diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/include/net/sock.h linux-patched/include/net/sock.h --- linux/include/net/sock.h Wed Aug 27 15:52:54 2003 +++ linux-patched/include/net/sock.h Wed Aug 27 15:58:59 2003 @@ -245,6 +245,12 @@ __u32 end_seq; }; +#if 1 +struct udp_opt { + __u32 esp_in_udp; +}; +#endif + struct tcp_opt { int tcp_header_len; /* Bytes of tcp header to send */ @@ -584,6 +590,9 @@ #if defined(CONFIG_SPX) || defined (CONFIG_SPX_MODULE) struct spx_opt af_spx; #endif /* CONFIG_SPX */ +#if 1 + struct udp_opt af_udp; +#endif } tp_pinfo; diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/Config.in linux-patched/net/Config.in --- linux/net/Config.in Wed Aug 27 15:52:58 2003 +++ linux-patched/net/Config.in Wed Aug 27 15:58:59 2003 @@ -88,4 +88,9 @@ #bool 'Network code profiler' CONFIG_NET_PROFILE endmenu +tristate 'IP Security Protocol (FreeS/WAN IPSEC)' CONFIG_IPSEC +if [ "$CONFIG_IPSEC" != "n" ]; then + source net/ipsec/Config.in +fi + endmenu diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/Makefile linux-patched/net/Makefile --- linux/net/Makefile Wed Aug 27 15:52:57 2003 +++ linux-patched/net/Makefile Wed Aug 27 15:58:59 2003 @@ -17,6 +17,7 @@ subdir-$(CONFIG_NET) += 802 sched subdir-$(CONFIG_INET) += ipv4 subdir-$(CONFIG_NETFILTER) += ipv4/netfilter +subdir-$(CONFIG_IPSEC) += ipsec subdir-$(CONFIG_UNIX) += unix subdir-$(CONFIG_IPV6) += ipv6 diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/Config.in linux-patched/net/ipsec/Config.in --- linux/net/ipsec/Config.in Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/Config.in Thu Sep 5 04:53:52 2002 
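Review bot: Both additions to include/net/sock.h are wrapped in `#if 1`, so `struct udp_opt` and the `af_udp` member of the `tp_pinfo` union are compiled into every kernel built from this tree, whether or not the feature that uses them is selected. The guard should name that feature on both the struct definition and the union member, for example `#ifdef CONFIG_IPSEC_NAT_TRAVERSAL`, assuming that is the option that reads `esp_in_udp`; the consumer is not visible in this part of the diff. `esp_in_udp` also needs a one-line comment stating what values it holds and who sets it. The union that receives `af_udp` begins outside the hunk.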
@@ -0,0 +1,63 @@
+#
+# IPSEC configuration
+# Copyright (C) 1998, 1999, 2000,2001 Richard Guy Briggs.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $
+
+comment 'IPSec options (FreeS/WAN)'
+
+bool ' IPSEC: IP-in-IP encapsulation (tunnel mode)' CONFIG_IPSEC_IPIP
+
+bool ' IPSEC: Authentication Header' CONFIG_IPSEC_AH
+if [ "$CONFIG_IPSEC_AH" = "y" -o "$CONFIG_IPSEC_ESP" = "y" ]; then
+ bool ' HMAC-MD5 authentication algorithm' CONFIG_IPSEC_AUTH_HMAC_MD5
+ bool ' HMAC-SHA1 authentication algorithm' CONFIG_IPSEC_AUTH_HMAC_SHA1
+fi
+
+bool ' IPSEC: Encapsulating Security Payload' CONFIG_IPSEC_ESP
+if [ "$CONFIG_IPSEC_ESP" = "y" ]; then
+ bool ' 3DES encryption algorithm' CONFIG_IPSEC_ENC_3DES
+fi
+
+bool ' IPSEC Modular Extensions' CONFIG_IPSEC_ALG
+if [ "$CONFIG_IPSEC_ALG" != "n" ]; then
+ source net/ipsec/alg/Config.in
+fi
+
+bool ' IPSEC: IP Compression' CONFIG_IPSEC_IPCOMP
+
+bool ' IPSEC Debugging Option' CONFIG_IPSEC_DEBUG
+
+bool ' IPSEC NAT-Traversal' CONFIG_IPSEC_NAT_TRAVERSAL
+
+#
+#
+# $Log: super-freeswan-1.99.8-delsol1.diff,v $
+# Revision 1.1 2003/09/09 09:20:34 john
+# Initial import
+#
+# Revision 1.3 2002/09/05 03:53:52 ken
+# Added NAT-T Patch
+#
+# Revision 1.2 2002/09/05 03:27:08 ken
+# Applied freeswan-alg-0.8.0-BASE-klips.diff
+#
+# Revision 1.1.1.1 2002/09/05 03:13:17 ken
+# 1.98b
+#
+# Revision 1.25 2002/02/21 19:55:12 mcr
+# removed all traces of IPSEC_CONFIG_REGRESS because it
+# screwed up 2.2's "make menuconfig" scripts.
+#
+# Revision 1.24 2002/01/28 20:24:31 mcr
+# commented out IPSEC_REGRESS option from user visible config.
+#
+#
+
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/Makefile linux-patched/net/ipsec/Makefile
--- linux/net/ipsec/Makefile Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/Makefile Fri Feb 7 13:14:24 2003
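Review bot: The HMAC prompts are gated on `"$CONFIG_IPSEC_AH" = "y" -o "$CONFIG_IPSEC_ESP" = "y"`, but `CONFIG_IPSEC_ESP` is only asked after that `if` block, so a sequential configurator on a fresh tree with AH declined appears to skip the HMAC-MD5 and HMAC-SHA1 questions even when ESP is then enabled. Nothing else in the file requires an authentication algorithm once ESP is selected, so the result can be a kernel offering ESP with 3DES and no built-in integrity transform. Moving the `bool ' IPSEC: Encapsulating Security Payload' CONFIG_IPSEC_ESP` line above the AH `if` block fixes the ordering. A comment above the HMAC entries should say that at least one of them is expected whenever AH or ESP is on.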
@@ -0,0 +1,333 @@
+# Makefile for KLIPS kernel code
+# Copyright (C) 1998, 1999, 2000,2001 Richard Guy Briggs.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $
+#
+# Note! Dependencies are done automagically by 'make dep', which also
+# removes any old dependencies. DON'T put your own dependencies here
+# unless it's something special (ie not a .c file).
+#
+# Note 2! The CFLAGS definition is now in the main makefile...
+
+ifndef TOPDIR
+TOPDIR := /usr/src/linux
+endif
+
+subdir- :=
+subdir-n :=
+subdir-y :=
+subdir-m :=
+
+O_TARGET := ipsec.o
+obj-y := ipsec_init.o ipsec_sa.o ipsec_radij.o radij.o
+obj-y += ipsec_life.o ipsec_proc.o
+obj-y += ipsec_tunnel.o ipsec_rcv.o sysctl_net_ipsec.o
+obj-y += pfkey_v2.o pfkey_v2_parser.o
+
+export-objs := radij.o
+
+obj-$(CONFIG_IPSEC_ALG) +=ipsec_alg.o alg/ipsec_alg_static.o
+export-objs += ipsec_alg.o
+subdir-m += alg
+
+# 'override CFLAGS' should really be 'EXTRA_CFLAGS'
+EXTRA_CFLAGS += -Ilibfreeswan -Ilibdes
+ifeq ($(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION),2.4.2-2)
+EXTRA_CFLAGS += -DREDHAT_BOGOSITY
+endif
+ifeq ($(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION),2.4.3-12)
+EXTRA_CFLAGS += -DREDHAT_BOGOSITY
+endif
+
+#ifeq ($(CONFIG_IPSEC_DEBUG),y)
+#EXTRA_CFLAGS += -g
+#endif
+
+EXTRA_CFLAGS += $(KLIPSCOMPILE)
+EXTRA_CFLAGS += -Wall
+#EXTRA_CFLAGS += -Werror
+#EXTRA_CFLAGS += -Wconversion
+#EXTRA_CFLAGS += -Wmissing-prototypes
+EXTRA_CFLAGS += -Wpointer-arith
+#EXTRA_CFLAGS += -Wcast-qual
+#EXTRA_CFLAGS += -Wmissing-declarations
+EXTRA_CFLAGS += -Wstrict-prototypes
+#EXTRA_CFLAGS += -pedantic
+#EXTRA_CFLAGS += -O3
+#EXTRA_CFLAGS += -W
+#EXTRA_CFLAGS += -Wwrite-strings
+#EXTRA_CFLAGS += -Wbad-function-cast
+
+obj-$(CONFIG_IPSEC_ENC_3DES) += libdes/libdes.a
+obj-$(CONFIG_IPSEC_AUTH_HMAC_MD5) += ipsec_md5c.o
+obj-$(CONFIG_IPSEC_AUTH_HMAC_SHA1) += ipsec_sha1.o
+obj-$(CONFIG_IPSEC_IPCOMP) += ipcomp.o zlib/zlib.a
+subdir-$(CONFIG_IPSEC_IPCOMP) += zlib
+subdir-$(CONFIG_IPSEC) += libfreeswan
+obj-y += libfreeswan/libkernel.a
+
+###
+### Pre Rules.make
+###
+# undo O_TARGET, obj-y if no static
+ifneq ($(CONFIG_IPSEC),y)
+O_TARGET :=
+ipsec_obj-y := $(obj-y)
+obj-y :=
+subdir-y :=
+endif
+
+# Define obj-m if modular ipsec
+ifeq ($(CONFIG_IPSEC),m)
+obj-m += ipsec.o
+endif
+
+
+# These rules translate from new to old makefile rules
+# Translate to Rules.make lists.
+multi-used := $(filter $(list-multi), $(obj-y) $(obj-m))
+multi-objs := $(foreach m, $(multi-used), $($(basename $(m))-objs))
+active-objs := $(sort $(multi-objs) $(obj-y) $(obj-m))
+O_OBJS := $(obj-y)
+M_OBJS := $(obj-m)
+MIX_OBJS := $(filter $(export-objs), $(active-objs))
+OX_OBJS := $(export-objs)
+SUB_DIRS := $(subdir-y)
+ALL_SUB_DIRS := $(subdir-y) $(subdir-m)
+MOD_SUB_DIRS := $(subdir-m)
+
+# dunno why, but some 2.2 setups may need explicit -DEXPORT_SYMTAB
+# uncomment next line if ipsec_alg.c compilation fails with
+# "parse error before `EXPORT_SYMTAB_not_defined'" --Juanjo
+# CFLAGS_ipsec_alg.o += -DEXPORT_SYMTAB
+#
+
+include $(TOPDIR)/Rules.make
+
+###
+### Post Rules.make
+###
+# for modular ipsec, no O_TARGET defined => define ipsec.o creation rules
+ifeq ($(CONFIG_IPSEC),m)
+ipsec.o : $(ipsec_obj-y)
+ rm -f $@
+ $(LD) $(LD_EXTRAFLAGS) -r $(ipsec_obj-y) -o $@
+endif
+
+$(ipsec_obj-y) $(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h
+
+libdes/libdes.a:
+ ( cd libdes && \
+ if test " `arch | sed 's/^i[3456]/x/'`" = " x86" ; \
+ then $(MAKE) CC='$(CC)' CFLAG='$(CFLAGS)' TESTING='' x86-elf ; \
+ else $(MAKE) CC='$(CC)' CFLAG='$(CFLAGS)' libdes.a ; \
+ fi )
+
+libfreeswan/libkernel.a:
+ $(MAKE) -C libfreeswan
+
+zlib/zlib.a:
+ $(MAKE) -C zlib
+
+alg/ipsec_alg_static.o: dummy
+ $(MAKE) -C alg CC='$(CC)' CFLAGS='$(CFLAGS)' ipsec_alg_static.o
+
+clean:
+ $(MAKE) -C alg clean
+ -rm -f *.o
+
+tags TAGS: *.c *.h libfreeswan/*.c libfreeswan/*.h
+ find . -name '*.[ch]' |xargs etags
+ find . -name '*.[ch]' |xargs ctags
+
+tar:
+ tar -cvf /dev/f1 .
+
+#
+# $Log: super-freeswan-1.99.8-delsol1.diff,v $
+# Revision 1.1 2003/09/09 09:20:34 john
+# Initial import
+#
+# Revision 1.3 2003/02/07 13:14:24 ken
+# Pullin jjo's ALG 0.8.1rc branch
+#
+# Revision 1.2.2.1 2003/02/06 22:09:49 jjo
+# sync to alg-0.8.1-rc4
+#
+# Revision 1.2 2002/09/05 03:27:08 ken
+# Applied freeswan-alg-0.8.0-BASE-klips.diff
+#
+# Revision 1.1.1.1 2002/09/05 03:13:17 ken
+# 1.98b
+#
+# Revision 1.39 2002/01/17 04:39:40 rgb
+# Take compile options from top level Makefile.inc
+#
+# Revision 1.38 2001/11/27 05:28:07 rgb
+# Shut off -Werror until we figure out a graceful way of quieting down the
+# pfkey_ops defined but not used complaint in the case of SMP in
+# pfkey_v2.c.
+#
+# Revision 1.37 2001/11/27 05:10:15 rgb
+# Added -Ilibdes and removed lib/des* symlinks.
+#
+# Revision 1.36 2001/11/26 09:23:47 rgb
+# Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
+#
+# Revision 1.35.2.1 2001/09/25 02:17:50 mcr
+# added ipsec_sa, ipsec_life, ipsec_proc.
+# added -Werror to compile flags (see fix for zlib/zutil.h)
+#
+# Revision 1.3 2001/09/21 04:41:26 mcr
+# actually, ipsec_proc.c and ipsec_life.c were never actually compiled.
+#
+# Revision 1.2 2001/09/21 04:11:33 mcr
+# first compilable version.
+#
+# Revision 1.1.1.2 2001/09/17 01:17:52 mcr
+# snapshot 2001-09-16
+#
+# Revision 1.35 2001/09/07 22:09:12 rgb
+# Quiet down compilation.
+#
+# Revision 1.34 2001/08/11 17:10:23 henry
+# update bogosity stuff to cover RH7.1 update
+#
+# Revision 1.33 2001/06/14 19:35:07 rgb
+# Update copyright date.
+#
+# Revision 1.32 2001/06/13 21:00:50 rgb
+# Added a kludge to get around RedHat kernel version bogosity...
+#
+# Revision 1.31 2001/01/29 22:19:06 rgb
+# Convert to 2.4 new style with back compat.
+#
+# Revision 1.30 2000/09/29 19:51:57 rgb
+# Moved klips/net/ipsec/ipcomp_* to zlib/* (Svenning).
+#
+# Revision 1.29 2000/09/15 11:37:01 rgb
+# Merge in heavily modified Svenning Soerensen's
+# IPCOMP zlib deflate code.
+#
+# Revision 1.28 2000/09/15 04:55:25 rgb
+# Clean up pfkey object inclusion into the default object.
+#
+# Revision 1.27 2000/09/12 03:20:47 rgb
+# Cleared out now unused pfkeyv2 switch.
+# Enabled sysctl.
+#
+# Revision 1.26 2000/09/08 19:12:55 rgb
+# Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+#
+# Revision 1.25 2000/06/16 03:09:16 rgb
+# Shut up cast lost warning due to changes in 2.4.0-test1.
+#
+# Revision 1.24 2000/03/16 06:40:48 rgb
+# Hardcode PF_KEYv2 support.
+#
+# Revision 1.23 2000/02/14 21:10:38 rgb
+# Added gcc debug flag when KLIPS_DEBUG is swtiched on.
+#
+# Revision 1.22 2000/01/21 09:44:29 rgb
+# Added compiler switches to be a lot more fussy.
+#
+# Revision 1.21 1999/11/25 23:35:20 rgb
+# Removed quotes to fix Alpha compile issues.
+#
+# Revision 1.20 1999/11/17 15:49:34 rgb
+# Changed all occurrences of ../../../lib in pathnames to libfreeswan,
+# which refers to the /usr/src/linux/net/ipsec/lib directory setup by the
+# klink target in the top-level Makefile; and libdeslite.o to
+# libdes/libdes.a.
+# Added SUB_DIRS := lib definition for the kernel libraries.
+#
+# Revision 1.19 1999/04/27 19:06:47 rgb
+# dd libs and dependancies to tags generation.
+#
+# Revision 1.18 1999/04/16 16:28:12 rgb
+# Minor bugfix to avoid including DES if only AH is used.
+#
+# Revision 1.17 1999/04/15 15:37:23 rgb
+# Forward check changes from POST1_00 branch.
+#
+# Revision 1.14.2.1 1999/03/30 17:29:17 rgb
+# Add support for pfkey.
+#
+# Revision 1.16 1999/04/11 00:28:56 henry
+# GPL boilerplate
+#
+# Revision 1.15 1999/04/06 04:54:25 rgb
+# Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
+# patch shell fixes.
+#
+# Revision 1.14 1999/02/18 16:50:45 henry
+# update for new DES library
+#
+# Revision 1.13 1999/02/12 21:11:45 rgb
+# Prepare for newer LIBDES (patch from P.Onion).
+#
+# Revision 1.12 1999/01/26 02:05:08 rgb
+# Remove references to INET_GET_PROTOCOL.
+# Removed CONFIG_IPSEC_ALGO_SWITCH macro.
+# Change from transform switch to algorithm switch.
+#
+# Revision 1.11 1999/01/22 06:16:09 rgb
+# Added algorithm switch code config option.
+#
+# Revision 1.10 1998/11/08 05:31:21 henry
+# be a little fussier
+#
+# Revision 1.9 1998/11/08 05:29:41 henry
+# revisions for new libdes handling
+#
+# Revision 1.8 1998/08/12 00:05:48 rgb
+# Added new xforms to Makefile (moved des-cbc to des-old).
+#
+# Revision 1.7 1998/07/27 21:48:47 rgb
+# Add libkernel.
+#
+# Revision 1.6 1998/07/14 15:50:47 rgb
+# Add dependancies on linux config files.
+#
+# Revision 1.5 1998/07/09 17:44:06 rgb
+# Added 'clean' and 'tags' targets.
+# Added TOPDIR macro.
+# Change module back from symbol exporting to not.
+#
+# Revision 1.3 1998/06/25 19:25:04 rgb
+# Rearrange to support static linking and objects with exported symbol
+# tables.
+#
+# Revision 1.1 1998/06/18 21:27:42 henry
+# move sources from klips/src to klips/net/ipsec, to keep stupid
+# kernel-build scripts happier in the presence of symlinks
+#
+# Revision 1.3 1998/04/15 23:18:43 rgb
+# Unfixed the ../../libdes fix to avoid messing up Henry's script.
+#
+# Revision 1.2 1998/04/14 17:50:47 rgb
+# Fixed to find the new location of libdes.
+#
+# Revision 1.1 1998/04/09 03:05:22 henry
+# sources moved up from linux/net/ipsec
+# modifications to centralize libdes code
+#
+# Revision 1.1.1.1 1998/04/08 05:35:02 henry
+# RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
+#
+# Revision 0.5 1997/06/03 04:24:48 ji
+# Added ESP-3DES-MD5-96
+#
+# Revision 0.4 1997/01/15 01:32:59 ji
+# Added new transforms.
+#
+# Revision 0.3 1996/11/20 14:22:53 ji
+# *** empty log message ***
+#
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/Makefile.inc linux-patched/net/ipsec/Makefile.inc
--- linux/net/ipsec/Makefile.inc Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/Makefile.inc Wed Aug 27 15:58:54 2003
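Review bot: The `$Id$` and `$Log$` keywords inside this new file carry the patch file's own name (`super-freeswan-1.99.8-delsol1.diff,v`) and a `Revision 1.1 2003/09/09 09:20:34 john` / `Initial import` entry, which suggests the patch itself was checked into RCS/CVS with keyword substitution on and was rewritten at commit time. The three log lines that adds are not counted in `@@ -0,0 +1,333 @@`; the same happens in net/ipsec/Config.in, whose header announces 63 lines while the body appears to hold 66. A patch whose hunk bodies no longer match their headers can be rejected or applied with fuzz, and the version stamps in the resulting files describe the patch instead of the KLIPS sources. Storing the patch with expansion disabled (`cvs admin -ko` or `-kb`) and regenerating it from the original tree would restore both.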
@@ -0,0 +1,182 @@
+# FreeS/WAN pathnames and other master configuration
+# Copyright (C) 2001, 2002 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $
+
+
+
+# Variables in this file with names starting with INC_ are not for use
+# by Makefiles which include it; they are subject to change without warning.
+#
+# "Final" and "finally" refer to where the files will end up on the
+# running IPsec system, as opposed to where they get installed by our
+# Makefiles. (The two are different for cross-compiles and the like,
+# where our Makefiles are not the end of the installation process.)
+# Paths with FINAL in their names are the only ones that the installed
+# software itself depends on. (Very few things should know about the
+# FINAL paths; think twice and consult Henry before making something new
+# depend on them.) All other paths are install targets.
+# See also DESTDIR, below.
+
+
+
+### boilerplate, do not change
+SHELL=/bin/sh
+
+
+
+### install pathnames
+
+# DESTDIR can be used to supply a prefix to all install targets.
+# (Note that "final" pathnames, signifying where files will eventually
+# reside rather than where install puts them, are exempt from this.)
+# The prefixing is done in this file, so as to have central control over
+# it; DESTDIR itself should never appear in any other Makefile.
+DESTDIR?=
+
+# "local" part of tree, used in building other pathnames
+INC_USRLOCAL=/usr/local
+
+# PUBDIR is where the "ipsec" command goes; beware, many things define PATH
+# settings which are assumed to include it (or at least, to include *some*
+# copy of the "ipsec" command).
+PUBDIR=$(DESTDIR)$(INC_USRLOCAL)/sbin
+
+# BINDIR is where commands get put, FINALBINDIR is where the "ipsec"
+# command will look for them when it is run.
+FINALBINDIR=$(INC_USRLOCAL)/lib/ipsec
+BINDIR=$(DESTDIR)$(FINALBINDIR)
+
+# where the appropriate manpage tree is located
+# location within INC_USRLOCAL
+INC_MANDIR=man
+# the full pathname
+MANTREE=$(DESTDIR)$(INC_USRLOCAL)/$(INC_MANDIR)
+# all relevant subdirectories of MANTREE
+MANPLACES=man3 man5 man8
+
+# where configuration files go
+FINALCONFDIR=/etc
+CONFDIR=$(DESTDIR)$(FINALCONFDIR)
+
+# An attempt is made to automatically figure out where boot/shutdown scripts
+# will finally go: the first directory in INC_RCDIRS which exists gets them.
+# If none of those exists (or INC_RCDIRS is empty), INC_RCDEFAULT gets them.
+# With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
+# INC_RCDIRS directories has been pre-created under DESTDIR.
+INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
+INC_RCDEFAULT=/etc/rc.d/init.d
+
+# RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
+# will finally be (so utils/Makefile can create a symlink in BINDIR to the
+# place where the boot/shutdown script will finally be, rather than the
+# place where it is installed).
+FINALRCDIR=$(shell for d in $(INC_RCDIRS) ; \
+ do if test -d $(DESTDIR)/$$d ; \
+ then echo $$d ; exit 0 ; \
+ fi ; done ; echo $(INC_RCDEFAULT) )
+RCDIR=$(DESTDIR)$(FINALRCDIR)
+
+
+
+### kernel pathnames
+
+# Kernel location: where patches are inserted, where kernel builds are done.
+KERNELSRC?=/usr/src/redhat/BUILD/kernel-2.4.9/linux-patched
+
+# things whose existence indicates what kernel version we have
+DIRIN22=$(KERNELSRC)/net/netlink
+FILIN24=$(KERNELSRC)/net/khttpd/main.c
+
+# where kernel configuration outputs are located
+KCFILE=$(KERNELSRC)/.config
+ACFILE=$(KERNELSRC)/include/linux/autoconf.h
+VERFILE=$(KERNELSRC)/include/linux/version.h
+
+
+
+### misc installation stuff
+
+# what program to use when installing things
+INSTALL=install
+
+# flags to the install program, for programs, manpages, and config files
+# -b has install make backups (n.b., unlinks original), --suffix controls
+# how backup names are composed.
+# Note that the install procedures will never overwrite an existing config
+# file, which is why -b is not specified for them.
+INSTBINFLAGS=-b --suffix=.old
+INSTMANFLAGS=
+INSTCONFFLAGS=
+
+
+
+### misc configuration, included here in hopes that other files will not
+### have to be changed for common customizations.
+
+# extra compile flags, for userland and kernel stuff, e.g. -g for debug info
+# (caution, this stuff is still being sorted out, will change in future)
+USERCOMPILE=-g -O3
+KLIPSCOMPILE=-O3
+
+# command used to link/copy KLIPS into kernel source tree
+# There are good reasons why this is "ln -s"; only people like distribution
+# builders should ever change it.
+KLIPSLINK=ln -s
+
+# extra options for use in kernel build
+KERNMAKEOPTS=
+
+# kernel Makefile targets to be done before build
+# Can be overridden if you are *sure* your kernel doesn't need them. (2.2.xx
+# and later reportedly do not.)
+KERNDEP=dep
+KERNCLEAN=clean
+
+# kernel make name: zImage for 2.0.xx, bzImage for 2.2.xx and later, and
+# boot on non-x86s (what ever happened to standards?)
+INC_B=$(shell test -d $(DIRIN22) && echo b)
+KERNEL=$(shell if expr " `uname -m`" : ' i.86' >/dev/null ; \
+ then echo $(INC_B)zImage ; \
+ else echo boot ; \
+ fi)
+
+# temporary directory to be used when building RPMs, and where to put the
+# resulting RPM tree
+RPMKERNDIR := $(shell echo `pwd`/tmp.rpmkernel)
+RPMTMPDIR := $(shell echo `pwd`/tmp.rpmbuild)
+RPMDEST := $(shell echo `pwd`/rpms)
+# Newer versions of RPM do not permit building of packages with the "rpm"
+# command. For RedHat systems with older version of RPM, use:
+# RPMBUILD=rpm
+# instead.
+RPMBUILD=rpmbuild
+
+#
+# Set this to a RedHat kernel-sources RPM. This normally extracts into
+# /usr/src/linux-2.4, but you might have extracted it elsewhere with
+# rpm2cpio.
+#
+RH_KERNELSRC=/usr/src/linux-2.4
+
+#RH_KERNELSRC=/a3/kernel_sources/linux-2.4.2
+#RH_KERNELSRC=/a3/kernel_sources/linux-2.4.9-13
+#RH_KERNELSRC=/c2/kernel/rh/linux-2.4.9-13
+
+# the following is a list of symbols which will be used to construct
+# the module goo to identify which module goes with each kernel.
+MODULE_GOO_LIST=irq_stat netif_rx register_sysctl_table send_sig
+MODULE_GOO_LIST+=kmalloc __kfree_skb __ip_select_ident alloc_skb
+MODULE_GOO_LIST+=icmp_send ip_fragment sock_register
+
+
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/Makefile.ver linux-patched/net/ipsec/Makefile.ver
--- linux/net/ipsec/Makefile.ver Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/Makefile.ver Tue Jul 8 20:02:03 2003
@@ -0,0 +1 @@
+IPSECVERSION=super-freeswan-1.99.8
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_1des.in linux-patched/net/ipsec/alg/Config.alg_1des.in
--- linux/net/ipsec/alg/Config.alg_1des.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_1des.in Fri Feb 7 14:39:36 2003
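Review bot: `KERNELSRC?=/usr/src/redhat/BUILD/kernel-2.4.9/linux-patched` defaults to what looks like one builder's RPM working directory, so on any other machine everything derived from it (`DIRIN22`, `FILIN24`, `KCFILE`, `ACFILE`, `VERFILE`) points at a path that does not exist unless the caller overrides it. Because `KERNEL` is computed from `DIRIN22`, a missing directory silently selects `zImage` instead of failing, so the wrong default changes the build target without any error. The default should be a conventional location such as `KERNELSRC?=/usr/src/linux`, which is also the `TOPDIR` fallback used in net/ipsec/Makefile, with a comment saying packagers are expected to override it.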
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' 1DES **INSECURE** encryption algorithm (modular alg)' CONFIG_IPSEC_ALG_1DES
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_3des.in linux-patched/net/ipsec/alg/Config.alg_3des.in
--- linux/net/ipsec/alg/Config.alg_3des.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_3des.in Thu Sep 5 04:36:54 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' 3DES encryption algorithm (modular alg)' CONFIG_IPSEC_ALG_3DES
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_aes.in linux-patched/net/ipsec/alg/Config.alg_aes.in
--- linux/net/ipsec/alg/Config.alg_aes.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_aes.in Thu Sep 5 04:38:06 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' AES encryption algorithm' CONFIG_IPSEC_ALG_AES
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_blowfish.in linux-patched/net/ipsec/alg/Config.alg_blowfish.in
--- linux/net/ipsec/alg/Config.alg_blowfish.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_blowfish.in Thu Sep 5 04:39:46 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' BLOWFISH encryption algorithm' CONFIG_IPSEC_ALG_BLOWFISH
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_cast.in linux-patched/net/ipsec/alg/Config.alg_cast.in
--- linux/net/ipsec/alg/Config.alg_cast.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_cast.in Thu Sep 5 04:48:04 2002
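Review bot: `CONFIG_IPSEC_ALG_1DES` is offered as an ordinary `tristate` under the same `CONFIG_IPSEC_ALG` test as every other cipher, so the only safeguard against building single DES into the kernel is the `**INSECURE**` text in the prompt. `CONFIG_IPSEC_ALG_NULL` in Config.alg_null.in is exposed the same way and carries no warning at all. Both entries should sit behind an explicit opt-in symbol instead of the general `CONFIG_IPSEC_ALG` switch, and the NULL prompt should state what it provides, e.g. `tristate ' NULL encryption algorithm (no confidentiality)' CONFIG_IPSEC_ALG_NULL`. Whether either transform is actually used still depends on the keying configuration, which is not part of this diff.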
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' CAST encryption algorithm' CONFIG_IPSEC_ALG_CAST
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_cryptoapi.in linux-patched/net/ipsec/alg/Config.alg_cryptoapi.in
--- linux/net/ipsec/alg/Config.alg_cryptoapi.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_cryptoapi.in Fri Feb 21 23:23:03 2003
@@ -0,0 +1,6 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ dep_tristate ' CRYPTOAPI ciphers support (needs cryptoapi patch)' CONFIG_IPSEC_ALG_CRYPTOAPI $CONFIG_CRYPTO
+ if [ "$CONFIG_IPSEC_ALG_CRYPTOAPI" != "n" ]; then
+ bool ' CRYPTOAPI proprietary ciphers ' CONFIG_IPSEC_ALG_NON_LIBRE
+ fi
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_md5.in linux-patched/net/ipsec/alg/Config.alg_md5.in
--- linux/net/ipsec/alg/Config.alg_md5.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_md5.in Thu Sep 5 04:31:27 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' HMAC_MD5 auth algorithm (modular alg)' CONFIG_IPSEC_ALG_MD5
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_null.in linux-patched/net/ipsec/alg/Config.alg_null.in
--- linux/net/ipsec/alg/Config.alg_null.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_null.in Thu Sep 5 04:49:06 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' NULL encryption algorithm' CONFIG_IPSEC_ALG_NULL
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_serpent.in linux-patched/net/ipsec/alg/Config.alg_serpent.in
--- linux/net/ipsec/alg/Config.alg_serpent.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_serpent.in Thu Sep 5 04:43:55 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' SERPENT encryption algorithm' CONFIG_IPSEC_ALG_SERPENT
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_sha1.in linux-patched/net/ipsec/alg/Config.alg_sha1.in
--- linux/net/ipsec/alg/Config.alg_sha1.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_sha1.in Thu Sep 5 04:34:24 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' HMAC_SHA1 auth algorithm (modular alg)' CONFIG_IPSEC_ALG_SHA1
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_sha2.in linux-patched/net/ipsec/alg/Config.alg_sha2.in
--- linux/net/ipsec/alg/Config.alg_sha2.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_sha2.in Thu Sep 5 04:34:24 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' HMAC_SHA2 auth algorithm' CONFIG_IPSEC_ALG_SHA2
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.alg_twofish.in linux-patched/net/ipsec/alg/Config.alg_twofish.in
--- linux/net/ipsec/alg/Config.alg_twofish.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.alg_twofish.in Thu Sep 5 04:41:17 2002
@@ -0,0 +1,3 @@
+if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
+ tristate ' TWOFISH encryption algorithm' CONFIG_IPSEC_ALG_TWOFISH
+fi
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Config.in linux-patched/net/ipsec/alg/Config.in
--- linux/net/ipsec/alg/Config.in Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Config.in Tue May 20 02:12:35 2003
@@ -0,0 +1,13 @@
+#Placeholder
+source net/ipsec/alg/Config.alg_md5.in
+source net/ipsec/alg/Config.alg_sha1.in
+source net/ipsec/alg/Config.alg_sha2.in
+source net/ipsec/alg/Config.alg_3des.in
+source net/ipsec/alg/Config.alg_aes.in
+source net/ipsec/alg/Config.alg_blowfish.in
+source net/ipsec/alg/Config.alg_twofish.in
+source net/ipsec/alg/Config.alg_serpent.in
+source net/ipsec/alg/Config.alg_cast.in
+source net/ipsec/alg/Config.alg_null.in
+source net/ipsec/alg/Config.alg_cryptoapi.in
+source net/ipsec/alg/Config.alg_1des.in
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile linux-patched/net/ipsec/alg/Makefile
--- linux/net/ipsec/alg/Makefile Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile Fri Feb 7 13:14:25 2003
@@ -0,0 +1,104 @@
+# $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $
+KLIPSDIR:= $(shell if [ "$$PWD" != "" ]; then echo $$PWD; else pwd; fi)/..
+
+#LIBCRYPTO:=$(KLIPSDIR)/../../../libcrypto
+LIBCRYPTO:=$(KLIPSDIR)/libcrypto
+EXTRA_CFLAGS:=-I$(KLIPSDIR) -I$(KLIPSDIR)/libfreeswan -I$(LIBCRYPTO)/include -I$(LIBCRYPTO)
+ifeq ($(CONFIG_IPSEC_DEBUG),y)
+EXTRA_CFLAGS += -g
+endif
+EXTRA_CFLAGS += -Wall -Wpointer-arith -Wstrict-prototypes
+
+MOD_LIST_NAME := NET_MISC_MODULES
+
+#O_TARGET := ipsec_alg_static.o
+
+subdir- :=
+subdir-n :=
+subdir-y :=
+subdir-m :=
+
+obj-y := ipsec_alg_static_init.o
+
+ARCH_ASM-y :=
+ARCH_ASM-$(CONFIG_M586) := i586
+ARCH_ASM-$(CONFIG_M586TSC) := i586
+ARCH_ASM-$(CONFIG_M586MMX) := i586
+ARCH_ASM-$(CONFIG_MK6) := i586
+ARCH_ASM-$(CONFIG_M686) := i686
+ARCH_ASM-$(CONFIG_MPENTIUMIII) := i686
+ARCH_ASM-$(CONFIG_MPENTIUM4) := i686
+ARCH_ASM-$(CONFIG_MK7) := i686
+ARCH_ASM-$(CONFIG_MCRUSOE) := i586
+ARCH_ASM-$(CONFIG_MWINCHIPC6) := i586
+ARCH_ASM-$(CONFIG_MWINCHIP2) := i586
+ARCH_ASM-$(CONFIG_MWINCHIP3D) := i586
+ARCH_ASM-$(CONFIG_USERMODE) := i586
+
+ARCH_ASM :=$(ARCH_ASM-y)
+ifdef NO_ASM
+ARCH_ASM :=
+endif
+
+## debug:
+#$(warning CONFIG_M586=$(CONFIG_M586))
+#$(warning CONFIG_M686=$(CONFIG_M686))
+#$(warning ARCH_ASM=$(ARCH_ASM))
+# The algorithm makefiles may put dependences, short-circuit them
+null:
+
+makefiles=$(wildcard Makefile.alg_*)
+ifneq ($(makefiles),)
+#include Makefile.alg_aes
+#include Makefile.alg_aes-opt
+include $(makefiles)
+endif
+
+# These rules translate from new to old makefile rules
+# Translate to Rules.make lists.
+multi-used := $(filter $(list-multi), $(obj-y) $(obj-m))
+multi-objs := $(foreach m, $(multi-used), $($(basename $(m))-objs))
+active-objs := $(sort $(multi-objs) $(obj-y) $(obj-m))
+O_OBJS := $(obj-y)
+M_OBJS := $(obj-m)
+MIX_OBJS := $(filter $(export-objs), $(active-objs))
+#OX_OBJS := $(export-objs)
+SUB_DIRS := $(subdir-y)
+ALL_SUB_DIRS := $(subdir-y) $(subdir-m)
+MOD_SUB_DIRS := $(subdir-m)
+
+
+ifdef TOPDIR
+include $(TOPDIR)/Rules.make
+endif
+
+ipsec_alg_static.o: $(obj-y)
+ rm -f $@
+ $(LD) $(LD_EXTRAFLAGS) $(obj-y) -r -o $@
+
+perlasm: $(LIBCRYPTO)/perlasm
+ ln -sf $? $@
+
+$(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h ../ipsec_alg.h
+$(alg_obj-y) $(alg_obj-m): perlasm $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h ../ipsec_alg.h
+
+
+alg_modules: perlasm $(ALG_MODULES)
+ @echo "ALG_MODULES=$(ALG_MODULES)"
+
+
+#
+# Construct alg. init. function: call ipsec_ALGO_init() for every static algo
+# Needed when there are static algos (with static or modular ipsec.o)
+#
+ipsec_alg_static_init.c: $(TOPDIR)/include/linux/autoconf.h Makefile $(makefiles) scripts/mk-static_init.c.sh
+ @echo "Re-creating $@"
+ $(SHELL) scripts/mk-static_init.c.sh $(static_init-func-y) > $@
+
+clean:
+ @for i in $(ALG_SUBDIRS);do test -d $$i && make -C $$i clean;done;exit 0
+ @find . -type l -exec rm -f {} \;
+ -rm -f perlasm
+ -rm -rf $(ALG_SUBDIRS)
+ -rm -f *.o ipsec_alg_static_init.c
+
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_1des linux-patched/net/ipsec/alg/Makefile.alg_1des
--- linux/net/ipsec/alg/Makefile.alg_1des Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_1des Fri Mar 28 13:56:19 2003
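Review bot: `makefiles=$(wildcard Makefile.alg_*)` followed by `include $(makefiles)` pulls in every file whose name starts with `Makefile.alg_`, which in a tree produced by applying patches includes any `.orig`, `.rej` or editor backup copy left beside a fragment. Each included fragment appends to `obj-*`, `static_init-func-*` and `ALG_SUBDIRS`, so a stray copy can add duplicate rules, alter which algorithms are linked in, and extend what `-rm -rf $(ALG_SUBDIRS)` deletes in `clean`. Filtering the list keeps the set of fragments deliberate: `makefiles=$(filter-out %~ %.orig %.rej,$(wildcard Makefile.alg_*))`. The `clean` recipe should also invoke `$(MAKE) -C $$i clean` in place of bare `make` so the sub-make inherits the caller's flags.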
@@ -0,0 +1,20 @@
+MOD_1DES += ipsec_1des.o
+
+ALG_MODULES += $(MOD_1DES)
+ALG_SUBDIRS += libdes
+
+obj-$(CONFIG_IPSEC_ALG_1DES) += $(MOD_1DES)
+static_init-func-$(CONFIG_IPSEC_ALG_1DES)+= ipsec_1des_init
+alg_obj-$(CONFIG_IPSEC_ALG_1DES) += ipsec_alg_1des.o
+
+DES_1DES_OBJS=ipsec_alg_1des.o ../libdes/libdes.a
+
+$(MOD_1DES): $(DES_1DES_OBJS)
+ $(LD) -r $(DES_1DES_OBJS) -o $@
+
+# avoid multiple rules for libdes.a
+ifeq ($(LIBDES),)
+LIBDES:=../libdes/libdes.a
+$(LIBDES):
+ $(MAKE) -C .. libdes/libdes.a
+endif
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_3des linux-patched/net/ipsec/alg/Makefile.alg_3des
--- linux/net/ipsec/alg/Makefile.alg_3des Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_3des Fri Mar 28 13:56:19 2003
@@ -0,0 +1,20 @@
+MOD_3DES += ipsec_3des.o
+
+ALG_MODULES += $(MOD_3DES)
+ALG_SUBDIRS += libdes
+
+obj-$(CONFIG_IPSEC_ALG_3DES) += $(MOD_3DES)
+static_init-func-$(CONFIG_IPSEC_ALG_3DES)+= ipsec_3des_init
+alg_obj-$(CONFIG_IPSEC_ALG_3DES) += ipsec_alg_3des.o
+
+DES_3DES_OBJS=ipsec_alg_3des.o ../libdes/libdes.a
+
+$(MOD_3DES): $(DES_3DES_OBJS)
+ $(LD) -r $(DES_3DES_OBJS) -o $@
+
+# avoid multiple rules for libdes.a
+ifeq ($(LIBDES),)
+LIBDES:=../libdes/libdes.a
+$(LIBDES):
+ $(MAKE) -C .. libdes/libdes.a
+endif
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_aes linux-patched/net/ipsec/alg/Makefile.alg_aes
--- linux/net/ipsec/alg/Makefile.alg_aes Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_aes Thu Sep 5 04:38:06 2002
@@ -0,0 +1,23 @@
+MOD_AES := ipsec_aes.o
+
+ALG_MODULES += $(MOD_AES)
+ALG_SUBDIRS += libaes
+
+obj-$(CONFIG_IPSEC_ALG_AES) += $(MOD_AES)
+static_init-func-$(CONFIG_IPSEC_ALG_AES)+= ipsec_aes_init
+alg_obj-$(CONFIG_IPSEC_ALG_AES) += ipsec_alg_aes.o
+
+AES_OBJS := ipsec_alg_aes.o libaes/libaes.a
+
+$(MOD_AES): libaes $(AES_OBJS)
+ $(LD) $(EXTRA_LDFLAGS) -r $(AES_OBJS) -o $@
+
+libaes: $(LIBCRYPTO)/libaes
+ test -d $@ || mkdir $@ ;exit 0
+ test -d $@/asm || mkdir $@/asm;exit 0
+ cd $@ && ln -sf $?/Makefile $?/*.[chS] .
+ cd $@/asm && ln -sf $?/asm/*.S .
+
+libaes/libaes.a: libaes
+ ( cd libaes && \
+ $(MAKE) CC='$(CC)' 'ARCH_ASM=$(ARCH_ASM)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libaes.a ;)
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_blowfish linux-patched/net/ipsec/alg/Makefile.alg_blowfish
--- linux/net/ipsec/alg/Makefile.alg_blowfish Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_blowfish Thu Sep 5 04:39:46 2002
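Review bot: The two `test -d ... || mkdir ... ;exit 0` recipe lines in the `libaes` rule force a zero exit status, so a failed `mkdir` is reported only indirectly, when the following `cd $@ && ln -sf ...` line fails. A single `mkdir -p $@/asm` without the `exit 0` creates both directories and lets make stop at the real error. The same recipe is repeated in Makefile.alg_blowfish, Makefile.alg_cast, Makefile.alg_md5, Makefile.alg_serpent, Makefile.alg_sha1, Makefile.alg_sha2 and Makefile.alg_twofish.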
@@ -0,0 +1,23 @@
+MOD_BLOWFISH := ipsec_blowfish.o
+
+ALG_MODULES += $(MOD_BLOWFISH)
+ALG_SUBDIRS += libblowfish
+
+obj-$(CONFIG_IPSEC_ALG_BLOWFISH) += $(MOD_BLOWFISH)
+static_init-func-$(CONFIG_IPSEC_ALG_BLOWFISH)+= ipsec_blowfish_init
+alg_obj-$(CONFIG_IPSEC_ALG_BLOWFISH) += ipsec_alg_blowfish.o
+
+BLOWFISH_OBJS:= ipsec_alg_blowfish.o libblowfish/libblowfish.a
+
+$(MOD_BLOWFISH): libblowfish $(BLOWFISH_OBJS)
+ $(LD) -r $(BLOWFISH_OBJS) -o $@
+
+libblowfish : $(LIBCRYPTO)/libblowfish
+ test -d $@ || mkdir $@ ;exit 0
+ test -d $@/asm || mkdir $@/asm;exit 0
+ cd $@ && ln -sf $?/Makefile $?/*.[chS] .
+ cd $@/asm && ln -sf $?/asm/*.pl .
+
+libblowfish/libblowfish.a:
+ ( cd libblowfish && \
+ $(MAKE) CC='$(CC)' 'ARCH_ASM=$(ARCH_ASM)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libblowfish.a ;)
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_cast linux-patched/net/ipsec/alg/Makefile.alg_cast
--- linux/net/ipsec/alg/Makefile.alg_cast Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_cast Thu Sep 5 04:48:04 2002
@@ -0,0 +1,23 @@
+MOD_CAST := ipsec_cast.o
+
+ALG_MODULES += $(MOD_CAST)
+ALG_SUBDIRS += libcast
+
+obj-$(CONFIG_IPSEC_ALG_CAST) += $(MOD_CAST)
+static_init-func-$(CONFIG_IPSEC_ALG_CAST)+= ipsec_cast_init
+alg_obj-$(CONFIG_IPSEC_ALG_CAST) += ipsec_alg_cast.o
+
+CAST_OBJS := ipsec_alg_cast.o libcast/libcast.a
+
+$(MOD_CAST): libcast $(CAST_OBJS)
+ $(LD) -r $(CAST_OBJS) -o $@
+
+libcast : $(LIBCRYPTO)/libcast
+ test -d $@ || mkdir $@ ;exit 0
+ test -d $@/asm || mkdir $@/asm;exit 0
+ cd $@ && ln -sf $?/Makefile $?/*.[chS] .
+ cd $@/asm && ln -sf $?/asm/*.pl .
+
+libcast/libcast.a:
+ ( cd libcast && \
+ $(MAKE) CC='$(CC)' 'ARCH_ASM=$(ARCH_ASM)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libcast.a ;)
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_cryptoapi linux-patched/net/ipsec/alg/Makefile.alg_cryptoapi
--- linux/net/ipsec/alg/Makefile.alg_cryptoapi Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_cryptoapi Fri Feb 7 14:39:36 2003
@@ -0,0 +1,11 @@
+MOD_CRYPTOAPI := ipsec_cryptoapi.o
+
+ALG_MODULES += $(MOD_CRYPTOAPI)
+
+obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
+static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
+alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+
+CRYPTOAPI_OBJS := ipsec_alg_cryptoapi.o
+$(MOD_CRYPTOAPI): $(CRYPTOAPI_OBJS)
+ $(LD) -r $(CRYPTOAPI_OBJS) -o $@
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_md5 linux-patched/net/ipsec/alg/Makefile.alg_md5
--- linux/net/ipsec/alg/Makefile.alg_md5 Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_md5 Thu Sep 5 04:31:27 2002
@@ -0,0 +1,23 @@
+MOD_MD5 := ipsec_md5.o
+
+ALG_MODULES += $(MOD_MD5)
+ALG_SUBDIRS += libmd5
+
+obj-$(CONFIG_IPSEC_ALG_MD5) += $(MOD_MD5)
+static_init-func-$(CONFIG_IPSEC_ALG_MD5)+= ipsec_md5_init
+alg_obj-$(CONFIG_IPSEC_ALG_MD5) += ipsec_alg_md5.o
+
+MD5_OBJS :=ipsec_alg_md5.o libmd5/libmd5.a
+
+$(MOD_MD5): libmd5 $(MD5_OBJS)
+ $(LD) $(EXTRA_LDFLAGS) -r $(MD5_OBJS) -o $@
+
+libmd5 : $(LIBCRYPTO)/libmd5
+ test -d $@ || mkdir $@ ;exit 0
+ test -d $@/asm || mkdir $@/asm;exit 0
+ cd $@ && ln -sf $?/Makefile $?/*.[chS] .
+ cd $@/asm && ln -sf $?/asm/*.pl .
+
+libmd5/libmd5.a:
+ ( cd libmd5 && \
+ $(MAKE) CC='$(CC)' 'ARCH_ASM=$(ARCH_ASM)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libmd5.a ;)
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_null linux-patched/net/ipsec/alg/Makefile.alg_null
--- linux/net/ipsec/alg/Makefile.alg_null Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_null Thu Sep 5 04:49:06 2002
@@ -0,0 +1,13 @@
+MOD_NULL := ipsec_null.o
+
+ALG_MODULES += $(MOD_NULL)
+ALG_SUBDIRS +=
+
+obj-$(CONFIG_IPSEC_ALG_NULL) += ipsec_null.o
+static_init-func-$(CONFIG_IPSEC_ALG_NULL)+= ipsec_null_init
+alg_obj-$(CONFIG_IPSEC_ALG_NULL) += ipsec_alg_null.o
+
+NULL_OBJS=ipsec_alg_null.o
+ipsec_null.o: $(NULL_OBJS)
+ $(LD) -r $(NULL_OBJS) -o $@
+
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_serpent linux-patched/net/ipsec/alg/Makefile.alg_serpent
--- linux/net/ipsec/alg/Makefile.alg_serpent Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_serpent Thu Sep 5 04:43:55 2002
@@ -0,0 +1,21 @@
+MOD_SERPENT := ipsec_serpent.o
+
+ALG_MODULES += $(MOD_SERPENT)
+ALG_SUBDIRS += libserpent
+
+obj-$(CONFIG_IPSEC_ALG_SERPENT) += $(MOD_SERPENT)
+static_init-func-$(CONFIG_IPSEC_ALG_SERPENT)+= ipsec_serpent_init
+alg_obj-$(CONFIG_IPSEC_ALG_SERPENT) += ipsec_alg_serpent.o
+
+SERPENT_OBJS=ipsec_alg_serpent.o libserpent/libserpent.a
+$(MOD_SERPENT) : libserpent $(SERPENT_OBJS)
+ $(LD) -r $(SERPENT_OBJS) -o $@
+
+libserpent : $(LIBCRYPTO)/libserpent
+ test -d $@ || mkdir $@ ;exit 0
+ test -d $@/asm || mkdir $@/asm;exit 0
+ cd $@ && ln -sf $?/Makefile $?/*.[chS] .
+
+libserpent/libserpent.a:
+ ( cd libserpent && \
+ $(MAKE) CC='$(CC)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libserpent.a ;)
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_sha1 linux-patched/net/ipsec/alg/Makefile.alg_sha1
--- linux/net/ipsec/alg/Makefile.alg_sha1 Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_sha1 Thu Sep 5 04:34:24 2002
@@ -0,0 +1,23 @@
+MOD_SHA1 := ipsec_sha1.o
+
+ALG_MODULES += $(MOD_SHA1)
+ALG_SUBDIRS += libsha1
+
+obj-$(CONFIG_IPSEC_ALG_SHA1) += $(MOD_SHA1)
+static_init-func-$(CONFIG_IPSEC_ALG_SHA1)+= ipsec_sha1_init
+alg_obj-$(CONFIG_IPSEC_ALG_SHA1) += ipsec_alg_sha1.o
+
+SHA1_OBJS :=ipsec_alg_sha1.o libsha1/libsha1.a
+
+$(MOD_SHA1): libsha1 $(SHA1_OBJS)
+ $(LD) $(EXTRA_LDFLAGS) -r $(SHA1_OBJS) -o $@
+
+libsha1 : $(LIBCRYPTO)/libsha1
+ test -d $@ || mkdir $@ ;exit 0
+ test -d $@/asm || mkdir $@/asm;exit 0
+ cd $@ && ln -sf $?/Makefile $?/*.[chS] .
+ cd $@/asm && ln -sf $?/asm/*.pl .
+
+libsha1/libsha1.a:
+ ( cd libsha1 && \
+ $(MAKE) CC='$(CC)' 'ARCH_ASM=$(ARCH_ASM)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libsha1.a ;)
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_sha2 linux-patched/net/ipsec/alg/Makefile.alg_sha2
--- linux/net/ipsec/alg/Makefile.alg_sha2 Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_sha2 Thu Sep 5 04:34:24 2002
@@ -0,0 +1,22 @@
+MOD_SHA2 := ipsec_sha2.o
+
+ALG_MODULES += $(MOD_SHA2)
+ALG_SUBDIRS += libsha2
+
+obj-$(CONFIG_IPSEC_ALG_SHA2) += $(MOD_SHA2)
+static_init-func-$(CONFIG_IPSEC_ALG_SHA2)+= ipsec_sha2_init
+alg_obj-$(CONFIG_IPSEC_ALG_SHA2) += ipsec_alg_sha2.o
+
+SHA2_OBJS := ipsec_alg_sha2.o libsha2/libsha2.a
+
+$(MOD_SHA2): libsha2 $(SHA2_OBJS)
+ $(LD) $(EXTRA_LDFLAGS) -r $(SHA2_OBJS) -o $@
+
+libsha2 : $(LIBCRYPTO)/libsha2
+ test -d $@ || mkdir $@ ;exit 0
+ test -d $@/asm || mkdir $@/asm;exit 0
+ cd $@ && ln -sf $?/Makefile $?/*.[chS] .
+
+libsha2/libsha2.a:
+ ( cd libsha2 && \
+ $(MAKE) CC='$(CC)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libsha2.a ;)
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/Makefile.alg_twofish linux-patched/net/ipsec/alg/Makefile.alg_twofish
--- linux/net/ipsec/alg/Makefile.alg_twofish Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/Makefile.alg_twofish Thu Sep 5 04:41:17 2002
@@ -0,0 +1,21 @@
+MOD_TWOFISH := ipsec_twofish.o
+
+ALG_MODULES += $(MOD_TWOFISH)
+ALG_SUBDIRS += libtwofish
+
+obj-$(CONFIG_IPSEC_ALG_TWOFISH) += $(MOD_TWOFISH)
+static_init-func-$(CONFIG_IPSEC_ALG_TWOFISH)+= ipsec_twofish_init
+alg_obj-$(CONFIG_IPSEC_ALG_TWOFISH) += ipsec_alg_twofish.o
+
+TWOFISH_OBJS := ipsec_alg_twofish.o libtwofish/libtwofish.a
+$(MOD_TWOFISH): libtwofish $(TWOFISH_OBJS)
+ $(LD) -r $(TWOFISH_OBJS) -o $@
+
+libtwofish : $(LIBCRYPTO)/libtwofish
+ test -d $@ || mkdir $@ ;exit 0
+ test -d $@/asm || mkdir $@/asm;exit 0
+ cd $@ && ln -sf $?/Makefile $?/*.[chS] .
+
+libtwofish/libtwofish.a:
+ ( cd libtwofish && \
+ $(MAKE) CC='$(CC)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libtwofish.a ;)
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_1des.c linux-patched/net/ipsec/alg/ipsec_alg_1des.c
--- linux/net/ipsec/alg/ipsec_alg_1des.c Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/ipsec_alg_1des.c Mon Mar 17 11:50:43 2003
@@ -0,0 +1,161 @@ +/* + * ipsec_alg 1DES cipher + * + * Author: JuanJo Ciarlante + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_1DES +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +#include +#include +#include "ipsec_param.h" +#include "ipsec_sa.h" +#include "ipsec_alg.h" +#include "../libdes/des.h" + +MODULE_AUTHOR("JuanJo Ciarlante "); +static int I_know_des_is_insecure=0; +MODULE_PARM(I_know_des_is_insecure, "i"); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); +static int esp_id=0; +MODULE_PARM(esp_id, "i"); + +#define ESP_DES 2 + +#define ESP_DES_CBC_BLKLEN 8 /* 64 bit blocks */ +#define ESP_DES_KEY_SZ 8 /* 56 bits keylen :P */ + +struct des1_eks{ + des_key_schedule ctx[1]; +}; +static int _1des_set_key(struct ipsec_alg_enc *alg,__u8 *key_e, const __u8 * key, size_t keysize) { + des_key_schedule *ctx=((struct des1_eks*)key_e)->ctx; + int error; + if (debug > 0) + printk(KERN_DEBUG "klips_debug: _1des_set_key: " + "key_e=%p key=%p keysize=%d\n", + key_e, key, 
keysize); + if (!I_know_des_is_insecure) + printk(KERN_WARNING "You should NOT use 1DES except for testing purposes !\n"); + des_set_odd_parity((des_cblock *)key); + error = des_set_key((des_cblock *)key, ctx[0]); + if (debug > 0) + printk(KERN_DEBUG "klips_debug:des_set_key:" + "ctx[%d]=%p, error=%d \n", + 0, ctx[0], error); + if (error == -1) + printk("klips_debug: _1des_set_key: " + "parity error in 1des key\n"); + else if (error == -2) + printk("klips_debug: _1des_set_key: " + "illegal weak 1des key \n"); + if (error) + return error; + return 0; +} +void des_cbc_encrypt(des_cblock *input, des_cblock *output, + long length, des_key_schedule ks, + des_cblock *ivec, int enc); + +static int _1des_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) { + char iv_buf[ESP_DES_CBC_BLKLEN]; + des_key_schedule *ctx=((struct des1_eks*)key_e)->ctx; + *((__u32*)&(iv_buf)) = ((__u32*)(iv))[0]; + *((__u32*)&(iv_buf)+1) = ((__u32*)(iv))[1]; + if (debug > 1) { + printk(KERN_DEBUG "klips_debug:_1des_cbc_encrypt:" + "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n", + ctx, in, ilen, iv, encrypt); + } + des_cbc_encrypt((des_cblock*) in, (des_cblock*) in, ilen, ctx[0], (des_cblock *)iv_buf, encrypt); + return ilen; +} +static struct ipsec_alg_enc ipsec_alg_1DES = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_name: "1des", + ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT, + ixt_alg_id: ESP_DES, + ixt_blocksize: ESP_DES_CBC_BLKLEN, + ixt_keyminbits: ESP_DES_KEY_SZ*7, /* 7bits key+1bit parity */ + ixt_keymaxbits: ESP_DES_KEY_SZ*7, /* 7bits key+1bit parity */ + ixt_e_keylen: ESP_DES_KEY_SZ, + ixt_e_ctx_size: sizeof(struct des1_eks), + ixt_e_set_key: _1des_set_key, + ixt_e_cbc_encrypt:_1des_cbc_encrypt, +}; + +IPSEC_ALG_MODULE_INIT(ipsec_1des_init) +{ + int ret, test_ret; + if (esp_id) + ipsec_alg_1DES.ixt_alg_id=esp_id; + if (excl) ipsec_alg_1DES.ixt_state |= IPSEC_ALG_ST_EXCL; + 
ret=register_ipsec_alg_enc(&ipsec_alg_1DES); + printk("ipsec_1des_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_1DES.ixt_alg_type, + ipsec_alg_1DES.ixt_alg_id, + ipsec_alg_1DES.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_1DES.ixt_alg_type, + ipsec_alg_1DES.ixt_alg_id, + test); + printk("ipsec_1des_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_1DES.ixt_alg_type, + ipsec_alg_1DES.ixt_alg_id, + test_ret); + } + if (!I_know_des_is_insecure) + printk(KERN_WARNING "You should NOT load 1DES support except for testing purposes !\n"); + return ret; +} +IPSEC_ALG_MODULE_EXIT(ipsec_1des_fini) +{ + unregister_ipsec_alg_enc(&ipsec_alg_1DES); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_3des.c linux-patched/net/ipsec/alg/ipsec_alg_3des.c --- linux/net/ipsec/alg/ipsec_alg_3des.c Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/alg/ipsec_alg_3des.c Fri Feb 7 13:14:25 2003 
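Review bot: `_1des_set_key` never checks `keysize`, so `des_set_odd_parity` and `des_set_key` always touch 8 bytes of `key`, whatever length the caller passed. Whether the caller has already compared the length with `ixt_e_keylen` cannot be seen from this hunk, so a local guard such as `if (keysize != ESP_DES_KEY_SZ) return -EINVAL;` at the top of the function would remove that dependency. The same function casts away `const` in `des_set_odd_parity((des_cblock *)key)` and so rewrites the caller's key buffer; fixing parity on a local `des_cblock` copy would honour the parameter's qualifier. `_3des_set_key` in ipsec_alg_3des.c repeats both patterns over 24 bytes. Note also that `I_know_des_is_insecure` only silences the two warnings, so the 56-bit cipher is registered whether or not it is set.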
@@ -0,0 +1,160 @@ +/* + * ipsec_alg 3DES cipher + * + * Author: JuanJo Ciarlante + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_3DES +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +#include +#include +#include "ipsec_param.h" +#include "ipsec_sa.h" +#include "ipsec_alg.h" +#include "../libdes/des.h" + +MODULE_AUTHOR("JuanJo Ciarlante "); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); +static int esp_id=0; +MODULE_PARM(esp_id, "i"); + +#define ESP_3DES 3 + +#define ESP_3DES_CBC_BLKLEN 8 /* 64 bit blocks */ +#define ESP_DES_KEY_SZ 8 +#define ESP_3DES_KEY_SZ 8*3 /* 3DES */ + +struct des3_eks{ + des_key_schedule ctx[3]; +}; +static int _3des_set_key(struct ipsec_alg_enc *alg,__u8 *key_e, const __u8 * key, size_t keysize) { + des_key_schedule *ctx=((struct des3_eks*)key_e)->ctx; + int i, error; + if (debug > 0) + printk(KERN_DEBUG "klips_debug: _3des_set_key: " + "key_e=%p key=%p keysize=%d\n", + key_e, key, keysize); + for(i = 0; i < 3; i++) { + 
des_set_odd_parity((des_cblock *)(key+ESP_DES_KEY_SZ * i)); + error = des_set_key((des_cblock *)(key+ESP_DES_KEY_SZ * i), + ctx[i]); + if (debug > 0) + printk(KERN_DEBUG "klips_debug:des_set_key:" + "ctx[%d]=%p, error=%d \n", + i, ctx[i], error); + if (error == -1) + printk("klips_debug: _3des_set_key: " + "parity error in des key %d/3\n", + i + 1); + else if (error == -2) + printk("klips_debug: _3des_set_key: " + "illegal weak des key %d/3\n", i + 1); + if (error) + return error; + } + return 0; +} +void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, + long length, des_key_schedule ks1, des_key_schedule ks2, + des_key_schedule ks3, des_cblock *ivec, int enc); + +static int _3des_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) { + char iv_buf[ESP_3DES_CBC_BLKLEN]; + des_key_schedule *ctx=((struct des3_eks*)key_e)->ctx; + *((__u32*)&(iv_buf)) = ((__u32*)(iv))[0]; + *((__u32*)&(iv_buf)+1) = ((__u32*)(iv))[1]; + if (debug > 1) { + printk(KERN_DEBUG "klips_debug:_3des_cbc_encrypt:" + "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n", + ctx, in, ilen, iv, encrypt); + } + des_ede3_cbc_encrypt((des_cblock*) in, (des_cblock*) in, ilen, ctx[0], ctx[1], ctx[2], (des_cblock *)iv_buf, encrypt); + return ilen; +} +static struct ipsec_alg_enc ipsec_alg_3DES = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_name: "3des", + ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT, + ixt_alg_id: ESP_3DES, + ixt_blocksize: ESP_3DES_CBC_BLKLEN, + ixt_keyminbits: ESP_3DES_KEY_SZ*7, /* 7bits key+1bit parity */ + ixt_keymaxbits: ESP_3DES_KEY_SZ*7, /* 7bits key+1bit parity */ + ixt_e_keylen: ESP_3DES_KEY_SZ, + ixt_e_ctx_size: sizeof(struct des3_eks), + ixt_e_set_key: _3des_set_key, + ixt_e_cbc_encrypt:_3des_cbc_encrypt, +}; + +IPSEC_ALG_MODULE_INIT(ipsec_3des_init) +{ + int ret, test_ret; + if (esp_id) + ipsec_alg_3DES.ixt_alg_id=esp_id; + if (excl) ipsec_alg_3DES.ixt_state |= IPSEC_ALG_ST_EXCL; 
+ ret=register_ipsec_alg_enc(&ipsec_alg_3DES); + printk("ipsec_3des_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_3DES.ixt_alg_type, + ipsec_alg_3DES.ixt_alg_id, + ipsec_alg_3DES.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_3DES.ixt_alg_type, + ipsec_alg_3DES.ixt_alg_id, + test); + printk("ipsec_3des_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_3DES.ixt_alg_type, + ipsec_alg_3DES.ixt_alg_id, + test_ret); + } + return ret; +} +IPSEC_ALG_MODULE_EXIT(ipsec_3des_fini) +{ + unregister_ipsec_alg_enc(&ipsec_alg_3DES); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_aes.c linux-patched/net/ipsec/alg/ipsec_alg_aes.c --- linux/net/ipsec/alg/ipsec_alg_aes.c Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/alg/ipsec_alg_aes.c Fri Feb 7 13:14:25 2003 
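Review bot: `_3des_set_key` checks each 8-byte subkey for parity and weak-key errors but never compares the subkeys with each other, so a key with K1 == K2 or K2 == K3 is accepted and the EDE construction reduces to single DES. RFC 2451 asks implementations to reject such keys. After the loop, a test such as `if (!memcmp(key, key+ESP_DES_KEY_SZ, ESP_DES_KEY_SZ) || !memcmp(key+ESP_DES_KEY_SZ, key+2*ESP_DES_KEY_SZ, ESP_DES_KEY_SZ)) return -EINVAL;` would cover it. The constant is also safer written as `#define ESP_3DES_KEY_SZ (8*3)`, since the unparenthesised form gives the right value in `ESP_3DES_KEY_SZ*7` only because both operators are multiplications.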
@@ -0,0 +1,253 @@ +/* + * ipsec_alg AES cipher stubs + * + * Author: JuanJo Ciarlante + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * Fixes by: + * PK: Pawel Krawczyk + * Fixes list: + * PK: make XCBC comply with latest draft (keylength) + * + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_AES +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +/* Low freeswan header coupling */ +#include "ipsec_alg.h" +#include "libaes/aes_cbc.h" + +#define CONFIG_IPSEC_ALG_AES_MAC 1 + +#define AES_CONTEXT_T aes_context +MODULE_AUTHOR("JuanJo Ciarlante "); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); +static int keyminbits=0; +MODULE_PARM(keyminbits, "i"); +static int keymaxbits=0; +MODULE_PARM(keymaxbits, "i"); + +#if CONFIG_IPSEC_ALG_AES_MAC +#include "libaes/aes_xcbc_mac.h" + +/* + * Not IANA number yet (draft-ietf-ipsec-ciph-aes-xcbc-mac-00.txt). + * We use 9 for non-modular algorithm and none for modular, thus + * forcing user to specify one on module load. 
-kravietz + */ +#ifdef MODULE +static int auth_id=0; +#else +static int auth_id=9; +#endif +MODULE_PARM(auth_id, "i"); +#endif + +#define ESP_AES 12 /* truely _constant_ :) */ + +/* 128, 192 or 256 */ +#define ESP_AES_KEY_SZ_MIN 16 /* 128 bit secret key */ +#define ESP_AES_KEY_SZ_MAX 32 /* 256 bit secret key */ +#define ESP_AES_CBC_BLK_LEN 16 /* AES-CBC block size */ + +/* Values according to draft-ietf-ipsec-ciph-aes-xcbc-mac-02.txt + * -kravietz + */ +#define ESP_AES_MAC_KEY_SZ 16 /* 128 bit MAC key */ +#define ESP_AES_MAC_BLK_LEN 16 /* 128 bit block */ + +static int _aes_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) { + int ret; + AES_CONTEXT_T *ctx=(AES_CONTEXT_T*)key_e; + ret=AES_set_key(ctx, key, keysize)!=0? 0: -EINVAL; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_aes_set_key:" + "ret=%d key_e=%p key=%p keysize=%d\n", + ret, key_e, key, keysize); + return ret; +} +static int _aes_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) { + AES_CONTEXT_T *ctx=(AES_CONTEXT_T*)key_e; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_aes_cbc_encrypt:" + "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n", + key_e, in, ilen, iv, encrypt); + return AES_cbc_encrypt(ctx, in, in, ilen, iv, encrypt); +} +#if CONFIG_IPSEC_ALG_AES_MAC +static int _aes_mac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) { + aes_context_mac *ctxm=(aes_context_mac *)key_a; + return AES_xcbc_mac_set_key(ctxm, key, keylen)? 
0 : -EINVAL; +} +static int _aes_mac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) { + int ret; + char hash_buf[16]; + aes_context_mac *ctxm=(aes_context_mac *)key_a; + ret=AES_xcbc_mac_hash(ctxm, dat, len, hash_buf); + memcpy(hash, hash_buf, hashlen); + return ret; +} +static struct ipsec_alg_auth ipsec_alg_AES_MAC = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_alg_type: IPSEC_ALG_TYPE_AUTH, + ixt_alg_id: 0, + ixt_name: "aes_mac", + ixt_blocksize: ESP_AES_MAC_BLK_LEN, + ixt_keyminbits: ESP_AES_MAC_KEY_SZ*8, + ixt_keymaxbits: ESP_AES_MAC_KEY_SZ*8, + ixt_a_keylen: ESP_AES_MAC_KEY_SZ, + ixt_a_ctx_size: sizeof(aes_context_mac), + ixt_a_hmac_set_key: _aes_mac_set_key, + ixt_a_hmac_hash:_aes_mac_hash, +}; +#endif /* CONFIG_IPSEC_ALG_AES_MAC */ +static struct ipsec_alg_enc ipsec_alg_AES = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT, + ixt_alg_id: ESP_AES, + ixt_name: "aes", + ixt_blocksize: ESP_AES_CBC_BLK_LEN, + ixt_keyminbits: ESP_AES_KEY_SZ_MIN*8, + ixt_keymaxbits: ESP_AES_KEY_SZ_MAX*8, + ixt_e_keylen: ESP_AES_KEY_SZ_MAX, + ixt_e_ctx_size: sizeof(AES_CONTEXT_T), + ixt_e_set_key: _aes_set_key, + ixt_e_cbc_encrypt:_aes_cbc_encrypt, +}; + +IPSEC_ALG_MODULE_INIT( ipsec_aes_init ) +{ + int ret, test_ret; + if (keyminbits) + ipsec_alg_AES.ixt_keyminbits=keyminbits; + if (keymaxbits) { + ipsec_alg_AES.ixt_keymaxbits=keymaxbits; + if (keymaxbits*8>ipsec_alg_AES.ixt_keymaxbits) + ipsec_alg_AES.ixt_e_keylen=keymaxbits*8; + } + if (excl) ipsec_alg_AES.ixt_state |= IPSEC_ALG_ST_EXCL; + ret=register_ipsec_alg_enc(&ipsec_alg_AES); + printk("ipsec_aes_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_AES.ixt_alg_type, + ipsec_alg_AES.ixt_alg_id, + ipsec_alg_AES.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_AES.ixt_alg_type, + 
ipsec_alg_AES.ixt_alg_id, + test); + printk("ipsec_aes_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_AES.ixt_alg_type, + ipsec_alg_AES.ixt_alg_id, + test_ret); + } +#if CONFIG_IPSEC_ALG_AES_MAC + if (auth_id!=0){ + int ret; + ipsec_alg_AES_MAC.ixt_alg_id=auth_id; + ret=register_ipsec_alg_auth(&ipsec_alg_AES_MAC); + printk("ipsec_aes_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_AES_MAC.ixt_alg_type, + ipsec_alg_AES_MAC.ixt_alg_id, + ipsec_alg_AES_MAC.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_AES_MAC.ixt_alg_type, + ipsec_alg_AES_MAC.ixt_alg_id, + test); + printk("ipsec_aes_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_AES_MAC.ixt_alg_type, + ipsec_alg_AES_MAC.ixt_alg_id, + test_ret); + } + } else { + printk(KERN_DEBUG "klips_debug: experimental ipsec_alg_AES_MAC not registered [Ok] (auth_id=%d)\n", auth_id); + } +#endif /* CONFIG_IPSEC_ALG_AES_MAC */ + return ret; +} +IPSEC_ALG_MODULE_EXIT( ipsec_aes_fini ) +{ +#if CONFIG_IPSEC_ALG_AES_MAC + if (auth_id) unregister_ipsec_alg_auth(&ipsec_alg_AES_MAC); +#endif /* CONFIG_IPSEC_ALG_AES_MAC */ + unregister_ipsec_alg_enc(&ipsec_alg_AES); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif + +#if 0+NOT_YET +#ifndef MODULE +/* + * This is intended for static module setups, currently + * doesn't work for modular ipsec.o with static algos inside + */ +static int setup_keybits(const char *str) +{ + unsigned aux; + char *end; + + aux = simple_strtoul(str,&end,0); + if (aux != 128 && aux != 192 && aux != 256) + return 0; + keyminbits = aux; + + if (*end == 0 || *end != ',') + return 1; + str=end+1; + aux = simple_strtoul(str, NULL, 0); + if (aux != 128 && aux != 192 && aux != 256) + return 0; + if (aux >= keyminbits) + keymaxbits = aux; + return 1; +} +__setup("ipsec_aes_keybits=", setup_keybits); +#endif +#endif +EXPORT_NO_SYMBOLS; diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' 
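Review bot: `_aes_mac_hash` copies `hashlen` bytes out of the 16-byte stack buffer `hash_buf` without bounding `hashlen`, so a caller asking for more than 16 bytes would make `memcpy(hash, hash_buf, hashlen)` read past the buffer into adjacent stack memory; the callers are not visible in this hunk. A guard before the hash call, `if (hashlen < 0 || hashlen > (int)sizeof(hash_buf)) return -EINVAL;`, keeps the copy inside the MAC output. In `ipsec_aes_init` the inner `int ret;` in the `auth_id` branch shadows the outer one, so a failed `register_ipsec_alg_auth` is not reflected in the return value, and `ipsec_aes_fini` still calls `unregister_ipsec_alg_auth` whenever `auth_id` is set.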
linux/net/ipsec/alg/ipsec_alg_blowfish.c linux-patched/net/ipsec/alg/ipsec_alg_blowfish.c
--- linux/net/ipsec/alg/ipsec_alg_blowfish.c Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/ipsec_alg_blowfish.c Thu May 8 14:48:39 2003
@@ -0,0 +1,143 @@ +/* + * ipsec_alg BLOWFISH cipher stubs + * + * Author: JuanJo Ciarlante + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_BLOWFISH +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +/* Low freeswan header coupling */ +#include "ipsec_alg.h" +#include "libblowfish/blowfish.h" +#define blowfish_context BF_KEY + +#define ESP_BLOWFISH 7 /* truely _constant_ :) */ + +#define ESP_BLOWFISH_KEY_SZ_MIN 12 /* 96 bit secret key min */ +#define ESP_BLOWFISH_KEY_SZ 16 /* 128 bit secret key */ +#define ESP_BLOWFISH_KEY_SZ_MAX 56 /* 448 bit secret key */ +#define ESP_BLOWFISH_CBC_BLK_LEN 8 /* block size */ + +MODULE_AUTHOR("JuanJo Ciarlante "); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); +static int keyminbits=0; +MODULE_PARM(keyminbits, "i"); +static int keymaxbits=0; +MODULE_PARM(keymaxbits, "i"); + +static int _blowfish_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) { + blowfish_context *ctx=(blowfish_context*)key_e; + if 
(debug > 0) + printk(KERN_DEBUG "klips_debug:_blowfish_set_key:" + "key_e=%p key=%p keysize=%d\n", + key_e, key, keysize); + BF_set_key(ctx, keysize, (unsigned char *)key); + return 0; +} +static int _blowfish_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 *iv, int encrypt) { + /* blowfish toasts passed IV */ + __u8 iv_buf[ESP_BLOWFISH_CBC_BLK_LEN]; + blowfish_context *ctx=(blowfish_context*)key_e; + *((__u32*)&(iv_buf)) = ((__u32*)(iv))[0]; + *((__u32*)&(iv_buf)+1) = ((__u32*)(iv))[1]; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_blowfish_cbc_encrypt:" + "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n", + key_e, in, ilen, iv_buf, encrypt); + BF_cbc_encrypt(in, in, ilen, ctx, iv_buf, encrypt); + return ilen; +} +static struct ipsec_alg_enc ipsec_alg_BLOWFISH = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT, + ixt_alg_id: ESP_BLOWFISH, + ixt_name: "blowfish", + ixt_blocksize: ESP_BLOWFISH_CBC_BLK_LEN, + ixt_keyminbits: ESP_BLOWFISH_KEY_SZ_MIN*8, + ixt_keymaxbits: ESP_BLOWFISH_KEY_SZ_MAX*8, + ixt_e_keylen: ESP_BLOWFISH_KEY_SZ, + ixt_e_ctx_size: sizeof(blowfish_context), + ixt_e_set_key: _blowfish_set_key, + ixt_e_cbc_encrypt:_blowfish_cbc_encrypt, +}; + +IPSEC_ALG_MODULE_INIT(ipsec_blowfish_init) +{ + int ret, test_ret; + if (keyminbits) + ipsec_alg_BLOWFISH.ixt_keyminbits=keyminbits; + if (keymaxbits) { + ipsec_alg_BLOWFISH.ixt_keymaxbits=keymaxbits; + if (keymaxbits*8>ipsec_alg_BLOWFISH.ixt_keymaxbits) + ipsec_alg_BLOWFISH.ixt_e_keylen=keymaxbits*8; + } + if (excl) ipsec_alg_BLOWFISH.ixt_state |= IPSEC_ALG_ST_EXCL; + ret=register_ipsec_alg_enc(&ipsec_alg_BLOWFISH); + printk("ipsec_blowfish_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_BLOWFISH.ixt_alg_type, + ipsec_alg_BLOWFISH.ixt_alg_id, + ipsec_alg_BLOWFISH.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_BLOWFISH.ixt_alg_type, + 
ipsec_alg_BLOWFISH.ixt_alg_id, + test); + printk("ipsec_blowfish_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_BLOWFISH.ixt_alg_type, + ipsec_alg_BLOWFISH.ixt_alg_id, + test_ret); + } + return ret; +} +IPSEC_ALG_MODULE_EXIT(ipsec_blowfish_fini) +{ + unregister_ipsec_alg_enc(&ipsec_alg_BLOWFISH); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif + +EXPORT_NO_SYMBOLS; diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_cast.c linux-patched/net/ipsec/alg/ipsec_alg_cast.c --- linux/net/ipsec/alg/ipsec_alg_cast.c Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/alg/ipsec_alg_cast.c Fri Feb 7 13:14:25 2003 
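Review bot: The `keymaxbits` handling in `ipsec_blowfish_init` mixes units. After `ixt_keymaxbits=keymaxbits`, the test `keymaxbits*8>ipsec_alg_BLOWFISH.ixt_keymaxbits` is true for any positive value, and `ixt_e_keylen`, which the initialiser sets in bytes (`ESP_BLOWFISH_KEY_SZ`), is then overwritten with `keymaxbits*8`. The intent looks like `ixt_e_keylen=keymaxbits/8;`. Both module parameters should also be range-checked against `ESP_BLOWFISH_KEY_SZ_MIN*8` and `ESP_BLOWFISH_KEY_SZ_MAX*8`, with `keyminbits <= keymaxbits`, before they are stored, because `_blowfish_set_key` hands `keysize` straight to `BF_set_key` and always returns 0. `ipsec_aes_init` in ipsec_alg_aes.c has the same three lines.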
@@ -0,0 +1,144 @@ +/* + * ipsec_alg CAST cipher stubs + * + * Author: JuanJo Ciarlante + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_CAST +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +/* Low freeswan header coupling */ +#include "ipsec_alg.h" +#define cast_context cast_key +#include "libcast/cast.h" + +#define ESP_CAST 6 /* quite constant :) */ + +#define ESP_CAST_KEY_SZ_MIN 5 +#define ESP_CAST_KEY_SZ 16 /* 128 bit secret key */ +#define ESP_CAST_CBC_BLK_LEN 8 /* CAST-CBC block size */ + +MODULE_AUTHOR("JuanJo Ciarlante "); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); +static int keyminbits=0; +MODULE_PARM(keyminbits, "i"); +static int keymaxbits=0; +MODULE_PARM(keymaxbits, "i"); + +#undef cast_context +#define cast_context CAST_KEY +static int _cast_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) { + cast_context *ctx=(cast_context *)key_e; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_cast_set_key:" + "key_e=%p key=%p 
keysize=%d\n", + key_e, key, keysize); + CAST_set_key(ctx, keysize, (u_int8_t *)key); + return 0; +} +static int _cast_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) { + /* cast toasts passed IV */ + __u8 iv_buf[ESP_CAST_CBC_BLK_LEN]; + cast_context *ctx=(cast_context *)key_e; + *((__u32*)&(iv_buf)) = ((__u32*)(iv))[0]; + *((__u32*)&(iv_buf)+1) = ((__u32*)(iv))[1]; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_cast_cbc_encrypt:" + "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n", + key_e, in, ilen, iv, encrypt); + CAST_cbc_encrypt(in, in, ilen, ctx, iv_buf, encrypt); + return ilen; +} +static struct ipsec_alg_enc ipsec_alg_CAST = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT, + ixt_alg_id: ESP_CAST, + ixt_name: "cast", + ixt_blocksize: ESP_CAST_CBC_BLK_LEN, + ixt_keyminbits: ESP_CAST_KEY_SZ_MIN*8, + ixt_keymaxbits: ESP_CAST_KEY_SZ*8, + ixt_e_keylen: ESP_CAST_KEY_SZ, + ixt_e_ctx_size: sizeof(cast_context), + ixt_e_set_key: _cast_set_key, + ixt_e_cbc_encrypt:_cast_cbc_encrypt, +}; + +IPSEC_ALG_MODULE_INIT(ipsec_cast_init) +{ + int ret, test_ret; + if (keyminbits) + ipsec_alg_CAST.ixt_keyminbits=keyminbits; + if (keymaxbits) { + ipsec_alg_CAST.ixt_keymaxbits=keymaxbits; + if (keymaxbits*8>ipsec_alg_CAST.ixt_keymaxbits) + ipsec_alg_CAST.ixt_e_keylen=keymaxbits*8; + } + if (excl) ipsec_alg_CAST.ixt_state |= IPSEC_ALG_ST_EXCL; + ret=register_ipsec_alg_enc(&ipsec_alg_CAST); + printk("ipsec_cast_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_CAST.ixt_alg_type, + ipsec_alg_CAST.ixt_alg_id, + ipsec_alg_CAST.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_CAST.ixt_alg_type, + ipsec_alg_CAST.ixt_alg_id, + test); + printk("ipsec_cast_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_CAST.ixt_alg_type, + ipsec_alg_CAST.ixt_alg_id, + test_ret); + } + return ret; +} 
+IPSEC_ALG_MODULE_EXIT(ipsec_cast_fini) +{ + unregister_ipsec_alg_enc(&ipsec_alg_CAST); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif + +EXPORT_NO_SYMBOLS; diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_cryptoapi.c linux-patched/net/ipsec/alg/ipsec_alg_cryptoapi.c --- linux/net/ipsec/alg/ipsec_alg_cryptoapi.c Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/alg/ipsec_alg_cryptoapi.c Fri Feb 7 14:39:36 2003 
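Review bot: In `ipsec_cast_init` the `keymaxbits` override mixes bits and bytes: `ixt_keymaxbits` is assigned first, so the following test `keymaxbits*8>ipsec_alg_CAST.ixt_keymaxbits` holds for any positive value, and `ixt_e_keylen`, which the initialiser sets in bytes from `ESP_CAST_KEY_SZ`, is then overwritten with `keymaxbits*8`. With `keymaxbits=128` that gives 1024 instead of 16; how the core consumes `ixt_e_keylen` is not visible here, but a length far beyond the cipher's 16-byte key is unlikely to be intended. I would compare against the compiled-in maximum before overwriting it and convert with a division, `ipsec_alg_CAST.ixt_e_keylen=keymaxbits/8;`, and reject `keyminbits`/`keymaxbits` values outside `ESP_CAST_KEY_SZ_MIN*8` to `ESP_CAST_KEY_SZ*8` so a load-time parameter cannot silently lower the accepted key size. The same block appears in `ipsec_serpent_init` and in `ipsec_blowfish_init` earlier on the page.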
@@ -0,0 +1,556 @@ +/* + * ipsec_alg to linux cryptoapi GLUE + * + * Authors: CODE.ar TEAM + * Harpo MAxx + * JuanJo Ciarlante + * Luciano Ruete + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * Example usage: + * modinfo -p ipsec_cryptoapi (quite useful info, including supported algos) + * modprobe ipsec_cryptoapi + * modprobe ipsec_cryptoapi test=1 + * modprobe ipsec_cryptoapi excl=1 (exclusive cipher/algo) + * modprobe ipsec_cryptoapi latebind=1 (defer cipher binding) + * modprobe ipsec_cryptoapi noauto=1 aes=1 twofish=1 (only these ciphers) + * modprobe ipsec_cryptoapi aes=128,128 (force these keylens) + * modprobe ipsec_cryptoapi des_ede3=0 (everything but 3DES) + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_CRYPTOAPI +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +/* warn the innocent */ +#if !defined (CONFIG_CRYPTO) && !defined (CONFIG_CRYPTO_MODULE) +#warning "No linux cryptoapi setup found... you *MUST* install it ! (www.kerneli.org)" +#endif +/* Low freeswan header coupling */ +#include +#include + +#ifndef CRYPTO_API_VERSION_CODE +#error "you *MUST* install linux cryptoapi ! 
(www.kerneli.org)" +#endif +#define ESP_3DES 3 +#define CIPHERNAME_3DES "des_ede3-cbc" + +#define ESP_AES 12 +#define CIPHERNAME_AES "aes-cbc" + +#define ESP_BLOWFISH 7 /* truely _constant_ :) */ +#define CIPHERNAME_BLOWFISH "blowfish-cbc" + +#define ESP_CAST 6 /* quite constant :) */ +#define CIPHERNAME_CAST "cast5-cbc" + +#define ESP_SERPENT 252 /* from ipsec drafts */ +#define CIPHERNAME_SERPENT "serpent-cbc" + +#define ESP_TWOFISH 253 /* from ipsec drafts */ +#define CIPHERNAME_TWOFISH "twofish-cbc" + +#define AH_MD5 2 +#define DIGESTNAME_MD5 "md5" + +#define AH_SHA 3 +#define DIGESTNAME_SHA1 "sha1" + + +#ifdef CONFIG_IPSEC_ALG_NON_LIBRE +#define ESP_MARS 249 /* from ipsec drafts */ +#define CIPHERNAME_MARS "mars-cbc" + +#define ESP_RC6 250 /* from ipsec drafts */ +#define CIPHERNAME_RC6 "rc6-cbc" +#endif /* CONFIG_IPSEC_ALG_NON_LIBRE */ + +MODULE_AUTHOR("CODE.ar team: Harpo MAxx, Juanjo Ciarlante, Luciano Ruete"); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); + +static int noauto = 0; +MODULE_PARM(noauto,"i"); +MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones"); + +static int latebind = 0; +MODULE_PARM(latebind,"i"); +MODULE_PARM_DESC(latebind, "Bind cryptoapi ciphers at SA creation time"); + +static int des_ede3[] = {-1, -1}; +static int aes[] = {-1, -1}; +static int blowfish[] = {-1, -1}; +static int cast[] = {-1, -1}; +static int serpent[] = {-1, -1}; +static int twofish[] = {-1, -1}; +#ifdef CONFIG_IPSEC_ALG_NON_LIBRE +static int mars[] = {-1, -1}; +static int rc6[] = {-1, -1}; +#endif /* CONFIG_IPSEC_ALG_NON_LIBRE */ + +MODULE_PARM(des_ede3,"1-2i"); +MODULE_PARM(aes,"1-2i"); +MODULE_PARM(blowfish,"1-2i"); +MODULE_PARM(cast,"1-2i"); +MODULE_PARM(serpent,"1-2i"); +MODULE_PARM(twofish,"1-2i"); +#ifdef CONFIG_IPSEC_ALG_NON_LIBRE +MODULE_PARM(mars,"1-2i"); +MODULE_PARM(rc6,"1-2i"); +#endif /* CONFIG_IPSEC_ALG_NON_LIBRE */ 
+MODULE_PARM_DESC(des_ede3, "0: disable | 1: force_enable | min,max: dontuse"); +MODULE_PARM_DESC(aes, "0: disable | 1: force_enable | min,max: keybitlens"); +MODULE_PARM_DESC(blowfish, "0: disable | 1: force_enable | min,max: keybitlens"); +MODULE_PARM_DESC(cast, "0: disable | 1: force_enable | min,max: keybitlens"); +MODULE_PARM_DESC(serpent, "0: disable | 1: force_enable | min,max: keybitlens"); +MODULE_PARM_DESC(twofish, "0: disable | 1: force_enable | min,max: keybitlens"); +#ifdef CONFIG_IPSEC_ALG_NON_LIBRE +MODULE_PARM_DESC(mars, "0: disable | 1: force_enable | min,max: keybitlens"); +MODULE_PARM_DESC(rc6, "0: disable | 1: force_enable | min,max: keybitlens"); +#endif /* CONFIG_IPSEC_ALG_NON_LIBRE */ + +struct ipsec_alg_capi_cipher { + const char *ciphername; /* cryptoapi's ciphername */ + int *parm; /* lkm param for this cipher */ + struct cipher_implementation *ci; /* actual ci */ + struct ipsec_alg_enc alg; /* note it's not a pointer */ + atomic_t ci_usecnt; /* ci use count */ +}; +static struct ipsec_alg_capi_cipher alg_capi_carray[] = { + { CIPHERNAME_AES, aes , NULL, { ixt_alg_id: ESP_AES, }}, + { CIPHERNAME_TWOFISH, twofish, NULL, { ixt_alg_id: ESP_TWOFISH, }}, + { CIPHERNAME_SERPENT, serpent, NULL, { ixt_alg_id: ESP_SERPENT, }}, + { CIPHERNAME_CAST, cast , NULL, { ixt_alg_id: ESP_CAST, }}, + { CIPHERNAME_BLOWFISH,blowfish,NULL, { ixt_alg_id: ESP_BLOWFISH, }}, + { CIPHERNAME_3DES, des_ede3,NULL, { ixt_alg_id: ESP_3DES, }}, +#ifdef CONFIG_IPSEC_ALG_NON_LIBRE + { CIPHERNAME_MARS, mars , NULL, { ixt_alg_id: ESP_MARS, }}, + { CIPHERNAME_RC6, rc6 , NULL, { ixt_alg_id: ESP_RC6, }}, +#endif /* CONFIG_IPSEC_ALG_NON_LIBRE */ + { NULL, NULL, NULL, {} } +}; +#ifdef NOT_YET +struct ipsec_alg_capi_digest { + const char *digestname; /* cryptoapi's digestname */ + struct digest_implementation *di; + struct ipsec_alg_auth alg; /* note it's not a pointer */ +}; +static struct ipsec_alg_capi_cipher alg_capi_darray[] = { + { DIGESTNAME_MD5, NULL, { ixt_alg_id: AH_MD5, 
}}, + { DIGESTNAME_SHA1, NULL, { ixt_alg_id: AH_SHA, }}, + { NULL, NULL, {} } +}; +#endif +/* + * "generic" linux cryptoapi setup_cipher() function + */ +static struct cipher_implementation * +setup_cipher (const char *ciphername) +{ + struct cipher_implementation *ci; + /* 1: atomic */ + ci = find_cipher_by_name (ciphername, 1); + if (debug > 0) + printk(KERN_DEBUG "klips_debug:setup_cipher():" + "ciphername=%s ci=%p\n" + , ciphername, ci); + if (!ci) { + printk (KERN_INFO "cipher \"%s\" not found\n", ciphername); + return NULL; + } + return ci; +} + +/* + * map cryptoapi's bitmaps to KLIPS min,max bitlens, + * considering user passed parms for forced bitlens. + * smells quite heuristic ... + */ +static void +setup_keylens(struct ipsec_alg_capi_cipher *cptr, struct cipher_implementation *ci, int *keyminbitsp, int *keymaxbitsp) +{ + struct capi_keysz { + int mask; + int len; + }; + struct capi_keysz *kz; + struct capi_keysz capi_keysz_array[] = { + { CIPHER_KEYSIZE_40 , 40 }, + { CIPHER_KEYSIZE_56 , 56 }, + { CIPHER_KEYSIZE_64 , 64 }, + { CIPHER_KEYSIZE_80 , 80 }, + { CIPHER_KEYSIZE_96 , 96 }, + { CIPHER_KEYSIZE_112 , 112 }, + { CIPHER_KEYSIZE_128 , 128 }, + { CIPHER_KEYSIZE_160 , 160 }, + { CIPHER_KEYSIZE_168 , 168 }, + { CIPHER_KEYSIZE_192 , 192 }, + { CIPHER_KEYSIZE_256 , 256 }, + { 0 , 0 } + }; + if (cptr->parm[0] > 1 && cptr->parm[1] > 1) { + *keyminbitsp=cptr->parm[0]; + *keymaxbitsp=cptr->parm[1]; + } else { + *keyminbitsp=*keymaxbitsp=0; + for (kz=capi_keysz_array; kz->mask; kz++) { + if (kz->mask & ci->key_size_mask) { + if (!*keyminbitsp) *keyminbitsp=kz->len; + *keymaxbitsp=kz->len; + } + } + } +} +/* + * setups ipsec_alg_capi_cipher "hyper" struct components, calling + * register_ipsec_alg for cointaned ipsec_alg object + */ +static void _capi_destroy_key (struct ipsec_alg_enc *alg, __u8 *key_e); +static __u8 * _capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen); +static int _capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * 
key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt); + +static int +setup_ipsec_alg_capi_cipher(struct ipsec_alg_capi_cipher *cptr, struct cipher_implementation *ci) +{ + int ret; + int keyminbits, keymaxbits; + cptr->ci = NULL; + atomic_set (& cptr->ci_usecnt, 0); + cptr->alg.ixt_version = IPSEC_ALG_VERSION; + cptr->alg.ixt_module = THIS_MODULE; + atomic_set (& cptr->alg.ixt_refcnt, 0); + strncpy (cptr->alg.ixt_name , cptr->ciphername, sizeof (cptr->alg.ixt_name)); + + cptr->alg.ixt_blocksize=ci->blocksize; + setup_keylens(cptr, ci, &keyminbits, &keymaxbits); + cptr->alg.ixt_state = 0; + if (excl) cptr->alg.ixt_state |= IPSEC_ALG_ST_EXCL; + cptr->alg.ixt_keyminbits=keyminbits; + cptr->alg.ixt_keymaxbits=keymaxbits; + cptr->alg.ixt_e_keylen=cptr->alg.ixt_keymaxbits/8; + cptr->alg.ixt_e_ctx_size = 0; + cptr->alg.ixt_alg_type = IPSEC_ALG_TYPE_ENCRYPT; + cptr->alg.ixt_e_new_key = _capi_new_key; + cptr->alg.ixt_e_destroy_key = _capi_destroy_key; + cptr->alg.ixt_e_cbc_encrypt = _capi_cbc_encrypt; + cptr->alg.ixt_data = cptr; + + ret=register_ipsec_alg_enc(&cptr->alg); + printk("setup_ipsec_alg_capi_cipher(): " + "alg_type=%d alg_id=%d name=%s " + "keyminbits=%d keymaxbits=%d, ret=%d\n", + cptr->alg.ixt_alg_type, + cptr->alg.ixt_alg_id, + cptr->alg.ixt_name, + cptr->alg.ixt_keyminbits, + cptr->alg.ixt_keymaxbits, + ret); + return ret; +} +/* + * bind cryptoapi cipher to ipsec_alg_capi_cipher "hyper" struct + * it will also create 1 lock() inside cipher + */ +static struct cipher_implementation * +_capi_ci_bind(struct ipsec_alg_capi_cipher *cptr, struct cipher_implementation *ci) +{ + if (atomic_read(&cptr->ci_usecnt) == 0) { + cptr->ci=ci? 
ci : setup_cipher(cptr->ciphername); + } + if (cptr->ci) { + atomic_inc(&cptr->ci_usecnt); + cptr->ci->lock(); + } + return cptr->ci; +} +/* + * unbind cryptoapi cipher from ipsec_alg_capi_cipher "hyper" struct, + * will do 1 unlock() + */ +static void +_capi_ci_unbind(struct ipsec_alg_capi_cipher *cptr) +{ + struct cipher_implementation *ci = cptr->ci; + if (ci) { + if (atomic_dec_and_test(&cptr->ci_usecnt) ) { + cptr->ci = NULL; + } + ci->unlock(); + } +} +/* + * called in ipsec_sa_wipe() time, will destroy key contexts + * and do 1 unbind() + */ +static void +_capi_destroy_key (struct ipsec_alg_enc *alg, __u8 *key_e) +{ + struct cipher_context *cx = (struct cipher_context *)key_e; + struct cipher_implementation* ci=cx->ci; + struct ipsec_alg_capi_cipher *cptr = alg->ixt_data; + + + if (debug > 0) + printk(KERN_DEBUG "klips_debug: _capi_destroy_key:" + "name=%s key_e=%p ci=%p\n", + alg->ixt_name, key_e, ci); + if (!cx) { + printk(KERN_ERR "klips_debug: _capi_destroy_key:" + "name=%s NULL key_e!\n", + alg->ixt_name); + return; + } + + ci->wipe_context(cx); + ci->free_context(cx); + /* ci->unlock(); */ + _capi_ci_unbind(cptr); +} + +/* + * create new key context, need alg->ixt_data to know which + * (of many) cipher inside this module is the target + */ +static __u8 * +_capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen) +{ + struct cipher_context *cx = NULL; + struct ipsec_alg_capi_cipher *cptr; + struct cipher_implementation *ci; + + cptr = alg->ixt_data; + if (!cptr) { + printk(KERN_ERR "_capi_new_key(): " + "NULL ixt_data (?!) 
for \"%s\" algo\n" + , alg->ixt_name); + goto err; + } + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_capi_new_key:" + "name=%s cptr=%p key=%p keysize=%d\n", + alg->ixt_name, cptr, key, keylen); + + /* + * sortof "cache": try to bind the cipher (will be noop if + * already in use); if 1st SA using this cipher will + * end doing find_cipher_by_name() + * + * this logic is needed to support "latebind" + */ + if (!(ci=_capi_ci_bind(cptr, NULL))) + goto err; + /* ci->lock (); */ + + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_capi_new_key (after setup):" + "name=%s ci=%p\n", + alg->ixt_name, ci); + /* + * alloc cipher context for this key + */ + cx = ci->realloc_context (NULL, ci, keylen); + if (!cx) { + printk(KERN_ERR "_capi_new_key(): " + "NULL cx for \"%s\" cryptoapi algo\n" + , alg->ixt_name); + /* ci->unlock (); */ + goto err; + } + if (ci->set_key (cx, key, keylen) < 0) { + printk(KERN_ERR "_capi_new_key(): " + "failed new_key() for \"%s\" cryptoapi algo\n" + , alg->ixt_name); + ci->wipe_context (cx); + ci->free_context (cx); + /* ci->unlock (); */ + cx=NULL; + } +err: + /* + * unbind 1 lease if failed (bad key, ENOMEM, etc ...) 
+ */ + if (!cx) + _capi_ci_unbind(cptr); + + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_capi_new_key:" + "name=%s key=%p keylen=%d cx=%p\n", + alg->ixt_name, key, keylen, cx); + return (__u8 *) cx; +} +/* + * core encryption function: will use cx->ci to call actual cipher's + * cbc function + */ +static int +_capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) { + int error; + struct cipher_context *cx=(struct cipher_context *)key_e; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:" + "cx=%p key_e=%p " + "in=%p out=%p ilen=%d iv=%p encrypt=%d\n" + , cx , key_e + , in, in, ilen, iv, encrypt); + /* this _iv() functions seems to appear AFTER 2.4.18.1 */ + if (encrypt) + error = cx->ci->encrypt_atomic_iv (cx, in, in, ilen, iv); + else + error = cx->ci->decrypt_atomic_iv (cx, in, in, ilen, iv); + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:" + "error=%d\n" + , error); + return (error<0)? error : ilen; +} +/* + * main initialization loop: for each cipher in list, do + * 1) setup cryptoapi cipher else continue + * 2) register ipsec_alg object + * dont bind (lock) cipher if latebind specified, it will + * get re-searched and locked at SA creation time (_new_key()) + */ +static int +setup_cipher_list (struct ipsec_alg_capi_cipher* clist) +{ + struct ipsec_alg_capi_cipher *cptr; + struct cipher_implementation *ci; + /* foreach cipher in list ... 
*/ + for (cptr=clist;cptr->ciphername;cptr++) { + /* + * see if cipher has been disabled (0) or + * if noauto set and not enabled (1) + */ + if (cptr->parm[0] == 0 || (noauto && cptr->parm[0] < 0)) { + if (debug>0) + printk(KERN_INFO "setup_cipher_list(): " + "ciphername=%s skipped at user request: " + "noauto=%d parm[0]=%d parm[1]=%d\n" + , cptr->ciphername + , noauto + , cptr->parm[0] + , cptr->parm[1]); + continue; + } + /* + * use a temp ci to avoid touching cptr->ci, + * if register ipsec_alg success then bind cipher + */ + ci = setup_cipher(cptr->ciphername); + if (ci) { + ci->lock(); + if (debug > 0) + printk(KERN_DEBUG "klips_debug:" + "setup_cipher_list():" + "ciphername=%s found\n" + , cptr->ciphername); + if (setup_ipsec_alg_capi_cipher(cptr, ci) == 0) { + if (latebind==0) + _capi_ci_bind(cptr, ci); + } else { + printk(KERN_ERR "klips_debug:" + "setup_cipher_list():" + "ciphername=%s failed ipsec_alg_register\n" + , cptr->ciphername); + } + ci->unlock(); + } + } + return 0; +} +/* + * deregister ipsec_alg objects and unbind ciphers + */ +static int +unsetup_cipher_list (struct ipsec_alg_capi_cipher* clist) +{ + struct ipsec_alg_capi_cipher *cptr; + /* foreach cipher in list ... */ + for (cptr=clist;cptr->ciphername;cptr++) { + if (cptr->alg.ixt_state & IPSEC_ALG_ST_REGISTERED) { + unregister_ipsec_alg_enc(&cptr->alg); + if (latebind==0) + _capi_ci_unbind(cptr); + } + } + return 0; +} +/* + * test loop for registered algos + */ +static int +test_cipher_list (struct ipsec_alg_capi_cipher* clist) +{ + int test_ret; + struct ipsec_alg_capi_cipher *cptr; + /* foreach cipher in list ... 
*/ + for (cptr=clist;cptr->ciphername;cptr++) { + if (cptr->alg.ixt_state & IPSEC_ALG_ST_REGISTERED) { + test_ret=ipsec_alg_test( + cptr->alg.ixt_alg_type, + cptr->alg.ixt_alg_id, + test); + printk("test_cipher_list(alg_type=%d alg_id=%d): test_ret=%d\n", + cptr->alg.ixt_alg_type, + cptr->alg.ixt_alg_id, + test_ret); + } + } + return 0; +} + +IPSEC_ALG_MODULE_INIT( ipsec_cryptoapi_init ) +{ + int ret, test_ret; + if ((ret=setup_cipher_list(alg_capi_carray)) < 0) + return -EPROTONOSUPPORT; + if (ret==0 && test) { + test_ret=test_cipher_list(alg_capi_carray); + } + return ret; +} +IPSEC_ALG_MODULE_EXIT( ipsec_cryptoapi_fini ) +{ + unsetup_cipher_list(alg_capi_carray); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif + +EXPORT_NO_SYMBOLS; diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_md5.c linux-patched/net/ipsec/alg/ipsec_alg_md5.c --- linux/net/ipsec/alg/ipsec_alg_md5.c Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/alg/ipsec_alg_md5.c Fri Feb 7 13:14:25 2003 
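Review bot: `_capi_destroy_key` reads `cx->ci` in its declarations, and prints `ci` in the debug printk, before the `if (!cx)` check, so the NULL case that the function logs and returns on would already have faulted; assign `ci = cx->ci;` after the check instead. `_capi_new_key` has the mirror problem: when `alg->ixt_data` is NULL it jumps to `err`, where `if (!cx) _capi_ci_unbind(cptr);` dereferences the NULL `cptr`, which `if (!cx && cptr)` or an early `return NULL;` would avoid. Separately, `setup_cipher_list` always returns 0, so `ipsec_cryptoapi_init` reports success even when no cipher was found or registered, and `test_ret` is assigned but never used.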
@@ -0,0 +1,122 @@ +/* + * ipsec_alg MD5 hash stubs + * + * Author: JuanJo Ciarlante + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_MD5 +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +/* Low freeswan header coupling */ +#include "ipsec_alg.h" +#include "libmd5/md5.h" +#include "libmd5/hmac_md5.h" + +MODULE_AUTHOR("JuanJo Ciarlante "); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); + +#define AH_MD5 2 + +static int _md5_hmac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) { + md5_hmac_context *hctx=(md5_hmac_context*)(key_a); + md5_hmac_set_key(hctx, key, keylen); + if (debug > 0) + printk(KERN_DEBUG "klips_debug: _md5_hmac_set_key(): " + "key_a=%p key=%p keysize=%d\n", + key_a, key, keylen); + return 0; +} +static int _md5_hmac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) { + md5_hmac_context *hctx=(md5_hmac_context*)(key_a); + if (debug > 0) + printk(KERN_DEBUG "klips_debug: 
_md5_hmac_hash(): " + "key_a=%p dat=%p len=%d hash=%p hashlen=%d\n", + key_a, dat, len, hash, hashlen); + md5_hmac_hash(hctx, dat, len, hash, hashlen); + return 0; +} +static struct ipsec_alg_auth ipsec_alg_MD5 = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_alg_type: IPSEC_ALG_TYPE_AUTH, + ixt_alg_id: AH_MD5, + ixt_name: "md5", + ixt_blocksize: MD5_BLOCKSIZE, + ixt_keyminbits: 128, + ixt_keymaxbits: 128, + ixt_a_keylen: 128/8, + ixt_a_ctx_size: sizeof(md5_hmac_context), + ixt_a_hmac_set_key: _md5_hmac_set_key, + ixt_a_hmac_hash: _md5_hmac_hash, +}; +IPSEC_ALG_MODULE_INIT( ipsec_md5_init ) +{ + int ret, test_ret; + if (excl) ipsec_alg_MD5.ixt_state |= IPSEC_ALG_ST_EXCL; + ret=register_ipsec_alg_auth(&ipsec_alg_MD5); + printk("ipsec_md5_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_MD5.ixt_alg_type, + ipsec_alg_MD5.ixt_alg_id, + ipsec_alg_MD5.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_MD5.ixt_alg_type, + ipsec_alg_MD5.ixt_alg_id, + test); + printk("ipsec_md5_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_MD5.ixt_alg_type, + ipsec_alg_MD5.ixt_alg_id, + test_ret); + } + return ret; +} +IPSEC_ALG_MODULE_EXIT( ipsec_md5_fini ) +{ + unregister_ipsec_alg_auth(&ipsec_alg_MD5); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif + +EXPORT_NO_SYMBOLS; diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_null.c linux-patched/net/ipsec/alg/ipsec_alg_null.c --- linux/net/ipsec/alg/ipsec_alg_null.c Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/alg/ipsec_alg_null.c Fri Feb 7 13:14:25 2003 
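Review bot: When `test` is set, `ipsec_md5_init` only prints `test_ret` and still returns `ret`, so a failing self-test leaves the algorithm registered and the module loaded. The contract of `ipsec_alg_test` is not visible in this hunk, but if it reports failure with a negative value the init should fail closed, for example `if (test_ret < 0) { unregister_ipsec_alg_auth(&ipsec_alg_MD5); return test_ret; }` after the second printk. The init functions in ipsec_alg_cast.c, ipsec_alg_null.c, ipsec_alg_serpent.c and ipsec_alg_sha1.c follow the same pattern, and `test_cipher_list` in ipsec_alg_cryptoapi.c discards the result in the same way.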
@@ -0,0 +1,133 @@ +/* + * ipsec_alg NULL cipher stubs + * + * Author: JuanJo Ciarlante + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * Fixes by: + * DDR: David De Reu + * Fixes: + * DDR: comply to RFC2410 and make it interop with other impl. + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_NULL +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +/* Low freeswan header coupling */ +#include "ipsec_alg.h" + +#define ESP_NULL 11 /* from ipsec drafts */ +#define ESP_NULL_BLK_LEN 1 /* from RFC 2410 */ +#define ESP_NULL_IV_LEN 0 /* from RFC 2410 */ + +MODULE_AUTHOR("JuanJo Ciarlante "); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); + +typedef int null_context; + +struct null_eks{ + null_context null_ctx; +}; +static int _null_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) { + null_context *ctx=&((struct null_eks*)key_e)->null_ctx; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_null_set_key:" + "key_e=%p key=%p keysize=%d\n", + key_e, key, keysize); + *ctx = 1; + return 0; +} 
+static int _null_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) { + null_context *ctx=&((struct null_eks*)key_e)->null_ctx; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_null_cbc_encrypt:" + "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n", + key_e, in, ilen, iv, encrypt); + (*ctx)++; + return ilen; +} +static struct ipsec_alg_enc ipsec_alg_NULL = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT, + ixt_alg_id: ESP_NULL, + ixt_name: "null", + ixt_blocksize: ESP_NULL_BLK_LEN, + ixt_ivlen: ESP_NULL_IV_LEN, + ixt_keyminbits: 0, + ixt_keymaxbits: 0, + ixt_e_keylen: 0, + ixt_e_ctx_size: sizeof(null_context), + ixt_e_set_key: _null_set_key, + ixt_e_cbc_encrypt:_null_cbc_encrypt, +}; + +IPSEC_ALG_MODULE_INIT(ipsec_null_init) +{ + int ret, test_ret; + if (excl) ipsec_alg_NULL.ixt_state |= IPSEC_ALG_ST_EXCL; + ret=register_ipsec_alg_enc(&ipsec_alg_NULL); + printk("ipsec_null_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_NULL.ixt_alg_type, + ipsec_alg_NULL.ixt_alg_id, + ipsec_alg_NULL.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_NULL.ixt_alg_type, + ipsec_alg_NULL.ixt_alg_id, + test); + printk("ipsec_null_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_NULL.ixt_alg_type, + ipsec_alg_NULL.ixt_alg_id, + test_ret); + } + return ret; +} +IPSEC_ALG_MODULE_EXIT(ipsec_null_fini) +{ + unregister_ipsec_alg_enc(&ipsec_alg_NULL); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif + +EXPORT_NO_SYMBOLS; diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_serpent.c linux-patched/net/ipsec/alg/ipsec_alg_serpent.c --- linux/net/ipsec/alg/ipsec_alg_serpent.c Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/alg/ipsec_alg_serpent.c Fri Feb 7 13:14:25 2003 
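Review bot: `_null_cbc_encrypt` increments `*ctx` on every call, but nothing in this file reads the counter, so the packet path writes per-key state for no visible purpose. As a plain `int` it overflows after roughly 2^31 calls, which is undefined behaviour for a signed type, and the increment is unsynchronised if one key context can be used from more than one CPU, which the hunk does not show. I would drop `(*ctx)++;`, or if the count is wanted for debugging make `null_context` unsigned and document it with a comment such as `/* RFC 2410: data passes through unchanged; ctx is only a debug call counter */`.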
@@ -0,0 +1,139 @@ +/* + * ipsec_alg SERPENT cipher stubs + * + * Author: JuanJo Ciarlante + * + * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $ + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + */ +#include +#include + +/* + * special case: ipsec core modular with this static algo inside: + * must avoid MODULE magic for this file + */ +#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_SERPENT +#undef MODULE +#endif + +#include +#include + +#include /* printk() */ +#include /* error codes */ +#include /* size_t */ +#include + +/* Check if __exit is defined, if not null it */ +#ifndef __exit +#define __exit +#endif + +/* Low freeswan header coupling */ +#include "ipsec_alg.h" +#include "libserpent/serpent.h" +#include "libserpent/serpent_cbc.h" + +#define ESP_SERPENT 252 /* from ipsec drafts */ + +/* 128, 192 or 256 */ +#define ESP_SERPENT_KEY_SZ_MIN 16 /* 128 bit secret key */ +#define ESP_SERPENT_KEY_SZ_MAX 32 /* 256 bit secret key */ +#define ESP_SERPENT_CBC_BLK_LEN 16 /* SERPENT-CBC block size */ + +MODULE_AUTHOR("JuanJo Ciarlante "); +static int debug=0; +MODULE_PARM(debug, "i"); +static int test=0; +MODULE_PARM(test, "i"); +static int excl=0; +MODULE_PARM(excl, "i"); +static int keyminbits=0; +MODULE_PARM(keyminbits, "i"); +static int keymaxbits=0; +MODULE_PARM(keymaxbits, "i"); + +static int _serpent_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) { + serpent_context *ctx=(serpent_context *)key_e; + if (debug > 0) + printk(KERN_DEBUG 
"klips_debug:_serpent_set_key:" + "key_e=%p key=%p keysize=%d\n", + key_e, key, keysize); + serpent_set_key(ctx, key, keysize); + return 0; +} +static int _serpent_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) { + serpent_context *ctx=(serpent_context *)key_e; + if (debug > 0) + printk(KERN_DEBUG "klips_debug:_serpent_cbc_encrypt:" + "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n", + key_e, in, ilen, iv, encrypt); + serpent_cbc_encrypt(ctx, in, in, ilen, iv, encrypt); + return ilen; +} +static struct ipsec_alg_enc ipsec_alg_SERPENT = { + ixt_version: IPSEC_ALG_VERSION, + ixt_module: THIS_MODULE, + ixt_refcnt: ATOMIC_INIT(0), + ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT, + ixt_alg_id: ESP_SERPENT, + ixt_name: "serpent", + ixt_blocksize: ESP_SERPENT_CBC_BLK_LEN, + ixt_keyminbits: ESP_SERPENT_KEY_SZ_MIN * 8, + ixt_keymaxbits: ESP_SERPENT_KEY_SZ_MAX * 8, + ixt_e_keylen: ESP_SERPENT_KEY_SZ_MAX, + ixt_e_ctx_size: sizeof(serpent_context), + ixt_e_set_key: _serpent_set_key, + ixt_e_cbc_encrypt:_serpent_cbc_encrypt, +}; + +IPSEC_ALG_MODULE_INIT(ipsec_serpent_init) +{ + int ret, test_ret; + if (keyminbits) + ipsec_alg_SERPENT.ixt_keyminbits=keyminbits; + if (keymaxbits) { + ipsec_alg_SERPENT.ixt_keymaxbits=keymaxbits; + if (keymaxbits*8>ipsec_alg_SERPENT.ixt_keymaxbits) + ipsec_alg_SERPENT.ixt_e_keylen=keymaxbits*8; + } + if (excl) ipsec_alg_SERPENT.ixt_state |= IPSEC_ALG_ST_EXCL; + ret=register_ipsec_alg_enc(&ipsec_alg_SERPENT); + printk("ipsec_serpent_init(alg_type=%d alg_id=%d name=%s): ret=%d\n", + ipsec_alg_SERPENT.ixt_alg_type, + ipsec_alg_SERPENT.ixt_alg_id, + ipsec_alg_SERPENT.ixt_name, + ret); + if (ret==0 && test) { + test_ret=ipsec_alg_test( + ipsec_alg_SERPENT.ixt_alg_type, + ipsec_alg_SERPENT.ixt_alg_id, + test); + printk("ipsec_serpent_init(alg_type=%d alg_id=%d): test_ret=%d\n", + ipsec_alg_SERPENT.ixt_alg_type, + ipsec_alg_SERPENT.ixt_alg_id, + test_ret); + } + return ret; +} 
+IPSEC_ALG_MODULE_EXIT(ipsec_serpent_fini) +{ + unregister_ipsec_alg_enc(&ipsec_alg_SERPENT); + return; +} +#ifdef MODULE_LICENSE +MODULE_LICENSE("GPL"); +#endif + +EXPORT_NO_SYMBOLS; diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_sha1.c linux-patched/net/ipsec/alg/ipsec_alg_sha1.c --- linux/net/ipsec/alg/ipsec_alg_sha1.c Thu Jan 1 01:00:00 1970 +++ linux-patched/net/ipsec/alg/ipsec_alg_sha1.c Fri Feb 7 13:14:25 2003 
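Review bot: `_serpent_set_key` passes `size_t keysize` to a `%d` conversion in its debug `printk`, which mismatches the argument type on any target where `size_t` is wider than `int`. Casting at the call site keeps the format correct without depending on a size_t length modifier being available in this kernel's `printk`: `key_e, key, (int)keysize);`. `_cast_set_key`, `_null_set_key` and both debug printks in `_capi_new_key` have the same mismatch.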
@@ -0,0 +1,122 @@
+/*
+ * ipsec_alg SHA1 hash stubs
+ *
+ * Author: JuanJo Ciarlante
+ *
+ * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+#include
+#include
+
+/*
+ * special case: ipsec core modular with this static algo inside:
+ * must avoid MODULE magic for this file
+ */
+#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_SHA1
+#undef MODULE
+#endif
+
+#include
+#include
+
+#include /* printk() */
+#include /* error codes */
+#include /* size_t */
+#include
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/* Low freeswan header coupling */
+#include "ipsec_alg.h"
+#include "libsha1/sha.h"
+#include "libsha1/hmac_sha1.h"
+
+MODULE_AUTHOR("JuanJo Ciarlante ");
+static int debug=0;
+MODULE_PARM(debug, "i");
+static int test=0;
+MODULE_PARM(test, "i");
+static int excl=0;
+MODULE_PARM(excl, "i");
+
+#define AH_SHA 3
+
+static int _sha1_hmac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) {
+ sha1_hmac_context *hctx=(sha1_hmac_context*)(key_a);
+ sha1_hmac_set_key(hctx, key, keylen);
+ if (debug > 0)
+ printk(KERN_DEBUG "klips_debug: _sha1_hmac_set_key(): "
+ "key_a=%p key=%p keysize=%d\n",
+ key_a, key, keylen);
+ return 0;
+}
+static int _sha1_hmac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) {
+ sha1_hmac_context *hctx=(sha1_hmac_context*)(key_a);
+ if (debug > 0)
+ printk(KERN_DEBUG "klips_debug: _sha1_hmac_hash(): "
+ "key_a=%p dat=%p len=%d hash=%p hashlen=%d\n",
+ key_a, dat, len, hash, hashlen);
+ sha1_hmac_hash(hctx, dat, len, hash, hashlen);
+ return 0;
+}
+static struct ipsec_alg_auth ipsec_alg_SHA1 = {
+ ixt_version: IPSEC_ALG_VERSION,
+ ixt_module: THIS_MODULE,
+ ixt_refcnt: ATOMIC_INIT(0),
+ ixt_alg_type: IPSEC_ALG_TYPE_AUTH,
+ ixt_alg_id: AH_SHA,
+ ixt_name: "sha1",
+ ixt_blocksize: SHA1_BLOCKSIZE,
+ ixt_keyminbits: 160,
+ ixt_keymaxbits: 160,
+ ixt_a_keylen: 160/8,
+ ixt_a_ctx_size: sizeof(sha1_hmac_context),
+ ixt_a_hmac_set_key: _sha1_hmac_set_key,
+ ixt_a_hmac_hash: _sha1_hmac_hash,
+};
+IPSEC_ALG_MODULE_INIT( ipsec_sha1_init )
+{
+ int ret, test_ret;
+ if (excl) ipsec_alg_SHA1.ixt_state |= IPSEC_ALG_ST_EXCL;
+ ret=register_ipsec_alg_auth(&ipsec_alg_SHA1);
+ printk("ipsec_sha1_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
+ ipsec_alg_SHA1.ixt_alg_type,
+ ipsec_alg_SHA1.ixt_alg_id,
+ ipsec_alg_SHA1.ixt_name,
+ ret);
+ if (ret==0 && test) {
+ test_ret=ipsec_alg_test(
+ ipsec_alg_SHA1.ixt_alg_type,
+ ipsec_alg_SHA1.ixt_alg_id,
+ test);
+ printk("ipsec_sha1_init(alg_type=%d alg_id=%d): test_ret=%d\n",
+ ipsec_alg_SHA1.ixt_alg_type,
+ ipsec_alg_SHA1.ixt_alg_id,
+ test_ret);
+ }
+ return ret;
+}
+IPSEC_ALG_MODULE_EXIT( ipsec_sha1_fini )
+{
+ unregister_ipsec_alg_auth(&ipsec_alg_SHA1);
+ return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
+
+EXPORT_NO_SYMBOLS;
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_sha2.c linux-patched/net/ipsec/alg/ipsec_alg_sha2.c
--- linux/net/ipsec/alg/ipsec_alg_sha2.c Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/ipsec_alg_sha2.c Fri Feb 7 13:14:25 2003
@@ -0,0 +1,185 @@
+/*
+ * ipsec_alg SHA2 hash stubs
+ *
+ * Author: JuanJo Ciarlante
+ *
+ * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+#include
+#include
+
+/*
+ * special case: ipsec core modular with this static algo inside:
+ * must avoid MODULE magic for this file
+ */
+#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_SHA2
+#undef MODULE
+#endif
+
+#include
+#include
+
+#include /* printk() */
+#include /* error codes */
+#include /* size_t */
+#include
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/* Low freeswan header coupling */
+#include "ipsec_alg.h"
+#include "libsha2/sha2.h"
+#include "libsha2/hmac_sha2.h"
+
+MODULE_AUTHOR("JuanJo Ciarlante ");
+static int debug=0;
+MODULE_PARM(debug, "i");
+static int test=0;
+MODULE_PARM(test, "i");
+static int excl=0;
+MODULE_PARM(excl, "i");
+
+/* almost constants ...: draft-ietf-ipsec-ciph-aes-cbc-03.txt */
+#define AH_SHA2_256 5
+#define AH_SHA2_384 6
+#define AH_SHA2_512 7
+
+static int _sha256_hmac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) {
+ sha256_hmac_context *hctx=(sha256_hmac_context*)(key_a);
+ sha256_hmac_set_key(hctx, key, keylen);
+ if (debug > 0)
+ printk(KERN_DEBUG "klips_debug: _sha256_hmac_set_key(): "
+ "key_a=%p key=%p keysize=%d\n",
+ key_a, key, keylen);
+ return 0;
+}
+static int _sha256_hmac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) {
+ sha256_hmac_context *hctx=(sha256_hmac_context*)(key_a);
+ if (debug > 0)
+ printk(KERN_DEBUG "klips_debug: _sha256_hmac_hash(): "
+ "key_a=%p dat=%p len=%d hash=%p hashlen=%d\n",
+ key_a, dat, len, hash, hashlen);
+ sha256_hmac_hash(hctx, dat, len, hash, hashlen);
+ return 0;
+}
+static int _sha512_hmac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) {
+ sha512_hmac_context *hctx=(sha512_hmac_context*)(key_a);
+ sha512_hmac_set_key(hctx, key, keylen);
+ if (debug > 0)
+ printk(KERN_DEBUG "klips_debug: _sha512_hmac_set_key(): "
+ "key_a=%p key=%p keysize=%d\n",
+ key_a, key, keylen);
+ return 0;
+}
+static int _sha512_hmac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) {
+ sha512_hmac_context *hctx=(sha512_hmac_context*)(key_a);
+ if (debug > 0)
+ printk(KERN_DEBUG "klips_debug: _sha512_hmac_hash(): "
+ "key_a=%p dat=%p len=%d hash=%p hashlen=%d\n",
+ key_a, dat, len, hash, hashlen);
+ sha512_hmac_hash(hctx, dat, len, hash, hashlen);
+ return 0;
+}
+static struct ipsec_alg_auth ipsec_alg_SHA2_256 = {
+ ixt_version: IPSEC_ALG_VERSION,
+ ixt_module: THIS_MODULE,
+ ixt_refcnt: ATOMIC_INIT(0),
+ ixt_alg_type: IPSEC_ALG_TYPE_AUTH,
+ ixt_alg_id: AH_SHA2_256,
+ ixt_name: "sha2_256",
+ ixt_blocksize: SHA256_BLOCKSIZE,
+ ixt_keyminbits: 256,
+ ixt_keymaxbits: 256,
+ ixt_a_keylen: 256/8,
+ ixt_a_ctx_size: sizeof(sha256_hmac_context),
+ ixt_a_hmac_set_key: _sha256_hmac_set_key,
+ ixt_a_hmac_hash: _sha256_hmac_hash,
+};
+static struct ipsec_alg_auth ipsec_alg_SHA2_512 = {
+ ixt_version: IPSEC_ALG_VERSION,
+ ixt_module: THIS_MODULE,
+ ixt_refcnt: ATOMIC_INIT(0),
+ ixt_alg_type: IPSEC_ALG_TYPE_AUTH,
+ ixt_alg_id: AH_SHA2_512,
+ ixt_name: "sha2_512",
+ ixt_blocksize: SHA512_BLOCKSIZE,
+ ixt_keyminbits: 512,
+ ixt_keymaxbits: 512,
+ ixt_a_keylen: 512/8,
+ ixt_a_ctx_size: sizeof(sha512_hmac_context),
+ ixt_a_hmac_set_key: _sha512_hmac_set_key,
+ ixt_a_hmac_hash: _sha512_hmac_hash,
+};
+
+IPSEC_ALG_MODULE_INIT( ipsec_sha2_init )
+{
+ int ret, test_ret;
+ if (excl) ipsec_alg_SHA2_256.ixt_state |= IPSEC_ALG_ST_EXCL;
+ ret=register_ipsec_alg_auth(&ipsec_alg_SHA2_256);
+ printk("ipsec_sha2_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
+ ipsec_alg_SHA2_256.ixt_alg_type,
+ ipsec_alg_SHA2_256.ixt_alg_id,
+ ipsec_alg_SHA2_256.ixt_name,
+ ret);
+ if (ret != 0)
+ goto out;
+ if (ret==0 && test) {
+ test_ret=ipsec_alg_test(
+ ipsec_alg_SHA2_256.ixt_alg_type,
+ ipsec_alg_SHA2_256.ixt_alg_id,
+ test);
+ printk("ipsec_sha2_init(alg_type=%d alg_id=%d): test_ret=%d\n",
+ ipsec_alg_SHA2_256.ixt_alg_type,
+ ipsec_alg_SHA2_256.ixt_alg_id,
+ test_ret);
+ }
+ if (excl) ipsec_alg_SHA2_512.ixt_state |= IPSEC_ALG_ST_EXCL;
+ ret=register_ipsec_alg_auth(&ipsec_alg_SHA2_512);
+ printk("ipsec_sha2_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
+ ipsec_alg_SHA2_512.ixt_alg_type,
+ ipsec_alg_SHA2_512.ixt_alg_id,
+ ipsec_alg_SHA2_512.ixt_name,
+ ret);
+ if (ret != 0)
+ goto out_256;
+ if (ret==0 && test) {
+ test_ret=ipsec_alg_test(
+ ipsec_alg_SHA2_512.ixt_alg_type,
+ ipsec_alg_SHA2_512.ixt_alg_id,
+ test);
+ printk("ipsec_sha2_init(alg_type=%d alg_id=%d): test_ret=%d\n",
+ ipsec_alg_SHA2_512.ixt_alg_type,
+ ipsec_alg_SHA2_512.ixt_alg_id,
+ test_ret);
+ }
+ goto out;
+out_256:
+ unregister_ipsec_alg_auth(&ipsec_alg_SHA2_256);
+out:
+ return ret;
+}
+IPSEC_ALG_MODULE_EXIT( ipsec_sha2_fini )
+{
+ unregister_ipsec_alg_auth(&ipsec_alg_SHA2_512);
+ unregister_ipsec_alg_auth(&ipsec_alg_SHA2_256);
+ return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+#endif
+
+EXPORT_NO_SYMBOLS;
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/ipsec_alg_twofish.c linux-patched/net/ipsec/alg/ipsec_alg_twofish.c
--- linux/net/ipsec/alg/ipsec_alg_twofish.c Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/ipsec_alg_twofish.c Fri Feb 7 13:14:25 2003
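Review bot: `AH_SHA2_384` is defined but nothing in this file registers it: `ipsec_sha2_init` registers only `ipsec_alg_SHA2_256` and `ipsec_alg_SHA2_512`, so a reader cannot tell whether SHA2-384 was left out on purpose. The comment above the three ids also cites `draft-ietf-ipsec-ciph-aes-cbc-03.txt`, whose name refers to AES-CBC rather than HMAC-SHA2, so the origin of the values should be checked. I would replace it with `/* HMAC-SHA2 transform ids; only 256 and 512 are registered below, 384 is not implemented here */`. Minor: after `if (ret != 0) goto out;` the `ret==0 &&` in `if (ret==0 && test)` is always true and can be dropped in both places.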
@@ -0,0 +1,138 @@
+/*
+ * ipsec_alg TWOFISH cipher stubs
+ *
+ * Author: JuanJo Ciarlante
+ *
+ * $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+#include
+#include
+
+/*
+ * special case: ipsec core modular with this static algo inside:
+ * must avoid MODULE magic for this file
+ */
+#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_TWOFISH
+#undef MODULE
+#endif
+
+#include
+#include
+
+#include /* printk() */
+#include /* error codes */
+#include /* size_t */
+#include
+
+/* Check if __exit is defined, if not null it */
+#ifndef __exit
+#define __exit
+#endif
+
+/* Low freeswan header coupling */
+#include "ipsec_alg.h"
+#include "libtwofish/twofish.h"
+#include "libtwofish/twofish_cbc.h"
+
+#define ESP_TWOFISH 253 /* from ipsec drafts */
+
+/* 128, 192 or 256 */
+#define ESP_TWOFISH_KEY_SZ_MIN 16 /* 128 bit secret key */
+#define ESP_TWOFISH_KEY_SZ_MAX 32 /* 256 bit secret key */
+#define ESP_TWOFISH_CBC_BLK_LEN 16 /* TWOFISH-CBC block size */
+
+MODULE_AUTHOR("JuanJo Ciarlante ");
+static int debug=0;
+MODULE_PARM(debug, "i");
+static int test=0;
+MODULE_PARM(test, "i");
+static int excl=0;
+MODULE_PARM(excl, "i");
+static int keyminbits=0;
+MODULE_PARM(keyminbits, "i");
+static int keymaxbits=0;
+MODULE_PARM(keymaxbits, "i");
+
+static int _twofish_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) {
+ twofish_context *ctx=(twofish_context *)key_e;
+ if (debug > 0)
+ printk(KERN_DEBUG "klips_debug:_twofish_set_key:"
+ "key_e=%p key=%p keysize=%d\n",
+ key_e, key, keysize);
+ twofish_set_key(ctx, key, keysize);
+ return 0;
+}
+static int _twofish_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) {
+ twofish_context *ctx=(twofish_context *)key_e;
+ if (debug > 0)
+ printk(KERN_DEBUG "klips_debug:_twofish_cbc_encrypt:"
+ "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
+ key_e, in, ilen, iv, encrypt);
+ twofish_cbc_encrypt(ctx, in, in, ilen, iv, encrypt);
+ return ilen;
+}
+static struct ipsec_alg_enc ipsec_alg_TWOFISH = {
+ ixt_version: IPSEC_ALG_VERSION,
+ ixt_module: THIS_MODULE,
+ ixt_refcnt: ATOMIC_INIT(0),
+ ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT,
+ ixt_alg_id: ESP_TWOFISH,
+ ixt_name: "twofish",
+ ixt_blocksize: ESP_TWOFISH_CBC_BLK_LEN,
+ ixt_keyminbits: ESP_TWOFISH_KEY_SZ_MIN * 8,
+ ixt_keymaxbits: ESP_TWOFISH_KEY_SZ_MAX * 8,
+ ixt_e_keylen: ESP_TWOFISH_KEY_SZ_MAX,
+ ixt_e_ctx_size: sizeof(twofish_context),
+ ixt_e_set_key: _twofish_set_key,
+ ixt_e_cbc_encrypt:_twofish_cbc_encrypt,
+};
+
+IPSEC_ALG_MODULE_INIT( ipsec_twofish_init )
+{
+ int ret, test_ret;
+ if (keyminbits)
+ ipsec_alg_TWOFISH.ixt_keyminbits=keyminbits;
+ if (keymaxbits) {
+ ipsec_alg_TWOFISH.ixt_keymaxbits=keymaxbits;
+ if (keymaxbits*8>ipsec_alg_TWOFISH.ixt_keymaxbits)
+ ipsec_alg_TWOFISH.ixt_e_keylen=keymaxbits*8;
+ }
+ if (excl) ipsec_alg_TWOFISH.ixt_state |= IPSEC_ALG_ST_EXCL;
+ ret=register_ipsec_alg_enc(&ipsec_alg_TWOFISH);
+ printk("ipsec_twofish_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
+ ipsec_alg_TWOFISH.ixt_alg_type,
+ ipsec_alg_TWOFISH.ixt_alg_id,
+ ipsec_alg_TWOFISH.ixt_name, ret);
+ if (ret==0 && test) {
+ test_ret=ipsec_alg_test(
+ ipsec_alg_TWOFISH.ixt_alg_type,
+ ipsec_alg_TWOFISH.ixt_alg_id,
+ test);
+ printk("ipsec_twofish_init(alg_type=%d alg_id=%d): test_ret=%d\n",
+ ipsec_alg_TWOFISH.ixt_alg_type,
+ ipsec_alg_TWOFISH.ixt_alg_id,
+ ret);
+ }
+ return ret;
+}
+IPSEC_ALG_MODULE_EXIT( ipsec_twofish_fini )
+{
+ unregister_ipsec_alg_enc(&ipsec_alg_TWOFISH);
+ return;
+}
+#ifdef MODULE_LICENSE
+MODULE_LICENSE("GPL");
+
+EXPORT_NO_SYMBOLS;
+#endif
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/alg/scripts/mk-static_init.c.sh linux-patched/net/ipsec/alg/scripts/mk-static_init.c.sh
--- linux/net/ipsec/alg/scripts/mk-static_init.c.sh Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/alg/scripts/mk-static_init.c.sh Thu Sep 5 04:36:54 2002
@@ -0,0 +1,17 @@
+#!/bin/sh
+cat << EOF
+#include
+#include "../ipsec_alg.h"
+$(for i in $*; do
+ test -z "$i" && continue
+ echo "extern int $i(void);"
+done)
+void ipsec_alg_static_init(void){
+ int __attribute__ ((unused)) err=0;
+$(for i in $*; do
+ test -z "$i" && continue
+ echo " if ((err=$i()) < 0)"
+ echo " printk(KERN_WARNING \"$i() returned %d\", err);"
+done)
+}
+EOF
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/defconfig linux-patched/net/ipsec/defconfig
--- linux/net/ipsec/defconfig Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/defconfig Fri Jul 4 20:07:34 2003
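Review bot: The `keymaxbits` handling in `ipsec_twofish_init` mixes units and has no bounds: `ixt_keymaxbits` is overwritten with the module parameter first, so `keymaxbits*8>ipsec_alg_TWOFISH.ixt_keymaxbits` holds for every positive value, and `ixt_e_keylen`, initialised from `ESP_TWOFISH_KEY_SZ_MAX` (bytes), is then set to `keymaxbits*8`. With `keymaxbits=256` that gives 2048 where 32 appears to be intended; how the core uses `ixt_e_keylen` is not visible in this hunk. I would check the parameter against the compiled-in limits and convert to bytes, `if (keymaxbits < ESP_TWOFISH_KEY_SZ_MIN*8 || keymaxbits > ESP_TWOFISH_KEY_SZ_MAX*8) return -EINVAL;` followed by `ipsec_alg_TWOFISH.ixt_e_keylen=keymaxbits/8;`, with the same bound applied to `keyminbits`; `ipsec_serpent_init` in ipsec_alg_serpent.c carries the identical block. Separately, the second `printk` passes `ret` where its format says `test_ret=%d`, so the self-test result is never shown.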
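Review bot: The generated `printk(KERN_WARNING \"$i() returned %d\", err);` in mk-static_init.c.sh has no trailing newline, so the warning about a failed algorithm init can run into the next kernel log line, and since `ipsec_alg_static_init` is `void` that warning is the only trace of a cipher or hash that did not register. Emitting the line with `printf ' printk(KERN_WARNING "%s() returned %%d\\n", err);\n' "$i"` adds the newline without depending on how `echo` treats backslashes under `/bin/sh`. Using `"$@"` instead of `$*` in both loops would also keep each argument intact.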
@@ -0,0 +1,132 @@
+
+#
+# RCSID $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $
+#
+
+#
+# FreeS/WAN IPSec implementation, KLIPS kernel config defaults
+#
+
+#
+# First, lets override stuff already set or not in the kernel config.
+#
+# We can't even think about leaving this off...
+CONFIG_INET=y
+
+#
+# This must be on for subnet protection.
+CONFIG_IP_FORWARD=y
+
+# Shut off IPSEC masquerading if it has been enabled, since it will
+# break the compile. IPPROTO_ESP and IPPROTO_AH were included in
+# net/ipv4/ip_masq.c when they should have gone into include/linux/in.h.
+CONFIG_IP_MASQUERADE_IPSEC=n
+
+#
+# Next, lets set the recommended FreeS/WAN configuration.
+#
+
+# To config as static (preferred), 'y'. To config as module, 'm'.
+CONFIG_IPSEC=m
+
+# To do tunnel mode IPSec, this must be enabled.
+CONFIG_IPSEC_IPIP=y
+
+# To enable authentication, say 'y'. (Highly recommended)
+CONFIG_IPSEC_AH=y
+
+# Authentication algorithm(s):
+CONFIG_IPSEC_AUTH_HMAC_MD5=y
+CONFIG_IPSEC_AUTH_HMAC_SHA1=y
+
+# To enable encryption, say 'y'. (Highly recommended)
+CONFIG_IPSEC_ESP=y
+
+# Encryption algorithm(s):
+CONFIG_IPSEC_ENC_3DES=y
+
+# IP Compression: new, probably still has minor bugs.
+CONFIG_IPSEC_IPCOMP=y
+
+# To enable userspace-switchable KLIPS debugging, say 'y'.
+CONFIG_IPSEC_DEBUG=y
+
+# modular algo extensions (and new ALGOs)
+CONFIG_IPSEC_ALG=y
+CONFIG_IPSEC_ALG_AES=m
+CONFIG_IPSEC_ALG_TWOFISH=m
+CONFIG_IPSEC_ALG_SERPENT=m
+
+# NAT Traversal
+CONFIG_IPSEC_NAT_TRAVERSAL=y
+
+# Use CryptoAPI for ALG?
+CONFIG_IPSEC_ALG_CRYPTOAPI=n
+
+# NAT Traversal
+CONFIG_IPSEC_NAT_TRAVERSAL=y
+
+#
+#
+# $Log: super-freeswan-1.99.8-delsol1.diff,v $
+# Revision 1.1 2003/09/09 09:20:34 john
+# Initial import
+#
+# Revision 1.5 2003/07/04 19:07:34 ken
+# Added NAT-T 0.6 diff/patch from Tuomo
+#
+# Revision 1.4 2003/02/21 22:59:21 ken
+# Set default for CONFIG_IPSEC_ALG_CRYPTOAPI=n
+#
+# Revision 1.3 2002/09/05 16:50:58 ken
+# Enabled NAT-T by default
+#
+# Revision 1.2 2002/09/05 03:27:08 ken
+# Applied freeswan-alg-0.8.0-BASE-klips.diff
+#
+# Revision 1.1.1.1 2002/09/05 03:13:17 ken
+# 1.98b
+#
+# Revision 1.20 2002/04/02 04:07:40 mcr
+# default build is now 'm'odule for KLIPS
+#
+# Revision 1.19 2002/03/08 18:57:17 rgb
+# Added a blank line at the beginning of the file to make it easier for
+# other projects to patch ./arch/i386/defconfig, for example
+# LIDS+grSecurity requested by Jason Pattie.
+#
+# Revision 1.18 2000/11/30 17:26:56 rgb
+# Cleaned out unused options and enabled ipcomp by default.
+#
+# Revision 1.17 2000/09/15 11:37:01 rgb
+# Merge in heavily modified Svenning Soerensen's
+# IPCOMP zlib deflate code.
+#
+# Revision 1.16 2000/09/08 19:12:55 rgb
+# Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
+#
+# Revision 1.15 2000/05/24 19:37:13 rgb
+# *** empty log message ***
+#
+# Revision 1.14 2000/05/11 21:14:57 henry
+# just commenting the FOOBAR=y lines out is not enough
+#
+# Revision 1.13 2000/05/10 20:17:58 rgb
+# Comment out netlink defaults, which are no longer needed.
+#
+# Revision 1.12 2000/05/10 19:13:38 rgb
+# Added configure option to shut off no eroute passthrough.
+#
+# Revision 1.11 2000/03/16 07:09:46 rgb
+# Hardcode PF_KEYv2 support.
+# Disable IPSEC_ICMP by default.
+# Remove DES config option from defaults file.
+#
+# Revision 1.10 2000/01/11 03:09:42 rgb
+# Added a default of 'y' to PF_KEYv2 keying I/F.
+#
+# Revision 1.9 1999/05/08 21:23:12 rgb
+# Added support for 2.2.x kernels.
+#
+# Revision 1.8 1999/04/06 04:54:25 rgb
+# Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
+# patch shell fixes.
+#
+#
diff -Nru -x '*.ipsecmd5' -x '*.preipsec' -x '*.ipsecmd5' -x '*.wipsec' linux/net/ipsec/ipcomp.c linux-patched/net/ipsec/ipcomp.c
--- linux/net/ipsec/ipcomp.c Thu Jan 1 01:00:00 1970
+++ linux-patched/net/ipsec/ipcomp.c Thu Sep 5 04:13:17 2002
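Review bot: `CONFIG_IPSEC_DEBUG=y` is shipped as the default in net/ipsec/defconfig, and with it the `#ifdef CONFIG_IPSEC_DEBUG` block in `skb_compress` (net/ipsec/ipcomp.c in this patch) can hex-dump each packet payload before compression to the kernel log once the ipcomp and verbose debug sysctls are set. The comment above the option should say so, for example `# Debug code can log packet payloads when the debug sysctls are enabled; say 'n' for production kernels.` Also, `CONFIG_IPSEC_NAT_TRAVERSAL=y` and its `# NAT Traversal` comment appear twice, before and after `CONFIG_IPSEC_ALG_CRYPTOAPI=n`; one copy should be removed.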
@@ -0,0 +1,742 @@ +/* + * IPCOMP zlib interface code. + * Copyright (C) 2000 Svenning Soerensen + * Copyright (C) 2000, 2001 Richard Guy Briggs + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +char ipcomp_c_version[] = "RCSID $Id: super-freeswan-1.99.8-delsol1.diff,v 1.1 2003/09/09 09:20:34 john Exp $"; + +/* SSS */ + +#include +#include + +#define __NO_VERSION__ +#include +#include /* printk() */ + +#define IPSEC_KLIPS1_COMPAT +#include "ipsec_param.h" + +#ifdef MALLOC_SLAB +# include /* kmalloc() */ +#else /* MALLOC_SLAB */ +# include /* kmalloc() */ +#endif /* MALLOC_SLAB */ +#include /* error codes */ +#include +#include +#include +#include + +#include /* struct device, and other headers */ +#include /* eth_type_trans */ +#include /* struct iphdr */ +#include + +#include +#ifdef NET_21 +# include +# include +# include +# define proto_priv cb +#endif /* NET21 */ +#include +#include + +#include "radij.h" +#include "ipsec_encap.h" +#include "ipsec_sa.h" + +#include "ipsec_netlink.h" +#include "ipsec_xform.h" +#include "ipsec_tunnel.h" +#include "ipsec_rcv.h" /* sysctl_ipsec_inbound_policy_check */ +#include "ipcomp.h" +#include "zlib/zlib.h" +#include "zlib/zutil.h" + +#include /* SADB_X_CALG_DEFLATE */ + +#ifdef CONFIG_IPSEC_DEBUG +int sysctl_ipsec_debug_ipcomp = 0; +#endif /* CONFIG_IPSEC_DEBUG */ + +static +struct sk_buff *skb_copy_ipcomp(struct sk_buff *skb, int data_growth, int gfp_mask); + +static +voidpf my_zcalloc(voidpf opaque, uInt items, uInt size) +{ + return (voidpf) 
kmalloc(items*size, GFP_ATOMIC); +} + +static +void my_zfree(voidpf opaque, voidpf address) +{ + kfree(address); +} + +struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *tdb, unsigned int *flags) +{ + struct iphdr *iph; + unsigned int iphlen, pyldsz, cpyldsz; + unsigned char *buffer; + z_stream zs; + int zresult; + + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: .\n"); + + if(!skb) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "passed in NULL skb, returning ERROR.\n"); + if (flags) *flags |= IPCOMP_PARMERROR; + return skb; + } + + if(!tdb) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "passed in NULL tdb needed for cpi, returning ERROR.\n"); + if (flags) *flags |= IPCOMP_PARMERROR; + return skb; + } + + if (!flags) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "passed in NULL flags, returning ERROR.\n"); +#ifdef NET_21 + kfree_skb(skb); +#else /* NET_21 */ + dev_kfree_skb(skb, FREE_WRITE); +#endif /* NET_21 */ + return NULL; + } + +#ifdef NET_21 + iph = skb->nh.iph; +#else /* NET_21 */ + iph = skb->ip_hdr; +#endif /* NET_21 */ + + switch (iph->protocol) { + case IPPROTO_COMP: + case IPPROTO_AH: + case IPPROTO_ESP: + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "skipping compression of packet with ip protocol %d.\n", + iph->protocol); + *flags |= IPCOMP_UNCOMPRESSABLE; + return skb; + } + + /* Don't compress packets already fragmented */ + if (iph->frag_off & __constant_htons(IP_MF | IP_OFFSET)) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "skipping compression of fragmented packet.\n"); + *flags |= IPCOMP_UNCOMPRESSABLE; + return skb; + } + + iphlen = iph->ihl << 2; + pyldsz = ntohs(iph->tot_len) - iphlen; + + /* Don't compress less than 90 bytes (rfc 2394) */ + if (pyldsz < 90) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "skipping compression of tiny 
packet, len=%d.\n", + pyldsz); + *flags |= IPCOMP_UNCOMPRESSABLE; + return skb; + } + + /* Adaptive decision */ + if (tdb->tdb_comp_adapt_skip) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "skipping compression: tdb_comp_adapt_skip=%d.\n", + tdb->tdb_comp_adapt_skip); + tdb->tdb_comp_adapt_skip--; + *flags |= IPCOMP_UNCOMPRESSABLE; + return skb; + } + + zs.zalloc = my_zcalloc; + zs.zfree = my_zfree; + zs.opaque = 0; + + /* We want to use deflateInit2 because we don't want the adler + header. */ + zresult = deflateInit2(&zs, Z_DEFAULT_COMPRESSION, Z_DEFLATED, -11, + DEF_MEM_LEVEL, Z_DEFAULT_STRATEGY); + if (zresult != Z_OK) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_error:skb_compress: " + "deflateInit2() returned error %d (%s), " + "skipping compression.\n", + zresult, + zs.msg ? zs.msg : zError(zresult)); + *flags |= IPCOMP_COMPRESSIONERROR; + return skb; + } + + + /* Max output size. Result should be max this size. + * Implementation specific tweak: + * If it's not at least 32 bytes and 6.25% smaller than + * the original packet, it's probably not worth wasting + * the receiver's CPU cycles decompressing it. + * Your mileage may vary. + */ + cpyldsz = pyldsz - sizeof(struct ipcomphdr) - (pyldsz <= 512 ? 
32 : pyldsz >> 4); + + buffer = kmalloc(cpyldsz, GFP_ATOMIC); + if (!buffer) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_error:skb_compress: " + "unable to kmalloc(%d, GFP_ATOMIC), " + "skipping compression.\n", + cpyldsz); + *flags |= IPCOMP_COMPRESSIONERROR; + deflateEnd(&zs); + return skb; + } + +#ifdef CONFIG_IPSEC_DEBUG + if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) { + __u8 *c; + int i; + + c = (__u8*)iph + iphlen; + for(i = 0; i < pyldsz; i++, c++) { + if(!(i % 16)) { + printk(KERN_INFO "skb_compress: before:"); + } + printk("%02x ", *c); + if(!((i + 1) % 16)) { + printk("\n"); + } + } + if(i % 16) { + printk("\n"); + } + } +#endif /* CONFIG_IPSEC_DEBUG */ + + zs.next_in = (char *) iph + iphlen; /* start of payload */ + zs.avail_in = pyldsz; + zs.next_out = buffer; /* start of compressed payload */ + zs.avail_out = cpyldsz; + + /* Finish compression in one step */ + zresult = deflate(&zs, Z_FINISH); + + /* Free all dynamically allocated buffers */ + deflateEnd(&zs); + if (zresult != Z_STREAM_END) { + *flags |= IPCOMP_UNCOMPRESSABLE; + kfree(buffer); + + /* Adjust adaptive counters */ + if (++(tdb->tdb_comp_adapt_tries) == IPCOMP_ADAPT_INITIAL_TRIES) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "first %d packets didn't compress, " + "skipping next %d\n", + IPCOMP_ADAPT_INITIAL_TRIES, + IPCOMP_ADAPT_INITIAL_SKIP); + tdb->tdb_comp_adapt_skip = IPCOMP_ADAPT_INITIAL_SKIP; + } + else if (tdb->tdb_comp_adapt_tries == IPCOMP_ADAPT_INITIAL_TRIES + IPCOMP_ADAPT_SUBSEQ_TRIES) { + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "next %d packets didn't compress, " + "skipping next %d\n", + IPCOMP_ADAPT_SUBSEQ_TRIES, + IPCOMP_ADAPT_SUBSEQ_SKIP); + tdb->tdb_comp_adapt_skip = IPCOMP_ADAPT_SUBSEQ_SKIP; + tdb->tdb_comp_adapt_tries = IPCOMP_ADAPT_INITIAL_TRIES; + } + + return skb; + } + + /* resulting compressed size */ + cpyldsz -= zs.avail_out; + + /* Insert IPCOMP header */ + ((struct ipcomphdr*) 
((char*) iph + iphlen))->ipcomp_nh = iph->protocol; + ((struct ipcomphdr*) ((char*) iph + iphlen))->ipcomp_flags = 0; + /* use the bottom 16 bits of the spi for the cpi. The top 16 bits are + for internal reference only. */ + ((struct ipcomphdr*) (((char*)iph) + iphlen))->ipcomp_cpi = htons((__u16)(ntohl(tdb->tdb_said.spi) & 0x0000ffff)); + KLIPS_PRINT(sysctl_ipsec_debug_ipcomp, + "klips_debug:skb_compress: " + "spi=%08x, spi&0xffff=%04x, cpi=%04x, payload size: raw=%d, comp=%d.\n", + ntohl(tdb->tdb_said.spi), + ntohl(tdb->tdb_said.spi) & 0x0000ffff, + ntohs(((struct ipcomphdr*)(((char*)iph)+iphlen))->ipcomp_cpi), + pyldsz, + cpyldsz); + + /* Update IP header */ + iph->protocol = IPPROTO_COMP; + iph->tot_len = htons(iphlen + sizeof(struct ipcomphdr) + cpyldsz); +#if 1 /* XXX checksum is done by ipsec_tunnel ? */ + iph->check = 0; + iph->check = ip_fast_csum((char *) iph, iph->ihl); +#endif + + /* Copy compressed payload */ + memcpy((char *) iph + iphlen + sizeof(struct ipcomphdr), + buffer, + cpyldsz); + kfree(buffer); + + /* Update skb length/tail by "unputting" the shrinkage */ + skb_put(skb, + cpyldsz + sizeof(struct ipcomphdr) - pyldsz); + +#ifdef CONFIG_IPSEC_DEBUG + if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) { + __u8 *c; + int i; + + c = (__u8*)iph + iphlen + sizeof(struct ipcomphdr); + for(i = 0; i < cpyldsz; i++,