Re: AES-GCM Part 3: isakmpd

Thu, 09 Sep 2010 04:09:49 -0700 

On Thu, Sep 09, 2010 at 12:30 +0200, Mike Belopuhov wrote:
> On Wed, Sep 08, 2010 at 19:29 +0200, Mike Belopuhov wrote:
> > changes:
> > 
> > made sure that we won't generate quick mode config strings
> > with gcm and other hashes (the very first hunk of the diff).
> > pointed out by naddy.
> > 
> 
> proper diff this time.  spotted by naddy.
> 

even better.  sorry for spam.

Index: conf.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/conf.c,v
retrieving revision 1.98
diff -u -p -r1.98 conf.c
--- conf.c      4 Aug 2010 18:09:45 -0000       1.98
+++ conf.c      9 Sep 2010 11:05:22 -0000
@@ -402,6 +402,11 @@ conf_load_defaults_qm(int tr, char *qme,
        if (pfs == 0 && strcmp(dhg_p, ""))
                return;
 
+       /* For GCM no additional authentication must be specified */
+       if (proto == 0 && strcmp(qmh, "NONE") != 0 &&
+           (strcmp(qme, "AES_GCM_16") == 0 || strcmp(qme, "AES_GMAC") == 0))
+               return;
+
        snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),
            MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p);
 
@@ -428,13 +433,19 @@ conf_load_defaults_qm(int tr, char *qme,
        if (strcmp(qme ,"BLOWFISH") == 0)
                conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
                         1);
-       else if (strcmp(qme_p ,"-AES-128") == 0)
+       else if (strcmp(qme_p, "-AES-128") == 0 ||
+           strcmp(qme_p, "-AESGCM-128") == 0 ||
+           strcmp(qme_p, "-AESGMAC-128") == 0)
                conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
-       else if (strcmp(qme_p ,"-AES-192") == 0)
+       else if (strcmp(qme_p, "-AES-192") == 0 ||
+           strcmp(qme_p, "-AESGCM-192") == 0 ||
+           strcmp(qme_p, "-AESGMAC-192") == 0)
                conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
-        else if (strcmp(qme_p ,"-AES-256") == 0)
-                conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
-       else if (strcmp(qme ,"AES") == 0)
+       else if (strcmp(qme_p, "-AES-256") == 0 ||
+           strcmp(qme_p, "-AESGCM-256") == 0 ||
+           strcmp(qme_p, "-AESGMAC-256") == 0)
+               conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
+       else if (strcmp(qme, "AES") == 0)
                conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
                         1);
 
