src - OpenBSD base system

diff options


context:
space:
mode:

author	Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org>	2005-10-30 19:50:25 +0000
committer	Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org>	2005-10-30 19:50:25 +0000
commit	91398d4504c457003e896acbf5f781048215dafc (patch)
tree	a95971356f9032bcc6fb44fbb48e03b8128c9050 /sbin
parent	ca05097b98440835495e82aa7e6818085ab4e93e (diff)

add support for ipcomp.

Diffstat (limited to 'sbin')

-rw-r--r--

sbin/ipsecctl/ipsecctl.c

-rw-r--r--

sbin/ipsecctl/ipsecctl.h

-rw-r--r--

sbin/ipsecctl/parse.y

-rw-r--r--

sbin/ipsecctl/pfkdump.c

-rw-r--r--

sbin/ipsecctl/pfkey.c

5 files changed, 82 insertions, 25 deletions

diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index eb9abd39854..80ad8e7c81f 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ipsecctl.c,v 1.28 2005/10/28 07:18:47 hshoexer Exp $ */

+/* $OpenBSD: ipsecctl.c,v 1.29 2005/10/30 19:50:23 hshoexer Exp $ */

@@ -268,6 +268,8 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)

printf(" auth %s", r->xfs->authxf->name);

if (r->xfs && r->xfs->encxf)

printf(" enc %s", r->xfs->encxf->name);

+ if (r->xfs && r->xfs->compxf)

+ printf(" comp %s", r->xfs->compxf->name);

}

if (r->authkey) {

if (r->proto == IPSEC_TCPMD5)

diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 1d005f1e9b4..88725c879ee 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: ipsecctl.h,v 1.17 2005/08/22 17:26:46 hshoexer Exp $ */

+/* $OpenBSD: ipsecctl.h,v 1.18 2005/10/30 19:50:23 hshoexer Exp $ */

@@ -40,7 +40,7 @@ enum {

DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT

};

enum {

- PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP, IPSEC_TCPMD5

+ PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5

};

enum {

AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA

@@ -58,10 +58,13 @@ enum {

AUTHXF_HMAC_SHA2_512, AUTHXF_MD5, AUTHXF_SHA1

};

enum {

- ENCXF_UNKNOWN,ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,

+ ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,

ENCXF_AESCTR, ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_NULL, ENCXF_SKIPJACK

};

enum {

+ COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS

+};

+enum {

IKE_ACTIVE, IKE_PASSIVE

};

@@ -98,6 +101,7 @@ struct ipsec_xf {

struct ipsec_transforms {

const struct ipsec_xf *authxf;

const struct ipsec_xf *encxf;

+ const struct ipsec_xf *compxf;

};

extern const struct ipsec_xf authxfs[];

diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 72c44251029..aefada102e8 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y

@@ -1,4 +1,4 @@

-/* $OpenBSD: parse.y,v 1.29 2005/10/28 07:18:47 hshoexer Exp $ */

+/* $OpenBSD: parse.y,v 1.30 2005/10/30 19:50:23 hshoexer Exp $ */

@@ -78,6 +78,13 @@ const struct ipsec_xf encxfs[] = {

{NULL, 0, 0, 0},

};

+const struct ipsec_xf compxfs[] = {

+ {"unknown", COMPXF_UNKNOWN, 0, 0},

+ {"deflate", COMPXF_DEFLATE, 0, 0},

+ {"lzs", COMPXF_LZS, 0, 0},

+ {NULL, 0, 0, 0},

+};

int yyerror(const char *, ...);

int yyparse(void);

int kw_cmp(const void *, const void *);

@@ -106,9 +113,12 @@ struct ipsec_key *parsekey(unsigned char *, size_t);

struct ipsec_key *parsekeyfile(char *);

struct ipsec_addr *host(const char *);

struct ipsec_addr *host_v4(const char *, int);

+#if 0

+struct ipsec_addr *host_if(const char *, int);

