src - OpenBSD base system

diff options


context:
space:
mode:

author	Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org>	2005-11-12 12:00:54 +0000
committer	Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org>	2005-11-12 12:00:54 +0000
commit	63ce3110ca26585d80f472054e98dc7773e807e7 (patch)
tree	0d5e4df88a49c6d367c076097a29b54a66fcbe0b /sbin
parent	02ffe946b7c40c8ecd5fac91ee755299fc2bacb9 (diff)

handle transport/tunnel mode

Diffstat (limited to 'sbin')

-rw-r--r--

sbin/ipsecctl/ipsecctl.c

-rw-r--r--

sbin/ipsecctl/ipsecctl.h

-rw-r--r--

sbin/ipsecctl/parse.y

-rw-r--r--

sbin/ipsecctl/pfkdump.c

-rw-r--r--

sbin/ipsecctl/pfkey.c

5 files changed, 60 insertions, 28 deletions

diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index f8641570962..5704e78dfc0 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ipsecctl.c,v 1.31 2005/11/06 22:51:51 hshoexer Exp $ */

+/* $OpenBSD: ipsecctl.c,v 1.32 2005/11/12 12:00:53 hshoexer Exp $ */

@@ -70,6 +70,7 @@ static const char *direction[] = {"?", "in", "out"};

static const char *flowtype[] = {"?", "use", "acquire", "require", "deny",

"bypass", "dontacq"};

static const char *proto[] = {"?", "esp", "ah", "ipcomp", "tcpmd5"};

+static const char *tmode[] = {"?", "transport", "tunnel"};

static const char *auth[] = {"?", "psk", "rsa"};

int

@@ -255,6 +256,9 @@ void

ipsecctl_print_sa(struct ipsec_rule *r, int opts)

{

printf("%s ", proto[r->proto]);

+ /* tunnel/transport is only meaningful esp/ah/ipcomp */

+ if (r->proto != IPSEC_TCPMD5)

+ printf("%s ", tmode[r->tmode]);

printf("from ");

ipsecctl_print_addr(r->src);

printf(" to ");

diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index dbda9d40a75..e710d00495c 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: ipsecctl.h,v 1.20 2005/11/06 22:51:51 hshoexer Exp $ */

+/* $OpenBSD: ipsecctl.h,v 1.21 2005/11/12 12:00:53 hshoexer Exp $ */

@@ -43,6 +43,9 @@ enum {

PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5

};

enum {

+ MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL

+};

+enum {

AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA

};

enum {

@@ -134,6 +137,7 @@ struct ipsec_rule {

struct ipsec_key *enckey;

u_int8_t proto;

+ u_int8_t tmode;

u_int8_t direction;

u_int8_t flowtype;

u_int8_t ikemode;

diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 91e8e0d34ad..7d29595909d 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y

@@ -1,4 +1,4 @@

-/* $OpenBSD: parse.y,v 1.33 2005/11/06 22:51:51 hshoexer Exp $ */

+/* $OpenBSD: parse.y,v 1.34 2005/11/12 12:00:53 hshoexer Exp $ */

@@ -120,8 +120,8 @@ struct ipsec_transforms *transforms(const char *, const char *, const char *);

struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);

int validate_sa(u_int32_t, u_int8_t,

struct ipsec_transforms *, struct ipsec_key *,

- struct ipsec_key *);

-struct ipsec_rule *create_sa(u_int8_t, struct ipsec_addr_wrap *,

+ struct ipsec_key *, u_int8_t);

+struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_addr_wrap *,

struct ipsec_addr_wrap *, u_int32_t,

struct ipsec_transforms *, struct ipsec_key *,

struct ipsec_key *);

@@ -142,8 +142,9 @@ typedef struct {

u_int32_t number;

u_int8_t ikemode;

u_int8_t dir;

- char *string;

u_int8_t protocol;

+ u_int8_t tmode;

+ char *string;

struct {

struct ipsec_addr_wrap *src;

struct ipsec_addr_wrap *dst;

