Frist one, I need to understand openswan how to communicate with kernel SA:
So I found it is through PF_KEYv2 socket family to interface key engine, see RFC2367
Then I found a open source sample from svn repository:
http://xbq-code-repository.googlecode.com/svn/trunk/unpcode
This is come from sample code that famous "UNIX netorking programming" v1, 3rd.
The only thing you need to modify is the header file path is from net/pfkeyv2.h to linux/pfkeyv2.h
I only compile lib and libfree subdirecotry within unpcodoe.
You can use the 「register」program to get cipher support list from kernel throught PF_KEYv2 protocol.
/tmp/rootfs # ./register -t esp------------------------------------------------------------------------------------------
Sending register message:
SADB Message Register, errno 0, satype IPsec ESP, seq 0, pid 17534
Reply returned:
SADB Message Register, errno 0, satype IPsec ESP, seq 0, pid 17534
Supported authentication algorithms:
Null ivlen 0 bits 0-0
HMAC-MD5 ivlen 0 bits 128-128
HMAC-SHA-1 ivlen 0 bits 160-160
Supported encryption algorithms:
Null ivlen 0 bits 0-0
DES-CBC ivlen 8 bits 64-64
3DES-CBC ivlen 8 bits 192-192
[Unknown encryption algorithm 12] ivlen 8 bits 128-256
Now, I still can not get blowfish, twofish, etc.. cipher support from PF_KEYv2, even I get list form /proc/crypto
/tmp/rootfs # cat /proc/crypto |grep driverSo the next step is to get understand the kernel layers of crypto, xfrm and af_keyv2.
driver : authenc(hmac(sha1-ubicom32),cbc-aes-ubicom32)
....
driver : michael_mic-generic
driver : ecb(arc4-generic)
driver : krng
driver : seed-generic
driver : arc4-generic
driver : cast6-generic
driver : cast5-generic
driver : tnepres-generic
driver : serpent-generic
driver : twofish-generic
driver : blowfish-generic
driver : sha1-generic
...
net/key/af_key.c: An implamentation of AF_KEYv2
The AF_KEYv2 type 'REGISTER' will call
static int pfkey_register(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
then it call
static struct sk_buff *compose_sadb_supported(struct sadb_msg *orig,
gfp_t allocation)
Of course, the main task of compose_sadb_supported is to compose auth and crypto supported list into skb.
The important subfounctions called by compose_sadb_supported are
- xfrm_count_auth_supported: to get the number of auth algs supported
- xfrm_count_enc_supported: to get the number of crypto algs supported
- if auth present, for each xfrm_aalg_get_byidx
- if crypto present, for each xfrm_ealg_get_byidx
It probes/init internal static lists of xfrm layer :aalg_list, ealg_list, calg_list,
by crypto_has_hash(), crypto_has_blkcipher(), crypto_has_comp().
and the crypto_has_xxx() defined on include/linux/crypto.h eg:
static inline int crypto_has_blkcipher(const char *alg_name, u32 type, u32 mask)
{
type &= ~CRYPTO_ALG_TYPE_MASK;
type |= CRYPTO_ALG_TYPE_BLKCIPHER;
mask |= CRYPTO_ALG_TYPE_MASK;
return crypto_has_alg(alg_name, type, mask);
}
crypto_has_blkcipher() inital cipher mask for block cipher then look for by crypto API. Now let us trace them
crypto/api.c,
int crypto_has_alg(const char *name, u32 type, u32 mask)
{
int ret = 0;
struct crypto_alg *alg = crypto_alg_mod_lookup(name, type, mask);
if (!IS_ERR(alg)) {
crypto_mod_put(alg);
ret = 1;
}
return ret;
}
struct crypto_alg *crypto_alg_mod_lookup(const char *name, u32 type, u32 mask)
{
struct crypto_alg *alg;
struct crypto_alg *larval;
int ok;
if (!(mask & CRYPTO_ALG_TESTED)) {
type |= CRYPTO_ALG_TESTED;
mask |= CRYPTO_ALG_TESTED;
}
