authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-05-27 17:21:41 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-05-27 17:21:41 +0000
commit0539e0af48cb342240e4f31544abc301de2b3c64 (patch)
tree4873395db3e235384c4f70e83702346b865e9342 /sbin
parent8213887efe887207cfa3c3eeba961109b03e1294 (diff)
allow specifying the groups to be used by IKE
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipsecctl/ike.c72
-rw-r--r--sbin/ipsecctl/ipsec.conf.542
-rw-r--r--sbin/ipsecctl/ipsecctl.h7
-rw-r--r--sbin/ipsecctl/parse.y36
4 files changed, 147 insertions, 10 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index be6527ae87e..84cb16f86d3 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.25 2006/05/15 07:50:26 deraadt Exp $ */
+/* $OpenBSD: ike.c,v 1.26 2006/05/27 17:21:40 hshoexer Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -203,7 +203,41 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
}
} else
fprintf(fd, "SHA2-256");
- fprintf(fd, "-PFS-SUITE force\n");
+ fprintf(fd, "-PFS-");
+
+ if (qmxfs->groupxf) {
+ switch (qmxfs->groupxf->id) {
+ case GROUPXF_768:
+ fprintf(fd, "GRP1");
+ break;
+ case GROUPXF_1024:
+ fprintf(fd, "GRP2");
+ break;
+ case GROUPXF_1536:
+ fprintf(fd, "GRP5");
+ break;
+ case GROUPXF_2048:
+ fprintf(fd, "GRP14");
+ break;
+ case GROUPXF_3072:
+ fprintf(fd, "GRP15");
+ break;
+ case GROUPXF_4096:
+ fprintf(fd, "GRP16");
+ break;
+ case GROUPXF_6144:
+ fprintf(fd, "GRP17");
+ break;
+ case GROUPXF_8192:
+ fprintf(fd, "GRP18");
+ break;
+ default:
+ warnx("illegal group %s", qmxfs->groupxf->name);
+ return (-1);
+ };
+ } else
+ fprintf(fd, "GRP15");
+ fprintf(fd, "-SUITE force\n");
return (0);
}
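Review bot: The eight-case group switch added here is duplicated verbatim in ike_section_mm in the next hunk (lines 77-108 of this page), so the id-to-"GRPn" mapping now lives in two places that can drift apart, and the `};` closing each switch is a stray null statement. Moving the switch into one static helper that takes the `const struct ipsec_xf *` and the output stream, with the NULL case carrying the GRP15 default, leaves each caller with a single call; the error return after part of the line has already been written to fd follows what the surrounding auth/enc output appears to do, so it is kept. ike_section_qm's body starts outside the hunk.
```c
/* Write the isakmpd group token for xf; NULL selects the default. */
static int
ike_section_group(const struct ipsec_xf *xf, FILE *fd)
{
	if (xf == NULL) {
		fprintf(fd, "GRP15");
		return (0);
	}
	switch (xf->id) {
	case GROUPXF_768:
		fprintf(fd, "GRP1");
		break;
	/* … unchanged: GROUPXF_1024 through GROUPXF_8192 cases … */
	default:
		warnx("illegal group %s", xf->name);
		return (-1);
	}
	return (0);
}

	/* … unchanged: ike_section_qm auth/enc output … */
	fprintf(fd, "-PFS-");
	if (ike_section_group(qmxfs->groupxf, fd) == -1)
		return (-1);
	fprintf(fd, "-SUITE force\n");
```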
@@ -256,6 +290,40 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
}
} else
fprintf(fd, "SHA");
+ fprintf(fd, "-");
+
+ if (mmxfs->groupxf) {
+ switch (mmxfs->groupxf->id) {
+ case GROUPXF_768:
+ fprintf(fd, "GRP1");
+ break;
+ case GROUPXF_1024:
+ fprintf(fd, "GRP2");
+ break;
+ case GROUPXF_1536:
+ fprintf(fd, "GRP5");
+ break;
+ case GROUPXF_2048:
+ fprintf(fd, "GRP14");
+ break;
+ case GROUPXF_3072:
+ fprintf(fd, "GRP15");
+ break;
+ case GROUPXF_4096:
+ fprintf(fd, "GRP16");
+ break;
+ case GROUPXF_6144:
+ fprintf(fd, "GRP17");
+ break;
+ case GROUPXF_8192:
+ fprintf(fd, "GRP18");
+ break;
+ default:
+ warnx("illegal group %s", mmxfs->groupxf->name);
+ return (-1);
+ };
+ } else
+ fprintf(fd, "GRP15");
if (auth->type == IKE_AUTH_RSA)
fprintf(fd, "-RSA_SIG");
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 1ee787d68a7..a8aa09d7b49 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.44 2006/05/26 09:26:07 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.45 2006/05/27 17:21:40 hshoexer Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -427,6 +427,8 @@ specification can be left out.
.Aq Ar algorithm
.Ar enc
.Aq Ar algorithm
+.Ar group
+.Aq group
.Xc
These parameters define the cryptographic transforms to be used for main mode.
Possible values for
@@ -445,17 +447,33 @@ the values
and
.Ar cast
are allowed.
+For
+.Aq Ar group
+the values
+.Ar modp768 ,
+.Ar modp1024 ,
+.Ar modp1536 ,
+.Ar modp2048 ,
+.Ar modp3072 ,
+.Ar modp4096 ,
+.Ar modp6144
+and
+.Ar modp8192
+are allowed.
If omitted,
.Xr ipsecctl 8
will use the default values
-.Ar hmac-sha1
+.Ar hmac-sha1 ,
+.Ar aes
and
-.Ar aes .
+.Ar modp3072 .
.It Xo
.Ar quick auth
.Aq Ar algorithm
.Ar enc
.Aq Ar algorithm
+.Ar group
+.Aq Ar group
.Xc
Similar to
.Ar main ,
@@ -480,11 +498,25 @@ valid values are again
.Ar blowfish
and
.Ar cast .
+For
+.Aq Ar group
+the values
+.Ar modp768 ,
+.Ar modp1024 ,
+.Ar modp1536 ,
+.Ar modp2048 ,
+.Ar modp3072 ,
+.Ar modp4096 ,
+.Ar modp6144
+and
+.Ar modp8192
+are allowed.
If no quick mode transforms are specified,
the default values
-.Ar hmac-sha2-256
-and
+.Ar hmac-sha2-256 ,
.Ar aes
+and
+.Ar modp3072
are chosen.
.It Xo
.Ar srcid
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 1738fe719a5..b354bd5a18a 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.31 2006/03/31 13:13:51 markus Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.32 2006/05/27 17:21:40 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -66,6 +66,10 @@ enum {
COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
};
enum {
+ GROUPXF_UNKNOWN, GROUPXF_768, GROUPXF_1024, GROUPXF_1536, GROUPXF_2048,
+ GROUPXF_3072, GROUPXF_4096, GROUPXF_6144, GROUPXF_8192,
+};
+enum {
IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC
};
enum {
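Review bot: The new GROUPXF_ enum is matched by name in parse.y's groupxfs[] and by id in two switches in ike.c, but nothing on the enum says so, so an added group that misses one of the three sites fails only at runtime with "illegal group". A one-line comment above the enum, `/* MODP DH groups; keep in sync with groupxfs[] in parse.y and the switches in ike.c */`, makes the coupling visible where new values get added.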
@@ -123,6 +127,7 @@ struct ipsec_transforms {
const struct ipsec_xf *authxf;
const struct ipsec_xf *encxf;
const struct ipsec_xf *compxf;
+ const struct ipsec_xf *groupxf;
};
extern const struct ipsec_xf authxfs[];
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index cc2a8fdf689..e7fbebd8871 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.66 2006/05/26 01:06:11 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.67 2006/05/27 17:21:40 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -88,6 +88,27 @@ const struct ipsec_xf compxfs[] = {
{ NULL, 0, 0, 0 },
};
+const struct ipsec_xf groupxfs[] = {
+ { "unknown", GROUPXF_UNKNOWN, 0, 0 },
+ { "modp768", GROUPXF_768, 768, 0 },
+ { "grp1", GROUPXF_768, 768, 0 },
+ { "modp1024", GROUPXF_1024, 1024, 0 },
+ { "grp2", GROUPXF_1024, 1024, 0 },
+ { "modp1536", GROUPXF_1536, 1536, 0 },
+ { "grp5", GROUPXF_1536, 1536, 0 },
+ { "modp2048", GROUPXF_2048, 2048, 0 },
+ { "grp14", GROUPXF_2048, 2048, 0 },
+ { "modp3072", GROUPXF_3072, 3072, 0 },
+ { "grp15", GROUPXF_3072, 3072, 0 },
+ { "modp4096", GROUPXF_4096, 4096, 0 },
+ { "grp16", GROUPXF_4096, 4096, 0 },
+ { "modp6144", GROUPXF_6144, 6144, 0 },
+ { "grp18", GROUPXF_6144, 6144, 0 },
+ { "modp8192", GROUPXF_8192, 8192, 0 },
+ { "grp18", GROUPXF_8192, 8192, 0 },
+ { NULL, 0, 0, 0 },
+};
+
int yyerror(const char *, ...);
int yyparse(void);
int kw_cmp(const void *, const void *);
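Review bot: The groupxfs[] table maps "grp18" twice, once to GROUPXF_6144 and once to GROUPXF_8192, while "grp17" is absent; the entry for 6144 should read `{ "grp17", GROUPXF_6144, 6144, 0 },` to match ike.c, which emits GRP17 for GROUPXF_6144. If parse_xf returns the first name match (not shown on this page), a configuration asking for grp18 silently negotiates the 6144-bit group instead of the 8192-bit one the administrator configured, and "grp17" is rejected as not a valid transform. The table also accepts the literal "unknown" as a group name, which only fails later in ike.c; that is consistent with how the other tables appear to be laid out, so it is mentioned here rather than proposed as a change.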
@@ -203,7 +224,7 @@ typedef struct {
%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE
%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC
-%token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ
+%token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ GROUP
%token <v.string> STRING
%type <v.string> string
%type <v.dir> dir
@@ -579,6 +600,16 @@ transform : AUTHXF STRING {
yyerror("%s not a valid transform", $2);
}
}
+ | GROUP STRING {
+ if (ipsec_transforms->groupxf)
+ yyerror("group already set");
+ else {
+ ipsec_transforms->groupxf = parse_xf($2,
+ groupxfs);
+ if (!ipsec_transforms->groupxf)
+ yyerror("%s not a valid transform", $2);
+ }
+ }
;
mmxfs : /* empty */ {
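Review bot: The GROUP rule reports a bad name at parse time, but because groupxfs[] carries an "unknown" entry a line such as `group unknown` passes parse_xf and is rejected only when ike.c writes the configuration, with a message that no longer points at the input line. If parse_xf matches purely by name (its body is not on this page), rejecting the sentinel here keeps the diagnostic next to the offending line: `if (!ipsec_transforms->groupxf || ipsec_transforms->groupxf->id == GROUPXF_UNKNOWN)` in place of the existing NULL check. The enclosing transform rule starts outside the hunk.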
@@ -749,6 +780,7 @@ lookup(char *s)
{ "file", FILENAME },
{ "flow", FLOW },
{ "from", FROM },
+ { "group", GROUP },
{ "ike", IKE },
{ "in", IN },
{ "ipcomp", IPCOMP },