On Wed, Sep 08, 2010 at 19:30 +0200, Mike Belopuhov wrote: > changes: > > - don't allow other hashes with gcm. pointed out by naddy. >
fixed a segfault. spotted by naddy.
Index: ike.c
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.67
diff -u -p -r1.67 ike.c
--- ike.c 4 Oct 2009 11:39:32 -0000 1.67
+++ ike.c 6 Sep 2010 14:30:01 -0000
@@ -161,6 +161,7 @@ static int
 ike_section_p2(struct ipsec_rule *r, FILE *fd)
 {
 char *exchange_type, *sprefix;
+ int needauth = 1;
 switch (r->p2ie) {
 case IKE_QM:
@@ -224,6 +225,30 @@ ike_section_p2(struct ipsec_rule *r, FIL
 case ENCXF_AESCTR:
 fprintf(fd, "AESCTR");
 break;
+ case ENCXF_AES_128_GCM:
+ fprintf(fd, "AESGCM-128");
+ needauth = 0;
+ break;
+ case ENCXF_AES_192_GCM:
+ fprintf(fd, "AESGCM-192");
+ needauth = 0;
+ break;
+ case ENCXF_AES_256_GCM:
+ fprintf(fd, "AESGCM-256");
+ needauth = 0;
+ break;
+ case ENCXF_AES_128_GMAC:
+ fprintf(fd, "AESGMAC-128");
+ needauth = 0;
+ break;
+ case ENCXF_AES_192_GMAC:
+ fprintf(fd, "AESGMAC-192");
+ needauth = 0;
+ break;
+ case ENCXF_AES_256_GMAC:
+ fprintf(fd, "AESGMAC-256");
+ needauth = 0;
+ break;
 case ENCXF_BLOWFISH:
 fprintf(fd, "BLF");
 break;
@@ -232,6 +257,7 @@ ike_section_p2(struct ipsec_rule *r, FIL
 break;
 case ENCXF_NULL:
 fprintf(fd, "NULL");
+ needauth = 0;
 break;
 default:
 warnx("illegal transform %s",
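Review bot: Adding `needauth = 0;` to the ENCXF_NULL case means an `enc null` IKE rule with no explicit `auth` keyword no longer receives the SHA2-256 default that the next hunk removes, so unless something outside this hunk inserts one, the phase-2 suite is written with no integrity transform at all — ESP-NULL without authentication protects nothing. That is inconsistent with the rest of the diff: encxfs[] leaves `noauth` at 0 for "null", so validate_sa() still defaults manual ESP-NULL SAs to HMAC-SHA2-256, and the ipsec.conf.5 hunk still says NULL with ESP provides authentication. If NULL is meant to keep the default, drop the added `needauth = 0;` here; if the no-auth form is intended, say so in a comment on the case and reject `enc null` without `auth` in create_ike() rather than emitting it silently. ike_section_p2() starts before and continues after this hunk.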
@@ -270,43 +296,44 @@ ike_section_p2(struct ipsec_rule *r, FIL
 warnx("illegal transform %s",
 r->p2xfs->authxf->name);
 return (-1);
 }
- } else
- fprintf(fd, "SHA2-256");
+ fprintf(fd, "-");
+ } else if (needauth)
+ fprintf(fd, "SHA2-256-");
 if (r->p2xfs && r->p2xfs->groupxf) {
 switch (r->p2xfs->groupxf->id) {
 case GROUPXF_NONE:
 break;
 case GROUPXF_768:
- fprintf(fd, "-PFS-GRP1");
+ fprintf(fd, "PFS-GRP1");
 break;
 case GROUPXF_1024:
- fprintf(fd, "-PFS-GRP2");
+ fprintf(fd, "PFS-GRP2");
 break;
 case GROUPXF_1536:
- fprintf(fd, "-PFS-GRP5");
+ fprintf(fd, "PFS-GRP5");
 break;
 case GROUPXF_2048:
- fprintf(fd, "-PFS-GRP14");
+ fprintf(fd, "PFS-GRP14");
 break;
 case GROUPXF_3072:
- fprintf(fd, "-PFS-GRP15");
+ fprintf(fd, "PFS-GRP15");
 break;
 case GROUPXF_4096:
- fprintf(fd, "-PFS-GRP16");
+ fprintf(fd, "PFS-GRP16");
 break;
 case GROUPXF_6144:
- fprintf(fd, "-PFS-GRP17");
+ fprintf(fd, "PFS-GRP17");
 break;
 case GROUPXF_8192:
- fprintf(fd, "-PFS-GRP18");
+ fprintf(fd, "PFS-GRP18");
 break;
 default:
 warnx("illegal group %s", r->p2xfs->groupxf->name);
 return (-1);
 };
 } else
- fprintf(fd, "-PFS");
+ fprintf(fd, "PFS");
 fprintf(fd, "-SUITE force\n");
 return (0);
Index: ipsec.conf.5
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.126
diff -u -p -r1.126 ipsec.conf.5
--- ipsec.conf.5 7 Jun 2010 08:32:58 -0000 1.126
+++ ipsec.conf.5 6 Sep 2010 11:41:52 -0000
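Review bot: With `group none` the new suite string carries a doubled separator: both auth branches in this hunk now end with "-" (`fprintf(fd, "-")` after an explicit auth name and `fprintf(fd, "SHA2-256-")` for the default), the GROUPXF_NONE case prints nothing, and `fprintf(fd, "-SUITE force\n")` adds another, so the line ends `-SHA2-256--SUITE force`. Putting the separator on the tail of the group strings instead fixes every path at once: `fprintf(fd, "PFS-GRP1-")` and the other seven, `fprintf(fd, "PFS-")` in the else branch, and `fprintf(fd, "SUITE force\n")` at the end. Whether the AEAD path (no auth, no group) is affected depends on what the cipher switch above this hunk prints after the cipher name, which is not visible here. ike_section_p2() starts before this hunk.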
@@ -612,6 +612,12 @@ keyword:
 .It Li aes-192 Ta "192 bits"
 .It Li aes-256 Ta "256 bits"
 .It Li aesctr Ta "160 bits" Ta "[phase 2 only]"
+.It Li aes-128-gcm Ta "160 bits" Ta "[phase 2 only]"
+.It Li aes-192-gcm Ta "224 bits" Ta "[phase 2 only]"
+.It Li aes-256-gcm Ta "288 bits" Ta "[phase 2 only]"
+.It Li aes-128-gmac Ta "160 bits" Ta "[phase 2 only]"
+.It Li aes-192-gmac Ta "224 bits" Ta "[phase 2 only]"
+.It Li aes-256-gmac Ta "288 bits" Ta "[phase 2 only]"
 .It Li blowfish Ta "160 bits"
 .It Li cast Ta "128 bits"
 .It Li skipjack Ta "80 bits"
@@ -630,6 +636,10 @@ This is because the most significant bit
 The keysize of AES-CTR is actually 128-bit.
 However as well as the key, a 32-bit nonce has to be supplied.
 Thus 160 bits of key material have to be supplied.
+The same applies to AES-GCM and AES-GMAC.
+.Pp
+Please note that AES-GMAC performs no encryption and provides no
+confidentiality.
 .Pp
 Using NULL with ESP will only provide authentication.
 This is useful in setups where AH can not be used, e.g. when NAT is involved.
Index: ipsecctl.h
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/ipsecctl.h,v
retrieving revision 1.59
diff -u -p -r1.59 ipsecctl.h
--- ipsecctl.h 4 Aug 2009 15:05:50 -0000 1.59
+++ ipsecctl.h 6 Sep 2010 11:42:32 -0000
@@ -63,7 +63,9 @@ enum {
 };
 enum {
 ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,
- ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR,
+ ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR,
+ ENCXF_AES_128_GCM, ENCXF_AES_192_GCM, ENCXF_AES_256_GCM,
+ ENCXF_AES_128_GMAC, ENCXF_AES_192_GMAC, ENCXF_AES_256_GMAC,
 ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_NULL, ENCXF_SKIPJACK
 };
 enum {
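Review bot: The ENCXF_* enumerators double as subscripts into encxfs[] (`&encxfs[ENCXF_AES]` in the parse.y hunk, `&encxfs[ENCXF_AES_192_GCM]` in pfkdump.c), so inserting six values in the middle of the enum is only correct because the parse.y table in this diff grows at exactly the same position; nothing in the code enforces that coupling. A comment on the enum, `/* order and count must match encxfs[] in parse.y; values are used as table indices */`, would at least warn the next person who adds a cipher in one place but not the other, and looking rows up by their `id` member instead of by index would remove the hazard altogether.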
@@ -140,6 +142,7 @@ struct ipsec_xf {
 u_int16_t id;
 size_t keymin;
 size_t keymax;
+ int noauth;
 };
 struct ipsec_transforms {
Index: parse.y
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/parse.y,v
retrieving revision 1.148
diff -u -p -r1.148 parse.y
--- parse.y 3 Aug 2010 18:42:40 -0000 1.148
+++ parse.y 9 Sep 2010 09:16:27 -0000
@@ -98,20 +98,26 @@ const struct ipsec_xf authxfs[] = {
 };
 const struct ipsec_xf encxfs[] = {
- { "unknown", ENCXF_UNKNOWN, 0, 0 },
- { "none", ENCXF_NONE, 0, 0 },
- { "3des-cbc", ENCXF_3DES_CBC, 24, 24 },
- { "des-cbc", ENCXF_DES_CBC, 8, 8 },
- { "aes", ENCXF_AES, 16, 32 },
- { "aes-128", ENCXF_AES_128, 16, 16 },
- { "aes-192", ENCXF_AES_192, 24, 24 },
- { "aes-256", ENCXF_AES_256, 32, 32 },
- { "aesctr", ENCXF_AESCTR, 16+4, 32+4 },
- { "blowfish", ENCXF_BLOWFISH, 5, 56 },
- { "cast128", ENCXF_CAST128, 5, 16 },
- { "null", ENCXF_NULL, 0, 0 },
- { "skipjack", ENCXF_SKIPJACK, 10, 10 },
- { NULL, 0, 0, 0 },
+ { "unknown", ENCXF_UNKNOWN, 0, 0, 0 },
+ { "none", ENCXF_NONE, 0, 0, 0 },
+ { "3des-cbc", ENCXF_3DES_CBC, 24, 24, 0 },
+ { "des-cbc", ENCXF_DES_CBC, 8, 8, 0 },
+ { "aes", ENCXF_AES, 16, 32, 0 },
+ { "aes-128", ENCXF_AES_128, 16, 16, 0 },
+ { "aes-192", ENCXF_AES_192, 24, 24, 0 },
+ { "aes-256", ENCXF_AES_256, 32, 32, 0 },
+ { "aesctr", ENCXF_AESCTR, 16+4, 32+4, 0 },
+ { "aes-128-gcm", ENCXF_AES_128_GCM, 16+4, 16+4, 1 },
+ { "aes-192-gcm", ENCXF_AES_192_GCM, 24+4, 24+4, 1 },
+ { "aes-256-gcm", ENCXF_AES_256_GCM, 32+4, 32+4, 1 },
+ { "aes-128-gmac", ENCXF_AES_128_GMAC, 16+4, 16+4, 1 },
+ { "aes-192-gmac", ENCXF_AES_192_GMAC, 24+4, 24+4, 1 },
+ { "aes-256-gmac", ENCXF_AES_256_GMAC, 32+4, 32+4, 1 },
+ { "blowfish", ENCXF_BLOWFISH, 5, 56, 0 },
+ { "cast128", ENCXF_CAST128, 5, 16, 0 },
+ { "null", ENCXF_NULL, 0, 0, 0 },
+ { "skipjack", ENCXF_SKIPJACK, 10, 10, 0 },
+ { NULL, 0, 0, 0, 0 },
 };
 const struct ipsec_xf compxfs[] = {
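Review bot: The new `noauth` member is undocumented, and what it means (the transform carries its own integrity check, so an explicit `auth` keyword is rejected) can only be learned by reading validate_sa() and create_ike() in parse.y. Document it at the declaration, `int noauth; /* integrity is part of the cipher; an explicit authxf is an error */`, and since the encxfs[] rows in the parse.y hunk below now end in an anonymous fifth 0/1, a designated `.noauth = 1` on the six new rows would make them self-describing. struct ipsec_xf starts before this hunk.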
@@ -2209,10 +2215,14 @@ validate_sa(u_int32_t spi, u_int8_t saty
 yyerror("esp does not provide compression");
 return (0);
 }
- if (!xfs->authxf)
- xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256];
 if (!xfs->encxf)
 xfs->encxf = &encxfs[ENCXF_AES];
+ if (xfs->encxf->noauth && xfs->authxf) {
+ yyerror("authentication is implicit for %s",
+ xfs->encxf->name);
+ return (0);
+ } else if (!xfs->encxf->noauth && !xfs->authxf)
+ xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256];
 }
 if (satype == IPSEC_IPCOMP) {
 if (!xfs) {
@@ -2694,28 +2704,7 @@ create_ike(u_int8_t proto, struct ipsec_
 if ((hosts->sport != 0 || hosts->dport != 0) &&
 (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) {
 yyerror("no protocol supplied with source/destination ports");
- free(r);
- free(hosts->src);
- hosts->src = NULL;
- free(hosts->dst);
- hosts->dst = NULL;
- if (phase1mode) {
- free(phase1mode->xfs);
- phase1mode->xfs = NULL;
- free(phase1mode->life);
- phase1mode->life = NULL;
- }
- if (phase2mode) {
- free(phase2mode->xfs);
- phase2mode->xfs = NULL;
- free(phase2mode->life);
- phase2mode->life = NULL;
- }
- if (srcid)
- free(srcid);
- if (dstid)
- free(dstid);
- return NULL;
+ goto errout;
 }
 r->satype = satype;
@@ -2729,6 +2718,13 @@ create_ike(u_int8_t proto, struct ipsec_
 r->p1ie = IKE_MM;
 }
 if (phase2mode) {
+ if (phase2mode->xfs && phase2mode->xfs->encxf &&
+ phase2mode->xfs->encxf->noauth &&
+ phase2mode->xfs->authxf) {
+ yyerror("authentication is implicit for %s",
+ phase2mode->xfs->encxf->name);
+ goto errout;
+ }
 r->p2xfs = phase2mode->xfs;
 r->p2life = phase2mode->life;
 r->p2ie = phase2mode->ike_exch;
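Review bot: The new guard only looks at phase2mode, yet the encxfs[] rows in this diff make the GCM/GMAC transforms selectable in phase 1 as well, while the ipsec.conf.5 hunk documents them as phase 2 only; unless parse.y rejects them somewhere not shown, `main ... enc aes-128-gcm` is accepted here and handed to r->p1xfs a few lines above this hunk. A symmetric check on phase1mode->xfs->encxf->noauth (or a 'phase 2 only' flag in struct ipsec_xf tested where phase1mode is consumed) would close that gap. The `yyerror("authentication is implicit for %s", ...)` test is now duplicated between validate_sa() and this hunk and could live in one static helper taking a struct ipsec_transforms *. create_ike() starts before and continues after this hunk.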
@@ -2751,4 +2747,28 @@ create_ike(u_int8_t proto, struct ipsec_
 r->tag = tag;
 return (r);
+
+errout:
+ free(r);
+ free(hosts->src);
+ hosts->src = NULL;
+ free(hosts->dst);
+ hosts->dst = NULL;
+ if (phase1mode) {
+ free(phase1mode->xfs);
+ phase1mode->xfs = NULL;
+ free(phase1mode->life);
+ phase1mode->life = NULL;
+ }
+ if (phase2mode) {
+ free(phase2mode->xfs);
+ phase2mode->xfs = NULL;
+ free(phase2mode->life);
+ phase2mode->life = NULL;
+ }
+ if (srcid)
+ free(srcid);
+ if (dstid)
+ free(dstid);
+ return NULL;
 }
Index: pfkdump.c
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/pfkdump.c,v
retrieving revision 1.27
diff -u -p -r1.27 pfkdump.c
--- pfkdump.c 1 Jul 2010 02:11:35 -0000 1.27
+++ pfkdump.c 1 Sep 2010 16:20:32 -0000
@@ -153,6 +153,9 @@ struct idname auth_types[] = {
 { SADB_X_AALG_SHA2_256, "hmac-sha2-256", NULL },
 { SADB_X_AALG_SHA2_384, "hmac-sha2-384", NULL },
 { SADB_X_AALG_SHA2_512, "hmac-sha2-512", NULL },
+ { SADB_X_AALG_AES128GMAC, "gmac-aes-128", NULL },
+ { SADB_X_AALG_AES192GMAC, "gmac-aes-192", NULL },
+ { SADB_X_AALG_AES256GMAC, "gmac-aes-256", NULL },
 { SADB_X_AALG_MD5, "md5", NULL },
 { SADB_X_AALG_SHA1, "sha1", NULL },
 { 0, NULL, NULL }
@@ -171,6 +174,8 @@ struct idname enc_types[] = {
 { SADB_X_EALG_3IDEA, "idea3", NULL },
 { SADB_X_EALG_AES, "aes", NULL },
 { SADB_X_EALG_AESCTR, "aesctr", NULL },
+ { SADB_X_EALG_AESGCM16, "aes-gcm", NULL },
+ { SADB_X_EALG_AESGMAC, "aes-gmac", NULL },
 { SADB_X_EALG_BLF, "blowfish", NULL },
 { SADB_X_EALG_CAST, "cast128", NULL },
 { SADB_X_EALG_DES_IV32, "des-iv32", NULL },
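Review bot: In the new errout block, `if (srcid) free(srcid);` and `if (dstid) free(dstid);` guard a call that already accepts NULL; `free(srcid); free(dstid);` reads cleaner and matches the unguarded `free(r)` at the top of the block. A one-line comment above the label, `/* errout: release everything create_ike() has taken ownership of; r is never returned from here */`, would help the next person who adds a `goto errout` after more of r has been filled in. create_ike() starts before this hunk.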
@@ -707,6 +712,32 @@ pfkey_print_sa(struct sadb_msg *msg, int
 break;
 case SADB_X_EALG_AESCTR:
 xfs.encxf = &encxfs[ENCXF_AESCTR];
+ break;
+ case SADB_X_EALG_AESGCM16:
+ switch (r.enckey->len) {
+ case 28:
+ xfs.encxf = &encxfs[ENCXF_AES_192_GCM];
+ break;
+ case 36:
+ xfs.encxf = &encxfs[ENCXF_AES_256_GCM];
+ break;
+ default:
+ xfs.encxf = &encxfs[ENCXF_AES_128_GCM];
+ break;
+ }
+ break;
+ case SADB_X_EALG_AESGMAC:
+ switch (r.enckey->len) {
+ case 28:
+ xfs.encxf = &encxfs[ENCXF_AES_192_GMAC];
+ break;
+ case 36:
+ xfs.encxf = &encxfs[ENCXF_AES_256_GMAC];
+ break;
+ default:
+ xfs.encxf = &encxfs[ENCXF_AES_128_GMAC];
+ break;
+ }
 break;
 case SADB_X_EALG_BLF:
 xfs.encxf = &encxfs[ENCXF_BLOWFISH];
Index: pfkey.c
===================================================================
RCS file: /home/cvs/src/sbin/ipsecctl/pfkey.c,v
retrieving revision 1.49
diff -u -p -r1.49 pfkey.c
--- pfkey.c 22 Dec 2008 17:00:37 -0000 1.49
+++ pfkey.c 6 Sep 2010 11:43:28 -0000
@@ -488,10 +488,23 @@ pfkey_sa(int sd, u_int8_t satype, u_int8
 sa.sadb_sa_encrypt = SADB_EALG_DESCBC;
 break;
 case ENCXF_AES:
+ case ENCXF_AES_128:
+ case ENCXF_AES_192:
+ case ENCXF_AES_256:
 sa.sadb_sa_encrypt = SADB_X_EALG_AES;
 break;
 case ENCXF_AESCTR:
 sa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
+ break;
+ case ENCXF_AES_128_GCM:
+ case ENCXF_AES_192_GCM:
+ case ENCXF_AES_256_GCM:
+ sa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
+ break;
+ case ENCXF_AES_128_GMAC:
+ case ENCXF_AES_192_GMAC:
+ case ENCXF_AES_256_GMAC:
+ sa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
 break;
 case ENCXF_BLOWFISH:
 sa.sadb_sa_encrypt = SADB_X_EALG_BLF;
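Review bot: Both new cases read `r.enckey->len` without checking that `r.enckey` is set; if an SA can be dumped without an SADB_EXT_KEY_ENCRYPT extension (not visible here — the "fixed a segfault" remark in the mail may or may not refer to this), the inner switch dereferences NULL, so guard it first, `if (r.enckey == NULL) break;` or whatever the rest of pfkey_print_sa() does for key-less SAs. The `default:` arm also reports any unexpected length as AES-128, which would mask a kernel/userland key-layout mismatch; make the expected size explicit, `case 20: /* 16-byte key + 4-byte salt, see encxfs[] in parse.y */`, and warn on anything else. The two inner switches differ only in the table offset and could be one static helper. pfkey_print_sa() starts before and continues after this hunk.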