authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-03-07 07:33:54 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-03-07 07:33:54 +0000
commit8182affd1178314703f724a731a80d32d4a8a662 (patch)
treea8e8196fb7ee1312aca1a16a1e37903e9e784a28 /sbin
parent8d8bfda4e6ddbdd525301f448e83530fb94ef029 (diff)
Add KEY_ID support (mostly from roland@digitalvampire.org)
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/ike_phase_1.c3
-rw-r--r--sbin/isakmpd/ipsec.c3
-rw-r--r--sbin/isakmpd/isakmpd.conf.514
-rw-r--r--sbin/isakmpd/isakmpd.policy.54
-rw-r--r--sbin/isakmpd/policy.c51
5 files changed, 61 insertions, 14 deletions
diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c
index 72e0d3034ca..874b4f31bdc 100644
--- a/sbin/isakmpd/ike_phase_1.c
+++ b/sbin/isakmpd/ike_phase_1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike_phase_1.c,v 1.21 2000/12/12 01:45:45 niklas Exp $ */
+/* $OpenBSD: ike_phase_1.c,v 1.22 2001/03/07 07:33:53 angelos Exp $ */
/* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */
/*
@@ -824,6 +824,7 @@ ike_phase_1_send_ID (struct message *msg)
break;
case IPSEC_ID_FQDN:
case IPSEC_ID_USER_FQDN:
+ case IPSEC_ID_KEY_ID:
memcpy (buf + ISAKMP_ID_DATA_OFF, conf_get_str (my_id, "Name"),
sz - ISAKMP_ID_DATA_OFF);
break;
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 66f45762a71..d797a223327 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.39 2001/02/24 03:59:55 angelos Exp $ */
+/* $OpenBSD: ipsec.c,v 1.40 2001/03/07 07:33:53 angelos Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -2108,6 +2108,7 @@ ipsec_id_size (char *section, u_int8_t *id)
return 2 * sizeof (in_addr_t);
case IPSEC_ID_FQDN:
case IPSEC_ID_USER_FQDN:
+ case IPSEC_ID_KEY_ID:
data = conf_get_str (section, "Name");
if (!data)
{
diff --git a/sbin/isakmpd/isakmpd.conf.5 b/sbin/isakmpd/isakmpd.conf.5
index 56eb8af64b7..79c14febd10 100644
--- a/sbin/isakmpd/isakmpd.conf.5
+++ b/sbin/isakmpd/isakmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.conf.5,v 1.48 2001/01/27 12:03:33 niklas Exp $
+.\" $OpenBSD: isakmpd.conf.5,v 1.49 2001/03/07 07:33:53 angelos Exp $
.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -321,8 +321,9 @@ For Phase 1 this is currently
.Li IPV4_ADDR ,
.Li IPV4_ADDR_SUBNET ,
.Li FQDN ,
+.Li USER_FQDN ,
or
-.Li USER_FQDN .
+.Li KEY_ID .
.It Em Address
If the ID-type is
.Li IPV4_ADDR ,
@@ -339,11 +340,12 @@ this tag should exist and
be a network subnet mask.
.It Em Name
If the ID-type is
-.Li FQDN
-or
+.Li FQDN ,
.Li USER_FQDN ,
-this tag should exist and contain a domain name or a user@domain
-string respectively.
+or
+.Li KEY_ID ,
+this tag should exist and contain a domain name, user@domain, or
+other identifying string respectively.
.El
.It Em <ISAKMP-configuration>
.Bl -tag -width 12n
diff --git a/sbin/isakmpd/isakmpd.policy.5 b/sbin/isakmpd/isakmpd.policy.5
index b71092123c5..a0c7ee6e271 100644
--- a/sbin/isakmpd/isakmpd.policy.5
+++ b/sbin/isakmpd/isakmpd.policy.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.policy.5,v 1.16 2001/02/19 16:58:05 angelos Exp $
+.\" $OpenBSD: isakmpd.policy.5,v 1.17 2001/03/07 07:33:53 angelos Exp $
.\" $EOM: isakmpd.policy.5,v 1.24 2000/11/23 12:55:25 niklas Exp $
.\"
.\" Copyright (c) 1999, Angelos D. Keromytis. All rights reserved.
@@ -460,6 +460,8 @@ subnet, these are set to the upper and lower part of the address
space separated by a dash ('-') character (if the type specifies a
single address, they are set to that address).
For FQDN and User FQDN types, these are set to the respective string.
+For Key ID, these are set to the hexadecimal representation of the
+associated byte string (lower-case letters used).
.It remote_filter_port, local_filter_port, remote_id_port
Set to the transport protocol port.
.It remote_filter_proto, local_filter_proto, remote_id_proto
diff --git a/sbin/isakmpd/policy.c b/sbin/isakmpd/policy.c
index b8e514ba19e..de1498812cb 100644
--- a/sbin/isakmpd/policy.c
+++ b/sbin/isakmpd/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.21 2001/01/27 12:03:34 niklas Exp $ */
+/* $OpenBSD: policy.c,v 1.22 2001/03/07 07:33:53 angelos Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
@@ -132,6 +132,11 @@ struct exchange *policy_exchange = 0;
struct sa *policy_sa = 0;
struct sa *policy_isakmp_sa = 0;
+static const char hextab[] = {
+ '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
+};
+
/*
* Adaptation of Vixie's inet_ntop4 ()
*/
@@ -167,7 +172,7 @@ policy_callback (char *name)
struct sockaddr_in *sin;
struct ipsec_exch *ie;
struct ipsec_sa *is;
- int fmt, lifetype = 0;
+ int fmt, i, lifetype = 0;
in_addr_t net, subnet;
u_int16_t len, type;
time_t tt;
@@ -786,8 +791,22 @@ policy_callback (char *name)
remote_id_type = "ASN1 GN";
break;
- case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */
+ case IPSEC_ID_KEY_ID:
remote_id_type = "Key ID";
+ remote_id = calloc (2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) +
+ 1, sizeof (char));
+ if (!remote_id)
+ {
+ log_print ("policy_callback: calloc (%d, %d) failed",
+ 2 * (id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1,
+ sizeof (char));
+ goto bad;
+ }
+ for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; i++)
+ {
+ remote_id[2 * i] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4];
+ remote_id[2 * i + 1] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF];
+ }
break;
default:
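Review bot: The hex-encoding loop on L157-L158 never applies the loop index to the source pointer, so every output pair encodes the same first byte of the ID; the two lines should read `remote_id[2 * i] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i) >> 4];` and `remote_id[2 * i + 1] = hextab[*(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + i) & 0xF];`. The same omission appears in the remote_filter loop (L176-L177, `idremote + ISAKMP_ID_DATA_OFF + i`) and the local_filter loop (L195-L196, `idlocal + ISAKMP_ID_DATA_OFF + i`), so the lower-case hex string promised in isakmpd.policy.5 is wrong in all three places. If `id` is not declared as an unsigned byte pointer, the `>> 4` index into hextab should go through `(unsigned char)` to avoid a negative subscript for bytes above 0x7f — worth confirming against the declaration. policy_callback begins and ends outside this hunk.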
@@ -966,8 +985,19 @@ policy_callback (char *name)
remote_filter_type = "ASN1 GN";
break;
- case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */
+ case IPSEC_ID_KEY_ID:
remote_filter_type = "Key ID";
+ remote_filter = calloc (2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char));
+ if (!remote_filter)
+ {
+ log_print ("policy_callback: calloc (%d, %d) failed", 2 * (idremotesz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char));
+ goto bad;
+ }
+ for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF; i++)
+ {
+ remote_filter[2 * i] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) >> 4];
+ remote_filter[2 * i + 1] = hextab[*(idremote + ISAKMP_ID_DATA_OFF) & 0xF];
+ }
break;
default:
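Review bot: The allocation on L168 is sized from `idremotesz`, but the loop on L174 is bounded by `id_sz`, so whenever the ISAKMP SA ID is longer than the remote filter ID the loop writes past the calloc'd buffer; the bound should be `for (i = 0; i < idremotesz - ISAKMP_ID_DATA_OFF; i++)`. The local_filter hunk below has the same mismatch on L193, where the bound should be `idlocalsz - ISAKMP_ID_DATA_OFF` to match the allocation on L187. Separately, the log_print calls on L171 and L190 (and L150-L152) pass `sizeof (char)`, a size_t, to a `%d` conversion; casting it or printing the literal size keeps the format and argument types consistent. policy_callback begins and ends outside this hunk.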
@@ -1149,8 +1179,19 @@ policy_callback (char *name)
local_filter_type = "ASN1 GN";
break;
- case IPSEC_ID_KEY_ID: /* XXX -- hex-encode this. */
+ case IPSEC_ID_KEY_ID:
local_filter_type = "Key ID";
+ local_filter = calloc (2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char));
+ if (!local_filter)
+ {
+ log_print ("policy_callback: calloc (%d, %d) failed", 2 * (idlocalsz - ISAKMP_ID_DATA_OFF) + 1, sizeof (char));
+ goto bad;
+ }
+ for (i = 0; i < id_sz - ISAKMP_ID_DATA_OFF; i++)
+ {
+ local_filter[2 * i] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) >> 4];
+ local_filter[2 * i + 1] = hextab[*(idlocal + ISAKMP_ID_DATA_OFF) & 0xF];
+ }
break;
default: