1 /* $OpenBSD: ike.c,v 1.84 2023/08/07 04:10:08 dlg Exp $ */
2 /*
3 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <sys/stat.h>
21 #include <sys/queue.h>
22 #include <netinet/in.h>
23 #include <netdb.h>
24 #include <arpa/inet.h>
25
26 #include <err.h>
27 #include <fcntl.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <unistd.h>
32 #include <limits.h>
33
34 #include "ipsecctl.h"
35
36 static void ike_section_general(struct ipsec_rule *, FILE *);
37 static void ike_section_peer(struct ipsec_rule *, FILE *);
38 static void ike_section_ids(struct ipsec_rule *, FILE *);
39 static void ike_section_ipsec(struct ipsec_rule *, FILE *);
40 static int ike_section_p1(struct ipsec_rule *, FILE *);
41 static int ike_section_p2(struct ipsec_rule *, FILE *);
42 static void ike_section_p2ids(struct ipsec_rule *, FILE *);
43 static int ike_connect(struct ipsec_rule *, FILE *);
44 static int ike_gen_config(struct ipsec_rule *, FILE *);
45 static int ike_delete_config(struct ipsec_rule *, FILE *);
46 static void ike_setup_ids(struct ipsec_rule *);
47
48 int ike_print_config(struct ipsec_rule *, int);
49 int ike_ipsec_establish(int, struct ipsec_rule *, const char *);
50
51 #define SET "C set "
52 #define ADD "C add "
53 #define DELETE "C rms "
54 #define RMV "C rmv "
55
56 #define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5
57 #define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30
58
59 char *ike_id_types[] = {
60 "", "", "IPV4_ADDR", "IPV6_ADDR", "FQDN", "USER_FQDN"
61 };
62
63 static void
ike_section_general(struct ipsec_rule * r,FILE * fd)64 ike_section_general(struct ipsec_rule *r, FILE *fd)
65 {
66 if (r->ikemode == IKE_DYNAMIC) {
67 fprintf(fd, SET "[General]:Check-interval=%d force\n",
68 CONF_DFLT_DYNAMIC_CHECK_INTERVAL);
69 fprintf(fd, SET "[General]:DPD-check-interval=%d force\n",
70 CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL);
71 }
72 }
73
74 static void
ike_section_peer(struct ipsec_rule * r,FILE * fd)75 ike_section_peer(struct ipsec_rule *r, FILE *fd)
76 {
77 if (r->peer)
78 fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name,
79 r->p1name);
80 else
81 fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name);
82 fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name);
83 if (r->peer)
84 fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name,
85 r->peer->name);
86 if (r->local)
87 fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name,
88 r->local->name);
89 if (r->ikeauth->type == IKE_AUTH_PSK)
90 fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name,
91 r->ikeauth->string);
92 }
93
94 static void
ike_section_ids(struct ipsec_rule * r,FILE * fd)95 ike_section_ids(struct ipsec_rule *r, FILE *fd)
96 {
97 char myname[HOST_NAME_MAX+1];
98
99 if (r->auth == NULL)
100 return;
101
102 if (r->ikemode == IKE_DYNAMIC && r->auth->srcid == NULL) {
103 if (gethostname(myname, sizeof(myname)) == -1)
104 err(1, "ike_section_ids: gethostname");
105 if ((r->auth->srcid = strdup(myname)) == NULL)
106 err(1, "ike_section_ids: strdup");
107 r->auth->srcid_type = ID_FQDN;
108 }
109 if (r->auth->srcid) {
110 fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name,
