From 97ca1c62e1baebab1f2ef69c25d6d16469a82e7c Mon Sep 17 00:00:00 2001 From: tobhe Date: Fri, 5 Mar 2021 22:03:51 +0000 Subject: [PATCH] Move policy printing code from parse.y to new print.c ok patrick@ --- sbin/iked/Makefile | 4 +- sbin/iked/iked.h | 48 ++++++++- sbin/iked/parse.y | 242 +------------------------------------------- sbin/iked/print.c | 244 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 291 insertions(+), 247 deletions(-) create mode 100644 sbin/iked/print.c diff --git a/sbin/iked/Makefile b/sbin/iked/Makefile index a761155da50..9cef5b2f75a 100644 --- a/sbin/iked/Makefile +++ b/sbin/iked/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.20 2021/03/04 22:27:13 tobhe Exp $ +# $OpenBSD: Makefile,v 1.21 2021/03/05 22:03:51 tobhe Exp $ PROG= iked SRCS= ca.c chap_ms.c config.c control.c crypto.c dh.c \ eap.c iked.c ikev2.c ikev2_msg.c ikev2_pld.c \ - log.c ocsp.c pfkey.c policy.c proc.c timer.c util.c \ + log.c ocsp.c pfkey.c policy.c print.c proc.c timer.c util.c \ imsg_util.c smult_curve25519_ref.c vroute.c SRCS+= eap_map.c ikev2_map.c SRCS+= parse.y diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index 0a2e659df3f..ce83571e503 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.187 2021/02/25 20:13:24 tobhe Exp $ */ +/* $OpenBSD: iked.h,v 1.188 2021/03/05 22:03:51 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider 
@@ -782,6 +782,33 @@ struct iked_socket { struct sockaddr_storage sock_addr; }; +struct ipsec_xf { + const char *name; + unsigned int id; + unsigned int length; + unsigned int keylength; + unsigned int nonce; + unsigned int noauth; +}; + +struct ipsec_transforms { + const struct ipsec_xf **authxf; + unsigned int nauthxf; + const struct ipsec_xf **prfxf; + unsigned int nprfxf; + const struct ipsec_xf **encxf; + unsigned int nencxf; + const struct ipsec_xf **groupxf; + unsigned int ngroupxf; + const struct ipsec_xf **esnxf; + unsigned int nesnxf; +}; + +struct ipsec_mode { + struct ipsec_transforms **xfs; + unsigned int nxfs; +}; + /* iked.c */ void parent_reload(struct iked *, int, const char *); @@ -1217,11 +1244,24 @@ int ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr, /* parse.y */ int parse_config(const char *, struct iked *); -void print_user(struct iked_user *); -void print_policy(struct iked_policy *); +int cmdline_symset(char *); +extern const struct ipsec_xf authxfs[]; +extern const struct ipsec_xf prfxfs[]; +extern const struct ipsec_xf *encxfs; +extern const struct ipsec_xf ikeencxfs[]; +extern const struct ipsec_xf ipsecencxfs[]; +extern const struct ipsec_xf groupxfs[]; +extern const struct ipsec_xf esnxfs[]; +extern const struct ipsec_xf methodxfs[]; +extern const struct ipsec_xf saxfs[]; +extern const struct ipsec_xf cpxfs[]; size_t keylength_xf(unsigned int, unsigned int, unsigned int); size_t noncelength_xf(unsigned int, unsigned int); -int cmdline_symset(char *); int encxf_noauth(unsigned int); +/* print.c */ +void print_user(struct iked_user *); +void print_policy(struct iked_policy *); +const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *); + #endif /* IKED_H */ diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y index 60dd3f3ea03..2b73a6b8a49 100644 --- a/sbin/iked/parse.y +++ b/sbin/iked/parse.y 
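Review bot: In the @@ -1217 hunk `encxfs` is exported as a writable pointer (`extern const struct ipsec_xf *encxfs;`) while every other table is a `const` array, so any unit that includes iked.h can now reassign it; the names suggest it is parser state pointed at either ikeencxfs or ipsecencxfs (not visible in this hunk), and print_policy in print.c already picks between those two tables itself, so the pointer could stay `static` in parse.y instead of widening its scope. The struct ipsec_xf fields added at @@ -782 (`length`, `keylength`, `nonce`, `noauth`) carry no comments and the header does not state their units; print_xf compares its `length` argument with `xfs[i].length` and treats an argument of 0 as "match any entry", so a per-field comment such as `unsigned int length; /* compared against print_xf's length argument; 0 there matches any entry -- unit to confirm */` would make the contract readable without opening parse.y.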
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.128 2021/02/13 16:14:12 tobhe Exp $ */ +/* $OpenBSD: parse.y,v 1.129 2021/03/05 22:03:51 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -108,33 +108,6 @@ static long ocsp_tolerate = 0; static long ocsp_maxage = -1; static int cert_partial_chain = 0; -struct ipsec_xf { - const char *name; - unsigned int id; - unsigned int length; - unsigned int keylength; - unsigned int nonce; - unsigned int noauth; -}; - -struct ipsec_transforms { - const struct ipsec_xf **authxf; - unsigned int nauthxf; - const struct ipsec_xf **prfxf; - unsigned int nprfxf; - const struct ipsec_xf **encxf; - unsigned int nencxf; - const struct ipsec_xf **groupxf; - unsigned int ngroupxf; - const struct ipsec_xf **esnxf; - unsigned int nesnxf; -}; - -struct ipsec_mode { - struct ipsec_transforms **xfs; - unsigned int nxfs; -}; - struct iked_transform ikev2_default_ike_transforms[] = { { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 }, { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 }, @@ -395,8 +368,6 @@ struct ipsec_addr_wrap *ifa_grouplookup(const char *); void set_ipmask(struct ipsec_addr_wrap *, int); const struct ipsec_xf *parse_xf(const char *, unsigned int, const struct ipsec_xf *); -const char *print_xf(unsigned int, unsigned int, - const struct ipsec_xf *); void copy_transforms(unsigned int, const struct ipsec_xf **, unsigned int, struct iked_transform **, unsigned int *, @@ -2377,20 +2348,6 @@ parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[]) return (NULL); } -const char * -print_xf(unsigned int id, unsigned int length, const struct ipsec_xf xfs[]) -{ - int i; - - for (i = 0; xfs[i].name != NULL; i++) { - if (xfs[i].id == id) { - if (length == 0 || length == xfs[i].length) - return (xfs[i].name); - } - } - return ("unknown"); -} - int encxf_noauth(unsigned int id) { 
@@ -2444,203 +2401,6 @@ noncelength_xf(unsigned int type, unsigned int id)
 return (0);
 }
 
-void
-print_user(struct iked_user *usr)
-{
- print_verbose("user \"%s\" \"%s\"\n", usr->usr_name, usr->usr_pass);
-}
-
-void
-print_policy(struct iked_policy *pol)
-{
- struct iked_proposal *pp;
- struct iked_transform *xform;
- struct iked_flow *flow;
- struct iked_cfg *cfg;
- unsigned int i, j;
- const struct ipsec_xf *xfs = NULL;
- char iface[IF_NAMESIZE];
-
- print_verbose("ikev2");
-
- if (pol->pol_name[0] != '\0')
- print_verbose(" \"%s\"", pol->pol_name);
-
- if (pol->pol_flags & IKED_POLICY_DEFAULT)
- print_verbose(" default");
- else if (pol->pol_flags & IKED_POLICY_QUICK)
- print_verbose(" quick");
- else if (pol->pol_flags & IKED_POLICY_SKIP)
- print_verbose(" skip");
-
- if (pol->pol_flags & IKED_POLICY_ACTIVE)
- print_verbose(" active");
- else
- print_verbose(" passive");
-
- if (pol->pol_flags & IKED_POLICY_IPCOMP)
- print_verbose(" ipcomp");
-
- if (pol->pol_flags & IKED_POLICY_TRANSPORT)
- print_verbose(" transport");
- else
- print_verbose(" tunnel");
-
- print_verbose(" %s", print_xf(pol->pol_saproto, 0, saxfs));
-
- if (pol->pol_ipproto)
- print_verbose(" proto %s", print_proto(pol->pol_ipproto));
-
- if (pol->pol_af) {
- if (pol->pol_af == AF_INET)
- print_verbose(" inet");
- else
- print_verbose(" inet6");
- }
-
- if (pol->pol_rdomain >= 0)
- print_verbose(" rdomain %d", pol->pol_rdomain);
-
- RB_FOREACH(flow, iked_flows, &pol->pol_flows) {
- print_verbose(" from %s",
- print_host((struct sockaddr *)&flow->flow_src.addr, NULL,
- 0));
- if (flow->flow_src.addr_af != AF_UNSPEC &&
- flow->flow_src.addr_net)
- print_verbose("/%d", flow->flow_src.addr_mask);
- if (flow->flow_src.addr_port)
- print_verbose(" port %d",
- ntohs(flow->flow_src.addr_port));
-
- print_verbose(" to %s",
- print_host((struct sockaddr *)&flow->flow_dst.addr, NULL,
- 0));
- if (flow->flow_dst.addr_af != AF_UNSPEC &&
- flow->flow_dst.addr_net)
- print_verbose("/%d", flow->flow_dst.addr_mask);
- if (flow->flow_dst.addr_port)
- print_verbose(" port %d",
- ntohs(flow->flow_dst.addr_port));
- }
-
- if ((pol->pol_flags & IKED_POLICY_DEFAULT) == 0) {
- print_verbose(" local %s",
- print_host((struct sockaddr *)&pol->pol_local.addr, NULL,
- 0));
- if (pol->pol_local.addr.ss_family != AF_UNSPEC &&
- pol->pol_local.addr_net)
- print_verbose("/%d", pol->pol_local.addr_mask);
-
- print_verbose(" peer %s",
- print_host((struct sockaddr *)&pol->pol_peer.addr, NULL,
- 0));
- if (pol->pol_peer.addr.ss_family != AF_UNSPEC &&
- pol->pol_peer.addr_net)
- print_verbose("/%d", pol->pol_peer.addr_mask);
- }
-
- TAILQ_FOREACH(pp, &pol->pol_proposals, prop_entry) {
- if (!pp->prop_nxforms)
- continue;
- if (pp->prop_protoid == IKEV2_SAPROTO_IKE)
- print_verbose(" ikesa");
- else
- print_verbose(" childsa");
-
- for (j = 0; ikev2_xformtype_map[j].cm_type != 0; j++) {
- xfs = NULL;
-
- for (i = 0; i < pp->prop_nxforms; i++) {
- xform = pp->prop_xforms + i;
-
- if (xform->xform_type !=
- ikev2_xformtype_map[j].cm_type)
- continue;
-
- switch (xform->xform_type) {
- case IKEV2_XFORMTYPE_INTEGR:
- print_verbose(" auth ");
- xfs = authxfs;
- break;
- case IKEV2_XFORMTYPE_ENCR:
- print_verbose(" enc ");
- if (pp->prop_protoid ==
- IKEV2_SAPROTO_IKE)
- xfs = ikeencxfs;
- else
- xfs = ipsecencxfs;
- break;
- case IKEV2_XFORMTYPE_PRF:
- print_verbose(" prf ");
- xfs = prfxfs;
- break;
- case IKEV2_XFORMTYPE_DH:
- print_verbose(" group ");
- xfs = groupxfs;
- break;
- case IKEV2_XFORMTYPE_ESN:
- print_verbose(" ");
- xfs = esnxfs;
- break;
- default:
- continue;
- }
-
- print_verbose("%s", print_xf(xform->xform_id,
- xform->xform_length / 8, xfs));
- }
- }
- }
-
- if (pol->pol_localid.id_length != 0)
- print_verbose(" srcid %s", pol->pol_localid.id_data);
- if (pol->pol_peerid.id_length != 0)
- print_verbose(" dstid %s", pol->pol_peerid.id_data);
-
- if (pol->pol_rekey)
- print_verbose(" ikelifetime %u", pol->pol_rekey);
-
- print_verbose(" lifetime %llu bytes %llu",
- pol->pol_lifetime.lt_seconds, pol->pol_lifetime.lt_bytes);
-
- switch (pol->pol_auth.auth_method) {
- case IKEV2_AUTH_NONE:
- print_verbose (" none");
- break;
- case IKEV2_AUTH_SHARED_KEY_MIC:
- print_verbose(" psk 0x");
- for (i = 0; i < pol->pol_auth.auth_length; i++)
- print_verbose("%02x", pol->pol_auth.auth_data[i]);
- break;
- default:
- if (pol->pol_auth.auth_eap)
- print_verbose(" eap \"%s\"",
- print_map(pol->pol_auth.auth_eap, eap_type_map));
- else
- print_verbose(" %s",
- print_xf(pol->pol_auth.auth_method, 0, methodxfs));
- }
-
- for (i = 0; i < pol->pol_ncfg; i++) {
- cfg = &pol->pol_cfg[i];
- print_verbose(" config %s %s", print_xf(cfg->cfg_type,
- cfg->cfg.address.addr_af, cpxfs),
- print_host((struct sockaddr *)&cfg->cfg.address.addr, NULL,
- 0));
- }
-
- if (pol->pol_tag[0] != '\0')
- print_verbose(" tag \"%s\"", pol->pol_tag);
-
- if (pol->pol_iface != 0 && if_indextoname(pol->pol_iface, iface) != NULL)
- print_verbose(" iface %s", iface);
-
- if (pol->pol_tap != 0)
- print_verbose(" tap \"enc%u\"", pol->pol_tap);
-
- print_verbose("\n");
-}
-
 void
 copy_transforms(unsigned int type, const struct ipsec_xf **xfs,
 unsigned int nxfs,
diff --git a/sbin/iked/print.c b/sbin/iked/print.c
new file mode 100644
index 00000000000..c9718117651
--- /dev/null
+++ b/sbin/iked/print.c
@@ -0,0 +1,244 @@
+/* $OpenBSD: print.c,v 1.1 2021/03/05 22:03:51 tobhe Exp $ */
+
+/*
+ * Copyright (c) 2019-2021 Tobias Heider
+ * Copyright (c) 2010-2013 Reyk Floeter
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+#include "iked.h"
+#include "ikev2.h"
+#include "eap.h"
+
+const char *
+print_xf(unsigned int id, unsigned int length, const struct ipsec_xf xfs[])
+{
+ int i;
+
+ for (i = 0; xfs[i].name != NULL; i++) {
+ if (xfs[i].id == id) {
+ if (length == 0 || length == xfs[i].length)
+ return (xfs[i].name);
+ }
+ }
+ return ("unknown");
+}
+
+void
+print_user(struct iked_user *usr)
+{
+ print_verbose("user \"%s\" \"%s\"\n", usr->usr_name, usr->usr_pass);
+}
+
+void
+print_policy(struct iked_policy *pol)
+{
+ struct iked_proposal *pp;
+ struct iked_transform *xform;
+ struct iked_flow *flow;
+ struct iked_cfg *cfg;
+ unsigned int i, j;
+ const struct ipsec_xf *xfs = NULL;
+ char iface[IF_NAMESIZE];
+
+ print_verbose("ikev2");
+
+ if (pol->pol_name[0] != '\0')
+ print_verbose(" \"%s\"", pol->pol_name);
+
+ if (pol->pol_flags & IKED_POLICY_DEFAULT)
+ print_verbose(" default");
+ else if (pol->pol_flags & IKED_POLICY_QUICK)
+ print_verbose(" quick");
+ else if (pol->pol_flags & IKED_POLICY_SKIP)
+ print_verbose(" skip");
+
+ if (pol->pol_flags & IKED_POLICY_ACTIVE)
+ print_verbose(" active");
+ else
+ print_verbose(" passive");
+
+ if (pol->pol_flags & IKED_POLICY_IPCOMP)
+ print_verbose(" ipcomp");
+
+ if (pol->pol_flags & IKED_POLICY_TRANSPORT)
+ print_verbose(" transport");
+ else
+ print_verbose(" tunnel");
+
+ print_verbose(" %s", print_xf(pol->pol_saproto, 0, saxfs));
+
+ if (pol->pol_ipproto)
+ print_verbose(" proto %s", print_proto(pol->pol_ipproto));
+
+ if (pol->pol_af) {
+ if (pol->pol_af == AF_INET)
+ print_verbose(" inet");
+ else
+ print_verbose(" inet6");
+ }
+
+ if (pol->pol_rdomain >= 0)
+ print_verbose(" rdomain %d", pol->pol_rdomain);
+
+ RB_FOREACH(flow, iked_flows, &pol->pol_flows) {
+ print_verbose(" from %s",
+ print_host((struct sockaddr *)&flow->flow_src.addr, NULL,
+ 0));
+ if (flow->flow_src.addr_af != AF_UNSPEC &&
+ flow->flow_src.addr_net)
+ print_verbose("/%d", flow->flow_src.addr_mask);
+ if (flow->flow_src.addr_port)
+ print_verbose(" port %d",
+ ntohs(flow->flow_src.addr_port));
+
+ print_verbose(" to %s",
+ print_host((struct sockaddr *)&flow->flow_dst.addr, NULL,
+ 0));
+ if (flow->flow_dst.addr_af != AF_UNSPEC &&
+ flow->flow_dst.addr_net)
+ print_verbose("/%d", flow->flow_dst.addr_mask);
+ if (flow->flow_dst.addr_port)
+ print_verbose(" port %d",
+ ntohs(flow->flow_dst.addr_port));
+ }
+
+ if ((pol->pol_flags & IKED_POLICY_DEFAULT) == 0) {
+ print_verbose(" local %s",
+ print_host((struct sockaddr *)&pol->pol_local.addr, NULL,
+ 0));
+ if (pol->pol_local.addr.ss_family != AF_UNSPEC &&
+ pol->pol_local.addr_net)
+ print_verbose("/%d", pol->pol_local.addr_mask);
+
+ print_verbose(" peer %s",
+ print_host((struct sockaddr *)&pol->pol_peer.addr, NULL,
+ 0));
+ if (pol->pol_peer.addr.ss_family != AF_UNSPEC &&
+ pol->pol_peer.addr_net)
+ print_verbose("/%d", pol->pol_peer.addr_mask);
+ }
+
+ TAILQ_FOREACH(pp, &pol->pol_proposals, prop_entry) {
+ if (!pp->prop_nxforms)
+ continue;
+ if (pp->prop_protoid == IKEV2_SAPROTO_IKE)
+ print_verbose(" ikesa");
+ else
+ print_verbose(" childsa");
+
+ for (j = 0; ikev2_xformtype_map[j].cm_type != 0; j++) {
+ xfs = NULL;
+
+ for (i = 0; i < pp->prop_nxforms; i++) {
+ xform = pp->prop_xforms + i;
+
+ if (xform->xform_type !=
+ ikev2_xformtype_map[j].cm_type)
+ continue;
+
+ switch (xform->xform_type) {
+ case IKEV2_XFORMTYPE_INTEGR:
+ print_verbose(" auth ");
+ xfs = authxfs;
+ break;
+ case IKEV2_XFORMTYPE_ENCR:
+ print_verbose(" enc ");
+ if (pp->prop_protoid ==
+ IKEV2_SAPROTO_IKE)
+ xfs = ikeencxfs;
+ else
+ xfs = ipsecencxfs;
+ break;
+ case IKEV2_XFORMTYPE_PRF:
+ print_verbose(" prf ");
+ xfs = prfxfs;
+ break;
+ case IKEV2_XFORMTYPE_DH:
+ print_verbose(" group ");
+ xfs = groupxfs;
+ break;
+ case IKEV2_XFORMTYPE_ESN:
+ print_verbose(" ");
+ xfs = esnxfs;
+ break;
+ default:
+ continue;
+ }
+
+ print_verbose("%s", print_xf(xform->xform_id,
+ xform->xform_length / 8, xfs));
+ }
+ }
+ }
+
+ if (pol->pol_localid.id_length != 0)
+ print_verbose(" srcid %s", pol->pol_localid.id_data);
+ if (pol->pol_peerid.id_length != 0)
+ print_verbose(" dstid %s", pol->pol_peerid.id_data);
+
+ if (pol->pol_rekey)
+ print_verbose(" ikelifetime %u", pol->pol_rekey);
+
+ print_verbose(" lifetime %llu bytes %llu",
+ pol->pol_lifetime.lt_seconds, pol->pol_lifetime.lt_bytes);
+
+ switch (pol->pol_auth.auth_method) {
+ case IKEV2_AUTH_NONE:
+ print_verbose (" none");
+ break;
+ case IKEV2_AUTH_SHARED_KEY_MIC:
+ print_verbose(" psk 0x");
+ for (i = 0; i < pol->pol_auth.auth_length; i++)
+ print_verbose("%02x", pol->pol_auth.auth_data[i]);
+ break;
+ default:
+ if (pol->pol_auth.auth_eap)
+ print_verbose(" eap \"%s\"",
+ print_map(pol->pol_auth.auth_eap, eap_type_map));
+ else
+ print_verbose(" %s",
+ print_xf(pol->pol_auth.auth_method, 0, methodxfs));
+ }
+
+ for (i = 0; i < pol->pol_ncfg; i++) {
+ cfg = &pol->pol_cfg[i];
+ print_verbose(" config %s %s", print_xf(cfg->cfg_type,
+ cfg->cfg.address.addr_af, cpxfs),
+ print_host((struct sockaddr *)&cfg->cfg.address.addr, NULL,
+ 0));
+ }
+
+ if (pol->pol_tag[0] != '\0')
+ print_verbose(" tag \"%s\"", pol->pol_tag);
+
+ if (pol->pol_iface != 0 && if_indextoname(pol->pol_iface, iface) != NULL)
+ print_verbose(" iface %s", iface);
+
+ if (pol->pol_tap != 0)
+ print_verbose(" tap \"enc%u\"", pol->pol_tap);
+
+ print_verbose("\n");
+}
-- 2.20.1
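Review bot: print_user emits `usr->usr_pass` and the IKEV2_AUTH_SHARED_KEY_MIC case of print_policy emits every byte of `pol_auth.auth_data`, so what this new file writes through print_verbose is a plaintext credential dump; now that the three functions have their own translation unit and public prototypes in iked.h, the file should say so up front, e.g. `/* Configuration dump helpers. Output includes user passwords and PSKs in the clear; presumably meant only for the operator's config listing, so do not route print_verbose from here into a shared log. */`. print_xf returns the literal string "unknown" on a lookup miss, which a caller cannot tell apart from a genuine table entry of that name; its header comment should state that sentinel together with the rule that a `length` argument of 0 matches any entry with the given id. The `int i` index in print_xf walks a NULL-terminated table while every count in print_policy is `unsigned int`, and `print_verbose (" none")` keeps a stray space before the parenthesis; both are carried over from parse.y and cheap to fix while the code is being moved.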