summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--sbin/isakmpd/connection.c12
-rw-r--r--sbin/isakmpd/isakmpd.819
-rw-r--r--sbin/isakmpd/sa.c188
-rw-r--r--sbin/isakmpd/sa.h7
-rw-r--r--sbin/isakmpd/ui.c127
-rw-r--r--sbin/isakmpd/ui.h3
6 files changed, 236 insertions, 120 deletions
diff --git a/sbin/isakmpd/connection.c b/sbin/isakmpd/connection.c
index d855ed66509..45c0c35429a 100644
--- a/sbin/isakmpd/connection.c
+++ b/sbin/isakmpd/connection.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: connection.c,v 1.26 2004/04/15 18:39:25 deraadt Exp $ */
+/* $OpenBSD: connection.c,v 1.27 2004/05/13 06:56:33 ho Exp $ */
/* $EOM: connection.c,v 1.28 2000/11/23 12:21:18 niklas Exp $ */
/*
@@ -263,8 +263,8 @@ connection_setup(char *name)
/* Check for trials to add duplicate connections. */
if (connection_lookup(name)) {
- LOG_DBG((LOG_MISC, 10, "connection_setup: cannot add \"%s\" twice",
- name));
+ LOG_DBG((LOG_MISC, 10,
+ "connection_setup: cannot add \"%s\" twice", name));
return 0;
}
conn = calloc(1, sizeof *conn);
@@ -326,7 +326,8 @@ connection_record_passive(char *name)
}
conn->name = strdup(name);
if (!conn->name) {
- log_error("connection_record_passive: strdup (\"%s\") failed", name);
+ log_error("connection_record_passive: strdup (\"%s\") failed",
+ name);
goto fail;
}
/* XXX IPsec DOI-specific. */
@@ -401,7 +402,8 @@ connection_report(void)
#endif
gettimeofday(&now, 0);
- for (conn = TAILQ_FIRST(&connections); conn; conn = TAILQ_NEXT(conn, link))
+ for (conn = TAILQ_FIRST(&connections); conn;
+ conn = TAILQ_NEXT(conn, link))
LOG_DBG((LOG_REPORT, 0,
"connection_report: connection %s next check %ld seconds",
(conn->name ? conn->name : "<unnamed>"),
diff --git a/sbin/isakmpd/isakmpd.8 b/sbin/isakmpd/isakmpd.8
index 1eca77ebb59..04ab081de3a 100644
--- a/sbin/isakmpd/isakmpd.8
+++ b/sbin/isakmpd/isakmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: isakmpd.8,v 1.62 2004/04/15 00:27:40 deraadt Exp $
+.\" $OpenBSD: isakmpd.8,v 1.63 2004/05/13 06:56:34 ho Exp $
.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $
.\"
.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.
@@ -410,6 +410,7 @@ Start the named connection, if stopped or inactive.
.Pp
.It Ic "C set [section]:tag=value"
.It Ic "C set [section]:tag=value force"
+.It Ic "C add [section]:tag=value"
.It Ic "C rm [section]:tag"
.It Ic "C rms [section]"
Update the running
@@ -422,11 +423,21 @@ will fail if the configuration already contains a section with the named tag;
use the
.Sq force
option to change this behaviour.
+.Sq add
+appends a configuration value to the named configuration list tag.
.Sq rm
removes a tag in a section.
.Sq rms
removes an entire section.
.Pp
+NOTE: Sending isakmpd a SIGHUP or an "R" through the FIFO will
+void any updates done to the configuration.
+.Pp
+.It Ic "C get [section]:tag"
+Get the configuration value of the specified section and tag. The
+result is stored in
+.Pa /var/run/isakmpd.result .
+.Pp
.It Ic "d <cookies> <msgid>"
Delete the specified SA from the system.
Specify <msgid> as "-" to match a Phase 1 SA.
@@ -471,7 +482,7 @@ signal.
.Pp
.It Ic "S"
Report information on all known SAs to the
-.Pa /var/run/isakmpd_sa
+.Pa /var/run/isakmpd.result
file.
.Pp
.It Ic "t <name>"
@@ -519,9 +530,11 @@ The default IKE packet capture file.
The report file written when
.Dv SIGUSR1
is received.
