src - OpenBSD base system

diff options


context:
space:
mode:

author	Hakan Olsson <ho@cvs.openbsd.org>	2004-04-23 14:15:56 +0000
committer	Hakan Olsson <ho@cvs.openbsd.org>	2004-04-23 14:15:56 +0000
commit	7fd2d0ffd4a2997129f21ae535be8a2906d49531 (patch)
tree	29bf375c4045737b5b5381ef326f4a8545bb728c /sbin
parent	313794156794375489a1fb59c75a5e683aa1dfb5 (diff)

Make sure KEY_LENGTH attribute is present when checking AES proposals,

required when acting as responder to SafeNet peers. Also make conf_load_defaults() readable again (KNF). hshoexer@ ok.

Diffstat (limited to 'sbin')

-rw-r--r--

sbin/isakmpd/conf.c

302

-rw-r--r--

sbin/isakmpd/conf.h

2 files changed, 132 insertions, 173 deletions

diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index 89b63e93300..6e6e66e87bc 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: conf.c,v 1.65 2004/04/15 20:20:55 deraadt Exp $ */

+/* $OpenBSD: conf.c,v 1.66 2004/04/23 14:15:55 ho Exp $ */

/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */

@@ -72,6 +72,8 @@ struct conf_trans {

int is_default;

};

+#define CONF_SECT_MAX 256

TAILQ_HEAD(conf_trans_head, conf_trans) conf_trans_queue;

@@ -361,54 +363,126 @@ conf_find_trans_xf(int phase, char *xf)

#endif

static void

-conf_load_defaults(int tr)

+conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg,

+ char *mme_p, char *mma_p, char *dhg_p)

{

-#define CONF_MAX 256

- int enc, auth, hash, group, group_max, proto, mode,

- pfs;

- char sect[CONF_MAX], *dflt;

+ char sect[CONF_SECT_MAX];

- char *mm_auth[] = {"PRE_SHARED", "DSS", "RSA_SIG", 0};

- char *mm_hash[] = {"MD5", "SHA", 0};

- char *mm_enc[] = {"DES_CBC", "BLOWFISH_CBC", "3DES_CBC",

- "CAST_CBC", "AES_CBC", 0};

- char *dh_group[] = {"MODP_768", "MODP_1024", "MODP_1536", "MODP_2048", 0};

- char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES", 0};

- char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",

- "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512",

- "NONE", 0};

+ snprintf(sect, sizeof sect, "%s-%s%s%s", mme_p, mmh, dhg_p, mma_p);

- /* Abbreviations to make section names a bit shorter. */

- char *mm_auth_p[] = {"", "-DSS", "-RSA_SIG", 0};

- char *mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", 0};

- char *dh_group_p[] = {"-GRP1", "-GRP2", "-GRP5", "-GRP14", "", 0};

- char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES", 0};

- char *qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD",

- "-SHA2-256", "-SHA2-384", "-SHA2-512",

- "", 0};

+ LOG_DBG((LOG_MISC, 90, "conf_load_defaults : main mode %s", sect));

+ conf_set(tr, sect, "ENCRYPTION_ALGORITHM", mme, 0, 1);

+ if (strcmp(mme, "BLOWFISH_CBC") == 0)

+ conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,

+ 1);

+ else if (strcmp(mme, "AES_CBC") == 0)

+ conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,

+ 1);

+ conf_set(tr, sect, "HASH_ALGORITHM", mmh, 0, 1);

+ conf_set(tr, sect, "AUTHENTICATION_METHOD", mma, 0, 1);

+ conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);

+ conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_MAIN_MODE, 0, 1);

+static void

+conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p,

+ char *qmh_p, char *dhg_p, int proto, int mode, int pfs)

+ char sect[CONF_SECT_MAX], tmp[CONF_SECT_MAX];

/* Helper #defines, incl abbreviations. */

#define PROTO(x) ((x) ? "AH" : "ESP")

#define PFS(x) ((x) ? "-PFS" : "")

#define MODE(x) ((x) ? "TRANSPORT" : "TUNNEL")

#define MODE_p(x) ((x) ? "-TRP" : "")

- group_max = sizeof dh_group / sizeof *dh_group - 1;

+ if (proto == 1 && strcmp(qmh, "NONE") == 0) /* AH */

+ return;

+ snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),

+ MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p);

+ strlcpy(sect, tmp, CONF_SECT_MAX);

+ strlcat(sect, "-SUITE", CONF_SECT_MAX);

+ LOG_DBG((LOG_MISC, 90, "conf_load_defaults : quick mode %s", sect));

+ conf_set(tr, sect, "Protocols", tmp, 0, 1);

+ snprintf(sect, sizeof sect, "IPSEC_%s", PROTO(proto));

+ conf_set(tr, tmp, "PROTOCOL_ID", sect, 0, 1);

+ strlcpy(sect, tmp, CONF_SECT_MAX);

+ strlcat(sect, "-XF", CONF_SECT_MAX);

+ conf_set(tr, tmp, "Transforms", sect, 0, 1);

+ /*

+ * XXX For now, defaults

+ * contain one xf per protocol.

