diff options
author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2002-03-17 21:48:07 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2002-03-17 21:48:07 +0000 |
commit | b2f3be2ea2db67c81003cbe0ded62cf01045e61b (patch) | |
tree | 140b85bb9914606a8dec37677d3335e831c8d0fc | |
parent | b1c153652482f4a01274f1467de1a1b8f7afccfa (diff) |
Add 'T' and 'S' commands (for tearing-down and reporting all Phase 2
SAs), from bdallen@nps.navy.mil
-rw-r--r-- | sbin/isakmpd/DESIGN-NOTES | 6 | ||||
-rw-r--r-- | sbin/isakmpd/sa.c | 229 | ||||
-rw-r--r-- | sbin/isakmpd/sa.h | 4 | ||||
-rw-r--r-- | sbin/isakmpd/ui.c | 31 |
4 files changed, 266 insertions, 4 deletions
diff --git a/sbin/isakmpd/DESIGN-NOTES b/sbin/isakmpd/DESIGN-NOTES index ee405fdb8c7..eb108b91158 100644 --- a/sbin/isakmpd/DESIGN-NOTES +++ b/sbin/isakmpd/DESIGN-NOTES @@ -1,4 +1,4 @@ -$OpenBSD: DESIGN-NOTES,v 1.16 2001/06/27 03:31:39 angelos Exp $ +$OpenBSD: DESIGN-NOTES,v 1.17 2002/03/17 21:48:06 angelos Exp $ $EOM: DESIGN-NOTES,v 1.48 1999/08/12 22:34:25 niklas Exp $ General coding conventions @@ -218,6 +218,10 @@ d delete Delete an SA given cookies and message-IDs D debug Change logging level for a debug class r report Report status information of the daemon t teardown Teardown a connection +Q quit Quit the isakmpd process +R reinitialize Reinitialize isakmpd (re-read configuration file) +S report SA Report SA information to file /var/run/isakmp_sa +T teardown all Teardown all Phase 2 connections For example you can do: diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c index e6db7dd6a48..0de4e33fdc2 100644 --- a/sbin/isakmpd/sa.c +++ b/sbin/isakmpd/sa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sa.c,v 1.52 2002/01/25 13:46:22 ho Exp $ */ +/* $OpenBSD: sa.c,v 1.53 2002/03/17 21:48:06 angelos Exp $ */ /* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */ /* @@ -46,6 +46,7 @@ #include "sysdep.h" +#include "connection.h" #include "cookie.h" #include "doi.h" #include "exchange.h" @@ -59,6 +60,11 @@ #include "cert.h" #include "policy.h" #include "key.h" +#include "ipsec.h" +#include "ipsec_num.h" + +/* Outfile for detailed SA information. */ +#define SA_FILE "/var/run/isakmpd_sa" /* Initial number of bits from the cookies used as hash. */ #define INITIAL_BUCKET_BITS 6 @@ -448,6 +454,144 @@ sa_dump (int cls, int level, char *header, struct sa *sa) } } +/* + * Display the SA's two SPI values. + */ +static void +report_spi (FILE *fd, const u_int8_t *buf, size_t sz, int index) +{ + char s[73]; + int i, j; + + { + for (i = j = 0; i < sz;) + { + sprintf (s + j, "%02x", buf[i++]); + j += 2; + if (i % 4 == 0) + { + if (i % 32 == 0) + { + s[j] = '\0'; + fprintf(fd, "%s", s); + j = 0; + } + else + s[j++] = ' '; + } + } + if (j) + { + s[j] = '\0'; + fprintf(fd, "SPI %d: %s\n", index, s); + } + } +} + + +/* + * Display the transform names to file SA_FILE. + * Structure is taken from pf_key_v2.c, pf_key_v2_set_spi. + * Transform names are taken from /usr/src/sys/crypto/xform.c. + */ +static void +report_proto (FILE *fd, struct proto *proto) +{ + int keylen, hashlen; + struct ipsec_proto *iproto = proto->data; + + switch (proto->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + keylen = ipsec_esp_enckeylength (proto); + hashlen = ipsec_esp_authkeylength (proto); + fprintf(fd, "Transform: IPsec ESP\n"); + fprintf(fd, "Encryption key length: %d\n", keylen); + fprintf(fd, "Authentication key length: %d\n", hashlen); + + switch (proto->id) + { + case IPSEC_ESP_DES: + case IPSEC_ESP_DES_IV32: + case IPSEC_ESP_DES_IV64: + fprintf(fd, "Encryption algorithm: DES\n"); + break; + + case IPSEC_ESP_3DES: + fprintf(fd, "Encryption algorithm: 3DES\n"); + break; + + case IPSEC_ESP_AES: + fprintf(fd, "Encryption algorithm: Rijndael-128/AES\n"); + break; + + case IPSEC_ESP_CAST: + fprintf(fd, "Encryption algorithm: Cast-128\n"); + break; + + case IPSEC_ESP_BLOWFISH: + fprintf(fd, "Encryption algorithm: Blowfish\n"); + break; + + default: + fprintf(fd, "Unknown encryption algorithm %d\n", proto->id); + } + + switch (iproto->auth) + { + case IPSEC_AUTH_HMAC_MD5: + fprintf(fd, "Authentication algorithm: HMAC-MD5\n"); + break; + + case IPSEC_AUTH_HMAC_SHA: + fprintf(fd, "Authentication algorithm: HMAC-SHA1\n"); + break; + + case IPSEC_AUTH_HMAC_RIPEMD: + fprintf(fd, "Authentication algorithm: HMAC-RIPEMD-160\n"); + break; + + case IPSEC_AUTH_DES_MAC: + case IPSEC_AUTH_KPDK: + /* XXX We should be supporting KPDK */ + fprintf(fd, "Unknown authentication algorithm: %d", iproto->auth); + break; + + default: + fprintf(fd, "Authentication algorithm not used.\n"); + } + break; + + case IPSEC_PROTO_IPSEC_AH: + hashlen = ipsec_ah_keylength (proto); + fprintf(fd, "Transform: IPsec AH\n"); + fprintf(fd, "Encryption not used.\n"); + fprintf(fd, "Authentication key length: %d\n", hashlen); + + switch (proto->id) + { + case IPSEC_AH_MD5: + fprintf(fd, "Authentication algorithm: HMAC-MD5\n"); + break; + + case IPSEC_AH_SHA: + fprintf(fd, "Authentication algorithm: HMAC-SHA1\n"); + break; + + case IPSEC_AH_RIPEMD: + fprintf(fd, "Authentication algorithm: HMAC-RIPEMD-160\n"); + break; + + default: + fprintf(fd, "Unknown authentication algorithm: %d\n", proto->id); + } + break; + + default: + fprintf(fd, "report_proto: invalid proto %d\n", proto->proto); + } +} + /* Report all the SAs to the report channel. */ void sa_report (void) @@ -460,6 +604,67 @@ sa_report (void) sa_dump (LOG_REPORT, 0, "sa_report", sa); } + +/* + * Print an SA's connection details to file SA_FILE. + */ +static void +sa_dump_all (FILE *fd, struct sa *sa) +{ + struct proto *proto; + int i; + + /* SA name and phase. */ + fprintf(fd, "SA name: %s", sa->name ? sa->name : "<unnamed>"); + fprintf(fd, " (Phase %d)\n", sa->phase); + + /* Source and destination IPs. */ + fprintf(fd, sa->transport == NULL ? "<no transport>" : + sa->transport->vtbl->decode_ids (sa->transport)); + fprintf(fd, "\n"); + + /* Transform information. */ + for (proto = TAILQ_FIRST (&sa->protos); proto; + proto = TAILQ_NEXT (proto, link)) + { + /* SPI values. */ + for (i = 0; i < 2; i++) + if (proto->spi[i]) + report_spi(fd, proto->spi[i], proto->spi_sz[i], i); + else + fprintf(fd, "SPI %d not defined.", i); + + /* Proto values. */ + report_proto(fd, proto); + + /* SA separator. */ + fprintf(fd, "\n"); + } +} + +/* Report info of all SAs to file SA_FILE. */ +void +sa_report_all (void) +{ + int i; + FILE *fd; + struct sa *sa; + + /* Open SA_FILE. */ + fd = fopen(SA_FILE, "w"); + + /* Start sa_config_report. */ + for (i = 0; i <= bucket_mask; i++) + for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = LIST_NEXT (sa, link)) + if (sa->phase == 1) + fprintf(fd, "SA name: none (phase 1)\n\n"); + else + sa_dump_all (fd, sa); + + /* End sa_config_report. */ + fclose(fd); +} + /* Free the protocol structure pointed to by PROTO. */ void proto_free (struct proto *proto) @@ -695,6 +900,28 @@ sa_delete (struct sa *sa, int notify) sa_free (sa); } + +/* Teardown all SAs. */ +void +sa_teardown_all (void) +{ + int i; + struct sa *sa; + + LOG_DBG((LOG_MISC, 70, "sa_teardown_all.a")); + /* Get Phase 2 SAs. */ + for (i = 0; i <= bucket_mask; i++) + for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = LIST_NEXT (sa, link)) + if (sa->phase == 2) + { + /* Teardown the phase 2 SAs by name, similar to ui_teardown. */ + LOG_DBG((LOG_MISC, 70, "sa_teardown_all: tearing down SA %s", + sa->name)); + connection_teardown (sa->name); + sa_delete (sa, 1); + } +} + /* * This function will get called when we are closing in on the death time of SA */ diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h index 831c1c2001c..a226896b476 100644 --- a/sbin/isakmpd/sa.h +++ b/sbin/isakmpd/sa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sa.h,v 1.25 2002/01/25 13:46:22 ho Exp $ */ +/* $OpenBSD: sa.h,v 1.26 2002/03/17 21:48:06 angelos Exp $ */ /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */ /* @@ -211,6 +211,7 @@ extern int sa_add_transform (struct sa *, struct payload *, int, extern int sa_create (struct exchange *, struct transport *); extern int sa_enter (struct sa *); extern void sa_delete (struct sa *, int); +extern void sa_teardown_all (void); extern struct sa *sa_find (int (*) (struct sa *, void *), void *); extern int sa_flag (char *); extern void sa_free (struct sa *); @@ -229,5 +230,6 @@ extern void sa_release (struct sa *); extern void sa_remove (struct sa *); extern void sa_report (void); extern void sa_dump (int, int, char *, struct sa *); +extern void sa_report_all (void); extern int sa_setup_expirations (struct sa *); #endif /* _SA_H_ */ diff --git a/sbin/isakmpd/ui.c b/sbin/isakmpd/ui.c index 8209c476c54..a7b4db51959 100644 --- a/sbin/isakmpd/ui.c +++ b/sbin/isakmpd/ui.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ui.c,v 1.26 2001/12/11 01:43:54 ho Exp $ */ +/* $OpenBSD: ui.c,v 1.27 2002/03/17 21:48:06 angelos Exp $ */ /* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */ /* @@ -63,6 +63,11 @@ /* from isakmpd.c */ void daemon_shutdown_now (int); +/* Report all SA configuration information. */ +void ui_report_sa (char *cmd); +/* Issue SIGHUP. */ +void ui_sighup (char *cmd); + char *ui_fifo = FIFO; int ui_socket; @@ -133,6 +138,14 @@ ui_teardown (char *cmd) sa_delete (sa, 1); } +/* Tear down all phase 2 connections. */ +static void +ui_teardown_all (char *cmd) +{ + /* Skip 'cmd' as arg. */ + sa_teardown_all(); +} + /* * Call the configuration API. * XXX Error handling! How to do multi-line transactions? Too short arbitrary @@ -307,6 +320,14 @@ ui_report (char *cmd) conf_report (); } +/* Report all SA configuration information. */ +void +ui_report_sa (char *cmd) +{ + /* Skip 'cmd' as arg? */ + sa_report_all (); +} + /* * Call the relevant command handler based on the first character of the * line (the command). @@ -347,6 +368,10 @@ ui_handle_command (char *line) reinit (); break; + case 'S': + ui_report_sa (line); + break; + case 'r': ui_report (line); break; @@ -355,6 +380,10 @@ ui_handle_command (char *line) ui_teardown (line); break; + case 'T': + ui_teardown_all (line); + break; + default: log_print ("ui_handle_messages: unrecognized command: '%c'", line[0]); } |