author | tobhe <tobhe@cvs.openbsd.org> | 2020-03-18 22:12:44 +0000 |
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-03-18 22:12:44 +0000 |
commit | 6f58a8fa7dd864951b94da779e7d2f65c05e2d1b (patch) | |
tree | ec947f0e7afa012bde3443cbcf3458e65f557355 /sbin/iked | |
parent | 74391ff6023d4bbf4bffe94d1d2f82e679ca1d6c (diff) |
Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.
ok patrick@ markus@
Diffstat (limited to 'sbin/iked')
-rw-r--r-- | sbin/iked/control.c | 8 | ||||
-rw-r--r-- | sbin/iked/ikev2.c | 56 | ||||
-rw-r--r-- | sbin/iked/types.h | 3 |
3 files changed, 62 insertions, 5 deletions
diff --git a/sbin/iked/control.c b/sbin/iked/control.c
index 67466c6a555..44c6f92e104 100644
--- a/sbin/iked/control.c
+++ b/sbin/iked/control.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: control.c,v 1.26 2018/08/06 06:30:06 mestre Exp $ */
+/* $OpenBSD: control.c,v 1.27 2020/03/18 22:12:43 tobhe Exp $ */
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -50,7 +50,8 @@ void control_imsg_forward(struct imsg *);
 void control_run(struct privsep *, struct privsep_proc *, void *);
 
 static struct privsep_proc procs[] = {
-	{ "parent", PROC_PARENT, NULL }
+	{ "parent", PROC_PARENT, NULL },
+	{ "ikev2", PROC_IKEV2, NULL }
 };
 
 pid_t
@@ -305,6 +306,9 @@ control_dispatch_imsg(int fd, short event, void *arg)
 	case IMSG_CTL_PASSIVE:
 		proc_forward_imsg(&env->sc_ps, &imsg, PROC_PARENT, -1);
 		break;
+	case IMSG_CTL_RESET_ID:
+		proc_forward_imsg(&env->sc_ps, &imsg, PROC_IKEV2, -1);
+		break;
 	default:
 		log_debug("%s: error handling imsg %d", __func__,
 		    imsg.hdr.type);
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 56d00df3363..b335af5a2f3 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.196 2020/03/16 09:07:40 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.197 2020/03/18 22:12:43 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -49,6 +49,7 @@ void ikev2_run(struct privsep *, struct privsep_proc *, void *);
 int ikev2_dispatch_parent(int, struct privsep_proc *, struct imsg *);
 int ikev2_dispatch_cert(int, struct privsep_proc *, struct imsg *);
+int ikev2_dispatch_control(int, struct privsep_proc *, struct imsg *);
 
 struct iked_sa *
 	ikev2_getimsgdata(struct iked *, struct imsg *, struct iked_sahdr *,
@@ -155,10 +156,12 @@ int ikev2_update_sa_addresses(struct iked *, struct iked_sa *);
 int ikev2_resp_informational(struct iked *, struct iked_sa *, struct iked_message *);
+void ikev2_ctl_reset_id(struct iked *, struct imsg *, unsigned int);
 
 static struct privsep_proc procs[] = {
 	{ "parent", PROC_PARENT, ikev2_dispatch_parent },
-	{ "certstore", PROC_CERT, ikev2_dispatch_cert }
+	{ "certstore", PROC_CERT, ikev2_dispatch_cert },
+	{ "control", PROC_CONTROL, ikev2_dispatch_control }
 };
 
 pid_t
@@ -376,6 +379,22 @@ ikev2_dispatch_cert(int fd, struct privsep_proc *p, struct imsg *imsg)
 	return (0);
 }
 
+int
+ikev2_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
+{
+	struct iked *env = p->p_env;
+
+	switch (imsg->hdr.type) {
+	case IMSG_CTL_RESET_ID:
+		ikev2_ctl_reset_id(env, imsg, imsg->hdr.type);
+		break;
+	default:
+		return (-1);
+	}
+
+	return (0);
+}
+
 const char *
 ikev2_ikesa_info(uint64_t spi, const char *msg)
 {
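Review bot: In `ikev2_dispatch_control` the third argument handed to `ikev2_ctl_reset_id` is `imsg->hdr.type`, which the enclosing `case IMSG_CTL_RESET_ID:` has already pinned to one constant, so the `unsigned int type` parameter carries nothing the callee could not know; either drop it from the prototype or note that it exists only for the callee's debug log line. `fd` is unused, which is presumably dictated by the `privsep_proc` callback signature shared with `ikev2_dispatch_parent` and `ikev2_dispatch_cert`; a header comment such as `/* Handle imsgs forwarded from the control process; -1 for unknown types. */` would state the contract for the next reader. The `-1` for unrecognised types matches the style of the sibling dispatchers as far as the hunk shows.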
@@ -390,6 +409,39 @@ ikev2_ikesa_info(uint64_t spi, const char *msg)
 	return buf;
 }
 
+void
+ikev2_ctl_reset_id(struct iked *env, struct imsg *imsg, unsigned int type)
+{
+	struct iked_sa *sa;
+	char *reset_id = NULL;
+	char sa_id[IKED_ID_SIZE];
+
+	if ((reset_id = get_string(imsg->data, IMSG_DATA_SIZE(imsg))) == NULL)
+		return;
+
+	log_debug("%s: %s %d", __func__, reset_id, type);
+	RB_FOREACH(sa, iked_sas, &env->sc_sas) {
+		if (ikev2_print_id(IKESA_DSTID(sa), sa_id, sizeof(sa_id)) == -1)
+			continue;
+		if (strcmp(reset_id, sa_id) != 0)
+			continue;
+		if (sa->sa_state == IKEV2_STATE_CLOSED)
+			continue;
+		if (sa->sa_state == IKEV2_STATE_ESTABLISHED)
+			ikev2_disable_timer(env, sa);
+		log_info("%s: IKE SA %p id %s ispi %s rspi %s", __func__,
+		    sa, sa_id,
+		    print_spi(sa->sa_hdr.sh_ispi, 8),
+		    print_spi(sa->sa_hdr.sh_rspi, 8));
+		ikev2_ike_sa_setreason(sa, "reset control message");
+		ikev2_ikesa_delete(env, sa, 1);
+		/* default IKED_IKE_SA_DELETE_TIMEOUT is 120s, so switch to 6s */
+		timer_add(env, &sa->sa_timer, 3 * IKED_RETRANSMIT_TIMEOUT);
+	}
+	free(reset_id);
+}
+
+
 struct iked_sa *
 ikev2_getimsgdata(struct iked *env, struct imsg *imsg, struct iked_sahdr *sh,
     uint8_t *type, uint8_t **buf, size_t *size)
diff --git a/sbin/iked/types.h b/sbin/iked/types.h
index e8881a74e9a..0d0d64e9ae0 100644
--- a/sbin/iked/types.h
+++ b/sbin/iked/types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: types.h,v 1.32 2020/01/16 20:05:00 tobhe Exp $ */
+/* $OpenBSD: types.h,v 1.33 2020/03/18 22:12:43 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -105,6 +105,7 @@ enum imsg_type {
 	IMSG_CTL_MOBIKE,
 	IMSG_CTL_FRAGMENTATION,
 	IMSG_CTL_NATTPORT,
+	IMSG_CTL_RESET_ID,
 	IMSG_COMPILE,
 	IMSG_UDP_SOCKET,
 	IMSG_PFKEY_SOCKET,
|
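Review bot: `log_debug("%s: %s %d", __func__, reset_id, type)` in `ikev2_ctl_reset_id` prints the `unsigned int` parameter with `%d`; the matching conversion is `%u`, i.e. `log_debug("%s: %s %u", __func__, reset_id, type);`. The loop keeps dereferencing `sa` after `ikev2_ikesa_delete(env, sa, 1)` while walking `sc_sas` with `RB_FOREACH`, which is only sound if neither the delete nor the re-armed `sa_timer` can unlink or free the SA synchronously; a one-line comment stating that teardown is deferred to the timer — or `RB_FOREACH_SAFE` if that guarantee is not firm — would make the assumption checkable. The comment `/* default IKED_IKE_SA_DELETE_TIMEOUT is 120s, so switch to 6s */` hard-codes both values and will silently drift if either constant changes; saying that `3 * IKED_RETRANSMIT_TIMEOUT` is chosen to be well below `IKED_IKE_SA_DELETE_TIMEOUT` conveys the intent without the numbers. The code relies on `get_string` returning a NUL-terminated copy that `strcmp` can consume and that the caller owns; that contract is not visible in this hunk and is worth one line in the header comment.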