author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2008-02-17 10:36:33 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2008-02-17 10:36:33 +0000 |
commit | 57083155d9b00469a9c8d5bf4426b6c3fa020391 (patch) | |
tree | 3e217d3b276a4b2a56c10b0ca8c9b831a99dc114 /sbin | |
parent | 1ae7cf280ebfebf332b0f00f687e87146cd6940d (diff) |
Define default configurations for AES-192 and AES-256. From Mitja Muzenic
<mitja at muzenic dot net>, diff provided already quite some time ago,
many many thanks. This should have gone in months ago but I was slacking,
sorry for that.
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/conf.c | 31 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 178 |
2 files changed, 197 insertions, 12 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index a81f72b0260..5a687c0f08f 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.96 2007/06/01 10:27:17 moritz Exp $ */
+/* $OpenBSD: conf.c,v 1.97 2008/02/17 10:36:32 hshoexer Exp $ */
 /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
 /*
@@ -288,13 +288,13 @@ conf_parse(int trans, char *buf, size_t sz)
 *
 * Resulting section names can be:
 * For main mode:
- * {DES,BLF,3DES,CAST,AES}-{MD5,SHA,SHA2-{256,384,512}}[-GRP{1,2,5,14,15}] \
- * [-{DSS,RSA_SIG}]
+ * {DES,BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,SHA,SHA2-{256,384,512}} \
+ * [-GRP{1,2,5,14,15}][-{DSS,RSA_SIG}]
 * For quick mode:
 * QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
 * where
 * {proto} = ESP, AH
- * {cipher} = DES, 3DES, CAST, BLF, AES, AESCTR
+ * {cipher} = DES, 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR
 * {hash} = MD5, SHA, RIPEMD, SHA2-{256,384,512}
 * {group} = GRP1, GRP2, GRP5, GRP14, GRP15
 *
@@ -361,6 +361,12 @@ conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg,
 if (strcmp(mme, "BLOWFISH_CBC") == 0)
 conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0, 1);
+ else if (strcmp(mme_p, "AES-128") == 0)
+ conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
+ else if (strcmp(mme_p, "AES-192") == 0)
+ conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
+ else if (strcmp(mme_p, "AES-256") == 0)
+ conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
 else if (strcmp(mme, "AES_CBC") == 0)
 conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0, 1);
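Review bot: The rewritten main-mode name pattern in the comment is missing a closing brace: `{DES,BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,...` opens the cipher alternative group, closes only the inner `{128,192,256}`, and then runs straight into the hash group, so the braces no longer pair and the pattern reads as if `AES-{128,192,256}-...` were one alternative. The line should read ` * {DES,BLF,3DES,CAST,AES,AES-{128,192,256}}-{MD5,SHA,SHA2-{256,384,512}} \`. The comment block this sits in starts and ends outside the hunk.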
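Review bot: The three new KEY_LENGTH values are bare string literals, while the neighbouring BLOWFISH_CBC and AES_CBC branches take theirs from CONF_DFLT_VAL_BLF_KEYLEN and CONF_DFLT_VAL_AES_KEYLEN; the same three triples are typed out a second time in conf_load_defaults_qm in the next hunk, and the two copies already differ for AES-128. Defining each once alongside CONF_DFLT_VAL_AES_KEYLEN, for example a `CONF_DFLT_VAL_AES128_KEYLEN` macro (a proposed name) holding `"128,128:128"` with 192- and 256-bit siblings, and using the macro in both functions keeps the main-mode and quick-mode defaults identical by construction. conf_load_defaults_mm begins and ends outside the hunk.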
@@ -422,9 +428,16 @@ conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p, if (strcmp(qme ,"BLOWFISH") == 0) conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0, 1); + else if (strcmp(qme_p ,"-AES-128") == 0) + conf_set(tr, sect, "KEY_LENGTH", "128,192:128", 0, 1); + else if (strcmp(qme_p ,"-AES-192") == 0) + conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1); + else if (strcmp(qme_p ,"-AES-256") == 0) + conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1); else if (strcmp(qme ,"AES") == 0) conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0, 1); + conf_set(tr, sect, "ENCAPSULATION_MODE", MODE(mode), 0, 1); if (strcmp(qmh, "NONE")) { conf_set(tr, sect, "AUTHENTICATION_ALGORITHM", qmh, 0, 1); @@ -451,16 +464,18 @@ conf_load_defaults(int tr) char *mm_hash_p[] = {"-MD5", "-SHA", "-SHA2-256", "-SHA2-384", "-SHA2-512", "", 0 }; char *mm_enc[] = {"DES_CBC", "BLOWFISH_CBC", "3DES_CBC", "CAST_CBC", - "AES_CBC", 0}; - char *mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", 0}; + "AES_CBC", "AES_CBC", "AES_CBC", "AES_CBC", 0}; + char *mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", "AES-128", + "AES-192", "AES-256", 0}; char *dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024", "MODP_1536", "MODP_2048", "MODP_3072", 0}; char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14", "-GRP15", 0}; char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES", - "AES_128_CTR", "NULL", "NONE", 0}; + "AES", "AES", "AES", "AES_128_CTR", "NULL", "NONE", 0}; char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES", - "-AESCTR", "-NULL", "", 0}; + "-AES-128", "-AES-192", "-AES-256", "-AESCTR", "-NULL", + "", 0}; char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE", 0}; diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5 index 77fc636285b..706df3c15fb 100644 --- a/sbin/isakmpd/isakmpd.conf.5 +++ b/sbin/isakmpd/isakmpd.conf.5 
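Review bot: The `-AES-128` branch sets KEY_LENGTH to `128,192:128`, which matches neither the `128,128:128` the same suite gets in conf_load_defaults_mm nor the `KEY_LENGTH= 128` the manual page adds for QM-ESP-AES-128-SHA-XF; the 192 looks like a typo for 128. If this value is the same default,min:max triple as CONF_DFLT_VAL_AES_KEYLEN, a minimum of 192 above a maximum of 128 cannot describe the fixed 128-bit key the suite name promises, so the AES-128 quick-mode suites would likely be negotiated against an inconsistent bound rather than the intended key size. Change the line to `conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);`. conf_load_defaults_qm begins and ends outside the hunk.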
@@ -1,4 +1,4 @@ -.\" $OpenBSD: isakmpd.conf.5,v 1.124 2007/05/31 19:19:45 jmc Exp $ +.\" $OpenBSD: isakmpd.conf.5,v 1.125 2008/02/17 10:36:32 hshoexer Exp $ .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ .\" .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. @@ -28,7 +28,7 @@ .\" .\" Manual page, using -mandoc macros .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: February 17 2008 $ .Dt ISAKMPD.CONF 5 .Os .Sh NAME @@ -104,7 +104,7 @@ For Main Mode: where: .Bl -tag -width "{cipher}" -offset indent -compact .It Ns { Ns Ar cipher Ns } -is either DES, BLF, 3DES, CAST, or AES +is either DES, BLF, 3DES, CAST, AES, AES-128, AES-192 or AES-256 .It Ns { Ns Ar hash Ns } is either MD5, SHA, or SHA2-{256,384,512} .It Ns { Ns Ar group Ns } @@ -141,7 +141,7 @@ where: .It Ns { Ns Ar proto Ns } is either ESP or AH .It Ns { Ns Ar cipher Ns } -is either DES, 3DES, CAST, BLF, AES, AESCTR, or NULL +is either DES, 3DES, CAST, BLF, AES, AES-128, AES-192, AES-256, AESCTR, or NULL .It Ns { Ns Ar hash Ns } is either MD5, SHA, RIPEMD, or SHA2-{256,384,512} .It Ns { Ns Ar group Ns } @@ -1057,6 +1057,36 @@ AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_1024 Life= LIFE_MAIN_MODE +# AES-128 + +[AES-128-SHA] +ENCRYPTION_ALGORITHM= AES_CBC +KEY_LENGTH= 128,128:128 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + +# AES-192 + +[AES-192-SHA] +ENCRYPTION_ALGORITHM= AES_CBC +KEY_LENGTH= 192,192:192 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + +# AES-256 + +[AES-256-SHA] +ENCRYPTION_ALGORITHM= AES_CBC +KEY_LENGTH= 256,256:256 +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_MAIN_MODE + # Blowfish [BLF-SHA] 
@@ -1115,6 +1145,30 @@ Protocols= QM-ESP-AES-SHA [QM-ESP-AES-SHA-PFS-SUITE] Protocols= QM-ESP-AES-SHA-PFS +# AES-128 + +[QM-ESP-AES-128-SHA-SUITE] +Protocols= QM-ESP-AES-128-SHA + +[QM-ESP-AES-128-SHA-PFS-SUITE] +Protocols= QM-ESP-AES-128-SHA-PFS + +# AES-192 + +[QM-ESP-AES-192-SHA-SUITE] +Protocols= QM-ESP-AES-192-SHA + +[QM-ESP-AES-192-SHA-PFS-SUITE] +Protocols= QM-ESP-AES-192-SHA-PFS + +# AES-256 + +[QM-ESP-AES-256-SHA-SUITE] +Protocols= QM-ESP-AES-256-SHA + +[QM-ESP-AES-256-SHA-PFS-SUITE] +Protocols= QM-ESP-AES-256-SHA-PFS + # AH [QM-AH-MD5-SUITE] @@ -1182,6 +1236,49 @@ Transforms= QM-ESP-AES-SHA-PFS-XF PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-AES-SHA-TRP-XF +# AES-128 + +[QM-ESP-AES-128-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-128-SHA-XF + +[QM-ESP-AES-128-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-128-SHA-PFS-XF + +[QM-ESP-AES-128-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-128-SHA-TRP-XF + +# AES-192 + +[QM-ESP-AES-192-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-192-SHA-XF + +[QM-ESP-AES-192-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-192-SHA-PFS-XF + +[QM-ESP-AES-192-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-192-SHA-TRP-XF + +# AES-256 + +[QM-ESP-AES-256-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-256-SHA-XF + +[QM-ESP-AES-256-SHA-PFS] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-256-SHA-PFS-XF + +[QM-ESP-AES-256-SHA-TRP] +PROTOCOL_ID= IPSEC_ESP +Transforms= QM-ESP-AES-256-SHA-TRP-XF + + # AH MD5 [QM-AH-MD5] 
@@ -1265,6 +1362,79 @@ AUTHENTICATION_ALGORITHM= HMAC_SHA KEY_LENGTH= 128 Life= LIFE_QUICK_MODE +# AES-128 + +[QM-ESP-AES-128-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-128-SHA-PFS-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-128-SHA-TRP-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 128 +Life= LIFE_QUICK_MODE + +# AES-192 + +[QM-ESP-AES-192-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 192 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-192-SHA-PFS-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +KEY_LENGTH= 192 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-192-SHA-TRP-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 192 +Life= LIFE_QUICK_MODE + +# AES-256 + +[QM-ESP-AES-256-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 256 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-256-SHA-PFS-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +GROUP_DESCRIPTION= MODP_1024 +KEY_LENGTH= 256 +Life= LIFE_QUICK_MODE + +[QM-ESP-AES-256-SHA-TRP-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TRANSPORT +AUTHENTICATION_ALGORITHM= HMAC_SHA +KEY_LENGTH= 256 +Life= LIFE_QUICK_MODE + + # AH [QM-AH-MD5-XF] |