From c65ee7c758bc6f2301eea90a350c234582b45a30 Mon Sep 17 00:00:00 2001 From: Hajimu UMEMOTO Date: Mon, 13 Oct 2003 04:54:51 +0000 Subject: [PATCH] - support AES XCBC MAC for AH - correct SADB_X_AALG_RIPEMD160HMAC to 8 Obtained from: KAME --- lib/libipsec/pfkey_dump.c | 3 +++ sbin/setkey/setkey.8 | 2 ++ sbin/setkey/token.l | 1 + sys/conf/files | 5 +++-- sys/net/pfkeyv2.h | 3 ++- sys/netinet6/ah_core.c | 7 +++++++ usr.sbin/setkey/setkey.8 | 2 ++ usr.sbin/setkey/token.l | 1 + 8 files changed, 21 insertions(+), 3 deletions(-) diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c index 67e62564c044..b2cddf2bac2c 100644 --- a/lib/libipsec/pfkey_dump.c +++ b/lib/libipsec/pfkey_dump.c @@ -174,6 +174,9 @@ static struct val2str str_alg_auth[] = { #endif #ifdef SADB_X_AALG_RIPEMD160HMAC { SADB_X_AALG_RIPEMD160HMAC, "hmac-ripemd160", }, +#endif +#ifdef SADB_X_AALG_AES_XCBC_MAC + { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, #endif { -1, NULL, }, }; diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8 index d11a6addcd9d..680803b08688 100644 --- a/sbin/setkey/setkey.8 +++ b/sbin/setkey/setkey.8 @@ -551,6 +551,8 @@ hmac-sha2-512 512 ah: 96bit ICV (no document) 512 ah-old: 128bit ICV (no document) hmac-ripemd160 160 ah: 96bit ICV (RFC2857) ah-old: 128bit ICV (no document) +aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) + 128 ah-old: 128bit ICV (no document) .Ed .Pp Followings are the list of encryption algorithms that can be used as diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l index eed519082a40..312df4c3fbd3 100644 --- a/sbin/setkey/token.l +++ b/sbin/setkey/token.l @@ -171,6 +171,7 @@ hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); } hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); } hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); } hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); } +aes-xcbc-mac { PREPROC; yylval.num = SADB_X_AALG_AES_XCBC_MAC; return(ALG_AUTH); } null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); } /* encryption alogorithm */ diff --git a/sys/conf/files b/sys/conf/files index e99e52983ab0..84a88f5d45bf 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -205,8 +205,8 @@ crypto/blowfish/bf_skey.c optional ipsec ipsec_esp crypto/cast128/cast128.c optional ipsec ipsec_esp crypto/des/des_ecb.c optional ipsec ipsec_esp crypto/des/des_setkey.c optional ipsec ipsec_esp -crypto/rijndael/rijndael-alg-fst.c optional ipsec ipsec_esp -crypto/rijndael/rijndael-api-fst.c optional ipsec ipsec_esp +crypto/rijndael/rijndael-alg-fst.c optional ipsec +crypto/rijndael/rijndael-api-fst.c optional ipsec opencrypto/rmd160.c optional ipsec crypto/sha1.c optional ipsec crypto/sha2/sha2.c optional ipsec @@ -1436,6 +1436,7 @@ netinet/tcp_syncache.c optional inet netinet/tcp_timer.c optional inet netinet/tcp_usrreq.c optional inet netinet/udp_usrreq.c optional inet +netinet6/ah_aesxcbcmac.c optional ipsec netinet6/ah_core.c optional ipsec netinet6/ah_input.c optional ipsec netinet6/ah_output.c optional ipsec diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index 506cc44d2993..6fa8a2d3e945 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h @@ -307,7 +307,8 @@ struct sadb_x_ipsecrequest { #define SADB_X_AALG_SHA2_256 5 #define SADB_X_AALG_SHA2_384 6 #define SADB_X_AALG_SHA2_512 7 -#define SADB_X_AALG_RIPEMD160HMAC 9 /*8*/ +#define SADB_X_AALG_RIPEMD160HMAC 8 +#define SADB_X_AALG_AES_XCBC_MAC 9 /* draft-ietf-ipsec-ciph-aes-xcbc-mac-04 */ /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_AALG_MD5 249 /* Keyed MD5 */ #define SADB_X_AALG_SHA 250 /* Keyed SHA */ diff --git a/sys/netinet6/ah_core.c b/sys/netinet6/ah_core.c index ce3cbcd99bbf..ef5a491e5547 100644 --- a/sys/netinet6/ah_core.c +++ b/sys/netinet6/ah_core.c @@ -74,6 +74,7 @@ #ifdef INET6 #include #endif +#include #ifdef IPSEC_ESP #include #ifdef INET6 @@ -188,6 +189,10 @@ ah_algorithm_lookup(idx) "hmac-ripemd160", ah_hmac_ripemd160_init, ah_hmac_ripemd160_loop, ah_hmac_ripemd160_result, }, + { ah_sumsiz_1216, ah_common_mature, 128, 128, + "aes-xcbc-mac", + ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop, + ah_aes_xcbc_mac_result, }, }; switch (idx) { @@ -209,6 +214,8 @@ ah_algorithm_lookup(idx) return &ah_algorithms[7]; case SADB_X_AALG_RIPEMD160HMAC: return &ah_algorithms[8]; + case SADB_X_AALG_AES_XCBC_MAC: + return &ah_algorithms[9]; default: return NULL; } diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8 index d11a6addcd9d..680803b08688 100644 --- a/usr.sbin/setkey/setkey.8 +++ b/usr.sbin/setkey/setkey.8 @@ -551,6 +551,8 @@ hmac-sha2-512 512 ah: 96bit ICV (no document) 512 ah-old: 128bit ICV (no document) hmac-ripemd160 160 ah: 96bit ICV (RFC2857) ah-old: 128bit ICV (no document) +aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) + 128 ah-old: 128bit ICV (no document) .Ed .Pp Followings are the list of encryption algorithms that can be used as diff --git a/usr.sbin/setkey/token.l b/usr.sbin/setkey/token.l index eed519082a40..312df4c3fbd3 100644 --- a/usr.sbin/setkey/token.l +++ b/usr.sbin/setkey/token.l @@ -171,6 +171,7 @@ hmac-sha2-256 { PREPROC; yylval.num = SADB_X_AALG_SHA2_256; return(ALG_AUTH); } hmac-sha2-384 { PREPROC; yylval.num = SADB_X_AALG_SHA2_384; return(ALG_AUTH); } hmac-sha2-512 { PREPROC; yylval.num = SADB_X_AALG_SHA2_512; return(ALG_AUTH); } hmac-ripemd160 { PREPROC; yylval.num = SADB_X_AALG_RIPEMD160HMAC; return(ALG_AUTH); } +aes-xcbc-mac { PREPROC; yylval.num = SADB_X_AALG_AES_XCBC_MAC; return(ALG_AUTH); } null { PREPROC; yylval.num = SADB_X_AALG_NULL; return(ALG_AUTH); } /* encryption alogorithm */