authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-06-02 05:59:32 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2006-06-02 05:59:32 +0000
commit5f914c0eb1f34f923c5251126ed6a7d2c8663c0d (patch)
treeed2fb03d3cbcb65638b066a806553fd6c9892616
parentad578685d095c60c83441c0b5e2a4fd1e9d18f35 (diff)
allow to specify phase 1 and 2 lifetimes. Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).
-rw-r--r--sbin/ipsecctl/ike.c8
-rw-r--r--sbin/ipsecctl/ipsecctl.c10
-rw-r--r--sbin/ipsecctl/ipsecctl.h4
-rw-r--r--sbin/ipsecctl/parse.y33
4 files changed, 49 insertions, 6 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 795577ede8c..095f3ee7024 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.34 2006/06/02 03:40:26 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.35 2006/06/02 05:59:31 hshoexer Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -72,6 +72,12 @@ ike_section_general(struct ipsec_rule *r, FILE *fd)
fprintf(fd, SET "[General]:DPD-check-interval=%d force\n",
CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL);
}
+ if (r->mmlife && r->mmlife->lifetime != -1)
+ fprintf(fd, SET "[General]:Default-phase-1-lifetime=%d force\n",
+ r->mmlife->lifetime);
+ if (r->qmlife && r->mmlife->lifetime != -1)
+ fprintf(fd, SET "[General]:Default-phase-2-lifetime=%d force\n",
+ r->qmlife->lifetime);
}
static void
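Review bot: The phase-2 guard on the fourth added line tests the wrong object: `if (r->qmlife && r->mmlife->lifetime != -1)` dereferences `r->mmlife`, which is NULL when a rule carries only a quickmode lifetime, and it also decides whether to emit the phase-2 value based on the phase-1 setting. It should read `if (r->qmlife && r->qmlife->lifetime != -1)`, mirroring the phase-1 check two lines above. Note that both values are written into the `[General]` section as `Default-phase-{1,2}-lifetime ... force`, so with several rules the last one emitted wins; the commit message acknowledges this is global for now, but a one-line comment saying so above the two checks would save the next reader from expecting per-rule scope. The body of ike_section_general starts outside the hunk.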
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index fe0c8d3745d..4020dcbcb3f 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.54 2006/06/01 17:32:20 naddy Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.55 2006/06/02 05:59:31 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -220,6 +220,14 @@ ipsecctl_free_rule(struct ipsec_rule *rp)
}
if (rp->xfs)
free(rp->xfs);
+ if (rp->mmxfs)
+ free(rp->mmxfs);
+ if (rp->qmxfs)
+ free(rp->qmxfs);
+ if (rp->mmlife)
+ free(rp->mmlife);
+ if (rp->qmlife)
+ free(rp->qmlife);
if (rp->authkey) {
free(rp->authkey->data);
free(rp->authkey);
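Review bot: The four new `if (rp->...) free(rp->...);` pairs are a point of style only: `free(NULL)` is a no-op, so each guard could collapse to a bare `free(rp->mmxfs);` and so on. They do match the existing `rp->xfs` check directly above, so keeping them for consistency is defensible; if you keep them, the same pattern should be applied wherever `copyrule` and `create_ike` hand ownership of `mmlife`/`qmlife` to the rule, since this is now the only place they are released. ipsecctl_free_rule continues outside the hunk on both sides.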
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index c5c0e5ab7bd..c17c7c59905 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.46 2006/06/02 04:51:55 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.47 2006/06/02 05:59:31 hshoexer Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -169,7 +169,9 @@ struct ipsec_rule {
struct ike_auth *ikeauth;
struct ipsec_transforms *xfs;
struct ipsec_transforms *mmxfs;
+ struct ipsec_life *mmlife;
struct ipsec_transforms *qmxfs;
+ struct ipsec_life *qmlife;
struct ipsec_key *authkey;
struct ipsec_key *enckey;
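Review bot: The two new `struct ipsec_life *` members carry an unset convention that is only visible in parse.y (the `life` rule initialises `lifetime` and `lifevolume` to -1) and in ike.c (which skips emission when `lifetime != -1` fails), so the header should state it next to the fields: `struct ipsec_life *mmlife; /* phase 1 lifetime; NULL or lifetime == -1 means not set */` and the same wording for `qmlife` with phase 2. Naming the sentinel (e.g. a `#define` in this header) would let both consumers refer to one value instead of a bare -1. struct ipsec_rule begins and ends outside the hunk.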
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index d9f2def080f..d1bc03cac6f 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.95 2006/06/02 05:57:05 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.96 2006/06/02 05:59:31 hshoexer Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -148,6 +148,7 @@ void set_ipmask(struct ipsec_addr_wrap *, u_int8_t);
const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *);
struct ipsec_life *parse_life(int);
struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);
+struct ipsec_life *copylife(const struct ipsec_life *);
struct ipsec_auth *copyipsecauth(const struct ipsec_auth *);
struct ike_auth *copyikeauth(const struct ike_auth *);
struct ipsec_key *copykey(struct ipsec_key *);
@@ -655,6 +656,7 @@ mainmode : /* empty */ {
if ((mm = calloc(1, sizeof(struct ike_mode))) == NULL)
err(1, "mainmode: calloc");
mm->xfs = $2;
+ mm->life = $3;
$$ = mm;
}
;
@@ -673,6 +675,7 @@ quickmode : /* empty */ {
if ((qm = calloc(1, sizeof(struct ike_mode))) == NULL)
err(1, "quickmode: calloc");
qm->xfs = $2;
+ qm->life = $3;
$$ = qm;
}
;
@@ -684,6 +687,8 @@ life : /* empty */ {
if ((life = calloc(1, sizeof(struct ipsec_life)))
== NULL)
err(1, "life: calloc");
+ life->lifetime = -1;
+ life->lifevolume = -1;
$$ = life;
}
| LIFE number {
@@ -1696,6 +1701,22 @@ copytransforms(const struct ipsec_transforms *xfs)
return (newxfs);
}
+struct ipsec_life *
+copylife(const struct ipsec_life *life)
+{
+ struct ipsec_life *newlife;
+
+ if (life == NULL)
+ return (NULL);
+
+ newlife = calloc(1, sizeof(struct ipsec_life));
+ if (newlife == NULL)
+ err(1, "copylife: calloc");
+
+ memcpy(newlife, life, sizeof(struct ipsec_life));
+ return (newlife);
+}
+
struct ipsec_auth *
copyipsecauth(const struct ipsec_auth *auth)
{
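Review bot: In copylife the `calloc` followed by a full `memcpy` of `sizeof(struct ipsec_life)` is doing the zeroing twice; since every byte is overwritten, a plain struct assignment `*newlife = *life;` after the allocation is clearer and avoids the duplicated size expression, and `sizeof *newlife` ties the size to the variable rather than the type. The NULL-in/NULL-out contract and the `err(1, ...)` on allocation failure match the neighbouring copy helpers, which is good; a short comment above the function stating that the caller owns the returned object and releases it in ipsecctl_free_rule would document the ownership hand-off that copyrule relies on.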
@@ -1793,6 +1814,8 @@ copyrule(struct ipsec_rule *rule)
r->xfs = copytransforms(rule->xfs);
r->mmxfs = copytransforms(rule->mmxfs);
r->qmxfs = copytransforms(rule->qmxfs);
+ r->mmlife = copylife(rule->mmlife);
+ r->qmlife = copylife(rule->qmlife);
r->authkey = copykey(rule->authkey);
r->enckey = copykey(rule->enckey);
@@ -2238,10 +2261,14 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
r->satype = satype;
r->ikemode = mode;
- if (mainmode)
+ if (mainmode) {
r->mmxfs = mainmode->xfs;
- if (quickmode)
+ r->mmlife = mainmode->life;
+ }
+ if (quickmode) {
r->qmxfs = quickmode->xfs;
+ r->qmlife = quickmode->life;
+ }
r->auth = calloc(1, sizeof(struct ipsec_auth));
if (r->auth == NULL)
err(1, "create_ike: calloc");