1 /* $OpenBSD: ike.c,v 1.82 2017/10/27 08:29:32 mpi Exp $ */ 2 /* 3 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/types.h> 19 #include <sys/socket.h> 20 #include <sys/stat.h> 21 #include <sys/queue.h> 22 #include <netinet/in.h> 23 #include <netdb.h> 24 #include <arpa/inet.h> 25 26 #include <err.h> 27 #include <fcntl.h> 28 #include <stdio.h> 29 #include <stdlib.h> 30 #include <string.h> 31 #include <unistd.h> 32 #include <limits.h> 33 34 #include "ipsecctl.h" 35 36 static void ike_section_general(struct ipsec_rule *, FILE *); 37 static void ike_section_peer(struct ipsec_rule *, FILE *); 38 static void ike_section_ids(struct ipsec_rule *, FILE *); 39 static void ike_section_ipsec(struct ipsec_rule *, FILE *); 40 static int ike_section_p1(struct ipsec_rule *, FILE *); 41 static int ike_section_p2(struct ipsec_rule *, FILE *); 42 static void ike_section_p2ids(struct ipsec_rule *, FILE *); 43 static int ike_connect(struct ipsec_rule *, FILE *); 44 static int ike_gen_config(struct ipsec_rule *, FILE *); 45 static int ike_delete_config(struct ipsec_rule *, FILE *); 46 static void ike_setup_ids(struct ipsec_rule *); 47 48 int ike_print_config(struct ipsec_rule *, int); 49 int ike_ipsec_establish(int, struct ipsec_rule *, const char *); 50 51 #define SET "C set " 52 #define ADD "C add " 53 #define DELETE "C rms " 54 #define RMV "C rmv " 55 56 #define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 57 #define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 58 59 char *ike_id_types[] = { 60 "", "", "IPV4_ADDR", "IPV6_ADDR", "FQDN", "USER_FQDN" 61 }; 62 63 static void 64 ike_section_general(struct ipsec_rule *r, FILE *fd) 65 { 66 if (r->ikemode == IKE_DYNAMIC) { 67 fprintf(fd, SET "[General]:Check-interval=%d force\n", 68 CONF_DFLT_DYNAMIC_CHECK_INTERVAL); 69 fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", 70 CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); 71 } 72 } 73 74 static void 75 ike_section_peer(struct ipsec_rule *r, FILE *fd) 76 { 77 if (r->peer) 78 fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name, 79 r->p1name); 80 else 81 fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name); 82 fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name); 83 if (r->peer) 84 fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name, 85 r->peer->name); 86 if (r->local) 87 fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name, 88 r->local->name); 89 if (r->ikeauth->type == IKE_AUTH_PSK) 90 fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name, 91 r->ikeauth->string); 92 } 93 94 static void 95 ike_section_ids(struct ipsec_rule *r, FILE *fd) 96 { 97 char myname[HOST_NAME_MAX+1]; 98 99 if (r->auth == NULL) 100 return; 101 102 if (r->ikemode == IKE_DYNAMIC && r->auth->srcid == NULL) { 103 if (gethostname(myname, sizeof(myname)) == -1) 104 err(1, "ike_section_ids: gethostname"); 105 if ((r->auth->srcid = strdup(myname)) == NULL) 106 err(1, "ike_section_ids: strdup"); 107 r->auth->srcid_type = ID_FQDN; 108 } 109 if (r->auth->srcid) { 110 fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name, 111 r->auth->srcid); 112 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid, 113 ike_id_types[r->auth->srcid_type]); 114 if (r->auth->srcid_type == ID_IPV4 || 115 r->auth->srcid_type == ID_IPV6) 116 fprintf(fd, SET "[id-%s]:Address=%s force\n", 117 r->auth->srcid, r->auth->srcid); 118 else 119 fprintf(fd, SET "[id-%s]:Name=%s force\n", 120 r->auth->srcid, r->auth->srcid); 