CVS commit: src/crypto/dist/ipsec-tools/src

VANHULLEBUS Yvan Thu, 29 Nov 2012 07:30:51 -0800

Module Name:    src
Committed By:   vanhu
Date:           Thu Nov 29 15:31:25 UTC 2012


Modified Files:
        src/crypto/dist/ipsec-tools/src/racoon: algorithm.c algorithm.h
            cfparse.y cftoken.l crypto_openssl.c crypto_openssl.h ipsec_doi.c
            ipsec_doi.h pfkey.c racoon.conf.5 strnames.c
        src/crypto/dist/ipsec-tools/src/setkey: token.l

Log Message:
Added support for AES GCM 16 in phase2 negociations. Code from Christophe Carre 
/ NETASQ


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/ipsec-tools/src/racoon/algorithm.c
cvs rdiff -u -r1.5 -r1.6 src/crypto/dist/ipsec-tools/src/racoon/algorithm.h
cvs rdiff -u -r1.47 -r1.48 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y \
    src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
cvs rdiff -u -r1.26 -r1.27 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.21 -r1.22 \
    src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
cvs rdiff -u -r1.7 -r1.8 \
    src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
cvs rdiff -u -r1.13 -r1.14 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
cvs rdiff -u -r1.58 -r1.59 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
cvs rdiff -u -r1.64 -r1.65 \
    src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/ipsec-tools/src/racoon/strnames.c
cvs rdiff -u -r1.17 -r1.18 src/crypto/dist/ipsec-tools/src/setkey/token.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/algorithm.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.8 src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.9
--- src/crypto/dist/ipsec-tools/src/racoon/algorithm.c:1.8	Fri Oct  6 12:02:27 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/algorithm.c	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: algorithm.c,v 1.8 2006/10/06 12:02:27 manu Exp $	*/
+/*	$NetBSD: algorithm.c,v 1.9 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: algorithm.c,v 1.15 2006/05/23 20:23:09 manubsd Exp */
 
@@ -165,6 +165,9 @@ static struct enc_algorithm ipsec_encdef
 { "aes",	algtype_aes,		IPSECDOI_ESP_AES,		16,
 		NULL,			NULL,
 		NULL,			eay_aes_keylen, },
+{ "aes_gcm_16",	algtype_aesgcm16,		IPSECDOI_ESP_AESGCM16,		16,
+		NULL,			NULL,
+		NULL,			eay_aesgcm_keylen, },
 { "twofish",	algtype_twofish,	IPSECDOI_ESP_TWOFISH,		16,
 		NULL,			NULL,
 		NULL,			eay_twofish_keylen, },
@@ -798,6 +801,7 @@ default_keylen(class, type)
 	case algtype_rc5:
 	case algtype_cast128:
 	case algtype_aes:
+	case algtype_aesgcm16:
 	case algtype_twofish:
 	case algtype_camellia:
 		return 128;
@@ -834,6 +838,7 @@ check_keylen(class, type, len)
 	case algtype_rc5:
 	case algtype_cast128:
 	case algtype_aes:
+	case algtype_aesgcm16:
 	case algtype_twofish:
 	case algtype_camellia:
 		if (len % 8 != 0) {
@@ -863,6 +868,10 @@ check_keylen(class, type, len)
 		if (!(len == 128 || len == 192 || len == 256))
 			badrange++;
 		break;
+	case algtype_aesgcm16:
+		if (!(len == 128 || len == 192 || len == 256))
+			badrange++;
+		break;
 	case algtype_twofish:
 		if (len < 40 || 256 < len)
 			badrange++;

Index: src/crypto/dist/ipsec-tools/src/racoon/algorithm.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.5 src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.6
--- src/crypto/dist/ipsec-tools/src/racoon/algorithm.h:1.5	Fri Oct  6 12:02:27 2006
+++ src/crypto/dist/ipsec-tools/src/racoon/algorithm.h	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: algorithm.h,v 1.5 2006/10/06 12:02:27 manu Exp $	*/
+/*	$NetBSD: algorithm.h,v 1.6 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: algorithm.h,v 1.10 2005/04/09 16:25:23 manubsd Exp */
 
