int len, struct malloc_type *type) +struct seckey * +key_dup_keymsg(const struct sadb_key *src, u_int len, + struct malloc_type *type) { - void *copy; + struct seckey *dst; + dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT); + if (dst != NULL) { + dst->bits = src->sadb_key_bits; + dst->key_data = (char *)malloc(len, type, M_NOWAIT); + if (dst->key_data != NULL) { + bcopy((const char *)src + sizeof(struct sadb_key), + dst->key_data, len); + } else { + ipseclog((LOG_DEBUG, "%s: No more memory.\n", + __func__)); + free(dst, type); + dst = NULL; + } + } else { + ipseclog((LOG_DEBUG, "%s: No more memory.\n", + __func__)); - copy = malloc(len, type, M_NOWAIT); - if (copy == NULL) { + } + return dst; +} + +/* Take a lifetime message (sadb_lifetime) passed in on a socket and + * turn it into one of the kernel's lifetime structures (seclifetime). + * + * IN: pointer to the destination, source and malloc type + * OUT: NULL, no more memory + */ + +static struct seclifetime * +key_dup_lifemsg(const struct sadb_lifetime *src, + struct malloc_type *type) +{ + struct seclifetime *dst = NULL; + + dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), + type, M_NOWAIT); + if (dst == NULL) { /* XXX counter */ ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); - } else - bcopy(src, copy, len); - return copy; + } else { + dst->allocations = src->sadb_lifetime_allocations; + dst->bytes = src->sadb_lifetime_bytes; + dst->addtime = src->sadb_lifetime_addtime; + dst->usetime = src->sadb_lifetime_usetime; + } + return dst; } /* compare my own address @@ -4071,13 +4117,13 @@ key_flush_sad(time_t now) } /* check SOFT lifetime */ - if (sav->lft_s->sadb_lifetime_addtime != 0 && - now - sav->created > sav->lft_s->sadb_lifetime_addtime) { + if (sav->lft_s->addtime != 0 && + now - sav->created > sav->lft_s->addtime) { /* * check SA to be used whether or not. * when SA hasn't been used, delete it. */ - if (sav->lft_c->sadb_lifetime_usetime == 0) { + if (sav->lft_c->usetime == 0) { key_sa_chgstate(sav, SADB_SASTATE_DEAD); KEY_FREESAV(&sav); } else { @@ -4096,8 +4142,8 @@ key_flush_sad(time_t now) * when new SA is installed. Caution when it's * installed too big lifetime by time. */ - else if (sav->lft_s->sadb_lifetime_bytes != 0 && - sav->lft_s->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) { + else if (sav->lft_s->bytes != 0 && + sav->lft_s->bytes < sav->lft_c->bytes) { key_sa_chgstate(sav, SADB_SASTATE_DYING); /* @@ -4122,15 +4168,15 @@ key_flush_sad(time_t now) continue; } - if (sav->lft_h->sadb_lifetime_addtime != 0 && - now - sav->created > sav->lft_h->sadb_lifetime_addtime) { + if (sav->lft_h->addtime != 0 && + now - sav->created > sav->lft_h->addtime) { key_sa_chgstate(sav, SADB_SASTATE_DEAD); KEY_FREESAV(&sav); } #if 0 /* XXX Should we keep to send expire message until HARD lifetime ? */ else if (sav->lft_s != NULL - && sav->lft_s->sadb_lifetime_addtime != 0 - && now - sav->created > sav->lft_s->sadb_lifetime_addtime) { + && sav->lft_s->addtime != 0 + && now - sav->created > sav->lft_s->addtime) { /* * XXX: should be checked to be * installed the valid SA. @@ -4144,8 +4190,8 @@ key_flush_sad(time_t now) } #endif /* check HARD lifetime by bytes */ - else if (sav->lft_h->sadb_lifetime_bytes != 0 && - sav->lft_h->sadb_lifetime_bytes < sav->lft_c->sadb_lifetime_bytes) { + else if (sav->lft_h->bytes != 0 && + sav->lft_h->bytes < sav->lft_c->bytes) { key_sa_chgstate(sav, SADB_SASTATE_DEAD); KEY_FREESAV(&sav); } @@ -4977,20 +5023,23 @@ key_setident(sah, m, mhp) } /* make structure */ - sah->idents = malloc(idsrclen, M_IPSEC_MISC, M_NOWAIT); + sah->idents = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); if (sah->idents == NULL) { ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); return ENOBUFS; } - sah->identd = malloc(iddstlen, M_IPSEC_MISC, M_NOWAIT); + sah->identd = malloc(sizeof(struct secident), M_IPSEC_MISC, M_NOWAIT); if (sah->identd == NULL) { free(sah->idents, M_IPSEC_MISC); sah->idents = NULL; ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__)); return ENOBUFS; } - bcopy(idsrc, sah->idents, idsrclen); - bcopy(iddst, sah->identd, iddstlen); + sah->idents->type = idsrc->sadb_ident_type; + sah->idents->id = idsrc->sadb_ident_id; + + sah->identd->type = iddst->sadb_ident_type; + sah->identd->id = iddst->sadb_ident_id; return 0; } @@ -6262,10 +6311,10 @@ key_expire(struct secasvar *sav) lt = mtod(m, struct sadb_lifetime *); lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime)); lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT; - lt->sadb_lifetime_allocations = sav->lft_c->sadb_lifetime_allocations; - lt->sadb_lifetime_bytes = sav->lft_c->sadb_lifetime_bytes; - lt->sadb_lifetime_addtime = sav->lft_c->sadb_lifetime_addtime; - lt->sadb_lifetime_usetime = sav->lft_c->sadb_lifetime_usetime; + lt->sadb_lifetime_allocations = sav->lft_c->allocations; + lt->sadb_lifetime_bytes = sav->lft_c->bytes; + lt->sadb_lifetime_addtime = sav->lft_c->addtime; + lt->sadb_lifetime_usetime = sav->lft_c->usetime; lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2); bcopy(sav->lft_s, lt, sizeof(*lt)); m_cat(result, m); @@ -7103,21 +7152,21 @@ key_sa_recordxfer(sav, m) * XXX Currently, there is a difference of bytes size * between inbound and outbound processing. */ - sav->lft_c->sadb_lifetime_bytes += m->m_pkthdr.len; + sav->lft_c->bytes += m->m_pkthdr.len; /* to check bytes lifetime is done in key_timehandler(). */ /* * We use the number of packets as the unit of - * sadb_lifetime_allocations. We increment the variable + * allocations. We increment the variable * whenever {esp,ah}_{in,out}put is called. */ - sav->lft_c->sadb_lifetime_allocations++; + sav->lft_c->allocations++; /* XXX check for expires? */ /* - * NOTE: We record CURRENT sadb_lifetime_usetime by using wall clock, + * NOTE: We record CURRENT usetime by using wall clock, * in seconds. HARD and SOFT lifetime are measured by the time - * difference (again in seconds) from sadb_lifetime_usetime. + * difference (again in seconds) from usetime. * * usetime * v expire expire @@ -7125,7 +7174,7 @@ key_sa_recordxfer(sav, m) * <--------------> HARD * <-----> SOFT */ - sav->lft_c->sadb_lifetime_usetime = time_second; + sav->lft_c->usetime = time_second; /* XXX check for expires? */ return; @@ -7214,3 +7263,80 @@ key_alloc_mbuf(l) return m; } + +/* + * Take one of the kernel's security keys and convert it into a PF_KEY + * structure within an mbuf, suitable for sending up to a waiting + * application in user land. + * + * IN: + * src: A pointer to a kernel security key. + * exttype: Which type of key this is. Refer to the PF_KEY data structures. + * OUT: + * a valid mbuf or NULL indicating an error + * + */ + +static struct mbuf * +key_setkey(struct seckey *src, u_int16_t exttype) +{ + struct mbuf *m; + struct sadb_key *p; + int len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src)); + + if (src == NULL) + return NULL; + + m = key_alloc_mbuf(len); + if (m == NULL) + return NULL; + p = mtod(m, struct sadb_key *); + bzero(p, len); + p->sadb_key_len = PFKEY_UNIT64(len); + p->sadb_key_exttype = exttype; + p->sadb_key_bits = src->bits; + bcopy(src->key_data, _KEYBUF(p), _KEYLEN(src)); + + return