summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-08-29 08:51:29 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-08-29 08:51:29 +0000
commit6fed63cbba222fe192ec3cf6c601e7cdca609d3b (patch)
treeac2bd2e51d8cde3cbc73cdca3f81011cdfeef19c
parent8f22c0e107257b7c916e7833c3b63856478c8619 (diff)
Properly define quick mode suites for AH. With naddy.
ok ho
-rw-r--r--sbin/isakmpd/conf.c28
1 files changed, 22 insertions, 6 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index 1b951229705..2dc97bfefad 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.91 2006/06/10 21:15:45 hshoexer Exp $ */
+/* $OpenBSD: conf.c,v 1.92 2006/08/29 08:51:28 hshoexer Exp $ */
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
/*
@@ -382,7 +382,7 @@ conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg,
static void
conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p,
- char *qmh_p, char *dhg_p, int proto, int mode, int pfs)
+ char *qmh_p, char *qm_ah_id, char *dhg_p, int proto, int mode, int pfs)
{
char sect[CONF_SECT_MAX], tmp[CONF_SECT_MAX];
@@ -392,7 +392,17 @@ conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p,
#define MODE(x) ((x) ? "TRANSPORT" : "TUNNEL")
#define MODE_p(x) ((x) ? "-TRP" : "")
- if (proto == 1 && strcmp(qmh, "NONE") == 0) /* AH */
+ /* For AH a hash must be present and no encryption is allowed */
+ if (proto == 1 && (strcmp(qmh, "NONE") == 0 ||
+ strcmp(qme, "NONE") != 0))
+ return;
+
+ /* For ESP encryption must be provided, an empty hash is ok. */
+ if (proto == 0 && strcmp(qme, "NONE") == 0)
+ return;
+
+ /* When PFS is disabled no DH group must be specified. */
+ if (pfs == 0 && strcmp(dhg_p, ""))
return;
snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),
@@ -414,7 +424,10 @@ conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p,
* XXX For now, defaults
* contain one xf per protocol.
*/
- conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1);
+ if (proto == 0)
+ conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1);
+ else
+ conf_set(tr, sect, "TRANSFORM_ID", qm_ah_id, 0, 1);
if (strcmp(qme ,"BLOWFISH") == 0)
conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
1);
@@ -454,14 +467,16 @@ conf_load_defaults(int tr)
char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
"-GRP15", 0};
char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES",
- "AES_128_CTR", 0};
+ "AES_128_CTR", "NONE", 0};
char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES",
- "-AESCTR", 0};
+ "-AESCTR", "", 0};
char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
"HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
0};
char *qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD", "-SHA2-256",
"-SHA2-384", "-SHA2-512", "", 0};
+ char *qm_ah_id[] = {"MD5", "SHA", "RIPEMD", "SHA2_256", "SHA2_384",
+ "SHA2_512", "", 0};
/* General and X509 defaults */
conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1);
@@ -541,6 +556,7 @@ conf_load_defaults(int tr)
dhgroup[group],
qm_enc_p[enc],
qm_hash_p[hash],
+ qm_ah_id[hash],
dhgroup_p[group],
proto, mode, pfs);
}