@@ -183,10 +184,11 @@ typedef struct {

%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI

%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE

-%token ACTIVE ANY IPCOMP COMPXF

+%token ACTIVE ANY IPCOMP COMPXF TUNNEL TRANSPORT

%token <v.string> STRING

%type <v.dir> dir

%type <v.protocol> protocol

+%type <v.tmode> tmode

%type <v.number> number

%type <v.hosts> hosts

%type <v.peer> peer

@@ -233,8 +235,8 @@ number : STRING {

tcpmd5rule : TCPMD5 hosts spispec authkeyspec {

struct ipsec_rule *r;

- r = create_sa(IPSEC_TCPMD5, $2.src, $2.dst, $3.spiout,

- NULL, $4.keyout, NULL);

+ r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, $2.src,

+ $2.dst, $3.spiout, NULL, $4.keyout, NULL);

if (r == NULL)

YYERROR;

r->nr = ipsec->rule_nr++;

@@ -255,11 +257,12 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec {

}

;

-sarule : protocol hosts spispec transforms authkeyspec enckeyspec {

+sarule : protocol tmode hosts spispec transforms authkeyspec

+ enckeyspec {

struct ipsec_rule *r;

- r = create_sa($1, $2.src, $2.dst, $3.spiout, $4,

- $5.keyout, $6.keyout);

+ r = create_sa($1, $2, $3.src, $3.dst, $4.spiout, $5,

+ $6.keyout, $7.keyout);

if (r == NULL)

YYERROR;

r->nr = ipsec->rule_nr++;

@@ -268,9 +271,9 @@ sarule : protocol hosts spispec transforms authkeyspec enckeyspec {

errx(1, "sarule: ipsecctl_add_rule");

/* Create and add reverse SA rule. */

- if ($3.spiin != 0 || $5.keyin || $6.keyin) {

- r = reverse_sa(r, $3.spiin, $5.keyin,

- $6.keyin);

+ if ($4.spiin != 0 || $6.keyin || $7.keyin) {

+ r = reverse_sa(r, $4.spiin, $6.keyin,

+ $7.keyin);

if (r == NULL)

YYERROR;

r->nr = ipsec->rule_nr++;

@@ -323,6 +326,11 @@ protocol : /* empty */ { $$ = IPSEC_ESP; }

| IPCOMP { $$ = IPSEC_IPCOMP; }

;

+tmode : /* empty */ { $$ = IPSEC_TUNNEL; }

+ | TUNNEL { $$ = IPSEC_TUNNEL; }

+ | TRANSPORT { $$ = IPSEC_TRANSPORT; }

+ ;

dir : /* empty */ { $$ = IPSEC_INOUT; }

| IN { $$ = IPSEC_IN; }

| OUT { $$ = IPSEC_OUT; }

@@ -616,6 +624,8 @@ lookup(char *s)

{ "srcid", SRCID},

{ "tcpmd5", TCPMD5},

{ "to", TO},

+ { "transport", TRANSPORT},

+ { "tunnel", TUNNEL},

};

const struct keywords *p;

@@ -1183,7 +1193,7 @@ copytransforms(const struct ipsec_transforms *xfs)

int

validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,

- struct ipsec_key *authkey, struct ipsec_key *enckey)

+ struct ipsec_key *authkey, struct ipsec_key *enckey, u_int8_t tmode)

{

/* Sanity checks */

if (spi == 0) {

@@ -1220,7 +1230,8 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,

if (!xfs->compxf)

xfs->compxf = &compxfs[COMPXF_DEFLATE];

}

- if (protocol == IPSEC_TCPMD5 && authkey == NULL) {

+ if (protocol == IPSEC_TCPMD5 && authkey == NULL && tmode !=

+ IPSEC_TRANSPORT) {

yyerror("authentication key needed for tcpmd5");

return (0);

}

@@ -1258,13 +1269,13 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,

}

struct ipsec_rule *

-create_sa(u_int8_t protocol, struct ipsec_addr_wrap *src, struct

+create_sa(u_int8_t protocol, u_int8_t tmode, struct ipsec_addr_wrap *src, struct

ipsec_addr_wrap *dst, u_int32_t spi, struct ipsec_transforms *xfs,

struct ipsec_key *authkey, struct ipsec_key *enckey)

{

struct ipsec_rule *r;

- if (validate_sa(spi, protocol, xfs, authkey, enckey) == 0)

