support of AES_XCBC and CAMELLIA ESP cipher by pluto

2008-04-18 17:01:45 +00:00 · 2008-04-18 17:01:45 +00:00 · 1da277f045
parent 855c9a9089
commit 1da277f045
4 changed files with 65 additions and 72 deletions
--- a/src/libfreeswan/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@ -312,49 +312,39 @@ struct sadb_protocol {
 #define SADB_X_SAFLAGS_CLEARFLOW	4
 #define SADB_X_SAFLAGS_INFLOW		8

-/* not obvious, but these are the same values as used in isakmp,
- * and in freeswan/ipsec_policy.h. If you need to add any, they
- * should be added as according to
- *   http://www.iana.org/assignments/isakmp-registry
- *
- * and if not, then please try to use a private-use value, and
- * consider asking IANA to assign a value.
- */
-#define SADB_AALG_NONE                  0
-#define SADB_AALG_MD5_HMAC		2
-#define SADB_AALG_SHA1_HMAC		3
-#define SADB_AALG_DES_MAC		4
-#define SADB_AALG_SHA2_256_HMAC		5
-#define SADB_AALG_SHA2_384_HMAC		6
-#define SADB_AALG_SHA2_512_HMAC		7
-#define SADB_AALG_RIPEMD_160_HMAC	8
-#define SADB_AALG_AES_XCBC_MAC		9
+/* Authentication algorithms */
+#define SADB_AALG_NONE			0
+#define SADB_AALG_MD5HMAC		2
+#define SADB_AALG_SHA1HMAC		3
+#define SADB_X_AALG_SHA2_256HMAC	5
+#define SADB_X_AALG_SHA2_384HMAC	6
+#define SADB_X_AALG_SHA2_512HMAC	7
+#define SADB_X_AALG_RIPEMD160HMAC	8
+#define SADB_X_AALG_AES_XCBC_MAC	9
 #define SADB_X_AALG_NULL		251	/* kame */
 #define SADB_AALG_MAX			251

+/* Encryption algorithms */
 #define SADB_EALG_NONE			0
-#define SADB_EALG_DES_CBC		2
-#define SADB_EALG_3DES_CBC		3
-#define SADB_EALG_RC5_CBC		4
-#define SADB_EALG_IDEA_CBC		5
-#define SADB_EALG_CAST_CBC		6
-#define SADB_EALG_BLOWFISH_CBC		7
+#define SADB_EALG_DESCBC		2
+#define SADB_EALG_3DESCBC		3
+#define SADB_X_EALG_CASTCBC		6
+#define SADB_X_EALG_BLOWFISHCBC		7
 #define SADB_EALG_NULL			11
-#define SADB_EALG_AES_CBC		12
-#define SADB_EALG_AES_CTR		13
-#define SADB_X_EALG_SERPENT_CBC		252
-#define SADB_X_EALG_TWOFISH_CBC		253
-#define SADB_EALG_MAX			253
+#define SADB_X_EALG_AESCBC		12
+#define SADB_X_EALG_CAMELLIACBC		22
+#define SADB_EALG_MAX                   253 /* last EALG */
+/* private allocations should use 249-255 (RFC2407) */
+#define SADB_X_EALG_SERPENTCBC  252     /* draft-ietf-ipsec-ciph-aes-cbc-00 */
+#define SADB_X_EALG_TWOFISHCBC  253     /* draft-ietf-ipsec-ciph-aes-cbc-00 */

-#define SADB_X_CALG_NONE          0
-#define SADB_X_CALG_OUI           1
-#define SADB_X_CALG_DEFLATE       2
-#define SADB_X_CALG_LZS           3
-#define SADB_X_CALG_V42BIS        4
-#ifdef KERNEL26_HAS_KAME_DUPLICATES
-#define SADB_X_CALG_LZJH          4
-#endif
-#define SADB_X_CALG_MAX           4
+/* Compression algorithms */
+#define SADB_X_CALG_NONE		0
+#define SADB_X_CALG_OUI			1
+#define SADB_X_CALG_DEFLATE		2
+#define SADB_X_CALG_LZS			3
+#define SADB_X_CALG_LZJH		4
+#define SADB_X_CALG_MAX			4

 #define SADB_X_TALG_NONE          0
 #define SADB_X_TALG_IPv4_in_IPv4  1
@ -363,13 +353,11 @@ struct sadb_protocol {
 #define SADB_X_TALG_IPv6_in_IPv6  4
 #define SADB_X_TALG_MAX           4

+/* Identity Extension values */
+#define SADB_IDENTTYPE_RESERVED	0
+#define SADB_IDENTTYPE_PREFIX	1
+#define SADB_IDENTTYPE_FQDN	2
+#define SADB_IDENTTYPE_USERFQDN	3
+#define SADB_IDENTTYPE_MAX	3

-#define SADB_IDENTTYPE_RESERVED   0
-#define SADB_IDENTTYPE_PREFIX     1
-#define SADB_IDENTTYPE_FQDN       2
-#define SADB_IDENTTYPE_USERFQDN   3
-#define SADB_X_IDENTTYPE_CONNECTION 4
-#define SADB_IDENTTYPE_MAX        4
-
-#define SADB_KEY_FLAGS_MAX     0
 #endif /* __PFKEY_V2_H */
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@ -96,8 +96,8 @@ alg_info_esp_sadb2aa(int sadb_aalg)
    int auth = 0;

    switch(sadb_aalg) {
-	case SADB_AALG_MD5_HMAC:
-	case SADB_AALG_SHA1_HMAC:
+	case SADB_AALG_MD5HMAC:
+	case SADB_AALG_SHA1HMAC:
 	    auth = sadb_aalg - 1;
 	    break;
 	/* since they are the same ...  :)  */
@ -195,7 +195,11 @@ aalg_getbyname_esp(const char *const str, int len)