111 r->auth->srcid);
112 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid,
113 ike_id_types[r->auth->srcid_type]);
114 if (r->auth->srcid_type == ID_IPV4 ||
115 r->auth->srcid_type == ID_IPV6)
116 fprintf(fd, SET "[id-%s]:Address=%s force\n",
117 r->auth->srcid, r->auth->srcid);
118 else
119 fprintf(fd, SET "[id-%s]:Name=%s force\n",
120 r->auth->srcid, r->auth->srcid);
121 }
122 if (r->auth->dstid) {
123 fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name,
124 r->auth->dstid);
125 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid,
126 ike_id_types[r->auth->dstid_type]);
127 if (r->auth->dstid_type == ID_IPV4 ||
128 r->auth->dstid_type == ID_IPV6)
129 fprintf(fd, SET "[id-%s]:Address=%s force\n",
130 r->auth->dstid, r->auth->dstid);
131 else
132 fprintf(fd, SET "[id-%s]:Name=%s force\n",
133 r->auth->dstid, r->auth->dstid);
134 }
135 }
136
137 static void
ike_section_ipsec(struct ipsec_rule * r,FILE * fd)138 ike_section_ipsec(struct ipsec_rule *r, FILE *fd)
139 {
140 fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name);
141 fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", r->p2name, r->p1name);
142 fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name,
143 r->p2name);
144 fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid);
145 if (r->p2nid)
146 fprintf(fd, SET "[%s]:NAT-ID=%s force\n", r->p2name, r->p2nid);
147 fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid);
148
149 if (r->tag)
150 fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag);
151 if (r->flags & IPSEC_RULE_F_IFACE) {
152 fprintf(fd, SET "[%s]:Interface=%u force\n", r->p2name,
153 r->iface);
154 }
155 }
156
157 static int
ike_section_p2(struct ipsec_rule * r,FILE * fd)158 ike_section_p2(struct ipsec_rule *r, FILE *fd)
159 {
160 char *exchange_type, *key_length, *transform, *p;
161 char *enc_alg, *auth_alg, *group_desc, *encap;
162 int needauth = 1;
163 int num_print = 0;
164
165 switch (r->p2ie) {
166 case IKE_QM:
167 exchange_type = "QUICK_MODE";
168 break;
169 default:
170 warnx("illegal phase 2 ike mode %d", r->p2ie);
171 return (-1);
172 }
173
174 fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name,
175 exchange_type);
176 fprintf(fd, SET "[phase2-%s]:Suites=phase2-suite-%s force\n", r->p2name,
177 r->p2name);
178
179 fprintf(fd, SET "[phase2-suite-%s]:Protocols=phase2-protocol-%s "
180 "force\n", r->p2name, r->p2name);
181
182 fprintf(fd, SET "[phase2-protocol-%s]:PROTOCOL_ID=", r->p2name);
183
184 switch (r->satype) {
185 case IPSEC_ESP:
186 fprintf(fd, "IPSEC_ESP");
187 break;
188 case IPSEC_AH:
189 fprintf(fd, "IPSEC_AH");
190 break;
191 default:
192 warnx("illegal satype %d", r->satype);
193 return (-1);
194 }
195 fprintf(fd, " force\n");
196
197 key_length = NULL;
198 enc_alg = NULL;
199 if (r->p2xfs && r->p2xfs->encxf) {
200 if (r->satype == IPSEC_ESP) {
201 switch (r->p2xfs->encxf->id) {
202 case ENCXF_3DES_CBC:
203 enc_alg = "3DES";
204 break;
205 case ENCXF_AES:
206 enc_alg = "AES";
207 key_length = "128,128:256";
208 break;
209 case ENCXF_AES_128:
210 enc_alg = "AES";
211 key_length = "128,128:128";
212 break;
213 case ENCXF_AES_192:
214 enc_alg = "AES";
