diff -u --new-file --recursive freeswan-1.8/klips/net/ipsec/ipsec_rcv.c freeswan-1.8-compatible/klips/net/ipsec/ipsec_rcv.c --- freeswan-1.8/klips/net/ipsec/ipsec_rcv.c Fri Nov 24 19:50:36 2000 +++ freeswan-1.8-compatible/klips/net/ipsec/ipsec_rcv.c Wed Aug 1 09:36:55 2001 @@ -1004,6 +1004,9 @@ #ifdef CONFIG_IPSEC_ESP case IPPROTO_ESP: switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: +#endif case ESP_3DES: iv[0] = *((__u32 *)(espp->esp_iv) ); iv[1] = *((__u32 *)(espp->esp_iv) + 1); @@ -1024,6 +1027,25 @@ ilen -= esphlen; switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: + if ((ilen) % 8) { + printk("klips_error:ipsec_rcv: " + "got packet with esplen = %d from %s " + "-- should be on 8 octet boundary, packet dropped\n", + ilen, ipaddr_txt); + if(stats) { + stats->rx_errors++; + } + tdbp->tdb_encsize_errs += 1; + spin_unlock(&tdb_lock); + goto rcvleave; + } + des_cbc_encrypt(idat, idat, ilen, + tdbp->tdb_key_e, + (caddr_t)iv, 0); + break; +#endif case ESP_3DES: if ((ilen) % 8) { printk("klips_error:ipsec_rcv: " diff -u --new-file --recursive freeswan-1.8/klips/net/ipsec/ipsec_tunnel.c freeswan-1.8-compatible/klips/net/ipsec/ipsec_tunnel.c --- freeswan-1.8/klips/net/ipsec/ipsec_tunnel.c Thu Nov 9 12:52:15 2000 +++ freeswan-1.8-compatible/klips/net/ipsec/ipsec_tunnel.c Wed Aug 1 09:35:37 2001 @@ -929,6 +929,11 @@ #ifdef CONFIG_IPSEC_ESP case IPPROTO_ESP: switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: + headroom += sizeof(struct esp); + break; +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: headroom += sizeof(struct esp); @@ -1187,6 +1192,11 @@ #ifdef CONFIG_IPSEC_ESP case IPPROTO_ESP: switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: + headroom += sizeof(struct esp); + break; +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: headroom += sizeof(struct esp); @@ -1290,7 +1300,10 @@ espp->esp_rpl = htonl(++(tdbp->tdb_replaywin_lastseq)); switch(tdbp->tdb_encalg) { -#if defined(CONFIG_IPSEC_ENC_3DES) +#if defined(USE_SINGLE_DES) || defined(CONFIG_IPSEC_ENC_3DES) +#ifdef USE_SINGLE_DES + case ESP_DES: +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: #endif /* CONFIG_IPSEC_ENC_3DES */ @@ -1325,6 +1338,13 @@ iph->protocol = IPPROTO_ESP; switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: + des_cbc_encrypt(idat, idat, ilen, + (caddr_t)tdbp->tdb_key_e, + (caddr_t)iv, 1); + break; +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: des_ede3_cbc_encrypt(idat, idat, ilen, @@ -1345,7 +1365,10 @@ } switch(tdbp->tdb_encalg) { -#if defined(CONFIG_IPSEC_ENC_3DES) +#if defined(USE_SINGLE_DES) || defined(CONFIG_IPSEC_ENC_3DES) +#ifdef USE_SINGLE_DES + case ESP_DES: +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: #endif /* CONFIG_IPSEC_ENC_3DES */ diff -u --new-file --recursive freeswan-1.8/klips/net/ipsec/ipsec_xform.c