-.It Pa /var/run/isakmpd_sa
+.It Pa /var/run/isakmpd.result
The report file written when the
.Sq S
+or
+.Sq "C get"
command is issued in the command FIFO.
.It Pa /usr/share/ipsec/isakmpd/
A directory containing some sample
diff --git a/sbin/isakmpd/sa.c b/sbin/isakmpd/sa.c
index fa00096d5ed..5698323f236 100644
--- a/sbin/isakmpd/sa.c
+++ b/sbin/isakmpd/sa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.c,v 1.80 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: sa.c,v 1.81 2004/05/13 06:56:34 ho Exp $ */
/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */
/*
@@ -86,16 +86,15 @@ static int bucket_mask;
void
sa_init(void)
{
- int i;
+ int i;
bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1;
sa_tab = malloc((bucket_mask + 1) * sizeof(struct sa_list));
if (!sa_tab)
log_fatal("sa_init: malloc (%lu) failed",
(bucket_mask + 1) * (unsigned long) sizeof(struct sa_list));
- for (i = 0; i <= bucket_mask; i++) {
+ for (i = 0; i <= bucket_mask; i++)
LIST_INIT(&sa_tab[i]);
- }
}
#if 0
@@ -111,9 +110,8 @@ sa_resize(void)
if (!new_tab)
return;
sa_tab = new_tab;
- for (i = bucket_mask + 1; i <= new_mask; i++) {
+ for (i = bucket_mask + 1; i <= new_mask; i++)
LIST_INIT(&sa_tab[i]);
- }
bucket_mask = new_mask;
/* XXX Rehash existing entries. */
@@ -130,7 +128,8 @@ sa_find(int (*check) (struct sa*, void *), void *arg)
for (i = 0; i <= bucket_mask; i++)
for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = LIST_NEXT(sa, link))
if (check(sa, arg)) {
- LOG_DBG((LOG_SA, 90, "sa_find: return SA %p", sa));
+ LOG_DBG((LOG_SA, 90, "sa_find: return SA %p",
+ sa));
return sa;
}
LOG_DBG((LOG_SA, 90, "sa_find: no SA matched query"));
@@ -141,8 +140,8 @@ sa_find(int (*check) (struct sa*, void *), void *arg)
static int
sa_check_icookie(struct sa *sa, void *icookie)
{
- return sa->phase == 1
- && memcmp(sa->cookies, icookie, ISAKMP_HDR_ICOOKIE_LEN) == 0;
+ return sa->phase == 1 &&
+ memcmp(sa->cookies, icookie, ISAKMP_HDR_ICOOKIE_LEN) == 0;
}
/* Lookup an ISAKMP SA out of just the initiator cookie. */
@@ -215,10 +214,10 @@ struct dst_isakmpspi_arg {
* be a finished phaes 1 (ISAKMP) SA.
*/
static int
-isakmp_sa_check(struct sa * sa, void *v_arg)
+isakmp_sa_check(struct sa *sa, void *v_arg)
{
struct dst_isakmpspi_arg *arg = v_arg;
- struct sockaddr *dst, *src;
+ struct sockaddr *dst, *src;
if (sa->phase != 1 || !(sa->flags & SA_FLAG_READY))
return 0;
@@ -241,7 +240,7 @@ isakmp_sa_check(struct sa * sa, void *v_arg)
* Find an ISAKMP SA with a "name" of DST & SPI.
*/
struct sa *
-sa_lookup_isakmp_sa(struct sockaddr * dst, u_int8_t * spi)
+sa_lookup_isakmp_sa(struct sockaddr *dst, u_int8_t *spi)
{
struct dst_isakmpspi_arg arg;
@@ -253,7 +252,7 @@ sa_lookup_isakmp_sa(struct sockaddr * dst, u_int8_t * spi)
/* Lookup a ready SA by the peer's address. */
struct sa *
-sa_lookup_by_peer(struct sockaddr * dst, socklen_t dstlen)
+sa_lookup_by_peer(struct sockaddr *dst, socklen_t dstlen)
{
struct addr_arg arg;
@@ -266,7 +265,7 @@ sa_lookup_by_peer(struct sockaddr * dst, socklen_t dstlen)
/* Lookup a ready ISAKMP SA given its peer address. */
struct sa *
-sa_isakmp_lookup_by_peer(struct sockaddr * dst, socklen_t dstlen)
+sa_isakmp_lookup_by_peer(struct sockaddr *dst, socklen_t dstlen)
{
struct addr_arg arg;
@@ -308,7 +307,7 @@ sa_enter(struct sa *sa)
* looking for phase 1 SAa and true otherwise.
