Synopsis: The cfg grammar rule allows unsupported payloads to be parsed without error, making it seem that the iked implementation supports much more functionality than is actually implemented.

Description: The function ikev2_pld_cp in ikev2_pld.c only supports requesting an address and a name server. However, the parser rule cfg in parse.y accepts all of the configuration options for REQUEST. This is problematic because it misrepresents the capabilities for configuring clients, and any unsupported requested configuration is silently discarded, leaving the user frustrated as to why the connection is not being configured as specified in the iked.conf file.

How-To-Repeat: This creates a configuration that has an unsupported configuration payload request of netmask. If iked is run without -n, it will not report that it cannot configure the netmask even if the server supplies it.

```sh
su
echo ikev2 from any to any request netmask any > /tmp/iked.conf
chmod 600 /tmp/iked.conf
iked -n -v -f /tmp/iked.conf
```
The iked command should produce the output below:

```txt
ikev2 "policy1" passive tunnel esp from 0.0.0.0/0 to 0.0.0.0/0 from ::/0 to ::/0 local any peer any ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn lifetime 10800 bytes 4294967296 signature config netmask any
configuration OK
```

Fix: The cfg rule now uses a different lookup table for REQUEST that only contains the supported options that ikev2_pld_cp in ikev2_pld.c can process. Also, the error message now specifies the unsupported config and request option.

Index: parse.y =================================================================== RCS file: /cvs/src/sbin/iked/parse.y,v diff -u -p -u -r1.147 parse.y --- parse.y 13 Jul 2024 12:22:46 -0000 1.147 +++ parse.y 4 Jan 2025 16:17:40 -0000 @@ -328,6 +328,14 @@ const struct ipsec_xf cpxfs[] = { { NULL } }; +const struct ipsec_xf rpxfs[] = { + { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS, AF_INET }, + { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS, AF_INET6 }, + { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS, AF_INET }, + { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS, AF_INET6 }, + { NULL } +}; + const struct iked_lifetime deflifetime = { IKED_LIFETIME_BYTES, IKED_LIFETIME_SECONDS 
@@ -599,7 +607,7 @@ cfg : CONFIG STRING host_spec { const struct ipsec_xf *xf; if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) { - yyerror("not a valid ikecfg option"); + yyerror("\"config %s\" not a valid ikecfg option", $2); free($2); free($3); YYERROR; @@ -612,8 +620,8 @@ cfg : CONFIG STRING host_spec { | REQUEST STRING anyhost { const struct ipsec_xf *xf; - if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) { - yyerror("not a valid ikecfg option"); + if ((xf = parse_xf($2, $3->af, rpxfs)) == NULL) { + yyerror("\"request %s\" not a valid ikecfg option", $2); free($2); free($3); YYERROR;
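Review bot: In the hunk at line 328 that adds rpxfs, the new table is a hand-maintained subset of cpxfs with nothing tying it to ikev2_pld_cp(), so the two will drift the next time a CP attribute gains support in ikev2_pld.c; suggest a comment above the table such as `/* REQUEST options ikev2_pld_cp() can process; keep in sync with ikev2_pld.c */`.

Review bot: In the hunk at line 612 that switches the REQUEST lookup from cpxfs to rpxfs, lines such as `request netmask any` that previously loaded (and were silently discarded) now become a hard parse error, so existing iked.conf files relying on that behaviour will fail to load; that is the intended outcome, but it should be stated in the commit message and the supported request options reflected in iked.conf(5).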
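The report's point is that the unpatched parser accepts request options ikev2_pld_cp() never acts on. As an added example, not part of the report or of OpenBSD, the following POSIX sh lint reads an iked.conf on stdin and flags every `request` option outside the set the report names as supported (address and name-server); the sample config and the supported list are assumptions taken from the report, and nothing here touches iked itself.

```sh
#!/bin/sh
# Added example, not from the bug report or from OpenBSD: lint an iked.conf
# (read on stdin) for "request" options that the unpatched parser accepts but
# ikev2_pld_cp() silently drops. The supported set below is the one the
# report states; extend it if ikev2_pld.c grows new CP attribute handling.
SUPPORTED_REQUEST="address name-server"

# lint_iked_requests: print every unsupported "request <option>" found on
# stdin, one per line; return 0 if all are supported, 1 otherwise.
lint_iked_requests() {
    unsupported=$(sed 's/#.*$//' |
        awk '{ for (i = 1; i < NF; i++) if ($i == "request") print $(i + 1) }' |
        while read -r opt; do
            case " $SUPPORTED_REQUEST " in
                *" $opt "*) ;;          # handled by ikev2_pld_cp()
                *) echo "$opt" ;;       # parsed, then silently discarded
            esac
        done)
    [ -z "$unsupported" ] && return 0
    echo "$unsupported" | sed 's/^/unsupported request option: /'
    return 1
}

# Constructed sample matching the report's reproduction case, plus a comment
# and one supported option, to show that only the unsupported one is flagged.
SAMPLE='# constructed iked.conf
ikev2 from any to any request netmask any request name-server any'

if printf '%s\n' "$SAMPLE" | lint_iked_requests; then
    echo "all request options are handled by ikev2_pld_cp()"
else
    echo "pre-fix iked silently drops these; patched iked rejects the file"
fi
```

Run it before deploying a config on an unpatched system, since there `iked -n` reports "configuration OK" for exactly the options this flags.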