author | Niels Provos <provos@cvs.openbsd.org> | 1997-11-04 09:13:43 +0000 |
committer | Niels Provos <provos@cvs.openbsd.org> | 1997-11-04 09:13:43 +0000 |
commit | d42e3047843eb3c5107c670e412fb72788d876ee (patch) | |
tree | 3166a7a958660ca0cbc16eed2901096e00223f3a /sbin | |
parent | 99655e667eb6f6f401a446b7c40091b28014ae9b (diff) |
support for blowfish and cast. add -authkey to separate key material
for encryption and authentication which is needed for variable key length
ciphers.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipsec/ipsecadm/ipsecadm.1 | 27 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/ipsecadm.c | 29 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_esp_new.c | 22 |
3 files changed, 58 insertions, 20 deletions
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.1 b/sbin/ipsec/ipsecadm/ipsecadm.1 index e41d2f9aa71..eb26cb4871d 100644 --- a/sbin/ipsec/ipsecadm/ipsecadm.1 +++ b/sbin/ipsec/ipsecadm/ipsecadm.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsecadm.1,v 1.3 1997/09/24 18:39:42 angelos Exp $ +.\" $OpenBSD: ipsecadm.1,v 1.4 1997/11/04 09:13:41 provos Exp $ .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -65,6 +65,7 @@ modifiers are: .Fl auth , .Fl iv , .Fl oldpadding , +.Fl authkey , and .Fl key . .It old esp @@ -119,7 +120,7 @@ and .El .Pp The modifiers have the following meanings: -.Bl -tag -width proto2 -offset indent +.Bl -tag -width oldpadding -offset indent .It src The source IP address for the SPI. .It dst @@ -133,10 +134,15 @@ For new ESP, specify old style self-describing padding should be used. Ignored e .It enc The encryption algorithm to be used with the SPI. Possible values are: -.Nm des +.Nm des and .Nm 3des for both old and new esp. +Blowfish encryption +.Nm blf +and +.Nm cast +can only be used with new esp. .It auth The authentication algorithm to be used with the SPI. Possible values are: @@ -150,8 +156,17 @@ for .Nm des and .Nm 3des -is fixed to 8 and 24 respectivly. If you also use authentication in new -esp mode the key has to be longer. +is fixed to 8 and 24 respectivly. For other ciphers like +.Nm cast +or +.Nm blf +the key length can be variable. +.It authkey +The secret key material used for authentication +if additional authentication in new esp mode is required. For +old or new ah the key material for authentication is passed with the +.Nm key +option. .It iv The initialization vector used for encryption. In old esp mode you need to specify it as either four or eight byte long value, in new esp mode 
@@ -181,7 +196,7 @@ Setup a SPI which uses new esp with 3des encryption and HMAC-SHA1 authentication:
 .Pp
 ipsecadm -enc 3des -auth sha1 -spi 1001 -dst 169.20.12.2 -src 169.20.12.3
--key 6380638063806380638063806380638063806380638063806380638063806380
+-key 638063806380638063806380638063806380638063806380 -authp 1234123412341234
 .Pp
 Setup a SPI for authentication with old ah only:
 .Pp
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.c b/sbin/ipsec/ipsecadm/ipsecadm.c
index 906203e4451..de459a99f10 100644
--- a/sbin/ipsec/ipsecadm/ipsecadm.c
+++ b/sbin/ipsec/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.10 1997/09/24 18:45:26 angelos Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.11 1997/11/04 09:13:41 provos Exp $ */
 /*
  * The author of this code is John Ioannidis, ji@tla.org,
  * (except when noted otherwise).
@@ -73,7 +73,8 @@ typedef struct {
 } transform;
 int xf_esp_new __P((struct in_addr, struct in_addr, u_int32_t, int, int,
-		    u_char *, u_char *, struct in_addr, struct in_addr, int));
+		    u_char *, u_char *, u_char *, struct in_addr,
+		    struct in_addr, int));
 int xf_esp_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, u_char *, struct in_addr, struct in_addr));
 int xf_ah_new __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *,
@@ -87,6 +88,8 @@ int xf_grp __P((struct in_addr, u_int32_t, int, struct in_addr, u_int32_t, int))
 transform xf[] = {
 	{"des", ALG_ENC_DES, XF_ENC |ESP_OLD|ESP_NEW},
 	{"3des", ALG_ENC_3DES, XF_ENC |ESP_OLD|ESP_NEW},
+	{"blf", ALG_ENC_BLF, XF_ENC | ESP_NEW},
+	{"cast", ALG_ENC_CAST, XF_ENC | ESP_NEW},
 	{"md5", ALG_AUTH_MD5, XF_AUTH|AH_OLD|AH_NEW|ESP_NEW},
 	{"sha1", ALG_AUTH_SHA1,XF_AUTH|AH_OLD|AH_NEW|ESP_NEW},
 };
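Review bot: The new `blf` and `cast` rows in `xf[]` carry only a name, an algorithm id and mode flags, so nothing in ipsecadm bounds the length of `-key` material for these variable-key-length ciphers; the man page in this commit only says the length "can be variable". If the table is meant to stay policy-free, a comment on the two rows such as `/* variable key length: no bound enforced here, the kernel xform must reject bad lengths */` would make that reliance explicit; otherwise a min/max key-length column would let the parser reject nonsense before the SETSPI message is built. Whether the kernel validates `edx_confkeylen` for these algorithms is not visible in this diff.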
@@ -132,10 +135,11 @@ usage()
 		"\t\t-dst <ip>\t destination address to be used\n"
 		"\t\t-spi <val>\t SPI to be used\n"
 		"\t\t-key <val>\t key material to be used\n"
+		"\t\t-authkey <val>\t key material for auth in new esp\n"
 		"\t\t-iv <val>\t iv to be used\n"
 		"\t\t-proto <val>\t security protocol\n"
 		"\t\t-chain\t\t SPI chain delete\n"
-		"\t\t-oldpadding\told style padding for new ESP\n"
+		"\t\t-oldpadding\t old style padding for new ESP\n"
 		"\talso: dst2, spi2, proto2\n"
 	);
 }
@@ -147,12 +151,12 @@ main(argc, argv)
 {
 	int i;
 	int mode = ESP_NEW, new = 1, flag = 0, oldpadding = 0;
-	int auth = 0, enc = 0, ivlen = 0, klen = 0;
+	int auth = 0, enc = 0, ivlen = 0, klen = 0, alen = 0;
 	int proto = IPPROTO_ESP, proto2 = IPPROTO_AH;
 	int chain = 0;
 	u_int32_t spi = 0, spi2 = 0;
 	struct in_addr src, dst, dst2, osrc, odst;
-	u_char *ivp = NULL, *keyp = NULL;
+	u_char *ivp = NULL, *keyp = NULL, *authp = NULL;
 	osrc.s_addr = odst.s_addr = src.s_addr = dst.s_addr = dst2.s_addr = 0;
@@ -210,6 +214,14 @@ main(argc, argv)
 		} else if (!strcmp(argv[i]+1, "key") && keyp == NULL && i+1 < argc) {
 			keyp = argv[++i];
 			klen = strlen(keyp);
+		} else if (!strcmp(argv[i]+1, "authkey") && authp == NULL && i+1 < argc) {
+			if (!(mode & ESP_NEW)) {
+				fprintf(stderr, "%s: Invalid option %s for selected mode\n",
+					argv[0], argv[i]);
+				exit(1);
+			}
+			authp = argv[++i];
+			alen = strlen(keyp);
 		} else if (!strcmp(argv[i]+1, "iv") && ivp == NULL && i+1 < argc) {
 			if (mode & (AH_OLD|AH_NEW)) {
 				fprintf(stderr, "%s: Invalid option %s with auth\n",
@@ -279,6 +291,9 @@ main(argc, argv)
 	} else if (isencauth(mode) && keyp == NULL) {
 		fprintf(stderr, "%s: No key material specified\n", argv[0]);
 		exit(1);
+	} else if ((mode & ESP_NEW) && auth & authp == NULL) {
+		fprintf(stderr, "%s: No auth key material specified\n", argv[0]);
+		exit(1);
 	} else if (spi == 0) {
 		fprintf(stderr, "%s: No SPI specified\n", argv[0]);
 		exit(1);
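Review bot: `alen = strlen(keyp);` in the new `-authkey` branch measures the encryption key rather than the `authp` assigned on the line above, so `alen` never reflects the authentication key; it should be `alen = strlen(authp);`. As far as this diff shows `alen` is not consumed afterwards anyway (the call site passes `authp`, and xf_esp_new re-derives the length), so either drop it or use it for a length check here. The `if (!(mode & ESP_NEW))` guard also depends on option order: `mode` defaults to ESP_NEW, so `-authkey` given before a mode-changing option appears to be accepted and then carried along unused, which deserves a comment or a post-parse check. Note that the ipsecadm.1 example in this same commit spells the option `-authp`, which this parser will not match.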
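Review bot: `auth & authp == NULL` in the new validation branch parses as `auth & (authp == NULL)` because `==` binds tighter than `&`, so the check only fires when the low bit of the `auth` algorithm id happens to be set; for an even id a new-ESP SPI with authentication and no `-authkey` slips through and xf_esp_new then ships `edx_authkeylen = 0` to the kernel. Use the logical operator: `} else if ((mode & ESP_NEW) && auth && authp == NULL) {`. Most compilers warn about this mix of `&` and `==` under -Wall, which is worth enabling for this tool.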
@@ -309,8 +324,8 @@ main(argc, argv)
 	if (isencauth(mode)) {
 		switch(mode) {
 		case ESP_NEW:
-			xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, osrc, odst,
-				   oldpadding);
+			xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, authp,
+				   osrc, odst, oldpadding);
 			break;
 		case ESP_OLD:
 			xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst);
diff --git a/sbin/ipsec/ipsecadm/xf_esp_new.c b/sbin/ipsec/ipsecadm/xf_esp_new.c
index bbd57b898db..ddf0b2d98ab 100644
--- a/sbin/ipsec/ipsecadm/xf_esp_new.c
+++ b/sbin/ipsec/ipsecadm/xf_esp_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xf_esp_new.c,v 1.3 1997/09/24 18:39:44 angelos Exp $ */
+/* $OpenBSD: xf_esp_new.c,v 1.4 1997/11/04 09:13:42 provos Exp $ */
 /*
  * The author of this code is John Ioannidis, ji@tla.org,
  * (except when noted otherwise).
@@ -58,25 +58,29 @@ int xf_set __P(( struct encap_msghdr *));
 int x2i __P((char *));
 int
-xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, osrc, odst, oldpadding)
+xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, authp,
+	   osrc, odst, oldpadding)
 struct in_addr src, dst;
 u_int32_t spi;
 int enc, auth;
-u_char *ivp, *keyp;
+u_char *ivp, *keyp, *authp;
 struct in_addr osrc, odst;
 int oldpadding;
 {
-	int i, klen, ivlen;
+	int i, klen, alen, ivlen;
 	struct encap_msghdr *em;
 	struct esp_new_xencap *xd;
 	klen = strlen(keyp)/2;
+	alen = authp == NULL ? 0 : strlen(authp)/2;
 	ivlen = ivp == NULL ? 0 : strlen(ivp)/2;
 	em = (struct encap_msghdr *)&buf[0];
-	em->em_msglen = EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN + ivlen + klen;
+	em->em_msglen = EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN +
+	    ivlen + klen + alen;
+	em->em_version = PFENCAP_VERSION_1;
 	em->em_type = EMT_SETSPI;
 	em->em_spi = spi;
@@ -92,7 +96,8 @@ int oldpadding;
 	xd->edx_enc_algorithm = enc;
 	xd->edx_hash_algorithm = auth;
 	xd->edx_ivlen = ivlen;
-	xd->edx_keylen = klen;
+	xd->edx_confkeylen = klen;
+	xd->edx_authkeylen = alen;
 	xd->edx_wnd = -1;		/* Manual keying -- no seq */
 	xd->edx_flags = auth ? ESP_NEW_FLAG_AUTH : 0;
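Review bot: `em_msglen` now grows by `klen + alen`, both derived directly from the lengths of user-supplied strings, but nothing in xf_esp_new checks that total against the capacity of `buf` before the iv and both keys are copied into `xd->edx_data` later in the function; `buf` is declared outside this hunk so its size is unknown here, but a guard such as `if (em->em_msglen > sizeof(buf)) { fprintf(stderr, "key material too long\n"); exit(1); }` right after the length is computed would close the overflow for an over-long `-key` or `-authkey`. Separately, `strlen(authp)/2` (like the existing `strlen(keyp)/2`) silently discards the last nibble of an odd-length hex string, so a mistyped key is accepted as a shorter key with no diagnostic; rejecting odd lengths here would be cheap. The body of xf_esp_new continues past the end of this hunk.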
@@ -102,9 +107,12 @@ int oldpadding;
 	for (i = 0; i < ivlen; i++)
 		xd->edx_data[i] = x2i(ivp+2*i);
-	for (i = 0; i < xd->edx_keylen; i++)
+	for (i = 0; i < klen; i++)
 		xd->edx_data[i+ivlen] = x2i(keyp+2*i);
+	for (i = 0; i < alen; i++)
+		xd->edx_data[i+ivlen+klen] = x2i(keyp+2*i);
+
 	return xf_set(em);
 }
|
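Review bot: The new loop copies the authentication key from the wrong string: `xd->edx_data[i+ivlen+klen] = x2i(keyp+2*i);` should read `x2i(authp+2*i)`. As written the authentication key handed to the kernel is the first `alen` bytes of the encryption key, which silently defeats the key separation this commit introduces, and whenever `alen > klen` the loop reads hex digits past the terminating NUL of `keyp`. With the variable corrected the NULL case is still safe, since `alen` is 0 when `authp` is NULL and the loop body never runs.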