freeswan-1.8-compatible/klips/net/ipsec/ipsec_xform.c --- freeswan-1.8/klips/net/ipsec/ipsec_xform.c Sun Nov 5 20:32:08 2000 +++ freeswan-1.8-compatible/klips/net/ipsec/ipsec_xform.c Wed Aug 1 09:35:47 2001 @@ -69,6 +69,9 @@ { XF_IP4, 0, "IPv4_Encapsulation"}, { XF_AHHMACMD5, XFT_AUTH, "HMAC_MD5_Authentication"}, { XF_AHHMACSHA1, XFT_AUTH, "HMAC_SHA-1_Authentication"}, +{ XF_ESPDES, XFT_CONF, "DES_Encryption"}, +{ XF_ESPDESMD596, XFT_CONF, "DES-MD5-96_Encryption"}, +{ XF_ESPDESSHA196, XFT_CONF, "DES-SHA1-96_Encryption"}, { XF_ESP3DES, XFT_CONF, "3DES_Encryption"}, { XF_ESP3DESMD596, XFT_CONF, "3DES-MD5-96_Encryption"}, { XF_ESP3DESSHA196, XFT_CONF, "3DES-SHA1-96_Encryption"}, @@ -534,6 +537,15 @@ #endif /* CONFIG_IPSEC_AH */ #ifdef CONFIG_IPSEC_ESP +#ifdef USE_SINGLE_DES + case XF_ESPDES: +#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 + case XF_ESPDESMD596: +#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ +#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 + case XF_ESPDESSHA196: +#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case XF_ESP3DES: #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 @@ -578,8 +590,11 @@ tdbp->tdb_replaywin = ed->eme_ooowin; switch(alg) { + case XF_ESPDES: case XF_ESP3DES: + case XF_ESPDESMD596: case XF_ESP3DESMD596: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: if((tdbp->tdb_iv = (caddr_t) kmalloc((tdbp->tdb_iv_size = EMT_ESPDES_IV_SZ), GFP_ATOMIC)) == NULL) { @@ -592,6 +607,39 @@ } switch(alg) { +#ifdef USE_SINGLE_DES + case XF_ESPDES: + case XF_ESPDESMD596: + case XF_ESPDESSHA196: + tdbp->tdb_encalg = ESP_DES; + + if (ed->eme_klen != EMT_ESPDES_KEY_SZ) { + KLIPS_PRINT(debug_esp, + "klips_debug:tdb_init: incorrect encryption " + "key size: %d -- must be %d octets (bytes)\n", + ed->eme_klen, EMT_ESPDES_KEY_SZ); + SENDERR(EINVAL); + } + + tdbp->tdb_key_bits_e = ed->eme_klen; + + if((tdbp->tdb_key_e = (caddr_t) + kmalloc((tdbp->tdb_key_e_size = sizeof(struct des_eks)), + GFP_ATOMIC)) == NULL) { + SENDERR(ENOMEM); + } + error = des_set_key((caddr_t)(ed->eme_key), (caddr_t)(tdbp->tdb_key_e)); + if (error == -1) + printk("klips_debug:tdb_init: parity error in des key\n"); + else if (error == -2) + printk("klips_debug:tdb_init: illegal weak des key\n"); + if (error) { + memset(tdbp->tdb_key_e, 0, sizeof (struct des_eks)); + kfree_s(tdbp->tdb_key_e, sizeof(struct des_eks)); + SENDERR(EINVAL); + } + break; +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case XF_ESP3DES: case XF_ESP3DESMD596: @@ -643,6 +691,7 @@ switch(alg) { #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 + case XF_ESPDESMD596: case XF_ESP3DESMD596: case XF_ESPNULLMD596: { @@ -717,6 +766,7 @@ #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 case XF_ESPNULLSHA196: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: { SHA1_CTX *ictx; @@ -785,6 +835,7 @@ break; } #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ + case XF_ESPDES: case XF_ESP3DES: tdbp->tdb_authalg = AH_NONE; break; diff -u --new-file --recursive freeswan-1.8/klips/net/ipsec/ipsec_xform.h freeswan-1.8-compatible/klips/net/ipsec/ipsec_xform.h --- freeswan-1.8/klips/net/ipsec/ipsec_xform.h Sun Nov 5 20:30:40 2000 +++ freeswan-1.8-compatible/klips/net/ipsec/ipsec_xform.h Thu Jun 28 13:02:36 2001 @@ -22,16 +22,21 @@ #define XF_IP4 1 /* IPv4 inside IPv4 */ #define XF_AHMD5 2 /* AH MD5 */ #define XF_AHSHA 3 /* AH SHA */ +#define XF_ESPDESOLD 4 /* old ESP DES-CBC */ #define XF_ESP3DES 5 /* ESP DES3-CBC */ #define XF_AHHMACMD5 6 /* AH-HMAC-MD5 with opt replay prot */ #define XF_AHHMACSHA1 7 /* AH-HMAC-SHA1 with opt replay prot */ +#define XF_ESPDESMD5 8 /* DES, HMAC-MD-5 with 128-bits of authentication */ #define XF_ESP3DESMD5 9 /* triple DES, HMAC-MD-5, 128-bits of authentication */ #define XF_ESP3DESMD596 10 /* triple DES, HMAC-MD-5, 96-bits of authentication */ +#define XF_ESPDESMD596 11 /* DES, HMAC-MD-5 with 96-bits of authentication */ #define XF_ESPNULLMD596 12 /* NULL, HMAC-MD-5 with 96-bits of authentication */ #define XF_ESPNULLSHA196 13 /* NULL, HMAC-SHA-1 with 96-bits of authentication */ #define XF_ESP3DESSHA196 14 /* triple DES, HMAC-SHA-1, 96-bits of authentication */ #define XF_IP6 15 /* IPv6 inside IPv6 */ #define XF_COMPDEFLATE 16 /* IPCOMP deflate */ +#define XF_ESPDESSHA196 17 /* DES, HMAC-SHA-1 with 96-bits of authentication */ +#define XF_ESPDES 18 /* ESP DES */ #define XF_CLR 126 /* Clear SA table */ #define XF_DEL 127 /* Delete SA */ @@ -44,16 +49,20 @@ #define AH_NONE 0 #define AH_MD5 2 #define AH_SHA 3 +#define AH_DES 4 /* IPsec ESP transform values */ #define ESP_NONE 0 +#define ESP_DES_IV64 1 +#define ESP_DES 2 #define ESP_3DES 3 #define ESP_RC5 4 #define ESP_IDEA 5 #define ESP_CAST 6 #define ESP_BLOWFISH 7 #define ESP_3IDEA 8 +#define ESP_DES_IV32 9 #define ESP_RC4 10 #define ESP_NULL 11 @@ -179,6 +188,7 @@ ((x)->tdb_encalg == SADB_X_CALG_DEFLATE ? \ "_DEFLATE" : "_UNKNOWN_comp") : \ (x)->tdb_encalg == ESP_NONE ? "" : \ + (x)->tdb_encalg == ESP_DES ? "_DES" : \ (x)->tdb_encalg == ESP_3DES ? "_3DES" : \ (x)->tdb_encalg == ESP_NULL ? "_NULL_encr" : \ "_UNKNOWN_encr", \ diff -u --new-file --recursive freeswan-1.8/klips/net/ipsec/pfkey_v2_parser.c freeswan-1.8-compatible/klips/net/ipsec/pfkey_v2_parser.c --- freeswan-1.8/klips/net/ipsec/pfkey_v2_parser.c Thu Nov 30 13:47:51 2000 +++ freeswan-1.8-compatible/klips/net/ipsec/pfkey_v2_parser.c Wed Aug 1 09:36:05 2001 @@ -987,10 +987,13 @@ unsigned char *akp, *ekp; switch(tdbp->tdb_encalg) { +# ifdef USE_SINGLE_DES + case ESP_DES: +# endif /* USE_SINGLE_DES */ # ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: # endif /* CONFIG_IPSEC_ENC_3DES */ -# if defined(CONFIG_IPSEC_ENC_3DES) +# if defined(USE_SINGLE_DES) || defined(CONFIG_IPSEC_ENC_3DES) if((tdbp->tdb_iv = (caddr_t) kmalloc((tdbp->tdb_iv_size = EMT_ESPDES_IV_SZ), GFP_ATOMIC)) == NULL) { SENDERR(ENOMEM); @@ -1013,6 +1016,38 @@ } switch(tdbp->tdb_encalg) { +# ifdef USE_SINGLE_DES + case ESP_DES: + if(tdbp->tdb_key_bits_e != (EMT_ESPDES_KEY_SZ * 8)) { + KLIPS_PRINT(debug_pfkey, + "klips_debug:pfkey_tdb_init: incorrect encryption" + "key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/, + tdbp->tdb_key_bits_e, EMT_ESPDES_KEY_SZ * 8); + SENDERR(EINVAL); + } + + /* save encryption key pointer */ + ekp = tdbp->tdb_key_e; + + if((tdbp->tdb_key_e = (caddr_t) + kmalloc((tdbp->tdb_key_e_size = sizeof(struct des_eks)), + GFP_ATOMIC)) == NULL) { + SENDERR(ENOMEM); + } + error = des_set_key((caddr_t)ekp, (caddr_t)(tdbp->tdb_key_e)); + if (error == -1) + printk("klips_debug:pfkey_tdb_init: parity error in des key\n"); + else if (error == -2) + printk("klips_debug:pfkey_tdb_init: illegal weak des key\n"); + if (error) { + memset(tdbp->tdb_key_e, 0, sizeof(struct des_eks)); + kfree_s(tdbp->tdb_key_e, sizeof(struct des_eks)); + memset(ekp, 0, DIVUP(tdbp->tdb_key_bits_e, BITS_PER_OCTET)); + SENDERR(EINVAL); + } + memset(ekp, 0, DIVUP(tdbp->tdb_key_bits_e, BITS_PER_OCTET)); + break; +# endif /* USE_SINGLE_DES */ # ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: if(tdbp->tdb_key_bits_e != (EMT_ESP3DES_KEY_SZ * 8)) { diff -u --new-file --recursive freeswan-1.8/klips/utils/spi.c freeswan-1.8-compatible/klips/utils/spi.c --- freeswan-1.8/klips/utils/spi.c Sun Nov 5 20:36:57 2000 +++ freeswan-1.8-compatible/klips/utils/spi.c Thu Jun 28 12:53:39 2001 @@ -363,14 +363,20 @@ program_name); exit(1); } - if (!strcmp(optarg, "3des-md5-96")) { + if (!strcmp(optarg, "des-md5-96")) { + alg = XF_ESPDESMD596; + } else if(!strcmp(optarg, "3des-md5-96")) { alg = XF_ESP3DESMD596; } else if(!strcmp(optarg, "null-md5-96")) { alg = XF_ESPNULLMD596; } else if(!strcmp(optarg, "null-sha1-96")) { alg = XF_ESPNULLSHA196; + } else if(!strcmp(optarg, "des-sha1-96")) { + alg = XF_ESPDESSHA196; } else if(!strcmp(optarg, "3des-sha1-96")) { alg = XF_ESP3DESSHA196; + } else if(!strcmp(optarg, "des")) { + alg = XF_ESPDES; } else if(!strcmp(optarg, "3des")) { alg = XF_ESP3DES; } else { @@ -766,10 +772,13 @@ case XF_DEL: case XF_AHHMACMD5: case XF_AHHMACSHA1: + case XF_ESPDESMD596: case XF_ESP3DESMD596: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: case XF_ESPNULLMD596: case XF_ESPNULLSHA196: + case XF_ESPDES: case XF_ESP3DES: case XF_COMPDEFLATE: if(!said_opt) { @@ -820,10 +829,13 @@ case XF_IP6: case XF_AHHMACMD5: case XF_AHHMACSHA1: + case XF_ESPDESMD596: case XF_ESP3DESMD596: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: case XF_ESPNULLMD596: case XF_ESPNULLSHA196: + case XF_ESPDES: case XF_ESP3DES: case XF_COMPDEFLATE: break; @@ -1067,20 +1079,28 @@ switch(alg) { case XF_AHHMACMD5: + case