author | Niels Provos <provos@cvs.openbsd.org> | 1997-07-23 12:28:58 +0000 |
committer | Niels Provos <provos@cvs.openbsd.org> | 1997-07-23 12:28:58 +0000 |
commit | dc827378e8e2aaf3813b5a7cd4b487194c224ebd (patch) | |
tree | afe896c16a8d922734119ed6d6bce71342a6f8c7 | |
parent | 1ac06ffb4b821e98d86f25af1d385216d62f6270 (diff) |
tunnel,lifetimes,hostname via startkey/startup
errors to stderr before daemon, to syslog afterwards
-rw-r--r-- | sbin/ipsec/photurisd/compute_secrets.c | 8 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/config.c | 31 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/config.h | 4 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/errlog.c | 52 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/errlog.h | 24 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/handle_identity_request.c | 8 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/handle_identity_response.c | 8 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/handle_spi_needed.c | 4 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/handle_spi_update.c | 4 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/identity.c | 4 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/kernel.c | 118 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/kernel.h | 13 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/photuris.h | 4 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/photurisd.1 | 4 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/photurisd.c | 5 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/schedule.c | 15 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/spi.c | 34 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/spi.h | 12 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/state.c | 3 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/state.h | 4 | ||||
-rw-r--r-- | sbin/ipsec/startkey/startkey.1 | 4 |
21 files changed, 226 insertions, 137 deletions
diff --git a/sbin/ipsec/photurisd/compute_secrets.c b/sbin/ipsec/photurisd/compute_secrets.c index 9b87342eea6..2511208501d 100644 --- a/sbin/ipsec/photurisd/compute_secrets.c +++ b/sbin/ipsec/photurisd/compute_secrets.c @@ -34,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: compute_secrets.c,v 1.1 1997/07/18 22:48:48 provos Exp $"; +static char rcsid[] = "$Id: compute_secrets.c,v 1.2 1997/07/23 12:28:46 provos Exp $"; #endif #define _SECRETS_C_ @@ -147,14 +147,16 @@ make_session_keys(struct stateob *st, struct spiob *spi) for (i = 0; i<attribsize; i += attributes[i+1] + 2) { if (attributes[i] != AT_AH_ATTRIB && attributes[i] != AT_ESP_ATTRIB) { - bits = compute_session_key(st, p, attributes+i, spi->owner, + bits = compute_session_key(st, p, attributes+i, + spi->flags & SPI_OWNER, &count); if (bits == -1) return -1; #ifdef DEBUG { int d = BUFFER_SIZE; printf("%s session key for AT %d: ", - spi->owner ? "Owner" : "User", (int)attributes[i]); + spi->flags & SPI_OWNER ? + "Owner" : "User", (int)attributes[i]); bin2hex(buffer, &d, p, bits & 7 ? (bits >> 3) + 1 : bits >> 3); printf("0x%s\n", buffer); diff --git a/sbin/ipsec/photurisd/config.c b/sbin/ipsec/photurisd/config.c index 4576e8b405d..34f7932cbea 100644 --- a/sbin/ipsec/photurisd/config.c +++ b/sbin/ipsec/photurisd/config.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: config.c,v 1.2 1997/07/22 11:18:21 provos Exp $"; +static char rcsid[] = "$Id: config.c,v 1.3 1997/07/23 12:28:46 provos Exp $"; #endif #define _CONFIG_C_ @@ -47,6 +47,7 @@ static char rcsid[] = "$Id: config.c,v 1.2 1997/07/22 11:18:21 provos Exp $"; #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> +#include <netdb.h> #include <time.h> #include <pwd.h> #include <gmp.h> @@ -438,6 +439,7 @@ void startup_parse(struct stateob *st, char *p2) { char *p, *p3; + struct hostent *hp; while((p=strsep(&p2, " ")) != NULL) { if ((p3 = strchr(p, '=')) == NULL) { 
@@ -449,17 +451,34 @@ startup_parse(struct stateob *st, char *p2) continue; } if (!strncmp(p, OPT_DST, strlen(OPT_DST))) { - if (inet_addr(p3) == -1) { - log_error(0, "invalid destination IP address: %s", p3); + hp = NULL; + if (inet_addr(p3) == -1 && (hp = gethostbyname(p3)) == NULL) { + log_error(1, "invalid destination address: %s", p3); continue; } - strncpy(st->address, p3, 15); + if (hp == NULL) + strncpy(st->address, p3, 15); + else { + struct sockaddr_in sin; + bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length); + strncpy(st->address, inet_ntoa(sin.sin_addr), 15); + } st->address[15] = '\0'; } else if (!strncmp(p, OPT_PORT, strlen(OPT_PORT))) { if ((st->port = atoi(p3)) == 0) { log_error(0, "invalid port number: %s", p3); continue; } + } else if (!strncmp(p, CONFIG_EX_LIFETIME, strlen(CONFIG_EX_LIFETIME))) { + if ((st->exchange_lifetime = atol(p3)) == 0) { + log_error(0, "invalid exchange lifetime: %s", p3); + continue; + } + } else if (!strncmp(p, CONFIG_SPI_LIFETIME, strlen(CONFIG_SPI_LIFETIME))) { + if ((st->spi_lifetime = atol(p3)) == 0) { + log_error(0, "invalid spi lifetime: %s", p3); + continue; + } } else if (!strncmp(p, OPT_USER, strlen(OPT_USER))) { struct passwd *pwd; if ((st->user = strdup(p3)) == NULL) { @@ -468,6 +487,8 @@ startup_parse(struct stateob *st, char *p2) } if ((pwd = getpwnam(st->user)) == NULL) { log_error(1, "getpwnam() in startup_parse()"); + free(st->user); + st->user = NULL; continue; } } else if (!strncmp(p, OPT_OPTIONS, strlen(OPT_OPTIONS))) { @@ -601,7 +622,7 @@ init_startup(void) #ifndef DEBUG void -reconfig(int sig, siginfo_t *sip, struct sigcontext *scp) +reconfig(int sig) { log_error(0, "Reconfiguring on SIGHUP"); diff --git a/sbin/ipsec/photurisd/config.h b/sbin/ipsec/photurisd/config.h index 669348d7c86..5f54072e229 100644 --- a/sbin/ipsec/photurisd/config.h +++ b/sbin/ipsec/photurisd/config.h 
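Review bot: The address taken from the gethostbyname() result in the OPT_DST branch is never checked for family or length before `bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length)`, so any answer whose h_length is not 4 overruns the 4-byte sin_addr; guard it with `if (hp->h_addrtype != AF_INET || hp->h_length != sizeof sin.sin_addr) { log_error(0, "unsupported address type for %s", p3); continue; }`. The failure path now calls `log_error(1, ...)`, but gethostbyname() reports through h_errno rather than errno, so the errno text _log_error() appends for flag 1 will be unrelated to the lookup; keep flag 0 as before, or include `hstrerror(h_errno)` in the message. The two new lifetime branches use `atol()` and reject only 0, so a negative or partly numeric value such as `-5` or `10x` is accepted and yields an already-expired or truncated lifetime; parse with `strtol()` plus an end-pointer check and test `<= 0` instead of `== 0`. startup_parse() begins before this hunk and continues after it.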
@@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: config.h,v 1.2 1997/07/22 11:18:21 provos Exp $ */ +/* $Id: config.h,v 1.3 1997/07/23 12:28:47 provos Exp $ */ /* * config.h: * handling config @@ -74,7 +74,7 @@ #define EXTERN #ifndef DEBUG -void reconfig(int sig, siginfo_t *sip, struct sigcontext *scp); +void reconfig(int sig); #endif #else diff --git a/sbin/ipsec/photurisd/errlog.c b/sbin/ipsec/photurisd/errlog.c index cb6c4a54ed4..8ad85869cd1 100644 --- a/sbin/ipsec/photurisd/errlog.c +++ b/sbin/ipsec/photurisd/errlog.c @@ -31,13 +31,17 @@ */ /* - * $Header: /cvs/OpenBSD/src/sbin/ipsec/photurisd/Attic/errlog.c,v 1.1 1997/07/18 22:48:49 provos Exp $ + * $Header: /cvs/OpenBSD/src/sbin/ipsec/photurisd/Attic/errlog.c,v 1.2 1997/07/23 12:28:47 provos Exp $ * * $Author: provos $ * * $Log: errlog.c,v $ - * Revision 1.1 1997/07/18 22:48:49 provos - * Initial revision + * Revision 1.2 1997/07/23 12:28:47 provos + * tunnel,lifetimes,hostname via startkey/startup + * errors to stderr before daemon, to syslog afterwards + * + * Revision 1.1.1.1 1997/07/18 22:48:49 provos + * initial import of the photuris keymanagement daemon * * Revision 1.1 1997/05/22 17:34:16 provos * Initial revision @@ -45,7 +49,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: errlog.c,v 1.1 1997/07/18 22:48:49 provos Exp $"; +static char rcsid[] = "$Id: errlog.c,v 1.2 1997/07/23 12:28:47 provos Exp $"; #endif #define _ERRLOG_C_ @@ -61,6 +65,7 @@ static char rcsid[] = "$Id: errlog.c,v 1.1 1997/07/18 22:48:49 provos Exp $"; #include <syslog.h> #include <sys/types.h> #include <errno.h> +#include "photuris.h" #include "buffer.h" #include "errlog.h" 
@@ -132,35 +137,26 @@ void _log_error(int flag, char *fmt, va_list ap) { char *buffer = calloc(LOG_SIZE, sizeof(char)); -#ifdef __SWR - FILE f; -#endif + if(buffer == NULL) return; -#ifdef DEBUG - sprintf(buffer, "%s: ", (flag ? "Error" : "Warning")); -#else - buffer[0] = '\0'; -#endif + if (!daemon_mode) + sprintf(buffer, "%s: ", (flag ? "Error" : "Warning")); + else + buffer[0] = '\0'; -#ifdef __SWR - f._flags = __SWR | __SSTR; - f._bf._base = f._p = buffer + strlen(buffer); - f._bf._size = f._w = LOG_SIZE-1-strlen(buffer); - vfprintf(&f, fmt, ap); -#else - vsprintf(buffer+strlen(buffer), fmt, ap); -#endif + vsnprintf(buffer+strlen(buffer), LOG_SIZE-1, fmt, ap); buffer[LOG_SIZE-1] = '\0'; -#ifdef DEBUG - fprintf(stderr, buffer); - if (flag) - fprintf(stderr, " : %s", sys_errlist[errno]); - fprintf(stderr, ".\n"); -#else - syslog(LOG_WARNING, buffer); -#endif + + if (daemon_mode) + syslog(LOG_WARNING, buffer); + else { + fprintf(stderr, buffer); + if (flag) + fprintf(stderr, " : %s", sys_errlist[errno]); + fprintf(stderr, ".\n"); + } free(buffer); } diff --git a/sbin/ipsec/photurisd/errlog.h b/sbin/ipsec/photurisd/errlog.h index ac25decb7f6..04583eacfaf 100644 --- a/sbin/ipsec/photurisd/errlog.h +++ b/sbin/ipsec/photurisd/errlog.h @@ -30,24 +30,22 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifdef _ERRLOG_C_ +#ifndef _ERRLOG_H_ +#define _ERRLOG_H_ -#if __STDC__ -void crit_error __P((int, char *, ...)); -void log_error __P((int, char *, ...)); +#undef EXTERN +#ifdef _ERRLOG_C_ +#define EXTERN #else -void crit_error(); -void log_error(); +#define EXTERN extern #endif -#else - #if __STDC__ -extern void crit_error __P((int, char *, ...)); -extern void log_error __P((int, char *, ...)); +EXTERN void crit_error __P((int, char *, ...)); +EXTERN void log_error __P((int, char *, ...)); #else -extern void crit_error(); -extern void log_error(); +EXTERN void crit_error(); +EXTERN void log_error(); #endif -#endif +#endif /* _ERRLOG_H_ */ 
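Review bot: `syslog(LOG_WARNING, buffer)` and `fprintf(stderr, buffer)` pass the already-formatted message as the format string, so any `%` sequence inside a caller-supplied `%s` argument (config.c logs startup-file values such as the destination address this way in the same commit) is interpreted as a conversion directive; log through `"%s"` and `fputs()` instead. The new `vsnprintf(buffer+strlen(buffer), LOG_SIZE-1, fmt, ap)` bounds the write by `LOG_SIZE-1` from an offset that already holds the "Error: "/"Warning: " prefix, so a long message can write up to the prefix length past the end of the calloc'd LOG_SIZE buffer; the limit must be `LOG_SIZE - strlen(buffer)`. errno is also read only after calloc() and vsnprintf() have had the chance to overwrite it, so save it on entry, and `strerror()` is the portable replacement for indexing sys_errlist. The rewritten body, with the whole function inside this hunk:
```c
void
_log_error(int flag, char *fmt, va_list ap)
{
	int saved_errno = errno;	/* calloc()/vsnprintf() may clobber errno */
	char *buffer = calloc(LOG_SIZE, sizeof(char));
	size_t off;

	if (buffer == NULL)
		return;

	if (!daemon_mode)
		snprintf(buffer, LOG_SIZE, "%s: ", (flag ? "Error" : "Warning"));
	else
		buffer[0] = '\0';

	/* bound the message by what is left after the prefix, not by LOG_SIZE-1 */
	off = strlen(buffer);
	vsnprintf(buffer + off, LOG_SIZE - off, fmt, ap);
	buffer[LOG_SIZE-1] = '\0';

	/* buffer holds caller data; never use it as a format string */
	if (daemon_mode)
		syslog(LOG_WARNING, "%s", buffer);
	else {
		fputs(buffer, stderr);
		if (flag)
			fprintf(stderr, " : %s", strerror(saved_errno));
		fprintf(stderr, ".\n");
	}
	free(buffer);
}
```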
diff --git a/sbin/ipsec/photurisd/handle_identity_request.c b/sbin/ipsec/photurisd/handle_identity_request.c index 38e103187b1..7ba9868c5a8 100644 --- a/sbin/ipsec/photurisd/handle_identity_request.c +++ b/sbin/ipsec/photurisd/handle_identity_request.c @@ -34,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: handle_identity_request.c,v 1.2 1997/07/19 12:07:45 provos Exp $"; +static char rcsid[] = "$Id: handle_identity_request.c,v 1.3 1997/07/23 12:28:48 provos Exp $"; #endif #include <stdio.h> @@ -256,7 +256,7 @@ handle_identity_request(u_char *packet, int size, char *address, return -1; } bcopy(st->icookie, spi->icookie, COOKIE_SIZE); - spi->owner = 1; + spi->flags |= SPI_OWNER; spi->attribsize = st->oSPIattribsize; spi->attributes = calloc(spi->attribsize, sizeof(u_int8_t)); if (spi->attributes == NULL) { @@ -301,13 +301,15 @@ handle_identity_request(u_char *packet, int size, char *address, /* Make session keys for User */ make_session_keys(st, spi); + spi_set_tunnel(st, spi); + spi_insert(spi); #ifdef IPSEC kernel_insert_spi(spi); #endif } - st->lifetime = exchange_lifetime + time(NULL) + random() % 20; + st->lifetime = st->exchange_lifetime + time(NULL) + random() % 20; st->retries = 0; st->phase = SPI_UPDATE; diff --git a/sbin/ipsec/photurisd/handle_identity_response.c b/sbin/ipsec/photurisd/handle_identity_response.c index 43f61f9ca38..30152173ef5 100644 --- a/sbin/ipsec/photurisd/handle_identity_response.c +++ b/sbin/ipsec/photurisd/handle_identity_response.c @@ -34,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: handle_identity_response.c,v 1.2 1997/07/19 12:07:47 provos Exp $"; +static char rcsid[] = "$Id: handle_identity_response.c,v 1.3 1997/07/23 12:28:49 provos Exp $"; #endif #include <stdio.h> 
@@ -203,7 +203,7 @@ handle_identity_response(u_char *packet, int size, char *address, st->ulifetime = (header->lifetime[0] << 16) + (header->lifetime[1] << 8) + header->lifetime[2]; - st->lifetime = exchange_lifetime + time(NULL) + random() % 20; + st->lifetime = st->exchange_lifetime + time(NULL) + random() % 20; st->retries = 0; st->phase = SPI_UPDATE; @@ -228,7 +228,7 @@ handle_identity_response(u_char *packet, int size, char *address, return -1; } bcopy(st->icookie, spi->icookie, COOKIE_SIZE); - spi->owner = 1; + spi->flags |= SPI_OWNER; spi->attribsize = st->oSPIattribsize; spi->attributes = calloc(spi->attribsize, sizeof(u_int8_t)); if (spi->attributes == NULL) { @@ -272,6 +272,8 @@ handle_identity_response(u_char *packet, int size, char *address, /* Session keys for User */ make_session_keys(st, spi); + spi_set_tunnel(st, spi); + spi_insert(spi); #ifdef IPSEC kernel_insert_spi(spi); diff --git a/sbin/ipsec/photurisd/handle_spi_needed.c b/sbin/ipsec/photurisd/handle_spi_needed.c index 92fc52eadc8..f070d675b81 100644 --- a/sbin/ipsec/photurisd/handle_spi_needed.c +++ b/sbin/ipsec/photurisd/handle_spi_needed.c @@ -34,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: handle_spi_needed.c,v 1.2 1997/07/19 12:07:48 provos Exp $"; +static char rcsid[] = "$Id: handle_spi_needed.c,v 1.3 1997/07/23 12:28:49 provos Exp $"; #endif #include <stdio.h> @@ -177,7 +177,7 @@ handle_spi_needed(u_char *packet, int size, char *address, return -1; } bcopy(st->icookie, spi->icookie, COOKIE_SIZE); - spi->owner = 1; + spi->flags |= SPI_OWNER; spi->attribsize = st->oSPIattribsize; spi->attributes = calloc(spi->attribsize, sizeof(u_int8_t)); if (spi->attributes == NULL) { diff --git a/sbin/ipsec/photurisd/handle_spi_update.c b/sbin/ipsec/photurisd/handle_spi_update.c index 5fd25028af5..20bd3a488a4 100644 --- a/sbin/ipsec/photurisd/handle_spi_update.c +++ b/sbin/ipsec/photurisd/handle_spi_update.c 
@@ -34,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: handle_spi_update.c,v 1.2 1997/07/19 12:07:50 provos Exp $"; +static char rcsid[] = "$Id: handle_spi_update.c,v 1.3 1997/07/23 12:28:50 provos Exp $"; #endif #include <stdio.h> @@ -175,6 +175,8 @@ handle_spi_update(u_char *packet, int size, char *address, bcopy(st->icookie, spi->icookie, COOKIE_SIZE); spi->lifetime = time(NULL) + lifetime; + spi_set_tunnel(st, spi); + make_session_keys(st, spi); spi_insert(spi); diff --git a/sbin/ipsec/photurisd/identity.c b/sbin/ipsec/photurisd/identity.c index fdfc11d0431..2b015be02ab 100644 --- a/sbin/ipsec/photurisd/identity.c +++ b/sbin/ipsec/photurisd/identity.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: identity.c,v 1.1 1997/07/18 22:48:49 provos Exp $"; +static char rcsid[] = "$Id: identity.c,v 1.2 1997/07/23 12:28:50 provos Exp $"; #endif #define _IDENTITY_C_ @@ -111,6 +111,8 @@ init_identities(char *name, struct identity *root) p++; if(*p == '#') /* Ignore comments */ continue; + if(!strlen(p)) + continue; if (!strncmp(p, IDENT_LOCAL, strlen(IDENT_LOCAL))) { type = ID_LOCAL; diff --git a/sbin/ipsec/photurisd/kernel.c b/sbin/ipsec/photurisd/kernel.c index ac7955a87a2..16aa1015b41 100644 --- a/sbin/ipsec/photurisd/kernel.c +++ b/sbin/ipsec/photurisd/kernel.c @@ -29,7 +29,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: kernel.c,v 1.1 1997/07/18 22:48:50 provos Exp $"; +static char rcsid[] = "$Id: kernel.c,v 1.2 1997/07/23 12:28:51 provos Exp $"; #endif #include <sys/param.h> @@ -134,7 +134,8 @@ kernel_reserve_spi(char *srcaddress) return em->em_gen_spi; } int -kernel_md5(char *srcaddress, char *dstaddress, u_int8_t *spi, u_int8_t *secret) +kernel_md5(char *srcaddress, char *dstaddress, u_int8_t *spi, u_int8_t *secret, + int tunnel) { struct encap_msghdr *em; struct ah_old_xencap *xd; 
@@ -153,6 +154,12 @@ kernel_md5(char *srcaddress, char *dstaddress, u_int8_t *spi, u_int8_t *secret) (spi[2]<<8) + spi[3]); em->em_src.s_addr = inet_addr(srcaddress); em->em_dst.s_addr = inet_addr(dstaddress); + + if (tunnel) { + em->em_osrc.s_addr = inet_addr(srcaddress); + em->em_odst.s_addr = inet_addr(dstaddress); + } + em->em_alg = XF_OLD_AH; em->em_sproto = IPPROTO_AH; 
@@ -170,38 +177,45 @@ kernel_md5(char *srcaddress, char *dstaddress, u_int8_t *spi, u_int8_t *secret) } int -kernel_des(char *srcaddress, char *dstaddress, u_int8_t *spi, u_int8_t *secret) +kernel_des(char *srcaddress, char *dstaddress, u_int8_t *spi, u_int8_t *secret, + int tunnel) { - struct encap_msghdr *em; - struct esp_old_xencap *xd; + struct encap_msghdr *em; + struct esp_old_xencap *xd; - bzero(buffer, EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN + 4 + 8); + bzero(buffer, EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN + 4 + 8); - em = (struct encap_msghdr *)buffer; + em = (struct encap_msghdr *)buffer; - em->em_msglen = EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN + 4 + 8; - em->em_version = PFENCAP_VERSION_1; - em->em_type = EMT_SETSPI; - em->em_spi = htonl((spi[0]<<24) + (spi[1]<<16) + - (spi[2]<<8) + spi[3]); - em->em_src.s_addr = inet_addr(srcaddress); - em->em_dst.s_addr = inet_addr(dstaddress); - em->em_alg = XF_OLD_ESP; - em->em_sproto = IPPROTO_ESP; + em->em_msglen = EMT_SETSPI_FLEN + ESP_OLD_XENCAP_LEN + 4 + 8; + em->em_version = PFENCAP_VERSION_1; + em->em_type = EMT_SETSPI; + em->em_spi = htonl((spi[0]<<24) + (spi[1]<<16) + + (spi[2]<<8) + spi[3]); + em->em_src.s_addr = inet_addr(srcaddress); + em->em_dst.s_addr = inet_addr(dstaddress); + + if (tunnel) { + em->em_osrc.s_addr = inet_addr(srcaddress); + em->em_odst.s_addr = inet_addr(dstaddress); + } - xd = (struct esp_old_xencap *)(em->em_dat); + em->em_alg = XF_OLD_ESP; + em->em_sproto = IPPROTO_ESP; - xd->edx_enc_algorithm = ALG_ENC_DES; - xd->edx_ivlen = 4; - xd->edx_keylen = 8; + xd = (struct esp_old_xencap *)(em->em_dat); - bcopy(spi, xd->edx_data, 4); - bcopy(secret, xd->edx_data + 8, 8); - - if (!kernel_xf_set(em)) - return -1; + xd->edx_enc_algorithm = ALG_ENC_DES; + xd->edx_ivlen = 4; + xd->edx_keylen = 8; - return 8; + bcopy(spi, xd->edx_data, 4); + bcopy(secret, xd->edx_data + 8, 8); + + if (!kernel_xf_set(em)) + return -1; + + return 8; } /* Group an ESP SPI with an AH SPI */ 
@@ -238,7 +252,8 @@ kernel_group_spi(char *address, u_int8_t *spi) } int -kernel_enable_spi(char *isrc, char *ismask, char *idst, char *idmask, +kernel_enable_spi(in_addr_t isrc, in_addr_t ismask, + in_addr_t idst, in_addr_t idmask, char *address, u_int8_t *spi, int proto, int flags) { struct encap_msghdr *em; @@ -254,10 +269,10 @@ kernel_enable_spi(char *isrc, char *ismask, char *idst, char *idmask, em->em_version = PFENCAP_VERSION_1; em->em_type = EMT_ENABLESPI; - em->em_ena_isrc.s_addr = inet_addr(isrc); - em->em_ena_ismask.s_addr = inet_addr(ismask); - em->em_ena_idst.s_addr = inet_addr(idst); - em->em_ena_idmask.s_addr = inet_addr(idmask); + em->em_ena_isrc.s_addr = isrc; + em->em_ena_ismask.s_addr = ismask; + em->em_ena_idst.s_addr = idst; + em->em_ena_idmask.s_addr = idmask; em->em_ena_dst.s_addr = inet_addr(address); em->em_ena_spi = htonl(SPI); @@ -271,7 +286,8 @@ kernel_enable_spi(char *isrc, char *ismask, char *idst, char *idmask, } int -kernel_disable_spi(char *isrc, char *ismask, char *idst, char *idmask, +kernel_disable_spi(in_addr_t isrc, in_addr_t ismask, + in_addr_t idst, in_addr_t idmask, char *address, u_int8_t *spi, int proto, int flags) { struct encap_msghdr *em; @@ -287,10 +303,10 @@ kernel_disable_spi(char *isrc, char *ismask, char *idst, char *idmask, em->em_version = PFENCAP_VERSION_1; em->em_type = EMT_DISABLESPI; - em->em_ena_isrc.s_addr = inet_addr(isrc); - em->em_ena_ismask.s_addr = inet_addr(ismask); - em->em_ena_idst.s_addr = inet_addr(idst); - em->em_ena_idmask.s_addr = inet_addr(idmask); + em->em_ena_isrc.s_addr = isrc; + em->em_ena_ismask.s_addr = ismask; + em->em_ena_idst.s_addr = idst; + em->em_ena_idmask.s_addr = idmask; em->em_ena_dst.s_addr = inet_addr(address); em->em_ena_spi = htonl(SPI); 
@@ -346,9 +362,9 @@ kernel_insert_spi(struct spiob *SPI) case AT_ESP_ATTRIB: break; case AT_MD5_KDP: - offset = kernel_md5(SPI->local_address, SPI->owner ? + offset = kernel_md5(SPI->local_address, SPI->flags & SPI_OWNER ? SPI->local_address : SPI->address, - spi, secrets); + spi, secrets, SPI->flags & SPI_TUNNEL); if (offset == -1) return -1; secrets += offset; @@ -357,9 +373,9 @@ kernel_insert_spi(struct spiob *SPI) proto = IPPROTO_AH; break; case AT_DES_CBC: - offset = kernel_des(SPI->local_address, SPI->owner ? + offset = kernel_des(SPI->local_address, SPI->flags & SPI_OWNER ? SPI->local_address : SPI->address, - spi, secrets); + spi, secrets, SPI->flags & SPI_TUNNEL); if (offset == -1) return -1; secrets += offset; @@ -375,14 +391,14 @@ kernel_insert_spi(struct spiob *SPI) } /* Group the SPIs for User */ - if (!SPI->owner && i > 1) { + if (!(SPI->flags & SPI_OWNER) && i > 1) { if (kernel_group_spi(SPI->address, spi) == -1) log_error(0, "kernel_group_spi() in kernel_insert_spi()"); } - if (!SPI->owner && !SPI->notify) { - if (kernel_enable_spi(SPI->local_address, "255.255.255.255", - SPI->address, "255.255.255.255", + if (!(SPI->flags & SPI_OWNER) && !(SPI->flags & SPI_NOTIFY)) { + if (kernel_enable_spi(SPI->isrc, SPI->ismask, + SPI->idst, SPI->idmask, SPI->address, spi, proto, ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL) == -1) log_error(0, "kernel_enable_spi() in kernel_insert_spi()"); @@ -403,7 +419,7 @@ kernel_unlink_spi(struct spiob *ospi) u_int32_t spi; u_int8_t SPI[SPI_SIZE], *p; - if (!ospi->owner) + if (!(ospi->flags & SPI_OWNER)) p = ospi->address; else p = ospi->local_address; 
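Review bot: The flow selector handed to kernel_enable_spi() in the `@@ -375` hunk now comes from SPI->isrc/ismask/idst/idmask, fields this commit populates only in spi_set_tunnel(); an SPI that reaches kernel_insert_spi() without that call (spi_new() is outside this diff, so whether it zero-fills them is not visible) would install a 0.0.0.0/0.0.0.0 selector, i.e. a flow matching all traffic. kernel_insert_spi() cannot distinguish an intentional wildcard from an unset field, so the invariant should at least be stated at the call site: `/* isrc..idmask must have been filled in by spi_set_tunnel(); all-zero masks install a catch-all flow */`. The same fields feed kernel_disable_spi() in the kernel_unlink_spi() hunks that follow. kernel_insert_spi() starts before this hunk.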
@@ -424,9 +440,9 @@ kernel_unlink_spi(struct spiob *ospi) case AT_MD5_KDP: if (!proto) { proto = IPPROTO_AH; - if (!ospi->owner && - kernel_disable_spi(ospi->local_address, "255.255.255.255", - ospi->address, "255.255.255.255", + if (!(ospi->flags & SPI_OWNER) && + kernel_disable_spi(ospi->isrc, ospi->ismask, + ospi->idst, ospi->idmask, ospi->address, ospi->SPI, proto, ENABLE_FLAG_LOCAL) == -1) log_error(0, "kernel_disable_spi() in kernel_unlink_spi()"); @@ -438,9 +454,9 @@ kernel_unlink_spi(struct spiob *ospi) case AT_DES_CBC: if (!proto) { proto = IPPROTO_ESP; - if (!ospi->owner && - kernel_disable_spi(ospi->local_address, "255.255.255.255", - ospi->address, "255.255.255.255", + if (!(ospi->flags & SPI_OWNER) && + kernel_disable_spi(ospi->isrc, ospi->ismask, + ospi->idst, ospi->idmask, ospi->address, ospi->SPI, proto, ENABLE_FLAG_LOCAL) == -1) log_error(0, "kernel_disable_spi() in kernel_unlink_spi()"); diff --git a/sbin/ipsec/photurisd/kernel.h b/sbin/ipsec/photurisd/kernel.h index 520da3cbae0..9f72bc44bff 100644 --- a/sbin/ipsec/photurisd/kernel.h +++ b/sbin/ipsec/photurisd/kernel.h @@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: kernel.h,v 1.1 1997/07/18 22:48:50 provos Exp $ */ +/* $Id: kernel.h,v 1.2 1997/07/23 12:28:52 provos Exp $ */ /* * kernel.h: * security paramter index creation. 
@@ -44,14 +44,17 @@ int kernel_xf_set(struct encap_msghdr *em); int kernel_xf_read(struct encap_msghdr *em, int msglen); int kernel_des(char *srcaddress, char *dstaddress, - u_int8_t *spi, u_int8_t *secret); + u_int8_t *spi, u_int8_t *secret, int tunnel); int kernel_md5(char *srcaddress, char *dstaddress, - u_int8_t *spi, u_int8_t *secret); + u_int8_t *spi, u_int8_t *secret, int tunnel); + int kernel_group_spi(char *address, u_int8_t *spi); -int kernel_enable_spi(char *isrc, char *ismask, char *idst, char *idmask, +int kernel_enable_spi(in_addr_t isrc, in_addr_t ismask, + in_addr_t idst, in_addr_t idmask, char *address, u_int8_t *spi, int proto, int flags); -int kernel_disable_spi(char *isrc, char *ismask, char *idst, char *idmask, +int kernel_disable_spi(in_addr_t isrc, in_addr_t ismask, + in_addr_t idst, in_addr_t idmask, char *address, u_int8_t *spi, int proto, int flags); int kernel_delete_spi(char *address, u_int8_t *spi, int proto); diff --git a/sbin/ipsec/photurisd/photuris.h b/sbin/ipsec/photurisd/photuris.h index 6e4f41e6344..223ad52bba4 100644 --- a/sbin/ipsec/photurisd/photuris.h +++ b/sbin/ipsec/photurisd/photuris.h @@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: photuris.h,v 1.1 1997/07/18 22:48:50 provos Exp $ */ +/* $Id: photuris.h,v 1.2 1997/07/23 12:28:52 provos Exp $ */ /* * photuris.h: * general header file @@ -63,6 +63,8 @@ EXTERN int exchange_timeout; EXTERN int exchange_lifetime; EXTERN int spi_lifetime; +EXTERN int daemon_mode; + /* Infos about our interfaces */ EXTERN char **addresses; EXTERN int *sockets; diff --git a/sbin/ipsec/photurisd/photurisd.1 b/sbin/ipsec/photurisd/photurisd.1 index a7a3bfe114c..a8760128b43 100644 --- a/sbin/ipsec/photurisd/photurisd.1 +++ b/sbin/ipsec/photurisd/photurisd.1 
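Review bot: kernel.h now uses `in_addr_t` in the kernel_enable_spi()/kernel_disable_spi() prototypes, but the hunk shows no `#include <netinet/in.h>` in the header, so whether it stays self-contained depends on what each includer pulled in first; the same applies to the new `in_addr_t isrc, ismask;` fields in spi.h. If the include is not already present above this hunk, add `#include <netinet/in.h>` before the prototypes in both headers.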
@@ -1,4 +1,4 @@ -.\" $OpenBSD: photurisd.1,v 1.4 1997/07/22 11:18:24 provos Exp $ +.\" $OpenBSD: photurisd.1,v 1.5 1997/07/23 12:28:53 provos Exp $ .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -67,7 +67,7 @@ on startup. .It Fl d The .Fl d -option specifies the directory in wich +option specifies the directory in which .Nm photurisd looks for its startup files. The default is .Pa /etc/photuris/ . diff --git a/sbin/ipsec/photurisd/photurisd.c b/sbin/ipsec/photurisd/photurisd.c index 744e2295f0b..3e19ec0c8b3 100644 --- a/sbin/ipsec/photurisd/photurisd.c +++ b/sbin/ipsec/photurisd/photurisd.c @@ -32,7 +32,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: photurisd.c,v 1.1 1997/07/18 22:48:50 provos Exp $"; +static char rcsid[] = "$Id: photurisd.c,v 1.2 1997/07/23 12:28:53 provos Exp $"; #endif #define _PHOTURIS_C_ @@ -113,6 +113,8 @@ void main(int argc, char **argv) int primes = 1, ignore = 0; char *dir = PHOTURIS_DIR; + daemon_mode = 0; + while ((ch = getopt(argc, argv, "fid:")) != -1) switch((char)ch) { case 'f': @@ -165,6 +167,7 @@ void main(int argc, char **argv) init_signals(); if (fork()) exit(0); + daemon_mode = 1; #endif server(); diff --git a/sbin/ipsec/photurisd/schedule.c b/sbin/ipsec/photurisd/schedule.c index 793be76a5af..8200cb5e5a7 100644 --- a/sbin/ipsec/photurisd/schedule.c +++ b/sbin/ipsec/photurisd/schedule.c @@ -35,7 +35,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: schedule.c,v 1.2 1997/07/22 11:18:24 provos Exp $"; +static char rcsid[] = "$Id: schedule.c,v 1.3 1997/07/23 12:28:54 provos Exp $"; #endif #define _SCHEDULE_C_ 
@@ -223,9 +223,18 @@ schedule_process(int sock) break; case TIMEOUT: st = state_find_cookies(NULL, tmp->cookie, NULL); - if (st == NULL || st->retries >= max_retries) { + if (st == NULL) { remove = 1; break; + } else if (st->retries >= max_retries) { + remove = 1; + if (st->phase == COOKIE_REQUEST) + log_error(0, "no anwser for cookie request to %s:%d", + st->address, st->port); + else + log_error(0, "exchange terminated, phase %d to %s:%d", + st->phase, st->address, st->port); + break; } st->retries++; @@ -321,7 +330,7 @@ schedule_process(int sock) break; } bcopy(st->icookie, nspi->icookie, COOKIE_SIZE); - nspi->owner = 1; + nspi->flags |= SPI_OWNER; nspi->attribsize = st->oSPIattribsize; nspi->attributes = calloc(nspi->attribsize, sizeof(u_int8_t)); if (nspi->attributes == NULL) { diff --git a/sbin/ipsec/photurisd/spi.c b/sbin/ipsec/photurisd/spi.c index b0dd9a1b088..e73d97ac12d 100644 --- a/sbin/ipsec/photurisd/spi.c +++ b/sbin/ipsec/photurisd/spi.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: spi.c,v 1.2 1997/07/19 12:07:56 provos Exp $"; +static char rcsid[] = "$Id: spi.c,v 1.3 1997/07/23 12:28:54 provos Exp $"; #endif #define _SPI_C_ @@ -64,7 +64,7 @@ time_t getspilifetime(struct stateob *st) { /* XXX - destination depend lifetimes */ - return spi_lifetime; + return st->spi_lifetime; } int @@ -169,6 +169,24 @@ make_spi(struct stateob *st, char *local_address, return 0; } +int +spi_set_tunnel(struct stateob *st, struct spiob *spi) +{ + if (st->flags & IPSEC_OPT_TUNNEL) { + spi->flags |= SPI_TUNNEL; + spi->isrc = st->isrc; + spi->ismask = st->ismask; + spi->idst = st->idst; + spi->idmask = st->idmask; + } else { + spi->isrc = inet_addr(spi->local_address); + spi->ismask = inet_addr("255.255.255.255"); + spi->idst = inet_addr(spi->address); + spi->idmask = inet_addr("255.255.255.255"); + } + return 1; +} + int spi_insert(struct spiob *ob) 
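Review bot: The new TIMEOUT branch in schedule_process() logs `"no anwser for cookie request to %s:%d"`; that string reaches syslog, so it should read `"no answer for cookie request to %s:%d"`. Both the `st == NULL` and the retry-exhausted branch set `remove = 1` and `break`, so a single `remove = 1;` ahead of the `if` with only the logging left inside the `else` would avoid the duplication. schedule_process() begins before this hunk and continues after it.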
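Review bot: spi_set_tunnel() builds the host masks with `inet_addr("255.255.255.255")`, which only works because INADDR_NONE happens to be all-ones; `htonl(INADDR_BROADCAST)` says what is meant and is not the error sentinel. The non-tunnel branch also passes spi->local_address and spi->address through inet_addr() without checking the result, so an unparsable address silently becomes a 255.255.255.255 selector endpoint; a check such as `if (spi->isrc == INADDR_NONE || spi->idst == INADDR_NONE) return -1;` would catch it, but the function currently always returns 1 and every caller added in this commit ignores the result, so those call sites would need to start checking it. A header comment would also help, e.g. `/* Fill in the flow selector (isrc/ismask/idst/idmask) and SPI_TUNNEL from the state; must run before spi_insert()/kernel_insert_spi() read those fields. */`.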
@@ -268,8 +286,8 @@ spi_find_attrib(char *address, u_int8_t *attrib, u_int16_t attribsize) /* * find the spi ob with matching address - * Alas this is tweaked, for owner = 1 compare with local_address - * and for owner = 0 compare with address. + * Alas this is tweaked, for SPI_OWNER compare with local_address + * and for user compare with address. */ struct spiob * @@ -277,7 +295,7 @@ spi_find(char *address, u_int8_t *spi) { struct spiob *tmp = spiob; while(tmp!=NULL) { - if ((address == NULL || (tmp->owner ? + if ((address == NULL || (tmp->flags & SPI_OWNER ? !strcmp(address, tmp->local_address) : !strcmp(address, tmp->address))) && !bcmp(spi, tmp->SPI, SPI_SIZE)) @@ -316,7 +334,8 @@ spi_expire(void) tm = time(NULL); while (tmp != NULL) { if (tmp->lifetime == -1 || - tmp->lifetime + (tmp->owner ? CLEANUP_TIMEOUT : 0) > tm) { + tmp->lifetime + (tmp->flags & SPI_OWNER ? + CLEANUP_TIMEOUT : 0) > tm) { tmp = tmp->next; continue; } @@ -324,7 +343,8 @@ spi_expire(void) { int i = BUFFER_SIZE; bin2hex(buffer, &i, tmp->SPI, 4); - printf("Expiring %s spi %s to %s\n", tmp->owner ? "Owner" : "User", + printf("Expiring %s spi %s to %s\n", + tmp->flags & SPI_OWNER ? "Owner" : "User", buffer, tmp->address); } #endif diff --git a/sbin/ipsec/photurisd/spi.h b/sbin/ipsec/photurisd/spi.h index ec456cacd20..1057c5ff739 100644 --- a/sbin/ipsec/photurisd/spi.h +++ b/sbin/ipsec/photurisd/spi.h @@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: spi.h,v 1.2 1997/07/19 12:07:58 provos Exp $ */ +/* $Id: spi.h,v 1.3 1997/07/23 12:28:55 provos Exp $ */ /* * spi.h: * security paramter index creation. 
@@ -48,12 +48,17 @@ #define SPI_LIFETIME 1800 /* 30 minutes default lifetime */ +#define SPI_OWNER 1 +#define SPI_NOTIFY 2 +#define SPI_TUNNEL 4 + struct spiob { struct spiob *next; /* Linked list */ char *address; char *local_address; - int owner; - int notify; /* Created due to kernel notify */ + in_addr_t isrc, ismask; + in_addr_t idst, idmask; + int flags; u_int8_t SPI[SPI_SIZE]; /* SPI */ u_int8_t icookie[COOKIE_SIZE]; /* Initator cookie */ u_int8_t *attributes; /* SPI attributes */ @@ -68,6 +73,7 @@ EXTERN int make_spi(struct stateob *st, char *local_address, u_int8_t *SPI, time_t *lifetime, u_int8_t **attributes, u_int16_t *attribsize); +EXTERN int spi_set_tunnel(struct stateob *st, struct spiob *spi); EXTERN int spi_insert(struct spiob *); EXTERN int spi_unlink(struct spiob *); EXTERN struct spiob *spi_new(char *, u_int8_t *); diff --git a/sbin/ipsec/photurisd/state.c b/sbin/ipsec/photurisd/state.c index 9349337c334..0d7a1f2d6be 100644 --- a/sbin/ipsec/photurisd/state.c +++ b/sbin/ipsec/photurisd/state.c @@ -99,6 +99,9 @@ state_new(void) mpz_init(p->modulus); mpz_init(p->generator); + p->exchange_lifetime = exchange_lifetime; + p->spi_lifetime = spi_lifetime; + return p; } diff --git a/sbin/ipsec/photurisd/state.h b/sbin/ipsec/photurisd/state.h index 61f6170537a..ddd59eaf0fe 100644 --- a/sbin/ipsec/photurisd/state.h +++ b/sbin/ipsec/photurisd/state.h @@ -27,7 +27,7 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* $Id: state.h,v 1.1 1997/07/18 22:48:49 provos Exp $ */ +/* $Id: state.h,v 1.2 1997/07/23 12:28:56 provos Exp $ */ /* * state.h: * state object @@ -119,6 +119,8 @@ struct stateob { u_int8_t *packet; /* Buffer for retransmits */ u_int16_t packetlen; time_t lifetime; /* Lifetime for the exchange */ + time_t exchange_lifetime; /* Use this as default */ + time_t spi_lifetime; /* Use this as default */ }; /* Prototypes */ 
diff --git a/sbin/ipsec/startkey/startkey.1 b/sbin/ipsec/startkey/startkey.1 index 27f0db728e8..689d2e2254d 100644 --- a/sbin/ipsec/startkey/startkey.1 +++ b/sbin/ipsec/startkey/startkey.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: startkey.1,v 1.1 1997/07/22 11:19:22 provos Exp $ +.\" $OpenBSD: startkey.1,v 1.2 1997/07/23 12:28:57 provos Exp $ .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -50,7 +50,7 @@ daemon and initalize a key exchange. The flags are: .It Fl d The .Fl d -option specifies the directory in wich +option specifies the directory in which .Nm photurisd looks for its startup files. The default is .Pa /etc/photuris/ . |