authorMarkus Friedl <markus@cvs.openbsd.org>2007-03-16 20:51:02 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2007-03-16 20:51:02 +0000
commit0651608af8c3d57db9626a1bcc4bf9cdd16b7d9b (patch)
tree4769556c8622c436cb4b2e6e839a78fbd29c160f
parentc9cf3937b559200a434857f044c1ade90acda964 (diff)
move autodetection of the ID type to the parser. this way the
static flows have the correct ID, too. ok hshoexer, reyk
-rw-r--r--regress/sbin/ipsecctl/Makefile4
-rw-r--r--regress/sbin/ipsecctl/ike57.in3
-rw-r--r--regress/sbin/ipsecctl/ike57.ok78
-rw-r--r--sbin/ipsecctl/ike.c22
-rw-r--r--sbin/ipsecctl/ipsecctl.h5
-rw-r--r--sbin/ipsecctl/parse.y24
-rw-r--r--sbin/ipsecctl/pfkey.c6
7 files changed, 111 insertions, 31 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile
index f549374c4f3..fd13187819b 100644
--- a/regress/sbin/ipsecctl/Makefile
+++ b/regress/sbin/ipsecctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.47 2007/02/19 10:12:45 hshoexer Exp $
+# $OpenBSD: Makefile,v 1.48 2007/03/16 20:51:01 markus Exp $
# you can update the *.ok files with: make -i | patch
# TARGETS
@@ -19,7 +19,7 @@ IKEFAIL=1 3 4 5 6 7 8 9 10 11 12
IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKETESTS+=16 17 18 19 20 21 22 23
IKETESTS+=29 30 31 32 33 34 35 36 37 38 39 40
-IKETESTS+=41 42 43 46 47 48 49 50 51 52 53 54 55 56
+IKETESTS+=41 42 43 46 47 48 49 50 51 52 53 54 55 56 57
IKEDELTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
IKEDELTESTS+=16 17 18 19 20 21 22 23
diff --git a/regress/sbin/ipsecctl/ike57.in b/regress/sbin/ipsecctl/ike57.in
new file mode 100644
index 00000000000..1d947fb9981
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike57.in
@@ -0,0 +1,3 @@
+ike from 10.0.0.0/24 to 10.0.1.0/24 peer 192.168.0.1 srcid me@example.com dstid other.example.com
+ike from 10.0.0.0/24 to 10.0.2.0/24 peer 192.168.0.2 srcid me@example.com dstid other@example.com
+ike from 10.0.0.0/24 to 10.0.3.0/24 peer 192.168.0.3 srcid me.example.com dstid other@example.com
diff --git a/regress/sbin/ipsecctl/ike57.ok b/regress/sbin/ipsecctl/ike57.ok
new file mode 100644
index 00000000000..6f77ea5f6fa
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike57.ok
@@ -0,0 +1,78 @@
+C set [Phase 1]:192.168.0.1=peer-192.168.0.1 force
+C set [peer-192.168.0.1]:Phase=1 force
+C set [peer-192.168.0.1]:Address=192.168.0.1 force
+C set [peer-192.168.0.1]:Configuration=mm-192.168.0.1 force
+C set [mm-192.168.0.1]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-192.168.0.1]:Transforms=AES-SHA-RSA_SIG force
+C set [peer-192.168.0.1]:ID=me@example.com-ID force
+C set [me@example.com-ID]:ID-type=USER_FQDN force
+C set [me@example.com-ID]:Name=me@example.com force
+C set [peer-192.168.0.1]:Remote-ID=192.168.0.1-ID force
+C set [192.168.0.1-ID]:ID-type=FQDN force
+C set [192.168.0.1-ID]:Name=other.example.com force
+C set [IPsec-10.0.0.0/24-10.0.1.0/24]:Phase=2 force
+C set [IPsec-10.0.0.0/24-10.0.1.0/24]:ISAKMP-peer=peer-192.168.0.1 force
+C set [IPsec-10.0.0.0/24-10.0.1.0/24]:Configuration=qm-10.0.0.0/24-10.0.1.0/24 force
+C set [IPsec-10.0.0.0/24-10.0.1.0/24]:Local-ID=lid-10.0.0.0/24 force
+C set [IPsec-10.0.0.0/24-10.0.1.0/24]:Remote-ID=rid-10.0.1.0/24 force
+C set [qm-10.0.0.0/24-10.0.1.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.0.0.0/24-10.0.1.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [lid-10.0.0.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.0.0.0/24]:Network=10.0.0.0 force
+C set [lid-10.0.0.0/24]:Netmask=255.255.255.0 force
+C set [rid-10.0.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.0.1.0/24]:Network=10.0.1.0 force
+C set [rid-10.0.1.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.0.0.0/24-10.0.1.0/24
+C set [Phase 1]:192.168.0.2=peer-192.168.0.2 force
+C set [peer-192.168.0.2]:Phase=1 force
+C set [peer-192.168.0.2]:Address=192.168.0.2 force
+C set [peer-192.168.0.2]:Configuration=mm-192.168.0.2 force
+C set [mm-192.168.0.2]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-192.168.0.2]:Transforms=AES-SHA-RSA_SIG force
+C set [peer-192.168.0.2]:ID=me@example.com-ID force
+C set [me@example.com-ID]:ID-type=USER_FQDN force
+C set [me@example.com-ID]:Name=me@example.com force
+C set [peer-192.168.0.2]:Remote-ID=192.168.0.2-ID force
+C set [192.168.0.2-ID]:ID-type=USER_FQDN force
+C set [192.168.0.2-ID]:Name=other@example.com force
+C set [IPsec-10.0.0.0/24-10.0.2.0/24]:Phase=2 force
+C set [IPsec-10.0.0.0/24-10.0.2.0/24]:ISAKMP-peer=peer-192.168.0.2 force
+C set [IPsec-10.0.0.0/24-10.0.2.0/24]:Configuration=qm-10.0.0.0/24-10.0.2.0/24 force
+C set [IPsec-10.0.0.0/24-10.0.2.0/24]:Local-ID=lid-10.0.0.0/24 force
+C set [IPsec-10.0.0.0/24-10.0.2.0/24]:Remote-ID=rid-10.0.2.0/24 force
+C set [qm-10.0.0.0/24-10.0.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.0.0.0/24-10.0.2.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [lid-10.0.0.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.0.0.0/24]:Network=10.0.0.0 force
+C set [lid-10.0.0.0/24]:Netmask=255.255.255.0 force
+C set [rid-10.0.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.0.2.0/24]:Network=10.0.2.0 force
+C set [rid-10.0.2.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.0.0.0/24-10.0.2.0/24
+C set [Phase 1]:192.168.0.3=peer-192.168.0.3 force
+C set [peer-192.168.0.3]:Phase=1 force
+C set [peer-192.168.0.3]:Address=192.168.0.3 force
+C set [peer-192.168.0.3]:Configuration=mm-192.168.0.3 force
+C set [mm-192.168.0.3]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-192.168.0.3]:Transforms=AES-SHA-RSA_SIG force
+C set [peer-192.168.0.3]:ID=me.example.com-ID force
+C set [me.example.com-ID]:ID-type=FQDN force
+C set [me.example.com-ID]:Name=me.example.com force
+C set [peer-192.168.0.3]:Remote-ID=192.168.0.3-ID force
+C set [192.168.0.3-ID]:ID-type=USER_FQDN force
+C set [192.168.0.3-ID]:Name=other@example.com force
+C set [IPsec-10.0.0.0/24-10.0.3.0/24]:Phase=2 force
+C set [IPsec-10.0.0.0/24-10.0.3.0/24]:ISAKMP-peer=peer-192.168.0.3 force
+C set [IPsec-10.0.0.0/24-10.0.3.0/24]:Configuration=qm-10.0.0.0/24-10.0.3.0/24 force
+C set [IPsec-10.0.0.0/24-10.0.3.0/24]:Local-ID=lid-10.0.0.0/24 force
+C set [IPsec-10.0.0.0/24-10.0.3.0/24]:Remote-ID=rid-10.0.3.0/24 force
+C set [qm-10.0.0.0/24-10.0.3.0/24]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-10.0.0.0/24-10.0.3.0/24]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
+C set [lid-10.0.0.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [lid-10.0.0.0/24]:Network=10.0.0.0 force
+C set [lid-10.0.0.0/24]:Netmask=255.255.255.0 force
+C set [rid-10.0.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
+C set [rid-10.0.3.0/24]:Network=10.0.3.0 force
+C set [rid-10.0.3.0/24]:Netmask=255.255.255.0 force
+C add [Phase 2]:Connections=IPsec-10.0.0.0/24-10.0.3.0/24
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 0a7b579be63..bf0233c488c 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.60 2007/02/19 09:00:46 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.61 2007/03/16 20:51:01 markus Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -35,7 +35,6 @@
static void ike_section_general(struct ipsec_rule *, FILE *);
static void ike_section_peer(struct ipsec_rule *, FILE *);
static void ike_section_ids(struct ipsec_rule *, FILE *);
-static int ike_get_id_type(char *);
static void ike_section_ipsec(struct ipsec_rule *, FILE *);
static int ike_section_p1(struct ipsec_rule *, FILE *);
static int ike_section_p2(struct ipsec_rule *, FILE *);
@@ -121,8 +120,6 @@ ike_section_ids(struct ipsec_rule *r, FILE *fd)
err(1, "ike_section_ids: strdup");
}
if (r->auth->srcid) {
- int idtype = ike_get_id_type(r->auth->srcid);
-
if (r->peer)
fprintf(fd, SET "[peer-%s]:ID=%s-ID force\n",
r->peer->name, r->auth->srcid);
@@ -131,40 +128,29 @@ ike_section_ids(struct ipsec_rule *r, FILE *fd)
r->auth->srcid);
fprintf(fd, SET "[%s-ID]:ID-type=%s force\n", r->auth->srcid,
- ike_id_types[idtype]);
+ ike_id_types[r->auth->srcid_type]);
fprintf(fd, SET "[%s-ID]:Name=%s force\n", r->auth->srcid,
r->auth->srcid);
}
if (r->auth->dstid) {
- int idtype = ike_get_id_type(r->auth->dstid);
-
if (r->peer) {
fprintf(fd, SET "[peer-%s]:Remote-ID=%s-ID force\n",
r->peer->name, r->peer->name);
fprintf(fd, SET "[%s-ID]:ID-type=%s force\n",
- r->peer->name, ike_id_types[idtype]);
+ r->peer->name, ike_id_types[r->auth->dstid_type]);
fprintf(fd, SET "[%s-ID]:Name=%s force\n", r->peer->name,
r->auth->dstid);
} else {
fprintf(fd, SET
"[peer-default]:Remote-ID=default-ID force\n");
fprintf(fd, SET "[default-ID]:ID-type=%s force\n",
- ike_id_types[idtype]);
+ ike_id_types[r->auth->dstid_type]);
fprintf(fd, SET "[default-ID]:Name=%s force\n",
r->auth->dstid);
}
}
}
-static int
-ike_get_id_type(char *string)
-{
- if (strchr(string, '@'))
- return ID_UFQDN;
- else
- return ID_FQDN;
-}
-
static void
ike_section_ipsec(struct ipsec_rule *r, FILE *fd)
{
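Review bot: `ike_id_types[r->auth->srcid_type]` and `ike_id_types[r->auth->dstid_type]` now index the table with a value the parser stored, and nothing left in this file bounds-checks it; the removed `ike_get_id_type()` was the only place here that guaranteed the index was one of two known values. With `get_id_type()` in parse.y returning only `ID_FQDN` or `ID_UFQDN` that is safe today, but the invariant is now spread across two files, so it deserves a comment at the first use: `/* srcid_type/dstid_type are ID_FQDN or ID_UFQDN, set by get_id_type() in parse.y */`. Note that `ike_section_ids` starts before this hunk.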
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 789ba2f1bb1..50a19a1ae70 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.53 2007/01/03 12:17:43 markus Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.54 2007/03/16 20:51:01 markus Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -118,7 +118,8 @@ struct ipsec_hosts {
struct ipsec_auth {
char *srcid;
char *dstid;
- u_int8_t idtype;
+ u_int8_t srcid_type;
+ u_int8_t dstid_type;
u_int16_t type;
};
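Review bot: The two new fields carry no comment saying what domain of values they hold or who sets them, which matters because ike.c uses them as an array index and pfkey.c passes them straight to the kernel. A short note on each would do: `u_int8_t srcid_type; /* ID_FQDN or ID_UFQDN, derived from srcid by get_id_type() */` and likewise for `dstid_type`. The `struct ipsec_auth` definition is fully visible in the hunk.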
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 7b77a52aa2e..be9f4bcade3 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.121 2007/02/26 14:40:09 todd Exp $ */
+/* $OpenBSD: parse.y,v 1.122 2007/03/16 20:51:01 markus Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -181,6 +181,7 @@ struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *,
struct ike_mode *, u_int8_t, u_int8_t, u_int8_t,
char *, char *, struct ike_auth *, char *);
int add_sagroup(struct ipsec_rule *);
+int get_id_type(char *);
struct ipsec_transforms *ipsec_transforms;
@@ -1277,6 +1278,14 @@ parsekeyfile(char *filename)
return (parsekey(hex, sb.st_size));
}
+int
+get_id_type(char *string)
+{
+ if (string && strchr(string, '@'))
+ return (ID_UFQDN);
+ return (ID_FQDN);
+}
+
struct ipsec_addr_wrap *
host(const char *s)
{
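Review bot: `get_id_type()` classifies purely on the presence of an `@`, so every other string, including one that does not look like a host name at all, is reported as `ID_FQDN`; that is a heuristic rather than a validation and should say so, e.g. `/* Heuristic: "user@host" is a USER_FQDN, anything else (including NULL) is treated as an FQDN. */`. The NULL guard is a welcome difference from the removed `ike_get_id_type()`, since `create_flow()` calls it with ids that may be absent. The following `host()` definition is cut off by the hunk edge.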
@@ -1771,7 +1780,8 @@ copyipsecauth(const struct ipsec_auth *auth)
asprintf(&newauth->dstid, "%s", auth->dstid) == -1)
err(1, "asprintf");
- newauth->idtype = auth->idtype;
+ newauth->srcid_type = auth->srcid_type;
+ newauth->dstid_type = auth->dstid_type;
newauth->type = auth->type;
return (newauth);
@@ -2195,8 +2205,8 @@ create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts,
err(1, "create_flow: calloc");
r->auth->srcid = srcid;
r->auth->dstid = dstid;
- r->auth->idtype = ID_FQDN; /* XXX For now only FQDN. */
-
+ r->auth->srcid_type = get_id_type(srcid);
+ r->auth->dstid_type = get_id_type(dstid);
return r;
errout:
@@ -2342,7 +2352,8 @@ reverse_rule(struct ipsec_rule *rule)
if (rule->auth->srcid && (reverse->auth->srcid =
strdup(rule->auth->srcid)) == NULL)
err(1, "reverse_rule: strdup");
- reverse->auth->idtype = rule->auth->idtype;
+ reverse->auth->srcid_type = rule->auth->srcid_type;
+ reverse->auth->dstid_type = rule->auth->dstid_type;
reverse->auth->type = rule->auth->type;
}
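Review bot: The id types are copied from the original rule rather than recomputed from the strings the reversed rule actually carries, so if the srcid/dstid handling above this hunk (not visible here) ever swaps the two ids, `srcid_type`/`dstid_type` would silently go with the wrong string. Since the type is a pure function of the id, deriving it locally avoids that drift: `reverse->auth->srcid_type = get_id_type(reverse->auth->srcid);` and the same for `dstid_type`. `reverse_rule()` begins before this hunk, so I cannot confirm how dstid is handled there.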
@@ -2437,7 +2448,8 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
err(1, "create_ike: calloc");
r->auth->srcid = srcid;
r->auth->dstid = dstid;
- r->auth->idtype = ID_FQDN; /* XXX For now only FQDN. */
+ r->auth->srcid_type = get_id_type(srcid);
+ r->auth->dstid_type = get_id_type(dstid);
r->ikeauth = calloc(1, sizeof(struct ike_auth));
if (r->ikeauth == NULL)
err(1, "create_ike: calloc");
diff --git a/sbin/ipsecctl/pfkey.c b/sbin/ipsecctl/pfkey.c
index f3cd4f7efcb..bf5f6fd75bd 100644
--- a/sbin/ipsecctl/pfkey.c
+++ b/sbin/ipsecctl/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.47 2006/11/10 14:47:52 hshoexer Exp $ */
+/* $OpenBSD: pfkey.c,v 1.48 2007/03/16 20:51:01 markus Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2003, 2004 Markus Friedl <markus@openbsd.org>
@@ -255,7 +255,7 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
if (sa_srcid == NULL)
err(1, "pfkey_flow: calloc");
- sa_srcid->sadb_ident_type = auth->idtype;
+ sa_srcid->sadb_ident_type = auth->srcid_type;
sa_srcid->sadb_ident_len = len / 8;
sa_srcid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
@@ -269,7 +269,7 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, u_int8_t direction,
if (sa_dstid == NULL)
err(1, "pfkey_flow: calloc");
- sa_dstid->sadb_ident_type = auth->idtype;
+ sa_dstid->sadb_ident_type = auth->dstid_type;
sa_dstid->sadb_ident_len = len / 8;
sa_dstid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
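Review bot: `sa_dstid->sadb_ident_type = auth->dstid_type;` hands the parser's `ID_*` value to the kernel as an `sadb_ident_type`, which is only correct if `ID_FQDN`/`ID_UFQDN` are defined as the matching `SADB_IDENTTYPE_*` constants; their definitions are not in this diff, so I am inferring that. A one-line comment at the assignment would make the dependency visible to the next reader: `/* ID_* values are SADB_IDENTTYPE_* values, so no mapping is needed here */`, or a mapping function if that is not the case. The enclosing `pfkey_flow()` extends well beyond this hunk on both sides.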