XF_ESPDESMD596: case XF_ESP3DESMD596: case XF_ESPNULLMD596: authalg = SADB_AALG_MD5HMAC; break; case XF_AHHMACSHA1: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: case XF_ESPNULLSHA196: authalg = SADB_AALG_SHA1HMAC; break; + case XF_ESPDESMD5: case XF_ESP3DESMD5: default: authalg = SADB_AALG_NONE; } switch(alg) { + case XF_ESPDES: + case XF_ESPDESMD596: + case XF_ESPDESSHA196: + encryptalg = SADB_EALG_DESCBC; + break; case XF_ESP3DES: case XF_ESP3DESMD596: case XF_ESP3DESSHA196: @@ -1254,9 +1274,11 @@ switch(alg) { case XF_AHHMACMD5: + case XF_ESPDESMD596: case XF_ESP3DESMD596: case XF_ESPNULLMD596: case XF_AHHMACSHA1: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: case XF_ESPNULLSHA196: if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH], @@ -1277,6 +1299,9 @@ } switch(alg) { + case XF_ESPDES: + case XF_ESPDESMD596: + case XF_ESPDESSHA196: case XF_ESP3DES: case XF_ESP3DESMD596: case XF_ESP3DESSHA196: diff -u --new-file --recursive freeswan-1.8/lib/freeswan.h freeswan-1.8-compatible/lib/freeswan.h --- freeswan-1.8/lib/freeswan.h Sun Nov 5 20:37:12 2000 +++ freeswan-1.8-compatible/lib/freeswan.h Wed Aug 1 09:34:13 2001 @@ -75,7 +75,7 @@ #define net_device_stats enet_statistics #endif - +#define USE_SINGLE_DES /* * We've just got to have some datatypes defined... And annoyingly, just diff -u --new-file --recursive freeswan-1.8/pluto/crypto.c freeswan-1.8-compatible/pluto/crypto.c --- freeswan-1.8/pluto/crypto.c Mon Oct 2 20:31:05 2000 +++ freeswan-1.8-compatible/pluto/crypto.c Wed Aug 1 09:33:12 2001 @@ -36,9 +36,13 @@ static MP_INT +#ifdef USE_SINGLE_DES + modp768_modulus, +#else #if 0 /* modp768 not sufficiently strong */ modp768_modulus, #endif +#endif modp1024_modulus, modp1536_modulus; @@ -48,9 +52,13 @@ init_crypto(void) { if (mpz_init_set_str(&groupgenerator, MODP_GENERATOR, 10) != 0 +#ifdef USE_SINGLE_DES + || mpz_init_set_str(&modp768_modulus, MODP768_MODULUS, 16) != 0 +#else #if 0 /* modp768 not sufficiently strong */ || mpz_init_set_str(&modp768_modulus, MODP768_MODULUS, 16) != 0 #endif +#endif || mpz_init_set_str(&modp1024_modulus, MODP1024_MODULUS, 16) != 0 || mpz_init_set_str(&modp1536_modulus, MODP1536_MODULUS, 16) != 0) exit_log("mpz_init_set_str() failed in init_crypto()"); @@ -65,8 +73,12 @@ static const struct oakley_group_desc oakley_group[] = { # define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE) +#ifdef USE_SINGLE_DES + { OAKLEY_GROUP_MODP768, &modp768_modulus, BYTES(768) }, +#else #if 0 /* modp768 not sufficiently strong */ { OAKLEY_GROUP_MODP768, &modp768_modulus, BYTES(768) }, +#endif #endif { OAKLEY_GROUP_MODP1024, &modp1024_modulus, BYTES(1024) }, { OAKLEY_GROUP_MODP1536, &modp1536_modulus, BYTES(1536) }, diff -u --new-file --recursive freeswan-1.8/pluto/spdb.c freeswan-1.8-compatible/pluto/spdb.c --- freeswan-1.8/pluto/spdb.c Mon Oct 30 