authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-06-18 18:18:02 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-06-18 18:18:02 +0000
commit9266cd05219113cfefd7ca3e149972a2f6e7e71b (patch)
tree47bf85671604c9394df22fad9c274d8b086fd0fb
parent16c2b85f0d49cbd90ca8297b869142aa21cac4c0 (diff)
add group "none"; when chosen, pfs will be disabled.
ok david msf
-rw-r--r--sbin/ipsecctl/ike.c7
-rw-r--r--sbin/ipsecctl/ipsec.conf.59
-rw-r--r--sbin/ipsecctl/ipsecctl.h6
-rw-r--r--sbin/ipsecctl/parse.y3
4 files changed, 17 insertions, 8 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index f908eefedc5..9478397946a 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.44 2006/06/16 18:46:26 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.45 2006/06/18 18:18:01 hshoexer Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -255,6 +255,8 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
if (qmxfs && qmxfs->groupxf) {
switch (qmxfs->groupxf->id) {
+ case GROUPXF_NONE:
+ break;
case GROUPXF_768:
fprintf(fd, "-PFS-GRP1");
break;
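Review bot: The new `case GROUPXF_NONE: break;` at the head of the switch produces a suite string with no `-PFS` component, which is how PFS gets disabled, but nothing in the code says so and a reader could take it for a forgotten fprintf. Suggest `case GROUPXF_NONE:	/* "none": PFS explicitly disabled, no -PFS suffix */`. The same applies to the `} else fprintf(fd, "-PFS");` arm in the next hunk, which requests PFS with a default group whenever no group was configured; a one-line comment there such as `/* no group given: still request PFS, default group (see ipsec.conf.5) */` would record that the secure default is deliberate. ike_section_qm's body starts and ends outside this hunk.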
@@ -283,7 +285,8 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
warnx("illegal group %s", qmxfs->groupxf->name);
return (-1);
};
- }
+ } else
+ fprintf(fd, "-PFS");
fprintf(fd, "-SUITE force\n");
return (0);
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 908b28f041d..8dc75a1a43b 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.57 2006/06/14 19:04:26 naddy Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.58 2006/06/18 18:18:01 hshoexer Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -535,13 +535,18 @@ the values
and
.Ar modp8192
are allowed.
+When a group is specified perfect forward security (PFS) will be used.
+When the value
+.Ar none
+is used instead, PFS will be disabled.
If omitted,
.Xr ipsecctl 8
will use the default values
.Ar hmac-sha1
and
.Ar aes
-and no specific group specified.
+and PFS with the group
+.Ar modp1024 .
.It Xo
.Ic quick auth
.Aq Ar algorithm
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index d788dc908d3..3020155f241 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.48 2006/06/02 12:29:43 markus Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.49 2006/06/18 18:18:01 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -68,8 +68,8 @@ enum {
COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
};
enum {
- GROUPXF_UNKNOWN, GROUPXF_768, GROUPXF_1024, GROUPXF_1536, GROUPXF_2048,
- GROUPXF_3072, GROUPXF_4096, GROUPXF_6144, GROUPXF_8192,
+ GROUPXF_UNKNOWN, GROUPXF_NONE, GROUPXF_768, GROUPXF_1024, GROUPXF_1536,
+ GROUPXF_2048, GROUPXF_3072, GROUPXF_4096, GROUPXF_6144, GROUPXF_8192,
};
enum {
IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC
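Review bot: Inserting GROUPXF_NONE between GROUPXF_UNKNOWN and GROUPXF_768 shifts the numeric value of every following enumerator by one. That is harmless as long as the ids are only ever compared symbolically, which holds for the switch in ike.c and the groupxfs table in parse.y touched by this commit, but anything that stores, logs or transmits the raw value would change meaning silently, and that cannot be checked from this hunk. Appending GROUPXF_NONE after GROUPXF_8192 would keep the existing values stable; if the position is intentional, a short comment above the enum such as `/* ids are internal to ipsecctl; numeric values are not stable */` would record the assumption.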
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index f1aca8825f0..791cd3c3ba2 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.107 2006/06/16 10:09:51 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.108 2006/06/18 18:18:01 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -90,6 +90,7 @@ const struct ipsec_xf compxfs[] = {
const struct ipsec_xf groupxfs[] = {
{ "unknown", GROUPXF_UNKNOWN, 0, 0 },
+ { "none", GROUPXF_NONE, 0, 0 },
{ "modp768", GROUPXF_768, 768, 0 },
{ "grp1", GROUPXF_768, 768, 0 },
{ "modp1024", GROUPXF_1024, 1024, 0 },