diff --git a/crypto/dist/ipsec-tools/ChangeLog b/crypto/dist/ipsec-tools/ChangeLog
index b6102bd04f67..406018e524f2 100644
--- a/crypto/dist/ipsec-tools/ChangeLog
+++ b/crypto/dist/ipsec-tools/ChangeLog
@@ -1,3 +1,9 @@
+2006-12-05 Yvan Vanhullebus
+ * src/racoon/proposal.[ch]: Check keys length regarding
+ pcheck_level in cmpsatrns().
+ * src/racoon/racoon.conf.5: updated man page about what is
+ impacted by proposal_check level.
+
 2006-11-12 Matthew Grooms
 
 * src/racoon/sainfo.c: fix anonymous sainfo selection.
diff --git a/crypto/dist/ipsec-tools/src/racoon/proposal.c b/crypto/dist/ipsec-tools/src/racoon/proposal.c
index 638da35f1846..7c625d04bf07 100644
--- a/crypto/dist/ipsec-tools/src/racoon/proposal.c
+++ b/crypto/dist/ipsec-tools/src/racoon/proposal.c
@@ -1,6 +1,6 @@
-/* $NetBSD: proposal.c,v 1.11 2006/10/09 06:32:59 manu Exp $ */
+/* $NetBSD: proposal.c,v 1.12 2006/12/05 13:38:40 vanhu Exp $ */
 
-/* $Id: proposal.c,v 1.11 2006/10/09 06:32:59 manu Exp $ */
+/* $Id: proposal.c,v 1.12 2006/12/05 13:38:40 vanhu Exp $ */
 
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -427,7 +427,7 @@ cmpsaprop_alloc(ph1, pp1, pp2, side)
 for (tr1 = pr1->head; tr1; tr1 = tr1->next) {
 for (tr2 = pr2->head; tr2; tr2 = tr2->next) {
- if (cmpsatrns(pr1->proto_id, tr1, tr2) == 0)
+ if (cmpsatrns(pr1->proto_id, tr1, tr2, ph1->rmconf->pcheck_level) == 0)
 goto found;
 }
 }
 
@@ -529,9 +529,10 @@ cmpsaprop(pp1, pp2)
 * tr2: my satrns
 */
 int
-cmpsatrns(proto_id, tr1, tr2)
+cmpsatrns(proto_id, tr1, tr2, check_level)
 int proto_id;
 const struct satrns *tr1, *tr2;
+ int check_level;
 {
 if (tr1->trns_id != tr2->trns_id) {
 plog(LLV_WARNING, LOCATION, NULL,
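Review bot: The parameter comment above cmpsatrns() that ends with ` * tr2: my satrns` gains no line for the new check_level argument, so what the extra int means is only discoverable from the call site in cmpsaprop_alloc() that passes `ph1->rmconf->pcheck_level`. Add ` * check_level: PROP_CHECK_* value (rmconf pcheck_level) selecting how key lengths are compared` to that comment so the contract is visible at the definition. The body of cmpsatrns() continues past this hunk.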
@@ -551,16 +552,34 @@ cmpsatrns(proto_id, tr1, tr2)
 return 1;
 }
 
- /* XXX
- * At this moment for interoperability, the responder obey
- * the initiator. It should be defined a notify message.
+ /* Check key length regarding checkmode
+ * XXX Shall we send some kind of notify message when key length rejected ?
 */
- if (tr1->encklen > tr2->encklen) {
+ switch(check_level){
+ case PROP_CHECK_OBEY:
+ return 0;
+ break;
+
+ case PROP_CHECK_STRICT:
+ /* FALLTHROUGH */
+ case PROP_CHECK_CLAIM:
+ if (tr1->encklen < tr2->encklen) {
 plog(LLV_WARNING, LOCATION, NULL,
- "less key length proposed, "
- "mine:%d peer:%d. Use initiaotr's one.\n",
+ "low key length proposed, "
+ "mine:%d peer:%d.\n",
 tr2->encklen, tr1->encklen);
- /* FALLTHRU */
+ return 1;
+ }
+ break;
+ case PROP_CHECK_EXACT:
+ if (tr1->encklen != tr2->encklen) {
+ plog(LLV_WARNING, LOCATION, NULL,
+ "key length mismatched, "
+ "mine:%d peer:%d.\n",
+ tr2->encklen, tr1->encklen);
+ return 1;
+ }
+ break;
 }
 
 return 0;
diff --git a/crypto/dist/ipsec-tools/src/racoon/proposal.h b/crypto/dist/ipsec-tools/src/racoon/proposal.h
index a2e80c00a617..c690f2796d43 100644
--- a/crypto/dist/ipsec-tools/src/racoon/proposal.h
+++ b/crypto/dist/ipsec-tools/src/racoon/proposal.h
@@ -1,4 +1,4 @@
-/* $NetBSD: proposal.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
+/* $NetBSD: proposal.h,v 1.5 2006/12/05 13:38:40 vanhu Exp $ */
 
 /* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
 
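Review bot: The new `switch(check_level)` in cmpsatrns() has no `default:` case, so a check_level outside the four PROP_CHECK_* constants falls out of the switch to the trailing `return 0` and the peer's key length is accepted unchecked — an unrecognised policy value should fail closed, not open. A rejecting default closes that gap: `default: plog(LLV_ERROR, LOCATION, NULL, "unknown proposal_check level %d\n", check_level); return 1;`. The PROP_CHECK_OBEY arm also returns before any plog, so operators running in obey mode lose the warning the removed code emitted when key lengths differed; logging the mismatch at LLV_WARNING before `return 0` keeps that visibility, and the `break;` after that return is unreachable and can go. I cannot see from this hunk whether an encklen of 0 is used elsewhere to mean "unspecified"; if it is, the plain `<` and `!=` comparisons treat it as the shortest key and will reject proposals the old code accepted. cmpsatrns() begins in the previous hunk and its closing brace lies outside this one.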
@@ -192,7 +192,7 @@ extern void inssatrns __P((struct saproto *, struct satrns *)); extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *, const struct saprop *, const struct saprop *, int)); extern int cmpsaprop __P((const struct saprop *, const struct saprop *)); -extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *)); +extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *, int)); extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *)); extern struct saprop *aproppair2saprop __P((struct prop_pair *)); extern void free_proppair __P((struct prop_pair **)); diff --git a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 index 5ad469087a36..73ed0cf810d2 100644 --- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 +++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 @@ -1,4 +1,4 @@ -.\" $NetBSD: racoon.conf.5,v 1.32 2006/10/06 12:02:27 manu Exp $ +.\" $NetBSD: racoon.conf.5,v 1.33 2006/12/05 13:38:40 vanhu Exp $ .\" .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp .\" @@ -667,7 +667,7 @@ The default value is It is useful for a server. .\" .It Ic proposal_check Ar level ; -specifies the action of lifetime length and PFS of the phase 2 +specifies the action of lifetime length, key length and PFS of the phase 2 selection on the responder side, and the action of lifetime check in phase 1. The default level is 
@@ -679,14 +679,16 @@ is: .It Ic obey the responder will obey the initiator anytime. .It Ic strict -If the responder's length is longer than the initiator's one, the +If the responder's lifetime length is longer than the initiator's one, +or if responder's key length is shorter than the initiator's one, the responder uses the initiator's one. Otherwise it rejects the proposal. If PFS is not required by the responder, the responder will obey the proposal. If PFS is required by both sides and if the responder's group is not equal to the initiator's one, then the responder will reject the proposal. .It Ic claim -If the responder's length is longer than the initiator's one, the +If the responder's length is longer than the initiator's one, +or if responder's key length is shorter than the initiator's one, the responder will use the initiator's one. If the responder's length is shorter than the initiator's one, the responder uses its own length @@ -695,8 +697,8 @@ case of lifetime (phase 2 only). For PFS, this directive behaves the same as .Ic strict . .It Ic exact -If the initiator's length is not equal to the responder's one, the -responder will reject the proposal. +If the initiator's lifetime or key length is not equal to the responder's one, +the responder will reject the proposal. If PFS is required by both sides and if the responder's group is not equal to the initiator's one, then the responder will reject the proposal. .El