215 key_length = "192,192:192";
216 break;
217 case ENCXF_AES_256:
218 enc_alg = "AES";
219 key_length = "256,256:256";
220 break;
221 case ENCXF_AESCTR:
222 enc_alg = "AES_CTR";
223 key_length = "128,128:128";
224 break;
225 case ENCXF_AES_128_CTR:
226 enc_alg = "AES_CTR";
227 key_length = "128,128:128";
228 break;
229 case ENCXF_AES_192_CTR:
230 enc_alg = "AES_CTR";
231 key_length = "192,192:192";
232 break;
233 case ENCXF_AES_256_CTR:
234 enc_alg = "AES_CTR";
235 key_length = "256,256:256";
236 break;
237 case ENCXF_AES_128_GCM:
238 enc_alg = "AES_GCM_16";
239 key_length = "128,128:128";
240 needauth = 0;
241 break;
242 case ENCXF_AES_192_GCM:
243 enc_alg = "AES_GCM_16";
244 key_length = "192,192:192";
245 needauth = 0;
246 break;
247 case ENCXF_AES_256_GCM:
248 enc_alg = "AES_GCM_16";
249 key_length = "256,256:256";
250 needauth = 0;
251 break;
252 case ENCXF_AES_128_GMAC:
253 enc_alg = "AES_GMAC";
254 key_length = "128,128:128";
255 needauth = 0;
256 break;
257 case ENCXF_AES_192_GMAC:
258 enc_alg = "AES_GMAC";
259 key_length = "192,192:192";
260 needauth = 0;
261 break;
262 case ENCXF_AES_256_GMAC:
263 enc_alg = "AES_GMAC";
264 key_length = "256,256:256";
265 needauth = 0;
266 break;
267 case ENCXF_BLOWFISH:
268 enc_alg = "BLOWFISH";
269 key_length = "128,96:192";
270 break;
271 case ENCXF_CAST128:
272 enc_alg = "CAST";
273 break;
274 case ENCXF_NULL:
275 enc_alg = "NULL";
276 needauth = 0;
277 break;
278 default:
279 warnx("illegal transform %s",
280 r->p2xfs->encxf->name);
281 return (-1);
282 }
283 } else {
284 warnx("illegal transform %s", r->p2xfs->encxf->name);
285 return (-1);
286 }
287 } else if (r->satype == IPSEC_ESP) {
288 enc_alg = "AES";
289 key_length = "128,128:256";
290 }
291
292 switch (r->tmode) {
293 case IPSEC_TUNNEL:
294 encap = "TUNNEL";
295 break;
296 case IPSEC_TRANSPORT:
297 encap = "TRANSPORT";
298 break;
299 default:
300 warnx("illegal encapsulation mode %d", r->tmode);
301 return (-1);
302 }
303
304 auth_alg = NULL;
305 if (r->p2xfs && r->p2xfs->authxf) {
306 switch (r->p2xfs->authxf->id) {
307 case AUTHXF_HMAC_MD5:
308 auth_alg = "MD5";
309 break;
310 case AUTHXF_HMAC_SHA1:
311 auth_alg = "SHA";
312 break;
313 case AUTHXF_HMAC_RIPEMD160:
314 auth_alg = "RIPEMD";
315 break;
316 case AUTHXF_HMAC_SHA2_256:
317 auth_alg = "SHA2_256";
318 break;
319 case AUTHXF_HMAC_SHA2_384:
320 auth_alg = "SHA2_384";
321 break;
322 case AUTHXF_HMAC_SHA2_512:
323 auth_alg = "SHA2_512";
324 break;
325 default:
326 warnx("illegal transform %s", r->p2xfs->authxf->name);
327 return (-1);
328 }
329 } else if (needauth)
330 auth_alg = "SHA2_256";
331
332 group_desc = NULL;
333 if (r->p2xfs && r->p2xfs->groupxf) {
334 switch (r->p2xfs->groupxf->id) {
335 case GROUPXF_NONE:
336 break;
337 case GROUPXF_1:
338 group_desc = "MODP_768";
339 break;
340 case GROUPXF_2:
341 group_desc = "MODP_1024";
342 break;
343 case GROUPXF_5:
344 group_desc = "MODP_1536";
345 break;
346 case GROUPXF_14:
347 group_desc = "MODP_2048";
348 break;
349 case GROUPXF_15:
350 group_desc = "MODP_3072";
351 break;
352 case GROUPXF_16:
353 group_desc = "MODP_4096";
354 break;
355 case GROUPXF_17:
356 group_desc = "MODP_6144";
357 break;
