diff options
author | Markus Friedl <markus@cvs.openbsd.org> | 2003-12-02 23:16:30 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2003-12-02 23:16:30 +0000 |
commit | 7827007d3935fef762fc37ed47e44956982e543a (patch) | |
tree | 32503217eaf3f477211d64e2f795e83f59c1a618 /sbin/ipsecadm | |
parent | efce987ff534832e2def76f49222eb98d59aefaa (diff) |
UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@
Diffstat (limited to 'sbin/ipsecadm')
-rw-r--r-- | sbin/ipsecadm/ipsecadm.8 | 7 | ||||
-rw-r--r-- | sbin/ipsecadm/ipsecadm.c | 30 | ||||
-rw-r--r-- | sbin/ipsecadm/pfkdump.c | 12 |
3 files changed, 45 insertions, 4 deletions
diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8 index 75a09c0fe88..948efd103d0 100644 --- a/sbin/ipsecadm/ipsecadm.8 +++ b/sbin/ipsecadm/ipsecadm.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsecadm.8,v 1.62 2003/07/24 08:03:19 itojun Exp $ +.\" $OpenBSD: ipsecadm.8,v 1.63 2003/12/02 23:16:29 markus Exp $ .\" .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. @@ -90,6 +90,7 @@ modifiers are: .Fl authkey , .Fl authkeyfile , .Fl forcetunnel , +.Fl udpencap , .Fl key , and .Fl keyfile . @@ -382,6 +383,10 @@ and options. Notice that the IPsec stack will perform IP-inside-IP encapsulation when deemed necessary, even if this flag has not been set. +.It Fl udpencap +Enable ESP-inside-UDP encapsulation. +The UDP destination port must be specified on the command line. +This port will be used for sending encapsulated UDP packets. .It Fl enc The encryption algorithm to be used with the SA. Possible values are: diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c index 08e24e36d67..f12c49e0896 100644 --- a/sbin/ipsecadm/ipsecadm.c +++ b/sbin/ipsecadm/ipsecadm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecadm.c,v 1.70 2003/09/23 18:09:20 itojun Exp $ */ +/* $OpenBSD: ipsecadm.c,v 1.71 2003/12/02 23:16:29 markus Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -286,6 +286,7 @@ usage(void) "\t -src <ip>\t\t\tsource address to be used\n" "\t -halfiv\t\t\tuse 4-byte IV in old ESP\n" "\t -forcetunnel\t\t\tforce IP-in-IP encapsulation\n" + "\t -udpencap <port>\t\tenable ESP-in-UDP encapsulation\n" "\t -dst <ip>\t\t\tdestination address to be used\n" "\t -proto <val>\t\t\tsecurity protocol\n" "\t -proxy <ip>\t\t\tproxy address to be used\n" @@ -309,7 +310,7 @@ usage(void) "\t -dontacq\t\t\trequire, without using key mgmt.\n" "\t -in\t\t\t\tspecify incoming-packet policy\n" "\t -out\t\t\t\tspecify outgoing-packet policy\n" - "\t -[ah|esp|ip4|ipcomp]\t\t\tflush a particular protocol\n" + "\t -[ah|esp|ip4|ipcomp]\t\tflush a particular protocol\n" "\t -srcid\t\t\tsource identity for flows\n" "\t -dstid\t\t\tdestination identity for flows\n" "\t -srcid_type\t\t\tsource identity type\n" @@ -345,6 +346,7 @@ main(int argc, char *argv[]) struct sadb_ident sid1, sid2; struct sadb_key skey1, skey2; struct sadb_protocol sprotocol, sprotocol2; + struct sadb_x_udpencap udpencap; /* Peer UDP Port */ u_char realkey[8192], realakey[8192]; struct iovec iov[30]; struct addrinfo hints, *res; @@ -375,6 +377,7 @@ main(int argc, char *argv[]) memset(realakey, 0, sizeof(realakey)); memset(&sid1, 0, sizeof(sid1)); memset(&sid2, 0, sizeof(sid2)); + memset(&udpencap, 0, sizeof(udpencap)); src = (union sockaddr_union *) srcbuf; dst = (union sockaddr_union *) dstbuf; @@ -921,6 +924,24 @@ main(int argc, char *argv[]) sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL; continue; } + if (!strcmp(argv[i] + 1, "udpencap") && + udpencap.sadb_x_udpencap_port == 0 && (i + 1 < argc)) { + if (!(mode & ESP_NEW)) { + fprintf(stderr, "%s: option udpencap can " + "be used only with new ESP\n", argv[0]); + exit(1); + } + sa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; + udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; + udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8; + udpencap.sadb_x_udpencap_port = + strtoul(argv[i + 1], NULL, 10); + udpencap.sadb_x_udpencap_port = + htons(udpencap.sadb_x_udpencap_port); + udpencap.sadb_x_udpencap_reserved = 0; + i++; + continue; + } if (!strcmp(argv[i] + 1, "halfiv")) { if (!(mode & ESP_OLD)) { fprintf(stderr, @@ -1520,6 +1541,11 @@ argfail: skey2.sadb_key_bits = 8 * alen; smsg.sadb_msg_len += skey2.sadb_key_len; } + if (sa.sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP) { + iov[cnt].iov_base = &udpencap; + iov[cnt++].iov_len = sizeof(udpencap); + smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len; + } } else { switch (mode & CMD_MASK) { case GRP_SPI: diff --git a/sbin/ipsecadm/pfkdump.c b/sbin/ipsecadm/pfkdump.c index 08853fe3655..3e9532a936a 100644 --- a/sbin/ipsecadm/pfkdump.c +++ b/sbin/ipsecadm/pfkdump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkdump.c,v 1.8 2003/07/29 18:38:36 deraadt Exp $ */ +/* $OpenBSD: pfkdump.c,v 1.9 2003/12/02 23:16:29 markus Exp $ */ /* * Copyright (c) 2003 Markus Friedl. All rights reserved. @@ -52,6 +52,7 @@ void print_ident(struct sadb_ext *, struct sadb_msg *); void print_policy(struct sadb_ext *, struct sadb_msg *); void print_cred(struct sadb_ext *, struct sadb_msg *); void print_auth(struct sadb_ext *, struct sadb_msg *); +void print_udpenc(struct sadb_ext *, struct sadb_msg *); struct idname *lookup(struct idname [], u_int8_t); char *lookup_name(struct idname [], u_int8_t); @@ -104,6 +105,7 @@ struct idname ext_types[] = { { SADB_X_EXT_LOCAL_AUTH, "x_local_auth", print_auth }, { SADB_X_EXT_REMOTE_AUTH, "x_remote_auth", print_auth }, { SADB_X_EXT_SUPPORTED_COMP, "x_supported_comp", print_supp }, + { SADB_X_EXT_UDPENCAP, "x_udpencap", print_udpenc }, { 0, NULL, NULL } }; @@ -533,6 +535,14 @@ print_auth(struct sadb_ext *ext, struct sadb_msg *msg) } void +print_udpenc(struct sadb_ext *ext, struct sadb_msg *msg) +{ + struct sadb_x_udpencap *x_udpencap = (struct sadb_x_udpencap *) ext; + + printf("udpencap port %u\n", ntohs(x_udpencap->sadb_x_udpencap_port)); +} + +void msg_send(int pfkey, u_int8_t satype, u_int8_t mtype) { struct sadb_msg msg; |