diff options
-rw-r--r-- | lib/libipsec/pfkey_dump.c | 3 | ||||
-rw-r--r-- | sbin/setkey/setkey.8 | 2 | ||||
-rw-r--r-- | sbin/setkey/token.l | 1 | ||||
-rw-r--r-- | share/doc/IPv6/IMPLEMENTATION | 2 | ||||
-rw-r--r-- | sys/conf/files | 1 | ||||
-rw-r--r-- | sys/netinet6/ah.h | 2 | ||||
-rw-r--r-- | sys/netinet6/ah_core.c | 390 | ||||
-rw-r--r-- | sys/netinet6/esp_core.c | 2 | ||||
-rw-r--r-- | usr.sbin/setkey/setkey.8 | 2 | ||||
-rw-r--r-- | usr.sbin/setkey/token.l | 1 |
10 files changed, 200 insertions, 206 deletions
diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c index af3db0eb47c6..67e62564c044 100644 --- a/lib/libipsec/pfkey_dump.c +++ b/lib/libipsec/pfkey_dump.c @@ -172,6 +172,9 @@ static struct val2str str_alg_auth[] = { #ifdef SADB_X_AALG_SHA2_512 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", }, #endif +#ifdef SADB_X_AALG_RIPEMD160HMAC + { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", }, +#endif { -1, NULL, }, }; diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8 index 7c8cf38cb304..d11a6addcd9d 100644 --- a/sbin/setkey/setkey.8 +++ b/sbin/setkey/setkey.8 @@ -549,6 +549,8 @@ hmac-sha2-384 384 ah: 96bit ICV (no document) 384 ah-old: 128bit ICV (no document) hmac-sha2-512 512 ah: 96bit ICV (no document) 512 ah-old: 128bit ICV (no document) +hmac-ripemd160 160 ah: 96bit ICV (RFC2857) + ah-old: 128bit ICV (no document) .Ed .Pp Followings are the list of encryption algorithms that can be used as diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l index 208196e3cdc8..eed519082a40 100644 --- a/sbin/setkey/token.l +++ b/sbin/setkey/token.l @@ -170,6 +170,7 @@ keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); } hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); } hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); } hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); } +hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); } null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); } /* encryption alogorithm */ diff --git a/share/doc/IPv6/IMPLEMENTATION b/share/doc/IPv6/IMPLEMENTATION index 1b663dc084ae..5bc6bd6d0bc1 100644 --- a/share/doc/IPv6/IMPLEMENTATION +++ b/share/doc/IPv6/IMPLEMENTATION @@ -1717,6 +1717,7 @@ Currently supported algorithms are: keyed SHA1 with 128bit crypto checksum (no document) HMAC MD5 with 128bit crypto checksum (rfc2085.txt) HMAC SHA1 with 128bit crypto checksum (no document) + HMAC RIPEMD160 with 128bit crypto checksum (no document) old IPsec ESP null encryption (no document, similar to rfc2410.txt) DES-CBC mode (rfc1829.txt) @@ -1729,6 +1730,7 @@ Currently supported algorithms are: HMAC SHA2-256 with 96bit crypto checksum (no document) HMAC SHA2-384 with 96bit crypto checksum (no document) HMAC SHA2-512 with 96bit crypto checksum (no document) + HMAC RIPEMD160 with 96bit crypto checksum (RFC2857) new IPsec ESP null encryption (rfc2410.txt) DES-CBC with derived IV diff --git a/sys/conf/files b/sys/conf/files index b65d279e4d5c..b46a38d34202 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -207,6 +207,7 @@ crypto/des/des_ecb.c optional ipsec ipsec_esp crypto/des/des_setkey.c optional ipsec ipsec_esp crypto/rijndael/rijndael-alg-fst.c optional ipsec ipsec_esp crypto/rijndael/rijndael-api-fst.c optional ipsec ipsec_esp +crypto/ripemd160/rmd160.c optional ipsec crypto/sha1.c optional ipsec crypto/sha2/sha2.c optional ipsec ddb/db_access.c optional ddb diff --git a/sys/netinet6/ah.h b/sys/netinet6/ah.h index 1934569e1258..79435a386595 100644 --- a/sys/netinet6/ah.h +++ b/sys/netinet6/ah.h @@ -74,7 +74,7 @@ struct ah_algorithm { const char *name; int (*init) __P((struct ah_algorithm_state *, struct secasvar *)); void (*update) __P((struct ah_algorithm_state *, caddr_t, size_t)); - void (*result) __P((struct ah_algorithm_state *, caddr_t)); + void (*result) __P((struct ah_algorithm_state *, caddr_t, size_t)); }; #define AH_MAXSUMSIZE 16 diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c index 2785fa0277bf..a456926fa954 100644 --- a/sys/netinet6/ah_core.c +++ b/sys/netinet6/ah_core.c @@ -85,6 +85,8 @@ #include <sys/md5.h> #include <crypto/sha1.h> #include <crypto/sha2/sha2.h> +#include <crypto/ripemd160/rmd160.h> +#define RIPEMD160_RESULTLEN 20 #include <net/net_osdep.h> @@ -92,52 +94,60 @@ static int ah_sumsiz_1216 __P((struct secasvar *)); static int ah_sumsiz_zero __P((struct secasvar *)); +static int ah_common_mature __P((struct secasvar *)); static int ah_none_mature __P((struct secasvar *)); static int ah_none_init __P((struct ah_algorithm_state *, struct secasvar *)); static void ah_none_loop __P((struct ah_algorithm_state *, caddr_t, size_t)); -static void ah_none_result __P((struct ah_algorithm_state *, caddr_t)); +static void ah_none_result __P((struct ah_algorithm_state *, caddr_t, size_t)); static int ah_keyed_md5_mature __P((struct secasvar *)); static int ah_keyed_md5_init __P((struct ah_algorithm_state *, struct secasvar *)); static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, caddr_t, size_t)); -static void ah_keyed_md5_result __P((struct ah_algorithm_state *, caddr_t)); -static int ah_keyed_sha1_mature __P((struct secasvar *)); +static void ah_keyed_md5_result __P((struct ah_algorithm_state *, + caddr_t, size_t)); static int ah_keyed_sha1_init __P((struct ah_algorithm_state *, struct secasvar *)); static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, caddr_t, size_t)); -static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, caddr_t)); -static int ah_hmac_md5_mature __P((struct secasvar *)); +static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, caddr_t, + size_t)); static int ah_hmac_md5_init __P((struct ah_algorithm_state *, struct secasvar *)); static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, caddr_t, size_t)); -static void ah_hmac_md5_result __P((struct ah_algorithm_state *, caddr_t)); -static int ah_hmac_sha1_mature __P((struct secasvar *)); +static void ah_hmac_md5_result __P((struct ah_algorithm_state *, + caddr_t, size_t)); static int ah_hmac_sha1_init __P((struct ah_algorithm_state *, struct secasvar *)); static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, caddr_t, size_t)); -static void ah_hmac_sha1_result __P((struct ah_algorithm_state *, caddr_t)); -static int ah_hmac_sha2_256_mature __P((struct secasvar *)); +static void ah_hmac_sha1_result __P((struct ah_algorithm_state *, + caddr_t, size_t)); static int ah_hmac_sha2_256_init __P((struct ah_algorithm_state *, struct secasvar *)); static void ah_hmac_sha2_256_loop __P((struct ah_algorithm_state *, caddr_t, size_t)); -static void ah_hmac_sha2_256_result __P((struct ah_algorithm_state *, caddr_t)); -static int ah_hmac_sha2_384_mature __P((struct secasvar *)); +static void ah_hmac_sha2_256_result __P((struct ah_algorithm_state *, + caddr_t, size_t)); static int ah_hmac_sha2_384_init __P((struct ah_algorithm_state *, struct secasvar *)); static void ah_hmac_sha2_384_loop __P((struct ah_algorithm_state *, caddr_t, size_t)); -static void ah_hmac_sha2_384_result __P((struct ah_algorithm_state *, caddr_t)); -static int ah_hmac_sha2_512_mature __P((struct secasvar *)); +static void ah_hmac_sha2_384_result __P((struct ah_algorithm_state *, + caddr_t, size_t)); static