1/* $OpenBSD: ike.c,v 1.84 2023/08/07 04:10:08 dlg Exp $ */ 2/* 3 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#include <sys/types.h> 19#include <sys/socket.h> 20#include <sys/stat.h> 21#include <sys/queue.h> 22#include <netinet/in.h> 23#include <netdb.h> 24#include <arpa/inet.h> 25 26#include <err.h> 27#include <fcntl.h> 28#include <stdio.h> 29#include <stdlib.h> 30#include <string.h> 31#include <unistd.h> 32#include <limits.h> 33 34#include "ipsecctl.h" 35 36static void ike_section_general(struct ipsec_rule *, FILE *); 37static void ike_section_peer(struct ipsec_rule *, FILE *); 38static void ike_section_ids(struct ipsec_rule *, FILE *); 39static void ike_section_ipsec(struct ipsec_rule *, FILE *); 40static int ike_section_p1(struct ipsec_rule *, FILE *); 41static int ike_section_p2(struct ipsec_rule *, FILE *); 42static void ike_section_p2ids(struct ipsec_rule *, FILE *); 43static int ike_connect(struct ipsec_rule *, FILE *); 44static int ike_gen_config(struct ipsec_rule *, FILE *); 45static int ike_delete_config(struct ipsec_rule *, FILE *); 46static void ike_setup_ids(struct ipsec_rule *); 47 48int ike_print_config(struct ipsec_rule *, int); 49int ike_ipsec_establish(int, struct ipsec_rule *, const char *); 50 51#define SET "C set " 52#define ADD "C add " 53#define DELETE "C rms " 54#define RMV "C rmv " 55 56#define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 57#define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 58 59char *ike_id_types[] = { 60 "", "", "IPV4_ADDR", "IPV6_ADDR", "FQDN", "USER_FQDN" 61}; 62 63static void 64ike_section_general(struct ipsec_rule *r, FILE *fd) 65{ 66 if (r->ikemode == IKE_DYNAMIC) { 67 fprintf(fd, SET "[General]:Check-interval=%d force\n", 68 CONF_DFLT_DYNAMIC_CHECK_INTERVAL); 69 fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", 70 CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); 71 } 72} 73 74static void 75ike_section_peer(struct ipsec_rule *r, FILE *fd) 76{ 77 if (r->peer) 78 fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name, 79 r->p1name); 80 else 81 fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name); 82 fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name); 83 if (r->peer) 84 fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name, 85 r->peer->name); 86 if (r->local) 87 fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name, 88 r->local->name); 89 if (r->ikeauth->type == IKE_AUTH_PSK) 90 fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name, 91 r->ikeauth->string); 92} 93 94static void 95ike_section_ids(struct ipsec_rule *r, FILE *fd) 96{ 97 char myname[HOST_NAME_MAX+1]; 98 99 if (r->auth == NULL) 100 return; 101 102 if (r->ikemode == IKE_DYNAMIC && r->auth->srcid == NULL) { 103 if (gethostname(myname, sizeof(myname)) == -1) 104 err(1, "ike_section_ids: gethostname"); 105 if ((r->auth->srcid = strdup(myname)) == NULL) 106 err(1, "ike_section_ids: strdup"); 107 r->auth->srcid_type = ID_FQDN; 108 } 109 if (r->auth->srcid) { 110 fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name, 111 r->auth->srcid); 112 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid, 113 ike_id_types[r->auth->srcid_type]); 114 if (r->auth->srcid_type == ID_IPV4 || 115 r->auth->srcid_type == ID_IPV6) 116 fprintf(fd, SET "[id-%s]:Address=%s force\n", 117 r->auth->srcid, r->auth->srcid); 118 else 119 fprintf(fd, SET "[id-%s]:Name=%s force\n", 120 r->auth->srcid, r->auth->srcid); 121 } 122 if (r->auth->dstid) { 123 fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name, 