CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2010/09/22 08:04:09
Modified files:
sbin/ipsecctl : ike.c ipsec.conf.5 ipsecctl.h parse.y pfkdump.c
pfkey.c
Log message:
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
