File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon / algorithm.c
Revision 1.1.1.1 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Tue Feb 21 22:39:10 2012 UTC (12 years, 10 months ago) by misho
Branches: ipsec-tools, MAIN
CVS tags: v0_8_2p2, v0_8_1p0, v0_8_1, v0_8_0p0, v0_8_0, HEAD
ipsec-tools

/*	$NetBSD: algorithm.c,v 1.8 2006/10/06 12:02:27 manu Exp $	*/

/* Id: algorithm.c,v 1.15 2006/05/23 20:23:09 manubsd Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "config.h"

#include <sys/param.h>
#include <sys/types.h>
#include <stdlib.h>

#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "debug.h"

#include "crypto_openssl.h"
#include "dhgroup.h"
#include "algorithm.h"
#include "oakley.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
#include "gcmalloc.h"

static struct hash_algorithm oakley_hashdef[] = {
{ "md5",	algtype_md5,		OAKLEY_ATTR_HASH_ALG_MD5,
		eay_md5_init,		eay_md5_update,
		eay_md5_final,		eay_md5_hashlen,
		eay_md5_one, },
{ "sha1",	algtype_sha1,		OAKLEY_ATTR_HASH_ALG_SHA,
		eay_sha1_init,		eay_sha1_update,
		eay_sha1_final,		eay_sha1_hashlen,
		eay_sha1_one, },
#ifdef WITH_SHA2
{ "sha2_256",	algtype_sha2_256,	OAKLEY_ATTR_HASH_ALG_SHA2_256,
		eay_sha2_256_init,	eay_sha2_256_update,
		eay_sha2_256_final,	eay_sha2_256_hashlen,
		eay_sha2_256_one, },
{ "sha2_384",	algtype_sha2_384,	OAKLEY_ATTR_HASH_ALG_SHA2_384,
		eay_sha2_384_init,	eay_sha2_384_update,
		eay_sha2_384_final,	eay_sha2_384_hashlen,
		eay_sha2_384_one, },
{ "sha2_512",	algtype_sha2_512,	OAKLEY_ATTR_HASH_ALG_SHA2_512,
		eay_sha2_512_init,	eay_sha2_512_update,
		eay_sha2_512_final,	eay_sha2_512_hashlen,
		eay_sha2_512_one, },
#endif
};

static struct hmac_algorithm oakley_hmacdef[] = {
{ "hmac_md5",	algtype_md5,		OAKLEY_ATTR_HASH_ALG_MD5,
		eay_hmacmd5_init,	eay_hmacmd5_update,
		eay_hmacmd5_final,	NULL,
		eay_hmacmd5_one, },
{ "hmac_sha1",	algtype_sha1,		OAKLEY_ATTR_HASH_ALG_SHA,
		eay_hmacsha1_init,	eay_hmacsha1_update,
		eay_hmacsha1_final,	NULL,
		eay_hmacsha1_one, },
#ifdef WITH_SHA2
{ "hmac_sha2_256",	algtype_sha2_256,	OAKLEY_ATTR_HASH_ALG_SHA2_256,
		eay_hmacsha2_256_init,	eay_hmacsha2_256_update,
		eay_hmacsha2_256_final,	NULL,
		eay_hmacsha2_256_one, },
{ "hmac_sha2_384",	algtype_sha2_384,	OAKLEY_ATTR_HASH_ALG_SHA2_384,
		eay_hmacsha2_384_init,	eay_hmacsha2_384_update,
		eay_hmacsha2_384_final,	NULL,
		eay_hmacsha2_384_one, },
{ "hmac_sha2_512",	algtype_sha2_512,	OAKLEY_ATTR_HASH_ALG_SHA2_512,
		eay_hmacsha2_512_init,	eay_hmacsha2_512_update,
		eay_hmacsha2_512_final,	NULL,
		eay_hmacsha2_512_one, },
#endif
};