+ */

+ conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1);

+ if (strcmp(qme ,"BLOWFISH") == 0)

+ conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,

+ 1);

+ else if (strcmp(qme ,"AES") == 0)

+ conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,

+ 1);

+ conf_set(tr, sect, "ENCAPSULATION_MODE", MODE(mode), 0, 1);

+ if (strcmp(qmh, "NONE")) {

+ conf_set(tr, sect, "AUTHENTICATION_ALGORITHM", qmh, 0, 1);

+ /* XXX Another shortcut to keep length down */

+ if (pfs)

+ conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);

+ }

+ /* XXX Lifetimes depending on enc/auth strength? */

+ conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_QUICK_MODE, 0, 1);

+static void

+conf_load_defaults(int tr)

+ int enc, auth, hash, group, proto, mode, pfs;

+ char *dflt;

+ char *mm_auth[] = {"PRE_SHARED", "DSS", "RSA_SIG", 0};

+ char *mm_auth_p[] = {"", "-DSS", "-RSA_SIG", 0};

+ char *mm_hash[] = {"MD5", "SHA", 0};

+ char *mm_enc[] = {"DES_CBC", "BLOWFISH_CBC", "3DES_CBC",

+ "CAST_CBC", "AES_CBC", 0};

+ char *mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", 0};

+ char *dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024",

+ "MODP_1536", "MODP_2048", 0};

+ char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",

+ 0};

+ char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES",

+ 0};

+ char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF",

+ "-AES", 0};

+ char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",

+ "HMAC_SHA2_256", "HMAC_SHA2_384",

+ "HMAC_SHA2_512", "NONE", 0};

+ char *qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD", "-SHA2-256",

+ "-SHA2-384", "-SHA2-512", "", 0};

/* General and X509 defaults */

conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1);

- conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME, 0, 1);

+ conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME,

+ 0, 1);

conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1);

- conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0, 1);

+ conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0,

+ 1);

#ifdef USE_X509

- conf_set(tr, "X509-certificates", "CA-directory", CONF_DFLT_X509_CA_DIR, 0,

- 1);

- conf_set(tr, "X509-certificates", "Cert-directory", CONF_DFLT_X509_CERT_DIR,

- 0, 1);

- conf_set(tr, "X509-certificates", "Private-key", CONF_DFLT_X509_PRIVATE_KEY,

- 0, 1);

- conf_set(tr, "X509-certificates", "CRL-directory", CONF_DFLT_X509_CRL_DIR,

- 0, 1);

+ conf_set(tr, "X509-certificates", "CA-directory",

+ CONF_DFLT_X509_CA_DIR, 0, 1);

+ conf_set(tr, "X509-certificates", "Cert-directory",

+ CONF_DFLT_X509_CERT_DIR, 0, 1);

+ conf_set(tr, "X509-certificates", "Private-key",

+ CONF_DFLT_X509_PRIVATE_KEY, 0, 1);

+ conf_set(tr, "X509-certificates", "CRL-directory",

+ CONF_DFLT_X509_CRL_DIR, 0, 1);

#endif

#ifdef USE_KEYNOTE

@@ -436,156 +510,40 @@ conf_load_defaults(int tr)

CONF_DFLT_PHASE1_TRANSFORMS, 0, 1);

/* Main modes */

- for (enc = 0; mm_enc[enc]; enc++) {

- for (hash = 0; mm_hash[hash]; hash++) {

- for (auth = 0; mm_auth[auth]; auth++) {

- for (group = 0; dh_group_p[group]; group++) {

- /* special */

- snprintf(sect, sizeof sect, "%s-%s%s%s",

- mm_enc_p[enc], mm_hash[hash],

- dh_group_p[group], mm_auth_p[auth]);

-#if 0

- if (!conf_find_trans_xf(1, sect))

- continue;

-#endif

- LOG_DBG((LOG_MISC, 90,

- "conf_load_defaults : main mode %s",

- sect));

- conf_set(tr, sect, "ENCRYPTION_ALGORITHM",

- mm_enc[enc], 0, 1);

- if (strcmp(mm_enc[enc], "BLOWFISH_CBC") == 0)

- conf_set(tr, sect, "KEY_LENGTH",

- CONF_DFLT_VAL_BLF_KEYLEN, 0, 1);

- conf_set(tr, sect, "HASH_ALGORITHM",

- mm_hash[hash], 0, 1);

- conf_set(tr, sect, "AUTHENTICATION_METHOD",

- mm_auth[auth], 0, 1);

- /* XXX Always DH group 2 (MODP_1024) */

- conf_set(tr, sect, "GROUP_DESCRIPTION",

- dh_group[group < group_max ? group : 1],

- 0, 1);

- conf_set(tr, sect, "Life",

- CONF_DFLT_TAG_LIFE_MAIN_MODE, 0, 1);

- }

+ for (enc = 0; mm_enc[enc]; enc++)

+ for (hash = 0; mm_hash[hash]; hash++)

+ for (auth = 0; mm_auth[auth]; auth++)

