Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys pre-compute and cache intermediate crypto key. suggesti...



details:   https://anonhg.NetBSD.org/src/rev/cad80512d982
branches:  trunk
changeset: 495143:cad80512d982
user:      itojun <itojun%NetBSD.org@localhost>
date:      Sun Jul 23 05:23:04 2000 +0000

description:
pre-compute and cache intermediate crypto key.  suggestion from sommerfeld,
sync with kame.

loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)

diffstat:

 sys/netinet6/ah.h         |   10 +-
 sys/netinet6/esp.h        |   18 +-
 sys/netinet6/esp_core.c   |  510 ++++++++++++++++++++-------------------------
 sys/netinet6/esp_input.c  |   49 +++-
 sys/netinet6/esp_output.c |   38 +++-
 sys/netkey/key.c          |   20 +-
 sys/netkey/keydb.h        |    6 +-
 7 files changed, 336 insertions(+), 315 deletions(-)

diffs (truncated from 1234 to 300 lines):

diff -r 8fd62fa3e1fb -r cad80512d982 sys/netinet6/ah.h
--- a/sys/netinet6/ah.h Sun Jul 23 05:00:01 2000 +0000
+++ b/sys/netinet6/ah.h Sun Jul 23 05:23:04 2000 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: ah.h,v 1.11 2000/07/18 14:56:42 itojun Exp $   */
-/*     $KAME: ah.h,v 1.11 2000/07/15 16:07:47 itojun Exp $     */
+/*     $NetBSD: ah.h,v 1.12 2000/07/23 05:23:04 itojun Exp $   */
+/*     $KAME: ah.h,v 1.12 2000/07/20 17:41:01 itojun Exp $     */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -41,8 +41,6 @@
 #include "opt_inet.h"
 #endif
 
-struct secasvar;
-
 struct ah {
        u_int8_t        ah_nxt;         /* Next Header */
        u_int8_t        ah_len;         /* Length of data, in 32bit */
@@ -60,6 +58,9 @@
        /* variable size, 32bit bound*/ /* Authentication data */
 };
 
+#ifdef _KERNEL
+struct secasvar;
+
 struct ah_algorithm_state {
        struct secasvar *sav;
        void* foo;      /*per algorithm data - maybe*/
@@ -78,7 +79,6 @@
 
 #define        AH_MAXSUMSIZE   16
 
-#ifdef _KERNEL
 extern const struct ah_algorithm *ah_algorithm_lookup __P((int));
 
 /* cksum routines */
diff -r 8fd62fa3e1fb -r cad80512d982 sys/netinet6/esp.h
--- a/sys/netinet6/esp.h        Sun Jul 23 05:00:01 2000 +0000
+++ b/sys/netinet6/esp.h        Sun Jul 23 05:23:04 2000 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: esp.h,v 1.9 2000/07/18 14:56:42 itojun Exp $   */
-/*     $KAME: esp.h,v 1.9 2000/07/15 16:07:48 itojun Exp $     */
+/*     $NetBSD: esp.h,v 1.10 2000/07/23 05:23:04 itojun Exp $  */
+/*     $KAME: esp.h,v 1.10 2000/07/20 17:41:01 itojun Exp $    */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -41,8 +41,6 @@
 #include "opt_inet.h"
 #endif
 
-struct secasvar;
-
 struct esp {
        u_int32_t       esp_spi;        /* ESP */
        /*variable size, 32bit bound*/  /* Initialization Vector */
@@ -71,26 +69,25 @@
        /*variable size, 32bit bound*/  /* Authentication data (new IPsec)*/
 };
 
-struct esp_algorithm_state {
-       struct secasvar *sav;
-       void* foo;      /*per algorithm data - maybe*/
-};
+#ifdef _KERNEL
+struct secasvar;
 
-/* XXX yet to be defined */
 struct esp_algorithm {
        size_t padbound;        /* pad boundary, in byte */
        int (*mature) __P((struct secasvar *));
        int keymin;     /* in bits */
        int keymax;     /* in bits */
+       size_t schedlen;
        const char *name;
        int (*ivlen) __P((struct secasvar *));
        int (*decrypt) __P((struct mbuf *, size_t,
                struct secasvar *, const struct esp_algorithm *, int));
        int (*encrypt) __P((struct mbuf *, size_t, size_t,
                struct secasvar *, const struct esp_algorithm *, int));
+       /* not supposed to be called directly */
+       int (*schedule) __P((const struct esp_algorithm *, struct secasvar *));
 };
 
-#ifdef _KERNEL
 extern const struct esp_algorithm *esp_algorithm_lookup __P((int));
 
 /* crypt routines */
@@ -105,6 +102,7 @@
 #endif /* INET6 */
 #endif /*_KERNEL*/
 
+extern int esp_schedule __P((const struct esp_algorithm *, struct secasvar *));
 extern int esp_auth __P((struct mbuf *, size_t, size_t,
        struct secasvar *, u_char *));
 
diff -r 8fd62fa3e1fb -r cad80512d982 sys/netinet6/esp_core.c
--- a/sys/netinet6/esp_core.c   Sun Jul 23 05:00:01 2000 +0000
+++ b/sys/netinet6/esp_core.c   Sun Jul 23 05:23:04 2000 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: esp_core.c,v 1.2 2000/07/18 14:56:42 itojun Exp $      */
-/*     $KAME: esp_core.c,v 1.18 2000/07/16 08:44:24 itojun Exp $       */
+/*     $NetBSD: esp_core.c,v 1.3 2000/07/23 05:23:04 itojun Exp $      */
+/*     $KAME: esp_core.c,v 1.20 2000/07/21 02:42:12 itojun Exp $       */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -69,6 +69,8 @@
 
 #include <net/net_osdep.h>
 
+static int esp_crypto_sanity __P((const struct esp_algorithm *,
+       struct secasvar *, int));
 static int esp_null_mature __P((struct secasvar *));
 static int esp_null_ivlen __P((struct secasvar *));
 static int esp_null_decrypt __P((struct mbuf *, size_t,
@@ -81,28 +83,38 @@
        struct secasvar *, const struct esp_algorithm *, int));
 static int esp_descbc_encrypt __P((struct mbuf *, size_t, size_t,
        struct secasvar *, const struct esp_algorithm *, int));
+static int esp_descbc_schedule __P((const struct esp_algorithm *,
+       struct secasvar *));
 static int esp_cbc_mature __P((struct secasvar *));
 static int esp_blowfish_cbc_decrypt __P((struct mbuf *, size_t,
        struct secasvar *, const struct esp_algorithm *, int));
 static int esp_blowfish_cbc_encrypt __P((struct mbuf *, size_t,
        size_t, struct secasvar *, const struct esp_algorithm *, int));
+static int esp_blowfish_cbc_schedule __P((const struct esp_algorithm *,
+       struct secasvar *));
 static int esp_blowfish_cbc_ivlen __P((struct secasvar *));
 static int esp_cast128cbc_ivlen __P((struct secasvar *));
 static int esp_cast128cbc_decrypt __P((struct mbuf *, size_t,
        struct secasvar *, const struct esp_algorithm *, int));
 static int esp_cast128cbc_encrypt __P((struct mbuf *, size_t, size_t,
        struct secasvar *, const struct esp_algorithm *, int));
+static int esp_cast128cbc_schedule __P((const struct esp_algorithm *,
+       struct secasvar *));
 static int esp_3descbc_ivlen __P((struct secasvar *));
 static int esp_3descbc_decrypt __P((struct mbuf *, size_t,
        struct secasvar *, const struct esp_algorithm *, int));
 static int esp_3descbc_encrypt __P((struct mbuf *, size_t, size_t,
        struct secasvar *, const struct esp_algorithm *, int));
+static int esp_3descbc_schedule __P((const struct esp_algorithm *,
+       struct secasvar *));
 #ifdef SADB_X_EALG_RC5CBC
 static int esp_rc5cbc_ivlen __P((struct secasvar *));
 static int esp_rc5cbc_decrypt __P((struct mbuf *, size_t,
        struct secasvar *, const struct esp_algorithm *, int));
 static int esp_rc5cbc_encrypt __P((struct mbuf *, size_t, size_t,
        struct secasvar *, const struct esp_algorithm *, int));
+static int esp_rc5cbc_schedule __P((const struct esp_algorithm *,
+       struct secasvar *));
 #endif
 static void esp_increment_iv __P((struct secasvar *));
 static caddr_t mbuf_find_offset __P((struct mbuf *, size_t, size_t));
@@ -112,26 +124,31 @@
        int idx;
 {
        static struct esp_algorithm esp_algorithms[] = {
-               { 8, esp_descbc_mature, 64, 64, "des-cbc",
+               { 8, esp_descbc_mature, 64, 64, sizeof(des_key_schedule),
+                       "des-cbc",
                        esp_descbc_ivlen, esp_descbc_decrypt,
-                       esp_descbc_encrypt, },
-               { 8, esp_cbc_mature, 192, 192, "3des-cbc",
+                       esp_descbc_encrypt, esp_descbc_schedule, },
+               { 8, esp_cbc_mature, 192, 192, sizeof(des_key_schedule) * 3,
+                       "3des-cbc",
                        esp_3descbc_ivlen, esp_3descbc_decrypt,
-                       esp_3descbc_encrypt, },
-               { 1, esp_null_mature, 0, 2048, "null",
-                       esp_null_ivlen, esp_null_decrypt, esp_null_encrypt, },
-               { 8, esp_cbc_mature, 40, 448, "blowfish-cbc",
+                       esp_3descbc_encrypt, esp_3descbc_schedule, },
+               { 1, esp_null_mature, 0, 2048, 0, "null",
+                       esp_null_ivlen, esp_null_decrypt,
+                       esp_null_encrypt, NULL, },
+               { 8, esp_cbc_mature, 40, 448, sizeof(BF_KEY), "blowfish-cbc",
                        esp_blowfish_cbc_ivlen, esp_blowfish_cbc_decrypt,
-                       esp_blowfish_cbc_encrypt, },
-               { 8, esp_cbc_mature, 40, 128, "cast128-cbc",
+                       esp_blowfish_cbc_encrypt, esp_blowfish_cbc_schedule, },
+               { 8, esp_cbc_mature, 40, 128, sizeof(u_int32_t) * 32,
+                       "cast128-cbc",
                        esp_cast128cbc_ivlen, esp_cast128cbc_decrypt,
-                       esp_cast128cbc_encrypt, },
+                       esp_cast128cbc_encrypt, esp_cast128cbc_schedule, },
 #ifdef SADB_X_EALG_RC5CBC
-               { 8, esp_cbc_mature, 40, 2040, "rc5-cbc",
+               { 8, esp_cbc_mature, 40, 2040, sizeof(RC5_WORD) * 34, "rc5-cbc",
                        esp_rc5cbc_ivlen, esp_rc5cbc_decrypt,
-                       esp_rc5cbc_encrypt, },
+                       esp_rc5cbc_encrypt, esp_rc5cbc_schedule, },
 #else
-               { 8, NULL, 40, 2040, "rc5-cbc dummy", NULL, NULL, NULL, },
+               { 8, NULL, 40, 2040, 0, "rc5-cbc dummy",
+                       NULL, NULL, NULL, NULL, },
 #endif
        };
 
