summaryrefslogtreecommitdiff
path: root/sbin/ipsecctl
diff options
context:
space:
mode:
authorReyk Floeter <reyk@cvs.openbsd.org>2006-01-16 23:57:21 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2006-01-16 23:57:21 +0000
commit8507d5ed84a7c901a192d08a29970726415afa65 (patch)
treefc0b39eded2b01ba40687e6a318b2ca680655ad7 /sbin/ipsecctl
parentb7ffe7e87ee21e1dff5302e470d7b9490c931053 (diff)
add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default. ok hshoexer@, manpage ok jmc@
Diffstat (limited to 'sbin/ipsecctl')
-rw-r--r--sbin/ipsecctl/ike.c23
-rw-r--r--sbin/ipsecctl/ipsec.conf.517
-rw-r--r--sbin/ipsecctl/ipsecctl.c7
-rw-r--r--sbin/ipsecctl/ipsecctl.h16
-rw-r--r--sbin/ipsecctl/parse.y48
5 files changed, 71 insertions, 40 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 8ad16893049..18015850ab4 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.13 2005/12/28 19:18:43 naddy Exp $ */
+/* $OpenBSD: ike.c,v 1.14 2006/01/16 23:57:20 reyk Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -31,7 +31,8 @@
#include "ipsecctl.h"
-static void ike_section_peer(struct ipsec_addr_wrap *, FILE *);
+static void ike_section_peer(struct ipsec_addr_wrap *, FILE *,
+ struct ike_auth *);
static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
FILE *);
static void ike_section_ipsec(struct ipsec_addr_wrap *, struct
@@ -40,7 +41,7 @@ static int ike_section_qm(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, u_int8_t, struct ipsec_transforms *,
FILE *);
static int ike_section_mm(struct ipsec_addr_wrap *, struct
- ipsec_transforms *, FILE *);
+ ipsec_transforms *, FILE *, struct ike_auth *);
static void ike_section_qmids(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, FILE *);
static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct
@@ -58,11 +59,14 @@ int ike_ipsec_establish(int, struct ipsec_rule *);
#define ISAKMPD_FIFO "/var/run/isakmpd.fifo"
static void
-ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd)
+ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd, struct ike_auth *auth)
{
fprintf(fd, SET "[Phase 1]:%s=peer-%s force\n", peer->name, peer->name);
fprintf(fd, SET "[peer-%s]:Phase=1 force\n", peer->name);
fprintf(fd, SET "[peer-%s]:Address=%s force\n", peer->name, peer->name);
+ if (auth->type == IKE_AUTH_PSK)
+ fprintf(fd, SET "[peer-%s]:Authentication=%s\n",
+ peer->name, auth->string);
}
static void
@@ -178,7 +182,7 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
static int
ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
- FILE *fd)
+ FILE *fd, struct ike_auth *auth)
{
if (!(mmxfs->authxf || mmxfs->encxf))
return (0);
@@ -228,7 +232,10 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
} else
fprintf(fd, "SHA");
- fprintf(fd, "-RSA_SIG\n");
+ if (auth->type == IKE_AUTH_RSA)
+ fprintf(fd, "-RSA_SIG\n");
+ else
+ fprintf(fd, "\n");
return (0);
}
@@ -305,8 +312,8 @@ ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
static int
ike_gen_config(struct ipsec_rule *r, FILE *fd)
{
- ike_section_peer(r->peer, fd);
- if (ike_section_mm(r->peer, r->mmxfs, fd) == -1)
+ ike_section_peer(r->peer, fd, r->ikeauth);
+ if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1)
return (-1);
ike_section_ids(r->peer, r->auth, fd);
ike_section_ipsec(r->src, r->dst, r->peer, fd);
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 3e5e8f80644..31bb7879546 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.28 2005/12/06 14:27:57 markus Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.29 2006/01/16 23:57:20 reyk Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -391,14 +391,17 @@ as the identity of the local peer.
Similar to
.Ar srcid ,
this optional parameter defines a FQDN to be used by the remote peer.
-.El
-.Pp
-Note that
-.Xr isakmpd 8
-will use RSA authentication.
+.It Ar psk Aq Ar string
+Use a pre-shared key
+.Ar string
+for authentication.
+If not specified, RSA authentication will be used.
By default, the system startup script
.Xr rc 8
-generates a key-pair when starting, if one does not already exist.
+generates a key-pair for
+.Xr isakmpd 8
+when starting, if one does not already exist.
