authorHakan Olsson <ho@cvs.openbsd.org>2002-01-27 01:56:32 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2002-01-27 01:56:32 +0000
commit9fa8ac7fe5217933f69d097507354d5cb8a110e0 (patch)
treec59be26454a474b8a3e294fbc56088071d780d74 /sbin/isakmpd
parent7df04d79d1a035e4471659a717f65c4ba9b8c2ad (diff)
Add the (former) AES candidate ESP ciphers for IKE, as specified in
http://csrc.nist.gov/ipsec/papers/aes-draft.00.txt. In particular, recognize a Twofish proposal with cipher number 253, as used by the SSH Sentinel.
Diffstat (limited to 'sbin/isakmpd')
-rw-r--r--sbin/isakmpd/ipsec.c5
-rw-r--r--sbin/isakmpd/ipsec_num.cst7
2 files changed, 9 insertions, 3 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 6aa86c860a6..dd74e5b4893 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.62 2002/01/23 17:12:36 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.63 2002/01/27 01:56:31 ho Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -888,7 +888,8 @@ ipsec_validate_transform_id (u_int8_t proto, u_int8_t transform_id)
transform_id < IPSEC_AH_MD5 || transform_id > IPSEC_AH_DES ? -1 : 0;
case IPSEC_PROTO_IPSEC_ESP:
return transform_id < IPSEC_ESP_DES_IV64
- || transform_id > IPSEC_ESP_AES ? -1 : 0;
+ || (transform_id > IPSEC_ESP_AES && transform_id < IPSEC_ESP_AES_MARS)
+ || transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
case IPSEC_PROTO_IPCOMP:
return transform_id < IPSEC_IPCOMP_OUI
|| transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0;
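Review bot: The new ESP range check in ipsec_validate_transform_id accepts every ID from IPSEC_ESP_AES_MARS through IPSEC_ESP_AES_TWOFISH, although the commit message only names a peer that proposes Twofish as 253. Whether the later negotiation and SA setup steps can actually carry out MARS, RC6 or Serpent is not visible in this hunk; if they cannot, it is safer for validation to reject those IDs here than to let an unsupported transform pass as valid. The expression also relies on the five new constants being contiguous and on `?:` binding looser than `||`, so I would wrap the whole condition in parentheses before `? -1 : 0` and add a comment such as `/* 249-253: private-use IDs for the former AES candidates */`. The function starts and ends outside the hunk.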
diff --git a/sbin/isakmpd/ipsec_num.cst b/sbin/isakmpd/ipsec_num.cst
index 8b00cceb2b3..78c6433855c 100644
--- a/sbin/isakmpd/ipsec_num.cst
+++ b/sbin/isakmpd/ipsec_num.cst
@@ -1,4 +1,4 @@
-# $OpenBSD: ipsec_num.cst,v 1.7 2000/10/16 23:27:55 niklas Exp $
+# $OpenBSD: ipsec_num.cst,v 1.8 2002/01/27 01:56:31 ho Exp $
# $EOM: ipsec_num.cst,v 1.5 2000/10/13 17:56:52 angelos Exp $
#
@@ -216,6 +216,11 @@ IPSEC_ESP
RC4 10
NULL 11
AES 12
+ AES_MARS 249
+ AES_RC6 250
+ AES_RIJNDAEL 251
+ AES_SERPENT 252
+ AES_TWOFISH 253
.
# IPSEC IPCOMP transform IDs
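Review bot: The five new IPSEC_ESP entries carry no comment saying that 249-253 come from the private-use part of the ESP transform ID space (RFC 2407 reserves 249-255 for private use among cooperating systems), so a reader cannot tell them apart from the assigned values above them. Private-use numbers mean the same cipher only to peers that follow the same draft, and another implementation may use 253 for something else. I would record that with a line such as `# 249-253: private-use IDs for the former AES candidates, per aes-draft.00.txt`, placed above AES_MARS if the .cst format allows comments inside a block, otherwise above the IPSEC_ESP block.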