Initial import of RFC 2385 (TCP-MD5) digest support.

This is the second of two commits; bring in the userland support to finish.

Teach libipsec and setkey about the tcp-md5 class of security associations,
thus allowing administrators to add per-host keys to the SADB for use by
the tcpsignature_compute() function.

Document that a single SPI must be used until such time as the code which
adds support to the SPD to specify flows for tcp-md5 treatment is suitable
for production.

Sponsored by:	sentex.net
This commit is contained in:
bms 2004-02-11 04:34:34 +00:00
parent 320d5d9482
commit 20570d493e
10 changed files with 64 additions and 9 deletions

View File

@ -196,6 +196,8 @@ ipsec_dump_ipsecrequest(buf, len, xisr, bound)
case IPPROTO_IPCOMP:
proto = "ipcomp";
break;
case IPPROTO_TCP:
proto = "tcp";
default:
__ipsec_errcode = EIPSEC_INVAL_PROTO;
return NULL;

View File

@ -79,12 +79,13 @@ static caddr_t pfkey_setsadbxsa2(caddr_t, caddr_t, u_int32_t, u_int32_t);
/*
* make and search supported algorithm structure.
*/
static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, };
static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL };
static int supported_map[] = {
SADB_SATYPE_AH,
SADB_SATYPE_ESP,
SADB_X_SATYPE_IPCOMP,
SADB_X_SATYPE_TCPSIGNATURE
};
static int
@ -1169,6 +1170,16 @@ pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
return -1;
}
break;
case SADB_X_SATYPE_TCPSIGNATURE:
if (e_type != SADB_EALG_NONE) {
__ipsec_errcode = EIPSEC_INVAL_ALGS;
return -1;
}
if (a_type != SADB_X_AALG_TCP_MD5) {
__ipsec_errcode = EIPSEC_INVAL_ALGS;
return -1;
}
break;
default:
__ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
@ -1379,6 +1390,7 @@ pfkey_send_x3(so, type, satype)
case SADB_SATYPE_AH:
case SADB_SATYPE_ESP:
case SADB_X_SATYPE_IPCOMP:
case SADB_X_SATYPE_TCPSIGNATURE:
break;
default:
__ipsec_errcode = EIPSEC_INVAL_SATYPE;
@ -1838,6 +1850,7 @@ pfkey_check(mhp)
case SADB_SATYPE_ESP:
case SADB_SATYPE_AH:
case SADB_X_SATYPE_IPCOMP:
case SADB_X_SATYPE_TCPSIGNATURE:
switch (msg->sadb_msg_type) {
case SADB_X_SPDADD:
case SADB_X_SPDDELETE:

View File

@ -126,6 +126,8 @@ static char *str_satype[] = {
"ripv2",
"mip",
"ipcomp",
"policy",
"tcp"
};
static char *str_mode[] = {
@ -148,6 +150,7 @@ static struct val2str str_alg_auth[] = {
{ SADB_X_AALG_MD5, "md5", },
{ SADB_X_AALG_SHA, "sha", },
{ SADB_X_AALG_NULL, "null", },
{ SADB_X_AALG_TCP_MD5, "tcp-md5", },
#ifdef SADB_X_AALG_SHA2_256
{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
#endif

View File

@ -97,6 +97,7 @@ entrust { yylval.num = IPSEC_POLICY_ENTRUST; return(ACTION); }
esp { yylval.num = IPPROTO_ESP; return(PROTOCOL); }
ah { yylval.num = IPPROTO_AH; return(PROTOCOL); }
ipcomp { yylval.num = IPPROTO_IPCOMP; return(PROTOCOL); }
tcp { yylval.num = IPPROTO_TCP; return(PROTOCOL); }
transport { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
tunnel { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }

View File

@ -94,7 +94,7 @@ extern void yyerror __P((const char *));
%token EOT SLASH BLCL ELCL
%token ADD GET DELETE DELETEALL FLUSH DUMP
%token PR_ESP PR_AH PR_IPCOMP
%token PR_ESP PR_AH PR_IPCOMP PR_TCP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
@ -113,7 +113,7 @@ extern void yyerror __P((const char *));
%type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
%type <num> ALG_AUTH ALG_AUTH_NOKEY
%type <num> ALG_COMP
%type <num> PR_ESP PR_AH PR_IPCOMP
%type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
%type <num> EXTENSION MODE
%type <ulnum> DECSTRING
%type <val> PL_REQUESTS portstr key_string
@ -250,8 +250,12 @@ protocol_spec
{
$$ = SADB_X_SATYPE_IPCOMP;
}
| PR_TCP
{
$$ = SADB_X_SATYPE_TCPSIGNATURE;
}
;
spi
: DECSTRING { p_spi = $1; }
| HEXSTRING
@ -400,7 +404,12 @@ auth_alg
p_key_auth_len = $2.len;
p_key_auth = $2.buf;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
if ((p_key_auth_len < 1) || (p_key_auth_len >
80))
return -1;
} else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
yyerror(ipsec_strerror());
return -1;