+#endif

struct ipsec_addr *copyhost(const struct ipsec_addr *);

const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *);

-struct ipsec_transforms *transforms(const char *, const char *);

+struct ipsec_transforms *transforms(const char *, const char *, const char *);

struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);

int validate_sa(u_int32_t, u_int8_t,

struct ipsec_transforms *, struct ipsec_key *,

@@ -174,7 +184,7 @@ typedef struct {

%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI

%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE

-%token ACTIVE ANY

+%token ACTIVE ANY IPCOMP COMPXF

%token <v.string> STRING

%type <v.dir> dir

%type <v.protocol> protocol

@@ -220,7 +230,6 @@ number : STRING {

$$ = (u_int32_t)ulval;

free($1);

}

- ;

tcpmd5rule : TCPMD5 hosts spispec authkeyspec {

struct ipsec_rule *r;

@@ -312,6 +321,7 @@ ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids {

protocol : /* empty */ { $$ = IPSEC_ESP; }

| ESP { $$ = IPSEC_ESP; }

| AH { $$ = IPSEC_AH; }

+ | IPCOMP { $$ = IPSEC_IPCOMP; }

;

dir : /* empty */ { $$ = IPSEC_INOUT; }

@@ -434,7 +444,7 @@ transforms : /* empty */ {

$$ = xfs;

}

| AUTHXF STRING ENCXF STRING {

- if (($$ = transforms($2, $4)) == NULL) {

+ if (($$ = transforms($2, $4, NULL)) == NULL) {

free($2);

free($4);

yyerror("could not parse transforms");

@@ -444,7 +454,7 @@ transforms : /* empty */ {

free($4);

}

| AUTHXF STRING {

- if (($$ = transforms($2, NULL)) == NULL) {

+ if (($$ = transforms($2, NULL, NULL)) == NULL) {

free($2);

yyerror("could not parse transforms");

YYERROR;

@@ -452,7 +462,15 @@ transforms : /* empty */ {

free($2);

}

| ENCXF STRING {

- if (($$ = transforms(NULL, $2)) == NULL) {

+ if (($$ = transforms(NULL, $2, NULL)) == NULL) {

+ free($2);

+ yyerror("could not parse transforms");

+ YYERROR;

+ }

+ free($2);

+ }

+ | COMPXF STRING {

+ if (($$ = transforms(NULL, NULL, $2)) == NULL) {

free($2);

yyerror("could not parse transforms");

YYERROR;

@@ -577,6 +595,7 @@ lookup(char *s)

{ "any", ANY},

{ "auth", AUTHXF},

{ "authkey", AUTHKEY},

+ { "comp", COMPXF},

{ "dstid", DSTID},

{ "enc", ENCXF},

{ "enckey", ENCKEY},

@@ -586,6 +605,7 @@ lookup(char *s)

{ "from", FROM},

{ "ike", IKE},

{ "in", IN},

+ { "ipcomp", IPCOMP},

{ "main", MAIN},

{ "out", OUT},

{ "passive", PASSIVE},

@@ -1095,7 +1115,7 @@ parse_xf(const char *name, const struct ipsec_xf xfs[])

}

struct ipsec_transforms *

-transforms(const char *authname, const char *encname)

+transforms(const char *authname, const char *encname, const char *compname)

{

struct ipsec_transforms *xfs;

@@ -1113,6 +1133,11 @@ transforms(const char *authname, const char *encname)

if (xfs->encxf == NULL)

yyerror("%s not a valid transform", encname);

}

+ if (compname) {

+ xfs->compxf = parse_xf(compname, compxfs);

+ if (xfs->compxf == NULL)

+ yyerror("%s not a valid transform", compname);

+ }

return (xfs);

}

@@ -1164,6 +1189,14 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,

if (!xfs->encxf)

xfs->encxf = &encxfs[ENCXF_AESCTR];

}

+ if (protocol == IPSEC_IPCOMP) {

+ if (!xfs) {

+ yyerror("no transform specified");

