author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-10-08 20:13:44 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:54:52 -0400 |
commit | 4b7137ff8fb49d7bf22dfa248baa0d02ace2c43d (patch) | |
tree | 6a9571d7d5a3d43ec9cd8c661900fe78f89db6b6 | |
parent | f0703c80e5156406ad947cb67fe277725b48080f (diff) |
[IPSEC] esp: Remove keys from esp_data structure
The keys are only used during initialisation so we don't need to carry them
in esp_data. Since we don't have to allocate them again, there is no need
to place a limit on the authentication key length anymore.
This patch also kills the unused auth.icv member.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/esp.h | 7 | ||||
-rw-r--r-- | net/ipv4/esp4.c | 16 | ||||
-rw-r--r-- | net/ipv6/esp6.c | 15 |
3 files changed, 9 insertions, 29 deletions
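--- a/include/net/esp.h
+++ b/include/net/esp.h
@@ -13,8 +13,6 @@ struct esp_data
 
 /* Confidentiality */
 struct {
-u8 *key; /* Key */
-int key_len; /* Key length */
 int padlen; /* 0..255 */
 /* ivlen is offset from enc_data, where encrypted data start.
 * It is logically different of crypto_tfm_alg_ivsize(tfm).
@@ -28,14 +26,9 @@ struct esp_data
 
 /* Integrity. It is active when icv_full_len != 0 */
 struct {
-u8 *key; /* Key */
-int key_len; /* Length of the key */
 u8 *work_icv;
 int icv_full_len;
 int icv_trunc_len;
-void (*icv)(struct esp_data*,
-struct sk_buff *skb,
-int offset, int len, u8 *icv);
 struct crypto_hash *tfm;
 } auth;
 };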
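--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -343,11 +343,6 @@ static int esp_init_state(struct xfrm_state *x)
 struct crypto_blkcipher *tfm;
 u32 align;
 
-/* null auth and encryption can have zero length keys */
-if (x->aalg) {
-if (x->aalg->alg_key_len > 512)
-goto error;
-}
 if (x->ealg == NULL)
 goto error;
 
@@ -359,15 +354,14 @@ static int esp_init_state(struct xfrm_state *x)
 struct xfrm_algo_desc *aalg_desc;
 struct crypto_hash *hash;
 
-esp->auth.key = x->aalg->alg_key;
-esp->auth.key_len = (x->aalg->alg_key_len+7)/8;
 hash = crypto_alloc_hash(x->aalg->alg_name, 0,
 CRYPTO_ALG_ASYNC);
 if (IS_ERR(hash))
 goto error;
 
 esp->auth.tfm = hash;
-if (crypto_hash_setkey(hash, esp->auth.key, esp->auth.key_len))
+if (crypto_hash_setkey(hash, x->aalg->alg_key,
+(x->aalg->alg_key_len + 7) / 8))
 goto error;
 
 aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
@@ -389,8 +383,7 @@ static int esp_init_state(struct xfrm_state *x)
 if (!esp->auth.work_icv)
 goto error;
 }
-esp->conf.key = x->ealg->alg_key;
-esp->conf.key_len = (x->ealg->alg_key_len+7)/8;
+
 tfm = crypto_alloc_blkcipher(x->ealg->alg_name, 0, CRYPTO_ALG_ASYNC);
 if (IS_ERR(tfm))
 goto error;
@@ -403,7 +396,8 @@ static int esp_init_state(struct xfrm_state *x)
 goto error;
 esp->conf.ivinitted = 0;
 }
-if (crypto_blkcipher_setkey(tfm, esp->conf.key, esp->conf.key_len))
+if (crypto_blkcipher_setkey(tfm, x->ealg->alg_key,
+(x->ealg->alg_key_len + 7) / 8))
 goto error;
 x->props.header_len = sizeof(struct ip_esp_hdr) + esp->conf.ivlen;
 if (x->props.mode == XFRM_MODE_TUNNEL)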
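Review bot: With the `x->aalg->alg_key_len > 512` guard removed from the top of esp_init_state, nothing in the visible code bounds the byte count `(x->aalg->alg_key_len + 7) / 8` that is handed to crypto_hash_setkey, so the function now relies on whoever built `x->aalg` having checked that `alg_key_len` matches the buffer behind `alg_key`. Neither that validation nor the type of `alg_key_len` is shown in these hunks; if the field is unsigned and can sit near its maximum, the `+ 7` would wrap before the division. I would record the assumption at the call site, for example `/* alg_key_len was checked against the supplied key buffer when the state was created */` (wording to be confirmed against the actual validator), or keep a cheap sanity bound here. The same applies to the matching hunks of esp6_init_state in net/ipv6/esp6.c, and both function bodies continue outside the hunks shown.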
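--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -297,11 +297,6 @@ static int esp6_init_state(struct xfrm_state *x)
 struct esp_data *esp = NULL;
 struct crypto_blkcipher *tfm;
 
-/* null auth and encryption can have zero length keys */
-if (x->aalg) {
-if (x->aalg->alg_key_len > 512)
-goto error;
-}
 if (x->ealg == NULL)
 goto error;
 
@@ -316,15 +311,14 @@ static int esp6_init_state(struct xfrm_state *x)
 struct xfrm_algo_desc *aalg_desc;
 struct crypto_hash *hash;
 
-esp->auth.key = x->aalg->alg_key;
-esp->auth.key_len = (x->aalg->alg_key_len+7)/8;
 hash = crypto_alloc_hash(x->aalg->alg_name, 0,
 CRYPTO_ALG_ASYNC);
 if (IS_ERR(hash))
 goto error;
 
 esp->auth.tfm = hash;
-if (crypto_hash_setkey(hash, esp->auth.key, esp->auth.key_len))
+if (crypto_hash_setkey(hash, x->aalg->alg_key,
+(x->aalg->alg_key_len + 7) / 8))
 goto error;
 
 aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
@@ -346,8 +340,6 @@ static int esp6_init_state(struct xfrm_state *x)
 if (!esp->auth.work_icv)
 goto error;
 }
-esp->conf.key = x->ealg->alg_key;
-esp->conf.key_len = (x->ealg->alg_key_len+7)/8;
 tfm = crypto_alloc_blkcipher(x->ealg->alg_name, 0, CRYPTO_ALG_ASYNC);
 if (IS_ERR(tfm))
 goto error;
@@ -360,7 +352,8 @@ static int esp6_init_state(struct xfrm_state *x)
 goto error;
 esp->conf.ivinitted = 0;
 }
-if (crypto_blkcipher_setkey(tfm, esp->conf.key, esp->conf.key_len))
+if (crypto_blkcipher_setkey(tfm, x->ealg->alg_key,
+(x->ealg->alg_key_len + 7) / 8))
 goto error;
 x->props.header_len = sizeof(struct ipv6_esp_hdr) + esp->conf.ivlen;
 if (x->props.mode == XFRM_MODE_TUNNEL)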
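Review bot: The rounding expression `(x->ealg->alg_key_len + 7) / 8` is now written inline at both setkey calls in esp6_init_state, and again at both calls in net/ipv4/esp4.c, with no name or comment saying what it converts. The removed `key_len` fields at least labelled the result as a length; from the arithmetic and the old `> 512` check the input looks like a bit count, but the hunks do not state that. A short comment at the first use, such as `/* key length is given in bits; round up to whole bytes */`, or a small shared inline helper in a common header would keep the four call sites from drifting apart. The function body continues outside the hunks shown.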