prepare for static keying

4 files changed, 48 insertions, 24 deletions

diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index 56e6b3923f0..465e2b85c18 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ipsecctl.c,v 1.22 2005/08/05 14:39:02 hshoexer Exp $	*/
+/*	$OpenBSD: ipsecctl.c,v 1.23 2005/08/08 09:15:09 hshoexer Exp $	*/
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -64,11 +64,10 @@ static const char *showopt_list[] = {
 	"flow", "sa", "all", NULL
 };
 
-static const char *ruletype[] = {"?", "flow", "tcpmd5"};
 static const char *direction[] = {"?", "in", "out"};
 static const char *flowtype[] = {"?", "use", "acquire", "require", "deny",
     "bypass", "dontacq"};
-static const char *proto[] = {"?", "esp", "ah"};
+static const char *proto[] = {"?", "esp", "ah", "ipcomp", "tcpmd5"};
 static const char *auth[] = {"?", "psk", "rsa"};
 
 int
@@ -216,7 +215,7 @@ ipsecctl_print_key(struct ipsec_key *key)
 void
 ipsecctl_print_flow(struct ipsec_rule *r, int opts)
 {
-	printf(" %s %s", proto[r->proto], direction[r->direction]);
+	printf("flow %s %s", proto[r->proto], direction[r->direction]);
 
 	printf(" from ");
 	ipsecctl_print_addr(r->src);
@@ -241,7 +240,8 @@ ipsecctl_print_flow(struct ipsec_rule *r, int opts)
 void
 ipsecctl_print_sa(struct ipsec_rule *r, int opts)
 {
-	printf(" from ");
+	printf("%s ", proto[r->proto]);
+	printf("from ");
 	ipsecctl_print_addr(r->src);
 	printf(" to ");
 	ipsecctl_print_addr(r->dst);
@@ -250,6 +250,10 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)
 		printf(" authkey 0x");
 		ipsecctl_print_key(r->authkey);
 	}
+	if (r->enckey) {
+		printf(" enckey 0x");
+		ipsecctl_print_key(r->enckey);
+	}
 }
 
 void
@@ -258,8 +262,6 @@ ipsecctl_print_rule(struct ipsec_rule *r, int opts)
 	if (opts & IPSECCTL_OPT_VERBOSE2)
 		printf("@%d ", r->nr);
 
-	printf("%s", ruletype[r->type]);
-
 	if (r->type & RULE_FLOW)
 		ipsecctl_print_flow(r, opts);
 	if (r->type & RULE_SA)
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 21fb2532862..e9a6eca54d1 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ipsecctl.h,v 1.13 2005/08/05 14:39:02 hshoexer Exp $	*/
+/*	$OpenBSD: ipsecctl.h,v 1.14 2005/08/08 09:15:09 hshoexer Exp $	*/
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -35,7 +35,7 @@ enum {
 	DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
 };
 enum {
-	PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP
+	PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP, IPSEC_TCPMD5
 };
 enum {
 	AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
@@ -47,6 +47,12 @@ enum {
 	TYPE_UNKNOWN, TYPE_USE, TYPE_ACQUIRE, TYPE_REQUIRE, TYPE_DENY,
 	TYPE_BYPASS, TYPE_DONTACQ
 };
+enum {
+	ENC_NONE
+};
+enum {
+	AUTH_NONE
+};
 
 struct ipsec_addr {
 	struct in_addr  v4;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 15dad5789e0..dbc98420294 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.18 2005/08/05 15:44:57 hshoexer Exp $	*/
+/*	$OpenBSD: parse.y,v 1.19 2005/08/08 09:15:09 hshoexer Exp $	*/
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -78,11 +78,11 @@ struct ipsec_key	*parsekey(unsigned char *, size_t);
 struct ipsec_key	*parsekeyfile(char *);
 struct ipsec_addr	*host(const char *);
 struct ipsec_addr	*copyhost(const struct ipsec_addr *);
-struct ipsec_rule	*create_sa(struct ipsec_addr *, struct ipsec_addr *,
-			 u_int32_t, struct ipsec_key *);
-
+struct ipsec_rule	*create_sa(u_int8_t, struct ipsec_addr *,
+			     struct ipsec_addr *, u_int32_t, u_int16_t,
+			     u_int16_t, struct ipsec_key *, struct ipsec_key *);
 struct ipsec_rule	*reverse_sa(struct ipsec_rule *, u_int32_t,
-			     struct ipsec_key *);
+			     struct ipsec_key *, struct ipsec_key *);
 struct ipsec_rule	*create_flow(u_int8_t, struct ipsec_addr *, struct
 			     ipsec_addr *, struct ipsec_addr *, u_int8_t,
 			     char *, char *, u_int16_t);
@@ -174,7 +174,8 @@ number		: STRING			{
 tcpmd5rule	: TCPMD5 hosts spispec authkeyspec	{
 			struct ipsec_rule	*r;
 
