[src/trunk]: src/crypto/dist/ipsec-tools/src allow setkey(8) set and display ...
details: https://anonhg.NetBSD.org/src/rev/6741e01bc422
branches: trunk
changeset: 772596:6741e01bc422
user: drochner <drochner%NetBSD.org@localhost>
date: Mon Jan 09 15:25:13 2012 +0000
description:
allow setkey(8) to set and display the ESP fragment size in the NAT-T case,
userland part of PR kern/44952 by Wolfgang Stukenbrock, just changed
the "frag" option name to "esp_frag", for consistency to the existing
option of similar effect in racoon(8)
diffstat:
crypto/dist/ipsec-tools/src/libipsec/key_debug.c | 24 +++++++++++++++++-
crypto/dist/ipsec-tools/src/libipsec/pfkey.c | 5 +++-
crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c | 13 +++++++++-
crypto/dist/ipsec-tools/src/setkey/parse.y | 30 +++++++++++++++++++++-
crypto/dist/ipsec-tools/src/setkey/setkey.8 | 5 +++-
crypto/dist/ipsec-tools/src/setkey/token.l | 3 +-
6 files changed, 73 insertions(+), 7 deletions(-)
diffs (220 lines):
diff -r e73242b57e38 -r 6741e01bc422 crypto/dist/ipsec-tools/src/libipsec/key_debug.c
--- a/crypto/dist/ipsec-tools/src/libipsec/key_debug.c Mon Jan 09 15:24:37 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/key_debug.c Mon Jan 09 15:25:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key_debug.c,v 1.9 2008/12/05 06:02:20 tteras Exp $ */
+/* $NetBSD: key_debug.c,v 1.10 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $ */
@@ -85,6 +85,9 @@
#ifdef SADB_X_EXT_NAT_T_TYPE
static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext));
static void kdebug_sadb_x_nat_t_port __P((struct sadb_ext *ext));
+#ifdef SADB_X_EXT_NAT_T_FRAG
+static void kdebug_sadb_x_nat_t_frag __P((struct sadb_ext *ext));
+#endif
#endif
#ifdef SADB_X_EXT_PACKET
@@ -192,6 +195,11 @@
case SADB_X_EXT_NAT_T_OA:
kdebug_sadb_address(ext);
break;
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ case SADB_X_EXT_NAT_T_FRAG:
+ kdebug_sadb_x_nat_t_frag(ext);
+ break;
+#endif
#endif
#ifdef SADB_X_EXT_PACKET
case SADB_X_EXT_PACKET:
@@ -543,6 +551,20 @@
return;
}
+#ifdef SADB_X_EXT_NAT_T_FRAG
+static void kdebug_sadb_x_nat_t_frag (struct sadb_ext *ext)
+{
+ struct sadb_x_nat_t_frag *esp_frag = (void *)ext;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_x_nat_t_frag: NULL pointer was passed.\n");
+
+ printf("sadb_x_nat_t_frag{ esp_frag=%u }\n", esp_frag->sadb_x_nat_t_frag_fraglen);
+
+ return;
+}
+#endif
#endif
#ifdef SADB_X_EXT_PACKET
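Review bot: The new kdebug_sadb_x_nat_t_frag() reads `esp_frag->sadb_x_nat_t_frag_fraglen` after only a NULL check on ext, without confirming the extension is long enough to hold a struct sadb_x_nat_t_frag; a short or malformed extension would be read past its end. If the other kdebug_sadb_x_nat_t_* helpers rely on pfkey_check() having validated extension lengths beforehand this is presumably consistent with them, but a cheap guard keeps the debug printer safe on raw messages: `if (PFKEY_EXTLEN(ext) < sizeof(*esp_frag)) { printf("sadb_x_nat_t_frag{ truncated }\n"); return; }` placed before the printf. The bare `return;` at the end of the function is redundant and can be dropped.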
diff -r e73242b57e38 -r 6741e01bc422 crypto/dist/ipsec-tools/src/libipsec/pfkey.c
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey.c Mon Jan 09 15:24:37 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey.c Mon Jan 09 15:25:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey.c,v 1.22 2011/11/14 13:24:04 tteras Exp $ */
+/* $NetBSD: pfkey.c,v 1.23 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $ */
@@ -2034,6 +2034,9 @@
case SADB_X_EXT_NAT_T_TYPE:
case SADB_X_EXT_NAT_T_SPORT:
case SADB_X_EXT_NAT_T_DPORT:
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ case SADB_X_EXT_NAT_T_FRAG:
+#endif
case SADB_X_EXT_NAT_T_OA:
#endif
#ifdef SADB_X_EXT_TAG
diff -r e73242b57e38 -r 6741e01bc422 crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
--- a/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Mon Jan 09 15:24:37 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Mon Jan 09 15:25:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey_dump.c,v 1.19 2011/05/26 21:50:02 drochner Exp $ */
+/* $NetBSD: pfkey_dump.c,v 1.20 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
@@ -260,6 +260,9 @@
struct sadb_x_nat_t_type *natt_type;
struct sadb_x_nat_t_port *natt_sport, *natt_dport;
struct sadb_address *natt_oa;
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ struct sadb_x_nat_t_frag *esp_frag;
+#endif
int use_natt = 0;
#endif
@@ -300,6 +303,9 @@
natt_sport = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
natt_dport = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
natt_oa = (void *)mhp[SADB_X_EXT_NAT_T_OA];
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ esp_frag = (void *)mhp[SADB_X_EXT_NAT_T_FRAG];
+#endif
if (natt_type && natt_type->sadb_x_nat_t_type_type)
use_natt = 1;
@@ -371,6 +377,11 @@
if (use_natt && natt_oa)
printf("\tNAT OA=%s\n",
str_ipaddr((void *)(natt_oa + 1)));
+
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ if (use_natt && esp_frag && esp_frag->sadb_x_nat_t_frag_fraglen != 0)
+ printf("\tNAT-T esp_frag=%u\n", esp_frag->sadb_x_nat_t_frag_fraglen);
+#endif
#endif
/* encryption key */
diff -r e73242b57e38 -r 6741e01bc422 crypto/dist/ipsec-tools/src/setkey/parse.y
--- a/crypto/dist/ipsec-tools/src/setkey/parse.y Mon Jan 09 15:24:37 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/parse.y Mon Jan 09 15:25:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: parse.y,v 1.14 2010/12/03 14:32:52 tteras Exp $ */
+/* $NetBSD: parse.y,v 1.15 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $ */
@@ -85,7 +85,7 @@
struct security_ctx sec_ctx;
-static u_int p_natt_type;
+static u_int p_natt_type, p_esp_frag;
static struct addrinfo * p_natt_oa = NULL;
static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
@@ -125,6 +125,7 @@
%token ALG_COMP
%token F_LIFETIME_HARD F_LIFETIME_SOFT
%token F_LIFEBYTE_HARD F_LIFEBYTE_SOFT
+%token F_ESPFRAG
%token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
/* SPD management */
%token SPDADD SPDUPDATE SPDDELETE SPDDUMP SPDFLUSH
@@ -545,6 +546,14 @@
| F_MODE MODE { p_mode = $2; }
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
| F_REQID DECSTRING { p_reqid = $2; }
+ | F_ESPFRAG DECSTRING
+ {
+ if (p_natt_type == 0) {
+ yyerror("esp fragment size only valid for NAT-T");
+ return -1;
+ }
+ p_esp_frag = $2;
+ }
| F_REPLAY DECSTRING
{
if ((p_ext & SADB_X_EXT_OLD) != 0) {
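Review bot: The F_ESPFRAG rule stores `$2` into p_esp_frag with no range check, and the next hunk (the SADB_X_EXT_NAT_T_FRAG block in the message builder, starting at `if (p_esp_frag) {`) then narrows it into `sadb_x_nat_t_frag_fraglen`; if that field is narrower than u_int, as the kernel's 16-bit fraglen suggests — confirm against pfkeyv2.h — an oversized `-esp_frag` value is silently truncated instead of rejected. Suggest validating here, next to the NAT-T check: `if ($2 == 0 || $2 > UINT16_MAX) { yyerror("esp fragment size out of range"); return -1; }`, with the limit taken from the field's actual type. Note also that the `p_natt_type == 0` test makes the option order-dependent: `-esp_frag` is only accepted after the NAT-T options have been parsed on the same line, which the setkey.8 entry does not say; either document that or defer the check to the point where the SA message is assembled. The enclosing grammar rule starts before this hunk.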
@@ -1518,6 +1527,22 @@
memcpy(buf + l, &natt_port, len);
l += len;
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ if (p_esp_frag) {
+ struct sadb_x_nat_t_frag esp_frag;
+
+ /* NATT_FRAG */
+ len = sizeof(struct sadb_x_nat_t_frag);
+ memset(&esp_frag, 0, len);
+ esp_frag.sadb_x_nat_t_frag_len = PFKEY_UNIT64(len);
+ esp_frag.sadb_x_nat_t_frag_exttype =
+ SADB_X_EXT_NAT_T_FRAG;
+ esp_frag.sadb_x_nat_t_frag_fraglen = p_esp_frag;
+
+ memcpy(buf + l, &esp_frag, len);
+ l += len;
+ }
+#endif
}
#endif
msg->sadb_msg_len = PFKEY_UNIT64(l);
@@ -1657,6 +1682,7 @@
freeaddrinfo (p_natt_oa);
p_natt_oa = NULL;
p_natt_type = 0;
+ p_esp_frag = 0;
return;
}
diff -r e73242b57e38 -r 6741e01bc422 crypto/dist/ipsec-tools/src/setkey/setkey.8
--- a/crypto/dist/ipsec-tools/src/setkey/setkey.8 Mon Jan 09 15:24:37 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/setkey.8 Mon Jan 09 15:25:13 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: setkey.8,v 1.28 2011/05/24 08:54:40 wiz Exp $
+.\" $NetBSD: setkey.8,v 1.29 2012/01/09 15:25:13 drochner Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
@@ -331,6 +331,9 @@
.It Fl bs Ar bytes
Specify hard/soft life time duration of the SA measured in bytes transported.
.\"
+.It Fl esp_frag Ar bytes
+Specify esp fragment size for NAT-T (only valid for NAT-T SAs).
+.\"
.It Fl ctx Ar doi Ar algorithm Ar context-name
Specify an access control label.
The access control label is interpreted by the LSM (e.g., SELinux).
diff -r e73242b57e38 -r 6741e01bc422 crypto/dist/ipsec-tools/src/setkey/token.l
--- a/crypto/dist/ipsec-tools/src/setkey/token.l Mon Jan 09 15:24:37 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/setkey/token.l Mon Jan 09 15:25:13 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: token.l,v 1.16 2011/05/26 21:50:02 drochner Exp $ */
+/* $NetBSD: token.l,v 1.17 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $ */
@@ -257,6 +257,7 @@
{hyphen}bh { return(F_LIFEBYTE_HARD); }
{hyphen}bs { return(F_LIFEBYTE_SOFT); }
{hyphen}ctx { return(SECURITY_CTX); }
+{hyphen}esp_frag { return(F_ESPFRAG); }
/* ... */
any { return(ANY); }