authorMarkus Friedl <markus@cvs.openbsd.org>2003-07-25 08:31:17 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2003-07-25 08:31:17 +0000
commitdb6552c22aa727c02722a933d4b6559aa8925dc1 (patch)
tree27fe851a0ac7d2db3c0844cd1f17fa503ffb7b56
parentb2551cf2ad028fd667c0fcdd58ce07cf0809aa28 (diff)
add sha2 support; ok ho@
-rw-r--r--sbin/isakmpd/conf.c12
-rw-r--r--sbin/isakmpd/ipsec.c16
-rw-r--r--sbin/isakmpd/isakmpd.conf.54
-rw-r--r--sbin/isakmpd/pf_key_v2.c38
-rw-r--r--sbin/isakmpd/policy.c38
-rw-r--r--sbin/isakmpd/sa.c26
6 files changed, 123 insertions, 11 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index d5ebe918d71..9c59c628ae6 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.56 2003/06/10 16:41:29 deraadt Exp $ */
+/* $OpenBSD: conf.c,v 1.57 2003/07/25 08:31:16 markus Exp $ */
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
/*
@@ -327,7 +327,7 @@ conf_parse (int trans, char *buf, size_t sz)
* where
* {proto} = ESP, AH
* {cipher} = DES, 3DES, CAST, BLF, AES
- * {hash} = MD5, SHA, RIPEMD
+ * {hash} = MD5, SHA, RIPEMD, SHA2-{-256,384,512}
* {group} = GRP1, GRP2, GRP5
*
* DH group defaults to MODP_1024.
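Review bot: The new comment line carries a stray dash inside the braces, `SHA2-{-256,384,512}`, which as a suffix pattern would expand to `SHA2--256`; the abbreviations added to conf_load_defaults in this commit and the man page hunk both spell it `SHA2-{256,384,512}`. Change the line to ` * {hash} = MD5, SHA, RIPEMD, SHA2-{256,384,512}`. The conf_parse comment block continues outside the hunk.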
@@ -393,14 +393,18 @@ conf_load_defaults (int tr)
"CAST_CBC", 0 };
char *dh_group[] = { "MODP_768", "MODP_1024", "MODP_1536", 0 };
char *qm_enc[] = { "DES", "3DES", "CAST", "BLOWFISH", "AES", 0 };
- char *qm_hash[] = { "HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", "NONE", 0 };
+ char *qm_hash[] = { "HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
+ "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512",
+ "NONE", 0 };
/* Abbreviations to make section names a bit shorter. */
char *mm_auth_p[] = { "", "-DSS", "-RSA_SIG", 0 };
char *mm_enc_p[] = { "DES", "BLF", "3DES", "CAST", 0 };
char *dh_group_p[]= { "-GRP1", "-GRP2", "-GRP5", "", 0 };
char *qm_enc_p[] = { "-DES", "-3DES", "-CAST", "-BLF", "-AES", 0 };
- char *qm_hash_p[] = { "-MD5", "-SHA", "-RIPEMD", "", 0 };
+ char *qm_hash_p[] = { "-MD5", "-SHA", "-RIPEMD",
+ "-SHA2-256", "-SHA2-384", "-SHA2-512",
+ "", 0 };
/* Helper #defines, incl abbreviations. */
#define PROTO(x) ((x) ? "AH" : "ESP")
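Review bot: qm_hash and qm_hash_p are extended in lock-step here, but nothing in the hunk records that the two arrays must stay index-aligned; the loop that walks them is outside the hunk, so the pairing is inferred from `HMAC_MD5`/`-MD5` through `NONE`/`""`. A one-line comment above the first array, `/* qm_hash[i] pairs with qm_hash_p[i]; extend both together, in the same order. */`, would make the next addition safer. conf_load_defaults begins before and ends after the hunk.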
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 3809ba94a33..e929038a235 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.77 2003/06/10 12:21:29 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.78 2003/07/25 08:31:16 markus Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -1226,7 +1226,7 @@ ipsec_is_attribute_incompatible (u_int16_t type, u_int8_t *value,
|| decode_16 (value) > IPSEC_ENCAP_TRANSPORT;
case IPSEC_ATTR_AUTHENTICATION_ALGORITHM:
return decode_16 (value) < IPSEC_AUTH_HMAC_MD5
- || decode_16 (value) > IPSEC_AUTH_KPDK;
+ || decode_16 (value) > IPSEC_AUTH_HMAC_RIPEMD;
case IPSEC_ATTR_KEY_LENGTH:
/* XXX Blowfish needs '0'. Others appear to disregard this attr? */
return 0;
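Review bot: The new upper bound `IPSEC_AUTH_HMAC_RIPEMD` makes this check depend on the numeric ordering of the IPSEC_AUTH_* constants: SHA2 is admitted only if its three ids sit between HMAC_MD5 and HMAC_RIPEMD, and the definitions are in a header outside this diff. Since this is the range check applied to a peer-supplied attribute value, a comment pinning the assumption would help, e.g. `/* assumes IPSEC_AUTH_HMAC_RIPEMD is the highest auth-alg id we accept; keep in sync with the IPSEC_AUTH_* definitions */`. Presumably the widened range still admits DES_MAC and KPDK, which pf_key_v2_set_spi in this same diff marks as unsupported, so passing this check does not mean the algorithm can be installed. ipsec_is_attribute_incompatible begins outside the hunk.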
@@ -1737,6 +1737,12 @@ ipsec_esp_authkeylength (struct proto *proto)
case IPSEC_AUTH_HMAC_SHA:
case IPSEC_AUTH_HMAC_RIPEMD:
return 20;
+ case IPSEC_AUTH_HMAC_SHA2_256:
+ return 32;
+ case IPSEC_AUTH_HMAC_SHA2_384:
+ return 48;
+ case IPSEC_AUTH_HMAC_SHA2_512:
+ return 64;
default:
return 0;
}
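Review bot: The new return values 32, 48 and 64 are bare numbers; they are the digest sizes of SHA-256/384/512 used as the HMAC key length, and a comment saying so would keep them from looking arbitrary next to the existing `return 20;`, e.g. `/* HMAC key length equals the digest size: 32/48/64 bytes for SHA2-256/384/512 */` above the first new case. The same comment fits the ipsec_ah_keylength hunk below, which adds the identical values. Both functions begin outside their hunks.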
@@ -1753,6 +1759,12 @@ ipsec_ah_keylength (struct proto *proto)
case IPSEC_AH_SHA:
case IPSEC_AH_RIPEMD:
return 20;
+ case IPSEC_AH_SHA2_256:
+ return 32;
+ case IPSEC_AH_SHA2_384:
+ return 48;
+ case IPSEC_AH_SHA2_512:
+ return 64;
default:
return -1;
}
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 1bc6d33d9d1..96e28343615 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.82 2003/07/09 08:16:44 jmc Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.83 2003/07/25 08:31:16 markus Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -94,7 +94,7 @@ For Quick Mode:
where
{proto} is either ESP or AH
{cipher} is either DES, 3DES, CAST, BLF or AES
- {hash} is either MD5, SHA or RIPEMD
+ {hash} is either MD5, SHA, RIPEMD, SHA2-{256,384,512}
{group} is either GRP1, GRP2 or GRP5
.Ed
.Pp
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index 6870d5db9c6..d21aa258f09 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.134 2003/07/24 09:59:03 itojun Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.135 2003/07/25 08:31:16 markus Exp $ */
/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
/*
@@ -971,6 +971,24 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
break;
#endif
+#ifdef SADB_X_AALG_SHA2_256
+ case IPSEC_AUTH_HMAC_SHA2_256:
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
+ break;
+#endif
+
+#ifdef SADB_X_AALG_SHA2_384
+ case IPSEC_AUTH_HMAC_SHA2_384:
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_384;
+ break;
+#endif
+
+#ifdef SADB_X_AALG_SHA2_512
+ case IPSEC_AUTH_HMAC_SHA2_512:
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_512;
+ break;
+#endif
+
case IPSEC_AUTH_DES_MAC:
case IPSEC_AUTH_KPDK:
/* XXX We should be supporting KPDK */
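Review bot: The new SHA2 cases are compiled only when the kernel headers define `SADB_X_AALG_SHA2_256`/`_384`/`_512`, yet conf.c in this same commit adds `HMAC_SHA2_*` to the default quick-mode proposals unconditionally, so on a build without those defines a negotiated SHA2 SA presumably reaches the `default:` arm, which (as visible at the end of the AH hunk below) reports it only through LOG_DBG at level 50. A failed SA installation is then hard to diagnose in a non-debug run. Consider raising that report to an error-level log, or guarding the conf.c defaults with the same `#ifdef`s. The AH hunk below has the same pattern; pf_key_v2_set_spi extends beyond both hunks.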
@@ -1022,6 +1040,24 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
break;
#endif
+#ifdef SADB_X_AALG_SHA2_256
+ case IPSEC_AH_SHA2_256:
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
+ break;
+#endif
+
+#ifdef SADB_X_AALG_SHA2_384
+ case IPSEC_AH_SHA2_384:
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_384;
+ break;
+#endif
+
+#ifdef SADB_X_AALG_SHA2_512
+ case IPSEC_AH_SHA2_512:
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_512;
+ break;
+#endif
+
default:
LOG_DBG ((LOG_SYSDEP, 50,
"pf_key_v2_set_spi: unknown authentication algorithm %d",
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index 505a606aa91..ddc856896c7 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.65 2003/06/10 16:41:29 deraadt Exp $ */
+/* $OpenBSD: policy.c,v 1.66 2003/07/25 08:31:16 markus Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -266,6 +266,18 @@ policy_callback (char *name)
ah_hash_alg = "ripemd";
break;
+ case IPSEC_AH_SHA2_256:
+ ah_auth_alg = "sha2-256";
+ break;
+
+ case IPSEC_AH_SHA2_384:
+ ah_auth_alg = "sha2-384";
+ break;
+
+ case IPSEC_AH_SHA2_512:
+ ah_auth_alg = "sha2-512";
+ break;
+
case IPSEC_AH_DES:
ah_hash_alg = "des";
break;
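Review bot: The three new IPSEC_AH_SHA2_* cases assign `ah_auth_alg`, but this switch is the one that fills `ah_hash_alg`: the neighbouring arms set `ah_hash_alg = "ripemd"` and `ah_hash_alg = "des"`. As written, a policy expression that tests ah_hash_alg never sees an SHA2 AH proposal, and ah_auth_alg gets a spelling ("sha2-256") that differs from the "hmac-sha2-256" used by the IPSEC_AUTH_* arms later in this diff, so policy evaluation for SHA2 AH SAs appears wrong either way. Change the three assignments to `ah_hash_alg = "sha2-256";`, `ah_hash_alg = "sha2-384";` and `ah_hash_alg = "sha2-512";`. policy_callback begins before and ends after the hunk.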
@@ -548,6 +560,18 @@ policy_callback (char *name)
ah_auth_alg = "hmac-ripemd";
break;
+ case IPSEC_AUTH_HMAC_SHA2_256:
+ ah_auth_alg = "hmac-sha2-256";
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA2_384:
+ ah_auth_alg = "hmac-sha2-384";
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA2_512:
+ ah_auth_alg = "hmac-sha2-512";
+ break;
+
case IPSEC_AUTH_DES_MAC:
ah_auth_alg = "des-mac";
break;
@@ -573,6 +597,18 @@ policy_callback (char *name)
esp_auth_alg = "hmac-ripemd";
break;
+ case IPSEC_AUTH_HMAC_SHA2_256:
+ esp_auth_alg = "hmac-sha2-256";
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA2_384:
+ esp_auth_alg = "hmac-sha2-384";
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA2_512:
+ esp_auth_alg = "hmac-sha2-512";
+ break;
+
case IPSEC_AUTH_DES_MAC:
esp_auth_alg = "des-mac";
break;
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index 28275e1e830..f556243b1f5 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.72 2003/06/04 07:31:17 ho Exp $ */
+/* $OpenBSD: sa.c,v 1.73 2003/07/25 08:31:16 markus Exp $ */
/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
/*
@@ -566,6 +566,18 @@ report_proto (FILE *fd, struct proto *proto)
fprintf (fd, "HMAC-RIPEMD-160\n");
break;
+ case IPSEC_AUTH_HMAC_SHA2_256:
+ fprintf (fd, "HMAC-SHA2-256\n");
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA2_384:
+ fprintf (fd, "HMAC-SHA2-384\n");
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA2_512:
+ fprintf (fd, "HMAC-SHA2-512\n");
+ break;
+
case IPSEC_AUTH_DES_MAC:
case IPSEC_AUTH_KPDK:
/* XXX We should be supporting KPDK */
@@ -598,6 +610,18 @@ report_proto (FILE *fd, struct proto *proto)
fprintf (fd, "HMAC-RIPEMD-160\n");
break;
+ case IPSEC_AH_SHA2_256:
+ fprintf (fd, "HMAC-SHA2-256\n");
+ break;
+
+ case IPSEC_AH_SHA2_384:
+ fprintf (fd, "HMAC-SHA2-384\n");
+ break;
+
+ case IPSEC_AH_SHA2_512:
+ fprintf (fd, "HMAC-SHA2-512\n");
+ break;
+
default:
fprintf (fd, "unknown (%d)", proto->id);
}