-			r = create_sa($2.src, $2.dst, $3.spiout, $4.keyout);
+			r = create_sa(IPSEC_TCPMD5, $2.src, $2.dst, $3.spiout,
+			    AUTH_NONE, ENC_NONE, $4.keyout, NULL);
 			if (r == NULL)
 				YYERROR;
 			r->nr = ipsec->rule_nr++;
@@ -184,7 +185,7 @@ tcpmd5rule	: TCPMD5 hosts spispec authkeyspec	{
 
 			/* Create and add reverse SA rule. */
 			if ($3.spiin != 0 || $4.keyin != NULL) {
-				r = reverse_sa(r, $3.spiin, $4.keyin);
+				r = reverse_sa(r, $3.spiin, $4.keyin, NULL);
 				if (r == NULL)
 					YYERROR;
 				r->nr = ipsec->rule_nr++;
@@ -866,12 +867,15 @@ copyhost(const struct ipsec_addr *src)
 }
 
 struct ipsec_rule *
-create_sa(struct ipsec_addr *src, struct ipsec_addr *dst, u_int32_t spi,
-    struct ipsec_key *authkey)
+create_sa(u_int8_t protocol, struct ipsec_addr *src, struct ipsec_addr *dst,
+    u_int32_t spi, u_int16_t authxf, u_int16_t encxf,
+    struct ipsec_key *authkey, struct ipsec_key *enckey)
 {
 	struct ipsec_rule *r;
 
-	if (spi == 0 || authkey == NULL)
+	if (spi == 0)
+		return (NULL);
+	if (protocol == IPSEC_TCPMD5 && authkey == NULL)
 		return (NULL);
 
 	r = calloc(1, sizeof(struct ipsec_rule));
@@ -879,21 +883,25 @@ create_sa(struct ipsec_addr *src, struct ipsec_addr *dst, u_int32_t spi,
 		err(1, "calloc");
 
 	r->type |= RULE_SA;
-
+	r->proto = protocol;
 	r->src = src;
 	r->dst = dst;
 	r->spi = spi;
 	r->authkey = authkey;
+	r->enckey = enckey;
 
 	return r;
 }
 
 struct ipsec_rule *
-reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey)
+reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
+    struct ipsec_key *enckey)
 {
 	struct ipsec_rule *reverse;
 
-	if (spi == 0 || authkey == NULL)
+	if (spi == 0)
+		return (NULL);
+	if (rule->proto == IPSEC_TCPMD5 && authkey == NULL)
 		return (NULL);
 
 	reverse = calloc(1, sizeof(struct ipsec_rule));
@@ -901,10 +909,12 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey)
 		err(1, "calloc");
 
 	reverse->type |= RULE_SA;
+	reverse->proto = rule->proto;
 	reverse->src = copyhost(rule->dst);
 	reverse->dst = copyhost(rule->src);
 	reverse->spi = spi;
 	reverse->authkey = authkey;
+	reverse->enckey = enckey;
 
 	return (reverse);
 }
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 2a4b0314b75..b78d364620f 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfkey.c,v 1.19 2005/08/05 14:39:02 hshoexer Exp $	*/
+/*	$OpenBSD: pfkey.c,v 1.20 2005/08/08 09:15:09 hshoexer Exp $	*/
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
  * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -758,7 +758,13 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
 			return -1;
 		}
 	} else if (r->type == RULE_SA) {
-		satype = SADB_X_SATYPE_TCPSIGNATURE;
+		switch (r->proto) {
+		case IPSEC_TCPMD5:
+			satype = SADB_X_SATYPE_TCPSIGNATURE;
+			break;
+		default:
+			return -1;
+		}
 		switch (action) {
 		case PFK_ACTION_ADD:
 			ret = pfkey_sa(fd, satype, SADB_ADD, r->spi,