Modular ALGO support version 0.7.2b

Tested with 2.4.18, freeswan-1.96 (AES, Cast, Twofish, Serpent, Blowfish)
(alternative) x509 pluto patch working ok.

*** PLEASE read CHANGES.ipsec_ext file for updates ***

Available from:
  http://www.irrigacion.gov.ar/juanjo/ipsec/
  http://www.osep.mendoza.gov.ar/juanjo/ipsec/

READMe-ipsec_ext.txt
--Juanjo 7/03/02
====================
Linux IP Aliasing creator, IPMASQ 2.2 Maintainer

* Highlights
- _working_ modular ESP ciphers and authenticators patch (generic KLIPS hooks)
- _working_ AES, Serpent, Twofish, Blowfish, CAST (and 3DES) implementations
- _working_ SHA2, RIPEMD, SHA1, MD5 and (experimental) XCBC_MAC_AES
- x509 coexistence (alternative pluto patch)
- interop: patched/stock freeswan, OpenBSD 3.0 and SSH Sentinel
  * PLEASE READ AHEAD (TABLE) *
- timing tests:
    modprobe ipsec_aes test=1; dmesg | tail -10
    modprobe ipsec_3des test=1; dmesg | tail -10
- pluto patch to:
  . get informed of new runtime algos available (from kernel SADB_REGISTER)
  . create proposals from esp= config parameters (eg: esp=aes,3des )
    ANDed with kernel algos actually present.
  . show status about algos (ipsec auto --status | egrep ESP)

* KLIPS Changes:
- generalized algo hook for ESP encrypt and auth
- ipsec_ext object linked (pointed) from ipsec_sa
- truly non-invasive patch
- generic ESP algo [un]registration that dispatches SADB_REGISTER msg
  with new algos info, which is fully parsed by patched pluto.
- loaded modules will "override" stock ones (get linked and called first)
- actual WORKING implemented algos:
  AES,Twofish,Serpent,Blowfish,CAST,3DES ; SHA2, SHA1, MD5, RIPEMD, XCBC_MAC_AES

************************************************************************
Interop TESTS (besides self-to-self)
  FSW  : stock freeswan 1.96
  OBSD : OpenBSD 3.0
  SSHs : SSH Sentinel 1.2.0.16

-------------- ----------------------------------------------------------------
ESP auth algos:
_Algorithm     x86-asm  module-name     dotconf          interop tests
SHA2_256       n        ipsec_sha2      esp=-sha2_256    -
SHA2_512       n        ipsec_sha2      esp=-sha2_512    -
SHA1           y        ipsec_sha1      esp=-sha1        FSW, OBSD, SSHs
MD5            y        ipsec_md5       esp=-md5         FSW, OBSD, SSHs
RIPEMD         y        ipsec_ripemd    esp=-ripemd      FSW, OBSD (*1)
XCBC_MAC_AES   y        ipsec_aes       esp=-id9         - (*2)
--------------
ESP enc algos:
_Algorithm     x86-asm  module-name     dotconf          interop tests
AES            y        ipsec_aes       esp=aes          OBSD, SSHs (*3)(*4)
AES(-opt)      y        ipsec_aes-opt   esp=aes          OBSD, SSHs (*3)(*4)
3DES           y        ipsec_3des      esp=3des         FSW, OBSD, SSHs
SERPENT        n        ipsec_serpent   esp=serpent      -
NULL           -        ipsec_null      esp=null         -
BLOWFISH       y        ipsec_blowfish  esp=blowfish     OBSD, SSHs (*3)(*5)
CAST           y        ipsec_cast      esp=cast         OBSD, SSHs (*3)
TWOFISH        n        ipsec_twofish   esp=twofish      SSHs
-------------- ----------------------------------------------------------------

x86-asm : if arch==i586/i686 it uses optimized assembler;
          you can disable with env NO_ASM=1 make ...

(*1) only with OBSD as initiator, fails if passive
(*2) experimental (draft-ietf-ipsec-ciph-aes-xcbc-mac-00.txt), working Ok
     enable with: "modprobe ipsec_aes auth_id=" and n<=8, I privately
     test with n=9, and put "esp=aes-id9" in dotconf.
(*3) only with SSHs as responder because SSHs makes a proposal with
     OAKLEY_ENCRYPTION_ALGORITHM=65289.
     SOLUTION: apply extras/patch-ssh-sentinel-IKE.diff to allow SSHs
     originated SAs (it just makes pluto know about 65289); of course,
     it will still negotiate OAKLEY_3DES_CBC.
(*4) for SSHs: specify "esp=aes128" in dotconf
(*5) for OBSD: specify "esp=blowfish128" in dotconf

_Algorithm sources taken from_:
  OpenSSL            : sha1, md5, ripemd, blowfish, cast
  Brian Gladman      : aes
  Crypto-API         : twofish, serpent
  FreeSWAN           : 3des
  Jari Ruusu         : aes (gnu asm), sha2
  Nigel Metheringham : aes-opt (asm) at libaes.sourceforge.net

************************************************************************
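
Added example, not part of the original README or of the pluto patch: a small Python model of the "esp= ANDed with kernel algos actually present" step, using the dotconf and module names from the tables above. The item grammar (comma-separated enc[bits][-auth]), the stock set (3des, md5, sha1) and all function names are assumptions; the experimental id9 authenticator is not modelled.

```python
import re

# dotconf name -> module(s) providing it, copied from the README tables.
ENC = {"aes": ("ipsec_aes", "ipsec_aes-opt"), "3des": ("ipsec_3des",),
       "serpent": ("ipsec_serpent",), "null": ("ipsec_null",),
       "blowfish": ("ipsec_blowfish",), "cast": ("ipsec_cast",),
       "twofish": ("ipsec_twofish",)}
AUTH = {"sha2_256": ("ipsec_sha2",), "sha2_512": ("ipsec_sha2",),
        "sha1": ("ipsec_sha1",), "md5": ("ipsec_md5",),
        "ripemd": ("ipsec_ripemd",)}
# Assumption: stock KLIPS provides these with no extra module loaded.
STOCK = {"3des", "md5", "sha1"}

def loaded_modules(lsmod_text):
    """Return the ipsec_* module names listed in lsmod output."""
    names = (line.split()[0] for line in lsmod_text.splitlines() if line.strip())
    return {n for n in names if n.startswith("ipsec_")}

def parse_item(item):
    """Split one esp= item into (enc, keybits, auth); absent parts are None.
    Assumed grammar, inferred from the README's examples: enc[bits][-auth]."""
    enc_part, _, auth = item.strip().partition("-")
    m = re.fullmatch(r"(3des|[a-z]+)(\d+)?", enc_part)
    enc, bits = (m.group(1), m.group(2)) if m else (enc_part or None, None)
    return enc, int(bits) if bits else None, auth or None

def present(name, table, loaded):
    """True if the name is known and is stock or has a providing module loaded."""
    return name in table and (name in STOCK or any(m in loaded for m in table[name]))

def effective_esp(esp_value, loaded):
    """AND the configured items with kernel algos present: (kept, dropped)."""
    kept, dropped = [], []
    for item in filter(None, (i.strip() for i in esp_value.split(","))):
        enc, _bits, auth = parse_item(item)
        ok = ((enc is None or present(enc, ENC, loaded)) and
              (auth is None or present(auth, AUTH, loaded)))
        (kept if ok else dropped).append(item)
    return kept, dropped

# Constructed lsmod output: only the SHA2 and Twofish modules are loaded.
SAMPLE_LSMOD = """Module                  Size  Used by
ipsec_sha2              9120   0
ipsec_twofish          38240   0
"""

if __name__ == "__main__":
    print(effective_esp("aes128-sha1,twofish-sha2_256,3des", loaded_modules(SAMPLE_LSMOD)))
```

With the sample input the aes128-sha1 item is dropped because no AES module is loaded, so the offer shrinks without any configuration change. On a running gateway, confirm the real result with "ipsec auto --status | egrep ESP".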