authorChristian Weisgerber <naddy@cvs.openbsd.org>2015-12-09 21:41:51 +0000
committerChristian Weisgerber <naddy@cvs.openbsd.org>2015-12-09 21:41:51 +0000
commit269c53634d852828f364f2ab5d2c0c602014d455 (patch)
tree65177662c39722e3ec8d8a560bfb037d2d35dcee /sbin/iked
parentc1d2897d759ec008f27fea1f8e5c398a6562b3e4 (diff)
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@
Diffstat (limited to 'sbin/iked')
-rw-r--r--sbin/iked/iked.conf.511
-rw-r--r--sbin/iked/parse.y3
-rw-r--r--sbin/iked/pfkey.c3
3 files changed, 5 insertions, 12 deletions
diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5
index 1e8e0bd5bd6..d98ced36d7a 100644
--- a/sbin/iked/iked.conf.5
+++ b/sbin/iked/iked.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.43 2015/11/04 12:40:49 mikeb Exp $
+.\" $OpenBSD: iked.conf.5,v 1.44 2015/12/09 21:41:49 naddy Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 4 2015 $
+.Dd $Mdocdate: December 9 2015 $
.Dt IKED.CONF 5
.Os
.Sh NAME
@@ -757,7 +757,6 @@ The following cipher types are permitted with the
keyword:
.Bl -column "chacha20-poly1305" "Key Length" "[ESP only]" -offset indent
.It Em "Cipher" Ta Em "Key Length" Ta ""
-.It Li des Ta "56 bits" Ta "[ESP only]"
.It Li 3des Ta "168 bits" Ta ""
.It Li aes-128 Ta "128 bits" Ta ""
.It Li aes-192 Ta "192 bits" Ta ""
@@ -782,11 +781,7 @@ not encryption:
.It Li null Ta "" Ta "[ESP only]"
.El
.Pp
-Use of DES as an encryption algorithm is considered to be insecure
-since brute force attacks are practical due its short key length.
-.Pp
-DES requires 8 bytes to form a 56-bit key and 3DES requires 24 bytes
-to form its 168-bit key.
+3DES requires 24 bytes to form its 168-bit key.
This is because the most significant bit of each byte is used for parity.
.Pp
The keysize of AES-CTR is actually 128-bit.
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index d525132ee7d..958e51ae235 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.53 2015/11/04 12:40:49 mikeb Exp $ */
+/* $OpenBSD: parse.y,v 1.54 2015/12/09 21:41:49 naddy Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -177,7 +177,6 @@ const struct ipsec_xf ikeencxfs[] = {
};
const struct ipsec_xf ipsecencxfs[] = {
- { "des", IKEV2_XFORMENCR_DES, 8 },
{ "3des", IKEV2_XFORMENCR_3DES, 24 },
{ "3des-cbc", IKEV2_XFORMENCR_3DES, 24 },
{ "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 },
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index 85b773a524c..3118f41e723 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.48 2015/12/02 12:43:59 naddy Exp $ */
+/* $OpenBSD: pfkey.c,v 1.49 2015/12/09 21:41:49 naddy Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -69,7 +69,6 @@ struct pfkey_constmap {
};
static const struct pfkey_constmap pfkey_encr[] = {
- { SADB_EALG_DESCBC, IKEV2_XFORMENCR_DES },
{ SADB_EALG_3DESCBC, IKEV2_XFORMENCR_3DES },
{ SADB_X_EALG_CAST, IKEV2_XFORMENCR_CAST },
{ SADB_X_EALG_BLF, IKEV2_XFORMENCR_BLOWFISH },