Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 306757 Details for
Bug 441383
IPV6DOD: openswan should negotiate CCM algorithm.
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Add CCM support to Openswan
openswan-ccm.patch (text/plain), 11.91 KB, created by
Herbert Xu
on 2008-05-27 11:26:44 UTC
(
hide
)
Description:
Add CCM support to Openswan
Filename:
MIME Type:
Creator:
Herbert Xu
Created:
2008-05-27 11:26:44 UTC
Size:
11.91 KB
patch
obsolete
>Only in openswan-2.6.12: OBJ.linux.x86_64 >diff -ur openswan-2.6.12.orig/include/ietf_constants.h openswan-2.6.12/include/ietf_constants.h >--- openswan-2.6.12.orig/include/ietf_constants.h 2008-04-29 13:43:11.000000000 +0800 >+++ openswan-2.6.12/include/ietf_constants.h 2008-05-27 18:19:15.000000000 +0800 >@@ -456,6 +456,9 @@ > IKEv2_ENCR_AES_CCM_8 = 14, > IKEv2_ENCR_AES_CCM_12 = 15, > IKEv2_ENCR_AES_CCM_16 = 16, >+ IKEv2_ENCR_AES_GCM_8 = 18, >+ IKEv2_ENCR_AES_GCM_12 = 19, >+ IKEv2_ENCR_AES_GCM_16 = 20, > IKEv2_ENCR_INVALID = 65536 > }; > >diff -ur openswan-2.6.12.orig/include/linux/pfkeyv2.h openswan-2.6.12/include/linux/pfkeyv2.h >--- openswan-2.6.12.orig/include/linux/pfkeyv2.h 2008-04-22 11:55:38.000000000 +0800 >+++ openswan-2.6.12/include/linux/pfkeyv2.h 2008-05-27 16:10:11.000000000 +0800 >@@ -285,6 +285,14 @@ > #define SADB_X_EALG_BLOWFISHCBC 7 > #define SADB_EALG_NULL 11 > #define SADB_X_EALG_AESCBC 12 >+#define SADB_X_EALG_AESCTR 13 >+#define SADB_X_EALG_AES_CCM_ICV8 14 >+#define SADB_X_EALG_AES_CCM_ICV12 15 >+#define SADB_X_EALG_AES_CCM_ICV16 16 >+#define SADB_X_EALG_AES_GCM_ICV8 18 >+#define SADB_X_EALG_AES_GCM_ICV12 19 >+#define SADB_X_EALG_AES_GCM_ICV16 20 >+#define SADB_X_EALG_CAMELLIACBC 22 > #define SADB_EALG_MAX 253 /* last EALG */ > /* private allocations should use 249-255 (RFC2407) */ > #define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */ >diff -ur openswan-2.6.12.orig/lib/libopenswan/constants.c openswan-2.6.12/lib/libopenswan/constants.c >--- openswan-2.6.12.orig/lib/libopenswan/constants.c 2008-04-29 13:43:11.000000000 +0800 >+++ openswan-2.6.12/lib/libopenswan/constants.c 2008-05-27 17:53:08.000000000 +0800 >@@ -286,7 +286,17 @@ > "ESP_DES_IV32", > "ESP_RC4", > "ESP_NULL", >- "ESP_AES" >+ "ESP_AES", >+ "ESP_AES_CTR", >+ "ESP_AES_CCM_A", >+ "ESP_AES_CCM_B", >+ "ESP_AES_CCM_C", >+ "ESP_ID17", >+ "ESP_AES_GCM_A", >+ "ESP_AES_GCM_B", >+ "ESP_AES_GCM_C", >+ "ESP_SEED_CBC", >+ "ESP_CAMELLIA", > }; > > /* >@@ -295,7 +305,7 @@ > */ > static const char *const esp_transform_name_high[] = { > /* id=248 */ "ESP_ID248","ESP_MARS","ESP_RC6","ESP_ID251", >- /* id=252 */ "ESP_SERPENT", "ESP_TWOFISH", "ESP_CAMELLIA", "ESP_ID255", >+ /* id=252 */ "ESP_SERPENT", "ESP_TWOFISH", "ESP_ID254", "ESP_ID255", > /* id=256 */ "ESP_ID256" > }; > >@@ -303,7 +313,7 @@ > { 248, 256, esp_transform_name_high, NULL }; > > enum_names esp_transformid_names = >- { ESP_DES_IV64, ESP_AES, esp_transform_name, &esp_transformid_names_high }; >+ { ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transformid_names_high }; > > /* IPCOMP transform values */ > >diff -ur openswan-2.6.12.orig/linux/include/openswan/ipsec_policy.h openswan-2.6.12/linux/include/openswan/ipsec_policy.h >--- openswan-2.6.12.orig/linux/include/openswan/ipsec_policy.h 2008-04-29 13:43:11.000000000 +0800 >+++ openswan-2.6.12/linux/include/openswan/ipsec_policy.h 2008-05-27 15:59:02.000000000 +0800 >@@ -104,6 +104,7 @@ > ESP_RC4=10, > ESP_NULL=11, > ESP_AES=12, /* 128 bit AES */ >+ ESP_CAMELLIA=22, > }; > > /* IPCOMP transform values >diff -ur openswan-2.6.12.orig/linux/include/openswan/ipsec_xform.h openswan-2.6.12/linux/include/openswan/ipsec_xform.h >--- openswan-2.6.12.orig/linux/include/openswan/ipsec_xform.h 2008-04-22 11:55:38.000000000 +0800 >+++ openswan-2.6.12/linux/include/openswan/ipsec_xform.h 2008-05-27 15:59:56.000000000 +0800 >@@ -67,6 +67,7 @@ > #define ESP_RC4 10 > #define ESP_NULL 11 > #define ESP_AES 12 >+#define ESP_CAMELLIA 22 > > /* as draft-ietf-ipsec-ciph-aes-cbc-02.txt */ > #define ESP_MARS 249 >diff -ur openswan-2.6.12.orig/linux/include/openswan/pfkeyv2.h openswan-2.6.12/linux/include/openswan/pfkeyv2.h >--- openswan-2.6.12.orig/linux/include/openswan/pfkeyv2.h 2008-04-22 11:55:38.000000000 +0800 >+++ openswan-2.6.12/linux/include/openswan/pfkeyv2.h 2008-05-27 16:30:54.000000000 +0800 >@@ -462,6 +462,14 @@ > #define SADB_X_EALG_BLOWFISHCBC 7 > #define SADB_EALG_NULL 11 > #define SADB_X_EALG_AESCBC 12 >+#define SADB_X_EALG_AESCTR 13 >+#define SADB_X_EALG_AES_CCM_ICV8 14 >+#define SADB_X_EALG_AES_CCM_ICV12 15 >+#define SADB_X_EALG_AES_CCM_ICV16 16 >+#define SADB_X_EALG_AES_GCM_ICV8 18 >+#define SADB_X_EALG_AES_GCM_ICV12 19 >+#define SADB_X_EALG_AES_GCM_ICV16 20 >+#define SADB_X_EALG_CAMELLIACBC 22 > #define SADB_EALG_MAX 255 > > enum sadb_ealg { >diff -ur openswan-2.6.12.orig/programs/pluto/kernel_netlink.c openswan-2.6.12/programs/pluto/kernel_netlink.c >--- openswan-2.6.12.orig/programs/pluto/kernel_netlink.c 2008-05-08 16:45:06.000000000 +0800 >+++ openswan-2.6.12/programs/pluto/kernel_netlink.c 2008-05-27 19:04:52.000000000 +0800 >@@ -47,6 +47,8 @@ > #include "log.h" > #include "whack.h" /* for RC_LOG_SERIOUS */ > #include "kernel_alg.h" >+#include "crypto/aes_cbc.h" >+#include "ike_alg.h" > > #ifdef XAUTH_USEPAM > #include <security/pam_appl.h> >@@ -55,6 +57,12 @@ > /* Minimum priority number in SPD used by pluto. */ > #define MIN_SPD_PRIORITY 1024 > >+struct aead_alg { >+ int id; >+ int icvlen; >+ const char *name; >+}; >+ > static int netlinkfd = NULL_FD; > static int netlink_bcast_fd = NULL_FD; > >@@ -108,6 +116,8 @@ > { SADB_X_EALG_CASTCBC, "cast128" }, > { SADB_X_EALG_BLOWFISHCBC, "blowfish" }, > { SADB_X_EALG_AESCBC, "aes" }, >+ { SADB_X_EALG_AESCTR, "ctr(aes)" }, >+ { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" }, > { 0, sparse_end } > }; > >@@ -119,6 +129,27 @@ > { 0, sparse_end } > }; > >+static struct aead_alg aead_algs[] = >+{ >+ { .id = SADB_X_EALG_AES_CCM_ICV8, .icvlen = 8, .name = "rfc4309(ccm(aes))" }, >+ { .id = SADB_X_EALG_AES_CCM_ICV12, .icvlen = 12, .name = "rfc4309(ccm(aes))" }, >+ { .id = SADB_X_EALG_AES_CCM_ICV16, .icvlen = 16, .name = "rfc4309(ccm(aes))" }, >+ { .id = SADB_X_EALG_AES_GCM_ICV8, .icvlen = 8, .name = "rfc4106(gcm(aes))" }, >+ { .id = SADB_X_EALG_AES_GCM_ICV12, .icvlen = 12, .name = "rfc4106(gcm(aes))" }, >+ { .id = SADB_X_EALG_AES_GCM_ICV16, .icvlen = 16, .name = "rfc4106(gcm(aes))" }, >+}; >+ >+static struct aead_alg *get_aead_alg(int algid) >+{ >+ unsigned int i; >+ >+ for (i = 0; i < sizeof(aead_algs) / sizeof(aead_algs[0]); i++) >+ if (aead_algs[i].id == algid) >+ return aead_algs + i; >+ >+ return NULL; >+} >+ > /** ip2xfrm - Take an IP address and convert to an xfrm. > * > * @param addr ip_address >@@ -591,6 +622,7 @@ > char data[1024]; > } req; > struct rtattr *attr; >+ struct aead_alg *aead; > > memset(&req, 0, sizeof(req)); > req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; >@@ -640,6 +672,26 @@ > attr = (struct rtattr *)((char *)attr + attr->rta_len); > } > >+ aead = get_aead_alg(sa->encalg); >+ if (aead) >+ { >+ struct xfrm_algo_aead algo; >+ >+ strcpy(algo.alg_name, aead->name); >+ algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE; >+ algo.alg_icv_len = aead->icvlen * BITS_PER_BYTE; >+ >+ attr->rta_type = XFRMA_ALG_AEAD; >+ attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen); >+ >+ memcpy(RTA_DATA(attr), &algo, sizeof(algo)); >+ memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey >+ , sa->enckeylen); >+ >+ req.n.nlmsg_len += attr->rta_len; >+ attr = (struct rtattr *)((char *)attr + attr->rta_len); >+ } >+ else > { > struct xfrm_algo algo; > const char *name; >@@ -741,6 +793,124 @@ > return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said); > } > >+#define AES_KEY_MIN_LEN 128 >+#define AES_KEY_DEF_LEN 128 >+#define AES_KEY_MAX_LEN 256 >+ >+struct encrypt_desc algo_aes_ccm_8 = >+{ >+ common: { >+ name: "aes_ccm_8", >+ officname: "aes_ccm_8", >+ algo_type: IKE_ALG_ENCRYPT, >+ algo_v2id: IKEv2_ENCR_AES_CCM_8, >+ algo_next: NULL, }, >+ enc_blocksize: AES_CBC_BLOCK_SIZE, >+ keyminlen: AES_KEY_MIN_LEN + 3, >+ keydeflen: AES_KEY_DEF_LEN + 3, >+ keymaxlen: AES_KEY_MAX_LEN + 3, >+}; >+ >+struct encrypt_desc algo_aes_ccm_12 = >+{ >+ common: { >+ name: "aes_ccm_12", >+ officname: "aes_ccm_12", >+ algo_type: IKE_ALG_ENCRYPT, >+ algo_v2id: IKEv2_ENCR_AES_CCM_12, >+ algo_next: NULL, }, >+ enc_blocksize: AES_CBC_BLOCK_SIZE, >+ keyminlen: AES_KEY_MIN_LEN + 3, >+ keydeflen: AES_KEY_DEF_LEN + 3, >+ keymaxlen: AES_KEY_MAX_LEN + 3, >+}; >+ >+struct encrypt_desc algo_aes_ccm_16 = >+{ >+ common: { >+ name: "aes_ccm_16", >+ officname: "aes_ccm_16", >+ algo_type: IKE_ALG_ENCRYPT, >+ algo_v2id: IKEv2_ENCR_AES_CCM_16, >+ algo_next: NULL, }, >+ enc_blocksize: AES_CBC_BLOCK_SIZE, >+ keyminlen: AES_KEY_MIN_LEN + 3, >+ keydeflen: AES_KEY_DEF_LEN + 3, >+ keymaxlen: AES_KEY_MAX_LEN + 3, >+}; >+ >+struct encrypt_desc algo_aes_gcm_8 = >+{ >+ common: { >+ name: "aes_gcm_8", >+ officname: "aes_gcm_8", >+ algo_type: IKE_ALG_ENCRYPT, >+ algo_v2id: IKEv2_ENCR_AES_GCM_8, >+ algo_next: NULL, }, >+ enc_blocksize: AES_CBC_BLOCK_SIZE, >+ keyminlen: AES_KEY_MIN_LEN + 3, >+ keydeflen: AES_KEY_DEF_LEN + 3, >+ keymaxlen: AES_KEY_MAX_LEN + 3, >+}; >+ >+struct encrypt_desc algo_aes_gcm_12 = >+{ >+ common: { >+ name: "aes_gcm_12", >+ officname: "aes_gcm_12", >+ algo_type: IKE_ALG_ENCRYPT, >+ algo_v2id: IKEv2_ENCR_AES_GCM_12, >+ algo_next: NULL, }, >+ enc_blocksize: AES_CBC_BLOCK_SIZE, >+ keyminlen: AES_KEY_MIN_LEN + 3, >+ keydeflen: AES_KEY_DEF_LEN + 3, >+ keymaxlen: AES_KEY_MAX_LEN + 3, >+}; >+ >+struct encrypt_desc algo_aes_gcm_16 = >+{ >+ common: { >+ name: "aes_gcm_16", >+ officname: "aes_gcm_16", >+ algo_type: IKE_ALG_ENCRYPT, >+ algo_v2id: IKEv2_ENCR_AES_GCM_16, >+ algo_next: NULL, }, >+ enc_blocksize: AES_CBC_BLOCK_SIZE, >+ keyminlen: AES_KEY_MIN_LEN + 3, >+ keydeflen: AES_KEY_DEF_LEN + 3, >+ keymaxlen: AES_KEY_MAX_LEN + 3, >+}; >+ >+static void >+linux_pfkey_add_aead(void) >+{ >+ struct sadb_alg alg; >+ >+ alg.sadb_alg_ivlen = 8; >+ alg.sadb_alg_minbits = 128; >+ alg.sadb_alg_maxbits = 256; >+ >+ alg.sadb_alg_id = SADB_X_EALG_AES_GCM_ICV8; >+ kernel_alg_add(SADB_SATYPE_ESP, SADB_EXT_SUPPORTED_ENCRYPT, &alg); >+ alg.sadb_alg_id = SADB_X_EALG_AES_GCM_ICV12; >+ kernel_alg_add(SADB_SATYPE_ESP, SADB_EXT_SUPPORTED_ENCRYPT, &alg); >+ alg.sadb_alg_id = SADB_X_EALG_AES_GCM_ICV16; >+ kernel_alg_add(SADB_SATYPE_ESP, SADB_EXT_SUPPORTED_ENCRYPT, &alg); >+ alg.sadb_alg_id = SADB_X_EALG_AES_CCM_ICV8; >+ kernel_alg_add(SADB_SATYPE_ESP, SADB_EXT_SUPPORTED_ENCRYPT, &alg); >+ alg.sadb_alg_id = SADB_X_EALG_AES_CCM_ICV12; >+ kernel_alg_add(SADB_SATYPE_ESP, SADB_EXT_SUPPORTED_ENCRYPT, &alg); >+ alg.sadb_alg_id = SADB_X_EALG_AES_CCM_ICV16; >+ kernel_alg_add(SADB_SATYPE_ESP, SADB_EXT_SUPPORTED_ENCRYPT, &alg); >+ >+ ike_alg_register_enc(&algo_aes_ccm_8); >+ ike_alg_register_enc(&algo_aes_ccm_12); >+ ike_alg_register_enc(&algo_aes_ccm_16); >+ ike_alg_register_enc(&algo_aes_gcm_8); >+ ike_alg_register_enc(&algo_aes_gcm_12); >+ ike_alg_register_enc(&algo_aes_gcm_16); >+} >+ > static void > linux_pfkey_register_response(const struct sadb_msg *msg) > { >@@ -750,6 +920,8 @@ > #ifdef KERNEL_ALG > kernel_alg_register_pfkey(msg, msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN); > #endif >+ /* XXX Need to grab list from the kernel. */ >+ linux_pfkey_add_aead(); > break; > case SADB_X_SATYPE_IPCOMP: > can_do_IPcomp = TRUE; >diff -ur openswan-2.6.12.orig/programs/pluto/linux26/xfrm.h openswan-2.6.12/programs/pluto/linux26/xfrm.h >--- openswan-2.6.12.orig/programs/pluto/linux26/xfrm.h 2008-04-22 11:55:38.000000000 +0800 >+++ openswan-2.6.12/programs/pluto/linux26/xfrm.h 2008-05-27 18:31:13.000000000 +0800 >@@ -80,6 +80,13 @@ > char alg_key[0]; > }; > >+struct xfrm_algo_aead { >+ char alg_name[64]; >+ int alg_key_len; /* in bits */ >+ int alg_icv_len; /* in bits */ >+ char alg_key[0]; >+}; >+ > struct xfrm_stats { > uint32_t replay_window; > uint32_t replay; >@@ -152,8 +159,22 @@ > XFRMA_ALG_COMP, /* struct xfrm_algo */ > XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */ > XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */ >+ XFRMA_SA, >+ XFRMA_POLICY, >+ XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */ >+ XFRMA_LTIME_VAL, >+ XFRMA_REPLAY_VAL, >+ XFRMA_REPLAY_THRESH, >+ XFRMA_ETIMER_THRESH, >+ XFRMA_SRCADDR, /* xfrm_address_t */ >+ XFRMA_COADDR, /* xfrm_address_t */ >+ XFRMA_LASTUSED, >+ XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */ >+ XFRMA_MIGRATE, >+ XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */ >+ __XFRMA_MAX > >-#define XFRMA_MAX XFRMA_TMPL >+#define XFRMA_MAX (__XFRMA_MAX - 1) > }; > > struct xfrm_usersa_info {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=306757">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 441383
: 306757 |
307268
|
307319