-rw-r--r-- | sbin/ipsec/photurisd/kernel.c | 45 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/photuris.h | 3 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/photurisd.8 | 15 | ||||
-rw-r--r-- | sbin/ipsec/photurisd/photurisd.c | 13 |
4 files changed, 55 insertions, 21 deletions
diff --git a/sbin/ipsec/photurisd/kernel.c b/sbin/ipsec/photurisd/kernel.c
index 8dab2f16130..4f67945eb33 100644
--- a/sbin/ipsec/photurisd/kernel.c
+++ b/sbin/ipsec/photurisd/kernel.c
@@ -39,7 +39,7 @@
 */
 #ifndef lint
-static char rcsid[] = "$Id: kernel.c,v 1.8 1998/05/18 21:25:31 provos Exp $";
+static char rcsid[] = "$Id: kernel.c,v 1.9 1998/05/24 14:17:11 provos Exp $";
 #endif
 #include <time.h>
@@ -76,6 +76,7 @@ static char rcsid[] = "$Id: kernel.c,v 1.8 1998/05/18 21:25:31 provos Exp $";
 #include <netinet/ip_ah.h>
 #define _KERNEL_C_
+#include "photuris.h"
 #include "state.h"
 #include "attributes.h"
 #include "buffer.h"
@@ -90,7 +91,7 @@ static char rcsid[] = "$Id: kernel.c,v 1.8 1998/05/18 21:25:31 provos Exp $";
 #ifdef DEBUG
 time_t now;
-#define kernel_debug(x) {time(&now); printf("%.24s", ctime(&now)); printf x;}
+#define kernel_debug(x) {time(&now); printf("%.24s ", ctime(&now)); printf x;}
 #else
 #define kernel_debug(x)
 #endif
@@ -331,7 +332,9 @@ kernel_ah(attrib_t *ob, struct spiob *SPI, u_int8_t *secrets)
 }
 em->em_sproto = IPPROTO_AH;
-kernel_debug(("kernel_ah: %08x.\n", em->em_spi));
+kernel_debug(("kernel_ah: %08x. %s-Mode\n",
+em->em_spi,
+SPI->flags & SPI_TUNNEL ? "Tunnel" : "Transport"));
 if (!kernel_xf_set(em)) {
 log_error(1, "kernel_xf_set() in kernel_ah()");
@@ -432,7 +435,9 @@ kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI, u_int8_t *secrets)
 SPI->local_address : SPI->address);
 }
-kernel_debug(("kernel_esp: %08x\n", em->em_spi));
+kernel_debug(("kernel_esp: %08x. %s-Mode\n",
+em->em_spi,
+SPI->flags & SPI_TUNNEL ? "Tunnel" : "Transport"));
 if (!kernel_xf_set(em)) {
 log_error(1, "kernel_xf_set() in kernel_esp()");
@@ -608,6 +613,9 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 attributes = SPI->attributes;
 attribsize = SPI->attribsize;
 secrets = SPI->sessionkey;
+
+if (vpn_mode)
+SPI->flags |= SPI_TUNNEL;
 for(n=0, i=0; n<attribsize; n += attributes[n+1] + 2) {
 switch(attributes[n]) {
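Review bot: The mode string in the new kernel_debug() call is chosen with `SPI->flags & SPI_TUNNEL ? "Tunnel" : "Transport"`; `&` does bind tighter than `?:`, so the result is right, but an unparenthesized bitwise test as a conditional inside a macro argument list is easy to misread and trips -Wparentheses on common compilers. Write it as `(SPI->flags & SPI_TUNNEL) ? "Tunnel" : "Transport"`. The identical expression appears in the kernel_esp() hunk (@@ -432) and should get the same treatment. kernel_ah() begins before and continues after this hunk.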
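Review bot: `if (vpn_mode) SPI->flags |= SPI_TUNNEL;` turns on tunnel mode for every SA regardless of what the SPI's own flags say, and the hunks at @@ -635 and @@ -651 then clear the bit again as soon as the first protocol is assigned (`if (!proto) { proto = ...; if (vpn_mode) SPI->flags = SPI->flags & ~SPI_TUNNEL; }`), so the bit is only set while the transforms processed before that point are installed; the position of the kernel_ah()/kernel_esp() calls that read the bit relative to this clearing is not visible in the hunk. Nothing states the intent — presumably one transform of a bundle is meant to run in tunnel mode and the rest in transport mode — so a comment above the loop along the lines of `/* VPN mode: the first transform installed is put in tunnel mode, later ones in transport mode (cleared below once proto is known) */` is needed, and the clearing would be clearer written once as `SPI->flags &= ~SPI_TUNNEL;` rather than duplicated in both case arms. kernel_insert_spi() begins before and continues after this hunk.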
@@ -635,8 +643,11 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 phase = 0;
 secrets += offset;
 i++;
-if (!proto)
+if (!proto) {
 proto = IPPROTO_AH;
+if (vpn_mode)
+SPI->flags = SPI->flags & ~SPI_TUNNEL;
+}
 break;
 case AT_ESP_ATTRIB:
 offset = attributes[n+1] + 2;
@@ -651,8 +662,11 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 phase = 0;
 secrets += offset;
 i++;
-if (!proto)
+if (!proto) {
 proto = IPPROTO_ESP;
+if (vpn_mode)
+SPI->flags = SPI->flags & ~SPI_TUNNEL;
+}
 break;
 }
 }
@@ -666,11 +680,12 @@ kernel_insert_spi(struct stateob *st, struct spiob *SPI)
 }
 if (!(SPI->flags & SPI_OWNER))
-if (!(SPI->flags & SPI_NOTIFY)) {
+if (!(SPI->flags & SPI_NOTIFY) || vpn_mode) {
 if (kernel_enable_spi(SPI->isrc, SPI->ismask,
 SPI->idst, SPI->idmask,
 SPI->address, spi, proto,
-ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL) == -1)
+ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL |
+(vpn_mode ? ENABLE_FLAG_MODIFY : 0)) == -1)
 log_error(0, "kernel_enable_spi() in kernel_insert_spi()");
 } else {
 /*
@@ -738,12 +753,14 @@ kernel_unlink_spi(struct spiob *ospi)
 switch (phase) {
 case AT_AH_ATTRIB:
 if (!proto) {
+int flag = (vpn_mode ? ENABLE_FLAG_MODIFY : 0) |
+ENABLE_FLAG_LOCAL;
 proto = IPPROTO_AH;
 if (!(ospi->flags & SPI_OWNER) &&
 kernel_disable_spi(ospi->isrc, ospi->ismask,
 ospi->idst, ospi->idmask,
-ospi->address, ospi->SPI, proto,
-ENABLE_FLAG_LOCAL) == -1)
+ospi->address, ospi->SPI,
+proto, flag) == -1)
 log_error(0, "kernel_disable_spi() in kernel_unlink_spi()");
 }
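Review bot: In the @@ -666 hunk the outer `if (!(SPI->flags & SPI_OWNER))` still has no braces around the `if (...) { ... } else { ... }` it guards; the else binds to the inner if, which appears to be what is wanted, but with the inner condition now `!(SPI->flags & SPI_NOTIFY) || vpn_mode` the nesting is hard to read and a dangling-else hazard for the next edit, so brace the outer body. The new flag expression `ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL | (vpn_mode ? ENABLE_FLAG_MODIFY : 0)` also mixes spacing styles on one line. Since the else branch that vpn_mode now bypasses lies outside the hunk, a one-line comment on why VPN mode always takes the kernel_enable_spi() path (and with ENABLE_FLAG_MODIFY) would help a reader who cannot see that branch. kernel_insert_spi() continues outside the hunk.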
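Review bot: `int flag = (vpn_mode ? ENABLE_FLAG_MODIFY : 0) | ENABLE_FLAG_LOCAL;` in the AT_AH_ATTRIB arm of the @@ -738 hunk is declared identically in the AT_ESP_ATTRIB arm of the @@ -752 hunk, and kernel_insert_spi() (@@ -666) builds the same `vpn_mode ? ENABLE_FLAG_MODIFY : 0` term inline a third time. Compute it once before `switch (phase)`, or in a small `static int` helper shared by kernel_insert_spi() and kernel_unlink_spi(), so the enable and disable call sites cannot drift apart in which flags they pass. kernel_unlink_spi() begins before and continues after this hunk.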
@@ -752,12 +769,14 @@ kernel_unlink_spi(struct spiob *ospi)
 break;
 case AT_ESP_ATTRIB:
 if (!proto) {
+int flag = (vpn_mode ? ENABLE_FLAG_MODIFY : 0) |
+ENABLE_FLAG_LOCAL;
 proto = IPPROTO_ESP;
 if (!(ospi->flags & SPI_OWNER) &&
 kernel_disable_spi(ospi->isrc, ospi->ismask,
 ospi->idst, ospi->idmask,
-ospi->address, ospi->SPI, proto,
-ENABLE_FLAG_LOCAL) == -1)
+ospi->address, ospi->SPI,
+proto, flag) == -1)
 log_error(0, "kernel_disable_spi() in kernel_unlink_spi()");
 }
 if (kernel_delete_spi(p, SPI, IPPROTO_ESP) == -1)
@@ -839,7 +858,7 @@ kernel_request_sa(struct encap_msghdr *em)
 st = state_find(address);
 tm = time(NULL);
-while (st != NULL && st->lifetime <= tm)
+while (st != NULL && (st->lifetime <= tm || st->phase >= SPI_UPDATE))
 st = state_find_next(st, address);
 if (st == NULL) {
diff --git a/sbin/ipsec/photurisd/photuris.h b/sbin/ipsec/photurisd/photuris.h
index 223ad52bba4..41cc7d794fa 100644
--- a/sbin/ipsec/photurisd/photuris.h
+++ b/sbin/ipsec/photurisd/photuris.h
@@ -27,7 +27,7 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* $Id: photuris.h,v 1.2 1997/07/23 12:28:52 provos Exp $ */
+/* $Id: photuris.h,v 1.3 1998/05/24 14:17:12 provos Exp $ */
 /*
 * photuris.h:
 * general header file
@@ -62,6 +62,7 @@ EXTERN int retrans_timeout;
 EXTERN int exchange_timeout;
 EXTERN int exchange_lifetime;
 EXTERN int spi_lifetime;
+EXTERN int vpn_mode;
 EXTERN int daemon_mode;
diff --git a/sbin/ipsec/photurisd/photurisd.8 b/sbin/ipsec/photurisd/photurisd.8
index 1ffb99b8779..bbb8e4bb1e6 100644
--- a/sbin/ipsec/photurisd/photurisd.8
+++ b/sbin/ipsec/photurisd/photurisd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: photurisd.8,v 1.4 1998/05/14 10:46:21 niklas Exp $
+.\" $OpenBSD: photurisd.8,v 1.5 1998/05/24 14:17:09 provos Exp $
 .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
 .\" All rights reserved.
 .\"
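Review bot: The widened loop condition in the @@ -839 hunk, `st->phase >= SPI_UPDATE`, now passes over states that have reached the SPI-update phase exactly as if their lifetime had expired, but nothing says why such a state must not answer a kernel SA request, and the `>=` silently relies on the numeric ordering of the phase constants so that every later phase is excluded too. A comment above the loop such as `/* skip expired states and those at or beyond SPI_UPDATE: they must not be reused for a new SA request */` (adjusted to the actual reason) would record that. kernel_request_sa() begins before and continues after the hunk.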
@@ -37,7 +37,7 @@
 .Nd IPSec key management daemon
 .Sh SYNOPSIS
 .Nm photurisd
-.Op Fl ci
+.Op Fl cvi
 .Op Fl d Ar directory
 .Op Fl p Ar port
 .Sh DESCRIPTION
@@ -58,6 +58,13 @@ The options are as follows:
 The
 .Fl c
 option is used to force a primality check of the bootstrapped moduli.
+.It Fl v
+The
+.Fl v
+options is used to start
+.Xr photurisd 8
+in VPN (Virtual Private Network) mode, see
+.Xr vpn 8 .
 .It Fl i
 The
 .Fl i
@@ -259,7 +266,9 @@ tdst=134.100.106.0/255.255.255.255
 .Ed
 .Pp
 .Sh SEE ALSO
-.Xr startkey 1 .
+.Xr startkey 1 ,
+.Xr ipsec 4 ,
+.Xr vpn 8 .
 .Sh HISTORY
 The photuris keymanagement protocol is described in the internet draft
 .Nm draft-simpson-photuris
diff --git a/sbin/ipsec/photurisd/photurisd.c b/sbin/ipsec/photurisd/photurisd.c
index 5668ede6050..5fb59e9525e 100644
--- a/sbin/ipsec/photurisd/photurisd.c
+++ b/sbin/ipsec/photurisd/photurisd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
+ * Copyright 1997,1998 Niels Provos <provos@physnet.uni-hamburg.de>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 */
 #ifndef lint
-static char rcsid[] = "$Id: photurisd.c,v 1.6 1998/03/04 11:43:47 provos Exp $";
+static char rcsid[] = "$Id: photurisd.c,v 1.7 1998/05/24 14:17:10 provos Exp $";
 #endif
 #define _PHOTURIS_C_
@@ -67,8 +67,9 @@ usage(void)
 {
 FILE *f = stderr;
-fprintf(f, "usage: photurisd [-ci] [-d directory] [-p port]\n");
+fprintf(f, "usage: photurisd [-cvi] [-d directory] [-p port]\n");
 fprintf(f, "\t-c check primes on startup\n");
+fprintf(f, "\t-v start in VPN mode\n");
 fprintf(f, "\t-i ignore startup file %s\n", PHOTURIS_STARTUP);
 fprintf(f, "\t-d specifies the startup dir\n");
 fprintf(f, "\t-p specifies the local port to bind to\n");
@@ -117,12 +118,16 @@ main(int argc, char **argv)
 daemon_mode = 0;
 global_port = 0;
+vpn_mode = 0;
-while ((ch = getopt(argc, argv, "cid:p:")) != -1)
+while ((ch = getopt(argc, argv, "vcid:p:")) != -1)
 switch((char)ch) {
 case 'c':
 primes = 1;
 break;
+case 'v':
+vpn_mode = 1;
+break;
 case 'i':
 ignore = 1;
 break;
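Review bot: `case 'v': vpn_mode = 1;` is the only place the mode is switched on, while everything it changes lives in kernel.c (tunnel-mode SAs and the ENABLE_FLAG_MODIFY bit in kernel_insert_spi() and kernel_unlink_spi()), so a reader of main() has no pointer to those effects; a one-line comment at the case such as `/* VPN mode: affects how SAs are installed, see kernel_insert_spi() */` would give one. The option string `"vcid:p:"` lists -v first while usage() prints `[-cvi]`; using the same order in both (`"cvid:p:"`) keeps them consistent. main() continues past the hunk.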