Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/Makefile8
-rw-r--r--sbin/isakmpd/TO-DO4
-rw-r--r--sbin/isakmpd/conf.c6
-rw-r--r--sbin/isakmpd/crypto.c209
-rw-r--r--sbin/isakmpd/crypto.h75
-rw-r--r--sbin/isakmpd/isakmpd.conf.54
-rw-r--r--sbin/isakmpd/regress/crypto/Makefile5
-rw-r--r--sbin/isakmpd/regress/crypto/cryptotest.c4
8 files changed, 100 insertions, 215 deletions
diff --git a/sbin/isakmpd/Makefile b/sbin/isakmpd/Makefile
index d6bfd2d06ae..eaae2825d05 100644
--- a/sbin/isakmpd/Makefile
+++ b/sbin/isakmpd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.49 2003/06/03 14:28:16 ho Exp $
+# $OpenBSD: Makefile,v 1.50 2003/08/28 14:43:35 markus Exp $
# $EOM: Makefile,v 1.78 2000/10/15 21:33:42 niklas Exp $
#
@@ -45,9 +45,11 @@ OS= openbsd
#OS= bsdi
# Compile-time configuration of otherwise optional features
-#FEATURES= tripledes des blowfish cast policy x509 ec aggressive debug gmp
+#FEATURES= tripledes des blowfish cast aes
+#FEATURES+= policy x509 ec aggressive debug gmp
#FEATURES+= rawkey isakmp_cfg dnssec privsep
-FEATURES= tripledes des blowfish cast policy x509 ec aggressive debug
+FEATURES= tripledes des blowfish cast aes
+FEATURES+= policy x509 ec aggressive debug
FEATURES+= rawkey isakmp_cfg
.PATH: ${.CURDIR}/sysdep/${OS}
diff --git a/sbin/isakmpd/TO-DO b/sbin/isakmpd/TO-DO
index b4ea0f08258..7e397e4135b 100644
--- a/sbin/isakmpd/TO-DO
+++ b/sbin/isakmpd/TO-DO
@@ -1,4 +1,4 @@
-$OpenBSD: TO-DO,v 1.25 2001/08/23 23:01:29 angelos Exp $
+$OpenBSD: TO-DO,v 1.26 2003/08/28 14:43:35 markus Exp $
$EOM: TO-DO,v 1.45 2000/04/07 22:47:38 niklas Exp $
This file mixes small nitpicks with large projects to be done.
@@ -138,7 +138,7 @@ This file mixes small nitpicks with large projects to be done.
* IPv6 [done]
-* AES in phase 1
+* AES in phase 1 [done]
* x509_certreq_validate needs implementing.
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index 9c59c628ae6..84d63b54aec 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.57 2003/07/25 08:31:16 markus Exp $ */
+/* $OpenBSD: conf.c,v 1.58 2003/08/28 14:43:35 markus Exp $ */
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
/*
@@ -390,7 +390,7 @@ conf_load_defaults (int tr)
char *mm_auth[] = { "PRE_SHARED", "DSS", "RSA_SIG", 0 };
char *mm_hash[] = { "MD5", "SHA", 0 };
char *mm_enc[] = { "DES_CBC", "BLOWFISH_CBC", "3DES_CBC",
- "CAST_CBC", 0 };
+ "CAST_CBC", "AES_CBC", 0 };
char *dh_group[] = { "MODP_768", "MODP_1024", "MODP_1536", 0 };
char *qm_enc[] = { "DES", "3DES", "CAST", "BLOWFISH", "AES", 0 };
char *qm_hash[] = { "HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
@@ -399,7 +399,7 @@ conf_load_defaults (int tr)
/* Abbreviations to make section names a bit shorter. */
char *mm_auth_p[] = { "", "-DSS", "-RSA_SIG", 0 };
- char *mm_enc_p[] = { "DES", "BLF", "3DES", "CAST", 0 };
+ char *mm_enc_p[] = { "DES", "BLF", "3DES", "CAST", "AES", 0 };
char *dh_group_p[]= { "-GRP1", "-GRP2", "-GRP5", "", 0 };
char *qm_enc_p[] = { "-DES", "-3DES", "-CAST", "-BLF", "-AES", 0 };
char *qm_hash_p[] = { "-MD5", "-SHA", "-RIPEMD",
diff --git a/sbin/isakmpd/crypto.c b/sbin/isakmpd/crypto.c
index a7b3690b480..54ce6104919 100644
--- a/sbin/isakmpd/crypto.c
+++ b/sbin/isakmpd/crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.c,v 1.15 2003/08/06 21:08:06 millert Exp $ */
+/* $OpenBSD: crypto.c,v 1.16 2003/08/28 14:43:35 markus Exp $ */
/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */
/*
@@ -39,216 +39,151 @@
#include "crypto.h"
#include "log.h"
+enum cryptoerr evp_init (struct keystate *, u_int8_t *, u_int16_t,
+ const EVP_CIPHER *);
enum cryptoerr des1_init (struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr des3_init (struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr blf_init (struct keystate *, u_int8_t *, u_int16_t);
enum cryptoerr cast_init (struct keystate *, u_int8_t *, u_int16_t);
-void des1_encrypt (struct keystate *, u_int8_t *, u_int16_t);
-void des1_decrypt (struct keystate *, u_int8_t *, u_int16_t);
-void des3_encrypt (struct keystate *, u_int8_t *, u_int16_t);
-void des3_decrypt (struct keystate *, u_int8_t *, u_int16_t);
-void blf_encrypt (struct keystate *, u_int8_t *, u_int16_t);
-void blf_decrypt (struct keystate *, u_int8_t *, u_int16_t);
-void cast1_encrypt (struct keystate *, u_int8_t *, u_int16_t);
-void cast1_decrypt (struct keystate *, u_int8_t *, u_int16_t);
+enum cryptoerr aes_init (struct keystate *, u_int8_t *, u_int16_t);
+void evp_encrypt (struct keystate *, u_int8_t *, u_int16_t);
+void evp_decrypt (struct keystate *, u_int8_t *, u_int16_t);
struct crypto_xf transforms[] = {
#ifdef USE_DES
{
DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, BLOCKSIZE, 0,
des1_init,
- des1_encrypt, des1_decrypt
+ evp_encrypt, evp_decrypt
},
#endif
#ifdef USE_TRIPLEDES
{
TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, BLOCKSIZE, 0,
des3_init,
- des3_encrypt, des3_decrypt
+ evp_encrypt, evp_decrypt
},
#endif
#ifdef USE_BLOWFISH
{
BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, BLOCKSIZE, 0,
blf_init,
- blf_encrypt, blf_decrypt
+ evp_encrypt, evp_decrypt
},
#endif
#ifdef USE_CAST
{
CAST_CBC, "CAST (CBC-Mode)", 12, 16, BLOCKSIZE, 0,
cast_init,
- cast1_encrypt, cast1_decrypt
+ evp_encrypt, evp_decrypt
},
#endif
-};
-
-/* Hmm, the function prototypes for des are really dumb */
-#ifdef __OpenBSD__
-#define DC (des_cblock *)
-#else
-#define DC (void *)
+#ifdef USE_AES
+ {
+ AES_CBC, "AES (CBC-Mode)", 16, 32, 2*BLOCKSIZE, 0,
+ aes_init,
+ evp_encrypt, evp_decrypt
+ },
#endif
+};
+#ifdef USE_DES
enum cryptoerr
des1_init (struct keystate *ks, u_int8_t *key, u_int16_t len)
{
- /* des_set_key returns -1 for parity problems, and -2 for weak keys */
- des_set_odd_parity (DC key);
- switch (des_set_key (DC key, ks->ks_des[0]))
- {
- case -2:
- return EWEAKKEY;
- default:
- return EOKAY;
- }
-}
+ const EVP_CIPHER *evp;
-void
-des1_encrypt (struct keystate *ks, u_int8_t *d, u_int16_t len)
-{
- des_cbc_encrypt (DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_ENCRYPT);
-}
-
-void
-des1_decrypt (struct keystate *ks, u_int8_t *d, u_int16_t len)
-{
- des_cbc_encrypt (DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_DECRYPT);
+ evp = EVP_des_cbc();
+ return evp_init (ks, key, len, evp);
}
+#endif
#ifdef USE_TRIPLEDES
enum cryptoerr
des3_init (struct keystate *ks, u_int8_t *key, u_int16_t len)
{
- des_set_odd_parity (DC key);
- des_set_odd_parity (DC (key + 8));
- des_set_odd_parity (DC (key + 16));
-
- /* As of the draft Tripe-DES does not check for weak keys */
- des_set_key (DC key, ks->ks_des[0]);
- des_set_key (DC (key + 8), ks->ks_des[1]);
- des_set_key (DC (key + 16), ks->ks_des[2]);
-
- return EOKAY;
-}
-
-void
-des3_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len)
-{
- u_int8_t iv[MAXBLK];
-
- memcpy (iv, ks->riv, ks->xf->blocksize);
- des_ede3_cbc_encrypt (DC data, DC data, len, ks->ks_des[0], ks->ks_des[1],
- ks->ks_des[2], DC iv, DES_ENCRYPT);
-}
-
-void
-des3_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len)
-{
- u_int8_t iv[MAXBLK];
+ const EVP_CIPHER *evp;
- memcpy (iv, ks->riv, ks->xf->blocksize);
- des_ede3_cbc_encrypt (DC data, DC data, len, ks->ks_des[0], ks->ks_des[1],
- ks->ks_des[2], DC iv, DES_DECRYPT);
+ evp = EVP_des_ede3_cbc();
+ return evp_init (ks, key, len, evp);
}
-#undef DC
-#endif /* USE_TRIPLEDES */
+#endif
#ifdef USE_BLOWFISH
enum cryptoerr
blf_init (struct keystate *ks, u_int8_t *key, u_int16_t len)
{
- blf_key (&ks->ks_blf, key, len);
+ const EVP_CIPHER *evp;
- return EOKAY;
+ evp = EVP_bf_cbc();
+ return evp_init (ks, key, len, evp);
}
+#endif
-void
-blf_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len)
+#ifdef USE_CAST
+enum cryptoerr
+cast_init (struct keystate *ks, u_int8_t *key, u_int16_t len)
{
- u_int16_t i, blocksize = ks->xf->blocksize;
- u_int8_t *iv = ks->liv;
- u_int32_t xl, xr;
+ const EVP_CIPHER *evp;
- memcpy (iv, ks->riv, blocksize);
-
- for (i = 0; i < len; data += blocksize, i += blocksize)
- {
- XOR64 (data, iv);
- xl = GET_32BIT_BIG (data);
- xr = GET_32BIT_BIG (data + 4);
- Blowfish_encipher (&ks->ks_blf, &xl, &xr);
- SET_32BIT_BIG (data, xl);
- SET_32BIT_BIG (data + 4, xr);
- SET64 (iv, data);
- }
+ evp = EVP_cast5_cbc();
+ return evp_init (ks, key, len, evp);
}
+#endif
-void
-blf_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len)
+#ifdef USE_AES
+enum cryptoerr
+aes_init (struct keystate *ks, u_int8_t *key, u_int16_t len)
{
- u_int16_t i, blocksize = ks->xf->blocksize;
- u_int32_t xl, xr;
+ const EVP_CIPHER *evp;
- data += len - blocksize;
- for (i = len - blocksize; i >= blocksize; data -= blocksize, i -= blocksize)
+ switch (8 * len)
{
- xl = GET_32BIT_BIG (data);
- xr = GET_32BIT_BIG (data + 4);
- Blowfish_decipher (&ks->ks_blf, &xl, &xr);
- SET_32BIT_BIG (data, xl);
- SET_32BIT_BIG (data + 4, xr);
- XOR64 (data, data - blocksize);
-
+ case 128:
+ evp = EVP_aes_128_cbc();
+ break;
+ case 192:
+ evp = EVP_aes_192_cbc();
+ break;
+ case 256:
+ evp = EVP_aes_256_cbc();
+ break;
+ default:
+ return EKEYLEN;
}
- xl = GET_32BIT_BIG (data);
- xr = GET_32BIT_BIG (data + 4);
- Blowfish_decipher (&ks->ks_blf, &xl, &xr);
- SET_32BIT_BIG (data, xl);
- SET_32BIT_BIG (data + 4, xr);
- XOR64 (data, ks->riv);
+ return evp_init (ks, key, len, evp);
}
-#endif /* USE_BLOWFISH */
+#endif
-#ifdef USE_CAST
enum cryptoerr
-cast_init (struct keystate *ks, u_int8_t *key, u_int16_t len)
+evp_init (struct keystate *ks, u_int8_t *key, u_int16_t len, const EVP_CIPHER *evp)
{
- cast_setkey (&ks->ks_cast, key, len);
+ EVP_CIPHER_CTX_init(&ks->ks_evpenc);
+ EVP_CIPHER_CTX_init(&ks->ks_evpdec);
+
+ if (EVP_CIPHER_key_length(evp) != len
+ && !(EVP_CIPHER_flags(evp) & EVP_CIPH_VARIABLE_LENGTH))
+ return EKEYLEN;
+ if (EVP_CipherInit(&ks->ks_evpenc, evp, key, NULL, 1) <= 0)
+ return EKEYLEN;
+ if (EVP_CipherInit(&ks->ks_evpdec, evp, key, NULL, 0) <= 0)
+ return EKEYLEN;
return EOKAY;
}
void
-cast1_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len)
+evp_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len)
{
- u_int16_t i, blocksize = ks->xf->blocksize;
- u_int8_t *iv = ks->liv;
-
- memcpy (iv, ks->riv, blocksize);
-
- for (i = 0; i < len; data += blocksize, i += blocksize)
- {
- XOR64 (data, iv);
- cast_encrypt (&ks->ks_cast, data, data);
- SET64 (iv, data);
- }
+ (void) EVP_CipherInit(&ks->ks_evpenc, NULL, NULL, ks->riv, -1);
+ EVP_Cipher(&ks->ks_evpenc, data, data, len);
}
void
-cast1_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len)
+evp_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len)
{
- u_int16_t i, blocksize = ks->xf->blocksize;
-
- data += len - blocksize;
- for (i = len - blocksize; i >= blocksize; data -= blocksize, i -= blocksize)
- {
- cast_decrypt (&ks->ks_cast, data, data);
- XOR64 (data, data - blocksize);
- }
- cast_decrypt (&ks->ks_cast, data, data);
- XOR64 (data, ks->riv);
+ (void) EVP_CipherInit(&ks->ks_evpdec, NULL, NULL, ks->riv, -1);
+ EVP_Cipher(&ks->ks_evpdec, data, data, len);
}
-#endif /* USE_CAST */
struct crypto_xf *
crypto_get (enum transform id)
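Review bot: evp_init() never applies `len` to the two contexts, so for the variable-length entries in the table above (Blowfish 12-56, CAST 12-16) EVP_CipherInit() takes the cipher's default key length from `key` rather than the negotiated one; a longer key is silently truncated and a shorter buffer may be read past its end. Selecting the cipher with a NULL key, calling EVP_CIPHER_CTX_set_key_length() on both contexts and only then loading the key fixes this and also covers the fixed-length check, and the failure paths should run EVP_CIPHER_CTX_cleanup() so a half-initialised context does not keep key material. Separately, des1_init() can no longer return EWEAKKEY, since the removed des_set_key() check has no replacement visible in this hunk. evp_encrypt() and evp_decrypt() discard the results of EVP_CipherInit() and EVP_Cipher(), so a failure would leave the buffer untouched (plaintext on the send path); at minimum that should be logged.

```c
enum cryptoerr
evp_init (struct keystate *ks, u_int8_t *key, u_int16_t len, const EVP_CIPHER *evp)
{
  EVP_CIPHER_CTX_init(&ks->ks_evpenc);
  EVP_CIPHER_CTX_init(&ks->ks_evpdec);

  /* Pick the cipher first so the negotiated length is in place before
     any key bytes are consumed. */
  if (EVP_CipherInit(&ks->ks_evpenc, evp, NULL, NULL, 1) <= 0
      || EVP_CipherInit(&ks->ks_evpdec, evp, NULL, NULL, 0) <= 0)
    goto fail;
  /* Fails for fixed-length ciphers when len does not match. */
  if (EVP_CIPHER_CTX_set_key_length(&ks->ks_evpenc, len) <= 0
      || EVP_CIPHER_CTX_set_key_length(&ks->ks_evpdec, len) <= 0)
    goto fail;
  if (EVP_CipherInit(&ks->ks_evpenc, NULL, key, NULL, -1) <= 0
      || EVP_CipherInit(&ks->ks_evpdec, NULL, key, NULL, -1) <= 0)
    goto fail;
  return EOKAY;

fail:
  EVP_CIPHER_CTX_cleanup(&ks->ks_evpenc);
  EVP_CIPHER_CTX_cleanup(&ks->ks_evpdec);
  return EKEYLEN;
}
```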
diff --git a/sbin/isakmpd/crypto.h b/sbin/isakmpd/crypto.h
index 760e8c6cb71..6cce31f19e7 100644
--- a/sbin/isakmpd/crypto.h
+++ b/sbin/isakmpd/crypto.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.h,v 1.8 2003/06/03 14:28:16 ho Exp $ */
+/* $OpenBSD: crypto.h,v 1.9 2003/08/28 14:43:35 markus Exp $ */
/* $EOM: crypto.h,v 1.12 2000/10/15 21:56:41 niklas Exp $ */
/*
@@ -32,56 +32,7 @@
#ifndef _CRYPTO_H_
#define _CRYPTO_H_
-#if defined (__APPLE__)
-
-#include <openssl/des.h>
-#ifdef USE_BLOWFISH
-#include <openssl/blowfish.h>
-#endif
-#ifdef USE_CAST
-#include <openssl/cast.h>
-#endif
-
-#else
-
-#include <des.h>
-#ifdef USE_BLOWFISH
-#include <blf.h>
-#endif
-#ifdef USE_CAST
-#include <cast.h>
-#endif
-
-#endif /* __APPLE__ */
-
-#define USE_32BIT
-#if defined (USE_64BIT)
-
-#define XOR64(x,y) *(u_int64_t *)(x) ^= *(u_int64_t *)(y);
-#define SET64(x,y) *(u_int64_t *)(x) = *(u_int64_t *)(y);
-
-#elif defined (USE_32BIT)
-
-#define XOR64(x,y) *(u_int32_t *)(x) ^= *(u_int32_t *)(y); \
- *(u_int32_t *)((u_int8_t *)(x) + 4) ^= *(u_int32_t *)((u_int8_t *)(y) + 4);
-#define SET64(x,y) *(u_int32_t *)(x) = *(u_int32_t *)(y); \
- *(u_int32_t *)((u_int8_t *)(x) + 4) = *(u_int32_t *)((u_int8_t *)(y) + 4);
-
-#else
-
-#define XOR8(x,y,i) (x)[i] ^= (y)[i];
-#define XOR64(x,y) XOR8(x,y,0); XOR8(x,y,1); XOR8(x,y,2); XOR8(x,y,3); \
- XOR8(x,y,4); XOR8(x,y,5); XOR8(x,y,6); XOR8(x,y,7);
-#define SET8(x,y,i) (x)[i] = (y)[i];
-#define SET64(x,y) SET8(x,y,0); SET8(x,y,1); SET8(x,y,2); SET8(x,y,3); \
- SET8(x,y,4); SET8(x,y,5); SET8(x,y,6); SET8(x,y,7);
-
-#endif /* USE_64BIT */
-
-#define SET_32BIT_BIG(x,y) (x)[3]= (y); (x)[2]= (y) >> 8; \
- (x)[1] = (y) >> 16; (x)[0]= (y) >> 24;
-#define GET_32BIT_BIG(x) (u_int32_t)(x)[3] | ((u_int32_t)(x)[2] << 8) | \
- ((u_int32_t)(x)[1] << 16)| ((u_int32_t)(x)[0] << 24);
+#include <openssl/evp.h>
/*
* This is standard for all block ciphers we use at the moment.
@@ -90,7 +41,7 @@
*/
#define BLOCKSIZE 8
-#define MAXBLK BLOCKSIZE
+#define MAXBLK (2*BLOCKSIZE)
struct keystate {
struct crypto_xf *xf; /* Back pointer */
@@ -100,20 +51,13 @@ struct keystate {
u_int8_t iv[MAXBLK]; /* Next IV to use */
u_int8_t iv2[MAXBLK];
u_int8_t *riv, *liv;
- union {
- des_key_schedule desks[3];
-#ifdef USE_BLOWFISH
- blf_ctx blfks;
-#endif
-#ifdef USE_CAST
- cast_key castks;
-#endif
- } keydata;
+ struct {
+ EVP_CIPHER_CTX enc, dec;
+ } evp;
};
-#define ks_des keydata.desks
-#define ks_blf keydata.blfks
-#define ks_cast keydata.castks
+#define ks_evpenc evp.enc
+#define ks_evpdec evp.dec
/*
* Information about the cryptotransform.
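Review bot: Embedding `EVP_CIPHER_CTX enc, dec` by value changes the lifetime rules of struct keystate, and nothing in this hunk documents that. The old union held plain key schedules, so freeing or bytewise-copying a keystate was safe. An EVP context may own separately allocated cipher state, so a keystate now needs EVP_CIPHER_CTX_cleanup() on both members before it is freed, and a memcpy-style copy would share that state between two owners. I would add a comment on the new member such as `/* OpenSSL-owned state: release with EVP_CIPHER_CTX_cleanup(), never copy bytewise */` and check the teardown and copy paths, which are not shown here. struct keystate begins before this hunk.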
@@ -130,7 +74,8 @@ enum transform {
BLOWFISH_CBC=3,
RC5_R16_B64_CBC=4, /* Licensed, DONT use */
TRIPLEDES_CBC=5, /* This is a SHOULD */
- CAST_CBC=6
+ CAST_CBC=6,
+ AES_CBC=7
};
enum cryptoerr {
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 4f22cd2d912..a61eaf8fbca 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.84 2003/08/09 08:45:58 jmc Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.85 2003/08/28 14:43:35 markus Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -85,7 +85,7 @@ and transforms.
.Pp
For Main Mode:
.Bd -filled -compact
-.Ar {DES,BLF,3DES,CAST}-{MD5,SHA}[-GRP{1,2,5}][-{DSS,RSA_SIG}]
+.Ar {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5}][-{DSS,RSA_SIG}]
.Ed
.Pp
For Quick Mode:
diff --git a/sbin/isakmpd/regress/crypto/Makefile b/sbin/isakmpd/regress/crypto/Makefile
index c4f9548984c..48739dbdc67 100644
--- a/sbin/isakmpd/regress/crypto/Makefile
+++ b/sbin/isakmpd/regress/crypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.9 2002/03/05 00:11:08 deraadt Exp $
+# $OpenBSD: Makefile,v 1.10 2003/08/28 14:43:35 markus Exp $
# $EOM: Makefile,v 1.7 2000/03/28 21:22:06 ho Exp $
# Test Crypto:
@@ -10,7 +10,8 @@ TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile
.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall \
- -DUSE_TRIPLEDES -DUSE_CAST -DUSE_BLOWFISH -DUSE_DES
+ -DUSE_TRIPLEDES -DUSE_CAST -DUSE_BLOWFISH -DUSE_DES \
+ -DUSE_AES
LDADD+= -lcrypto -ldes
DPADD+= ${LIBCRYPTO} ${LIBDES}
NOMAN=
diff --git a/sbin/isakmpd/regress/crypto/cryptotest.c b/sbin/isakmpd/regress/crypto/cryptotest.c
index fbdaeae2a4f..6a9940f84f6 100644
--- a/sbin/isakmpd/regress/crypto/cryptotest.c
+++ b/sbin/isakmpd/regress/crypto/cryptotest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptotest.c,v 1.8 2003/06/03 14:39:50 ho Exp $ */
+/* $OpenBSD: cryptotest.c,v 1.9 2003/08/28 14:43:35 markus Exp $ */
/* $EOM: cryptotest.c,v 1.5 1998/10/07 16:40:49 niklas Exp $ */
/*
@@ -125,6 +125,8 @@ main (void)
test_crypto (CAST_CBC);
+ test_crypto (AES_CBC);
+
special_test_blf ();
return 1;
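Review bot: The added `test_crypto (AES_CBC);` passes only the transform id, so it presumably exercises a single key length (test_crypto's body is not shown), while aes_init() accepts 16, 24 and 32 bytes and the Blowfish and CAST table entries accept a range. A round trip per supported key size, checked against a known-answer vector rather than only decrypt-equals-input, would catch key-length handling mistakes in the new EVP path. main() starts and ends outside this hunk.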