Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/dist/ipsec-tools/src Added support for AES GCM 16 in ...
details: https://anonhg.NetBSD.org/src/rev/6e3e760d2c4c
branches: trunk
changeset: 782967:6e3e760d2c4c
user: vanhu <vanhu%NetBSD.org@localhost>
date: Thu Nov 29 15:31:24 2012 +0000
description:
Added support for AES GCM 16 in phase2 negociations. Code from Christophe Carre / NETASQ
diffstat:
crypto/dist/ipsec-tools/src/racoon/algorithm.c | 11 ++++++-
crypto/dist/ipsec-tools/src/racoon/algorithm.h | 3 +-
crypto/dist/ipsec-tools/src/racoon/cfparse.y | 31 +++++++++++++++++-
crypto/dist/ipsec-tools/src/racoon/cftoken.l | 3 +-
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c | 35 ++++++++++++++++++++-
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h | 5 ++-
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c | 3 +-
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h | 3 +-
crypto/dist/ipsec-tools/src/racoon/pfkey.c | 10 ++++-
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 | 4 +-
crypto/dist/ipsec-tools/src/racoon/strnames.c | 4 +-
crypto/dist/ipsec-tools/src/setkey/token.l | 12 ++++++-
12 files changed, 108 insertions(+), 16 deletions(-)
diffs (truncated from 329 to 300 lines):
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/algorithm.c
--- a/crypto/dist/ipsec-tools/src/racoon/algorithm.c Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/algorithm.c Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: algorithm.c,v 1.8 2006/10/06 12:02:27 manu Exp $ */
+/* $NetBSD: algorithm.c,v 1.9 2012/11/29 15:31:24 vanhu Exp $ */
/* Id: algorithm.c,v 1.15 2006/05/23 20:23:09 manubsd Exp */
@@ -165,6 +165,9 @@
{ "aes", algtype_aes, IPSECDOI_ESP_AES, 16,
NULL, NULL,
NULL, eay_aes_keylen, },
+{ "aes_gcm_16", algtype_aesgcm16, IPSECDOI_ESP_AESGCM16, 16,
+ NULL, NULL,
+ NULL, eay_aesgcm_keylen, },
{ "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16,
NULL, NULL,
NULL, eay_twofish_keylen, },
@@ -798,6 +801,7 @@
case algtype_rc5:
case algtype_cast128:
case algtype_aes:
+ case algtype_aesgcm16:
case algtype_twofish:
case algtype_camellia:
return 128;
@@ -834,6 +838,7 @@
case algtype_rc5:
case algtype_cast128:
case algtype_aes:
+ case algtype_aesgcm16:
case algtype_twofish:
case algtype_camellia:
if (len % 8 != 0) {
@@ -863,6 +868,10 @@
if (!(len == 128 || len == 192 || len == 256))
badrange++;
break;
+ case algtype_aesgcm16:
+ if (!(len == 128 || len == 192 || len == 256))
+ badrange++;
+ break;
case algtype_twofish:
if (len < 40 || 256 < len)
badrange++;
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/algorithm.h
--- a/crypto/dist/ipsec-tools/src/racoon/algorithm.h Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/algorithm.h Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: algorithm.h,v 1.5 2006/10/06 12:02:27 manu Exp $ */
+/* $NetBSD: algorithm.h,v 1.6 2012/11/29 15:31:24 vanhu Exp $ */
/* Id: algorithm.h,v 1.10 2005/04/09 16:25:23 manubsd Exp */
@@ -69,6 +69,7 @@
algtype_rc4,
algtype_null_enc,
algtype_aes,
+ algtype_aesgcm16,
algtype_twofish,
algtype_camellia,
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/cfparse.y
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.47 2012/01/01 16:14:11 tteras Exp $ */
+/* $NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $ */
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@@ -1722,6 +1722,7 @@
: ALGORITHMTYPE keylength
{
int defklen;
+ int encklen_tmp;
$$ = newsainfoalg();
if ($$ == NULL) {
@@ -1754,9 +1755,35 @@
else
$$->encklen = defklen;
+ /* Check keymat size instead of "human" key size
+ * because kernel store keymat size instead of "human key size".
+ * For example, the keymat size of aes_gcm_16 128 is 160 bits
+ * (128 bits + 4 bytes) instead of 128 bits.
