author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-02-24 04:00:00 +0000 |
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-02-24 04:00:00 +0000 |
commit | 5935d29a2f96630b8e2b1796f8392067115fd0f0 (patch) | |
tree | bcd13f8452f78f08f6ca99bc9c13d0597cd9bc9f | |
parent | 45d74a5c03e81c13cba27fb734334558336c8ea4 (diff) |
For the GETSPI PFKEY message, use the sequence number from the ACQUIRE
message.
-rw-r--r-- | sbin/isakmpd/exchange.c | 6 | ||||
-rw-r--r-- | sbin/isakmpd/exchange.h | 5 | ||||
-rw-r--r-- | sbin/isakmpd/ipsec.c | 5 | ||||
-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 23 | ||||
-rw-r--r-- | sbin/isakmpd/pf_key_v2.h | 4 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep.h | 4 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/freebsd/sysdep.c | 7 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/linux/klips.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/linux/klips.h | 4 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/linux/sysdep.c | 7 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/netbsd/sysdep.c | 7 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/openbsd-encap/sysdep.c | 7 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/openbsd/sysdep.c | 7 |
13 files changed, 55 insertions, 35 deletions
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index ec497c51010..2f373bcf1a3 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.c,v 1.40 2001/01/27 12:03:32 niklas Exp $ */
+/* $OpenBSD: exchange.c,v 1.41 2001/02/24 03:59:54 angelos Exp $ */
 /* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
 
 /*
@@ -838,6 +838,7 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
 int i;
 char *tag, *str;
 u_int32_t doi = ISAKMP_DOI_ISAKMP;
+ u_int32_t seq = 0;
 
 if (isakmp_sa)
 doi = isakmp_sa->doi->id;
@@ -853,6 +854,8 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
 return;
 }
 
+ seq = (u_int32_t) conf_get_num (name, "Acquire-ID", 0);
+
 /* Figure out the DOI. */
 str = conf_get_str (tag, "DOI");
 if (!str || strcasecmp (str, "IPSEC") == 0)
@@ -906,6 +909,7 @@ exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name,
 exchange->policy = name ? conf_get_str (name, "Configuration") : 0;
 exchange->finalize = finalize;
 exchange->finalize_arg = arg;
+ exchange->seq = seq;
 memcpy (exchange->cookies, isakmp_sa->cookies, ISAKMP_HDR_COOKIES_LEN);
 getrandom (exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
 exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
diff --git a/sbin/isakmpd/exchange.h b/sbin/isakmpd/exchange.h
index 1648518f52e..a4b8905a301 100644
--- a/sbin/isakmpd/exchange.h
+++ b/sbin/isakmpd/exchange.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: exchange.h,v 1.17 2001/01/27 12:03:32 niklas Exp $ */
+/* $OpenBSD: exchange.h,v 1.18 2001/02/24 03:59:55 angelos Exp $ */
 /* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */
 
 /*
@@ -162,6 +162,9 @@ struct exchange {
 void *recv_cert;
 void *recv_key;
 
+ /* ACQUIRE sequence number */
+ u_int32_t seq;
+
 /* XXX This is no longer necessary, it is covered by policy. */
 /* Acceptable authorities for cert requests */
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 9d6ae446da7..66f45762a71 100644
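Review bot: The cast `seq = (u_int32_t) conf_get_num (name, "Acquire-ID", 0);` in the @@ -853 hunk narrows whatever conf_get_num returns; its return type is not visible here, but if the value is parsed through an `int`, sequence numbers above INT_MAX that pf_key_v2_acquire writes with "%u" may not round-trip, and the GETSPI would then carry a different sequence than the ACQUIRE it answers. Confirm that the string-to-number path preserves the full 32-bit range, or parse the string into an unsigned type at this point. Separately, `name` can be NULL in this function (the @@ -906 hunk still has `name ? conf_get_str (name, "Configuration") : 0`), so confirm conf_get_num accepts a NULL section or guard it as `seq = name ? (u_int32_t) conf_get_num (name, "Acquire-ID", 0) : 0;`. exchange_establish_p2 starts and ends outside these hunks.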
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.38 2001/01/27 12:03:33 niklas Exp $ */
+/* $OpenBSD: ipsec.c,v 1.39 2001/02/24 03:59:55 angelos Exp $ */
 /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
 
 /*
@@ -1378,7 +1378,8 @@ ipsec_get_spi (size_t *sz, u_int8_t proto, struct message *msg)
 transport->vtbl->get_src (transport, &dst, &dstlen);
 /* The peer is the source. */
 transport->vtbl->get_dst (transport, &src, &srclen);
- return sysdep_ipsec_get_spi (sz, proto, src, srclen, dst, dstlen);
+ return sysdep_ipsec_get_spi (sz, proto, src, srclen, dst, dstlen,
+ msg->exchange->seq);
 }
 }
 
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index ae64751318d..bd5f9286b45 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.45 2001/01/27 12:03:34 niklas Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.46 2001/02/24 03:59:55 angelos Exp $ */
 /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
 
 /*
@@ -587,7 +587,8 @@ pf_key_v2_open ()
 */
 u_int8_t *
 pf_key_v2_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
 {
 struct sadb_msg msg;
 struct sadb_sa *sa;
@@ -614,11 +615,9 @@ pf_key_v2_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
 log_print ("pf_key_v2_get_spi: invalid proto %d", proto);
 goto cleanup;
 }
- /*
- * XXX When we have acquires working, the sequence number has to be set
- * from the acquire message.
- */
- msg.sadb_msg_seq = 0;
+
+ /* Set the sequence number from the ACQUIRE message */
+ msg.sadb_msg_seq = seq;
 getspi = pf_key_v2_msg_new (&msg, 0);
 if (!getspi)
 goto cleanup;
@@ -2057,7 +2056,6 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
 u_int8_t tproto = 0;
 char tmbuf[sizeof sport * 3 + 1];
 
- msg = (struct sadb_msg *)TAILQ_FIRST (pmsg)->seg;
 ext = pf_key_v2_find_ext (pmsg, SADB_EXT_ADDRESS_DST);
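Review bot: The @@ -2057 hunk deletes the only assignment to `msg` visible in pf_key_v2_acquire, `msg = (struct sadb_msg *)TAILQ_FIRST (pmsg)->seg;`, while the new @@ -2549 hunk in the same function dereferences `msg->sadb_msg_seq`. If `msg` is not initialised at its declaration (which lies outside the hunk), that read goes through an indeterminate pointer and the sequence number written to the configuration is garbage; if it is initialised there, the deletion is fine and a word in the commit message would save the next reader the check. Either way the new block should take the sequence number from a pointer that is provably set at that point, for example by keeping the deleted line immediately before the new `sprintf`. pf_key_v2_acquire starts and ends outside both hunks.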
@@ -2505,6 +2503,7 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
 * - Phase
 * - ISAKMP-peer
 * - Local-ID/Remote-ID (if provided)
+ * - Acquire-ID (sequence number of kernel message, e.g., PF_KEYv2)
 *
 * Also set the following section:
 * [Peer-dstaddr(/srcaddr)(-srcid)(/dstid)]
@@ -2549,6 +2548,14 @@ pf_key_v2_acquire (struct pf_key_v2_msg *pmsg)
 goto fail;
 }
 
+ /* Set the sequence number */
+ sprintf (lname, "%u", msg->sadb_msg_seq);
+ if (conf_set (af, conn, "Acquire-ID", lname, 0, 0))
+ {
+ conf_end (af, 0);
+ goto fail;
+ }
+
 /* Set Phase 2 IDs -- this is the Local-ID section */
 sprintf (lname, "Phase2-ID:%s/%s/%d/%d", ssflow, ssmask, tproto, sport);
 if (conf_set (af, conn, "Local-ID", lname, 0, 0))
diff --git a/sbin/isakmpd/pf_key_v2.h b/sbin/isakmpd/pf_key_v2.h
index 2c578997ed9..d422c3bbb3d 100644
--- a/sbin/isakmpd/pf_key_v2.h
+++ b/sbin/isakmpd/pf_key_v2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.h,v 1.4 2000/12/12 01:46:17 niklas Exp $ */
+/* $OpenBSD: pf_key_v2.h,v 1.5 2001/02/24 03:59:56 angelos Exp $ */
 /* $EOM: pf_key_v2.h,v 1.4 2000/12/04 04:46:35 angelos Exp $ */
 
 /*
@@ -50,7 +50,7 @@ extern int pf_key_v2_enable_sa (struct sa *, struct sa *);
 extern int pf_key_v2_enable_spi (in_addr_t, in_addr_t, in_addr_t, in_addr_t,
 u_int8_t *, u_int8_t, in_addr_t);
 extern u_int8_t *pf_key_v2_get_spi (size_t *, u_int8_t, struct sockaddr *, int,
- struct sockaddr *, int);
+ struct sockaddr *, int, u_int32_t);
 extern int pf_key_v2_group_spis (struct sa *, struct proto *, struct proto *,
 int);
 extern void pf_key_v2_handler (int);
diff --git a/sbin/isakmpd/sysdep.h b/sbin/isakmpd/sysdep.h
index d3c193db13b..8ca48cf2d7b 100644
--- a/sbin/isakmpd/sysdep.h
+++ b/sbin/isakmpd/sysdep.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.h,v 1.8 2000/12/12 01:46:17 niklas Exp $ */
+/* $OpenBSD: sysdep.h,v 1.9 2001/02/24 03:59:56 angelos Exp $ */
 /* $EOM: sysdep.h,v 1.17 2000/12/04 04:46:35 angelos Exp $ */
 
 /*
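Review bot: A point of style in the @@ -2549 hunk: the new `sprintf (lname, "%u", msg->sadb_msg_seq);` writes a kernel-supplied value into a buffer whose declaration is outside the hunk; a 32-bit unsigned is at most ten digits, so the write is bounded in practice, but `snprintf (lname, sizeof lname, "%u", msg->sadb_msg_seq);` makes that bound explicit at the call site rather than dependent on the buffer sized for the longer "Phase2-ID:..." string formatted just below. The comment `/* Set the sequence number */` would also read better naming the consumer, e.g. `/* Record the ACQUIRE sequence number so GETSPI can echo it back */`, which is what the new Acquire-ID line in the @@ -2505 comment block is for. pf_key_v2_acquire starts and ends outside the hunk.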
@@ -52,7 +52,7 @@ extern void sysdep_connection_check (char *);
 extern int sysdep_ipsec_delete_spi (struct sa *, struct proto *, int);
 extern int sysdep_ipsec_enable_sa (struct sa *, struct sa *);
 extern u_int8_t *sysdep_ipsec_get_spi (size_t *, u_int8_t, struct sockaddr *,
- int, struct sockaddr *, int);
+ int, struct sockaddr *, int, u_int32_t);
 extern int sysdep_ipsec_group_spis (struct sa *, struct proto *, struct proto *,
 int);
 extern int sysdep_ipsec_set_spi (struct sa *, struct proto *, int);
diff --git a/sbin/isakmpd/sysdep/freebsd/sysdep.c b/sbin/isakmpd/sysdep/freebsd/sysdep.c
index 3fb87a2878b..afdedde44a3 100644
--- a/sbin/isakmpd/sysdep/freebsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/freebsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.2 2001/01/28 22:38:48 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.3 2001/02/24 03:59:56 angelos Exp $ */
 
 /*
 * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -115,7 +115,8 @@ sysdep_connection_check (char *name)
 */
 u_int8_t *
 sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
 {
 if (app_none)
 {
@@ -123,7 +124,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
 /* XXX should be random instead I think. */
 return strdup ("\x12\x34\x56\x78");
 }
- return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+ return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq);
 }
 
 /* Force communication on socket FD to go in the clear. */
diff --git a/sbin/isakmpd/sysdep/linux/klips.c b/sbin/isakmpd/sysdep/linux/klips.c
index 698bc8bebbd..4b90baccfb5 100644
--- a/sbin/isakmpd/sysdep/linux/klips.c
+++ b/sbin/isakmpd/sysdep/linux/klips.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: klips.c,v 1.2 2001/01/28 22:38:48 niklas Exp $ */
+/* $OpenBSD: klips.c,v 1.3 2001/02/24 03:59:57 angelos Exp $ */
 
 /*
 * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
@@ -136,7 +136,7 @@ klips_write (struct encap_msghdr *em)
 */
 u_int8_t *
 klips_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, int srclen,
- struct sockaddr *dst, int dstlen)
+ struct sockaddr *dst, int dstlen, u_int32_t seq)
 {
 u_int8_t *spi;
 u_int32_t spinum;
diff --git a/sbin/isakmpd/sysdep/linux/klips.h b/sbin/isakmpd/sysdep/linux/klips.h
index 058d1a4f63a..80536fd95cd 100644
--- a/sbin/isakmpd/sysdep/linux/klips.h
+++ b/sbin/isakmpd/sysdep/linux/klips.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: klips.h,v 1.2 2001/01/28 22:38:48 niklas Exp $ */
+/* $OpenBSD: klips.h,v 1.3 2001/02/24 03:59:57 angelos Exp $ */
 
 /*
 * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
@@ -47,7 +47,7 @@ extern void klips_connection_check (char *);
 extern int klips_delete_spi (struct sa *, struct proto *, int);
 extern int klips_enable_sa (struct sa *, struct sa *);
 extern u_int8_t *klips_get_spi (size_t *, u_int8_t, struct sockaddr *, int,
- struct sockaddr *, int);
+ struct sockaddr *, int, u_int32_t);
 extern int klips_group_spis (struct sa *, struct proto *, struct proto *, int);
 extern int klips_open (void);
diff --git a/sbin/isakmpd/sysdep/linux/sysdep.c b/sbin/isakmpd/sysdep/linux/sysdep.c
index 0aac833d598..12d77aff0ff 100644
--- a/sbin/isakmpd/sysdep/linux/sysdep.c
+++ b/sbin/isakmpd/sysdep/linux/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.4 2001/01/28 22:38:49 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.5 2001/02/24 03:59:57 angelos Exp $ */
 
 /*
 * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -120,7 +120,8 @@ sysdep_connection_check (char *name)
 */
 u_int8_t *
 sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
 {
 if (app_none)
 {
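Review bot: klips_get_spi gains a `seq` parameter in the @@ -136 hunk, but nothing in the hunk consumes it and the body continues outside the hunk; if the KLIPS interface has no field to carry an ACQUIRE sequence number, a comment on the parameter such as `/* seq: ACQUIRE sequence; unused, KLIPS carries no sequence number */` (or a `(void) seq;` at the top of the body) tells the next reader that the omission is deliberate rather than a missed plumbing step. The sysdep.c variants on this page only forward the parameter, so this is the one place where the value can be silently dropped.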
@@ -129,7 +130,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
 return strdup ("\x12\x34\x56\x78");
 }
 
- return klips_get_spi (sz, proto, src, srclen, dst, dstlen);
+ return klips_get_spi (sz, proto, src, srclen, dst, dstlen, seq);
 }
 
 int
diff --git a/sbin/isakmpd/sysdep/netbsd/sysdep.c b/sbin/isakmpd/sysdep/netbsd/sysdep.c
index c45bc8ae599..046d68011bf 100644
--- a/sbin/isakmpd/sysdep/netbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/netbsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.2 2001/01/28 22:38:49 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.3 2001/02/24 03:59:58 angelos Exp $ */
 
 /*
 * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -109,7 +109,8 @@ sysdep_connection_check (char *name)
 */
 u_int8_t *
 sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
 {
 if (app_none)
 {
@@ -117,7 +118,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
 /* XXX should be random instead I think. */
 return strdup ("\x12\x34\x56\x78");
 }
- return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+ return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq);
 }
 
 /* Force communication on socket FD to go in the clear. */
diff --git a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
index 5b3ac088c8a..367c5ed10da 100644
--- a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.2 2001/01/28 22:38:49 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.3 2001/02/24 03:59:59 angelos Exp $ */
 
 /*
 * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -118,7 +118,8 @@ sysdep_connection_check (char *name)
 */
 u_int8_t *
 sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
 {
 if (app_none)
 {
@@ -126,7 +127,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
 /* XXX should be random instead I think. */
 return strdup ("\x12\x34\x56\x78");
 }
- return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+ return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq);
 }
 
 /* Force communication on socket FD to go in the clear. */
diff --git a/sbin/isakmpd/sysdep/openbsd/sysdep.c b/sbin/isakmpd/sysdep/openbsd/sysdep.c
index f50055707db..22fbe0f3eb1 100644
--- a/sbin/isakmpd/sysdep/openbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.7 2000/12/12 01:46:17 niklas Exp $ */
+/* $OpenBSD: sysdep.c,v 1.8 2001/02/24 03:59:58 angelos Exp $ */
 /* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */
 
 /*
@@ -119,7 +119,8 @@ sysdep_connection_check (char *name)
 */
 u_int8_t *
 sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
- int srclen, struct sockaddr *dst, int dstlen)
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
 {
 if (app_none)
 {
@@ -127,7 +128,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
 /* XXX should be random instead I think. */
 return strdup ("\x12\x34\x56\x78");
 }
- return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen);
+ return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq);
 }
 
 /* Force communication on socket FD to go in the clear. */