static struct enc_algorithm oakley_encdef[] = {
{ "des",	algtype_des,		OAKLEY_ATTR_ENC_ALG_DES,	8,
		eay_des_encrypt,	eay_des_decrypt,
		eay_des_weakkey,	eay_des_keylen, },
#ifdef HAVE_OPENSSL_IDEA_H
{ "idea",	algtype_idea,		OAKLEY_ATTR_ENC_ALG_IDEA,	8,
		eay_idea_encrypt,	eay_idea_decrypt,
		eay_idea_weakkey,	eay_idea_keylen, },
#endif
{ "blowfish",	algtype_blowfish,	OAKLEY_ATTR_ENC_ALG_BLOWFISH,	8,
		eay_bf_encrypt,		eay_bf_decrypt,
		eay_bf_weakkey,		eay_bf_keylen, },
#ifdef HAVE_OPENSSL_RC5_H
{ "rc5",	algtype_rc5,		OAKLEY_ATTR_ENC_ALG_RC5,	8,
		eay_rc5_encrypt,	eay_rc5_decrypt,
		eay_rc5_weakkey,	eay_rc5_keylen, },
#endif
{ "3des",	algtype_3des,		OAKLEY_ATTR_ENC_ALG_3DES,	8,
		eay_3des_encrypt,	eay_3des_decrypt,
		eay_3des_weakkey,	eay_3des_keylen, },
{ "cast",	algtype_cast128,	OAKLEY_ATTR_ENC_ALG_CAST,	8,
		eay_cast_encrypt,	eay_cast_decrypt,
		eay_cast_weakkey,	eay_cast_keylen, },
{ "aes",	algtype_aes,	OAKLEY_ATTR_ENC_ALG_AES,	16,
		eay_aes_encrypt,	eay_aes_decrypt,
		eay_aes_weakkey,	eay_aes_keylen, },
#ifdef HAVE_OPENSSL_CAMELLIA_H
{ "camellia",	algtype_camellia,	OAKLEY_ATTR_ENC_ALG_CAMELLIA,	16,
		eay_camellia_encrypt,	eay_camellia_decrypt,
		eay_camellia_weakkey,	eay_camellia_keylen, },
#endif
};

static struct enc_algorithm ipsec_encdef[] = {
{ "des-iv64",	algtype_des_iv64,	IPSECDOI_ESP_DES_IV64,		8,
		NULL,			NULL,
		NULL,			eay_des_keylen, },
{ "des",	algtype_des,		IPSECDOI_ESP_DES,		8,
		NULL,			NULL,
		NULL,			eay_des_keylen, },
{ "3des",	algtype_3des,		IPSECDOI_ESP_3DES,		8,
		NULL,			NULL,
		NULL,			eay_3des_keylen, },
#ifdef HAVE_OPENSSL_RC5_H
{ "rc5",	algtype_rc5,		IPSECDOI_ESP_RC5,		8,
		NULL,			NULL,
		NULL,			eay_rc5_keylen, },
#endif
{ "cast",	algtype_cast128,	IPSECDOI_ESP_CAST,		8,
		NULL,			NULL,
		NULL,			eay_cast_keylen, },
{ "blowfish",	algtype_blowfish,	IPSECDOI_ESP_BLOWFISH,		8,
		NULL,			NULL,
		NULL,			eay_bf_keylen, },
{ "des-iv32",	algtype_des_iv32,	IPSECDOI_ESP_DES_IV32,		8,
		NULL,			NULL,
		NULL,			eay_des_keylen, },
{ "null",	algtype_null_enc,	IPSECDOI_ESP_NULL,		8,
		NULL,			NULL,
		NULL,			eay_null_keylen, },
{ "aes",	algtype_aes,		IPSECDOI_ESP_AES,		16,
		NULL,			NULL,
		NULL,			eay_aes_keylen, },
{ "twofish",	algtype_twofish,	IPSECDOI_ESP_TWOFISH,		16,
		NULL,			NULL,
		NULL,			eay_twofish_keylen, },
#ifdef HAVE_OPENSSL_IDEA_H
{ "3idea",	algtype_3idea,		IPSECDOI_ESP_3IDEA,		8,
		NULL,			NULL,
		NULL,			NULL, },
{ "idea",	algtype_idea,		IPSECDOI_ESP_IDEA,		8,
		NULL,			NULL,
		NULL,			NULL, },
#endif
{ "rc4",	algtype_rc4,		IPSECDOI_ESP_RC4,		8,
		NULL,			NULL,
		NULL,			NULL, },
#ifdef HAVE_OPENSSL_CAMELLIA_H
{ "camellia",	algtype_camellia,	IPSECDOI_ESP_CAMELLIA,		16,
		NULL,			NULL,
		NULL,			eay_camellia_keylen, },
#endif
};