124 r->auth->dstid); 125 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid, 126 ike_id_types[r->auth->dstid_type]); 127 if (r->auth->dstid_type == ID_IPV4 || 128 r->auth->dstid_type == ID_IPV6) 129 fprintf(fd, SET "[id-%s]:Address=%s force\n", 130 r->auth->dstid, r->auth->dstid); 131 else 132 fprintf(fd, SET "[id-%s]:Name=%s force\n", 133 r->auth->dstid, r->auth->dstid); 134 } 135} 136 137static void 138ike_section_ipsec(struct ipsec_rule *r, FILE *fd) 139{ 140 fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name); 141 fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", r->p2name, r->p1name); 142 fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name, 143 r->p2name); 144 fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid); 145 if (r->p2nid) 146 fprintf(fd, SET "[%s]:NAT-ID=%s force\n", r->p2name, r->p2nid); 147 fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid); 148 149 if (r->tag) 150 fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); 151 if (r->flags & IPSEC_RULE_F_IFACE) { 152 fprintf(fd, SET "[%s]:Interface=%u force\n", r->p2name, 153 r->iface); 154 } 155} 156 157static int 158ike_section_p2(struct ipsec_rule *r, FILE *fd) 159{ 160 char *exchange_type, *key_length, *transform, *p; 161 char *enc_alg, *auth_alg, *group_desc, *encap; 162 int needauth = 1; 163 int num_print = 0; 164 165 switch (r->p2ie) { 166 case IKE_QM: 167 exchange_type = "QUICK_MODE"; 168 break; 169 default: 170 warnx("illegal phase 2 ike mode %d", r->p2ie); 171 return (-1); 172 } 173 174 fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name, 175 exchange_type); 176 fprintf(fd, SET "[phase2-%s]:Suites=phase2-suite-%s force\n", r->p2name, 177 r->p2name); 178 179 fprintf(fd, SET "[phase2-suite-%s]:Protocols=phase2-protocol-%s " 180 "force\n", r->p2name, r->p2name); 181 182 fprintf(fd, SET "[phase2-protocol-%s]:PROTOCOL_ID=", r->p2name); 183 184 switch (r->satype) { 185 case IPSEC_ESP: 186 fprintf(fd, "IPSEC_ESP"); 187 break; 188 case IPSEC_AH: 189 fprintf(fd, "IPSEC_AH"); 190 break; 191 default: 192 warnx("illegal satype %d", r->satype); 193 return (-1); 194 } 195 fprintf(fd, " force\n"); 196 197 key_length = NULL; 198 enc_alg = NULL; 199 if (r->p2xfs && r->p2xfs->encxf) { 200 if (r->satype == IPSEC_ESP) { 201 switch (r->p2xfs->encxf->id) { 202 case ENCXF_3DES_CBC: 203 enc_alg = "3DES"; 204 break; 205 case ENCXF_AES: 206 enc_alg = "AES"; 207 key_length = "128,128:256"; 208 break; 209 case ENCXF_AES_128: 210 enc_alg = "AES"; 211 key_length = "128,128:128"; 212 break; 213 case ENCXF_AES_192: 214 enc_alg = "AES"; 215 key_length = "192,192:192"; 216 break; 217 case ENCXF_AES_256: 218 enc_alg = "AES"; 219 key_length = "256,256:256"; 220 break; 221 case ENCXF_AESCTR: 222 enc_alg = "AES_CTR"; 223 key_length = "128,128:128"; 224 break; 225 case ENCXF_AES_128_CTR: 226 enc_alg = "AES_CTR"; 227 key_length = "128,128:128"; 228 break; 229 case ENCXF_AES_192_CTR: 230 enc_alg = "AES_CTR"; 231 key_length = "192,192:192"; 232 break; 233 case ENCXF_AES_256_CTR: 234 enc_alg = "AES_CTR"; 235 key_length = "256,256:256"; 236 break; 237 case ENCXF_AES_128_GCM: 238 enc_alg = "AES_GCM_16"; 239 key_length = "128,128:128"; 240 needauth = 0; 241 break; 242 case ENCXF_AES_192_GCM: 243 enc_alg = "AES_GCM_16"; 244 key_length = "192,192:192"; 245 needauth = 0; 246 break; 247 case ENCXF_AES_256_GCM: 248 enc_alg = "AES_GCM_16"; 249 key_length = "256,256:256"; 250 needauth = 0; 251 break; 252 case ENCXF_AES_128_GMAC: 253 enc_alg = "AES_GMAC"; 254 key_length = "128,128:128"; 255 needauth = 0; 256 break; 257 case ENCXF_AES_192_GMAC: 258 enc_alg = "AES_GMAC"; 259 key_length = "192,192:192"; 260 needauth = 0; 261 break; 262 case ENCXF_AES_256_GMAC: 263 enc_alg = "AES_GMAC"; 264 key_length = "256,256:256"; 265 needauth = 0; 266 break; 267 case ENCXF_BLOWFISH: 268 enc_alg = "BLOWFISH"; 269 key_length = "128,96:192"; 270 break; 271 case ENCXF_CAST128: 272 enc_alg = "CAST"; 273 break; 274 case ENCXF_NULL: 275 enc_alg = "NULL"; 276 needauth = 0; 277 break; 278 default: 279 warnx("illegal transform %s", 280 r->p2xfs->encxf->name); 281 return (-1); 282 } 283 } else { 284 warnx("illegal transform %s", r->p2xfs->encxf->name); 285 return (-1); 286 } 287 } else if (r->satype == IPSEC_ESP) { 288 enc_alg = "AES"; 289 key_length = "128,128:256"; 290 } 291 292 switch (r->tmode) { 293 case IPSEC_TUNNEL: 294 encap = "TUNNEL"; 295 break; 296 case IPSEC_TRANSPORT: 297 encap = "TRANSPORT"; 298 break; 299 default: 300 warnx("illegal encapsulation mode %d", r->tmode); 301 return (-1); 302 } 303 304 auth_alg = NULL; 305 if (r->p2xfs && r->p2xfs->authxf) { 306 switch (r->p2xfs->authxf->id) { 307 case AUTHXF_HMAC_MD5: 308 auth_alg = "MD5"; 309 break; 310 case AUTHXF_HMAC_SHA1: 311 auth_alg = "SHA"; 312 break; 313 case AUTHXF_HMAC_RIPEMD160: 314 auth_alg = "RIPEMD"; 315 break; 316 case AUTHXF_HMAC_SHA2_256: 317 auth_alg = "SHA2_256"; 318 break; 319 case AUTHXF_HMAC_SHA2_384: 320 auth_alg = "SHA2_384"; 321 break; 322 case AUTHXF_HMAC_SHA2_512: 323 auth_alg = "SHA2_512"; 324 break; 325 default: 326 warnx("illegal transform %s", r->p2xfs->authxf->name); 327 return (-1); 328 } 329 } else if (needauth) 330 auth_alg = "SHA2_256"; 331 332 group_desc = NULL; 333 if (r->p2xfs && r->p2xfs->groupxf) { 334 switch (r->p2xfs->groupxf->id) { 335 case GROUPXF_NONE: 336 break; 337 case GROUPXF_1: 338 group_desc = "MODP_768"; 339 break; 340 case GROUPXF_2: 341 group_desc = "MODP_1024"; 342 break; 343 case GROUPXF_5: 344 group_desc = "MODP_1536"; 345 break; 346 case GROUPXF_14: 347 group_desc = "MODP_2048"; 348 break; 349 case GROUPXF_15: 350 group_desc = "MODP_3072"; 351 break; 352 case GROUPXF_16: 353 group_desc = "MODP_4096"; 354 break; 355 case GROUPXF_17: 356 group_desc = "MODP_6144"; 357 break; 358 case GROUPXF_18: 359 group_desc = "MODP_8192"; 360 break; 361 case GROUPXF_19: 362 group_desc = "ECP_256"; 363 break; 364 case GROUPXF_20: 365 group_desc = "ECP_384"; 366 break; 367 case GROUPXF_21: 368 group_desc = "ECP_521"; 369 break; 370 case GROUPXF_25: 371 group_desc = "ECP_192"; 372 break; 373 case GROUPXF_26: 374 group_desc = "ECP_224"; 375 break; 376 case GROUPXF_27: 377 group_desc = "BP_224"; 378 break; 379 case GROUPXF_28: 380 group_desc = "BP_256"; 381 break; 382 case GROUPXF_29: 383 group_desc = "BP_384"; 384 break; 385 case GROUPXF_30: 386 group_desc = "BP_512"; 387 break; 388 default: 389 warnx("illegal group %s", r->p2xfs->groupxf->name); 390 return (-1); 391 } 392 } else 393 group_desc = "MODP_3072"; 394 395 /* the transform name must not include "," */ 396 if (key_length && (p = strchr(key_length, ',')) != NULL) 397 num_print = p - key_length; 398 /* 399 * create a unique transform name, otherwise we cannot have 400 * multiple transforms per p2name. 401 */ 402 if (asprintf(&transform, "phase2-transform-%s-%s%.