From owner-svn-src-head@freebsd.org Fri Jul 3 20:09:16 2015 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 964FC994D05; Fri, 3 Jul 2015 20:09:16 +0000 (UTC) (envelope-from gnn@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 871321B0A; Fri, 3 Jul 2015 20:09:16 +0000 (UTC) (envelope-from gnn@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t63K9GlL015343; Fri, 3 Jul 2015 20:09:16 GMT (envelope-from gnn@FreeBSD.org) Received: (from gnn@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t63K9FW1015338; Fri, 3 Jul 2015 20:09:15 GMT (envelope-from gnn@FreeBSD.org) Message-Id: <201507032009.t63K9FW1015338@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gnn set sender to gnn@FreeBSD.org using -f From: "George V. Neville-Neil" Date: Fri, 3 Jul 2015 20:09:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r285108 - in head: lib/libipsec sbin/setkey sys/net usr.bin/netstat X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jul 2015 20:09:16 -0000 Author: gnn Date: Fri Jul 3 20:09:14 2015 New Revision: 285108 URL: https://svnweb.freebsd.org/changeset/base/285108 Log: New AES modes for IPSec, user space components. Update setkey and libipsec to understand aes-gcm-16 as an encryption method. A partial commit of the work in review D2936. Submitted by: eri Reviewed by: jmg MFC after: 2 weeks Sponsored by: Rubicon Communications (Netgate) Modified: head/lib/libipsec/pfkey_dump.c head/sbin/setkey/setkey.8 head/sbin/setkey/token.l head/sys/net/pfkeyv2.h head/usr.bin/netstat/ipsec.c Modified: head/lib/libipsec/pfkey_dump.c ============================================================================== --- head/lib/libipsec/pfkey_dump.c Fri Jul 3 19:01:38 2015 (r285107) +++ head/lib/libipsec/pfkey_dump.c Fri Jul 3 20:09:14 2015 (r285108) @@ -187,6 +187,9 @@ static struct val2str str_alg_enc[] = { #ifdef SADB_X_EALG_AESCTR { SADB_X_EALG_AESCTR, "aes-ctr", }, #endif +#ifdef SADB_X_EALG_AESGCM16 + { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, +#endif #ifdef SADB_X_EALG_CAMELLIACBC { SADB_X_EALG_CAMELLIACBC, "camellia-cbc", }, #endif Modified: head/sbin/setkey/setkey.8 ============================================================================== --- head/sbin/setkey/setkey.8 Fri Jul 3 19:01:38 2015 (r285107) +++ head/sbin/setkey/setkey.8 Fri Jul 3 20:09:14 2015 (r285108) @@ -627,11 +627,12 @@ des-deriv 64 ipsec-ciph-des-derived-01 3des-deriv 192 no document rijndael-cbc 128/192/256 rfc3602 aes-ctr 160/224/288 draft-ietf-ipsec-ciph-aes-ctr-03 +aes-gcm-16 160/224/288 rfc4106 camellia-cbc 128/192/256 rfc4312 .Ed .Pp Note that the first 128/192/256 bits of a key for -.Li aes-ctr +.Li aes-ctr or aes-gcm-16 will be used as AES key, and remaining 32 bits will be used as nonce. .Pp The following are the list of compression algorithms that can be used Modified: head/sbin/setkey/token.l ============================================================================== --- head/sbin/setkey/token.l Fri Jul 3 19:01:38 2015 (r285107) +++ head/sbin/setkey/token.l Fri Jul 3 20:09:14 2015 (r285108) @@ -168,6 +168,7 @@ tcp { yylval.num = 0; return(PR_TCP); } rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); } aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); } camellia-cbc { yylval.num = SADB_X_EALG_CAMELLIACBC; BEGIN INITIAL; return(ALG_ENC); } +aes-gcm-16 { yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC); } /* compression algorithms */ {hyphen}C { return(F_COMP); } Modified: head/sys/net/pfkeyv2.h ============================================================================== --- head/sys/net/pfkeyv2.h Fri Jul 3 19:01:38 2015 (r285107) +++ head/sys/net/pfkeyv2.h Fri Jul 3 20:09:14 2015 (r285108) @@ -343,6 +343,9 @@ struct sadb_x_nat_t_frag { #define SADB_X_AALG_SHA2_512 7 #define SADB_X_AALG_RIPEMD160HMAC 8 #define SADB_X_AALG_AES_XCBC_MAC 9 /* draft-ietf-ipsec-ciph-aes-xcbc-mac-04 */ +#define SADB_X_AALG_AES128GMAC 11 /* RFC4543 + Errata1821 */ +#define SADB_X_AALG_AES192GMAC 12 +#define SADB_X_AALG_AES256GMAC 13 /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_AALG_MD5 249 /* Keyed MD5 */ #define SADB_X_AALG_SHA 250 /* Keyed SHA */ @@ -360,8 +363,12 @@ struct sadb_x_nat_t_frag { #define SADB_X_EALG_BLOWFISHCBC 7 #define SADB_X_EALG_RIJNDAELCBC 12 #define SADB_X_EALG_AES 12 +#define SADB_X_EALG_AESGCM8 18 /* RFC4106 */ +#define SADB_X_EALG_AESGCM12 19 +#define SADB_X_EALG_AESGCM16 20 /* private allocations - based on RFC4312/IANA assignment */ #define SADB_X_EALG_CAMELLIACBC 22 +#define SADB_X_EALG_AESGMAC 23 /* RFC4543 + Errata1821 */ /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for IPSEC */ #define SADB_X_EALG_AESCTR 250 /*249*/ /* draft-ietf-ipsec-ciph-aes-ctr-03 */ Modified: head/usr.bin/netstat/ipsec.c ============================================================================== --- head/usr.bin/netstat/ipsec.c Fri Jul 3 19:01:38 2015 (r285107) +++ head/usr.bin/netstat/ipsec.c Fri Jul 3 20:09:14 2015 (r285108) @@ -157,6 +157,9 @@ static struct val2str ipsec_espnames[] = #ifdef SADB_X_EALG_AESCTR { SADB_X_EALG_AESCTR, "aes-ctr", }, #endif +#ifdef SADB_X_EALG_AESGCM16 + { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, +#endif { -1, NULL }, };