aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorTobias Brunner <tobias@strongswan.org>2009-12-01 18:17:37 +0100
committerTobias Brunner <tobias@strongswan.org>2010-02-12 10:57:39 +0100
commit71baf5a8f0f80fa3d2a03cfb597b6babe33394dd (patch)
tree6b0cb11fded48e7b3335a15d3fb73553c3b0b68a /src
parent2aa553d773ef1c6b39ba441ee56b407eda91e7b8 (diff)
downloadstrongswan-71baf5a8f0f80fa3d2a03cfb597b6babe33394dd.tar.bz2
strongswan-71baf5a8f0f80fa3d2a03cfb597b6babe33394dd.tar.xz
Adding support for AES GMAC (RFC4543).
Diffstat (limited to 'src')
-rw-r--r--src/charon/config/proposal.c1
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c3
-rw-r--r--src/charon/sa/keymat.c9
-rw-r--r--src/include/linux/pfkeyv2.h1
-rw-r--r--src/libfreeswan/pfkeyv2.h1
-rw-r--r--src/libstrongswan/crypto/proposal/proposal_keywords.txt181
-rw-r--r--src/pluto/alg_info.c3
-rw-r--r--src/pluto/constants.c3
-rw-r--r--src/pluto/constants.h7
-rw-r--r--src/pluto/crypto.c4
-rw-r--r--src/pluto/ipsec_doi.c7
-rw-r--r--src/pluto/kernel.c1
-rw-r--r--src/pluto/kernel_alg.c4
-rw-r--r--src/pluto/kernel_netlink.c2
14 files changed, 124 insertions, 103 deletions
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 6b3500b6e..f2a34f20e 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -269,6 +269,7 @@ static bool is_authenticated_encryption(u_int16_t alg)
case ENCR_CAMELLIA_CCM_ICV8:
case ENCR_CAMELLIA_CCM_ICV12:
case ENCR_CAMELLIA_CCM_ICV16:
+ case ENCR_NULL_AUTH_AES_GMAC:
return TRUE;
}
return FALSE;
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 850876b9d..fa1d041fb 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -181,7 +181,7 @@ static kernel_algorithm_t encryption_algs[] = {
{ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
{ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
{ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
-/* {ENCR_NULL_AUTH_AES_GMAC, "***" }, */
+ {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
{ENCR_CAMELLIA_CBC, "cbc(camellia)" },
/* {ENCR_CAMELLIA_CTR, "***" }, */
/* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
@@ -1007,6 +1007,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
break;
case ENCR_AES_CCM_ICV16:
case ENCR_AES_GCM_ICV16:
+ case ENCR_NULL_AUTH_AES_GMAC:
case ENCR_CAMELLIA_CCM_ICV16:
icv_size += 32;
/* FALL */
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
index e49626354..837cbe428 100644
--- a/src/charon/sa/keymat.c
+++ b/src/charon/sa/keymat.c
@@ -99,8 +99,8 @@ struct keylen_entry_t {
* Keylen for encryption algos
*/
keylen_entry_t keylen_enc[] = {
- {ENCR_DES, 64},
- {ENCR_3DES, 192},
+ {ENCR_DES, 64},
+ {ENCR_3DES, 192},
{END_OF_LIST, 0}
};
@@ -108,7 +108,7 @@ keylen_entry_t keylen_enc[] = {
* Keylen for integrity algos
*/
keylen_entry_t keylen_int[] = {
- {AUTH_HMAC_MD5_96, 128},
+ {AUTH_HMAC_MD5_96, 128},
{AUTH_HMAC_SHA1_96, 160},
{AUTH_HMAC_SHA2_256_96, 256},
{AUTH_HMAC_SHA2_256_128, 256},
@@ -414,7 +414,7 @@ static bool derive_child_keys(private_keymat_t *this,
/* to bytes */
enc_size /= 8;
- /* CCM/GCM/CTR needs additional bytes */
+ /* CCM/GCM/CTR/GMAC needs additional bytes */
switch (enc_alg)
{
case ENCR_AES_CCM_ICV8:
@@ -429,6 +429,7 @@ static bool derive_child_keys(private_keymat_t *this,
case ENCR_AES_GCM_ICV12:
case ENCR_AES_GCM_ICV16:
case ENCR_AES_CTR:
+ case ENCR_NULL_AUTH_AES_GMAC:
enc_size += 4;
break;
default:
diff --git a/src/include/linux/pfkeyv2.h b/src/include/linux/pfkeyv2.h
index b4b0712a4..7379d1a94 100644
--- a/src/include/linux/pfkeyv2.h
+++ b/src/include/linux/pfkeyv2.h
@@ -315,6 +315,7 @@ struct sadb_x_kmaddress {
#define SADB_X_EALG_AES_GCM_ICV12 19
#define SADB_X_EALG_AES_GCM_ICV16 20
#define SADB_X_EALG_CAMELLIACBC 22
+#define SADB_X_EALG_NULL_AES_GMAC 23
#define SADB_EALG_MAX 253 /* last EALG */
/* private allocations should use 249-255 (RFC2407) */
#define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
index 685db1273..725997ebc 100644
--- a/src/libfreeswan/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@@ -337,6 +337,7 @@ struct sadb_protocol {
#define SADB_X_EALG_AES_GCM_ICV12 19
#define SADB_X_EALG_AES_GCM_ICV16 20
#define SADB_X_EALG_CAMELLIACBC 22
+#define SADB_X_EALG_NULL_AES_GMAC 23
#define SADB_EALG_MAX 253 /* last EALG */
/* private allocations should use 249-255 (RFC2407) */
#define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
index 139d689ca..0997c9316 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
@@ -29,92 +29,95 @@ struct proposal_token {
u_int16_t keysize;
};
%%
-null, ENCRYPTION_ALGORITHM, ENCR_NULL, 0
-des, ENCRYPTION_ALGORITHM, ENCR_DES, 0
-3des, ENCRYPTION_ALGORITHM, ENCR_3DES, 0
-aes, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128
-aes128, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128
-aes192, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192
-aes256, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256
-aes128ctr, ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128
-aes192ctr, ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192
-aes256ctr, ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256
-aes128ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128
-aes128ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128
-aes128ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128