int ah_hmac_sha2_512_init __P((struct ah_algorithm_state *, struct secasvar *)); static void ah_hmac_sha2_512_loop __P((struct ah_algorithm_state *, caddr_t, size_t)); -static void ah_hmac_sha2_512_result __P((struct ah_algorithm_state *, caddr_t)); +static void ah_hmac_sha2_512_result __P((struct ah_algorithm_state *, + caddr_t, size_t)); +static int ah_hmac_ripemd160_init __P((struct ah_algorithm_state *, + struct secasvar *)); +static void ah_hmac_ripemd160_loop __P((struct ah_algorithm_state *, caddr_t, + size_t)); +static void ah_hmac_ripemd160_result __P((struct ah_algorithm_state *, + caddr_t, size_t)); static void ah_update_mbuf __P((struct mbuf *, int, int, const struct ah_algorithm *, struct ah_algorithm_state *)); @@ -148,32 +158,36 @@ ah_algorithm_lookup(idx) { /* checksum algorithms */ static struct ah_algorithm ah_algorithms[] = { - { ah_sumsiz_1216, ah_hmac_md5_mature, 128, 128, "hmac-md5", + { ah_sumsiz_1216, ah_common_mature, 128, 128, "hmac-md5", ah_hmac_md5_init, ah_hmac_md5_loop, ah_hmac_md5_result, }, - { ah_sumsiz_1216, ah_hmac_sha1_mature, 160, 160, "hmac-sha1", + { ah_sumsiz_1216, ah_common_mature, 160, 160, "hmac-sha1", ah_hmac_sha1_init, ah_hmac_sha1_loop, ah_hmac_sha1_result, }, { ah_sumsiz_1216, ah_keyed_md5_mature, 128, 128, "keyed-md5", ah_keyed_md5_init, ah_keyed_md5_loop, ah_keyed_md5_result, }, - { ah_sumsiz_1216, ah_keyed_sha1_mature, 160, 160, "keyed-sha1", + { ah_sumsiz_1216, ah_common_mature, 160, 160, "keyed-sha1", ah_keyed_sha1_init, ah_keyed_sha1_loop, ah_keyed_sha1_result, }, { ah_sumsiz_zero, ah_none_mature, 0, 2048, "none", ah_none_init, ah_none_loop, ah_none_result, }, - { ah_sumsiz_1216, ah_hmac_sha2_256_mature, 256, 256, + { ah_sumsiz_1216, ah_common_mature, 256, 256, "hmac-sha2-256", ah_hmac_sha2_256_init, ah_hmac_sha2_256_loop, ah_hmac_sha2_256_result, }, - { ah_sumsiz_1216, ah_hmac_sha2_384_mature, 384, 384, + { ah_sumsiz_1216, ah_common_mature, 384, 384, "hmac-sha2-384", ah_hmac_sha2_384_init, ah_hmac_sha2_384_loop, ah_hmac_sha2_384_result, }, - { ah_sumsiz_1216, ah_hmac_sha2_512_mature, 512, 512, + { ah_sumsiz_1216, ah_common_mature, 512, 512, "hmac-sha2-512", ah_hmac_sha2_512_init, ah_hmac_sha2_512_loop, ah_hmac_sha2_512_result, }, + { ah_sumsiz_1216, ah_common_mature, 160, 160, + "hmac-ripemd160", + ah_hmac_ripemd160_init, ah_hmac_ripemd160_loop, + ah_hmac_ripemd160_result, }, }; switch (idx) { @@ -193,6 +207,8 @@ ah_algorithm_lookup(idx) return &ah_algorithms[6]; case SADB_X_AALG_SHA2_512: return &ah_algorithms[7]; + case SADB_X_AALG_RIPEMD160HMAC: + return &ah_algorithms[8]; default: return NULL; } @@ -221,6 +237,34 @@ ah_sumsiz_zero(sav) } static int +ah_common_mature(sav) + struct secasvar *sav; +{ + const struct ah_algorithm *algo; + + if (!sav->key_auth) { + ipseclog((LOG_ERR, "ah_common_mature: no key is given.\n")); + return 1; + } + + algo = ah_algorithm_lookup(sav->alg_auth); + if (!algo) { + ipseclog((LOG_ERR, "ah_common_mature: unsupported algorithm.\n")); + return 1; + } + + if (sav->key_auth->sadb_key_bits < algo->keymin || + algo->keymax < sav->key_auth->sadb_key_bits) { + ipseclog((LOG_ERR, + "ah_common_mature: invalid key length %d for %s.