F115688015
D24838.diff
Index: head/share/man/man9/crypto_request.9
===================================================================
--- head/share/man/man9/crypto_request.9
+++ head/share/man/man9/crypto_request.9
@@ -302,6 +302,24 @@
In either case,
.Fa crp_aad_length
always indicates the amount of AAD in bytes.
+.Ss Request ESN
+IPsec requests may optionally include Extended Sequence Numbers (ESN).
+ESN may either be supplied in
+.Fa crp_esn
+or as part of the AAD pointed to by
+.Fa crp_aad .
+.Pp
+If the ESN is stored in
+.Fa crp_esn ,
+.Dv CSP_F_ESN
+should be set in
+.Fa csp_flags .
+This use case is dedicated for encrypt and authenticate mode, since the
+high-order 32 bits of the sequence number are appended after the Next Header
+(RFC 4303).
+.Pp
+AEAD modes supply the ESN in a separate AAD buffer (see e.g. RFC 4106, Chapter 5
+AAD Construction).
.Ss Request IV and/or Nonce
Some cryptographic operations require an IV or nonce as an input.
An IV may be stored either in the IV region of the data buffer or in
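Review bot: The new "Request ESN" section calls the contents of crp_esn "the ESN" in its first two paragraphs, while the rationale sentence says only the high-order 32 bits of the sequence number are involved. Say "the high-order 32 bits of the ESN" consistently, and document the byte order a driver should expect in crp_esn and what a driver should do with the field when CSP_F_ESN is not set on the session. Minor wording: "dedicated for encrypt and authenticate mode" reads better as "intended for", and RFCs are divided into sections, so "RFC 4106, Section 5" rather than "Chapter 5".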
Index: head/share/man/man9/crypto_session.9
===================================================================
--- head/share/man/man9/crypto_session.9
+++ head/share/man/man9/crypto_session.9
@@ -201,6 +201,15 @@
a region of the input buffer or in a single, virtually-contiguous buffer.
Sessions without this flag only permit requests with AAD passed in as
a region in the input buffer.
+.It Dv CSP_F_ESN
+Support requests that use a separate buffer for IPsec ESN (Extended Sequence
+Numbers).
+.Pp
+Sessions with this flag set permit requests with IPsec ESN passed in special
+buffer.
+It is required for IPsec ESN support of encrypt and authenticate mode where
+the high-order 32 bits of the sequence number are appended after the Next
+Header (RFC 4303).
.El
.It Fa csp_ivlen
If either the cipher or authentication algorithms require an explicit
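Review bot: "passed in special buffer" in the CSP_F_ESN entry does not tell the reader which buffer is meant and is missing an article. Name the field explicitly, as the crypto_request.9 text does with ".Fa crp_esn", so the two pages agree. The first sentence ("a separate buffer for IPsec ESN") and the second ("permit requests with IPsec ESN passed in special buffer") say the same thing and could be merged. Since the entry states the flag is required for encrypt and authenticate mode, it would also help to say whether setting it on a session of another mode is an error or is ignored.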
Index: head/sys/opencrypto/crypto.c
===================================================================
--- head/sys/opencrypto/crypto.c
+++ head/sys/opencrypto/crypto.c
@@ -743,6 +743,8 @@
return (alg_type(alg) == ALG_AEAD);
}
+#define SUPPORTED_SES (CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD | CSP_F_ESN)
+
/* Various sanity checks on crypto session parameters. */
static bool
check_csp(const struct crypto_session_params *csp)
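Review bot: The name SUPPORTED_SES does not say that it is a mask of session flags, and defining it in crypto.c, away from the CSP_F_* definitions, makes it easy to add a flag in cryptodev.h and forget the mask. Consider a name that mentions flags and a one-line comment stating that every new CSP_F_* value must be added to it, or move the mask next to the flag definitions.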
@@ -750,8 +752,7 @@
struct auth_hash *axf;
/* Mode-independent checks. */
- if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) !=
- 0)
+ if ((csp->csp_flags & ~(SUPPORTED_SES)) != 0)
return (false);
if (csp->csp_ivlen < 0 || csp->csp_cipher_klen < 0 ||
csp->csp_auth_klen < 0 || csp->csp_auth_mlen < 0)
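Review bot: The mode-independent check now lets CSP_F_ESN through for every session mode, while the manual pages in this same diff describe the flag as being for encrypt and authenticate mode and say AEAD supplies the ESN through the AAD. If the flag is meaningless or wrong for other modes, check_csp should reject it in the per-mode checks (not visible in this hunk); if it is deliberately allowed everywhere, a comment saying so would prevent later confusion. Style nit: the inner parentheses in "~(SUPPORTED_SES)" are redundant because the macro body is already parenthesized.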
Index: head/sys/opencrypto/cryptodev.h
===================================================================
--- head/sys/opencrypto/cryptodev.h
+++ head/sys/opencrypto/cryptodev.h
@@ -377,6 +377,7 @@
#define CSP_F_SEPARATE_OUTPUT 0x0001 /* Requests can use separate output */
#define CSP_F_SEPARATE_AAD 0x0002 /* Requests can use separate AAD */
+#define CSP_F_ESN 0x0004 /* Requests can use seperate ESN field */
int csp_ivlen; /* IV length in bytes. */
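Review bot: Typo in the comment on the new CSP_F_ESN define: "seperate" should be "separate". The comment could also say "separate ESN buffer" or name crp_esn, to match the wording used for the flag in crypto_session.9.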
@@ -485,6 +486,8 @@
void *crp_aad; /* AAD buffer. */
int crp_aad_start; /* Location of AAD. */
int crp_aad_length; /* 0 => no AAD. */
+ uint8_t crp_esn[4]; /* high-order ESN */
+
int crp_iv_start; /* Location of IV. IV length is from
* the session.
*/
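Review bot: The comment on crp_esn, "high-order ESN", leaves out what a driver author needs: that the four bytes hold the high-order 32 bits of the sequence number, in which byte order, and that the field is only meaningful when the session was created with CSP_F_ESN. Please expand the comment accordingly. The blank line added after the field also separates crp_esn from the AAD fields above it and the IV fields below; if it is meant to group the field on its own, that is fine, otherwise drop it to match the surrounding layout.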
Attached To
D24838: Prepare crypto framework for IPSec ESN support