*/
struct sa *
-sa_lookup_by_header(u_int8_t * msg, int phase2)
+sa_lookup_by_header(u_int8_t *msg, int phase2)
{
return sa_lookup(msg + ISAKMP_HDR_COOKIES_OFF,
phase2 ? msg + ISAKMP_HDR_MESSAGE_ID_OFF : 0);
@@ -345,12 +344,13 @@ sa_lookup(u_int8_t *cookies, u_int8_t *message_id)
bucket ^= cp[0] | cp[1] << 8;
}
bucket &= bucket_mask;
- for (sa = LIST_FIRST(&sa_tab[bucket]);
- sa && (memcmp(cookies, sa->cookies, ISAKMP_HDR_COOKIES_LEN) != 0 ||
- (message_id && memcmp(message_id, sa->message_id,
- ISAKMP_HDR_MESSAGE_ID_LEN) != 0) ||
- (!message_id && !zero_test(sa->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)));
- sa = LIST_NEXT(sa, link))
+ for (sa = LIST_FIRST(&sa_tab[bucket]); sa &&
+ (memcmp(cookies, sa->cookies, ISAKMP_HDR_COOKIES_LEN) != 0 ||
+ (message_id && memcmp(message_id, sa->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN) != 0) ||
+ (!message_id && !zero_test(sa->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN)));
+ sa = LIST_NEXT(sa, link))
;
return sa;
@@ -358,7 +358,7 @@ sa_lookup(u_int8_t *cookies, u_int8_t *message_id)
/* Create an SA. */
int
-sa_create(struct exchange * exchange, struct transport * t)
+sa_create(struct exchange *exchange, struct transport *t)
{
struct sa *sa;
@@ -377,7 +377,8 @@ sa_create(struct exchange * exchange, struct transport * t)
transport_reference(t);
sa->phase = exchange->phase;
memcpy(sa->cookies, exchange->cookies, ISAKMP_HDR_COOKIES_LEN);
- memcpy(sa->message_id, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
+ memcpy(sa->message_id, exchange->message_id,
+ ISAKMP_HDR_MESSAGE_ID_LEN);
sa->doi = exchange->doi;
sa->policy_id = -1;
@@ -412,14 +413,14 @@ sa_create(struct exchange * exchange, struct transport * t)
* prepended to each line.
*/
void
-sa_dump(int cls, int level, char *header, struct sa * sa)
+sa_dump(int cls, int level, char *header, struct sa *sa)
{
struct proto *proto;
char spi_header[80];
int i;
- LOG_DBG((cls, level, "%s: %p %s phase %d doi %d flags 0x%x", header, sa,
- sa->name ? sa->name : "<unnamed>", sa->phase, sa->doi->id,
+ LOG_DBG((cls, level, "%s: %p %s phase %d doi %d flags 0x%x", header,
+ sa, sa->name ? sa->name : "<unnamed>", sa->phase, sa->doi->id,
sa->flags));
LOG_DBG((cls, level, "%s: icookie %08x%08x rcookie %08x%08x", header,
decode_32(sa->cookies), decode_32(sa->cookies + 4),
@@ -430,11 +431,11 @@ sa_dump(int cls, int level, char *header, struct sa * sa)
sa->kilobytes));
for (proto = TAILQ_FIRST(&sa->protos); proto;
proto = TAILQ_NEXT(proto, link)) {
- LOG_DBG((cls, level, "%s: suite %d proto %d", header, proto->no,
- proto->proto));
+ LOG_DBG((cls, level, "%s: suite %d proto %d", header,
+ proto->no, proto->proto));
LOG_DBG((cls, level,
- "%s: spi_sz[0] %d spi[0] %p spi_sz[1] %d spi[1] %p", header,
- proto->spi_sz[0], proto->spi[0], proto->spi_sz[1],
+ "%s: spi_sz[0] %d spi[0] %p spi_sz[1] %d spi[1] %p",
+ header, proto->spi_sz[0], proto->spi[0], proto->spi_sz[1],
proto->spi[1]));
LOG_DBG((cls, level, "%s: %s, %s", header,
!sa->doi ? "<nodoi>" :
@@ -447,8 +448,8 @@ sa_dump(int cls, int level, char *header, struct sa * sa)
if (proto->spi[i]) {
snprintf(spi_header, sizeof spi_header,
"%s: spi[%d]", header, i);
- LOG_DBG_BUF((cls, level, spi_header, proto->spi[i],
- proto->spi_sz[i]));
+ LOG_DBG_BUF((cls, level, spi_header,
+ proto->spi[i], proto->spi_sz[i]));
}
}
}
@@ -460,8 +461,8 @@ static void
report_spi(FILE *fd, const u_int8_t *buf, size_t sz, int spi)
{
#define SBUFSZ (2 * 32 + 9)
- char s[SBUFSZ];
- size_t i, j;
+ char s[SBUFSZ];
+ size_t i, j;
for (i = j = 0; i < sz;) {
snprintf(s + j, sizeof s - j, "%02x", buf[i++]);
@@ -482,17 +483,16 @@ report_spi(FILE *fd, const u_int8_t *buf, size_t sz, int spi)
}
}
-
/*
- * Display the transform names to file SA_FILE.
