author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2008-07-01 15:00:55 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2008-07-01 15:00:55 +0000 |
commit | ec17add7bc79551b55da5b3f390fa5e620127244 (patch) | |
tree | d6dd3dac752697b62aeac06e0d235f2631a6fcfd /sbin | |
parent | 9c78cb2146f35e6ffd5b0e0a09831b3f586c8f15 (diff) |
Isakmpd acquire mode did not work with a config generated from
ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipsecctl/ike.c | 241 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.c | 4 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 3 | ||||
-rw-r--r-- | sbin/isakmpd/pf_key_v2.c | 166 |
4 files changed, 225 insertions, 189 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c index 12464bf84e9..0569c409a79 100644 --- a/sbin/ipsecctl/ike.c +++ b/sbin/ipsecctl/ike.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike.c,v 1.63 2008/02/22 23:51:31 hshoexer Exp $ */ +/* $OpenBSD: ike.c,v 1.64 2008/07/01 15:00:53 bluhm Exp $ */ /* * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -79,30 +79,21 @@ ike_section_general(struct ipsec_rule *r, FILE *fd) static void ike_section_peer(struct ipsec_rule *r, FILE *fd) { - if (r->peer) { - fprintf(fd, SET "[Phase 1]:%s=peer-%s force\n", r->peer->name, - r->peer->name); - fprintf(fd, SET "[peer-%s]:Phase=1 force\n", r->peer->name); - fprintf(fd, SET "[peer-%s]:Address=%s force\n", r->peer->name, + if (r->peer) + fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name, + r->p1name); + else + fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name); + fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name); + if (r->peer) + fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name, r->peer->name); - if (r->local) - fprintf(fd, SET "[peer-%s]:Local-address=%s force\n", - r->peer->name, r->local->name); - if (r->ikeauth->type == IKE_AUTH_PSK) - fprintf(fd, SET "[peer-%s]:Authentication=%s force\n", - r->peer->name, r->ikeauth->string); - } else { - fprintf(fd, SET "[Phase 1]:Default=peer-default force\n"); - fprintf(fd, SET "[peer-default]:Phase=1 force\n"); - if (r->local) - fprintf(fd, SET - "[peer-default]:Local-address=%s force\n", - r->local->name); - if (r->ikeauth->type == IKE_AUTH_PSK) - fprintf(fd, SET - "[peer-default]:Authentication=%s force\n", - r->ikeauth->string); - } + if (r->local) + fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name, + r->local->name); + if (r->ikeauth->type == IKE_AUTH_PSK) + fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name, + r->ikeauth->string); } static void 
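Review bot: ike_section_peer() now prints r->p1name in every branch without any indication of where it comes from; the hunk does not show the ike_setup_ids() call that fills it, and a NULL there would reach fprintf's `%s`. A one-line contract at the top of the function, `/* r->p1name must already have been set by ike_setup_ids() */`, would tell the next reader what the precondition is. As a point of style, r->peer is tested twice in the new body (once for the `Default=`/peer line, once for the `Address=` line); folding the `Address` write into the first `if (r->peer)` branch keeps the peer/no-peer decision in one place. The rest of the function is inside the hunk, only the trailing `static void` of the next definition is cut.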
@@ -120,69 +111,44 @@ ike_section_ids(struct ipsec_rule *r, FILE *fd) err(1, "ike_section_ids: strdup"); } if (r->auth->srcid) { - if (r->peer) - fprintf(fd, SET "[peer-%s]:ID=%s-ID force\n", - r->peer->name, r->auth->srcid); - else - fprintf(fd, SET "[peer-default]:ID=%s-ID force\n", - r->auth->srcid); - - fprintf(fd, SET "[%s-ID]:ID-type=%s force\n", r->auth->srcid, + fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name, + r->auth->srcid); + fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid, ike_id_types[r->auth->srcid_type]); - fprintf(fd, SET "[%s-ID]:Name=%s force\n", r->auth->srcid, + fprintf(fd, SET "[id-%s]:Name=%s force\n", r->auth->srcid, r->auth->srcid); } if (r->auth->dstid) { - if (r->peer) { - fprintf(fd, SET "[peer-%s]:Remote-ID=%s-ID force\n", - r->peer->name, r->peer->name); - fprintf(fd, SET "[%s-ID]:ID-type=%s force\n", - r->peer->name, ike_id_types[r->auth->dstid_type]); - fprintf(fd, SET "[%s-ID]:Name=%s force\n", r->peer->name, - r->auth->dstid); - } else { - fprintf(fd, SET - "[peer-default]:Remote-ID=default-ID force\n"); - fprintf(fd, SET "[default-ID]:ID-type=%s force\n", - ike_id_types[r->auth->dstid_type]); - fprintf(fd, SET "[default-ID]:Name=%s force\n", - r->auth->dstid); - } + fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name, + r->auth->dstid); + fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid, + ike_id_types[r->auth->dstid_type]); + fprintf(fd, SET "[id-%s]:Name=%s force\n", r->auth->dstid, + r->auth->dstid); } } static void ike_section_ipsec(struct ipsec_rule *r, FILE *fd) { - fprintf(fd, SET "[IPsec-%s]:Phase=2 force\n", r->p2name); - - if (r->peer) - fprintf(fd, SET "[IPsec-%s]:ISAKMP-peer=peer-%s force\n", - r->p2name, r->peer->name); - else - fprintf(fd, SET - "[IPsec-%s]:ISAKMP-peer=peer-default force\n", r->p2name); - - fprintf(fd, SET "[IPsec-%s]:Configuration=qm-%s force\n", r->p2name, + fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name); + fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", 
r->p2name, r->p1name); + fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name, r->p2name); - fprintf(fd, SET "[IPsec-%s]:Local-ID=lid-%s force\n", r->p2name, - r->p2lid); - fprintf(fd, SET "[IPsec-%s]:Remote-ID=rid-%s force\n", r->p2name, - r->p2rid); + fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid); + fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid); if (r->tag) - fprintf(fd, SET "[IPsec-%s]:PF-Tag=%s force\n", r->p2name, - r->tag); + fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); } static int ike_section_p2(struct ipsec_rule *r, FILE *fd) { - char *tag, *exchange_type, *sprefix; + char *exchange_type, *sprefix; switch (r->p2ie) { case IKE_QM: - tag = "qm"; exchange_type = "QUICK_MODE"; sprefix = "QM"; break; @@ -191,9 +157,9 @@ ike_section_p2(struct ipsec_rule *r, FILE *fd) return (-1); } - fprintf(fd, SET "[%s-%s]:EXCHANGE_TYPE=%s force\n", tag, r->p2name, + fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name, exchange_type); - fprintf(fd, SET "[%s-%s]:Suites=%s-", tag, r->p2name, sprefix); + fprintf(fd, SET "[phase2-%s]:Suites=%s-", r->p2name, sprefix); switch (r->satype) { case IPSEC_ESP: @@ -334,15 +300,13 @@ ike_section_p2(struct ipsec_rule *r, FILE *fd) static int ike_section_p1(struct ipsec_rule *r, FILE *fd) { - char *tag, *exchange_type; + char *exchange_type; switch (r->p1ie) { case IKE_MM: - tag = "mm"; exchange_type = "ID_PROT"; break; case IKE_AM: - tag = "am"; exchange_type = "AGGRESSIVE"; break; default: 
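Review bot: In ike_section_ids both ID sections are now keyed by the ID string alone (`[id-%s]` with r->auth->srcid and again with r->auth->dstid), whereas before the remote one was keyed by the peer name. If a rule's srcid and dstid are the same string with different types, the three Remote-ID writes overwrite the Local-ID section's `ID-type` because every line uses `force`; I cannot tell from the hunk whether the parser rejects that combination. If it does not, either a check here or at least a comment such as `/* srcid and dstid share the id- namespace; equal strings collapse into one section */` would make the constraint visible. ike_section_ids starts before the hunk (the first visible line is its strdup error path).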
@@ -350,19 +314,11 @@ ike_section_p1(struct ipsec_rule *r, FILE *fd) return (-1); } - if (r->peer) { - fprintf(fd, SET "[peer-%s]:Configuration=%s-%s force\n", - r->peer->name, tag, r->peer->name); - fprintf(fd, SET "[%s-%s]:EXCHANGE_TYPE=%s force\n", - tag, r->peer->name, exchange_type); - fprintf(fd, ADD "[%s-%s]:Transforms=", tag, r->peer->name); - } else { - fprintf(fd, SET - "[peer-default]:Configuration=%s-default force\n", tag); - fprintf(fd, SET "[%s-default]:EXCHANGE_TYPE=%s force\n", - tag, exchange_type); - fprintf(fd, ADD "[%s-default]:Transforms=", tag); - } + fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name, + r->p1name); + fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name, + exchange_type); + fprintf(fd, ADD "[phase1-%s]:Transforms=", r->p1name); if (r->p1xfs && r->p1xfs->encxf) { switch (r->p1xfs->encxf->id) { @@ -497,19 +453,19 @@ ike_section_p2ids(struct ipsec_rule *r, FILE *fd) if ((p = strrchr(network, '/')) != NULL) *p = '\0'; - fprintf(fd, SET "[lid-%s]:ID-type=IPV%d_ADDR_SUBNET force\n", + fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", r->p2lid, ((src->af == AF_INET) ? 4 : 6)); - fprintf(fd, SET "[lid-%s]:Network=%s force\n", r->p2lid, + fprintf(fd, SET "[%s]:Network=%s force\n", r->p2lid, network); - fprintf(fd, SET "[lid-%s]:Netmask=%s force\n", r->p2lid, mask); + fprintf(fd, SET "[%s]:Netmask=%s force\n", r->p2lid, mask); free(network); } else { - fprintf(fd, SET "[lid-%s]:ID-type=IPV%d_ADDR force\n", + fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", r->p2lid, ((src->af == AF_INET) ? 4 : 6)); if ((p = strrchr(src->name, '/')) != NULL) *p = '\0'; - fprintf(fd, SET "[lid-%s]:Address=%s force\n", r->p2lid, + fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid, src->name); } if (dst->netaddress) { 
@@ -539,32 +495,32 @@ ike_section_p2ids(struct ipsec_rule *r, FILE *fd) if ((p = strrchr(network, '/')) != NULL) *p = '\0'; - fprintf(fd, SET "[rid-%s]:ID-type=IPV%d_ADDR_SUBNET force\n", + fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); - fprintf(fd, SET "[rid-%s]:Network=%s force\n", r->p2rid, + fprintf(fd, SET "[%s]:Network=%s force\n", r->p2rid, network); - fprintf(fd, SET "[rid-%s]:Netmask=%s force\n", r->p2rid, mask); + fprintf(fd, SET "[%s]:Netmask=%s force\n", r->p2rid, mask); free(network); } else { - fprintf(fd, SET "[rid-%s]:ID-type=IPV%d_ADDR force\n", + fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); if ((p = strrchr(dst->name, '/')) != NULL) *p = '\0'; - fprintf(fd, SET "[rid-%s]:Address=%s force\n", r->p2rid, + fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid, dst->name); } if (r->proto) { - fprintf(fd, SET "[lid-%s]:Protocol=%d force\n", + fprintf(fd, SET "[%s]:Protocol=%d force\n", r->p2lid, r->proto); - fprintf(fd, SET "[rid-%s]:Protocol=%d force\n", + fprintf(fd, SET "[%s]:Protocol=%d force\n", r->p2rid, r->proto); } if (r->sport) - fprintf(fd, SET "[lid-%s]:Port=%d force\n", r->p2lid, + fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid, ntohs(r->sport)); if (r->dport) - fprintf(fd, SET "[rid-%s]:Port=%d force\n", r->p2rid, + fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid, ntohs(r->dport)); } @@ -574,10 +530,10 @@ ike_connect(struct ipsec_rule *r, FILE *fd) switch (r->ikemode) { case IKE_ACTIVE: case IKE_DYNAMIC: - fprintf(fd, ADD "[Phase 2]:Connections=IPsec-%s\n", r->p2name); + fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name); break; case IKE_PASSIVE: - fprintf(fd, ADD "[Phase 2]:Passive-Connections=IPsec-%s\n", + fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n", r->p2name); break; default: 
@@ -615,20 +571,19 @@ ike_delete_config(struct ipsec_rule *r, FILE *fd) switch (r->ikemode) { case IKE_ACTIVE: case IKE_DYNAMIC: - fprintf(fd, "t IPsec-%s\n", r->p2name); + fprintf(fd, "t %s\n", r->p2name); break; case IKE_PASSIVE: fprintf(fd, DELETE "[Phase 2]\n"); - fprintf(fd, "t IPsec-%s\n", r->p2name); + fprintf(fd, "t %s\n", r->p2name); break; default: return (-1); } if (r->peer) { - fprintf(fd, DELETE "[peer-%s]\n", r->peer->name); - fprintf(fd, DELETE "[mm-%s]\n", r->peer->name); - fprintf(fd, DELETE "[am-%s]\n", r->peer->name); + fprintf(fd, DELETE "[%s]\n", r->p1name); + fprintf(fd, DELETE "[phase1-%s]\n", r->p1name); } if (r->auth) { if (r->auth->srcid) @@ -636,26 +591,26 @@ ike_delete_config(struct ipsec_rule *r, FILE *fd) if (r->auth->dstid) fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid); } - fprintf(fd, DELETE "[IPsec-%s]\n", r->p2name); - fprintf(fd, DELETE "[qm-%s]\n", r->p2name); - fprintf(fd, DELETE "[lid-%s]\n", r->p2lid); - fprintf(fd, DELETE "[rid-%s]\n", r->p2rid); + fprintf(fd, DELETE "[%s]\n", r->p2name); + fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); + fprintf(fd, DELETE "[%s]\n", r->p2lid); + fprintf(fd, DELETE "[%s]\n", r->p2rid); #else - fprintf(fd, "t IPsec-%s\n", r->p2name); + fprintf(fd, "t %s\n", r->p2name); switch (r->ikemode) { case IKE_ACTIVE: case IKE_DYNAMIC: - fprintf(fd, RMV "[Phase 2]:Connections=IPsec-%s\n", r->p2name); + fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name); break; case IKE_PASSIVE: - fprintf(fd, RMV "[Phase 2]:Passive-Connections=IPsec-%s\n", + fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n", r->p2name); break; default: return (-1); } - fprintf(fd, DELETE "[IPsec-%s]\n", r->p2name); - fprintf(fd, DELETE "[qm-%s]\n", r->p2name); + fprintf(fd, DELETE "[%s]\n", r->p2name); + fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); #endif return (0); 
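Review bot: ike_delete_config still deletes the ID sections under their old names: the unchanged context at the start of the second hunk on this line reads `fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid);`, while ike_section_ids now creates those sections as `[id-%s]`. After this commit deleting a rule leaves the `[id-…]` sections behind in isakmpd's configuration, and the `[%s-ID]` delete targets a section that no longer exists. The dstid line should become `fprintf(fd, DELETE "[id-%s]\n", r->auth->dstid);`; the srcid line sits between the two hunks and is not visible, but presumably needs the same change. The same stale name would also apply to the `#else` branch if it deletes IDs there, which is outside the hunk.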
@@ -664,32 +619,42 @@ ike_delete_config(struct ipsec_rule *r, FILE *fd) static void ike_setup_ids(struct ipsec_rule *r) { - if (r->proto) { - if (asprintf(&r->p2lid, "%s:%d-%d", r->src->name, - ntohs(r->sport), r->proto) == -1) - err(1, "ike_setup_ids"); - if (asprintf(&r->p2rid, "%s:%d-%d", r->dst->name, - ntohs(r->dport), r->proto) == -1) - err(1, "ike_setup_ids"); - } else { - if (r->sport) { - if (asprintf(&r->p2lid, "%s:%d", r->src->name, - ntohs(r->sport)) == -1) - err(1, "ike_setup_ids"); - } else { - if ((r->p2lid = strdup(r->src->name)) == NULL) - err(1, "ike_setup_ids"); - } - if (r->dport) { - if (asprintf(&r->p2rid, "%s:%d", r->dst->name, - ntohs(r->dport)) == -1) + char sproto[10], ssport[10], sdport[10]; + + /* phase 1 name is peer and local address */ + if (r->peer) { + if (r->local) { + /* peer-dstaddr-local-srcaddr */ + if (asprintf(&r->p1name, "peer-%s-local-%s", + r->peer->name, r->local->name) == -1) err(1, "ike_setup_ids"); - } else { - if ((r->p2rid = strdup(r->dst->name)) == NULL) + } else + /* peer-dstaddr */ + if (asprintf(&r->p1name, "peer-%s", + r->peer->name) == -1) err(1, "ike_setup_ids"); - } - } - if (asprintf(&r->p2name, "%s-%s", r->p2lid, r->p2rid) == -1) + } else + if ((r->p1name = strdup("peer-default")) == NULL) + err(1, "ike_setup_ids"); + + /* Phase 2 name is from and to network, protocol, port*/ + sproto[0] = ssport[0] = sdport[0] = 0; + if (r->proto) + snprintf(sproto, sizeof sproto, "=%u", r->proto); + if (r->sport) + snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport)); + if (r->dport) + snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport)); + /* from-network/masklen=proto:port */ + if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name, sproto, ssport) + == -1) + err(1, "ike_setup_ids"); + /* to-network/masklen=proto:port */ + if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name, sproto, sdport) + == -1) + err(1, "ike_setup_ids"); + /* from-network/masklen=proto:port-to-network/masklen=proto:port */ + if 
(asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1) err(1, "ike_setup_ids"); } diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c index 33b04468e45..4defd1ada4b 100644 --- a/sbin/ipsecctl/ipsecctl.c +++ b/sbin/ipsecctl/ipsecctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.c,v 1.69 2007/10/13 16:35:18 deraadt Exp $ */ +/* $OpenBSD: ipsecctl.c,v 1.70 2008/07/01 15:00:53 bluhm Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -240,6 +240,8 @@ ipsecctl_free_rule(struct ipsec_rule *rp) free(rp->enckey->data); free(rp->enckey); } + if (rp->p1name) + free(rp->p1name); if (rp->p2name) free(rp->p2name); if (rp->p2lid) diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h index 8c2e1142f63..52af45c08ff 100644 --- a/sbin/ipsecctl/ipsecctl.h +++ b/sbin/ipsecctl/ipsecctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.h,v 1.56 2008/02/22 23:51:31 hshoexer Exp $ */ +/* $OpenBSD: ipsecctl.h,v 1.57 2008/07/01 15:00:53 bluhm Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -185,6 +185,7 @@ struct ipsec_rule { struct ipsec_key *enckey; char *tag; /* pf tag for SAs */ + char *p1name; /* Phase 1 Name */ char *p2name; /* Phase 2 Name (IPsec-XX) */ char *p2lid; /* Phase 2 source ID */ char *p2rid; /* Phase 2 destination ID */ diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c index 4ceb71b8620..00e22ca0085 100644 --- a/sbin/isakmpd/pf_key_v2.c +++ b/sbin/isakmpd/pf_key_v2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_key_v2.c,v 1.183 2008/06/10 17:25:57 bluhm Exp $ */ +/* $OpenBSD: pf_key_v2.c,v 1.184 2008/07/01 15:00:53 bluhm Exp $ */ /* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ /* 
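Review bot: The new phase 1 branch in ike_setup_ids uses an unbraced `else` whose body is a comment followed by an `if` that itself carries an unbraced `err()` body (`} else /* peer-dstaddr */ if (asprintf(&r->p1name, "peer-%s", …`), and the outer `} else if ((r->p1name = strdup("peer-default")) == NULL)` repeats the pattern; bracing both `else` bodies would keep the three cases visually parallel and avoid a dangling-else surprise if a line is added later. The comment `/* Phase 2 name is from and to network, protocol, port*/` is missing a space before `*/`. Since the whole point of these names is textual agreement with isakmpd, a comment on the p2lid/p2rid lines such as `/* must stay byte-identical to phase2id() in isakmpd/pf_key_v2.c */` would stop a future rename on one side only; whether r->src->name already carries the `/masklen` suffix in the same form isakmpd prints is not visible here.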
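Review bot: The comment on the context line right after the added field in ipsecctl.h is now stale: `char *p2name; /* Phase 2 Name (IPsec-XX) */` describes the old `IPsec-` prefix, which ike.c no longer emits; ike_setup_ids now builds it as `from-…-to-…`. Suggest `char *p2name; /* Phase 2 Name (from-XX-to-YY) */` and, for the new field, the same level of detail: `char *p1name; /* Phase 1 Name (peer-XX[-local-YY]) */`, so the naming scheme that both programs must agree on is documented where the fields live.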
@@ -2431,6 +2431,57 @@ pf_key_v2_expire(struct pf_key_v2_msg *pmsg) } } +static int +mask4len(const struct sockaddr_in *mask) +{ + int len; + u_int32_t m; + + len = 0; + for (m = 0x80000000; m & ntohl(mask->sin_addr.s_addr); m >>= 1) + len++; + if (len == 32) + len = -1; + return len; +} + +#ifndef s6_addr8 +#define s6_addr8 __u6_addr.__u6_addr8 +#endif + +static int +mask6len(const struct sockaddr_in6 *mask) +{ + int i, len; + u_int8_t m; + + len = 0; + for (i = 0, m = 0; i < 16 && !m; i++) + for (m = 0x80; m & mask->sin6_addr.s6_addr8[i]; m >>= 1) + len++; + if (len == 128) + len = -1; + return len; +} + +static int +phase2id(char *str, size_t size, const char *side, const char *sflow, + int masklen, u_int8_t proto, u_int16_t port) +{ + char smasklen[10], sproto[10], sport[10]; + + smasklen[0] = sproto[0] = sport[0] = 0; + if (masklen != -1) + snprintf(smasklen, sizeof smasklen, "/%d", masklen); + if (proto) + snprintf(sproto, sizeof sproto, "=%u", proto); + if (port) + snprintf(sport, sizeof sport, ":%u", ntohs(port)); + + return snprintf(str, size, "%s-%s%s%s%s", side, sflow, smasklen, + sproto, sport); +} + /* Handle a PF_KEY SA ACQUIRE message PMSG. */ static void pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) @@ -2451,8 +2502,9 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) struct sadb_protocol *sproto; char ssflow[ADDRESS_MAX], sdflow[ADDRESS_MAX]; char sdmask[ADDRESS_MAX], ssmask[ADDRESS_MAX]; + int dmasklen, smasklen; char *sidtype = 0, *didtype = 0; - char lname[100], dname[100], configname[30]; + char lname[100], dname[100], configname[200]; int shostflag = 0, dhostflag = 0; struct pf_key_v2_node *ext; struct passwd *pwd = 0; @@ -2569,6 +2621,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) bzero(sdflow, sizeof sdflow); bzero(ssmask, sizeof ssmask); bzero(sdmask, sizeof sdmask); + smasklen = dmasklen = -1; sidtype = didtype = "IPV4_ADDR_SUBNET"; /* default */ 
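Review bot: mask4len() and mask6len() are undocumented, and their `-1` return is a sentinel that phase2id() later reads as "host address, omit the /len part"; a header comment on each, `/* Prefix length of a contiguous netmask, or -1 for an all-ones (host) mask. */`, would state that contract at the definitions. Both helpers only count the leading run of one bits, so a non-contiguous mask is silently reported as its prefix; that is fine for PF_KEY netmasks but worth a sentence in the same comment. mask6len's outer loop condition `i < 16 && !m` is correct but subtle (m is left 0 after a fully set byte and non-zero once a 0 bit ends the run), and deserves a one-line comment saying exactly that. phase2id() returns the snprintf() length, so its comment should say that callers are expected to check it against `size`.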
@@ -2600,6 +2653,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) log_print("pf_key_v2_acquire: inet_ntop failed"); goto fail; } + smasklen = mask4len((struct sockaddr_in *) smask); + dmasklen = mask4len((struct sockaddr_in *) dmask); if (((struct sockaddr_in *) smask)->sin_addr.s_addr == INADDR_BROADCAST) { shostflag = 1; @@ -2639,6 +2694,8 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) log_print("pf_key_v2_acquire: inet_ntop failed"); goto fail; } + smasklen = mask6len((struct sockaddr_in6 *) smask); + dmasklen = mask6len((struct sockaddr_in6 *) dmask); sidtype = didtype = "IPV6_ADDR_SUBNET"; if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *)smask)->sin6_addr)) { shostflag = 1; @@ -2773,7 +2830,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) * then dup. */ *srcid = '\0'; - if (asprintf(&srcid, "ID:Address/%s", + if (asprintf(&srcid, "id-%s", (char *) (srcident + 1)) == -1) { log_error("pf_key_v2_acquire: asprintf() failed"); goto fail; @@ -2846,7 +2903,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) } } } - if (asprintf(&srcid, "ID:%s/%s", prefstring, + if (asprintf(&srcid, "id-%s", slen ? (char *) (srcident + 1) : pwd->pw_name) == -1) { log_error("pf_key_v2_acquire: asprintf() failed"); goto fail; @@ -2860,8 +2917,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) 1, 0) || conf_set(af, srcid, "Refcount", "1", 1, 0) || conf_set(af, srcid, "Name", - srcid + sizeof "ID:/" - 1 + - strlen(prefstring), 1, 0)) { + srcid + 3, 1, 0)) { conf_end(af, 0); goto fail; } @@ -2922,7 +2978,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) * then dup. */ *dstid = '\0'; - if (asprintf(&dstid, "ID:Address/%s", + if (asprintf(&dstid, "id-%s", (char *) (dstident + 1)) == -1) { log_error("pf_key_v2_acquire: asprintf() failed"); goto fail; 
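Review bot: `srcid + 3` in the conf_set("Name") call of the `@@ -2860` hunk hard-codes the length of the `id-` prefix written by the asprintf two hunks earlier; the code it replaces derived the offset from the format with `sizeof "ID:/" - 1`. Keeping that coupling explicit, `srcid + sizeof "id-" - 1, 1, 0)) {`, means a later change of the prefix cannot desynchronise the two. The same applies to `dstid + 3` in the `@@ -3008` hunk on the next line.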
@@ -2994,7 +3050,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) } } } - if (asprintf(&dstid, "ID:%s/%s", prefstring, + if (asprintf(&dstid, "id-%s", slen ? (char *) (dstident + 1) : pwd->pw_name) == -1) { log_error("pf_key_v2_acquire: asprintf() failed"); goto fail; @@ -3008,8 +3064,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) 1, 0) || conf_set(af, dstid, "Refcount", "1", 1, 0) || conf_set(af, dstid, "Name", - dstid + sizeof "ID:/" - 1 + - strlen(prefstring), 1, 0)) { + dstid + 3, 1, 0)) { conf_end(af, 0); goto fail; } @@ -3034,12 +3089,9 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) /* Get a new connection sequence number. */ for (;; connection_seq++) { snprintf(conn, connlen, "Connection-%u", connection_seq); - snprintf(configname, sizeof configname, "Config-Phase2-%u", - connection_seq); /* Does it exist ? */ - if (!conf_get_str(conn, "Phase") && - !conf_get_str(configname, "Suites")) + if (!conf_get_str(conn, "Phase")) break; } 
@@ -3052,31 +3104,24 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) * - Configuration * * Also set the following section: - * [Peer-dstaddr(/srcaddr)(-srcid)(/dstid)] + * [peer-dstaddr(-local-srcaddr)] * with these fields: * - Phase * - ID (if provided) * - Remote-ID (if provided) * - Local-address (if provided) * - Address - * - Configuration (if an entry ISAKMP-configuration-dstaddr(/srcaddr) + * - Configuration (if an entry phase1-dstaddr-srcadd) * exists -- otherwise use the defaults) */ /* * The various cases: - * - Peer-dstaddr - * - Peer-dstaddr/srcaddr - * - Peer-dstaddr/srcaddr-srcid - * - Peer-dstaddr/srcaddr-srcid/dstid - * - Peer-dstaddr/srcaddr-/dstid - * - Peer-dstaddr-srcid/dstid - * - Peer-dstaddr-/dstid - * - Peer-dstaddr-srcid + * - peer-dstaddr + * - peer-dstaddr-local-srcaddr */ - if (asprintf(&peer, "Peer-%s%s%s%s%s%s%s", dstbuf, srcaddr ? "/" : "", - srcaddr ? srcbuf : "", srcid ? "-" : "", srcid ? srcid : "", - dstid ? (srcid ? "/" : "-/") : "", dstid ? dstid : "") == -1) + if (asprintf(&peer, "peer-%s%s%s", dstbuf, srcaddr ? "-local-" : "", + srcaddr ? srcbuf : "") == -1) goto fail; /* @@ -3097,9 +3142,16 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) conf_end(af, 0); goto fail; } - /* Set Phase 2 IDs -- this is the Local-ID section. */ - snprintf(lname, sizeof lname, "Phase2-ID:%s/%s/%u/%u", ssflow, ssmask, - tproto, sport); + /* + * Set Phase 2 IDs -- this is the Local-ID section. + * - from-address + * - from-address=proto + * - from-address=proto:port + * - from-network/masklen + * - from-network/masklen=proto + * - from-network/masklen=proto:port + */ + phase2id(lname, sizeof lname, "from", ssflow, smasklen, tproto, sport); if (conf_set(af, conn, "Local-ID", lname, 0, 0)) { conf_end(af, 0); goto fail; 
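Review bot: The rewritten comment says the Configuration entry is `phase1-dstaddr-srcadd`, but the section name actually built in the `@@ -3229` hunk is `phase1-` followed by the peer name, i.e. `phase1-peer-dstaddr(-local-srcaddr)`; besides the dropped `r` the form does not match the code it describes. Suggest ` * - Configuration (if an entry phase1-peer-dstaddr(-local-srcaddr)` on that line, with the following ` * exists -- otherwise use the defaults)` unchanged. The enclosing function continues outside the hunk on both sides.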
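Review bot: `phase2id(lname, sizeof lname, "from", ssflow, smasklen, tproto, sport);` discards the snprintf() length that phase2id() returns, so a truncated name would be used as a Local-ID section silently and would then never match the name ipsecctl generated. With lname[100] and ADDRESS_MAX-sized flow strings this may be unreachable today, but exact textual agreement between the two programs is the whole purpose of the change, so fail loudly: `if (phase2id(lname, sizeof lname, "from", ssflow, smasklen, tproto, sport) >= (int)sizeof lname) goto fail;` (on two lines, in the file's style). The Remote-ID call in the `@@ -3141` hunk on the next line needs the same check.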
@@ -3141,9 +3193,16 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) } else pf_key_v2_conf_refinc(af, lname); - /* Set Remote-ID section. */ - snprintf(dname, sizeof dname, "Phase2-ID:%s/%s/%u/%u", sdflow, sdmask, - tproto, dport); + /* + * Set Remote-ID section. + * to-address + * to-address=proto + * to-address=proto:port + * to-network/masklen + * to-network/masklen=proto + * to-network/masklen=proto:port + */ + phase2id(dname, sizeof dname, "to", sdflow, dmasklen, tproto, dport); if (conf_set(af, conn, "Remote-ID", dname, 0, 0)) { conf_end(af, 0); goto fail; 
@@ -3192,27 +3251,37 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) * At least, we should make this selectable. */ - /* Phase 2 configuration. */ + /* + * Phase 2 configuration. + * - phase2-from-address-to-address + * - ... + * - phase2-from-net/len=proto:port-to-net/len=proto:port + */ + snprintf(configname, sizeof configname, "phase2-%s-%s", lname, dname); if (conf_set(af, conn, "Configuration", configname, 0, 0)) { conf_end(af, 0); goto fail; } - if (conf_set(af, configname, "Exchange_type", "Quick_mode", 0, 0) || - conf_set(af, configname, "DOI", "IPSEC", 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (conf_get_str("General", "Default-phase-2-suites")) { - if (conf_set(af, configname, "Suites", - conf_get_str("General", "Default-phase-2-suites"), 0, 0)) { + if (!conf_get_str(configname, "Exchange_type")) { + if (conf_set(af, configname, "Exchange_type", "Quick_mode", + 0, 0) || + conf_set(af, configname, "DOI", "IPSEC", 0, 0)) { conf_end(af, 0); goto fail; } - } else { - if (conf_set(af, configname, "Suites", - "QM-ESP-3DES-SHA-PFS-SUITE", 0, 0)) { - conf_end(af, 0); - goto fail; + if (conf_get_str("General", "Default-phase-2-suites")) { + if (conf_set(af, configname, "Suites", + conf_get_str("General", "Default-phase-2-suites"), + 0, 0)) { + conf_end(af, 0); + goto fail; + } + } else { + if (conf_set(af, configname, "Suites", + "QM-ESP-3DES-SHA-PFS-SUITE", 0, 0)) { + conf_end(af, 0); + goto fail; + } } } @@ -3229,8 +3298,7 @@ pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) conf_end(af, 0); goto fail; } - snprintf(confname, sizeof confname, "ISAKMP-Configuration-%s", - peer); + snprintf(confname, sizeof confname, "phase1-%s", peer); if (conf_set(af, peer, "Configuration", confname, 0, 0)) { conf_end(af, 0); goto fail; |
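Review bot: `snprintf(configname, sizeof configname, "phase2-%s-%s", lname, dname);` can truncate and its return value is not checked: configname was enlarged to 200 bytes in the `@@ -2451` hunk while lname and dname are 100 bytes each, so the worst case is 7 + 99 + 1 + 99 + 1 = 207 characters. A truncated name is still accepted by conf_set and would silently fail to match the `phase2-…` section ipsecctl wrote, which is exactly the mismatch this commit sets out to remove. Either derive the size from the parts, `char configname[sizeof "phase2--" + sizeof lname + sizeof dname];`, or check the result: `if (snprintf(configname, sizeof configname, "phase2-%s-%s", lname, dname) >= (int)sizeof configname) goto fail;`. pf_key_v2_acquire continues outside the hunk on both sides.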