\n", + sav->key_auth->sadb_key_bits, algo->name)); + return 1; + } + + return 0; +} + +static int ah_none_mature(sav) struct secasvar *sav; { @@ -250,9 +294,10 @@ ah_none_loop(state, addr, len) } static void -ah_none_result(state, addr) +ah_none_result(state, addr, l) struct ah_algorithm_state *state; caddr_t addr; + size_t l; { } @@ -335,9 +380,10 @@ ah_keyed_md5_loop(state, addr, len) } static void -ah_keyed_md5_result(state, addr) +ah_keyed_md5_result(state, addr, l) struct ah_algorithm_state *state; caddr_t addr; + size_t l; { u_char digest[16]; @@ -355,34 +401,6 @@ ah_keyed_md5_result(state, addr) } static int -ah_keyed_sha1_mature(sav) - struct secasvar *sav; -{ - const struct ah_algorithm *algo; - - if (!sav->key_auth) { - ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n")); - return 1; - } - - algo = ah_algorithm_lookup(sav->alg_auth); - if (!algo) { - ipseclog((LOG_ERR, "ah_keyed_sha1_mature: unsupported algorithm.\n")); - return 1; - } - - if (sav->key_auth->sadb_key_bits < algo->keymin - || algo->keymax < sav->key_auth->sadb_key_bits) { - ipseclog((LOG_ERR, - "ah_keyed_sha1_mature: invalid key length %d.\n", - sav->key_auth->sadb_key_bits)); - return 1; - } - - return 0; -} - -static int ah_keyed_sha1_init(state, sav) struct ah_algorithm_state *state; struct secasvar *sav; @@ -456,9 +474,10 @@ ah_keyed_sha1_loop(state, addr, len) } static void -ah_keyed_sha1_result(state, addr) +ah_keyed_sha1_result(state, addr, l) struct ah_algorithm_state *state; caddr_t addr; + size_t l; { u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */ SHA1_CTX *ctxt; @@ -478,34 +497,6 @@ ah_keyed_sha1_result(state, addr) } static int -ah_hmac_md5_mature(sav) - struct secasvar *sav; -{ - const struct ah_algorithm *algo; - - if (!sav->key_auth) { - ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n")); - return 1; - } - - algo = ah_algorithm_lookup(sav->alg_auth); - if (!algo) { - ipseclog((LOG_ERR, "ah_hmac_md5_mature: unsupported algorithm.\n")); - return 1; - } - - if (sav->key_auth->sadb_key_bits < algo->keymin - || algo->keymax < sav->key_auth->sadb_key_bits) { - ipseclog((LOG_ERR, - "ah_hmac_md5_mature: invalid key length %d.\n", - sav->key_auth->sadb_key_bits)); - return 1; - } - - return 0; -} - -static int ah_hmac_md5_init(state, sav) struct ah_algorithm_state *state; struct secasvar *sav; @@ -573,9 +564,10 @@ ah_hmac_md5_loop(state, addr, len) } static void -ah_hmac_md5_result(state, addr) +ah_hmac_md5_result(state, addr, l) struct ah_algorithm_state *state; caddr_t addr; + size_t l; { u_char digest[16]; u_char *ipad; @@ -602,34 +594,6 @@ ah_hmac_md5_result(state, addr) } static int -ah_hmac_sha1_mature(sav) - struct secasvar *sav; -{ - const struct ah_algorithm *algo; - - if (!sav->key_auth) { - ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n")); - return 1; - } - - algo = ah_algorithm_lookup(sav->alg_auth); - if (!algo) { - ipseclog((LOG_ERR, "ah_hmac_sha1_mature: unsupported algorithm.\n")); - return 1; - } - - if (sav->key_auth->sadb_key_bits < algo->keymin - || algo->keymax < sav->key_auth->sadb_key_bits) { - ipseclog((LOG_ERR, - "ah_hmac_sha1_mature: invalid key length %d.\n", - sav->key_auth->sadb_key_bits)); - return 1; - } - - return 0; -} - -static int ah_hmac_sha1_init(state, sav) struct ah_algorithm_state *state; struct secasvar *sav; @@ -699,9 +663,10 @@ ah_hmac_sha1_loop(state, addr, len) } static void -ah_hmac_sha1_result(state, addr) +ah_hmac_sha1_result(state, addr, l) struct ah_algorithm_state *state; caddr_t addr; + size_t l; { u_char digest[SHA1_RESULTLEN]; /* SHA-1 generates 160 bits */ u_char *ipad; @@ -728,36 +693,6 @@ ah_hmac_sha1_result(state, addr) } static int -ah_hmac_sha2_256_mature(sav) - struct secasvar *sav; -{ - const struct ah_algorithm *algo; - - if (!sav->key_auth) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_256_mature: no key is given.\n")); - return 1; - } - - algo = ah_algorithm_lookup(sav->alg_auth); - if (!algo) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_256_mature: unsupported algorithm.