summaryrefslogtreecommitdiffstats
path: root/sbin/setkey
diff options
context:
space:
mode:
authorbms <bms@FreeBSD.org>2004-02-11 04:34:34 +0000
committerbms <bms@FreeBSD.org>2004-02-11 04:34:34 +0000
commit9ce9891eda27e795842235191242d30adbed875f (patch)
treea0a78792b610ea5a9a0f7dfb08f47c3816efb276 /sbin/setkey
parent903cdeea1a6d0c99fecc1d8aeeab65bdfbab46d7 (diff)
downloadFreeBSD-src-9ce9891eda27e795842235191242d30adbed875f.zip
FreeBSD-src-9ce9891eda27e795842235191242d30adbed875f.tar.gz
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the second of two commits; bring in the userland support to finish. Teach libipsec and setkey about the tcp-md5 class of security associations, thus allowing administrators to add per-host keys to the SADB for use by the tcpsignature_compute() function. Document that a single SPI must be used until such time as the code which adds support to the SPD to specify flows for tcp-md5 treatment is suitable for production. Sponsored by: sentex.net
Diffstat (limited to 'sbin/setkey')
-rw-r--r--sbin/setkey/parse.y17
-rw-r--r--sbin/setkey/setkey.87
-rw-r--r--sbin/setkey/token.l2
3 files changed, 22 insertions, 4 deletions
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 80b9d17..bc944a8 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -94,7 +94,7 @@ extern void yyerror __P((const char *));
%token EOT SLASH BLCL ELCL
%token ADD GET DELETE DELETEALL FLUSH DUMP
-%token PR_ESP PR_AH PR_IPCOMP
+%token PR_ESP PR_AH PR_IPCOMP PR_TCP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
@@ -113,7 +113,7 @@ extern void yyerror __P((const char *));
%type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
%type <num> ALG_AUTH ALG_AUTH_NOKEY
%type <num> ALG_COMP
-%type <num> PR_ESP PR_AH PR_IPCOMP
+%type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
%type <num> EXTENSION MODE
%type <ulnum> DECSTRING
%type <val> PL_REQUESTS portstr key_string
@@ -250,8 +250,12 @@ protocol_spec
{
$$ = SADB_X_SATYPE_IPCOMP;
}
+ | PR_TCP
+ {
+ $$ = SADB_X_SATYPE_TCPSIGNATURE;
+ }
;
-
+
spi
: DECSTRING { p_spi = $1; }
| HEXSTRING
@@ -400,7 +404,12 @@ auth_alg
p_key_auth_len = $2.len;
p_key_auth = $2.buf;
- if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
+
+ if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
+ if ((p_key_auth_len < 1) || (p_key_auth_len >
+ 80))
+ return -1;
+ } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
yyerror(ipsec_strerror());
return -1;
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index 1e03edf..567dde4 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -252,6 +252,8 @@ AH based on rfc2402
AH based on rfc1826
.It Li ipcomp
IPComp
+.It Li tcp
+TCP-MD5 based on rfc2385
.El
.\"
.Pp
@@ -265,6 +267,8 @@ must be a decimal number, or a hexadecimal number with
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
+TCP-MD5 associations must use 0x1000 and therefore only have per-host
+granularity at this time.
.\"
.Pp
.It Ar extensions
@@ -585,6 +589,7 @@ hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
ah-old: 128bit ICV (no document)
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
128 ah-old: 128bit ICV (no document)
+tcp-md5 8 to 640 tcp: rfc2385
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
@@ -649,6 +654,8 @@ dump esp ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
+add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
+
.Ed
.\"
.Sh SEE ALSO
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index f065fd3..9bea6ae 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -139,6 +139,7 @@ esp { yylval.num = 0; return(PR_ESP); }
ah-old { yylval.num = 1; return(PR_AH); }
esp-old { yylval.num = 1; return(PR_ESP); }
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
+tcp { yylval.num = 0; return(PR_TCP); }
/* authentication alogorithm */
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
@@ -151,6 +152,7 @@ ipcomp { yylval.num = 0; return(PR_IPCOMP); }
<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
+<S_AUTHALG>tcp-md5 { yylval.num = SADB_X_AALG_TCP_MD5; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
/* encryption alogorithm */
OpenPOWER on IntegriCloud