diff -u --recursive freeswan-1.91-orig/klips/net/ipsec/ipsec_rcv.c freeswan-1.91/klips/net/ipsec/ipsec_rcv.c --- freeswan-1.91-orig/klips/net/ipsec/ipsec_rcv.c Wed Jun 13 13:58:40 2001 +++ freeswan-1.91/klips/net/ipsec/ipsec_rcv.c Wed Aug 1 11:27:57 2001 @@ -1026,6 +1026,9 @@ #ifdef CONFIG_IPSEC_ESP case IPPROTO_ESP: switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: +#endif case ESP_3DES: iv[0] = *((__u32 *)(espp->esp_iv) ); iv[1] = *((__u32 *)(espp->esp_iv) + 1); @@ -1043,6 +1046,25 @@ ilen -= esphlen; switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: + if ((ilen) % 8) { + printk("klips_error:ipsec_rcv: " + "got packet with esplen = %d from %s " + "-- should be on 8 octet boundary, packet dropped\n", + ilen, ipaddr_txt); + if(stats) { + stats->rx_errors++; + } + tdbp->tdb_encsize_errs += 1; + spin_unlock(&tdb_lock); + goto rcvleave; + } + des_cbc_encrypt(idat, idat, ilen, + tdbp->tdb_key_e, + (caddr_t)iv, 0); + break; +#endif case ESP_3DES: if ((ilen) % 8) { tdbp->tdb_encsize_errs += 1; diff -u --recursive freeswan-1.91-orig/klips/net/ipsec/ipsec_tunnel.c freeswan-1.91/klips/net/ipsec/ipsec_tunnel.c --- freeswan-1.91-orig/klips/net/ipsec/ipsec_tunnel.c Thu Jun 14 12:35:10 2001 +++ freeswan-1.91/klips/net/ipsec/ipsec_tunnel.c Thu Aug 2 10:41:32 2001 @@ -1065,6 +1065,11 @@ #ifdef CONFIG_IPSEC_ESP case IPPROTO_ESP: switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: + headroom += sizeof(struct esp); + break; +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: headroom += sizeof(struct esp); @@ -1350,6 +1355,11 @@ #ifdef CONFIG_IPSEC_ESP case IPPROTO_ESP: switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: + headroom += sizeof(struct esp); + break; +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: headroom += sizeof(struct esp); 
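Review bot: In the added `case ESP_DES:` branch of ipsec_rcv.c (hunk @@ -1043), the length-error path calls `printk` unconditionally for every packet whose payload is not a multiple of 8, so the kernel log volume is driven by remote traffic. Other messages added by this patch go through `KLIPS_PRINT` with a debug flag; doing the same here, or rate-limiting the message, leaves `tdb_encsize_errs` and `rx_errors` as the durable signal. The decrypt call also passes `tdbp->tdb_key_e` without the `(caddr_t)` cast that the matching encrypt call in ipsec_tunnel.c uses. The enclosing switch and function continue outside the hunk, so how the ESP_3DES branch reports the same error is only partly visible.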
@@ -1447,7 +1457,10 @@ espp->esp_rpl = htonl(++(tdbp->tdb_replaywin_lastseq)); switch(tdbp->tdb_encalg) { -#if defined(CONFIG_IPSEC_ENC_3DES) +#if defined(USE_SINGLE_DES) || defined(CONFIG_IPSEC_ENC_3DES) +#ifdef USE_SINGLE_DES + case ESP_DES: +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: #endif /* CONFIG_IPSEC_ENC_3DES */ @@ -1478,6 +1491,13 @@ iph->protocol = IPPROTO_ESP; switch(tdbp->tdb_encalg) { +#ifdef USE_SINGLE_DES + case ESP_DES: + des_cbc_encrypt(idat, idat, ilen, + (caddr_t)tdbp->tdb_key_e, + (caddr_t)iv, 1); + break; +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: des_ede3_cbc_encrypt(idat, idat, ilen, @@ -1494,7 +1514,10 @@ } switch(tdbp->tdb_encalg) { -#if defined(CONFIG_IPSEC_ENC_3DES) +#if defined(USE_SINGLE_DES) || defined(CONFIG_IPSEC_ENC_3DES) +#ifdef USE_SINGLE_DES + case ESP_DES: +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: #endif /* CONFIG_IPSEC_ENC_3DES */ diff -u --recursive freeswan-1.91-orig/klips/net/ipsec/ipsec_xform.c freeswan-1.91/klips/net/ipsec/ipsec_xform.c --- freeswan-1.91-orig/klips/net/ipsec/ipsec_xform.c Thu Jun 14 12:35:11 2001 +++ freeswan-1.91/klips/net/ipsec/ipsec_xform.c Wed Aug 1 11:27:57 2001 @@ -69,6 +69,9 @@ { XF_IP4, 0, "IPv4_Encapsulation"}, { XF_AHHMACMD5, XFT_AUTH, "HMAC_MD5_Authentication"}, { XF_AHHMACSHA1, XFT_AUTH, "HMAC_SHA-1_Authentication"}, +{ XF_ESPDES, XFT_CONF, "DES_Encryption"}, +{ XF_ESPDESMD596, XFT_CONF, "DES-MD5-96_Encryption"}, +{ XF_ESPDESSHA196, XFT_CONF, "DES-SHA1-96_Encryption"}, { XF_ESP3DES, XFT_CONF, "3DES_Encryption"}, { XF_ESP3DESMD596, XFT_CONF, "3DES-MD5-96_Encryption"}, { XF_ESP3DESSHA196, XFT_CONF, "3DES-SHA1-96_Encryption"}, 
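Review bot: The three DES rows added to the transform name table in ipsec_xform.c (hunk @@ -69) are not wrapped in `#ifdef USE_SINGLE_DES`, while the code that actually keys a DES SA is. The same applies to the unguarded `case XF_ESPDES*` labels in hunks @@ -604, @@ -672, @@ -747 and @@ -816, the `SADB_EALG_DESCBC` row in pfkey_v2.c (@@ -1616) and the two DES proposals in pfkey_v2_parser.c (@@ -3247). A build without the macro would therefore still name and advertise DES while being unable to set it up. Wrapping each of these additions in `#ifdef USE_SINGLE_DES` / `#endif /* USE_SINGLE_DES */` would make the macro a real switch.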
@@ -568,6 +571,15 @@ #endif /* CONFIG_IPSEC_AH */ #ifdef CONFIG_IPSEC_ESP +#ifdef USE_SINGLE_DES + case XF_ESPDES: +#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 + case XF_ESPDESMD596: +#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ +#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 + case XF_ESPDESSHA196: +#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case XF_ESP3DES: #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 @@ -604,8 +616,11 @@ tdbp->tdb_replaywin = ed->eme_ooowin; switch(alg) { + case XF_ESPDES: case XF_ESP3DES: + case XF_ESPDESMD596: case XF_ESP3DESMD596: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: if((tdbp->tdb_iv = (caddr_t) kmalloc((tdbp->tdb_iv_size = EMT_ESPDES_IV_SZ), GFP_ATOMIC)) == NULL) { @@ -618,6 +633,39 @@ } switch(alg) { +#ifdef USE_SINGLE_DES + case XF_ESPDES: + case XF_ESPDESMD596: + case XF_ESPDESSHA196: + tdbp->tdb_encalg = ESP_DES; + + if (ed->eme_klen != EMT_ESPDES_KEY_SZ) { + KLIPS_PRINT(debug_esp, + "klips_debug:tdb_init: incorrect encryption " + "key size: %d -- must be %d octets (bytes)\n", + ed->eme_klen, EMT_ESPDES_KEY_SZ); + SENDERR(EINVAL); + } + + tdbp->tdb_key_bits_e = ed->eme_klen; + + if((tdbp->tdb_key_e = (caddr_t) + kmalloc((tdbp->tdb_key_e_size = sizeof(struct des_eks)), + GFP_ATOMIC)) == NULL) { + SENDERR(ENOMEM); + } + error = des_set_key((caddr_t)(ed->eme_key), (caddr_t)(tdbp->tdb_key_e)); + if (error == -1) + printk("klips_debug:tdb_init: parity error in des key\n"); + else if (error == -2) + printk("klips_debug:tdb_init: illegal weak des key\n"); + if (error) { + memset(tdbp->tdb_key_e, 0, sizeof (struct des_eks)); + kfree_s(tdbp->tdb_key_e, sizeof(struct des_eks)); + SENDERR(EINVAL); + } + break; +#endif /* USE_SINGLE_DES */ #ifdef CONFIG_IPSEC_ENC_3DES case XF_ESP3DES: case XF_ESP3DESMD596: @@ -672,6 +720,7 @@ switch(alg) { #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 + case XF_ESPDESMD596: case XF_ESP3DESMD596: case XF_ESPNULLMD596: { 
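Review bot: In the added `case XF_ESPDES:` block of tdb_init (hunk @@ -618), the `des_set_key` failure path zeroes and frees `tdbp->tdb_key_e` but leaves the pointer and `tdb_key_e_size` set before `SENDERR(EINVAL)`. If the error path or the caller later wipes the tdb and frees `tdb_key_e` (not visible here), that would be a second free of the same buffer; adding `tdbp->tdb_key_e = NULL; tdbp->tdb_key_e_size = 0;` after the `kfree_s` removes the hazard. Separately, `tdb_key_bits_e` is assigned `ed->eme_klen`, which the check just above treats as octets, whereas the pfkey_v2_parser.c hunk compares the same field against `EMT_ESPDES_KEY_SZ * 8`; the intended unit should be documented on the field. The function body starts and ends outside the hunk.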
@@ -747,6 +796,7 @@ #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 case XF_ESPNULLSHA196: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: { SHA1_CTX *ictx; @@ -816,6 +866,7 @@ break; } #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ + case XF_ESPDES: case XF_ESP3DES: tdbp->tdb_authalg = AH_NONE; break; diff -u --recursive freeswan-1.91-orig/klips/net/ipsec/ipsec_xform.h freeswan-1.91/klips/net/ipsec/ipsec_xform.h --- freeswan-1.91-orig/klips/net/ipsec/ipsec_xform.h Thu Jun 14 12:35:11 2001 +++ freeswan-1.91/klips/net/ipsec/ipsec_xform.h Wed Aug 1 11:27:57 2001 @@ -22,16 +22,21 @@ #define XF_IP4 1 /* IPv4 inside IPv4 */ #define XF_AHMD5 2 /* AH MD5 */ #define XF_AHSHA 3 /* AH SHA */ +#define XF_ESPDESOLD 4 /* old ESP DES-CBC */ #define XF_ESP3DES 5 /* ESP DES3-CBC */ #define XF_AHHMACMD5 6 /* AH-HMAC-MD5 with opt replay prot */ #define XF_AHHMACSHA1 7 /* AH-HMAC-SHA1 with opt replay prot */ +#define XF_ESPDESMD5 8 /* DES, HMAC-MD-5 with 128-bits of authentication */ #define XF_ESP3DESMD5 9 /* triple DES, HMAC-MD-5, 128-bits of authentication */ #define XF_ESP3DESMD596 10 /* triple DES, HMAC-MD-5, 96-bits of authentication */ +#define XF_ESPDESMD596 11 /* DES, HMAC-MD-5 with 96-bits of authentication */ #define XF_ESPNULLMD596 12 /* NULL, HMAC-MD-5 with 96-bits of authentication */ #define XF_ESPNULLSHA196 13 /* NULL, HMAC-SHA-1 with 96-bits of authentication */ #define XF_ESP3DESSHA196 14 /* triple DES, HMAC-SHA-1, 96-bits of authentication */ #define XF_IP6 15 /* IPv6 inside IPv6 */ #define XF_COMPDEFLATE 16 /* IPCOMP deflate */ +#define XF_ESPDESSHA196 17 /* DES, HMAC-SHA-1 with 96-bits of authentication */ +#define XF_ESPDES 18 /* ESP DES */ #define XF_CLR 126 /* Clear SA table */ #define XF_DEL 127 /* Delete SA */ 
@@ -44,16 +49,20 @@ #define AH_NONE 0 #define AH_MD5 2 #define AH_SHA 3 +#define AH_DES 4 /* IPsec ESP transform values */ #define ESP_NONE 0 +#define ESP_DES_IV64 1 +#define ESP_DES 2 #define ESP_3DES 3 #define ESP_RC5 4 #define ESP_IDEA 5 #define ESP_CAST 6 #define ESP_BLOWFISH 7 #define ESP_3IDEA 8 +#define ESP_DES_IV32 9 #define ESP_RC4 10 #define ESP_NULL 11 @@ -179,6 +188,7 @@ ((x)->tdb_encalg == SADB_X_CALG_DEFLATE ? \ "_DEFLATE" : "_UNKNOWN_comp") : \ (x)->tdb_encalg == ESP_NONE ? "" : \ + (x)->tdb_encalg == ESP_DES ? "_DES" : \ (x)->tdb_encalg == ESP_3DES ? "_3DES" : \ "_UNKNOWN_encr", \ (x)->tdb_authalg == AH_NONE ? "" : \ diff -u --recursive freeswan-1.91-orig/klips/net/ipsec/pfkey_v2.c freeswan-1.91/klips/net/ipsec/pfkey_v2.c --- freeswan-1.91-orig/klips/net/ipsec/pfkey_v2.c Thu Jun 14 12:35:12 2001 +++ freeswan-1.91/klips/net/ipsec/pfkey_v2.c Thu Aug 2 11:32:46 2001 @@ -1616,6 +1616,7 @@ static struct supported supported_init_esp[] = { {SADB_EXT_SUPPORTED_AUTH, SADB_AALG_MD5HMAC, 0, 128, 128}, {SADB_EXT_SUPPORTED_AUTH, SADB_AALG_SHA1HMAC, 0, 160, 160}, + {SADB_EXT_SUPPORTED_ENCRYPT, SADB_EALG_DESCBC, 128, 56, 56}, {SADB_EXT_SUPPORTED_ENCRYPT, SADB_EALG_3DESCBC, 128, 168, 168} }; static struct supported supported_init_ipip[] = { diff -u --recursive freeswan-1.91-orig/klips/net/ipsec/pfkey_v2_parser.c freeswan-1.91/klips/net/ipsec/pfkey_v2_parser.c --- freeswan-1.91-orig/klips/net/ipsec/pfkey_v2_parser.c Thu Jun 14 21:57:02 2001 +++ freeswan-1.91/klips/net/ipsec/pfkey_v2_parser.c Thu Aug 2 11:04:13 2001 @@ -1049,10 +1049,13 @@ unsigned int aks, eks; switch(tdbp->tdb_encalg) { +# ifdef USE_SINGLE_DES + case ESP_DES: +# endif /* USE_SINGLE_DES */ # ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: # endif /* CONFIG_IPSEC_ENC_3DES */ -# if defined(CONFIG_IPSEC_ENC_3DES) +# if defined(USE_SINGLE_DES) || defined(CONFIG_IPSEC_ENC_3DES) if((tdbp->tdb_iv = (caddr_t) kmalloc((tdbp->tdb_iv_size = EMT_ESPDES_IV_SZ), GFP_ATOMIC)) == NULL) { SENDERR(ENOMEM); 
@@ -1072,6 +1075,42 @@ } switch(tdbp->tdb_encalg) { +# ifdef USE_SINGLE_DES + case ESP_DES: + if(tdbp->tdb_key_bits_e != (EMT_ESPDES_KEY_SZ * 8)) { + KLIPS_PRINT(debug_pfkey, + "klips_debug:pfkey_tdb_init: incorrect encryption" + "key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/, + tdbp->tdb_key_bits_e, EMT_ESPDES_KEY_SZ * 8); + SENDERR(EINVAL); + } + + /* save encryption key pointer */ + ekp = tdbp->tdb_key_e; + eks = tdbp->tdb_key_e_size; + + if((tdbp->tdb_key_e = (caddr_t) + kmalloc((tdbp->tdb_key_e_size = sizeof(struct des_eks)), + GFP_ATOMIC)) == NULL) { + tdbp->tdb_key_e = ekp; + SENDERR(ENOMEM); + } + + error = des_set_key((caddr_t)ekp, (caddr_t)(tdbp->tdb_key_e)); + if (error == -1) + printk("klips_debug:pfkey_tdb_init: parity error in des key\n"); + else if (error == -2) + printk("klips_debug:pfkey_tdb_init: illegal weak des key\n"); + if (error) { + memset(ekp, 0, eks); + kfree(ekp); + SENDERR(EINVAL); + } + memset(ekp, 0, eks); + kfree(ekp); + + break; +# endif /* USE_SINGLE_DES */ # ifdef CONFIG_IPSEC_ENC_3DES case ESP_3DES: if(tdbp->tdb_key_bits_e != (EMT_ESP3DES_KEY_SZ * 8)) { @@ -3247,6 +3286,15 @@ /* auth_minbits; auth_maxbits; encrypt_minbits; encrypt_maxbits; */ /* reserved; soft_allocations; hard_allocations; soft_bytes; hard_bytes; */ /* soft_addtime; hard_addtime; soft_usetime; hard_usetime; */ + + { SADB_AALG_MD5HMAC, SADB_EALG_DESCBC, SADB_SAFLAGS_PFS, + 128, 128, 56, 56, + 0, 0, 0, 0, 0, + 57600, 86400, 57600, 86400 }, + { SADB_AALG_SHA1HMAC, SADB_EALG_DESCBC, SADB_SAFLAGS_PFS, + 160, 160, 56, 56, + 0, 0, 0, 0, 0, + 57600, 86400, 57600, 86400 }, { SADB_AALG_MD5HMAC, SADB_EALG_3DESCBC, SADB_SAFLAGS_PFS, 128, 128, 168, 168, 0, 0, 0, 0, 0, diff -u --recursive freeswan-1.91-orig/klips/utils/spi.c freeswan-1.91/klips/utils/spi.c --- freeswan-1.91-orig/klips/utils/spi.c Thu Jun 14 12:35:14 2001 +++ freeswan-1.91/klips/utils/spi.c Thu Aug 2 11:10:41 2001 
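Review bot: In the added `case ESP_DES:` block of pfkey_tdb_init (hunk @@ -1072), the `kmalloc` failure path restores `tdbp->tdb_key_e = ekp` but not `tdb_key_e_size`, which the same expression has already overwritten with `sizeof(struct des_eks)`. Any later code that zeroes or frees the key using that size would touch more bytes than the raw key buffer holds; add `tdbp->tdb_key_e_size = eks;` next to the pointer restore. On `des_set_key` failure the raw key is wiped, but the partly filled schedule in `tdb_key_e` is left as is, unlike the tdb_init version in ipsec_xform.c, which clears and frees it. The debug string also runs together as "encryptionkey size" because the literal `"... incorrect encryption"` has no trailing space. The enclosing function is not fully visible in the hunk.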
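Review bot: The two `SADB_EALG_DESCBC` rows in hunk @@ -3247 are inserted ahead of the existing `SADB_EALG_3DESCBC` rows and carry no `USE_SINGLE_DES` guard. If this table is emitted in order as a preference list (its consumer is outside the hunk), the 56-bit cipher would be offered before 3DES. Moving the DES rows after the last 3DES row and wrapping them in `#ifdef USE_SINGLE_DES` keeps the stronger transform preferred. The table's declaration is outside the hunk.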
@@ -94,9 +94,9 @@ spi --ah [ --replay_window ] --authkey \n\ where is one of: hmac-md5-96 | hmac-sha1-96\n\ spi --esp [ --replay_window ] --enckey --authkey \n\ - where is one of: 3des-md5-96 | 3des-sha1-96\n\ + where is one of: des-md5-96 | des-sha1-96 | 3des-md5-96 | 3des-sha1-96\n\ spi --esp [ --replay_window ] --enckey \n\ - where is: 3des\n\ + where is: des | 3des\n\ spi --comp \n\ where is: deflate\n\ [ --debug ] is optional to any spi command.\n\ @@ -373,10 +373,16 @@ program_name); exit(1); } - if (!strcmp(optarg, "3des-md5-96")) { + if (!strcmp(optarg, "des-md5-96")) { + alg = XF_ESPDESMD596; + } else if (!strcmp(optarg, "3des-md5-96")) { alg = XF_ESP3DESMD596; + } else if(!strcmp(optarg, "des-sha1-96")) { + alg = XF_ESPDESSHA196; } else if(!strcmp(optarg, "3des-sha1-96")) { alg = XF_ESP3DESSHA196; + } else if(!strcmp(optarg, "des")) { + alg = XF_ESPDES; } else if(!strcmp(optarg, "3des")) { alg = XF_ESP3DES; } else { @@ -771,8 +777,11 @@ case XF_DEL: case XF_AHHMACMD5: case XF_AHHMACSHA1: + case XF_ESPDESMD596: case XF_ESP3DESMD596: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: + case XF_ESPDES: case XF_ESP3DES: case XF_COMPDEFLATE: if(!said_opt) { @@ -823,8 +832,11 @@ case XF_IP6: case XF_AHHMACMD5: case XF_AHHMACSHA1: + case XF_ESPDESMD596: case XF_ESP3DESMD596: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: + case XF_ESPDES: case XF_ESP3DES: case XF_COMPDEFLATE: break; @@ -1068,18 +1080,26 @@ switch(alg) { case XF_AHHMACMD5: + case XF_ESPDESMD596: case XF_ESP3DESMD596: authalg = SADB_AALG_MD5HMAC; break; case XF_AHHMACSHA1: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: authalg = SADB_AALG_SHA1HMAC; break; case XF_ESP3DESMD5: + case XF_ESPDESMD5: default: authalg = SADB_AALG_NONE; } switch(alg) { + case XF_ESPDES: + case XF_ESPDESMD596: + case XF_ESPDESSHA196: + encryptalg = SADB_EALG_DESCBC; + break; case XF_ESP3DES: case XF_ESP3DESMD596: case XF_ESP3DESSHA196: 
@@ -1249,8 +1269,10 @@ switch(alg) { case XF_AHHMACMD5: + case XF_ESPDESMD596: case XF_ESP3DESMD596: case XF_AHHMACSHA1: + case XF_ESPDESSHA196: case XF_ESP3DESSHA196: if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH], SADB_EXT_KEY_AUTH, @@ -1270,6 +1292,9 @@ } switch(alg) { + case XF_ESPDES: + case XF_ESPDESMD596: + case XF_ESPDESSHA196: case XF_ESP3DES: case XF_ESP3DESMD596: case XF_ESP3DESSHA196: diff -u --recursive freeswan-1.91-orig/lib/freeswan.h freeswan-1.91/lib/freeswan.h --- freeswan-1.91-orig/lib/freeswan.h Thu Jun 14 12:35:15 2001 +++ freeswan-1.91/lib/freeswan.h Wed Aug 1 11:27:57 2001 @@ -91,7 +91,7 @@ #define net_device_stats enet_statistics #endif - +#define USE_SINGLE_DES /* * We've just got to have some datatypes defined... And annoyingly, just diff -u --recursive freeswan-1.91-orig/pluto/crypto.c freeswan-1.91/pluto/crypto.c --- freeswan-1.91-orig/pluto/crypto.c Mon Oct 2 20:31:05 2000 +++ freeswan-1.91/pluto/crypto.c Wed Aug 1 11:27:57 2001 @@ -36,9 +36,13 @@ static MP_INT +#ifdef USE_SINGLE_DES + modp768_modulus, +#else #if 0 /* modp768 not sufficiently strong */ modp768_modulus, #endif +#endif modp1024_modulus, modp1536_modulus; @@ -48,9 +52,13 @@ init_crypto(void) { if (mpz_init_set_str(&groupgenerator, MODP_GENERATOR, 10) != 0 +#ifdef USE_SINGLE_DES + || mpz_init_set_str(&modp768_modulus, MODP768_MODULUS, 16) != 0 +#else #if 0 /* modp768 not sufficiently strong */ || mpz_init_set_str(&modp768_modulus, MODP768_MODULUS, 16) != 0 #endif +#endif || mpz_init_set_str(&modp1024_modulus, MODP1024_MODULUS, 16) != 0 || mpz_init_set_str(&modp1536_modulus, MODP1536_MODULUS, 16) != 0) exit_log("mpz_init_set_str() failed in init_crypto()"); 
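Review bot: `#define USE_SINGLE_DES` in lib/freeswan.h (hunk @@ -91) turns the option on for every build that includes this header, so single DES cannot be left out without editing the source. 56-bit DES is within reach of exhaustive key search, and the pluto hunks show it had been disabled on purpose (`we don't feel DES is safe`). The macro would be better supplied by the build (for example `-DUSE_SINGLE_DES` in the compiler flags of sites that need legacy interoperability) and left undefined by default. If it stays in the header it should carry a comment such as `/* USE_SINGLE_DES: enables 56-bit DES and the 768-bit MODP group for legacy peers; weak, enable only when required */`. The define also replaces a blank separator line instead of sitting next to related configuration.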
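Review bot: In pluto/crypto.c (hunk @@ -36, and again in @@ -48 and @@ -65) the DES macro also re-enables `modp768_modulus`, which the surrounding comment marks as `not sufficiently strong`. That ties a Diffie-Hellman group choice to a cipher option, and the spdb.c hunks then pair MODP768 with 3DES as well, so enabling DES interoperability also lowers the key-exchange strength available to 3DES proposals. A separate macro for the 768-bit group would let the two be enabled independently. The `#ifdef USE_SINGLE_DES … #else #if 0 … #endif #endif` nesting repeats the same line twice; a single `#ifdef USE_SINGLE_DES` around `modp768_modulus,` with the strength comment kept above it is equivalent.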
@@ -65,8 +73,12 @@ static const struct oakley_group_desc oakley_group[] = { # define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE) +#ifdef USE_SINGLE_DES + { OAKLEY_GROUP_MODP768, &modp768_modulus, BYTES(768) }, +#else #if 0 /* modp768 not sufficiently strong */ { OAKLEY_GROUP_MODP768, &modp768_modulus, BYTES(768) }, +#endif #endif { OAKLEY_GROUP_MODP1024, &modp1024_modulus, BYTES(1024) }, { OAKLEY_GROUP_MODP1536, &modp1536_modulus, BYTES(1536) }, diff -u --recursive freeswan-1.91-orig/pluto/demux.c freeswan-1.91/pluto/demux.c --- freeswan-1.91-orig/pluto/demux.c Sat Jun 16 09:31:40 2001 +++ freeswan-1.91/pluto/demux.c Thu Aug 2 11:11:39 2001 @@ -806,8 +806,11 @@ { /* XXX we should handle this, whatever it means */ log("IKE message has the Commit Flag set but Pluto doesn't implement this feature"); +/* WIN2K sets this.. just ignore it */ +#if 0 free_md(&md); return; +#endif } switch (md.hdr.isa_xchg) diff -u --recursive freeswan-1.91-orig/pluto/spdb.c freeswan-1.91/pluto/spdb.c --- freeswan-1.91-orig/pluto/spdb.c Mon Apr 9 12:48:43 2001 +++ freeswan-1.91/pluto/spdb.c Thu Aug 2 11:23:16 2001 
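Review bot: In pluto/demux.c (hunk @@ -806) the drop of messages carrying the Commit flag is disabled with `#if 0`, unconditionally and independently of `USE_SINGLE_DES`, so every build now continues processing such messages. The `log(...)` call above it still runs for each one and still says the feature is not implemented, which misstates what happens and adds a log line per message from any peer that sets the flag. Either delete the dead `free_md(&md); return;` lines and reword the message to say the flag is ignored, or keep the drop as the default and make the lenient behaviour an explicit option. The comment `/* WIN2K sets this.. just ignore it */` should state that Pluto proceeds without honouring the Commit semantics. The enclosing function is outside the hunk.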
@@ -74,6 +74,65 @@ { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, }; +#ifdef USE_SINGLE_DES +static struct db_attr otpsk768des3md5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otpsk768des3sha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otpsk768desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otpsk1024desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 }, + }; + +static struct db_attr otpsk1536desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, + }; + +static struct db_attr otpsk768dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otpsk1024dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 }, + }; + +static struct db_attr otpsk1536dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { 
OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, + }; + +#endif /* USE_SINGLE_DES */ + /* arrays of attributes for transforms, RSA signatures */ static struct db_attr otrsasig1024des3md5[] = { 
@@ -104,6 +163,65 @@ { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, }; +#ifdef USE_SINGLE_DES +static struct db_attr otrsasig768desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otrsasig1024desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 }, + }; + +static struct db_attr otrsasig1536desmd5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, + }; + +static struct db_attr otrsasig768dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otrsasig1024dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 }, + }; + +static struct db_attr otrsasig1536dessha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 }, + }; + +static struct db_attr otrsasig768des3md5[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC }, + { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +static struct db_attr otrsasig768des3sha[] = { + { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC }, + { 
OAKLEY_HASH_ALGORITHM, OAKLEY_SHA }, + { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG }, + { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP768 }, + }; + +#endif /* USE_SINGLE_DES */ + /* We won't accept this, but by proposing it, we get to test * our rejection. We better not propose it to an IKE daemon * that will accept it! @@ -127,6 +245,16 @@ { KEY_IKE, AD(otpsk1024des3md5) }, { KEY_IKE, AD(otpsk1536des3md5) }, { KEY_IKE, AD(otpsk1536des3sha) }, +#ifdef USE_SINGLE_DES + { KEY_IKE, AD(otpsk768des3md5) }, + { KEY_IKE, AD(otpsk768des3sha) }, + { KEY_IKE, AD(otpsk1536desmd5) }, + { KEY_IKE, AD(otpsk1024desmd5) }, + { KEY_IKE, AD(otpsk768desmd5) }, + { KEY_IKE, AD(otpsk1536dessha) }, + { KEY_IKE, AD(otpsk1024dessha) }, + { KEY_IKE, AD(otpsk768dessha) }, +#endif /* USE_SINGLE_DES */ }; static struct db_trans oakley_trans_rsasig[] = { @@ -134,6 +262,16 @@ { KEY_IKE, AD(otrsasig1024des3md5) }, { KEY_IKE, AD(otrsasig1536des3md5) }, { KEY_IKE, AD(otrsasig1536des3sha) }, +#ifdef USE_SINGLE_DES + { KEY_IKE, AD(otrsasig768des3md5) }, + { KEY_IKE, AD(otrsasig768des3sha) }, + { KEY_IKE, AD(otrsasig1536desmd5) }, + { KEY_IKE, AD(otrsasig1024desmd5) }, + { KEY_IKE, AD(otrsasig768desmd5) }, + { KEY_IKE, AD(otrsasig1536dessha) }, + { KEY_IKE, AD(otrsasig1024dessha) }, + { KEY_IKE, AD(otrsasig768dessha) }, +#endif /* USE_SINGLE_DES */ }; /* In this table, either PSK or RSA sig is accepted. 
@@ -151,6 +289,24 @@ { KEY_IKE, AD(otpsk1536des3md5) }, { KEY_IKE, AD(otrsasig1536des3sha) }, { KEY_IKE, AD(otpsk1536des3sha) }, +#ifdef USE_SINGLE_DES + { KEY_IKE, AD(otrsasig768des3sha) }, + { KEY_IKE, AD(otpsk768des3sha) }, + { KEY_IKE, AD(otrsasig768des3md5) }, + { KEY_IKE, AD(otpsk768des3md5) }, + { KEY_IKE, AD(otrsasig1536dessha) }, + { KEY_IKE, AD(otpsk1536dessha) }, + { KEY_IKE, AD(otrsasig1536desmd5) }, + { KEY_IKE, AD(otpsk1536desmd5) }, + { KEY_IKE, AD(otrsasig1024dessha) }, + { KEY_IKE, AD(otpsk1024dessha) }, + { KEY_IKE, AD(otrsasig1024desmd5) }, + { KEY_IKE, AD(otpsk1024desmd5) }, + { KEY_IKE, AD(otrsasig768dessha) }, + { KEY_IKE, AD(otpsk768dessha) }, + { KEY_IKE, AD(otrsasig768desmd5) }, + { KEY_IKE, AD(otpsk768desmd5) }, +#endif }; /* array of proposals to be conjoined (can only be one for Oakley) */ @@ -205,10 +361,17 @@ static struct db_trans espa_trans[] = { { ESP_3DES, AD(espmd5_attr) }, { ESP_3DES, AD(espsha1_attr) }, +#ifdef USE_SINGLE_DES + { ESP_DES, AD(espmd5_attr) }, + { ESP_DES, AD(espsha1_attr) }, +#endif }; static struct db_trans esp_trans[] = { { ESP_3DES, AD_NULL }, +#ifdef USE_SINGLE_DES + { ESP_DES, AD_NULL }, +#endif }; #ifdef SUPPORT_ESP_NULL @@ -859,9 +1022,13 @@ case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV: switch (val) { +#ifdef USE_SINGLE_DES + case OAKLEY_DES_CBC: +#else #if 0 /* we don't feel DES is safe */ case OAKLEY_DES_CBC: #endif +#endif case OAKLEY_3DES_CBC: ta.encrypt = val; ta.encrypter = &oakley_encrypter[val]; @@ -955,7 +1122,7 @@ ta.group = lookup_group(val); if (ta.group == NULL) { - ugh = "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported"; + ugh = "only OAKLEY_GROUP_MODP768, OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported"; break; } break; 
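Review bot: With the change in hunk @@ -859, a responder built with `USE_SINGLE_DES` accepts `OAKLEY_DES_CBC` from any peer, and hunk @@ -1802 does the same for `ESP_DES`; nothing visible ties acceptance to a per-connection policy. Consider requiring an explicit per-connection setting before these cases match, and logging when a DES transform is selected so its use can be audited. As in crypto.c, `#ifdef USE_SINGLE_DES … #else #if 0 … #endif #endif` can be reduced to a single `#ifdef` around the `case` label with the safety comment kept above it. The switch and its function extend beyond the hunk.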
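Review bot: The error string in hunk @@ -955 now lists `OAKLEY_GROUP_MODP768` as supported regardless of `USE_SINGLE_DES`, although crypto.c only registers that group when the macro is defined; the PFS message in @@ -1313 has the same problem. In a build without the macro the message would name a group that `lookup_group` rejects. Select the string with the same `#ifdef USE_SINGLE_DES` used for the group table and keep the original text in the `#else` branch.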
@@ -1313,7 +1480,7 @@ pfs_group = lookup_group(val); if (pfs_group == NULL) { - loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS"); + loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP768, OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS"); return FALSE; } break; @@ -1802,9 +1969,13 @@ switch (esp_attrs.transid) { +#ifdef USE_SINGLE_DES + case ESP_DES: +#else #if 0 /* we don't feel single DES is safe */ case ESP_DES: #endif +#endif /* ifdef USE_SINGLE_DES */ case ESP_3DES: break;