774 ipsec_alg_reg(ipsec_algtype_t algtype, ipsec_alginfo_t *alg, netstack_t *ns)
780 	ASSERT(ipss->ipsec_alglists[algtype][alg->alg_id] == NULL);
781 	ipsec_alg_fix_min_max(alg, algtype, ns);
782 	ipss->ipsec_alglists[algtype][alg->alg_id] = alg;
785 	alg_insert_sortlist(algtype, alg->alg_id, ns);
1264 #define	SET_EXP_MINMAX(type, wild, alg, min, max, ipss)		\
1267 		if (ipss->ipsec_alglists[type][alg] != NULL)	\
1642 				*reason = "unacceptable ah alg";
1670 				*reason = "unacceptable esp alg";
1683 					*reason = "unacceptable esp auth alg";
4693 ipsec_alg_fix_min_max(ipsec_alginfo_t *alg, ipsec_algtype_t alg_type,
4715 	alg->alg_default_bits = alg->alg_key_sizes[0];
4716 	alg->alg_default = 0;
4717 	if (alg->alg_increment != 0) {
4719 		alg->alg_minbits = alg->alg_key_sizes[1];
4720 		alg->alg_maxbits = alg->alg_key_sizes[2];
4721 	} else if (alg->alg_nkey_sizes == 0) {
4723 		alg->alg_minbits = alg->alg_maxbits = 0;
4726 		alg->alg_minbits = (uint16_t)-1;
4727 		alg->alg_maxbits = 0;
4729 		for (i = 0; i < alg->alg_nkey_sizes; i++) {
4730 			if (alg->alg_key_sizes[i] < alg->alg_minbits)
4731 				alg->alg_minbits = alg->alg_key_sizes[i];
4732 			if (alg->alg_key_sizes[i] > alg->alg_maxbits)
4733 				alg->alg_maxbits = alg->alg_key_sizes[i];
4737 	if (!(alg->alg_flags & ALG_FLAG_VALID))
4744 	if (alg->alg_id == SADB_EALG_NULL)
4753 	crypto_rc = crypto_get_all_mech_info(alg->alg_mech_type,
4756 		alg->alg_flags &= ~ALG_FLAG_VALID;
4805 		alg->alg_flags &= ~ALG_FLAG_VALID;
4814 	alg->alg_ef_default_bits = alg->alg_key_sizes[0];
4820 	alg->alg_ivlen = alg->alg_datalen;
4827 	for (i = 0; i < alg->alg_nparams; i++) {
4831 			alg->alg_ivlen =  alg->alg_params[0];
4835 			alg->alg_icvlen = alg->alg_params[1];
4839 			alg->alg_saltlen = (uint8_t)alg->alg_params[2];
4847 	if (alg_type == IPSEC_ALG_ENCR && alg->alg_ivlen == 0)
4848 		alg->alg_ivlen = alg->alg_datalen;
4850 	alg_flag_check(alg);
4852 	if (alg->alg_increment != 0) {
4854 		crypto_min = ALGBITS_ROUND_UP(crypto_min, alg->alg_increment);
4855 		crypto_max = ALGBITS_ROUND_DOWN(crypto_max, alg->alg_increment);
4857 		alg->alg_ef_minbits = MAX(alg->alg_minbits,
4859 		alg->alg_ef_maxbits = MIN(alg->alg_maxbits,
4868 		if (alg->alg_ef_minbits > alg->alg_ef_maxbits) {
4869 			alg->alg_flags &= ~ALG_FLAG_VALID;
4872 		if (alg->alg_ef_default_bits < alg->alg_ef_minbits)
4873 			alg->alg_ef_default_bits = alg->alg_ef_minbits;
4874 		if (alg->alg_ef_default_bits > alg->alg_ef_maxbits)
4875 			alg->alg_ef_default_bits = alg->alg_ef_maxbits;
4876 	} else if (alg->alg_nkey_sizes == 0) {
4878 		alg->alg_ef_minbits = alg->alg_ef_maxbits = 0;
4881 		alg->alg_ef_minbits = (uint16_t)-1;
4882 		alg->alg_ef_maxbits = 0;
4884 		for (i = 0, is_valid = B_FALSE; i < alg->alg_nkey_sizes; i++) {