358 case GROUPXF_18:
359 group_desc = "MODP_8192";
360 break;
361 case GROUPXF_19:
362 group_desc = "ECP_256";
363 break;
364 case GROUPXF_20:
365 group_desc = "ECP_384";
366 break;
367 case GROUPXF_21:
368 group_desc = "ECP_521";
369 break;
370 case GROUPXF_25:
371 group_desc = "ECP_192";
372 break;
373 case GROUPXF_26:
374 group_desc = "ECP_224";
375 break;
376 case GROUPXF_27:
377 group_desc = "BP_224";
378 break;
379 case GROUPXF_28:
380 group_desc = "BP_256";
381 break;
382 case GROUPXF_29:
383 group_desc = "BP_384";
384 break;
385 case GROUPXF_30:
386 group_desc = "BP_512";
387 break;
388 default:
389 warnx("illegal group %s", r->p2xfs->groupxf->name);
390 return (-1);
391 }
392 } else
393 group_desc = "MODP_3072";
394
395 /* the transform name must not include "," */
396 if (key_length && (p = strchr(key_length, ',')) != NULL)
397 num_print = p - key_length;
398 /*
399 * create a unique transform name, otherwise we cannot have
400 * multiple transforms per p2name.
401 */
402 if (asprintf(&transform, "phase2-transform-%s-%s%.*s-%s-%s-%s",
403 r->p2name,
404 enc_alg ? enc_alg : "NONE",
405 num_print, key_length ? key_length : "",
406 auth_alg ? auth_alg : "NONE",
407 group_desc ? group_desc : "NONE",
408 encap) == -1)
409 errx(1, "asprintf phase2-transform");
410
411 fprintf(fd, SET "[phase2-protocol-%s]:Transforms=%s force\n",
412 r->p2name, transform);
413
414 fprintf(fd, SET "[%s]:TRANSFORM_ID=%s force\n", transform,
415 r->satype == IPSEC_AH ? auth_alg : enc_alg);
416 if (key_length)
417 fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform,
418 key_length);
419 fprintf(fd, SET "[%s]:ENCAPSULATION_MODE=%s force\n", transform, encap);
420 if (auth_alg)
421 fprintf(fd, SET "[%s]:AUTHENTICATION_ALGORITHM=HMAC_%s force\n",
422 transform, auth_alg);
423 if (group_desc)
424 fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform,
425 group_desc);
426
427 if (r->p2life && r->p2life->lt_seconds != -1) {
428 fprintf(fd, SET "[%s]:Life=%s-life force\n",
429 transform, transform);
430 fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n",
431 transform);
432 fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n",
433 transform, r->p2life->lt_seconds);
434 } else
435 fprintf(fd, SET "[%s]:Life=LIFE_QUICK_MODE force\n",
436 transform);
437
438 free(transform);
439 return (0);
440 }
441
442 static int
ike_section_p1(struct ipsec_rule * r,FILE * fd)443 ike_section_p1(struct ipsec_rule *r, FILE *fd)
444 {
445 char *exchange_type, *key_length, *transform, *p;
446 char *enc_alg, *auth_alg, *group_desc, *auth_method;
447 int num_print = 0;
448
449 switch (r->p1ie) {
450 case IKE_MM:
451 exchange_type = "ID_PROT";
452 break;
453 case IKE_AM:
454 exchange_type = "AGGRESSIVE";
455 break;
456 default:
457 warnx("illegal phase 1 ike mode %d", r->p1ie);
458 return (-1);
459 }
460
461 fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name,
462 r->p1name);
463 fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name,
464 exchange_type);
465
466 key_length = NULL;
467 if (r->p1xfs && r->p1xfs->encxf) {
468 switch (r->p1xfs->encxf->id) {
469 case ENCXF_3DES_CBC:
470 enc_alg = "3DES";
471 break;
