authorNiels Provos <provos@cvs.openbsd.org>1997-11-18 00:13:46 +0000
committerNiels Provos <provos@cvs.openbsd.org>1997-11-18 00:13:46 +0000
commita83de350c18f04c4859331ac616d2d08240fe61a (patch)
tree131de61552843546e7af3160d55a4be0787ac59f /sbin
parentc08df90be197464bc742f0b0dc596cb7b7da823e (diff)
make old style padding default again, use -netpadding for new style
padding. allow ip4 encapsulation/tunnels with no encryption/authentication.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipsec/ipsecadm/Makefile4
-rw-r--r--sbin/ipsec/ipsecadm/ipsecadm.110
-rw-r--r--sbin/ipsec/ipsecadm/ipsecadm.c31
-rw-r--r--sbin/ipsec/ipsecadm/xf_esp_new.c10
-rw-r--r--sbin/ipsec/ipsecadm/xf_ip4.c83
5 files changed, 118 insertions, 20 deletions
diff --git a/sbin/ipsec/ipsecadm/Makefile b/sbin/ipsec/ipsecadm/Makefile
index 0ece7294427..040631724fc 100644
--- a/sbin/ipsec/ipsecadm/Makefile
+++ b/sbin/ipsec/ipsecadm/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.6 1997/08/26 17:19:05 provos Exp $
+# $OpenBSD: Makefile,v 1.7 1997/11/18 00:13:43 provos Exp $
PROG= ipsecadm
SRCS= ipsecadm.c kernel.c xf_esp_new.c xf_esp_old.c xf_ah_old.c xf_ah_new.c \
- xf_delspi.c xf_grp.c
+ xf_delspi.c xf_grp.c xf_ip4.c
.include <bsd.prog.mk>
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.1 b/sbin/ipsec/ipsecadm/ipsecadm.1
index eb26cb4871d..9f141223b4e 100644
--- a/sbin/ipsec/ipsecadm/ipsecadm.1
+++ b/sbin/ipsec/ipsecadm/ipsecadm.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.1,v 1.4 1997/11/04 09:13:41 provos Exp $
+.\" $OpenBSD: ipsecadm.1,v 1.5 1997/11/18 00:13:43 provos Exp $
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -64,7 +64,7 @@ modifiers are:
.Fl enc ,
.Fl auth ,
.Fl iv ,
-.Fl oldpadding ,
+.Fl newpadding ,
.Fl authkey ,
and
.Fl key .
@@ -120,7 +120,7 @@ and
.El
.Pp
The modifiers have the following meanings:
-.Bl -tag -width oldpadding -offset indent
+.Bl -tag -width newpadding -offset indent
.It src
The source IP address for the SPI.
.It dst
@@ -129,8 +129,8 @@ The destination IP address for the SPI.
The unique Security Parameter Index (SPI).
.It tunnel
The source and destination IP addresses for the external IP header.
-.It oldpadding
-For new ESP, specify old style self-describing padding should be used. Ignored everywhere else.
+.It newpadding
+For new ESP, specify new style self-describing padding should be used. Ignored everywhere else.
.It enc
The encryption algorithm to be used with the SPI. Possible values
are:
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.c b/sbin/ipsec/ipsecadm/ipsecadm.c
index de459a99f10..2e7ef187554 100644
--- a/sbin/ipsec/ipsecadm/ipsecadm.c
+++ b/sbin/ipsec/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.11 1997/11/04 09:13:41 provos Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.12 1997/11/18 00:13:44 provos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
* (except when noted otherwise).
@@ -61,6 +61,7 @@
#define XF_AUTH 0x20
#define DEL_SPI 0x30
#define GRP_SPI 0x40
+#define ENC_IP 0x80
#define CMD_MASK 0xf0
@@ -84,6 +85,8 @@ int xf_ah_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *,
int xf_delspi __P((struct in_addr, u_int32_t, int, int));
int xf_grp __P((struct in_addr, u_int32_t, int, struct in_addr, u_int32_t, int));
+int xf_ip4 __P((struct in_addr, struct in_addr, u_int32_t,
+ struct in_addr, struct in_addr));
transform xf[] = {
{"des", ALG_ENC_DES, XF_ENC |ESP_OLD|ESP_NEW},
@@ -126,7 +129,7 @@ void
usage()
{
fprintf( stderr, "usage: ipsecadm [command] <modifier...>\n"
- "\tCommands: new esp, old esp, new ah, old ah, group, delspi\n"
+ "\tCommands: new esp, old esp, new ah, old ah, group, delspi, ip4\n"
"\tPossible modifiers:\n"
"\t\t-enc <alg>\t encryption algorithm\n"
"\t\t-auth <alg>\t authentication algorithm\n"
@@ -139,7 +142,7 @@ usage()
"\t\t-iv <val>\t iv to be used\n"
"\t\t-proto <val>\t security protocol\n"
"\t\t-chain\t\t SPI chain delete\n"
- "\t\t-oldpadding\t old style padding for new ESP\n"
+ "\t\t-newpadding\t new style padding for new ESP\n"
"\talso: dst2, spi2, proto2\n"
);
}
@@ -150,7 +153,7 @@ main(argc, argv)
char **argv;
{
int i;
- int mode = ESP_NEW, new = 1, flag = 0, oldpadding = 0;
+ int mode = ESP_NEW, new = 1, flag = 0, newpadding = 0;
int auth = 0, enc = 0, ivlen = 0, klen = 0, alen = 0;
int proto = IPPROTO_ESP, proto2 = IPPROTO_AH;
int chain = 0;
@@ -184,6 +187,9 @@ main(argc, argv)
} else if (!strcmp(argv[i], "group") && flag < 2) {
flag = 2;
mode = GRP_SPI;
+ } else if (!strcmp(argv[i], "ip4") && flag < 2) {
+ flag = 2;
+ mode = ENC_IP;
} else if (argv[i][0] == '-') {
break;
} else {
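Review bot: The new `ip4` command keyword at lines 126-128 is the only place the command is introduced, and nothing in this commit documents it: the ipsecadm.1 hunks only rename the padding modifier, so `ip4` gets no manual entry while the usage string advertises it. The commit message says ip4 installs encapsulation with no encryption or authentication; that property belongs in the man page's command list so a bare IP-in-IP SA is not mistaken for a protected tunnel. A short comment on the branch, `/* ip4: plain IP-in-IP encapsulation, no ESP/AH protection */`, would help readers of the parser as well. main() begins and ends outside this hunk.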
@@ -248,8 +254,8 @@ main(argc, argv)
} else if (!strcmp(argv[i]+1, "src") && i+1 < argc) {
src.s_addr = inet_addr(argv[i+1]);
i++;
- } else if (!strcmp(argv[i]+1, "oldpadding")) {
- oldpadding = 1;
+ } else if (!strcmp(argv[i]+1, "newpadding")) {
+ newpadding = 1;
} else if (!strcmp(argv[i]+1, "tunnel") && i+2 < argc) {
osrc.s_addr = inet_addr(argv[i+1]);
i++;
@@ -300,7 +306,8 @@ main(argc, argv)
} else if (iscmd(mode, GRP_SPI) && spi2 == 0) {
fprintf(stderr, "%s: No SPI2 specified\n", argv[0]);
exit(1);
- } else if (isencauth(mode) && src.s_addr == 0) {
+ } else if ((isencauth(mode) || iscmd(mode, ENC_IP)) &&
+ src.s_addr == 0) {
fprintf(stderr, "%s: No source address specified\n", argv[0]);
exit(1);
} else if ((iscmd(mode, DEL_SPI) || iscmd(mode, GRP_SPI))
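Review bot: The extended source check at lines 148-149 only catches an address that was never given; a malformed `-src` value is not rejected, because inet_addr() (used for the parsing in an earlier hunk) returns INADDR_NONE, which is non-zero and passes `src.s_addr == 0`. That matters more for the new ip4 mode than for the others, since an unprotected encapsulation keyed on a bogus address would presumably be handed to the kernel without complaint. Test both values, e.g. `src.s_addr == 0 || src.s_addr == INADDR_NONE`, or reject the parse failure at the inet_addr() call itself. main() begins and ends outside this hunk.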
@@ -314,6 +321,11 @@ main(argc, argv)
fprintf(stderr, "%s: No destination address specified\n",
argv[0]);
exit(1);
+ } else if (iscmd(mode, ENC_IP) &&
+ (odst.s_addr == 0 || osrc.s_addr == 0)) {
+ fprintf(stderr, "%s: No tunnel addresses specified\n",
+ argv[0]);
+ exit(1);
} else if (iscmd(mode, GRP_SPI) && dst2.s_addr == 0) {
fprintf(stderr, "%s: No destination address2 specified\n",
argv[0]);
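Review bot: ENC_IP was added to the source check and gets its own tunnel-address check at lines 157-161, but it does not appear in the inner destination check whose tail is visible at lines 152-156; the line carrying the rest of that condition is outside the hunk, so confirm, but as read an `ip4` command with no `-dst` would reach xf_ip4() with dst.s_addr == 0. If so, extend that condition with `|| iscmd(mode, ENC_IP)` next to the existing `iscmd(mode, GRP_SPI)` term. The `== 0` test used here for osrc/odst also passes the INADDR_NONE value inet_addr() returns for a malformed `-tunnel` address, so a typo'd outer address is not caught either. main() begins and ends outside this hunk.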
@@ -325,7 +337,7 @@ main(argc, argv)
switch(mode) {
case ESP_NEW:
xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, authp,
- osrc, odst, oldpadding);
+ osrc, odst, newpadding);
break;
case ESP_OLD:
xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst);
@@ -345,6 +357,9 @@ main(argc, argv)
case DEL_SPI:
xf_delspi(dst, spi, proto, chain);
break;
+ case ENC_IP:
+ xf_ip4(src, dst, spi, osrc, odst);
+ break;
}
}
diff --git a/sbin/ipsec/ipsecadm/xf_esp_new.c b/sbin/ipsec/ipsecadm/xf_esp_new.c
index ddf0b2d98ab..b5661a5925e 100644
--- a/sbin/ipsec/ipsecadm/xf_esp_new.c
+++ b/sbin/ipsec/ipsecadm/xf_esp_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xf_esp_new.c,v 1.4 1997/11/04 09:13:42 provos Exp $ */
+/* $OpenBSD: xf_esp_new.c,v 1.5 1997/11/18 00:13:44 provos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
* (except when noted otherwise).
@@ -59,13 +59,13 @@ int x2i __P((char *));
int
xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, authp,
- osrc, odst, oldpadding)
+ osrc, odst, newpadding)
struct in_addr src, dst;
u_int32_t spi;
int enc, auth;
u_char *ivp, *keyp, *authp;
struct in_addr osrc, odst;
-int oldpadding;
+int newpadding;
{
int i, klen, alen, ivlen;
@@ -101,8 +101,8 @@ int oldpadding;
xd->edx_wnd = -1; /* Manual keying -- no seq */
xd->edx_flags = auth ? ESP_NEW_FLAG_AUTH : 0;
- if (oldpadding)
- xd->edx_flags |= ESP_NEW_FLAG_OPADDING;
+ if (newpadding)
+ xd->edx_flags |= ESP_NEW_FLAG_NPADDING;
for (i = 0; i < ivlen; i++)
xd->edx_data[i] = x2i(ivp+2*i);
diff --git a/sbin/ipsec/ipsecadm/xf_ip4.c b/sbin/ipsec/ipsecadm/xf_ip4.c
new file mode 100644
index 00000000000..69fbd3a4308
--- /dev/null
+++ b/sbin/ipsec/ipsecadm/xf_ip4.c
@@ -0,0 +1,83 @@
+/* $OpenBSD: xf_ip4.c,v 1.4 1997/11/18 00:13:45 provos Exp $ */
+/*
+ * The author of this code is John Ioannidis, ji@tla.org,
+ * (except when noted otherwise).
+ *
+ * This code was written for BSD/OS in Athens, Greece, in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis, kermit@forthnet.gr. Additional code written by
+ * Niels Provos in Germany.
+ *
+ * Copyright (C) 1995, 1996, 1997 by John Ioannidis, Angelos D. Keromytis and
+ * Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NEITHER AUTHOR MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/mbuf.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/in.h>
+#include <netns/ns.h>
+#include <netiso/iso.h>
+#include <netccitt/x25.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+#include <paths.h>
+#include "net/encap.h"
+#include "netinet/ip_ipsp.h"
+
+extern char buf[];
+
+int xf_set __P(( struct encap_msghdr *));
+int x2i __P((char *));
+
+int
+xf_ip4(src, dst, spi, osrc, odst)
+struct in_addr src, dst;
+u_int32_t spi;
+struct in_addr osrc, odst;
+{
+ struct encap_msghdr *em;
+
+ em = (struct encap_msghdr *)&buf[0];
+
+ em->em_msglen = EMT_SETSPI_FLEN + 1;
+
+ em->em_version = PFENCAP_VERSION_1;
+ em->em_type = EMT_SETSPI;
+ em->em_spi = spi;
+ em->em_src = src;
+ em->em_dst = dst;
+ em->em_osrc = osrc;
+ em->em_odst = odst;
+ em->em_alg = XF_IP4;
+
+ return xf_set(em);
+}
+
+
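Review bot: `em->em_msglen = EMT_SETSPI_FLEN + 1` claims one byte beyond the fields xf_ip4() fills in, and `buf` is a shared extern buffer that nothing here clears, so that trailing byte, and any header field this function does not assign, is whatever the previous caller left behind; if the extra byte exists to satisfy a kernel minimum-length check, say so in a comment, and either way zero the message first with `memset(em, 0, EMT_SETSPI_FLEN + 1);` before filling it. The function also deserves a header comment stating what the commit message says, that XF_IP4 installs plain IP-in-IP encapsulation with no encryption or authentication, since the call sequence looks identical to the protected transforms. The `x2i` prototype at line 278 is unused in this file and can be dropped.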