path: root/sbin/isakmpd/ipsec.c
authorNiklas Hallqvist <niklas@cvs.openbsd.org>2001-07-01 20:43:41 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>2001-07-01 20:43:41 +0000
commit984a723c9274fa719d9d436a914d3899d5c626f8 (patch)
tree7f8ad17ac8c2a4e47e19e0105a96cd13d300550f /sbin/isakmpd/ipsec.c
parent1b1cf9310c1ee499d272e783c7ed479e12387ddd (diff)
ISAKMP configuration, a.k.a IKECFG or "mode-config", protocol implementation.
Disabled, has no configuration mechanism yet. This will be used for roaming users, who are going to get parameters like IP-address and nameserver from their peer, very much like DHCP, but securely inside an ISAKMP connection and still in time before negotiation of IPsec connections. You may see stylistic fixes in this commit too. Add some not yet used Makefile magic to deal with DNSSEC- enabled OpenSSL too. The IKECFG code work was sponsored by Gatespace Inc. Thank you! Configuration will come very soon, btw.
Diffstat (limited to 'sbin/isakmpd/ipsec.c')
-rw-r--r--sbin/isakmpd/ipsec.c60
1 files changed, 49 insertions, 11 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index fc98b78eaae..68bb1eebded 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.51 2001/07/01 14:17:06 ho Exp $ */
+/* $OpenBSD: ipsec.c,v 1.52 2001/07/01 20:43:39 niklas Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -61,6 +61,9 @@
#include "ipsec.h"
#include "ipsec_doi.h"
#include "isakmp.h"
+#include "isakmp_cfg.h"
+#include "isakmp_fld.h"
+#include "isakmp_num.h"
#include "log.h"
#include "math_group.h"
#include "message.h"
@@ -541,6 +544,9 @@ static void
ipsec_free_exchange_data (void *vie)
{
struct ipsec_exch *ie = vie;
+#ifdef USE_ISAKMP_CFG
+ struct isakmp_cfg_attr *attr;
+#endif
if (ie->sa_i_b)
free (ie->sa_i_b);
@@ -568,6 +574,15 @@ ipsec_free_exchange_data (void *vie)
free (ie->hash_r);
if (ie->group)
group_free (ie->group);
+#ifdef USE_ISAKMP_CFG
+ for (attr = LIST_FIRST (&ie->attrs); attr; attr = LIST_FIRST (&ie->attrs))
+ {
+ LIST_REMOVE (attr, link);
+ if (attr->length)
+ free (attr->value);
+ free (attr);
+ }
+#endif
}
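Review bot: The new loop in ipsec_free_exchange_data reads `LIST_FIRST (&ie->attrs)` and therefore depends on `ie->attrs` having been LIST_INIT'd (or the whole struct zero-filled) wherever `struct ipsec_exch` is allocated; that allocation is outside this hunk, so I cannot confirm it, and if the structure is malloc'd rather than calloc'd the head pointer is uninitialized on the first call. It would also help to state the ownership rule next to the loop, since `free (attr->value)` is guarded by `length` rather than by the pointer, e.g. `/* attr->value is heap-allocated only when attr->length != 0; the attr node itself is always ours to free. */`. ipsec_free_exchange_data starts above this hunk.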
/* Free the DOI-specific SA data pointed to by VISA. */
@@ -608,6 +623,10 @@ ipsec_exchange_script (u_int8_t type)
{
switch (type)
{
+#ifdef USE_ISAKMP_CFG
+ case ISAKMP_EXCH_TRANSACTION:
+ return script_transaction;
+#endif
case IKE_EXCH_QUICK_MODE:
return script_quick_mode;
case IKE_EXCH_NEW_GROUP_MODE:
@@ -860,11 +879,12 @@ ipsec_initiator (struct message *msg)
int (**script) (struct message *msg) = 0;
/* Check that the SA is coherent with the IKE rules. */
- if ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT
- && exchange->type != ISAKMP_EXCH_AGGRESSIVE
- && exchange->type != ISAKMP_EXCH_INFO)
- || (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE
- && exchange->type != ISAKMP_EXCH_INFO))
+ if (exchange->type != ISAKMP_EXCH_TRANSACTION
+ && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT
+ && exchange->type != ISAKMP_EXCH_AGGRESSIVE
+ && exchange->type != ISAKMP_EXCH_INFO)
+ || (exchange->phase == 2 && exchange->type != IKE_EXCH_QUICK_MODE
+ && exchange->type != ISAKMP_EXCH_INFO)))
{
log_print ("ipsec_initiator: unsupported exchange type %d in phase %d",
exchange->type, exchange->phase);
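Review bot: The new `exchange->type != ISAKMP_EXCH_TRANSACTION` exemption bypasses the phase check altogether, so a transaction exchange is accepted in phase 1 as well as phase 2, and the exemption is not under `#ifdef USE_ISAKMP_CFG`, so with the feature disabled the type still passes this check and reaches the switch below, which lies outside the hunk; I cannot see whether its default branch rejects it. The same exemption is added to ipsec_responder at the `exchange->step == 0` check, where it matters more because the exchange type there comes from the peer's message. If mode-config is only meant to run inside an established phase 1 SA, tie the exemption to that phase, e.g. `!(exchange->type == ISAKMP_EXCH_TRANSACTION && exchange->phase == 2) && (...)`, or at least wrap the new condition in `#ifdef USE_ISAKMP_CFG` so disabled builds keep the old behaviour. ipsec_initiator continues outside this hunk.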
@@ -881,6 +901,11 @@ ipsec_initiator (struct message *msg)
script = ike_aggressive_initiator;
break;
#endif
+#ifdef USE_ISAKMP_CFG
+ case ISAKMP_EXCH_TRANSACTION:
+ script = isakmp_cfg_initiator;
+ break;
+#endif
case ISAKMP_EXCH_INFO:
return message_send_info (msg);
case IKE_EXCH_QUICK_MODE:
@@ -995,7 +1020,7 @@ ipsec_responder (struct message *msg)
u_int16_t type;
/* Check that a new exchange is coherent with the IKE rules. */
- if (exchange->step == 0
+ if (exchange->step == 0 && exchange->type != ISAKMP_EXCH_TRANSACTION
&& ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT
&& exchange->type != ISAKMP_EXCH_AGGRESSIVE
&& exchange->type != ISAKMP_EXCH_INFO)
@@ -1020,6 +1045,12 @@ ipsec_responder (struct message *msg)
break;
#endif
+#ifdef USE_ISAKMP_CFG
+ case ISAKMP_EXCH_TRANSACTION:
+ script = isakmp_cfg_responder;
+ break;
+#endif
+
case ISAKMP_EXCH_INFO:
for (p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); p;
p = TAILQ_NEXT (p, link))
@@ -1943,22 +1974,21 @@ ipsec_build_id (char *section, size_t *sz)
/*
* copy an ISAKMPD id
*/
-
int
ipsec_clone_id (u_int8_t **did, size_t *did_len, u_int8_t *id, size_t id_len)
{
if (*did)
free (*did);
- if (!id_len || id == NULL)
+ if (!id_len || !id)
{
- *did = NULL;
+ *did = 0;
*did_len = 0;
return 0;
}
*did = malloc (id_len);
- if (*did == NULL)
+ if (!*did)
{
*did_len = 0;
log_error ("ipsec_clone_id: malloc(%d) failed", id_len);
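Review bot: The error path `log_error ("ipsec_clone_id: malloc(%d) failed", id_len);` passes a `size_t` to `%d`, a format/argument mismatch that the hunk leaves untouched while restyling the NULL comparisons around it; `log_error ("ipsec_clone_id: malloc(%lu) failed", (unsigned long)id_len);` is the portable form, or `%zu` if the rest of the file already uses it. The header comment `copy an ISAKMPD id` could also state the contract this code implements: any existing `*did` is freed and replaced, and a null or zero-length source leaves `*did` null with `*did_len` 0 and returns 0. ipsec_clone_id continues past the end of the hunk.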
@@ -2233,6 +2263,14 @@ ipsec_id_size (char *section, u_int8_t *id)
return -1;
}
return strlen (data);
+ case IPSEC_ID_DER_ASN1_DN:
+ data = conf_get_str (section, "Name");
+ if (!data)
+ {
+ log_print ("ipsec_id_size: section %s has no \"Name\" tag", section);
+ return -1;
+ }
+ break;
}
log_print ("ipsec_id_size: unrecognized ID-type %d (%s)", *id, type);
return -1;
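Review bot: The new `IPSEC_ID_DER_ASN1_DN` case in ipsec_id_size looks up the `Name` tag into `data` and then `break`s, so on success it falls out of the switch into `log_print ("ipsec_id_size: unrecognized ID-type %d (%s)", ...)` and returns -1 anyway, with a message that misattributes the failure and a looked-up value that is never used. If DN sizing is deliberately deferred, make the stub explicit with a comment such as `/* XXX DER ASN.1 DN sizing not implemented yet. */` and its own `log_print` and `return -1` in place of the `break`; otherwise the size derived from `data` should be returned here as the other cases do. The enclosing switch and the function's head are outside this hunk.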