+ * Display the transform names to file.
* Structure is taken from pf_key_v2.c, pf_key_v2_set_spi.
* Transform names are taken from /usr/src/sys/crypto/xform.c.
*/
static void
-report_proto(FILE * fd, struct proto * proto)
+report_proto(FILE *fd, struct proto *proto)
{
- int keylen, hashlen;
struct ipsec_proto *iproto = proto->data;
+ int keylen, hashlen;
switch (proto->proto) {
case IPSEC_PROTO_IPSEC_ESP:
@@ -617,8 +617,8 @@ report_proto(FILE * fd, struct proto * proto)
void
sa_report(void)
{
- int i;
struct sa *sa;
+ int i;
for (i = 0; i <= bucket_mask; i++)
for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = LIST_NEXT(sa, link))
@@ -630,7 +630,7 @@ sa_report(void)
* Print an SA's connection details to file SA_FILE.
*/
static void
-sa_dump_all(FILE * fd, struct sa * sa)
+sa_dump_all(FILE *fd, struct sa *sa)
{
struct proto *proto;
int i;
@@ -650,7 +650,8 @@ sa_dump_all(FILE * fd, struct sa * sa)
/* SPI values. */
for (i = 0; i < 2; i++)
if (proto->spi[i])
- report_spi(fd, proto->spi[i], proto->spi_sz[i], i);
+ report_spi(fd, proto->spi[i], proto->spi_sz[i],
+ i);
else
fprintf(fd, "SPI %d not defined.", i);
@@ -662,36 +663,28 @@ sa_dump_all(FILE * fd, struct sa * sa)
}
}
-/* Report info of all SAs to file SA_FILE. */
+/* Report info of all SAs to file 'fd'. */
void
-sa_report_all(void)
+sa_report_all(FILE *fd)
{
- int i;
- FILE *fd;
struct sa *sa;
+ int i;
- /* Open SA_FILE. */
- fd = monitor_fopen(SA_FILE, "w");
-
- /* Start sa_config_report. */
for (i = 0; i <= bucket_mask; i++)
for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = LIST_NEXT(sa, link))
if (sa->phase == 1)
fprintf(fd, "SA name: none (phase 1)\n\n");
else
sa_dump_all(fd, sa);
-
- /* End sa_config_report. */
- fclose(fd);
}
/* Free the protocol structure pointed to by PROTO. */
void
-proto_free(struct proto * proto)
+proto_free(struct proto *proto)
{
- int i;
- struct sa *sa = proto->sa;
struct proto_attr *pa;
+ struct sa *sa = proto->sa;
+ int i;
for (i = 0; i < 2; i++)
if (proto->spi[i]) {
@@ -745,7 +738,7 @@ sa_remove(struct sa *sa)
/* Raise the reference count of SA. */
void
-sa_reference(struct sa * sa)
+sa_reference(struct sa *sa)
{
sa->refcnt++;
LOG_DBG((LOG_SA, 80, "sa_reference: SA %p now has %d references",
@@ -754,10 +747,10 @@ sa_reference(struct sa * sa)
/* Release a reference to SA. */
void
-sa_release(struct sa * sa)
+sa_release(struct sa *sa)
{
- struct proto *proto;
struct cert_handler *handler;
+ struct proto *proto;
LOG_DBG((LOG_SA, 80, "sa_release: SA %p had %d references",
sa, sa->refcnt));
@@ -789,7 +782,8 @@ sa_release(struct sa * sa)
handler->cert_free(sa->sent_cert);
}
if (sa->recv_key)
- key_free(sa->recv_keytype, ISAKMP_KEYTYPE_PUBLIC, sa->recv_key);
+ key_free(sa->recv_keytype, ISAKMP_KEYTYPE_PUBLIC,
+ sa->recv_key);
if (sa->keynote_key)
free(sa->keynote_key); /* This is just a string */
#if defined (USE_POLICY) || defined (USE_KEYNOTE)
@@ -810,7 +804,7 @@ sa_release(struct sa * sa)
* filled in.