+ *
+ * Currently, it is only useful for aes_gcm_16 (ipsec_enc).
+ */
+ if (cur_algclass == algclass_ipsec_enc)
+ {
+ encklen_tmp = alg_ipsec_encdef_keylen($$->alg, $$->encklen);
+ if (encklen_tmp < 0)
+ {
+ yyerror("Failed to convert keylen %d to keymat len for alg %d",
+ $$->encklen, $$->alg);
+ racoon_free($$);
+ $$ = NULL;
+ return -1;
+ }
+ }
+ else
+ {
+ /* XXX Convert key size to keymat size for other algorithm ?
+ */
+ encklen_tmp = $$->encklen;
+ }
+
/* check if it's supported algorithm by kernel */
if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
- && pk_checkalg(cur_algclass, $1, $$->encklen)) {
+ && pk_checkalg(cur_algclass, $1, encklen_tmp)) {
int a = algclass2doi(cur_algclass);
int b = algtype2doi(cur_algclass, $1);
if (a == IPSECDOI_ATTR_AUTH)
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/cftoken.l
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cftoken.l,v 1.26 2012/01/01 15:29:28 tteras Exp $ */
+/* $NetBSD: cftoken.l,v 1.27 2012/11/29 15:31:24 vanhu Exp $ */
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
@@ -453,6 +453,7 @@
null_enc { YYD; yylval.num = algtype_null_enc; return(ALGORITHMTYPE); }
null { YYD; yylval.num = algtype_null_enc; return(ALGORITHMTYPE); }
aes { YYD; yylval.num = algtype_aes; return(ALGORITHMTYPE); }
+aes_gcm_16 { YYD; yylval.num = algtype_aesgcm16; return(ALGORITHMTYPE); }
rijndael { YYD; yylval.num = algtype_aes; return(ALGORITHMTYPE); }
twofish { YYD; yylval.num = algtype_twofish; return(ALGORITHMTYPE); }
camellia { YYD; yylval.num = algtype_camellia; return(ALGORITHMTYPE); }
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto_openssl.c,v 1.21 2012/08/15 14:51:30 manu Exp $ */
+/* $NetBSD: crypto_openssl.c,v 1.22 2012/11/29 15:31:24 vanhu Exp $ */
/* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
@@ -1700,6 +1700,39 @@
return len;
}
+int
+eay_aesgcm_keylen(len)
+ int len;
+{
+ /* RFC 4106:
+ * The size of the KEYMAT for the AES-GCM-ESP MUST be four octets longer
+ * than is needed for the associated AES key. The keying material is
+ * used as follows:
+ *
+ * AES-GCM-ESP with a 128 bit key
+ * The KEYMAT requested for each AES-GCM key is 20 octets. The first
+ * 16 octets are the 128-bit AES key, and the remaining four octets
+ * are used as the salt value in the nonce.
+ *
+ * AES-GCM-ESP with a 192 bit key
+ * The KEYMAT requested for each AES-GCM key is 28 octets. The first
+ * 24 octets are the 192-bit AES key, and the remaining four octets
+ * are used as the salt value in the nonce.
+ *
+ * AES-GCM-ESP with a 256 bit key
+ * The KEYMAT requested for each AES GCM key is 36 octets. The first
+ * 32 octets are the 256-bit AES key, and the remaining four octets
+ * are used as the salt value in the nonce.