larval = crypto_larval_lookup(name, type, mask);
if (IS_ERR(larval) || !crypto_is_larval(larval))
return larval;
ok = crypto_probing_notify(CRYPTO_MSG_ALG_REQUEST, larval);
if (ok == NOTIFY_STOP)
alg = crypto_larval_wait(larval);
else {
crypto_mod_put(larval);
alg = ERR_PTR(-ENOENT);
}
crypto_larval_kill(larval);
return alg;
}
struct crypto_alg *crypto_larval_lookup(const char *name, u32 type, u32 mask)
{
struct crypto_alg *alg;
if (!name)
return ERR_PTR(-ENOENT);
mask &= ~(CRYPTO_ALG_LARVAL | CRYPTO_ALG_DEAD);
type &= mask;
alg = try_then_request_module(crypto_alg_lookup(name, type, mask),
name);
if (alg)
return crypto_is_larval(alg) ? crypto_larval_wait(alg) : alg;
return crypto_larval_add(name, type, mask);
}
int crypto_probing_notify(unsigned long val, void *v)
{
int ok;
ok = blocking_notifier_call_chain(&crypto_chain, val, v);
if (ok == NOTIFY_DONE) {
request_module("cryptomgr");
ok = blocking_notifier_call_chain(&crypto_chain, val, v);
}
return ok;
}
crypto/internal.h
static inline int crypto_is_larval(struct crypto_alg *alg)
{
return alg->cra_flags & CRYPTO_ALG_LARVAL;
}
int xfrm_count_enc_supported(void)
{
int i, n;
for (i = 0, n = 0; i < ealg_entries(); i++)
if (ealg_list[i].available)
n++;
return n;
}
struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx)
{
if (idx >= ealg_entries())
return NULL;
return &ealg_list[idx];
}
EXPORT_SYMBOL_GPL(xfrm_ealg_get_byidx);
The static struct xfrm_algo_desc ealg_list and aalg_list are static array to
describe algs of auth,crypto, compress, eg:
net/xfrm/xfrm_algo.c
static struct xfrm_algo_desc ealg_list[] = {
{
.name = "ecb(cipher_null)",
.compat = "cipher_null",
.uinfo = {
.encr = {
.blockbits = 8,
.defkeybits = 0,
}
},
.desc = {
.sadb_alg_id = SADB_EALG_NULL,
.sadb_alg_ivlen = 0,
.sadb_alg_minbits = 0,
.sadb_alg_maxbits = 0
}
},
{
.name = "cbc(des)",
.compat = "des",
.uinfo = {
.encr = {
.blockbits = 64,
.defkeybits = 64,
}
},
.desc = {
.sadb_alg_id = SADB_EALG_DESCBC,
.sadb_alg_ivlen = 8,
.sadb_alg_minbits = 64,
.sadb_alg_maxbits = 64
}
},
{
.name = "cbc(des3_ede)",
.compat = "des3_ede", .....
...
--------------------------------------------------------------------------------
For now, I change trace toward from AF_KEYv2 to crpyto layer.
For example, in NULL cipher common support
crypto/crypto_null.c
crypto_register_alg(&cipher_null) called in module initial.
crypto/algapi.c:
__crypto_register_alg was called finially, it will add to list by below if anything ok.
o Check cipher is registered before for anything.
o alloc "struct crypto_larval *larval" by crypto_larval_alloc
o Call crypto_mod_get to requset module if need, and add a referance count,
then retuen to larval->adult.
larval->adult = crypto_mod_get(alg);
o Now anything is ready, add to list chain.
list_add(&alg->cra_list, &crypto_alg_list);
list_add(&larval->alg.cra_list, &crypto_alg_list);
crpyto/api.c
LIST_HEAD(crypto_alg_list);
EXPORT_SYMBOL_GPL(crypto_alg_list);
DECLARE_RWSEM(crypto_alg_sem);It is interest to know about
EXPORT_SYMBOL_GPL(crypto_alg_sem);
BLOCKING_NOTIFIER_HEAD(crypto_chain);
EXPORT_SYMBOL_GPL(crypto_chain);
static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
{
atomic_inc(&alg->cra_refcnt);
return alg;
}
struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
{
return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
}
crpyto/internal.h
struct crypto_larval {
struct crypto_alg alg;
struct crypto_alg *adult;
struct completion completion;
u32 mask;
};
__crypto_register_alg待續
沒有留言:
張貼留言