\n")); - return 1; - } - - if (sav->key_auth->sadb_key_bits < algo->keymin || - algo->keymax < sav->key_auth->sadb_key_bits) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_256_mature: invalid key length %d.\n", - sav->key_auth->sadb_key_bits)); - return 1; - } - - return 0; -} - -static int ah_hmac_sha2_256_init(state, sav) struct ah_algorithm_state *state; struct secasvar *sav; @@ -830,9 +765,10 @@ ah_hmac_sha2_256_loop(state, addr, len) } static void -ah_hmac_sha2_256_result(state, addr) +ah_hmac_sha2_256_result(state, addr, l) struct ah_algorithm_state *state; caddr_t addr; + size_t l; { u_char digest[SHA256_DIGEST_LENGTH]; u_char *ipad; @@ -860,36 +796,6 @@ ah_hmac_sha2_256_result(state, addr) } static int -ah_hmac_sha2_384_mature(sav) - struct secasvar *sav; -{ - const struct ah_algorithm *algo; - - if (!sav->key_auth) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_384_mature: no key is given.\n")); - return 1; - } - - algo = ah_algorithm_lookup(sav->alg_auth); - if (!algo) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_384_mature: unsupported algorithm.\n")); - return 1; - } - - if (sav->key_auth->sadb_key_bits < algo->keymin || - algo->keymax < sav->key_auth->sadb_key_bits) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_384_mature: invalid key length %d.\n", - sav->key_auth->sadb_key_bits)); - return 1; - } - - return 0; -} - -static int ah_hmac_sha2_384_init(state, sav) struct ah_algorithm_state *state; struct secasvar *sav; @@ -963,9 +869,10 @@ ah_hmac_sha2_384_loop(state, addr, len) } static void -ah_hmac_sha2_384_result(state, addr) +ah_hmac_sha2_384_result(state, addr, l) struct ah_algorithm_state *state; caddr_t addr; + size_t l; { u_char digest[SHA384_DIGEST_LENGTH]; u_char *ipad; @@ -993,36 +900,6 @@ ah_hmac_sha2_384_result(state, addr) } static int -ah_hmac_sha2_512_mature(sav) - struct secasvar *sav; -{ - const struct ah_algorithm *algo; - - if (!sav->key_auth) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_512_mature: no key is given.\n")); - return 1; - } - - algo = ah_algorithm_lookup(sav->alg_auth); - if (!algo) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_512_mature: unsupported algorithm.\n")); - return 1; - } - - if (sav->key_auth->sadb_key_bits < algo->keymin || - algo->keymax < sav->key_auth->sadb_key_bits) { - ipseclog((LOG_ERR, - "ah_hmac_sha2_512_mature: invalid key length %d.\n", - sav->key_auth->sadb_key_bits)); - return 1; - } - - return 0; -} - -static int ah_hmac_sha2_512_init(state, sav) struct ah_algorithm_state *state; struct secasvar *sav; @@ -1096,9 +973,10 @@ ah_hmac_sha2_512_loop(state, addr, len) } static void -ah_hmac_sha2_512_result(state, addr) +ah_hmac_sha2_512_result(state, addr, l) struct ah_algorithm_state *state; caddr_t addr; + size_t l; { u_char digest[SHA512_DIGEST_LENGTH]; u_char *ipad; @@ -1125,6 +1003,110 @@ ah_hmac_sha2_512_result(state, addr) free(state->foo, M_TEMP); } +static int +ah_hmac_ripemd160_init(state, sav) + struct ah_algorithm_state *state; + struct secasvar *sav; +{ + u_char *ipad; + u_char *opad; + RMD160_CTX *ctxt; + u_char tk[RIPEMD160_RESULTLEN]; + u_char *key; + size_t keylen; + size_t i; + + if (!state) + panic("ah_hmac_ripemd160_init: what?"); + + state->sav = sav; + state->foo = (void *)malloc(64 + 64 + sizeof(RMD160_CTX), + M_TEMP, M_NOWAIT); + if (!state->foo) + return ENOBUFS; + bzero(state->foo, 64 + 64 + sizeof(RMD160_CTX)); + + ipad = (u_char *)state->foo; + opad = (u_char *)(ipad + 64); + ctxt = (RMD160_CTX *)(opad + 64); + + /* compress the key if necessery */ + if (64 < _KEYLEN(state->sav->key_auth)) { + bzero(tk, sizeof(tk)); + bzero(ctxt, sizeof(*ctxt)); + RMD160Init(ctxt); + RMD160Update(ctxt, _KEYBUF(state->sav->key_auth), + _KEYLEN(state->sav->key_auth)); + RMD160Final(&tk[0], ctxt); + key = &tk[0]; + keylen = sizeof(tk) < 64 ? sizeof(tk) : 64; + } else { + key = _KEYBUF(state->sav->key_auth); + keylen = _KEYLEN(state->sav->key_auth); + } + + bzero(ipad, 64); + bzero(opad, 64); + bcopy(key, ipad, keylen); + bcopy(key, opad, keylen); + for (i = 0; i < 64; i++) { + ipad[i] ^= 0x36; + opad[i] ^= 0x5c; + } + + bzero(ctxt, sizeof(*ctxt)); + RMD160Init(ctxt); + RMD160Update(ctxt, ipad, 64); + + return 0; +} + +static void +ah_hmac_ripemd160_loop(state, addr, len) + struct ah_algorithm_state *state; + caddr_t addr; + size_t len; +{ + RMD160_CTX *ctxt; + + if (!state || !state->foo) + panic("ah_hmac_ripemd160_loop: what?"); + + ctxt = (RMD160_CTX *)(((u_char *)state->foo) + 128); + RMD160Update(ctxt, (caddr_t)addr, (size_t)len); +} + +static void +ah_hmac_ripemd160_result(state, addr, l) + struct ah_algorithm_state *state; + caddr_t addr; + size_t l; +{ + u_char digest[RIPEMD160_RESULTLEN]; + u_char *ipad; + u_char *opad; + RMD160_CTX *ctxt; + + if (!state || !state->foo) + panic("ah_hmac_ripemd160_result: what?"); + + ipad = (u_char *)state->foo; + opad = (u_char *)(ipad + 64); + ctxt = (RMD160_CTX *)(opad + 64); + + RMD160Final((caddr_t)digest, ctxt); + + bzero(ctxt, sizeof(*ctxt)); + RMD160Init(ctxt); + RMD160Update(ctxt, opad, 64); + RMD160Update(ctxt, (caddr_t)digest, sizeof(digest)); + RMD160Final((caddr_t)digest, ctxt); + + bcopy(digest, addr, sizeof(digest) > l ? l : sizeof(digest)); + + free(state->foo, M_TEMP); +} + /*------------------------------------------------------------*/ /* @@ -1401,7 +1383,7 @@ again: goto fail; } - (algo->result)(&algos, &sumbuf[0]); + (algo->result)(&algos, sumbuf, sizeof(sumbuf)); bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav)); if (n) @@ -1628,7 +1610,7 @@ ah6_calccksum(m, ahdat, len, algo, sav) goto fail; } - (algo->result)(&algos, &sumbuf[0]); + (algo->result)(&algos, sumbuf, sizeof(sumbuf)); bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav)); /* just in case */ diff --git a/sys/netinet6/esp_core.c b/sys/netinet6/esp_core.c index 3f63d699615f..148d9c42f96f 100644 --- a/sys/netinet6/esp_core.c +++ b/sys/netinet6/esp_core.c @@ -1122,7 +1122,7 @@ esp_auth(m0, skip, length, sav, sum) break; } } - (*algo->result)(&s, sumbuf); + (*algo->result)(&s, sumbuf, sizeof(sumbuf)); bcopy(sumbuf, sum, siz); /* XXX */ return 0; diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8 index 7c8cf38cb304..d11a6addcd9d 100644 --- a/usr.sbin/setkey/setkey.8 +++ b/usr.sbin/setkey/setkey.8 @@ -549,6 +549,8 @@ hmac-sha2-384 384 ah: 96bit ICV (no document) 384 ah-old: 128bit ICV (no document) hmac-sha2-512 512 ah: 96bit ICV (no document) 512 ah-old: 128bit ICV (no document) +hmac-ripemd160 160 ah: 96bit ICV (RFC2857) + ah-old: 128bit ICV (no document) .Ed .Pp Followings are the list of encryption algorithms that can be used as diff --git a/usr.sbin/setkey/token.l b/usr.sbin/setkey/token.l index 208196e3cdc8..eed519082a40 100644 --- a/usr.sbin/setkey/token.l +++ b/usr.sbin/setkey/token.l @@ -170,6 +170,7 @@ keyed-sha1 { PREPROC; yylval.num = SADB_X_AALG_SHA; return(ALG_AUTH); } hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); } hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); } hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); } +hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); } null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); } /* encryption alogorithm */ |