diff options
author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2005-11-12 12:00:54 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2005-11-12 12:00:54 +0000 |
commit | 63ce3110ca26585d80f472054e98dc7773e807e7 (patch) | |
tree | 0d5e4df88a49c6d367c076097a29b54a66fcbe0b | |
parent | 02ffe946b7c40c8ecd5fac91ee755299fc2bacb9 (diff) |
handle transport/tunnel mode
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 6 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 6 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 50 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkdump.c | 12 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 14 |
5 files changed, 60 insertions, 28 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c index f8641570962..5704e78dfc0 100644 --- a/sbin/ipsecctl/ipsecctl.c +++ b/sbin/ipsecctl/ipsecctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.c,v 1.31 2005/11/06 22:51:51 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.c,v 1.32 2005/11/12 12:00:53 hshoexer Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -70,6 +70,7 @@ static const char *direction[] = {"?", "in", "out"}; static const char *flowtype[] = {"?", "use", "acquire", "require", "deny", "bypass", "dontacq"}; static const char *proto[] = {"?", "esp", "ah", "ipcomp", "tcpmd5"}; +static const char *tmode[] = {"?", "transport", "tunnel"}; static const char *auth[] = {"?", "psk", "rsa"}; int @@ -255,6 +256,9 @@ void ipsecctl_print_sa(struct ipsec_rule *r, int opts) { printf("%s ", proto[r->proto]); + /* tunnel/transport is only meaningful esp/ah/ipcomp */ + if (r->proto != IPSEC_TCPMD5) + printf("%s ", tmode[r->tmode]); printf("from "); ipsecctl_print_addr(r->src); printf(" to "); diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h index dbda9d40a75..e710d00495c 100644 --- a/sbin/ipsecctl/ipsecctl.h +++ b/sbin/ipsecctl/ipsecctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.h,v 1.20 2005/11/06 22:51:51 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.h,v 1.21 2005/11/12 12:00:53 hshoexer Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -43,6 +43,9 @@ enum { PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5 }; enum { + MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL +}; +enum { AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA }; enum { @@ -134,6 +137,7 @@ struct ipsec_rule { struct ipsec_key *enckey; u_int8_t proto; + u_int8_t tmode; u_int8_t direction; u_int8_t flowtype; u_int8_t ikemode; diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index 91e8e0d34ad..7d29595909d 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.33 2005/11/06 22:51:51 hshoexer Exp $ */ +/* $OpenBSD: parse.y,v 1.34 2005/11/12 12:00:53 hshoexer Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -120,8 +120,8 @@ struct ipsec_transforms *transforms(const char *, const char *, const char *); struct ipsec_transforms *copytransforms(const struct ipsec_transforms *); int validate_sa(u_int32_t, u_int8_t, struct ipsec_transforms *, struct ipsec_key *, - struct ipsec_key *); -struct ipsec_rule *create_sa(u_int8_t, struct ipsec_addr_wrap *, + struct ipsec_key *, u_int8_t); +struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, u_int32_t, struct ipsec_transforms *, struct ipsec_key *, struct ipsec_key *); @@ -142,8 +142,9 @@ typedef struct { u_int32_t number; u_int8_t ikemode; u_int8_t dir; - char *string; u_int8_t protocol; + u_int8_t tmode; + char *string; struct { struct ipsec_addr_wrap *src; struct ipsec_addr_wrap *dst; @@ -183,10 +184,11 @@ typedef struct { %token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI %token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE -%token ACTIVE ANY IPCOMP COMPXF +%token ACTIVE ANY IPCOMP COMPXF TUNNEL TRANSPORT %token <v.string> STRING %type <v.dir> dir %type <v.protocol> protocol +%type <v.tmode> tmode %type <v.number> number %type <v.hosts> hosts %type <v.peer> peer @@ -233,8 +235,8 @@ number : STRING { tcpmd5rule : TCPMD5 hosts spispec authkeyspec { struct ipsec_rule *r; - r = create_sa(IPSEC_TCPMD5, $2.src, $2.dst, $3.spiout, - NULL, $4.keyout, NULL); + r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, $2.src, + $2.dst, $3.spiout, NULL, $4.keyout, NULL); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; @@ -255,11 +257,12 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec { } ; -sarule : protocol hosts spispec transforms authkeyspec enckeyspec { +sarule : protocol tmode hosts spispec transforms authkeyspec + enckeyspec { struct ipsec_rule *r; - r = create_sa($1, $2.src, $2.dst, $3.spiout, $4, - $5.keyout, $6.keyout); + r = create_sa($1, $2, $3.src, $3.dst, $4.spiout, $5, + $6.keyout, $7.keyout); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; @@ -268,9 +271,9 @@ sarule : protocol hosts spispec transforms authkeyspec enckeyspec { errx(1, "sarule: ipsecctl_add_rule"); /* Create and add reverse SA rule. */ - if ($3.spiin != 0 || $5.keyin || $6.keyin) { - r = reverse_sa(r, $3.spiin, $5.keyin, - $6.keyin); + if ($4.spiin != 0 || $6.keyin || $7.keyin) { + r = reverse_sa(r, $4.spiin, $6.keyin, + $7.keyin); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; @@ -323,6 +326,11 @@ protocol : /* empty */ { $$ = IPSEC_ESP; } | IPCOMP { $$ = IPSEC_IPCOMP; } ; +tmode : /* empty */ { $$ = IPSEC_TUNNEL; } + | TUNNEL { $$ = IPSEC_TUNNEL; } + | TRANSPORT { $$ = IPSEC_TRANSPORT; } + ; + dir : /* empty */ { $$ = IPSEC_INOUT; } | IN { $$ = IPSEC_IN; } | OUT { $$ = IPSEC_OUT; } @@ -616,6 +624,8 @@ lookup(char *s) { "srcid", SRCID}, { "tcpmd5", TCPMD5}, { "to", TO}, + { "transport", TRANSPORT}, + { "tunnel", TUNNEL}, }; const struct keywords *p; @@ -1183,7 +1193,7 @@ copytransforms(const struct ipsec_transforms *xfs) int validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, - struct ipsec_key *authkey, struct ipsec_key *enckey) + struct ipsec_key *authkey, struct ipsec_key *enckey, u_int8_t tmode) { /* Sanity checks */ if (spi == 0) { @@ -1220,7 +1230,8 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, if (!xfs->compxf) xfs->compxf = &compxfs[COMPXF_DEFLATE]; } - if (protocol == IPSEC_TCPMD5 && authkey == NULL) { + if (protocol == IPSEC_TCPMD5 && authkey == NULL && tmode != + IPSEC_TRANSPORT) { yyerror("authentication key needed for tcpmd5"); return (0); } @@ -1258,13 +1269,13 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs, } struct ipsec_rule * -create_sa(u_int8_t protocol, struct ipsec_addr_wrap *src, struct +create_sa(u_int8_t protocol, u_int8_t tmode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_transforms *xfs, struct ipsec_key *authkey, struct ipsec_key *enckey) { struct ipsec_rule *r; - if (validate_sa(spi, protocol, xfs, authkey, enckey) == 0) + if (validate_sa(spi, protocol, xfs, authkey, enckey, tmode) == 0) return (NULL); r = calloc(1, sizeof(struct ipsec_rule)); @@ -1273,6 +1284,7 @@ create_sa(u_int8_t protocol, struct ipsec_addr_wrap *src, struct r->type |= RULE_SA; r->proto = protocol; + r->tmode = tmode; r->src = src; r->dst = dst; r->spi = spi; @@ -1289,7 +1301,8 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, { struct ipsec_rule *reverse; - if (validate_sa(spi, rule->proto, rule->xfs, authkey, enckey) == 0) + if (validate_sa(spi, rule->proto, rule->xfs, authkey, enckey, + rule->tmode) == 0) return (NULL); reverse = calloc(1, sizeof(struct ipsec_rule)); @@ -1298,6 +1311,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, reverse->type |= RULE_SA; reverse->proto = rule->proto; + reverse->tmode = rule->tmode; reverse->src = copyhost(rule->dst); reverse->dst = copyhost(rule->src); reverse->spi = spi; diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c index f2cb74f8ebb..1d930404a9d 100644 --- a/sbin/ipsecctl/pfkdump.c +++ b/sbin/ipsecctl/pfkdump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkdump.c,v 1.6 2005/10/30 19:50:24 hshoexer Exp $ */ +/* $OpenBSD: pfkdump.c,v 1.7 2005/11/12 12:00:53 hshoexer Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. @@ -211,6 +211,14 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg) { struct sadb_sa *sa = (struct sadb_sa *)ext; + /* tunnel/transport is only meaningful for esp/ah/ipcomp */ + if (msg->sadb_msg_satype != SADB_X_SATYPE_TCPSIGNATURE) { + if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL) + printf("tunnel "); + else + printf("transport "); + } + if (extensions[SADB_EXT_ADDRESS_SRC]) { printf("from "); print_addr(extensions[SADB_EXT_ADDRESS_SRC], msg); @@ -231,8 +239,6 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg) printf(" auth %s", lookup_name(auth_types, sa->sadb_sa_auth)); } - if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL) - printf(" tunnel"); printf("\n"); } diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c index e6299ba0923..86ba2bf5768 100644 --- a/sbin/ipsecctl/pfkey.c +++ b/sbin/ipsecctl/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.28 2005/11/06 22:51:51 hshoexer Exp $ */ +/* $OpenBSD: pfkey.c,v 1.29 2005/11/12 12:00:53 hshoexer Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org> @@ -47,7 +47,7 @@ static int pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t, static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_transforms *, struct ipsec_key *, - struct ipsec_key *); + struct ipsec_key *, u_int8_t); static int pfkey_reply(int); int pfkey_parse(struct sadb_msg *, struct ipsec_rule *); int pfkey_ipsec_flush(void); @@ -307,7 +307,7 @@ static int pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct ipsec_transforms *xfs, struct ipsec_key *authkey, - struct ipsec_key *enckey) + struct ipsec_key *enckey, u_int8_t tmode) { struct sadb_msg smsg; struct sadb_sa sa; @@ -358,6 +358,9 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, sa.sadb_sa_spi = htonl(spi); sa.sadb_sa_state = SADB_SASTATE_MATURE; + if (tmode == IPSEC_TUNNEL) + sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; + if (xfs && xfs->authxf) { switch (xfs->authxf->id) { case AUTHXF_NONE: @@ -886,11 +889,12 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r) switch (action) { case ACTION_ADD: ret = pfkey_sa(fd, satype, SADB_ADD, r->spi, - r->src, r->dst, r->xfs, r->authkey, r->enckey); + r->src, r->dst, r->xfs, r->authkey, r->enckey, + r->tmode); break; case ACTION_DELETE: ret = pfkey_sa(fd, satype, SADB_DELETE, r->spi, - r->src, r->dst, r->xfs, NULL, NULL); + r->src, r->dst, r->xfs, NULL, NULL, r->tmode); break; default: return -1; |