iked(8): Add ECDH groups and AEADs to defaults

Thu, 30 Apr 2020 11:13:14 -0700 

Hi,

I would like to modernize our crypto defaults a bit and add some of the
supported ECDH Diffie-Hellman groups to the default IKE crypto proposal.
There should be no downside to this, if they are not supported by the
other side one of the old MODP groups will be used.

The same for AEADs in the ESP proposal.  We have support for AES-GCM
and CHACHA20 for some time now but they never made it into the
defaults.

ok?

Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.98
diff -u -p -r1.98 parse.y
--- parse.y     29 Apr 2020 16:09:11 -0000      1.98
+++ parse.y     30 Apr 2020 18:08:03 -0000
@@ -145,6 +145,12 @@ struct iked_transform ikev2_default_ike_
        { IKEV2_XFORMTYPE_PRF,  IKEV2_XFORMPRF_HMAC_SHA1 },
        { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
        { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
+       { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_CURVE25519 },
+       { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_ECP_521 },
+       { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_ECP_384 },
+       { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_ECP_256 },
+       { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_MODP_4096 },
+       { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_MODP_3072 },
        { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_MODP_2048 },
        { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_MODP_1536 },
        { IKEV2_XFORMTYPE_DH,   IKEV2_XFORMDH_MODP_1024 },
@@ -154,6 +160,9 @@ size_t ikev2_default_nike_transforms = (
     sizeof(ikev2_default_ike_transforms[0])) - 1);
 
 struct iked_transform ikev2_default_esp_transforms[] = {
+       { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 192 },
+       { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 },
+       { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_CHACHA20_POLY1305 },
        { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
        { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
        { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },

Reply via email to