*s-%s-%s-%s", 403 r->p2name, 404 enc_alg ? enc_alg : "NONE", 405 num_print, key_length ? key_length : "", 406 auth_alg ? auth_alg : "NONE", 407 group_desc ? group_desc : "NONE", 408 encap) == -1) 409 errx(1, "asprintf phase2-transform"); 410 411 fprintf(fd, SET "[phase2-protocol-%s]:Transforms=%s force\n", 412 r->p2name, transform); 413 414 fprintf(fd, SET "[%s]:TRANSFORM_ID=%s force\n", transform, 415 r->satype == IPSEC_AH ? auth_alg : enc_alg); 416 if (key_length) 417 fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, 418 key_length); 419 fprintf(fd, SET "[%s]:ENCAPSULATION_MODE=%s force\n", transform, encap); 420 if (auth_alg) 421 fprintf(fd, SET "[%s]:AUTHENTICATION_ALGORITHM=HMAC_%s force\n", 422 transform, auth_alg); 423 if (group_desc) 424 fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, 425 group_desc); 426 427 if (r->p2life && r->p2life->lt_seconds != -1) { 428 fprintf(fd, SET "[%s]:Life=%s-life force\n", 429 transform, transform); 430 fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", 431 transform); 432 fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", 433 transform, r->p2life->lt_seconds); 434 } else 435 fprintf(fd, SET "[%s]:Life=LIFE_QUICK_MODE force\n", 436 transform); 437 438 free(transform); 439 return (0); 440} 441 442static int 443ike_section_p1(struct ipsec_rule *r, FILE *fd) 444{ 445 char *exchange_type, *key_length, *transform, *p; 446 char *enc_alg, *auth_alg, *group_desc, *auth_method; 447 int num_print = 0; 448 449 switch (r->p1ie) { 450 case IKE_MM: 451 exchange_type = "ID_PROT"; 452 break; 453 case IKE_AM: 454 exchange_type = "AGGRESSIVE"; 455 break; 456 default: 457 warnx("illegal phase 1 ike mode %d", r->p1ie); 458 return (-1); 459 } 460 461 fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name, 462 r->p1name); 463 fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name, 464 exchange_type); 465 466 key_length = NULL; 467 if (r->p1xfs && r->p1xfs->encxf) { 468 switch (r->p1xfs->encxf->id) { 469 case ENCXF_3DES_CBC: 470 enc_alg = "3DES"; 471 break; 472 case ENCXF_AES: 473 enc_alg = "AES"; 474 key_length = "128,128:256"; 475 break; 476 case ENCXF_AES_128: 477 enc_alg = "AES"; 478 key_length = "128,128:128"; 479 break; 480 case ENCXF_AES_192: 481 enc_alg = "AES"; 482 key_length = "192,192:192"; 483 break; 484 case ENCXF_AES_256: 485 enc_alg = "AES"; 486 key_length = "256,256:256"; 487 break; 488 case ENCXF_BLOWFISH: 489 enc_alg = "BLOWFISH"; 490 key_length = "128,96:192"; 491 break; 492 case ENCXF_CAST128: 493 enc_alg = "CAST"; 494 break; 495 default: 496 warnx("illegal transform %s", r->p1xfs->encxf->name); 497 return (-1); 498 } 499 } else { 500 enc_alg = "AES"; 501 key_length = "128,128:256"; 502 } 503 504 if (r->p1xfs && r->p1xfs->authxf) { 505 switch (r->p1xfs->authxf->id) { 506 case AUTHXF_HMAC_MD5: 507 auth_alg = "MD5"; 508 break; 509 case AUTHXF_HMAC_SHA1: 510 auth_alg = "SHA"; 511 break; 512 case AUTHXF_HMAC_SHA2_256: 513 auth_alg = "SHA2_256"; 514 break; 515 case AUTHXF_HMAC_SHA2_384: 516 auth_alg = "SHA2_384"; 517 break; 518 case AUTHXF_HMAC_SHA2_512: 519 auth_alg = "SHA2_512"; 520 break; 521 default: 522 warnx("illegal transform %s", r->p1xfs->authxf->name); 523 return (-1); 524 } 525 } else 526 auth_alg = "SHA"; 527 528 if (r->p1xfs && r->p1xfs->groupxf) { 529 switch (r->p1xfs->groupxf->id) { 530 case GROUPXF_1: 531 group_desc = "MODP_768"; 532 break; 533 case GROUPXF_2: 534 group_desc = "MODP_1024"; 535 break; 536 case GROUPXF_5: 537 group_desc = "MODP_1536"; 538 break; 539 case GROUPXF_14: 540 group_desc = "MODP_2048"; 541 break; 542 case GROUPXF_15: 543 group_desc = "MODP_3072"; 544 break; 545 case GROUPXF_16: 546 group_desc = "MODP_4096"; 547 