没有合适的资源?快使用搜索试试~ 我知道了~
ipsec openswan 内核(klips)算法管理分析
1 下载量 21 浏览量
2023-04-11
20:42:01
上传
评论 1
收藏 299KB DOCX 举报
温馨提示
试读
114页
本文章从代码层面分析了 openswan 内核模块klips的算法管理。文章中重要数据结构和代码逻辑都标有中文注释,能够快速帮助不熟悉的人了解openswan 内核部分的算法管理架构
资源推荐
资源详情
资源评论
《Klips 算法管理解析》
目录
1 前言 ...............................................................................................................................1
2 相关数据结构类型.......................................................................................................1
2.1 算法基础结构类型 .................................................................................................1
2.1.1 ipsec_alg_supported ..........................................................................................1
2.1.2 ipsec_alg ............................................................................................................1
2.2 加解密算法结构类型 .............................................................................................2
2.2.1 ipsec_alg_enc.....................................................................................................2
2.3 认证算法结构类型 .................................................................................................2
2.3.1 ipsec_alg_auth ...................................................................................................2
3 算法管理初始化...........................................................................................................3
3.1 IPSEC_ALG_INIT().....................................................................................................3
3.2 IPSEC_ALG_HASH_INIT() ..........................................................................................4
4 算法注册过程 ...............................................................................................................5
4.1 注册接口 .................................................................................................................8
4.1.1 register_ipsec_alg()............................................................................................8
4.1.1.1 ipsec_alg_insert()........................................................................................................10
4.1.1.2 pfkey_list_insert_supported() .....................................................................................11
5 算法注销过程 .............................................................................................................12
5.1 注销接口 ...............................................................................................................12
5.1.1 unregister_ipsec_alg()......................................................................................13
5.1.1.1 ipsec_alg_delete() .......................................................................................................14
5.1.1.2 pfkey_list_remove_supported() ..................................................................................14
6 算法的使用 .................................................................................................................15
6.1 与 SA 的关系........................................................................................................15
6.1.1 pfkey_sa_process() ..........................................................................................21
6.1.2 ipsec_alg_enc_key_create().............................................................................23
6.1.3 ipsec_alg_auth_key_create() ...........................................................................26
6.1.3.1 ipsec_alg_get()............................................................................................................28
6.2 与解密过程的关系 ...............................................................................................29
6.2.1 ipsec_rcv() .......................................................................................................30
6.2.1.1 ipsec_rsm()..................................................................................................................32
6.2.1.1.1 ipsec_rcv_init().......................................................................................................36
6.2.1.1.2 ipsec_rcv_decap_init() ...........................................................................................42
6.2.1.1.3 ipsec_rcv_decap_lookup()......................................................................................44
6.2.1.1.3.1 ipsec_rcv_esp_checks()....................................................................................45
6.2.1.1.4 ipsec_rcv_auth_init()..............................................................................................46
6.2.1.1.5 ipsec_rcv_auth_decap()..........................................................................................50
6.2.1.1.5.1 ipsec_rcv_esp_decrypt_setup() ........................................................................55
6.2.1.1.6 ipsec_rcv_auth_calc() ............................................................................................56
6.2.1.1.6.1 ipsec_rcv_esp_authcalc() .................................................................................57
6.2.1.1.6.1.1 ipsec_alg_sa_esp_hash()............................................................................58
6.2.1.1.7 ipsec_rcv_auth_chk()..............................................................................................59
6.2.1.1.8 ipsec_rcv_decrypt() ................................................................................................61
6.2.1.1.8.1 ipsec_rcv_esp_decrypt() ..................................................................................62
6.2.1.1.8.1.1 ipsec_alg_esp_encrypt() ............................................................................63
6.2.1.1.9 ipsec_rcv_decap_cont()..........................................................................................64
6.2.1.1.10 ipsec_rcv_cleanup()..............................................................................................68
6.2.1.1.11 ipsec_rcv_complete() ............................................................................................71