@@ -472,9 +483,13 @@ conf_load_defaults(int tr)
        char    *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
                    "-GRP15", 0};
        char    *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES",
-                   "AES", "AES", "AES", "AES_128_CTR", "NULL", "NONE", 0};
+                   "AES", "AES", "AES", "AES_128_CTR", "AES_GCM_16",
+                   "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC",
+                   "AES_GMAC", "NULL", "NONE", 0};
        char    *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES",
-                   "-AES-128", "-AES-192", "-AES-256", "-AESCTR", "-NULL",
+                   "-AES-128", "-AES-192", "-AES-256", "-AESCTR",
+                   "-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
+                   "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL",
                    "", 0};
        char    *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
                    "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
Index: ipsec.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/ipsec.c,v
retrieving revision 1.135
diff -u -p -r1.135 ipsec.c
--- ipsec.c     29 Jun 2010 19:50:16 -0000      1.135
+++ ipsec.c     9 Sep 2010 10:19:58 -0000
@@ -975,7 +975,7 @@ ipsec_validate_transform_id(u_int8_t pro
                    transform_id > IPSEC_AH_RIPEMD ? -1 : 0;
        case IPSEC_PROTO_IPSEC_ESP:
                return transform_id < IPSEC_ESP_DES_IV64 ||
-                   (transform_id > IPSEC_ESP_AES_128_CTR &&
+                   (transform_id > IPSEC_ESP_AES_GMAC &&
                    transform_id < IPSEC_ESP_AES_MARS) ||
                    transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
        case IPSEC_PROTO_IPCOMP:
@@ -1788,6 +1788,11 @@ ipsec_esp_enckeylength(struct proto *pro
                return iproto->keylen / 8;
        case IPSEC_ESP_AES_128_CTR:
                return 20;
+       case IPSEC_ESP_AES_GCM_16:
+       case IPSEC_ESP_AES_GMAC:
+               if (!iproto->keylen)
+                       return 20;
+               return iproto->keylen / 8 + 4;
        case IPSEC_ESP_AES:
                if (!iproto->keylen)
                        return 16;
Index: ipsec_num.cst
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/ipsec_num.cst,v
retrieving revision 1.16
diff -u -p -r1.16 ipsec_num.cst
--- ipsec_num.cst       14 Jun 2005 10:50:47 -0000      1.16
+++ ipsec_num.cst       9 Sep 2010 10:19:58 -0000
@@ -235,6 +235,8 @@ IPSEC_ESP
   NULL                                 11
   AES                                  12
   AES_128_CTR                          13
+  AES_GCM_16                           20
+  AES_GMAC                             23
   AES_MARS                             249
   AES_RC6                              250
   AES_RIJNDAEL                         251
Index: isakmpd.conf.5
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/isakmpd.conf.5,v
retrieving revision 1.126
diff -u -p -r1.126 isakmpd.conf.5
--- isakmpd.conf.5      7 Jun 2010 08:38:09 -0000       1.126
+++ isakmpd.conf.5      9 Sep 2010 10:19:58 -0000
@@ -141,7 +141,9 @@ where:
 .It Ns { Ns Ar proto Ns }
 is either ESP or AH
 .It Ns { Ns Ar cipher Ns }
-is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, or NULL
+is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR,
+AESGCM-128, AESGCM-192, AESGCM-256, AESGMAC-128, AESGMAC-192, AESGMAC-256
+or NULL
 .It Ns { Ns Ar hash Ns }
 is either MD5, SHA, RIPEMD, or SHA2-{256,384,512}
 .It Ns { Ns Ar group Ns }
Index: pf_key_v2.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/pf_key_v2.c,v
retrieving revision 1.185
diff -u -p -r1.185 pf_key_v2.c
--- pf_key_v2.c 28 Jan 2009 17:57:15 -0000      1.185
+++ pf_key_v2.c 9 Sep 2010 10:19:58 -0000
@@ -939,6 +939,14 @@ pf_key_v2_set_spi(struct sa *sa, struct 
                        ssa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
                        break;
 
+               case IPSEC_ESP_AES_GCM_16:
+                       ssa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
+                       break;
+
+               case IPSEC_ESP_AES_GMAC:
+                       ssa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
+                       break;
+
                case IPSEC_ESP_CAST:
                        ssa.sadb_sa_encrypt = SADB_X_EALG_CAST;
                        break;
Index: policy.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/policy.c,v
retrieving revision 1.91
diff -u -p -r1.91 policy.c
--- policy.c    5 Aug 2007 09:43:09 -0000       1.91
+++ policy.c    9 Sep 2010 10:19:58 -0000
@@ -297,6 +297,8 @@ policy_callback(char *name)
 
                                case IPSEC_ESP_AES:
                                case IPSEC_ESP_AES_128_CTR:
+                               case IPSEC_ESP_AES_GCM_16:
+                               case IPSEC_ESP_AES_GMAC:
                                        esp_enc_alg = "aes";
                                        break;
 
Index: sa.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/sa.c,v
retrieving revision 1.113
diff -u -p -r1.113 sa.c
--- sa.c        2 Sep 2007 15:19:24 -0000       1.113
+++ sa.c        9 Sep 2010 10:19:58 -0000
@@ -519,6 +519,14 @@ report_proto(FILE *fd, struct proto *pro
                        fprintf(fd, "AES-128 (CTR)\n");
                        break;
 
+               case IPSEC_ESP_AES_GCM_16:
+                       fprintf(fd, "AES (GCM)\n");
+                       break;
+
+               case IPSEC_ESP_AES_GMAC:
+                       fprintf(fd, "AES (GMAC)\n");
+                       break;
+
                case IPSEC_ESP_CAST:
                        fprintf(fd, "Cast-128\n");
                        break;

Reply via email to