author | Reyk Floeter <reyk@cvs.openbsd.org> | 2006-01-16 23:57:21 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2006-01-16 23:57:21 +0000 |
commit | 8507d5ed84a7c901a192d08a29970726415afa65 (patch) | |
tree | fc0b39eded2b01ba40687e6a318b2ca680655ad7 | |
parent | b7ffe7e87ee21e1dff5302e470d7b9490c931053 (diff) |
add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
-rw-r--r-- | sbin/ipsecctl/ike.c | 23 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 17 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 7 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 16 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 48 |
5 files changed, 71 insertions, 40 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c index 8ad16893049..18015850ab4 100644 --- a/sbin/ipsecctl/ike.c +++ b/sbin/ipsecctl/ike.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike.c,v 1.13 2005/12/28 19:18:43 naddy Exp $ */ +/* $OpenBSD: ike.c,v 1.14 2006/01/16 23:57:20 reyk Exp $ */ /* * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -31,7 +31,8 @@ #include "ipsecctl.h" -static void ike_section_peer(struct ipsec_addr_wrap *, FILE *); +static void ike_section_peer(struct ipsec_addr_wrap *, FILE *, + struct ike_auth *); static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *, FILE *); static void ike_section_ipsec(struct ipsec_addr_wrap *, struct @@ -40,7 +41,7 @@ static int ike_section_qm(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, u_int8_t, struct ipsec_transforms *, FILE *); static int ike_section_mm(struct ipsec_addr_wrap *, struct - ipsec_transforms *, FILE *); + ipsec_transforms *, FILE *, struct ike_auth *); static void ike_section_qmids(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *); static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct @@ -58,11 +59,14 @@ int ike_ipsec_establish(int, struct ipsec_rule *); #define ISAKMPD_FIFO "/var/run/isakmpd.fifo" static void -ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd) +ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd, struct ike_auth *auth) { fprintf(fd, SET "[Phase 1]:%s=peer-%s force\n", peer->name, peer->name); fprintf(fd, SET "[peer-%s]:Phase=1 force\n", peer->name); fprintf(fd, SET "[peer-%s]:Address=%s force\n", peer->name, peer->name); + if (auth->type == IKE_AUTH_PSK) + fprintf(fd, SET "[peer-%s]:Authentication=%s\n", + peer->name, auth->string); } static void 
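Review bot: The new `Authentication=%s` line in ike_section_peer writes auth->string into the isakmpd configuration text verbatim, so a key containing a newline (or a `[`/`=` construct) would turn into extra directives or break the peer section; the value comes from ipsec.conf, which is presumably root-owned, so this is a robustness rather than a privilege concern, but the parser should reject keys with control characters or the manual page should state the permitted characters. The line also differs from the three SET lines directly above it by omitting the trailing ` force`; if that suffix is what lets a later run overwrite an existing peer section, a changed key would not take effect, so `SET "[peer-%s]:Authentication=%s force\n"` looks like the consistent form. The ike_section_peer body is complete within the hunk; the hunk is followed by the start of the next function.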
@@ -178,7 +182,7 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, static int ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs, - FILE *fd) + FILE *fd, struct ike_auth *auth) { if (!(mmxfs->authxf || mmxfs->encxf)) return (0); @@ -228,7 +232,10 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs, } else fprintf(fd, "SHA"); - fprintf(fd, "-RSA_SIG\n"); + if (auth->type == IKE_AUTH_RSA) + fprintf(fd, "-RSA_SIG\n"); + else + fprintf(fd, "\n"); return (0); } @@ -305,8 +312,8 @@ ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap static int ike_gen_config(struct ipsec_rule *r, FILE *fd) { - ike_section_peer(r->peer, fd); - if (ike_section_mm(r->peer, r->mmxfs, fd) == -1) + ike_section_peer(r->peer, fd, r->ikeauth); + if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1) return (-1); ike_section_ids(r->peer, r->auth, fd); ike_section_ipsec(r->src, r->dst, r->peer, fd); diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index 3e5e8f80644..31bb7879546 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.28 2005/12/06 14:27:57 markus Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.29 2006/01/16 23:57:20 reyk Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -391,14 +391,17 @@ as the identity of the local peer. Similar to .Ar srcid , this optional parameter defines a FQDN to be used by the remote peer. -.El -.Pp -Note that -.Xr isakmpd 8 -will use RSA authentication. +.It Ar psk Aq Ar string +Use a pre-shared key +.Ar string +for authentication. +If not specified, RSA authentication will be used. By default, the system startup script .Xr rc 8 -generates a key-pair when starting, if one does not already exist. +generates a key-pair for +.Xr isakmpd 8 +when starting, if one does not already exist. +.El .Pp See also .Sx ISAKMP EXAMPLES 
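Review bot: In ike_section_mm the new `else fprintf(fd, "\n");` terminates the transform name for every auth type other than IKE_AUTH_RSA, so an unexpected type value silently yields a suite with no authentication-method suffix instead of an error, even though the caller in ike_gen_config already checks this function for -1. A `switch (auth->type)` with `case IKE_AUTH_RSA:` writing `-RSA_SIG`, `case IKE_AUTH_PSK:` writing the bare newline, and `default: return (-1);` keeps the current output for both valid types while rejecting anything else. The bare suite name for PSK appears to rely on isakmpd defaulting to pre-shared-key authentication when no suffix is present; a one-line comment such as `/* no suffix: isakmpd defaults to pre-shared key auth */` would make that dependency visible. ike_section_mm begins outside the hunk.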
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c index c8af85a0811..6138070b313 100644 --- a/sbin/ipsecctl/ipsecctl.c +++ b/sbin/ipsecctl/ipsecctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.c,v 1.39 2005/12/06 16:55:28 markus Exp $ */ +/* $OpenBSD: ipsecctl.c,v 1.40 2006/01/16 23:57:20 reyk Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -178,6 +178,11 @@ ipsecctl_commit(int action, struct ipsecctl *ipsec) free(rp->auth->dstid); free(rp->auth); } + if (rp->ikeauth) { + if (rp->ikeauth->string) + free(rp->ikeauth->string); + free(rp->ikeauth); + } if (rp->xfs) free(rp->xfs); if (rp->authkey) { diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h index c001bc472e1..7367f9e40f5 100644 --- a/sbin/ipsecctl/ipsecctl.h +++ b/sbin/ipsecctl/ipsecctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.h,v 1.25 2005/12/06 14:27:57 markus Exp $ */ +/* $OpenBSD: ipsecctl.h,v 1.26 2006/01/16 23:57:20 reyk Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -47,9 +47,6 @@ enum { MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL }; enum { - AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA -}; -enum { ID_UNKNOWN, ID_PREFIX, ID_FQDN, ID_UFQDN }; enum { @@ -69,7 +66,10 @@ enum { COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS }; enum { - IKE_ACTIVE, IKE_PASSIVE + IKE_ACTIVE, IKE_PASSIVE, +}; +enum { + IKE_AUTH_RSA, IKE_AUTH_PSK }; struct ipsec_addr { @@ -107,6 +107,11 @@ struct ipsec_key { u_int8_t *data; }; +struct ike_auth { + u_int8_t type; + char *string; +}; + struct ipsec_xf { char *name; u_int16_t id; @@ -131,6 +136,7 @@ struct ipsec_rule { struct ipsec_addr_wrap *dst; struct ipsec_addr_wrap *peer; struct ipsec_auth *auth; + struct ike_auth *ikeauth; struct ipsec_transforms *xfs; struct ipsec_transforms *mmxfs; struct ipsec_transforms *qmxfs; diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index c11f21570fc..f8df84dc224 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y 
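Review bot: The cleanup added to ipsecctl_commit releases rp->ikeauth->string, which for a PSK rule holds the pre-shared key, with a plain free(), leaving the key bytes in freed heap memory for the remainder of the process; wiping it first, `bzero(rp->ikeauth->string, strlen(rp->ikeauth->string));` (or explicit_bzero where available) before the free is cheap and is what one expects for key material, and the same treatment would suit the authkey/enckey buffers freed just below, which this commit does not touch. The `if (rp->ikeauth->string)` guard is redundant since free(NULL) is a no-op. ipsecctl_commit begins and ends outside the hunk.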
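Review bot: The new struct ike_auth in ipsecctl.h carries no comment on what `string` holds or when it is valid, so readers of ike.c and ipsecctl.c must infer that it is the pre-shared key and only meaningful for IKE_AUTH_PSK. I would annotate the members as `u_int8_t type; /* IKE_AUTH_RSA or IKE_AUTH_PSK */` and `char *string; /* pre-shared key; NULL unless type == IKE_AUTH_PSK */`, and give the IKE_AUTH_* enum a one-line comment noting that IKE_AUTH_RSA is the default the parser selects when no keyword is given. The `ikeauth` member added to struct ipsec_rule likewise deserves `/* IKE phase 1 authentication; set only by create_ike */` so that its NULL-ness for flow rules is documented rather than discovered.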
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.47 2005/12/12 09:41:51 hshoexer Exp $ */ +/* $OpenBSD: parse.y,v 1.48 2006/01/16 23:57:20 reyk Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -133,13 +133,13 @@ struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t, struct ipsec_key *, struct ipsec_key *); struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, - u_int8_t, char *, char *, u_int16_t); + u_int8_t, char *, char *); struct ipsec_rule *reverse_rule(struct ipsec_rule *); struct ipsec_rule *create_ike(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_transforms *, struct ipsec_transforms *, u_int8_t, u_int8_t, char *, - char *); + char *, struct ike_auth *); struct ipsec_transforms *ipsec_transforms; @@ -162,7 +162,7 @@ typedef struct { char *dstid; } ids; char *id; - u_int16_t authtype; + struct ike_auth ikeauth; struct { u_int32_t spiout; u_int32_t spiin; @@ -201,7 +201,6 @@ typedef struct { %type <v.host> host %type <v.ids> ids %type <v.id> id -%type <v.authtype> authtype %type <v.spis> spispec %type <v.authkeys> authkeyspec %type <v.enckeys> enckeyspec @@ -210,6 +209,7 @@ typedef struct { %type <v.mmxfs> mmxfs %type <v.qmxfs> qmxfs %type <v.ikemode> ikemode +%type <v.ikeauth> ikeauth %% grammar : /* empty */ @@ -291,11 +291,11 @@ sarule : protocol tmode hosts spispec transforms authkeyspec } ; -flowrule : FLOW protocol dir hosts peer ids authtype { +flowrule : FLOW protocol dir hosts peer ids { struct ipsec_rule *r; r = create_flow($3, $4.src, $4.dst, $5, $2, $6.srcid, - $6.dstid, $7); + $6.dstid); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; 
@@ -314,11 +314,11 @@ flowrule : FLOW protocol dir hosts peer ids authtype { } ; -ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids { +ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids ikeauth { struct ipsec_rule *r; r = create_ike($4.src, $4.dst, $5, $6, $7, $3, $2, - $8.srcid, $8.dstid); + $8.srcid, $8.dstid, &$9); if (r == NULL) YYERROR; r->nr = ipsec->rule_nr++; @@ -423,11 +423,6 @@ ids : /* empty */ { id : STRING { $$ = $1; } ; -authtype : /* empty */ { $$ = 0; } - | RSA { $$ = AUTH_RSA; } - | PSK { $$ = AUTH_PSK; } - ; - spispec : SPI STRING { u_int32_t spi; char *p = strchr($2, ':'); @@ -574,10 +569,21 @@ keyspec : STRING { free($2); } ; + ikemode : /* empty */ { $$ = IKE_ACTIVE; } | PASSIVE { $$ = IKE_PASSIVE; } | ACTIVE { $$ = IKE_ACTIVE; } ; + +ikeauth : /* empty */ { $$.type = IKE_AUTH_RSA; } + | RSA { $$.type = IKE_AUTH_RSA; } + | PSK STRING { + $$.type = IKE_AUTH_PSK; + if (($$.string = strdup($2)) == NULL) + err(1, "ikeauth: strdup"); + } + ; + %% struct keywords { @@ -1447,7 +1453,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, struct ipsec_rule * create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct ipsec_addr_wrap *peer, u_int8_t proto, char *srcid, char - *dstid, u_int16_t authtype) + *dstid) { struct ipsec_rule *r; @@ -1495,9 +1501,6 @@ create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap r->auth->srcid = srcid; r->auth->dstid = dstid; r->auth->idtype = ID_FQDN; /* XXX For now only FQDN. */ -#ifdef notyet - r->auth->type = authtype; -#endif return r; @@ -1556,7 +1559,7 @@ struct ipsec_rule * create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct ipsec_addr_wrap * peer, struct ipsec_transforms *mmxfs, struct ipsec_transforms *qmxfs, u_int8_t proto, u_int8_t mode, char *srcid, char - *dstid) + *dstid, struct ike_auth *authtype) { struct ipsec_rule *r; 
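Review bot: The `ikeauth` rule's empty and `RSA` alternatives set only `$$.type`, leaving `$$.string` whatever the yacc value stack last held, yet create_ike copies that field into r->ikeauth->string and both its errout path and ipsecctl_commit call free() on it when non-NULL, so an `ike` rule written without `psk` can hand an uninitialized pointer to free(). Each of those two alternatives should also assign `$$.string = NULL;`. In the `PSK STRING` alternative the lexer's `$2` is duplicated but never released, unlike `keyspec` above which calls `free($2)`; either add `free($2);` after the strdup or take ownership directly with `$$.string = $2;`.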
@@ -1597,6 +1600,11 @@ create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct r->auth->srcid = srcid; r->auth->dstid = dstid; r->auth->idtype = ID_FQDN; /* XXX For now only FQDN. */ + r->ikeauth = calloc(1, sizeof(struct ike_auth)); + if (r->ikeauth == NULL) + err(1, "create_ike: calloc"); + r->ikeauth->type = authtype->type; + r->ikeauth->string = authtype->string; return (r); @@ -1608,6 +1616,8 @@ errout: free(dstid); free(src); free(dst); + if (authtype->string) + free(authtype->string); return (NULL); } |
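Review bot: create_ike now stores `authtype->string` directly into r->ikeauth, taking ownership of the caller's buffer, but nothing in the function says so; a maintainer who later frees the string on the parser side after the call would introduce a double free with the release in ipsecctl_commit. I would put `/* takes ownership of authtype->string; released in ipsecctl_commit */` above the calloc, and since the errout path frees `authtype->string` unconditionally when non-NULL, a defensive `if (r->ikeauth->type != IKE_AUTH_PSK) r->ikeauth->string = NULL;` after the assignment would at least keep the stored copy sane if the parser ever passes a stale pointer for non-PSK rules. The errout cleanup also does not free r->ikeauth itself; whether any `goto errout` can follow the calloc is not visible in the hunk, and create_ike begins outside it.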