*/
void
-sa_isakmp_upgrade(struct message * msg)
+sa_isakmp_upgrade(struct message *msg)
{
struct sa *sa = TAILQ_FIRST(&msg->exchange->sa_list);
@@ -838,20 +832,23 @@ struct attr_validation_state {
/* Validate an attribute. Return 0 on match. */
static int
-sa_validate_xf_attrs(u_int16_t type, u_int8_t * value, u_int16_t len,
+sa_validate_xf_attrs(u_int16_t type, u_int8_t *value, u_int16_t len,
void *arg)
{
- struct attr_validation_state *avs = (struct attr_validation_state *) arg;
+ struct attr_validation_state *avs =
+ (struct attr_validation_state *)arg;
LOG_DBG((LOG_SA, 95, "sa_validate_xf_attrs: phase %d mode %d type %d "
"len %d", avs->phase, avs->mode, type, len));
/* Make sure the phase and type are valid. */
if (avs->phase == 1) {
- if (type < IKE_ATTR_ENCRYPTION_ALGORITHM || type > IKE_ATTR_BLOCK_SIZE)
+ if (type < IKE_ATTR_ENCRYPTION_ALGORITHM ||
+ type > IKE_ATTR_BLOCK_SIZE)
return 1;
} else if (avs->phase == 2) {
- if (type < IPSEC_ATTR_SA_LIFE_TYPE || type > IPSEC_ATTR_ECN_TUNNEL)
+ if (type < IPSEC_ATTR_SA_LIFE_TYPE ||
+ type > IPSEC_ATTR_ECN_TUNNEL)
return 1;
} else
return 1;
@@ -876,10 +873,10 @@ sa_validate_xf_attrs(u_int16_t type, u_int8_t * value, u_int16_t len,
* otherwise. Also see note in sa_add_transform() below.
*/
static int
-sa_validate_proto_xf(struct proto * match, struct payload * xf, int phase)
+sa_validate_proto_xf(struct proto *match, struct payload *xf, int phase)
{
- struct proto_attr *pa;
struct attr_validation_state *avs;
+ struct proto_attr *pa;
int found = 0;
size_t i;
u_int8_t xf_id;
@@ -946,8 +943,8 @@ sa_validate_proto_xf(struct proto * match, struct payload * xf, int phase)
* are the initiator.
*/
int
-sa_add_transform(struct sa * sa, struct payload * xf, int initiator,
- struct proto ** protop)
+sa_add_transform(struct sa *sa, struct payload *xf, int initiator,
+ struct proto **protop)
{
struct proto *proto;
struct payload *prop = xf->context;
@@ -960,10 +957,11 @@ sa_add_transform(struct sa * sa, struct payload * xf, int initiator,
(unsigned long) sizeof *proto);
} else {
/*
- * RFC 2408, section 4.2 states the responder SHOULD use the proposal
- * number from the initiator (i.e us), in it's selected proposal to make
- * this lookup easier. Most vendors follow this. One noted exception is
- * the CiscoPIX (and perhaps other Cisco products).
+ * RFC 2408, section 4.2 states the responder SHOULD use the
+ * proposal number from the initiator (i.e us), in it's
+ * selected proposal to make this lookup easier. Most vendors
+ * follow this. One noted exception is the CiscoPIX (and
+ * perhaps other Cisco products).
*
* We start by matching on the proposal number, as before.
