author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2008-07-01 14:08:40 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2008-07-01 14:08:40 +0000 |
commit | e10672951adbd7ce81e6c837f4121f6da9508bf9 (patch) | |
tree | f20a818f1af81119218a76d47488c625325653f5 | |
parent | d1633f38591d98b6174bc7606a4d55a94f6c8449 (diff) |
If multiple "to" addresses but no peer are given in an ike or flow
rule, the current "to" address is taken as the peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer
-rw-r--r-- | regress/sbin/ipsecctl/Makefile | 8 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ikefail7.in | 2 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ikefail7.ok | 2 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec23.ok | 8 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec24.ok | 24 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec54.in | 1 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec54.ok | 4 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec55.in | 1 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec55.ok | 2 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec56.in | 1 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec56.ok | 2 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec57.in | 1 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsec57.ok | 6 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsecfail3.in | 2 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ipsecfail3.ok | 4 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 99 |
16 files changed, 102 insertions, 65 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile
index 882365daa44..339b0ed7ba7 100644
--- a/regress/sbin/ipsecctl/Makefile
+++ b/regress/sbin/ipsecctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.50 2008/01/04 11:09:20 hshoexer Exp $
+# $OpenBSD: Makefile,v 1.51 2008/07/01 14:08:39 bluhm Exp $
 # you can update the *.ok files with: make -i | patch # TARGETS
@@ -10,12 +10,12 @@ IPSECTESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 IPSECTESTS+=25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
-IPSECTESTS+=51 52 53
+IPSECTESTS+=51 52 53 54 55 56 57
 TCPMD5TESTS=1 2 3 SATESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 SAFAIL=1 2
-IPSECFAIL=1 2
-IKEFAIL=1 3 4 5 6 7 8 9 10 11 12
+IPSECFAIL=1 2 3
+IKEFAIL=1 3 4 5 6 8 9 10 11 12
 IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 IKETESTS+=16 17 18 19 20 21 22 23 IKETESTS+=29 30 31 32 33 34 35 36 37 38 39 40
diff --git a/regress/sbin/ipsecctl/ikefail7.in b/regress/sbin/ipsecctl/ikefail7.in
deleted file mode 100644
index e5bab74fad1..00000000000
--- a/regress/sbin/ipsecctl/ikefail7.in
+++ /dev/null
@@ -1,2 +0,0 @@
-# specifying peers from different address families should cause an error
-ike from 1.1.1.1 to { 3ffe::1, 2.2.2.2 }
diff --git a/regress/sbin/ipsecctl/ikefail7.ok b/regress/sbin/ipsecctl/ikefail7.ok
deleted file mode 100644
index e7fbf39104c..00000000000
--- a/regress/sbin/ipsecctl/ikefail7.ok
+++ /dev/null
@@ -1,2 +0,0 @@
-stdin: 2: source/destination address families do not match
-ipsecctl: Syntax error in config file: ipsec rules not loaded
diff --git a/regress/sbin/ipsecctl/ipsec23.ok b/regress/sbin/ipsecctl/ipsec23.ok
index 334f1ee1e71..b1e2c2100cb 100644
--- a/regress/sbin/ipsecctl/ipsec23.ok
+++ b/regress/sbin/ipsecctl/ipsec23.ok
@@ -1,7 +1,7 @@
 TO = "{ 1.1.1.1, 2.2.2.2, 3.3.3.3 }"
 flow esp out from 4.4.4.4 to 1.1.1.1 peer 1.1.1.1 type require
 flow esp in from 1.1.1.1 to 4.4.4.4 peer 1.1.1.1 type require
-flow esp out from 4.4.4.4 to 2.2.2.2 peer 1.1.1.1 type require
-flow esp in from 2.2.2.2 to 4.4.4.4 peer 1.1.1.1 type require
-flow esp out from 4.4.4.4 to 3.3.3.3 peer 1.1.1.1 type require
-flow esp in from 3.3.3.3 to 4.4.4.4 peer 1.1.1.1 type require
+flow esp out from 4.4.4.4 to 2.2.2.2 peer 2.2.2.2 type require
+flow esp in from 2.2.2.2 to 4.4.4.4 peer 2.2.2.2 type require
+flow esp out from 4.4.4.4 to 3.3.3.3 peer 3.3.3.3 type require
+flow esp in from 3.3.3.3 to 4.4.4.4 peer 3.3.3.3 type require
diff --git a/regress/sbin/ipsecctl/ipsec24.ok b/regress/sbin/ipsecctl/ipsec24.ok
index db61535152d..491d60e5605 100644
--- a/regress/sbin/ipsecctl/ipsec24.ok
+++ b/regress/sbin/ipsecctl/ipsec24.ok
@@ -2,19 +2,19 @@ FROM = "{ 1.1.1.1, 2.2.2.2, 3.3.3.3 }"
 TO = "{ 4.4.4.4, 5.5.5.5, 6.6.6.6 }"
 flow esp out from 1.1.1.1 to 4.4.4.4 peer 4.4.4.4 type require
 flow esp in from 4.4.4.4 to 1.1.1.1 peer 4.4.4.4 type require
-flow esp out from 1.1.1.1 to 5.5.5.5 peer 4.4.4.4 type require
-flow esp in from 5.5.5.5 to 1.1.1.1 peer 4.4.4.4 type require
-flow esp out from 1.1.1.1 to 6.6.6.6 peer 4.4.4.4 type require
-flow esp in from 6.6.6.6 to 1.1.1.1 peer 4.4.4.4 type require
+flow esp out from 1.1.1.1 to 5.5.5.5 peer 5.5.5.5 type require
+flow esp in from 5.5.5.5 to 1.1.1.1 peer 5.5.5.5 type require
+flow esp out from 1.1.1.1 to 6.6.6.6 peer 6.6.6.6 type require
+flow esp in from 6.6.6.6 to 1.1.1.1 peer 6.6.6.6 type require
 flow esp out from 2.2.2.2 to 4.4.4.4 peer 4.4.4.4 type require
 flow esp in from 4.4.4.4 to 2.2.2.2 peer 4.4.4.4 type require
-flow esp out from 2.2.2.2 to 5.5.5.5 peer 4.4.4.4 type require
-flow esp in from 5.5.5.5 to 2.2.2.2 peer 4.4.4.4 type require
-flow esp out from 2.2.2.2 to 6.6.6.6 peer 4.4.4.4 type require
-flow esp in from 6.6.6.6 to 2.2.2.2 peer 4.4.4.4 type require
+flow esp out from 2.2.2.2 to 5.5.5.5 peer 5.5.5.5 type require
+flow esp in from 5.5.5.5 to 2.2.2.2 peer 5.5.5.5 type require
+flow esp out from 2.2.2.2 to 6.6.6.6 peer 6.6.6.6 type require
+flow esp in from 6.6.6.6 to 2.2.2.2 peer 6.6.6.6 type require
 flow esp out from 3.3.3.3 to 4.4.4.4 peer 4.4.4.4 type require
 flow esp in from 4.4.4.4 to 3.3.3.3 peer 4.4.4.4 type require
-flow esp out from 3.3.3.3 to 5.5.5.5 peer 4.4.4.4 type require
-flow esp in from 5.5.5.5 to 3.3.3.3 peer 4.4.4.4 type require
-flow esp out from 3.3.3.3 to 6.6.6.6 peer 4.4.4.4 type require
-flow esp in from 6.6.6.6 to 3.3.3.3 peer 4.4.4.4 type require
+flow esp out from 3.3.3.3 to 5.5.5.5 peer 5.5.5.5 type require
+flow esp in from 5.5.5.5 to 3.3.3.3 peer 5.5.5.5 type require
+flow esp out from 3.3.3.3 to 6.6.6.6 peer 6.6.6.6 type require
+flow esp in from 6.6.6.6 to 3.3.3.3 peer 6.6.6.6 type require
diff --git a/regress/sbin/ipsecctl/ipsec54.in b/regress/sbin/ipsecctl/ipsec54.in
new file mode 100644
index 00000000000..c4cce2f8abc
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec54.in
@@ -0,0 +1 @@
+flow from 1.1.1.1 to { 2.2.2.2 3.3.3.3 }
diff --git a/regress/sbin/ipsecctl/ipsec54.ok b/regress/sbin/ipsecctl/ipsec54.ok
new file mode 100644
index 00000000000..a92ee9127b4
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec54.ok
@@ -0,0 +1,4 @@
+flow esp out from 1.1.1.1 to 2.2.2.2 peer 2.2.2.2 type require
+flow esp in from 2.2.2.2 to 1.1.1.1 peer 2.2.2.2 type require
+flow esp out from 1.1.1.1 to 3.3.3.3 peer 3.3.3.3 type require
+flow esp in from 3.3.3.3 to 1.1.1.1 peer 3.3.3.3 type require
diff --git a/regress/sbin/ipsecctl/ipsec55.in b/regress/sbin/ipsecctl/ipsec55.in
new file mode 100644
index 00000000000..cf3a57a76b6
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec55.in
@@ -0,0 +1 @@
+flow from 1.1.1.1 to 2.2.2.0/24 peer 2.2.2.2
diff --git a/regress/sbin/ipsecctl/ipsec55.ok b/regress/sbin/ipsecctl/ipsec55.ok
new file mode 100644
index 00000000000..48517e8c87f
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec55.ok
@@ -0,0 +1,2 @@
+flow esp out from 1.1.1.1 to 2.2.2.0/24 peer 2.2.2.2 type require
+flow esp in from 2.2.2.0/24 to 1.1.1.1 peer 2.2.2.2 type require
diff --git a/regress/sbin/ipsecctl/ipsec56.in b/regress/sbin/ipsecctl/ipsec56.in
new file mode 100644
index 00000000000..079ec4c6e3f
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec56.in
@@ -0,0 +1 @@
+flow from 1.1.1.1 to 2.2.2.0/24 type bypass
diff --git a/regress/sbin/ipsecctl/ipsec56.ok b/regress/sbin/ipsecctl/ipsec56.ok
new file mode 100644
index 00000000000..149efe982ba
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec56.ok
@@ -0,0 +1,2 @@
+flow esp out from 1.1.1.1 to 2.2.2.0/24 type bypass
+flow esp in from 2.2.2.0/24 to 1.1.1.1 type bypass
diff --git a/regress/sbin/ipsecctl/ipsec57.in b/regress/sbin/ipsecctl/ipsec57.in
new file mode 100644
index 00000000000..3c1695ada4c
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec57.in
@@ -0,0 +1 @@
+flow from { ::1 1.1.1.1 } to { ::2 2.2.2.2 ::3 }
diff --git a/regress/sbin/ipsecctl/ipsec57.ok b/regress/sbin/ipsecctl/ipsec57.ok
new file mode 100644
index 00000000000..5d2d032b2e8
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsec57.ok
@@ -0,0 +1,6 @@
+flow esp out from ::1 to ::2 peer ::2 type require
+flow esp in from ::2 to ::1 peer ::2 type require
+flow esp out from ::1 to ::3 peer ::3 type require
+flow esp in from ::3 to ::1 peer ::3 type require
+flow esp out from 1.1.1.1 to 2.2.2.2 peer 2.2.2.2 type require
+flow esp in from 2.2.2.2 to 1.1.1.1 peer 2.2.2.2 type require
diff --git a/regress/sbin/ipsecctl/ipsecfail3.in b/regress/sbin/ipsecctl/ipsecfail3.in
new file mode 100644
index 00000000000..d0e3863fc25
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsecfail3.in
@@ -0,0 +1,2 @@
+# destination network without peer in flow must fail
+flow from 1.1.1.1 to { 2.2.2.2 3.3.3.0/24 }
diff --git a/regress/sbin/ipsecctl/ipsecfail3.ok b/regress/sbin/ipsecctl/ipsecfail3.ok
new file mode 100644
index 00000000000..c85057213a5
--- /dev/null
+++ b/regress/sbin/ipsecctl/ipsecfail3.ok
@@ -0,0 +1,4 @@
+stdin: 2: no peer specified for destination 3.3.3.0/24
+ipsecctl: Syntax error in config file: ipsec rules not loaded
+flow esp out from 1.1.1.1 to 2.2.2.2 peer 2.2.2.2 type require
+flow esp in from 2.2.2.2 to 1.1.1.1 peer 2.2.2.2 type require
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index ff7569ccc8a..a53667f07bd 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.136 2008/06/14 00:57:30 bluhm Exp $ */
+/* $OpenBSD: parse.y,v 1.137 2008/07/01 14:08:39 bluhm Exp $ */
 /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -181,18 +181,18 @@ struct ipsec_rule *create_sagroup(struct ipsec_addr_wrap *, u_int8_t, u_int32_t, struct ipsec_addr_wrap *, u_int8_t, u_int32_t); struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_hosts *, - struct ipsec_hosts *, u_int8_t, char *, char *, - u_int8_t); -void set_rule_peers(struct ipsec_rule *r, + u_int8_t, char *, char *, u_int8_t); +int set_rule_peers(struct ipsec_rule *r, struct ipsec_hosts *peers); void expand_any(struct ipsec_addr_wrap *); -int expand_rule(struct ipsec_rule *, u_int8_t, u_int32_t, - struct ipsec_key *, struct ipsec_key *, int); +int expand_rule(struct ipsec_rule *, struct ipsec_hosts *, + u_int8_t, u_int32_t, struct ipsec_key *, + struct ipsec_key *, int); struct ipsec_rule *reverse_rule(struct ipsec_rule *); struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *, - struct ipsec_hosts *, struct ike_mode *, - struct ike_mode *, u_int8_t, u_int8_t, u_int8_t, - char *, char *, struct ike_auth *, char *); + struct ike_mode *, struct ike_mode *, u_int8_t, + u_int8_t, u_int8_t, char *, char *, + struct ike_auth *, char *); int add_sagroup(struct ipsec_rule *); int get_id_type(char *); @@ -316,7 +316,8 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec { if (r == NULL) YYERROR; - if (expand_rule(r, 0, $3.spiin, $4.keyin, NULL, 0)) + if (expand_rule(r, NULL, 0, $3.spiin, $4.keyin, NULL, + 0)) errx(1, "tcpmd5rule: expand_rule"); } ; @@ -330,7 +331,8 @@ sarule : satype tmode hosts spispec transforms authkeyspec if (r == NULL) YYERROR; - if (expand_rule(r, 0, $4.spiin, $6.keyin, $7.keyin, 1)) + if (expand_rule(r, NULL, 0, $4.spiin, $6.keyin, + $7.keyin, 1)) errx(1, "sarule: expand_rule"); } ; 
@@ -338,12 +340,12 @@ sarule : satype tmode hosts spispec transforms authkeyspec flowrule : FLOW satype dir proto hosts peers ids type { struct ipsec_rule *r; - r = create_flow($3, $4, &$5, &$6, $2, $7.srcid, + r = create_flow($3, $4, &$5, $2, $7.srcid, $7.dstid, $8); if (r == NULL) YYERROR; - if (expand_rule(r, $3, 0, NULL, NULL, 0)) + if (expand_rule(r, &$6, $3, 0, NULL, NULL, 0)) errx(1, "flowrule: expand_rule"); } ; @@ -352,12 +354,12 @@ ikerule : IKE ikemode satype tmode proto hosts peers phase1mode phase2mode ids ikeauth tag { struct ipsec_rule *r; - r = create_ike($5, &$6, &$7, $8, $9, $3, $4, $2, + r = create_ike($5, &$6, $8, $9, $3, $4, $2, $10.srcid, $10.dstid, &$11, $12); if (r == NULL) YYERROR; - if (expand_rule(r, 0, 0, NULL, NULL, 0)) + if (expand_rule(r, &$7, 0, 0, NULL, NULL, 0)) errx(1, "ikerule: expand_rule"); } ; @@ -2310,7 +2312,6 @@ create_sagroup(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi, struct ipsec_rule * create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts, - struct ipsec_hosts *peers, u_int8_t satype, char *srcid, char *dstid, u_int8_t type) { struct ipsec_rule *r; @@ -2342,12 +2343,6 @@ create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts, if (type == TYPE_DENY || type == TYPE_BYPASS) return (r); - set_rule_peers(r, peers); - if (r->peer == NULL) { - yyerror("no peer specified"); - goto errout; - } - r->auth = calloc(1, sizeof(struct ipsec_auth)); if (r->auth == NULL) err(1, "create_flow: calloc"); @@ -2398,11 +2393,15 @@ expand_any(struct ipsec_addr_wrap *ipa_in) } } -void +int set_rule_peers(struct ipsec_rule *r, struct ipsec_hosts *peers) { - r->local = peers->src; - r->peer = peers->dst; + if (r->type == RULE_FLOW && + (r->flowtype == TYPE_DENY || r->flowtype == TYPE_BYPASS)) + return (0); + + r->local = copyhost(peers->src); + r->peer = copyhost(peers->dst); if (r->peer == NULL) { /* Set peer to remote host. Must be a host address. */ if (r->direction == IPSEC_IN) { 
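Review bot: `r->local = copyhost(peers->src);` in set_rule_peers now hands copyhost() a pointer that is NULL whenever the rule names no local address (none of the new regress inputs does), where the old code merely stored the raw pointer; this is only safe if copyhost() returns NULL for a NULL argument, which this diff does not show — confirm it, or write `r->local = peers->src ? copyhost(peers->src) : NULL;`. The function has also changed from void to int, now calls yyerror() itself, and its new early return silently drops any peer or local given on a deny/bypass flow, none of which is stated; a comment above the definition such as `/* Copy local/peer from PEERS onto R (deny/bypass flows take none). Returns 1 after yyerror() when a flow rule ends up without a peer, otherwise 0. */` would cover the contract. The body of set_rule_peers continues into the next hunk.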
@@ -2417,15 +2416,23 @@ set_rule_peers(struct ipsec_rule *r, struct ipsec_hosts *peers) r->peer = copyhost(r->dst); } } + + if (r->type == RULE_FLOW && r->peer == NULL) { + yyerror("no peer specified for destination %s", + r->dst->name); + return (1); + } + return (0); } int -expand_rule(struct ipsec_rule *rule, u_int8_t direction, u_int32_t spi, - struct ipsec_key *authkey, struct ipsec_key *enckey, int group) +expand_rule(struct ipsec_rule *rule, struct ipsec_hosts *peers, + u_int8_t direction, u_int32_t spi, struct ipsec_key *authkey, + struct ipsec_key *enckey, int group) { struct ipsec_rule *r, *revr; struct ipsec_addr_wrap *src, *dst; - int added = 0; + int added = 0, ret = 1; if (validate_af(rule->src, rule->dst)) { yyerror("source/destination address families do not match"); @@ -2433,7 +2440,6 @@ expand_rule(struct ipsec_rule *rule, u_int8_t direction, u_int32_t spi, } expand_any(rule->src); expand_any(rule->dst); - expand_any(rule->peer); for (src = rule->src; src; src = src->next) { for (dst = rule->dst; dst; dst = dst->next) { if (src->af != dst->af) 
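Review bot: expand_rule's return value now carries two meanings that the code leaves implicit: `ret` starts at 1 and is only cleared at `errout`, so a problem already reported through yyerror() (the validate_af mismatch here, or set_rule_peers failing in the next hunk) returns 0 and the parser merely counts the error, while an ipsecctl_add_rule/add_sagroup/reverse_* failure returns 1 and the grammar actions errx(). That split matches the flowrule/ikerule actions above, but it is easy to invert on the next edit; a comment above the definition, `/* Returns 0 when done or when a parse error was already reported via yyerror(); returns 1 only on an internal failure the caller treats as fatal. */`, would pin it. The `errout:`/`out:` labels this depends on are in the following hunk.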
@@ -2443,34 +2449,39 @@ expand_rule(struct ipsec_rule *rule, u_int8_t direction, u_int32_t spi, r->src = copyhost(src); r->dst = copyhost(dst); + if (peers && set_rule_peers(r, peers)) { + ipsecctl_free_rule(r); + goto errout; + } + r->nr = ipsec->rule_nr++; if (ipsecctl_add_rule(ipsec, r)) - return (1); + goto out; if (group && add_sagroup(r)) - return (1); + goto out; if (direction == IPSEC_INOUT) { /* Create and add reverse flow rule. */ revr = reverse_rule(r); if (revr == NULL) - return (1); + goto out; revr->nr = ipsec->rule_nr++; if (ipsecctl_add_rule(ipsec, revr)) - return (1); + goto out; if (group && add_sagroup(revr)) - return (1); + goto out; } else if (spi != 0 || authkey || enckey) { /* Create and add reverse sa rule. */ revr = reverse_sa(r, spi, authkey, enckey); if (revr == NULL) - return (1); + goto out; revr->nr = ipsec->rule_nr++; if (ipsecctl_add_rule(ipsec, revr)) - return (1); + goto out; if (group && add_sagroup(revr)) - return (1); + goto out; } added++; } @@ -2478,8 +2489,16 @@ expand_rule(struct ipsec_rule *rule, u_int8_t direction, u_int32_t spi, if (!added) yyerror("rule expands to no valid combination"); errout: + ret = 0; ipsecctl_free_rule(rule); - return (0); + out: + if (peers) { + if (peers->src) + free(peers->src); + if (peers->dst) + free(peers->dst); + } + return (ret); } struct ipsec_rule * @@ -2530,7 +2549,7 @@ reverse_rule(struct ipsec_rule *rule) } struct ipsec_rule * -create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers, +create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ike_mode *phase1mode, struct ike_mode *phase2mode, u_int8_t satype, u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid, struct ike_auth *authtype, char *tag) @@ -2575,8 +2594,6 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers, return NULL; } - set_rule_peers(r, peers); - r->satype = satype; r->tmode = tmode; r->ikemode = mode; |
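Review bot: The cleanup at `out:` releases only the two wrapper structs with `free(peers->src)` / `free(peers->dst)`; the `name` member that `r->dst->name` in set_rule_peers shows an ipsec_addr_wrap carries is not freed, so if it is heap-allocated by the parser (presumably, as it is printed verbatim) every flow or ike rule with a peer now leaks that string, since the wrapper is copied per expanded rule instead of being handed to it as before. Whatever routine the file uses to dispose of an ipsec_addr_wrap (ipsecctl_free_rule must do this for r->src/r->dst, but its body is outside this diff) should be called here instead, which also removes the `if (peers->src)` / `if (peers->dst)` guards — free(NULL) is a no-op. Because expand_rule now consumes the members of `peers`, the new parameter deserves a comment at the definition, e.g. `/* peers: optional local/peer hosts; their src and dst are freed on return */`. Note also that rules already added for earlier src/dst combinations stay in the ruleset after set_rule_peers fails (ipsecfail3.ok prints the 2.2.2.2 flows after the error), which is harmless only because the error count blocks loading and is worth a one-line comment at `goto errout`.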