PSARC 2009/513 Changes to IPsec ESP to support Combined mode ciphers

6704686 IPsec/ESP needs to support Combined mode ciphers 6704682 IPsec/ESP should use AES-CCM 6884664 IPsec/ESP should support AES-GCM Mode 6840342 ipsecalgs out of memory error 6764184 tab instead of space in sadb.h
author: Mark Fenwick <Mark.Fenwick@Sun.COM> 2009-10-20 21:00:54 -0700
committer: Mark Fenwick <Mark.Fenwick@Sun.COM> 2009-10-20 21:00:54 -0700
commit: 628b0c67908adce18522d53bb2bf8d6c3b321579 (patch)
tree: ca21cb0bcc03afebed8e977007465ecb59b4d0e1 /usr/src/lib/libipsecutil/common
parent: 16a0c3c7f1d0e9dd3cab8e12e029b4468597a433 (diff)
download: illumos-joyent-628b0c67908adce18522d53bb2bf8d6c3b321579.tar.gz
3 files changed, 71 insertions, 18 deletions
diff --git a/usr/src/lib/libipsecutil/common/algs.c b/usr/src/lib/libipsecutil/common/algs.c
index d53cf227e7..2018b7f079 100644
--- a/usr/src/lib/libipsecutil/common/algs.c
+++ b/usr/src/lib/libipsecutil/common/algs.c
@@ -19,12 +19,10 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <ipsec_util.h>
@@ -42,7 +40,16 @@ static char *preamble =
 "# DO NOT EDIT OR PARSE THIS FILE!\n"
 "#\n"
 "# Use the ipsecalgs(1m) command to change the contents of this file.\n"
-"\n";
+"# The algorithm descriptions contained in this file are synchronised to the\n"
+"# kernel with ipsecalgs -s, the kernel validates the entries at this point."
+"\n\n"
+"# PROTO|protocol-id|protocol-name|exec-mode\n"
+"##  NOTE:  Some protocol numbers are well-known and defined in <netdb.h>\n\n"
+"# ALG|protocol-id|alg-id|name,name,...|ef-id| \n"
+"#        {default/}{key,key..}or{key-key,inc}|block_size or MAC-size|\n"
+"#        [parameter,parameter..]|[flags]\n\n"
+"#\n"
+"## Note:   Parameters and flags only apply to certain algorithms.\n\n";
 
 #define	CFG_PERMS S_IRUSR | S_IRGRP | S_IROTH	/* Perms 0444. */
 #define	CFG_OWNER 0	/* root */
@@ -282,7 +289,23 @@ write_new_algfile(ipsec_proto_t *protos, int num_protos)
 				rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;
 				goto bail;
 			}
-			FPUT_ERR(fputc('\n', f));
+			FPUT_ERR(fputc('|', f));
+
+			/*
+			 * Some algorithms require extra parameters, these
+			 * are stored in an array. For algorithms that don't
+			 * need these parameters, or flags (below), these
+			 * extra fields in the ipsecalgs file must contain a
+			 * zero. This fuction will get called if a algorithm
+			 * entry is added, at this point the extra fields will
+			 * be added to the file.
+			 */
+			if (list_ints(f, alg->a_mech_params) == -1) {
+				rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;
+				goto bail;
+			}
+			/* flags */
+			FPRINTF_ERR(fprintf(f, "|%d\n", alg->a_alg_flags));
 		}
 	}
 
@@ -513,7 +536,7 @@ addipsecalg(struct ipsecalgent *newbie, uint_t flags)
 					    current_proto->proto_algs[i]);
 					current_proto->proto_algs[i] = clone;
 					return (write_new_algfile(protos,
-						    num_protos));
+					    num_protos));
 				} else {
 					_clean_trash(protos, num_protos);
 					return (LIBIPSEC_ALGS_DIAG_NOMEM);
diff --git a/usr/src/lib/libipsecutil/common/ipsec_util.c b/usr/src/lib/libipsecutil/common/ipsec_util.c
index 46700b4680..d3f78a4d9f 100644
--- a/usr/src/lib/libipsecutil/common/ipsec_util.c
+++ b/usr/src/lib/libipsecutil/common/ipsec_util.c
@@ -221,17 +221,32 @@ dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
 }
 