static struct hmac_algorithm ipsec_hmacdef[] = {
{ "md5",	algtype_hmac_md5,	IPSECDOI_ATTR_AUTH_HMAC_MD5,
		NULL,			NULL,
		NULL,			eay_md5_hashlen,
		NULL, },
{ "sha1",	algtype_hmac_sha1,	IPSECDOI_ATTR_AUTH_HMAC_SHA1,
		NULL,			NULL,
		NULL,			eay_sha1_hashlen,
		NULL, },
{ "kpdk",	algtype_kpdk,		IPSECDOI_ATTR_AUTH_KPDK,
		NULL,			NULL,
		NULL,			eay_kpdk_hashlen,
		NULL, },
{ "null",	algtype_non_auth,	IPSECDOI_ATTR_AUTH_NONE,
		NULL,			NULL,
		NULL,			eay_null_hashlen,
		NULL, },
#ifdef WITH_SHA2
{ "hmac_sha2_256",	algtype_hmac_sha2_256,IPSECDOI_ATTR_AUTH_HMAC_SHA2_256,
		NULL,			NULL,
		NULL,			eay_sha2_256_hashlen,
		NULL, },
{ "hmac_sha2_384",	algtype_hmac_sha2_384,IPSECDOI_ATTR_AUTH_HMAC_SHA2_384,
		NULL,			NULL,
		NULL,			eay_sha2_384_hashlen,
		NULL, },
{ "hmac_sha2_512",	algtype_hmac_sha2_512,IPSECDOI_ATTR_AUTH_HMAC_SHA2_512,
		NULL,			NULL,
		NULL,			eay_sha2_512_hashlen,
		NULL, },
#endif
};

static struct misc_algorithm ipsec_compdef[] = {
{ "oui",	algtype_oui,		IPSECDOI_IPCOMP_OUI, },
{ "deflate",	algtype_deflate,	IPSECDOI_IPCOMP_DEFLATE, },
{ "lzs",	algtype_lzs,		IPSECDOI_IPCOMP_LZS, },
};

/*
 * In case of asymetric modes (hybrid xauth), what's racoon mode of
 * operations ; it seems that the proposal should always use the
 * initiator half (unless a server initiates a connection, which is
 * not handled, and probably not useful).
 */
static struct misc_algorithm oakley_authdef[] = {
{ "pre_shared_key",	algtype_psk,	OAKLEY_ATTR_AUTH_METHOD_PSKEY, },
{ "dsssig",		algtype_dsssig,	OAKLEY_ATTR_AUTH_METHOD_DSSSIG, },
{ "rsasig",		algtype_rsasig,	OAKLEY_ATTR_AUTH_METHOD_RSASIG, },
{ "rsaenc",		algtype_rsaenc,	OAKLEY_ATTR_AUTH_METHOD_RSAENC, },
{ "rsarev",		algtype_rsarev,	OAKLEY_ATTR_AUTH_METHOD_RSAREV, },

{ "gssapi_krb",		algtype_gssapikrb,
    OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, },

#ifdef ENABLE_HYBRID
{ "hybrid_rsa_server",	algtype_hybrid_rsa_s,	
    OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R, },

{ "hybrid_dss_server",	algtype_hybrid_dss_s,	
    OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R, },

{ "xauth_psk_server", 	algtype_xauth_psk_s,	
    OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R, },

{ "xauth_rsa_server", 	algtype_xauth_rsa_s,	
    OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R, },

{ "hybrid_rsa_client",	algtype_hybrid_rsa_c,	
    OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I, },

{ "hybrid_dss_client",	algtype_hybrid_dss_c,	
    OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I, },

