Re: ipsecctl psk usage

Frans Haarman Mon, 08 Sep 2008 11:54:17 -0700

2008/9/8 Otto Moerbeek <[EMAIL PROTECTED]>

> On Mon, Sep 08, 2008 at 12:57:09PM +0200, Reyk Floeter wrote:
>
> > hi!
> >
> > On Mon, Sep 08, 2008 at 12:33:20PM +0200, Frans Haarman wrote:
> > > If you use an unqouted string as psk (pre-shared key)  it can't start
> with a
> > > number so:
> > >
> > > fails: ike from any to any psk 123
> > > works: ike from any to any psk  "123"
> > >
> >
> > it can start with a number, but it cannot be a number.  so 123foo
> > would be ok but not just 123.
> >
> > > Same goes for the tag-strings.  For most this is probably obvious,
> because
> > > it has to
> > > be a string right ?  But not for me :P
> > >
> >
> > is there any problem with quoting the string?  i think the normal
> > approach is that quoting should be the default unless you have a
> > string that also works without quotes.
> >
> > i mean we could fix this in ipsecctl (see diff below) but is it really
> > required?  and there is a problem with the attached diff that it
> > "normalizes" the number, so a key 0123 would become 123.  any other
> > "fix" would require changes in the parser that is shared with many
> > other tools and daemons in openbsd - it is probably just easier to use
> > the quotes and to add a note in the manpage suggesting it.
>
> yes, i think it's just a manpage thing. Ambiguous stuff in the grammer
> oftemn leads to confusion and/or disaster.
>


Yes I expected some mention of it in the manpage.  I notice the same
behaviour with pf.conf also (labels, tags).

Gr. FH



>
>        -Otto
>
> >
> > reyk
> >
> > Index: parse.y
> > ===================================================================
> > RCS file: /cvs/src/sbin/ipsecctl/parse.y,v
> > retrieving revision 1.138
> > diff -u -p -r1.138 parse.y
> > --- parse.y   1 Jul 2008 14:31:37 -0000       1.138
> > +++ parse.y   8 Sep 2008 10:51:00 -0000
> > @@ -275,7 +275,7 @@ typedef struct {
> >  %type        <v.type>                type
> >  %type        <v.life>                life
> >  %type        <v.mode>                phase1mode phase2mode
> > -%type        <v.string>              tag
> > +%type        <v.string>              tag numstr
> >  %%
> >
> >  grammar              : /* empty */
> > @@ -806,7 +806,7 @@ ikeauth           : /* empty */                   {
> >                       $$.type = IKE_AUTH_RSA;
> >                       $$.string = NULL;
> >               }
> > -             | PSK STRING                    {
> > +             | PSK numstr                    {
> >                       $$.type = IKE_AUTH_PSK;
> >                       if (($$.string = strdup($2)) == NULL)
> >                               err(1, "ikeauth: strdup");
> > @@ -817,9 +817,20 @@ tag              : /* empty */
> >               {
> >                       $$ = NULL;
> >               }
> > -             | TAG STRING
> > +             | TAG numstr
> >               {
> >                       $$ = $2;
> > +             }
> > +             ;
> > +
> > +numstr               : STRING
> > +             {
> > +                     $$ = $1;
> > +             }
> > +             | NUMBER
> > +             {
> > +                     if (asprintf(&$$, "%lld", $1) == -1)
> > +                             err(1, "string: asprintf");
> >               }
> >               ;

Re: ipsecctl psk usage

Reply via email to