On Tue, Nov 12, 2019 at 04:07:51PM +0100, Tobias Heider wrote: > Makes sense. Here is the updated diff including a fix for bluhms > comment.
OK bluhm@
> Index: iked.conf.5
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.57
> diff -u -p -r1.57 iked.conf.5
> --- iked.conf.5 24 Aug 2019 13:24:49 -0000 1.57
> +++ iked.conf.5 12 Nov 2019 13:49:37 -0000
> @@ -409,6 +409,7 @@ multiple crypto transforms.
> .Ic auth Ar algorithm
> .Ic enc Ar algorithm
> .Ic group Ar group
> +.Ic esn
> .Xc
> These parameters define the cryptographic transforms to be used for
> the Child SA negotiation, also known as phase 2.
> @@ -421,6 +422,7 @@ Possible values for
> .Ic auth ,
> .Ic enc ,
> .Ic group ,
> +.Ic esn ,
> and the default proposals are described below in
> .Sx CRYPTO TRANSFORMS .
> If omitted,
> @@ -849,6 +851,17 @@ not encryption:
> .It Li aes-192-gmac Ta "224 bits" Ta "[ESP only]"
> .It Li aes-256-gmac Ta "288 bits" Ta "[ESP only]"
> .It Li null Ta "" Ta "[ESP only]"
> +.El
> +.Pp
> +The Extended Sequence Numbers option can be enabled or disabled with the
> +.Ic esn
> +or
> +.Ic noesn
> +keywords:
> +.Bl -column "noesn" "[ESP only]" -offset indent
> +.It Em ESN
> +.It Li esn Ta "[ESP only]"
> +.It Li noesn Ta "[ESP only]"
> .El
> .Pp
> Transforms followed by
> Index: parse.y
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/sbin/iked/parse.y,v
> retrieving revision 1.84
> diff -u -p -r1.84 parse.y
> --- parse.y 26 Sep 2019 07:33:36 -0000 1.84
> +++ parse.y 12 Nov 2019 13:54:04 -0000
> @@ -127,6 +127,8 @@ struct ipsec_transforms {
> unsigned int nencxf;
> const struct ipsec_xf **groupxf;
> unsigned int ngroupxf;
> + const struct ipsec_xf **esnxf;
> + unsigned int nesnxf;
> };
> 
> struct ipsec_mode {
> @@ -259,6 +261,12 @@ const struct ipsec_xf groupxfs[] = {
> { NULL }
> };
> 
> +const struct ipsec_xf esnxfs[] = {
> + { "esn", IKEV2_XFORMESN_ESN },
> + { "noesn", IKEV2_XFORMESN_NONE },
> + { NULL }
> +};
> +
> const struct ipsec_xf methodxfs[] = {
> { "none", IKEV2_AUTH_NONE },
> { "rsa", IKEV2_AUTH_RSA_SIG },
> @@ -395,7 +403,7 @@ typedef struct {
> %}
> 
> %token FROM ESP AH IN PEER ON OUT TO SRCID DSTID PSK PORT
> -%token FILENAME AUTHXF PRFXF ENCXF ERROR IKEV2 IKESA CHILDSA
> +%token FILENAME AUTHXF PRFXF ENCXF ERROR IKEV2 IKESA CHILDSA ESN NOESN
> %token PASSIVE ACTIVE ANY TAG TAP PROTO LOCAL GROUP NAME CONFIG EAP > USER
> %token IKEV1 FLOW SA TCPMD5 TUNNEL TRANSPORT COUPLE DECOUPLE SET
> %token INCLUDE LIFETIME BYTES INET INET6 QUICK SKIP DEFAULT
> @@ -425,6 +433,7 @@ typedef struct {
> %type <v.number> byte_spec time_spec ikelifetime
> %type <v.string> name
> %type <v.cfg> cfg ikecfg ikecfgvals
> +%type <v.string> transform_esn
> %%
> 
> grammar : /* empty */
> @@ -802,6 +811,24 @@ transform : AUTHXF STRING {
> ipsec_transforms->groupxf = xfs;
> ipsec_transforms->ngroupxf++;
> }
> + | transform_esn {
> + const struct ipsec_xf **xfs = ipsec_transforms->esnxf;
> + size_t nxfs = ipsec_transforms->nesnxf;
> + xfs = recallocarray(xfs, nxfs, nxfs + 1,
> + sizeof(struct ipsec_xf *));
> + if (xfs == NULL)
> + err(1, "transform: recallocarray");
> + if ((xfs[nxfs] = parse_xf($1, 0, esnxfs)) == NULL) {
> + yyerror("%s not a valid transform", $1);
> + YYERROR;
> + }
> + ipsec_transforms->esnxf = xfs;
> + ipsec_transforms->nesnxf++;
> + }
> + ;
> +
> +transform_esn : ESN { $$ = "esn"; }
> + | NOESN { $$ = "noesn"; }
> ;
> 
> ike_sas : {
> @@ -1180,6 +1207,7 @@ lookup(char *s)
> { "dstid", DSTID },
> { "eap", EAP },
> { "enc", ENCXF },
> + { "esn", ESN },
> { "esp", ESP },
> { "file", FILENAME },
> { "flow", FLOW },
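Review bot: The new `transform_esn` branch of `transform` receives string literals (`$$ = "esn";`, `$$ = "noesn";`) through the same `<v.string>` slot that the sibling `AUTHXF STRING` branches fill with a heap-allocated STRING token, and nothing in the rule says so; if those sibling branches release their `$2` after `parse_xf` (not visible in this hunk), a maintainer copying that pattern into the ESN branch would free a literal. A one-line comment on the new rule would pin this down, e.g. `/* transform_esn yields static keywords, not STRING tokens: $1 is never freed */`. The `recallocarray` call could also use `sizeof *xfs` rather than `sizeof(struct ipsec_xf *)` so the element size follows the array's declared type, as the C idiom prefers. The enclosing `transform` rule begins outside the hunk.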
> @@ -1198,6 +1226,7 @@ lookup(char *s)
> { "local", LOCAL },
> { "mobike", MOBIKE },
> { "name", NAME },
> + { "noesn", NOESN },
> { "nofragmentation", NOFRAGMENTATION },
> { "nomobike", NOMOBIKE },
> { "ocsp", OCSP },
> @@ -2578,6 +2607,10 @@ print_policy(struct iked_policy *pol)
> print_verbose(" group ");
> xfs = groupxfs;
> break;
> + case IKEV2_XFORMTYPE_ESN:
> + print_verbose(" ");
> + xfs = esnxfs;
> + break;
> default:
> continue;
> }
> @@ -2830,6 +2863,11 @@ create_ike(char *name, int af, uint8_t i
> pol.pol_nproposals++;
> } else {
> for (i = 0; i < ike_sa->nxfs; i++) {
> + if (ike_sa->xfs[i]->nesnxf) {
> + yyerror("cannot use ESN with ikesa.");
> + goto done;
> + }
> +
> if ((p = calloc(1, sizeof(*p))) == NULL)
> err(1, "%s", __func__);
> 
> @@ -2914,7 +2952,8 @@ create_ike(char *name, int af, uint8_t i
> ikev2_default_esp_transforms,
> ikev2_default_nesp_transforms);
> copy_transforms(IKEV2_XFORMTYPE_ESN,
> - ipsec_sa->xfs[i]->esnxf,
> + ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
> ikev2_default_esp_transforms,
> ikev2_default_nesp_transforms);
>
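Review bot: In the `print_policy` hunk the new `IKEV2_XFORMTYPE_ESN` case prints a bare `" "` where every neighbouring case prints a keyword prefix such as `" group "`, and the reason is not stated in the code: the `esnxfs` names (`esn`, `noesn`) are themselves the configuration keywords, so no prefix is wanted. A short comment on the case would stop a later reader from "fixing" it, e.g. `/* esn/noesn are the keywords themselves, no type prefix */`. `print_policy`'s body continues outside the hunk.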
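Review bot: In the first `create_ike` hunk the rejection `yyerror("cannot use ESN with ikesa.");` fires on `nesnxf`, which counts both `esn` and `noesn` entries, so a user who wrote `noesn` in an `ikesa` block gets a message about ESN; it also ends with a period, unlike the other visible yyerror text (`"%s not a valid transform"`). A wording that matches the man page's "[ESP only]" and the other messages would be `yyerror("esn/noesn transforms are only valid for childsa");`. The `goto done` presumably reaches cleanup that releases what `create_ike` allocated earlier; that label is outside the hunk and should be checked. The second `create_ike` hunk correctly falls back to `ikev2_default_esp_transforms` when `nesnxf` is zero, since `copy_transforms` receives the count; no change needed there.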