diff options
author | Hakan Olsson <ho@cvs.openbsd.org> | 2004-05-19 14:30:27 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2004-05-19 14:30:27 +0000 |
commit | 523984cbb72a86146c0f75d2ae4c5e71f2f4fd1e (patch) | |
tree | 5491d3728dfc32f6ef7e834c82cc0ee5409ab63c | |
parent | 8c69b6bafacdeed4ca1909535360f09009a7516d (diff) |
Permit symbolic protocol and service names, such as "Protocol= tcp", in the
<IPsec-ID> sections. hshoexer@ ok
-rw-r--r-- | sbin/isakmpd/ipsec.c | 92 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.c | 7 |
2 files changed, 71 insertions, 28 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c index d570759467b..2a224c0b694 100644 --- a/sbin/isakmpd/ipsec.c +++ b/sbin/isakmpd/ipsec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec.c,v 1.89 2004/04/15 18:39:25 deraadt Exp $ */ +/* $OpenBSD: ipsec.c,v 1.90 2004/05/19 14:30:26 ho Exp $ */ /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */ /* @@ -1699,6 +1699,49 @@ ipsec_keymat_length(struct proto * proto) } } +/* Helper function for ipsec_get_id(). */ +static int +ipsec_get_proto_port(char *section, u_int8_t *tproto, u_int16_t *port) +{ + struct protoent *pe = NULL; + struct servent *se; + char *pstr; + + pstr = conf_get_str(section, "Protocol"); + if (!pstr) { + *tproto = 0; + return 0; + } + *tproto = (u_int8_t)atoi(pstr); + if (!*tproto) { + pe = getprotobyname(pstr); + if (pe) + *tproto = pe->p_proto; + } + if (!*tproto) { + log_print("ipsec_get_proto_port: protocol \"%s\" unknown", + pstr); + return -1; + } + + pstr = conf_get_str(section, "Port"); + if (!pstr) + return 0; + *port = (u_int16_t)atoi(pstr); + if (!*port) { + se = getservbyname(pstr, + pe ? pe->p_name : (pstr ? pstr : NULL)); + if (se) + *port = se->s_port; + } + if (!*port) { + log_print("ipsec_get_proto_port: port \"%s\" unknown", + pstr); + return -1; + } + return 0; +} + /* * Out of a named section SECTION in the configuration file find out * the network address and mask as well as the ID type. Put the info @@ -1706,14 +1749,15 @@ ipsec_keymat_length(struct proto * proto) * Return 0 on success and -1 on failure. */ int -ipsec_get_id(char *section, int *id, struct sockaddr ** addr, - struct sockaddr ** mask, u_int8_t * tproto, u_int16_t * port) +ipsec_get_id(char *section, int *id, struct sockaddr **addr, + struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port) { - char *type, *address, *netmask; + char *type, *address, *netmask; type = conf_get_str(section, "ID-type"); if (!type) { - log_print("ipsec_get_id: section %s has no \"ID-type\" tag", section); + log_print("ipsec_get_id: section %s has no \"ID-type\" tag", + section); return -1; } *id = constant_value(ipsec_id_cst, type); @@ -1722,19 +1766,16 @@ ipsec_get_id(char *section, int *id, struct sockaddr ** addr, case IPSEC_ID_IPV6_ADDR: address = conf_get_str(section, "Address"); if (!address) { - log_print("ipsec_get_id: section %s has no \"Address\" tag", - section); + log_print("ipsec_get_id: section %s has no " + "\"Address\" tag", section); return -1; } if (text2sockaddr(address, NULL, addr)) { - log_print("ipsec_get_id: invalid address %s in section %s", address, - section); + log_print("ipsec_get_id: invalid address %s in " + "section %s", address, section); return -1; } - *tproto = conf_get_num(section, "Protocol", 0); - if (*tproto) - *port = conf_get_num(section, "Port", 0); - break; + return ipsec_get_proto_port(section, tproto, port); #ifdef notyet case IPSEC_ID_FQDN: @@ -1748,30 +1789,27 @@ ipsec_get_id(char *section, int *id, struct sockaddr ** addr, case IPSEC_ID_IPV6_ADDR_SUBNET: address = conf_get_str(section, "Network"); if (!address) { - log_print("ipsec_get_id: section %s has no \"Network\" tag", - section); + log_print("ipsec_get_id: section %s has no " + "\"Network\" tag", section); return -1; } if (text2sockaddr(address, NULL, addr)) { - log_print("ipsec_get_id: invalid section %s network %s", section, - address); + log_print("ipsec_get_id: invalid section %s " + "network %s", section, address); return -1; } netmask = conf_get_str(section, "Netmask"); if (!netmask) { - log_print("ipsec_get_id: section %s has no \"Netmask\" tag", - section); + log_print("ipsec_get_id: section %s has no " + "\"Netmask\" tag", section); return -1; } if (text2sockaddr(netmask, NULL, mask)) { - log_print("ipsec_id_build: invalid section %s network %s", section, - netmask); + log_print("ipsec_id_build: invalid section %s " + "network %s", section, netmask); return -1; } - *tproto = conf_get_num(section, "Protocol", 0); - if (*tproto) - *port = conf_get_num(section, "Port", 0); - break; + return ipsec_get_proto_port(section, tproto, port); #ifdef notyet case IPSEC_ID_IPV4_RANGE: @@ -1791,8 +1829,8 @@ ipsec_get_id(char *section, int *id, struct sockaddr ** addr, #endif default: - log_print("ipsec_get_id: unknown ID type \"%s\" in section %s", type, - section); + log_print("ipsec_get_id: unknown ID type \"%s\" in " + "section %s", type, section); return -1; } diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c index bdb61b733fd..f8dc4d7b7b1 100644 --- a/sbin/isakmpd/isakmpd.c +++ b/sbin/isakmpd/isakmpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: isakmpd.c,v 1.61 2004/04/15 18:39:26 deraadt Exp $ */ +/* $OpenBSD: isakmpd.c,v 1.62 2004/05/19 14:30:26 ho Exp $ */ /* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */ /* @@ -40,6 +40,7 @@ #include <stdlib.h> #include <string.h> #include <time.h> +#include <netdb.h> #include <unistd.h> #include <fcntl.h> @@ -376,6 +377,10 @@ main(int argc, char *argv[]) parse_args(argc, argv); log_init(debug); + /* Open protocols and services databases. */ + setprotoent(1); + setservent(1); + /* * Do a clean daemon shutdown on TERM/INT. These signals must be * initialized before monitor_init(). INT is only used with '-d'. |