authorHenning Brauer <henning@cvs.openbsd.org>2004-05-08 17:40:54 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2004-05-08 17:40:54 +0000
commit28c7c148d800bbae6bf377af3648493f844624c9 (patch)
tree17f967d6bf06204cc19a4718e79bae4a4f2a1500 /usr.sbin
parentb0dac668894a2468b9e9c4e09a27a01f21aac758 (diff)
add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual keys in printconf
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/bgpd/parse.y36
-rw-r--r--usr.sbin/bgpd/printconf.c14
2 files changed, 33 insertions, 17 deletions
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y
index 83dbf7e648c..f38fc15ec58 100644
--- a/usr.sbin/bgpd/parse.y
+++ b/usr.sbin/bgpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.103 2004/05/08 17:23:20 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.104 2004/05/08 17:40:53 henning Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -123,7 +123,7 @@ typedef struct {
%token ERROR
%token IPSEC ESP AH SPI IKE
%token <v.string> STRING
-%type <v.number> number asnumber optnumber yesno inout
+%type <v.number> number asnumber optnumber yesno inout espah
%type <v.string> string
%type <v.addr> address
%type <v.prefix> prefix addrspec
@@ -539,21 +539,17 @@ peeropts : REMOTEAS asnumber {
curpeer->conf.auth.md5key_len = strlen($4) / 2;
free($4);
}
- | IPSEC ESP IKE {
+ | IPSEC espah IKE {
if (curpeer->conf.auth.method) {
yyerror("auth method cannot be redefined");
YYERROR;
}
- curpeer->conf.auth.method = AUTH_IPSEC_IKE_ESP;
- }
- | IPSEC AH IKE {
- if (curpeer->conf.auth.method) {
- yyerror("auth method cannot be redefined");
- YYERROR;
- }
- curpeer->conf.auth.method = AUTH_IPSEC_IKE_AH;
+ if ($2)
+ curpeer->conf.auth.method = AUTH_IPSEC_IKE_ESP;
+ else
+ curpeer->conf.auth.method = AUTH_IPSEC_IKE_AH;
}
- | IPSEC ESP inout SPI number STRING STRING encspec {
+ | IPSEC espah inout SPI number STRING STRING encspec {
u_int32_t auth_alg;
u_int8_t keylen;
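Review bot: The new `if ($2)` in the `IPSEC espah IKE` action depends on the numeric encoding the `espah` rule assigns (1 for ESP, 0 for AH), but nothing at the use site says so, and a reader of this action alone cannot tell which branch is which without finding that rule. A one-line comment above the test, `/* espah yields 1 for esp, 0 for ah */`, would make the branch self-explanatory. The same applies to the `if ($2)` added to the manual-key action in the hunk starting at `@@ -584,6 +579,17 @@`. The enclosing `peeropts` rule starts before this hunk and continues past it.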
@@ -561,7 +557,6 @@ peeropts : REMOTEAS asnumber {
yyerror("auth method cannot be redefined");
YYERROR;
}
- curpeer->conf.auth.method = AUTH_IPSEC_MANUAL_ESP;
if (!strcmp($6, "sha1")) {
auth_alg = SADB_AALG_SHA1HMAC;
@@ -584,6 +579,17 @@ peeropts : REMOTEAS asnumber {
YYERROR;
}
+ if ($2)
+ curpeer->conf.auth.method = AUTH_IPSEC_MANUAL_ESP;
+ else {
+ if ($8.enc_alg) {
+ yyerror("\"ipsec ah\" doesn't take encryption keys");
+ free($7);
+ YYERROR;
+ }
+ curpeer->conf.auth.method = AUTH_IPSEC_MANUAL_AH;
+ }
+
if ($3 == 1) {
if (str2key($7, curpeer->conf.auth.auth_key_in,
sizeof(curpeer->conf.auth.auth_key_in)) ==
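Review bot: The new rejection branch for `"ipsec ah" doesn't take encryption keys` frees `$7` before `YYERROR` but not `$6`, the auth-algorithm string that was still in use at the top of the previous hunk (`if (!strcmp($6, "sha1"))`). Whether `$6` has already been released by the lines between the two hunks is outside this view, so it is worth confirming that this exit matches the other error exits of the action; if it does not, the string leaks on every rejected `ipsec ah ... ` configuration line. The enclosing action starts before this hunk and continues past it.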
@@ -633,6 +639,10 @@ peeropts : REMOTEAS asnumber {
| mrtdump
;
+espah : ESP { $$ = 1; }
+ | AH { $$ = 0; }
+ ;
+
encspec : /* nada */ {
bzero(&$$, sizeof($$));
}
diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c
index e6b9d17c725..439d5bf7033 100644
--- a/usr.sbin/bgpd/printconf.c
+++ b/usr.sbin/bgpd/printconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printconf.c,v 1.17 2004/04/28 04:34:46 henning Exp $ */
+/* $OpenBSD: printconf.c,v 1.18 2004/05/08 17:40:53 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -128,6 +128,7 @@ print_peer(struct peer_config *p)
const char *tab = "\t";
const char *nada = "";
const char *c;
+ char *method;
if (p->group[0]) {
printf("group \"%s\" {\n", p->group);
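Review bot: The added `char *method;` is only ever assigned string literals (`"esp"`/`"ah"` in the following hunk), so it should be declared `const char *method;`, matching the `const char *tab`, `nada` and `c` declarations directly above it. Leaving it non-const invites a later write through the pointer into a string literal, which is undefined behaviour. The change is the one declaration line: `const char *method;`. `print_peer` starts before this hunk and continues past it.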
@@ -170,14 +171,19 @@ print_peer(struct peer_config *p)
if (p->auth.method == AUTH_MD5SIG)
printf("%s\ttcp md5sig\n", c);
- else if (p->auth.method == AUTH_IPSEC_MANUAL_ESP) {
- printf("%s\tipsec esp in spi %u %s XXXXXX", c, p->auth.spi_in,
+ else if (p->auth.method == AUTH_IPSEC_MANUAL_ESP || p->auth.method == AUTH_IPSEC_MANUAL_AH) {
+ if (p->auth.method == AUTH_IPSEC_MANUAL_ESP)
+ method = "esp";
+ else
+ method = "ah";
+
+ printf("%s\tipsec %s in spi %u %s XXXXXX", c, method, p->auth.spi_in,
print_auth_alg(p->auth.auth_alg_in));
if (p->auth.enc_alg_in)
printf(" %s XXXXXX", print_enc_alg(p->auth.enc_alg_in));
printf("\n");
- printf("%s\tipsec esp out spi %u %s XXXXXX", c, p->auth.spi_out,
+ printf("%s\tipsec %s out spi %u %s XXXXXX", c, method, p->auth.spi_out,
print_auth_alg(p->auth.auth_alg_out));
if (p->auth.enc_alg_out)
printf(" %s XXXXXX",