+ */
+ if (len == 0)
+ len = 128;
+
+ if (len != 128 && len != 192 && len != 256)
+ return -1;
+
+ return len + 32;
+}
+
#if defined(HAVE_OPENSSL_CAMELLIA_H)
/*
* CAMELLIA-CBC
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto_openssl.h,v 1.7 2009/08/17 11:59:10 vanhu Exp $ */
+/* $NetBSD: crypto_openssl.h,v 1.8 2012/11/29 15:31:25 vanhu Exp $ */
/* Id: crypto_openssl.h,v 1.11 2004/11/13 11:28:01 manubsd Exp */
@@ -124,6 +124,9 @@
extern int eay_aes_weakkey __P((vchar_t *));
extern int eay_aes_keylen __P((int));
+/* AES GCM 16*/
+extern int eay_aesgcm_keylen __P((int));
+
#if defined(HAVE_OPENSSL_CAMELLIA_H)
/* Camellia */
extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_doi.c,v 1.47 2012/01/01 15:29:28 tteras Exp $ */
+/* $NetBSD: ipsec_doi.c,v 1.48 2012/11/29 15:31:25 vanhu Exp $ */
/* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
@@ -1973,6 +1973,7 @@
case IPSECDOI_ESP_CAST:
case IPSECDOI_ESP_BLOWFISH:
case IPSECDOI_ESP_AES:
+ case IPSECDOI_ESP_AESGCM16:
case IPSECDOI_ESP_TWOFISH:
case IPSECDOI_ESP_CAMELLIA:
return 0;
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_doi.h,v 1.13 2012/01/01 15:29:28 tteras Exp $ */
+/* $NetBSD: ipsec_doi.h,v 1.14 2012/11/29 15:31:25 vanhu Exp $ */
/* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */
@@ -75,6 +75,7 @@
#define IPSECDOI_ESP_RC4 10
#define IPSECDOI_ESP_NULL 11
#define IPSECDOI_ESP_AES 12
+#define IPSECDOI_ESP_AESGCM16 20
#define IPSECDOI_ESP_CAMELLIA 22
#if 1
/* draft-ietf-ipsec-ciph-aes-cbc-00.txt */
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/pfkey.c
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.c Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.c Thu Nov 29 15:31:24 2012 +0000
@@ -1,6 +1,6 @@
-/* $NetBSD: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $ */
-
-/* $Id: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $ */
+/* $NetBSD: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $ */
+
+/* $Id: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -587,6 +587,10 @@
case IPSECDOI_ESP_AES:
return SADB_X_EALG_AESCBC;
#endif
+#ifdef SADB_X_EALG_AESGCM16
+ case IPSECDOI_ESP_AESGCM16:
+ return SADB_X_EALG_AESGCM16;
+#endif
#ifdef SADB_X_EALG_TWOFISHCBC
case IPSECDOI_ESP_TWOFISH:
return SADB_X_EALG_TWOFISHCBC;
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.64 2011/11/15 19:15:58 wiz Exp $
+.\" $NetBSD: racoon.conf.5,v 1.65 2012/11/29 15:31:25 vanhu Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@@ -1102,7 +1102,7 @@
.Ic des , 3des , des_iv64 , des_iv32 ,
.Ic rc5 , rc4 , idea , 3idea ,
.Ic cast128 , blowfish , null_enc ,
-.Ic twofish , rijndael , aes , camellia
+.Ic twofish , rijndael , aes , camellia , aes_gcm_16
.Pq used with ESP
.\"
.It Ic authentication_algorithm Ar algorithms ;
diff -r 8e0da3cd32bc -r 6e3e760d2c4c crypto/dist/ipsec-tools/src/racoon/strnames.c
--- a/crypto/dist/ipsec-tools/src/racoon/strnames.c Thu Nov 29 11:58:49 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/strnames.c Thu Nov 29 15:31:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: strnames.c,v 1.9 2008/07/14 05:40:13 tteras Exp $ */
+/* $NetBSD: strnames.c,v 1.10 2012/11/29 15:31:25 vanhu Exp $ */
/* $KAME: strnames.c,v 1.25 2003/11/13 10:53:26 itojun Exp $ */
@@ -471,6 +471,7 @@
{ IPSECDOI_ESP_RC4, "RC4", NULL },
{ IPSECDOI_ESP_NULL, "NULL", NULL },
{ IPSECDOI_ESP_AES, "AES", NULL },
+{ IPSECDOI_ESP_AESGCM16, "AES_GCM_16", NULL },
{ IPSECDOI_ESP_TWOFISH, "TWOFISH", NULL },
{ IPSECDOI_ESP_CAMELLIA, "CAMELLIA", NULL },
};
@@ -583,6 +584,7 @@
{ IPSECDOI_ATTR_AUTH_HMAC_SHA2_512, "hmac-sha512", NULL },
{ IPSECDOI_ATTR_AUTH_DES_MAC, "des-mac", NULL },
{ IPSECDOI_ATTR_AUTH_KPDK, "kpdk", NULL },
+{ IPSECDOI_ATTR_AUTH_NONE, "non_auth", NULL },
Home |
Main Index |
Thread Index |
Old Index