{ "xauth_psk_client",	algtype_xauth_psk_c,	
    OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I, },

{ "xauth_rsa_client",	algtype_xauth_rsa_c,	
    OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I, },
#endif
};

static struct dh_algorithm oakley_dhdef[] = {
{ "modp768",	algtype_modp768,	OAKLEY_ATTR_GRP_DESC_MODP768,
		&dh_modp768, },
{ "modp1024",	algtype_modp1024,	OAKLEY_ATTR_GRP_DESC_MODP1024,
		&dh_modp1024, },
{ "modp1536",	algtype_modp1536,	OAKLEY_ATTR_GRP_DESC_MODP1536,
		&dh_modp1536, },
{ "modp2048",	algtype_modp2048,	OAKLEY_ATTR_GRP_DESC_MODP2048,
		&dh_modp2048, },
{ "modp3072",	algtype_modp3072,	OAKLEY_ATTR_GRP_DESC_MODP3072,
		&dh_modp3072, },
{ "modp4096",	algtype_modp4096,	OAKLEY_ATTR_GRP_DESC_MODP4096,
		&dh_modp4096, },
{ "modp6144",	algtype_modp6144,	OAKLEY_ATTR_GRP_DESC_MODP6144,
		&dh_modp6144, },
{ "modp8192",	algtype_modp8192,	OAKLEY_ATTR_GRP_DESC_MODP8192,
		&dh_modp8192, },
};

static struct hash_algorithm *alg_oakley_hashdef __P((int));
static struct hmac_algorithm *alg_oakley_hmacdef __P((int));
static struct enc_algorithm *alg_oakley_encdef __P((int));
static struct enc_algorithm *alg_ipsec_encdef __P((int));
static struct hmac_algorithm *alg_ipsec_hmacdef __P((int));
static struct dh_algorithm *alg_oakley_dhdef __P((int));

/* oakley hash algorithm */
static struct hash_algorithm *
alg_oakley_hashdef(doi)
	int doi;
{
	int i;

	for (i = 0; i < ARRAYLEN(oakley_hashdef); i++)
		if (doi == oakley_hashdef[i].doi) {
			plog(LLV_DEBUG, LOCATION, NULL, "hash(%s)\n",
				oakley_hashdef[i].name);
			return &oakley_hashdef[i];
		}
	return NULL;
}

int
alg_oakley_hashdef_ok(doi)
	int doi;
{
	struct hash_algorithm *f;

	f = alg_oakley_hashdef(doi);
	if (f == NULL)
		return 0;

	return 1;
}

int
alg_oakley_hashdef_doi(type)
	int type;
{
	int i, res = -1;

	for (i = 0; i < ARRAYLEN(oakley_hashdef); i++)
		if (type == oakley_hashdef[i].type) {
			res = oakley_hashdef[i].doi;
			break;
		}
	return res;
}

int
alg_oakley_hashdef_hashlen(doi)
	int doi;
{
	struct hash_algorithm *f;

	f = alg_oakley_hashdef(doi);
	if (f == NULL || f->hashlen == NULL)
		return 0;

	return (f->hashlen)();
}

const char *
alg_oakley_hashdef_name (doi)
	int doi;
{
	struct hash_algorithm *f;

	f = alg_oakley_hashdef(doi);
	if (f == NULL)
		return "*UNKNOWN*";

	return f->name;
}

vchar_t *
alg_oakley_hashdef_one(doi, buf)
	int doi;
	vchar_t *buf;
{
	struct hash_algorithm *f;

	f = alg_oakley_hashdef(doi);
	if (f == NULL || f->hashlen == NULL)
		return NULL;

	return (f->one)(buf);
}

/* oakley hmac algorithm */
static struct hmac_algorithm *
alg_oakley_hmacdef(doi)
	int doi;
{
	int i;

	for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++)
		if (doi == oakley_hmacdef[i].doi) {
			plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
				oakley_hmacdef[i].name);
			return &oakley_hmacdef[i];
		}
	return NULL;
}

int
alg_oakley_hmacdef_doi(type)
	int type;
{
	int i, res = -1;

	for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++)
		if (type == oakley_hmacdef[i].type) {
			res = oakley_hmacdef[i].doi;
			break;
		}
	return res;
}

vchar_t *
alg_oakley_hmacdef_one(doi, key, buf)
	int doi;
	vchar_t *key, *buf;
{
	struct hmac_algorithm *f;
	vchar_t *res;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	f = alg_oakley_hmacdef(doi);
	if (f == NULL || f->one == NULL)
		return NULL;