break; 548 case GROUPXF_17: 549 group_desc = "MODP_6144"; 550 break; 551 case GROUPXF_18: 552 group_desc = "MODP_8192"; 553 break; 554 case GROUPXF_19: 555 group_desc = "ECP_256"; 556 break; 557 case GROUPXF_20: 558 group_desc = "ECP_384"; 559 break; 560 case GROUPXF_21: 561 group_desc = "ECP_521"; 562 break; 563 case GROUPXF_25: 564 group_desc = "ECP_192"; 565 break; 566 case GROUPXF_26: 567 group_desc = "ECP_224"; 568 break; 569 case GROUPXF_27: 570 group_desc = "BP_224"; 571 break; 572 case GROUPXF_28: 573 group_desc = "BP_256"; 574 break; 575 case GROUPXF_29: 576 group_desc = "BP_384"; 577 break; 578 case GROUPXF_30: 579 group_desc = "BP_512"; 580 break; 581 default: 582 warnx("illegal group %s", r->p1xfs->groupxf->name); 583 return (-1); 584 } 585 } else 586 group_desc = "MODP_3072"; 587 588 switch (r->ikeauth->type) { 589 case IKE_AUTH_PSK: 590 auth_method = "PRE_SHARED"; 591 break; 592 case IKE_AUTH_RSA: 593 auth_method = "RSA_SIG"; 594 break; 595 default: 596 warnx("illegal authentication method %u", r->ikeauth->type); 597 return (-1); 598 } 599 600 /* the transform name must not include "," */ 601 if (key_length && (p = strchr(key_length, ',')) != NULL) 602 num_print = p - key_length; 603 /* create unique name for transform, see also ike_section_p2() */ 604 if (asprintf(&transform, "phase1-transform-%s-%s-%s-%s%.*s-%s", 605 r->p1name, auth_method, auth_alg, enc_alg, 606 num_print, key_length ? key_length : "", 607 group_desc) == -1) 608 errx(1, "asprintf phase1-transform"); 609 610 fprintf(fd, ADD "[phase1-%s]:Transforms=%s force\n", r->p1name, 611 transform); 612 fprintf(fd, SET "[%s]:AUTHENTICATION_METHOD=%s force\n", transform, 613 auth_method); 614 fprintf(fd, SET "[%s]:HASH_ALGORITHM=%s force\n", transform, auth_alg); 615 fprintf(fd, SET "[%s]:ENCRYPTION_ALGORITHM=%s_CBC force\n", transform, 616 enc_alg); 617 if (key_length) 618 fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, 619 key_length); 620 fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, 621 group_desc); 622 623 if (r->p1life && r->p1life->lt_seconds != -1) { 624 fprintf(fd, SET "[%s]:Life=%s-life force\n", 625 transform, transform); 626 fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", 627 transform); 628 fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", 629 transform, r->p1life->lt_seconds); 630 } else 631 fprintf(fd, SET "[%s]:Life=LIFE_MAIN_MODE force\n", transform); 632 633 free(transform); 634 return (0); 635} 636 637static void 638ike_section_p2ids_net(struct ipsec_addr *iamask, sa_family_t af, char *name, 639 char *p2xid, FILE *fd) 640{ 641 char mask[NI_MAXHOST], *network, *p; 642 struct sockaddr_storage sas; 643 struct sockaddr *sa = (struct sockaddr *)&sas; 644 645 bzero(&sas, sizeof(struct sockaddr_storage)); 646 bzero(mask, sizeof(mask)); 647 sa->sa_family = af; 648 switch (af) { 649 case AF_INET: 650 sa->sa_len = sizeof(struct sockaddr_in); 651 bcopy(&iamask->ipa, 652 &((struct sockaddr_in *)(sa))->sin_addr, 653 sizeof(struct in_addr)); 654 break; 655 case AF_INET6: 656 sa->sa_len = sizeof(struct sockaddr_in6); 657 bcopy(&iamask->ipa, 658 &((struct sockaddr_in6 *)(sa))->sin6_addr, 659 sizeof(struct in6_addr)); 660 break; 661 } 662 if (getnameinfo(sa, sa->sa_len, mask, sizeof(mask), NULL, 0, 663 NI_NUMERICHOST)) 664 errx(1, "could not get a numeric mask"); 665 666 if ((network = strdup(name)) == NULL) 667 err(1, "ike_section_p2ids: strdup"); 668 if ((p = strrchr(network, '/')) != NULL) 669 *p = '\0'; 670 671 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", 672 p2xid, ((af == AF_INET) ? 