+.El
.Pp
See also
.Sx ISAKMP EXAMPLES
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index c8af85a0811..6138070b313 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.39 2005/12/06 16:55:28 markus Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.40 2006/01/16 23:57:20 reyk Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -178,6 +178,11 @@ ipsecctl_commit(int action, struct ipsecctl *ipsec)
free(rp->auth->dstid);
free(rp->auth);
}
+ if (rp->ikeauth) {
+ if (rp->ikeauth->string)
+ free(rp->ikeauth->string);
+ free(rp->ikeauth);
+ }
if (rp->xfs)
free(rp->xfs);
if (rp->authkey) {
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index c001bc472e1..7367f9e40f5 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.25 2005/12/06 14:27:57 markus Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.26 2006/01/16 23:57:20 reyk Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -47,9 +47,6 @@ enum {
MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL
};
enum {
- AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
-};
-enum {
ID_UNKNOWN, ID_PREFIX, ID_FQDN, ID_UFQDN
};
enum {
@@ -69,7 +66,10 @@ enum {
COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
};
enum {
- IKE_ACTIVE, IKE_PASSIVE
+ IKE_ACTIVE, IKE_PASSIVE,
+};
+enum {
+ IKE_AUTH_RSA, IKE_AUTH_PSK
};
struct ipsec_addr {
@@ -107,6 +107,11 @@ struct ipsec_key {
u_int8_t *data;
};
+struct ike_auth {
+ u_int8_t type;
+ char *string;
+};
+
struct ipsec_xf {
char *name;
u_int16_t id;
@@ -131,6 +136,7 @@ struct ipsec_rule {
struct ipsec_addr_wrap *dst;
struct ipsec_addr_wrap *peer;
struct ipsec_auth *auth;
+ struct ike_auth *ikeauth;
struct ipsec_transforms *xfs;
struct ipsec_transforms *mmxfs;
struct ipsec_transforms *qmxfs;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index c11f21570fc..f8df84dc224 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.47 2005/12/12 09:41:51 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.48 2006/01/16 23:57:20 reyk Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -133,13 +133,13 @@ struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, struct ipsec_addr_wrap *,
- u_int8_t, char *, char *, u_int16_t);
+ u_int8_t, char *, char *);
struct ipsec_rule *reverse_rule(struct ipsec_rule *);
struct ipsec_rule *create_ike(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, struct ipsec_addr_wrap *,
struct ipsec_transforms *, struct
ipsec_transforms *, u_int8_t, u_int8_t, char *,
- char *);
+ char *, struct ike_auth *);
struct ipsec_transforms *ipsec_transforms;
@@ -162,7 +162,7 @@ typedef struct {
char *dstid;
} ids;
char *id;
- u_int16_t authtype;
+ struct ike_auth ikeauth;
struct {
u_int32_t spiout;
u_int32_t spiin;
@@ -201,7 +201,6 @@ typedef struct {
%type <v.host> host
%type <v.ids> ids
%type <v.id> id
-%type <v.authtype> authtype
%type <v.spis> spispec
%type <v.authkeys> authkeyspec
%type <v.enckeys> enckeyspec
@@ -210,6 +209,7 @@ typedef struct {
%type <v.mmxfs> mmxfs
%type <v.qmxfs> qmxfs
%type <v.ikemode> ikemode
+%type <v.ikeauth> ikeauth
%%
grammar : /* empty */
@@ -291,11 +291,11 @@ sarule : protocol tmode hosts spispec transforms authkeyspec
}
;
-flowrule : FLOW protocol dir hosts peer ids authtype {
+flowrule : FLOW protocol dir hosts peer ids {
struct ipsec_rule *r;
r = create_flow($3, $4.src, $4.dst, $5, $2, $6.srcid,
- $6.dstid, $7);
+ $6.dstid);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -314,11 +314,11 @@ flowrule : FLOW protocol dir hosts peer ids authtype {
}
;
-ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids {
+ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids ikeauth {
struct ipsec_rule *r;
r = create_ike($4.src, $4.dst, $5, $6, $7, $3, $2,
- $8.srcid, $8.dstid);
+ $8.srcid, $8.dstid, &$9);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -423,11 +423,6 @@ ids : /* empty */ {
id : STRING { $$ = $1; }
;
-authtype : /* empty */ { $$ = 0; }
- | RSA { $$ = AUTH_RSA; }
- | PSK { $$ = AUTH_PSK; }
- ;
-
spispec : SPI STRING {
u_int32_t spi;
char *p = strchr($2, ':');
@@ -574,10 +569,21 @@ keyspec : STRING {
free($2);
}
;
+
ikemode : /* empty */ { $$ = IKE_ACTIVE; }
| PASSIVE { $$ = IKE_PASSIVE; }
| ACTIVE { $$ = IKE_ACTIVE; }
;
+
+ikeauth : /* empty */ { $$.type = IKE_AUTH_RSA; }
+ | RSA { $$.type = IKE_AUTH_RSA; }
+ | PSK STRING {
+ $$.type = IKE_AUTH_PSK;
+ if (($$.string = strdup($2)) == NULL)
+ err(1, "ikeauth: strdup");
+ }
+ ;
+
%%
struct keywords {
@@ -1447,7 +1453,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
struct ipsec_rule *
create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
*dst, struct ipsec_addr_wrap *peer, u_int8_t proto, char *srcid, char
- *dstid, u_int16_t authtype)
+ *dstid)
{
struct ipsec_rule *r;
@@ -1495,9 +1501,6 @@ create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
r->auth->srcid = srcid;
r->auth->dstid = dstid;
r->auth->idtype = ID_FQDN; /* XXX For now only FQDN. */
-#ifdef notyet
- r->auth->type = authtype;
-#endif
return r;
@@ -1556,7 +1559,7 @@ struct ipsec_rule *
create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct
ipsec_addr_wrap * peer, struct ipsec_transforms *mmxfs, struct
ipsec_transforms *qmxfs, u_int8_t proto, u_int8_t mode, char *srcid, char
- *dstid)
+ *dstid, struct ike_auth *authtype)
{
struct ipsec_rule *r;
@@ -1597,6 +1600,11 @@ create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct
r->auth->srcid = srcid;
r->auth->dstid = dstid;
r->auth->idtype = ID_FQDN; /* XXX For now only FQDN. */
+ r->ikeauth = calloc(1, sizeof(struct ike_auth));
+ if (r->ikeauth == NULL)
+ err(1, "create_ike: calloc");
+ r->ikeauth->type = authtype->type;
+ r->ikeauth->string = authtype->string;
return (r);
@@ -1608,6 +1616,8 @@ errout:
free(dstid);
free(src);
free(dst);
+ if (authtype->string)
+ free(authtype->string);
return (NULL);
}