>Synopsis:      When printing the parsed policy, iked erroneously prints config
>when it should print request.
>Category:      bin
>Description:
        The example iked.conf below contains a request configuration payload:
        ```iked.conf
        ikev2 \
                from dynamic to any \
                peer 10.0.0.1 \
                iface lo1 \
                request address any
        ```
        
        When printing the policy (look at the end of the line), `config` is
printed instead of `request`:
        ```txt
        ikev2 "policy1" passive tunnel esp inet from 0.0.0.0 to 0.0.0.0/0 from 
:: to ::/0 local any peer 10.0.0.1 ikesa enc aes-128-gcm enc aes-256-gcm prf 
hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group 
curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 
group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc 
aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf 
hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth 
hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group 
modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa 
enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc 
aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 
auth hmac-sha1 group none esn noesn lifetime 10800 bytes 4294967296 signature 
config address any
        ```
        
        It should instead print the following, which correctly describes the
policy:
        ```txt
        ikev2 "policy1" passive tunnel esp inet from 0.0.0.0 to 0.0.0.0/0 from 
:: to ::/0 local any peer 10.0.0.1 ikesa enc aes-128-gcm enc aes-256-gcm prf 
hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group 
curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 
group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc 
aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf 
hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth 
hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group 
modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa 
enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc 
aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 
auth hmac-sha1 group none esn noesn lifetime 10800 bytes 4294967296 signature 
request address any
        ```
>How-To-Repeat:
        1. Save the above example iked.conf to file.
        2. Run `iked -n -f iked.conf`
>Fix:
        Depending on cfg_action, print `config` or `request` instead of always printing `config`.
        
        ```diff
        Index: print.c
        ===================================================================
        RCS file: /cvs/src/sbin/iked/print.c,v
        diff -u -p -u -p -r1.4 print.c
        --- print.c     13 Jun 2023 12:34:12 -0000      1.4
        +++ print.c     14 Dec 2024 18:23:56 -0000
        @@ -225,7 +225,9 @@ print_policy(struct iked_policy *pol)
         
                for (i = 0; i < pol->pol_ncfg; i++) {
                        cfg = &pol->pol_cfg[i];
        -               print_verbose(" config %s %s", print_xf(cfg->cfg_type,
        +               print_verbose(" %s %s %s",
        +                   cfg->cfg_action == IKEV2_CP_REPLY ? "config" : 
"request",
        +                   print_xf(cfg->cfg_type,
                            cfg->cfg.address.addr_af, cpxfs),
                            print_addr(&cfg->cfg.address.addr));
                }
        ```
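
        Review bot: the ternary in the changed print_verbose() call treats every cfg_action value other than IKEV2_CP_REPLY as "request", so an unexpected or future action value would silently be printed as a request keyword; since this line is meant to echo back exactly what the user wrote in iked.conf, consider naming both cases explicitly (or a switch with a default that prints the raw value) so the mapping is readable without consulting the parser. The hunk header going from 7 to 9 lines matches the two added continuation lines, and the leading space in " %s %s %s" preserves the spacing of the old " config %s %s" format.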