Module Name: src
Committed By: drochner
Date: Mon Jan 9 15:25:14 UTC 2012
Modified Files:
src/crypto/dist/ipsec-tools/src/libipsec: key_debug.c pfkey.c
pfkey_dump.c
src/crypto/dist/ipsec-tools/src/setkey: parse.y setkey.8 token.l
Log Message:
allow setkey(8) to set and display the ESP fragment size in the NAT-T case,
userland part of PR kern/44952 by Wolfgang Stukenbrock, just changed
the "frag" option name to "esp_frag", for consistency to the existing
option of similar effect in racoon(8)
To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 \
src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c
cvs rdiff -u -r1.22 -r1.23 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
cvs rdiff -u -r1.19 -r1.20 \
src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/dist/ipsec-tools/src/setkey/parse.y
cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/setkey/setkey.8
cvs rdiff -u -r1.16 -r1.17 src/crypto/dist/ipsec-tools/src/setkey/token.l
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.9 src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.10
--- src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c:1.9 Fri Dec 5 06:02:20 2008
+++ src/crypto/dist/ipsec-tools/src/libipsec/key_debug.c Mon Jan 9 15:25:13 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: key_debug.c,v 1.9 2008/12/05 06:02:20 tteras Exp $ */
+/* $NetBSD: key_debug.c,v 1.10 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: key_debug.c,v 1.29 2001/08/16 14:25:41 itojun Exp $ */
@@ -85,6 +85,9 @@ static void kdebug_sockaddr __P((struct
#ifdef SADB_X_EXT_NAT_T_TYPE
static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext));
static void kdebug_sadb_x_nat_t_port __P((struct sadb_ext *ext));
+#ifdef SADB_X_EXT_NAT_T_FRAG
+static void kdebug_sadb_x_nat_t_frag __P((struct sadb_ext *ext));
+#endif
#endif
#ifdef SADB_X_EXT_PACKET
@@ -192,6 +195,11 @@ kdebug_sadb(base)
case SADB_X_EXT_NAT_T_OA:
kdebug_sadb_address(ext);
break;
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ case SADB_X_EXT_NAT_T_FRAG:
+ kdebug_sadb_x_nat_t_frag(ext);
+ break;
+#endif
#endif
#ifdef SADB_X_EXT_PACKET
case SADB_X_EXT_PACKET:
@@ -543,6 +551,20 @@ kdebug_sadb_x_nat_t_port(struct sadb_ext
return;
}
+#ifdef SADB_X_EXT_NAT_T_FRAG
+static void kdebug_sadb_x_nat_t_frag (struct sadb_ext *ext)
+{
+ struct sadb_x_nat_t_frag *esp_frag = (void *)ext;
+
+ /* sanity check */
+ if (ext == NULL)
+ panic("kdebug_sadb_x_nat_t_frag: NULL pointer was passed.\n");
+
+ printf("sadb_x_nat_t_frag{ esp_frag=%u }\n", esp_frag->sadb_x_nat_t_frag_fraglen);
+
+ return;
+}
+#endif
#endif
#ifdef SADB_X_EXT_PACKET
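Review bot: The printf in the new kdebug_sadb_x_nat_t_frag reads `esp_frag->sadb_x_nat_t_frag_fraglen` without confirming that the extension is actually long enough to hold a `struct sadb_x_nat_t_frag`; the NULL check above it is the only sanity check, and `ext->sadb_ext_len` is the length information available at that point. A guard after the NULL check, `if (PFKEY_UNUNIT64(ext->sadb_ext_len) < sizeof(*esp_frag)) { printf("sadb_x_nat_t_frag{ short extension }\n"); return; }`, would keep a truncated message from being read past the end of the extension. The neighbouring kdebug_sadb_x_nat_t_port, whose body starts above this hunk, may well do the same unchecked read, in which case this is a pre-existing pattern rather than something this commit introduces. Style: the definition line `kdebug_sadb_x_nat_t_frag (struct sadb_ext *ext)` has a space before the parameter list, unlike `kdebug_sadb_x_nat_t_port(struct sadb_ext` in the hunk header.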
Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.22 src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.23
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c:1.22 Mon Nov 14 13:24:04 2011
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c Mon Jan 9 15:25:13 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey.c,v 1.22 2011/11/14 13:24:04 tteras Exp $ */
+/* $NetBSD: pfkey.c,v 1.23 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $ */
@@ -2034,6 +2034,9 @@ pfkey_align(struct sadb_msg *msg, caddr_
case SADB_X_EXT_NAT_T_TYPE:
case SADB_X_EXT_NAT_T_SPORT:
case SADB_X_EXT_NAT_T_DPORT:
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ case SADB_X_EXT_NAT_T_FRAG:
+#endif
case SADB_X_EXT_NAT_T_OA:
#endif
#ifdef SADB_X_EXT_TAG
Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
diff -u src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.19 src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.20
--- src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c:1.19 Thu May 26 21:50:02 2011
+++ src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c Mon Jan 9 15:25:13 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: pfkey_dump.c,v 1.19 2011/05/26 21:50:02 drochner Exp $ */
+/* $NetBSD: pfkey_dump.c,v 1.20 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $ */
@@ -260,6 +260,9 @@ pfkey_sadump1(m, withports)
struct sadb_x_nat_t_type *natt_type;
struct sadb_x_nat_t_port *natt_sport, *natt_dport;
struct sadb_address *natt_oa;
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ struct sadb_x_nat_t_frag *esp_frag;
+#endif
int use_natt = 0;
#endif
@@ -300,6 +303,9 @@ pfkey_sadump1(m, withports)
natt_sport = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
natt_dport = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
natt_oa = (void *)mhp[SADB_X_EXT_NAT_T_OA];
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ esp_frag = (void *)mhp[SADB_X_EXT_NAT_T_FRAG];
+#endif
if (natt_type && natt_type->sadb_x_nat_t_type_type)
use_natt = 1;
@@ -371,6 +377,11 @@ pfkey_sadump1(m, withports)
if (use_natt && natt_oa)
printf("\tNAT OA=%s\n",
str_ipaddr((void *)(natt_oa + 1)));
+
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ if (use_natt && esp_frag && esp_frag->sadb_x_nat_t_frag_fraglen != 0)
+ printf("\tNAT-T esp_frag=%u\n", esp_frag->sadb_x_nat_t_frag_fraglen);
+#endif
#endif
/* encryption key */
Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
diff -u src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.14 src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.15
--- src/crypto/dist/ipsec-tools/src/setkey/parse.y:1.14 Fri Dec 3 14:32:52 2010
+++ src/crypto/dist/ipsec-tools/src/setkey/parse.y Mon Jan 9 15:25:13 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: parse.y,v 1.14 2010/12/03 14:32:52 tteras Exp $ */
+/* $NetBSD: parse.y,v 1.15 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: parse.y,v 1.81 2003/07/01 04:01:48 itojun Exp $ */
@@ -85,7 +85,7 @@ struct security_ctx {
struct security_ctx sec_ctx;
-static u_int p_natt_type;
+static u_int p_natt_type, p_esp_frag;
static struct addrinfo * p_natt_oa = NULL;
static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
@@ -125,6 +125,7 @@ static int setkeymsg_add __P((unsigned i
%token ALG_COMP
%token F_LIFETIME_HARD F_LIFETIME_SOFT
%token F_LIFEBYTE_HARD F_LIFEBYTE_SOFT
+%token F_ESPFRAG
%token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
/* SPD management */
%token SPDADD SPDUPDATE SPDDELETE SPDDUMP SPDFLUSH
@@ -545,6 +546,14 @@ extension
| F_MODE MODE { p_mode = $2; }
| F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
| F_REQID DECSTRING { p_reqid = $2; }
+ | F_ESPFRAG DECSTRING
+ {
+ if (p_natt_type == 0) {
+ yyerror("esp fragment size only valid for NAT-T");
+ return -1;
+ }
+ p_esp_frag = $2;
+ }
| F_REPLAY DECSTRING
{
if ((p_ext & SADB_X_EXT_OLD) != 0) {
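Review bot: The new `F_ESPFRAG DECSTRING` action in the `extension` rule (which starts above this hunk) is compiled unconditionally, but the only consumer of p_esp_frag, the block added to setkeymsg_add further down, is wrapped in `#ifdef SADB_X_EXT_NAT_T_FRAG`, so on headers without that extension `-esp_frag N` is accepted and then silently ignored. Rejecting it in the action keeps the configuration honest: `#ifndef SADB_X_EXT_NAT_T_FRAG` / `yyerror("esp_frag not supported by this kernel"); return -1;` / `#endif` ahead of the NAT-T check. The value is also stored without a range check, so a size that does not fit the kernel's fraglen field would be truncated when copied in setkeymsg_add; a bound taken from that field's width in the pfkeyv2 header, `if ($2 <= 0 || $2 > <MAX_FRAGLEN>) { yyerror("esp fragment size out of range"); return -1; }`, would report it at parse time instead. Because the check reads p_natt_type, `-esp_frag` presumably only works when it follows the option that sets the NAT-T type, which the setkey.8 entry added by this commit does not mention.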
@@ -1518,6 +1527,22 @@ setkeymsg_add(type, satype, srcs, dsts)
memcpy(buf + l, &natt_port, len);
l += len;
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ if (p_esp_frag) {
+ struct sadb_x_nat_t_frag esp_frag;
+
+ /* NATT_FRAG */
+ len = sizeof(struct sadb_x_nat_t_frag);
+ memset(&esp_frag, 0, len);
+ esp_frag.sadb_x_nat_t_frag_len = PFKEY_UNIT64(len);
+ esp_frag.sadb_x_nat_t_frag_exttype =
+ SADB_X_EXT_NAT_T_FRAG;
+ esp_frag.sadb_x_nat_t_frag_fraglen = p_esp_frag;
+
+ memcpy(buf + l, &esp_frag, len);
+ l += len;
+ }
+#endif
}
#endif
msg->sadb_msg_len = PFKEY_UNIT64(l);
@@ -1657,6 +1682,7 @@ parse_init()
freeaddrinfo (p_natt_oa);
p_natt_oa = NULL;
p_natt_type = 0;
+ p_esp_frag = 0;
return;
}
Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
diff -u src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.28 src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.29
--- src/crypto/dist/ipsec-tools/src/setkey/setkey.8:1.28 Tue May 24 08:54:40 2011
+++ src/crypto/dist/ipsec-tools/src/setkey/setkey.8 Mon Jan 9 15:25:13 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: setkey.8,v 1.28 2011/05/24 08:54:40 wiz Exp $
+.\" $NetBSD: setkey.8,v 1.29 2012/01/09 15:25:13 drochner Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
@@ -331,6 +331,9 @@ Specify hard/soft life time duration of
.It Fl bs Ar bytes
Specify hard/soft life time duration of the SA measured in bytes transported.
.\"
+.It Fl esp_frag Ar bytes
+Specify esp fragment size for NAT-T (only valid for NAT-T SAs).
+.\"
.It Fl ctx Ar doi Ar algorithm Ar context-name
Specify an access control label.
The access control label is interpreted by the LSM (e.g., SELinux).
Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
diff -u src/crypto/dist/ipsec-tools/src/setkey/token.l:1.16 src/crypto/dist/ipsec-tools/src/setkey/token.l:1.17
--- src/crypto/dist/ipsec-tools/src/setkey/token.l:1.16 Thu May 26 21:50:02 2011
+++ src/crypto/dist/ipsec-tools/src/setkey/token.l Mon Jan 9 15:25:13 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: token.l,v 1.16 2011/05/26 21:50:02 drochner Exp $ */
+/* $NetBSD: token.l,v 1.17 2012/01/09 15:25:13 drochner Exp $ */
/* $KAME: token.l,v 1.44 2003/10/21 07:20:58 itojun Exp $ */
@@ -257,6 +257,7 @@ nocyclic-seq { return(NOCYCLICSEQ); }
{hyphen}bh { return(F_LIFEBYTE_HARD); }
{hyphen}bs { return(F_LIFEBYTE_SOFT); }
{hyphen}ctx { return(SECURITY_CTX); }
+{hyphen}esp_frag { return(F_ESPFRAG); }
/* ... */
any { return(ANY); }