*/
@@ -972,13 +970,15 @@ sa_add_transform(struct sa * sa, struct payload * xf, int initiator,
proto = TAILQ_NEXT(proto, link))
;
/*
- * If we did not find a match, search through all proposals and xforms.
+ * If we did not find a match, search through all proposals
+ * and xforms.
*/
if (!proto || sa_validate_proto_xf(proto, xf, sa->phase) != 0)
for (proto = TAILQ_FIRST(&sa->protos);
- proto && sa_validate_proto_xf(proto, xf, sa->phase) != 0;
- proto = TAILQ_NEXT(proto, link))
- ;
+ proto && sa_validate_proto_xf(proto, xf,
+ sa->phase) != 0;
+ proto = TAILQ_NEXT(proto, link))
+ ;
}
if (!proto)
return -1;
@@ -1000,7 +1000,8 @@ sa_add_transform(struct sa * sa, struct payload * xf, int initiator,
proto->spi[0] = malloc(proto->spi_sz[0]);
if (!proto->spi[0])
goto cleanup;
- memcpy(proto->spi[0], prop->p + ISAKMP_PROP_SPI_OFF, proto->spi_sz[0]);
+ memcpy(proto->spi[0], prop->p + ISAKMP_PROP_SPI_OFF,
+ proto->spi_sz[0]);
}
proto->chosen = xf;
proto->sa = sa;
@@ -1032,7 +1033,7 @@ cleanup:
/* Delete an SA. Tell the peer if NOTIFY is set. */
void
-sa_delete(struct sa * sa, int notify)
+sa_delete(struct sa *sa, int notify)
{
/* Don't bother notifying of Phase 1 SA deletes. */
if (sa->phase != 1 && notify)
@@ -1123,7 +1124,8 @@ sa_reinit(void)
for (i = 0; i <= bucket_mask; i++)
for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = LIST_NEXT(sa, link))
if (sa->phase == 2)
- if (exchange_lookup_by_name(sa->name, sa->phase) == 0) {
+ if (exchange_lookup_by_name(sa->name,
+ sa->phase) == 0) {
timer_remove_event(sa->soft_death);
sa_soft_expire(sa);
}
@@ -1139,19 +1141,19 @@ sa_flag(char *attr)
char *name;
int flag;
} sa_flag_map[] = {
- {
- "active-only", SA_FLAG_ACTIVE_ONLY
- },
-
+ {
+ "active-only", SA_FLAG_ACTIVE_ONLY
+ },
+
/*
* Below this point are flags that are internal to the
* implementation.
*/
- {
- "__ondemand", SA_FLAG_ONDEMAND
- }, {
- "ikecfg", SA_FLAG_IKECFG
- },
+ {
+ "__ondemand", SA_FLAG_ONDEMAND
+ }, {
+ "ikecfg", SA_FLAG_IKECFG
+ },
};
size_t i;
@@ -1164,7 +1166,7 @@ sa_flag(char *attr)
/* Mark SA as replaced. */
void
-sa_mark_replaced(struct sa * sa)
+sa_mark_replaced(struct sa *sa)
{
LOG_DBG((LOG_SA, 60, "sa_mark_replaced: SA %p (%s) marked as replaced",
sa, sa->name ? sa->name : "unnamed"));
@@ -1178,10 +1180,10 @@ sa_mark_replaced(struct sa * sa)
* stack.
