authorMike Belopuhov <mikeb@cvs.openbsd.org>2015-11-04 12:40:50 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2015-11-04 12:40:50 +0000
commita06b39dddae68e415db32f86c5cd98e1138cc11e (patch)
tree469c8101c36ba71acd6952923b30f5056618d746 /sbin/iked
parent34171ed99a087acd5e7d7ff3aa08f5fe1ec3c79a (diff)
Support Chacha20-Poly1305 for Child SAs; ok reyk
Diffstat (limited to 'sbin/iked')
-rw-r--r--sbin/iked/iked.conf.512
-rw-r--r--sbin/iked/parse.y4
-rw-r--r--sbin/iked/pfkey.c3
3 files changed, 12 insertions, 7 deletions
diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5
index 04d1dcfd923..1e8e0bd5bd6 100644
--- a/sbin/iked/iked.conf.5
+++ b/sbin/iked/iked.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.42 2015/11/01 21:26:48 jmc Exp $
+.\" $OpenBSD: iked.conf.5,v 1.43 2015/11/04 12:40:49 mikeb Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 1 2015 $
+.Dd $Mdocdate: November 4 2015 $
.Dt IKED.CONF 5
.Os
.Sh NAME
@@ -755,7 +755,7 @@ keyword:
The following cipher types are permitted with the
.Ic enc
keyword:
-.Bl -column "aes-128-gmac" "Key Length" "[ESP only]" -offset indent
+.Bl -column "chacha20-poly1305" "Key Length" "[ESP only]" -offset indent
.It Em "Cipher" Ta Em "Key Length" Ta ""
.It Li des Ta "56 bits" Ta "[ESP only]"
.It Li 3des Ta "168 bits" Ta ""
@@ -770,11 +770,12 @@ keyword:
.It Li aes-256-gcm Ta "288 bits" Ta "[ESP only]"
.It Li blowfish Ta "160 bits" Ta "[ESP only]"
.It Li cast Ta "128 bits" Ta "[ESP only]"
+.It Li chacha20-poly1305 Ta "288 bits" Ta "[ESP only]"
.El
.Pp
The following cipher types provide only authentication,
not encryption:
-.Bl -column "aes-128-gmac" "Key Length" "[ESP only]" -offset indent
+.Bl -column "chacha20-poly1305" "Key Length" "[ESP only]" -offset indent
.It Li aes-128-gmac Ta "160 bits" Ta "[ESP only]"
.It Li aes-192-gmac Ta "224 bits" Ta "[ESP only]"
.It Li aes-256-gmac Ta "288 bits" Ta "[ESP only]"
@@ -791,7 +792,8 @@ This is because the most significant bit of each byte is used for parity.
The keysize of AES-CTR is actually 128-bit.
However as well as the key, a 32-bit nonce has to be supplied.
Thus 160 bits of key material have to be supplied.
-The same applies to AES-GCM and AES-GMAC.
+The same applies to AES-GCM, AES-GMAC and Chacha20-Poly1305,
+however in the latter case the keysize is 256 bit.
.Pp
Using AES-GMAC or NULL with ESP will only provide authentication.
This is useful in setups where AH cannot be used, e.g. when NAT is involved.
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 5e66d6ef868..d525132ee7d 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.52 2015/10/31 19:28:19 naddy Exp $ */
+/* $OpenBSD: parse.y,v 1.53 2015/11/04 12:40:49 mikeb Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -194,6 +194,8 @@ const struct ipsec_xf ipsecencxfs[] = {
{ "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 32, 32, 4, 1 },
{ "blowfish", IKEV2_XFORMENCR_BLOWFISH, 20, 20 },
{ "cast", IKEV2_XFORMENCR_CAST, 16, 16 },
+ { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY1305,
+ 32, 32, 4, 1 },
{ "null", IKEV2_XFORMENCR_NULL, 0, 0 },
{ NULL }
};
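Review bot: The new `chacha20-poly1305` row in `ipsecencxfs[]` carries four unlabelled positional values (`32, 32, 4, 1`), and nothing in the hunk says what the last two mean. The first three agree with the manual page change in this commit (a 256-bit key plus a 32-bit nonce, 288 bits of key material). The trailing `1` mirrors the `aes-256-gmac` row and presumably marks a cipher that takes no separate integrity transform, but `struct ipsec_xf` is defined outside the hunk, so that needs confirming. A comment on the row such as `/* 32-byte key + 4-byte nonce; combined mode, no separate auth */` would keep a later edit from silently dropping that flag. The table itself starts before the hunk.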
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index b1a48b3d3ed..d04bbef4623 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.46 2015/10/15 18:40:38 mmcc Exp $ */
+/* $OpenBSD: pfkey.c,v 1.47 2015/11/04 12:40:49 mikeb Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -84,6 +84,7 @@ static const struct pfkey_constmap pfkey_encr[] = {
{ SADB_X_EALG_AESCTR, IKEV2_XFORMENCR_AES_CTR },
{ SADB_X_EALG_AESGCM16, IKEV2_XFORMENCR_AES_GCM_16 },
{ SADB_X_EALG_AESGMAC, IKEV2_XFORMENCR_NULL_AES_GMAC },
+ { SADB_X_EALG_CHACHA20POLY1305, IKEV2_XFORMENCR_CHACHA20_POLY1305 },
{ 0 }
};
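Review bot: `pfkey_encr[]` has to be kept in step with `ipsecencxfs[]` in parse.y by hand, and nothing near the added row records that coupling. If the parser accepts a transform that has no row here, the translation to an `SADB_X_EALG_*` value would presumably fail only when the Child SA is installed, after negotiation has already succeeded; the lookup code is outside the hunk, so this is inferred. I would add `/* every ESP transform in ipsecencxfs[] (parse.y) needs a row here */` above the table, whose opening line is outside this hunk. Neither `SADB_X_EALG_CHACHA20POLY1305` nor `IKEV2_XFORMENCR_CHACHA20_POLY1305` is defined in the files shown, so the build relies on header changes committed outside `sbin/iked`.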