-aes128ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128
-aes128ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128
-aes128ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128
-aes192ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192
-aes192ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192
-aes192ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192
-aes192ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192
-aes192ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192
-aes192ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192
-aes256ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256
-aes256ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256
-aes256ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256
-aes256ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256
-aes256ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256
-aes256ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256
-aes128gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128
-aes128gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128
-aes128gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128
-aes128gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128
-aes128gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128
-aes128gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128
-aes192gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192
-aes192gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192
-aes192gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192
-aes192gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192
-aes192gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192
-aes192gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192
-aes256gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256
-aes256gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256
-aes256gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256
-aes256gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256
-aes256gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256
-aes256gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256
-blowfish, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128
-blowfish128, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128
-blowfish192, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192
-blowfish256, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256
-camellia, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128
-camellia128, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128
-camellia192, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192
-camellia256, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256
-cast128, ENCRYPTION_ALGORITHM, ENCR_CAST, 128
-serpent, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128
-serpent128, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128
-serpent192, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192
-serpent256, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256
-twofish, ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128
-twofish128, ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128
-twofish192, ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192
-twofish256, ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256
-sha, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0
-sha1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0
-sha256, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0
-sha2_256, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0
-sha256_96, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0
-sha2_256_96, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0
-sha384, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0
-sha2_384, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0
-sha512, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0
-sha2_512, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0
-md5, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0
-aesxcbc, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0
-modpnull, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0
-modp768, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0
-modp1024, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0
-modp1536, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0
-modp2048, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0
-modp3072, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0
-modp4096, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0
-modp6144, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0
-modp8192, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0
-ecp192, DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0
-ecp224, DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0
-ecp256, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0
-ecp384, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0
-ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0
+null, ENCRYPTION_ALGORITHM, ENCR_NULL, 0
+des, ENCRYPTION_ALGORITHM, ENCR_DES, 0
+3des, ENCRYPTION_ALGORITHM, ENCR_3DES, 0
+aes, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128
+aes128, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128
+aes192, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192
