ipsecctl part.

Index: ike.c
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.67
diff -u -p -r1.67 ike.c
--- ike.c       4 Oct 2009 11:39:32 -0000       1.67
+++ ike.c       30 Aug 2010 17:54:19 -0000
@@ -161,6 +161,7 @@ static int
 ike_section_p2(struct ipsec_rule *r, FILE *fd)
 {
        char    *exchange_type, *sprefix;
+       int     needauth = 1;
 
        switch (r->p2ie) {
        case IKE_QM:
@@ -224,6 +225,38 @@ ike_section_p2(struct ipsec_rule *r, FIL
                        case ENCXF_AESCTR:
                                fprintf(fd, "AESCTR");
                                break;
+                       case ENCXF_AES_GCM:
+                               fprintf(fd, "AESGCM");
+                               needauth = 0;
+                               break;
+                       case ENCXF_AES_128_GCM:
+                               fprintf(fd, "AESGCM-128");
+                               needauth = 0;
+                               break;
+                       case ENCXF_AES_192_GCM:
+                               fprintf(fd, "AESGCM-192");
+                               needauth = 0;
+                               break;
+                       case ENCXF_AES_256_GCM:
+                               fprintf(fd, "AESGCM-256");
+                               needauth = 0;
+                               break;
+                       case ENCXF_AES_GMAC:
+                               fprintf(fd, "AESGMAC");
+                               needauth = 0;
+                               break;
+                       case ENCXF_AES_128_GMAC:
+                               fprintf(fd, "AESGMAC-128");
+                               needauth = 0;
+                               break;
+                       case ENCXF_AES_192_GMAC:
+                               fprintf(fd, "AESGMAC-192");
+                               needauth = 0;
+                               break;
+                       case ENCXF_AES_256_GMAC:
+                               fprintf(fd, "AESGMAC-256");
+                               needauth = 0;
+                               break;
                        case ENCXF_BLOWFISH:
                                fprintf(fd, "BLF");
                                break;
@@ -232,6 +265,7 @@ ike_section_p2(struct ipsec_rule *r, FIL
                                break;
                        case ENCXF_NULL:
                                fprintf(fd, "NULL");
+                               needauth = 0;
                                break;
                        default:
                                warnx("illegal transform %s",
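Review bot: Setting `needauth = 0` under `case ENCXF_NULL` means a phase 2 rule with `enc null` and no explicit auth no longer gets the SHA2-256 default, so the generated suite name carries neither an encryption nor an authentication component. The ipsec.conf.5 text in this same patch still says NULL with ESP "will only provide authentication", and the `null` row of encxfs[] in parse.y does not set `noauth`, so the IKE path and the manual-SA path now disagree. Unless unauthenticated ESP-NULL is intended, drop this added line so NULL keeps the default; if it is intended, say so in a comment next to the assignment. The switch continues outside the hunk.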
@@ -270,43 +304,44 @@ ike_section_p2(struct ipsec_rule *r, FIL
                        warnx("illegal transform %s", r->p2xfs->authxf->name);
                        return (-1);
                }
-       } else
-               fprintf(fd, "SHA2-256");
+               fprintf(fd, "-");
+       } else if (needauth)
+               fprintf(fd, "SHA2-256-");
 
        if (r->p2xfs && r->p2xfs->groupxf) {
                switch (r->p2xfs->groupxf->id) {
                case GROUPXF_NONE:
                        break;
                case GROUPXF_768:
-                       fprintf(fd, "-PFS-GRP1");
+                       fprintf(fd, "PFS-GRP1");
                        break;
                case GROUPXF_1024:
-                       fprintf(fd, "-PFS-GRP2");
+                       fprintf(fd, "PFS-GRP2");
                        break;
                case GROUPXF_1536:
-                       fprintf(fd, "-PFS-GRP5");
+                       fprintf(fd, "PFS-GRP5");
                        break;
                case GROUPXF_2048:
-                       fprintf(fd, "-PFS-GRP14");
+                       fprintf(fd, "PFS-GRP14");
                        break;
                case GROUPXF_3072:
-                       fprintf(fd, "-PFS-GRP15");
+                       fprintf(fd, "PFS-GRP15");
                        break;
                case GROUPXF_4096:
-                       fprintf(fd, "-PFS-GRP16");
+                       fprintf(fd, "PFS-GRP16");
                        break;
                case GROUPXF_6144:
-                       fprintf(fd, "-PFS-GRP17");
+                       fprintf(fd, "PFS-GRP17");
                        break;
                case GROUPXF_8192:
-                       fprintf(fd, "-PFS-GRP18");
+                       fprintf(fd, "PFS-GRP18");
                        break;
                default:
                        warnx("illegal group %s", r->p2xfs->groupxf->name);
                        return (-1);
                };
        } else
-               fprintf(fd, "-PFS");
+               fprintf(fd, "PFS");
        fprintf(fd, "-SUITE force\n");
 
        return (0);
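Review bot: `needauth` is consulted only in the `else if`, so a rule that names an auth transform together with one of the GCM/GMAC transforms still gets both written into the suite name. If a combined-mode transform is not meant to be paired with a separate auth algorithm, the first branch should reject that combination with a `warnx()` and `return (-1)` like the other illegal-transform paths. Because ENCXF_NULL also clears `needauth` and NULL with an explicit auth is a legitimate setup, that check needs its own flag rather than reusing `needauth`. ike_section_p2() starts outside the hunk.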
Index: ipsec.conf.5
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.126
diff -u -p -r1.126 ipsec.conf.5
--- ipsec.conf.5        7 Jun 2010 08:32:58 -0000       1.126
+++ ipsec.conf.5        30 Aug 2010 19:22:46 -0000
@@ -612,6 +612,14 @@ keyword:
 .It Li aes-192 Ta "192 bits"
 .It Li aes-256 Ta "256 bits"
 .It Li aesctr Ta "160 bits" Ta "[phase 2 only]"
+.It Li aes-gcm Ta "160 bits" Ta "[phase 2 only]"
+.It Li aes-128-gcm Ta "160 bits" Ta "[phase 2 only]"
+.It Li aes-192-gcm Ta "224 bits" Ta "[phase 2 only]"
+.It Li aes-256-gcm Ta "288 bits" Ta "[phase 2 only]"
+.It Li aes-gmac Ta "160 bits" Ta "[phase 2 only]"
+.It Li aes-128-gmac Ta "160 bits" Ta "[phase 2 only]"
+.It Li aes-192-gmac Ta "224 bits" Ta "[phase 2 only]"
+.It Li aes-256-gmac Ta "288 bits" Ta "[phase 2 only]"
 .It Li blowfish Ta "160 bits"
 .It Li cast Ta "128 bits"
 .It Li skipjack Ta "80 bits"
@@ -630,6 +638,9 @@ This is because the most significant bit
 The keysize of AES-CTR is actually 128-bit.
 However as well as the key, a 32-bit nonce has to be supplied.
 Thus 160 bits of key material have to be supplied.
+The same applies to GCM and GMAC.
+.Pp
+Please note that GMAC performs no encryption and provides no confidentiality.
 .Pp
 Using NULL with ESP will only provide authentication.
 This is useful in setups where AH can not be used, e.g. when NAT is involved.
Index: ipsecctl.h
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/ipsecctl.h,v
retrieving revision 1.59
diff -u -p -r1.59 ipsecctl.h
--- ipsecctl.h  4 Aug 2009 15:05:50 -0000       1.59
+++ ipsecctl.h  30 Aug 2010 17:34:29 -0000
@@ -63,8 +63,11 @@ enum {
 };
 enum {
        ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,
-       ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR, 
-       ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_NULL, ENCXF_SKIPJACK
+       ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR,
+       ENCXF_AES_GCM, ENCXF_AES_128_GCM, ENCXF_AES_192_GCM, ENCXF_AES_256_GCM,
+       ENCXF_AES_GMAC, ENCXF_AES_128_GMAC, ENCXF_AES_192_GMAC,
+       ENCXF_AES_256_GMAC, ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_NULL,
+       ENCXF_SKIPJACK
 };
 enum {
        COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
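Review bot: The new enumerators are inserted in the middle of the list, which renumbers ENCXF_BLOWFISH through ENCXF_SKIPJACK, and other parts of this patch index encxfs[] directly with these values (`&encxfs[ENCXF_AES]` in parse.y, `&encxfs[ENCXF_AES_192_GCM]` in pfkdump.c). The parse.y hunk adds its rows at the matching position, but nothing visible enforces that the two stay in step. A comment on the enum such as `/* order must match encxfs[] in parse.y */` would document the coupling for the next person who adds a transform.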
@@ -140,6 +143,7 @@ struct ipsec_xf {
        u_int16_t        id;
        size_t           keymin;
        size_t           keymax;
+       int              noauth;
 };
 
 struct ipsec_transforms {
Index: parse.y
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/parse.y,v
retrieving revision 1.147
diff -u -p -r1.147 parse.y
--- parse.y     10 May 2010 02:00:50 -0000      1.147
+++ parse.y     30 Aug 2010 17:35:40 -0000
@@ -107,6 +107,14 @@ const struct ipsec_xf encxfs[] = {
        { "aes-192",            ENCXF_AES_192,          24,     24 },
        { "aes-256",            ENCXF_AES_256,          32,     32 },
        { "aesctr",             ENCXF_AESCTR,           16+4,   32+4 },
+       { "aes-gcm",            ENCXF_AES_GCM,          16+4,   32+4, 1 },
+       { "aes-128-gcm",        ENCXF_AES_128_GCM,      16+4,   16+4, 1 },
+       { "aes-192-gcm",        ENCXF_AES_192_GCM,      24+4,   24+4, 1 },
+       { "aes-256-gcm",        ENCXF_AES_256_GCM,      32+4,   32+4, 1 },
+       { "aes-gmac",           ENCXF_AES_GMAC,         16+4,   32+4, 1 },
+       { "aes-128-gmac",       ENCXF_AES_128_GMAC,     16+4,   16+4, 1 },
+       { "aes-192-gmac",       ENCXF_AES_192_GMAC,     24+4,   24+4, 1 },
+       { "aes-256-gmac",       ENCXF_AES_256_GMAC,     32+4,   32+4 },
        { "blowfish",           ENCXF_BLOWFISH,         5,      56 },
        { "cast128",            ENCXF_CAST128,          5,      16 },
        { "null",               ENCXF_NULL,             0,      0 },
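Review bot: The `aes-256-gmac` row omits the trailing `1` that the other seven new rows carry, so its `noauth` member is zero-initialized. validate_sa() in the next hunk would then assign the HMAC-SHA2-256 default to an aes-256-gmac SA while every other GCM/GMAC variant gets none. The row should read `{ "aes-256-gmac", ENCXF_AES_256_GMAC, 32+4, 32+4, 1 },`. The encxfs[] initializer starts and ends outside the hunk.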
@@ -2208,7 +2216,7 @@ validate_sa(u_int32_t spi, u_int8_t saty
                        yyerror("esp does not provide compression");
                        return (0);
                }
-               if (!xfs->authxf)
+               if (!xfs->authxf && (xfs->encxf && !xfs->encxf->noauth))
                        xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256];
                if (!xfs->encxf)
                        xfs->encxf = &encxfs[ENCXF_AES];
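Review bot: With neither `enc` nor `auth` given, `xfs->encxf` is still NULL when the new condition is evaluated, so `xfs->encxf && ...` is false and the HMAC-SHA2-256 default is skipped. The next statement then defaults the cipher to AES, which leaves an ESP SA with encryption but no authentication unless code outside the hunk fills it in; before this change that case received both defaults. Assigning the `encxf` default first and then testing `if (!xfs->authxf && !xfs->encxf->noauth)` keeps the old behaviour for the unset case. validate_sa() continues outside the hunk.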
Index: pfkdump.c
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/pfkdump.c,v
retrieving revision 1.27
diff -u -p -r1.27 pfkdump.c
--- pfkdump.c   1 Jul 2010 02:11:35 -0000       1.27
+++ pfkdump.c   30 Aug 2010 17:38:56 -0000
@@ -153,6 +153,9 @@ struct idname auth_types[] = {
        { SADB_X_AALG_SHA2_256,         "hmac-sha2-256",        NULL },
        { SADB_X_AALG_SHA2_384,         "hmac-sha2-384",        NULL },
        { SADB_X_AALG_SHA2_512,         "hmac-sha2-512",        NULL },
+       { SADB_X_AALG_AES128GMAC,       "gmac-aes-128",         NULL },
+       { SADB_X_AALG_AES192GMAC,       "gmac-aes-192",         NULL },
+       { SADB_X_AALG_AES256GMAC,       "gmac-aes-256",         NULL },
        { SADB_X_AALG_MD5,              "md5",                  NULL },
        { SADB_X_AALG_SHA1,             "sha1",                 NULL },
        { 0,                            NULL,                   NULL }
@@ -171,6 +174,8 @@ struct idname enc_types[] = {
        { SADB_X_EALG_3IDEA,            "idea3",                NULL },
        { SADB_X_EALG_AES,              "aes",                  NULL },
        { SADB_X_EALG_AESCTR,           "aesctr",               NULL },
+       { SADB_X_EALG_AESGCM16,         "aes-gcm",              NULL },
+       { SADB_X_EALG_AESGMAC,          "aes-gmac",             NULL },
        { SADB_X_EALG_BLF,              "blowfish",             NULL },
        { SADB_X_EALG_CAST,             "cast128",              NULL },
        { SADB_X_EALG_DES_IV32,         "des-iv32",             NULL },
@@ -707,6 +712,32 @@ pfkey_print_sa(struct sadb_msg *msg, int
                                break;
                        case SADB_X_EALG_AESCTR:
                                xfs.encxf = &encxfs[ENCXF_AESCTR];
+                               break;
+                       case SADB_X_EALG_AESGCM16:
+                               switch (r.enckey->len) {
+                               case 28:
+                                       xfs.encxf = &encxfs[ENCXF_AES_192_GCM];
+                                       break;
+                               case 36:
+                                       xfs.encxf = &encxfs[ENCXF_AES_256_GCM];
+                                       break;
+                               default:
+                                       xfs.encxf = &encxfs[ENCXF_AES_128_GCM];
+                                       break;
+                               }
+                               break;
+                       case SADB_X_EALG_AESGMAC:
+                               switch (r.enckey->len) {
+                               case 28:
+                                       xfs.encxf = &encxfs[ENCXF_AES_192_GMAC];
+                                       break;
+                               case 36:
+                                       xfs.encxf = &encxfs[ENCXF_AES_256_GMAC];
+                                       break;
+                               default:
+                                       xfs.encxf = &encxfs[ENCXF_AES_128_GMAC];
+                                       break;
+                               }
                                break;
                        case SADB_X_EALG_BLF:
                                xfs.encxf = &encxfs[ENCXF_BLOWFISH];
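Review bot: Both new cases dereference `r.enckey` with no check visible in the hunk, whereas the neighbouring cases only assign from the algorithm id. If an SA message can arrive without an encryption key extension this is a NULL dereference, so guard it, e.g. `switch (r.enckey ? r.enckey->len : 0) {`. The `default:` arm also reports every unexpected length as the 128-bit variant, and the literals 28 and 36 mirror `24+4` and `32+4` in encxfs[] without saying so; a comment such as `/* key length includes the 4-byte nonce */` would make that explicit. pfkey_print_sa() starts and ends outside the hunk.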
Index: pfkey.c
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/pfkey.c,v
retrieving revision 1.49
diff -u -p -r1.49 pfkey.c
--- pfkey.c     22 Dec 2008 17:00:37 -0000      1.49
+++ pfkey.c     23 Aug 2010 10:03:44 -0000
@@ -493,6 +493,12 @@ pfkey_sa(int sd, u_int8_t satype, u_int8
                case ENCXF_AESCTR:
                        sa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
                        break;
+               case ENCXF_AES_GCM:
+                       sa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
+                       break;
+               case ENCXF_AES_GMAC:
+                       sa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
+                       break;
                case ENCXF_BLOWFISH:
                        sa.sadb_sa_encrypt = SADB_X_EALG_BLF;
                        break;
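Review bot: Only ENCXF_AES_GCM and ENCXF_AES_GMAC are mapped here, but parse.y also accepts the sized names (aes-128-gcm, aes-192-gmac and so on) and pfkdump.c maps kernel SAs back to those sized ids. Unless they are handled outside the hunk, an SA configured with a sized variant reaches this switch's default arm instead of SADB_X_EALG_AESGCM16 or SADB_X_EALG_AESGMAC. Adding `case ENCXF_AES_128_GCM:`, `case ENCXF_AES_192_GCM:` and `case ENCXF_AES_256_GCM:` above the GCM assignment, and the three GMAC equivalents above the GMAC one, would cover them. The switch in pfkey_sa() starts and ends outside the hunk.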
