Do not use defines from pfkeyv2.h in portable code.
authorclaudio <claudio@openbsd.org>
Wed, 15 Jun 2022 14:09:30 +0000 (14:09 +0000)
committerclaudio <claudio@openbsd.org>
Wed, 15 Jun 2022 14:09:30 +0000 (14:09 +0000)
Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@

usr.sbin/bgpd/bgpd.h
usr.sbin/bgpd/parse.y
usr.sbin/bgpd/pfkey.c
usr.sbin/bgpd/printconf.c
usr.sbin/bgpd/session.h

index f075eec..b432b6c 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: bgpd.h,v 1.429 2022/06/15 10:10:03 claudio Exp $ */
+/*     $OpenBSD: bgpd.h,v 1.430 2022/06/15 14:09:30 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -26,7 +26,6 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <net/if.h>
-#include <net/pfkeyv2.h>
 
 #include <poll.h>
 #include <stdarg.h>
@@ -329,6 +328,18 @@ enum auth_method {
        AUTH_IPSEC_IKE_AH
 };
 
+enum auth_alg {
+       AUTH_AALG_NONE,
+       AUTH_AALG_SHA1HMAC,
+       AUTH_AALG_MD5HMAC,
+};
+
+enum auth_enc_alg {
+       AUTH_EALG_NONE,
+       AUTH_EALG_3DESCBC,
+       AUTH_EALG_AES,
+};
+
 struct peer_auth {
        char                    md5key[TCP_MD5_KEY_LEN];
        char                    auth_key_in[IPSEC_AUTH_KEY_LEN];
@@ -338,13 +349,13 @@ struct peer_auth {
        uint32_t                spi_in;
        uint32_t                spi_out;
        enum auth_method        method;
+       enum auth_alg           auth_alg_in;
+       enum auth_alg           auth_alg_out;
+       enum auth_enc_alg       enc_alg_in;
+       enum auth_enc_alg       enc_alg_out;
        uint8_t                 md5key_len;
-       uint8_t                 auth_alg_in;
-       uint8_t                 auth_alg_out;
        uint8_t                 auth_keylen_in;
        uint8_t                 auth_keylen_out;
-       uint8_t                 enc_alg_in;
-       uint8_t                 enc_alg_out;
        uint8_t                 enc_keylen_in;
        uint8_t                 enc_keylen_out;
 };
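Review bot: The new `enum auth_alg` and `enum auth_enc_alg` carry no comment saying what they are for or that the `*_NONE` enumerator must remain first at value 0. parse.y's encspec action does `bzero(&$$, sizeof($$))` before filling the struct, so a zeroed `enc_alg` appears to be what "no encryption" means, and pfkey.c is the only place these values are translated to kernel `SADB_*` constants. I would add above the two enums: `/* bgpd-internal algorithm ids; *_NONE must stay 0 (zeroed configs depend on it). Translated to SADB_* values only in pfkey.c. */`. Without it, a future enumerator inserted ahead of `AUTH_AALG_NONE` would silently change what a zeroed `struct peer_auth` selects.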
index 89b5c67..26b731f 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.429 2022/06/09 17:33:47 claudio Exp $ */
+/*     $OpenBSD: parse.y,v 1.430 2022/06/15 14:09:30 claudio Exp $ */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -193,7 +193,7 @@ typedef struct {
                struct filter_prefixlen prefixlen;
                struct prefixset_item   *prefixset_item;
                struct {
-                       uint8_t                 enc_alg;
+                       enum auth_enc_alg       enc_alg;
                        uint8_t                 enc_key_len;
                        char                    enc_key[IPSEC_ENC_KEY_LEN];
                }                       encspec;
@@ -1609,7 +1609,7 @@ peeropts  : REMOTEAS as4number    {
                                curpeer->conf.auth.method = AUTH_IPSEC_IKE_AH;
                }
                | IPSEC espah inout SPI NUMBER STRING STRING encspec {
-                       uint32_t        auth_alg;
+                       enum auth_alg   auth_alg;
                        uint8_t         keylen;
 
                        if (curpeer->conf.auth.method &&
@@ -1626,10 +1626,10 @@ peeropts        : REMOTEAS as4number    {
                        }
 
                        if (!strcmp($6, "sha1")) {
-                               auth_alg = SADB_AALG_SHA1HMAC;
+                               auth_alg = AUTH_AALG_SHA1HMAC;
                                keylen = 20;
                        } else if (!strcmp($6, "md5")) {
-                               auth_alg = SADB_AALG_MD5HMAC;
+                               auth_alg = AUTH_AALG_MD5HMAC;
                                keylen = 16;
                        } else {
                                yyerror("unknown auth algorithm \"%s\"", $6);
@@ -1860,11 +1860,11 @@ encspec         : /* nada */    {
                | STRING STRING {
                        bzero(&$$, sizeof($$));
                        if (!strcmp($1, "3des") || !strcmp($1, "3des-cbc")) {
-                               $$.enc_alg = SADB_EALG_3DESCBC;
+                               $$.enc_alg = AUTH_EALG_3DESCBC;
                                $$.enc_key_len = 21; /* XXX verify */
                        } else if (!strcmp($1, "aes") ||
                            !strcmp($1, "aes-128-cbc")) {
-                               $$.enc_alg = SADB_X_EALG_AES;
+                               $$.enc_alg = AUTH_EALG_AES;
                                $$.enc_key_len = 16;
                        } else {
                                yyerror("unknown enc algorithm \"%s\"", $1);
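Review bot: The 3des branch now assigns `$$.enc_alg = AUTH_EALG_3DESCBC` but still sits next to the pre-existing `$$.enc_key_len = 21; /* XXX verify */`, which this commit does not resolve. A 3DES-CBC key is three 8-byte DES keys, 24 bytes (192 bits including parity bits); 21 bytes is the 168-bit effective-strength figure, so the kernel may reject or mis-size the key on SADB_ADD — worth confirming against the pfkey consumer rather than leaving the `XXX`. If 21 is deliberate, replace the comment with one that states why, e.g. `/* 168-bit key, see <reason> */`. The encspec rule begins before this hunk.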
index 92136c2..6da7de6 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfkey.c,v 1.62 2022/02/06 09:51:19 claudio Exp $ */
+/*     $OpenBSD: pfkey.c,v 1.63 2022/06/15 14:09:30 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -590,6 +590,32 @@ fail:
        return (-1);
 }
 
+static uint8_t
+pfkey_auth_alg(enum auth_alg alg)
+{
+       switch (alg) {
+       case AUTH_AALG_SHA1HMAC:
+               return SADB_AALG_SHA1HMAC;
+       case AUTH_AALG_MD5HMAC:
+               return SADB_AALG_MD5HMAC;
+       default:
+               return SADB_AALG_NONE;
+       }
+}
+
+static uint8_t
+pfkey_enc_alg(enum auth_enc_alg alg)
+{
+       switch (alg) {
+       case AUTH_EALG_3DESCBC:
+               return SADB_EALG_3DESCBC;
+       case AUTH_EALG_AES:
+               return SADB_X_EALG_AES;
+       default:
+               return SADB_AALG_NONE;
+       }
+}
+
 static int
 pfkey_ipsec_establish(struct peer *p)
 {
@@ -616,10 +642,10 @@ pfkey_ipsec_establish(struct peer *p)
                if (pfkey_send(pfkey_fd, satype, SADB_ADD, 0,
                    local_addr, &p->conf.remote_addr,
                    p->conf.auth.spi_out,
-                   p->conf.auth.auth_alg_out,
+                   pfkey_auth_alg(p->conf.auth.auth_alg_out),
                    p->conf.auth.auth_keylen_out,
                    p->conf.auth.auth_key_out,
-                   p->conf.auth.enc_alg_out,
+                   pfkey_enc_alg(p->conf.auth.enc_alg_out),
                    p->conf.auth.enc_keylen_out,
                    p->conf.auth.enc_key_out,
                    0, 0) == -1)
@@ -629,10 +655,10 @@ pfkey_ipsec_establish(struct peer *p)
                if (pfkey_send(pfkey_fd, satype, SADB_ADD, 0,
                    &p->conf.remote_addr, local_addr,
                    p->conf.auth.spi_in,
-                   p->conf.auth.auth_alg_in,
+                   pfkey_auth_alg(p->conf.auth.auth_alg_in),
                    p->conf.auth.auth_keylen_in,
                    p->conf.auth.auth_key_in,
-                   p->conf.auth.enc_alg_in,
+                   pfkey_enc_alg(p->conf.auth.enc_alg_in),
                    p->conf.auth.enc_keylen_in,
                    p->conf.auth.enc_key_in,
                    0, 0) == -1)
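Review bot: `pfkey_enc_alg` returns `SADB_AALG_NONE` from its `default:` arm, which is the authentication-algorithm constant; the encryption counterpart is `SADB_EALG_NONE`, so the line should read `return SADB_EALG_NONE;`. Both constants are 0 in pfkeyv2.h, so this is not a functional bug today, but it reads as a copy-paste slip and will mislead the next reader. Separately, now that both helpers take an enum, an explicit `case AUTH_AALG_NONE:` / `case AUTH_EALG_NONE:` in place of `default:` would let `-Wswitch` flag any enumerator added later that lacks a kernel mapping, instead of silently downgrading it to "no algorithm" on the SA; the same `default:` pattern is in `print_auth_alg` and `print_enc_alg` in printconf.c, where an unmapped value currently prints `???`. A one-line comment on each helper, e.g. `/* map bgpd-internal alg id to the kernel's SADB_* value */`, would also help since these are the only places the two namespaces meet. `pfkey_ipsec_establish` starts in this hunk but its body continues outside it.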
index 3a20405..c7107a8 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: printconf.c,v 1.152 2022/05/31 09:45:33 claudio Exp $ */
+/*     $OpenBSD: printconf.c,v 1.153 2022/06/15 14:09:30 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -45,8 +45,8 @@ void           print_roa(struct roa_tree *);
 void            print_rtrs(struct rtr_config_head *);
 void            print_peer(struct peer_config *, struct bgpd_config *,
                    const char *);
-const char     *print_auth_alg(uint8_t);
-const char     *print_enc_alg(uint8_t);
+const char     *print_auth_alg(enum auth_alg);
+const char     *print_enc_alg(enum auth_enc_alg);
 void            print_announce(struct peer_config *, const char *);
 void            print_as(struct filter_rule *);
 void            print_rule(struct bgpd_config *, struct filter_rule *);
@@ -751,12 +751,12 @@ print_peer(struct peer_config *p, struct bgpd_config *conf, const char *c)
 }
 
 const char *
-print_auth_alg(uint8_t alg)
+print_auth_alg(enum auth_alg alg)
 {
        switch (alg) {
-       case SADB_AALG_SHA1HMAC:
+       case AUTH_AALG_SHA1HMAC:
                return ("sha1");
-       case SADB_AALG_MD5HMAC:
+       case AUTH_AALG_MD5HMAC:
                return ("md5");
        default:
                return ("???");
@@ -764,12 +764,12 @@ print_auth_alg(uint8_t alg)
 }
 
 const char *
-print_enc_alg(uint8_t alg)
+print_enc_alg(enum auth_enc_alg alg)
 {
        switch (alg) {
-       case SADB_EALG_3DESCBC:
+       case AUTH_EALG_3DESCBC:
                return ("3des");
-       case SADB_X_EALG_AES:
+       case AUTH_EALG_AES:
                return ("aes");
        default:
                return ("???");
index 4fa848f..a27bb77 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: session.h,v 1.154 2022/02/06 09:51:19 claudio Exp $ */
+/*     $OpenBSD: session.h,v 1.155 2022/06/15 14:09:30 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -295,6 +295,7 @@ void         mrt_dump_state(struct mrt *, uint16_t, uint16_t,
 void    mrt_done(struct mrt *);
 
 /* pfkey.c */
+struct sadb_msg;
 int    pfkey_read(int, struct sadb_msg *);
 int    pfkey_establish(struct peer *);
 int    pfkey_remove(struct peer *);