authorReyk Floeter <reyk@cvs.openbsd.org>2011-04-18 09:54:42 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2011-04-18 09:54:42 +0000
commit9bfe5cd12445034828753d3cf1c75f1c742a42e4 (patch)
tree6c99524c273b7e8b32dc079c5bc85780ab5b0895
parente9e2c56254ecb6f7ae8722d89ad005d22f00c03c (diff)
Improve the iked acquire mode peer <-> policy matching. This change
picks the peer from the acquire message and allows matching masked peers in the policies, like "peer any" or "peer 10.0.0.0/8", instead of requiring exactly matching peer specifications. ok mikeb@
-rw-r--r--sbin/iked/ikev2.c17
-rw-r--r--sbin/iked/policy.c9
2 files changed, 16 insertions, 10 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index a9dae3cd59f..3d90fcb7033 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.49 2011/04/18 08:45:43 reyk Exp $ */
+/* $OpenBSD: ikev2.c,v 1.50 2011/04/18 09:54:41 reyk Exp $ */
/* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -61,6 +61,8 @@ int ikev2_ike_auth(struct iked *, struct iked_sa *,
void ikev2_init_recv(struct iked *, struct iked_message *,
struct ike_header *);
+int ikev2_init_ike_sa_peer(struct iked *, struct iked_policy *,
+ struct iked_addr *);
int ikev2_init_ike_auth(struct iked *, struct iked_sa *);
int ikev2_init_auth(struct iked *, struct iked_message *);
int ikev2_init_done(struct iked *, struct iked_sa *);
@@ -623,6 +625,13 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
int
ikev2_init_ike_sa(struct iked *env, struct iked_policy *pol)
{
+ return (ikev2_init_ike_sa_peer(env, pol, &pol->pol_peer));
+}
+
+int
+ikev2_init_ike_sa_peer(struct iked *env, struct iked_policy *pol,
+ struct iked_addr *peer)
+{
struct iked_message req;
struct ike_header *hdr;
struct ikev2_payload *pld;
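Review bot: The new `ikev2_init_ike_sa_peer` dereferences `peer` (`peer->addr_af` and `peer->addr` in the two following hunks) without checking it, and its new caller in `ikev2_acquire_sa` hands it `acquire->flow_peer`, a pointer that comes from the kernel acquire message rather than from the policy; whether that pointer can be NULL is not visible here, so a guard at the top, `if (peer == NULL) return (-1);`, is cheap insurance and leaves `ikev2_init_ike_sa`, which always passes `&pol->pol_peer`, unaffected. The function body continues past the end of this hunk. A short comment above the new definition would also help readers of the two entry points, e.g. `/* Initiate an IKE_SA for pol; the socket and request use the supplied peer address instead of pol->pol_peer (used by ikev2_acquire_sa with the peer from the acquire). */`.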
@@ -638,7 +647,7 @@ ikev2_init_ike_sa(struct iked *env, struct iked_policy *pol)
in_port_t port;
if ((sock = ikev2_msg_getsocket(env,
- pol->pol_peer.addr_af)) == NULL)
+ peer->addr_af)) == NULL)
return (-1);
/* Create a new initiator SA */
@@ -652,7 +661,7 @@ ikev2_init_ike_sa(struct iked *env, struct iked_policy *pol)
goto done;
if ((buf = ikev2_msg_init(env, &req,
- &pol->pol_peer.addr, pol->pol_peer.addr.ss_len,
+ &peer->addr, peer->addr.ss_len,
&pol->pol_local.addr, pol->pol_local.addr.ss_len, 0)) == NULL)
goto done;
@@ -3688,7 +3697,7 @@ ikev2_acquire_sa(struct iked *env, struct iked_flow *acquire)
log_debug("%s: found matching policy '%s'", __func__,
p->pol_name);
- if (ikev2_init_ike_sa(env, p) != 0)
+ if (ikev2_init_ike_sa_peer(env, p, acquire->flow_peer) != 0)
log_warnx("%s: failed to initiate a "
"IKE_SA_INIT exchange", __func__);
} else {
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 5f218048aab..b9c7bfcddf5 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.17 2011/04/18 08:45:43 reyk Exp $ */
+/* $OpenBSD: policy.c,v 1.18 2011/04/18 09:54:41 reyk Exp $ */
/* $vantronix: policy.c,v 1.29 2010/05/28 15:34:35 reyk Exp $ */
/*
@@ -123,16 +123,13 @@ policy_test(struct iked *env, struct iked_policy *key)
/*
* Check if a specific flow is requested
* (eg. for acquire messages from the kernel)
- * and find a matching flow. The policy also
- * needs to have a valid peer address specified.
+ * and find a matching flow.
*/
if (key->pol_nflows &&
(flowkey = RB_MIN(iked_flows,
&key->pol_flows)) != NULL &&
- (p->pol_peer.addr_net ||
- p->pol_peer.addr_af == AF_UNSPEC ||
(flow = RB_FIND(iked_flows, &p->pol_flows,
- flowkey)) == NULL)) {
+ flowkey)) == NULL) {
p = TAILQ_NEXT(p, pol_entry);
continue;
}
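Review bot: After this hunk `policy_test` no longer compares the acquire's peer against `p->pol_peer` at all: the removed `addr_net` / `AF_UNSPEC` condition was the only peer-related test, and nothing replaces it, so a policy written as "peer 10.0.0.0/8" is accepted for any acquire whose flow is found in `p->pol_flows`, whether or not the acquire's peer address lies inside that network — unless the flow key already carries the peer, which this hunk does not show. That matters because `ikev2_acquire_sa` then initiates an IKE_SA_INIT toward `acquire->flow_peer` with the matched policy's parameters. If the masked matching described in the commit message is the intent, the loop should additionally skip the policy when `p->pol_peer.addr_net` is set and the acquire peer does not fall within that prefix, treating only `AF_UNSPEC` as "peer any"; the updated comment could then state that explicitly, e.g. `* and find a matching flow whose peer lies within the policy's peer network (if one is given).` The enclosing `policy_test` begins before and its loop ends after this hunk.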