6.3 与加密过程的关系 ...............................................................................................73
6.3.1 ipsec_tunnel_start_xmit() ................................................................................75
6.3.1.1 ipsec_xsm().................................................................................................................77
6.3.1.1.1 ipsec_xmit_init1() ...................................................................................................80
6.3.1.1.2 ipsec_xmit_init2() ...................................................................................................81
6.3.1.1.3 ipsec_xmit_encap_init()..........................................................................................83
6.3.1.1.4 ipsec_xmit_encap_select()......................................................................................86
6.3.1.1.5 ipsec_xmit_esp() .....................................................................................................87
6.3.1.1.5.1 ipsec_alg_esp_encrypt()...................................................................................89
6.3.1.1.6 ipsec_xmit_esp_ah() ...............................................................................................90
6.3.1.1.7 ipsec_xmit_cont()....................................................................................................93
6.3.1.1.8 ipsec_tunnel_xsm_complete().................................................................................94
6.3.1.1.8.1 ipsec_tunnel_send()..........................................................................................96
6.3.1.1.8.1.1 ipsec_xmit_send()......................................................................................96
6.3.1.1.8.1.1.1 ipsec_xmit_send2() .............................................................................98
6.3.1.1.8.1.1.1.1 dst_output()...................................................................................99
7 算法实现接口分析.....................................................................................................99
7.1 加解密 ...................................................................................................................99
7.1.1 _aes_set_key() ...............................................................................................100
7.1.1.1 AES_set_key() ..........................................................................................................100
7.1.1.1.1 aes_set_key() ........................................................................................................101
7.1.2 _aes_cbc_encrypt() ........................................................................................103
7.1.2.1 AES_cbc_encrypt()...................................................................................................104
7.1.2.1.1 aes_encrypt() ........................................................................................................105
7.1.2.1.2 aes_decrypt() ........................................................................................................107
7.2 认证 .....................................................................................................................108
7.2.1 _aes_mac_set_key().......................................................................................109
7.2.1.1 AES_xcbc_mac_set_key()........................................................................................109
7.2.2 _aes_mac_hash()............................................................................................110
7.2.2.1 AES_xcbc_mac_hash().............................................................................................111
1
openswan (Klips)算法管理解析
1 前言
Klips 是开源项目 libreswan 实现的 ipsec 协议栈,libreswan 项目的前身是 openswan,它
们都是基于 FreeS / WAN 发展而来的。其主要作用是:实现 IP 数据包的安全接受或发送的
进程,负责控制管理 SA 及密钥,同时处理数据包的加密和解密工作。klips 主要由以下模块
组成:通信接口 socket PF_KEY,负责注册和初始化模块,数据包处理和转发模块,数据包
的接收和处理模块,SA 的管理模块,SP 的管理模块,算法管理模块,PF_KEY2 协议实现
模块,其它一些相关子模块。
本文主要介绍 klips 中的算法管理部分,包括算法的使用和加解密部分的内容,本文内
容是基于 libreswan-3.29。
2 相关数据结构类型
2.1 算法基础结构类型
2.1.1 ipsec_alg_supported
pfkey_supported_list[]数据的每一个成员为此结构体。用于记录支持的算法。
struct ipsec_alg_supported {
uint16_t ias_exttype; //算法类型:加密或认证,IPSEC_ALG_TYPE_*
uint8_t ias_id; //算法 ID,比如 3des 为 3,aes 为 12。
uint8_t ias_ivlen; //IV 长度,单位是 bit,比如 SM4 的 IV 长度为 128bit
uint16_t ias_keyminbits; //密钥支持最小位数。
uint16_t ias_keymaxbits; //密钥支持最大位数。
const char *ias_name; //算法名称
};
2.1.2 ipsec_alg
struct ipsec_alg {
unsigned ixt_version; /* only allow this version (or 'near')*/
struct list_head ixt_list; /* 挂在 ipsec_alg_hash_tablel[]下*/
struct module *ixt_module; /* THIS_MODULE */
unsigned ixt_state; /* 算法状态 IPSEC_ALG_ST_* 三种 */
atomic_t ixt_refcnt; /* 被 sa 引用的次数 */
2
char ixt_name[16]; /* 算法名字,比如"3des" */
void *ixt_data; /* private for algo implementation */
uint8_t ixt_blocksize; /* CBC 模式分块大小,比如 3des 为 8;SM4 为 16
*/
struct ipsec_alg_supported ixt_support;
};
算法基础数据结构struct ipsec_alg,其信息也是放在哈希表list_head
ipsec_alg_hash_table中管理:
#define IPSEC_ALG_HASHSZ 16 /* must be power of 2, even 2^0=1 */
static struct list_head ipsec_alg_hash_table[IPSEC_ALG_HASHSZ];
2.2 加解密算法结构类型
2.2.1 ipsec_alg_enc
struct ipsec_alg_enc {
struct ipsec_alg ixt_common; /* 算法管理基础结构,必须为第一个成员*/
unsigned ixt_e_keylen; /* 原始密钥长度,单位为字节*/
unsigned ixt_e_ctx_size; /* sa_p->key_e_size */
//设置密钥函数指针,alg:算法描述结构体,key_e:存储加解密算法密钥地址,key:设
置对称加密秘钥地址,keysize:秘钥长度
int (*ixt_e_set_key)(struct ipsec_alg_enc *alg, __u8 *key_e,
const __u8 *key, size_t keysize);
__u8 *(*ixt_e_new_key)(struct ipsec_alg_enc *alg, const __u8 *key,
size_t keysize);
//销毁密钥函数指针
void (*ixt_e_destroy_key)(struct ipsec_alg_enc *alg, __u8 *key_e);
//加密函数指针针,alg:算法描述结构体,key_e:算法加解密密钥地址,in:待加密数据,
ilen:数据长度,iv:数据块迭代加解密密码块,encrypt:是加密还是解密
int (*ixt_e_cbc_encrypt)(struct ipsec_alg_enc *alg, __u8 *key_e,
__u8 *in, int ilen, __u8 *iv, int encrypt);
};
2.3 认证算法结构类型
2.3.1 ipsec_alg_auth
struct ipsec_alg_auth {
剩余113页未读,继续阅读
资源评论
一叶知秋yyds
- 粉丝: 679
- 资源: 41
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功