121 } 122 if (r->auth->dstid) { 123 fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name, 124 r->auth->dstid); 125 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid, 126 ike_id_types[r->auth->dstid_type]); 127 if (r->auth->dstid_type == ID_IPV4 || 128 r->auth->dstid_type == ID_IPV6) 129 fprintf(fd, SET "[id-%s]:Address=%s force\n", 130 r->auth->dstid, r->auth->dstid); 131 else 132 fprintf(fd, SET "[id-%s]:Name=%s force\n", 133 r->auth->dstid, r->auth->dstid); 134 } 135 } 136 137 static void 138 ike_section_ipsec(struct ipsec_rule *r, FILE *fd) 139 { 140 fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name); 141 fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", r->p2name, r->p1name); 142 fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name, 143 r->p2name); 144 fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid); 145 if (r->p2nid) 146 fprintf(fd, SET "[%s]:NAT-ID=%s force\n", r->p2name, r->p2nid); 147 fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid); 148 149 if (r->tag) 150 fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); 151 } 152 153 static int 154 ike_section_p2(struct ipsec_rule *r, FILE *fd) 155 { 156 char *exchange_type, *key_length, *transform, *p; 157 char *enc_alg, *auth_alg, *group_desc, *encap; 158 int needauth = 1; 159 int num_print = 0; 160 161 switch (r->p2ie) { 162 case IKE_QM: 163 exchange_type = "QUICK_MODE"; 164 break; 165 default: 166 warnx("illegal phase 2 ike mode %d", r->p2ie); 167 return (-1); 168 } 169 170 fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name, 171 exchange_type); 172 fprintf(fd, SET "[phase2-%s]:Suites=phase2-suite-%s force\n", r->p2name, 173 r->p2name); 174 175 fprintf(fd, SET "[phase2-suite-%s]:Protocols=phase2-protocol-%s " 176 "force\n", r->p2name, r->p2name); 177 178 fprintf(fd, SET "[phase2-protocol-%s]:PROTOCOL_ID=", r->p2name); 179 180 switch (r->satype) { 181 case IPSEC_ESP: 182 fprintf(fd, "IPSEC_ESP"); 183 break; 184 case IPSEC_AH: 185 fprintf(fd, "IPSEC_AH"); 186 break; 187 default: 188 warnx("illegal satype %d", r->satype); 189 return (-1); 190 } 191 fprintf(fd, " force\n"); 192 193 key_length = NULL; 194 enc_alg = NULL; 195 if (r->p2xfs && r->p2xfs->encxf) { 196 if (r->satype == IPSEC_ESP) { 197 switch (r->p2xfs->encxf->id) { 198 case ENCXF_3DES_CBC: 199 enc_alg = "3DES"; 200 break; 201 case ENCXF_AES: 202 enc_alg = "AES"; 203 key_length = "128,128:256"; 204 break; 205 case ENCXF_AES_128: 206 enc_alg = "AES"; 207 key_length = "128,128:128"; 208 break; 209 case ENCXF_AES_192: 210 enc_alg = "AES"; 211 key_length = "192,192:192"; 212 break; 213 case ENCXF_AES_256: 214 enc_alg = "AES"; 215 key_length = "256,256:256"; 216 break; 217 case ENCXF_AESCTR: 218 enc_alg = "AES_CTR"; 219 key_length = "128,128:128"; 220 break; 221 case ENCXF_AES_128_CTR: 222 enc_alg = "AES_CTR"; 223 key_length = "128,128:128"; 224 break; 225 case ENCXF_AES_192_CTR: 226 enc_alg = "AES_CTR"; 227 key_length = "192,192:192"; 228 break; 229 case ENCXF_AES_256_CTR: 230 enc_alg = "AES_CTR"; 231 key_length = "256,256:256"; 232 break; 233 case ENCXF_AES_128_GCM: 234 enc_alg = "AES_GCM_16"; 235 key_length = "128,128:128"; 236 needauth = 0; 237 break; 238 case ENCXF_AES_192_GCM: 239 enc_alg = "AES_GCM_16"; 240 key_length = "192,192:192"; 241 needauth = 0; 242 break; 243 case ENCXF_AES_256_GCM: 244 enc_alg = "AES_GCM_16"; 245 key_length = "256,256:256"; 246 needauth = 0; 247 break; 248 case ENCXF_AES_128_GMAC: 249 enc_alg = "AES_GMAC"; 250 key_length = "128,128:128"; 251 needauth = 0; 252 break; 253 case ENCXF_AES_192_GMAC: 254 enc_alg = "AES_GMAC"; 255 key_length = "192,192:192"; 256 needauth = 0; 257 break; 258 case ENCXF_AES_256_GMAC: 259 enc_alg = "AES_GMAC"; 260 key_length = "256,256:256"; 261 needauth = 0; 262 break; 263 case ENCXF_BLOWFISH: 264 enc_alg = "BLOWFISH"; 265 key_length = "128,96:192"; 266 break; 267 case ENCXF_CAST128: 268 enc_alg = "CAST"; 269 break; 270 case ENCXF_NULL: 271 enc_alg = "NULL"; 272 needauth = 0; 273 break; 274 default: 275 warnx("illegal transform %s", 276 r->p2xfs->encxf->name); 277 return (-1); 278 } 279 } else { 280 warnx("illegal transform %s", r->p2xfs->encxf->name); 281 return (-1); 282 } 283 } else if (r->satype == IPSEC_ESP) { 284 enc_alg = "AES"; 285 key_length = "128,128:256"; 286 } 287 288 switch (r->tmode) { 289 case IPSEC_TUNNEL: 290 encap = "TUNNEL"; 291 break; 292 case IPSEC_TRANSPORT: 293 encap = "TRANSPORT"; 294 break; 295 default: 296 warnx("illegal encapsulation mode %d", r->tmode); 297 return (-1); 298 } 299 300 auth_alg = NULL; 301 if (r->p2xfs && r->p2xfs->authxf) { 302 switch (r->p2xfs->authxf->id) { 303 case AUTHXF_HMAC_MD5: 304 auth_alg = "MD5"; 305 break; 306 case AUTHXF_HMAC_SHA1: 307 auth_alg = "SHA"; 308 break; 309 case AUTHXF_HMAC_RIPEMD160: 310 auth_alg = "RIPEMD"; 311 break; 312 case AUTHXF_HMAC_SHA2_256: 313 auth_alg = "SHA2_256"; 314 break; 315 case AUTHXF_HMAC_SHA2_384: 316 auth_alg = "SHA2_384"; 317 break; 318 case AUTHXF_HMAC_SHA2_512: 319 auth_alg = "SHA2_512"; 320 break; 321 default: 322 warnx("illegal transform %s", r->p2xfs->authxf->name); 323 return (-1); 324 } 325 } else if (needauth) 326 auth_alg = "SHA2_256"; 327 328 group_desc = NULL; 329 if (r->p2xfs && r->p2xfs->groupxf) { 330 switch (r->p2xfs->groupxf->id) { 331 case GROUPXF_NONE: 332 break; 333 case GROUPXF_1: 334 group_desc = "MODP_768"; 335 break; 336 case GROUPXF_2: 337 group_desc = "MODP_1024"; 338 break; 339 case GROUPXF_5: 340 group_desc = "MODP_1536"; 341 break; 342 case GROUPXF_14: 343 group_desc = "MODP_2048"; 344 break; 345 case GROUPXF_15: 346 group_desc = "MODP_3072"; 347 break; 348 case GROUPXF_16: 349 group_desc = "MODP_4096"; 350 break; 351 case GROUPXF_17: 352 group_desc = "MODP_6144"; 353 break; 354 case GROUPXF_18: 355 group_desc = "MODP_8192"; 356 break; 357 case GROUPXF_19: 358 group_desc = "ECP_256"; 359 break; 360 case GROUPXF_20: 361 group_desc = "ECP_384"; 362 break; 363 case GROUPXF_21: 364 group_desc = "ECP_521"; 365 break; 366 case GROUPXF_25: 367 group_desc = "ECP_192"; 368 break; 369 case GROUPXF_26: 370 group_desc = "ECP_224"; 371 break; 372 case GROUPXF_27: 373 group_desc = "BP_224"; 374 break; 375 case GROUPXF_28: 376 group_desc = "BP_256"; 377 break; 378 case GROUPXF_29: 379 group_desc = "BP_384"; 380 break; 381 case GROUPXF_30: 382 group_desc = "BP_512"; 383 break; 384 default: 385 warnx("illegal group %s", r->p2xfs->groupxf->name); 386 return (-1); 387 } 388 } else 389 group_desc = "MODP_3072"; 390 391 /* the transform name must not include "," */ 392 if (key_length && (p = strchr(key_length, ',')) != NULL) 393 num_print = p - key_length; 394 /* 395 * create a unique transform name, otherwise we cannot have 396 * multiple transforms per p2name. 397 */ 398 if (asprintf(&transform, "phase2-transform-%s-%s%.