[Swan-dev] supported ESP/AH algorithms
Andrew Cagney
andrew.cagney at gmail.com
Sat Jan 14 01:39:39 UTC 2017
FYI,
I finished filling in the missing algorithms (as identified by the
testsuite, ripemd surprised a few people) and added code to reject
invalid ESP algorithm-suites before they can be proposed. For
instance:
- unknown (missing from ike_alg DB because FIPS disabled it)
- AEAD + INTEG
- wrong key length according to ike_alg db
Andrew
For reference, here's the list:
ENCRYPT aes_ccm_16: IKEv1: ESP IKEv2: ESP FIPS (aes_ccm aes_ccm_c)
ENCRYPT aes_ccm_12: IKEv1: ESP IKEv2: ESP FIPS (aes_ccm_b)
ENCRYPT aes_ccm_8: IKEv1: ESP IKEv2: ESP FIPS (aes_ccm_a)
ENCRYPT 3des_cbc: IKEv1: IKE ESP IKEv2: IKE ESP FIPS (3des)
ENCRYPT camellia_ctr: IKEv1: ESP IKEv2: ESP
ENCRYPT camellia: IKEv1: IKE ESP IKEv2: IKE ESP (camellia_cbc)
ENCRYPT aes_gcm_16: IKEv1: IKE ESP IKEv2: IKE ESP FIPS (aes_gcm aes_gcm_c)
ENCRYPT aes_gcm_12: IKEv1: IKE ESP IKEv2: IKE ESP FIPS (aes_gcm_b)
ENCRYPT aes_gcm_8: IKEv1: IKE ESP IKEv2: IKE ESP FIPS (aes_gcm_a)
ENCRYPT aes_ctr: IKEv1: IKE ESP IKEv2: IKE ESP FIPS (aesctr)
ENCRYPT aes: IKEv1: IKE ESP IKEv2: IKE ESP FIPS (aes_cbc)
ENCRYPT serpent: IKEv1: IKE ESP IKEv2: IKE ESP (serpent_cbc)
ENCRYPT twofish: IKEv1: IKE ESP IKEv2: IKE ESP (twofish_cbc)
ENCRYPT twofish_ssh: IKEv1: IKE IKEv2: IKE ESP (twofish_cbc_ssh)
ENCRYPT cast: IKEv1: ESP IKEv2: ESP (cast_cbc)
ENCRYPT null: IKEv1: ESP IKEv2: ESP
HASH md5: IKEv1: IKE IKEv2:
HASH sha: IKEv1: IKE IKEv2: FIPS (sha1)
HASH sha2_256: IKEv1: IKE IKEv2: FIPS (sha2 sha256)
HASH sha2_384: IKEv1: IKE IKEv2: FIPS (sha384)
HASH sha2_512: IKEv1: IKE IKEv2: FIPS (sha512)
PRF md5: IKEv1: IKE IKEv2: IKE (hmac_md5)
PRF sha: IKEv1: IKE IKEv2: IKE FIPS (sha1 hmac_sha1)
PRF sha2_256: IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 hmac_sha2_256)
PRF sha2_384: IKEv1: IKE IKEv2: IKE FIPS (sha384 hmac_sha2_384)
PRF sha2_512: IKEv1: IKE IKEv2: IKE FIPS (sha512 hmac_sha2_512)
INTEG md5: IKEv1: IKE ESP AH IKEv2: IKE ESP AH (hmac_md5 hmac_md5_96)
INTEG sha: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha1 sha1_96 hmac_sha1 hmac_sha1_96)
INTEG sha2_512: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 hmac_sha2_512 hmac_sha2_512_256)
INTEG sha2_384: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 hmac_sha2_384 hmac_sha2_384_192)
INTEG sha2_256: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 hmac_sha2_256 hmac_sha2_256_128)
INTEG aes_xcbc: IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_xcbc_96)
INTEG aes_cmac: IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac_96)
INTEG ripemd: IKEv1: ESP AH IKEv2: (hmac_ripemd hmac_ripemd_160_96)
On 8 December 2016 at 11:13, Andrew Cagney <andrew.cagney at gmail.com> wrote:
> Does anyone know what ESP/AH (i.e., ENCR and INTEG) algorithms pluto
> supports? My guess is:
>
> ENCRYPT:
>
> &ike_alg_encrypt_aes_ccm_16,
> &ike_alg_encrypt_aes_ccm_12,
> &ike_alg_encrypt_aes_ccm_8,
> &ike_alg_encrypt_3des_cbc,
> &ike_alg_encrypt_camellia_ctr,
> &ike_alg_encrypt_camellia_cbc,
> &ike_alg_encrypt_aes_gcm_16,
> &ike_alg_encrypt_aes_gcm_12,
> &ike_alg_encrypt_aes_gcm_8,
> &ike_alg_encrypt_aes_ctr,
> &ike_alg_encrypt_aes_cbc,
> &ike_alg_encrypt_serpent_cbc,
> &ike_alg_encrypt_twofish_cbc,
> &ike_alg_encrypt_twofish_ssh,
>
> which is seemingly missing:
>
> ESP/AH ENCRYPT algorithm ESP_CAST=6 not found
> ESP/AH ENCRYPT algorithm ESP_ID255=255 not found
> ESP/AH ENCRYPT algorithm ESP_NULL=11 not found
>
> INTEG:
>
> &ike_alg_integ_md5,
> &ike_alg_integ_sha1,
> &ike_alg_integ_sha2_512,
> &ike_alg_integ_sha2_384,
> &ike_alg_integ_sha2_256,
> &ike_alg_integ_aes_xcbc,
> &ike_alg_integ_aes_cmac,
>
> which is seemingly missing:
>
> ESP/AH INTEG algorithm AUTH_ALGORITHM_HMAC_RIPEMD=8 not found
> ESP/AH INTEG algorithm AUTH_ALGORITHM_NONE=0 not found
>
> Andrew
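
The three rejection rules named in the message above (unknown algorithm, AEAD + INTEG, wrong key length), sketched as an added example that is not part of the original post and is not libreswan's code. The table, the struct, the enum and the function name check_esp_suite are hypothetical; only the algorithm names and FIPS tags are taken from the list in the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for an algorithm DB; NOT libreswan's ike_alg table. */
struct encrypt_desc {
    const char *name;
    bool aead;       /* combined mode: the cipher supplies its own integrity */
    bool fips;       /* entry carries the FIPS tag in the list above */
    int keylens[3];  /* permitted key lengths, in bits */
};
static const struct encrypt_desc encrypt_db[] = {
    { "aes",        false, true,  { 128, 192, 256 } },
    { "aes_gcm_16", true,  true,  { 128, 192, 256 } },
    { "camellia",   false, false, { 128, 192, 256 } },
};
/* Subset of the INTEG list; all three are tagged FIPS there. */
static const char *const integ_db[] = { "sha", "sha2_256", "sha2_512" };
enum suite_verdict { SUITE_OK, SUITE_UNKNOWN_ALG, SUITE_AEAD_WITH_INTEG, SUITE_BAD_KEYLEN };

/* integ == NULL means no separate integrity algorithm was proposed. */
enum suite_verdict check_esp_suite(const char *encrypt, int keylen,
                                   const char *integ, bool fips_mode)
{
    const struct encrypt_desc *e = NULL;
    for (size_t i = 0; i < sizeof(encrypt_db) / sizeof(encrypt_db[0]); i++) {
        /* In FIPS mode a non-FIPS entry is treated as absent from the DB. */
        if (strcmp(encrypt_db[i].name, encrypt) == 0 && (!fips_mode || encrypt_db[i].fips))
            e = &encrypt_db[i];
    }
    if (e == NULL)
        return SUITE_UNKNOWN_ALG;
    if (integ != NULL) {
        bool known = false;
        for (size_t i = 0; i < sizeof(integ_db) / sizeof(integ_db[0]); i++)
            known = known || strcmp(integ_db[i], integ) == 0;
        if (!known)
            return SUITE_UNKNOWN_ALG;
        if (e->aead)  /* AEAD already authenticates; a second INTEG is invalid */
            return SUITE_AEAD_WITH_INTEG;
    }
    for (size_t i = 0; i < 3; i++)
        if (e->keylens[i] == keylen)
            return SUITE_OK;
    return SUITE_BAD_KEYLEN;
}

int main(void) { return check_esp_suite("aes", 256, "sha2_256", false); }
```

Running the check when the configuration is parsed, rather than during negotiation, is what keeps an invalid suite from ever being proposed to a peer.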