Re: AES-GCM Part 3: isakmpd

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Mike Belopuhov

Date: Thursday, September 9, 2010 - 4:08 am

On Thu, Sep 09, 2010 at 12:30 +0200, Mike Belopuhov wrote:
quoted text> On Wed, Sep 08, 2010 at 19:29 +0200, Mike Belopuhov wrote:
> > changes:
> > 
> > made sure that we won't generate quick mode config strings
> > with gcm and other hashes (the very first hunk of the diff).
> > pointed out by naddy.
> > 
> 
> proper diff this time.  spotted by naddy.
> 

even better.  sorry for spam.

Index: conf.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/conf.c,v
retrieving revision 1.98
diff -u -p -r1.98 conf.c
--- conf.c	4 Aug 2010 18:09:45 -0000	1.98
+++ conf.c	9 Sep 2010 11:05:22 -0000
@@ -402,6 +402,11 @@ conf_load_defaults_qm(int tr, char *qme,
 	if (pfs == 0 && strcmp(dhg_p, ""))
 		return;
 
+	/* For GCM no additional authentication must be specified */
+	if (proto == 0 && strcmp(qmh, "NONE") != 0 &&
+	    (strcmp(qme, "AES_GCM_16") == 0 || strcmp(qme, "AES_GMAC") == 0))
+		return;
+
 	snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),
 	    MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p);
 
@@ -428,13 +433,19 @@ conf_load_defaults_qm(int tr, char *qme,
 	if (strcmp(qme ,"BLOWFISH") == 0)
 		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
 			 1);
-	else if (strcmp(qme_p ,"-AES-128") == 0)
+	else if (strcmp(qme_p, "-AES-128") == 0 ||
+	    strcmp(qme_p, "-AESGCM-128") == 0 ||
+	    strcmp(qme_p, "-AESGMAC-128") == 0)
 		conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
-	else if (strcmp(qme_p ,"-AES-192") == 0)
+	else if (strcmp(qme_p, "-AES-192") == 0 ||
+	    strcmp(qme_p, "-AESGCM-192") == 0 ||
+	    strcmp(qme_p, "-AESGMAC-192") == 0)
 		conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
-        else if (strcmp(qme_p ,"-AES-256") == 0)
-                conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
-	else if (strcmp(qme ,"AES") == 0)
+	else if (strcmp(qme_p, "-AES-256") == 0 ||
+	    strcmp(qme_p, "-AESGCM-256") == 0 ||
+	    strcmp(qme_p, "-AESGMAC-256") == 0)
+		conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
+	else if	(strcmp(qme, "AES") == 0)
 		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
 			 1);
 
@@ -472,9 +483,13 @@ conf_load_defaults(int tr)
 	char	*dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
 		    "-GRP15", 0};
 	char	*qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES",
-		    "AES", "AES", "AES", "AES_128_CTR", "NULL", "NONE", 0};
+		    "AES", "AES", "AES", "AES_128_CTR", "AES_GCM_16",
+		    "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC",
+		    "AES_GMAC", "NULL", "NONE", 0};
 	char	*qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES",
-		    "-AES-128", "-AES-192", "-AES-256", "-AESCTR", "-NULL",
+		    "-AES-128", "-AES-192", "-AES-256", "-AESCTR",
+		    "-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
+		    "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL",
 		    "", 0};
 	char	*qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
 		    "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
Index: ipsec.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/ipsec.c,v
retrieving revision 1.135
diff -u -p -r1.135 ipsec.c
--- ipsec.c	29 Jun 2010 19:50:16 -0000	1.135
+++ ipsec.c	9 Sep 2010 10:19:58 -0000
@@ -975,7 +975,7 @@ ipsec_validate_transform_id(u_int8_t pro
 		    transform_id > IPSEC_AH_RIPEMD ? -1 : 0;
 	case IPSEC_PROTO_IPSEC_ESP:
 		return transform_id < IPSEC_ESP_DES_IV64 ||
-		    (transform_id > IPSEC_ESP_AES_128_CTR &&
+		    (transform_id > IPSEC_ESP_AES_GMAC &&
 		    transform_id < IPSEC_ESP_AES_MARS) ||
 		    transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
 	case IPSEC_PROTO_IPCOMP:
@@ -1788,6 +1788,11 @@ ipsec_esp_enckeylength(struct proto *pro
 		return iproto->keylen / 8;
 	case IPSEC_ESP_AES_128_CTR:
 		return 20;
+	case IPSEC_ESP_AES_GCM_16:
+	case IPSEC_ESP_AES_GMAC:
+		if (!iproto->keylen)
+			return 20;
+		return iproto->keylen / 8 + 4;
 	case IPSEC_ESP_AES:
 		if (!iproto->keylen)
 			return 16;
Index: ipsec_num.cst
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/ipsec_num.cst,v
retrieving revision 1.16
diff -u -p -r1.16 ipsec_num.cst
--- ipsec_num.cst	14 Jun 2005 10:50:47 -0000	1.16
+++ ipsec_num.cst	9 Sep 2010 10:19:58 -0000
@@ -235,6 +235,8 @@ IPSEC_ESP
   NULL					11
   AES					12
   AES_128_CTR				13
+  AES_GCM_16				20
+  AES_GMAC				23
   AES_MARS				249
   AES_RC6				250
   AES_RIJNDAEL				251
Index: isakmpd.conf.5
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/isakmpd.conf.5,v
retrieving revision 1.126
diff -u -p -r1.126 isakmpd.conf.5
--- isakmpd.conf.5	7 Jun 2010 08:38:09 -0000	1.126
+++ isakmpd.conf.5	9 Sep 2010 10:19:58 -0000
@@ -141,7 +141,9 @@ where:
 .It Ns { Ns Ar proto Ns }
 is either ESP or AH
 .It Ns { Ns Ar cipher Ns }
-is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, or NULL
+is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR,
+AESGCM-128, AESGCM-192, AESGCM-256, AESGMAC-128, AESGMAC-192, AESGMAC-256
+or NULL
 .It Ns { Ns Ar hash Ns }
 is either MD5, SHA, RIPEMD, or SHA2-{256,384,512}
 .It Ns { Ns Ar group Ns }
Index: pf_key_v2.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/pf_key_v2.c,v
retrieving revision 1.185
diff -u -p -r1.185 pf_key_v2.c
--- pf_key_v2.c	28 Jan 2009 17:57:15 -0000	1.185
+++ pf_key_v2.c	9 Sep 2010 10:19:58 -0000
@@ -939,6 +939,14 @@ pf_key_v2_set_spi(struct sa *sa, struct 
 			ssa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
 			break;
 