472 case ENCXF_AES:
473 enc_alg = "AES";
474 key_length = "128,128:256";
475 break;
476 case ENCXF_AES_128:
477 enc_alg = "AES";
478 key_length = "128,128:128";
479 break;
480 case ENCXF_AES_192:
481 enc_alg = "AES";
482 key_length = "192,192:192";
483 break;
484 case ENCXF_AES_256:
485 enc_alg = "AES";
486 key_length = "256,256:256";
487 break;
488 case ENCXF_BLOWFISH:
489 enc_alg = "BLOWFISH";
490 key_length = "128,96:192";
491 break;
492 case ENCXF_CAST128:
493 enc_alg = "CAST";
494 break;
495 default:
496 warnx("illegal transform %s", r->p1xfs->encxf->name);
497 return (-1);
498 }
499 } else {
500 enc_alg = "AES";
501 key_length = "128,128:256";
502 }
503
504 if (r->p1xfs && r->p1xfs->authxf) {
505 switch (r->p1xfs->authxf->id) {
506 case AUTHXF_HMAC_MD5:
507 auth_alg = "MD5";
508 break;
509 case AUTHXF_HMAC_SHA1:
510 auth_alg = "SHA";
511 break;
512 case AUTHXF_HMAC_SHA2_256:
513 auth_alg = "SHA2_256";
514 break;
515 case AUTHXF_HMAC_SHA2_384:
516 auth_alg = "SHA2_384";
517 break;
518 case AUTHXF_HMAC_SHA2_512:
519 auth_alg = "SHA2_512";
520 break;
521 default:
522 warnx("illegal transform %s", r->p1xfs->authxf->name);
523 return (-1);
524 }
525 } else
526 auth_alg = "SHA";
527
528 if (r->p1xfs && r->p1xfs->groupxf) {
529 switch (r->p1xfs->groupxf->id) {
530 case GROUPXF_1:
531 group_desc = "MODP_768";
532 break;
533 case GROUPXF_2:
534 group_desc = "MODP_1024";
535 break;
536 case GROUPXF_5:
537 group_desc = "MODP_1536";
538 break;
539 case GROUPXF_14:
540 group_desc = "MODP_2048";
541 break;
542 case GROUPXF_15:
543 group_desc = "MODP_3072";
544 break;
545 case GROUPXF_16:
546 group_desc = "MODP_4096";
547 break;
548 case GROUPXF_17:
549 group_desc = "MODP_6144";
550 break;
551 case GROUPXF_18:
552 group_desc = "MODP_8192";
553 break;
554 case GROUPXF_19:
555 group_desc = "ECP_256";
556 break;
557 case GROUPXF_20:
558 group_desc = "ECP_384";
559 break;
560 case GROUPXF_21:
561 group_desc = "ECP_521";
562 break;
563 case GROUPXF_25:
564 group_desc = "ECP_192";
565 break;
566 case GROUPXF_26:
567 group_desc = "ECP_224";
568 break;
569 case GROUPXF_27:
570 group_desc = "BP_224";
571 break;
572 case GROUPXF_28:
573 group_desc = "BP_256";
574 break;
575 case GROUPXF_29:
576 group_desc = "BP_384";
577 break;
578 case GROUPXF_30:
579 group_desc = "BP_512";
580 break;
581 default:
582 warnx("illegal group %s", r->p1xfs->groupxf->name);
583 return (-1);
584 }
585 } else
586 group_desc = "MODP_3072";
587
588 switch (r->ikeauth->type) {
589 case IKE_AUTH_PSK:
590 auth_method = "PRE_SHARED";
591 break;
592 case IKE_AUTH_RSA:
593 auth_method = "RSA_SIG";
594 break;
595 default:
596 warnx("illegal authentication method %u", r->ikeauth->type);
597 return (-1);
598 }
599
600 /* the transform name must not include "," */
601 if (key_length && (p = strchr(key_length, ',')) != NULL)
602 num_print = p - key_length;
603 /* create unique name for transform, see also ike_section_p2() */
604 if (asprintf(&transform, "phase1-transform-%s-%s-%s-%s%.*s-%s",
605 r->p1name, auth_method, auth_alg, enc_alg,
606 num_print, key_length ? key_length : "",
607 group_desc) == -1)
608 errx(1, "asprintf phase1-transform");
609
