On Thu, Dec 26, 2024 at 04:33:22PM +0000, Stuart Henderson wrote:
> On 2024/12/26 10:50, William Rusnack wrote:
> > >Synopsis:  When printing the parsed policy, iked erroneously prints config when it should print request.
> > >Category:  bin
> > >Description:
> >     The below example iked.conf has a request configuration payload.
> >     ```iked.conf
> >     ikev2 \
> >             from dynamic to any \
> >             peer 10.0.0.1 \
> >             iface lo1 \
> >             request address any
> >     ```
> >     
> >     When printing the policy (look at the end of the line), `config` is printed instead of `request`:
> >     ```txt
> >     ikev2 "policy1" passive tunnel esp inet from 0.0.0.0 to 0.0.0.0/0 from :: to ::/0 local any peer 10.0.0.1 ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn lifetime 10800 bytes 4294967296 signature config address any
> >     ```
> >     
> >     It should actually print the following, which properly describes the policy:
> >     ```txt
> >     ikev2 "policy1" passive tunnel esp inet from 0.0.0.0 to 0.0.0.0/0 from :: to ::/0 local any peer 10.0.0.1 ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn lifetime 10800 bytes 4294967296 signature request address any
> >     ```
> > >How-To-Repeat:
> >     1. Save the above example iked.conf to file.
> >     2. Run `iked -n -f iked.conf`
> > >Fix:
> >     Depending on cfg_action, print config or request instead of just config.
> >     
> >     ```diff
> >     Index: print.c
> >     ===================================================================
> >     RCS file: /cvs/src/sbin/iked/print.c,v
> >     diff -u -p -u -p -r1.4 print.c
> >     --- print.c     13 Jun 2023 12:34:12 -0000      1.4
> >     +++ print.c     14 Dec 2024 18:23:56 -0000
> >     @@ -225,7 +225,9 @@ print_policy(struct iked_policy *pol)
> >      
> >             for (i = 0; i < pol->pol_ncfg; i++) {
> >                     cfg = &pol->pol_cfg[i];
> >     -               print_verbose(" config %s %s", print_xf(cfg->cfg_type,
> >     +               print_verbose(" %s %s %s",
> >     +                   cfg->cfg_action == IKEV2_CP_REPLY ? "config" : 
> > "request",
> >     +                   print_xf(cfg->cfg_type,
> >                         cfg->cfg.address.addr_af, cpxfs),
> >                         print_addr(&cfg->cfg.address.addr));
> >             }
> >     ```
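Review bot: the second added line of this hunk has been wrapped by the mailer, so `"request",` sits on a line of its own without a leading `+`; as posted, the body no longer matches the `@@ -225,7 +225,9 @@` counts and patch(1) will reject it, so the diff needs to be resent unwrapped or as an attachment. The logic itself is right: the old format string hard-coded `config`, and `cfg->cfg_action` is what distinguishes a `config` entry from a `request` entry in the first place.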
> > 
> 
> This one looks good too, diff that can be applied with patch

ok with me too

> 
> 
> Index: print.c
> ===================================================================
> RCS file: /cvs/src/sbin/iked/print.c,v
> diff -u -p -r1.5 print.c
> --- print.c   4 Nov 2024 02:44:28 -0000       1.5
> +++ print.c   26 Dec 2024 16:32:55 -0000
> @@ -228,7 +228,9 @@ print_policy(struct iked_policy *pol)
> 
>       for (i = 0; i < pol->pol_ncfg; i++) {
>               cfg = &pol->pol_cfg[i];
> -             print_verbose(" config %s %s", print_xf(cfg->cfg_type,
> +             print_verbose(" %s %s %s",
> +                 cfg->cfg_action == IKEV2_CP_REPLY ? "config" : "request",
> +                 print_xf(cfg->cfg_type,
>                   cfg->cfg.address.addr_af, cpxfs),
>                   print_addr(&cfg->cfg.address.addr));
>       }
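Review bot: the ternary on the second `+` line prints `request` for every `cfg_action` other than `IKEV2_CP_REPLY`. That is correct for the two keywords iked.conf offers, but an explicit comparison against the request value (or a switch whose default prints the numeric action) would keep the dump from silently labelling any other action as a request, which matters because `iked -n` output is what operators read to confirm what was actually loaded. Otherwise the hunk is unwrapped, applies against r1.5 and fixes the reported output.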
> 
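A regression check for the How-To-Repeat steps in the report, added here as an example and not part of the bug report or of iked: it folds the iked.conf continuation lines, pairs each `ikev2` policy with the line `iked -n -f iked.conf` prints for it, and compares the `config`/`request` payload keywords. The sample iked.conf and the two dump lines are constructed and shortened from the thread; the function and constant names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample inputs (not real iked output): the reporter's iked.conf and a
# shortened policy dump, once as printed before the fix and once after it.
SAMPLE_CONF = "ikev2 \\\n  from dynamic to any \\\n  peer 10.0.0.1 \\\n  request address any\n"
DUMP_HEAD = 'ikev2 "policy1" passive tunnel esp inet from 0.0.0.0 to 0.0.0.0/0 from :: to ::/0 '
DUMP_MID = "local any peer 10.0.0.1 ikesa enc aes-128-gcm childsa enc aes-128-gcm lifetime 10800 signature "
BUGGY_DUMP = DUMP_HEAD + DUMP_MID + "config address any\n"
FIXED_DUMP = DUMP_HEAD + DUMP_MID + "request address any\n"

# A configuration payload entry as iked.conf and print_policy() both spell it:
# <config|request> <type> <value>, e.g. "request address any".
CP_RE = re.compile(r"\b(config|request)\s+(\S+)\s+(\S+)")

def join_continuations(text: str) -> List[str]:
    """Fold backslash-newline continuations so every policy is one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():  # input ended on a continuation line
        lines.append(" ".join(buf.split()))
    return lines

def cp_payloads(line: str) -> List[Tuple[str, str, str]]:
    """Return the (action, type, value) triples of one policy line, in order."""
    return [m.groups() for m in CP_RE.finditer(line)]

def check_policy_dump(conf_text: str, dump_text: str) -> List[str]:
    """Pair each iked.conf policy with the dump line printed for it and compare
    their config/request payloads. An empty result means the dump is faithful."""
    conf = [ln for ln in join_continuations(conf_text) if ln.startswith("ikev2")]
    dump = [ln for ln in join_continuations(dump_text) if ln.startswith("ikev2")]
    problems = []
    if len(conf) != len(dump):
        problems.append(f"{len(conf)} policies configured, {len(dump)} printed")
    for n, (c, d) in enumerate(zip(conf, dump), 1):
        want, got = cp_payloads(c), cp_payloads(d)
        if want != got:
            problems.append(f"policy {n}: configured {want}, printed {got}")
    return problems
```

Feed it the real file and the captured `iked -n -f iked.conf` output: a non-empty result reproduces the report, an empty one confirms the fix.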
