-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 4 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 10 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 49 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkdump.c | 17 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 27 |
5 files changed, 82 insertions, 25 deletions
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index eb9abd39854..80ad8e7c81f 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.28 2005/10/28 07:18:47 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.29 2005/10/30 19:50:23 hshoexer Exp $ */
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -268,6 +268,8 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)
 printf(" auth %s", r->xfs->authxf->name);
 if (r->xfs && r->xfs->encxf)
 printf(" enc %s", r->xfs->encxf->name);
+ if (r->xfs && r->xfs->compxf)
+ printf(" comp %s", r->xfs->compxf->name);
 }
 if (r->authkey) {
 if (r->proto == IPSEC_TCPMD5)
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 1d005f1e9b4..88725c879ee 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.17 2005/08/22 17:26:46 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.18 2005/10/30 19:50:23 hshoexer Exp $ */
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -40,7 +40,7 @@ enum {
 DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
 };
 enum {
- PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_COMP, IPSEC_TCPMD5
+ PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5
 };
 enum {
 AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
@@ -58,10 +58,13 @@ enum {
 AUTHXF_HMAC_SHA2_512, AUTHXF_MD5, AUTHXF_SHA1
 };
 enum {
- ENCXF_UNKNOWN,ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,
+ ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_DES_CBC, ENCXF_AES,
 ENCXF_AESCTR, ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_NULL, ENCXF_SKIPJACK
 };
 enum {
+ COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
+};
+enum {
 IKE_ACTIVE, IKE_PASSIVE
 };
@@ -98,6 +101,7 @@ struct ipsec_xf {
 struct ipsec_transforms {
 const struct ipsec_xf *authxf;
 const struct ipsec_xf *encxf;
+ const struct ipsec_xf *compxf;
 };
 extern const struct ipsec_xf authxfs[];
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 72c44251029..aefada102e8 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.29 2005/10/28 07:18:47 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.30 2005/10/30 19:50:23 hshoexer Exp $ */
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -78,6 +78,13 @@ const struct ipsec_xf encxfs[] = {
 {NULL, 0, 0, 0},
 };
+const struct ipsec_xf compxfs[] = {
+ {"unknown", COMPXF_UNKNOWN, 0, 0},
+ {"deflate", COMPXF_DEFLATE, 0, 0},
+ {"lzs", COMPXF_LZS, 0, 0},
+ {NULL, 0, 0, 0},
+};
+
 int yyerror(const char *, ...);
 int yyparse(void);
 int kw_cmp(const void *, const void *);
@@ -106,9 +113,12 @@ struct ipsec_key *parsekey(unsigned char *, size_t);
 struct ipsec_key *parsekeyfile(char *);
 struct ipsec_addr *host(const char *);
 struct ipsec_addr *host_v4(const char *, int);
+#if 0
+struct ipsec_addr *host_if(const char *, int);
+#endif
 struct ipsec_addr *copyhost(const struct ipsec_addr *);
 const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *);
-struct ipsec_transforms *transforms(const char *, const char *);
+struct ipsec_transforms *transforms(const char *, const char *, const char *);
 struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);
 int validate_sa(u_int32_t, u_int8_t, struct ipsec_transforms *, struct ipsec_key *,
@@ -174,7 +184,7 @@ typedef struct {
 %token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
 %token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE
-%token ACTIVE ANY
+%token ACTIVE ANY IPCOMP COMPXF
 %token <v.string> STRING
 %type <v.dir> dir
 %type <v.protocol> protocol
@@ -220,7 +230,6 @@ number : STRING {
 $$ = (u_int32_t)ulval;
 free($1);
 }
- ;
 tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
 struct ipsec_rule *r;
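Review bot: The `#if 0` around the host_if() prototype in the -106 hunk commits a declaration that nothing can reference; either leave it out until the function exists or say what it is waiting on, e.g. `#if 0 /* XXX host_if() not implemented yet */`. A prototype parked under `#if 0` tends to outlive the reason it was parked, and it silently stops matching the real definition when that one finally lands.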
@@ -312,6 +321,7 @@ ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids {
 protocol : /* empty */ { $$ = IPSEC_ESP; }
 | ESP { $$ = IPSEC_ESP; }
 | AH { $$ = IPSEC_AH; }
+ | IPCOMP { $$ = IPSEC_IPCOMP; }
 ;
 dir : /* empty */ { $$ = IPSEC_INOUT; }
@@ -434,7 +444,7 @@ transforms : /* empty */ {
 $$ = xfs;
 }
 | AUTHXF STRING ENCXF STRING {
- if (($$ = transforms($2, $4)) == NULL) {
+ if (($$ = transforms($2, $4, NULL)) == NULL) {
 free($2);
 free($4);
 yyerror("could not parse transforms");
@@ -444,7 +454,7 @@ transforms : /* empty */ {
 free($4);
 }
 | AUTHXF STRING {
- if (($$ = transforms($2, NULL)) == NULL) {
+ if (($$ = transforms($2, NULL, NULL)) == NULL) {
 free($2);
 yyerror("could not parse transforms");
 YYERROR;
@@ -452,7 +462,15 @@ transforms : /* empty */ {
 free($2);
 }
 | ENCXF STRING {
- if (($$ = transforms(NULL, $2)) == NULL) {
+ if (($$ = transforms(NULL, $2, NULL)) == NULL) {
+ free($2);
+ yyerror("could not parse transforms");
+ YYERROR;
+ }
+ free($2);
+ }
+ | COMPXF STRING {
+ if (($$ = transforms(NULL, NULL, $2)) == NULL) {
 free($2);
 yyerror("could not parse transforms");
 YYERROR;
@@ -577,6 +595,7 @@ lookup(char *s)
 { "any", ANY},
 { "auth", AUTHXF},
 { "authkey", AUTHKEY},
+ { "comp", COMPXF},
 { "dstid", DSTID},
 { "enc", ENCXF},
 { "enckey", ENCKEY},
@@ -586,6 +605,7 @@ lookup(char *s)
 { "from", FROM},
 { "ike", IKE},
 { "in", IN},
+ { "ipcomp", IPCOMP},
 { "main", MAIN},
 { "out", OUT},
 { "passive", PASSIVE},
@@ -1095,7 +1115,7 @@ parse_xf(const char *name, const struct ipsec_xf xfs[])
 }
 struct ipsec_transforms *
-transforms(const char *authname, const char *encname)
+transforms(const char *authname, const char *encname, const char *compname)
 {
 struct ipsec_transforms *xfs;
@@ -1113,6 +1133,11 @@ transforms(const char *authname, const char *encname)
 if (xfs->encxf == NULL)
 yyerror("%s not a valid transform", encname);
 }
+ if (compname) {
+ xfs->compxf = parse_xf(compname, compxfs);
+ if (xfs->compxf == NULL)
+ yyerror("%s not a valid transform", compname);
+ }
 return (xfs);
 }
@@ -1164,6 +1189,14 @@ validate_sa(u_int32_t spi, u_int8_t protocol, struct ipsec_transforms *xfs,
 if (!xfs->encxf)
 xfs->encxf = &encxfs[ENCXF_AESCTR];
 }
+ if (protocol == IPSEC_IPCOMP) {
+ if (!xfs) {
+ yyerror("no transform specified");
+ return (0);
+ }
+ if (!xfs->compxf)
+ xfs->compxf = &compxfs[COMPXF_DEFLATE];
+ }
 if (protocol == IPSEC_TCPMD5 && authkey == NULL) {
 yyerror("authentication key needed for tcpmd5");
 return (0);
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index 301d0f6b5b3..f2cb74f8ebb 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.5 2005/07/09 21:54:12 hshoexer Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.6 2005/10/30 19:50:24 hshoexer Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -219,18 +219,17 @@ print_sa(struct sadb_ext *ext, struct sadb_msg *msg)
 printf(" to ");
 print_addr(extensions[SADB_EXT_ADDRESS_DST], msg);
 }
+ printf(" spi 0x%08x", ntohl(sa->sadb_sa_spi));
 if (msg->sadb_msg_satype == SADB_X_SATYPE_IPCOMP)
- printf("cpi 0x%8.8x %s",
- ntohl(sa->sadb_sa_spi),
- lookup_name(comp_types, sa->sadb_sa_encrypt));
+ printf(" comp %s", lookup_name(comp_types,
+ sa->sadb_sa_encrypt));
 else {
- printf(" spi 0x%8.8x", ntohl(sa->sadb_sa_spi));
 if (sa->sadb_sa_encrypt)
- printf(" %s",
- lookup_name(enc_types, sa->sadb_sa_encrypt));
+ printf(" enc %s", lookup_name(enc_types,
+ sa->sadb_sa_encrypt));
 if (sa->sadb_sa_auth)
- printf(" %s",
- lookup_name(auth_types, sa->sadb_sa_auth));
+ printf(" auth %s", lookup_name(auth_types,
+ sa->sadb_sa_auth));
 }
 if (sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
 printf(" tunnel");
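Review bot: The new IPSEC_IPCOMP block in validate_sa() (the -1164 hunk) only supplies a default compxf; it never rejects a `comp` transform on an esp/ah rule or an `auth`/`enc` transform on an ipcomp rule, while the companion pfkey_sa() hunk stores SADB_X_CALG_DEFLATE/LZS into sa.sadb_sa_encrypt whenever xfs->compxf is set, without looking at satype. If the grammar accepts `esp ... comp deflate` (the transforms nonterminal looks protocol-agnostic from what is shown), an ESP SA would be handed to the kernel with a compression algorithm in its encryption slot; rejecting the mismatch at parse time keeps that combination from ever reaching SADB_ADD. validate_sa() begins and ends outside the hunk, so I am assuming the ESP/AH default-filling branches above are guarded by their own protocol checks and do not touch compxf. The `&compxfs[COMPXF_DEFLATE]` default also relies on the compxfs[] table staying in enum order, as the existing encxfs[] lookup does; a one-line comment on the table would make that coupling explicit.
```c
	if (protocol == IPSEC_IPCOMP) {
		if (!xfs) {
			yyerror("no transform specified");
			return (0);
		}
		/* an IPCOMP SA carries no authentication or encryption */
		if (xfs->authxf || xfs->encxf) {
			yyerror("auth/enc transforms not valid for ipcomp");
			return (0);
		}
		if (!xfs->compxf)
			xfs->compxf = &compxfs[COMPXF_DEFLATE];
	} else if (xfs && xfs->compxf) {
		yyerror("comp transform only valid for ipcomp");
		return (0);
	}
	/* ... unchanged: tcpmd5 authkey check ... */
```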
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index 13b3a650af5..6b71fea466c 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.25 2005/10/17 07:31:44 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.26 2005/10/30 19:50:24 hshoexer Exp $ */
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
  * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -422,6 +422,19 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct
 xfs->encxf->id);
 }
 }
+ if (xfs && xfs->compxf) {
+ switch (xfs->compxf->id) {
+ case COMPXF_DEFLATE:
+ sa.sadb_sa_encrypt = SADB_X_CALG_DEFLATE;
+ break;
+ case COMPXF_LZS:
+ sa.sadb_sa_encrypt = SADB_X_CALG_LZS;
+ break;
+ default:
+ warnx("unsupported compression algorithm %d",
+ xfs->compxf->id);
+ }
+ }
 bzero(&sa_src, sizeof(sa_src));
 sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8;
@@ -431,7 +444,8 @@ pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi, struct
 sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
 sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
- if (action == SADB_ADD && !authkey && !enckey) { /* XXX ENCNULL */
+ if (action == SADB_ADD && !authkey && !enckey && satype !=
+ SADB_X_SATYPE_IPCOMP) { /* XXX ENCNULL */
 warnx("no key specified");
 return -1;
 }
@@ -563,7 +577,7 @@ pfkey_parse(struct sadb_msg *msg, struct ipsec_rule *rule)
 rule->proto = IPSEC_AH;
 break;
 case SADB_X_SATYPE_IPCOMP:
- rule->proto = IPSEC_COMP;
+ rule->proto = IPSEC_IPCOMP;
 break;
 default:
 return (1);
@@ -816,7 +830,9 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
 case IPSEC_AH:
 satype = SADB_SATYPE_AH;
 break;
- case IPSEC_COMP:
+ case IPSEC_IPCOMP:
+ satype = SADB_X_SATYPE_IPCOMP;
+ break;
 default:
 return -1;
 }
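Review bot: The `default:` arm of the new compxf switch in pfkey_sa() (the -422 hunk) only calls warnx() and then drops out of the block, so a compxf id that is neither COMPXF_DEFLATE nor COMPXF_LZS still proceeds to build and send the SADB message with sa.sadb_sa_encrypt left at whatever the earlier code put there; add `return -1;` after the warnx() so the rule fails instead of installing a half-described SA. The enc switch just above appears, from the `xfs->encxf->id);` context line, to end in the same warn-only default, though its body is outside the hunk; if so, both arms should fail the same way. pfkey_sa() starts and ends outside the hunk.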
@@ -853,6 +869,9 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
 case IPSEC_ESP:
 satype = SADB_SATYPE_ESP;
 break;
+ case IPSEC_IPCOMP:
+ satype = SADB_X_SATYPE_IPCOMP;
+ break;
 case IPSEC_TCPMD5:
 satype = SADB_X_SATYPE_TCPSIGNATURE;
 break; |