On Sun, Sep 05, 2010 at 19:28 +0200, Mike Belopuhov wrote:
> On Sun, Sep 05, 2010 at 16:49 +0000, Christian Weisgerber wrote:
> > Mike Belopuhov <[email protected]> wrote:
> >
> > > note that it defaults to AESGCM-256 (i did it this way because
> > > linux picks largest key).
> >
> > I don't understand that rationale.
> >
> > A side effect of this is that you now get different key sizes if
> > you specify "aes-gcm" in a manual SA (128) or an IKE rule (256).
> >
>
> this is bad indeed. i propose the following: isakmpd always defaults
> to 256 if keylength is not specified. ipsecctl loses "aes-gcm" and
> "aes-gmac" specifications, so that you always have to specify key length.
>
> does that sound good?
ok, in fact isakmpd doesn't care what cipher it was told to use
in the quick mode by the ipsecctl and proceeds with whatever
client proposes, so there's no value in having these aliases.
i decided to remove them.
Index: conf.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/conf.c,v
retrieving revision 1.98
diff -u -p -r1.98 conf.c
--- conf.c 4 Aug 2010 18:09:45 -0000 1.98
+++ conf.c 6 Sep 2010 14:40:45 -0000
@@ -428,13 +428,19 @@ conf_load_defaults_qm(int tr, char *qme,
if (strcmp(qme ,"BLOWFISH") == 0)
conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
1);
- else if (strcmp(qme_p ,"-AES-128") == 0)
+ else if (strcmp(qme_p, "-AESGCM-128") == 0 ||
+ strcmp(qme_p, "-AESGMAC-128") == 0 ||
+ strcmp(qme_p, "-AES-128") == 0)
conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
- else if (strcmp(qme_p ,"-AES-192") == 0)
+ else if (strcmp(qme_p, "-AESGCM-192") == 0 ||
+ strcmp(qme_p, "-AESGMAC-192") == 0 ||
+ strcmp(qme_p, "-AES-192") == 0)
conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
- else if (strcmp(qme_p ,"-AES-256") == 0)
- conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
- else if (strcmp(qme ,"AES") == 0)
+ else if (strcmp(qme_p, "-AESGCM-256") == 0 ||
+ strcmp(qme_p, "-AESGMAC-256") == 0 ||
+ strcmp(qme_p, "-AES-256") == 0)
+ conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
+ else if (strcmp(qme, "AES") == 0)
conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
1);
@@ -472,9 +478,13 @@ conf_load_defaults(int tr)
char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
"-GRP15", 0};
char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES",
- "AES", "AES", "AES", "AES_128_CTR", "NULL", "NONE", 0};
+ "AES", "AES", "AES", "AES_128_CTR", "AES_GCM_16",
+ "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC",
+ "AES_GMAC", "NULL", "NONE", 0};
char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES",
- "-AES-128", "-AES-192", "-AES-256", "-AESCTR", "-NULL",
+ "-AES-128", "-AES-192", "-AES-256", "-AESCTR",
+ "-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
+ "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL",
"", 0};
char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
"HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
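Review bot: The new AES_GCM_16 and AES_GMAC entries in `qm_enc`/`qm_enc_p` sit in the same table as the CBC ciphers, so if the loop that follows (outside this hunk) pairs every cipher with every `qm_hash` entry, default suites combining GCM or GMAC with an HMAC will be generated. Both transforms already carry their own integrity check, so a separate HMAC is redundant and a peer may reject such a proposal; it is worth confirming that they are only paired with the `NONE` hash. The two arrays are also index-parallel, so a comment such as `/* qm_enc[i] and qm_enc_p[i] must stay in step */` would help the next addition.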
Index: ipsec.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/ipsec.c,v
retrieving revision 1.135
diff -u -p -r1.135 ipsec.c
--- ipsec.c 29 Jun 2010 19:50:16 -0000 1.135
+++ ipsec.c 30 Aug 2010 20:26:27 -0000
@@ -975,7 +975,7 @@ ipsec_validate_transform_id(u_int8_t pro
transform_id > IPSEC_AH_RIPEMD ? -1 : 0;
case IPSEC_PROTO_IPSEC_ESP:
return transform_id < IPSEC_ESP_DES_IV64 ||
- (transform_id > IPSEC_ESP_AES_128_CTR &&
+ (transform_id > IPSEC_ESP_AES_GMAC &&
transform_id < IPSEC_ESP_AES_MARS) ||
transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
case IPSEC_PROTO_IPCOMP:
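Review bot: Raising the upper bound from `IPSEC_ESP_AES_128_CTR` to `IPSEC_ESP_AES_GMAC` makes the ESP range check accept every transform id from 14 to 23, but the ipsec_num.cst change in this patch defines only 20 and 23, so ids 14–19, 21 and 22 now pass validation without a matching constant. What the later switch statements do with such an id is not visible here, so this may be harmless, but the validator should reject whatever the daemon cannot handle. Consider keeping the old bound and admitting the two new ids explicitly, e.g. `(transform_id > IPSEC_ESP_AES_128_CTR && transform_id != IPSEC_ESP_AES_GCM_16 && transform_id != IPSEC_ESP_AES_GMAC && transform_id < IPSEC_ESP_AES_MARS) ||`. The function starts and ends outside the hunk.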
@@ -1788,6 +1788,11 @@ ipsec_esp_enckeylength(struct proto *pro
return iproto->keylen / 8;
case IPSEC_ESP_AES_128_CTR:
return 20;
+ case IPSEC_ESP_AES_GCM_16:
+ case IPSEC_ESP_AES_GMAC:
+ if (!iproto->keylen)
+ return 20;
+ return iproto->keylen / 8 + 4;
case IPSEC_ESP_AES:
if (!iproto->keylen)
return 16;
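Review bot: The `20` and `+ 4` in the new GCM/GMAC case are unexplained; presumably the extra four bytes are the salt these transforms take from the keying material on top of the AES key, much like the existing `return 20` for `IPSEC_ESP_AES_128_CTR`, and a comment such as `/* AES key plus 4-byte salt */` would say so. The `!iproto->keylen` branch also silently assumes a 128-bit key when no key length was negotiated, which differs from the 256-bit default discussed in the thread. If a missing key length is not valid for these transforms, it would be safer to reject it where the attribute is parsed than to default it here. The function body continues outside the hunk.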
Index: ipsec_num.cst
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/ipsec_num.cst,v
retrieving revision 1.16
diff -u -p -r1.16 ipsec_num.cst
--- ipsec_num.cst 14 Jun 2005 10:50:47 -0000 1.16
+++ ipsec_num.cst 30 Aug 2010 18:15:03 -0000
@@ -235,6 +235,8 @@ IPSEC_ESP
NULL 11
AES 12
AES_128_CTR 13
+ AES_GCM_16 20
+ AES_GMAC 23
AES_MARS 249
AES_RC6 250
AES_RIJNDAEL 251
Index: isakmpd.conf.5
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/isakmpd.conf.5,v
retrieving revision 1.126
diff -u -p -r1.126 isakmpd.conf.5
--- isakmpd.conf.5 7 Jun 2010 08:38:09 -0000 1.126
+++ isakmpd.conf.5 6 Sep 2010 11:46:01 -0000
@@ -141,7 +141,9 @@ where:
.It Ns { Ns Ar proto Ns }
is either ESP or AH
.It Ns { Ns Ar cipher Ns }
-is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, or NULL
+is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR,
+AESGCM-128, AESGCM-192, AESGCM-256, AESGMAC-128, AESGMAC-192, AESGMAC-256
+or NULL
.It Ns { Ns Ar hash Ns }
is either MD5, SHA, RIPEMD, or SHA2-{256,384,512}
.It Ns { Ns Ar group Ns }
Index: pf_key_v2.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/pf_key_v2.c,v
retrieving revision 1.185
diff -u -p -r1.185 pf_key_v2.c
--- pf_key_v2.c 28 Jan 2009 17:57:15 -0000 1.185
+++ pf_key_v2.c 30 Aug 2010 18:15:16 -0000
@@ -939,6 +939,14 @@ pf_key_v2_set_spi(struct sa *sa, struct
ssa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
break;
+ case IPSEC_ESP_AES_GCM_16:
+ ssa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
+ break;
+
+ case IPSEC_ESP_AES_GMAC:
+ ssa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
+ break;
+
case IPSEC_ESP_CAST:
ssa.sadb_sa_encrypt = SADB_X_EALG_CAST;
break;
Index: policy.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/policy.c,v
retrieving revision 1.91
diff -u -p -r1.91 policy.c
--- policy.c 5 Aug 2007 09:43:09 -0000 1.91
+++ policy.c 23 Aug 2010 09:51:57 -0000
@@ -297,6 +297,8 @@ policy_callback(char *name)
case IPSEC_ESP_AES:
case IPSEC_ESP_AES_128_CTR:
+ case IPSEC_ESP_AES_GCM_16:
+ case IPSEC_ESP_AES_GMAC:
esp_enc_alg = "aes";
break;
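Review bot: Mapping `IPSEC_ESP_AES_GMAC` to `esp_enc_alg = "aes"` lets a policy that requires AES encryption be satisfied by a transform that only authenticates, since GMAC on its own provides integrity without confidentiality. A policy author who writes `esp_enc_alg == "aes"` would reasonably expect the payload to be encrypted. Give GMAC its own value (and probably GCM too, so policies can tell the modes apart), for example `case IPSEC_ESP_AES_GMAC: esp_enc_alg = "aes-gmac"; break;`, with the name chosen to fit the documented policy attributes. The switch starts and ends outside the hunk.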
Index: sa.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/sa.c,v
retrieving revision 1.113
diff -u -p -r1.113 sa.c
--- sa.c 2 Sep 2007 15:19:24 -0000 1.113
+++ sa.c 23 Aug 2010 09:51:35 -0000
@@ -519,6 +519,14 @@ report_proto(FILE *fd, struct proto *pro
fprintf(fd, "AES-128 (CTR)\n");
break;
+ case IPSEC_ESP_AES_GCM_16:
+ fprintf(fd, "AES (GCM)\n");
+ break;
+
+ case IPSEC_ESP_AES_GMAC:
+ fprintf(fd, "AES (GMAC)\n");
+ break;
+
case IPSEC_ESP_CAST:
fprintf(fd, "Cast-128\n");
break;