View File

@ -252,6 +252,8 @@ AH based on rfc2402
AH based on rfc1826
.It Li ipcomp
IPComp
.It Li tcp
TCP-MD5 based on rfc2385
.El
.\"
.Pp
@ -265,6 +267,8 @@ must be a decimal number, or a hexadecimal number with
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
TCP-MD5 associations must use 0x1000 and therefore only have per-host
granularity at this time.
.\"
.Pp
.It Ar extensions
@ -585,6 +589,7 @@ hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
ah-old: 128bit ICV (no document)
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
128 ah-old: 128bit ICV (no document)
tcp-md5 8 to 640 tcp: rfc2385
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
@ -649,6 +654,8 @@ dump esp ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
.Ed
.\"
.Sh SEE ALSO

View File

@ -139,6 +139,7 @@ esp { yylval.num = 0; return(PR_ESP); }
ah-old { yylval.num = 1; return(PR_AH); }
esp-old { yylval.num = 1; return(PR_ESP); }
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
tcp { yylval.num = 0; return(PR_TCP); }
/* authentication alogorithm */
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
@ -151,6 +152,7 @@ ipcomp { yylval.num = 0; return(PR_IPCOMP); }
<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>tcp-md5 { yylval.num = SADB_X_AALG_TCP_MD5; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
/* encryption alogorithm */

View File

@ -94,7 +94,7 @@ extern void yyerror __P((const char *));
%token EOT SLASH BLCL ELCL
%token ADD GET DELETE DELETEALL FLUSH DUMP
%token PR_ESP PR_AH PR_IPCOMP
%token PR_ESP PR_AH PR_IPCOMP PR_TCP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
@ -113,7 +113,7 @@ extern void yyerror __P((const char *));
%type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
%type <num> ALG_AUTH ALG_AUTH_NOKEY
%type <num> ALG_COMP
%type <num> PR_ESP PR_AH PR_IPCOMP
%type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
%type <num> EXTENSION MODE
%type <ulnum> DECSTRING
%type <val> PL_REQUESTS portstr key_string
@ -250,8 +250,12 @@ protocol_spec
{
$$ = SADB_X_SATYPE_IPCOMP;
}
| PR_TCP
{
$$ = SADB_X_SATYPE_TCPSIGNATURE;
}
;
spi
: DECSTRING { p_spi = $1; }
| HEXSTRING
@ -400,7 +404,12 @@ auth_alg
p_key_auth_len = $2.len;
p_key_auth = $2.buf;
if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
if ((p_key_auth_len < 1) || (p_key_auth_len >
80))
return -1;
} else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
yyerror(ipsec_strerror());
return -1;

View File

@ -252,6 +252,8 @@ AH based on rfc2402
AH based on rfc1826
.It Li ipcomp
IPComp
.It Li tcp
TCP-MD5 based on rfc2385
.El
.\"
.Pp
@ -265,6 +267,8 @@ must be a decimal number, or a hexadecimal number with
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
TCP-MD5 associations must use 0x1000 and therefore only have per-host
granularity at this time.
.\"
.Pp
.It Ar extensions
@ -585,6 +589,7 @@ hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
ah-old: 128bit ICV (no document)
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
128 ah-old: 128bit ICV (no document)
tcp-md5 8 to 640 tcp: rfc2385
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
@ -649,6 +654,8 @@ dump esp ;
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
.Ed
.\"
.Sh SEE ALSO

View File

@ -139,6 +139,7 @@ esp { yylval.num = 0; return(PR_ESP); }
ah-old { yylval.num = 1; return(PR_AH); }
esp-old { yylval.num = 1; return(PR_ESP); }
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
tcp { yylval.num = 0; return(PR_TCP); }
/* authentication alogorithm */
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
@ -151,6 +152,7 @@ ipcomp { yylval.num = 0; return(PR_IPCOMP); }
<S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>tcp-md5 { yylval.num = SADB_X_AALG_TCP_MD5; BEGIN INITIAL; return(ALG_AUTH); }
<S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
/* encryption alogorithm */