> >
> > We should rather fix the defaults to do what we expect them to do.
> > In your example case that would be using fqdn/D.example.com
> Agreed; do you take a stab at it? I'm happy to test.
>
Try this
Index: parse.y
===================================================================
RCS file: /mount/openbsd/cvs/src/sbin/iked/parse.y,v
retrieving revision 1.89
diff -u -p -r1.89 parse.y
--- parse.y 21 Feb 2020 15:17:34 -0000 1.89
+++ parse.y 22 Feb 2020 21:04:16 -0000
@@ -1962,6 +1962,11 @@ set_policy(char *idstr, int type, struct
const char *prefix = NULL;
EVP_PKEY *key = NULL;
+ if (idstr == NULL) {
+ log_warnx("%s: can not set empty ID.", __func__);
+ return (-1);
+ }
+
switch (type) {
case IKEV2_ID_IPV4:
prefix = "ipv4";
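Review bot: The new guard `if (idstr == NULL)` only catches a null pointer, but the ID the caller builds appears to be a fixed-size array (`strlcpy(idstr, ..., sizeof(idstr))` in create_ike further down), which can never be NULL, so an ID that was simply never filled in still reaches the switch below. If the intent is to reject a missing ID, check the string as well: `if (idstr == NULL || *idstr == '\0') {`. The body of set_policy continues outside the hunk, so whether a later check already covers the empty-string case is not visible here.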
@@ -2112,7 +2117,7 @@ host_dns(const char *s, int mask)
err(1, "%s", __func__);
copy_sockaddrtoipa(ipa, res->ai_addr);
error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
- sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
+ sizeof(hbuf), NULL, 0, 0);
if (error)
err(1, "host_dns: getnameinfo");
ipa->name = strdup(hbuf);
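Review bot: Dropping NI_NUMERICHOST turns this getnameinfo() call into a reverse (PTR) lookup, so `ipa->name` becomes whatever the owner of the resolved address publishes in reverse DNS rather than the name the operator wrote in the config, and that string is later used as the peer's default IKEv2 ID. Reverse DNS is unauthenticated and controlled by a third party, may not match the forward name, and without NI_NAMEREQD will presumably fall back to the numeric form when no PTR exists, so it is a weak basis for an identity default. The configured name is already available in `s`; keeping NI_NUMERICHOST and setting `ipa->name = strdup(s);` yields the intended "fqdn/D.example.com" default without the extra lookup. The strdup() result on the last line is also unchecked; since err() is already the failure style here, `if (ipa->name == NULL) err(1, "%s", __func__);` would keep an allocation failure from silently disabling the default.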
@@ -2798,6 +2803,10 @@ create_ike(char *name, int af, uint8_t i
pol.pol_peer.addr_net = ipb->netaddress;
if (pol.pol_af == AF_UNSPEC)
pol.pol_af = ipb->af;
+ if (ipb->name) {
+ strlcpy(idstr, ipb->name, sizeof(idstr));
+ idtype = get_id_type(ipb->name);
+ }
}
if (ikelifetime)
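Review bot: `idtype = get_id_type(ipb->name)` derives the peer's default ID type from whatever string host_dns() stored, which after this patch is a reverse-DNS result rather than the configured peer name, so both the ID and its type can silently differ from what the operator expects; deriving the default from the configured name would be safer. Because the address-based fallback is removed later in the patch, a peer given as a numeric address with no `dstid` only gets a default ID if host() also fills `name` for literals, which is not visible here — if it does not, `idstr` keeps its earlier contents and the policy ends up with no peer ID default, so consider keeping the IPv4/IPv6 fallback for the `ipb->name == NULL` case. The enclosing create_ike() starts and ends outside this hunk.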
@@ -2984,20 +2993,6 @@ create_ike(char *name, int af, uint8_t i
if (dstid) {
strlcpy(idstr, dstid, sizeof(idstr));
idtype = pol.pol_peerid.id_type;
- } else if (!pol.pol_peer.addr_net) {
- print_host((struct sockaddr *)&pol.pol_peer.addr, idstr,
- sizeof(idstr));
- switch (pol.pol_peer.addr.ss_family) {
- case AF_INET:
- idtype = IKEV2_ID_IPV4;
- break;
- case AF_INET6:
- idtype = IKEV2_ID_IPV6;
- break;
- default:
- log_warnx("%s: unknown address family", __func__);
- break;
- }
}
/* Make sure that we know how to authenticate this peer */