+ for (group = 0; dhgroup_p[group]; group++)

+ conf_load_defaults_mm (tr, mm_enc[enc],

+ mm_hash[hash], mm_auth[auth],

+ dhgroup[group], mm_enc_p[enc],

+ mm_auth_p[auth], dhgroup_p[group]);

/* Setup a default Phase 1 entry */

conf_set(tr, "Phase 1", "Default", "Default-phase-1", 0, 1);

conf_set(tr, "Default-phase-1", "Phase", "1", 0, 1);

conf_set(tr, "Default-phase-1", "Configuration",

- "Default-phase-1-configuration", 0, 1);

+ "Default-phase-1-configuration", 0, 1);

dflt = conf_get_trans_str(tr, "General", "Default-phase-1-ID");

if (dflt)

conf_set(tr, "Default-phase-1", "ID", dflt, 0, 1);

/* Quick modes */

- for (enc = 0; qm_enc[enc]; enc++) {

- for (proto = 0; proto < 2; proto++) {

- for (mode = 0; mode < 2; mode++) {

- for (pfs = 0; pfs < 2; pfs++) {

- for (hash = 0; qm_hash[hash]; hash++) {

- for (group = 0; dh_group_p[group];

- group++) {

- char tmp[CONF_MAX];

- if ((proto == 1 &&

- strcmp(qm_hash[hash],

- "NONE") == 0)) /* AH */

- continue;

- snprintf(tmp, sizeof tmp,

- "QM-%s%s%s%s%s%s",

- PROTO(proto),

- MODE_p(mode),

+ for (enc = 0; qm_enc[enc]; enc++)

+ for (proto = 0; proto < 2; proto++)

+ for (mode = 0; mode < 2; mode++)

+ for (pfs = 0; pfs < 2; pfs++)

+ for (hash = 0; qm_hash[hash]; hash++)

+ for (group = 0;

+ dhgroup_p[group]; group++)

+ conf_load_defaults_qm(

+ tr, qm_enc[enc],

+ qm_hash[hash],

+ dhgroup[group],

qm_enc_p[enc],

qm_hash_p[hash],

- PFS(pfs),

- dh_group_p[group]);

- strlcpy(sect, tmp, CONF_MAX);

- strlcat(sect, "-SUITE",

- CONF_MAX);

-#if 0

- if (!conf_find_trans_xf(2, sect))

- continue;

-#endif

- LOG_DBG((LOG_MISC, 90,

- "conf_load_defaults : quick mode %s",

- sect));

- conf_set(tr, sect, "Protocols",

- tmp, 0, 1);

- snprintf(sect, sizeof sect,

- "IPSEC_%s", PROTO(proto));

- conf_set(tr, tmp, "PROTOCOL_ID",

- sect, 0, 1);

- strlcpy(sect, tmp, CONF_MAX);

- strlcat(sect, "-XF", CONF_MAX);

- conf_set(tr, tmp, "Transforms",

- sect, 0, 1);

- /*

- * XXX For now, defaults

- * contain one xf per protocol.

- */

- conf_set(tr, sect,

- "TRANSFORM_ID",

- qm_enc[enc], 0, 1);

- if (strcmp(qm_enc[enc],

- "BLOWFISH") == 0)

- conf_set(tr, sect,

- "KEY_LENGTH",

- CONF_DFLT_VAL_BLF_KEYLEN,

- 0, 1);

- conf_set(tr, sect,

- "ENCAPSULATION_MODE",

- MODE(mode), 0, 1);

- if (strcmp(qm_hash[hash], "NONE")) {

- conf_set(tr, sect, "AUTHENTICATION_ALGORITHM",

- qm_hash[hash], 0, 1);

- /*

- * XXX

- *

- * Another shortcut:

- * to keep length down

- */

- if (pfs)

- conf_set(tr, sect, "GROUP_DESCRIPTION",

- dh_group[group < group_max ? group : 1],

- 0, 1);

- }

- /*

- * XXX

- * Lifetimes depending

- * on enc/auth strength?

- */

- conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_QUICK_MODE, 0,

- 1);

- }

+ dhgroup_p[group],

+ proto, mode, pfs);

}

void

diff --git a/sbin/isakmpd/conf.h b/sbin/isakmpd/conf.h
index b45d896ab60..2b3addbf8ca 100644
--- a/sbin/isakmpd/conf.h
+++ b/sbin/isakmpd/conf.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: conf.h,v 1.27 2004/04/15 18:39:25 deraadt Exp $ */

+/* $OpenBSD: conf.h,v 1.28 2004/04/23 14:15:55 ho Exp $ */

/* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */

@@ -52,6 +52,7 @@

#define CONF_DFLT_VAL_LIFE_QUICK_MODE "1200,60:86400"

#define CONF_DFLT_VAL_BLF_KEYLEN "128,96:192"

+#define CONF_DFLT_VAL_AES_KEYLEN "128,128:256"

#define CONF_DFLT_RETRANSMITS "3"

#define CONF_DFLT_EXCH_MAX_TIME "120"