+ return (0);

+ }

+ if (!xfs->compxf)

+ xfs->compxf = &compxfs[COMPXF_DEFLATE];

+ }

if (protocol == IPSEC_TCPMD5 && authkey == NULL) {

yyerror("authentication key needed for tcpmd5");

return (0);

diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index 301d0f6b5b3..f2cb74f8ebb 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pfkdump.c,v 1.5 2005/07/09 21:54:12 hshoexer Exp $ */

+/* $OpenBSD: pfkdump.c,v 1.6 2005/10/30 19:50:24 hshoexer Exp $ */

@@ -219,18 +219,17 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg)

printf(" to ");

print_addr(extensions[SADB_EXT_ADDRESS_DST], msg);

}

+ printf(" spi 0x%08x", ntohl(sa->sadb_sa_spi));

if (msg->sadb_msg_satype == SADB_X_SATYPE_IPCOMP)

- printf("cpi 0x%8.8x %s",

- ntohl(sa->sadb_sa_spi),

- lookup_name(comp_types, sa->sadb_sa_encrypt));

+ printf(" comp %s", lookup_name(comp_types,

+ sa->sadb_sa_encrypt));

else {

- printf(" spi 0x%8.8x", ntohl(sa->sadb_sa_spi));

if (sa->sadb_sa_encrypt)

- printf(" %s",

- lookup_name(enc_types, sa->sadb_sa_encrypt));

+ printf(" enc %s", lookup_name(enc_types,

+ sa->sadb_sa_encrypt));

if (sa->sadb_sa_auth)

- printf(" %s",

- lookup_name(auth_types, sa->sadb_sa_auth));

+ printf(" auth %s", lookup_name(auth_types,

+ sa->sadb_sa_auth));

}

if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)

printf(" tunnel");

diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 13b3a650af5..6b71fea466c 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pfkey.c,v 1.25 2005/10/17 07:31:44 hshoexer Exp $ */

+/* $OpenBSD: pfkey.c,v 1.26 2005/10/30 19:50:24 hshoexer Exp $ */

@@ -422,6 +422,19 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct

xfs->encxf->id);

}

+ if (xfs && xfs->compxf) {

+ switch (xfs->compxf->id) {

+ case COMPXF_DEFLATE:

+ sa.sadb_sa_encrypt = SADB_X_CALG_DEFLATE;

+ break;

+ case COMPXF_LZS:

+ sa.sadb_sa_encrypt = SADB_X_CALG_LZS;

+ break;

+ default:

+ warnx("unsupported compression algorithm %d",

+ xfs->compxf->id);

+ }

bzero(&sa_src, sizeof(sa_src));

sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;

@@ -431,7 +444,8 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct

sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;

sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;

- if (action == SADB_ADD && !authkey && !enckey) { /* XXX ENCNULL */

+ if (action == SADB_ADD && !authkey && !enckey && satype !=

+ SADB_X_SATYPE_IPCOMP) { /* XXX ENCNULL */

warnx("no key specified");

return -1;

}

@@ -563,7 +577,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)

rule->proto = IPSEC_AH;

break;

case SADB_X_SATYPE_IPCOMP:

- rule->proto = IPSEC_COMP;

+ rule->proto = IPSEC_IPCOMP;

break;

default:

return (1);

@@ -816,7 +830,9 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)

case IPSEC_AH:

satype = SADB_SATYPE_AH;

break;

- case IPSEC_COMP:

+ case IPSEC_IPCOMP:

+ satype = SADB_X_SATYPE_IPCOMP;

+ break;

default:

return -1;

}

@@ -853,6 +869,9 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)

case IPSEC_ESP:

satype = SADB_SATYPE_ESP;

break;

+ case IPSEC_IPCOMP:

+ satype = SADB_X_SATYPE_IPCOMP;

+ break;

case IPSEC_TCPMD5:

satype = SADB_X_SATYPE_TCPSIGNATURE;

break;