author | Reyk Floeter <reyk@cvs.openbsd.org> | 2011-04-18 09:54:42 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2011-04-18 09:54:42 +0000 |
commit | 9bfe5cd12445034828753d3cf1c75f1c742a42e4 (patch) | |
tree | 6c99524c273b7e8b32dc079c5bc85780ab5b0895 | |
parent | e9e2c56254ecb6f7ae8722d89ad005d22f00c03c (diff) |
Improve the iked acquire mode peer <-> policy matching. This change
picks the peer from the acquire message and allows masked peers in
the policies, like "peer any" or "peer 10.0.0.0/8", to be matched instead
of requiring exactly matching peer specifications.
ok mikeb@
-rw-r--r-- | sbin/iked/ikev2.c | 17 | ||||
-rw-r--r-- | sbin/iked/policy.c | 9 |
2 files changed, 16 insertions, 10 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index a9dae3cd59f..3d90fcb7033 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.49 2011/04/18 08:45:43 reyk Exp $ */
+/* $OpenBSD: ikev2.c,v 1.50 2011/04/18 09:54:41 reyk Exp $ */
 /* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
 
 /*
@@ -61,6 +61,8 @@ int ikev2_ike_auth(struct iked *, struct iked_sa *,
 
 void ikev2_init_recv(struct iked *, struct iked_message *,
 struct ike_header *);
+int ikev2_init_ike_sa_peer(struct iked *, struct iked_policy *,
+ struct iked_addr *);
 int ikev2_init_ike_auth(struct iked *, struct iked_sa *);
 int ikev2_init_auth(struct iked *, struct iked_message *);
 int ikev2_init_done(struct iked *, struct iked_sa *);
@@ -623,6 +625,13 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
 int
 ikev2_init_ike_sa(struct iked *env, struct iked_policy *pol)
 {
+ return (ikev2_init_ike_sa_peer(env, pol, &pol->pol_peer));
+}
+
+int
+ikev2_init_ike_sa_peer(struct iked *env, struct iked_policy *pol,
+ struct iked_addr *peer)
+{
 struct iked_message req;
 struct ike_header *hdr;
 struct ikev2_payload *pld;
@@ -638,7 +647,7 @@ ikev2_init_ike_sa(struct iked *env, struct iked_policy *pol)
 in_port_t port;
 
 if ((sock = ikev2_msg_getsocket(env,
- pol->pol_peer.addr_af)) == NULL)
+ peer->addr_af)) == NULL)
 return (-1);
 
 /* Create a new initiator SA */
@@ -652,7 +661,7 @@ ikev2_init_ike_sa(struct iked *env, struct iked_policy *pol)
 goto done;
 
 if ((buf = ikev2_msg_init(env, &req,
- &pol->pol_peer.addr, pol->pol_peer.addr.ss_len,
+ &peer->addr, peer->addr.ss_len,
 &pol->pol_local.addr, pol->pol_local.addr.ss_len, 0)) == NULL)
 goto done;
 
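Review bot: ikev2_init_ike_sa_peer reads `peer->addr_af` in the 638 hunk and `peer->addr` / `peer->addr.ss_len` in the 652 hunk without checking `peer`, and unlike the ikev2_init_ike_sa wrapper (which always passes `&pol->pol_peer`) its new caller in ikev2_acquire_sa hands it `acquire->flow_peer`, a pointer taken from the acquire message rather than from the policy. If that pointer can be unset for some flows, a guard at the top of the new function, `if (peer == NULL) return (-1);`, keeps an incomplete acquire from crashing the daemon; if the caller guarantees it is set, say so on the prototype, e.g. `/* peer must be non-NULL; may differ from pol->pol_peer for masked policies */`. The body of ikev2_init_ike_sa_peer continues outside these hunks.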
@@ -3688,7 +3697,7 @@ ikev2_acquire_sa(struct iked *env, struct iked_flow *acquire)
 
 log_debug("%s: found matching policy '%s'", __func__,
 p->pol_name);
- if (ikev2_init_ike_sa(env, p) != 0)
+ if (ikev2_init_ike_sa_peer(env, p, acquire->flow_peer) != 0)
 log_warnx("%s: failed to initiate a "
 "IKE_SA_INIT exchange", __func__);
 } else {
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 5f218048aab..b9c7bfcddf5 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.17 2011/04/18 08:45:43 reyk Exp $ */
+/* $OpenBSD: policy.c,v 1.18 2011/04/18 09:54:41 reyk Exp $ */
 /* $vantronix: policy.c,v 1.29 2010/05/28 15:34:35 reyk Exp $ */
 
 /*
@@ -123,16 +123,13 @@ policy_test(struct iked *env, struct iked_policy *key)
 /*
 * Check if a specific flow is requested
 * (eg. for acquire messages from the kernel)
- * and find a matching flow. The policy also
- * needs to have a valid peer address specified.
+ * and find a matching flow.
 */
 if (key->pol_nflows &&
 (flowkey = RB_MIN(iked_flows, &key->pol_flows)) != NULL &&
- (p->pol_peer.addr_net ||
- p->pol_peer.addr_af == AF_UNSPEC ||
 (flow = RB_FIND(iked_flows, &p->pol_flows,
- flowkey)) == NULL)) {
+ flowkey)) == NULL) {
 p = TAILQ_NEXT(p, pol_entry);
 continue;
 } |
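Review bot: With the `pol_peer.addr_net` and `addr_af == AF_UNSPEC` conditions dropped, this hunk of policy_test accepts a policy for an acquire on the strength of the flow lookup alone; nothing in the hunk compares the acquire's peer against `p->pol_peer` and its mask, so a policy such as `peer any` now matches any flow found in its `pol_flows` tree. If that containment check happens elsewhere in policy_test (outside the hunk), the shortened comment should point to it, e.g. `* and find a matching flow; the acquire peer itself` / `* is matched against the (possibly masked) pol_peer elsewhere.`; if it does not, the peer taken from the acquire message is used to initiate an exchange without being validated against the policy's peer specification. policy_test starts and ends outside the hunk.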