authorNiels Provos <provos@cvs.openbsd.org>1997-11-04 09:13:43 +0000
committerNiels Provos <provos@cvs.openbsd.org>1997-11-04 09:13:43 +0000
commitd42e3047843eb3c5107c670e412fb72788d876ee (patch)
tree3166a7a958660ca0cbc16eed2901096e00223f3a /sbin
parent99655e667eb6f6f401a446b7c40091b28014ae9b (diff)
support for blowfish and cast. add -authkey to separate key material
for encryption and authentication which is needed for variable key length ciphers.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipsec/ipsecadm/ipsecadm.127
-rw-r--r--sbin/ipsec/ipsecadm/ipsecadm.c29
-rw-r--r--sbin/ipsec/ipsecadm/xf_esp_new.c22
3 files changed, 58 insertions, 20 deletions
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.1 b/sbin/ipsec/ipsecadm/ipsecadm.1
index e41d2f9aa71..eb26cb4871d 100644
--- a/sbin/ipsec/ipsecadm/ipsecadm.1
+++ b/sbin/ipsec/ipsecadm/ipsecadm.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.1,v 1.3 1997/09/24 18:39:42 angelos Exp $
+.\" $OpenBSD: ipsecadm.1,v 1.4 1997/11/04 09:13:41 provos Exp $
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -65,6 +65,7 @@ modifiers are:
.Fl auth ,
.Fl iv ,
.Fl oldpadding ,
+.Fl authkey ,
and
.Fl key .
.It old esp
@@ -119,7 +120,7 @@ and
.El
.Pp
The modifiers have the following meanings:
-.Bl -tag -width proto2 -offset indent
+.Bl -tag -width oldpadding -offset indent
.It src
The source IP address for the SPI.
.It dst
@@ -133,10 +134,15 @@ For new ESP, specify old style self-describing padding should be used. Ignored e
.It enc
The encryption algorithm to be used with the SPI. Possible values
are:
-.Nm des
+.Nm des
and
.Nm 3des
for both old and new esp.
+Blowfish encryption
+.Nm blf
+and
+.Nm cast
+can only be used with new esp.
.It auth
The authentication algorithm to be used with the SPI. Possible values
are:
@@ -150,8 +156,17 @@ for
.Nm des
and
.Nm 3des
-is fixed to 8 and 24 respectivly. If you also use authentication in new
-esp mode the key has to be longer.
+is fixed to 8 and 24 respectivly. For other ciphers like
+.Nm cast
+or
+.Nm blf
+the key length can be variable.
+.It authkey
+The secret key material used for authentication
+if additional authentication in new esp mode is required. For
+old or new ah the key material for authentication is passed with the
+.Nm key
+option.
.It iv
The initialization vector used for encryption. In old esp mode you need
to specify it as either four or eight byte long value, in new esp mode
@@ -181,7 +196,7 @@ Setup a SPI which uses new esp with 3des encryption and HMAC-SHA1
authentication:
.Pp
ipsecadm -enc 3des -auth sha1 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3
--key 6380638063806380638063806380638063806380638063806380638063806380
+-key 638063806380638063806380638063806380638063806380 -authp 1234123412341234
.Pp
Setup a SPI for authentication with old ah only:
.Pp
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.c b/sbin/ipsec/ipsecadm/ipsecadm.c
index 906203e4451..de459a99f10 100644
--- a/sbin/ipsec/ipsecadm/ipsecadm.c
+++ b/sbin/ipsec/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.10 1997/09/24 18:45:26 angelos Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.11 1997/11/04 09:13:41 provos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
* (except when noted otherwise).
@@ -73,7 +73,8 @@ typedef struct {
} transform;
int xf_esp_new __P((struct in_addr, struct in_addr, u_int32_t, int, int,
- u_char *, u_char *, struct in_addr, struct in_addr, int));
+ u_char *, u_char *, u_char *, struct in_addr,
+ struct in_addr, int));
int xf_esp_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *,
u_char *, struct in_addr, struct in_addr));
int xf_ah_new __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *,
@@ -87,6 +88,8 @@ int xf_grp __P((struct in_addr, u_int32_t, int, struct in_addr, u_int32_t, int))
transform xf[] = {
{"des", ALG_ENC_DES, XF_ENC |ESP_OLD|ESP_NEW},
{"3des", ALG_ENC_3DES, XF_ENC |ESP_OLD|ESP_NEW},
+ {"blf", ALG_ENC_BLF, XF_ENC | ESP_NEW},
+ {"cast", ALG_ENC_CAST, XF_ENC | ESP_NEW},
{"md5", ALG_AUTH_MD5, XF_AUTH|AH_OLD|AH_NEW|ESP_NEW},
{"sha1", ALG_AUTH_SHA1,XF_AUTH|AH_OLD|AH_NEW|ESP_NEW},
};
@@ -132,10 +135,11 @@ usage()
"\t\t-dst <ip>\t destination address to be used\n"
"\t\t-spi <val>\t SPI to be used\n"
"\t\t-key <val>\t key material to be used\n"
+ "\t\t-authkey <val>\t key material for auth in new esp\n"
"\t\t-iv <val>\t iv to be used\n"
"\t\t-proto <val>\t security protocol\n"
"\t\t-chain\t\t SPI chain delete\n"
- "\t\t-oldpadding\told style padding for new ESP\n"
+ "\t\t-oldpadding\t old style padding for new ESP\n"
"\talso: dst2, spi2, proto2\n"
);
}
@@ -147,12 +151,12 @@ main(argc, argv)
{
int i;
int mode = ESP_NEW, new = 1, flag = 0, oldpadding = 0;
- int auth = 0, enc = 0, ivlen = 0, klen = 0;
+ int auth = 0, enc = 0, ivlen = 0, klen = 0, alen = 0;
int proto = IPPROTO_ESP, proto2 = IPPROTO_AH;
int chain = 0;
u_int32_t spi = 0, spi2 = 0;
struct in_addr src, dst, dst2, osrc, odst;
- u_char *ivp = NULL, *keyp = NULL;
+ u_char *ivp = NULL, *keyp = NULL, *authp = NULL;
osrc.s_addr = odst.s_addr = src.s_addr = dst.s_addr = dst2.s_addr = 0;
@@ -210,6 +214,14 @@ main(argc, argv)
} else if (!strcmp(argv[i]+1, "key") && keyp == NULL && i+1 < argc) {
keyp = argv[++i];
klen = strlen(keyp);
+ } else if (!strcmp(argv[i]+1, "authkey") && authp == NULL && i+1 < argc) {
+ if (!(mode & ESP_NEW)) {
+ fprintf(stderr, "%s: Invalid option %s for selected mode\n",
+ argv[0], argv[i]);
+ exit(1);
+ }
+ authp = argv[++i];
+ alen = strlen(keyp);
} else if (!strcmp(argv[i]+1, "iv") && ivp == NULL && i+1 < argc) {
if (mode & (AH_OLD|AH_NEW)) {
fprintf(stderr, "%s: Invalid option %s with auth\n",
@@ -279,6 +291,9 @@ main(argc, argv)
} else if (isencauth(mode) && keyp == NULL) {
fprintf(stderr, "%s: No key material specified\n", argv[0]);
exit(1);
+ } else if ((mode & ESP_NEW) && auth & authp == NULL) {
+ fprintf(stderr, "%s: No auth key material specified\n", argv[0]);
+ exit(1);
} else if (spi == 0) {
fprintf(stderr, "%s: No SPI specified\n", argv[0]);
exit(1);
@@ -309,8 +324,8 @@ main(argc, argv)
if (isencauth(mode)) {
switch(mode) {
case ESP_NEW:
- xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, osrc, odst,
- oldpadding);
+ xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, authp,
+ osrc, odst, oldpadding);
break;
case ESP_OLD:
xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst);
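Review bot: The `-authkey` branch records the wrong length: `alen = strlen(keyp);` on the line after `authp = argv[++i];` measures the encryption key rather than the authentication key, and should read `alen = strlen(authp);`. In the later sanity check, `auth & authp == NULL` parses as `auth & (authp == NULL)` because `==` binds tighter than `&`, so whether a missing authentication key is reported depends on the low bit of the algorithm id; write `auth && authp == NULL` instead. The man page example added in this same commit spells the option `-authp`, which this parser never matches. main() starts and ends outside the hunks, so how `alen` is consumed afterwards is not visible here.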
diff --git a/sbin/ipsec/ipsecadm/xf_esp_new.c b/sbin/ipsec/ipsecadm/xf_esp_new.c
index bbd57b898db..ddf0b2d98ab 100644
--- a/sbin/ipsec/ipsecadm/xf_esp_new.c
+++ b/sbin/ipsec/ipsecadm/xf_esp_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xf_esp_new.c,v 1.3 1997/09/24 18:39:44 angelos Exp $ */
+/* $OpenBSD: xf_esp_new.c,v 1.4 1997/11/04 09:13:42 provos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
* (except when noted otherwise).
@@ -58,25 +58,29 @@ int xf_set __P(( struct encap_msghdr *));
int x2i __P((char *));
int
-xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, osrc, odst, oldpadding)
+xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, authp,
+ osrc, odst, oldpadding)
struct in_addr src, dst;
u_int32_t spi;
int enc, auth;
-u_char *ivp, *keyp;
+u_char *ivp, *keyp, *authp;
struct in_addr osrc, odst;
int oldpadding;
{
- int i, klen, ivlen;
+ int i, klen, alen, ivlen;
struct encap_msghdr *em;
struct esp_new_xencap *xd;
klen = strlen(keyp)/2;
+ alen = authp == NULL ? 0 : strlen(authp)/2;
ivlen = ivp == NULL ? 0 : strlen(ivp)/2;
em = (struct encap_msghdr *)&buf[0];
- em->em_msglen = EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN + ivlen + klen;
+ em->em_msglen = EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN +
+ ivlen + klen + alen;
+
em->em_version = PFENCAP_VERSION_1;
em->em_type = EMT_SETSPI;
em->em_spi = spi;
@@ -92,7 +96,8 @@ int oldpadding;
xd->edx_enc_algorithm = enc;
xd->edx_hash_algorithm = auth;
xd->edx_ivlen = ivlen;
- xd->edx_keylen = klen;
+ xd->edx_confkeylen = klen;
+ xd->edx_authkeylen = alen;
xd->edx_wnd = -1; /* Manual keying -- no seq */
xd->edx_flags = auth ? ESP_NEW_FLAG_AUTH : 0;
@@ -102,9 +107,12 @@ int oldpadding;
for (i = 0; i < ivlen; i++)
xd->edx_data[i] = x2i(ivp+2*i);
- for (i = 0; i < xd->edx_keylen; i++)
+ for (i = 0; i < klen; i++)
xd->edx_data[i+ivlen] = x2i(keyp+2*i);
+ for (i = 0; i < alen; i++)
+ xd->edx_data[i+ivlen+klen] = x2i(keyp+2*i);
+
return xf_set(em);
}
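Review bot: The new authentication-key copy loop reads from the wrong buffer: `xd->edx_data[i+ivlen+klen] = x2i(keyp+2*i);` fills the auth-key slot with the encryption key, so the `-authkey` material never reaches the kernel and the same secret silently keys both the cipher and the MAC; the line should be `xd->edx_data[i+ivlen+klen] = x2i(authp+2*i);`. As written it also reads past the end of `keyp` whenever `alen > klen`. Separately, `em_msglen` now grows by `ivlen + klen + alen` but nothing in view bounds that total against the size of `buf`, which is declared outside the hunk; with variable-length ciphers this is presumably easier to exceed than before, so a length check before the copy loops seems warranted. Part of xf_esp_new's body lies between the hunks and is not visible here.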