+ if (validate_sa(spi, protocol, xfs, authkey, enckey, tmode) == 0)

return (NULL);

r = calloc(1, sizeof(struct ipsec_rule));

@@ -1273,6 +1284,7 @@ create_sa(u_int8_t protocol, struct ipsec_addr_wrap *src, struct

r->type |= RULE_SA;

r->proto = protocol;

+ r->tmode = tmode;

r->src = src;

r->dst = dst;

r->spi = spi;

@@ -1289,7 +1301,8 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,

{

struct ipsec_rule *reverse;

- if (validate_sa(spi, rule->proto, rule->xfs, authkey, enckey) == 0)

+ if (validate_sa(spi, rule->proto, rule->xfs, authkey, enckey,

+ rule->tmode) == 0)

return (NULL);

reverse = calloc(1, sizeof(struct ipsec_rule));

@@ -1298,6 +1311,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,

reverse->type |= RULE_SA;

reverse->proto = rule->proto;

+ reverse->tmode = rule->tmode;

reverse->src = copyhost(rule->dst);

reverse->dst = copyhost(rule->src);

reverse->spi = spi;

diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index f2cb74f8ebb..1d930404a9d 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pfkdump.c,v 1.6 2005/10/30 19:50:24 hshoexer Exp $ */

+/* $OpenBSD: pfkdump.c,v 1.7 2005/11/12 12:00:53 hshoexer Exp $ */

@@ -211,6 +211,14 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg)

{

struct sadb_sa *sa = (struct sadb_sa *)ext;

+ /* tunnel/transport is only meaningful for esp/ah/ipcomp */

+ if (msg->sadb_msg_satype != SADB_X_SATYPE_TCPSIGNATURE) {

+ if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)

+ printf("tunnel ");

+ else

+ printf("transport ");

+ }

if (extensions[SADB_EXT_ADDRESS_SRC]) {

printf("from ");

print_addr(extensions[SADB_EXT_ADDRESS_SRC], msg);

@@ -231,8 +239,6 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg)

printf(" auth %s", lookup_name(auth_types,

sa->sadb_sa_auth));

}

- if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)

- printf(" tunnel");

printf("\n");

}

diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index e6299ba0923..86ba2bf5768 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pfkey.c,v 1.28 2005/11/06 22:51:51 hshoexer Exp $ */

+/* $OpenBSD: pfkey.c,v 1.29 2005/11/12 12:00:53 hshoexer Exp $ */

@@ -47,7 +47,7 @@ static int pfkey_flow(int, u_int8_t, u_int8_t, u_int8_t,

static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t,

struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,

struct ipsec_transforms *, struct ipsec_key *,

- struct ipsec_key *);

+ struct ipsec_key *, u_int8_t);

static int pfkey_reply(int);

int pfkey_parse(struct sadb_msg *, struct ipsec_rule *);

int pfkey_ipsec_flush(void);

@@ -307,7 +307,7 @@ static int

pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,

struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,

struct ipsec_transforms *xfs, struct ipsec_key *authkey,

- struct ipsec_key *enckey)

+ struct ipsec_key *enckey, u_int8_t tmode)

{

struct sadb_msg smsg;

struct sadb_sa sa;

@@ -358,6 +358,9 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,

sa.sadb_sa_spi = htonl(spi);

sa.sadb_sa_state = SADB_SASTATE_MATURE;

+ if (tmode == IPSEC_TUNNEL)

+ sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;

if (xfs && xfs->authxf) {

switch (xfs->authxf->id) {

case AUTHXF_NONE:

@@ -886,11 +889,12 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)

switch (action) {

case ACTION_ADD:

ret = pfkey_sa(fd, satype, SADB_ADD, r->spi,

- r->src, r->dst, r->xfs, r->authkey, r->enckey);

+ r->src, r->dst, r->xfs, r->authkey, r->enckey,

+ r->tmode);

break;

case ACTION_DELETE:

ret = pfkey_sa(fd, satype, SADB_DELETE, r->spi,

- r->src, r->dst, r->xfs, NULL, NULL);

+ r->src, r->dst, r->xfs, NULL, NULL, r->tmode);

break;

default:

return -1;