author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2006-06-10 19:21:11 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2006-06-10 19:21:11 +0000 |
commit | 8f9a6ec01674d81f1fb72d91b08461f11b7d082e (patch) | |
tree | 88404f4680e8c7ca61d08b99ae22f86da9151de5 /sbin/ipsecctl | |
parent | 39e7256a39843684d3c956cd56709ef2743a0e68 (diff) |
switch back to original defaults regarding DH groups. modp3072 is too
heavyweight. Testing by Jason George, thanks!
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- | sbin/ipsecctl/ike.c | 42 |
1 files changed, 19 insertions, 23 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 01601c06fdc..fa422c8604f 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.40 2006/06/08 22:34:30 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.41 2006/06/10 19:21:10 hshoexer Exp $ */
 /*
 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
@@ -249,40 +249,38 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
 }
 } else
 fprintf(fd, "SHA2-256");
- fprintf(fd, "-PFS-");
 if (qmxfs && qmxfs->groupxf) {
 switch (qmxfs->groupxf->id) {
 case GROUPXF_768:
- fprintf(fd, "GRP1");
+ fprintf(fd, "-PFS-GRP1");
 break;
 case GROUPXF_1024:
- fprintf(fd, "GRP2");
+ fprintf(fd, "-PFS-GRP2");
 break;
 case GROUPXF_1536:
- fprintf(fd, "GRP5");
+ fprintf(fd, "-PFS-GRP5");
 break;
 case GROUPXF_2048:
- fprintf(fd, "GRP14");
+ fprintf(fd, "-PFS-GRP14");
 break;
 case GROUPXF_3072:
- fprintf(fd, "GRP15");
+ fprintf(fd, "-PFS-GRP15");
 break;
 case GROUPXF_4096:
- fprintf(fd, "GRP16");
+ fprintf(fd, "-PFS-GRP16");
 break;
 case GROUPXF_6144:
- fprintf(fd, "GRP17");
+ fprintf(fd, "-PFS-GRP17");
 break;
 case GROUPXF_8192:
- fprintf(fd, "GRP18");
+ fprintf(fd, "-PFS-GRP18");
 break;
 default:
 warnx("illegal group %s", qmxfs->groupxf->name);
 return (-1);
 };
- } else
- fprintf(fd, "GRP15");
+ }
 fprintf(fd, "-SUITE force\n");
 return (0);
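Review bot: In ike_section_qm, the no-group path (the `if (qmxfs && qmxfs->groupxf)` block that now ends in a bare `}`) no longer writes any `-PFS-` token, so a policy without an explicit group produces a quick-mode suite name with no PFS marker at all, not just a smaller group. The commit message only says the modp3072 default is too heavy, so it is worth confirming that dropping PFS from the default is intended; if it is not, an `else fprintf(fd, "-PFS");` branch would presumably keep PFS while leaving the group to isakmpd (verify against the suite naming in isakmpd.conf(5)). The ike_section_mm hunk has the same shape: with no group configured the name carries no `-GRPn`, so the effective DH group is whatever isakmpd defaults to, and a comment such as `/* no group given: isakmpd picks its default DH group */` at both places would make that visible to the next reader. Both function bodies start and end outside the hunks shown.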
@@ -343,40 +341,38 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
 }
 } else
 fprintf(fd, "SHA");
- fprintf(fd, "-");
 if (mmxfs && mmxfs->groupxf) {
 switch (mmxfs->groupxf->id) {
 case GROUPXF_768:
- fprintf(fd, "GRP1");
+ fprintf(fd, "-GRP1");
 break;
 case GROUPXF_1024:
- fprintf(fd, "GRP2");
+ fprintf(fd, "-GRP2");
 break;
 case GROUPXF_1536:
- fprintf(fd, "GRP5");
+ fprintf(fd, "-GRP5");
 break;
 case GROUPXF_2048:
- fprintf(fd, "GRP14");
+ fprintf(fd, "-GRP14");
 break;
 case GROUPXF_3072:
- fprintf(fd, "GRP15");
+ fprintf(fd, "-GRP15");
 break;
 case GROUPXF_4096:
- fprintf(fd, "GRP16");
+ fprintf(fd, "-GRP16");
 break;
 case GROUPXF_6144:
- fprintf(fd, "GRP17");
+ fprintf(fd, "-GRP17");
 break;
 case GROUPXF_8192:
- fprintf(fd, "GRP18");
+ fprintf(fd, "-GRP18");
 break;
 default:
 warnx("illegal group %s", mmxfs->groupxf->name);
 return (-1);
 };
- } else
- fprintf(fd, "GRP15");
+ }
 if (auth->type == IKE_AUTH_RSA)
 fprintf(fd, "-RSA_SIG"); |