4 : 6)); 673 fprintf(fd, SET "[%s]:Network=%s force\n", p2xid, network); 674 fprintf(fd, SET "[%s]:Netmask=%s force\n", p2xid, mask); 675 676 free(network); 677} 678 679static void 680ike_section_p2ids(struct ipsec_rule *r, FILE *fd) 681{ 682 char *p; 683 struct ipsec_addr_wrap *src = r->src; 684 struct ipsec_addr_wrap *dst = r->dst; 685 686 if (src->netaddress) { 687 ike_section_p2ids_net(&src->mask, src->af, src->name, 688 r->p2lid, fd); 689 } else { 690 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 691 r->p2lid, ((src->af == AF_INET) ? 4 : 6)); 692 if ((p = strrchr(src->name, '/')) != NULL) 693 *p = '\0'; 694 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid, 695 src->name); 696 } 697 698 if (src->srcnat && src->srcnat->netaddress) { 699 ike_section_p2ids_net(&src->srcnat->mask, src->af, src->srcnat->name, 700 r->p2nid, fd); 701 } else if (src->srcnat) { 702 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 703 r->p2nid, ((src->af == AF_INET) ? 4 : 6)); 704 if ((p = strrchr(src->srcnat->name, '/')) != NULL) 705 *p = '\0'; 706 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2nid, 707 src->srcnat->name); 708 } 709 710 if (dst->netaddress) { 711 ike_section_p2ids_net(&dst->mask, dst->af, dst->name, 712 r->p2rid, fd); 713 } else { 714 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 715 r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); 716 if ((p = strrchr(dst->name, '/')) != NULL) 717 *p = '\0'; 718 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid, 719 dst->name); 720 } 721 if (r->proto) { 722 fprintf(fd, SET "[%s]:Protocol=%d force\n", 723 r->p2lid, r->proto); 724 fprintf(fd, SET "[%s]:Protocol=%d force\n", 725 r->p2rid, r->proto); 726 } 727 if (r->sport) 728 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid, 729 ntohs(r->sport)); 730 if (r->dport) 731 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid, 732 ntohs(r->dport)); 733} 734 735static int 736ike_connect(struct ipsec_rule *r, FILE *fd) 737{ 738 switch (r->ikemode) { 739 case IKE_ACTIVE: 740 case IKE_DYNAMIC: 741 fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name); 742 break; 743 case IKE_PASSIVE: 744 fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n", 745 r->p2name); 746 break; 747 default: 748 return (-1); 749 } 750 return (0); 751} 752 753static int 754ike_gen_config(struct ipsec_rule *r, FILE *fd) 755{ 756 ike_setup_ids(r); 757 ike_section_general(r, fd); 758 ike_section_peer(r, fd); 759 if (ike_section_p1(r, fd) == -1) { 760 return (-1); 761 } 762 ike_section_ids(r, fd); 763 ike_section_ipsec(r, fd); 764 if (ike_section_p2(r, fd) == -1) { 765 return (-1); 766 } 767 ike_section_p2ids(r, fd); 768 769 if (ike_connect(r, fd) == -1) 770 return (-1); 771 return (0); 772} 773 774static int 775ike_delete_config(struct ipsec_rule *r, FILE *fd) 776{ 777 ike_setup_ids(r); 778#if 0 779 switch (r->ikemode) { 780 case IKE_ACTIVE: 781 case IKE_DYNAMIC: 782 fprintf(fd, "t %s\n", r->p2name); 783 break; 784 case IKE_PASSIVE: 785 fprintf(fd, DELETE "[Phase 2]\n"); 786 fprintf(fd, "t %s\n", r->p2name); 787 break; 788 default: 789 return (-1); 790 } 791 792 if (r->peer) { 793 fprintf(fd, DELETE "[%s]\n", r->p1name); 794 fprintf(fd, DELETE "[phase1-%s]\n", r->p1name); 795 } 796 if (r->auth) { 797 if (r->auth->srcid) 798 fprintf(fd, DELETE "[%s-ID]\n", r->auth->srcid); 799 if (r->auth->dstid) 800 fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid); 801 } 802 