diff options
Diffstat (limited to 'src/Cedar')
| -rw-r--r-- | src/Cedar/IPsec_IkePacket.c | 69 | ||||
| -rw-r--r-- | src/Cedar/IPsec_IkePacket.h | 14 | ||||
| -rw-r--r-- | src/Cedar/Interop_OpenVPN.h | 2 |
3 files changed, 75 insertions, 10 deletions
diff --git a/src/Cedar/IPsec_IkePacket.c b/src/Cedar/IPsec_IkePacket.c index 8475a456..0790403c 100644 --- a/src/Cedar/IPsec_IkePacket.c +++ b/src/Cedar/IPsec_IkePacket.c @@ -2558,6 +2558,8 @@ IKE_ENGINE *NewIkeEngine() {
IKE_ENGINE *e = ZeroMalloc(sizeof(IKE_ENGINE));
IKE_CRYPTO *des, *des3, *aes;
+ IKE_HASH *sha1, *md5, *sha2_256, *sha2_384, *sha2_512;
+ IKE_DH *dh1, *dh2, *dh5;
IKE_HASH *sha1, *md5;
IKE_DH *dh1, *dh2, *dh5, *dh2048, *dh3072, *dh4096;
UINT des_key_sizes[] =
@@ -2594,6 +2596,14 @@ IKE_ENGINE *NewIkeEngine() // SHA-1
sha1 = NewIkeHash(e, IKE_HASH_SHA1_ID, IKE_HASH_SHA1_STRING, 20);
+ // SHA-2
+ // sha2-256
+ sha2_256 = NewIkeHash(e, IKE_HASH_SHA2_256_ID, IKE_HASH_SHA2_256_STRING, 32);
+ // sha2-384
+ sha2_384 = NewIkeHash(e, IKE_HASH_SHA2_384_ID, IKE_HASH_SHA2_384_STRING, 48);
+ // sha2-512
+ sha2_512 = NewIkeHash(e, IKE_HASH_SHA2_512_ID, IKE_HASH_SHA2_512_STRING, 64);
+
// MD5
md5 = NewIkeHash(e, IKE_HASH_MD5_ID, IKE_HASH_MD5_STRING, 16);
@@ -2611,6 +2621,10 @@ IKE_ENGINE *NewIkeEngine() e->IkeCryptos[IKE_P1_CRYPTO_AES_CBC] = aes;
e->IkeHashes[IKE_P1_HASH_MD5] = md5;
e->IkeHashes[IKE_P1_HASH_SHA1] = sha1;
+ e->IkeHashes[IKE_P1_HASH_SHA2_256] = sha2_256;
+ e->IkeHashes[IKE_P1_HASH_SHA2_384] = sha2_384;
+ e->IkeHashes[IKE_P1_HASH_SHA2_512] = sha2_512;
+
// Definition of ESP algorithm
e->EspCryptos[IKE_TRANSFORM_ID_P2_ESP_DES] = des;
@@ -2931,6 +2945,15 @@ void IkeHash(IKE_HASH *h, void *dst, void *src, UINT size) // SHA-1
Sha1(dst, src, size);
break;
+ case IKE_HASH_SHA2_256_ID:
+ Sha2_256(dst, src, size);
+ break;
+ case IKE_HASH_SHA2_384_ID:
+ Sha2_384(dst, src, size);
+ break;
+ case IKE_HASH_SHA2_512_ID:
+ Sha2_512(dst, src, size);
+ break;
default:
// Unknown
@@ -2942,11 +2965,26 @@ void IkeHash(IKE_HASH *h, void *dst, void *src, UINT size) // Calculation of HMAC
void IkeHMac(IKE_HASH *h, void *dst, void *key, UINT key_size, void *data, UINT data_size)
{
- UCHAR k[HMAC_BLOCK_SIZE];
+ UINT hmac_block_size;
+ if (h == NULL) {
+ return;
+ }
+ switch (h->HashId) {
+ case IKE_HASH_SHA1_ID:
+ case IKE_HASH_SHA2_256_ID:
+ hmac_block_size = HMAC_BLOCK_SIZE;
+ break;
+ case IKE_HASH_SHA2_384_ID:
+ case IKE_HASH_SHA2_512_ID:
+ hmac_block_size = HMAC_BLOCK_SIZE_1024;
+ break;
+ default: return;
+ }
+ UCHAR k[hmac_block_size];
UCHAR *data1;
UCHAR hash1[IKE_MAX_HASH_SIZE];
UINT data1_size;
- UCHAR data2[IKE_MAX_HASH_SIZE + HMAC_BLOCK_SIZE];
+ UCHAR data2[IKE_MAX_HASH_SIZE + hmac_block_size];
UINT data2_size;
UCHAR tmp1600[1600];
bool no_free = false;
@@ -2963,6 +3001,21 @@ void IkeHMac(IKE_HASH *h, void *dst, void *key, UINT key_size, void *data, UINT HMacSha1(dst, key, key_size, data, data_size);
return;
}
+ else if (h->HashId == IKE_HASH_SHA2_256_ID)
+ {
+ HMacSha2_256(dst, key, key_size, data, data_size);
+ return;
+ }
+ else if (h->HashId == IKE_HASH_SHA2_384_ID)
+ {
+ HMacSha2_384(dst, key, key_size, data, data_size);
+ return;
+ }
+ else if (h->HashId == IKE_HASH_SHA2_512_ID)
+ {
+ HMacSha2_512(dst, key, key_size, data, data_size);
