authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2002-03-17 21:48:07 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2002-03-17 21:48:07 +0000
commitb2f3be2ea2db67c81003cbe0ded62cf01045e61b (patch)
tree140b85bb9914606a8dec37677d3335e831c8d0fc
parentb1c153652482f4a01274f1467de1a1b8f7afccfa (diff)
Add 'T' and 'S' commands (for tearing-down and reporting all Phase 2
SAs), from bdallen@nps.navy.mil
-rw-r--r--sbin/isakmpd/DESIGN-NOTES6
-rw-r--r--sbin/isakmpd/sa.c229
-rw-r--r--sbin/isakmpd/sa.h4
-rw-r--r--sbin/isakmpd/ui.c31
4 files changed, 266 insertions, 4 deletions
diff --git a/sbin/isakmpd/DESIGN-NOTES b/sbin/isakmpd/DESIGN-NOTES
index ee405fdb8c7..eb108b91158 100644
--- a/sbin/isakmpd/DESIGN-NOTES
+++ b/sbin/isakmpd/DESIGN-NOTES
@@ -1,4 +1,4 @@
-$OpenBSD: DESIGN-NOTES,v 1.16 2001/06/27 03:31:39 angelos Exp $
+$OpenBSD: DESIGN-NOTES,v 1.17 2002/03/17 21:48:06 angelos Exp $
$EOM: DESIGN-NOTES,v 1.48 1999/08/12 22:34:25 niklas Exp $
General coding conventions
@@ -218,6 +218,10 @@ d delete Delete an SA given cookies and message-IDs
D debug Change logging level for a debug class
r report Report status information of the daemon
t teardown Teardown a connection
+Q quit Quit the isakmpd process
+R reinitialize Reinitialize isakmpd (re-read configuration file)
+S report SA Report SA information to file /var/run/isakmp_sa
+T teardown all Teardown all Phase 2 connections
For example you can do:
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index e6db7dd6a48..0de4e33fdc2 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.52 2002/01/25 13:46:22 ho Exp $ */
+/* $OpenBSD: sa.c,v 1.53 2002/03/17 21:48:06 angelos Exp $ */
/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
/*
@@ -46,6 +46,7 @@
#include "sysdep.h"
+#include "connection.h"
#include "cookie.h"
#include "doi.h"
#include "exchange.h"
@@ -59,6 +60,11 @@
#include "cert.h"
#include "policy.h"
#include "key.h"
+#include "ipsec.h"
+#include "ipsec_num.h"
+
+/* Outfile for detailed SA information. */
+#define SA_FILE "/var/run/isakmpd_sa"
/* Initial number of bits from the cookies used as hash. */
#define INITIAL_BUCKET_BITS 6
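Review bot: The path in `#define SA_FILE "/var/run/isakmpd_sa"` disagrees with what the same commit documents in DESIGN-NOTES (`/var/run/isakmp_sa`); one of the two needs correcting so operators look in the right place. The file is opened later in this commit with a plain `fopen (SA_FILE, "w")`, so its mode depends on the daemon's umask, yet it lists SA names, peer identities and SPIs for every active connection; creating it with an explicit restrictive mode (`open` with `O_WRONLY|O_CREAT|O_TRUNC, 0600` then `fdopen`) would keep it from other local users. Failing that, the define deserves a comment making the exposure visible, e.g. `/* Mode follows the daemon's umask; contents include peer IDs and SPIs. */`.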
@@ -448,6 +454,144 @@ sa_dump (int cls, int level, char *header, struct sa *sa)
}
}
+/*
+ * Display the SA's two SPI values.
+ */
+static void
+report_spi (FILE *fd, const u_int8_t *buf, size_t sz, int index)
+{
+ char s[73];
+ int i, j;
+
+ {
+ for (i = j = 0; i < sz;)
+ {
+ sprintf (s + j, "%02x", buf[i++]);
+ j += 2;
+ if (i % 4 == 0)
+ {
+ if (i % 32 == 0)
+ {
+ s[j] = '\0';
+ fprintf(fd, "%s", s);
+ j = 0;
+ }
+ else
+ s[j++] = ' ';
+ }
+ }
+ if (j)
+ {
+ s[j] = '\0';
+ fprintf(fd, "SPI %d: %s\n", index, s);
+ }
+ }
+}
+
+
+/*
+ * Display the transform names to file SA_FILE.
+ * Structure is taken from pf_key_v2.c, pf_key_v2_set_spi.
+ * Transform names are taken from /usr/src/sys/crypto/xform.c.
+ */
+static void
+report_proto (FILE *fd, struct proto *proto)
+{
+ int keylen, hashlen;
+ struct ipsec_proto *iproto = proto->data;
+
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ keylen = ipsec_esp_enckeylength (proto);
+ hashlen = ipsec_esp_authkeylength (proto);
+ fprintf(fd, "Transform: IPsec ESP\n");
+ fprintf(fd, "Encryption key length: %d\n", keylen);
+ fprintf(fd, "Authentication key length: %d\n", hashlen);
+
+ switch (proto->id)
+ {
+ case IPSEC_ESP_DES:
+ case IPSEC_ESP_DES_IV32:
+ case IPSEC_ESP_DES_IV64:
+ fprintf(fd, "Encryption algorithm: DES\n");
+ break;
+
+ case IPSEC_ESP_3DES:
+ fprintf(fd, "Encryption algorithm: 3DES\n");
+ break;
+
+ case IPSEC_ESP_AES:
+ fprintf(fd, "Encryption algorithm: Rijndael-128/AES\n");
+ break;
+
+ case IPSEC_ESP_CAST:
+ fprintf(fd, "Encryption algorithm: Cast-128\n");
+ break;
+
+ case IPSEC_ESP_BLOWFISH:
+ fprintf(fd, "Encryption algorithm: Blowfish\n");
+ break;
+
+ default:
+ fprintf(fd, "Unknown encryption algorithm %d\n", proto->id);
+ }
+
+ switch (iproto->auth)
+ {
+ case IPSEC_AUTH_HMAC_MD5:
+ fprintf(fd, "Authentication algorithm: HMAC-MD5\n");
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA:
+ fprintf(fd, "Authentication algorithm: HMAC-SHA1\n");
+ break;
+
+ case IPSEC_AUTH_HMAC_RIPEMD:
+ fprintf(fd, "Authentication algorithm: HMAC-RIPEMD-160\n");
+ break;
+
+ case IPSEC_AUTH_DES_MAC:
+ case IPSEC_AUTH_KPDK:
+ /* XXX We should be supporting KPDK */
+ fprintf(fd, "Unknown authentication algorithm: %d", iproto->auth);
+ break;
+
+ default:
+ fprintf(fd, "Authentication algorithm not used.\n");
+ }
+ break;
+
+ case IPSEC_PROTO_IPSEC_AH:
+ hashlen = ipsec_ah_keylength (proto);
+ fprintf(fd, "Transform: IPsec AH\n");
+ fprintf(fd, "Encryption not used.\n");
+ fprintf(fd, "Authentication key length: %d\n", hashlen);
+
+ switch (proto->id)
+ {
+ case IPSEC_AH_MD5:
+ fprintf(fd, "Authentication algorithm: HMAC-MD5\n");
+ break;
+
+ case IPSEC_AH_SHA:
+ fprintf(fd, "Authentication algorithm: HMAC-SHA1\n");
+ break;
+
+ case IPSEC_AH_RIPEMD:
+ fprintf(fd, "Authentication algorithm: HMAC-RIPEMD-160\n");
+ break;
+
+ default:
+ fprintf(fd, "Unknown authentication algorithm: %d\n", proto->id);
+ }
+ break;
+
+ default:
+ fprintf(fd, "report_proto: invalid proto %d\n", proto->proto);
+ }
+}
+
/* Report all the SAs to the report channel. */
void
sa_report (void)
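Review bot: In report_proto the `IPSEC_AUTH_DES_MAC`/`IPSEC_AUTH_KPDK` case prints `"Unknown authentication algorithm: %d"` without a trailing `\n`, unlike every other line in the function, so the next fprintf is glued onto it; and the `default:` of the same switch reports "Authentication algorithm not used." for any unrecognised value, while the two recognised-but-unsupported values are the ones labelled unknown, which reads inverted. In report_spi, `int i` is compared against `size_t sz`, and the 32-byte flush inside the loop writes the chunk before the `SPI %d:` label is printed, so a long SPI would get its label mid-line; with the 4-byte SPIs used today the visible effect is only a trailing space before the newline. The redundant inner `{ ... }` block around the loop can go as well. Stylistically the new code mixes `fprintf(fd, ...)` with the file's `name (args)` spacing seen in `ipsec_esp_enckeylength (proto)` and `sa_dump (LOG_REPORT, ...)`; the new functions should follow the existing convention.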
@@ -460,6 +604,67 @@ sa_report (void)
sa_dump (LOG_REPORT, 0, "sa_report", sa);
}
+
+/*
+ * Print an SA's connection details to file SA_FILE.
+ */
+static void
+sa_dump_all (FILE *fd, struct sa *sa)
+{
+ struct proto *proto;
+ int i;
+
+ /* SA name and phase. */
+ fprintf(fd, "SA name: %s", sa->name ? sa->name : "<unnamed>");
+ fprintf(fd, " (Phase %d)\n", sa->phase);
+
+ /* Source and destination IPs. */
+ fprintf(fd, sa->transport == NULL ? "<no transport>" :
+ sa->transport->vtbl->decode_ids (sa->transport));
+ fprintf(fd, "\n");
+
+ /* Transform information. */
+ for (proto = TAILQ_FIRST (&sa->protos); proto;
+ proto = TAILQ_NEXT (proto, link))
+ {
+ /* SPI values. */
+ for (i = 0; i < 2; i++)
+ if (proto->spi[i])
+ report_spi(fd, proto->spi[i], proto->spi_sz[i], i);
+ else
+ fprintf(fd, "SPI %d not defined.", i);
+
+ /* Proto values. */
+ report_proto(fd, proto);
+
+ /* SA separator. */
+ fprintf(fd, "\n");
+ }
+}
+
+/* Report info of all SAs to file SA_FILE. */
+void
+sa_report_all (void)
+{
+ int i;
+ FILE *fd;
+ struct sa *sa;
+
+ /* Open SA_FILE. */
+ fd = fopen(SA_FILE, "w");
+
+ /* Start sa_config_report. */
+ for (i = 0; i <= bucket_mask; i++)
+ for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = LIST_NEXT (sa, link))
+ if (sa->phase == 1)
+ fprintf(fd, "SA name: none (phase 1)\n\n");
+ else
+ sa_dump_all (fd, sa);
+
+ /* End sa_config_report. */
+ fclose(fd);
+}
+
/* Free the protocol structure pointed to by PROTO. */
void
proto_free (struct proto *proto)
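Review bot: The first fprintf for the transport in sa_dump_all passes the string returned by `decode_ids` as the format argument, so any `%` in a peer identity is interpreted as a conversion specifier; it should be `fprintf (fd, "%s", sa->transport == NULL ? "<no transport>" : sa->transport->vtbl->decode_ids (sa->transport));`. In sa_report_all the result of `fopen (SA_FILE, "w")` is never checked, so a failed open (missing or unwritable directory) makes every following fprintf dereference NULL; add `if (!fd) { log_error ("sa_report_all: fopen (\"%s\", \"w\") failed", SA_FILE); return; }` before the loop. The `"SPI %d not defined."` message also lacks the `\n` that the other lines end with, and the return value of `fclose` is ignored, which is the only place a write error would surface.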
@@ -695,6 +900,28 @@ sa_delete (struct sa *sa, int notify)
sa_free (sa);
}
+
+/* Teardown all SAs. */
+void
+sa_teardown_all (void)
+{
+ int i;
+ struct sa *sa;
+
+ LOG_DBG((LOG_MISC, 70, "sa_teardown_all.a"));
+ /* Get Phase 2 SAs. */
+ for (i = 0; i <= bucket_mask; i++)
+ for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = LIST_NEXT (sa, link))
+ if (sa->phase == 2)
+ {
+ /* Teardown the phase 2 SAs by name, similar to ui_teardown. */
+ LOG_DBG((LOG_MISC, 70, "sa_teardown_all: tearing down SA %s",
+ sa->name));
+ connection_teardown (sa->name);
+ sa_delete (sa, 1);
+ }
+}
+
/*
* This function will get called when we are closing in on the death time of SA
*/
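Review bot: The inner loop in sa_teardown_all calls `sa_delete (sa, 1)` and then evaluates `LIST_NEXT (sa, link)` on the same element; sa_delete ends in `sa_free` (visible in the context above), so if that drops the last reference the successor is read from freed memory, and if it merely unlinks the element the walk continues through an object no longer in the table. Fetch the successor before deleting, as below. `sa->name` can also be NULL (sa_dump_all in this commit guards it), so the `%s` in the LOG_DBG and the `connection_teardown (sa->name)` call should be guarded unless connection_teardown is known to tolerate NULL.
```c
sa_teardown_all (void)
{
  int i;
  struct sa *sa, *next;

  LOG_DBG((LOG_MISC, 70, "sa_teardown_all.a"));
  /* Get Phase 2 SAs.  */
  for (i = 0; i <= bucket_mask; i++)
    for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = next)
      {
	/* sa_delete may release SA, so fetch the successor first.  */
	next = LIST_NEXT (sa, link);
	if (sa->phase == 2)
	  {
	    /* Teardown the phase 2 SAs by name, similar to ui_teardown.  */
	    LOG_DBG((LOG_MISC, 70, "sa_teardown_all: tearing down SA %s",
		     sa->name ? sa->name : "<unnamed>"));
	    if (sa->name)
	      connection_teardown (sa->name);
	    sa_delete (sa, 1);
	  }
      }
}
```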
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index 831c1c2001c..a226896b476 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.25 2002/01/25 13:46:22 ho Exp $ */
+/* $OpenBSD: sa.h,v 1.26 2002/03/17 21:48:06 angelos Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
/*
@@ -211,6 +211,7 @@ extern int sa_add_transform (struct sa *, struct payload *, int,
extern int sa_create (struct exchange *, struct transport *);
extern int sa_enter (struct sa *);
extern void sa_delete (struct sa *, int);
+extern void sa_teardown_all (void);
extern struct sa *sa_find (int (*) (struct sa *, void *), void *);
extern int sa_flag (char *);
extern void sa_free (struct sa *);
@@ -229,5 +230,6 @@ extern void sa_release (struct sa *);
extern void sa_remove (struct sa *);
extern void sa_report (void);
extern void sa_dump (int, int, char *, struct sa *);
+extern void sa_report_all (void);
extern int sa_setup_expirations (struct sa *);
#endif /* _SA_H_ */
diff --git a/sbin/isakmpd/ui.c b/sbin/isakmpd/ui.c
index 8209c476c54..a7b4db51959 100644
--- a/sbin/isakmpd/ui.c
+++ b/sbin/isakmpd/ui.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui.c,v 1.26 2001/12/11 01:43:54 ho Exp $ */
+/* $OpenBSD: ui.c,v 1.27 2002/03/17 21:48:06 angelos Exp $ */
/* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */
/*
@@ -63,6 +63,11 @@
/* from isakmpd.c */
void daemon_shutdown_now (int);
+/* Report all SA configuration information. */
+void ui_report_sa (char *cmd);
+/* Issue SIGHUP. */
+void ui_sighup (char *cmd);
+
char *ui_fifo = FIFO;
int ui_socket;
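Review bot: `void ui_sighup (char *cmd);` is declared here but no definition of ui_sighup appears anywhere in this commit, so the prototype is dead and should be dropped (or the function added). `ui_report_sa` is declared with external linkage while its sibling `ui_teardown_all` in the hunk below is `static`; since ui_report_sa is defined ahead of ui_handle_command (the hunk at ui_report), the forward declaration is unnecessary and the definition can simply be `static void ui_report_sa (char *cmd)`, matching the other command handlers in this file.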
@@ -133,6 +138,14 @@ ui_teardown (char *cmd)
sa_delete (sa, 1);
}
+/* Tear down all phase 2 connections. */
+static void
+ui_teardown_all (char *cmd)
+{
+ /* Skip 'cmd' as arg. */
+ sa_teardown_all();
+}
+
/*
* Call the configuration API.
* XXX Error handling! How to do multi-line transactions? Too short arbitrary
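Review bot: The body comment `/* Skip 'cmd' as arg. */` in ui_teardown_all (and the questioning `/* Skip 'cmd' as arg? */` in ui_report_sa in a later hunk) does not say why the parameter is ignored; a reader has to infer it from the dispatcher. State the contract instead, e.g. `/* CMD is ignored: the 'T' command takes no arguments.  */` here and the equivalent for 'S' in ui_report_sa, and drop the question mark, which reads as an unresolved TODO.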
@@ -307,6 +320,14 @@ ui_report (char *cmd)
conf_report ();
}
+/* Report all SA configuration information. */
+void
+ui_report_sa (char *cmd)
+{
+ /* Skip 'cmd' as arg? */
+ sa_report_all ();
+}
+
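Review bot: The header comment `/* Report all SA configuration information. */` on ui_report_sa does not say where the report goes, and since the neighbouring 'r' command reports to the log channel, a reader will assume the same; the output actually goes to the file written by sa_report_all. Suggest `/* Write details of all SAs to the SA report file (see sa_report_all).  */` so the difference from ui_report is visible at the call site.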
/*
* Call the relevant command handler based on the first character of the
* line (the command).
@@ -347,6 +368,10 @@ ui_handle_command (char *line)
reinit ();
break;
+ case 'S':
+ ui_report_sa (line);
+ break;
+
case 'r':
ui_report (line);
break;
@@ -355,6 +380,10 @@ ui_handle_command (char *line)
ui_teardown (line);
break;
+ case 'T':
+ ui_teardown_all (line);
+ break;
+
default:
log_print ("ui_handle_messages: unrecognized command: '%c'", line[0]);
}