diff options
| author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-16 08:19:43 -0500 |
|---|---|---|
| committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 12:10:45 -0500 |
| commit | 29fb029f9904768263256d18602dd8cb2fff3191 (patch) | |
| tree | fc7f07354718a567fea5bdf0c900ac3f4f976199 | |
| parent | e71ac90f6c7e11b1abc0ef0380853dd16e6f80f4 (diff) | |
| download | FreeBSD-src-29fb029f9904768263256d18602dd8cb2fff3191.zip FreeBSD-src-29fb029f9904768263256d18602dd8cb2fff3191.tar.gz | |
MFC r286143:
Add support for keys that include 4 byte SALT values,
including GCM and ICM/CTR modes for AES.
Reviewed by: jmg
MFC after: 1 week
Sponsored by: Rubicon Communications (Netgate)
TAG: IPSEC-HEAD
Issue: #4841
| -rw-r--r-- | sbin/setkey/parse.y | 23 | ||||
| -rw-r--r-- | sbin/setkey/token.l | 4 |
2 files changed, 25 insertions, 2 deletions
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y index c551c35..60e779d 100644 --- a/sbin/setkey/parse.y +++ b/sbin/setkey/parse.y @@ -100,6 +100,7 @@ extern void yyerror(const char *); %token F_EXT EXTENSION NOCYCLICSEQ %token ALG_AUTH ALG_AUTH_NOKEY %token ALG_ENC ALG_ENC_NOKEY ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD +%token ALG_ENC_SALT %token ALG_COMP %token F_LIFETIME_HARD F_LIFETIME_SOFT %token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY @@ -111,6 +112,7 @@ extern void yyerror(const char *); %type <num> prefix protocol_spec upper_spec %type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY +%type <num> ALG_ENC_SALT %type <num> ALG_AUTH ALG_AUTH_NOKEY %type <num> ALG_COMP %type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP @@ -402,6 +404,27 @@ enc_alg return -1; } } + | ALG_ENC_SALT key_string + { + if ($1 < 0) { + yyerror("unsupported algorithm"); + return -1; + } + p_alg_enc = $1; + + p_key_enc_len = $2.len; + + p_key_enc = $2.buf; + /* + * Salted keys include a 4 byte value that is + * not part of the key. + */ + if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT, + p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len - 4)) < 0) { + yyerror(ipsec_strerror()); + return -1; + } + } ; auth_alg diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l index 1b66719..7f30859 100644 --- a/sbin/setkey/token.l +++ b/sbin/setkey/token.l @@ -166,9 +166,9 @@ tcp { yylval.num = 0; return(PR_TCP); } <S_ENCALG>des-deriv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DESDERIV); } <S_ENCALG>des-32iv { yylval.num = SADB_EALG_DESCBC; BEGIN INITIAL; return(ALG_ENC_DES32IV); } <S_ENCALG>rijndael-cbc { yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); } -<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); } +<S_ENCALG>aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC_SALT); } <S_ENCALG>camellia-cbc { yylval.num = SADB_X_EALG_CAMELLIACBC; BEGIN INITIAL; return(ALG_ENC); } -<S_ENCALG>aes-gcm-16 { yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC); } +<S_ENCALG>aes-gcm-16 { yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC_SALT); } /* compression algorithms */ {hyphen}C { return(F_COMP); } |
