author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2006-06-18 18:18:02 +0000 |
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2006-06-18 18:18:02 +0000 |
commit | 9266cd05219113cfefd7ca3e149972a2f6e7e71b (patch) | |
tree | 47bf85671604c9394df22fad9c274d8b086fd0fb | |
parent | 16c2b85f0d49cbd90ca8297b869142aa21cac4c0 (diff) |
add group "none"; when chosen, pfs will be disabled.
ok david msf
-rw-r--r-- | sbin/ipsecctl/ike.c | 7 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 9 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 6 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 3 |
4 files changed, 17 insertions, 8 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index f908eefedc5..9478397946a 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.44 2006/06/16 18:46:26 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.45 2006/06/18 18:18:01 hshoexer Exp $ */
 /*
 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
@@ -255,6 +255,8 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
 if (qmxfs && qmxfs->groupxf) {
 switch (qmxfs->groupxf->id) {
+ case GROUPXF_NONE:
+ break;
 case GROUPXF_768:
 fprintf(fd, "-PFS-GRP1");
 break;
@@ -283,7 +285,8 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
 warnx("illegal group %s", qmxfs->groupxf->name);
 return (-1);
 };
- }
+ } else
+ fprintf(fd, "-PFS");
 fprintf(fd, "-SUITE force\n");
 return (0);
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 908b28f041d..8dc75a1a43b 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.57 2006/06/14 19:04:26 naddy Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.58 2006/06/18 18:18:01 hshoexer Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
 .\"
@@ -535,13 +535,18 @@ the values
 and
 .Ar modp8192
 are allowed.
+When a group is specified perfect forward security (PFS) will be used.
+When the value
+.Ar none
+is used instead, PFS will be disabled.
 If omitted,
 .Xr ipsecctl 8
 will use the default values
 .Ar hmac-sha1
 and
 .Ar aes
-and no specific group specified.
+and PFS with the group
+.Ar modp1024 .
 .It Xo
 .Ic quick auth
 .Aq Ar algorithm
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index d788dc908d3..3020155f241 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
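Review bot: The new `case GROUPXF_NONE:` in the first ike.c hunk leaves the switch without writing anything, so "PFS disabled" is encoded only by the absence of a -PFS token in the suite string, which reads like an unfinished case to anyone who does not know the isakmpd suite syntax; a one-line comment, `case GROUPXF_NONE:	/* PFS disabled: emit no -PFS token */`, would make the intent explicit. The second hunk's new `} else fprintf(fd, "-PFS");` changes what a configuration with no group at all gets, from no PFS to PFS with the default group (modp1024 per the ipsec.conf.5 hunk), which is a behaviour change for existing ipsec.conf files and deserves a comment at the `else`, e.g. `/* no group given: PFS with isakmpd's default group */`, so the code and the manual stay in step. The `};` after the switch is pre-existing and not part of this change. ike_section_qm begins before the first hunk and its closing brace lies after the second.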
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.48 2006/06/02 12:29:43 markus Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.49 2006/06/18 18:18:01 hshoexer Exp $ */
 /*
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
@@ -68,8 +68,8 @@ enum { COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS };
 enum {
- GROUPXF_UNKNOWN, GROUPXF_768, GROUPXF_1024, GROUPXF_1536, GROUPXF_2048,
- GROUPXF_3072, GROUPXF_4096, GROUPXF_6144, GROUPXF_8192,
+ GROUPXF_UNKNOWN, GROUPXF_NONE, GROUPXF_768, GROUPXF_1024, GROUPXF_1536,
+ GROUPXF_2048, GROUPXF_3072, GROUPXF_4096, GROUPXF_6144, GROUPXF_8192,
 };
 enum {
 IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index f1aca8825f0..791cd3c3ba2 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.107 2006/06/16 10:09:51 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.108 2006/06/18 18:18:01 hshoexer Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -90,6 +90,7 @@ const struct ipsec_xf compxfs[] = {
 const struct ipsec_xf groupxfs[] = {
 { "unknown", GROUPXF_UNKNOWN, 0, 0 },
+ { "none", GROUPXF_NONE, 0, 0 },
 { "modp768", GROUPXF_768, 768, 0 },
 { "grp1", GROUPXF_768, 768, 0 },
 { "modp1024", GROUPXF_1024, 1024, 0 }, |
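Review bot: Inserting GROUPXF_NONE between GROUPXF_UNKNOWN and GROUPXF_768 in the ipsecctl.h hunk renumbers every GROUPXF_* constant after it, which is harmless as long as the values are only ever compared symbolically inside ipsecctl (the ike.c switch in this commit does exactly that), but any consumer that stores or compares the raw integers would silently mismatch; appending the new constant at the end of the enum, `GROUPXF_8192, GROUPXF_NONE,`, avoids the question without changing anything else. Whether such a consumer exists cannot be seen from this diff. The enum is fully inside the hunk.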
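Review bot: The new `{ "none", GROUPXF_NONE, 0, 0 },` row in the parse.y groupxfs[] table carries the same zero values in its last two columns as the "unknown" sentinel row above it, so any code that uses those columns rather than the id to tell a real group from the sentinel would treat "none" like "unknown"; from this hunk alone it cannot be seen whether such a check exists, so a short comment on the row, `/* explicit "no PFS"; the id, not the zero columns, distinguishes it from "unknown" */`, would record the intent for whoever later adds one. The table continues past the end of the hunk.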