4889 			if (alg->alg_key_sizes[i] < crypto_min ||
4890 			    alg->alg_key_sizes[i] > crypto_max)
4892 			if (alg->alg_key_sizes[i] < alg->alg_ef_minbits)
4893 				alg->alg_ef_minbits = alg->alg_key_sizes[i];
4894 			if (alg->alg_key_sizes[i] > alg->alg_ef_maxbits)
4895 				alg->alg_ef_maxbits = alg->alg_key_sizes[i];
4900 			alg->alg_flags &= ~ALG_FLAG_VALID;
4903 		alg->alg_ef_default = 0;
4914 alg_flag_check(ipsec_alginfo_t *alg)
4916 	alg->alg_flags &= ~ALG_FLAG_VALID;
4923 	if ((alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) ==
4926 	if (alg->alg_flags & (ALG_FLAG_CCM|ALG_FLAG_GCM)) {
4927 		if (!(alg->alg_flags & ALG_FLAG_COUNTERMODE))
4929 		if (!(alg->alg_flags & ALG_FLAG_COMBINED))
4937 	if (alg->alg_flags & ALG_FLAG_COUNTERMODE) {
4938 		if (alg->alg_ivlen != sizeof (((ipsec_nonce_t *)NULL)->iv))
4940 		if (alg->alg_saltlen > sizeof (((ipsec_nonce_t *)NULL)->salt))
4943 	if ((alg->alg_flags & ALG_FLAG_COMBINED) &&
4944 	    (alg->alg_icvlen == 0))
4948 	alg->alg_flags |= ALG_FLAG_VALID;
4955 ipsec_alg_free(ipsec_alginfo_t *alg)
4957 	if (alg == NULL)
4960 	if (alg->alg_key_sizes != NULL) {
4961 		kmem_free(alg->alg_key_sizes,
4962 		    (alg->alg_nkey_sizes + 1) * sizeof (uint16_t));
4963 		alg->alg_key_sizes = NULL;
4965 	if (alg->alg_block_sizes != NULL) {
4966 		kmem_free(alg->alg_block_sizes,
4967 		    (alg->alg_nblock_sizes + 1) * sizeof (uint16_t));
4968 		alg->alg_block_sizes = NULL;
4970 	if (alg->alg_params != NULL) {
4971 		kmem_free(alg->alg_params,
4972 		    (alg->alg_nparams + 1) * sizeof (uint16_t));
4973 		alg->alg_params = NULL;
4975 	kmem_free(alg, sizeof (*alg));
4983 ipsec_valid_key_size(uint16_t key_size, ipsec_alginfo_t *alg)
4985 	if (key_size < alg->alg_ef_minbits || key_size > alg->alg_ef_maxbits)
4988 	if (alg->alg_increment == 0 && alg->alg_nkey_sizes != 0) {
4995 		for (i = 0; i < alg->alg_nkey_sizes; i++)
4996 			if (key_size == alg->alg_key_sizes[i])
4998 		if (i == alg->alg_nkey_sizes)
5036 	ipsec_alginfo_t *alg;
5064 			alg = ipss->ipsec_alglists[algtype][algid];
5065 			ASSERT(alg != NULL);
5071 			if (strncmp(alg->alg_mech_name,
5082 				if (strncmp(alg->alg_mech_name,
5086 			    alg->alg_flags & ALG_FLAG_VALID) {
5087 				alg->alg_flags &= ~ALG_FLAG_VALID;
5090 			    !(alg->alg_flags & ALG_FLAG_VALID)) {
5091 				alg->alg_flags |= ALG_FLAG_VALID;
5100 			oalg = *alg;
5101 			ipsec_alg_fix_min_max(alg, algtype, ns);
5103 			    alg->alg_ef_minbits != oalg.alg_ef_minbits ||
5104 			    alg->alg_ef_maxbits != oalg.alg_ef_maxbits ||
5105 			    alg->alg_ef_default != oalg.alg_ef_default ||
5106 			    alg->alg_ef_default_bits !=
5116 				sadb_alg_update(algtype, alg->alg_id,

Indexes created Tue Jul 24 14:28:13 CEST 2018