-# $OpenBSD: Makefile,v 1.20 2021/03/04 22:27:13 tobhe Exp $
+# $OpenBSD: Makefile,v 1.21 2021/03/05 22:03:51 tobhe Exp $
PROG= iked
SRCS= ca.c chap_ms.c config.c control.c crypto.c dh.c \
eap.c iked.c ikev2.c ikev2_msg.c ikev2_pld.c \
- log.c ocsp.c pfkey.c policy.c proc.c timer.c util.c \
+ log.c ocsp.c pfkey.c policy.c print.c proc.c timer.c util.c \
imsg_util.c smult_curve25519_ref.c vroute.c
SRCS+= eap_map.c ikev2_map.c
SRCS+= parse.y
-/* $OpenBSD: iked.h,v 1.187 2021/02/25 20:13:24 tobhe Exp $ */
+/* $OpenBSD: iked.h,v 1.188 2021/03/05 22:03:51 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
struct sockaddr_storage sock_addr;
};
+struct ipsec_xf {
+ const char *name;
+ unsigned int id;
+ unsigned int length;
+ unsigned int keylength;
+ unsigned int nonce;
+ unsigned int noauth;
+};
+
+struct ipsec_transforms {
+ const struct ipsec_xf **authxf;
+ unsigned int nauthxf;
+ const struct ipsec_xf **prfxf;
+ unsigned int nprfxf;
+ const struct ipsec_xf **encxf;
+ unsigned int nencxf;
+ const struct ipsec_xf **groupxf;
+ unsigned int ngroupxf;
+ const struct ipsec_xf **esnxf;
+ unsigned int nesnxf;
+};
+
+struct ipsec_mode {
+ struct ipsec_transforms **xfs;
+ unsigned int nxfs;
+};
+
/* iked.c */
void parent_reload(struct iked *, int, const char *);
/* parse.y */
int parse_config(const char *, struct iked *);
-void print_user(struct iked_user *);
-void print_policy(struct iked_policy *);
+int cmdline_symset(char *);
+extern const struct ipsec_xf authxfs[];
+extern const struct ipsec_xf prfxfs[];
+extern const struct ipsec_xf *encxfs;
+extern const struct ipsec_xf ikeencxfs[];
+extern const struct ipsec_xf ipsecencxfs[];
+extern const struct ipsec_xf groupxfs[];
+extern const struct ipsec_xf esnxfs[];
+extern const struct ipsec_xf methodxfs[];
+extern const struct ipsec_xf saxfs[];
+extern const struct ipsec_xf cpxfs[];
size_t keylength_xf(unsigned int, unsigned int, unsigned int);
size_t noncelength_xf(unsigned int, unsigned int);
-int cmdline_symset(char *);
int encxf_noauth(unsigned int);
+/* print.c */
+void print_user(struct iked_user *);
+void print_policy(struct iked_policy *);
+const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *);
+
#endif /* IKED_H */
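Review bot: The table declarations newly exported from `extern const struct ipsec_xf authxfs[];` down to `cpxfs[]` carry no comment, and `encxfs` stands out as a pointer (`extern const struct ipsec_xf *encxfs;`) among array declarations, which suggests it is re-pointed at runtime rather than being a fixed table; nothing in the header says who owns it or when it changes. Since print.c now consumes these symbols from another compilation unit, a short comment above the block would help, e.g. `/* Transform tables defined in parse.y; encxfs is a pointer, presumably aimed at ikeencxfs or ipsecencxfs by the parser — confirm before using it from other files */`. The `struct ipsec_xf` definition moved into this header also lacks a note that each table is terminated by an entry with `name == NULL`, which the `xfs[i].name != NULL` loop in print_xf depends on.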
-/* $OpenBSD: parse.y,v 1.128 2021/02/13 16:14:12 tobhe Exp $ */
+/* $OpenBSD: parse.y,v 1.129 2021/03/05 22:03:51 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
static long ocsp_maxage = -1;
static int cert_partial_chain = 0;
-struct ipsec_xf {
- const char *name;
- unsigned int id;
- unsigned int length;
- unsigned int keylength;
- unsigned int nonce;
- unsigned int noauth;
-};
-
-struct ipsec_transforms {
- const struct ipsec_xf **authxf;
- unsigned int nauthxf;
- const struct ipsec_xf **prfxf;
- unsigned int nprfxf;
- const struct ipsec_xf **encxf;
- unsigned int nencxf;
- const struct ipsec_xf **groupxf;
- unsigned int ngroupxf;
- const struct ipsec_xf **esnxf;
- unsigned int nesnxf;
-};
-
-struct ipsec_mode {
- struct ipsec_transforms **xfs;
- unsigned int nxfs;
-};
-
struct iked_transform ikev2_default_ike_transforms[] = {
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
void set_ipmask(struct ipsec_addr_wrap *, int);
const struct ipsec_xf *parse_xf(const char *, unsigned int,
const struct ipsec_xf *);
-const char *print_xf(unsigned int, unsigned int,
- const struct ipsec_xf *);
void copy_transforms(unsigned int,
const struct ipsec_xf **, unsigned int,
struct iked_transform **, unsigned int *,
return (NULL);
}
-const char *
-print_xf(unsigned int id, unsigned int length, const struct ipsec_xf xfs[])
-{
- int i;
-
- for (i = 0; xfs[i].name != NULL; i++) {
- if (xfs[i].id == id) {
- if (length == 0 || length == xfs[i].length)
- return (xfs[i].name);
- }
- }
- return ("unknown");
-}
-
int
encxf_noauth(unsigned int id)
{
return (0);
}
-void
-print_user(struct iked_user *usr)
-{
- print_verbose("user \"%s\" \"%s\"\n", usr->usr_name, usr->usr_pass);
-}
-
-void
-print_policy(struct iked_policy *pol)
-{
- struct iked_proposal *pp;
- struct iked_transform *xform;
- struct iked_flow *flow;
- struct iked_cfg *cfg;
- unsigned int i, j;
- const struct ipsec_xf *xfs = NULL;
- char iface[IF_NAMESIZE];
-
- print_verbose("ikev2");
-
- if (pol->pol_name[0] != '\0')
- print_verbose(" \"%s\"", pol->pol_name);
-
- if (pol->pol_flags & IKED_POLICY_DEFAULT)
- print_verbose(" default");
- else if (pol->pol_flags & IKED_POLICY_QUICK)
- print_verbose(" quick");
- else if (pol->pol_flags & IKED_POLICY_SKIP)
- print_verbose(" skip");
-
- if (pol->pol_flags & IKED_POLICY_ACTIVE)
- print_verbose(" active");
- else
- print_verbose(" passive");
-
- if (pol->pol_flags & IKED_POLICY_IPCOMP)
- print_verbose(" ipcomp");
-
- if (pol->pol_flags & IKED_POLICY_TRANSPORT)
- print_verbose(" transport");
- else
- print_verbose(" tunnel");
-
- print_verbose(" %s", print_xf(pol->pol_saproto, 0, saxfs));
-
- if (pol->pol_ipproto)
- print_verbose(" proto %s", print_proto(pol->pol_ipproto));
-
- if (pol->pol_af) {
- if (pol->pol_af == AF_INET)
- print_verbose(" inet");
- else
- print_verbose(" inet6");
- }
-
- if (pol->pol_rdomain >= 0)
- print_verbose(" rdomain %d", pol->pol_rdomain);
-
- RB_FOREACH(flow, iked_flows, &pol->pol_flows) {
- print_verbose(" from %s",
- print_host((struct sockaddr *)&flow->flow_src.addr, NULL,
- 0));
- if (flow->flow_src.addr_af != AF_UNSPEC &&
- flow->flow_src.addr_net)
- print_verbose("/%d", flow->flow_src.addr_mask);
- if (flow->flow_src.addr_port)
- print_verbose(" port %d",
- ntohs(flow->flow_src.addr_port));
-
- print_verbose(" to %s",
- print_host((struct sockaddr *)&flow->flow_dst.addr, NULL,
- 0));
- if (flow->flow_dst.addr_af != AF_UNSPEC &&
- flow->flow_dst.addr_net)
- print_verbose("/%d", flow->flow_dst.addr_mask);
- if (flow->flow_dst.addr_port)
- print_verbose(" port %d",
- ntohs(flow->flow_dst.addr_port));
- }
-
- if ((pol->pol_flags & IKED_POLICY_DEFAULT) == 0) {
- print_verbose(" local %s",
- print_host((struct sockaddr *)&pol->pol_local.addr, NULL,
- 0));
- if (pol->pol_local.addr.ss_family != AF_UNSPEC &&
- pol->pol_local.addr_net)
- print_verbose("/%d", pol->pol_local.addr_mask);
-
- print_verbose(" peer %s",
- print_host((struct sockaddr *)&pol->pol_peer.addr, NULL,
- 0));
- if (pol->pol_peer.addr.ss_family != AF_UNSPEC &&
- pol->pol_peer.addr_net)
- print_verbose("/%d", pol->pol_peer.addr_mask);
- }
-
- TAILQ_FOREACH(pp, &pol->pol_proposals, prop_entry) {
- if (!pp->prop_nxforms)
- continue;
- if (pp->prop_protoid == IKEV2_SAPROTO_IKE)
- print_verbose(" ikesa");
- else
- print_verbose(" childsa");
-
- for (j = 0; ikev2_xformtype_map[j].cm_type != 0; j++) {
- xfs = NULL;
-
- for (i = 0; i < pp->prop_nxforms; i++) {
- xform = pp->prop_xforms + i;
-
- if (xform->xform_type !=
- ikev2_xformtype_map[j].cm_type)
- continue;
-
- switch (xform->xform_type) {
- case IKEV2_XFORMTYPE_INTEGR:
- print_verbose(" auth ");
- xfs = authxfs;
- break;
- case IKEV2_XFORMTYPE_ENCR:
- print_verbose(" enc ");
- if (pp->prop_protoid ==
- IKEV2_SAPROTO_IKE)
- xfs = ikeencxfs;
- else
- xfs = ipsecencxfs;
- break;
- case IKEV2_XFORMTYPE_PRF:
- print_verbose(" prf ");
- xfs = prfxfs;
- break;
- case IKEV2_XFORMTYPE_DH:
- print_verbose(" group ");
- xfs = groupxfs;
- break;
- case IKEV2_XFORMTYPE_ESN:
- print_verbose(" ");
- xfs = esnxfs;
- break;
- default:
- continue;
- }
-
- print_verbose("%s", print_xf(xform->xform_id,
- xform->xform_length / 8, xfs));
- }
- }
- }
-
- if (pol->pol_localid.id_length != 0)
- print_verbose(" srcid %s", pol->pol_localid.id_data);
- if (pol->pol_peerid.id_length != 0)
- print_verbose(" dstid %s", pol->pol_peerid.id_data);
-
- if (pol->pol_rekey)
- print_verbose(" ikelifetime %u", pol->pol_rekey);
-
- print_verbose(" lifetime %llu bytes %llu",
- pol->pol_lifetime.lt_seconds, pol->pol_lifetime.lt_bytes);
-
- switch (pol->pol_auth.auth_method) {
- case IKEV2_AUTH_NONE:
- print_verbose (" none");
- break;
- case IKEV2_AUTH_SHARED_KEY_MIC:
- print_verbose(" psk 0x");
- for (i = 0; i < pol->pol_auth.auth_length; i++)
- print_verbose("%02x", pol->pol_auth.auth_data[i]);
- break;
- default:
- if (pol->pol_auth.auth_eap)
- print_verbose(" eap \"%s\"",
- print_map(pol->pol_auth.auth_eap, eap_type_map));
- else
- print_verbose(" %s",
- print_xf(pol->pol_auth.auth_method, 0, methodxfs));
- }
-
- for (i = 0; i < pol->pol_ncfg; i++) {
- cfg = &pol->pol_cfg[i];
- print_verbose(" config %s %s", print_xf(cfg->cfg_type,
- cfg->cfg.address.addr_af, cpxfs),
- print_host((struct sockaddr *)&cfg->cfg.address.addr, NULL,
- 0));
- }
-
- if (pol->pol_tag[0] != '\0')
- print_verbose(" tag \"%s\"", pol->pol_tag);
-
- if (pol->pol_iface != 0 && if_indextoname(pol->pol_iface, iface) != NULL)
- print_verbose(" iface %s", iface);
-
- if (pol->pol_tap != 0)
- print_verbose(" tap \"enc%u\"", pol->pol_tap);
-
- print_verbose("\n");
-}
-
void
copy_transforms(unsigned int type,
const struct ipsec_xf **xfs, unsigned int nxfs,
--- /dev/null
+/* $OpenBSD: print.c,v 1.1 2021/03/05 22:03:51 tobhe Exp $ */
+
+/*
+ * Copyright (c) 2019-2021 Tobias Heider <tobias.heider@stusta.de>
+ * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+#include <net/if.h>
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <event.h>
+
+#include "iked.h"
+#include "ikev2.h"
+#include "eap.h"
+
+const char *
+print_xf(unsigned int id, unsigned int length, const struct ipsec_xf xfs[])
+{
+ int i;
+
+ for (i = 0; xfs[i].name != NULL; i++) {
+ if (xfs[i].id == id) {
+ if (length == 0 || length == xfs[i].length)
+ return (xfs[i].name);
+ }
+ }
+ return ("unknown");
+}
+
+void
+print_user(struct iked_user *usr)
+{
+ print_verbose("user \"%s\" \"%s\"\n", usr->usr_name, usr->usr_pass);
+}
+
+void
+print_policy(struct iked_policy *pol)
+{
+ struct iked_proposal *pp;
+ struct iked_transform *xform;
+ struct iked_flow *flow;
+ struct iked_cfg *cfg;
+ unsigned int i, j;
+ const struct ipsec_xf *xfs = NULL;
+ char iface[IF_NAMESIZE];
+
+ print_verbose("ikev2");
+
+ if (pol->pol_name[0] != '\0')
+ print_verbose(" \"%s\"", pol->pol_name);
+
+ if (pol->pol_flags & IKED_POLICY_DEFAULT)
+ print_verbose(" default");
+ else if (pol->pol_flags & IKED_POLICY_QUICK)
+ print_verbose(" quick");
+ else if (pol->pol_flags & IKED_POLICY_SKIP)
+ print_verbose(" skip");
+
+ if (pol->pol_flags & IKED_POLICY_ACTIVE)
+ print_verbose(" active");
+ else
+ print_verbose(" passive");
+
+ if (pol->pol_flags & IKED_POLICY_IPCOMP)
+ print_verbose(" ipcomp");
+
+ if (pol->pol_flags & IKED_POLICY_TRANSPORT)
+ print_verbose(" transport");
+ else
+ print_verbose(" tunnel");
+
+ print_verbose(" %s", print_xf(pol->pol_saproto, 0, saxfs));
+
+ if (pol->pol_ipproto)
+ print_verbose(" proto %s", print_proto(pol->pol_ipproto));
+
+ if (pol->pol_af) {
+ if (pol->pol_af == AF_INET)
+ print_verbose(" inet");
+ else
+ print_verbose(" inet6");
+ }
+
+ if (pol->pol_rdomain >= 0)
+ print_verbose(" rdomain %d", pol->pol_rdomain);
+
+ RB_FOREACH(flow, iked_flows, &pol->pol_flows) {
+ print_verbose(" from %s",
+ print_host((struct sockaddr *)&flow->flow_src.addr, NULL,
+ 0));
+ if (flow->flow_src.addr_af != AF_UNSPEC &&
+ flow->flow_src.addr_net)
+ print_verbose("/%d", flow->flow_src.addr_mask);
+ if (flow->flow_src.addr_port)
+ print_verbose(" port %d",
+ ntohs(flow->flow_src.addr_port));
+
+ print_verbose(" to %s",
+ print_host((struct sockaddr *)&flow->flow_dst.addr, NULL,
+ 0));
+ if (flow->flow_dst.addr_af != AF_UNSPEC &&
+ flow->flow_dst.addr_net)
+ print_verbose("/%d", flow->flow_dst.addr_mask);
+ if (flow->flow_dst.addr_port)
+ print_verbose(" port %d",
+ ntohs(flow->flow_dst.addr_port));
+ }
+
+ if ((pol->pol_flags & IKED_POLICY_DEFAULT) == 0) {
+ print_verbose(" local %s",
+ print_host((struct sockaddr *)&pol->pol_local.addr, NULL,
+ 0));
+ if (pol->pol_local.addr.ss_family != AF_UNSPEC &&
+ pol->pol_local.addr_net)
+ print_verbose("/%d", pol->pol_local.addr_mask);
+
+ print_verbose(" peer %s",
+ print_host((struct sockaddr *)&pol->pol_peer.addr, NULL,
+ 0));
+ if (pol->pol_peer.addr.ss_family != AF_UNSPEC &&
+ pol->pol_peer.addr_net)
+ print_verbose("/%d", pol->pol_peer.addr_mask);
+ }
+
+ TAILQ_FOREACH(pp, &pol->pol_proposals, prop_entry) {
+ if (!pp->prop_nxforms)
+ continue;
+ if (pp->prop_protoid == IKEV2_SAPROTO_IKE)
+ print_verbose(" ikesa");
+ else
+ print_verbose(" childsa");
+
+ for (j = 0; ikev2_xformtype_map[j].cm_type != 0; j++) {
+ xfs = NULL;
+
+ for (i = 0; i < pp->prop_nxforms; i++) {
+ xform = pp->prop_xforms + i;
+
+ if (xform->xform_type !=
+ ikev2_xformtype_map[j].cm_type)
+ continue;
+
+ switch (xform->xform_type) {
+ case IKEV2_XFORMTYPE_INTEGR:
+ print_verbose(" auth ");
+ xfs = authxfs;
+ break;
+ case IKEV2_XFORMTYPE_ENCR:
+ print_verbose(" enc ");
+ if (pp->prop_protoid ==
+ IKEV2_SAPROTO_IKE)
+ xfs = ikeencxfs;
+ else
+ xfs = ipsecencxfs;
+ break;
+ case IKEV2_XFORMTYPE_PRF:
+ print_verbose(" prf ");
+ xfs = prfxfs;
+ break;
+ case IKEV2_XFORMTYPE_DH:
+ print_verbose(" group ");
+ xfs = groupxfs;
+ break;
+ case IKEV2_XFORMTYPE_ESN:
+ print_verbose(" ");
+ xfs = esnxfs;
+ break;
+ default:
+ continue;
+ }
+
+ print_verbose("%s", print_xf(xform->xform_id,
+ xform->xform_length / 8, xfs));
+ }
+ }
+ }
+
+ if (pol->pol_localid.id_length != 0)
+ print_verbose(" srcid %s", pol->pol_localid.id_data);
+ if (pol->pol_peerid.id_length != 0)
+ print_verbose(" dstid %s", pol->pol_peerid.id_data);
+
+ if (pol->pol_rekey)
+ print_verbose(" ikelifetime %u", pol->pol_rekey);
+
+ print_verbose(" lifetime %llu bytes %llu",
+ pol->pol_lifetime.lt_seconds, pol->pol_lifetime.lt_bytes);
+
+ switch (pol->pol_auth.auth_method) {
+ case IKEV2_AUTH_NONE:
+ print_verbose (" none");
+ break;
+ case IKEV2_AUTH_SHARED_KEY_MIC:
+ print_verbose(" psk 0x");
+ for (i = 0; i < pol->pol_auth.auth_length; i++)
+ print_verbose("%02x", pol->pol_auth.auth_data[i]);
+ break;
+ default:
+ if (pol->pol_auth.auth_eap)
+ print_verbose(" eap \"%s\"",
+ print_map(pol->pol_auth.auth_eap, eap_type_map));
+ else
+ print_verbose(" %s",
+ print_xf(pol->pol_auth.auth_method, 0, methodxfs));
+ }
+
+ for (i = 0; i < pol->pol_ncfg; i++) {
+ cfg = &pol->pol_cfg[i];
+ print_verbose(" config %s %s", print_xf(cfg->cfg_type,
+ cfg->cfg.address.addr_af, cpxfs),
+ print_host((struct sockaddr *)&cfg->cfg.address.addr, NULL,
+ 0));
+ }
+
+ if (pol->pol_tag[0] != '\0')
+ print_verbose(" tag \"%s\"", pol->pol_tag);
+
+ if (pol->pol_iface != 0 && if_indextoname(pol->pol_iface, iface) != NULL)
+ print_verbose(" iface %s", iface);
+
+ if (pol->pol_tap != 0)
+ print_verbose(" tap \"enc%u\"", pol->pol_tap);
+
+ print_verbose("\n");
+}
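Review bot: print_user writes `usr->usr_pass` in the clear and the `IKEV2_AUTH_SHARED_KEY_MIC` branch of print_policy dumps the whole PSK as hex, so the new file emits credentials without any comment saying that this is deliberate. Both functions are moved from parse.y unchanged and the output mirrors what is already in the configuration file, so the behaviour is presumably intended for the configuration dump, but a file-level comment should say so, e.g. `/* Print a parsed configuration back in iked.conf syntax; the output includes secrets (user passwords, PSKs) and is only meant for the verbose config-test channel. */`. print_xf also deserves a one-line contract, `/* Look up id in the NULL-name-terminated table xfs; length 0 matches any entry length, an unmatched id yields "unknown". */`, and `int i` there would more conventionally be `size_t` or `unsigned int` to match the other loops in this file. A style nit while the code is being moved: `print_verbose (" none")` has a stray space before the parenthesis.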