@@ -69,6 +69,7 @@ enum algtype {
 	algtype_rc4,
 	algtype_null_enc,
 	algtype_aes,
+	algtype_aesgcm16,
 	algtype_twofish,
 	algtype_camellia,
 

Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.48
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.47	Sun Jan  1 16:14:11 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.47 2012/01/01 16:14:11 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1722,6 +1722,7 @@ algorithm
 	:	ALGORITHMTYPE keylength
 		{
 			int defklen;
+			int encklen_tmp;
 
 			$$ = newsainfoalg();
 			if ($$ == NULL) {
@@ -1754,9 +1755,35 @@ algorithm
 			else
 				$$->encklen = defklen;
 
+			/* Check keymat size instead of "human" key size
+			 * because kernel store keymat size instead of "human key size".
+			 * For example, the keymat size of aes_gcm_16 128 is 160 bits
+			 * (128 bits + 4 bytes) instead of 128 bits.
+			 *
+			 * Currently, it is only useful for aes_gcm_16 (ipsec_enc).
+			 */
+			if (cur_algclass == algclass_ipsec_enc)
+			{
+				encklen_tmp = alg_ipsec_encdef_keylen($$->alg, $$->encklen);
+				if (encklen_tmp < 0)
+				{
+					yyerror("Failed to convert keylen %d to keymat len for alg %d",
+						$$->encklen, $$->alg);
+					racoon_free($$);
+					$$ = NULL;
+					return -1;
+				}
+			}
+			else
+			{
+				/* XXX Convert key size to keymat size for other algorithm ?
+				 */
+				encklen_tmp = $$->encklen;
+			}
+
 			/* check if it's supported algorithm by kernel */
 			if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
-			 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
+			 && pk_checkalg(cur_algclass, $1, encklen_tmp)) {
 				int a = algclass2doi(cur_algclass);
 				int b = algtype2doi(cur_algclass, $1);
 				if (a == IPSECDOI_ATTR_AUTH)
Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.47 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.48
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c:1.47	Sun Jan  1 15:29:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c	Thu Nov 29 15:31:25 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.47 2012/01/01 15:29:28 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.48 2012/11/29 15:31:25 vanhu Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -1973,6 +1973,7 @@ check_trns_esp(t_id)
 	case IPSECDOI_ESP_CAST:
 	case IPSECDOI_ESP_BLOWFISH:
 	case IPSECDOI_ESP_AES:
+	case IPSECDOI_ESP_AESGCM16:
 	case IPSECDOI_ESP_TWOFISH:
 	case IPSECDOI_ESP_CAMELLIA:
 		return 0;

Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.26 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.26	Sun Jan  1 15:29:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.26 2012/01/01 15:29:28 tteras Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.27 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -453,6 +453,7 @@ rc4 		{ YYD; yylval.num = algtype_rc4;	r
 null_enc	{ YYD; yylval.num = algtype_null_enc;	return(ALGORITHMTYPE); }
 null		{ YYD; yylval.num = algtype_null_enc;	return(ALGORITHMTYPE); }
 aes		{ YYD; yylval.num = algtype_aes;	return(ALGORITHMTYPE); }
+aes_gcm_16		{ YYD; yylval.num = algtype_aesgcm16;	return(ALGORITHMTYPE); }
 rijndael	{ YYD; yylval.num = algtype_aes;	return(ALGORITHMTYPE); }
 twofish		{ YYD; yylval.num = algtype_twofish;	return(ALGORITHMTYPE); }
 camellia	{ YYD; yylval.num = algtype_camellia;	return(ALGORITHMTYPE); }

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.21 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.22
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c:1.21	Wed Aug 15 14:51:30 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c	Thu Nov 29 15:31:24 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.c,v 1.21 2012/08/15 14:51:30 manu Exp $	*/
+/*	$NetBSD: crypto_openssl.c,v 1.22 2012/11/29 15:31:24 vanhu Exp $	*/
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -1700,6 +1700,39 @@ eay_aes_keylen(len)
 	return len;
 }
 
