diff options
author | bms <bms@FreeBSD.org> | 2004-02-11 04:34:34 +0000 |
---|---|---|
committer | bms <bms@FreeBSD.org> | 2004-02-11 04:34:34 +0000 |
commit | 9ce9891eda27e795842235191242d30adbed875f (patch) | |
tree | a0a78792b610ea5a9a0f7dfb08f47c3816efb276 /usr.sbin/setkey/parse.y | |
parent | 903cdeea1a6d0c99fecc1d8aeeab65bdfbab46d7 (diff) | |
download | FreeBSD-src-9ce9891eda27e795842235191242d30adbed875f.zip FreeBSD-src-9ce9891eda27e795842235191242d30adbed875f.tar.gz |
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the second of two commits; bring in the userland support to finish.
Teach libipsec and setkey about the tcp-md5 class of security associations,
thus allowing administrators to add per-host keys to the SADB for use by
the tcpsignature_compute() function.
Document that a single SPI must be used until such time as the code which
adds support to the SPD to specify flows for tcp-md5 treatment is suitable
for production.
Sponsored by: sentex.net
Diffstat (limited to 'usr.sbin/setkey/parse.y')
-rw-r--r-- | usr.sbin/setkey/parse.y | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/usr.sbin/setkey/parse.y b/usr.sbin/setkey/parse.y index 80b9d17..bc944a8 100644 --- a/usr.sbin/setkey/parse.y +++ b/usr.sbin/setkey/parse.y @@ -94,7 +94,7 @@ extern void yyerror __P((const char *)); %token EOT SLASH BLCL ELCL %token ADD GET DELETE DELETEALL FLUSH DUMP -%token PR_ESP PR_AH PR_IPCOMP +%token PR_ESP PR_AH PR_IPCOMP PR_TCP %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI %token F_MODE MODE F_REQID %token F_EXT EXTENSION NOCYCLICSEQ @@ -113,7 +113,7 @@ extern void yyerror __P((const char *)); %type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY %type <num> ALG_AUTH ALG_AUTH_NOKEY %type <num> ALG_COMP -%type <num> PR_ESP PR_AH PR_IPCOMP +%type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP %type <num> EXTENSION MODE %type <ulnum> DECSTRING %type <val> PL_REQUESTS portstr key_string @@ -250,8 +250,12 @@ protocol_spec { $$ = SADB_X_SATYPE_IPCOMP; } + | PR_TCP + { + $$ = SADB_X_SATYPE_TCPSIGNATURE; + } ; - + spi : DECSTRING { p_spi = $1; } | HEXSTRING @@ -400,7 +404,12 @@ auth_alg p_key_auth_len = $2.len; p_key_auth = $2.buf; - if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH, + + if (p_alg_auth == SADB_X_AALG_TCP_MD5) { + if ((p_key_auth_len < 1) || (p_key_auth_len > + 80)) + return -1; + } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH, p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) { yyerror(ipsec_strerror()); return -1; |