m; +} + +/* + * Take one of the kernel's lifetime data structures and convert it + * into a PF_KEY structure within an mbuf, suitable for sending up to + * a waiting application in user land. + * + * IN: + * src: A pointer to a kernel lifetime structure. + * exttype: Which type of lifetime this is. Refer to the PF_KEY + * data structures for more information. + * OUT: + * a valid mbuf or NULL indicating an error + * + */ + +static struct mbuf * +key_setlifetime(struct seclifetime *src, u_int16_t exttype) +{ + struct mbuf *m = NULL; + struct sadb_lifetime *p; + int len = PFKEY_ALIGN8(sizeof(struct sadb_lifetime)); + + if (src == NULL) + return NULL; + + m = key_alloc_mbuf(len); + if (m == NULL) + return m; + p = mtod(m, struct sadb_lifetime *); + + bzero(p, len); + p->sadb_lifetime_len = PFKEY_UNIT64(len); + p->sadb_lifetime_exttype = exttype; + p->sadb_lifetime_allocations = src->allocations; + p->sadb_lifetime_bytes = src->bytes; + p->sadb_lifetime_addtime = src->addtime; + p->sadb_lifetime_usetime = src->usetime; + + return m; + +} diff --git a/sys/netipsec/key_var.h b/sys/netipsec/key_var.h index e7d7005..edf232d 100644 --- a/sys/netipsec/key_var.h +++ b/sys/netipsec/key_var.h @@ -66,8 +66,8 @@ #ifdef _KERNEL #define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0])) -#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3)) -#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits)) +#define _KEYLEN(key) ((u_int)((key)->bits >> 3)) +#define _KEYBITS(key) ((u_int)((key)->bits)) #define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key))) #endif /*_KERNEL*/ diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h index 6136c17..c9a37e3 100644 --- a/sys/netipsec/keydb.h +++ b/sys/netipsec/keydb.h @@ -60,14 +60,39 @@ struct secasindex { /* see IPSEC_MANUAL_REQID_MAX. */ }; +/* + * In order to split out the keydb implementation from that of the + * PF_KEY sockets we need to define a few structures that while they + * may seem common are likely to diverge over time. + */ + +/* sadb_identity */ +struct secident { + u_int16_t type; + u_int64_t id; +}; + +/* sadb_key */ +struct seckey { + u_int16_t bits; + char *key_data; +}; + +struct seclifetime { + u_int32_t allocations; + u_int64_t bytes; + u_int64_t addtime; + u_int64_t usetime; +}; + /* Security Association Data Base */ struct secashead { LIST_ENTRY(secashead) chain; struct secasindex saidx; - struct sadb_ident *idents; /* source identity */ - struct sadb_ident *identd; /* destination identity */ + struct secident *idents; /* source identity */ + struct secident *identd; /* destination identity */ /* XXX I don't know how to use them. */ u_int8_t state; /* MATURE or DEAD. */ @@ -97,8 +122,8 @@ struct secasvar { u_int32_t spi; /* SPI Value, network byte order */ u_int32_t flags; /* holder for SADB_KEY_FLAGS */ - struct sadb_key *key_auth; /* Key for Authentication */ - struct sadb_key *key_enc; /* Key for Encryption */ + struct seckey *key_auth; /* Key for Authentication */ + struct seckey *key_enc; /* Key for Encryption */ caddr_t iv; /* Initilization Vector */ u_int ivlen; /* length of IV */ void *sched; /* intermediate encryption key */ @@ -107,9 +132,9 @@ struct secasvar { struct secreplay *replay; /* replay prevention */ time_t created; /* for lifetime */ - struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */ - struct sadb_lifetime *lft_h; /* HARD lifetime */ - struct sadb_lifetime *lft_s; /* SOFT lifetime */ + struct seclifetime *lft_c; /* CURRENT lifetime, it's constant. */ + struct seclifetime *lft_h; /* HARD lifetime */ + struct seclifetime *lft_s; /* SOFT lifetime */ u_int32_t seq; /* sequence number */ pid_t pid; /* message's pid */ diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 862134f..e3da578 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -201,7 +201,7 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) bzero(cria, sizeof (*cria)); cria->cri_alg = sav->tdb_authalgxform->type; cria->cri_klen = _KEYBITS(sav->key_auth); - cria->cri_key = _KEYBUF(sav->key_auth); + cria->cri_key = sav->key_auth->key_data; return 0; } @@ -231,7 +231,7 @@ ah_zeroize(struct secasvar *sav) int err; if (sav->key_auth) - bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); + bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); err = crypto_freesession(sav->tdb_cryptoid); sav->tdb_cryptoid = 0; @@ -622,8 +622,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) /* Authentication operation. */ crda->crd_alg = ahx->type; - crda->crd_key = _KEYBUF(sav->key_auth); crda->crd_klen = _KEYBITS(sav->key_auth); + crda->crd_key = sav->key_auth->key_data; /* Find out if we've already done crypto. */ for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); @@ -1020,7 +1020,7 @@ ah_output( /* Authentication operation. */ crda->crd_alg = ahx->type; - crda->crd_key = _KEYBUF(sav->key_auth); + crda->crd_key = sav->key_auth->key_data; crda->crd_klen = _KEYBITS(sav->key_auth); /* Allocate IPsec-specific opaque crypto info. */ diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index 107dccf..993ece6 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -215,7 +215,7 @@ esp_init(struct secasvar *sav, struct xformsw *xsp) bzero(&crie, sizeof (crie)); crie.cri_alg = sav->tdb_encalgxform->type; crie.cri_klen = _KEYBITS(sav->key_enc); - crie.cri_key = _KEYBUF(sav->key_enc); + crie.cri_key = sav->key_enc->key_data; /* XXX Rounds ? */ if (sav->tdb_authalgxform && sav->tdb_encalgxform) { @@ -248,7 +248,7 @@ esp_zeroize(struct secasvar *sav) int error = ah_zeroize(sav); if (sav->key_enc) - bzero(_KEYBUF(sav->key_enc), _KEYLEN(sav->key_enc)); + bzero(sav->key_enc->key_data, _KEYLEN(sav->key_enc)); if (sav->iv) { free(sav->iv, M_XDATA); sav->iv = NULL; @@ -381,7 +381,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) crda->crd_inject = m->m_pkthdr.len - alen; crda->crd_alg = esph->type; - crda->crd_key = _KEYBUF(sav->key_auth); + crda->crd_key = sav->key_auth->key_data; crda->crd_klen = _KEYBITS(sav->key_auth); /* Copy the authenticator */ @@ -418,7 +418,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) crde->crd_inject = skip + hlen - sav->ivlen; crde->crd_alg = espx->type; - crde->crd_key = _KEYBUF(sav->key_enc); + crde->crd_key = sav->key_enc->key_data; crde->crd_klen = _KEYBITS(sav->key_enc); /* XXX Rounds ? */ } @@ -825,7 +825,7 @@ esp_output( /* Encryption operation. */ crde->crd_alg = espx->type; - crde->crd_key = _KEYBUF(sav->key_enc); + crde->crd_key = sav->key_enc->key_data; crde->crd_klen = _KEYBITS(sav->key_enc); /* XXX Rounds ? */ } else @@ -864,7 +864,7 @@ esp_output( /* Authentication operation. */ crda->crd_alg = esph->type; - crda->crd_key = _KEYBUF(sav->key_auth); + crda->crd_key = sav->key_auth->key_data; crda->crd_klen = _KEYBITS(sav->key_auth); } diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c index c70d70a..a401548 100644 --- a/sys/netipsec/xform_tcp.c +++ b/sys/netipsec/xform_tcp.c @@ -117,7 +117,7 @@ tcpsignature_zeroize(struct secasvar *sav) { if (sav->key_auth) - bzero(_KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth)); + bzero(sav->key_auth->key_data, _KEYLEN(sav->key_auth)); sav->tdb_cryptoid = 0; sav->tdb_authalgxform = NULL; |
