svn commit: r366753 - head/sys/opencrypto

Marcin Wojtas mw at FreeBSD.org
Fri Oct 16 11:18:13 UTC 2020 

Author: mw
Date: Fri Oct 16 11:18:13 2020
New Revision: 366753
URL: https://svnweb.freebsd.org/changeset/base/366753

Log:
  Add support for ESN in cryptosoft
  
  This patch adds support for IPsec ESN (Extended Sequence Numbers) in
  encrypt and authenticate mode (eg. AES-CBC and SHA256) and combined mode
  (eg. AES-GCM).
  
  For encrypt and authenticate mode the ESN is stored in separate crp_esn
  buffer because the high-order 32 bits of the sequence number are
  appended after the Next Header (RFC 4303).
  
  For combined modes the high-order 32 bits of the sequence number [e.g.
  RFC 4106, Chapter 5 AAD Construction] are part of crp_aad (prepared by
  netipsec layer in case of ESN support enabled), therefore non visible
  diff around combined modes.
  
  Submitted by:           Grzegorz Jaszczyk <jaz at semihalf.com>
                          Patryk Duda <pdk at semihalf.com>
  Reviewed by:            jhb
  Differential revision:  https://reviews.freebsd.org/D22364
  Obtained from:          Semihalf
  Sponsored by:           Stormshield

Modified:
  head/sys/opencrypto/cryptosoft.c

Modified: head/sys/opencrypto/cryptosoft.c
==============================================================================
--- head/sys/opencrypto/cryptosoft.c	Fri Oct 16 11:06:33 2020	(r366752)
+++ head/sys/opencrypto/cryptosoft.c	Fri Oct 16 11:18:13 2020	(r366753)
@@ -327,8 +327,8 @@ swcr_authcompute(struct swcr_session *ses, struct cryp
 
 	axf = sw->sw_axf;
 
+	csp = crypto_get_params(crp->crp_session);
 	if (crp->crp_auth_key != NULL) {
-		csp = crypto_get_params(crp->crp_session);
 		swcr_authprepare(axf, sw, crp->crp_auth_key,
 		    csp->csp_auth_klen);
 	}
@@ -354,6 +354,9 @@ swcr_authcompute(struct swcr_session *ses, struct cryp
 	if (err)
 		goto out;
 
+	if (csp->csp_flags & CSP_F_ESN)
+		axf->Update(&ctx, crp->crp_esn, 4);
+
 	axf->Final(aalg, &ctx);
 	if (sw->sw_octx != NULL) {
 		bcopy(sw->sw_octx, &ctx, axf->ctxsize);
@@ -1235,12 +1238,12 @@ swcr_cipher_supported(const struct crypto_session_para
 	return (true);
 }
 
+#define SUPPORTED_SES (CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD | CSP_F_ESN)
+
 static int
 swcr_probesession(device_t dev, const struct crypto_session_params *csp)
 {
-
-	if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) !=
-	    0)
+	if ((csp->csp_flags & ~(SUPPORTED_SES)) != 0)
 		return (EINVAL);
 	switch (csp->csp_mode) {
 	case CSP_MODE_COMPRESS:

More information about the svn-src-all mailing list