From db6552c22aa727c02722a933d4b6559aa8925dc1 Mon Sep 17 00:00:00 2001 From: Markus Friedl Date: Fri, 25 Jul 2003 08:31:17 +0000 Subject: add sha2 support; ok ho@ --- sbin/isakmpd/conf.c | 12 ++++++++---- sbin/isakmpd/ipsec.c | 16 ++++++++++++++-- sbin/isakmpd/isakmpd.conf.5 | 4 ++-- sbin/isakmpd/pf_key_v2.c | 38 +++++++++++++++++++++++++++++++++++++- sbin/isakmpd/policy.c | 38 +++++++++++++++++++++++++++++++++++++- sbin/isakmpd/sa.c | 26 +++++++++++++++++++++++++- 6 files changed, 123 insertions(+), 11 deletions(-) (limited to 'sbin/isakmpd') diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c index d5ebe918d71..9c59c628ae6 100644 --- a/sbin/isakmpd/conf.c +++ b/sbin/isakmpd/conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.c,v 1.56 2003/06/10 16:41:29 deraadt Exp $ */ +/* $OpenBSD: conf.c,v 1.57 2003/07/25 08:31:16 markus Exp $ */ /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */ /* @@ -327,7 +327,7 @@ conf_parse (int trans, char *buf, size_t sz) * where * {proto} = ESP, AH * {cipher} = DES, 3DES, CAST, BLF, AES - * {hash} = MD5, SHA, RIPEMD + * {hash} = MD5, SHA, RIPEMD, SHA2-{-256,384,512} * {group} = GRP1, GRP2, GRP5 * * DH group defaults to MODP_1024. 
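Review bot: The updated `{hash}` line in the conf.c comment (hunk @@ -327) reads `SHA2-{-256,384,512}`, which has a stray dash inside the braces and would expand to `SHA2--256`. The suffix table added in the next conf.c hunk uses `-SHA2-256`, `-SHA2-384` and `-SHA2-512`, and the isakmpd.conf.5 hunk writes `SHA2-{256,384,512}`. The comment line should read `* {hash} = MD5, SHA, RIPEMD, SHA2-{256,384,512}` so that the section names an administrator derives from it match what conf_load_defaults generates.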
@@ -393,14 +393,18 @@ conf_load_defaults (int tr) "CAST_CBC", 0 }; char *dh_group[] = { "MODP_768", "MODP_1024", "MODP_1536", 0 }; char *qm_enc[] = { "DES", "3DES", "CAST", "BLOWFISH", "AES", 0 }; - char *qm_hash[] = { "HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", "NONE", 0 }; + char *qm_hash[] = { "HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", + "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", + "NONE", 0 }; /* Abbreviations to make section names a bit shorter. */ char *mm_auth_p[] = { "", "-DSS", "-RSA_SIG", 0 }; char *mm_enc_p[] = { "DES", "BLF", "3DES", "CAST", 0 }; char *dh_group_p[]= { "-GRP1", "-GRP2", "-GRP5", "", 0 }; char *qm_enc_p[] = { "-DES", "-3DES", "-CAST", "-BLF", "-AES", 0 }; - char *qm_hash_p[] = { "-MD5", "-SHA", "-RIPEMD", "", 0 }; + char *qm_hash_p[] = { "-MD5", "-SHA", "-RIPEMD", + "-SHA2-256", "-SHA2-384", "-SHA2-512", + "", 0 }; /* Helper #defines, incl abbreviations. */ #define PROTO(x) ((x) ? "AH" : "ESP") diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c index 3809ba94a33..e929038a235 100644 --- a/sbin/isakmpd/ipsec.c +++ b/sbin/isakmpd/ipsec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec.c,v 1.77 2003/06/10 12:21:29 ho Exp $ */ +/* $OpenBSD: ipsec.c,v 1.78 2003/07/25 08:31:16 markus Exp $ */ /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */ /* @@ -1226,7 +1226,7 @@ ipsec_is_attribute_incompatible (u_int16_t type, u_int8_t *value, || decode_16 (value) > IPSEC_ENCAP_TRANSPORT; case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: return decode_16 (value) < IPSEC_AUTH_HMAC_MD5 - || decode_16 (value) > IPSEC_AUTH_KPDK; + || decode_16 (value) > IPSEC_AUTH_HMAC_RIPEMD; case IPSEC_ATTR_KEY_LENGTH: /* XXX Blowfish needs '0'. Others appear to disregard this attr? */ return 0; 
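Review bot: The new upper bound in the `IPSEC_ATTR_AUTHENTICATION_ALGORITHM` case of ipsec_is_attribute_incompatible (hunk @@ -1226) admits the SHA2 identifiers only if they are numbered between `IPSEC_AUTH_KPDK` and `IPSEC_AUTH_HMAC_RIPEMD`, and nothing on these lines says so. The constant definitions are outside this diff, so that ordering is presumed here rather than verified. A comment above the comparison, for example `/* SHA2-256/384/512 are numbered between KPDK and HMAC_RIPEMD, so RIPEMD is the upper bound. */`, would make the dependency on the numbering explicit for whoever adds the next algorithm. The function body starts and ends outside the hunk.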
@@ -1737,6 +1737,12 @@ ipsec_esp_authkeylength (struct proto *proto) case IPSEC_AUTH_HMAC_SHA: case IPSEC_AUTH_HMAC_RIPEMD: return 20; + case IPSEC_AUTH_HMAC_SHA2_256: + return 32; + case IPSEC_AUTH_HMAC_SHA2_384: + return 48; + case IPSEC_AUTH_HMAC_SHA2_512: + return 64; default: return 0; } @@ -1753,6 +1759,12 @@ ipsec_ah_keylength (struct proto *proto) case IPSEC_AH_SHA: case IPSEC_AH_RIPEMD: return 20; + case IPSEC_AH_SHA2_256: + return 32; + case IPSEC_AH_SHA2_384: + return 48; + case IPSEC_AH_SHA2_512: + return 64; default: return -1; } diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5 index 1bc6d33d9d1..96e28343615 100644 --- a/sbin/isakmpd/isakmpd.conf.5 +++ b/sbin/isakmpd/isakmpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: isakmpd.conf.5,v 1.82 2003/07/09 08:16:44 jmc Exp $ +.\" $OpenBSD: isakmpd.conf.5,v 1.83 2003/07/25 08:31:16 markus Exp $ .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ .\" .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. @@ -94,7 +94,7 @@ For Quick Mode: where {proto} is either ESP or AH {cipher} is either DES, 3DES, CAST, BLF or AES - {hash} is either MD5, SHA or RIPEMD + {hash} is either MD5, SHA, RIPEMD, SHA2-{256,384,512} {group} is either GRP1, GRP2 or GRP5 .Ed .Pp diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c index 6870d5db9c6..d21aa258f09 100644 --- a/sbin/isakmpd/pf_key_v2.c +++ b/sbin/isakmpd/pf_key_v2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.c,v 1.134 2003/07/24 09:59:03 itojun Exp $ */ +/* $OpenBSD: pf_key_v2.c,v 1.135 2003/07/25 08:31:16 markus Exp $ */ /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ /* 
@@ -971,6 +971,24 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming, break; #endif +#ifdef SADB_X_AALG_SHA2_256 + case IPSEC_AUTH_HMAC_SHA2_256: + ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256; + break; +#endif + +#ifdef SADB_X_AALG_SHA2_384 + case IPSEC_AUTH_HMAC_SHA2_384: + ssa.sadb_sa_auth = SADB_X_AALG_SHA2_384; + break; +#endif + +#ifdef SADB_X_AALG_SHA2_512 + case IPSEC_AUTH_HMAC_SHA2_512: + ssa.sadb_sa_auth = SADB_X_AALG_SHA2_512; + break; +#endif + case IPSEC_AUTH_DES_MAC: case IPSEC_AUTH_KPDK: /* XXX We should be supporting KPDK */ @@ -1022,6 +1040,24 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming, break; #endif +#ifdef SADB_X_AALG_SHA2_256 + case IPSEC_AH_SHA2_256: + ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256; + break; +#endif + +#ifdef SADB_X_AALG_SHA2_384 + case IPSEC_AH_SHA2_384: + ssa.sadb_sa_auth = SADB_X_AALG_SHA2_384; + break; +#endif + +#ifdef SADB_X_AALG_SHA2_512 + case IPSEC_AH_SHA2_512: + ssa.sadb_sa_auth = SADB_X_AALG_SHA2_512; + break; +#endif + default: LOG_DBG ((LOG_SYSDEP, 50, "pf_key_v2_set_spi: unknown authentication algorithm %d", diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c index 505a606aa91..ddc856896c7 100644 --- a/sbin/isakmpd/policy.c +++ b/sbin/isakmpd/policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: policy.c,v 1.65 2003/06/10 16:41:29 deraadt Exp $ */ +/* $OpenBSD: policy.c,v 1.66 2003/07/25 08:31:16 markus Exp $ */ /* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ /* @@ -266,6 +266,18 @@ policy_callback (char *name) ah_hash_alg = "ripemd"; break; + case IPSEC_AH_SHA2_256: + ah_auth_alg = "sha2-256"; + break; + + case IPSEC_AH_SHA2_384: + ah_auth_alg = "sha2-384"; + break; + + case IPSEC_AH_SHA2_512: + ah_auth_alg = "sha2-512"; + break; + case IPSEC_AH_DES: ah_hash_alg = "des"; break; 
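Review bot: The new `IPSEC_AUTH_HMAC_SHA2_*` cases in pf_key_v2_set_spi (hunk @@ -971) are compiled only when the matching `SADB_X_AALG_SHA2_*` macro exists, while the conf.c hunk of this commit adds `HMAC_SHA2_256/384/512` to the default quick-mode suites unconditionally. On a build without those macros a negotiated SHA2 transform would reach the switch's fallback branch; in the AH switch (hunk @@ -1022, same pattern for `IPSEC_AH_SHA2_*`) that is the `default:` which only emits a level-50 `LOG_DBG`. What follows the log is outside both hunks, so whether SA setup then fails cleanly should be confirmed. I would add above the first guard `/* Without SADB_X_AALG_SHA2_* a negotiated SHA2 transform ends in the unknown-algorithm path below. */`, or put the conf.c defaults under the same `#ifdef`s.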
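Review bot: The three new `IPSEC_AH_SHA2_*` cases in policy_callback (policy.c hunk @@ -266) assign `ah_auth_alg`, while the neighbouring cases of the same switch (`"ripemd"`, `"des"`) assign `ah_hash_alg`. This looks like a copy-paste slip: with an AH SHA2 transform `ah_hash_alg` would presumably keep its previous value, so a policy condition on the AH hash algorithm would not see `sha2-*`. The lines should read `ah_hash_alg = "sha2-256";`, `ah_hash_alg = "sha2-384";` and `ah_hash_alg = "sha2-512";`. The switch and the function continue outside the hunk, so how the two variables are consumed should be checked there.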
@@ -548,6 +560,18 @@ policy_callback (char *name) ah_auth_alg = "hmac-ripemd"; break; + case IPSEC_AUTH_HMAC_SHA2_256: + ah_auth_alg = "hmac-sha2-256"; + break; + + case IPSEC_AUTH_HMAC_SHA2_384: + ah_auth_alg = "hmac-sha2-384"; + break; + + case IPSEC_AUTH_HMAC_SHA2_512: + ah_auth_alg = "hmac-sha2-512"; + break; + case IPSEC_AUTH_DES_MAC: ah_auth_alg = "des-mac"; break; @@ -573,6 +597,18 @@ policy_callback (char *name) esp_auth_alg = "hmac-ripemd"; break; + case IPSEC_AUTH_HMAC_SHA2_256: + esp_auth_alg = "hmac-sha2-256"; + break; + + case IPSEC_AUTH_HMAC_SHA2_384: + esp_auth_alg = "hmac-sha2-384"; + break; + + case IPSEC_AUTH_HMAC_SHA2_512: + esp_auth_alg = "hmac-sha2-512"; + break; + case IPSEC_AUTH_DES_MAC: esp_auth_alg = "des-mac"; break; diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c index 28275e1e830..f556243b1f5 100644 --- a/sbin/isakmpd/sa.c +++ b/sbin/isakmpd/sa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sa.c,v 1.72 2003/06/04 07:31:17 ho Exp $ */ +/* $OpenBSD: sa.c,v 1.73 2003/07/25 08:31:16 markus Exp $ */ /* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */ /* @@ -566,6 +566,18 @@ report_proto (FILE *fd, struct proto *proto) fprintf (fd, "HMAC-RIPEMD-160\n"); break; + case IPSEC_AUTH_HMAC_SHA2_256: + fprintf (fd, "HMAC-SHA2-256\n"); + break; + + case IPSEC_AUTH_HMAC_SHA2_384: + fprintf (fd, "HMAC-SHA2-384\n"); + break; + + case IPSEC_AUTH_HMAC_SHA2_512: + fprintf (fd, "HMAC-SHA2-512\n"); + break; + case IPSEC_AUTH_DES_MAC: case IPSEC_AUTH_KPDK: /* XXX We should be supporting KPDK */ @@ -598,6 +610,18 @@ report_proto (FILE *fd, struct proto *proto) fprintf (fd, "HMAC-RIPEMD-160\n"); break; + case IPSEC_AH_SHA2_256: + fprintf (fd, "HMAC-SHA2-256\n"); + break; + + case IPSEC_AH_SHA2_384: + fprintf (fd, "HMAC-SHA2-384\n"); + break; + + case IPSEC_AH_SHA2_512: + fprintf (fd, "HMAC-SHA2-512\n"); + break; + default: fprintf (fd, "unknown (%d)", proto->id); } -- cgit v1.2.3