@@ -155,6 +172,52 @@
        }
 }
 
+int
+esp_schedule(algo, sav)
+       const struct esp_algorithm *algo;
+       struct secasvar *sav;
+{
+
+       if (_KEYBITS(sav->key_enc) < algo->keymin ||
+           _KEYBITS(sav->key_enc) > algo->keymax) {
+               ipseclog((LOG_ERR,
+                   "esp_schedule %s: unsupported key length %d: "
+                   "needs %d to %d bits\n", algo->name, _KEYBITS(sav->key_enc),
+                   algo->keymin, algo->keymax));
+               return EINVAL;
+       }
+
+       if (!algo->schedule || algo->schedlen == 0)
+               return 0;
+       if (!sav->sched || sav->schedlen != algo->schedlen)
+               panic("invalid sav->schedlen in esp_schedule");
+       return (*algo->schedule)(algo, sav);
+}
+
+/*
+ * default sanity check for algo->{de,en}crypt
+ */
+static int
+esp_crypto_sanity(algo, sav, ivlen)
+       const struct esp_algorithm *algo;
+       struct secasvar *sav;
+       int ivlen;
+{
+
+       if (sav->ivlen != ivlen) {
+               ipseclog((LOG_ERR, "esp_decrypt %s: bad ivlen %d/%d\n",
+                   algo->name, ivlen, sav->ivlen));
+               return EINVAL;
+       }
+       if (!sav->sched || sav->schedlen != algo->schedlen) {
+               ipseclog((LOG_ERR,
+                   "esp_decrypt %s: no intermediate key\n", algo->name));
+               return EINVAL;
+       }
+
+       return 0;
+}
+
 /*
  * mbuf assumption: foo_encrypt() assumes that IV part is placed in a single
  * mbuf, not across multiple mbufs.
@@ -164,6 +227,7 @@
 esp_null_mature(sav)
        struct secasvar *sav;
 {
+
        /* anything is okay */
        return 0;
 }
@@ -172,6 +236,7 @@
 esp_null_ivlen(sav)
        struct secasvar *sav;
 {
+
        return 0;
 }
 
@@ -183,6 +248,7 @@
        const struct esp_algorithm *algo;
        int ivlen;
 {
+
        return 0; /* do nothing */
 }
 
@@ -195,6 +261,7 @@
        const struct esp_algorithm *algo;
        int ivlen;
 {
+
        return 0; /* do nothing */
 }
 
@@ -222,8 +289,8 @@
                return 1;
        }
 
-       if (_KEYBITS(sav->key_enc) < algo->keymin
-        || algo->keymax < _KEYBITS(sav->key_enc)) {
+       if (_KEYBITS(sav->key_enc) < algo->keymin ||
+           _KEYBITS(sav->key_enc) > algo->keymax) {
                ipseclog((LOG_ERR,
                    "esp_descbc_mature: invalid key length %d.\n",
                    _KEYBITS(sav->key_enc)));
@@ -244,13 +311,14 @@
 esp_descbc_ivlen(sav)



Home | Main Index | Thread Index | Old Index