author | bms <bms@FreeBSD.org> | 2004-02-11 04:34:34 +0000 |
---|---|---|
committer | bms <bms@FreeBSD.org> | 2004-02-11 04:34:34 +0000 |
commit | 9ce9891eda27e795842235191242d30adbed875f (patch) | |
tree | a0a78792b610ea5a9a0f7dfb08f47c3816efb276 /sbin/setkey | |
parent | 903cdeea1a6d0c99fecc1d8aeeab65bdfbab46d7 (diff) | |
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the second of two commits; bring in the userland support to finish.
Teach libipsec and setkey about the tcp-md5 class of security associations,
thus allowing administrators to add per-host keys to the SADB for use by
the tcpsignature_compute() function.
Document that a single SPI must be used until such time as the code which
adds support to the SPD to specify flows for tcp-md5 treatment is suitable
for production.
Sponsored by: sentex.net
Diffstat (limited to 'sbin/setkey')
-rw-r--r-- | sbin/setkey/parse.y | 17 | ||||
-rw-r--r-- | sbin/setkey/setkey.8 | 7 | ||||
-rw-r--r-- | sbin/setkey/token.l | 2 |
3 files changed, 22 insertions, 4 deletions
diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 80b9d17..bc944a8 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -94,7 +94,7 @@ extern void yyerror __P((const char *));
 %token EOT SLASH BLCL ELCL
 %token ADD GET DELETE DELETEALL FLUSH DUMP
-%token PR_ESP PR_AH PR_IPCOMP
+%token PR_ESP PR_AH PR_IPCOMP PR_TCP
 %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
 %token F_MODE MODE F_REQID
 %token F_EXT EXTENSION NOCYCLICSEQ
@@ -113,7 +113,7 @@ extern void yyerror __P((const char *));
 %type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
 %type <num> ALG_AUTH ALG_AUTH_NOKEY
 %type <num> ALG_COMP
-%type <num> PR_ESP PR_AH PR_IPCOMP
+%type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
 %type <num> EXTENSION MODE
 %type <ulnum> DECSTRING
 %type <val> PL_REQUESTS portstr key_string
@@ -250,8 +250,12 @@ protocol_spec
 {
 $$ = SADB_X_SATYPE_IPCOMP;
 }
+ | PR_TCP
+ {
+ $$ = SADB_X_SATYPE_TCPSIGNATURE;
+ }
 ;
-
+
 spi
 : DECSTRING { p_spi = $1; }
 | HEXSTRING
@@ -400,7 +404,12 @@ auth_alg
 p_key_auth_len = $2.len;
 p_key_auth = $2.buf;
 
- if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
+
+ if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
+ if ((p_key_auth_len < 1) || (p_key_auth_len >
+ 80))
+ return -1;
+ } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
 p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
 yyerror(ipsec_strerror());
 return -1;
diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8
index 1e03edf..567dde4 100644
--- a/sbin/setkey/setkey.8
+++ b/sbin/setkey/setkey.8
@@ -252,6 +252,8 @@ AH based on rfc2402
 AH based on rfc1826
 .It Li ipcomp
 IPComp
+.It Li tcp
+TCP-MD5 based on rfc2385
 .El
 .\"
 .Pp
@@ -265,6 +267,8 @@ must be a decimal number, or a hexadecimal number with prefix. SPI values between 0 and 255 are reserved for future use by IANA and they cannot be used.
+TCP-MD5 associations must use 0x1000 and therefore only have per-host
+granularity at this time.
 .\"
 .Pp
 .It Ar extensions
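Review bot: The new tcp-md5 branch in the auth_alg action rejects an out-of-range key with a bare `return -1;` and never calls yyerror(), so unlike the ipsec_check_keylen() path directly below it the administrator gets no diagnostic when the key is not between 1 and 80 bytes; I would write it as `if (p_key_auth_len < 1 || p_key_auth_len > 80) { yyerror("tcp-md5 key must be 1 to 80 bytes long"); return -1; }`. The upper bound 80 (640 bits, matching the "8 to 640" row added to setkey.8 in this commit) is a bare literal in the middle of the action and would read better as a named constant defined alongside the other key-length handling, so the grammar and the manual page cannot drift apart silently. The enclosing action of auth_alg starts before this hunk, so the declaration of p_key_auth_len is not visible here; if it is signed, the `< 1` test is what rejects an empty key, and that intent deserves a one-line comment.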
@@ -585,6 +589,7 @@ hmac-ripemd160 160 ah: 96bit ICV (RFC2857) ah-old: 128bit ICV (no document) aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) 128 ah-old: 128bit ICV (no document)
+tcp-md5 8 to 640 tcp: rfc2385
 .Ed
 .Pp
 Followings are the list of encryption algorithms that can be used as
@@ -649,6 +654,8 @@ dump esp ;
 spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
 -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
 
+add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
+
 .Ed
 .\"
 .Sh SEE ALSO
diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l
index f065fd3..9bea6ae 100644
--- a/sbin/setkey/token.l
+++ b/sbin/setkey/token.l
@@ -139,6 +139,7 @@ esp { yylval.num = 0; return(PR_ESP); }
 ah-old { yylval.num = 1; return(PR_AH); }
 esp-old { yylval.num = 1; return(PR_ESP); }
 ipcomp { yylval.num = 0; return(PR_IPCOMP); }
+tcp { yylval.num = 0; return(PR_TCP); }
 
 /* authentication alogorithm */
 {hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
@@ -151,6 +152,7 @@ ipcomp { yylval.num = 0; return(PR_IPCOMP); }
 <S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
+<S_AUTHALG>tcp-md5 { yylval.num = SADB_X_AALG_TCP_MD5; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
 
 /* encryption alogorithm */
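Review bot: The new `tcp { yylval.num = 0; return(PR_TCP); }` rule lives in the INITIAL start condition next to the esp/ah/ipcomp keywords, so the word now lexes as PR_TCP everywhere in the configuration, not only in the protocol position of add/get/delete. If upper-layer protocol names in spdadd policies (`spdadd ... tcp -P out ...`) are currently matched by the generic string rule and resolved by name, that form will now reach the parser as PR_TCP and fail with a syntax error; the upperspec rule is not part of this diff, so this is inferred rather than observed. The fix is either to accept `PR_TCP` in that grammar rule and map it to IPPROTO_TCP, or to restrict the keyword to the start condition that is active after the protocol has been requested. A short regression check with an existing spdadd tcp policy would settle it.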