[Openswan dev] [PATCH 2/2] ESP_NULL support: add support for KLIPS (tested on 2.4)
JuanJo Ciarlante
jjo-ipsec at mendoza.gov.ar
Mon Sep 25 09:16:42 EDT 2006
Signed-off-by: JuanJo Ciarlante <jjo at mendoza.gov.ar>
---
linux/net/ipsec/Config.in.os2_4 | 1
linux/net/ipsec/Kconfig | 7 ++
linux/net/ipsec/Makefile.fs2_4 | 4 +
linux/net/ipsec/Makefile.fs2_6 | 2
linux/net/ipsec/defconfig | 1
linux/net/ipsec/ipsec_alg.c | 11 +++
linux/net/ipsec/null/ipsec_alg_null.c | 145 +++++++++++++++++++++++++++++++++
packaging/linus/config-all.h | 5 +
packaging/linus/config-all.hmodules | 5 +
9 files changed, 181 insertions(+), 0 deletions(-)
diff --git a/linux/net/ipsec/Config.in.os2_4 b/linux/net/ipsec/Config.in.os2_4
index eef186b..8a19617 100644
--- a/linux/net/ipsec/Config.in.os2_4
+++ b/linux/net/ipsec/Config.in.os2_4
@@ -27,6 +27,7 @@ comment ' IPsec algorithms to include'
if [ "$CONFIG_KLIPS_ESP" = "y" ]; then
bool ' 3DES encryption algorithm' CONFIG_KLIPS_ENC_3DES
bool ' AES encryption algorithm' CONFIG_KLIPS_ENC_AES
+ bool ' NULL encryption algorithm (WARN: non-ciphered, use at your own!)' CONFIG_KLIPS_ENC_NULL
fi
if [ "$CONFIG_KLIPS_AH" = "y" -o "$CONFIG_KLIPS_ESP" = "y" ]; then
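Review bot: The prompt string on the added line ends in `use at your own!`, which drops the word that carries the warning. `bool ' NULL encryption algorithm (WARN: non-ciphered, use at your own risk!)' CONFIG_KLIPS_ENC_NULL` reads as intended. The `if` block that follows the added line continues outside the hunk.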
diff --git a/linux/net/ipsec/Kconfig b/linux/net/ipsec/Kconfig
index 07b2c23..942f897 100644
--- a/linux/net/ipsec/Kconfig
+++ b/linux/net/ipsec/Kconfig
@@ -92,6 +92,13 @@ config KLIPS_ENC_AES
AES the NIST replacement for DES. AES is being widely analyzed,
and is very fast.
+config KLIPS_ENC_NULL
+ bool 'NULL NON-encryption algorithm'
+ default n
+ help
+ NON encryption algo , maybe useful for ESP auth only scenarios
+ (eg: with NAT-T), see RFC 2410.
+
config KLIPS_IPCOMP
bool 'IP compression'
default y
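Review bot: The help text for KLIPS_ENC_NULL never states outright that ESP payloads are left in cleartext, and "NON encryption algo" is easy to misread in a configuration menu. I would say it plainly, for example `ESP_NULL (RFC 2410) provides no confidentiality: payloads are sent in cleartext.` followed by `Only meaningful together with an ESP authentication algorithm (eg: auth-only ESP with NAT-T).` The prompt could likewise read `'NULL (no encryption) ESP transform'`.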
diff --git a/linux/net/ipsec/Makefile.fs2_4 b/linux/net/ipsec/Makefile.fs2_4
index 1a86c44..2f94d50 100644
--- a/linux/net/ipsec/Makefile.fs2_4
+++ b/linux/net/ipsec/Makefile.fs2_4
@@ -119,6 +119,10 @@ else
obj-$(CONFIG_KLIPS_ENC_3DES) += des_enc.o
endif
+# ESP_NULL support:
+VPATH+=${KLIPS_TOP}/net/ipsec/null
+obj-$(CONFIG_KLIPS_ENC_NULL) += ipsec_alg_null.o
+
obj-y += satot.o
obj-y += addrtot.o
obj-y += ultot.o
diff --git a/linux/net/ipsec/Makefile.fs2_6 b/linux/net/ipsec/Makefile.fs2_6
index d37c1f8..e187125 100644
--- a/linux/net/ipsec/Makefile.fs2_6
+++ b/linux/net/ipsec/Makefile.fs2_6
@@ -106,6 +106,8 @@ else
crypto-$(CONFIG_KLIPS_ENC_AES) += aes/aes.o
endif
+crypto-$(CONFIG_KLIPS_ENC_NULL) += null/ipsec_alg_null.o
+
ipsec-y += ${crypto-y}
ipsec-$(CONFIG_KLIPS_ENC_CRYPTOAPI) += ipsec_alg_cryptoapi.o
diff --git a/linux/net/ipsec/defconfig b/linux/net/ipsec/defconfig
index cc40024..dde6415 100644
--- a/linux/net/ipsec/defconfig
+++ b/linux/net/ipsec/defconfig
@@ -48,6 +48,7 @@ CONFIG_KLIPS_ALG=y
# Encryption algorithm(s):
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
+#CONFIG_KLIPS_ENC_NULL=y
# Use CryptoAPI for ALG? - by default, no.
CONFIG_KLIPS_ENC_CRYPTOAPI=n
diff --git a/linux/net/ipsec/ipsec_alg.c b/linux/net/ipsec/ipsec_alg.c
index 57328cb..882c5f1 100644
--- a/linux/net/ipsec/ipsec_alg.c
+++ b/linux/net/ipsec/ipsec_alg.c
@@ -858,6 +858,17 @@ #endif
ipsec_3des_init();
}
#endif
+#if defined(CONFIG_KLIPS_ENC_NULL) && CONFIG_KLIPS_ENC_NULL && !defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI
+#warning "Using built-in null cipher rather than CryptoAPI null cipher"
+#endif
+#warning "Building with null cipher (ESP_NULL), blame on you :-)"
+ {
+ extern int ipsec_null_init(void);
+ ipsec_null_init();
+ }
+#endif
+
/* If we are doing CryptoAPI, then init */
#if defined(CONFIG_KLIPS_ENC_CRYPTOAPI) && CONFIG_KLIPS_ENC_CRYPTOAPI && !defined(CONFIG_KLIPS_ENC_CRYPTOAPI_MODULE)
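Review bot: The return value of `ipsec_null_init()` is discarded in the added block, so a failed registration shows up only through the printk inside the init routine. This mirrors the `ipsec_3des_init();` call above it, but checking it would be better, e.g. `if (ipsec_null_init() != 0) printk(KERN_WARNING "klips: ESP_NULL registration failed\n");`. The block-scope `extern int ipsec_null_init(void);` also bypasses any header prototype, so a mismatch with the definition produced by IPSEC_ALG_MODULE_INIT_STATIC would go unnoticed by the compiler. The enclosing function starts and ends outside the hunk.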
diff --git a/linux/net/ipsec/null/ipsec_alg_null.c b/linux/net/ipsec/null/ipsec_alg_null.c
new file mode 100644
index 0000000..3134a84
--- /dev/null
+++ b/linux/net/ipsec/null/ipsec_alg_null.c
@@ -0,0 +1,145 @@
+/*
+ * ipsec_alg NULL cipher stubs
+ *
+ * Author: JuanJo Ciarlante <jjo-ipsec at mendoza.gov.ar>
+ *
+ * $Id: linux/net/ipsec/null/ipsec_alg_null.c git 2006-09-20 17:11:49.000000000 -0300 jjo Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+#include <linux/config.h>
+#include <linux/version.h>
+
+/*
+ * special case: ipsec core modular with this static algo inside:
+ * must avoid MODULE magic for this file
+ */
+#if defined(CONFIG_KLIPS_MODULE) && defined(CONFIG_KLIPS_ENC_NULL)
+#undef MODULE
+#endif
+
+#include <linux/module.h>
+#include <linux/init.h>
+
+#include <linux/kernel.h> /* printk() */
+#include <linux/errno.h> /* error codes */
+#include <linux/types.h> /* size_t */
+#include <linux/string.h>
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/* Low freeswan header coupling */
+#include "openswan/ipsec_alg.h"
+
+#define ESP_NULL 11 /* from ipsec drafts */
+#define ESP_NULL_BLK_LEN 1
+
+MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec at mendoza.gov.ar>");
+static int debug_null=0;
+static int test_null=0;
+#ifdef module_param
+module_param(debug_null, int, 0600);
+module_param(test_null, int, 0600);
+#else
+MODULE_PARM(debug_null, "i");
+MODULE_PARM(test_null, "i");
+#endif
+
+typedef int null_context;
+
+struct null_eks{
+ null_context null_ctx;
+};
+static int _null_set_key(struct ipsec_alg_enc *alg,
+ __u8 * key_e, const __u8 * key,
+ size_t keysize) {
+ null_context *ctx=&((struct null_eks*)key_e)->null_ctx;
+ if (debug_null > 0)
+ printk(KERN_DEBUG "klips_debug:_null_set_key:"
+ "key_e=%p key=%p keysize=%d\n",
+ key_e, key, keysize);
+ *ctx = 1;
+ return 0;
+}
+static int _null_cbc_encrypt(struct ipsec_alg_enc *alg,
+ __u8 * key_e, __u8 * in, int ilen, const __u8 * iv,
+ int encrypt) {
+ null_context *ctx=&((struct null_eks*)key_e)->null_ctx;
+ if (debug_null > 0)
+ printk(KERN_DEBUG "klips_debug:_null_cbc_encrypt:"
+ "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
+ key_e, in, ilen, iv, encrypt);
+ (*ctx)++;
+ return ilen;
+}
+static struct ipsec_alg_enc ipsec_alg_NULL = {
+ ixt_common: { ixt_version: IPSEC_ALG_VERSION,
+ ixt_refcnt: ATOMIC_INIT(0),
+ ixt_name: "null",
+ ixt_blocksize: ESP_NULL_BLK_LEN,
+ ixt_support: {
+ ias_exttype: IPSEC_ALG_TYPE_ENCRYPT,
+ ias_id: ESP_NULL,
+ ias_ivlen: 0,
+ ias_keyminbits: 0,
+ ias_keymaxbits: 0,
+ },
+ },
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+ ixt_module: THIS_MODULE,
+#endif
+ ixt_e_keylen: 0,
+ ixt_e_ctx_size: sizeof(null_context),
+ ixt_e_set_key: _null_set_key,
+ ixt_e_cbc_encrypt:_null_cbc_encrypt,
+};
+
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+IPSEC_ALG_MODULE_INIT_MOD( ipsec_null_init )
+#else
+IPSEC_ALG_MODULE_INIT_STATIC( ipsec_null_init )
+#endif
+{
+ int ret, test_ret;
+ ret=register_ipsec_alg_enc(&ipsec_alg_NULL);
+ printk("ipsec_null_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+ ipsec_alg_NULL.ixt_common.ixt_name,
+ ret);
+ if (ret==0 && test_null) {
+ test_ret=ipsec_alg_test(
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+ test_null);
+ printk("ipsec_null_init(alg_type=%d alg_id=%d): test_ret=%d\n",
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_exttype,
+ ipsec_alg_NULL.ixt_common.ixt_support.ias_id,
+ test_ret);
+ }
+ return ret;
+}
+#if defined(CONFIG_KLIPS_ENC_NULL_MODULE)
+IPSEC_ALG_MODULE_EXIT_MOD( ipsec_null_fini )
+#else
+IPSEC_ALG_MODULE_EXIT_STATIC( ipsec_null_fini )
+#endif
+{
+ unregister_ipsec_alg_enc(&ipsec_alg_NULL);
+ return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
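Review bot: In `_null_set_key` the debug printk passes `keysize`, a `size_t`, to a `%d` conversion, which is a type mismatch on 64-bit builds; cast the argument, `key_e, key, (int)keysize);`, or use a size_t conversion if the targeted kernels' printk supports one. In `_null_cbc_encrypt` the per-packet `(*ctx)++` increments a signed `int` that nothing in this file reads, so on a long-lived SA it will eventually overflow; dropping the line or making `null_context` unsigned avoids that. `ixt_e_ctx_size` is `sizeof(null_context)` while both callbacks cast `key_e` to `struct null_eks *`; the sizes match today, but `sizeof(struct null_eks)` keeps the two tied together. Nothing in this file requires an authentication algorithm alongside ESP_NULL; presumably that is enforced elsewhere in KLIPS or in the keying daemon, and it is worth confirming because a null-cipher SA without authentication protects nothing.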
diff --git a/packaging/linus/config-all.h b/packaging/linus/config-all.h
index e4d17bb..b794600 100644
--- a/packaging/linus/config-all.h
+++ b/packaging/linus/config-all.h
@@ -64,6 +64,11 @@ #ifndef CONFIG_KLIPS_ENC_AES
#define CONFIG_KLIPS_ENC_AES 1
#endif
+/* jjo: ESP_NULL support: you applied this patch => you wanted enabled => don't cry 4this :) */
+#ifndef CONFIG_KLIPS_ENC_NULL
+#define CONFIG_KLIPS_ENC_NULL 1
+#endif
+
/* off by default for now */
#ifndef CONFIG_KLIPS_ENC_CRYPTOAPI
#define CONFIG_KLIPS_ENC_CRYPTOAPI 0
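Review bot: `#define CONFIG_KLIPS_ENC_NULL 1` turns the null cipher on for every build that uses this packaging header, which contradicts the `default n` in Kconfig and the commented-out `#CONFIG_KLIPS_ENC_NULL=y` in defconfig from the same patch. A non-encrypting transform should be opt-in; `#define CONFIG_KLIPS_ENC_NULL 0`, the form used for CONFIG_KLIPS_ENC_CRYPTOAPI just below, keeps it off unless the builder sets it, and the `&& CONFIG_KLIPS_ENC_NULL` test added in ipsec_alg.c already copes with a zero value. The same applies to the identical hunk in packaging/linus/config-all.hmodules.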
diff --git a/packaging/linus/config-all.hmodules b/packaging/linus/config-all.hmodules
index c874034..8226a33 100644
--- a/packaging/linus/config-all.hmodules
+++ b/packaging/linus/config-all.hmodules
@@ -66,6 +66,11 @@ #ifndef CONFIG_KLIPS_ENC_AES
#define CONFIG_KLIPS_ENC_AES 1
#endif
+/* jjo: ESP_NULL support: you applied this patch => you wanted enabled => don't cry 4this :) */
+#ifndef CONFIG_KLIPS_ENC_NULL
+#define CONFIG_KLIPS_ENC_NULL 1
+#endif
+
/* off by default for now */
#ifndef CONFIG_KLIPS_ENC_CRYPTOAPI
#define CONFIG_KLIPS_ENC_CRYPTOAPI 0
--
1.4.2
--
--Juanjo
# Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
# GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
# Key fingerprint: 0D2F 3E5D 8B5C 729E 0560 F453 A3F7 E249 6672 7177 #