*s-%s-%s-%s", 399 r->p2name, 400 enc_alg ? enc_alg : "NONE", 401 num_print, key_length ? key_length : "", 402 auth_alg ? auth_alg : "NONE", 403 group_desc ? group_desc : "NONE", 404 encap) == -1) 405 errx(1, "asprintf phase2-transform"); 406 407 fprintf(fd, SET "[phase2-protocol-%s]:Transforms=%s force\n", 408 r->p2name, transform); 409 410 fprintf(fd, SET "[%s]:TRANSFORM_ID=%s force\n", transform, 411 r->satype == IPSEC_AH ? auth_alg : enc_alg); 412 if (key_length) 413 fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, 414 key_length); 415 fprintf(fd, SET "[%s]:ENCAPSULATION_MODE=%s force\n", transform, encap); 416 if (auth_alg) 417 fprintf(fd, SET "[%s]:AUTHENTICATION_ALGORITHM=HMAC_%s force\n", 418 transform, auth_alg); 419 if (group_desc) 420 fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, 421 group_desc); 422 423 if (r->p2life && r->p2life->lt_seconds != -1) { 424 fprintf(fd, SET "[%s]:Life=%s-life force\n", 425 transform, transform); 426 fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", 427 transform); 428 fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", 429 transform, r->p2life->lt_seconds); 430 } else 431 fprintf(fd, SET "[%s]:Life=LIFE_QUICK_MODE force\n", 432 transform); 433 434 free(transform); 435 return (0); 436 } 437 438 static int 439 ike_section_p1(struct ipsec_rule *r, FILE *fd) 440 { 441 char *exchange_type, *key_length, *transform, *p; 442 char *enc_alg, *auth_alg, *group_desc, *auth_method; 443 int num_print = 0; 444 445 switch (r->p1ie) { 446 case IKE_MM: 447 exchange_type = "ID_PROT"; 448 break; 449 case IKE_AM: 450 exchange_type = "AGGRESSIVE"; 451 break; 452 default: 453 warnx("illegal phase 1 ike mode %d", r->p1ie); 454 return (-1); 455 } 456 457 fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name, 458 r->p1name); 459 fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name, 460 exchange_type); 461 462 key_length = NULL; 463 if (r->p1xfs && r->p1xfs->encxf) { 464 switch (r->p1xfs->encxf->id) { 465 case ENCXF_3DES_CBC: 466 enc_alg = "3DES"; 467 break; 468 case ENCXF_AES: 469 enc_alg = "AES"; 470 key_length = "128,128:256"; 471 break; 472 case ENCXF_AES_128: 473 enc_alg = "AES"; 474 key_length = "128,128:128"; 475 break; 476 case ENCXF_AES_192: 477 enc_alg = "AES"; 478 key_length = "192,192:192"; 479 break; 480 case ENCXF_AES_256: 481 enc_alg = "AES"; 482 key_length = "256,256:256"; 483 break; 484 case ENCXF_BLOWFISH: 485 enc_alg = "BLOWFISH"; 486 key_length = "128,96:192"; 487 break; 488 case ENCXF_CAST128: 489 enc_alg = "CAST"; 490 break; 491 default: 492 warnx("illegal transform %s", r->p1xfs->encxf->name); 493 return (-1); 494 } 495 } else { 496 enc_alg = "AES"; 497 key_length = "128,128:256"; 498 } 499 500 if (r->p1xfs && r->p1xfs->authxf) { 501 switch (r->p1xfs->authxf->id) { 502 case AUTHXF_HMAC_MD5: 503 auth_alg = "MD5"; 504 break; 505 case AUTHXF_HMAC_SHA1: 506 auth_alg = "SHA"; 507 break; 508 case AUTHXF_HMAC_SHA2_256: 509 auth_alg = "SHA2_256"; 510 break; 511 case AUTHXF_HMAC_SHA2_384: 512 auth_alg = "SHA2_384"; 513 break; 514 case AUTHXF_HMAC_SHA2_512: 515 auth_alg = "SHA2_512"; 516 break; 517 default: 518 warnx("illegal transform %s", r->p1xfs->authxf->name); 519 return (-1); 520 } 521 } else 522 auth_alg = "SHA"; 523 524 if (r->p1xfs && r->p1xfs->groupxf) { 525 switch (r->p1xfs->groupxf->id) { 526 case GROUPXF_1: 527 group_desc = "MODP_768"; 528 break; 529 case GROUPXF_2: 530 group_desc = "MODP_1024"; 531 break; 532 case GROUPXF_5: 533 group_desc = "MODP_1536"; 534 break; 535 case GROUPXF_14: 536 group_desc = "MODP_2048"; 537 break; 538 case GROUPXF_15: 539 group_desc = "MODP_3072"; 540 break; 541 case GROUPXF_16: 542 group_desc = "MODP_4096"; 543 break; 544 case GROUPXF_17: 545 group_desc = "MODP_6144"; 546 break; 547 case GROUPXF_18: 548 group_desc = "MODP_8192"; 549 break; 550 case GROUPXF_19: 551 group_desc = "ECP_256"; 552 break; 553 case GROUPXF_20: 554 group_desc = "ECP_384"; 555 break; 556 case GROUPXF_21: 557 group_desc = "ECP_521"; 558 break; 559 case GROUPXF_25: 560 group_desc = "ECP_192"; 561 break; 562 case GROUPXF_26: 563 group_desc = "ECP_224"; 564 break; 565 case GROUPXF_27: 566 group_desc = "BP_224"; 567 break; 568 case GROUPXF_28: 569 group_desc = "BP_256"; 570 break; 571 case GROUPXF_29: 572 group_desc = "BP_384"; 573 break; 574 case GROUPXF_30: 575 group_desc = "BP_512"; 576 break; 577 default: 578 warnx("illegal group %s", r->p1xfs->groupxf->name); 579 return (-1); 580 } 581 } else 582 group_desc = "MODP_3072"; 583 584 switch (r->ikeauth->type) { 585 case IKE_AUTH_PSK: 586 auth_method = "PRE_SHARED"; 587 break; 588 case IKE_AUTH_RSA: 589 auth_method = "RSA_SIG"; 590 break; 591 default: 592 warnx("illegal authentication method %u", r->ikeauth->type); 593 return (-1); 594 } 595 596 /* the transform name must not include "," */ 597 if (key_length && (p = strchr(key_length, ',')) != NULL) 598 num_print = p - key_length; 599 /* create unique name for transform, see also ike_section_p2() */ 600 if (asprintf(&transform, "phase1-transform-%s-%s-%s-%s%.*s-%s", 601 r->p1name, auth_method, auth_alg, enc_alg, 602 num_print, key_length ? key_length : "", 603 group_desc) == -1) 604 errx(1, "asprintf phase1-transform"); 605 606 fprintf(fd, ADD "[phase1-%s]:Transforms=%s force\n", r->p1name, 607 transform); 608 fprintf(fd, SET "[%s]:AUTHENTICATION_METHOD=%s force\n", transform, 609 auth_method); 610 fprintf(fd, SET "[%s]:HASH_ALGORITHM=%s force\n", transform, auth_alg); 611 fprintf(fd, SET "[%s]:ENCRYPTION_ALGORITHM=%s_CBC force\n", transform, 612 enc_alg); 613 if (key_length) 614 fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, 615 key_length); 616 fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, 617 group_desc); 618 619 if (r->p1life && r->p1life->lt_seconds != -1) { 620 fprintf(fd, SET "[%s]:Life=%s-life force\n", 621 transform, transform); 622 fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", 623 transform); 624 fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", 625 transform, r->p1life->lt_seconds); 626 } else 627 fprintf(fd, SET "[%s]:Life=LIFE_MAIN_MODE force\n", transform); 628 629 free(transform); 630 return (0); 631 } 632 633 static void 634 ike_section_p2ids_net(struct ipsec_addr *iamask, sa_family_t af, char *name, 635 char *p2xid, FILE *fd) 636 { 637 char mask[NI_MAXHOST], *network, *p; 638 struct sockaddr_storage sas; 639 struct sockaddr *sa = (struct sockaddr *)&sas; 640 641 bzero(&sas, sizeof(struct sockaddr_storage)); 642 bzero(mask, sizeof(mask)); 643 sa->sa_family = af; 644 switch (af) { 645 case AF_INET: 646 sa->sa_len = sizeof(struct sockaddr_in); 647 bcopy(&iamask->ipa, 648 &((struct sockaddr_in *)(sa))->sin_addr, 649 sizeof(struct in6_addr)); 650 break; 651 case AF_INET6: 652 sa->sa_len = sizeof(struct sockaddr_in6); 653 bcopy(&iamask->ipa, 654 &((struct sockaddr_in6 *)(sa))->sin6_addr, 655 sizeof(struct in6_addr)); 656 break; 657 } 658 if (getnameinfo(sa, sa->sa_len, mask, sizeof(mask), NULL, 0, 659 NI_NUMERICHOST)) 660 errx(1, "could not get a numeric mask"); 661 662 if ((network = strdup(name)) == NULL) 663 err(1, "ike_section_p2ids: strdup"); 664 if ((p = strrchr(network, '/')) != NULL) 665 *p = '\0'; 666 667 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", 668 p2xid, ((af == AF_INET) ? 4 : 6)); 669 fprintf(fd, SET "[%s]:Network=%s force\n", p2xid, network); 670 fprintf(fd, SET "[%s]:Netmask=%s force\n", p2xid, mask); 671 672 free(network); 673 } 674 675 static void 676 ike_section_p2ids(struct ipsec_rule *r, FILE *fd) 677 { 678 char *p; 679 struct ipsec_addr_wrap *src = r->src; 680 struct ipsec_addr_wrap *dst = r->dst; 681 682 if (src->netaddress) { 683 ike_section_p2ids_net(&src->mask, src->af, src->name, 684 r->p2lid, fd); 685 } else { 686 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 687 r->p2lid, ((src->af == AF_INET) ? 4 : 6)); 688 if ((p = strrchr(src->name, '/')) != NULL) 689 *p = '\0'; 690 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid, 691 src->name); 692 } 693 694 if (src->srcnat && src->srcnat->netaddress) { 695 ike_section_p2ids_net(&src->srcnat->mask, src->af, src->srcnat->name, 696 r->p2nid, fd); 697 } else if (src->srcnat) { 698 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 699 r->p2nid, ((src->af == AF_INET) ? 4 : 6)); 700 if ((p = strrchr(src->srcnat->name, '/')) != NULL) 701 *p = '\0'; 702 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2nid, 703 src->srcnat->name); 704 } 705 706 if (dst->netaddress) { 707 ike_section_p2ids_net(&dst->mask, dst->af, dst->name, 708 r->p2rid, fd); 709 } else { 710 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 711 r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); 712 if ((p = strrchr(dst->name, '/')) != NULL) 713 *p = '\0'; 714 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid, 715 dst->name); 716 } 717 if (r->proto) { 718 fprintf(fd, SET "[%s]:Protocol=%d force\n", 719 r->p2lid, r->proto); 720 fprintf(fd, SET "[%s]:Protocol=%d force\n", 721 r->p2rid, r->proto); 722 } 723 if (r->sport) 724 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid, 725 ntohs(r->sport)); 726 if (r->dport) 727 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid, 728 ntohs(r->dport)); 729 } 730 731 static int 732 ike_connect(struct ipsec_rule *r, FILE *fd) 733 { 734 switch (r->ikemode) { 735 case IKE_ACTIVE: 736 case IKE_DYNAMIC: 737 fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name); 738 break; 739 case IKE_PASSIVE: 740 fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n", 741 r->p2name); 742 break; 743 default: 744 return (-1); 745 } 746 return (0); 747 } 748 749 static int 750 ike_gen_config(struct ipsec_rule *r, FILE *fd) 751 { 752 ike_setup_ids(r); 753 ike_section_general(r, fd); 754 ike_section_peer(r, fd); 755 if (ike_section_p1(r, fd) == -1) { 756 return (-1); 757 } 758 ike_section_ids(r, fd); 759 ike_section_ipsec(r, fd); 760 if (ike_section_p2(r, fd) == -1) { 761 return (-1); 762 } 763 ike_section_p2ids(r, fd); 764 765 if (ike_connect(r, fd) == -1) 766 return (-1); 767 return (0); 768 } 769 770 static int 771 ike_delete_config(struct ipsec_rule *r, FILE *fd) 772 { 773 ike_setup_ids(r); 774 #if 0 775 switch (r->ikemode) { 776 case IKE_ACTIVE: 777 case IKE_DYNAMIC: 778 fprintf(fd, "t %s\n", r->p2name); 779 break; 780 case IKE_PASSIVE: 781 fprintf(fd, DELETE "[Phase 2]\n"); 782 fprintf(fd, "t %s\n", r->p2name); 783 break; 784 default: 785 return (-1); 786 } 787 788 if (r->peer) { 789 fprintf(fd, DELETE "[%s]\n", r->p1name); 790 fprintf(fd, DELETE "[phase1-%s]\n", r->p1name); 791 } 792 if (r->auth) { 793 if (r->auth->srcid) 794 fprintf(fd, DELETE "[%s-ID]\n", r->auth->srcid); 795 if (r->auth->dstid) 796 fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid); 797 } 798 fprintf(fd, DELETE "[%s]\n", r->p2name); 799 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 800 fprintf(fd, DELETE "[%s]\n", r->p2lid); 801 fprintf(fd, DELETE "[%s]\n", r->p2rid); 802 #else 803 fprintf(fd, "t %s\n", r->p2name); 804 switch (r->ikemode) { 805 case IKE_ACTIVE: 806 case IKE_DYNAMIC: 807 fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name); 808 break; 809 case IKE_PASSIVE: 810 fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n", 811 r->p2name); 812 break; 813 default: 814 return (-1); 815 } 816 fprintf(fd, DELETE "[%s]\n", r->p2name); 817 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 818 #endif 819 820 return (0); 821 } 822 823 static void 824 ike_setup_ids(struct ipsec_rule *r) 825 { 826 char sproto[10], ssport[10], sdport[10]; 827 828 /* phase 1 name is peer and local address */ 829 if (r->peer) { 830 if (r->local) { 831 /* peer-dstaddr-local-srcaddr */ 832 if (asprintf(&r->p1name, "peer-%s-local-%s", 833 r->peer->name, r->local->name) == -1) 834 err(1, "ike_setup_ids"); 835 } else 836 /* peer-dstaddr */ 837 if (asprintf(&r->p1name, "peer-%s", 838 r->peer->name) == -1) 839 err(1, "ike_setup_ids"); 840 } else 841 if ((r->p1name = strdup("peer-default")) == NULL) 842 err(1, "ike_setup_ids"); 843 844 /* Phase 2 name is from and to network, protocol, port*/ 845 sproto[0] = ssport[0] = sdport[0] = 0; 846 if (r->proto) 847 snprintf(sproto, sizeof sproto, "=%u", r->proto); 848 if (r->sport) 849 snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport)); 850 if (r->dport) 851 snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport)); 852 /* from-network/masklen=proto:port */ 853 if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name, sproto, ssport) 854 == -1) 855 err(1, "ike_setup_ids"); 856 /* to-network/masklen=proto:port */ 857 if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name, sproto, sdport) 858 == -1) 859 err(1, "ike_setup_ids"); 860 /* from-network/masklen=proto:port-to-network/masklen=proto:port */ 861 if (asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1) 862 err(1, "ike_setup_ids"); 863 /* nat-network/masklen=proto:port */ 864 if (r->src->srcnat && r->src->srcnat->name) { 865 if (asprintf(&r->p2nid, "nat-%s%s%s", r->src->srcnat->name, sproto, 866 ssport) == -1) 867 err(1, "ike_setup_ids"); 868 } 869 } 870 871 int 872 ike_print_config(struct ipsec_rule *r, int opts) 873 { 874 if (opts & IPSECCTL_OPT_DELETE) 875 return (ike_delete_config(r, stdout)); 876 else 877 return (ike_gen_config(r, stdout)); 878 } 879 880 int 881 ike_ipsec_establish(int action, struct ipsec_rule *r, const char *fifo) 882 { 883 struct stat sb; 884 FILE *fdp; 885 int fd, ret = 0; 886 887 if ((fd = open(fifo, O_WRONLY)) == -1) 888 err(1, "ike_ipsec_establish: open(%s)", fifo); 889 if (fstat(fd, &sb) == -1) 890 err(1, "ike_ipsec_establish: fstat(%s)", fifo); 891 if (!S_ISFIFO(sb.st_mode)) 892 errx(1, "ike_ipsec_establish: %s not a fifo", fifo); 893 if ((fdp = fdopen(fd, "w")) == NULL) 894 err(1, "ike_ipsec_establish: fdopen(%s)", fifo); 895 896 switch (action) { 897 case ACTION_ADD: 898 ret = ike_gen_config(r, fdp); 899 break; 900 case ACTION_DELETE: 901 ret = ike_delete_config(r, fdp); 902 break; 903 default: 904 ret = -1; 905 } 906 907 fclose(fdp); 908 return (ret); 909 } 910