1
0
mirror of https://github.com/openbsd/src.git synced 2024-12-22 16:42:56 -08:00

Add support to use sasyncd(8) with iked(8) instead of isakmpd(8). The

new config option "control isakmpd|iked|all|none" in sasyncd.conf(5)
is used to set the mode; the default is to control isakmpd like
before.  When controlling iked, sasyncd connects to the daemon using
the imsg socket and sends imsgs - this is easy because the imsg
framework has been imported into libutil. iked(8) already includes
the important bits to work with sasyncd(8) (the active/passive mode
option in ikectl).

manpage bits ok jsg@
ok jsg@
This commit is contained in:
reyk 2010-06-16 17:39:05 +00:00
parent a25eb005c3
commit f3eaad2d1d
9 changed files with 196 additions and 51 deletions

View File

@ -1,4 +1,4 @@
# $Id: Makefile,v 1.5 2005/05/24 02:35:39 ho Exp $
# $Id: Makefile,v 1.6 2010/06/16 17:39:05 reyk Exp $
PROG= sasyncd
SRCS= sasyncd.c carp.c conf.y log.c monitor.c net.c net_ctl.c pfkey.c timer.c
@ -8,7 +8,7 @@ MAN= sasyncd.8 sasyncd.conf.5
CFLAGS= -O0 $(PIPE) $(DEBUG)
.endif
CFLAGS+= -I${.CURDIR}
CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../sbin/iked
CLEANFILES= y.tab.h
# ElectricFence
@ -20,6 +20,6 @@ CLEANFILES= y.tab.h
CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes \
-Wmissing-declarations
LDADD+= -lcrypto
LDADD+= -lcrypto -lutil
.include <bsd.prog.mk>

View File

@ -1,4 +1,4 @@
/* $OpenBSD: carp.c,v 1.10 2009/06/26 13:25:23 deraadt Exp $ */
/* $OpenBSD: carp.c,v 1.11 2010/06/16 17:39:05 reyk Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@ -173,7 +173,7 @@ carp_update_state(enum RUNSTATE current_state)
cfgstate.runstate = current_state;
if (current_state == MASTER)
pfkey_set_promisc();
isakmpd_setrun();
control_setrun();
net_ctl_update_state();
}
}
@ -269,15 +269,15 @@ carp_init(void)
return 0;
}
/* Enable or disable isakmpd connection checker. */
/* Enable or disable isakmpd/iked connection checker. */
void
isakmpd_setrun(void)
control_setrun(void)
{
if (cfgstate.runstate == MASTER) {
if (monitor_isakmpd_active(1))
log_msg(0, "failed to activate isakmpd");
if (monitor_control_active(1))
log_msg(0, "failed to activate controlled daemon");
} else {
if (monitor_isakmpd_active(0))
log_msg(0, "failed to passivate isakmpd");
if (monitor_control_active(0))
log_msg(0, "failed to passivate controlled daemon");
}
}

View File

@ -1,4 +1,4 @@
/* $OpenBSD: conf.y,v 1.14 2007/05/17 11:01:36 moritz Exp $ */
/* $OpenBSD: conf.y,v 1.15 2010/06/16 17:39:05 reyk Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@ -64,11 +64,11 @@ unsigned char x2i(unsigned char *);
%token MODE INTERFACE INTERVAL LISTEN ON PORT PEER SHAREDKEY
%token Y_SLAVE Y_MASTER INET INET6 FLUSHMODE STARTUP NEVER SYNC
%token GROUP SKIPSLAVE
%token GROUP SKIPSLAVE CONTROL
%token <string> STRING
%token <hex> HEX
%token <val> VALUE
%type <val> af port mode flushmode
%type <val> af port mode flushmode ctlmode
%%
/* Rules */
@ -125,6 +125,27 @@ key : STRING
log_msg(2, "config: %d byte shared hex key", $1.len);
}
ctlmode : STRING
{
/* Compare strings to avoid keywords for daemons */
if (strcmp("isakmpd", $1) == 0)
$$ = CTL_ISAKMPD;
else if (strcmp("iked", $1) == 0)
$$ = CTL_IKED;
else if (strcmp("all", $1) == 0)
$$ = CTL_MASK;
else if (strcmp("none", $1) == 0)
$$ = CTL_NONE;
else {
log_err("config: invalid control mode");
free($1);
YYERROR;
}
log_msg(2, "config: control mode set to %s", $1);
free($1);
}
;
setting : INTERFACE STRING
{
if (cfgstate.carp_ifname)
@ -210,6 +231,11 @@ setting : INTERFACE STRING
}
log_msg(2, "config: shared key set");
}
| CONTROL ctlmode
{
cfgstate.flags &= ~CTL_MASK;
cfgstate.flags |= $2;
}
;
%%
@ -231,6 +257,7 @@ match(char *token)
{
/* Sorted */
static const struct keyword keywords[] = {
{ "control", CONTROL },
{ "flushmode", FLUSHMODE },
{ "group", GROUP },
{ "inet", INET },

