Fix iked's auto-srcid based on the local hostname


Fix iked's auto-srcid based on the local hostname

Reyk Floeter-2
Hi,

the iked.conf(5) manpage says: "If srcid is omitted, the default is to
use the hostname of the local machine, see hostname(1) to set or print
the hostname." This was true but I broke it with a commit about two
years ago :(

The following diff tells ikev2_policy2id() in ca_setreq() that it's
dealing with a srcid that needs to be obtained from the local hostname
if empty (setting the srcid parameter to 1).  This code is called
after receiving a CERTREQ from the peer: The peer gives us a list of
SHA1 hashes of accepted CAs and we look up a matching host certificate
that is signed by one of these CAs and includes a subjectAltName field
that matches our srcid.

This should unbreak some configurations with OpenBSD as the initiator.

OK?

Reyk

Index: ca.c
===================================================================
RCS file: /cvs/src/sbin/iked/ca.c,v
retrieving revision 1.18
diff -u -p -r1.18 ca.c
--- ca.c 18 Sep 2012 12:07:59 -0000 1.18
+++ ca.c 9 Oct 2012 10:19:03 -0000
@@ -248,7 +248,7 @@ ca_setreq(struct iked *env, struct iked_
 
  /* Convert to a static Id */
  bzero(&id, sizeof(id));
- if (ikev2_policy2id(localid, &id, 0) != 0)
+ if (ikev2_policy2id(localid, &id, 1) != 0)
  return (-1);
 
  bzero(&idb, sizeof(idb));
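Review bot: the third argument to ikev2_policy2id() flips from 0 to 1 with nothing at the call site saying what that flag means, which is exactly how the hostname fallback got lost unnoticed for two years. Since the cover letter explains the flag as "this is a srcid, take it from the local hostname if empty", extend the existing comment so the intent survives the next refactor, e.g. `/* Convert to a static Id, defaulting srcid to the local hostname */`. It is also worth confirming that ca_setreq() is the only place where localid is passed to ikev2_policy2id() with the flag cleared, so the iked.conf(5) default holds on every path, not just the CERTREQ one.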


Re: Fix iked's auto-srcid based on the local hostname

Mike Belopuhov-5
On Tue, Oct 9, 2012 at 1:23 PM, Reyk Floeter <[hidden email]> wrote:

> Hi,
>
> the iked.conf(5) manpage says: "If srcid is omitted, the default is to
> use the hostname of the local machine, see hostname(1) to set or print
> the hostname." This was true but I broke it with a commit about two
> years ago :(
>
> The following diff tells ikev2_policy2id() in ca_setreq() that it's
> dealing with a srcid that needs to be obtained from the local hostname
> if empty (setting the srcid parameter to 1).  This code is called
> after receiving a CERTREQ from the peer: The peer gives us a list of
> SHA1 hashes of accepted CAs and we look up a matching host certificate
> that is signed by one of these CAs and includes a subjectAltName field
> that matches our srcid.
>
> This should unbreak some configurations with OpenBSD as the initiator.
>
> OK?
>

OK

> Reyk