authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-11-12 12:00:54 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-11-12 12:00:54 +0000
commit63ce3110ca26585d80f472054e98dc7773e807e7 (patch)
tree0d5e4df88a49c6d367c076097a29b54a66fcbe0b
parent02ffe946b7c40c8ecd5fac91ee755299fc2bacb9 (diff)
handle transport/tunnel mode
-rw-r--r--sbin/ipsecctl/ipsecctl.c6
-rw-r--r--sbin/ipsecctl/ipsecctl.h6
-rw-r--r--sbin/ipsecctl/parse.y50
-rw-r--r--sbin/ipsecctl/pfkdump.c12
-rw-r--r--sbin/ipsecctl/pfkey.c14
5 files changed, 60 insertions, 28 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index f8641570962..5704e78dfc0 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.31 2005/11/06 22:51:51 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.32 2005/11/12 12:00:53 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -70,6 +70,7 @@ static const char *direction[] = {"?", "in", "out"};
static const char *flowtype[] = {"?", "use", "acquire", "require", "deny",
"bypass", "dontacq"};
static const char *proto[] = {"?", "esp", "ah", "ipcomp", "tcpmd5"};
+static const char *tmode[] = {"?", "transport", "tunnel"};
static const char *auth[] = {"?", "psk", "rsa"};
int
@@ -255,6 +256,9 @@ void
ipsecctl_print_sa(struct ipsec_rule *r, int opts)
{
printf("%s ", proto[r->proto]);
+ /* tunnel/transport is only meaningful esp/ah/ipcomp */
+ if (r->proto != IPSEC_TCPMD5)
+ printf("%s ", tmode[r->tmode]);
printf("from ");
ipsecctl_print_addr(r->src);
printf(" to ");
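Review bot: The new comment above the tmode print reads `/* tunnel/transport is only meaningful esp/ah/ipcomp */` and is missing a word; the pfkdump.c hunk in the same commit spells it `/* tunnel/transport is only meaningful for esp/ah/ipcomp */`, and the two should match. The lookup `tmode[r->tmode]` follows the existing `proto[r->proto]` convention of indexing the name table directly with the stored value, so a rule whose tmode was never set (MODE_UNKNOWN, the calloc default) prints `?`, and only the two grammar-produced values IPSEC_TRANSPORT/IPSEC_TUNNEL are expected to reach this line. ipsecctl_print_sa continues past the end of the hunk.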
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index dbda9d40a75..e710d00495c 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.20 2005/11/06 22:51:51 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.21 2005/11/12 12:00:53 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -43,6 +43,9 @@ enum {
PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5
};
enum {
+ MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL
+};
+enum {
AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
};
enum {
@@ -134,6 +137,7 @@ struct ipsec_rule {
struct ipsec_key *enckey;
u_int8_t proto;
+ u_int8_t tmode;
u_int8_t direction;
u_int8_t flowtype;
u_int8_t ikemode;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 91e8e0d34ad..7d29595909d 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.33 2005/11/06 22:51:51 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.34 2005/11/12 12:00:53 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -120,8 +120,8 @@ struct ipsec_transforms *transforms(const char *, const char *, const char *);
struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);
int validate_sa(u_int32_t, u_int8_t,
struct ipsec_transforms *, struct ipsec_key *,
- struct ipsec_key *);
-struct ipsec_rule *create_sa(u_int8_t, struct ipsec_addr_wrap *,
+ struct ipsec_key *, u_int8_t);
+struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_addr_wrap *,
struct ipsec_addr_wrap *, u_int32_t,
struct ipsec_transforms *, struct ipsec_key *,
struct ipsec_key *);
@@ -142,8 +142,9 @@ typedef struct {
u_int32_t number;
u_int8_t ikemode;
u_int8_t dir;
- char *string;
u_int8_t protocol;
+ u_int8_t tmode;
+ char *string;
struct {
struct ipsec_addr_wrap *src;
struct ipsec_addr_wrap *dst;
@@ -183,10 +184,11 @@ typedef struct {
%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE
-%token ACTIVE ANY IPCOMP COMPXF
+%token ACTIVE ANY IPCOMP COMPXF TUNNEL TRANSPORT
%token <v.string> STRING
%type <v.dir> dir
%type <v.protocol> protocol
+%type <v.tmode> tmode
%type <v.number> number
%type <v.hosts> hosts
%type <v.peer> peer
@@ -233,8 +235,8 @@ number : STRING {
tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
struct ipsec_rule *r;
- r = create_sa(IPSEC_TCPMD5, $2.src, $2.dst, $3.spiout,
- NULL, $4.keyout, NULL);
+ r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, $2.src,
+ $2.dst, $3.spiout, NULL, $4.keyout, NULL);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -255,11 +257,12 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
}
;
-sarule : protocol hosts spispec transforms authkeyspec enckeyspec {
+sarule : protocol tmode hosts spispec transforms authkeyspec
+ enckeyspec {
struct ipsec_rule *r;
- r = create_sa($1, $2.src, $2.dst, $3.spiout, $4,
- $5.keyout, $6.keyout);
+ r = create_sa($1, $2, $3.src, $3.dst, $4.spiout, $5,
+ $6.keyout, $7.keyout);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -268,9 +271,9 @@ sarule : protocol hosts spispec transforms authkeyspec enckeyspec {
errx(1, "sarule: ipsecctl_add_rule");
/* Create and add reverse SA rule. */
- if ($3.spiin != 0 || $5.keyin || $6.keyin) {
- r = reverse_sa(r, $3.spiin, $5.keyin,
- $6.keyin);
+ if ($4.spiin != 0 || $6.keyin || $7.keyin) {
+ r = reverse_sa(r, $4.spiin, $6.keyin,
+ $7.keyin);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -323,6 +326,11 @@ protocol : /* empty */ { $$ = IPSEC_ESP; }
| IPCOMP { $$ = IPSEC_IPCOMP; }
;
+tmode : /* empty */ { $$ = IPSEC_TUNNEL; }
+ | TUNNEL { $$ = IPSEC_TUNNEL; }
+ | TRANSPORT { $$ = IPSEC_TRANSPORT; }
+ ;
+
dir : /* empty */ { $$ = IPSEC_INOUT; }
| IN { $$ = IPSEC_IN; }
| OUT { $$ = IPSEC_OUT; }
@@ -616,6 +624,8 @@ lookup(char *s)
{ "srcid", SRCID},
{ "tcpmd5", TCPMD5},
{ "to", TO},
+ { "transport", TRANSPORT},
+ { "tunnel", TUNNEL},
};
const struct keywords *p;
@@ -1183,7 +1193,7 @@ copytransforms(const struct ipsec_transforms *xfs)
int
validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,
- struct ipsec_key *authkey, struct ipsec_key *enckey)
+ struct ipsec_key *authkey, struct ipsec_key *enckey, u_int8_t tmode)
{
/* Sanity checks */
if (spi == 0) {
@@ -1220,7 +1230,8 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,
if (!xfs->compxf)
xfs->compxf = &compxfs[COMPXF_DEFLATE];
}
- if (protocol == IPSEC_TCPMD5 && authkey == NULL) {
+ if (protocol == IPSEC_TCPMD5 && authkey == NULL && tmode !=
+ IPSEC_TRANSPORT) {
yyerror("authentication key needed for tcpmd5");
return (0);
}
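Review bot: The extended guard `protocol == IPSEC_TCPMD5 && authkey == NULL && tmode != IPSEC_TRANSPORT` appears to be unreachable as far as this diff shows: the only tcpmd5 creation site, tcpmd5rule, now passes `IPSEC_TRANSPORT` to create_sa, and reverse_sa forwards `rule->tmode` unchanged, so the "authentication key needed for tcpmd5" error can no longer be produced and a tcpmd5 SA without an authentication key would pass validate_sa. If the intent is to relax the key requirement only for some path (for example a reverse SA), the condition should test that path explicitly; if a tcpmd5 key is always required, the previous two-term form `if (protocol == IPSEC_TCPMD5 && authkey == NULL) {` should be kept. Whether authkeyspec can actually yield a NULL key is not visible here, so the practical impact is uncertain. validate_sa begins and ends outside the hunk.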
@@ -1258,13 +1269,13 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,
}
struct ipsec_rule *
-create_sa(u_int8_t protocol, struct ipsec_addr_wrap *src, struct
+create_sa(u_int8_t protocol, u_int8_t tmode, struct ipsec_addr_wrap *src, struct
ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_transforms *xfs,
struct ipsec_key *authkey, struct ipsec_key *enckey)
{
struct ipsec_rule *r;
- if (validate_sa(spi, protocol, xfs, authkey, enckey) == 0)
+ if (validate_sa(spi, protocol, xfs, authkey, enckey, tmode) == 0)
return (NULL);
r = calloc(1, sizeof(struct ipsec_rule));
@@ -1273,6 +1284,7 @@ create_sa(u_int8_t protocol, struct ipsec_addr_wrap *src, struct
r->type |= RULE_SA;
r->proto = protocol;
+ r->tmode = tmode;
r->src = src;
r->dst = dst;
r->spi = spi;
@@ -1289,7 +1301,8 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
{
struct ipsec_rule *reverse;
- if (validate_sa(spi, rule->proto, rule->xfs, authkey, enckey) == 0)
+ if (validate_sa(spi, rule->proto, rule->xfs, authkey, enckey,
+ rule->tmode) == 0)
return (NULL);
reverse = calloc(1, sizeof(struct ipsec_rule));
@@ -1298,6 +1311,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
reverse->type |= RULE_SA;
reverse->proto = rule->proto;
+ reverse->tmode = rule->tmode;
reverse->src = copyhost(rule->dst);
reverse->dst = copyhost(rule->src);
reverse->spi = spi;
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index f2cb74f8ebb..1d930404a9d 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.6 2005/10/30 19:50:24 hshoexer Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.7 2005/11/12 12:00:53 hshoexer Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -211,6 +211,14 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg)
{
struct sadb_sa *sa = (struct sadb_sa *)ext;
+ /* tunnel/transport is only meaningful for esp/ah/ipcomp */
+ if (msg->sadb_msg_satype != SADB_X_SATYPE_TCPSIGNATURE) {
+ if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
+ printf("tunnel ");
+ else
+ printf("transport ");
+ }
+
if (extensions[SADB_EXT_ADDRESS_SRC]) {
printf("from ");
print_addr(extensions[SADB_EXT_ADDRESS_SRC], msg);
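Review bot: The SA dump format changes here in a way the commit message does not mention: the mode is now printed before `from` as either `tunnel ` or `transport ` for every non-TCPSIGNATURE SA, while the later hunk in this file drops the old trailing ` tunnel`, so transport-mode SAs that previously printed nothing now gain a word and any consumer of `ipsecctl -s` output keyed on the old layout needs updating. A one-line comment above the new block stating that this mirrors the rule printer, e.g. `/* printed in the same position as ipsecctl_print_sa() so dump and rule output line up */`, would make the format coupling visible. print_sa continues past the end of the hunk.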
@@ -231,8 +239,6 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg)
printf(" auth %s", lookup_name(auth_types,
sa->sadb_sa_auth));
}
- if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
- printf(" tunnel");
printf("\n");
}
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index e6299ba0923..86ba2bf5768 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.28 2005/11/06 22:51:51 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.29 2005/11/12 12:00:53 hshoexer Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -47,7 +47,7 @@ static int pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t,
static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t,
struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
struct ipsec_transforms *, struct ipsec_key *,
- struct ipsec_key *);
+ struct ipsec_key *, u_int8_t);
static int pfkey_reply(int);
int pfkey_parse(struct sadb_msg *, struct ipsec_rule *);
int pfkey_ipsec_flush(void);
@@ -307,7 +307,7 @@ static int
pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,
struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
struct ipsec_transforms *xfs, struct ipsec_key *authkey,
- struct ipsec_key *enckey)
+ struct ipsec_key *enckey, u_int8_t tmode)
{
struct sadb_msg smsg;
struct sadb_sa sa;
@@ -358,6 +358,9 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,
sa.sadb_sa_spi = htonl(spi);
sa.sadb_sa_state = SADB_SASTATE_MATURE;
+ if (tmode == IPSEC_TUNNEL)
+ sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
+
if (xfs && xfs->authxf) {
switch (xfs->authxf->id) {
case AUTHXF_NONE:
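Review bot: `sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL` ORs into a field whose initialisation is outside the hunk; if `sa` is zeroed earlier in pfkey_sa, as the surrounding field assignments suggest, this is fine, otherwise a transport-mode SA could carry a stale tunnel bit into the kernel. Since the grammar defaults tmode to IPSEC_TUNNEL when the keyword is omitted, a short comment would help readers of this function, e.g. `/* tunnel is the grammar default; transport mode leaves the flag clear */`. pfkey_sa continues beyond the hunk.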
@@ -886,11 +889,12 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
switch (action) {
case ACTION_ADD:
ret = pfkey_sa(fd, satype, SADB_ADD, r->spi,
- r->src, r->dst, r->xfs, r->authkey, r->enckey);
+ r->src, r->dst, r->xfs, r->authkey, r->enckey,
+ r->tmode);
break;
case ACTION_DELETE:
ret = pfkey_sa(fd, satype, SADB_DELETE, r->spi,
- r->src, r->dst, r->xfs, NULL, NULL);
+ r->src, r->dst, r->xfs, NULL, NULL, r->tmode);
break;
default:
return -1;