*/
int
-sa_setup_expirations(struct sa * sa)
+sa_setup_expirations(struct sa *sa)
{
- u_int64_t seconds = sa->seconds;
struct timeval expiration;
+ u_int64_t seconds = sa->seconds;
/*
* Set the soft timeout to a random percentage between 85 & 95 of
@@ -1219,8 +1221,8 @@ sa_setup_expirations(struct sa * sa)
"sa_setup_expirations: SA %p hard timeout in %llu seconds",
sa, sa->seconds));
expiration.tv_sec += sa->seconds;
- sa->death = timer_add_event("sa_hard_expire",
- sa_hard_expire, sa, &expiration);
+ sa->death = timer_add_event("sa_hard_expire", sa_hard_expire,
+ sa, &expiration);
if (!sa->death) {
/* If we don't give up we might start leaking... */
sa_delete(sa, 1);
diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h
index f7071755185..0bdd97d9c73 100644
--- a/sbin/isakmpd/sa.h
+++ b/sbin/isakmpd/sa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sa.h,v 1.35 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: sa.h,v 1.36 2004/05/13 06:56:34 ho Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
/*
@@ -225,9 +225,6 @@ struct sa {
/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */
#define SA_FLAG_IKECFG 0x40
-/* Outfile for detailed SA information. */
-#define SA_FILE "/var/run/isakmpd_sa"
-
extern void proto_free(struct proto * proto);
extern int
sa_add_transform(struct sa *, struct payload *, int,
@@ -255,6 +252,6 @@ extern void sa_release(struct sa *);
extern void sa_remove(struct sa *);
extern void sa_report(void);
extern void sa_dump(int, int, char *, struct sa *);
-extern void sa_report_all(void);
+extern void sa_report_all(FILE *);
extern int sa_setup_expirations(struct sa *);
#endif /* _SA_H_ */
diff --git a/sbin/isakmpd/ui.c b/sbin/isakmpd/ui.c
index 97207a4a5d2..acba4404bc3 100644
--- a/sbin/isakmpd/ui.c
+++ b/sbin/isakmpd/ui.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui.c,v 1.38 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: ui.c,v 1.39 2004/05/13 06:56:34 ho Exp $ */
/* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */
/*
@@ -57,13 +57,16 @@
#define BUF_SZ 256
/* from isakmpd.c */
-void daemon_shutdown_now(int);
+void daemon_shutdown_now(int);
/* Report all SA configuration information. */
-void ui_report_sa(char *cmd);
+void ui_report_sa(char *);
-char *ui_fifo = FIFO;
-int ui_socket;
+static FILE *ui_open_result(void);
+
+char *ui_fifo = FIFO;
+int ui_socket;
+struct event *ui_cr_event = NULL;
/* Create and open the FIFO used for user control. */
void
@@ -88,7 +91,8 @@ ui_init(void)
#endif
if ((st.st_mode & S_IFMT) == S_IFREG) {
errno = EEXIST;
- log_fatal("ui_init: could not create FIFO \"%s\"", ui_fifo);
+ log_fatal("ui_init: could not create FIFO \"%s\"",
+ ui_fifo);
}
}
@@ -99,8 +103,8 @@ ui_init(void)
ui_socket = monitor_open(ui_fifo, O_RDWR | O_NONBLOCK, 0);
if (ui_socket == -1)
- log_fatal("ui_init: open (\"%s\", O_RDWR | O_NONBLOCK, 0) failed",
- ui_fifo);
+ log_fatal("ui_init: open (\"%s\", O_RDWR | O_NONBLOCK, 0) "
+ "failed", ui_fifo);
}
/*
@@ -145,6 +149,37 @@ ui_teardown_all(char *cmd)
sa_teardown_all();
}
+static void
+ui_conn_reinit_event(void *v)
+{
+ /*
+ * This event is required for isakmpd to reinitialize the connection
+ * and passive-connection lists. Otherwise a change to the
+ * "[Phase 2]:Connections" tag will not have any effect.
+ */
+ connection_reinit();
+
+ ui_cr_event = NULL;
+}
+
+static void
+ui_conn_reinit(void)
+{
+ struct timeval tv;
+
+ if (ui_cr_event)
+ timer_remove_event(ui_cr_event);
+
+ gettimeofday(&tv, 0);
+ tv.tv_sec += 5;
+
+ ui_cr_event = timer_add_event("ui_conn_reinit", ui_conn_reinit_event,
+ 0, &tv);
+ if (!ui_cr_event)
+ log_print("ui_conn_reinit: timer_add_event() failed. "
+ "Connections will not be updated.");
+}
+
/*
* Call the configuration API.