610 fprintf(fd, ADD "[phase1-%s]:Transforms=%s force\n", r->p1name,
611 transform);
612 fprintf(fd, SET "[%s]:AUTHENTICATION_METHOD=%s force\n", transform,
613 auth_method);
614 fprintf(fd, SET "[%s]:HASH_ALGORITHM=%s force\n", transform, auth_alg);
615 fprintf(fd, SET "[%s]:ENCRYPTION_ALGORITHM=%s_CBC force\n", transform,
616 enc_alg);
617 if (key_length)
618 fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform,
619 key_length);
620 fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform,
621 group_desc);
622
623 if (r->p1life && r->p1life->lt_seconds != -1) {
624 fprintf(fd, SET "[%s]:Life=%s-life force\n",
625 transform, transform);
626 fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n",
627 transform);
628 fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n",
629 transform, r->p1life->lt_seconds);
630 } else
631 fprintf(fd, SET "[%s]:Life=LIFE_MAIN_MODE force\n", transform);
632
633 free(transform);
634 return (0);
635 }
636
637 static void
ike_section_p2ids_net(struct ipsec_addr * iamask,sa_family_t af,char * name,char * p2xid,FILE * fd)638 ike_section_p2ids_net(struct ipsec_addr *iamask, sa_family_t af, char *name,
639 char *p2xid, FILE *fd)
640 {
641 char mask[NI_MAXHOST], *network, *p;
642 struct sockaddr_storage sas;
643 struct sockaddr *sa = (struct sockaddr *)&sas;
644
645 bzero(&sas, sizeof(struct sockaddr_storage));
646 bzero(mask, sizeof(mask));
647 sa->sa_family = af;
648 switch (af) {
649 case AF_INET:
650 sa->sa_len = sizeof(struct sockaddr_in);
651 bcopy(&iamask->ipa,
652 &((struct sockaddr_in *)(sa))->sin_addr,
653 sizeof(struct in_addr));
654 break;
655 case AF_INET6:
656 sa->sa_len = sizeof(struct sockaddr_in6);
657 bcopy(&iamask->ipa,
658 &((struct sockaddr_in6 *)(sa))->sin6_addr,
659 sizeof(struct in6_addr));
660 break;
661 }
662 if (getnameinfo(sa, sa->sa_len, mask, sizeof(mask), NULL, 0,
663 NI_NUMERICHOST))
664 errx(1, "could not get a numeric mask");
665
666 if ((network = strdup(name)) == NULL)
667 err(1, "ike_section_p2ids: strdup");
668 if ((p = strrchr(network, '/')) != NULL)
669 *p = '\0';
670
671 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n",
672 p2xid, ((af == AF_INET) ? 4 : 6));
673 fprintf(fd, SET "[%s]:Network=%s force\n", p2xid, network);
674 fprintf(fd, SET "[%s]:Netmask=%s force\n", p2xid, mask);
675
676 free(network);
677 }
678
679 static void
ike_section_p2ids(struct ipsec_rule * r,FILE * fd)680 ike_section_p2ids(struct ipsec_rule *r, FILE *fd)
681 {
682 char *p;
683 struct ipsec_addr_wrap *src = r->src;
684 struct ipsec_addr_wrap *dst = r->dst;
685
686 if (src->netaddress) {
687 ike_section_p2ids_net(&src->mask, src->af, src->name,
688 r->p2lid, fd);
689 } else {
690 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n",
691 r->p2lid, ((src->af == AF_INET) ? 4 : 6));
692 if ((p = strrchr(src->name, '/')) != NULL)
693 *p = '\0';
694 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid,
695 src->name);
696 }
697
698 if (src->srcnat && src->srcnat->netaddress) {
699 ike_section_p2ids_net(&src->srcnat->mask, src->af, src->srcnat->name,
700 r->p2nid, fd);
701 } else if (src->srcnat) {
702 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n",