12:04:37 2000 +++ freeswan-1.8-compatible/pluto/spdb.c Wed Aug 1 09:35:03 2001 @@ -74,6 +74,65 @@ { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, }; +#ifdef USE_SINGLE_DES +static struct db_attr otpsk768des3md5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otpsk768des3sha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otpsk768desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otpsk1024desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 }, + }; + +static struct db_attr otpsk1536desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, + }; + +static struct db_attr otpsk768dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otpsk1024dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 }, + }; + +static struct db_attr otpsk1536dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, + }; + +#endif + /* arrays of attributes for transforms, RSA signatures */ static struct db_attr otrsasig1024des3md5[] = { @@ -127,6 +186,16 @@ { KEY_IKE, AD(otpsk1024des3md5) }, { KEY_IKE, AD(otpsk1536des3md5) }, { KEY_IKE, AD(otpsk1536des3sha) }, +#ifdef USE_SINGLE_DES + { KEY_IKE, AD(otpsk768des3md5) }, + { KEY_IKE, AD(otpsk768des3sha) }, + { KEY_IKE, AD(otpsk768desmd5) }, + { KEY_IKE, AD(otpsk1024desmd5) }, + { KEY_IKE, AD(otpsk1536desmd5) }, + { KEY_IKE, AD(otpsk768dessha) }, + { KEY_IKE, AD(otpsk1024dessha) }, + { KEY_IKE, AD(otpsk1536dessha) }, +#endif }; static struct db_trans oakley_trans_rsasig[] = { @@ -151,6 +220,16 @@ { KEY_IKE, AD(otpsk1536des3md5) }, { KEY_IKE, AD(otrsasig1536des3sha) }, { KEY_IKE, AD(otpsk1536des3sha) }, +#ifdef USE_SINGLE_DES + { KEY_IKE, AD(otpsk768des3md5) }, + { KEY_IKE, AD(otpsk768des3sha) }, + { KEY_IKE, AD(otpsk768desmd5) }, + { KEY_IKE, AD(otpsk1024desmd5) }, + { KEY_IKE, AD(otpsk1536desmd5) }, + { KEY_IKE, AD(otpsk768dessha) }, + { KEY_IKE, AD(otpsk1024dessha) }, + { KEY_IKE, AD(otpsk1536dessha) }, +#endif }; /* array of proposals to be conjoined (can only be one for Oakley) */ @@ -205,10 +284,17 @@ static struct db_trans espa_trans[] = { { ESP_3DES, AD(espmd5_attr) }, { ESP_3DES, AD(espsha1_attr) }, +#ifdef USE_SINGLE_DES + { ESP_DES, AD(espmd5_attr) }, + { ESP_DES, AD(espsha1_attr) }, +#endif }; static struct db_trans esp_trans[] = { { ESP_3DES, AD_NULL }, +#ifdef USE_SINGLE_DES + { ESP_DES, AD_NULL }, +#endif }; #ifdef SUPPORT_ESP_NULL @@ -865,9 +951,13 @@ case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV: switch (val) { +#ifdef USE_SINGLE_DES + case OAKLEY_DES_CBC: +#else #if 0 /* we don't feel DES is safe */ case OAKLEY_DES_CBC: #endif +#endif case OAKLEY_3DES_CBC: ta.encrypt = val; ta.encrypter = &oakley_encrypter[val]; @@ -1781,9 +1871,13 @@ switch (esp_attrs.transid) { +#ifdef USE_SINGLE_DES + case ESP_DES: +#else #if 0 /* we don't feel single DES is safe */ case ESP_DES: #endif +#endif /* ifdef USE_SINGLE_DES */ case ESP_3DES: break;