authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-10-30 19:50:25 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2005-10-30 19:50:25 +0000
commit91398d4504c457003e896acbf5f781048215dafc (patch)
treea95971356f9032bcc6fb44fbb48e03b8128c9050
parentca05097b98440835495e82aa7e6818085ab4e93e (diff)
add support for ipcomp.
-rw-r--r--sbin/ipsecctl/ipsecctl.c4
-rw-r--r--sbin/ipsecctl/ipsecctl.h10
-rw-r--r--sbin/ipsecctl/parse.y49
-rw-r--r--sbin/ipsecctl/pfkdump.c17
-rw-r--r--sbin/ipsecctl/pfkey.c27
5 files changed, 82 insertions, 25 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index eb9abd39854..80ad8e7c81f 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.28 2005/10/28 07:18:47 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.29 2005/10/30 19:50:23 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -268,6 +268,8 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)
printf(" auth %s", r->xfs->authxf->name);
if (r->xfs && r->xfs->encxf)
printf(" enc %s", r->xfs->encxf->name);
+ if (r->xfs && r->xfs->compxf)
+ printf(" comp %s", r->xfs->compxf->name);
}
if (r->authkey) {
if (r->proto == IPSEC_TCPMD5)
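Review bot: The two added lines repeat the `r->xfs &&` guard that the auth and enc prints above already carry, so the same pointer is tested three times in a row. If the enclosing block is not already conditioned on `r->xfs`, a single `if (r->xfs) { ... }` around the three `printf` calls reads better and keeps the next transform addition from copying the pattern a fourth time. ipsecctl_print_sa starts and ends outside the hunk, so I cannot see whether such an outer check exists.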
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 1d005f1e9b4..88725c879ee 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.17 2005/08/22 17:26:46 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.18 2005/10/30 19:50:23 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -40,7 +40,7 @@ enum {
DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
};
enum {
- PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP, IPSEC_TCPMD5
+ PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5
};
enum {
AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
@@ -58,10 +58,13 @@ enum {
AUTHXF_HMAC_SHA2_512, AUTHXF_MD5, AUTHXF_SHA1
};
enum {
- ENCXF_UNKNOWN,ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,
+ ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,
ENCXF_AESCTR, ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_NULL, ENCXF_SKIPJACK
};
enum {
+ COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
+};
+enum {
IKE_ACTIVE, IKE_PASSIVE
};
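Review bot: The new COMPXF enum is used as a direct index into the compxfs[] table added in parse.y (the validate_sa hunk does `&compxfs[COMPXF_DEFLATE]`), so the enum order and the table order must stay in lockstep, but nothing records that coupling on either side. Suggest `/* order must match compxfs[] in parse.y */` on this enum and a mirror comment on the table in the parse.y hunk that adds it. Unlike authxfs/encxfs, which this header exports via `extern` (visible in the next hunk), compxfs[] gets no declaration here; if the table is only meant for parse.y, making it `static` there would state that, otherwise an `extern const struct ipsec_xf compxfs[];` keeps the three tables consistent.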
@@ -98,6 +101,7 @@ struct ipsec_xf {
struct ipsec_transforms {
const struct ipsec_xf *authxf;
const struct ipsec_xf *encxf;
+ const struct ipsec_xf *compxf;
};
extern const struct ipsec_xf authxfs[];
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 72c44251029..aefada102e8 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.29 2005/10/28 07:18:47 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.30 2005/10/30 19:50:23 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -78,6 +78,13 @@ const struct ipsec_xf encxfs[] = {
{NULL, 0, 0, 0},
};
+const struct ipsec_xf compxfs[] = {
+ {"unknown", COMPXF_UNKNOWN, 0, 0},
+ {"deflate", COMPXF_DEFLATE, 0, 0},
+ {"lzs", COMPXF_LZS, 0, 0},
+ {NULL, 0, 0, 0},
+};
+
int yyerror(const char *, ...);
int yyparse(void);
int kw_cmp(const void *, const void *);
@@ -106,9 +113,12 @@ struct ipsec_key *parsekey(unsigned char *, size_t);
struct ipsec_key *parsekeyfile(char *);
struct ipsec_addr *host(const char *);
struct ipsec_addr *host_v4(const char *, int);
+#if 0
+struct ipsec_addr *host_if(const char *, int);
+#endif
struct ipsec_addr *copyhost(const struct ipsec_addr *);
const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *);
-struct ipsec_transforms *transforms(const char *, const char *);
+struct ipsec_transforms *transforms(const char *, const char *, const char *);
struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);
int validate_sa(u_int32_t, u_int8_t,
struct ipsec_transforms *, struct ipsec_key *,
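Review bot: The `#if 0` / `#endif` block around the host_if prototype is disabled code unrelated to ipcomp support and should not ride along in this commit. If it marks planned work, a one-line `/* XXX host_if() not implemented yet */` says so more clearly than a prototype the compiler never sees; otherwise drop the three lines. The transforms() prototype change in the same hunk is fine and matches the definition changed further down.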
@@ -174,7 +184,7 @@ typedef struct {
%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE
-%token ACTIVE ANY
+%token ACTIVE ANY IPCOMP COMPXF
%token <v.string> STRING
%type <v.dir> dir
%type <v.protocol> protocol
@@ -220,7 +230,6 @@ number : STRING {
$$ = (u_int32_t)ulval;
free($1);
}
- ;
tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
struct ipsec_rule *r;
@@ -312,6 +321,7 @@ ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids {
protocol : /* empty */ { $$ = IPSEC_ESP; }
| ESP { $$ = IPSEC_ESP; }
| AH { $$ = IPSEC_AH; }
+ | IPCOMP { $$ = IPSEC_IPCOMP; }
;
dir : /* empty */ { $$ = IPSEC_INOUT; }
@@ -434,7 +444,7 @@ transforms : /* empty */ {
$$ = xfs;
}
| AUTHXF STRING ENCXF STRING {
- if (($$ = transforms($2, $4)) == NULL) {
+ if (($$ = transforms($2, $4, NULL)) == NULL) {
free($2);
free($4);
yyerror("could not parse transforms");
@@ -444,7 +454,7 @@ transforms : /* empty */ {
free($4);
}
| AUTHXF STRING {
- if (($$ = transforms($2, NULL)) == NULL) {
+ if (($$ = transforms($2, NULL, NULL)) == NULL) {
free($2);
yyerror("could not parse transforms");
YYERROR;
@@ -452,7 +462,15 @@ transforms : /* empty */ {
free($2);
}
| ENCXF STRING {
- if (($$ = transforms(NULL, $2)) == NULL) {
+ if (($$ = transforms(NULL, $2, NULL)) == NULL) {
+ free($2);
+ yyerror("could not parse transforms");
+ YYERROR;
+ }
+ free($2);
+ }
+ | COMPXF STRING {
+ if (($$ = transforms(NULL, NULL, $2)) == NULL) {
free($2);
yyerror("could not parse transforms");
YYERROR;
@@ -577,6 +595,7 @@ lookup(char *s)
{ "any", ANY},
{ "auth", AUTHXF},
{ "authkey", AUTHKEY},
+ { "comp", COMPXF},
{ "dstid", DSTID},
{ "enc", ENCXF},
{ "enckey", ENCKEY},
@@ -586,6 +605,7 @@ lookup(char *s)
{ "from", FROM},
{ "ike", IKE},
{ "in", IN},
+ { "ipcomp", IPCOMP},
{ "main", MAIN},
{ "out", OUT},
{ "passive", PASSIVE},
@@ -1095,7 +1115,7 @@ parse_xf(const char *name, const struct ipsec_xf xfs[])
}
struct ipsec_transforms *
-transforms(const char *authname, const char *encname)
+transforms(const char *authname, const char *encname, const char *compname)
{
struct ipsec_transforms *xfs;
@@ -1113,6 +1133,11 @@ transforms(const char *authname, const char *encname)
if (xfs->encxf == NULL)
yyerror("%s not a valid transform", encname);
}
+ if (compname) {
+ xfs->compxf = parse_xf(compname, compxfs);
+ if (xfs->compxf == NULL)
+ yyerror("%s not a valid transform", compname);
+ }
return (xfs);
}
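Review bot: Nothing in the hunk sets `xfs->compxf` when compname is NULL, and the allocation of xfs is above the hunk; if it is a plain malloc rather than calloc, the new field is later read uninitialised by pfkey_sa's `if (xfs && xfs->compxf)`. An explicit `xfs->compxf = NULL;` next to the allocation, or an `else xfs->compxf = NULL;` on the new branch, removes the doubt regardless of how xfs is obtained. Separately, copytransforms() (declared in this file) is not touched by this commit; if it copies authxf and encxf member by member, compxf is silently dropped on copy, so it is worth confirming it does a whole-struct copy. transforms() starts outside the hunk.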
@@ -1164,6 +1189,14 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,
if (!xfs->encxf)
xfs->encxf = &encxfs[ENCXF_AESCTR];
}
+ if (protocol == IPSEC_IPCOMP) {
+ if (!xfs) {
+ yyerror("no transform specified");
+ return (0);
+ }
+ if (!xfs->compxf)
+ xfs->compxf = &compxfs[COMPXF_DEFLATE];
+ }
if (protocol == IPSEC_TCPMD5 && authkey == NULL) {
yyerror("authentication key needed for tcpmd5");
return (0);
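Review bot: The new IPSEC_IPCOMP branch supplies a default compression transform but never rejects a transform that does not belong to the protocol: the grammar's `transforms` rule accepts `comp STRING` on its own for any protocol, so an esp or ah rule with `comp deflate` passes validation with both an enc default and a compxf set. In pfkey_sa (pfkey.c hunk at line 422) the comp switch writes `sa.sadb_sa_encrypt` after the enc switch, so that rule would program the ESP SA with a compression algorithm id in place of its cipher. The mirror case, auth or enc given on an ipcomp rule, is also accepted silently. Suggest rejecting both here, before the defaults are applied; validate_sa starts outside the hunk.
```c
	if (protocol == IPSEC_IPCOMP) {
		if (!xfs) {
			yyerror("no transform specified");
			return (0);
		}
		if (xfs->authxf || xfs->encxf) {
			yyerror("auth/enc transforms not valid for ipcomp");
			return (0);
		}
		if (!xfs->compxf)
			xfs->compxf = &compxfs[COMPXF_DEFLATE];
	} else if (xfs && xfs->compxf) {
		yyerror("comp transform only valid for ipcomp");
		return (0);
	}
	/* ... unchanged: tcpmd5 authkey check ... */
```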
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index 301d0f6b5b3..f2cb74f8ebb 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.5 2005/07/09 21:54:12 hshoexer Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.6 2005/10/30 19:50:24 hshoexer Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -219,18 +219,17 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg)
printf(" to ");
print_addr(extensions[SADB_EXT_ADDRESS_DST], msg);
}
+ printf(" spi 0x%08x", ntohl(sa->sadb_sa_spi));
if (msg->sadb_msg_satype == SADB_X_SATYPE_IPCOMP)
- printf("cpi 0x%8.8x %s",
- ntohl(sa->sadb_sa_spi),
- lookup_name(comp_types, sa->sadb_sa_encrypt));
+ printf(" comp %s", lookup_name(comp_types,
+ sa->sadb_sa_encrypt));
else {
- printf(" spi 0x%8.8x", ntohl(sa->sadb_sa_spi));
if (sa->sadb_sa_encrypt)
- printf(" %s",
- lookup_name(enc_types, sa->sadb_sa_encrypt));
+ printf(" enc %s", lookup_name(enc_types,
+ sa->sadb_sa_encrypt));
if (sa->sadb_sa_auth)
- printf(" %s",
- lookup_name(auth_types, sa->sadb_sa_auth));
+ printf(" auth %s", lookup_name(auth_types,
+ sa->sadb_sa_auth));
}
if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
printf(" tunnel");
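Review bot: The hoisted `spi` print now labels the IPCOMP value as an SPI, whereas the removed code called it `cpi`; for IPCOMP the field carries a 16-bit CPI, so the label change is a deliberate choice that the hunk does not explain. If the intent is output that the parser's `spi` keyword can read back, say so on the line, e.g. `/* IPCOMP CPI is printed as "spi" so the dump can be fed back to the parser */`, otherwise the next reader is likely to reintroduce the `cpi` label. The rest of the rewrite (adding `comp`/`enc`/`auth` prefixes, `0x%08x` for `0x%8.8x`) is equivalent to the old formatting. print_sa continues outside the hunk.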
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 13b3a650af5..6b71fea466c 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.25 2005/10/17 07:31:44 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.26 2005/10/30 19:50:24 hshoexer Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -422,6 +422,19 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct
xfs->encxf->id);
}
}
+ if (xfs && xfs->compxf) {
+ switch (xfs->compxf->id) {
+ case COMPXF_DEFLATE:
+ sa.sadb_sa_encrypt = SADB_X_CALG_DEFLATE;
+ break;
+ case COMPXF_LZS:
+ sa.sadb_sa_encrypt = SADB_X_CALG_LZS;
+ break;
+ default:
+ warnx("unsupported compression algorithm %d",
+ xfs->compxf->id);
+ }
+ }
bzero(&sa_src, sizeof(sa_src));
sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
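Review bot: The new comp switch stores into `sa.sadb_sa_encrypt` whenever `xfs->compxf` is set, without looking at satype, and it runs after the enc switch that fills the same field, so a non-IPCOMP SA whose transforms carry a compxf gets its cipher id overwritten by a compression id. Gating the block on the SA type keeps this function correct on its own, independent of what the parser accepts: `if (satype == SADB_X_SATYPE_IPCOMP && xfs && xfs->compxf) {`. The `default:` arm only warns and continues, which matches the enc switch just above, but it means an SA with an unset or stale algorithm id still reaches the kernel; if that is intentional a short comment on the arm would help. pfkey_sa starts outside the hunk.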
@@ -431,7 +444,8 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct
sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
- if (action == SADB_ADD && !authkey && !enckey) { /* XXX ENCNULL */
+ if (action == SADB_ADD && !authkey && !enckey && satype !=
+ SADB_X_SATYPE_IPCOMP) { /* XXX ENCNULL */
warnx("no key specified");
return -1;
}
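Review bot: The wrapped condition breaks the line between `satype !=` and `SADB_X_SATYPE_IPCOMP`, leaving the operator dangling at the end of the first line, which is harder to scan than breaking before the whole comparison. Suggest `if (action == SADB_ADD && !authkey && !enckey &&` on the first line and `    satype != SADB_X_SATYPE_IPCOMP) { /* XXX ENCNULL */` on the second, matching the style of the other multi-line conditions in this file. The exemption itself is right, since an IPCOMP SA carries no keys.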
@@ -563,7 +577,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
rule->proto = IPSEC_AH;
break;
case SADB_X_SATYPE_IPCOMP:
- rule->proto = IPSEC_COMP;
+ rule->proto = IPSEC_IPCOMP;
break;
default:
return (1);
@@ -816,7 +830,9 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
case IPSEC_AH:
satype = SADB_SATYPE_AH;
break;
- case IPSEC_COMP:
+ case IPSEC_IPCOMP:
+ satype = SADB_X_SATYPE_IPCOMP;
+ break;
default:
return -1;
}
@@ -853,6 +869,9 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
case IPSEC_ESP:
satype = SADB_SATYPE_ESP;
break;
+ case IPSEC_IPCOMP:
+ satype = SADB_X_SATYPE_IPCOMP;
+ break;
case IPSEC_TCPMD5:
satype = SADB_X_SATYPE_TCPSIGNATURE;
break;