 /*
- * Dump a key and bitlen
+ * Dump a key, any salt and bitlen.
+ * The key is made up of a stream of bits. If the algorithm requires a salt
+ * value, this will also be part of the dumped key. The last "saltbits" of the
+ * key string, reading left to right will be the salt value. To make it easier
+ * to see which bits make up the key, the salt value is enclosed in []'s.
+ * This function can also be called when ipseckey(1m) -s is run, this "saves"
+ * the SAs, including the key to a file. When this is the case, the []'s are
+ * not printed.
+ *
+ * The implementation allows the kernel to be told about the length of the salt
+ * in whole bytes only. If this changes, this function will need to be updated.
  */
 int
-dump_key(uint8_t *keyp, uint_t bitlen, FILE *where)
+dump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where,
+    boolean_t separate_salt)
 {
-	int	numbytes;
+	int	numbytes, saltbytes;
 
 	numbytes = SADB_1TO8(bitlen);
+	saltbytes = SADB_1TO8(saltbits);
+	numbytes += saltbytes;
+
 	/* The & 0x7 is to check for leftover bits. */
 	if ((bitlen & 0x7) != 0)
 		numbytes++;
+
 	while (numbytes-- != 0) {
 		if (pflag) {
 			/* Print no keys if paranoid */
@@ -241,9 +256,21 @@ dump_key(uint8_t *keyp, uint_t bitlen, FILE *where)
 			if (fprintf(where, "%02x", *keyp++) < 0)
 				return (-1);
 		}
+		if (separate_salt && saltbytes != 0 &&
+		    numbytes == saltbytes) {
+			if (fprintf(where, "[") < 0)
+				return (-1);
+		}
 	}
-	if (fprintf(where, "/%u", bitlen) < 0)
-		return (-1);
+
+	if (separate_salt && saltbits != 0) {
+		if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0)
+			return (-1);
+	} else {
+		if (fprintf(where, "/%u", bitlen + saltbits) < 0)
+			return (-1);
+	}
+
 	return (0);
 }
 
@@ -1977,7 +2004,8 @@ print_key(FILE *file, char *prefix, struct sadb_key *key)
 	}
 
 	(void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
-	(void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits, file);
+	(void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
+	    key->sadb_key_reserved, file, B_TRUE);
 	(void) fprintf(file, "\n");
 }
 
@@ -2200,9 +2228,10 @@ print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
 			}
 
 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
-			    "  minbits=%u, maxbits=%u.\n"),
+			    "  minbits=%u, maxbits=%u, saltbits=%u\n"),
 			    algdesc->sadb_x_algdesc_minbits,
-			    algdesc->sadb_x_algdesc_maxbits);
+			    algdesc->sadb_x_algdesc_maxbits,
+			    algdesc->sadb_x_algdesc_reserved);
 
 			sofar = (uint64_t *)(++algdesc);
 		}
@@ -2246,9 +2275,9 @@ print_supp(FILE *file, char *prefix, struct sadb_supported *supp)
 			break;
 		}
 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
-		    " minbits=%u, maxbits=%u, ivlen=%u"),
+		    " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
 		    algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
-		    algs[i].sadb_alg_ivlen);
+		    algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits);
 		if (exttype == SADB_EXT_SUPPORTED_ENCRYPT)
 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
 			    ", increment=%u"), algs[i].sadb_x_alg_increment);
@@ -2618,7 +2647,8 @@ save_key(struct sadb_key *key, FILE *ofile)
 	if (fprintf(ofile, "%skey ", prefix) < 0)
 		return (B_FALSE);
 
-	if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits, ofile) == -1)
+	if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
+	    key->sadb_key_reserved, ofile, B_FALSE) == -1)
 		return (B_FALSE);
 
 	return (B_TRUE);
diff --git a/usr/src/lib/libipsecutil/common/ipsec_util.h b/usr/src/lib/libipsecutil/common/ipsec_util.h
index d3b41b65d9..023f88e0c9 100644
--- a/usr/src/lib/libipsecutil/common/ipsec_util.h
+++ b/usr/src/lib/libipsecutil/common/ipsec_util.h
@@ -159,7 +159,7 @@ extern void bail_msg(char *, ...);
 extern int dump_sockaddr(struct sockaddr *, uint8_t, boolean_t, FILE *,
     boolean_t);
 
-extern int dump_key(uint8_t *, uint_t, FILE *);
+extern int dump_key(uint8_t *, uint_t, uint_t, FILE *, boolean_t);
 
 extern int dump_aalg(uint8_t, FILE *);
author	Mark Fenwick <Mark.Fenwick@Sun.COM>	2009-10-20 21:00:54 -0700
committer	Mark Fenwick <Mark.Fenwick@Sun.COM>	2009-10-20 21:00:54 -0700
commit	628b0c67908adce18522d53bb2bf8d6c3b321579 (patch)
tree	ca21cb0bcc03afebed8e977007465ecb59b4d0e1 /usr/src/lib/libipsecutil/common
parent	16a0c3c7f1d0e9dd3cab8e12e029b4468597a433 (diff)
download	illumos-joyent-628b0c67908adce18522d53bb2bf8d6c3b321579.tar.gz