fprintf(fd, DELETE "[%s]\n", r->p2name); 803 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 804 fprintf(fd, DELETE "[%s]\n", r->p2lid); 805 fprintf(fd, DELETE "[%s]\n", r->p2rid); 806#else 807 fprintf(fd, "t %s\n", r->p2name); 808 switch (r->ikemode) { 809 case IKE_ACTIVE: 810 case IKE_DYNAMIC: 811 fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name); 812 break; 813 case IKE_PASSIVE: 814 fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n", 815 r->p2name); 816 break; 817 default: 818 return (-1); 819 } 820 fprintf(fd, DELETE "[%s]\n", r->p2name); 821 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 822#endif 823 824 return (0); 825} 826 827static void 828ike_setup_ids(struct ipsec_rule *r) 829{ 830 char sproto[10], ssport[10], sdport[10]; 831 832 /* phase 1 name is peer and local address */ 833 if (r->peer) { 834 if (r->local) { 835 /* peer-dstaddr-local-srcaddr */ 836 if (asprintf(&r->p1name, "peer-%s-local-%s", 837 r->peer->name, r->local->name) == -1) 838 err(1, "ike_setup_ids"); 839 } else 840 /* peer-dstaddr */ 841 if (asprintf(&r->p1name, "peer-%s", 842 r->peer->name) == -1) 843 err(1, "ike_setup_ids"); 844 } else 845 if ((r->p1name = strdup("peer-default")) == NULL) 846 err(1, "ike_setup_ids"); 847 848 /* Phase 2 name is from and to network, protocol, port*/ 849 if (r->flags & IPSEC_RULE_F_IFACE) { 850 if (asprintf(&r->p2lid, "from-sec%u", r->iface) == -1) 851 err(1, "ike_setup_ids"); 852 if (asprintf(&r->p2rid, "to-sec%u", r->iface) == -1) 853 err(1, "ike_setup_ids"); 854 } else { 855 sproto[0] = ssport[0] = sdport[0] = 0; 856 if (r->proto) 857 snprintf(sproto, sizeof sproto, "=%u", r->proto); 858 if (r->sport) 859 snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport)); 860 if (r->dport) 861 snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport)); 862 863 /* from-network/masklen=proto:port */ 864 if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name, 865 sproto, ssport) == -1) 866 err(1, "ike_setup_ids"); 867 /* to-network/masklen=proto:port */ 868 if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name, 869 sproto, sdport) == -1) 870 err(1, "ike_setup_ids"); 871 } 872 873 /* from-network/masklen=proto:port-to-network/masklen=proto:port */ 874 if (asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1) 875 err(1, "ike_setup_ids"); 876 /* nat-network/masklen=proto:port */ 877 if (r->src->srcnat && r->src->srcnat->name) { 878 if (asprintf(&r->p2nid, "nat-%s%s%s", r->src->srcnat->name, sproto, 879 ssport) == -1) 880 err(1, "ike_setup_ids"); 881 } 882} 883 884int 885ike_print_config(struct ipsec_rule *r, int opts) 886{ 887 if (opts & IPSECCTL_OPT_DELETE) 888 return (ike_delete_config(r, stdout)); 889 else 890 return (ike_gen_config(r, stdout)); 891} 892 893int 894ike_ipsec_establish(int action, struct ipsec_rule *r, const char *fifo) 895{ 896 struct stat sb; 897 FILE *fdp; 898 int fd, ret = 0; 899 900 if ((fd = open(fifo, O_WRONLY)) == -1) 901 err(1, "ike_ipsec_establish: open(%s)", fifo); 902 if (fstat(fd, &sb) == -1) 903 err(1, "ike_ipsec_establish: fstat(%s)", fifo); 904 if (!S_ISFIFO(sb.st_mode)) 905 errx(1, "ike_ipsec_establish: %s not a fifo", fifo); 906 if ((fdp = fdopen(fd, "w")) == NULL) 907 err(1, "ike_ipsec_establish: fdopen(%s)", fifo); 908 909 switch (action) { 910 case ACTION_ADD: 911 ret = ike_gen_config(r, fdp); 912 break; 913 case ACTION_DELETE: 914 ret = ike_delete_config(r, fdp); 915 break; 916 default: 917 ret = -1; 918 } 919 920 fclose(fdp); 921 return (ret); 922} 923