authorReyk Floeter <reyk@cvs.openbsd.org>2006-01-16 23:57:21 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2006-01-16 23:57:21 +0000
commit8507d5ed84a7c901a192d08a29970726415afa65 (patch)
treefc0b39eded2b01ba40687e6a318b2ca680655ad7 /sbin
parentb7ffe7e87ee21e1dff5302e470d7b9490c931053 (diff)
add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default. ok hshoexer@, manpage ok jmc@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipsecctl/ike.c23
-rw-r--r--sbin/ipsecctl/ipsec.conf.517
-rw-r--r--sbin/ipsecctl/ipsecctl.c7
-rw-r--r--sbin/ipsecctl/ipsecctl.h16
-rw-r--r--sbin/ipsecctl/parse.y48
5 files changed, 71 insertions, 40 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 8ad16893049..18015850ab4 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.13 2005/12/28 19:18:43 naddy Exp $ */
+/* $OpenBSD: ike.c,v 1.14 2006/01/16 23:57:20 reyk Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -31,7 +31,8 @@
#include "ipsecctl.h"
-static void ike_section_peer(struct ipsec_addr_wrap *, FILE *);
+static void ike_section_peer(struct ipsec_addr_wrap *, FILE *,
+ struct ike_auth *);
static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
FILE *);
static void ike_section_ipsec(struct ipsec_addr_wrap *, struct
@@ -40,7 +41,7 @@ static int ike_section_qm(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, u_int8_t, struct ipsec_transforms *,
FILE *);
static int ike_section_mm(struct ipsec_addr_wrap *, struct
- ipsec_transforms *, FILE *);
+ ipsec_transforms *, FILE *, struct ike_auth *);
static void ike_section_qmids(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, FILE *);
static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct
@@ -58,11 +59,14 @@ int ike_ipsec_establish(int, struct ipsec_rule *);
#define ISAKMPD_FIFO "/var/run/isakmpd.fifo"
static void
-ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd)
+ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd, struct ike_auth *auth)
{
fprintf(fd, SET "[Phase 1]:%s=peer-%s force\n", peer->name, peer->name);
fprintf(fd, SET "[peer-%s]:Phase=1 force\n", peer->name);
fprintf(fd, SET "[peer-%s]:Address=%s force\n", peer->name, peer->name);
+ if (auth->type == IKE_AUTH_PSK)
+ fprintf(fd, SET "[peer-%s]:Authentication=%s\n",
+ peer->name, auth->string);
}
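Review bot: The new `Authentication=` directive is the only `SET` line in ike_section_peer written without the trailing `force` keyword that the three lines above it carry; if isakmpd applies `force` to this tag the way it does for the others, a value already present in a running daemon would not be replaced on reload, so `fprintf(fd, SET "[peer-%s]:Authentication=%s force\n", peer->name, auth->string);` looks like the intended form — confirm against isakmpd's fifo handling. The key in `auth->string` is also copied into the configuration stream verbatim, and the grammar accepts any STRING for it, so the parser should reject a key containing a newline or other characters that would terminate the directive before it reaches this point. `auth` is dereferenced without a NULL check, which holds only as long as every rule that reaches ike_gen_config was built by create_ike, which always allocates `ikeauth`.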
static void
@@ -178,7 +182,7 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
static int
ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
- FILE *fd)
+ FILE *fd, struct ike_auth *auth)
{
if (!(mmxfs->authxf || mmxfs->encxf))
return (0);
@@ -228,7 +232,10 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
} else
fprintf(fd, "SHA");
- fprintf(fd, "-RSA_SIG\n");
+ if (auth->type == IKE_AUTH_RSA)
+ fprintf(fd, "-RSA_SIG\n");
+ else
+ fprintf(fd, "\n");
return (0);
}
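Review bot: The `else` branch writes the Phase 1 transform name with no authentication-method suffix at all, so the meaning of the PSK case is carried implicitly by whatever isakmpd treats as the default for a bare `ENC-HASH` name; that deserves a comment on the `else`, e.g. `/* no suffix: isakmpd's default authentication method applies (presumably pre-shared key) */` — confirm the default before settling the wording. Since `ike_auth.type` currently has only the two values IKE_AUTH_RSA and IKE_AUTH_PSK the `else` is effectively the PSK case, but spelling it `else if (auth->type == IKE_AUTH_PSK)` with a `return (-1)` for anything else would keep a future third value from silently producing a PSK configuration. ike_section_mm's body starts outside the hunk.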
@@ -305,8 +312,8 @@ ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
static int
ike_gen_config(struct ipsec_rule *r, FILE *fd)
{
- ike_section_peer(r->peer, fd);
- if (ike_section_mm(r->peer, r->mmxfs, fd) == -1)
+ ike_section_peer(r->peer, fd, r->ikeauth);
+ if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1)
return (-1);
ike_section_ids(r->peer, r->auth, fd);
ike_section_ipsec(r->src, r->dst, r->peer, fd);
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 3e5e8f80644..31bb7879546 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.28 2005/12/06 14:27:57 markus Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.29 2006/01/16 23:57:20 reyk Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -391,14 +391,17 @@ as the identity of the local peer.
Similar to
.Ar srcid ,
this optional parameter defines a FQDN to be used by the remote peer.
-.El
-.Pp
-Note that
-.Xr isakmpd 8
-will use RSA authentication.
+.It Ar psk Aq Ar string
+Use a pre-shared key
+.Ar string
+for authentication.
+If not specified, RSA authentication will be used.
By default, the system startup script
.Xr rc 8
-generates a key-pair when starting, if one does not already exist.
+generates a key-pair for
+.Xr isakmpd 8
+when starting, if one does not already exist.
+.El
.Pp
See also
.Sx ISAKMP EXAMPLES
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index c8af85a0811..6138070b313 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.39 2005/12/06 16:55:28 markus Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.40 2006/01/16 23:57:20 reyk Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -178,6 +178,11 @@ ipsecctl_commit(int action, struct ipsecctl *ipsec)
free(rp->auth->dstid);
free(rp->auth);
}
+ if (rp->ikeauth) {
+ if (rp->ikeauth->string)
+ free(rp->ikeauth->string);
+ free(rp->ikeauth);
+ }
if (rp->xfs)
free(rp->xfs);
if (rp->authkey) {
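Review bot: The pre-shared key in `rp->ikeauth->string` is released with a plain `free()`, which leaves the secret's bytes in the freed heap chunk; overwrite it first, e.g. `bzero(rp->ikeauth->string, strlen(rp->ikeauth->string));` before the free, and prefer a compiler-resistant clearing routine where one is available, since a plain memset/bzero immediately before free may be elided by the optimizer. The inner `if (rp->ikeauth->string)` guard is redundant because `free(NULL)` is a no-op, though it does match the surrounding style of this function. ipsecctl_commit's body continues outside the hunk.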
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index c001bc472e1..7367f9e40f5 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.25 2005/12/06 14:27:57 markus Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.26 2006/01/16 23:57:20 reyk Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -47,9 +47,6 @@ enum {
MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL
};
enum {
- AUTH_UNKNOWN, AUTH_PSK, AUTH_RSA
-};
-enum {
ID_UNKNOWN, ID_PREFIX, ID_FQDN, ID_UFQDN
};
enum {
@@ -69,7 +66,10 @@ enum {
COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
};
enum {
- IKE_ACTIVE, IKE_PASSIVE
+ IKE_ACTIVE, IKE_PASSIVE,
+};
+enum {
+ IKE_AUTH_RSA, IKE_AUTH_PSK
};
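Review bot: The trailing comma added after `IKE_PASSIVE` is an unrelated change that leaves this enum formatted differently from every other enum in the header; `IKE_ACTIVE, IKE_PASSIVE` without the comma keeps them consistent. The new enum would also benefit from a comment recording that RSA is the grammar's default and is deliberately the zero value, e.g. `IKE_AUTH_RSA, IKE_AUTH_PSK /* RSA is 0 and the default; see the ikeauth rule in parse.y */`.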
struct ipsec_addr {
@@ -107,6 +107,11 @@ struct ipsec_key {
u_int8_t *data;
};
+struct ike_auth {
+ u_int8_t type;
+ char *string;
+};
+
struct ipsec_xf {
char *name;
u_int16_t id;
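Review bot: `struct ike_auth` is added without any comment on what `string` holds or who frees it, while the rest of the diff (the strdup in parse.y's `ikeauth` rule, the free in ipsecctl_commit) makes it an owned heap pointer that must be NULL whenever `type` is IKE_AUTH_RSA; `char *string; /* pre-shared key, heap-allocated, NULL unless type == IKE_AUTH_PSK; freed in ipsecctl_commit */` would record that contract. `u_int8_t type;` could likewise carry `/* IKE_AUTH_RSA or IKE_AUTH_PSK */`.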
@@ -131,6 +136,7 @@ struct ipsec_rule {
struct ipsec_addr_wrap *dst;
struct ipsec_addr_wrap *peer;
struct ipsec_auth *auth;
+ struct ike_auth *ikeauth;
struct ipsec_transforms *xfs;
struct ipsec_transforms *mmxfs;
struct ipsec_transforms *qmxfs;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index c11f21570fc..f8df84dc224 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.47 2005/12/12 09:41:51 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.48 2006/01/16 23:57:20 reyk Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -133,13 +133,13 @@ struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule *create_flow(u_int8_t, struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, struct ipsec_addr_wrap *,
- u_int8_t, char *, char *, u_int16_t);
+ u_int8_t, char *, char *);
struct ipsec_rule *reverse_rule(struct ipsec_rule *);
struct ipsec_rule *create_ike(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, struct ipsec_addr_wrap *,
struct ipsec_transforms *, struct
ipsec_transforms *, u_int8_t, u_int8_t, char *,
- char *);
+ char *, struct ike_auth *);
struct ipsec_transforms *ipsec_transforms;
@@ -162,7 +162,7 @@ typedef struct {
char *dstid;
} ids;
char *id;
- u_int16_t authtype;
+ struct ike_auth ikeauth;
struct {
u_int32_t spiout;
u_int32_t spiin;
@@ -201,7 +201,6 @@ typedef struct {
%type <v.host> host
%type <v.ids> ids
%type <v.id> id
-%type <v.authtype> authtype
%type <v.spis> spispec
%type <v.authkeys> authkeyspec
%type <v.enckeys> enckeyspec
@@ -210,6 +209,7 @@ typedef struct {
%type <v.mmxfs> mmxfs
%type <v.qmxfs> qmxfs
%type <v.ikemode> ikemode
+%type <v.ikeauth> ikeauth
%%
grammar : /* empty */
@@ -291,11 +291,11 @@ sarule : protocol tmode hosts spispec transforms authkeyspec
}
;
-flowrule : FLOW protocol dir hosts peer ids authtype {
+flowrule : FLOW protocol dir hosts peer ids {
struct ipsec_rule *r;
r = create_flow($3, $4.src, $4.dst, $5, $2, $6.srcid,
- $6.dstid, $7);
+ $6.dstid);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -314,11 +314,11 @@ flowrule : FLOW protocol dir hosts peer ids authtype {
}
;
-ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids {
+ikerule : IKE ikemode protocol hosts peer mmxfs qmxfs ids ikeauth {
struct ipsec_rule *r;
r = create_ike($4.src, $4.dst, $5, $6, $7, $3, $2,
- $8.srcid, $8.dstid);
+ $8.srcid, $8.dstid, &$9);
if (r == NULL)
YYERROR;
r->nr = ipsec->rule_nr++;
@@ -423,11 +423,6 @@ ids : /* empty */ {
id : STRING { $$ = $1; }
;
-authtype : /* empty */ { $$ = 0; }
- | RSA { $$ = AUTH_RSA; }
- | PSK { $$ = AUTH_PSK; }
- ;
-
spispec : SPI STRING {
u_int32_t spi;
char *p = strchr($2, ':');
@@ -574,10 +569,21 @@ keyspec : STRING {
free($2);
}
;
+
ikemode : /* empty */ { $$ = IKE_ACTIVE; }
| PASSIVE { $$ = IKE_PASSIVE; }
| ACTIVE { $$ = IKE_ACTIVE; }
;
+
+ikeauth : /* empty */ { $$.type = IKE_AUTH_RSA; }
+ | RSA { $$.type = IKE_AUTH_RSA; }
+ | PSK STRING {
+ $$.type = IKE_AUTH_PSK;
+ if (($$.string = strdup($2)) == NULL)
+ err(1, "ikeauth: strdup");
+ }
+ ;
+
%%
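Review bot: The `/* empty */` and `RSA` alternatives of `ikeauth` set only `$$.type` and leave `$$.string` holding whatever was last written to that slot of the yacc value stack; create_ike then copies it into `r->ikeauth->string`, and both create_ike's errout path (`if (authtype->string) free(authtype->string);`) and ipsecctl_commit free it when non-NULL, so an RSA rule can end up freeing a stale or foreign pointer. Both alternatives should read `{ $$.type = IKE_AUTH_RSA; $$.string = NULL; }`. In the `PSK STRING` alternative `$2` is duplicated with strdup but never released, unlike the `free($2)` in the keyspec rule just above; either add `free($2);` after the strdup or take ownership directly with `$$.string = $2;` as the `id` rule does.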
struct keywords {
@@ -1447,7 +1453,7 @@ reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
struct ipsec_rule *
create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
*dst, struct ipsec_addr_wrap *peer, u_int8_t proto, char *srcid, char
- *dstid, u_int16_t authtype)
+ *dstid)
{
struct ipsec_rule *r;
@@ -1495,9 +1501,6 @@ create_flow(u_int8_t dir, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
r->auth->srcid = srcid;
r->auth->dstid = dstid;
r->auth->idtype = ID_FQDN; /* XXX For now only FQDN. */
-#ifdef notyet
- r->auth->type = authtype;
-#endif
return r;
@@ -1556,7 +1559,7 @@ struct ipsec_rule *
create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct
ipsec_addr_wrap * peer, struct ipsec_transforms *mmxfs, struct
ipsec_transforms *qmxfs, u_int8_t proto, u_int8_t mode, char *srcid, char
- *dstid)
+ *dstid, struct ike_auth *authtype)
{
struct ipsec_rule *r;
@@ -1597,6 +1600,11 @@ create_ike(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, struct
r->auth->srcid = srcid;
r->auth->dstid = dstid;
r->auth->idtype = ID_FQDN; /* XXX For now only FQDN. */
+ r->ikeauth = calloc(1, sizeof(struct ike_auth));
+ if (r->ikeauth == NULL)
+ err(1, "create_ike: calloc");
+ r->ikeauth->type = authtype->type;
+ r->ikeauth->string = authtype->string;
return (r);
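Review bot: After `r->ikeauth->string = authtype->string;` the rule owns the key string, but nothing says so, and the errout label further down still frees `authtype->string`; that is safe only while no failure can occur between this assignment and the `return (r)`. A comment such as `/* r now owns authtype->string; the errout path below must not free it */` would protect that invariant. `sizeof(struct ike_auth)` could be `sizeof *r->ikeauth` to tie the allocation size to the pointer's type. create_ike's body starts outside the hunk.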
@@ -1608,6 +1616,8 @@ errout:
free(dstid);
free(src);
free(dst);
+ if (authtype->string)
+ free(authtype->string);
return (NULL);
}