+aes256, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256
+aes128ctr, ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 128
+aes192ctr, ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192
+aes256ctr, ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 256
+aes128ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128
+aes128ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 128
+aes128ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128
+aes128ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 128
+aes128ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128
+aes128ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 128
+aes192ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192
+aes192ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 192
+aes192ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192
+aes192ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 192
+aes192ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192
+aes192ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 192
+aes256ccm8, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256
+aes256ccm64, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8, 256
+aes256ccm12, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256
+aes256ccm96, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12, 256
+aes256ccm16, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256
+aes256ccm128, ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16, 256
+aes128gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128
+aes128gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 128
+aes128gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128
+aes128gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 128
+aes128gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128
+aes128gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 128
+aes192gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192
+aes192gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 192
+aes192gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192
+aes192gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 192
+aes192gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192
+aes192gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 192
+aes256gcm8, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256
+aes256gcm64, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8, 256
+aes256gcm12, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256
+aes256gcm96, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12, 256
+aes256gcm16, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256
+aes256gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256
+aes128gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128
+aes192gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192
+aes256gmac, ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256
+blowfish, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128
+blowfish128, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128
+blowfish192, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192
+blowfish256, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256
+camellia, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128
+camellia128, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128
+camellia192, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192
+camellia256, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256
+cast128, ENCRYPTION_ALGORITHM, ENCR_CAST, 128
+serpent, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128
+serpent128, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 128
+serpent192, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 192
+serpent256, ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC, 256
+twofish, ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128
+twofish128, ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 128
+twofish192, ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 192
+twofish256, ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC, 256
+sha, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0
+sha1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0
+sha256, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0
+sha2_256, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0
+sha256_96, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0
+sha2_256_96, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_96, 0
+sha384, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0
+sha2_384, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0
+sha512, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0
+sha2_512, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0
+md5, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0
+aesxcbc, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0
+modpnull, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0
+modp768, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0
+modp1024, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0
+modp1536, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0
+modp2048, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0
+modp3072, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0
+modp4096, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0
+modp6144, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0
+modp8192, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0
+ecp192, DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0
+ecp224, DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0
+ecp256, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0
+ecp384, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0
+ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index edecf14c6..32fd46ef4 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -139,6 +139,7 @@ static bool is_authenticated_encryption(int ealg_id)
case ESP_AES_GCM_8:
case ESP_AES_GCM_12:
case ESP_AES_GCM_16:
+ case ESP_AES_GMAC:
return TRUE;
}
return FALSE;
@@ -474,7 +475,7 @@ struct alg_info_ike *alg_info_ike_create_from_str(char *alg_str)
if (alg_info_parse_str((struct alg_info *)alg_info_ike, alg_str) == SUCCESS)
{
- alg_info_ike->ref_cnt = 1;
+ alg_info_ike->ref_cnt = 1;
return alg_info_ike;
}
else
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 6f991fd69..7823abe93 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -392,7 +392,8 @@ static const char *const esp_transform_name[] = {
"AES_GCM_12",
"AES_GCM_16",
"SEED_CBC",
- "CAMELLIA_CBC"
+ "CAMELLIA_CBC",
+ "AES_GMAC"
};
static const char *const esp_transform_name_high[] = {
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 8c574ebc5..e9567c07a 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -125,10 +125,10 @@ extern const char sparse_end[];
#define MAX_DIGEST_LEN HASH_SIZE_SHA512
/* RFC 2404 "HMAC-SHA-1-96" section 3 */
-#define HMAC_SHA1_KEY_LEN HASH_SIZE_SHA1
+#define HMAC_SHA1_KEY_LEN HASH_SIZE_SHA1
/* RFC 2403 "HMAC-MD5-96" section 3 */
-#define HMAC_MD5_KEY_LEN HASH_SIZE_MD5
+#define HMAC_MD5_KEY_LEN HASH_SIZE_MD5
#define IKE_UDP_PORT 500
@@ -150,7 +150,7 @@ enum ipsec_authentication_algo {
AH_AES_128_GMAC = 11,
AH_AES_192_GMAC = 12,
AH_AES_256_GMAC = 13,
- AH_SHA2_256_96 = 252
+ AH_SHA2_256_96 = 252
};
extern enum_names ah_transform_names;
@@ -184,6 +184,7 @@ enum ipsec_cipher_algo {
ESP_AES_GCM_16 = 20,
ESP_SEED_CBC = 21,
ESP_CAMELLIA = 22,
+ ESP_AES_GMAC = 23,
ESP_SERPENT = 252,
ESP_TWOFISH = 253
};
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 2113cecbc..fb0cff7b4 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -580,9 +580,11 @@ int esp_from_encryption_algorithm(encryption_algorithm_t alg)
return ESP_AES_GCM_16;
case ENCR_CAMELLIA_CBC:
return ESP_CAMELLIA;
+ case ENCR_NULL_AUTH_AES_GMAC:
+ return ESP_AES_GMAC;
case ENCR_SERPENT_CBC:
return ESP_SERPENT;
- case ENCR_TWOFISH_CBC:
+ case ENCR_TWOFISH_CBC:
return ESP_TWOFISH;
default:
return 0;
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 1f8917d79..797ac6d01 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -2753,6 +2753,7 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
case ESP_AES_GCM_12:
case ESP_AES_GCM_16:
case ESP_AES_CTR:
+ case ESP_AES_GMAC:
needed_len += 4;
break;
default:
@@ -3620,7 +3621,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
if (send_cert)
{
bool success;
- chunk_t cert_encoding;
+ chunk_t cert_encoding;
pb_stream cert_pbs;
struct isakmp_cert cert_hd;
@@ -3634,7 +3635,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
cert_encoding = mycert->cert->get_encoding(mycert->cert);
success = out_chunk(cert_encoding, &cert_pbs, "CERT");
free(cert_encoding.ptr);
- if (!success)
+ if (!success)
{
return STF_INTERNAL_ERROR;
}
@@ -4076,7 +4077,7 @@ main_inI3_outR3_tail(struct msg_digest *md
success = out_chunk(cert_encoding, &cert_pbs, "CERT");
free(cert_encoding.ptr);
if (!success)
- {
+ {
return STF_INTERNAL_ERROR;
}
close_output_pbs(&cert_pbs);
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index fe4655d3f..ee22fb55e 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1993,6 +1993,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
case ESP_AES_GCM_12:
case ESP_AES_GCM_16:
case ESP_AES_CTR:
+ case ESP_AES_GMAC:
key_len += 4;
break;
default:
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index bf67315e6..7c2855edc 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -395,6 +395,10 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
kernel_alg_add(satype, supp_exttype, &alg);
}
}
+
+ /* also register AES_GMAC */
+ alg.sadb_alg_id = SADB_X_EALG_NULL_AES_GMAC;
+ kernel_alg_add(satype, supp_exttype, &alg);
}
/* if SHA2_256 is registered then also register SHA2_256_96 */
if (satype == SADB_SATYPE_ESP &&
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index 289714b50..75d0c98d3 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -112,6 +112,7 @@ static sparse_names ealg_list = {
{ SADB_X_EALG_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
{ SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
{ SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
+ { SADB_X_EALG_NULL_AES_GMAC, "rfc4543(gcm(aes))" },
{ SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
{ SADB_X_EALG_SERPENTCBC, "serpent" },
{ SADB_X_EALG_TWOFISHCBC, "twofish" },
@@ -687,6 +688,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
break;
case SADB_X_EALG_AES_CCM_ICV16:
case SADB_X_EALG_AES_GCM_ICV16:
+ case SADB_X_EALG_NULL_AES_GMAC:
icv_size += 32;
/* FALL */
case SADB_X_EALG_AES_CCM_ICV12: