author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2006-06-02 05:59:32 +0000 |
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2006-06-02 05:59:32 +0000 |
commit | 5f914c0eb1f34f923c5251126ed6a7d2c8663c0d (patch) | |
tree | ed2fb03d3cbcb65638b066a806553fd6c9892616 | |
parent | ad578685d095c60c83441c0b5e2a4fd1e9d18f35 (diff) |
allow specifying phase 1 and 2 lifetimes. Right now, these values
can only be set globally (i.e. Default-phase-[12]-lifetime).
-rw-r--r-- | sbin/ipsecctl/ike.c | 8 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 10 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 4 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 33 |
4 files changed, 49 insertions, 6 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 795577ede8c..095f3ee7024 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.34 2006/06/02 03:40:26 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.35 2006/06/02 05:59:31 hshoexer Exp $ */
 /*
 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
@@ -72,6 +72,12 @@ ike_section_general(struct ipsec_rule *r, FILE *fd)
 fprintf(fd, SET "[General]:DPD-check-interval=%d force\n",
 CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL);
 }
+ if (r->mmlife && r->mmlife->lifetime != -1)
+ fprintf(fd, SET "[General]:Default-phase-1-lifetime=%d force\n",
+ r->mmlife->lifetime);
+ if (r->qmlife && r->mmlife->lifetime != -1)
+ fprintf(fd, SET "[General]:Default-phase-2-lifetime=%d force\n",
+ r->qmlife->lifetime);
 }
 
 static void
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index fe0c8d3745d..4020dcbcb3f 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.54 2006/06/01 17:32:20 naddy Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.55 2006/06/02 05:59:31 hshoexer Exp $ */
 /*
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
@@ -220,6 +220,14 @@ ipsecctl_free_rule(struct ipsec_rule *rp)
 }
 if (rp->xfs)
 free(rp->xfs);
+ if (rp->mmxfs)
+ free(rp->mmxfs);
+ if (rp->qmxfs)
+ free(rp->qmxfs);
+ if (rp->mmlife)
+ free(rp->mmlife);
+ if (rp->qmlife)
+ free(rp->qmlife);
 if (rp->authkey) {
 free(rp->authkey->data);
 free(rp->authkey);
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index c5c0e5ab7bd..c17c7c59905 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.46 2006/06/02 04:51:55 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.47 2006/06/02 05:59:31 hshoexer Exp $ */
 /*
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
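Review bot: The second added guard in ike_section_general checks `r->qmlife` but then reads `r->mmlife->lifetime`, so a rule that carries a quick-mode lifetime without a main-mode block dereferences a NULL `mmlife`, and when both are present the phase-2 line is emitted or suppressed according to the phase-1 value rather than its own. The condition should read `if (r->qmlife && r->qmlife->lifetime != -1)`. ike_section_general begins before this hunk; its closing brace is the last context line before `static void`.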
@@ -169,7 +169,9 @@ struct ipsec_rule {
 struct ike_auth *ikeauth;
 struct ipsec_transforms *xfs;
 struct ipsec_transforms *mmxfs;
+ struct ipsec_life *mmlife;
 struct ipsec_transforms *qmxfs;
+ struct ipsec_life *qmlife;
 struct ipsec_key *authkey;
 struct ipsec_key *enckey;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index d9f2def080f..d1bc03cac6f 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.95 2006/06/02 05:57:05 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.96 2006/06/02 05:59:31 hshoexer Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -148,6 +148,7 @@ void set_ipmask(struct ipsec_addr_wrap *, u_int8_t);
 const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *);
 struct ipsec_life *parse_life(int);
 struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);
+struct ipsec_life *copylife(const struct ipsec_life *);
 struct ipsec_auth *copyipsecauth(const struct ipsec_auth *);
 struct ike_auth *copyikeauth(const struct ike_auth *);
 struct ipsec_key *copykey(struct ipsec_key *);
@@ -655,6 +656,7 @@ mainmode : /* empty */ {
 if ((mm = calloc(1, sizeof(struct ike_mode))) == NULL)
 err(1, "mainmode: calloc");
 mm->xfs = $2;
+ mm->life = $3;
 $$ = mm;
 }
 ;
@@ -673,6 +675,7 @@ quickmode : /* empty */ {
 if ((qm = calloc(1, sizeof(struct ike_mode))) == NULL)
 err(1, "quickmode: calloc");
 qm->xfs = $2;
+ qm->life = $3;
 $$ = qm;
 }
 ;
@@ -684,6 +687,8 @@ life : /* empty */ {
 if ((life = calloc(1, sizeof(struct ipsec_life))) == NULL)
 err(1, "life: calloc");
+ life->lifetime = -1;
+ life->lifevolume = -1;
 $$ = life;
 }
 | LIFE number {
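Review bot: The empty `life` alternative now stores `-1` in `life->lifetime` and `life->lifevolume` as an "unset" marker, and ike.c compares against the same bare `-1`, so the sentinel lives as a magic number in two files. A named constant in ipsecctl.h, for example `#define IPSEC_LIFE_UNSET (-1)` (name constructed here), used both in these assignments and in the `!= -1` comparisons would keep the two sides from drifting. The types of the two fields are not visible in this diff; if they are unsigned, `%d` in ike.c's fprintf would be the wrong conversion for them, which is worth confirming against the struct definition. The `LIFE number` alternative that follows is outside the hunk, so whether it also initialises `lifevolume` cannot be seen here.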
@@ -1696,6 +1701,22 @@ copytransforms(const struct ipsec_transforms *xfs)
 return (newxfs);
 }
 
+struct ipsec_life *
+copylife(const struct ipsec_life *life)
+{
+ struct ipsec_life *newlife;
+
+ if (life == NULL)
+ return (NULL);
+
+ newlife = calloc(1, sizeof(struct ipsec_life));
+ if (newlife == NULL)
+ err(1, "copylife: calloc");
+
+ memcpy(newlife, life, sizeof(struct ipsec_life));
+ return (newlife);
+}
+
 struct ipsec_auth *
 copyipsecauth(const struct ipsec_auth *auth)
 {
@@ -1793,6 +1814,8 @@ copyrule(struct ipsec_rule *rule)
 r->xfs = copytransforms(rule->xfs);
 r->mmxfs = copytransforms(rule->mmxfs);
 r->qmxfs = copytransforms(rule->qmxfs);
+ r->mmlife = copylife(rule->mmlife);
+ r->qmlife = copylife(rule->qmlife);
 r->authkey = copykey(rule->authkey);
 r->enckey = copykey(rule->enckey);
@@ -2238,10 +2261,14 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
 r->satype = satype;
 r->ikemode = mode;
- if (mainmode)
+ if (mainmode) {
 r->mmxfs = mainmode->xfs;
- if (quickmode)
+ r->mmlife = mainmode->life;
+ }
+ if (quickmode) {
 r->qmxfs = quickmode->xfs;
+ r->qmlife = quickmode->life;
+ }
 r->auth = calloc(1, sizeof(struct ipsec_auth));
 if (r->auth == NULL)
 err(1, "create_ike: calloc");
|
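Review bot: copylife zero-fills the new object with calloc and then overwrites every byte of it with memcpy, so the zeroing is wasted and the struct size is spelled out twice; a plain struct assignment, `*newlife = *life;`, in place of the memcpy line says the same thing once. The copy is also shallow: the only members of `struct ipsec_life` visible in this commit are the scalars `lifetime` and `lifevolume`, so that is fine today, but if the struct ever grows a pointer member copyrule's `r->mmlife = copylife(rule->mmlife)` would alias it while ipsecctl_free_rule's `free(rp->mmlife)` would not release it. A one-line comment above the copy, e.g. `/* shallow copy: ipsec_life is expected to hold only scalar fields */`, would record that contract where the next maintainer will see it.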