+ return;
+ }
else if (h->HashId == IKE_HASH_MD5_ID)
{
// Use the special function (fast) in the case of MD5
@@ -2972,7 +3025,7 @@ void IkeHMac(IKE_HASH *h, void *dst, void *key, UINT key_size, void *data, UINT // Creating a K
Zero(k, sizeof(k));
- if (key_size <= HMAC_BLOCK_SIZE)
+ if (key_size <= hmac_block_size)
{
Copy(k, key, key_size);
}
@@ -2982,7 +3035,7 @@ void IkeHMac(IKE_HASH *h, void *dst, void *key, UINT key_size, void *data, UINT }
// Generation of data 1
- data1_size = data_size + HMAC_BLOCK_SIZE;
+ data1_size = data_size + hmac_block_size;
if (data1_size > sizeof(tmp1600))
{
@@ -2994,12 +3047,12 @@ void IkeHMac(IKE_HASH *h, void *dst, void *key, UINT key_size, void *data, UINT no_free = true;
}
- for (i = 0;i < HMAC_BLOCK_SIZE;i++)
+ for (i = 0;i < hmac_block_size;i++)
{
data1[i] = k[i] ^ 0x36;
}
- Copy(data1 + HMAC_BLOCK_SIZE, data, data_size);
+ Copy(data1 + hmac_block_size, data, data_size);
// Calculate the hash value
IkeHash(h, hash1, data1, data1_size);
@@ -3010,14 +3063,14 @@ void IkeHMac(IKE_HASH *h, void *dst, void *key, UINT key_size, void *data, UINT }
// Generation of data 2
- data2_size = h->HashSize + HMAC_BLOCK_SIZE;
+ data2_size = h->HashSize + hmac_block_size;
for (i = 0;i < HMAC_BLOCK_SIZE;i++)
{
data2[i] = k[i] ^ 0x5c;
}
- Copy(data2 + HMAC_BLOCK_SIZE, hash1, h->HashSize);
+ Copy(data2 + hmac_block_size, hash1, h->HashSize);
// Calculate the hash value
IkeHash(h, dst, data2, data2_size);
diff --git a/src/Cedar/IPsec_IkePacket.h b/src/Cedar/IPsec_IkePacket.h index 6f714377..e82925b6 100644 --- a/src/Cedar/IPsec_IkePacket.h +++ b/src/Cedar/IPsec_IkePacket.h @@ -120,7 +120,7 @@ #endif // OS_WIN32
// Maximum hash size
-#define IKE_MAX_HASH_SIZE 20 // Size of SHA-1 is the maximum for now
+#define IKE_MAX_HASH_SIZE 64 // Size of SHA-2-512 is the maximum for now
// Maximum block size
#define IKE_MAX_BLOCK_SIZE 16 // Size of AES is maximum at the moment
@@ -250,6 +250,9 @@ struct IKE_TRANSFORM_VALUE // Phase 1: The hash algorithm in IKE transform value
#define IKE_P1_HASH_MD5 1
#define IKE_P1_HASH_SHA1 2
+#define IKE_P1_HASH_SHA2_256 4
+#define IKE_P1_HASH_SHA2_384 5
+#define IKE_P1_HASH_SHA2_512 6
// Phase 1: The authentication method in the IKE transform value
#define IKE_P1_AUTH_METHOD_PRESHAREDKEY 1
@@ -536,6 +539,15 @@ struct IKE_P1_KEYSET #define IKE_HASH_SHA1_ID 1
#define IKE_HASH_SHA1_STRING "SHA-1"
+#define IKE_HASH_SHA2_256_ID 2
+#define IKE_HASH_SHA2_256_STRING "SHA-2-256"
+
+#define IKE_HASH_SHA2_384_ID 3
+#define IKE_HASH_SHA2_384_STRING "SHA-2-384"
+
+#define IKE_HASH_SHA2_512_ID 4
+#define IKE_HASH_SHA2_512_STRING "SHA-2-512"
+
// Number and name of DH algorithm for IKE
#define IKE_DH_1_ID 0
#define IKE_DH_1_STRING "MODP 768 (Group 1)"
diff --git a/src/Cedar/Interop_OpenVPN.h b/src/Cedar/Interop_OpenVPN.h index 20e53bb8..7ff8f5fc 100644 --- a/src/Cedar/Interop_OpenVPN.h +++ b/src/Cedar/Interop_OpenVPN.h @@ -155,7 +155,7 @@ #define OPENVPN_CIPHER_LIST "[NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC RC2-40-CBC RC2-64-CBC RC2-CBC"
// List of the supported hash algorithm
-#define OPENVPN_MD_LIST "SHA SHA1 MD5 MD4 RMD160"
+#define OPENVPN_MD_LIST "SHA SHA1 SHA256 SHA384 SHA512 MD5 MD4 RMD160"
// MTU
#define OPENVPN_MTU_LINK 1514 // Ethernet MTU
|