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif

	res = (f->one)(key, buf);

#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s size=%zu): %8.6f", __func__,
		f->name, buf->l, timedelta(&start, &end));
#endif

	return res;
}

/* oakley encryption algorithm */
static struct enc_algorithm *
alg_oakley_encdef(doi)
	int doi;
{
	int i;

	for (i = 0; i < ARRAYLEN(oakley_encdef); i++)
		if (doi == oakley_encdef[i].doi) {
			plog(LLV_DEBUG, LOCATION, NULL, "encryption(%s)\n",
				oakley_encdef[i].name);
			return &oakley_encdef[i];
		}
	return NULL;
}

int
alg_oakley_encdef_ok(doi)
	int doi;
{
	struct enc_algorithm *f;

	f = alg_oakley_encdef(doi);
	if (f == NULL)
		return 0;

	return 1;
}

int
alg_oakley_encdef_doi(type)
	int type;
{
	int i, res = -1;

	for (i = 0; i < ARRAYLEN(oakley_encdef); i++)
		if (type == oakley_encdef[i].type) {
			res = oakley_encdef[i].doi;
			break;
		}
	return res;
}

int
alg_oakley_encdef_keylen(doi, len)
	int doi, len;
{
	struct enc_algorithm *f;

	f = alg_oakley_encdef(doi);
	if (f == NULL || f->keylen == NULL)
		return -1;

	return (f->keylen)(len);
}

int
alg_oakley_encdef_blocklen(doi)
	int doi;
{
	struct enc_algorithm *f;

	f = alg_oakley_encdef(doi);
	if (f == NULL)
		return -1;

	return f->blocklen;
}

const char *
alg_oakley_encdef_name (doi)
	int doi;
{
	struct enc_algorithm *f;

	f = alg_oakley_encdef(doi);
	if (f == NULL)
		return "*UNKNOWN*";

	return f->name;
}

vchar_t *
alg_oakley_encdef_decrypt(doi, buf, key, iv)
	int doi;
	vchar_t *buf, *key, *iv;
{
	vchar_t *res;
	struct enc_algorithm *f;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	f = alg_oakley_encdef(doi);
	if (f == NULL || f->decrypt == NULL)
		return NULL;

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif

	res = (f->decrypt)(buf, key, iv);

#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__,
		f->name, key->l << 3, buf->l, timedelta(&start, &end));
#endif
	return res;
}

vchar_t *
alg_oakley_encdef_encrypt(doi, buf, key, iv)
	int doi;
	vchar_t *buf, *key, *iv;
{
	vchar_t *res;
	struct enc_algorithm *f;
#ifdef ENABLE_STATS
	struct timeval start, end;
#endif

	f = alg_oakley_encdef(doi);
	if (f == NULL || f->encrypt == NULL)
		return NULL;

#ifdef ENABLE_STATS
	gettimeofday(&start, NULL);
#endif

	res = (f->encrypt)(buf, key, iv);

#ifdef ENABLE_STATS
	gettimeofday(&end, NULL);
	syslog(LOG_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__,
		f->name, key->l << 3, buf->l, timedelta(&start, &end));
#endif
	return res;
}