    /* interpret 'SHA' as 'SHA1' */
    if (strncasecmp("SHA", str, len) == 0)
-	return enum_search(&auth_alg_names, "AUTH_ALGORITHM_HMAC_SHA1");
+	return AUTH_ALGORITHM_HMAC_SHA1;
+
+    /* interpret 'AESXCBC' as 'AES_XCBC_MAC' */
+    if (strncasecmp("AESXCBC", str, len) == 0)
+	return AUTH_ALGORITHM_AES_XCBC_MAC;

    ret = enum_search_prefix(&auth_alg_names,"AUTH_ALGORITHM_HMAC_", str ,len);
    if (ret >= 0)
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@ -1827,30 +1827,30 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
 	static const struct esp_info esp_info[] = {
 	    { ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
 		0, HMAC_MD5_KEY_LEN,
-		SADB_EALG_NULL, SADB_AALG_MD5_HMAC },
+		SADB_EALG_NULL, SADB_AALG_MD5HMAC },
 	    { ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
 		0, HMAC_SHA1_KEY_LEN,
-		SADB_EALG_NULL, SADB_AALG_SHA1_HMAC },
+		SADB_EALG_NULL, SADB_AALG_SHA1HMAC },

 	    { ESP_DES, AUTH_ALGORITHM_NONE,
 		DES_CBC_BLOCK_SIZE, 0,
-		SADB_EALG_DES_CBC, SADB_AALG_NONE },
+		SADB_EALG_DESCBC, SADB_AALG_NONE },
 	    { ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
 		DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
-		SADB_EALG_DES_CBC, SADB_AALG_MD5_HMAC },
+		SADB_EALG_DESCBC, SADB_AALG_MD5HMAC },
 	    { ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
 		DES_CBC_BLOCK_SIZE,
-		HMAC_SHA1_KEY_LEN, SADB_EALG_DES_CBC, SADB_AALG_SHA1_HMAC },
+		HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC },

 	    { ESP_3DES, AUTH_ALGORITHM_NONE,
 		DES_CBC_BLOCK_SIZE * 3, 0,
-		SADB_EALG_3DES_CBC, SADB_AALG_NONE },
+		SADB_EALG_3DESCBC, SADB_AALG_NONE },
 	    { ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
 		DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
-		SADB_EALG_3DES_CBC, SADB_AALG_MD5_HMAC },
+		SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC },
 	    { ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
 		DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
-		SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC },
+		SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC },
 	};

 	u_int8_t natt_type = 0;
@ -1976,11 +1976,11 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
 	switch (st->st_ah.attrs.auth)
 	{
 	case AUTH_ALGORITHM_HMAC_MD5:
-	    authalg = SADB_AALG_MD5_HMAC;
+	    authalg = SADB_AALG_MD5HMAC;
 	    break;

 	case AUTH_ALGORITHM_HMAC_SHA1:
-	    authalg = SADB_AALG_SHA1_HMAC;
+	    authalg = SADB_AALG_SHA1HMAC;
 	    break;

 	default:
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@ -83,12 +83,13 @@ static sparse_names xfrm_type_names = {
 /* Authentication algorithms */
 static sparse_names aalg_list = {
 	{ SADB_X_AALG_NULL, "digest_null" },
-	{ SADB_AALG_MD5_HMAC, "md5" },
-	{ SADB_AALG_SHA1_HMAC, "sha1" },
-	{ SADB_AALG_SHA2_256_HMAC, "sha256" },
-	{ SADB_AALG_SHA2_384_HMAC, "sha384" },
-	{ SADB_AALG_SHA2_512_HMAC, "sha512" },
-	{ SADB_AALG_RIPEMD_160_HMAC, "ripemd160" },
+	{ SADB_AALG_MD5HMAC, "md5" },
+	{ SADB_AALG_SHA1HMAC, "sha1" },
+	{ SADB_X_AALG_SHA2_256HMAC, "sha256" },
+	{ SADB_X_AALG_SHA2_384HMAC, "sha384" },
+	{ SADB_X_AALG_SHA2_512HMAC, "sha512" },
+	{ SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
+	{ SADB_X_AALG_AES_XCBC_MAC, "aesxcbc"},
 	{ SADB_X_AALG_NULL, "null" },
 	{ 0, sparse_end }
 };
@ -96,14 +97,14 @@ static sparse_names aalg_list = {
 /* Encryption algorithms */
 static sparse_names ealg_list = {
 	{ SADB_EALG_NULL, "cipher_null" },
-	{ SADB_EALG_DES_CBC, "des" },
-	{ SADB_EALG_3DES_CBC, "des3_ede" },
-	{ SADB_EALG_IDEA_CBC, "idea" },
-	{ SADB_EALG_CAST_CBC, "cast128" },
-	{ SADB_EALG_BLOWFISH_CBC, "blowfish" },
-	{ SADB_EALG_AES_CBC, "aes" },
-	{ SADB_X_EALG_SERPENT_CBC, "serpent" },
-	{ SADB_X_EALG_TWOFISH_CBC, "twofish" },
+	{ SADB_EALG_DESCBC, "des" },
+	{ SADB_EALG_3DESCBC, "des3_ede" },
+	{ SADB_X_EALG_CASTCBC, "cast128" },
+	{ SADB_X_EALG_BLOWFISHCBC, "blowfish" },
+	{ SADB_X_EALG_AESCBC, "aes" },
+	{ SADB_X_EALG_CAMELLIACBC, "camellia" },
+	{ SADB_X_EALG_SERPENTCBC, "serpent" },
+	{ SADB_X_EALG_TWOFISHCBC, "twofish" },
 	{ 0, sparse_end }
 };