authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-08-08 09:15:10 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-08-08 09:15:10 +0000
commit6c28c8a324a71c55a562e7a02f11c5f282ad80d4 (patch)
tree73171e213cf3d31f645896e501f80543694fec67
parent1ed298baad8fd9e46b82688df22bd56e4cd21ae2 (diff)
prepare for static keying
-rw-r--r--sbin/ipsecctl/ipsecctl.c16
-rw-r--r--sbin/ipsecctl/ipsecctl.h10
-rw-r--r--sbin/ipsecctl/parse.y36
-rw-r--r--sbin/ipsecctl/pfkey.c10
4 files changed, 48 insertions, 24 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index 56e6b3923f0..465e2b85c18 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.22 2005/08/05 14:39:02 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.23 2005/08/08 09:15:09 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -64,11 +64,10 @@ static const char *showopt_list[] = {
"flow", "sa", "all", NULL
};
-static const char *ruletype[] = {"?", "flow", "tcpmd5"};
static const char *direction[] = {"?", "in", "out"};
static const char *flowtype[] = {"?", "use", "acquire", "require", "deny",
"bypass", "dontacq"};
-static const char *proto[] = {"?", "esp", "ah"};
+static const char *proto[] = {"?", "esp", "ah", "ipcomp", "tcpmd5"};
static const char *auth[] = {"?", "psk", "rsa"};
int
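Review bot: The proto[] table is indexed directly by r->proto in ipsecctl_print_flow and ipsecctl_print_sa with no bounds check, so it must have exactly one entry per value of the protocol enum in ipsecctl.h; this hunk brings it to five entries, matching the enum as extended in the same commit, but nothing ties the two together. A comment on the table, `/* indexed by the PROTO_UNKNOWN..IPSEC_TCPMD5 enum in ipsecctl.h; keep in sync */`, would make the coupling visible. A cheap guard in the printers, `r->proto < sizeof(proto) / sizeof(proto[0]) ? proto[r->proto] : "?"`, would turn a future mismatch into a printed "?" rather than an out-of-bounds read.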
@@ -216,7 +215,7 @@ ipsecctl_print_key(struct ipsec_key *key)
void
ipsecctl_print_flow(struct ipsec_rule *r, int opts)
{
- printf(" %s %s", proto[r->proto], direction[r->direction]);
+ printf("flow %s %s", proto[r->proto], direction[r->direction]);
printf(" from ");
ipsecctl_print_addr(r->src);
@@ -241,7 +240,8 @@ ipsecctl_print_flow(struct ipsec_rule *r, int opts)
void
ipsecctl_print_sa(struct ipsec_rule *r, int opts)
{
- printf(" from ");
+ printf("%s ", proto[r->proto]);
+ printf("from ");
ipsecctl_print_addr(r->src);
printf(" to ");
ipsecctl_print_addr(r->dst);
@@ -250,6 +250,10 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)
printf(" authkey 0x");
ipsecctl_print_key(r->authkey);
}
+ if (r->enckey) {
+ printf(" enckey 0x");
+ ipsecctl_print_key(r->enckey);
+ }
}
void
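Review bot: Printing the encryption key in ipsecctl_print_sa puts secret key material into the rule dump, and unlike the @nr prefix in ipsecctl_print_rule it is not gated on a verbosity flag even though `opts` is passed in and unused for the key lines. This follows the existing authkey output, so it is consistent, but once static ESP keying is wired up the dump will contain the keys that protect traffic; consider gating both key lines, e.g. `if (r->enckey && (opts & IPSECCTL_OPT_VERBOSE2))`, or documenting that the dump includes keys. Where the dump ends up (terminal, log, pipe) is not visible from this hunk.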
@@ -258,8 +262,6 @@ ipsecctl_print_rule(struct ipsec_rule *r, int opts)
if (opts & IPSECCTL_OPT_VERBOSE2)
printf("@%d ", r->nr);
- printf("%s", ruletype[r->type]);
-
if (r->type & RULE_FLOW)
ipsecctl_print_flow(r, opts);
if (r->type & RULE_SA)
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 21fb2532862..e9a6eca54d1 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.13 2005/08/05 14:39:02 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.14 2005/08/08 09:15:09 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -35,7 +35,7 @@ enum {
DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
};
enum {
- PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP
+ PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP, IPSEC_TCPMD5
};
enum {
AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
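Review bot: Adding IPSEC_TCPMD5 to the protocol enum changes the required size of the proto[] string table in ipsecctl.c, which is indexed by these values; the commit does update the table, but the header gives no hint of the dependency. Suggest a comment on the enum, `/* order must match proto[] in ipsecctl.c */`. Since tcpmd5 is mapped to its own PF_KEY satype in pfkey.c rather than to an IPsec protocol, a short note that it is a TCP signature SA rather than ESP/AH would also help readers of r->proto.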
@@ -47,6 +47,12 @@ enum {
TYPE_UNKNOWN, TYPE_USE, TYPE_ACQUIRE, TYPE_REQUIRE, TYPE_DENY,
TYPE_BYPASS, TYPE_DONTACQ
};
+enum {
+ ENC_NONE
+};
+enum {
+ AUTH_NONE
+};
struct ipsec_addr {
struct in_addr v4;
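Review bot: AUTH_NONE and ENC_NONE are both bare value 0 in single-member anonymous enums, and AUTH_NONE lands next to an existing enum where AUTH_UNKNOWN is also 0 and AUTH_PSK/AUTH_RSA denote authentication methods rather than transforms; since all of these are plain ints, passing one where the other is expected compiles silently. The create_sa parameters they feed are named authxf and encxf, so naming the constants after the transform, `AUTHXF_NONE` and `ENCXF_NONE`, and giving each enum an explicit unknown value as the other enums in this header do, would keep the two namespaces apart. This is a naming point; the values are correct for the single caller in parse.y.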
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 15dad5789e0..dbc98420294 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.18 2005/08/05 15:44:57 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.19 2005/08/08 09:15:09 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -78,11 +78,11 @@ struct ipsec_key *parsekey(unsigned char *, size_t);
struct ipsec_key *parsekeyfile(char *);
struct ipsec_addr *host(const char *);
struct ipsec_addr *copyhost(const struct ipsec_addr *);
-struct ipsec_rule *create_sa(struct ipsec_addr *, struct ipsec_addr *,
- u_int32_t, struct ipsec_key *);
-
+struct ipsec_rule *create_sa(u_int8_t, struct ipsec_addr *,
+ struct ipsec_addr *, u_int32_t, u_int16_t,
+ u_int16_t, struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
- struct ipsec_key *);
+ struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr *, struct
ipsec_addr *, struct ipsec_addr *, u_int8_t,
char *, char *, u_int16_t);
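Review bot: create_sa now takes eight positional parameters, two of which (authxf, encxf) are adjacent and share the type u_int16_t, and the only caller passes 0 for both, so a transposition would neither fail to compile nor be caught at runtime. A one-line comment on the prototype naming the order, `/* proto, src, dst, spi, authxf, encxf, authkey, enckey */`, or a small struct carrying the keying parameters, would help once ESP/AH callers with real transform values appear. The same applies to reverse_sa's new trailing enckey argument next to authkey.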
@@ -174,7 +174,8 @@ number : STRING {
tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
struct ipsec_rule *r;
- r = create_sa($2.src, $2.dst, $3.spiout, $4.keyout);
+ r = create_sa(IPSEC_TCPMD5, $2.src, $2.dst, $3.spiout,
+ AUTH_NONE, ENC_NONE, $4.keyout, NULL);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -184,7 +185,7 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
/* Create and add reverse SA rule. */
if ($3.spiin != 0 || $4.keyin != NULL) {
- r = reverse_sa(r, $3.spiin, $4.keyin);
+ r = reverse_sa(r, $3.spiin, $4.keyin, NULL);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -866,12 +867,15 @@ copyhost(const struct ipsec_addr *src)
}
struct ipsec_rule *
-create_sa(struct ipsec_addr *src, struct ipsec_addr *dst, u_int32_t spi,
- struct ipsec_key *authkey)
+create_sa(u_int8_t protocol, struct ipsec_addr *src, struct ipsec_addr *dst,
+ u_int32_t spi, u_int16_t authxf, u_int16_t encxf,
+ struct ipsec_key *authkey, struct ipsec_key *enckey)
{
struct ipsec_rule *r;
- if (spi == 0 || authkey == NULL)
+ if (spi == 0)
+ return (NULL);
+ if (protocol == IPSEC_TCPMD5 && authkey == NULL)
return (NULL);
r = calloc(1, sizeof(struct ipsec_rule));
@@ -879,21 +883,25 @@ create_sa(struct ipsec_addr *src, struct ipsec_addr *dst, u_int32_t spi,
err(1, "calloc");
r->type |= RULE_SA;
-
+ r->proto = protocol;
r->src = src;
r->dst = dst;
r->spi = spi;
r->authkey = authkey;
+ r->enckey = enckey;
return r;
}
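Review bot: authxf and encxf are accepted by create_sa but never stored or validated — no field of r is assigned from them in this hunk — and the key-presence check now only covers IPSEC_TCPMD5, so with the new signature an ESP or AH SA with authkey == NULL and enckey == NULL would be created successfully. Nothing in the visible grammar produces such a rule yet, and pfkey_ipsec_establish rejects non-tcpmd5 SAs, but that is a second line of defense rather than validation at the source. Suggest rejecting keyless SAs for every protocol now, `if (authkey == NULL && enckey == NULL) return (NULL);`, plus an `/* XXX authxf/encxf not yet recorded in the rule */` comment until the struct gains the fields. The NULL returns also drop the caller-allocated src, dst and key objects; presumably harmless because YYERROR aborts the parse, but worth confirming.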
struct ipsec_rule *
-reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey)
+reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
+ struct ipsec_key *enckey)
{
struct ipsec_rule *reverse;
- if (spi == 0 || authkey == NULL)
+ if (spi == 0)
+ return (NULL);
+ if (rule->proto == IPSEC_TCPMD5 && authkey == NULL)
return (NULL);
reverse = calloc(1, sizeof(struct ipsec_rule));
@@ -901,10 +909,12 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey)
err(1, "calloc");
reverse->type |= RULE_SA;
+ reverse->proto = rule->proto;
reverse->src = copyhost(rule->dst);
reverse->dst = copyhost(rule->src);
reverse->spi = spi;
reverse->authkey = authkey;
+ reverse->enckey = enckey;
return (reverse);
}
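Review bot: The key-presence check in reverse_sa duplicates the one in create_sa (`spi == 0`, then `proto == IPSEC_TCPMD5 && authkey == NULL`), so the two will drift as ESP/AH handling is added to one and not the other. Factoring it into one static helper, e.g. `static int sa_keys_valid(u_int8_t proto, struct ipsec_key *authkey, struct ipsec_key *enckey)`, called by both would hold forward and reverse SAs to the same rule. The reverse SA also accepts a non-NULL enckey for a tcpmd5 rule without complaint; the only caller passes NULL, so this is latent.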
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 2a4b0314b75..b78d364620f 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.19 2005/08/05 14:39:02 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.20 2005/08/08 09:15:09 hshoexer Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -758,7 +758,13 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
return -1;
}
} else if (r->type == RULE_SA) {
- satype = SADB_X_SATYPE_TCPSIGNATURE;
+ switch (r->proto) {
+ case IPSEC_TCPMD5:
+ satype = SADB_X_SATYPE_TCPSIGNATURE;
+ break;
+ default:
+ return -1;
+ }
switch (action) {
case PFK_ACTION_ADD:
ret = pfkey_sa(fd, satype, SADB_ADD, r->spi,
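Review bot: The new `default: return -1;` in the satype switch fails without any diagnostic, so an SA rule whose proto is not tcpmd5 is silently not installed while the caller only sees -1; the IPSEC_TCPMD5 case is the only one reachable from the current grammar, but that will change with static ESP/AH keying. Suggest `warnx("unsupported SA protocol %d", r->proto);` before the return, assuming <err.h> is already included in this file, which the hunk does not show. The enclosing pfkey_ipsec_establish and the pfkey_sa call continue outside the hunk; note also that the `r->type == RULE_SA` test differs from the bitmask test `r->type & RULE_SA` used in ipsecctl_print_rule, which matters if a rule ever carries both flags.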