diff options
author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-11-01 03:10:03 +0000 |
---|---|---|
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-11-01 03:10:03 +0000 |
commit | 037e3c4e84775802702128873f541a1042e02edc (patch) | |
tree | 5ec77c61b93ac97816ad7fd92d94b4d99e11ad55 | |
parent | 0a250b06d9f17515ba375278425e54f7591327eb (diff) |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
-rw-r--r-- | sbin/ipsecctl/ike.c | 116 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 16 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 18 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 17 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 134 |
5 files changed, 185 insertions, 116 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c index e8144515525..df5bf79f86f 100644 --- a/sbin/ipsecctl/ike.c +++ b/sbin/ipsecctl/ike.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike.c,v 1.50 2006/09/18 13:45:45 hshoexer Exp $ */ +/* $OpenBSD: ike.c,v 1.51 2006/11/01 03:10:02 mcbride Exp $ */ /* * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -40,12 +40,12 @@ static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *, static int ike_get_id_type(char *); static void ike_section_ipsec(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *); -static int ike_section_qm(struct ipsec_addr_wrap *, struct +static int ike_section_p1(struct ipsec_addr_wrap *, struct + ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t); +static int ike_section_p2(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, u_int8_t, u_int8_t, struct - ipsec_transforms *, FILE *); -static int ike_section_mm(struct ipsec_addr_wrap *, struct - ipsec_transforms *, FILE *, struct ike_auth *); -static void ike_section_qmids(u_int8_t, struct ipsec_addr_wrap *, + ipsec_transforms *, FILE *, u_int8_t); +static void ike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *); static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *); @@ -75,12 +75,12 @@ ike_section_general(struct ipsec_rule *r, FILE *fd) fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); } - if (r->mmlife && r->mmlife->lifetime != -1) + if (r->p1life && r->p1life->lifetime != -1) fprintf(fd, SET "[General]:Default-phase-1-lifetime=%d force\n", - r->mmlife->lifetime); - if (r->qmlife && r->qmlife->lifetime != -1) + r->p1life->lifetime); + if (r->p2life && r->p2life->lifetime != -1) fprintf(fd, SET "[General]:Default-phase-2-lifetime=%d force\n", - r->qmlife->lifetime); + r->p2life->lifetime); } static void @@ -196,12 +196,27 @@ ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, } static int -ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, - u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd) +ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, + u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, + u_int8_t ike_exch) { - fprintf(fd, SET "[qm-%s-%s]:EXCHANGE_TYPE=QUICK_MODE force\n", - src->name, dst->name); - fprintf(fd, SET "[qm-%s-%s]:Suites=QM-", src->name, dst->name); + char *tag, *exchange_type, *sprefix; + + switch (ike_exch) { + case IKE_QM: + tag = "qm"; + exchange_type = "QUICK_MODE"; + sprefix = "QM"; + break; + default: + warnx("illegal phase 2 ike mode %d", ike_exch); + return (-1); + } + + fprintf(fd, SET "[%s-%s-%s]:EXCHANGE_TYPE=%s force\n", + tag, src->name, dst->name, exchange_type); + fprintf(fd, SET "[%s-%s-%s]:Suites=%s-", tag, src->name, + dst->name, sprefix); switch (satype) { case IPSEC_ESP: @@ -328,24 +343,41 