From 93662c4e0ba4769623ae1d0c925e13370c65aae1 Mon Sep 17 00:00:00 2001 From: claudio Date: Wed, 15 Jun 2022 14:09:30 +0000 Subject: [PATCH] Do not use defines from pfkeyv2.h in portable code. Instead define our own algorithm enums for the IPsec code. OK tb@ sthen@ --- usr.sbin/bgpd/bgpd.h | 23 +++++++++++++++++------ usr.sbin/bgpd/parse.y | 14 +++++++------- usr.sbin/bgpd/pfkey.c | 36 +++++++++++++++++++++++++++++++----- usr.sbin/bgpd/printconf.c | 18 +++++++++--------- usr.sbin/bgpd/session.h | 3 ++- 5 files changed, 66 insertions(+), 28 deletions(-) diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h index f075eecadc2..b432b6ccabc 100644 --- a/usr.sbin/bgpd/bgpd.h +++ b/usr.sbin/bgpd/bgpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bgpd.h,v 1.429 2022/06/15 10:10:03 claudio Exp $ */ +/* $OpenBSD: bgpd.h,v 1.430 2022/06/15 14:09:30 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -26,7 +26,6 @@ #include #include #include -#include #include #include @@ -329,6 +328,18 @@ enum auth_method { AUTH_IPSEC_IKE_AH }; +enum auth_alg { + AUTH_AALG_NONE, + AUTH_AALG_SHA1HMAC, + AUTH_AALG_MD5HMAC, +}; + +enum auth_enc_alg { + AUTH_EALG_NONE, + AUTH_EALG_3DESCBC, + AUTH_EALG_AES, +}; + struct peer_auth { char md5key[TCP_MD5_KEY_LEN]; char auth_key_in[IPSEC_AUTH_KEY_LEN]; @@ -338,13 +349,13 @@ struct peer_auth { uint32_t spi_in; uint32_t spi_out; enum auth_method method; + enum auth_alg auth_alg_in; + enum auth_alg auth_alg_out; + enum auth_enc_alg enc_alg_in; + enum auth_enc_alg enc_alg_out; uint8_t md5key_len; - uint8_t auth_alg_in; - uint8_t auth_alg_out; uint8_t auth_keylen_in; uint8_t auth_keylen_out; - uint8_t enc_alg_in; - uint8_t enc_alg_out; uint8_t enc_keylen_in; uint8_t enc_keylen_out; }; diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y index 89b5c672d88..26b731f06d9 100644 --- a/usr.sbin/bgpd/parse.y +++ b/usr.sbin/bgpd/parse.y 
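Review bot: The new `enum auth_alg` and `enum auth_enc_alg` in the `@@ -329,6 +328,18 @@` hunk of bgpd.h carry no comment saying that they are bgpd's own numbering, deliberately decoupled from the kernel's SADB_* constants, which is the whole point of the commit and will not be obvious to a later reader who meets the similarly named SADB_* values in pfkey.c. A one-line comment above the first enum, `/* IPsec algorithms in bgpd's own numbering; mapped to PF_KEY SADB_* values in pfkey.c */`, would record that. It is also worth pinning that the `_NONE` members are the zero value, since the `bzero(&$$, sizeof($$))` in parse.y's encspec rule appears to rely on a zeroed field meaning "no algorithm"; a comment `/* 0, so a zeroed struct means "no algorithm" */` on each `_NONE` member would make that invariant explicit.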
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.429 2022/06/09 17:33:47 claudio Exp $ */ +/* $OpenBSD: parse.y,v 1.430 2022/06/15 14:09:30 claudio Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -193,7 +193,7 @@ typedef struct { struct filter_prefixlen prefixlen; struct prefixset_item *prefixset_item; struct { - uint8_t enc_alg; + enum auth_enc_alg enc_alg; uint8_t enc_key_len; char enc_key[IPSEC_ENC_KEY_LEN]; } encspec; @@ -1609,7 +1609,7 @@ peeropts : REMOTEAS as4number { curpeer->conf.auth.method = AUTH_IPSEC_IKE_AH; } | IPSEC espah inout SPI NUMBER STRING STRING encspec { - uint32_t auth_alg; + enum auth_alg auth_alg; uint8_t keylen; if (curpeer->conf.auth.method && @@ -1626,10 +1626,10 @@ peeropts : REMOTEAS as4number { } if (!strcmp($6, "sha1")) { - auth_alg = SADB_AALG_SHA1HMAC; + auth_alg = AUTH_AALG_SHA1HMAC; keylen = 20; } else if (!strcmp($6, "md5")) { - auth_alg = SADB_AALG_MD5HMAC; + auth_alg = AUTH_AALG_MD5HMAC; keylen = 16; } else { yyerror("unknown auth algorithm \"%s\"", $6); @@ -1860,11 +1860,11 @@ encspec : /* nada */ { | STRING STRING { bzero(&$$, sizeof($$)); if (!strcmp($1, "3des") || !strcmp($1, "3des-cbc")) { - $$.enc_alg = SADB_EALG_3DESCBC; + $$.enc_alg = AUTH_EALG_3DESCBC; $$.enc_key_len = 21; /* XXX verify */ } else if (!strcmp($1, "aes") || !strcmp($1, "aes-128-cbc")) { - $$.enc_alg = SADB_X_EALG_AES; + $$.enc_alg = AUTH_EALG_AES; $$.enc_key_len = 16; } else { yyerror("unknown enc algorithm \"%s\"", $1); diff --git a/usr.sbin/bgpd/pfkey.c b/usr.sbin/bgpd/pfkey.c index 92136c2bf2c..6da7de6519c 100644 --- a/usr.sbin/bgpd/pfkey.c +++ b/usr.sbin/bgpd/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.62 2022/02/06 09:51:19 claudio Exp $ */ +/* $OpenBSD: pfkey.c,v 1.63 2022/06/15 14:09:30 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer 
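Review bot: The `/* XXX verify */` on `$$.enc_key_len = 21` in the `@@ -1860` hunk survives the retyping of `enc_alg`, and it, together with `keylen = 20` / `keylen = 16` in the `@@ -1626` hunk, are the only places that tie a key length to an algorithm, yet they now sit apart from the enums in bgpd.h that name those algorithms. Keeping the per-algorithm key lengths next to the enum definitions (or behind a small lookup helper) would make it harder for the two to drift when a new algorithm is added, and would be the natural place to resolve the XXX. Whether 21 is the length the kernel expects for 3DES-CBC is not something these hunks show, so the XXX should stay until that is confirmed. Both the `encspec` rule and the `peeropts` IPSEC action begin outside the hunks.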
@@ -590,6 +590,32 @@ fail: return (-1); } +static uint8_t +pfkey_auth_alg(enum auth_alg alg) +{ + switch (alg) { + case AUTH_AALG_SHA1HMAC: + return SADB_AALG_SHA1HMAC; + case AUTH_AALG_MD5HMAC: + return SADB_AALG_MD5HMAC; + default: + return SADB_AALG_NONE; + } +} + +static uint8_t +pfkey_enc_alg(enum auth_enc_alg alg) +{ + switch (alg) { + case AUTH_EALG_3DESCBC: + return SADB_EALG_3DESCBC; + case AUTH_EALG_AES: + return SADB_X_EALG_AES; + default: + return SADB_AALG_NONE; + } +} + static int pfkey_ipsec_establish(struct peer *p) { @@ -616,10 +642,10 @@ pfkey_ipsec_establish(struct peer *p) if (pfkey_send(pfkey_fd, satype, SADB_ADD, 0, local_addr, &p->conf.remote_addr, p->conf.auth.spi_out, - p->conf.auth.auth_alg_out, + pfkey_auth_alg(p->conf.auth.auth_alg_out), p->conf.auth.auth_keylen_out, p->conf.auth.auth_key_out, - p->conf.auth.enc_alg_out, + pfkey_enc_alg(p->conf.auth.enc_alg_out), p->conf.auth.enc_keylen_out, p->conf.auth.enc_key_out, 0, 0) == -1) @@ -629,10 +655,10 @@ pfkey_ipsec_establish(struct peer *p) if (pfkey_send(pfkey_fd, satype, SADB_ADD, 0, &p->conf.remote_addr, local_addr, p->conf.auth.spi_in, - p->conf.auth.auth_alg_in, + pfkey_auth_alg(p->conf.auth.auth_alg_in), p->conf.auth.auth_keylen_in, p->conf.auth.auth_key_in, - p->conf.auth.enc_alg_in, + pfkey_enc_alg(p->conf.auth.enc_alg_in), p->conf.auth.enc_keylen_in, p->conf.auth.enc_key_in, 0, 0) == -1) diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c index 3a20405ef82..c7107a8799c 100644 --- a/usr.sbin/bgpd/printconf.c +++ b/usr.sbin/bgpd/printconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: printconf.c,v 1.152 2022/05/31 09:45:33 claudio Exp $ */ +/* $OpenBSD: printconf.c,v 1.153 2022/06/15 14:09:30 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer 
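Review bot: `pfkey_enc_alg()` returns `SADB_AALG_NONE` in its `default:` branch, which is the authentication-algorithm constant carried over from `pfkey_auth_alg()`; the encryption counterpart is `SADB_EALG_NONE`, so the line should read `return SADB_EALG_NONE;`. Both constants are 0 in pfkeyv2.h, so this is a readability fix rather than a behaviour change, but someone auditing which algorithm an SA is installed with should not need to know that. Separately, now that both switches take an enum, dropping `default:` and listing `AUTH_AALG_NONE` / `AUTH_EALG_NONE` explicitly (with the NONE return after the switch) lets `-Wswitch` flag any algorithm later added to the enums in bgpd.h but not mapped here, instead of silently installing it as "no algorithm"; the same applies to `print_auth_alg()` / `print_enc_alg()` in printconf.c, which otherwise print `???` for an unmapped value.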
@@ -45,8 +45,8 @@ void print_roa(struct roa_tree *); void print_rtrs(struct rtr_config_head *); void print_peer(struct peer_config *, struct bgpd_config *, const char *); -const char *print_auth_alg(uint8_t); -const char *print_enc_alg(uint8_t); +const char *print_auth_alg(enum auth_alg); +const char *print_enc_alg(enum auth_enc_alg); void print_announce(struct peer_config *, const char *); void print_as(struct filter_rule *); void print_rule(struct bgpd_config *, struct filter_rule *); @@ -751,12 +751,12 @@ print_peer(struct peer_config *p, struct bgpd_config *conf, const char *c) } const char * -print_auth_alg(uint8_t alg) +print_auth_alg(enum auth_alg alg) { switch (alg) { - case SADB_AALG_SHA1HMAC: + case AUTH_AALG_SHA1HMAC: return ("sha1"); - case SADB_AALG_MD5HMAC: + case AUTH_AALG_MD5HMAC: return ("md5"); default: return ("???"); @@ -764,12 +764,12 @@ print_auth_alg(uint8_t alg) } const char * -print_enc_alg(uint8_t alg) +print_enc_alg(enum auth_enc_alg alg) { switch (alg) { - case SADB_EALG_3DESCBC: + case AUTH_EALG_3DESCBC: return ("3des"); - case SADB_X_EALG_AES: + case AUTH_EALG_AES: return ("aes"); default: return ("???"); diff --git a/usr.sbin/bgpd/session.h b/usr.sbin/bgpd/session.h index 4fa848f6fd4..a27bb774980 100644 --- a/usr.sbin/bgpd/session.h +++ b/usr.sbin/bgpd/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.154 2022/02/06 09:51:19 claudio Exp $ */ +/* $OpenBSD: session.h,v 1.155 2022/06/15 14:09:30 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -295,6 +295,7 @@ void mrt_dump_state(struct mrt *, uint16_t, uint16_t, void mrt_done(struct mrt *); /* pfkey.c */ +struct sadb_msg; int pfkey_read(int, struct sadb_msg *); int pfkey_establish(struct peer *); int pfkey_remove(struct peer *); -- 2.20.1