changes: made sure that we won't generate quick mode config strings that combine gcm with other hashes (the very first hunk of the diff). pointed out by naddy.
Index: conf.c =================================================================== RCS file: /home/cvs/src/sbin/isakmpd/conf.c,v retrieving revision 1.98 diff -u -p -r1.98 conf.c --- conf.c 4 Aug 2010 18:09:45 -0000 1.98 +++ conf.c 8 Sep 2010 17:04:57 -0000 @@ -402,6 +402,11 @@ conf_load_defaults_qm(int tr, char *qme, if (pfs == 0 && strcmp(dhg_p, "")) return; + /* For GCM no additional authentication must be specified */ + if (proto == 0 && strcmp(qmh, "NONE") != 0 && + (strcmp(qme, "AESGCM") == 0 || strcmp(qme, "AESGMAC") == 0)) + return; + snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto), MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p); @@ -428,13 +433,19 @@ conf_load_defaults_qm(int tr, char *qme, if (strcmp(qme ,"BLOWFISH") == 0) conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0, 1); - else if (strcmp(qme_p ,"-AES-128") == 0) + else if (strcmp(qme_p, "-AES-128") == 0 || + strcmp(qme_p, "-AESGCM-128") == 0 || + strcmp(qme_p, "-AESGMAC-128") == 0) conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1); - else if (strcmp(qme_p ,"-AES-192") == 0) + else if (strcmp(qme_p, "-AES-192") == 0 || + strcmp(qme_p, "-AESGCM-192") == 0 || + strcmp(qme_p, "-AESGMAC-192")) conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1); - else if (strcmp(qme_p ,"-AES-256") == 0) - conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1); - else if (strcmp(qme ,"AES") == 0) + else if (strcmp(qme_p, "-AES-256") == 0 || + strcmp(qme_p, "-AESGCM-256") == 0 || + strcmp(qme_p, "-AESGMAC-256") == 0) + conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1); + else if (strcmp(qme, "AES") == 0) conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0, 1); 
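Review bot: The new guard in conf_load_defaults_qm only stops the default-suite generator from pairing AESGCM or AESGMAC with an HMAC; nothing in this hunk rejects the same pairing when it comes from a hand-written configuration section or a peer's proposal, and whether another path does so is not visible here. The comment would read more clearly as `/* AES-GCM and AES-GMAC carry their own integrity check; skip suites that also name a hash */`. The test `proto == 0` presumably selects ESP by array index, which deserves a word in the same comment. The function body starts and ends outside the hunk.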
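Review bot: The added line `strcmp(qme_p, "-AESGMAC-192"))` in the 192-bit branch of the KEY_LENGTH chain is missing `== 0`, so that branch is taken for every suffix except "-AESGMAC-192". As written, any transform reaching the chain that is not BLOWFISH or one of the 128-bit AES names gets KEY_LENGTH "192,192:192": the 256-bit AES, AESGCM and AESGMAC defaults are generated with a shorter key than their names promise, plain "AES" never reaches CONF_DFLT_VAL_AES_KEYLEN, and "-AESGMAC-192" itself ends up with no key length at all. The line should read `strcmp(qme_p, "-AESGMAC-192") == 0)`. The enclosing if/else chain starts outside the hunk.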
@@ -472,9 +483,13 @@ conf_load_defaults(int tr) char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14", "-GRP15", 0}; char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES", - "AES", "AES", "AES", "AES_128_CTR", "NULL", "NONE", 0}; + "AES", "AES", "AES", "AESCTR", "AESGCM", "AESGCM", + "AESGCM", "AESGMAC", "AESGMAC", "AESGMAC", "NULL", + "NONE", 0}; char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES", - "-AES-128", "-AES-192", "-AES-256", "-AESCTR", "-NULL", + "-AES-128", "-AES-192", "-AES-256", "-AESCTR", + "-AESGCM-128", "-AESGCM-192", "-AESGCM-256", + "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL", "", 0}; char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE", Index: ipsec.c =================================================================== RCS file: /home/cvs/src/sbin/isakmpd/ipsec.c,v retrieving revision 1.135 diff -u -p -r1.135 ipsec.c --- ipsec.c 29 Jun 2010 19:50:16 -0000 1.135 +++ ipsec.c 6 Sep 2010 14:48:49 -0000 @@ -975,7 +975,7 @@ ipsec_validate_transform_id(u_int8_t pro transform_id > IPSEC_AH_RIPEMD ? -1 : 0; case IPSEC_PROTO_IPSEC_ESP: return transform_id < IPSEC_ESP_DES_IV64 || - (transform_id > IPSEC_ESP_AES_128_CTR && + (transform_id > IPSEC_ESP_AES_GMAC && transform_id < IPSEC_ESP_AES_MARS) || transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0; case IPSEC_PROTO_IPCOMP: @@ -1788,6 +1788,11 @@ ipsec_esp_enckeylength(struct proto *pro return iproto->keylen / 8; case IPSEC_ESP_AES_128_CTR: return 20; + case IPSEC_ESP_AES_GCM_16: + case IPSEC_ESP_AES_GMAC: + if (!iproto->keylen) + return 20; + return iproto->keylen / 8 + 4; case IPSEC_ESP_AES: if (!iproto->keylen) return 16; Index: ipsec_num.cst =================================================================== RCS file: /home/cvs/src/sbin/isakmpd/ipsec_num.cst,v retrieving revision 1.16 diff -u -p -r1.16 ipsec_num.cst --- ipsec_num.cst 14 Jun 2005 10:50:47 -0000 1.16 +++ ipsec_num.cst 30 Aug 2010 18:15:03 -0000 
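Review bot: The names added to qm_enc in conf_load_defaults ("AESGCM", "AESGMAC") and the rename of "AES_128_CTR" to "AESCTR" do not match the constant names in ipsec_num.cst, where this same patch adds AES_GCM_16 and AES_GMAC and leaves AES_128_CTR unchanged. If the qm_enc strings are resolved by name against that table, which is not visible in this hunk, the generated default sections for AESCTR, AESGCM and AESGMAC would carry a transform name that fails to resolve. Either keep the table names in qm_enc, for example `"AES_128_CTR", "AES_GCM_16", "AES_GCM_16",`, and adjust the `strcmp(qme, ...)` tests in conf_load_defaults_qm to match, or confirm the lookup path. The two arrays stay index-aligned at 17 entries each, so the pairing itself looks right.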
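Review bot: Raising the upper bound in ipsec_validate_transform_id from IPSEC_ESP_AES_128_CTR to IPSEC_ESP_AES_GMAC makes the ESP range check accept every value from 14 to 22 as well, although ipsec_num.cst defines only 20 and 23 above 13. A peer proposal carrying one of the undefined ids would pass this validation; whether a later step rejects it is not visible here. An explicit test keeps the accepted set equal to the implemented set: `(transform_id > IPSEC_ESP_AES_128_CTR && transform_id != IPSEC_ESP_AES_GCM_16 && transform_id != IPSEC_ESP_AES_GMAC && transform_id < IPSEC_ESP_AES_MARS) ||`.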
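Review bot: The new GCM/GMAC case in ipsec_esp_enckeylength returns bare numbers, `20` and `iproto->keylen / 8 + 4`, with no explanation of the extra four bytes. A comment such as `/* AES key plus the 4-byte salt that RFC 4106 and RFC 4543 take from the keying material */` would make clear why these lengths differ from the plain AES case below. The case also trusts iproto->keylen without checking that it is 128, 192 or 256; if that is validated elsewhere, saying so here helps the next reader.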
@@ -235,6 +235,8 @@ IPSEC_ESP NULL 11 AES 12 AES_128_CTR 13 + AES_GCM_16 20 + AES_GMAC 23 AES_MARS 249 AES_RC6 250 AES_RIJNDAEL 251 Index: isakmpd.conf.5 =================================================================== RCS file: /home/cvs/src/sbin/isakmpd/isakmpd.conf.5,v retrieving revision 1.126 diff -u -p -r1.126 isakmpd.conf.5 --- isakmpd.conf.5 7 Jun 2010 08:38:09 -0000 1.126 +++ isakmpd.conf.5 6 Sep 2010 11:46:01 -0000 @@ -141,7 +141,9 @@ where: .It Ns { Ns Ar proto Ns } is either ESP or AH .It Ns { Ns Ar cipher Ns } -is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, or NULL +is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, +AESGCM-128, AESGCM-192, AESGCM-256, AESGMAC-128, AESGMAC-192, AESGMAC-256 +or NULL .It Ns { Ns Ar hash Ns } is either MD5, SHA, RIPEMD, or SHA2-{256,384,512} .It Ns { Ns Ar group Ns } Index: pf_key_v2.c =================================================================== RCS file: /home/cvs/src/sbin/isakmpd/pf_key_v2.c,v retrieving revision 1.185 diff -u -p -r1.185 pf_key_v2.c --- pf_key_v2.c 28 Jan 2009 17:57:15 -0000 1.185 +++ pf_key_v2.c 30 Aug 2010 18:15:16 -0000 @@ -939,6 +939,14 @@ pf_key_v2_set_spi(struct sa *sa, struct ssa.sadb_sa_encrypt = SADB_X_EALG_AESCTR; break; + case IPSEC_ESP_AES_GCM_16: + ssa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16; + break; + + case IPSEC_ESP_AES_GMAC: + ssa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC; + break; + case IPSEC_ESP_CAST: ssa.sadb_sa_encrypt = SADB_X_EALG_CAST; break; Index: policy.c =================================================================== RCS file: /home/cvs/src/sbin/isakmpd/policy.c,v retrieving revision 1.91 diff -u -p -r1.91 policy.c --- policy.c 5 Aug 2007 09:43:09 -0000 1.91 +++ policy.c 23 Aug 2010 09:51:57 -0000 
@@ -297,6 +297,8 @@ policy_callback(char *name) case IPSEC_ESP_AES: case IPSEC_ESP_AES_128_CTR: + case IPSEC_ESP_AES_GCM_16: + case IPSEC_ESP_AES_GMAC: esp_enc_alg = "aes"; break; Index: sa.c =================================================================== RCS file: /home/cvs/src/sbin/isakmpd/sa.c,v retrieving revision 1.113 diff -u -p -r1.113 sa.c --- sa.c 2 Sep 2007 15:19:24 -0000 1.113 +++ sa.c 23 Aug 2010 09:51:35 -0000 @@ -519,6 +519,14 @@ report_proto(FILE *fd, struct proto *pro fprintf(fd, "AES-128 (CTR)\n"); break; + case IPSEC_ESP_AES_GCM_16: + fprintf(fd, "AES (GCM)\n"); + break; + + case IPSEC_ESP_AES_GMAC: + fprintf(fd, "AES (GMAC)\n"); + break; + case IPSEC_ESP_CAST: fprintf(fd, "Cast-128\n"); break;
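Review bot: Mapping IPSEC_ESP_AES_GMAC to `esp_enc_alg = "aes"` in policy_callback tells the policy layer that the SA is AES-encrypted, but ESP with AES-GMAC (RFC 4543) authenticates the payload without encrypting it. A policy that requires "aes" in order to guarantee confidentiality would then accept an SA that carries cleartext; how the value is consumed lies outside this hunk, so this needs confirming against the policy evaluation. GMAC should get its own case with a distinct value, with a comment such as `/* AES-GMAC is integrity-only (RFC 4543); not reported as "aes" */`.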