Prepare crypto framework for IPsec ESN support
This permits requests (netipsec ESP and AH protocol) to provide the IPsec ESN (Extended Sequence Numbers) in a separate buffer. As with the separate output buffer and the separate AAD buffer, not all drivers support this feature. A consumer must request use of this feature via a new session flag. Submitted by: Grzegorz Jaszczyk <jaz@semihalf.com> Patryk Duda <pdk@semihalf.com> Reviewed by: jhb Differential revision: https://reviews.freebsd.org/D24838 Obtained from: Semihalf Sponsored by: Stormshield
@@ -302,6 +302,24 @@ as a single buffer pointed to by
|
|||||||
In either case,
|
In either case,
|
||||||
.Fa crp_aad_length
|
.Fa crp_aad_length
|
||||||
always indicates the amount of AAD in bytes.
|
always indicates the amount of AAD in bytes.
|
||||||
|
.Ss Request ESN
|
||||||
|
IPsec requests may optionally include Extended Sequence Numbers (ESN).
|
||||||
|
ESN may either be supplied in
|
||||||
|
.Fa crp_esn
|
||||||
|
or as part of the AAD pointed to by
|
||||||
|
.Fa crp_aad .
|
||||||
|
.Pp
|
||||||
|
If the ESN is stored in
|
||||||
|
.Fa crp_esn ,
|
||||||
|
.Dv CSP_F_ESN
|
||||||
|
should be set in
|
||||||
|
.Fa csp_flags .
|
||||||
|
This use case is dedicated for encrypt and authenticate mode, since the
|
||||||
|
high-order 32 bits of the sequence number are appended after the Next Header
|
||||||
|
(RFC 4303).
|
||||||
|
.Pp
|
||||||
|
AEAD modes supply the ESN in a separate AAD buffer (see e.g. RFC 4106, Chapter 5
|
||||||
|
AAD Construction).
|
||||||
.Ss Request IV and/or Nonce
|
.Ss Request IV and/or Nonce
|
||||||
Some cryptographic operations require an IV or nonce as an input.
|
Some cryptographic operations require an IV or nonce as an input.
|
||||||
An IV may be stored either in the IV region of the data buffer or in
|
An IV may be stored either in the IV region of the data buffer or in
|
||||||
|
|||||||
@@ -201,6 +201,15 @@ Sessions with this flag set permit requests with AAD passed in either in
|
|||||||
a region of the input buffer or in a single, virtually-contiguous buffer.
|
a region of the input buffer or in a single, virtually-contiguous buffer.
|
||||||
Sessions without this flag only permit requests with AAD passed in as
|
Sessions without this flag only permit requests with AAD passed in as
|
||||||
a region in the input buffer.
|
a region in the input buffer.
|
||||||
|
.It Dv CSP_F_ESN
|
||||||
|
Support requests that use a separate buffer for IPsec ESN (Extended Sequence
|
||||||
|
Numbers).
|
||||||
|
.Pp
|
||||||
|
Sessions with this flag set permit requests with IPsec ESN passed in special
|
||||||
|
buffer.
|
||||||
|
It is required for IPsec ESN support of encrypt and authenticate mode where
|
||||||
|
the high-order 32 bits of the sequence number are appended after the Next
|
||||||
|
Header (RFC 4303).
|
||||||
.El
|
.El
|
||||||
.It Fa csp_ivlen
|
.It Fa csp_ivlen
|
||||||
If either the cipher or authentication algorithms require an explicit
|
If either the cipher or authentication algorithms require an explicit
|
||||||
|
|||||||
@@ -743,6 +743,8 @@ alg_is_aead(int alg)
|
|||||||
return (alg_type(alg) == ALG_AEAD);
|
return (alg_type(alg) == ALG_AEAD);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define SUPPORTED_SES (CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD | CSP_F_ESN)
|
||||||
|
|
||||||
/* Various sanity checks on crypto session parameters. */
|
/* Various sanity checks on crypto session parameters. */
|
||||||
static bool
|
static bool
|
||||||
check_csp(const struct crypto_session_params *csp)
|
check_csp(const struct crypto_session_params *csp)
|
||||||
@@ -750,8 +752,7 @@ check_csp(const struct crypto_session_params *csp)
|
|||||||
struct auth_hash *axf;
|
struct auth_hash *axf;
|
||||||
|
|
||||||
/* Mode-independent checks. */
|
/* Mode-independent checks. */
|
||||||
if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) !=
|
if ((csp->csp_flags & ~(SUPPORTED_SES)) != 0)
|
||||||
0)
|
|
||||||
return (false);
|
return (false);
|
||||||
if (csp->csp_ivlen < 0 || csp->csp_cipher_klen < 0 ||
|
if (csp->csp_ivlen < 0 || csp->csp_cipher_klen < 0 ||
|
||||||
csp->csp_auth_klen < 0 || csp->csp_auth_mlen < 0)
|
csp->csp_auth_klen < 0 || csp->csp_auth_mlen < 0)
|
||||||
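Review bot: The `SUPPORTED_SES` mask added above check_csp() has no comment, and it is now the only framework-level gate for `CSP_F_ESN` visible on this page. The commit message says not every driver implements the separate ESN buffer, so a driver whose probe routine does not reject unknown `csp_flags` would presumably accept such a session and compute the ICV without the high-order sequence bits; the driver probes are not shown here, so this needs confirming. I would add `/* Session flags the framework accepts; a driver must still reject any flag it does not implement. */` above the define and write the test as `~SUPPORTED_SES`, since the macro body is already parenthesised. check_csp() continues past the end of the hunk.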
|
|||||||
@@ -377,6 +377,7 @@ struct crypto_session_params {
|
|||||||
|
|
||||||
#define CSP_F_SEPARATE_OUTPUT 0x0001 /* Requests can use separate output */
|
#define CSP_F_SEPARATE_OUTPUT 0x0001 /* Requests can use separate output */
|
||||||
#define CSP_F_SEPARATE_AAD 0x0002 /* Requests can use separate AAD */
|
#define CSP_F_SEPARATE_AAD 0x0002 /* Requests can use separate AAD */
|
||||||
|
#define CSP_F_ESN 0x0004 /* Requests can use seperate ESN field */
|
||||||
|
|
||||||
int csp_ivlen; /* IV length in bytes. */
|
int csp_ivlen; /* IV length in bytes. */
|
||||||
|
|
||||||
@@ -485,6 +486,8 @@ struct cryptop {
|
|||||||
void *crp_aad; /* AAD buffer. */
|
void *crp_aad; /* AAD buffer. */
|
||||||
int crp_aad_start; /* Location of AAD. */
|
int crp_aad_start; /* Location of AAD. */
|
||||||
int crp_aad_length; /* 0 => no AAD. */
|
int crp_aad_length; /* 0 => no AAD. */
|
||||||
|
uint8_t crp_esn[4]; /* high-order ESN */
|
||||||
|
|
||||||
int crp_iv_start; /* Location of IV. IV length is from
|
int crp_iv_start; /* Location of IV. IV length is from
|
||||||
* the session.
|
* the session.
|
||||||
*/
|
*/
|
||||||
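Review bot: The comment on the new `crp_esn[4]` field in struct cryptop, `/* high-order ESN */`, does not say when the field is read or in which byte order the four bytes are expected. The manual page text in this commit ties the field to sessions created with `CSP_F_ESN`, so the comment could read `/* High-order 32 bits of the ESN; meant for CSP_F_ESN sessions only. */`, with the byte order added once it is confirmed against the consumers. Because the field is a fixed array rather than a pointer, a driver cannot tell an unset value from a zero ESN, which leaves the session flag as the sole indicator and makes it worth stating. The `CSP_F_ESN` comment in the earlier hunk also misspells "separate". Both structs extend beyond the hunks shown.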
|
|||||||