Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 12 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 14 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 5 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 38 | ||||
-rw-r--r-- | sbin/ipsecctl/pfkey.c | 6 |
5 files changed, 42 insertions, 33 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index f2c1224d496..de86f4eade5 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.12 2005/07/23 20:44:36 hshoexer Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.13 2005/08/05 14:39:02 hshoexer Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
 .\"
@@ -119,7 +119,7 @@ following rule:
 .Aq Ar dst
 .Ar spi
 .Aq Ar number
-.Ar key
+.Ar authkey
 .Aq Ar hex string
 .Xc
 This rule applies for packets with source address
@@ -130,17 +130,17 @@ All addresses are specified in CIDR notation.
 The parameter
 .Ar spi
 is a 32-bit value defining the Security Parameter Index (SPI) for this SA.
-The key to be used is a hexadecimal string of arbitrary length.
+The authentication key to be used is a hexadecimal string of arbitrary length.
 For both
 .Ar spi
 and
-.Ar key
+.Ar authkey
 it is possible to specify two values separated by a colon.
 .Xr ipsecctl 8
 will then generate the matching incoming SA using the second values for
 .Ar spi
 and
-.Ar key .
+.Ar authkey .
 .El
 .Pp
 For details on how to enable TCP MD5 signatures see
@@ -163,7 +163,7 @@ flow esp in from 192.168.8.0/24 to 192.168.7.0/24 peer 192.168.3.12
 # Set up keys for TCP MD5 signatures
 tcpmd5 from 192.168.3.14 to 192.168.3.27 spi 0x1000:0x1001 \\
-	key 0xdeadbeef:0xbeefdead
+	authkey 0xdeadbeef:0xbeefdead
 .Ed
 .Sh SEE ALSO
 .Xr ipsec 4 ,
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index 0dff2042a45..56e6b3923f0 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.21 2005/08/03 15:27:01 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.22 2005/08/05 14:39:02 hshoexer Exp $ */
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -158,9 +158,9 @@ ipsecctl_commit(int action, struct ipsecctl *ipsec)
 			free(rp->auth->dstid);
 		}
 		free(rp->auth);
-		if (rp->key) {
-			free(rp->key->data);
-			free(rp->key);
+		if (rp->authkey) {
+			free(rp->authkey->data);
+			free(rp->authkey);
 		}
 		free(rp);
 	}
@@ -246,9 +246,9 @@ ipsecctl_print_sa(struct ipsec_rule *r, int opts)
 	printf(" to ");
 	ipsecctl_print_addr(r->dst);
 	printf(" spi 0x%08x", r->spi);
-	if (r->key) {
-		printf(" key 0x");
-		ipsecctl_print_key(r->key);
+	if (r->authkey) {
+		printf(" authkey 0x");
+		ipsecctl_print_key(r->authkey);
 	}
 }
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 90d70b1ea30..21fb2532862 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.12 2005/08/02 15:47:25 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.13 2005/08/05 14:39:02 hshoexer Exp $ */
 /*
  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -78,7 +78,8 @@ struct ipsec_rule {
 	struct ipsec_addr *dst;
 	struct ipsec_addr *peer;
 	struct ipsec_auth *auth;
-	struct ipsec_key *key;
+	struct ipsec_key *authkey;
+	struct ipsec_key *enckey;
 	u_int8_t proto;
 	u_int8_t direction;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 802d6f22367..6e97a540624 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.16 2005/08/05 14:09:27 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.17 2005/08/05 14:39:02 hshoexer Exp $ */
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
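Review bot: The new `enckey` member added to `struct ipsec_rule` in the ipsecctl.h hunk has no matching release in the ipsecctl_commit cleanup hunk above it, which frees only `rp->authkey->data` and `rp->authkey`. Nothing in this commit appears to populate `enckey` (calloc leaves it NULL), so this is presumably staged work, but once the parser fills it each rule will leak the key object on commit. Mirroring the authkey branch now, `if (rp->enckey) { free(rp->enckey->data); free(rp->enckey); }`, keeps the cleanup complete, and since the buffer will hold encryption-key material it is worth clearing `data` before freeing it when that path lands. A one-line comment on the new field, `/* encryption key for the SA; not yet set by the parser */`, would make the staging explicit to readers of the header. Both ipsecctl_commit and struct ipsec_rule extend beyond the hunks shown.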
@@ -113,15 +113,19 @@ typedef struct {
 		struct {
 			struct ipsec_key *keyout;
 			struct ipsec_key *keyin;
-		} keys;
+		} authkeys;
+		struct {
+			struct ipsec_key *keyout;
+			struct ipsec_key *keyin;
+		} enckeys;
 	} v;
 	int lineno;
 } YYSTYPE;
 %}
-%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI KEY
-%token KEYFILE ERROR
+%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
+%token AUTHKEY ENCKEY KEYFILE ERROR
 %token <v.string> STRING
 %type <v.dir> dir
 %type <v.protocol> protocol
@@ -133,7 +137,8 @@ typedef struct {
 %type <v.id> id
 %type <v.authtype> authtype
 %type <v.spis> spispec
-%type <v.keys> keyspec
+%type <v.authkeys> authkeyspec
+%type <v.enckeys> enckeyspec
 %%
 grammar : /* empty */
@@ -160,7 +165,7 @@ number : STRING {
 		free($1);
 	}
-tcpmd5rule : TCPMD5 hosts spispec keyspec {
+tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
 		struct ipsec_rule *r;
 		r = create_sa($2.src, $2.dst, $3.spiout, $4.keyout);
@@ -309,11 +314,11 @@ spispec : SPI STRING {
 	}
 	;
-keyspec : /* empty */ {
+authkeyspec : /* empty */ {
 		$$.keyout = NULL;
 		$$.keyin = NULL;
 	}
-	| KEY STRING {
+	| AUTHKEY STRING {
 		unsigned char *hex;
 		unsigned char *p = strchr($2, ':');
@@ -355,6 +360,8 @@ keyspec : /* empty */ {
 		free($2);
 	}
 	;
+
+mode : /* empty */ { };
 %%
 struct keywords {
@@ -389,12 +396,13 @@ lookup(char *s)
 	/* this has to be sorted always */
 	static const struct keywords keywords[] = {
 		{ "ah", AH},
+		{ "authkey", AUTHKEY},
 		{ "dstid", DSTID},
+		{ "enckey", ENCKEY},
 		{ "esp", ESP},
 		{ "flow", FLOW},
 		{ "from", FROM},
 		{ "in", IN},
-		{ "key", KEY},
 		{ "keyfile", KEYFILE},
 		{ "out", OUT},
 		{ "peer", PEER},
@@ -828,11 +836,11 @@ copyhost(const struct ipsec_addr *src)
 struct ipsec_rule *
 create_sa(struct ipsec_addr *src, struct ipsec_addr *dst, u_int32_t spi,
-    struct ipsec_key *key)
+    struct ipsec_key *authkey)
 {
 	struct ipsec_rule *r;
-	if (spi == 0 || key == NULL)
+	if (spi == 0 || authkey == NULL)
 		return (NULL);
 	r = calloc(1, sizeof(struct ipsec_rule));
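Review bot: The `%type <v.enckeys> enckeyspec` declaration in the second hunk names a nonterminal that has no production anywhere in this patch, and the `enckey` entry added to the sorted keyword table in the last hunk yields an `ENCKEY` token that no rule consumes, so a configuration that already uses `enckey` will presumably fail with the generic parser syntax error rather than a message saying the keyword is not yet supported. The `mode : /* empty */ { };` nonterminal added in the `-355` hunk is likewise referenced by no rule and its action is empty, which most yacc implementations will report as an unused nonterminal. If this is deliberately staged, a short comment beside each, `/* XXX enckey/mode grammar not yet implemented */`, would record the intent and explain those warnings; otherwise the `enckeyspec` production belongs in the same commit as the token and type declaration. The grammar and the keyword table continue outside these hunks.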
@@ -844,17 +852,17 @@ create_sa(struct ipsec_addr *src, struct ipsec_addr *dst, u_int32_t spi,
 	r->src = src;
 	r->dst = dst;
 	r->spi = spi;
-	r->key = key;
+	r->authkey = authkey;
 	return r;
 }
 struct ipsec_rule *
-reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *key)
+reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey)
 {
 	struct ipsec_rule *reverse;
-	if (spi == 0 || key == NULL)
+	if (spi == 0 || authkey == NULL)
 		return (NULL);
 	reverse = calloc(1, sizeof(struct ipsec_rule));
@@ -865,7 +873,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *key)
 	reverse->src = copyhost(rule->dst);
 	reverse->dst = copyhost(rule->src);
 	reverse->spi = spi;
-	reverse->key = key;
+	reverse->authkey = authkey;
 	return (reverse);
 }
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index de1f08e5f14..2a4b0314b75 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.18 2005/08/03 15:27:01 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.19 2005/08/05 14:39:02 hshoexer Exp $ */
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
  * Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -762,11 +762,11 @@ pfkey_ipsec_establish(int action, struct ipsec_rule *r)
 	switch (action) {
 	case PFK_ACTION_ADD:
 		ret = pfkey_sa(fd, satype, SADB_ADD, r->spi,
-		    r->src, r->dst, r->key);
+		    r->src, r->dst, r->authkey);
 		break;
 	case PFK_ACTION_DELETE:
 		ret = pfkey_sa(fd, satype, SADB_DELETE, r->spi,
-		    r->src, r->dst, r->key);
+		    r->src, r->dst, r->authkey);
 		break;
 	default:
 		return -1;