* XXX Error handling! How to do multi-line transactions? Too short arbitrary
@@ -153,12 +188,28 @@ ui_teardown_all(char *cmd)
static void
ui_config(char *cmd)
{
- char subcmd[81], section[81], tag[81], value[81], tmp[81];
- int trans = 0, items;
+ char subcmd[81], section[81], tag[81], value[81], tmp[81];
+ char *v, *nv;
+ int trans = 0, items, nvlen;
+ FILE *fd;
if (sscanf(cmd, "C %80s", subcmd) != 1)
goto fail;
+ if (strcasecmp(subcmd, "get") == 0) {
+ if (sscanf(cmd, "C %*s [%80[^]]]:%80s", section, tag) != 2)
+ goto fail;
+ v = conf_get_str(section, tag);
+ fd = ui_open_result();
+ if (fd) {
+ if (v)
+ fprintf(fd, "%s\n", v);
+ fclose(fd);
+ }
+ LOG_DBG((LOG_UI, 30, "ui_config: \"%s\"", cmd));
+ return;
+ }
+
trans = conf_begin();
if (strcasecmp(subcmd, "set") == 0) {
items = sscanf(cmd, "C %*s [%80[^]]]:%80[^=]=%80s %80s",
@@ -166,6 +217,39 @@ ui_config(char *cmd)
if (!(items == 3 || items == 4))
goto fail;
conf_set(trans, section, tag, value, items == 4 ? 1 : 0, 0);
+ if (strcasecmp(section, "Phase 2") == 0 &&
+ (strcasecmp(tag, "Connections") == 0 ||
+ strcasecmp(tag, "Passive-connections") == 0))
+ ui_conn_reinit();
+ } else if (strcasecmp(subcmd, "add") == 0) {
+ items = sscanf(cmd, "C %*s [%80[^]]]:%80[^=]=%80s %80s",
+ section, tag, value, tmp);
+ if (!(items == 3 || items == 4))
+ goto fail;
+ v = conf_get_str(section, tag);
+ if (!v)
+ conf_set(trans, section, tag, value, 1, 0);
+ else {
+ /* Add the new value to the end of the 'v' list. */
+ nvlen = strlen(v) + strlen(value) + 2;
+ nv = (char *)malloc(nvlen);
+ if (!nv) {
+ log_error("ui_config: malloc(%d) failed",
+ nvlen);
+ if (trans)
+ conf_end(trans, 0);
+ return;
+ }
+ snprintf(nv, nvlen,
+ v[strlen(v) - 1] == ',' ? "%s%s" : "%s,%s", v,
+ value);
+ conf_set(trans, section, tag, nv, 1, 0);
+ free(nv);
+ }
+ if (strcasecmp(section, "Phase 2") == 0 &&
+ (strcasecmp(tag, "Connections") == 0 ||
+ strcasecmp(tag, "Passive-connections") == 0))
+ ui_conn_reinit();
} else if (strcasecmp(subcmd, "rm") == 0) {
if (sscanf(cmd, "C %*s [%80[^]]]:%80s", section, tag) != 2)
goto fail;
@@ -302,7 +386,14 @@ void
ui_report_sa(char *cmd)
{
/* Skip 'cmd' as arg? */
- sa_report_all();
+
+ FILE *fd = ui_open_result();
+ if (!fd)
+ return;
+
+ sa_report_all(fd);
+
+ fclose(fd);
}
/*
@@ -314,7 +405,7 @@ ui_handle_command(char *line)
{
/* Find out what one-letter command was sent. */
switch (line[0]) {
- case 'c':
+ case 'c':
ui_connect(line);
break;
@@ -361,7 +452,8 @@ ui_handle_command(char *line)
break;
default:
- log_print("ui_handle_messages: unrecognized command: '%c'", line[0]);
+ log_print("ui_handle_messages: unrecognized command: '%c'",
+ line[0]);
}
}
@@ -432,3 +524,12 @@ ui_handler(void)
p++;
}
}
+
+static FILE *
+ui_open_result(void)
+{
+ FILE *fd = monitor_fopen(RESULT_FILE, "w");
+ if (!fd)
+ log_error("ui_open_result: fopen() failed");
+ return fd;
+}
diff --git a/sbin/isakmpd/ui.h b/sbin/isakmpd/ui.h
index 3876e8d1bdf..db9de7fd8e4 100644
--- a/sbin/isakmpd/ui.h
+++ b/sbin/isakmpd/ui.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui.h,v 1.6 2004/04/15 18:39:26 deraadt Exp $ */
+/* $OpenBSD: ui.h,v 1.7 2004/05/13 06:56:34 ho Exp $ */
/* $EOM: ui.h,v 1.5 1998/12/01 10:20:12 niklas Exp $ */
/*
@@ -33,6 +33,7 @@
#define _UI_H_
#define FIFO "/var/run/isakmpd.fifo"
+#define RESULT_FILE "/var/run/isakmpd.result"
extern char *ui_fifo;
extern int ui_socket;