author | Hakan Olsson <ho@cvs.openbsd.org> | 2002-11-15 14:58:39 +0000 |
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2002-11-15 14:58:39 +0000 |
commit | 8b07dccb7adfbe7c4389938b3faa7f76776f2535 (patch) | |
tree | 5600973c1d1ed7993537205a9ca8d80fcfddfed4 | |
parent | 77500b5209faabc24efa36694f6a0ce1722c3e90 (diff) |
Missing "Configuration" tag in a Phase-1 peer was not handled correctly,
pointed out by Aref Taidi. Replace this with a "Default-Phase-1-Configuration"
that will be used if this tag is missing from the peer. Update manpage
accordingly. niklas@ ok.
-rw-r--r-- | sbin/isakmpd/conf.c | 8 | ||||
-rw-r--r-- | sbin/isakmpd/conf.h | 7 | ||||
-rw-r--r-- | sbin/isakmpd/exchange.c | 25 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.conf.5 | 22 |
4 files changed, 30 insertions, 32 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index 71300adcc83..052498e515f 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.46 2002/11/14 16:13:27 ho Exp $ */
+/* $OpenBSD: conf.c,v 1.47 2002/11/15 14:58:38 ho Exp $ */
 /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
 /*
@@ -446,6 +446,12 @@ conf_load_defaults (int tr)
 conf_set (tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_DURATION",
 (dflt ? dflt : CONF_DFLT_VAL_LIFE_QUICK_MODE), 0, 1);
+ /* Default Phase-1 Configuration section */
+ conf_set (tr, CONF_DFLT_TAG_PHASE1_CONFIG, "EXCHANGE_TYPE",
+ CONF_DFLT_PHASE1_EXCH_TYPE, 0, 1);
+ conf_set (tr, CONF_DFLT_TAG_PHASE1_CONFIG, "Transforms",
+ CONF_DFLT_PHASE1_TRANSFORMS, 0, 1);
+
 /* Main modes */
 for (enc = 0; mm_enc[enc]; enc ++)
 for (hash = 0; mm_hash[hash]; hash ++)
diff --git a/sbin/isakmpd/conf.h b/sbin/isakmpd/conf.h
index f8f693f0e22..8b368fb3e5d 100644
--- a/sbin/isakmpd/conf.h
+++ b/sbin/isakmpd/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.18 2002/11/14 16:13:27 ho Exp $ */
+/* $OpenBSD: conf.h,v 1.19 2002/11/15 14:58:38 ho Exp $ */
 /* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */
 /*
@@ -66,6 +66,11 @@
 #define CONF_DFLT_X509_CRL_DIR "/etc/isakmpd/crls/"
 #define CONF_DFLT_KEYNOTE_CRED_DIR "/etc/isakmpd/keynote/"
+
+#define CONF_DFLT_TAG_PHASE1_CONFIG "Default-Phase-1-Configuration"
+#define CONF_DFLT_PHASE1_EXCH_TYPE "ID_PROT"
+#define CONF_DFLT_PHASE1_TRANSFORMS "3DES-SHA"
+
 struct conf_list_node {
 TAILQ_ENTRY (conf_list_node) link;
 char *field;
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index f95ce47b9cc..5d70ad05723 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.72 2002/11/08 10:16:30 ho Exp $ */
+/* $OpenBSD: exchange.c,v 1.73 2002/11/15 14:58:38 ho Exp $ */
 /* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
 /*
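Review bot: The two new conf_set calls in conf_load_defaults define the policy that every peer section lacking a `Configuration` tag will now negotiate under, but the comment `/* Default Phase-1 Configuration section */` only restates the tag name, so a reader of this function cannot tell these lines have a security effect. I would make that explicit, e.g. `/* Built-in fallback policy for peers that give no "Configuration" tag. Users may override it by defining this section in isakmpd.conf (see isakmpd.conf.5). */` — the manpage text in this commit states that autogenerated values can be overridden by a section of the same name. The `ID_PROT` and `3DES-SHA` values come from the CONF_DFLT_PHASE1_* macros in conf.h and are duplicated verbatim in the manpage example, so the comment should also say the two must be kept in sync. conf_load_defaults starts before and continues after this hunk.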
@@ -755,19 +755,8 @@ exchange_establish_p1 (struct transport *t, u_int8_t type, u_int32_t doi,
 tag = conf_get_str (name, "Configuration");
 if (!tag)
 {
- /* Use default setting */
- tag = conf_get_str ("Phase 1", "Default");
- if (!tag)
- {
- log_print ("exchange_establish_p1: "
- "no \"Default\" tag in [Phase 1] section");
- return;
- }
-#if 0
- log_print ("exchange_establish_p1: "
- "no configuration found for peer \"%s\"",
- name);
-#endif
+ /* Use default setting. */
+ tag = CONF_DFLT_TAG_PHASE1_CONFIG;
 }
 /* Figure out the DOI. XXX Factor out? */
@@ -820,7 +809,7 @@ exchange_establish_p1 (struct transport *t, u_int8_t type, u_int32_t doi,
 exchange->policy = name ? conf_get_str (name, "Configuration") : 0;
 if (!exchange->policy && name)
- exchange->policy = conf_get_str ("Phase 1", "Default");
+ exchange->policy = CONF_DFLT_TAG_PHASE1_CONFIG;
 if (name)
 {
@@ -1067,11 +1056,7 @@ exchange_setup_p1 (struct message *msg, u_int32_t doi)
 policy = conf_get_str (name, "Configuration");
 if (!policy)
- {
- log_print ("exchange_setup_p1: no configuration for peer \"%s\"",
- name);
- return 0;
- }
+ policy = CONF_DFLT_TAG_PHASE1_CONFIG;
 /* Figure out the DOI. */
 str = conf_get_str (policy, "DOI");
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 3e2e50b03a3..f07df2a644f 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.68 2002/11/09 00:57:20 fgsch Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.69 2002/11/15 14:58:38 ho Exp $
 .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
 .\"
 .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
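Review bot: Dropping the `conf_get_str ("Phase 1", "Default")` lookup means any existing isakmpd.conf that points `[Phase 1] Default=` at a hardened section will, for every peer without a `Configuration` tag, silently negotiate with the built-in `Default-Phase-1-Configuration` (ID_PROT and 3DES-SHA per the conf.h hunk) instead, and nothing is logged because the log_print went away together with the error return. A gentler migration keeps the old tag as the first fallback and only then the built-in one: `tag = conf_get_str ("Phase 1", "Default");` / `if (!tag)` / `tag = CONF_DFLT_TAG_PHASE1_CONFIG;`, so no deployed configuration changes policy without an edit. If retiring `[Phase 1] Default` is intentional, the commit message and isakmpd.conf.5 should say so explicitly, and the `/* Use default setting. */` comment should name which default is meant. exchange_establish_p1 starts before and continues after this hunk.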
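Review bot: On the responder path in exchange_setup_p1 a peer section without a `Configuration` tag used to be refused (`return 0` after a log_print); it now proceeds under `CONF_DFLT_TAG_PHASE1_CONFIG` with no trace at all, so a peer section whose tag was mistyped or omitted negotiates the built-in 3DES-SHA/ID_PROT policy without the operator noticing. Since the manpage example in this commit comments out `Configuration=` and deliberately relies on the default, an error-level message would be noise, but a debug-level note where the fallback is taken is cheap: `LOG_DBG ((LOG_EXCHANGE, 30, "exchange_setup_p1: peer \"%s\" has no Configuration, using %s", name, policy));` — adjust to whatever debug facility exchange.c already uses, as only log_print is visible in this hunk. The body of exchange_setup_p1 starts and ends outside the hunk.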
@@ -113,8 +113,9 @@ Unless explicitly stated with -GRP1, 2 or 5, transforms and PFS suites use DH group 2. There are currently no predefined ESP+AH Quick Mode suites.
 .Pp
 The predefinitions include some default values for the special
-sections "General", and "X509-certificates". These default values are
-presented in the example below.
+sections "General", "Keynote", "X509-certificates", and
+"Default-Phase-1-Configuration".
+These default values are presented in the example below.
 .Pp
 All autogenerated values can be overridden by manual entries by using the same section and tag names in the configuration file.
@@ -314,6 +315,7 @@ If existent, the IP-address of the peer.
 .It Em Configuration
 The name of the ISAKMP-configuration section to use.
 Look at <ISAKMP-configuration> below.
+If unspecified, defaults to "Default-Phase-1-Configuration".
 .It Em Authentication
 If existent, authentication data for this specific peer.
 In the case of preshared key, this is the key value itself.
@@ -677,7 +679,7 @@ Local-address= 10.1.0.2
 Address= 10.1.0.1
 #Port= isakmp
 #Port= 500
-Configuration= Default-main-mode
+#Configuration= Default-Phase-1-Configuration
 Authentication= mekmitasdigoat
 #Flags=
@@ -699,12 +701,6 @@ ID-type= IPV4_ADDR_SUBNET
 Network= 192.168.2.0
 Netmask= 255.255.255.0
-# Main mode descriptions
-
-[Default-main-mode]
-EXCHANGE_TYPE= ID_PROT
-Transforms= 3DES-SHA
-
 # Quick mode descriptions
 [Default-quick-mode]
@@ -743,6 +739,12 @@ Cert-directory= /etc/isakmpd/certs/
 CRL-directory= /etc/isakmpd/crls/
 Private-key= /etc/isakmpd/private/local.key
+# Default phase 1 description (Main Mode)
+
+[Default-Phase-1-Configuration]
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
 # Main mode transforms
 ######################
|