/* ipsec encryption algorithm */
static struct enc_algorithm *
alg_ipsec_encdef(doi)
	int doi;
{
	int i;

	for (i = 0; i < ARRAYLEN(ipsec_encdef); i++)
		if (doi == ipsec_encdef[i].doi) {
			plog(LLV_DEBUG, LOCATION, NULL, "encryption(%s)\n",
				ipsec_encdef[i].name);
			return &ipsec_encdef[i];
		}
	return NULL;
}

int
alg_ipsec_encdef_doi(type)
	int type;
{
	int i, res = -1;

	for (i = 0; i < ARRAYLEN(ipsec_encdef); i++)
		if (type == ipsec_encdef[i].type) {
			res = ipsec_encdef[i].doi;
			break;
		}
	return res;
}

int
alg_ipsec_encdef_keylen(doi, len)
	int doi, len;
{
	struct enc_algorithm *f;

	f = alg_ipsec_encdef(doi);
	if (f == NULL || f->keylen == NULL)
		return -1;

	return (f->keylen)(len);
}

/* ipsec hmac algorithm */
static struct hmac_algorithm *
alg_ipsec_hmacdef(doi)
	int doi;
{
	int i;

	for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++)
		if (doi == ipsec_hmacdef[i].doi) {
			plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
				ipsec_hmacdef[i].name);
			return &ipsec_hmacdef[i];
		}
	return NULL;
}

int
alg_ipsec_hmacdef_doi(type)
	int type;
{
	int i, res = -1;

	for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++)
		if (type == ipsec_hmacdef[i].type) {
			res = ipsec_hmacdef[i].doi;
			break;
		}
	return res;
}

int
alg_ipsec_hmacdef_hashlen(doi)
	int doi;
{
	struct hmac_algorithm *f;

	f = alg_ipsec_hmacdef(doi);
	if (f == NULL || f->hashlen == NULL)
		return -1;

	return (f->hashlen)();
}

/* ip compression */
int
alg_ipsec_compdef_doi(type)
	int type;
{
	int i, res = -1;

	for (i = 0; i < ARRAYLEN(ipsec_compdef); i++)
		if (type == ipsec_compdef[i].type) {
			res = ipsec_compdef[i].doi;
			break;
		}
	return res;
}

/* dh algorithm */
static struct dh_algorithm *
alg_oakley_dhdef(doi)
	int doi;
{
	int i;

	for (i = 0; i < ARRAYLEN(oakley_dhdef); i++)
		if (doi == oakley_dhdef[i].doi) {
			plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
				oakley_dhdef[i].name);
			return &oakley_dhdef[i];
		}
	return NULL;
}

int
alg_oakley_dhdef_ok(doi)
	int doi;
{
	struct dh_algorithm *f;

	f = alg_oakley_dhdef(doi);
	if (f == NULL)
		return 0;

	return 1;
}

int
alg_oakley_dhdef_doi(type)
	int type;
{
	int i, res = -1;

	for (i = 0; i < ARRAYLEN(oakley_dhdef); i++)
		if (type == oakley_dhdef[i].type) {
			res = oakley_dhdef[i].doi;
			break;
		}
	return res;
}

struct dhgroup *
alg_oakley_dhdef_group(doi)
	int doi;
{
	struct dh_algorithm *f;

	f = alg_oakley_dhdef(doi);
	if (f == NULL || f->dhgroup == NULL)
		return NULL;

	return f->dhgroup;
}

const char *
alg_oakley_dhdef_name (doi)
	int doi;
{
	struct dh_algorithm *f;
	
	f = alg_oakley_dhdef(doi);
	if (f == NULL)
		return "*UNKNOWN*";
	return f->name;
}

/* authentication method */
int
alg_oakley_authdef_doi(type)
	int type;
{
	int i, res = -1;

	for (i = 0; i < ARRAYLEN(oakley_authdef); i++)
		if (type == oakley_authdef[i].type) {
			res = oakley_authdef[i].doi;
			break;
		}
	return res;
}

const char *
alg_oakley_authdef_name (doi)
	int doi;
{
	int i;

	for (i = 0; i < ARRAYLEN(oakley_authdef); i++)
		if (doi == oakley_authdef[i].doi) {
			return oakley_authdef[i].name;
		}
	return "*UNKNOWN*";
}