View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.12 2006/12/25 08:17:17 deraadt Exp $ */
/* $OpenBSD: monitor.c,v 1.13 2010/06/16 17:39:05 reyk Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@ -32,6 +32,7 @@
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/wait.h>
#include <sys/un.h>
#include <net/pfkeyv2.h>
#include <errno.h>
@ -41,6 +42,9 @@
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <imsg.h>
#include "types.h" /* iked imsg types */
#include "monitor.h"
#include "sasyncd.h"
@ -55,8 +59,8 @@ volatile sig_atomic_t sigchld = 0;
static void got_sigchld(int);
static void sig_to_child(int);
static void m_priv_pfkey_snap(int);
static void m_priv_isakmpd_activate(void);
static void m_priv_isakmpd_passivate(void);
static int m_priv_control_activate(void);
static int m_priv_control_passivate(void);
static ssize_t m_write(int, void *, size_t);
static ssize_t m_read(int, void *, size_t);
@ -146,10 +150,20 @@ monitor_drain_input(void)
void
monitor_loop(void)
{
u_int32_t v;
ssize_t r;
u_int32_t v, vn;
ssize_t r;
fd_set rfds;
int ret;
struct timeval *tvp, tv;
FD_ZERO(&rfds);
tvp = NULL;
vn = 0;
for (;;) {
ret = 0;
v = 0;
if (sigchld) {
pid_t pid;
int status;
@ -162,13 +176,30 @@ monitor_loop(void)
break;
}
/* Wait for next task */
if ((r = m_read(m_state.s, &v, sizeof v)) < 1) {
if (r == -1)
log_err(0, "monitor_loop: read() ");
FD_SET(m_state.s, &rfds);
if (select(m_state.s + 1, &rfds, NULL, NULL, tvp) == -1) {
if (errno == EINTR || errno == EAGAIN)
continue;
log_err(0, "monitor_loop: select() ");
break;
}
/* Wait for next task */
if (FD_ISSET(m_state.s, &rfds)) {
if ((r = m_read(m_state.s, &v, sizeof v)) < 1) {
if (r == -1)
log_err(0, "monitor_loop: read() ");
break;
}
}
/* Retry after timeout */
if (v == 0 && tvp != NULL) {
v = vn;
tvp = NULL;
vn = 0;
}
switch (v) {
case MONITOR_GETSNAP:
/* Get the data. */
@ -180,13 +211,21 @@ monitor_loop(void)
case MONITOR_CARPDEC:
carp_demote(CARP_DEC, 1);
break;
case MONITOR_ISAKMPD_ACTIVATE:
m_priv_isakmpd_activate();
case MONITOR_CONTROL_ACTIVATE:
ret = m_priv_control_activate();
break;
case MONITOR_ISAKMPD_PASSIVATE:
m_priv_isakmpd_passivate();
case MONITOR_CONTROL_PASSIVATE:
ret = m_priv_control_passivate();
break;
}
if (ret == -1) {
/* Trigger retry after timeout */
tv.tv_sec = MONITOR_RETRY_TIMEOUT;