+		case IPSEC_ESP_AES_GCM_16:
+			ssa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
+			break;
+
+		case IPSEC_ESP_AES_GMAC:
+			ssa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
+			break;
+
 		case IPSEC_ESP_CAST:
 			ssa.sadb_sa_encrypt = SADB_X_EALG_CAST;
 			break;
Index: policy.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/policy.c,v
retrieving revision 1.91
diff -u -p -r1.91 policy.c
--- policy.c	5 Aug 2007 09:43:09 -0000	1.91
+++ policy.c	9 Sep 2010 10:19:58 -0000
@@ -297,6 +297,8 @@ policy_callback(char *name)
 
 				case IPSEC_ESP_AES:
 				case IPSEC_ESP_AES_128_CTR:
+				case IPSEC_ESP_AES_GCM_16:
+				case IPSEC_ESP_AES_GMAC:
 					esp_enc_alg = "aes";
 					break;
 
Index: sa.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/sa.c,v
retrieving revision 1.113
diff -u -p -r1.113 sa.c
--- sa.c	2 Sep 2007 15:19:24 -0000	1.113
+++ sa.c	9 Sep 2010 10:19:58 -0000
@@ -519,6 +519,14 @@ report_proto(FILE *fd, struct proto *pro
 			fprintf(fd, "AES-128 (CTR)\n");
 			break;
 
+		case IPSEC_ESP_AES_GCM_16:
+			fprintf(fd, "AES (GCM)\n");
+			break;
+
+		case IPSEC_ESP_AES_GMAC:
+			fprintf(fd, "AES (GMAC)\n");
+			break;
+
 		case IPSEC_ESP_CAST:
 			fprintf(fd, "Cast-128\n");
 			break;

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

AES-GCM Part 3: isakmpd, Mike Belopuhov, (Mon Aug 30, 1:27 pm)

Re: AES-GCM Part 3: isakmpd, Christian Weisgerber, (Sun Sep 5, 9:49 am)

Re: AES-GCM Part 3: isakmpd, Mike Belopuhov, (Sun Sep 5, 10:28 am)

Re: AES-GCM Part 3: isakmpd, Mike Belopuhov, (Mon Sep 6, 7:50 am)

Re: AES-GCM Part 3: isakmpd, Mike Belopuhov, (Wed Sep 8, 10:29 am)

Re: AES-GCM Part 3: isakmpd, Mike Belopuhov, (Thu Sep 9, 3:30 am)

Re: AES-GCM Part 3: isakmpd, Mike Belopuhov, (Thu Sep 9, 4:08 am)


linux-kernel:
Russell King	Re: ARM defconfig files
Jesse Barnes	Re: PCI MSI breaks when booting with nosmp
James Morris	Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
Philip Langdale	[PATCH 2.6.19] mmc: Add support for SDHC cards (Take 4)
Oren Laadan	[PATCH v21 073/100] c/r: Add AF_UNIX support (v12)
git:
Felipe Contreras	Re: [kernel.org users] [RFD] On deprecating "git-foo" for builtins
Paolo Ciarrocchi	Re: [kernel.org users] [RFD] On deprecating "git-foo" for builtins
Johannes Schindelin	[PATCH] fetch: refuse to fetch into the current branch in a non-bare repository
Johannes Schindelin	Re: [PATCH] Fix install-doc-quick target
Peter Oberndorfer	Subject: [PATCH] fix stg edit command
linux-netdev:
Ursula Braun	[patch 2/8] [PATCH] af_iucv: sync sk shutdown flag if iucv path is quiesced
Andi Kleen	Re: RFC: Nagle latency tuning
David Miller	Re: [RFC 0/5] generic rx recycling
Gary Thomas	Re: Marvell 88E609x switch?
Chuck Lever	Re: [RFC] ipv6: Change %pI6 format to output compacted addresses?
git-commits-head:
Linux Kernel Mailing List	New device ID for sc92031 [1088:2031]
Linux Kernel Mailing List	e1000e: Expose MDI-X status via ethtool change
Linux Kernel Mailing List	arm/imx/gpio: GPIO_INT_{HIGH,LOW}_LEV are not necessarily constant
Linux Kernel Mailing List	powerpc/kexec: Add support for FSL-BookE
Linux Kernel Mailing List	trivial: fix comment typo in fs/compat.c
openbsd-misc:
Theo de Raadt	Re: RES: OpenBSD on IBM System X3550 7879
Bret S. Lambert	Re: any web management gui for pf ?
Rob Shepherd	x86 hardware for router system
Flickr Photo Map for iPad and iPhone	Thanks for the Great Launch of Flickr Photo Map for iPad + iPhone
Nick Holland	Re: Install OpenBSD from USB ?