/*
 * give the default key length
 * OUT:	-1:		NG
 *	0:		fixed key cipher, key length not allowed
 *	positive:	default key length
 */
int
default_keylen(class, type)
	int class, type;
{

	switch (class) {
	case algclass_isakmp_enc:
	case algclass_ipsec_enc:
		break;
	default:
		return 0;
	}

	switch (type) {
	case algtype_blowfish:
	case algtype_rc5:
	case algtype_cast128:
	case algtype_aes:
	case algtype_twofish:
	case algtype_camellia:
		return 128;
	default:
		return 0;
	}
}

/*
 * check key length
 * OUT:	-1:	NG
 *	0:	OK
 */
int
check_keylen(class, type, len)
	int class, type, len;
{
	int badrange;

	switch (class) {
	case algclass_isakmp_enc:
	case algclass_ipsec_enc:
		break;
	default:
		/* unknown class, punt */
		plog(LLV_ERROR, LOCATION, NULL,
			"unknown algclass %d\n", class);
		return -1;
	}

	/* key length must be multiple of 8 bytes - RFC2451 2.2 */
	switch (type) {
	case algtype_blowfish:
	case algtype_rc5:
	case algtype_cast128:
	case algtype_aes:
	case algtype_twofish:
	case algtype_camellia:
		if (len % 8 != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
				"key length %d is not multiple of 8\n", len);
			return -1;
		}
		break;
	}

	/* key length range */
	badrange = 0;
	switch (type) {
	case algtype_blowfish:
		if (len < 40 || 448 < len)
			badrange++;
		break;
	case algtype_rc5:
		if (len < 40 || 2040 < len)
			badrange++;
		break;
	case algtype_cast128:
		if (len < 40 || 128 < len)
			badrange++;
		break;
	case algtype_aes:
		if (!(len == 128 || len == 192 || len == 256))
			badrange++;
		break;
	case algtype_twofish:
		if (len < 40 || 256 < len)
			badrange++;
		break;
	case algtype_camellia:
		if (!(len == 128 || len == 192 || len == 256))
			badrange++;
		break;
	default:
		if (len) {
			plog(LLV_ERROR, LOCATION, NULL,
				"key length is not allowed");
			return -1;
		}
		break;
	}
	if (badrange) {
		plog(LLV_ERROR, LOCATION, NULL,
			"key length out of range\n");
		return -1;
	}

	return 0;
}

/*
 * convert algorithm type to DOI value.
 * OUT	-1   : NG
 *	other: converted.
 */
int
algtype2doi(class, type)
	int class, type;
{
	int res = -1;

	switch (class) {
	case algclass_ipsec_enc:
		res = alg_ipsec_encdef_doi(type);
		break;
	case algclass_ipsec_auth:
		res = alg_ipsec_hmacdef_doi(type);
		break;
	case algclass_ipsec_comp:
		res = alg_ipsec_compdef_doi(type);
		break;
	case algclass_isakmp_enc:
		res =  alg_oakley_encdef_doi(type);
		break;
	case algclass_isakmp_hash:
		res = alg_oakley_hashdef_doi(type);
		break;
	case algclass_isakmp_dh:
		res = alg_oakley_dhdef_doi(type);
		break;
	case algclass_isakmp_ameth:
		res = alg_oakley_authdef_doi(type);
		break;
	}
	return res;
}

/*
 * convert algorithm class to DOI value.
 * OUT	-1   : NG
 *	other: converted.
 */
int
algclass2doi(class)
	int class;
{
	switch (class) {
	case algclass_ipsec_enc:
		return IPSECDOI_PROTO_IPSEC_ESP;
	case algclass_ipsec_auth:
		return IPSECDOI_ATTR_AUTH;
	case algclass_ipsec_comp:
		return IPSECDOI_PROTO_IPCOMP;
	case algclass_isakmp_enc:
		return OAKLEY_ATTR_ENC_ALG;
	case algclass_isakmp_hash:
		return OAKLEY_ATTR_HASH_ALG;
	case algclass_isakmp_dh:
		return OAKLEY_ATTR_GRP_DESC;
	case algclass_isakmp_ameth:
		return OAKLEY_ATTR_AUTH_METHOD;
	default:
		return -1;
	}
	/*NOTREACHED*/
	return -1;
}

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>