-rw-r--r--sbin/ipsec/photurisd/kernel.c45
-rw-r--r--sbin/ipsec/photurisd/photuris.h3
-rw-r--r--sbin/ipsec/photurisd/photurisd.815
-rw-r--r--sbin/ipsec/photurisd/photurisd.c13
4 files changed, 55 insertions, 21 deletions
diff --git a/sbin/ipsec/photurisd/kernel.c b/sbin/ipsec/photurisd/kernel.c
index 8dab2f16130..4f67945eb33 100644
--- a/sbin/ipsec/photurisd/kernel.c
+++ b/sbin/ipsec/photurisd/kernel.c
@@ -39,7 +39,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: kernel.c,v 1.8 1998/05/18 21:25:31 provos Exp $";
+static char rcsid[] = "$Id: kernel.c,v 1.9 1998/05/24 14:17:11 provos Exp $";
#endif
#include <time.h>
@@ -76,6 +76,7 @@ static char rcsid[] = "$Id: kernel.c,v 1.8 1998/05/18 21:25:31 provos Exp $";
#include <netinet/ip_ah.h>
#define _KERNEL_C_
+#include "photuris.h"
#include "state.h"
#include "attributes.h"
#include "buffer.h"
@@ -90,7 +91,7 @@ static char rcsid[] = "$Id: kernel.c,v 1.8 1998/05/18 21:25:31 provos Exp $";
#ifdef DEBUG
time_t now;
-#define kernel_debug(x) {time(&now); printf("%.24s", ctime(&now)); printf x;}
+#define kernel_debug(x) {time(&now); printf("%.24s ", ctime(&now)); printf x;}
#else
#define kernel_debug(x)
#endif
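Review bot: The kernel_debug macro on the new line still expands to a bare brace block, so a call written as `if (cond) kernel_debug((...)); else ...` will not compile, because the `;` after the block ends the `if` before the `else`. The conventional form is `#define kernel_debug(x) do { time(&now); printf("%.24s ", ctime(&now)); printf x; } while (0)`. Every call site in this diff is an unconditional statement, so nothing breaks today, but the macro is a trap for the next caller. The non-DEBUG variant should get the same shape so both expand to a single statement.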
@@ -331,7 +332,9 @@ kernel_ah(attrib_t *ob, struct spiob *SPI, u_int8_t *secrets)
}
em->em_sproto = IPPROTO_AH;
- kernel_debug(("kernel_ah: %08x.\n", em->em_spi));
+ kernel_debug(("kernel_ah: %08x. %s-Mode\n",
+ em->em_spi,
+ SPI->flags & SPI_TUNNEL ? "Tunnel" : "Transport"));
if (!kernel_xf_set(em)) {
log_error(1, "kernel_xf_set() in kernel_ah()");
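Review bot: The new conditional in the kernel_debug argument, `SPI->flags & SPI_TUNNEL ? "Tunnel" : "Transport"`, depends on `&` binding tighter than `?:`; it is correct, but writing `(SPI->flags & SPI_TUNNEL) ? "Tunnel" : "Transport"` makes that explicit and matches how the flag word is tested elsewhere in this file (`!(SPI->flags & SPI_OWNER)`). The identical expression appears in the kernel_esp hunk below and should be changed the same way. kernel_ah's body begins before this hunk.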
@@ -432,7 +435,9 @@ kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI, u_int8_t *secrets)
SPI->local_address : SPI->address);
}
- kernel_debug(("kernel_esp: %08x\n", em->em_spi));
+ kernel_debug(("kernel_esp: %08x. %s-Mode\n",
+ em->em_spi,
+ SPI->flags & SPI_TUNNEL ? "Tunnel" : "Transport"));
if (!kernel_xf_set(em)) {
log_error(1, "kernel_xf_set() in kernel_esp()");
@@ -608,6 +613,9 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
attributes = SPI->attributes;
attribsize = SPI->attribsize;
secrets = SPI->sessionkey;
+
+ if (vpn_mode)
+ SPI->flags |= SPI_TUNNEL;
for(n=0, i=0; n<attribsize; n += attributes[n+1] + 2) {
switch(attributes[n]) {
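Review bot: `SPI->flags |= SPI_TUNNEL` is written into the spiob itself before the attribute loop and, judging by the later hunks, is cleared inside the loop only at the point where the first AH or ESP attribute assigns `proto`, so the bit's meaning depends on loop order and, if the SPI carries no AH/ESP attribute at all, it remains set on the object after the function returns. Whether a leftover SPI_TUNNEL bit matters to later readers of `SPI->flags` cannot be seen from this hunk and should be confirmed. A comment stating the intent would help, e.g. `/* vpn_mode: presumably the first transform installed is tunnel-mode; the bit is cleared once proto is known so later ones are transport — confirm */`. kernel_insert_spi begins outside this hunk.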
@@ -635,8 +643,11 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
phase = 0;
secrets += offset;
i++;
- if (!proto)
+ if (!proto) {
proto = IPPROTO_AH;
+ if (vpn_mode)
+ SPI->flags = SPI->flags & ~SPI_TUNNEL;
+ }
break;
case AT_ESP_ATTRIB:
offset = attributes[n+1] + 2;
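Review bot: `SPI->flags = SPI->flags & ~SPI_TUNNEL;` spells the clear differently from the set a few lines earlier (`SPI->flags |= SPI_TUNNEL`); `SPI->flags &= ~SPI_TUNNEL;` is the matching idiom. The same three-line `if (vpn_mode)` block is repeated verbatim in the AT_ESP_ATTRIB case in the next hunk, and both run under `if (!proto)`, so the clear could be done once rather than per case; the loop body continues outside the hunk, so that restructure needs the full function in view.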
@@ -651,8 +662,11 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
phase = 0;
secrets += offset;
i++;
- if (!proto)
+ if (!proto) {
proto = IPPROTO_ESP;
+ if (vpn_mode)
+ SPI->flags = SPI->flags & ~SPI_TUNNEL;
+ }
break;
}
}
@@ -666,11 +680,12 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
}
if (!(SPI->flags & SPI_OWNER))
- if (!(SPI->flags & SPI_NOTIFY)) {
+ if (!(SPI->flags & SPI_NOTIFY) || vpn_mode) {
if (kernel_enable_spi(SPI->isrc, SPI->ismask,
SPI->idst, SPI->idmask,
SPI->address, spi, proto,
- ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL) == -1)
+ ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL |
+ (vpn_mode ? ENABLE_FLAG_MODIFY : 0)) == -1)
log_error(0, "kernel_enable_spi() in kernel_insert_spi()");
} else {
/*
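Review bot: The new condition `if (!(SPI->flags & SPI_NOTIFY) || vpn_mode)` is the unbraced body of `if (!(SPI->flags & SPI_OWNER))`, and the `else` after its block binds to this inner `if` by the dangling-else rule. That pairing is presumably what is intended, but now that the inner condition is growing it is worth bracing the outer `if` so the binding is explicit: `if (!(SPI->flags & SPI_OWNER)) {` with the matching brace after the else block, which continues outside the hunk. The flag expression `ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL | (vpn_mode ? ENABLE_FLAG_MODIFY : 0)` is correctly parenthesized; consistent spacing around each `|` would read better.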
@@ -738,12 +753,14 @@ kernel_unlink_spi(struct spiob *ospi)
switch (phase) {
case AT_AH_ATTRIB:
if (!proto) {
+ int flag = (vpn_mode ? ENABLE_FLAG_MODIFY : 0) |
+ ENABLE_FLAG_LOCAL;
proto = IPPROTO_AH;
if (!(ospi->flags & SPI_OWNER) &&
kernel_disable_spi(ospi->isrc, ospi->ismask,
ospi->idst, ospi->idmask,
- ospi->address, ospi->SPI, proto,
- ENABLE_FLAG_LOCAL) == -1)
+ ospi->address, ospi->SPI,
+ proto, flag) == -1)
log_error(0, "kernel_disable_spi() in kernel_unlink_spi()");
}
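Review bot: The local `int flag = (vpn_mode ? ENABLE_FLAG_MODIFY : 0) | ENABLE_FLAG_LOCAL;` is computed inside the `if (!proto)` of the AT_AH_ATTRIB case and again, identically, in the AT_ESP_ATTRIB case in the next hunk; it depends on nothing inside the switch, so computing it once before `switch (phase)` removes the duplication. kernel_insert_spi builds the same `vpn_mode ? ENABLE_FLAG_MODIFY : 0` term, so a small `static` helper returning the vpn-dependent enable flags would keep the two paths from drifting. The kernel_unlink_spi body begins and ends outside this hunk.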
@@ -752,12 +769,14 @@ kernel_unlink_spi(struct spiob *ospi)
break;
case AT_ESP_ATTRIB:
if (!proto) {
+ int flag = (vpn_mode ? ENABLE_FLAG_MODIFY : 0) |
+ ENABLE_FLAG_LOCAL;
proto = IPPROTO_ESP;
if (!(ospi->flags & SPI_OWNER) &&
kernel_disable_spi(ospi->isrc, ospi->ismask,
ospi->idst, ospi->idmask,
- ospi->address, ospi->SPI, proto,
- ENABLE_FLAG_LOCAL) == -1)
+ ospi->address, ospi->SPI,
+ proto, flag) == -1)
log_error(0, "kernel_disable_spi() in kernel_unlink_spi()");
}
if (kernel_delete_spi(p, SPI, IPPROTO_ESP) == -1)
@@ -839,7 +858,7 @@ kernel_request_sa(struct encap_msghdr *em)
st = state_find(address);
tm = time(NULL);
- while (st != NULL && st->lifetime <= tm)
+ while (st != NULL && (st->lifetime <= tm || st->phase >= SPI_UPDATE))
st = state_find_next(st, address);
if (st == NULL) {
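Review bot: The added `st->phase >= SPI_UPDATE` term changes which state a kernel SA request is matched to, but nothing says why states at or past SPI_UPDATE are skipped, and the `>=` relies on the phase values being ordered. A comment on the loop would carry that, e.g. `/* skip expired states and exchanges already at or past SPI_UPDATE */`. kernel_request_sa's body continues outside the hunk.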
diff --git a/sbin/ipsec/photurisd/photuris.h b/sbin/ipsec/photurisd/photuris.h
index 223ad52bba4..41cc7d794fa 100644
--- a/sbin/ipsec/photurisd/photuris.h
+++ b/sbin/ipsec/photurisd/photuris.h
@@ -27,7 +27,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* $Id: photuris.h,v 1.2 1997/07/23 12:28:52 provos Exp $ */
+/* $Id: photuris.h,v 1.3 1998/05/24 14:17:12 provos Exp $ */
/*
* photuris.h:
* general header file
@@ -62,6 +62,7 @@ EXTERN int retrans_timeout;
EXTERN int exchange_timeout;
EXTERN int exchange_lifetime;
EXTERN int spi_lifetime;
+EXTERN int vpn_mode;
EXTERN int daemon_mode;
diff --git a/sbin/ipsec/photurisd/photurisd.8 b/sbin/ipsec/photurisd/photurisd.8
index 1ffb99b8779..bbb8e4bb1e6 100644
--- a/sbin/ipsec/photurisd/photurisd.8
+++ b/sbin/ipsec/photurisd/photurisd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: photurisd.8,v 1.4 1998/05/14 10:46:21 niklas Exp $
+.\" $OpenBSD: photurisd.8,v 1.5 1998/05/24 14:17:09 provos Exp $
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -37,7 +37,7 @@
.Nd IPSec key management daemon
.Sh SYNOPSIS
.Nm photurisd
-.Op Fl ci
+.Op Fl cvi
.Op Fl d Ar directory
.Op Fl p Ar port
.Sh DESCRIPTION
@@ -58,6 +58,13 @@ The options are as follows:
The
.Fl c
option is used to force a primality check of the bootstrapped moduli.
+.It Fl v
+The
+.Fl v
+options is used to start
+.Xr photurisd 8
+in VPN (Virtual Private Network) mode, see
+.Xr vpn 8 .
.It Fl i
The
.Fl i
@@ -259,7 +266,9 @@ tdst=134.100.106.0/255.255.255.255
.Ed
.Pp
.Sh SEE ALSO
-.Xr startkey 1 .
+.Xr startkey 1 ,
+.Xr ipsec 4 ,
+.Xr vpn 8 .
.Sh HISTORY
The photuris keymanagement protocol is described in the internet draft
.Nm draft-simpson-photuris
diff --git a/sbin/ipsec/photurisd/photurisd.c b/sbin/ipsec/photurisd/photurisd.c
index 5668ede6050..5fb59e9525e 100644
--- a/sbin/ipsec/photurisd/photurisd.c
+++ b/sbin/ipsec/photurisd/photurisd.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
+ * Copyright 1997,1998 Niels Provos <provos@physnet.uni-hamburg.de>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: photurisd.c,v 1.6 1998/03/04 11:43:47 provos Exp $";
+static char rcsid[] = "$Id: photurisd.c,v 1.7 1998/05/24 14:17:10 provos Exp $";
#endif
#define _PHOTURIS_C_
@@ -67,8 +67,9 @@ usage(void)
{
FILE *f = stderr;
- fprintf(f, "usage: photurisd [-ci] [-d directory] [-p port]\n");
+ fprintf(f, "usage: photurisd [-cvi] [-d directory] [-p port]\n");
fprintf(f, "\t-c check primes on startup\n");
+ fprintf(f, "\t-v start in VPN mode\n");
fprintf(f, "\t-i ignore startup file %s\n", PHOTURIS_STARTUP);
fprintf(f, "\t-d specifies the startup dir\n");
fprintf(f, "\t-p specifies the local port to bind to\n");
@@ -117,12 +118,16 @@ main(int argc, char **argv)
daemon_mode = 0;
global_port = 0;
+ vpn_mode = 0;
- while ((ch = getopt(argc, argv, "cid:p:")) != -1)
+ while ((ch = getopt(argc, argv, "vcid:p:")) != -1)
switch((char)ch) {
case 'c':
primes = 1;
break;
+ case 'v':
+ vpn_mode = 1;
+ break;
case 'i':
ignore = 1;
break;