authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-02-24 04:00:00 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-02-24 04:00:00 +0000
commit5935d29a2f96630b8e2b1796f8392067115fd0f0 (patch)
treebcd13f8452f78f08f6ca99bc9c13d0597cd9bc9f
parent45d74a5c03e81c13cba27fb734334558336c8ea4 (diff)
For the GETSPI PFKEY message, use the sequence number from the ACQUIRE
message.
-rw-r--r--sbin/isakmpd/exchange.c6
-rw-r--r--sbin/isakmpd/exchange.h5
-rw-r--r--sbin/isakmpd/ipsec.c5
-rw-r--r--sbin/isakmpd/pf_key_v2.c23
-rw-r--r--sbin/isakmpd/pf_key_v2.h4
-rw-r--r--sbin/isakmpd/sysdep.h4
-rw-r--r--sbin/isakmpd/sysdep/freebsd/sysdep.c7
-rw-r--r--sbin/isakmpd/sysdep/linux/klips.c4
-rw-r--r--sbin/isakmpd/sysdep/linux/klips.h4
-rw-r--r--sbin/isakmpd/sysdep/linux/sysdep.c7
-rw-r--r--sbin/isakmpd/sysdep/netbsd/sysdep.c7
-rw-r--r--sbin/isakmpd/sysdep/openbsd-encap/sysdep.c7
-rw-r--r--sbin/isakmpd/sysdep/openbsd/sysdep.c7
13 files changed, 55 insertions, 35 deletions
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index ec497c51010..2f373bcf1a3 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.40 2001/01/27 12:03:32 niklas Exp $ */
+/* $OpenBSD: exchange.c,v 1.41 2001/02/24 03:59:54 angelos Exp $ */
/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
/*
@@ -838,6 +838,7 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
int i;
char *tag, *str;
u_int32_t doi = ISAKMP_DOI_ISAKMP;
+ u_int32_t seq = 0;
if (isakmp_sa)
doi = isakmp_sa->doi->id;
@@ -853,6 +854,8 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
return;
}
+ seq = (u_int32_t) conf_get_num (name, "Acquire-ID", 0);
+
/* Figure out the DOI. */
str = conf_get_str (tag, "DOI");
if (!str || strcasecmp (str, "IPSEC") == 0)
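Review bot: The cast in `seq = (u_int32_t) conf_get_num (name, "Acquire-ID", 0);` only round-trips the kernel sequence number if conf_get_num returns a type at least 32 bits wide and unsigned-clean; pf_key_v2_acquire writes the value with `%u`, so if conf_get_num parses into a plain int (its definition is not visible here) a sadb_msg_seq at or above 2^31 would come back negative or clamped and the later GETSPI would no longer correlate with the ACQUIRE. I would confirm the return type and leave a comment such as `/* Acquire-ID is the kernel ACQUIRE seq, written as %u; 0 means not kernel-initiated. */`. Whether `name` can be NULL at this point depends on code above the hunk; the `name ? conf_get_str (name, "Configuration") : 0` guard further down the function suggests it can, so this lookup should sit inside the same `if (name)` block. exchange_establish_p2 starts before this hunk.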
@@ -906,6 +909,7 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
exchange->policy = name ? conf_get_str (name, "Configuration") : 0;
exchange->finalize = finalize;
exchange->finalize_arg = arg;
+ exchange->seq = seq;
memcpy (exchange->cookies, isakmp_sa->cookies, ISAKMP_HDR_COOKIES_LEN);
getrandom (exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
diff --git a/sbin/isakmpd/exchange.h b/sbin/isakmpd/exchange.h
index 1648518f52e..a4b8905a301 100644
--- a/sbin/isakmpd/exchange.h
+++ b/sbin/isakmpd/exchange.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.h,v 1.17 2001/01/27 12:03:32 niklas Exp $ */
+/* $OpenBSD: exchange.h,v 1.18 2001/02/24 03:59:55 angelos Exp $ */
/* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */
/*
@@ -162,6 +162,9 @@ struct exchange {
void *recv_cert;
void *recv_key;
+ /* ACQUIRE sequence number */
+ u_int32_t seq;
+
/* XXX This is no longer necessary, it is covered by policy. */
/* Acceptable authorities for cert requests */
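Review bot: The new field comment `/* ACQUIRE sequence number */` does not say where the value comes from or who consumes it, which matters because it is the only link between a kernel ACQUIRE and the GETSPI reply. From the rest of this commit it is set from the "Acquire-ID" conf entry in exchange_establish_p2 (defaulting to 0) and echoed as sadb_msg_seq in pf_key_v2_get_spi, so I would write `/* Sequence number of the kernel ACQUIRE (PF_KEYv2 sadb_msg_seq) that started this phase-2 exchange; 0 when not kernel-initiated. Echoed in GETSPI so the kernel can match the SA to its ACQUIRE. */`. struct exchange continues outside the hunk.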
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 9d6ae446da7..66f45762a71 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.38 2001/01/27 12:03:33 niklas Exp $ */
+/* $OpenBSD: ipsec.c,v 1.39 2001/02/24 03:59:55 angelos Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -1378,7 +1378,8 @@ ipsec_get_spi (size_t *sz, u_int8_t proto, struct message *msg)
transport->vtbl->get_src (transport, &dst, &dstlen);
/* The peer is the source. */
transport->vtbl->get_dst (transport, &src, &srclen);
- return sysdep_ipsec_get_spi (sz, proto, src, srclen, dst, dstlen);
+ return sysdep_ipsec_get_spi (sz, proto, src, srclen, dst, dstlen,
+ msg->exchange->seq);
}
}
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index ae64751318d..bd5f9286b45 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.45 2001/01/27 12:03:34 niklas Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.46 2001/02/24 03:59:55 angelos Exp $ */
/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
/*
@@ -587,7 +587,8 @@ pf_key_v2_open ()
*/
u_int8_t *
pf_key_v2_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
{
struct sadb_msg msg;
struct sadb_sa *sa;
@@ -614,11 +615,9 @@ pf_key_v2_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
log_print ("pf_key_v2_get_spi: invalid proto %d", proto);
goto cleanup;
}
- /*
- * XXX When we have acquires working, the sequence number has to be set
- * from the acquire message.
- */
- msg.sadb_msg_seq = 0;
+
+ /* Set the sequence number from the ACQUIRE message */
+ msg.sadb_msg_seq = seq;
getspi = pf_key_v2_msg_new (&msg, 0);
if (!getspi)
goto cleanup;
@@ -2057,7 +2056,6 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
u_int8_t tproto = 0;
char tmbuf[sizeof sport * 3 + 1];
-
msg = (struct sadb_msg *)TAILQ_FIRST (pmsg)->seg;
ext = pf_key_v2_find_ext (pmsg, SADB_EXT_ADDRESS_DST);
@@ -2505,6 +2503,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
* - Phase
* - ISAKMP-peer
* - Local-ID/Remote-ID (if provided)
+ * - Acquire-ID (sequence number of kernel message, e.g., PF_KEYv2)
*
* Also set the following section:
* [Peer-dstaddr(/srcaddr)(-srcid)(/dstid)]
@@ -2549,6 +2548,14 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
goto fail;
}
+ /* Set the sequence number */
+ sprintf (lname, "%u", msg->sadb_msg_seq);
+ if (conf_set (af, conn, "Acquire-ID", lname, 0, 0))
+ {
+ conf_end (af, 0);
+ goto fail;
+ }
+
/* Set Phase 2 IDs -- this is the Local-ID section */
sprintf (lname, "Phase2-ID:%s/%s/%d/%d", ssflow, ssmask, tproto, sport);
if (conf_set (af, conn, "Local-ID", lname, 0, 0))
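Review bot: `conf_set (af, conn, "Acquire-ID", lname, 0, 0)` is called with what looks like override disabled, so if the connection section `conn` already exists from an earlier ACQUIRE for the same flow, the stale sequence number may be kept (or conf_set may fail and abort the whole ACQUIRE) and the GETSPI sent later would carry the wrong seq; I cannot see conf_set's semantics from here, so please confirm which of the two happens and whether the second ACQUIRE should override. The `sprintf (lname, "%u", msg->sadb_msg_seq)` fits in 11 bytes for any u_int32_t, which the larger Phase2-ID formatting below implies lname can hold, but if lname is an array `snprintf (lname, sizeof lname, "%u", msg->sadb_msg_seq)` would make that explicit. pf_key_v2_acquire starts and ends outside this hunk.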
diff --git a/sbin/isakmpd/pf_key_v2.h b/sbin/isakmpd/pf_key_v2.h
index 2c578997ed9..d422c3bbb3d 100644
--- a/sbin/isakmpd/pf_key_v2.h
+++ b/sbin/isakmpd/pf_key_v2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.h,v 1.4 2000/12/12 01:46:17 niklas Exp $ */
+/* $OpenBSD: pf_key_v2.h,v 1.5 2001/02/24 03:59:56 angelos Exp $ */
/* $EOM: pf_key_v2.h,v 1.4 2000/12/04 04:46:35 angelos Exp $ */
/*
@@ -50,7 +50,7 @@ extern int pf_key_v2_enable_sa (struct sa *, struct sa *);
extern int pf_key_v2_enable_spi (in_addr_t, in_addr_t, in_addr_t, in_addr_t,
u_int8_t *, u_int8_t, in_addr_t);
extern u_int8_t *pf_key_v2_get_spi (size_t *, u_int8_t, struct sockaddr *, int,
- struct sockaddr *, int);
+ struct sockaddr *, int, u_int32_t);
extern int pf_key_v2_group_spis (struct sa *, struct proto *, struct proto *,
int);
extern void pf_key_v2_handler (int);
diff --git a/sbin/isakmpd/sysdep.h b/sbin/isakmpd/sysdep.h
index d3c193db13b..8ca48cf2d7b 100644
--- a/sbin/isakmpd/sysdep.h
+++ b/sbin/isakmpd/sysdep.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.h,v 1.8 2000/12/12 01:46:17 niklas Exp $ */
+/* $OpenBSD: sysdep.h,v 1.9 2001/02/24 03:59:56 angelos Exp $ */
/* $EOM: sysdep.h,v 1.17 2000/12/04 04:46:35 angelos Exp $ */
/*
@@ -52,7 +52,7 @@ extern void sysdep_connection_check (char *);
extern int sysdep_ipsec_delete_spi (struct sa *, struct proto *, int);
extern int sysdep_ipsec_enable_sa (struct sa *, struct sa *);
extern u_int8_t *sysdep_ipsec_get_spi (size_t *, u_int8_t, struct sockaddr *,
- int, struct sockaddr *, int);
+ int, struct sockaddr *, int, u_int32_t);
extern int sysdep_ipsec_group_spis (struct sa *, struct proto *,
struct proto *, int);
extern int sysdep_ipsec_set_spi (struct sa *, struct proto *, int);
diff --git a/sbin/isakmpd/sysdep/freebsd/sysdep.c b/sbin/isakmpd/sysdep/freebsd/sysdep.c
index 3fb87a2878b..afdedde44a3 100644
--- a/sbin/isakmpd/sysdep/freebsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/freebsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.2 2001/01/28 22:38:48 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.3 2001/02/24 03:59:56 angelos Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -115,7 +115,8 @@ sysdep_connection_check (char *name)
*/
u_int8_t *
sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
{
if (app_none)
{
@@ -123,7 +124,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* XXX should be random instead I think. */
return strdup ("\x12\x34\x56\x78");
}
- return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+ return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq);
}
/* Force communication on socket FD to go in the clear. */
diff --git a/sbin/isakmpd/sysdep/linux/klips.c b/sbin/isakmpd/sysdep/linux/klips.c
index 698bc8bebbd..4b90baccfb5 100644
--- a/sbin/isakmpd/sysdep/linux/klips.c
+++ b/sbin/isakmpd/sysdep/linux/klips.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: klips.c,v 1.2 2001/01/28 22:38:48 niklas Exp $ */
+/* $OpenBSD: klips.c,v 1.3 2001/02/24 03:59:57 angelos Exp $ */
/*
* Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
@@ -136,7 +136,7 @@ klips_write (struct encap_msghdr *em)
*/
u_int8_t *
klips_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, int srclen,
- struct sockaddr *dst, int dstlen)
+ struct sockaddr *dst, int dstlen, u_int32_t seq)
{
u_int8_t *spi;
u_int32_t spinum;
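Review bot: The new `seq` parameter of klips_get_spi is not referenced in the visible lines, and KLIPS appears to have no ACQUIRE/GETSPI correlation for it to feed, so a reader will wonder whether the plumbing was left unfinished. If it is intentionally unused, say so at the top of the body, e.g. `/* seq (kernel ACQUIRE sequence number) is unused: KLIPS has no GETSPI message to echo it in. */`; if KLIPS does carry an equivalent field, it should be set here. The function body continues past the end of this hunk, so I cannot tell which applies.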
diff --git a/sbin/isakmpd/sysdep/linux/klips.h b/sbin/isakmpd/sysdep/linux/klips.h
index 058d1a4f63a..80536fd95cd 100644
--- a/sbin/isakmpd/sysdep/linux/klips.h
+++ b/sbin/isakmpd/sysdep/linux/klips.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: klips.h,v 1.2 2001/01/28 22:38:48 niklas Exp $ */
+/* $OpenBSD: klips.h,v 1.3 2001/02/24 03:59:57 angelos Exp $ */
/*
* Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
@@ -47,7 +47,7 @@ extern void klips_connection_check (char *);
extern int klips_delete_spi (struct sa *, struct proto *, int);
extern int klips_enable_sa (struct sa *, struct sa *);
extern u_int8_t *klips_get_spi (size_t *, u_int8_t, struct sockaddr *, int,
- struct sockaddr *, int);
+ struct sockaddr *, int, u_int32_t);
extern int klips_group_spis (struct sa *, struct proto *, struct proto *,
int);
extern int klips_open (void);
diff --git a/sbin/isakmpd/sysdep/linux/sysdep.c b/sbin/isakmpd/sysdep/linux/sysdep.c
index 0aac833d598..12d77aff0ff 100644
--- a/sbin/isakmpd/sysdep/linux/sysdep.c
+++ b/sbin/isakmpd/sysdep/linux/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.4 2001/01/28 22:38:49 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.5 2001/02/24 03:59:57 angelos Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -120,7 +120,8 @@ sysdep_connection_check (char *name)
*/
u_int8_t *
sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
{
if (app_none)
{
@@ -129,7 +130,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
return strdup ("\x12\x34\x56\x78");
}
- return klips_get_spi (sz, proto, src, srclen, dst, dstlen);
+ return klips_get_spi (sz, proto, src, srclen, dst, dstlen, seq);
}
int
diff --git a/sbin/isakmpd/sysdep/netbsd/sysdep.c b/sbin/isakmpd/sysdep/netbsd/sysdep.c
index c45bc8ae599..046d68011bf 100644
--- a/sbin/isakmpd/sysdep/netbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/netbsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.2 2001/01/28 22:38:49 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.3 2001/02/24 03:59:58 angelos Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -109,7 +109,8 @@ sysdep_connection_check (char *name)
*/
u_int8_t *
sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
{
if (app_none)
{
@@ -117,7 +118,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* XXX should be random instead I think. */
return strdup ("\x12\x34\x56\x78");
}
- return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+ return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq);
}
/* Force communication on socket FD to go in the clear. */
diff --git a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
index 5b3ac088c8a..367c5ed10da 100644
--- a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.2 2001/01/28 22:38:49 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.3 2001/02/24 03:59:59 angelos Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -118,7 +118,8 @@ sysdep_connection_check (char *name)
*/
u_int8_t *
sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
{
if (app_none)
{
@@ -126,7 +127,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* XXX should be random instead I think. */
return strdup ("\x12\x34\x56\x78");
}
- return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+ return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq);
}
/* Force communication on socket FD to go in the clear. */
diff --git a/sbin/isakmpd/sysdep/openbsd/sysdep.c b/sbin/isakmpd/sysdep/openbsd/sysdep.c
index f50055707db..22fbe0f3eb1 100644
--- a/sbin/isakmpd/sysdep/openbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.7 2000/12/12 01:46:17 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.8 2001/02/24 03:59:58 angelos Exp $ */
/* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */
/*
@@ -119,7 +119,8 @@ sysdep_connection_check (char *name)
*/
u_int8_t *
sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
{
if (app_none)
{
@@ -127,7 +128,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* XXX should be random instead I think. */
return strdup ("\x12\x34\x56\x78");
}
- return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+ return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq);
}
/* Force communication on socket FD to go in the clear. */