UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)

ok deraadt@

4 files changed, 48 insertions, 5 deletions

diff --git a/sbin/ipsecadm/ipsecadm.8 b/sbin/ipsecadm/ipsecadm.8
index 75a09c0fe88..948efd103d0 100644
--- a/sbin/ipsecadm/ipsecadm.8
+++ b/sbin/ipsecadm/ipsecadm.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsecadm.8,v 1.62 2003/07/24 08:03:19 itojun Exp $
+.\" $OpenBSD: ipsecadm.8,v 1.63 2003/12/02 23:16:29 markus Exp $
 .\"
 .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
 .\" All rights reserved.
@@ -90,6 +90,7 @@ modifiers are:
 .Fl authkey ,
 .Fl authkeyfile ,
 .Fl forcetunnel ,
+.Fl udpencap ,
 .Fl key ,
 and
 .Fl keyfile .
@@ -382,6 +383,10 @@ and
 options.
 Notice that the IPsec stack will perform IP-inside-IP encapsulation
 when deemed necessary, even if this flag has not been set.
+.It Fl udpencap
+Enable ESP-inside-UDP encapsulation.
+The UDP destination port must be specified on the command line.
+This port will be used for sending encapsulated UDP packets.
 .It Fl enc
 The encryption algorithm to be used with the SA.
 Possible values are:
diff --git a/sbin/ipsecadm/ipsecadm.c b/sbin/ipsecadm/ipsecadm.c
index 08e24e36d67..f12c49e0896 100644
--- a/sbin/ipsecadm/ipsecadm.c
+++ b/sbin/ipsecadm/ipsecadm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecadm.c,v 1.70 2003/09/23 18:09:20 itojun Exp $ */
+/* $OpenBSD: ipsecadm.c,v 1.71 2003/12/02 23:16:29 markus Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -286,6 +286,7 @@ usage(void)
 	    "\t  -src <ip>\t\t\tsource address to be used\n"
 	    "\t  -halfiv\t\t\tuse 4-byte IV in old ESP\n"
 	    "\t  -forcetunnel\t\t\tforce IP-in-IP encapsulation\n"
+	    "\t  -udpencap <port>\t\tenable ESP-in-UDP encapsulation\n"
 	    "\t  -dst <ip>\t\t\tdestination address to be used\n"
 	    "\t  -proto <val>\t\t\tsecurity protocol\n"
 	    "\t  -proxy <ip>\t\t\tproxy address to be used\n"
@@ -309,7 +310,7 @@ usage(void)
 	    "\t  -dontacq\t\t\trequire, without using key mgmt.\n"
 	    "\t  -in\t\t\t\tspecify incoming-packet policy\n"
 	    "\t  -out\t\t\t\tspecify outgoing-packet policy\n"
-	    "\t  -[ah|esp|ip4|ipcomp]\t\t\tflush a particular protocol\n"
+	    "\t  -[ah|esp|ip4|ipcomp]\t\tflush a particular protocol\n"
 	    "\t  -srcid\t\t\tsource identity for flows\n"
 	    "\t  -dstid\t\t\tdestination identity for flows\n"
 	    "\t  -srcid_type\t\t\tsource identity type\n"
@@ -345,6 +346,7 @@ main(int argc, char *argv[])
 	struct sadb_ident sid1, sid2;
 	struct sadb_key skey1, skey2;
 	struct sadb_protocol sprotocol, sprotocol2;
+	struct sadb_x_udpencap udpencap;	/* Peer UDP Port */
 	u_char realkey[8192], realakey[8192];
 	struct iovec iov[30];
 	struct addrinfo hints, *res;
@@ -375,6 +377,7 @@ main(int argc, char *argv[])
 	memset(realakey, 0, sizeof(realakey));
 	memset(&sid1, 0, sizeof(sid1));
 	memset(&sid2, 0, sizeof(sid2));
+	memset(&udpencap, 0, sizeof(udpencap));
 
