Here's a tentative diff to disable AES-CTR/-GCM/-GMAC for manual
security associations, in accordance with RFC 3686/4106/4543 that
explicitly forbid the use of these algorithms with static keys.
Should this be better handled in the grammar?
For ipsec.conf.5, it also includes a tweak to the key length section
that I've been going over with jmc@, but maybe the whole paragraph should
be dropped now?
Index: ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.138
diff -u -p -r1.138 ipsec.conf.5
--- ipsec.conf.5 30 Jun 2012 14:51:31 -0000 1.138
+++ ipsec.conf.5 8 Jul 2012 08:54:26 -0000
@@ -614,16 +614,16 @@ keyword:
.It Li aes-128 Ta "128 bits" Ta ""
.It Li aes-192 Ta "192 bits" Ta ""
.It Li aes-256 Ta "256 bits" Ta ""
-.It Li aesctr Ta "160 bits" Ta "[phase 2 only]"
-.It Li aes-128-ctr Ta "160 bits" Ta "[phase 2 only]"
-.It Li aes-192-ctr Ta "224 bits" Ta "[phase 2 only]"
-.It Li aes-256-ctr Ta "288 bits" Ta "[phase 2 only]"
-.It Li aes-128-gcm Ta "160 bits" Ta "[phase 2 only]"
-.It Li aes-192-gcm Ta "224 bits" Ta "[phase 2 only]"
-.It Li aes-256-gcm Ta "288 bits" Ta "[phase 2 only]"
-.It Li aes-128-gmac Ta "160 bits" Ta "[phase 2 only]"
-.It Li aes-192-gmac Ta "224 bits" Ta "[phase 2 only]"
-.It Li aes-256-gmac Ta "288 bits" Ta "[phase 2 only]"
+.It Li aesctr Ta "160 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-128-ctr Ta "160 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-192-ctr Ta "224 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-256-ctr Ta "288 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-128-gcm Ta "160 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-192-gcm Ta "224 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-256-gcm Ta "288 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-128-gmac Ta "160 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-192-gmac Ta "224 bits" Ta "[phase 2 only, IKE only]"
+.It Li aes-256-gmac Ta "288 bits" Ta "[phase 2 only, IKE only]"
.It Li blowfish Ta "160 bits" Ta ""
.It Li cast Ta "128 bits" Ta ""
.It Li null Ta "(none)" Ta "[phase 2 only]"
@@ -636,9 +636,9 @@ DES requires 8 bytes to form a 56-bit ke
to form its 168-bit key.
This is because the most significant bit of each byte is used for parity.
.Pp
-The keysize of AES-CTR is actually 128-bit.
+The keysize of AES-CTR can be 128, 192, or 256 bits.
However as well as the key, a 32-bit nonce has to be supplied.
-Thus 160 bits of key material have to be supplied.
+Thus 160, 224, or 288 bits of key material, respectively, have to be supplied.
The same applies to AES-GCM and AES-GMAC.
.Pp
Using AES-GMAC or NULL with ESP will only provide authentication.
Index: pfkey.c
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/pfkey.c,v
retrieving revision 1.53
diff -u -p -r1.53 pfkey.c
--- pfkey.c 30 Jun 2012 14:51:31 -0000 1.53
+++ pfkey.c 8 Jul 2012 09:12:28 -0000
@@ -493,30 +493,28 @@ pfkey_sa(int sd, u_int8_t satype, u_int8
case ENCXF_AES_256:
sa.sadb_sa_encrypt = SADB_X_EALG_AES;
break;
+ case ENCXF_BLOWFISH:
+ sa.sadb_sa_encrypt = SADB_X_EALG_BLF;
+ break;
+ case ENCXF_CAST128:
+ sa.sadb_sa_encrypt = SADB_X_EALG_CAST;
+ break;
+ case ENCXF_NULL:
+ sa.sadb_sa_encrypt = SADB_EALG_NULL;
+ break;
case ENCXF_AESCTR:
case ENCXF_AES_128_CTR:
case ENCXF_AES_192_CTR:
case ENCXF_AES_256_CTR:
- sa.sadb_sa_encrypt = SADB_X_EALG_AESCTR;
- break;
case ENCXF_AES_128_GCM:
case ENCXF_AES_192_GCM:
case ENCXF_AES_256_GCM:
- sa.sadb_sa_encrypt = SADB_X_EALG_AESGCM16;
- break;
case ENCXF_AES_128_GMAC:
case ENCXF_AES_192_GMAC:
case ENCXF_AES_256_GMAC:
- sa.sadb_sa_encrypt = SADB_X_EALG_AESGMAC;
- break;
- case ENCXF_BLOWFISH:
- sa.sadb_sa_encrypt = SADB_X_EALG_BLF;
- break;
- case ENCXF_CAST128:
- sa.sadb_sa_encrypt = SADB_X_EALG_CAST;
- break;
- case ENCXF_NULL:
- sa.sadb_sa_encrypt = SADB_EALG_NULL;
+ warnx("algorithm %s disallowed for static keys",
+ xfs->encxf->name);
+ return -1;
break;
default:
warnx("unsupported encryption algorithm %d",
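Review bot: The `break;` left after the new `return -1;` at the end of the merged CTR/GCM/GMAC case is unreachable and reads as though the old per-mode fallthrough were still intended; end the case with `return -1;` alone. A one-line why-comment above the `warnx` would spare the next reader a trip to the RFCs, e.g. `/* RFC 3686/4106/4543: counter-mode AES must not be manually keyed (nonce/IV reuse under a static key) */`. pfkey_sa begins before this hunk and the switch continues past it, so I cannot see whether the caller handles -1 from this new path the same way it handles the existing `default:` rejection; presumably it does, but worth confirming.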
--
Christian "naddy" Weisgerber [email protected]