author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2005-08-08 09:15:10 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2005-08-08 09:15:10 +0000 |
commit | 6c28c8a324a71c55a562e7a02f11c5f282ad80d4 (patch) | |
tree | 73171e213cf3d31f645896e501f80543694fec67 | |
parent | 1ed298baad8fd9e46b82688df22bd56e4cd21ae2 (diff) |
prepare for static keying
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 16 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 10 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 36 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 10 |
4 files changed, 48 insertions, 24 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index 56e6b3923f0..465e2b85c18 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.22 2005/08/05 14:39:02 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.23 2005/08/08 09:15:09 hshoexer Exp $ */
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -64,11 +64,10 @@ static const char *showopt_list[] = {
 	"flow", "sa", "all", NULL
 };
 
-static const char *ruletype[] = {"?", "flow", "tcpmd5"};
 static const char *direction[] = {"?", "in", "out"};
 static const char *flowtype[] = {"?", "use", "acquire", "require", "deny",
     "bypass", "dontacq"};
-static const char *proto[] = {"?", "esp", "ah"};
+static const char *proto[] = {"?", "esp", "ah", "ipcomp", "tcpmd5"};
 static const char *auth[] = {"?", "psk", "rsa"};
 
 int
@@ -216,7 +215,7 @@ ipsecctl_print_key(struct ipsec_key *key)
 void
 ipsecctl_print_flow(struct ipsec_rule *r, int opts)
 {
-	printf(" %s %s", proto[r->proto], direction[r->direction]);
+	printf("flow %s %s", proto[r->proto], direction[r->direction]);
 
 	printf(" from ");
 	ipsecctl_print_addr(r->src);
@@ -241,7 +240,8 @@ ipsecctl_print_flow(struct ipsec_rule *r, int opts)
 void
 ipsecctl_print_sa(struct ipsec_rule *r, int opts)
 {
-	printf(" from ");
+	printf("%s ", proto[r->proto]);
+	printf("from ");
 	ipsecctl_print_addr(r->src);
 	printf(" to ");
 	ipsecctl_print_addr(r->dst);
@@ -250,6 +250,10 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)
 		printf(" authkey 0x");
 		ipsecctl_print_key(r->authkey);
 	}
+	if (r->enckey) {
+		printf(" enckey 0x");
+		ipsecctl_print_key(r->enckey);
+	}
 }
 
 void
@@ -258,8 +262,6 @@ ipsecctl_print_rule(struct ipsec_rule *r, int opts)
 	if (opts & IPSECCTL_OPT_VERBOSE2)
 		printf("@%d ", r->nr);
 
-	printf("%s", ruletype[r->type]);
-
 	if (r->type & RULE_FLOW)
 		ipsecctl_print_flow(r, opts);
 	if (r->type & RULE_SA)
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 21fb2532862..e9a6eca54d1 100644
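Review bot: The `proto[]` table grown in the @@ -64 hunk is indexed by `r->proto` in the @@ -216 and @@ -241 hunks with no range check, and its order must now match the `PROTO_UNKNOWN … IPSEC_TCPMD5` enum in ipsecctl.h by hand; this commit extends both in step, but nothing in the code ties them together. A comment above the table, e.g. `/* indexed by r->proto; order must match the PROTO_UNKNOWN..IPSEC_TCPMD5 enum in ipsecctl.h */`, would make the coupling visible to whoever adds the next protocol. If a printer-side guard is wanted, `sizeof(proto) / sizeof(proto[0])` is the bound to compare against rather than a literal count, but validating the value once where the rule is created is the cleaner place.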
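Review bot: The new `enckey` block in the @@ -250 hunk writes the encryption key to stdout under the same unconditional `if (r->enckey)` as the existing auth key, so any listing produced by ipsecctl_print_sa (its callers are outside this hunk) now exposes both secrets to anyone who can read that output or a log of it. `opts` is a parameter of ipsecctl_print_sa but is not consulted anywhere in the visible lines; gating both key printers on an explicit show-keys option, e.g. `if (r->enckey && (opts & <SHOWKEY_FLAG>))` with `<SHOWKEY_FLAG>` a placeholder for a flag to be added next to IPSECCTL_OPT_VERBOSE2, would keep the default listing free of key material. The matching authkey block begins just above the hunk and would need the same change.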
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.13 2005/08/05 14:39:02 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.14 2005/08/08 09:15:09 hshoexer Exp $ */
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -35,7 +35,7 @@ enum {
 	DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
 };
 enum {
-	PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP
+	PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP, IPSEC_TCPMD5
 };
 enum {
 	AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
@@ -47,6 +47,12 @@ enum {
 	TYPE_UNKNOWN, TYPE_USE, TYPE_ACQUIRE, TYPE_REQUIRE, TYPE_DENY, TYPE_BYPASS,
 	TYPE_DONTACQ
 };
+enum {
+	ENC_NONE
+};
+enum {
+	AUTH_NONE
+};
 
 struct ipsec_addr {
 	struct in_addr v4;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 15dad5789e0..dbc98420294 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.18 2005/08/05 15:44:57 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.19 2005/08/08 09:15:09 hshoexer Exp $ */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -78,11 +78,11 @@ struct ipsec_key *parsekey(unsigned char *, size_t);
 struct ipsec_key *parsekeyfile(char *);
 struct ipsec_addr *host(const char *);
 struct ipsec_addr *copyhost(const struct ipsec_addr *);
-struct ipsec_rule *create_sa(struct ipsec_addr *, struct ipsec_addr *,
-		    u_int32_t, struct ipsec_key *);
-
+struct ipsec_rule *create_sa(u_int8_t, struct ipsec_addr *,
+		    struct ipsec_addr *, u_int32_t, u_int16_t,
+		    u_int16_t, struct ipsec_key *, struct ipsec_key *);
 struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
-		    struct ipsec_key *);
+		    struct ipsec_key *, struct ipsec_key *);
 struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr *,
 		    struct ipsec_addr *, struct ipsec_addr *, u_int8_t, char *,
 		    char *, u_int16_t);
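Review bot: `AUTH_NONE` in the @@ -47 hunk is declared in a fresh anonymous enum and therefore has the value 0, the same as `AUTH_UNKNOWN` from the `AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA` enum a few lines above; nothing in the names says that one is an IKE authentication method and the other the authentication transform of a statically keyed SA, and once either is passed through the plain `u_int16_t` parameters of the new create_sa prototype (parse.y @@ -78 hunk) the compiler cannot tell them apart. A one-line comment on each new enum, e.g. `/* auth/enc transforms for statically keyed SAs (create_sa authxf/encxf), not the IKE auth methods above */`, would prevent the mix-up; giving the constants a distinct prefix (something like `AUTHXF_`/`ENCXF_`, a naming choice for the author) would be the stronger fix.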
@@ -174,7 +174,8 @@ number : STRING {
 tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
 			struct ipsec_rule *r;
 
-			r = create_sa($2.src, $2.dst, $3.spiout, $4.keyout);
+			r = create_sa(IPSEC_TCPMD5, $2.src, $2.dst, $3.spiout,
+			    AUTH_NONE, ENC_NONE, $4.keyout, NULL);
 			if (r == NULL)
 				YYERROR;
 			r->nr = ipsec->rule_nr++;
@@ -184,7 +185,7 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
 
 			/* Create and add reverse SA rule. */
 			if ($3.spiin != 0 || $4.keyin != NULL) {
-				r = reverse_sa(r, $3.spiin, $4.keyin);
+				r = reverse_sa(r, $3.spiin, $4.keyin, NULL);
 				if (r == NULL)
 					YYERROR;
 				r->nr = ipsec->rule_nr++;
@@ -866,12 +867,15 @@ copyhost(const struct ipsec_addr *src)
 }
 
 struct ipsec_rule *
-create_sa(struct ipsec_addr *src, struct ipsec_addr *dst, u_int32_t spi,
-    struct ipsec_key *authkey)
+create_sa(u_int8_t protocol, struct ipsec_addr *src, struct ipsec_addr *dst,
+    u_int32_t spi, u_int16_t authxf, u_int16_t encxf,
+    struct ipsec_key *authkey, struct ipsec_key *enckey)
 {
 	struct ipsec_rule *r;
 
-	if (spi == 0 || authkey == NULL)
+	if (spi == 0)
+		return (NULL);
+	if (protocol == IPSEC_TCPMD5 && authkey == NULL)
 		return (NULL);
 
 	r = calloc(1, sizeof(struct ipsec_rule));
@@ -879,21 +883,25 @@ create_sa(struct ipsec_addr *src, struct ipsec_addr *dst, u_int32_t spi,
 		err(1, "calloc");
 
 	r->type |= RULE_SA;
-
+	r->proto = protocol;
 	r->src = src;
 	r->dst = dst;
 	r->spi = spi;
 	r->authkey = authkey;
+	r->enckey = enckey;
 
 	return r;
 }
 
 struct ipsec_rule *
-reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey)
+reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
+    struct ipsec_key *enckey)
 {
 	struct ipsec_rule *reverse;
 
-	if (spi == 0 || authkey == NULL)
+	if (spi == 0)
+		return (NULL);
+	if (rule->proto == IPSEC_TCPMD5 && authkey == NULL)
 		return (NULL);
 
 	reverse = calloc(1, sizeof(struct ipsec_rule));
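Review bot: In the @@ -866 hunk `create_sa` checks `protocol` only against `IPSEC_TCPMD5`, yet the value is stored unchanged into `r->proto` (next hunk) and later used as an index into the `proto[]` table in ipsecctl.c; the only caller in this commit passes `IPSEC_TCPMD5`, so the problem is latent, but the rule constructor is the right place for a range check such as `if (protocol == PROTO_UNKNOWN || protocol > IPSEC_TCPMD5) return (NULL);`. The new `authxf` and `encxf` parameters are not referenced in the visible body and are not stored into the rule in the @@ -879 hunk, which is presumably intentional for "prepare for static keying"; a short `/* authxf/encxf: transforms for static keying, not consumed yet */` above the signature would save the next reader from hunting for their use. The TCPMD5 branch also accepts a non-NULL `enckey` for a TCP-MD5 SA; whether that should be rejected depends on pfkey.c, which I cannot see from here. create_sa's body continues in the @@ -879 hunk.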
@@ -901,10 +909,12 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey)
 		err(1, "calloc");
 
 	reverse->type |= RULE_SA;
+	reverse->proto = rule->proto;
 	reverse->src = copyhost(rule->dst);
 	reverse->dst = copyhost(rule->src);
 	reverse->spi = spi;
 	reverse->authkey = authkey;
+	reverse->enckey = enckey;
 
 	return (reverse);
 }
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 2a4b0314b75..b78d364620f 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.19 2005/08/05 14:39:02 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.20 2005/08/08 09:15:09 hshoexer Exp $ */
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
  * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -758,7 +758,13 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
 			return -1;
 		}
 	} else if (r->type == RULE_SA) {
-		satype = SADB_X_SATYPE_TCPSIGNATURE;
+		switch (r->proto) {
+		case IPSEC_TCPMD5:
+			satype = SADB_X_SATYPE_TCPSIGNATURE;
+			break;
+		default:
+			return -1;
+		}
 		switch (action) {
 		case PFK_ACTION_ADD:
 			ret = pfkey_sa(fd, satype, SADB_ADD, r->spi, |
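Review bot: The `default: return -1;` added in the @@ -758 hunk fails without any diagnostic, so an SA rule whose `r->proto` is not `IPSEC_TCPMD5` is dropped and the user sees only whatever the caller of pfkey_ipsec_establish reports, which is outside this hunk. The flow branch just above also returns -1 and I cannot see whether it warns first; for symmetry, consider `warnx("unsupported protocol %d", r->proto);` ahead of the return, provided `<err.h>` is already included in pfkey.c (not visible here). Leaving `satype` unassigned on that path is only safe because of the early return, so a comment on the default case such as `/* only TCP-MD5 SAs are supported until static keying is wired up */` would document the intent. pfkey_ipsec_establish continues past the end of the hunk.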