 	src = (union sockaddr_union *) srcbuf;
 	dst = (union sockaddr_union *) dstbuf;
@@ -921,6 +924,24 @@ main(int argc, char *argv[])
 			sa.sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
 			continue;
 		}
+		if (!strcmp(argv[i] + 1, "udpencap") &&
+		    udpencap.sadb_x_udpencap_port == 0 && (i + 1 < argc)) {
+			if (!(mode & ESP_NEW)) {
+				fprintf(stderr, "%s: option udpencap can "
+				    "be used only with new ESP\n", argv[0]);
+				exit(1);
+			}
+			sa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
+			udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
+			udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8;
+			udpencap.sadb_x_udpencap_port =
+			    strtoul(argv[i + 1], NULL, 10);
+			udpencap.sadb_x_udpencap_port =
+			    htons(udpencap.sadb_x_udpencap_port);
+			udpencap.sadb_x_udpencap_reserved = 0;
+			i++;
+			continue;
+		}
 		if (!strcmp(argv[i] + 1, "halfiv")) {
 			if (!(mode & ESP_OLD)) {
 				fprintf(stderr,
@@ -1520,6 +1541,11 @@ argfail:
 			skey2.sadb_key_bits = 8 * alen;
 			smsg.sadb_msg_len += skey2.sadb_key_len;
 		}
+		if (sa.sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP) {
+			iov[cnt].iov_base = &udpencap;
+			iov[cnt++].iov_len = sizeof(udpencap);
+			smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len;
+		}
 	} else {
 		switch (mode & CMD_MASK) {
 		case GRP_SPI:
diff --git a/sbin/ipsecadm/pfkdump.c b/sbin/ipsecadm/pfkdump.c
index 08853fe3655..3e9532a936a 100644
--- a/sbin/ipsecadm/pfkdump.c
+++ b/sbin/ipsecadm/pfkdump.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfkdump.c,v 1.8 2003/07/29 18:38:36 deraadt Exp $	*/
+/*	$OpenBSD: pfkdump.c,v 1.9 2003/12/02 23:16:29 markus Exp $	*/
 
 /*
  * Copyright (c) 2003 Markus Friedl.  All rights reserved.
@@ -52,6 +52,7 @@ void	print_ident(struct sadb_ext *, struct sadb_msg *);
 void	print_policy(struct sadb_ext *, struct sadb_msg *);
 void	print_cred(struct sadb_ext *, struct sadb_msg *);
 void	print_auth(struct sadb_ext *, struct sadb_msg *);
+void	print_udpenc(struct sadb_ext *, struct sadb_msg *);
 
 struct idname *lookup(struct idname [], u_int8_t);
 char	*lookup_name(struct idname [], u_int8_t);
@@ -104,6 +105,7 @@ struct idname ext_types[] = {
 	{ SADB_X_EXT_LOCAL_AUTH,	"x_local_auth",		print_auth },
 	{ SADB_X_EXT_REMOTE_AUTH,	"x_remote_auth",	print_auth },
 	{ SADB_X_EXT_SUPPORTED_COMP,	"x_supported_comp",	print_supp },
+	{ SADB_X_EXT_UDPENCAP,		"x_udpencap",		print_udpenc },
 	{ 0,				NULL,			NULL }
 };
 
@@ -533,6 +535,14 @@ print_auth(struct sadb_ext *ext, struct sadb_msg *msg)
 }
 
 void
+print_udpenc(struct sadb_ext *ext, struct sadb_msg *msg)
+{
+	struct sadb_x_udpencap *x_udpencap = (struct sadb_x_udpencap *) ext;
+
+	printf("udpencap port %u\n", ntohs(x_udpencap->sadb_x_udpencap_port));
+}
+
+void
 msg_send(int pfkey, u_int8_t satype, u_int8_t mtype)
 {
 	struct sadb_msg msg;
diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8
index 32f748a6ee0..84737672388 100644
--- a/sbin/sysctl/sysctl.8
+++ b/sbin/sysctl/sysctl.8
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: sysctl.8,v 1.109 2003/10/17 21:04:57 mcbride Exp $
+.\"	$OpenBSD: sysctl.8,v 1.110 2003/12/02 23:16:29 markus Exp $
 .\"	$NetBSD: sysctl.8,v 1.4 1995/09/30 07:12:49 thorpej Exp $
 .\"
 .\" Copyright (c) 1993
@@ -240,6 +240,8 @@ privilege can change the value.
 .It net.inet.gre.allow	integer	yes
 .It net.inet.gre.wccp	integer	yes
 .It net.inet.esp.enable	integer	yes
+.It net.inet.esp.udpencap	integer	yes
+.It net.inet.esp.udpencap_port	integer	yes
 .It net.inet.ah.enable	integer	yes
 .It net.inet.mobileip.allow	integer	yes
 .It net.inet.etherip.allow	integer	yes