author | Niklas Hallqvist <niklas@cvs.openbsd.org> | 2000-10-09 23:27:32 +0000 |
committer | Niklas Hallqvist <niklas@cvs.openbsd.org> | 2000-10-09 23:27:32 +0000 |
commit | 3842a1e9b95d710ee955343ebeccb900e11841b6 (patch) | |
tree | 953e6251c0ede61b98b9a375c37a355242116020 /sbin | |
parent | bc95c273aef5629e3028841e49878206312c31fe (diff) |
samples/VPN-3way-template.conf: Merge with EOM 1.8
samples/VPN-east.conf: Merge with EOM 1.12
samples/VPN-west.conf: Merge with EOM 1.13
samples/policy: Merge with EOM 1.6
samples/singlehost-west.conf: Merge with EOM 1.9
samples/singlehost-east.conf: Merge with EOM 1.9
conf.c: Merge with EOM 1.37
ipsec.c: Merge with EOM 1.133
ipsec_num.cst: Merge with EOM 1.4
isakmpd.conf.5: Merge with EOM 1.48
isakmpd.policy.5: Merge with EOM 1.21
policy.c: Merge with EOM 1.46
author: angelos
AES support.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/conf.c | 10 | ||||
-rw-r--r-- | sbin/isakmpd/ipsec.c | 8 | ||||
-rw-r--r-- | sbin/isakmpd/ipsec_num.cst | 12 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 49 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.policy.5 | 7 | ||||
-rw-r--r-- | sbin/isakmpd/policy.c | 8 | ||||
-rw-r--r-- | sbin/isakmpd/samples/VPN-3way-template.conf | 6 | ||||
-rw-r--r-- | sbin/isakmpd/samples/VPN-east.conf | 6 | ||||
-rw-r--r-- | sbin/isakmpd/samples/VPN-west.conf | 6 | ||||
-rw-r--r-- | sbin/isakmpd/samples/policy | 8 | ||||
-rw-r--r-- | sbin/isakmpd/samples/singlehost-east.conf | 6 | ||||
-rw-r--r-- | sbin/isakmpd/samples/singlehost-west.conf | 7 |
12 files changed, 97 insertions, 36 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index b61ae27e58d..11ab157a81d 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: conf.c,v 1.17 2000/10/07 06:59:05 niklas Exp $ */
-/* $EOM: conf.c,v 1.36 2000/10/06 23:19:49 niklas Exp $ */
+/* $OpenBSD: conf.c,v 1.18 2000/10/09 23:27:30 niklas Exp $ */
+/* $EOM: conf.c,v 1.37 2000/10/09 22:08:29 angelos Exp $ */
 
 /*
 * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -307,7 +307,7 @@ conf_parse (int trans, char *buf, size_t sz)
 * For main mode:
 * {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}]
 * For quick mode:
- * QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF}[-{MD5,SHA}][-PFS]-SUITE
+ * QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA}][-PFS]-SUITE
 * DH groups; currently always MODP_768 for MD5, and MODP_1024 for SHA.
 *
 * XXX We may want to support USE_BLOWFISH, USE_TRIPLEDES, etc...
@@ -347,13 +347,13 @@ conf_load_defaults (int tr)
 char *mm_enc[] = { "DES_CBC", "BLOWFISH_CBC", "3DES_CBC", "CAST_CBC", NULL };
 char *dh_group[] = { "MODP_768", "MODP_1024", "MODP_1536", NULL };
- char *qm_enc[] = { "DES", "3DES", "CAST", "BLOWFISH", NULL };
+ char *qm_enc[] = { "DES", "3DES", "CAST", "BLOWFISH", "AES", NULL };
 char *qm_hash[] = { "HMAC_MD5", "HMAC_SHA", "NONE", NULL };
 
 /* Abbreviations to make section names a bit shorter. */
 char *mm_auth_p[] = { "", "-DSS", "-RSA_SIG", NULL };
 char *mm_enc_p[] = { "DES", "BLF", "3DES", "CAST", NULL };
- char *qm_enc_p[] = { "-DES", "-3DES", "-CAST", "-BLF", NULL };
+ char *qm_enc_p[] = { "-DES", "-3DES", "-CAST", "-BLF", "-AES", NULL };
 char *qm_hash_p[] = { "-MD5", "-SHA", "", NULL };
 
 /* Helper #defines, incl abbreviations. */
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index dc416e73cbc..bdd4e04344e 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
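Review bot: The AES entry is added only to the quick-mode tables `qm_enc`/`qm_enc_p`; `mm_enc`/`mm_enc_p` and the main-mode line of the comment above `conf_parse` are untouched, so no AES main-mode default suite is generated even though this same commit registers `AES_CBC 7` for IKE_ENCRYPT in ipsec_num.cst. If that split is deliberate, say so where the next reader will look for it: extend the comment with ` * AES is generated for quick mode (ESP) only; there is no main-mode AES_CBC default yet.` Both `conf_parse` and `conf_load_defaults` begin and end outside these hunks, so the loops that consume these arrays are not visible here.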
@@ -1,5 +1,5 @@
-/* $OpenBSD: ipsec.c,v 1.28 2000/10/07 06:58:47 niklas Exp $ */
-/* $EOM: ipsec.c,v 1.132 2000/10/06 23:49:39 niklas Exp $ */
+/* $OpenBSD: ipsec.c,v 1.29 2000/10/09 23:27:30 niklas Exp $ */
+/* $EOM: ipsec.c,v 1.133 2000/10/09 22:08:29 angelos Exp $ */
 
 /*
 * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -1328,6 +1328,10 @@ ipsec_esp_enckeylength (struct proto *proto)
 return 24;
 case IPSEC_ESP_CAST:
 if (!iproto->keylen)
+ return 32;
+ return iproto->keylen / 8;
+ case IPSEC_ESP_AES:
+ if (!iproto->keylen)
 return 16;
 /* Fallthrough */
 default:
diff --git a/sbin/isakmpd/ipsec_num.cst b/sbin/isakmpd/ipsec_num.cst
index 1eace289740..8dee8ca79bc 100644
--- a/sbin/isakmpd/ipsec_num.cst
+++ b/sbin/isakmpd/ipsec_num.cst
@@ -1,5 +1,5 @@
-# $OpenBSD: ipsec_num.cst,v 1.5 1999/06/02 06:32:06 niklas Exp $
-# $EOM: ipsec_num.cst,v 1.3 1999/05/27 15:17:54 niklas Exp $
+# $OpenBSD: ipsec_num.cst,v 1.6 2000/10/09 23:27:31 niklas Exp $
+# $EOM: ipsec_num.cst,v 1.4 2000/10/09 22:08:29 angelos Exp $
 #
 # Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
@@ -120,6 +120,7 @@ IKE_ENCRYPT
 RC5_R16_B64_CBC 4
 3DES_CBC 5
 CAST_CBC 6
+ AES_CBC 7
 .
 
 # IKE hash algorithm.
@@ -127,6 +128,9 @@ IKE_HASH
 MD5 1
 SHA 2
 TIGER 3
+ SHA2_256 4
+ SHA2_384 5
+ SHA2_512 6
 .
 
 # IKE authentication method.
@@ -188,6 +192,9 @@ IPSEC_AH
 MD5 2
 SHA 3
 DES 4
+ SHA2_256 5
+ SHA2_384 6
+ SHA2_512 7
 .
 
 # IPSEC ESP transform IDs.
@@ -203,6 +210,7 @@ IPSEC_ESP
 DES_IV32 9
 RC4 10
 NULL 11
+ AES 12
 .
 
 # IPSEC IPCOMP transform IDs
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 26a49c0182b..c26f526992d 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
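Review bot: The rewritten `case IPSEC_ESP_CAST` makes a CAST transform with no negotiated KEY_LENGTH return 32, i.e. a 256-bit key, where the old code fell through to `return 16`; CAST-128 (RFC 2144) is defined for keys of at most 128 bits, so the `return 32;` looks misplaced and the CAST default should remain `return 16;`. The new AES arm also accepts `iproto->keylen` as received from the peer: when it is non-zero it falls through to `default`, which presumably returns `keylen / 8`, so a proposed length that is not 128, 192 or 256 (or not a multiple of 8) yields an odd-sized key instead of a rejected proposal; a guard such as `if (iproto->keylen != 128 && iproto->keylen != 192 && iproto->keylen != 256)` belongs here or wherever the KEY_LENGTH attribute is validated. `ipsec_esp_enckeylength` starts and ends outside the hunk, so the `default` arm and the error convention are not visible.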
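Review bot: The identifiers added here (IKE `AES_CBC 7`, IKE hash `SHA2_256/384/512` as 4/5/6, AH `SHA2_*` as 5/6/7, ESP `AES 12`) match the IANA IPsec DOI assignments, but only `IPSEC_ESP_AES` receives code elsewhere in this commit (ipsec.c, policy.c); nothing in this diff handles the IKE `AES_CBC` or any SHA2 value, yet the generated constant tables will let a configuration name them. Unless that support exists outside the diff, mark the entries so an administrator is not misled into a suite the daemon cannot key, e.g. `# AES_CBC and SHA2_*: identifiers only, no transform support yet` above each group. If they are already negotiable, a one-line pointer to where the transforms are implemented answers the same question.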
@@ -1,5 +1,5 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.40 2000/10/07 07:00:08 niklas Exp $
-.\" $EOM: isakmpd.conf.5,v 1.47 2000/09/18 00:01:47 ho Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.41 2000/10/09 23:27:31 niklas Exp $
+.\" $EOM: isakmpd.conf.5,v 1.48 2000/10/09 22:08:29 angelos Exp $
 .\"
 .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
 .\" Copyright (c) 2000 Håkan Olsson. All rights reserved.
@@ -88,7 +88,7 @@ For Main Mode:
 .Pp
 For Quick Mode:
 .Bd -filled -offset indent -compact
-.Ar QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF}[-{MD5,SHA}][-PFS]-SUITE
+.Ar QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA}][-PFS]-SUITE
 .Ed
 .Pp
 Example 1: 3DES-SHA means; 3DES encryption, SHA hash, and authorization by
@@ -701,6 +701,14 @@ Protocols= QM-ESP-3DES-SHA
 [QM-ESP-3DES-SHA-PFS-SUITE]
 Protocols= QM-ESP-3DES-SHA-PFS
 
+# AES
+
+[QM-ESP-AES-SHA-SUITE]
+Protocols= QM-ESP-AES-SHA
+
+[QM-ESP-3DES-SHA-PFS-SUITE]
+Protocols= QM-ESP-AES-SHA-PFS
+
 # AH
 
 [QM-AH-MD5-SUITE]
@@ -754,6 +762,20 @@ Transforms= QM-ESP-3DES-SHA-PFS-XF
 PROTOCOL_ID= IPSEC_ESP
 Transforms= QM-ESP-3DES-SHA-TRP-XF
 
+# AES
+
+[QM-ESP-AES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-AES-SHA-XF
+
+[QM-ESP-AES-SHA-PFS]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-AES-SHA-PFS-XF
+
+[QM-ESP-AES-SHA-TRP]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= QM-ESP-AES-SHA-TRP-XF
+
 # AH MD5
 
 [QM-AH-MD5]
@@ -813,6 +835,27 @@ ENCAPSULATION_MODE= TRANSPORT
 AUTHENTICATION_ALGORITHM= HMAC_SHA
 Life= LIFE_600_SECS
 
+# AES
+
+[QM-ESP-AES-SHA-XF]
+TRANSFORM_ID= AES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
+
+[QM-ESP-AES-SHA-PFS-XF]
+TRANSFORM_ID= AES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_600_SECS
+
+[QM-ESP-AES-SHA-TRP-XF]
+TRANSFORM_ID= AES
+ENCAPSULATION_MODE= TRANSPORT
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_600_SECS
+
 # AH
 
 [QM-AH-MD5-XF]
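Review bot: The second section added under `# AES` is named `[QM-ESP-3DES-SHA-PFS-SUITE]` but carries `Protocols= QM-ESP-AES-SHA-PFS`; it should read `[QM-ESP-AES-SHA-PFS-SUITE]`. As written, the example defines the 3DES-PFS suite twice (the second time with AES protocols) and defines no AES-PFS suite at all, which is precisely the name every sample configuration in this commit selects via `Suites= QM-ESP-AES-SHA-PFS-SUITE`, so anyone transcribing the manual's example gets a silently different cipher or a missing section. It would also help to note beside the new `QM-ESP-AES-SHA-*-XF` transforms that they set no `KEY_LENGTH`, so the AES key size is whatever the daemon assumes by default rather than something chosen in the configuration.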
diff --git a/sbin/isakmpd/isakmpd.policy.5 b/sbin/isakmpd/isakmpd.policy.5
index a02e95cee7b..db8e3e6ea0f 100644
--- a/sbin/isakmpd/isakmpd.policy.5
+++ b/sbin/isakmpd/isakmpd.policy.5
@@ -1,5 +1,5 @@
-.\" $OpenBSD: isakmpd.policy.5,v 1.11 2000/08/03 07:24:37 niklas Exp $
-.\" $EOM: isakmpd.policy.5,v 1.20 2000/07/26 05:26:31 angelos Exp $
+.\" $OpenBSD: isakmpd.policy.5,v 1.12 2000/10/09 23:27:31 niklas Exp $
+.\" $EOM: isakmpd.policy.5,v 1.21 2000/10/09 22:08:29 angelos Exp $
 .\"
 .\" Copyright (c) 1999, Angelos D. Keromytis. All rights reserved.
 .\"
@@ -317,8 +317,9 @@ One of
 .Va 3idea ,
 .Va des-iv32 ,
 .Va rc4 ,
-or
 .Va null ,
+or
+.Va aes ,
 based on the encryption algorithm specified in the ESP proposal.
 .It comp_alg
 One of
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index 2abdba5da45..b097d377b0a 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: policy.c,v 1.15 2000/10/07 06:59:56 niklas Exp $ */
-/* $EOM: policy.c,v 1.45 2000/10/02 03:23:25 angelos Exp $ */
+/* $OpenBSD: policy.c,v 1.16 2000/10/09 23:27:31 niklas Exp $ */
+/* $EOM: policy.c,v 1.46 2000/10/09 22:08:29 angelos Exp $ */
 
 /*
 * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved.
@@ -313,6 +313,10 @@ policy_callback (char *name)
 esp_enc_alg = "3des";
 break;
 
+ case IPSEC_ESP_AES:
+ esp_enc_alg = "aes";
+ break;
+
 case IPSEC_ESP_RC5:
 esp_enc_alg = "rc5";
 break;
diff --git a/sbin/isakmpd/samples/VPN-3way-template.conf b/sbin/isakmpd/samples/VPN-3way-template.conf
index f1cab8b2bed..72e7d25cad1 100644
--- a/sbin/isakmpd/samples/VPN-3way-template.conf
+++ b/sbin/isakmpd/samples/VPN-3way-template.conf
@@ -1,5 +1,5 @@
-# $OpenBSD: VPN-3way-template.conf,v 1.6 2000/05/02 14:37:06 niklas Exp $
-# $EOM: VPN-3way-template.conf,v 1.7 2000/05/01 22:58:44 ho Exp $
+# $OpenBSD: VPN-3way-template.conf,v 1.7 2000/10/09 23:27:29 niklas Exp $
+# $EOM: VPN-3way-template.conf,v 1.8 2000/10/09 22:08:30 angelos Exp $
 #
 # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
 #
@@ -106,7 +106,7 @@ Transforms= BLF-SHA-M1024
 [Default-quick-mode]
 DOI= IPSEC
 EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-PFS-SUITE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
 
 [Blowfish-quick-mode]
 DOI= IPSEC
diff --git a/sbin/isakmpd/samples/VPN-east.conf b/sbin/isakmpd/samples/VPN-east.conf
index e174cfe801b..475e9ae2e75 100644
--- a/sbin/isakmpd/samples/VPN-east.conf
+++ b/sbin/isakmpd/samples/VPN-east.conf
@@ -1,5 +1,5 @@
-# $OpenBSD: VPN-east.conf,v 1.10 2000/05/02 14:35:19 niklas Exp $
-# $EOM: VPN-east.conf,v 1.11 2000/05/01 20:57:54 niklas Exp $
+# $OpenBSD: VPN-east.conf,v 1.11 2000/10/09 23:27:29 niklas Exp $
+# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $
 
 # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
 #
@@ -47,4 +47,4 @@ Transforms= 3DES-SHA
 [Default-quick-mode]
 DOI= IPSEC
 EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-PFS-SUITE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/sbin/isakmpd/samples/VPN-west.conf b/sbin/isakmpd/samples/VPN-west.conf
index 99e0d9a5c07..a5240e9fdcb 100644
--- a/sbin/isakmpd/samples/VPN-west.conf
+++ b/sbin/isakmpd/samples/VPN-west.conf
@@ -1,5 +1,5 @@
-# $OpenBSD: VPN-west.conf,v 1.10 2000/05/02 14:37:12 niklas Exp $
-# $EOM: VPN-west.conf,v 1.12 2000/05/01 23:49:35 niklas Exp $
+# $OpenBSD: VPN-west.conf,v 1.11 2000/10/09 23:27:29 niklas Exp $
+# $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $
 
 # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
 #
@@ -47,4 +47,4 @@ Transforms= 3DES-SHA
 [Default-quick-mode]
 DOI= IPSEC
 EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-PFS-SUITE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/sbin/isakmpd/samples/policy b/sbin/isakmpd/samples/policy
index 96548543edb..7ae8e94c4ff 100644
--- a/sbin/isakmpd/samples/policy
+++ b/sbin/isakmpd/samples/policy
@@ -1,8 +1,10 @@
 KeyNote-Version: 2
 Comment: This policy accepts ESP SAs from a remote that uses the right password
- $OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
- $EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
+ $OpenBSD: policy,v 1.5 2000/10/09 23:27:29 niklas Exp $
+ $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
 Authorizer: "POLICY"
 Licensees: "passphrase:mekmitasdigoat"
 Conditions: app_domain == "IPsec policy" &&
- esp_present == "yes" -> "true";
+ esp_present == "yes" &&
+ esp_enc_alg == "aes" &&
+ esp_auth_alg == "sha" -> "true";
diff --git a/sbin/isakmpd/samples/singlehost-east.conf b/sbin/isakmpd/samples/singlehost-east.conf
index 7e27a288164..3551233ea94 100644
--- a/sbin/isakmpd/samples/singlehost-east.conf
+++ b/sbin/isakmpd/samples/singlehost-east.conf
@@ -1,5 +1,5 @@
-# $OpenBSD: singlehost-east.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
-# $EOM: singlehost-east.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $
+# $OpenBSD: singlehost-east.conf,v 1.9 2000/10/09 23:27:30 niklas Exp $
+# $EOM: singlehost-east.conf,v 1.9 2000/10/09 22:08:30 angelos Exp $
 
 # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
 
@@ -60,4 +60,4 @@ Transforms= 3DES-SHA-RSA
 [Default-quick-mode]
 DOI= IPSEC
 EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-PFS-SUITE
+Suites= QM-ESP-AES-SHA-PFS-SUITE
diff --git a/sbin/isakmpd/samples/singlehost-west.conf b/sbin/isakmpd/samples/singlehost-west.conf
index ee1d91bc48e..94e5b720a69 100644
--- a/sbin/isakmpd/samples/singlehost-west.conf
+++ b/sbin/isakmpd/samples/singlehost-west.conf
@@ -1,5 +1,5 @@
-# $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
-# $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $
+# $OpenBSD: singlehost-west.conf,v 1.9 2000/10/09 23:27:30 niklas Exp $
+# $EOM: singlehost-west.conf,v 1.9 2000/10/09 22:08:30 angelos Exp $
 
 # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
 
@@ -29,7 +29,6 @@ Transport= udp
 Local-address= 10.1.0.1
 Address= 10.1.0.2
 Configuration= Default-aggressive-mode
-Identification= FQDN/diego.niklas.hallqvist.se
 Authentication= mekmitasdigoat
 
 [IPsec-west-east]
@@ -62,4 +61,4 @@ Transforms= 3DES-SHA-RSA
 [Default-quick-mode]
 DOI= IPSEC
 EXCHANGE_TYPE= QUICK_MODE
-Suites= QM-ESP-3DES-SHA-PFS-SUITE
+Suites= QM-ESP-AES-SHA-PFS-SUITE