703 r->p2nid, ((src->af == AF_INET) ? 4 : 6));
704 if ((p = strrchr(src->srcnat->name, '/')) != NULL)
705 *p = '\0';
706 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2nid,
707 src->srcnat->name);
708 }
709
710 if (dst->netaddress) {
711 ike_section_p2ids_net(&dst->mask, dst->af, dst->name,
712 r->p2rid, fd);
713 } else {
714 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n",
715 r->p2rid, ((dst->af == AF_INET) ? 4 : 6));
716 if ((p = strrchr(dst->name, '/')) != NULL)
717 *p = '\0';
718 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid,
719 dst->name);
720 }
721 if (r->proto) {
722 fprintf(fd, SET "[%s]:Protocol=%d force\n",
723 r->p2lid, r->proto);
724 fprintf(fd, SET "[%s]:Protocol=%d force\n",
725 r->p2rid, r->proto);
726 }
727 if (r->sport)
728 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid,
729 ntohs(r->sport));
730 if (r->dport)
731 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid,
732 ntohs(r->dport));
733 }
734
735 static int
ike_connect(struct ipsec_rule * r,FILE * fd)736 ike_connect(struct ipsec_rule *r, FILE *fd)
737 {
738 switch (r->ikemode) {
739 case IKE_ACTIVE:
740 case IKE_DYNAMIC:
741 fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name);
742 break;
743 case IKE_PASSIVE:
744 fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n",
745 r->p2name);
746 break;
747 default:
748 return (-1);
749 }
750 return (0);
751 }
752
753 static int
ike_gen_config(struct ipsec_rule * r,FILE * fd)754 ike_gen_config(struct ipsec_rule *r, FILE *fd)
755 {
756 ike_setup_ids(r);
757 ike_section_general(r, fd);
758 ike_section_peer(r, fd);
759 if (ike_section_p1(r, fd) == -1) {
760 return (-1);
761 }
762 ike_section_ids(r, fd);
763 ike_section_ipsec(r, fd);
764 if (ike_section_p2(r, fd) == -1) {
765 return (-1);
766 }
767 ike_section_p2ids(r, fd);
768
769 if (ike_connect(r, fd) == -1)
770 return (-1);
771 return (0);
772 }
773
774 static int
ike_delete_config(struct ipsec_rule * r,FILE * fd)775 ike_delete_config(struct ipsec_rule *r, FILE *fd)
776 {
777 ike_setup_ids(r);
778 #if 0
779 switch (r->ikemode) {
780 case IKE_ACTIVE:
781 case IKE_DYNAMIC:
782 fprintf(fd, "t %s\n", r->p2name);
783 break;
784 case IKE_PASSIVE:
785 fprintf(fd, DELETE "[Phase 2]\n");
786 fprintf(fd, "t %s\n", r->p2name);
787 break;
788 default:
789 return (-1);
790 }
791
792 if (r->peer) {
793 fprintf(fd, DELETE "[%s]\n", r->p1name);
794 fprintf(fd, DELETE "[phase1-%s]\n", r->p1name);
795 }
796 if (r->auth) {
797 if (r->auth->srcid)
798 fprintf(fd, DELETE "[%s-ID]\n", r->auth->srcid);
799 if (r->auth->dstid)
800 fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid);
801 }
802 fprintf(fd, DELETE "[%s]\n", r->p2name);
803 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name);
804 fprintf(fd, DELETE "[%s]\n", r->p2lid);
805 fprintf(fd, DELETE "[%s]\n", r->p2rid);
806 #else
807 fprintf(fd, "t %s\n", r->p2name);
808 switch (r->ikemode) {
809 case IKE_ACTIVE:
810 case IKE_DYNAMIC:
811 fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name);
812 break;
813 case IKE_PASSIVE:
814 fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n",
815 r->p2name);
816 break;
817 default:
818 return (-1);
