authorbms <bms@FreeBSD.org>2004-02-11 04:34:34 +0000
committerbms <bms@FreeBSD.org>2004-02-11 04:34:34 +0000
commit9ce9891eda27e795842235191242d30adbed875f (patch)
treea0a78792b610ea5a9a0f7dfb08f47c3816efb276 /sbin/setkey/parse.y
parent903cdeea1a6d0c99fecc1d8aeeab65bdfbab46d7 (diff)
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the second of two commits; bring in the userland support to finish. Teach libipsec and setkey about the tcp-md5 class of security associations, thus allowing administrators to add per-host keys to the SADB for use by the tcpsignature_compute() function. Document that a single SPI must be used until such time as the code which adds support to the SPD to specify flows for tcp-md5 treatment is suitable for production. Sponsored by: sentex.net
Diffstat (limited to 'sbin/setkey/parse.y')
-rw-r--r--sbin/setkey/parse.y17
1 files changed, 13 insertions, 4 deletions
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 80b9d17..bc944a8 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -94,7 +94,7 @@ extern void yyerror __P((const char *));
%token EOT SLASH BLCL ELCL
%token ADD GET DELETE DELETEALL FLUSH DUMP
-%token PR_ESP PR_AH PR_IPCOMP
+%token PR_ESP PR_AH PR_IPCOMP PR_TCP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
@@ -113,7 +113,7 @@ extern void yyerror __P((const char *));
%type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
%type <num> ALG_AUTH ALG_AUTH_NOKEY
%type <num> ALG_COMP
-%type <num> PR_ESP PR_AH PR_IPCOMP
+%type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
%type <num> EXTENSION MODE
%type <ulnum> DECSTRING
%type <val> PL_REQUESTS portstr key_string
@@ -250,8 +250,12 @@ protocol_spec
{
$$ = SADB_X_SATYPE_IPCOMP;
}
+ | PR_TCP
+ {
+ $$ = SADB_X_SATYPE_TCPSIGNATURE;
+ }
;
-
+
spi
: DECSTRING { p_spi = $1; }
| HEXSTRING
@@ -400,7 +404,12 @@ auth_alg
p_key_auth_len = $2.len;
p_key_auth = $2.buf;
- if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
+
+ if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
+ if ((p_key_auth_len < 1) || (p_key_auth_len >
+ 80))
+ return -1;
+ } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
yyerror(ipsec_strerror());
return -1;
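Review bot: The new TCP-MD5 branch in the auth_alg action rejects an out-of-range key with a bare `return -1;`, whereas the branch right after it reports the reason through `yyerror(ipsec_strerror());`. An administrator who supplies an empty or over-long tcp-md5 key therefore gets a parse failure with no message saying the key length was the problem. I would add `yyerror("tcp-md5 key must be 1 to 80 bytes");` before that return. The literal `80` would also be better as a named constant, so that this limit and whatever bound the kernel-side consumer applies (not visible here) are defined in one place. The auth_alg action begins and ends outside this hunk.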