On 2024/12/26 10:50, William Rusnack wrote:
> >Synopsis:    When printing the parsed policy iked erroneously prints config 
> >when it should print request.
> >Category:    bin
> >Description:
>       The below example iked.conf has a request configuration payload.
>       ```iked.conf
>       ikev2 \
>               from dynamic to any \
>               peer 10.0.0.1 \
>               iface lo1 \
>               request address any
>       ```
>       
>       When printing the policy (look at the end of the line), `config` is printed instead of `request`:
>       ```txt
>       ikev2 "policy1" passive tunnel esp inet from 0.0.0.0 to 0.0.0.0/0 from 
> :: to ::/0 local any peer 10.0.0.1 ikesa enc aes-128-gcm enc aes-256-gcm prf 
> hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group 
> curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group 
> modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc 
> aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf 
> hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth 
> hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group 
> ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group 
> modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa 
> enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 
> auth hmac-sha2-512 auth hmac-sha1 group none esn noesn lifetime 10800 bytes 
> 4294967296 signature config address any
>       ```
>       
>       It should actually print the following, which properly describes the policy:
>       ```txt
>       ikev2 "policy1" passive tunnel esp inet from 0.0.0.0 to 0.0.0.0/0 from 
> :: to ::/0 local any peer 10.0.0.1 ikesa enc aes-128-gcm enc aes-256-gcm prf 
> hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group 
> curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group 
> modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc 
> aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf 
> hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth 
> hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group 
> ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group 
> modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa 
> enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 
> auth hmac-sha2-512 auth hmac-sha1 group none esn noesn lifetime 10800 bytes 
> 4294967296 signature request address any
>       ```
> >How-To-Repeat:
>       1. Save the above example iked.conf to file.
>       2. Run `iked -n -f iked.conf`
> >Fix:
>       Depending on cfg_action print config or request instead of just config.
>       
>       ```diff
>       Index: print.c
>       ===================================================================
>       RCS file: /cvs/src/sbin/iked/print.c,v
>       diff -u -p -u -p -r1.4 print.c
>       --- print.c     13 Jun 2023 12:34:12 -0000      1.4
>       +++ print.c     14 Dec 2024 18:23:56 -0000
>       @@ -225,7 +225,9 @@ print_policy(struct iked_policy *pol)
>        
>               for (i = 0; i < pol->pol_ncfg; i++) {
>                       cfg = &pol->pol_cfg[i];
>       -               print_verbose(" config %s %s", print_xf(cfg->cfg_type,
>       +               print_verbose(" %s %s %s",
>       +                   cfg->cfg_action == IKEV2_CP_REPLY ? "config" : 
> "request",
>       +                   print_xf(cfg->cfg_type,
>                           cfg->cfg.address.addr_af, cpxfs),
>                           print_addr(&cfg->cfg.address.addr));
>               }
>       ```
> 
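Review bot: the added line `cfg->cfg_action == IKEV2_CP_REPLY ? "config" :` has been wrapped by the mailer, which leaves `"request",` on a quoted line of its own with no `+` marker, so this hunk will not apply with patch as posted. It is also taken against r1.4 of print.c, while the re-sent diff below is against r1.5 with the hunk three lines further down. Send the diff with line wrapping disabled (or as an attachment) and regenerate it against the current revision.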

This one looks good too, diff that can be applied with patch


Index: print.c
===================================================================
RCS file: /cvs/src/sbin/iked/print.c,v
diff -u -p -r1.5 print.c
--- print.c     4 Nov 2024 02:44:28 -0000       1.5
+++ print.c     26 Dec 2024 16:32:55 -0000
@@ -228,7 +228,9 @@ print_policy(struct iked_policy *pol)

        for (i = 0; i < pol->pol_ncfg; i++) {
                cfg = &pol->pol_cfg[i];
-               print_verbose(" config %s %s", print_xf(cfg->cfg_type,
+               print_verbose(" %s %s %s",
+                   cfg->cfg_action == IKEV2_CP_REPLY ? "config" : "request",
+                   print_xf(cfg->cfg_type,
                    cfg->cfg.address.addr_af, cpxfs),
                    print_addr(&cfg->cfg.address.addr));
        }
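Review bot: in `cfg->cfg_action == IKEV2_CP_REPLY ? "config" : "request"`, every value other than IKEV2_CP_REPLY falls through to "request", so a cfg_action that is neither a reply nor a request would still be printed as a request and `iked -n` would again describe a policy the daemon does not hold. If the parser can only ever store those two actions, this is fine and a short comment saying so would help; otherwise test for the request action explicitly and print something distinct for any other value. Since the printed policy is what an administrator reads to check whether the host hands out or asks for an address, it would also be worth confirming that the output for this entry parses back to the same policy.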