tv.tv_usec = 0;
tvp = &tv;
vn = v;
}
}
monitor_carpundemote(NULL);
@ -288,10 +327,10 @@ monitor_get_pfkey_snap(u_int8_t **sadb, u_int32_t *sadbsize, u_int8_t **spd,
}
int
monitor_isakmpd_active(int active)
monitor_control_active(int active)
{
u_int32_t cmd =
active ? MONITOR_ISAKMPD_ACTIVATE : MONITOR_ISAKMPD_PASSIVATE;
active ? MONITOR_CONTROL_ACTIVATE : MONITOR_CONTROL_PASSIVATE;
if (write(m_state.s, &cmd, sizeof cmd) < 1)
return -1;
return 0;
@ -386,11 +425,11 @@ m_priv_pfkey_snap(int s)
return;
}
static void
static int
m_priv_isakmpd_fifocmd(const char *cmd)
{
struct stat sb;
int fd = -1;
int fd = -1, ret = -1;
if ((fd = open(ISAKMPD_FIFO, O_WRONLY)) == -1) {
log_err("m_priv_isakmpd_fifocmd: open(%s)", ISAKMPD_FIFO);
@ -409,23 +448,78 @@ m_priv_isakmpd_fifocmd(const char *cmd)
log_err("m_priv_isakmpd_fifocmd write");
goto out;
}
ret = 0;
out:
if (fd != -1)
close(fd);
/* No values returned. */
return;
return (ret);
}
static void
m_priv_isakmpd_activate(void)
static int
m_priv_iked_imsg(u_int cmd)
{
m_priv_isakmpd_fifocmd("M active\n");
struct sockaddr_un sun;
int fd = -1, ret = -1;
struct imsgbuf ibuf;
if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
log_err("m_priv_iked_imsg: socket");
goto out;
}
bzero(&sun, sizeof(sun));
sun.sun_family = AF_UNIX;
strlcpy(sun.sun_path, IKED_SOCKET, sizeof(sun.sun_path));
if (connect(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
log_err("m_priv_iked_imsg: connect");
goto out;
}
imsg_init(&ibuf, fd);
if (imsg_compose(&ibuf, cmd, 0, 0, -1, NULL, 0) == -1) {
log_err("m_priv_iked_imsg: compose");
goto err;
}
if (imsg_flush(&ibuf) == -1) {
log_err("m_priv_iked_imsg: flush");
goto err;
}
ret = 0;
err:
imsg_clear(&ibuf);
out:
if (fd != -1)
close(fd);
return (ret);
}
static void
m_priv_isakmpd_passivate(void)
static int
m_priv_control_activate(void)
{
m_priv_isakmpd_fifocmd("M passive\n");
if (cfgstate.flags & CTL_ISAKMPD)
if (m_priv_isakmpd_fifocmd("M active\n") == -1)
return (-1);
if (cfgstate.flags & CTL_IKED)
if (m_priv_iked_imsg(IMSG_CTL_ACTIVE) == -1)
return (-1);
return (0);
}
static int
m_priv_control_passivate(void)
{
if (cfgstate.flags & CTL_ISAKMPD)
if (m_priv_isakmpd_fifocmd("M passive\n") == -1)
return (-1);
if (cfgstate.flags & CTL_IKED)
if (m_priv_iked_imsg(IMSG_CTL_PASSIVE) == -1)
return (-1);
return (0);
}
ssize_t

