summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-03-31 14:27:39 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-03-31 14:27:39 +0000
commit1e30a9e562b4cc683dad031fba68de073895bcd2 (patch)
treeff8f2ba74756b2f713f5aa5d0771acc7ed4c33e8
parent0ec447b528a219adc9d4f77a296381351cf82611 (diff)
ipsec.c: Merge with EOM 1.86
ipsec.h: Merge with EOM 1.33 pf_encap.c: Merge with EOM 1.52 pf_key_v2.c: Merge with EOM 1.3 Fix case of missing client ID payloads, a case the standards allow. Thanks to Michael Paddon (mwp@aba.net.au) for the diffs I based my fix upon. His diff also made me realize I stored the address information in host order in internal structures where I had planned to use network order. Fix this, and remove the XXXes I had due to this elsewhere. Add commentary.
-rw-r--r--sbin/isakmpd/ipsec.c120
-rw-r--r--sbin/isakmpd/ipsec.h6
-rw-r--r--sbin/isakmpd/pf_encap.c10
-rw-r--r--sbin/isakmpd/pf_key_v2.c16
4 files changed, 92 insertions, 60 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 9aee13b7b40..828d68887ef 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: ipsec.c,v 1.8 1999/03/31 00:51:07 niklas Exp $ */
-/* $EOM: ipsec.c,v 1.85 1999/03/30 21:39:42 niklas Exp $ */
+/* $OpenBSD: ipsec.c,v 1.9 1999/03/31 14:27:37 niklas Exp $ */
+/* $EOM: ipsec.c,v 1.86 1999/03/31 14:19:51 niklas Exp $ */
/*
* Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
@@ -79,6 +79,7 @@ static int ipsec_debug_attribute (u_int16_t, u_int8_t *, u_int16_t, void *);
static void ipsec_delete_spi (struct sa *, struct proto *, int);
static u_int16_t *ipsec_exchange_script (u_int8_t);
static void ipsec_finalize_exchange (struct message *);
+static void ipsec_set_network (u_int8_t *, u_int8_t *, struct ipsec_sa *);
static void ipsec_free_exchange_data (void *);
static void ipsec_free_proto_data (void *);
static void ipsec_free_sa_data (void *);
@@ -236,7 +237,8 @@ ipsec_finalize_exchange (struct message *msg)
struct proto *proto, *last_proto = 0;
int initiator = exchange->initiator;
struct timeval expiration;
- int id;
+ struct sockaddr *addr;
+ int len;
switch (exchange->phase)
{
@@ -316,49 +318,42 @@ ipsec_finalize_exchange (struct message *msg)
last_proto = proto;
}
- /* Figure out the networks. */
isa = sa->data;
- id = GET_ISAKMP_ID_TYPE (ie->id_ci);
- switch (id)
- {
- case IPSEC_ID_IPV4_ADDR:
- isa->src_net
- = decode_32 ((initiator ? ie->id_ci : ie->id_cr)
- + ISAKMP_ID_DATA_OFF);
- isa->src_mask = 0xffffffff;
- break;
- case IPSEC_ID_IPV4_ADDR_SUBNET:
- isa->src_net
- = decode_32 ((initiator ? ie->id_ci : ie->id_cr)
- + ISAKMP_ID_DATA_OFF);
- isa->src_mask
- = decode_32 ((initiator ? ie->id_ci : ie->id_cr)
- + ISAKMP_ID_DATA_OFF + 4);
- break;
- }
- id = GET_ISAKMP_ID_TYPE (ie->id_cr);
- switch (id)
+ /*
+ * If client identifiers are not present in the exchange,
+ * we fake them. RFC 2409 states:
+ * The identities of the SAs negotiated in Quick Mode are
+ * implicitly assumed to be the IP addresses of the ISAKMP
+ * peers, without any constraints on the protocol or port
+ * numbers allowed, unless client identifiers are specified
+ * in Quick Mode.
+ *
+ * -- Michael Paddon (mwp@aba.net.au)
+ */
+ if (!ie->id_ci || !ie->id_cr)
{
- case IPSEC_ID_IPV4_ADDR:
- isa->dst_net
- = decode_32 ((initiator ? ie->id_cr : ie->id_ci)
- + ISAKMP_ID_DATA_OFF);
- isa->dst_mask = 0xffffffff;
- break;
- case IPSEC_ID_IPV4_ADDR_SUBNET:
- isa->dst_net
- = decode_32 ((initiator ? ie->id_cr : ie->id_ci)
- + ISAKMP_ID_DATA_OFF);
- isa->dst_mask
- = decode_32 ((initiator ? ie->id_cr : ie->id_ci)
- + ISAKMP_ID_DATA_OFF + 4);
- break;
+ /* Get source address. */
+ msg->transport->vtbl->get_src (msg->transport, &addr, &len);
+ isa->src_net = ((struct sockaddr_in *)addr)->sin_addr.s_addr;
+ isa->src_mask = htonl (0xffffffff);
+
+ /* Get destination address. */
+ msg->transport->vtbl->get_dst (msg->transport, &addr, &len);
+ isa->dst_net = ((struct sockaddr_in *)addr)->sin_addr.s_addr;
+ isa->dst_mask = htonl (0xffffffff);
}
+ else if (initiator)
+ /* Initiator is source, responder is destination. */
+ ipsec_set_network (ie->id_ci, ie->id_cr, isa);
+ else
+ /* Responder is source, initiator is destination. */
+ ipsec_set_network (ie->id_cr, ie->id_ci, isa);
+
log_debug (LOG_MISC, 50,
"ipsec_finalize_exchange: src %x %x dst %x %x",
- isa->src_net, isa->src_mask, isa->dst_net,
- isa->dst_mask);
+ ntohl (isa->src_net), ntohl (isa->src_mask),
+ ntohl (isa->dst_net), ntohl (isa->dst_mask));
if (sysdep_ipsec_enable_sa (sa))
/* XXX Tear down this exchange. */
@@ -374,6 +369,46 @@ ipsec_finalize_exchange (struct message *msg)
}
}
+/* Set the client addresses in ISA from SRC_ID and DST_ID. */
+static void
+ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
+{
+ int id;
+
+ /* Set source address. */
+ id = GET_ISAKMP_ID_TYPE (src_id);
+ switch (id)
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ memcpy (&isa->src_net, src_id + ISAKMP_ID_DATA_OFF, sizeof isa->src_net);
+ isa->src_mask = htonl (0xffffffff);
+ break;
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ memcpy (&isa->src_net, src_id + ISAKMP_ID_DATA_OFF, sizeof isa->src_net);
+ memcpy (&isa->src_mask,
+ src_id + ISAKMP_ID_DATA_OFF + sizeof isa->src_net,
+ sizeof isa->src_mask);
+ break;
+ }
+
+ /* Set destination address. */
+ id = GET_ISAKMP_ID_TYPE (dst_id);
+ switch (id)
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ memcpy (&isa->dst_net, dst_id + ISAKMP_ID_DATA_OFF, sizeof isa->dst_net);
+ isa->dst_mask = htonl (0xffffffff);
+ break;
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ memcpy (&isa->dst_net, dst_id + ISAKMP_ID_DATA_OFF, sizeof isa->dst_net);
+ memcpy (&isa->dst_mask,
+ dst_id + ISAKMP_ID_DATA_OFF + sizeof isa->dst_net,
+ sizeof isa->dst_mask);
+ break;
+ }
+}
+
+/* Free the DOI-specific exchange data pointed to by VIE. */
static void
ipsec_free_exchange_data (void *vie)
{
@@ -405,6 +440,7 @@ ipsec_free_exchange_data (void *vie)
free (ie->hash_r);
}
+/* Free the DOI-specific SA data pointed to by VISA. */
static void
ipsec_free_sa_data (void *visa)
{
@@ -416,6 +452,7 @@ ipsec_free_sa_data (void *visa)
free (isa->skeyid_d);
}
+/* Free the DOI-specific protocol data of an SA pointed to by VIPROTO. */
static void
ipsec_free_proto_data (void *viproto)
{
@@ -427,6 +464,7 @@ ipsec_free_proto_data (void *viproto)
free (iproto->keymat[i]);
}
+/* Return exchange script based on TYPE. */
static u_int16_t *
ipsec_exchange_script (u_int8_t type)
{
@@ -440,7 +478,7 @@ ipsec_exchange_script (u_int8_t type)
return 0;
}
-/* Requires doi_init to already have been called. */
+/* Initialize this DOI, requires doi_init to already have been called. */
void
ipsec_init ()
{
diff --git a/sbin/isakmpd/ipsec.h b/sbin/isakmpd/ipsec.h
index d5a1ec4d8f8..56459512e19 100644
--- a/sbin/isakmpd/ipsec.h
+++ b/sbin/isakmpd/ipsec.h
@@ -1,5 +1,5 @@
-/* $OpenBSD: ipsec.h,v 1.5 1999/02/26 03:44:04 niklas Exp $ */
-/* $EOM: ipsec.h,v 1.32 1999/02/25 09:30:26 niklas Exp $ */
+/* $OpenBSD: ipsec.h,v 1.6 1999/03/31 14:27:37 niklas Exp $ */
+/* $EOM: ipsec.h,v 1.33 1999/03/31 14:19:52 niklas Exp $ */
/*
* Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
@@ -104,7 +104,7 @@ struct ipsec_sa {
/* Phase 2. */
u_int16_t group_desc;
- /* Tunnel parameters. */
+ /* Tunnel parameters. These are in network byte order. */
in_addr_t src_net;
in_addr_t src_mask;
in_addr_t dst_net;
diff --git a/sbin/isakmpd/pf_encap.c b/sbin/isakmpd/pf_encap.c
index 2790140b27a..2a437a7512e 100644
--- a/sbin/isakmpd/pf_encap.c
+++ b/sbin/isakmpd/pf_encap.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: pf_encap.c,v 1.9 1999/03/31 00:51:50 niklas Exp $ */
-/* $EOM: pf_encap.c,v 1.51 1999/03/30 21:43:08 niklas Exp $ */
+/* $OpenBSD: pf_encap.c,v 1.10 1999/03/31 14:27:38 niklas Exp $ */
+/* $EOM: pf_encap.c,v 1.52 1999/03/31 14:19:53 niklas Exp $ */
/*
* Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
@@ -712,10 +712,8 @@ pf_encap_enable_sa (struct sa *sa)
sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
- /* XXX Check why byte ordering is backwards. */
- return pf_encap_enable_spi (htonl (isa->src_net), htonl (isa->src_mask),
- htonl (isa->dst_net), htonl (isa->dst_mask),
- proto->spi[0], proto->proto,
+ return pf_encap_enable_spi (isa->src_net, isa->src_mask, isa->dst_net,
+ isa->dst_mask, proto->spi[0], proto->proto,
((struct sockaddr_in *)dst)->sin_addr.s_addr);
}
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index bae8bef1a40..fa177854852 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: pf_key_v2.c,v 1.2 1999/03/31 01:53:00 niklas Exp $ */
-/* $EOM: pf_key_v2.c,v 1.2 1999/03/31 01:32:57 niklas Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.3 1999/03/31 14:27:38 niklas Exp $ */
+/* $EOM: pf_key_v2.c,v 1.3 1999/03/31 14:19:54 niklas Exp $ */
/*
* Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
@@ -1119,10 +1119,8 @@ pf_key_v2_enable_sa (struct sa *sa)
sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
- /* XXX Check why byte ordering is backwards. */
- return pf_key_v2_flow (htonl (isa->src_net), htonl (isa->src_mask),
- htonl (isa->dst_net), htonl (isa->dst_mask),
- proto->spi[0], proto->proto,
+ return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+ isa->dst_mask, proto->spi[0], proto->proto,
((struct sockaddr_in *)dst)->sin_addr.s_addr, 0);
}
@@ -1137,10 +1135,8 @@ pf_key_v2_disable_sa (struct sa *sa)
sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
- /* XXX Check why byte ordering is backwards. */
- return pf_key_v2_flow (htonl (isa->src_net), htonl (isa->src_mask),
- htonl (isa->dst_net), htonl (isa->dst_mask),
- proto->spi[0], proto->proto,
+ return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+ isa->dst_mask, proto->spi[0], proto->proto,
((struct sockaddr_in *)dst)->sin_addr.s_addr, 1);
}