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, } static int -ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs, - FILE *fd, struct ike_auth *auth) +ike_section_p1(struct ipsec_addr_wrap *peer, struct ipsec_transforms *p1xfs, + FILE *fd, struct ike_auth *auth, u_int8_t ike_exch) { + char *tag, *exchange_type; + + switch (ike_exch) { + case IKE_MM: + tag = "mm"; + exchange_type = "ID_PROT"; + break; + case IKE_AM: + tag = "am"; + exchange_type = "AGGRESSIVE"; + break; + default: + warnx("illegal phase 2 ike mode %d", ike_exch); + return (-1); + } + if (peer) { - fprintf(fd, SET "[peer-%s]:Configuration=mm-%s force\n", - peer->name, peer->name); - fprintf(fd, SET "[mm-%s]:EXCHANGE_TYPE=ID_PROT force\n", - peer->name); - fprintf(fd, ADD "[mm-%s]:Transforms=", peer->name); + fprintf(fd, SET "[peer-%s]:Configuration=%s-%s force\n", + peer->name, tag, peer->name); + fprintf(fd, SET "[%s-%s]:EXCHANGE_TYPE=%s force\n", + tag, peer->name, exchange_type); + fprintf(fd, ADD "[%s-%s]:Transforms=", tag, peer->name); } else { fprintf(fd, SET - "[peer-default]:Configuration=mm-default force\n"); - fprintf(fd, SET "[mm-default]:EXCHANGE_TYPE=ID_PROT force\n"); - fprintf(fd, ADD "[mm-default]:Transforms="); + "[peer-default]:Configuration=%s-default force\n", tag); + fprintf(fd, SET "[%s-default]:EXCHANGE_TYPE=%s force\n", + tag, exchange_type); + fprintf(fd, ADD "[%s-default]:Transforms=", tag); } - if (mmxfs && mmxfs->encxf) { - switch (mmxfs->encxf->id) { + if (p1xfs && p1xfs->encxf) { + switch (p1xfs->encxf->id) { case ENCXF_3DES_CBC: fprintf(fd, "3DES"); break; @@ -362,15 +394,15 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs, fprintf(fd, "CAST"); break; default: - warnx("illegal transform %s", mmxfs->encxf->name); + warnx("illegal transform %s", p1xfs->encxf->name); return (-1); } } else fprintf(fd, "AES"); fprintf(fd, "-"); - if (mmxfs && mmxfs->authxf) { - switch (mmxfs->authxf->id) { + if (p1xfs && p1xfs->authxf) { + switch (p1xfs->authxf->id) { case AUTHXF_HMAC_MD5: fprintf(fd, "MD5"); break; @@ -387,14 +419,14 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs, fprintf(fd, "SHA2-512"); break; default: - warnx("illegal transform %s", mmxfs->authxf->name); + warnx("illegal transform %s", p1xfs->authxf->name); return (-1); } } else fprintf(fd, "SHA"); - if (mmxfs && mmxfs->groupxf) { - switch (mmxfs->groupxf->id) { + if (p1xfs && p1xfs->groupxf) { + switch (p1xfs->groupxf->id) { case GROUPXF_768: fprintf(fd, "-GRP1"); break; @@ -420,7 +452,7 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs, fprintf(fd, "-GRP18"); break; default: - warnx("illegal group %s", mmxfs->groupxf->name); + warnx("illegal group %s", p1xfs->groupxf->name); return (-1); }; } @@ -433,7 +465,7 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs, } static void -ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src, +ike_section_p2ids(u_int8_t proto, struct ipsec_addr_wrap *src, u_int16_t sport, struct ipsec_addr_wrap *dst, u_int16_t dport, FILE *fd) { char mask[NI_MAXHOST], *network, *p; @@ -463,7 +495,7 @@ ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src, errx(1, "could not get a numeric mask"); if ((network = strdup(src->name)) == NULL) - err(1, "ike_section_qmids: strdup"); + err(1, "ike_section_p2ids: strdup"); if ((p = strrchr(network, '/')) != NULL) *p = '\0'; @@ -503,7 +535,7 @@ ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src, errx(1, "could not get a numeric mask"); if ((network = strdup(dst->name)) == NULL) - err(1, "ike_section_qmids: strdup"); + err(1, "ike_section_p2ids: strdup"); if ((p = strrchr(network, '/')) != NULL) *p = '\0'; @@ -557,14 +589,15 @@ ike_gen_config(struct ipsec_rule *r, FILE *fd) { ike_section_general(r, fd); ike_section_peer(r->peer, r->local, fd, r->ikeauth); - if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1) + if (ike_section_p1(r->peer, r->p1xfs, + fd, r->ikeauth, r->p1ie) == -1) return (-1); ike_section_ids(r->peer, r->auth, fd, r->ikemode); ike_section_ipsec(r->src, r->dst, r->peer, fd); - if (ike_section_qm(r->src, r->dst, r->satype, r->tmode, r->qmxfs, fd) - == -1) + if (ike_section_p2(r->src, r->dst, r->satype, r->tmode, r->p2xfs, + fd, r->p2ie) == -1) return (-1); - ike_section_qmids(r->proto, r->src, r->sport, r->dst, r->dport, fd); + ike_section_p2ids(r->proto, r->src, r->sport, r->dst, r->dport, fd); if (ike_connect(r->ikemode, r->src, r->dst, fd) == -1) return (-1); @@ -591,6 +624,7 @@ ike_delete_config(struct ipsec_rule *r, FILE *fd) if (r->peer) { fprintf(fd, DELETE "[peer-%s]\n", r->peer->name); fprintf(fd, DELETE "[mm-%s]\n", r->peer->name); + fprintf(fd, DELETE "[am-%s]\n", r->peer->name); } if (r->auth) { if (r->auth->srcid) diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index f7b81c72d4e..845b5f226d9 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.102 2006/10/19 08:41:18 jmc Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.103 2006/11/01 03:10:02 mcbride Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -274,12 +274,17 @@ is identical to .Ar remote , this option is generally not needed. .It Xo -.Ic main auth Ar algorithm +.Ar mode auth Ar algorithm .Ic enc Ar algorithm .Ic group Ar group .Xc -These parameters define the cryptographic transforms to be used for -main mode. +These parameters define the mode and cryptographic transforms to be +used for the phase 1 negotiation. +The mode can be either +.Ar main , +which specifies main mode, or +.Ar aggressive , +which specifies aggressive mode. Possible values for .Ic auth , .Ic enc , @@ -291,6 +296,7 @@ are described below in If omitted, .Xr ipsecctl 8 will use the default values +.Ar main , .Ar hmac-sha1 , .Ar aes , and @@ -301,7 +307,7 @@ and .Ic group Ar group .Xc These parameters define the cryptographic transforms to be used for -quick mode. +the phase 2 negotiation. Possible values for .Ic auth , .Ic enc , diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c index db681e09b7e..a4139b4f115 100644 --- a/sbin/ipsecctl/ipsecctl.c +++ b/sbin/ipsecctl/ipsecctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.c,v 1.60 2006/09/19 21:29:47 markus Exp $ */ +/* $OpenBSD: ipsecctl.c,v 1.61 2006/11/01 03:10:02 mcbride Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -242,14 +242,14 @@ ipsecctl_free_rule(struct ipsec_rule *rp) } if (rp->xfs) free(rp->xfs); - if (rp->mmxfs) - free(rp->mmxfs); - if (rp->qmxfs) - free(rp->qmxfs); - if (rp->mmlife) - free(rp->mmlife); - if (rp->qmlife) - free(rp->qmlife); + if (rp->p1xfs) + free(rp->p1xfs); + if (rp->p2xfs) + free(rp->p2xfs); + if (rp->p1life) + free(rp->p1life); + if (rp->p2life) + free(rp->p2life); if (rp->authkey) { free(rp->authkey->data); free(rp->authkey); diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h index 3020155f241..27e84bd5850 100644 --- a/sbin/ipsecctl/ipsecctl.h +++ b/sbin/ipsecctl/ipsecctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.h,v 1.49 2006/06/18 18:18:01 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.h,v 1.50 2006/11/01 03:10:02 mcbride Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -77,6 +77,10 @@ enum { enum { IKE_AUTH_RSA, IKE_AUTH_PSK }; +enum { + IKE_MM=0, IKE_AM, IKE_QM +}; + struct ipsec_addr { union { @@ -149,6 +153,7 @@ struct ipsec_life { struct ike_mode { struct ipsec_transforms *xfs; struct ipsec_life *life; + u_int8_t ike_exch; }; extern const struct ipsec_xf authxfs[]; @@ -169,10 +174,10 @@ struct ipsec_rule { struct ipsec_auth *auth; struct ike_auth *ikeauth; struct ipsec_transforms *xfs; - struct ipsec_transforms *mmxfs; - struct ipsec_life *mmlife; - struct ipsec_transforms *qmxfs; - struct ipsec_life *qmlife; + struct ipsec_transforms *p1xfs; + struct ipsec_life *p1life; + struct ipsec_transforms *p2xfs; + struct ipsec_life *p2life; struct ipsec_key *authkey; struct ipsec_key *enckey; @@ -183,6 +188,8 @@ struct ipsec_rule { u_int8_t direction; u_int8_t flowtype; u_int8_t ikemode; + u_int8_t p1ie; + u_int8_t p2ie; u_int16_t sport; u_int16_t dport; u_int32_t spi; diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index 4734ecfe2f3..6decbd72b09 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.109 2006/09/22 10:22:49 hshoexer Exp $ */ +/* $OpenBSD: parse.y,v 1.110 2006/11/01 03:10:02 mcbride Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -219,8 +219,7 @@ typedef struct { } keys; struct ipsec_transforms *transforms; struct ipsec_life *life; - struct ike_mode *mainmode; - struct ike_mode *quickmode; + struct ike_mode *mode; } v; int lineno; } YYSTYPE; @@ -228,8 +227,8 @@ typedef struct { %} %token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI -%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE -%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFE +%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK AGGRESSIVE +%token PASSIVE ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFE %token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ GROUP PORT %token <v.string> STRING %type <v.string> string @@ -254,8 +253,7 @@ typedef struct { %type <v.ikeauth> ikeauth %type <v.type> type %type <v.life> life -%type <v.mainmode> mainmode -%type <v.quickmode> quickmode +%type <v.mode> phase1mode phase2mode %% grammar : /* empty */ @@ -332,8 +330,8 @@ flowrule : FLOW satype dir proto hosts peers ids type { } ; -ikerule : IKE ikemode satype tmode proto hosts peers mainmode quickmode - ids ikeauth { +ikerule : IKE ikemode satype tmode proto hosts peers + phase1mode phase2mode ids ikeauth { struct ipsec_rule *r; r = create_ike($5, &$6, &$7, $8, $9, $3, $4, $2, @@ -643,41 +641,55 @@ transform : AUTHXF STRING { } ; -mainmode : /* empty */ { - struct ike_mode *mm; +phase1mode : /* empty */ { + struct ike_mode *p1; - /* We create just an empty mode */ - if ((mm = calloc(1, sizeof(struct ike_mode))) == NULL) - err(1, "mainmode: calloc"); - $$ = mm; + /* We create just an empty main mode */ + if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) + err(1, "phase1mode: calloc"); + p1->ike_exch = IKE_MM; + $$ = p1; } | MAIN transforms life { - struct ike_mode *mm; + struct ike_mode *p1; - if ((mm = calloc(1, sizeof(struct ike_mode))) == NULL) - err(1, "mainmode: calloc"); - mm->xfs = $2; - mm->life = $3; - $$ = mm; + if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) + err(1, "phase1mode: calloc"); + p1->xfs = $2; + p1->life = $3; + p1->ike_exch = IKE_MM; + $$ = p1; + } + | AGGRESSIVE transforms life { + struct ike_mode *p1; + + if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) + err(1, "phase1mode: calloc"); + p1->xfs = $2; + p1->life = $3; + p1->ike_exch = IKE_AM; + $$ = p1; } ; -quickmode : /* empty */ { - struct ike_mode *qm; +phase2mode : /* empty */ { + struct ike_mode *p2; - /* We create just an empty mode */ - if ((qm = calloc(1, sizeof(struct ike_mode))) == NULL) - err(1, "quickmode: calloc"); - $$ = qm; + /* We create just an empty quick mode */ + if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL) + err(1, "phase1mode: calloc"); + p2->ike_exch = IKE_QM; + $$ = p2; } | QUICK transforms life { - struct ike_mode *qm; + struct ike_mode *p2; - if ((qm = calloc(1, sizeof(struct ike_mode))) == NULL) - err(1, "quickmode: calloc"); - qm->xfs = $2; - qm->life = $3; - $$ = qm; + if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL) + err(1, "phase1mode: calloc"); + p2->xfs = $2; + p2->life = $3; + p2->ike_exch = IKE_QM; + $$ = p2; } ; @@ -831,6 +843,7 @@ lookup(char *s) static const struct keywords keywords[] = { { "acquire", ACQUIRE }, { "active", ACTIVE }, + { "aggressive", AGGRESSIVE }, { "ah", AH }, { "any", ANY }, { "auth", AUTHXF }, @@ -1814,13 +1827,15 @@ copyrule(struct ipsec_rule *rule) r->auth = copyipsecauth(rule->auth); r->ikeauth = copyikeauth(rule->ikeauth); r->xfs = copytransforms(rule->xfs); - r->mmxfs = copytransforms(rule->mmxfs); - r->qmxfs = copytransforms(rule->qmxfs); - r->mmlife = copylife(rule->mmlife); - r->qmlife = copylife(rule->qmlife); + r->p1xfs = copytransforms(rule->p1xfs); + r->p2xfs = copytransforms(rule->p2xfs); + r->p1life = copylife(rule->p1life); + r->p2life = copylife(rule->p2life); r->authkey = copykey(rule->authkey); r->enckey = copykey(rule->enckey); + r->p1ie = rule->p1ie; + r->p2ie = rule->p2ie; r->type = rule->type; r->satype = rule->satype; r->proto = rule->proto; @@ -2228,8 +2243,8 @@ reverse_rule(struct ipsec_rule *rule) struct ipsec_rule * create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers, - struct ike_mode *mainmode, struct ike_mode *quickmode, - u_int8_t satype, u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid, + struct ike_mode *phase1mode, struct ike_mode *phase2mode, u_int8_t satype, + u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid, struct ike_auth *authtype) { struct ipsec_rule *r; @@ -2253,17 +2268,17 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers, hosts->src = NULL; free(hosts->dst); hosts->dst = NULL; - if (mainmode) { - free(mainmode->xfs); - mainmode->xfs = NULL; - free(mainmode->life); - mainmode->life = NULL; - } - if (quickmode) { - free(quickmode->xfs); - quickmode->xfs = NULL; - free(quickmode->life); - quickmode->life = NULL; + if (phase1mode) { + free(phase1mode->xfs); + phase1mode->xfs = NULL; + free(phase1mode->life); + phase1mode->life = NULL; + } + if (phase2mode) { + free(phase2mode->xfs); + phase2mode->xfs = NULL; + free(phase2mode->life); + phase2mode->life = NULL; } if (srcid) free(srcid); @@ -2294,14 +2309,21 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers, r->satype = satype; r->tmode = tmode; r->ikemode = mode; - if (mainmode) { - r->mmxfs = mainmode->xfs; - r->mmlife = mainmode->life; + if (phase1mode) { + r->p1xfs = phase1mode->xfs; + r->p1life = phase1mode->life; + r->p1ie = phase1mode->ike_exch; + } else { + r->p1ie = IKE_MM; } - if (quickmode) { - r->qmxfs = quickmode->xfs; - r->qmlife = quickmode->life; + if (phase2mode) { + r->p2xfs = phase2mode->xfs; + r->p2life = phase2mode->life; + r->p2ie = phase2mode->ike_exch; + } else { + r->p2ie = IKE_QM; } + r->auth = calloc(1, sizeof(struct ipsec_auth)); if (r->auth == NULL) err(1, "create_ike: calloc"); |