View File

@ -1,4 +1,4 @@
/* $OpenBSD: monitor.h,v 1.1 2006/09/01 01:13:25 mpf Exp $ */
/* $OpenBSD: monitor.h,v 1.2 2010/06/16 17:39:05 reyk Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@ -28,8 +28,10 @@
#define MONITOR_GETSNAP 1
#define MONITOR_CARPINC 2
#define MONITOR_CARPDEC 3
#define MONITOR_ISAKMPD_ACTIVATE 4
#define MONITOR_ISAKMPD_PASSIVATE 5
#define MONITOR_CONTROL_ACTIVATE 4
#define MONITOR_CONTROL_PASSIVATE 5
#define MONITOR_RETRY_TIMEOUT 4
#define ISAKMPD_FIFO "/var/run/isakmpd.fifo"
@ -38,4 +40,4 @@ void monitor_loop(void);
int monitor_get_pfkey_snap(u_int8_t **, u_int32_t *, u_int8_t **,
u_int32_t *);
int monitor_isakmpd_active(int);
int monitor_control_active(int);

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: sasyncd.8,v 1.10 2008/04/04 06:21:27 otto Exp $
.\" $OpenBSD: sasyncd.8,v 1.11 2010/06/16 17:39:05 reyk Exp $
.\"
.\" Copyright (c) 2005 Håkan Olsson. All rights reserved.
.\"
@ -27,7 +27,7 @@
.\"
.\" Manual page for sasyncd
.\"
.Dd $Mdocdate: April 4 2008 $
.Dd $Mdocdate: June 16 2010 $
.Dt SASYNCD 8
.Os
.Sh NAME
@ -46,6 +46,8 @@ The most typical scenario is to run
.Nm
on hosts also running
.Xr isakmpd 8
or
.Xr iked 8
and sharing a common IP address using
.Xr carp 4 .
.Pp
@ -136,6 +138,7 @@ configuration file.
.Xr ipsec 4 ,
.Xr pfsync 4 ,
.Xr sasyncd.conf 5 ,
.Xr iked 8 ,
.Xr isakmpd 8
.Sh HISTORY
The

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sasyncd.c,v 1.19 2009/11/11 23:05:40 deraadt Exp $ */
/* $OpenBSD: sasyncd.c,v 1.20 2010/06/16 17:39:05 reyk Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@ -76,7 +76,7 @@ sasyncd_run(pid_t ppid)
return -1;
}
isakmpd_setrun();
control_setrun();
signal(SIGINT, sasyncd_stop);
signal(SIGTERM, sasyncd_stop);
@ -185,6 +185,7 @@ main(int argc, char **argv)
LIST_INIT(&cfgstate.peerlist);
cfgstate.listen_port = SASYNCD_DEFAULT_PORT;
cfgstate.flags |= CTL_DEFAULT;
if (!cfgfile)
cfgfile = SASYNCD_CFGFILE;

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: sasyncd.conf.5,v 1.15 2007/05/31 19:20:29 jmc Exp $
.\" $OpenBSD: sasyncd.conf.5,v 1.16 2010/06/16 17:39:05 reyk Exp $
.\"
.\" Copyright (c) 2005 Håkan Olsson. All rights reserved.
.\"
@ -27,7 +27,7 @@
.\"
.\" Manual page for sasyncd.conf
.\"
.Dd $Mdocdate: May 31 2007 $
.Dd $Mdocdate: June 16 2010 $
.Dt SASYNCD.CONF 5
.Os
.Sh NAME
@ -157,6 +157,17 @@ The shared AES key used to encrypt messages between
hosts.
This configuration setting is required and must be either 16, 24 or 32
bytes long (corresponding to AES using a 128, 192 or 256 bit key).
.It Ic control isakmpd | iked | all | none
By default,
.Xr sasyncd 8
tracks its local master/slave mode and toggles the passive mode of
.Xr isakmpd 8
accordingly.
This option can be changed to control
.Xr iked 8
instead,
to control all supported daemons at the same time,
or to turn it off to synchronize SAs only.
.El
.Sh SEE ALSO
.Xr chmod 1 ,

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sasyncd.h,v 1.14 2007/01/08 15:31:01 markus Exp $ */
/* $OpenBSD: sasyncd.h,v 1.15 2010/06/16 17:39:05 reyk Exp $ */
/*
* Copyright (c) 2005 Håkan Olsson. All rights reserved.
@ -73,6 +73,13 @@ struct cfgstate {
/* Do not sync SAs to/from our peers. */
#define SKIP_LOCAL_SAS 0x0004
/* Control isakmpd or iked */
#define CTL_NONE 0x0000
#define CTL_ISAKMPD 0x0008
#define CTL_IKED 0x0010
#define CTL_DEFAULT CTL_ISAKMPD
#define CTL_MASK 0x0018
extern struct cfgstate cfgstate;
extern int carp_demoted;
@ -113,7 +120,7 @@ void carp_update_state(enum RUNSTATE);
void carp_set_rfd(fd_set *);
void carp_read_message(fd_set *);
const char* carp_state_name(enum RUNSTATE);
void isakmpd_setrun(void);
void control_setrun(void);
/* log.c */