authorMartin Pieuchot <mpi@cvs.openbsd.org>2017-10-27 08:29:33 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2017-10-27 08:29:33 +0000
commiteb3522ecd94c3aab4b928b85e82ca375be020be3 (patch)
treef6151d7ade06ca8a91b33a34e87101696d0aa1b7 /sbin/ipsecctl
parentd3bf0afe08cb2e34167651ce64ea95480b5c337e (diff)
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r--sbin/ipsecctl/ike.c90
-rw-r--r--sbin/ipsecctl/ipsec.conf.513
-rw-r--r--sbin/ipsecctl/ipsecctl.h8
-rw-r--r--sbin/ipsecctl/parse.y52
4 files changed, 123 insertions, 40 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index c3bd21401a0..5c46877461a 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.81 2015/12/09 21:41:50 naddy Exp $ */
+/* $OpenBSD: ike.c,v 1.82 2017/10/27 08:29:32 mpi Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -330,30 +330,57 @@ ike_section_p2(struct ipsec_rule *r, FILE *fd)
switch (r->p2xfs->groupxf->id) {
case GROUPXF_NONE:
break;
- case GROUPXF_768:
+ case GROUPXF_1:
group_desc = "MODP_768";
break;
- case GROUPXF_1024:
+ case GROUPXF_2:
group_desc = "MODP_1024";
break;
- case GROUPXF_1536:
+ case GROUPXF_5:
group_desc = "MODP_1536";
break;
- case GROUPXF_2048:
+ case GROUPXF_14:
group_desc = "MODP_2048";
break;
- case GROUPXF_3072:
+ case GROUPXF_15:
group_desc = "MODP_3072";
break;
- case GROUPXF_4096:
+ case GROUPXF_16:
group_desc = "MODP_4096";
break;
- case GROUPXF_6144:
+ case GROUPXF_17:
group_desc = "MODP_6144";
break;
- case GROUPXF_8192:
+ case GROUPXF_18:
group_desc = "MODP_8192";
break;
+ case GROUPXF_19:
+ group_desc = "ECP_256";
+ break;
+ case GROUPXF_20:
+ group_desc = "ECP_384";
+ break;
+ case GROUPXF_21:
+ group_desc = "ECP_521";
+ break;
+ case GROUPXF_25:
+ group_desc = "ECP_192";
+ break;
+ case GROUPXF_26:
+ group_desc = "ECP_224";
+ break;
+ case GROUPXF_27:
+ group_desc = "BP_224";
+ break;
+ case GROUPXF_28:
+ group_desc = "BP_256";
+ break;
+ case GROUPXF_29:
+ group_desc = "BP_384";
+ break;
+ case GROUPXF_30:
+ group_desc = "BP_512";
+ break;
default:
warnx("illegal group %s", r->p2xfs->groupxf->name);
return (-1);
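Review bot: The new `GROUPXF_19` … `GROUPXF_30` cases turn ike_section_p2's switch into a 17-entry id-to-string table that is repeated verbatim in the ike_section_p1 hunk below, so the two copies now have to be kept in sync by hand every time a group is added. A single helper, `static const char *ike_group_desc(int id)`, holding the switch once and returning NULL for an id it does not know, would let both call sites collapse to `if ((group_desc = ike_group_desc(r->p2xfs->groupxf->id)) == NULL) { warnx("illegal group %s", r->p2xfs->groupxf->name); return (-1); }` (p1 likewise with `p1xfs`). The descriptions end up in the configuration handed to the IKE daemon, so whether `ECP_192`, `ECP_224` and the `BP_*` names are accepted on that side is worth confirming, since a mismatch only surfaces when the daemon reads the generated configuration rather than at ipsecctl parse time. Separately, the ipsec.conf.5 hunk in this commit lists `ecp521` with size 512 while the matching `groupxfs` entry in parse.y gives 521 — presumably a typo in the manual. ike_section_p2's body begins and ends outside this hunk.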
@@ -496,34 +523,61 @@ ike_section_p1(struct ipsec_rule *r, FILE *fd)
if (r->p1xfs && r->p1xfs->groupxf) {
switch (r->p1xfs->groupxf->id) {
- case GROUPXF_768:
+ case GROUPXF_1:
group_desc = "MODP_768";
break;
- case GROUPXF_1024:
+ case GROUPXF_2:
group_desc = "MODP_1024";
break;
- case GROUPXF_1536:
+ case GROUPXF_5:
group_desc = "MODP_1536";
break;
- case GROUPXF_2048:
+ case GROUPXF_14:
group_desc = "MODP_2048";
break;
- case GROUPXF_3072:
+ case GROUPXF_15:
group_desc = "MODP_3072";
break;
- case GROUPXF_4096:
+ case GROUPXF_16:
group_desc = "MODP_4096";
break;
- case GROUPXF_6144:
+ case GROUPXF_17:
group_desc = "MODP_6144";
break;
- case GROUPXF_8192:
+ case GROUPXF_18:
group_desc = "MODP_8192";
break;
+ case GROUPXF_19:
+ group_desc = "ECP_256";
+ break;
+ case GROUPXF_20:
+ group_desc = "ECP_384";
+ break;
+ case GROUPXF_21:
+ group_desc = "ECP_521";
+ break;
+ case GROUPXF_25:
+ group_desc = "ECP_192";
+ break;
+ case GROUPXF_26:
+ group_desc = "ECP_224";
+ break;
+ case GROUPXF_27:
+ group_desc = "BP_224";
+ break;
+ case GROUPXF_28:
+ group_desc = "BP_256";
+ break;
+ case GROUPXF_29:
+ group_desc = "BP_384";
+ break;
+ case GROUPXF_30:
+ group_desc = "BP_512";
+ break;
default:
warnx("illegal group %s", r->p1xfs->groupxf->name);
return (-1);
- };
+ }
} else
group_desc = "MODP_3072";
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index c5bed67d203..995dde1ecf7 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.152 2017/04/14 18:06:28 bluhm Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.153 2017/10/27 08:29:32 mpi Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: April 14 2017 $
+.Dd $Mdocdate: October 27 2017 $
.Dt IPSEC.CONF 5
.Os
.Sh NAME
@@ -668,6 +668,15 @@ keyword:
.It Li modp4096 Ta 4096 Ta "[DH group 16]"
.It Li modp6144 Ta 6144 Ta "[DH group 17]"
.It Li modp8192 Ta 8192 Ta "[DH group 18]"
+.It Li ecp256 Ta 256 Ta "[DH group 19]"
+.It Li ecp384 Ta 384 Ta "[DH group 20]"
+.It Li ecp521 Ta 512 Ta "[DH group 21]"
+.It Li ecp192 Ta 192 Ta "[DH group 25]"
+.It Li ecp224 Ta 224 Ta "[DH group 26]"
+.It Li bp224 Ta 224 Ta "[DH group 27]"
+.It Li bp256 Ta 256 Ta "[DH group 28]"
+.It Li bp384 Ta 384 Ta "[DH group 29]"
+.It Li bp512 Ta 512 Ta "[DH group 30]"
.It Li none Ta 0 Ta "[phase 2 only]"
.El
.Sh MANUAL FLOWS
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 680ed1a7d92..796ddf4545b 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.71 2017/04/19 15:59:38 bluhm Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.72 2017/10/27 08:29:32 mpi Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -73,8 +73,10 @@ enum {
COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
};
enum {
- GROUPXF_UNKNOWN, GROUPXF_NONE, GROUPXF_768, GROUPXF_1024, GROUPXF_1536,
- GROUPXF_2048, GROUPXF_3072, GROUPXF_4096, GROUPXF_6144, GROUPXF_8192,
+ GROUPXF_UNKNOWN, GROUPXF_NONE, GROUPXF_1, GROUPXF_2, GROUPXF_5,
+ GROUPXF_14, GROUPXF_15, GROUPXF_16, GROUPXF_17, GROUPXF_18,
+ GROUPXF_19, GROUPXF_20, GROUPXF_21, GROUPXF_25, GROUPXF_26,
+ GROUPXF_27, GROUPXF_28, GROUPXF_29, GROUPXF_30
};
enum {
IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC
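Review bot: The renamed enumerators `GROUPXF_1` … `GROUPXF_30` read like IKE DH group numbers, but the list is positional (`GROUPXF_UNKNOWN` and `GROUPXF_NONE` come first and groups 22 to 24 are absent), so `GROUPXF_14` is not 14 and `GROUPXF_25` is not 25, and nothing in the hunk says so. A comment on the enum, `/* GROUPXF_<n> names IKE DH group n; the enumerator value is an index, not the group number */`, would stop a later reader from passing the value where the group number is expected. The switch cases in ike.c and the `groupxfs` table in parse.y select by enumerator name, so the callers in this commit are unaffected.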
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 64016a22172..d5ba39ee185 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.168 2017/04/19 15:59:38 bluhm Exp $ */
+/* $OpenBSD: parse.y,v 1.169 2017/10/27 08:29:32 mpi Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -136,22 +136,40 @@ const struct ipsec_xf compxfs[] = {
const struct ipsec_xf groupxfs[] = {
{ "unknown", GROUPXF_UNKNOWN, 0, 0 },
{ "none", GROUPXF_NONE, 0, 0 },
- { "modp768", GROUPXF_768, 768, 0 },
- { "grp1", GROUPXF_768, 768, 0 },
- { "modp1024", GROUPXF_1024, 1024, 0 },
- { "grp2", GROUPXF_1024, 1024, 0 },
- { "modp1536", GROUPXF_1536, 1536, 0 },
- { "grp5", GROUPXF_1536, 1536, 0 },
- { "modp2048", GROUPXF_2048, 2048, 0 },
- { "grp14", GROUPXF_2048, 2048, 0 },
- { "modp3072", GROUPXF_3072, 3072, 0 },
- { "grp15", GROUPXF_3072, 3072, 0 },
- { "modp4096", GROUPXF_4096, 4096, 0 },
- { "grp16", GROUPXF_4096, 4096, 0 },
- { "modp6144", GROUPXF_6144, 6144, 0 },
- { "grp17", GROUPXF_6144, 6144, 0 },
- { "modp8192", GROUPXF_8192, 8192, 0 },
- { "grp18", GROUPXF_8192, 8192, 0 },
+ { "modp768", GROUPXF_1, 768, 0 },
+ { "grp1", GROUPXF_1, 768, 0 },
+ { "modp1024", GROUPXF_2, 1024, 0 },
+ { "grp2", GROUPXF_2, 1024, 0 },
+ { "modp1536", GROUPXF_5, 1536, 0 },
+ { "grp5", GROUPXF_5, 1536, 0 },
+ { "modp2048", GROUPXF_14, 2048, 0 },
+ { "grp14", GROUPXF_14, 2048, 0 },
+ { "modp3072", GROUPXF_15, 3072, 0 },
+ { "grp15", GROUPXF_15, 3072, 0 },
+ { "modp4096", GROUPXF_16, 4096, 0 },
+ { "grp16", GROUPXF_16, 4096, 0 },
+ { "modp6144", GROUPXF_17, 6144, 0 },
+ { "grp17", GROUPXF_17, 6144, 0 },
+ { "modp8192", GROUPXF_18, 8192, 0 },
+ { "grp18", GROUPXF_18, 8192, 0 },
+ { "ecp256", GROUPXF_19, 256, 0 },
+ { "grp19", GROUPXF_19, 256, 0 },
+ { "ecp384", GROUPXF_20, 384, 0 },
+ { "grp20", GROUPXF_20, 384, 0 },
+ { "ecp521", GROUPXF_21, 521, 0 },
+ { "grp21", GROUPXF_21, 521, 0 },
+ { "ecp192", GROUPXF_25, 192, 0 },
+ { "grp25", GROUPXF_25, 192, 0 },
+ { "ecp224", GROUPXF_26, 224, 0 },
+ { "grp26", GROUPXF_26, 224, 0 },
+ { "bp224", GROUPXF_27, 224, 0 },
+ { "grp27", GROUPXF_27, 224, 0 },
+ { "bp256", GROUPXF_28, 256, 0 },
+ { "grp28", GROUPXF_28, 256, 0 },
+ { "bp384", GROUPXF_29, 384, 0 },
+ { "grp29", GROUPXF_29, 384, 0 },
+ { "bp512", GROUPXF_30, 512, 0 },
+ { "grp30", GROUPXF_30, 512, 0 },
{ NULL, 0, 0, 0 },
};