819 }
820 fprintf(fd, DELETE "[%s]\n", r->p2name);
821 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name);
822 #endif
823
824 return (0);
825 }
826
827 static void
ike_setup_ids(struct ipsec_rule * r)828 ike_setup_ids(struct ipsec_rule *r)
829 {
830 char sproto[10], ssport[10], sdport[10];
831
832 /* phase 1 name is peer and local address */
833 if (r->peer) {
834 if (r->local) {
835 /* peer-dstaddr-local-srcaddr */
836 if (asprintf(&r->p1name, "peer-%s-local-%s",
837 r->peer->name, r->local->name) == -1)
838 err(1, "ike_setup_ids");
839 } else
840 /* peer-dstaddr */
841 if (asprintf(&r->p1name, "peer-%s",
842 r->peer->name) == -1)
843 err(1, "ike_setup_ids");
844 } else
845 if ((r->p1name = strdup("peer-default")) == NULL)
846 err(1, "ike_setup_ids");
847
848 /* Phase 2 name is from and to network, protocol, port*/
849 if (r->flags & IPSEC_RULE_F_IFACE) {
850 if (asprintf(&r->p2lid, "from-sec%u", r->iface) == -1)
851 err(1, "ike_setup_ids");
852 if (asprintf(&r->p2rid, "to-sec%u", r->iface) == -1)
853 err(1, "ike_setup_ids");
854 } else {
855 sproto[0] = ssport[0] = sdport[0] = 0;
856 if (r->proto)
857 snprintf(sproto, sizeof sproto, "=%u", r->proto);
858 if (r->sport)
859 snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport));
860 if (r->dport)
861 snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport));
862
863 /* from-network/masklen=proto:port */
864 if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name,
865 sproto, ssport) == -1)
866 err(1, "ike_setup_ids");
867 /* to-network/masklen=proto:port */
868 if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name,
869 sproto, sdport) == -1)
870 err(1, "ike_setup_ids");
871 }
872
873 /* from-network/masklen=proto:port-to-network/masklen=proto:port */
874 if (asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1)
875 err(1, "ike_setup_ids");
876 /* nat-network/masklen=proto:port */
877 if (r->src->srcnat && r->src->srcnat->name) {
878 if (asprintf(&r->p2nid, "nat-%s%s%s", r->src->srcnat->name, sproto,
879 ssport) == -1)
880 err(1, "ike_setup_ids");
881 }
882 }
883
884 int
ike_print_config(struct ipsec_rule * r,int opts)885 ike_print_config(struct ipsec_rule *r, int opts)
886 {
887 if (opts & IPSECCTL_OPT_DELETE)
888 return (ike_delete_config(r, stdout));
889 else
890 return (ike_gen_config(r, stdout));
891 }
892
893 int
ike_ipsec_establish(int action,struct ipsec_rule * r,const char * fifo)894 ike_ipsec_establish(int action, struct ipsec_rule *r, const char *fifo)
895 {
896 struct stat sb;
897 FILE *fdp;
898 int fd, ret = 0;
899
900 if ((fd = open(fifo, O_WRONLY)) == -1)
901 err(1, "ike_ipsec_establish: open(%s)", fifo);
902 if (fstat(fd, &sb) == -1)
903 err(1, "ike_ipsec_establish: fstat(%s)", fifo);
904 if (!S_ISFIFO(sb.st_mode))
905 errx(1, "ike_ipsec_establish: %s not a fifo", fifo);
906 if ((fdp = fdopen(fd, "w")) == NULL)
907 err(1, "ike_ipsec_establish: fdopen(%s)", fifo);
908
909 switch (action) {
910 case ACTION_ADD:
911 ret = ike_gen_config(r, fdp);
912 break;
913 case ACTION_DELETE:
914 ret = ike_delete_config(r, fdp);
915 break;
916 default:
917 ret = -1;
918 }
919
920 fclose(fdp);
921 return (ret);
922 }
923