On Sun, Sep 05, 2010 at 19:28 +0200, Mike Belopuhov wrote: > On Sun, Sep 05, 2010 at 16:49 +0000, Christian Weisgerber wrote: > > Mike Belopuhov <m...@crypt.org.ru> wrote: > > > > > note that it defaults to AESGCM-256 (i did it this way because > > > linux picks largest key). > > > > I don't understand that rationale. > > > > A side effect of this is that you now get different key sizes if > > you specify "aes-gcm" in a manual SA (128) or an IKE rule (256). > > > > this is bad indeed. i propose the following: isakmpd always defaults > to 256 if keylength is not specified. ipsecctl loses "aes-gcm" and > "aes-gmac" specifications, so that you always have to specify key length. > > does that sound good?
ok, in fact isakmpd doesn't care what cipher it was told to use in the quick mode by the ipsecctl and proceeds with whatever client proposes, so there's no value in having these aliases. i decided to remove them.
Index: conf.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/conf.c,v
retrieving revision 1.98
diff -u -p -r1.98 conf.c
--- conf.c 4 Aug 2010 18:09:45 -0000 1.98
+++ conf.c 6 Sep 2010 14:40:45 -0000
@@ -428,13 +428,19 @@ conf_load_defaults_qm(int tr, char *qme,
 if (strcmp(qme ,"BLOWFISH") == 0)
 conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0, 1);
- else if (strcmp(qme_p ,"-AES-128") == 0)
+ else if (strcmp(qme_p, "-AESGCM-128") == 0 ||
+ strcmp(qme_p, "-AESGMAC-128") == 0 ||
+ strcmp(qme_p, "-AES-128") == 0)
 conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
- else if (strcmp(qme_p ,"-AES-192") == 0)
+ else if (strcmp(qme_p, "-AESGCM-192") == 0 ||
+ strcmp(qme_p, "-AESGMAC-192") == 0 ||
+ strcmp(qme_p, "-AES-192") == 0)
 conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
- else if (strcmp(qme_p ,"-AES-256") == 0)
- conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
- else if (strcmp(qme ,"AES") == 0)
+ else if (strcmp(qme_p, "-AESGCM-256") == 0 ||
+ strcmp(qme_p, "-AESGMAC-256") == 0 ||
+ strcmp(qme_p, "-AES-256") == 0)
+ conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
+ else if (strcmp(qme, "AES") == 0)
 conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0, 1);
@@ -472,9 +478,13 @@ conf_load_defaults(int tr)
 char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14", "-GRP15", 0};
 char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES",
- "AES", "AES", "AES", "AES_128_CTR", "NULL", "NONE", 0};
+ "AES", "AES", "AES", "AES_128_CTR", "AES_GCM_16",
+ "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC",
+ "AES_GMAC", "NULL", "NONE", 0};
 char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES",
- "-AES-128", "-AES-192", "-AES-256", "-AESCTR", "-NULL",
+ "-AES-128", "-AES-192", "-AES-256", "-AESCTR",
+ "-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
+ "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL",
 "", 0};
 char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
Index: ipsec.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/ipsec.c,v
retrieving revision 1.135
diff -u -p -r1.135 ipsec.c
--- ipsec.c 29 Jun 2010 19:50:16 -0000 1.135
+++ ipsec.c 30 Aug 2010 20:26:27 -0000
@@ -975,7 +975,7 @@ ipsec_validate_transform_id(u_int8_t pro
 transform_id > IPSEC_AH_RIPEMD ? -1 : 0;
 case IPSEC_PROTO_IPSEC_ESP:
 return transform_id < IPSEC_ESP_DES_IV64 ||
- (transform_id > IPSEC_ESP_AES_128_CTR &&
+ (transform_id > IPSEC_ESP_AES_GMAC &&
 transform_id < IPSEC_ESP_AES_MARS) ||
 transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
 case IPSEC_PROTO_IPCOMP:
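Review bot: In conf.c, `qm_enc` and `qm_enc_p` in conf_load_defaults() appear to be matched by index, and six entries are added to each by hand with nothing that ties the two lists together. Both hold 17 entries before the terminator, so the change is aligned as written, but a later miscount would silently pair a suite name with the wrong transform. A comment above the pair such as `/* qm_enc[i] is the transform for the name suffix qm_enc_p[i]; keep both lists in step */` would document that. Separately, `qm_hash` sits right beside them: if the loop further down (outside this hunk) crosses every cipher with every hash, the GCM and GMAC suites are generated with a separate HMAC on top of their built-in integrity check, which is worth confirming is intended.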
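Review bot: In ipsec.c, raising the bound in ipsec_validate_transform_id() from IPSEC_ESP_AES_128_CTR to IPSEC_ESP_AES_GMAC makes every ESP transform id from 14 to 23 pass validation, although ipsec_num.cst in this same patch defines only 20 (AES_GCM_16) and 23 (AES_GMAC) in that range. A peer proposing 14–19, 21 or 22 is therefore no longer rejected here and has to be caught by whatever handles unknown ids further down, which this hunk does not show. Keeping the old bound and exempting the two new ids would avoid that: `(transform_id > IPSEC_ESP_AES_128_CTR && transform_id != IPSEC_ESP_AES_GCM_16 && transform_id != IPSEC_ESP_AES_GMAC && transform_id < IPSEC_ESP_AES_MARS) ||`. The function starts and ends outside the hunk.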
@@ -1788,6 +1788,11 @@ ipsec_esp_enckeylength(struct proto *pro
 return iproto->keylen / 8;
 case IPSEC_ESP_AES_128_CTR:
 return 20;
+ case IPSEC_ESP_AES_GCM_16:
+ case IPSEC_ESP_AES_GMAC:
+ if (!iproto->keylen)
+ return 20;
+ return iproto->keylen / 8 + 4;
 case IPSEC_ESP_AES:
 if (!iproto->keylen)
 return 16;
Index: ipsec_num.cst
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/ipsec_num.cst,v
retrieving revision 1.16
diff -u -p -r1.16 ipsec_num.cst
--- ipsec_num.cst 14 Jun 2005 10:50:47 -0000 1.16
+++ ipsec_num.cst 30 Aug 2010 18:15:03 -0000
@@ -235,6 +235,8 @@ IPSEC_ESP
 NULL 11
 AES 12
 AES_128_CTR 13
+ AES_GCM_16 20
+ AES_GMAC 23
 AES_MARS 249
 AES_RC6 250
 AES_RIJNDAEL 251
Index: isakmpd.conf.5
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/isakmpd.conf.5,v
retrieving revision 1.126
diff -u -p -r1.126 isakmpd.conf.5
--- isakmpd.conf.5 7 Jun 2010 08:38:09 -0000 1.126
+++ isakmpd.conf.5 6 Sep 2010 11:46:01 -0000
@@ -141,7 +141,9 @@ where:
 .It Ns { Ns Ar proto Ns }
 is either ESP or AH
 .It Ns { Ns Ar cipher Ns }
-is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, or NULL
+is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR,
+AESGCM-128, AESGCM-192, AESGCM-256, AESGMAC-128, AESGMAC-192, AESGMAC-256
+or NULL
 .It Ns { Ns Ar hash Ns }
 is either MD5, SHA, RIPEMD, or SHA2-{256,384,512}
 .It Ns { Ns Ar group Ns }
Index: pf_key_v2.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/pf_key_v2.c,v
retrieving revision 1.185
diff -u -p -r1.185 pf_key_v2.c
--- pf_key_v2.c 28 Jan 2009 17:57:15 -0000 1.185
+++ pf_key_v2.c 30 Aug 2010 18:15:16 -0000
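Review bot: In ipsec.c, the `20` and the `+ 4` in the new IPSEC_ESP_AES_GCM_16 / IPSEC_ESP_AES_GMAC case of ipsec_esp_enckeylength() are unexplained, and they read like the fixed AES_128_CTR length just above them. The four extra bytes are the salt that RFC 4106 and RFC 4543 take from the keying material after the AES key, so a comment such as `/* AES key plus 4-byte salt; 16 + 4 when no key length was negotiated */` would make that clear. The fallback silently selects a 128-bit key when `keylen` is 0, and nothing in this case checks that a peer-supplied `keylen` is 128, 192 or 256. That may be enforced elsewhere, since the function extends beyond the hunk, but it is worth confirming.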
@@ -939,6 +939,14 @@ pf_key_v2_set_spi(struct sa *sa, struct
 ssa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
 break;
+ case IPSEC_ESP_AES_GCM_16:
+ ssa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
+ break;
+
+ case IPSEC_ESP_AES_GMAC:
+ ssa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
+ break;
+
 case IPSEC_ESP_CAST:
 ssa.sadb_sa_encrypt = SADB_X_EALG_CAST;
 break;
Index: policy.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/policy.c,v
retrieving revision 1.91
diff -u -p -r1.91 policy.c
--- policy.c 5 Aug 2007 09:43:09 -0000 1.91
+++ policy.c 23 Aug 2010 09:51:57 -0000
@@ -297,6 +297,8 @@ policy_callback(char *name)
 case IPSEC_ESP_AES:
 case IPSEC_ESP_AES_128_CTR:
+ case IPSEC_ESP_AES_GCM_16:
+ case IPSEC_ESP_AES_GMAC:
 esp_enc_alg = "aes";
 break;
Index: sa.c
===================================================================
RCS file: /home/cvs/src/sbin/isakmpd/sa.c,v
retrieving revision 1.113
diff -u -p -r1.113 sa.c
--- sa.c 2 Sep 2007 15:19:24 -0000 1.113
+++ sa.c 23 Aug 2010 09:51:35 -0000
@@ -519,6 +519,14 @@ report_proto(FILE *fd, struct proto *pro
 fprintf(fd, "AES-128 (CTR)\n");
 break;
+ case IPSEC_ESP_AES_GCM_16:
+ fprintf(fd, "AES (GCM)\n");
+ break;
+
+ case IPSEC_ESP_AES_GMAC:
+ fprintf(fd, "AES (GMAC)\n");
+ break;
+
 case IPSEC_ESP_CAST:
 fprintf(fd, "Cast-128\n");
 break;
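Review bot: In policy.c, letting IPSEC_ESP_AES_GMAC fall into `esp_enc_alg = "aes"` in policy_callback() reports an integrity-only transform as AES encryption. AES-GMAC in ESP (RFC 4543) authenticates the payload but leaves it unencrypted, so a policy that tests `esp_enc_alg` for "aes" to require confidentiality would, assuming this string is what the policy check sees, also accept a GMAC SA. Give GMAC its own case with a distinct value, for example `case IPSEC_ESP_AES_GMAC: esp_enc_alg = "aes-gmac"; break;` (the name is constructed here and is the maintainers' choice), and document the new value alongside the existing ones. Only part of the switch is visible in this hunk.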