+int
+eay_aesgcm_keylen(len)
+	int len;
+{
+	/* RFC 4106:
+	 * The size of the KEYMAT for the AES-GCM-ESP MUST be four octets longer
+	 * than is needed for the associated AES key.  The keying material is
+	 * used as follows:
+	 *
+	 * AES-GCM-ESP with a 128 bit key
+	 * The KEYMAT requested for each AES-GCM key is 20 octets.  The first
+	 * 16 octets are the 128-bit AES key, and the remaining four octets
+	 * are used as the salt value in the nonce.
+	 *
+	 * AES-GCM-ESP with a 192 bit key
+	 * The KEYMAT requested for each AES-GCM key is 28 octets.  The first
+	 * 24 octets are the 192-bit AES key, and the remaining four octets
+	 * are used as the salt value in the nonce.
+	 *
+	 * AES-GCM-ESP with a 256 bit key
+	 * The KEYMAT requested for each AES GCM key is 36 octets.  The first
+	 * 32 octets are the 256-bit AES key, and the remaining four octets
+	 * are used as the salt value in the nonce.
+	 */
+	if (len == 0)
+		len = 128;
+
+	if (len != 128 && len != 192 && len != 256)
+		return -1;
+
+	return len + 32;
+}
+
 #if defined(HAVE_OPENSSL_CAMELLIA_H)
 /*
  * CAMELLIA-CBC

Index: src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.7 src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h:1.7	Mon Aug 17 11:59:10 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h	Thu Nov 29 15:31:25 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto_openssl.h,v 1.7 2009/08/17 11:59:10 vanhu Exp $	*/
+/*	$NetBSD: crypto_openssl.h,v 1.8 2012/11/29 15:31:25 vanhu Exp $	*/
 
 /* Id: crypto_openssl.h,v 1.11 2004/11/13 11:28:01 manubsd Exp */
 
@@ -124,6 +124,9 @@ extern vchar_t *eay_aes_decrypt __P((vch
 extern int eay_aes_weakkey __P((vchar_t *));
 extern int eay_aes_keylen __P((int));
 
+/* AES GCM 16*/
+extern int eay_aesgcm_keylen __P((int));
+
 #if defined(HAVE_OPENSSL_CAMELLIA_H)
 /* Camellia */
 extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *));

Index: src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h:1.13 src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h:1.14
--- src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h:1.13	Sun Jan  1 15:29:28 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.h	Thu Nov 29 15:31:25 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.h,v 1.13 2012/01/01 15:29:28 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.h,v 1.14 2012/11/29 15:31:25 vanhu Exp $	*/
 
 /* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */
 
@@ -75,6 +75,7 @@
 #define   IPSECDOI_ESP_RC4				10
 #define   IPSECDOI_ESP_NULL				11
 #define   IPSECDOI_ESP_AES				12
+#define   IPSECDOI_ESP_AESGCM16				20
 #define   IPSECDOI_ESP_CAMELLIA				22
 #if 1
   /* draft-ietf-ipsec-ciph-aes-cbc-00.txt */

Index: src/crypto/dist/ipsec-tools/src/racoon/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.58 src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.59
--- src/crypto/dist/ipsec-tools/src/racoon/pfkey.c:1.58	Sun Jan  1 15:57:31 2012
+++ src/crypto/dist/ipsec-tools/src/racoon/pfkey.c	Thu Nov 29 15:31:25 2012
@@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $	*/
 
-/* $Id: pfkey.c,v 1.58 2012/01/01 15:57:31 tteras Exp $ */
+/* $Id: pfkey.c,v 1.59 2012/11/29 15:31:25 vanhu Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -587,6 +587,10 @@ ipsecdoi2pfkey_ealg(t_id)
 	case IPSECDOI_ESP_AES:
 		return SADB_X_EALG_AESCBC;
 #endif
+#ifdef SADB_X_EALG_AESGCM16
+	case IPSECDOI_ESP_AESGCM16:
+		return SADB_X_EALG_AESGCM16;
+#endif
 #ifdef SADB_X_EALG_TWOFISHCBC
 	case IPSECDOI_ESP_TWOFISH:
 		return SADB_X_EALG_TWOFISHCBC;

Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.64 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.65
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.64	Tue Nov 15 19:15:58 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Thu Nov 29 15:31:25 2012
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.64 2011/11/15 19:15:58 wiz Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.65 2012/11/29 15:31:25 vanhu Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -1102,7 +1102,7 @@ Note that the kernel may not support the
 .Ic des , 3des , des_iv64 , des_iv32 ,
 .Ic rc5 , rc4 , idea , 3idea ,
 .Ic cast128 , blowfish , null_enc ,
-.Ic twofish , rijndael , aes , camellia
+.Ic twofish , rijndael , aes , camellia , aes_gcm_16
 .Pq used with ESP
 .\"
 .It Ic authentication_algorithm Ar algorithms ;

Index: src/crypto/dist/ipsec-tools/src/racoon/strnames.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/strnames.c:1.9 src/crypto/dist/ipsec-tools/src/racoon/strnames.c:1.10
--- src/crypto/dist/ipsec-tools/src/racoon/strnames.c:1.9	Mon Jul 14 05:40:13 2008
+++ src/crypto/dist/ipsec-tools/src/racoon/strnames.c	Thu Nov 29 15:31:25 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: strnames.c,v 1.9 2008/07/14 05:40:13 tteras Exp $	*/
+/*	$NetBSD: strnames.c,v 1.10 2012/11/29 15:31:25 vanhu Exp $	*/
 
 /*	$KAME: strnames.c,v 1.25 2003/11/13 10:53:26 itojun Exp $	*/
 
@@ -471,6 +471,7 @@ static struct ksmap name_ipsecdoi_trns_e
 { IPSECDOI_ESP_RC4,		"RC4",		NULL },
 { IPSECDOI_ESP_NULL,		"NULL",		NULL },
 { IPSECDOI_ESP_AES,		"AES",		NULL },
+{ IPSECDOI_ESP_AESGCM16,	"AES_GCM_16",	NULL },
 { IPSECDOI_ESP_TWOFISH,		"TWOFISH",	NULL },
 { IPSECDOI_ESP_CAMELLIA,	"CAMELLIA",	NULL },
 };
@@ -583,6 +584,7 @@ static struct ksmap name_attr_ipsec_auth
 { IPSECDOI_ATTR_AUTH_HMAC_SHA2_512,	"hmac-sha512",	NULL },
 { IPSECDOI_ATTR_AUTH_DES_MAC,		"des-mac",	NULL },
 { IPSECDOI_ATTR_AUTH_KPDK,		"kpdk",		NULL },
+{ IPSECDOI_ATTR_AUTH_NONE,		"non_auth",		NULL },
 };
 
 char *

Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.17 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.18
--- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.17	Mon Jan  9 15:25:13 2012
+++ src/crypto/dist/ipsec-tools/src/setkey/token.l	Thu Nov 29 15:31:25 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: token.l,v 1.17 2012/01/09 15:25:13 drochner Exp $	*/
+/*	$NetBSD: token.l,v 1.18 2012/11/29 15:31:25 vanhu Exp $	*/
 
 /*	$KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $	*/
 
@@ -233,6 +233,16 @@ tcp		{ 
 	yylval.num = SADB_X_EALG_AESGMAC; BEGIN INITIAL; return(ALG_ENC);
 #endif
 }
+<S_ENCALG>aes-gcm-16   {
+#ifdef SADB_X_EALG_AESGCM16
+	yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC);
+#endif
+}
+<S_ENCALG>aes-gmac     {
+#ifdef SADB_X_EALG_AESGMAC
+	yylval.num = SADB_X_EALG_AESGMAC; BEGIN INITIAL; return(ALG_ENC);
+#endif
+}
 
 	/* compression algorithms */
 {hyphen}C	{ return(F_COMP); }

CVS commit: src/crypto/dist/ipsec-tools/src

Reply via email to